diff --git a/cpp/ql/lib/change-notes/2026-04-28-strsafe.md b/cpp/ql/lib/change-notes/2026-04-28-strsafe.md
new file mode 100644
index 00000000000..9ef3fab0853
--- /dev/null
+++ b/cpp/ql/lib/change-notes/2026-04-28-strsafe.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added taint flow models for the `Strsafe.h` header from the Windows SDK.
\ No newline at end of file
diff --git a/cpp/ql/lib/ext/Strsafe.model.yml b/cpp/ql/lib/ext/Strsafe.model.yml
new file mode 100644
index 00000000000..44013854a06
--- /dev/null
+++ b/cpp/ql/lib/ext/Strsafe.model.yml
@@ -0,0 +1,94 @@
+# Models for strsafe.h safe string functions
+extensions:
+ - addsTo:
+ pack: codeql/cpp-all
+ extensible: sourceModel
+ data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+ # StringCchGets: (pszDest, cchDest)
+ - ["", "", False, "StringCchGetsA", "", "", "Argument[*0]", "local", "manual"]
+ - ["", "", False, "StringCchGetsW", "", "", "Argument[*0]", "local", "manual"]
+ # StringCbGets: (pszDest, cbDest)
+ - ["", "", False, "StringCbGetsA", "", "", "Argument[*0]", "local", "manual"]
+ - ["", "", False, "StringCbGetsW", "", "", "Argument[*0]", "local", "manual"]
+ # StringCchGetsEx: (pszDest, cchDest, ppszDestEnd, pcchRemaining, dwFlags)
+ - ["", "", False, "StringCchGetsExA", "", "", "Argument[*0]", "local", "manual"]
+ - ["", "", False, "StringCchGetsExW", "", "", "Argument[*0]", "local", "manual"]
+ # StringCbGetsEx: (pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags)
+ - ["", "", False, "StringCbGetsExA", "", "", "Argument[*0]", "local", "manual"]
+ - ["", "", False, "StringCbGetsExW", "", "", "Argument[*0]", "local", "manual"]
+ - addsTo:
+ pack: codeql/cpp-all
+ extensible: summaryModel
+ data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+ # StringCchCopy: (pszDest, cchDest, pszSrc)
+ - ["", "", False, "StringCchCopyA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchCopyW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCbCopy: (pszDest, cbDest, pszSrc)
+ - ["", "", False, "StringCbCopyA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbCopyW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCchCopyEx: (pszDest, cchDest, pszSrc, ppszDestEnd, pcchRemaining, dwFlags)
+ - ["", "", False, "StringCchCopyExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchCopyExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCbCopyEx: (pszDest, cbDest, pszSrc, ppszDestEnd, pcbRemaining, dwFlags)
+ - ["", "", False, "StringCbCopyExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbCopyExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCchCopyN: (pszDest, cchDest, pszSrc, cchToCopy)
+ - ["", "", False, "StringCchCopyNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchCopyNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCbCopyN: (pszDest, cbDest, pszSrc, cbToCopy)
+ - ["", "", False, "StringCbCopyNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbCopyNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCchCopyNEx: (pszDest, cchDest, pszSrc, cchToCopy, ppszDestEnd, pcchRemaining, dwFlags)
+ - ["", "", False, "StringCchCopyNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchCopyNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCbCopyNEx: (pszDest, cbDest, pszSrc, cbToCopy, ppszDestEnd, pcbRemaining, dwFlags)
+ - ["", "", False, "StringCbCopyNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbCopyNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCchCat: (pszDest, cchDest, pszSrc)
+ - ["", "", False, "StringCchCatA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchCatW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCbCat: (pszDest, cbDest, pszSrc)
+ - ["", "", False, "StringCbCatA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbCatW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCchCatEx: (pszDest, cchDest, pszSrc, ppszDestEnd, pcchRemaining, dwFlags)
+ - ["", "", False, "StringCchCatExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchCatExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCbCatEx: (pszDest, cbDest, pszSrc, ppszDestEnd, pcbRemaining, dwFlags)
+ - ["", "", False, "StringCbCatExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbCatExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCchCatN: (pszDest, cchDest, pszSrc, cchToAppend)
+ - ["", "", False, "StringCchCatNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchCatNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCbCatN: (pszDest, cbDest, pszSrc, cbToAppend)
+ - ["", "", False, "StringCbCatNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbCatNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCchCatNEx: (pszDest, cchDest, pszSrc, cchToAppend, ppszDestEnd, pcchRemaining, dwFlags)
+ - ["", "", False, "StringCchCatNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchCatNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCbCatNEx: (pszDest, cbDest, pszSrc, cbToAppend, ppszDestEnd, pcbRemaining, dwFlags)
+ - ["", "", False, "StringCbCatNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbCatNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCchPrintf: (pszDest, cchDest, pszFormat, ...)
+ - ["", "", False, "StringCchPrintfA", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchPrintfW", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
+ # StringCbPrintf: (pszDest, cbDest, pszFormat, ...)
+ - ["", "", False, "StringCbPrintfA", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbPrintfW", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
+ # StringCchPrintfEx: (pszDest, cchDest, ppszDestEnd, pcchRemaining, dwFlags, pszFormat, ...)
+ - ["", "", False, "StringCchPrintfExA", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchPrintfExW", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
+ # StringCbPrintfEx: (pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags, pszFormat, ...)
+ - ["", "", False, "StringCbPrintfExA", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbPrintfExW", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
+ # StringCchVPrintf: (pszDest, cchDest, pszFormat, argList)
+ - ["", "", False, "StringCchVPrintfA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchVPrintfW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCbVPrintf: (pszDest, cbDest, pszFormat, argList)
+ - ["", "", False, "StringCbVPrintfA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbVPrintfW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+ # StringCchVPrintfEx: (pszDest, cchDest, ppszDestEnd, pcchRemaining, dwFlags, pszFormat, argList)
+ - ["", "", False, "StringCchVPrintfExA", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCchVPrintfExW", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]
+ # StringCbVPrintfEx: (pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags, pszFormat, argList)
+ - ["", "", False, "StringCbVPrintfExA", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]
+ - ["", "", False, "StringCbVPrintfExW", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]
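Review bot: The VPrintf models at the end of the hunk (StringCchVPrintf*/StringCbVPrintf* and their Ex forms) propagate taint only from the format string, `Argument[*2]` / `Argument[*5]`, and not from the trailing `va_list` parameter, so tainted data forwarded through a variadic wrapper that calls one of these functions stops at the call, whereas the fixed-arity Printf models do cover the varargs via `Argument[*2..8]`. If that omission is deliberate (the engine may not track through a `va_list`), a comment saying so next to those entries would help; otherwise consider widening the input to include the list, e.g. `"Argument[*2..3]"` for StringCchVPrintfA and `"Argument[*5..6]"` for the Ex forms. The `..8` / `..11` upper bounds on the Printf entries also silently drop taint from the seventh and later variadic arguments; a comment such as `# varargs beyond the sixth are not modelled` would record that cap for whoever hits it. The `ppszDestEnd` out-parameter of the Ex variants, which is left pointing into the tainted destination buffer, is likewise not modelled.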
diff --git a/cpp/ql/test/library-tests/builtins/complex/builtin.expected b/cpp/ql/test/library-tests/builtins/complex/builtin.expected index c1b9b18a412..2537ff065ac 100644 --- a/cpp/ql/test/library-tests/builtins/complex/builtin.expected +++ b/cpp/ql/test/library-tests/builtins/complex/builtin.expected @@ -1,4 +1,4 @@ | complex.c:3:23:3:51 | __builtin_complex | file://:0:0:0:0 | _Complex double | complex.c:3:41:3:44 | real | file://:0:0:0:0 | double | complex.c:3:47:3:50 | imag | file://:0:0:0:0 | double | -| complex.c:4:23:4:57 | __builtin_complex | file://:0:0:0:0 | _Complex double | complex.c:4:41:4:47 | 2.71828000000000003 | file://:0:0:0:0 | double | complex.c:4:50:4:56 | 3.141589999999999883 | file://:0:0:0:0 | double | +| complex.c:4:23:4:57 | __builtin_complex | file://:0:0:0:0 | _Complex double | complex.c:4:41:4:47 | 2.71828 | file://:0:0:0:0 | double | complex.c:4:50:4:56 | 3.14159 | file://:0:0:0:0 | double | | complex.c:8:22:8:52 | __builtin_complex | file://:0:0:0:0 | _Complex float | complex.c:8:40:8:44 | realf | file://:0:0:0:0 | float | complex.c:8:47:8:51 | imagf | file://:0:0:0:0 | float | -| complex.c:9:22:9:52 | __builtin_complex | file://:0:0:0:0 | _Complex float | complex.c:9:40:9:44 | 1.230000019 | file://:0:0:0:0 | float | complex.c:9:47:9:51 | 4.559999943 | file://:0:0:0:0 | float | +| complex.c:9:22:9:52 | __builtin_complex | file://:0:0:0:0 | _Complex float | complex.c:9:40:9:44 | 1.23 | file://:0:0:0:0 | float | complex.c:9:47:9:51 | 4.56 | file://:0:0:0:0 | float | diff --git a/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected b/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected index 4d78c4016da..f6833ab4ff1 100644 --- a/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected +++ b/cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected 
@@ -298,16 +298,16 @@ | test.c:182:8:182:34 | ! ... | ! ... == 1 when ! ... is true | | test.c:182:8:182:34 | ! ... | ... && ... != 0 when ! ... is false | | test.c:182:8:182:34 | ! ... | ... && ... == 0 when ! ... is true | -| test.c:182:10:182:20 | ... >= ... | 9.999999999999999547e-07 < foo+1 when ... >= ... is true | -| test.c:182:10:182:20 | ... >= ... | 9.999999999999999547e-07 >= foo+1 when ... >= ... is false | +| test.c:182:10:182:20 | ... >= ... | 1.0E-6 < foo+1 when ... >= ... is true | +| test.c:182:10:182:20 | ... >= ... | 1.0E-6 >= foo+1 when ... >= ... is false | | test.c:182:10:182:20 | ... >= ... | ... >= ... != 0 when ... >= ... is true | | test.c:182:10:182:20 | ... >= ... | ... >= ... != 1 when ... >= ... is false | | test.c:182:10:182:20 | ... >= ... | ... >= ... == 0 when ... >= ... is false | | test.c:182:10:182:20 | ... >= ... | ... >= ... == 1 when ... >= ... is true | -| test.c:182:10:182:20 | ... >= ... | foo < 9.999999999999999547e-07+0 when ... >= ... is false | -| test.c:182:10:182:20 | ... >= ... | foo >= 9.999999999999999547e-07+0 when ... >= ... is true | +| test.c:182:10:182:20 | ... >= ... | foo < 1.0E-6+0 when ... >= ... is false | +| test.c:182:10:182:20 | ... >= ... | foo >= 1.0E-6+0 when ... >= ... is true | | test.c:182:10:182:33 | ... && ... | 1.0 >= foo+1 when ... && ... is true | -| test.c:182:10:182:33 | ... && ... | 9.999999999999999547e-07 < foo+1 when ... && ... is true | +| test.c:182:10:182:33 | ... && ... | 1.0E-6 < foo+1 when ... && ... is true | | test.c:182:10:182:33 | ... && ... | ! ... != 0 when ... && ... is false | | test.c:182:10:182:33 | ... && ... | ! ... != 1 when ... && ... is true | | test.c:182:10:182:33 | ... && ... | ! ... == 0 when ... && ... is true | 
@@ -319,7 +319,7 @@ | test.c:182:10:182:33 | ... && ... | ... >= ... != 0 when ... && ... is true | | test.c:182:10:182:33 | ... && ... | ... >= ... == 1 when ... && ... is true | | test.c:182:10:182:33 | ... && ... | foo < 1.0+0 when ... && ... is true | -| test.c:182:10:182:33 | ... && ... | foo >= 9.999999999999999547e-07+0 when ... && ... is true | +| test.c:182:10:182:33 | ... && ... | foo >= 1.0E-6+0 when ... && ... is true | | test.c:182:25:182:33 | ... < ... | 1.0 < foo+1 when ... < ... is false | | test.c:182:25:182:33 | ... < ... | 1.0 >= foo+1 when ... < ... is true | | test.c:182:25:182:33 | ... < ... | ... < ... != 0 when ... < ... is true | diff --git a/cpp/ql/test/library-tests/controlflow/guards/GuardsEnsure.expected b/cpp/ql/test/library-tests/controlflow/guards/GuardsEnsure.expected index 5a364e3deaa..cf99d2c20b8 100644 --- a/cpp/ql/test/library-tests/controlflow/guards/GuardsEnsure.expected +++ b/cpp/ql/test/library-tests/controlflow/guards/GuardsEnsure.expected 
@@ -169,12 +169,12 @@ binary | test.c:176:8:176:15 | ! ... | test.c:176:14:176:14 | b | < | test.c:176:10:176:10 | a | 1 | test.c:176:18:178:5 | { ... } | | test.c:176:10:176:14 | ... < ... | test.c:176:10:176:10 | a | >= | test.c:176:14:176:14 | b | 0 | test.c:176:18:178:5 | { ... } | | test.c:176:10:176:14 | ... < ... | test.c:176:14:176:14 | b | < | test.c:176:10:176:10 | a | 1 | test.c:176:18:178:5 | { ... } | -| test.c:182:10:182:20 | ... >= ... | test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 9.999999999999999547e-07 | 0 | test.c:181:25:182:20 | { ... } | -| test.c:182:10:182:20 | ... >= ... | test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 9.999999999999999547e-07 | 0 | test.c:182:25:182:33 | foo | -| test.c:182:10:182:20 | ... >= ... | test.c:182:17:182:20 | 9.999999999999999547e-07 | < | test.c:182:10:182:12 | foo | 1 | test.c:181:25:182:20 | { ... } | -| test.c:182:10:182:20 | ... >= ... | test.c:182:17:182:20 | 9.999999999999999547e-07 | < | test.c:182:10:182:12 | foo | 1 | test.c:182:25:182:33 | foo | -| test.c:182:10:182:33 | ... && ... | test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 9.999999999999999547e-07 | 0 | test.c:181:25:182:20 | { ... } | -| test.c:182:10:182:33 | ... && ... | test.c:182:17:182:20 | 9.999999999999999547e-07 | < | test.c:182:10:182:12 | foo | 1 | test.c:181:25:182:20 | { ... } | +| test.c:182:10:182:20 | ... >= ... | test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 1.0E-6 | 0 | test.c:181:25:182:20 | { ... } | +| test.c:182:10:182:20 | ... >= ... | test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 1.0E-6 | 0 | test.c:182:25:182:33 | foo | +| test.c:182:10:182:20 | ... >= ... | test.c:182:17:182:20 | 1.0E-6 | < | test.c:182:10:182:12 | foo | 1 | test.c:181:25:182:20 | { ... } | +| test.c:182:10:182:20 | ... >= ... | test.c:182:17:182:20 | 1.0E-6 | < | test.c:182:10:182:12 | foo | 1 | test.c:182:25:182:33 | foo | +| test.c:182:10:182:33 | ... && ... 
| test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 1.0E-6 | 0 | test.c:181:25:182:20 | { ... } |
+| test.c:182:10:182:33 | ... && ... | test.c:182:17:182:20 | 1.0E-6 | < | test.c:182:10:182:12 | foo | 1 | test.c:181:25:182:20 | { ... } |
 | test.c:182:10:182:33 | ... && ... | test.c:182:25:182:27 | foo | < | test.c:182:31:182:33 | 1.0 | 0 | test.c:181:25:182:20 | { ... } |
 | test.c:182:10:182:33 | ... && ... | test.c:182:31:182:33 | 1.0 | >= | test.c:182:25:182:27 | foo | 1 | test.c:181:25:182:20 | { ... } |
 | test.c:182:25:182:33 | ... < ... | test.c:182:25:182:27 | foo | < | test.c:182:31:182:33 | 1.0 | 0 | test.c:181:25:182:20 | { ... } |
diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp
index c515a199f07..e4947a112f8 100644
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp
+++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp
@@ -115,3 +115,19 @@ void test_zmc(void *socket) {
 // ...
 }
 }
+
+long StringCchGetsA(char *, size_t);
+long StringCchGetsExA(char *, size_t, char **, size_t *, unsigned long);
+
+void test_strsafe_gets() {
+ {
+ char dest[256] = {0};
+ StringCchGetsA(dest, sizeof(dest)); // $ local_source
+ }
+ {
+ char dest[256] = {0};
+ char *end;
+ size_t remaining;
+ StringCchGetsExA(dest, sizeof(dest), &end, &remaining, 0); // $ local_source
+ }
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 0f4d67f2695..9224cd62e82 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
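Review bot: Only StringCchGetsA and StringCchGetsExA are exercised in test_strsafe_gets, so six of the eight new source models (the W variants and every StringCb form) have no test, and a typo in one of those names in the model file would go unnoticed. Adding one Cb and one wide case, e.g. `StringCbGetsA(dest, sizeof(dest)); // $ local_source` and a `wchar_t dest[256]` passed to `StringCchGetsW`, would pin them down. The stub declarations use `long` and `unsigned long` where the real header presumably uses its own typedefs; a one-line comment such as `// stubs: return/flag types simplified, strsafe.h is not included` would stop someone "fixing" them later.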
@@ -8008,6 +8008,174 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | taint.cpp:866:26:866:34 | ref arg & ... | taint.cpp:866:27:866:34 | size_out [inner post update] | | | taint.cpp:866:27:866:34 | size_out | taint.cpp:866:26:866:34 | & ... | | | taint.cpp:867:8:867:8 | p | taint.cpp:867:7:867:8 | * ... | TAINT | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:897:38:897:43 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:907:37:907:42 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:914:40:914:45 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:919:39:919:44 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:926:41:926:46 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:931:37:931:42 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:941:36:941:41 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:948:39:948:44 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:953:38:953:43 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:960:40:960:45 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:965:46:965:51 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:975:45:975:50 | source | | +| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:982:69:982:74 | source | | +| taint.cpp:893:32:893:46 | call to indirect_source | taint.cpp:902:38:902:44 | wsource | | +| taint.cpp:893:32:893:46 | call to indirect_source | taint.cpp:936:37:936:43 | wsource | | +| taint.cpp:893:32:893:46 | call to indirect_source | taint.cpp:970:47:970:53 | wsource | | +| taint.cpp:896:19:896:22 | {...} | taint.cpp:897:18:897:21 | dest | | +| taint.cpp:896:19:896:22 | {...} | taint.cpp:897:31:897:34 | dest | | +| taint.cpp:896:19:896:22 
| {...} | taint.cpp:898:9:898:12 | dest | | +| taint.cpp:896:21:896:21 | 0 | taint.cpp:896:19:896:22 | {...} | TAINT | +| taint.cpp:897:18:897:21 | ref arg dest | taint.cpp:898:9:898:12 | dest | | +| taint.cpp:898:9:898:12 | dest | taint.cpp:898:8:898:12 | * ... | | +| taint.cpp:901:22:901:25 | {...} | taint.cpp:902:18:902:21 | dest | | +| taint.cpp:901:22:901:25 | {...} | taint.cpp:902:31:902:34 | dest | | +| taint.cpp:901:22:901:25 | {...} | taint.cpp:903:9:903:12 | dest | | +| taint.cpp:901:24:901:24 | 0 | taint.cpp:901:22:901:25 | {...} | TAINT | +| taint.cpp:902:18:902:21 | ref arg dest | taint.cpp:903:9:903:12 | dest | | +| taint.cpp:903:9:903:12 | dest | taint.cpp:903:8:903:12 | * ... | | +| taint.cpp:906:19:906:22 | {...} | taint.cpp:907:17:907:20 | dest | | +| taint.cpp:906:19:906:22 | {...} | taint.cpp:907:30:907:33 | dest | | +| taint.cpp:906:19:906:22 | {...} | taint.cpp:908:9:908:12 | dest | | +| taint.cpp:906:21:906:21 | 0 | taint.cpp:906:19:906:22 | {...} | TAINT | +| taint.cpp:907:17:907:20 | ref arg dest | taint.cpp:908:9:908:12 | dest | | +| taint.cpp:908:9:908:12 | dest | taint.cpp:908:8:908:12 | * ... | | +| taint.cpp:911:19:911:22 | {...} | taint.cpp:914:20:914:23 | dest | | +| taint.cpp:911:19:911:22 | {...} | taint.cpp:914:33:914:36 | dest | | +| taint.cpp:911:19:911:22 | {...} | taint.cpp:915:9:915:12 | dest | | +| taint.cpp:911:21:911:21 | 0 | taint.cpp:911:19:911:22 | {...} | TAINT | +| taint.cpp:912:9:912:11 | end | taint.cpp:914:49:914:51 | end | | +| taint.cpp:913:10:913:18 | remaining | taint.cpp:914:55:914:63 | remaining | | +| taint.cpp:914:20:914:23 | ref arg dest | taint.cpp:915:9:915:12 | dest | | +| taint.cpp:914:48:914:51 | ref arg & ... | taint.cpp:914:49:914:51 | end [inner post update] | | +| taint.cpp:914:49:914:51 | end | taint.cpp:914:48:914:51 | & ... | | +| taint.cpp:914:54:914:63 | ref arg & ... 
| taint.cpp:914:55:914:63 | remaining [inner post update] | | +| taint.cpp:914:55:914:63 | remaining | taint.cpp:914:54:914:63 | & ... | | +| taint.cpp:915:9:915:12 | dest | taint.cpp:915:8:915:12 | * ... | | +| taint.cpp:918:19:918:22 | {...} | taint.cpp:919:19:919:22 | dest | | +| taint.cpp:918:19:918:22 | {...} | taint.cpp:919:32:919:35 | dest | | +| taint.cpp:918:19:918:22 | {...} | taint.cpp:920:9:920:12 | dest | | +| taint.cpp:918:21:918:21 | 0 | taint.cpp:918:19:918:22 | {...} | TAINT | +| taint.cpp:919:19:919:22 | ref arg dest | taint.cpp:920:9:920:12 | dest | | +| taint.cpp:920:9:920:12 | dest | taint.cpp:920:8:920:12 | * ... | | +| taint.cpp:923:19:923:22 | {...} | taint.cpp:926:21:926:24 | dest | | +| taint.cpp:923:19:923:22 | {...} | taint.cpp:926:34:926:37 | dest | | +| taint.cpp:923:19:923:22 | {...} | taint.cpp:927:8:927:11 | dest | | +| taint.cpp:923:21:923:21 | 0 | taint.cpp:923:19:923:22 | {...} | TAINT | +| taint.cpp:924:9:924:11 | end | taint.cpp:926:55:926:57 | end | | +| taint.cpp:925:10:925:18 | remaining | taint.cpp:926:61:926:69 | remaining | | +| taint.cpp:926:21:926:24 | ref arg dest | taint.cpp:927:8:927:11 | dest | | +| taint.cpp:926:54:926:57 | ref arg & ... | taint.cpp:926:55:926:57 | end [inner post update] | | +| taint.cpp:926:55:926:57 | end | taint.cpp:926:54:926:57 | & ... | | +| taint.cpp:926:60:926:69 | ref arg & ... | taint.cpp:926:61:926:69 | remaining [inner post update] | | +| taint.cpp:926:61:926:69 | remaining | taint.cpp:926:60:926:69 | & ... | | +| taint.cpp:930:20:930:27 | prefix | taint.cpp:931:17:931:20 | dest | | +| taint.cpp:930:20:930:27 | prefix | taint.cpp:931:30:931:33 | dest | | +| taint.cpp:930:20:930:27 | prefix | taint.cpp:932:9:932:12 | dest | | +| taint.cpp:931:17:931:20 | ref arg dest | taint.cpp:932:9:932:12 | dest | | +| taint.cpp:932:9:932:12 | dest | taint.cpp:932:8:932:12 | * ... 
| | +| taint.cpp:935:23:935:31 | prefix | taint.cpp:936:17:936:20 | dest | | +| taint.cpp:935:23:935:31 | prefix | taint.cpp:936:30:936:33 | dest | | +| taint.cpp:935:23:935:31 | prefix | taint.cpp:937:9:937:12 | dest | | +| taint.cpp:936:17:936:20 | ref arg dest | taint.cpp:937:9:937:12 | dest | | +| taint.cpp:937:9:937:12 | dest | taint.cpp:937:8:937:12 | * ... | | +| taint.cpp:940:20:940:27 | prefix | taint.cpp:941:16:941:19 | dest | | +| taint.cpp:940:20:940:27 | prefix | taint.cpp:941:29:941:32 | dest | | +| taint.cpp:940:20:940:27 | prefix | taint.cpp:942:9:942:12 | dest | | +| taint.cpp:941:16:941:19 | ref arg dest | taint.cpp:942:9:942:12 | dest | | +| taint.cpp:942:9:942:12 | dest | taint.cpp:942:8:942:12 | * ... | | +| taint.cpp:945:20:945:27 | prefix | taint.cpp:948:19:948:22 | dest | | +| taint.cpp:945:20:945:27 | prefix | taint.cpp:948:32:948:35 | dest | | +| taint.cpp:945:20:945:27 | prefix | taint.cpp:949:9:949:12 | dest | | +| taint.cpp:946:9:946:11 | end | taint.cpp:948:48:948:50 | end | | +| taint.cpp:947:10:947:18 | remaining | taint.cpp:948:54:948:62 | remaining | | +| taint.cpp:948:19:948:22 | ref arg dest | taint.cpp:949:9:949:12 | dest | | +| taint.cpp:948:47:948:50 | ref arg & ... | taint.cpp:948:48:948:50 | end [inner post update] | | +| taint.cpp:948:48:948:50 | end | taint.cpp:948:47:948:50 | & ... | | +| taint.cpp:948:53:948:62 | ref arg & ... | taint.cpp:948:54:948:62 | remaining [inner post update] | | +| taint.cpp:948:54:948:62 | remaining | taint.cpp:948:53:948:62 | & ... | | +| taint.cpp:949:9:949:12 | dest | taint.cpp:949:8:949:12 | * ... | | +| taint.cpp:952:20:952:27 | prefix | taint.cpp:953:18:953:21 | dest | | +| taint.cpp:952:20:952:27 | prefix | taint.cpp:953:31:953:34 | dest | | +| taint.cpp:952:20:952:27 | prefix | taint.cpp:954:9:954:12 | dest | | +| taint.cpp:953:18:953:21 | ref arg dest | taint.cpp:954:9:954:12 | dest | | +| taint.cpp:954:9:954:12 | dest | taint.cpp:954:8:954:12 | * ... 
| | +| taint.cpp:957:20:957:27 | prefix | taint.cpp:960:20:960:23 | dest | | +| taint.cpp:957:20:957:27 | prefix | taint.cpp:960:33:960:36 | dest | | +| taint.cpp:957:20:957:27 | prefix | taint.cpp:961:9:961:12 | dest | | +| taint.cpp:958:9:958:11 | end | taint.cpp:960:54:960:56 | end | | +| taint.cpp:959:10:959:18 | remaining | taint.cpp:960:60:960:68 | remaining | | +| taint.cpp:960:20:960:23 | ref arg dest | taint.cpp:961:9:961:12 | dest | | +| taint.cpp:960:53:960:56 | ref arg & ... | taint.cpp:960:54:960:56 | end [inner post update] | | +| taint.cpp:960:54:960:56 | end | taint.cpp:960:53:960:56 | & ... | | +| taint.cpp:960:59:960:68 | ref arg & ... | taint.cpp:960:60:960:68 | remaining [inner post update] | | +| taint.cpp:960:60:960:68 | remaining | taint.cpp:960:59:960:68 | & ... | | +| taint.cpp:961:9:961:12 | dest | taint.cpp:961:8:961:12 | * ... | | +| taint.cpp:964:19:964:22 | {...} | taint.cpp:965:20:965:23 | dest | | +| taint.cpp:964:19:964:22 | {...} | taint.cpp:965:33:965:36 | dest | | +| taint.cpp:964:19:964:22 | {...} | taint.cpp:966:9:966:12 | dest | | +| taint.cpp:964:21:964:21 | 0 | taint.cpp:964:19:964:22 | {...} | TAINT | +| taint.cpp:965:20:965:23 | ref arg dest | taint.cpp:966:9:966:12 | dest | | +| taint.cpp:965:40:965:43 | %s | taint.cpp:965:20:965:23 | ref arg dest | TAINT | +| taint.cpp:965:46:965:51 | ref arg source | taint.cpp:975:45:975:50 | source | | +| taint.cpp:965:46:965:51 | ref arg source | taint.cpp:982:69:982:74 | source | | +| taint.cpp:965:46:965:51 | source | taint.cpp:965:20:965:23 | ref arg dest | TAINT | +| taint.cpp:966:9:966:12 | dest | taint.cpp:966:8:966:12 | * ... 
| | +| taint.cpp:969:22:969:25 | {...} | taint.cpp:970:20:970:23 | dest | | +| taint.cpp:969:22:969:25 | {...} | taint.cpp:970:33:970:36 | dest | | +| taint.cpp:969:22:969:25 | {...} | taint.cpp:971:9:971:12 | dest | | +| taint.cpp:969:24:969:24 | 0 | taint.cpp:969:22:969:25 | {...} | TAINT | +| taint.cpp:970:20:970:23 | ref arg dest | taint.cpp:971:9:971:12 | dest | | +| taint.cpp:970:40:970:44 | %s | taint.cpp:970:20:970:23 | ref arg dest | TAINT | +| taint.cpp:970:47:970:53 | wsource | taint.cpp:970:20:970:23 | ref arg dest | TAINT | +| taint.cpp:971:9:971:12 | dest | taint.cpp:971:8:971:12 | * ... | | +| taint.cpp:974:19:974:22 | {...} | taint.cpp:975:19:975:22 | dest | | +| taint.cpp:974:19:974:22 | {...} | taint.cpp:975:32:975:35 | dest | | +| taint.cpp:974:19:974:22 | {...} | taint.cpp:976:9:976:12 | dest | | +| taint.cpp:974:21:974:21 | 0 | taint.cpp:974:19:974:22 | {...} | TAINT | +| taint.cpp:975:19:975:22 | ref arg dest | taint.cpp:976:9:976:12 | dest | | +| taint.cpp:975:39:975:42 | %s | taint.cpp:975:19:975:22 | ref arg dest | TAINT | +| taint.cpp:975:45:975:50 | ref arg source | taint.cpp:982:69:982:74 | source | | +| taint.cpp:975:45:975:50 | source | taint.cpp:975:19:975:22 | ref arg dest | TAINT | +| taint.cpp:976:9:976:12 | dest | taint.cpp:976:8:976:12 | * ... | | +| taint.cpp:979:19:979:22 | {...} | taint.cpp:982:22:982:25 | dest | | +| taint.cpp:979:19:979:22 | {...} | taint.cpp:982:35:982:38 | dest | | +| taint.cpp:979:19:979:22 | {...} | taint.cpp:983:9:983:12 | dest | | +| taint.cpp:979:21:979:21 | 0 | taint.cpp:979:19:979:22 | {...} | TAINT | +| taint.cpp:980:9:980:11 | end | taint.cpp:982:43:982:45 | end | | +| taint.cpp:981:10:981:18 | remaining | taint.cpp:982:49:982:57 | remaining | | +| taint.cpp:982:22:982:25 | ref arg dest | taint.cpp:983:9:983:12 | dest | | +| taint.cpp:982:42:982:45 | ref arg & ... | taint.cpp:982:43:982:45 | end [inner post update] | | +| taint.cpp:982:43:982:45 | end | taint.cpp:982:42:982:45 | & ... 
| | +| taint.cpp:982:48:982:57 | ref arg & ... | taint.cpp:982:49:982:57 | remaining [inner post update] | | +| taint.cpp:982:49:982:57 | remaining | taint.cpp:982:48:982:57 | & ... | | +| taint.cpp:982:63:982:66 | %s | taint.cpp:982:22:982:25 | ref arg dest | TAINT | +| taint.cpp:982:69:982:74 | source | taint.cpp:982:22:982:25 | ref arg dest | TAINT | +| taint.cpp:983:9:983:12 | dest | taint.cpp:983:8:983:12 | * ... | | +| taint.cpp:986:19:986:22 | {...} | taint.cpp:988:20:988:23 | dest | | +| taint.cpp:986:19:986:22 | {...} | taint.cpp:988:33:988:36 | dest | | +| taint.cpp:986:19:986:22 | {...} | taint.cpp:989:9:989:12 | dest | | +| taint.cpp:986:21:986:21 | 0 | taint.cpp:986:19:986:22 | {...} | TAINT | +| taint.cpp:987:15:987:29 | call to indirect_source | taint.cpp:988:40:988:42 | fmt | | +| taint.cpp:988:20:988:23 | ref arg dest | taint.cpp:989:9:989:12 | dest | | +| taint.cpp:988:40:988:42 | fmt | taint.cpp:988:20:988:23 | ref arg dest | TAINT | +| taint.cpp:989:9:989:12 | dest | taint.cpp:989:8:989:12 | * ... | | +| taint.cpp:992:19:992:22 | {...} | taint.cpp:993:20:993:23 | dest | | +| taint.cpp:992:19:992:22 | {...} | taint.cpp:993:33:993:36 | dest | | +| taint.cpp:992:19:992:22 | {...} | taint.cpp:994:9:994:12 | dest | | +| taint.cpp:992:21:992:21 | 0 | taint.cpp:992:19:992:22 | {...} | TAINT | +| taint.cpp:993:20:993:23 | ref arg dest | taint.cpp:994:9:994:12 | dest | | +| taint.cpp:993:40:993:43 | %d | taint.cpp:993:20:993:23 | ref arg dest | TAINT | +| taint.cpp:993:46:993:47 | 42 | taint.cpp:993:20:993:23 | ref arg dest | TAINT | +| taint.cpp:994:9:994:12 | dest | taint.cpp:994:8:994:12 | * ... 
| | +| taint.cpp:997:19:997:22 | {...} | taint.cpp:998:18:998:21 | dest | | +| taint.cpp:997:19:997:22 | {...} | taint.cpp:998:31:998:34 | dest | | +| taint.cpp:997:19:997:22 | {...} | taint.cpp:999:9:999:12 | dest | | +| taint.cpp:997:21:997:21 | 0 | taint.cpp:997:19:997:22 | {...} | TAINT | +| taint.cpp:998:18:998:21 | ref arg dest | taint.cpp:999:9:999:12 | dest | | +| taint.cpp:999:9:999:12 | dest | taint.cpp:999:8:999:12 | * ... | | | thread.cpp:10:27:10:27 | s | thread.cpp:10:27:10:27 | s | | | thread.cpp:10:27:10:27 | s | thread.cpp:11:8:11:8 | s | | | thread.cpp:14:26:14:26 | s | thread.cpp:15:8:15:8 | s | | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp index fa32e192239..3168fb3a96f 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp 
@@ -866,3 +866,136 @@ void test_iconv(size_t size) {
 iconv(0, &s, &size, &p, &size_out);
 sink(*p); // $ ast,ir
 }
+
+using va_list = void*;
+
+long StringCchCopyA(char *, size_t, const char *);
+long StringCchCopyW(wchar_t *, size_t, const wchar_t *);
+long StringCbCopyA(char *, size_t, const char *);
+long StringCchCopyExA(char *, size_t, const char *, char **, size_t *, unsigned long);
+long StringCchCopyNA(char *, size_t, const char *, size_t);
+long StringCchCopyNExA(char *, size_t, const char *, size_t, char **, size_t *, unsigned long);
+long StringCchCatA(char *, size_t, const char *);
+long StringCchCatW(wchar_t *, size_t, const wchar_t *);
+long StringCbCatA(char *, size_t, const char *);
+long StringCchCatExA(char *, size_t, const char *, char **, size_t *, unsigned long);
+long StringCchCatNA(char *, size_t, const char *, size_t);
+long StringCchCatNExA(char *, size_t, const char *, size_t, char **, size_t *, unsigned long);
+long StringCchPrintfA(char *, size_t, const char *, ...);
+long StringCchPrintfW(wchar_t *, size_t, const wchar_t *, ...);
+long StringCbPrintfA(char *, size_t, const char *, ...);
+long StringCchPrintfExA(char *, size_t, char **, size_t *, unsigned long, const char *, ...);
+long StringCchVPrintfA(char *, size_t, const char *, va_list);
+long StringCchVPrintfExA(char *, size_t, char **, size_t *, unsigned long, const char *, va_list);
+
+void test_strsafe() {
+ char *source = indirect_source();
+ wchar_t *wsource = (wchar_t *)indirect_source();
+
+ {
+ char dest[256] = {0};
+ StringCchCopyA(dest, sizeof(dest), source);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ wchar_t dest[256] = {0};
+ StringCchCopyW(dest, sizeof(dest), wsource);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = {0};
+ StringCbCopyA(dest, sizeof(dest), source);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = {0};
+ char *end;
+ size_t remaining;
+ StringCchCopyExA(dest, sizeof(dest), source, &end, &remaining, 0);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = {0};
+ StringCchCopyNA(dest, sizeof(dest), source, 128);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = {0};
+ char *end;
+ size_t remaining;
+ StringCchCopyNExA(dest, sizeof(dest), source, 128, &end, &remaining, 0);
+ sink(dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = "prefix";
+ StringCchCatA(dest, sizeof(dest), source);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ wchar_t dest[256] = L"prefix";
+ StringCchCatW(dest, sizeof(dest), wsource);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = "prefix";
+ StringCbCatA(dest, sizeof(dest), source);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = "prefix";
+ char *end;
+ size_t remaining;
+ StringCchCatExA(dest, sizeof(dest), source, &end, &remaining, 0);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = "prefix";
+ StringCchCatNA(dest, sizeof(dest), source, 128);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = "prefix";
+ char *end;
+ size_t remaining;
+ StringCchCatNExA(dest, sizeof(dest), source, 128, &end, &remaining, 0);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = {0};
+ StringCchPrintfA(dest, sizeof(dest), "%s", source);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ wchar_t dest[256] = {0};
+ StringCchPrintfW(dest, sizeof(dest), L"%s", wsource);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = {0};
+ StringCbPrintfA(dest, sizeof(dest), "%s", source);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = {0};
+ char *end;
+ size_t remaining;
+ StringCchPrintfExA(dest, sizeof(dest), &end, &remaining, 0, "%s", source);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = {0};
+ char *fmt = indirect_source();
+ StringCchPrintfA(dest, sizeof(dest), fmt);
+ sink(*dest); // $ ir MISSING: ast
+ }
+ {
+ char dest[256] = {0};
+ StringCchPrintfA(dest, sizeof(dest), "%d", 42);
+ sink(*dest); // clean
+ }
+ {
+ char dest[256] = {0};
+ StringCchCopyA(dest, sizeof(dest), "hello");
+ sink(*dest); // clean
+ }
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
index e0002aa9c03..5ad32759da5 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
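Review bot: The wide-character cases pass `sizeof(dest)` as the `cchDest` argument of `StringCchCopyW`, `StringCchCatW` and `StringCchPrintfW`, but the Cch family takes a count of characters, so for `wchar_t dest[256]` this overstates the buffer by a factor of `sizeof(wchar_t)` — exactly the mistake that lets a "safe" strsafe call write past its destination in real code. The prototypes here are stubs and nothing executes, so the flow results are unaffected, but a fixture that models these APIs should show the correct count: `StringCchCopyW(dest, sizeof(dest) / sizeof(dest[0]), wsource);`, `StringCchCatW(dest, sizeof(dest) / sizeof(dest[0]), wsource);`, `StringCchPrintfW(dest, sizeof(dest) / sizeof(dest[0]), L"%s", wsource);`. The `StringCchCopyNExA` case also calls `sink(dest)` where every other case calls `sink(*dest)`; if that difference is not deliberate, aligning it keeps the cases comparable.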
@@ -28044,6 +28044,118 @@ getParameterTypeName | taint.cpp:859:8:859:12 | iconv | 4 | unsigned long * | | taint.cpp:861:6:861:15 | test_iconv | 0 | size_t | | taint.cpp:861:6:861:15 | test_iconv | 0 | unsigned long | +| taint.cpp:872:6:872:19 | StringCchCopyA | 0 | char * | +| taint.cpp:872:6:872:19 | StringCchCopyA | 1 | size_t | +| taint.cpp:872:6:872:19 | StringCchCopyA | 1 | unsigned long | +| taint.cpp:872:6:872:19 | StringCchCopyA | 2 | const char * | +| taint.cpp:873:6:873:19 | StringCchCopyW | 0 | wchar_t * | +| taint.cpp:873:6:873:19 | StringCchCopyW | 1 | size_t | +| taint.cpp:873:6:873:19 | StringCchCopyW | 1 | unsigned long | +| taint.cpp:873:6:873:19 | StringCchCopyW | 2 | const wchar_t * | +| taint.cpp:874:6:874:18 | StringCbCopyA | 0 | char * | +| taint.cpp:874:6:874:18 | StringCbCopyA | 1 | size_t | +| taint.cpp:874:6:874:18 | StringCbCopyA | 1 | unsigned long | +| taint.cpp:874:6:874:18 | StringCbCopyA | 2 | const char * | +| taint.cpp:875:6:875:21 | StringCchCopyExA | 0 | char * | +| taint.cpp:875:6:875:21 | StringCchCopyExA | 1 | size_t | +| taint.cpp:875:6:875:21 | StringCchCopyExA | 1 | unsigned long | +| taint.cpp:875:6:875:21 | StringCchCopyExA | 2 | const char * | +| taint.cpp:875:6:875:21 | StringCchCopyExA | 3 | char ** | +| taint.cpp:875:6:875:21 | StringCchCopyExA | 4 | size_t * | +| taint.cpp:875:6:875:21 | StringCchCopyExA | 4 | unsigned long * | +| taint.cpp:875:6:875:21 | StringCchCopyExA | 5 | unsigned long | +| taint.cpp:876:6:876:20 | StringCchCopyNA | 0 | char * | +| taint.cpp:876:6:876:20 | StringCchCopyNA | 1 | size_t | +| taint.cpp:876:6:876:20 | StringCchCopyNA | 1 | unsigned long | +| taint.cpp:876:6:876:20 | StringCchCopyNA | 2 | const char * | +| taint.cpp:876:6:876:20 | StringCchCopyNA | 3 | size_t | +| taint.cpp:876:6:876:20 | StringCchCopyNA | 3 | unsigned long | +| taint.cpp:877:6:877:22 | StringCchCopyNExA | 0 | char * | +| taint.cpp:877:6:877:22 | StringCchCopyNExA | 1 | size_t | +| taint.cpp:877:6:877:22 | 
StringCchCopyNExA | 1 | unsigned long | +| taint.cpp:877:6:877:22 | StringCchCopyNExA | 2 | const char * | +| taint.cpp:877:6:877:22 | StringCchCopyNExA | 3 | size_t | +| taint.cpp:877:6:877:22 | StringCchCopyNExA | 3 | unsigned long | +| taint.cpp:877:6:877:22 | StringCchCopyNExA | 4 | char ** | +| taint.cpp:877:6:877:22 | StringCchCopyNExA | 5 | size_t * | +| taint.cpp:877:6:877:22 | StringCchCopyNExA | 5 | unsigned long * | +| taint.cpp:877:6:877:22 | StringCchCopyNExA | 6 | unsigned long | +| taint.cpp:878:6:878:18 | StringCchCatA | 0 | char * | +| taint.cpp:878:6:878:18 | StringCchCatA | 1 | size_t | +| taint.cpp:878:6:878:18 | StringCchCatA | 1 | unsigned long | +| taint.cpp:878:6:878:18 | StringCchCatA | 2 | const char * | +| taint.cpp:879:6:879:18 | StringCchCatW | 0 | wchar_t * | +| taint.cpp:879:6:879:18 | StringCchCatW | 1 | size_t | +| taint.cpp:879:6:879:18 | StringCchCatW | 1 | unsigned long | +| taint.cpp:879:6:879:18 | StringCchCatW | 2 | const wchar_t * | +| taint.cpp:880:6:880:17 | StringCbCatA | 0 | char * | +| taint.cpp:880:6:880:17 | StringCbCatA | 1 | size_t | +| taint.cpp:880:6:880:17 | StringCbCatA | 1 | unsigned long | +| taint.cpp:880:6:880:17 | StringCbCatA | 2 | const char * | +| taint.cpp:881:6:881:20 | StringCchCatExA | 0 | char * | +| taint.cpp:881:6:881:20 | StringCchCatExA | 1 | size_t | +| taint.cpp:881:6:881:20 | StringCchCatExA | 1 | unsigned long | +| taint.cpp:881:6:881:20 | StringCchCatExA | 2 | const char * | +| taint.cpp:881:6:881:20 | StringCchCatExA | 3 | char ** | +| taint.cpp:881:6:881:20 | StringCchCatExA | 4 | size_t * | +| taint.cpp:881:6:881:20 | StringCchCatExA | 4 | unsigned long * | +| taint.cpp:881:6:881:20 | StringCchCatExA | 5 | unsigned long | +| taint.cpp:882:6:882:19 | StringCchCatNA | 0 | char * | +| taint.cpp:882:6:882:19 | StringCchCatNA | 1 | size_t | +| taint.cpp:882:6:882:19 | StringCchCatNA | 1 | unsigned long | +| taint.cpp:882:6:882:19 | StringCchCatNA | 2 | const char * | +| taint.cpp:882:6:882:19 
| StringCchCatNA | 3 | size_t | +| taint.cpp:882:6:882:19 | StringCchCatNA | 3 | unsigned long | +| taint.cpp:883:6:883:21 | StringCchCatNExA | 0 | char * | +| taint.cpp:883:6:883:21 | StringCchCatNExA | 1 | size_t | +| taint.cpp:883:6:883:21 | StringCchCatNExA | 1 | unsigned long | +| taint.cpp:883:6:883:21 | StringCchCatNExA | 2 | const char * | +| taint.cpp:883:6:883:21 | StringCchCatNExA | 3 | size_t | +| taint.cpp:883:6:883:21 | StringCchCatNExA | 3 | unsigned long | +| taint.cpp:883:6:883:21 | StringCchCatNExA | 4 | char ** | +| taint.cpp:883:6:883:21 | StringCchCatNExA | 5 | size_t * | +| taint.cpp:883:6:883:21 | StringCchCatNExA | 5 | unsigned long * | +| taint.cpp:883:6:883:21 | StringCchCatNExA | 6 | unsigned long | +| taint.cpp:884:6:884:21 | StringCchPrintfA | 0 | char * | +| taint.cpp:884:6:884:21 | StringCchPrintfA | 1 | size_t | +| taint.cpp:884:6:884:21 | StringCchPrintfA | 1 | unsigned long | +| taint.cpp:884:6:884:21 | StringCchPrintfA | 2 | const char * | +| taint.cpp:884:6:884:21 | StringCchPrintfA | 3 | ... | +| taint.cpp:885:6:885:21 | StringCchPrintfW | 0 | wchar_t * | +| taint.cpp:885:6:885:21 | StringCchPrintfW | 1 | size_t | +| taint.cpp:885:6:885:21 | StringCchPrintfW | 1 | unsigned long | +| taint.cpp:885:6:885:21 | StringCchPrintfW | 2 | const wchar_t * | +| taint.cpp:885:6:885:21 | StringCchPrintfW | 3 | ... | +| taint.cpp:886:6:886:20 | StringCbPrintfA | 0 | char * | +| taint.cpp:886:6:886:20 | StringCbPrintfA | 1 | size_t | +| taint.cpp:886:6:886:20 | StringCbPrintfA | 1 | unsigned long | +| taint.cpp:886:6:886:20 | StringCbPrintfA | 2 | const char * | +| taint.cpp:886:6:886:20 | StringCbPrintfA | 3 | ... 
| +| taint.cpp:887:6:887:23 | StringCchPrintfExA | 0 | char * | +| taint.cpp:887:6:887:23 | StringCchPrintfExA | 1 | size_t | +| taint.cpp:887:6:887:23 | StringCchPrintfExA | 1 | unsigned long | +| taint.cpp:887:6:887:23 | StringCchPrintfExA | 2 | char ** | +| taint.cpp:887:6:887:23 | StringCchPrintfExA | 3 | size_t * | +| taint.cpp:887:6:887:23 | StringCchPrintfExA | 3 | unsigned long * | +| taint.cpp:887:6:887:23 | StringCchPrintfExA | 4 | unsigned long | +| taint.cpp:887:6:887:23 | StringCchPrintfExA | 5 | const char * | +| taint.cpp:887:6:887:23 | StringCchPrintfExA | 6 | ... | +| taint.cpp:888:6:888:22 | StringCchVPrintfA | 0 | char * | +| taint.cpp:888:6:888:22 | StringCchVPrintfA | 1 | size_t | +| taint.cpp:888:6:888:22 | StringCchVPrintfA | 1 | unsigned long | +| taint.cpp:888:6:888:22 | StringCchVPrintfA | 2 | const char * | +| taint.cpp:888:6:888:22 | StringCchVPrintfA | 3 | va_list | +| taint.cpp:888:6:888:22 | StringCchVPrintfA | 3 | void * | +| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 0 | char * | +| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 1 | size_t | +| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 1 | unsigned long | +| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 2 | char ** | +| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 3 | size_t * | +| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 3 | unsigned long * | +| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 4 | unsigned long | +| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 5 | const char * | +| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 6 | va_list | +| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 6 | void * | | thread.cpp:4:6:4:9 | sink | 0 | int | | thread.cpp:6:8:6:8 | operator= | 0 | S && | | thread.cpp:6:8:6:8 | operator= | 0 | const S & | diff --git a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected index c3e46114edf..59b5f6214f3 100644 --- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected 
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected @@ -25796,9 +25796,9 @@ ir.cpp: # 2919| getExpr(): [FunctionCall] call to VariableTemplateFunc # 2919| Type = [DoubleType] double # 2919| ValueCategory = prvalue -# 2919| getArgument(0): [Literal] 2.299999999999999822 +# 2919| getArgument(0): [Literal] 2.3 # 2919| Type = [DoubleType] double -# 2919| Value = [Literal] 2.299999999999999822 +# 2919| Value = [Literal] 2.3 # 2919| ValueCategory = prvalue # 2919| getExpr().getFullyConverted(): [CStyleCast] (int)... # 2919| Conversion = [FloatingPointToIntegralConversion] floating point to integral conversion diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected b/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected index 66810913e5d..96035c16533 100644 --- a/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected +++ b/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected 
@@ -12954,21 +12954,21 @@ ir.cpp: # 1592| double StructuredBindingTupleRefGet::d # 1592| Block 0 -# 1592| v1592_1(void) = EnterFunction : -# 1592| m1592_2(unknown) = AliasedDefinition : -# 1592| m1592_3(unknown) = InitializeNonLocal : -# 1592| m1592_4(unknown) = Chi : total:m1592_2, partial:m1592_3 -# 1592| r1592_5(glval) = VariableAddress[#this] : -# 1592| m1592_6(glval) = InitializeParameter[#this] : &:r1592_5 -# 1592| r1592_7(glval) = Load[#this] : &:r1592_5, m1592_6 -# 1592| m1592_8(StructuredBindingTupleRefGet) = InitializeIndirection[#this] : &:r1592_7 -# 1592| r1592_9(glval) = FieldAddress[d] : r1592_7 -# 1592| r1592_10(double) = Constant[2.200000000000000178] : -# 1592| m1592_11(double) = Store[?] : &:r1592_9, r1592_10 -# 1592| m1592_12(unknown) = Chi : total:m1592_8, partial:m1592_11 -# 1592| v1592_13(void) = ReturnVoid : -# 1592| v1592_14(void) = AliasedUse : m1592_3 -# 1592| v1592_15(void) = ExitFunction : +# 1592| v1592_1(void) = EnterFunction : +# 1592| m1592_2(unknown) = AliasedDefinition : +# 1592| m1592_3(unknown) = InitializeNonLocal : +# 1592| m1592_4(unknown) = Chi : total:m1592_2, partial:m1592_3 +# 1592| r1592_5(glval) = VariableAddress[#this] : +# 1592| m1592_6(glval) = InitializeParameter[#this] : &:r1592_5 +# 1592| r1592_7(glval) = Load[#this] : &:r1592_5, m1592_6 +# 1592| m1592_8(StructuredBindingTupleRefGet) = InitializeIndirection[#this] : &:r1592_7 +# 1592| r1592_9(glval) = FieldAddress[d] : r1592_7 +# 1592| r1592_10(double) = Constant[2.2] : +# 1592| m1592_11(double) = Store[?] : &:r1592_9, r1592_10 +# 1592| m1592_12(unknown) = Chi : total:m1592_8, partial:m1592_11 +# 1592| v1592_13(void) = ReturnVoid : +# 1592| v1592_14(void) = AliasedUse : m1592_3 +# 1592| v1592_15(void) = ExitFunction : # 1593| int& StructuredBindingTupleRefGet::r # 1593| Block 0 
@@ -21761,7 +21761,7 @@ ir.cpp: # 2919| m2919_2(unknown) = AliasedDefinition : # 2919| r2919_3(glval) = VariableAddress[VariableTemplateFuncUse] : # 2919| r2919_4(glval) = FunctionAddress[VariableTemplateFunc] : -# 2919| r2919_5(double) = Constant[2.299999999999999822] : +# 2919| r2919_5(double) = Constant[2.3] : # 2919| r2919_6(double) = Call[VariableTemplateFunc] : func:r2919_4, 0:r2919_5 # 2919| m2919_7(unknown) = ^CallSideEffect : ~m2919_2 # 2919| m2919_8(unknown) = Chi : total:m2919_2, partial:m2919_7 diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected index 4e73b7d1aa6..05ab6c50d70 100644 --- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected +++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected 
@@ -11861,19 +11861,19 @@ ir.cpp: # 1592| double StructuredBindingTupleRefGet::d # 1592| Block 0 -# 1592| v1592_1(void) = EnterFunction : -# 1592| mu1592_2(unknown) = AliasedDefinition : -# 1592| mu1592_3(unknown) = InitializeNonLocal : -# 1592| r1592_4(glval) = VariableAddress[#this] : -# 1592| mu1592_5(glval) = InitializeParameter[#this] : &:r1592_4 -# 1592| r1592_6(glval) = Load[#this] : &:r1592_4, ~m? -# 1592| mu1592_7(StructuredBindingTupleRefGet) = InitializeIndirection[#this] : &:r1592_6 -# 1592| r1592_8(glval) = FieldAddress[d] : r1592_6 -# 1592| r1592_9(double) = Constant[2.200000000000000178] : -# 1592| mu1592_10(double) = Store[?] : &:r1592_8, r1592_9 -# 1592| v1592_11(void) = ReturnVoid : -# 1592| v1592_12(void) = AliasedUse : ~m? -# 1592| v1592_13(void) = ExitFunction : +# 1592| v1592_1(void) = EnterFunction : +# 1592| mu1592_2(unknown) = AliasedDefinition : +# 1592| mu1592_3(unknown) = InitializeNonLocal : +# 1592| r1592_4(glval) = VariableAddress[#this] : +# 1592| mu1592_5(glval) = InitializeParameter[#this] : &:r1592_4 +# 1592| r1592_6(glval) = Load[#this] : &:r1592_4, ~m? +# 1592| mu1592_7(StructuredBindingTupleRefGet) = InitializeIndirection[#this] : &:r1592_6 +# 1592| r1592_8(glval) = FieldAddress[d] : r1592_6 +# 1592| r1592_9(double) = Constant[2.2] : +# 1592| mu1592_10(double) = Store[?] : &:r1592_8, r1592_9 +# 1592| v1592_11(void) = ReturnVoid : +# 1592| v1592_12(void) = AliasedUse : ~m? +# 1592| v1592_13(void) = ExitFunction : # 1593| int& StructuredBindingTupleRefGet::r # 1593| Block 0 
@@ -19768,7 +19768,7 @@ ir.cpp: # 2919| mu2919_2(unknown) = AliasedDefinition : # 2919| r2919_3(glval) = VariableAddress[VariableTemplateFuncUse] : # 2919| r2919_4(glval) = FunctionAddress[VariableTemplateFunc] : -# 2919| r2919_5(double) = Constant[2.299999999999999822] : +# 2919| r2919_5(double) = Constant[2.3] : # 2919| r2919_6(double) = Call[VariableTemplateFunc] : func:r2919_4, 0:r2919_5 # 2919| mu2919_7(unknown) = ^CallSideEffect : ~m? # 2919| r2919_8(int) = Convert : r2919_6 diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected index b8424b8f01a..7d441d6293a 100644 --- a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected +++ b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected 
@@ -1293,12 +1293,12 @@ estimateNrOfBounds | test.c:415:26:415:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:415:30:415:30 | q | 1.0 | 1.0 | 1.0 | | test.c:415:30:415:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | -| test.c:415:34:415:43 | 0.4743882700000000008 | 1.0 | -1.0 | -1.0 | -| test.c:415:47:415:56 | 0.1433388700000000071 | 1.0 | -1.0 | -1.0 | -| test.c:415:60:415:69 | 0.3527920299999999787 | 1.0 | -1.0 | -1.0 | -| test.c:415:73:415:82 | 0.3920645799999999959 | 1.0 | -1.0 | -1.0 | -| test.c:415:86:415:95 | 0.2154022499999999896 | 1.0 | -1.0 | -1.0 | -| test.c:415:99:415:108 | 0.4049680500000000238 | 1.0 | -1.0 | -1.0 | +| test.c:415:34:415:43 | 0.47438827 | 1.0 | -1.0 | -1.0 | +| test.c:415:47:415:56 | 0.14333887 | 1.0 | -1.0 | -1.0 | +| test.c:415:60:415:69 | 0.35279203 | 1.0 | -1.0 | -1.0 | +| test.c:415:73:415:82 | 0.39206458 | 1.0 | -1.0 | -1.0 | +| test.c:415:86:415:95 | 0.21540225 | 1.0 | -1.0 | -1.0 | +| test.c:415:99:415:108 | 0.40496805 | 1.0 | -1.0 | -1.0 | | test.c:416:14:416:14 | m | 2.0 | 1.0 | 1.0 | | test.c:416:14:416:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:416:18:416:18 | n | 3.0 | 1.0 | 1.0 | 
@@ -1309,12 +1309,12 @@ estimateNrOfBounds | test.c:416:26:416:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:416:30:416:30 | q | 3.0 | 1.0 | 1.0 | | test.c:416:30:416:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | -| test.c:416:34:416:43 | 0.3418334800000000229 | 1.0 | -1.0 | -1.0 | -| test.c:416:47:416:56 | 0.3533464000000000049 | 1.0 | -1.0 | -1.0 | -| test.c:416:60:416:69 | 0.2224785300000000077 | 1.0 | -1.0 | -1.0 | -| test.c:416:73:416:82 | 0.326618929999999974 | 1.0 | -1.0 | -1.0 | -| test.c:416:86:416:95 | 0.5927046500000000551 | 1.0 | -1.0 | -1.0 | -| test.c:416:99:416:108 | 0.5297741000000000255 | 1.0 | -1.0 | -1.0 | +| test.c:416:34:416:43 | 0.34183348 | 1.0 | -1.0 | -1.0 | +| test.c:416:47:416:56 | 0.3533464 | 1.0 | -1.0 | -1.0 | +| test.c:416:60:416:69 | 0.22247853 | 1.0 | -1.0 | -1.0 | +| test.c:416:73:416:82 | 0.32661893 | 1.0 | -1.0 | -1.0 | +| test.c:416:86:416:95 | 0.59270465 | 1.0 | -1.0 | -1.0 | +| test.c:416:99:416:108 | 0.5297741 | 1.0 | -1.0 | -1.0 | | test.c:417:14:417:14 | m | 3.5 | 1.0 | 1.0 | | test.c:417:14:417:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:417:18:417:18 | n | 8.0 | 1.0 | 1.0 | 
@@ -1325,12 +1325,12 @@ estimateNrOfBounds | test.c:417:26:417:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:417:30:417:30 | q | 8.0 | 1.0 | 1.0 | | test.c:417:30:417:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | -| test.c:417:34:417:43 | 0.774296030000000024 | 1.0 | -1.0 | -1.0 | -| test.c:417:47:417:56 | 0.3147808400000000062 | 1.0 | -1.0 | -1.0 | -| test.c:417:60:417:69 | 0.3123551399999999756 | 1.0 | -1.0 | -1.0 | -| test.c:417:73:417:82 | 0.05121255999999999725 | 1.0 | -1.0 | -1.0 | -| test.c:417:86:417:95 | 0.7931074500000000471 | 1.0 | -1.0 | -1.0 | -| test.c:417:99:417:108 | 0.6798145100000000385 | 1.0 | -1.0 | -1.0 | +| test.c:417:34:417:43 | 0.77429603 | 1.0 | -1.0 | -1.0 | +| test.c:417:47:417:56 | 0.31478084 | 1.0 | -1.0 | -1.0 | +| test.c:417:60:417:69 | 0.31235514 | 1.0 | -1.0 | -1.0 | +| test.c:417:73:417:82 | 0.05121256 | 1.0 | -1.0 | -1.0 | +| test.c:417:86:417:95 | 0.79310745 | 1.0 | -1.0 | -1.0 | +| test.c:417:99:417:108 | 0.67981451 | 1.0 | -1.0 | -1.0 | | test.c:418:14:418:14 | m | 5.75 | 1.0 | 1.0 | | test.c:418:14:418:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:418:18:418:18 | n | 20.5 | 1.0 | 1.0 | 
@@ -1341,12 +1341,12 @@ estimateNrOfBounds | test.c:418:26:418:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:418:30:418:30 | q | 20.5 | 1.0 | 1.0 | | test.c:418:30:418:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | -| test.c:418:34:418:43 | 0.4472955599999999809 | 1.0 | -1.0 | -1.0 | -| test.c:418:47:418:56 | 0.8059920200000000312 | 1.0 | -1.0 | -1.0 | -| test.c:418:60:418:69 | 0.9899726199999999698 | 1.0 | -1.0 | -1.0 | -| test.c:418:73:418:82 | 0.5995273199999999747 | 1.0 | -1.0 | -1.0 | -| test.c:418:86:418:95 | 0.3697694799999999837 | 1.0 | -1.0 | -1.0 | -| test.c:418:99:418:108 | 0.8386683499999999514 | 1.0 | -1.0 | -1.0 | +| test.c:418:34:418:43 | 0.44729556 | 1.0 | -1.0 | -1.0 | +| test.c:418:47:418:56 | 0.80599202 | 1.0 | -1.0 | -1.0 | +| test.c:418:60:418:69 | 0.98997262 | 1.0 | -1.0 | -1.0 | +| test.c:418:73:418:82 | 0.59952732 | 1.0 | -1.0 | -1.0 | +| test.c:418:86:418:95 | 0.36976948 | 1.0 | -1.0 | -1.0 | +| test.c:418:99:418:108 | 0.83866835 | 1.0 | -1.0 | -1.0 | | test.c:419:14:419:14 | m | 9.125 | 1.0 | 1.0 | | test.c:419:14:419:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:419:18:419:18 | n | 51.75 | 1.0 | 1.0 | 
@@ -1357,12 +1357,12 @@ estimateNrOfBounds | test.c:419:26:419:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:419:30:419:30 | q | 51.75 | 1.0 | 1.0 | | test.c:419:30:419:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | -| test.c:419:34:419:43 | 0.4931182800000000199 | 1.0 | -1.0 | -1.0 | -| test.c:419:47:419:56 | 0.9038991100000000056 | 1.0 | -1.0 | -1.0 | -| test.c:419:60:419:69 | 0.1059771199999999941 | 1.0 | -1.0 | -1.0 | -| test.c:419:73:419:82 | 0.2177842600000000073 | 1.0 | -1.0 | -1.0 | -| test.c:419:86:419:95 | 0.7248596600000000167 | 1.0 | -1.0 | -1.0 | -| test.c:419:99:419:108 | 0.6873487400000000136 | 1.0 | -1.0 | -1.0 | +| test.c:419:34:419:43 | 0.49311828 | 1.0 | -1.0 | -1.0 | +| test.c:419:47:419:56 | 0.90389911 | 1.0 | -1.0 | -1.0 | +| test.c:419:60:419:69 | 0.10597712 | 1.0 | -1.0 | -1.0 | +| test.c:419:73:419:82 | 0.21778426 | 1.0 | -1.0 | -1.0 | +| test.c:419:86:419:95 | 0.72485966 | 1.0 | -1.0 | -1.0 | +| test.c:419:99:419:108 | 0.68734874 | 1.0 | -1.0 | -1.0 | | test.c:420:14:420:14 | m | 14.1875 | 1.0 | 1.0 | | test.c:420:14:420:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:420:18:420:18 | n | 129.875 | 1.0 | 1.0 | 
@@ -1373,12 +1373,12 @@ estimateNrOfBounds | test.c:420:26:420:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:420:30:420:30 | q | 129.875 | 1.0 | 1.0 | | test.c:420:30:420:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | -| test.c:420:34:420:43 | 0.4745284799999999747 | 1.0 | -1.0 | -1.0 | -| test.c:420:47:420:56 | 0.107866500000000004 | 1.0 | -1.0 | -1.0 | -| test.c:420:60:420:69 | 0.1188457599999999947 | 1.0 | -1.0 | -1.0 | -| test.c:420:73:420:82 | 0.7616405200000000431 | 1.0 | -1.0 | -1.0 | -| test.c:420:86:420:95 | 0.3480889200000000239 | 1.0 | -1.0 | -1.0 | -| test.c:420:99:420:108 | 0.584408649999999974 | 1.0 | -1.0 | -1.0 | +| test.c:420:34:420:43 | 0.47452848 | 1.0 | -1.0 | -1.0 | +| test.c:420:47:420:56 | 0.1078665 | 1.0 | -1.0 | -1.0 | +| test.c:420:60:420:69 | 0.11884576 | 1.0 | -1.0 | -1.0 | +| test.c:420:73:420:82 | 0.76164052 | 1.0 | -1.0 | -1.0 | +| test.c:420:86:420:95 | 0.34808892 | 1.0 | -1.0 | -1.0 | +| test.c:420:99:420:108 | 0.58440865 | 1.0 | -1.0 | -1.0 | | test.c:421:14:421:14 | m | 21.78125 | 1.0 | 1.0 | | test.c:421:14:421:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:421:18:421:18 | n | 325.1875 | 1.0 | 1.0 | 
@@ -1390,11 +1390,11 @@ estimateNrOfBounds | test.c:421:30:421:30 | q | 325.1875 | 1.0 | 1.0 | | test.c:421:30:421:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:421:34:421:43 | 0.02524326 | 1.0 | -1.0 | -1.0 | -| test.c:421:47:421:56 | 0.8290504600000000446 | 1.0 | -1.0 | -1.0 | -| test.c:421:60:421:69 | 0.95823075000000002 | 1.0 | -1.0 | -1.0 | -| test.c:421:73:421:82 | 0.1251655799999999985 | 1.0 | -1.0 | -1.0 | -| test.c:421:86:421:95 | 0.8523517900000000536 | 1.0 | -1.0 | -1.0 | -| test.c:421:99:421:108 | 0.3623238400000000081 | 1.0 | -1.0 | -1.0 | +| test.c:421:47:421:56 | 0.82905046 | 1.0 | -1.0 | -1.0 | +| test.c:421:60:421:69 | 0.95823075 | 1.0 | -1.0 | -1.0 | +| test.c:421:73:421:82 | 0.12516558 | 1.0 | -1.0 | -1.0 | +| test.c:421:86:421:95 | 0.85235179 | 1.0 | -1.0 | -1.0 | +| test.c:421:99:421:108 | 0.36232384 | 1.0 | -1.0 | -1.0 | | test.c:422:14:422:14 | m | 33.171875 | 1.0 | 1.0 | | test.c:422:14:422:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:422:18:422:18 | n | 813.46875 | 1.0 | 1.0 | 
@@ -1405,12 +1405,12 @@ estimateNrOfBounds | test.c:422:26:422:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:422:30:422:30 | q | 813.46875 | 1.0 | 1.0 | | test.c:422:30:422:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | -| test.c:422:34:422:43 | 0.3870862600000000153 | 1.0 | -1.0 | -1.0 | -| test.c:422:47:422:56 | 0.3287604399999999871 | 1.0 | -1.0 | -1.0 | -| test.c:422:60:422:69 | 0.1496348500000000137 | 1.0 | -1.0 | -1.0 | -| test.c:422:73:422:82 | 0.4504110800000000192 | 1.0 | -1.0 | -1.0 | -| test.c:422:86:422:95 | 0.4864090899999999884 | 1.0 | -1.0 | -1.0 | -| test.c:422:99:422:108 | 0.8433127200000000157 | 1.0 | -1.0 | -1.0 | +| test.c:422:34:422:43 | 0.38708626 | 1.0 | -1.0 | -1.0 | +| test.c:422:47:422:56 | 0.32876044 | 1.0 | -1.0 | -1.0 | +| test.c:422:60:422:69 | 0.14963485 | 1.0 | -1.0 | -1.0 | +| test.c:422:73:422:82 | 0.45041108 | 1.0 | -1.0 | -1.0 | +| test.c:422:86:422:95 | 0.48640909 | 1.0 | -1.0 | -1.0 | +| test.c:422:99:422:108 | 0.84331272 | 1.0 | -1.0 | -1.0 | | test.c:423:14:423:14 | m | 50.2578125 | 1.0 | 1.0 | | test.c:423:14:423:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:423:18:423:18 | n | 2034.171875 | 1.0 | 1.0 | 
@@ -1421,12 +1421,12 @@ estimateNrOfBounds | test.c:423:26:423:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:423:30:423:30 | q | 2034.171875 | 1.0 | 1.0 | | test.c:423:30:423:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | -| test.c:423:34:423:43 | 0.1575506299999999971 | 1.0 | -1.0 | -1.0 | -| test.c:423:47:423:56 | 0.7708683299999999905 | 1.0 | -1.0 | -1.0 | -| test.c:423:60:423:69 | 0.2642848099999999811 | 1.0 | -1.0 | -1.0 | -| test.c:423:73:423:82 | 0.1480050800000000111 | 1.0 | -1.0 | -1.0 | -| test.c:423:86:423:95 | 0.374281430000000026 | 1.0 | -1.0 | -1.0 | -| test.c:423:99:423:108 | 0.05328182000000000057 | 1.0 | -1.0 | -1.0 | +| test.c:423:34:423:43 | 0.15755063 | 1.0 | -1.0 | -1.0 | +| test.c:423:47:423:56 | 0.77086833 | 1.0 | -1.0 | -1.0 | +| test.c:423:60:423:69 | 0.26428481 | 1.0 | -1.0 | -1.0 | +| test.c:423:73:423:82 | 0.14800508 | 1.0 | -1.0 | -1.0 | +| test.c:423:86:423:95 | 0.37428143 | 1.0 | -1.0 | -1.0 | +| test.c:423:99:423:108 | 0.05328182 | 1.0 | -1.0 | -1.0 | | test.c:424:14:424:14 | m | 75.88671875 | 1.0 | 1.0 | | test.c:424:14:424:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:424:18:424:18 | n | 5085.9296875 | 1.0 | 1.0 | 
@@ -1437,12 +1437,12 @@ estimateNrOfBounds | test.c:424:26:424:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:424:30:424:30 | q | 5085.9296875 | 1.0 | 1.0 | | test.c:424:30:424:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | -| test.c:424:34:424:43 | 0.4173653600000000186 | 1.0 | -1.0 | -1.0 | -| test.c:424:47:424:56 | 0.7682662799999999681 | 1.0 | -1.0 | -1.0 | -| test.c:424:60:424:69 | 0.2764323799999999776 | 1.0 | -1.0 | -1.0 | -| test.c:424:73:424:82 | 0.5567927400000000082 | 1.0 | -1.0 | -1.0 | -| test.c:424:86:424:95 | 0.3946885700000000163 | 1.0 | -1.0 | -1.0 | -| test.c:424:99:424:108 | 0.6907214400000000198 | 1.0 | -1.0 | -1.0 | +| test.c:424:34:424:43 | 0.41736536 | 1.0 | -1.0 | -1.0 | +| test.c:424:47:424:56 | 0.76826628 | 1.0 | -1.0 | -1.0 | +| test.c:424:60:424:69 | 0.27643238 | 1.0 | -1.0 | -1.0 | +| test.c:424:73:424:82 | 0.55679274 | 1.0 | -1.0 | -1.0 | +| test.c:424:86:424:95 | 0.39468857 | 1.0 | -1.0 | -1.0 | +| test.c:424:99:424:108 | 0.69072144 | 1.0 | -1.0 | -1.0 | | test.c:425:14:425:14 | m | 114.330078125 | 1.0 | 1.0 | | test.c:425:14:425:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:425:18:425:18 | n | 12715.32421875 | 1.0 | 1.0 | 
@@ -1453,12 +1453,12 @@ estimateNrOfBounds | test.c:425:26:425:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:425:30:425:30 | q | 12715.32421875 | 1.0 | 1.0 | | test.c:425:30:425:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | -| test.c:425:34:425:43 | 0.8895534499999999678 | 1.0 | -1.0 | -1.0 | -| test.c:425:47:425:56 | 0.2990482400000000207 | 1.0 | -1.0 | -1.0 | -| test.c:425:60:425:69 | 0.7624258299999999711 | 1.0 | -1.0 | -1.0 | -| test.c:425:73:425:82 | 0.2051910999999999874 | 1.0 | -1.0 | -1.0 | -| test.c:425:86:425:95 | 0.8874555899999999609 | 1.0 | -1.0 | -1.0 | -| test.c:425:99:425:108 | 0.8137279800000000174 | 1.0 | -1.0 | -1.0 | +| test.c:425:34:425:43 | 0.88955345 | 1.0 | -1.0 | -1.0 | +| test.c:425:47:425:56 | 0.29904824 | 1.0 | -1.0 | -1.0 | +| test.c:425:60:425:69 | 0.76242583 | 1.0 | -1.0 | -1.0 | +| test.c:425:73:425:82 | 0.2051911 | 1.0 | -1.0 | -1.0 | +| test.c:425:86:425:95 | 0.88745559 | 1.0 | -1.0 | -1.0 | +| test.c:425:99:425:108 | 0.81372798 | 1.0 | -1.0 | -1.0 | | test.c:426:14:426:14 | m | 171.9951171875 | 1.0 | 1.0 | | test.c:426:14:426:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:426:18:426:18 | n | 31788.810546875 | 1.0 | 1.0 | 
@@ -1469,12 +1469,12 @@ estimateNrOfBounds | test.c:426:26:426:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | | test.c:426:30:426:30 | q | 31788.810546875 | 1.0 | 1.0 | | test.c:426:30:426:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 | -| test.c:426:34:426:43 | 0.4218627600000000033 | 1.0 | -1.0 | -1.0 | -| test.c:426:47:426:56 | 0.5384335799999999672 | 1.0 | -1.0 | -1.0 | -| test.c:426:60:426:69 | 0.4499667900000000054 | 1.0 | -1.0 | -1.0 | -| test.c:426:73:426:82 | 0.1320411400000000013 | 1.0 | -1.0 | -1.0 | -| test.c:426:86:426:95 | 0.5203124099999999475 | 1.0 | -1.0 | -1.0 | -| test.c:426:99:426:108 | 0.4276264699999999808 | 1.0 | -1.0 | -1.0 | +| test.c:426:34:426:43 | 0.42186276 | 1.0 | -1.0 | -1.0 | +| test.c:426:47:426:56 | 0.53843358 | 1.0 | -1.0 | -1.0 | +| test.c:426:60:426:69 | 0.44996679 | 1.0 | -1.0 | -1.0 | +| test.c:426:73:426:82 | 0.13204114 | 1.0 | -1.0 | -1.0 | +| test.c:426:86:426:95 | 0.52031241 | 1.0 | -1.0 | -1.0 | +| test.c:426:99:426:108 | 0.42762647 | 1.0 | -1.0 | -1.0 | | test.c:432:19:432:19 | a | 1.0 | 1.0 | 1.0 | | test.c:432:19:432:23 | ... + ... | 1.0 | 1.0 | 1.0 | | test.c:432:19:432:27 | ... + ... | 1.0 | 1.0 | 1.0 | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected index 9424c731765..63851030bba 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected 
@@ -11,8 +11,13 @@ edges | nested.cpp:86:19:86:46 | *call to __builtin_alloca | nested.cpp:87:18:87:20 | *fmt | provenance | | | test.cpp:46:27:46:30 | **argv | test.cpp:130:20:130:26 | *access to array | provenance | | | test.cpp:167:31:167:34 | *data | test.cpp:170:12:170:14 | *res | provenance | DataFlowFunction | +| test.cpp:179:6:179:21 | [summary param] *2 in StringCchPrintfW | test.cpp:179:6:179:21 | [summary param] *0 in StringCchPrintfW [Return] | provenance | MaD:403 | +| test.cpp:193:32:193:34 | *str | test.cpp:195:31:195:33 | *str | provenance | | | test.cpp:193:32:193:34 | *str | test.cpp:195:31:195:33 | *str | provenance | | | test.cpp:193:32:193:34 | *str | test.cpp:197:11:197:14 | *wstr | provenance | TaintFunction | +| test.cpp:195:20:195:23 | StringCchPrintfW output argument | test.cpp:197:11:197:14 | *wstr | provenance | | +| test.cpp:195:31:195:33 | *str | test.cpp:179:6:179:21 | [summary param] *2 in StringCchPrintfW | provenance | | +| test.cpp:195:31:195:33 | *str | test.cpp:195:20:195:23 | StringCchPrintfW output argument | provenance | MaD:403 | | test.cpp:204:25:204:36 | *call to get_string | test.cpp:204:25:204:36 | *call to get_string | provenance | | | test.cpp:204:25:204:36 | *call to get_string | test.cpp:205:12:205:20 | *... + ... | provenance | | | test.cpp:204:25:204:36 | *call to get_string | test.cpp:206:12:206:16 | *hello | provenance | | 
@@ -55,7 +60,11 @@ nodes | test.cpp:130:20:130:26 | *access to array | semmle.label | *access to array | | test.cpp:167:31:167:34 | *data | semmle.label | *data | | test.cpp:170:12:170:14 | *res | semmle.label | *res | +| test.cpp:179:6:179:21 | [summary param] *0 in StringCchPrintfW [Return] | semmle.label | [summary param] *0 in StringCchPrintfW [Return] | +| test.cpp:179:6:179:21 | [summary param] *2 in StringCchPrintfW | semmle.label | [summary param] *2 in StringCchPrintfW | | test.cpp:193:32:193:34 | *str | semmle.label | *str | +| test.cpp:195:20:195:23 | StringCchPrintfW output argument | semmle.label | StringCchPrintfW output argument | +| test.cpp:195:31:195:33 | *str | semmle.label | *str | | test.cpp:195:31:195:33 | *str | semmle.label | *str | | test.cpp:197:11:197:14 | *wstr | semmle.label | *wstr | | test.cpp:204:25:204:36 | *call to get_string | semmle.label | *call to get_string | 
@@ -88,6 +97,7 @@ nodes | test.cpp:245:25:245:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:247:12:247:16 | *hello | semmle.label | *hello | subpaths +| test.cpp:195:31:195:33 | *str | test.cpp:179:6:179:21 | [summary param] *2 in StringCchPrintfW | test.cpp:179:6:179:21 | [summary param] *0 in StringCchPrintfW [Return] | test.cpp:195:20:195:23 | StringCchPrintfW output argument | #select | NonConstantFormat.c:30:10:30:16 | *access to array | NonConstantFormat.c:28:27:28:30 | **argv | NonConstantFormat.c:30:10:30:16 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:30:3:30:8 | call to printf | printf | | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:41:2:41:7 | call to printf | printf | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.expected index d067430aba9..162161e369b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.expected 
@@ -2,10 +2,10 @@ | test.c:33:3:33:19 | call to not_yet_declared2 | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:77:6:77:22 | not_yet_declared2 | not_yet_declared2 | test.c:33:21:33:22 | ca | ca | file://:0:0:0:0 | int[4] | int[4] | test.c:77:24:77:26 | (unnamed parameter 0) | int (unnamed parameter 0) | | test.c:41:3:41:29 | call to declared_empty_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:78:6:78:32 | declared_empty_defined_with | declared_empty_defined_with | test.c:41:31:41:32 | & ... | & ... | file://:0:0:0:0 | int * | int * | test.c:78:38:78:38 | x | int x | | test.c:45:3:45:27 | call to not_declared_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:81:6:81:30 | not_declared_defined_with | not_declared_defined_with | test.c:45:29:45:31 | 4 | 4 | file://:0:0:0:0 | long long | long long | test.c:81:36:81:36 | x | int x | -| test.c:45:3:45:27 | call to not_declared_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:81:6:81:30 | not_declared_defined_with | not_declared_defined_with | test.c:45:37:45:42 | 2500000000.0 | 2500000000.0 | file://:0:0:0:0 | float | float | test.c:81:50:81:50 | z | int z | -| test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:5:6:5:27 | declared_with_pointers | declared_with_pointers | test.c:48:26:48:31 | 3500000000000000.0 | 3500000000000000.0 | file://:0:0:0:0 | double | double | test.c:93:34:93:34 | x | int * x | +| test.c:45:3:45:27 | call to not_declared_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. 
| test.c:81:6:81:30 | not_declared_defined_with | not_declared_defined_with | test.c:45:37:45:42 | 2.5E9 | 2.5E9 | file://:0:0:0:0 | float | float | test.c:81:50:81:50 | z | int z | +| test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:5:6:5:27 | declared_with_pointers | declared_with_pointers | test.c:48:26:48:31 | 3.5E15 | 3.5E15 | file://:0:0:0:0 | double | double | test.c:93:34:93:34 | x | int * x | | test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:5:6:5:27 | declared_with_pointers | declared_with_pointers | test.c:48:34:48:34 | 0 | 0 | file://:0:0:0:0 | int | int | test.c:93:43:93:43 | y | void * y | -| test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:93:6:93:27 | declared_with_pointers | declared_with_pointers | test.c:48:26:48:31 | 3500000000000000.0 | 3500000000000000.0 | file://:0:0:0:0 | double | double | test.c:93:34:93:34 | x | int * x | +| test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:93:6:93:27 | declared_with_pointers | declared_with_pointers | test.c:48:26:48:31 | 3.5E15 | 3.5E15 | file://:0:0:0:0 | double | double | test.c:93:34:93:34 | x | int * x | | test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:93:6:93:27 | declared_with_pointers | declared_with_pointers | test.c:48:34:48:34 | 0 | 0 | file://:0:0:0:0 | int | int | test.c:93:43:93:43 | y | void * y | | test.c:50:3:50:21 | call to declared_with_array | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:6:6:6:24 | declared_with_array | declared_with_array | test.c:50:23:50:24 | & ... | & ... 
| file://:0:0:0:0 | int * | int * | test.c:94:31:94:31 | a | char[6] a | | test.c:50:3:50:21 | call to declared_with_array | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:94:6:94:24 | declared_with_array | declared_with_array | test.c:50:23:50:24 | & ... | & ... | file://:0:0:0:0 | int * | int * | test.c:94:31:94:31 | a | char[6] a | @@ -15,4 +15,4 @@ | test.c:58:3:58:24 | call to defined_with_long_long | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:104:11:104:32 | defined_with_long_long | defined_with_long_long | test.c:58:26:58:28 | 99 | 99 | file://:0:0:0:0 | int | int | test.c:104:44:104:45 | ll | long long ll | | test.c:59:3:59:24 | call to defined_with_long_long | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:104:11:104:32 | defined_with_long_long | defined_with_long_long | test.c:59:26:59:26 | 3 | 3 | file://:0:0:0:0 | int | int | test.c:104:44:104:45 | ll | long long ll | | test.c:61:3:61:21 | call to defined_with_double | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:100:8:100:26 | defined_with_double | defined_with_double | test.c:61:23:61:25 | 2 | 2 | file://:0:0:0:0 | long long | long long | test.c:100:35:100:35 | d | double d | -| test.c:62:3:62:24 | call to defined_with_long_long | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:104:11:104:32 | defined_with_long_long | defined_with_long_long | test.c:62:26:62:31 | 3500000000000000.0 | 3500000000000000.0 | file://:0:0:0:0 | double | double | test.c:104:44:104:45 | ll | long long ll | +| test.c:62:3:62:24 | call to defined_with_long_long | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:104:11:104:32 | defined_with_long_long | defined_with_long_long | test.c:62:26:62:31 | 3.5E15 | 3.5E15 | file://:0:0:0:0 | double | double | test.c:104:44:104:45 | ll | long long ll | 
diff --git a/go/ql/lib/semmle/go/Decls.qll b/go/ql/lib/semmle/go/Decls.qll index 7588ab913be..f42058cd3e8 100644 --- a/go/ql/lib/semmle/go/Decls.qll +++ b/go/ql/lib/semmle/go/Decls.qll @@ -1,7 +1,7 @@ /** * Provides classes for working with declarations. */ -overlay[local] +overlay[local?] module; import go @@ -137,6 +137,7 @@ class FuncDef extends @funcdef, StmtParent, ExprParent { /** * Gets a call to this function. */ + overlay[global] DataFlow::CallNode getACall() { result.getACallee() = this } /** Holds if this function is variadic. */ diff --git a/go/ql/lib/semmle/go/Scopes.qll b/go/ql/lib/semmle/go/Scopes.qll index 4e9a13c8ea1..9f18290fb01 100644 --- a/go/ql/lib/semmle/go/Scopes.qll +++ b/go/ql/lib/semmle/go/Scopes.qll @@ -1,7 +1,7 @@ /** * Provides classes for working with scopes and declared objects. */ -overlay[local] +overlay[local?] module; import go @@ -418,6 +418,7 @@ class Function extends ValueEntity, @functionobject { * This includes calls that target this function indirectly, by calling an * interface method that this function implements. */ + overlay[global] pragma[nomagic] DataFlow::CallNode getACall() { this = result.getACalleeIncludingExternals().asFunction() } diff --git a/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll b/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll index 88a659f6f82..3547e70b858 100644 --- a/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll +++ b/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll 
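Review bot: The `overlay[global]` annotation added to `FuncDef.getACall` in Decls.qll carries no comment, and the same applies to `Function.getACall` in Scopes.qll and to `getACalleeIncludingExternals` / `getACallee` in DataFlowNodes.qll further down; with the modules relaxed from `overlay[local]` to `overlay[local?]`, a reader now has to work out why exactly these predicates are excluded from local overlay evaluation. The enclosing classes (`FuncDef`, `Function`) start outside these hunks. Presumably the reason is that call resolution depends on definitions in other files, so a per-file overlay cannot recompute it soundly — if so, a short comment next to the annotation would make that explicit, e.g. `// Call resolution depends on definitions outside the current file, so this cannot be evaluated locally in an overlay.`, and the Decls.qll predicate's existing QLDoc `Gets a call to this function.` could state the same restriction.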
@@ -127,16 +127,19 @@ private predicate sideEffectCfg(ControlFlow::Node src, ControlFlow::Node dst) { /** * Holds if `dominator` is the immediate dominator of `node` in - * the side-effect CFG. + * the side-effect CFG belonging to `entry`. */ -private predicate iDomEffect(ControlFlow::Node dominator, ControlFlow::Node node) = - idominance(entryNode/1, sideEffectCfg/2)(_, dominator, node) +private predicate iDomEffect( + ControlFlow::Node entry, ControlFlow::Node dominator, ControlFlow::Node node +) = idominance(entryNode/1, sideEffectCfg/2)(entry, dominator, node) /** * Gets the most recent side effect. To be more precise, `result` is a * dominator of `node` and no side-effects can occur between `result` and * `node`. * + * `entry` is the entry node for the function containing `node` and `result`. + * * `sideEffectCFG` has an edge from the function entry to every node with a * side-effect. This means that every node with a side-effect has the * function entry as its immediate dominator. So if node `x` dominates node 
@@ -180,16 +183,26 @@ private predicate iDomEffect(ControlFlow::Node dominator, ControlFlow::Node node * * The immediate dominator path to line 015 is 000 - 009 - 012 - 015. * Therefore, the most recent side effect for line 015 is line 009. + * (Note that line 009 is not a side-effect itself. Instead, it is the + * point where the control flow paths from the side-effects at 004 and 007 + * merge. Because its immediate dominator is the entry node 000, it serves + * as the safe root for expressions evaluated after those side-effects.) */ -cached -private ControlFlow::Node mostRecentSideEffect(ControlFlow::Node node) { - exists(ControlFlow::Node entry | - entryNode(entry) and - iDomEffect(entry, result) and - iDomEffect*(result, node) +private ControlFlow::Node mostRecentSideEffect(ControlFlow::Node entry, ControlFlow::Node node) { + iDomEffect(entry, entry, result) and + result = node + or + exists(ControlFlow::Node mid | + result = mostRecentSideEffect(entry, mid) and + iDomEffect(entry, mid, node) ) } +cached +private ControlFlow::Node mostRecentSideEffectUnique(ControlFlow::Node node) { + result = unique( | | mostRecentSideEffect(_, node)) +} + /** Used to represent the "global value number" of an expression. */ cached private newtype GvnBase = @@ -369,10 +382,12 @@ private predicate mkMethodAccess(DataFlow::Node access, GVN qualifier, Method m) ) } -private predicate analyzableFieldRead(Read fread, DataFlow::Node base, Field f) { +private predicate analyzableFieldRead( + Read fread, DataFlow::Node base, Field f, ControlFlow::Node dominator +) { exists(IR::ReadInstruction r | r = fread.asInstruction() | r.readsField(base.asInstruction(), f) and - strictcount(mostRecentSideEffect(r)) = 1 and + dominator = mostRecentSideEffectUnique(r) and not r.isConst() ) } 
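Review bot: `mostRecentSideEffectUnique` is introduced without a QLDoc comment, while every other predicate in this hunk has one; the `strictcount(...) = 1` guard it replaces was self-explanatory inline at the call sites (the `analyzableFieldRead` hunk below and the `analyzableOtherVariable`, `analyzableIndexExpr` and `analyzablePointerDereferenceExpr` hunks further down), but the reason uniqueness is required is now hidden behind the name. Suggest `/** Gets the most recent side effect of node, if there is exactly one; nodes with zero or several candidates have no result. */`. The base case of the new recursive `mostRecentSideEffect`, `iDomEffect(entry, entry, result) and result = node`, also deserves a one-line comment, since it reads as a dominance fact rather than as "a node whose immediate dominator is the function entry is its own root", e.g. `// node is immediately dominated by the function entry, so it is its own most recent side effect.`. Note that the `cached` annotation now sits on the unique wrapper only; if the recursive predicate is intended to be uncached that is fine, but it is worth stating in the QLDoc so nobody re-adds it.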
@@ -381,9 +396,8 @@ private predicate mkFieldRead( DataFlow::Node fread, GVN qualifier, Field v, ControlFlow::Node dominator ) { exists(DataFlow::Node base | - analyzableFieldRead(fread, base, v) and - qualifier = globalValueNumber(base) and - dominator = mostRecentSideEffect(fread.asInstruction()) + analyzableFieldRead(fread, base, v, dominator) and + qualifier = globalValueNumber(base) ) } @@ -421,18 +435,17 @@ private predicate incompleteSsa(ValueEntity v) { /** * Holds if `access` is an access to a variable `target` for which SSA information is incomplete. */ -private predicate analyzableOtherVariable(DataFlow::Node access, ValueEntity target) { +private predicate analyzableOtherVariable( + DataFlow::Node access, ValueEntity target, ControlFlow::Node dominator +) { access.asInstruction().reads(target) and incompleteSsa(target) and - strictcount(mostRecentSideEffect(access.asInstruction())) = 1 and + dominator = mostRecentSideEffectUnique(access.asInstruction()) and not access.isConst() and not target instanceof Function } -private predicate mkOtherVariable(DataFlow::Node access, ValueEntity x, ControlFlow::Node dominator) { - analyzableOtherVariable(access, x) and - dominator = mostRecentSideEffect(access.asInstruction()) -} +private predicate mkOtherVariable = analyzableOtherVariable/3; private predicate analyzableBinaryOp( DataFlow::BinaryOperationNode op, string opname, DataFlow::Node lhs, DataFlow::Node rhs 
@@ -463,29 +476,29 @@ private predicate mkUnaryOp(DataFlow::UnaryOperationNode op, GVN child, string o opname = op.getOperator() } -private predicate analyzableIndexExpr(DataFlow::ElementReadNode ae) { - strictcount(mostRecentSideEffect(ae.asInstruction())) = 1 and +private predicate analyzableIndexExpr(DataFlow::ElementReadNode ae, ControlFlow::Node dominator) { + dominator = mostRecentSideEffectUnique(ae.asInstruction()) and not ae.isConst() } private predicate mkIndex( DataFlow::ElementReadNode ae, GVN base, GVN offset, ControlFlow::Node dominator ) { - analyzableIndexExpr(ae) and + analyzableIndexExpr(ae, dominator) and base = globalValueNumber(ae.getBase()) and - offset = globalValueNumber(ae.getIndex()) and - dominator = mostRecentSideEffect(ae.asInstruction()) + offset = globalValueNumber(ae.getIndex()) } -private predicate analyzablePointerDereferenceExpr(DataFlow::PointerDereferenceNode deref) { - strictcount(mostRecentSideEffect(deref.asInstruction())) = 1 and +private predicate analyzablePointerDereferenceExpr( + DataFlow::PointerDereferenceNode deref, ControlFlow::Node dominator +) { + dominator = mostRecentSideEffectUnique(deref.asInstruction()) and not deref.isConst() } private predicate mkDeref(DataFlow::PointerDereferenceNode deref, GVN p, ControlFlow::Node dominator) { - analyzablePointerDereferenceExpr(deref) and - p = globalValueNumber(deref.getOperand()) and - dominator = mostRecentSideEffect(deref.asInstruction()) + analyzablePointerDereferenceExpr(deref, dominator) and + p = globalValueNumber(deref.getOperand()) } private predicate ssaInit(SsaExplicitDefinition ssa, DataFlow::Node rhs) { 
@@ -587,12 +600,12 @@ private predicate analyzableExpr(DataFlow::Node e) { analyzableConst(e) or any(DataFlow::SsaNode ssa).getAUse() = e or e instanceof DataFlow::SsaNode or - analyzableOtherVariable(e, _) or + analyzableOtherVariable(e, _, _) or analyzableMethodAccess(e, _, _) or - analyzableFieldRead(e, _, _) or + analyzableFieldRead(e, _, _, _) or analyzableCall(e, _) or analyzableBinaryOp(e, _, _, _) or analyzableUnaryOp(e) or - analyzableIndexExpr(e) or - analyzablePointerDereferenceExpr(e) + analyzableIndexExpr(e, _) or + analyzablePointerDereferenceExpr(e, _) } diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll index 8fca4bec8c6..603da6364df 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll @@ -1,4 +1,4 @@ -overlay[local] +overlay[local?] module; private import go @@ -488,6 +488,7 @@ module Public { * For virtual calls, we look up possible targets in all types that implement the receiver * interface type. */ + overlay[global] Callable getACalleeIncludingExternals() { result = this.getACalleeWithoutVirtualDispatch() or @@ -504,6 +505,7 @@ module Public { * As `getACalleeIncludingExternals`, except excluding external functions (those for which * we lack a definition, such as standard library functions). */ + overlay[global] pragma[nomagic] FuncDef getACallee() { result = this.getACalleeIncludingExternals().getFuncDef() } diff --git a/javascript/extractor/tests/yaml/input/emoji_buffer_boundary.yml b/javascript/extractor/tests/yaml/input/emoji_buffer_boundary.yml new file mode 100644 index 00000000000..a254c885d38 --- /dev/null +++ b/javascript/extractor/tests/yaml/input/emoji_buffer_boundary.yml 
@@ -0,0 +1,2 @@ +# xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +key: 🚀 diff --git a/javascript/extractor/tests/yaml/output/trap/emoji_buffer_boundary.yml.trap b/javascript/extractor/tests/yaml/output/trap/emoji_buffer_boundary.yml.trap new file mode 100644 index 00000000000..936088d8c09 --- /dev/null +++ b/javascript/extractor/tests/yaml/output/trap/emoji_buffer_boundary.yml.trap 
@@ -0,0 +1,27 @@
+#10000=@"/emoji_buffer_boundary.yml;sourcefile"
+files(#10000,"/emoji_buffer_boundary.yml")
+#10001=@"/;folder"
+folders(#10001,"/")
+containerparent(#10001,#10000)
+#10002=@"loc,{#10000},0,0,0,0"
+locations_default(#10002,#10000,0,0,0,0)
+hasLocation(#10000,#10002)
+#20000=*
+#20001=*
+yaml_scalars(#20001,0,"key")
+yaml(#20001,0,#20000,1,"tag:yaml.org,2002:str","key")
+#20002=@"loc,{#10000},2,1,2,3"
+locations_default(#20002,#10000,2,1,2,3)
+yaml_locations(#20001,#20002)
+#20003=*
+yaml_scalars(#20003,0,"🚀")
+yaml(#20003,0,#20000,-1,"tag:yaml.org,2002:str","\u1f680\ude80")
+#20004=@"loc,{#10000},2,6,2,6"
+locations_default(#20004,#10000,2,6,2,6)
+yaml_locations(#20003,#20004)
+yaml(#20000,1,#10000,0,"tag:yaml.org,2002:map","key: \u1f680\ude80")
+#20005=@"loc,{#10000},2,1,2,8"
+locations_default(#20005,#10000,2,1,2,8)
+yaml_locations(#20000,#20005)
+numlines(#10000,2,0,0)
+filetype(#10000,"yaml")