hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into aliasperf2

Browse Source
This commit is contained in:
Geoffrey White
2024-10-08 15:08:43 +01:00
parent 4a131dd8f1 5a4cd1c578
commit 7ff376b346
7421 changed files with 349132 additions and 136485 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.cpp Normal file
View File

@@ -0,0 +1,43 @@
#include "../../../../../library-tests/string_concat/stl.h"
namespace std{
struct CURL {};
typedef CURL curl;
enum curl_constant{
CURLOPT_URL,
CURLOPT_SSL_VERIFYHOST,
CURLOPT_SSL_VERIFYPEER
};
CURL *curl_easy_init();
void curl_easy_cleanup(CURL *handle);
void curl_easy_perform(CURL *handle);
void curl_easy_setopt(CURL *handle, curl_constant param, int p);
void curl_easy_setopt(CURL *handle, curl_constant param, char* p);
}
using namespace std;
char host[] = "codeql.com";
void bad(void) {
std::unique_ptr<CURL> curl = std::unique_ptr<CURL>(curl_easy_init());
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0);
curl_easy_setopt(curl.get(), CURLOPT_URL, host);
curl_easy_perform(curl.get());
}
void good(void) {
std::unique_ptr<CURL> curl = std::unique_ptr<CURL>(curl_easy_init());
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 2);
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 2);
curl_easy_setopt(curl.get(), CURLOPT_URL, host);
curl_easy_perform(curl.get());
}
int main(int c, char** argv){
bad();
good();
}

2
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.expected Normal file
View File

@@ -0,0 +1,2 @@
| CurlSSL.cpp:25:2:25:17 | call to curl_easy_setopt | This call disables Secure Socket Layer and could potentially lead to MITM attacks |
| CurlSSL.cpp:26:2:26:17 | call to curl_easy_setopt | This call disables Secure Socket Layer and could potentially lead to MITM attacks |

1
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-295/CurlSSL.ql

239
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected Normal file
View File

@@ -0,0 +1,239 @@
edges
| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance | |
| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | provenance | |
| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:21:30:21:52 | *access to array | provenance | |
| brotliTest.cpp:21:30:21:52 | *access to array | brotliTest.cpp:24:51:24:58 | **& ... | provenance | |
| libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:16:31:16:32 | *ar | provenance | |
| libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:22:41:22:42 | *ar | provenance | |
| libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | provenance | |
| libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:34:35:34:41 | *access to array | provenance | |
| libarchiveTests.cpp:34:32:34:32 | *a | libarchiveTests.cpp:38:27:38:27 | *a | provenance | |
| libarchiveTests.cpp:34:35:34:41 | *access to array | libarchiveTests.cpp:34:32:34:32 | *a | provenance | Config |
| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:16:31:16:32 | *ar | provenance | |
| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:38:27:38:27 | read_data output argument | provenance | |
| libarchiveTests.cpp:38:27:38:27 | read_data output argument | libarchiveTests.cpp:38:27:38:27 | *a | provenance | |
| main.cpp:7:33:7:36 | **argv | main.cpp:8:23:8:26 | **argv | provenance | |
| main.cpp:7:33:7:36 | **argv | main.cpp:9:27:9:30 | **argv | provenance | |
| main.cpp:7:33:7:36 | **argv | main.cpp:10:24:10:27 | **argv | provenance | |
| main.cpp:7:33:7:36 | **argv | main.cpp:11:21:11:24 | **argv | provenance | |
| main.cpp:7:33:7:36 | **argv | main.cpp:12:21:12:24 | **argv | provenance | |
| main.cpp:8:23:8:26 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance | |
| main.cpp:8:23:8:26 | **argv | main.cpp:8:23:8:26 | brotli_test output argument | provenance | |
| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:9:27:9:30 | **argv | provenance | |
| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:10:24:10:27 | **argv | provenance | |
| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:11:21:11:24 | **argv | provenance | |
| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:12:21:12:24 | **argv | provenance | |
| main.cpp:9:27:9:30 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | provenance | |
| main.cpp:9:27:9:30 | **argv | main.cpp:9:27:9:30 | libarchive_test output argument | provenance | |
| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:10:24:10:27 | **argv | provenance | |
| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:11:21:11:24 | **argv | provenance | |
| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:12:21:12:24 | **argv | provenance | |
| main.cpp:10:24:10:27 | **argv | main.cpp:10:24:10:27 | minizip_test output argument | provenance | |
| main.cpp:10:24:10:27 | **argv | minizipTest.cpp:12:42:12:45 | **argv | provenance | |
| main.cpp:10:24:10:27 | minizip_test output argument | main.cpp:11:21:11:24 | **argv | provenance | |
| main.cpp:10:24:10:27 | minizip_test output argument | main.cpp:12:21:12:24 | **argv | provenance | |
| main.cpp:11:21:11:24 | **argv | main.cpp:11:21:11:24 | zlib_test output argument | provenance | |
| main.cpp:11:21:11:24 | **argv | main.cpp:11:21:11:24 | zlib_test output argument | provenance | |
| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | provenance | |
| main.cpp:11:21:11:24 | zlib_test output argument | main.cpp:12:21:12:24 | **argv | provenance | |
| main.cpp:11:21:11:24 | zlib_test output argument | main.cpp:12:21:12:24 | *argv | provenance | |
| main.cpp:12:21:12:24 | **argv | zstdTest.cpp:26:39:26:42 | **argv | provenance | |
| main.cpp:12:21:12:24 | *argv | zstdTest.cpp:26:39:26:42 | **argv | provenance | |
| main.cpp:12:21:12:24 | *argv | zstdTest.cpp:26:39:26:42 | *argv | provenance | |
| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:12:42:12:45 | **argv | provenance | |
| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | provenance | |
| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:24:41:24:47 | *access to array | provenance | |
| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | provenance | |
| minizipTest.cpp:24:29:24:38 | **zip_reader | minizipTest.cpp:26:30:26:39 | **zip_reader | provenance | |
| minizipTest.cpp:24:29:24:38 | *zip_reader | minizipTest.cpp:26:30:26:39 | *zip_reader | provenance | |
| minizipTest.cpp:24:41:24:47 | *access to array | minizipTest.cpp:24:29:24:38 | **zip_reader | provenance | Config |
| minizipTest.cpp:24:41:24:47 | *access to array | minizipTest.cpp:24:29:24:38 | *zip_reader | provenance | Config |
| zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:20:25:20:39 | *input | provenance | |
| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:16:26:16:30 | *input | provenance | |
| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:24:17:24:26 | & ... | provenance | Config |
| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:25:13:25:22 | & ... | provenance | Config |
| zlibTest.cpp:24:17:24:26 | & ... | zlibTest.cpp:25:13:25:22 | & ... | provenance | |
| zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:38:29:38:36 | *fileName | provenance | |
| zlibTest.cpp:38:22:38:27 | call to gzopen | zlibTest.cpp:38:22:38:27 | call to gzopen | provenance | |
| zlibTest.cpp:38:22:38:27 | call to gzopen | zlibTest.cpp:41:20:41:26 | inFileZ | provenance | |
| zlibTest.cpp:38:29:38:36 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | provenance | |
| zlibTest.cpp:38:29:38:36 | *fileName | zlibTest.cpp:38:22:38:27 | call to gzopen | provenance | Config |
| zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:48:29:48:36 | *fileName | provenance | |
| zlibTest.cpp:48:22:48:27 | call to gzopen | zlibTest.cpp:48:22:48:27 | call to gzopen | provenance | |
| zlibTest.cpp:48:22:48:27 | call to gzopen | zlibTest.cpp:51:38:51:44 | inFileZ | provenance | |
| zlibTest.cpp:48:29:48:36 | *fileName | zlibTest.cpp:47:26:47:33 | *fileName | provenance | |
| zlibTest.cpp:48:29:48:36 | *fileName | zlibTest.cpp:48:22:48:27 | call to gzopen | provenance | Config |
| zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:58:29:58:36 | *fileName | provenance | |
| zlibTest.cpp:58:22:58:27 | call to gzopen | zlibTest.cpp:58:22:58:27 | call to gzopen | provenance | |
| zlibTest.cpp:58:22:58:27 | call to gzopen | zlibTest.cpp:62:25:62:31 | inFileZ | provenance | |
| zlibTest.cpp:58:29:58:36 | *fileName | zlibTest.cpp:57:25:57:32 | *fileName | provenance | |
| zlibTest.cpp:58:29:58:36 | *fileName | zlibTest.cpp:58:22:58:27 | call to gzopen | provenance | Config |
| zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | provenance | |
| zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:77:45:77:59 | *input | provenance | |
| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv | provenance | |
| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:81:19:81:25 | *access to array | provenance | |
| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:82:18:82:24 | *access to array | provenance | |
| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:83:19:83:25 | *access to array | provenance | |
| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:84:18:84:24 | *access to array | provenance | |
| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:85:19:85:25 | *access to array | provenance | |
| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:47:26:47:33 | *fileName | provenance | |
| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | provenance | |
| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance | |
| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance | |
| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:82:18:82:24 | *access to array | provenance | |
| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:83:19:83:25 | *access to array | provenance | |
| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance | |
| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance | |
| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:57:25:57:32 | *fileName | provenance | |
| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | provenance | |
| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance | |
| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance | |
| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:83:19:83:25 | *access to array | provenance | |
| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance | |
| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance | |
| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | provenance | |
| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | provenance | |
| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance | |
| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance | |
| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance | |
| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance | |
| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | provenance | |
| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | provenance | |
| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance | |
| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance | |
| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance | |
| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | provenance | |
| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:85:19:85:25 | InflateString output argument | provenance | |
| zlibTest.cpp:85:19:85:25 | InflateString output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance | |
| zlibTest.cpp:85:19:85:25 | InflateString output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance | |
| zstdTest.cpp:26:39:26:42 | **argv | zstdTest.cpp:27:35:27:41 | *access to array | provenance | |
| zstdTest.cpp:26:39:26:42 | *argv | zstdTest.cpp:27:35:27:41 | *access to array | provenance | |
| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | zstdTest.cpp:27:23:27:33 | call to fopen_orDie | provenance | |
| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | zstdTest.cpp:35:52:35:54 | fin | provenance | |
| zstdTest.cpp:27:35:27:41 | *access to array | zstdTest.cpp:27:23:27:33 | call to fopen_orDie | provenance | Config |
| zstdTest.cpp:35:32:35:37 | **buffIn | zstdTest.cpp:36:32:36:37 | **buffIn | provenance | |
| zstdTest.cpp:35:32:35:37 | *buffIn | zstdTest.cpp:36:32:36:37 | *buffIn | provenance | |
| zstdTest.cpp:35:52:35:54 | fin | zstdTest.cpp:35:32:35:37 | **buffIn | provenance | Config |
| zstdTest.cpp:35:52:35:54 | fin | zstdTest.cpp:35:32:35:37 | *buffIn | provenance | Config |
| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:35:32:35:37 | **buffIn | provenance | |
| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:35:32:35:37 | *buffIn | provenance | |
| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
| zstdTest.cpp:39:69:39:74 | & ... | zstdTest.cpp:39:69:39:74 | & ... | provenance | |
| zstdTest.cpp:39:69:39:74 | & ... | zstdTest.cpp:39:69:39:74 | & ... | provenance | |
nodes
| brotliTest.cpp:15:41:15:44 | **argv | semmle.label | **argv |
| brotliTest.cpp:15:41:15:44 | **argv | semmle.label | **argv |
| brotliTest.cpp:18:35:18:53 | *access to array | semmle.label | *access to array |
| brotliTest.cpp:21:30:21:52 | *access to array | semmle.label | *access to array |
| brotliTest.cpp:24:51:24:58 | **& ... | semmle.label | **& ... |
| libarchiveTests.cpp:16:31:16:32 | *ar | semmle.label | *ar |
| libarchiveTests.cpp:16:31:16:32 | *ar | semmle.label | *ar |
| libarchiveTests.cpp:22:41:22:42 | *ar | semmle.label | *ar |
| libarchiveTests.cpp:30:45:30:48 | **argv | semmle.label | **argv |
| libarchiveTests.cpp:30:45:30:48 | **argv | semmle.label | **argv |
| libarchiveTests.cpp:34:32:34:32 | *a | semmle.label | *a |
| libarchiveTests.cpp:34:35:34:41 | *access to array | semmle.label | *access to array |
| libarchiveTests.cpp:38:27:38:27 | *a | semmle.label | *a |
| libarchiveTests.cpp:38:27:38:27 | read_data output argument | semmle.label | read_data output argument |
| main.cpp:7:33:7:36 | **argv | semmle.label | **argv |
| main.cpp:8:23:8:26 | **argv | semmle.label | **argv |
| main.cpp:8:23:8:26 | brotli_test output argument | semmle.label | brotli_test output argument |
| main.cpp:9:27:9:30 | **argv | semmle.label | **argv |
| main.cpp:9:27:9:30 | libarchive_test output argument | semmle.label | libarchive_test output argument |
| main.cpp:10:24:10:27 | **argv | semmle.label | **argv |
| main.cpp:10:24:10:27 | minizip_test output argument | semmle.label | minizip_test output argument |
| main.cpp:11:21:11:24 | **argv | semmle.label | **argv |
| main.cpp:11:21:11:24 | zlib_test output argument | semmle.label | zlib_test output argument |
| main.cpp:11:21:11:24 | zlib_test output argument | semmle.label | zlib_test output argument |
| main.cpp:12:21:12:24 | **argv | semmle.label | **argv |
| main.cpp:12:21:12:24 | *argv | semmle.label | *argv |
| minizipTest.cpp:12:42:12:45 | **argv | semmle.label | **argv |
| minizipTest.cpp:12:42:12:45 | **argv | semmle.label | **argv |
| minizipTest.cpp:17:52:17:67 | *access to array | semmle.label | *access to array |
| minizipTest.cpp:24:29:24:38 | **zip_reader | semmle.label | **zip_reader |
| minizipTest.cpp:24:29:24:38 | *zip_reader | semmle.label | *zip_reader |
| minizipTest.cpp:24:41:24:47 | *access to array | semmle.label | *access to array |
| minizipTest.cpp:26:30:26:39 | **zip_reader | semmle.label | **zip_reader |
| minizipTest.cpp:26:30:26:39 | *zip_reader | semmle.label | *zip_reader |
| minizipTest.cpp:28:13:28:19 | *access to array | semmle.label | *access to array |
| zlibTest.cpp:16:26:16:30 | *input | semmle.label | *input |
| zlibTest.cpp:16:26:16:30 | *input | semmle.label | *input |
| zlibTest.cpp:20:25:20:39 | *input | semmle.label | *input |
| zlibTest.cpp:24:17:24:26 | & ... | semmle.label | & ... |
| zlibTest.cpp:25:13:25:22 | & ... | semmle.label | & ... |
| zlibTest.cpp:37:25:37:32 | *fileName | semmle.label | *fileName |
| zlibTest.cpp:37:25:37:32 | *fileName | semmle.label | *fileName |
| zlibTest.cpp:38:22:38:27 | call to gzopen | semmle.label | call to gzopen |
| zlibTest.cpp:38:22:38:27 | call to gzopen | semmle.label | call to gzopen |
| zlibTest.cpp:38:29:38:36 | *fileName | semmle.label | *fileName |
| zlibTest.cpp:41:20:41:26 | inFileZ | semmle.label | inFileZ |
| zlibTest.cpp:47:26:47:33 | *fileName | semmle.label | *fileName |
| zlibTest.cpp:47:26:47:33 | *fileName | semmle.label | *fileName |
| zlibTest.cpp:48:22:48:27 | call to gzopen | semmle.label | call to gzopen |
| zlibTest.cpp:48:22:48:27 | call to gzopen | semmle.label | call to gzopen |
| zlibTest.cpp:48:29:48:36 | *fileName | semmle.label | *fileName |
| zlibTest.cpp:51:38:51:44 | inFileZ | semmle.label | inFileZ |
| zlibTest.cpp:57:25:57:32 | *fileName | semmle.label | *fileName |
| zlibTest.cpp:57:25:57:32 | *fileName | semmle.label | *fileName |
| zlibTest.cpp:58:22:58:27 | call to gzopen | semmle.label | call to gzopen |
| zlibTest.cpp:58:22:58:27 | call to gzopen | semmle.label | call to gzopen |
| zlibTest.cpp:58:29:58:36 | *fileName | semmle.label | *fileName |
| zlibTest.cpp:62:25:62:31 | inFileZ | semmle.label | inFileZ |
| zlibTest.cpp:71:26:71:30 | *input | semmle.label | *input |
| zlibTest.cpp:71:26:71:30 | *input | semmle.label | *input |
| zlibTest.cpp:77:45:77:59 | *input | semmle.label | *input |
| zlibTest.cpp:80:33:80:36 | **argv | semmle.label | **argv |
| zlibTest.cpp:80:33:80:36 | **argv | semmle.label | **argv |
| zlibTest.cpp:80:33:80:36 | **argv [Return] | semmle.label | **argv [Return] |
| zlibTest.cpp:81:19:81:25 | *access to array | semmle.label | *access to array |
| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | semmle.label | UnsafeGzfread output argument |
| zlibTest.cpp:82:18:82:24 | *access to array | semmle.label | *access to array |
| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | semmle.label | UnsafeGzgets output argument |
| zlibTest.cpp:83:19:83:25 | *access to array | semmle.label | *access to array |
| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | semmle.label | UnsafeInflate output argument |
| zlibTest.cpp:84:18:84:24 | *access to array | semmle.label | *access to array |
| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | semmle.label | UnsafeGzread output argument |
| zlibTest.cpp:85:19:85:25 | *access to array | semmle.label | *access to array |
| zlibTest.cpp:85:19:85:25 | InflateString output argument | semmle.label | InflateString output argument |
| zstdTest.cpp:26:39:26:42 | **argv | semmle.label | **argv |
| zstdTest.cpp:26:39:26:42 | *argv | semmle.label | *argv |
| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | semmle.label | call to fopen_orDie |
| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | semmle.label | call to fopen_orDie |
| zstdTest.cpp:27:35:27:41 | *access to array | semmle.label | *access to array |
| zstdTest.cpp:35:32:35:37 | **buffIn | semmle.label | **buffIn |
| zstdTest.cpp:35:32:35:37 | *buffIn | semmle.label | *buffIn |
| zstdTest.cpp:35:52:35:54 | fin | semmle.label | fin |
| zstdTest.cpp:36:32:36:37 | **buffIn | semmle.label | **buffIn |
| zstdTest.cpp:36:32:36:37 | *buffIn | semmle.label | *buffIn |
| zstdTest.cpp:39:69:39:74 | & ... | semmle.label | & ... |
| zstdTest.cpp:39:69:39:74 | & ... | semmle.label | & ... |
subpaths
| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:38:27:38:27 | read_data output argument |
| main.cpp:8:23:8:26 | **argv | brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | main.cpp:8:23:8:26 | brotli_test output argument |
| main.cpp:9:27:9:30 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | main.cpp:9:27:9:30 | libarchive_test output argument |
| main.cpp:10:24:10:27 | **argv | minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:12:42:12:45 | **argv | main.cpp:10:24:10:27 | minizip_test output argument |
| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv | main.cpp:11:21:11:24 | zlib_test output argument |
| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv [Return] | main.cpp:11:21:11:24 | zlib_test output argument |
| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv [Return] | main.cpp:11:21:11:24 | zlib_test output argument |
| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument |
| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument |
| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument |
| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument |
| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:85:19:85:25 | InflateString output argument |
#select
| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress |
| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream |
| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block |
| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read |
| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen |
| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... | The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate |
| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread |
| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread |
| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets |
| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress |
| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream |

1
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-409/DecompressionBombs.ql

26
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp Normal file
View File

@@ -0,0 +1,26 @@
typedef long unsigned int size_t;
typedef unsigned char uint8_t;
enum BrotliDecoderResult {};
struct BrotliDecoderState;
BrotliDecoderResult BrotliDecoderDecompress(
size_t encoded_size, const uint8_t encoded_buffer[],
size_t *decoded_size, uint8_t decoded_buffer[]);
BrotliDecoderResult BrotliDecoderDecompressStream(
BrotliDecoderState *state, size_t *available_in, const uint8_t **next_in,
size_t *available_out, uint8_t **next_out, size_t *total_out);
void brotli_test(int argc, const char **argv) {
uint8_t output[1024];
size_t output_size = sizeof(output);
BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD
size_t input_size = 1024;
const uint8_t *input_p = (const uint8_t*)argv[2];
uint8_t *output_p = output;
size_t out_size;
BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD
&output_p, &out_size);
}

42
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp Normal file
View File

@@ -0,0 +1,42 @@
#define ARCHIVE_EOF 1
#define ARCHIVE_OK 0
#define ARCHIVE_WARN (-20)
struct archive;
struct archive_entry;
typedef int size_t;
typedef int la_int64_t;
archive *archive_read_new();
int archive_read_open_filename(archive *pArchive, const char *filename, int i);
int archive_read_next_header(archive *a, archive_entry **entry);
int archive_entry_size(archive_entry *pEntry);
int archive_read_data_block(archive *pArchive, const void **pVoid, size_t *pInt, la_int64_t *pInt1);
static int read_data(archive *ar) {
for (;;) {
const void *buff;
size_t size;
la_int64_t offset;
int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD
if (r == ARCHIVE_EOF)
return ARCHIVE_OK;
if (r < ARCHIVE_OK)
return r;
}
}
void libarchive_test(int argc, const char **argv) {
archive *a = archive_read_new();
archive_entry *entry;
archive_read_open_filename(a, argv[1], 10240);
for (;;) {
archive_read_next_header(a, &entry);
if (archive_entry_size(entry) > 0) {
if (read_data(a) < ARCHIVE_WARN)
break;
}
}
}

14
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp Normal file
View File

@@ -0,0 +1,14 @@
void brotli_test(int argc, const char **argv);
void libarchive_test(int argc, const char **argv);
void minizip_test(int argc, const char **argv);
void zlib_test(int argc, const char **argv);
void zstd_test(int argc, const char **argv);
int main(int argc, const char **argv) {
brotli_test(argc, argv);
libarchive_test(argc, argv);
minizip_test(argc, argv);
zlib_test(argc, argv);
zstd_test(argc, argv);
return 0;
}

29
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp Normal file
View File

@@ -0,0 +1,29 @@
typedef signed int int32_t;
void *mz_zip_reader_create();
int32_t mz_zip_reader_open_file(void *handle, const char *path);
int32_t mz_zip_reader_goto_first_entry(void *pVoid);
int32_t mz_zip_reader_entry_save(void *pVoid, int stream, int write);
int32_t mz_zip_entry_read(void *pVoid, void *buf, int32_t i);
void UnzOpen(const char *string);
void *mz_zip_create();
void minizip_test(int argc, const char **argv) {
void *zip_handle = mz_zip_create();
int32_t bytes_read;
char buf[4096];
while(true) {
bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD
if (bytes_read <= 0) {
break;
}
}
void *zip_reader = mz_zip_reader_create();
mz_zip_reader_open_file(zip_reader, argv[1]);
mz_zip_reader_goto_first_entry(zip_reader);
mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD
UnzOpen(argv[3]); // BAD
}

86
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp Normal file
View File

@@ -0,0 +1,86 @@
typedef unsigned char Bytef;
typedef unsigned long uLong;
typedef uLong uLongf;
typedef unsigned int uInt;
struct z_stream {
Bytef *next_in;
Bytef *next_out;
uInt avail_out;
};
void inflateInit(z_stream *infstream);
void inflate(z_stream *infstream, int i);
void inflateEnd(z_stream *infstream);
void UnsafeInflate(char *input) {
unsigned char output[1024];
z_stream infstream;
infstream.next_in = (Bytef *) input; // input char array
infstream.avail_out = sizeof(output); // size of output
infstream.next_out = output; // output char array
inflateInit(&infstream);
inflate(&infstream, 0); // BAD
}
struct gzFile {
};
gzFile gzopen(char *str, const char *rb);
unsigned int gzread(gzFile gz_file, unsigned char *str, int i);
bool gzfread(char *str, int i, int i1, gzFile gz_file);
char *gzgets(gzFile gz_file, char *buffer, int i);
void UnsafeGzread(char *fileName) {
gzFile inFileZ = gzopen(fileName, "rb");
unsigned char unzipBuffer[8192];
while (true) {
if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD
break;
}
}
}
void UnsafeGzfread(char *fileName) {
gzFile inFileZ = gzopen(fileName, "rb");
while (true) {
char buffer[1000];
if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD
break;
}
}
}
void UnsafeGzgets(char *fileName) {
gzFile inFileZ = gzopen(fileName, "rb");
char *buffer = new char[4000000000];
char *result;
while (true) {
result = gzgets(inFileZ, buffer, 1000000000); // BAD
if (result == nullptr) {
break;
}
}
}
int uncompress(Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen);
void InflateString(char *input) {
unsigned char output[1024];
uLong source_length = 500;
uLong destination_length = sizeof(output);
uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD
}
void zlib_test(int argc, char **argv) {
UnsafeGzfread(argv[2]);
UnsafeGzgets(argv[2]);
UnsafeInflate(argv[2]);
UnsafeGzread(argv[2]);
InflateString(argv[2]);
}

43
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp Normal file
View File

@@ -0,0 +1,43 @@
typedef long unsigned int size_t;
struct FILE;
FILE *fopen_orDie(const char *filename, const char *instruction);
size_t fread_orDie(void *const pVoid, const size_t read, FILE *const pFile);
void *const malloc_orDie(const size_t size);
struct ZSTD_DCtx;
typedef struct ZSTD_inBuffer_s {
const void *src;
size_t size;
size_t pos;
} ZSTD_inBuffer;
typedef struct ZSTD_outBuffer_s {
void *dst;
size_t size;
size_t pos;
} ZSTD_outBuffer;
const size_t ZSTD_DStreamInSize();
const size_t ZSTD_DStreamOutSize();
ZSTD_DCtx *const ZSTD_createDCtx();
const size_t ZSTD_decompressStream(ZSTD_DCtx *const pCtx, ZSTD_outBuffer *pS, ZSTD_inBuffer *pS1);
void CHECK_ZSTD(const size_t ret);
void zstd_test(int argc, const char **argv) {
FILE *const fin = fopen_orDie(argv[1], "rb");
size_t const buffInSize = ZSTD_DStreamInSize();
void *const buffIn = malloc_orDie(buffInSize);
size_t const buffOutSize = ZSTD_DStreamOutSize();
void *const buffOut = malloc_orDie(buffOutSize);
ZSTD_DCtx *const dctx = ZSTD_createDCtx();
size_t read;
while ((read = fread_orDie(buffIn, buffInSize, fin))) {
ZSTD_inBuffer input = {buffIn, read, 0};
while (input.pos < input.size) {
ZSTD_outBuffer output = {buffOut, buffOutSize, 0};
size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD
CHECK_ZSTD(ret);
}
}
}

1
cpp/ql/test/header-variant-tests/multi-target-includes/includes.expected
View File

@@ -5,6 +5,5 @@
| main1.cpp:7:1:7:26 | #include "defines_issue.h" | Include | defines_issue.h | 1 |
| main2.cpp:3:1:3:19 | #include "common.h" | Include | common.h | 1 |
| main2.cpp:7:1:7:26 | #include "defines_issue.h" | Include | defines_issue.h | 1 |
| nameclash.h:3:1:3:27 | #include_next "nameclash.h" | IncludeNext | nameclash.h | 1 |
| nameclash.h:3:1:3:27 | #include_next "nameclash.h" | IncludeNext | subdir1/nameclash.h | 1 |
| nameclash.h:3:1:3:27 | #include_next "nameclash.h" | IncludeNext | subdir2/nameclash.h | 1 |

15
cpp/ql/test/library-tests/builtins/type_traits/clang.cpp
View File

@@ -1,4 +1,4 @@
// semmle-extractor-options: --clang --clang_version 180000
// semmle-extractor-options: --clang --edg --clang_version --edg 190000
struct S {
void f() {}
@@ -108,3 +108,16 @@ bool b_is_unbounded_array2 = __is_unbounded_array(int[42]);
bool b_is_referenceable1 = __is_referenceable(int);
bool b_is_referenceable2 = __is_referenceable(void);
bool b_is_trivially_equality_comparable1 = __is_trivially_equality_comparable(int);
bool b_is_trivially_equality_comparable2 = __is_trivially_equality_comparable(void);
enum class E {
a, b
};
bool b_is_scoped_enum1 = __is_scoped_enum(E);
bool b_is_scoped_enum2 = __is_scoped_enum(int);
bool b_is_trivially_relocatable1 = __is_trivially_relocatable(int);
bool b_is_trivially_relocatable2 = __is_trivially_relocatable(void);

14
cpp/ql/test/library-tests/builtins/type_traits/expr.expected
View File

@@ -153,7 +153,21 @@
| clang.cpp:109:28:109:50 | int | | <none> |
| clang.cpp:110:28:110:51 | __is_referenceable | void | 0 |
| clang.cpp:110:28:110:51 | void | | <none> |
| clang.cpp:112:44:112:82 | __is_trivially_equality_comparable | int | 1 |
| clang.cpp:112:44:112:82 | int | | <none> |
| clang.cpp:113:44:113:83 | __is_trivially_equality_comparable | void | 0 |
| clang.cpp:113:44:113:83 | void | | <none> |
| clang.cpp:119:26:119:44 | E | | <none> |
| clang.cpp:119:26:119:44 | __is_scoped_enum | E | 1 |
| clang.cpp:120:26:120:46 | __is_scoped_enum | int | 0 |
| clang.cpp:120:26:120:46 | int | | <none> |
| clang.cpp:122:36:122:66 | __is_trivially_relocatable | int | 1 |
| clang.cpp:122:36:122:66 | int | | <none> |
| clang.cpp:123:36:123:67 | __is_trivially_relocatable | void | 0 |
| clang.cpp:123:36:123:67 | void | | <none> |
| file://:0:0:0:0 | 0 | | 0 |
| file://:0:0:0:0 | 0 | | 0 |
| file://:0:0:0:0 | 1 | | 1 |
| file://:0:0:0:0 | 1 | | 1 |
| file://:0:0:0:0 | 2 | | 2 |
| gcc.cpp:3:25:3:25 | 8 | | 8 |

458
cpp/ql/test/library-tests/c11_generic/PrintAST.expected Normal file
View File

@@ -0,0 +1,458 @@
#-----| [CopyAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag const&)
#-----| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const __va_list_tag &
#-----| [MoveAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag&&)
#-----| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [RValueReferenceType] __va_list_tag &&
generic.c:
# 3| [FormattingFunction,TopLevelFunction] int printf(char const*)
# 3| <params>:
# 3| getParameter(0): [Parameter] format
# 3| Type = [PointerType] const char *
# 14| [TopLevelFunction] int main()
# 14| <params>:
# 15| getEntryPoint(): [BlockStmt] { ... }
# 16| getStmt(0): [DeclStmt] declaration
# 16| getDeclarationEntry(0): [VariableDeclarationEntry] definition of i
# 16| Type = [IntType] int
# 17| getStmt(1): [DeclStmt] declaration
# 17| getDeclarationEntry(0): [VariableDeclarationEntry] definition of m
# 17| Type = [CTypedefType] MYINT
# 18| getStmt(2): [DeclStmt] declaration
# 18| getDeclarationEntry(0): [VariableDeclarationEntry] definition of s
# 18| Type = [PointerType] const char *
# 19| getStmt(3): [DeclStmt] declaration
# 19| getDeclarationEntry(0): [VariableDeclarationEntry] definition of f
# 19| Type = [PointerType] float ***
# 21| getStmt(4): [ExprStmt] ExprStmt
# 21| getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
# 21| Type = [IntType] int
# 21| ValueCategory = prvalue
# 21| getArgument(0): i is %s\n
# 21| Type = [ArrayType] char[9]
# 21| Value = [StringLiteral] "i is %s\n"
# 21| ValueCategory = lvalue
# 21| getArgument(1): int
# 21| Type = [ArrayType] char[4]
# 21| Value = [StringLiteral] "int"
# 21| ValueCategory = lvalue
# 21| getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
# 21| Conversion = [PointerConversion] pointer conversion
# 21| Type = [PointerType] const char *
# 21| ValueCategory = prvalue
# 21| getExpr(): [ArrayToPointerConversion] array to pointer conversion
# 21| Type = [CharPointerType] char *
# 21| ValueCategory = prvalue
# 21| getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 21| Type = [CharPointerType] char *
# 21| ValueCategory = prvalue
# 21| getExpr(): [C11GenericExpr] _Generic
# 21| Type = [ArrayType] char[4]
# 21| Value = [C11GenericExpr] int
# 21| ValueCategory = lvalue
# 21| getControllingExpr(): [VariableAccess] i
# 21| Type = [IntType] int
# 21| ValueCategory = prvalue(load)
# 21| getAssociationType(0): [TypeName] int
# 21| Type = [IntType] int
# 21| ValueCategory = prvalue
# 21| getAssociationExpr(0): [ReuseExpr] reuse of int
# 21| Type = [ArrayType] char[4]
# 21| ValueCategory = lvalue
# 21| getAssociationType(1): [TypeName] const char *
# 21| Type = [PointerType] const char *
# 21| ValueCategory = prvalue
# 21| getAssociationExpr(1): string
# 21| Type = [ArrayType] char[7]
# 21| Value = [StringLiteral] "string"
# 21| ValueCategory = lvalue
# 21| getAssociationType(2): [TypeName] void
# 21| Type = [VoidType] void
# 21| ValueCategory = prvalue
# 21| getAssociationExpr(2): unknown
# 21| Type = [ArrayType] char[8]
# 21| Value = [StringLiteral] "unknown"
# 21| ValueCategory = lvalue
# 21| getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
# 21| Type = [IntType] int
# 21| ValueCategory = prvalue(load)
# 22| getStmt(5): [ExprStmt] ExprStmt
# 22| getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
# 22| Type = [IntType] int
# 22| ValueCategory = prvalue
# 22| getArgument(0): c is %s\n
# 22| Type = [ArrayType] char[9]
# 22| Value = [StringLiteral] "c is %s\n"
# 22| ValueCategory = lvalue
# 22| getArgument(1): int
# 22| Type = [ArrayType] char[4]
# 22| Value = [StringLiteral] "int"
# 22| ValueCategory = lvalue
# 22| getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
# 22| Conversion = [PointerConversion] pointer conversion
# 22| Type = [PointerType] const char *
# 22| ValueCategory = prvalue
# 22| getExpr(): [ArrayToPointerConversion] array to pointer conversion
# 22| Type = [CharPointerType] char *
# 22| ValueCategory = prvalue
# 22| getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 22| Type = [CharPointerType] char *
# 22| ValueCategory = prvalue
# 22| getExpr(): [C11GenericExpr] _Generic
# 22| Type = [ArrayType] char[4]
# 22| Value = [C11GenericExpr] int
# 22| ValueCategory = lvalue
# 22| getControllingExpr(): [VariableAccess] m
# 22| Type = [CTypedefType] MYINT
# 22| ValueCategory = prvalue(load)
# 22| getAssociationType(0): [TypeName] int
# 22| Type = [IntType] int
# 22| ValueCategory = prvalue
# 22| getAssociationExpr(0): [ReuseExpr] reuse of int
# 22| Type = [ArrayType] char[4]
# 22| ValueCategory = lvalue
# 22| getAssociationType(1): [TypeName] const char *
# 22| Type = [PointerType] const char *
# 22| ValueCategory = prvalue
# 22| getAssociationExpr(1): string
# 22| Type = [ArrayType] char[7]
# 22| Value = [StringLiteral] "string"
# 22| ValueCategory = lvalue
# 22| getAssociationType(2): [TypeName] void
# 22| Type = [VoidType] void
# 22| ValueCategory = prvalue
# 22| getAssociationExpr(2): unknown
# 22| Type = [ArrayType] char[8]
# 22| Value = [StringLiteral] "unknown"
# 22| ValueCategory = lvalue
# 22| getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
# 22| Type = [CTypedefType] MYINT
# 22| ValueCategory = prvalue(load)
# 23| getStmt(6): [ExprStmt] ExprStmt
# 23| getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
# 23| Type = [IntType] int
# 23| ValueCategory = prvalue
# 23| getArgument(0): s is %s\n
# 23| Type = [ArrayType] char[9]
# 23| Value = [StringLiteral] "s is %s\n"
# 23| ValueCategory = lvalue
# 23| getArgument(1): string
# 23| Type = [ArrayType] char[7]
# 23| Value = [StringLiteral] "string"
# 23| ValueCategory = lvalue
# 23| getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
# 23| Conversion = [PointerConversion] pointer conversion
# 23| Type = [PointerType] const char *
# 23| ValueCategory = prvalue
# 23| getExpr(): [ArrayToPointerConversion] array to pointer conversion
# 23| Type = [CharPointerType] char *
# 23| ValueCategory = prvalue
# 23| getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 23| Type = [CharPointerType] char *
# 23| ValueCategory = prvalue
# 23| getExpr(): [C11GenericExpr] _Generic
# 23| Type = [ArrayType] char[7]
# 23| Value = [C11GenericExpr] string
# 23| ValueCategory = lvalue
# 23| getControllingExpr(): [VariableAccess] s
# 23| Type = [PointerType] const char *
# 23| ValueCategory = prvalue(load)
# 23| getAssociationType(0): [TypeName] int
# 23| Type = [IntType] int
# 23| ValueCategory = prvalue
# 23| getAssociationExpr(0): int
# 23| Type = [ArrayType] char[4]
# 23| Value = [StringLiteral] "int"
# 23| ValueCategory = lvalue
# 23| getAssociationType(1): [TypeName] const char *
# 23| Type = [PointerType] const char *
# 23| ValueCategory = prvalue
# 23| getAssociationExpr(1): [ReuseExpr] reuse of string
# 23| Type = [ArrayType] char[7]
# 23| ValueCategory = lvalue
# 23| getAssociationType(2): [TypeName] void
# 23| Type = [VoidType] void
# 23| ValueCategory = prvalue
# 23| getAssociationExpr(2): unknown
# 23| Type = [ArrayType] char[8]
# 23| Value = [StringLiteral] "unknown"
# 23| ValueCategory = lvalue
# 23| getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
# 23| Type = [PointerType] const char *
# 23| ValueCategory = prvalue(load)
# 24| getStmt(7): [ExprStmt] ExprStmt
# 24| getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
# 24| Type = [IntType] int
# 24| ValueCategory = prvalue
# 24| getArgument(0): f is %s\n
# 24| Type = [ArrayType] char[9]
# 24| Value = [StringLiteral] "f is %s\n"
# 24| ValueCategory = lvalue
# 24| getArgument(1): unknown
# 24| Type = [ArrayType] char[8]
# 24| Value = [StringLiteral] "unknown"
# 24| ValueCategory = lvalue
# 24| getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
# 24| Conversion = [PointerConversion] pointer conversion
# 24| Type = [PointerType] const char *
# 24| ValueCategory = prvalue
# 24| getExpr(): [ArrayToPointerConversion] array to pointer conversion
# 24| Type = [CharPointerType] char *
# 24| ValueCategory = prvalue
# 24| getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 24| Type = [CharPointerType] char *
# 24| ValueCategory = prvalue
# 24| getExpr(): [C11GenericExpr] _Generic
# 24| Type = [ArrayType] char[8]
# 24| Value = [C11GenericExpr] unknown
# 24| ValueCategory = lvalue
# 24| getControllingExpr(): [VariableAccess] f
# 24| Type = [PointerType] float ***
# 24| ValueCategory = prvalue(load)
# 24| getAssociationType(0): [TypeName] int
# 24| Type = [IntType] int
# 24| ValueCategory = prvalue
# 24| getAssociationExpr(0): int
# 24| Type = [ArrayType] char[4]
# 24| Value = [StringLiteral] "int"
# 24| ValueCategory = lvalue
# 24| getAssociationType(1): [TypeName] const char *
# 24| Type = [PointerType] const char *
# 24| ValueCategory = prvalue
# 24| getAssociationExpr(1): string
# 24| Type = [ArrayType] char[7]
# 24| Value = [StringLiteral] "string"
# 24| ValueCategory = lvalue
# 24| getAssociationType(2): [TypeName] void
# 24| Type = [VoidType] void
# 24| ValueCategory = prvalue
# 24| getAssociationExpr(2): [ReuseExpr] reuse of unknown
# 24| Type = [ArrayType] char[8]
# 24| ValueCategory = lvalue
# 24| getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
# 24| Type = [PointerType] float ***
# 24| ValueCategory = prvalue(load)
# 25| getStmt(8): [ReturnStmt] return ...
#-----| getExpr(): [Literal] 0
#-----| Type = [IntType] int
#-----| Value = [Literal] 0
#-----| ValueCategory = prvalue
generic.cpp:
# 4| [FormattingFunction,TopLevelFunction] int printf(char const*)
# 4| <params>:
# 4| getParameter(0): [Parameter] format
# 4| Type = [PointerType] const char *
# 15| [TopLevelFunction] int main()
# 15| <params>:
# 16| getEntryPoint(): [BlockStmt] { ... }
# 17| getStmt(0): [DeclStmt] declaration
# 17| getDeclarationEntry(0): [VariableDeclarationEntry] definition of i
# 17| Type = [IntType] int
# 18| getStmt(1): [DeclStmt] declaration
# 18| getDeclarationEntry(0): [VariableDeclarationEntry] definition of m
# 18| Type = [CTypedefType] MYINT
# 19| getStmt(2): [DeclStmt] declaration
# 19| getDeclarationEntry(0): [VariableDeclarationEntry] definition of s
# 19| Type = [PointerType] const char *
# 20| getStmt(3): [DeclStmt] declaration
# 20| getDeclarationEntry(0): [VariableDeclarationEntry] definition of f
# 20| Type = [PointerType] float ***
# 22| getStmt(4): [ExprStmt] ExprStmt
# 22| getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
# 22| Type = [IntType] int
# 22| ValueCategory = prvalue
# 22| getArgument(0): i is %s\n
# 22| Type = [ArrayType] const char[9]
# 22| Value = [StringLiteral] "i is %s\n"
# 22| ValueCategory = lvalue
# 22| getArgument(1): int
# 22| Type = [ArrayType] const char[4]
# 22| Value = [StringLiteral] "int"
# 22| ValueCategory = lvalue
# 22| getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 22| Type = [PointerType] const char *
# 22| ValueCategory = prvalue
# 22| getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 22| Type = [PointerType] const char *
# 22| ValueCategory = prvalue
# 22| getExpr(): [C11GenericExpr] _Generic
# 22| Type = [ArrayType] const char[4]
# 22| Value = [C11GenericExpr] int
# 22| ValueCategory = lvalue
# 22| getControllingExpr(): [VariableAccess] i
# 22| Type = [IntType] int
# 22| ValueCategory = lvalue
# 22| getAssociationType(0): [TypeName] int
# 22| Type = [IntType] int
# 22| ValueCategory = prvalue
# 22| getAssociationExpr(0): [ReuseExpr] reuse of int
# 22| Type = [ArrayType] const char[4]
# 22| ValueCategory = lvalue
# 22| getAssociationType(1): [TypeName] const char *
# 22| Type = [PointerType] const char *
# 22| ValueCategory = prvalue
# 22| getAssociationExpr(1): string
# 22| Type = [ArrayType] const char[7]
# 22| Value = [StringLiteral] "string"
# 22| ValueCategory = lvalue
# 22| getAssociationType(2): [TypeName] void
# 22| Type = [VoidType] void
# 22| ValueCategory = prvalue
# 22| getAssociationExpr(2): unknown
# 22| Type = [ArrayType] const char[8]
# 22| Value = [StringLiteral] "unknown"
# 22| ValueCategory = lvalue
# 22| getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
# 22| Type = [IntType] int
# 22| ValueCategory = lvalue
# 23| getStmt(5): [ExprStmt] ExprStmt
# 23| getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
# 23| Type = [IntType] int
# 23| ValueCategory = prvalue
# 23| getArgument(0): c is %s\n
# 23| Type = [ArrayType] const char[9]
# 23| Value = [StringLiteral] "c is %s\n"
# 23| ValueCategory = lvalue
# 23| getArgument(1): int
# 23| Type = [ArrayType] const char[4]
# 23| Value = [StringLiteral] "int"
# 23| ValueCategory = lvalue
# 23| getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 23| Type = [PointerType] const char *
# 23| ValueCategory = prvalue
# 23| getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 23| Type = [PointerType] const char *
# 23| ValueCategory = prvalue
# 23| getExpr(): [C11GenericExpr] _Generic
# 23| Type = [ArrayType] const char[4]
# 23| Value = [C11GenericExpr] int
# 23| ValueCategory = lvalue
# 23| getControllingExpr(): [VariableAccess] m
# 23| Type = [CTypedefType] MYINT
# 23| ValueCategory = lvalue
# 23| getAssociationType(0): [TypeName] int
# 23| Type = [IntType] int
# 23| ValueCategory = prvalue
# 23| getAssociationExpr(0): [ReuseExpr] reuse of int
# 23| Type = [ArrayType] const char[4]
# 23| ValueCategory = lvalue
# 23| getAssociationType(1): [TypeName] const char *
# 23| Type = [PointerType] const char *
# 23| ValueCategory = prvalue
# 23| getAssociationExpr(1): string
# 23| Type = [ArrayType] const char[7]
# 23| Value = [StringLiteral] "string"
# 23| ValueCategory = lvalue
# 23| getAssociationType(2): [TypeName] void
# 23| Type = [VoidType] void
# 23| ValueCategory = prvalue
# 23| getAssociationExpr(2): unknown
# 23| Type = [ArrayType] const char[8]
# 23| Value = [StringLiteral] "unknown"
# 23| ValueCategory = lvalue
# 23| getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
# 23| Type = [CTypedefType] MYINT
# 23| ValueCategory = lvalue
# 24| getStmt(6): [ExprStmt] ExprStmt
# 24| getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
# 24| Type = [IntType] int
# 24| ValueCategory = prvalue
# 24| getArgument(0): s is %s\n
# 24| Type = [ArrayType] const char[9]
# 24| Value = [StringLiteral] "s is %s\n"
# 24| ValueCategory = lvalue
# 24| getArgument(1): string
# 24| Type = [ArrayType] const char[7]
# 24| Value = [StringLiteral] "string"
# 24| ValueCategory = lvalue
# 24| getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 24| Type = [PointerType] const char *
# 24| ValueCategory = prvalue
# 24| getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 24| Type = [PointerType] const char *
# 24| ValueCategory = prvalue
# 24| getExpr(): [C11GenericExpr] _Generic
# 24| Type = [ArrayType] const char[7]
# 24| Value = [C11GenericExpr] string
# 24| ValueCategory = lvalue
# 24| getControllingExpr(): [VariableAccess] s
# 24| Type = [PointerType] const char *
# 24| ValueCategory = lvalue
# 24| getAssociationType(0): [TypeName] int
# 24| Type = [IntType] int
# 24| ValueCategory = prvalue
# 24| getAssociationExpr(0): int
# 24| Type = [ArrayType] const char[4]
# 24| Value = [StringLiteral] "int"
# 24| ValueCategory = lvalue
# 24| getAssociationType(1): [TypeName] const char *
# 24| Type = [PointerType] const char *
# 24| ValueCategory = prvalue
# 24| getAssociationExpr(1): [ReuseExpr] reuse of string
# 24| Type = [ArrayType] const char[7]
# 24| ValueCategory = lvalue
# 24| getAssociationType(2): [TypeName] void
# 24| Type = [VoidType] void
# 24| ValueCategory = prvalue
# 24| getAssociationExpr(2): unknown
# 24| Type = [ArrayType] const char[8]
# 24| Value = [StringLiteral] "unknown"
# 24| ValueCategory = lvalue
# 24| getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
# 24| Type = [PointerType] const char *
# 24| ValueCategory = lvalue
# 25| getStmt(7): [ExprStmt] ExprStmt
# 25| getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
# 25| Type = [IntType] int
# 25| ValueCategory = prvalue
# 25| getArgument(0): f is %s\n
# 25| Type = [ArrayType] const char[9]
# 25| Value = [StringLiteral] "f is %s\n"
# 25| ValueCategory = lvalue
# 25| getArgument(1): unknown
# 25| Type = [ArrayType] const char[8]
# 25| Value = [StringLiteral] "unknown"
# 25| ValueCategory = lvalue
# 25| getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 25| Type = [PointerType] const char *
# 25| ValueCategory = prvalue
# 25| getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
# 25| Type = [PointerType] const char *
# 25| ValueCategory = prvalue
# 25| getExpr(): [C11GenericExpr] _Generic
# 25| Type = [ArrayType] const char[8]
# 25| Value = [C11GenericExpr] unknown
# 25| ValueCategory = lvalue
# 25| getControllingExpr(): [VariableAccess] f
# 25| Type = [PointerType] float ***
# 25| ValueCategory = lvalue
# 25| getAssociationType(0): [TypeName] int
# 25| Type = [IntType] int
# 25| ValueCategory = prvalue
# 25| getAssociationExpr(0): int
# 25| Type = [ArrayType] const char[4]
# 25| Value = [StringLiteral] "int"
# 25| ValueCategory = lvalue
# 25| getAssociationType(1): [TypeName] const char *
# 25| Type = [PointerType] const char *
# 25| ValueCategory = prvalue
# 25| getAssociationExpr(1): string
# 25| Type = [ArrayType] const char[7]
# 25| Value = [StringLiteral] "string"
# 25| ValueCategory = lvalue
# 25| getAssociationType(2): [TypeName] void
# 25| Type = [VoidType] void
# 25| ValueCategory = prvalue
# 25| getAssociationExpr(2): [ReuseExpr] reuse of unknown
# 25| Type = [ArrayType] const char[8]
# 25| ValueCategory = lvalue
# 25| getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
# 25| Type = [PointerType] float ***
# 25| ValueCategory = lvalue
# 26| getStmt(8): [ReturnStmt] return ...
#-----| getExpr(): [Literal] 0
#-----| Type = [IntType] int
#-----| Value = [Literal] 0
#-----| ValueCategory = prvalue

1
cpp/ql/test/library-tests/c11_generic/PrintAST.qlref Normal file
View File

@@ -0,0 +1 @@
semmle/code/cpp/PrintAST.ql

8
cpp/ql/test/library-tests/c11_generic/macro_invocation.expected Normal file
View File

@@ -0,0 +1,8 @@
| generic.c:21:22:21:32 | _Generic | generic.c:21:22:21:32 | describe(val) |
| generic.c:22:22:22:32 | _Generic | generic.c:22:22:22:32 | describe(val) |
| generic.c:23:22:23:32 | _Generic | generic.c:23:22:23:32 | describe(val) |
| generic.c:24:22:24:32 | _Generic | generic.c:24:22:24:32 | describe(val) |
| generic.cpp:22:22:22:32 | _Generic | generic.cpp:22:22:22:32 | describe(val) |
| generic.cpp:23:22:23:32 | _Generic | generic.cpp:23:22:23:32 | describe(val) |
| generic.cpp:24:22:24:32 | _Generic | generic.cpp:24:22:24:32 | describe(val) |
| generic.cpp:25:22:25:32 | _Generic | generic.cpp:25:22:25:32 | describe(val) |

5
cpp/ql/test/library-tests/c11_generic/macro_invocation.ql Normal file
View File

@@ -0,0 +1,5 @@
import cpp
from C11GenericExpr g, MacroInvocation m
where m.getAnExpandedElement() = g
select g, m

22
cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
View File

@@ -33,7 +33,7 @@ argHasPostUpdate
| test.cpp:67:29:67:35 | source1 | ArgumentNode is missing PostUpdateNode. |
| test.cpp:813:19:813:35 | * ... | ArgumentNode is missing PostUpdateNode. |
| test.cpp:848:23:848:25 | rpx | ArgumentNode is missing PostUpdateNode. |
| test.cpp:1057:19:1057:21 | * ... | ArgumentNode is missing PostUpdateNode. |
| test.cpp:1093:19:1093:21 | * ... | ArgumentNode is missing PostUpdateNode. |
postWithInFlow
| BarrierGuard.cpp:49:6:49:6 | x [post update] | PostUpdateNode should not be the target of local flow. |
| BarrierGuard.cpp:60:7:60:7 | x [post update] | PostUpdateNode should not be the target of local flow. |
@@ -167,15 +167,17 @@ postWithInFlow
| test.cpp:932:5:932:19 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:932:6:932:19 | global_pointer [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1045:9:1045:11 | ref arg buf | PostUpdateNode should not be the target of local flow. |
| test.cpp:1051:5:1051:11 | content [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1052:9:1052:9 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1056:5:1056:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1056:6:1056:7 | pp [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1062:53:1062:53 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1072:3:1072:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1072:4:1072:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1073:3:1073:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1073:4:1073:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1066:5:1066:5 | i [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1069:5:1069:5 | i [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1087:5:1087:11 | content [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1088:9:1088:9 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1092:5:1092:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1092:6:1092:7 | pp [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1098:53:1098:53 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1108:3:1108:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1108:4:1108:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1109:3:1109:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1109:4:1109:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition

4
cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
View File

@@ -26,6 +26,10 @@ postWithInFlow
| test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:1045:9:1045:11 | memset output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:1076:2:1076:3 | swap output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:1076:10:1076:11 | swap output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:1077:2:1077:3 | swap output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:1077:10:1077:11 | swap output argument | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition

18
cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected
View File

@@ -202,12 +202,12 @@
| test.cpp:489:23:489:29 | *content | test.cpp:490:8:490:17 | * ... |
| test.cpp:489:23:489:29 | content | test.cpp:489:23:489:29 | content |
| test.cpp:489:23:489:29 | content | test.cpp:490:9:490:17 | p_content |
| test.cpp:1050:12:1050:12 | definition of a | test.cpp:1051:3:1051:3 | *a |
| test.cpp:1051:3:1051:3 | *a | test.cpp:1052:8:1052:9 | *& ... |
| test.cpp:1051:3:1051:3 | *a [post update] | test.cpp:1052:8:1052:9 | *& ... |
| test.cpp:1051:3:1051:3 | a | test.cpp:1052:8:1052:9 | & ... |
| test.cpp:1051:3:1051:3 | a [post update] | test.cpp:1052:8:1052:9 | & ... |
| test.cpp:1051:15:1051:21 | 0 | test.cpp:1051:3:1051:21 | ... = ... |
| test.cpp:1051:15:1051:21 | *0 | test.cpp:1051:3:1051:21 | *... = ... |
| test.cpp:1052:9:1052:9 | *a | test.cpp:1052:8:1052:9 | *& ... |
| test.cpp:1052:9:1052:9 | a | test.cpp:1052:8:1052:9 | & ... |
| test.cpp:1086:12:1086:12 | definition of a | test.cpp:1087:3:1087:3 | *a |
| test.cpp:1087:3:1087:3 | *a | test.cpp:1088:8:1088:9 | *& ... |
| test.cpp:1087:3:1087:3 | *a [post update] | test.cpp:1088:8:1088:9 | *& ... |
| test.cpp:1087:3:1087:3 | a | test.cpp:1088:8:1088:9 | & ... |
| test.cpp:1087:3:1087:3 | a [post update] | test.cpp:1088:8:1088:9 | & ... |
| test.cpp:1087:15:1087:21 | 0 | test.cpp:1087:3:1087:21 | ... = ... |
| test.cpp:1087:15:1087:21 | *0 | test.cpp:1087:3:1087:21 | *... = ... |
| test.cpp:1088:9:1088:9 | *a | test.cpp:1088:8:1088:9 | *& ... |
| test.cpp:1088:9:1088:9 | a | test.cpp:1088:8:1088:9 | & ... |

14
cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow.expected
View File

@@ -81,10 +81,10 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (loc
| test.cpp:488:21:488:21 | s [post update] | test.cpp:489:20:489:20 | s |
| test.cpp:488:24:488:30 | ref arg content | test.cpp:489:23:489:29 | content |
| test.cpp:489:23:489:29 | content | test.cpp:490:9:490:17 | p_content |
| test.cpp:1050:12:1050:12 | a | test.cpp:1051:3:1051:3 | a |
| test.cpp:1050:12:1050:12 | a | test.cpp:1052:9:1052:9 | a |
| test.cpp:1051:3:1051:3 | a [post update] | test.cpp:1052:9:1052:9 | a |
| test.cpp:1051:3:1051:21 | ... = ... | test.cpp:1051:5:1051:11 | content [post update] |
| test.cpp:1051:15:1051:21 | 0 | test.cpp:1051:3:1051:21 | ... = ... |
| test.cpp:1052:8:1052:9 | ref arg & ... | test.cpp:1052:9:1052:9 | a [inner post update] |
| test.cpp:1052:9:1052:9 | a | test.cpp:1052:8:1052:9 | & ... |
| test.cpp:1086:12:1086:12 | a | test.cpp:1087:3:1087:3 | a |
| test.cpp:1086:12:1086:12 | a | test.cpp:1088:9:1088:9 | a |
| test.cpp:1087:3:1087:3 | a [post update] | test.cpp:1088:9:1088:9 | a |
| test.cpp:1087:3:1087:21 | ... = ... | test.cpp:1087:5:1087:11 | content [post update] |
| test.cpp:1087:15:1087:21 | 0 | test.cpp:1087:3:1087:21 | ... = ... |
| test.cpp:1088:8:1088:9 | ref arg & ... | test.cpp:1088:9:1088:9 | a [inner post update] |
| test.cpp:1088:9:1088:9 | a | test.cpp:1088:8:1088:9 | & ... |

13
cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
View File

@@ -127,7 +127,11 @@ astFlow
| test.cpp:842:11:842:16 | call to source | test.cpp:844:8:844:8 | y |
| test.cpp:846:13:846:27 | call to indirect_source | test.cpp:848:23:848:25 | rpx |
| test.cpp:860:54:860:59 | call to source | test.cpp:861:10:861:37 | static_local_pointer_dynamic |
| test.cpp:1050:12:1050:12 | a | test.cpp:1052:8:1052:9 | & ... |
| test.cpp:1066:9:1066:14 | call to source | test.cpp:1072:10:1072:10 | i |
| test.cpp:1066:9:1066:14 | call to source | test.cpp:1080:10:1080:10 | i |
| test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i |
| test.cpp:1069:9:1069:14 | call to source | test.cpp:1082:10:1082:10 | i |
| test.cpp:1086:12:1086:12 | a | test.cpp:1088:8:1088:9 | & ... |
| true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
| true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
| true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x |
@@ -313,7 +317,12 @@ irFlow
| test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1027:19:1027:28 | *translated |
| test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1031:19:1031:28 | *translated |
| test.cpp:1045:14:1045:19 | call to source | test.cpp:1046:7:1046:10 | * ... |
| test.cpp:1081:27:1081:34 | call to source | test.cpp:1081:27:1081:34 | call to source |
| test.cpp:1052:13:1052:27 | *call to indirect_source | test.cpp:1054:7:1054:11 | * ... |
| test.cpp:1066:9:1066:14 | call to source | test.cpp:1072:10:1072:10 | i |
| test.cpp:1066:9:1066:14 | call to source | test.cpp:1079:10:1079:10 | i |
| test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i |
| test.cpp:1069:9:1069:14 | call to source | test.cpp:1081:10:1081:10 | i |
| test.cpp:1117:27:1117:34 | call to source | test.cpp:1117:27:1117:34 | call to source |
| true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
| true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
| true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

36
cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
View File

@@ -1046,6 +1046,42 @@ void memset_test(char* buf) { // $ ast-def=buf ir-def=*buf
sink(*buf); // $ ir MISSING: ast
}
void *realloc(void *, size_t);
void test_realloc() {
int *src = indirect_source();
int *dest = (int*)realloc(src, sizeof(int));
sink(*dest); // $ ir, MISSING: ast
}
struct MyInt {
int i;
MyInt();
void swap(MyInt &j);
};
void test_member_swap() {
MyInt s1;
MyInt s2;
s2.i = source();
MyInt s3;
MyInt s4;
s4.i = source();
sink(s1.i);
sink(s2.i); // $ ast,ir
sink(s3.i);
sink(s4.i); // $ ast,ir
s1.swap(s2);
s4.swap(s3);
sink(s1.i); // $ ir
sink(s2.i); // $ SPURIOUS: ast
sink(s3.i); // $ ir
sink(s4.i); // $ SPURIOUS: ast
}
void flow_out_of_address_with_local_flow() {
MyStruct a;
a.content = nullptr;

2
cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected
View File

@@ -51,5 +51,5 @@ incorrectBaseType
| test.cpp:848:23:848:25 | rpx | Expected 'Node.getType()' to be int, but it was int * |
| test.cpp:854:10:854:36 | * ... | Expected 'Node.getType()' to be const int, but it was int |
| test.cpp:867:10:867:30 | * ... | Expected 'Node.getType()' to be const int, but it was int |
| test.cpp:1062:52:1062:53 | *& ... | Expected 'Node.getType()' to be char, but it was char * |
| test.cpp:1098:52:1098:53 | *& ... | Expected 'Node.getType()' to be char, but it was char * |
failures

4
cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
View File

@@ -54,5 +54,5 @@
| test.cpp:796:12:796:12 | a | test.cpp:797:20:797:20 | a |
| test.cpp:796:12:796:12 | a | test.cpp:797:31:797:31 | a |
| test.cpp:796:12:796:12 | a | test.cpp:798:17:798:17 | a |
| test.cpp:1050:12:1050:12 | a | test.cpp:1051:3:1051:3 | a |
| test.cpp:1050:12:1050:12 | a | test.cpp:1052:9:1052:9 | a |
| test.cpp:1086:12:1086:12 | a | test.cpp:1087:3:1087:3 | a |
| test.cpp:1086:12:1086:12 | a | test.cpp:1088:9:1088:9 | a |

8
cpp/ql/test/library-tests/dataflow/external-models/flow.expected
View File

@@ -3,20 +3,20 @@ failures
edges
| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:10 |
| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:2 |
| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:2 Sink:MaD:6 |
| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:2 Sink:MaD:6 |
| asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
| asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:100:64:100:71 | *send_str | provenance | TaintFunction |
| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | |
| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance | |
| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 |
| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 |
| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | |
| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 |
| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:644 |
| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:642 |
| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:643 |
| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance | Sink:MaD:643 |
| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance | |
| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance | |
| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:643 |
| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance | Sink:MaD:643 |
| test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance | |
| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:644 |
nodes

6
cpp/ql/test/library-tests/dataflow/fields/Nodes.qll
View File

@@ -13,9 +13,6 @@ class Node extends TNode {
AST::DataFlow::Node asAst() { none() }
/** DEPRECATED: Alias for asAst */
deprecated AST::DataFlow::Node asAST() { result = this.asAst() }
Location getLocation() { none() }
}
@@ -28,9 +25,6 @@ class AstNode extends Node, TAstNode {
override AST::DataFlow::Node asAst() { result = n }
/** DEPRECATED: Alias for asAst */
deprecated override AST::DataFlow::Node asAST() { result = this.asAst() }
override Location getLocation() { result = n.getLocation() }
}

4
cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
View File

@@ -848,6 +848,8 @@ edges
| simple.cpp:120:8:120:8 | *a [i] | simple.cpp:120:10:120:10 | i | provenance | |
| struct_init.c:14:24:14:25 | *ab [a] | struct_init.c:14:24:14:25 | *ab [a] | provenance | |
| struct_init.c:14:24:14:25 | *ab [a] | struct_init.c:15:8:15:9 | *ab [a] | provenance | |
| struct_init.c:14:24:14:25 | *ab [a] | struct_init.c:15:8:15:9 | *ab [a] | provenance | |
| struct_init.c:15:8:15:9 | *ab [a] | struct_init.c:15:12:15:12 | a | provenance | |
| struct_init.c:15:8:15:9 | *ab [a] | struct_init.c:15:12:15:12 | a | provenance | |
| struct_init.c:20:13:20:14 | *definition of ab [a] | struct_init.c:22:8:22:9 | *ab [a] | provenance | |
| struct_init.c:20:13:20:14 | *definition of ab [a] | struct_init.c:24:10:24:12 | *& ... [a] | provenance | |
@@ -1758,6 +1760,8 @@ nodes
| simple.cpp:120:10:120:10 | i | semmle.label | i |
| struct_init.c:14:24:14:25 | *ab [a] | semmle.label | *ab [a] |
| struct_init.c:14:24:14:25 | *ab [a] | semmle.label | *ab [a] |
| struct_init.c:14:24:14:25 | *ab [a] | semmle.label | *ab [a] |
| struct_init.c:15:8:15:9 | *ab [a] | semmle.label | *ab [a] |
| struct_init.c:15:8:15:9 | *ab [a] | semmle.label | *ab [a] |
| struct_init.c:15:12:15:12 | a | semmle.label | a |
| struct_init.c:20:13:20:14 | *definition of ab [a] | semmle.label | *definition of ab [a] |

4
cpp/ql/test/library-tests/dataflow/fields/path-flow.expected
View File

@@ -737,6 +737,8 @@ edges
| simple.cpp:120:8:120:8 | a [i] | simple.cpp:120:10:120:10 | i | provenance | |
| struct_init.c:14:24:14:25 | ab [a] | struct_init.c:14:24:14:25 | ab [a] | provenance | |
| struct_init.c:14:24:14:25 | ab [a] | struct_init.c:15:8:15:9 | ab [a] | provenance | |
| struct_init.c:14:24:14:25 | ab [a] | struct_init.c:15:8:15:9 | ab [a] | provenance | |
| struct_init.c:15:8:15:9 | ab [a] | struct_init.c:15:12:15:12 | a | provenance | |
| struct_init.c:15:8:15:9 | ab [a] | struct_init.c:15:12:15:12 | a | provenance | |
| struct_init.c:15:8:15:9 | ab [a] | struct_init.c:15:12:15:12 | a | provenance | |
| struct_init.c:15:8:15:9 | ab [post update] [a] | struct_init.c:14:24:14:25 | ab [a] | provenance | |
@@ -1549,6 +1551,8 @@ nodes
| simple.cpp:120:10:120:10 | i | semmle.label | i |
| struct_init.c:14:24:14:25 | ab [a] | semmle.label | ab [a] |
| struct_init.c:14:24:14:25 | ab [a] | semmle.label | ab [a] |
| struct_init.c:14:24:14:25 | ab [a] | semmle.label | ab [a] |
| struct_init.c:15:8:15:9 | ab [a] | semmle.label | ab [a] |
| struct_init.c:15:8:15:9 | ab [a] | semmle.label | ab [a] |
| struct_init.c:15:8:15:9 | ab [post update] [a] | semmle.label | ab [post update] [a] |
| struct_init.c:15:12:15:12 | a | semmle.label | a |

127
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -554,19 +554,15 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| map.cpp:67:30:67:42 | call to pair | map.cpp:80:7:80:7 | l | |
| map.cpp:67:30:67:42 | call to pair | map.cpp:81:7:81:7 | l | |
| map.cpp:67:37:67:41 | 456 | map.cpp:67:30:67:42 | call to pair | TAINT |
| map.cpp:68:3:68:3 | i | map.cpp:68:10:68:10 | ref arg j | TAINT |
| map.cpp:68:3:68:3 | ref arg i | map.cpp:70:7:70:7 | i | |
| map.cpp:68:3:68:3 | ref arg i | map.cpp:71:7:71:7 | i | |
| map.cpp:68:3:68:3 | ref arg i | map.cpp:72:7:72:7 | i | |
| map.cpp:68:10:68:10 | j | map.cpp:68:3:68:3 | ref arg i | TAINT |
| map.cpp:68:10:68:10 | ref arg j | map.cpp:73:7:73:7 | j | |
| map.cpp:68:10:68:10 | ref arg j | map.cpp:74:7:74:7 | j | |
| map.cpp:68:10:68:10 | ref arg j | map.cpp:75:7:75:7 | j | |
| map.cpp:69:2:69:2 | k | map.cpp:69:9:69:9 | ref arg l | TAINT |
| map.cpp:69:2:69:2 | ref arg k | map.cpp:76:7:76:7 | k | |
| map.cpp:69:2:69:2 | ref arg k | map.cpp:77:7:77:7 | k | |
| map.cpp:69:2:69:2 | ref arg k | map.cpp:78:7:78:7 | k | |
| map.cpp:69:9:69:9 | l | map.cpp:69:2:69:2 | ref arg k | TAINT |
| map.cpp:69:9:69:9 | ref arg l | map.cpp:79:7:79:7 | l | |
| map.cpp:69:9:69:9 | ref arg l | map.cpp:80:7:80:7 | l | |
| map.cpp:69:9:69:9 | ref arg l | map.cpp:81:7:81:7 | l | |
@@ -1065,16 +1061,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| map.cpp:194:7:194:9 | m16 | map.cpp:194:7:194:9 | call to map | |
| map.cpp:195:7:195:9 | m17 | map.cpp:195:7:195:9 | call to map | |
| map.cpp:196:7:196:9 | m18 | map.cpp:196:7:196:9 | call to map | |
| map.cpp:197:2:197:4 | m15 | map.cpp:197:11:197:13 | ref arg m16 | TAINT |
| map.cpp:197:2:197:4 | ref arg m15 | map.cpp:199:7:199:9 | m15 | |
| map.cpp:197:2:197:4 | ref arg m15 | map.cpp:252:1:252:1 | m15 | |
| map.cpp:197:11:197:13 | m16 | map.cpp:197:2:197:4 | ref arg m15 | TAINT |
| map.cpp:197:11:197:13 | ref arg m16 | map.cpp:200:7:200:9 | m16 | |
| map.cpp:197:11:197:13 | ref arg m16 | map.cpp:252:1:252:1 | m16 | |
| map.cpp:198:2:198:4 | m17 | map.cpp:198:11:198:13 | ref arg m18 | TAINT |
| map.cpp:198:2:198:4 | ref arg m17 | map.cpp:201:7:201:9 | m17 | |
| map.cpp:198:2:198:4 | ref arg m17 | map.cpp:252:1:252:1 | m17 | |
| map.cpp:198:11:198:13 | m18 | map.cpp:198:2:198:4 | ref arg m17 | TAINT |
| map.cpp:198:11:198:13 | ref arg m18 | map.cpp:202:7:202:9 | m18 | |
| map.cpp:198:11:198:13 | ref arg m18 | map.cpp:252:1:252:1 | m18 | |
| map.cpp:199:7:199:9 | m15 | map.cpp:199:7:199:9 | call to map | |
@@ -1747,16 +1739,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| map.cpp:343:7:343:9 | m16 | map.cpp:343:7:343:9 | call to unordered_map | |
| map.cpp:344:7:344:9 | m17 | map.cpp:344:7:344:9 | call to unordered_map | |
| map.cpp:345:7:345:9 | m18 | map.cpp:345:7:345:9 | call to unordered_map | |
| map.cpp:346:2:346:4 | m15 | map.cpp:346:11:346:13 | ref arg m16 | TAINT |
| map.cpp:346:2:346:4 | ref arg m15 | map.cpp:348:7:348:9 | m15 | |
| map.cpp:346:2:346:4 | ref arg m15 | map.cpp:438:1:438:1 | m15 | |
| map.cpp:346:11:346:13 | m16 | map.cpp:346:2:346:4 | ref arg m15 | TAINT |
| map.cpp:346:11:346:13 | ref arg m16 | map.cpp:349:7:349:9 | m16 | |
| map.cpp:346:11:346:13 | ref arg m16 | map.cpp:438:1:438:1 | m16 | |
| map.cpp:347:2:347:4 | m17 | map.cpp:347:11:347:13 | ref arg m18 | TAINT |
| map.cpp:347:2:347:4 | ref arg m17 | map.cpp:350:7:350:9 | m17 | |
| map.cpp:347:2:347:4 | ref arg m17 | map.cpp:438:1:438:1 | m17 | |
| map.cpp:347:11:347:13 | m18 | map.cpp:347:2:347:4 | ref arg m17 | TAINT |
| map.cpp:347:11:347:13 | ref arg m18 | map.cpp:351:7:351:9 | m18 | |
| map.cpp:347:11:347:13 | ref arg m18 | map.cpp:438:1:438:1 | m18 | |
| map.cpp:348:7:348:9 | m15 | map.cpp:348:7:348:9 | call to unordered_map | |
@@ -2579,16 +2567,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| set.cpp:81:7:81:9 | s15 | set.cpp:81:7:81:9 | call to set | |
| set.cpp:82:2:82:4 | ref arg s12 | set.cpp:84:7:84:9 | s12 | |
| set.cpp:82:2:82:4 | ref arg s12 | set.cpp:126:1:126:1 | s12 | |
| set.cpp:82:2:82:4 | s12 | set.cpp:82:11:82:13 | ref arg s13 | TAINT |
| set.cpp:82:11:82:13 | ref arg s13 | set.cpp:85:7:85:9 | s13 | |
| set.cpp:82:11:82:13 | ref arg s13 | set.cpp:126:1:126:1 | s13 | |
| set.cpp:82:11:82:13 | s13 | set.cpp:82:2:82:4 | ref arg s12 | TAINT |
| set.cpp:83:2:83:4 | ref arg s14 | set.cpp:86:7:86:9 | s14 | |
| set.cpp:83:2:83:4 | ref arg s14 | set.cpp:126:1:126:1 | s14 | |
| set.cpp:83:2:83:4 | s14 | set.cpp:83:11:83:13 | ref arg s15 | TAINT |
| set.cpp:83:11:83:13 | ref arg s15 | set.cpp:87:7:87:9 | s15 | |
| set.cpp:83:11:83:13 | ref arg s15 | set.cpp:126:1:126:1 | s15 | |
| set.cpp:83:11:83:13 | s15 | set.cpp:83:2:83:4 | ref arg s14 | TAINT |
| set.cpp:84:7:84:9 | s12 | set.cpp:84:7:84:9 | call to set | |
| set.cpp:85:7:85:9 | s13 | set.cpp:85:7:85:9 | call to set | |
| set.cpp:86:7:86:9 | s14 | set.cpp:86:7:86:9 | call to set | |
@@ -3066,16 +3050,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| set.cpp:193:7:193:9 | s15 | set.cpp:193:7:193:9 | call to unordered_set | |
| set.cpp:194:2:194:4 | ref arg s12 | set.cpp:196:7:196:9 | s12 | |
| set.cpp:194:2:194:4 | ref arg s12 | set.cpp:238:1:238:1 | s12 | |
| set.cpp:194:2:194:4 | s12 | set.cpp:194:11:194:13 | ref arg s13 | TAINT |
| set.cpp:194:11:194:13 | ref arg s13 | set.cpp:197:7:197:9 | s13 | |
| set.cpp:194:11:194:13 | ref arg s13 | set.cpp:238:1:238:1 | s13 | |
| set.cpp:194:11:194:13 | s13 | set.cpp:194:2:194:4 | ref arg s12 | TAINT |
| set.cpp:195:2:195:4 | ref arg s14 | set.cpp:198:7:198:9 | s14 | |
| set.cpp:195:2:195:4 | ref arg s14 | set.cpp:238:1:238:1 | s14 | |
| set.cpp:195:2:195:4 | s14 | set.cpp:195:11:195:13 | ref arg s15 | TAINT |
| set.cpp:195:11:195:13 | ref arg s15 | set.cpp:199:7:199:9 | s15 | |
| set.cpp:195:11:195:13 | ref arg s15 | set.cpp:238:1:238:1 | s15 | |
| set.cpp:195:11:195:13 | s15 | set.cpp:195:2:195:4 | ref arg s14 | TAINT |
| set.cpp:196:7:196:9 | s12 | set.cpp:196:7:196:9 | call to unordered_set | |
| set.cpp:197:7:197:9 | s13 | set.cpp:197:7:197:9 | call to unordered_set | |
| set.cpp:198:7:198:9 | s14 | set.cpp:198:7:198:9 | call to unordered_set | |
@@ -4047,13 +4027,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| string.cpp:272:17:272:25 | call to basic_string | string.cpp:280:2:280:3 | s4 | |
| string.cpp:272:17:272:25 | call to basic_string | string.cpp:285:7:285:8 | s4 | |
| string.cpp:279:2:279:3 | ref arg s1 | string.cpp:282:7:282:8 | s1 | |
| string.cpp:279:2:279:3 | s1 | string.cpp:279:10:279:11 | ref arg s2 | TAINT |
| string.cpp:279:10:279:11 | ref arg s2 | string.cpp:283:7:283:8 | s2 | |
| string.cpp:279:10:279:11 | s2 | string.cpp:279:2:279:3 | ref arg s1 | TAINT |
| string.cpp:280:2:280:3 | ref arg s4 | string.cpp:285:7:285:8 | s4 | |
| string.cpp:280:2:280:3 | s4 | string.cpp:280:10:280:11 | ref arg s3 | TAINT |
| string.cpp:280:10:280:11 | ref arg s3 | string.cpp:284:7:284:8 | s3 | |
| string.cpp:280:10:280:11 | s3 | string.cpp:280:2:280:3 | ref arg s4 | TAINT |
| string.cpp:289:17:289:22 | call to source | string.cpp:289:17:289:25 | call to basic_string | TAINT |
| string.cpp:289:17:289:25 | call to basic_string | string.cpp:293:7:293:8 | s1 | |
| string.cpp:289:17:289:25 | call to basic_string | string.cpp:297:2:297:3 | s1 | |
@@ -4839,13 +4815,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| stringstream.cpp:115:24:115:32 | call to basic_stringstream | stringstream.cpp:118:2:118:4 | ss4 | |
| stringstream.cpp:115:24:115:32 | call to basic_stringstream | stringstream.cpp:123:7:123:9 | ss4 | |
| stringstream.cpp:117:2:117:4 | ref arg ss1 | stringstream.cpp:120:7:120:9 | ss1 | |
| stringstream.cpp:117:2:117:4 | ss1 | stringstream.cpp:117:11:117:13 | ref arg ss2 | TAINT |
| stringstream.cpp:117:11:117:13 | ref arg ss2 | stringstream.cpp:121:7:121:9 | ss2 | |
| stringstream.cpp:117:11:117:13 | ss2 | stringstream.cpp:117:2:117:4 | ref arg ss1 | TAINT |
| stringstream.cpp:118:2:118:4 | ref arg ss4 | stringstream.cpp:123:7:123:9 | ss4 | |
| stringstream.cpp:118:2:118:4 | ss4 | stringstream.cpp:118:11:118:13 | ref arg ss3 | TAINT |
| stringstream.cpp:118:11:118:13 | ref arg ss3 | stringstream.cpp:122:7:122:9 | ss3 | |
| stringstream.cpp:118:11:118:13 | ss3 | stringstream.cpp:118:2:118:4 | ref arg ss4 | TAINT |
| stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:142:7:142:9 | ss1 | |
| stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:145:7:145:9 | ss1 | |
| stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:153:7:153:9 | ss1 | |
@@ -5413,9 +5385,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| swap1.cpp:24:9:24:13 | this | swap1.cpp:24:31:24:34 | this | |
| swap1.cpp:24:23:24:26 | that | swap1.cpp:24:23:24:26 | that | |
| swap1.cpp:24:23:24:26 | that | swap1.cpp:24:36:24:39 | that | |
| swap1.cpp:24:31:24:34 | this | swap1.cpp:24:36:24:39 | ref arg that | TAINT |
| swap1.cpp:24:36:24:39 | ref arg that | swap1.cpp:24:23:24:26 | that | |
| swap1.cpp:24:36:24:39 | that | swap1.cpp:24:31:24:34 | ref arg this | TAINT |
| swap1.cpp:25:9:25:13 | this | swap1.cpp:25:36:25:52 | constructor init of field data1 [pre-this] | |
| swap1.cpp:25:28:25:31 | that | swap1.cpp:25:42:25:45 | that | |
| swap1.cpp:25:47:25:51 | data1 | swap1.cpp:25:36:25:52 | constructor init of field data1 | TAINT |
@@ -5425,36 +5395,28 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| swap1.cpp:29:23:29:27 | call to Class | swap1.cpp:30:18:30:20 | tmp | |
| swap1.cpp:29:24:29:27 | that | swap1.cpp:29:23:29:27 | call to Class | |
| swap1.cpp:30:13:30:16 | ref arg this | swap1.cpp:31:21:31:24 | this | |
| swap1.cpp:30:13:30:16 | this | swap1.cpp:30:18:30:20 | ref arg tmp | TAINT |
| swap1.cpp:30:13:30:16 | this | swap1.cpp:31:21:31:24 | this | |
| swap1.cpp:30:18:30:20 | tmp | swap1.cpp:30:13:30:16 | ref arg this | TAINT |
| swap1.cpp:31:21:31:24 | this | swap1.cpp:31:20:31:24 | * ... | TAINT |
| swap1.cpp:34:16:34:24 | this | swap1.cpp:36:13:36:16 | this | |
| swap1.cpp:34:34:34:37 | that | swap1.cpp:34:34:34:37 | that | |
| swap1.cpp:34:34:34:37 | that | swap1.cpp:36:18:36:21 | that | |
| swap1.cpp:36:13:36:16 | ref arg this | swap1.cpp:37:21:37:24 | this | |
| swap1.cpp:36:13:36:16 | this | swap1.cpp:36:18:36:21 | ref arg that | TAINT |
| swap1.cpp:36:13:36:16 | this | swap1.cpp:37:21:37:24 | this | |
| swap1.cpp:36:18:36:21 | ref arg that | swap1.cpp:34:34:34:37 | that | |
| swap1.cpp:36:18:36:21 | that | swap1.cpp:36:13:36:16 | ref arg this | TAINT |
| swap1.cpp:37:21:37:24 | this | swap1.cpp:37:20:37:24 | * ... | TAINT |
| swap1.cpp:40:16:40:26 | this | swap1.cpp:43:13:43:16 | this | |
| swap1.cpp:40:41:40:44 | that | swap1.cpp:42:24:42:27 | that | |
| swap1.cpp:42:23:42:27 | call to Class | swap1.cpp:43:18:43:20 | tmp | |
| swap1.cpp:42:24:42:27 | that | swap1.cpp:42:23:42:27 | call to Class | |
| swap1.cpp:43:13:43:16 | ref arg this | swap1.cpp:44:21:44:24 | this | |
| swap1.cpp:43:13:43:16 | this | swap1.cpp:43:18:43:20 | ref arg tmp | TAINT |
| swap1.cpp:43:13:43:16 | this | swap1.cpp:44:21:44:24 | this | |
| swap1.cpp:43:18:43:20 | tmp | swap1.cpp:43:13:43:16 | ref arg this | TAINT |
| swap1.cpp:44:21:44:24 | this | swap1.cpp:44:20:44:24 | * ... | TAINT |
| swap1.cpp:47:16:47:26 | this | swap1.cpp:49:13:49:16 | this | |
| swap1.cpp:47:36:47:39 | that | swap1.cpp:47:36:47:39 | that | |
| swap1.cpp:47:36:47:39 | that | swap1.cpp:49:18:49:21 | that | |
| swap1.cpp:49:13:49:16 | ref arg this | swap1.cpp:50:21:50:24 | this | |
| swap1.cpp:49:13:49:16 | this | swap1.cpp:49:18:49:21 | ref arg that | TAINT |
| swap1.cpp:49:13:49:16 | this | swap1.cpp:50:21:50:24 | this | |
| swap1.cpp:49:18:49:21 | ref arg that | swap1.cpp:47:36:47:39 | that | |
| swap1.cpp:49:18:49:21 | that | swap1.cpp:49:13:49:16 | ref arg this | TAINT |
| swap1.cpp:50:21:50:24 | this | swap1.cpp:50:20:50:24 | * ... | TAINT |
| swap1.cpp:53:14:53:17 | this | swap1.cpp:56:18:56:22 | this | |
| swap1.cpp:53:26:53:29 | that | swap1.cpp:53:26:53:29 | that | |
@@ -5468,9 +5430,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| swap1.cpp:61:32:61:32 | y | swap1.cpp:61:32:61:32 | y | |
| swap1.cpp:61:32:61:32 | y | swap1.cpp:63:16:63:16 | y | |
| swap1.cpp:63:9:63:9 | ref arg x | swap1.cpp:61:22:61:22 | x | |
| swap1.cpp:63:9:63:9 | x | swap1.cpp:63:16:63:16 | ref arg y | TAINT |
| swap1.cpp:63:16:63:16 | ref arg y | swap1.cpp:61:32:61:32 | y | |
| swap1.cpp:63:16:63:16 | y | swap1.cpp:63:9:63:9 | ref arg x | TAINT |
| swap1.cpp:69:23:69:23 | x | swap1.cpp:71:5:71:5 | x | |
| swap1.cpp:69:23:69:23 | x | swap1.cpp:73:10:73:10 | x | |
| swap1.cpp:69:23:69:23 | x | swap1.cpp:76:9:76:9 | x | |
@@ -5579,9 +5539,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| swap2.cpp:24:9:24:13 | this | swap2.cpp:24:31:24:34 | this | |
| swap2.cpp:24:23:24:26 | that | swap2.cpp:24:23:24:26 | that | |
| swap2.cpp:24:23:24:26 | that | swap2.cpp:24:36:24:39 | that | |
| swap2.cpp:24:31:24:34 | this | swap2.cpp:24:36:24:39 | ref arg that | TAINT |
| swap2.cpp:24:36:24:39 | ref arg that | swap2.cpp:24:23:24:26 | that | |
| swap2.cpp:24:36:24:39 | that | swap2.cpp:24:31:24:34 | ref arg this | TAINT |
| swap2.cpp:25:9:25:13 | this | swap2.cpp:25:36:25:52 | constructor init of field data1 [pre-this] | |
| swap2.cpp:25:28:25:31 | that | swap2.cpp:25:42:25:45 | that | |
| swap2.cpp:25:28:25:31 | that | swap2.cpp:25:61:25:64 | that | |
@@ -5596,36 +5554,28 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| swap2.cpp:29:23:29:27 | call to Class | swap2.cpp:30:18:30:20 | tmp | |
| swap2.cpp:29:24:29:27 | that | swap2.cpp:29:23:29:27 | call to Class | |
| swap2.cpp:30:13:30:16 | ref arg this | swap2.cpp:31:21:31:24 | this | |
| swap2.cpp:30:13:30:16 | this | swap2.cpp:30:18:30:20 | ref arg tmp | TAINT |
| swap2.cpp:30:13:30:16 | this | swap2.cpp:31:21:31:24 | this | |
| swap2.cpp:30:18:30:20 | tmp | swap2.cpp:30:13:30:16 | ref arg this | TAINT |
| swap2.cpp:31:21:31:24 | this | swap2.cpp:31:20:31:24 | * ... | TAINT |
| swap2.cpp:34:16:34:24 | this | swap2.cpp:36:13:36:16 | this | |
| swap2.cpp:34:34:34:37 | that | swap2.cpp:34:34:34:37 | that | |
| swap2.cpp:34:34:34:37 | that | swap2.cpp:36:18:36:21 | that | |
| swap2.cpp:36:13:36:16 | ref arg this | swap2.cpp:37:21:37:24 | this | |
| swap2.cpp:36:13:36:16 | this | swap2.cpp:36:18:36:21 | ref arg that | TAINT |
| swap2.cpp:36:13:36:16 | this | swap2.cpp:37:21:37:24 | this | |
| swap2.cpp:36:18:36:21 | ref arg that | swap2.cpp:34:34:34:37 | that | |
| swap2.cpp:36:18:36:21 | that | swap2.cpp:36:13:36:16 | ref arg this | TAINT |
| swap2.cpp:37:21:37:24 | this | swap2.cpp:37:20:37:24 | * ... | TAINT |
| swap2.cpp:40:16:40:26 | this | swap2.cpp:43:13:43:16 | this | |
| swap2.cpp:40:41:40:44 | that | swap2.cpp:42:24:42:27 | that | |
| swap2.cpp:42:23:42:27 | call to Class | swap2.cpp:43:18:43:20 | tmp | |
| swap2.cpp:42:24:42:27 | that | swap2.cpp:42:23:42:27 | call to Class | |
| swap2.cpp:43:13:43:16 | ref arg this | swap2.cpp:44:21:44:24 | this | |
| swap2.cpp:43:13:43:16 | this | swap2.cpp:43:18:43:20 | ref arg tmp | TAINT |
| swap2.cpp:43:13:43:16 | this | swap2.cpp:44:21:44:24 | this | |
| swap2.cpp:43:18:43:20 | tmp | swap2.cpp:43:13:43:16 | ref arg this | TAINT |
| swap2.cpp:44:21:44:24 | this | swap2.cpp:44:20:44:24 | * ... | TAINT |
| swap2.cpp:47:16:47:26 | this | swap2.cpp:49:13:49:16 | this | |
| swap2.cpp:47:36:47:39 | that | swap2.cpp:47:36:47:39 | that | |
| swap2.cpp:47:36:47:39 | that | swap2.cpp:49:18:49:21 | that | |
| swap2.cpp:49:13:49:16 | ref arg this | swap2.cpp:50:21:50:24 | this | |
| swap2.cpp:49:13:49:16 | this | swap2.cpp:49:18:49:21 | ref arg that | TAINT |
| swap2.cpp:49:13:49:16 | this | swap2.cpp:50:21:50:24 | this | |
| swap2.cpp:49:18:49:21 | ref arg that | swap2.cpp:47:36:47:39 | that | |
| swap2.cpp:49:18:49:21 | that | swap2.cpp:49:13:49:16 | ref arg this | TAINT |
| swap2.cpp:50:21:50:24 | this | swap2.cpp:50:20:50:24 | * ... | TAINT |
| swap2.cpp:53:14:53:17 | this | swap2.cpp:56:18:56:22 | this | |
| swap2.cpp:53:26:53:29 | that | swap2.cpp:53:26:53:29 | that | |
@@ -5647,9 +5597,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| swap2.cpp:61:32:61:32 | y | swap2.cpp:61:32:61:32 | y | |
| swap2.cpp:61:32:61:32 | y | swap2.cpp:63:16:63:16 | y | |
| swap2.cpp:63:9:63:9 | ref arg x | swap2.cpp:61:22:61:22 | x | |
| swap2.cpp:63:9:63:9 | x | swap2.cpp:63:16:63:16 | ref arg y | TAINT |
| swap2.cpp:63:16:63:16 | ref arg y | swap2.cpp:61:32:61:32 | y | |
| swap2.cpp:63:16:63:16 | y | swap2.cpp:63:9:63:9 | ref arg x | TAINT |
| swap2.cpp:69:23:69:23 | x | swap2.cpp:71:5:71:5 | x | |
| swap2.cpp:69:23:69:23 | x | swap2.cpp:73:10:73:10 | x | |
| swap2.cpp:69:23:69:23 | x | swap2.cpp:76:9:76:9 | x | |
@@ -6597,38 +6545,45 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| taint.cpp:729:27:729:32 | endptr | taint.cpp:729:26:729:32 | & ... | |
| taint.cpp:731:7:731:12 | ref arg endptr | taint.cpp:732:8:732:13 | endptr | |
| taint.cpp:732:8:732:13 | endptr | taint.cpp:732:7:732:13 | * ... | TAINT |
| taint.cpp:738:17:738:31 | call to indirect_source | taint.cpp:739:30:739:35 | source | |
| taint.cpp:739:22:739:28 | call to realloc | taint.cpp:740:7:740:10 | dest | |
| taint.cpp:739:30:739:35 | source | taint.cpp:739:22:739:28 | call to realloc | TAINT |
| taint.cpp:743:40:743:45 | buffer | taint.cpp:744:5:744:10 | buffer | |
| taint.cpp:743:40:743:45 | buffer | taint.cpp:745:27:745:32 | buffer | |
| taint.cpp:744:4:744:10 | * ... | taint.cpp:744:3:744:10 | * ... | TAINT |
| taint.cpp:744:5:744:10 | buffer | taint.cpp:744:4:744:10 | * ... | TAINT |
| taint.cpp:744:14:744:19 | call to source | taint.cpp:744:3:744:21 | ... = ... | |
| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:743:40:743:45 | buffer | |
| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:745:3:745:37 | ... = ... | |
| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:746:10:746:15 | buffer | |
| taint.cpp:745:27:745:32 | buffer | taint.cpp:745:19:745:25 | call to realloc | TAINT |
| taint.cpp:746:9:746:15 | * ... | taint.cpp:746:8:746:15 | * ... | TAINT |
| taint.cpp:746:10:746:15 | buffer | taint.cpp:746:9:746:15 | * ... | TAINT |
| taint.cpp:751:31:751:34 | path | taint.cpp:751:31:751:34 | path | |
| taint.cpp:751:31:751:34 | path | taint.cpp:752:10:752:13 | path | |
| taint.cpp:751:31:751:34 | path | taint.cpp:753:10:753:13 | path | |
| taint.cpp:751:43:751:46 | data | taint.cpp:751:43:751:46 | data | |
| taint.cpp:751:43:751:46 | data | taint.cpp:753:22:753:25 | data | |
| taint.cpp:752:10:752:13 | ref arg path | taint.cpp:751:31:751:34 | path | |
| taint.cpp:752:10:752:13 | ref arg path | taint.cpp:753:10:753:13 | path | |
| taint.cpp:752:16:752:19 | %s | taint.cpp:752:10:752:13 | ref arg path | TAINT |
| taint.cpp:752:22:752:26 | abc | taint.cpp:752:10:752:13 | ref arg path | TAINT |
| taint.cpp:753:10:753:13 | ref arg path | taint.cpp:751:31:751:34 | path | |
| taint.cpp:753:16:753:19 | %s | taint.cpp:753:10:753:13 | ref arg path | TAINT |
| taint.cpp:753:22:753:25 | data | taint.cpp:753:10:753:13 | ref arg path | TAINT |
| taint.cpp:753:22:753:25 | ref arg data | taint.cpp:751:43:751:46 | data | |
| taint.cpp:757:7:757:10 | path | taint.cpp:758:21:758:24 | path | |
| taint.cpp:757:7:757:10 | path | taint.cpp:759:8:759:11 | path | |
| taint.cpp:758:21:758:24 | ref arg path | taint.cpp:759:8:759:11 | path | |
| taint.cpp:759:8:759:11 | path | taint.cpp:759:7:759:11 | * ... | |
| taint.cpp:769:37:769:42 | call to source | taint.cpp:770:7:770:9 | obj | |
| taint.cpp:739:17:739:31 | call to indirect_source | taint.cpp:740:30:740:35 | source | |
| taint.cpp:740:22:740:28 | call to realloc | taint.cpp:741:7:741:10 | dest | |
| taint.cpp:740:30:740:35 | source | taint.cpp:740:22:740:28 | call to realloc | TAINT |
| taint.cpp:744:40:744:45 | buffer | taint.cpp:745:5:745:10 | buffer | |
| taint.cpp:744:40:744:45 | buffer | taint.cpp:746:27:746:32 | buffer | |
| taint.cpp:745:4:745:10 | * ... | taint.cpp:745:3:745:10 | * ... | TAINT |
| taint.cpp:745:5:745:10 | buffer | taint.cpp:745:4:745:10 | * ... | TAINT |
| taint.cpp:745:14:745:19 | call to source | taint.cpp:745:3:745:21 | ... = ... | |
| taint.cpp:746:19:746:25 | call to realloc | taint.cpp:744:40:744:45 | buffer | |
| taint.cpp:746:19:746:25 | call to realloc | taint.cpp:746:3:746:37 | ... = ... | |
| taint.cpp:746:19:746:25 | call to realloc | taint.cpp:747:10:747:15 | buffer | |
| taint.cpp:746:27:746:32 | buffer | taint.cpp:746:19:746:25 | call to realloc | TAINT |
| taint.cpp:747:9:747:15 | * ... | taint.cpp:747:8:747:15 | * ... | TAINT |
| taint.cpp:747:10:747:15 | buffer | taint.cpp:747:9:747:15 | * ... | TAINT |
| taint.cpp:752:13:752:18 | call to malloc | taint.cpp:753:2:753:2 | a | |
| taint.cpp:752:13:752:18 | call to malloc | taint.cpp:754:22:754:22 | a | |
| taint.cpp:753:2:753:2 | a [post update] | taint.cpp:754:22:754:22 | a | |
| taint.cpp:753:2:753:16 | ... = ... | taint.cpp:753:5:753:5 | x [post update] | |
| taint.cpp:753:9:753:14 | call to source | taint.cpp:753:2:753:16 | ... = ... | |
| taint.cpp:754:14:754:20 | call to realloc | taint.cpp:755:7:755:8 | a2 | |
| taint.cpp:754:22:754:22 | a | taint.cpp:754:14:754:20 | call to realloc | TAINT |
| taint.cpp:760:31:760:34 | path | taint.cpp:760:31:760:34 | path | |
| taint.cpp:760:31:760:34 | path | taint.cpp:761:10:761:13 | path | |
| taint.cpp:760:31:760:34 | path | taint.cpp:762:10:762:13 | path | |
| taint.cpp:760:43:760:46 | data | taint.cpp:760:43:760:46 | data | |
| taint.cpp:760:43:760:46 | data | taint.cpp:762:22:762:25 | data | |
| taint.cpp:761:10:761:13 | ref arg path | taint.cpp:760:31:760:34 | path | |
| taint.cpp:761:10:761:13 | ref arg path | taint.cpp:762:10:762:13 | path | |
| taint.cpp:761:16:761:19 | %s | taint.cpp:761:10:761:13 | ref arg path | TAINT |
| taint.cpp:761:22:761:26 | abc | taint.cpp:761:10:761:13 | ref arg path | TAINT |
| taint.cpp:762:10:762:13 | ref arg path | taint.cpp:760:31:760:34 | path | |
| taint.cpp:762:16:762:19 | %s | taint.cpp:762:10:762:13 | ref arg path | TAINT |
| taint.cpp:762:22:762:25 | data | taint.cpp:762:10:762:13 | ref arg path | TAINT |
| taint.cpp:762:22:762:25 | ref arg data | taint.cpp:760:43:760:46 | data | |
| taint.cpp:766:7:766:10 | path | taint.cpp:767:21:767:24 | path | |
| taint.cpp:766:7:766:10 | path | taint.cpp:768:8:768:11 | path | |
| taint.cpp:767:21:767:24 | ref arg path | taint.cpp:768:8:768:11 | path | |
| taint.cpp:768:8:768:11 | path | taint.cpp:768:7:768:11 | * ... | |
| taint.cpp:778:37:778:42 | call to source | taint.cpp:779:7:779:9 | obj | |
| vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 | |
| vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 | |
| vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v | |
@@ -7005,16 +6960,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| vector.cpp:112:7:112:8 | ref arg v4 | vector.cpp:121:1:121:1 | v4 | |
| vector.cpp:114:2:114:3 | ref arg v1 | vector.cpp:117:7:117:8 | v1 | |
| vector.cpp:114:2:114:3 | ref arg v1 | vector.cpp:121:1:121:1 | v1 | |
| vector.cpp:114:2:114:3 | v1 | vector.cpp:114:10:114:11 | ref arg v2 | TAINT |
| vector.cpp:114:10:114:11 | ref arg v2 | vector.cpp:118:7:118:8 | v2 | |
| vector.cpp:114:10:114:11 | ref arg v2 | vector.cpp:121:1:121:1 | v2 | |
| vector.cpp:114:10:114:11 | v2 | vector.cpp:114:2:114:3 | ref arg v1 | TAINT |
| vector.cpp:115:2:115:3 | ref arg v3 | vector.cpp:119:7:119:8 | v3 | |
| vector.cpp:115:2:115:3 | ref arg v3 | vector.cpp:121:1:121:1 | v3 | |
| vector.cpp:115:2:115:3 | v3 | vector.cpp:115:10:115:11 | ref arg v4 | TAINT |
| vector.cpp:115:10:115:11 | ref arg v4 | vector.cpp:120:7:120:8 | v4 | |
| vector.cpp:115:10:115:11 | ref arg v4 | vector.cpp:121:1:121:1 | v4 | |
| vector.cpp:115:10:115:11 | v4 | vector.cpp:115:2:115:3 | ref arg v3 | TAINT |
| vector.cpp:117:7:117:8 | ref arg v1 | vector.cpp:121:1:121:1 | v1 | |
| vector.cpp:118:7:118:8 | ref arg v2 | vector.cpp:121:1:121:1 | v2 | |
| vector.cpp:119:7:119:8 | ref arg v3 | vector.cpp:121:1:121:1 | v3 | |

16
cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
View File

@@ -68,8 +68,8 @@ void test_pair()
i.swap(j);
k.swap(l);
sink(i.first);
sink(i.second); // $ MISSING: ast,ir
sink(i); // $ ast,ir
sink(i.second); // $ ir, MISSING: ast
sink(i); // $ ir
sink(j.first);
sink(j.second); // $ SPURIOUS: ast
sink(j); // $ SPURIOUS: ast
@@ -77,8 +77,8 @@ void test_pair()
sink(k.second); // $ SPURIOUS: ast
sink(k); // $ SPURIOUS: ast
sink(l.first);
sink(l.second); // $ MISSING: ast,ir
sink(l); // $ ast,ir
sink(l.second); // $ ir, MISSING: ast
sink(l); // $ ir
sink(make_pair("123", "456"));
sink(make_pair("123", "456").first);
@@ -197,8 +197,8 @@ void test_map()
m15.swap(m16);
m17.swap(m18);
sink(m15); // $ SPURIOUS: ast
sink(m16); // $ ast,ir
sink(m17); // $ ast,ir
sink(m16); // $ ir
sink(m17); // $ ir
sink(m18); // $ SPURIOUS: ast
// merge
@@ -346,8 +346,8 @@ void test_unordered_map()
m15.swap(m16);
m17.swap(m18);
sink(m15); // $ SPURIOUS: ast
sink(m16); // $ ast,ir
sink(m17); // $ ast,ir
sink(m16); // $ ir
sink(m17); // $ ir
sink(m18); // $ SPURIOUS: ast
// merge

8
cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp
View File

@@ -82,8 +82,8 @@ void test_set()
s12.swap(s13);
s14.swap(s15);
sink(s12); // $ SPURIOUS: ast
sink(s13); // $ ast,ir
sink(s14); // $ ast,ir
sink(s13); // $ ir
sink(s14); // $ ir
sink(s15); // $ SPURIOUS: ast
// merge
@@ -194,8 +194,8 @@ void test_unordered_set()
s12.swap(s13);
s14.swap(s15);
sink(s12); // $ SPURIOUS: ast
sink(s13); // $ ast,ir
sink(s14); // $ ast,ir
sink(s13); // $ ir
sink(s14); // $ ir
sink(s15); // $ SPURIOUS: ast
// merge

4
cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
View File

@@ -279,9 +279,9 @@ void test_string_swap() {
s1.swap(s2);
s4.swap(s3);
sink(s1); // $ ast,ir
sink(s1); // $ ir
sink(s2); // $ SPURIOUS: ast
sink(s3); // $ ast,ir
sink(s3); // $ ir
sink(s4); // $ SPURIOUS: ast
}

4
cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp
View File

@@ -117,9 +117,9 @@ void test_stringstream_swap()
ss1.swap(ss2);
ss4.swap(ss3);
sink(ss1); // $ ast,ir
sink(ss1); // $ ir
sink(ss2); // $ SPURIOUS: ast
sink(ss3); // $ ast,ir
sink(ss3); // $ ir
sink(ss4); // $ SPURIOUS: ast
}

11
cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
View File

@@ -450,7 +450,7 @@ void test_qualifiers()
b.member = source();
sink(b); // $ ir MISSING: ast
sink(b.member); // $ ast,ir
sink(b.getMember()); // $ ir MISSING: ast
sink(b.getMember()); // $ MISSING: ir ast
c = new MyClass2(0);
@@ -732,6 +732,7 @@ void test_strtol(char *source) {
sink(*endptr); // $ ast,ir
}
void *malloc(size_t);
void *realloc(void *, size_t);
void test_realloc() {
@@ -746,6 +747,14 @@ void test_realloc_2_indirections(int **buffer) {
sink(**buffer); // $ ir MISSING: ast
}
void test_realloc_struct_field() {
struct A { int x; };
A* a = (A*)malloc(sizeof(A));
a->x = source();
A* a2 = (A*)realloc(a, sizeof(A));
sink(a2->x); // $ ir MISSING: ast
}
int sprintf(char *, const char *, ...);
void call_sprintf_twice(char* path, char* data) {

4
cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
View File

@@ -115,8 +115,8 @@ void test_vector_swap() {
v3.swap(v4);
sink(v1);
sink(v2); // $ ir MISSING:ast
sink(v3); // $ ir MISSING:ast
sink(v2); // $ ir MISSING: ast
sink(v3); // $ ir MISSING: ast
sink(v4);
}

8
cpp/ql/test/library-tests/files/Files.expected
View File

@@ -1,4 +1,4 @@
| c.c | library-tests/files/c.c | CFile, MetricFile | C | | |
| files1.cpp | library-tests/files/files1.cpp | CppFile, MetricFile | C++ | swap | t |
| files1.h | library-tests/files/files1.h | HeaderFile, MetricFile | | swap | |
| files2.cpp | library-tests/files/files2.cpp | CppFile, MetricFile | C++ | g | x, y |
| c.c | c.c | CFile, MetricFile | C | | |
| files1.cpp | files1.cpp | CppFile, MetricFile | C++ | swap | t |
| files1.h | files1.h | HeaderFile, MetricFile | | swap | |
| files2.cpp | files2.cpp | CppFile, MetricFile | C++ | g | x, y |

1
cpp/ql/test/library-tests/includes/include_next/includes.expected
View File

@@ -1,4 +1,3 @@
| a/test.h:2:1:2:22 | #include_next <test.h> | a/test.h:0:0:0:0 | a/test.h |
| a/test.h:2:1:2:22 | #include_next <test.h> | b/test.h:0:0:0:0 | b/test.h |
| b/loop.h:2:1:2:22 | #include_next <test.h> | a/test.h:0:0:0:0 | a/test.h |
| b/test.h:4:1:4:17 | #include "loop.h" | b/loop.h:0:0:0:0 | b/loop.h |

49451
cpp/ql/test/library-tests/ir/ir/PrintAST.expected
View File

File diff suppressed because it is too large Load Diff

32050
cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
View File

File diff suppressed because it is too large Load Diff

22
cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected
View File

@@ -29,26 +29,4 @@ fieldAddressOnNonPointer
thisArgumentIsNonPointer
| ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
nonUniqueIRVariable
| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:96:3:96:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:100:3:100:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:104:3:104:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| coroutines.cpp:109:3:109:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
missingCppType

22
cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected
View File

@@ -29,26 +29,4 @@ fieldAddressOnNonPointer
thisArgumentIsNonPointer
| ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
nonUniqueIRVariable
| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:96:3:96:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:100:3:100:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:104:3:104:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| coroutines.cpp:109:3:109:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
missingCppType

29
cpp/ql/test/library-tests/ir/ir/generic.c
View File

@@ -1,6 +1,31 @@
void c11_generic_test(unsigned int x, int y) {
void c11_generic_test_with_load(unsigned int x, int y) {
unsigned int r;
r = _Generic(r, unsigned int: x, int: y) + 1;
}
// // semmle-extractor-options: -std=c11
#define describe(val) \
_Generic((val), \
int: "int", \
default: "unknown" \
)
const char *c11_generic_test_with_constant_and_macro()
{
int i;
return describe(i);
}
const char *c11_generic_test_with_constant_and_no_macro()
{
int i;
return _Generic(i, int: "int", default: "unknown");
}
void c11_generic_test_test_with_cast(int y) {
unsigned int r;
r = _Generic(r, unsigned int: (unsigned int)y, int: y);
}
// semmle-extractor-options: -std=c11

52
cpp/ql/test/library-tests/ir/ir/ir.c
View File

@@ -29,4 +29,56 @@ int TryExceptTest(int x) {
return 0;
}
void unexplained_loop_regression()
{
__try
{
ExRaiseAccessViolation(0);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
ExRaiseAccessViolation(1);
}
}
void try_with_finally()
{
int x = 0;
__try
{
x = 1;
}
__finally
{
x = 2;
}
}
void throw_in_try_with_finally()
{
int x = 0;
__try
{
ExRaiseAccessViolation(0);
}
__finally
{
x = 1;
}
}
void throw_in_try_with_throw_in_finally()
{
__try {
ExRaiseAccessViolation(0);
}
__finally {
ExRaiseAccessViolation(0);
}
}
void raise_access_violation() {
ExRaiseAccessViolation(1);
}
// semmle-extractor-options: --microsoft

3093
cpp/ql/test/library-tests/ir/ir/many-defs-per-use.cpp
View File

File diff suppressed because it is too large Load Diff

28
cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
View File

@@ -38,32 +38,4 @@ fieldAddressOnNonPointer
thisArgumentIsNonPointer
| ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
nonUniqueIRVariable
| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:96:3:96:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:100:3:100:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:104:3:104:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| coroutines.cpp:109:3:109:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
missingCppType

32018
cpp/ql/test/library-tests/ir/ir/raw_ir.expected
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/test/library-tests/ir/ir/try_except.cpp
View File

@@ -51,4 +51,4 @@ void throw_cpp(int b) {
__except (1) {
sink(x);
}
}
}

22
cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency.expected
View File

@@ -29,26 +29,4 @@ fieldAddressOnNonPointer
thisArgumentIsNonPointer
| ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
nonUniqueIRVariable
| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:96:3:96:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:100:3:100:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:104:3:104:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| coroutines.cpp:109:3:109:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
missingCppType

22
cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.expected
View File

@@ -29,26 +29,4 @@ fieldAddressOnNonPointer
thisArgumentIsNonPointer
| ir.cpp:2546:34:2546:34 | Call: call to operator bool | Call instruction 'Call: call to operator bool' has a `this` argument operand that is not an address, in function '$@'. | ir.cpp:2545:6:2545:23 | void this_inconsistency(bool) | void this_inconsistency(bool) |
nonUniqueIRVariable
| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| coroutines.cpp:87:20:87:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| coroutines.cpp:91:21:91:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:95:20:95:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:96:3:96:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:99:21:99:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:100:3:100:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:103:20:103:20 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:104:3:104:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| coroutines.cpp:108:21:108:21 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| coroutines.cpp:109:3:109:3 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:87:20:87:33 | co_returnable_void co_return_void() | co_returnable_void co_return_void() |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:91:21:91:33 | co_returnable_value co_return_int(int) | co_returnable_value co_return_int(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:95:20:95:38 | co_returnable_void co_yield_value_void(int) | co_returnable_void co_yield_value_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:99:21:99:40 | co_returnable_value co_yield_value_value(int) | co_returnable_value co_yield_value_value(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:103:20:103:43 | co_returnable_void co_yield_and_return_void(int) | co_returnable_void co_yield_and_return_void(int) |
| file://:0:0:0:0 | VariableAddress: (unnamed local variable) | Variable address instruction 'VariableAddress: (unnamed local variable)' has no associated variable, in function '$@'. | coroutines.cpp:108:21:108:45 | co_returnable_value co_yield_and_return_value(int) | co_returnable_value co_yield_and_return_value(int) |
missingCppType

169
cpp/ql/test/library-tests/macros/inmacroexpansion/inmacroexpansion.expected
View File

@@ -2,25 +2,168 @@
| file://:0:0:0:0 | (unnamed parameter 0) | false |
| file://:0:0:0:0 | __super | false |
| file://:0:0:0:0 | __va_list_tag | false |
| file://:0:0:0:0 | decltype([...](...){...}) | false |
| file://:0:0:0:0 | operator= | false |
| file://:0:0:0:0 | operator= | false |
| test.cpp:0:0:0:0 | test.cpp | false |
| test.cpp:2:1:2:61 | #define FOO class S{int i; void f(void) { int j; return; } }; | false |
| test.cpp:2:1:2:68 | #define CLASS_DECL class S{int i; void f(void) { int j; return; } }; | false |
| test.cpp:4:1:4:1 | S | false |
| test.cpp:4:1:4:1 | declaration of S | false |
| test.cpp:4:1:4:1 | declaration of operator= | false |
| test.cpp:4:1:4:1 | declaration of operator= | false |
| test.cpp:4:1:4:1 | operator= | false |
| test.cpp:4:1:4:1 | operator= | false |
| test.cpp:4:1:4:3 | FOO | false |
| test.cpp:4:1:4:3 | S | false |
| test.cpp:4:1:4:3 | declaration | true |
| test.cpp:4:1:4:3 | definition of S | true |
| test.cpp:4:1:4:3 | definition of f | true |
| test.cpp:4:1:4:3 | definition of i | true |
| test.cpp:4:1:4:3 | definition of j | true |
| test.cpp:4:1:4:3 | f | false |
| test.cpp:4:1:4:3 | i | false |
| test.cpp:4:1:4:3 | j | true |
| test.cpp:4:1:4:3 | return ... | true |
| test.cpp:4:1:4:3 | { ... } | true |
| test.cpp:4:1:4:10 | CLASS_DECL | false |
| test.cpp:4:1:4:10 | S | false |
| test.cpp:4:1:4:10 | declaration | true |
| test.cpp:4:1:4:10 | definition of S | true |
| test.cpp:4:1:4:10 | definition of f | true |
| test.cpp:4:1:4:10 | definition of i | true |
| test.cpp:4:1:4:10 | definition of j | true |
| test.cpp:4:1:4:10 | f | false |
| test.cpp:4:1:4:10 | i | false |
| test.cpp:4:1:4:10 | j | true |
| test.cpp:4:1:4:10 | return ... | true |
| test.cpp:4:1:4:10 | { ... } | true |
| test.cpp:6:1:6:42 | #define FUNCTION_DECL void f1() { int k; } | false |
| test.cpp:8:1:8:13 | FUNCTION_DECL | false |
| test.cpp:8:1:8:13 | declaration | true |
| test.cpp:8:1:8:13 | definition of f1 | true |
| test.cpp:8:1:8:13 | definition of k | true |
| test.cpp:8:1:8:13 | f1 | false |
| test.cpp:8:1:8:13 | k | true |
| test.cpp:8:1:8:13 | return ... | true |
| test.cpp:8:1:8:13 | { ... } | true |
| test.cpp:10:1:10:33 | #define VARIABLE_DECL int v1 = 1; | false |
| test.cpp:12:1:12:13 | 1 | true |
| test.cpp:12:1:12:13 | VARIABLE_DECL | false |
| test.cpp:12:1:12:13 | definition of v1 | true |
| test.cpp:12:1:12:13 | initializer for v1 | true |
| test.cpp:12:1:12:13 | v1 | true |
| test.cpp:14:1:14:35 | #define TYPE_DECL_1 typedef int t1; | false |
| test.cpp:16:1:16:11 | TYPE_DECL_1 | false |
| test.cpp:16:1:16:11 | declaration of t1 | true |
| test.cpp:16:1:16:11 | t1 | false |
| test.cpp:18:1:18:35 | #define TYPE_DECL_2 using t2 = int; | false |
| test.cpp:20:1:20:11 | TYPE_DECL_2 | false |
| test.cpp:20:1:20:11 | declaration of t2 | true |
| test.cpp:20:1:20:11 | t2 | false |
| test.cpp:22:1:22:47 | #define NAMESPACE_DECL namespace ns { int v2; } | false |
| test.cpp:24:1:24:14 | NAMESPACE_DECL | false |
| test.cpp:24:1:24:14 | definition of v2 | true |
| test.cpp:24:1:24:14 | ns | false |
| test.cpp:24:1:24:14 | ns | false |
| test.cpp:24:1:24:14 | v2 | true |
| test.cpp:26:1:26:43 | #define USING_NAMESPACE using namespace ns; | false |
| test.cpp:28:1:28:34 | #define ENUM_CONSTANT enum_element | false |
| test.cpp:30:12:30:21 | definition of enum_class | false |
| test.cpp:30:12:30:21 | enum_class | false |
| test.cpp:30:25:30:37 | ENUM_CONSTANT | false |
| test.cpp:30:25:30:37 | enum_element | false |
| test.cpp:32:1:32:41 | #define USING_ENUM using enum enum_class; | false |
| test.cpp:34:1:34:10 | USING_ENUM | false |
| test.cpp:34:1:34:10 | using enum enum_class | false |
| test.cpp:36:1:36:48 | #define STATIC_ASSERT static_assert(1 == 1, ""); | false |
| test.cpp:38:1:38:13 | 1 | true |
| test.cpp:38:1:38:13 | 1 | true |
| test.cpp:38:1:38:13 | ... == ... | true |
| test.cpp:38:1:38:13 | STATIC_ASSERT | false |
| test.cpp:38:1:38:13 | static_assert(..., "") | false |
| test.cpp:40:1:40:42 | #define ATTRIBUTE [[nodiscard("reason1")]] | false |
| test.cpp:42:1:42:9 | ATTRIBUTE | false |
| test.cpp:42:1:42:9 | nodiscard | false |
| test.cpp:42:1:42:9 | reason1 | false |
| test.cpp:42:1:42:9 | reason1 | true |
| test.cpp:43:5:43:6 | declaration of f2 | false |
| test.cpp:43:5:43:6 | f2 | false |
| test.cpp:45:1:45:31 | #define ATTRIBUTE_ARG "reason2" | false |
| test.cpp:47:3:47:11 | nodiscard | false |
| test.cpp:47:13:47:25 | ATTRIBUTE_ARG | false |
| test.cpp:47:13:47:25 | reason2 | false |
| test.cpp:47:13:47:25 | reason2 | true |
| test.cpp:48:5:48:6 | declaration of f3 | false |
| test.cpp:48:5:48:6 | f3 | false |
| test.cpp:50:1:50:16 | #define TYPE int | false |
| test.cpp:52:1:52:4 | TYPE | false |
| test.cpp:52:6:52:7 | definition of v3 | true |
| test.cpp:52:6:52:7 | v3 | true |
| test.cpp:52:11:52:11 | 1 | false |
| test.cpp:52:11:52:11 | initializer for v3 | false |
| test.cpp:54:1:54:29 | #define DERIVATION : public S | false |
| test.cpp:56:7:56:7 | T | false |
| test.cpp:56:7:56:7 | T | false |
| test.cpp:56:7:56:7 | declaration of T | false |
| test.cpp:56:7:56:7 | declaration of operator= | false |
| test.cpp:56:7:56:7 | declaration of operator= | false |
| test.cpp:56:7:56:7 | definition of T | false |
| test.cpp:56:7:56:7 | operator= | false |
| test.cpp:56:7:56:7 | operator= | false |
| test.cpp:56:9:56:18 | DERIVATION | false |
| test.cpp:56:9:56:18 | derivation | false |
| test.cpp:58:1:58:31 | #define FRIEND friend int f3(); | false |
| test.cpp:60:7:60:7 | U | false |
| test.cpp:60:7:60:7 | declaration of operator= | false |
| test.cpp:60:7:60:7 | declaration of operator= | false |
| test.cpp:60:7:60:7 | definition of U | false |
| test.cpp:60:7:60:7 | operator= | false |
| test.cpp:60:7:60:7 | operator= | false |
| test.cpp:61:3:61:8 | FRIEND | false |
| test.cpp:61:3:61:8 | U's friend | false |
| test.cpp:64:1:64:24 | #define NAME_QUAL_1 ns:: | false |
| test.cpp:66:1:66:22 | #define NAME_QUAL_2 ns | false |
| test.cpp:68:1:68:19 | #define LOCAL_VAR m | false |
| test.cpp:70:6:70:7 | definition of f4 | false |
| test.cpp:70:6:70:7 | f4 | false |
| test.cpp:70:11:76:1 | { ... } | false |
| test.cpp:71:5:71:8 | ns:: | false |
| test.cpp:71:5:71:15 | NAME_QUAL_1 | false |
| test.cpp:71:5:71:18 | v2 | false |
| test.cpp:71:5:71:19 | ExprStmt | false |
| test.cpp:72:5:72:8 | ns:: | false |
| test.cpp:72:5:72:15 | NAME_QUAL_2 | false |
| test.cpp:72:5:72:21 | v2 | false |
| test.cpp:72:5:72:22 | ExprStmt | false |
| test.cpp:73:5:73:23 | declaration | false |
| test.cpp:73:9:73:17 | LOCAL_VAR | false |
| test.cpp:73:9:73:17 | definition of m | true |
| test.cpp:73:9:73:17 | m | true |
| test.cpp:73:20:73:22 | 42 | false |
| test.cpp:73:20:73:22 | initializer for m | false |
| test.cpp:74:5:74:41 | declaration | false |
| test.cpp:74:10:74:10 | definition of l | false |
| test.cpp:74:10:74:10 | l | false |
| test.cpp:74:13:74:40 | [...](...){...} | false |
| test.cpp:74:13:74:40 | initializer for l | false |
| test.cpp:74:13:74:40 | {...} | false |
| test.cpp:74:14:74:14 | (unnamed constructor) | false |
| test.cpp:74:14:74:14 | (unnamed constructor) | false |
| test.cpp:74:14:74:14 | (unnamed constructor) | false |
| test.cpp:74:14:74:14 | declaration of (unnamed constructor) | false |
| test.cpp:74:14:74:14 | declaration of (unnamed constructor) | false |
| test.cpp:74:14:74:14 | definition of (unnamed constructor) | false |
| test.cpp:74:14:74:14 | definition of operator= | false |
| test.cpp:74:14:74:14 | operator= | false |
| test.cpp:74:15:74:15 | definition of m | false |
| test.cpp:74:15:74:15 | m | false |
| test.cpp:74:15:74:15 | m | false |
| test.cpp:74:15:74:23 | LOCAL_VAR | false |
| test.cpp:74:15:74:23 | m | true |
| test.cpp:74:25:74:25 | definition of operator() | false |
| test.cpp:74:25:74:25 | operator() | false |
| test.cpp:74:28:74:40 | { ... } | false |
| test.cpp:74:30:74:38 | return ... | false |
| test.cpp:74:37:74:37 | (int)... | false |
| test.cpp:75:5:75:5 | (const lambda [] type at line 74, col. 14)... | false |
| test.cpp:75:5:75:5 | l | false |
| test.cpp:75:5:75:8 | ExprStmt | false |
| test.cpp:75:6:75:6 | call to operator() | false |
| test.cpp:76:1:76:1 | return ... | false |
| test.cpp:78:1:78:15 | #define ID(x) x | false |
| test.cpp:79:1:79:23 | #define NESTED(x) ID(x) | false |
| test.cpp:80:5:80:6 | definition of v4 | false |
| test.cpp:80:5:80:6 | v4 | false |
| test.cpp:80:10:80:18 | ID(x) | false |
| test.cpp:80:10:80:18 | NESTED(x) | false |
| test.cpp:80:17:80:17 | 1 | true |
| test.cpp:80:17:80:17 | initializer for v4 | true |
| test.cpp:82:1:82:39 | // semmle-extractor-options: -std=c++20 | false |

81
cpp/ql/test/library-tests/macros/inmacroexpansion/test.cpp
View File

@@ -1,5 +1,82 @@
#define FOO class S{int i; void f(void) { int j; return; } };
#define CLASS_DECL class S{int i; void f(void) { int j; return; } };
FOO
CLASS_DECL
#define FUNCTION_DECL void f1() { int k; }
FUNCTION_DECL
#define VARIABLE_DECL int v1 = 1;
VARIABLE_DECL
#define TYPE_DECL_1 typedef int t1;
TYPE_DECL_1
#define TYPE_DECL_2 using t2 = int;
TYPE_DECL_2
#define NAMESPACE_DECL namespace ns { int v2; }
NAMESPACE_DECL
#define USING_NAMESPACE using namespace ns;
#define ENUM_CONSTANT enum_element
enum class enum_class { ENUM_CONSTANT };
#define USING_ENUM using enum enum_class;
USING_ENUM
#define STATIC_ASSERT static_assert(1 == 1, "");
STATIC_ASSERT
#define ATTRIBUTE [[nodiscard("reason1")]]
ATTRIBUTE
int f2();
#define ATTRIBUTE_ARG "reason2"
[[nodiscard(ATTRIBUTE_ARG)]]
int f3();
#define TYPE int
TYPE v3 = 1;
#define DERIVATION : public S
class T DERIVATION {};
#define FRIEND friend int f3();
class U {
FRIEND
};
#define NAME_QUAL_1 ns::
#define NAME_QUAL_2 ns
#define LOCAL_VAR m
void f4() {
NAME_QUAL_1 v2;
NAME_QUAL_2 :: v2;
int LOCAL_VAR = 42;
auto l = [LOCAL_VAR]() { return m; };
l();
}
#define ID(x) x
#define NESTED(x) ID(x)
int v4 = NESTED(1);
// semmle-extractor-options: -std=c++20

2
cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.expected
View File

@@ -7,8 +7,6 @@ missingOperandType
duplicateChiOperand
sideEffectWithoutPrimary
instructionWithoutSuccessor
| ms_try_mix.cpp:38:5:38:5 | Chi: c106 | Instruction 'Chi: c106' has no successors in function '$@'. | ms_try_mix.cpp:29:6:29:19 | void ms_finally_mix(int) | void ms_finally_mix(int) |
| ms_try_mix.cpp:53:5:53:11 | ThrowValue: throw ... | Instruction 'ThrowValue: throw ...' has no successors in function '$@'. | ms_try_mix.cpp:49:6:49:28 | void ms_empty_finally_at_end() | void ms_empty_finally_at_end() |
| stmt_expr.cpp:27:5:27:15 | Store: ... = ... | Instruction 'Store: ... = ...' has no successors in function '$@'. | stmt_expr.cpp:21:13:21:13 | void stmtexpr::g(int) | void stmtexpr::g(int) |
ambiguousSuccessors
unexplainedLoop

2
cpp/ql/test/library-tests/syntax-zoo/raw_consistency.expected
View File

@@ -8,8 +8,6 @@ missingOperandType
duplicateChiOperand
sideEffectWithoutPrimary
instructionWithoutSuccessor
| ms_try_mix.cpp:38:5:38:5 | IndirectMayWriteSideEffect: c106 | Instruction 'IndirectMayWriteSideEffect: c106' has no successors in function '$@'. | ms_try_mix.cpp:29:6:29:19 | void ms_finally_mix(int) | void ms_finally_mix(int) |
| ms_try_mix.cpp:53:5:53:11 | ThrowValue: throw ... | Instruction 'ThrowValue: throw ...' has no successors in function '$@'. | ms_try_mix.cpp:49:6:49:28 | void ms_empty_finally_at_end() | void ms_empty_finally_at_end() |
| stmt_expr.cpp:27:5:27:15 | Store: ... = ... | Instruction 'Store: ... = ...' has no successors in function '$@'. | stmt_expr.cpp:21:13:21:13 | void stmtexpr::g(int) | void stmtexpr::g(int) |
| stmt_expr.cpp:29:11:32:11 | CopyValue: (statement expression) | Instruction 'CopyValue: (statement expression)' has no successors in function '$@'. | stmt_expr.cpp:21:13:21:13 | void stmtexpr::g(int) | void stmtexpr::g(int) |
| stmt_in_type.cpp:5:53:5:53 | Constant: 1 | Instruction 'Constant: 1' has no successors in function '$@'. | stmt_in_type.cpp:2:6:2:12 | void cpp_fun() | void cpp_fun() |

2
cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.expected
View File

@@ -7,8 +7,6 @@ missingOperandType
duplicateChiOperand
sideEffectWithoutPrimary
instructionWithoutSuccessor
| ms_try_mix.cpp:38:5:38:5 | IndirectMayWriteSideEffect: c106 | Instruction 'IndirectMayWriteSideEffect: c106' has no successors in function '$@'. | ms_try_mix.cpp:29:6:29:19 | void ms_finally_mix(int) | void ms_finally_mix(int) |
| ms_try_mix.cpp:53:5:53:11 | ThrowValue: throw ... | Instruction 'ThrowValue: throw ...' has no successors in function '$@'. | ms_try_mix.cpp:49:6:49:28 | void ms_empty_finally_at_end() | void ms_empty_finally_at_end() |
| stmt_expr.cpp:27:5:27:15 | Store: ... = ... | Instruction 'Store: ... = ...' has no successors in function '$@'. | stmt_expr.cpp:21:13:21:13 | void stmtexpr::g(int) | void stmtexpr::g(int) |
ambiguousSuccessors
unexplainedLoop

30
cpp/ql/test/library-tests/types/datasizeof/datasizeof.cpp Normal file
View File

@@ -0,0 +1,30 @@
// semmle-extractor-options: --clang --edg --clang_version --edg 190000
typedef unsigned int size_t;
class MyClass
{
public:
int x;
int *ptr;
char c;
};
void func() {
int i;
char c;
int * ptr;
MyClass mc;
int arr[10];
size_t sz1 = __datasizeof(int);
size_t sz2 = __datasizeof(char);
size_t sz3 = __datasizeof(int *);
size_t sz4 = __datasizeof(MyClass);
size_t sz5 = __datasizeof(i);
size_t sz6 = __datasizeof(c);
size_t sz7 = __datasizeof(ptr);
size_t sz8 = __datasizeof(mc);
size_t sz9 = __datasizeof(arr);
size_t sz10 = __datasizeof(arr[4]);
}

10
cpp/ql/test/library-tests/types/datasizeof/datasizeof.expected Normal file
View File

@@ -0,0 +1,10 @@
| datasizeof.cpp:20:15:20:31 | __datasizeof(int) | 4 | DatasizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int |
| datasizeof.cpp:21:15:21:32 | __datasizeof(char) | 1 | DatasizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | char |
| datasizeof.cpp:22:15:22:33 | __datasizeof(int *) | 8 | DatasizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int * |
| datasizeof.cpp:23:15:23:35 | __datasizeof(MyClass) | 24 | DatasizeofTypeOperator.getTypeOperand() | datasizeof.cpp:5:7:5:13 | MyClass |
| datasizeof.cpp:24:15:24:29 | __datasizeof(<expr>) | 4 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:24:28:24:28 | i |
| datasizeof.cpp:25:15:25:29 | __datasizeof(<expr>) | 1 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:25:28:25:28 | c |
| datasizeof.cpp:26:15:26:31 | __datasizeof(<expr>) | 8 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:26:28:26:30 | ptr |
| datasizeof.cpp:27:15:27:30 | __datasizeof(<expr>) | 24 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:27:28:27:29 | mc |
| datasizeof.cpp:28:15:28:31 | __datasizeof(<expr>) | 40 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:28:28:28:30 | arr |
| datasizeof.cpp:29:16:29:35 | __datasizeof(<expr>) | 4 | DatasizeofExprOperator.getExprOperand() | datasizeof.cpp:29:29:29:34 | access to array |

10
cpp/ql/test/library-tests/types/datasizeof/datasizeof.ql Normal file
View File

@@ -0,0 +1,10 @@
import cpp
from DatasizeofOperator sto, string elemDesc, Element e
where
elemDesc = "DatasizeofTypeOperator.getTypeOperand()" and
e = sto.(DatasizeofTypeOperator).getTypeOperand()
or
elemDesc = "DatasizeofExprOperator.getExprOperand()" and
e = sto.(DatasizeofExprOperator).getExprOperand()
select sto, sto.getValue(), elemDesc, e

20
cpp/ql/test/library-tests/types/sizeof/sizeof.expected
View File

@@ -1,10 +1,10 @@
| sizeof.cpp:19:15:19:25 | sizeof(int) | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int |
| sizeof.cpp:20:15:20:26 | sizeof(char) | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | char |
| sizeof.cpp:21:15:21:27 | sizeof(int *) | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int * |
| sizeof.cpp:22:15:22:29 | sizeof(MyClass) | SizeofTypeOperator.getTypeOperand() | sizeof.cpp:4:7:4:13 | MyClass |
| sizeof.cpp:23:15:23:23 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:23:22:23:22 | i |
| sizeof.cpp:24:15:24:23 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:24:22:24:22 | c |
| sizeof.cpp:25:15:25:25 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:25:22:25:24 | ptr |
| sizeof.cpp:26:15:26:24 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:26:22:26:23 | mc |
| sizeof.cpp:27:15:27:25 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:27:22:27:24 | arr |
| sizeof.cpp:28:16:28:29 | sizeof(<expr>) | SizeofExprOperator.getExprOperand() | sizeof.cpp:28:23:28:28 | access to array |
| sizeof.cpp:19:15:19:25 | sizeof(int) | 4 | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int |
| sizeof.cpp:20:15:20:26 | sizeof(char) | 1 | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | char |
| sizeof.cpp:21:15:21:27 | sizeof(int *) | 8 | SizeofTypeOperator.getTypeOperand() | file://:0:0:0:0 | int * |
| sizeof.cpp:22:15:22:29 | sizeof(MyClass) | 16 | SizeofTypeOperator.getTypeOperand() | sizeof.cpp:4:7:4:13 | MyClass |
| sizeof.cpp:23:15:23:23 | sizeof(<expr>) | 4 | SizeofExprOperator.getExprOperand() | sizeof.cpp:23:22:23:22 | i |
| sizeof.cpp:24:15:24:23 | sizeof(<expr>) | 1 | SizeofExprOperator.getExprOperand() | sizeof.cpp:24:22:24:22 | c |
| sizeof.cpp:25:15:25:25 | sizeof(<expr>) | 8 | SizeofExprOperator.getExprOperand() | sizeof.cpp:25:22:25:24 | ptr |
| sizeof.cpp:26:15:26:24 | sizeof(<expr>) | 16 | SizeofExprOperator.getExprOperand() | sizeof.cpp:26:22:26:23 | mc |
| sizeof.cpp:27:15:27:25 | sizeof(<expr>) | 40 | SizeofExprOperator.getExprOperand() | sizeof.cpp:27:22:27:24 | arr |
| sizeof.cpp:28:16:28:29 | sizeof(<expr>) | 4 | SizeofExprOperator.getExprOperand() | sizeof.cpp:28:23:28:28 | access to array |

2
cpp/ql/test/library-tests/types/sizeof/sizeof.ql
View File

@@ -7,4 +7,4 @@ where
or
elemDesc = "SizeofExprOperator.getExprOperand()" and
e = sto.(SizeofExprOperator).getExprOperand()
select sto, elemDesc, e
select sto, sto.getValue(), elemDesc, e

1
cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
View File

@@ -16,7 +16,6 @@ edges
| test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a | provenance | |
| test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:234:9:234:11 | *... ++ | provenance | |
| test_free.cpp:234:9:234:11 | *... ++ | test_free.cpp:236:9:236:10 | * ... | provenance | |
| test_free.cpp:238:15:238:17 | *... ++ | test_free.cpp:238:15:238:17 | *... ++ | provenance | |
| test_free.cpp:238:15:238:17 | *... ++ | test_free.cpp:241:9:241:10 | * ... | provenance | |
| test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:238:15:238:17 | *... ++ | provenance | |
| test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... | provenance | |

10
cpp/ql/test/query-tests/Diagnostics/Info.expected
View File

@@ -1,6 +1,6 @@
| containserror.cpp:0:0:0:0 | containserror.cpp | query-tests/Diagnostics/containserror.cpp | fromSource, normalTermination |
| containswarning.cpp:0:0:0:0 | containswarning.cpp | query-tests/Diagnostics/containswarning.cpp | fromSource, normalTermination |
| doesnotcompile.cpp:0:0:0:0 | doesnotcompile.cpp | query-tests/Diagnostics/doesnotcompile.cpp | ExtractionProblem (severity 1), fromSource, normalTermination |
| containserror.cpp:0:0:0:0 | containserror.cpp | containserror.cpp | fromSource, normalTermination |
| containswarning.cpp:0:0:0:0 | containswarning.cpp | containswarning.cpp | fromSource, normalTermination |
| doesnotcompile.cpp:0:0:0:0 | doesnotcompile.cpp | doesnotcompile.cpp | ExtractionProblem (severity 1), fromSource, normalTermination |
| file://:0:0:0:0 | | | |
| header.h:0:0:0:0 | header.h | query-tests/Diagnostics/header.h | fromSource |
| successful.cpp:0:0:0:0 | successful.cpp | query-tests/Diagnostics/successful.cpp | fromSource, normalTermination |
| header.h:0:0:0:0 | header.h | header.h | fromSource |
| successful.cpp:0:0:0:0 | successful.cpp | successful.cpp | fromSource, normalTermination |

32
cpp/ql/test/query-tests/Documentation/DocumentApi/DocumentApi.expected
View File

@@ -1,16 +1,16 @@
| comment_prototypes.c:29:6:29:11 | proto6 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:9:5:9:10 | call to proto6 | query-tests/Documentation/DocumentApi/comment_prototypes_caller1.c |
| comment_prototypes.c:29:6:29:11 | proto6 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:9:5:9:10 | call to proto6 | query-tests/Documentation/DocumentApi/comment_prototypes_caller2.c |
| comment_prototypes.c:34:6:34:11 | proto7 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:10:5:10:10 | call to proto7 | query-tests/Documentation/DocumentApi/comment_prototypes_caller1.c |
| comment_prototypes.c:34:6:34:11 | proto7 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:10:5:10:10 | call to proto7 | query-tests/Documentation/DocumentApi/comment_prototypes_caller2.c |
| comment_prototypes.c:45:6:45:11 | proto9 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:12:5:12:10 | call to proto9 | query-tests/Documentation/DocumentApi/comment_prototypes_caller1.c |
| comment_prototypes.c:45:6:45:11 | proto9 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:12:5:12:10 | call to proto9 | query-tests/Documentation/DocumentApi/comment_prototypes_caller2.c |
| comment_prototypes.c:50:6:50:12 | proto10 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:13:5:13:11 | call to proto10 | query-tests/Documentation/DocumentApi/comment_prototypes_caller1.c |
| comment_prototypes.c:50:6:50:12 | proto10 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:13:5:13:11 | call to proto10 | query-tests/Documentation/DocumentApi/comment_prototypes_caller2.c |
| comment_prototypes.c:55:6:55:12 | proto11 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:14:5:14:11 | call to proto11 | query-tests/Documentation/DocumentApi/comment_prototypes_caller1.c |
| comment_prototypes.c:55:6:55:12 | proto11 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:14:5:14:11 | call to proto11 | query-tests/Documentation/DocumentApi/comment_prototypes_caller2.c |
| comment_prototypes.c:66:6:66:12 | proto13 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:16:5:16:11 | call to proto13 | query-tests/Documentation/DocumentApi/comment_prototypes_caller1.c |
| comment_prototypes.c:66:6:66:12 | proto13 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:16:5:16:11 | call to proto13 | query-tests/Documentation/DocumentApi/comment_prototypes_caller2.c |
| definition.c:2:6:2:7 | f1 | Functions called from other files should be documented (called from $@). | user1.c:9:5:9:6 | call to f1 | query-tests/Documentation/DocumentApi/user1.c |
| definition.c:2:6:2:7 | f1 | Functions called from other files should be documented (called from $@). | user2.c:7:5:7:6 | call to f1 | query-tests/Documentation/DocumentApi/user2.c |
| definition.c:32:6:32:7 | f6 | Functions called from other files should be documented (called from $@). | user1.c:14:5:14:6 | call to f6 | query-tests/Documentation/DocumentApi/user1.c |
| definition.c:32:6:32:7 | f6 | Functions called from other files should be documented (called from $@). | user2.c:10:5:10:6 | call to f6 | query-tests/Documentation/DocumentApi/user2.c |
| comment_prototypes.c:29:6:29:11 | proto6 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:9:5:9:10 | call to proto6 | comment_prototypes_caller1.c |
| comment_prototypes.c:29:6:29:11 | proto6 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:9:5:9:10 | call to proto6 | comment_prototypes_caller2.c |
| comment_prototypes.c:34:6:34:11 | proto7 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:10:5:10:10 | call to proto7 | comment_prototypes_caller1.c |
| comment_prototypes.c:34:6:34:11 | proto7 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:10:5:10:10 | call to proto7 | comment_prototypes_caller2.c |
| comment_prototypes.c:45:6:45:11 | proto9 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:12:5:12:10 | call to proto9 | comment_prototypes_caller1.c |
| comment_prototypes.c:45:6:45:11 | proto9 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:12:5:12:10 | call to proto9 | comment_prototypes_caller2.c |
| comment_prototypes.c:50:6:50:12 | proto10 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:13:5:13:11 | call to proto10 | comment_prototypes_caller1.c |
| comment_prototypes.c:50:6:50:12 | proto10 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:13:5:13:11 | call to proto10 | comment_prototypes_caller2.c |
| comment_prototypes.c:55:6:55:12 | proto11 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:14:5:14:11 | call to proto11 | comment_prototypes_caller1.c |
| comment_prototypes.c:55:6:55:12 | proto11 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:14:5:14:11 | call to proto11 | comment_prototypes_caller2.c |
| comment_prototypes.c:66:6:66:12 | proto13 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller1.c:16:5:16:11 | call to proto13 | comment_prototypes_caller1.c |
| comment_prototypes.c:66:6:66:12 | proto13 | Functions called from other files should be documented (called from $@). | comment_prototypes_caller2.c:16:5:16:11 | call to proto13 | comment_prototypes_caller2.c |
| definition.c:2:6:2:7 | f1 | Functions called from other files should be documented (called from $@). | user1.c:9:5:9:6 | call to f1 | user1.c |
| definition.c:2:6:2:7 | f1 | Functions called from other files should be documented (called from $@). | user2.c:7:5:7:6 | call to f1 | user2.c |
| definition.c:32:6:32:7 | f6 | Functions called from other files should be documented (called from $@). | user1.c:14:5:14:6 | call to f6 | user1.c |
| definition.c:32:6:32:7 | f6 | Functions called from other files should be documented (called from $@). | user2.c:10:5:10:6 | call to f6 | user2.c |

1
cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected
View File

@@ -10,3 +10,4 @@
| test.c:15:2:15:7 | call to printf | Format for printf expects 3 arguments but given 2 |
| test.c:19:2:19:7 | call to printf | Format for printf expects 2 arguments but given 1 |
| test.c:29:3:29:8 | call to printf | Format for printf expects 2 arguments but given 1 |
| test.c:53:2:53:10 | call to my_logger | Format for my_logger expects 3 arguments but given 2 |

3
cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/custom_printf.cpp
View File

@@ -44,3 +44,6 @@ void test_custom_printf2()
printf("", "%i %i", 100, 200); // GOOD
printf("%i %i", "" ); // GOOD
}
extern "C" void my_logger(int param, char *fmt, ...) __attribute__((format(printf, 2, 3))) {}

8
cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/test.c
View File

@@ -46,4 +46,12 @@ void test(int i, const char *str)
printf("%Y", 1, 2); // GOOD (unknown format character, this might be correct)
printf("%1.1Y", 1, 2); // GOOD (unknown format character, this might be correct)
printf("%*.*Y", 1, 2); // GOOD (unknown format character, this might be correct)
// Implicit logger function declaration
my_logger(0, "%i %i %i %i %i %i\n", 1, 2, 3, 4, 5, 6); // GOOD
my_logger(0, "%i %i %i\n", 1, 2, 3); // GOOD
my_logger(0, "%i %i %i\n", 1, 2); // BAD (too few format arguments)
}
// A spurious definition of my_logger
extern void my_logger(int param, char *fmt, int, int, int, int, int);

8
cpp/ql/test/query-tests/Metrics/Dependencies/ExternalDependencies.expected
View File

@@ -1,4 +1,4 @@
| /query-tests/Metrics/Dependencies/main.cpp<\|>LibC<\|>unknown | 5 |
| /query-tests/Metrics/Dependencies/include.h<\|>LibD<\|>unknown | 1 |
| /query-tests/Metrics/Dependencies/main.cpp<\|>LibA<\|>unknown | 1 |
| /query-tests/Metrics/Dependencies/main.cpp<\|>LibB<\|>unknown | 1 |
| /main.cpp<\|>LibC<\|>unknown | 5 |
| /include.h<\|>LibD<\|>unknown | 1 |
| /main.cpp<\|>LibA<\|>unknown | 1 |
| /main.cpp<\|>LibB<\|>unknown | 1 |

8
cpp/ql/test/query-tests/Metrics/Dependencies/ExternalDependenciesSourceLinks.expected
View File

@@ -1,4 +1,4 @@
| /query-tests/Metrics/Dependencies/include.h<\|>LibD<\|>unknown | include.h:0:0:0:0 | include.h |
| /query-tests/Metrics/Dependencies/main.cpp<\|>LibA<\|>unknown | main.cpp:0:0:0:0 | main.cpp |
| /query-tests/Metrics/Dependencies/main.cpp<\|>LibB<\|>unknown | main.cpp:0:0:0:0 | main.cpp |
| /query-tests/Metrics/Dependencies/main.cpp<\|>LibC<\|>unknown | main.cpp:0:0:0:0 | main.cpp |
| /include.h<\|>LibD<\|>unknown | include.h:0:0:0:0 | include.h |
| /main.cpp<\|>LibA<\|>unknown | main.cpp:0:0:0:0 | main.cpp |
| /main.cpp<\|>LibB<\|>unknown | main.cpp:0:0:0:0 | main.cpp |
| /main.cpp<\|>LibC<\|>unknown | main.cpp:0:0:0:0 | main.cpp |

26
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
View File

@@ -31,9 +31,9 @@ edges
| main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance | |
| main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | **argv | provenance | |
| main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | *argv | provenance | |
| main.cpp:10:20:10:23 | **argv | tests.cpp:657:32:657:35 | **argv | provenance | |
| main.cpp:10:20:10:23 | *argv | tests.cpp:657:32:657:35 | **argv | provenance | |
| main.cpp:10:20:10:23 | *argv | tests.cpp:657:32:657:35 | *argv | provenance | |
| main.cpp:10:20:10:23 | **argv | tests.cpp:689:32:689:35 | **argv | provenance | |
| main.cpp:10:20:10:23 | *argv | tests.cpp:689:32:689:35 | **argv | provenance | |
| main.cpp:10:20:10:23 | *argv | tests.cpp:689:32:689:35 | *argv | provenance | |
| overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance | |
| overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | *argv | provenance | |
| test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | provenance | |
@@ -46,12 +46,12 @@ edges
| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:14:628:19 | *home | provenance | |
| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:16:628:19 | *home | provenance | |
| tests.cpp:628:16:628:19 | *home | tests.cpp:628:14:628:19 | *home | provenance | |
| tests.cpp:657:32:657:35 | **argv | tests.cpp:682:9:682:15 | *access to array | provenance | |
| tests.cpp:657:32:657:35 | **argv | tests.cpp:683:9:683:15 | *access to array | provenance | |
| tests.cpp:657:32:657:35 | *argv | tests.cpp:682:9:682:15 | *access to array | provenance | |
| tests.cpp:657:32:657:35 | *argv | tests.cpp:683:9:683:15 | *access to array | provenance | |
| tests.cpp:682:9:682:15 | *access to array | tests.cpp:613:19:613:24 | *source | provenance | |
| tests.cpp:683:9:683:15 | *access to array | tests.cpp:622:19:622:24 | *source | provenance | |
| tests.cpp:689:32:689:35 | **argv | tests.cpp:714:9:714:15 | *access to array | provenance | |
| tests.cpp:689:32:689:35 | **argv | tests.cpp:715:9:715:15 | *access to array | provenance | |
| tests.cpp:689:32:689:35 | *argv | tests.cpp:714:9:714:15 | *access to array | provenance | |
| tests.cpp:689:32:689:35 | *argv | tests.cpp:715:9:715:15 | *access to array | provenance | |
| tests.cpp:714:9:714:15 | *access to array | tests.cpp:613:19:613:24 | *source | provenance | |
| tests.cpp:715:9:715:15 | *access to array | tests.cpp:622:19:622:24 | *source | provenance | |
| tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | provenance | |
| tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance | |
nodes
@@ -85,10 +85,10 @@ nodes
| tests.cpp:628:14:628:14 | *s [*home] | semmle.label | *s [*home] |
| tests.cpp:628:14:628:19 | *home | semmle.label | *home |
| tests.cpp:628:16:628:19 | *home | semmle.label | *home |
| tests.cpp:657:32:657:35 | **argv | semmle.label | **argv |
| tests.cpp:657:32:657:35 | *argv | semmle.label | *argv |
| tests.cpp:682:9:682:15 | *access to array | semmle.label | *access to array |
| tests.cpp:683:9:683:15 | *access to array | semmle.label | *access to array |
| tests.cpp:689:32:689:35 | **argv | semmle.label | **argv |
| tests.cpp:689:32:689:35 | *argv | semmle.label | *argv |
| tests.cpp:714:9:714:15 | *access to array | semmle.label | *access to array |
| tests.cpp:715:9:715:15 | *access to array | semmle.label | *access to array |
| tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
| tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
| tests_restrict.c:15:41:15:44 | *argv | semmle.label | *argv |

32
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
View File

@@ -654,6 +654,38 @@ void test26(bool cond)
if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[1]
}
#define IND 100
#define MAX_SIZE 100
void test27(){
char *src = "";
char *dest = "abcdefgh";
int ind = 100;
char buffer[MAX_SIZE];
strncpy(dest, src, 8); // GOOD, strncpy will not read past null terminator of source
if(IND < MAX_SIZE){
buffer[IND] = 0; // GOOD: out of bounds, but inaccessible code
}
}
typedef struct _MYSTRUCT {
unsigned long a;
unsigned short b;
unsigned char z[ 100 ];
} MYSTRUCT;
const MYSTRUCT _myStruct = { 0 };
typedef const MYSTRUCT& MYSTRUCTREF;
// False positive case due to use of typedefs
int test28(MYSTRUCTREF g)
{
return memcmp(&g, &_myStruct, sizeof(MYSTRUCT)); // GOOD
}
int tests_main(int argc, char *argv[])
{
long long arr17[19];

6
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected
View File

@@ -32,6 +32,8 @@ edges
| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r | provenance | |
| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r | provenance | |
| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r | provenance | |
| test.cpp:62:19:62:24 | call to rand | test.cpp:62:19:62:24 | call to rand | provenance | |
| test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | provenance | |
| test.cpp:86:10:86:13 | call to rand | test.cpp:86:10:86:13 | call to rand | provenance | |
| test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | provenance | |
| test.cpp:98:10:98:13 | call to rand | test.cpp:98:10:98:13 | call to rand | provenance | |
@@ -105,6 +107,9 @@ nodes
| test.cpp:31:7:31:7 | r | semmle.label | r |
| test.cpp:36:13:36:13 | get_rand3 output argument | semmle.label | get_rand3 output argument |
| test.cpp:37:7:37:7 | r | semmle.label | r |
| test.cpp:62:19:62:24 | call to rand | semmle.label | call to rand |
| test.cpp:62:19:62:24 | call to rand | semmle.label | call to rand |
| test.cpp:65:9:65:9 | x | semmle.label | x |
| test.cpp:86:10:86:13 | call to rand | semmle.label | call to rand |
| test.cpp:86:10:86:13 | call to rand | semmle.label | call to rand |
| test.cpp:90:10:90:10 | x | semmle.label | x |
@@ -156,6 +161,7 @@ subpaths
| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value |
| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value |
| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value |
| test.cpp:65:9:65:9 | x | test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | This arithmetic expression depends on an $@, potentially causing an underflow. | test.cpp:62:19:62:22 | call to rand | uncontrolled value |
| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | uncontrolled value |
| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | uncontrolled value |
| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value |

2
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.cpp
View File

@@ -62,7 +62,7 @@ unsigned int test_remainder_subtract_unsigned()
unsigned int x = rand();
unsigned int y = x % 100; // y <= x
return x - y; // GOOD (as y <= x)
return x - y; // GOOD (as y <= x) [FALSE POSITIVE]
}
typedef unsigned long size_t;

138
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
View File

@@ -13,26 +13,30 @@ edges
| test.cpp:133:19:133:32 | *call to getenv | test.cpp:133:14:133:17 | call to atoi | provenance | TaintFunction |
| test.cpp:148:15:148:18 | call to atol | test.cpp:152:11:152:28 | ... * ... | provenance | |
| test.cpp:148:20:148:33 | *call to getenv | test.cpp:148:15:148:18 | call to atol | provenance | TaintFunction |
| test.cpp:209:8:209:23 | *get_tainted_size | test.cpp:241:9:241:24 | call to get_tainted_size | provenance | |
| test.cpp:211:9:211:42 | ... * ... | test.cpp:209:8:209:23 | *get_tainted_size | provenance | |
| test.cpp:211:14:211:27 | *call to getenv | test.cpp:211:9:211:42 | ... * ... | provenance | TaintFunction |
| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s | provenance | |
| test.cpp:237:19:237:52 | ... * ... | test.cpp:239:9:239:18 | local_size | provenance | |
| test.cpp:237:19:237:52 | ... * ... | test.cpp:245:11:245:20 | local_size | provenance | |
| test.cpp:237:19:237:52 | ... * ... | test.cpp:247:10:247:19 | local_size | provenance | |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:237:19:237:52 | ... * ... | provenance | TaintFunction |
| test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s | provenance | |
| test.cpp:250:20:250:27 | *out_size | test.cpp:289:17:289:20 | get_size output argument | provenance | |
| test.cpp:250:20:250:27 | *out_size | test.cpp:305:18:305:21 | get_size output argument | provenance | |
| test.cpp:251:2:251:32 | ... = ... | test.cpp:250:20:250:27 | *out_size | provenance | |
| test.cpp:251:18:251:31 | *call to getenv | test.cpp:251:2:251:32 | ... = ... | provenance | TaintFunction |
| test.cpp:259:15:259:18 | call to atoi | test.cpp:263:11:263:29 | ... * ... | provenance | |
| test.cpp:259:20:259:33 | *call to getenv | test.cpp:259:15:259:18 | call to atoi | provenance | TaintFunction |
| test.cpp:289:17:289:20 | get_size output argument | test.cpp:291:11:291:28 | ... * ... | provenance | |
| test.cpp:305:18:305:21 | get_size output argument | test.cpp:308:10:308:27 | ... * ... | provenance | |
| test.cpp:353:13:353:16 | call to atoi | test.cpp:355:35:355:38 | size | provenance | |
| test.cpp:353:13:353:16 | call to atoi | test.cpp:356:35:356:38 | size | provenance | |
| test.cpp:353:18:353:31 | *call to getenv | test.cpp:353:13:353:16 | call to atoi | provenance | TaintFunction |
| test.cpp:190:14:190:17 | call to atoi | test.cpp:194:11:194:28 | ... * ... | provenance | |
| test.cpp:190:19:190:32 | *call to getenv | test.cpp:190:14:190:17 | call to atoi | provenance | TaintFunction |
| test.cpp:205:14:205:17 | call to atoi | test.cpp:209:11:209:28 | ... * ... | provenance | |
| test.cpp:205:19:205:32 | *call to getenv | test.cpp:205:14:205:17 | call to atoi | provenance | TaintFunction |
| test.cpp:239:8:239:23 | *get_tainted_size | test.cpp:271:9:271:24 | call to get_tainted_size | provenance | |
| test.cpp:241:9:241:42 | ... * ... | test.cpp:239:8:239:23 | *get_tainted_size | provenance | |
| test.cpp:241:14:241:27 | *call to getenv | test.cpp:241:9:241:42 | ... * ... | provenance | TaintFunction |
| test.cpp:260:21:260:21 | s | test.cpp:261:21:261:21 | s | provenance | |
| test.cpp:267:19:267:52 | ... * ... | test.cpp:269:9:269:18 | local_size | provenance | |
| test.cpp:267:19:267:52 | ... * ... | test.cpp:275:11:275:20 | local_size | provenance | |
| test.cpp:267:19:267:52 | ... * ... | test.cpp:277:10:277:19 | local_size | provenance | |
| test.cpp:267:24:267:37 | *call to getenv | test.cpp:267:19:267:52 | ... * ... | provenance | TaintFunction |
| test.cpp:277:10:277:19 | local_size | test.cpp:260:21:260:21 | s | provenance | |
| test.cpp:280:20:280:27 | *out_size | test.cpp:319:17:319:20 | get_size output argument | provenance | |
| test.cpp:280:20:280:27 | *out_size | test.cpp:335:18:335:21 | get_size output argument | provenance | |
| test.cpp:281:2:281:32 | ... = ... | test.cpp:280:20:280:27 | *out_size | provenance | |
| test.cpp:281:18:281:31 | *call to getenv | test.cpp:281:2:281:32 | ... = ... | provenance | TaintFunction |
| test.cpp:289:15:289:18 | call to atoi | test.cpp:293:11:293:29 | ... * ... | provenance | |
| test.cpp:289:20:289:33 | *call to getenv | test.cpp:289:15:289:18 | call to atoi | provenance | TaintFunction |
| test.cpp:319:17:319:20 | get_size output argument | test.cpp:321:11:321:28 | ... * ... | provenance | |
| test.cpp:335:18:335:21 | get_size output argument | test.cpp:338:10:338:27 | ... * ... | provenance | |
| test.cpp:383:13:383:16 | call to atoi | test.cpp:385:35:385:38 | size | provenance | |
| test.cpp:383:13:383:16 | call to atoi | test.cpp:386:35:386:38 | size | provenance | |
| test.cpp:383:18:383:31 | *call to getenv | test.cpp:383:13:383:16 | call to atoi | provenance | TaintFunction |
nodes
| test.cpp:39:27:39:30 | **argv | semmle.label | **argv |
| test.cpp:40:16:40:19 | call to atoi | semmle.label | call to atoi |
@@ -52,48 +56,56 @@ nodes
| test.cpp:148:15:148:18 | call to atol | semmle.label | call to atol |
| test.cpp:148:20:148:33 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:209:8:209:23 | *get_tainted_size | semmle.label | *get_tainted_size |
| test.cpp:211:9:211:42 | ... * ... | semmle.label | ... * ... |
| test.cpp:211:14:211:27 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:230:21:230:21 | s | semmle.label | s |
| test.cpp:231:21:231:21 | s | semmle.label | s |
| test.cpp:237:19:237:52 | ... * ... | semmle.label | ... * ... |
| test.cpp:237:24:237:37 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
| test.cpp:245:11:245:20 | local_size | semmle.label | local_size |
| test.cpp:247:10:247:19 | local_size | semmle.label | local_size |
| test.cpp:250:20:250:27 | *out_size | semmle.label | *out_size |
| test.cpp:251:2:251:32 | ... = ... | semmle.label | ... = ... |
| test.cpp:251:18:251:31 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:259:15:259:18 | call to atoi | semmle.label | call to atoi |
| test.cpp:259:20:259:33 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
| test.cpp:289:17:289:20 | get_size output argument | semmle.label | get_size output argument |
| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:305:18:305:21 | get_size output argument | semmle.label | get_size output argument |
| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:353:13:353:16 | call to atoi | semmle.label | call to atoi |
| test.cpp:353:18:353:31 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:355:35:355:38 | size | semmle.label | size |
| test.cpp:356:35:356:38 | size | semmle.label | size |
| test.cpp:190:14:190:17 | call to atoi | semmle.label | call to atoi |
| test.cpp:190:19:190:32 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:194:11:194:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:205:14:205:17 | call to atoi | semmle.label | call to atoi |
| test.cpp:205:19:205:32 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:209:11:209:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:239:8:239:23 | *get_tainted_size | semmle.label | *get_tainted_size |
| test.cpp:241:9:241:42 | ... * ... | semmle.label | ... * ... |
| test.cpp:241:14:241:27 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:260:21:260:21 | s | semmle.label | s |
| test.cpp:261:21:261:21 | s | semmle.label | s |
| test.cpp:267:19:267:52 | ... * ... | semmle.label | ... * ... |
| test.cpp:267:24:267:37 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:269:9:269:18 | local_size | semmle.label | local_size |
| test.cpp:271:9:271:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
| test.cpp:275:11:275:20 | local_size | semmle.label | local_size |
| test.cpp:277:10:277:19 | local_size | semmle.label | local_size |
| test.cpp:280:20:280:27 | *out_size | semmle.label | *out_size |
| test.cpp:281:2:281:32 | ... = ... | semmle.label | ... = ... |
| test.cpp:281:18:281:31 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:289:15:289:18 | call to atoi | semmle.label | call to atoi |
| test.cpp:289:20:289:33 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:293:11:293:29 | ... * ... | semmle.label | ... * ... |
| test.cpp:319:17:319:20 | get_size output argument | semmle.label | get_size output argument |
| test.cpp:321:11:321:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:335:18:335:21 | get_size output argument | semmle.label | get_size output argument |
| test.cpp:338:10:338:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:383:13:383:16 | call to atoi | semmle.label | call to atoi |
| test.cpp:383:18:383:31 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:385:35:385:38 | size | semmle.label | size |
| test.cpp:386:35:386:38 | size | semmle.label | size |
subpaths
#select
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:31 | *call to getenv | user input (an environment variable) |
| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:133:19:133:32 | *call to getenv | user input (an environment variable) |
| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:148:20:148:33 | *call to getenv | user input (an environment variable) |
| test.cpp:231:14:231:19 | call to malloc | test.cpp:237:24:237:37 | *call to getenv | test.cpp:231:21:231:21 | s | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | *call to getenv | user input (an environment variable) |
| test.cpp:239:2:239:7 | call to malloc | test.cpp:237:24:237:37 | *call to getenv | test.cpp:239:9:239:18 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | *call to getenv | user input (an environment variable) |
| test.cpp:241:2:241:7 | call to malloc | test.cpp:211:14:211:27 | *call to getenv | test.cpp:241:9:241:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow. | test.cpp:211:14:211:27 | *call to getenv | user input (an environment variable) |
| test.cpp:245:2:245:9 | call to my_alloc | test.cpp:237:24:237:37 | *call to getenv | test.cpp:245:11:245:20 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | *call to getenv | user input (an environment variable) |
| test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:33 | *call to getenv | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:259:20:259:33 | *call to getenv | user input (an environment variable) |
| test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:31 | *call to getenv | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:31 | *call to getenv | user input (an environment variable) |
| test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:31 | *call to getenv | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:31 | *call to getenv | user input (an environment variable) |
| test.cpp:355:25:355:33 | call to MyMalloc1 | test.cpp:353:18:353:31 | *call to getenv | test.cpp:355:35:355:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:31 | *call to getenv | user input (an environment variable) |
| test.cpp:356:25:356:33 | call to MyMalloc2 | test.cpp:353:18:353:31 | *call to getenv | test.cpp:356:35:356:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:31 | *call to getenv | user input (an environment variable) |
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:124:18:124:31 | *call to getenv | user input (an environment variable) |
| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:133:19:133:32 | *call to getenv | user input (an environment variable) |
| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:148:20:148:33 | *call to getenv | user input (an environment variable) |
| test.cpp:194:4:194:9 | call to malloc | test.cpp:190:19:190:32 | *call to getenv | test.cpp:194:11:194:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:190:19:190:32 | *call to getenv | user input (an environment variable) |
| test.cpp:209:4:209:9 | call to malloc | test.cpp:205:19:205:32 | *call to getenv | test.cpp:209:11:209:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:205:19:205:32 | *call to getenv | user input (an environment variable) |
| test.cpp:261:14:261:19 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:261:21:261:21 | s | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) |
| test.cpp:269:2:269:7 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:269:9:269:18 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) |
| test.cpp:271:2:271:7 | call to malloc | test.cpp:241:14:241:27 | *call to getenv | test.cpp:271:9:271:24 | call to get_tainted_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:241:14:241:27 | *call to getenv | user input (an environment variable) |
| test.cpp:275:2:275:9 | call to my_alloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:275:11:275:20 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) |
| test.cpp:293:4:293:9 | call to malloc | test.cpp:289:20:289:33 | *call to getenv | test.cpp:293:11:293:29 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:289:20:289:33 | *call to getenv | user input (an environment variable) |
| test.cpp:321:4:321:9 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:321:11:321:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) |
| test.cpp:338:3:338:8 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:338:10:338:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) |
| test.cpp:385:25:385:33 | call to MyMalloc1 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:385:35:385:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) |
| test.cpp:386:25:386:33 | call to MyMalloc2 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:386:35:386:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) |

34
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
View File

@@ -40,10 +40,10 @@ int main(int argc, char **argv) {
int tainted = atoi(argv[1]);
MyStruct *arr1 = (MyStruct *)malloc(sizeof(MyStruct)); // GOOD
MyStruct *arr2 = (MyStruct *)malloc(tainted); // DUBIOUS (not multiplied by anything)
MyStruct *arr2 = (MyStruct *)malloc(tainted); // BAD
MyStruct *arr3 = (MyStruct *)malloc(tainted * sizeof(MyStruct)); // BAD
MyStruct *arr4 = (MyStruct *)malloc(getTainted() * sizeof(MyStruct)); // BAD [NOT DETECTED]
MyStruct *arr5 = (MyStruct *)malloc(sizeof(MyStruct) + tainted); // DUBIOUS (not multiplied by anything)
MyStruct *arr5 = (MyStruct *)malloc(sizeof(MyStruct) + tainted); // BAD
int size = tainted * 8;
char *chars1 = (char *)malloc(size); // BAD
@@ -180,6 +180,36 @@ void more_bounded_tests() {
}
}
{
int size = atoi(getenv("USER"));
int size2 = size % 100;
malloc(size2 * sizeof(int)); // GOOD
}
{
int size = atoi(getenv("USER"));
if (size % 100)
{
malloc(size * sizeof(int)); // BAD
}
}
{
int size = atoi(getenv("USER"));
int size2 = size & 7; // Pick the first three bits of size
malloc(size2 * sizeof(int)); // GOOD
}
{
int size = atoi(getenv("USER"));
if (size & 7)
{
malloc(size * sizeof(int)); // BAD
}
}
{
int size = atoi(getenv("USER"));

2
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
View File

@@ -22,11 +22,9 @@ edges
| test.c:41:5:41:24 | ... = ... | test.c:44:7:44:10 | len2 | provenance | |
| test.c:41:5:41:24 | ... = ... | test.c:44:7:44:12 | ... -- | provenance | |
| test.c:44:7:44:12 | ... -- | test.c:44:7:44:10 | len2 | provenance | |
| test.c:44:7:44:12 | ... -- | test.c:44:7:44:12 | ... -- | provenance | |
| test.c:51:5:51:24 | ... = ... | test.c:54:7:54:10 | len3 | provenance | |
| test.c:51:5:51:24 | ... = ... | test.c:54:7:54:12 | ... -- | provenance | |
| test.c:54:7:54:12 | ... -- | test.c:54:7:54:10 | len3 | provenance | |
| test.c:54:7:54:12 | ... -- | test.c:54:7:54:12 | ... -- | provenance | |
nodes
| test2.cpp:12:21:12:21 | v | semmle.label | v |
| test2.cpp:14:11:14:11 | v | semmle.label | v |

44
cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/LoopConditionsConst.expected
View File

@@ -2,25 +2,25 @@
| test.cpp:43:2:45:2 | for(...;...;...) ... | test.cpp:43:18:43:26 | ... < ... | | i | { ... } | i | ExprStmt |
| test.cpp:74:2:77:2 | while (...) ... | test.cpp:74:9:74:17 | ... > ... | 1 | count | { ... } | count | ExprStmt |
| test.cpp:84:2:88:2 | while (...) ... | test.cpp:84:9:84:17 | ... > ... | | count | { ... } | count | if (...) ... |
| test.cpp:171:3:173:3 | while (...) ... | test.cpp:171:10:171:43 | ... != ... | 0 | | { ... } | 0 | return ... |
| test.cpp:251:2:255:2 | while (...) ... | test.cpp:251:9:251:12 | loop | 1 | loop | { ... } | loop | return ... |
| test.cpp:263:2:267:2 | while (...) ... | test.cpp:263:9:263:20 | ... && ... | 1 | 1 | { ... } | ... && ... | return ... |
| test.cpp:275:2:279:2 | while (...) ... | test.cpp:275:9:275:13 | ! ... | 1 | stop | { ... } | stop | return ... |
| test.cpp:287:2:291:2 | while (...) ... | test.cpp:287:9:287:20 | ... && ... | 1 | loop | { ... } | loop | return ... |
| test.cpp:299:2:303:2 | while (...) ... | test.cpp:299:9:299:20 | ... && ... | 1 | loop | { ... } | ... && ..., loop | return ... |
| test.cpp:311:2:315:2 | while (...) ... | test.cpp:311:9:311:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | return ... |
| test.cpp:323:2:328:2 | while (...) ... | test.cpp:323:9:323:17 | ... ? ... : ... | | b, c | { ... } | c | return ... |
| test.cpp:336:2:341:2 | while (...) ... | test.cpp:336:9:336:21 | ... \|\| ... | 1 | b, c | { ... } | c | return ... |
| test.cpp:348:2:351:17 | do (...) ... | test.cpp:351:11:351:15 | 0 | | { ... } | { ... } | { ... } | return ... |
| test.cpp:361:2:364:2 | while (...) ... | test.cpp:361:9:361:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | while (...) ... |
| test.cpp:365:2:368:2 | while (...) ... | test.cpp:365:9:365:13 | ! ... | 1 | stop | { ... } | stop | while (...) ... |
| test.cpp:369:2:373:2 | while (...) ... | test.cpp:369:9:369:21 | ... \|\| ... | 1 | b, c | { ... } | c | do (...) ... |
| test.cpp:374:2:376:17 | do (...) ... | test.cpp:376:11:376:15 | 0 | | do (...) ... | { ... } | { ... } | return ... |
| test.cpp:384:2:386:2 | while (...) ... | test.cpp:384:9:384:12 | 1 | 1 | 1 | { ... } | | return ... |
| test.cpp:394:2:396:2 | while (...) ... | test.cpp:394:9:394:21 | ... , ... | | { ... } | { ... } | | |
| test.cpp:404:3:408:3 | while (...) ... | test.cpp:404:10:404:13 | loop | 1 | loop | { ... } | | |
| test.cpp:416:2:418:2 | for(...;...;...) ... | test.cpp:416:18:416:23 | ... < ... | 1 | i | { ... } | i | return ... |
| test.cpp:424:2:425:2 | for(...;...;...) ... | test.cpp:424:18:424:23 | ... < ... | 1 | i | { ... } | i | return ... |
| test.cpp:433:2:434:2 | for(...;...;...) ... | test.cpp:433:18:433:22 | 0 | 0 | | { ... } | 0 | return ... |
| test.cpp:559:3:564:3 | while (...) ... | test.cpp:559:9:559:15 | call to getBool | | call to getBool | { ... } | call to getBool | ExprStmt |
| test.cpp:574:3:579:3 | while (...) ... | test.cpp:574:10:574:16 | call to getBool | | call to getBool | { ... } | call to getBool | ExprStmt |
| test.cpp:172:3:174:3 | while (...) ... | test.cpp:172:10:172:43 | ... != ... | | args | { ... } | args | return ... |
| test.cpp:259:2:263:2 | while (...) ... | test.cpp:259:9:259:12 | loop | 1 | loop | { ... } | loop | return ... |
| test.cpp:271:2:275:2 | while (...) ... | test.cpp:271:9:271:20 | ... && ... | 1 | 1 | { ... } | ... && ... | return ... |
| test.cpp:283:2:287:2 | while (...) ... | test.cpp:283:9:283:13 | ! ... | 1 | stop | { ... } | stop | return ... |
| test.cpp:295:2:299:2 | while (...) ... | test.cpp:295:9:295:20 | ... && ... | 1 | loop | { ... } | loop | return ... |
| test.cpp:307:2:311:2 | while (...) ... | test.cpp:307:9:307:20 | ... && ... | 1 | loop | { ... } | ... && ..., loop | return ... |
| test.cpp:319:2:323:2 | while (...) ... | test.cpp:319:9:319:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | return ... |
| test.cpp:331:2:336:2 | while (...) ... | test.cpp:331:9:331:17 | ... ? ... : ... | | b, c | { ... } | c | return ... |
| test.cpp:344:2:349:2 | while (...) ... | test.cpp:344:9:344:21 | ... \|\| ... | 1 | b, c | { ... } | c | return ... |
| test.cpp:356:2:359:17 | do (...) ... | test.cpp:359:11:359:15 | 0 | | { ... } | { ... } | { ... } | return ... |
| test.cpp:369:2:372:2 | while (...) ... | test.cpp:369:9:369:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | while (...) ... |
| test.cpp:373:2:376:2 | while (...) ... | test.cpp:373:9:373:13 | ! ... | 1 | stop | { ... } | stop | while (...) ... |
| test.cpp:377:2:381:2 | while (...) ... | test.cpp:377:9:377:21 | ... \|\| ... | 1 | b, c | { ... } | c | do (...) ... |
| test.cpp:382:2:384:17 | do (...) ... | test.cpp:384:11:384:15 | 0 | | do (...) ... | { ... } | { ... } | return ... |
| test.cpp:392:2:394:2 | while (...) ... | test.cpp:392:9:392:12 | 1 | 1 | 1 | { ... } | | return ... |
| test.cpp:402:2:404:2 | while (...) ... | test.cpp:402:9:402:21 | ... , ... | | { ... } | { ... } | | |
| test.cpp:412:3:416:3 | while (...) ... | test.cpp:412:10:412:13 | loop | 1 | loop | { ... } | | |
| test.cpp:424:2:426:2 | for(...;...;...) ... | test.cpp:424:18:424:23 | ... < ... | 1 | i | { ... } | i | return ... |
| test.cpp:432:2:433:2 | for(...;...;...) ... | test.cpp:432:18:432:23 | ... < ... | 1 | i | { ... } | i | return ... |
| test.cpp:441:2:442:2 | for(...;...;...) ... | test.cpp:441:18:441:22 | 0 | 0 | | { ... } | 0 | return ... |
| test.cpp:567:3:572:3 | while (...) ... | test.cpp:567:9:567:15 | call to getBool | | call to getBool | { ... } | call to getBool | ExprStmt |
| test.cpp:582:3:587:3 | while (...) ... | test.cpp:582:10:582:16 | call to getBool | | call to getBool | { ... } | call to getBool | ExprStmt |

46
cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected
View File

@@ -1,29 +1,31 @@
edges
nodes
| errors.cpp:13:7:13:7 | definition of x | semmle.label | definition of x |
| test.cpp:11:6:11:8 | definition of foo | semmle.label | definition of foo |
| test.cpp:111:6:111:8 | definition of foo | semmle.label | definition of foo |
| test.cpp:218:7:218:7 | definition of x | semmle.label | definition of x |
| test.cpp:241:6:241:6 | definition of i | semmle.label | definition of i |
| test.cpp:333:7:333:7 | definition of a | semmle.label | definition of a |
| test.cpp:358:7:358:7 | definition of a | semmle.label | definition of a |
| test.cpp:359:6:359:8 | definition of val | semmle.label | definition of val |
| test.cpp:414:9:414:9 | definition of j | semmle.label | definition of j |
| test.cpp:431:9:431:9 | definition of j | semmle.label | definition of j |
| test.cpp:452:6:452:6 | definition of x | semmle.label | definition of x |
| test.cpp:458:6:458:6 | definition of x | semmle.label | definition of x |
| test.cpp:464:6:464:6 | definition of x | semmle.label | definition of x |
| test.cpp:471:6:471:6 | definition of x | semmle.label | definition of x |
| test.cpp:226:7:226:7 | definition of x | semmle.label | definition of x |
| test.cpp:249:6:249:6 | definition of i | semmle.label | definition of i |
| test.cpp:341:7:341:7 | definition of a | semmle.label | definition of a |
| test.cpp:366:7:366:7 | definition of a | semmle.label | definition of a |
| test.cpp:367:6:367:8 | definition of val | semmle.label | definition of val |
| test.cpp:422:9:422:9 | definition of j | semmle.label | definition of j |
| test.cpp:439:9:439:9 | definition of j | semmle.label | definition of j |
| test.cpp:460:6:460:6 | definition of x | semmle.label | definition of x |
| test.cpp:466:6:466:6 | definition of x | semmle.label | definition of x |
| test.cpp:472:6:472:6 | definition of x | semmle.label | definition of x |
| test.cpp:479:6:479:6 | definition of x | semmle.label | definition of x |
#select
| errors.cpp:14:18:14:18 | x | errors.cpp:13:7:13:7 | definition of x | errors.cpp:13:7:13:7 | definition of x | The variable $@ may not be initialized at this access. | errors.cpp:13:7:13:7 | x | x |
| test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo |
| test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo |
| test.cpp:219:3:219:3 | x | test.cpp:218:7:218:7 | definition of x | test.cpp:218:7:218:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:218:7:218:7 | x | x |
| test.cpp:243:13:243:13 | i | test.cpp:241:6:241:6 | definition of i | test.cpp:241:6:241:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:241:6:241:6 | i | i |
| test.cpp:336:10:336:10 | a | test.cpp:333:7:333:7 | definition of a | test.cpp:333:7:333:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:333:7:333:7 | a | a |
| test.cpp:369:10:369:10 | a | test.cpp:358:7:358:7 | definition of a | test.cpp:358:7:358:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:358:7:358:7 | a | a |
| test.cpp:378:9:378:11 | val | test.cpp:359:6:359:8 | definition of val | test.cpp:359:6:359:8 | definition of val | The variable $@ may not be initialized at this access. | test.cpp:359:6:359:8 | val | val |
| test.cpp:417:10:417:10 | j | test.cpp:414:9:414:9 | definition of j | test.cpp:414:9:414:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:414:9:414:9 | j | j |
| test.cpp:436:9:436:9 | j | test.cpp:431:9:431:9 | definition of j | test.cpp:431:9:431:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:431:9:431:9 | j | j |
| test.cpp:454:2:454:2 | x | test.cpp:452:6:452:6 | definition of x | test.cpp:452:6:452:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:452:6:452:6 | x | x |
| test.cpp:460:7:460:7 | x | test.cpp:458:6:458:6 | definition of x | test.cpp:458:6:458:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:458:6:458:6 | x | x |
| test.cpp:467:2:467:2 | x | test.cpp:464:6:464:6 | definition of x | test.cpp:464:6:464:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:464:6:464:6 | x | x |
| test.cpp:474:7:474:7 | x | test.cpp:471:6:471:6 | definition of x | test.cpp:471:6:471:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:471:6:471:6 | x | x |
| test.cpp:227:3:227:3 | x | test.cpp:226:7:226:7 | definition of x | test.cpp:226:7:226:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:226:7:226:7 | x | x |
| test.cpp:251:13:251:13 | i | test.cpp:249:6:249:6 | definition of i | test.cpp:249:6:249:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:249:6:249:6 | i | i |
| test.cpp:344:10:344:10 | a | test.cpp:341:7:341:7 | definition of a | test.cpp:341:7:341:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:341:7:341:7 | a | a |
| test.cpp:377:10:377:10 | a | test.cpp:366:7:366:7 | definition of a | test.cpp:366:7:366:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:366:7:366:7 | a | a |
| test.cpp:386:9:386:11 | val | test.cpp:367:6:367:8 | definition of val | test.cpp:367:6:367:8 | definition of val | The variable $@ may not be initialized at this access. | test.cpp:367:6:367:8 | val | val |
| test.cpp:425:10:425:10 | j | test.cpp:422:9:422:9 | definition of j | test.cpp:422:9:422:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:422:9:422:9 | j | j |
| test.cpp:444:9:444:9 | j | test.cpp:439:9:439:9 | definition of j | test.cpp:439:9:439:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:439:9:439:9 | j | j |
| test.cpp:462:2:462:2 | x | test.cpp:460:6:460:6 | definition of x | test.cpp:460:6:460:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:460:6:460:6 | x | x |
| test.cpp:468:7:468:7 | x | test.cpp:466:6:466:6 | definition of x | test.cpp:466:6:466:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:466:6:466:6 | x | x |
| test.cpp:475:2:475:2 | x | test.cpp:472:6:472:6 | definition of x | test.cpp:472:6:472:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:472:6:472:6 | x | x |
| test.cpp:482:7:482:7 | x | test.cpp:479:6:479:6 | definition of x | test.cpp:479:6:479:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:479:6:479:6 | x | x |

15
cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/errors.cpp Normal file
View File

@@ -0,0 +1,15 @@
// semmle-extractor-options: --expect_errors
int f1() {
int x;
initialize(&x); // error expression - initialize() is not defined
return x; // GOOD - assume x is initialized
}
void * operator new(unsigned long, bool);
void operator delete(void*, bool);
int f2() {
int x;
new(true) int (x); // BAD, ignore implicit error expression
}

18
cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp
View File

@@ -156,11 +156,12 @@ int absCorrect2(int i) {
return j; // correct: j always initialized before use
}
typedef __builtin_va_list va_list;
#define va_start(v, l) __builtin_va_start(v,l)
#define va_end(v) __builtin_va_end(v)
#define va_arg(v, l) __builtin_va_arg(v,l)
#define va_copy(d, s) __builtin_va_copy(d,s)
typedef void *va_list;
#define va_start(ap, parmN)
#define va_end(ap)
#define va_arg(ap, type) ((type)0)
#define NULL 0
// Variadic initialisation
@@ -176,7 +177,7 @@ void init(int val, ...) {
void test15() {
int foo;
init(42, &foo, NULL);
use(foo); //GOOD -- initialised by `init`
use(foo); // GOOD -- initialised by `init`
}
// Variadic non-initialisation
@@ -192,6 +193,13 @@ void test16() {
use(foo); // BAD (NOT REPORTED)
}
void test_va_copy(va_list va) {
va_list va2;
va_copy(va2, va); // GOOD -- this is an initialization
use(va2);
va_end(va2);
}
bool test17(bool b) {
int foo;
int *p = nullptr;

1
cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.expected
View File

@@ -17,3 +17,4 @@
| test.cpp:229:15:229:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:231:16:231:19 | { ... } | This catch block |
| test.cpp:242:14:242:34 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:243:34:243:36 | { ... } | This catch block |
| test.cpp:276:17:276:31 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:277:8:277:12 | ! ... | This check |
| test.cpp:288:19:288:47 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:291:30:293:5 | { ... } | This catch block |

2
cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp
View File

@@ -282,7 +282,7 @@ namespace qhelp {
}
// BAD: the allocation won't throw an exception, but
// instead return a null pointer. [NOT DETECTED]
// instead return a null pointer.
void bad2(std::size_t length) noexcept {
try {
int* dest = new(std::nothrow) int[length];

57
cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.cpp
View File

@@ -53,4 +53,59 @@ void NonStringFalsePositiveTest2(unsigned char* buffer)
{
wchar_t *lpWchar = NULL;
lpWchar = (LPWSTR)buffer; // Possible False Positive
}
}
typedef unsigned char BYTE;
using FOO = BYTE*;
void NonStringFalsePositiveTest3(FOO buffer)
{
wchar_t *lpWchar = NULL;
lpWchar = (LPWSTR)buffer; // GOOD
}
#define UNICODE 0x8
// assume EMPTY_MACRO is tied to if UNICODE is enabled
#ifdef EMPTY_MACRO
typedef WCHAR* LPTSTR;
#else
typedef char* LPTSTR;
#endif
void CheckedConversionFalsePositiveTest3(unsigned short flags, LPTSTR buffer)
{
wchar_t *lpWchar = NULL;
if(flags & UNICODE)
lpWchar = (LPWSTR)buffer; // GOOD
else
lpWchar = (LPWSTR)buffer; // BUG
if((flags & UNICODE) == 0x8)
lpWchar = (LPWSTR)buffer; // GOOD
else
lpWchar = (LPWSTR)buffer; // BUG
if((flags & UNICODE) != 0x8)
lpWchar = (LPWSTR)buffer; // BUG
else
lpWchar = (LPWSTR)buffer; // GOOD
// Bad operator precedence
if(flags & UNICODE == 0x8)
lpWchar = (LPWSTR)buffer; // BUG
else
lpWchar = (LPWSTR)buffer; // BUG
if((flags & UNICODE) != 0)
lpWchar = (LPWSTR)buffer; // GOOD
else
lpWchar = (LPWSTR)buffer; // BUG
if((flags & UNICODE) == 0)
lpWchar = (LPWSTR)buffer; // BUG
else
lpWchar = (LPWSTR)buffer; // GOOD
lpWchar = (LPWSTR)buffer; // BUG
}

8
cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.expected
View File

@@ -3,3 +3,11 @@
| WcharCharConversion.cpp:24:22:24:27 | lpChar | Conversion from char * to wchar_t *. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:26:23:26:28 | lpChar | Conversion from char * to LPCWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:27:17:27:22 | lpChar | Conversion from char * to LPWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:82:21:82:26 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:87:21:87:26 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:90:21:90:26 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:96:21:96:26 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:98:21:98:26 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:103:21:103:26 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:106:21:106:26 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:110:20:110:25 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |