hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 19:55:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into python-mutating-descriptor

Browse Source
This commit is contained in:
Mark Shannon
2019-01-29 14:46:33 +00:00
committed by GitHub
parent 3992346add d776d9f903
commit 7fe3c3d516
94 changed files with 2500 additions and 1009 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
change-notes/1.20/analysis-cpp.md
View File

@@ -10,11 +10,13 @@
|-----------------------------|-----------|--------------------------------------------------------------------|
| Use of string copy function in a condition (`cpp/string-copy-return-value-as-boolean`) | correctness | This query identifies calls to string copy functions used in conditions, where it's likely that a different function was intended to be called. |
| Lossy function result cast (`cpp/lossy-function-result-cast`) | correctness | Finds function calls whose result type is a floating point type, which are implicitly cast to an integral type. Newly available but not displayed by default on LGTM. |
| Array argument size mismatch (`cpp/array-arg-size-mismatch`) | reliability | Finds function calls where the size of an array being passed is smaller than the array size of the declared parameter. Newly displayed on LGTM. |
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|----------------------------|------------------------|------------------------------------------------------------------|
| Array argument size mismatch (`cpp/array-arg-size-mismatch`) | Fewer false positives | An exception has been added to this query for variable sized arrays. |
| Suspicious add with sizeof (`cpp/suspicious-add-sizeof`) | Fewer false positives | Pointer arithmetic on `char * const` expressions (and other variations of `char *`) are now correctly excluded from the results. |
| Suspicious pointer scaling (`cpp/suspicious-pointer-scaling`) | Fewer false positives | False positives involving types that are not uniquely named in the snapshot have been fixed. |
| Call to memory access function may overflow buffer (`cpp/overflow-buffer`) | More correct results | Calls to `fread` are now examined by this query. |

1
change-notes/1.20/analysis-javascript.md
View File

@@ -37,6 +37,7 @@
| Useless assignment to property. | Fewer false-positive results | This rule now treats assignments with complex right-hand sides correctly. |
| Unsafe dynamic method access | Fewer false-positive results | This rule no longer flags concatenated strings as unsafe method names. |
| Unvalidated dynamic method call | More true-positive results | This rule now flags concatenated strings as unvalidated method names in more cases. |
| Useless conditional | More true-positive results | This rule now flags additional uses of function call values. |
## Changes to QL libraries

2
change-notes/1.20/analysis-python.md
View File

@@ -14,12 +14,14 @@ Removes false positives seen when using Python 3.6, but not when using earlier v
| **Query** | **Tags** | **Purpose** |
|-----------------------------|-----------|--------------------------------------------------------------------|
| Default version of SSL/TLS may be insecure (`py/insecure-default-protocol`) | security, external/cwe/cwe-327 | Finds instances where an insecure default protocol may be used. Results are shown on LGTM by default. |
| Overly permissive file permissions (`py/overly-permissive-file`) | security, external/cwe/cwe-732 | Finds instances where a file is created with overly permissive permissions. Results are not shown on LGTM by default. |
| Use of insecure SSL/TLS version (`py/insecure-protocol`) | security, external/cwe/cwe-327 | Finds instances where a known insecure protocol has been specified. Results are shown on LGTM by default. |
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|----------------------------|------------------------|------------------------------------------------------------------|
| Comparison using is when operands support \_\_eq\_\_ (`py/comparison-using-is`) | Fewer false positive results | Results where one of the objects being compared is an enum member are no longer reported. |
| Mutation of descriptor in \_\_get\_\_ or \_\_set\_\_ method (`py/mutable-descriptor`) | Fewer false positive results | Results where the mutation does not occur when calling one of the `__get__`, `__set__` or `__delete__` methods are no longer reported. |
| Unused import (`py/unused-import`) | Fewer false positive results | Results where the imported module is used in a `doctest` string are no longer reported. |
| Unused import (`py/unused-import`) | Fewer false positive results | Results where the imported module is used in a type-hint comment are no longer reported. |

3
cpp/config/suites/c/correctness
View File

@@ -7,7 +7,7 @@
+ semmlecode-cpp-queries/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql: /Correctness/Dangerous Conversions
+ semmlecode-cpp-queries/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql: /Correctness/Dangerous Conversions
+ semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /Correctness/Dangerous Conversions
# Consistent Use
# Consistent Use
+ semmlecode-cpp-queries/Critical/ReturnValueIgnored.ql: /Correctness/Consistent Use
+ semmlecode-cpp-queries/Likely Bugs/InconsistentCheckReturnNull.ql: /Correctness/Consistent Use
+ semmlecode-cpp-queries/Likely Bugs/InconsistentCallOnResult.ql: /Correctness/Consistent Use
@@ -15,6 +15,7 @@
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/ExprHasNoEffect.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/FutileParams.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Arithmetic/FloatComparison.ql: /Correctness/Common Errors

3
cpp/config/suites/cpp/correctness
View File

@@ -8,7 +8,7 @@
+ semmlecode-cpp-queries/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql: /Correctness/Dangerous Conversions
+ semmlecode-cpp-queries/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql: /Correctness/Dangerous Conversions
+ semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /Correctness/Dangerous Conversions
# Consistent Use
# Consistent Use
+ semmlecode-cpp-queries/Critical/ReturnValueIgnored.ql: /Correctness/Consistent Use
+ semmlecode-cpp-queries/Likely Bugs/InconsistentCheckReturnNull.ql: /Correctness/Consistent Use
+ semmlecode-cpp-queries/Likely Bugs/InconsistentCallOnResult.ql: /Correctness/Consistent Use
@@ -16,6 +16,7 @@
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/ExprHasNoEffect.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/FutileParams.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql: /Correctness/Common Errors
+ semmlecode-cpp-queries/Likely Bugs/Arithmetic/FloatComparison.ql: /Correctness/Common Errors

3
cpp/ql/src/Likely Bugs/Conversion/ArrayArgSizeMismatch.ql
View File

@@ -5,9 +5,11 @@
* @kind problem
* @id cpp/array-arg-size-mismatch
* @problem.severity warning
* @precision high
* @tags reliability
*/
import cpp
import semmle.code.cpp.commons.Buffer
from Function f, FunctionCall c, int i, ArrayType argType, ArrayType paramType, int a, int b
where f = c.getTarget() and
@@ -17,6 +19,7 @@ where f = c.getTarget() and
b = paramType.getArraySize() and
argType.getBaseType().getSize() = paramType.getBaseType().getSize() and
a < b and
not memberMayBeVarSize(_, c.getArgument(i).(VariableAccess).getTarget()) and
// filter out results for inconsistent declarations
strictcount(f.getParameter(i).getType().getSize()) = 1
select c.getArgument(i), "Array of size " + a +

11
cpp/ql/src/Likely Bugs/Likely Typos/FutileParams.c Normal file
View File

@@ -0,0 +1,11 @@
void no_argument();
void one_argument(int x);
void calls() {
no_argument(1) // BAD: `no_argument` will accept and ignore the argument
one_argument(1); // GOOD: `one_argument` will accept and use the argument
no_argument(); // GOOD: `no_argument` has not been passed an argument
}

29
cpp/ql/src/Likely Bugs/Likely Typos/FutileParams.qhelp Normal file
View File

@@ -0,0 +1,29 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>A function is called with arguments despite having an empty parameter list. This may indicate
that the incorrect function is being called, or that the author misunderstood the function.</p>
<p>In C, a function declared with an empty parameter list `()` is considered to have an unknown
parameter list, and therefore can be called with any set of arguments. To declare a function
which takes no arguments, you must use `(void)` as the parameter list in any forward declarations.
In C++, either style of declaration indicates that the function accepts no arguments.</p>
</overview>
<recommendation>
<p>Call the function without arguments, or call a different function that expects the arguments
being passed.</p>
</recommendation>
<example><sample src="FutileParams.c" />
</example>
<references>
<li>SEI CERT C++ Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL20-C.+Explicitly+specify+void+when+a+function+accepts+no+arguments"> DCL20-C. Explicitly specify void when a function accepts no arguments </a></li>
</references>
</qhelp>

22
cpp/ql/src/Likely Bugs/Likely Typos/FutileParams.ql Normal file
View File

@@ -0,0 +1,22 @@
/**
* @name Non-empty call to function declared without parameters
* @description A call to a function declared without parameters has arguments, which may indicate
* that the code does not follow the author's intent.
* @kind problem
* @problem.severity warning
* @precision very-high
* @id cpp/futile-params
* @tags correctness
* maintainability
*/
import cpp
from Function f, FunctionCall fc
where fc.getTarget() = f
and f.getNumberOfParameters() = 0
and not f.isVarargs()
and fc.getNumberOfArguments() != 0
and not f instanceof BuiltInFunction
and exists(FunctionDeclarationEntry fde | fde = f.getADeclarationEntry() | not fde.isImplicit())
select fc, "This call has arguments, but $@ is not declared with any parameters.", f, f.toString()

1
cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.expected Normal file
View File

@@ -0,0 +1 @@
| test.cpp:24:4:24:7 | arr3 | Array of size 3 passed to $@ which expects an array of size 4. | test.cpp:8:6:8:6 | g | g |

1
cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.qlref Normal file
View File

@@ -0,0 +1 @@
Likely Bugs/Conversion/ArrayArgSizeMismatch.ql

49
cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/test.cpp Normal file
View File

@@ -0,0 +1,49 @@
typedef unsigned long size_t;
void *malloc(size_t size);
#define NUM (4)
void f(int *vs);
void g(int vs[4]);
void h(float fs[NUM]);
struct myStruct
{
unsigned int num;
float data[0];
};
void test(float f3[3], float f4[4], float f5[5], float *fp)
{
int arr3[3], arr4[4], arr5[5];
f(arr3); // GOOD
f(arr4); // GOOD
f(arr5); // GOOD
g(arr3); // BAD
g(arr4); // GOOD
g(arr5); // GOOD
h(f3); // BAD [NOT DETECTED]
h(f4); // GOOD
h(f5); // GOOD
h(fp); // GOOD
{
// variable size struct
myStruct *ms;
ms = (myStruct *)malloc(sizeof(myStruct) + (4 * sizeof(float)));
ms->num = 4;
ms->data[0] = ms->data[1] = ms->data[2] = ms->data[3] = 0;
h(ms->data); // GOOD
}
{
// char array
char ca[4 * sizeof(int)];
g((int *)ca); // GOOD
}
};

3
cpp/ql/test/query-tests/Likely Bugs/Likely Typos/FutileParams/FutileParams.expected Normal file
View File

@@ -0,0 +1,3 @@
| test.c:8:3:8:16 | call to declared_empty | This call has arguments, but $@ is not declared with any parameters. | test.c:1:6:1:19 | declared_empty | declared_empty |
| test.c:14:3:14:19 | call to not_yet_declared1 | This call has arguments, but $@ is not declared with any parameters. | test.c:14:3:14:3 | not_yet_declared1 | not_yet_declared1 |
| test.c:14:3:14:19 | call to not_yet_declared1 | This call has arguments, but $@ is not declared with any parameters. | test.c:25:6:25:22 | not_yet_declared1 | not_yet_declared1 |

1
cpp/ql/test/query-tests/Likely Bugs/Likely Typos/FutileParams/FutileParams.qlref Normal file
View File

@@ -0,0 +1 @@
Likely Bugs/Likely Typos/FutileParams.ql

29
cpp/ql/test/query-tests/Likely Bugs/Likely Typos/FutileParams/test.c Normal file
View File

@@ -0,0 +1,29 @@
void declared_empty();
void declared_void(void);
void declared_with(int);
void declared_empty_defined_with();
void test() {
declared_empty(); // GOOD
declared_empty(1); // BAD
declared_void(); // GOOD
declared_with(1); // GOOD
undeclared(1); // GOOD
not_yet_declared1(1); // BAD
not_yet_declared2(1); // GOOD
declared_empty_defined_with(); // BAD [NOT DETECTED]
declared_empty_defined_with(1); // GOOD
int x;
declared_empty_defined_with(&x); // BAD [NOT DETECTED]
declared_empty_defined_with(x, x); // BAD [NOT DETECTED]
}
void not_yet_declared1();
void not_yet_declared2(int);
void declared_empty_defined_with(int x) {
// do nothing
}

8
cpp/ql/test/query-tests/Likely Bugs/Likely Typos/FutileParams/test.cpp Normal file
View File

@@ -0,0 +1,8 @@
void cpp_varargs(...);
void bar();
void test() {
cpp_varargs(); // GOOD
cpp_varargs(1); // GOOD
__builtin_constant_p("something"); // GOOD: builtin
}

9
csharp/autobuilder/Semmle.Autobuild.Tests/BuildScripts.cs
View File

@@ -855,6 +855,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess[@"curl -sO https://dot.net/v1/dotnet-install.sh"] = 0;
Actions.RunProcess[@"chmod u+x dotnet-install.sh"] = 0;
Actions.RunProcess[@"./dotnet-install.sh --channel release --version 2.1.3 --install-dir C:\Project/.dotnet"] = 0;
Actions.RunProcess[@"rm dotnet-install.sh"] = 0;
Actions.RunProcess[@"C:\Project/.dotnet/dotnet --info"] = 0;
Actions.RunProcess[@"C:\Project/.dotnet/dotnet clean test.csproj"] = 0;
Actions.RunProcess[@"C:\Project/.dotnet/dotnet restore test.csproj"] = 0;
@@ -879,7 +880,7 @@ namespace Semmle.Extraction.Tests
Actions.LoadXml["test.csproj"] = xml;
var autobuilder = CreateAutoBuilder("csharp", false, dotnetVersion: "2.1.3");
TestAutobuilderScript(autobuilder, 0, 10);
TestAutobuilderScript(autobuilder, 0, 11);
}
[Fact]
@@ -890,6 +891,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess[@"curl -sO https://dot.net/v1/dotnet-install.sh"] = 0;
Actions.RunProcess[@"chmod u+x dotnet-install.sh"] = 0;
Actions.RunProcess[@"./dotnet-install.sh --channel release --version 2.1.3 --install-dir C:\Project/.dotnet"] = 0;
Actions.RunProcess[@"rm dotnet-install.sh"] = 0;
Actions.RunProcess[@"C:\Project/.dotnet/dotnet --info"] = 0;
Actions.RunProcess[@"C:\Project/.dotnet/dotnet clean test.csproj"] = 0;
Actions.RunProcess[@"C:\Project/.dotnet/dotnet restore test.csproj"] = 0;
@@ -914,7 +916,7 @@ namespace Semmle.Extraction.Tests
Actions.LoadXml["test.csproj"] = xml;
var autobuilder = CreateAutoBuilder("csharp", false, dotnetVersion: "2.1.3");
TestAutobuilderScript(autobuilder, 0, 10);
TestAutobuilderScript(autobuilder, 0, 11);
}
[Fact]
@@ -923,6 +925,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess["cmd.exe /C dotnet --list-sdks"] = 0;
Actions.RunProcessOut["cmd.exe /C dotnet --list-sdks"] = "2.1.3 [C:\\Program Files\\dotnet\\sdks]\n2.1.4 [C:\\Program Files\\dotnet\\sdks]";
Actions.RunProcess[@"cmd.exe /C powershell -NoProfile -ExecutionPolicy unrestricted -file C:\Project\install-dotnet.ps1 -Version 2.1.3 -InstallDir C:\Project\.dotnet"] = 0;
Actions.RunProcess[@"cmd.exe /C del C:\Project\install-dotnet.ps1"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet --info"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet clean test.csproj"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore test.csproj"] = 0;
@@ -947,7 +950,7 @@ namespace Semmle.Extraction.Tests
Actions.LoadXml["test.csproj"] = xml;
var autobuilder = CreateAutoBuilder("csharp", true, dotnetVersion: "2.1.3");
TestAutobuilderScript(autobuilder, 0, 8);
TestAutobuilderScript(autobuilder, 0, 9);
}
[Fact]

13
csharp/autobuilder/Semmle.Autobuild/DotNetRule.cs
View File

@@ -185,7 +185,12 @@ Invoke-Command -ScriptBlock $ScriptBlock";
Argument(version).
Argument("-InstallDir").
Argument(path);
return install.Script;
var removeScript = new CommandBuilder(builder.Actions).
RunCommand("del").
Argument(psScriptFile);
return install.Script & BuildScript.Try(removeScript.Script);
}
else
{
@@ -208,7 +213,11 @@ Invoke-Command -ScriptBlock $ScriptBlock";
Argument("--install-dir").
Argument(path);
return curl.Script & chmod.Script & install.Script;
var removeScript = new CommandBuilder(builder.Actions).
RunCommand("rm").
Argument("dotnet-install.sh");
return curl.Script & chmod.Script & install.Script & BuildScript.Try(removeScript.Script);
}
});
}

14
csharp/ql/src/semmle/code/csharp/Assignable.qll
View File

@@ -39,6 +39,12 @@ class AssignableMemberAccess extends MemberAccess, AssignableAccess {
override AssignableMember getTarget() { result = AssignableAccess.super.getTarget() }
}
private predicate nameOfChild(NameOfExpr noe, Expr child) {
child = noe
or
exists(Expr mid | nameOfChild(noe, mid) | child = mid.getAChildExpr())
}
/**
* An access to an assignable that reads the underlying value. Either a
* variable read (`VariableRead`), a property read (`PropertyRead`), an
@@ -67,7 +73,7 @@ class AssignableRead extends AssignableAccess {
or
this = any(AssignableDefinitions::AddressOfDefinition def).getTargetAccess()
) and
not this = any(NameOfExpr noe).getAChildExpr*()
not nameOfChild(_, this)
}
/**
@@ -696,6 +702,9 @@ module AssignableDefinitions {
IsPatternDefinition() { this = TIsPatternDefinition(ipe) }
/** Gets the underlying `is` expression. */
IsPatternExpr getIsPatternExpr() { result = ipe }
/** Gets the underlying local variable declaration. */
LocalVariableDeclExpr getDeclaration() { result = ipe.getVariableDeclExpr() }
@@ -721,6 +730,9 @@ module AssignableDefinitions {
TypeCasePatternDefinition() { this = TTypeCasePatternDefinition(tc) }
/** Gets the underlying `case` statement. */
TypeCase getTypeCase() { result = tc }
/** Gets the underlying local variable declaration. */
LocalVariableDeclExpr getDeclaration() { result = tc.getVariableDeclExpr() }

3
csharp/ql/src/semmle/code/csharp/Stmt.qll
View File

@@ -262,6 +262,9 @@ class CaseStmt extends Stmt, @case {
* ```
*/
Expr getCondition() { result = this.getChild(2) }
/** Gets the `switch` statement that this `case` statement belongs to. */
SwitchStmt getSwitchStmt() { result.getACase() = this }
}
/**

21
csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowGraph.qll
View File

@@ -867,6 +867,8 @@ module ControlFlow {
* pre-order.
*/
private module Successor {
private import semmle.code.csharp.ExprOrStmtParent
/**
* A control flow element where the children are evaluated following a
* standard left-to-right evaluation. The actual evaluation order is
@@ -2436,11 +2438,16 @@ module ControlFlow {
* Gets the control flow element that is first executed when entering
* callable `c`.
*/
ControlFlowElement succEntry(Callable c) {
if exists(c.(Constructor).getInitializer()) then
result = first(c.(Constructor).getInitializer())
else
result = first(c.getBody())
ControlFlowElement succEntry(@top_level_exprorstmt_parent p) {
p = any(Callable c |
if exists(c.(Constructor).getInitializer()) then
result = first(c.(Constructor).getInitializer())
else
result = first(c.getBody())
)
or
expr_parent_top_level_adjusted(any(Expr e | result = first(e)), _, p) and
not p instanceof Callable
}
/**
@@ -3807,8 +3814,8 @@ module ControlFlow {
* Holds if `succ` with splits `succSplits` is the first element that is executed
* when entering callable `pred`.
*/
pragma [noinline]
predicate succEntrySplits(Callable pred, ControlFlowElement succ, Splits succSplits, SuccessorType t) {
pragma[noinline]
predicate succEntrySplits(@top_level_exprorstmt_parent pred, ControlFlowElement succ, Splits succSplits, SuccessorType t) {
succ = succEntry(pred) and
t instanceof NormalSuccessor and
succSplits = TSplitsNil() // initially no splits

175
csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll
View File

@@ -417,7 +417,9 @@ class AccessOrCallExpr extends Expr {
* An expression can have more than one SSA qualifier in the presence
* of control flow splitting.
*/
Ssa::Definition getAnSsaQualifier() { result = getAnSsaQualifier(this) }
Ssa::Definition getAnSsaQualifier(ControlFlow::Node cfn) {
result = getAnSsaQualifier(this, cfn)
}
}
private Declaration getDeclarationTarget(Expr e) {
@@ -425,18 +427,20 @@ private Declaration getDeclarationTarget(Expr e) {
result = e.(Call).getTarget()
}
private Ssa::Definition getAnSsaQualifier(Expr e) {
e = getATrackedAccess(result)
private Ssa::Definition getAnSsaQualifier(Expr e, ControlFlow::Node cfn) {
e = getATrackedAccess(result, cfn)
or
not e = getATrackedAccess(_) and
result = getAnSsaQualifier(e.(QualifiableExpr).getQualifier())
not e = getATrackedAccess(_, _) and
result = getAnSsaQualifier(e.(QualifiableExpr).getQualifier(), cfn)
}
private AssignableAccess getATrackedAccess(Ssa::Definition def) {
private AssignableAccess getATrackedAccess(Ssa::Definition def, ControlFlow::Node cfn) {
(
result = def.getARead()
result = def.getAReadAtNode(cfn)
or
result = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess()
result = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess() and
result.getAControlFlowNode() = cfn and
cfn.getBasicBlock() = def.getBasicBlock()
) and
not def instanceof Ssa::ImplicitUntrackedDefinition
}
@@ -483,7 +487,7 @@ class GuardedExpr extends AccessOrCallExpr {
private AccessOrCallExpr sub0;
private AbstractValue v0;
GuardedExpr() { isGuardedBy(this, g, sub0, v0) }
GuardedExpr() { isGuardedByExpr(this, g, sub0, v0) }
/**
* Gets an expression that guards this expression. That is, this expression is
@@ -525,6 +529,115 @@ class GuardedExpr extends AccessOrCallExpr {
}
}
/**
* A guarded control flow node. A guarded control flow node is like a guarded
* expression (`GuardedExpr`), except control flow graph splitting is taken
* into account. That is, one control flow node belonging to an expression may
* be guarded, while another split need not be guarded:
*
* ```
* if (b)
* if (x == null)
* return;
* x.ToString();
* if (b)
* ...
* ```
*
* In the example above, the node for `x.ToString()` is null-guarded in the
* split `b == true`, but not in the split `b == false`.
*/
class GuardedControlFlowNode extends ControlFlow::Nodes::ElementNode {
private Guard g;
private AccessOrCallExpr sub0;
private AbstractValue v0;
GuardedControlFlowNode() { isGuardedByNode(this, g, sub0, v0) }
/**
* Gets an expression that guards this control flow node. That is, this control
* flow node is only reached when the returned expression has abstract value `v`.
*
* The expression `sub` is a sub expression of the guarding expression that is
* structurally equal to the expression belonging to this control flow node.
*
* In case this control flow node or `sub` accesses an SSA variable in its
* left-most qualifier, then so must the other (accessing the same SSA
* variable).
*/
Expr getAGuard(Expr sub, AbstractValue v) {
result = g and
sub = sub0 and
v = v0
}
/**
* Holds if this control flow node must have abstract value `v`. That is, this
* control flow node is guarded by a structurally equal expression having
* abstract value `v`.
*/
predicate mustHaveValue(AbstractValue v) {
exists(Expr e | e = this.getAGuard(e, v))
}
}
/**
* A guarded data flow node. A guarded data flow node is like a guarded expression
* (`GuardedExpr`), except control flow graph splitting is taken into account. That
* is, one data flow node belonging to an expression may be guarded, while another
* split need not be guarded:
*
* ```
* if (b)
* if (x == null)
* return;
* x.ToString();
* if (b)
* ...
* ```
*
* In the example above, the node for `x.ToString()` is null-guarded in the
* split `b == true`, but not in the split `b == false`.
*/
class GuardedDataFlowNode extends DataFlow::ExprNode {
private Guard g;
private AccessOrCallExpr sub0;
private AbstractValue v0;
GuardedDataFlowNode() {
exists(ControlFlow::Nodes::ElementNode cfn |
exists(this.getExprAtNode(cfn)) |
isGuardedByNode(cfn, g, sub0, v0)
)
}
/**
* Gets an expression that guards this data flow node. That is, this data flow
* node is only reached when the returned expression has abstract value `v`.
*
* The expression `sub` is a sub expression of the guarding expression that is
* structurally equal to the expression belonging to this data flow node.
*
* In case this data flow node or `sub` accesses an SSA variable in its
* left-most qualifier, then so must the other (accessing the same SSA
* variable).
*/
Expr getAGuard(Expr sub, AbstractValue v) {
result = g and
sub = sub0 and
v = v0
}
/**
* Holds if this data flow node must have abstract value `v`. That is, this
* data flow node is guarded by a structurally equal expression having
* abstract value `v`.
*/
predicate mustHaveValue(AbstractValue v) {
exists(Expr e | e = this.getAGuard(e, v))
}
}
/** An expression guarded by a `null` check. */
class NullGuardedExpr extends GuardedExpr {
NullGuardedExpr() {
@@ -532,6 +645,13 @@ class NullGuardedExpr extends GuardedExpr {
}
}
/** A data flow node guarded by a `null` check. */
class NullGuardedDataFlowNode extends GuardedDataFlowNode {
NullGuardedDataFlowNode() {
this.mustHaveValue(any(NullValue v | not v.isNull()))
}
}
/** INTERNAL: Do not use. */
module Internal {
private import ControlFlow::Internal
@@ -653,7 +773,7 @@ module Internal {
* Holds if control flow node `cfn` only is reached when this guard evaluates to `v`,
* because of an assertion.
*/
private predicate assertionControlsNode(ControlFlow::Node cfn, AbstractValue v) {
predicate assertionControlsNode(ControlFlow::Node cfn, AbstractValue v) {
exists(Assertion a, Guard g, AbstractValue v0 |
asserts(a, g, v0) and
impliesSteps(g, v0, this, v)
@@ -1097,17 +1217,17 @@ module Internal {
private cached module Cached {
pragma[noinline]
private predicate isGuardedBy0(ControlFlow::Node cfn, AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
private predicate isGuardedByNode0(ControlFlow::Node cfn, AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
cfn = guarded.getAControlFlowNode() and
g.controls(cfn.getBasicBlock(), v) and
exists(ConditionOnExprComparisonConfig c | c.same(sub, guarded))
}
pragma[noinline]
private predicate isGuardedBy1(AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
private predicate isGuardedByExpr1(AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
forex(ControlFlow::Node cfn |
cfn = guarded.getAControlFlowNode() |
isGuardedBy0(cfn, guarded, g, sub, v)
isGuardedByNode0(cfn, guarded, g, sub, v)
)
or
g.assertionControlsElement(guarded, v) and
@@ -1115,12 +1235,33 @@ module Internal {
}
cached
predicate isGuardedBy(AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
isGuardedBy1(guarded, g, sub, v) and
predicate isGuardedByExpr(AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
isGuardedByExpr1(guarded, g, sub, v) and
sub = g.getAChildExpr*() and
forall(Ssa::Definition def |
def = sub.getAnSsaQualifier() |
def = guarded.getAnSsaQualifier()
def = sub.getAnSsaQualifier(_) |
def = guarded.getAnSsaQualifier(_)
)
}
pragma[noinline]
private predicate isGuardedByNode1(ControlFlow::Nodes::ElementNode guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
isGuardedByNode0(guarded, _, g, sub, v)
or
g.assertionControlsNode(guarded, v) and
exists(ConditionOnExprComparisonConfig c | c.same(sub, guarded.getElement()))
}
cached
predicate isGuardedByNode(ControlFlow::Nodes::ElementNode guarded, Guard g, AccessOrCallExpr sub, AbstractValue v) {
isGuardedByNode1(guarded, g, sub, v) and
sub = g.getAChildExpr*() and
forall(Ssa::Definition def |
def = sub.getAnSsaQualifier(_) |
exists(ControlFlow::Node cfn |
def = guarded.getElement().(AccessOrCallExpr).getAnSsaQualifier(cfn) |
cfn.getBasicBlock() = guarded.getBasicBlock()
)
)
}

376
csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll
View File

@@ -21,6 +21,12 @@ module DataFlow {
/** Gets the expression corresponding to this node, if any. */
DotNet::Expr asExpr() { result = this.(ExprNode).getExpr() }
/** Gets the expression corresponding to this node, at control flow node `cfn`, if any. */
Expr asExprAtNode(ControlFlow::Nodes::ElementNode cfn) {
this = TExprNode(cfn) and
result = cfn.getElement()
}
/** Gets the parameter corresponding to this node, if any. */
DotNet::Parameter asParameter() { result = this.(ParameterNode).getParameter() }
@@ -41,30 +47,47 @@ module DataFlow {
/**
* An expression, viewed as a node in a data flow graph.
*/
class ExprNode extends Node, TExprNode {
DotNet::Expr expr;
ExprNode() { this = TExprNode(expr) }
class ExprNode extends Node {
ExprNode() { this = TExprNode(_) or this = TCilExprNode(_) }
/** Gets the expression corresponding to this node. */
DotNet::Expr getExpr() { result = expr }
DotNet::Expr getExpr() {
result = this.getExprAtNode(_)
or
this = TCilExprNode(result)
}
override DotNet::Type getType() { result = expr.getType() }
/** Gets the expression corresponding to this node, at control flow node `cfn`. */
Expr getExprAtNode(ControlFlow::Nodes::ElementNode cfn) {
this = TExprNode(cfn) and
result = cfn.getElement()
}
override DotNet::Callable getEnclosingCallable() { result = expr.getEnclosingCallable() }
override DotNet::Type getType() { result = this.getExpr().getType() }
override DotNet::Callable getEnclosingCallable() { result = this.getExpr().getEnclosingCallable() }
override string toString() {
result = expr.(Expr).toString()
exists(ControlFlow::Nodes::ElementNode cfn |
this = TExprNode(cfn) |
result = cfn.toString()
)
or
expr instanceof CIL::Expr and
this = TCilExprNode(_) and
result = "CIL expression"
}
override Location getLocation() {
result = expr.(Expr).getLocation()
exists(ControlFlow::Nodes::ElementNode cfn |
this = TExprNode(cfn) |
result = cfn.getLocation()
)
or
result.getFile().isPdbSourceFile() and
result = expr.(CIL::Expr).getALocation()
exists(CIL::Expr e |
this = TCilExprNode(e) |
result = e.getALocation()
)
}
}
@@ -83,9 +106,7 @@ module DataFlow {
DotNet::Parameter getParameter() { none() }
}
/**
* Gets the node corresponding to expression `e`.
*/
/** Gets a node corresponding to expression `e`. */
ExprNode exprNode(DotNet::Expr e) { result.getExpr() = e }
/**
@@ -258,9 +279,7 @@ module DataFlow {
}
}
/**
* INTERNAL: Do not use.
*/
/** INTERNAL: Do not use. */
module Internal {
private import semmle.code.csharp.dataflow.DelegateDataFlow
private import semmle.code.csharp.dispatch.Dispatch
@@ -473,6 +492,9 @@ module DataFlow {
/** Gets the context corresponding to this argument node. */
bindingset [config]
abstract ArgumentContext getContext(Configuration config);
/** Holds if this argument node does not have an associated control flow node. */
abstract predicate hasNoControlFlowNode();
}
/** A data flow node that represents an explicit call argument. */
@@ -511,6 +533,11 @@ module DataFlow {
override ExplicitArgumentContext getContext(Configuration config) {
result.getCallContext() = this.getArgumentCallContext(config)
}
override predicate hasNoControlFlowNode() {
this.asExpr() instanceof CIL::Expr or
this instanceof ImplicitDelegateCallNode
}
}
/**
@@ -558,6 +585,8 @@ module DataFlow {
exists(config) // eliminate warning
}
override predicate hasNoControlFlowNode() { any() }
override Type getType() { result = v.getType() }
override Callable getEnclosingCallable() { result = c.getEnclosingCallable() }
@@ -699,9 +728,180 @@ module DataFlow {
}
/**
* Provides predicates related to local data flow.
* A helper class for defining expression-based data flow steps, while properly
* taking control flow into account.
*/
abstract class ExprStepConfiguration extends string {
bindingset[this]
ExprStepConfiguration() { any() }
/**
* Holds if data can flow from expression `exprFrom` to expression `exprTo`,
* but only by following control flow successors (resp. predecessors, as
* specified by `isSuccesor`) inside the scope `scope`. The Boolean `exactScope`
* indicates whether a transitive child of `scope` is allowed
* (`exactScope = false`).
*/
predicate stepsToExpr(Expr exprFrom, Expr exprTo, ControlFlowElement scope, boolean exactScope, boolean isSuccessor) { none() }
/**
* Holds if data can flow from expression `exprFrom` to definition `defTo`,
* but only by following control flow successors (resp. predecessors, as
* specified by `isSuccesor`) inside the scope `scope`. The Bolean `exactScope`
* indicates whether a transitive child of `scope` is allowed (`exactScope = false`).
*/
predicate stepsToDefinition(Expr exprFrom, AssignableDefinition defTo, ControlFlowElement scope, boolean exactScope, boolean isSuccessor) { none() }
private predicate reachesBasicBlockExprRec(Expr exprFrom, Expr exprTo, ControlFlowElement scope, boolean exactScope, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfnFrom, ControlFlow::BasicBlock bb) {
exists(ControlFlow::BasicBlock mid |
this.reachesBasicBlockExpr(exprFrom, exprTo, scope, exactScope, isSuccessor, cfnFrom, mid) |
isSuccessor = true and
bb = mid.getASuccessor()
or
isSuccessor = false and
bb = mid.getAPredecessor()
)
}
pragma[nomagic]
private predicate reachesBasicBlockExpr(Expr exprFrom, Expr exprTo, ControlFlowElement scope, boolean exactScope, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfnFrom, ControlFlow::BasicBlock bb) {
this.stepsToExpr(exprFrom, exprTo, scope, exactScope, isSuccessor) and
cfnFrom = exprFrom.getAControlFlowNode() and
bb = cfnFrom.getBasicBlock()
or
exists(ControlFlowElement scope0, boolean exactScope0 |
this.reachesBasicBlockExprRec(exprFrom, exprTo, scope0, exactScope0, isSuccessor, cfnFrom, bb) and
this.stepsToExpr(exprFrom, exprTo, scope, exactScope, isSuccessor)
|
exactScope0 = false and
bb.getANode().getElement() = scope0.getAChild*()
or
exactScope0 = true and
bb.getANode().getElement() = scope0
)
}
private predicate reachesBasicBlockDefinitionRec(Expr exprFrom, AssignableDefinition defTo, ControlFlowElement scope, boolean exactScope, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfnFrom, ControlFlow::BasicBlock bb) {
exists(ControlFlow::BasicBlock mid |
this.reachesBasicBlockDefinition(exprFrom, defTo, scope, exactScope, isSuccessor, cfnFrom, mid) |
isSuccessor = true and
bb = mid.getASuccessor()
or
isSuccessor = false and
bb = mid.getAPredecessor()
)
}
pragma[nomagic]
private predicate reachesBasicBlockDefinition(Expr exprFrom, AssignableDefinition defTo, ControlFlowElement scope, boolean exactScope, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfnFrom, ControlFlow::BasicBlock bb) {
this.stepsToDefinition(exprFrom, defTo, scope, exactScope, isSuccessor) and
cfnFrom = exprFrom.getAControlFlowNode() and
bb = cfnFrom.getBasicBlock()
or
exists(ControlFlowElement scope0, boolean exactScope0 |
this.reachesBasicBlockDefinitionRec(exprFrom, defTo, scope0, exactScope0, isSuccessor, cfnFrom, bb) and
this.stepsToDefinition(exprFrom, defTo, scope, exactScope, isSuccessor)
|
exactScope0 = false and
bb.getANode().getElement() = scope0.getAChild*()
or
exactScope0 = true and
bb.getANode().getElement() = scope0
)
}
private predicate hasExprStep(ExprNode nodeFrom, ExprNode nodeTo) {
exists(Expr exprFrom, Expr exprTo, ControlFlow::Nodes::ElementNode cfnFrom, ControlFlow::BasicBlock bb |
this.reachesBasicBlockExpr(exprFrom, exprTo, _, _, _, cfnFrom, bb) |
exprFrom = nodeFrom.asExprAtNode(cfnFrom) and
exprTo = nodeTo.asExprAtNode(bb.getANode())
)
}
private predicate hasSsaDefinitionStep(ExprNode nodeFrom, SsaDefinitionNode nodeTo) {
exists(Expr exprFrom, AssignableDefinition defTo, Ssa::ExplicitDefinition ssaDef, ControlFlow::Nodes::ElementNode cfnFrom, ControlFlow::BasicBlock bb |
this.reachesBasicBlockDefinition(exprFrom, defTo, _, _, _, cfnFrom, bb) |
exprFrom = nodeFrom.asExprAtNode(cfnFrom) and
ssaDef.getADefinition() = defTo and
ssaDef.getBasicBlock() = bb and
nodeTo.getDefinition() = ssaDef
)
}
/**
* Holds if `stepsTo(Expr|SsaDefintion)()` induce a data flow step from
* `nodeFrom` to `nodeTo`.
*/
predicate hasStep(ExprNode nodeFrom, Node nodeTo) {
this.hasExprStep(nodeFrom, nodeTo) or
this.hasSsaDefinitionStep(nodeFrom, nodeTo)
}
}
/** Provides predicates related to local data flow. */
module LocalFlow {
private class LocalExprStepConfiguration extends ExprStepConfiguration {
LocalExprStepConfiguration() { this = "LocalExprStepConfiguration" }
override predicate stepsToExpr(Expr exprFrom, Expr exprTo, ControlFlowElement scope, boolean exactScope, boolean isSuccessor) {
exactScope = false and
(
// Flow using library code
libraryFlow(exprFrom, exprTo, scope, isSuccessor, true)
or
exprFrom = exprTo.(ParenthesizedExpr).getExpr() and
scope = exprTo and
isSuccessor = true
or
exprTo = any(ConditionalExpr ce |
exprFrom = ce.getThen() or
exprFrom = ce.getElse()
) and
scope = exprTo and
isSuccessor = false
or
exprFrom = exprTo.(Cast).getExpr() and
scope = exprTo and
isSuccessor = true
or
exprFrom = exprTo.(AwaitExpr).getExpr() and
scope = exprTo and
isSuccessor = true
or
// An `=` expression, where the result of the expression is used
exprTo = any(AssignExpr ae |
ae.getParent() instanceof Expr and
exprFrom = ae.getRValue()
) and
scope = exprTo and
isSuccessor = true
)
}
override predicate stepsToDefinition(Expr exprFrom, AssignableDefinition def, ControlFlowElement scope, boolean exactScope, boolean isSuccessor) {
// Flow from source to definition
exactScope = false and
def.getSource() = exprFrom and
(
scope = def.getExpr() and
isSuccessor = true
or
scope = def.(AssignableDefinitions::IsPatternDefinition).getIsPatternExpr() and
isSuccessor = false
or
exists(SwitchStmt ss |
ss = def.(AssignableDefinitions::TypeCasePatternDefinition).getTypeCase().getSwitchStmt() and
isSuccessor = true
|
scope = ss.getCondition()
or
scope = ss.getACase()
)
)
}
}
/**
* Holds if data flows from `nodeFrom` to `nodeTo` in exactly one local
* (intra-procedural) step.
@@ -709,18 +909,20 @@ module DataFlow {
cached
predicate step(Node nodeFrom, Node nodeTo) {
forceCachingInSameStage() and
localFlowStepExpr(nodeFrom.asExpr(), nodeTo.asExpr())
or
// Flow from source to SSA definition
exists(Ssa::ExplicitDefinition def |
def.getADefinition().getSource() = nodeFrom.asExpr() |
nodeTo.(SsaDefinitionNode).getDefinition() = def
)
TaintTracking::Internal::Cached::forceCachingInSameStage() and
any(LocalExprStepConfiguration x).hasStep(nodeFrom, nodeTo)
or
// Flow from SSA definition to first read
exists(Ssa::Definition def |
exists(Ssa::Definition def, ControlFlow::Node cfn |
def = nodeFrom.(SsaDefinitionNode).getDefinition() |
nodeTo.asExpr() = def.getAFirstRead()
nodeTo.asExprAtNode(cfn) = def.getAFirstReadAtNode(cfn)
)
or
// Flow from read to next read
exists(ControlFlow::Node cfnFrom, ControlFlow::Node cfnTo |
Ssa::Internal::adjacentReadPairSameVar(cfnFrom, cfnTo) |
nodeFrom = TExprNode(cfnFrom) and
nodeTo = TExprNode(cfnTo)
)
or
// Flow into SSA pseudo definition
@@ -779,9 +981,9 @@ module DataFlow {
def = nodeFrom.(SsaDefinitionNode).getDefinition() and
not exists(def.getARead())
or
exists(AssignableRead read |
read = nodeFrom.asExpr() |
def.getALastRead() = read
exists(AssignableRead read, ControlFlow::Node cfn |
read = nodeFrom.asExprAtNode(cfn) |
def.getALastReadAtNode(cfn) = read
)
}
@@ -794,34 +996,30 @@ module DataFlow {
)
}
private predicate localFlowStepExpr(Expr exprFrom, Expr exprTo) {
// Flow using library code
libraryFlow(exprFrom, exprTo, true)
private Expr getALibraryFlowParent(Expr exprFrom, Expr exprTo, boolean preservesValue) {
libraryFlow(exprFrom, exprTo, preservesValue) and
result = exprFrom
or
// Flow from read to next read
exprTo = exprFrom.(AssignableRead).getANextRead()
or
exprFrom = exprTo.(ParenthesizedExpr).getExpr()
or
exprTo = any(ConditionalExpr ce |
exprFrom = ce.getThen() or
exprFrom = ce.getElse()
)
or
exprFrom = exprTo.(Cast).getExpr()
or
exprFrom = exprTo.(AwaitExpr).getExpr()
or
// An `=` expression, where the result of the expression is used
exprTo = any(AssignExpr ae |
ae.getParent() instanceof Expr and
exprFrom = ae.getRValue()
exists(Expr mid |
mid = getALibraryFlowParent(exprFrom, exprTo, preservesValue) |
result.getAChildExpr() = mid and
not mid.getAChildExpr*() = exprTo
)
}
predicate libraryFlow(Expr exprFrom, Expr exprTo, Expr scope, boolean isSuccessor, boolean preservesValue) {
// To not pollute the definitions in `LibraryTypeDataFlow.qll` with syntactic scope,
// simply use the nearest common parent expression for `exprFrom` and `exprTo`
scope = getALibraryFlowParent(exprFrom, exprTo, preservesValue) and
scope.getAChildExpr*() = exprTo and
// Similarly, for simplicity allow following both forwards and backwards edges from
// `exprFrom` to `exprTo`
(isSuccessor = true or isSuccessor = false)
}
predicate localFlowStepNoConfig(Node pred, Node succ) {
localFlowStep(pred, succ) or
flowThroughCallableLibraryOutRef(_, pred.asExpr(), succ, true)
flowThroughCallableLibraryOutRef(_, pred, succ, true)
}
/**
@@ -1135,7 +1333,9 @@ module DataFlow {
cached predicate forceCachingInSameStage() { any() }
cached newtype TNode =
TExprNode(DotNet::Expr e)
TExprNode(ControlFlow::Nodes::ElementNode cfn) {
cfn.getElement() instanceof Expr
}
or
TSsaDefinitionNode(Ssa::Definition def)
or
@@ -1143,6 +1343,8 @@ module DataFlow {
p.getMethod().hasBody()
}
or
TCilExprNode(CIL::Expr e)
or
TImplicitDelegateCallNode(DelegateArgumentToLibraryCallable arg)
or
TImplicitCapturedArgumentNode(Call c, LocalScopeVariable v) {
@@ -1554,8 +1756,8 @@ module DataFlow {
* Holds if data may flow from argument `mid` of a call, back out from the
* call to `out`. The context after the call is `ctx`.
*/
pragma [noinline]
private predicate flowThroughCallable(FlowGraphNode mid, OutNode out, Context ctx) {
pragma[nomagic]
private predicate flowThroughCallable0(FlowGraphNode mid, OutNode out, Context ctx) {
exists(CallNode call, ParameterNode p, ArgumentContext innerctx, CallContext cc |
flowIntoCallable(mid, p, innerctx) and
paramFlowsThrough(call, p, out, innerctx, cc) |
@@ -1579,6 +1781,44 @@ module DataFlow {
)
}
private predicate flowThroughCallable1Scope(OutNode out, Expr e) {
flowThroughCallable0(_, out, _) and
e = out.asExpr().(Expr).getAChildExpr*()
}
pragma[nomagic]
private predicate flowThroughCallable1(FlowGraphNode mid, OutNode out, ControlFlow::Nodes::ElementNode cfn, Context ctx) {
flowThroughCallable0(mid, out, ctx) and
exists(mid.getNode().asExprAtNode(cfn))
or
exists(ControlFlow::Nodes::ElementNode cfnMid |
flowThroughCallable1(mid, out, cfnMid, ctx) |
cfn = cfnMid.getASuccessor() and
flowThroughCallable1Scope(out, cfn.getElement())
)
}
/**
* Holds if data may flow from argument `mid` of a call, back out from the
* call to `out`. The context after the call is `ctx`.
*/
pragma[nomagic]
private predicate flowThroughCallable(FlowGraphNode mid, OutNode out, Context ctx) {
// If both `mid` and `out` have associated control flow nodes, the latter
// must be reachable from the former
exists(ControlFlow::Node cfn |
flowThroughCallable1(mid, out, cfn, ctx) |
exists(out.asExprAtNode(cfn))
)
or
flowThroughCallable0(mid, out, ctx) and
(
mid.getNode().(ArgumentNode).hasNoControlFlowNode()
or
not out.asExpr() instanceof Expr
)
}
/**
* Holds if data can flow (inter-procedurally) from `source` to `sink`.
*
@@ -1592,6 +1832,23 @@ module DataFlow {
flowsink.getNode() = sink
}
private class FlowThroughCallableLibraryOutRefStepConfiguration extends ExprStepConfiguration {
FlowThroughCallableLibraryOutRefStepConfiguration() {
this = "FlowThroughCallableLibraryOutRefStepConfiguration"
}
override predicate stepsToDefinition(Expr exprFrom, AssignableDefinition defTo, ControlFlowElement scope, boolean exactScope, boolean isSuccessor) {
exists(MethodCall mc, Parameter outRef |
libraryFlowOutRef(mc, exprFrom, outRef, _) |
defTo.getTargetAccess() = mc.getArgumentForParameter(outRef) and
defTo instanceof AssignableDefinitions::OutRefDefinition and
scope = mc and
isSuccessor = true and
exactScope = false
)
}
}
/**
* Holds if `arg` is an argument of the method call `mc`, where the target
* of `mc` is a library callable that forwards `arg` to an `out`/`ref` argument
@@ -1605,12 +1862,9 @@ module DataFlow {
* `mc = Int32.TryParse("42", out i)`, `arg = "42"`, and `node` is the access
* to `i` in `out i`.
*/
predicate flowThroughCallableLibraryOutRef(MethodCall mc, Expr arg, SsaDefinitionNode node, boolean preservesValue) {
exists(Parameter outRef, AssignableDefinitions::OutRefDefinition def |
libraryFlowOutRef(mc, arg, outRef, preservesValue) |
def = node.getDefinition().(Ssa::ExplicitDefinition).getADefinition() and
def.getTargetAccess() = mc.getArgumentForParameter(outRef)
)
predicate flowThroughCallableLibraryOutRef(MethodCall mc, ExprNode arg, SsaDefinitionNode node, boolean preservesValue) {
libraryFlowOutRef(mc, arg.getExpr(), _, preservesValue) and
any(FlowThroughCallableLibraryOutRefStepConfiguration x).hasStep(arg, node)
}
/**

215
csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking.qll
View File

@@ -31,87 +31,6 @@ module TaintTracking {
localAdditionalTaintStep(nodeFrom, nodeTo)
}
private CIL::DataFlowNode asCilDataFlowNode(DataFlow::Node node) {
result = node.asParameter() or
result = node.asExpr()
}
private predicate localTaintStepCil(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
asCilDataFlowNode(nodeFrom).getALocalFlowSucc(asCilDataFlowNode(nodeTo), any(CIL::Tainted t))
}
private cached predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
localAdditionalTaintStepExpr(nodeFrom.asExpr(), nodeTo.asExpr())
or
DataFlow::Internal::flowOutOfDelegateLibraryCall(nodeFrom, nodeTo, false)
or
// Taint from `foreach` expression
exists(ForeachStmt fs, AssignableDefinitions::LocalVariableDefinition def, Ssa::ExplicitDefinition ssaDef |
nodeFrom.asExpr() = fs.getIterableExpr() and
def.getTarget() = fs.getVariable() and
ssaDef.getADefinition() = def and
nodeTo.(DataFlow::Internal::SsaDefinitionNode).getDefinition() = ssaDef
)
or
localTaintStepCil(nodeFrom, nodeTo)
}
private predicate localAdditionalTaintStepExpr(Expr exprFrom, Expr exprTo) {
// Taint propagation using library code
libraryFlow(exprFrom, exprTo, false)
or
// Taint from assigned value to element qualifier (`x[i] = 0`)
exists(AssignExpr ae |
exprFrom = ae.getRValue() and
exprTo.(AssignableRead) = getElementAccessQualifier+(ae.getLValue())
)
or
// Taint from array initializer
exprFrom = exprTo.(ArrayCreation).getInitializer().getAnElement()
or
// Taint from object initializer
exists(ElementInitializer ei |
ei = exprTo.(ObjectCreation).getInitializer().(CollectionInitializer).getAnElementInitializer() and
exprFrom = ei.getArgument(ei.getNumberOfArguments() - 1) // assume the last argument is the value (i.e., not a key)
)
or
// Taint from element qualifier
exprFrom = exprTo.(ElementAccess).getQualifier()
or
exprFrom = exprTo.(AddExpr).getAnOperand()
or
// A comparison expression where taint can flow from one of the
// operands if the other operand is a constant value.
exists(ComparisonTest ct, Expr other |
ct.getExpr() = exprTo and
exprFrom = ct.getAnArgument() and
other = ct.getAnArgument() and
other.stripCasts().hasValue() and
exprFrom != other
)
or
exprFrom = exprTo.(LogicalOperation).getAnOperand()
or
// Taint from tuple argument
exprTo = any(TupleExpr te |
exprFrom = te.getAnArgument() and
te.isReadAccess()
)
or
exprFrom = exprTo.(InterpolatedStringExpr).getAChild()
or
// Taint from tuple expression
exprTo = any(MemberAccess ma |
ma.getQualifier().getType() instanceof TupleType and
exprFrom = ma.getQualifier()
)
}
/** Gets the qualifier of element access `ea`. */
private Expr getElementAccessQualifier(ElementAccess ea) {
result = ea.getQualifier()
}
/**
* A taint tracking configuration.
*
@@ -163,7 +82,7 @@ module TaintTracking {
override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
isAdditionalTaintStep(pred, succ) or
localAdditionalTaintStep(pred, succ) or
DataFlow::Internal::flowThroughCallableLibraryOutRef(_, pred.asExpr(), succ, false)
DataFlow::Internal::flowThroughCallableLibraryOutRef(_, pred, succ, false)
}
final
@@ -191,7 +110,135 @@ module TaintTracking {
}
}
private predicate canYieldReturn(Callable c, Expr e) {
c.getSourceDeclaration().canYieldReturn(e)
/** INTERNAL: Do not use. */
module Internal {
predicate canYieldReturn(Callable c, Expr e) {
c.getSourceDeclaration().canYieldReturn(e)
}
private CIL::DataFlowNode asCilDataFlowNode(DataFlow::Node node) {
result = node.asParameter() or
result = node.asExpr()
}
private predicate localTaintStepCil(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
asCilDataFlowNode(nodeFrom).getALocalFlowSucc(asCilDataFlowNode(nodeTo), any(CIL::Tainted t))
}
/** Gets the qualifier of element access `ea`. */
private Expr getElementAccessQualifier(ElementAccess ea) {
result = ea.getQualifier()
}
private class LocalTaintExprStepConfiguration extends DataFlow::Internal::ExprStepConfiguration {
LocalTaintExprStepConfiguration() { this = "LocalTaintExprStepConfiguration" }
override predicate stepsToExpr(Expr exprFrom, Expr exprTo, ControlFlowElement scope, boolean exactScope, boolean isSuccessor) {
exactScope = false and
(
// Taint propagation using library code
DataFlow::Internal::LocalFlow::libraryFlow(exprFrom, exprTo, scope, isSuccessor, false)
or
// Taint from assigned value to element qualifier (`x[i] = 0`)
exists(AssignExpr ae |
exprFrom = ae.getRValue() and
exprTo.(AssignableRead) = getElementAccessQualifier+(ae.getLValue()) and
scope = ae and
isSuccessor = false
)
or
// Taint from array initializer
exprFrom = exprTo.(ArrayCreation).getInitializer().getAnElement() and
scope = exprTo and
isSuccessor = false
or
// Taint from object initializer
exists(ElementInitializer ei |
ei = exprTo.(ObjectCreation).getInitializer().(CollectionInitializer).getAnElementInitializer() and
exprFrom = ei.getArgument(ei.getNumberOfArguments() - 1) and // assume the last argument is the value (i.e., not a key)
scope = exprTo and
isSuccessor = false
)
or
// Taint from element qualifier
exprFrom = exprTo.(ElementAccess).getQualifier() and
scope = exprTo and
isSuccessor = true
or
exprFrom = exprTo.(AddExpr).getAnOperand() and
scope = exprTo and
isSuccessor = true
or
// A comparison expression where taint can flow from one of the
// operands if the other operand is a constant value.
exists(ComparisonTest ct, Expr other |
ct.getExpr() = exprTo and
exprFrom = ct.getAnArgument() and
other = ct.getAnArgument() and
other.stripCasts().hasValue() and
exprFrom != other and
scope = exprTo and
isSuccessor = true
)
or
exprFrom = exprTo.(LogicalOperation).getAnOperand() and
scope = exprTo and
isSuccessor = false
or
// Taint from tuple argument
exprTo = any(TupleExpr te |
exprFrom = te.getAnArgument() and
te.isReadAccess() and
scope = exprTo and
isSuccessor = true
)
or
exprFrom = exprTo.(InterpolatedStringExpr).getAChild() and
scope = exprTo and
isSuccessor = true
or
// Taint from tuple expression
exprTo = any(MemberAccess ma |
ma.getQualifier().getType() instanceof TupleType and
exprFrom = ma.getQualifier() and
scope = exprTo and
isSuccessor = true
)
)
}
override predicate stepsToDefinition(Expr exprFrom, AssignableDefinition defTo, ControlFlowElement scope, boolean exactScope, boolean isSuccessor) {
// Taint from `foreach` expression
exists(ForeachStmt fs |
exprFrom = fs.getIterableExpr() and
defTo.(AssignableDefinitions::LocalVariableDefinition).getDeclaration() = fs.getVariableDeclExpr() and
isSuccessor = true
|
scope = fs and
exactScope = true
or
scope = fs.getIterableExpr() and
exactScope = false
or
scope = fs.getVariableDeclExpr() and
exactScope = false
)
}
}
cached module Cached {
cached predicate forceCachingInSameStage() { any() }
cached predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
DataFlow::Internal::Cached::forceCachingInSameStage() and
any(LocalTaintExprStepConfiguration x).hasStep(nodeFrom, nodeTo)
or
DataFlow::Internal::flowOutOfDelegateLibraryCall(nodeFrom, nodeTo, false)
or
localTaintStepCil(nodeFrom, nodeTo)
}
}
import Cached
}
private import Internal
}

13
csharp/ql/src/semmle/code/csharp/exprs/Call.qll
View File

@@ -517,7 +517,7 @@ class DelegateCall extends Call, @delegate_invocation_expr {
)
or
exists(AddEventSource aes, CallContext::CallContext cc2 |
aes = this.getAnAddEventSource() and
aes = this.getAnAddEventSource(_) and
result = aes.getARuntimeTarget(cc2)
|
aes = this.getAnAddEventSourceSameEnclosingCallable() and
@@ -529,18 +529,17 @@ class DelegateCall extends Call, @delegate_invocation_expr {
)
}
private AddEventSource getAnAddEventSource() {
this.getDelegateExpr().(EventAccess).getTarget() = result.getEvent()
private AddEventSource getAnAddEventSource(Callable enclosingCallable) {
this.getDelegateExpr().(EventAccess).getTarget() = result.getEvent() and
enclosingCallable = result.getExpr().getEnclosingCallable()
}
private AddEventSource getAnAddEventSourceSameEnclosingCallable() {
result = getAnAddEventSource() and
result.getExpr().getEnclosingCallable() = this.getEnclosingCallable()
result = getAnAddEventSource(this.getEnclosingCallable())
}
private AddEventSource getAnAddEventSourceDifferentEnclosingCallable() {
result = getAnAddEventSource() and
result.getExpr().getEnclosingCallable() != this.getEnclosingCallable()
exists(Callable c | result = getAnAddEventSource(c) | c != this.getEnclosingCallable())
}
override Callable getARuntimeTarget() { result = getARuntimeTarget(_) }

5
csharp/ql/src/semmle/code/csharp/exprs/Expr.qll
View File

@@ -670,7 +670,10 @@ class TupleExpr extends Expr, @tuple_expr {
Expr getAnArgument() { result = getArgument(_) }
/** Holds if this tuple is a read access. */
predicate isReadAccess() { not exists(AssignExpr e | this = e.getLValue().getAChildExpr*()) }
predicate isReadAccess() {
not exists(AssignExpr e | this = e.getLValue().getAChildExpr*()) and
not exists(ForeachStmt fs | this = fs.getVariableDeclTuple().getAChildExpr*())
}
}
/**

6
csharp/ql/src/semmle/code/csharp/security/dataflow/TaintedPath.qll
View File

@@ -123,9 +123,9 @@ module TaintedPath {
*/
class PathCheck extends Sanitizer {
PathCheck() {
// This expression is structurally replicated in a dominating guard which is not a "weak" check.
exists(Expr e |
this.getExpr().(GuardedExpr).isGuardedBy(_, e, _) and
// This expression is structurally replicated in a dominating guard which is not a "weak" check
exists(Expr e, AbstractValues::BooleanValue v |
exists(this.(GuardedDataFlowNode).getAGuard(e, v)) and
not inWeakCheck(e)
)
}

5
csharp/ql/src/semmle/code/csharp/security/dataflow/UrlRedirect.qll
View File

@@ -98,8 +98,9 @@ module UrlRedirect {
*/
class IsLocalUrlSanitizer extends Sanitizer {
IsLocalUrlSanitizer() {
exists(MethodCall mc | mc.getTarget().hasName("IsLocalUrl") |
this.getExpr().(GuardedExpr).isGuardedBy(mc, mc.getArgument(0), true)
exists(MethodCall mc, AbstractValues::BooleanValue v | mc.getTarget().hasName("IsLocalUrl") |
mc = this.(GuardedDataFlowNode).getAGuard(mc.getArgument(0), v) and
v.getValue() = true
)
}
}

6
csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll
View File

@@ -127,10 +127,10 @@ module ZipSlip {
*/
class StringCheckSanitizer extends Sanitizer {
StringCheckSanitizer() {
exists(GuardedExpr ge, MethodCall mc, Expr startsWithQualifier |
ge = this.asExpr() and
ge.isGuardedBy(mc, startsWithQualifier, true)
exists(MethodCall mc, Expr startsWithQualifier, AbstractValues::BooleanValue v |
mc = this.(GuardedDataFlowNode).getAGuard(startsWithQualifier, v)
|
v.getValue() = true and
mc.getTarget().hasQualifiedName("System.String", "StartsWith") and
mc.getQualifier() = startsWithQualifier and
// A StartsWith check against Path.Combine is not sufficient, because the ".." elements have

2
csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected
View File

@@ -243,6 +243,8 @@
| Foreach.cs:36:10:36:11 | exit M6 | Foreach.cs:36:10:36:11 | exit M6 | 1 |
| Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | 1 |
| Foreach.cs:38:26:38:26 | String x | Foreach.cs:39:11:39:11 | ; | 4 |
| Initializers.cs:3:13:3:13 | access to field H | Initializers.cs:3:13:3:17 | ... + ... | 3 |
| Initializers.cs:4:27:4:27 | access to field H | Initializers.cs:4:27:4:31 | ... + ... | 3 |
| Initializers.cs:6:5:6:16 | enter Initializers | Initializers.cs:6:5:6:16 | exit Initializers | 3 |
| Initializers.cs:8:10:8:10 | enter M | Initializers.cs:8:10:8:10 | exit M | 23 |
| NullCoalescing.cs:3:9:3:10 | enter M1 | NullCoalescing.cs:3:23:3:23 | access to parameter i | 3 |

4
csharp/ql/test/library-tests/controlflow/graph/BasicBlockDominance.expected
View File

@@ -504,6 +504,8 @@
| post | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... |
| post | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | Foreach.cs:38:26:38:26 | String x |
| post | Foreach.cs:38:26:38:26 | String x | Foreach.cs:38:26:38:26 | String x |
| post | Initializers.cs:3:13:3:13 | access to field H | Initializers.cs:3:13:3:13 | access to field H |
| post | Initializers.cs:4:27:4:27 | access to field H | Initializers.cs:4:27:4:27 | access to field H |
| post | Initializers.cs:6:5:6:16 | enter Initializers | Initializers.cs:6:5:6:16 | enter Initializers |
| post | Initializers.cs:8:10:8:10 | enter M | Initializers.cs:8:10:8:10 | enter M |
| post | NullCoalescing.cs:3:9:3:10 | enter M1 | NullCoalescing.cs:3:9:3:10 | enter M1 |
@@ -1910,6 +1912,8 @@
| pre | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... |
| pre | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | Foreach.cs:38:26:38:26 | String x |
| pre | Foreach.cs:38:26:38:26 | String x | Foreach.cs:38:26:38:26 | String x |
| pre | Initializers.cs:3:13:3:13 | access to field H | Initializers.cs:3:13:3:13 | access to field H |
| pre | Initializers.cs:4:27:4:27 | access to field H | Initializers.cs:4:27:4:27 | access to field H |
| pre | Initializers.cs:6:5:6:16 | enter Initializers | Initializers.cs:6:5:6:16 | enter Initializers |
| pre | Initializers.cs:8:10:8:10 | enter M | Initializers.cs:8:10:8:10 | enter M |
| pre | NullCoalescing.cs:3:9:3:10 | enter M1 | NullCoalescing.cs:3:9:3:10 | enter M1 |

16
csharp/ql/test/library-tests/controlflow/graph/Dominance.expected
View File

@@ -896,6 +896,10 @@
| post | Foreach.cs:38:33:38:33 | Int32 y | Foreach.cs:38:26:38:26 | String x |
| post | Foreach.cs:38:39:38:42 | access to parameter args | Foreach.cs:37:5:40:5 | {...} |
| post | Foreach.cs:39:11:39:11 | ; | Foreach.cs:38:18:38:34 | (..., ...) |
| post | Initializers.cs:3:13:3:17 | ... + ... | Initializers.cs:3:17:3:17 | 1 |
| post | Initializers.cs:3:17:3:17 | 1 | Initializers.cs:3:13:3:13 | access to field H |
| post | Initializers.cs:4:27:4:31 | ... + ... | Initializers.cs:4:31:4:31 | 2 |
| post | Initializers.cs:4:31:4:31 | 2 | Initializers.cs:4:27:4:27 | access to field H |
| post | Initializers.cs:6:5:6:16 | exit Initializers | Initializers.cs:6:28:6:30 | {...} |
| post | Initializers.cs:6:28:6:30 | {...} | Initializers.cs:6:5:6:16 | enter Initializers |
| post | Initializers.cs:8:10:8:10 | exit M | Initializers.cs:11:13:11:63 | Initializers[] iz = ... |
@@ -909,9 +913,9 @@
| post | Initializers.cs:10:40:10:40 | access to field F | Initializers.cs:10:17:10:53 | object creation of type Initializers |
| post | Initializers.cs:10:40:10:44 | ... = ... | Initializers.cs:10:44:10:44 | 0 |
| post | Initializers.cs:10:44:10:44 | 0 | Initializers.cs:10:40:10:40 | access to field F |
| post | Initializers.cs:10:47:10:47 | access to field G | Initializers.cs:10:40:10:44 | ... = ... |
| post | Initializers.cs:10:47:10:47 | access to property G | Initializers.cs:10:40:10:44 | ... = ... |
| post | Initializers.cs:10:47:10:51 | ... = ... | Initializers.cs:10:51:10:51 | 1 |
| post | Initializers.cs:10:51:10:51 | 1 | Initializers.cs:10:47:10:47 | access to field G |
| post | Initializers.cs:10:51:10:51 | 1 | Initializers.cs:10:47:10:47 | access to property G |
| post | Initializers.cs:11:9:11:64 | ... ...; | Initializers.cs:10:13:10:53 | Initializers i = ... |
| post | Initializers.cs:11:13:11:14 | access to local variable iz | Initializers.cs:11:9:11:64 | ... ...; |
| post | Initializers.cs:11:13:11:63 | Initializers[] iz = ... | Initializers.cs:11:37:11:63 | { ..., ... } |
@@ -3141,6 +3145,10 @@
| pre | Foreach.cs:38:26:38:26 | String x | Foreach.cs:38:33:38:33 | Int32 y |
| pre | Foreach.cs:38:33:38:33 | Int32 y | Foreach.cs:38:18:38:34 | (..., ...) |
| pre | Foreach.cs:38:39:38:42 | access to parameter args | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... |
| pre | Initializers.cs:3:13:3:13 | access to field H | Initializers.cs:3:17:3:17 | 1 |
| pre | Initializers.cs:3:17:3:17 | 1 | Initializers.cs:3:13:3:17 | ... + ... |
| pre | Initializers.cs:4:27:4:27 | access to field H | Initializers.cs:4:31:4:31 | 2 |
| pre | Initializers.cs:4:31:4:31 | 2 | Initializers.cs:4:27:4:31 | ... + ... |
| pre | Initializers.cs:6:5:6:16 | enter Initializers | Initializers.cs:6:28:6:30 | {...} |
| pre | Initializers.cs:6:28:6:30 | {...} | Initializers.cs:6:5:6:16 | exit Initializers |
| pre | Initializers.cs:8:10:8:10 | enter M | Initializers.cs:9:5:12:5 | {...} |
@@ -3152,9 +3160,9 @@
| pre | Initializers.cs:10:34:10:35 | "" | Initializers.cs:10:17:10:53 | object creation of type Initializers |
| pre | Initializers.cs:10:38:10:53 | { ..., ... } | Initializers.cs:10:13:10:53 | Initializers i = ... |
| pre | Initializers.cs:10:40:10:40 | access to field F | Initializers.cs:10:44:10:44 | 0 |
| pre | Initializers.cs:10:40:10:44 | ... = ... | Initializers.cs:10:47:10:47 | access to field G |
| pre | Initializers.cs:10:40:10:44 | ... = ... | Initializers.cs:10:47:10:47 | access to property G |
| pre | Initializers.cs:10:44:10:44 | 0 | Initializers.cs:10:40:10:44 | ... = ... |
| pre | Initializers.cs:10:47:10:47 | access to field G | Initializers.cs:10:51:10:51 | 1 |
| pre | Initializers.cs:10:47:10:47 | access to property G | Initializers.cs:10:51:10:51 | 1 |
| pre | Initializers.cs:10:47:10:51 | ... = ... | Initializers.cs:10:38:10:53 | { ..., ... } |
| pre | Initializers.cs:10:51:10:51 | 1 | Initializers.cs:10:47:10:51 | ... = ... |
| pre | Initializers.cs:11:9:11:64 | ... ...; | Initializers.cs:11:13:11:14 | access to local variable iz |

8
csharp/ql/test/library-tests/controlflow/graph/ElementGraph.expected
View File

@@ -685,6 +685,10 @@
| Foreach.cs:38:33:38:33 | Int32 y | Foreach.cs:38:18:38:34 | (..., ...) | semmle.label | successor |
| Foreach.cs:38:39:38:42 | access to parameter args | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | semmle.label | successor |
| Foreach.cs:39:11:39:11 | ; | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | semmle.label | successor |
| Initializers.cs:3:13:3:13 | access to field H | Initializers.cs:3:17:3:17 | 1 | semmle.label | successor |
| Initializers.cs:3:17:3:17 | 1 | Initializers.cs:3:13:3:17 | ... + ... | semmle.label | successor |
| Initializers.cs:4:27:4:27 | access to field H | Initializers.cs:4:31:4:31 | 2 | semmle.label | successor |
| Initializers.cs:4:31:4:31 | 2 | Initializers.cs:4:27:4:31 | ... + ... | semmle.label | successor |
| Initializers.cs:9:5:12:5 | {...} | Initializers.cs:10:9:10:54 | ... ...; | semmle.label | successor |
| Initializers.cs:10:9:10:54 | ... ...; | Initializers.cs:10:13:10:13 | access to local variable i | semmle.label | successor |
| Initializers.cs:10:13:10:13 | access to local variable i | Initializers.cs:10:34:10:35 | "" | semmle.label | successor |
@@ -693,9 +697,9 @@
| Initializers.cs:10:34:10:35 | "" | Initializers.cs:10:17:10:53 | object creation of type Initializers | semmle.label | successor |
| Initializers.cs:10:38:10:53 | { ..., ... } | Initializers.cs:10:13:10:53 | Initializers i = ... | semmle.label | successor |
| Initializers.cs:10:40:10:40 | access to field F | Initializers.cs:10:44:10:44 | 0 | semmle.label | successor |
| Initializers.cs:10:40:10:44 | ... = ... | Initializers.cs:10:47:10:47 | access to field G | semmle.label | successor |
| Initializers.cs:10:40:10:44 | ... = ... | Initializers.cs:10:47:10:47 | access to property G | semmle.label | successor |
| Initializers.cs:10:44:10:44 | 0 | Initializers.cs:10:40:10:44 | ... = ... | semmle.label | successor |
| Initializers.cs:10:47:10:47 | access to field G | Initializers.cs:10:51:10:51 | 1 | semmle.label | successor |
| Initializers.cs:10:47:10:47 | access to property G | Initializers.cs:10:51:10:51 | 1 | semmle.label | successor |
| Initializers.cs:10:47:10:51 | ... = ... | Initializers.cs:10:38:10:53 | { ..., ... } | semmle.label | successor |
| Initializers.cs:10:51:10:51 | 1 | Initializers.cs:10:47:10:51 | ... = ... | semmle.label | successor |
| Initializers.cs:11:9:11:64 | ... ...; | Initializers.cs:11:13:11:14 | access to local variable iz | semmle.label | successor |

11
csharp/ql/test/library-tests/controlflow/graph/EntryElement.expected
View File

@@ -727,6 +727,12 @@
| Foreach.cs:38:33:38:33 | Int32 y | Foreach.cs:38:33:38:33 | Int32 y |
| Foreach.cs:38:39:38:42 | access to parameter args | Foreach.cs:38:39:38:42 | access to parameter args |
| Foreach.cs:39:11:39:11 | ; | Foreach.cs:39:11:39:11 | ; |
| Initializers.cs:3:13:3:13 | access to field H | Initializers.cs:3:13:3:13 | access to field H |
| Initializers.cs:3:13:3:17 | ... + ... | Initializers.cs:3:13:3:13 | access to field H |
| Initializers.cs:3:17:3:17 | 1 | Initializers.cs:3:17:3:17 | 1 |
| Initializers.cs:4:27:4:27 | access to field H | Initializers.cs:4:27:4:27 | access to field H |
| Initializers.cs:4:27:4:31 | ... + ... | Initializers.cs:4:27:4:27 | access to field H |
| Initializers.cs:4:31:4:31 | 2 | Initializers.cs:4:31:4:31 | 2 |
| Initializers.cs:6:28:6:30 | {...} | Initializers.cs:6:28:6:30 | {...} |
| Initializers.cs:9:5:12:5 | {...} | Initializers.cs:9:5:12:5 | {...} |
| Initializers.cs:10:9:10:54 | ... ...; | Initializers.cs:10:9:10:54 | ... ...; |
@@ -738,8 +744,8 @@
| Initializers.cs:10:40:10:40 | access to field F | Initializers.cs:10:40:10:40 | access to field F |
| Initializers.cs:10:40:10:44 | ... = ... | Initializers.cs:10:40:10:40 | access to field F |
| Initializers.cs:10:44:10:44 | 0 | Initializers.cs:10:44:10:44 | 0 |
| Initializers.cs:10:47:10:47 | access to field G | Initializers.cs:10:47:10:47 | access to field G |
| Initializers.cs:10:47:10:51 | ... = ... | Initializers.cs:10:47:10:47 | access to field G |
| Initializers.cs:10:47:10:47 | access to property G | Initializers.cs:10:47:10:47 | access to property G |
| Initializers.cs:10:47:10:51 | ... = ... | Initializers.cs:10:47:10:47 | access to property G |
| Initializers.cs:10:51:10:51 | 1 | Initializers.cs:10:51:10:51 | 1 |
| Initializers.cs:11:9:11:64 | ... ...; | Initializers.cs:11:9:11:64 | ... ...; |
| Initializers.cs:11:13:11:14 | access to local variable iz | Initializers.cs:11:13:11:14 | access to local variable iz |
@@ -750,6 +756,7 @@
| Initializers.cs:11:39:11:39 | access to local variable i | Initializers.cs:11:39:11:39 | access to local variable i |
| Initializers.cs:11:42:11:61 | object creation of type Initializers | Initializers.cs:11:59:11:60 | "" |
| Initializers.cs:11:59:11:60 | "" | Initializers.cs:11:59:11:60 | "" |
| Initializers.cs:14:20:14:20 | 1 | Initializers.cs:14:20:14:20 | 1 |
| NullCoalescing.cs:3:23:3:23 | access to parameter i | NullCoalescing.cs:3:23:3:23 | access to parameter i |
| NullCoalescing.cs:3:23:3:28 | ... ?? ... | NullCoalescing.cs:3:23:3:28 | ... ?? ... |
| NullCoalescing.cs:3:28:3:28 | 0 | NullCoalescing.cs:3:28:3:28 | 0 |

9
csharp/ql/test/library-tests/controlflow/graph/ExitElement.expected
View File

@@ -969,6 +969,12 @@
| Foreach.cs:38:33:38:33 | Int32 y | Foreach.cs:38:33:38:33 | Int32 y | normal |
| Foreach.cs:38:39:38:42 | access to parameter args | Foreach.cs:38:39:38:42 | access to parameter args | normal |
| Foreach.cs:39:11:39:11 | ; | Foreach.cs:39:11:39:11 | ; | normal |
| Initializers.cs:3:13:3:13 | access to field H | Initializers.cs:3:13:3:13 | access to field H | normal |
| Initializers.cs:3:13:3:17 | ... + ... | Initializers.cs:3:13:3:17 | ... + ... | normal |
| Initializers.cs:3:17:3:17 | 1 | Initializers.cs:3:17:3:17 | 1 | normal |
| Initializers.cs:4:27:4:27 | access to field H | Initializers.cs:4:27:4:27 | access to field H | normal |
| Initializers.cs:4:27:4:31 | ... + ... | Initializers.cs:4:27:4:31 | ... + ... | normal |
| Initializers.cs:4:31:4:31 | 2 | Initializers.cs:4:31:4:31 | 2 | normal |
| Initializers.cs:6:28:6:30 | {...} | Initializers.cs:6:28:6:30 | {...} | normal |
| Initializers.cs:9:5:12:5 | {...} | Initializers.cs:11:13:11:63 | Initializers[] iz = ... | normal |
| Initializers.cs:10:9:10:54 | ... ...; | Initializers.cs:10:13:10:53 | Initializers i = ... | normal |
@@ -980,7 +986,7 @@
| Initializers.cs:10:40:10:40 | access to field F | Initializers.cs:10:40:10:40 | access to field F | normal |
| Initializers.cs:10:40:10:44 | ... = ... | Initializers.cs:10:40:10:44 | ... = ... | normal |
| Initializers.cs:10:44:10:44 | 0 | Initializers.cs:10:44:10:44 | 0 | normal |
| Initializers.cs:10:47:10:47 | access to field G | Initializers.cs:10:47:10:47 | access to field G | normal |
| Initializers.cs:10:47:10:47 | access to property G | Initializers.cs:10:47:10:47 | access to property G | normal |
| Initializers.cs:10:47:10:51 | ... = ... | Initializers.cs:10:47:10:51 | ... = ... | normal |
| Initializers.cs:10:51:10:51 | 1 | Initializers.cs:10:51:10:51 | 1 | normal |
| Initializers.cs:11:9:11:64 | ... ...; | Initializers.cs:11:13:11:63 | Initializers[] iz = ... | normal |
@@ -992,6 +998,7 @@
| Initializers.cs:11:39:11:39 | access to local variable i | Initializers.cs:11:39:11:39 | access to local variable i | normal |
| Initializers.cs:11:42:11:61 | object creation of type Initializers | Initializers.cs:11:42:11:61 | object creation of type Initializers | normal |
| Initializers.cs:11:59:11:60 | "" | Initializers.cs:11:59:11:60 | "" | normal |
| Initializers.cs:14:20:14:20 | 1 | Initializers.cs:14:20:14:20 | 1 | normal |
| NullCoalescing.cs:3:23:3:23 | access to parameter i | NullCoalescing.cs:3:23:3:23 | access to parameter i | non-null |
| NullCoalescing.cs:3:23:3:23 | access to parameter i | NullCoalescing.cs:3:23:3:23 | access to parameter i | null |
| NullCoalescing.cs:3:23:3:28 | ... ?? ... | NullCoalescing.cs:3:23:3:23 | access to parameter i | non-null |

6
csharp/ql/test/library-tests/controlflow/graph/Initializers.cs
View File

@@ -1,7 +1,7 @@
class Initializers
{
int F;
int G;
int F = H + 1;
int G { get; set; } = H + 2;
Initializers(string s) { }
@@ -10,4 +10,6 @@ class Initializers
var i = new Initializers("") { F = 0, G = 1 };
var iz = new Initializers[] { i, new Initializers("") };
}
static int H = 1;
}

8
csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected
View File

@@ -1034,6 +1034,10 @@
| Foreach.cs:38:33:38:33 | Int32 y | Foreach.cs:38:18:38:34 | (..., ...) | semmle.label | successor |
| Foreach.cs:38:39:38:42 | access to parameter args | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | semmle.label | successor |
| Foreach.cs:39:11:39:11 | ; | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | semmle.label | successor |
| Initializers.cs:3:13:3:13 | access to field H | Initializers.cs:3:17:3:17 | 1 | semmle.label | successor |
| Initializers.cs:3:17:3:17 | 1 | Initializers.cs:3:13:3:17 | ... + ... | semmle.label | successor |
| Initializers.cs:4:27:4:27 | access to field H | Initializers.cs:4:31:4:31 | 2 | semmle.label | successor |
| Initializers.cs:4:31:4:31 | 2 | Initializers.cs:4:27:4:31 | ... + ... | semmle.label | successor |
| Initializers.cs:6:5:6:16 | enter Initializers | Initializers.cs:6:28:6:30 | {...} | semmle.label | successor |
| Initializers.cs:6:28:6:30 | {...} | Initializers.cs:6:5:6:16 | exit Initializers | semmle.label | successor |
| Initializers.cs:8:10:8:10 | enter M | Initializers.cs:9:5:12:5 | {...} | semmle.label | successor |
@@ -1045,9 +1049,9 @@
| Initializers.cs:10:34:10:35 | "" | Initializers.cs:10:17:10:53 | object creation of type Initializers | semmle.label | successor |
| Initializers.cs:10:38:10:53 | { ..., ... } | Initializers.cs:10:13:10:53 | Initializers i = ... | semmle.label | successor |
| Initializers.cs:10:40:10:40 | access to field F | Initializers.cs:10:44:10:44 | 0 | semmle.label | successor |
| Initializers.cs:10:40:10:44 | ... = ... | Initializers.cs:10:47:10:47 | access to field G | semmle.label | successor |
| Initializers.cs:10:40:10:44 | ... = ... | Initializers.cs:10:47:10:47 | access to property G | semmle.label | successor |
| Initializers.cs:10:44:10:44 | 0 | Initializers.cs:10:40:10:44 | ... = ... | semmle.label | successor |
| Initializers.cs:10:47:10:47 | access to field G | Initializers.cs:10:51:10:51 | 1 | semmle.label | successor |
| Initializers.cs:10:47:10:47 | access to property G | Initializers.cs:10:51:10:51 | 1 | semmle.label | successor |
| Initializers.cs:10:47:10:51 | ... = ... | Initializers.cs:10:38:10:53 | { ..., ... } | semmle.label | successor |
| Initializers.cs:10:51:10:51 | 1 | Initializers.cs:10:47:10:51 | ... = ... | semmle.label | successor |
| Initializers.cs:11:9:11:64 | ... ...; | Initializers.cs:11:13:11:14 | access to local variable iz | semmle.label | successor |

232
csharp/ql/test/library-tests/controlflow/guards/GuardedControlFlowNode.expected Normal file
View File

@@ -0,0 +1,232 @@
| Assert.cs:11:27:11:27 | access to local variable s | Assert.cs:10:22:10:22 | access to local variable s | Assert.cs:10:22:10:22 | access to local variable s | non-null |
| Assert.cs:11:27:11:27 | access to local variable s | Assert.cs:10:22:10:30 | ... != ... | Assert.cs:10:22:10:22 | access to local variable s | true |
| Assert.cs:18:27:18:27 | access to local variable s | Assert.cs:17:23:17:23 | access to local variable s | Assert.cs:17:23:17:23 | access to local variable s | null |
| Assert.cs:25:27:25:27 | access to local variable s | Assert.cs:24:26:24:26 | access to local variable s | Assert.cs:24:26:24:26 | access to local variable s | non-null |
| Assert.cs:32:27:32:27 | access to local variable s | Assert.cs:31:23:31:23 | access to local variable s | Assert.cs:31:23:31:23 | access to local variable s | null |
| Assert.cs:32:27:32:27 | access to local variable s | Assert.cs:31:23:31:31 | ... == ... | Assert.cs:31:23:31:23 | access to local variable s | true |
| Assert.cs:39:27:39:27 | access to local variable s | Assert.cs:38:23:38:23 | access to local variable s | Assert.cs:38:23:38:23 | access to local variable s | non-null |
| Assert.cs:39:27:39:27 | access to local variable s | Assert.cs:38:23:38:31 | ... != ... | Assert.cs:38:23:38:23 | access to local variable s | true |
| Assert.cs:46:27:46:27 | access to local variable s | Assert.cs:45:24:45:24 | access to local variable s | Assert.cs:45:24:45:24 | access to local variable s | null |
| Assert.cs:46:27:46:27 | access to local variable s | Assert.cs:45:24:45:32 | ... != ... | Assert.cs:45:24:45:24 | access to local variable s | false |
| Assert.cs:53:27:53:27 | access to local variable s | Assert.cs:52:24:52:24 | access to local variable s | Assert.cs:52:24:52:24 | access to local variable s | non-null |
| Assert.cs:53:27:53:27 | access to local variable s | Assert.cs:52:24:52:32 | ... == ... | Assert.cs:52:24:52:24 | access to local variable s | false |
| Assert.cs:59:36:59:36 | access to parameter b | Assert.cs:58:20:58:20 | access to parameter b | Assert.cs:58:20:58:20 | access to parameter b | false |
| Assert.cs:59:36:59:36 | access to parameter b | Assert.cs:58:20:58:32 | ... ? ... : ... | Assert.cs:58:20:58:20 | access to parameter b | non-null |
| Assert.cs:60:27:60:27 | access to local variable s | Assert.cs:59:23:59:23 | access to local variable s | Assert.cs:59:23:59:23 | access to local variable s | non-null |
| Assert.cs:60:27:60:27 | access to local variable s | Assert.cs:59:23:59:31 | ... != ... | Assert.cs:59:23:59:23 | access to local variable s | true |
| Assert.cs:60:27:60:27 | access to local variable s | Assert.cs:59:23:59:36 | ... && ... | Assert.cs:59:23:59:23 | access to local variable s | true |
| Assert.cs:66:37:66:37 | access to parameter b | Assert.cs:65:20:65:20 | access to parameter b | Assert.cs:65:20:65:20 | access to parameter b | false |
| Assert.cs:66:37:66:37 | access to parameter b | Assert.cs:65:20:65:32 | ... ? ... : ... | Assert.cs:65:20:65:20 | access to parameter b | non-null |
| Assert.cs:67:27:67:27 | access to local variable s | Assert.cs:66:24:66:24 | access to local variable s | Assert.cs:66:24:66:24 | access to local variable s | non-null |
| Assert.cs:67:27:67:27 | access to local variable s | Assert.cs:66:24:66:32 | ... == ... | Assert.cs:66:24:66:24 | access to local variable s | false |
| Assert.cs:67:27:67:27 | access to local variable s | Assert.cs:66:24:66:37 | ... \|\| ... | Assert.cs:66:24:66:24 | access to local variable s | false |
| Assert.cs:73:36:73:36 | access to parameter b | Assert.cs:72:20:72:20 | access to parameter b | Assert.cs:72:20:72:20 | access to parameter b | true |
| Assert.cs:73:36:73:36 | access to parameter b | Assert.cs:72:20:72:32 | ... ? ... : ... | Assert.cs:72:20:72:20 | access to parameter b | null |
| Assert.cs:74:27:74:27 | access to local variable s | Assert.cs:73:23:73:23 | access to local variable s | Assert.cs:73:23:73:23 | access to local variable s | null |
| Assert.cs:74:27:74:27 | access to local variable s | Assert.cs:73:23:73:31 | ... == ... | Assert.cs:73:23:73:23 | access to local variable s | true |
| Assert.cs:74:27:74:27 | access to local variable s | Assert.cs:73:23:73:36 | ... && ... | Assert.cs:73:23:73:23 | access to local variable s | true |
| Assert.cs:80:37:80:37 | access to parameter b | Assert.cs:79:20:79:20 | access to parameter b | Assert.cs:79:20:79:20 | access to parameter b | true |
| Assert.cs:80:37:80:37 | access to parameter b | Assert.cs:79:20:79:32 | ... ? ... : ... | Assert.cs:79:20:79:20 | access to parameter b | null |
| Assert.cs:81:27:81:27 | access to local variable s | Assert.cs:80:24:80:24 | access to local variable s | Assert.cs:80:24:80:24 | access to local variable s | null |
| Assert.cs:81:27:81:27 | access to local variable s | Assert.cs:80:24:80:32 | ... != ... | Assert.cs:80:24:80:24 | access to local variable s | false |
| Assert.cs:81:27:81:27 | access to local variable s | Assert.cs:80:24:80:37 | ... \|\| ... | Assert.cs:80:24:80:24 | access to local variable s | false |
| Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | non-null |
| Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:16:10:24 | ... == ... | Guards.cs:10:16:10:16 | access to parameter s | false |
| Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | non-null |
| Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:16:10:24 | ... == ... | Guards.cs:10:16:10:16 | access to parameter s | false |
| Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:12:13:12:24 | ... > ... | Guards.cs:12:13:12:13 | access to parameter s | true |
| Guards.cs:26:31:26:31 | access to parameter s | Guards.cs:24:13:24:13 | access to parameter s | Guards.cs:24:13:24:13 | access to parameter s | non-null |
| Guards.cs:26:31:26:31 | access to parameter s | Guards.cs:24:13:24:21 | ... != ... | Guards.cs:24:13:24:13 | access to parameter s | true |
| Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:13:32:36 | !... | Guards.cs:32:35:32:35 | access to parameter x | true |
| Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:13:32:51 | ... & ... | Guards.cs:32:35:32:35 | access to parameter x | true |
| Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:14:32:36 | call to method IsNullOrEmpty | Guards.cs:32:35:32:35 | access to parameter x | false |
| Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:35:32:35 | access to parameter x | Guards.cs:32:35:32:35 | access to parameter x | non-null |
| Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:13:32:51 | ... & ... | Guards.cs:32:42:32:42 | access to parameter y | true |
| Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:40:32:51 | !... | Guards.cs:32:42:32:42 | access to parameter y | true |
| Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:42:32:42 | access to parameter y | Guards.cs:32:42:32:42 | access to parameter y | non-null |
| Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:42:32:50 | ... == ... | Guards.cs:32:42:32:42 | access to parameter y | false |
| Guards.cs:36:32:36:32 | access to parameter x | Guards.cs:35:13:35:13 | access to parameter x | Guards.cs:35:13:35:13 | access to parameter x | non-null |
| Guards.cs:36:32:36:32 | access to parameter x | Guards.cs:35:13:35:21 | ... == ... | Guards.cs:35:13:35:13 | access to parameter x | false |
| Guards.cs:36:36:36:36 | access to parameter y | Guards.cs:35:26:35:26 | access to parameter y | Guards.cs:35:26:35:26 | access to parameter y | non-null |
| Guards.cs:36:36:36:36 | access to parameter y | Guards.cs:35:26:35:34 | ... == ... | Guards.cs:35:26:35:26 | access to parameter y | false |
| Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:15:38:15 | access to parameter x | Guards.cs:38:15:38:15 | access to parameter x | non-null |
| Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:15:38:23 | ... == ... | Guards.cs:38:15:38:15 | access to parameter x | false |
| Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:28:38:28 | access to parameter y | Guards.cs:38:28:38:28 | access to parameter y | non-null |
| Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:28:38:36 | ... == ... | Guards.cs:38:28:38:28 | access to parameter y | false |
| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:17:41:17 | access to parameter x | Guards.cs:41:17:41:17 | access to parameter x | non-null |
| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:17:41:25 | ... != ... | Guards.cs:41:17:41:17 | access to parameter x | true |
| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:30:41:30 | access to parameter y | Guards.cs:41:30:41:30 | access to parameter y | non-null |
| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:30:41:38 | ... != ... | Guards.cs:41:30:41:30 | access to parameter y | true |
| Guards.cs:48:31:48:40 | access to field Field | Guards.cs:47:13:47:17 | access to field Field | Guards.cs:47:13:47:17 | access to field Field | non-null |
| Guards.cs:48:31:48:40 | access to field Field | Guards.cs:47:13:47:25 | ... != ... | Guards.cs:47:13:47:17 | access to field Field | true |
| Guards.cs:55:27:55:27 | access to parameter g | Guards.cs:53:13:53:19 | access to field Field | Guards.cs:53:13:53:13 | access to parameter g | non-null |
| Guards.cs:55:27:55:27 | access to parameter g | Guards.cs:53:13:53:27 | ... == ... | Guards.cs:53:13:53:13 | access to parameter g | false |
| Guards.cs:55:27:55:33 | access to field Field | Guards.cs:53:13:53:19 | access to field Field | Guards.cs:53:13:53:19 | access to field Field | non-null |
| Guards.cs:55:27:55:33 | access to field Field | Guards.cs:53:13:53:27 | ... == ... | Guards.cs:53:13:53:19 | access to field Field | false |
| Guards.cs:62:27:62:27 | access to parameter g | Guards.cs:60:13:60:37 | access to field Field | Guards.cs:60:13:60:13 | access to parameter g | non-null |
| Guards.cs:62:27:62:27 | access to parameter g | Guards.cs:60:13:60:45 | ... == ... | Guards.cs:60:13:60:13 | access to parameter g | false |
| Guards.cs:62:27:62:36 | access to property Property | Guards.cs:60:13:60:37 | access to field Field | Guards.cs:60:13:60:22 | access to property Property | non-null |
| Guards.cs:62:27:62:36 | access to property Property | Guards.cs:60:13:60:45 | ... == ... | Guards.cs:60:13:60:22 | access to property Property | false |
| Guards.cs:62:27:62:45 | access to property Property | Guards.cs:60:13:60:37 | access to field Field | Guards.cs:60:13:60:31 | access to property Property | non-null |
| Guards.cs:62:27:62:45 | access to property Property | Guards.cs:60:13:60:45 | ... == ... | Guards.cs:60:13:60:31 | access to property Property | false |
| Guards.cs:62:27:62:51 | access to field Field | Guards.cs:60:13:60:37 | access to field Field | Guards.cs:60:13:60:37 | access to field Field | non-null |
| Guards.cs:62:27:62:51 | access to field Field | Guards.cs:60:13:60:45 | ... == ... | Guards.cs:60:13:60:37 | access to field Field | false |
| Guards.cs:63:27:63:27 | access to parameter g | Guards.cs:60:13:60:37 | access to field Field | Guards.cs:60:13:60:13 | access to parameter g | non-null |
| Guards.cs:63:27:63:27 | access to parameter g | Guards.cs:60:13:60:45 | ... == ... | Guards.cs:60:13:60:13 | access to parameter g | false |
| Guards.cs:63:27:63:36 | access to property Property | Guards.cs:60:13:60:37 | access to field Field | Guards.cs:60:13:60:22 | access to property Property | non-null |
| Guards.cs:63:27:63:36 | access to property Property | Guards.cs:60:13:60:45 | ... == ... | Guards.cs:60:13:60:22 | access to property Property | false |
| Guards.cs:70:31:70:31 | access to parameter s | Guards.cs:68:16:68:16 | access to parameter s | Guards.cs:68:16:68:16 | access to parameter s | non-null |
| Guards.cs:70:31:70:31 | access to parameter s | Guards.cs:68:16:68:24 | ... != ... | Guards.cs:68:16:68:16 | access to parameter s | true |
| Guards.cs:79:31:79:31 | access to parameter s | Guards.cs:78:13:78:13 | access to parameter s | Guards.cs:78:13:78:13 | access to parameter s | non-null |
| Guards.cs:79:31:79:31 | access to parameter s | Guards.cs:78:13:78:26 | ... == ... | Guards.cs:78:13:78:13 | access to parameter s | true |
| Guards.cs:79:31:79:31 | access to parameter s | Guards.cs:78:15:78:21 | access to property Length | Guards.cs:78:13:78:13 | access to parameter s | non-null |
| Guards.cs:81:31:81:31 | access to parameter s | Guards.cs:80:13:80:13 | access to parameter s | Guards.cs:80:13:80:13 | access to parameter s | non-null |
| Guards.cs:81:31:81:31 | access to parameter s | Guards.cs:80:13:80:25 | ... > ... | Guards.cs:80:13:80:13 | access to parameter s | true |
| Guards.cs:81:31:81:31 | access to parameter s | Guards.cs:80:15:80:21 | access to property Length | Guards.cs:80:13:80:13 | access to parameter s | non-null |
| Guards.cs:83:31:83:31 | access to parameter s | Guards.cs:82:13:82:13 | access to parameter s | Guards.cs:82:13:82:13 | access to parameter s | non-null |
| Guards.cs:83:31:83:31 | access to parameter s | Guards.cs:82:13:82:26 | ... >= ... | Guards.cs:82:13:82:13 | access to parameter s | true |
| Guards.cs:83:31:83:31 | access to parameter s | Guards.cs:82:15:82:21 | access to property Length | Guards.cs:82:13:82:13 | access to parameter s | non-null |
| Guards.cs:85:31:85:31 | access to parameter s | Guards.cs:84:13:84:13 | access to parameter s | Guards.cs:84:13:84:13 | access to parameter s | non-null |
| Guards.cs:85:31:85:31 | access to parameter s | Guards.cs:84:13:84:26 | ... < ... | Guards.cs:84:13:84:13 | access to parameter s | true |
| Guards.cs:85:31:85:31 | access to parameter s | Guards.cs:84:15:84:21 | access to property Length | Guards.cs:84:13:84:13 | access to parameter s | non-null |
| Guards.cs:87:31:87:31 | access to parameter s | Guards.cs:86:13:86:13 | access to parameter s | Guards.cs:86:13:86:13 | access to parameter s | non-null |
| Guards.cs:87:31:87:31 | access to parameter s | Guards.cs:86:13:86:27 | ... <= ... | Guards.cs:86:13:86:13 | access to parameter s | true |
| Guards.cs:87:31:87:31 | access to parameter s | Guards.cs:86:15:86:21 | access to property Length | Guards.cs:86:13:86:13 | access to parameter s | non-null |
| Guards.cs:89:31:89:31 | access to parameter s | Guards.cs:88:13:88:13 | access to parameter s | Guards.cs:88:13:88:13 | access to parameter s | non-null |
| Guards.cs:89:31:89:31 | access to parameter s | Guards.cs:88:13:88:29 | ... != ... | Guards.cs:88:13:88:13 | access to parameter s | true |
| Guards.cs:89:31:89:31 | access to parameter s | Guards.cs:88:15:88:21 | access to property Length | Guards.cs:88:13:88:13 | access to parameter s | non-null |
| Guards.cs:91:31:91:31 | access to parameter s | Guards.cs:88:13:88:13 | access to parameter s | Guards.cs:88:13:88:13 | access to parameter s | null |
| Guards.cs:91:31:91:31 | access to parameter s | Guards.cs:88:13:88:29 | ... != ... | Guards.cs:88:13:88:13 | access to parameter s | false |
| Guards.cs:91:31:91:31 | access to parameter s | Guards.cs:88:15:88:21 | access to property Length | Guards.cs:88:13:88:13 | access to parameter s | null |
| Guards.cs:93:31:93:31 | access to parameter s | Guards.cs:92:13:92:30 | ... != ... | Guards.cs:92:13:92:13 | access to parameter s | true |
| Guards.cs:95:31:95:31 | access to parameter s | Guards.cs:92:13:92:13 | access to parameter s | Guards.cs:92:13:92:13 | access to parameter s | non-null |
| Guards.cs:95:31:95:31 | access to parameter s | Guards.cs:92:13:92:25 | ... - ... | Guards.cs:92:13:92:13 | access to parameter s | non-null |
| Guards.cs:95:31:95:31 | access to parameter s | Guards.cs:92:13:92:30 | ... != ... | Guards.cs:92:13:92:13 | access to parameter s | false |
| Guards.cs:95:31:95:31 | access to parameter s | Guards.cs:92:15:92:21 | access to property Length | Guards.cs:92:13:92:13 | access to parameter s | non-null |
| Guards.cs:97:31:97:31 | access to parameter s | Guards.cs:96:13:96:13 | access to parameter s | Guards.cs:96:13:96:13 | access to parameter s | non-null |
| Guards.cs:97:31:97:31 | access to parameter s | Guards.cs:96:13:96:19 | ... == ... | Guards.cs:96:13:96:13 | access to parameter s | true |
| Guards.cs:99:31:99:31 | access to parameter s | Guards.cs:96:13:96:19 | ... == ... | Guards.cs:96:13:96:13 | access to parameter s | false |
| Guards.cs:106:9:106:9 | access to parameter g | Guards.cs:104:13:104:37 | access to field Field | Guards.cs:104:13:104:13 | access to parameter g | non-null |
| Guards.cs:106:9:106:9 | access to parameter g | Guards.cs:104:13:104:45 | ... == ... | Guards.cs:104:13:104:13 | access to parameter g | false |
| Guards.cs:107:27:107:27 | access to parameter g | Guards.cs:104:13:104:37 | access to field Field | Guards.cs:104:13:104:13 | access to parameter g | non-null |
| Guards.cs:107:27:107:27 | access to parameter g | Guards.cs:104:13:104:45 | ... == ... | Guards.cs:104:13:104:13 | access to parameter g | false |
| Guards.cs:108:27:108:27 | access to parameter g | Guards.cs:104:13:104:37 | access to field Field | Guards.cs:104:13:104:13 | access to parameter g | non-null |
| Guards.cs:108:27:108:27 | access to parameter g | Guards.cs:104:13:104:45 | ... == ... | Guards.cs:104:13:104:13 | access to parameter g | false |
| Guards.cs:114:14:114:14 | access to parameter g | Guards.cs:113:21:113:45 | access to field Field | Guards.cs:113:21:113:21 | access to parameter g | null |
| Guards.cs:114:14:114:23 | access to property Property | Guards.cs:113:21:113:45 | access to field Field | Guards.cs:113:21:113:30 | access to property Property | null |
| Guards.cs:114:14:114:32 | access to property Property | Guards.cs:113:21:113:45 | access to field Field | Guards.cs:113:21:113:39 | access to property Property | null |
| Guards.cs:114:14:114:38 | access to field Field | Guards.cs:113:21:113:45 | access to field Field | Guards.cs:113:21:113:45 | access to field Field | null |
| Guards.cs:116:27:116:27 | access to parameter g | Guards.cs:115:17:115:41 | access to field Field | Guards.cs:115:17:115:17 | access to parameter g | non-null |
| Guards.cs:116:27:116:36 | access to property Property | Guards.cs:115:17:115:41 | access to field Field | Guards.cs:115:17:115:26 | access to property Property | non-null |
| Guards.cs:116:27:116:45 | access to property Property | Guards.cs:115:17:115:41 | access to field Field | Guards.cs:115:17:115:35 | access to property Property | non-null |
| Guards.cs:116:27:116:51 | access to field Field | Guards.cs:115:17:115:41 | access to field Field | Guards.cs:115:17:115:41 | access to field Field | non-null |
| Guards.cs:117:9:117:9 | access to parameter g | Guards.cs:115:17:115:41 | access to field Field | Guards.cs:115:17:115:17 | access to parameter g | non-null |
| Guards.cs:118:27:118:27 | access to parameter g | Guards.cs:115:17:115:41 | access to field Field | Guards.cs:115:17:115:17 | access to parameter g | non-null |
| Guards.cs:119:27:119:27 | access to parameter g | Guards.cs:115:17:115:41 | access to field Field | Guards.cs:115:17:115:17 | access to parameter g | non-null |
| Guards.cs:125:29:125:30 | access to parameter s1 | Guards.cs:125:18:125:19 | access to parameter s1 | Guards.cs:125:18:125:19 | access to parameter s1 | non-null |
| Guards.cs:131:20:131:20 | access to parameter s | Guards.cs:130:13:130:13 | access to parameter s | Guards.cs:130:13:130:13 | access to parameter s | null |
| Guards.cs:131:20:131:20 | access to parameter s | Guards.cs:130:13:130:21 | ... is ... | Guards.cs:130:13:130:13 | access to parameter s | true |
| Guards.cs:132:16:132:16 | access to parameter s | Guards.cs:130:13:130:13 | access to parameter s | Guards.cs:130:13:130:13 | access to parameter s | non-null |
| Guards.cs:132:16:132:16 | access to parameter s | Guards.cs:130:13:130:21 | ... is ... | Guards.cs:130:13:130:13 | access to parameter s | false |
| Guards.cs:138:20:138:20 | access to parameter s | Guards.cs:137:13:137:13 | access to parameter s | Guards.cs:137:13:137:13 | access to parameter s | non-null |
| Guards.cs:138:20:138:20 | access to parameter s | Guards.cs:137:13:137:23 | ... is ... | Guards.cs:137:13:137:13 | access to parameter s | true |
| Guards.cs:139:16:139:16 | access to parameter s | Guards.cs:137:13:137:13 | access to parameter s | Guards.cs:137:13:137:13 | access to parameter s | null |
| Guards.cs:139:16:139:16 | access to parameter s | Guards.cs:137:13:137:23 | ... is ... | Guards.cs:137:13:137:13 | access to parameter s | false |
| Guards.cs:146:16:146:16 | access to parameter o | Guards.cs:144:13:144:25 | ... is ... | Guards.cs:144:13:144:13 | access to parameter o | false |
| Guards.cs:154:24:154:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | match case Action<Object>: |
| Guards.cs:154:24:154:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-null |
| Guards.cs:158:24:158:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | match case ...: |
| Guards.cs:158:24:158:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match case Action<Object>: |
| Guards.cs:158:24:158:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match case Action<String> a: |
| Guards.cs:158:24:158:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-null |
| Guards.cs:160:24:160:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | match case ...: |
| Guards.cs:160:24:160:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match case ...: |
| Guards.cs:160:24:160:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match case Action<Object>: |
| Guards.cs:160:24:160:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match case Action<String> a: |
| Guards.cs:160:24:160:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | null |
| Guards.cs:162:24:162:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match case ...: |
| Guards.cs:162:24:162:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match case ...: |
| Guards.cs:162:24:162:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match case Action<Object>: |
| Guards.cs:162:24:162:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match case Action<String> a: |
| Guards.cs:162:24:162:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-null |
| Guards.cs:169:31:169:31 | access to parameter x | Guards.cs:168:14:168:41 | call to method IsNullOrWhiteSpace | Guards.cs:168:40:168:40 | access to parameter x | false |
| Guards.cs:169:31:169:31 | access to parameter x | Guards.cs:168:40:168:40 | access to parameter x | Guards.cs:168:40:168:40 | access to parameter x | non-null |
| Guards.cs:190:31:190:31 | access to parameter s | Guards.cs:189:14:189:25 | call to method NullTest1 | Guards.cs:189:24:189:24 | access to parameter s | false |
| Guards.cs:190:31:190:31 | access to parameter s | Guards.cs:189:24:189:24 | access to parameter s | Guards.cs:189:24:189:24 | access to parameter s | non-null |
| Guards.cs:192:31:192:31 | access to parameter s | Guards.cs:191:14:191:25 | call to method NullTest2 | Guards.cs:191:24:191:24 | access to parameter s | false |
| Guards.cs:192:31:192:31 | access to parameter s | Guards.cs:191:24:191:24 | access to parameter s | Guards.cs:191:24:191:24 | access to parameter s | non-null |
| Guards.cs:194:31:194:31 | access to parameter s | Guards.cs:193:14:193:25 | call to method NullTest3 | Guards.cs:193:24:193:24 | access to parameter s | false |
| Guards.cs:194:31:194:31 | access to parameter s | Guards.cs:193:24:193:24 | access to parameter s | Guards.cs:193:24:193:24 | access to parameter s | non-null |
| Guards.cs:196:31:196:31 | access to parameter s | Guards.cs:195:13:195:27 | call to method NotNullTest4 | Guards.cs:195:26:195:26 | access to parameter s | true |
| Guards.cs:196:31:196:31 | access to parameter s | Guards.cs:195:26:195:26 | access to parameter s | Guards.cs:195:26:195:26 | access to parameter s | non-null |
| Guards.cs:198:31:198:31 | access to parameter s | Guards.cs:197:14:197:29 | call to method NullTestWrong | Guards.cs:197:28:197:28 | access to parameter s | false |
| Guards.cs:205:13:205:13 | access to parameter o | Guards.cs:203:13:203:13 | access to parameter o | Guards.cs:203:13:203:13 | access to parameter o | non-null |
| Guards.cs:205:13:205:13 | access to parameter o | Guards.cs:203:13:203:21 | ... != ... | Guards.cs:203:13:203:13 | access to parameter o | true |
| Guards.cs:208:17:208:17 | access to parameter o | Guards.cs:203:13:203:13 | access to parameter o | Guards.cs:203:13:203:13 | access to parameter o | non-null |
| Guards.cs:208:17:208:17 | access to parameter o | Guards.cs:203:13:203:21 | ... != ... | Guards.cs:203:13:203:13 | access to parameter o | true |
| Splitting.cs:13:17:13:17 | [b (line 9): true] access to parameter o | Splitting.cs:12:17:12:17 | access to parameter o | Splitting.cs:12:17:12:17 | access to parameter o | non-null |
| Splitting.cs:13:17:13:17 | [b (line 9): true] access to parameter o | Splitting.cs:12:17:12:25 | ... != ... | Splitting.cs:12:17:12:17 | access to parameter o | true |
| Splitting.cs:14:13:14:13 | [b (line 9): false] access to parameter b | Splitting.cs:11:13:11:13 | access to parameter b | Splitting.cs:11:13:11:13 | access to parameter b | false |
| Splitting.cs:14:13:14:13 | [b (line 9): true] access to parameter b | Splitting.cs:11:13:11:13 | access to parameter b | Splitting.cs:11:13:11:13 | access to parameter b | true |
| Splitting.cs:23:24:23:24 | access to parameter o | Splitting.cs:22:17:22:17 | access to parameter o | Splitting.cs:22:17:22:17 | access to parameter o | non-null |
| Splitting.cs:23:24:23:24 | access to parameter o | Splitting.cs:22:17:22:25 | ... != ... | Splitting.cs:22:17:22:17 | access to parameter o | true |
| Splitting.cs:24:13:24:13 | [b (line 19): false] access to parameter b | Splitting.cs:21:13:21:13 | access to parameter b | Splitting.cs:21:13:21:13 | access to parameter b | false |
| Splitting.cs:24:13:24:13 | [b (line 19): true] access to parameter b | Splitting.cs:21:13:21:13 | access to parameter b | Splitting.cs:21:13:21:13 | access to parameter b | true |
| Splitting.cs:25:13:25:13 | access to parameter o | Splitting.cs:22:17:22:17 | access to parameter o | Splitting.cs:22:17:22:17 | access to parameter o | null |
| Splitting.cs:25:13:25:13 | access to parameter o | Splitting.cs:22:17:22:25 | ... != ... | Splitting.cs:22:17:22:17 | access to parameter o | false |
| Splitting.cs:34:13:34:13 | [b (line 29): false] access to parameter b | Splitting.cs:31:13:31:13 | access to parameter b | Splitting.cs:31:13:31:13 | access to parameter b | false |
| Splitting.cs:34:13:34:13 | [b (line 29): true] access to parameter b | Splitting.cs:31:13:31:13 | access to parameter b | Splitting.cs:31:13:31:13 | access to parameter b | true |
| Splitting.cs:35:13:35:13 | access to parameter o | Splitting.cs:32:17:32:17 | access to parameter o | Splitting.cs:32:17:32:17 | access to parameter o | non-null |
| Splitting.cs:35:13:35:13 | access to parameter o | Splitting.cs:32:17:32:25 | ... == ... | Splitting.cs:32:17:32:17 | access to parameter o | false |
| Splitting.cs:44:17:44:17 | [b (line 39): true] access to parameter o | Splitting.cs:41:13:41:13 | access to parameter o | Splitting.cs:41:13:41:13 | access to parameter o | non-null |
| Splitting.cs:44:17:44:17 | [b (line 39): true] access to parameter o | Splitting.cs:41:13:41:21 | ... != ... | Splitting.cs:41:13:41:13 | access to parameter o | true |
| Splitting.cs:45:17:45:17 | [b (line 39): false] access to parameter b | Splitting.cs:43:17:43:17 | access to parameter b | Splitting.cs:43:17:43:17 | access to parameter b | false |
| Splitting.cs:45:17:45:17 | [b (line 39): true] access to parameter b | Splitting.cs:43:17:43:17 | access to parameter b | Splitting.cs:43:17:43:17 | access to parameter b | true |
| Splitting.cs:46:17:46:17 | access to parameter o | Splitting.cs:41:13:41:13 | access to parameter o | Splitting.cs:41:13:41:13 | access to parameter o | non-null |
| Splitting.cs:46:17:46:17 | access to parameter o | Splitting.cs:41:13:41:21 | ... != ... | Splitting.cs:41:13:41:13 | access to parameter o | true |
| Splitting.cs:55:13:55:13 | [b (line 50): false] access to parameter o | Splitting.cs:54:13:54:13 | access to parameter o | Splitting.cs:54:13:54:13 | access to parameter o | non-null |
| Splitting.cs:55:13:55:13 | [b (line 50): false] access to parameter o | Splitting.cs:54:13:54:21 | ... != ... | Splitting.cs:54:13:54:13 | access to parameter o | true |
| Splitting.cs:55:13:55:13 | [b (line 50): true] access to parameter o | Splitting.cs:54:13:54:13 | access to parameter o | Splitting.cs:54:13:54:13 | access to parameter o | non-null |
| Splitting.cs:55:13:55:13 | [b (line 50): true] access to parameter o | Splitting.cs:54:13:54:21 | ... != ... | Splitting.cs:54:13:54:13 | access to parameter o | true |
| Splitting.cs:56:13:56:13 | [b (line 50): false] access to parameter b | Splitting.cs:52:13:52:13 | access to parameter b | Splitting.cs:52:13:52:13 | access to parameter b | false |
| Splitting.cs:56:13:56:13 | [b (line 50): true] access to parameter b | Splitting.cs:52:13:52:13 | access to parameter b | Splitting.cs:52:13:52:13 | access to parameter b | true |
| Splitting.cs:66:20:66:20 | access to parameter o | Splitting.cs:65:13:65:13 | access to parameter o | Splitting.cs:65:13:65:13 | access to parameter o | non-null |
| Splitting.cs:66:20:66:20 | access to parameter o | Splitting.cs:65:13:65:21 | ... != ... | Splitting.cs:65:13:65:13 | access to parameter o | true |
| Splitting.cs:67:13:67:13 | [b (line 61): false] access to parameter b | Splitting.cs:63:13:63:13 | access to parameter b | Splitting.cs:63:13:63:13 | access to parameter b | false |
| Splitting.cs:67:13:67:13 | [b (line 61): true] access to parameter b | Splitting.cs:63:13:63:13 | access to parameter b | Splitting.cs:63:13:63:13 | access to parameter b | true |
| Splitting.cs:68:13:68:13 | access to parameter o | Splitting.cs:65:13:65:13 | access to parameter o | Splitting.cs:65:13:65:13 | access to parameter o | null |
| Splitting.cs:68:13:68:13 | access to parameter o | Splitting.cs:65:13:65:21 | ... != ... | Splitting.cs:65:13:65:13 | access to parameter o | false |
| Splitting.cs:69:16:69:16 | access to parameter o | Splitting.cs:65:13:65:13 | access to parameter o | Splitting.cs:65:13:65:13 | access to parameter o | null |
| Splitting.cs:69:16:69:16 | access to parameter o | Splitting.cs:65:13:65:21 | ... != ... | Splitting.cs:65:13:65:13 | access to parameter o | false |
| Splitting.cs:78:24:78:24 | access to parameter o | Splitting.cs:76:13:76:13 | access to parameter o | Splitting.cs:76:13:76:13 | access to parameter o | non-null |
| Splitting.cs:78:24:78:24 | access to parameter o | Splitting.cs:76:13:76:21 | ... != ... | Splitting.cs:76:13:76:13 | access to parameter o | true |
| Splitting.cs:79:13:79:13 | [b (line 72): false] access to parameter b | Splitting.cs:74:13:74:13 | access to parameter b | Splitting.cs:74:13:74:13 | access to parameter b | false |
| Splitting.cs:79:13:79:13 | [b (line 72): true] access to parameter b | Splitting.cs:74:13:74:13 | access to parameter b | Splitting.cs:74:13:74:13 | access to parameter b | true |
| Splitting.cs:88:9:88:9 | [b (line 84): true] access to parameter o | Splitting.cs:87:26:87:26 | access to parameter o | Splitting.cs:87:26:87:26 | access to parameter o | non-null |
| Splitting.cs:88:9:88:9 | [b (line 84): true] access to parameter o | Splitting.cs:87:26:87:34 | ... != ... | Splitting.cs:87:26:87:26 | access to parameter o | true |
| Splitting.cs:89:13:89:13 | [b (line 84): false] access to parameter b | Splitting.cs:86:13:86:13 | access to parameter b | Splitting.cs:86:13:86:13 | access to parameter b | false |
| Splitting.cs:89:13:89:13 | [b (line 84): true] access to parameter b | Splitting.cs:86:13:86:13 | access to parameter b | Splitting.cs:86:13:86:13 | access to parameter b | true |
| Splitting.cs:90:13:90:13 | access to parameter o | Splitting.cs:87:26:87:26 | access to parameter o | Splitting.cs:87:26:87:26 | access to parameter o | non-null |
| Splitting.cs:90:13:90:13 | access to parameter o | Splitting.cs:87:26:87:34 | ... != ... | Splitting.cs:87:26:87:26 | access to parameter o | true |
| Splitting.cs:98:13:98:13 | [b (line 94): false] access to parameter b | Splitting.cs:96:13:96:13 | access to parameter b | Splitting.cs:96:13:96:13 | access to parameter b | false |
| Splitting.cs:98:13:98:13 | [b (line 94): true] access to parameter b | Splitting.cs:96:13:96:13 | access to parameter b | Splitting.cs:96:13:96:13 | access to parameter b | true |
| Splitting.cs:99:13:99:13 | access to parameter o | Splitting.cs:97:26:97:26 | access to parameter o | Splitting.cs:97:26:97:26 | access to parameter o | null |
| Splitting.cs:99:13:99:13 | access to parameter o | Splitting.cs:97:26:97:34 | ... == ... | Splitting.cs:97:26:97:26 | access to parameter o | true |
| Splitting.cs:107:13:107:13 | [b (line 103): true] access to parameter o | Splitting.cs:105:22:105:22 | access to parameter o | Splitting.cs:105:22:105:22 | access to parameter o | non-null |
| Splitting.cs:107:13:107:13 | [b (line 103): true] access to parameter o | Splitting.cs:105:22:105:30 | ... != ... | Splitting.cs:105:22:105:22 | access to parameter o | true |
| Splitting.cs:108:13:108:13 | [b (line 103): false] access to parameter b | Splitting.cs:106:13:106:13 | access to parameter b | Splitting.cs:106:13:106:13 | access to parameter b | false |
| Splitting.cs:108:13:108:13 | [b (line 103): true] access to parameter b | Splitting.cs:106:13:106:13 | access to parameter b | Splitting.cs:106:13:106:13 | access to parameter b | true |
| Splitting.cs:109:13:109:13 | access to parameter o | Splitting.cs:105:22:105:22 | access to parameter o | Splitting.cs:105:22:105:22 | access to parameter o | non-null |
| Splitting.cs:109:13:109:13 | access to parameter o | Splitting.cs:105:22:105:30 | ... != ... | Splitting.cs:105:22:105:22 | access to parameter o | true |
| Splitting.cs:117:9:117:9 | [b (line 112): false] access to parameter o | Splitting.cs:116:22:116:22 | access to parameter o | Splitting.cs:116:22:116:22 | access to parameter o | non-null |
| Splitting.cs:117:9:117:9 | [b (line 112): false] access to parameter o | Splitting.cs:116:22:116:30 | ... != ... | Splitting.cs:116:22:116:22 | access to parameter o | true |
| Splitting.cs:117:9:117:9 | [b (line 112): true] access to parameter o | Splitting.cs:116:22:116:22 | access to parameter o | Splitting.cs:116:22:116:22 | access to parameter o | non-null |
| Splitting.cs:117:9:117:9 | [b (line 112): true] access to parameter o | Splitting.cs:116:22:116:30 | ... != ... | Splitting.cs:116:22:116:22 | access to parameter o | true |
| Splitting.cs:118:13:118:13 | [b (line 112): false] access to parameter b | Splitting.cs:114:13:114:13 | access to parameter b | Splitting.cs:114:13:114:13 | access to parameter b | false |
| Splitting.cs:118:13:118:13 | [b (line 112): true] access to parameter b | Splitting.cs:114:13:114:13 | access to parameter b | Splitting.cs:114:13:114:13 | access to parameter b | true |
| Splitting.cs:119:13:119:13 | access to parameter o | Splitting.cs:116:22:116:22 | access to parameter o | Splitting.cs:116:22:116:22 | access to parameter o | non-null |
| Splitting.cs:119:13:119:13 | access to parameter o | Splitting.cs:116:22:116:30 | ... != ... | Splitting.cs:116:22:116:22 | access to parameter o | true |
| Splitting.cs:120:16:120:16 | access to parameter o | Splitting.cs:116:22:116:22 | access to parameter o | Splitting.cs:116:22:116:22 | access to parameter o | non-null |
| Splitting.cs:120:16:120:16 | access to parameter o | Splitting.cs:116:22:116:30 | ... != ... | Splitting.cs:116:22:116:22 | access to parameter o | true |
| Splitting.cs:130:21:130:21 | [b (line 123): false] access to parameter b | Splitting.cs:130:21:130:21 | access to parameter b | Splitting.cs:130:21:130:21 | access to parameter b | false |
| Splitting.cs:132:25:132:25 | [b (line 123): false] access to parameter b | Splitting.cs:130:21:130:21 | access to parameter b | Splitting.cs:130:21:130:21 | access to parameter b | false |

5
csharp/ql/test/library-tests/controlflow/guards/GuardedControlFlowNode.ql Normal file
View File

@@ -0,0 +1,5 @@
import csharp
import semmle.code.csharp.controlflow.Guards
from GuardedControlFlowNode gcfn, Expr sub, AbstractValue v
select gcfn, gcfn.getAGuard(sub, v), sub, v

6
csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected
View File

@@ -185,14 +185,8 @@
| CSharp7.cs:284:41:284:48 | access to property Key | CSharp7.cs:284:40:284:61 | (..., ...) |
| CSharp7.cs:284:51:284:54 | access to parameter item | CSharp7.cs:284:51:284:60 | access to property Value |
| CSharp7.cs:284:51:284:60 | access to property Value | CSharp7.cs:284:40:284:61 | (..., ...) |
| CSharp7.cs:286:23:286:23 | Int32 a | CSharp7.cs:286:18:286:34 | (..., ...) |
| CSharp7.cs:286:33:286:33 | String b | CSharp7.cs:286:18:286:34 | (..., ...) |
| CSharp7.cs:286:39:286:42 | access to local variable list | CSharp7.cs:288:36:288:39 | access to local variable list |
| CSharp7.cs:288:23:288:23 | Int32 a | CSharp7.cs:288:18:288:31 | (..., ...) |
| CSharp7.cs:288:30:288:30 | String b | CSharp7.cs:288:18:288:31 | (..., ...) |
| CSharp7.cs:288:36:288:39 | access to local variable list | CSharp7.cs:290:32:290:35 | access to local variable list |
| CSharp7.cs:290:23:290:23 | Int32 a | CSharp7.cs:290:18:290:27 | (..., ...) |
| CSharp7.cs:290:26:290:26 | String b | CSharp7.cs:290:18:290:27 | (..., ...) |
| CSharp7.cs:298:17:298:19 | SSA def(x) | CSharp7.cs:298:22:298:39 | SSA phi(x) |
| CSharp7.cs:298:19:298:19 | 0 | CSharp7.cs:298:17:298:19 | SSA def(x) |
| CSharp7.cs:298:22:298:22 | access to local variable x | CSharp7.cs:298:22:298:25 | ... < ... |

6
csharp/ql/test/library-tests/csharp7/TupleAccess.expected
View File

@@ -40,6 +40,6 @@
| CSharp7.cs:224:9:224:18 | (..., ...) | write |
| CSharp7.cs:225:9:225:18 | (..., ...) | write |
| CSharp7.cs:284:40:284:61 | (..., ...) | read |
| CSharp7.cs:286:18:286:34 | (..., ...) | read |
| CSharp7.cs:288:18:288:31 | (..., ...) | read |
| CSharp7.cs:290:18:290:27 | (..., ...) | read |
| CSharp7.cs:286:18:286:34 | (..., ...) | write |
| CSharp7.cs:288:18:288:31 | (..., ...) | write |
| CSharp7.cs:290:18:290:27 | (..., ...) | write |

5
csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll
View File

@@ -9,8 +9,9 @@ class Configuration extends DataFlow::Configuration {
override predicate isSink(DataFlow::Node sink) { any() }
override predicate isBarrier(DataFlow::Node node) {
exists(EQExpr eq, Expr e |
node.asExpr().(GuardedExpr).isGuardedBy(eq, e, true) and
exists(EQExpr eq, Expr e, AbstractValues::BooleanValue v |
eq = node.(GuardedDataFlowNode).getAGuard(e, v) |
v.getValue() = true and
eq.getAnOperand() = e and
eq.getAnOperand() instanceof NullLiteral
)

77
csharp/ql/test/library-tests/dataflow/global/DataFlow.expected
View File

@@ -1,37 +1,40 @@
| access to field SinkField0 |
| access to local variable sink0 |
| access to local variable sink1 |
| access to local variable sink10 |
| access to local variable sink11 |
| access to local variable sink19 |
| access to local variable sink2 |
| access to local variable sink20 |
| access to local variable sink23 |
| access to local variable sink27 |
| access to local variable sink28 |
| access to local variable sink29 |
| access to local variable sink3 |
| access to local variable sink30 |
| access to local variable sink31 |
| access to local variable sink32 |
| access to local variable sink33 |
| access to local variable sink34 |
| access to local variable sink35 |
| access to local variable sink36 |
| access to local variable sink37 |
| access to local variable sink38 |
| access to local variable sink4 |
| access to local variable sink5 |
| access to local variable sink6 |
| access to local variable sink7 |
| access to local variable sink8 |
| access to local variable sink9 |
| access to parameter sinkParam0 |
| access to parameter sinkParam1 |
| access to parameter sinkParam2 |
| access to parameter sinkParam3 |
| access to parameter sinkParam4 |
| access to parameter sinkParam5 |
| access to parameter sinkParam6 |
| access to parameter sinkParam7 |
| access to property SinkProperty0 |
| Capture.cs:12:19:12:24 | access to local variable sink27 |
| Capture.cs:21:23:21:28 | access to local variable sink28 |
| Capture.cs:30:19:30:24 | access to local variable sink29 |
| Capture.cs:60:15:60:20 | access to local variable sink30 |
| Capture.cs:72:15:72:20 | access to local variable sink31 |
| Capture.cs:81:15:81:20 | access to local variable sink32 |
| Capture.cs:109:15:109:20 | access to local variable sink33 |
| Capture.cs:121:15:121:20 | access to local variable sink34 |
| Capture.cs:130:15:130:20 | access to local variable sink35 |
| Capture.cs:137:15:137:20 | access to local variable sink36 |
| Capture.cs:145:15:145:20 | access to local variable sink37 |
| Capture.cs:171:15:171:20 | access to local variable sink38 |
| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 |
| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 |
| GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 |
| GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
| GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 |
| GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 |
| GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 |
| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 |
| GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 |
| GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 |
| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
| GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 |
| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 |
| GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 |
| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |

8
csharp/ql/test/library-tests/dataflow/global/DataFlow.ql
View File

@@ -1,8 +1,6 @@
import csharp
import Common
from Config c, DataFlow::Node source, DataFlow::Node sink, string s
where
c.hasFlow(source, sink) and
s = sink.toString()
select s order by s
from Config c, DataFlow::Node source, DataFlow::Node sink
where c.hasFlow(source, sink)
select sink

107
csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
View File

@@ -172,6 +172,18 @@ edges
| GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:399:9:399:11 | value | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
nodes
| Capture.cs:7:20:7:26 | tainted |
| Capture.cs:9:9:13:9 | SSA capture def(tainted) |
@@ -302,42 +314,61 @@ nodes
| GlobalDataFlow.cs:399:9:399:11 | value |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" |
| Splitting.cs:3:28:3:34 | tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |
#select
| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | access to field SinkField0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 |
| GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | access to local variable sink0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 |
| GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 | access to local variable sink1 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
| GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 | access to local variable sink10 | GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 | access to local variable sink11 | GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 | access to local variable sink19 | GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 |
| GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 | access to local variable sink2 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | access to local variable sink20 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 | access to local variable sink23 | GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| Capture.cs:12:19:12:24 | access to local variable sink27 | access to local variable sink27 | Capture.cs:7:20:7:26 | tainted | Capture.cs:12:19:12:24 | access to local variable sink27 |
| Capture.cs:21:23:21:28 | access to local variable sink28 | access to local variable sink28 | Capture.cs:7:20:7:26 | tainted | Capture.cs:21:23:21:28 | access to local variable sink28 |
| Capture.cs:30:19:30:24 | access to local variable sink29 | access to local variable sink29 | Capture.cs:7:20:7:26 | tainted | Capture.cs:30:19:30:24 | access to local variable sink29 |
| GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 | access to local variable sink3 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 |
| Capture.cs:60:15:60:20 | access to local variable sink30 | access to local variable sink30 | Capture.cs:57:22:57:35 | "taint source" | Capture.cs:60:15:60:20 | access to local variable sink30 |
| Capture.cs:72:15:72:20 | access to local variable sink31 | access to local variable sink31 | Capture.cs:67:26:67:39 | "taint source" | Capture.cs:72:15:72:20 | access to local variable sink31 |
| Capture.cs:81:15:81:20 | access to local variable sink32 | access to local variable sink32 | Capture.cs:77:22:77:35 | "taint source" | Capture.cs:81:15:81:20 | access to local variable sink32 |
| Capture.cs:109:15:109:20 | access to local variable sink33 | access to local variable sink33 | Capture.cs:101:25:101:31 | tainted | Capture.cs:109:15:109:20 | access to local variable sink33 |
| Capture.cs:121:15:121:20 | access to local variable sink34 | access to local variable sink34 | Capture.cs:101:25:101:31 | tainted | Capture.cs:121:15:121:20 | access to local variable sink34 |
| Capture.cs:130:15:130:20 | access to local variable sink35 | access to local variable sink35 | Capture.cs:101:25:101:31 | tainted | Capture.cs:130:15:130:20 | access to local variable sink35 |
| Capture.cs:137:15:137:20 | access to local variable sink36 | access to local variable sink36 | Capture.cs:101:25:101:31 | tainted | Capture.cs:137:15:137:20 | access to local variable sink36 |
| Capture.cs:145:15:145:20 | access to local variable sink37 | access to local variable sink37 | Capture.cs:101:25:101:31 | tainted | Capture.cs:145:15:145:20 | access to local variable sink37 |
| Capture.cs:171:15:171:20 | access to local variable sink38 | access to local variable sink38 | Capture.cs:101:25:101:31 | tainted | Capture.cs:171:15:171:20 | access to local variable sink38 |
| GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 | access to local variable sink4 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 |
| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 | access to local variable sink5 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 |
| GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 | access to local variable sink6 | GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 |
| GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 | access to local variable sink7 | GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 |
| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 | access to local variable sink8 | GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 | access to local variable sink9 | GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | access to parameter sinkParam1 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 | access to parameter sinkParam2 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 |
| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 | access to parameter sinkParam3 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 |
| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 | access to parameter sinkParam4 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 |
| GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 | access to parameter sinkParam5 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 |
| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 | access to parameter sinkParam6 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 | access to parameter sinkParam7 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 | access to property SinkProperty0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | access to field SinkField0 |
| GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | access to local variable sink0 |
| GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 | access to local variable sink1 |
| GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 | GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 | access to local variable sink10 |
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 | GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 | access to local variable sink11 |
| GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 | GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 | access to local variable sink19 |
| GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 | access to local variable sink2 |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | access to local variable sink20 |
| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 | GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 | access to local variable sink23 |
| Capture.cs:12:19:12:24 | access to local variable sink27 | Capture.cs:7:20:7:26 | tainted | Capture.cs:12:19:12:24 | access to local variable sink27 | access to local variable sink27 |
| Capture.cs:21:23:21:28 | access to local variable sink28 | Capture.cs:7:20:7:26 | tainted | Capture.cs:21:23:21:28 | access to local variable sink28 | access to local variable sink28 |
| Capture.cs:30:19:30:24 | access to local variable sink29 | Capture.cs:7:20:7:26 | tainted | Capture.cs:30:19:30:24 | access to local variable sink29 | access to local variable sink29 |
| GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 | access to local variable sink3 |
| Capture.cs:60:15:60:20 | access to local variable sink30 | Capture.cs:57:22:57:35 | "taint source" | Capture.cs:60:15:60:20 | access to local variable sink30 | access to local variable sink30 |
| Capture.cs:72:15:72:20 | access to local variable sink31 | Capture.cs:67:26:67:39 | "taint source" | Capture.cs:72:15:72:20 | access to local variable sink31 | access to local variable sink31 |
| Capture.cs:81:15:81:20 | access to local variable sink32 | Capture.cs:77:22:77:35 | "taint source" | Capture.cs:81:15:81:20 | access to local variable sink32 | access to local variable sink32 |
| Capture.cs:109:15:109:20 | access to local variable sink33 | Capture.cs:101:25:101:31 | tainted | Capture.cs:109:15:109:20 | access to local variable sink33 | access to local variable sink33 |
| Capture.cs:121:15:121:20 | access to local variable sink34 | Capture.cs:101:25:101:31 | tainted | Capture.cs:121:15:121:20 | access to local variable sink34 | access to local variable sink34 |
| Capture.cs:130:15:130:20 | access to local variable sink35 | Capture.cs:101:25:101:31 | tainted | Capture.cs:130:15:130:20 | access to local variable sink35 | access to local variable sink35 |
| Capture.cs:137:15:137:20 | access to local variable sink36 | Capture.cs:101:25:101:31 | tainted | Capture.cs:137:15:137:20 | access to local variable sink36 | access to local variable sink36 |
| Capture.cs:145:15:145:20 | access to local variable sink37 | Capture.cs:101:25:101:31 | tainted | Capture.cs:145:15:145:20 | access to local variable sink37 | access to local variable sink37 |
| Capture.cs:171:15:171:20 | access to local variable sink38 | Capture.cs:101:25:101:31 | tainted | Capture.cs:171:15:171:20 | access to local variable sink38 | access to local variable sink38 |
| GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 | access to local variable sink4 |
| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 | access to local variable sink5 |
| GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 | GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 | access to local variable sink6 |
| GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 | GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 | access to local variable sink7 |
| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 | GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 | access to local variable sink8 |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 | GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 | access to local variable sink9 |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 | access to parameter sinkParam2 |
| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 | access to parameter sinkParam3 |
| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 | access to parameter sinkParam4 |
| GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 | access to parameter sinkParam5 |
| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 | access to property SinkProperty0 |

2
csharp/ql/test/library-tests/dataflow/global/DataFlowPath.ql
View File

@@ -10,4 +10,4 @@ from Config c, DataFlow::PathNode source, DataFlow::PathNode sink, string s
where
c.hasFlowPath(source, sink) and
s = sink.toString()
select sink, s, source, sink order by s
select sink, source, sink, s order by s

17
csharp/ql/test/library-tests/dataflow/global/Splitting.cs Normal file
View File

@@ -0,0 +1,17 @@
class Splitting
{
void M1(bool b, string tainted)
{
if (b)
if (tainted == null)
return;
var x = Return(tainted);
Check(x);
if (b)
Check(x);
}
static void Check<T>(T x) { }
static T Return<T>(T x) => x;
}

109
csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected
View File

@@ -1,53 +1,56 @@
| access to field SinkField0 |
| access to local variable sink0 |
| access to local variable sink1 |
| access to local variable sink10 |
| access to local variable sink11 |
| access to local variable sink12 |
| access to local variable sink13 |
| access to local variable sink14 |
| access to local variable sink15 |
| access to local variable sink16 |
| access to local variable sink17 |
| access to local variable sink18 |
| access to local variable sink19 |
| access to local variable sink2 |
| access to local variable sink20 |
| access to local variable sink21 |
| access to local variable sink22 |
| access to local variable sink23 |
| access to local variable sink24 |
| access to local variable sink25 |
| access to local variable sink26 |
| access to local variable sink27 |
| access to local variable sink28 |
| access to local variable sink29 |
| access to local variable sink3 |
| access to local variable sink30 |
| access to local variable sink31 |
| access to local variable sink32 |
| access to local variable sink33 |
| access to local variable sink34 |
| access to local variable sink35 |
| access to local variable sink36 |
| access to local variable sink37 |
| access to local variable sink38 |
| access to local variable sink4 |
| access to local variable sink5 |
| access to local variable sink6 |
| access to local variable sink7 |
| access to local variable sink8 |
| access to local variable sink9 |
| access to parameter sinkParam0 |
| access to parameter sinkParam1 |
| access to parameter sinkParam10 |
| access to parameter sinkParam11 |
| access to parameter sinkParam2 |
| access to parameter sinkParam3 |
| access to parameter sinkParam4 |
| access to parameter sinkParam5 |
| access to parameter sinkParam6 |
| access to parameter sinkParam7 |
| access to parameter sinkParam8 |
| access to parameter sinkParam9 |
| access to property SinkProperty0 |
| Capture.cs:12:19:12:24 | access to local variable sink27 |
| Capture.cs:21:23:21:28 | access to local variable sink28 |
| Capture.cs:30:19:30:24 | access to local variable sink29 |
| Capture.cs:60:15:60:20 | access to local variable sink30 |
| Capture.cs:72:15:72:20 | access to local variable sink31 |
| Capture.cs:81:15:81:20 | access to local variable sink32 |
| Capture.cs:109:15:109:20 | access to local variable sink33 |
| Capture.cs:121:15:121:20 | access to local variable sink34 |
| Capture.cs:130:15:130:20 | access to local variable sink35 |
| Capture.cs:137:15:137:20 | access to local variable sink36 |
| Capture.cs:145:15:145:20 | access to local variable sink37 |
| Capture.cs:171:15:171:20 | access to local variable sink38 |
| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 |
| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 |
| GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 |
| GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
| GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 |
| GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 |
| GlobalDataFlow.cs:81:15:81:20 | access to local variable sink13 |
| GlobalDataFlow.cs:83:15:83:20 | access to local variable sink14 |
| GlobalDataFlow.cs:85:15:85:20 | access to local variable sink15 |
| GlobalDataFlow.cs:87:15:87:20 | access to local variable sink16 |
| GlobalDataFlow.cs:89:15:89:20 | access to local variable sink17 |
| GlobalDataFlow.cs:91:15:91:20 | access to local variable sink18 |
| GlobalDataFlow.cs:94:15:94:20 | access to local variable sink21 |
| GlobalDataFlow.cs:97:15:97:20 | access to local variable sink22 |
| GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 |
| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 |
| GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 |
| GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 |
| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:158:15:158:20 | access to local variable sink12 |
| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
| GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 |
| GlobalDataFlow.cs:204:58:204:68 | access to parameter sinkParam10 |
| GlobalDataFlow.cs:207:15:207:20 | access to local variable sink24 |
| GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 |
| GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 |
| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 |
| GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 |
| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:289:15:289:24 | access to parameter sinkParam8 |
| GlobalDataFlow.cs:295:15:295:24 | access to parameter sinkParam9 |
| GlobalDataFlow.cs:301:15:301:25 | access to parameter sinkParam11 |
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |

8
csharp/ql/test/library-tests/dataflow/global/TaintTracking.ql
View File

@@ -11,8 +11,6 @@ class TTConfig extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) { c.isSink(sink) }
}
from TTConfig c, DataFlow::Node source, DataFlow::Node sink, string s
where
c.hasFlow(source, sink) and
s = sink.toString()
select s order by s
from TTConfig c, DataFlow::Node source, DataFlow::Node sink
where c.hasFlow(source, sink)
select sink

139
csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
View File

@@ -215,6 +215,18 @@ edges
| GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:399:9:399:11 | value | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
nodes
| Capture.cs:7:20:7:26 | tainted |
| Capture.cs:9:9:13:9 | SSA capture def(tainted) |
@@ -390,58 +402,77 @@ nodes
| GlobalDataFlow.cs:399:9:399:11 | value |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" |
| Splitting.cs:3:28:3:34 | tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |
#select
| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | access to field SinkField0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 |
| GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | access to local variable sink0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 |
| GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 | access to local variable sink1 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
| GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 | access to local variable sink10 | GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 | access to local variable sink11 | GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:158:15:158:20 | access to local variable sink12 | access to local variable sink12 | GlobalDataFlow.cs:329:22:329:35 | "taint source" | GlobalDataFlow.cs:158:15:158:20 | access to local variable sink12 |
| GlobalDataFlow.cs:81:15:81:20 | access to local variable sink13 | access to local variable sink13 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:81:15:81:20 | access to local variable sink13 |
| GlobalDataFlow.cs:83:15:83:20 | access to local variable sink14 | access to local variable sink14 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:83:15:83:20 | access to local variable sink14 |
| GlobalDataFlow.cs:85:15:85:20 | access to local variable sink15 | access to local variable sink15 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:85:15:85:20 | access to local variable sink15 |
| GlobalDataFlow.cs:87:15:87:20 | access to local variable sink16 | access to local variable sink16 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:87:15:87:20 | access to local variable sink16 |
| GlobalDataFlow.cs:89:15:89:20 | access to local variable sink17 | access to local variable sink17 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:89:15:89:20 | access to local variable sink17 |
| GlobalDataFlow.cs:91:15:91:20 | access to local variable sink18 | access to local variable sink18 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:91:15:91:20 | access to local variable sink18 |
| GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 | access to local variable sink19 | GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 |
| GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 | access to local variable sink2 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | access to local variable sink20 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:94:15:94:20 | access to local variable sink21 | access to local variable sink21 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:94:15:94:20 | access to local variable sink21 |
| GlobalDataFlow.cs:97:15:97:20 | access to local variable sink22 | access to local variable sink22 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:97:15:97:20 | access to local variable sink22 |
| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 | access to local variable sink23 | GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:207:15:207:20 | access to local variable sink24 | access to local variable sink24 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:207:15:207:20 | access to local variable sink24 |
| GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 | access to local variable sink25 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 |
| GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 | access to local variable sink26 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 |
| Capture.cs:12:19:12:24 | access to local variable sink27 | access to local variable sink27 | Capture.cs:7:20:7:26 | tainted | Capture.cs:12:19:12:24 | access to local variable sink27 |
| Capture.cs:21:23:21:28 | access to local variable sink28 | access to local variable sink28 | Capture.cs:7:20:7:26 | tainted | Capture.cs:21:23:21:28 | access to local variable sink28 |
| Capture.cs:30:19:30:24 | access to local variable sink29 | access to local variable sink29 | Capture.cs:7:20:7:26 | tainted | Capture.cs:30:19:30:24 | access to local variable sink29 |
| GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 | access to local variable sink3 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 |
| Capture.cs:60:15:60:20 | access to local variable sink30 | access to local variable sink30 | Capture.cs:57:22:57:35 | "taint source" | Capture.cs:60:15:60:20 | access to local variable sink30 |
| Capture.cs:72:15:72:20 | access to local variable sink31 | access to local variable sink31 | Capture.cs:67:26:67:39 | "taint source" | Capture.cs:72:15:72:20 | access to local variable sink31 |
| Capture.cs:81:15:81:20 | access to local variable sink32 | access to local variable sink32 | Capture.cs:77:22:77:35 | "taint source" | Capture.cs:81:15:81:20 | access to local variable sink32 |
| Capture.cs:109:15:109:20 | access to local variable sink33 | access to local variable sink33 | Capture.cs:101:25:101:31 | tainted | Capture.cs:109:15:109:20 | access to local variable sink33 |
| Capture.cs:121:15:121:20 | access to local variable sink34 | access to local variable sink34 | Capture.cs:101:25:101:31 | tainted | Capture.cs:121:15:121:20 | access to local variable sink34 |
| Capture.cs:130:15:130:20 | access to local variable sink35 | access to local variable sink35 | Capture.cs:101:25:101:31 | tainted | Capture.cs:130:15:130:20 | access to local variable sink35 |
| Capture.cs:137:15:137:20 | access to local variable sink36 | access to local variable sink36 | Capture.cs:101:25:101:31 | tainted | Capture.cs:137:15:137:20 | access to local variable sink36 |
| Capture.cs:145:15:145:20 | access to local variable sink37 | access to local variable sink37 | Capture.cs:101:25:101:31 | tainted | Capture.cs:145:15:145:20 | access to local variable sink37 |
| Capture.cs:171:15:171:20 | access to local variable sink38 | access to local variable sink38 | Capture.cs:101:25:101:31 | tainted | Capture.cs:171:15:171:20 | access to local variable sink38 |
| GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 | access to local variable sink4 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 |
| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 | access to local variable sink5 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 |
| GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 | access to local variable sink6 | GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 |
| GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 | access to local variable sink7 | GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 |
| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 | access to local variable sink8 | GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 | access to local variable sink9 | GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | access to parameter sinkParam1 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:204:58:204:68 | access to parameter sinkParam10 | access to parameter sinkParam10 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:204:58:204:68 | access to parameter sinkParam10 |
| GlobalDataFlow.cs:301:15:301:25 | access to parameter sinkParam11 | access to parameter sinkParam11 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:301:15:301:25 | access to parameter sinkParam11 |
| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 | access to parameter sinkParam2 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 |
| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 | access to parameter sinkParam3 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 |
| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 | access to parameter sinkParam4 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 |
| GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 | access to parameter sinkParam5 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 |
| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 | access to parameter sinkParam6 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 | access to parameter sinkParam7 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:289:15:289:24 | access to parameter sinkParam8 | access to parameter sinkParam8 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:289:15:289:24 | access to parameter sinkParam8 |
| GlobalDataFlow.cs:295:15:295:24 | access to parameter sinkParam9 | access to parameter sinkParam9 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:295:15:295:24 | access to parameter sinkParam9 |
| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 | access to property SinkProperty0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| Capture.cs:12:19:12:24 | access to local variable sink27 | Capture.cs:7:20:7:26 | tainted | Capture.cs:12:19:12:24 | access to local variable sink27 | access to local variable sink27 |
| Capture.cs:21:23:21:28 | access to local variable sink28 | Capture.cs:7:20:7:26 | tainted | Capture.cs:21:23:21:28 | access to local variable sink28 | access to local variable sink28 |
| Capture.cs:30:19:30:24 | access to local variable sink29 | Capture.cs:7:20:7:26 | tainted | Capture.cs:30:19:30:24 | access to local variable sink29 | access to local variable sink29 |
| Capture.cs:60:15:60:20 | access to local variable sink30 | Capture.cs:57:22:57:35 | "taint source" | Capture.cs:60:15:60:20 | access to local variable sink30 | access to local variable sink30 |
| Capture.cs:72:15:72:20 | access to local variable sink31 | Capture.cs:67:26:67:39 | "taint source" | Capture.cs:72:15:72:20 | access to local variable sink31 | access to local variable sink31 |
| Capture.cs:81:15:81:20 | access to local variable sink32 | Capture.cs:77:22:77:35 | "taint source" | Capture.cs:81:15:81:20 | access to local variable sink32 | access to local variable sink32 |
| Capture.cs:109:15:109:20 | access to local variable sink33 | Capture.cs:101:25:101:31 | tainted | Capture.cs:109:15:109:20 | access to local variable sink33 | access to local variable sink33 |
| Capture.cs:121:15:121:20 | access to local variable sink34 | Capture.cs:101:25:101:31 | tainted | Capture.cs:121:15:121:20 | access to local variable sink34 | access to local variable sink34 |
| Capture.cs:130:15:130:20 | access to local variable sink35 | Capture.cs:101:25:101:31 | tainted | Capture.cs:130:15:130:20 | access to local variable sink35 | access to local variable sink35 |
| Capture.cs:137:15:137:20 | access to local variable sink36 | Capture.cs:101:25:101:31 | tainted | Capture.cs:137:15:137:20 | access to local variable sink36 | access to local variable sink36 |
| Capture.cs:145:15:145:20 | access to local variable sink37 | Capture.cs:101:25:101:31 | tainted | Capture.cs:145:15:145:20 | access to local variable sink37 | access to local variable sink37 |
| Capture.cs:171:15:171:20 | access to local variable sink38 | Capture.cs:101:25:101:31 | tainted | Capture.cs:171:15:171:20 | access to local variable sink38 | access to local variable sink38 |
| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | access to field SinkField0 |
| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 | access to property SinkProperty0 |
| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 | access to parameter sinkParam2 |
| GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | access to local variable sink0 |
| GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 | access to local variable sink1 |
| GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 | access to local variable sink2 |
| GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 | access to local variable sink3 |
| GlobalDataFlow.cs:81:15:81:20 | access to local variable sink13 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:81:15:81:20 | access to local variable sink13 | access to local variable sink13 |
| GlobalDataFlow.cs:83:15:83:20 | access to local variable sink14 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:83:15:83:20 | access to local variable sink14 | access to local variable sink14 |
| GlobalDataFlow.cs:85:15:85:20 | access to local variable sink15 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:85:15:85:20 | access to local variable sink15 | access to local variable sink15 |
| GlobalDataFlow.cs:87:15:87:20 | access to local variable sink16 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:87:15:87:20 | access to local variable sink16 | access to local variable sink16 |
| GlobalDataFlow.cs:89:15:89:20 | access to local variable sink17 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:89:15:89:20 | access to local variable sink17 | access to local variable sink17 |
| GlobalDataFlow.cs:91:15:91:20 | access to local variable sink18 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:91:15:91:20 | access to local variable sink18 | access to local variable sink18 |
| GlobalDataFlow.cs:94:15:94:20 | access to local variable sink21 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:94:15:94:20 | access to local variable sink21 | access to local variable sink21 |
| GlobalDataFlow.cs:97:15:97:20 | access to local variable sink22 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:97:15:97:20 | access to local variable sink22 | access to local variable sink22 |
| GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 | access to local variable sink4 |
| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 | access to local variable sink5 |
| GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 | GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 | access to local variable sink6 |
| GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 | GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 | access to local variable sink7 |
| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 | GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 | access to local variable sink8 |
| GlobalDataFlow.cs:158:15:158:20 | access to local variable sink12 | GlobalDataFlow.cs:329:22:329:35 | "taint source" | GlobalDataFlow.cs:158:15:158:20 | access to local variable sink12 | access to local variable sink12 |
| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 | GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 | access to local variable sink23 |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 | GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 | access to local variable sink9 |
| GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 | GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 | access to local variable sink10 |
| GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 | GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 | access to local variable sink19 |
| GlobalDataFlow.cs:204:58:204:68 | access to parameter sinkParam10 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:204:58:204:68 | access to parameter sinkParam10 | access to parameter sinkParam10 |
| GlobalDataFlow.cs:207:15:207:20 | access to local variable sink24 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:207:15:207:20 | access to local variable sink24 | access to local variable sink24 |
| GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 | access to local variable sink25 |
| GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 | access to local variable sink26 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 | access to parameter sinkParam3 |
| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 | access to parameter sinkParam4 |
| GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 | access to parameter sinkParam5 |
| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:289:15:289:24 | access to parameter sinkParam8 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:289:15:289:24 | access to parameter sinkParam8 | access to parameter sinkParam8 |
| GlobalDataFlow.cs:295:15:295:24 | access to parameter sinkParam9 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:295:15:295:24 | access to parameter sinkParam9 | access to parameter sinkParam9 |
| GlobalDataFlow.cs:301:15:301:25 | access to parameter sinkParam11 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:301:15:301:25 | access to parameter sinkParam11 | access to parameter sinkParam11 |
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 | GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 | access to local variable sink11 |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | access to local variable sink20 |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |

2
csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.ql
View File

@@ -20,4 +20,4 @@ from TTConfig c, DataFlow::PathNode source, DataFlow::PathNode sink, string s
where
c.hasFlowPath(source, sink) and
s = sink.toString()
select sink, s, source, sink order by s
select sink, source, sink, s

42
csharp/ql/test/library-tests/dataflow/local/DataFlow.expected
View File

@@ -1,19 +1,23 @@
| access to field SsaFieldSink0 |
| access to field SsaFieldSink1 |
| access to local variable sink0 |
| access to local variable sink40 |
| access to local variable sink41 |
| access to local variable sink42 |
| access to local variable sink43 |
| access to local variable sink67 |
| access to local variable sink68 |
| access to local variable sink70 |
| access to local variable sink71 |
| access to local variable sink72 |
| access to local variable ssaSink0 |
| access to local variable ssaSink1 |
| access to local variable ssaSink2 |
| access to local variable ssaSink3 |
| access to local variable ssaSink4 |
| access to local variable ssaSink5 |
| access to parameter tainted |
| LocalDataFlow.cs:53:15:53:19 | access to local variable sink0 |
| LocalDataFlow.cs:300:15:300:20 | access to local variable sink40 |
| LocalDataFlow.cs:302:15:302:20 | access to local variable sink41 |
| LocalDataFlow.cs:304:15:304:20 | access to local variable sink42 |
| LocalDataFlow.cs:306:15:306:20 | access to local variable sink43 |
| LocalDataFlow.cs:392:15:392:20 | access to local variable sink67 |
| LocalDataFlow.cs:394:15:394:20 | access to local variable sink68 |
| LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 |
| LocalDataFlow.cs:420:19:420:24 | access to local variable sink71 |
| LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
| LocalDataFlow.cs:466:15:466:21 | access to parameter tainted |
| SSA.cs:9:15:9:22 | access to local variable ssaSink0 |
| SSA.cs:25:15:25:22 | access to local variable ssaSink1 |
| SSA.cs:43:15:43:22 | access to local variable ssaSink2 |
| SSA.cs:60:15:60:22 | access to local variable ssaSink3 |
| SSA.cs:69:15:69:34 | access to field SsaFieldSink0 |
| SSA.cs:98:15:98:22 | access to local variable ssaSink4 |
| SSA.cs:124:15:124:34 | access to field SsaFieldSink1 |
| SSA.cs:180:15:180:22 | access to local variable ssaSink5 |
| Splitting.cs:8:19:8:19 | [b (line 3): true] access to local variable x |
| Splitting.cs:12:15:12:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:25:15:25:15 | [b (line 17): true] access to local variable x |
| Splitting.cs:27:19:27:19 | access to local variable x |

16
csharp/ql/test/library-tests/dataflow/local/DataFlow.ql
View File

@@ -1,9 +1,15 @@
import csharp
import Common
import semmle.code.csharp.controlflow.Guards
from MyFlowSource source, Access target, string s
predicate step(DataFlow::Node pred, DataFlow::Node succ) {
DataFlow::localFlowStep(pred, succ) and
not succ instanceof NullGuardedDataFlowNode
}
from MyFlowSource source, DataFlow::Node sink, Access target
where
DataFlow::localFlowStep+(source, DataFlow::exprNode(target)) and
exists(MethodCall mc | mc.getTarget().getName() = "Check" and mc.getAnArgument() = target) and
s = target.toString()
select s order by s
step+(source, sink) and
sink = DataFlow::exprNode(target) and
exists(MethodCall mc | mc.getTarget().getName() = "Check" and mc.getAnArgument() = target)
select sink

99
csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected
View File

@@ -14,6 +14,7 @@
| Capture.cs:58:21:58:21 | 1 | Capture.cs:58:17:58:21 | SSA def(i) |
| Capture.cs:61:17:61:17 | 1 | Capture.cs:61:13:61:17 | SSA def(i) |
| Capture.cs:63:9:63:17 | SSA call def(i) | Capture.cs:64:13:64:13 | access to local variable i |
| LocalDataFlow.cs:49:30:49:30 | b | LocalDataFlow.cs:96:21:96:21 | access to parameter b |
| LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) | LocalDataFlow.cs:53:15:53:19 | access to local variable sink0 |
| LocalDataFlow.cs:52:21:52:34 | "taint source" | LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) |
| LocalDataFlow.cs:53:15:53:19 | access to local variable sink0 | LocalDataFlow.cs:61:18:61:22 | access to local variable sink0 |
@@ -48,18 +49,25 @@
| LocalDataFlow.cs:85:15:85:22 | access to local variable nonSink0 | LocalDataFlow.cs:92:21:92:28 | access to local variable nonSink0 |
| LocalDataFlow.cs:88:13:88:27 | SSA def(sink6) | LocalDataFlow.cs:89:15:89:19 | access to local variable sink6 |
| LocalDataFlow.cs:88:22:88:26 | access to local variable sink5 | LocalDataFlow.cs:88:13:88:27 | SSA def(sink6) |
| LocalDataFlow.cs:89:15:89:19 | access to local variable sink6 | LocalDataFlow.cs:96:35:96:39 | access to local variable sink6 |
| LocalDataFlow.cs:89:15:89:19 | access to local variable sink6 | LocalDataFlow.cs:96:31:96:35 | [b (line 49): false] access to local variable sink6 |
| LocalDataFlow.cs:92:9:92:29 | SSA def(nonSink0) | LocalDataFlow.cs:93:15:93:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:92:21:92:28 | access to local variable nonSink0 | LocalDataFlow.cs:92:9:92:29 | SSA def(nonSink0) |
| LocalDataFlow.cs:96:13:96:39 | SSA def(sink7) | LocalDataFlow.cs:97:15:97:19 | access to local variable sink7 |
| LocalDataFlow.cs:96:21:96:39 | ... ? ... : ... | LocalDataFlow.cs:96:13:96:39 | SSA def(sink7) |
| LocalDataFlow.cs:96:29:96:31 | "a" | LocalDataFlow.cs:96:21:96:39 | ... ? ... : ... |
| LocalDataFlow.cs:96:35:96:39 | access to local variable sink6 | LocalDataFlow.cs:96:21:96:39 | ... ? ... : ... |
| LocalDataFlow.cs:97:15:97:19 | access to local variable sink7 | LocalDataFlow.cs:104:29:104:33 | access to local variable sink7 |
| LocalDataFlow.cs:100:9:100:41 | SSA def(nonSink0) | LocalDataFlow.cs:101:15:101:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:100:20:100:41 | ... ? ... : ... | LocalDataFlow.cs:100:9:100:41 | SSA def(nonSink0) |
| LocalDataFlow.cs:100:29:100:33 | "abc" | LocalDataFlow.cs:100:20:100:41 | ... ? ... : ... |
| LocalDataFlow.cs:100:37:100:41 | "def" | LocalDataFlow.cs:100:20:100:41 | ... ? ... : ... |
| LocalDataFlow.cs:96:13:96:35 | [b (line 49): false] SSA def(sink7) | LocalDataFlow.cs:97:15:97:19 | [b (line 49): false] access to local variable sink7 |
| LocalDataFlow.cs:96:13:96:35 | [b (line 49): true] SSA def(sink7) | LocalDataFlow.cs:97:15:97:19 | [b (line 49): true] access to local variable sink7 |
| LocalDataFlow.cs:96:21:96:21 | access to parameter b | LocalDataFlow.cs:100:20:100:20 | [b (line 49): false] access to parameter b |
| LocalDataFlow.cs:96:21:96:21 | access to parameter b | LocalDataFlow.cs:100:20:100:20 | [b (line 49): true] access to parameter b |
| LocalDataFlow.cs:96:21:96:35 | ... ? ... : ... | LocalDataFlow.cs:96:13:96:35 | [b (line 49): false] SSA def(sink7) |
| LocalDataFlow.cs:96:21:96:35 | ... ? ... : ... | LocalDataFlow.cs:96:13:96:35 | [b (line 49): true] SSA def(sink7) |
| LocalDataFlow.cs:96:25:96:27 | [b (line 49): true] "a" | LocalDataFlow.cs:96:21:96:35 | ... ? ... : ... |
| LocalDataFlow.cs:96:31:96:35 | [b (line 49): false] access to local variable sink6 | LocalDataFlow.cs:96:21:96:35 | ... ? ... : ... |
| LocalDataFlow.cs:97:15:97:19 | [b (line 49): false] access to local variable sink7 | LocalDataFlow.cs:100:9:100:36 | SSA phi(sink7) |
| LocalDataFlow.cs:97:15:97:19 | [b (line 49): true] access to local variable sink7 | LocalDataFlow.cs:100:9:100:36 | SSA phi(sink7) |
| LocalDataFlow.cs:100:9:100:36 | SSA def(nonSink0) | LocalDataFlow.cs:101:15:101:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:100:9:100:36 | SSA phi(sink7) | LocalDataFlow.cs:104:29:104:33 | access to local variable sink7 |
| LocalDataFlow.cs:100:20:100:36 | [b (line 49): false] ... ? ... : ... | LocalDataFlow.cs:100:9:100:36 | SSA def(nonSink0) |
| LocalDataFlow.cs:100:20:100:36 | [b (line 49): true] ... ? ... : ... | LocalDataFlow.cs:100:9:100:36 | SSA def(nonSink0) |
| LocalDataFlow.cs:100:24:100:28 | "abc" | LocalDataFlow.cs:100:20:100:36 | [b (line 49): true] ... ? ... : ... |
| LocalDataFlow.cs:100:32:100:36 | "def" | LocalDataFlow.cs:100:20:100:36 | [b (line 49): false] ... ? ... : ... |
| LocalDataFlow.cs:101:15:101:22 | access to local variable nonSink0 | LocalDataFlow.cs:108:32:108:39 | access to local variable nonSink0 |
| LocalDataFlow.cs:104:13:104:33 | SSA def(sink8) | LocalDataFlow.cs:105:15:105:19 | access to local variable sink8 |
| LocalDataFlow.cs:104:21:104:33 | (...) ... | LocalDataFlow.cs:104:13:104:33 | SSA def(sink8) |
@@ -638,3 +646,74 @@
| SSA.cs:177:21:177:28 | access to local variable ssaSink5 | SSA.cs:176:21:176:28 | access to local variable ssaSink5 |
| SSA.cs:177:21:177:28 | access to local variable ssaSink5 | SSA.cs:180:9:180:24 | SSA phi(ssaSink5) |
| SSA.cs:180:9:180:24 | SSA phi(ssaSink5) | SSA.cs:180:15:180:22 | access to local variable ssaSink5 |
| Splitting.cs:3:18:3:18 | b | Splitting.cs:6:13:6:13 | access to parameter b |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:5:17:5:23 | access to parameter tainted |
| Splitting.cs:5:13:5:23 | SSA def(x) | Splitting.cs:8:19:8:19 | [b (line 3): true] access to local variable x |
| Splitting.cs:5:13:5:23 | SSA def(x) | Splitting.cs:12:15:12:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:5:17:5:23 | access to parameter tainted | Splitting.cs:5:13:5:23 | SSA def(x) |
| Splitting.cs:6:13:6:13 | access to parameter b | Splitting.cs:13:13:13:13 | [b (line 3): false] access to parameter b |
| Splitting.cs:6:13:6:13 | access to parameter b | Splitting.cs:13:13:13:13 | [b (line 3): true] access to parameter b |
| Splitting.cs:8:19:8:19 | [b (line 3): true] access to local variable x | Splitting.cs:9:17:9:17 | [b (line 3): true] access to local variable x |
| Splitting.cs:9:17:9:17 | [b (line 3): true] access to local variable x | Splitting.cs:12:15:12:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:12:15:12:15 | [b (line 3): true] access to local variable x | Splitting.cs:14:19:14:19 | access to local variable x |
| Splitting.cs:17:18:17:18 | b | Splitting.cs:20:13:20:13 | access to parameter b |
| Splitting.cs:19:13:19:18 | SSA def(x) | Splitting.cs:22:19:22:19 | [b (line 17): true] access to local variable x |
| Splitting.cs:19:13:19:18 | SSA def(x) | Splitting.cs:25:15:25:15 | [b (line 17): false] access to local variable x |
| Splitting.cs:19:17:19:18 | "" | Splitting.cs:19:13:19:18 | SSA def(x) |
| Splitting.cs:20:13:20:13 | access to parameter b | Splitting.cs:26:13:26:13 | [b (line 17): false] access to parameter b |
| Splitting.cs:20:13:20:13 | access to parameter b | Splitting.cs:26:13:26:13 | [b (line 17): true] access to parameter b |
| Splitting.cs:23:13:23:30 | [b (line 17): true] SSA def(x) | Splitting.cs:25:15:25:15 | [b (line 17): true] access to local variable x |
| Splitting.cs:23:17:23:30 | [b (line 17): true] "taint source" | Splitting.cs:23:13:23:30 | [b (line 17): true] SSA def(x) |
| Splitting.cs:25:15:25:15 | [b (line 17): false] access to local variable x | Splitting.cs:29:19:29:19 | access to local variable x |
| Splitting.cs:25:15:25:15 | [b (line 17): true] access to local variable x | Splitting.cs:27:19:27:19 | access to local variable x |
| Splitting.cs:32:18:32:18 | b | Splitting.cs:35:13:35:13 | access to parameter b |
| Splitting.cs:35:13:35:13 | access to parameter b | Splitting.cs:39:15:39:15 | [b (line 32): false] access to parameter b |
| Splitting.cs:35:13:35:13 | access to parameter b | Splitting.cs:39:15:39:15 | [b (line 32): true] access to parameter b |
| Splitting.cs:37:9:37:15 | [b (line 32): false] SSA def(x) | Splitting.cs:38:15:38:15 | [b (line 32): false] access to local variable x |
| Splitting.cs:37:9:37:15 | [b (line 32): true] SSA def(x) | Splitting.cs:38:15:38:15 | [b (line 32): true] access to local variable x |
| Splitting.cs:37:13:37:15 | [b (line 32): false] "b" | Splitting.cs:37:9:37:15 | [b (line 32): false] SSA def(x) |
| Splitting.cs:37:13:37:15 | [b (line 32): true] "b" | Splitting.cs:37:9:37:15 | [b (line 32): true] SSA def(x) |
| Splitting.cs:38:15:38:15 | [b (line 32): false] access to local variable x | Splitting.cs:40:23:40:23 | [b (line 32): false] access to local variable x |
| Splitting.cs:38:15:38:15 | [b (line 32): true] access to local variable x | Splitting.cs:39:19:39:19 | [b (line 32): true] access to local variable x |
| Splitting.cs:39:15:39:15 | [b (line 32): false] access to parameter b | Splitting.cs:42:13:42:13 | [b (line 32): false] access to parameter b |
| Splitting.cs:39:15:39:15 | [b (line 32): true] access to parameter b | Splitting.cs:42:13:42:13 | [b (line 32): true] access to parameter b |
| Splitting.cs:39:19:39:19 | [b (line 32): true] access to local variable x | Splitting.cs:39:15:39:25 | [b (line 32): true] ... ? ... : ... |
| Splitting.cs:39:19:39:19 | [b (line 32): true] access to local variable x | Splitting.cs:40:23:40:23 | [b (line 32): true] access to local variable x |
| Splitting.cs:39:23:39:25 | [b (line 32): false] "c" | Splitting.cs:39:15:39:25 | [b (line 32): false] ... ? ... : ... |
| Splitting.cs:40:23:40:23 | [b (line 32): false] access to local variable x | Splitting.cs:40:15:40:23 | [b (line 32): false] (...) ... |
| Splitting.cs:40:23:40:23 | [b (line 32): true] access to local variable x | Splitting.cs:40:15:40:23 | [b (line 32): true] (...) ... |
| Splitting.cs:41:19:41:21 | [b (line 32): false] "d" | Splitting.cs:41:15:41:21 | [b (line 32): false] ... = ... |
| Splitting.cs:41:19:41:21 | [b (line 32): true] "d" | Splitting.cs:41:15:41:21 | [b (line 32): true] ... = ... |
| Splitting.cs:46:18:46:18 | b | Splitting.cs:49:13:49:13 | access to parameter b |
| Splitting.cs:48:13:48:18 | SSA def(x) | Splitting.cs:53:13:53:13 | [b (line 46): false] access to local variable x |
| Splitting.cs:48:17:48:18 | "" | Splitting.cs:48:13:48:18 | SSA def(x) |
| Splitting.cs:49:13:49:13 | access to parameter b | Splitting.cs:60:13:60:13 | [b (line 46): false] access to parameter b |
| Splitting.cs:49:13:49:13 | access to parameter b | Splitting.cs:60:13:60:13 | [b (line 46): true] access to parameter b |
| Splitting.cs:50:13:50:21 | [b (line 46): true] SSA def(x) | Splitting.cs:53:13:53:13 | [b (line 46): true] access to local variable x |
| Splitting.cs:50:17:50:21 | [b (line 46): true] "abc" | Splitting.cs:50:13:50:21 | [b (line 46): true] SSA def(x) |
| Splitting.cs:51:13:51:36 | [b (line 46): false] SSA def(y) | Splitting.cs:52:9:52:9 | [b (line 46): false] access to local variable y |
| Splitting.cs:51:13:51:36 | [b (line 46): true] SSA def(y) | Splitting.cs:52:9:52:9 | [b (line 46): true] access to local variable y |
| Splitting.cs:51:17:51:36 | [b (line 46): false] array creation of type String[] | Splitting.cs:51:13:51:36 | [b (line 46): false] SSA def(y) |
| Splitting.cs:51:17:51:36 | [b (line 46): true] array creation of type String[] | Splitting.cs:51:13:51:36 | [b (line 46): true] SSA def(y) |
| Splitting.cs:52:9:52:9 | [b (line 46): false] access to local variable y | Splitting.cs:53:17:53:17 | [b (line 46): false] access to local variable y |
| Splitting.cs:52:9:52:9 | [b (line 46): true] access to local variable y | Splitting.cs:53:17:53:17 | [b (line 46): true] access to local variable y |
| Splitting.cs:53:9:53:20 | [b (line 46): false] SSA def(x) | Splitting.cs:54:17:54:17 | [b (line 46): false] access to local variable x |
| Splitting.cs:53:9:53:20 | [b (line 46): true] SSA def(x) | Splitting.cs:54:17:54:17 | [b (line 46): true] access to local variable x |
| Splitting.cs:53:13:53:20 | [b (line 46): false] ... + ... | Splitting.cs:53:9:53:20 | [b (line 46): false] SSA def(x) |
| Splitting.cs:53:13:53:20 | [b (line 46): true] ... + ... | Splitting.cs:53:9:53:20 | [b (line 46): true] SSA def(x) |
| Splitting.cs:53:17:53:17 | [b (line 46): false] access to local variable y | Splitting.cs:57:17:57:17 | [b (line 46): false] access to local variable y |
| Splitting.cs:53:17:53:17 | [b (line 46): true] access to local variable y | Splitting.cs:57:17:57:17 | [b (line 46): true] access to local variable y |
| Splitting.cs:54:13:54:23 | [b (line 46): false] SSA def(z) | Splitting.cs:55:14:55:14 | [b (line 46): false] access to local variable z |
| Splitting.cs:54:13:54:23 | [b (line 46): true] SSA def(z) | Splitting.cs:55:14:55:14 | [b (line 46): true] access to local variable z |
| Splitting.cs:54:17:54:17 | [b (line 46): false] access to local variable x | Splitting.cs:56:17:56:17 | [b (line 46): false] access to local variable x |
| Splitting.cs:54:17:54:17 | [b (line 46): true] access to local variable x | Splitting.cs:56:17:56:17 | [b (line 46): true] access to local variable x |
| Splitting.cs:54:17:54:23 | [b (line 46): false] ... == ... | Splitting.cs:54:13:54:23 | [b (line 46): false] SSA def(z) |
| Splitting.cs:54:17:54:23 | [b (line 46): true] ... == ... | Splitting.cs:54:13:54:23 | [b (line 46): true] SSA def(z) |
| Splitting.cs:56:9:56:19 | [b (line 46): false] SSA def(x) | Splitting.cs:57:14:57:14 | [b (line 46): false] access to local variable x |
| Splitting.cs:56:9:56:19 | [b (line 46): true] SSA def(x) | Splitting.cs:57:14:57:14 | [b (line 46): true] access to local variable x |
| Splitting.cs:56:13:56:19 | [b (line 46): false] $"..." | Splitting.cs:56:9:56:19 | [b (line 46): false] SSA def(x) |
| Splitting.cs:56:13:56:19 | [b (line 46): true] $"..." | Splitting.cs:56:9:56:19 | [b (line 46): true] SSA def(x) |
| Splitting.cs:57:17:57:17 | [b (line 46): false] access to local variable y | Splitting.cs:58:27:58:27 | [b (line 46): false] access to local variable y |
| Splitting.cs:57:17:57:17 | [b (line 46): true] access to local variable y | Splitting.cs:58:27:58:27 | [b (line 46): true] access to local variable y |
| Splitting.cs:58:22:58:22 | [b (line 46): false] SSA def(s) | Splitting.cs:59:19:59:19 | [b (line 46): false] access to local variable s |
| Splitting.cs:58:22:58:22 | [b (line 46): true] SSA def(s) | Splitting.cs:59:19:59:19 | [b (line 46): true] access to local variable s |

6
csharp/ql/test/library-tests/dataflow/local/LocalDataFlow.cs
View File

@@ -46,7 +46,7 @@ namespace System.Runtime.Serialization
/// </summary>
public class LocalDataFlow
{
public async void M()
public async void M(bool b)
{
// Assignment, tainted
var sink0 = "taint source";
@@ -93,11 +93,11 @@ public class LocalDataFlow
Check(nonSink0);
// Conditional expression, tainted
var sink7 = 1 > 2 ? "a" : sink6;
var sink7 = b ? "a" : sink6;
Check(sink7);
// Conditional expression, not tainted
nonSink0 = 4 == 2 ? "abc" : "def";
nonSink0 = b ? "abc" : "def";
Check(nonSink0);
// Cast, tainted

66
csharp/ql/test/library-tests/dataflow/local/Splitting.cs Normal file
View File

@@ -0,0 +1,66 @@
class Splitting
{
void M1(bool b, string tainted)
{
var x = tainted;
if (b)
{
Check(x);
if (x == null)
return;
}
Check(x);
if (b)
Check(x);
}
void M2(bool b)
{
var x = "";
if (b)
{
Check(x);
x = "taint source";
}
Check(x);
if (b)
Check(x);
else
Check(x);
}
void M3(bool b)
{
var x = "";
if (b)
x = "a";
x = "b";
Check(x);
Check(b ? x : "c");
Check((object)x);
Check(x = "d");
if (b)
return;
}
void M4(bool b)
{
var x = "";
if (b)
x = "abc";
var y = new string[] { "a" };
y[0] = "b";
x = x + y[0];
var z = x == "";
z = !z;
x = $"c{x}";
x = (x, y).Item1;
foreach (var s in y)
Check(s);
if (b)
return;
}
string Field;
static void Check<T>(T x) { }
}

149
csharp/ql/test/library-tests/dataflow/local/TaintTracking.expected
View File

@@ -1,72 +1,77 @@
| access to field SsaFieldSink0 |
| access to field SsaFieldSink1 |
| access to local variable sink0 |
| access to local variable sink1 |
| access to local variable sink10 |
| access to local variable sink11 |
| access to local variable sink12 |
| access to local variable sink13 |
| access to local variable sink14 |
| access to local variable sink15 |
| access to local variable sink16 |
| access to local variable sink17 |
| access to local variable sink18 |
| access to local variable sink19 |
| access to local variable sink2 |
| access to local variable sink20 |
| access to local variable sink21 |
| access to local variable sink22 |
| access to local variable sink23 |
| access to local variable sink24 |
| access to local variable sink25 |
| access to local variable sink26 |
| access to local variable sink27 |
| access to local variable sink28 |
| access to local variable sink29 |
| access to local variable sink3 |
| access to local variable sink30 |
| access to local variable sink31 |
| access to local variable sink32 |
| access to local variable sink33 |
| access to local variable sink34 |
| access to local variable sink35 |
| access to local variable sink36 |
| access to local variable sink40 |
| access to local variable sink41 |
| access to local variable sink42 |
| access to local variable sink43 |
| access to local variable sink45 |
| access to local variable sink46 |
| access to local variable sink47 |
| access to local variable sink48 |
| access to local variable sink49 |
| access to local variable sink5 |
| access to local variable sink50 |
| access to local variable sink51 |
| access to local variable sink52 |
| access to local variable sink53 |
| access to local variable sink54 |
| access to local variable sink6 |
| access to local variable sink60 |
| access to local variable sink61 |
| access to local variable sink62 |
| access to local variable sink63 |
| access to local variable sink64 |
| access to local variable sink65 |
| access to local variable sink66 |
| access to local variable sink67 |
| access to local variable sink68 |
| access to local variable sink69 |
| access to local variable sink7 |
| access to local variable sink70 |
| access to local variable sink71 |
| access to local variable sink72 |
| access to local variable sink8 |
| access to local variable sink9 |
| access to local variable ssaSink0 |
| access to local variable ssaSink1 |
| access to local variable ssaSink2 |
| access to local variable ssaSink3 |
| access to local variable ssaSink4 |
| access to local variable ssaSink5 |
| access to parameter tainted |
| LocalDataFlow.cs:53:15:53:19 | access to local variable sink0 |
| LocalDataFlow.cs:62:15:62:19 | access to local variable sink1 |
| LocalDataFlow.cs:71:15:71:19 | access to local variable sink2 |
| LocalDataFlow.cs:81:15:81:19 | access to local variable sink5 |
| LocalDataFlow.cs:89:15:89:19 | access to local variable sink6 |
| LocalDataFlow.cs:97:15:97:19 | [b (line 49): false] access to local variable sink7 |
| LocalDataFlow.cs:97:15:97:19 | [b (line 49): true] access to local variable sink7 |
| LocalDataFlow.cs:105:15:105:19 | access to local variable sink8 |
| LocalDataFlow.cs:113:15:113:19 | access to local variable sink9 |
| LocalDataFlow.cs:121:15:121:20 | access to local variable sink10 |
| LocalDataFlow.cs:129:15:129:20 | access to local variable sink11 |
| LocalDataFlow.cs:137:15:137:20 | access to local variable sink14 |
| LocalDataFlow.cs:145:15:145:20 | access to local variable sink15 |
| LocalDataFlow.cs:148:15:148:20 | access to local variable sink16 |
| LocalDataFlow.cs:150:15:150:20 | access to local variable sink17 |
| LocalDataFlow.cs:152:15:152:20 | access to local variable sink18 |
| LocalDataFlow.cs:154:15:154:20 | access to local variable sink19 |
| LocalDataFlow.cs:156:15:156:20 | access to local variable sink45 |
| LocalDataFlow.cs:159:15:159:20 | access to local variable sink46 |
| LocalDataFlow.cs:161:15:161:20 | access to local variable sink47 |
| LocalDataFlow.cs:163:15:163:20 | access to local variable sink49 |
| LocalDataFlow.cs:165:15:165:20 | access to local variable sink50 |
| LocalDataFlow.cs:167:15:167:20 | access to local variable sink51 |
| LocalDataFlow.cs:169:15:169:20 | access to local variable sink52 |
| LocalDataFlow.cs:197:15:197:20 | access to local variable sink20 |
| LocalDataFlow.cs:199:15:199:20 | access to local variable sink21 |
| LocalDataFlow.cs:201:15:201:20 | access to local variable sink22 |
| LocalDataFlow.cs:211:15:211:20 | access to local variable sink23 |
| LocalDataFlow.cs:219:15:219:20 | access to local variable sink24 |
| LocalDataFlow.cs:227:15:227:20 | access to local variable sink25 |
| LocalDataFlow.cs:235:15:235:20 | access to local variable sink26 |
| LocalDataFlow.cs:237:15:237:20 | access to local variable sink27 |
| LocalDataFlow.cs:239:15:239:20 | access to local variable sink28 |
| LocalDataFlow.cs:241:15:241:20 | access to local variable sink29 |
| LocalDataFlow.cs:243:15:243:20 | access to local variable sink30 |
| LocalDataFlow.cs:259:15:259:20 | access to local variable sink31 |
| LocalDataFlow.cs:261:15:261:20 | access to local variable sink32 |
| LocalDataFlow.cs:271:15:271:20 | access to local variable sink33 |
| LocalDataFlow.cs:273:15:273:20 | access to local variable sink48 |
| LocalDataFlow.cs:283:15:283:20 | access to local variable sink34 |
| LocalDataFlow.cs:285:15:285:20 | access to local variable sink35 |
| LocalDataFlow.cs:288:15:288:20 | access to local variable sink36 |
| LocalDataFlow.cs:300:15:300:20 | access to local variable sink40 |
| LocalDataFlow.cs:302:15:302:20 | access to local variable sink41 |
| LocalDataFlow.cs:304:15:304:20 | access to local variable sink42 |
| LocalDataFlow.cs:306:15:306:20 | access to local variable sink43 |
| LocalDataFlow.cs:321:15:321:19 | access to local variable sink3 |
| LocalDataFlow.cs:323:15:323:20 | access to local variable sink12 |
| LocalDataFlow.cs:325:15:325:20 | access to local variable sink13 |
| LocalDataFlow.cs:339:15:339:20 | access to local variable sink53 |
| LocalDataFlow.cs:341:15:341:20 | access to local variable sink54 |
| LocalDataFlow.cs:355:15:355:20 | access to local variable sink60 |
| LocalDataFlow.cs:364:19:364:24 | access to local variable sink61 |
| LocalDataFlow.cs:366:15:366:20 | access to local variable sink62 |
| LocalDataFlow.cs:368:15:368:20 | access to local variable sink63 |
| LocalDataFlow.cs:370:15:370:20 | access to local variable sink64 |
| LocalDataFlow.cs:372:15:372:20 | access to local variable sink65 |
| LocalDataFlow.cs:374:15:374:20 | access to local variable sink66 |
| LocalDataFlow.cs:392:15:392:20 | access to local variable sink67 |
| LocalDataFlow.cs:394:15:394:20 | access to local variable sink68 |
| LocalDataFlow.cs:404:15:404:20 | access to local variable sink69 |
| LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 |
| LocalDataFlow.cs:420:19:420:24 | access to local variable sink71 |
| LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
| LocalDataFlow.cs:466:15:466:21 | access to parameter tainted |
| SSA.cs:9:15:9:22 | access to local variable ssaSink0 |
| SSA.cs:25:15:25:22 | access to local variable ssaSink1 |
| SSA.cs:43:15:43:22 | access to local variable ssaSink2 |
| SSA.cs:60:15:60:22 | access to local variable ssaSink3 |
| SSA.cs:69:15:69:34 | access to field SsaFieldSink0 |
| SSA.cs:98:15:98:22 | access to local variable ssaSink4 |
| SSA.cs:124:15:124:34 | access to field SsaFieldSink1 |
| SSA.cs:180:15:180:22 | access to local variable ssaSink5 |
| Splitting.cs:8:19:8:19 | [b (line 3): true] access to local variable x |
| Splitting.cs:12:15:12:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:25:15:25:15 | [b (line 17): true] access to local variable x |
| Splitting.cs:27:19:27:19 | access to local variable x |

16
csharp/ql/test/library-tests/dataflow/local/TaintTracking.ql
View File

@@ -1,9 +1,15 @@
import csharp
import Common
import semmle.code.csharp.controlflow.Guards
from MyFlowSource source, Access sink, string s
predicate step(DataFlow::Node pred, DataFlow::Node succ) {
TaintTracking::localTaintStep(pred, succ) and
not succ instanceof NullGuardedDataFlowNode
}
from MyFlowSource source, DataFlow::Node sink, Access target
where
TaintTracking::localTaintStep+(source, DataFlow::exprNode(sink)) and
exists(MethodCall mc | mc.getTarget().getName() = "Check" and mc.getAnArgument() = sink) and
s = sink.toString()
select s order by s
step+(source, sink) and
sink = DataFlow::exprNode(target) and
exists(MethodCall mc | mc.getTarget().getName() = "Check" and mc.getAnArgument() = target)
select sink

139
csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected
View File

@@ -14,6 +14,7 @@
| Capture.cs:58:21:58:21 | 1 | Capture.cs:58:17:58:21 | SSA def(i) |
| Capture.cs:61:17:61:17 | 1 | Capture.cs:61:13:61:17 | SSA def(i) |
| Capture.cs:63:9:63:17 | SSA call def(i) | Capture.cs:64:13:64:13 | access to local variable i |
| LocalDataFlow.cs:49:30:49:30 | b | LocalDataFlow.cs:96:21:96:21 | access to parameter b |
| LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) | LocalDataFlow.cs:53:15:53:19 | access to local variable sink0 |
| LocalDataFlow.cs:52:21:52:34 | "taint source" | LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) |
| LocalDataFlow.cs:53:15:53:19 | access to local variable sink0 | LocalDataFlow.cs:61:18:61:22 | access to local variable sink0 |
@@ -64,24 +65,28 @@
| LocalDataFlow.cs:85:15:85:22 | access to local variable nonSink0 | LocalDataFlow.cs:92:21:92:28 | access to local variable nonSink0 |
| LocalDataFlow.cs:88:13:88:27 | SSA def(sink6) | LocalDataFlow.cs:89:15:89:19 | access to local variable sink6 |
| LocalDataFlow.cs:88:22:88:26 | access to local variable sink5 | LocalDataFlow.cs:88:13:88:27 | SSA def(sink6) |
| LocalDataFlow.cs:89:15:89:19 | access to local variable sink6 | LocalDataFlow.cs:96:35:96:39 | access to local variable sink6 |
| LocalDataFlow.cs:89:15:89:19 | access to local variable sink6 | LocalDataFlow.cs:96:31:96:35 | [b (line 49): false] access to local variable sink6 |
| LocalDataFlow.cs:92:9:92:29 | SSA def(nonSink0) | LocalDataFlow.cs:93:15:93:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:92:21:92:28 | access to local variable nonSink0 | LocalDataFlow.cs:92:9:92:29 | SSA def(nonSink0) |
| LocalDataFlow.cs:96:13:96:39 | SSA def(sink7) | LocalDataFlow.cs:97:15:97:19 | access to local variable sink7 |
| LocalDataFlow.cs:96:21:96:21 | 1 | LocalDataFlow.cs:96:21:96:25 | ... > ... |
| LocalDataFlow.cs:96:21:96:25 | ... > ... | LocalDataFlow.cs:96:21:96:39 | ... ? ... : ... |
| LocalDataFlow.cs:96:21:96:39 | ... ? ... : ... | LocalDataFlow.cs:96:13:96:39 | SSA def(sink7) |
| LocalDataFlow.cs:96:25:96:25 | 2 | LocalDataFlow.cs:96:21:96:25 | ... > ... |
| LocalDataFlow.cs:96:29:96:31 | "a" | LocalDataFlow.cs:96:21:96:39 | ... ? ... : ... |
| LocalDataFlow.cs:96:35:96:39 | access to local variable sink6 | LocalDataFlow.cs:96:21:96:39 | ... ? ... : ... |
| LocalDataFlow.cs:97:15:97:19 | access to local variable sink7 | LocalDataFlow.cs:104:29:104:33 | access to local variable sink7 |
| LocalDataFlow.cs:100:9:100:41 | SSA def(nonSink0) | LocalDataFlow.cs:101:15:101:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:100:20:100:20 | 4 | LocalDataFlow.cs:100:20:100:25 | ... == ... |
| LocalDataFlow.cs:100:20:100:25 | ... == ... | LocalDataFlow.cs:100:20:100:41 | ... ? ... : ... |
| LocalDataFlow.cs:100:20:100:41 | ... ? ... : ... | LocalDataFlow.cs:100:9:100:41 | SSA def(nonSink0) |
| LocalDataFlow.cs:100:25:100:25 | 2 | LocalDataFlow.cs:100:20:100:25 | ... == ... |
| LocalDataFlow.cs:100:29:100:33 | "abc" | LocalDataFlow.cs:100:20:100:41 | ... ? ... : ... |
| LocalDataFlow.cs:100:37:100:41 | "def" | LocalDataFlow.cs:100:20:100:41 | ... ? ... : ... |
| LocalDataFlow.cs:96:13:96:35 | [b (line 49): false] SSA def(sink7) | LocalDataFlow.cs:97:15:97:19 | [b (line 49): false] access to local variable sink7 |
| LocalDataFlow.cs:96:13:96:35 | [b (line 49): true] SSA def(sink7) | LocalDataFlow.cs:97:15:97:19 | [b (line 49): true] access to local variable sink7 |
| LocalDataFlow.cs:96:21:96:21 | access to parameter b | LocalDataFlow.cs:96:21:96:35 | ... ? ... : ... |
| LocalDataFlow.cs:96:21:96:21 | access to parameter b | LocalDataFlow.cs:100:20:100:20 | [b (line 49): false] access to parameter b |
| LocalDataFlow.cs:96:21:96:21 | access to parameter b | LocalDataFlow.cs:100:20:100:20 | [b (line 49): true] access to parameter b |
| LocalDataFlow.cs:96:21:96:35 | ... ? ... : ... | LocalDataFlow.cs:96:13:96:35 | [b (line 49): false] SSA def(sink7) |
| LocalDataFlow.cs:96:21:96:35 | ... ? ... : ... | LocalDataFlow.cs:96:13:96:35 | [b (line 49): true] SSA def(sink7) |
| LocalDataFlow.cs:96:25:96:27 | [b (line 49): true] "a" | LocalDataFlow.cs:96:21:96:35 | ... ? ... : ... |
| LocalDataFlow.cs:96:31:96:35 | [b (line 49): false] access to local variable sink6 | LocalDataFlow.cs:96:21:96:35 | ... ? ... : ... |
| LocalDataFlow.cs:97:15:97:19 | [b (line 49): false] access to local variable sink7 | LocalDataFlow.cs:100:9:100:36 | SSA phi(sink7) |
| LocalDataFlow.cs:97:15:97:19 | [b (line 49): true] access to local variable sink7 | LocalDataFlow.cs:100:9:100:36 | SSA phi(sink7) |
| LocalDataFlow.cs:100:9:100:36 | SSA def(nonSink0) | LocalDataFlow.cs:101:15:101:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:100:9:100:36 | SSA phi(sink7) | LocalDataFlow.cs:104:29:104:33 | access to local variable sink7 |
| LocalDataFlow.cs:100:20:100:20 | [b (line 49): false] access to parameter b | LocalDataFlow.cs:100:20:100:36 | [b (line 49): false] ... ? ... : ... |
| LocalDataFlow.cs:100:20:100:20 | [b (line 49): true] access to parameter b | LocalDataFlow.cs:100:20:100:36 | [b (line 49): true] ... ? ... : ... |
| LocalDataFlow.cs:100:20:100:36 | [b (line 49): false] ... ? ... : ... | LocalDataFlow.cs:100:9:100:36 | SSA def(nonSink0) |
| LocalDataFlow.cs:100:20:100:36 | [b (line 49): true] ... ? ... : ... | LocalDataFlow.cs:100:9:100:36 | SSA def(nonSink0) |
| LocalDataFlow.cs:100:24:100:28 | "abc" | LocalDataFlow.cs:100:20:100:36 | [b (line 49): true] ... ? ... : ... |
| LocalDataFlow.cs:100:32:100:36 | "def" | LocalDataFlow.cs:100:20:100:36 | [b (line 49): false] ... ? ... : ... |
| LocalDataFlow.cs:101:15:101:22 | access to local variable nonSink0 | LocalDataFlow.cs:108:32:108:39 | access to local variable nonSink0 |
| LocalDataFlow.cs:104:13:104:33 | SSA def(sink8) | LocalDataFlow.cs:105:15:105:19 | access to local variable sink8 |
| LocalDataFlow.cs:104:21:104:33 | (...) ... | LocalDataFlow.cs:104:13:104:33 | SSA def(sink8) |
@@ -802,3 +807,105 @@
| SSA.cs:177:21:177:28 | access to local variable ssaSink5 | SSA.cs:176:21:176:28 | access to local variable ssaSink5 |
| SSA.cs:177:21:177:28 | access to local variable ssaSink5 | SSA.cs:180:9:180:24 | SSA phi(ssaSink5) |
| SSA.cs:180:9:180:24 | SSA phi(ssaSink5) | SSA.cs:180:15:180:22 | access to local variable ssaSink5 |
| Splitting.cs:3:18:3:18 | b | Splitting.cs:6:13:6:13 | access to parameter b |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:5:17:5:23 | access to parameter tainted |
| Splitting.cs:5:13:5:23 | SSA def(x) | Splitting.cs:8:19:8:19 | [b (line 3): true] access to local variable x |
| Splitting.cs:5:13:5:23 | SSA def(x) | Splitting.cs:12:15:12:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:5:17:5:23 | access to parameter tainted | Splitting.cs:5:13:5:23 | SSA def(x) |
| Splitting.cs:6:13:6:13 | access to parameter b | Splitting.cs:13:13:13:13 | [b (line 3): false] access to parameter b |
| Splitting.cs:6:13:6:13 | access to parameter b | Splitting.cs:13:13:13:13 | [b (line 3): true] access to parameter b |
| Splitting.cs:8:19:8:19 | [b (line 3): true] access to local variable x | Splitting.cs:9:17:9:17 | [b (line 3): true] access to local variable x |
| Splitting.cs:9:17:9:17 | [b (line 3): true] access to local variable x | Splitting.cs:9:17:9:25 | [b (line 3): true] ... == ... |
| Splitting.cs:9:17:9:17 | [b (line 3): true] access to local variable x | Splitting.cs:12:15:12:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:12:15:12:15 | [b (line 3): true] access to local variable x | Splitting.cs:14:19:14:19 | access to local variable x |
| Splitting.cs:17:18:17:18 | b | Splitting.cs:20:13:20:13 | access to parameter b |
| Splitting.cs:19:13:19:18 | SSA def(x) | Splitting.cs:22:19:22:19 | [b (line 17): true] access to local variable x |
| Splitting.cs:19:13:19:18 | SSA def(x) | Splitting.cs:25:15:25:15 | [b (line 17): false] access to local variable x |
| Splitting.cs:19:17:19:18 | "" | Splitting.cs:19:13:19:18 | SSA def(x) |
| Splitting.cs:20:13:20:13 | access to parameter b | Splitting.cs:26:13:26:13 | [b (line 17): false] access to parameter b |
| Splitting.cs:20:13:20:13 | access to parameter b | Splitting.cs:26:13:26:13 | [b (line 17): true] access to parameter b |
| Splitting.cs:23:13:23:30 | [b (line 17): true] SSA def(x) | Splitting.cs:25:15:25:15 | [b (line 17): true] access to local variable x |
| Splitting.cs:23:17:23:30 | [b (line 17): true] "taint source" | Splitting.cs:23:13:23:30 | [b (line 17): true] SSA def(x) |
| Splitting.cs:25:15:25:15 | [b (line 17): false] access to local variable x | Splitting.cs:29:19:29:19 | access to local variable x |
| Splitting.cs:25:15:25:15 | [b (line 17): true] access to local variable x | Splitting.cs:27:19:27:19 | access to local variable x |
| Splitting.cs:32:18:32:18 | b | Splitting.cs:35:13:35:13 | access to parameter b |
| Splitting.cs:35:13:35:13 | access to parameter b | Splitting.cs:39:15:39:15 | [b (line 32): false] access to parameter b |
| Splitting.cs:35:13:35:13 | access to parameter b | Splitting.cs:39:15:39:15 | [b (line 32): true] access to parameter b |
| Splitting.cs:37:9:37:15 | [b (line 32): false] SSA def(x) | Splitting.cs:38:15:38:15 | [b (line 32): false] access to local variable x |
| Splitting.cs:37:9:37:15 | [b (line 32): true] SSA def(x) | Splitting.cs:38:15:38:15 | [b (line 32): true] access to local variable x |
| Splitting.cs:37:13:37:15 | [b (line 32): false] "b" | Splitting.cs:37:9:37:15 | [b (line 32): false] SSA def(x) |
| Splitting.cs:37:13:37:15 | [b (line 32): true] "b" | Splitting.cs:37:9:37:15 | [b (line 32): true] SSA def(x) |
| Splitting.cs:38:15:38:15 | [b (line 32): false] access to local variable x | Splitting.cs:40:23:40:23 | [b (line 32): false] access to local variable x |
| Splitting.cs:38:15:38:15 | [b (line 32): true] access to local variable x | Splitting.cs:39:19:39:19 | [b (line 32): true] access to local variable x |
| Splitting.cs:39:15:39:15 | [b (line 32): false] access to parameter b | Splitting.cs:39:15:39:25 | [b (line 32): false] ... ? ... : ... |
| Splitting.cs:39:15:39:15 | [b (line 32): false] access to parameter b | Splitting.cs:42:13:42:13 | [b (line 32): false] access to parameter b |
| Splitting.cs:39:15:39:15 | [b (line 32): true] access to parameter b | Splitting.cs:39:15:39:25 | [b (line 32): true] ... ? ... : ... |
| Splitting.cs:39:15:39:15 | [b (line 32): true] access to parameter b | Splitting.cs:42:13:42:13 | [b (line 32): true] access to parameter b |
| Splitting.cs:39:19:39:19 | [b (line 32): true] access to local variable x | Splitting.cs:39:15:39:25 | [b (line 32): true] ... ? ... : ... |
| Splitting.cs:39:19:39:19 | [b (line 32): true] access to local variable x | Splitting.cs:40:23:40:23 | [b (line 32): true] access to local variable x |
| Splitting.cs:39:23:39:25 | [b (line 32): false] "c" | Splitting.cs:39:15:39:25 | [b (line 32): false] ... ? ... : ... |
| Splitting.cs:40:23:40:23 | [b (line 32): false] access to local variable x | Splitting.cs:40:15:40:23 | [b (line 32): false] (...) ... |
| Splitting.cs:40:23:40:23 | [b (line 32): true] access to local variable x | Splitting.cs:40:15:40:23 | [b (line 32): true] (...) ... |
| Splitting.cs:41:19:41:21 | [b (line 32): false] "d" | Splitting.cs:41:15:41:21 | [b (line 32): false] ... = ... |
| Splitting.cs:41:19:41:21 | [b (line 32): true] "d" | Splitting.cs:41:15:41:21 | [b (line 32): true] ... = ... |
| Splitting.cs:46:18:46:18 | b | Splitting.cs:49:13:49:13 | access to parameter b |
| Splitting.cs:48:13:48:18 | SSA def(x) | Splitting.cs:53:13:53:13 | [b (line 46): false] access to local variable x |
| Splitting.cs:48:17:48:18 | "" | Splitting.cs:48:13:48:18 | SSA def(x) |
| Splitting.cs:49:13:49:13 | access to parameter b | Splitting.cs:60:13:60:13 | [b (line 46): false] access to parameter b |
| Splitting.cs:49:13:49:13 | access to parameter b | Splitting.cs:60:13:60:13 | [b (line 46): true] access to parameter b |
| Splitting.cs:50:13:50:21 | [b (line 46): true] SSA def(x) | Splitting.cs:53:13:53:13 | [b (line 46): true] access to local variable x |
| Splitting.cs:50:17:50:21 | [b (line 46): true] "abc" | Splitting.cs:50:13:50:21 | [b (line 46): true] SSA def(x) |
| Splitting.cs:51:13:51:36 | [b (line 46): false] SSA def(y) | Splitting.cs:52:9:52:9 | [b (line 46): false] access to local variable y |
| Splitting.cs:51:13:51:36 | [b (line 46): true] SSA def(y) | Splitting.cs:52:9:52:9 | [b (line 46): true] access to local variable y |
| Splitting.cs:51:17:51:36 | [b (line 46): false] array creation of type String[] | Splitting.cs:51:13:51:36 | [b (line 46): false] SSA def(y) |
| Splitting.cs:51:17:51:36 | [b (line 46): true] array creation of type String[] | Splitting.cs:51:13:51:36 | [b (line 46): true] SSA def(y) |
| Splitting.cs:51:32:51:34 | [b (line 46): false] "a" | Splitting.cs:51:17:51:36 | [b (line 46): false] array creation of type String[] |
| Splitting.cs:51:32:51:34 | [b (line 46): true] "a" | Splitting.cs:51:17:51:36 | [b (line 46): true] array creation of type String[] |
| Splitting.cs:52:9:52:9 | [b (line 46): false] access to local variable y | Splitting.cs:52:9:52:12 | [b (line 46): false] access to array element |
| Splitting.cs:52:9:52:9 | [b (line 46): false] access to local variable y | Splitting.cs:53:17:53:17 | [b (line 46): false] access to local variable y |
| Splitting.cs:52:9:52:9 | [b (line 46): true] access to local variable y | Splitting.cs:52:9:52:12 | [b (line 46): true] access to array element |
| Splitting.cs:52:9:52:9 | [b (line 46): true] access to local variable y | Splitting.cs:53:17:53:17 | [b (line 46): true] access to local variable y |
| Splitting.cs:52:16:52:18 | [b (line 46): false] "b" | Splitting.cs:52:9:52:9 | [b (line 46): false] access to local variable y |
| Splitting.cs:52:16:52:18 | [b (line 46): true] "b" | Splitting.cs:52:9:52:9 | [b (line 46): true] access to local variable y |
| Splitting.cs:53:9:53:20 | [b (line 46): false] SSA def(x) | Splitting.cs:54:17:54:17 | [b (line 46): false] access to local variable x |
| Splitting.cs:53:9:53:20 | [b (line 46): true] SSA def(x) | Splitting.cs:54:17:54:17 | [b (line 46): true] access to local variable x |
| Splitting.cs:53:13:53:13 | [b (line 46): false] access to local variable x | Splitting.cs:53:13:53:20 | [b (line 46): false] ... + ... |
| Splitting.cs:53:13:53:13 | [b (line 46): true] access to local variable x | Splitting.cs:53:13:53:20 | [b (line 46): true] ... + ... |
| Splitting.cs:53:13:53:20 | [b (line 46): false] ... + ... | Splitting.cs:53:9:53:20 | [b (line 46): false] SSA def(x) |
| Splitting.cs:53:13:53:20 | [b (line 46): true] ... + ... | Splitting.cs:53:9:53:20 | [b (line 46): true] SSA def(x) |
| Splitting.cs:53:17:53:17 | [b (line 46): false] access to local variable y | Splitting.cs:53:17:53:20 | [b (line 46): false] access to array element |
| Splitting.cs:53:17:53:17 | [b (line 46): false] access to local variable y | Splitting.cs:57:17:57:17 | [b (line 46): false] access to local variable y |
| Splitting.cs:53:17:53:17 | [b (line 46): true] access to local variable y | Splitting.cs:53:17:53:20 | [b (line 46): true] access to array element |
| Splitting.cs:53:17:53:17 | [b (line 46): true] access to local variable y | Splitting.cs:57:17:57:17 | [b (line 46): true] access to local variable y |
| Splitting.cs:53:17:53:20 | [b (line 46): false] access to array element | Splitting.cs:53:13:53:20 | [b (line 46): false] ... + ... |
| Splitting.cs:53:17:53:20 | [b (line 46): true] access to array element | Splitting.cs:53:13:53:20 | [b (line 46): true] ... + ... |
| Splitting.cs:54:13:54:23 | [b (line 46): false] SSA def(z) | Splitting.cs:55:14:55:14 | [b (line 46): false] access to local variable z |
| Splitting.cs:54:13:54:23 | [b (line 46): true] SSA def(z) | Splitting.cs:55:14:55:14 | [b (line 46): true] access to local variable z |
| Splitting.cs:54:17:54:17 | [b (line 46): false] access to local variable x | Splitting.cs:54:17:54:23 | [b (line 46): false] ... == ... |
| Splitting.cs:54:17:54:17 | [b (line 46): false] access to local variable x | Splitting.cs:56:17:56:17 | [b (line 46): false] access to local variable x |
| Splitting.cs:54:17:54:17 | [b (line 46): true] access to local variable x | Splitting.cs:54:17:54:23 | [b (line 46): true] ... == ... |
| Splitting.cs:54:17:54:17 | [b (line 46): true] access to local variable x | Splitting.cs:56:17:56:17 | [b (line 46): true] access to local variable x |
| Splitting.cs:54:17:54:23 | [b (line 46): false] ... == ... | Splitting.cs:54:13:54:23 | [b (line 46): false] SSA def(z) |
| Splitting.cs:54:17:54:23 | [b (line 46): true] ... == ... | Splitting.cs:54:13:54:23 | [b (line 46): true] SSA def(z) |
| Splitting.cs:55:14:55:14 | [b (line 46): false] access to local variable z | Splitting.cs:55:13:55:14 | [b (line 46): false] !... |
| Splitting.cs:55:14:55:14 | [b (line 46): true] access to local variable z | Splitting.cs:55:13:55:14 | [b (line 46): true] !... |
| Splitting.cs:56:9:56:19 | [b (line 46): false] SSA def(x) | Splitting.cs:57:14:57:14 | [b (line 46): false] access to local variable x |
| Splitting.cs:56:9:56:19 | [b (line 46): true] SSA def(x) | Splitting.cs:57:14:57:14 | [b (line 46): true] access to local variable x |
| Splitting.cs:56:13:56:19 | [b (line 46): false] $"..." | Splitting.cs:56:9:56:19 | [b (line 46): false] SSA def(x) |
| Splitting.cs:56:13:56:19 | [b (line 46): true] $"..." | Splitting.cs:56:9:56:19 | [b (line 46): true] SSA def(x) |
| Splitting.cs:56:15:56:15 | [b (line 46): false] "c" | Splitting.cs:56:13:56:19 | [b (line 46): false] $"..." |
| Splitting.cs:56:15:56:15 | [b (line 46): true] "c" | Splitting.cs:56:13:56:19 | [b (line 46): true] $"..." |
| Splitting.cs:56:17:56:17 | [b (line 46): false] access to local variable x | Splitting.cs:56:13:56:19 | [b (line 46): false] $"..." |
| Splitting.cs:56:17:56:17 | [b (line 46): true] access to local variable x | Splitting.cs:56:13:56:19 | [b (line 46): true] $"..." |
| Splitting.cs:57:13:57:18 | [b (line 46): false] (..., ...) | Splitting.cs:57:13:57:24 | [b (line 46): false] access to field Item1 |
| Splitting.cs:57:13:57:18 | [b (line 46): true] (..., ...) | Splitting.cs:57:13:57:24 | [b (line 46): true] access to field Item1 |
| Splitting.cs:57:14:57:14 | [b (line 46): false] access to local variable x | Splitting.cs:57:13:57:18 | [b (line 46): false] (..., ...) |
| Splitting.cs:57:14:57:14 | [b (line 46): true] access to local variable x | Splitting.cs:57:13:57:18 | [b (line 46): true] (..., ...) |
| Splitting.cs:57:17:57:17 | [b (line 46): false] access to local variable y | Splitting.cs:57:13:57:18 | [b (line 46): false] (..., ...) |
| Splitting.cs:57:17:57:17 | [b (line 46): false] access to local variable y | Splitting.cs:58:27:58:27 | [b (line 46): false] access to local variable y |
| Splitting.cs:57:17:57:17 | [b (line 46): true] access to local variable y | Splitting.cs:57:13:57:18 | [b (line 46): true] (..., ...) |
| Splitting.cs:57:17:57:17 | [b (line 46): true] access to local variable y | Splitting.cs:58:27:58:27 | [b (line 46): true] access to local variable y |
| Splitting.cs:58:22:58:22 | [b (line 46): false] SSA def(s) | Splitting.cs:59:19:59:19 | [b (line 46): false] access to local variable s |
| Splitting.cs:58:22:58:22 | [b (line 46): true] SSA def(s) | Splitting.cs:59:19:59:19 | [b (line 46): true] access to local variable s |
| Splitting.cs:58:27:58:27 | [b (line 46): false] access to local variable y | Splitting.cs:58:22:58:22 | [b (line 46): false] SSA def(s) |
| Splitting.cs:58:27:58:27 | [b (line 46): true] access to local variable y | Splitting.cs:58:22:58:22 | [b (line 46): true] SSA def(s) |

340
csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.expected Normal file
View File

@@ -0,0 +1,340 @@
| Capture.cs:6:16:6:16 | SSA param(i) | Capture.cs:6:16:6:16 | i |
| Capture.cs:8:13:8:17 | SSA def(x) | Capture.cs:8:13:8:17 | Int32 x = ... |
| Capture.cs:10:16:27:9 | SSA def(a) | Capture.cs:10:16:27:9 | Action a = ... |
| Capture.cs:10:20:27:9 | SSA capture def(i) | Capture.cs:10:20:27:9 | (...) => ... |
| Capture.cs:13:13:13:17 | SSA def(i) | Capture.cs:13:13:13:17 | ... = ... |
| Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:15:13:15:17 | ... = ... |
| Capture.cs:17:17:17:21 | SSA def(y) | Capture.cs:17:17:17:21 | Int32 y = ... |
| Capture.cs:19:20:23:13 | SSA def(b) | Capture.cs:19:20:23:13 | Action b = ... |
| Capture.cs:19:24:23:13 | SSA capture def(x) | Capture.cs:19:24:23:13 | (...) => ... |
| Capture.cs:19:24:23:13 | SSA capture def(y) | Capture.cs:19:24:23:13 | (...) => ... |
| Capture.cs:29:13:29:17 | SSA def(z) | Capture.cs:29:13:29:17 | Int32 z = ... |
| Capture.cs:30:16:30:35 | SSA def(c) | Capture.cs:30:16:30:35 | Action c = ... |
| Capture.cs:30:28:30:32 | SSA def(z) | Capture.cs:30:28:30:32 | ... = ... |
| Capture.cs:32:9:32:11 | SSA call def(z) | Capture.cs:32:9:32:11 | delegate call |
| Capture.cs:37:9:37:13 | SSA def(z) | Capture.cs:37:9:37:13 | ... = ... |
| Capture.cs:38:9:38:11 | SSA call def(i) | Capture.cs:38:9:38:11 | delegate call |
| Capture.cs:38:9:38:11 | SSA call def(x) | Capture.cs:38:9:38:11 | delegate call |
| Capture.cs:43:9:43:13 | SSA def(x) | Capture.cs:43:9:43:13 | ... = ... |
| Capture.cs:44:9:44:12 | SSA call def(x) | Capture.cs:44:9:44:12 | call to method M |
| Capture.cs:50:20:50:20 | SSA param(a) | Capture.cs:50:20:50:20 | a |
| Capture.cs:52:16:52:43 | SSA def(b) | Capture.cs:52:16:52:43 | Action b = ... |
| Capture.cs:52:28:52:40 | SSA def(a) | Capture.cs:52:28:52:40 | ... = ... |
| Capture.cs:53:9:53:11 | SSA call def(a) | Capture.cs:53:9:53:11 | delegate call |
| Capture.cs:57:57:57:63 | SSA param(strings) | Capture.cs:57:57:57:63 | strings |
| Capture.cs:59:13:59:17 | SSA def(i) | Capture.cs:59:13:59:17 | Int32 i = ... |
| Capture.cs:60:27:60:38 | SSA def(e) | Capture.cs:60:27:60:38 | Func<String,Int32> e = ... |
| Capture.cs:60:31:60:38 | SSA capture def(i) | Capture.cs:60:31:60:38 | (...) => ... |
| Capture.cs:60:36:60:38 | SSA def(i) | Capture.cs:60:36:60:38 | ...++ |
| Capture.cs:61:9:61:25 | SSA call def(i) | Capture.cs:61:9:61:25 | call to method Select |
| Capture.cs:65:45:65:51 | SSA param(strings) | Capture.cs:65:45:65:51 | strings |
| Capture.cs:67:13:67:19 | SSA def(c) | Capture.cs:67:13:67:19 | Char c = ... |
| Capture.cs:68:32:68:32 | SSA param(s) | Capture.cs:68:32:68:32 | s |
| Capture.cs:68:32:68:49 | SSA capture def(c) | Capture.cs:68:32:68:49 | (...) => ... |
| Capture.cs:69:9:69:62 | SSA capture def(c) | Capture.cs:69:9:69:62 | M |
| Capture.cs:69:25:69:25 | SSA param(s) | Capture.cs:69:25:69:25 | s |
| Capture.cs:73:67:73:73 | SSA param(strings) | Capture.cs:73:67:73:73 | strings |
| Capture.cs:75:13:75:17 | SSA def(i) | Capture.cs:75:13:75:17 | Int32 i = ... |
| Capture.cs:76:63:76:81 | SSA def(e) | Capture.cs:76:63:76:81 | Expression<Func<String,Int32>> e = ... |
| Capture.cs:76:67:76:81 | SSA capture def(i) | Capture.cs:76:67:76:81 | (...) => ... |
| Capture.cs:76:80:76:80 | SSA def(i) | Capture.cs:76:72:76:81 | call to method Inc |
| Capture.cs:77:9:77:25 | SSA call def(i) | Capture.cs:77:9:77:25 | call to method Select |
| Capture.cs:81:28:81:28 | SSA param(i) | Capture.cs:81:28:81:28 | i |
| Capture.cs:81:34:81:36 | SSA def(i) | Capture.cs:81:34:81:36 | ...++ |
| Capture.cs:83:65:83:71 | SSA param(strings) | Capture.cs:83:65:83:71 | strings |
| Capture.cs:85:13:85:20 | SSA def(b) | Capture.cs:85:13:85:20 | Boolean b = ... |
| Capture.cs:86:64:86:73 | SSA def(e) | Capture.cs:86:64:86:73 | Expression<Func<String,Boolean>> e = ... |
| Capture.cs:86:68:86:73 | SSA capture def(b) | Capture.cs:86:68:86:73 | (...) => ... |
| Capture.cs:92:18:92:18 | SSA param(d) | Capture.cs:92:18:92:18 | d |
| Capture.cs:94:13:94:18 | SSA def(y) | Capture.cs:94:13:94:18 | Int32 y = ... |
| Capture.cs:96:12:100:9 | SSA capture def(y) | Capture.cs:96:12:100:9 | (...) => ... |
| Capture.cs:98:17:98:21 | SSA def(x) | Capture.cs:98:17:98:21 | Int32 x = ... |
| Capture.cs:105:13:105:17 | SSA def(z) | Capture.cs:105:13:105:17 | ... = ... |
| Capture.cs:114:13:114:18 | SSA def(a) | Capture.cs:114:13:114:18 | Int32 a = ... |
| Capture.cs:115:9:119:9 | SSA capture def(a) | Capture.cs:115:9:119:9 | M1 |
| Capture.cs:117:17:117:21 | SSA def(x) | Capture.cs:117:17:117:21 | Int32 x = ... |
| Capture.cs:125:13:125:17 | SSA def(b) | Capture.cs:125:13:125:17 | ... = ... |
| Capture.cs:130:13:130:18 | SSA def(c) | Capture.cs:130:13:130:18 | Int32 c = ... |
| Capture.cs:133:13:133:17 | SSA def(c) | Capture.cs:133:13:133:17 | ... = ... |
| Capture.cs:136:9:136:12 | SSA call def(c) | Capture.cs:136:9:136:12 | call to local function M3 |
| Capture.cs:139:13:139:18 | SSA def(d) | Capture.cs:139:13:139:18 | Int32 d = ... |
| Capture.cs:142:13:142:17 | SSA def(d) | Capture.cs:142:13:142:17 | ... = ... |
| Capture.cs:144:9:144:12 | SSA call def(d) | Capture.cs:144:9:144:12 | call to local function M4 |
| Capture.cs:148:9:152:9 | SSA capture def(e) | Capture.cs:148:9:152:9 | M5 |
| Capture.cs:154:13:154:18 | SSA def(f) | Capture.cs:154:13:154:18 | Int32 f = ... |
| Capture.cs:163:9:166:9 | SSA capture def(g) | Capture.cs:163:9:166:9 | M7 |
| Capture.cs:171:13:171:17 | SSA def(h) | Capture.cs:171:13:171:17 | ... = ... |
| Capture.cs:174:17:174:21 | SSA def(h) | Capture.cs:174:17:174:21 | ... = ... |
| Capture.cs:176:13:176:16 | SSA call def(h) | Capture.cs:176:13:176:16 | call to local function M9 |
| Capture.cs:182:17:182:21 | SSA def(i) | Capture.cs:182:17:182:21 | Int32 i = ... |
| Capture.cs:183:13:186:13 | SSA capture def(i) | Capture.cs:183:13:186:13 | M11 |
| Capture.cs:188:13:188:17 | SSA def(i) | Capture.cs:188:13:188:17 | ... = ... |
| Capture.cs:197:17:197:21 | SSA def(i) | Capture.cs:197:17:197:21 | Int32 i = ... |
| Capture.cs:198:28:198:44 | SSA def(eh) | Capture.cs:198:28:198:44 | MyEventHandler eh = ... |
| Capture.cs:198:33:198:44 | SSA capture def(i) | Capture.cs:198:33:198:44 | (...) => ... |
| Capture.cs:203:28:203:45 | SSA def(eh2) | Capture.cs:203:28:203:45 | MyEventHandler eh2 = ... |
| Capture.cs:203:34:203:45 | SSA capture def(i) | Capture.cs:203:34:203:45 | (...) => ... |
| Capture.cs:209:17:209:21 | SSA def(i) | Capture.cs:209:17:209:21 | Int32 i = ... |
| Capture.cs:210:24:210:59 | SSA def(p) | Capture.cs:210:24:210:59 | Process p = ... |
| Capture.cs:212:30:212:71 | SSA def(exited) | Capture.cs:212:30:212:71 | EventHandler exited = ... |
| Capture.cs:212:39:212:71 | SSA capture def(i) | Capture.cs:212:39:212:71 | (...) => ... |
| Capture.cs:231:9:231:49 | SSA capture def(i) | Capture.cs:231:9:231:49 | M2 |
| Capture.cs:232:9:232:13 | SSA def(i) | Capture.cs:232:9:232:13 | ... = ... |
| Capture.cs:235:21:235:25 | SSA def(i) | Capture.cs:235:21:235:25 | ... = ... |
| Capture.cs:236:9:236:12 | SSA call def(i) | Capture.cs:236:9:236:12 | call to local function M3 |
| Consistency.cs:7:25:7:25 | SSA param(b) | Consistency.cs:7:25:7:25 | b |
| Consistency.cs:15:17:15:21 | SSA def(i) | Consistency.cs:15:17:15:21 | Int32 i = ... |
| Consistency.cs:15:17:15:21 | [finally: exception(Exception)] SSA def(i) | Consistency.cs:15:17:15:21 | Int32 i = ... |
| Consistency.cs:25:29:25:29 | SSA def(c) | Consistency.cs:25:9:25:30 | call to method Out |
| Consistency.cs:25:29:25:29 | SSA qualifier def(c.Field) | Consistency.cs:25:9:25:30 | call to method Out |
| Consistency.cs:32:9:32:29 | SSA def(c) | Consistency.cs:32:9:32:29 | ... = ... |
| Consistency.cs:39:28:39:32 | SSA def(i) | Consistency.cs:39:28:39:32 | ... = ... |
| Consistency.cs:44:11:44:11 | SSA def(s) | Consistency.cs:44:11:44:11 | S s |
| Consistency.cs:49:30:49:30 | SSA param(a) | Consistency.cs:49:30:49:30 | a |
| Consistency.cs:49:37:49:37 | SSA param(i) | Consistency.cs:49:37:49:37 | i |
| Consistency.cs:51:20:51:20 | SSA param(a) | Consistency.cs:51:20:51:20 | a |
| Consistency.cs:56:17:56:40 | SSA def(k) | Consistency.cs:56:17:56:40 | Int32 k = ... |
| Consistency.cs:57:9:57:13 | SSA def(k) | Consistency.cs:57:9:57:13 | ... = ... |
| Consistency.cs:58:9:58:13 | SSA def(k) | Consistency.cs:58:9:58:13 | ... = ... |
| DefUse.cs:3:26:3:26 | SSA param(w) | DefUse.cs:3:26:3:26 | w |
| DefUse.cs:5:13:5:17 | SSA def(x) | DefUse.cs:5:13:5:17 | Int32 x = ... |
| DefUse.cs:6:14:6:19 | SSA def(y) | DefUse.cs:6:14:6:19 | Int64 y = ... |
| DefUse.cs:13:13:13:18 | SSA def(y) | DefUse.cs:13:13:13:18 | ... = ... |
| DefUse.cs:18:13:18:18 | SSA def(y) | DefUse.cs:18:13:18:18 | ... = ... |
| DefUse.cs:19:13:19:18 | SSA def(w) | DefUse.cs:19:13:19:18 | ... = ... |
| DefUse.cs:28:13:28:18 | SSA def(y) | DefUse.cs:28:13:28:18 | ... = ... |
| DefUse.cs:29:13:29:18 | SSA def(w) | DefUse.cs:29:13:29:18 | ... = ... |
| DefUse.cs:39:13:39:18 | SSA def(y) | DefUse.cs:39:13:39:18 | ... = ... |
| DefUse.cs:44:13:44:17 | SSA def(z) | DefUse.cs:44:13:44:17 | Int32 z = ... |
| DefUse.cs:47:23:47:23 | SSA def(z) | DefUse.cs:47:9:47:24 | call to method outMethod |
| DefUse.cs:50:23:50:23 | SSA def(z) | DefUse.cs:50:9:50:24 | call to method refMethod |
| DefUse.cs:53:9:53:17 | SSA def(this.Field) | DefUse.cs:53:9:53:17 | ... = ... |
| DefUse.cs:56:9:56:16 | SSA def(this.Prop) | DefUse.cs:56:9:56:16 | ... = ... |
| DefUse.cs:59:13:59:17 | SSA def(i) | DefUse.cs:59:13:59:17 | Int32 i = ... |
| DefUse.cs:63:9:63:18 | SSA def(this.Field2) | DefUse.cs:63:9:63:18 | ... = ... |
| DefUse.cs:66:9:66:18 | SSA def(this.Field3) | DefUse.cs:66:9:66:18 | ... = ... |
| DefUse.cs:67:19:67:27 | SSA def(tc) | DefUse.cs:67:19:67:27 | TestClass tc = ... |
| DefUse.cs:71:9:71:13 | SSA def(i) | DefUse.cs:71:9:71:13 | ... = ... |
| DefUse.cs:72:9:72:11 | SSA def(i) | DefUse.cs:72:9:72:11 | ...++ |
| DefUse.cs:75:9:75:13 | SSA def(i) | DefUse.cs:75:9:75:13 | ... = ... |
| DefUse.cs:76:9:76:11 | SSA def(i) | DefUse.cs:76:9:76:11 | ...-- |
| DefUse.cs:79:13:79:18 | SSA def(x1) | DefUse.cs:79:13:79:18 | Int32 x1 = ... |
| DefUse.cs:80:30:80:31 | SSA def(x1) | DefUse.cs:80:16:80:32 | call to method refMethod |
| DefUse.cs:83:13:83:18 | SSA def(x2) | DefUse.cs:83:13:83:18 | Int32 x2 = ... |
| DefUse.cs:85:15:85:16 | SSA def(x2) | DefUse.cs:84:9:86:17 | call to method refOutMethod |
| DefUse.cs:89:13:89:18 | SSA def(x3) | DefUse.cs:89:13:89:18 | Int32 x3 = ... |
| DefUse.cs:92:15:92:16 | SSA def(x3) | DefUse.cs:91:9:93:17 | call to method refOutMethod |
| DefUse.cs:93:15:93:16 | SSA def(x4) | DefUse.cs:91:9:93:17 | call to method refOutMethod |
| DefUse.cs:97:13:97:18 | SSA def(x5) | DefUse.cs:97:13:97:18 | Int32 x5 = ... |
| DefUse.cs:101:13:101:23 | SSA def(x5) | DefUse.cs:101:13:101:23 | ... = ... |
| DefUse.cs:104:9:104:15 | SSA def(x5) | DefUse.cs:104:9:104:15 | ... = ... |
| DefUse.cs:114:47:114:52 | SSA def(i) | DefUse.cs:114:47:114:52 | ... = ... |
| DefUse.cs:116:47:116:51 | SSA def(i) | DefUse.cs:116:47:116:51 | ... = ... |
| DefUse.cs:118:45:118:45 | SSA param(i) | DefUse.cs:118:45:118:45 | i |
| DefUse.cs:118:61:118:65 | SSA def(j) | DefUse.cs:118:61:118:65 | ... = ... |
| DefUse.cs:118:68:118:72 | SSA def(i) | DefUse.cs:118:68:118:72 | ... = ... |
| DefUse.cs:128:19:128:19 | SSA param(i) | DefUse.cs:128:19:128:19 | i |
| DefUse.cs:134:22:134:22 | SSA param(d) | DefUse.cs:134:22:134:22 | d |
| DefUse.cs:142:68:142:69 | SSA param(ie) | DefUse.cs:142:68:142:69 | ie |
| DefUse.cs:144:22:144:22 | SSA def(x) | DefUse.cs:144:22:144:22 | String x |
| DefUse.cs:155:9:155:18 | SSA def(this.Field4) | DefUse.cs:155:9:155:18 | ... = ... |
| DefUse.cs:160:10:160:16 | SSA entry def(this.Field4) | DefUse.cs:160:10:160:16 | FieldM2 |
| DefUse.cs:167:23:167:23 | SSA param(i) | DefUse.cs:167:23:167:23 | i |
| DefUse.cs:170:9:170:13 | SSA def(i) | DefUse.cs:170:9:170:13 | ... = ... |
| DefUse.cs:171:23:180:9 | SSA def(a) | DefUse.cs:171:23:180:9 | Action a = ... |
| DefUse.cs:173:13:173:17 | SSA def(i) | DefUse.cs:173:13:173:17 | ... = ... |
| DefUse.cs:175:32:179:13 | SSA capture def(i) | DefUse.cs:175:32:179:13 | (...) => ... |
| DefUse.cs:181:9:181:11 | SSA call def(i) | DefUse.cs:181:9:181:11 | delegate call |
| DefUse.cs:184:9:184:18 | SSA def(this.Field5) | DefUse.cs:184:9:184:18 | ... = ... |
| DefUse.cs:186:9:190:9 | SSA def(a) | DefUse.cs:186:9:190:9 | ... = ... |
| DefUse.cs:188:13:188:22 | SSA def(this.Field5) | DefUse.cs:188:13:188:22 | ... = ... |
| DefUse.cs:191:9:191:11 | SSA call def(this.Field5) | DefUse.cs:191:9:191:11 | delegate call |
| Example.cs:6:23:6:23 | SSA param(i) | Example.cs:6:23:6:23 | i |
| Example.cs:8:9:8:22 | SSA def(this.Field) | Example.cs:8:9:8:22 | ... = ... |
| Example.cs:11:13:11:30 | SSA def(this.Field) | Example.cs:11:13:11:30 | ... = ... |
| Example.cs:13:13:13:23 | SSA call def(this.Field) | Example.cs:13:13:13:23 | call to method SetField |
| Example.cs:18:16:18:16 | SSA param(p) | Example.cs:18:16:18:16 | p |
| Example.cs:18:24:18:24 | SSA param(b) | Example.cs:18:24:18:24 | b |
| Example.cs:23:13:23:17 | SSA def(p) | Example.cs:23:13:23:17 | ... = ... |
| Fields.cs:16:17:16:17 | SSA entry def(this.xs) | Fields.cs:16:17:16:17 | F |
| Fields.cs:19:9:19:13 | SSA call def(this.xs) | Fields.cs:19:9:19:13 | call to method Upd |
| Fields.cs:20:9:20:14 | SSA def(x) | Fields.cs:20:9:20:14 | ... = ... |
| Fields.cs:22:13:22:17 | SSA call def(this.xs) | Fields.cs:22:13:22:17 | call to method Upd |
| Fields.cs:24:9:24:23 | SSA def(this.xs) | Fields.cs:24:9:24:23 | ... = ... |
| Fields.cs:28:17:28:17 | SSA entry def(Fields.stat) | Fields.cs:28:17:28:17 | G |
| Fields.cs:28:17:28:17 | SSA entry def(this.xs) | Fields.cs:28:17:28:17 | G |
| Fields.cs:30:13:30:28 | SSA def(f) | Fields.cs:30:13:30:28 | Fields f = ... |
| Fields.cs:30:13:30:28 | SSA qualifier def(f.xs) | Fields.cs:30:13:30:28 | Fields f = ... |
| Fields.cs:30:17:30:28 | SSA call def(Fields.stat) | Fields.cs:30:17:30:28 | object creation of type Fields |
| Fields.cs:34:9:34:16 | SSA call def(Fields.stat) | Fields.cs:34:9:34:16 | call to method F |
| Fields.cs:34:9:34:16 | SSA call def(f.xs) | Fields.cs:34:9:34:16 | call to method F |
| Fields.cs:34:9:34:16 | SSA call def(this.xs) | Fields.cs:34:9:34:16 | call to method F |
| Fields.cs:38:9:38:13 | SSA call def(Fields.stat) | Fields.cs:38:9:38:13 | call to method F |
| Fields.cs:38:9:38:13 | SSA call def(f.xs) | Fields.cs:38:9:38:13 | call to method F |
| Fields.cs:38:9:38:13 | SSA call def(this.xs) | Fields.cs:38:9:38:13 | call to method F |
| Fields.cs:42:9:42:23 | SSA def(this.xs) | Fields.cs:42:9:42:23 | ... = ... |
| Fields.cs:45:9:45:25 | SSA def(f.xs) | Fields.cs:45:9:45:25 | ... = ... |
| Fields.cs:47:9:47:14 | SSA def(z) | Fields.cs:47:9:47:14 | ... = ... |
| Fields.cs:49:13:49:28 | SSA def(f) | Fields.cs:49:13:49:28 | ... = ... |
| Fields.cs:49:13:49:28 | SSA qualifier def(f.xs) | Fields.cs:49:13:49:28 | ... = ... |
| Fields.cs:49:17:49:28 | SSA call def(Fields.stat) | Fields.cs:49:17:49:28 | object creation of type Fields |
| Fields.cs:51:9:51:20 | SSA call def(Fields.stat) | Fields.cs:51:9:51:20 | object creation of type Fields |
| Fields.cs:61:17:61:17 | SSA entry def(this.LoopField) | Fields.cs:61:17:61:17 | H |
| Fields.cs:63:16:63:28 | SSA untracked def(this.VolatileField) | Fields.cs:63:16:63:28 | this access |
| Fields.cs:69:21:69:33 | SSA untracked def(this.VolatileField) | Fields.cs:69:21:69:33 | this access |
| Fields.cs:71:17:71:35 | SSA untracked def(this.SingleAccessedField) | Fields.cs:71:17:71:35 | this access |
| Fields.cs:76:20:76:38 | SSA untracked def(this.SingleAccessedField) | Fields.cs:76:20:76:38 | this access |
| Fields.cs:77:13:77:45 | SSA def(f) | Fields.cs:77:13:77:45 | Fields f = ... |
| Fields.cs:78:23:78:54 | SSA def(a) | Fields.cs:78:23:78:54 | Action a = ... |
| Fields.cs:78:27:78:54 | SSA capture def(f) | Fields.cs:78:27:78:54 | (...) => ... |
| Fields.cs:79:23:79:35 | SSA def(b) | Fields.cs:79:23:79:35 | Action b = ... |
| Fields.cs:80:9:80:25 | SSA def(f.xs) | Fields.cs:80:9:80:25 | ... = ... |
| Fields.cs:81:9:81:11 | SSA call def(f.xs) | Fields.cs:81:9:81:11 | delegate call |
| Fields.cs:83:9:83:25 | SSA def(f.xs) | Fields.cs:83:9:83:25 | ... = ... |
| Fields.cs:85:9:85:22 | SSA def(this.xs) | Fields.cs:85:9:85:22 | ... = ... |
| Fields.cs:86:9:86:47 | SSA call def(f.xs) | Fields.cs:86:9:86:47 | call to method Select |
| Fields.cs:86:24:86:46 | SSA capture def(a) | Fields.cs:86:24:86:46 | (...) => ... |
| Fields.cs:87:9:87:22 | SSA def(this.xs) | Fields.cs:87:9:87:22 | ... = ... |
| Fields.cs:88:9:88:25 | SSA def(f.xs) | Fields.cs:88:9:88:25 | ... = ... |
| Fields.cs:89:24:89:46 | SSA capture def(b) | Fields.cs:89:24:89:46 | (...) => ... |
| Fields.cs:95:19:95:19 | SSA param(f) | Fields.cs:95:19:95:19 | f |
| Fields.cs:97:9:97:30 | SSA def(f.Field) | Fields.cs:97:9:97:30 | ... = ... |
| Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field) | Fields.cs:97:9:97:30 | ... = ... |
| Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field.Field) | Fields.cs:97:9:97:30 | ... = ... |
| Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field.Field.Field) | Fields.cs:97:9:97:30 | ... = ... |
| Fields.cs:102:9:102:28 | SSA def(this.Field) | Fields.cs:102:9:102:28 | ... = ... |
| Fields.cs:107:33:107:33 | SSA param(f) | Fields.cs:107:33:107:33 | f |
| Fields.cs:109:10:109:10 | SSA entry def(this.Field) | Fields.cs:109:10:109:10 | K |
| Fields.cs:109:10:109:10 | SSA entry def(this.Field.Field) | Fields.cs:109:10:109:10 | K |
| Fields.cs:109:10:109:10 | SSA entry def(this.Field.Field.xs) | Fields.cs:109:10:109:10 | K |
| Fields.cs:114:9:114:22 | SSA call def(this.Field) | Fields.cs:114:9:114:22 | call to method SetField |
| Fields.cs:114:9:114:22 | SSA call def(this.Field.Field) | Fields.cs:114:9:114:22 | call to method SetField |
| Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) | Fields.cs:114:9:114:22 | call to method SetField |
| OutRef.cs:7:10:7:10 | SSA entry def(this.Field) | OutRef.cs:7:10:7:10 | M |
| OutRef.cs:9:13:9:17 | SSA def(j) | OutRef.cs:9:13:9:17 | Int32 j = ... |
| OutRef.cs:10:25:10:25 | SSA def(i) | OutRef.cs:10:9:10:33 | call to method OutRefM |
| OutRef.cs:10:32:10:32 | SSA def(j) | OutRef.cs:10:9:10:33 | call to method OutRefM |
| OutRef.cs:13:21:13:21 | SSA def(i) | OutRef.cs:13:9:13:33 | call to method OutRefM |
| OutRef.cs:13:28:13:32 | SSA def(this.Field) | OutRef.cs:13:9:13:33 | call to method OutRefM |
| OutRef.cs:16:21:16:25 | SSA def(this.Field) | OutRef.cs:16:9:16:37 | call to method OutRefM |
| OutRef.cs:18:13:18:28 | SSA def(t) | OutRef.cs:18:13:18:28 | OutRef t = ... |
| OutRef.cs:18:13:18:28 | SSA qualifier def(t.Field) | OutRef.cs:18:13:18:28 | OutRef t = ... |
| OutRef.cs:19:21:19:25 | SSA def(this.Field) | OutRef.cs:19:9:19:39 | call to method OutRefM |
| OutRef.cs:19:32:19:38 | SSA def(t.Field) | OutRef.cs:19:9:19:39 | call to method OutRefM |
| OutRef.cs:22:22:22:22 | SSA def(j) | OutRef.cs:22:9:22:30 | call to method OutRefM2 |
| OutRef.cs:24:29:24:29 | SSA def(j) | OutRef.cs:24:9:24:30 | call to method OutRefM3 |
| OutRef.cs:28:37:28:37 | SSA param(j) | OutRef.cs:28:37:28:37 | j |
| OutRef.cs:30:9:30:13 | SSA def(i) | OutRef.cs:30:9:30:13 | ... = ... |
| OutRef.cs:31:9:31:13 | SSA def(j) | OutRef.cs:31:9:31:13 | ... = ... |
| OutRef.cs:34:38:34:38 | SSA param(j) | OutRef.cs:34:38:34:38 | j |
| OutRef.cs:36:9:36:13 | SSA def(i) | OutRef.cs:36:9:36:13 | ... = ... |
| OutRef.cs:39:24:39:24 | SSA param(b) | OutRef.cs:39:24:39:24 | b |
| OutRef.cs:39:35:39:35 | SSA param(j) | OutRef.cs:39:35:39:35 | j |
| OutRef.cs:42:13:42:17 | SSA def(j) | OutRef.cs:42:13:42:17 | ... = ... |
| Patterns.cs:7:16:7:23 | SSA def(o) | Patterns.cs:7:16:7:23 | Object o = ... |
| Patterns.cs:8:18:8:23 | SSA def(i1) | Patterns.cs:8:18:8:23 | Int32 i1 |
| Patterns.cs:12:23:12:31 | SSA def(s1) | Patterns.cs:12:23:12:31 | String s1 |
| Patterns.cs:24:18:24:23 | SSA def(i2) | Patterns.cs:24:18:24:23 | Int32 i2 |
| Patterns.cs:27:18:27:23 | SSA def(i3) | Patterns.cs:27:18:27:23 | Int32 i3 |
| Patterns.cs:30:18:30:26 | SSA def(s2) | Patterns.cs:30:18:30:26 | String s2 |
| Properties.cs:16:17:16:17 | SSA entry def(this.xs) | Properties.cs:16:17:16:17 | F |
| Properties.cs:19:9:19:13 | SSA call def(this.xs) | Properties.cs:19:9:19:13 | call to method Upd |
| Properties.cs:20:9:20:14 | SSA def(x) | Properties.cs:20:9:20:14 | ... = ... |
| Properties.cs:22:13:22:17 | SSA call def(this.xs) | Properties.cs:22:13:22:17 | call to method Upd |
| Properties.cs:24:9:24:23 | SSA def(this.xs) | Properties.cs:24:9:24:23 | ... = ... |
| Properties.cs:28:17:28:17 | SSA entry def(Properties.stat) | Properties.cs:28:17:28:17 | G |
| Properties.cs:28:17:28:17 | SSA entry def(this.xs) | Properties.cs:28:17:28:17 | G |
| Properties.cs:30:13:30:32 | SSA def(f) | Properties.cs:30:13:30:32 | Properties f = ... |
| Properties.cs:30:13:30:32 | SSA qualifier def(f.xs) | Properties.cs:30:13:30:32 | Properties f = ... |
| Properties.cs:30:17:30:32 | SSA call def(Properties.stat) | Properties.cs:30:17:30:32 | object creation of type Properties |
| Properties.cs:34:9:34:16 | SSA call def(Properties.stat) | Properties.cs:34:9:34:16 | call to method F |
| Properties.cs:34:9:34:16 | SSA call def(f.xs) | Properties.cs:34:9:34:16 | call to method F |
| Properties.cs:34:9:34:16 | SSA call def(this.xs) | Properties.cs:34:9:34:16 | call to method F |
| Properties.cs:38:9:38:13 | SSA call def(Properties.stat) | Properties.cs:38:9:38:13 | call to method F |
| Properties.cs:38:9:38:13 | SSA call def(f.xs) | Properties.cs:38:9:38:13 | call to method F |
| Properties.cs:38:9:38:13 | SSA call def(this.xs) | Properties.cs:38:9:38:13 | call to method F |
| Properties.cs:42:9:42:23 | SSA def(this.xs) | Properties.cs:42:9:42:23 | ... = ... |
| Properties.cs:45:9:45:25 | SSA def(f.xs) | Properties.cs:45:9:45:25 | ... = ... |
| Properties.cs:47:9:47:14 | SSA def(z) | Properties.cs:47:9:47:14 | ... = ... |
| Properties.cs:49:13:49:32 | SSA def(f) | Properties.cs:49:13:49:32 | ... = ... |
| Properties.cs:49:13:49:32 | SSA qualifier def(f.xs) | Properties.cs:49:13:49:32 | ... = ... |
| Properties.cs:49:17:49:32 | SSA call def(Properties.stat) | Properties.cs:49:17:49:32 | object creation of type Properties |
| Properties.cs:51:9:51:24 | SSA call def(Properties.stat) | Properties.cs:51:9:51:24 | object creation of type Properties |
| Properties.cs:61:17:61:17 | SSA entry def(this.LoopProp) | Properties.cs:61:17:61:17 | H |
| Properties.cs:61:23:61:23 | SSA param(i) | Properties.cs:61:23:61:23 | i |
| Properties.cs:63:16:63:18 | SSA def(i) | Properties.cs:63:16:63:18 | ...-- |
| Properties.cs:67:21:67:38 | SSA untracked def(this.SingleAccessedProp) | Properties.cs:67:21:67:38 | this access |
| Properties.cs:72:20:72:37 | SSA untracked def(this.SingleAccessedProp) | Properties.cs:72:20:72:37 | this access |
| Properties.cs:73:13:73:32 | SSA def(f) | Properties.cs:73:13:73:32 | Properties f = ... |
| Properties.cs:74:23:74:54 | SSA def(a) | Properties.cs:74:23:74:54 | Action a = ... |
| Properties.cs:74:27:74:54 | SSA capture def(f) | Properties.cs:74:27:74:54 | (...) => ... |
| Properties.cs:75:23:75:35 | SSA def(b) | Properties.cs:75:23:75:35 | Action b = ... |
| Properties.cs:76:9:76:25 | SSA def(f.xs) | Properties.cs:76:9:76:25 | ... = ... |
| Properties.cs:77:9:77:11 | SSA call def(f.xs) | Properties.cs:77:9:77:11 | delegate call |
| Properties.cs:79:9:79:25 | SSA def(f.xs) | Properties.cs:79:9:79:25 | ... = ... |
| Properties.cs:81:9:81:22 | SSA def(this.xs) | Properties.cs:81:9:81:22 | ... = ... |
| Properties.cs:82:9:82:47 | SSA call def(f.xs) | Properties.cs:82:9:82:47 | call to method Select |
| Properties.cs:82:24:82:46 | SSA capture def(a) | Properties.cs:82:24:82:46 | (...) => ... |
| Properties.cs:83:9:83:22 | SSA def(this.xs) | Properties.cs:83:9:83:22 | ... = ... |
| Properties.cs:84:9:84:25 | SSA def(f.xs) | Properties.cs:84:9:84:25 | ... = ... |
| Properties.cs:85:24:85:46 | SSA capture def(b) | Properties.cs:85:24:85:46 | (...) => ... |
| Properties.cs:95:20:95:38 | SSA untracked def(this.NonTrivialProp) | Properties.cs:95:20:95:23 | this access |
| Properties.cs:98:16:98:31 | SSA untracked def(this.VirtualProp) | Properties.cs:98:16:98:19 | this access |
| Properties.cs:100:9:100:26 | SSA untracked def(this.VolatileField) | Properties.cs:100:9:100:12 | this access |
| Properties.cs:101:21:101:38 | SSA untracked def(this.VolatileField) | Properties.cs:101:21:101:24 | this access |
| Properties.cs:101:21:101:41 | SSA untracked def(this.VolatileField.xs) | Properties.cs:101:21:101:38 | access to field VolatileField |
| Properties.cs:106:37:106:37 | SSA param(p) | Properties.cs:106:37:106:37 | p |
| Properties.cs:108:10:108:10 | SSA entry def(this.Props) | Properties.cs:108:10:108:10 | K |
| Properties.cs:108:10:108:10 | SSA entry def(this.Props.Props) | Properties.cs:108:10:108:10 | K |
| Properties.cs:108:10:108:10 | SSA entry def(this.Props.Props.xs) | Properties.cs:108:10:108:10 | K |
| Properties.cs:113:9:113:22 | SSA call def(this.Props) | Properties.cs:113:9:113:22 | call to method SetProps |
| Properties.cs:113:9:113:22 | SSA call def(this.Props.Props) | Properties.cs:113:9:113:22 | call to method SetProps |
| Properties.cs:113:9:113:22 | SSA qualifier def(this.Props.Props.xs) | Properties.cs:113:9:113:22 | call to method SetProps |
| Splitting.cs:3:18:3:18 | SSA param(b) | Splitting.cs:3:18:3:18 | b |
| Splitting.cs:7:13:7:19 | [b (line 3): true] SSA def(x) | Splitting.cs:7:13:7:19 | ... = ... |
| Splitting.cs:10:13:10:19 | [b (line 3): false] SSA def(x) | Splitting.cs:10:13:10:19 | ... = ... |
| Splitting.cs:22:18:22:18 | SSA param(b) | Splitting.cs:22:18:22:18 | b |
| Splitting.cs:29:13:29:19 | [b (line 22): false] SSA def(x) | Splitting.cs:29:13:29:19 | ... = ... |
| Splitting.cs:32:9:32:15 | [b (line 22): false] SSA def(x) | Splitting.cs:32:9:32:15 | ... = ... |
| Splitting.cs:32:9:32:15 | [b (line 22): true] SSA def(x) | Splitting.cs:32:9:32:15 | ... = ... |
| Splitting.cs:42:18:42:18 | SSA param(b) | Splitting.cs:42:18:42:18 | b |
| Splitting.cs:46:13:46:19 | [b (line 42): true] SSA def(x) | Splitting.cs:46:13:46:19 | ... = ... |
| Splitting.cs:49:13:49:19 | [b (line 42): false] SSA def(x) | Splitting.cs:49:13:49:19 | ... = ... |
| Test.cs:5:15:5:20 | SSA param(param1) | Test.cs:5:15:5:20 | param1 |
| Test.cs:5:67:5:72 | SSA param(param2) | Test.cs:5:67:5:72 | param2 |
| Test.cs:7:9:7:17 | SSA def(this.field) | Test.cs:7:9:7:17 | ... = ... |
| Test.cs:8:13:8:17 | SSA def(x) | Test.cs:8:13:8:17 | Int32 x = ... |
| Test.cs:13:13:13:15 | SSA def(x) | Test.cs:13:13:13:15 | ...++ |
| Test.cs:14:13:14:19 | SSA def(y) | Test.cs:14:13:14:19 | ... = ... |
| Test.cs:14:17:14:19 | SSA def(x) | Test.cs:14:17:14:19 | ++... |
| Test.cs:15:13:15:17 | SSA def(z) | Test.cs:15:13:15:17 | ... = ... |
| Test.cs:19:13:19:17 | SSA def(y) | Test.cs:19:13:19:17 | ... = ... |
| Test.cs:20:13:20:18 | SSA def(y) | Test.cs:20:13:20:18 | ... = ... |
| Test.cs:21:13:21:22 | SSA def(this.field) | Test.cs:21:13:21:22 | ... = ... |
| Test.cs:22:13:22:17 | SSA def(z) | Test.cs:22:13:22:17 | ... = ... |
| Test.cs:27:17:27:24 | SSA def(param1) | Test.cs:27:17:27:24 | ...++ |
| Test.cs:31:13:31:18 | SSA def(y) | Test.cs:31:13:31:18 | ... = ... |
| Test.cs:34:18:34:22 | SSA def(i) | Test.cs:34:18:34:22 | Int32 i = ... |
| Test.cs:34:33:34:35 | SSA def(i) | Test.cs:34:33:34:35 | ...++ |
| Test.cs:36:13:36:18 | SSA def(x) | Test.cs:36:13:36:18 | ... = ... |
| Test.cs:39:22:39:22 | SSA def(w) | Test.cs:39:22:39:22 | Int32 w |
| Test.cs:41:13:41:23 | SSA def(param1) | Test.cs:41:13:41:23 | ... = ... |
| Test.cs:46:10:46:10 | SSA entry def(this.field) | Test.cs:46:10:46:10 | g |
| Test.cs:46:16:46:18 | SSA param(in) | Test.cs:46:16:46:18 | in |
| Test.cs:50:13:50:20 | SSA def(out) | Test.cs:50:13:50:20 | ... = ... |
| Test.cs:54:13:54:20 | SSA def(out) | Test.cs:54:13:54:20 | ... = ... |
| Test.cs:57:9:57:17 | SSA def(this.field) | Test.cs:57:9:57:17 | ... = ... |
| Test.cs:68:45:68:45 | [exception: DivideByZeroException] SSA def(e) | Test.cs:68:45:68:45 | DivideByZeroException e |
| Tuples.cs:10:9:10:54 | SSA def(b) | Tuples.cs:10:9:10:54 | ... = ... |
| Tuples.cs:10:9:10:54 | SSA def(s) | Tuples.cs:10:9:10:54 | ... = ... |
| Tuples.cs:10:9:10:54 | SSA def(x) | Tuples.cs:10:9:10:54 | ... = ... |
| Tuples.cs:14:9:14:32 | SSA def(b) | Tuples.cs:14:9:14:32 | ... = ... |
| Tuples.cs:14:9:14:32 | SSA def(s) | Tuples.cs:14:9:14:32 | ... = ... |
| Tuples.cs:14:9:14:32 | SSA def(x) | Tuples.cs:14:9:14:32 | ... = ... |
| Tuples.cs:18:40:18:57 | SSA def(tuple) | Tuples.cs:18:40:18:57 | (Int32,(Boolean,String)) tuple = ... |
| Tuples.cs:20:9:20:34 | SSA def(this.Field) | Tuples.cs:20:9:20:34 | ... = ... |
| Tuples.cs:20:9:20:34 | SSA def(this.Property) | Tuples.cs:20:9:20:34 | ... = ... |
| Tuples.cs:23:9:23:37 | SSA def(x) | Tuples.cs:23:9:23:37 | ... = ... |
| Tuples.cs:25:13:25:28 | SSA def(t) | Tuples.cs:25:13:25:28 | Tuples t = ... |
| Tuples.cs:26:9:26:33 | SSA def(t.Field) | Tuples.cs:26:9:26:33 | ... = ... |
| Tuples.cs:26:9:26:33 | SSA def(this.Field) | Tuples.cs:26:9:26:33 | ... = ... |

4
csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.ql Normal file
View File

@@ -0,0 +1,4 @@
import csharp
from Ssa::Definition def
select def, def.getElement()

3
csharp/ql/test/library-tests/dispatch/CallGraph.expected
View File

@@ -175,4 +175,5 @@
| ViableCallable.cs:409:10:409:12 | Run | ViableCallable.cs:403:53:403:57 | M |
| ViableCallable.cs:409:10:409:12 | Run | ViableCallable.cs:405:42:405:46 | M |
| ViableCallable.cs:431:25:431:29 | M2 | ViableCallable.cs:442:17:442:23 | (...) => ... |
| ViableCallable.cs:436:9:436:9 | M | ViableCallable.cs:430:23:430:24 | M1 |
| ViableCallable.cs:436:10:436:10 | M | ViableCallable.cs:430:23:430:24 | M1 |
| ViableCallable.cs:436:10:436:10 | M | ViableCallable.cs:431:25:431:29 | M2 |

2
csharp/ql/test/library-tests/dispatch/GetADynamicTarget.expected
View File

@@ -399,5 +399,5 @@
| ViableCallable.cs:422:13:422:37 | call to method Mock | ViableCallable.Mock<A4>() |
| ViableCallable.cs:424:9:424:21 | call to method M | C15.A4.M<T1>() |
| ViableCallable.cs:424:9:424:21 | call to method M | C15.A5.M<T1>() |
| ViableCallable.cs:439:16:439:26 | call to method M1 | C16<String,Int32>.M1(string) |
| ViableCallable.cs:439:9:439:19 | call to method M1 | C16<String,Int32>.M1(string) |
| ViableCallable.cs:442:9:442:24 | call to method M2 | C16<String,Int32>.M2<T>(Func<T>) |

4
csharp/ql/test/library-tests/dispatch/ViableCallable.cs
View File

@@ -433,10 +433,10 @@ abstract class C16<T1, T2>
class C17 : C16<string, int>
{
int M(int i)
void M(int i)
{
// Viable callables: C16<string, int>.M1()
return this.M1("");
this.M1("");
// Viable callables: C16<string, int>.M2<int>()
this.M2(() => i);

5
csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.cs
View File

@@ -5,7 +5,7 @@ using System.Web;
public class StackTraceHandler : IHttpHandler
{
bool b;
public void ProcessRequest(HttpContext ctx)
{
try
@@ -54,7 +54,8 @@ public class StackTraceHandler : IHttpHandler
// Method that may throw an exception
public void doSomeWork()
{
throw new Exception();
if (b)
throw new Exception();
}
public void log(string s, Exception e)

23
javascript/ql/src/Statements/UselessConditional.ql
View File

@@ -65,17 +65,24 @@ predicate isInitialParameterUse(Expr e) {
}
/**
* Holds if `e` directly uses the returned value from a function call that returns a constant boolean value.
* Holds if `e` directly uses the returned value from functions that return constant boolean values.
*/
predicate isConstantBooleanReturnValue(Expr e) {
// unlike `SourceNode.flowsTo` this will not include uses we have refinement information for
exists(DataFlow::CallNode call | exists(call.analyze().getTheBooleanValue()) |
e = call.asExpr()
or
// also support return values that are assigned to variables
exists(SsaExplicitDefinition ssa |
ssa.getDef().getSource() = call.asExpr() and
ssa.getVariable().getAUse() = e
exists(string b | (b = "true" or b = "false") |
forex(DataFlow::CallNode call, Expr ret |
ret = call.getACallee().getAReturnedExpr() and
(
e = call.asExpr()
or
// also support return values that are assigned to variables
exists(SsaExplicitDefinition ssa |
ssa.getDef().getSource() = call.asExpr() and
ssa.getVariable().getAUse() = e
)
)
|
ret.(BooleanLiteral).getValue() = b
)
)
or

3
javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.expected
View File

@@ -22,6 +22,9 @@
| UselessConditional.js:102:19:102:19 | x | This use of variable 'x' always evaluates to false. |
| UselessConditional.js:103:23:103:23 | x | This use of variable 'x' always evaluates to false. |
| UselessConditional.js:109:15:109:16 | {} | This expression always evaluates to true. |
| UselessConditional.js:129:6:129:24 | constantUndefined() | This call to constantUndefined always evaluates to false. |
| UselessConditional.js:135:6:135:32 | constan ... ined1() | This call to constantFalseOrUndefined1 always evaluates to false. |
| UselessConditional.js:139:6:139:32 | constan ... ined2() | This call to constantFalseOrUndefined2 always evaluates to false. |
| UselessConditionalGood.js:58:12:58:13 | x2 | This use of variable 'x2' always evaluates to false. |
| UselessConditionalGood.js:69:12:69:13 | xy | This use of variable 'xy' always evaluates to false. |
| UselessConditionalGood.js:85:12:85:13 | xy | This use of variable 'xy' always evaluates to false. |

31
javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js
View File

@@ -109,4 +109,35 @@ async function awaitFlow(){
if ((x && {}) || y) {} // NOT OK
});
(function(){
function constantFalse1() {
return false;
}
if (constantFalse1()) // OK
return;
function constantFalse2() {
return false;
}
let constantFalse = unknown? constantFalse1 : constantFalse2;
if (constantFalse2()) // OK
return;
function constantUndefined() {
return undefined;
}
if (constantUndefined()) // NOT OK
return;
function constantFalseOrUndefined1() {
return unknown? false: undefined;
}
if (constantFalseOrUndefined1()) // NOT OK
return;
let constantFalseOrUndefined2 = unknown? constantFalse1 : constantUndefined;
if (constantFalseOrUndefined2()) // NOT OK
return;
});
// semmle-extractor-options: --experimental

14
python/ql/src/Expressions/IsComparisons.qll
View File

@@ -107,6 +107,20 @@ predicate invalid_portable_is_comparison(Compare comp, Cmpop op, ClassObject cls
left.refersTo(obj) and right.refersTo(obj) and
exists(ImmutableLiteral il | il.getLiteralObject() = obj)
)
and
/* OK to use 'is' when comparing with a member of an enum */
not exists(Expr left, Expr right, AstNode origin |
comp.compares(left, op, right) and
enum_member(origin) |
left.refersTo(_, origin) or right.refersTo(_, origin)
)
}
private predicate enum_member(AstNode obj) {
exists(ClassObject cls, AssignStmt asgn |
cls.getASuperType().getName() = "Enum" |
cls.getPyClass() = asgn.getScope() and
asgn.getValue() = obj
)
}

26
python/ql/src/Security/CWE-732/WeakFilePermissions.qhelp Normal file
View File

@@ -0,0 +1,26 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
When creating a file POSIX systems allow permissions to be specified
for owner, group and others separately. Permissions should be kept as
strict as possible, preventing access to the files contents by other users.
</p>
</overview>
<recommendation>
<p>
Restrict the file permissions of files to prevent any but the owner being able to read or write to that file
</p>
</recommendation>
<references>
<li>
Wikipedia:
<a href="https://en.wikipedia.org/wiki/File_system_permissions">File system permissions</a>.
</li>
</references>
</qhelp>

53
python/ql/src/Security/CWE-732/WeakFilePermissions.ql Normal file
View File

@@ -0,0 +1,53 @@
/**
* @name Overly permissive file permissions
* @description Allowing files to be readable or writable by users other than the owner may allow sensitive information to be accessed.
* @kind problem
* @id py/overly-permissive-file
* @problem.severity warning
* @sub-severity high
* @precision medium
* @tags external/cwe/cwe-732
* security
*/
import python
bindingset[p]
int world_permission(int p) {
result = p % 8
}
bindingset[p]
int group_permission(int p) {
result = (p/8) % 8
}
bindingset[p]
string access(int p) {
p%4 >= 2 and result = "writable" or
p%4 < 2 and p != 0 and result = "readable"
}
bindingset[p]
string permissive_permission(int p) {
result = "world " + access(world_permission(p))
or
world_permission(p) = 0 and result = "group " + access(group_permission(p))
}
predicate chmod_call(CallNode call, FunctionObject chmod, NumericObject num) {
any(ModuleObject os | os.getName() = "os").getAttribute("chmod") = chmod and
chmod.getACall() = call and call.getArg(1).refersTo(num)
}
predicate open_call(CallNode call, FunctionObject open, NumericObject num) {
any(ModuleObject os | os.getName() = "os").getAttribute("open") = open and
open.getACall() = call and call.getArg(2).refersTo(num)
}
from CallNode call, FunctionObject func, NumericObject num, string permission
where
(chmod_call(call, func, num) or open_call(call, func, num))
and
permission = permissive_permission(num.intValue())
select call, "Overly permissive mask in " + func.getName() + " sets file to " + permission + "."

7
python/ql/src/semmle/python/Variables.qll
View File

@@ -4,6 +4,13 @@ import python
/** A variable, either a global or local variable (including parameters) */
class Variable extends @py_variable {
Variable() {
exists(string name |
variable(this, _, name) and
not name = "*" and not name = "$"
)
}
/** Gets the identifier (name) of this variable */
string getId() {
variable(this, _, result)

57
python/ql/src/semmle/python/dataflow/SsaDefinitions.qll
View File

@@ -26,7 +26,11 @@ abstract class PythonSsaSourceVariable extends SsaSourceVariable {
}
override string getName() {
result = this.(Variable).getId()
variable(this, _, result)
}
Scope getScope() {
variable(this, result, _)
}
abstract ControlFlowNode getAnImplicitUse();
@@ -46,7 +50,7 @@ abstract class PythonSsaSourceVariable extends SsaSourceVariable {
/* Add a use at the end of scope for all variables to keep them live
* This is necessary for taint-tracking.
*/
result = this.(Variable).getScope().getANormalExit()
result = this.getScope().getANormalExit()
}
override predicate hasDefiningNode(ControlFlowNode def) {
@@ -107,7 +111,6 @@ class FunctionLocalVariable extends PythonSsaSourceVariable {
}
override ControlFlowNode getScopeEntryDefinition() {
not this.(LocalVariable).getId() = "*" and
exists(Scope s |
s.getEntryNode() = result |
s = this.(LocalVariable).getScope() and
@@ -146,7 +149,6 @@ class NonLocalVariable extends PythonSsaSourceVariable {
}
override CallNode redefinedAtCallSite() {
not this.(LocalVariable).getId() = "*" and
result.getScope().getScope*() = this.(LocalVariable).getScope()
}
@@ -163,7 +165,6 @@ class ClassLocalVariable extends PythonSsaSourceVariable {
}
override ControlFlowNode getScopeEntryDefinition() {
not this.(LocalVariable).getId() = "*" and
result = this.(LocalVariable).getScope().getEntryNode()
}
@@ -235,7 +236,6 @@ class ModuleVariable extends PythonSsaSourceVariable {
}
override ControlFlowNode getScopeEntryDefinition() {
not this.(GlobalVariable).getId() = "*" and
exists(Scope s |
s.getEntryNode() = result |
/* Module entry point */
@@ -253,13 +253,6 @@ class ModuleVariable extends PythonSsaSourceVariable {
this = scope.getOuterVariable(_) or
this.(Variable).getAUse().getScope() = scope
)
or
this.(GlobalVariable).getId() = "*" and
exists(Scope s |
s.getEntryNode() = result and
this.(Variable).getScope() = s and
exists(ImportStar is | is.getScope() = s)
)
}
override CallNode redefinedAtCallSite() { none() }
@@ -307,6 +300,29 @@ class EscapingGlobalVariable extends ModuleVariable {
}
class SpecialSsaSourceVariable extends PythonSsaSourceVariable {
SpecialSsaSourceVariable() {
variable(this, _, "*") or variable(this, _, "$")
}
override ControlFlowNode getAnImplicitUse() {
exists(ImportTimeScope s |
result = s.getANormalExit() and this.getScope() = s
)
}
override ControlFlowNode getScopeEntryDefinition() {
/* Module entry point */
this.getScope().getEntryNode() = result
}
override CallNode redefinedAtCallSite() {
result.(CallNode).getScope().getScope*() = this.(GlobalVariable).getScope()
}
}
private predicate variable_or_attribute_defined_out_of_scope(Variable v) {
exists(NameNode n | n.defines(v) and not n.getScope() = v.getScope())
or
@@ -330,7 +346,7 @@ cached module SsaSource {
/** Holds if `v` is used as the receiver in a method call. */
cached predicate method_call_refinement(Variable v, ControlFlowNode use, CallNode call) {
use = v.getAUse() and
use = v.getAUse() and
call.getFunction().(AttrNode).getObject() = use
}
@@ -387,16 +403,17 @@ cached module SsaSource {
/** Holds if the name of `var` refers to a submodule of a package and `f` is the entry point
* to the __init__ module of that package.
*/
cached predicate init_module_submodule_defn(Variable var, ControlFlowNode f) {
cached predicate init_module_submodule_defn(PythonSsaSourceVariable var, ControlFlowNode f) {
var instanceof GlobalVariable and
exists(Module init |
init.isPackageInit() and exists(init.getPackage().getSubModule(var.getId())) and
var instanceof GlobalVariable and init.getEntryNode() = f and
init.isPackageInit() and exists(init.getPackage().getSubModule(var.getName())) and
init.getEntryNode() = f and
var.getScope() = init
)
}
/** Holds if the `v` is in scope at a `from import ... *` and may thus be redefined by that statement */
cached predicate import_star_refinement(Variable v, ControlFlowNode use, ControlFlowNode def) {
cached predicate import_star_refinement(PythonSsaSourceVariable v, ControlFlowNode use, ControlFlowNode def) {
use = def and def instanceof ImportStarNode
and
(
@@ -443,7 +460,7 @@ cached module SsaSource {
}
private predicate refinement(Variable v, ControlFlowNode use, ControlFlowNode def) {
private predicate refinement(PythonSsaSourceVariable v, ControlFlowNode use, ControlFlowNode def) {
SsaSource::import_star_refinement(v, use, def)
or
SsaSource::attribute_assignment_refinement(v, use, def)
@@ -456,5 +473,5 @@ private predicate refinement(Variable v, ControlFlowNode use, ControlFlowNode de
or
SsaSource::method_call_refinement(v, use, def)
or
def = v.(PythonSsaSourceVariable).redefinedAtCallSite() and def = use
def = v.redefinedAtCallSite() and def = use
}

120
python/ql/src/semmle/python/pointsto/PointsTo.qll
View File

@@ -119,7 +119,7 @@ module PointsTo {
or
exists(Module init |
init = package.getInitModule().getModule() |
not exists(Variable v | v.getScope() = init | v.getId() = name or v.getId() = "*")
not exists(PythonSsaSourceVariable v | v.getScope() = init | v.getName() = name or v.getName() = "*")
or
exists(EssaVariable v, PointsToContext imp |
v.getScope() = init and v.getName() = "*" and v.getAUse() = init.getANormalExit() |
@@ -139,15 +139,15 @@ module PointsTo {
var.getSourceVariable().getName() = name and
ssa_variable_points_to(var, imp, obj, cls, orig) and
imp.isImport() and
not obj = undefinedVariable() |
obj != undefinedVariable() |
origin = origin_from_object_or_here(orig, exit)
)
or
not exists(EssaVariable var | var.getAUse() = m.getANormalExit() and var.getSourceVariable().getName() = name) and
exists(EssaVariable var, PointsToContext imp |
var.getAUse() = m.getANormalExit() and var.getSourceVariable().getName() = "*" |
var.getAUse() = m.getANormalExit() and var.getName() = "*" |
SSA::ssa_variable_named_attribute_points_to(var, imp, name, obj, cls, origin) and
imp.isImport() and not obj = undefinedVariable()
imp.isImport() and obj != undefinedVariable()
)
}
@@ -257,7 +257,7 @@ module PointsTo {
/** Holds if `f` is the instantiation of an object, `cls(...)`. */
cached predicate instantiation(CallNode f, PointsToContext context, ClassObject cls) {
points_to(f.getFunction(), context, cls, _, _) and
not cls = theTypeType() and
cls != theTypeType() and
Types::callToClassWillReturnInstance(cls)
}
@@ -312,7 +312,7 @@ module PointsTo {
)
or
exists(Object obj |
not obj = undefinedVariable() and
obj != undefinedVariable() and
py_module_attributes(mod.getModule(), name, obj, _, _)
) and result = true
or
@@ -345,7 +345,7 @@ module PointsTo {
private boolean package_exports_boolean(PackageObject pack, string name) {
explicitly_imported(pack.submodule(name)) and
(
not exists(pack.getInitModule())
pack.hasNoInitModule()
or
exists(ModuleObject init |
pack.getInitModule() = init |
@@ -381,9 +381,11 @@ module PointsTo {
exists(Object value |
points_to(guard.getLastNode(), context, value, _, _)
|
guard.controls(b, true) and not value.booleanValue() = false
guard.controls(b, _) and value.maybe()
or
guard.controls(b, false) and not value.booleanValue() = true
guard.controls(b, true) and value.booleanValue() = true
or
guard.controls(b, false) and value.booleanValue() = false
)
or
/* Assume the true edge of an assert is reachable (except for assert 0/False) */
@@ -402,9 +404,11 @@ module PointsTo {
exists(ConditionBlock guard, Object value |
points_to(guard.getLastNode(), context, value, _, _)
|
guard.controlsEdge(pred, succ, true) and not value.booleanValue() = false
guard.controlsEdge(pred, succ, _) and value.maybe()
or
guard.controlsEdge(pred, succ, false) and not value.booleanValue() = true
guard.controlsEdge(pred, succ, true) and value.booleanValue() = true
or
guard.controlsEdge(pred, succ, false) and value.booleanValue() = false
)
}
@@ -553,7 +557,7 @@ module PointsTo {
/** Gets an object pointed to by a use (of a variable). */
private predicate use_points_to(NameNode f, PointsToContext context, Object value, ClassObject cls, ControlFlowNode origin) {
exists(ObjectOrCfg origin_or_obj |
not value = undefinedVariable() and
value != undefinedVariable() and
use_points_to_maybe_origin(f, context, value, cls, origin_or_obj) |
origin = origin_from_object_or_here(origin_or_obj, f)
)
@@ -577,7 +581,7 @@ module PointsTo {
pragma [noinline]
private predicate class_or_module_attribute(Object obj, string name, Object value, ClassObject cls, ObjectOrCfg orig) {
/* Normal class attributes */
Types::class_attribute_lookup(obj, name, value, cls, orig) and not cls = theStaticMethodType() and not cls = theClassMethodType()
Types::class_attribute_lookup(obj, name, value, cls, orig) and cls != theStaticMethodType() and cls != theClassMethodType()
or
/* Static methods of the class */
exists(CallNode sm | Types::class_attribute_lookup(obj, name, sm, theStaticMethodType(), _) and sm.getArg(0) = value and cls = thePyFunctionType() and orig = value)
@@ -853,9 +857,13 @@ module PointsTo {
exists(Object operand |
points_to(f.getOperand(), context, operand, _, _)
|
not operand.booleanValue() = true and value = theTrueObject()
operand.maybe() and value = theTrueObject()
or
not operand.booleanValue() = false and value = theFalseObject()
operand.maybe() and value = theFalseObject()
or
operand.booleanValue() = false and value = theTrueObject()
or
operand.booleanValue() = true and value = theFalseObject()
)
}
@@ -1003,17 +1011,18 @@ module PointsTo {
pragma [noinline]
predicate call_points_to_builtin_function(CallNode f, PointsToContext context, Object value, ClassObject cls, ControlFlowNode origin) {
exists(BuiltinCallable b |
not b = builtin_object("isinstance") and
not b = builtin_object("issubclass") and
not b = builtin_object("callable") and
b != builtin_object("isinstance") and
b != builtin_object("issubclass") and
b != builtin_object("callable") and
f = get_a_call(b, context) and
cls = b.getAReturnType()
) and
f = origin and
if cls = theNoneType() then
value = theNoneObject()
else
value = f
(
cls = theNoneType() and value = theNoneObject()
or
cls != theNoneType() and value = f
)
}
/** Holds if call is to an object that always returns its first argument.
@@ -1160,7 +1169,7 @@ module PointsTo {
cls != theSuperType() and
exists(Object o |
/* list.__init__() is not a call to type.__init__() */
not o instanceof ClassObject |
o.notClass() |
points_to(n.(AttrNode).getObject(name), context, o, cls, _)
)
or
@@ -1203,12 +1212,14 @@ module PointsTo {
/** Holds if `func` implicitly returns the `None` object */
predicate implicitly_returns(PyFunctionObject func, Object none_, ClassObject noneType) {
noneType = theNoneType() and not func.getFunction().isGenerator() and none_ = theNoneObject() and
(
not exists(func.getAReturnedNode()) and exists(func.getFunction().getANormalExit())
or
exists(Return ret | ret.getScope() = func.getFunction() and not exists(ret.getValue()))
)
noneType = theNoneType() and none_ = theNoneObject() and
exists(Function f |
f = func.getFunction() and not f.isGenerator()
|
not exists(Return ret | ret.getScope() = f) and exists(f.getANormalExit())
or
exists(Return ret | ret.getScope() = f and not exists(ret.getValue()))
)
}
}
@@ -1244,7 +1255,10 @@ module PointsTo {
* is available to all functions. Although not strictly true, this gives less surprising
* results in practice. */
pred_context.isMain() and pred_scope instanceof Module and succ_context.fromRuntime() and
not strictcount(pred_var.getSourceVariable().(Variable).getAStore()) > 1
exists(Variable v |
v = pred_var.getSourceVariable() and
not strictcount(v.getAStore()) > 1
)
)
or
exists(NonEscapingGlobalVariable var |
@@ -1571,8 +1585,8 @@ module PointsTo {
deco = f.getADecorator().getAFlowNode() |
exists(Object o |
points_to(deco, _, o, _, _) |
not o = theStaticMethodType() and
not o = theClassMethodType()
o != theStaticMethodType() and
o != theClassMethodType()
)
or not deco instanceof NameNode
)
@@ -1589,7 +1603,7 @@ module PointsTo {
|
obj instanceof ClassObject and value = obj and cls = objcls
or
not obj instanceof ClassObject and value = objcls and cls = Types::class_get_meta_class(objcls)
obj.notClass() and value = objcls and cls = Types::class_get_meta_class(objcls)
)
}
@@ -1707,16 +1721,17 @@ module PointsTo {
call = def.getCall() and
var = def.getSourceVariable() and
context.untrackableCall(call) and
exists(PyFunctionObject modifier |
exists(PyFunctionObject modifier, Function f |
f = modifier.getFunction() and
call = get_a_call(modifier, context) and
not modifies_escaping_variable(modifier, var)
not modifies_escaping_variable(f, var)
)
)
}
private predicate modifies_escaping_variable(FunctionObject modifier, PythonSsaSourceVariable var) {
private predicate modifies_escaping_variable(Function modifier, PythonSsaSourceVariable var) {
exists(var.redefinedAtCallSite()) and
modifier.getFunction().getBody().contains(var.(Variable).getAStore())
modifier.getBody().contains(var.(Variable).getAStore())
}
pragma [noinline]
@@ -2320,7 +2335,7 @@ module PointsTo {
or
cls = theObjectType() and result = 0
or
exists(builtin_base_type(cls)) and not cls = theObjectType() and result = 1
exists(builtin_base_type(cls)) and cls != theObjectType() and result = 1
or
cls = theUnknownType() and result = 1
}
@@ -2476,7 +2491,7 @@ module PointsTo {
/** INTERNAL -- Use `ClassObject.declaredAttribute(name). instead. */
cached predicate class_declared_attribute(ClassObject owner, string name, Object value, ClassObject vcls, ObjectOrCfg origin) {
/* Note that src_var must be a local variable, we aren't interested in the value that any global variable may hold */
not value = undefinedVariable() and
value != undefinedVariable() and
exists(EssaVariable var, LocalVariable src_var |
var.getSourceVariable() = src_var and
src_var.getId() = name and
@@ -2561,7 +2576,12 @@ module PointsTo {
or
exists(int i | failed_inference(class_base_type(cls, i), _) and reason = "Failed inference for base class at position " + i)
or
exists(int i | strictcount(class_base_type(cls, i)) > 1 and reason = "Multiple bases at position " + i)
exists(int i, Object base1, Object base2 |
base1 = class_base_type(cls, i) and
base2 = class_base_type(cls, i) and
base1 != base2 and
reason = "Multiple bases at position " + i
)
or
exists(int i, int j | class_base_type(cls, i) = class_base_type(cls, j) and i != j and reason = "Duplicate bases classes")
or
@@ -2581,7 +2601,7 @@ module PointsTo {
private ClassObject declared_meta_class(ClassObject cls) {
exists(Object obj |
ssa_variable_points_to(metaclass_var(cls), _, obj, _, _) |
ssa_variable_points_to(metaclass_var(cls.getPyClass()), _, obj, _, _) |
result = obj
or
obj = unknownValue() and result = theUnknownType()
@@ -2597,28 +2617,30 @@ module PointsTo {
private boolean has_metaclass_var_metaclass(ClassObject cls) {
exists(Object obj |
ssa_variable_points_to(metaclass_var(cls), _, obj, _, _) |
ssa_variable_points_to(metaclass_var(cls.getPyClass()), _, obj, _, _) |
obj = undefinedVariable() and result = false
or
obj != undefinedVariable() and result = true
)
or
not exists(metaclass_var(cls)) and result = false
exists(Class pycls |
pycls = cls.getPyClass() and
not exists(metaclass_var(pycls)) and result = false
)
}
private boolean has_declared_metaclass(ClassObject cls) {
py_cobjecttypes(cls, _) and result = true
or
not cls.isBuiltin() and
result = has_six_add_metaclass(cls).booleanOr(has_metaclass_var_metaclass(cls))
}
private EssaVariable metaclass_var(ClassObject cls) {
result.getASourceUse() = cls.getPyClass().getMetaClass().getAFlowNode()
private EssaVariable metaclass_var(Class cls) {
result.getASourceUse() = cls.getMetaClass().getAFlowNode()
or
major_version() = 2 and not exists(cls.getPyClass().getMetaClass()) and
major_version() = 2 and not exists(cls.getMetaClass()) and
result.getName() = "__metaclass__" and
cls.getPyClass().(ImportTimeScope).entryEdge(result.getAUse(), _)
cls.(ImportTimeScope).entryEdge(result.getAUse(), _)
}
private ClassObject get_inherited_metaclass(ClassObject cls) {
@@ -2628,7 +2650,7 @@ module PointsTo {
exists(Object base |
base = class_base_type(cls, _) and
result = theUnknownType() |
not base instanceof ClassObject
base.notClass()
or
base = theUnknownType()
)

4
python/ql/src/semmle/python/types/ClassObject.qll
View File

@@ -392,6 +392,10 @@ class ClassObject extends Object {
result.getFunction().refersTo(this)
}
predicate notClass() {
none()
}
}
/** The 'str' class. This is the same as the 'bytes' class for

8
python/ql/src/semmle/python/types/ModuleObject.qll
View File

@@ -226,6 +226,14 @@ class PackageObject extends ModuleObject {
result.getModule() = this.getModule().getInitModule()
}
/** Holds if this package has no `__init__.py` file. */
predicate hasNoInitModule() {
not exists(Module m |
m.isPackageInit() and
m.getFile().getParent() = this.getPath()
)
}
override predicate exportsComplete() {
not exists(this.getInitModule())
or

8
python/ql/src/semmle/python/types/Object.qll
View File

@@ -151,6 +151,14 @@ class Object extends @py_object {
)
}
final predicate maybe() {
not exists(this.booleanValue())
}
predicate notClass() {
any()
}
/** Holds if this object can be referred to by `longName`
* For example, the modules `dict` in the `sys` module
* has the long name `sys.modules` and the name `os.path.join`

10
python/ql/src/semmle/python/web/tornado/Request.qll
View File

@@ -15,16 +15,22 @@ class TornadoRequest extends TaintKind {
result instanceof ExternalStringDictKind and
(
name = "headers" or
name = "arguments" or
name = "cookies"
)
or
result instanceof ExternalStringKind and
(
name = "path" or
name = "uri" or
name = "query" or
name = "body"
)
or
result instanceof ExternalStringSequenceDictKind and
(
name = "arguments" or
name = "query_arguments" or
name = "body_arguments"
)
}
}

3
python/ql/src/semmle/python/web/twisted/Request.qll
View File

@@ -19,8 +19,7 @@ class TwistedRequest extends TaintKind {
or
result instanceof ExternalStringKind and
(
name = "uri" or
name = "path"
name = "uri"
)
}

6
python/ql/test/library-tests/PointsTo/new/Dataflow.expected
View File

@@ -1,14 +1,11 @@
| __init__.py:0 | *_0 = ScopeEntryDefinition |
| __init__.py:0 | __name___0 = ScopeEntryDefinition |
| __init__.py:0 | __package___0 = ScopeEntryDefinition |
| __init__.py:0 | module2_0 = ImplicitSubModuleDefinition |
| __init__.py:0 | moduleX_0 = ImplicitSubModuleDefinition |
| __init__.py:0 | sys_0 = ScopeEntryDefinition |
| __init__.py:1 | *_1 = ImportStarRefinement(*_0) |
| __init__.py:1 | __name___1 = ImportStarRefinement(__name___0) |
| __init__.py:1 | __package___1 = ImportStarRefinement(__package___0) |
| __init__.py:1 | sys_1 = ImportStarRefinement(sys_0) |
| __init__.py:2 | *_2 = ImportStarRefinement(*_1) |
| __init__.py:2 | __name___2 = ImportStarRefinement(__name___1) |
| __init__.py:2 | __package___2 = ImportStarRefinement(__package___1) |
| __init__.py:2 | module_0 = ImportMember |
@@ -498,7 +495,6 @@
| h_classes.py:52 | arg1_0 = ParameterDefinition |
| h_classes.py:52 | n_0 = FunctionExpr |
| h_classes.py:52 | self_0 = ParameterDefinition |
| i_imports.py:0 | *_0 = ScopeEntryDefinition |
| i_imports.py:0 | BytesIO_0 = ScopeEntryDefinition |
| i_imports.py:0 | StringIO_0 = ScopeEntryDefinition |
| i_imports.py:0 | __name___0 = ScopeEntryDefinition |
@@ -513,7 +509,6 @@
| i_imports.py:3 | a_0 = IntegerLiteral |
| i_imports.py:4 | b_0 = IntegerLiteral |
| i_imports.py:5 | c_0 = IntegerLiteral |
| i_imports.py:7 | *_1 = ImportStarRefinement(*_0) |
| i_imports.py:7 | BytesIO_1 = ImportStarRefinement(BytesIO_0) |
| i_imports.py:7 | StringIO_1 = ImportStarRefinement(StringIO_0) |
| i_imports.py:7 | __name___1 = ImportStarRefinement(__name___0) |
@@ -528,7 +523,6 @@
| i_imports.py:13 | argv_1 = ImportMember |
| i_imports.py:17 | sys_1 = ImportExpr |
| i_imports.py:23 | code_1 = ImportExpr |
| i_imports.py:27 | *_2 = ImportStarRefinement(*_1) |
| i_imports.py:27 | __name___2 = ImportStarRefinement(__name___1) |
| i_imports.py:27 | __package___2 = ImportStarRefinement(__package___1) |
| i_imports.py:27 | a_2 = ImportStarRefinement(a_1) |

2
python/ql/test/library-tests/PointsTo/new/Dataflow.ql
View File

@@ -4,5 +4,5 @@ import python
import Util
from EssaVariable v, EssaDefinition def
where def = v.getDefinition()
where def = v.getDefinition() and not v.getSourceVariable() instanceof SpecialSsaSourceVariable
select locate(def.getLocation(), "abdefghijknrs_"), v.getRepresentation() + " = " + def.getRepresentation()

10
python/ql/test/library-tests/PointsTo/new/SsaAttr.expected
View File

@@ -37,16 +37,6 @@
| g_class_init.py:52 | self_3 | version | phi(self_1, self_2) | 'v2' | runtime |
| g_class_init.py:52 | self_3 | version | phi(self_1, self_2) | 'v3' | runtime |
| g_class_init.py:54 | self_1 | version | Pi(self_0) [true] | 'v2' | runtime |
| i_imports.py:7 | *_1 | x | ImportStarRefinement(*_0) | float 1.0 | import |
| i_imports.py:7 | *_1 | y | ImportStarRefinement(*_0) | float 2.0 | import |
| i_imports.py:27 | *_2 | module1 | ImportStarRefinement(*_1) | Module code.test_package.module1 | import |
| i_imports.py:27 | *_2 | module2 | ImportStarRefinement(*_1) | Module code.test_package.module2 | import |
| i_imports.py:27 | *_2 | p | ImportStarRefinement(*_1) | int 1 | import |
| i_imports.py:27 | *_2 | q | ImportStarRefinement(*_1) | int 2 | import |
| i_imports.py:27 | *_2 | r | ImportStarRefinement(*_1) | Dict | import |
| i_imports.py:27 | *_2 | s | ImportStarRefinement(*_1) | NoneType None | import |
| i_imports.py:27 | *_2 | x | ImportStarRefinement(*_1) | float 1.0 | import |
| i_imports.py:27 | *_2 | y | ImportStarRefinement(*_1) | float 2.0 | import |
| k_getsetattr.py:6 | self_0 | a | ParameterDefinition | float 7.0 | code/k_getsetattr.py:15 from runtime |
| k_getsetattr.py:6 | self_0 | c | ParameterDefinition | int 2 | code/k_getsetattr.py:15 from runtime |
| k_getsetattr.py:7 | self_1 | a | ArgumentRefinement(self_0) | int 0 | code/k_getsetattr.py:15 from runtime |

2
python/ql/test/library-tests/PointsTo/new/SsaAttr.ql
View File

@@ -5,7 +5,7 @@ private import semmle.python.pointsto.PointsToContext
import Util
from EssaVariable var, string name, Object o, PointsToContext ctx
where PointsTo::Test::ssa_variable_named_attribute_points_to(var, ctx, name, o, _, _)
where PointsTo::Test::ssa_variable_named_attribute_points_to(var, ctx, name, o, _, _) and not var.getSourceVariable() instanceof SpecialSsaSourceVariable
select
locate(var.getDefinition().getLocation(), "abdfgikm"), var.getRepresentation(),
name, var.getDefinition().getRepresentation(), repr(o), ctx

3
python/ql/test/library-tests/PointsTo/new/SsaUses.expected
View File

@@ -1,4 +1,3 @@
| __init__.py:0 | *_2 | Exit node for Module code.test_package.__init__ |
| __init__.py:0 | __name___0 | Exit node for Module code.__init__ |
| __init__.py:0 | __name___0 | Exit node for Module code.package.__init__ |
| __init__.py:0 | __name___2 | Exit node for Module code.test_package.__init__ |
@@ -12,11 +11,9 @@
| __init__.py:0 | moduleX_1 | Exit node for Module code.package.__init__ |
| __init__.py:0 | module_0 | Exit node for Module code.package.__init__ |
| __init__.py:0 | sys_2 | Exit node for Module code.test_package.__init__ |
| __init__.py:1 | *_0 | ControlFlowNode for from module1 import * |
| __init__.py:1 | __name___0 | ControlFlowNode for from module1 import * |
| __init__.py:1 | __package___0 | ControlFlowNode for from module1 import * |
| __init__.py:1 | sys_0 | ControlFlowNode for from module1 import * |
| __init__.py:2 | *_1 | ControlFlowNode for from module2 import * |
| __init__.py:2 | __name___1 | ControlFlowNode for from module2 import * |
| __init__.py:2 | __package___1 | ControlFlowNode for from module2 import * |
| __init__.py:2 | sys_1 | ControlFlowNode for from module2 import * |

2
python/ql/test/library-tests/PointsTo/new/SsaUses.ql
View File

@@ -5,5 +5,5 @@ import semmle.python.pointsto.PointsTo
import Util
from EssaVariable var, ControlFlowNode use
where use = var.getAUse()
where use = var.getAUse() and not var.getSourceVariable() instanceof SpecialSsaSourceVariable
select locate(use.getLocation(), "abdeghjks_"), var.getRepresentation(), use.toString()

257
python/ql/test/library-tests/ast/Child.expected
View File

@@ -1,257 +0,0 @@
| test.py:0:0 | Module test | test.py:5:1 | ClassDef |
| test.py:0:0 | Module test | test.py:11:1 | FunctionDef |
| test.py:0:0 | Module test | test.py:14:1 | FunctionDef |
| test.py:0:0 | Module test | test.py:17:1 | FunctionDef |
| test.py:0:0 | Module test | test.py:51:1 | FunctionDef |
| test.py:2:2 | deco1() | test.py:2:2 | deco1 |
| test.py:2:2 | deco1() | test.py:3:1 | deco2()() |
| test.py:3:1 | deco2() | test.py:3:2 | deco2 |
| test.py:3:1 | deco2()() | test.py:3:1 | deco2() |
| test.py:3:1 | deco2()() | test.py:4:2 | Attribute() |
| test.py:4:2 | Attribute | test.py:4:2 | Attribute |
| test.py:4:2 | Attribute | test.py:4:2 | deco3 |
| test.py:4:2 | Attribute() | test.py:4:2 | Attribute |
| test.py:4:2 | Attribute() | test.py:5:1 | ClassExpr |
| test.py:5:1 | Class C | test.py:7:5 | FunctionDef |
| test.py:5:1 | ClassDef | test.py:2:2 | deco1() |
| test.py:5:1 | ClassDef | test.py:5:7 | C |
| test.py:5:1 | ClassExpr | test.py:5:1 | Class C |
| test.py:5:1 | ClassExpr | test.py:5:9 | Base |
| test.py:7:5 | Function __init__ | test.py:7:18 | self |
| test.py:7:5 | Function __init__ | test.py:8:9 | Pass |
| test.py:7:5 | FunctionDef | test.py:7:5 | FunctionExpr |
| test.py:7:5 | FunctionDef | test.py:7:9 | __init__ |
| test.py:7:5 | FunctionExpr | test.py:7:5 | Function __init__ |
| test.py:10:1 | Attribute() | test.py:10:2 | Attribute |
| test.py:10:1 | Attribute()() | test.py:10:1 | Attribute() |
| test.py:10:1 | Attribute()() | test.py:11:1 | FunctionExpr |
| test.py:10:2 | Attribute | test.py:10:2 | deco4 |
| test.py:11:1 | Function f | test.py:12:5 | Pass |
| test.py:11:1 | FunctionDef | test.py:10:1 | Attribute()() |
| test.py:11:1 | FunctionDef | test.py:11:5 | f |
| test.py:11:1 | FunctionExpr | test.py:11:1 | Function f |
| test.py:14:1 | Function f | test.py:14:7 | pos0 |
| test.py:14:1 | Function f | test.py:14:13 | pos1 |
| test.py:14:1 | Function f | test.py:14:20 | args |
| test.py:14:1 | Function f | test.py:14:28 | kwargs |
| test.py:14:1 | Function f | test.py:15:5 | Pass |
| test.py:14:1 | FunctionDef | test.py:14:1 | FunctionExpr |
| test.py:14:1 | FunctionDef | test.py:14:5 | f |
| test.py:14:1 | FunctionExpr | test.py:14:1 | Function f |
| test.py:17:1 | Function simple_stmts | test.py:18:5 | Pass |
| test.py:17:1 | Function simple_stmts | test.py:19:5 | ExprStmt |
| test.py:17:1 | Function simple_stmts | test.py:19:13 | Delete |
| test.py:17:1 | Function simple_stmts | test.py:19:20 | Pass |
| test.py:17:1 | Function simple_stmts | test.py:20:5 | If |
| test.py:17:1 | Function simple_stmts | test.py:24:5 | AssignStmt |
| test.py:17:1 | Function simple_stmts | test.py:44:5 | ExprStmt |
| test.py:17:1 | Function simple_stmts | test.py:45:5 | ExprStmt |
| test.py:17:1 | Function simple_stmts | test.py:46:5 | ExprStmt |
| test.py:17:1 | Function simple_stmts | test.py:47:5 | ExprStmt |
| test.py:17:1 | Function simple_stmts | test.py:48:5 | ExprStmt |
| test.py:17:1 | Function simple_stmts | test.py:49:5 | ExprStmt |
| test.py:17:1 | FunctionDef | test.py:17:1 | FunctionExpr |
| test.py:17:1 | FunctionDef | test.py:17:5 | simple_stmts |
| test.py:17:1 | FunctionExpr | test.py:17:1 | Function simple_stmts |
| test.py:19:5 | ExprStmt | test.py:19:5 | foo() |
| test.py:19:5 | foo() | test.py:19:5 | foo |
| test.py:19:13 | Delete | test.py:19:17 | x |
| test.py:20:5 | If | test.py:20:8 | thing |
| test.py:20:5 | If | test.py:21:9 | For |
| test.py:21:9 | For | test.py:21:13 | a |
| test.py:21:9 | For | test.py:21:18 | b |
| test.py:21:9 | For | test.py:22:13 | Pass |
| test.py:24:5 | AssignStmt | test.py:24:5 | tmp |
| test.py:24:5 | AssignStmt | test.py:25:9 | Yield |
| test.py:25:9 | Yield | test.py:25:15 | Tuple |
| test.py:25:15 | Tuple | test.py:25:15 | IntegerLiteral |
| test.py:25:15 | Tuple | test.py:26:9 | name |
| test.py:25:15 | Tuple | test.py:27:9 | Attribute |
| test.py:25:15 | Tuple | test.py:28:9 | BinaryExpr |
| test.py:25:15 | Tuple | test.py:29:9 | BinaryExpr |
| test.py:25:15 | Tuple | test.py:30:9 | BinaryExpr |
| test.py:25:15 | Tuple | test.py:31:9 | Attribute |
| test.py:25:15 | Tuple | test.py:32:9 | Subscript |
| test.py:25:15 | Tuple | test.py:33:9 | Lambda |
| test.py:25:15 | Tuple | test.py:34:9 | BoolExpr |
| test.py:25:15 | Tuple | test.py:35:9 | Compare |
| test.py:25:15 | Tuple | test.py:36:9 | DictComp |
| test.py:25:15 | Tuple | test.py:37:9 | SetComp |
| test.py:25:15 | Tuple | test.py:38:9 | ListComp |
| test.py:25:15 | Tuple | test.py:39:9 | List |
| test.py:25:15 | Tuple | test.py:40:9 | Dict |
| test.py:25:15 | Tuple | test.py:41:9 | Tuple |
| test.py:25:15 | Tuple | test.py:42:10 | Tuple |
| test.py:27:9 | Attribute | test.py:27:9 | attr |
| test.py:28:9 | BinaryExpr | test.py:28:9 | a |
| test.py:28:9 | BinaryExpr | test.py:28:13 | b |
| test.py:29:9 | BinaryExpr | test.py:29:9 | IntegerLiteral |
| test.py:29:9 | BinaryExpr | test.py:29:13 | IntegerLiteral |
| test.py:30:9 | BinaryExpr | test.py:30:9 | FloatLiteral |
| test.py:30:9 | BinaryExpr | test.py:30:15 | IntegerLiteral |
| test.py:31:9 | Attribute | test.py:31:9 | Attribute |
| test.py:31:9 | Attribute | test.py:31:9 | a |
| test.py:32:9 | Attribute | test.py:32:9 | a() |
| test.py:32:9 | Subscript | test.py:32:9 | Attribute |
| test.py:32:9 | Subscript | test.py:32:15 | c |
| test.py:32:9 | a() | test.py:32:9 | a |
| test.py:33:9 | Function lambda | test.py:33:16 | x |
| test.py:33:9 | Function lambda | test.py:33:19 | Return |
| test.py:33:9 | Lambda | test.py:33:9 | Function lambda |
| test.py:33:19 | BinaryExpr | test.py:33:19 | x |
| test.py:33:19 | BinaryExpr | test.py:33:21 | IntegerLiteral |
| test.py:33:19 | Return | test.py:33:19 | BinaryExpr |
| test.py:34:9 | BoolExpr | test.py:34:9 | p |
| test.py:34:9 | BoolExpr | test.py:34:14 | BoolExpr |
| test.py:34:14 | BoolExpr | test.py:34:14 | q |
| test.py:34:14 | BoolExpr | test.py:34:20 | BinaryExpr |
| test.py:34:20 | BinaryExpr | test.py:34:20 | r |
| test.py:34:20 | BinaryExpr | test.py:34:24 | s |
| test.py:35:9 | Compare | test.py:35:9 | a |
| test.py:35:9 | Compare | test.py:35:13 | b |
| test.py:35:9 | Compare | test.py:35:17 | c |
| test.py:35:9 | Compare | test.py:35:22 | IntegerLiteral |
| test.py:36:9 | DictComp | test.py:36:9 | Function dictcomp |
| test.py:36:9 | DictComp | test.py:36:26 | x |
| test.py:36:9 | For | test.py:36:9 | .0 |
| test.py:36:9 | For | test.py:36:9 | For |
| test.py:36:9 | For | test.py:36:11 | ExprStmt |
| test.py:36:9 | For | test.py:36:21 | z |
| test.py:36:9 | For | test.py:36:32 | y |
| test.py:36:9 | For | test.py:36:37 | z |
| test.py:36:9 | Function dictcomp | test.py:36:9 | .0 |
| test.py:36:9 | Function dictcomp | test.py:36:9 | For |
| test.py:36:11 | ExprStmt | test.py:36:11 | Yield |
| test.py:36:11 | Tuple | test.py:36:11 | IntegerLiteral |
| test.py:36:11 | Tuple | test.py:36:15 | y |
| test.py:36:11 | Yield | test.py:36:11 | Tuple |
| test.py:37:9 | For | test.py:37:9 | .0 |
| test.py:37:9 | For | test.py:37:9 | For |
| test.py:37:9 | For | test.py:37:12 | ExprStmt |
| test.py:37:9 | For | test.py:37:22 | z |
| test.py:37:9 | For | test.py:37:33 | y |
| test.py:37:9 | For | test.py:37:38 | z |
| test.py:37:9 | Function setcomp | test.py:37:9 | .0 |
| test.py:37:9 | Function setcomp | test.py:37:9 | For |
| test.py:37:9 | SetComp | test.py:37:9 | Function setcomp |
| test.py:37:9 | SetComp | test.py:37:27 | x |
| test.py:37:12 | ExprStmt | test.py:37:12 | Yield |
| test.py:37:12 | Tuple | test.py:37:12 | IntegerLiteral |
| test.py:37:12 | Tuple | test.py:37:15 | y |
| test.py:37:12 | Yield | test.py:37:12 | Tuple |
| test.py:38:9 | For | test.py:38:9 | .0 |
| test.py:38:9 | For | test.py:38:11 | ExprStmt |
| test.py:38:9 | For | test.py:38:20 | y |
| test.py:38:9 | Function listcomp | test.py:38:9 | .0 |
| test.py:38:9 | Function listcomp | test.py:38:9 | For |
| test.py:38:9 | ListComp | test.py:38:9 | Function listcomp |
| test.py:38:9 | ListComp | test.py:38:25 | z |
| test.py:38:11 | BinaryExpr | test.py:38:11 | y |
| test.py:38:11 | BinaryExpr | test.py:38:14 | IntegerLiteral |
| test.py:38:11 | ExprStmt | test.py:38:11 | Yield |
| test.py:38:11 | Yield | test.py:38:11 | BinaryExpr |
| test.py:42:10 | Tuple | test.py:42:10 | IntegerLiteral |
| test.py:44:5 | ExprStmt | test.py:44:5 | foo() |
| test.py:44:5 | foo() | test.py:44:5 | foo |
| test.py:44:5 | foo() | test.py:44:9 | IntegerLiteral |
| test.py:45:5 | ExprStmt | test.py:45:5 | foo() |
| test.py:45:5 | foo() | test.py:45:5 | foo |
| test.py:45:5 | foo() | test.py:45:9 | Keyword |
| test.py:45:9 | Keyword | test.py:45:11 | IntegerLiteral |
| test.py:46:5 | ExprStmt | test.py:46:5 | foo() |
| test.py:46:5 | foo() | test.py:46:5 | foo |
| test.py:46:5 | foo() | test.py:46:9 | IntegerLiteral |
| test.py:46:5 | foo() | test.py:46:11 | IntegerLiteral |
| test.py:46:5 | foo() | test.py:46:13 | Starred |
| test.py:46:13 | Starred | test.py:46:14 | t |
| test.py:47:5 | ExprStmt | test.py:47:5 | foo() |
| test.py:47:5 | foo() | test.py:47:5 | foo |
| test.py:47:5 | foo() | test.py:47:9 | IntegerLiteral |
| test.py:47:5 | foo() | test.py:47:11 | Keyword |
| test.py:47:5 | foo() | test.py:47:15 | Starred |
| test.py:47:11 | Keyword | test.py:47:13 | IntegerLiteral |
| test.py:47:15 | Starred | test.py:47:16 | t |
| test.py:48:5 | ExprStmt | test.py:48:5 | foo() |
| test.py:48:5 | foo() | test.py:48:5 | foo |
| test.py:48:5 | foo() | test.py:48:9 | IntegerLiteral |
| test.py:48:5 | foo() | test.py:48:11 | Keyword |
| test.py:48:5 | foo() | test.py:48:15 | Starred |
| test.py:48:5 | foo() | test.py:48:18 | DictUnpacking |
| test.py:48:11 | Keyword | test.py:48:13 | IntegerLiteral |
| test.py:48:15 | Starred | test.py:48:16 | t |
| test.py:48:18 | DictUnpacking | test.py:48:20 | d |
| test.py:49:5 | ExprStmt | test.py:49:5 | f() |
| test.py:49:5 | f() | test.py:49:5 | f |
| test.py:49:5 | f() | test.py:49:7 | DictUnpacking |
| test.py:49:7 | DictUnpacking | test.py:49:9 | d |
| test.py:51:1 | Function compound_stmts | test.py:52:5 | If |
| test.py:51:1 | Function compound_stmts | test.py:56:5 | While |
| test.py:51:1 | Function compound_stmts | test.py:61:5 | For |
| test.py:51:1 | Function compound_stmts | test.py:63:5 | With |
| test.py:51:1 | Function compound_stmts | test.py:65:5 | Try |
| test.py:51:1 | Function compound_stmts | test.py:69:5 | Try |
| test.py:51:1 | Function compound_stmts | test.py:73:5 | Try |
| test.py:51:1 | Function compound_stmts | test.py:77:5 | Try |
| test.py:51:1 | Function compound_stmts | test.py:81:5 | Try |
| test.py:51:1 | Function compound_stmts | test.py:87:5 | Try |
| test.py:51:1 | FunctionDef | test.py:51:1 | FunctionExpr |
| test.py:51:1 | FunctionDef | test.py:51:5 | compound_stmts |
| test.py:51:1 | FunctionExpr | test.py:51:1 | Function compound_stmts |
| test.py:52:5 | If | test.py:52:8 | cond |
| test.py:52:5 | If | test.py:53:9 | Return |
| test.py:52:5 | If | test.py:55:9 | Raise |
| test.py:53:9 | Return | test.py:53:16 | x |
| test.py:55:9 | Raise | test.py:55:15 | y |
| test.py:56:5 | While | test.py:56:11 | True |
| test.py:56:5 | While | test.py:57:9 | If |
| test.py:57:9 | If | test.py:57:12 | cond |
| test.py:57:9 | If | test.py:58:13 | Break |
| test.py:57:9 | If | test.py:60:13 | Continue |
| test.py:61:5 | For | test.py:61:9 | x |
| test.py:61:5 | For | test.py:61:14 | y |
| test.py:61:5 | For | test.py:62:9 | Pass |
| test.py:63:5 | With | test.py:63:5 | With |
| test.py:63:5 | With | test.py:63:10 | a |
| test.py:63:5 | With | test.py:63:15 | b |
| test.py:63:5 | With | test.py:63:18 | c |
| test.py:63:5 | With | test.py:63:23 | d |
| test.py:63:5 | With | test.py:64:9 | ExprStmt |
| test.py:64:9 | ExprStmt | test.py:64:9 | body |
| test.py:65:5 | Try | test.py:66:9 | ExprStmt |
| test.py:65:5 | Try | test.py:67:5 | ExceptStmt |
| test.py:66:9 | ExprStmt | test.py:66:9 | t1 |
| test.py:67:5 | ExceptStmt | test.py:68:9 | ExprStmt |
| test.py:68:9 | ExprStmt | test.py:68:9 | e1 |
| test.py:69:5 | Try | test.py:70:9 | ExprStmt |
| test.py:69:5 | Try | test.py:71:5 | ExceptStmt |
| test.py:70:9 | ExprStmt | test.py:70:9 | t2 |
| test.py:71:5 | ExceptStmt | test.py:71:12 | Exception |
| test.py:71:5 | ExceptStmt | test.py:72:9 | ExprStmt |
| test.py:72:9 | ExprStmt | test.py:72:9 | e2 |
| test.py:73:5 | Try | test.py:74:9 | ExprStmt |
| test.py:73:5 | Try | test.py:75:5 | ExceptStmt |
| test.py:74:9 | ExprStmt | test.py:74:9 | t3 |
| test.py:75:5 | ExceptStmt | test.py:75:12 | Exception |
| test.py:75:5 | ExceptStmt | test.py:75:25 | ex |
| test.py:75:5 | ExceptStmt | test.py:76:9 | ExprStmt |
| test.py:76:9 | ExprStmt | test.py:76:9 | e3 |
| test.py:77:5 | Try | test.py:78:9 | ExprStmt |
| test.py:77:5 | Try | test.py:80:9 | ExprStmt |
| test.py:78:9 | ExprStmt | test.py:78:9 | t4 |
| test.py:80:9 | ExprStmt | test.py:80:9 | f4 |
| test.py:81:5 | Try | test.py:82:9 | ExprStmt |
| test.py:81:5 | Try | test.py:83:5 | ExceptStmt |
| test.py:81:5 | Try | test.py:86:9 | ExprStmt |
| test.py:82:9 | ExprStmt | test.py:82:9 | t5 |
| test.py:83:5 | ExceptStmt | test.py:83:12 | Exception |
| test.py:83:5 | ExceptStmt | test.py:83:25 | ex |
| test.py:83:5 | ExceptStmt | test.py:84:9 | ExprStmt |
| test.py:84:9 | ExprStmt | test.py:84:9 | e5 |
| test.py:86:9 | ExprStmt | test.py:86:9 | f5 |
| test.py:87:5 | Try | test.py:88:9 | ExprStmt |
| test.py:87:5 | Try | test.py:90:9 | Try |
| test.py:88:9 | ExprStmt | test.py:88:9 | t6 |
| test.py:90:9 | Try | test.py:91:13 | ExprStmt |
| test.py:90:9 | Try | test.py:93:13 | ExprStmt |
| test.py:91:13 | ExprStmt | test.py:91:13 | t7 |
| test.py:93:13 | ExprStmt | test.py:93:13 | f7 |

7
python/ql/test/library-tests/ast/Child.ql
View File

@@ -1,7 +0,0 @@
import python
import semmle.python.TestUtils
from AstNode p, AstNode c
where p.getAChildNode() = c
select compact_location(p), p.toString(), compact_location(c), c.toString()

94
python/ql/test/library-tests/ast/test.py
View File

@@ -1,94 +0,0 @@
@deco1
@deco2()
@deco3.attr1.attr2
class C(Base):
def __init__(self):
pass
@deco4.attr()
def f():
pass
def f(pos0, pos1, *args, **kwargs):
pass
def simple_stmts():
pass
foo() ; del x; pass
if thing:
for a in b:
pass
#Expressions
tmp = (
yield 3,
name,
attr.attrname,
a + b,
3 & 4,
3.0 * 4,
a.b.c.d,
a().b[c],
lambda x: x+1,
p or q and r ^ s,
a < b > c in 5,
{ 1 : y for z in x for y in z},
{ (1, y) for z in x for y in z},
[ y**2 for y in z ],
[],
{},
(),
(1,),
)
foo(1)
foo(a=1)
foo(1,2,*t)
foo(1,a=1,*t)
foo(1,a=1,*t,**d)
f(**d)
def compound_stmts():
if cond:
return x
else:
raise y
while True:
if cond:
break
else:
continue
for x in y:
pass
with a as b, c as d:
body
try:
t1
except:
e1
try:
t2
except Exception:
e2
try:
t3
except Exception as ex:
e3
try:
t4
finally:
f4
try:
t5
except Exception as ex:
e5
finally:
f5
try:
t6
finally:
try:
t7
finally:
f7

20
python/ql/test/query-tests/Expressions/eq/expressions_test.py
View File

@@ -24,7 +24,7 @@
#ODASA-4519
#OK as we are using identity tests for unique objects
V2 = "v2"
V3 = "v3"
@@ -85,3 +85,21 @@ def both_sides_known(zero_based="auto", query_id=False):
if zero_based is False: # False positive here
pass
#Avoid depending on enum back port for Python 2 tests:
class Enum(object):
pass
class MyEnum(Enum):
memberA = None
memberB = 10
memberC = ("Hello", "World")
def comp_enum(x):
if x is MyEnum.memberA:
return
if x is MyEnum.memberB:
return
if x is MyEnum.memberC:
return

7
python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected Normal file
View File

@@ -0,0 +1,7 @@
| test.py:7:1:7:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
| test.py:8:1:8:20 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
| test.py:9:1:9:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
| test.py:11:1:11:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group readable. |
| test.py:13:1:13:28 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
| test.py:14:1:14:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
| test.py:16:1:16:25 | ControlFlowNode for Attribute() | Overly permissive mask in open sets file to world readable. |

1
python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE-732/WeakFilePermissions.ql

2
python/ql/test/query-tests/Security/CWE-732/options Normal file
View File

@@ -0,0 +1,2 @@
semmle-extractor-options: --max-import-depth=2 -p ../lib
optimize: true

16
python/ql/test/query-tests/Security/CWE-732/test.py Normal file
View File

@@ -0,0 +1,16 @@
import os
import stat
file = 'semmle/important_secrets'
os.chmod(file, 0o7) # BAD
os.chmod(file, 0o77) # BAD
os.chmod(file, 0o777) # BAD
os.chmod(file, 0o600) # GOOD
os.chmod(file, 0o550) # BAD
os.chmod(file, stat.S_IRWXU) # GOOD
os.chmod(file, stat.S_IWGRP) # BAD
os.chmod(file, 400) # BAD -- Decimal format.
os.open(file, 'w', 0o704) # BAD

6
python/ql/test/query-tests/Security/lib/os/__init__.py
View File

@@ -3,3 +3,9 @@ def system(cmd, *args, **kwargs):
def popen(cmd, *args, **kwargs):
return None
def chmod(path, mode):
pass
def open(path, flags, mode):
pass