Releases: github/codeql-coding-standards

v2.50.0

08 Sep 20:54
6e8a7c0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194

Release summary

  • New queries added for the following rule packages: BannedAPIs, Conversions
  • The following changes have been made for this release:
    • A3-9-1 - VariableWidthIntegerTypesUsed.ql:
      • This query now reports the use of non-fixed width integer types in function return types, with the exception of char types and for main functions.
    • ENV34-C, RULE-21-20, RULE-25-5-3: DoNotStorePointersReturnedByEnvFunctions.ql, CallToSetlocaleInvalidatesOldPointers.ql, CallToSetlocaleInvalidatesOldPointersMisra.ql
      • Fixed a misspelling of "subsequent" in the alert message.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.20.7 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.20.7.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.20.7.

Appendix: MISRA-C++-2023 new queries

New queries added to cover the following rules:

  • RULE-6-9-2 - AvoidStandardIntegerTypeNames.ql
  • RULE-7-0-1 - NoConversionFromBool.ql
  • RULE-7-0-2 - NoImplicitBoolConversion.ql
  • RULE-7-0-3 - NoCharacterNumericalValue.ql
  • RULE-7-0-4 - InappropriateBitwiseOrShiftOperands.ql
  • RULE-7-0-5 - NoSignednessChangeFromPromotion.ql
  • RULE-7-0-6 - NumericAssignmentTypeMismatch.ql
  • RULE-7-11-3 - FunctionPointerConversionContext.ql
  • RULE-18-5-2 - AvoidProgramTerminatingFunctions.ql
  • RULE-21-2-2 - UnsafeStringHandlingFunctions.ql
  • RULE-21-2-3 - BannedSystemFunction.ql
  • RULE-21-10-1 - NoVariadicFunctionMacros.ql
  • RULE-21-10-2 - NoCsetjmpHeader.ql
  • RULE-23-11-1 - UseSmartPtrFactoryFunctions.ql
  • RULE-24-5-1 - CharacterHandlingFunctionRestrictions.ql
  • RULE-24-5-2 - NoMemoryFunctionsFromCString.ql
  • RULE-25-5-1 - LocaleGlobalFunctionNotAllowed.ql

v2.49.0

18 Aug 22:39
875ae94

Release summary

  • New queries added for the following rule packages: Expressions2
  • The following changes have been made for this release:
    • DCL40-C, RULE-8-4: IncompatibleFunctionDeclarations.ql, CompatibleDeclarationFunctionDefined.ql.
      • Fixed performance issues introduced when upgrading to CodeQL 2.20.7 by removing unnecessary check that matching function declarations have matching names.
    • RULE-7-5: IncorrectlySizedIntegerConstantMacroArgument.ql.
      • Added a bindingset to improve performance when checking if a literal matches the size of an integer constant macro.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.20.7 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.20.7.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.20.7.

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • EXP16-C - DoNotCompareFunctionPointersToConstantValues.ql

v2.48.0

15 Jul 19:02
ae77621

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
    • SIG30-C: CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql
      • Fixed a misspelling of "asynchronous" in the alert message.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.19.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.19.4.

v2.47.0

16 Jun 19:38
6631d2f

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
    • FIO39-C, FIO50-CPP, A27-0-3, RULE-30-0-2: IOFstreamMissingPositioning.ql, InterleavedInputOutputWithoutPosition.ql, InterleavedInputOutputWithoutFlush.ql, ReadsAndWritesOnStreamNotSeparatedByPositioning.ql.
      • Improved performance for codebases with large numbers of stream or file accesses.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.19.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.19.4.

v2.46.0

04 Jun 14:12
d891a22

Release summary

  • No new queries were added for this release

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.19.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.19.4.

v2.45.0

21 May 18:06
3b16880

Release summary

  • New queries added for the following rule packages: FloatingPoint
  • The following changes have been made for this release:
    • RULE-1-4 - EmergentLanguageFeaturesUsed.ql:
      • Allow usage of atomics, thread.h, and _Thread_local as per MISRA C 2012 Amendment 4.
    • RULE-21-22, RULE-21-23 - TgMathArgumentWithInvalidEssentialType.ql, TgMathArgumentsWithDifferingStandardType.ql
      • Change type-generic macro analysis for finding macro parameters to be compatible with gcc, by ignoring early arguments inserted by gcc.
      • Change explicit conversion logic to ignore the explicit casts inserted in macro bodies by clang, which previously overruled the argument essential type.
    • RULE-13-2 - UnsequencedAtomicReads.ql:
      • Handle statement expression implementation of atomic operations in gcc.
    • RULE-21-25 - InvalidMemoryOrderArgument.ql:
      • Handle the case where the enum memory_order is declared via a typedef as an anonymous enum.
      • Rewrite how atomically sequenced operations are found; no longer look for builtins or internal functions, instead look for macros with the exact expected name and analyze the macro bodies for the memory sequence parameter.
    • RULE-9-7 - UninitializedAtomicArgument.ql:
      • Handle gcc case where atomic_init is defined as a call to atomic_store, and take a more flexible approach to finding the initialized atomic variable.
    • DIR-4-15 - PossibleMisuseOfUndetectedInfinity.ql, PossibleMisuseOfUndetectedNaN.ql:
      • Fix issue when analyzing clang/gcc implementations of floating point classification macros, where analysis incorrectly determined that x in isinf(x) was guaranteed to be infinite at the call site itself, affecting later analysis involving x.
    • The following query suites have been added or modified for CERT C:
      • A new query suite, cert-c-default.qls, has been created to avoid confusion with the CERT C++ query suites. The cert-default.qls suite has been deprecated, will be removed in a future release, and is replaced by the cert-c-default.qls suite.
        • The cert-c-default.qls suite has been specified as the default for the pack, and will include our most up-to-date coverage for CERT C.
      • One new query suite, cert-c-recommended.qls, has been added to enable running CERT recommendations (as opposed to rules) that will be added in the future.
      • The default query suite, cert-c-default.qls, has been set to exclude CERT recommendations (as opposed to rules) that will be added in the future.
    • The following query suites have been added or modified for CERT C++:
      • A new query suite, cert-cpp-default.qls, has been created to avoid confusion with the CERT C query suites. The cert-default.qls suite has been deprecated, will be removed in a future release, and is replaced by the cert-cpp-default.qls suite.
        • The cert-cpp-default.qls suite has been specified as the default for the pack, and will include our most up-to-date coverage for CERT C.
      • A new query suite, cert-cpp-single-translation-unit.qls, has been created to avoid confusion with the CERT C query suites. The cert-single-translation-unit.qls suite has been deprecated, will be removed in a future release, and is replaced by the cert-cpp-single-translation-unit.qls suite.
    • DIR-4-15 - PossibleMisuseOfUndetectedInfinity.ql, PossibleMisuseOfUndetectedNaN.ql:
      • Add logic to suppress NaNs from the CodeQL extractor in the new restricted range analysis, which can have unexpected downstream effects.
      • Alter the behavior of floating point class guards (such as isinf, isfinite, isnan) to more correctly reflect the branches that have been guarded.
      • Query files have been moved/refactored to share logic across MISRA-C and MISRA-C++; no observable change in behavior from this is expected.
    • All CERT rules now include additional tags to represent the Risk Assessment properties specified on CERT rules.
      • In addition, new query suites are included which allow the selection of queries that represent CERT Rules (not Recommendations) for each of the Levels (1-3). These are called cert-<lang>-<level>.qls and can be used either directly in the CodeQL CLI, or via the CodeQL Action.
    • Support for MISRA C 2023 is now completed.
      • The default query suites for MISRA C now target MISRA C 2023.
      • The user manual has been updated to list MISRA C 2023 as completed.
      • The misra-c-2012-third-edition-with-amendment-2.qls query suite can be used to run the queries present in MISRA C 2012 (3rd Edition) and Amendment 2.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.19.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.19.4.

Appendix: MISRA-C++-2023 new queries

New queries added to cover the following rules:

  • DIR-0-3-1 - PossibleMisuseOfInfiniteFloatingPointValue.ql, PossibleMisuseOfNaNFloatingPointValue.ql

v2.44.0

30 Apr 15:05
7600a3c

Release summary

  • New queries added for the following rule packages: Concurrency9, EssentialTypes2, FloatingTypes2, Generics, Contracts, Pointers1
  • The following changes have been made for this release:
    • Concurrency.qll - for all queries using this library
      • This has been refactored into a set of smaller utility files. No impact on query results or performance expected.
    • All rules using Type.qll, TypeUses.qll, Pointers.qll, TrivialType.qll, VariablyModifiedTypes.qll:
      • Files moved into cpp/common/types directory. No external changes in behavior expected.
  • RULE-2-8 - UnusedObjectDefinition.ql, UnusedObjectDefinitionStrict.ql:
    • Refactor to allow additional parameters in non-macro results for library DeduplicateMacroResults.qll.
    • Refactor to replace Location with Locatable in API of library DeduplicationMacroResults.qll.
    • No observable difference in behavior expected.
  • EssentialType - for all queries related to essential types:
    • Updated the way essential types of expressions with "conversions" (including explicit casts, parentheses, and implicit conversions such as array-to-pointer conversions) are handled, to get proper essential types when parentheses, casts, and generics interact.
  • RULE-8-3 - DeclarationsOfAFunctionSameNameAndType.ql, DeclarationsOfAnObjectSameNameAndType.ql:
    • New shared module used to fix false positives for compound types referring to the same basic integer types under a different name, e.g., query will not report for signed[4] used in place of int[4] as per MISRA spec.
    • Now query will report incompatibilities for two functions of the same name with a different number of parameters.
    • Query result string updated to not use the word "Compatible," which is confusing, as it may falsely appear that the query is testing for compatibility as defined by C17.
  • RULE-8-4, DCL40-C - CompatibleDeclarationFunctionDefined.ql, CompatibleDeclarationObjectDefined.ql, IncompatibleFunctionDeclarations.ql:
    • New shared module used to fix false positives by updating "compatible" type checks to more closely match the C17 standard. For instance, int[3] and int[] are compatible declarations (while int[3] and int[4] are not), and typedefs are now resolved as well. Some false positives may still occur regarding structs from different compilation units.
  • DIR-4-9 - FunctionOverFunctionLikeMacro.ql:
    • Macros with _Generic now no longer reported.
  • RULE-1-4 - EmergentLanguageFeaturesUsed.ql:
    • Ban on usage of _Generics removed.
  • RULE-18-6 - ThreadLocalObjectAddressCopiedToGlobalObject.ql:
    • New query added to detect thread local objects assigned to static storage duration objects.
  • RULE-21-12 - ExceptionHandlingFeaturesOfFenvhUsed.ql:
    • Added reports for #include-ing "fenv.h", and for using fesetenv, feupdatenv, and fesetround.
    • Report message altered to handle new cases.
  • The DeviationsSuppression.ql query has been restored after being incorrectly deleted in a previous release.
  • DIR-4-11 - LowPrecisionPeriodicTrigonometricFunctionCall.ql:
    • New query within rule added to detect calls to periodic trigonometric functions with values outside of pi*k for k that depends on implementation and application precision goals, assuming k=1 for 32 bit floating types and k=10 for 64 bit floating types.
  • RULE-8-3, RULE-8-4, DCL40-C, RULE-23-5: DeclarationsOfAFunctionSameNameAndType.ql, DeclarationsOfAnObjectSameNameAndType.ql, CompatibleDeclarationOfFunctionDefined.ql, CompatibleDeclarationObjectDefined.ql, IncompatibleFunctionDeclarations.ql, DangerousDefaultSelectionForPointerInGeneric.ql:
    • Added pragmas to alter join order on function parameter equivalence (names and types).
    • Refactored expression which the optimizer was confused by, and compiled into a cartesian product.
    • Altered the module Compatible.qll to compute equality in two stages. Firstly, all pairs of possible type comparisons (including recursive comparisons) are found, then those pairwise comparisons are evaluated in a second stage. This greatly reduces the number of comparisons and greatly improves performance.
  • RULE-23-5: DangerousDefaultSelectionForPointerInGeneric.ql:
    • Altered the module SimpleAssignment.qll in accordance with the changes to Compatible.qll.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.19.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.19.4.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • DIR-4-11 - LowPrecisionPeriodicTrigonometricFunctionCall.ql
  • DIR-4-15 - PossibleMisuseOfUndetectedInfinity.ql, PossibleMisuseOfUndetectedNaN.ql
  • DIR-5-1 - PossibleDataRaceBetweenThreads.ql
  • RULE-18-6 - ThreadLocalObjectAddressCopiedToGlobalObject.ql
  • RULE-21-22 - TgMathArgumentWithInvalidEssentialType.ql
  • RULE-21-23 - TgMathArgumentsWithDifferingStandardType.ql
  • RULE-22-15 - ThreadResourceDisposedBeforeThreadsJoined.ql
  • RULE-22-17 - InvalidOperationOnUnlockedMutex.ql
  • RULE-22-18 - NonRecursiveMutexRecursivelyLocked.ql, NonRecursiveMutexRecursivelyLockedAudit.ql
  • RULE-22-19 - ConditionVariableUsedWithMultipleMutexes.ql
  • RULE-22-20 - ThreadStorageNotInitializedBeforeUse.ql, ThreadStoragePointerInitializedInsideThread.ql
  • RULE-23-1 - GenericSelectionNotExpandedFromAMacro.ql, GenericSelectionDoesntDependOnMacroArgument.ql
  • RULE-23-2 - GenericSelectionNotFromMacroWithSideEffects.ql
  • RULE-23-3 - GenericWithoutNonDefaultAssociation.ql
  • RULE-23-4 - GenericAssociationWithUnselectableType.ql
  • RULE-23-5 - DangerousDefaultSelectionForPointerInGeneric.ql
  • RULE-23-6 - GenericExpressionWithIncorrectEssentialType.ql
  • RULE-23-7 - InvalidGenericMacroArgumentEvaluation.ql
  • RULE-23-8 - DefaultGenericSelectionNotFirstOrLast.ql

v2.43.0

24 Mar 18:30
cf2b300

Release summary

  • New queries added for the following rule packages: Declarations9, SideEffects3
  • The following changes have been made for this release:
    • RULE-11-3 - CastBetweenObjectPointerAndDifferentObjectType.ql
      • Constrain the exception that pointer types may be cast to char types, so that it does not apply to atomic pointer types, in compliance with MISRA-C 2012 Amendment 4.
    • RULE-11-8 - CastRemovesConstOrVolatileQualification.ql
      • Query expanded to detect cases of removing _Atomic qualification, in compliance with MISRA-C 2012 Amendment 4.
    • EXP33-C, RULE-9-1, A8-5-0, EXP53-CPP - DoNotReadUninitializedMemory.ql, ObjectWithAutoStorageDurationReadBeforeInit.ql, MemoryNotInitializedBeforeItIsRead.ql, DoNotReadUninitializedMemory.ql
      • Atomic local variables excluded from query results, in compliance with MISRA-C 2012 Amendment 4, and to reduce false positives in the other standards.
    • RULE-13-2 - UnsequencedAtomicReads.ql
      • New query to find expressions which read an atomic variable more than once between sequence points, to address new case from MISRA-C 2012 Amendment 4.
    • RULE-3-1 - CharacterSequencesAndUsedWithinAComment.ql
      • Add exception allowing URLs inside of cpp-style /* ... */ comments, in compliance with MISRA-C 2012 Amendment 4.
      • No longer report cases of //*some comment in this rule.
    • A new in-code deviation format has been introduced, using the C/C++ attribute syntax:
      [[codeql::<standard>_deviation("<code-identifier>")]]
      This can be applied to functions, statements and variables to apply a deviation from the Coding Standards configuration file. The user manual has been updated to describe the new format.
    • For those codebases that cannot use standard attributes, we have also introduced a comment-based syntax:
      // codeql::<standard>_deviation(<code-identifier>)
      // codeql::<standard>_deviation_next_line(<code-identifier>)
      // codeql::<standard>_deviation_begin(<code-identifier>)
      // codeql::<standard>_deviation_end(<code-identifier>)
      Further information is available in the user manual.
    • RULE-8-7 - ShouldNotBeDefinedWithExternalLinkage.ql:
      • Remove false positives where the declaration is not defined in the database.
      • Remove false positives where the definition and reference are in different translation units.
      • Remove false positives where the reference occurs in a header file.
    • RULE-8-3 - DeclarationsOfAFunctionSameNameAndType.ql:
      • Implement new exception: unnamed parameters are not covered by this rule.
    • RULE-10-2 - AdditionSubtractionOnEssentiallyCharType.ql:
      • Disallow + and - operations with an essentially char type and other types larger than int type.
      • Note, this change affects the essential type of such expressions, which may affect other essential types rules.
    • RULE-18-1, M5-0-16 - PointerAndDerivedPointerMustAddressSameArray.ql, PointerAndDerivedPointerAccessDifferentArray.ql:
      • Treat casts to byte pointers as pointers to arrays of the size of the pointed-to type.
      • Fix typo in report message, "passed" replaced with "past."
      • Suppress results where range analysis appears potentially unreliable.
    • RULE-21-10, RULE-25-5-3, ENV34-C - CallToSetlocaleInvalidatesOldPointers.ql, CallToSetlocaleInvalidatesOldPointersMisra.ql, DoNotStorePointersReturnedByEnvFunctions.ql:
      • Report usage of returned pointers from asctime, ctime, during a call to either of the former.
      • Report usage of returned pointers from gmtime, localtime, during a call to either of the former.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.19.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.19.4.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-11-10 - AtomicQualifierAppliedToVoid.ql
  • RULE-13-2 - UnsequencedAtomicReads.ql

v2.42.0

11 Mar 17:54
2b0e8dd

Release summary

  • New queries added for the following rule packages: Concurrency6, Concurrency7, Concurrency8
  • The following changes have been made for this release:
  • CON34-C - AppropriateThreadObjectStorageDurations.ql:
    • Improved analysis for detecting objects with automatic storage duration
    • New reports will include a.x, a[x] for object a with automatic storage duration
  • DCL30-C - AppropriateStorageDurationsFunctionReturn.ql:
    • Improved analysis for detecting objects with automatic storage duration
    • New reports will include a.x, a[x] for object a with automatic storage duration
    • False positives related to returning copying pointer values
  • EXP35-C - DoNotModifyObjectsWithTemporaryLifetime.ql:
    • Improved analysis for detecting objects with temporary lifetime
    • More non-lvalue expressions that produce temporary objects detected, for instance (x = y).x, previously only f().x discovered
  • MEM33-C - AllocStructsWithAFlexibleArrayMemberDynamically.ql:
    • Improved analysis for detecting objects with automatic storage duration
    • New reports will include struct literals with a flexible array member
  • RULE-18-9 - ModifiableLValueSubscriptedWithTemporaryLifetime.ql:
    • Problems will be reported at more obviously non-lvalue locations
    • Implementation refactored to be shared with other libraries
    • No other changes expected
  • RULE-18-9 - ArrayToPointerConversionOfTemporaryLifetime.ql:
    • Problems will be reported at more obviously non-lvalue locations
    • Implementation refactored to be shared with other libraries
    • No other changes expected
  • Concurrency - for all queries related to RAII-style mutexes
    • These types of locks have been refactored to improve performance in some queries. No change in query results expected.
  • ERR57-CPP - DoNotLeakResourcesWhenHandlingExceptions.ql:
    • Resource leak detection code refactored for sharing across queries
    • Control flow no longer uses "cut nodes." This could impact performance positively or negatively, however measurements have been taken that indicate no significant change
    • Some false positives have been suppressed due to slightly different control flow approach
    • Leaked mutex locks and open files are reported at slightly different location, reported at call site (e.g. f.open(...), m.lock()) rather than on the variable itself (f and m).
  • A15-1-4 - ValidResourcesStateBeforeThrow.ql:
    • Resource leak detection code refactored for sharing across queries
    • Control flow no longer uses "cut nodes." This could impact performance positively or negatively, however measurements have been taken that indicate no significant change
    • Some false positives have been suppressed due to slightly different control flow approach
    • Leaked mutex locks and open files are reported at slightly different location, reported at call site (e.g. f.open(...), m.lock()) rather than on the variable itself (f and m).
  • A15-4-4 - MissingNoExcept.ql:
    • Enable deviations on either declarations or definitions.
  • A7-1-1 - DeclarationUnmodifiedObjectMissingConstSpecifier.ql:
    • Exclude rvalue references.
  • EssentialType - for all queries related to essential types:
    • Complex floating types are now considered a different essential type than real floating types.
  • RULE-10-1, RULE-10-3, RULE-10-4, RULE-10-5, RULE-10-7, RULE-10-8 - OperandsOfAnInappropriateEssentialType.ql, AssignmentOfIncompatibleEssentialType.ql, OperandsWithMismatchedEssentialTypeCategory.ql, InappropriateEssentialTypeCast.ql, ImplicitConversionOfCompositeExpression.ql, InappropriateCastOfCompositeExpression.ql:
    • Updates to rules handling complex floating types in MISRA-C 2012 Amendment 3 have been implemented.
  • RULE-14-1 - LoopOverEssentiallyFloatType.ql:
    • Query updated to account for the existence of complex essentially floating point types. No change in query results or performance expected.
  • DIR-4-6 - PlainNumericalTypeUsedOverExplicitTypedef.ql:
    • Updates from MISRA-C 2012 Amendment 3 specifying complex fixed width typedef support have been implemented.
  • RULE-1-4 - EmergentLanguageFeaturesUsed.ql:
    • Remove restrictions on stdnoreturn.h, stdalign.h.
  • RULE-13-6 - SizeofOperandWithSideEffect.ql:
    • Changed from Mandatory to Required in implementation of Technical Corrigenda 2.
  • RULE-17-5 - ArrayFunctionArgumentNumberOfElements.ql:
    • Changed from Advisory to Required in implementation of Technical Corrigenda 2.
  • RULE-21-11 - StandardHeaderFileTgmathhUsed.ql:
    • Changed from Required to Advisory in implementation of Amendment 3.
  • A3-1-5 - NonTrivialNonTemplateFunctionDefinedInsideClassDefinition.ql:
    • Mark this as an audit query. As a consequence, it will no longer be run as part of the default query suite for AUTOSAR. It can still be run as part of the autosar-audit.qls query suite. The query has been downgraded because the rule allows for functions to be declared in the class body if they were "intended" to be inlined, and that developer intention cannot be determined automatically from the code.
  • M5-3-1 - EachOperandOfTheOperatorOfTheLogicalAndOrTheLogicalOperatorsShallHaveTypeBool.ql:
    • Consistently exclude results in unevaluated contexts associated with uninstantiated templates, for example noexcept specifiers and static_asserts.
  • A5-1-9 - IdenticalLambdaExpressions.ql:
    • Performance has been improved.
    • False positives due to repeated invocation of macros containing lambdas have been excluded.
  • A2-7-3 - UndocumentedUserDefinedType.ql
    • Fixes #718. Include trailing characters after group comment endings with ///@{ ... ///@}.
  • A27-0-3, FIO39-C, FIO50-CPP, RULE-30-0-2 - InterleavedInputOutputWithoutFlush.ql, DoNotAlternatelyIOFromStreamWithoutPositioning.ql, InterleavedInputOutputWithoutPosition.ql, ReadsAndWritesOnStreamNotSeparatedByPositioning.ql:
    • Reduce evaluation time on complex codebases.
  • RULE-22-16, ERR57-CPP, A15-1-4 - MutexObjectsNotAlwaysUnlocked.ql, DoNotLeakResourcesWhenHandlingExceptions.ql, ValidResourcesStateBeforeThrow.ql:
    • Shared module ResourceLeakAnalysis.qll changed to not get aliases recursively for simplicity and improved performance. The recent update to these queries had logic intending to handle the case where an allocation node is an alias of a parent node, and the free operation releases that parent node. However, the behavior was incorrectly defined and not working, and in the presence of performance issues this behavior has been removed.
    • (RULE-22-16 only) The alias behavior has been updated to compare expressions with HashCons instead of GlobalValueNumbering for higher performance. GVN is more expensive generally, seemed to introduce low performance joins secondarily, and is stricter than HashCons in a contravening position, meaning a stricter analysis introduces a higher likelihood of false positives.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.19.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.19.4.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • DIR-5-2 - NotNoDeadlocksBetweenThreads.ql
  • DIR-5-3 - ThreadCreatedByThread.ql, BannedDynamicThreadCreation.ql
  • RULE-9-7 - UninitializedAtomicObject.ql
  • RULE-12-6 - AtomicAggregateObjectDirectlyAccessed.ql
  • RULE-21-25 - InvalidMemoryOrderArgument.ql
  • RULE-21-26 - TimedlockOnInappropriateMutexType.ql
  • RULE-22-11 - ThreadPreviouslyJoinedOrDetached.ql
  • RULE-22-12 - NonstandardUseOfThreadingObject.ql
  • RULE-22-13 - ThreadingObjectWithInvalidStorageDuration.ql
  • RULE-22-14 - MutexNotInitializedBeforeUse.ql, MutexInitializedInsideThread.ql, MutexInitWithInvalidMutexType.ql
  • RULE-22-16 - MutexObjectsNotAlwaysUnlocked.ql

v2.41.0

27 Jan 20:59
c5d488d

Release summary

  • New queries added for the following rule packages: DeadCode2
  • The following changes have been made for this release:
    • RULE-10-1, RULE-10-3, RULE-10-4, RULE-10-5, RULE-10-6, RULE-10-7, RULE-10-8, RULE-12-2 - OperandsOfAnInappropriateEssentialType.ql, AssignmentOfIncompatibleEssentialType.ql, OperandsWithMismatchedEssentialTypeCategory.ql, InappropriateEssentialTypeCast.ql, AssignmentToWiderEssentialType.ql, ImplicitConversionOfCompositeExpression.ql, InappropriateCastOfCompositeExpression.ql:
      • False positives and false negatives removed due to fixing incorrect essential type of the binary bitwise operations ^, | and &. Previously the standard type was used, instead of applying the essential type rules which dictate that if both arguments have the same signedness, the essential type will have the same signedness and a rank equal to the larger of the two operands.
    • M7-5-1, RULE-6-8-2 - FunctionReturnAutomaticVarCondition.ql, ReturnReferenceOrPointerToAutomaticLocalVariable.ql:
      • Remove false positives for member and global variables reported under this rule.
    • A7-1-2 - FunctionMissingConstexpr.ql
      • Address false positives by removing the query - the rule is not intended to cover functions.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.18.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.18.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.18.4.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-2-8 - UnusedObjectDefinition.ql, UnusedObjectDefinitionStrict.ql