Sync Main (autogenerated) #320

dilanbhalla · 2026-01-26T13:14:06Z

This PR syncs the latest changes from codeql-cli/latest into main.

This was initially lost after rebasing with indentation changes

Some abstract classes defines fields without binding them, leaving it up to the subclasses to bind them. When combined with overlay[local?], the charpred for such an abstract class can become local, while the subclasses are global. The means the charpred needs to be materialized, even though it doesn't bind the fields, leading to a cartesian product.

This was somehow lost in a rebase

We want the type itself to be local but nearly all its member predicates are global.

Previously this was implied by MkClassInstance but that's no longer the case.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

…Ps after fixing conflation.

…dyn trait types

Update CSV framework coverage reports

Rust: Avoid unnecessary constraint satisfaction

Actions: Add `examples` qlpack

Before ``` Evaluated relational algebra for predicate TypeMention::RefTypeReprMention.resolveRootType/0#dispred#091b949a#fb@4bd8a49g with tuple counts: 124419 ~0% {1} r1 = RefTypeRepr::Generated::RefTypeRepr#422893fa AND NOT `RefTypeRepr::Generated::RefTypeRepr.isMut/0#dispred#e2b9988f`(FIRST 1) 6621454761 ~1% {3} | JOIN WITH `Type::DataType.getTypeItem/0#dispred#83467854` CARTESIAN PRODUCT OUTPUT Rhs.0, Lhs.0, Rhs.1 915101745 ~0% {4} | JOIN WITH `project#Type::DataType.getPositionalTypeParameter/1#dispred#3bf49cbe` ON FIRST 1 OUTPUT Lhs.2, _, Lhs.1, Lhs.0 915101745 ~3% {4} | REWRITE WITH Out.1 := "Ref" 124419 ~0% {2} | JOIN WITH `Builtins::BuiltinType.getName/0#dispred#8f62ab0a` ON FIRST 2 OUTPUT Lhs.2, Lhs.3 76728 ~0% {1} r2 = JOIN RefTypeRepr::Generated::RefTypeRepr#422893fa WITH `RefTypeRepr::Generated::RefTypeRepr.isMut/0#dispred#e2b9988f` ON FIRST 1 OUTPUT Lhs.0 4083387432 ~1% {3} | JOIN WITH `Type::DataType.getTypeItem/0#dispred#83467854` CARTESIAN PRODUCT OUTPUT Rhs.0, Lhs.0, Rhs.1 564334440 ~3% {4} | JOIN WITH `project#Type::DataType.getPositionalTypeParameter/1#dispred#3bf49cbe` ON FIRST 1 OUTPUT Lhs.2, _, Lhs.1, Lhs.0 564334440 ~0% {4} | REWRITE WITH Out.1 := "RefMut" 76728 ~2% {2} | JOIN WITH `Builtins::BuiltinType.getName/0#dispred#8f62ab0a` ON FIRST 2 OUTPUT Lhs.2, Lhs.3 201147 ~1% {2} r3 = r1 UNION r2 return r3 ``` After ``` Evaluated relational algebra for predicate TypeMention::RefTypeReprMention.resolveRootType/0#dispred#091b949a#fb@8f12aa2a with tuple counts: 124419 ~0% {1} r1 = RefTypeRepr::Generated::RefTypeRepr#422893fa AND NOT `RefTypeRepr::Generated::RefTypeRepr.isMut/0#dispred#e2b9988f`(FIRST 1) 124419 ~0% {2} | JOIN WITH Type::RefSharedType#090df68e CARTESIAN PRODUCT OUTPUT Rhs.0, Lhs.0 124419 ~0% {2} | JOIN WITH `project#Type::DataType.getPositionalTypeParameter/1#dispred#3bf49cbe` ON FIRST 1 OUTPUT Lhs.1, Lhs.0 76728 ~0% {1} r2 = JOIN RefTypeRepr::Generated::RefTypeRepr#422893fa WITH `RefTypeRepr::Generated::RefTypeRepr.isMut/0#dispred#e2b9988f` ON FIRST 1 OUTPUT Lhs.0 76728 ~0% {2} | JOIN WITH Type::RefMutType#c67a1837 CARTESIAN PRODUCT OUTPUT Rhs.0, Lhs.0 76728 ~2% {2} | JOIN WITH `project#Type::DataType.getPositionalTypeParameter/1#dispred#3bf49cbe` ON FIRST 1 OUTPUT Lhs.1, Lhs.0 201147 ~1% {2} r3 = r1 UNION r2 return r3 ```

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Before ``` Evaluated relational algebra for predicate _ElementImpl::Impl::MacroExpansion::isAttributeMacroExpansionSourceLocation/2#3429148c_Locatable::Lo__#antijoin_rhs@9f4aa4rk with tuple counts: 5127263380 ~4% {3} r1 = JOIN `_AstNodeImpl::Impl::AstNode#22e758cf_ElementImpl::Impl::MacroExpansion::getATokenTreeNode/1#a2df59a3__#shared` WITH `ElementImpl::Impl::MacroExpansion::isAttributeMacroExpansionSourceLocation/2#3429148c` ON FIRST 1 OUTPUT Lhs.1, Rhs.1, Lhs.0 305226 ~0% {2} | JOIN WITH `Locatable::Locatable.getLocation/0#dispred#f3f7e2b2` ON FIRST 2 OUTPUT Lhs.0, Lhs.2 return r1 ``` (No After; the predicate is no longer generated)

Rust: Fix bad join

JS: Add support for props callbacks in Vue router configs

C++: Fix conflation in barrier guards

JS: Skip minified file if avg line length > 200

Release preparation for version 2.24.0

Compatible with the latest released version of the CodeQL CLI

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs

+                    case 0:
+                        return;
+                    case 143 when attempt < 3:
+                        HandleRetryExitCode143(dotnetCliInvoker.Exec, attempt, logger);


In general, to avoid Path.Combine silently discarding earlier path segments when later arguments are absolute, prefer Path.Join for simple concatenation of path segments when you do not want this “absolute path wins” behavior. Path.Join will simply concatenate segments with the correct directory separator, without treating an absolute later component as resetting the path.

The best targeted fix here is to replace Path.Combine(tempWorkingDirectory.ToString(), "emptyFakeDotnetRoot") with Path.Join(tempWorkingDirectory.ToString(), "emptyFakeDotnetRoot"). Both methods live in System.IO.Path, so no new imports are required. This change preserves all existing behavior for the current arguments (base directory plus a relative folder name) while guarding against future accidental introduction of an absolute path segment that would otherwise cause Path.Combine to drop the earlier part. The change is localized to GetRestoreArgs in csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs, near line 76, and no other logic needs to be updated.

csharp/autobuilder/Semmle.Autobuild.Shared/Autobuilder.cs

                // Finally look for language specific project files, e.g. `.csproj` files
-                ret = FindFiles(this.Options.Language.ProjectExtension, f => new Project<TAutobuildOptions>(this, f))?.ToList();
+                ret = FindFiles(Options.Language.ProjectExtension, f => new Project<TAutobuildOptions>(this, f))?.ToList();


asgerf and others added 30 commits January 7, 2026 11:05

JS: Localize MkModuleExport

3110e5a

JS: Localize MkModuleImport

a2a9518

JS: Localize MkClassInstance

385bb32

JS: Use forceLocal to localize MkTypeUse

3ed0f36

JS: Remove unused predicate

6c00a7f

JS: Make API nodes and labels local

295bc69

JS: Improve join order at MkUse call

123bc64

JS: Add missing def-node roots

271567c

JS: Call forceLocal on the output of Stage 1

daf04f1

JS: Also expose "any state" version of tracking predicates

b12d927

JS: Restrict Stage1 to the base database

1001e86

JS: Add overlay-specific Stage2

9c37e07

JS:Add more member labels

c9d3f06

JS: Add debug tools for detecting lost nodes/edges

4bd0f34

JS: Change signature of 'edges' to support quick eval

825c083

JS: Add back CallReceiverStep() restriction

a6dfb83

This was initially lost after rebasing with indentation changes

JS: Remove global dependency that wasnt needed anyway

cf0e765

JS: Include import paths from custom ModuleImportNode::Range subclasses

ed3a8bd

JS: Bugfix in Stage1Local::trackDefNode

651608a

JS: Simplify toString()

7974416

JS: Update test output to reflect Node.toString() change

962c128

JS: Work around an issue with overlay-invariance

8731eee

JS: Add back promisify-all support

27e8bcb

This was somehow lost in a rebase

JS: Make API::Node overlay[local?]

97d369c

We want the type itself to be local but nearly all its member predicates are global.

JS: Sync ApiGraphModels.qll

869efb8

JS: Fix some QL4QL alerts

369848a

JS: Add a missing needsDefNode restriction

cae27c4

Previously this was implied by MkClassInstance but that's no longer the case.

JS: Fix bad join in export logic

9721b4e

Update javascript/ql/lib/semmle/javascript/ApiGraphs.qll

d0dbc91

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

MathiasVP and others added 24 commits January 15, 2026 18:31

C++: Add indirect barrier guard to 'cpp/unbounded-write' to prevent F…

6da7890

…Ps after fixing conflation.

Add changed framework coverage reports

549307a

Rust: Move TypeAbstraction into separate file

c0b3569

Rust: Avoid duplicated entries in conditionSatisfiesConstraint for …

a116932

…dyn trait types

Merge pull request github#21175 from github/workflow/coverage/update

c14b869

Update CSV framework coverage reports

Rust: Remove trait parameter from canonicalDynTraitTypeAbstraction

6b3d863

Merge pull request github#21172 from paldepind/rust/dyn-abs

ec09440

Rust: Avoid unnecessary constraint satisfaction

Actions: Add examples qlpack

3cdca25

Merge pull request github#21177 from hvitved/actions/example-dir

7c95fef

Actions: Add `examples` qlpack

Update cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

5e9fd12

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

C++: Add change note.

08a6b99

C++: Switch another 'DataFlowType' to 'Type'.

f05bff0

Merge pull request github#21179 from hvitved/rust/fix-bad-join

1c689d0

Rust: Fix bad join

Merge pull request github#21180 from hvitved/rust/fix-bad-join2

06b99b2

Rust: Fix bad join

Merge pull request github#21159 from asgerf/js/vue-prop-function

077bbb2

JS: Add support for props callbacks in Vue router configs

Merge pull request github#21171 from MathiasVP/fix-conflation-in-guards

dc7ce3f

C++: Fix conflation in barrier guards

Merge pull request github#20940 from asgerf/js/detect-minified-files

bedb803

JS: Skip minified file if avg line length > 200

Release preparation for version 2.24.0

4142b9c

Fix typo in changelog

7836765

Fix list formatting inconsistency

1739e13

Merge pull request github#21189 from github/release-prep/2.24.0

c5329f6

Release preparation for version 2.24.0

Merge tag 'codeql-cli/latest' into auto/sync-main-pr

5818330

Compatible with the latest released version of the CodeQL CLI

dilanbhalla added the autogenerated label Jan 26, 2026

dilanbhalla requested review from MathiasVP and ropwareJB January 26, 2026 13:14

github-advanced-security bot found potential problems Jan 26, 2026

View reviewed changes

ropwareJB approved these changes Jan 26, 2026

View reviewed changes

dilanbhalla merged commit c4a73dd into main Jan 26, 2026
17 checks passed

@@ -73,7 +73,7 @@
                             var path = ".empty";
                             if (tempWorkingDirectory != null)
                             {
-                                path = Path.Combine(tempWorkingDirectory.ToString(), "emptyFakeDotnetRoot");
+                                path = Path.Join(tempWorkingDirectory.ToString(), "emptyFakeDotnetRoot");
                                 Directory.CreateDirectory(path);
                             }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sync Main (autogenerated) #320

Sync Main (autogenerated) #320

dilanbhalla commented Jan 26, 2026

Uh oh!

Check notice

Copilot Autofix

Check notice

Copilot Autofix

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

19 participants

Sync Main (autogenerated) #320

Sync Main (autogenerated) #320

Conversation

dilanbhalla commented Jan 26, 2026

Uh oh!

Check notice

Copilot Autofix

Check notice

Copilot Autofix

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

19 participants