[AI] Reduce verbosity of AI comments + other cleanup.

Author: NateD-MSFT

src/drivers/general/queries/IrqlFloatStateMismatch/IrqlFloatStateMismatch.md

@@ -54,11 +54,11 @@ Correct example
 * [ C28111 ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28111-floating-point-irql-mismatch)
 
 ## Semmle-specific notes
-**Wrapper / common-caller pattern.** The query reasons about IRQL-changing calls between save and restore not only when both calls share an enclosing function, but also when they sit inside one-level helper wrappers that are called from a common caller (for example, thin `save_fp_helper` / `restore_fp_helper` functions that simply forward to `KeSaveFloatingPointState` / `KeRestoreFloatingPointState`). In those cases the intermediate IRQL transition is searched in the common caller (or in either helper's enclosing function for the asymmetric case where one side is a helper and the other is direct).
+**Wrapper / common-caller pattern.** The query searches for IRQL-changing calls between save and restore in either their shared enclosing function, or — when one or both endpoints sit inside a thin one-level helper (e.g. `save_fp_helper` forwarding to `KeSaveFloatingPointState`) — in the common caller of those helpers.
 
-**Remaining limitations.** Despite the source-position and AST-loop branches, the predicate still does not detect:
+**Known false negatives:**
 
-* **IRQL changes performed deep inside helper bodies.** If the helper function itself raises or lowers the IRQL after the save (or before the restore), the change is not visible from the common caller's source-position view, and no intermediate IRQL change is found. Annotating the helper with `_IRQL_raises_` or `_IRQL_saves_global_` makes its IRQL behavior visible without body inspection.
-* **Indirect calls.** IRQL changes performed by an indirect call (function pointer or dispatch-table call) between save and restore are not detected, because the predicate only inspects the static call target.
-* **Loops where the restore is textually before the save.** The AST-loop branch of `irqlChangesBetween` correctly recognises that all three calls (save, restore, and an IRQL-changing call) sit inside the same loop body and would fire on this pattern. However, the upstream IRQL analysis library used to compute the IRQL at the save and restore sites does not consistently bind a value at the argument expression of `KeSaveFloatingPointState` when the call is inside a loop body, so the `irqlSource != irqlSink` filter rejects these cases before `irqlChangesBetween` is consulted. Recovering this true positive requires improvements to the IRQL analysis library and not just to this query.
-* **Wrapper chains longer than one level.** Only one level of wrapping is currently modelled (the helper is called directly from the common caller). Multi-level wrappers require the same annotation hint described above, or a direct call site.
+* **IRQL changes deep inside helper bodies.** If a helper raises/lowers IRQL between its entry and the save/restore primitive it forwards to, that change isn't visible from the common caller. Annotate the helper with `_IRQL_raises_` / `_IRQL_saves_global_` to make its IRQL behavior visible without body inspection.
+* **Indirect calls.** IRQL changes via function pointer or dispatch-table dispatch are not recognized; the predicate inspects only the static call target.
+* **Loops where restore is textually before save.** The AST-loop branch of `irqlChangesBetween` correctly recognizes such patterns, but the upstream IRQL cascade does not always bind at `KeSaveFloatingPointState`'s argument expression inside loop bodies, so the `irqlSource != irqlSink` filter rejects them before this predicate fires. Recovering this case needs work in `Irql.qll`.
+* **Wrapper chains longer than one level.** Only one level of helper wrapping is modelled. Multi-level wrappers need the annotation hint above, or a direct call site.

src/drivers/general/queries/IrqlFloatStateMismatch/IrqlFloatStateMismatch.qhelp

@@ -61,60 +61,49 @@
 		</li>
 	</references>
 	<semmleNotes>
+		<!-- === AI-generated === -->
 		<p>
-			<b>Wrapper / common-caller pattern.</b> The query reasons about
-			IRQL-changing calls between save and restore not only when both
-			calls share an enclosing function, but also when they sit inside
-			one-level helper wrappers that are called from a common caller
-			(for example, thin <code>save_fp_helper</code> /
-			<code>restore_fp_helper</code> functions that simply forward to
-			<code>KeSaveFloatingPointState</code> /
-			<code>KeRestoreFloatingPointState</code>). In those cases the
-			intermediate IRQL transition is searched in the common caller
-			(or in either helper's enclosing function for the asymmetric case
-			where one side is a helper and the other is direct).
+			<b>Wrapper / common-caller pattern.</b> The query searches for
+			IRQL-changing calls between save and restore in either their
+			shared enclosing function, or &#8212; when one or both endpoints
+			sit inside a thin one-level helper (e.g.
+			<code>save_fp_helper</code> forwarding to
+			<code>KeSaveFloatingPointState</code>) &#8212; in the common
+			caller of those helpers.
 		</p>
 		<p>
-			<b>Remaining limitations.</b> Despite the source-position and
-			AST-loop branches, the predicate still does not detect:
+			<b>Known false negatives:</b>
 		</p>
 		<ul>
 			<li>
-				<b>IRQL changes performed deep inside helper bodies.</b>
-				If the helper function itself raises or lowers the IRQL after
-				the save (or before the restore), the change is not visible
-				from the common caller's source-position view, and no
-				intermediate IRQL change is found. Annotating the helper with
-				<code>_IRQL_raises_</code> or <code>_IRQL_saves_global_</code>
-				makes its IRQL behavior visible without body inspection.
+				<b>IRQL changes deep inside helper bodies.</b> If a helper
+				raises/lowers IRQL between its entry and the save/restore
+				primitive it forwards to, that change isn't visible from
+				the common caller. Annotate the helper with
+				<code>_IRQL_raises_</code> /
+				<code>_IRQL_saves_global_</code> to make its IRQL behavior
+				visible without body inspection.
 			</li>
 			<li>
-				<b>Indirect calls.</b> IRQL changes performed by an indirect
-				call (function pointer or dispatch-table call) between save
-				and restore are not detected, because the predicate only
-				inspects the static call target.
+				<b>Indirect calls.</b> IRQL changes via function pointer or
+				dispatch-table dispatch are not recognized; the predicate
+				inspects only the static call target.
 			</li>
 			<li>
-				<b>Loops where the restore is textually before the save.</b>
-				The AST-loop branch of <code>irqlChangesBetween</code>
-				correctly recognises that all three calls (save, restore,
-				and an IRQL-changing call) sit inside the same loop body and
-				would fire on this pattern. However, the upstream IRQL
-				analysis library used to compute the IRQL at the save and
-				restore sites does not consistently bind a value at the
-				argument expression of <code>KeSaveFloatingPointState</code>
-				when the call is inside a loop body, so the
-				<code>irqlSource != irqlSink</code> filter rejects these
-				cases before <code>irqlChangesBetween</code> is consulted.
-				Recovering this true positive requires improvements to the
-				IRQL analysis library and not just to this query.
+				<b>Loops where restore is textually before save.</b> The
+				AST-loop branch of <code>irqlChangesBetween</code>
+				correctly recognizes such patterns, but the upstream IRQL
+				cascade does not always bind at
+				<code>KeSaveFloatingPointState</code>'s argument expression
+				inside loop bodies, so the
+				<code>irqlSource != irqlSink</code> filter rejects them
+				before this predicate fires. Recovering this case needs
+				work in <code>Irql.qll</code>.
 			</li>
 			<li>
 				<b>Wrapper chains longer than one level.</b> Only one level
-				of wrapping is currently modelled (the helper is called
-				directly from the common caller). Multi-level wrappers
-				require the same annotation hint described above, or a
-				direct call site.
+				of helper wrapping is modelled. Multi-level wrappers need
+				the annotation hint above, or a direct call site.
 			</li>
 		</ul>
 	</semmleNotes>

src/drivers/general/queries/IrqlFloatStateMismatch/IrqlFloatStateMismatch.ql

@@ -43,6 +43,8 @@ module FloatStateFlowConfig implements DataFlow::ConfigSig {
 module FloatStateFlow = DataFlow::Global<FloatStateFlowConfig>;
 
 /**
+ * --- AI-generated ---
+ *
  * Gets a source line in `f` that anchors `fc` from `f`'s perspective:
  *
  *   - If `fc`'s enclosing function is `f`, the anchor is `fc`'s own
@@ -68,76 +70,53 @@ private int anchorLineForCall(Function f, FunctionCall fc) {
 }
 
 /**
- * Holds if there is an IRQL-changing call between `saveCall` and
- * `restoreCall` in some function `f`. This predicate is a sanity filter
- * applied on top of the dataflow result: dataflow has already shown the
- * floating-point buffer flows from `saveCall` to `restoreCall`, and this
- * predicate ensures there is at least one IRQL transition that could
- * actually run between them.  Without it the query would emit the pure
- * may-analysis artifact where two save / restore sites are compared at
- * different hypothetical entry IRQLs but no IRQL transition can happen
- * between them at runtime.
+ * --- AI-generated ---
+ *
+ * Holds if some IRQL-changing call could run between `saveCall` and
+ * `restoreCall` at runtime. Used as a sanity filter on top of the
+ * dataflow result: dataflow already paired save -> restore, but
+ * without this filter we'd flag pairs whose hypothetical entry IRQLs
+ * differ even though no actual IRQL transition runs between them.
  *
- * Two complementary disjuncts cooperate:
+ * Two additive disjuncts:
  *
- *  1. **Source-position branch.** For some `f`, an IRQL-changing call
- *     `mid` in `f` lies on a source line bracketed by the anchor lines
- *     of `saveCall` and `restoreCall` (see `anchorLineForCall`).  The
- *     anchor mechanism lets `f` be the directly enclosing function of
- *     both calls or a one-level wrapper / common caller, which covers
- *     the cross-function case that intra-procedural CFG cannot reach.
+ *  1. **Source-position branch.** A `FunctionCall` `mid` syntactically
+ *     inside some `f` has `isIrqlChangingCall(mid)` and lies on a
+ *     source line bracketed by `anchorLineForCall(f, save/restoreCall)`.
+ *     Two cross-function reach mechanisms with different depth bounds
+ *     cooperate: `anchorLineForCall` walks at most one call-graph edge
+ *     (we need a concrete line in `f` to anchor each endpoint), but
+ *     `isIrqlChangingCall` is transitively recursive through
+ *     `isIrqlChangingFunction`, so `mid`'s target can chain through any
+ *     number of wrappers before reaching a primitive (`KeRaiseIrql`,
+ *     `_IRQL_raises_`, etc.).
  *
- *  2. **AST-loop branch.** All three calls (`saveCall`, `restoreCall`,
- *     `mid`) sit inside the body of the same loop in their common
- *     enclosing function.  The loop back-edge means that at runtime
- *     each iteration's `restoreCall` can be preceded by the previous
- *     iteration's `saveCall` with `mid` between them, so an
- *     IRQL-changing `mid` anywhere in the loop body is a real
- *     transition between save and restore even when `restoreCall` is
- *     textually above `saveCall`.  Source-line position alone cannot
- *     express this: when the restore is textually earlier than the
- *     save the bracketing line range is empty and branch (1) trivially
- *     fails.
+ *  2. **AST-loop branch.** All three calls share an enclosing loop body
+ *     in the same function. The back-edge makes any IRQL-changing call
+ *     in the loop a real transition between save and restore on a
+ *     subsequent iteration, including when restore is textually above
+ *     save (which makes branch 1's range empty).
  *
- * The two branches are disjoint in spirit: branch (1) handles
- * cross-function and acyclic in-function cases; branch (2) handles
- * intra-function loops and re-entrant patterns.  Combining them is
- * strictly additive (can only enable more findings, never suppress one
- * that branch (1) would have flagged), so existing true positives are
- * preserved.
+ * We use source-line bracketing rather than CFG reachability because
+ * the extracted cpp CFG can drop forward edges across `if (call(...))`
+ * and similar boundaries, silently losing TPs. The AST relation in
+ * branch 2 is densely populated and avoids that gap.
  *
- * Why not full intra-procedural CFG reachability instead of branch (1)?
- * The cpp control-flow graph in some extracted databases does not
- * transitively connect calls across certain statement boundaries (in
- * particular, forward reachability across `if (call(...))` conditions
- * is unreliable in our extracted DBs), which would silently eliminate
- * true positives that branch (1) catches via source-line bracketing.
- * AST-loop containment in branch (2) sidesteps this by relying on the
- * AST `Loop.getStmt().getAChild*()` relation, which is densely
- * populated and reflects the syntactic loop body directly.
+ * Caveat: `getPotentialExitIrqlAtCfn` doesn't always bind at save-call
+ * argument expressions inside loop bodies in current extracted DBs, so
+ * branch 2 can fire correctly while the upstream `irqlSource != irqlSink`
+ * still filters it out. Recovering those needs work in `Irql.qll`.
  *
- * Caveat: branch (2) cooperates with `irqlSource != irqlSink` only when
- * the IRQL-analysis library binds `getPotentialExitIrqlAtCfn` at the
- * argument expression of `KeSaveFloatingPointState`. In our current
- * extracted DBs that binding is not always produced for `save` calls
- * inside loop bodies, so some real-world loop true positives may
- * still be filtered out by the upstream IRQL filter even when this
- * predicate fires; recovering those will require improvements to
- * the IRQL analysis library itself.
+ * Performance: `pragma[inline_late]` + `bindingset[saveCall, restoreCall]`
+ * specialize this per call site after dataflow has bound the endpoints,
+ * turning a codebase-wide enumeration of (save, restore) pairs into a
+ * per-pair check. Both annotations are planner hints; semantics unchanged.
  *
- * Performance note: `pragma[inline_late]` lets the planner specialize
- * this predicate at its call site after the dataflow result has bound
- * `saveCall` and `restoreCall`. Without it, the body would otherwise
- * be materialized over every (saveCall, restoreCall) pair in the
- * codebase that satisfies the constraints (millions of tuples on
- * large drivers), only to be intersected with a much smaller dataflow
- * result set afterwards. With it, the body is evaluated only for the
- * dataflow-derived pairs, turning a codebase-wide enumeration into a
- * per-pair check. The accompanying `bindingset` records the calling
- * convention required by `inline_late` (both arguments bound at the
- * call site, which is satisfied by the `from` clause below).
- * Semantics are unchanged — both annotations are planner hints, not
- * logical changes.
+ * --- Human comments ---
+ * 
+ * Branch (1) wound up like this for perf reasons as well; a transitive 
+ * check across all of the helper's internals gets expensive and in practice
+ * if there are helper functions involved they're pretty shallow.
  */
 bindingset[saveCall, restoreCall]
 pragma[inline_late]

src/drivers/general/queries/IrqlSetTooHigh/IrqlSetTooHigh.md

@@ -28,7 +28,5 @@ This query may provide false positives in cases where functions are not annotate
 
 For information on how to annotate your functions with information about how they adjust the IRQL, see "IRQL annotations for drivers" in the references section.
 
-**Lower-on-exit pattern: known false negative.** When a function has no `_IRQL_always_function_max_` but does carry an `_IRQL_raises_(R)` annotation, the query treats `R` as the implicit ceiling for the function body. A function annotated as both `_IRQL_requires_min_(M)` and `_IRQL_raises_(R)` with `M > R` is interpreted as a "lower IRQL on exit" pattern (for example a wrapper around a mutex or spin-lock release that runs at `DISPATCH_LEVEL` on entry and returns at `PASSIVE_LEVEL`). For these functions the implicit ceiling is suppressed entirely, because `R` describes the exit IRQL rather than a maximum.
-
-This means that a buggy "lower-on-exit" function whose body raises the IRQL above `M` at some intermediate point will *not* be flagged. If the function actually has a maximum that should be enforced along the body, declare it explicitly with `_IRQL_always_function_max_(MAX)` so the query has a concrete ceiling to check against.
+**Lower-on-exit pattern: known false negative.** A function annotated `_IRQL_requires_min_(M)` + `_IRQL_raises_(R)` with `M > R` is treated as "raises only at exit" (e.g. a wrapper around a spin-lock or mutex release that enters at `DISPATCH_LEVEL` and returns at `PASSIVE_LEVEL`): the query suppresses the implicit ceiling so `R` is read as the exit IRQL rather than a body-wide maximum. Consequently a buggy lower-on-exit function whose body raises IRQL above `M` in the middle is not flagged. To enforce a body-wide maximum, declare it explicitly with `_IRQL_always_function_max_(MAX)`.
 

src/drivers/general/queries/IrqlSetTooHigh/IrqlSetTooHigh.qhelp

@@ -36,26 +36,21 @@
 		<p>This query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.</p>
 		<p>This query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.</p>
 		<p>For information on how to annotate your functions with information about how they adjust the IRQL, see "IRQL annotations for drivers" in the references section.</p>
+		<!-- === AI-generated === -->
 		<p>
-			<b>Lower-on-exit pattern: known false negative.</b> When a function has
-			no <code>_IRQL_always_function_max_</code> but does carry an
-			<code>_IRQL_raises_(R)</code> annotation, the query treats <code>R</code>
-			as the implicit ceiling for the function body. A function annotated as
-			both <code>_IRQL_requires_min_(M)</code> and
-			<code>_IRQL_raises_(R)</code> with <code>M &gt; R</code> is interpreted
-			as a "lower IRQL on exit" pattern (for example a wrapper around a mutex
-			or spin-lock release that runs at <code>DISPATCH_LEVEL</code> on entry
-			and returns at <code>PASSIVE_LEVEL</code>). For these functions the
-			implicit ceiling is suppressed entirely, because <code>R</code> describes
-			the exit IRQL rather than a maximum.
-		</p>
-		<p>
-			This means that a buggy "lower-on-exit" function whose body raises the
-			IRQL above <code>M</code> at some intermediate point will <i>not</i> be
-			flagged. If the function actually has a maximum that should be enforced
-			along the body, declare it explicitly with
-			<code>_IRQL_always_function_max_(MAX)</code> so the query has a concrete
-			ceiling to check against.
+			<b>Lower-on-exit pattern: known false negative.</b> A function
+			annotated <code>_IRQL_requires_min_(M)</code> +
+			<code>_IRQL_raises_(R)</code> with <code>M &gt; R</code> is
+			treated as "raises only at exit" (e.g. a wrapper around a
+			spin-lock or mutex release that enters at
+			<code>DISPATCH_LEVEL</code> and returns at
+			<code>PASSIVE_LEVEL</code>): the query suppresses the
+			implicit ceiling so <code>R</code> is read as the exit IRQL
+			rather than a body-wide maximum. Consequently a buggy
+			lower-on-exit function whose body raises IRQL above
+			<code>M</code> in the middle is not flagged. To enforce a
+			body-wide maximum, declare it explicitly with
+			<code>_IRQL_always_function_max_(MAX)</code>.
 		</p>
 	</semmleNotes>
 </qhelp>