Merge remote-tracking branch 'upstream/master' into dataflow-indirect-args

Conflicts:
	cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
	cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/defaulttainttracking.cpp
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected
	cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected

cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.expected

@@ -1,5 +1,9 @@
 | test2.cpp:19:3:19:6 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:18:12:18:18 | new | new |
 | test2.cpp:26:3:26:6 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:25:7:25:13 | new | new |
+| test2.cpp:51:2:51:5 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:45:18:45:24 | new | new |
+| test2.cpp:55:2:55:5 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:46:20:46:33 | call to operator new | new |
+| test2.cpp:57:2:57:18 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test2.cpp:47:21:47:26 | call to malloc | malloc |
+| test2.cpp:58:2:58:18 | call to operator delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test2.cpp:47:21:47:26 | call to malloc | malloc |
 | test.cpp:36:2:36:17 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:27:18:27:23 | call to malloc | malloc |
 | test.cpp:41:2:41:5 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test.cpp:26:7:26:17 | new | new |
 | test.cpp:68:3:68:11 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:64:28:64:33 | call to malloc | malloc |

cpp/ql/test/query-tests/Critical/NewFree/test2.cpp

@@ -34,3 +34,27 @@ public:
 };
 
 MyTest2Class<int> mt2c_i;
+
+// ---
+
+void* operator new(size_t);
+void operator delete(void*);
+
+void test_operator_new()
+{
+	void *ptr_new = new int;
+	void *ptr_opnew = ::operator new(sizeof(int));
+	void *ptr_malloc = malloc(sizeof(int));
+
+	delete ptr_new; // GOOD
+	::operator delete(ptr_new); // GOOD
+	free(ptr_new); // BAD
+
+	delete ptr_opnew; // GOOD
+	::operator delete(ptr_opnew); // GOOD
+	free(ptr_opnew); // BAD
+
+	delete ptr_malloc; // BAD
+	::operator delete(ptr_malloc); // BAD
+	free(ptr_malloc); // GOOD
+}

cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.expected

@@ -1,7 +1,9 @@
 | tests1.cpp:26:21:26:26 | call to malloc | This allocation does not include space to null-terminate the string. |
+| tests1.cpp:36:21:36:26 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests1.cpp:56:21:56:27 | call to realloc | This allocation does not include space to null-terminate the string. |
 | tests1.cpp:67:21:67:26 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests1.cpp:89:25:89:30 | call to malloc | This allocation does not include space to null-terminate the string. |
+| tests1.cpp:109:25:109:30 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests3.cpp:25:21:25:31 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests3.cpp:30:21:30:31 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests3.cpp:53:17:53:44 | new[] | This allocation does not include space to null-terminate the string. |

cpp/ql/test/query-tests/Critical/OverflowCalculated/OverflowCalculated.expected

@@ -1 +1,2 @@
 | tests2.cpp:34:4:34:9 | call to strcat | This buffer only contains enough room for 'str1' (copied on line 33) |
+| tests2.cpp:52:4:52:9 | call to strcat | This buffer only contains enough room for 'str1' (copied on line 51) |

cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp

@@ -33,7 +33,7 @@ void tests1(int case_num)
 			break;
 
 		case 3:
-			buffer = (char *)malloc(strlen(str) * sizeof(char)); // BAD [NOT DETECTED]
+			buffer = (char *)malloc(strlen(str) * sizeof(char)); // BAD
 			strcpy(buffer, str);
 			break;
 
@@ -106,7 +106,7 @@ void tests1(int case_num)
 			break;
 
 		case 105:
-			wbuffer = (wchar_t *)malloc(wcslen(wstr) * sizeof(wchar_t)); // BAD [NOT DETECTED]
+			wbuffer = (wchar_t *)malloc(wcslen(wstr) * sizeof(wchar_t)); // BAD
 			wcscpy(wbuffer, wstr);
 			break;
 

cpp/ql/test/query-tests/Critical/OverflowCalculated/tests2.cpp

@@ -47,7 +47,7 @@ void tests2(int case_num)
 			break;
 
 		case 4:
-			buffer = (char *)malloc((strlen(str1) + 1) * sizeof(char)); // BAD [NOT DETECTED]
+			buffer = (char *)malloc((strlen(str1) + 1) * sizeof(char)); // BAD
 			strcpy(buffer, str1);
 			strcat(buffer, str2);
 			break;

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected

@@ -1 +1,13 @@
-| test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |
+edges
+| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | (const char *)... |
+| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | (const char *)... |
+| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
+| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
+nodes
+| test.c:9:23:9:26 | argv | semmle.label | argv |
+| test.c:9:23:9:26 | argv | semmle.label | argv |
+| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
+| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
+| test.c:17:11:17:18 | fileName | semmle.label | fileName |
+#select
+| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected

@@ -1,2 +1,30 @@
-| search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
-| search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
+edges
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | (const char *)... |
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
+| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
+| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
+| search.c:41:21:41:26 | call to getenv | search.c:45:17:45:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:45:17:45:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:47:17:47:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:47:17:47:25 | raw_query |
+| search.c:45:17:45:25 | raw_query | search.c:14:24:14:28 | query |
+| search.c:47:17:47:25 | raw_query | search.c:22:24:22:28 | query |
+nodes
+| search.c:14:24:14:28 | query | semmle.label | query |
+| search.c:17:8:17:12 | (const char *)... | semmle.label | (const char *)... |
+| search.c:17:8:17:12 | (const char *)... | semmle.label | (const char *)... |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:22:24:22:28 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
+| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
+| search.c:45:17:45:25 | raw_query | semmle.label | raw_query |
+| search.c:47:17:47:25 | raw_query | semmle.label | raw_query |
+#select
+| search.c:17:8:17:12 | query | search.c:41:21:41:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
+| search.c:23:39:23:43 | query | search.c:41:21:41:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |

cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -1,2 +1,25 @@
-| test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
-| test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
+edges
+| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
+| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
+| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
+| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
+| test.cpp:42:18:42:23 | call to getenv | test.cpp:24:30:24:36 | command |
+| test.cpp:42:18:42:34 | (const char *)... | test.cpp:24:30:24:36 | command |
+| test.cpp:43:18:43:23 | call to getenv | test.cpp:29:30:29:36 | command |
+| test.cpp:43:18:43:34 | (const char *)... | test.cpp:29:30:29:36 | command |
+nodes
+| test.cpp:24:30:24:36 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:29:30:29:36 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:43:18:43:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:43:18:43:34 | (const char *)... | semmle.label | (const char *)... |
+#select
+| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
+| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected

@@ -0,0 +1,3 @@
+edges
+nodes
+#select

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected

@@ -1,5 +1,53 @@
-| tests.c:28:3:28:9 | call to sprintf | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
-| tests.c:29:3:29:9 | call to sprintf | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
-| tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
-| tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
-| tests.c:34:25:34:33 | buffer100 | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |
+edges
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | (const char *)... |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | (const char *)... |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+nodes
+| tests.c:28:22:28:25 | argv | semmle.label | argv |
+| tests.c:28:22:28:25 | argv | semmle.label | argv |
+| tests.c:28:22:28:28 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:28:22:28:28 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
+| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
+| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
+| tests.c:29:28:29:31 | argv | semmle.label | argv |
+| tests.c:29:28:29:31 | argv | semmle.label | argv |
+| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
+| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
+| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
+| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
+| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
+| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
+| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
+| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
+| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
+| tests.c:34:10:34:13 | argv | semmle.label | argv |
+| tests.c:34:10:34:13 | argv | semmle.label | argv |
+| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
+| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
+| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
+#select
+| tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
+| tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
+| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
+| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
+| tests.c:34:25:34:33 | buffer100 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.expected

@@ -3,7 +3,9 @@
 | test.c:16:20:16:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.c:32:20:32:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.c:49:20:49:25 | call to malloc | This allocation does not include space to null-terminate the string. |
+| test.c:64:20:64:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:24:35:24:40 | call to malloc | This allocation does not include space to null-terminate the string. |
+| test.cpp:31:35:31:40 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:45:28:45:33 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:55:28:55:33 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.cpp:63:28:63:33 | call to malloc | This allocation does not include space to null-terminate the string. |

cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/test.c

@@ -60,7 +60,7 @@ void good2(char *str) {
 }
 
 void bad3(char *str) {
-    // BAD -- Not allocating space for '\0' terminator [NOT DETECTED]
+    // BAD -- Not allocating space for '\0' terminator
     char *buffer = malloc(strlen(str) * sizeof(char));
     strcpy(buffer, str);
     free(buffer);

cpp/ql/test/query-tests/Security/CWE/CWE-131/semmle/NoSpaceForZeroTerminator/test.cpp

@@ -27,7 +27,7 @@ void bad1(wchar_t *wstr) {
 }
 
 void bad2(wchar_t *wstr) {
-    // BAD -- Not allocating space for '\0' terminator [NOT DETECTED]
+    // BAD -- Not allocating space for '\0' terminator
     wchar_t *wbuffer = (wchar_t *)malloc(wcslen(wstr) * sizeof(wchar_t));
     wcscpy(wbuffer, wstr);
     free(wbuffer);

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected

@@ -1,28 +1,329 @@
-| argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:95:9:95:12 | argv | argv |
-| argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:96:15:96:18 | argv | argv |
-| argvLocal.c:101:9:101:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
-| argvLocal.c:102:15:102:16 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
-| argvLocal.c:106:9:106:13 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
-| argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
-| argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
-| argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
-| argvLocal.c:116:9:116:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:117:15:117:16 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:121:9:121:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:122:15:122:16 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:127:9:127:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
-| argvLocal.c:128:15:128:16 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
-| argvLocal.c:131:9:131:14 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
-| argvLocal.c:132:15:132:20 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
-| argvLocal.c:135:9:135:12 | ... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:136:15:136:18 | -- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
-| argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
-| argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
-| argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
-| argvLocal.c:157:9:157:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
-| argvLocal.c:158:15:158:16 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
-| argvLocal.c:164:9:164:11 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
-| argvLocal.c:165:15:165:17 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
-| argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
-| argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
+edges
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
+| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
+| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
+| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
+| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | BufferReadSideEffect |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | BufferReadSideEffect |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | BufferReadSideEffect |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | BufferReadSideEffect |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:117:15:117:16 | BufferReadSideEffect | argvLocal.c:117:15:117:16 | printWrapper output argument |
+| argvLocal.c:117:15:117:16 | array to pointer conversion | argvLocal.c:117:15:117:16 | printWrapper output argument |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | BufferReadSideEffect |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:122:15:122:16 | BufferReadSideEffect | argvLocal.c:122:15:122:16 | printWrapper output argument |
+| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | BufferReadSideEffect |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | BufferReadSideEffect |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:128:15:128:16 | BufferReadSideEffect | argvLocal.c:128:15:128:16 | printWrapper output argument |
+| argvLocal.c:128:15:128:16 | array to pointer conversion | argvLocal.c:128:15:128:16 | printWrapper output argument |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+nodes
+| argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct |
+| argvLocal.c:9:25:9:31 | correct | semmle.label | correct |
+| argvLocal.c:10:9:10:15 | Chi | semmle.label | Chi |
+| argvLocal.c:10:9:10:15 | Chi | semmle.label | Chi |
+| argvLocal.c:95:9:95:12 | argv | semmle.label | argv |
+| argvLocal.c:95:9:95:12 | argv | semmle.label | argv |
+| argvLocal.c:95:9:95:15 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:95:9:95:15 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
+| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
+| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
+| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
+| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
+| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
+| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
+| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
+| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
+| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
+| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
+| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
+| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
+| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
+| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
+| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
+| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
+| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
+| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
+| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
+| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
+| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
+| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
+| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
+| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
+| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
+| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
+| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
+| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
+| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
+| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
+| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
+| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
+| argvLocal.c:117:15:117:16 | BufferReadSideEffect | semmle.label | BufferReadSideEffect |
+| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
+| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
+| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument |
+| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
+| argvLocal.c:122:15:122:16 | BufferReadSideEffect | semmle.label | BufferReadSideEffect |
+| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
+| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
+| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument |
+| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
+| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
+| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 |
+| argvLocal.c:128:15:128:16 | BufferReadSideEffect | semmle.label | BufferReadSideEffect |
+| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
+| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
+| argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument |
+| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
+| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
+| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
+| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
+| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
+| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
+| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
+| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
+| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
+| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
+| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
+| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
+| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
+| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
+| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
+| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
+| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
+| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
+| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
+| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
+| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
+| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
+| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
+| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
+| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 |
+| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
+| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
+| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
+| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
+| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
+| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 |
+| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
+| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
+| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
+| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
+| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
+| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
+| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
+| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
+| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
+| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
+| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
+| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
+| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
+| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
+| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
+#select
+| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:95:9:95:12 | argv | argv |
+| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:96:15:96:18 | argv | argv |
+| argvLocal.c:101:9:101:10 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
+| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
+| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
+| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
+| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
+| argvLocal.c:111:15:111:17 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
+| argvLocal.c:116:9:116:10 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:117:15:117:16 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:121:9:121:10 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:127:9:127:10 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
+| argvLocal.c:128:15:128:16 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
+| argvLocal.c:131:9:131:14 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
+| argvLocal.c:132:15:132:20 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
+| argvLocal.c:135:9:135:12 | ... ++ | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:136:15:136:18 | -- ... | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:144:9:144:10 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
+| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
+| argvLocal.c:150:9:150:10 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
+| argvLocal.c:151:15:151:16 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
+| argvLocal.c:157:9:157:10 | i9 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
+| argvLocal.c:158:15:158:16 | i9 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
+| argvLocal.c:164:9:164:11 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
+| argvLocal.c:165:15:165:17 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
+| argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
+| argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected

@@ -1,7 +1,83 @@
-| funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
-| funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
-| funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:13:31:17 | call to fgets | fgets |
-| funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:19:31:21 | i41 | fgets |
-| funcsLocal.c:37:9:37:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | i5 | gets |
-| funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:13:41:16 | call to gets | gets |
-| funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:18:41:20 | i61 | gets |
+edges
+| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | (const char *)... |
+| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 |
+| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | (const char *)... |
+| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 |
+| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | (const char *)... |
+| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 |
+| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | (const char *)... |
+| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 |
+| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | (const char *)... |
+| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 |
+| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | (const char *)... |
+| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | (const char *)... |
+| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | (const char *)... |
+| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | (const char *)... |
+| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
+| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | (const char *)... |
+| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | (const char *)... |
+| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | (const char *)... |
+| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 |
+nodes
+| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
+| funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 |
+| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 |
+| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument |
+| funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 |
+| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 |
+| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
+| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
+| funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument |
+| funcsLocal.c:31:19:31:21 | i41 | semmle.label | i41 |
+| funcsLocal.c:32:9:32:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:32:9:32:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
+| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
+| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
+| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument |
+| funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
+| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 |
+| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
+| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
+| funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument |
+| funcsLocal.c:41:18:41:20 | i61 | semmle.label | i61 |
+| funcsLocal.c:42:9:42:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:42:9:42:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
+| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
+| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
+| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
+#select
+| funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
+| funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
+| funcsLocal.c:32:9:32:10 | i4 | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:13:31:17 | call to fgets | fgets |
+| funcsLocal.c:32:9:32:10 | i4 | funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:19:31:21 | i41 | fgets |
+| funcsLocal.c:37:9:37:10 | i5 | funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | i5 | gets |
+| funcsLocal.c:42:9:42:10 | i6 | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:13:41:16 | call to gets | gets |
+| funcsLocal.c:42:9:42:10 | i6 | funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:18:41:20 | i61 | gets |
+| funcsLocal.c:58:9:58:10 | e1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected

@@ -0,0 +1,3 @@
+edges
+nodes
+#select

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected

@@ -1,5 +1,65 @@
-| globalVars.c:27:9:27:12 | copy | This value may flow through $@, originating from $@, and is a formatting argument to printf(format). | globalVars.c:8:7:8:10 | copy | copy | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:30:15:30:18 | copy | This value may flow through $@, originating from $@, and is a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:8:7:8:10 | copy | copy | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:38:9:38:13 | copy2 | This value may flow through $@, originating from $@, and is a formatting argument to printf(format). | globalVars.c:9:7:9:11 | copy2 | copy2 | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:41:15:41:19 | copy2 | This value may flow through $@, originating from $@, and is a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:9:7:9:11 | copy2 | copy2 | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:50:9:50:13 | copy2 | This value may flow through $@, originating from $@, and is a formatting argument to printf(format). | globalVars.c:9:7:9:11 | copy2 | copy2 | globalVars.c:24:11:24:14 | argv | argv |
+edges
+| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
+| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
+| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
+| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
+| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
+| globalVars.c:8:7:8:10 | copy | globalVars.c:35:11:35:14 | copy |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
+| globalVars.c:11:22:11:25 | argv | globalVars.c:12:2:12:15 | Store |
+| globalVars.c:12:2:12:15 | Store | globalVars.c:8:7:8:10 | copy |
+| globalVars.c:15:21:15:23 | val | globalVars.c:16:2:16:12 | Store |
+| globalVars.c:16:2:16:12 | Store | globalVars.c:9:7:9:11 | copy2 |
+| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
+| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
+| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | (const char *)... |
+| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy |
+| globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val |
+| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | (const char *)... |
+| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 |
+| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | (const char *)... |
+| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
+nodes
+| globalVars.c:8:7:8:10 | copy | semmle.label | copy |
+| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 |
+| globalVars.c:11:22:11:25 | argv | semmle.label | argv |
+| globalVars.c:12:2:12:15 | Store | semmle.label | Store |
+| globalVars.c:15:21:15:23 | val | semmle.label | val |
+| globalVars.c:16:2:16:12 | Store | semmle.label | Store |
+| globalVars.c:24:11:24:14 | argv | semmle.label | argv |
+| globalVars.c:24:11:24:14 | argv | semmle.label | argv |
+| globalVars.c:27:9:27:12 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:27:9:27:12 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
+| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
+| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
+| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
+| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
+| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
+| globalVars.c:35:11:35:14 | copy | semmle.label | copy |
+| globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
+| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
+| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
+| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
+| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
+| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
+| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
+| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
+| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
+#select
+| globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv |
+| globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format) | globalVars.c:24:11:24:14 | argv | argv |
+| globalVars.c:38:9:38:13 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:38:9:38:13 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv |
+| globalVars.c:41:15:41:19 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:41:15:41:19 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format) | globalVars.c:24:11:24:14 | argv | argv |
+| globalVars.c:50:9:50:13 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:50:9:50:13 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected

@@ -1,11 +1,157 @@
-| ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv |
-| ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv |
-| ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:74:8:74:11 | argv | argv |
-| ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:80:8:80:11 | argv | argv |
-| ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:86:8:86:11 | argv | argv |
-| ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:92:8:92:11 | argv | argv |
-| ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:98:8:98:11 | argv | argv |
-| ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:105:8:105:11 | argv | argv |
-| ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:111:8:111:11 | argv | argv |
-| ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:117:8:117:11 | argv | argv |
-| ifs.c:124:9:124:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:123:8:123:11 | argv | argv |
+edges
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | (const char *)... |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | (const char *)... |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
+nodes
+| ifs.c:61:8:61:11 | argv | semmle.label | argv |
+| ifs.c:61:8:61:11 | argv | semmle.label | argv |
+| ifs.c:62:9:62:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:62:9:62:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
+| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
+| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
+| ifs.c:68:8:68:11 | argv | semmle.label | argv |
+| ifs.c:68:8:68:11 | argv | semmle.label | argv |
+| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
+| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
+| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
+| ifs.c:74:8:74:11 | argv | semmle.label | argv |
+| ifs.c:74:8:74:11 | argv | semmle.label | argv |
+| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
+| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
+| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
+| ifs.c:80:8:80:11 | argv | semmle.label | argv |
+| ifs.c:80:8:80:11 | argv | semmle.label | argv |
+| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
+| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
+| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
+| ifs.c:86:8:86:11 | argv | semmle.label | argv |
+| ifs.c:86:8:86:11 | argv | semmle.label | argv |
+| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
+| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
+| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
+| ifs.c:92:8:92:11 | argv | semmle.label | argv |
+| ifs.c:92:8:92:11 | argv | semmle.label | argv |
+| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
+| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
+| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
+| ifs.c:98:8:98:11 | argv | semmle.label | argv |
+| ifs.c:98:8:98:11 | argv | semmle.label | argv |
+| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
+| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
+| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
+| ifs.c:105:8:105:11 | argv | semmle.label | argv |
+| ifs.c:105:8:105:11 | argv | semmle.label | argv |
+| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
+| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
+| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
+| ifs.c:111:8:111:11 | argv | semmle.label | argv |
+| ifs.c:111:8:111:11 | argv | semmle.label | argv |
+| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
+| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
+| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
+| ifs.c:117:8:117:11 | argv | semmle.label | argv |
+| ifs.c:117:8:117:11 | argv | semmle.label | argv |
+| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
+| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
+| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
+| ifs.c:123:8:123:11 | argv | semmle.label | argv |
+| ifs.c:123:8:123:11 | argv | semmle.label | argv |
+| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
+| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
+| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
+#select
+| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv |
+| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv |
+| ifs.c:75:9:75:10 | i1 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:74:8:74:11 | argv | argv |
+| ifs.c:81:9:81:10 | i2 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:80:8:80:11 | argv | argv |
+| ifs.c:87:9:87:10 | i3 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:86:8:86:11 | argv | argv |
+| ifs.c:93:9:93:10 | i4 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:92:8:92:11 | argv | argv |
+| ifs.c:99:9:99:10 | i5 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:98:8:98:11 | argv | argv |
+| ifs.c:106:9:106:10 | i6 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:105:8:105:11 | argv | argv |
+| ifs.c:112:9:112:10 | i7 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:111:8:111:11 | argv | argv |
+| ifs.c:118:9:118:10 | i8 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:117:8:117:11 | argv | argv |
+| ifs.c:124:9:124:10 | i9 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:123:8:123:11 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected

@@ -0,0 +1,15 @@
+| test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
+| test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
+| test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |
+| test.c:65:14:65:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:64:8:64:8 | s | s | test.c:63:17:63:17 | x | x |
+| test.c:87:14:87:18 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:84:15:84:15 | x | x |
+| test.c:91:14:91:23 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test.c:83:16:83:16 | c | c | test.c:91:18:91:23 | 65280 | 65280 |
+| test.c:93:14:93:25 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test.c:83:16:83:16 | c | c | test.c:93:18:93:25 | 16711680 | 16711680 |
+| test.c:95:14:95:27 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:95:18:95:27 | 4278190080 | 4278190080 |
+| test.c:99:14:99:29 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:99:19:99:28 | ... & ... | ... & ... |
+| test.c:101:14:101:31 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:101:19:101:30 | ... & ... | ... & ... |
+| test.c:103:14:103:33 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:103:19:103:32 | ... & ... | ... & ... |
+| test.c:105:14:105:25 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:105:19:105:24 | ... >> ... | ... >> ... |
+| test.c:107:14:107:26 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:107:19:107:25 | ... >> ... | ... >> ... |
+| test.c:128:15:128:21 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:121:16:121:17 | uc | uc | test.c:123:19:123:20 | sz | sz |
+| test.c:139:15:139:21 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:121:16:121:17 | uc | uc | test.c:123:19:123:20 | sz | sz |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c

@@ -0,0 +1,147 @@
+
+void test1 (int x) {
+	char c;
+	for (c = 0; c < x; c++) {} //BAD
+}
+
+void test2 (int x) {
+	char c;
+	for (c = 0; x > c; c++) {} // BAD
+}
+
+void test3 (int x) {
+	short s;
+	for (s = 0; s < x; s++) {} //BAD
+}
+
+void runner() { // get range analysis to give large values to x in tests
+	test1(65536);
+	test2(65536);
+	test3(655360);
+	test7((unsigned long long)1<<48);
+	test8(65536);
+	test9(65536);
+	test10(65536);
+
+}
+
+void test4 () {
+	short s1;
+	short s2 = 200;
+	for (s1 = 0;  s1 < s2; s1++) {}
+}
+
+void test5 () {
+	short s1;
+	int x = 65536;
+	s1 < x;
+}
+
+void test6() {
+	short  s1;
+	for (s1 = 0; s1 < 0x0000ffff; s1++) {}
+}
+
+void test7(long long l) {
+	int i;
+	for (i = 0; i < l; i++) {}
+}
+
+void test8(int x) {
+	short s;
+	for (s = 256; s < x; x--) {}
+}
+
+
+void test9(int x) {
+	short s;
+	for (s = 256; s < x; ) {
+		x--;
+	}
+}
+
+void test10(int x) {
+	short s;
+	for (s = 0; s < x; ) { // BAD
+		do
+		{
+			s++;
+		} while (0);
+	}
+}
+
+extern const int const256;
+
+void test11() {
+	short s;
+	for(s = 0; s < const256; ++s) {}
+}
+
+unsigned int get_a_uint();
+
+void test12() {
+	unsigned char c;
+	unsigned int x;
+
+	x = get_a_uint();
+	for (c = 0; c < x; c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < 0xFF; c++) {} // GOOD
+	x = get_a_uint();
+	for (c = 0; c < 0xFF00; c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < 0xFF0000; c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < 0xFF000000; c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x & 0xFF); c++) {} // GOOD
+	x = get_a_uint();
+	for (c = 0; c < (x & 0xFF00); c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x & 0xFF0000); c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x & 0xFF000000); c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x >> 8); c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x >> 16); c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x >> 24); c++) {} // GOOD (assuming 32-bit ints)
+	x = get_a_uint();
+	for (c = 0; c < ((x & 0xFF00) >> 8); c++) {} // GOOD
+	x = get_a_uint();
+	for (c = 0; c < ((x & 0xFF0000) >> 16); c++) {} // GOOD
+	x = get_a_uint();
+	for (c = 0; c < ((x & 0xFF000000) >> 24); c++) {} // GOOD
+}
+
+int get_an_int();
+
+void test13() {
+	unsigned char uc;
+	int sx, sy;
+	unsigned ux, uy, sz;
+
+	ux = get_a_uint();
+	uy = get_a_uint();
+	sz = ux & uy;
+	for (uc = 0; uc < sz; uc++) {} // BAD
+
+	ux = get_a_uint();
+	uy = get_a_uint();
+	if (ux > 128) {ux = 128;}
+	sz = ux & uy;
+	for (uc = 0; uc < sz; uc++) {} // GOOD
+
+	sx = get_an_int();
+	sy = get_an_int();
+	sz = (unsigned)sx & (unsigned)sy;
+	for (uc = 0; uc < sz; uc++) {} // BAD
+
+	sx = get_an_int();
+	sy = get_an_int();
+	if (sx < 0) {sx = 0;}
+	if (sx > 128) {sx = 128;}
+	sz = (unsigned)sx & (unsigned)sy;
+	for (uc = 0; uc < sz; uc++) {} // GOOD
+}

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected

@@ -1,9 +1,138 @@
-| test.cpp:42:31:42:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:43:31:43:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:45:31:45:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:48:25:48:30 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:49:17:49:30 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:52:21:52:27 | call to realloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:127:17:127:22 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:123:25:123:30 | call to getenv | user input (getenv) |
+edges
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | (size_t)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | (size_t)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
+| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
+| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
+| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
+| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
+| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
+| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
+| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
+| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
+| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
+| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
+| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
+| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
+| test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
+| test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
+| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:42 | Store |
+| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:42 | Store |
+| test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
+| test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
+| test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
+| test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | (size_t)... |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:235:11:235:20 | (size_t)... |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:237:10:237:19 | (size_t)... |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | (size_t)... |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:235:11:235:20 | (size_t)... |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:237:10:237:19 | (size_t)... |
+| test.cpp:235:11:235:20 | (size_t)... | test.cpp:214:23:214:23 | s |
+| test.cpp:237:10:237:19 | (size_t)... | test.cpp:220:21:220:21 | s |
+nodes
+| test.cpp:39:21:39:24 | argv | semmle.label | argv |
+| test.cpp:39:21:39:24 | argv | semmle.label | argv |
+| test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
+| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
+| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
+| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
+| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
+| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
+| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
+| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
+| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
+| test.cpp:48:32:48:35 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:48:32:48:35 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:48:32:48:35 | size | semmle.label | size |
+| test.cpp:48:32:48:35 | size | semmle.label | size |
+| test.cpp:48:32:48:35 | size | semmle.label | size |
+| test.cpp:49:26:49:29 | size | semmle.label | size |
+| test.cpp:49:26:49:29 | size | semmle.label | size |
+| test.cpp:49:26:49:29 | size | semmle.label | size |
+| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
+| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
+| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
+| test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
+| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
+| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
+| test.cpp:132:19:132:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:132:19:132:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:138:19:138:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:138:19:138:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:201:9:201:42 | Store | semmle.label | Store |
+| test.cpp:201:14:201:19 | call to getenv | semmle.label | call to getenv |
+| test.cpp:201:14:201:27 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:214:23:214:23 | s | semmle.label | s |
+| test.cpp:215:21:215:21 | s | semmle.label | s |
+| test.cpp:215:21:215:21 | s | semmle.label | s |
+| test.cpp:215:21:215:21 | s | semmle.label | s |
+| test.cpp:220:21:220:21 | s | semmle.label | s |
+| test.cpp:221:21:221:21 | s | semmle.label | s |
+| test.cpp:221:21:221:21 | s | semmle.label | s |
+| test.cpp:221:21:221:21 | s | semmle.label | s |
+| test.cpp:227:24:227:29 | call to getenv | semmle.label | call to getenv |
+| test.cpp:227:24:227:37 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:229:9:229:18 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:229:9:229:18 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
+| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
+| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
+| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:235:11:235:20 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:237:10:237:19 | (size_t)... | semmle.label | (size_t)... |
+#select
+| test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:45:31:45:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
+| test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
+| test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
+| test.cpp:215:14:215:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:215:21:215:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
+| test.cpp:221:14:221:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:221:21:221:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
+| test.cpp:229:2:229:7 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
+| test.cpp:231:2:231:7 | call to malloc | test.cpp:201:14:201:19 | call to getenv | test.cpp:231:9:231:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:201:14:201:19 | call to getenv | user input (getenv) |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp

@@ -5,8 +5,8 @@ typedef struct {} FILE;
 
 void *malloc(size_t size);
 void *realloc(void *ptr, size_t size);
+void free(void *ptr);
 int atoi(const char *nptr);
-
 struct MyStruct
 {
 	char data[256];
@@ -39,10 +39,10 @@ int main(int argc, char **argv) {
 	int tainted = atoi(argv[1]);
 
 	MyStruct *arr1 = (MyStruct *)malloc(sizeof(MyStruct)); // GOOD
-	MyStruct *arr2 = (MyStruct *)malloc(tainted); // BAD
+	MyStruct *arr2 = (MyStruct *)malloc(tainted); // DUBIOUS (not multiplied by anything)
 	MyStruct *arr3 = (MyStruct *)malloc(tainted * sizeof(MyStruct)); // BAD
 	MyStruct *arr4 = (MyStruct *)malloc(getTainted() * sizeof(MyStruct)); // BAD [NOT DETECTED]
-	MyStruct *arr5 = (MyStruct *)malloc(sizeof(MyStruct) + tainted); // BAD [NOT DETECTED]
+	MyStruct *arr5 = (MyStruct *)malloc(sizeof(MyStruct) + tainted); // DUBIOUS (not multiplied by anything)
 
 	int size = tainted * 8;
 	char *chars1 = (char *)malloc(size); // BAD
@@ -52,7 +52,7 @@ int main(int argc, char **argv) {
 	arr1 = (MyStruct *)realloc(arr1, sizeof(MyStruct) * tainted); // BAD
 
 	size = 8;
-	chars3 = new char[size]; // GOOD [FALSE POSITIVE]
+	chars3 = new char[size]; // GOOD
 
 	return 0;
 }
@@ -120,9 +120,119 @@ int bounded(int x, int limit) {
 }
 
 void open_file_bounded () {
-	int size = size = atoi(getenv("USER"));
+	int size = atoi(getenv("USER"));
 	int bounded_size = bounded(size, MAX_SIZE);
 	
-	int* a = (int*)malloc(bounded_size); // GOOD
-	int* b = (int*)malloc(size); // BAD
-}
+	int* a = (int*)malloc(bounded_size * sizeof(int)); // GOOD
+	int* b = (int*)malloc(size * sizeof(int)); // BAD
+}
+
+void more_bounded_tests() {
+	{
+		int size = atoi(getenv("USER"));
+
+		malloc(size * sizeof(int)); // BAD
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size > 0)
+		{
+			malloc(size * sizeof(int)); // BAD
+		}
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size < 100)
+		{
+			malloc(size * sizeof(int)); // BAD [NOT DETECTED]
+		}
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		if ((size > 0) && (size < 100))
+		{
+			malloc(size * sizeof(int)); // GOOD
+		}
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		if ((100 > size) && (0 < size))
+		{
+			malloc(size * sizeof(int)); // GOOD
+		}
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		malloc(size * sizeof(int)); // BAD [NOT DETECTED]
+
+		if ((size > 0) && (size < 100))
+		{
+			// ...
+		}
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size > 100)
+		{
+			malloc(size * sizeof(int)); // BAD [NOT DETECTED]
+		}
+	}
+}
+
+size_t get_untainted_size()
+{
+	return 10 * sizeof(int);
+}
+
+size_t get_tainted_size()
+{
+	return atoi(getenv("USER")) * sizeof(int);
+}
+
+size_t get_bounded_size()
+{
+	size_t s = atoi(getenv("USER")) * sizeof(int);
+
+	if (s < 0) { s = 0; }
+	if (s > 100) { s = 100; }
+
+	return s;
+}
+
+void *my_alloc(size_t s) {
+	void *ptr = malloc(s); // [UNHELPFUL RESULT]
+
+	return ptr;
+}
+
+void my_func(size_t s) {
+	void *ptr = malloc(s); // BAD
+
+	free(ptr);
+}
+
+void more_cases() {
+	int local_size = atoi(getenv("USER")) * sizeof(int);
+
+	malloc(local_size); // BAD
+	malloc(get_untainted_size()); // GOOD
+	malloc(get_tainted_size()); // BAD
+	malloc(get_bounded_size()); // GOOD
+
+	my_alloc(100); // GOOD
+	my_alloc(local_size); // BAD [NOT DETECTED IN CORRECT LOCATION]
+	my_func(100); // GOOD
+	my_func(local_size); // GOOD
+}

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected

@@ -1,9 +1,138 @@
-| test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
-| test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
-| test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
-| test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
-| test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
-| test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
-| test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
-| test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
-| test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
+edges
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
+| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
+| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
+| test.cpp:13:2:13:15 | Chi | test.cpp:30:13:30:14 | get_rand2 output argument |
+| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi |
+| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi |
+| test.cpp:18:2:18:14 | Chi | test.cpp:36:13:36:13 | get_rand3 output argument |
+| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi |
+| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi |
+| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
+| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
+| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r |
+| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r |
+| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r |
+| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r |
+nodes
+| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
+| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
+| test.c:21:17:21:17 | r | semmle.label | r |
+| test.c:21:17:21:17 | r | semmle.label | r |
+| test.c:21:17:21:17 | r | semmle.label | r |
+| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
+| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
+| test.c:35:5:35:5 | r | semmle.label | r |
+| test.c:35:5:35:5 | r | semmle.label | r |
+| test.c:35:5:35:5 | r | semmle.label | r |
+| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
+| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
+| test.c:40:5:40:5 | r | semmle.label | r |
+| test.c:40:5:40:5 | r | semmle.label | r |
+| test.c:40:5:40:5 | r | semmle.label | r |
+| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
+| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
+| test.c:45:5:45:5 | r | semmle.label | r |
+| test.c:45:5:45:5 | r | semmle.label | r |
+| test.c:45:5:45:5 | r | semmle.label | r |
+| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
+| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
+| test.c:56:5:56:5 | r | semmle.label | r |
+| test.c:56:5:56:5 | r | semmle.label | r |
+| test.c:56:5:56:5 | r | semmle.label | r |
+| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
+| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
+| test.c:61:5:61:5 | r | semmle.label | r |
+| test.c:61:5:61:5 | r | semmle.label | r |
+| test.c:61:5:61:5 | r | semmle.label | r |
+| test.c:62:5:62:5 | r | semmle.label | r |
+| test.c:62:5:62:5 | r | semmle.label | r |
+| test.c:62:5:62:5 | r | semmle.label | r |
+| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
+| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
+| test.c:67:5:67:5 | r | semmle.label | r |
+| test.c:67:5:67:5 | r | semmle.label | r |
+| test.c:67:5:67:5 | r | semmle.label | r |
+| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
+| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
+| test.c:77:9:77:9 | r | semmle.label | r |
+| test.c:77:9:77:9 | r | semmle.label | r |
+| test.c:77:9:77:9 | r | semmle.label | r |
+| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
+| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
+| test.c:100:5:100:5 | r | semmle.label | r |
+| test.c:100:5:100:5 | r | semmle.label | r |
+| test.c:100:5:100:5 | r | semmle.label | r |
+| test.cpp:8:9:8:12 | Store | semmle.label | Store |
+| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
+| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
+| test.cpp:13:2:13:15 | Chi | semmle.label | Chi |
+| test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
+| test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
+| test.cpp:18:2:18:14 | Chi | semmle.label | Chi |
+| test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
+| test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
+| test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |
+| test.cpp:25:7:25:7 | r | semmle.label | r |
+| test.cpp:25:7:25:7 | r | semmle.label | r |
+| test.cpp:25:7:25:7 | r | semmle.label | r |
+| test.cpp:30:13:30:14 | get_rand2 output argument | semmle.label | get_rand2 output argument |
+| test.cpp:31:7:31:7 | r | semmle.label | r |
+| test.cpp:31:7:31:7 | r | semmle.label | r |
+| test.cpp:31:7:31:7 | r | semmle.label | r |
+| test.cpp:36:13:36:13 | get_rand3 output argument | semmle.label | get_rand3 output argument |
+| test.cpp:37:7:37:7 | r | semmle.label | r |
+| test.cpp:37:7:37:7 | r | semmle.label | r |
+| test.cpp:37:7:37:7 | r | semmle.label | r |
+#select
+| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
+| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
+| test.c:40:5:40:5 | r | test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
+| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
+| test.c:56:5:56:5 | r | test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
+| test.c:67:5:67:5 | r | test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
+| test.c:77:9:77:9 | r | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
+| test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
+| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
+| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
+| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/ComparisonWithWiderType.expected

@@ -1,4 +0,0 @@
-| test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
-| test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
-| test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |
-| test.c:65:14:65:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:64:8:64:8 | s | s | test.c:63:17:63:17 | x | x |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/test.c

@@ -1,78 +0,0 @@
-
-void test1 (int x) {
-	char c;
-	for (c = 0; c < x; c++) {} //BAD
-}
-
-void test2 (int x) {
-	char c;
-	for (c = 0; x > c; c++) {} // BAD
-}
-
-void test3 (int x) {
-	short s;
-	for (s = 0; s < x; s++) {} //BAD
-}
-
-void runner() { // get range analysis to give large values to x in tests
-	test1(65536);
-	test2(65536);
-	test3(655360);
-	test7((unsigned long long)1<<48);
-	test8(65536);
-	test9(65536);
-	test10(65536);
-
-}
-
-void test4 () {
-	short s1;
-	short s2 = 200;
-	for (s1 = 0;  s1 < s2; s1++) {}
-}
-
-void test5 () {
-	short s1;
-	int x = 65536;
-	s1 < x;
-}
-
-void test6() {
-	short  s1;
-	for (s1 = 0; s1 < 0x0000ffff; s1++) {}
-}
-
-void test7(long long l) {
-	int i;
-	for (i = 0; i < l; i++) {}
-}
-
-void test8(int x) {
-	short s;
-	for (s = 256; s < x; x--) {}
-}
-
-
-void test9(int x) {
-	short s;
-	for (s = 256; s < x; ) {
-		x--;
-	}
-}
-
-void test10(int x) {
-	short s;
-	for (s = 0; s < x; ) { // BAD
-		do
-		{
-			s++;
-		} while (0);
-	}
-}
-
-extern const int const256;
-
-void test11() {
-	short s;
-	for(s = 0; s < const256; ++s) {}
-}

cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected

@@ -1,3 +1,33 @@
-| test.cpp:20:7:20:12 | call to strcmp | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
-| test.cpp:31:7:31:12 | call to strcmp | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
-| test.cpp:42:7:42:12 | call to strcmp | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:30 | call to getenv | call to getenv |
+edges
+| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
+| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
+| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
+| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
+| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
+| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
+| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
+| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
+| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
+| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
+| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
+| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
+nodes
+| test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv |
+| test.cpp:16:25:16:42 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:20:14:20:20 | address | semmle.label | address |
+| test.cpp:20:14:20:20 | address | semmle.label | address |
+| test.cpp:20:14:20:20 | address | semmle.label | address |
+| test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv |
+| test.cpp:27:25:27:42 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:31:14:31:20 | address | semmle.label | address |
+| test.cpp:31:14:31:20 | address | semmle.label | address |
+| test.cpp:31:14:31:20 | address | semmle.label | address |
+| test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv |
+| test.cpp:38:25:38:42 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:42:14:42:20 | address | semmle.label | address |
+| test.cpp:42:14:42:20 | address | semmle.label | address |
+| test.cpp:42:14:42:20 | address | semmle.label | address |
+#select
+| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
+| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
+| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:30 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected

@@ -1 +1,13 @@
-| test.cpp:58:3:58:9 | call to sprintf | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
+edges
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+nodes
+| test.cpp:54:17:54:20 | argv | semmle.label | argv |
+| test.cpp:54:17:54:20 | argv | semmle.label | argv |
+| test.cpp:58:25:58:29 | input | semmle.label | input |
+| test.cpp:58:25:58:29 | input | semmle.label | input |
+| test.cpp:58:25:58:29 | input | semmle.label | input |
+#select
+| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.expected

@@ -0,0 +1 @@
+| test.cpp:21:3:21:8 | call to remove | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test.cpp:21:10:21:14 | file1 | filename | test.cpp:19:7:19:12 | call to rename | checked |

cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-367/TOCTOUFilesystemRace.ql

cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test.cpp

@@ -0,0 +1,51 @@
+
+class String
+{
+public:
+	String(const char *_s);
+	void set(const char *_s);
+};
+
+void create(const String &filename);
+bool rename(const String &from, const String &to);
+void remove(const String &filename);
+
+void test1()
+{
+	String file1 = "a.txt";
+	String file2 = "b.txt";
+
+	create(file1);
+	if (!rename(file1, file2))
+	{
+		remove(file1); // BAD
+	}
+}
+
+
+void test2()
+{
+	String file1 = "a.txt";
+	String file2 = "b.txt";
+
+	create(file1);
+	if (!rename(file1, file2))
+	{
+		file1.set("d.txt");
+		remove(file1); // GOOD
+	}
+}
+
+
+void test3()
+{
+	String file1 = "a.txt";
+	String file2 = "b.txt";
+	file1.set("d.txt");
+
+	create(file1);
+	if (!rename(file1, file2))
+	{
+		remove(file1); // BAD [NOT DETECTED]
+	}
+}

cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected

@@ -1,7 +1,7 @@
-| test.cpp:6:30:6:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is int *. |
-| test.cpp:14:30:14:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is int *. |
-| test.cpp:22:25:22:35 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is int *. |
-| test.cpp:30:25:30:35 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is int *. |
-| test.cpp:38:30:38:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is int *. |
-| test.cpp:61:27:61:37 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is int *. |
-| test.cpp:89:43:89:55 | sizeof(MyABC) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is myInt *const. |
+| test.cpp:6:30:6:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
+| test.cpp:14:30:14:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
+| test.cpp:22:25:22:35 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
+| test.cpp:30:25:30:35 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
+| test.cpp:38:30:38:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
+| test.cpp:61:27:61:37 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
+| test.cpp:89:43:89:55 | sizeof(MyABC) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | myInt *const | myInt *const |

cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected

@@ -1,2 +1,37 @@
-| test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
-| test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |
+edges
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:35 | (bool)... |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:38 | (bool)... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:10:24:35 | ! ... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:35 | (bool)... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:10:41:38 | ! ... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:38 | (bool)... |
+| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:10:24:35 | ! ... |
+| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:11:24:35 | (bool)... |
+| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:10:41:38 | ! ... |
+| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:11:41:38 | (bool)... |
+nodes
+| test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv |
+| test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
+| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
+| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
+| test.cpp:41:10:41:38 | ! ... | semmle.label | ! ... |
+| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
+| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
+#select
+| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
+| test.cpp:41:10:41:38 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |