Merge pull request #3788 from geoffw0/callderef

C++: Add bcopy to models and use it.

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -5507,8 +5507,6 @@
 | taint.cpp:194:10:194:10 | x | taint.cpp:194:9:194:10 | & ... |  |
 | taint.cpp:194:13:194:18 | source | taint.cpp:194:2:194:7 | call to memcpy | TAINT |
 | taint.cpp:194:13:194:18 | source | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
-| taint.cpp:194:21:194:31 | sizeof(int) | taint.cpp:194:2:194:7 | call to memcpy | TAINT |
-| taint.cpp:194:21:194:31 | sizeof(int) | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
 | taint.cpp:207:6:207:11 | call to source | taint.cpp:207:2:207:13 | ... = ... |  |
 | taint.cpp:207:6:207:11 | call to source | taint.cpp:210:7:210:7 | x |  |
 | taint.cpp:207:6:207:11 | call to source | taint.cpp:213:12:213:12 | x |  |

cpp/ql/test/query-tests/Critical/MissingNullTest/MissingNullTest.expected

@@ -0,0 +1,6 @@
+| test.cpp:23:8:23:8 | p | Value may be null; it should be checked before dereferencing. |
+| test.cpp:35:10:35:10 | q | Value may be null; it should be checked before dereferencing. |
+| test.cpp:43:13:43:13 | q | Value may be null; it should be checked before dereferencing. |
+| test.cpp:51:17:51:17 | q | Value may be null; it should be checked before dereferencing. |
+| test.cpp:58:8:58:8 | p | Value may be null; it should be checked before dereferencing. |
+| test.cpp:67:8:67:8 | p | Value may be null; it should be checked before dereferencing. |

cpp/ql/test/query-tests/Critical/MissingNullTest/MissingNullTest.qlref

@@ -0,0 +1 @@
+Critical/MissingNullTest.ql

cpp/ql/test/query-tests/Critical/MissingNullTest/test.cpp

@@ -0,0 +1,71 @@
+
+#define NULL (0)
+
+typedef unsigned long size_t;
+
+void *memcpy(void *s1, const void *s2, size_t n);
+void bcopy(const void *source, void *dest, size_t amount);
+
+void mycopyint(const int *source, int *dest)
+{
+	*dest = *source;
+}
+
+void test1(bool cond)
+{
+	int x, y;
+	
+	{
+		int *p, *q;
+
+		y = *p; // BAD (p is uninitialized and could be 0) [NOT DETECTED]
+		p = NULL;
+		y = *p; // BAD (p is 0)
+		p = &x;
+		y = *p; // GOOD (p points to x)
+		p = q;
+		y = *p; // BAD (p is uninitialized and could be 0) [NOT DETECTED]
+	}
+
+	{
+		int *p = &x;
+		int *q = 0;
+
+		memcpy(p, &y, sizeof(int)); // GOOD (p points to x)
+		memcpy(q, &y, sizeof(int)); // BAD (p is 0)
+	}
+
+	{
+		int *p = &x;
+		int *q = 0;
+
+		bcopy(&y, p, sizeof(int)); // GOOD (p points to x)
+		bcopy(&y, q, sizeof(int)); // BAD (p is 0)
+	}
+
+	{
+		int *p = &x;
+		int *q = 0;
+
+		mycopyint(&y, p); // GOOD (p points to x)
+		mycopyint(&y, q); // BAD (p is 0)
+	}
+
+	{
+		int *p = 0;
+		int *q = &x;
+
+		y = *p; // BAD (p is 0)
+		memcpy(&p, &q, sizeof(p));
+		y = *p; // GOOD (p points to x)
+	}
+
+	{
+		int *p = 0;
+		int *q = &x;
+
+		y = *p; // BAD (p is 0)
+		bcopy(&q, &p, sizeof(p));
+		y = *p; // GOOD (p points to x)
+	}
+}