Add 'View DFG' queries

.bazelrc

@@ -11,6 +11,8 @@ build --compilation_mode opt
 common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
 
 build --repo_env=CC=clang --repo_env=CXX=clang++
+# Disable Android SDK auto-detection (we don't use it, and rules_android has Bazel 9 compatibility issues)
+build --repo_env=ANDROID_HOME=
 
 # print test output, like sembuild does.
 # Set to `errors` if this is too verbose.
@@ -34,7 +36,7 @@ common --@rules_dotnet//dotnet/settings:strict_deps=false
 common --@rules_rust//rust/toolchain/channel=nightly
 
 # Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
-common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
+common --incompatible_autoload_externally="+@rules_cc,+@rules_java,+@rules_shell"
 
 build --java_language_version=17
 build --tool_java_language_version=17

.bazelversion

@@ -1 +1 @@
-8.4.2
+9.0.0

MODULE.bazel

@@ -15,17 +15,19 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "rules_go", version = "0.56.1")
+bazel_dep(name = "rules_cc", version = "0.2.16")
+bazel_dep(name = "rules_go", version = "0.59.0")
+bazel_dep(name = "rules_java", version = "9.0.3")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
-bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
+bazel_dep(name = "rules_nodejs", version = "6.7.3")
 bazel_dep(name = "rules_python", version = "0.40.0")
 bazel_dep(name = "rules_shell", version = "0.5.0")
 bazel_dep(name = "bazel_skylib", version = "1.8.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
-bazel_dep(name = "rules_kotlin", version = "2.2.0-codeql.1")
-bazel_dep(name = "gazelle", version = "0.40.0")
+bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
+bazel_dep(name = "gazelle", version = "0.47.0")
 bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
 bazel_dep(name = "rules_rust", version = "0.68.1.codeql.1")
@@ -188,6 +190,15 @@ pip.parse(
 )
 use_repo(pip, "codegen_deps")
 
+python = use_extension("@rules_python//python/extensions:python.bzl", "python")
+python.toolchain(
+    is_default = True,
+    python_version = "3.12",
+)
+use_repo(python, "python_3_12", "python_versions")
+
+register_toolchains("@python_versions//3.12:all")
+
 swift_deps = use_extension("//swift/third_party:load.bzl", "swift_deps")
 
 # following list can be kept in sync with `bazel mod tidy`

cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results.

cpp/ql/lib/semmle/code/cpp/commons/DateTime.qll

@@ -14,7 +14,9 @@ class PackedTimeType extends Type {
   }
 }
 
-private predicate timeType(string typeName) { typeName = ["_SYSTEMTIME", "SYSTEMTIME", "tm"] }
+private predicate timeType(string typeName) {
+  typeName = ["_SYSTEMTIME", "SYSTEMTIME", "tm", "TIME_FIELDS", "_TIME_FIELDS", "PTIME_FIELDS"]
+}
 
 /**
  * A type that is used to represent times and dates in an 'unpacked' form, that is,
@@ -95,3 +97,24 @@ class StructTmMonthFieldAccess extends MonthFieldAccess {
 class StructTmYearFieldAccess extends YearFieldAccess {
   StructTmYearFieldAccess() { this.getTarget().getName() = "tm_year" }
 }
+
+/**
+ * A `DayFieldAccess` for the `TIME_FIELDS` struct.
+ */
+class TimeFieldsDayFieldAccess extends DayFieldAccess {
+  TimeFieldsDayFieldAccess() { this.getTarget().getName() = "Day" }
+}
+
+/**
+ * A `MonthFieldAccess` for the `TIME_FIELDS` struct.
+ */
+class TimeFieldsMonthFieldAccess extends MonthFieldAccess {
+  TimeFieldsMonthFieldAccess() { this.getTarget().getName() = "Month" }
+}
+
+/**
+ * A `YearFieldAccess` for the `TIME_FIELDS` struct.
+ */
+class TimeFieldsYearFieldAccess extends YearFieldAccess {
+  TimeFieldsYearFieldAccess() { this.getTarget().getName() = "Year" }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -552,34 +552,47 @@ private module BoundsEstimate {
   private float nrOfBoundsPhiGuard(RangeSsaDefinition def, StackVariable v) {
     // If we have
     //
-    //   if (x < c) { e1 }
-    //   e2
+    //   if (x < c) { e1 } else { e2 }
+    //   e3
     //
-    // then `e2` is both a guard phi node (guarded by `x < c`) and a normal
-    // phi node (control is merged after the `if` statement).
+    // then `{ e1 }` and `{ e2 }` are both guard phi nodes guarded by `x < c`.
+    // The range analysis propagates bounds on `x` into both branches, filtered
+    // by the condition. In this case all lower bounds flow to `{ e1 }` and only
+    // lower bounds that are smaller than `c` flow to `{ e2 }`.
     //
-    // Assume `x` has `n` bounds. Then `n` bounds are propagated to the guard
-    // phi node `{ e1 }` and, since `{ e1 }` is input to `e2` as a normal phi
-    // node, `n` bounds are propagated to `e2`. If we also propagate the `n`
-    // bounds to `e2` as a guard phi node, then we square the number of
-    // bounds.
+    // The largest number of bounds possible for `e3` is the number of bounds on `x` plus
+    // one. This happens when all bounds flow from `x` to `e1` to `e3` and the
+    // bound `c` can flow to `e2` to `e3`.
     //
-    // However in practice `x < c` is going to cut down the number of bounds:
-    // The tracked bounds can't flow to both branches as that would require
-    // them to simultaneously be greater and smaller than `c`. To approximate
-    // this better, the contribution from a guard phi node that is also a
-    // normal phi node is 1.
-    exists(def.getAPhiInput(v)) and
-    isGuardPhiWithBound(def, v, _) and
-    result = 1
-    or
-    not exists(def.getAPhiInput(v)) and
-    // If there's different `access`es, then they refer to the same variable
-    // with the same lower bounds. Hence adding these guards make no sense (the
-    // implementation will take the union, but they'll be removed by
-    // deduplication). Hence we use `max` as an approximation.
-    result =
-      max(VariableAccess access | isGuardPhiWithBound(def, v, access) | nrOfBoundsExpr(access))
+    // We want to optimize our bounds estimate for `e3`, as that is the estimate
+    // that can continue propagating forward. We don't know how the existing
+    // bounds will be split between the different branches. That depends on
+    // whether the range analysis is tracking lower bounds or upper bounds, and
+    // on the meaning of the condition.
+    //
+    // As a heuristic we divide the number of bounds on `x` by 2 to "average"
+    // the effect of the condition and add 1 to account for the bound from the
+    // condition itself. This will approximate estimates inside the branches,
+    // but will give a good estimate after the branches are merged.
+    //
+    // This also handles cases such as this one
+    //
+    //   if (x < c) { e1 }
+    //   e3
+    //
+    // where `e3` is both a guard phi node (guarded by `x < c`) and a normal
+    // phi node (control is merged after the `if` statement). Here half of the
+    // bounds flow into the branch and then to `e3` as a normal phi node and the
+    // "other" half flow from the condition to `e3` as a guard phi node.
+    exists(float varBounds |
+      // If there's different `access`es, then they refer to the same
+      // variable with the same lower bounds. Hence adding these guards makes no
+      // sense (the implementation will take the union, but they'll be removed by
+      // deduplication). Hence we use `max` as an approximation.
+      varBounds =
+        max(VariableAccess access | isGuardPhiWithBound(def, v, access) | nrOfBoundsExpr(access)) and
+      result = (varBounds + 1) / 2
+    )
     or
     def.isPhiNode(v) and
     not isGuardPhiWithBound(def, v, _) and
@@ -2180,6 +2193,16 @@ module SimpleRangeAnalysisInternal {
 
   /** Gets the estimate of the number of bounds for `e`. */
   float estimateNrOfBounds(Expr e) { result = BoundsEstimate::nrOfBoundsExpr(e) }
+
+  /** Counts the numbers of lower bounds that are computed internally for `e`. */
+  float countNrOfLowerBounds(Expr e) {
+    result = strictcount(float lb | lb = getLowerBoundsImpl(e) | lb)
+  }
+
+  /** Counts the numbers of upper bounds that are computed internally for `e`. */
+  float countNrOfUpperBounds(Expr e) {
+    result = strictcount(float ub | ub = getUpperBoundsImpl(e) | ub)
+  }
 }
 
 /** Provides predicates for debugging the simple range analysis library. */
@@ -2208,7 +2231,7 @@ private module Debug {
    */
   predicate countGetLowerBoundsImpl(Expr e, int n) {
     e = getRelevantLocatable() and
-    n = strictcount(float lb | lb = getLowerBoundsImpl(e) | lb)
+    n = SimpleRangeAnalysisInternal::countNrOfLowerBounds(e)
   }
 
   float debugNrOfBounds(Expr e) {

cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll

@@ -308,3 +308,37 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
 
 module PossibleYearArithmeticOperationCheckFlow =
   TaintTracking::Global<PossibleYearArithmeticOperationCheckConfig>;
+
+/**
+ * A time conversion function where either
+ * 1) an incorrect leap year date would result in an error that can be checked from the return value or
+ * 2) an incorrect leap year date is auto corrected (no checks required)
+ */
+class TimeConversionFunction extends Function {
+  boolean autoLeapYearCorrecting;
+
+  TimeConversionFunction() {
+    autoLeapYearCorrecting = false and
+    (
+      this.getName() =
+        [
+          "FileTimeToSystemTime", "SystemTimeToFileTime", "SystemTimeToTzSpecificLocalTime",
+          "SystemTimeToTzSpecificLocalTimeEx", "TzSpecificLocalTimeToSystemTime",
+          "TzSpecificLocalTimeToSystemTimeEx", "RtlLocalTimeToSystemTime",
+          "RtlTimeToSecondsSince1970", "_mkgmtime", "SetSystemTime", "VarUdateFromDate", "from_tm"
+        ]
+      or
+      // Matches all forms of GetDateFormat, e.g. GetDateFormatA/W/Ex
+      this.getName().matches("GetDateFormat%")
+    )
+    or
+    autoLeapYearCorrecting = true and
+    this.getName() =
+      ["mktime", "_mktime32", "_mktime64", "SystemTimeToVariantTime", "VariantTimeToSystemTime"]
+  }
+
+  /**
+   * Holds if the function is expected to auto convert a bad leap year date.
+   */
+  predicate isAutoLeapYearCorrecting() { autoLeapYearCorrecting = true }
+}