hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 13:45:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into unsigneddiff2

Browse Source
This commit is contained in:
Geoffrey White
2021-05-07 16:35:16 +01:00
parent 69468514f0 10e76ff28f
commit 75edcf0b4f
907 changed files with 29906 additions and 8295 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
View File

@@ -1,5 +1,9 @@
| test.cpp:30:15:30:26 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:38:9:38:20 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:50:13:50:38 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:51:22:51:47 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:53:18:53:43 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:29:13:29:24 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:37:13:37:24 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:41:13:41:24 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:49:8:49:19 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:58:8:58:19 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:63:8:63:19 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:92:5:92:31 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:93:15:93:41 | call to operator new[] | memory allocation error check is incorrect or missing |
| test.cpp:96:10:96:36 | call to operator new[] | memory allocation error check is incorrect or missing |

214
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
View File

@@ -1,97 +1,137 @@
#define NULL ((void*)0)
class exception {};
#define NULL ((void *)0)
namespace std{
struct nothrow_t {};
typedef unsigned long size_t;
class bad_alloc{
const char* what() const throw();
};
extern const std::nothrow_t nothrow;
}
namespace std {
struct nothrow_t {};
typedef unsigned long size_t;
class exception {};
class bad_alloc : public exception {};
extern const std::nothrow_t nothrow;
} // namespace std
using namespace std;
void* operator new(std::size_t _Size);
void* operator new[](std::size_t _Size);
void* operator new( std::size_t count, const std::nothrow_t& tag );
void* operator new[]( std::size_t count, const std::nothrow_t& tag );
void *operator new(std::size_t);
void *operator new[](std::size_t);
void *operator new(std::size_t, const std::nothrow_t &) noexcept;
void *operator new[](std::size_t, const std::nothrow_t &) noexcept;
void badNew_0_0()
{
while (true) {
new int[100]; // BAD [NOT DETECTED]
if(!(new int[100])) // BAD [NOT DETECTED]
return;
}
}
void badNew_0_1()
{
int * i = new int[100]; // BAD
if(i == 0)
return;
if(!i)
return;
if(i == NULL)
return;
int * j;
j = new int[100]; // BAD
if(j == 0)
return;
if(!j)
return;
if(j == NULL)
return;
}
void badNew_1_0()
{
try {
while (true) {
new(std::nothrow) int[100]; // BAD
int* p = new(std::nothrow) int[100]; // BAD
int* p1;
p1 = new(std::nothrow) int[100]; // BAD
}
} catch (const exception &){//const std::bad_alloc& e) {
// std::cout << e.what() << '\n';
}
}
void badNew_1_1()
{
while (true) {
int* p = new(std::nothrow) int[100]; // BAD [NOT DETECTED]
new(std::nothrow) int[100]; // BAD [NOT DETECTED]
}
void bad_new_in_condition() {
if (!(new int)) { // BAD [NOT DETECTED]
return;
}
}
void goodNew_0_0()
{
try {
while (true) {
new int[100]; // GOOD
}
} catch (const exception &){//const std::bad_alloc& e) {
// std::cout << e.what() << '\n';
}
void foo(int**);
void bad_new_missing_exception_handling() {
int *p1 = new int[100]; // BAD
if (p1 == 0)
return;
int *p2 = new int[100]; // BAD [NOT DETECTED]
if (!p2)
return;
int *p3 = new int[100]; // BAD
if (p3 == NULL)
return;
int *p4 = new int[100]; // BAD
if (p4 == nullptr)
return;
int *p5 = new int[100]; // BAD [NOT DETECTED]
if (p5) {} else return;
int *p6;
p6 = new int[100]; // BAD
if (p6 == 0) return;
int *p7;
p7 = new int[100]; // BAD [NOT DETECTED]
if (!p7)
return;
int *p8;
p8 = new int[100]; // BAD
if (p8 == NULL)
return;
int *p9;
p9 = new int[100]; // BAD
if (p9 != nullptr) {
} else
return;
int *p10;
p10 = new int[100]; // BAD [NOT DETECTED]
if (p10 != 0) {
}
int *p11;
do {
p11 = new int[100]; // BAD [NOT DETECTED]
} while (!p11);
int* p12 = new int[100];
foo(&p12);
if(p12) {} else return; // GOOD: p12 is probably modified in foo, so it's
// not the return value of the new that's checked.
int* p13 = new int[100];
foo(&p13);
if(!p13) {
return;
} else { }; // GOOD: same as above.
}
void goodNew_1_0()
{
while (true) {
int* p = new(std::nothrow) int[100]; // GOOD
if (p == nullptr) {
// std::cout << "Allocation returned nullptr\n";
break;
}
int* p1;
p1 = new(std::nothrow) int[100]; // GOOD
if (p1 == nullptr) {
// std::cout << "Allocation returned nullptr\n";
break;
}
if (new(std::nothrow) int[100] == nullptr) { // GOOD
// std::cout << "Allocation returned nullptr\n";
break;
}
}
void bad_new_nothrow_in_exception_body() {
try {
new (std::nothrow) int[100]; // BAD
int *p1 = new (std::nothrow) int[100]; // BAD
int *p2;
p2 = new (std::nothrow) int[100]; // BAD
} catch (const std::bad_alloc &) {
}
}
void good_new_has_exception_handling() {
try {
int *p1 = new int[100]; // GOOD
} catch (...) {
}
}
void good_new_handles_nullptr() {
int *p1 = new (std::nothrow) int[100]; // GOOD
if (p1 == nullptr)
return;
int *p2;
p2 = new (std::nothrow) int[100]; // GOOD
if (p2 == nullptr)
return;
int *p3;
p3 = new (std::nothrow) int[100]; // GOOD
if (p3 != nullptr) {
}
int *p4;
p4 = new (std::nothrow) int[100]; // GOOD
if (p4) {
} else
return;
int *p5;
p5 = new (std::nothrow) int[100]; // GOOD
if (p5 != nullptr) {
} else
return;
if (new (std::nothrow) int[100] == nullptr)
return; // GOOD
}

4
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.expected Normal file
View File

@@ -0,0 +1,4 @@
| test.c:15:6:15:16 | ... + ... | this expression needs your attention |
| test.c:17:17:17:27 | ... + ... | this expression needs your attention |
| test.c:22:10:22:15 | ... > ... | this expression needs your attention |
| test.c:26:10:26:15 | ... > ... | this expression needs your attention |

1
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql

2
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.expected Normal file
View File

@@ -0,0 +1,2 @@
| test.c:8:6:8:51 | ... & ... | This bitwise operation appears in a context where a Boolean operation is expected. |
| test.c:10:6:10:30 | ... & ... | This bitwise operation appears in a context where a Boolean operation is expected. |

1
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql

32
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c Normal file
View File

@@ -0,0 +1,32 @@
int tmpFunction(){
return 5;
}
void workFunction_0(char *s) {
int intSize;
char buf[80];
if(intSize>0 && intSize<80 && memset(buf,0,intSize)) return; // GOOD
if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD
if(intSize>0 && tmpFunction()) return;
if(intSize<0 & tmpFunction()) return; // BAD
}
void workFunction_1(char *s) {
int intA,intB;
if(intA + intB) return; // BAD
if(intA + intB>4) return; // GOOD
if(intA>0 && (intA + intB)) return; // BAD
while(intA>0)
{
if(intB - intA<10) break;
intA--;
}while(intA>0); // BAD
for(intA=100; intA>0; intA--)
{
if(intB - intA<10) break;
}while(intA>0); // BAD
while(intA>0)
{
if(intB - intA<10) break;
intA--;
} // GOOD
}

18
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
View File

@@ -1,9 +1,9 @@
| test.c:42:3:42:24 | ... = ... | potential unsafe or redundant assignment. |
| test.c:43:3:43:40 | ... = ... | potential unsafe or redundant assignment. |
| test.c:44:3:44:40 | ... = ... | potential unsafe or redundant assignment. |
| test.c:45:3:45:44 | ... = ... | potential unsafe or redundant assignment. |
| test.c:46:3:46:44 | ... = ... | potential unsafe or redundant assignment. |
| test.c:47:3:47:48 | ... = ... | potential unsafe or redundant assignment. |
| test.c:48:3:48:48 | ... = ... | potential unsafe or redundant assignment. |
| test.c:49:3:49:50 | ... = ... | potential unsafe or redundant assignment. |
| test.c:50:3:50:50 | ... = ... | potential unsafe or redundant assignment. |
| test.c:54:3:54:24 | ... = ... | potential unsafe or redundant assignment. |
| test.c:55:3:55:40 | ... = ... | potential unsafe or redundant assignment. |
| test.c:56:3:56:44 | ... = ... | potential unsafe or redundant assignment. |
| test.c:57:3:57:44 | ... = ... | potential unsafe or redundant assignment. |
| test.c:58:3:58:48 | ... = ... | potential unsafe or redundant assignment. |
| test.c:59:3:59:48 | ... = ... | potential unsafe or redundant assignment. |
| test.c:60:3:60:52 | ... = ... | potential unsafe or redundant assignment. |
| test.c:61:3:61:50 | ... = ... | potential unsafe or redundant assignment. |
| test.c:62:3:62:54 | ... = ... | potential unsafe or redundant assignment. |

8
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected
View File

@@ -1,3 +1,5 @@
| test.c:4:3:4:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
| test.c:11:3:11:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
| test.c:19:3:19:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
| test.c:8:3:8:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
| test.c:9:3:9:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
| test.c:17:3:17:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
| test.c:18:3:18:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
| test.c:46:3:46:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |

5
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.expected Normal file
View File

@@ -0,0 +1,5 @@
| test.cpp:10:8:10:10 | - ... | this expression needs attention |
| test.cpp:12:3:12:6 | ... ++ | this expression needs attention |
| test.cpp:13:3:13:6 | ++ ... | this expression needs attention |
| test.cpp:14:6:14:21 | ... = ... | this expression needs attention |
| test.cpp:16:6:16:21 | ... = ... | this expression needs attention |

1
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql

98
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
View File

@@ -1,70 +1,84 @@
void workFunction_0(char *s) {
char * strncat(char*, const char*, unsigned);
unsigned strlen(const char*);
void* malloc(unsigned);
void strncat_test1(char *s) {
char buf[80];
strncat(buf, s, sizeof(buf)-strlen(buf)-1); // GOOD
strncat(buf, s, sizeof(buf)-strlen(buf)); // BAD
strncat(buf, "fix", sizeof(buf)-strlen(buf)); // BAD [NOT DETECTED]
strncat(buf, s, sizeof(buf) - strlen(buf) - 1); // GOOD
strncat(buf, s, sizeof(buf) - strlen(buf)); // BAD
strncat(buf, "fix", sizeof(buf)-strlen(buf)); // BAD
}
void workFunction_1(char *s) {
#define MAX_SIZE 80
void strncat_test2(char *s) {
char buf[MAX_SIZE];
strncat(buf, s, MAX_SIZE-strlen(buf)-1); // GOOD
strncat(buf, s, MAX_SIZE-strlen(buf)); // BAD
strncat(buf, "fix", MAX_SIZE-strlen(buf)); // BAD [NOT DETECTED]
strncat(buf, s, MAX_SIZE - strlen(buf) - 1); // GOOD
strncat(buf, s, MAX_SIZE - strlen(buf)); // BAD
strncat(buf, "fix", MAX_SIZE - strlen(buf)); // BAD
}
void workFunction_2_0(char *s) {
char * buf;
int len=80;
buf = (char *) malloc(len);
strncat(buf, s, len-strlen(buf)-1); // GOOD
strncat(buf, s, len-strlen(buf)); // BAD
strncat(buf, "fix", len-strlen(buf)); // BAD [NOT DETECTED]
void strncat_test3(char *s) {
int len = 80;
char* buf = (char *) malloc(len);
strncat(buf, s, len - strlen(buf) - 1); // GOOD
strncat(buf, s, len - strlen(buf)); // BAD [NOT DETECTED]
strncat(buf, "fix", len - strlen(buf)); // BAD [NOT DETECTED]
}
void workFunction_2_1(char *s) {
char * buf;
int len=80;
buf = (char *) malloc(len+1);
strncat(buf, s, len-strlen(buf)-1); // GOOD
strncat(buf, s, len-strlen(buf)); // GOOD
void strncat_test4(char *s) {
int len = 80;
char* buf = (char *) malloc(len + 1);
strncat(buf, s, len - strlen(buf) - 1); // GOOD
strncat(buf, s, len - strlen(buf)); // GOOD
}
struct buffers
{
unsigned char buff1[50];
unsigned char *buff2;
unsigned char array[50];
unsigned char *pointer;
} globalBuff1,*globalBuff2,globalBuff1_c,*globalBuff2_c;
void strncat_test5(char* s, struct buffers* buffers) {
unsigned len_array = strlen(buffers->array);
unsigned max_size = sizeof(buffers->array);
unsigned free_size = max_size - len_array;
strncat(buffers->array, s, free_size); // BAD
}
void badFunc0(){
void strlen_test1(){
unsigned char buff1[12];
struct buffers buffAll;
struct buffers * buffAll1;
buff1[strlen(buff1)]=0; // BAD
buffAll.buff1[strlen(buffAll.buff1)]=0; // BAD
buffAll.buff2[strlen(buffAll.buff2)]=0; // BAD
buffAll1->buff1[strlen(buffAll1->buff1)]=0; // BAD
buffAll1->buff2[strlen(buffAll1->buff2)]=0; // BAD
globalBuff1.buff1[strlen(globalBuff1.buff1)]=0; // BAD
globalBuff1.buff2[strlen(globalBuff1.buff2)]=0; // BAD
globalBuff2->buff1[strlen(globalBuff2->buff1)]=0; // BAD
globalBuff2->buff2[strlen(globalBuff2->buff2)]=0; // BAD
buffAll.array[strlen(buffAll.array)]=0; // BAD
buffAll.pointer[strlen(buffAll.pointer)]=0; // BAD
buffAll1->array[strlen(buffAll1->array)]=0; // BAD
buffAll1->pointer[strlen(buffAll1->pointer)]=0; // BAD
globalBuff1.array[strlen(globalBuff1.array)]=0; // BAD
globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // BAD
globalBuff2->array[strlen(globalBuff2->array)]=0; // BAD
globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // BAD
}
void noBadFunc0(){
void strlen_test2(){
unsigned char buff1[12],buff1_c[12];
struct buffers buffAll,buffAll_c;
struct buffers * buffAll1,*buffAll1_c;
buff1[strlen(buff1_c)]=0; // GOOD
buffAll.buff1[strlen(buffAll_c.buff1)]=0; // GOOD
buffAll.buff2[strlen(buffAll.buff1)]=0; // GOOD
buffAll1->buff1[strlen(buffAll1_c->buff1)]=0; // GOOD
buffAll1->buff2[strlen(buffAll1->buff1)]=0; // GOOD
globalBuff1.buff1[strlen(globalBuff1_c.buff1)]=0; // GOOD
globalBuff1.buff2[strlen(globalBuff1.buff1)]=0; // GOOD
globalBuff2->buff1[strlen(globalBuff2_c->buff1)]=0; // GOOD
globalBuff2->buff2[strlen(globalBuff2->buff1)]=0; // GOOD
buffAll.array[strlen(buffAll_c.array)]=0; // GOOD
buffAll.pointer[strlen(buffAll.array)]=0; // GOOD
buffAll1->array[strlen(buffAll1_c->array)]=0; // GOOD
buffAll1->pointer[strlen(buffAll1->array)]=0; // GOOD
globalBuff1.array[strlen(globalBuff1_c.array)]=0; // GOOD
globalBuff1.pointer[strlen(globalBuff1.array)]=0; // GOOD
globalBuff2->array[strlen(globalBuff2_c->array)]=0; // GOOD
globalBuff2->pointer[strlen(globalBuff2->array)]=0; // GOOD
}
void goodFunc0(){
void strlen_test3(){
unsigned char buffer[12];
int i;
for(i = 0; i < 6; i++)

26
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp Normal file
View File

@@ -0,0 +1,26 @@
int tmpFunc()
{
return 12;
}
void testFunction()
{
int i1,i2,i3;
bool b1,b2,b3;
char c1,c2,c3;
b1 = -b2; //BAD
b1 = !b2; //GOOD
b1++; //BAD
++b1; //BAD
if(i1=tmpFunc()!=i2) //BAD
return;
if(i1=tmpFunc()!=11) //BAD
return;
if((i1=tmpFunc())!=i2) //GOOD
return;
if((i1=tmpFunc())!=11) //GOOD
return;
if(i1=tmpFunc()!=1) //GOOD
return;
if(i1=tmpFunc()==b1) //GOOD
return;
}

139
cpp/ql/test/include/memory.h Normal file
View File

@@ -0,0 +1,139 @@
#if !defined(CODEQL_MEMORY_H)
#define CODEQL_MEMORY_H
namespace std {
namespace detail {
template<typename T>
class compressed_pair_element {
T element;
public:
compressed_pair_element() = default;
compressed_pair_element(const T& t) : element(t) {}
T& get() { return element; }
const T& get() const { return element; }
};
template<typename T, typename U>
struct compressed_pair : private compressed_pair_element<T>, private compressed_pair_element<U> {
compressed_pair() = default;
compressed_pair(T& t) : compressed_pair_element<T>(t), compressed_pair_element<U>() {}
compressed_pair(const compressed_pair&) = delete;
compressed_pair(compressed_pair<T, U>&&) noexcept = default;
T& first() { return static_cast<compressed_pair_element<T>&>(*this).get(); }
U& second() { return static_cast<compressed_pair_element<U>&>(*this).get(); }
const T& first() const { return static_cast<const compressed_pair_element<T>&>(*this).get(); }
const U& second() const { return static_cast<const compressed_pair_element<U>&>(*this).get(); }
};
}
template<class T>
struct default_delete {
void operator()(T* ptr) const { delete ptr; }
};
template<class T>
struct default_delete<T[]> {
template<class U>
void operator()(U* ptr) const { delete[] ptr; }
};
template<class T, class Deleter = default_delete<T> >
class unique_ptr {
private:
detail::compressed_pair<T*, Deleter> data;
public:
constexpr unique_ptr() noexcept {}
explicit unique_ptr(T* ptr) noexcept : data(ptr) {}
unique_ptr(const unique_ptr& ptr) = delete;
unique_ptr(unique_ptr&& ptr) noexcept = default;
unique_ptr& operator=(unique_ptr&& ptr) noexcept = default;
T& operator*() const { return *get(); }
T* operator->() const noexcept { return get(); }
T* get() const noexcept { return data.first(); }
T* release() noexcept {
Deleter& d = data.second();
d(data.first());
data.first() = nullptr;
}
~unique_ptr() {
Deleter& d = data.second();
d(data.first());
}
};
template<typename T, class... Args> unique_ptr<T> make_unique(Args&&... args) {
return unique_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
}
class ctrl_block {
unsigned uses;
public:
ctrl_block() : uses(1) {}
void inc() { ++uses; }
bool dec() { return --uses == 0; }
virtual void destroy() = 0;
virtual ~ctrl_block() {}
};
template<typename T, class Deleter = default_delete<T> >
struct ctrl_block_impl: public ctrl_block {
T* ptr;
Deleter d;
ctrl_block_impl(T* ptr, Deleter d) : ptr(ptr), d(d) {}
virtual void destroy() override { d(ptr); }
};
template<class T>
class shared_ptr {
private:
ctrl_block* ctrl;
T* ptr;
void dec() {
if(ctrl->dec()) {
ctrl->destroy();
delete ctrl;
}
}
void inc() {
ctrl->inc();
}
public:
constexpr shared_ptr() noexcept = default;
shared_ptr(T* ptr) : ctrl(new ctrl_block_impl<T>(ptr, default_delete<T>())) {}
shared_ptr(const shared_ptr& s) noexcept : ptr(s.ptr), ctrl(s.ctrl) {
inc();
}
shared_ptr(shared_ptr&& s) noexcept = default;
shared_ptr(unique_ptr<T>&& s) : shared_ptr(s.release()) {
}
T* operator->() const { return ptr; }
T& operator*() const { return *ptr; }
T* get() const noexcept { return ptr; }
~shared_ptr() { dec(); }
};
template<typename T, class... Args> shared_ptr<T> make_shared(Args&&... args) {
return shared_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
}
}
#endif

21
cpp/ql/test/include/type_traits.h Normal file
View File

@@ -0,0 +1,21 @@
#if !defined(CODEQL_TYPE_TRAITS_H)
#define CODEQL_TYPE_TRAITS_H
namespace std {
template<typename T>
struct remove_reference {
typedef T type;
};
template<typename T>
struct remove_reference<T&> {
typedef T type;
};
template<typename T>
struct remove_reference<T&&> {
typedef T type;
};
}
#endif

13
cpp/ql/test/include/utility.h Normal file
View File

@@ -0,0 +1,13 @@
#if !defined(CODEQL_UTILITY_H)
#define CODEQL_UTILITY_H
#include "type_traits.h"
namespace std {
template<typename T>
typename remove_reference<T>::type&& move(T&& src) {
return static_cast<typename remove_reference<T>::type&&>(src);
}
}
#endif

2
cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
View File

@@ -26,6 +26,7 @@ unreachableNodeCCtx
localCallNodes
postIsNotPre
postHasUniquePre
| test.cpp:373:5:373:20 | Store | PostUpdateNode should have one pre-update node but has 0. |
uniquePostUpdate
postIsInSameCallable
reverseRead
@@ -82,4 +83,5 @@ postWithInFlow
| test.cpp:125:3:125:11 | Chi | PostUpdateNode should not be the target of local flow. |
| test.cpp:359:5:359:20 | Chi | PostUpdateNode should not be the target of local flow. |
| test.cpp:373:5:373:20 | Chi | PostUpdateNode should not be the target of local flow. |
| test.cpp:373:5:373:20 | Store | PostUpdateNode should not be the target of local flow. |
| test.cpp:465:3:465:15 | Chi | PostUpdateNode should not be the target of local flow. |

4
cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
View File

@@ -20,7 +20,9 @@ unreachableNodeCCtx
localCallNodes
postIsNotPre
postHasUniquePre
| D.cpp:57:5:57:42 | Store | PostUpdateNode should have one pre-update node but has 0. |
| simple.cpp:65:5:65:22 | Store | PostUpdateNode should have one pre-update node but has 0. |
| simple.cpp:83:9:83:28 | Store | PostUpdateNode should have one pre-update node but has 0. |
| simple.cpp:92:5:92:22 | Store | PostUpdateNode should have one pre-update node but has 0. |
uniquePostUpdate
postIsInSameCallable
@@ -54,6 +56,7 @@ postWithInFlow
| D.cpp:49:15:49:24 | Chi | PostUpdateNode should not be the target of local flow. |
| D.cpp:56:15:56:24 | Chi | PostUpdateNode should not be the target of local flow. |
| D.cpp:57:5:57:42 | Chi | PostUpdateNode should not be the target of local flow. |
| D.cpp:57:5:57:42 | Store | PostUpdateNode should not be the target of local flow. |
| aliasing.cpp:9:3:9:22 | Chi | PostUpdateNode should not be the target of local flow. |
| aliasing.cpp:13:3:13:21 | Chi | PostUpdateNode should not be the target of local flow. |
| aliasing.cpp:17:3:17:21 | Chi | PostUpdateNode should not be the target of local flow. |
@@ -150,6 +153,7 @@ postWithInFlow
| simple.cpp:23:35:23:35 | Chi | PostUpdateNode should not be the target of local flow. |
| simple.cpp:65:5:65:22 | Store | PostUpdateNode should not be the target of local flow. |
| simple.cpp:83:9:83:28 | Chi | PostUpdateNode should not be the target of local flow. |
| simple.cpp:83:9:83:28 | Store | PostUpdateNode should not be the target of local flow. |
| simple.cpp:92:5:92:22 | Store | PostUpdateNode should not be the target of local flow. |
| struct_init.c:20:20:20:29 | Chi | PostUpdateNode should not be the target of local flow. |
| struct_init.c:20:34:20:34 | Chi | PostUpdateNode should not be the target of local flow. |

6
cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
View File

@@ -228,8 +228,8 @@ edges
| simple.cpp:65:5:65:22 | Store [i] | simple.cpp:66:12:66:12 | Store [i] |
| simple.cpp:65:11:65:20 | call to user_input | simple.cpp:65:5:65:22 | Store [i] |
| simple.cpp:66:12:66:12 | Store [i] | simple.cpp:67:13:67:13 | i |
| simple.cpp:83:9:83:28 | Chi [f1] | simple.cpp:84:14:84:20 | this indirection [f1] |
| simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:9:83:28 | Chi [f1] |
| simple.cpp:83:9:83:28 | Store [f1] | simple.cpp:84:14:84:20 | this indirection [f1] |
| simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:9:83:28 | Store [f1] |
| simple.cpp:84:14:84:20 | this indirection [f1] | simple.cpp:84:14:84:20 | call to getf2f1 |
| simple.cpp:92:5:92:22 | Store [i] | simple.cpp:93:20:93:20 | Store [i] |
| simple.cpp:92:11:92:20 | call to user_input | simple.cpp:92:5:92:22 | Store [i] |
@@ -494,7 +494,7 @@ nodes
| simple.cpp:65:11:65:20 | call to user_input | semmle.label | call to user_input |
| simple.cpp:66:12:66:12 | Store [i] | semmle.label | Store [i] |
| simple.cpp:67:13:67:13 | i | semmle.label | i |
| simple.cpp:83:9:83:28 | Chi [f1] | semmle.label | Chi [f1] |
| simple.cpp:83:9:83:28 | Store [f1] | semmle.label | Store [f1] |
| simple.cpp:83:17:83:26 | call to user_input | semmle.label | call to user_input |
| simple.cpp:84:14:84:20 | call to getf2f1 | semmle.label | call to getf2f1 |
| simple.cpp:84:14:84:20 | this indirection [f1] | semmle.label | this indirection [f1] |

18
cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.ql
View File

@@ -19,15 +19,19 @@ class IRPartialDefNode extends IRNode {
override string toString() { result = n.asPartialDefinition().toString() }
}
from Node node, AST::Node astNode, IR::Node irNode, string msg
from Node node, string msg
where
node.asIR() = irNode and
exists(irNode.asPartialDefinition()) and
not exists(AST::Node otherNode | otherNode.asPartialDefinition() = irNode.asPartialDefinition()) and
exists(IR::Node irNode, Expr partial |
node.asIR() = irNode and
partial = irNode.asPartialDefinition() and
not exists(AST::Node otherNode | otherNode.asPartialDefinition() = partial)
) and
msg = "IR only"
or
node.asAST() = astNode and
exists(astNode.asPartialDefinition()) and
not exists(IR::Node otherNode | otherNode.asPartialDefinition() = astNode.asPartialDefinition()) and
exists(AST::Node astNode, Expr partial |
node.asAST() = astNode and
partial = astNode.asPartialDefinition() and
not exists(IR::Node otherNode | otherNode.asPartialDefinition() = partial)
) and
msg = "AST only"
select node, msg

8
cpp/ql/test/library-tests/dataflow/smart-pointers-taint/test.cpp
View File

@@ -7,7 +7,7 @@ void test_unique_ptr_int() {
std::unique_ptr<int> p1(new int(source()));
std::unique_ptr<int> p2 = std::make_unique<int>(source());
sink(*p1); // $ MISSING: ast,ir
sink(*p1); // $ ir MISSING: ast
sink(*p2); // $ ast ir=8:50
}
@@ -21,7 +21,7 @@ void test_unique_ptr_struct() {
std::unique_ptr<A> p1(new A{source(), 0});
std::unique_ptr<A> p2 = std::make_unique<A>(source(), 0);
sink(p1->x); // $ MISSING: ast,ir
sink(p1->x); // $ ir MISSING: ast
sink(p1->y);
sink(p2->x); // $ MISSING: ast,ir
sink(p2->y);
@@ -31,7 +31,7 @@ void test_shared_ptr_int() {
std::shared_ptr<int> p1(new int(source()));
std::shared_ptr<int> p2 = std::make_shared<int>(source());
sink(*p1); // $ ast
sink(*p1); // $ ast ir
sink(*p2); // $ ast ir=32:50
}
@@ -39,7 +39,7 @@ void test_shared_ptr_struct() {
std::shared_ptr<A> p1(new A{source(), 0});
std::shared_ptr<A> p2 = std::make_shared<A>(source(), 0);
sink(p1->x); // $ MISSING: ast,ir
sink(p1->x); // $ ir MISSING: ast
sink(p1->y);
sink(p2->x); // $ MISSING: ast,ir
sink(p2->y);

471
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -3223,52 +3223,235 @@
| smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:12:11:12:11 | p | |
| smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:13:10:13:10 | p | |
| smart_pointer.cpp:11:52:11:57 | call to source | smart_pointer.cpp:11:30:11:50 | call to make_shared | TAINT |
| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* | TAINT |
| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* | |
| smart_pointer.cpp:12:11:12:11 | ref arg p | smart_pointer.cpp:13:10:13:10 | p | |
| smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:18:11:18:11 | p | |
| smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:19:10:19:10 | p | |
| smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:18:11:18:11 | p [inner post update] | |
| smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:18:11:18:11 | ref arg p | TAINT |
| smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:19:10:19:10 | p | |
| smart_pointer.cpp:18:11:18:11 | p | smart_pointer.cpp:18:10:18:10 | call to operator* | TAINT |
| smart_pointer.cpp:18:11:18:11 | ref arg p | smart_pointer.cpp:18:11:18:11 | p [inner post update] | |
| smart_pointer.cpp:18:11:18:11 | ref arg p | smart_pointer.cpp:19:10:19:10 | p | |
| smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:24:11:24:11 | p | |
| smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:25:10:25:10 | p | |
| smart_pointer.cpp:23:52:23:57 | call to source | smart_pointer.cpp:23:30:23:50 | call to make_unique | TAINT |
| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* | TAINT |
| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* | |
| smart_pointer.cpp:24:11:24:11 | ref arg p | smart_pointer.cpp:25:10:25:10 | p | |
| smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:30:11:30:11 | p | |
| smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:31:10:31:10 | p | |
| smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:30:11:30:11 | p [inner post update] | |
| smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:30:11:30:11 | ref arg p | TAINT |
| smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:31:10:31:10 | p | |
| smart_pointer.cpp:30:11:30:11 | p | smart_pointer.cpp:30:10:30:10 | call to operator* | TAINT |
| smart_pointer.cpp:30:11:30:11 | ref arg p | smart_pointer.cpp:30:11:30:11 | p [inner post update] | |
| smart_pointer.cpp:30:11:30:11 | ref arg p | smart_pointer.cpp:31:10:31:10 | p | |
| smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:37:6:37:6 | p | |
| smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:38:10:38:10 | p | |
| smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:39:11:39:11 | p | |
| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:37:6:37:6 | p [inner post update] | |
| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:37:6:37:6 | ref arg p | TAINT |
| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:38:10:38:10 | p | |
| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:39:11:39:11 | p | |
| smart_pointer.cpp:37:5:37:17 | ... = ... | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | |
| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* | TAINT |
| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* | |
| smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:37:6:37:6 | p [inner post update] | |
| smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:38:10:38:10 | p | |
| smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:39:11:39:11 | p | |
| smart_pointer.cpp:37:10:37:15 | call to source | smart_pointer.cpp:37:5:37:17 | ... = ... | |
| smart_pointer.cpp:38:10:38:10 | ref arg p | smart_pointer.cpp:39:11:39:11 | p | |
| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* | TAINT |
| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* | |
| smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:45:6:45:6 | p | |
| smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:46:10:46:10 | p | |
| smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:47:11:47:11 | p | |
| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:45:6:45:6 | p [inner post update] | |
| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:45:6:45:6 | ref arg p | TAINT |
| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:46:10:46:10 | p | |
| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:47:11:47:11 | p | |
| smart_pointer.cpp:45:5:45:17 | ... = ... | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | |
| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* | TAINT |
| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* | |
| smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:45:6:45:6 | p [inner post update] | |
| smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:46:10:46:10 | p | |
| smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:47:11:47:11 | p | |
| smart_pointer.cpp:45:10:45:15 | call to source | smart_pointer.cpp:45:5:45:17 | ... = ... | |
| smart_pointer.cpp:46:10:46:10 | ref arg p | smart_pointer.cpp:47:11:47:11 | p | |
| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* | TAINT |
| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* | |
| smart_pointer.cpp:51:30:51:50 | call to make_shared | smart_pointer.cpp:52:10:52:10 | p | |
| smart_pointer.cpp:51:52:51:57 | call to source | smart_pointer.cpp:51:30:51:50 | call to make_shared | TAINT |
| smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get | TAINT |
| smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get | |
| smart_pointer.cpp:52:12:52:14 | ref arg call to get | smart_pointer.cpp:52:10:52:10 | ref arg p | TAINT |
| smart_pointer.cpp:56:30:56:50 | call to make_unique | smart_pointer.cpp:57:10:57:10 | p | |
| smart_pointer.cpp:56:52:56:57 | call to source | smart_pointer.cpp:56:30:56:50 | call to make_unique | TAINT |
| smart_pointer.cpp:57:10:57:10 | p | smart_pointer.cpp:57:12:57:14 | call to get | TAINT |
| smart_pointer.cpp:57:10:57:10 | p | smart_pointer.cpp:57:12:57:14 | call to get | |
| smart_pointer.cpp:57:12:57:14 | ref arg call to get | smart_pointer.cpp:57:10:57:10 | ref arg p | TAINT |
| smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:66:10:66:10 | p | |
| smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:67:10:67:10 | p | |
| smart_pointer.cpp:65:48:65:53 | call to source | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
| smart_pointer.cpp:65:58:65:58 | 0 | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
| smart_pointer.cpp:66:10:66:10 | p | smart_pointer.cpp:66:11:66:11 | call to operator-> | |
| smart_pointer.cpp:66:10:66:10 | ref arg p | smart_pointer.cpp:67:10:67:10 | p | |
| smart_pointer.cpp:67:10:67:10 | p | smart_pointer.cpp:67:11:67:11 | call to operator-> | |
| smart_pointer.cpp:70:37:70:39 | ptr | smart_pointer.cpp:70:37:70:39 | ptr | |
| smart_pointer.cpp:70:37:70:39 | ptr | smart_pointer.cpp:71:4:71:6 | ptr | |
| smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:70:37:70:39 | ptr | |
| smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:71:4:71:6 | ptr [inner post update] | |
| smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:71:4:71:6 | ref arg ptr | TAINT |
| smart_pointer.cpp:71:3:71:17 | ... = ... | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | |
| smart_pointer.cpp:71:4:71:6 | ptr | smart_pointer.cpp:71:3:71:3 | call to operator* | |
| smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:70:37:70:39 | ptr | |
| smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:71:4:71:6 | ptr [inner post update] | |
| smart_pointer.cpp:71:10:71:15 | call to source | smart_pointer.cpp:71:3:71:17 | ... = ... | |
| smart_pointer.cpp:75:26:75:33 | call to shared_ptr | smart_pointer.cpp:76:13:76:13 | p | |
| smart_pointer.cpp:75:26:75:33 | call to shared_ptr | smart_pointer.cpp:77:9:77:9 | p | |
| smart_pointer.cpp:76:13:76:13 | p | smart_pointer.cpp:76:13:76:13 | call to shared_ptr | |
| smart_pointer.cpp:76:13:76:13 | ref arg call to shared_ptr | smart_pointer.cpp:76:13:76:13 | p [inner post update] | |
| smart_pointer.cpp:76:13:76:13 | ref arg call to shared_ptr | smart_pointer.cpp:77:9:77:9 | p | |
| smart_pointer.cpp:76:13:76:13 | ref arg p | smart_pointer.cpp:76:13:76:13 | p [inner post update] | |
| smart_pointer.cpp:76:13:76:13 | ref arg p | smart_pointer.cpp:77:9:77:9 | p | |
| smart_pointer.cpp:77:9:77:9 | p | smart_pointer.cpp:77:8:77:8 | call to operator* | |
| smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:86:45:86:45 | p | |
| smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:87:3:87:3 | p | |
| smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:88:8:88:8 | p | |
| smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:89:8:89:8 | p | |
| smart_pointer.cpp:86:67:86:67 | q | smart_pointer.cpp:86:67:86:67 | q | |
| smart_pointer.cpp:86:67:86:67 | q | smart_pointer.cpp:91:3:91:3 | q | |
| smart_pointer.cpp:86:67:86:67 | q | smart_pointer.cpp:92:8:92:8 | q | |
| smart_pointer.cpp:86:67:86:67 | q | smart_pointer.cpp:93:8:93:8 | q | |
| smart_pointer.cpp:86:67:86:67 | q | smart_pointer.cpp:94:8:94:8 | q | |
| smart_pointer.cpp:87:3:87:3 | p | smart_pointer.cpp:87:4:87:4 | call to operator-> | |
| smart_pointer.cpp:87:3:87:3 | ref arg p | smart_pointer.cpp:86:45:86:45 | p | |
| smart_pointer.cpp:87:3:87:3 | ref arg p | smart_pointer.cpp:88:8:88:8 | p | |
| smart_pointer.cpp:87:3:87:3 | ref arg p | smart_pointer.cpp:89:8:89:8 | p | |
| smart_pointer.cpp:87:3:87:17 | ... = ... | smart_pointer.cpp:87:6:87:6 | x [post update] | |
| smart_pointer.cpp:87:3:87:17 | ... = ... | smart_pointer.cpp:88:11:88:11 | x | |
| smart_pointer.cpp:87:4:87:4 | call to operator-> [post update] | smart_pointer.cpp:87:3:87:3 | ref arg p | TAINT |
| smart_pointer.cpp:87:10:87:15 | call to source | smart_pointer.cpp:87:3:87:17 | ... = ... | |
| smart_pointer.cpp:88:8:88:8 | p | smart_pointer.cpp:88:9:88:9 | call to operator-> | |
| smart_pointer.cpp:88:8:88:8 | ref arg p | smart_pointer.cpp:86:45:86:45 | p | |
| smart_pointer.cpp:88:8:88:8 | ref arg p | smart_pointer.cpp:89:8:89:8 | p | |
| smart_pointer.cpp:89:8:89:8 | p | smart_pointer.cpp:89:9:89:9 | call to operator-> | |
| smart_pointer.cpp:89:8:89:8 | ref arg p | smart_pointer.cpp:86:45:86:45 | p | |
| smart_pointer.cpp:91:3:91:3 | q | smart_pointer.cpp:91:4:91:4 | call to operator-> | |
| smart_pointer.cpp:91:3:91:3 | ref arg q | smart_pointer.cpp:86:67:86:67 | q | |
| smart_pointer.cpp:91:3:91:3 | ref arg q | smart_pointer.cpp:92:8:92:8 | q | |
| smart_pointer.cpp:91:3:91:3 | ref arg q | smart_pointer.cpp:93:8:93:8 | q | |
| smart_pointer.cpp:91:3:91:3 | ref arg q | smart_pointer.cpp:94:8:94:8 | q | |
| smart_pointer.cpp:91:3:91:20 | ... = ... | smart_pointer.cpp:91:9:91:9 | x [post update] | |
| smart_pointer.cpp:91:3:91:20 | ... = ... | smart_pointer.cpp:92:14:92:14 | x | |
| smart_pointer.cpp:91:4:91:4 | call to operator-> [post update] | smart_pointer.cpp:91:3:91:3 | ref arg q | TAINT |
| smart_pointer.cpp:91:13:91:18 | call to source | smart_pointer.cpp:91:3:91:20 | ... = ... | |
| smart_pointer.cpp:92:8:92:8 | q | smart_pointer.cpp:92:9:92:9 | call to operator-> | |
| smart_pointer.cpp:92:8:92:8 | ref arg q | smart_pointer.cpp:86:67:86:67 | q | |
| smart_pointer.cpp:92:8:92:8 | ref arg q | smart_pointer.cpp:93:8:93:8 | q | |
| smart_pointer.cpp:92:8:92:8 | ref arg q | smart_pointer.cpp:94:8:94:8 | q | |
| smart_pointer.cpp:93:8:93:8 | q | smart_pointer.cpp:93:9:93:9 | call to operator-> | |
| smart_pointer.cpp:93:8:93:8 | ref arg q | smart_pointer.cpp:86:67:86:67 | q | |
| smart_pointer.cpp:93:8:93:8 | ref arg q | smart_pointer.cpp:94:8:94:8 | q | |
| smart_pointer.cpp:94:8:94:8 | q | smart_pointer.cpp:94:9:94:9 | call to operator-> | |
| smart_pointer.cpp:94:8:94:8 | ref arg q | smart_pointer.cpp:86:67:86:67 | q | |
| smart_pointer.cpp:97:17:97:18 | pa | smart_pointer.cpp:98:5:98:6 | pa | |
| smart_pointer.cpp:98:5:98:20 | ... = ... | smart_pointer.cpp:98:9:98:9 | x [post update] | |
| smart_pointer.cpp:98:13:98:18 | call to source | smart_pointer.cpp:98:5:98:20 | ... = ... | |
| smart_pointer.cpp:102:25:102:50 | call to unique_ptr | smart_pointer.cpp:103:11:103:11 | p | |
| smart_pointer.cpp:102:25:102:50 | call to unique_ptr | smart_pointer.cpp:104:8:104:8 | p | |
| smart_pointer.cpp:103:11:103:11 | p | smart_pointer.cpp:103:13:103:15 | call to get | |
| smart_pointer.cpp:103:11:103:11 | ref arg p | smart_pointer.cpp:104:8:104:8 | p | |
| smart_pointer.cpp:103:13:103:15 | ref arg call to get | smart_pointer.cpp:103:11:103:11 | ref arg p | TAINT |
| smart_pointer.cpp:104:8:104:8 | p | smart_pointer.cpp:104:9:104:9 | call to operator-> | |
| smart_pointer.cpp:112:40:112:42 | ptr | smart_pointer.cpp:112:40:112:42 | ptr | |
| smart_pointer.cpp:112:40:112:42 | ptr | smart_pointer.cpp:113:2:113:4 | ptr | |
| smart_pointer.cpp:113:2:113:4 | ptr | smart_pointer.cpp:113:5:113:5 | call to operator-> | |
| smart_pointer.cpp:113:2:113:4 | ref arg ptr | smart_pointer.cpp:112:40:112:42 | ptr | |
| smart_pointer.cpp:113:2:113:18 | ... = ... | smart_pointer.cpp:113:7:113:7 | x [post update] | |
| smart_pointer.cpp:113:5:113:5 | call to operator-> [post update] | smart_pointer.cpp:113:2:113:4 | ref arg ptr | TAINT |
| smart_pointer.cpp:113:11:113:16 | call to source | smart_pointer.cpp:113:2:113:18 | ... = ... | |
| smart_pointer.cpp:116:52:116:54 | ptr | smart_pointer.cpp:116:52:116:54 | ptr | |
| smart_pointer.cpp:116:52:116:54 | ptr | smart_pointer.cpp:117:2:117:4 | ptr | |
| smart_pointer.cpp:117:2:117:4 | ptr | smart_pointer.cpp:117:5:117:5 | call to operator-> | |
| smart_pointer.cpp:117:2:117:4 | ref arg ptr | smart_pointer.cpp:116:52:116:54 | ptr | |
| smart_pointer.cpp:117:2:117:18 | ... = ... | smart_pointer.cpp:117:7:117:7 | x [post update] | |
| smart_pointer.cpp:117:5:117:5 | call to operator-> [post update] | smart_pointer.cpp:117:2:117:4 | ref arg ptr | TAINT |
| smart_pointer.cpp:117:11:117:16 | call to source | smart_pointer.cpp:117:2:117:18 | ... = ... | |
| smart_pointer.cpp:120:48:120:50 | ptr | smart_pointer.cpp:120:48:120:50 | ptr | |
| smart_pointer.cpp:120:48:120:50 | ptr | smart_pointer.cpp:121:4:121:6 | ptr | |
| smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:120:48:120:50 | ptr | |
| smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] | |
| smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:121:4:121:6 | ref arg ptr | TAINT |
| smart_pointer.cpp:121:3:121:17 | ... = ... | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | |
| smart_pointer.cpp:121:4:121:6 | ptr | smart_pointer.cpp:121:3:121:3 | call to operator* | |
| smart_pointer.cpp:121:4:121:6 | ref arg ptr | smart_pointer.cpp:120:48:120:50 | ptr | |
| smart_pointer.cpp:121:4:121:6 | ref arg ptr | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] | |
| smart_pointer.cpp:121:10:121:15 | call to source | smart_pointer.cpp:121:3:121:17 | ... = ... | |
| smart_pointer.cpp:124:48:124:49 | p1 | smart_pointer.cpp:124:48:124:49 | p1 | |
| smart_pointer.cpp:124:48:124:49 | p1 | smart_pointer.cpp:125:18:125:19 | p1 | |
| smart_pointer.cpp:124:48:124:49 | p1 | smart_pointer.cpp:126:8:126:9 | p1 | |
| smart_pointer.cpp:124:90:124:91 | p2 | smart_pointer.cpp:124:90:124:91 | p2 | |
| smart_pointer.cpp:124:90:124:91 | p2 | smart_pointer.cpp:128:14:128:15 | p2 | |
| smart_pointer.cpp:124:90:124:91 | p2 | smart_pointer.cpp:129:10:129:11 | p2 | |
| smart_pointer.cpp:125:18:125:19 | p1 | smart_pointer.cpp:125:20:125:20 | call to operator-> | |
| smart_pointer.cpp:125:18:125:19 | ref arg p1 | smart_pointer.cpp:124:48:124:49 | p1 | |
| smart_pointer.cpp:125:18:125:19 | ref arg p1 | smart_pointer.cpp:126:8:126:9 | p1 | |
| smart_pointer.cpp:125:18:125:22 | ref arg call to shared_ptr | smart_pointer.cpp:125:22:125:22 | q [inner post update] | |
| smart_pointer.cpp:125:20:125:20 | call to operator-> [post update] | smart_pointer.cpp:125:18:125:19 | ref arg p1 | TAINT |
| smart_pointer.cpp:125:22:125:22 | q | smart_pointer.cpp:125:18:125:22 | call to shared_ptr | |
| smart_pointer.cpp:125:22:125:22 | ref arg q | smart_pointer.cpp:125:22:125:22 | q [inner post update] | |
| smart_pointer.cpp:126:8:126:9 | p1 | smart_pointer.cpp:126:10:126:10 | call to operator-> | |
| smart_pointer.cpp:126:8:126:9 | ref arg p1 | smart_pointer.cpp:124:48:124:49 | p1 | |
| smart_pointer.cpp:126:10:126:10 | call to operator-> [post update] | smart_pointer.cpp:126:8:126:9 | ref arg p1 | TAINT |
| smart_pointer.cpp:126:12:126:12 | q | smart_pointer.cpp:126:13:126:13 | call to operator-> | |
| smart_pointer.cpp:128:13:128:13 | call to operator* | smart_pointer.cpp:128:13:128:15 | call to shared_ptr | TAINT |
| smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] | smart_pointer.cpp:128:14:128:15 | ref arg p2 | TAINT |
| smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:124:90:124:91 | p2 | |
| smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] | |
| smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:128:14:128:15 | p2 [inner post update] | |
| smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:128:14:128:15 | ref arg p2 | TAINT |
| smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | p2 | |
| smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:124:90:124:91 | p2 | |
| smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] | |
| smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:128:14:128:15 | p2 [inner post update] | |
| smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:129:10:129:11 | p2 | |
| smart_pointer.cpp:128:14:128:15 | p2 | smart_pointer.cpp:128:13:128:13 | call to operator* | TAINT |
| smart_pointer.cpp:128:14:128:15 | ref arg p2 | smart_pointer.cpp:124:90:124:91 | p2 | |
| smart_pointer.cpp:128:14:128:15 | ref arg p2 | smart_pointer.cpp:128:14:128:15 | p2 [inner post update] | |
| smart_pointer.cpp:128:14:128:15 | ref arg p2 | smart_pointer.cpp:129:10:129:11 | p2 | |
| smart_pointer.cpp:129:9:129:9 | call to operator* | smart_pointer.cpp:129:8:129:8 | call to operator* | TAINT |
| smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:124:90:124:91 | p2 | |
| smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | p2 [inner post update] | |
| smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | ref arg p2 | TAINT |
| smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:8:129:8 | call to operator* | |
| smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:9:129:9 | call to operator* | TAINT |
| smart_pointer.cpp:129:10:129:11 | ref arg p2 | smart_pointer.cpp:124:90:124:91 | p2 | |
| smart_pointer.cpp:129:10:129:11 | ref arg p2 | smart_pointer.cpp:129:10:129:11 | p2 [inner post update] | |
| smart_pointer.cpp:132:53:132:54 | p1 | smart_pointer.cpp:132:53:132:54 | p1 | |
| smart_pointer.cpp:132:53:132:54 | p1 | smart_pointer.cpp:133:23:133:24 | p1 | |
| smart_pointer.cpp:132:53:132:54 | p1 | smart_pointer.cpp:134:8:134:9 | p1 | |
| smart_pointer.cpp:132:95:132:96 | p2 | smart_pointer.cpp:132:95:132:96 | p2 | |
| smart_pointer.cpp:132:95:132:96 | p2 | smart_pointer.cpp:136:18:136:19 | p2 | |
| smart_pointer.cpp:132:95:132:96 | p2 | smart_pointer.cpp:137:10:137:11 | p2 | |
| smart_pointer.cpp:133:23:133:24 | p1 | smart_pointer.cpp:133:25:133:25 | call to operator-> | |
| smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 | |
| smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:134:8:134:9 | p1 | |
| smart_pointer.cpp:133:25:133:25 | call to operator-> [post update] | smart_pointer.cpp:133:23:133:24 | ref arg p1 | TAINT |
| smart_pointer.cpp:134:8:134:9 | p1 | smart_pointer.cpp:134:10:134:10 | call to operator-> | |
| smart_pointer.cpp:134:8:134:9 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 | |
| smart_pointer.cpp:134:10:134:10 | call to operator-> [post update] | smart_pointer.cpp:134:8:134:9 | ref arg p1 | TAINT |
| smart_pointer.cpp:134:12:134:12 | q | smart_pointer.cpp:134:13:134:13 | call to operator-> | |
| smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 | |
| smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:136:18:136:19 | p2 [inner post update] | |
| smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:136:18:136:19 | ref arg p2 | TAINT |
| smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | p2 | |
| smart_pointer.cpp:136:18:136:19 | p2 | smart_pointer.cpp:136:17:136:17 | call to operator* | TAINT |
| smart_pointer.cpp:136:18:136:19 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 | |
| smart_pointer.cpp:136:18:136:19 | ref arg p2 | smart_pointer.cpp:136:18:136:19 | p2 [inner post update] | |
| smart_pointer.cpp:136:18:136:19 | ref arg p2 | smart_pointer.cpp:137:10:137:11 | p2 | |
| smart_pointer.cpp:137:9:137:9 | call to operator* | smart_pointer.cpp:137:8:137:8 | call to operator* | TAINT |
| smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 | |
| smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] | |
| smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | ref arg p2 | TAINT |
| smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:8:137:8 | call to operator* | |
| smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:9:137:9 | call to operator* | TAINT |
| smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 | |
| smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] | |
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 | |
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 | |
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 | |
@@ -3360,13 +3543,13 @@
| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:120:2:120:3 | it | |
| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:121:7:121:8 | it | |
| standalone_iterators.cpp:117:7:117:8 | it [post update] | standalone_iterators.cpp:122:7:122:8 | c1 | |
| standalone_iterators.cpp:118:2:118:3 | it | standalone_iterators.cpp:118:5:118:5 | call to operator+= | |
| standalone_iterators.cpp:118:2:118:3 | it | standalone_iterators.cpp:118:5:118:5 | call to operator+= | TAINT |
| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:119:7:119:8 | it | |
| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:120:2:120:3 | it | |
| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it | |
| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:122:7:122:8 | c1 | |
| standalone_iterators.cpp:118:8:118:8 | 1 | standalone_iterators.cpp:118:2:118:3 | ref arg it | TAINT |
| standalone_iterators.cpp:120:2:120:3 | it | standalone_iterators.cpp:120:5:120:5 | call to operator+= | |
| standalone_iterators.cpp:120:2:120:3 | it | standalone_iterators.cpp:120:5:120:5 | call to operator+= | TAINT |
| standalone_iterators.cpp:120:2:120:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it | |
| standalone_iterators.cpp:120:8:120:13 | call to source | standalone_iterators.cpp:120:2:120:3 | ref arg it | TAINT |
| stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
@@ -3388,125 +3571,125 @@
| stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
| stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
| stl.h:292:53:292:63 | 0 | stl.h:292:46:292:64 | (no string representation) | TAINT |
| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field first | TAINT |
| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field first | TAINT |
| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field first | TAINT |
| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field first | TAINT |
| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field first | TAINT |
| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field second | TAINT |
| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field second | TAINT |
| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field second | TAINT |
| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field second | TAINT |
| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field second | TAINT |
| stl.h:388:9:388:9 | constructor init of field first [post-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] | |
| stl.h:388:9:388:9 | constructor init of field first [post-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] | |
| stl.h:388:9:388:9 | constructor init of field first [post-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] | |
| stl.h:388:9:388:9 | constructor init of field first [post-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] | |
| stl.h:388:9:388:9 | constructor init of field first [post-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] | |
| stl.h:388:9:388:9 | constructor init of field first [pre-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] | |
| stl.h:388:9:388:9 | constructor init of field first [pre-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] | |
| stl.h:388:9:388:9 | constructor init of field first [pre-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] | |
| stl.h:388:9:388:9 | constructor init of field first [pre-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] | |
| stl.h:388:9:388:9 | constructor init of field first [pre-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] | |
| stl.h:388:9:388:9 | this | stl.h:388:9:388:9 | constructor init of field first [pre-this] | |
| stl.h:388:9:388:9 | this | stl.h:388:9:388:9 | constructor init of field first [pre-this] | |
| stl.h:388:9:388:9 | this | stl.h:388:9:388:9 | constructor init of field first [pre-this] | |
| stl.h:388:9:388:9 | this | stl.h:388:9:388:9 | constructor init of field first [pre-this] | |
| stl.h:388:9:388:9 | this | stl.h:388:9:388:9 | constructor init of field first [pre-this] | |
| stl.h:395:3:395:3 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] | |
| stl.h:395:3:395:3 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] | |
| stl.h:395:3:395:3 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] | |
| stl.h:395:3:395:3 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] | |
| stl.h:395:3:395:3 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] | |
| stl.h:395:3:395:6 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] | |
| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x | |
| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x | |
| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x | |
| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x | |
| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x | |
| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x | |
| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y | |
| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y | |
| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y | |
| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y | |
| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y | |
| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y | |
| stl.h:395:36:395:43 | call to unknown function | stl.h:395:36:395:43 | constructor init of field first | TAINT |
| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] | |
| stl.h:395:42:395:42 | x | stl.h:395:36:395:43 | constructor init of field first | TAINT |
| stl.h:395:42:395:42 | x | stl.h:395:36:395:43 | constructor init of field first | TAINT |
| stl.h:395:42:395:42 | x | stl.h:395:36:395:43 | constructor init of field first | TAINT |
| stl.h:395:42:395:42 | x | stl.h:395:36:395:43 | constructor init of field first | TAINT |
| stl.h:395:42:395:42 | x | stl.h:395:36:395:43 | constructor init of field first | TAINT |
| stl.h:395:46:395:54 | call to unknown function | stl.h:395:46:395:54 | constructor init of field second | TAINT |
| stl.h:395:53:395:53 | y | stl.h:395:46:395:54 | constructor init of field second | TAINT |
| stl.h:395:53:395:53 | y | stl.h:395:46:395:54 | constructor init of field second | TAINT |
| stl.h:395:53:395:53 | y | stl.h:395:46:395:54 | constructor init of field second | TAINT |
| stl.h:395:53:395:53 | y | stl.h:395:46:395:54 | constructor init of field second | TAINT |
| stl.h:395:53:395:53 | y | stl.h:395:46:395:54 | constructor init of field second | TAINT |
| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x | |
| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x | |
| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x | |
| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x | |
| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x | |
| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x | |
| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x | |
| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x | |
| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x | |
| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x | |
| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x | |
| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x | |
| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x | |
| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x | |
| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y | |
| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y | |
| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y | |
| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y | |
| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y | |
| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y | |
| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y | |
| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y | |
| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y | |
| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y | |
| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y | |
| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y | |
| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y | |
| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y | |
| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward | |
| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward | |
| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward | |
| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward | |
| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward | |
| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward | |
| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward | |
| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward | |
| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward | |
| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward | |
| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward | |
| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward | |
| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] | |
| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] | |
| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] | |
| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] | |
| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] | |
| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] | |
| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] | |
| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] | |
| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] | |
| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] | |
| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] | |
| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] | |
| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] | |
| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] | |
| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] | |
| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] | |
| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] | |
| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] | |
| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] | |
| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] | |
| stl.h:396:3:396:6 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] | |
| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x | |
| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x | |
| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x | |
| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x | |
| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x | |
| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x | |
| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y | |
| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y | |
| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y | |
| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y | |
| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y | |
| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y | |
| stl.h:396:36:396:43 | call to unknown function | stl.h:396:36:396:43 | constructor init of field first | TAINT |
| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] | |
| stl.h:396:42:396:42 | x | stl.h:396:36:396:43 | constructor init of field first | TAINT |
| stl.h:396:42:396:42 | x | stl.h:396:36:396:43 | constructor init of field first | TAINT |
| stl.h:396:42:396:42 | x | stl.h:396:36:396:43 | constructor init of field first | TAINT |
| stl.h:396:42:396:42 | x | stl.h:396:36:396:43 | constructor init of field first | TAINT |
| stl.h:396:42:396:42 | x | stl.h:396:36:396:43 | constructor init of field first | TAINT |
| stl.h:396:46:396:54 | call to unknown function | stl.h:396:46:396:54 | constructor init of field second | TAINT |
| stl.h:396:53:396:53 | y | stl.h:396:46:396:54 | constructor init of field second | TAINT |
| stl.h:396:53:396:53 | y | stl.h:396:46:396:54 | constructor init of field second | TAINT |
| stl.h:396:53:396:53 | y | stl.h:396:46:396:54 | constructor init of field second | TAINT |
| stl.h:396:53:396:53 | y | stl.h:396:46:396:54 | constructor init of field second | TAINT |
| stl.h:396:53:396:53 | y | stl.h:396:46:396:54 | constructor init of field second | TAINT |
| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x | |
| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x | |
| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x | |
| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x | |
| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x | |
| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x | |
| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x | |
| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x | |
| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x | |
| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x | |
| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x | |
| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x | |
| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x | |
| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x | |
| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y | |
| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y | |
| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y | |
| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y | |
| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y | |
| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y | |
| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y | |
| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y | |
| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y | |
| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y | |
| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y | |
| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y | |
| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y | |
| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y | |
| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
| string.cpp:25:12:25:17 | call to source | string.cpp:29:7:29:7 | a | |
| string.cpp:26:16:26:20 | 123 | string.cpp:26:16:26:21 | call to basic_string | TAINT |
| string.cpp:26:16:26:21 | call to basic_string | string.cpp:30:7:30:7 | b | |
@@ -4059,13 +4242,13 @@
| string.cpp:407:9:407:10 | i6 | string.cpp:407:8:407:8 | call to operator* | TAINT |
| string.cpp:408:8:408:9 | i2 | string.cpp:408:3:408:9 | ... = ... | |
| string.cpp:408:8:408:9 | i2 | string.cpp:409:10:409:11 | i7 | |
| string.cpp:409:10:409:11 | i7 | string.cpp:409:12:409:12 | call to operator+= | |
| string.cpp:409:10:409:11 | i7 | string.cpp:409:12:409:12 | call to operator+= | TAINT |
| string.cpp:409:12:409:12 | call to operator+= | string.cpp:409:8:409:8 | call to operator* | TAINT |
| string.cpp:409:12:409:12 | ref arg call to operator+= | string.cpp:409:10:409:11 | ref arg i7 | TAINT |
| string.cpp:409:14:409:14 | 1 | string.cpp:409:10:409:11 | ref arg i7 | TAINT |
| string.cpp:410:8:410:9 | i2 | string.cpp:410:3:410:9 | ... = ... | |
| string.cpp:410:8:410:9 | i2 | string.cpp:411:10:411:11 | i8 | |
| string.cpp:411:10:411:11 | i8 | string.cpp:411:12:411:12 | call to operator-= | |
| string.cpp:411:10:411:11 | i8 | string.cpp:411:12:411:12 | call to operator-= | TAINT |
| string.cpp:411:12:411:12 | call to operator-= | string.cpp:411:8:411:8 | call to operator* | TAINT |
| string.cpp:411:12:411:12 | ref arg call to operator-= | string.cpp:411:10:411:11 | ref arg i8 | TAINT |
| string.cpp:411:14:411:14 | 1 | string.cpp:411:10:411:11 | ref arg i8 | TAINT |
@@ -4480,7 +4663,7 @@
| stringstream.cpp:33:7:33:9 | ref arg ss3 | stringstream.cpp:39:7:39:9 | ss3 | |
| stringstream.cpp:33:7:33:9 | ref arg ss3 | stringstream.cpp:44:7:44:9 | ss3 | |
| stringstream.cpp:33:7:33:9 | ss3 | stringstream.cpp:33:11:33:11 | call to operator<< | |
| stringstream.cpp:33:11:33:11 | call to operator<< | stringstream.cpp:33:20:33:20 | call to operator<< | |
| stringstream.cpp:33:11:33:11 | call to operator<< | stringstream.cpp:33:20:33:20 | call to operator<< | TAINT |
| stringstream.cpp:33:11:33:11 | ref arg call to operator<< | stringstream.cpp:33:7:33:9 | ref arg ss3 | TAINT |
| stringstream.cpp:33:14:33:18 | 123 | stringstream.cpp:33:7:33:9 | ref arg ss3 | TAINT |
| stringstream.cpp:33:14:33:18 | 123 | stringstream.cpp:33:11:33:11 | call to operator<< | TAINT |
@@ -4489,7 +4672,7 @@
| stringstream.cpp:34:7:34:9 | ref arg ss4 | stringstream.cpp:40:7:40:9 | ss4 | |
| stringstream.cpp:34:7:34:9 | ref arg ss4 | stringstream.cpp:45:7:45:9 | ss4 | |
| stringstream.cpp:34:7:34:9 | ss4 | stringstream.cpp:34:11:34:11 | call to operator<< | |
| stringstream.cpp:34:11:34:11 | call to operator<< | stringstream.cpp:34:23:34:23 | call to operator<< | |
| stringstream.cpp:34:11:34:11 | call to operator<< | stringstream.cpp:34:23:34:23 | call to operator<< | TAINT |
| stringstream.cpp:34:11:34:11 | ref arg call to operator<< | stringstream.cpp:34:7:34:9 | ref arg ss4 | TAINT |
| stringstream.cpp:34:14:34:19 | call to source | stringstream.cpp:34:7:34:9 | ref arg ss4 | TAINT |
| stringstream.cpp:34:14:34:19 | call to source | stringstream.cpp:34:11:34:11 | call to operator<< | TAINT |
@@ -4770,7 +4953,7 @@
| stringstream.cpp:147:7:147:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 | |
| stringstream.cpp:147:7:147:9 | ss2 | stringstream.cpp:147:11:147:11 | call to operator>> | |
| stringstream.cpp:147:7:147:9 | ss2 | stringstream.cpp:147:14:147:15 | ref arg s3 | TAINT |
| stringstream.cpp:147:11:147:11 | call to operator>> | stringstream.cpp:147:17:147:17 | call to operator>> | |
| stringstream.cpp:147:11:147:11 | call to operator>> | stringstream.cpp:147:17:147:17 | call to operator>> | TAINT |
| stringstream.cpp:147:11:147:11 | call to operator>> | stringstream.cpp:147:20:147:21 | ref arg s4 | TAINT |
| stringstream.cpp:147:11:147:11 | ref arg call to operator>> | stringstream.cpp:147:7:147:9 | ref arg ss2 | TAINT |
| stringstream.cpp:147:14:147:15 | ref arg s3 | stringstream.cpp:150:7:150:8 | s3 | |
@@ -4802,7 +4985,7 @@
| stringstream.cpp:155:7:155:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 | |
| stringstream.cpp:155:7:155:9 | ss2 | stringstream.cpp:155:11:155:11 | call to operator>> | |
| stringstream.cpp:155:7:155:9 | ss2 | stringstream.cpp:155:14:155:15 | ref arg b3 | TAINT |
| stringstream.cpp:155:11:155:11 | call to operator>> | stringstream.cpp:155:17:155:17 | call to operator>> | |
| stringstream.cpp:155:11:155:11 | call to operator>> | stringstream.cpp:155:17:155:17 | call to operator>> | TAINT |
| stringstream.cpp:155:11:155:11 | call to operator>> | stringstream.cpp:155:20:155:21 | ref arg b4 | TAINT |
| stringstream.cpp:155:11:155:11 | ref arg call to operator>> | stringstream.cpp:155:7:155:9 | ref arg ss2 | TAINT |
| stringstream.cpp:155:14:155:15 | ref arg b3 | stringstream.cpp:158:7:158:8 | b3 | |
@@ -5124,7 +5307,7 @@
| stringstream.cpp:245:15:245:17 | ss1 | stringstream.cpp:245:7:245:13 | call to getline | |
| stringstream.cpp:245:15:245:17 | ss1 | stringstream.cpp:245:20:245:21 | ref arg s6 | TAINT |
| stringstream.cpp:245:20:245:21 | ref arg s6 | stringstream.cpp:248:7:248:8 | s6 | |
| stringstream.cpp:250:15:250:21 | call to getline | stringstream.cpp:250:7:250:13 | call to getline | |
| stringstream.cpp:250:15:250:21 | call to getline | stringstream.cpp:250:7:250:13 | call to getline | TAINT |
| stringstream.cpp:250:15:250:21 | call to getline | stringstream.cpp:250:33:250:34 | ref arg s8 | TAINT |
| stringstream.cpp:250:15:250:21 | ref arg call to getline | stringstream.cpp:250:23:250:25 | ref arg ss2 | TAINT |
| stringstream.cpp:250:23:250:25 | ss2 | stringstream.cpp:250:15:250:21 | call to getline | |
@@ -5328,7 +5511,7 @@
| swap1.cpp:100:9:100:17 | ref arg call to move | swap1.cpp:103:10:103:10 | x | |
| swap1.cpp:100:19:100:19 | x | swap1.cpp:100:5:100:5 | ref arg y | TAINT |
| swap1.cpp:100:19:100:19 | x | swap1.cpp:100:7:100:7 | call to operator= | TAINT |
| swap1.cpp:100:19:100:19 | x | swap1.cpp:100:9:100:17 | call to move | |
| swap1.cpp:100:19:100:19 | x | swap1.cpp:100:9:100:17 | call to move | TAINT |
| swap1.cpp:108:23:108:31 | move_from | swap1.cpp:109:5:109:13 | move_from | |
| swap1.cpp:108:23:108:31 | move_from | swap1.cpp:111:10:111:18 | move_from | |
| swap1.cpp:108:23:108:31 | move_from | swap1.cpp:113:41:113:49 | move_from | |
@@ -5341,7 +5524,7 @@
| swap1.cpp:113:31:113:39 | call to move | swap1.cpp:113:31:113:51 | call to Class | TAINT |
| swap1.cpp:113:31:113:39 | ref arg call to move | swap1.cpp:113:41:113:49 | move_from [inner post update] | |
| swap1.cpp:113:31:113:51 | call to Class | swap1.cpp:115:10:115:16 | move_to | |
| swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:39 | call to move | |
| swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:39 | call to move | TAINT |
| swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:51 | call to Class | |
| swap1.cpp:120:23:120:23 | x | swap1.cpp:122:5:122:5 | x | |
| swap1.cpp:120:23:120:23 | x | swap1.cpp:124:10:124:10 | x | |
@@ -5375,7 +5558,7 @@
| swap1.cpp:142:5:142:5 | ref arg y | swap1.cpp:144:10:144:10 | y | |
| swap1.cpp:142:19:142:27 | ref arg call to move | swap1.cpp:142:29:142:29 | x [inner post update] | |
| swap1.cpp:142:19:142:27 | ref arg call to move | swap1.cpp:145:10:145:10 | x | |
| swap1.cpp:142:29:142:29 | x | swap1.cpp:142:19:142:27 | call to move | |
| swap1.cpp:142:29:142:29 | x | swap1.cpp:142:19:142:27 | call to move | TAINT |
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t | |
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t | |
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:56:14:56 | t | |
@@ -5507,7 +5690,7 @@
| swap2.cpp:100:9:100:17 | ref arg call to move | swap2.cpp:103:10:103:10 | x | |
| swap2.cpp:100:19:100:19 | x | swap2.cpp:100:5:100:5 | ref arg y | TAINT |
| swap2.cpp:100:19:100:19 | x | swap2.cpp:100:7:100:7 | call to operator= | TAINT |
| swap2.cpp:100:19:100:19 | x | swap2.cpp:100:9:100:17 | call to move | |
| swap2.cpp:100:19:100:19 | x | swap2.cpp:100:9:100:17 | call to move | TAINT |
| swap2.cpp:108:23:108:31 | move_from | swap2.cpp:109:5:109:13 | move_from | |
| swap2.cpp:108:23:108:31 | move_from | swap2.cpp:111:10:111:18 | move_from | |
| swap2.cpp:108:23:108:31 | move_from | swap2.cpp:113:41:113:49 | move_from | |
@@ -5520,7 +5703,7 @@
| swap2.cpp:113:31:113:39 | call to move | swap2.cpp:113:31:113:51 | call to Class | TAINT |
| swap2.cpp:113:31:113:39 | ref arg call to move | swap2.cpp:113:41:113:49 | move_from [inner post update] | |
| swap2.cpp:113:31:113:51 | call to Class | swap2.cpp:115:10:115:16 | move_to | |
| swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:39 | call to move | |
| swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:39 | call to move | TAINT |
| swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:51 | call to Class | |
| swap2.cpp:120:23:120:23 | x | swap2.cpp:122:5:122:5 | x | |
| swap2.cpp:120:23:120:23 | x | swap2.cpp:124:10:124:10 | x | |
@@ -5554,7 +5737,7 @@
| swap2.cpp:142:5:142:5 | ref arg y | swap2.cpp:144:10:144:10 | y | |
| swap2.cpp:142:19:142:27 | ref arg call to move | swap2.cpp:142:29:142:29 | x [inner post update] | |
| swap2.cpp:142:19:142:27 | ref arg call to move | swap2.cpp:145:10:145:10 | x | |
| swap2.cpp:142:29:142:29 | x | swap2.cpp:142:19:142:27 | call to move | |
| swap2.cpp:142:29:142:29 | x | swap2.cpp:142:19:142:27 | call to move | TAINT |
| taint.cpp:4:27:4:33 | source1 | taint.cpp:6:13:6:19 | source1 | |
| taint.cpp:4:40:4:45 | clean1 | taint.cpp:5:8:5:13 | clean1 | |
| taint.cpp:4:40:4:45 | clean1 | taint.cpp:6:3:6:8 | clean1 | |
@@ -7778,7 +7961,7 @@
| vector.cpp:527:9:527:10 | ref arg it | vector.cpp:529:9:529:10 | it | |
| vector.cpp:527:9:527:10 | ref arg it | vector.cpp:530:3:530:4 | it | |
| vector.cpp:527:9:527:10 | ref arg it | vector.cpp:531:9:531:10 | it | |
| vector.cpp:528:3:528:4 | it | vector.cpp:528:6:528:6 | call to operator+= | |
| vector.cpp:528:3:528:4 | it | vector.cpp:528:6:528:6 | call to operator+= | TAINT |
| vector.cpp:528:3:528:4 | ref arg it | vector.cpp:529:9:529:10 | it | |
| vector.cpp:528:3:528:4 | ref arg it | vector.cpp:530:3:530:4 | it | |
| vector.cpp:528:3:528:4 | ref arg it | vector.cpp:531:9:531:10 | it | |
@@ -7786,7 +7969,7 @@
| vector.cpp:529:9:529:10 | it | vector.cpp:529:8:529:8 | call to operator* | TAINT |
| vector.cpp:529:9:529:10 | ref arg it | vector.cpp:530:3:530:4 | it | |
| vector.cpp:529:9:529:10 | ref arg it | vector.cpp:531:9:531:10 | it | |
| vector.cpp:530:3:530:4 | it | vector.cpp:530:6:530:6 | call to operator+= | |
| vector.cpp:530:3:530:4 | it | vector.cpp:530:6:530:6 | call to operator+= | TAINT |
| vector.cpp:530:3:530:4 | ref arg it | vector.cpp:531:9:531:10 | it | |
| vector.cpp:530:9:530:14 | call to source | vector.cpp:530:3:530:4 | ref arg it | TAINT |
| vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |

82
cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
View File

@@ -9,7 +9,7 @@ template<typename T> void sink(std::unique_ptr<T>&);
void test_make_shared() {
std::shared_ptr<int> p = std::make_shared<int>(source());
sink(*p); // $ ast MISSING: ir
sink(*p); // $ ast,ir
sink(p); // $ ast,ir
}
@@ -21,7 +21,7 @@ void test_make_shared_array() {
void test_make_unique() {
std::unique_ptr<int> p = std::make_unique<int>(source());
sink(*p); // $ ast MISSING: ir
sink(*p); // $ ast,ir
sink(p); // $ ast,ir
}
@@ -35,16 +35,16 @@ void test_reverse_taint_shared() {
std::shared_ptr<int> p = std::make_shared<int>();
*p = source();
sink(p); // $ MISSING: ast,ir
sink(*p); // $ MISSING: ast,ir
sink(p); // $ ast MISSING: ir
sink(*p); // $ ast MISSING: ir
}
void test_reverse_taint_unique() {
std::unique_ptr<int> p = std::unique_ptr<int>();
*p = source();
sink(p); // $ MISSING: ast,ir
sink(*p); // $ MISSING: ast,ir
sink(p); // $ ast MISSING: ir
sink(*p); // $ ast MISSING: ir
}
void test_shared_get() {
@@ -65,4 +65,74 @@ void test_shared_field_member() {
std::unique_ptr<A> p = std::make_unique<A>(source(), 0);
sink(p->x); // $ MISSING: ast,ir
sink(p->y); // not tainted
}
void getNumber(std::shared_ptr<int> ptr) {
*ptr = source();
}
int test_from_issue_5190() {
std::shared_ptr<int> p(new int);
getNumber(p);
sink(*p); // $ ast MISSING: ir
}
struct B {
A a1;
A a2;
int z;
};
void test_operator_arrow(std::unique_ptr<A> p, std::unique_ptr<B> q) {
p->x = source();
sink(p->x); // $ ast MISSING: ir
sink(p->y);
q->a1.x = source();
sink(q->a1.x); // $ ast MISSING: ir
sink(q->a1.y);
sink(q->a2.x);
}
void taint_x(A* pa) {
pa->x = source();
}
void reverse_taint_smart_pointer() {
std::unique_ptr<A> p = std::unique_ptr<A>(new A);
taint_x(p.get());
sink(p->x); // $ ast,ir
}
struct C {
int z;
std::shared_ptr<A> q;
};
void taint_x_shared(std::shared_ptr<A> ptr) {
ptr->x = source();
}
void taint_x_shared_cref(const std::shared_ptr<A>& ptr) {
ptr->x = source();
}
void getNumberCRef(const std::shared_ptr<int>& ptr) {
*ptr = source();
}
int nested_shared_ptr_taint(std::shared_ptr<C> p1, std::unique_ptr<std::shared_ptr<int>> p2) {
taint_x_shared(p1->q);
sink(p1->q->x); // $ ast MISSING: ir
getNumber(*p2);
sink(**p2); // $ ast MISSING: ir
}
int nested_shared_ptr_taint_cref(std::shared_ptr<C> p1, std::unique_ptr<std::shared_ptr<int>> p2) {
taint_x_shared_cref(p1->q);
sink(p1->q->x); // $ ast MISSING: ir
getNumberCRef(*p2);
sink(**p2); // $ ast MISSING: ir
}

1
cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
View File

@@ -349,6 +349,7 @@ namespace std {
public:
shared_ptr() noexcept;
explicit shared_ptr(T*);
shared_ptr(const shared_ptr&) noexcept;
template<class U> shared_ptr(const shared_ptr<U>&) noexcept;
template<class U> shared_ptr(shared_ptr<U>&&) noexcept;

337
cpp/ql/test/library-tests/ir/ir/raw_ir.expected
View File

@@ -42,7 +42,7 @@ bad_asts.cpp:
# 16| r16_3(int) = Constant[1] :
# 16| r16_4(int) = Call[MemberFunction] : func:r16_2, this:r16_1, 0:r16_3
# 16| mu16_5(unknown) = ^CallSideEffect : ~m?
# 16| v16_6(void) = ^BufferReadSideEffect[-1] : &:r16_1, ~m?
# 16| v16_6(void) = ^IndirectReadSideEffect[-1] : &:r16_1, ~m?
# 16| mu16_7(S) = ^IndirectMayWriteSideEffect[-1] : &:r16_1
# 17| v17_1(void) = NoOp :
# 14| v14_4(void) = ReturnVoid :
@@ -3385,47 +3385,46 @@ ir.cpp:
# 622| void CallMethods(String&, String*, String)
# 622| Block 0
# 622| v622_1(void) = EnterFunction :
# 622| mu622_2(unknown) = AliasedDefinition :
# 622| mu622_3(unknown) = InitializeNonLocal :
# 622| r622_4(glval<String &>) = VariableAddress[r] :
# 622| mu622_5(String &) = InitializeParameter[r] : &:r622_4
# 622| r622_6(String &) = Load[r] : &:r622_4, ~m?
# 622| mu622_7(unknown) = InitializeIndirection[r] : &:r622_6
# 622| r622_8(glval<String *>) = VariableAddress[p] :
# 622| mu622_9(String *) = InitializeParameter[p] : &:r622_8
# 622| r622_10(String *) = Load[p] : &:r622_8, ~m?
# 622| mu622_11(unknown) = InitializeIndirection[p] : &:r622_10
# 622| r622_12(glval<String>) = VariableAddress[s] :
# 622| mu622_13(String) = InitializeParameter[s] : &:r622_12
# 623| r623_1(glval<String &>) = VariableAddress[r] :
# 623| r623_2(String &) = Load[r] : &:r623_1, ~m?
# 623| r623_3(glval<String>) = CopyValue : r623_2
# 623| r623_4(glval<String>) = Convert : r623_3
# 623| r623_5(glval<unknown>) = FunctionAddress[c_str] :
# 623| r623_6(char *) = Call[c_str] : func:r623_5, this:r623_4
# 623| mu623_7(unknown) = ^CallSideEffect : ~m?
# 623| v623_8(void) = ^BufferReadSideEffect[-1] : &:r623_4, ~m?
# 624| r624_1(glval<String *>) = VariableAddress[p] :
# 624| r624_2(String *) = Load[p] : &:r624_1, ~m?
# 624| r624_3(String *) = Convert : r624_2
# 624| r624_4(glval<unknown>) = FunctionAddress[c_str] :
# 624| r624_5(char *) = Call[c_str] : func:r624_4, this:r624_3
# 624| mu624_6(unknown) = ^CallSideEffect : ~m?
# 624| v624_7(void) = ^BufferReadSideEffect[-1] : &:r624_3, ~m?
# 624| mu624_8(String) = ^IndirectMayWriteSideEffect[-1] : &:r624_3
# 625| r625_1(glval<String>) = VariableAddress[s] :
# 625| r625_2(glval<String>) = Convert : r625_1
# 625| r625_3(glval<unknown>) = FunctionAddress[c_str] :
# 625| r625_4(char *) = Call[c_str] : func:r625_3, this:r625_2
# 625| mu625_5(unknown) = ^CallSideEffect : ~m?
# 625| v625_6(void) = ^BufferReadSideEffect[-1] : &:r625_2, ~m?
# 626| v626_1(void) = NoOp :
# 622| v622_14(void) = ReturnIndirection[r] : &:r622_6, ~m?
# 622| v622_15(void) = ReturnIndirection[p] : &:r622_10, ~m?
# 622| v622_16(void) = ReturnVoid :
# 622| v622_17(void) = AliasedUse : ~m?
# 622| v622_18(void) = ExitFunction :
# 622| v622_1(void) = EnterFunction :
# 622| mu622_2(unknown) = AliasedDefinition :
# 622| mu622_3(unknown) = InitializeNonLocal :
# 622| r622_4(glval<String &>) = VariableAddress[r] :
# 622| mu622_5(String &) = InitializeParameter[r] : &:r622_4
# 622| r622_6(String &) = Load[r] : &:r622_4, ~m?
# 622| mu622_7(unknown) = InitializeIndirection[r] : &:r622_6
# 622| r622_8(glval<String *>) = VariableAddress[p] :
# 622| mu622_9(String *) = InitializeParameter[p] : &:r622_8
# 622| r622_10(String *) = Load[p] : &:r622_8, ~m?
# 622| mu622_11(unknown) = InitializeIndirection[p] : &:r622_10
# 622| r622_12(glval<String>) = VariableAddress[s] :
# 622| mu622_13(String) = InitializeParameter[s] : &:r622_12
# 623| r623_1(glval<String &>) = VariableAddress[r] :
# 623| r623_2(String &) = Load[r] : &:r623_1, ~m?
# 623| r623_3(glval<String>) = CopyValue : r623_2
# 623| r623_4(glval<String>) = Convert : r623_3
# 623| r623_5(glval<unknown>) = FunctionAddress[c_str] :
# 623| r623_6(char *) = Call[c_str] : func:r623_5, this:r623_4
# 623| mu623_7(unknown) = ^CallSideEffect : ~m?
# 623| v623_8(void) = ^IndirectReadSideEffect[-1] : &:r623_4, ~m?
# 624| r624_1(glval<String *>) = VariableAddress[p] :
# 624| r624_2(String *) = Load[p] : &:r624_1, ~m?
# 624| r624_3(String *) = Convert : r624_2
# 624| r624_4(glval<unknown>) = FunctionAddress[c_str] :
# 624| r624_5(char *) = Call[c_str] : func:r624_4, this:r624_3
# 624| mu624_6(unknown) = ^CallSideEffect : ~m?
# 624| v624_7(void) = ^IndirectReadSideEffect[-1] : &:r624_3, ~m?
# 625| r625_1(glval<String>) = VariableAddress[s] :
# 625| r625_2(glval<String>) = Convert : r625_1
# 625| r625_3(glval<unknown>) = FunctionAddress[c_str] :
# 625| r625_4(char *) = Call[c_str] : func:r625_3, this:r625_2
# 625| mu625_5(unknown) = ^CallSideEffect : ~m?
# 625| v625_6(void) = ^IndirectReadSideEffect[-1] : &:r625_2, ~m?
# 626| v626_1(void) = NoOp :
# 622| v622_14(void) = ReturnIndirection[r] : &:r622_6, ~m?
# 622| v622_15(void) = ReturnIndirection[p] : &:r622_10, ~m?
# 622| v622_16(void) = ReturnVoid :
# 622| v622_17(void) = AliasedUse : ~m?
# 622| v622_18(void) = ExitFunction :
# 628| void C::~C()
# 628| Block 0
@@ -3575,7 +3574,7 @@ ir.cpp:
# 653| r653_4(int) = Constant[0] :
# 653| r653_5(int) = Call[InstanceMemberFunction] : func:r653_3, this:r653_2, 0:r653_4
# 653| mu653_6(unknown) = ^CallSideEffect : ~m?
# 653| v653_7(void) = ^BufferReadSideEffect[-1] : &:r653_2, ~m?
# 653| v653_7(void) = ^IndirectReadSideEffect[-1] : &:r653_2, ~m?
# 653| mu653_8(C) = ^IndirectMayWriteSideEffect[-1] : &:r653_2
# 654| r654_1(glval<unknown>) = VariableAddress[#this] :
# 654| r654_2(C *) = Load[#this] : &:r654_1, ~m?
@@ -3584,7 +3583,7 @@ ir.cpp:
# 654| r654_5(int) = Constant[1] :
# 654| r654_6(int) = Call[InstanceMemberFunction] : func:r654_4, this:r654_3, 0:r654_5
# 654| mu654_7(unknown) = ^CallSideEffect : ~m?
# 654| v654_8(void) = ^BufferReadSideEffect[-1] : &:r654_3, ~m?
# 654| v654_8(void) = ^IndirectReadSideEffect[-1] : &:r654_3, ~m?
# 654| mu654_9(C) = ^IndirectMayWriteSideEffect[-1] : &:r654_3
# 655| r655_1(glval<unknown>) = VariableAddress[#this] :
# 655| r655_2(C *) = Load[#this] : &:r655_1, ~m?
@@ -3592,7 +3591,7 @@ ir.cpp:
# 655| r655_4(int) = Constant[2] :
# 655| r655_5(int) = Call[InstanceMemberFunction] : func:r655_3, this:r655_2, 0:r655_4
# 655| mu655_6(unknown) = ^CallSideEffect : ~m?
# 655| v655_7(void) = ^BufferReadSideEffect[-1] : &:r655_2, ~m?
# 655| v655_7(void) = ^IndirectReadSideEffect[-1] : &:r655_2, ~m?
# 655| mu655_8(C) = ^IndirectMayWriteSideEffect[-1] : &:r655_2
# 656| v656_1(void) = NoOp :
# 652| v652_8(void) = ReturnIndirection[#this] : &:r652_6, ~m?
@@ -4006,7 +4005,7 @@ ir.cpp:
#-----| r0_6(String &) = CopyValue : r745_15
# 745| r745_16(String &) = Call[operator=] : func:r745_12, this:r745_11, 0:r0_6
# 745| mu745_17(unknown) = ^CallSideEffect : ~m?
# 745| v745_18(void) = ^BufferReadSideEffect[-1] : &:r745_11, ~m?
# 745| v745_18(void) = ^IndirectReadSideEffect[-1] : &:r745_11, ~m?
#-----| v0_7(void) = ^BufferReadSideEffect[0] : &:r0_6, ~m?
# 745| mu745_19(String) = ^IndirectMayWriteSideEffect[-1] : &:r745_11
#-----| r0_8(glval<String>) = CopyValue : r745_16
@@ -4113,7 +4112,7 @@ ir.cpp:
#-----| r0_8(Base &) = CopyValue : r754_14
# 754| r754_15(Base &) = Call[operator=] : func:r754_10, this:r0_5, 0:r0_8
# 754| mu754_16(unknown) = ^CallSideEffect : ~m?
#-----| v0_9(void) = ^BufferReadSideEffect[-1] : &:r0_5, ~m?
#-----| v0_9(void) = ^IndirectReadSideEffect[-1] : &:r0_5, ~m?
#-----| v0_10(void) = ^BufferReadSideEffect[0] : &:r0_8, ~m?
#-----| mu0_11(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_5
#-----| r0_12(glval<Base>) = CopyValue : r754_15
@@ -4129,7 +4128,7 @@ ir.cpp:
#-----| r0_14(String &) = CopyValue : r754_24
# 754| r754_25(String &) = Call[operator=] : func:r754_21, this:r754_20, 0:r0_14
# 754| mu754_26(unknown) = ^CallSideEffect : ~m?
# 754| v754_27(void) = ^BufferReadSideEffect[-1] : &:r754_20, ~m?
# 754| v754_27(void) = ^IndirectReadSideEffect[-1] : &:r754_20, ~m?
#-----| v0_15(void) = ^BufferReadSideEffect[0] : &:r0_14, ~m?
# 754| mu754_28(String) = ^IndirectMayWriteSideEffect[-1] : &:r754_20
#-----| r0_16(glval<String>) = CopyValue : r754_25
@@ -4220,7 +4219,7 @@ ir.cpp:
#-----| r0_8(Middle &) = CopyValue : r763_14
# 763| r763_15(Middle &) = Call[operator=] : func:r763_10, this:r0_5, 0:r0_8
# 763| mu763_16(unknown) = ^CallSideEffect : ~m?
#-----| v0_9(void) = ^BufferReadSideEffect[-1] : &:r0_5, ~m?
#-----| v0_9(void) = ^IndirectReadSideEffect[-1] : &:r0_5, ~m?
#-----| v0_10(void) = ^BufferReadSideEffect[0] : &:r0_8, ~m?
#-----| mu0_11(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r0_5
#-----| r0_12(glval<Middle>) = CopyValue : r763_15
@@ -4236,7 +4235,7 @@ ir.cpp:
#-----| r0_14(String &) = CopyValue : r763_24
# 763| r763_25(String &) = Call[operator=] : func:r763_21, this:r763_20, 0:r0_14
# 763| mu763_26(unknown) = ^CallSideEffect : ~m?
# 763| v763_27(void) = ^BufferReadSideEffect[-1] : &:r763_20, ~m?
# 763| v763_27(void) = ^IndirectReadSideEffect[-1] : &:r763_20, ~m?
#-----| v0_15(void) = ^BufferReadSideEffect[0] : &:r0_14, ~m?
# 763| mu763_28(String) = ^IndirectMayWriteSideEffect[-1] : &:r763_20
#-----| r0_16(glval<String>) = CopyValue : r763_25
@@ -4505,7 +4504,7 @@ ir.cpp:
# 808| r808_5(Base &) = CopyValue : r808_4
# 808| r808_6(Base &) = Call[operator=] : func:r808_2, this:r808_1, 0:r808_5
# 808| mu808_7(unknown) = ^CallSideEffect : ~m?
# 808| v808_8(void) = ^BufferReadSideEffect[-1] : &:r808_1, ~m?
# 808| v808_8(void) = ^IndirectReadSideEffect[-1] : &:r808_1, ~m?
# 808| v808_9(void) = ^BufferReadSideEffect[0] : &:r808_5, ~m?
# 808| mu808_10(Base) = ^IndirectMayWriteSideEffect[-1] : &:r808_1
# 808| r808_11(glval<Base>) = CopyValue : r808_6
@@ -4525,7 +4524,7 @@ ir.cpp:
# 809| r809_14(Base &) = CopyValue : r809_13
# 809| r809_15(Base &) = Call[operator=] : func:r809_2, this:r809_1, 0:r809_14
# 809| mu809_16(unknown) = ^CallSideEffect : ~m?
# 809| v809_17(void) = ^BufferReadSideEffect[-1] : &:r809_1, ~m?
# 809| v809_17(void) = ^IndirectReadSideEffect[-1] : &:r809_1, ~m?
# 809| v809_18(void) = ^BufferReadSideEffect[0] : &:r809_14, ~m?
# 809| mu809_19(Base) = ^IndirectMayWriteSideEffect[-1] : &:r809_1
# 809| r809_20(glval<Base>) = CopyValue : r809_15
@@ -4545,7 +4544,7 @@ ir.cpp:
# 810| r810_14(Base &) = CopyValue : r810_13
# 810| r810_15(Base &) = Call[operator=] : func:r810_2, this:r810_1, 0:r810_14
# 810| mu810_16(unknown) = ^CallSideEffect : ~m?
# 810| v810_17(void) = ^BufferReadSideEffect[-1] : &:r810_1, ~m?
# 810| v810_17(void) = ^IndirectReadSideEffect[-1] : &:r810_1, ~m?
# 810| v810_18(void) = ^BufferReadSideEffect[0] : &:r810_14, ~m?
# 810| mu810_19(Base) = ^IndirectMayWriteSideEffect[-1] : &:r810_1
# 810| r810_20(glval<Base>) = CopyValue : r810_15
@@ -4577,7 +4576,7 @@ ir.cpp:
# 816| r816_6(Middle &) = CopyValue : r816_5
# 816| r816_7(Middle &) = Call[operator=] : func:r816_2, this:r816_1, 0:r816_6
# 816| mu816_8(unknown) = ^CallSideEffect : ~m?
# 816| v816_9(void) = ^BufferReadSideEffect[-1] : &:r816_1, ~m?
# 816| v816_9(void) = ^IndirectReadSideEffect[-1] : &:r816_1, ~m?
# 816| v816_10(void) = ^BufferReadSideEffect[0] : &:r816_6, ~m?
# 816| mu816_11(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r816_1
# 816| r816_12(glval<Middle>) = CopyValue : r816_7
@@ -4589,7 +4588,7 @@ ir.cpp:
# 817| r817_6(Middle &) = CopyValue : r817_5
# 817| r817_7(Middle &) = Call[operator=] : func:r817_2, this:r817_1, 0:r817_6
# 817| mu817_8(unknown) = ^CallSideEffect : ~m?
# 817| v817_9(void) = ^BufferReadSideEffect[-1] : &:r817_1, ~m?
# 817| v817_9(void) = ^IndirectReadSideEffect[-1] : &:r817_1, ~m?
# 817| v817_10(void) = ^BufferReadSideEffect[0] : &:r817_6, ~m?
# 817| mu817_11(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r817_1
# 817| r817_12(glval<Middle>) = CopyValue : r817_7
@@ -4616,7 +4615,7 @@ ir.cpp:
# 822| r822_6(Base &) = CopyValue : r822_5
# 822| r822_7(Base &) = Call[operator=] : func:r822_2, this:r822_1, 0:r822_6
# 822| mu822_8(unknown) = ^CallSideEffect : ~m?
# 822| v822_9(void) = ^BufferReadSideEffect[-1] : &:r822_1, ~m?
# 822| v822_9(void) = ^IndirectReadSideEffect[-1] : &:r822_1, ~m?
# 822| v822_10(void) = ^BufferReadSideEffect[0] : &:r822_6, ~m?
# 822| mu822_11(Base) = ^IndirectMayWriteSideEffect[-1] : &:r822_1
# 822| r822_12(glval<Base>) = CopyValue : r822_7
@@ -4637,7 +4636,7 @@ ir.cpp:
# 823| r823_15(Base &) = CopyValue : r823_14
# 823| r823_16(Base &) = Call[operator=] : func:r823_2, this:r823_1, 0:r823_15
# 823| mu823_17(unknown) = ^CallSideEffect : ~m?
# 823| v823_18(void) = ^BufferReadSideEffect[-1] : &:r823_1, ~m?
# 823| v823_18(void) = ^IndirectReadSideEffect[-1] : &:r823_1, ~m?
# 823| v823_19(void) = ^BufferReadSideEffect[0] : &:r823_15, ~m?
# 823| mu823_20(Base) = ^IndirectMayWriteSideEffect[-1] : &:r823_1
# 823| r823_21(glval<Base>) = CopyValue : r823_16
@@ -4658,7 +4657,7 @@ ir.cpp:
# 824| r824_15(Base &) = CopyValue : r824_14
# 824| r824_16(Base &) = Call[operator=] : func:r824_2, this:r824_1, 0:r824_15
# 824| mu824_17(unknown) = ^CallSideEffect : ~m?
# 824| v824_18(void) = ^BufferReadSideEffect[-1] : &:r824_1, ~m?
# 824| v824_18(void) = ^IndirectReadSideEffect[-1] : &:r824_1, ~m?
# 824| v824_19(void) = ^BufferReadSideEffect[0] : &:r824_15, ~m?
# 824| mu824_20(Base) = ^IndirectMayWriteSideEffect[-1] : &:r824_1
# 824| r824_21(glval<Base>) = CopyValue : r824_16
@@ -4694,7 +4693,7 @@ ir.cpp:
# 830| r830_7(Derived &) = CopyValue : r830_6
# 830| r830_8(Derived &) = Call[operator=] : func:r830_2, this:r830_1, 0:r830_7
# 830| mu830_9(unknown) = ^CallSideEffect : ~m?
# 830| v830_10(void) = ^BufferReadSideEffect[-1] : &:r830_1, ~m?
# 830| v830_10(void) = ^IndirectReadSideEffect[-1] : &:r830_1, ~m?
# 830| v830_11(void) = ^BufferReadSideEffect[0] : &:r830_7, ~m?
# 830| mu830_12(Derived) = ^IndirectMayWriteSideEffect[-1] : &:r830_1
# 830| r830_13(glval<Derived>) = CopyValue : r830_8
@@ -4707,7 +4706,7 @@ ir.cpp:
# 831| r831_7(Derived &) = CopyValue : r831_6
# 831| r831_8(Derived &) = Call[operator=] : func:r831_2, this:r831_1, 0:r831_7
# 831| mu831_9(unknown) = ^CallSideEffect : ~m?
# 831| v831_10(void) = ^BufferReadSideEffect[-1] : &:r831_1, ~m?
# 831| v831_10(void) = ^IndirectReadSideEffect[-1] : &:r831_1, ~m?
# 831| v831_11(void) = ^BufferReadSideEffect[0] : &:r831_7, ~m?
# 831| mu831_12(Derived) = ^IndirectMayWriteSideEffect[-1] : &:r831_1
# 831| r831_13(glval<Derived>) = CopyValue : r831_8
@@ -5688,7 +5687,7 @@ ir.cpp:
# 1044| r1044_4(float) = Constant[1.0] :
# 1044| r1044_5(char) = Call[operator()] : func:r1044_3, this:r1044_2, 0:r1044_4
# 1044| mu1044_6(unknown) = ^CallSideEffect : ~m?
# 1044| v1044_7(void) = ^BufferReadSideEffect[-1] : &:r1044_2, ~m?
# 1044| v1044_7(void) = ^IndirectReadSideEffect[-1] : &:r1044_2, ~m?
# 1045| r1045_1(glval<decltype([...](...){...})>) = VariableAddress[lambda_val] :
# 1045| r1045_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1045:20] :
# 1045| mu1045_3(decltype([...](...){...})) = Uninitialized[#temp1045:20] : &:r1045_2
@@ -5709,7 +5708,7 @@ ir.cpp:
# 1046| r1046_4(float) = Constant[2.0] :
# 1046| r1046_5(char) = Call[operator()] : func:r1046_3, this:r1046_2, 0:r1046_4
# 1046| mu1046_6(unknown) = ^CallSideEffect : ~m?
# 1046| v1046_7(void) = ^BufferReadSideEffect[-1] : &:r1046_2, ~m?
# 1046| v1046_7(void) = ^IndirectReadSideEffect[-1] : &:r1046_2, ~m?
# 1047| r1047_1(glval<decltype([...](...){...})>) = VariableAddress[lambda_ref_explicit] :
# 1047| r1047_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1047:29] :
# 1047| mu1047_3(decltype([...](...){...})) = Uninitialized[#temp1047:29] : &:r1047_2
@@ -5727,7 +5726,7 @@ ir.cpp:
# 1048| r1048_4(float) = Constant[3.0] :
# 1048| r1048_5(char) = Call[operator()] : func:r1048_3, this:r1048_2, 0:r1048_4
# 1048| mu1048_6(unknown) = ^CallSideEffect : ~m?
# 1048| v1048_7(void) = ^BufferReadSideEffect[-1] : &:r1048_2, ~m?
# 1048| v1048_7(void) = ^IndirectReadSideEffect[-1] : &:r1048_2, ~m?
# 1049| r1049_1(glval<decltype([...](...){...})>) = VariableAddress[lambda_val_explicit] :
# 1049| r1049_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1049:29] :
# 1049| mu1049_3(decltype([...](...){...})) = Uninitialized[#temp1049:29] : &:r1049_2
@@ -5744,7 +5743,7 @@ ir.cpp:
# 1050| r1050_4(float) = Constant[4.0] :
# 1050| r1050_5(char) = Call[operator()] : func:r1050_3, this:r1050_2, 0:r1050_4
# 1050| mu1050_6(unknown) = ^CallSideEffect : ~m?
# 1050| v1050_7(void) = ^BufferReadSideEffect[-1] : &:r1050_2, ~m?
# 1050| v1050_7(void) = ^IndirectReadSideEffect[-1] : &:r1050_2, ~m?
# 1051| r1051_1(glval<decltype([...](...){...})>) = VariableAddress[lambda_mixed_explicit] :
# 1051| r1051_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1051:31] :
# 1051| mu1051_3(decltype([...](...){...})) = Uninitialized[#temp1051:31] : &:r1051_2
@@ -5766,7 +5765,7 @@ ir.cpp:
# 1052| r1052_4(float) = Constant[5.0] :
# 1052| r1052_5(char) = Call[operator()] : func:r1052_3, this:r1052_2, 0:r1052_4
# 1052| mu1052_6(unknown) = ^CallSideEffect : ~m?
# 1052| v1052_7(void) = ^BufferReadSideEffect[-1] : &:r1052_2, ~m?
# 1052| v1052_7(void) = ^IndirectReadSideEffect[-1] : &:r1052_2, ~m?
# 1053| r1053_1(glval<int>) = VariableAddress[r] :
# 1053| r1053_2(glval<int>) = VariableAddress[x] :
# 1053| r1053_3(int) = Load[x] : &:r1053_2, ~m?
@@ -5804,7 +5803,7 @@ ir.cpp:
# 1055| r1055_4(float) = Constant[6.0] :
# 1055| r1055_5(char) = Call[operator()] : func:r1055_3, this:r1055_2, 0:r1055_4
# 1055| mu1055_6(unknown) = ^CallSideEffect : ~m?
# 1055| v1055_7(void) = ^BufferReadSideEffect[-1] : &:r1055_2, ~m?
# 1055| v1055_7(void) = ^IndirectReadSideEffect[-1] : &:r1055_2, ~m?
# 1056| v1056_1(void) = NoOp :
# 1040| v1040_10(void) = ReturnIndirection[s] : &:r1040_8, ~m?
# 1040| v1040_11(void) = ReturnVoid :
@@ -5869,7 +5868,7 @@ ir.cpp:
# 1043| r1043_16(glval<unknown>) = FunctionAddress[c_str] :
# 1043| r1043_17(char *) = Call[c_str] : func:r1043_16, this:r1043_15
# 1043| mu1043_18(unknown) = ^CallSideEffect : ~m?
# 1043| v1043_19(void) = ^BufferReadSideEffect[-1] : &:r1043_15, ~m?
# 1043| v1043_19(void) = ^IndirectReadSideEffect[-1] : &:r1043_15, ~m?
# 1043| r1043_20(glval<unknown>) = VariableAddress[#this] :
# 1043| r1043_21(lambda [] type at line 1043, col. 21 *) = Load[#this] : &:r1043_20, ~m?
# 1043| r1043_22(glval<int &>) = FieldAddress[x] : r1043_21
@@ -5921,7 +5920,7 @@ ir.cpp:
# 1045| r1045_14(glval<unknown>) = FunctionAddress[c_str] :
# 1045| r1045_15(char *) = Call[c_str] : func:r1045_14, this:r1045_13
# 1045| mu1045_16(unknown) = ^CallSideEffect : ~m?
# 1045| v1045_17(void) = ^BufferReadSideEffect[-1] : &:r1045_13, ~m?
# 1045| v1045_17(void) = ^IndirectReadSideEffect[-1] : &:r1045_13, ~m?
# 1045| r1045_18(glval<unknown>) = VariableAddress[#this] :
# 1045| r1045_19(lambda [] type at line 1045, col. 21 *) = Load[#this] : &:r1045_18, ~m?
# 1045| r1045_20(glval<int>) = FieldAddress[x] : r1045_19
@@ -5955,7 +5954,7 @@ ir.cpp:
# 1047| r1047_16(glval<unknown>) = FunctionAddress[c_str] :
# 1047| r1047_17(char *) = Call[c_str] : func:r1047_16, this:r1047_15
# 1047| mu1047_18(unknown) = ^CallSideEffect : ~m?
# 1047| v1047_19(void) = ^BufferReadSideEffect[-1] : &:r1047_15, ~m?
# 1047| v1047_19(void) = ^IndirectReadSideEffect[-1] : &:r1047_15, ~m?
# 1047| r1047_20(int) = Constant[0] :
# 1047| r1047_21(glval<char>) = PointerAdd[1] : r1047_17, r1047_20
# 1047| r1047_22(char) = Load[?] : &:r1047_21, ~m?
@@ -6003,7 +6002,7 @@ ir.cpp:
# 1049| r1049_14(glval<unknown>) = FunctionAddress[c_str] :
# 1049| r1049_15(char *) = Call[c_str] : func:r1049_14, this:r1049_13
# 1049| mu1049_16(unknown) = ^CallSideEffect : ~m?
# 1049| v1049_17(void) = ^BufferReadSideEffect[-1] : &:r1049_13, ~m?
# 1049| v1049_17(void) = ^IndirectReadSideEffect[-1] : &:r1049_13, ~m?
# 1049| r1049_18(int) = Constant[0] :
# 1049| r1049_19(glval<char>) = PointerAdd[1] : r1049_15, r1049_18
# 1049| r1049_20(char) = Load[?] : &:r1049_19, ~m?
@@ -6034,7 +6033,7 @@ ir.cpp:
# 1051| r1051_16(glval<unknown>) = FunctionAddress[c_str] :
# 1051| r1051_17(char *) = Call[c_str] : func:r1051_16, this:r1051_15
# 1051| mu1051_18(unknown) = ^CallSideEffect : ~m?
# 1051| v1051_19(void) = ^BufferReadSideEffect[-1] : &:r1051_15, ~m?
# 1051| v1051_19(void) = ^IndirectReadSideEffect[-1] : &:r1051_15, ~m?
# 1051| r1051_20(glval<unknown>) = VariableAddress[#this] :
# 1051| r1051_21(lambda [] type at line 1051, col. 32 *) = Load[#this] : &:r1051_20, ~m?
# 1051| r1051_22(glval<int>) = FieldAddress[x] : r1051_21
@@ -6068,7 +6067,7 @@ ir.cpp:
# 1054| r1054_16(glval<unknown>) = FunctionAddress[c_str] :
# 1054| r1054_17(char *) = Call[c_str] : func:r1054_16, this:r1054_15
# 1054| mu1054_18(unknown) = ^CallSideEffect : ~m?
# 1054| v1054_19(void) = ^BufferReadSideEffect[-1] : &:r1054_15, ~m?
# 1054| v1054_19(void) = ^IndirectReadSideEffect[-1] : &:r1054_15, ~m?
# 1054| r1054_20(glval<unknown>) = VariableAddress[#this] :
# 1054| r1054_21(lambda [] type at line 1054, col. 23 *) = Load[#this] : &:r1054_20, ~m?
# 1054| r1054_22(glval<int>) = FieldAddress[x] : r1054_21
@@ -6095,37 +6094,37 @@ ir.cpp:
# 1077| void RangeBasedFor(vector<int> const&)
# 1077| Block 0
# 1077| v1077_1(void) = EnterFunction :
# 1077| mu1077_2(unknown) = AliasedDefinition :
# 1077| mu1077_3(unknown) = InitializeNonLocal :
# 1077| r1077_4(glval<vector<int> &>) = VariableAddress[v] :
# 1077| mu1077_5(vector<int> &) = InitializeParameter[v] : &:r1077_4
# 1077| r1077_6(vector<int> &) = Load[v] : &:r1077_4, ~m?
# 1077| mu1077_7(unknown) = InitializeIndirection[v] : &:r1077_6
# 1078| r1078_1(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1078| r1078_2(glval<vector<int> &>) = VariableAddress[v] :
# 1078| r1078_3(vector<int> &) = Load[v] : &:r1078_2, ~m?
# 1078| r1078_4(glval<vector<int>>) = CopyValue : r1078_3
# 1078| r1078_5(vector<int> &) = CopyValue : r1078_4
# 1078| mu1078_6(vector<int> &) = Store[(__range)] : &:r1078_1, r1078_5
# 1078| r1078_7(glval<iterator>) = VariableAddress[(__begin)] :
# 1078| r1078_8(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1078| r1078_9(vector<int> &) = Load[(__range)] : &:r1078_8, ~m?
#-----| r0_1(glval<vector<int>>) = CopyValue : r1078_9
# 1078| r1078_10(glval<unknown>) = FunctionAddress[begin] :
# 1078| r1078_11(iterator) = Call[begin] : func:r1078_10, this:r0_1
# 1078| mu1078_12(unknown) = ^CallSideEffect : ~m?
#-----| v0_2(void) = ^BufferReadSideEffect[-1] : &:r0_1, ~m?
# 1078| mu1078_13(iterator) = Store[(__begin)] : &:r1078_7, r1078_11
# 1078| r1078_14(glval<iterator>) = VariableAddress[(__end)] :
# 1078| r1078_15(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1078| r1078_16(vector<int> &) = Load[(__range)] : &:r1078_15, ~m?
#-----| r0_3(glval<vector<int>>) = CopyValue : r1078_16
# 1078| r1078_17(glval<unknown>) = FunctionAddress[end] :
# 1078| r1078_18(iterator) = Call[end] : func:r1078_17, this:r0_3
# 1078| mu1078_19(unknown) = ^CallSideEffect : ~m?
#-----| v0_4(void) = ^BufferReadSideEffect[-1] : &:r0_3, ~m?
# 1078| mu1078_20(iterator) = Store[(__end)] : &:r1078_14, r1078_18
# 1077| v1077_1(void) = EnterFunction :
# 1077| mu1077_2(unknown) = AliasedDefinition :
# 1077| mu1077_3(unknown) = InitializeNonLocal :
# 1077| r1077_4(glval<vector<int> &>) = VariableAddress[v] :
# 1077| mu1077_5(vector<int> &) = InitializeParameter[v] : &:r1077_4
# 1077| r1077_6(vector<int> &) = Load[v] : &:r1077_4, ~m?
# 1077| mu1077_7(unknown) = InitializeIndirection[v] : &:r1077_6
# 1078| r1078_1(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1078| r1078_2(glval<vector<int> &>) = VariableAddress[v] :
# 1078| r1078_3(vector<int> &) = Load[v] : &:r1078_2, ~m?
# 1078| r1078_4(glval<vector<int>>) = CopyValue : r1078_3
# 1078| r1078_5(vector<int> &) = CopyValue : r1078_4
# 1078| mu1078_6(vector<int> &) = Store[(__range)] : &:r1078_1, r1078_5
# 1078| r1078_7(glval<iterator>) = VariableAddress[(__begin)] :
# 1078| r1078_8(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1078| r1078_9(vector<int> &) = Load[(__range)] : &:r1078_8, ~m?
#-----| r0_1(glval<vector<int>>) = CopyValue : r1078_9
# 1078| r1078_10(glval<unknown>) = FunctionAddress[begin] :
# 1078| r1078_11(iterator) = Call[begin] : func:r1078_10, this:r0_1
# 1078| mu1078_12(unknown) = ^CallSideEffect : ~m?
#-----| v0_2(void) = ^IndirectReadSideEffect[-1] : &:r0_1, ~m?
# 1078| mu1078_13(iterator) = Store[(__begin)] : &:r1078_7, r1078_11
# 1078| r1078_14(glval<iterator>) = VariableAddress[(__end)] :
# 1078| r1078_15(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1078| r1078_16(vector<int> &) = Load[(__range)] : &:r1078_15, ~m?
#-----| r0_3(glval<vector<int>>) = CopyValue : r1078_16
# 1078| r1078_17(glval<unknown>) = FunctionAddress[end] :
# 1078| r1078_18(iterator) = Call[end] : func:r1078_17, this:r0_3
# 1078| mu1078_19(unknown) = ^CallSideEffect : ~m?
#-----| v0_4(void) = ^IndirectReadSideEffect[-1] : &:r0_3, ~m?
# 1078| mu1078_20(iterator) = Store[(__end)] : &:r1078_14, r1078_18
#-----| Goto -> Block 1
# 1078| Block 1
@@ -6136,26 +6135,26 @@ ir.cpp:
# 1078| r1078_24(iterator) = Load[(__end)] : &:r1078_23, ~m?
# 1078| r1078_25(bool) = Call[operator!=] : func:r1078_22, this:r0_5, 0:r1078_24
# 1078| mu1078_26(unknown) = ^CallSideEffect : ~m?
#-----| v0_6(void) = ^BufferReadSideEffect[-1] : &:r0_5, ~m?
#-----| v0_6(void) = ^IndirectReadSideEffect[-1] : &:r0_5, ~m?
# 1078| v1078_27(void) = ConditionalBranch : r1078_25
#-----| False -> Block 5
#-----| True -> Block 2
# 1078| Block 2
# 1078| r1078_28(glval<int>) = VariableAddress[e] :
# 1078| r1078_29(glval<iterator>) = VariableAddress[(__begin)] :
#-----| r0_7(glval<iterator>) = Convert : r1078_29
# 1078| r1078_30(glval<unknown>) = FunctionAddress[operator*] :
# 1078| r1078_31(int &) = Call[operator*] : func:r1078_30, this:r0_7
# 1078| mu1078_32(unknown) = ^CallSideEffect : ~m?
#-----| v0_8(void) = ^BufferReadSideEffect[-1] : &:r0_7, ~m?
# 1078| r1078_33(int) = Load[?] : &:r1078_31, ~m?
# 1078| mu1078_34(int) = Store[e] : &:r1078_28, r1078_33
# 1079| r1079_1(glval<int>) = VariableAddress[e] :
# 1079| r1079_2(int) = Load[e] : &:r1079_1, ~m?
# 1079| r1079_3(int) = Constant[0] :
# 1079| r1079_4(bool) = CompareGT : r1079_2, r1079_3
# 1079| v1079_5(void) = ConditionalBranch : r1079_4
# 1078| r1078_28(glval<int>) = VariableAddress[e] :
# 1078| r1078_29(glval<iterator>) = VariableAddress[(__begin)] :
#-----| r0_7(glval<iterator>) = Convert : r1078_29
# 1078| r1078_30(glval<unknown>) = FunctionAddress[operator*] :
# 1078| r1078_31(int &) = Call[operator*] : func:r1078_30, this:r0_7
# 1078| mu1078_32(unknown) = ^CallSideEffect : ~m?
#-----| v0_8(void) = ^IndirectReadSideEffect[-1] : &:r0_7, ~m?
# 1078| r1078_33(int) = Load[?] : &:r1078_31, ~m?
# 1078| mu1078_34(int) = Store[e] : &:r1078_28, r1078_33
# 1079| r1079_1(glval<int>) = VariableAddress[e] :
# 1079| r1079_2(int) = Load[e] : &:r1079_1, ~m?
# 1079| r1079_3(int) = Constant[0] :
# 1079| r1079_4(bool) = CompareGT : r1079_2, r1079_3
# 1079| v1079_5(void) = ConditionalBranch : r1079_4
#-----| False -> Block 4
#-----| True -> Block 3
@@ -6169,36 +6168,36 @@ ir.cpp:
# 1078| r1078_37(glval<unknown>) = FunctionAddress[operator++] :
# 1078| r1078_38(iterator &) = Call[operator++] : func:r1078_37, this:r1078_36
# 1078| mu1078_39(unknown) = ^CallSideEffect : ~m?
# 1078| v1078_40(void) = ^BufferReadSideEffect[-1] : &:r1078_36, ~m?
# 1078| v1078_40(void) = ^IndirectReadSideEffect[-1] : &:r1078_36, ~m?
# 1078| mu1078_41(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r1078_36
# 1078| r1078_42(glval<iterator>) = CopyValue : r1078_38
#-----| Goto (back edge) -> Block 1
# 1084| Block 5
# 1084| r1084_1(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1084| r1084_2(glval<vector<int> &>) = VariableAddress[v] :
# 1084| r1084_3(vector<int> &) = Load[v] : &:r1084_2, ~m?
# 1084| r1084_4(glval<vector<int>>) = CopyValue : r1084_3
# 1084| r1084_5(vector<int> &) = CopyValue : r1084_4
# 1084| mu1084_6(vector<int> &) = Store[(__range)] : &:r1084_1, r1084_5
# 1084| r1084_7(glval<iterator>) = VariableAddress[(__begin)] :
# 1084| r1084_8(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1084| r1084_9(vector<int> &) = Load[(__range)] : &:r1084_8, ~m?
#-----| r0_9(glval<vector<int>>) = CopyValue : r1084_9
# 1084| r1084_10(glval<unknown>) = FunctionAddress[begin] :
# 1084| r1084_11(iterator) = Call[begin] : func:r1084_10, this:r0_9
# 1084| mu1084_12(unknown) = ^CallSideEffect : ~m?
#-----| v0_10(void) = ^BufferReadSideEffect[-1] : &:r0_9, ~m?
# 1084| mu1084_13(iterator) = Store[(__begin)] : &:r1084_7, r1084_11
# 1084| r1084_14(glval<iterator>) = VariableAddress[(__end)] :
# 1084| r1084_15(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1084| r1084_16(vector<int> &) = Load[(__range)] : &:r1084_15, ~m?
#-----| r0_11(glval<vector<int>>) = CopyValue : r1084_16
# 1084| r1084_17(glval<unknown>) = FunctionAddress[end] :
# 1084| r1084_18(iterator) = Call[end] : func:r1084_17, this:r0_11
# 1084| mu1084_19(unknown) = ^CallSideEffect : ~m?
#-----| v0_12(void) = ^BufferReadSideEffect[-1] : &:r0_11, ~m?
# 1084| mu1084_20(iterator) = Store[(__end)] : &:r1084_14, r1084_18
# 1084| r1084_1(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1084| r1084_2(glval<vector<int> &>) = VariableAddress[v] :
# 1084| r1084_3(vector<int> &) = Load[v] : &:r1084_2, ~m?
# 1084| r1084_4(glval<vector<int>>) = CopyValue : r1084_3
# 1084| r1084_5(vector<int> &) = CopyValue : r1084_4
# 1084| mu1084_6(vector<int> &) = Store[(__range)] : &:r1084_1, r1084_5
# 1084| r1084_7(glval<iterator>) = VariableAddress[(__begin)] :
# 1084| r1084_8(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1084| r1084_9(vector<int> &) = Load[(__range)] : &:r1084_8, ~m?
#-----| r0_9(glval<vector<int>>) = CopyValue : r1084_9
# 1084| r1084_10(glval<unknown>) = FunctionAddress[begin] :
# 1084| r1084_11(iterator) = Call[begin] : func:r1084_10, this:r0_9
# 1084| mu1084_12(unknown) = ^CallSideEffect : ~m?
#-----| v0_10(void) = ^IndirectReadSideEffect[-1] : &:r0_9, ~m?
# 1084| mu1084_13(iterator) = Store[(__begin)] : &:r1084_7, r1084_11
# 1084| r1084_14(glval<iterator>) = VariableAddress[(__end)] :
# 1084| r1084_15(glval<vector<int> &>) = VariableAddress[(__range)] :
# 1084| r1084_16(vector<int> &) = Load[(__range)] : &:r1084_15, ~m?
#-----| r0_11(glval<vector<int>>) = CopyValue : r1084_16
# 1084| r1084_17(glval<unknown>) = FunctionAddress[end] :
# 1084| r1084_18(iterator) = Call[end] : func:r1084_17, this:r0_11
# 1084| mu1084_19(unknown) = ^CallSideEffect : ~m?
#-----| v0_12(void) = ^IndirectReadSideEffect[-1] : &:r0_11, ~m?
# 1084| mu1084_20(iterator) = Store[(__end)] : &:r1084_14, r1084_18
#-----| Goto -> Block 6
# 1084| Block 6
@@ -6209,7 +6208,7 @@ ir.cpp:
# 1084| r1084_24(iterator) = Load[(__end)] : &:r1084_23, ~m?
# 1084| r1084_25(bool) = Call[operator!=] : func:r1084_22, this:r0_13, 0:r1084_24
# 1084| mu1084_26(unknown) = ^CallSideEffect : ~m?
#-----| v0_14(void) = ^BufferReadSideEffect[-1] : &:r0_13, ~m?
#-----| v0_14(void) = ^IndirectReadSideEffect[-1] : &:r0_13, ~m?
# 1084| v1084_27(void) = ConditionalBranch : r1084_25
#-----| False -> Block 10
#-----| True -> Block 8
@@ -6219,29 +6218,29 @@ ir.cpp:
# 1084| r1084_29(glval<unknown>) = FunctionAddress[operator++] :
# 1084| r1084_30(iterator &) = Call[operator++] : func:r1084_29, this:r1084_28
# 1084| mu1084_31(unknown) = ^CallSideEffect : ~m?
# 1084| v1084_32(void) = ^BufferReadSideEffect[-1] : &:r1084_28, ~m?
# 1084| v1084_32(void) = ^IndirectReadSideEffect[-1] : &:r1084_28, ~m?
# 1084| mu1084_33(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r1084_28
# 1084| r1084_34(glval<iterator>) = CopyValue : r1084_30
#-----| Goto (back edge) -> Block 6
# 1084| Block 8
# 1084| r1084_35(glval<int &>) = VariableAddress[e] :
# 1084| r1084_36(glval<iterator>) = VariableAddress[(__begin)] :
#-----| r0_15(glval<iterator>) = Convert : r1084_36
# 1084| r1084_37(glval<unknown>) = FunctionAddress[operator*] :
# 1084| r1084_38(int &) = Call[operator*] : func:r1084_37, this:r0_15
# 1084| mu1084_39(unknown) = ^CallSideEffect : ~m?
#-----| v0_16(void) = ^BufferReadSideEffect[-1] : &:r0_15, ~m?
# 1084| r1084_40(glval<int>) = CopyValue : r1084_38
# 1084| r1084_41(glval<int>) = Convert : r1084_40
# 1084| r1084_42(int &) = CopyValue : r1084_41
# 1084| mu1084_43(int &) = Store[e] : &:r1084_35, r1084_42
# 1085| r1085_1(glval<int &>) = VariableAddress[e] :
# 1085| r1085_2(int &) = Load[e] : &:r1085_1, ~m?
# 1085| r1085_3(int) = Load[?] : &:r1085_2, ~m?
# 1085| r1085_4(int) = Constant[5] :
# 1085| r1085_5(bool) = CompareLT : r1085_3, r1085_4
# 1085| v1085_6(void) = ConditionalBranch : r1085_5
# 1084| r1084_35(glval<int &>) = VariableAddress[e] :
# 1084| r1084_36(glval<iterator>) = VariableAddress[(__begin)] :
#-----| r0_15(glval<iterator>) = Convert : r1084_36
# 1084| r1084_37(glval<unknown>) = FunctionAddress[operator*] :
# 1084| r1084_38(int &) = Call[operator*] : func:r1084_37, this:r0_15
# 1084| mu1084_39(unknown) = ^CallSideEffect : ~m?
#-----| v0_16(void) = ^IndirectReadSideEffect[-1] : &:r0_15, ~m?
# 1084| r1084_40(glval<int>) = CopyValue : r1084_38
# 1084| r1084_41(glval<int>) = Convert : r1084_40
# 1084| r1084_42(int &) = CopyValue : r1084_41
# 1084| mu1084_43(int &) = Store[e] : &:r1084_35, r1084_42
# 1085| r1085_1(glval<int &>) = VariableAddress[e] :
# 1085| r1085_2(int &) = Load[e] : &:r1085_1, ~m?
# 1085| r1085_3(int) = Load[?] : &:r1085_2, ~m?
# 1085| r1085_4(int) = Constant[5] :
# 1085| r1085_5(bool) = CompareLT : r1085_3, r1085_4
# 1085| v1085_6(void) = ConditionalBranch : r1085_5
#-----| False -> Block 7
#-----| True -> Block 9
@@ -7525,7 +7524,7 @@ ir.cpp:
# 1373| r1373_8(glval<unknown>) = FunctionAddress[c_str] :
# 1373| r1373_9(char *) = Call[c_str] : func:r1373_8, this:r1373_7
# 1373| mu1373_10(unknown) = ^CallSideEffect : ~m?
# 1373| v1373_11(void) = ^BufferReadSideEffect[-1] : &:r1373_7, ~m?
# 1373| v1373_11(void) = ^IndirectReadSideEffect[-1] : &:r1373_7, ~m?
# 1374| r1374_1(glval<String>) = VariableAddress[#temp1374:5] :
# 1374| r1374_2(glval<unknown>) = FunctionAddress[returnValue] :
# 1374| r1374_3(String) = Call[returnValue] : func:r1374_2
@@ -7535,7 +7534,7 @@ ir.cpp:
# 1374| r1374_7(glval<unknown>) = FunctionAddress[c_str] :
# 1374| r1374_8(char *) = Call[c_str] : func:r1374_7, this:r1374_6
# 1374| mu1374_9(unknown) = ^CallSideEffect : ~m?
# 1374| v1374_10(void) = ^BufferReadSideEffect[-1] : &:r1374_6, ~m?
# 1374| v1374_10(void) = ^IndirectReadSideEffect[-1] : &:r1374_6, ~m?
# 1376| r1376_1(glval<String>) = VariableAddress[#temp1376:5] :
# 1376| r1376_2(glval<unknown>) = FunctionAddress[defaultConstruct] :
# 1376| r1376_3(String) = Call[defaultConstruct] : func:r1376_2
@@ -7589,7 +7588,7 @@ ir.cpp:
# 1385| r1385_4(glval<unknown>) = FunctionAddress[method] :
# 1385| v1385_5(void) = Call[method] : func:r1385_4, this:r1385_1
# 1385| mu1385_6(unknown) = ^CallSideEffect : ~m?
# 1385| v1385_7(void) = ^BufferReadSideEffect[-1] : &:r1385_1, ~m?
# 1385| v1385_7(void) = ^IndirectReadSideEffect[-1] : &:r1385_1, ~m?
# 1385| mu1385_8(destructor_only) = ^IndirectMayWriteSideEffect[-1] : &:r1385_1
# 1386| r1386_1(glval<destructor_only>) = VariableAddress[#temp1386:5] :
# 1386| r1386_2(glval<unknown>) = FunctionAddress[returnValue] :
@@ -7599,7 +7598,7 @@ ir.cpp:
# 1386| r1386_6(glval<unknown>) = FunctionAddress[method] :
# 1386| v1386_7(void) = Call[method] : func:r1386_6, this:r1386_1
# 1386| mu1386_8(unknown) = ^CallSideEffect : ~m?
# 1386| v1386_9(void) = ^BufferReadSideEffect[-1] : &:r1386_1, ~m?
# 1386| v1386_9(void) = ^IndirectReadSideEffect[-1] : &:r1386_1, ~m?
# 1386| mu1386_10(destructor_only) = ^IndirectMayWriteSideEffect[-1] : &:r1386_1
# 1388| r1388_1(glval<destructor_only>) = VariableAddress[#temp1388:5] :
# 1388| r1388_2(glval<unknown>) = FunctionAddress[defaultConstruct] :
@@ -7667,7 +7666,7 @@ ir.cpp:
# 1397| r1397_7(glval<unknown>) = FunctionAddress[method] :
# 1397| v1397_8(void) = Call[method] : func:r1397_7, this:r1397_1
# 1397| mu1397_9(unknown) = ^CallSideEffect : ~m?
# 1397| v1397_10(void) = ^BufferReadSideEffect[-1] : &:r1397_1, ~m?
# 1397| v1397_10(void) = ^IndirectReadSideEffect[-1] : &:r1397_1, ~m?
# 1397| mu1397_11(copy_constructor) = ^IndirectMayWriteSideEffect[-1] : &:r1397_1
# 1398| r1398_1(glval<copy_constructor>) = VariableAddress[#temp1398:5] :
# 1398| r1398_2(glval<unknown>) = FunctionAddress[returnValue] :
@@ -7677,7 +7676,7 @@ ir.cpp:
# 1398| r1398_6(glval<unknown>) = FunctionAddress[method] :
# 1398| v1398_7(void) = Call[method] : func:r1398_6, this:r1398_1
# 1398| mu1398_8(unknown) = ^CallSideEffect : ~m?
# 1398| v1398_9(void) = ^BufferReadSideEffect[-1] : &:r1398_1, ~m?
# 1398| v1398_9(void) = ^IndirectReadSideEffect[-1] : &:r1398_1, ~m?
# 1398| mu1398_10(copy_constructor) = ^IndirectMayWriteSideEffect[-1] : &:r1398_1
# 1399| r1399_1(glval<copy_constructor>) = VariableAddress[#temp1399:5] :
# 1399| r1399_2(glval<unknown>) = FunctionAddress[defaultConstruct] :
@@ -7851,7 +7850,7 @@ ir.cpp:
# 1447| r1447_9(glval<unknown>) = FunctionAddress[f] :
# 1447| r1447_10(float) = Call[f] : func:r1447_9, this:r1447_8
# 1447| mu1447_11(unknown) = ^CallSideEffect : ~m?
# 1447| v1447_12(void) = ^BufferReadSideEffect[-1] : &:r1447_8, ~m?
# 1447| v1447_12(void) = ^IndirectReadSideEffect[-1] : &:r1447_8, ~m?
# 1447| mu1447_13(float) = Store[f] : &:r1447_1, r1447_10
# 1448| v1448_1(void) = NoOp :
# 1443| v1443_4(void) = ReturnVoid :

19
cpp/ql/test/library-tests/ir/points_to/points_to.ql
View File

@@ -5,7 +5,16 @@ private import semmle.code.cpp.ir.internal.IntegerConstant as Ints
private predicate ignoreAllocation(string name) {
name = "i" or
name = "p" or
name = "q"
name = "q" or
name = "s" or
name = "t" or
name = "?{AllAliased}"
}
private predicate ignoreFile(File file) {
// Ignore standard headers.
file.getBaseName() = ["memory.h", "type_traits.h", "utility.h"] or
not file.fromSource()
}
module Raw {
@@ -29,7 +38,8 @@ module Raw {
not ignoreAllocation(memLocation.getAllocation().getAllocationString()) and
value = memLocation.toString() and
element = instr.toString() and
location = instr.getLocation()
location = instr.getLocation() and
not ignoreFile(location.getFile())
)
}
}
@@ -52,13 +62,14 @@ module UnaliasedSSA {
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Instruction instr, MemoryLocation memLocation |
memLocation = getAMemoryAccess(instr) and
not memLocation instanceof AliasedVirtualVariable and
not memLocation.getVirtualVariable() instanceof AliasedVirtualVariable and
not memLocation instanceof AllNonLocalMemory and
tag = "ussa" and
not ignoreAllocation(memLocation.getAllocation().getAllocationString()) and
value = memLocation.toString() and
element = instr.toString() and
location = instr.getLocation()
location = instr.getLocation() and
not ignoreFile(location.getFile())
)
}
}

33
cpp/ql/test/library-tests/ir/points_to/smart_pointer.cpp Normal file
View File

@@ -0,0 +1,33 @@
#include "../../../include/memory.h"
#include "../../../include/utility.h"
using std::shared_ptr;
using std::unique_ptr;
struct S {
int x;
};
void unique_ptr_init(S s) {
unique_ptr<S> p(new S); //$ussa=dynamic{1}
int i = (*p).x; //$ussa=dynamic{1}[0..4)<int>
*p = s; //$ussa=dynamic{1}[0..4)<S>
unique_ptr<S> q = std::move(p);
*(q.get()) = s; //$ussa=dynamic{1}[0..4)<S>
shared_ptr<S> t(std::move(q));
t->x = 5; //$ussa=dynamic{1}[0..4)<int>
*t = s; //$ussa=dynamic{1}[0..4)<S>
*(t.get()) = s; //$ussa=dynamic{1}[0..4)<S>
}
void shared_ptr_init(S s) {
shared_ptr<S> p(new S); //$ussa=dynamic{1}
int i = (*p).x; //$ussa=dynamic{1}[0..4)<int>
*p = s; //$ussa=dynamic{1}[0..4)<S>
shared_ptr<S> q = std::move(p);
*(q.get()) = s; //$ussa=dynamic{1}[0..4)<S>
shared_ptr<S> t(q);
t->x = 5; //$ussa=dynamic{1}[0..4)<int>
*t = s; //$ussa=dynamic{1}[0..4)<S>
*(t.get()) = s; //$ussa=dynamic{1}[0..4)<S>
}

6
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
View File

@@ -1059,7 +1059,7 @@ ssa.cpp:
# 241| v241_3(void) = Call[g] : func:r241_2, this:r241_1
# 241| m241_4(unknown) = ^CallSideEffect : ~m240_7
# 241| m241_5(unknown) = Chi : total:m240_7, partial:m241_4
# 241| v241_6(void) = ^BufferReadSideEffect[-1] : &:r241_1, ~m240_9
# 241| v241_6(void) = ^IndirectReadSideEffect[-1] : &:r241_1, m240_9
# 241| m241_7(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r241_1
# 241| m241_8(Constructible) = Chi : total:m240_9, partial:m241_7
# 242| r242_1(glval<Constructible>) = VariableAddress[c] :
@@ -1067,7 +1067,7 @@ ssa.cpp:
# 242| v242_3(void) = Call[g] : func:r242_2, this:r242_1
# 242| m242_4(unknown) = ^CallSideEffect : ~m241_5
# 242| m242_5(unknown) = Chi : total:m241_5, partial:m242_4
# 242| v242_6(void) = ^BufferReadSideEffect[-1] : &:r242_1, ~m241_8
# 242| v242_6(void) = ^IndirectReadSideEffect[-1] : &:r242_1, m241_8
# 242| m242_7(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r242_1
# 242| m242_8(Constructible) = Chi : total:m241_8, partial:m242_7
# 243| r243_1(glval<Constructible>) = VariableAddress[c2] :
@@ -1084,7 +1084,7 @@ ssa.cpp:
# 244| v244_3(void) = Call[g] : func:r244_2, this:r244_1
# 244| m244_4(unknown) = ^CallSideEffect : ~m243_7
# 244| m244_5(unknown) = Chi : total:m243_7, partial:m244_4
# 244| v244_6(void) = ^BufferReadSideEffect[-1] : &:r244_1, ~m243_9
# 244| v244_6(void) = ^IndirectReadSideEffect[-1] : &:r244_1, m243_9
# 244| m244_7(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r244_1
# 244| m244_8(Constructible) = Chi : total:m243_9, partial:m244_7
# 245| v245_1(void) = NoOp :

6
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
View File

@@ -1054,7 +1054,7 @@ ssa.cpp:
# 241| v241_3(void) = Call[g] : func:r241_2, this:r241_1
# 241| m241_4(unknown) = ^CallSideEffect : ~m240_7
# 241| m241_5(unknown) = Chi : total:m240_7, partial:m241_4
# 241| v241_6(void) = ^BufferReadSideEffect[-1] : &:r241_1, ~m240_9
# 241| v241_6(void) = ^IndirectReadSideEffect[-1] : &:r241_1, m240_9
# 241| m241_7(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r241_1
# 241| m241_8(Constructible) = Chi : total:m240_9, partial:m241_7
# 242| r242_1(glval<Constructible>) = VariableAddress[c] :
@@ -1062,7 +1062,7 @@ ssa.cpp:
# 242| v242_3(void) = Call[g] : func:r242_2, this:r242_1
# 242| m242_4(unknown) = ^CallSideEffect : ~m241_5
# 242| m242_5(unknown) = Chi : total:m241_5, partial:m242_4
# 242| v242_6(void) = ^BufferReadSideEffect[-1] : &:r242_1, ~m241_8
# 242| v242_6(void) = ^IndirectReadSideEffect[-1] : &:r242_1, m241_8
# 242| m242_7(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r242_1
# 242| m242_8(Constructible) = Chi : total:m241_8, partial:m242_7
# 243| r243_1(glval<Constructible>) = VariableAddress[c2] :
@@ -1079,7 +1079,7 @@ ssa.cpp:
# 244| v244_3(void) = Call[g] : func:r244_2, this:r244_1
# 244| m244_4(unknown) = ^CallSideEffect : ~m243_7
# 244| m244_5(unknown) = Chi : total:m243_7, partial:m244_4
# 244| v244_6(void) = ^BufferReadSideEffect[-1] : &:r244_1, ~m243_9
# 244| v244_6(void) = ^IndirectReadSideEffect[-1] : &:r244_1, m243_9
# 244| m244_7(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r244_1
# 244| m244_8(Constructible) = Chi : total:m243_9, partial:m244_7
# 245| v245_1(void) = NoOp :

6
cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
View File

@@ -983,13 +983,13 @@ ssa.cpp:
# 241| r241_2(glval<unknown>) = FunctionAddress[g] :
# 241| v241_3(void) = Call[g] : func:r241_2, this:r241_1
# 241| mu241_4(unknown) = ^CallSideEffect : ~m?
# 241| v241_5(void) = ^BufferReadSideEffect[-1] : &:r241_1, ~m?
# 241| v241_5(void) = ^IndirectReadSideEffect[-1] : &:r241_1, ~m?
# 241| mu241_6(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r241_1
# 242| r242_1(glval<Constructible>) = VariableAddress[c] :
# 242| r242_2(glval<unknown>) = FunctionAddress[g] :
# 242| v242_3(void) = Call[g] : func:r242_2, this:r242_1
# 242| mu242_4(unknown) = ^CallSideEffect : ~m?
# 242| v242_5(void) = ^BufferReadSideEffect[-1] : &:r242_1, ~m?
# 242| v242_5(void) = ^IndirectReadSideEffect[-1] : &:r242_1, ~m?
# 242| mu242_6(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r242_1
# 243| r243_1(glval<Constructible>) = VariableAddress[c2] :
# 243| mu243_2(Constructible) = Uninitialized[c2] : &:r243_1
@@ -1002,7 +1002,7 @@ ssa.cpp:
# 244| r244_2(glval<unknown>) = FunctionAddress[g] :
# 244| v244_3(void) = Call[g] : func:r244_2, this:r244_1
# 244| mu244_4(unknown) = ^CallSideEffect : ~m?
# 244| v244_5(void) = ^BufferReadSideEffect[-1] : &:r244_1, ~m?
# 244| v244_5(void) = ^IndirectReadSideEffect[-1] : &:r244_1, ~m?
# 244| mu244_6(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r244_1
# 245| v245_1(void) = NoOp :
# 239| v239_4(void) = ReturnVoid :

6
cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
View File

@@ -983,13 +983,13 @@ ssa.cpp:
# 241| r241_2(glval<unknown>) = FunctionAddress[g] :
# 241| v241_3(void) = Call[g] : func:r241_2, this:r241_1
# 241| mu241_4(unknown) = ^CallSideEffect : ~m?
# 241| v241_5(void) = ^BufferReadSideEffect[-1] : &:r241_1, ~m?
# 241| v241_5(void) = ^IndirectReadSideEffect[-1] : &:r241_1, ~m?
# 241| mu241_6(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r241_1
# 242| r242_1(glval<Constructible>) = VariableAddress[c] :
# 242| r242_2(glval<unknown>) = FunctionAddress[g] :
# 242| v242_3(void) = Call[g] : func:r242_2, this:r242_1
# 242| mu242_4(unknown) = ^CallSideEffect : ~m?
# 242| v242_5(void) = ^BufferReadSideEffect[-1] : &:r242_1, ~m?
# 242| v242_5(void) = ^IndirectReadSideEffect[-1] : &:r242_1, ~m?
# 242| mu242_6(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r242_1
# 243| r243_1(glval<Constructible>) = VariableAddress[c2] :
# 243| mu243_2(Constructible) = Uninitialized[c2] : &:r243_1
@@ -1002,7 +1002,7 @@ ssa.cpp:
# 244| r244_2(glval<unknown>) = FunctionAddress[g] :
# 244| v244_3(void) = Call[g] : func:r244_2, this:r244_1
# 244| mu244_4(unknown) = ^CallSideEffect : ~m?
# 244| v244_5(void) = ^BufferReadSideEffect[-1] : &:r244_1, ~m?
# 244| v244_5(void) = ^IndirectReadSideEffect[-1] : &:r244_1, ~m?
# 244| mu244_6(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r244_1
# 245| v245_1(void) = NoOp :
# 239| v239_4(void) = ReturnVoid :

1
cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.expected
View File

@@ -10,3 +10,4 @@
| test.cpp:89:18:89:23 | call to malloc | This memory is never freed |
| test.cpp:156:3:156:26 | new | This memory is never freed |
| test.cpp:157:3:157:26 | new[] | This memory is never freed |
| test.cpp:167:14:167:19 | call to strdup | This memory is never freed |

12
cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp
View File

@@ -156,3 +156,15 @@ int overloadedNew() {
new(std::nothrow) int(3); // BAD
new(std::nothrow) int[2]; // BAD
}
// --- strdup ---
char *strdup(const char *s1);
void output_msg(const char *msg);
void test_strdup() {
char msg[] = "OctoCat";
char *cpy = strdup(msg); // BAD
output_msg(cpy);
}

4
cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.expected
View File

@@ -19,3 +19,7 @@
| test.cpp:144:32:144:36 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:150:32:150:36 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:153:46:153:50 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:166:22:166:27 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:168:24:168:29 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:169:23:169:28 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:171:7:171:12 | ... = ... | Use of '=' where '==' may have been intended. |

18
cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp
View File

@@ -153,3 +153,21 @@ void f3(int x, int y) {
if((x == 10) || ((z == z) && (x == 1)) && (y = 2)) { // BAD
}
}
bool use(int);
void f4(int x, bool b) {
if((x = 10) && use(x)) {} // GOOD: This is likely just a short-hand way of writing an assignment
// followed by a boolean check.
if((x = 10) && b && use(x)) {} // GOOD: Same reason as above
if((x = 10) && use(x) && b) {} // GOOD: Same reason as above
if((x = 10) && (use(x) && b)) {} // GOOD: Same reason as above
if(use(x) && b && (x = 10)) {} // BAD: The assignment is the last thing that happens in the comparison.
// This doesn't match the usual pattern.
if((use(x) && b) && (x = 10)) {} // BAD: Same reason as above
if(use(x) && (b && (x = 10))) {} // BAD: Same reason as above
if((x = 10) || use(x)) {} // BAD: This doesn't follow the usual style of writing an assignment in
// a boolean check.
}

27
cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp
View File

@@ -189,3 +189,30 @@ int *&conversionInFlow() {
int *&pRef = p; // has conversion in the middle of data flow
return pRef; // BAD [NOT DETECTED]
}
namespace std {
template<typename T>
class shared_ptr {
public:
shared_ptr() noexcept;
explicit shared_ptr(T*);
shared_ptr(const shared_ptr&) noexcept;
template<class U> shared_ptr(const shared_ptr<U>&) noexcept;
template<class U> shared_ptr(shared_ptr<U>&&) noexcept;
shared_ptr<T>& operator=(const shared_ptr<T>&) noexcept;
shared_ptr<T>& operator=(shared_ptr<T>&&) noexcept;
T& operator*() const noexcept;
T* operator->() const noexcept;
T* get() const noexcept;
};
}
auto make_read_port()
{
auto port = std::shared_ptr<int>(new int);
auto ptr = port.get();
return ptr; // GOOD
}

2
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
View File

@@ -3,6 +3,4 @@
| test.c:50:3:50:5 | sc3 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:49:9:49:16 | 127 | Extreme value |
| test.c:59:3:59:5 | sc6 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:58:9:58:16 | 127 | Extreme value |
| test.c:63:3:63:5 | sc8 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:62:9:62:16 | - ... | Extreme value |
| test.c:75:3:75:5 | sc1 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:74:9:74:16 | 127 | Extreme value |
| test.c:76:3:76:5 | sc1 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:74:9:74:16 | 127 | Extreme value |
| test.c:124:9:124:9 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:118:17:118:23 | 2147483647 | Extreme value |

4
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
View File

@@ -72,8 +72,8 @@ void test_negatives() {
signed char sc1, sc2, sc3, sc4, sc5, sc6, sc7, sc8;
sc1 = CHAR_MAX;
sc1 += 0; // GOOD [FALSE POSITIVE]
sc1 += -1; // GOOD [FALSE POSITIVE]
sc1 += 0; // GOOD
sc1 += -1; // GOOD
sc2 = CHAR_MIN;
sc2 += -1; // BAD [NOT DETECTED]
sc3 = CHAR_MIN;

3
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
View File

@@ -1,8 +1,5 @@
| test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
| test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
| test3.c:15:10:15:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
| test3.c:15:14:15:14 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
| test3.c:15:18:15:18 | z | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
| test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |

1
cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/UnreleasedLock.expected
View File

@@ -7,3 +7,4 @@
| test.cpp:303:11:303:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
| test.cpp:313:11:313:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
| test.cpp:442:8:442:17 | call to mutex_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
| test.cpp:482:2:482:19 | call to pthread_mutex_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |

43
cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/test.cpp
View File

@@ -445,3 +445,46 @@ bool test_mutex(data_t *data)
return true;
}
// ---
struct pthread_mutex
{
// ...
};
void pthread_mutex_lock(pthread_mutex *m);
void pthread_mutex_unlock(pthread_mutex *m);
class MyClass
{
public:
pthread_mutex lock;
};
bool maybe();
int test_MyClass_good(MyClass *obj)
{
pthread_mutex_lock(&obj->lock);
if (maybe()) {
pthread_mutex_unlock(&obj->lock);
return -1; // GOOD
}
pthread_mutex_unlock(&obj->lock); // GOOD
return 0;
}
int test_MyClass_bad(MyClass *obj)
{
pthread_mutex_lock(&obj->lock);
if (maybe()) {
return -1; // BAD
}
pthread_mutex_unlock(&obj->lock); // GOOD
return 0;
}

9
cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.expected
View File

@@ -18,9 +18,10 @@
| NoDestructor.cpp:23:3:23:20 | ... = ... | Resource n is acquired by class MyClass5 but not released anywhere in this class. |
| PlacementNew.cpp:36:3:36:36 | ... = ... | Resource p1 is acquired by class MyTestForPlacementNew but not released anywhere in this class. |
| SelfRegistering.cpp:25:3:25:24 | ... = ... | Resource side is acquired by class MyOwner but not released anywhere in this class. |
| Variants.cpp:25:3:25:13 | ... = ... | Resource f is acquired by class MyClass4 but not released anywhere in this class. |
| Variants.cpp:65:3:65:17 | ... = ... | Resource a is acquired by class MyClass6 but not released anywhere in this class. |
| Variants.cpp:66:3:66:36 | ... = ... | Resource b is acquired by class MyClass6 but not released anywhere in this class. |
| Variants.cpp:67:3:67:41 | ... = ... | Resource c is acquired by class MyClass6 but not released anywhere in this class. |
| Variants.cpp:26:3:26:13 | ... = ... | Resource f is acquired by class MyClass4 but not released anywhere in this class. |
| Variants.cpp:69:3:69:17 | ... = ... | Resource a is acquired by class MyClass6 but not released anywhere in this class. |
| Variants.cpp:70:3:70:36 | ... = ... | Resource b is acquired by class MyClass6 but not released anywhere in this class. |
| Variants.cpp:71:3:71:41 | ... = ... | Resource c is acquired by class MyClass6 but not released anywhere in this class. |
| Variants.cpp:72:3:72:22 | ... = ... | Resource d is acquired by class MyClass6 but not released anywhere in this class. |
| Wrapped.cpp:46:3:46:22 | ... = ... | Resource ptr2 is acquired by class Wrapped2 but not released anywhere in this class. |
| Wrapped.cpp:59:3:59:22 | ... = ... | Resource ptr4 is acquired by class Wrapped2 but not released anywhere in this class. |

6
cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Variants.cpp
View File

@@ -5,6 +5,7 @@ void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size);
void *realloc(void *ptr, size_t size);
void free(void* ptr);
char *strdup(const char *s1);
int *ID(int *x)
{
@@ -45,6 +46,7 @@ public:
a = new int[10]; // GOOD
b = (int *)calloc(10, sizeof(int)); // GOOD
c = (int *)realloc(0, 10 * sizeof(int)); // GOOD
d = strdup("string");
}
~MyClass5()
@@ -52,9 +54,11 @@ public:
delete [] a;
free(b);
free(c);
free(d);
}
int *a, *b, *c;
char *d;
};
class MyClass6
@@ -65,6 +69,7 @@ public:
a = new int[10]; // BAD
b = (int *)calloc(10, sizeof(int)); // BAD
c = (int *)realloc(0, 10 * sizeof(int)); // BAD
d = strdup("string"); // BAD
}
~MyClass6()
@@ -72,6 +77,7 @@ public:
}
int *a, *b, *c;
char *d;
};
class MyClass7