Merge pull request #10093 from smowton/smowton/feature/java-singular-locations

Java: pick an arbitrary representative location when an entity has many candidate locations.

Author: smowton

cpp/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -330,6 +330,19 @@ abstract private class Expectation extends FailureLocatable {
   override Location getLocation() { result = comment.getLocation() }
 }
 
+private predicate onSameLine(ValidExpectation a, ActualResult b) {
+  exists(string fname, int line, Location la, Location lb |
+    // Join order intent:
+    // Take the locations of ActualResults,
+    // join with locations in the same file / on the same line,
+    // then match those against ValidExpectations.
+    la = a.getLocation() and
+    pragma[only_bind_into](lb) = b.getLocation() and
+    pragma[only_bind_into](la).hasLocationInfo(fname, line, _, _, _) and
+    lb.hasLocationInfo(fname, line, _, _, _)
+  )
+}
+
 private class ValidExpectation extends Expectation, TValidExpectation {
   string tag;
   string value;
@@ -344,8 +357,7 @@ private class ValidExpectation extends Expectation, TValidExpectation {
   string getKnownFailure() { result = knownFailure }
 
   predicate matchesActualResult(ActualResult actualResult) {
-    getLocation().getStartLine() = actualResult.getLocation().getStartLine() and
-    getLocation().getFile() = actualResult.getLocation().getFile() and
+    onSameLine(pragma[only_bind_into](this), actualResult) and
     getTag() = actualResult.getTag() and
     getValue() = actualResult.getValue()
   }

csharp/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -330,6 +330,19 @@ abstract private class Expectation extends FailureLocatable {
   override Location getLocation() { result = comment.getLocation() }
 }
 
+private predicate onSameLine(ValidExpectation a, ActualResult b) {
+  exists(string fname, int line, Location la, Location lb |
+    // Join order intent:
+    // Take the locations of ActualResults,
+    // join with locations in the same file / on the same line,
+    // then match those against ValidExpectations.
+    la = a.getLocation() and
+    pragma[only_bind_into](lb) = b.getLocation() and
+    pragma[only_bind_into](la).hasLocationInfo(fname, line, _, _, _) and
+    lb.hasLocationInfo(fname, line, _, _, _)
+  )
+}
+
 private class ValidExpectation extends Expectation, TValidExpectation {
   string tag;
   string value;
@@ -344,8 +357,7 @@ private class ValidExpectation extends Expectation, TValidExpectation {
   string getKnownFailure() { result = knownFailure }
 
   predicate matchesActualResult(ActualResult actualResult) {
-    getLocation().getStartLine() = actualResult.getLocation().getStartLine() and
-    getLocation().getFile() = actualResult.getLocation().getFile() and
+    onSameLine(pragma[only_bind_into](this), actualResult) and
     getTag() = actualResult.getTag() and
     getValue() = actualResult.getValue()
   }

go/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -330,6 +330,19 @@ abstract private class Expectation extends FailureLocatable {
   override Location getLocation() { result = comment.getLocation() }
 }
 
+private predicate onSameLine(ValidExpectation a, ActualResult b) {
+  exists(string fname, int line, Location la, Location lb |
+    // Join order intent:
+    // Take the locations of ActualResults,
+    // join with locations in the same file / on the same line,
+    // then match those against ValidExpectations.
+    la = a.getLocation() and
+    pragma[only_bind_into](lb) = b.getLocation() and
+    pragma[only_bind_into](la).hasLocationInfo(fname, line, _, _, _) and
+    lb.hasLocationInfo(fname, line, _, _, _)
+  )
+}
+
 private class ValidExpectation extends Expectation, TValidExpectation {
   string tag;
   string value;
@@ -344,8 +357,7 @@ private class ValidExpectation extends Expectation, TValidExpectation {
   string getKnownFailure() { result = knownFailure }
 
   predicate matchesActualResult(ActualResult actualResult) {
-    getLocation().getStartLine() = actualResult.getLocation().getStartLine() and
-    getLocation().getFile() = actualResult.getLocation().getFile() and
+    onSameLine(pragma[only_bind_into](this), actualResult) and
     getTag() = actualResult.getTag() and
     getValue() = actualResult.getValue()
   }

java/ql/lib/change-notes/2022-08-19-signular-locations.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Classes and methods that are seen with several different paths during the extraction process (for example, packaged into different JAR files) now report an arbitrarily selected location via their `getLocation` and `hasLocationInfo` predicates, rather than reporting all of them. This may lead to reduced alert duplication.

java/ql/lib/semmle/code/Location.qll

@@ -205,5 +205,19 @@ cached
 private predicate fixedHasLocation(Top l, Location loc, File f) {
   hasSourceLocation(l, loc, f)
   or
-  hasLocation(l, loc) and not hasSourceLocation(l, _, _) and locations_default(loc, f, _, _, _, _)
+  // When an entity has more than one location, as it might due to
+  // e.g. a parameterized generic being seen and extracted in several
+  // different directories or JAR files, select an arbitrary representative
+  // location to avoid needlessly duplicating alerts.
+  //
+  // Don't do this when the relevant location is in a source file, because
+  // that is much more unusual and we would rather notice the bug than mask it here.
+  loc =
+    min(Location candidateLoc |
+      hasLocation(l, candidateLoc)
+    |
+      candidateLoc order by candidateLoc.getFile().toString()
+    ) and
+  not hasSourceLocation(l, _, _) and
+  locations_default(loc, f, _, _, _, _)
 }

java/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -330,6 +330,19 @@ abstract private class Expectation extends FailureLocatable {
   override Location getLocation() { result = comment.getLocation() }
 }
 
+private predicate onSameLine(ValidExpectation a, ActualResult b) {
+  exists(string fname, int line, Location la, Location lb |
+    // Join order intent:
+    // Take the locations of ActualResults,
+    // join with locations in the same file / on the same line,
+    // then match those against ValidExpectations.
+    la = a.getLocation() and
+    pragma[only_bind_into](lb) = b.getLocation() and
+    pragma[only_bind_into](la).hasLocationInfo(fname, line, _, _, _) and
+    lb.hasLocationInfo(fname, line, _, _, _)
+  )
+}
+
 private class ValidExpectation extends Expectation, TValidExpectation {
   string tag;
   string value;
@@ -344,8 +357,7 @@ private class ValidExpectation extends Expectation, TValidExpectation {
   string getKnownFailure() { result = knownFailure }
 
   predicate matchesActualResult(ActualResult actualResult) {
-    getLocation().getStartLine() = actualResult.getLocation().getStartLine() and
-    getLocation().getFile() = actualResult.getLocation().getFile() and
+    onSameLine(pragma[only_bind_into](this), actualResult) and
     getTag() = actualResult.getTag() and
     getValue() = actualResult.getValue()
   }

java/ql/test/kotlin/library-tests/fake_overrides/kotlin_calling_java/call.expected

@@ -1,2 +1 @@
-| A.kt:4:21:4:29 | someFun(...) | file:///!unknown-binary-location/OC$C.class:0:0:0:0 | someFun | file:///!unknown-binary-location/OC$C.class:0:0:0:0 | C<D1,D2,E1,E2> | OC.class:0:0:0:0 | OC<F1,F2> |
 | A.kt:4:21:4:29 | someFun(...) | file:///!unknown-binary-location/OC$C.class:0:0:0:0 | someFun | file:///!unknown-binary-location/OC$C.class:0:0:0:0 | C<D1,D2,E1,E2> | file:///!unknown-binary-location/OC.class:0:0:0:0 | OC<F1,F2> |

python/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -330,6 +330,19 @@ abstract private class Expectation extends FailureLocatable {
   override Location getLocation() { result = comment.getLocation() }
 }
 
+private predicate onSameLine(ValidExpectation a, ActualResult b) {
+  exists(string fname, int line, Location la, Location lb |
+    // Join order intent:
+    // Take the locations of ActualResults,
+    // join with locations in the same file / on the same line,
+    // then match those against ValidExpectations.
+    la = a.getLocation() and
+    pragma[only_bind_into](lb) = b.getLocation() and
+    pragma[only_bind_into](la).hasLocationInfo(fname, line, _, _, _) and
+    lb.hasLocationInfo(fname, line, _, _, _)
+  )
+}
+
 private class ValidExpectation extends Expectation, TValidExpectation {
   string tag;
   string value;
@@ -344,8 +357,7 @@ private class ValidExpectation extends Expectation, TValidExpectation {
   string getKnownFailure() { result = knownFailure }
 
   predicate matchesActualResult(ActualResult actualResult) {
-    getLocation().getStartLine() = actualResult.getLocation().getStartLine() and
-    getLocation().getFile() = actualResult.getLocation().getFile() and
+    onSameLine(pragma[only_bind_into](this), actualResult) and
     getTag() = actualResult.getTag() and
     getValue() = actualResult.getValue()
   }

ql/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -330,6 +330,19 @@ abstract private class Expectation extends FailureLocatable {
   override Location getLocation() { result = comment.getLocation() }
 }
 
+private predicate onSameLine(ValidExpectation a, ActualResult b) {
+  exists(string fname, int line, Location la, Location lb |
+    // Join order intent:
+    // Take the locations of ActualResults,
+    // join with locations in the same file / on the same line,
+    // then match those against ValidExpectations.
+    la = a.getLocation() and
+    pragma[only_bind_into](lb) = b.getLocation() and
+    pragma[only_bind_into](la).hasLocationInfo(fname, line, _, _, _) and
+    lb.hasLocationInfo(fname, line, _, _, _)
+  )
+}
+
 private class ValidExpectation extends Expectation, TValidExpectation {
   string tag;
   string value;
@@ -344,8 +357,7 @@ private class ValidExpectation extends Expectation, TValidExpectation {
   string getKnownFailure() { result = knownFailure }
 
   predicate matchesActualResult(ActualResult actualResult) {
-    getLocation().getStartLine() = actualResult.getLocation().getStartLine() and
-    getLocation().getFile() = actualResult.getLocation().getFile() and
+    onSameLine(pragma[only_bind_into](this), actualResult) and
     getTag() = actualResult.getTag() and
     getValue() = actualResult.getValue()
   }

ruby/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -330,6 +330,19 @@ abstract private class Expectation extends FailureLocatable {
   override Location getLocation() { result = comment.getLocation() }
 }
 
+private predicate onSameLine(ValidExpectation a, ActualResult b) {
+  exists(string fname, int line, Location la, Location lb |
+    // Join order intent:
+    // Take the locations of ActualResults,
+    // join with locations in the same file / on the same line,
+    // then match those against ValidExpectations.
+    la = a.getLocation() and
+    pragma[only_bind_into](lb) = b.getLocation() and
+    pragma[only_bind_into](la).hasLocationInfo(fname, line, _, _, _) and
+    lb.hasLocationInfo(fname, line, _, _, _)
+  )
+}
+
 private class ValidExpectation extends Expectation, TValidExpectation {
   string tag;
   string value;
@@ -344,8 +357,7 @@ private class ValidExpectation extends Expectation, TValidExpectation {
   string getKnownFailure() { result = knownFailure }
 
   predicate matchesActualResult(ActualResult actualResult) {
-    getLocation().getStartLine() = actualResult.getLocation().getStartLine() and
-    getLocation().getFile() = actualResult.getLocation().getFile() and
+    onSameLine(pragma[only_bind_into](this), actualResult) and
     getTag() = actualResult.getTag() and
     getValue() = actualResult.getValue()
   }