Merge pull request #21983 from owen-mc/java/convert-to-inline-expectation-tests

owen-mc · web-flow · commit 14c72def96b2 · 2026-06-15T10:31:56.000+01:00
Java: Improve inline expectations test comments
diff --git a/java/ql/test/query-tests/Nullness/B.java b/java/ql/test/query-tests/Nullness/B.java
@@ -331,7 +331,7 @@ public void corrConds3(Object y) {
       x = new Object();
     }
     if(y instanceof String) {
-      x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+      x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     }
   }
 
@@ -341,7 +341,7 @@ public void corrConds4(Object y) {
       x = new Object();
     }
     if(!(y instanceof String)) {
-      x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+      x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     }
   }
 
@@ -351,23 +351,23 @@ public void corrConds5(Object y, Object z) {
       x = new Object();
     }
     if(y == z) {
-      x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+      x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     }
 
     Object x2 = null;
     if(y != z) {
       x2 = new Object();
     }
     if(y != z) {
-      x2.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+      x2.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     }
 
     Object x3 = null;
     if(y != z) {
       x3 = new Object();
     }
     if(!(y == z)) {
-      x3.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+      x3.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     }
   }
 
@@ -462,7 +462,7 @@ public void loopCorrTest2(boolean[] a) {
       cur = a[i];
       if (!prev) {
         // correctly guarded by !cur from the _previous_ iteration
-        x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+        x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
       } else {
         x = new Object();
       }
@@ -484,7 +484,7 @@ public void loopCorrTest3(String[] ss) {
           t = new Object();
         }
         // correctly guarded by t: null -> String -> Object
-        x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+        x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
       }
     }
   }
@@ -573,7 +573,7 @@ public void testFinally2(int[] xs) {
       } finally {
       }
     }
-    s.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+    s.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     // CFG reachability does not distinguish abrupt successors
   }
 }
diff --git a/java/ql/test/query-tests/Nullness/C.java b/java/ql/test/query-tests/Nullness/C.java
@@ -6,8 +6,8 @@ public void ex1(long[][][] a1, int ix, int len) {
     long[][] a2 = null;
     boolean haveA2 = ix < len && (a2 = a1[ix]) != null;
     long[] a3 = null;
-    final boolean haveA3 = haveA2 && (a3 = a2[ix]) != null; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
-    if (haveA3) a3[0] = 0; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+    final boolean haveA3 = haveA2 && (a3 = a2[ix]) != null; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+    if (haveA3) a3[0] = 0; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
   }
 
   public void ex2(boolean x, boolean y) {
@@ -18,7 +18,7 @@ public void ex2(boolean x, boolean y) {
       s2 = (s1 == null) ? null : "";
     }
     if (s2 != null)
-      s1.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+      s1.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
   }
 
   public void ex3(List<String> ss) {
@@ -48,7 +48,7 @@ public void ex4(Iterable<String> list, int step) {
         slice = new ArrayList<>();
         result.add(slice);
       }
-      slice.add(str); // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+      slice.add(str); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
       ++index;
       iter.remove();
     }
@@ -141,7 +141,7 @@ public void ex9(boolean cond, Object obj1) {
   public void ex10(int[] a) {
     int n = a == null ? 0 : a.length;
     for (int i = 0; i < n; i++) {
-      int x = a[i]; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+      int x = a[i]; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
       if (x > 7)
         a = new int[n];
     }
@@ -216,7 +216,7 @@ public void ex15(Object o1, Object o2) {
     if (o1 == o2) {
       return;
     }
-    if (o1.equals(o2)) { // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+    if (o1.equals(o2)) { // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
       return;
     }
   }
@@ -230,7 +230,7 @@ private Object getFoo16() {
   public static void ex16(C c) {
     int[] xs = c.getFoo16() != null ? new int[5] : null;
     if (c.getFoo16() != null) {
-      xs[0]++; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+      xs[0]++; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
     }
   }
 
diff --git a/java/ql/test/query-tests/UseBraces/UseBraces.java b/java/ql/test/query-tests/UseBraces/UseBraces.java
@@ -11,25 +11,25 @@ void test(boolean bb)
 	{
 		int x = 0, y;
 		int[] branches = new int[10];
-		
+
 		// If-then statement
-		
+
 		if(1==1)
 		{
 			f();
 		}
 			g();	// No alert
-			
-		if(1==1)	
+
+		if(1==1)
 			f();
 		g();		// No alert
-		
+
 		if(1==1)
 			f(); // $ Alert
-			g();	// Alert
-			
+			g();
+
 		if(1==1)
-			f();	g();	// $ Alert // Alert
+			f();	g();	// $ Alert
 
 		// If-then-else statement
 
@@ -41,29 +41,29 @@ void test(boolean bb)
 		{
 			g();
 		}
-		
+
 			g();	// No alert
-			
+
 		if(1==2)
 			f();
 		else
 			g();
 		f();		// No alert
-			
+
 		if(true)
 		{
 			f();
 		}
 		else
 			f(); // $ Alert
-			g();	// Alert
-			
+			g();
+
 		if(true)
 		{
 			f();
 		}
 		else
-			f();  g();	// $ Alert // Alert
+			f();  g();	// $ Alert
 
 		// While statement
 
@@ -80,44 +80,44 @@ void test(boolean bb)
 
 		while(bb   )
 			f(); // $ Alert
-			g();		// Alert
+			g();
 			g();		// No alert
 
 		while(bb   )
-			f();	g();		// $ Alert // Alert
+			f();	g();		// $ Alert
 
 
 		while(bb)
 			if (x != 0) x = 1;
 
 		// Do-while statement
-		
+
 		do
 			f();
 		while(false);
 			g();	// No alert
-		
+
 		// For statement
 		for(int i=0; i<10; ++i)
 		{
 			f();
 		}
 			g();
-			
+
 		for(int i=0; i<10; ++i)
 			f();
 		g();
-		
+
 		for(int i=0; i<10; ++i)
 			f(); // $ Alert
-			g();				// Alert
+			g();
 
 		for(int i=0; i<10; ++i)
-			f(); g();			// $ Alert // Alert
+			f(); g();			// $ Alert
+
 
-		
 		// Foreach statement
-		
+
 		for( int b : branches)
 			x += b;
 		f();
@@ -130,42 +130,42 @@ void test(boolean bb)
 
 		for( int b : branches)
 			f(); // $ Alert
-			g();			// Alert
+			g();
 
 		for( int b : branches)
-			f(); g();		// $ Alert // Alert
+			f(); g();		// $ Alert
 
 		// Nested ifs
 		if( true )
 		if(false)
 			f();
 		g();	// No alert
-		
+
 		if( true )
 			if(false) // $ Alert
 				f();
-			g();	// Alert
-		
+			g();
+
 		if( true )
 			;
-		else 
+		else
 		if (false)
 			f();
 		g();	// No alert
 
 		if( true )
 			;
-		else 
+		else
 			if (false)
 				f();
-			g();	// false negative
+			g();  // $ MISSING: Alert // false negative
 
 		if( true )
 			;
 		else if (false)
 			f();  // $ Alert
-			g();	// Alert
-		
+			g();
+
 		// Nested combinations
 		if (true)
 		while (x<10)
@@ -175,7 +175,7 @@ else if (false)
 		if (true)
 			while (x<10) // $ Alert
 				f();
-			g();	// Alert
+			g();
 
 		while (x<10)
 		if (true)
@@ -185,7 +185,7 @@ else if (false)
 		while (x<10)
 			if (true) // $ Alert
 				f();
-			g();	// Alert
+			g();
 
 		if (true)
 			f();
diff --git a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java
@@ -62,10 +62,10 @@ public void sanitizerTests(HttpServletRequest request, HttpServletResponse respo
 		response.setHeader("h", t.replace('\n', ' ').replace('\r', ' '));
 
 		// FALSE NEGATIVE: replace only some line breaks
-		response.setHeader("h", t.replace('\n', ' '));
+		response.setHeader("h", t.replace('\n', ' ')); // $ MISSING: Alert
 
 		// FALSE NEGATIVE: replace only some line breaks
-		response.setHeader("h", t.replaceAll("\r", ""));
+		response.setHeader("h", t.replaceAll("\r", "")); // $ MISSING: Alert
 
 		// GOOD: replace all linebreaks with a simple regex
 		response.setHeader("h", t.replaceAll("\n", "").replaceAll("\r", ""));
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java
@@ -78,7 +78,7 @@ public void main(String[] args) {
 				// FALSE NEGATIVE: stillTainted could still be very large, even
 				// after
 				// it has had arithmetic done on it
-				int output = stillTainted + 100;
+				int output = stillTainted + 100; // $ MISSING: Alert[java/tainted-arithmetic]
 			}
 		}
 
@@ -107,7 +107,7 @@ public void main(String[] args) {
 			}
 			int output = data + 1;
 		}
-		
+
 		{
 			double x= Double.MAX_VALUE;
 			// OK: CWE-190 only pertains to integer arithmetic
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-190/semmle/tests/Test.java
@@ -84,7 +84,7 @@ public static void main(String[] args) {
 			// FALSE POSITIVE: the query check purely based on the type, it
 			// can't try to
 			// determine whether the value may in fact always be in bounds
-			i += j; // $ Alert[java/implicit-cast-in-compound-assignment]
+			i += j; // $ SPURIOUS: Alert[java/implicit-cast-in-compound-assignment]
 		}
 
 		// ArithmeticWithExtremeValues
@@ -224,7 +224,7 @@ public static void main(String[] args) {
 				// FALSE NEGATIVE: stillLarge could still be very large, even
 				// after
 				// it has had arithmetic done on it
-				int output = stillLarge + 100;
+				int output = stillLarge + 100; // $ MISSING: Alert[java/uncontrolled-arithmetic]
 			}
 		}
 
@@ -263,7 +263,7 @@ public static void main(String[] args) {
 				// FALSE NEGATIVE: stillLarge could still be very large, even
 				// after
 				// it has had arithmetic done on it
-				int output = stillLarge + 100;
+				int output = stillLarge + 100; // $ MISSING: Alert[java/uncontrolled-arithmetic]
 			}
 		}
 
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java

Original file line number	Diff line number	Diff line change
`@@ -331,7 +331,7 @@ public void corrConds3(Object y) {`
`331`	`331`	`x = new Object();`
`332`	`332`	`}`
`333`	`333`	`if(y instanceof String) {`
`334`		`- x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
	`334`	`+ x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
`335`	`335`	`}`
`336`	`336`	`}`
`337`	`337`
`@@ -341,7 +341,7 @@ public void corrConds4(Object y) {`
`341`	`341`	`x = new Object();`
`342`	`342`	`}`
`343`	`343`	`if(!(y instanceof String)) {`
`344`		`- x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
	`344`	`+ x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
`345`	`345`	`}`
`346`	`346`	`}`
`347`	`347`
`@@ -351,23 +351,23 @@ public void corrConds5(Object y, Object z) {`
`351`	`351`	`x = new Object();`
`352`	`352`	`}`
`353`	`353`	`if(y == z) {`
`354`		`- x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
	`354`	`+ x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
`355`	`355`	`}`
`356`	`356`
`357`	`357`	`Object x2 = null;`
`358`	`358`	`if(y != z) {`
`359`	`359`	`x2 = new Object();`
`360`	`360`	`}`
`361`	`361`	`if(y != z) {`
`362`		`- x2.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
	`362`	`+ x2.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
`363`	`363`	`}`
`364`	`364`
`365`	`365`	`Object x3 = null;`
`366`	`366`	`if(y != z) {`
`367`	`367`	`x3 = new Object();`
`368`	`368`	`}`
`369`	`369`	`if(!(y == z)) {`
`370`		`- x3.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
	`370`	`+ x3.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
`371`	`371`	`}`
`372`	`372`	`}`
`373`	`373`
`@@ -462,7 +462,7 @@ public void loopCorrTest2(boolean[] a) {`
`462`	`462`	`cur = a[i];`
`463`	`463`	`if (!prev) {`
`464`	`464`	`// correctly guarded by !cur from the _previous_ iteration`
`465`		`- x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
	`465`	`+ x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
`466`	`466`	`} else {`
`467`	`467`	`x = new Object();`
`468`	`468`	`}`
`@@ -484,7 +484,7 @@ public void loopCorrTest3(String[] ss) {`
`484`	`484`	`t = new Object();`
`485`	`485`	`}`
`486`	`486`	`// correctly guarded by t: null -> String -> Object`
`487`		`- x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
	`487`	`+ x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
`488`	`488`	`}`
`489`	`489`	`}`
`490`	`490`	`}`
`@@ -573,7 +573,7 @@ public void testFinally2(int[] xs) {`
`573`	`573`	`} finally {`
`574`	`574`	`}`
`575`	`575`	`}`
`576`		`- s.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
	`576`	`+ s.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive`
`577`	`577`	`// CFG reachability does not distinguish abrupt successors`
`578`	`578`	`}`
`579`	`579`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,8 +6,8 @@ public void ex1(long[][][] a1, int ix, int len) {`
`6`	`6`	`long[][] a2 = null;`
`7`	`7`	`boolean haveA2 = ix < len && (a2 = a1[ix]) != null;`
`8`	`8`	`long[] a3 = null;`
`9`		`- final boolean haveA3 = haveA2 && (a3 = a2[ix]) != null; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
`10`		`- if (haveA3) a3[0] = 0; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
	`9`	`+ final boolean haveA3 = haveA2 && (a3 = a2[ix]) != null; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
	`10`	`+ if (haveA3) a3[0] = 0; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`public void ex2(boolean x, boolean y) {`
`@@ -18,7 +18,7 @@ public void ex2(boolean x, boolean y) {`
`18`	`18`	`s2 = (s1 == null) ? null : "";`
`19`	`19`	`}`
`20`	`20`	`if (s2 != null)`
`21`		`- s1.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
	`21`	`+ s1.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`public void ex3(List<String> ss) {`
`@@ -48,7 +48,7 @@ public void ex4(Iterable<String> list, int step) {`
`48`	`48`	`slice = new ArrayList<>();`
`49`	`49`	`result.add(slice);`
`50`	`50`	`}`
`51`		`- slice.add(str); // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
	`51`	`+ slice.add(str); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
`52`	`52`	`++index;`
`53`	`53`	`iter.remove();`
`54`	`54`	`}`
`@@ -141,7 +141,7 @@ public void ex9(boolean cond, Object obj1) {`
`141`	`141`	`public void ex10(int[] a) {`
`142`	`142`	`int n = a == null ? 0 : a.length;`
`143`	`143`	`for (int i = 0; i < n; i++) {`
`144`		`- int x = a[i]; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
	`144`	`+ int x = a[i]; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
`145`	`145`	`if (x > 7)`
`146`	`146`	`a = new int[n];`
`147`	`147`	`}`
`@@ -216,7 +216,7 @@ public void ex15(Object o1, Object o2) {`
`216`	`216`	`if (o1 == o2) {`
`217`	`217`	`return;`
`218`	`218`	`}`
`219`		`- if (o1.equals(o2)) { // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
	`219`	`+ if (o1.equals(o2)) { // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
`220`	`220`	`return;`
`221`	`221`	`}`
`222`	`222`	`}`
`@@ -230,7 +230,7 @@ private Object getFoo16() {`
`230`	`230`	`public static void ex16(C c) {`
`231`	`231`	`int[] xs = c.getFoo16() != null ? new int[5] : null;`
`232`	`232`	`if (c.getFoo16() != null) {`
`233`		`- xs[0]++; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
	`233`	`+ xs[0]++; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive`
`234`	`234`	`}`
`235`	`235`	`}`
`236`	`236`
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ public void main(String[] args) {`
`78`	`78`	`// FALSE NEGATIVE: stillTainted could still be very large, even`
`79`	`79`	`// after`
`80`	`80`	`// it has had arithmetic done on it`
`81`		`- int output = stillTainted + 100;`
	`81`	`+ int output = stillTainted + 100; // $ MISSING: Alert[java/tainted-arithmetic]`
`82`	`82`	`}`
`83`	`83`	`}`
`84`	`84`
`@@ -107,7 +107,7 @@ public void main(String[] args) {`
`107`	`107`	`}`
`108`	`108`	`int output = data + 1;`
`109`	`109`	`}`
`110`		`-`
	`110`	`+`
`111`	`111`	`{`
`112`	`112`	`double x= Double.MAX_VALUE;`
`113`	`113`	`// OK: CWE-190 only pertains to integer arithmetic`
Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ public static void main(String[] args) {`
`84`	`84`	`// FALSE POSITIVE: the query check purely based on the type, it`
`85`	`85`	`// can't try to`
`86`	`86`	`// determine whether the value may in fact always be in bounds`
`87`		`- i += j; // $ Alert[java/implicit-cast-in-compound-assignment]`
	`87`	`+ i += j; // $ SPURIOUS: Alert[java/implicit-cast-in-compound-assignment]`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`// ArithmeticWithExtremeValues`
`@@ -224,7 +224,7 @@ public static void main(String[] args) {`
`224`	`224`	`// FALSE NEGATIVE: stillLarge could still be very large, even`
`225`	`225`	`// after`
`226`	`226`	`// it has had arithmetic done on it`
`227`		`- int output = stillLarge + 100;`
	`227`	`+ int output = stillLarge + 100; // $ MISSING: Alert[java/uncontrolled-arithmetic]`
`228`	`228`	`}`
`229`	`229`	`}`
`230`	`230`
`@@ -263,7 +263,7 @@ public static void main(String[] args) {`
`263`	`263`	`// FALSE NEGATIVE: stillLarge could still be very large, even`
`264`	`264`	`// after`
`265`	`265`	`// it has had arithmetic done on it`
`266`		`- int output = stillLarge + 100;`
	`266`	`+ int output = stillLarge + 100; // $ MISSING: Alert[java/uncontrolled-arithmetic]`
`267`	`267`	`}`
`268`	`268`	`}`
`269`	`269`