diff --git a/change-notes/1.23/analysis-cpp.md b/change-notes/1.23/analysis-cpp.md index 4c7b1d0a26c1..e4f7096ed672 100644 --- a/change-notes/1.23/analysis-cpp.md +++ b/change-notes/1.23/analysis-cpp.md 
@@ -30,32 +30,35 @@ The following changes in version 1.23 affect C/C++ analysis in all applications. ## Changes to libraries -* The data-flow library has been extended with a new feature to aid debugging. - Instead of specifying `isSink(Node n) { any() }` on a configuration to - explore the possible flow from a source, it is recommended to use the new - `Configuration::hasPartialFlow` predicate, as this gives a more complete - picture of the partial flow paths from a given source. The feature is - disabled by default and can be enabled for individual configurations by - overriding `int explorationLimit()`. -* The data-flow library now supports flow out of C++ reference parameters. -* The data-flow library now allows flow through the address-of operator (`&`). -* The `DataFlow::DefinitionByReferenceNode` class now considers `f(x)` to be a - definition of `x` when `x` is a variable of pointer type. It no longer - considers deep paths such as `f(&x.myField)` to be definitions of `x`. These - changes are in line with the user expectations we've observed. -* The data-flow library now makes it easier to specify barriers/sanitizers - arising from guards by overriding the predicate - `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking - configurations respectively. -* There is now a `DataFlow::localExprFlow` predicate and a - `TaintTracking::localExprTaint` predicate to make it easy to use the most - common case of local data flow and taint: from one `Expr` to another. +* The data-flow library in `semmle.code.cpp.dataflow.DataFlow` and + `semmle.code.cpp.dataflow.TaintTracking` have had extensive changes: + * Data flow through fields is now more complete and reliable. 
+ * To debug a lack of flow, instead of specifying `isSink(Node n) { any() }` + on a configuration to + explore the possible flow from a source, it is recommended to use the new + `Configuration::hasPartialFlow` predicate as this gives a more complete + picture of the partial flow paths from a given source. The feature is + disabled by default and can be enabled for individual configurations by + overriding `int explorationLimit()`. + * There is now flow out of C++ reference parameters. + * There is now flow through the address-of operator (`&`). + * The `DataFlow::DefinitionByReferenceNode` class now considers `f(x)` to be a + definition of `x` when `x` is a variable of pointer type. It no longer + considers deep paths such as `f(&x.myField)` to be definitions of `x`. These + changes are in line with the user expectations we've observed. + * It's now easier to specify barriers/sanitizers + arising from guards by overriding the predicate + `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking + configurations respectively. + * There is now a `DataFlow::localExprFlow` predicate and a + `TaintTracking::localExprTaint` predicate to make it easy to use the most + common case of local data flow and taint: from one `Expr` to another. * The member predicates of the `FunctionInput` and `FunctionOutput` classes have been renamed for clarity (e.g. `isOutReturnPointer()` to `isReturnValueDeref()`). The existing member predicates have been deprecated, and will be removed in a future release. Code that uses the old member predicates should be updated to use the corresponding new member predicate. -* The predicates `Declaration.hasStdName()` and `Declaration.hasGlobalOrStdName` - have been added, simplifying handling of C++ standard library functions. +* The predicate `Declaration.hasGlobalOrStdName` has been added, making it + easier to recognize C library functions called from C++. * The control-flow graph is now computed in QL, not in the extractor. 
This can lead to regressions (or improvements) in how queries are optimized because optimization in QL relies on static size estimates, and the control-flow edge
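Review bot: subject/verb agreement in the first added bullet: "The data-flow library in `semmle.code.cpp.dataflow.DataFlow` and `semmle.code.cpp.dataflow.TaintTracking` have had extensive changes" should read "has had" (one library, two modules), or be rephrased as "The data-flow libraries ... have had". Two smaller points in the same hunk: the removed bullet documented both `Declaration.hasStdName()` and `Declaration.hasGlobalOrStdName`, while the replacement mentions only `hasGlobalOrStdName`; if `hasStdName()` still ships in 1.23 it should remain listed so users can find it, and if it was dropped the note should say so rather than silently omitting it. Also the predicate name is written once as `hasStdName()` and once as `hasGlobalOrStdName` without parentheses; the examples elsewhere in this file (`isOutReturnPointer()`, `isReturnValueDeref()`) use parentheses, so `Declaration.hasGlobalOrStdName()` would be consistent. Finally, the new sub-bullet "Data flow through fields is now more complete and reliable" is the only entry with no concrete hint of what changed; a short clause on what now flows (for example, which field accesses or assignments) would make it actionable for query authors checking for new results.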