hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge from main

Browse Source
This commit is contained in:
Dave Bartolomeo
2020-10-28 15:35:46 -04:00
parent 5a6cd4aca9 ae84d1383e
commit 7a2c59c194
214 changed files with 13527 additions and 2840 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cpp/ql/src/Best Practices/Exceptions/LeakyCatch.qhelp
View File

@@ -39,7 +39,7 @@ void good() {
</example>
<references>
<li>MSDN Library for MFC: <a href="http://msdn.microsoft.com/en-us/library/0e5twxsh(v=vs.110).aspx">Exceptions: Catching and Deleting Exceptions</a>.</li>
<li>MSDN Library for MFC: <a href="https://docs.microsoft.com/en-us/cpp/mfc/exceptions-catching-and-deleting-exceptions">Exceptions: Catching and Deleting Exceptions</a>.</li>
</references>

2
cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.qhelp
View File

@@ -27,7 +27,7 @@ then removing it will make code more readable. If the static variable is needed
<a href="https://www.securecoding.cert.org/confluence/display/c/MSC12-C.+Detect+and+remove+code+that+has+no+effect+or+is+never+executed">Detect and remove code that has no effect</a>
</li>
<li>
<a href="https://www.securecoding.cert.org/confluence/display/cplusplus/DCL07-CPP.+Minimize+the+scope+of+variables+and+methods">Minimize the scope of variables and methods</a>
<a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL19-C.+Minimize+the+scope+of+variables+and+functions">Minimize the scope of variables and functions</a>
</li>

2
cpp/ql/src/Best Practices/UseOfGoto.qhelp
View File

@@ -41,7 +41,7 @@ this rule.
E. W. Dijkstra Archive: <a href="http://www.cs.utexas.edu/users/EWD/transcriptions/EWD02xx/EWD215.html">A Case against the GO TO Statement (EWD-215)</a>.
</li>
<li>
MSDN Library: <a href="http://msdn.microsoft.com/en-gb/library/b34dt9cd%28v=vs.80%29.aspx">The goto Statement</a>.
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/goto-statement-cpp">goto Statement (C++)</a>.
</li>
<li>
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997.

2
cpp/ql/src/Critical/MissingNullTest.qhelp
View File

@@ -27,6 +27,6 @@ this cannot happen.
</example>
<references>
<li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP34-C.+Do+not+dereference+null+pointerss">EXP34-C. Do not dereference null pointers</a>.</li>
<li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP34-C.+Do+not+dereference+null+pointers">EXP34-C. Do not dereference null pointers</a>.</li>
</references>
</qhelp>

2
cpp/ql/src/Likely Bugs/Arithmetic/BadCheckOdd.qhelp
View File

@@ -23,7 +23,7 @@ As a result, this check incorrectly considers all negative numbers as even.
<references>
<li>
MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/ty2ax9z9%28v=vs.71%29.aspx">Multiplicative Operators: *, /, and %</a>.
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/multiplicative-operators-and-the-modulus-operator">Multiplicative Operators and the Modulus Operator</a>.
</li>
<li>
Wikipedia: <a href="http://en.wikipedia.org/wiki/Modulo_operation#Common_pitfalls">Modulo Operation - Common pitfalls</a>.

2
cpp/ql/src/Likely Bugs/Arithmetic/BitwiseSignCheck.qhelp
View File

@@ -24,7 +24,7 @@
Code Project: <a href="http://www.codeproject.com/Articles/2247/An-introduction-to-bitwise-operators">An introduction to bitwise operators</a>
</li>
<li>
MSDN Library: <a href="https://msdn.microsoft.com/en-us/library/dxda59dh.aspx">Signed Bitwise Operations</a>
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/c-language/signed-bitwise-operations">Signed Bitwise Operations</a>
</li>

2
cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.qhelp
View File

@@ -21,7 +21,7 @@ It is best to fully parenthesize complex comparison expressions to explicitly de
<references>
<li>
<a href="http://msdn.microsoft.com/en-us/library/126fe14k%28v=VS.80%29.aspx">Operator Precedence and Associativity</a>
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/cpp-built-in-operators-precedence-and-associativity">C++ built-in operators, precedence, and associativity</a>
</li>
<li>
<a href="http://www.cplusplus.com/doc/tutorial/operators/">Operators</a>

2
cpp/ql/src/Likely Bugs/Arithmetic/FloatComparison.qhelp
View File

@@ -24,7 +24,7 @@ as rounding errors will be more prominent when using such values.
<li>
D. Goldberg, <em>What Every Computer Scientist Should Know About Floating-Point Arithmetic</em>,
ACM Computing Surveys, Volume 23, Issue 1, March 1991 (<a href="http://docs.sun.com/source/806-3568/ncg_goldberg.html">available online</a>).
ACM Computing Surveys, Volume 23, Issue 1, March 1991 (<a href="https://docs.oracle.com/cd/E19957-01/806-3568/ncg_goldberg.html">available online</a>).
</li>

2
cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.qhelp
View File

@@ -23,7 +23,7 @@ the expression would produce a result that would be too large to fit in the smal
<references>
<li>
MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/ty2ax9z9%28v=vs.71%29.aspx">Multiplicative Operators: *, /, and %</a>.
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/multiplicative-operators-and-the-modulus-operator">Multiplicative Operators and the Modulus Operator</a>.
</li>
<li>
Cplusplus.com: <a href="http://www.cplusplus.com/articles/DE18T05o/">Integer overflow</a>.

2
cpp/ql/src/Likely Bugs/Conversion/LossyPointerCast.qhelp
View File

@@ -23,7 +23,7 @@ the latter occupies eight bytes on a 64-bit machine.</p>
<references>
<li>
MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/hh279667.aspx">Type Conversions and Type Safety (Modern C++)</a>.
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/type-conversions-and-type-safety-modern-cpp">Type Conversions and Type Safety</a>.
</li>
<li>
Cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/typecasting/">Type conversions</a>.

2
cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.qhelp
View File

@@ -23,7 +23,7 @@ the function.
<li>CERT C Coding
Standard: <a href="https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings">FIO30-C. Exclude user input from format strings</a>.</li>
<li>cplusplus.com: <a href="http://www.tutorialspoint.com/cplusplus/cpp_functions.htm">C++ Functions</a>.</li>
<li>MSDN Alphabetical Function Reference: <a href="http://msdn.microsoft.com/en-us/library/wc7014hz%28VS.71%29.aspx">printf, wprintf</a>.</li>
<li>CRT Alphabetical Function Reference: <a href="https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/printf-printf-l-wprintf-wprintf-l">printf, _printf_l, wprintf, _wprintf_l</a>.</li>

3
cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
View File

@@ -155,7 +155,8 @@ where
not actual.getUnspecifiedType().(IntegralType).getSize() = sizeof_IntType()
) and
not arg.isAffectedByMacro() and
not arg.isFromUninstantiatedTemplate(_)
not arg.isFromUninstantiatedTemplate(_) and
not actual.getUnspecifiedType() instanceof ErroneousType
select arg,
"This argument should be of type '" + expected.getName() + "' but is of type '" +
actual.getUnspecifiedType().getName() + "'"

2
cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.qhelp
View File

@@ -15,7 +15,7 @@ of days. Alternatively, use an established library routine that already contain
</recommendation>
<references>
<li>U.S. Naval Observatory Website - <a href="https://aa.usno.navy.mil/faq/docs/calendars.php"> Introduction to Calendars</a></li>
<li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
<li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
<li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
</references>

2
cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.qhelp
View File

@@ -22,7 +22,7 @@
</example>
<references>
<li>U.S. Naval Observatory Website - <a href="https://aa.usno.navy.mil/faq/docs/calendars.php"> Introduction to Calendars</a></li>
<li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
<li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
<li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
</references>

2
cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.qhelp
View File

@@ -34,7 +34,7 @@
</example>
<references>
<li>U.S. Naval Observatory Website - <a href="https://aa.usno.navy.mil/faq/docs/calendars.php"> Introduction to Calendars</a></li>
<li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
<li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
<li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
</references>

2
cpp/ql/src/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.qhelp
View File

@@ -23,7 +23,7 @@
</example>
<references>
<li>U.S. Naval Observatory Website - <a href="https://aa.usno.navy.mil/faq/docs/calendars.php"> Introduction to Calendars</a></li>
<li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
<li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
<li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
</references>

2
cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.qhelp
View File

@@ -23,7 +23,7 @@ indication that there may be cases unhandled by the <code>switch</code> statemen
Tutorialspoint - The C++ Programming Language: <a href="http://www.tutorialspoint.com/cplusplus/cpp_switch_statement.htm">C++ switch statement</a>
</li>
<li>
MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/k0t5wee3%28v=VS.80%29.aspx">The switch Statement</a>
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/switch-statement-cpp">switch statement (C++)</a>
</li>
<li>
M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).

3
cpp/ql/src/Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql
View File

@@ -88,7 +88,8 @@ where
not arg.isAffectedByMacro() and
size32 = ilp32.paddedSize(actual) and
size64 = lp64.paddedSize(actual) and
size64 != size32
size64 != size32 and
not actual instanceof ErroneousType
select arg,
"This argument should be of type '" + expected.getName() + "' but is of type '" + actual.getName()
+ "' (which changes size from " + size32 + " to " + size64 + " on 64-bit systems)."

2
cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.qhelp
View File

@@ -30,7 +30,7 @@ For an array, the size is the number of elements of the array multiplied by the
Cplusplus.comn: <a href="http://www.cplusplus.com/reference/clibrary/cstring/memset/">memset</a>
</li>
<li>
MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/aa246471%28v=VS.60%29.aspx">memset</a>, <a href="http://msdn.microsoft.com/en-us/library/4s7x1k91%28v=VS.71%29.aspx">sizeof Operator</a>
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/memset-wmemset">memset, wmemset</a>, <a href="https://docs.microsoft.com/en-us/cpp/cpp/sizeof-operator">sizeof Operator</a>
</li>

3
cpp/ql/src/Likely Bugs/NestedLoopSameVar.qhelp
View File

@@ -25,9 +25,6 @@ outer loop. </p>
<li>
Tutorialspoint - The C++ Programming Language: <a href="http://www.tutorialspoint.com/cplusplus/cpp_nested_loops.htm">C++ nested loops</a>
</li>
<li>
MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/8y82wx12%28v=VS.80%29.aspx">Nested Control Structures</a>
</li>

2
cpp/ql/src/Likely Bugs/OO/NonVirtualDestructor.qhelp
View File

@@ -20,7 +20,7 @@ object instance).</p>
</example>
<references>
<li>R. Chen, <a href="http://blogs.msdn.com/oldnewthing/archive/2004/05/07/127826.aspx">When should your destructor be virtual?</a>.</li>
<li>R. Chen, <a href="https://devblogs.microsoft.com/oldnewthing/20040507-00/?p=39443">When should your destructor be virtual?</a>.</li>
<li>S. Meyers. <em>Effective C++ 3d ed.</em> pp 40-44. Addison-Wesley Professional, 2005.</li>
</references>
</qhelp>

2
cpp/ql/src/Metrics/Files/FMacroRatio.qhelp
View File

@@ -27,7 +27,7 @@ and IDE support than macros.</p>
<references>
<li>
<a href="http://msdn.microsoft.com/en-us/library/503x3e3s%28v=vs.80%29.aspx">Macros</a>
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/preprocessor/macros-c-cpp">Macros (C/C++)</a>
</li>
<li>
<a href="http://www.stroustrup.com/icsm-2012-demacro.pdf">Rejuvenating C++ Programs through

2
cpp/ql/src/Metrics/Files/FTimeInFrontend.qhelp
View File

@@ -15,7 +15,7 @@
<references>
<li>
<a href="http://msdn.microsoft.com/en-us/library/36k2cdd4%28v=VS.80%29.aspx">The #include Directive</a>
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/preprocessor/hash-include-directive-c-cpp">#include directive (C/C++)</a>
</li>
<li>
<a href="http://gcc.gnu.org/onlinedocs/cpp/Include-Operation.html#Include-Operation">Include operation</a>

2
cpp/ql/src/Security/CWE/CWE-089/SqlTainted.qhelp
View File

@@ -21,7 +21,7 @@ string before converting it to SQL.</p>
</example>
<references>
<li>Microsoft Developer Network: <a href="http://msdn.microsoft.com/en-us/library/ms161953.aspx">SQL Injection</a>.</li>
<li>MSDN Library: <a href="https://docs.microsoft.com/en-us/sql/relational-databases/security/sql-injection">SQL Injection</a>.</li>
<!-- LocalWords: SQL CWE

9
cpp/ql/src/definitions.ql
View File

@@ -1,7 +1,7 @@
/**
* @name Jump-to-definition links
* @description Generates use-definition pairs that provide the data
* for jump-to-definition in the code viewer.
* for jump-to-definition in the code viewer of LGTM.
* @kind definitions
* @id cpp/jump-to-definition
*/
@@ -9,5 +9,10 @@
import definitions
from Top e, Top def, string kind
where def = definitionOf(e, kind)
where
def = definitionOf(e, kind) and
// We need to exclude definitions for elements inside template instantiations,
// as these often lead to multiple links to definitions from the same source location.
// LGTM does not support this bevaviour.
not e.isFromTemplateInstantiation(_)
select e, def, kind

11
cpp/ql/src/definitions.qll
View File

@@ -124,6 +124,7 @@ private predicate constructorCallTypeMention(ConstructorCall cc, TypeMention tm)
/**
* Gets an element, of kind `kind`, that element `e` uses, if any.
* Attention: This predicate yields multiple definitions for a single location.
*
* The `kind` is a string representing what kind of use it is:
* - `"M"` for function and method calls
@@ -196,15 +197,7 @@ Top definitionOf(Top e, string kind) {
not e.(Element).isInMacroExpansion() and
// exclude nested macro invocations, as they will overlap with
// the top macro invocation.
not exists(e.(MacroAccess).getParentInvocation()) and
// exclude results from template instantiations, as:
// (1) these dependencies will often be caused by a choice of
// template parameter, which is non-local to this part of code; and
// (2) overlapping results pointing to different locations will
// be very common.
// It's possible we could allow a subset of these dependencies
// in future, if we're careful to ensure the above don't apply.
not e.isFromTemplateInstantiation(_)
not exists(e.(MacroAccess).getParentInvocation())
) and
// Some entities have many locations. This can arise for an external
// function that is frequently declared but not defined, or perhaps

2
cpp/ql/src/jsf/4.10 Classes/AV Rule 89.qhelp
View File

@@ -15,7 +15,7 @@ as both virtual and non-virtual in one hierarchy as violations.</p>
AV Rule 89, <em>Joint Strike Fighter Air Vehicle C++ Coding Standards</em>. Lockheed Martin Corporation, 2005.
</li>
<li>
<a href="http://msdn.microsoft.com/en-us/library/wcz57btd%28v=vs.80%29.aspx">Virtual Base Classes</a>
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/multiple-base-classes">Multiple Base Classes</a>.
</li>

2
cpp/ql/src/jsf/4.13 Functions/AV Rule 114.qhelp
View File

@@ -37,7 +37,7 @@ assuming the function had a non-float return type that can fit in a machine word
MISRA C++ Rule 8-4-3, <em>Guidelines for the use of the C++ language in critical systems</em>. The Motor Industry Software Reliability Associate, 2008.
</li>
<li>
<a href="http://msdn.microsoft.com/en-US/library/k68ktdwf%28v=VS.80%29.aspx">The return Statement</a>
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/return-statement-cpp">return Statement (C++)</a>.
</li>

2
cpp/ql/src/jsf/4.16 Initialization/AV Rule 145.qhelp
View File

@@ -37,7 +37,7 @@ better to let the compiler assign values at compile time.
MISRA C++ Rule 8-5-3, <em>Guidelines for the use of the C++ language in critical systems</em>. The Motor Industry Software Reliability Associate, 2008.
</li>
<li>
<a href="http://msdn.microsoft.com/en-us/library/2dzy4k6e%28v=vs.71%29.aspx">C++ Enumeration Declarations</a>
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/enumerations-cpp">Enumerations (C++)</a>.
</li>

2
cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 189.qhelp
View File

@@ -29,7 +29,7 @@ the break statement only exits from one level of the loop.</p>
<a href="http://www.cs.utexas.edu/users/EWD/transcriptions/EWD02xx/EWD215.html">A Case against the GO TO Statement (EWD-215).</a>
</li>
<li>
<a href="https://msdn.microsoft.com/en-gb/library/b34dt9cd%28v=vs.80%29.aspx">MSDN Library: The goto Statement</a>
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/goto-statement-cpp">goto Statement (C++)</a>.
</li>
<li>
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997).

2
cpp/ql/src/localDefinitions.ql
View File

@@ -1,7 +1,7 @@
/**
* @name Jump-to-definition links
* @description Generates use-definition pairs that provide the data
* for jump-to-definition in the code viewer.
* for jump-to-definition in the code viewer of VSCode.
* @kind definitions
* @id cpp/ide-jump-to-definition
* @tags ide-contextual-queries/local-definitions

2
cpp/ql/src/localReferences.ql
View File

@@ -1,7 +1,7 @@
/**
* @name Find-references links
* @description Generates use-definition pairs that provide the data
* for find-references in the code viewer.
* for find-references in the code viewer of VSCode.
* @kind definitions
* @id cpp/ide-find-references
* @tags ide-contextual-queries/local-references

15
cpp/ql/src/semmle/code/cpp/Print.qll
View File

@@ -1,4 +1,17 @@
import cpp
private import PrintAST
/**
* Print function declarations only if there is a `PrintASTConfiguration`
* that requests that function, or no `PrintASTConfiguration` exists.
*/
private predicate shouldPrintDeclaration(Declaration decl) {
not decl instanceof Function
or
not exists(PrintASTConfiguration c)
or
exists(PrintASTConfiguration config | config.shouldPrintFunction(decl))
}
/**
* Gets a string containing the scope in which this declaration is declared.
@@ -48,6 +61,8 @@ private string getTemplateArgumentString(Declaration d, int i) {
* A `Declaration` extended to add methods for generating strings useful only for dumps and debugging.
*/
abstract private class DumpDeclaration extends Declaration {
DumpDeclaration() { shouldPrintDeclaration(this) }
/**
* Gets a string that uniquely identifies this declaration, suitable for use when debugging queries. Only holds for
* functions, user-defined types, global and namespace-scope variables, and member variables.

28
cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
View File

@@ -801,12 +801,34 @@ module FlowVar_internal {
}
Expr getAnIteratorAccess(Variable collection) {
exists(Call c, SsaDefinition def, Variable iterator |
c.getQualifier() = collection.getAnAccess() and
c.getTarget() instanceof BeginOrEndFunction and
exists(
Call c, SsaDefinition def, Variable iterator, FunctionInput input, FunctionOutput output
|
c.getTarget().(GetIteratorFunction).getsIterator(input, output) and
(
(
input.isQualifierObject() or
input.isQualifierAddress()
) and
c.getQualifier() = collection.getAnAccess()
or
exists(int index |
input.isParameter(index) or
input.isParameterDeref(index)
|
c.getArgument(index) = collection.getAnAccess()
)
) and
output.isReturnValue() and
def.getAnUltimateDefiningValue(iterator) = c and
result = def.getAUse(iterator)
)
or
exists(Call crement |
crement = result and
[crement.getQualifier(), crement.getArgument(0)] = getAnIteratorAccess(collection) and
crement.getTarget().getName() = ["operator++", "operator--"]
)
}
class IteratorParameter extends Parameter {

8
cpp/ql/src/semmle/code/cpp/exprs/BuiltInOperations.qll
View File

@@ -27,7 +27,7 @@ class VarArgsExpr extends BuiltInOperation, @var_args_expr { }
* __builtin_va_start(ap, last_named_param);
* ```
*/
class BuiltInVarArgsStart extends BuiltInOperation, @vastartexpr {
class BuiltInVarArgsStart extends VarArgsExpr, @vastartexpr {
override string toString() { result = "__builtin_va_start" }
override string getAPrimaryQlClass() { result = "BuiltInVarArgsStart" }
@@ -52,7 +52,7 @@ class BuiltInVarArgsStart extends BuiltInOperation, @vastartexpr {
* __builtin_va_end(ap);
* ```
*/
class BuiltInVarArgsEnd extends BuiltInOperation, @vaendexpr {
class BuiltInVarArgsEnd extends VarArgsExpr, @vaendexpr {
override string toString() { result = "__builtin_va_end" }
override string getAPrimaryQlClass() { result = "BuiltInVarArgsEnd" }
@@ -70,7 +70,7 @@ class BuiltInVarArgsEnd extends BuiltInOperation, @vaendexpr {
* ap = __builtin_va_arg(ap, long);
* ```
*/
class BuiltInVarArg extends BuiltInOperation, @vaargexpr {
class BuiltInVarArg extends VarArgsExpr, @vaargexpr {
override string toString() { result = "__builtin_va_arg" }
override string getAPrimaryQlClass() { result = "BuiltInVarArg" }
@@ -90,7 +90,7 @@ class BuiltInVarArg extends BuiltInOperation, @vaargexpr {
* va_copy(aq, ap);
* ```
*/
class BuiltInVarArgCopy extends BuiltInOperation, @vacopyexpr {
class BuiltInVarArgCopy extends VarArgsExpr, @vacopyexpr {
override string toString() { result = "__builtin_va_copy" }
override string getAPrimaryQlClass() { result = "BuiltInVarArgCopy" }

4
cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
View File

@@ -217,4 +217,8 @@ string getInstructionTagId(TInstructionTag tag) {
tag = DynamicInitializationFlagConstantTag() and result = "DynInitFlagConst"
or
tag = DynamicInitializationFlagStoreTag() and result = "DynInitFlagStore"
or
tag = ThisAddressTag() and result = "ThisAddress"
or
tag = ThisLoadTag() and result = "ThisLoad"
}

49
cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
View File

@@ -92,6 +92,9 @@ class IteratorPointerDereferenceOperator extends Operator, TaintFunction, Iterat
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input = iteratorInput and
output.isReturnValue()
or
input.isReturnValueDeref() and
output.isParameterDeref(0)
}
}
@@ -180,6 +183,9 @@ class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunc
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input.isQualifierObject() and
output.isReturnValue()
or
input.isReturnValueDeref() and
output.isQualifierObject()
}
}
@@ -274,11 +280,32 @@ class IteratorArrayMemberOperator extends MemberFunction, TaintFunction, Iterato
}
}
/**
* An `operator=` member function of an iterator class that is not a copy or move assignment
* operator.
*
* The `hasTaintFlow` override provides flow through output iterators that return themselves with
* `operator*` and use their own `operator=` to assign to the container.
*/
class IteratorAssignmentMemberOperator extends MemberFunction, TaintFunction {
IteratorAssignmentMemberOperator() {
this.hasName("operator=") and
this.getDeclaringType() instanceof Iterator and
not this instanceof CopyAssignmentOperator and
not this instanceof MoveAssignmentOperator
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input.isParameterDeref(0) and
output.isQualifierObject()
}
}
/**
* A `begin` or `end` member function, or a related member function, that
* returns an iterator.
*/
class BeginOrEndFunction extends MemberFunction, TaintFunction {
class BeginOrEndFunction extends MemberFunction, TaintFunction, GetIteratorFunction {
BeginOrEndFunction() {
this
.hasName(["begin", "cbegin", "rbegin", "crbegin", "end", "cend", "rend", "crend",
@@ -290,4 +317,24 @@ class BeginOrEndFunction extends MemberFunction, TaintFunction {
input.isQualifierObject() and
output.isReturnValue()
}
override predicate getsIterator(FunctionInput input, FunctionOutput output) {
input.isQualifierObject() and
output.isReturnValue()
}
}
/**
* The `std::front_inserter`, `std::inserter`, and `std::back_inserter`
* functions.
*/
class InserterIteratorFunction extends GetIteratorFunction {
InserterIteratorFunction() {
this.hasQualifiedName("std", ["front_inserter", "inserter", "back_inserter"])
}
override predicate getsIterator(FunctionInput input, FunctionOutput output) {
input.isParameterDeref(0) and
output.isReturnValue()
}
}

11
cpp/ql/src/semmle/code/cpp/models/interfaces/Iterator.qll
View File

@@ -15,3 +15,14 @@ import semmle.code.cpp.models.Models
* can be used to write to the iterator's underlying collection.
*/
abstract class IteratorReferenceFunction extends Function { }
/**
* A function which takes a container and returns an iterator over that container.
*/
abstract class GetIteratorFunction extends Function {
/**
* Holds if the return value or buffer represented by `output` is an iterator over the container
* passd in the argument, qualifier, or buffer represented by `input`.
*/
abstract predicate getsIterator(FunctionInput input, FunctionOutput output);
}

334
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -262,8 +262,6 @@
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) | |
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) | |
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) | |
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) | |
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) | |
| format.cpp:16:21:16:21 | s | format.cpp:22:22:22:22 | s | |
| format.cpp:16:31:16:31 | n | format.cpp:22:25:22:25 | n | |
| format.cpp:16:46:16:51 | format | format.cpp:22:28:22:33 | format | |
@@ -3147,6 +3145,40 @@
| standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:53:12:53:18 | source1 | |
| standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:54:14:54:20 | source1 | |
| standalone_iterators.cpp:53:12:53:18 | ref arg source1 | standalone_iterators.cpp:54:14:54:20 | source1 | |
| standalone_iterators.cpp:83:15:83:16 | call to container | standalone_iterators.cpp:85:35:85:36 | c1 | |
| standalone_iterators.cpp:83:15:83:16 | call to container | standalone_iterators.cpp:87:10:87:11 | c1 | |
| standalone_iterators.cpp:83:19:83:20 | call to container | standalone_iterators.cpp:89:35:89:36 | c2 | |
| standalone_iterators.cpp:83:19:83:20 | call to container | standalone_iterators.cpp:91:10:91:11 | c2 | |
| standalone_iterators.cpp:85:35:85:36 | c1 | standalone_iterators.cpp:85:38:85:42 | call to begin | TAINT |
| standalone_iterators.cpp:85:35:85:36 | ref arg c1 | standalone_iterators.cpp:87:10:87:11 | c1 | |
| standalone_iterators.cpp:85:38:85:42 | call to begin | standalone_iterators.cpp:86:6:86:7 | i1 | |
| standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | TAINT |
| standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:87:10:87:11 | c1 | |
| standalone_iterators.cpp:86:6:86:7 | i1 | standalone_iterators.cpp:86:8:86:8 | call to operator-- | |
| standalone_iterators.cpp:86:8:86:8 | call to operator-- | standalone_iterators.cpp:86:5:86:5 | call to operator* | TAINT |
| standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | standalone_iterators.cpp:86:6:86:7 | ref arg i1 | |
| standalone_iterators.cpp:86:13:86:18 | call to source | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | TAINT |
| standalone_iterators.cpp:89:35:89:36 | c2 | standalone_iterators.cpp:89:38:89:42 | call to begin | TAINT |
| standalone_iterators.cpp:89:35:89:36 | ref arg c2 | standalone_iterators.cpp:91:10:91:11 | c2 | |
| standalone_iterators.cpp:89:38:89:42 | call to begin | standalone_iterators.cpp:90:6:90:7 | i2 | |
| standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | TAINT |
| standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:91:10:91:11 | c2 | |
| standalone_iterators.cpp:90:6:90:7 | i2 | standalone_iterators.cpp:90:8:90:8 | call to operator-- | |
| standalone_iterators.cpp:90:8:90:8 | call to operator-- | standalone_iterators.cpp:90:5:90:5 | call to operator* | TAINT |
| standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:6:90:7 | ref arg i2 | |
| standalone_iterators.cpp:90:13:90:13 | 0 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | TAINT |
| stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
| stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
| stl.h:75:8:75:8 | this | stl.h:75:8:75:8 | constructor init of field container [pre-this] | |
| stl.h:75:8:75:8 | this | stl.h:75:8:75:8 | constructor init of field container [pre-this] | |
| stl.h:95:69:95:69 | x | stl.h:95:69:95:69 | x | |
| stl.h:95:69:95:69 | x | stl.h:95:69:95:69 | x | |
| stl.h:95:69:95:69 | x | stl.h:95:69:95:69 | x | |
| stl.h:95:69:95:69 | x | stl.h:96:42:96:42 | x | |
| stl.h:95:69:95:69 | x | stl.h:96:42:96:42 | x | |
| stl.h:95:69:95:69 | x | stl.h:96:42:96:42 | x | |
| stl.h:96:42:96:42 | ref arg x | stl.h:95:69:95:69 | x | |
| stl.h:96:42:96:42 | ref arg x | stl.h:95:69:95:69 | x | |
| stl.h:241:30:241:40 | call to allocator | stl.h:241:21:241:41 | noexcept(...) | TAINT |
| stl.h:241:30:241:40 | call to allocator | stl.h:241:21:241:41 | noexcept(...) | TAINT |
| stl.h:241:30:241:40 | call to allocator | stl.h:241:21:241:41 | noexcept(...) | TAINT |
@@ -6768,66 +6800,75 @@
| vector.cpp:337:38:337:38 | b | vector.cpp:372:5:372:5 | b | |
| vector.cpp:338:22:338:24 | call to vector | vector.cpp:340:34:340:35 | v1 | |
| vector.cpp:338:22:338:24 | call to vector | vector.cpp:342:7:342:8 | v1 | |
| vector.cpp:338:22:338:24 | call to vector | vector.cpp:401:1:401:1 | v1 | |
| vector.cpp:338:22:338:24 | call to vector | vector.cpp:415:1:415:1 | v1 | |
| vector.cpp:338:30:338:32 | call to vector | vector.cpp:344:38:344:39 | v2 | |
| vector.cpp:338:30:338:32 | call to vector | vector.cpp:344:56:344:57 | v2 | |
| vector.cpp:338:30:338:32 | call to vector | vector.cpp:347:7:347:8 | v2 | |
| vector.cpp:338:30:338:32 | call to vector | vector.cpp:401:1:401:1 | v2 | |
| vector.cpp:338:30:338:32 | call to vector | vector.cpp:415:1:415:1 | v2 | |
| vector.cpp:338:38:338:40 | call to vector | vector.cpp:349:15:349:16 | v3 | |
| vector.cpp:338:38:338:40 | call to vector | vector.cpp:352:7:352:8 | v3 | |
| vector.cpp:338:38:338:40 | call to vector | vector.cpp:401:1:401:1 | v3 | |
| vector.cpp:338:38:338:40 | call to vector | vector.cpp:415:1:415:1 | v3 | |
| vector.cpp:338:46:338:48 | call to vector | vector.cpp:354:38:354:39 | v4 | |
| vector.cpp:338:46:338:48 | call to vector | vector.cpp:354:56:354:57 | v4 | |
| vector.cpp:338:46:338:48 | call to vector | vector.cpp:357:7:357:8 | v4 | |
| vector.cpp:338:46:338:48 | call to vector | vector.cpp:401:1:401:1 | v4 | |
| vector.cpp:338:46:338:48 | call to vector | vector.cpp:415:1:415:1 | v4 | |
| vector.cpp:338:54:338:56 | call to vector | vector.cpp:359:34:359:35 | v5 | |
| vector.cpp:338:54:338:56 | call to vector | vector.cpp:361:7:361:8 | v5 | |
| vector.cpp:338:54:338:56 | call to vector | vector.cpp:363:7:363:8 | v5 | |
| vector.cpp:338:54:338:56 | call to vector | vector.cpp:401:1:401:1 | v5 | |
| vector.cpp:338:54:338:56 | call to vector | vector.cpp:415:1:415:1 | v5 | |
| vector.cpp:338:62:338:64 | call to vector | vector.cpp:365:34:365:35 | v6 | |
| vector.cpp:338:62:338:64 | call to vector | vector.cpp:367:7:367:8 | v6 | |
| vector.cpp:338:62:338:64 | call to vector | vector.cpp:368:2:368:3 | v6 | |
| vector.cpp:338:62:338:64 | call to vector | vector.cpp:369:7:369:8 | v6 | |
| vector.cpp:338:62:338:64 | call to vector | vector.cpp:401:1:401:1 | v6 | |
| vector.cpp:338:62:338:64 | call to vector | vector.cpp:415:1:415:1 | v6 | |
| vector.cpp:338:70:338:72 | call to vector | vector.cpp:371:34:371:35 | v7 | |
| vector.cpp:338:70:338:72 | call to vector | vector.cpp:374:8:374:9 | v7 | |
| vector.cpp:338:70:338:72 | call to vector | vector.cpp:377:8:377:9 | v7 | |
| vector.cpp:338:70:338:72 | call to vector | vector.cpp:379:7:379:8 | v7 | |
| vector.cpp:338:70:338:72 | call to vector | vector.cpp:401:1:401:1 | v7 | |
| vector.cpp:338:70:338:72 | call to vector | vector.cpp:415:1:415:1 | v7 | |
| vector.cpp:338:78:338:80 | call to vector | vector.cpp:381:34:381:35 | v8 | |
| vector.cpp:338:78:338:80 | call to vector | vector.cpp:383:7:383:8 | v8 | |
| vector.cpp:338:78:338:80 | call to vector | vector.cpp:385:7:385:8 | v8 | |
| vector.cpp:338:78:338:80 | call to vector | vector.cpp:401:1:401:1 | v8 | |
| vector.cpp:338:78:338:80 | call to vector | vector.cpp:415:1:415:1 | v8 | |
| vector.cpp:338:86:338:88 | call to vector | vector.cpp:387:34:387:35 | v9 | |
| vector.cpp:338:86:338:88 | call to vector | vector.cpp:392:7:392:8 | v9 | |
| vector.cpp:338:86:338:88 | call to vector | vector.cpp:401:1:401:1 | v9 | |
| vector.cpp:338:86:338:88 | call to vector | vector.cpp:415:1:415:1 | v9 | |
| vector.cpp:338:95:338:97 | call to vector | vector.cpp:394:35:394:37 | v10 | |
| vector.cpp:338:95:338:97 | call to vector | vector.cpp:396:7:396:9 | v10 | |
| vector.cpp:338:95:338:97 | call to vector | vector.cpp:401:1:401:1 | v10 | |
| vector.cpp:338:95:338:97 | call to vector | vector.cpp:415:1:415:1 | v10 | |
| vector.cpp:338:104:338:106 | call to vector | vector.cpp:398:35:398:37 | v11 | |
| vector.cpp:338:104:338:106 | call to vector | vector.cpp:400:7:400:9 | v11 | |
| vector.cpp:338:104:338:106 | call to vector | vector.cpp:401:1:401:1 | v11 | |
| vector.cpp:338:104:338:106 | call to vector | vector.cpp:415:1:415:1 | v11 | |
| vector.cpp:338:113:338:115 | call to vector | vector.cpp:402:35:402:37 | v12 | |
| vector.cpp:338:113:338:115 | call to vector | vector.cpp:405:7:405:9 | v12 | |
| vector.cpp:338:113:338:115 | call to vector | vector.cpp:415:1:415:1 | v12 | |
| vector.cpp:338:122:338:124 | call to vector | vector.cpp:407:35:407:37 | v13 | |
| vector.cpp:338:122:338:124 | call to vector | vector.cpp:409:7:409:9 | v13 | |
| vector.cpp:338:122:338:124 | call to vector | vector.cpp:415:1:415:1 | v13 | |
| vector.cpp:338:131:338:133 | call to vector | vector.cpp:411:35:411:37 | v14 | |
| vector.cpp:338:131:338:133 | call to vector | vector.cpp:414:7:414:9 | v14 | |
| vector.cpp:338:131:338:133 | call to vector | vector.cpp:415:1:415:1 | v14 | |
| vector.cpp:340:34:340:35 | ref arg v1 | vector.cpp:342:7:342:8 | v1 | |
| vector.cpp:340:34:340:35 | ref arg v1 | vector.cpp:401:1:401:1 | v1 | |
| vector.cpp:340:34:340:35 | ref arg v1 | vector.cpp:415:1:415:1 | v1 | |
| vector.cpp:340:34:340:35 | v1 | vector.cpp:340:37:340:41 | call to begin | TAINT |
| vector.cpp:340:37:340:41 | call to begin | vector.cpp:341:3:341:4 | i1 | |
| vector.cpp:341:2:341:2 | call to operator* [post update] | vector.cpp:342:7:342:8 | v1 | |
| vector.cpp:341:2:341:2 | call to operator* [post update] | vector.cpp:401:1:401:1 | v1 | |
| vector.cpp:341:2:341:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v1 | |
| vector.cpp:341:2:341:15 | ... = ... | vector.cpp:341:2:341:2 | call to operator* [post update] | |
| vector.cpp:341:3:341:4 | i1 | vector.cpp:341:2:341:2 | call to operator* | TAINT |
| vector.cpp:341:8:341:13 | call to source | vector.cpp:341:2:341:2 | call to operator* [post update] | TAINT |
| vector.cpp:341:8:341:13 | call to source | vector.cpp:341:2:341:15 | ... = ... | |
| vector.cpp:342:7:342:8 | ref arg v1 | vector.cpp:401:1:401:1 | v1 | |
| vector.cpp:342:7:342:8 | ref arg v1 | vector.cpp:415:1:415:1 | v1 | |
| vector.cpp:344:38:344:39 | ref arg v2 | vector.cpp:344:56:344:57 | v2 | |
| vector.cpp:344:38:344:39 | ref arg v2 | vector.cpp:347:7:347:8 | v2 | |
| vector.cpp:344:38:344:39 | ref arg v2 | vector.cpp:401:1:401:1 | v2 | |
| vector.cpp:344:38:344:39 | ref arg v2 | vector.cpp:415:1:415:1 | v2 | |
| vector.cpp:344:38:344:39 | v2 | vector.cpp:344:41:344:45 | call to begin | TAINT |
| vector.cpp:344:41:344:45 | call to begin | vector.cpp:344:50:344:51 | it | |
| vector.cpp:344:41:344:45 | call to begin | vector.cpp:344:68:344:69 | it | |
| vector.cpp:344:41:344:45 | call to begin | vector.cpp:345:4:345:5 | it | |
| vector.cpp:344:56:344:57 | ref arg v2 | vector.cpp:344:56:344:57 | v2 | |
| vector.cpp:344:56:344:57 | ref arg v2 | vector.cpp:347:7:347:8 | v2 | |
| vector.cpp:344:56:344:57 | ref arg v2 | vector.cpp:401:1:401:1 | v2 | |
| vector.cpp:344:56:344:57 | ref arg v2 | vector.cpp:415:1:415:1 | v2 | |
| vector.cpp:344:56:344:57 | v2 | vector.cpp:344:59:344:61 | call to end | TAINT |
| vector.cpp:344:68:344:69 | it | vector.cpp:344:66:344:66 | call to operator++ | |
| vector.cpp:344:68:344:69 | ref arg it | vector.cpp:344:50:344:51 | it | |
@@ -6835,12 +6876,12 @@
| vector.cpp:344:68:344:69 | ref arg it | vector.cpp:345:4:345:5 | it | |
| vector.cpp:345:3:345:3 | call to operator* [post update] | vector.cpp:344:56:344:57 | v2 | |
| vector.cpp:345:3:345:3 | call to operator* [post update] | vector.cpp:347:7:347:8 | v2 | |
| vector.cpp:345:3:345:3 | call to operator* [post update] | vector.cpp:401:1:401:1 | v2 | |
| vector.cpp:345:3:345:3 | call to operator* [post update] | vector.cpp:415:1:415:1 | v2 | |
| vector.cpp:345:3:345:16 | ... = ... | vector.cpp:345:3:345:3 | call to operator* [post update] | |
| vector.cpp:345:4:345:5 | it | vector.cpp:345:3:345:3 | call to operator* | TAINT |
| vector.cpp:345:9:345:14 | call to source | vector.cpp:345:3:345:3 | call to operator* [post update] | TAINT |
| vector.cpp:345:9:345:14 | call to source | vector.cpp:345:3:345:16 | ... = ... | |
| vector.cpp:347:7:347:8 | ref arg v2 | vector.cpp:401:1:401:1 | v2 | |
| vector.cpp:347:7:347:8 | ref arg v2 | vector.cpp:415:1:415:1 | v2 | |
| vector.cpp:349:15:349:15 | (__begin) | vector.cpp:349:15:349:15 | call to operator* | TAINT |
| vector.cpp:349:15:349:15 | (__begin) | vector.cpp:349:15:349:15 | call to operator++ | |
| vector.cpp:349:15:349:15 | (__end) | vector.cpp:349:15:349:15 | call to iterator | |
@@ -6859,17 +6900,17 @@
| vector.cpp:349:15:349:16 | v3 | vector.cpp:349:15:349:15 | call to operator* | TAINT |
| vector.cpp:350:3:350:14 | ... = ... | vector.cpp:350:3:350:3 | x [post update] | |
| vector.cpp:350:7:350:12 | call to source | vector.cpp:350:3:350:14 | ... = ... | |
| vector.cpp:352:7:352:8 | ref arg v3 | vector.cpp:401:1:401:1 | v3 | |
| vector.cpp:352:7:352:8 | ref arg v3 | vector.cpp:415:1:415:1 | v3 | |
| vector.cpp:354:38:354:39 | ref arg v4 | vector.cpp:354:56:354:57 | v4 | |
| vector.cpp:354:38:354:39 | ref arg v4 | vector.cpp:357:7:357:8 | v4 | |
| vector.cpp:354:38:354:39 | ref arg v4 | vector.cpp:401:1:401:1 | v4 | |
| vector.cpp:354:38:354:39 | ref arg v4 | vector.cpp:415:1:415:1 | v4 | |
| vector.cpp:354:38:354:39 | v4 | vector.cpp:354:41:354:45 | call to begin | TAINT |
| vector.cpp:354:41:354:45 | call to begin | vector.cpp:354:50:354:51 | it | |
| vector.cpp:354:41:354:45 | call to begin | vector.cpp:354:68:354:69 | it | |
| vector.cpp:354:41:354:45 | call to begin | vector.cpp:355:32:355:33 | it | |
| vector.cpp:354:56:354:57 | ref arg v4 | vector.cpp:354:56:354:57 | v4 | |
| vector.cpp:354:56:354:57 | ref arg v4 | vector.cpp:357:7:357:8 | v4 | |
| vector.cpp:354:56:354:57 | ref arg v4 | vector.cpp:401:1:401:1 | v4 | |
| vector.cpp:354:56:354:57 | ref arg v4 | vector.cpp:415:1:415:1 | v4 | |
| vector.cpp:354:56:354:57 | v4 | vector.cpp:354:59:354:61 | call to end | TAINT |
| vector.cpp:354:68:354:69 | it | vector.cpp:354:66:354:66 | call to operator++ | |
| vector.cpp:354:68:354:69 | ref arg it | vector.cpp:354:50:354:51 | it | |
@@ -6877,138 +6918,311 @@
| vector.cpp:354:68:354:69 | ref arg it | vector.cpp:355:32:355:33 | it | |
| vector.cpp:355:32:355:33 | call to iterator [post update] | vector.cpp:354:56:354:57 | v4 | |
| vector.cpp:355:32:355:33 | call to iterator [post update] | vector.cpp:357:7:357:8 | v4 | |
| vector.cpp:355:32:355:33 | call to iterator [post update] | vector.cpp:401:1:401:1 | v4 | |
| vector.cpp:355:32:355:33 | call to iterator [post update] | vector.cpp:415:1:415:1 | v4 | |
| vector.cpp:355:32:355:33 | it | vector.cpp:355:32:355:33 | call to iterator | |
| vector.cpp:355:32:355:33 | it [post update] | vector.cpp:354:56:354:57 | v4 | |
| vector.cpp:355:32:355:33 | it [post update] | vector.cpp:357:7:357:8 | v4 | |
| vector.cpp:355:32:355:33 | it [post update] | vector.cpp:401:1:401:1 | v4 | |
| vector.cpp:357:7:357:8 | ref arg v4 | vector.cpp:401:1:401:1 | v4 | |
| vector.cpp:355:32:355:33 | it [post update] | vector.cpp:415:1:415:1 | v4 | |
| vector.cpp:357:7:357:8 | ref arg v4 | vector.cpp:415:1:415:1 | v4 | |
| vector.cpp:359:34:359:35 | ref arg v5 | vector.cpp:361:7:361:8 | v5 | |
| vector.cpp:359:34:359:35 | ref arg v5 | vector.cpp:363:7:363:8 | v5 | |
| vector.cpp:359:34:359:35 | ref arg v5 | vector.cpp:401:1:401:1 | v5 | |
| vector.cpp:359:34:359:35 | ref arg v5 | vector.cpp:415:1:415:1 | v5 | |
| vector.cpp:359:34:359:35 | v5 | vector.cpp:359:37:359:41 | call to begin | TAINT |
| vector.cpp:359:37:359:41 | call to begin | vector.cpp:360:3:360:4 | i5 | |
| vector.cpp:359:37:359:41 | call to begin | vector.cpp:362:3:362:4 | i5 | |
| vector.cpp:360:2:360:2 | call to operator* [post update] | vector.cpp:361:7:361:8 | v5 | |
| vector.cpp:360:2:360:2 | call to operator* [post update] | vector.cpp:363:7:363:8 | v5 | |
| vector.cpp:360:2:360:2 | call to operator* [post update] | vector.cpp:401:1:401:1 | v5 | |
| vector.cpp:360:2:360:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v5 | |
| vector.cpp:360:2:360:15 | ... = ... | vector.cpp:360:2:360:2 | call to operator* [post update] | |
| vector.cpp:360:3:360:4 | i5 | vector.cpp:360:2:360:2 | call to operator* | TAINT |
| vector.cpp:360:8:360:13 | call to source | vector.cpp:360:2:360:2 | call to operator* [post update] | TAINT |
| vector.cpp:360:8:360:13 | call to source | vector.cpp:360:2:360:15 | ... = ... | |
| vector.cpp:361:7:361:8 | ref arg v5 | vector.cpp:363:7:363:8 | v5 | |
| vector.cpp:361:7:361:8 | ref arg v5 | vector.cpp:401:1:401:1 | v5 | |
| vector.cpp:361:7:361:8 | ref arg v5 | vector.cpp:415:1:415:1 | v5 | |
| vector.cpp:362:2:362:2 | call to operator* [post update] | vector.cpp:363:7:363:8 | v5 | |
| vector.cpp:362:2:362:2 | call to operator* [post update] | vector.cpp:401:1:401:1 | v5 | |
| vector.cpp:362:2:362:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v5 | |
| vector.cpp:362:2:362:8 | ... = ... | vector.cpp:362:2:362:2 | call to operator* [post update] | |
| vector.cpp:362:3:362:4 | i5 | vector.cpp:362:2:362:2 | call to operator* | TAINT |
| vector.cpp:362:8:362:8 | 1 | vector.cpp:362:2:362:2 | call to operator* [post update] | TAINT |
| vector.cpp:362:8:362:8 | 1 | vector.cpp:362:2:362:8 | ... = ... | |
| vector.cpp:363:7:363:8 | ref arg v5 | vector.cpp:401:1:401:1 | v5 | |
| vector.cpp:363:7:363:8 | ref arg v5 | vector.cpp:415:1:415:1 | v5 | |
| vector.cpp:365:34:365:35 | ref arg v6 | vector.cpp:367:7:367:8 | v6 | |
| vector.cpp:365:34:365:35 | ref arg v6 | vector.cpp:368:2:368:3 | v6 | |
| vector.cpp:365:34:365:35 | ref arg v6 | vector.cpp:369:7:369:8 | v6 | |
| vector.cpp:365:34:365:35 | ref arg v6 | vector.cpp:401:1:401:1 | v6 | |
| vector.cpp:365:34:365:35 | ref arg v6 | vector.cpp:415:1:415:1 | v6 | |
| vector.cpp:365:34:365:35 | v6 | vector.cpp:365:37:365:41 | call to begin | TAINT |
| vector.cpp:365:37:365:41 | call to begin | vector.cpp:366:3:366:4 | i6 | |
| vector.cpp:366:2:366:2 | call to operator* [post update] | vector.cpp:367:7:367:8 | v6 | |
| vector.cpp:366:2:366:2 | call to operator* [post update] | vector.cpp:368:2:368:3 | v6 | |
| vector.cpp:366:2:366:2 | call to operator* [post update] | vector.cpp:369:7:369:8 | v6 | |
| vector.cpp:366:2:366:2 | call to operator* [post update] | vector.cpp:401:1:401:1 | v6 | |
| vector.cpp:366:2:366:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v6 | |
| vector.cpp:366:2:366:15 | ... = ... | vector.cpp:366:2:366:2 | call to operator* [post update] | |
| vector.cpp:366:3:366:4 | i6 | vector.cpp:366:2:366:2 | call to operator* | TAINT |
| vector.cpp:366:8:366:13 | call to source | vector.cpp:366:2:366:2 | call to operator* [post update] | TAINT |
| vector.cpp:366:8:366:13 | call to source | vector.cpp:366:2:366:15 | ... = ... | |
| vector.cpp:367:7:367:8 | ref arg v6 | vector.cpp:368:2:368:3 | v6 | |
| vector.cpp:367:7:367:8 | ref arg v6 | vector.cpp:369:7:369:8 | v6 | |
| vector.cpp:367:7:367:8 | ref arg v6 | vector.cpp:401:1:401:1 | v6 | |
| vector.cpp:367:7:367:8 | ref arg v6 | vector.cpp:415:1:415:1 | v6 | |
| vector.cpp:368:2:368:3 | ref arg v6 | vector.cpp:369:7:369:8 | v6 | |
| vector.cpp:368:2:368:3 | ref arg v6 | vector.cpp:401:1:401:1 | v6 | |
| vector.cpp:368:2:368:3 | ref arg v6 | vector.cpp:415:1:415:1 | v6 | |
| vector.cpp:368:7:368:26 | call to vector | vector.cpp:368:2:368:3 | ref arg v6 | TAINT |
| vector.cpp:368:7:368:26 | call to vector | vector.cpp:368:5:368:5 | call to operator= | TAINT |
| vector.cpp:369:7:369:8 | ref arg v6 | vector.cpp:401:1:401:1 | v6 | |
| vector.cpp:369:7:369:8 | ref arg v6 | vector.cpp:415:1:415:1 | v6 | |
| vector.cpp:371:34:371:35 | ref arg v7 | vector.cpp:374:8:374:9 | v7 | |
| vector.cpp:371:34:371:35 | ref arg v7 | vector.cpp:377:8:377:9 | v7 | |
| vector.cpp:371:34:371:35 | ref arg v7 | vector.cpp:379:7:379:8 | v7 | |
| vector.cpp:371:34:371:35 | ref arg v7 | vector.cpp:401:1:401:1 | v7 | |
| vector.cpp:371:34:371:35 | ref arg v7 | vector.cpp:415:1:415:1 | v7 | |
| vector.cpp:371:34:371:35 | v7 | vector.cpp:371:37:371:41 | call to begin | TAINT |
| vector.cpp:371:37:371:41 | call to begin | vector.cpp:373:4:373:5 | i7 | |
| vector.cpp:371:37:371:41 | call to begin | vector.cpp:376:4:376:5 | i7 | |
| vector.cpp:373:3:373:3 | call to operator* [post update] | vector.cpp:374:8:374:9 | v7 | |
| vector.cpp:373:3:373:3 | call to operator* [post update] | vector.cpp:379:7:379:8 | v7 | |
| vector.cpp:373:3:373:3 | call to operator* [post update] | vector.cpp:401:1:401:1 | v7 | |
| vector.cpp:373:3:373:3 | call to operator* [post update] | vector.cpp:415:1:415:1 | v7 | |
| vector.cpp:373:3:373:16 | ... = ... | vector.cpp:373:3:373:3 | call to operator* [post update] | |
| vector.cpp:373:4:373:5 | i7 | vector.cpp:373:3:373:3 | call to operator* | TAINT |
| vector.cpp:373:9:373:14 | call to source | vector.cpp:373:3:373:3 | call to operator* [post update] | TAINT |
| vector.cpp:373:9:373:14 | call to source | vector.cpp:373:3:373:16 | ... = ... | |
| vector.cpp:374:8:374:9 | ref arg v7 | vector.cpp:379:7:379:8 | v7 | |
| vector.cpp:374:8:374:9 | ref arg v7 | vector.cpp:401:1:401:1 | v7 | |
| vector.cpp:374:8:374:9 | ref arg v7 | vector.cpp:415:1:415:1 | v7 | |
| vector.cpp:376:3:376:3 | call to operator* [post update] | vector.cpp:377:8:377:9 | v7 | |
| vector.cpp:376:3:376:3 | call to operator* [post update] | vector.cpp:379:7:379:8 | v7 | |
| vector.cpp:376:3:376:3 | call to operator* [post update] | vector.cpp:401:1:401:1 | v7 | |
| vector.cpp:376:3:376:3 | call to operator* [post update] | vector.cpp:415:1:415:1 | v7 | |
| vector.cpp:376:3:376:9 | ... = ... | vector.cpp:376:3:376:3 | call to operator* [post update] | |
| vector.cpp:376:4:376:5 | i7 | vector.cpp:376:3:376:3 | call to operator* | TAINT |
| vector.cpp:376:9:376:9 | 1 | vector.cpp:376:3:376:3 | call to operator* [post update] | TAINT |
| vector.cpp:376:9:376:9 | 1 | vector.cpp:376:3:376:9 | ... = ... | |
| vector.cpp:377:8:377:9 | ref arg v7 | vector.cpp:379:7:379:8 | v7 | |
| vector.cpp:377:8:377:9 | ref arg v7 | vector.cpp:401:1:401:1 | v7 | |
| vector.cpp:379:7:379:8 | ref arg v7 | vector.cpp:401:1:401:1 | v7 | |
| vector.cpp:377:8:377:9 | ref arg v7 | vector.cpp:415:1:415:1 | v7 | |
| vector.cpp:379:7:379:8 | ref arg v7 | vector.cpp:415:1:415:1 | v7 | |
| vector.cpp:381:34:381:35 | ref arg v8 | vector.cpp:383:7:383:8 | v8 | |
| vector.cpp:381:34:381:35 | ref arg v8 | vector.cpp:385:7:385:8 | v8 | |
| vector.cpp:381:34:381:35 | ref arg v8 | vector.cpp:401:1:401:1 | v8 | |
| vector.cpp:381:34:381:35 | ref arg v8 | vector.cpp:415:1:415:1 | v8 | |
| vector.cpp:381:34:381:35 | v8 | vector.cpp:381:37:381:41 | call to begin | TAINT |
| vector.cpp:381:37:381:41 | call to begin | vector.cpp:382:3:382:4 | i8 | |
| vector.cpp:381:37:381:41 | call to begin | vector.cpp:384:3:384:4 | i8 | |
| vector.cpp:382:2:382:2 | call to operator* [post update] | vector.cpp:383:7:383:8 | v8 | |
| vector.cpp:382:2:382:2 | call to operator* [post update] | vector.cpp:385:7:385:8 | v8 | |
| vector.cpp:382:2:382:2 | call to operator* [post update] | vector.cpp:401:1:401:1 | v8 | |
| vector.cpp:382:2:382:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v8 | |
| vector.cpp:382:2:382:15 | ... = ... | vector.cpp:382:2:382:2 | call to operator* [post update] | |
| vector.cpp:382:3:382:4 | i8 | vector.cpp:382:2:382:2 | call to operator* | TAINT |
| vector.cpp:382:8:382:13 | call to source | vector.cpp:382:2:382:2 | call to operator* [post update] | TAINT |
| vector.cpp:382:8:382:13 | call to source | vector.cpp:382:2:382:15 | ... = ... | |
| vector.cpp:383:7:383:8 | ref arg v8 | vector.cpp:385:7:385:8 | v8 | |
| vector.cpp:383:7:383:8 | ref arg v8 | vector.cpp:401:1:401:1 | v8 | |
| vector.cpp:383:7:383:8 | ref arg v8 | vector.cpp:415:1:415:1 | v8 | |
| vector.cpp:384:2:384:2 | call to operator* [post update] | vector.cpp:385:7:385:8 | v8 | |
| vector.cpp:384:2:384:2 | call to operator* [post update] | vector.cpp:401:1:401:1 | v8 | |
| vector.cpp:384:2:384:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v8 | |
| vector.cpp:384:2:384:8 | ... = ... | vector.cpp:384:2:384:2 | call to operator* [post update] | |
| vector.cpp:384:3:384:4 | i8 | vector.cpp:384:2:384:2 | call to operator* | TAINT |
| vector.cpp:384:8:384:8 | 1 | vector.cpp:384:2:384:2 | call to operator* [post update] | TAINT |
| vector.cpp:384:8:384:8 | 1 | vector.cpp:384:2:384:8 | ... = ... | |
| vector.cpp:385:7:385:8 | ref arg v8 | vector.cpp:401:1:401:1 | v8 | |
| vector.cpp:385:7:385:8 | ref arg v8 | vector.cpp:415:1:415:1 | v8 | |
| vector.cpp:387:34:387:35 | ref arg v9 | vector.cpp:392:7:392:8 | v9 | |
| vector.cpp:387:34:387:35 | ref arg v9 | vector.cpp:401:1:401:1 | v9 | |
| vector.cpp:387:34:387:35 | ref arg v9 | vector.cpp:415:1:415:1 | v9 | |
| vector.cpp:387:34:387:35 | v9 | vector.cpp:387:37:387:41 | call to begin | TAINT |
| vector.cpp:387:37:387:41 | call to begin | vector.cpp:389:3:389:4 | i9 | |
| vector.cpp:387:37:387:41 | call to begin | vector.cpp:390:31:390:32 | i9 | |
| vector.cpp:389:2:389:2 | call to operator* [post update] | vector.cpp:392:7:392:8 | v9 | |
| vector.cpp:389:2:389:2 | call to operator* [post update] | vector.cpp:401:1:401:1 | v9 | |
| vector.cpp:389:2:389:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v9 | |
| vector.cpp:389:2:389:15 | ... = ... | vector.cpp:389:2:389:2 | call to operator* [post update] | |
| vector.cpp:389:3:389:4 | i9 | vector.cpp:389:2:389:2 | call to operator* | TAINT |
| vector.cpp:389:8:389:13 | call to source | vector.cpp:389:2:389:2 | call to operator* [post update] | TAINT |
| vector.cpp:389:8:389:13 | call to source | vector.cpp:389:2:389:15 | ... = ... | |
| vector.cpp:390:31:390:32 | call to iterator [post update] | vector.cpp:392:7:392:8 | v9 | |
| vector.cpp:390:31:390:32 | call to iterator [post update] | vector.cpp:401:1:401:1 | v9 | |
| vector.cpp:390:31:390:32 | call to iterator [post update] | vector.cpp:415:1:415:1 | v9 | |
| vector.cpp:390:31:390:32 | i9 | vector.cpp:390:31:390:32 | call to iterator | |
| vector.cpp:390:31:390:32 | i9 [post update] | vector.cpp:392:7:392:8 | v9 | |
| vector.cpp:390:31:390:32 | i9 [post update] | vector.cpp:401:1:401:1 | v9 | |
| vector.cpp:392:7:392:8 | ref arg v9 | vector.cpp:401:1:401:1 | v9 | |
| vector.cpp:390:31:390:32 | i9 [post update] | vector.cpp:415:1:415:1 | v9 | |
| vector.cpp:392:7:392:8 | ref arg v9 | vector.cpp:415:1:415:1 | v9 | |
| vector.cpp:394:35:394:37 | ref arg v10 | vector.cpp:396:7:396:9 | v10 | |
| vector.cpp:394:35:394:37 | ref arg v10 | vector.cpp:401:1:401:1 | v10 | |
| vector.cpp:394:35:394:37 | ref arg v10 | vector.cpp:415:1:415:1 | v10 | |
| vector.cpp:394:35:394:37 | v10 | vector.cpp:394:39:394:43 | call to begin | TAINT |
| vector.cpp:394:39:394:43 | call to begin | vector.cpp:395:33:395:35 | i10 | |
| vector.cpp:395:33:395:35 | call to iterator [post update] | vector.cpp:396:7:396:9 | v10 | |
| vector.cpp:395:33:395:35 | call to iterator [post update] | vector.cpp:401:1:401:1 | v10 | |
| vector.cpp:395:33:395:35 | call to iterator [post update] | vector.cpp:415:1:415:1 | v10 | |
| vector.cpp:395:33:395:35 | i10 | vector.cpp:395:33:395:35 | call to iterator | |
| vector.cpp:395:33:395:35 | i10 [post update] | vector.cpp:396:7:396:9 | v10 | |
| vector.cpp:395:33:395:35 | i10 [post update] | vector.cpp:401:1:401:1 | v10 | |
| vector.cpp:396:7:396:9 | ref arg v10 | vector.cpp:401:1:401:1 | v10 | |
| vector.cpp:395:33:395:35 | i10 [post update] | vector.cpp:415:1:415:1 | v10 | |
| vector.cpp:396:7:396:9 | ref arg v10 | vector.cpp:415:1:415:1 | v10 | |
| vector.cpp:398:35:398:37 | ref arg v11 | vector.cpp:400:7:400:9 | v11 | |
| vector.cpp:398:35:398:37 | ref arg v11 | vector.cpp:401:1:401:1 | v11 | |
| vector.cpp:398:35:398:37 | ref arg v11 | vector.cpp:415:1:415:1 | v11 | |
| vector.cpp:398:35:398:37 | v11 | vector.cpp:398:39:398:43 | call to begin | TAINT |
| vector.cpp:398:39:398:43 | call to begin | vector.cpp:399:33:399:35 | i11 | |
| vector.cpp:399:33:399:35 | call to iterator [post update] | vector.cpp:400:7:400:9 | v11 | |
| vector.cpp:399:33:399:35 | call to iterator [post update] | vector.cpp:401:1:401:1 | v11 | |
| vector.cpp:399:33:399:35 | call to iterator [post update] | vector.cpp:415:1:415:1 | v11 | |
| vector.cpp:399:33:399:35 | i11 | vector.cpp:399:33:399:35 | call to iterator | |
| vector.cpp:399:33:399:35 | i11 [post update] | vector.cpp:400:7:400:9 | v11 | |
| vector.cpp:399:33:399:35 | i11 [post update] | vector.cpp:401:1:401:1 | v11 | |
| vector.cpp:400:7:400:9 | ref arg v11 | vector.cpp:401:1:401:1 | v11 | |
| vector.cpp:399:33:399:35 | i11 [post update] | vector.cpp:415:1:415:1 | v11 | |
| vector.cpp:400:7:400:9 | ref arg v11 | vector.cpp:415:1:415:1 | v11 | |
| vector.cpp:402:35:402:37 | ref arg v12 | vector.cpp:405:7:405:9 | v12 | |
| vector.cpp:402:35:402:37 | ref arg v12 | vector.cpp:415:1:415:1 | v12 | |
| vector.cpp:402:35:402:37 | v12 | vector.cpp:402:39:402:43 | call to begin | TAINT |
| vector.cpp:402:39:402:43 | call to begin | vector.cpp:403:3:403:5 | i12 | |
| vector.cpp:402:39:402:43 | call to begin | vector.cpp:404:3:404:5 | i12 | |
| vector.cpp:403:2:403:2 | call to operator* [post update] | vector.cpp:405:7:405:9 | v12 | |
| vector.cpp:403:2:403:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v12 | |
| vector.cpp:403:2:403:11 | ... = ... | vector.cpp:403:2:403:2 | call to operator* [post update] | |
| vector.cpp:403:3:403:5 | i12 | vector.cpp:403:6:403:6 | call to operator++ | |
| vector.cpp:403:3:403:5 | ref arg i12 | vector.cpp:404:3:404:5 | i12 | |
| vector.cpp:403:6:403:6 | call to operator++ | vector.cpp:403:2:403:2 | call to operator* | TAINT |
| vector.cpp:403:11:403:11 | 0 | vector.cpp:403:2:403:2 | call to operator* [post update] | TAINT |
| vector.cpp:403:11:403:11 | 0 | vector.cpp:403:2:403:11 | ... = ... | |
| vector.cpp:404:2:404:2 | call to operator* [post update] | vector.cpp:405:7:405:9 | v12 | |
| vector.cpp:404:2:404:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v12 | |
| vector.cpp:404:2:404:16 | ... = ... | vector.cpp:404:2:404:2 | call to operator* [post update] | |
| vector.cpp:404:3:404:5 | i12 | vector.cpp:404:2:404:2 | call to operator* | TAINT |
| vector.cpp:404:9:404:14 | call to source | vector.cpp:404:2:404:2 | call to operator* [post update] | TAINT |
| vector.cpp:404:9:404:14 | call to source | vector.cpp:404:2:404:16 | ... = ... | |
| vector.cpp:405:7:405:9 | ref arg v12 | vector.cpp:415:1:415:1 | v12 | |
| vector.cpp:407:35:407:37 | ref arg v13 | vector.cpp:409:7:409:9 | v13 | |
| vector.cpp:407:35:407:37 | ref arg v13 | vector.cpp:415:1:415:1 | v13 | |
| vector.cpp:407:35:407:37 | v13 | vector.cpp:407:39:407:43 | call to begin | TAINT |
| vector.cpp:407:39:407:43 | call to begin | vector.cpp:408:3:408:5 | i13 | |
| vector.cpp:408:2:408:2 | call to operator* [post update] | vector.cpp:409:7:409:9 | v13 | |
| vector.cpp:408:2:408:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v13 | |
| vector.cpp:408:2:408:18 | ... = ... | vector.cpp:408:2:408:2 | call to operator* [post update] | |
| vector.cpp:408:3:408:5 | i13 | vector.cpp:408:6:408:6 | call to operator++ | |
| vector.cpp:408:6:408:6 | call to operator++ | vector.cpp:408:2:408:2 | call to operator* | TAINT |
| vector.cpp:408:11:408:16 | call to source | vector.cpp:408:2:408:2 | call to operator* [post update] | TAINT |
| vector.cpp:408:11:408:16 | call to source | vector.cpp:408:2:408:18 | ... = ... | |
| vector.cpp:409:7:409:9 | ref arg v13 | vector.cpp:415:1:415:1 | v13 | |
| vector.cpp:411:35:411:37 | ref arg v14 | vector.cpp:414:7:414:9 | v14 | |
| vector.cpp:411:35:411:37 | ref arg v14 | vector.cpp:415:1:415:1 | v14 | |
| vector.cpp:411:35:411:37 | v14 | vector.cpp:411:39:411:43 | call to begin | TAINT |
| vector.cpp:411:39:411:43 | call to begin | vector.cpp:412:2:412:4 | i14 | |
| vector.cpp:411:39:411:43 | call to begin | vector.cpp:413:3:413:5 | i14 | |
| vector.cpp:412:2:412:4 | i14 | vector.cpp:412:5:412:5 | call to operator++ | |
| vector.cpp:412:2:412:4 | ref arg i14 | vector.cpp:413:3:413:5 | i14 | |
| vector.cpp:413:2:413:2 | call to operator* [post update] | vector.cpp:414:7:414:9 | v14 | |
| vector.cpp:413:2:413:2 | call to operator* [post update] | vector.cpp:415:1:415:1 | v14 | |
| vector.cpp:413:2:413:18 | ... = ... | vector.cpp:413:2:413:2 | call to operator* [post update] | |
| vector.cpp:413:3:413:5 | i14 | vector.cpp:413:6:413:6 | call to operator++ | |
| vector.cpp:413:6:413:6 | call to operator++ | vector.cpp:413:2:413:2 | call to operator* | TAINT |
| vector.cpp:413:11:413:16 | call to source | vector.cpp:413:2:413:2 | call to operator* [post update] | TAINT |
| vector.cpp:413:11:413:16 | call to source | vector.cpp:413:2:413:18 | ... = ... | |
| vector.cpp:414:7:414:9 | ref arg v14 | vector.cpp:415:1:415:1 | v14 | |
| vector.cpp:417:33:417:45 | source_string | vector.cpp:421:23:421:35 | source_string | |
| vector.cpp:417:33:417:45 | source_string | vector.cpp:428:23:428:35 | source_string | |
| vector.cpp:417:33:417:45 | source_string | vector.cpp:442:23:442:35 | source_string | |
| vector.cpp:419:28:419:30 | call to vector | vector.cpp:420:13:420:15 | out | |
| vector.cpp:419:28:419:30 | call to vector | vector.cpp:422:8:422:10 | out | |
| vector.cpp:419:28:419:30 | call to vector | vector.cpp:423:2:423:2 | out | |
| vector.cpp:420:13:420:15 | out | vector.cpp:420:17:420:19 | call to end | TAINT |
| vector.cpp:420:13:420:15 | ref arg out | vector.cpp:422:8:422:10 | out | |
| vector.cpp:420:13:420:15 | ref arg out | vector.cpp:423:2:423:2 | out | |
| vector.cpp:420:17:420:19 | call to end | vector.cpp:421:4:421:5 | it | |
| vector.cpp:421:3:421:3 | call to operator* [post update] | vector.cpp:422:8:422:10 | out | |
| vector.cpp:421:3:421:3 | call to operator* [post update] | vector.cpp:423:2:423:2 | out | |
| vector.cpp:421:3:421:36 | ... = ... | vector.cpp:421:3:421:3 | call to operator* [post update] | |
| vector.cpp:421:4:421:5 | it | vector.cpp:421:6:421:6 | call to operator++ | |
| vector.cpp:421:6:421:6 | call to operator++ | vector.cpp:421:3:421:3 | call to operator* | TAINT |
| vector.cpp:421:11:421:36 | call to basic_string | vector.cpp:421:3:421:3 | call to operator* [post update] | TAINT |
| vector.cpp:421:11:421:36 | call to basic_string | vector.cpp:421:3:421:36 | ... = ... | |
| vector.cpp:421:23:421:35 | source_string | vector.cpp:421:11:421:36 | call to basic_string | TAINT |
| vector.cpp:422:8:422:10 | ref arg out | vector.cpp:423:2:423:2 | out | |
| vector.cpp:426:28:426:30 | call to vector | vector.cpp:427:32:427:34 | out | |
| vector.cpp:426:28:426:30 | call to vector | vector.cpp:429:8:429:10 | out | |
| vector.cpp:426:28:426:30 | call to vector | vector.cpp:430:2:430:2 | out | |
| vector.cpp:427:13:427:30 | call to back_inserter | vector.cpp:428:4:428:5 | it | |
| vector.cpp:427:32:427:34 | ref arg out | vector.cpp:429:8:429:10 | out | |
| vector.cpp:427:32:427:34 | ref arg out | vector.cpp:430:2:430:2 | out | |
| vector.cpp:428:3:428:3 | ref arg call to operator* | vector.cpp:428:6:428:6 | ref arg call to operator++ | TAINT |
| vector.cpp:428:3:428:3 | ref arg call to operator* | vector.cpp:429:8:429:10 | out | |
| vector.cpp:428:3:428:3 | ref arg call to operator* | vector.cpp:430:2:430:2 | out | |
| vector.cpp:428:4:428:5 | it | vector.cpp:428:6:428:6 | call to operator++ | |
| vector.cpp:428:6:428:6 | call to operator++ | vector.cpp:428:3:428:3 | call to operator* | TAINT |
| vector.cpp:428:6:428:6 | ref arg call to operator++ | vector.cpp:428:4:428:5 | ref arg it | |
| vector.cpp:428:11:428:36 | call to basic_string | vector.cpp:428:3:428:3 | ref arg call to operator* | TAINT |
| vector.cpp:428:23:428:35 | source_string | vector.cpp:428:11:428:36 | call to basic_string | TAINT |
| vector.cpp:429:8:429:10 | ref arg out | vector.cpp:430:2:430:2 | out | |
| vector.cpp:433:20:433:22 | call to vector | vector.cpp:434:32:434:34 | out | |
| vector.cpp:433:20:433:22 | call to vector | vector.cpp:436:8:436:10 | out | |
| vector.cpp:433:20:433:22 | call to vector | vector.cpp:437:2:437:2 | out | |
| vector.cpp:434:13:434:30 | call to back_inserter | vector.cpp:435:4:435:5 | it | |
| vector.cpp:434:32:434:34 | ref arg out | vector.cpp:436:8:436:10 | out | |
| vector.cpp:434:32:434:34 | ref arg out | vector.cpp:437:2:437:2 | out | |
| vector.cpp:435:3:435:3 | ref arg call to operator* | vector.cpp:435:6:435:6 | ref arg call to operator++ | TAINT |
| vector.cpp:435:3:435:3 | ref arg call to operator* | vector.cpp:436:8:436:10 | out | |
| vector.cpp:435:3:435:3 | ref arg call to operator* | vector.cpp:437:2:437:2 | out | |
| vector.cpp:435:4:435:5 | it | vector.cpp:435:6:435:6 | call to operator++ | |
| vector.cpp:435:6:435:6 | call to operator++ | vector.cpp:435:3:435:3 | call to operator* | TAINT |
| vector.cpp:435:6:435:6 | ref arg call to operator++ | vector.cpp:435:4:435:5 | ref arg it | |
| vector.cpp:435:11:435:16 | call to source | vector.cpp:435:3:435:3 | ref arg call to operator* | TAINT |
| vector.cpp:436:8:436:10 | ref arg out | vector.cpp:437:2:437:2 | out | |
| vector.cpp:440:28:440:30 | call to vector | vector.cpp:441:32:441:34 | out | |
| vector.cpp:440:28:440:30 | call to vector | vector.cpp:443:8:443:10 | out | |
| vector.cpp:440:28:440:30 | call to vector | vector.cpp:444:2:444:2 | out | |
| vector.cpp:441:13:441:30 | call to back_inserter | vector.cpp:442:6:442:7 | it | |
| vector.cpp:441:32:441:34 | ref arg out | vector.cpp:443:8:443:10 | out | |
| vector.cpp:441:32:441:34 | ref arg out | vector.cpp:444:2:444:2 | out | |
| vector.cpp:442:3:442:3 | ref arg call to operator* | vector.cpp:442:4:442:4 | ref arg call to operator++ | TAINT |
| vector.cpp:442:3:442:3 | ref arg call to operator* | vector.cpp:443:8:443:10 | out | |
| vector.cpp:442:3:442:3 | ref arg call to operator* | vector.cpp:444:2:444:2 | out | |
| vector.cpp:442:4:442:4 | call to operator++ | vector.cpp:442:3:442:3 | call to operator* | TAINT |
| vector.cpp:442:4:442:4 | ref arg call to operator++ | vector.cpp:442:6:442:7 | ref arg it | |
| vector.cpp:442:6:442:7 | it | vector.cpp:442:4:442:4 | call to operator++ | |
| vector.cpp:442:11:442:36 | call to basic_string | vector.cpp:442:3:442:3 | ref arg call to operator* | TAINT |
| vector.cpp:442:23:442:35 | source_string | vector.cpp:442:11:442:36 | call to basic_string | TAINT |
| vector.cpp:443:8:443:10 | ref arg out | vector.cpp:444:2:444:2 | out | |
| vector.cpp:447:20:447:22 | call to vector | vector.cpp:448:32:448:34 | out | |
| vector.cpp:447:20:447:22 | call to vector | vector.cpp:450:8:450:10 | out | |
| vector.cpp:447:20:447:22 | call to vector | vector.cpp:451:2:451:2 | out | |
| vector.cpp:448:13:448:30 | call to back_inserter | vector.cpp:449:6:449:7 | it | |
| vector.cpp:448:32:448:34 | ref arg out | vector.cpp:450:8:450:10 | out | |
| vector.cpp:448:32:448:34 | ref arg out | vector.cpp:451:2:451:2 | out | |
| vector.cpp:449:3:449:3 | ref arg call to operator* | vector.cpp:449:4:449:4 | ref arg call to operator++ | TAINT |
| vector.cpp:449:3:449:3 | ref arg call to operator* | vector.cpp:450:8:450:10 | out | |
| vector.cpp:449:3:449:3 | ref arg call to operator* | vector.cpp:451:2:451:2 | out | |
| vector.cpp:449:4:449:4 | call to operator++ | vector.cpp:449:3:449:3 | call to operator* | TAINT |
| vector.cpp:449:4:449:4 | ref arg call to operator++ | vector.cpp:449:6:449:7 | ref arg it | |
| vector.cpp:449:6:449:7 | it | vector.cpp:449:4:449:4 | call to operator++ | |
| vector.cpp:449:11:449:16 | call to source | vector.cpp:449:3:449:3 | ref arg call to operator* | TAINT |
| vector.cpp:450:8:450:10 | ref arg out | vector.cpp:451:2:451:2 | out | |
| vector.cpp:467:22:467:25 | call to vector | vector.cpp:471:8:471:8 | v | |
| vector.cpp:467:22:467:25 | call to vector | vector.cpp:472:11:472:11 | v | |
| vector.cpp:467:22:467:25 | call to vector | vector.cpp:473:8:473:8 | v | |
| vector.cpp:467:22:467:25 | call to vector | vector.cpp:474:2:474:2 | v | |
| vector.cpp:468:11:468:16 | call to source | vector.cpp:472:18:472:18 | s | |
| vector.cpp:469:10:469:11 | 0 | vector.cpp:472:13:472:13 | i | |
| vector.cpp:471:8:471:8 | ref arg v | vector.cpp:472:11:472:11 | v | |
| vector.cpp:471:8:471:8 | ref arg v | vector.cpp:473:8:473:8 | v | |
| vector.cpp:471:8:471:8 | ref arg v | vector.cpp:474:2:474:2 | v | |
| vector.cpp:472:10:472:14 | & ... | vector.cpp:472:3:472:8 | call to memcpy | |
| vector.cpp:472:10:472:14 | ref arg & ... | vector.cpp:472:12:472:12 | call to operator[] [inner post update] | |
| vector.cpp:472:11:472:11 | ref arg v | vector.cpp:473:8:473:8 | v | |
| vector.cpp:472:11:472:11 | ref arg v | vector.cpp:474:2:474:2 | v | |
| vector.cpp:472:11:472:11 | v | vector.cpp:472:12:472:12 | call to operator[] | TAINT |
| vector.cpp:472:12:472:12 | call to operator[] | vector.cpp:472:10:472:14 | & ... | |
| vector.cpp:472:12:472:12 | call to operator[] [inner post update] | vector.cpp:472:11:472:11 | ref arg v | TAINT |
| vector.cpp:472:17:472:18 | & ... | vector.cpp:472:3:472:8 | call to memcpy | TAINT |
| vector.cpp:472:17:472:18 | & ... | vector.cpp:472:10:472:14 | ref arg & ... | TAINT |
| vector.cpp:472:18:472:18 | s | vector.cpp:472:10:472:14 | ref arg & ... | |
| vector.cpp:472:18:472:18 | s | vector.cpp:472:17:472:18 | & ... | |
| vector.cpp:473:8:473:8 | ref arg v | vector.cpp:474:2:474:2 | v | |
| vector.cpp:477:24:477:27 | call to vector | vector.cpp:483:8:483:9 | cs | |
| vector.cpp:477:24:477:27 | call to vector | vector.cpp:484:11:484:12 | cs | |
| vector.cpp:477:24:477:27 | call to vector | vector.cpp:486:8:486:9 | cs | |
| vector.cpp:477:24:477:27 | call to vector | vector.cpp:487:2:487:2 | cs | |
| vector.cpp:478:21:478:37 | call to source | vector.cpp:480:22:480:24 | src | |
| vector.cpp:478:21:478:37 | call to source | vector.cpp:482:8:482:10 | src | |
| vector.cpp:478:21:478:37 | call to source | vector.cpp:484:25:484:27 | src | |
| vector.cpp:478:21:478:37 | call to source | vector.cpp:485:8:485:10 | src | |
| vector.cpp:479:23:479:24 | 10 | vector.cpp:484:14:484:17 | offs | |
| vector.cpp:480:26:480:31 | call to length | vector.cpp:484:38:484:40 | len | |
| vector.cpp:482:8:482:10 | ref arg src | vector.cpp:484:25:484:27 | src | |
| vector.cpp:482:8:482:10 | ref arg src | vector.cpp:485:8:485:10 | src | |
| vector.cpp:483:8:483:9 | ref arg cs | vector.cpp:484:11:484:12 | cs | |
| vector.cpp:483:8:483:9 | ref arg cs | vector.cpp:486:8:486:9 | cs | |
| vector.cpp:483:8:483:9 | ref arg cs | vector.cpp:487:2:487:2 | cs | |
| vector.cpp:484:10:484:22 | & ... | vector.cpp:484:3:484:8 | call to memcpy | |
| vector.cpp:484:10:484:22 | ref arg & ... | vector.cpp:484:13:484:13 | call to operator[] [inner post update] | |
| vector.cpp:484:11:484:12 | cs | vector.cpp:484:13:484:13 | call to operator[] | TAINT |
| vector.cpp:484:11:484:12 | ref arg cs | vector.cpp:486:8:486:9 | cs | |
| vector.cpp:484:11:484:12 | ref arg cs | vector.cpp:487:2:487:2 | cs | |
| vector.cpp:484:13:484:13 | call to operator[] | vector.cpp:484:10:484:22 | & ... | |
| vector.cpp:484:13:484:13 | call to operator[] [inner post update] | vector.cpp:484:11:484:12 | ref arg cs | TAINT |
| vector.cpp:484:14:484:17 | offs | vector.cpp:484:14:484:21 | ... + ... | TAINT |
| vector.cpp:484:21:484:21 | 1 | vector.cpp:484:14:484:21 | ... + ... | TAINT |
| vector.cpp:484:25:484:27 | src | vector.cpp:484:29:484:33 | call to c_str | TAINT |
| vector.cpp:484:29:484:33 | call to c_str | vector.cpp:484:3:484:8 | call to memcpy | TAINT |
| vector.cpp:484:29:484:33 | call to c_str | vector.cpp:484:10:484:22 | ref arg & ... | TAINT |
| vector.cpp:486:8:486:9 | ref arg cs | vector.cpp:487:2:487:2 | cs | |

37
cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
View File

@@ -53,3 +53,40 @@ void test_non_iterator(non_iterator source1) {
sink(*(source1++));
sink(*(++source1));
}
int source();
class insert_iterator_by_trait {
public:
insert_iterator_by_trait &operator++();
insert_iterator_by_trait operator++(int);
insert_iterator_by_trait &operator--();
insert_iterator_by_trait operator--(int);
insert_iterator_by_trait operator*();
insert_iterator_by_trait operator=(int x);
};
template<>
struct std::iterator_traits<insert_iterator_by_trait> {
typedef output_iterator_tag iterator_category;
};
class container {
public:
container();
insert_iterator_by_trait begin();
};
void sink(container);
void test_insert_iterator() {
container c1, c2;
insert_iterator_by_trait i1 = c1.begin();
*i1-- = source();
sink(c1);
insert_iterator_by_trait i2 = c2.begin();
*i2-- = 0;
sink(c2);
}

51
cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
View File

@@ -68,6 +68,57 @@ namespace std {
struct forward_iterator_tag : public input_iterator_tag {};
struct bidirectional_iterator_tag : public forward_iterator_tag {};
struct random_access_iterator_tag : public bidirectional_iterator_tag {};
struct output_iterator_tag {};
template<class Container>
class back_insert_iterator {
protected:
Container* container = nullptr;
public:
using iterator_category = output_iterator_tag;
using value_type = void;
using difference_type = ptrdiff_t;
using pointer = void;
using reference = void;
using container_type = Container;
constexpr back_insert_iterator() noexcept = default;
constexpr explicit back_insert_iterator(Container& x);
back_insert_iterator& operator=(const typename Container::value_type& value);
back_insert_iterator& operator=(typename Container::value_type&& value);
back_insert_iterator& operator*();
back_insert_iterator& operator++();
back_insert_iterator operator++(int);
};
template<class Container>
constexpr back_insert_iterator<Container> back_inserter(Container& x) {
return back_insert_iterator<Container>(x);
}
template<class Container>
class front_insert_iterator {
protected:
Container* container = nullptr;
public:
using iterator_category = output_iterator_tag;
using value_type = void;
using difference_type = ptrdiff_t;
using pointer = void;
using reference = void;
using container_type = Container;
constexpr front_insert_iterator() noexcept = default;
constexpr explicit front_insert_iterator(Container& x);
constexpr front_insert_iterator& operator=(const typename Container::value_type& value);
constexpr front_insert_iterator& operator=(typename Container::value_type&& value);
constexpr front_insert_iterator& operator*();
constexpr front_insert_iterator& operator++();
constexpr front_insert_iterator operator++(int);
};
template<class Container>
constexpr front_insert_iterator<Container> front_inserter(Container& x) {
return front_insert_iterator<Container>(x);
}
}
// --- string ---

2
cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
View File

@@ -192,7 +192,7 @@ void *memcpy(void *dest, void *src, int len);
void test_memcpy(int *source) {
int x;
memcpy(&x, source, sizeof(int));
sink(x);
sink(x); // tainted
}
// --- std::swap ---

13
cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
View File

@@ -260,6 +260,7 @@
| standalone_iterators.cpp:46:10:46:10 | call to operator* | standalone_iterators.cpp:45:39:45:45 | source1 |
| standalone_iterators.cpp:47:10:47:10 | call to operator* | standalone_iterators.cpp:45:39:45:45 | source1 |
| standalone_iterators.cpp:48:10:48:10 | call to operator* | standalone_iterators.cpp:45:39:45:45 | source1 |
| standalone_iterators.cpp:87:10:87:11 | c1 | standalone_iterators.cpp:86:13:86:18 | call to source |
| string.cpp:29:7:29:7 | a | string.cpp:25:12:25:17 | call to source |
| string.cpp:31:7:31:7 | c | string.cpp:27:16:27:21 | call to source |
| string.cpp:33:9:33:13 | call to c_str | string.cpp:27:16:27:21 | call to source |
@@ -655,3 +656,15 @@
| vector.cpp:392:7:392:8 | v9 | vector.cpp:330:10:330:15 | call to source |
| vector.cpp:392:7:392:8 | v9 | vector.cpp:389:8:389:13 | call to source |
| vector.cpp:400:7:400:9 | v11 | vector.cpp:399:38:399:43 | call to source |
| vector.cpp:405:7:405:9 | v12 | vector.cpp:404:9:404:14 | call to source |
| vector.cpp:409:7:409:9 | v13 | vector.cpp:408:11:408:16 | call to source |
| vector.cpp:414:7:414:9 | v14 | vector.cpp:413:11:413:16 | call to source |
| vector.cpp:422:8:422:10 | out | vector.cpp:417:33:417:45 | source_string |
| vector.cpp:429:8:429:10 | out | vector.cpp:417:33:417:45 | source_string |
| vector.cpp:436:8:436:10 | out | vector.cpp:435:11:435:16 | call to source |
| vector.cpp:443:8:443:10 | out | vector.cpp:417:33:417:45 | source_string |
| vector.cpp:450:8:450:10 | out | vector.cpp:449:11:449:16 | call to source |
| vector.cpp:473:8:473:8 | v | vector.cpp:468:11:468:16 | call to source |
| vector.cpp:482:8:482:10 | src | vector.cpp:478:21:478:37 | call to source |
| vector.cpp:485:8:485:10 | src | vector.cpp:478:21:478:37 | call to source |
| vector.cpp:486:8:486:9 | cs | vector.cpp:478:21:478:37 | call to source |

11
cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
View File

@@ -75,6 +75,7 @@
| standalone_iterators.cpp:42:10:42:10 | standalone_iterators.cpp:39:45:39:51 | AST only |
| standalone_iterators.cpp:47:10:47:10 | standalone_iterators.cpp:45:39:45:45 | AST only |
| standalone_iterators.cpp:48:10:48:10 | standalone_iterators.cpp:45:39:45:45 | AST only |
| standalone_iterators.cpp:87:10:87:11 | standalone_iterators.cpp:86:13:86:18 | AST only |
| string.cpp:33:9:33:13 | string.cpp:27:16:27:21 | AST only |
| string.cpp:39:13:39:17 | string.cpp:14:10:14:15 | AST only |
| string.cpp:43:13:43:17 | string.cpp:14:10:14:15 | AST only |
@@ -255,3 +256,13 @@
| vector.cpp:392:7:392:8 | vector.cpp:330:10:330:15 | AST only |
| vector.cpp:392:7:392:8 | vector.cpp:389:8:389:13 | AST only |
| vector.cpp:400:7:400:9 | vector.cpp:399:38:399:43 | AST only |
| vector.cpp:405:7:405:9 | vector.cpp:404:9:404:14 | AST only |
| vector.cpp:409:7:409:9 | vector.cpp:408:11:408:16 | AST only |
| vector.cpp:414:7:414:9 | vector.cpp:413:11:413:16 | AST only |
| vector.cpp:422:8:422:10 | vector.cpp:417:33:417:45 | AST only |
| vector.cpp:429:8:429:10 | vector.cpp:417:33:417:45 | AST only |
| vector.cpp:436:8:436:10 | vector.cpp:435:11:435:16 | AST only |
| vector.cpp:443:8:443:10 | vector.cpp:417:33:417:45 | AST only |
| vector.cpp:450:8:450:10 | vector.cpp:449:11:449:16 | AST only |
| vector.cpp:473:8:473:8 | vector.cpp:468:11:468:16 | AST only |
| vector.cpp:486:8:486:9 | vector.cpp:478:21:478:37 | AST only |

2
cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
View File

@@ -575,3 +575,5 @@
| vector.cpp:312:7:312:7 | Argument 0 indirection | vector.cpp:303:14:303:19 | call to source |
| vector.cpp:324:7:324:8 | Argument 0 indirection | vector.cpp:318:15:318:20 | call to source |
| vector.cpp:326:7:326:8 | Argument 0 indirection | vector.cpp:318:15:318:20 | call to source |
| vector.cpp:482:8:482:10 | Argument 0 indirection | vector.cpp:478:21:478:37 | call to source |
| vector.cpp:485:8:485:10 | Argument 0 indirection | vector.cpp:478:21:478:37 | call to source |

91
cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
View File

@@ -11,7 +11,7 @@ namespace ns_int
}
void sink(int);
void sink(std::vector<int> &);
template<typename T> void sink(std::vector<T> &);
void test_range_based_for_loop_vector(int source1) {
std::vector<int> v(100, source1);
@@ -335,7 +335,7 @@ void vector_iterator_assign_wrapper(std::vector<int>::iterator iter, int i) {
}
void test_vector_output_iterator(int b) {
std::vector<int> v1(10), v2(10), v3(10), v4(10), v5(10), v6(10), v7(10), v8(10), v9(10), v10(10), v11(10);
std::vector<int> v1(10), v2(10), v3(10), v4(10), v5(10), v6(10), v7(10), v8(10), v9(10), v10(10), v11(10), v12(10), v13(10), v14(10);
std::vector<int>::iterator i1 = v1.begin();
*i1 = source();
@@ -398,4 +398,91 @@ void test_vector_output_iterator(int b) {
std::vector<int>::iterator i11 = v11.begin();
vector_iterator_assign_wrapper(i11, source());
sink(v11); // tainted [NOT DETECTED by IR]
std::vector<int>::iterator i12 = v12.begin();
*i12++ = 0;
*i12 = source();
sink(v12); // tainted [NOT DETECTED by IR]
std::vector<int>::iterator i13 = v13.begin();
*i13++ = source();
sink(v13); // tainted [NOT DETECTED by IR]
std::vector<int>::iterator i14 = v14.begin();
i14++;
*i14++ = source();
sink(v14); // tainted [NOT DETECTED by IR]
}
void test_vector_inserter(char *source_string) {
{
std::vector<std::string> out;
auto it = out.end();
*it++ = std::string(source_string);
sink(out); // tainted [NOT DETECTED by IR]
}
{
std::vector<std::string> out;
auto it = std::back_inserter(out);
*it++ = std::string(source_string);
sink(out); // tainted [NOT DETECTED by IR]
}
{
std::vector<int> out;
auto it = std::back_inserter(out);
*it++ = source();
sink(out); // tainted [NOT DETECTED by IR]
}
{
std::vector<std::string> out;
auto it = std::back_inserter(out);
*++it = std::string(source_string);
sink(out); // tainted [NOT DETECTED by IR]
}
{
std::vector<int> out;
auto it = std::back_inserter(out);
*++it = source();
sink(out); // tainted [NOT DETECTED by IR]
}
}
void *memcpy(void *s1, const void *s2, size_t n);
namespace ns_string
{
std::string source();
}
void sink(std::vector<char> &);
void sink(std::string &);
void test_vector_memcpy()
{
{
std::vector<int> v(100);
int s = source();
int i = 0;
sink(v);
memcpy(&v[i], &s, sizeof(int));
sink(v); // tainted [NOT DETECTED by IR]
}
{
std::vector<char> cs(100);
std::string src = ns_string::source();
const size_t offs = 10;
const size_t len = src.length();
sink(src); // tainted
sink(cs);
memcpy(&cs[offs + 1], src.c_str(), len);
sink(src); // tainted
sink(cs); // tainted [NOT DETECTED by IR]
}
}

4
cpp/ql/test/query-tests/definitions/locationInfo.ql
View File

@@ -40,7 +40,9 @@ string issues(Link e) {
filepath1 = filepath2 and
not end1 < begin2 and
not begin1 > end2 and
e != e2
e != e2 and
not e.isFromTemplateInstantiation(_) and
not e2.isFromTemplateInstantiation(_)
) and
result = "overlaps another link"
}