Merge branch 'main' into xxe

Geoffrey White
2022-04-22 11:50:41 +01:00
486 changed files with 12369 additions and 19528 deletions


@@ -1,3 +1,26 @@
## 0.0.13
## 0.0.12
### Breaking Changes
* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
### Deprecated APIs
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
### New Features
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
### Minor Analysis Improvements
* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.
* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
## 0.0.11
### Minor Analysis Improvements


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.


@@ -1,5 +0,0 @@
---
category: deprecated
---
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.


@@ -1,4 +0,0 @@
---
category: feature
---
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.


@@ -1,4 +0,0 @@
---
category: breaking
---
* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.


@@ -0,0 +1,4 @@
---
category: breaking
---
The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.


@@ -0,0 +1,20 @@
## 0.0.12
### Breaking Changes
* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
### Deprecated APIs
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
### New Features
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
### Minor Analysis Improvements
* `DefaultOptions::exits` now holds for C11 functions with the `_Noreturn` or `noreturn` specifier.
* `hasImplicitCopyConstructor` and `hasImplicitCopyAssignmentOperator` now correctly handle implicitly-deleted operators in templates.
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.


@@ -0,0 +1 @@
## 0.0.13


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.11
lastReleaseVersion: 0.0.13


@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.0.12-dev
version: 0.1.0-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp


@@ -84,6 +84,7 @@ private int fileHeaderLimit(File f) {
fc = fileFirstComment(f) and
result =
min(int line |
// code ending the initial comments
exists(DeclarationEntry de, Location l |
l = de.getLocation() and
l.getFile() = f and
@@ -105,7 +106,13 @@ private int fileHeaderLimit(File f) {
line > fc
)
or
// end of the file
line = f.getMetrics().getNumberOfLines()
or
// rarely, we've seen extremely long sequences of initial comments
// (and/or limitations in the above constraints) cause an overflow of
// the maximum string length. So don't look past 1000 lines regardless.
line = 1000
)
)
}
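Review bot: The new cap `line = 1000` at the end of the `min(...)` aggregate is a bare literal, and it silently changes the result for any file whose leading comments run past line 1000: text beyond that line is no longer counted as header. The added comment explains why the cap exists but not that effect, so I would state it on the predicate, e.g. `/** Gets the line where the header of f ends, never more than 1000. */`, and consider defining the limit once in a small private predicate. The new disjunct also does not carry the `line > fc` constraint that the preceding branch has, so for a file whose first comment starts after line 1000 the limit would fall before it; presumably harmless, but `fileHeaderLimit` begins outside these hunks and that cannot be confirmed from here.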


@@ -109,10 +109,7 @@ class Element extends ElementBase {
then
exists(MacroInvocation mi |
this = mi.getAGeneratedElement() and
not exists(MacroInvocation closer |
this = closer.getAGeneratedElement() and
mi = closer.getParentInvocation+()
) and
not hasCloserMacroInvocation(this, mi) and
result = mi.getMacro()
)
else result = this
@@ -236,6 +233,14 @@ class Element extends ElementBase {
}
}
pragma[noinline]
private predicate hasCloserMacroInvocation(Element elem, MacroInvocation mi) {
exists(MacroInvocation closer |
elem = closer.getAGeneratedElement() and
mi = closer.getParentInvocation()
)
}
private predicate isFromTemplateInstantiationRec(Element e, Element instantiation) {
instantiation.(Function).isConstructedFrom(_) and
e = instantiation
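Review bot: `hasCloserMacroInvocation` tests `mi = closer.getParentInvocation()`, whereas the inline condition it replaces used the transitive `getParentInvocation+()`, so this is not a pure extraction into a helper. The two forms agree only if every invocation between `closer` and `mi` also reports the element through `getAGeneratedElement()`; that looks intended but cannot be confirmed from this section. I would record the assumption in QLDoc on the new predicate, e.g. `/** Holds if a direct child invocation of mi also generates elem. */`, and add a line saying why `pragma[noinline]` is needed.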


@@ -27,11 +27,11 @@ int getBufferSize(Expr bufferExpr, Element why) {
result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
why = bufferVar and
not memberMayBeVarSize(_, bufferVar) and
not result = 0 // zero sized arrays are likely to have special usage, for example
or
// zero sized arrays are likely to have special usage, for example
// behaving a bit like a 'union' overlapping other fields.
// buffer is an initialized array
// e.g. int buffer[] = {1, 2, 3};
not result = 0
or
// buffer is an initialized array, e.g., int buffer[] = {1, 2, 3};
why = bufferVar.getInitializer().getExpr() and
(
why instanceof AggregateLiteral or


@@ -80,7 +80,11 @@ abstract class StackVariableReachability extends string {
j > i and
sink = bb.getNode(j) and
this.isSink(sink, v) and
not exists(int k | this.isBarrier(bb.getNode(k), v) | k in [i + 1 .. j - 1])
not exists(int k, ControlFlowNode node |
node = bb.getNode(k) and this.isBarrier(pragma[only_bind_into](node), v)
|
k in [i + 1 .. j - 1]
)
)
or
not exists(int k | this.isBarrier(bb.getNode(k), v) | k > i) and
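Review bot: The rewritten `not exists(int k, ControlFlowNode node | ...)` introduces `pragma[only_bind_into](node)` with no explanation, while the second disjunct on the last line of the hunk keeps the original `this.isBarrier(bb.getNode(k), v)` form. A short comment such as `// join-order hint: isBarrier must not be used to bind node` would tell the next reader that the extra variable is an optimiser hint and not a logic change. If the `k > i` case was left alone deliberately, a word saying so would help; the enclosing predicate starts and ends outside the hunk, so whether it needs the same treatment cannot be judged from here.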


@@ -87,21 +87,9 @@ abstract class Configuration extends string {
/** Holds if data flow into `node` is prohibited. */
predicate isBarrierIn(Node node) { none() }
/**
* Holds if data flow into `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierIn(Node node, FlowState state) { none() }
/** Holds if data flow out of `node` is prohibited. */
predicate isBarrierOut(Node node) { none() }
/**
* Holds if data flow out of `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierOut(Node node, FlowState state) { none() }
/** Holds if data flow through nodes guarded by `guard` is prohibited. */
predicate isBarrierGuard(BarrierGuard guard) { none() }
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
}
private predicate fullInBarrier(NodeEx node, Configuration config) {
private predicate inBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n, state)
|
config.isSource(n, state)
)
}
private predicate fullOutBarrier(NodeEx node, Configuration config) {
private predicate outBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n, state)
|
config.isSink(n, state)
)
}
pragma[nomagic]
private predicate fullBarrier(NodeEx node, Configuration config) {
exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
exists(Node n | node.asNode() = n |
config.isBarrier(n, state)
or
config.isBarrierIn(n, state) and
not config.isSource(n, state)
or
config.isBarrierOut(n, state) and
not config.isSink(n, state)
or
exists(BarrierGuard g |
config.isBarrierGuard(g, state) and
n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
/** Provides the relevant barriers for a step from `node1` to `node2`. */
pragma[inline]
private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
not fullOutBarrier(node1, config) and
not fullInBarrier(node2, config) and
not outBarrier(node1, config) and
not inBarrier(node2, config) and
not fullBarrier(node1, config) and
not fullBarrier(node2, config)
}
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config)
)
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config) and
not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
revFlow(node, true, config) and
fwdFlow(node, true, config) and
not fullInBarrier(node, config) and
not fullOutBarrier(node, config)
not inBarrier(node, config) and
not outBarrier(node, config)
}
/** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
) {
viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
Stage1::revFlow(ret, config) and
not fullOutBarrier(ret, config) and
not fullInBarrier(out, config)
not outBarrier(ret, config) and
not inBarrier(out, config)
}
pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
) {
viableParamArgNodeCand1(call, p, arg, config) and
Stage1::revFlow(p, config) and
not fullOutBarrier(arg, config) and
not fullInBarrier(p, config)
not outBarrier(arg, config) and
not inBarrier(p, config)
}
/**
@@ -1158,8 +1118,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
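Review bot: With the state-aware `isBarrierIn`/`isBarrierOut` gone, the only per-state barriers left in `stateBarrier` are the unconditional `config.isBarrier(n, state)` and the guard case, and the QLDoc on the remaining `isBarrierIn(Node node)` and `isBarrierOut(Node node)` does not say that they now apply in every flow state. The removed code exempted sources and sinks (`not config.isSource(n, state)`, `not config.isSink(n, state)`), so a configuration moved over to `isBarrier(node, state)` will also block flow at a source or sink in that state unless it repeats that exclusion, which can change query results. I would extend the QLDoc, e.g. `/** Holds if data flow into node is prohibited, in any flow state. */`, and mention the source/sink difference in the change note. The `pragma[nomagic]` added to `revPartialPathStep` in the last hunk also has no comment. The same hunks recur in the three sections that follow, and this applies to them as well.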


@@ -87,21 +87,9 @@ abstract class Configuration extends string {
/** Holds if data flow into `node` is prohibited. */
predicate isBarrierIn(Node node) { none() }
/**
* Holds if data flow into `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierIn(Node node, FlowState state) { none() }
/** Holds if data flow out of `node` is prohibited. */
predicate isBarrierOut(Node node) { none() }
/**
* Holds if data flow out of `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierOut(Node node, FlowState state) { none() }
/** Holds if data flow through nodes guarded by `guard` is prohibited. */
predicate isBarrierGuard(BarrierGuard guard) { none() }
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
}
private predicate fullInBarrier(NodeEx node, Configuration config) {
private predicate inBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n, state)
|
config.isSource(n, state)
)
}
private predicate fullOutBarrier(NodeEx node, Configuration config) {
private predicate outBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n, state)
|
config.isSink(n, state)
)
}
pragma[nomagic]
private predicate fullBarrier(NodeEx node, Configuration config) {
exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
exists(Node n | node.asNode() = n |
config.isBarrier(n, state)
or
config.isBarrierIn(n, state) and
not config.isSource(n, state)
or
config.isBarrierOut(n, state) and
not config.isSink(n, state)
or
exists(BarrierGuard g |
config.isBarrierGuard(g, state) and
n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
/** Provides the relevant barriers for a step from `node1` to `node2`. */
pragma[inline]
private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
not fullOutBarrier(node1, config) and
not fullInBarrier(node2, config) and
not outBarrier(node1, config) and
not inBarrier(node2, config) and
not fullBarrier(node1, config) and
not fullBarrier(node2, config)
}
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config)
)
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config) and
not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
revFlow(node, true, config) and
fwdFlow(node, true, config) and
not fullInBarrier(node, config) and
not fullOutBarrier(node, config)
not inBarrier(node, config) and
not outBarrier(node, config)
}
/** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
) {
viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
Stage1::revFlow(ret, config) and
not fullOutBarrier(ret, config) and
not fullInBarrier(out, config)
not outBarrier(ret, config) and
not inBarrier(out, config)
}
pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
) {
viableParamArgNodeCand1(call, p, arg, config) and
Stage1::revFlow(p, config) and
not fullOutBarrier(arg, config) and
not fullInBarrier(p, config)
not outBarrier(arg, config) and
not inBarrier(p, config)
}
/**
@@ -1158,8 +1118,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config


@@ -87,21 +87,9 @@ abstract class Configuration extends string {
/** Holds if data flow into `node` is prohibited. */
predicate isBarrierIn(Node node) { none() }
/**
* Holds if data flow into `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierIn(Node node, FlowState state) { none() }
/** Holds if data flow out of `node` is prohibited. */
predicate isBarrierOut(Node node) { none() }
/**
* Holds if data flow out of `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierOut(Node node, FlowState state) { none() }
/** Holds if data flow through nodes guarded by `guard` is prohibited. */
predicate isBarrierGuard(BarrierGuard guard) { none() }
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
}
private predicate fullInBarrier(NodeEx node, Configuration config) {
private predicate inBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n, state)
|
config.isSource(n, state)
)
}
private predicate fullOutBarrier(NodeEx node, Configuration config) {
private predicate outBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n, state)
|
config.isSink(n, state)
)
}
pragma[nomagic]
private predicate fullBarrier(NodeEx node, Configuration config) {
exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
exists(Node n | node.asNode() = n |
config.isBarrier(n, state)
or
config.isBarrierIn(n, state) and
not config.isSource(n, state)
or
config.isBarrierOut(n, state) and
not config.isSink(n, state)
or
exists(BarrierGuard g |
config.isBarrierGuard(g, state) and
n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
/** Provides the relevant barriers for a step from `node1` to `node2`. */
pragma[inline]
private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
not fullOutBarrier(node1, config) and
not fullInBarrier(node2, config) and
not outBarrier(node1, config) and
not inBarrier(node2, config) and
not fullBarrier(node1, config) and
not fullBarrier(node2, config)
}
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config)
)
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config) and
not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
revFlow(node, true, config) and
fwdFlow(node, true, config) and
not fullInBarrier(node, config) and
not fullOutBarrier(node, config)
not inBarrier(node, config) and
not outBarrier(node, config)
}
/** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
) {
viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
Stage1::revFlow(ret, config) and
not fullOutBarrier(ret, config) and
not fullInBarrier(out, config)
not outBarrier(ret, config) and
not inBarrier(out, config)
}
pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
) {
viableParamArgNodeCand1(call, p, arg, config) and
Stage1::revFlow(p, config) and
not fullOutBarrier(arg, config) and
not fullInBarrier(p, config)
not outBarrier(arg, config) and
not inBarrier(p, config)
}
/**
@@ -1158,8 +1118,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config


@@ -87,21 +87,9 @@ abstract class Configuration extends string {
/** Holds if data flow into `node` is prohibited. */
predicate isBarrierIn(Node node) { none() }
/**
* Holds if data flow into `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierIn(Node node, FlowState state) { none() }
/** Holds if data flow out of `node` is prohibited. */
predicate isBarrierOut(Node node) { none() }
/**
* Holds if data flow out of `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierOut(Node node, FlowState state) { none() }
/** Holds if data flow through nodes guarded by `guard` is prohibited. */
predicate isBarrierGuard(BarrierGuard guard) { none() }
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
}
private predicate fullInBarrier(NodeEx node, Configuration config) {
private predicate inBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n, state)
|
config.isSource(n, state)
)
}
private predicate fullOutBarrier(NodeEx node, Configuration config) {
private predicate outBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n, state)
|
config.isSink(n, state)
)
}
pragma[nomagic]
private predicate fullBarrier(NodeEx node, Configuration config) {
exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
exists(Node n | node.asNode() = n |
config.isBarrier(n, state)
or
config.isBarrierIn(n, state) and
not config.isSource(n, state)
or
config.isBarrierOut(n, state) and
not config.isSink(n, state)
or
exists(BarrierGuard g |
config.isBarrierGuard(g, state) and
n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
/** Provides the relevant barriers for a step from `node1` to `node2`. */
pragma[inline]
private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
not fullOutBarrier(node1, config) and
not fullInBarrier(node2, config) and
not outBarrier(node1, config) and
not inBarrier(node2, config) and
not fullBarrier(node1, config) and
not fullBarrier(node2, config)
}
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config)
)
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config) and
not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
revFlow(node, true, config) and
fwdFlow(node, true, config) and
not fullInBarrier(node, config) and
not fullOutBarrier(node, config)
not inBarrier(node, config) and
not outBarrier(node, config)
}
/** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
) {
viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
Stage1::revFlow(ret, config) and
not fullOutBarrier(ret, config) and
not fullInBarrier(out, config)
not outBarrier(ret, config) and
not inBarrier(out, config)
}
pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
) {
viableParamArgNodeCand1(call, p, arg, config) and
Stage1::revFlow(p, config) and
not fullOutBarrier(arg, config) and
not fullInBarrier(p, config)
not outBarrier(arg, config) and
not inBarrier(p, config)
}
/**
@@ -1158,8 +1118,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config


@@ -87,21 +87,9 @@ abstract class Configuration extends string {
/** Holds if data flow into `node` is prohibited. */
predicate isBarrierIn(Node node) { none() }
/**
* Holds if data flow into `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierIn(Node node, FlowState state) { none() }
/** Holds if data flow out of `node` is prohibited. */
predicate isBarrierOut(Node node) { none() }
/**
* Holds if data flow out of `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierOut(Node node, FlowState state) { none() }
/** Holds if data flow through nodes guarded by `guard` is prohibited. */
predicate isBarrierGuard(BarrierGuard guard) { none() }
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
}
private predicate fullInBarrier(NodeEx node, Configuration config) {
private predicate inBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n, state)
|
config.isSource(n, state)
)
}
private predicate fullOutBarrier(NodeEx node, Configuration config) {
private predicate outBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n, state)
|
config.isSink(n, state)
)
}
pragma[nomagic]
private predicate fullBarrier(NodeEx node, Configuration config) {
exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
exists(Node n | node.asNode() = n |
config.isBarrier(n, state)
or
config.isBarrierIn(n, state) and
not config.isSource(n, state)
or
config.isBarrierOut(n, state) and
not config.isSink(n, state)
or
exists(BarrierGuard g |
config.isBarrierGuard(g, state) and
n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
/** Provides the relevant barriers for a step from `node1` to `node2`. */
pragma[inline]
private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
not fullOutBarrier(node1, config) and
not fullInBarrier(node2, config) and
not outBarrier(node1, config) and
not inBarrier(node2, config) and
not fullBarrier(node1, config) and
not fullBarrier(node2, config)
}
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config)
)
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config) and
not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
revFlow(node, true, config) and
fwdFlow(node, true, config) and
not fullInBarrier(node, config) and
not fullOutBarrier(node, config)
not inBarrier(node, config) and
not outBarrier(node, config)
}
/** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
) {
viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
Stage1::revFlow(ret, config) and
not fullOutBarrier(ret, config) and
not fullInBarrier(out, config)
not outBarrier(ret, config) and
not inBarrier(out, config)
}
pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
) {
viableParamArgNodeCand1(call, p, arg, config) and
Stage1::revFlow(p, config) and
not fullOutBarrier(arg, config) and
not fullInBarrier(p, config)
not outBarrier(arg, config) and
not inBarrier(p, config)
}
/**
@@ -1158,8 +1118,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
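Review bot: The state-aware `isBarrierIn(Node node, FlowState state)` and `isBarrierOut(Node node, FlowState state)` leave `Configuration` in the first hunk (it shrinks from 21 to 9 lines) with no deprecated alias visible, and `stateBarrier`, `additionalLocalStateStep` and `additionalJumpStateStep` stop consulting them. The state-dependent blocking that remains in these hunks is `config.isBarrier(n, state)` and `config.isBarrierGuard(g, state)`, and unlike the dropped `isBarrierIn(n, state) and not config.isSource(n, state)` form they carry no exemption for a node that is itself a source or sink in that state, so a query ported to `isBarrier` may lose paths that start or end at such a node, which in a security query means missed alerts. Before merging I would check that no configuration still overrides the two-argument forms and record the removal as a breaking change with a line such as `use isBarrier(node, state) only where the node is not also a source or sink in that state`. The same point covers the other copies of this file later in the commit and the `isSanitizerIn`/`isSanitizerOut` removals in the taint-tracking sections; several of the predicates touched here begin or end outside their hunks.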


@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
/** Holds if taint propagation into `node` is prohibited. */
predicate isSanitizerIn(DataFlow::Node node) { none() }
/**
* Holds if taint propagation into `node` is prohibited when the flow state is
* `state`.
*/
predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
this.isSanitizerIn(node, state)
}
final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
/** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {
final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
/**
* Holds if taint propagation out of `node` is prohibited when the flow state is
* `state`.
*/
predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
this.isSanitizerOut(node, state)
}
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }


@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
/** Holds if taint propagation into `node` is prohibited. */
predicate isSanitizerIn(DataFlow::Node node) { none() }
/**
* Holds if taint propagation into `node` is prohibited when the flow state is
* `state`.
*/
predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
this.isSanitizerIn(node, state)
}
final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
/** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {
final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
/**
* Holds if taint propagation out of `node` is prohibited when the flow state is
* `state`.
*/
predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
this.isSanitizerOut(node, state)
}
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }


@@ -87,21 +87,9 @@ abstract class Configuration extends string {
/** Holds if data flow into `node` is prohibited. */
predicate isBarrierIn(Node node) { none() }
/**
* Holds if data flow into `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierIn(Node node, FlowState state) { none() }
/** Holds if data flow out of `node` is prohibited. */
predicate isBarrierOut(Node node) { none() }
/**
* Holds if data flow out of `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierOut(Node node, FlowState state) { none() }
/** Holds if data flow through nodes guarded by `guard` is prohibited. */
predicate isBarrierGuard(BarrierGuard guard) { none() }
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
}
private predicate fullInBarrier(NodeEx node, Configuration config) {
private predicate inBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n, state)
|
config.isSource(n, state)
)
}
private predicate fullOutBarrier(NodeEx node, Configuration config) {
private predicate outBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n, state)
|
config.isSink(n, state)
)
}
pragma[nomagic]
private predicate fullBarrier(NodeEx node, Configuration config) {
exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
exists(Node n | node.asNode() = n |
config.isBarrier(n, state)
or
config.isBarrierIn(n, state) and
not config.isSource(n, state)
or
config.isBarrierOut(n, state) and
not config.isSink(n, state)
or
exists(BarrierGuard g |
config.isBarrierGuard(g, state) and
n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
/** Provides the relevant barriers for a step from `node1` to `node2`. */
pragma[inline]
private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
not fullOutBarrier(node1, config) and
not fullInBarrier(node2, config) and
not outBarrier(node1, config) and
not inBarrier(node2, config) and
not fullBarrier(node1, config) and
not fullBarrier(node2, config)
}
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config)
)
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config) and
not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
revFlow(node, true, config) and
fwdFlow(node, true, config) and
not fullInBarrier(node, config) and
not fullOutBarrier(node, config)
not inBarrier(node, config) and
not outBarrier(node, config)
}
/** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
) {
viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
Stage1::revFlow(ret, config) and
not fullOutBarrier(ret, config) and
not fullInBarrier(out, config)
not outBarrier(ret, config) and
not inBarrier(out, config)
}
pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
) {
viableParamArgNodeCand1(call, p, arg, config) and
Stage1::revFlow(p, config) and
not fullOutBarrier(arg, config) and
not fullInBarrier(p, config)
not outBarrier(arg, config) and
not inBarrier(p, config)
}
/**
@@ -1158,8 +1118,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config


@@ -87,21 +87,9 @@ abstract class Configuration extends string {
/** Holds if data flow into `node` is prohibited. */
predicate isBarrierIn(Node node) { none() }
/**
* Holds if data flow into `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierIn(Node node, FlowState state) { none() }
/** Holds if data flow out of `node` is prohibited. */
predicate isBarrierOut(Node node) { none() }
/**
* Holds if data flow out of `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierOut(Node node, FlowState state) { none() }
/** Holds if data flow through nodes guarded by `guard` is prohibited. */
predicate isBarrierGuard(BarrierGuard guard) { none() }
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
}
private predicate fullInBarrier(NodeEx node, Configuration config) {
private predicate inBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n, state)
|
config.isSource(n, state)
)
}
private predicate fullOutBarrier(NodeEx node, Configuration config) {
private predicate outBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n, state)
|
config.isSink(n, state)
)
}
pragma[nomagic]
private predicate fullBarrier(NodeEx node, Configuration config) {
exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
exists(Node n | node.asNode() = n |
config.isBarrier(n, state)
or
config.isBarrierIn(n, state) and
not config.isSource(n, state)
or
config.isBarrierOut(n, state) and
not config.isSink(n, state)
or
exists(BarrierGuard g |
config.isBarrierGuard(g, state) and
n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
/** Provides the relevant barriers for a step from `node1` to `node2`. */
pragma[inline]
private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
not fullOutBarrier(node1, config) and
not fullInBarrier(node2, config) and
not outBarrier(node1, config) and
not inBarrier(node2, config) and
not fullBarrier(node1, config) and
not fullBarrier(node2, config)
}
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config)
)
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config) and
not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
revFlow(node, true, config) and
fwdFlow(node, true, config) and
not fullInBarrier(node, config) and
not fullOutBarrier(node, config)
not inBarrier(node, config) and
not outBarrier(node, config)
}
/** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
) {
viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
Stage1::revFlow(ret, config) and
not fullOutBarrier(ret, config) and
not fullInBarrier(out, config)
not outBarrier(ret, config) and
not inBarrier(out, config)
}
pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
) {
viableParamArgNodeCand1(call, p, arg, config) and
Stage1::revFlow(p, config) and
not fullOutBarrier(arg, config) and
not fullInBarrier(p, config)
not outBarrier(arg, config) and
not inBarrier(p, config)
}
/**
@@ -1158,8 +1118,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config


@@ -87,21 +87,9 @@ abstract class Configuration extends string {
/** Holds if data flow into `node` is prohibited. */
predicate isBarrierIn(Node node) { none() }
/**
* Holds if data flow into `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierIn(Node node, FlowState state) { none() }
/** Holds if data flow out of `node` is prohibited. */
predicate isBarrierOut(Node node) { none() }
/**
* Holds if data flow out of `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierOut(Node node, FlowState state) { none() }
/** Holds if data flow through nodes guarded by `guard` is prohibited. */
predicate isBarrierGuard(BarrierGuard guard) { none() }
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
}
private predicate fullInBarrier(NodeEx node, Configuration config) {
private predicate inBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n, state)
|
config.isSource(n, state)
)
}
private predicate fullOutBarrier(NodeEx node, Configuration config) {
private predicate outBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n, state)
|
config.isSink(n, state)
)
}
pragma[nomagic]
private predicate fullBarrier(NodeEx node, Configuration config) {
exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
exists(Node n | node.asNode() = n |
config.isBarrier(n, state)
or
config.isBarrierIn(n, state) and
not config.isSource(n, state)
or
config.isBarrierOut(n, state) and
not config.isSink(n, state)
or
exists(BarrierGuard g |
config.isBarrierGuard(g, state) and
n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
/** Provides the relevant barriers for a step from `node1` to `node2`. */
pragma[inline]
private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
not fullOutBarrier(node1, config) and
not fullInBarrier(node2, config) and
not outBarrier(node1, config) and
not inBarrier(node2, config) and
not fullBarrier(node1, config) and
not fullBarrier(node2, config)
}
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config)
)
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config) and
not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
revFlow(node, true, config) and
fwdFlow(node, true, config) and
not fullInBarrier(node, config) and
not fullOutBarrier(node, config)
not inBarrier(node, config) and
not outBarrier(node, config)
}
/** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
) {
viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
Stage1::revFlow(ret, config) and
not fullOutBarrier(ret, config) and
not fullInBarrier(out, config)
not outBarrier(ret, config) and
not inBarrier(out, config)
}
pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
) {
viableParamArgNodeCand1(call, p, arg, config) and
Stage1::revFlow(p, config) and
not fullOutBarrier(arg, config) and
not fullInBarrier(p, config)
not outBarrier(arg, config) and
not inBarrier(p, config)
}
/**
@@ -1158,8 +1118,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config


@@ -87,21 +87,9 @@ abstract class Configuration extends string {
/** Holds if data flow into `node` is prohibited. */
predicate isBarrierIn(Node node) { none() }
/**
* Holds if data flow into `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierIn(Node node, FlowState state) { none() }
/** Holds if data flow out of `node` is prohibited. */
predicate isBarrierOut(Node node) { none() }
/**
* Holds if data flow out of `node` is prohibited when the flow state is
* `state`
*/
predicate isBarrierOut(Node node, FlowState state) { none() }
/** Holds if data flow through nodes guarded by `guard` is prohibited. */
predicate isBarrierGuard(BarrierGuard guard) { none() }
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
}
private predicate fullInBarrier(NodeEx node, Configuration config) {
private predicate inBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierIn(n, state)
|
config.isSource(n, state)
)
}
private predicate fullOutBarrier(NodeEx node, Configuration config) {
private predicate outBarrier(NodeEx node, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
)
}
private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
exists(Node n |
node.asNode() = n and
config.isBarrierOut(n, state)
|
config.isSink(n, state)
)
}
pragma[nomagic]
private predicate fullBarrier(NodeEx node, Configuration config) {
exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
exists(Node n | node.asNode() = n |
config.isBarrier(n, state)
or
config.isBarrierIn(n, state) and
not config.isSource(n, state)
or
config.isBarrierOut(n, state) and
not config.isSink(n, state)
or
exists(BarrierGuard g |
config.isBarrierGuard(g, state) and
n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
/** Provides the relevant barriers for a step from `node1` to `node2`. */
pragma[inline]
private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
not fullOutBarrier(node1, config) and
not fullInBarrier(node2, config) and
not outBarrier(node1, config) and
not inBarrier(node2, config) and
not fullBarrier(node1, config) and
not fullBarrier(node2, config)
}
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config)
)
@@ -517,8 +479,6 @@ private predicate additionalJumpStateStep(
config.isAdditionalFlowStep(n1, s1, n2, s2) and
getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
stepFilter(node1, node2, config) and
not stateOutBarrier(node1, s1, config) and
not stateInBarrier(node2, s2, config) and
not stateBarrier(node1, s1, config) and
not stateBarrier(node2, s2, config) and
not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -918,8 +878,8 @@ private module Stage1 {
private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
revFlow(node, true, config) and
fwdFlow(node, true, config) and
not fullInBarrier(node, config) and
not fullOutBarrier(node, config)
not inBarrier(node, config) and
not outBarrier(node, config)
}
/** Holds if flow may return from `callable`. */
@@ -1014,8 +974,8 @@ private predicate flowOutOfCallNodeCand1(
) {
viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
Stage1::revFlow(ret, config) and
not fullOutBarrier(ret, config) and
not fullInBarrier(out, config)
not outBarrier(ret, config) and
not inBarrier(out, config)
}
pragma[nomagic]
@@ -1036,8 +996,8 @@ private predicate flowIntoCallNodeCand1(
) {
viableParamArgNodeCand1(call, p, arg, config) and
Stage1::revFlow(p, config) and
not fullOutBarrier(arg, config) and
not fullInBarrier(p, config)
not outBarrier(arg, config) and
not inBarrier(p, config)
}
/**
@@ -1158,8 +1118,8 @@ private module Stage2 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
bindingset[node1, state1, config]
bindingset[node2, state2, config]
@@ -1246,7 +1206,7 @@ private module Stage2 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -1951,8 +1911,8 @@ private module Stage3 {
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) { any() }
private predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
@@ -2035,7 +1995,7 @@ private module Stage3 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -2765,12 +2725,11 @@ private module Stage4 {
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) {
bindingset[node, cc]
private LocalCc getLocalCc(NodeEx node, Cc cc) {
result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
node.getEnclosingCallable()) and
exists(config)
node.getEnclosingCallable())
}
private predicate localStep(
@@ -2863,7 +2822,7 @@ private module Stage4 {
or
exists(NodeEx mid, FlowState state0, Ap ap0, LocalCc localCc |
fwdFlow(mid, state0, cc, argAp, ap0, config) and
localCc = getLocalCc(mid, cc, config)
localCc = getLocalCc(mid, cc)
|
localStep(mid, state0, node, state, true, _, config, localCc) and
ap = ap0
@@ -5048,6 +5007,7 @@ private module FlowExploration {
)
}
pragma[nomagic]
private predicate revPartialPathStep(
PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config


@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
/** Holds if taint propagation into `node` is prohibited. */
predicate isSanitizerIn(DataFlow::Node node) { none() }
/**
* Holds if taint propagation into `node` is prohibited when the flow state is
* `state`.
*/
predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
this.isSanitizerIn(node, state)
}
final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
/** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {
final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
/**
* Holds if taint propagation out of `node` is prohibited when the flow state is
* `state`.
*/
predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
this.isSanitizerOut(node, state)
}
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }


@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
/** Holds if taint propagation into `node` is prohibited. */
predicate isSanitizerIn(DataFlow::Node node) { none() }
/**
* Holds if taint propagation into `node` is prohibited when the flow state is
* `state`.
*/
predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
this.isSanitizerIn(node, state)
}
final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
/** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {
final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
/**
* Holds if taint propagation out of `node` is prohibited when the flow state is
* `state`.
*/
predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
this.isSanitizerOut(node, state)
}
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }


@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
/** Holds if taint propagation into `node` is prohibited. */
predicate isSanitizerIn(DataFlow::Node node) { none() }
/**
* Holds if taint propagation into `node` is prohibited when the flow state is
* `state`.
*/
predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
this.isSanitizerIn(node, state)
}
final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
/** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {
final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
/**
* Holds if taint propagation out of `node` is prohibited when the flow state is
* `state`.
*/
predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
this.isSanitizerOut(node, state)
}
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }


@@ -25,6 +25,7 @@ predicate guardedAbs(Operation e, Expr use) {
* Holds if the value of `use` is guarded to be less than something, and `e`
* is in code controlled by that guard (where the guard condition held).
*/
pragma[nomagic]
predicate guardedLesser(Operation e, Expr use) {
exists(GuardCondition c | c.ensuresLt(use, _, _, e.getBasicBlock(), true))
or
@@ -35,6 +36,7 @@ predicate guardedLesser(Operation e, Expr use) {
* Holds if the value of `use` is guarded to be greater than something, and `e`
* is in code controlled by that guard (where the guard condition held).
*/
pragma[nomagic]
predicate guardedGreater(Operation e, Expr use) {
exists(GuardCondition c | c.ensuresLt(use, _, _, e.getBasicBlock(), false))
or


@@ -58,5 +58,5 @@ where
not exists(AsmStmt s | f = s.getEnclosingFunction()) and
not v.getAnAttribute().getName() = "unused" and
not any(ErrorExpr e).getEnclosingFunction() = f and // unextracted expr may use `v`
not any(ConditionDeclExpr cde).getEnclosingFunction() = f // this case can be removed when the `if (a = b; a)` test case doesn't depend on this exclusion
not any(ConditionDeclExpr cde).getEnclosingFunction() = f // this case can be removed when the `if (a = b; a)` and `switch (a = b; a)` test cases don't depend on this exclusion
select v, "Variable " + v.getName() + " is not used"


@@ -1,3 +1,12 @@
## 0.0.13
## 0.0.12
### Minor Analysis Improvements
* The `cpp/overflow-destination`, `cpp/unclear-array-index-validation`, and `cpp/uncontrolled-allocation-size` queries have been modernized and converted to `path-problem` queries and provide more true positive results.
* The `cpp/system-data-exposure` query has been increased from `medium` to `high` precision, following a number of improvements to the query logic.
## 0.0.11
### Breaking Changes


@@ -116,8 +116,8 @@ class ExecTaintConfiguration extends TaintTracking::Configuration {
state instanceof ConcatState
}
override predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) {
isSink(node, state) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
override predicate isSanitizerOut(DataFlow::Node node) {
isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
}
}
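Review bot: The state-less `isSanitizerOut(DataFlow::Node node)` with `isSink(node, _)` stops flow out of a node in every flow state once it is a sink in any one state, which is broader than the state-specific override printed just before it (I am reading the second pair of lines as the new side, since the library sections on this page drop the stateful `isBarrierOut`). If a node can be a sink for one state while flow in another state still has to pass through it, results beyond that node would be lost silently. It is worth recording that on the predicate, e.g. `// Blocks every state at any sink; sound only if no flow needs to continue past a sink node`, and confirming it against the query's expected results. The enclosing class starts outside the hunk.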


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `cpp/system-data-exposure` query has been increased from `medium` to `high` precision, following a number of improvements to the query logic.


@@ -1,4 +1,6 @@
---
category: minorAnalysis
---
## 0.0.12
### Minor Analysis Improvements
* The `cpp/overflow-destination`, `cpp/unclear-array-index-validation`, and `cpp/uncontrolled-allocation-size` queries have been modernized and converted to `path-problem` queries and provide more true positive results.
* The `cpp/system-data-exposure` query has been increased from `medium` to `high` precision, following a number of improvements to the query logic.


@@ -0,0 +1 @@
## 0.0.13


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.11
lastReleaseVersion: 0.0.13


@@ -21,7 +21,7 @@ class WriteAccessCheckMacro extends Macro {
VariableAccess va;
WriteAccessCheckMacro() {
this.getName() = ["user_write_access_begin", "user_access_begin"] and
this.getName() = ["user_write_access_begin", "user_access_begin", "access_ok"] and
va.getEnclosingElement() = this.getAnInvocation().getAnExpandedElement()
}
@@ -37,7 +37,8 @@ class UnSafePutUserMacro extends Macro {
}
Expr getUserModePtr() {
result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier()
result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier() or
result = writeUserPtr.getOperand()
}
}
@@ -46,11 +47,13 @@ class ExploitableUserModePtrParam extends Parameter {
not exists(WriteAccessCheckMacro writeAccessCheck |
DataFlow::localFlow(DataFlow::parameterNode(this),
DataFlow::exprNode(writeAccessCheck.getArgument()))
) and
exists(UnSafePutUserMacro unsafePutUser |
DataFlow::localFlow(DataFlow::parameterNode(this),
DataFlow::exprNode(unsafePutUser.getUserModePtr()))
)
}
}
from ExploitableUserModePtrParam p, UnSafePutUserMacro unsafePutUser
where
DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(unsafePutUser.getUserModePtr()))
from ExploitableUserModePtrParam p
select p, "unsafe_put_user write user-mode pointer $@ without check.", p, p.toString()
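Review bot: The `not exists(WriteAccessCheckMacro ...)` test in `ExploitableUserModePtrParam` only asks whether the parameter flows locally to the argument of some access-check macro; it does not require the check to come before the `unsafe_put_user` write or its result to be tested. With `access_ok` now in the name list, a function that evaluates `access_ok` on the pointer and ignores the result, or does so only after the write, is presumably no longer reported, which is a false negative on the pattern the query exists to find. Consider requiring the check to control the basic block of the write (a `GuardCondition`-style test, as used in the guard predicates elsewhere in this commit, if that library is available here). At minimum, document the limitation with `// NOTE: any access check on the parameter suppresses the result, regardless of position or of whether its return value is used`. The characteristic predicate starts outside the hunk.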


@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.0.12-dev
version: 0.1.0-dev
groups:
- cpp
- queries


@@ -13365,6 +13365,200 @@ ir.cpp:
# 1717| <params>:
# 1717| getEntryPoint(): [BlockStmt] { ... }
# 1717| getStmt(0): [ReturnStmt] return ...
# 1721| [CopyAssignmentOperator] CopyConstructorWithImplicitArgumentClass& CopyConstructorWithImplicitArgumentClass::operator=(CopyConstructorWithImplicitArgumentClass const&)
# 1721| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
# 1724| [Constructor] void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass()
# 1724| <params>:
# 1724| <initializations>:
# 1724| getEntryPoint(): [BlockStmt] { ... }
# 1724| getStmt(0): [ReturnStmt] return ...
# 1725| [CopyConstructor] void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass(CopyConstructorWithImplicitArgumentClass const&)
# 1725| <params>:
# 1725| getParameter(0): [Parameter] c
# 1725| Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
# 1725| <initializations>:
# 1725| getEntryPoint(): [BlockStmt] { ... }
# 1726| getStmt(0): [ExprStmt] ExprStmt
# 1726| getExpr(): [AssignExpr] ... = ...
# 1726| Type = [IntType] int
# 1726| ValueCategory = lvalue
# 1726| getLValue(): [PointerFieldAccess] x
# 1726| Type = [IntType] int
# 1726| ValueCategory = lvalue
# 1726| getQualifier(): [ThisExpr] this
# 1726| Type = [PointerType] CopyConstructorWithImplicitArgumentClass *
# 1726| ValueCategory = prvalue(load)
# 1726| getRValue(): [ReferenceFieldAccess] x
# 1726| Type = [IntType] int
# 1726| ValueCategory = prvalue(load)
# 1726| getQualifier(): [VariableAccess] c
# 1726| Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
# 1726| ValueCategory = prvalue(load)
# 1726| getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
# 1726| Type = [SpecifiedType] const CopyConstructorWithImplicitArgumentClass
# 1726| ValueCategory = lvalue
# 1727| getStmt(1): [ReturnStmt] return ...
# 1730| [CopyAssignmentOperator] CopyConstructorWithBitwiseCopyClass& CopyConstructorWithBitwiseCopyClass::operator=(CopyConstructorWithBitwiseCopyClass const&)
# 1730| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorWithBitwiseCopyClass &
# 1730| [MoveAssignmentOperator] CopyConstructorWithBitwiseCopyClass& CopyConstructorWithBitwiseCopyClass::operator=(CopyConstructorWithBitwiseCopyClass&&)
# 1730| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorWithBitwiseCopyClass &&
# 1730| [CopyConstructor] void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass(CopyConstructorWithBitwiseCopyClass const&)
# 1730| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorWithBitwiseCopyClass &
# 1730| [MoveConstructor] void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass(CopyConstructorWithBitwiseCopyClass&&)
# 1730| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorWithBitwiseCopyClass &&
# 1733| [Constructor] void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass()
# 1733| <params>:
# 1733| <initializations>:
# 1733| getEntryPoint(): [BlockStmt] { ... }
# 1733| getStmt(0): [ReturnStmt] return ...
# 1736| [CopyAssignmentOperator] CopyConstructorTestNonVirtualClass& CopyConstructorTestNonVirtualClass::operator=(CopyConstructorTestNonVirtualClass const&)
# 1736| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1736| [MoveAssignmentOperator] CopyConstructorTestNonVirtualClass& CopyConstructorTestNonVirtualClass::operator=(CopyConstructorTestNonVirtualClass&&)
# 1736| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorTestNonVirtualClass &&
# 1736| [CopyConstructor] void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass(CopyConstructorTestNonVirtualClass const&)
# 1736| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1736| <initializations>:
# 1736| getInitializer(0): [ConstructorDirectInit] call to CopyConstructorWithImplicitArgumentClass
# 1736| Type = [VoidType] void
# 1736| ValueCategory = prvalue
# 1736| getArgument(0): [VariableAccess] (unnamed parameter 0)
# 1736| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1736| ValueCategory = prvalue(load)
# 1736| getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
# 1736| Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
# 1736| ValueCategory = prvalue
# 1736| getExpr(): [CStyleCast] (const CopyConstructorWithImplicitArgumentClass)...
# 1736| Conversion = [BaseClassConversion] base class conversion
# 1736| Type = [SpecifiedType] const CopyConstructorWithImplicitArgumentClass
# 1736| ValueCategory = lvalue
# 1736| getExpr(): [ReferenceDereferenceExpr] (reference dereference)
# 1736| Type = [SpecifiedType] const CopyConstructorTestNonVirtualClass
# 1736| ValueCategory = lvalue
# 1736| getInitializer(1): (no string representation)
# 1736| Type = [VirtualBaseClass] CopyConstructorWithBitwiseCopyClass
# 1736| ValueCategory = prvalue
# 1736| getEntryPoint(): [BlockStmt] { ... }
# 1736| getStmt(0): [ReturnStmt] return ...
# 1736| [MoveConstructor] void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass(CopyConstructorTestNonVirtualClass&&)
# 1736| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorTestNonVirtualClass &&
# 1740| [Constructor] void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass()
# 1740| <params>:
# 1740| <initializations>:
# 1740| getInitializer(0): [ConstructorDirectInit] call to CopyConstructorWithImplicitArgumentClass
# 1740| Type = [VoidType] void
# 1740| ValueCategory = prvalue
# 1740| getInitializer(1): [ConstructorDirectInit] call to CopyConstructorWithBitwiseCopyClass
# 1740| Type = [VoidType] void
# 1740| ValueCategory = prvalue
# 1740| getEntryPoint(): [BlockStmt] { ... }
# 1740| getStmt(0): [ReturnStmt] return ...
# 1743| [CopyAssignmentOperator] CopyConstructorTestVirtualClass& CopyConstructorTestVirtualClass::operator=(CopyConstructorTestVirtualClass const&)
# 1743| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1743| [MoveAssignmentOperator] CopyConstructorTestVirtualClass& CopyConstructorTestVirtualClass::operator=(CopyConstructorTestVirtualClass&&)
# 1743| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorTestVirtualClass &&
# 1743| [CopyConstructor] void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass(CopyConstructorTestVirtualClass const&)
# 1743| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1743| <initializations>:
# 1743| getInitializer(0): [ConstructorVirtualInit] call to CopyConstructorWithImplicitArgumentClass
# 1743| Type = [VoidType] void
# 1743| ValueCategory = prvalue
# 1743| getArgument(0): [VariableAccess] (unnamed parameter 0)
# 1743| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1743| ValueCategory = prvalue(load)
# 1743| getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
# 1743| Type = [LValueReferenceType] const CopyConstructorWithImplicitArgumentClass &
# 1743| ValueCategory = prvalue
# 1743| getExpr(): [CStyleCast] (const CopyConstructorWithImplicitArgumentClass)...
# 1743| Conversion = [BaseClassConversion] base class conversion
# 1743| Type = [SpecifiedType] const CopyConstructorWithImplicitArgumentClass
# 1743| ValueCategory = lvalue
# 1743| getExpr(): [ReferenceDereferenceExpr] (reference dereference)
# 1743| Type = [SpecifiedType] const CopyConstructorTestVirtualClass
# 1743| ValueCategory = lvalue
# 1743| getInitializer(1): (no string representation)
# 1743| Type = [VirtualBaseClass] CopyConstructorWithBitwiseCopyClass
# 1743| ValueCategory = prvalue
# 1743| getEntryPoint(): [BlockStmt] { ... }
# 1743| getStmt(0): [ReturnStmt] return ...
# 1743| [MoveConstructor] void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass(CopyConstructorTestVirtualClass&&)
# 1743| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] CopyConstructorTestVirtualClass &&
# 1747| [Constructor] void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass()
# 1747| <params>:
# 1747| <initializations>:
# 1747| getInitializer(0): [ConstructorVirtualInit] call to CopyConstructorWithImplicitArgumentClass
# 1747| Type = [VoidType] void
# 1747| ValueCategory = prvalue
# 1747| getInitializer(1): [ConstructorVirtualInit] call to CopyConstructorWithBitwiseCopyClass
# 1747| Type = [VoidType] void
# 1747| ValueCategory = prvalue
# 1747| getEntryPoint(): [BlockStmt] { ... }
# 1747| getStmt(0): [ReturnStmt] return ...
# 1750| [TopLevelFunction] int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&)
# 1750| <params>:
# 1751| getParameter(0): [Parameter] x
# 1751| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1752| getParameter(1): [Parameter] y
# 1752| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1752| getEntryPoint(): [BlockStmt] { ... }
# 1753| getStmt(0): [DeclStmt] declaration
# 1753| getDeclarationEntry(0): [VariableDeclarationEntry] definition of cx
# 1753| Type = [Class] CopyConstructorTestNonVirtualClass
# 1753| getVariable().getInitializer(): [Initializer] initializer for cx
# 1753| getExpr(): [ConstructorCall] call to CopyConstructorTestNonVirtualClass
# 1753| Type = [VoidType] void
# 1753| ValueCategory = prvalue
# 1753| getArgument(0): [VariableAccess] x
# 1753| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1753| ValueCategory = prvalue(load)
# 1753| getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
# 1753| Type = [LValueReferenceType] const CopyConstructorTestNonVirtualClass &
# 1753| ValueCategory = prvalue
# 1753| getExpr(): [ReferenceDereferenceExpr] (reference dereference)
# 1753| Type = [SpecifiedType] const CopyConstructorTestNonVirtualClass
# 1753| ValueCategory = lvalue
# 1754| getStmt(1): [DeclStmt] declaration
# 1754| getDeclarationEntry(0): [VariableDeclarationEntry] definition of cy
# 1754| Type = [Class] CopyConstructorTestVirtualClass
# 1754| getVariable().getInitializer(): [Initializer] initializer for cy
# 1754| getExpr(): [ConstructorCall] call to CopyConstructorTestVirtualClass
# 1754| Type = [VoidType] void
# 1754| ValueCategory = prvalue
# 1754| getArgument(0): [VariableAccess] y
# 1754| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1754| ValueCategory = prvalue(load)
# 1754| getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
# 1754| Type = [LValueReferenceType] const CopyConstructorTestVirtualClass &
# 1754| ValueCategory = prvalue
# 1754| getExpr(): [ReferenceDereferenceExpr] (reference dereference)
# 1754| Type = [SpecifiedType] const CopyConstructorTestVirtualClass
# 1754| ValueCategory = lvalue
# 1755| getStmt(2): [ReturnStmt] return ...
perf-regression.cpp:
# 4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
# 4| <params>:


@@ -1718,4 +1718,40 @@ void captured_lambda2(TrivialLambdaClass p1, TrivialLambdaClass &p2, TrivialLamb
};
}
class CopyConstructorWithImplicitArgumentClass {
int x;
public:
CopyConstructorWithImplicitArgumentClass() {}
CopyConstructorWithImplicitArgumentClass(const CopyConstructorWithImplicitArgumentClass &c) {
x = c.x;
}
};
class CopyConstructorWithBitwiseCopyClass {
int y;
public:
CopyConstructorWithBitwiseCopyClass() {}
};
class CopyConstructorTestNonVirtualClass :
public CopyConstructorWithImplicitArgumentClass,
public CopyConstructorWithBitwiseCopyClass {
public:
CopyConstructorTestNonVirtualClass() {}
};
class CopyConstructorTestVirtualClass :
public virtual CopyConstructorWithImplicitArgumentClass,
public virtual CopyConstructorWithBitwiseCopyClass {
public:
CopyConstructorTestVirtualClass() {}
};
int implicit_copy_constructor_test(
const CopyConstructorTestNonVirtualClass &x,
const CopyConstructorTestVirtualClass &y) {
CopyConstructorTestNonVirtualClass cx = x;
CopyConstructorTestVirtualClass cy = y;
}
// semmle-extractor-options: -std=c++17 --clang
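Review bot: `implicit_copy_constructor_test` is declared to return `int` but its body ends after the two copy-initialisations without a `return`, so flowing off the end is undefined behaviour if the function is ever called. If the test only needs the implicit copy-constructor calls, declare it `void`; if the missing return is deliberate for the IR dump, say so with `// no return: only the implicit copy constructors are under test`. Changing the signature would also change the expected-output entries for this function.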


@@ -670,6 +670,10 @@
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_1 |
| file://:0:0:0:0 | Address | &:r0_2 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
@@ -686,6 +690,10 @@
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_3 |
| file://:0:0:0:0 | Address | &:r0_5 |
| file://:0:0:0:0 | Address | &:r0_5 |
| file://:0:0:0:0 | Address | &:r0_5 |
@@ -746,6 +754,8 @@
| file://:0:0:0:0 | Load | m0_2 |
| file://:0:0:0:0 | Load | m0_2 |
| file://:0:0:0:0 | Load | m0_2 |
| file://:0:0:0:0 | Load | m0_2 |
| file://:0:0:0:0 | Load | m0_2 |
| file://:0:0:0:0 | Load | m745_6 |
| file://:0:0:0:0 | Load | m754_6 |
| file://:0:0:0:0 | Load | m763_6 |
@@ -767,6 +777,8 @@
| file://:0:0:0:0 | SideEffect | m0_4 |
| file://:0:0:0:0 | SideEffect | m0_4 |
| file://:0:0:0:0 | SideEffect | m0_4 |
| file://:0:0:0:0 | SideEffect | m0_4 |
| file://:0:0:0:0 | SideEffect | m0_4 |
| file://:0:0:0:0 | SideEffect | m1078_23 |
| file://:0:0:0:0 | SideEffect | m1078_23 |
| file://:0:0:0:0 | SideEffect | m1084_23 |
@@ -8009,6 +8021,200 @@
| ir.cpp:1717:30:1717:30 | Load | m1717_6 |
| ir.cpp:1717:30:1717:30 | SideEffect | m1717_3 |
| ir.cpp:1717:30:1717:30 | SideEffect | m1717_8 |
| ir.cpp:1724:5:1724:44 | Address | &:r1724_5 |
| ir.cpp:1724:5:1724:44 | Address | &:r1724_5 |
| ir.cpp:1724:5:1724:44 | Address | &:r1724_7 |
| ir.cpp:1724:5:1724:44 | Address | &:r1724_7 |
| ir.cpp:1724:5:1724:44 | ChiPartial | partial:m1724_3 |
| ir.cpp:1724:5:1724:44 | ChiTotal | total:m1724_2 |
| ir.cpp:1724:5:1724:44 | Load | m1724_6 |
| ir.cpp:1724:5:1724:44 | SideEffect | m1724_3 |
| ir.cpp:1724:5:1724:44 | SideEffect | m1724_8 |
| ir.cpp:1725:5:1725:44 | Address | &:r1725_5 |
| ir.cpp:1725:5:1725:44 | Address | &:r1725_5 |
| ir.cpp:1725:5:1725:44 | Address | &:r1725_7 |
| ir.cpp:1725:5:1725:44 | Address | &:r1725_7 |
| ir.cpp:1725:5:1725:44 | ChiPartial | partial:m1725_3 |
| ir.cpp:1725:5:1725:44 | ChiTotal | total:m1725_2 |
| ir.cpp:1725:5:1725:44 | Load | m1725_6 |
| ir.cpp:1725:5:1725:44 | SideEffect | m1725_3 |
| ir.cpp:1725:5:1725:44 | SideEffect | m1726_10 |
| ir.cpp:1725:94:1725:94 | Address | &:r1725_9 |
| ir.cpp:1725:94:1725:94 | Address | &:r1725_9 |
| ir.cpp:1725:94:1725:94 | Address | &:r1725_11 |
| ir.cpp:1725:94:1725:94 | Address | &:r1725_11 |
| ir.cpp:1725:94:1725:94 | Load | m1725_10 |
| ir.cpp:1725:94:1725:94 | SideEffect | m1725_12 |
| ir.cpp:1726:9:1726:9 | Address | &:r1726_6 |
| ir.cpp:1726:9:1726:9 | Address | &:r1726_8 |
| ir.cpp:1726:9:1726:9 | Load | m1725_6 |
| ir.cpp:1726:9:1726:9 | Unary | r1726_7 |
| ir.cpp:1726:9:1726:15 | ChiPartial | partial:m1726_9 |
| ir.cpp:1726:9:1726:15 | ChiTotal | total:m1725_8 |
| ir.cpp:1726:13:1726:13 | Address | &:r1726_1 |
| ir.cpp:1726:13:1726:13 | Load | m1725_10 |
| ir.cpp:1726:13:1726:13 | Unary | r1726_2 |
| ir.cpp:1726:13:1726:13 | Unary | r1726_3 |
| ir.cpp:1726:15:1726:15 | Address | &:r1726_4 |
| ir.cpp:1726:15:1726:15 | Load | ~m1725_12 |
| ir.cpp:1726:15:1726:15 | StoreValue | r1726_5 |
| ir.cpp:1733:5:1733:39 | Address | &:r1733_5 |
| ir.cpp:1733:5:1733:39 | Address | &:r1733_5 |
| ir.cpp:1733:5:1733:39 | Address | &:r1733_7 |
| ir.cpp:1733:5:1733:39 | Address | &:r1733_7 |
| ir.cpp:1733:5:1733:39 | ChiPartial | partial:m1733_3 |
| ir.cpp:1733:5:1733:39 | ChiTotal | total:m1733_2 |
| ir.cpp:1733:5:1733:39 | Load | m1733_6 |
| ir.cpp:1733:5:1733:39 | SideEffect | m1733_3 |
| ir.cpp:1733:5:1733:39 | SideEffect | m1733_8 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_5 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_5 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_7 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_7 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_9 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_11 |
| ir.cpp:1736:7:1736:7 | Address | &:r1736_15 |
| ir.cpp:1736:7:1736:7 | Arg(0) | 0:r1736_15 |
| ir.cpp:1736:7:1736:7 | Arg(this) | this:r1736_9 |
| ir.cpp:1736:7:1736:7 | CallTarget | func:r1736_10 |
| ir.cpp:1736:7:1736:7 | ChiPartial | partial:m1736_3 |
| ir.cpp:1736:7:1736:7 | ChiPartial | partial:m1736_17 |
| ir.cpp:1736:7:1736:7 | ChiPartial | partial:m1736_20 |
| ir.cpp:1736:7:1736:7 | ChiTotal | total:m1736_2 |
| ir.cpp:1736:7:1736:7 | ChiTotal | total:m1736_4 |
| ir.cpp:1736:7:1736:7 | ChiTotal | total:m1736_8 |
| ir.cpp:1736:7:1736:7 | Load | m0_2 |
| ir.cpp:1736:7:1736:7 | Load | m1736_6 |
| ir.cpp:1736:7:1736:7 | SideEffect | m1736_21 |
| ir.cpp:1736:7:1736:7 | SideEffect | ~m0_4 |
| ir.cpp:1736:7:1736:7 | SideEffect | ~m1736_4 |
| ir.cpp:1736:7:1736:7 | SideEffect | ~m1736_18 |
| ir.cpp:1736:7:1736:7 | Unary | m1736_6 |
| ir.cpp:1736:7:1736:7 | Unary | r1736_12 |
| ir.cpp:1736:7:1736:7 | Unary | r1736_13 |
| ir.cpp:1736:7:1736:7 | Unary | r1736_14 |
| ir.cpp:1740:5:1740:38 | Address | &:r1740_5 |
| ir.cpp:1740:5:1740:38 | Address | &:r1740_5 |
| ir.cpp:1740:5:1740:38 | Address | &:r1740_7 |
| ir.cpp:1740:5:1740:38 | Address | &:r1740_7 |
| ir.cpp:1740:5:1740:38 | ChiPartial | partial:m1740_3 |
| ir.cpp:1740:5:1740:38 | ChiTotal | total:m1740_2 |
| ir.cpp:1740:5:1740:38 | Load | m1740_6 |
| ir.cpp:1740:5:1740:38 | SideEffect | m1740_22 |
| ir.cpp:1740:5:1740:38 | SideEffect | ~m1740_20 |
| ir.cpp:1740:5:1740:38 | Unary | m1740_6 |
| ir.cpp:1740:5:1740:38 | Unary | m1740_6 |
| ir.cpp:1740:42:1740:42 | Address | &:r1740_9 |
| ir.cpp:1740:42:1740:42 | Address | &:r1740_16 |
| ir.cpp:1740:42:1740:42 | Arg(this) | this:r1740_9 |
| ir.cpp:1740:42:1740:42 | Arg(this) | this:r1740_16 |
| ir.cpp:1740:42:1740:42 | CallTarget | func:r1740_10 |
| ir.cpp:1740:42:1740:42 | CallTarget | func:r1740_17 |
| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_12 |
| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_14 |
| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_19 |
| ir.cpp:1740:42:1740:42 | ChiPartial | partial:m1740_21 |
| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_4 |
| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_8 |
| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_13 |
| ir.cpp:1740:42:1740:42 | ChiTotal | total:m1740_15 |
| ir.cpp:1740:42:1740:42 | SideEffect | ~m1740_4 |
| ir.cpp:1740:42:1740:42 | SideEffect | ~m1740_13 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_5 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_5 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_7 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_7 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_9 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_11 |
| ir.cpp:1743:7:1743:7 | Address | &:r1743_15 |
| ir.cpp:1743:7:1743:7 | Arg(0) | 0:r1743_15 |
| ir.cpp:1743:7:1743:7 | Arg(this) | this:r1743_9 |
| ir.cpp:1743:7:1743:7 | CallTarget | func:r1743_10 |
| ir.cpp:1743:7:1743:7 | ChiPartial | partial:m1743_3 |
| ir.cpp:1743:7:1743:7 | ChiPartial | partial:m1743_17 |
| ir.cpp:1743:7:1743:7 | ChiPartial | partial:m1743_20 |
| ir.cpp:1743:7:1743:7 | ChiTotal | total:m1743_2 |
| ir.cpp:1743:7:1743:7 | ChiTotal | total:m1743_4 |
| ir.cpp:1743:7:1743:7 | ChiTotal | total:m1743_18 |
| ir.cpp:1743:7:1743:7 | Load | m0_2 |
| ir.cpp:1743:7:1743:7 | Load | m1743_6 |
| ir.cpp:1743:7:1743:7 | SideEffect | m1743_8 |
| ir.cpp:1743:7:1743:7 | SideEffect | ~m0_4 |
| ir.cpp:1743:7:1743:7 | SideEffect | ~m1743_4 |
| ir.cpp:1743:7:1743:7 | SideEffect | ~m1743_21 |
| ir.cpp:1743:7:1743:7 | Unary | m1743_6 |
| ir.cpp:1743:7:1743:7 | Unary | r1743_12 |
| ir.cpp:1743:7:1743:7 | Unary | r1743_13 |
| ir.cpp:1743:7:1743:7 | Unary | r1743_14 |
| ir.cpp:1747:5:1747:35 | Address | &:r1747_5 |
| ir.cpp:1747:5:1747:35 | Address | &:r1747_5 |
| ir.cpp:1747:5:1747:35 | Address | &:r1747_7 |
| ir.cpp:1747:5:1747:35 | Address | &:r1747_7 |
| ir.cpp:1747:5:1747:35 | ChiPartial | partial:m1747_3 |
| ir.cpp:1747:5:1747:35 | ChiTotal | total:m1747_2 |
| ir.cpp:1747:5:1747:35 | Load | m1747_6 |
| ir.cpp:1747:5:1747:35 | SideEffect | m1747_8 |
| ir.cpp:1747:5:1747:35 | SideEffect | ~m1747_22 |
| ir.cpp:1747:5:1747:35 | Unary | m1747_6 |
| ir.cpp:1747:5:1747:35 | Unary | m1747_6 |
| ir.cpp:1747:39:1747:39 | Address | &:r1747_9 |
| ir.cpp:1747:39:1747:39 | Address | &:r1747_16 |
| ir.cpp:1747:39:1747:39 | Arg(this) | this:r1747_9 |
| ir.cpp:1747:39:1747:39 | Arg(this) | this:r1747_16 |
| ir.cpp:1747:39:1747:39 | CallTarget | func:r1747_10 |
| ir.cpp:1747:39:1747:39 | CallTarget | func:r1747_17 |
| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_12 |
| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_14 |
| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_19 |
| ir.cpp:1747:39:1747:39 | ChiPartial | partial:m1747_21 |
| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_4 |
| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_13 |
| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_15 |
| ir.cpp:1747:39:1747:39 | ChiTotal | total:m1747_20 |
| ir.cpp:1747:39:1747:39 | SideEffect | ~m1747_4 |
| ir.cpp:1747:39:1747:39 | SideEffect | ~m1747_15 |
| ir.cpp:1750:5:1750:34 | ChiPartial | partial:m1750_3 |
| ir.cpp:1750:5:1750:34 | ChiTotal | total:m1750_2 |
| ir.cpp:1751:51:1751:51 | Address | &:r1751_1 |
| ir.cpp:1751:51:1751:51 | Address | &:r1751_1 |
| ir.cpp:1751:51:1751:51 | Address | &:r1751_3 |
| ir.cpp:1751:51:1751:51 | Load | m1751_2 |
| ir.cpp:1752:48:1752:48 | Address | &:r1752_1 |
| ir.cpp:1752:48:1752:48 | Address | &:r1752_1 |
| ir.cpp:1752:48:1752:48 | Address | &:r1752_3 |
| ir.cpp:1752:48:1752:48 | Load | m1752_2 |
| ir.cpp:1753:40:1753:41 | Address | &:r1753_1 |
| ir.cpp:1753:40:1753:41 | Address | &:r1753_1 |
| ir.cpp:1753:40:1753:41 | Arg(this) | this:r1753_1 |
| ir.cpp:1753:44:1753:45 | CallTarget | func:r1753_3 |
| ir.cpp:1753:44:1753:45 | ChiPartial | partial:m1753_9 |
| ir.cpp:1753:44:1753:45 | ChiPartial | partial:m1753_12 |
| ir.cpp:1753:44:1753:45 | ChiTotal | total:m1750_4 |
| ir.cpp:1753:44:1753:45 | ChiTotal | total:m1753_2 |
| ir.cpp:1753:44:1753:45 | SideEffect | ~m1750_4 |
| ir.cpp:1753:45:1753:45 | Address | &:r1753_4 |
| ir.cpp:1753:45:1753:45 | Address | &:r1753_7 |
| ir.cpp:1753:45:1753:45 | Arg(0) | 0:r1753_7 |
| ir.cpp:1753:45:1753:45 | Load | m1751_2 |
| ir.cpp:1753:45:1753:45 | SideEffect | ~m1751_4 |
| ir.cpp:1753:45:1753:45 | Unary | r1753_5 |
| ir.cpp:1753:45:1753:45 | Unary | r1753_6 |
| ir.cpp:1754:37:1754:38 | Address | &:r1754_1 |
| ir.cpp:1754:37:1754:38 | Address | &:r1754_1 |
| ir.cpp:1754:37:1754:38 | Arg(this) | this:r1754_1 |
| ir.cpp:1754:41:1754:42 | CallTarget | func:r1754_3 |
| ir.cpp:1754:41:1754:42 | ChiPartial | partial:m1754_9 |
| ir.cpp:1754:41:1754:42 | ChiPartial | partial:m1754_12 |
| ir.cpp:1754:41:1754:42 | ChiTotal | total:m1753_10 |
| ir.cpp:1754:41:1754:42 | ChiTotal | total:m1754_2 |
| ir.cpp:1754:41:1754:42 | SideEffect | ~m1753_10 |
| ir.cpp:1754:42:1754:42 | Address | &:r1754_4 |
| ir.cpp:1754:42:1754:42 | Address | &:r1754_7 |
| ir.cpp:1754:42:1754:42 | Arg(0) | 0:r1754_7 |
| ir.cpp:1754:42:1754:42 | Load | m1752_2 |
| ir.cpp:1754:42:1754:42 | SideEffect | ~m1752_4 |
| ir.cpp:1754:42:1754:42 | Unary | r1754_5 |
| ir.cpp:1754:42:1754:42 | Unary | r1754_6 |
| perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
| perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
| perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |


@@ -18,6 +18,8 @@ lostReachability
backEdgeCountMismatch
useNotDominatedByDefinition
| ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
| ir.cpp:1751:51:1751:51 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1750:5:1750:34 | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) |
| ir.cpp:1752:48:1752:48 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1750:5:1750:34 | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) | int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&) |
switchInstructionWithoutDefaultEdge
notMarkedAsConflated
wronglyMarkedAsConflated
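Review bot: The two new `useNotDominatedByDefinition` rows accept an IR consistency failure for `implicit_copy_constructor_test` into the expected output instead of avoiding it. The function is declared `int`, but its body in the ir.cpp section of this commit has no `return`. The raw IR dump ends its Block 0 in `Unreached` while Block 1 still reads `r1751_3` and `r1752_3`, which is presumably what trips the check. If the failure is not what the test is meant to pin, adding `return 0;` before the closing brace (or declaring the function `void`) should keep these rows out of the file. If it is intentional, a comment next to the function in ir.cpp would stop the rows from being read as a regression later.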


@@ -9202,6 +9202,222 @@ ir.cpp:
# 1717| v1717_11(void) = AliasedUse : ~m?
# 1717| v1717_12(void) = ExitFunction :
# 1724| void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass()
# 1724| Block 0
# 1724| v1724_1(void) = EnterFunction :
# 1724| mu1724_2(unknown) = AliasedDefinition :
# 1724| mu1724_3(unknown) = InitializeNonLocal :
# 1724| r1724_4(glval<unknown>) = VariableAddress[#this] :
# 1724| mu1724_5(glval<CopyConstructorWithImplicitArgumentClass>) = InitializeParameter[#this] : &:r1724_4
# 1724| r1724_6(glval<CopyConstructorWithImplicitArgumentClass>) = Load[#this] : &:r1724_4, ~m?
# 1724| mu1724_7(CopyConstructorWithImplicitArgumentClass) = InitializeIndirection[#this] : &:r1724_6
# 1724| v1724_8(void) = NoOp :
# 1724| v1724_9(void) = ReturnIndirection[#this] : &:r1724_6, ~m?
# 1724| v1724_10(void) = ReturnVoid :
# 1724| v1724_11(void) = AliasedUse : ~m?
# 1724| v1724_12(void) = ExitFunction :
# 1725| void CopyConstructorWithImplicitArgumentClass::CopyConstructorWithImplicitArgumentClass(CopyConstructorWithImplicitArgumentClass const&)
# 1725| Block 0
# 1725| v1725_1(void) = EnterFunction :
# 1725| mu1725_2(unknown) = AliasedDefinition :
# 1725| mu1725_3(unknown) = InitializeNonLocal :
# 1725| r1725_4(glval<unknown>) = VariableAddress[#this] :
# 1725| mu1725_5(glval<CopyConstructorWithImplicitArgumentClass>) = InitializeParameter[#this] : &:r1725_4
# 1725| r1725_6(glval<CopyConstructorWithImplicitArgumentClass>) = Load[#this] : &:r1725_4, ~m?
# 1725| mu1725_7(CopyConstructorWithImplicitArgumentClass) = InitializeIndirection[#this] : &:r1725_6
# 1725| r1725_8(glval<CopyConstructorWithImplicitArgumentClass &>) = VariableAddress[c] :
# 1725| mu1725_9(CopyConstructorWithImplicitArgumentClass &) = InitializeParameter[c] : &:r1725_8
# 1725| r1725_10(CopyConstructorWithImplicitArgumentClass &) = Load[c] : &:r1725_8, ~m?
# 1725| mu1725_11(unknown) = InitializeIndirection[c] : &:r1725_10
# 1726| r1726_1(glval<CopyConstructorWithImplicitArgumentClass &>) = VariableAddress[c] :
# 1726| r1726_2(CopyConstructorWithImplicitArgumentClass &) = Load[c] : &:r1726_1, ~m?
# 1726| r1726_3(glval<CopyConstructorWithImplicitArgumentClass>) = CopyValue : r1726_2
# 1726| r1726_4(glval<int>) = FieldAddress[x] : r1726_3
# 1726| r1726_5(int) = Load[?] : &:r1726_4, ~m?
# 1726| r1726_6(glval<unknown>) = VariableAddress[#this] :
# 1726| r1726_7(CopyConstructorWithImplicitArgumentClass *) = Load[#this] : &:r1726_6, ~m?
# 1726| r1726_8(glval<int>) = FieldAddress[x] : r1726_7
# 1726| mu1726_9(int) = Store[?] : &:r1726_8, r1726_5
# 1727| v1727_1(void) = NoOp :
# 1725| v1725_12(void) = ReturnIndirection[#this] : &:r1725_6, ~m?
# 1725| v1725_13(void) = ReturnIndirection[c] : &:r1725_10, ~m?
# 1725| v1725_14(void) = ReturnVoid :
# 1725| v1725_15(void) = AliasedUse : ~m?
# 1725| v1725_16(void) = ExitFunction :
# 1733| void CopyConstructorWithBitwiseCopyClass::CopyConstructorWithBitwiseCopyClass()
# 1733| Block 0
# 1733| v1733_1(void) = EnterFunction :
# 1733| mu1733_2(unknown) = AliasedDefinition :
# 1733| mu1733_3(unknown) = InitializeNonLocal :
# 1733| r1733_4(glval<unknown>) = VariableAddress[#this] :
# 1733| mu1733_5(glval<CopyConstructorWithBitwiseCopyClass>) = InitializeParameter[#this] : &:r1733_4
# 1733| r1733_6(glval<CopyConstructorWithBitwiseCopyClass>) = Load[#this] : &:r1733_4, ~m?
# 1733| mu1733_7(CopyConstructorWithBitwiseCopyClass) = InitializeIndirection[#this] : &:r1733_6
# 1733| v1733_8(void) = NoOp :
# 1733| v1733_9(void) = ReturnIndirection[#this] : &:r1733_6, ~m?
# 1733| v1733_10(void) = ReturnVoid :
# 1733| v1733_11(void) = AliasedUse : ~m?
# 1733| v1733_12(void) = ExitFunction :
# 1736| void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass(CopyConstructorTestNonVirtualClass const&)
# 1736| Block 0
# 1736| v1736_1(void) = EnterFunction :
# 1736| mu1736_2(unknown) = AliasedDefinition :
# 1736| mu1736_3(unknown) = InitializeNonLocal :
# 1736| r1736_4(glval<unknown>) = VariableAddress[#this] :
# 1736| mu1736_5(glval<CopyConstructorTestNonVirtualClass>) = InitializeParameter[#this] : &:r1736_4
# 1736| r1736_6(glval<CopyConstructorTestNonVirtualClass>) = Load[#this] : &:r1736_4, ~m?
# 1736| mu1736_7(CopyConstructorTestNonVirtualClass) = InitializeIndirection[#this] : &:r1736_6
#-----| r0_1(glval<CopyConstructorTestNonVirtualClass &>) = VariableAddress[(unnamed parameter 0)] :
#-----| mu0_2(CopyConstructorTestNonVirtualClass &) = InitializeParameter[(unnamed parameter 0)] : &:r0_1
#-----| r0_3(CopyConstructorTestNonVirtualClass &) = Load[(unnamed parameter 0)] : &:r0_1, ~m?
#-----| mu0_4(unknown) = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
# 1736| r1736_8(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1736_5
# 1736| r1736_9(glval<unknown>) = FunctionAddress[CopyConstructorWithImplicitArgumentClass] :
# 1736| r1736_10(glval<CopyConstructorTestNonVirtualClass &>) = VariableAddress[(unnamed parameter 0)] :
# 1736| r1736_11(CopyConstructorTestNonVirtualClass &) = Load[(unnamed parameter 0)] : &:r1736_10, ~m?
# 1736| r1736_12(glval<CopyConstructorTestNonVirtualClass>) = CopyValue : r1736_11
# 1736| r1736_13(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithImplicitArgumentClass] : r1736_12
# 1736| r1736_14(CopyConstructorWithImplicitArgumentClass &) = CopyValue : r1736_13
# 1736| v1736_15(void) = Call[CopyConstructorWithImplicitArgumentClass] : func:r1736_9, this:r1736_8, 0:r1736_14
# 1736| mu1736_16(unknown) = ^CallSideEffect : ~m?
# 1736| v1736_17(void) = ^BufferReadSideEffect[0] : &:r1736_14, ~m?
# 1736| mu1736_18(CopyConstructorWithImplicitArgumentClass) = ^IndirectMayWriteSideEffect[-1] : &:r1736_8
# 1736| v1736_19(void) = NoOp :
# 1736| v1736_20(void) = ReturnIndirection[#this] : &:r1736_6, ~m?
#-----| v0_5(void) = ReturnIndirection[(unnamed parameter 0)] : &:r0_3, ~m?
# 1736| v1736_21(void) = ReturnVoid :
# 1736| v1736_22(void) = AliasedUse : ~m?
# 1736| v1736_23(void) = ExitFunction :
# 1740| void CopyConstructorTestNonVirtualClass::CopyConstructorTestNonVirtualClass()
# 1740| Block 0
# 1740| v1740_1(void) = EnterFunction :
# 1740| mu1740_2(unknown) = AliasedDefinition :
# 1740| mu1740_3(unknown) = InitializeNonLocal :
# 1740| r1740_4(glval<unknown>) = VariableAddress[#this] :
# 1740| mu1740_5(glval<CopyConstructorTestNonVirtualClass>) = InitializeParameter[#this] : &:r1740_4
# 1740| r1740_6(glval<CopyConstructorTestNonVirtualClass>) = Load[#this] : &:r1740_4, ~m?
# 1740| mu1740_7(CopyConstructorTestNonVirtualClass) = InitializeIndirection[#this] : &:r1740_6
# 1740| r1740_8(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1740_5
# 1740| r1740_9(glval<unknown>) = FunctionAddress[CopyConstructorWithImplicitArgumentClass] :
# 1740| v1740_10(void) = Call[CopyConstructorWithImplicitArgumentClass] : func:r1740_9, this:r1740_8
# 1740| mu1740_11(unknown) = ^CallSideEffect : ~m?
# 1740| mu1740_12(CopyConstructorWithImplicitArgumentClass) = ^IndirectMayWriteSideEffect[-1] : &:r1740_8
# 1740| r1740_13(glval<CopyConstructorWithBitwiseCopyClass>) = ConvertToNonVirtualBase[CopyConstructorTestNonVirtualClass : CopyConstructorWithBitwiseCopyClass] : mu1740_5
# 1740| r1740_14(glval<unknown>) = FunctionAddress[CopyConstructorWithBitwiseCopyClass] :
# 1740| v1740_15(void) = Call[CopyConstructorWithBitwiseCopyClass] : func:r1740_14, this:r1740_13
# 1740| mu1740_16(unknown) = ^CallSideEffect : ~m?
# 1740| mu1740_17(CopyConstructorWithBitwiseCopyClass) = ^IndirectMayWriteSideEffect[-1] : &:r1740_13
# 1740| v1740_18(void) = NoOp :
# 1740| v1740_19(void) = ReturnIndirection[#this] : &:r1740_6, ~m?
# 1740| v1740_20(void) = ReturnVoid :
# 1740| v1740_21(void) = AliasedUse : ~m?
# 1740| v1740_22(void) = ExitFunction :
# 1743| void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass(CopyConstructorTestVirtualClass const&)
# 1743| Block 0
# 1743| v1743_1(void) = EnterFunction :
# 1743| mu1743_2(unknown) = AliasedDefinition :
# 1743| mu1743_3(unknown) = InitializeNonLocal :
# 1743| r1743_4(glval<unknown>) = VariableAddress[#this] :
# 1743| mu1743_5(glval<CopyConstructorTestVirtualClass>) = InitializeParameter[#this] : &:r1743_4
# 1743| r1743_6(glval<CopyConstructorTestVirtualClass>) = Load[#this] : &:r1743_4, ~m?
# 1743| mu1743_7(CopyConstructorTestVirtualClass) = InitializeIndirection[#this] : &:r1743_6
#-----| r0_1(glval<CopyConstructorTestVirtualClass &>) = VariableAddress[(unnamed parameter 0)] :
#-----| mu0_2(CopyConstructorTestVirtualClass &) = InitializeParameter[(unnamed parameter 0)] : &:r0_1
#-----| r0_3(CopyConstructorTestVirtualClass &) = Load[(unnamed parameter 0)] : &:r0_1, ~m?
#-----| mu0_4(unknown) = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
# 1743| r1743_8(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1743_5
# 1743| r1743_9(glval<unknown>) = FunctionAddress[CopyConstructorWithImplicitArgumentClass] :
# 1743| r1743_10(glval<CopyConstructorTestVirtualClass &>) = VariableAddress[(unnamed parameter 0)] :
# 1743| r1743_11(CopyConstructorTestVirtualClass &) = Load[(unnamed parameter 0)] : &:r1743_10, ~m?
# 1743| r1743_12(glval<CopyConstructorTestVirtualClass>) = CopyValue : r1743_11
# 1743| r1743_13(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithImplicitArgumentClass] : r1743_12
# 1743| r1743_14(CopyConstructorWithImplicitArgumentClass &) = CopyValue : r1743_13
# 1743| v1743_15(void) = Call[CopyConstructorWithImplicitArgumentClass] : func:r1743_9, this:r1743_8, 0:r1743_14
# 1743| mu1743_16(unknown) = ^CallSideEffect : ~m?
# 1743| v1743_17(void) = ^BufferReadSideEffect[0] : &:r1743_14, ~m?
# 1743| mu1743_18(CopyConstructorWithImplicitArgumentClass) = ^IndirectMayWriteSideEffect[-1] : &:r1743_8
# 1743| v1743_19(void) = NoOp :
# 1743| v1743_20(void) = ReturnIndirection[#this] : &:r1743_6, ~m?
#-----| v0_5(void) = ReturnIndirection[(unnamed parameter 0)] : &:r0_3, ~m?
# 1743| v1743_21(void) = ReturnVoid :
# 1743| v1743_22(void) = AliasedUse : ~m?
# 1743| v1743_23(void) = ExitFunction :
# 1747| void CopyConstructorTestVirtualClass::CopyConstructorTestVirtualClass()
# 1747| Block 0
# 1747| v1747_1(void) = EnterFunction :
# 1747| mu1747_2(unknown) = AliasedDefinition :
# 1747| mu1747_3(unknown) = InitializeNonLocal :
# 1747| r1747_4(glval<unknown>) = VariableAddress[#this] :
# 1747| mu1747_5(glval<CopyConstructorTestVirtualClass>) = InitializeParameter[#this] : &:r1747_4
# 1747| r1747_6(glval<CopyConstructorTestVirtualClass>) = Load[#this] : &:r1747_4, ~m?
# 1747| mu1747_7(CopyConstructorTestVirtualClass) = InitializeIndirection[#this] : &:r1747_6
# 1747| r1747_8(glval<CopyConstructorWithImplicitArgumentClass>) = ConvertToNonVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithImplicitArgumentClass] : mu1747_5
# 1747| r1747_9(glval<unknown>) = FunctionAddress[CopyConstructorWithImplicitArgumentClass] :
# 1747| v1747_10(void) = Call[CopyConstructorWithImplicitArgumentClass] : func:r1747_9, this:r1747_8
# 1747| mu1747_11(unknown) = ^CallSideEffect : ~m?
# 1747| mu1747_12(CopyConstructorWithImplicitArgumentClass) = ^IndirectMayWriteSideEffect[-1] : &:r1747_8
# 1747| r1747_13(glval<CopyConstructorWithBitwiseCopyClass>) = ConvertToNonVirtualBase[CopyConstructorTestVirtualClass : CopyConstructorWithBitwiseCopyClass] : mu1747_5
# 1747| r1747_14(glval<unknown>) = FunctionAddress[CopyConstructorWithBitwiseCopyClass] :
# 1747| v1747_15(void) = Call[CopyConstructorWithBitwiseCopyClass] : func:r1747_14, this:r1747_13
# 1747| mu1747_16(unknown) = ^CallSideEffect : ~m?
# 1747| mu1747_17(CopyConstructorWithBitwiseCopyClass) = ^IndirectMayWriteSideEffect[-1] : &:r1747_13
# 1747| v1747_18(void) = NoOp :
# 1747| v1747_19(void) = ReturnIndirection[#this] : &:r1747_6, ~m?
# 1747| v1747_20(void) = ReturnVoid :
# 1747| v1747_21(void) = AliasedUse : ~m?
# 1747| v1747_22(void) = ExitFunction :
# 1750| int implicit_copy_constructor_test(CopyConstructorTestNonVirtualClass const&, CopyConstructorTestVirtualClass const&)
# 1750| Block 0
# 1750| v1750_1(void) = EnterFunction :
# 1750| mu1750_2(unknown) = AliasedDefinition :
# 1750| mu1750_3(unknown) = InitializeNonLocal :
# 1751| r1751_1(glval<CopyConstructorTestNonVirtualClass &>) = VariableAddress[x] :
# 1751| mu1751_2(CopyConstructorTestNonVirtualClass &) = InitializeParameter[x] : &:r1751_1
# 1751| r1751_3(CopyConstructorTestNonVirtualClass &) = Load[x] : &:r1751_1, ~m?
# 1751| mu1751_4(unknown) = InitializeIndirection[x] : &:r1751_3
# 1752| r1752_1(glval<CopyConstructorTestVirtualClass &>) = VariableAddress[y] :
# 1752| mu1752_2(CopyConstructorTestVirtualClass &) = InitializeParameter[y] : &:r1752_1
# 1752| r1752_3(CopyConstructorTestVirtualClass &) = Load[y] : &:r1752_1, ~m?
# 1752| mu1752_4(unknown) = InitializeIndirection[y] : &:r1752_3
# 1753| r1753_1(glval<CopyConstructorTestNonVirtualClass>) = VariableAddress[cx] :
# 1753| mu1753_2(CopyConstructorTestNonVirtualClass) = Uninitialized[cx] : &:r1753_1
# 1753| r1753_3(glval<unknown>) = FunctionAddress[CopyConstructorTestNonVirtualClass] :
# 1753| r1753_4(glval<CopyConstructorTestNonVirtualClass &>) = VariableAddress[x] :
# 1753| r1753_5(CopyConstructorTestNonVirtualClass &) = Load[x] : &:r1753_4, ~m?
# 1753| r1753_6(glval<CopyConstructorTestNonVirtualClass>) = CopyValue : r1753_5
# 1753| r1753_7(CopyConstructorTestNonVirtualClass &) = CopyValue : r1753_6
# 1753| v1753_8(void) = Call[CopyConstructorTestNonVirtualClass] : func:r1753_3, this:r1753_1, 0:r1753_7
# 1753| mu1753_9(unknown) = ^CallSideEffect : ~m?
# 1753| v1753_10(void) = ^BufferReadSideEffect[0] : &:r1753_7, ~m?
# 1753| mu1753_11(CopyConstructorTestNonVirtualClass) = ^IndirectMayWriteSideEffect[-1] : &:r1753_1
# 1754| r1754_1(glval<CopyConstructorTestVirtualClass>) = VariableAddress[cy] :
# 1754| mu1754_2(CopyConstructorTestVirtualClass) = Uninitialized[cy] : &:r1754_1
# 1754| r1754_3(glval<unknown>) = FunctionAddress[CopyConstructorTestVirtualClass] :
# 1754| r1754_4(glval<CopyConstructorTestVirtualClass &>) = VariableAddress[y] :
# 1754| r1754_5(CopyConstructorTestVirtualClass &) = Load[y] : &:r1754_4, ~m?
# 1754| r1754_6(glval<CopyConstructorTestVirtualClass>) = CopyValue : r1754_5
# 1754| r1754_7(CopyConstructorTestVirtualClass &) = CopyValue : r1754_6
# 1754| v1754_8(void) = Call[CopyConstructorTestVirtualClass] : func:r1754_3, this:r1754_1, 0:r1754_7
# 1754| mu1754_9(unknown) = ^CallSideEffect : ~m?
# 1754| v1754_10(void) = ^BufferReadSideEffect[0] : &:r1754_7, ~m?
# 1754| mu1754_11(CopyConstructorTestVirtualClass) = ^IndirectMayWriteSideEffect[-1] : &:r1754_1
# 1755| v1755_1(void) = Unreached :
# 1751| Block 1
# 1751| v1751_5(void) = ReturnIndirection[x] : &:r1751_3, ~m?
# 1752| v1752_5(void) = ReturnIndirection[y] : &:r1752_3, ~m?
# 1750| r1750_4(glval<int>) = VariableAddress[#return] :
# 1750| v1750_5(void) = ReturnValue : &:r1750_4, ~m?
# 1750| v1750_6(void) = AliasedUse : ~m?
# 1750| v1750_7(void) = ExitFunction :
perf-regression.cpp:
# 6| void Big::Big()
# 6| Block 0


@@ -123,3 +123,4 @@ postWithInFlow
| misc.c:220:4:220:5 | sp [inner post update] | PostUpdateNode should not be the target of local flow. |
| static_init_templates.cpp:3:2:3:4 | ref [post update] | PostUpdateNode should not be the target of local flow. |
| static_init_templates.cpp:21:2:21:4 | val [post update] | PostUpdateNode should not be the target of local flow. |
| try_catch.cpp:7:8:7:8 | call to exception | PostUpdateNode should not be the target of local flow. |


@@ -1,7 +1,7 @@
| templates.cpp:9:5:9:14 | using c | UsingDeclarationEntry, enclosingElement:std |
| usings.cpp:8:1:8:11 | using nf | UsingDeclarationEntry, enclosingElement:(global namespace) |
| templates.cpp:9:14:9:14 | using c | UsingDeclarationEntry, enclosingElement:std |
| usings.cpp:8:10:8:11 | using nf | UsingDeclarationEntry, enclosingElement:(global namespace) |
| usings.cpp:9:1:9:17 | using namespace N | UsingDirectiveEntry, enclosingElement:(global namespace) |
| usings.cpp:18:3:18:13 | using bf | UsingDeclarationEntry, enclosingElement:D |
| usings.cpp:21:5:21:14 | using gf | UsingDeclarationEntry, enclosingElement:{ ... } |
| usings.cpp:34:3:34:20 | using tbf | UsingDeclarationEntry, enclosingElement:TD |
| usings.cpp:42:5:42:22 | using foo | UsingDeclarationEntry, enclosingElement:nsbar |
| usings.cpp:18:12:18:13 | using bf | UsingDeclarationEntry, enclosingElement:D |
| usings.cpp:21:13:21:14 | using gf | UsingDeclarationEntry, enclosingElement:{ ... } |
| usings.cpp:34:18:34:20 | using tbf | UsingDeclarationEntry, enclosingElement:TD |
| usings.cpp:42:20:42:22 | using foo | UsingDeclarationEntry, enclosingElement:nsbar |


@@ -163,3 +163,16 @@ void test_captured_contructor()
myFunction2( [obj](){} );
}
// ---
void test_switch_initializer()
{
bool a = 42, b = 43; // GOOD: a, b are both used
switch (a = b; a)
{
default:
// ...
}
}
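Review bot: `bool a = 42, b = 43;` stores `true` in both variables, so the two initialisers are indistinguishable, and `switch (a = b; a)` then switches on a `bool`, which some compilers warn about. Since the case only needs both locals to count as used, `int a = 42, b = 43;` would express the same thing without the implicit conversions. A second case that declares the variable in the init-statement, e.g. `switch (int c = b; c)`, would also cover the more common C++17 form. Whether the file already has such a case is not visible from this hunk.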