Merge branch 'main' into ihsinme-patch-102

This commit is contained in:
Jeroen Ketema
2023-02-06 20:16:53 +01:00
committed by GitHub
14480 changed files with 1387558 additions and 352417 deletions

@@ -1,365 +1,35 @@
/**
* Provides a library for writing QL tests whose success or failure is based on expected results
* embedded in the test source code as comments, rather than the contents of an `.expected` file
* (in that the `.expected` file should always be empty).
*
* To add this framework to a new language:
* - Add a file `InlineExpectationsTestPrivate.qll` that defines a `ExpectationComment` class. This class
* must support a `getContents` method that returns the contents of the given comment, _excluding_
* the comment indicator itself. It should also define `toString` and `getLocation` as usual.
*
* To create a new inline expectations test:
* - Declare a class that extends `InlineExpectationsTest`. In the characteristic predicate of the
* new class, bind `this` to a unique string (usually the name of the test).
* - Override the `hasActualResult()` predicate to produce the actual results of the query. For each
* result, specify a `Location`, a text description of the element for which the result was
* reported, a short string to serve as the tag to identify expected results for this test, and the
* expected value of the result.
* - Override `getARelevantTag()` to return the set of tags that can be produced by
* `hasActualResult()`. Often this is just a single tag.
*
* Example:
* ```ql
* class ConstantValueTest extends InlineExpectationsTest {
* ConstantValueTest() { this = "ConstantValueTest" }
*
* override string getARelevantTag() {
* // We only use one tag for this test.
* result = "const"
* }
*
* override predicate hasActualResult(
* Location location, string element, string tag, string value
* ) {
* exists(Expr e |
* tag = "const" and // The tag for this test.
* value = e.getValue() and // The expected value. Will only hold for constant expressions.
* location = e.getLocation() and // The location of the result to be reported.
* element = e.toString() // The display text for the result.
* )
* }
* }
* ```
*
* There is no need to write a `select` clause or query predicate. All of the differences between
* expected results and actual results will be reported in the `failures()` query predicate.
*
* To annotate the test source code with an expected result, place a comment starting with a `$` on the
* same line as the expected result, with text of the following format as the body of the comment:
*
* `tag=expected-value`
*
* Where `tag` is the value of the `tag` parameter from `hasActualResult()`, and `expected-value` is
* the value of the `value` parameter from `hasActualResult()`. The `=expected-value` portion may be
* omitted, in which case `expected-value` is treated as the empty string. Multiple expectations may
* be placed in the same comment. Any actual result that
* appears on a line that does not contain a matching expected result comment will be reported with
* a message of the form "Unexpected result: tag=value". Any expected result comment for which there
* is no matching actual result will be reported with a message of the form
* "Missing result: tag=expected-value".
*
* Example:
* ```cpp
* int i = x + 5; // $ const=5
* int j = y + (7 - 3) // $ const=7 const=3 const=4 // The result of the subtraction is a constant.
* ```
*
* For tests that contain known missing and spurious results, it is possible to further
* annotate that a particular expected result is known to be spurious, or that a particular
* missing result is known to be missing:
*
* `$ SPURIOUS: tag=expected-value` // Spurious result
* `$ MISSING: tag=expected-value` // Missing result
*
* A spurious expectation is treated as any other expected result, except that if there is no
* matching actual result, the message will be of the form "Fixed spurious result: tag=value". A
* missing expectation is treated as if there were no expected result, except that if a
* matching expected result is found, the message will be of the form
* "Fixed missing result: tag=value".
*
* A single line can contain all the expected, spurious and missing results of that line. For instance:
* `$ tag1=value1 SPURIOUS: tag2=value2 MISSING: tag3=value3`.
*
* If the same result value is expected for two or more tags on the same line, there is a shorthand
* notation available:
*
* `tag1,tag2=expected-value`
*
* is equivalent to:
*
* `tag1=expected-value tag2=expected-value`
* Inline expectation tests for C++.
* See `shared/util/codeql/util/test/InlineExpectationsTest.qll`
*/
private import InlineExpectationsTestPrivate
import cpp as C
private import codeql.util.test.InlineExpectationsTest
/**
* The base class for tests with inline expectations. The test extends this class to provide the actual
* results of the query, which are then compared with the expected results in comments to produce a
* list of failure messages that point out where the actual results differ from the expected
* results.
*/
abstract class InlineExpectationsTest extends string {
bindingset[this]
InlineExpectationsTest() { any() }
private module Impl implements InlineExpectationsTestSig {
private newtype TExpectationComment = MkExpectationComment(C::CppStyleComment c)
/**
* Returns all tags that can be generated by this test. Most tests will only ever produce a single
* tag. Any expected result comments for a tag that is not returned by the `getARelevantTag()`
* predicate for an active test will be ignored. This makes it possible to write multiple tests in
* different `.ql` files that all query the same source code.
* A class representing a line comment in the CPP style.
* Unlike the `CppStyleComment` class, however, the string returned by `getContents` does _not_
* include the preceding comment marker (`//`).
*/
abstract string getARelevantTag();
class ExpectationComment extends TExpectationComment {
C::CppStyleComment comment;
/**
* Returns the actual results of the query that is being tested. Each result consist of the
* following values:
* - `location` - The source code location of the result. Any expected result comment must appear
* on the start line of this location.
* - `element` - Display text for the element on which the result is reported.
* - `tag` - The tag that marks this result as coming from this test. This must be one of the tags
* returned by `getARelevantTag()`.
* - `value` - The value of the result, which will be matched against the value associated with
* `tag` in any expected result comment on that line.
*/
abstract predicate hasActualResult(Location location, string element, string tag, string value);
ExpectationComment() { this = MkExpectationComment(comment) }
/**
* Holds if there is an optional result on the specified location.
*
* This is similar to `hasActualResult`, but returns results that do not require a matching annotation.
* A failure will still arise if there is an annotation that does not match any results, but not vice versa.
* Override this predicate to specify optional results.
*/
predicate hasOptionalResult(Location location, string element, string tag, string value) {
none()
/** Returns the contents of the given comment, _without_ the preceding comment marker (`//`). */
string getContents() { result = comment.getContents().suffix(2) }
/** Gets a textual representation of this element. */
string toString() { result = comment.toString() }
/** Gets the location of this comment. */
Location getLocation() { result = comment.getLocation() }
}
final predicate hasFailureMessage(FailureLocatable element, string message) {
exists(ActualResult actualResult |
actualResult.getTest() = this and
element = actualResult and
(
exists(FalseNegativeExpectation falseNegative |
falseNegative.matchesActualResult(actualResult) and
message = "Fixed missing result:" + falseNegative.getExpectationText()
)
or
not exists(ValidExpectation expectation | expectation.matchesActualResult(actualResult)) and
message = "Unexpected result: " + actualResult.getExpectationText() and
not actualResult.isOptional()
)
)
or
exists(ValidExpectation expectation |
not exists(ActualResult actualResult | expectation.matchesActualResult(actualResult)) and
expectation.getTag() = getARelevantTag() and
element = expectation and
(
expectation instanceof GoodExpectation and
message = "Missing result:" + expectation.getExpectationText()
or
expectation instanceof FalsePositiveExpectation and
message = "Fixed spurious result:" + expectation.getExpectationText()
)
)
or
exists(InvalidExpectation expectation |
element = expectation and
message = "Invalid expectation syntax: " + expectation.getExpectation()
)
}
class Location = C::Location;
}
/**
* RegEx pattern to match a comment containing one or more expected results. The comment must have
* `$` as its first non-whitespace character. Any subsequent character
* is treated as part of the expected results, except that the comment may contain a `//` sequence
* to treat the remainder of the line as a regular (non-interpreted) comment.
*/
private string expectationCommentPattern() { result = "\\s*\\$((?:[^/]|/[^/])*)(?://.*)?" }
/**
* The possible columns in an expectation comment. The `TDefaultColumn` branch represents the first
* column in a comment. This column is not precedeeded by a name. `TNamedColumn(name)` represents a
* column containing expected results preceeded by the string `name:`.
*/
private newtype TColumn =
TDefaultColumn() or
TNamedColumn(string name) { name = ["MISSING", "SPURIOUS"] }
bindingset[start, content]
private int getEndOfColumnPosition(int start, string content) {
result =
min(string name, int cand |
exists(TNamedColumn(name)) and
cand = content.indexOf(name + ":") and
cand >= start
|
cand
)
or
not exists(string name |
exists(TNamedColumn(name)) and
content.indexOf(name + ":") >= start
) and
result = content.length()
}
private predicate getAnExpectation(
ExpectationComment comment, TColumn column, string expectation, string tags, string value
) {
exists(string content |
content = comment.getContents().regexpCapture(expectationCommentPattern(), 1) and
(
column = TDefaultColumn() and
exists(int end |
end = getEndOfColumnPosition(0, content) and
expectation = content.prefix(end).regexpFind(expectationPattern(), _, _).trim()
)
or
exists(string name, int start, int end |
column = TNamedColumn(name) and
start = content.indexOf(name + ":") + name.length() + 1 and
end = getEndOfColumnPosition(start, content) and
expectation = content.substring(start, end).regexpFind(expectationPattern(), _, _).trim()
)
)
) and
tags = expectation.regexpCapture(expectationPattern(), 1) and
if exists(expectation.regexpCapture(expectationPattern(), 2))
then value = expectation.regexpCapture(expectationPattern(), 2)
else value = ""
}
private string getColumnString(TColumn column) {
column = TDefaultColumn() and result = ""
or
column = TNamedColumn(result)
}
/**
* RegEx pattern to match a single expected result, not including the leading `$`. It consists of one or
* more comma-separated tags containing only letters, digits, `-` and `_` (note that the first character
* must not be a digit), optionally followed by `=` and the expected value.
*/
private string expectationPattern() {
exists(string tag, string tags, string value |
tag = "[A-Za-z-_][A-Za-z-_0-9]*" and
tags = "((?:" + tag + ")(?:\\s*,\\s*" + tag + ")*)" and
// In Python, we allow both `"` and `'` for strings, as well as the prefixes `bru`.
// For example, `b"foo"`.
value = "((?:[bru]*\"[^\"]*\"|[bru]*'[^']*'|\\S+)*)" and
result = tags + "(?:=" + value + ")?"
)
}
private newtype TFailureLocatable =
TActualResult(
InlineExpectationsTest test, Location location, string element, string tag, string value,
boolean optional
) {
test.hasActualResult(location, element, tag, value) and
optional = false
or
test.hasOptionalResult(location, element, tag, value) and optional = true
} or
TValidExpectation(ExpectationComment comment, string tag, string value, string knownFailure) {
exists(TColumn column, string tags |
getAnExpectation(comment, column, _, tags, value) and
tag = tags.splitAt(",") and
knownFailure = getColumnString(column)
)
} or
TInvalidExpectation(ExpectationComment comment, string expectation) {
getAnExpectation(comment, _, expectation, _, _) and
not expectation.regexpMatch(expectationPattern())
}
class FailureLocatable extends TFailureLocatable {
string toString() { none() }
Location getLocation() { none() }
final string getExpectationText() { result = getTag() + "=" + getValue() }
string getTag() { none() }
string getValue() { none() }
}
class ActualResult extends FailureLocatable, TActualResult {
InlineExpectationsTest test;
Location location;
string element;
string tag;
string value;
boolean optional;
ActualResult() { this = TActualResult(test, location, element, tag, value, optional) }
override string toString() { result = element }
override Location getLocation() { result = location }
InlineExpectationsTest getTest() { result = test }
override string getTag() { result = tag }
override string getValue() { result = value }
predicate isOptional() { optional = true }
}
abstract private class Expectation extends FailureLocatable {
ExpectationComment comment;
override string toString() { result = comment.toString() }
override Location getLocation() { result = comment.getLocation() }
}
private class ValidExpectation extends Expectation, TValidExpectation {
string tag;
string value;
string knownFailure;
ValidExpectation() { this = TValidExpectation(comment, tag, value, knownFailure) }
override string getTag() { result = tag }
override string getValue() { result = value }
string getKnownFailure() { result = knownFailure }
predicate matchesActualResult(ActualResult actualResult) {
getLocation().getStartLine() = actualResult.getLocation().getStartLine() and
getLocation().getFile() = actualResult.getLocation().getFile() and
getTag() = actualResult.getTag() and
getValue() = actualResult.getValue()
}
}
/* Note: These next three classes correspond to all the possible values of type `TColumn`. */
class GoodExpectation extends ValidExpectation {
GoodExpectation() { getKnownFailure() = "" }
}
class FalsePositiveExpectation extends ValidExpectation {
FalsePositiveExpectation() { getKnownFailure() = "SPURIOUS" }
}
class FalseNegativeExpectation extends ValidExpectation {
FalseNegativeExpectation() { getKnownFailure() = "MISSING" }
}
class InvalidExpectation extends Expectation, TInvalidExpectation {
string expectation;
InvalidExpectation() { this = TInvalidExpectation(comment, expectation) }
string getExpectation() { result = expectation }
}
query predicate failures(FailureLocatable element, string message) {
exists(InlineExpectationsTest test | test.hasFailureMessage(element, message))
}
import Make<Impl>
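Review bot: `import cpp as C` is a public import, while the neighbouring `private import codeql.util.test.InlineExpectationsTest` is not, so every test that imports this module now also receives the `C` alias for the whole `cpp` library in its namespace. Unless that re-export is intended, make it `private import cpp as C`; the alias is only used inside `Impl` (`C::CppStyleComment`, `C::Location`). The comment strip in `getContents()` (`comment.getContents().suffix(2)`) silently assumes the contents start with the two-character `//` marker; the QLDoc already states this, which is enough, but a `CppStyleComment`-specific assumption like that is worth keeping next to the code rather than only in the class doc.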

@@ -1,23 +0,0 @@
import cpp
private newtype TExpectationComment = MkExpectationComment(CppStyleComment c)
/**
* Represents a line comment in the CPP style.
* Unlike the `CppStyleComment` class, however, the string returned by `getContents` does _not_
* include the preceding comment marker (`//`).
*/
class ExpectationComment extends TExpectationComment {
CppStyleComment comment;
ExpectationComment() { this = MkExpectationComment(comment) }
/** Returns the contents of the given comment, _without_ the preceding comment marker (`//`). */
string getContents() { result = comment.getContents().suffix(2) }
/** Gets a textual representation of this element. */
string toString() { result = comment.toString() }
/** Gets the location of this comment. */
Location getLocation() { result = comment.getLocation() }
}
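Review bot: the deleted `InlineExpectationsTestPrivate.qll` held the `ExpectationComment` class that now lives inside the `Impl` module of `InlineExpectationsTest.qll`, so this removal is only safe if nothing else in the C++ test utilities still does `import InlineExpectationsTestPrivate` or refers to `ExpectationComment` directly; the rewritten file no longer carries the `private import InlineExpectationsTestPrivate` line, but other `.qll`/`.ql` files under `TestUtilities` should be grepped before merge.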

@@ -13,7 +13,7 @@
import cpp
private import semmle.code.cpp.ir.dataflow.DataFlow::DataFlow as IRDataFlow
private import semmle.code.cpp.dataflow.DataFlow::DataFlow as ASTDataFlow
private import semmle.code.cpp.dataflow.DataFlow::DataFlow as AstDataFlow
import TestUtilities.InlineExpectationsTest
class IRFlowTest extends InlineExpectationsTest {
@@ -49,11 +49,11 @@ class AstFlowTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(
ASTDataFlow::Node source, ASTDataFlow::Node sink, ASTDataFlow::Configuration conf, int n
AstDataFlow::Node source, AstDataFlow::Node sink, AstDataFlow::Configuration conf, int n
|
tag = "ast" and
conf.hasFlow(source, sink) and
n = strictcount(ASTDataFlow::Node otherSource | conf.hasFlow(otherSource, sink)) and
n = strictcount(AstDataFlow::Node otherSource | conf.hasFlow(otherSource, sink)) and
(
n = 1 and value = ""
or
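Review bot: the rename `ASTDataFlow` to `AstDataFlow` is purely a naming-convention change (both alias `semmle.code.cpp.dataflow.DataFlow::DataFlow`), so it has to be applied to every use in the file; this hunk only updates the `exists(...)` header and the `strictcount(...)` line of `AstFlowTest.hasActualResult`, and any remaining `ASTDataFlow::` reference outside the shown context would fail compilation once the alias on line 15 is gone.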

@@ -1 +1 @@
| UnintendedDeclaration.cpp:65:14:65:20 | definition of myMutex | Local variable myMutex hides $@ with the same name. | UnintendedDeclaration.cpp:40:7:40:13 | myMutex | a global variable |
| UnintendedDeclaration.cpp:65:14:65:20 | definition of myMutex | Local variable myMutex hides a $@ with the same name. | UnintendedDeclaration.cpp:40:7:40:13 | myMutex | global variable |
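Review bot: the rendered message is unchanged (`hides a global variable with the same name`); what moves is the article, from the `$@` link text (`a global variable`) into the message string (`hides a $@`). Since this is an `.expected` file, the matching `select` string in the UnintendedDeclaration query must have been changed in the same commit, otherwise this test fails; worth confirming that change is present in the diff.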

@@ -0,0 +1,44 @@
| bitshift.cpp:23:3:23:9 | ... <<= ... | 0.0 | 255.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int |
| bitshift.cpp:25:5:25:11 | ... <<= ... | 0.0 | 240.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int |
| bitshift.cpp:29:3:29:8 | ... << ... | 0.0 | 1020.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:32:3:32:9 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:35:3:35:9 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:38:3:38:22 | ... << ... | 0.0 | 32640.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:39:3:39:22 | ... << ... | 0.0 | 32640.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:40:3:40:22 | ... << ... | 0.0 | 32640.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:43:3:43:19 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:46:3:46:22 | ... << ... | 128.0 | 128.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:49:3:49:8 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:52:5:52:10 | ... << ... | 1.0 | 128.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:57:3:57:8 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:58:3:58:9 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:59:3:59:9 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:60:3:60:22 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:61:3:61:19 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:64:3:64:19 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:67:3:67:8 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:70:5:70:10 | ... << ... | 1.0 | 128.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:75:5:75:10 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:76:5:76:10 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:90:3:90:9 | ... >>= ... | 0.0 | 63.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int |
| bitshift.cpp:92:5:92:11 | ... >>= ... | 0.0 | 15.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int |
| bitshift.cpp:96:3:96:8 | ... >> ... | 0.0 | 63.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:99:3:99:9 | ... >> ... | 0.0 | 0.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:103:3:103:9 | ... >> ... | 0.0 | 0.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:106:3:106:22 | ... >> ... | 0.0 | 63.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:107:3:107:22 | ... >> ... | 0.0 | 63.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:108:3:108:22 | ... >> ... | 0.0 | 63.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:111:3:111:19 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:114:3:114:24 | ... >> ... | 32.0 | 32.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:117:3:117:10 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:120:5:120:12 | ... >> ... | 32.0 | 128.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:126:3:126:8 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:127:3:127:9 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:128:3:128:9 | ... >> ... | -1.0 | 0.0 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:129:3:129:22 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:130:3:130:19 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:133:3:133:21 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:136:3:136:10 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:139:5:139:12 | ... >> ... | 32.0 | 128.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:144:5:144:10 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
| bitshift.cpp:145:5:145:10 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
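Review bot: the rows for `bitshift.cpp:126` and `:127` (`y >> 2` and `y >> 25` with `y` a `signed char`) record the full int range `-2.147483648E9 | 2.147483647E9`, while the comments in the test source say the unextended SimpleRangeAnalysis gives `[-32, 31]` and `[-1, 0]` for those lines. The extension is therefore widening results that the base library already bounds tightly; if the extension cannot reason about a negative left operand, it should leave the default bound in place rather than replace it with the whole range, and the expected output should then show the tighter values.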

@@ -0,0 +1,24 @@
import cpp
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import experimental.semmle.code.cpp.rangeanalysis.extensions.ConstantShiftExprRange
Expr getLOp(Operation o) {
result = o.(BinaryOperation).getLeftOperand() or
result = o.(Assignment).getLValue()
}
Expr getROp(Operation o) {
result = o.(BinaryOperation).getRightOperand() or
result = o.(Assignment).getRValue()
}
from Operation o
where
(
o instanceof BinaryBitwiseOperation
or
o instanceof AssignBitwiseOperation
)
select o, lowerBound(o), upperBound(o), getLOp(o).getUnderlyingType(),
getROp(o).getUnderlyingType(), getLOp(o).getFullyConverted().getUnderlyingType(),
getROp(o).getFullyConverted().getUnderlyingType()
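Review bot: the `select` emits seven columns (lower bound, upper bound, then four types) with nothing documenting their order, so a reader of `bitshift.expected` cannot tell the operand type from the fully-converted type without re-reading this query; a one-line comment above `select` naming the columns (lower, upper, left operand type, right operand type, left converted type, right converted type) would help. `getLOp` and `getROp` also lack QLDoc; a short `/** Gets the left/right operand, or the lvalue/rvalue for an assignment. */` on each keeps the test in line with the rest of the library.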

@@ -0,0 +1,147 @@
typedef signed char int8_t;
typedef short int16_t;
typedef int int32_t;
typedef long int64_t;
typedef unsigned char uint8_t;
typedef unsigned short uint16_t;
typedef unsigned int uint32_t;
typedef unsigned long uint64_t;
extern uint8_t value_known_at_runtime8();
void testLShiftOperator() {
uint8_t unsigned_const1 = 7;
uint8_t unsigned_const2(7);
uint8_t unsigned_const3{7};
int8_t signed_const = -7;
uint8_t x = value_known_at_runtime8();
int8_t y = (int8_t)value_known_at_runtime8();
uint8_t z = value_known_at_runtime8();
// An assign left shift operator. Note that no promotion occurs here
z <<= 2; // [0, 255]
if (z <= 60) {
z <<= 2; // [0, 240]
}
// A normal shift
x << 2; // [0, 1020]
// Possible to exceed the maximum size
x << 25; // [-2147483648, 2147483648]
// Undefined behavior
x << 34; // [-2147483648, 2147483648]
// A normal shift by a constant in a variable
x << unsigned_const1; // [0, 32640]
x << unsigned_const2; // [0, 32640]
x << unsigned_const3; // [0, 32640]
// Negative shifts are undefined
x << signed_const; // [-2147483648, 2147483648]
// Now the left operand is a constant
1 << unsigned_const1; // [128, 128]
// x could be large enough to cause undefined behavior
1 << x; // [-2147483648, 2147483647]
if (x < 8) {
// x is now constrained so the shift is defined
1 << x; // [1, 128]
}
// We don't support shifting negative values (and some of these are undefined
// anyway)
y << 2; // [-2147483648, 2147483647]
y << 25; // [-2147483648, 2147483648]
y << 34; // [-2147483648, 2147483648]
y << unsigned_const1; // [-2147483648, 2147483647]
y << signed_const; // [-2147483648, 2147483648]
// Negative shifts are undefined
1 << signed_const; // [-2147483648, 2147483648]
// We don't handle cases where the shift range could be negative
1 << y; // [-2147483648, 2147483648]
if (y >= 0 && y < 8) {
// The shift range is now positive
1 << y; // [1, 128]
}
if (x > 0 and x < 2 and y > 0 and x < 2) {
// We don't support shifts where neither operand is a constant at the moment
x << y; // [-2147483648, 2147483648]
y << x; // [-2147483648, 2147483648]
}
}
void testRShiftOperator() {
uint8_t unsigned_const1 = 2;
uint8_t unsigned_const2(2);
uint8_t unsigned_const3{2};
int8_t signed_const = -2;
uint8_t x = value_known_at_runtime8();
int8_t y = (int8_t)value_known_at_runtime8();
uint8_t z = value_known_at_runtime8();
// An assign right shift operator. Note that no promotion occurs here
z >>= 2; // [0, 63]
if (z <= 60) {
z >>= 2; // [0, 15]
}
// A normal shift
x >> 2; // [0, 63]
// Possible to exceed the maximum size
x >> 25; // [0, 0]
// Undefined behavior, but this case is handled by the SimpleRangeAnalysis
// library and sets the the bounds to [0, 0], which is fine
x >> 34; // [0, 0]
// A normal shift by a constant in a variable
x >> unsigned_const1; // [0, 63]
x >> unsigned_const2; // [0, 63]
x >> unsigned_const3; // [0, 63]
// Negative shifts are undefined
x >> signed_const; // [-2147483648, 2147483648]
// Now the left operand is a constant
128 >> unsigned_const1; // [32, 32]
// x could be large enough to cause undefined behavior
128 >> x; // [-2147483648, 2147483647]
if (x < 3) {
// x is now constrained so the shift is defined
128 >> x; // [32, 128]
}
// We don't support shifting negative values, but the SimpleRangeAnalysis
// library handles the first three cases even though they're implementation
// defined or undefined behavior (TODO: Check ideone)
y >> 2; // [-2147483648, 2147483647] (Default is [-32, 31])
y >> 25; // -2147483648, 2147483647] (Default is [-1, 0])
y >> 34; // [-1, 0] (My code doesn't touch this, so default code is used)
y >> unsigned_const1; // [-2147483648, 2147483647]
y >> signed_const; // [-2147483648, 2147483648]
// Negative shifts are undefined
128 >> signed_const; // [-2147483648, 2147483648]
// We don't handle cases where the shift range could be negative
128 >> y; // [-2147483648, 2147483648]
if (y >= 0 && y < 3) {
// The shift range is now positive
128 >> y; // [32, 128]
}
if (x > 0 and x < 2 and y > 0 and x < 2) {
// We don't support shifts where neither operand is a constant at the moment
x >> y; // [-2147483648, 2147483648]
y >> x; // [-2147483648, 2147483648]
}
}
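Review bot: the guard `if (x > 0 and x < 2 and y > 0 and x < 2)` in both `testLShiftOperator` and `testRShiftOperator` repeats `x < 2` where `y < 2` was evidently intended, so `y` is only bounded from below in those blocks; the comment says neither operand being constant is unsupported anyway, but the test should still constrain what it claims to. The range comments such as `x << 25; // [-2147483648, 2147483648]` give an upper bound of 2147483648, which does not fit a 32-bit `int` and disagrees with the `2.147483647E9` recorded in `bitshift.expected`; the comment on `y >> 25` is also missing its opening `[`. Since these comments are what a reader checks the `.expected` rows against, they should match exactly, and the `TODO: Check ideone` and `My code doesn't touch this` remarks read as working notes that could be dropped before merge.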

@@ -1,32 +1,34 @@
| test.cpp:10:10:10:10 | Store: x | test.cpp:6:15:6:15 | InitializeParameter: x | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:10:10:10:10 | Store: x | test.cpp:6:22:6:22 | InitializeParameter: y | 0 | false | CompareLT: ... < ... | test.cpp:7:7:7:11 | test.cpp:7:7:7:11 |
| test.cpp:10:10:10:10 | Store: x | test.cpp:6:22:6:22 | InitializeParameter: y | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:20:10:20:10 | Store: x | test.cpp:14:15:14:15 | InitializeParameter: x | -2 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:20:10:20:10 | Store: x | test.cpp:14:22:14:22 | InitializeParameter: y | -2 | false | CompareLT: ... < ... | test.cpp:15:7:15:11 | test.cpp:15:7:15:11 |
| test.cpp:10:10:10:10 | Store: x | test.cpp:6:15:6:15 | ValueNumberBound | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:10:10:10:10 | Store: x | test.cpp:6:22:6:22 | ValueNumberBound | 0 | false | CompareLT: ... < ... | test.cpp:7:7:7:11 | test.cpp:7:7:7:11 |
| test.cpp:10:10:10:10 | Store: x | test.cpp:6:22:6:22 | ValueNumberBound | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:20:10:20:10 | Store: x | test.cpp:14:15:14:15 | ValueNumberBound | -2 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:20:10:20:10 | Store: x | test.cpp:14:22:14:22 | ValueNumberBound | -2 | false | CompareLT: ... < ... | test.cpp:15:7:15:11 | test.cpp:15:7:15:11 |
| test.cpp:27:10:27:10 | Load: i | file://:0:0:0:0 | 0 | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:27:10:27:10 | Load: i | test.cpp:24:15:24:15 | InitializeParameter: x | -1 | true | CompareLT: ... < ... | test.cpp:26:14:26:18 | test.cpp:26:14:26:18 |
| test.cpp:27:10:27:10 | Load: i | test.cpp:24:15:24:15 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:26:14:26:18 | test.cpp:26:14:26:18 |
| test.cpp:30:10:30:10 | Load: i | file://:0:0:0:0 | 0 | 1 | false | CompareGT: ... > ... | test.cpp:29:14:29:18 | test.cpp:29:14:29:18 |
| test.cpp:30:10:30:10 | Load: i | test.cpp:24:15:24:15 | InitializeParameter: x | 0 | true | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:30:10:30:10 | Load: i | test.cpp:26:14:26:14 | Phi: i | 0 | true | CompareLT: ... < ... | test.cpp:26:14:26:18 | test.cpp:26:14:26:18 |
| test.cpp:30:10:30:10 | Load: i | test.cpp:24:15:24:15 | ValueNumberBound | 0 | true | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:30:10:30:10 | Load: i | test.cpp:26:14:26:14 | ValueNumberBound | 0 | true | CompareLT: ... < ... | test.cpp:26:14:26:18 | test.cpp:26:14:26:18 |
| test.cpp:33:10:33:10 | Load: i | file://:0:0:0:0 | 0 | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:33:10:33:10 | Load: i | test.cpp:24:15:24:15 | InitializeParameter: x | 1 | true | CompareLT: ... < ... | test.cpp:32:14:32:22 | test.cpp:32:14:32:22 |
| test.cpp:33:10:33:10 | Load: i | test.cpp:26:14:26:14 | Phi: i | 1 | true | CompareLT: ... < ... | test.cpp:32:14:32:22 | test.cpp:32:14:32:22 |
| test.cpp:33:10:33:10 | Load: i | test.cpp:29:14:29:14 | Phi: i | 0 | false | CompareGT: ... > ... | test.cpp:29:14:29:18 | test.cpp:29:14:29:18 |
| test.cpp:40:10:40:14 | Load: begin | test.cpp:38:16:38:20 | InitializeParameter: begin | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:40:10:40:14 | Load: begin | test.cpp:38:28:38:30 | InitializeParameter: end | -1 | true | CompareLT: ... < ... | test.cpp:39:10:39:20 | test.cpp:39:10:39:20 |
| test.cpp:49:12:49:12 | Load: x | test.cpp:46:22:46:22 | InitializeParameter: y | -1 | true | CompareLT: ... < ... | test.cpp:48:9:48:13 | test.cpp:48:9:48:13 |
| test.cpp:49:12:49:12 | Load: x | test.cpp:46:29:46:29 | InitializeParameter: z | -2 | true | CompareLT: ... < ... | test.cpp:48:9:48:13 | test.cpp:48:9:48:13 |
| test.cpp:54:12:54:12 | Load: x | test.cpp:46:22:46:22 | InitializeParameter: y | -1 | true | CompareLT: ... < ... | test.cpp:52:7:52:11 | test.cpp:52:7:52:11 |
| test.cpp:62:10:62:13 | Load: iter | test.cpp:60:17:60:17 | InitializeParameter: p | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:62:10:62:13 | Load: iter | test.cpp:60:17:60:17 | InitializeParameter: p | 3 | true | CompareLT: ... < ... | test.cpp:61:32:61:51 | test.cpp:61:32:61:51 |
| test.cpp:62:10:62:13 | Load: iter | test.cpp:61:39:61:51 | Convert: (char *)... | -1 | true | CompareLT: ... < ... | test.cpp:61:32:61:51 | test.cpp:61:32:61:51 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:60:17:60:17 | InitializeParameter: p | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:60:17:60:17 | InitializeParameter: p | 3 | true | CompareLT: ... < ... | test.cpp:66:32:66:41 | test.cpp:66:32:66:41 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:61:32:61:35 | Phi: iter | -1 | true | CompareLT: ... < ... | test.cpp:66:32:66:41 | test.cpp:66:32:66:41 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:61:39:61:51 | Convert: (char *)... | -1 | true | CompareLT: ... < ... | test.cpp:66:32:66:41 | test.cpp:66:32:66:41 |
| test.cpp:33:10:33:10 | Load: i | test.cpp:24:15:24:15 | ValueNumberBound | 1 | true | CompareLT: ... < ... | test.cpp:32:14:32:22 | test.cpp:32:14:32:22 |
| test.cpp:33:10:33:10 | Load: i | test.cpp:26:14:26:14 | ValueNumberBound | 1 | true | CompareLT: ... < ... | test.cpp:32:14:32:22 | test.cpp:32:14:32:22 |
| test.cpp:33:10:33:10 | Load: i | test.cpp:29:14:29:14 | ValueNumberBound | 0 | false | CompareGT: ... > ... | test.cpp:29:14:29:18 | test.cpp:29:14:29:18 |
| test.cpp:40:10:40:14 | Load: begin | test.cpp:38:16:38:20 | ValueNumberBound | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:40:10:40:14 | Load: begin | test.cpp:38:28:38:30 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:39:10:39:20 | test.cpp:39:10:39:20 |
| test.cpp:49:12:49:12 | Load: x | test.cpp:46:22:46:22 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:48:9:48:13 | test.cpp:48:9:48:13 |
| test.cpp:49:12:49:12 | Load: x | test.cpp:46:29:46:29 | ValueNumberBound | -2 | true | CompareLT: ... < ... | test.cpp:48:9:48:13 | test.cpp:48:9:48:13 |
| test.cpp:54:12:54:12 | Load: x | test.cpp:46:22:46:22 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:52:7:52:11 | test.cpp:52:7:52:11 |
| test.cpp:62:10:62:13 | Load: iter | test.cpp:60:17:60:17 | ValueNumberBound | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:62:10:62:13 | Load: iter | test.cpp:60:17:60:17 | ValueNumberBound | 3 | true | CompareLT: ... < ... | test.cpp:61:32:61:51 | test.cpp:61:32:61:51 |
| test.cpp:62:10:62:13 | Load: iter | test.cpp:61:39:61:51 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:61:32:61:51 | test.cpp:61:32:61:51 |
| test.cpp:62:10:62:13 | Load: iter | test.cpp:61:48:61:50 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:61:32:61:51 | test.cpp:61:32:61:51 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:60:17:60:17 | ValueNumberBound | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:60:17:60:17 | ValueNumberBound | 3 | true | CompareLT: ... < ... | test.cpp:66:32:66:41 | test.cpp:66:32:66:41 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:61:32:61:35 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:66:32:66:41 | test.cpp:66:32:66:41 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:61:39:61:51 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:66:32:66:41 | test.cpp:66:32:66:41 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:61:48:61:50 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:66:32:66:41 | test.cpp:66:32:66:41 |
| test.cpp:77:12:77:12 | Load: i | file://:0:0:0:0 | 0 | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:77:12:77:12 | Load: i | test.cpp:72:15:72:15 | InitializeParameter: x | -1 | true | CompareLT: ... < ... | test.cpp:76:20:76:24 | test.cpp:76:20:76:24 |
| test.cpp:77:12:77:12 | Load: i | test.cpp:72:22:72:22 | InitializeParameter: y | -1 | true | CompareLT: ... < ... | test.cpp:76:20:76:24 | test.cpp:76:20:76:24 |
| test.cpp:77:12:77:12 | Load: i | test.cpp:72:15:72:15 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:76:20:76:24 | test.cpp:76:20:76:24 |
| test.cpp:77:12:77:12 | Load: i | test.cpp:72:22:72:22 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:76:20:76:24 | test.cpp:76:20:76:24 |
| test.cpp:85:10:85:10 | Load: x | file://:0:0:0:0 | 0 | 2 | false | CompareGT: ... > ... | test.cpp:84:7:84:11 | test.cpp:84:7:84:11 |
| test.cpp:87:10:87:10 | Load: x | file://:0:0:0:0 | 0 | 1 | true | CompareGT: ... > ... | test.cpp:84:7:84:11 | test.cpp:84:7:84:11 |
| test.cpp:90:10:90:10 | Load: x | file://:0:0:0:0 | 0 | 1 | false | CompareGE: ... >= ... | test.cpp:89:7:89:12 | test.cpp:89:7:89:12 |
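Review bot: every SSA-based bound in this block is emitted twice, once against the defining instruction and once as `ValueNumberBound` with identical delta, direction and reason columns (compare `test.cpp:27:10:27:10 | Load: i | test.cpp:24:15:24:15 | InitializeParameter: x | -1 | true | CompareLT` with the `ValueNumberBound` row directly under it), so the file doubles in size without adding coverage. If the point of the change is to exercise the value-number bound layer, consider restricting the test query to one bound class, or at least adding a dedicated column for the bound kind so the two families can be diffed separately.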
@@ -35,32 +37,32 @@
| test.cpp:97:10:97:10 | Load: x | file://:0:0:0:0 | 0 | 1 | false | CompareLT: ... < ... | test.cpp:94:7:94:11 | test.cpp:94:7:94:11 |
| test.cpp:100:10:100:10 | Load: x | file://:0:0:0:0 | 0 | 1 | true | CompareLE: ... <= ... | test.cpp:99:7:99:12 | test.cpp:99:7:99:12 |
| test.cpp:102:10:102:10 | Load: x | file://:0:0:0:0 | 0 | 2 | false | CompareLE: ... <= ... | test.cpp:99:7:99:12 | test.cpp:99:7:99:12 |
| test.cpp:117:10:117:10 | Load: i | test.cpp:114:3:114:6 | Phi: call to sink | -1 | true | CompareLT: ... < ... | test.cpp:116:7:116:11 | test.cpp:116:7:116:11 |
| test.cpp:117:10:117:10 | Load: i | test.cpp:114:3:114:6 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:116:7:116:11 | test.cpp:116:7:116:11 |
| test.cpp:130:10:130:10 | Load: i | file://:0:0:0:0 | 0 | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:140:10:140:10 | Store: i | file://:0:0:0:0 | 0 | 1 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:140:10:140:10 | Store: i | test.cpp:135:16:135:16 | InitializeParameter: x | 0 | false | CompareLT: ... < ... | test.cpp:139:11:139:15 | test.cpp:139:11:139:15 |
| test.cpp:140:10:140:10 | Store: i | test.cpp:138:5:138:5 | Phi: i | 1 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:140:10:140:10 | Store: i | test.cpp:138:5:138:5 | Phi: i | 1 | true | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:156:12:156:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -1 | false | CompareEQ: ... == ... | test.cpp:155:9:155:16 | test.cpp:155:9:155:16 |
| test.cpp:156:12:156:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -1 | true | CompareEQ: ... == ... | test.cpp:155:9:155:16 | test.cpp:155:9:155:16 |
| test.cpp:156:12:156:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -1 | true | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 |
| test.cpp:158:12:158:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -2 | true | CompareEQ: ... == ... | test.cpp:155:9:155:16 | test.cpp:155:9:155:16 |
| test.cpp:158:12:158:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -2 | true | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 |
| test.cpp:161:12:161:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -2 | true | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 |
| test.cpp:161:12:161:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -2 | true | CompareNE: ... != ... | test.cpp:160:9:160:16 | test.cpp:160:9:160:16 |
| test.cpp:163:12:163:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -1 | false | CompareNE: ... != ... | test.cpp:160:9:160:16 | test.cpp:160:9:160:16 |
| test.cpp:163:12:163:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -1 | true | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 |
| test.cpp:163:12:163:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -1 | true | CompareNE: ... != ... | test.cpp:160:9:160:16 | test.cpp:160:9:160:16 |
| test.cpp:167:12:167:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | 1 | false | CompareEQ: ... == ... | test.cpp:166:9:166:16 | test.cpp:166:9:166:16 |
| test.cpp:167:12:167:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | 1 | true | CompareEQ: ... == ... | test.cpp:166:9:166:16 | test.cpp:166:9:166:16 |
| test.cpp:169:12:169:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | 0 | false | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 |
| test.cpp:177:10:177:10 | Load: i | test.cpp:175:23:175:23 | InitializeParameter: x | 1 | false | CompareLT: ... < ... | test.cpp:176:7:176:11 | test.cpp:176:7:176:11 |
| test.cpp:179:10:179:10 | Load: i | test.cpp:175:23:175:23 | InitializeParameter: x | 0 | true | CompareLT: ... < ... | test.cpp:176:7:176:11 | test.cpp:176:7:176:11 |
| test.cpp:183:10:183:10 | Load: i | test.cpp:175:23:175:23 | InitializeParameter: x | -1 | true | CompareLT: ... < ... | test.cpp:182:9:182:13 | test.cpp:182:9:182:13 |
| test.cpp:185:10:185:10 | Load: i | test.cpp:175:23:175:23 | InitializeParameter: x | 0 | true | CompareLT: ... < ... | test.cpp:176:7:176:11 | test.cpp:176:7:176:11 |
| test.cpp:187:10:187:10 | Store: i | test.cpp:175:23:175:23 | InitializeParameter: x | 0 | false | CompareLT: ... < ... | test.cpp:182:9:182:13 | test.cpp:182:9:182:13 |
| test.cpp:194:8:194:8 | Load: l | test.cpp:191:16:191:16 | InitializeParameter: i | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:194:8:194:8 | Load: l | test.cpp:191:16:191:16 | InitializeParameter: i | 0 | true | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:200:10:200:10 | Load: i | test.cpp:198:25:198:25 | InitializeParameter: l | -1 | true | CompareLT: ... < ... | test.cpp:199:7:199:11 | test.cpp:199:7:199:11 |
| test.cpp:203:11:203:11 | Load: i | test.cpp:198:25:198:25 | InitializeParameter: l | -3 | true | CompareLT: ... < ... | test.cpp:202:7:202:15 | test.cpp:202:7:202:15 |
| test.cpp:209:10:209:10 | Load: x | test.cpp:207:24:207:24 | InitializeParameter: y | -3 | true | CompareLT: ... < ... | test.cpp:208:7:208:15 | test.cpp:208:7:208:15 |
| test.cpp:140:10:140:10 | Store: i | test.cpp:135:16:135:16 | ValueNumberBound | 0 | false | CompareLT: ... < ... | test.cpp:139:11:139:15 | test.cpp:139:11:139:15 |
| test.cpp:140:10:140:10 | Store: i | test.cpp:138:5:138:5 | ValueNumberBound | 1 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:140:10:140:10 | Store: i | test.cpp:138:5:138:5 | ValueNumberBound | 1 | true | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:156:12:156:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | -1 | false | CompareEQ: ... == ... | test.cpp:155:9:155:16 | test.cpp:155:9:155:16 |
| test.cpp:156:12:156:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | -1 | true | CompareEQ: ... == ... | test.cpp:155:9:155:16 | test.cpp:155:9:155:16 |
| test.cpp:156:12:156:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 |
| test.cpp:158:12:158:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | -2 | true | CompareEQ: ... == ... | test.cpp:155:9:155:16 | test.cpp:155:9:155:16 |
| test.cpp:158:12:158:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | -2 | true | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 |
| test.cpp:161:12:161:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | -2 | true | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 |
| test.cpp:161:12:161:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | -2 | true | CompareNE: ... != ... | test.cpp:160:9:160:16 | test.cpp:160:9:160:16 |
| test.cpp:163:12:163:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | -1 | false | CompareNE: ... != ... | test.cpp:160:9:160:16 | test.cpp:160:9:160:16 |
| test.cpp:163:12:163:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 |
| test.cpp:163:12:163:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | -1 | true | CompareNE: ... != ... | test.cpp:160:9:160:16 | test.cpp:160:9:160:16 |
| test.cpp:167:12:167:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | 1 | false | CompareEQ: ... == ... | test.cpp:166:9:166:16 | test.cpp:166:9:166:16 |
| test.cpp:167:12:167:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | 1 | true | CompareEQ: ... == ... | test.cpp:166:9:166:16 | test.cpp:166:9:166:16 |
| test.cpp:169:12:169:12 | Load: x | test.cpp:153:23:153:23 | ValueNumberBound | 0 | false | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 |
| test.cpp:177:10:177:10 | Load: i | test.cpp:175:23:175:23 | ValueNumberBound | 1 | false | CompareLT: ... < ... | test.cpp:176:7:176:11 | test.cpp:176:7:176:11 |
| test.cpp:179:10:179:10 | Load: i | test.cpp:175:23:175:23 | ValueNumberBound | 0 | true | CompareLT: ... < ... | test.cpp:176:7:176:11 | test.cpp:176:7:176:11 |
| test.cpp:183:10:183:10 | Load: i | test.cpp:175:23:175:23 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:182:9:182:13 | test.cpp:182:9:182:13 |
| test.cpp:185:10:185:10 | Load: i | test.cpp:175:23:175:23 | ValueNumberBound | 0 | true | CompareLT: ... < ... | test.cpp:176:7:176:11 | test.cpp:176:7:176:11 |
| test.cpp:187:10:187:10 | Store: i | test.cpp:175:23:175:23 | ValueNumberBound | 0 | false | CompareLT: ... < ... | test.cpp:182:9:182:13 | test.cpp:182:9:182:13 |
| test.cpp:194:8:194:8 | Load: l | test.cpp:191:16:191:16 | ValueNumberBound | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:194:8:194:8 | Load: l | test.cpp:191:16:191:16 | ValueNumberBound | 0 | true | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:200:10:200:10 | Load: i | test.cpp:198:25:198:25 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:199:7:199:11 | test.cpp:199:7:199:11 |
| test.cpp:203:11:203:11 | Load: i | test.cpp:198:25:198:25 | ValueNumberBound | -3 | true | CompareLT: ... < ... | test.cpp:202:7:202:15 | test.cpp:202:7:202:15 |
| test.cpp:209:10:209:10 | Load: x | test.cpp:207:24:207:24 | ValueNumberBound | -3 | true | CompareLT: ... < ... | test.cpp:208:7:208:15 | test.cpp:208:7:208:15 |
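Review bot: the phi at `test.cpp:114:3:114:6` prints as `Phi: call to sink` while every other phi in this file prints the variable it merges (`Phi: i`, `Phi: iter`), which suggests its `toString` falls back to the enclosing expression at that location instead of the merged SSA variable. Worth fixing in the IR/SSA `toString` before more expected files bake the misleading label in.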

View File

@@ -0,0 +1,3 @@
| test.cpp:20:21:20:22 | ref arg & ... | This 'unsafe_put_user' writes a user-mode pointer without a security check. |
| test.cpp:41:21:41:22 | ref arg & ... | This 'unsafe_put_user' writes a user-mode pointer without a security check. |
| test.cpp:69:21:69:27 | ref arg & ... | This 'unsafe_put_user' writes a user-mode pointer without a security check. |
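Review bot: "writes a user-mode pointer without a security check" reads as if the pointer value itself is what gets written; what is flagged is a write through a user-supplied pointer with no preceding `user_access_begin`, so name the missing check, e.g. "This 'unsafe_put_user' writes through a user-mode pointer without a preceding user_access_begin check." Since the alert sits on the `&` argument rather than on the call, a `$@` link back to the syscall parameter the pointer came from would also make the result easier to triage.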

View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql

View File

@@ -0,0 +1,86 @@
typedef unsigned long size_t;
#define SYSCALL_DEFINE(name, ...) \
void do_sys_##name(); \
void sys_##name(...) { do_sys_##name(); } \
void do_sys_##name()
SYSCALL_DEFINE(somesystemcall, void *param) {};
bool user_access_begin_impl(const void *where, size_t sz);
void user_access_end_impl();
#define user_access_begin(where, sz) user_access_begin_impl(where, sz)
#define user_access_end() user_access_end_impl()
void unsafe_put_user_impl(int what, const void *where, size_t sz);
#define unsafe_put_user(what, where) unsafe_put_user_impl( (what), (where), sizeof(*(where)) )
void test1(int p)
{
sys_somesystemcall(&p);
unsafe_put_user(123, &p); // BAD
}
void test2(int p)
{
sys_somesystemcall(&p);
if (user_access_begin(&p, sizeof(p)))
{
unsafe_put_user(123, &p); // GOOD
user_access_end();
}
}
void test3()
{
int v;
sys_somesystemcall(&v);
unsafe_put_user(123, &v); // BAD
}
void test4()
{
int v;
sys_somesystemcall(&v);
if (user_access_begin(&v, sizeof(v)))
{
unsafe_put_user(123, &v); // GOOD
user_access_end();
}
}
struct data
{
int x;
};
void test5()
{
data myData;
sys_somesystemcall(&myData);
unsafe_put_user(123, &(myData.x)); // BAD
}
void test6()
{
data myData;
sys_somesystemcall(&myData);
if (user_access_begin(&myData, sizeof(myData)))
{
unsafe_put_user(123, &(myData.x)); // GOOD
user_access_end();
}
}
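Review bot: all three BAD cases have the same shape (no `user_access_begin` anywhere in the function) and all three GOOD cases have the same shape (the write sits lexically inside `if (user_access_begin(...)) { ... }`), so the test never exercises the boundary the query exists for. Add a case that calls `unsafe_put_user` after `user_access_end()`, one in the `else` branch of the `user_access_begin` check, and one where the `if` guards a different pointer than the one written; all three should still be BAD. Separately, `SYSCALL_DEFINE(name, ...)` never uses `__VA_ARGS__`, so the `void *param` in `SYSCALL_DEFINE(somesystemcall, void *param) {};` is silently dropped (and the trailing `;` after `{}` is an empty declaration); either make the macro emit the parameter list or remove the argument so the stub does not suggest a parameter that does not exist.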

View File

@@ -1 +1 @@
| test.c:6:3:6:8 | call to memset | The value of argument '$@' appears to be checked after the call, rather than before it. | test.c:6:17:6:20 | len1 | len1 |
| test.c:6:3:6:8 | call to memset | The value of argument $@ appears to be checked after the call, rather than before it. | test.c:6:17:6:20 | len1 | len1 |
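Review bot: dropping the quotes around `$@` is right, since the placeholder renders as a link and a quoted link looks odd in the alert list; just confirm the `.ql` select message was changed in the same commit, otherwise this expected file fails on the next test run.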

View File

@@ -0,0 +1,11 @@
edges
| test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | (const char *)... |
| test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath |
nodes
| test.cpp:22:27:22:30 | argv | semmle.label | argv |
| test.cpp:29:13:29:20 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:29:13:29:20 | filePath | semmle.label | filePath |
subpaths
#select
| test.cpp:29:13:29:20 | (const char *)... | test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | (const char *)... | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
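Review bot: each `wordexp` call is reported twice at the same location, once on `filePath` and once on its implicit conversion `(const char *)...` (both `#select` rows point at `test.cpp:29:13:29:20`), so users would get a duplicate alert for every finding. Restrict the sink to either the converted or the unconverted argument expression so one call yields one path; the `edges` and `nodes` sections will then also collapse to a single entry per sink.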

View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-078/WordexpTainted.ql

View File

@@ -0,0 +1,45 @@
#ifdef _MSC_VER
#define restrict __restrict
#else
#define restrict __restrict__
#endif
typedef unsigned long size_t;
typedef struct {
size_t we_wordc;
char **we_wordv;
size_t we_offs;
} wordexp_t;
enum {
WRDE_APPEND = (1 << 1),
WRDE_NOCMD = (1 << 2)
};
int wordexp(const char *restrict s, wordexp_t *restrict p, int flags);
int main(int argc, char** argv) {
char *filePath = argv[2];
{
// BAD: the user string is injected directly into `wordexp` which performs command substitution
wordexp_t we;
wordexp(filePath, &we, 0);
}
{
// GOOD: command substitution is disabled
wordexp_t we;
wordexp(filePath, &we, WRDE_NOCMD);
}
{
// GOOD: command substitution is disabled
wordexp_t we;
wordexp(filePath, &we, WRDE_NOCMD | WRDE_APPEND);
}
}
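Review bot: `char *filePath = argv[2];` indexes `argv` without checking `argc`; harmless for a static test, but `argv[1]` is the conventional first argument and avoids readers wondering whether the index matters to the query. The cases also only vary the literal flags argument: add one where the flags come from a variable, one where `WRDE_NOCMD` is ORed in through a variable, and one that passes a non-tainted string with flags `0`, so the expected file shows the query does not fire on it.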

View File

@@ -1 +1 @@
| test.cpp:23:3:23:8 | call to fclose | Consider changing the call to $@ | test.cpp:9:6:9:13 | myFclose | myFclose |
| test.cpp:23:3:23:8 | call to fclose | Consider changing the call to $@. | test.cpp:9:6:9:13 | myFclose | myFclose |

View File

@@ -0,0 +1,344 @@
edges
| test.cpp:16:11:16:21 | VariableAddress indirection [string] | test.cpp:24:21:24:31 | Call indirection [string] |
| test.cpp:16:11:16:21 | VariableAddress indirection [string] | test.cpp:34:21:34:31 | Call indirection [string] |
| test.cpp:16:11:16:21 | VariableAddress indirection [string] | test.cpp:39:21:39:31 | Call indirection [string] |
| test.cpp:18:5:18:30 | Store | test.cpp:18:10:18:15 | Load indirection [post update] [string] |
| test.cpp:18:10:18:15 | Load indirection [post update] [string] | test.cpp:16:11:16:21 | VariableAddress indirection [string] |
| test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | Store |
| test.cpp:24:21:24:31 | Call indirection [string] | test.cpp:26:13:26:15 | Load indirection [string] |
| test.cpp:26:13:26:15 | Load indirection [string] | test.cpp:26:18:26:23 | FieldAddress indirection |
| test.cpp:26:18:26:23 | FieldAddress indirection | test.cpp:26:18:26:23 | Load |
| test.cpp:29:32:29:34 | str indirection [string] | test.cpp:30:13:30:15 | Load indirection [string] |
| test.cpp:30:13:30:15 | Load indirection [string] | test.cpp:30:18:30:23 | FieldAddress indirection |
| test.cpp:30:18:30:23 | FieldAddress indirection | test.cpp:30:18:30:23 | Load |
| test.cpp:34:21:34:31 | Call indirection [string] | test.cpp:35:21:35:23 | str indirection [string] |
| test.cpp:35:21:35:23 | str indirection [string] | test.cpp:29:32:29:34 | str indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:41:13:41:15 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:42:13:42:15 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:44:13:44:15 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:45:13:45:15 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:48:17:48:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:52:17:52:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:56:17:56:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:60:17:60:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:64:17:64:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:68:17:68:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:72:17:72:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:76:17:76:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:80:17:80:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:84:17:84:19 | Load indirection [string] |
| test.cpp:41:13:41:15 | Load indirection [string] | test.cpp:41:18:41:23 | FieldAddress indirection |
| test.cpp:41:18:41:23 | FieldAddress indirection | test.cpp:41:18:41:23 | Load |
| test.cpp:42:13:42:15 | Load indirection [string] | test.cpp:42:18:42:23 | FieldAddress indirection |
| test.cpp:42:18:42:23 | FieldAddress indirection | test.cpp:42:18:42:23 | Load |
| test.cpp:44:13:44:15 | Load indirection [string] | test.cpp:44:18:44:23 | FieldAddress indirection |
| test.cpp:44:18:44:23 | FieldAddress indirection | test.cpp:44:18:44:23 | Load |
| test.cpp:45:13:45:15 | Load indirection [string] | test.cpp:45:18:45:23 | FieldAddress indirection |
| test.cpp:45:18:45:23 | FieldAddress indirection | test.cpp:45:18:45:23 | Load |
| test.cpp:48:17:48:19 | Load indirection [string] | test.cpp:48:22:48:27 | FieldAddress indirection |
| test.cpp:48:22:48:27 | FieldAddress indirection | test.cpp:48:22:48:27 | Load |
| test.cpp:52:17:52:19 | Load indirection [string] | test.cpp:52:22:52:27 | FieldAddress indirection |
| test.cpp:52:22:52:27 | FieldAddress indirection | test.cpp:52:22:52:27 | Load |
| test.cpp:56:17:56:19 | Load indirection [string] | test.cpp:56:22:56:27 | FieldAddress indirection |
| test.cpp:56:22:56:27 | FieldAddress indirection | test.cpp:56:22:56:27 | Load |
| test.cpp:60:17:60:19 | Load indirection [string] | test.cpp:60:22:60:27 | FieldAddress indirection |
| test.cpp:60:22:60:27 | FieldAddress indirection | test.cpp:60:22:60:27 | Load |
| test.cpp:64:17:64:19 | Load indirection [string] | test.cpp:64:22:64:27 | FieldAddress indirection |
| test.cpp:64:22:64:27 | FieldAddress indirection | test.cpp:64:22:64:27 | Load |
| test.cpp:68:17:68:19 | Load indirection [string] | test.cpp:68:22:68:27 | FieldAddress indirection |
| test.cpp:68:22:68:27 | FieldAddress indirection | test.cpp:68:22:68:27 | Load |
| test.cpp:72:17:72:19 | Load indirection [string] | test.cpp:72:22:72:27 | FieldAddress indirection |
| test.cpp:72:22:72:27 | FieldAddress indirection | test.cpp:72:22:72:27 | Load |
| test.cpp:76:17:76:19 | Load indirection [string] | test.cpp:76:22:76:27 | FieldAddress indirection |
| test.cpp:76:22:76:27 | FieldAddress indirection | test.cpp:76:22:76:27 | Load |
| test.cpp:80:17:80:19 | Load indirection [string] | test.cpp:80:22:80:27 | FieldAddress indirection |
| test.cpp:80:22:80:27 | FieldAddress indirection | test.cpp:80:22:80:27 | Load |
| test.cpp:84:17:84:19 | Load indirection [string] | test.cpp:84:22:84:27 | FieldAddress indirection |
| test.cpp:84:22:84:27 | FieldAddress indirection | test.cpp:84:22:84:27 | Load |
| test.cpp:88:11:88:30 | VariableAddress indirection [string] | test.cpp:96:21:96:40 | Call indirection [string] |
| test.cpp:90:5:90:34 | Store | test.cpp:90:10:90:15 | Load indirection [post update] [string] |
| test.cpp:90:10:90:15 | Load indirection [post update] [string] | test.cpp:88:11:88:30 | VariableAddress indirection [string] |
| test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | Store |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:98:13:98:15 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:99:13:99:15 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:101:13:101:15 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:102:13:102:15 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:105:17:105:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:109:17:109:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:113:17:113:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:117:17:117:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:121:17:121:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:125:17:125:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:129:17:129:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:133:17:133:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:137:17:137:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:141:17:141:19 | Load indirection [string] |
| test.cpp:98:13:98:15 | Load indirection [string] | test.cpp:98:18:98:23 | FieldAddress indirection |
| test.cpp:98:18:98:23 | FieldAddress indirection | test.cpp:98:18:98:23 | Load |
| test.cpp:99:13:99:15 | Load indirection [string] | test.cpp:99:18:99:23 | FieldAddress indirection |
| test.cpp:99:18:99:23 | FieldAddress indirection | test.cpp:99:18:99:23 | Load |
| test.cpp:101:13:101:15 | Load indirection [string] | test.cpp:101:18:101:23 | FieldAddress indirection |
| test.cpp:101:18:101:23 | FieldAddress indirection | test.cpp:101:18:101:23 | Load |
| test.cpp:102:13:102:15 | Load indirection [string] | test.cpp:102:18:102:23 | FieldAddress indirection |
| test.cpp:102:18:102:23 | FieldAddress indirection | test.cpp:102:18:102:23 | Load |
| test.cpp:105:17:105:19 | Load indirection [string] | test.cpp:105:22:105:27 | FieldAddress indirection |
| test.cpp:105:22:105:27 | FieldAddress indirection | test.cpp:105:22:105:27 | Load |
| test.cpp:109:17:109:19 | Load indirection [string] | test.cpp:109:22:109:27 | FieldAddress indirection |
| test.cpp:109:22:109:27 | FieldAddress indirection | test.cpp:109:22:109:27 | Load |
| test.cpp:113:17:113:19 | Load indirection [string] | test.cpp:113:22:113:27 | FieldAddress indirection |
| test.cpp:113:22:113:27 | FieldAddress indirection | test.cpp:113:22:113:27 | Load |
| test.cpp:117:17:117:19 | Load indirection [string] | test.cpp:117:22:117:27 | FieldAddress indirection |
| test.cpp:117:22:117:27 | FieldAddress indirection | test.cpp:117:22:117:27 | Load |
| test.cpp:121:17:121:19 | Load indirection [string] | test.cpp:121:22:121:27 | FieldAddress indirection |
| test.cpp:121:22:121:27 | FieldAddress indirection | test.cpp:121:22:121:27 | Load |
| test.cpp:125:17:125:19 | Load indirection [string] | test.cpp:125:22:125:27 | FieldAddress indirection |
| test.cpp:125:22:125:27 | FieldAddress indirection | test.cpp:125:22:125:27 | Load |
| test.cpp:129:17:129:19 | Load indirection [string] | test.cpp:129:22:129:27 | FieldAddress indirection |
| test.cpp:129:22:129:27 | FieldAddress indirection | test.cpp:129:22:129:27 | Load |
| test.cpp:133:17:133:19 | Load indirection [string] | test.cpp:133:22:133:27 | FieldAddress indirection |
| test.cpp:133:22:133:27 | FieldAddress indirection | test.cpp:133:22:133:27 | Load |
| test.cpp:137:17:137:19 | Load indirection [string] | test.cpp:137:22:137:27 | FieldAddress indirection |
| test.cpp:137:22:137:27 | FieldAddress indirection | test.cpp:137:22:137:27 | Load |
| test.cpp:141:17:141:19 | Load indirection [string] | test.cpp:141:22:141:27 | FieldAddress indirection |
| test.cpp:141:22:141:27 | FieldAddress indirection | test.cpp:141:22:141:27 | Load |
| test.cpp:147:5:147:34 | Store | test.cpp:147:10:147:15 | Load indirection [post update] [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:150:13:150:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:151:13:151:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:152:13:152:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:154:13:154:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:155:13:155:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:156:13:156:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:159:17:159:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:163:17:163:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:167:17:167:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:171:17:171:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:175:17:175:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:179:17:179:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:183:17:183:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:187:17:187:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:191:17:191:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:195:17:195:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:199:17:199:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:203:17:203:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:207:17:207:19 | Load indirection [string] |
| test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | Store |
| test.cpp:150:13:150:15 | Load indirection [string] | test.cpp:150:18:150:23 | FieldAddress indirection |
| test.cpp:150:18:150:23 | FieldAddress indirection | test.cpp:150:18:150:23 | Load |
| test.cpp:151:13:151:15 | Load indirection [string] | test.cpp:151:18:151:23 | FieldAddress indirection |
| test.cpp:151:18:151:23 | FieldAddress indirection | test.cpp:151:18:151:23 | Load |
| test.cpp:152:13:152:15 | Load indirection [string] | test.cpp:152:18:152:23 | FieldAddress indirection |
| test.cpp:152:18:152:23 | FieldAddress indirection | test.cpp:152:18:152:23 | Load |
| test.cpp:154:13:154:15 | Load indirection [string] | test.cpp:154:18:154:23 | FieldAddress indirection |
| test.cpp:154:18:154:23 | FieldAddress indirection | test.cpp:154:18:154:23 | Load |
| test.cpp:155:13:155:15 | Load indirection [string] | test.cpp:155:18:155:23 | FieldAddress indirection |
| test.cpp:155:18:155:23 | FieldAddress indirection | test.cpp:155:18:155:23 | Load |
| test.cpp:156:13:156:15 | Load indirection [string] | test.cpp:156:18:156:23 | FieldAddress indirection |
| test.cpp:156:18:156:23 | FieldAddress indirection | test.cpp:156:18:156:23 | Load |
| test.cpp:159:17:159:19 | Load indirection [string] | test.cpp:159:22:159:27 | FieldAddress indirection |
| test.cpp:159:22:159:27 | FieldAddress indirection | test.cpp:159:22:159:27 | Load |
| test.cpp:163:17:163:19 | Load indirection [string] | test.cpp:163:22:163:27 | FieldAddress indirection |
| test.cpp:163:22:163:27 | FieldAddress indirection | test.cpp:163:22:163:27 | Load |
| test.cpp:167:17:167:19 | Load indirection [string] | test.cpp:167:22:167:27 | FieldAddress indirection |
| test.cpp:167:22:167:27 | FieldAddress indirection | test.cpp:167:22:167:27 | Load |
| test.cpp:171:17:171:19 | Load indirection [string] | test.cpp:171:22:171:27 | FieldAddress indirection |
| test.cpp:171:22:171:27 | FieldAddress indirection | test.cpp:171:22:171:27 | Load |
| test.cpp:175:17:175:19 | Load indirection [string] | test.cpp:175:22:175:27 | FieldAddress indirection |
| test.cpp:175:22:175:27 | FieldAddress indirection | test.cpp:175:22:175:27 | Load |
| test.cpp:179:17:179:19 | Load indirection [string] | test.cpp:179:22:179:27 | FieldAddress indirection |
| test.cpp:179:22:179:27 | FieldAddress indirection | test.cpp:179:22:179:27 | Load |
| test.cpp:183:17:183:19 | Load indirection [string] | test.cpp:183:22:183:27 | FieldAddress indirection |
| test.cpp:183:22:183:27 | FieldAddress indirection | test.cpp:183:22:183:27 | Load |
| test.cpp:187:17:187:19 | Load indirection [string] | test.cpp:187:22:187:27 | FieldAddress indirection |
| test.cpp:187:22:187:27 | FieldAddress indirection | test.cpp:187:22:187:27 | Load |
| test.cpp:191:17:191:19 | Load indirection [string] | test.cpp:191:22:191:27 | FieldAddress indirection |
| test.cpp:191:22:191:27 | FieldAddress indirection | test.cpp:191:22:191:27 | Load |
| test.cpp:195:17:195:19 | Load indirection [string] | test.cpp:195:22:195:27 | FieldAddress indirection |
| test.cpp:195:22:195:27 | FieldAddress indirection | test.cpp:195:22:195:27 | Load |
| test.cpp:199:17:199:19 | Load indirection [string] | test.cpp:199:22:199:27 | FieldAddress indirection |
| test.cpp:199:22:199:27 | FieldAddress indirection | test.cpp:199:22:199:27 | Load |
| test.cpp:203:17:203:19 | Load indirection [string] | test.cpp:203:22:203:27 | FieldAddress indirection |
| test.cpp:203:22:203:27 | FieldAddress indirection | test.cpp:203:22:203:27 | Load |
| test.cpp:207:17:207:19 | Load indirection [string] | test.cpp:207:22:207:27 | FieldAddress indirection |
| test.cpp:207:22:207:27 | FieldAddress indirection | test.cpp:207:22:207:27 | Load |
nodes
| test.cpp:16:11:16:21 | VariableAddress indirection [string] | semmle.label | VariableAddress indirection [string] |
| test.cpp:18:5:18:30 | Store | semmle.label | Store |
| test.cpp:18:10:18:15 | Load indirection [post update] [string] | semmle.label | Load indirection [post update] [string] |
| test.cpp:18:19:18:24 | call to malloc | semmle.label | call to malloc |
| test.cpp:24:21:24:31 | Call indirection [string] | semmle.label | Call indirection [string] |
| test.cpp:26:13:26:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:26:18:26:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:26:18:26:23 | Load | semmle.label | Load |
| test.cpp:29:32:29:34 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:30:13:30:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:30:18:30:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:30:18:30:23 | Load | semmle.label | Load |
| test.cpp:34:21:34:31 | Call indirection [string] | semmle.label | Call indirection [string] |
| test.cpp:35:21:35:23 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | semmle.label | Call indirection [string] |
| test.cpp:41:13:41:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:41:18:41:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:41:18:41:23 | Load | semmle.label | Load |
| test.cpp:42:13:42:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:42:18:42:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:42:18:42:23 | Load | semmle.label | Load |
| test.cpp:44:13:44:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:44:18:44:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:44:18:44:23 | Load | semmle.label | Load |
| test.cpp:45:13:45:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:45:18:45:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:45:18:45:23 | Load | semmle.label | Load |
| test.cpp:48:17:48:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:48:22:48:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:48:22:48:27 | Load | semmle.label | Load |
| test.cpp:52:17:52:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:52:22:52:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:52:22:52:27 | Load | semmle.label | Load |
| test.cpp:56:17:56:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:56:22:56:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:56:22:56:27 | Load | semmle.label | Load |
| test.cpp:60:17:60:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:60:22:60:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:60:22:60:27 | Load | semmle.label | Load |
| test.cpp:64:17:64:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:64:22:64:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:64:22:64:27 | Load | semmle.label | Load |
| test.cpp:68:17:68:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:68:22:68:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:68:22:68:27 | Load | semmle.label | Load |
| test.cpp:72:17:72:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:72:22:72:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:72:22:72:27 | Load | semmle.label | Load |
| test.cpp:76:17:76:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:76:22:76:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:76:22:76:27 | Load | semmle.label | Load |
| test.cpp:80:17:80:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:80:22:80:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:80:22:80:27 | Load | semmle.label | Load |
| test.cpp:84:17:84:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:84:22:84:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:84:22:84:27 | Load | semmle.label | Load |
| test.cpp:88:11:88:30 | VariableAddress indirection [string] | semmle.label | VariableAddress indirection [string] |
| test.cpp:90:5:90:34 | Store | semmle.label | Store |
| test.cpp:90:10:90:15 | Load indirection [post update] [string] | semmle.label | Load indirection [post update] [string] |
| test.cpp:90:19:90:24 | call to malloc | semmle.label | call to malloc |
| test.cpp:96:21:96:40 | Call indirection [string] | semmle.label | Call indirection [string] |
| test.cpp:98:13:98:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:98:18:98:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:98:18:98:23 | Load | semmle.label | Load |
| test.cpp:99:13:99:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:99:18:99:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:99:18:99:23 | Load | semmle.label | Load |
| test.cpp:101:13:101:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:101:18:101:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:101:18:101:23 | Load | semmle.label | Load |
| test.cpp:102:13:102:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:102:18:102:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:102:18:102:23 | Load | semmle.label | Load |
| test.cpp:105:17:105:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:105:22:105:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:105:22:105:27 | Load | semmle.label | Load |
| test.cpp:109:17:109:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:109:22:109:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:109:22:109:27 | Load | semmle.label | Load |
| test.cpp:113:17:113:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:113:22:113:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:113:22:113:27 | Load | semmle.label | Load |
| test.cpp:117:17:117:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:117:22:117:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:117:22:117:27 | Load | semmle.label | Load |
| test.cpp:121:17:121:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:121:22:121:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:121:22:121:27 | Load | semmle.label | Load |
| test.cpp:125:17:125:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:125:22:125:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:125:22:125:27 | Load | semmle.label | Load |
| test.cpp:129:17:129:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:129:22:129:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:129:22:129:27 | Load | semmle.label | Load |
| test.cpp:133:17:133:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:133:22:133:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:133:22:133:27 | Load | semmle.label | Load |
| test.cpp:137:17:137:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:137:22:137:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:137:22:137:27 | Load | semmle.label | Load |
| test.cpp:141:17:141:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:141:22:141:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:141:22:141:27 | Load | semmle.label | Load |
| test.cpp:147:5:147:34 | Store | semmle.label | Store |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | semmle.label | Load indirection [post update] [string] |
| test.cpp:147:19:147:24 | call to malloc | semmle.label | call to malloc |
| test.cpp:150:13:150:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:150:18:150:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:150:18:150:23 | Load | semmle.label | Load |
| test.cpp:151:13:151:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:151:18:151:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:151:18:151:23 | Load | semmle.label | Load |
| test.cpp:152:13:152:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:152:18:152:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:152:18:152:23 | Load | semmle.label | Load |
| test.cpp:154:13:154:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:154:18:154:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:154:18:154:23 | Load | semmle.label | Load |
| test.cpp:155:13:155:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:155:18:155:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:155:18:155:23 | Load | semmle.label | Load |
| test.cpp:156:13:156:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:156:18:156:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:156:18:156:23 | Load | semmle.label | Load |
| test.cpp:159:17:159:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:159:22:159:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:159:22:159:27 | Load | semmle.label | Load |
| test.cpp:163:17:163:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:163:22:163:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:163:22:163:27 | Load | semmle.label | Load |
| test.cpp:167:17:167:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:167:22:167:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:167:22:167:27 | Load | semmle.label | Load |
| test.cpp:171:17:171:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:171:22:171:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:171:22:171:27 | Load | semmle.label | Load |
| test.cpp:175:17:175:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:175:22:175:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:175:22:175:27 | Load | semmle.label | Load |
| test.cpp:179:17:179:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:179:22:179:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:179:22:179:27 | Load | semmle.label | Load |
| test.cpp:183:17:183:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:183:22:183:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:183:22:183:27 | Load | semmle.label | Load |
| test.cpp:187:17:187:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:187:22:187:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:187:22:187:27 | Load | semmle.label | Load |
| test.cpp:191:17:191:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:191:22:191:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:191:22:191:27 | Load | semmle.label | Load |
| test.cpp:195:17:195:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:195:22:195:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:195:22:195:27 | Load | semmle.label | Load |
| test.cpp:199:17:199:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:199:22:199:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:199:22:199:27 | Load | semmle.label | Load |
| test.cpp:203:17:203:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:203:22:203:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:203:22:203:27 | Load | semmle.label | Load |
| test.cpp:207:17:207:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:207:22:207:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:207:22:207:27 | Load | semmle.label | Load |
subpaths
#select
| test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | Load | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string |
| test.cpp:72:9:72:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:72:22:72:27 | Load | This write may overflow $@ by 1 element. | test.cpp:72:22:72:27 | string | string |
| test.cpp:80:9:80:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:80:22:80:27 | Load | This write may overflow $@ by 2 elements. | test.cpp:80:22:80:27 | string | string |
| test.cpp:99:5:99:11 | call to strncpy | test.cpp:90:19:90:24 | call to malloc | test.cpp:99:18:99:23 | Load | This write may overflow $@ by 1 element. | test.cpp:99:18:99:23 | string | string |
| test.cpp:129:9:129:15 | call to strncpy | test.cpp:90:19:90:24 | call to malloc | test.cpp:129:22:129:27 | Load | This write may overflow $@ by 1 element. | test.cpp:129:22:129:27 | string | string |
| test.cpp:137:9:137:15 | call to strncpy | test.cpp:90:19:90:24 | call to malloc | test.cpp:137:22:137:27 | Load | This write may overflow $@ by 2 elements. | test.cpp:137:22:137:27 | string | string |
| test.cpp:152:5:152:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:152:18:152:23 | Load | This write may overflow $@ by 1 element. | test.cpp:152:18:152:23 | string | string |
| test.cpp:154:5:154:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:154:18:154:23 | Load | This write may overflow $@ by 1 element. | test.cpp:154:18:154:23 | string | string |
| test.cpp:156:5:156:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:156:18:156:23 | Load | This write may overflow $@ by 2 elements. | test.cpp:156:18:156:23 | string | string |
| test.cpp:175:9:175:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:175:22:175:27 | Load | This write may overflow $@ by 1 element. | test.cpp:175:22:175:27 | string | string |
| test.cpp:187:9:187:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:187:22:187:27 | Load | This write may overflow $@ by 1 element. | test.cpp:187:22:187:27 | string | string |
| test.cpp:195:9:195:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:195:22:195:27 | Load | This write may overflow $@ by 1 element. | test.cpp:195:22:195:27 | string | string |
| test.cpp:199:9:199:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:199:22:199:27 | Load | This write may overflow $@ by 2 elements. | test.cpp:199:22:199:27 | string | string |
| test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | Load | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string |
| test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | Load | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string |
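Review bot: in every `#select` row the sink node and the `$@` link resolve to the same `Load` of `str->string` (for example `test.cpp:42:18:42:23 | Load` and `test.cpp:42:18:42:23 | string`), so the message "This write may overflow $@ by 1 element." points the reader at the destination pointer rather than at the length argument (`str->size + 1`, `anotherSize`) from which the "by N element(s)" delta is computed; consider having `$@` name the length expression, or at least mentioning it in the message, so that a row is actionable without opening the source.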

@@ -0,0 +1 @@
experimental/Likely Bugs/OverrunWriteProductFlow.ql

@@ -0,0 +1,210 @@
typedef unsigned size_t;
int sprintf(char *s, const char *format, ...);
int snprintf(char *s, size_t n, const char *format, ...);
int scanf(const char *format, ...);
int sscanf(const char *s, const char *format, ...);
char *malloc(size_t size);
char *strncpy(char *dst, const char *src, size_t n);
typedef struct
{
char *string;
unsigned size;
} string_t;
string_t *mk_string_t(int size) {
string_t *str = (string_t *) malloc(sizeof(string_t));
str->string = malloc(size);
str->size = size;
return str;
}
void test1(int size, char *buf) {
string_t *str = mk_string_t(size);
strncpy(str->string, buf, str->size); // GOOD
}
void strncpy_wrapper(string_t *str, char *buf) {
strncpy(str->string, buf, str->size); // GOOD
}
void test2(int size, char *buf) {
string_t *str = mk_string_t(size);
strncpy_wrapper(str, buf);
}
void test3(unsigned size, char *buf, unsigned anotherSize) {
string_t *str = mk_string_t(size);
strncpy(str->string, buf, str->size); // GOOD
strncpy(str->string, buf, str->size + 1); // BAD
strncpy(str->string, buf, size); // GOOD
strncpy(str->string, buf, size + 1); // BAD [NOT DETECTED]
if(anotherSize < str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < str->size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size + 1) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 1) {
strncpy(str->string, buf, anotherSize); // BAD [NOT DETECTED]
}
if(anotherSize <= str->size + 2) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 2) {
strncpy(str->string, buf, anotherSize); // BAD [NOT DETECTED]
}
}
string_t *mk_string_t_plus_one(int size) {
string_t *str = (string_t *) malloc(sizeof(string_t));
str->string = malloc(size + 1);
str->size = size + 1;
return str;
}
void test4(unsigned size, char *buf, unsigned anotherSize) {
string_t *str = mk_string_t_plus_one(size);
strncpy(str->string, buf, str->size); // GOOD
strncpy(str->string, buf, str->size + 1); // BAD
strncpy(str->string, buf, size); // GOOD
strncpy(str->string, buf, size + 1); // GOOD
if(anotherSize < str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < str->size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size + 1) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size + 2) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 2) {
strncpy(str->string, buf, anotherSize); // BAD [NOT DETECTED]
}
}
void test5(unsigned size, char *buf, unsigned anotherSize) {
string_t *str = (string_t *) malloc(sizeof(string_t));
str->string = malloc(size - 1);
str->size = size - 1;
strncpy(str->string, buf, str->size); // GOOD
strncpy(str->string, buf, str->size - 1); // GOOD
strncpy(str->string, buf, str->size + 1); // BAD
strncpy(str->string, buf, size); // BAD
strncpy(str->string, buf, size - 1); // GOOD
strncpy(str->string, buf, size + 1); // BAD
if(anotherSize < str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size - 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= size) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size - 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < str->size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size + 1) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize < size - 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size + 1) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 1) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= str->size + 2) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 2) {
strncpy(str->string, buf, anotherSize); // BAD
}
}
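Review bot: the four sites tagged `// BAD [NOT DETECTED]` (in `test3`: `strncpy(str->string, buf, size + 1)`, `anotherSize <= size + 1`, `anotherSize <= size + 2`; in `test4`: `anotherSize <= size + 2`) are exactly the cases where the copy length is derived from the `size` parameter instead of from `str->size` after the struct was built by `mk_string_t` or `mk_string_t_plus_one`, while the same bounds written through `str->size` are caught; a one-line comment at the top of the file stating that the query relates a length to its allocation only through the `size` field written by the helper would make it clear that 15 alerts for 19 `// BAD` sites is the intended baseline and not a regression to chase. Separately, `test1`, `test2` and both `mk_string_t*` helpers take `int size` while `test3` to `test5` take `unsigned size` and pass it through, so the stubs add an implicit unsigned-to-int conversion that is unrelated to what the test exercises; declaring all of them `unsigned` (matching `typedef unsigned size_t;` and the `malloc` stub) keeps the test focused.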

@@ -0,0 +1,26 @@
| test1.cpp:28:5:28:23 | call to WideCharToMultiByte | According to the definition of the functions, if the source buffer and the destination buffer are the same, undefined behavior is possible. |
| test1.cpp:29:5:29:23 | call to MultiByteToWideChar | According to the definition of the functions, if the source buffer and the destination buffer are the same, undefined behavior is possible. |
| test1.cpp:45:3:45:21 | call to WideCharToMultiByte | According to the definition of the functions, it is not guaranteed to write a null character at the end of the string, so access beyond the bounds of the destination buffer is possible. |
| test1.cpp:58:3:58:21 | call to MultiByteToWideChar | The buffer destination has a type other than char, you need to take this into account when allocating memory. |
| test1.cpp:70:3:70:21 | call to MultiByteToWideChar | The buffer destination has a type other than char, you need to take this into account when allocating memory. |
| test1.cpp:76:10:76:28 | call to WideCharToMultiByte | If the destination buffer is NULL and its size is not 0, then undefined behavior is possible. |
| test1.cpp:93:5:93:23 | call to WideCharToMultiByte | According to the definition of the functions, it is not guaranteed to write a null character at the end of the string, so access beyond the bounds of the destination buffer is possible. |
| test2.cpp:15:5:15:12 | call to mbstowcs | According to the definition of the functions, if the source buffer and the destination buffer are the same, undefined behavior is possible. |
| test2.cpp:17:5:17:15 | call to _mbstowcs_l | According to the definition of the functions, if the source buffer and the destination buffer are the same, undefined behavior is possible. |
| test2.cpp:19:5:19:13 | call to mbsrtowcs | According to the definition of the functions, if the source buffer and the destination buffer are the same, undefined behavior is possible. |
| test2.cpp:35:3:35:10 | call to mbstowcs | According to the definition of the functions, it is not guaranteed to write a null character at the end of the string, so access beyond the bounds of the destination buffer is possible. |
| test2.cpp:48:3:48:10 | call to mbstowcs | The buffer destination has a type other than char, you need to take this into account when allocating memory. |
| test2.cpp:60:3:60:10 | call to mbstowcs | The buffer destination has a type other than char, you need to take this into account when allocating memory. |
| test2.cpp:66:10:66:17 | call to mbstowcs | If the destination buffer is NULL and its size is not 0, then undefined behavior is possible. |
| test2.cpp:80:3:80:10 | call to mbstowcs | According to the definition of the functions, it is not guaranteed to write a null character at the end of the string, so access beyond the bounds of the destination buffer is possible. |
| test3.cpp:16:5:16:13 | access to array | This buffer may contain multibyte characters, so attempting to copy may result in part of the last character being lost. |
| test3.cpp:36:13:36:18 | ... + ... | This buffer may contain multibyte characters, so an attempt to copy may result in an overflow. |
| test3.cpp:47:3:47:24 | access to array | The size of the array element is greater than one byte, so the offset will point outside the array. |
| test.cpp:66:27:66:32 | call to mbtowc | Size can be less than maximum character length, use macro MB_CUR_MAX. |
| test.cpp:76:27:76:32 | call to mbtowc | Size can be less than maximum character length, use macro MB_CUR_MAX. |
| test.cpp:106:11:106:16 | call to mbtowc | Access beyond the allocated memory is possible, the length can change without changing the pointer. |
| test.cpp:123:11:123:16 | call to mbtowc | Access beyond the allocated memory is possible, the length can change without changing the pointer. |
| test.cpp:140:11:140:16 | call to mbtowc | Access beyond the allocated memory is possible, the length can change without changing the pointer. |
| test.cpp:158:11:158:16 | call to mbtowc | Access beyond the allocated memory is possible, the length can change without changing the pointer. |
| test.cpp:181:11:181:16 | call to mbtowc | Access beyond the allocated memory is possible, the length can change without changing the pointer. |
| test.cpp:197:11:197:16 | call to mbtowc | Maybe you're using the function's return value incorrectly. |
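Review bot: several alert strings here are comma splices or are too vague to act on, and since they are rendered from the query they need to be fixed in the `.ql` and this file regenerated: "The buffer destination has a type other than char, you need to take this into account when allocating memory." reads better as "The destination buffer's element type is not `char`; allocate it in elements, not bytes.", "Size can be less than maximum character length, use macro MB_CUR_MAX." as "The size argument may be smaller than the maximum multibyte character length; use `MB_CUR_MAX`.", and "Maybe you're using the function's return value incorrectly." should say what is wrong (the return value is the number of source bytes consumed, so it advances the source pointer, not the destination). "According to the definition of the functions" can be shortened to "By the functions' contract" in the two messages that use it.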

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
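Review bot: the query is filed under `CWE-125` (out-of-bounds read), but most of the messages in the accompanying `.expected` output describe writes past the destination buffer ("access beyond the bounds of the destination buffer is possible", "an attempt to copy may result in an overflow", "Access beyond the allocated memory is possible"), which is CWE-787; please check that the query's `@tags` also carry `external/cwe/cwe-787`, or move it to a directory that matches what it reports.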

@@ -0,0 +1,206 @@
typedef unsigned long size_t;
#define MB_CUR_MAX 6
#define MB_LEN_MAX 16
int mbtowc(wchar_t *out, const char *in, size_t size);
int wprintf (const wchar_t* format, ...);
int strlen( const char * string );
int checkErrors();
void goodTest0()
{
char * ptr = "123456789";
int ret;
int len;
len = 9;
for (wchar_t wc; (ret = mbtowc(&wc, ptr, len)) > 0; len-=ret) { // GOOD
wprintf(L"%lc", wc);
ptr += ret;
}
}
void goodTest1(const char* ptr)
{
int ret;
int len;
len = strlen(ptr);
for (wchar_t wc; (ret = mbtowc(&wc, ptr, len)) > 0; len-=ret) { // GOOD
wprintf(L"%lc", wc);
ptr += ret;
}
}
void goodTest2(char* ptr)
{
int ret;
ptr[10]=0;
int len = 9;
for (wchar_t wc; (ret = mbtowc(&wc, ptr, 16)) > 0; len-=ret) { // GOOD
wprintf(L"%lc", wc);
ptr += ret;
}
}
void goodTest3(const char* ptr)
{
int ret;
int len;
len = strlen(ptr);
for (wchar_t wc; (ret = mbtowc(&wc, ptr, MB_CUR_MAX)) > 0; len-=ret) { // GOOD
wprintf(L"%lc", wc);
ptr += ret;
}
}
void goodTest4(const char* ptr)
{
int ret;
int len;
len = strlen(ptr);
for (wchar_t wc; (ret = mbtowc(&wc, ptr, MB_LEN_MAX)) > 0; len-=ret) { // GOOD
wprintf(L"%lc", wc);
ptr += ret;
}
}
void badTest1(const char* ptr)
{
int ret;
int len;
len = strlen(ptr);
for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results
wprintf(L"%lc", wc);
ptr += ret;
}
}
void badTest2(const char* ptr)
{
int ret;
int len;
len = strlen(ptr);
for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results
wprintf(L"%lc", wc);
ptr += ret;
}
}
void goodTest5(const char* ptr,wchar_t *wc,int wc_len)
{
int ret;
int len;
len = wc_len;
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, len); // GOOD
if (ret <0)
break;
if (ret == 0 || ret > len)
break;
len-=ret;
ptr+=ret;
wc++;
}
}
void badTest3(const char* ptr,int wc_len)
{
int ret;
int len;
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
break;
len-=ret;
ptr+=ret;
wc++;
}
}
void badTest4(const char* ptr,int wc_len)
{
int ret;
int len;
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, 16); // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
break;
len-=ret;
ptr+=ret;
wc++;
}
}
void badTest5(const char* ptr,int wc_len)
{
int ret;
int len;
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
break;
len-=ret;
ptr+=ret;
wc++;
}
}
void badTest6(const char* ptr,int wc_len)
{
int ret;
int len;
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && wc_len > 0) {
ret = mbtowc(wc, ptr, wc_len); // BAD
if (ret <0)
if (checkErrors()) {
++ptr;
--len;
continue;
} else
break;
if (ret == 0 || ret > len)
break;
wc_len--;
len-=ret;
wc++;
ptr+=ret;
}
}
void badTest7(const char* ptr,int wc_len)
{
int ret;
int len;
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && wc_len > 0) {
ret = mbtowc(wc, ptr, len); // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
break;
len--;
wc++;
ptr+=ret;
}
}
void badTest8(const char* ptr,wchar_t *wc)
{
int ret;
int len;
len = strlen(ptr);
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, len); // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
break;
len-=ret;
ptr++;
wc+=ret;
}
}
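Review bot: goodTest2 and badTest4 both pass the literal 16 as the length to mbtowc, yet one is labelled GOOD and the other BAD, and the only visible difference is goodTest2's `ptr[10]=0` (which itself writes past the 9 bytes that its `len = 9` assumes); add a one-line comment to each case stating the property the query checks (length argument derived from the remaining input, pointer and length advanced together) so the expected output can be reviewed against it. In goodTest2, goodTest3 and goodTest4 `len` is computed but never passed to mbtowc, so the `len-=ret` updates are dead code; either pass `len` or drop it. `char * ptr = "123456789";` in goodTest0 binds a string literal to a non-const pointer, which is ill-formed in C++11 and later; use `const char *`. The `strlen` stub returns `int` where the real function returns `size_t`, which matters if the query reasons about the type of the length argument.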

View File

@@ -0,0 +1,95 @@
#define CP_ACP 1
#define CP_UTF8 1
#define WC_COMPOSITECHECK 1
#define NULL 0
typedef unsigned int UINT;
typedef unsigned long DWORD, *PDWORD, *LPDWORD;
typedef char CHAR;
#define CONST const
typedef wchar_t WCHAR;
typedef CHAR *LPSTR;
typedef CONST CHAR *LPCSTR;
typedef CONST WCHAR *LPCWSTR;
typedef int BOOL;
typedef BOOL *LPBOOL;
int WideCharToMultiByte(UINT CodePage,DWORD dwFlags,LPCWSTR lpWideCharStr,int cchWideChar,LPSTR lpMultiByteStr,int cbMultiByte,LPCWSTR lpDefaultChar,LPBOOL lpUsedDefaultChar);
int MultiByteToWideChar(UINT CodePage,DWORD dwFlags,LPCSTR lpMultiByteStr,int cbMultiByte,LPCWSTR lpWideCharStr,int cchWideChar);
int printf ( const char * format, ... );
typedef unsigned int size_t;
void* calloc (size_t num, size_t size);
void* malloc (size_t size);
void badTest1(void *src, int size) {
WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD
}
void goodTest2(){
wchar_t src[] = L"0123456789ABCDEF";
char dst[16];
int res = WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // GOOD
if (res == sizeof(dst)) {
dst[res-1] = NULL;
} else {
dst[res] = NULL;
}
printf("%s\n", dst);
}
void badTest2(){
wchar_t src[] = L"0123456789ABCDEF";
char dst[16];
WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD
printf("%s\n", dst);
}
void goodTest3(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)calloc(size + 1, sizeof(wchar_t));
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // GOOD
}
void badTest3(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
}
void goodTest4(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)malloc((size + 1)*sizeof(wchar_t));
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // GOOD
}
void badTest4(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)malloc(size + 1);
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
}
int goodTest5(void *src){
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 0, 0, 0); // GOOD
}
int badTest5 (void *src) {
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // BAD
}
void goodTest6(WCHAR *src)
{
int size;
char dst[5] ="";
size = WideCharToMultiByte(CP_ACP, WC_COMPOSITECHECK, src, -1, dst, 0, 0, 0);
if(size>=sizeof(dst)){
printf("buffer size error\n");
return;
}
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, sizeof(dst), 0, 0); // GOOD
printf("%s\n", dst);
}
void badTest6(WCHAR *src)
{
char dst[5] ="";
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD
printf("%s\n", dst);
}
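Review bot: goodTest6 sizes the buffer with `WC_COMPOSITECHECK` but performs the conversion with `dwFlags` 0; the required length can differ between the two calls, so the `size>=sizeof(dst)` check does not guarantee that the second call fits, and the sizing call should use the same flags as the conversion. `#define CP_ACP 1` and `#define CP_UTF8 1` give the two code pages the same value (neither matches the real 0 and 65001), so any logic that distinguishes them is not exercised by these tests. The `MultiByteToWideChar` stub declares the output parameter `lpWideCharStr` as `LPCWSTR` (const), unlike the real `LPWSTR`, which is why badTest1 has to cast `src` to `LPCWSTR`; declare it `LPWSTR` and cast to that. In goodTest2 the source needs 17 bytes (16 characters plus the terminator, since `cchWideChar` is -1) but `dst` holds 16, so the conversion fails and the GOOD branch is only reached with `res == 0`; if a successful conversion was intended, enlarge `dst`. `dst[res-1] = NULL` stores the null-pointer macro into a `char`; use `'\0'`.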

View File

@@ -0,0 +1,82 @@
#define NULL 0
typedef unsigned int size_t;
struct mbstate_t{};
struct _locale_t{};
int printf ( const char * format, ... );
void* calloc (size_t num, size_t size);
void* malloc (size_t size);
size_t mbstowcs(wchar_t *wcstr,const char *mbstr,size_t count);
size_t _mbstowcs_l(wchar_t *wcstr,const char *mbstr,size_t count, _locale_t locale);
size_t mbsrtowcs(wchar_t *wcstr,const char *mbstr,size_t count, mbstate_t *mbstate);
void badTest1(void *src, int size) {
mbstowcs((wchar_t*)src,(char*)src,size); // BAD
_locale_t locale;
_mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD
mbstate_t *mbstate;
mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD
}
void goodTest2(){
char src[] = "0123456789ABCDEF";
wchar_t dst[16];
int res = mbstowcs(dst, src,16); // GOOD
if (res == sizeof(dst)) {
dst[res-1] = NULL;
} else {
dst[res] = NULL;
}
printf("%s\n", dst);
}
void badTest2(){
char src[] = "0123456789ABCDEF";
wchar_t dst[16];
mbstowcs(dst, src,16); // BAD
printf("%s\n", dst);
}
void goodTest3(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)calloc(size + 1, sizeof(wchar_t));
mbstowcs(dst, src,size+1); // GOOD
}
void badTest3(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
mbstowcs(dst, src,size+1); // BAD
}
void goodTest4(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)malloc((size + 1)*sizeof(wchar_t));
mbstowcs(dst, src,size+1); // GOOD
}
void badTest4(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)malloc(size + 1);
mbstowcs(dst, src,size+1); // BAD
}
int goodTest5(void *src){
return mbstowcs(NULL, (char*)src,NULL); // GOOD
}
int badTest5 (void *src) {
return mbstowcs(NULL, (char*)src,3); // BAD
}
void goodTest6(void *src){
wchar_t dst[5];
int size = mbstowcs(NULL, (char*)src,NULL);
if(size>=sizeof(dst)){
printf("buffer size error\n");
return;
}
mbstowcs(dst, (char*)src,sizeof(dst)); // GOOD
printf("%s\n", dst);
}
void badTest6(void *src){
wchar_t dst[5];
mbstowcs(dst, (char*)src,260); // BAD
printf("%s\n", dst);
}
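Review bot: goodTest2 and goodTest6 are labelled GOOD but contain real overflows, because `sizeof(dst)` is a byte count while mbstowcs takes and returns counts of wide characters. In goodTest6, `wchar_t dst[5]` is passed `sizeof(dst)` (5 times `sizeof(wchar_t)`) as the count, so a source of between 5 and `sizeof(dst)-1` characters passes the `size>=sizeof(dst)` check and overruns `dst`. In goodTest2, `res == sizeof(dst)` can never hold for a 16-element array, so when all 16 slots are used `dst[res] = NULL` writes `dst[16]`. Use `sizeof(dst)/sizeof(dst[0])` in both places, or relabel them BAD if the query is meant to catch exactly this. Smaller points: `mbstowcs(NULL, src, NULL)` passes the `NULL` macro as a `size_t` count (write `0`); `int res = mbstowcs(...)` truncates a `size_t` that is `(size_t)-1` on failure, turning the later store into `dst[-1]`; and `printf("%s\n", dst)` on a `wchar_t*` should be `%ls`.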

View File

@@ -0,0 +1,48 @@
#define NULL 0
typedef unsigned int size_t;
unsigned char * _mbsnbcpy(unsigned char * strDest,const unsigned char * strSource,size_t count);
size_t _mbclen(const unsigned char *c);
void _mbccpy(unsigned char *dest,const unsigned char *src);
unsigned char *_mbsinc(const unsigned char *current);
void goodTest1(unsigned char *src){
unsigned char dst[50];
_mbsnbcpy(dst,src,sizeof(dst)); // GOOD
}
size_t badTest1(unsigned char *src){
int cb = 0;
unsigned char dst[50];
while( cb < sizeof(dst) )
dst[cb++]=*src++; // BAD
return _mbclen(dst);
}
void goodTest2(unsigned char *src){
int cb = 0;
unsigned char dst[50];
while( (cb + _mbclen(src)) <= sizeof(dst) )
{
_mbccpy(dst+cb,src); // GOOD
cb+=_mbclen(src);
src=_mbsinc(src);
}
}
void badTest2(unsigned char *src){
int cb = 0;
unsigned char dst[50];
while( cb < sizeof(dst) )
{
_mbccpy(dst+cb,src); // BAD
cb+=_mbclen(src);
src=_mbsinc(src);
}
}
void goodTest3(){
wchar_t name[50];
name[sizeof(name) / sizeof(*name) - 1] = L'\0'; // GOOD
}
void badTest3(){
wchar_t name[50];
name[sizeof(name) - 1] = L'\0'; // BAD
}
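Review bot: goodTest2 never checks for the end of `src`; its loop condition only bounds `cb` against `sizeof(dst)`, so for any source shorter than 50 bytes `_mbsinc` steps past the terminator and the loop keeps copying bytes from beyond `src` until `cb` reaches 50, and `dst` is never terminated. Add `*src` to the condition and write a terminator after the loop so the GOOD case is actually safe; the same missing end check in badTest1 and badTest2 is fine since those are intended to be BAD. `cb` is a signed `int` compared against `sizeof(dst)`; declare it `size_t` to avoid the signed/unsigned comparison.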

View File

@@ -1,5 +1,7 @@
edges
| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 |
| test.cpp:37:24:37:27 | size | test.cpp:37:46:37:49 | size |
| test.cpp:45:36:45:40 | ... * ... | test.cpp:37:24:37:27 | size |
nodes
| test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
| test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |
@@ -8,6 +10,11 @@ nodes
| test.cpp:23:33:23:37 | size1 | semmle.label | size1 |
| test.cpp:30:27:30:31 | ... * ... | semmle.label | ... * ... |
| test.cpp:31:27:31:31 | ... * ... | semmle.label | ... * ... |
| test.cpp:37:24:37:27 | size | semmle.label | size |
| test.cpp:37:46:37:49 | size | semmle.label | size |
| test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... |
| test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... |
| test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... |
subpaths
#select
| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
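Review bot: the node row `| test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... |` appears twice in this hunk, meaning two distinct dataflow nodes with the same location and label are now part of the path (presumably the multiplication expression and the argument node feeding the custom allocator). A .expected file tolerates that, but it makes the output harder to read and suggests the new custom-allocator flow reaches the same sink through two node kinds; consider whether the source or sink definition should select just one of them.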
@@ -16,3 +23,6 @@ subpaths
| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication |
| test.cpp:30:27:30:31 | ... * ... | test.cpp:30:27:30:31 | ... * ... | test.cpp:30:27:30:31 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:27:30:31 | ... * ... | multiplication |
| test.cpp:31:27:31:31 | ... * ... | test.cpp:31:27:31:31 | ... * ... | test.cpp:31:27:31:31 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:27:31:31 | ... * ... | multiplication |
| test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication |

View File

@@ -30,3 +30,18 @@ void test()
char *buffer8 = new char[x * y]; // BAD
char *buffer9 = new char[x * x]; // BAD
}
// --- custom allocators ---
void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here]
void *MyMalloc2(size_t size);
void customAllocatorTests()
{
int x = getAnInt();
int y = getAnInt();
char *buffer1 = (char *)MyMalloc1(x * y); // BAD
char *buffer2 = (char *)MyMalloc2(x * y); // BAD
}
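Review bot: the marker `// [additional detection here]` on `MyMalloc1` departs from the `// BAD` / `// GOOD` convention used on every other flagged line in this file, and nothing explains why `MyMalloc2`, which is only declared, is expected to be treated as an allocator. The .expected hunk above records the new result at `test.cpp:37:46`, reached from the `x * y` at line 45 through the `size` parameter, i.e. the `malloc(size)` call inside `MyMalloc1`, so replace the bracketed text with `// BAD` on that line. Add a comment stating what the query relies on to recognise `MyMalloc2` (a name-based heuristic or an explicit model), so that a later change to that heuristic does not silently drop the `buffer2` result.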

View File

@@ -0,0 +1,112 @@
edges
| test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | Load |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | Load |
| test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:31:9:31:11 | arr indirection [p] |
| test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:35:9:35:11 | arr indirection [p] |
| test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:50:18:50:25 | call to mk_array [p] |
| test.cpp:21:5:21:24 | Store | test.cpp:21:9:21:9 | arr indirection [post update] [p] |
| test.cpp:21:9:21:9 | arr indirection [post update] [p] | test.cpp:19:9:19:16 | VariableAddress indirection [p] |
| test.cpp:21:13:21:18 | call to malloc | test.cpp:21:5:21:24 | Store |
| test.cpp:31:9:31:11 | arr indirection [p] | test.cpp:31:13:31:13 | p |
| test.cpp:31:13:31:13 | p | test.cpp:31:13:31:13 | Load |
| test.cpp:35:9:35:11 | arr indirection [p] | test.cpp:35:13:35:13 | p |
| test.cpp:35:13:35:13 | p | test.cpp:35:13:35:13 | Load |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:41:9:41:11 | arr indirection [p] |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:45:9:45:11 | arr indirection [p] |
| test.cpp:41:9:41:11 | arr indirection [p] | test.cpp:41:13:41:13 | p |
| test.cpp:41:13:41:13 | p | test.cpp:41:13:41:13 | Load |
| test.cpp:45:9:45:11 | arr indirection [p] | test.cpp:45:13:45:13 | p |
| test.cpp:45:13:45:13 | p | test.cpp:45:13:45:13 | Load |
| test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] |
| test.cpp:55:5:55:24 | Store | test.cpp:55:9:55:9 | arr indirection [post update] [p] |
| test.cpp:55:9:55:9 | arr indirection [post update] [p] | test.cpp:59:9:59:11 | arr indirection [p] |
| test.cpp:55:9:55:9 | arr indirection [post update] [p] | test.cpp:63:9:63:11 | arr indirection [p] |
| test.cpp:55:13:55:18 | call to malloc | test.cpp:55:5:55:24 | Store |
| test.cpp:59:9:59:11 | arr indirection [p] | test.cpp:59:13:59:13 | p |
| test.cpp:59:13:59:13 | p | test.cpp:59:13:59:13 | Load |
| test.cpp:63:9:63:11 | arr indirection [p] | test.cpp:63:13:63:13 | p |
| test.cpp:63:13:63:13 | p | test.cpp:63:13:63:13 | Load |
| test.cpp:67:10:67:19 | VariableAddress indirection [p] | test.cpp:76:20:76:29 | Call indirection [p] |
| test.cpp:67:10:67:19 | VariableAddress indirection [p] | test.cpp:98:18:98:27 | call to mk_array_p indirection [p] |
| test.cpp:69:5:69:25 | Store | test.cpp:69:10:69:10 | Load indirection [post update] [p] |
| test.cpp:69:10:69:10 | Load indirection [post update] [p] | test.cpp:67:10:67:19 | VariableAddress indirection [p] |
| test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | Store |
| test.cpp:76:20:76:29 | Call indirection [p] | test.cpp:79:9:79:11 | Load indirection [p] |
| test.cpp:76:20:76:29 | Call indirection [p] | test.cpp:83:9:83:11 | Load indirection [p] |
| test.cpp:79:9:79:11 | Load indirection [p] | test.cpp:79:14:79:14 | p |
| test.cpp:79:14:79:14 | p | test.cpp:79:14:79:14 | Load |
| test.cpp:83:9:83:11 | Load indirection [p] | test.cpp:83:14:83:14 | p |
| test.cpp:83:14:83:14 | p | test.cpp:83:14:83:14 | Load |
| test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:89:9:89:11 | Load indirection [p] |
| test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:93:9:93:11 | Load indirection [p] |
| test.cpp:89:9:89:11 | Load indirection [p] | test.cpp:89:14:89:14 | p |
| test.cpp:89:14:89:14 | p | test.cpp:89:14:89:14 | Load |
| test.cpp:93:9:93:11 | Load indirection [p] | test.cpp:93:14:93:14 | p |
| test.cpp:93:14:93:14 | p | test.cpp:93:14:93:14 | Load |
| test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | test.cpp:87:28:87:30 | arr indirection [p] |
nodes
| test.cpp:4:17:4:22 | call to malloc | semmle.label | call to malloc |
| test.cpp:6:9:6:11 | Load | semmle.label | Load |
| test.cpp:10:9:10:11 | Load | semmle.label | Load |
| test.cpp:19:9:19:16 | VariableAddress indirection [p] | semmle.label | VariableAddress indirection [p] |
| test.cpp:21:5:21:24 | Store | semmle.label | Store |
| test.cpp:21:9:21:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
| test.cpp:21:13:21:18 | call to malloc | semmle.label | call to malloc |
| test.cpp:31:9:31:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:31:13:31:13 | Load | semmle.label | Load |
| test.cpp:31:13:31:13 | p | semmle.label | p |
| test.cpp:35:9:35:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:35:13:35:13 | Load | semmle.label | Load |
| test.cpp:35:13:35:13 | p | semmle.label | p |
| test.cpp:39:27:39:29 | arr [p] | semmle.label | arr [p] |
| test.cpp:41:9:41:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:41:13:41:13 | Load | semmle.label | Load |
| test.cpp:41:13:41:13 | p | semmle.label | p |
| test.cpp:45:9:45:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:45:13:45:13 | Load | semmle.label | Load |
| test.cpp:45:13:45:13 | p | semmle.label | p |
| test.cpp:50:18:50:25 | call to mk_array [p] | semmle.label | call to mk_array [p] |
| test.cpp:55:5:55:24 | Store | semmle.label | Store |
| test.cpp:55:9:55:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
| test.cpp:55:13:55:18 | call to malloc | semmle.label | call to malloc |
| test.cpp:59:9:59:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:59:13:59:13 | Load | semmle.label | Load |
| test.cpp:59:13:59:13 | p | semmle.label | p |
| test.cpp:63:9:63:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:63:13:63:13 | Load | semmle.label | Load |
| test.cpp:63:13:63:13 | p | semmle.label | p |
| test.cpp:67:10:67:19 | VariableAddress indirection [p] | semmle.label | VariableAddress indirection [p] |
| test.cpp:69:5:69:25 | Store | semmle.label | Store |
| test.cpp:69:10:69:10 | Load indirection [post update] [p] | semmle.label | Load indirection [post update] [p] |
| test.cpp:69:14:69:19 | call to malloc | semmle.label | call to malloc |
| test.cpp:76:20:76:29 | Call indirection [p] | semmle.label | Call indirection [p] |
| test.cpp:79:9:79:11 | Load indirection [p] | semmle.label | Load indirection [p] |
| test.cpp:79:14:79:14 | Load | semmle.label | Load |
| test.cpp:79:14:79:14 | p | semmle.label | p |
| test.cpp:83:9:83:11 | Load indirection [p] | semmle.label | Load indirection [p] |
| test.cpp:83:14:83:14 | Load | semmle.label | Load |
| test.cpp:83:14:83:14 | p | semmle.label | p |
| test.cpp:87:28:87:30 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:89:9:89:11 | Load indirection [p] | semmle.label | Load indirection [p] |
| test.cpp:89:14:89:14 | Load | semmle.label | Load |
| test.cpp:89:14:89:14 | p | semmle.label | p |
| test.cpp:93:9:93:11 | Load indirection [p] | semmle.label | Load indirection [p] |
| test.cpp:93:14:93:14 | Load | semmle.label | Load |
| test.cpp:93:14:93:14 | p | semmle.label | p |
| test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | semmle.label | call to mk_array_p indirection [p] |
subpaths
#select
| test.cpp:10:9:10:11 | Load | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:5:25:5:28 | Load | Load |
| test.cpp:10:9:10:11 | Load | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:9:26:9:29 | Load | Load |
| test.cpp:35:13:35:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:30:29:30:32 | Load | Load |
| test.cpp:35:13:35:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:34:30:34:33 | Load | Load |
| test.cpp:45:13:45:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:40:29:40:32 | Load | Load |
| test.cpp:45:13:45:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:44:30:44:33 | Load | Load |
| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | Store | Store |
| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | Store | Store |
| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:16:56:19 | Load | Load |
| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:58:29:58:32 | Load | Load |
| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:62:30:62:33 | Load | Load |
| test.cpp:83:14:83:14 | Load | test.cpp:69:14:69:19 | call to malloc | test.cpp:83:14:83:14 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:82:31:82:34 | Load | Load |
| test.cpp:93:14:93:14 | Load | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:88:30:88:33 | Load | Load |
| test.cpp:93:14:93:14 | Load | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | Load | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:92:31:92:34 | Load | Load |
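Review bot: the #select section reports several sinks more than once, including two byte-identical rows for the sink at `63:13` bounded by `test.cpp:56:5:56:19 | Store`, and the "bounded by" element is not always a comparison: for that same sink the rows also cite the `Store` and `Load` at line 56, which in test.cpp is the `arr.size = size` field assignment. For the sink at `35:13` two different bounds are reported (`30:29` and `34:30`), so one of them is presumably the `<` comparison of the preceding GOOD loop rather than the `<=` that actually causes the off-by-one. This yields one alert per (sink, candidate bound) pair instead of one per access; restrict the bound to the comparison guarding the loop that contains the access and deduplicate the select before this leaves experimental.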

View File

@@ -0,0 +1 @@
experimental/Likely Bugs/ArrayAccessProductFlow.ql

View File

@@ -0,0 +1,110 @@
char *malloc(int size);
void test1(int size) {
char *arr = malloc(size);
for (int i = 0; i < size; i++) {
arr[i] = 0; // GOOD
}
for (int i = 0; i <= size; i++) {
arr[i] = i; // BAD
}
}
typedef struct {
int size;
char *p;
} array_t;
array_t mk_array(int size) {
array_t arr;
arr.p = malloc(size);
arr.size = size;
return arr;
}
void test2(int size) {
array_t arr = mk_array(size);
for (int i = 0; i < arr.size; i++) {
arr.p[i] = 0; // GOOD
}
for (int i = 0; i <= arr.size; i++) {
arr.p[i] = i; // BAD
}
}
void test3_callee(array_t arr) {
for (int i = 0; i < arr.size; i++) {
arr.p[i] = 0; // GOOD
}
for (int i = 0; i <= arr.size; i++) {
arr.p[i] = i; // BAD
}
}
void test3(int size) {
test3_callee(mk_array(size));
}
void test4(int size) {
array_t arr;
arr.p = malloc(size);
arr.size = size;
for (int i = 0; i < arr.size; i++) {
arr.p[i] = 0; // GOOD
}
for (int i = 0; i <= arr.size; i++) {
arr.p[i] = i; // BAD
}
}
array_t *mk_array_p(int size) {
array_t *arr = (array_t*) malloc(sizeof(array_t));
arr->p = malloc(size);
arr->size = size;
return arr;
}
void test5(int size) {
array_t *arr = mk_array_p(size);
for (int i = 0; i < arr->size; i++) {
arr->p[i] = 0; // GOOD
}
for (int i = 0; i <= arr->size; i++) {
arr->p[i] = i; // BAD
}
}
void test6_callee(array_t *arr) {
for (int i = 0; i < arr->size; i++) {
arr->p[i] = 0; // GOOD
}
for (int i = 0; i <= arr->size; i++) {
arr->p[i] = i; // BAD
}
}
void test6(int size) {
test6_callee(mk_array_p(size));
}
void test7(int size) {
char *arr = malloc(size);
for (char *p = arr; p < arr + size; p++) {
*p = 0; // GOOD
}
for (char *p = arr; p <= arr + size; p++) {
*p = 0; // BAD [NOT DETECTED]
}
}
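Review bot: the stub `char *malloc(int size);` differs from the standard `void *malloc(size_t)` in both return and parameter type; if the allocation model keys on the prototype rather than the name these tests would stop exercising it, and the `int` parameter means a negative `size` is accepted silently, which is not the case the query is about. Prefer the standard prototype with a local `typedef unsigned long size_t;`, as the other test files in this change do. Minor: the `malloc(sizeof(array_t))` in `mk_array_p` carries no marker, so it is unclear whether a result there would be a false positive; a `// GOOD` on that line would document the intent.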

View File

@@ -0,0 +1,37 @@
edges
| test.cpp:66:32:66:32 | p | test.cpp:66:32:66:32 | Load |
| test.cpp:66:32:66:32 | p | test.cpp:67:5:67:6 | * ... |
| test.cpp:66:32:66:32 | p | test.cpp:67:6:67:6 | Load |
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
| test.cpp:77:27:77:44 | access to array | test.cpp:77:26:77:44 | & ... |
nodes
| test.cpp:35:5:35:22 | access to array | semmle.label | access to array |
| test.cpp:36:5:36:24 | access to array | semmle.label | access to array |
| test.cpp:43:9:43:19 | access to array | semmle.label | access to array |
| test.cpp:49:5:49:22 | access to array | semmle.label | access to array |
| test.cpp:50:5:50:24 | access to array | semmle.label | access to array |
| test.cpp:57:9:57:19 | access to array | semmle.label | access to array |
| test.cpp:61:9:61:19 | access to array | semmle.label | access to array |
| test.cpp:66:32:66:32 | Load | semmle.label | Load |
| test.cpp:66:32:66:32 | p | semmle.label | p |
| test.cpp:66:32:66:32 | p | semmle.label | p |
| test.cpp:67:5:67:6 | * ... | semmle.label | * ... |
| test.cpp:67:6:67:6 | Load | semmle.label | Load |
| test.cpp:72:5:72:15 | access to array | semmle.label | access to array |
| test.cpp:77:26:77:44 | & ... | semmle.label | & ... |
| test.cpp:77:27:77:44 | access to array | semmle.label | access to array |
subpaths
#select
| test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
| test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
| test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
| test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
| test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
| test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
| test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
| test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | Load | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:5:67:6 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:6:67:6 | Load | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
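Review bot: the interprocedural case produces four #select rows for one finding, all from source `77:27:77:44` with the same message and the same `67:5:67:10` write, differing only in the sink node (`Load` and `p` at `66:32`, `* ...` at `67:5`, `Load` at `67:6`); a user would see four identical alerts for `assignThroughPointer(&arr->buf[MAX_SIZE])`. Restrict the sink to a single node kind (the dereferenced write) so the alert appears once. The edges section also lists `77:26:77:44 & ... -> 66:32 p` twice and the nodes section lists `66:32:66:32 | p` twice, which suggests the parameter node is being materialised twice; worth checking before the expected file is frozen.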

View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql

View File

@@ -0,0 +1,80 @@
#define MAX_SIZE 1024
struct ZeroArray {
int size;
int buf[0];
};
struct OneArray {
int size;
int buf[1];
};
struct BigArray {
int size;
int buf[MAX_SIZE];
};
struct ArrayAndFields {
int buf[MAX_SIZE];
int field1;
int field2;
};
// tests for dynamic-size trailing arrays
void testZeroArray(ZeroArray *arr) {
arr->buf[0] = 0;
}
void testOneArray(OneArray *arr) {
arr->buf[1] = 0;
}
void testBig(BigArray *arr) {
arr->buf[MAX_SIZE-1] = 0; // GOOD
arr->buf[MAX_SIZE] = 0; // BAD
arr->buf[MAX_SIZE+1] = 0; // BAD
for(int i = 0; i < MAX_SIZE; i++) {
arr->buf[i] = 0; // GOOD
}
for(int i = 0; i <= MAX_SIZE; i++) {
arr->buf[i] = 0; // BAD
}
}
void testFields(ArrayAndFields *arr) {
arr->buf[MAX_SIZE-1] = 0; // GOOD
arr->buf[MAX_SIZE] = 0; // BAD?
arr->buf[MAX_SIZE+1] = 0; // BAD?
for(int i = 0; i < MAX_SIZE; i++) {
arr->buf[i] = 0; // GOOD
}
for(int i = 0; i <= MAX_SIZE; i++) {
arr->buf[i] = 0; // BAD?
}
for(int i = 0; i < MAX_SIZE+2; i++) {
arr->buf[i] = 0; // BAD?
}
// is this different if it's a memcpy?
}
void assignThroughPointer(int *p) {
*p = 0; // ??? should the result go at a flow source?
}
void addToPointerAndAssign(int *p) {
p[MAX_SIZE-1] = 0; // GOOD
p[MAX_SIZE] = 0; // BAD
}
void testInterproc(BigArray *arr) {
assignThroughPointer(&arr->buf[MAX_SIZE-1]); // GOOD
assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD
addToPointerAndAssign(arr->buf);
}
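Review bot: testZeroArray and testOneArray carry no GOOD/BAD marker even though the comment above them says they are the dynamic-size trailing-array cases this file is meant to cover, and several other cases are left as open questions (`// BAD?` throughout testFields, `// is this different if it's a memcpy?`, `// ??? should the result go at a flow source?`). Decide each case before merging: label the trailing-array accesses `// GOOD` if the query deliberately skips the zero- and one-element idiom, turn the `BAD?` lines into `// BAD` or `// GOOD`, and express anything still undetected with the `// BAD [NOT DETECTED]` form already used elsewhere in this change rather than a question mark. `addToPointerAndAssign(arr->buf)` in testInterproc also has no marker although its callee's `p[MAX_SIZE]` is `BAD`. Note that `int buf[0];` is a GNU extension; the C99 flexible array member spelling is `int buf[];` if the intent is to test that idiom.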

View File

@@ -0,0 +1,570 @@
edges
| test.cpp:4:15:4:20 | call to malloc | test.cpp:5:15:5:15 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | Store |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | Store |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:15:6:15 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:15:6:15 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:7:16:7:16 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:7:16:7:16 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:16:8:16 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:16:8:16 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:9:16:9:16 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:9:16:9:16 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:10:16:10:16 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:10:16:10:16 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:11:16:11:16 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:11:16:11:16 | Load |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:12:16:12:16 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:5:15:5:22 | Store | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:5:15:5:22 | Store | test.cpp:6:15:6:15 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:6:15:6:15 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:7:16:7:16 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:7:16:7:16 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:5:15:5:22 | Store | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:5:15:5:22 | Store | test.cpp:8:16:8:16 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:8:16:8:16 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:9:16:9:16 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:9:16:9:16 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:10:16:10:16 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:10:16:10:16 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:11:16:11:16 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:11:16:11:16 | Load |
| test.cpp:5:15:5:22 | Store | test.cpp:12:16:12:16 | Load |
| test.cpp:6:15:6:15 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:6:15:6:15 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:6:15:6:15 | Load | test.cpp:7:16:7:16 | Load |
| test.cpp:6:15:6:15 | Load | test.cpp:7:16:7:16 | Load |
| test.cpp:6:15:6:15 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:6:15:6:15 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:6:15:6:15 | Load | test.cpp:8:16:8:16 | Load |
| test.cpp:6:15:6:15 | Load | test.cpp:8:16:8:16 | Load |
| test.cpp:6:15:6:15 | Load | test.cpp:9:16:9:16 | Load |
| test.cpp:6:15:6:15 | Load | test.cpp:9:16:9:16 | Load |
| test.cpp:6:15:6:15 | Load | test.cpp:10:16:10:16 | Load |
| test.cpp:6:15:6:15 | Load | test.cpp:10:16:10:16 | Load |
| test.cpp:6:15:6:15 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:6:15:6:15 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:6:15:6:15 | Load | test.cpp:12:16:12:16 | Load |
| test.cpp:7:16:7:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:7:16:7:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:7:16:7:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:7:16:7:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:7:16:7:16 | Load | test.cpp:8:16:8:16 | Load |
| test.cpp:7:16:7:16 | Load | test.cpp:8:16:8:16 | Load |
| test.cpp:7:16:7:16 | Load | test.cpp:9:16:9:16 | Load |
| test.cpp:7:16:7:16 | Load | test.cpp:9:16:9:16 | Load |
| test.cpp:7:16:7:16 | Load | test.cpp:10:16:10:16 | Load |
| test.cpp:7:16:7:16 | Load | test.cpp:10:16:10:16 | Load |
| test.cpp:7:16:7:16 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:7:16:7:16 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:7:16:7:16 | Load | test.cpp:12:16:12:16 | Load |
| test.cpp:8:16:8:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:8:16:8:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:8:16:8:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:8:16:8:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:8:16:8:16 | Load | test.cpp:9:16:9:16 | Load |
| test.cpp:8:16:8:16 | Load | test.cpp:9:16:9:16 | Load |
| test.cpp:8:16:8:16 | Load | test.cpp:10:16:10:16 | Load |
| test.cpp:8:16:8:16 | Load | test.cpp:10:16:10:16 | Load |
| test.cpp:8:16:8:16 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:8:16:8:16 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:8:16:8:16 | Load | test.cpp:12:16:12:16 | Load |
| test.cpp:8:16:8:20 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:9:16:9:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:9:16:9:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:9:16:9:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:9:16:9:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:9:16:9:16 | Load | test.cpp:10:16:10:16 | Load |
| test.cpp:9:16:9:16 | Load | test.cpp:10:16:10:16 | Load |
| test.cpp:9:16:9:16 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:9:16:9:16 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:9:16:9:16 | Load | test.cpp:12:16:12:16 | Load |
| test.cpp:10:16:10:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:10:16:10:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:10:16:10:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:10:16:10:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:10:16:10:16 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:10:16:10:16 | Load | test.cpp:11:16:11:16 | Load |
| test.cpp:10:16:10:16 | Load | test.cpp:12:16:12:16 | Load |
| test.cpp:11:16:11:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:11:16:11:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:11:16:11:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:11:16:11:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:11:16:11:16 | Load | test.cpp:12:16:12:16 | Load |
| test.cpp:12:16:12:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
| test.cpp:12:16:12:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
| test.cpp:16:15:16:20 | call to malloc | test.cpp:17:15:17:15 | Load |
| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
| test.cpp:17:15:17:22 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
| test.cpp:20:16:20:20 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
| test.cpp:28:15:28:20 | call to malloc | test.cpp:29:15:29:15 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | Store |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | Store |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:15:30:15 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:15:30:15 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:31:16:31:16 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:31:16:31:16 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:16:32:16 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:16:32:16 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:33:16:33:16 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:33:16:33:16 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:34:16:34:16 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:34:16:34:16 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:35:16:35:16 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:35:16:35:16 | Load |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:36:16:36:16 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:29:15:29:28 | Store | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:29:15:29:28 | Store | test.cpp:30:15:30:15 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:30:15:30:15 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:31:16:31:16 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:31:16:31:16 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:29:15:29:28 | Store | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:29:15:29:28 | Store | test.cpp:32:16:32:16 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:32:16:32:16 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:33:16:33:16 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:33:16:33:16 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:34:16:34:16 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:34:16:34:16 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:35:16:35:16 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:35:16:35:16 | Load |
| test.cpp:29:15:29:28 | Store | test.cpp:36:16:36:16 | Load |
| test.cpp:30:15:30:15 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:30:15:30:15 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:30:15:30:15 | Load | test.cpp:31:16:31:16 | Load |
| test.cpp:30:15:30:15 | Load | test.cpp:31:16:31:16 | Load |
| test.cpp:30:15:30:15 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:30:15:30:15 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:30:15:30:15 | Load | test.cpp:32:16:32:16 | Load |
| test.cpp:30:15:30:15 | Load | test.cpp:32:16:32:16 | Load |
| test.cpp:30:15:30:15 | Load | test.cpp:33:16:33:16 | Load |
| test.cpp:30:15:30:15 | Load | test.cpp:33:16:33:16 | Load |
| test.cpp:30:15:30:15 | Load | test.cpp:34:16:34:16 | Load |
| test.cpp:30:15:30:15 | Load | test.cpp:34:16:34:16 | Load |
| test.cpp:30:15:30:15 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:30:15:30:15 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:30:15:30:15 | Load | test.cpp:36:16:36:16 | Load |
| test.cpp:31:16:31:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:31:16:31:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:31:16:31:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:31:16:31:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:31:16:31:16 | Load | test.cpp:32:16:32:16 | Load |
| test.cpp:31:16:31:16 | Load | test.cpp:32:16:32:16 | Load |
| test.cpp:31:16:31:16 | Load | test.cpp:33:16:33:16 | Load |
| test.cpp:31:16:31:16 | Load | test.cpp:33:16:33:16 | Load |
| test.cpp:31:16:31:16 | Load | test.cpp:34:16:34:16 | Load |
| test.cpp:31:16:31:16 | Load | test.cpp:34:16:34:16 | Load |
| test.cpp:31:16:31:16 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:31:16:31:16 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:31:16:31:16 | Load | test.cpp:36:16:36:16 | Load |
| test.cpp:32:16:32:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:32:16:32:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:32:16:32:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:32:16:32:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:32:16:32:16 | Load | test.cpp:33:16:33:16 | Load |
| test.cpp:32:16:32:16 | Load | test.cpp:33:16:33:16 | Load |
| test.cpp:32:16:32:16 | Load | test.cpp:34:16:34:16 | Load |
| test.cpp:32:16:32:16 | Load | test.cpp:34:16:34:16 | Load |
| test.cpp:32:16:32:16 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:32:16:32:16 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:32:16:32:16 | Load | test.cpp:36:16:36:16 | Load |
| test.cpp:32:16:32:20 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:33:16:33:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:33:16:33:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:33:16:33:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:33:16:33:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:33:16:33:16 | Load | test.cpp:34:16:34:16 | Load |
| test.cpp:33:16:33:16 | Load | test.cpp:34:16:34:16 | Load |
| test.cpp:33:16:33:16 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:33:16:33:16 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:33:16:33:16 | Load | test.cpp:36:16:36:16 | Load |
| test.cpp:34:16:34:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:34:16:34:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:34:16:34:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:34:16:34:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:34:16:34:16 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:34:16:34:16 | Load | test.cpp:35:16:35:16 | Load |
| test.cpp:34:16:34:16 | Load | test.cpp:36:16:36:16 | Load |
| test.cpp:35:16:35:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:35:16:35:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:35:16:35:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:35:16:35:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:35:16:35:16 | Load | test.cpp:36:16:36:16 | Load |
| test.cpp:36:16:36:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
| test.cpp:36:16:36:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
| test.cpp:40:15:40:20 | call to malloc | test.cpp:41:15:41:15 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:41:15:41:28 | Store |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:41:15:41:28 | Store |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:15:42:15 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:15:42:15 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:43:16:43:16 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:43:16:43:16 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:16:44:16 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:16:44:16 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:45:16:45:16 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:45:16:45:16 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:46:16:46:16 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:46:16:46:16 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:47:16:47:16 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:47:16:47:16 | Load |
| test.cpp:41:15:41:28 | ... + ... | test.cpp:48:16:48:16 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:41:15:41:28 | Store | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:41:15:41:28 | Store | test.cpp:42:15:42:15 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:42:15:42:15 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:43:16:43:16 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:43:16:43:16 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:41:15:41:28 | Store | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:41:15:41:28 | Store | test.cpp:44:16:44:16 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:44:16:44:16 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:45:16:45:16 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:45:16:45:16 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:46:16:46:16 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:46:16:46:16 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:47:16:47:16 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:47:16:47:16 | Load |
| test.cpp:41:15:41:28 | Store | test.cpp:48:16:48:16 | Load |
| test.cpp:42:15:42:15 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:42:15:42:15 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:42:15:42:15 | Load | test.cpp:43:16:43:16 | Load |
| test.cpp:42:15:42:15 | Load | test.cpp:43:16:43:16 | Load |
| test.cpp:42:15:42:15 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:42:15:42:15 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:42:15:42:15 | Load | test.cpp:44:16:44:16 | Load |
| test.cpp:42:15:42:15 | Load | test.cpp:44:16:44:16 | Load |
| test.cpp:42:15:42:15 | Load | test.cpp:45:16:45:16 | Load |
| test.cpp:42:15:42:15 | Load | test.cpp:45:16:45:16 | Load |
| test.cpp:42:15:42:15 | Load | test.cpp:46:16:46:16 | Load |
| test.cpp:42:15:42:15 | Load | test.cpp:46:16:46:16 | Load |
| test.cpp:42:15:42:15 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:42:15:42:15 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:42:15:42:15 | Load | test.cpp:48:16:48:16 | Load |
| test.cpp:43:16:43:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:43:16:43:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:43:16:43:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:43:16:43:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:43:16:43:16 | Load | test.cpp:44:16:44:16 | Load |
| test.cpp:43:16:43:16 | Load | test.cpp:44:16:44:16 | Load |
| test.cpp:43:16:43:16 | Load | test.cpp:45:16:45:16 | Load |
| test.cpp:43:16:43:16 | Load | test.cpp:45:16:45:16 | Load |
| test.cpp:43:16:43:16 | Load | test.cpp:46:16:46:16 | Load |
| test.cpp:43:16:43:16 | Load | test.cpp:46:16:46:16 | Load |
| test.cpp:43:16:43:16 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:43:16:43:16 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:43:16:43:16 | Load | test.cpp:48:16:48:16 | Load |
| test.cpp:44:16:44:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:44:16:44:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:44:16:44:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:44:16:44:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:44:16:44:16 | Load | test.cpp:45:16:45:16 | Load |
| test.cpp:44:16:44:16 | Load | test.cpp:45:16:45:16 | Load |
| test.cpp:44:16:44:16 | Load | test.cpp:46:16:46:16 | Load |
| test.cpp:44:16:44:16 | Load | test.cpp:46:16:46:16 | Load |
| test.cpp:44:16:44:16 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:44:16:44:16 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:44:16:44:16 | Load | test.cpp:48:16:48:16 | Load |
| test.cpp:44:16:44:20 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:45:16:45:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:45:16:45:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:45:16:45:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:45:16:45:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:45:16:45:16 | Load | test.cpp:46:16:46:16 | Load |
| test.cpp:45:16:45:16 | Load | test.cpp:46:16:46:16 | Load |
| test.cpp:45:16:45:16 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:45:16:45:16 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:45:16:45:16 | Load | test.cpp:48:16:48:16 | Load |
| test.cpp:46:16:46:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:46:16:46:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:46:16:46:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:46:16:46:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:46:16:46:16 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:46:16:46:16 | Load | test.cpp:47:16:47:16 | Load |
| test.cpp:46:16:46:16 | Load | test.cpp:48:16:48:16 | Load |
| test.cpp:47:16:47:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:47:16:47:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:47:16:47:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:47:16:47:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:47:16:47:16 | Load | test.cpp:48:16:48:16 | Load |
| test.cpp:48:16:48:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
| test.cpp:48:16:48:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
| test.cpp:51:7:51:14 | VariableAddress indirection | test.cpp:62:39:62:39 | Load |
| test.cpp:51:7:51:14 | VariableAddress indirection | test.cpp:66:39:66:39 | Load |
| test.cpp:51:7:51:14 | VariableAddress indirection | test.cpp:70:38:70:38 | Load |
| test.cpp:51:33:51:35 | Load indirection | test.cpp:60:34:60:37 | mk_array output argument |
| test.cpp:52:19:52:24 | call to malloc | test.cpp:51:7:51:14 | VariableAddress indirection |
| test.cpp:52:19:52:24 | call to malloc | test.cpp:53:12:53:16 | Load |
| test.cpp:53:5:53:23 | Store | test.cpp:51:33:51:35 | Load indirection |
| test.cpp:53:12:53:16 | Load | test.cpp:53:5:53:23 | Store |
| test.cpp:53:12:53:16 | Load | test.cpp:53:12:53:23 | ... + ... |
| test.cpp:53:12:53:23 | ... + ... | test.cpp:51:33:51:35 | Load indirection |
| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:62:32:62:34 | Load |
| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:66:32:66:34 | Load |
| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:70:31:70:33 | Load |
| test.cpp:62:32:62:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
| test.cpp:66:32:66:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
| test.cpp:70:31:70:33 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:91:20:91:22 | arr indirection [begin] |
| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:95:20:95:22 | arr indirection [begin] |
| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:99:20:99:22 | arr indirection [begin] |
| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:119:18:119:25 | call to mk_array [begin] |
| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:91:36:91:38 | arr indirection [end] |
| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:95:36:95:38 | arr indirection [end] |
| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:99:35:99:37 | arr indirection [end] |
| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:119:18:119:25 | call to mk_array [end] |
| test.cpp:82:5:82:28 | Store | test.cpp:82:9:82:13 | arr indirection [post update] [begin] |
| test.cpp:82:9:82:13 | arr indirection [post update] [begin] | test.cpp:80:9:80:16 | VariableAddress indirection [begin] |
| test.cpp:82:9:82:13 | arr indirection [post update] [begin] | test.cpp:83:15:83:17 | arr indirection [begin] |
| test.cpp:82:17:82:22 | call to malloc | test.cpp:82:5:82:28 | Store |
| test.cpp:83:5:83:30 | Store | test.cpp:83:9:83:11 | arr indirection [post update] [end] |
| test.cpp:83:9:83:11 | arr indirection [post update] [end] | test.cpp:80:9:80:16 | VariableAddress indirection [end] |
| test.cpp:83:15:83:17 | arr indirection [begin] | test.cpp:83:19:83:23 | begin |
| test.cpp:83:15:83:30 | ... + ... | test.cpp:83:5:83:30 | Store |
| test.cpp:83:19:83:23 | Load | test.cpp:83:5:83:30 | Store |
| test.cpp:83:19:83:23 | Load | test.cpp:83:15:83:30 | ... + ... |
| test.cpp:83:19:83:23 | begin | test.cpp:83:19:83:23 | Load |
| test.cpp:91:20:91:22 | arr indirection [begin] | test.cpp:91:24:91:28 | begin |
| test.cpp:91:20:91:22 | arr indirection [begin] | test.cpp:91:47:91:47 | Load |
| test.cpp:91:24:91:28 | begin | test.cpp:91:47:91:47 | Load |
| test.cpp:91:36:91:38 | arr indirection [end] | test.cpp:91:40:91:42 | end |
| test.cpp:91:40:91:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
| test.cpp:91:40:91:42 | end | test.cpp:91:40:91:42 | Load |
| test.cpp:95:20:95:22 | arr indirection [begin] | test.cpp:95:24:95:28 | begin |
| test.cpp:95:20:95:22 | arr indirection [begin] | test.cpp:95:47:95:47 | Load |
| test.cpp:95:24:95:28 | begin | test.cpp:95:47:95:47 | Load |
| test.cpp:95:36:95:38 | arr indirection [end] | test.cpp:95:40:95:42 | end |
| test.cpp:95:40:95:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
| test.cpp:95:40:95:42 | end | test.cpp:95:40:95:42 | Load |
| test.cpp:99:20:99:22 | arr indirection [begin] | test.cpp:99:24:99:28 | begin |
| test.cpp:99:20:99:22 | arr indirection [begin] | test.cpp:99:46:99:46 | Load |
| test.cpp:99:24:99:28 | begin | test.cpp:99:46:99:46 | Load |
| test.cpp:99:35:99:37 | arr indirection [end] | test.cpp:99:39:99:41 | end |
| test.cpp:99:39:99:41 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
| test.cpp:99:39:99:41 | end | test.cpp:99:39:99:41 | Load |
| test.cpp:104:27:104:29 | arr [begin] | test.cpp:105:20:105:22 | arr indirection [begin] |
| test.cpp:104:27:104:29 | arr [begin] | test.cpp:109:20:109:22 | arr indirection [begin] |
| test.cpp:104:27:104:29 | arr [begin] | test.cpp:113:20:113:22 | arr indirection [begin] |
| test.cpp:104:27:104:29 | arr [end] | test.cpp:105:36:105:38 | arr indirection [end] |
| test.cpp:104:27:104:29 | arr [end] | test.cpp:109:36:109:38 | arr indirection [end] |
| test.cpp:104:27:104:29 | arr [end] | test.cpp:113:35:113:37 | arr indirection [end] |
| test.cpp:105:20:105:22 | arr indirection [begin] | test.cpp:105:24:105:28 | begin |
| test.cpp:105:20:105:22 | arr indirection [begin] | test.cpp:105:47:105:47 | Load |
| test.cpp:105:24:105:28 | begin | test.cpp:105:47:105:47 | Load |
| test.cpp:105:36:105:38 | arr indirection [end] | test.cpp:105:40:105:42 | end |
| test.cpp:105:40:105:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
| test.cpp:105:40:105:42 | end | test.cpp:105:40:105:42 | Load |
| test.cpp:109:20:109:22 | arr indirection [begin] | test.cpp:109:24:109:28 | begin |
| test.cpp:109:20:109:22 | arr indirection [begin] | test.cpp:109:47:109:47 | Load |
| test.cpp:109:24:109:28 | begin | test.cpp:109:47:109:47 | Load |
| test.cpp:109:36:109:38 | arr indirection [end] | test.cpp:109:40:109:42 | end |
| test.cpp:109:40:109:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
| test.cpp:109:40:109:42 | end | test.cpp:109:40:109:42 | Load |
| test.cpp:113:20:113:22 | arr indirection [begin] | test.cpp:113:24:113:28 | begin |
| test.cpp:113:20:113:22 | arr indirection [begin] | test.cpp:113:46:113:46 | Load |
| test.cpp:113:24:113:28 | begin | test.cpp:113:46:113:46 | Load |
| test.cpp:113:35:113:37 | arr indirection [end] | test.cpp:113:39:113:41 | end |
| test.cpp:113:39:113:41 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
| test.cpp:113:39:113:41 | end | test.cpp:113:39:113:41 | Load |
| test.cpp:119:18:119:25 | call to mk_array [begin] | test.cpp:104:27:104:29 | arr [begin] |
| test.cpp:119:18:119:25 | call to mk_array [end] | test.cpp:104:27:104:29 | arr [end] |
| test.cpp:124:15:124:20 | call to malloc | test.cpp:125:5:125:17 | Store |
| test.cpp:124:15:124:20 | call to malloc | test.cpp:126:15:126:15 | Load |
| test.cpp:125:5:125:17 | Store | test.cpp:125:9:125:13 | arr indirection [post update] [begin] |
| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:129:11:129:13 | arr indirection [begin] |
| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:133:11:133:13 | arr indirection [begin] |
| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:137:11:137:13 | arr indirection [begin] |
| test.cpp:129:11:129:13 | arr indirection [begin] | test.cpp:129:15:129:19 | begin |
| test.cpp:129:15:129:19 | begin | test.cpp:129:15:129:19 | Load |
| test.cpp:133:11:133:13 | arr indirection [begin] | test.cpp:133:15:133:19 | begin |
| test.cpp:133:15:133:19 | begin | test.cpp:133:15:133:19 | Load |
| test.cpp:137:11:137:13 | arr indirection [begin] | test.cpp:137:15:137:19 | begin |
| test.cpp:137:15:137:19 | begin | test.cpp:137:15:137:19 | Load |
| test.cpp:141:10:141:19 | VariableAddress indirection [begin] | test.cpp:150:20:150:29 | Call indirection [begin] |
| test.cpp:141:10:141:19 | VariableAddress indirection [begin] | test.cpp:180:19:180:28 | call to mk_array_p indirection [begin] |
| test.cpp:141:10:141:19 | VariableAddress indirection [end] | test.cpp:150:20:150:29 | Call indirection [end] |
| test.cpp:141:10:141:19 | VariableAddress indirection [end] | test.cpp:180:19:180:28 | call to mk_array_p indirection [end] |
| test.cpp:143:5:143:29 | Store | test.cpp:143:10:143:14 | Load indirection [post update] [begin] |
| test.cpp:143:10:143:14 | Load indirection [post update] [begin] | test.cpp:141:10:141:19 | VariableAddress indirection [begin] |
| test.cpp:143:10:143:14 | Load indirection [post update] [begin] | test.cpp:144:16:144:18 | Load indirection [begin] |
| test.cpp:143:18:143:23 | call to malloc | test.cpp:143:5:143:29 | Store |
| test.cpp:144:5:144:32 | Store | test.cpp:144:10:144:12 | Load indirection [post update] [end] |
| test.cpp:144:10:144:12 | Load indirection [post update] [end] | test.cpp:141:10:141:19 | VariableAddress indirection [end] |
| test.cpp:144:16:144:18 | Load indirection [begin] | test.cpp:144:21:144:25 | begin |
| test.cpp:144:16:144:32 | ... + ... | test.cpp:144:5:144:32 | Store |
| test.cpp:144:21:144:25 | Load | test.cpp:144:5:144:32 | Store |
| test.cpp:144:21:144:25 | Load | test.cpp:144:16:144:32 | ... + ... |
| test.cpp:144:21:144:25 | begin | test.cpp:144:21:144:25 | Load |
| test.cpp:150:20:150:29 | Call indirection [begin] | test.cpp:152:20:152:22 | Load indirection [begin] |
| test.cpp:150:20:150:29 | Call indirection [begin] | test.cpp:156:20:156:22 | Load indirection [begin] |
| test.cpp:150:20:150:29 | Call indirection [begin] | test.cpp:160:20:160:22 | Load indirection [begin] |
| test.cpp:150:20:150:29 | Call indirection [end] | test.cpp:156:37:156:39 | Load indirection [end] |
| test.cpp:152:20:152:22 | Load indirection [begin] | test.cpp:152:25:152:29 | begin |
| test.cpp:152:20:152:22 | Load indirection [begin] | test.cpp:152:49:152:49 | Load |
| test.cpp:152:25:152:29 | begin | test.cpp:152:49:152:49 | Load |
| test.cpp:156:20:156:22 | Load indirection [begin] | test.cpp:156:25:156:29 | begin |
| test.cpp:156:20:156:22 | Load indirection [begin] | test.cpp:156:49:156:49 | Load |
| test.cpp:156:25:156:29 | begin | test.cpp:156:49:156:49 | Load |
| test.cpp:156:37:156:39 | Load indirection [end] | test.cpp:156:42:156:44 | end |
| test.cpp:156:42:156:44 | Load | test.cpp:157:9:157:14 | Store: ... = ... |
| test.cpp:156:42:156:44 | end | test.cpp:156:42:156:44 | Load |
| test.cpp:160:20:160:22 | Load indirection [begin] | test.cpp:160:25:160:29 | begin |
| test.cpp:160:20:160:22 | Load indirection [begin] | test.cpp:160:48:160:48 | Load |
| test.cpp:160:25:160:29 | begin | test.cpp:160:48:160:48 | Load |
| test.cpp:165:29:165:31 | arr indirection [begin] | test.cpp:166:20:166:22 | Load indirection [begin] |
| test.cpp:165:29:165:31 | arr indirection [begin] | test.cpp:170:20:170:22 | Load indirection [begin] |
| test.cpp:165:29:165:31 | arr indirection [begin] | test.cpp:174:20:174:22 | Load indirection [begin] |
| test.cpp:165:29:165:31 | arr indirection [end] | test.cpp:166:37:166:39 | Load indirection [end] |
| test.cpp:165:29:165:31 | arr indirection [end] | test.cpp:170:37:170:39 | Load indirection [end] |
| test.cpp:165:29:165:31 | arr indirection [end] | test.cpp:174:36:174:38 | Load indirection [end] |
| test.cpp:166:20:166:22 | Load indirection [begin] | test.cpp:166:25:166:29 | begin |
| test.cpp:166:20:166:22 | Load indirection [begin] | test.cpp:166:49:166:49 | Load |
| test.cpp:166:25:166:29 | begin | test.cpp:166:49:166:49 | Load |
| test.cpp:166:37:166:39 | Load indirection [end] | test.cpp:166:42:166:44 | end |
| test.cpp:166:42:166:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
| test.cpp:166:42:166:44 | end | test.cpp:166:42:166:44 | Load |
| test.cpp:170:20:170:22 | Load indirection [begin] | test.cpp:170:25:170:29 | begin |
| test.cpp:170:20:170:22 | Load indirection [begin] | test.cpp:170:49:170:49 | Load |
| test.cpp:170:25:170:29 | begin | test.cpp:170:49:170:49 | Load |
| test.cpp:170:37:170:39 | Load indirection [end] | test.cpp:170:42:170:44 | end |
| test.cpp:170:42:170:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
| test.cpp:170:42:170:44 | end | test.cpp:170:42:170:44 | Load |
| test.cpp:174:20:174:22 | Load indirection [begin] | test.cpp:174:25:174:29 | begin |
| test.cpp:174:20:174:22 | Load indirection [begin] | test.cpp:174:48:174:48 | Load |
| test.cpp:174:25:174:29 | begin | test.cpp:174:48:174:48 | Load |
| test.cpp:174:36:174:38 | Load indirection [end] | test.cpp:174:41:174:43 | end |
| test.cpp:174:41:174:43 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
| test.cpp:174:41:174:43 | end | test.cpp:174:41:174:43 | Load |
| test.cpp:180:19:180:28 | call to mk_array_p indirection [begin] | test.cpp:165:29:165:31 | arr indirection [begin] |
| test.cpp:180:19:180:28 | call to mk_array_p indirection [end] | test.cpp:165:29:165:31 | arr indirection [end] |
| test.cpp:188:15:188:20 | call to malloc | test.cpp:189:15:189:15 | Load |
| test.cpp:194:23:194:28 | call to malloc | test.cpp:195:17:195:17 | Load |
| test.cpp:194:23:194:28 | call to malloc | test.cpp:197:8:197:8 | Load |
| test.cpp:194:23:194:28 | call to malloc | test.cpp:201:5:201:5 | Load |
| test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | ... + ... |
| test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | ... + ... |
| test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | Store |
| test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | Store |
| test.cpp:195:17:195:17 | Load | test.cpp:197:20:197:22 | Load |
| test.cpp:195:17:195:17 | Load | test.cpp:201:5:201:12 | access to array |
| test.cpp:195:17:195:23 | ... + ... | test.cpp:195:17:195:23 | Store |
| test.cpp:195:17:195:23 | ... + ... | test.cpp:195:17:195:23 | Store |
| test.cpp:195:17:195:23 | ... + ... | test.cpp:197:20:197:22 | Load |
| test.cpp:195:17:195:23 | ... + ... | test.cpp:201:5:201:19 | Store: ... = ... |
| test.cpp:195:17:195:23 | ... + ... | test.cpp:201:5:201:19 | Store: ... = ... |
| test.cpp:195:17:195:23 | Store | test.cpp:197:20:197:22 | Load |
| test.cpp:195:17:195:23 | Store | test.cpp:201:5:201:19 | Store: ... = ... |
| test.cpp:195:17:195:23 | Store | test.cpp:201:5:201:19 | Store: ... = ... |
| test.cpp:197:20:197:22 | Load | test.cpp:201:5:201:19 | Store: ... = ... |
| test.cpp:201:5:201:12 | access to array | test.cpp:201:5:201:19 | Store: ... = ... |
| test.cpp:205:23:205:28 | call to malloc | test.cpp:206:17:206:17 | Load |
| test.cpp:205:23:205:28 | call to malloc | test.cpp:208:15:208:15 | Load |
| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | ... + ... |
| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | ... + ... |
| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | Store |
| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | Store |
| test.cpp:206:17:206:17 | Load | test.cpp:209:12:209:14 | Load |
| test.cpp:206:17:206:17 | Load | test.cpp:213:5:213:6 | * ... |
| test.cpp:206:17:206:17 | Load | test.cpp:213:6:213:6 | Load |
| test.cpp:206:17:206:17 | Load | test.cpp:213:6:213:6 | Load |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | Store |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | Store |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:209:12:209:14 | Load |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | Store: ... = ... |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | Store: ... = ... |
| test.cpp:206:17:206:23 | Store | test.cpp:209:12:209:14 | Load |
| test.cpp:206:17:206:23 | Store | test.cpp:213:5:213:13 | Store: ... = ... |
| test.cpp:206:17:206:23 | Store | test.cpp:213:5:213:13 | Store: ... = ... |
| test.cpp:209:12:209:14 | Load | test.cpp:213:5:213:13 | Store: ... = ... |
| test.cpp:213:5:213:6 | * ... | test.cpp:213:5:213:13 | Store: ... = ... |
| test.cpp:213:6:213:6 | Load | test.cpp:213:5:213:6 | * ... |
| test.cpp:213:6:213:6 | Load | test.cpp:213:5:213:13 | Store: ... = ... |
| test.cpp:213:6:213:6 | Load | test.cpp:213:5:213:13 | Store: ... = ... |
| test.cpp:221:17:221:22 | call to malloc | test.cpp:222:5:222:5 | Load |
#select
| test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
| test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
| test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
| test.cpp:20:14:20:21 | Load: * ... | test.cpp:16:15:16:20 | call to malloc | test.cpp:20:14:20:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:16:15:16:20 | call to malloc | call to malloc | test.cpp:17:19:17:22 | size | size |
| test.cpp:30:14:30:15 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:30:14:30:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
| test.cpp:32:14:32:21 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
| test.cpp:32:14:32:21 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
| test.cpp:42:14:42:15 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
| test.cpp:44:14:44:21 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
| test.cpp:44:14:44:21 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
| test.cpp:67:9:67:14 | Store: ... = ... | test.cpp:52:19:52:24 | call to malloc | test.cpp:67:9:67:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:52:19:52:24 | call to malloc | call to malloc | test.cpp:53:20:53:23 | size | size |
| test.cpp:96:9:96:14 | Store: ... = ... | test.cpp:82:17:82:22 | call to malloc | test.cpp:96:9:96:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:82:17:82:22 | call to malloc | call to malloc | test.cpp:83:27:83:30 | size | size |
| test.cpp:110:9:110:14 | Store: ... = ... | test.cpp:82:17:82:22 | call to malloc | test.cpp:110:9:110:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:82:17:82:22 | call to malloc | call to malloc | test.cpp:83:27:83:30 | size | size |
| test.cpp:157:9:157:14 | Store: ... = ... | test.cpp:143:18:143:23 | call to malloc | test.cpp:157:9:157:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:143:18:143:23 | call to malloc | call to malloc | test.cpp:144:29:144:32 | size | size |
| test.cpp:171:9:171:14 | Store: ... = ... | test.cpp:143:18:143:23 | call to malloc | test.cpp:171:9:171:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:143:18:143:23 | call to malloc | call to malloc | test.cpp:144:29:144:32 | size | size |
| test.cpp:201:5:201:19 | Store: ... = ... | test.cpp:194:23:194:28 | call to malloc | test.cpp:201:5:201:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:194:23:194:28 | call to malloc | call to malloc | test.cpp:195:21:195:23 | len | len |
| test.cpp:213:5:213:13 | Store: ... = ... | test.cpp:205:23:205:28 | call to malloc | test.cpp:213:5:213:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:205:23:205:28 | call to malloc | call to malloc | test.cpp:206:21:206:23 | len | len |
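Review bot: the #select rows report one dereference twice for test.cpp:8:14:8:21, test.cpp:32:14:32:21 and test.cpp:44:14:44:21, once with the message `... equal to $@ + $@ + 1.` and once with `... equal to $@ + $@.`; both alerts name the same read, so users will see duplicate findings. Consider collapsing them per sink (for example by keeping only the largest offset that can be proven), so the expected file carries one row per flagged access. The `edges` section also shows several rows that are identical in the visible columns (for example `test.cpp:195:17:195:17 | Load | test.cpp:195:17:195:23 | ... + ...` twice), which is worth a look for the same reason.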

View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql

View File

@@ -0,0 +1,224 @@
char *malloc(int size);
void test1(int size) {
char* p = malloc(size);
char* q = p + size;
char a = *q; // BAD
char b = *(q - 1); // GOOD
char c = *(q + 1); // BAD
char d = *(q + size); // BAD [NOT DETECTED]
char e = *(q - size); // GOOD
char f = *(q + size + 1); // BAD [NOT DETECTED]
char g = *(q - size - 1); // GOOD
}
void test2(int size) {
char* p = malloc(size);
char* q = p + size - 1;
char a = *q; // GOOD
char b = *(q - 1); // GOOD
char c = *(q + 1); // BAD
char d = *(q + size); // BAD [NOT DETECTED]
char e = *(q - size); // GOOD
char f = *(q + size + 1); // BAD [NOT DETECTED]
char g = *(q - size - 1); // GOOD
}
void test3(int size) {
char* p = malloc(size + 1);
char* q = p + (size + 1);
char a = *q; // BAD
char b = *(q - 1); // GOOD
char c = *(q + 1); // BAD
char d = *(q + size); // BAD [NOT DETECTED]
char e = *(q - size); // GOOD
char f = *(q + size + 1); // BAD [NOT DETECTED]
char g = *(q - size - 1); // GOOD
}
void test4(int size) {
char* p = malloc(size - 1);
char* q = p + (size - 1);
char a = *q; // BAD
char b = *(q - 1); // GOOD
char c = *(q + 1); // BAD
char d = *(q + size); // BAD [NOT DETECTED]
char e = *(q - size); // GOOD
char f = *(q + size + 1); // BAD [NOT DETECTED]
char g = *(q - size - 1); // GOOD
}
char* mk_array(int size, char** end) {
char* begin = malloc(size);
*end = begin + size;
return begin;
}
void test5(int size) {
char* end;
char* begin = mk_array(size, &end);
for (char* p = begin; p != end; ++p) {
*p = 0; // GOOD
}
for (char* p = begin; p <= end; ++p) {
*p = 0; // BAD
}
for (char* p = begin; p < end; ++p) {
*p = 0; // GOOD
}
}
struct array_t {
char* begin;
char* end;
};
array_t mk_array(int size) {
array_t arr;
arr.begin = malloc(size);
arr.end = arr.begin + size;
return arr;
}
void test6(int size) {
array_t arr = mk_array(size);
for (char* p = arr.begin; p != arr.end; ++p) {
*p = 0; // GOOD
}
for (char* p = arr.begin; p <= arr.end; ++p) {
*p = 0; // BAD
}
for (char* p = arr.begin; p < arr.end; ++p) {
*p = 0; // GOOD
}
}
void test7_callee(array_t arr) {
for (char* p = arr.begin; p != arr.end; ++p) {
*p = 0; // GOOD
}
for (char* p = arr.begin; p <= arr.end; ++p) {
*p = 0; // BAD
}
for (char* p = arr.begin; p < arr.end; ++p) {
*p = 0; // GOOD
}
}
void test7(int size) {
test7_callee(mk_array(size));
}
void test8(int size) {
array_t arr;
char* p = malloc(size);
arr.begin = p;
arr.end = p + size;
for (int i = 0; i < arr.end - arr.begin; i++) {
*(arr.begin + i) = 0; // GOOD
}
for (int i = 0; i != arr.end - arr.begin; i++) {
*(arr.begin + i) = 0; // GOOD
}
for (int i = 0; i <= arr.end - arr.begin; i++) {
*(arr.begin + i) = 0; // BAD [NOT DETECTED]
}
}
array_t *mk_array_p(int size) {
array_t *arr = (array_t*) malloc(sizeof(array_t));
arr->begin = malloc(size);
arr->end = arr->begin + size;
return arr;
}
void test9(int size) {
array_t *arr = mk_array_p(size);
for (char* p = arr->begin; p != arr->end; ++p) {
*p = 0; // GOOD
}
for (char* p = arr->begin; p <= arr->end; ++p) {
*p = 0; // BAD
}
for (char* p = arr->begin; p < arr->end; ++p) {
*p = 0; // GOOD
}
}
void test10_callee(array_t *arr) {
for (char* p = arr->begin; p != arr->end; ++p) {
*p = 0; // GOOD
}
for (char* p = arr->begin; p <= arr->end; ++p) {
*p = 0; // BAD
}
for (char* p = arr->begin; p < arr->end; ++p) {
*p = 0; // GOOD
}
}
void test10(int size) {
test10_callee(mk_array_p(size));
}
void deref_plus_one(char* q) {
char a = *(q + 1); // BAD [NOT DETECTED]
}
void test11(unsigned size) {
char *p = malloc(size);
char *q = p + size - 1;
deref_plus_one(q);
}
void test12(unsigned len, unsigned index) {
char* p = (char *)malloc(len);
char* end = p + len;
if(p + index > end) {
return;
}
p[index] = '\0'; // BAD
}
void test13(unsigned len, unsigned index) {
char* p = (char *)malloc(len);
char* end = p + len;
char* q = p + index;
if(q > end) {
return;
}
*q = '\0'; // BAD
}
bool unknown();
void test14(unsigned long n, char *p) {
while (unknown()) {
n++;
p = (char *)malloc(n);
p[n - 1] = 'a'; // GOOD
}
}
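Review bot: test12 and test13 exercise the off-by-one bound check (`p + index > end` and `q > end` where `end` is one past the allocation, so the check needs `>=`), but the annotation is only `// BAD`; a short comment stating why, in the style of the GOOD/BAD loops in test5 and test6, would make the intent clear to anyone maintaining the expected file. Likewise the `BAD [NOT DETECTED]` markers (the `*(q + size)` and `*(q + size + 1)` reads in test1 to test4, `deref_plus_one`, and the `<=` loop in test8) record known false negatives; a one-line comment at the top of the file stating that convention would make those gaps look deliberate rather than like missing expectations.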

View File

@@ -19,9 +19,9 @@ nodes
subpaths
| test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | test.cpp:47:10:47:15 | buffer | test.cpp:81:17:81:20 | call to func |
#select
| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:57:9:57:18 | theZipcode | this source. |
| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@ | test.cpp:74:24:74:30 | medical | this source. |
| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@ | test.cpp:77:16:77:22 | medical | this source. |
| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@ | test.cpp:81:22:81:28 | medical | this source. |
| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:96:37:96:46 | theZipcode | this source. |
| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:99:42:99:51 | theZipcode | this source. |
| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. |
| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. |
| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. |
| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:81:22:81:28 | medical | this source of private data. |
| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. |

View File

@@ -1,8 +1,8 @@
| test.c:34:29:34:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
| test.c:63:29:63:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
| test.c:139:29:139:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
| test.c:186:29:186:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
| test.c:282:29:282:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
| test.c:299:26:299:32 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
| test.c:328:29:328:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
| test.c:342:29:342:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
| test.c:34:29:34:35 | call to realloc | Possible loss of original pointer on unsuccessful call to 'realloc'. |
| test.c:63:29:63:35 | call to realloc | Possible loss of original pointer on unsuccessful call to 'realloc'. |
| test.c:139:29:139:35 | call to realloc | Possible loss of original pointer on unsuccessful call to 'realloc'. |
| test.c:186:29:186:35 | call to realloc | Possible loss of original pointer on unsuccessful call to 'realloc'. |
| test.c:282:29:282:35 | call to realloc | Possible loss of original pointer on unsuccessful call to 'realloc'. |
| test.c:299:26:299:32 | call to realloc | Possible loss of original pointer on unsuccessful call to 'realloc'. |
| test.c:328:29:328:35 | call to realloc | Possible loss of original pointer on unsuccessful call to 'realloc'. |
| test.c:342:29:342:35 | call to realloc | Possible loss of original pointer on unsuccessful call to 'realloc'. |

View File

@@ -0,0 +1,2 @@
| test.cpp:45:20:45:31 | call to SSL_shutdown | You need to handle the return value 'SSL_shutdown'. |
| test.cpp:61:11:61:22 | call to SSL_shutdown | You need to handle the return value 'SSL_shutdown'. |
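Review bot: the alert message `You need to handle the return value 'SSL_shutdown'.` is missing "of" and reads awkwardly; the other return-value query in this change uses `Unchecked return value for call to 'scanf'.`, so suggest the same shape here, `Unchecked return value for call to 'SSL_shutdown'.`, or at least `You need to handle the return value of 'SSL_shutdown'.`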

View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql

View File

@@ -0,0 +1,75 @@
// it's not exact, but it's enough for an example
typedef int SSL;
int SSL_shutdown(SSL *ssl);
int SSL_get_error(const SSL *ssl, int ret);
void ERR_clear_error(void);
void print_error(char *buff,int code);
int gootTest1(SSL *ssl)
{
int ret;
switch ((ret = SSL_shutdown(ssl))) {
case 1:
break;
case 0:
ERR_clear_error();
if ((ret = SSL_shutdown(ssl)) == 1) break; // GOOD
default:
print_error("error shutdown",
SSL_get_error(ssl, ret));
return -1;
}
return 0;
}
int gootTest2(SSL *ssl)
{
int ret;
switch ((ret = SSL_shutdown(ssl))) {
case 1:
break;
case 0:
ERR_clear_error();
if (-1 != (ret = SSL_shutdown(ssl))) break; // GOOD
default:
print_error("error shutdown",
SSL_get_error(ssl, ret));
return -1;
}
return 0;
}
int badTest1(SSL *ssl)
{
int ret;
switch ((ret = SSL_shutdown(ssl))) {
case 1:
break;
case 0:
SSL_shutdown(ssl); // BAD
break;
default:
print_error("error shutdown",
SSL_get_error(ssl, ret));
return -1;
}
return 0;
}
int badTest2(SSL *ssl)
{
int ret;
ret = SSL_shutdown(ssl);
switch (ret) {
case 1:
break;
case 0:
SSL_shutdown(ssl); // BAD
break;
default:
print_error("error shutdown",
SSL_get_error(ssl, ret));
return -1;
}
return 0;
}
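Review bot: `gootTest1` and `gootTest2` look like typos for `goodTest1` and `goodTest2`; the mismatch with `badTest1` and `badTest2` obscures the GOOD/BAD pairing, so rename them. One caveat worth a comment in `gootTest2`: `-1 != (ret = SSL_shutdown(ssl))` accepts a second return value of 0, whereas `gootTest1` only breaks on `== 1`, so the two GOOD cases treat different outcomes as success; that is fine for a query whose point is that the value is inspected at all, but a reader should not take the looser check as the model.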

View File

@@ -1,4 +1,4 @@
| test.c:15:6:15:16 | ... + ... | this expression needs your attention |
| test.c:17:17:17:27 | ... + ... | this expression needs your attention |
| test.c:22:10:22:15 | ... > ... | this expression needs your attention |
| test.c:26:10:26:15 | ... > ... | this expression needs your attention |
| test.c:15:6:15:16 | ... + ... | This expression needs your attention. |
| test.c:17:17:17:27 | ... + ... | This expression needs your attention. |
| test.c:22:10:22:15 | ... > ... | This expression needs your attention. |
| test.c:26:10:26:15 | ... > ... | This expression needs your attention. |

View File

@@ -1,3 +1,3 @@
| test.cpp:35:3:35:33 | call to runtime_error | Object creation of exception type on stack. Did you forget the throw keyword? |
| test.cpp:41:3:41:11 | call to funcTest1 | There is an exception in the function that requires your attention. |
| test.cpp:42:3:42:9 | call to DllMain | DllMain contains an exeption not wrapped in a try..catch block. |
| test.cpp:42:3:42:9 | call to DllMain | DllMain contains an exception not wrapped in a try..catch block. |

View File

@@ -1,8 +1,8 @@
| test.cpp:52:3:52:7 | call to scanf | Unchecked return value for call to 'scanf'. |
| test.cpp:53:3:53:7 | call to scanf | Unchecked return value for call to 'scanf'. |
| test.cpp:54:3:54:7 | call to scanf | Unchecked return value for call to 'scanf'. |
| test.cpp:105:3:105:7 | call to scanf | Unchecked return value for call to 'scanf'. |
| test.cpp:106:3:106:7 | call to scanf | Unchecked return value for call to 'scanf'. |
| test.cpp:107:3:107:7 | call to scanf | Unchecked return value for call to 'scanf'. |
| test.cpp:115:3:115:7 | call to scanf | Unchecked return value for call to 'scanf'. |
| test.cpp:120:3:120:7 | call to scanf | Unchecked return value for call to 'scanf'. |
| test.cpp:52:3:52:7 | call to scanf | Unchecked return value for call to $@. | test.cpp:1:5:1:9 | scanf | scanf |
| test.cpp:53:3:53:7 | call to scanf | Unchecked return value for call to $@. | test.cpp:1:5:1:9 | scanf | scanf |
| test.cpp:54:3:54:7 | call to scanf | Unchecked return value for call to $@. | test.cpp:1:5:1:9 | scanf | scanf |
| test.cpp:105:3:105:7 | call to scanf | Unchecked return value for call to $@. | test.cpp:1:5:1:9 | scanf | scanf |
| test.cpp:106:3:106:7 | call to scanf | Unchecked return value for call to $@. | test.cpp:1:5:1:9 | scanf | scanf |
| test.cpp:107:3:107:7 | call to scanf | Unchecked return value for call to $@. | test.cpp:1:5:1:9 | scanf | scanf |
| test.cpp:115:3:115:7 | call to scanf | Unchecked return value for call to $@. | test.cpp:1:5:1:9 | scanf | scanf |
| test.cpp:120:3:120:7 | call to scanf | Unchecked return value for call to $@. | test.cpp:1:5:1:9 | scanf | scanf |

View File

@@ -4,4 +4,4 @@
| test.cpp:24:6:24:13 | ... \| ... | Expression ranges do not match operation precedence. |
| test.cpp:28:6:28:13 | ... ^ ... | Expression ranges do not match operation precedence. |
| test.cpp:33:6:33:13 | ... \| ... | Expression ranges do not match operation precedence. |
| test.cpp:38:6:38:13 | ... \| ... | specify the priority with parentheses. |
| test.cpp:38:6:38:13 | ... \| ... | Specify the priority with parentheses. |

View File

@@ -1,9 +1,9 @@
| test.c:16:3:16:24 | ... = ... | potential unsafe or redundant assignment. |
| test.c:17:3:17:40 | ... = ... | potential unsafe or redundant assignment. |
| test.c:18:3:18:44 | ... = ... | potential unsafe or redundant assignment. |
| test.c:19:3:19:44 | ... = ... | potential unsafe or redundant assignment. |
| test.c:20:3:20:48 | ... = ... | potential unsafe or redundant assignment. |
| test.c:21:3:21:48 | ... = ... | potential unsafe or redundant assignment. |
| test.c:22:3:22:52 | ... = ... | potential unsafe or redundant assignment. |
| test.c:23:3:23:50 | ... = ... | potential unsafe or redundant assignment. |
| test.c:24:3:24:54 | ... = ... | potential unsafe or redundant assignment. |
| test.c:16:3:16:24 | ... = ... | Potential unsafe or redundant assignment. |
| test.c:17:3:17:40 | ... = ... | Potential unsafe or redundant assignment. |
| test.c:18:3:18:44 | ... = ... | Potential unsafe or redundant assignment. |
| test.c:19:3:19:44 | ... = ... | Potential unsafe or redundant assignment. |
| test.c:20:3:20:48 | ... = ... | Potential unsafe or redundant assignment. |
| test.c:21:3:21:48 | ... = ... | Potential unsafe or redundant assignment. |
| test.c:22:3:22:52 | ... = ... | Potential unsafe or redundant assignment. |
| test.c:23:3:23:50 | ... = ... | Potential unsafe or redundant assignment. |
| test.c:24:3:24:54 | ... = ... | Potential unsafe or redundant assignment. |

View File

@@ -1,5 +1,5 @@
| test.cpp:10:8:10:10 | - ... | this expression needs attention |
| test.cpp:12:3:12:6 | ... ++ | this expression needs attention |
| test.cpp:13:3:13:6 | ++ ... | this expression needs attention |
| test.cpp:14:6:14:21 | ... = ... | this expression needs attention |
| test.cpp:16:6:16:21 | ... = ... | this expression needs attention |
| test.cpp:10:8:10:10 | - ... | This expression needs attention. |
| test.cpp:12:3:12:6 | ... ++ | This expression needs attention. |
| test.cpp:13:3:13:6 | ++ ... | This expression needs attention. |
| test.cpp:14:6:14:21 | ... = ... | This expression needs attention. |
| test.cpp:16:6:16:21 | ... = ... | This expression needs attention. |

View File

@@ -1,3 +1,3 @@
| MemoryUnsafeFunctionScan.cpp:19:5:19:9 | call to scanf | Dangerous use of one of the scanf functions |
| MemoryUnsafeFunctionScan.cpp:28:5:28:10 | call to fscanf | Dangerous use of one of the scanf functions |
| MemoryUnsafeFunctionScan.cpp:36:3:36:8 | call to sscanf | Dangerous use of one of the scanf functions |
| MemoryUnsafeFunctionScan.cpp:19:5:19:9 | call to scanf | Dangerous use of one of the scanf functions. |
| MemoryUnsafeFunctionScan.cpp:28:5:28:10 | call to fscanf | Dangerous use of one of the scanf functions. |
| MemoryUnsafeFunctionScan.cpp:36:3:36:8 | call to sscanf | Dangerous use of one of the scanf functions. |

View File

@@ -1,4 +1,4 @@
// semmle-extractor-options: --clang
struct mystruct {
int f1;
int f2;
@@ -13,3 +13,6 @@ void f(void) {
int i2 = edg_offsetof(struct mystruct,f2);
}
void g(void) {
double f = __builtin_bit_cast(double,42l);
}
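Review bot: `__builtin_bit_cast(double, 42l)` only compiles when the source and destination types have the same size, so this line relies on `long` being 8 bytes; on targets where `long` is 4 bytes (Windows, 32-bit) the extractor would see an ill-formed expression and the expected output at `edg.c:17` would differ. Using a `long long` literal such as `42ll`, whose width matches `double` everywhere, keeps the test portable.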

View File

@@ -13,3 +13,6 @@
| edg.c:13:14:13:45 | (size_t)... | 0 | 0 |
| edg.c:13:14:13:45 | __INTADDR__ | 1 | 1 |
| edg.c:13:43:13:44 | f2 | 0 | 0 |
| edg.c:17:16:17:45 | __builtin_bit_cast | 1 | 1 |
| edg.c:17:16:17:45 | double | 0 | 0 |
| edg.c:17:42:17:44 | 42 | 1 | 1 |

View File

@@ -0,0 +1,88 @@
// semmle-extractor-options: --clang --clang_version 100000
struct S {
void f() {}
int o;
};
using f_type = decltype(&S::f);
using o_type = decltype(&S::o);
struct T;
bool b_is_same1 = __is_same(int, int);
bool b_is_same2 = __is_same(int, float);
bool b_is_function1 = __is_function(void(int));
bool b_is_function2 = __is_function(int);
bool b_is_array1 = __is_array(int[]);
bool b_is_array2 = __is_array(int);
unsigned long b_array_rank1 = __array_rank(int[42][42]);
unsigned long b_array_rank2 = __array_rank(int);
unsigned long b_array_extent1 = __array_extent(int[42][42], 1);
unsigned long b_array_extent2 = __array_extent(int[42][42], 2);
unsigned long b_array_extent3 = __array_extent(int, 0);
bool bok_is_arithmetic1 = __is_arithmetic(S);
bool bok_is_arithmetic2 = __is_arithmetic(int);
bool bok_is_complete_type1 = __is_complete_type(S);
bool bok_is_complete_type2 = __is_complete_type(T);
bool bok_is_compound1 = __is_compound(S);
bool bok_is_compound2 = __is_compound(int);
bool bok_is_const1 = __is_const(const int);
bool bok_is_const2 = __is_const(int);
bool bok_is_floating_point1 = __is_floating_point(int);
bool bok_is_floating_point2 = __is_floating_point(float);
bool bok_is_fundamental1 = __is_fundamental(S);
bool bok_is_fundamental2 = __is_fundamental(int);
bool bok_is_integral1 = __is_integral(float);
bool bok_is_integral2 = __is_integral(int);
bool bok_is_lvalue_reference1 = __is_lvalue_reference(int&);
bool bok_is_lvalue_reference2 = __is_lvalue_reference(int);
bool bok_is_member_function_pointer1 = __is_member_function_pointer(f_type);
bool bok_is_member_function_pointer2 = __is_member_function_pointer(o_type);
bool bok_is_member_object_pointer1 = __is_member_object_pointer(f_type);
bool bok_is_member_object_pointer2 = __is_member_object_pointer(o_type);
bool bok_is_member_pointer1 = __is_member_pointer(f_type);
bool bok_is_member_pointer2 = __is_member_pointer(o_type);
bool bok_is_member_pointer3 = __is_member_pointer(int);
bool bok_is_object1 = __is_object(int);
bool bok_is_object2 = __is_object(int&);
bool bok_is_pointer1 = __is_pointer(int);
bool bok_is_pointer2 = __is_pointer(int*);
bool bok_is_reference1 = __is_reference(int);
bool bok_is_reference2 = __is_reference(int&);
bool bok_is_rvalue_reference1 = __is_rvalue_reference(int&&);
bool bok_is_rvalue_reference2 = __is_rvalue_reference(int);
bool bok_is_scalar1 = __is_scalar(int);
bool bok_is_scalar2 = __is_scalar(int[]);
bool bok_is_signed1 = __is_signed(int);
bool bok_is_signed2 = __is_signed(unsigned int);
bool bok_is_unsigned1 = __is_unsigned(int);
bool bok_is_unsigned2 = __is_unsigned(unsigned int);
bool bok_is_void1 = __is_void(void);
bool bok_is_void2 = __is_void(int);
bool bok_is_volatile1 = __is_volatile(volatile int);
bool bok_is_volatile2 = __is_volatile(int);
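Review bot: the variable prefixes are inconsistent, `b_` for `__is_same`, `__is_function`, `__is_array`, `__array_rank` and `__array_extent` but `bok_` from `__is_arithmetic` onward; if `bok_` is meant to separate traits that were already supported from the ones this change adds, a comment saying so would help, otherwise pick one prefix so the expected file's names read uniformly.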

View File

@@ -1,3 +1,126 @@
| clang.cpp:8:25:8:29 | f | | <none> |
| clang.cpp:9:25:9:29 | o | | <none> |
| clang.cpp:13:19:13:37 | __is_same | int,int | 1 |
| clang.cpp:13:19:13:37 | int | | <none> |
| clang.cpp:13:19:13:37 | int | | <none> |
| clang.cpp:14:19:14:39 | __is_same | int,float | 0 |
| clang.cpp:14:19:14:39 | float | | <none> |
| clang.cpp:14:19:14:39 | int | | <none> |
| clang.cpp:16:23:16:46 | ..()(..) | | <none> |
| clang.cpp:16:23:16:46 | __is_function | ..()(..) | 1 |
| clang.cpp:17:23:17:40 | __is_function | int | 0 |
| clang.cpp:17:23:17:40 | int | | <none> |
| clang.cpp:19:20:19:36 | __is_array | int[] | 1 |
| clang.cpp:19:20:19:36 | int[] | | <none> |
| clang.cpp:20:20:20:34 | __is_array | int | 0 |
| clang.cpp:20:20:20:34 | int | | <none> |
| clang.cpp:22:31:22:55 | __array_rank | int[42][42] | 2 |
| clang.cpp:22:31:22:55 | int[42][42] | | <none> |
| clang.cpp:22:48:22:49 | 42 | | 42 |
| clang.cpp:22:48:22:49 | (unsigned long)... | | 42 |
| clang.cpp:22:52:22:53 | 42 | | 42 |
| clang.cpp:22:52:22:53 | (unsigned long)... | | 42 |
| clang.cpp:23:31:23:47 | __array_rank | int | 0 |
| clang.cpp:23:31:23:47 | int | | <none> |
| clang.cpp:25:33:25:62 | __array_extent | int[42][42],1 | 42 |
| clang.cpp:25:33:25:62 | int[42][42] | | <none> |
| clang.cpp:25:52:25:53 | 42 | | 42 |
| clang.cpp:25:52:25:53 | (unsigned long)... | | 42 |
| clang.cpp:25:56:25:57 | 42 | | 42 |
| clang.cpp:25:56:25:57 | (unsigned long)... | | 42 |
| clang.cpp:25:61:25:61 | 1 | | 1 |
| clang.cpp:26:33:26:62 | __array_extent | int[42][42],2 | 0 |
| clang.cpp:26:33:26:62 | int[42][42] | | <none> |
| clang.cpp:26:52:26:53 | 42 | | 42 |
| clang.cpp:26:52:26:53 | (unsigned long)... | | 42 |
| clang.cpp:26:56:26:57 | 42 | | 42 |
| clang.cpp:26:56:26:57 | (unsigned long)... | | 42 |
| clang.cpp:26:61:26:61 | 2 | | 2 |
| clang.cpp:27:33:27:54 | __array_extent | int,0 | 0 |
| clang.cpp:27:33:27:54 | int | | <none> |
| clang.cpp:27:53:27:53 | 0 | | 0 |
| clang.cpp:29:27:29:44 | S | | <none> |
| clang.cpp:29:27:29:44 | __is_arithmetic | S | 0 |
| clang.cpp:30:27:30:46 | __is_arithmetic | int | 1 |
| clang.cpp:30:27:30:46 | int | | <none> |
| clang.cpp:32:30:32:50 | S | | <none> |
| clang.cpp:32:30:32:50 | __is_complete_type | S | 1 |
| clang.cpp:33:30:33:50 | T | | <none> |
| clang.cpp:33:30:33:50 | __is_complete_type | T | 0 |
| clang.cpp:35:25:35:40 | S | | <none> |
| clang.cpp:35:25:35:40 | __is_compound | S | 1 |
| clang.cpp:36:25:36:42 | __is_compound | int | 0 |
| clang.cpp:36:25:36:42 | int | | <none> |
| clang.cpp:38:22:38:42 | __is_const | const int | 1 |
| clang.cpp:38:22:38:42 | const int | | <none> |
| clang.cpp:39:22:39:36 | __is_const | int | 0 |
| clang.cpp:39:22:39:36 | int | | <none> |
| clang.cpp:41:31:41:54 | __is_floating_point | int | 0 |
| clang.cpp:41:31:41:54 | int | | <none> |
| clang.cpp:42:31:42:56 | __is_floating_point | float | 1 |
| clang.cpp:42:31:42:56 | float | | <none> |
| clang.cpp:44:28:44:46 | S | | <none> |
| clang.cpp:44:28:44:46 | __is_fundamental | S | 0 |
| clang.cpp:45:28:45:48 | __is_fundamental | int | 1 |
| clang.cpp:45:28:45:48 | int | | <none> |
| clang.cpp:47:25:47:44 | __is_integral | float | 0 |
| clang.cpp:47:25:47:44 | float | | <none> |
| clang.cpp:48:25:48:42 | __is_integral | int | 1 |
| clang.cpp:48:25:48:42 | int | | <none> |
| clang.cpp:50:33:50:59 | __is_lvalue_reference | int & | 1 |
| clang.cpp:50:33:50:59 | int & | | <none> |
| clang.cpp:51:33:51:58 | __is_lvalue_reference | int | 0 |
| clang.cpp:51:33:51:58 | int | | <none> |
| clang.cpp:53:40:53:75 | __is_member_function_pointer | f_type | 1 |
| clang.cpp:53:40:53:75 | f_type | | <none> |
| clang.cpp:54:40:54:75 | __is_member_function_pointer | o_type | 0 |
| clang.cpp:54:40:54:75 | o_type | | <none> |
| clang.cpp:56:38:56:71 | __is_member_object_pointer | f_type | 0 |
| clang.cpp:56:38:56:71 | f_type | | <none> |
| clang.cpp:57:38:57:71 | __is_member_object_pointer | o_type | 1 |
| clang.cpp:57:38:57:71 | o_type | | <none> |
| clang.cpp:59:31:59:57 | __is_member_pointer | f_type | 1 |
| clang.cpp:59:31:59:57 | f_type | | <none> |
| clang.cpp:60:31:60:57 | __is_member_pointer | o_type | 1 |
| clang.cpp:60:31:60:57 | o_type | | <none> |
| clang.cpp:61:31:61:54 | __is_member_pointer | int | 0 |
| clang.cpp:61:31:61:54 | int | | <none> |
| clang.cpp:63:23:63:38 | __is_object | int | 1 |
| clang.cpp:63:23:63:38 | int | | <none> |
| clang.cpp:64:23:64:39 | __is_object | int & | 0 |
| clang.cpp:64:23:64:39 | int & | | <none> |
| clang.cpp:66:24:66:40 | __is_pointer | int | 0 |
| clang.cpp:66:24:66:40 | int | | <none> |
| clang.cpp:67:24:67:41 | __is_pointer | int * | 1 |
| clang.cpp:67:24:67:41 | int * | | <none> |
| clang.cpp:69:26:69:44 | __is_reference | int | 0 |
| clang.cpp:69:26:69:44 | int | | <none> |
| clang.cpp:70:26:70:45 | __is_reference | int & | 1 |
| clang.cpp:70:26:70:45 | int & | | <none> |
| clang.cpp:72:33:72:60 | __is_rvalue_reference | int && | 1 |
| clang.cpp:72:33:72:60 | int && | | <none> |
| clang.cpp:73:33:73:58 | __is_rvalue_reference | int | 0 |
| clang.cpp:73:33:73:58 | int | | <none> |
| clang.cpp:75:23:75:38 | __is_scalar | int | 1 |
| clang.cpp:75:23:75:38 | int | | <none> |
| clang.cpp:76:23:76:40 | __is_scalar | int[] | 0 |
| clang.cpp:76:23:76:40 | int[] | | <none> |
| clang.cpp:78:23:78:38 | __is_signed | int | 1 |
| clang.cpp:78:23:78:38 | int | | <none> |
| clang.cpp:79:23:79:47 | __is_signed | unsigned int | 0 |
| clang.cpp:79:23:79:47 | unsigned int | | <none> |
| clang.cpp:81:25:81:42 | __is_unsigned | int | 0 |
| clang.cpp:81:25:81:42 | int | | <none> |
| clang.cpp:82:25:82:51 | __is_unsigned | unsigned int | 1 |
| clang.cpp:82:25:82:51 | unsigned int | | <none> |
| clang.cpp:84:21:84:35 | __is_void | void | 1 |
| clang.cpp:84:21:84:35 | void | | <none> |
| clang.cpp:85:21:85:34 | __is_void | int | 0 |
| clang.cpp:85:21:85:34 | int | | <none> |
| clang.cpp:87:25:87:51 | __is_volatile | volatile int | 1 |
| clang.cpp:87:25:87:51 | volatile int | | <none> |
| clang.cpp:88:25:88:42 | __is_volatile | int | 0 |
| clang.cpp:88:25:88:42 | int | | <none> |
| file://:0:0:0:0 | 0 | | 0 |
| file://:0:0:0:0 | 1 | | 1 |
| file://:0:0:0:0 | 2 | | 2 |
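Review bot: the three rows with location `file://:0:0:0:0` (the `0`, `1` and `2` literals at the end of this hunk) cannot be tied to a source line, so a reader of this .expected file cannot tell which `__array_rank` or `__array_extent` result each of them belongs to. If these are literals the extractor synthesizes for the trait results, say so in a comment in the test (or exclude unlocated elements from the select); if not, the missing location is an extractor defect worth tracking separately rather than baking into the expected output.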
@@ -296,3 +419,32 @@
| ms.cpp:255:24:255:43 | a_struct | | <none> |
| ms.cpp:256:24:256:49 | __is_final | a_final_struct | 1 |
| ms.cpp:256:24:256:49 | a_final_struct | | <none> |
| ms.cpp:258:29:258:62 | __is_assignable | a_struct,a_struct | 1 |
| ms.cpp:258:29:258:62 | a_struct | | <none> |
| ms.cpp:258:29:258:62 | a_struct | | <none> |
| ms.cpp:259:29:259:59 | __is_assignable | a_struct,empty | 0 |
| ms.cpp:259:29:259:59 | a_struct | | <none> |
| ms.cpp:259:29:259:59 | empty | | <none> |
| ms.cpp:260:29:260:57 | __is_assignable | a_struct,int | 0 |
| ms.cpp:260:29:260:57 | a_struct | | <none> |
| ms.cpp:260:29:260:57 | int | | <none> |
| ms.cpp:262:28:262:51 | __is_aggregate | a_struct | 1 |
| ms.cpp:262:28:262:51 | a_struct | | <none> |
| ms.cpp:263:28:263:46 | __is_aggregate | int | 0 |
| ms.cpp:263:28:263:46 | int | | <none> |
| ms.cpp:265:49:265:88 | __has_unique_object_representations | int | 1 |
| ms.cpp:265:49:265:88 | int | | <none> |
| ms.cpp:266:49:266:90 | __has_unique_object_representations | float | 0 |
| ms.cpp:266:49:266:90 | float | | <none> |
| ms.cpp:268:36:268:68 | __is_layout_compatible | int,long | 0 |
| ms.cpp:268:36:268:68 | int | | <none> |
| ms.cpp:268:36:268:68 | long | | <none> |
| ms.cpp:269:36:269:75 | __is_layout_compatible | int *,int *const | 1 |
| ms.cpp:269:36:269:75 | int * | | <none> |
| ms.cpp:269:36:269:75 | int *const | | <none> |
| ms.cpp:271:51:271:101 | __is_pointer_interconvertible_base_of | empty,empty | 1 |
| ms.cpp:271:51:271:101 | empty | | <none> |
| ms.cpp:271:51:271:101 | empty | | <none> |
| ms.cpp:272:51:272:104 | __is_pointer_interconvertible_base_of | empty,abstract | 0 |
| ms.cpp:272:51:272:104 | abstract | | <none> |
| ms.cpp:272:51:272:104 | empty | | <none> |
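Review bot: the two `a_struct` rows for `ms.cpp:258:29:258:62` and the two `empty` rows for `ms.cpp:271:51:271:101` are visually identical. QL results are sets, so two identical rows mean two distinct operand-type entities that happen to print the same (the two operands of `__is_assignable(a_struct,a_struct)` and `__is_pointer_interconvertible_base_of(empty, empty)`); the select distinguishes them but the expected output does not. Adding the operand index as a column would make each row self-explanatory.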


@@ -1,4 +1,4 @@
// semmle-extractor-options: --microsoft --microsoft_version 1600
class empty {
};
@@ -254,5 +254,20 @@ void f(void) {
bool b_is_final1 = __is_final(a_struct);
bool b_is_final2 = __is_final(a_final_struct);
}
bool b_is_assignable1 = __is_assignable(a_struct,a_struct);
bool b_is_assignable2 = __is_assignable(a_struct,empty);
bool b_is_assignable3 = __is_assignable(a_struct,int);
bool b_is_aggregate1 = __is_aggregate(a_struct);
bool b_is_aggregate2 = __is_aggregate(int);
bool b_has_unique_object_representations1 = __has_unique_object_representations(int);
bool b_has_unique_object_representations2 = __has_unique_object_representations(float);
bool b_is_layout_compatible1 = __is_layout_compatible(int, long);
bool b_is_layout_compatible2 = __is_layout_compatible(int*, int* const);
bool b_is_pointer_interconvertible_base_of1 = __is_pointer_interconvertible_base_of(empty, empty);
bool b_is_pointer_interconvertible_base_of2 = __is_pointer_interconvertible_base_of(empty, abstract);
}


@@ -1 +0,0 @@
semmle-extractor-options: --microsoft --microsoft_version 1600


@@ -1,3 +1,4 @@
| strlen.cpp:7:49:7:49 | 1 |
| strlen.cpp:11:39:11:48 | array to pointer conversion |
| strlen.cpp:11:39:11:48 | file.ext |
| strlen.cpp:12:35:12:40 | call to strlen |
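Review bot: the new `array to pointer conversion` row at `strlen.cpp:11:39:11:48` sits at the same location as the existing `file.ext` row, so the query now returns two results for one source expression: the string literal and its implicit conversion. If the test means to count one result per expression, normalise with `getUnconverted()` (or `getFullyConverted()`, if the conversion is the node of interest) instead of reporting both; if reporting both is the point, a one-line comment in the query saying so would spare the next reader the question.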


@@ -0,0 +1,49 @@
int *global_ptr;
const char *global_string = "hello, world";
void test1(int *ptr, int &ref)
{
const char *str;
int v, *p;
char c;
v = *ptr; // `ptr` dereferenced
v = ptr[0]; // `ptr` dereferenced
p = ptr;
*ptr = 0; // `ptr` dereferenced
ptr[0] = 0; // `ptr` dereferenced
ptr = 0;
(*ptr)++; // `ptr`, `*ptr` dereferenced
*(ptr++); // `ptr++` dereferenced
ptr++;
v = ref; // (`ref` implicitly dereferenced, not detected)
p = &ref;
ref = 0; // (`ref` implicitly dereferenced, not detected)
ref++; // (`ref` implicitly dereferenced, not detected)
*global_ptr; // `global_ptr` dereferenced
str = global_string;
c = global_string[5]; // `global_string` dereferenced
}
struct myStruct
{
int x;
void f() {};
void (*g)();
};
void test1(myStruct *ms)
{
void (*h)();
ms;
ms->x; // `ms` dereferenced
ms->f(); // `ms` dereferenced
ms->g(); // `ms` dereferenced
h = ms->g; // `ms` dereferenced
}
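Review bot: the second function is also named `test1` (an overload on `myStruct *` of the earlier `test1(int *, int &)`), and the expected output identifies results by line number only, so nothing in the test ties a row to a function by name. Renaming it `test2` costs nothing and keeps the `dereferenced.expected` rows attributable. Minor: `void f() {};` carries a stray semicolon after the member function body.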


@@ -0,0 +1,13 @@
| dereferenced.cpp:11:6:11:9 | * ... | dereferenced.cpp:11:7:11:9 | ptr |
| dereferenced.cpp:12:6:12:11 | access to array | dereferenced.cpp:12:6:12:8 | ptr |
| dereferenced.cpp:15:2:15:5 | * ... | dereferenced.cpp:15:3:15:5 | ptr |
| dereferenced.cpp:16:2:16:7 | access to array | dereferenced.cpp:16:2:16:4 | ptr |
| dereferenced.cpp:19:3:19:6 | * ... | dereferenced.cpp:19:4:19:6 | ptr |
| dereferenced.cpp:19:4:19:6 | ptr | dereferenced.cpp:19:3:19:6 | * ... |
| dereferenced.cpp:20:2:20:9 | * ... | dereferenced.cpp:20:4:20:8 | ... ++ |
| dereferenced.cpp:28:2:28:12 | * ... | dereferenced.cpp:28:3:28:12 | global_ptr |
| dereferenced.cpp:30:6:30:21 | access to array | dereferenced.cpp:30:6:30:18 | global_string |
| dereferenced.cpp:45:6:45:6 | x | dereferenced.cpp:45:2:45:3 | ms |
| dereferenced.cpp:46:6:46:6 | call to f | dereferenced.cpp:46:2:46:3 | ms |
| dereferenced.cpp:47:6:47:6 | g | dereferenced.cpp:47:2:47:3 | ms |
| dereferenced.cpp:48:10:48:10 | g | dereferenced.cpp:48:6:48:7 | ms |
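Review bot: the row `dereferenced.cpp:19:4:19:6 | ptr | dereferenced.cpp:19:3:19:6 | * ...` reports the variable access `ptr` as the operation that dereferences `*ptr`. Source line 19 is `(*ptr)++`, and the test comment says both `ptr` and `*ptr` are dereferenced (by the `*` and by the `++` respectively), so a second result is expected, but its operation should be the increment expression (which would print as `... ++`, as the `*(ptr++)` row for line 20 does), not the increment's operand. Worth checking whether `dereferencedByOperation` selects the wrong expression for crements on a parenthesised operand, or whether this row is deliberately recording a known quirk.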


@@ -0,0 +1,6 @@
import cpp
import semmle.code.cpp.controlflow.Dereferenced
from Expr op, Expr e
where dereferencedByOperation(op, e) // => dereferenced(e)
select op, e


@@ -0,0 +1,20 @@
| test.cpp:9:9:9:9 | v | test.cpp:5:13:5:13 | v | is not null | is valid |
| test.cpp:10:9:10:10 | ! ... | test.cpp:5:13:5:13 | v | is null | is not valid |
| test.cpp:11:9:11:14 | ... == ... | test.cpp:5:13:5:13 | v | is null | is not valid |
| test.cpp:12:9:12:17 | ... == ... | test.cpp:5:13:5:13 | v | is not null | is valid |
| test.cpp:13:9:13:14 | ... != ... | test.cpp:5:13:5:13 | v | is not null | is valid |
| test.cpp:14:9:14:17 | ... != ... | test.cpp:5:13:5:13 | v | is null | is not valid |
| test.cpp:15:8:15:23 | call to __builtin_expect | test.cpp:5:13:5:13 | v | is not null | is valid |
| test.cpp:16:8:16:23 | call to __builtin_expect | test.cpp:5:13:5:13 | v | is null | is not valid |
| test.cpp:17:9:17:17 | ... && ... | test.cpp:5:13:5:13 | v | is not null | is valid |
| test.cpp:18:9:18:17 | ... && ... | test.cpp:5:13:5:13 | v | is not null | is valid |
| test.cpp:19:9:19:18 | ... && ... | test.cpp:5:13:5:13 | v | is null | is not valid |
| test.cpp:20:9:20:18 | ... && ... | test.cpp:5:13:5:13 | v | is null | is not valid |
| test.cpp:21:9:21:14 | ... = ... | test.cpp:5:13:5:13 | v | is null | is not valid |
| test.cpp:21:9:21:14 | ... = ... | test.cpp:7:10:7:10 | b | is not null | is valid |
| test.cpp:22:9:22:14 | ... = ... | test.cpp:5:13:5:13 | v | is not null | is not valid |
| test.cpp:22:9:22:14 | ... = ... | test.cpp:7:13:7:13 | c | is not null | is not valid |
| test.cpp:22:17:22:17 | c | test.cpp:7:13:7:13 | c | is not null | is valid |
| test.cpp:23:21:23:21 | x | test.cpp:23:14:23:14 | x | is not null | is valid |
| test.cpp:24:9:24:18 | (condition decl) | test.cpp:5:13:5:13 | v | is not null | is not valid |
| test.cpp:24:9:24:18 | (condition decl) | test.cpp:24:14:24:14 | y | is not null | is valid |


@@ -0,0 +1,8 @@
import cpp
from AnalysedExpr a, LocalScopeVariable v, string isNullCheck, string isValidCheck
where
v.getAnAccess().getEnclosingStmt() = a.getParent() and
(if a.isNullCheck(v) then isNullCheck = "is null" else isNullCheck = "is not null") and
(if a.isValidCheck(v) then isValidCheck = "is valid" else isValidCheck = "is not valid")
select a, v, isNullCheck, isValidCheck
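Review bot: the join `v.getAnAccess().getEnclosingStmt() = a.getParent()` picks up every local variable accessed in the same statement, which is why the `... = ...` rows for lines 21 and 22 carry results for `b` and `c` as well as for `v`, and why the two assignments are classified differently: `b = !v` is the `if` condition and is reported as a null check on `v`, whereas `c = !v` on line 22 is the init-statement of `if (c = !v; c)` and is reported as neither a null nor a valid check on `v`, with the condition `c` itself carrying the valid check. That distinction is the interesting part of the test and is stated nowhere; a short comment in the query, or next to the two `if`s in test.cpp, would document it.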


@@ -0,0 +1,25 @@
// semmle-extractor-options: -std=c++17
long __builtin_expect(long);
void f(int *v) {
int *w;
bool b, c;
if (v) {}
if (!v) {}
if (v == 0) {}
if ((!v) == 0) {}
if (v != 0) {}
if ((!v) != 0) {}
if(__builtin_expect((long)v)) {}
if(__builtin_expect((long)!v)) {}
if (true && v) {}
if (v && true) {}
if (true && !v) {}
if (!v && true) {}
if (b = !v) {}
if (c = !v; c) {}
if (int *x = v; x) {}
if (int *y = v) {}
}
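Review bot: `long __builtin_expect(long);` declares a one-argument function, while the real GCC/Clang builtin is `long __builtin_expect(long exp, long c)`. If the nullness analysis recognises the call by name and inspects argument 0, this declaration still exercises that path, but declaring the two-argument signature and calling `__builtin_expect((long)v, 1)` would keep the test representative of the code the library is meant to handle and would catch a future change that keys on argument count.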


@@ -0,0 +1,2 @@
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:9,8-47)
WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:20,49-74)
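Review bot: pinning deprecation warnings with line and column spans (`tainted.ql:9,8-47`, `tainted.ql:20,49-74`) in the expected output makes the test fail on any edit to `tainted.ql` that shifts those positions, even when the results are unchanged. The same applies to the other WARNING hunks in this commit (the `taintedIncludingGlobalVars` and `tainted_diff.ql` ones further down). Prefer migrating these test queries off the deprecated `TaintedWithPath` module and `tainted` predicate; failing that, flag these expected files as ones that need regenerating after otherwise unrelated edits.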


@@ -4,7 +4,7 @@
*/
import cpp
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
import semmle.code.cpp.security.TaintTrackingImpl as AstTaintTracking
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
import TaintedWithPath::Private
@@ -17,7 +17,7 @@ predicate isSinkArgument(Element sink) {
)
}
predicate astTaint(Expr source, Element sink) { ASTTaintTracking::tainted(source, sink) }
predicate astTaint(Expr source, Element sink) { AstTaintTracking::tainted(source, sink) }
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
override predicate isSink(Element e) { isSinkArgument(e) }
@@ -44,8 +44,8 @@ class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
override string getARelevantTag() { result = ["ir-path", "ir-sink"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Element source, Element elem, TaintedWithPath::PathNode node, int n |
irTaint(source, node, tag) and
exists(Element elem, TaintedWithPath::PathNode node, int n |
irTaint(_, node, tag) and
elem = getElementFromPathNode(node) and
n = count(int startline | getAPredecessor(node).hasLocationInfo(_, startline, _, _, _)) and
location = elem.getLocation() and
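Review bot: replacing the bound `source` with `_` in `irTaint(_, node, tag)` is the right fix, since nothing in the body of the `exists` used it and an unused existential variable only widens the join; the same cleanup is applied in global.ql further down. The `n = count(int startline | ...)` binding in the same `exists` is computed for every node, so it should be consumed by the `value` computation below the hunk; if it is not, it is the same kind of dead binding and should go too. The `ASTTaintTracking` to `AstTaintTracking` rename is a pure style change and matches QL naming conventions for acronyms.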


@@ -1,18 +1,6 @@
#include "../shared.h"
int main() {
sink(_strdup(getenv("VAR"))); // $ ir MISSING: ast
sink(strdup(getenv("VAR"))); // $ ast,ir
sink(unmodeled_function(getenv("VAR"))); // clean by assumption
@@ -59,9 +47,6 @@ void test_outparams() {
sink(p2); // $ ir MISSING: ast
}
struct XY {
int x;
int y;
@@ -230,24 +215,17 @@ void test_recv() {
// --- send and related functions ---
int send(int, const void*, int, int);
void test_send(char* buffer, int length) {
send(0, buffer, length, 0); // $ remote
}
struct iovec {
void *iov_base;
unsigned iov_len;
};
int readv(int, const struct iovec*, int);
int writev(int, const struct iovec*, int);
void sink(const iovec* iovs);
void sink(iovec);
int test_readv_and_writev(iovec* iovs) {
void test_readv_and_writev(iovec* iovs) {
readv(0, iovs, 16);
sink(iovs); // $ast,ir
sink(iovs[0]); // $ast,ir
@@ -256,6 +234,4 @@ int test_readv_and_writev(iovec* iovs) {
char* p = (char*)iovs[1].iov_base;
sink(p); // $ MISSING: ast,ir
sink(*p); // $ MISSING: ast,ir
writev(0, iovs, 16); // $ remote
}
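Review bot: if, as the hunk's line counts (24 to 17) and the deletion of `RemoteFlowSinkTest` in the next file suggest, `test_send` with its `send(0, buffer, length, 0); // $ remote` expectation and the `writev(0, iovs, 16); // $ remote` line are being removed here, then coverage of `RemoteFlowSink` for `send` and `writev` disappears from this directory; confirm it is exercised by another test rather than lost. Changing `int test_readv_and_writev` to `void` is correct, since the function never returned a value.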


@@ -1,20 +0,0 @@
/** This tests that we are able to detect remote flow sinks. */
import cpp
import TestUtilities.InlineExpectationsTest
import semmle.code.cpp.security.FlowSources
class RemoteFlowSinkTest extends InlineExpectationsTest {
RemoteFlowSinkTest() { this = "RemoteFlowSinkTest" }
override string getARelevantTag() { result = "remote" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "remote" and
value = "" and
exists(RemoteFlowSink node |
location = node.getLocation() and
element = node.toString()
)
}
}
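Review bot: deleting this test also deletes the only `getARelevantTag()` that returns `"remote"`. The inline-expectations framework ignores `// $ tag` comments whose tag no relevant test claims, so any `// $ remote` annotation left behind in a shared test file will neither pass nor fail; it simply stops being checked. Grep the test directory for `$ remote` as part of this change so stale expectations are removed rather than silently orphaned.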


@@ -0,0 +1,2 @@
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:10,8-47)
WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:21,3-28)


@@ -5,7 +5,7 @@
*/
import cpp
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
import semmle.code.cpp.security.TaintTrackingImpl as AstTaintTracking
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
import TestUtilities.InlineExpectationsTest
@@ -18,7 +18,7 @@ predicate argToSinkCall(Element sink) {
}
predicate astTaint(Expr source, Element sink) {
ASTTaintTracking::tainted(source, sink) and argToSinkCall(sink)
AstTaintTracking::tainted(source, sink) and argToSinkCall(sink)
}
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {


@@ -0,0 +1,2 @@
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (global.ql:8,3-47)
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (global.ql:12,3-53)


@@ -1,11 +1,11 @@
import cpp
import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
import semmle.code.cpp.security.TaintTrackingImpl as AstTaintTracking
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
import TestUtilities.InlineExpectationsTest
predicate astTaint(Expr source, Element sink, string globalVar) {
ASTTaintTracking::taintedIncludingGlobalVars(source, sink, globalVar) and globalVar != ""
AstTaintTracking::taintedIncludingGlobalVars(source, sink, globalVar) and globalVar != ""
}
predicate irTaint(Expr source, Element sink, string globalVar) {
@@ -18,9 +18,9 @@ class IRGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
override string getARelevantTag() { result = "ir" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Expr source, Element tainted |
exists(Element tainted |
tag = "ir" and
irTaint(source, tainted, value) and
irTaint(_, tainted, value) and
location = tainted.getLocation() and
element = tainted.toString()
)
@@ -33,9 +33,9 @@ class AstGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
override string getARelevantTag() { result = "ast" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Expr source, Element tainted |
exists(Element tainted |
tag = "ast" and
astTaint(source, tainted, value) and
astTaint(_, tainted, value) and
location = tainted.getLocation() and
element = tainted.toString()
)


@@ -6,6 +6,8 @@ uniqueNodeToString
missingToString
parameterCallable
localFlowIsLocal
readStepIsLocal
storeStepIsLocal
compatibleTypesReflexive
unreachableNodeCCtx
localCallNodes
@@ -87,3 +89,16 @@ postWithInFlow
| test.cpp:465:3:465:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:465:4:465:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:470:22:470:22 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:499:3:499:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:499:4:499:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:505:35:505:35 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:511:5:511:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:511:6:511:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:516:5:516:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:516:6:516:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:522:25:522:25 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:526:25:526:25 | y [inner post update] | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition
uniqueContentApprox
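Review bot: the new `postWithInFlow` rows for `test.cpp:499` through `test.cpp:526` correspond to the `*p = source()` stores and the `&x`/`&y` arguments of the out-parameter and `sink_then_source` tests added in this commit, and are recorded here as accepted consistency failures ("PostUpdateNode should not be the target of local flow."). The new empty `readStepIsLocal` and `storeStepIsLocal` sections show the added checks pass. State in the description whether these rows are a baseline to be burned down or an artefact of how IR post-update nodes for indirect writes are modelled, so the next person adding a similar test knows whether to expect and accept more of them.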


@@ -21,6 +21,8 @@ uniqueNodeToString
missingToString
parameterCallable
localFlowIsLocal
readStepIsLocal
storeStepIsLocal
compatibleTypesReflexive
unreachableNodeCCtx
localCallNodes
@@ -199,7 +201,9 @@ postWithInFlow
| example.c:28:22:28:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
| example.c:28:23:28:25 | pos [post update] | PostUpdateNode should not be the target of local flow. |
| globals.cpp:5:9:5:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| globals.cpp:9:5:9:19 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| globals.cpp:13:5:13:19 | flowTestGlobal1 [post update] | PostUpdateNode should not be the target of local flow. |
| globals.cpp:16:12:16:26 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| globals.cpp:23:5:23:19 | flowTestGlobal2 [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:8:6:8:6 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:9:6:9:6 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -218,10 +222,10 @@ postWithInFlow
| lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:23:3:23:3 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:23:3:23:14 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:23:3:23:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:23:3:23:14 | v [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:23:15:23:15 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:28:7:28:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
| lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -580,6 +584,25 @@ postWithInFlow
| test.cpp:489:7:489:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:491:5:491:5 | x [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:494:5:494:5 | x [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:499:3:499:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:499:4:499:4 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:499:4:499:4 | p [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:504:7:504:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:505:34:505:35 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:505:34:505:35 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:505:35:505:35 | x [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:511:5:511:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:511:6:511:6 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:511:6:511:6 | p [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:516:5:516:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:516:6:516:6 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:516:6:516:6 | p [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:522:24:522:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:522:24:522:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:522:25:522:25 | x [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:526:24:526:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:526:24:526:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:526:25:526:25 | y [post update] | PostUpdateNode should not be the target of local flow. |
| true_upon_entry.cpp:9:7:9:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| true_upon_entry.cpp:10:12:10:12 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| true_upon_entry.cpp:10:27:10:27 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
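Review bot: the `& ... [post update]` rows for `test.cpp:505:34:505:35`, `test.cpp:522:24:522:25` and `test.cpp:526:24:526:25` each appear twice. As in the other expected files, identical rows mean two distinct nodes at one location that print the same, so these are two PostUpdateNodes for each `&x`/`&y` argument. If that is by design (for example one node per indirection level), giving them distinguishable `toString` values would make this file readable; if not, it points at a duplicated node.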
@@ -625,3 +648,7 @@ postWithInFlow
| true_upon_entry.cpp:98:7:98:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| true_upon_entry.cpp:101:18:101:18 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
| true_upon_entry.cpp:102:5:102:5 | x [post update] | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition
uniqueContentApprox


@@ -87,7 +87,7 @@ Top *identity(Top *top) {
void callIdentityFunctions(Top *top, Bottom *bottom) {
identity(bottom)->isSink(source()); // $ MISSING: ast,ir
identity(top)->isSink(source()); // now flow
identity(top)->isSink(source()); // no flow
}
using SinkFunctionType = void (*)(int);


@@ -329,24 +329,24 @@ namespace NestedTests {
namespace FlowThroughGlobals {
int globalVar;
int taintGlobal() {
void taintGlobal() {
globalVar = source();
}
int f() {
sink(globalVar); // tainted or clean? Not sure.
void f() {
sink(globalVar); // $ ir=333:17 ir=347:17 // tainted or clean? Not sure.
taintGlobal();
sink(globalVar); // $ MISSING: ast,ir
sink(globalVar); // $ ir=333:17 ir=347:17 MISSING: ast
}
int calledAfterTaint() {
sink(globalVar); // $ MISSING: ast,ir
void calledAfterTaint() {
sink(globalVar); // $ ir=333:17 ir=347:17 MISSING: ast
}
int taintAndCall() {
void taintAndCall() {
globalVar = source();
calledAfterTaint();
sink(globalVar); // $ ast,ir
sink(globalVar); // $ ast ir=333:17 ir=347:17
}
}
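Review bot: the comment `// tainted or clean? Not sure.` on the first `sink(globalVar)` in `f()` is now stale. The expectation `$ ir=333:17 ir=347:17` records that IR taint reports both stores to `globalVar` (the `source()` assignments in `taintGlobal` and `taintAndCall`) at a sink that executes before `taintGlobal()` is ever called, i.e. flow through the global is tracked without regard to call order, while AST taint reports nothing (`MISSING: ast`). Replace the question with that statement so the expectation reads as a recorded decision rather than an open doubt. The `int` to `void` changes are correct, since none of these functions returned a value.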
@@ -494,3 +494,35 @@ void regression_with_phi_flow(int clean1) {
x = source();
}
}
int intOutparamSourceMissingReturn(int *p) {
*p = source();
// return deliberately omitted to test IR dataflow behavior
}
void viaOutparamMissingReturn() {
int x = 0;
intOutparamSourceMissingReturn(&x);
sink(x); // $ ast,ir
}
void sink_then_source_1(int* p) {
sink(*p); // clean
*p = source();
}
void sink_then_source_2(int* p, int y) {
sink(y); // $ SPURIOUS: ast
*p = source();
}
void test_sink_then_source() {
{
int x;
sink_then_source_1(&x);
}
{
int y;
sink_then_source_2(&y, y);
}
}
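Review bot: in `test_sink_then_source`, `int y;` is passed by value to `sink_then_source_2(&y, y)` while still uninitialised, which is undefined behaviour in the test program, whereas the omitted `return` in `intOutparamSourceMissingReturn` is explicitly commented as deliberate. If the uninitialised read is also intentional (to show that the `SPURIOUS: ast` result on `sink(y)` is not caused by a real initial value), say so in a comment; otherwise `int y = 0;` keeps the test well-defined without changing what it exercises, since the `*p = source()` store still happens after the sink.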


@@ -2,19 +2,17 @@ import TestUtilities.dataflow.FlowTestCommon
module AstTest {
private import semmle.code.cpp.dataflow.DataFlow
private import semmle.code.cpp.controlflow.Guards
/**
* A `BarrierGuard` that stops flow to all occurrences of `x` within statement
* S in `if (guarded(x)) S`.
*/
// This is tested in `BarrierGuard.cpp`.
class TestBarrierGuard extends DataFlow::BarrierGuard {
TestBarrierGuard() { this.(FunctionCall).getTarget().getName() = "guarded" }
override predicate checks(Expr checked, boolean isTrue) {
checked = this.(FunctionCall).getArgument(0) and
isTrue = true
}
predicate testBarrierGuard(GuardCondition g, Expr checked, boolean isTrue) {
g.(FunctionCall).getTarget().getName() = "guarded" and
checked = g.(FunctionCall).getArgument(0) and
isTrue = true
}
/** Common data flow configuration to be used by tests. */
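Review bot: the QLDoc that explained what the guard does ("stops flow to all occurrences of `x` within statement S in `if (guarded(x)) S`") is lost when the `TestBarrierGuard` class becomes the `testBarrierGuard(g, checked, isTrue)` predicate; the replacement `// This is tested in BarrierGuard.cpp` says where it is exercised but not what it means. Keep the doc comment on the predicate and add a line saying it is consumed through `DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()` in `isBarrier`, so a reader does not have to locate the configuration further down to understand the `(g, checked, isTrue)` signature.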
@@ -40,29 +38,26 @@ module AstTest {
}
override predicate isBarrier(DataFlow::Node barrier) {
barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") or
barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()
}
override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard }
}
}
module IRTest {
private import semmle.code.cpp.ir.dataflow.DataFlow
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.controlflow.IRGuards
/**
* A `BarrierGuard` that stops flow to all occurrences of `x` within statement
* S in `if (guarded(x)) S`.
*/
// This is tested in `BarrierGuard.cpp`.
class TestBarrierGuard extends DataFlow::BarrierGuard {
TestBarrierGuard() { this.(CallInstruction).getStaticCallTarget().getName() = "guarded" }
override predicate checksInstr(Instruction checked, boolean isTrue) {
checked = this.(CallInstruction).getPositionalArgument(0) and
isTrue = true
}
predicate testBarrierGuard(IRGuardCondition g, Instruction checked, boolean isTrue) {
g.(CallInstruction).getStaticCallTarget().getName() = "guarded" and
checked = g.(CallInstruction).getPositionalArgument(0) and
isTrue = true
}
/** Common data flow configuration to be used by tests. */
@@ -82,28 +77,9 @@ module IRTest {
)
}
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
exists(GlobalOrNamespaceVariable var | var.getName().matches("flowTestGlobal%") |
writesVariable(n1.asInstruction(), var) and
var = n2.asVariable()
or
readsVariable(n2.asInstruction(), var) and
var = n1.asVariable()
)
}
override predicate isBarrier(DataFlow::Node barrier) {
barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") or
barrier = DataFlow::InstructionBarrierGuard<testBarrierGuard/3>::getABarrierNode()
}
override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard }
}
private predicate readsVariable(LoadInstruction load, Variable var) {
load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
}
private predicate writesVariable(StoreInstruction store, Variable var) {
store.getDestinationAddress().(VariableAddressInstruction).getAstVariable() = var
}
}
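Review bot: alongside the `BarrierGuard` migration, this hunk removes the `isAdditionalFlowStep` override that modelled reads and writes of the `flowTestGlobal%` variables via `readsVariable`/`writesVariable`, so IR flow through those globals must now come from the data-flow library itself. That is consistent with the `ir=...` expectations added for `FlowThroughGlobals` in test.cpp, but confirm the `globals.cpp` expectations did not lose `ir` results as a side effect. Note that `private import semmle.code.cpp.ir.IR` is still needed for `Instruction`/`CallInstruction` in `testBarrierGuard`, so it should not be dropped together with the helpers.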


@@ -5,7 +5,7 @@ int source();
void sink(...);
bool random();
int test1() {
void test1() {
int x = source();
for (int i = 0; i < 10; i++) {
x = 0;
@@ -13,7 +13,7 @@ int test1() {
sink(x); // $ SPURIOUS: ir
}
int test2(int iterations) {
void test2(int iterations) {
int x = source();
for (int i = 0; i < iterations; i++) {
x = 0;
@@ -21,7 +21,7 @@ int test2(int iterations) {
sink(x); // $ ast,ir
}
int test3() {
void test3() {
int x = 0;
for (int i = 0; i < 10; i++) {
x = source();
@@ -29,7 +29,7 @@ int test3() {
sink(x); // $ ast,ir
}
int test4() {
void test4() {
int x = source();
for (int i = 0; i < 10; i++) {
if (random())
@@ -39,7 +39,7 @@ int test4() {
sink(x); // $ ast,ir
}
int test5() {
void test5() {
int x = source();
for (int i = 0; i < 10; i++) {
if (random())
@@ -49,7 +49,7 @@ int test5() {
sink(x); // $ ast,ir
}
int test6() {
void test6() {
int y;
int x = source();
for (int i = 0; i < 10 && (y = 1); i++) {
@@ -57,7 +57,7 @@ int test6() {
sink(x); // $ ast,ir
}
int test7() {
void test7() {
int y;
int x = source();
for (int i = 0; i < 10 && (y = 1); i++) {
@@ -66,7 +66,7 @@ int test7() {
sink(x); // $ SPURIOUS: ir
}
int test8() {
void test8() {
int x = source();
// It appears to the analysis that the condition can exit after `i < 10`
// without having assigned to `x`. That is an effect of how the
@@ -78,7 +78,7 @@ int test8() {
sink(x); // $ SPURIOUS: ast,ir
}
int test9() {
void test9() {
int y;
int x = source();
for (int i = 0; (y = 1) && i < 10; i++) {
@@ -86,21 +86,21 @@ int test9() {
sink(x); // $ ast,ir
}
int test10() {
void test10() {
int x = source();
for (int i = 0; (x = 1) && i < 10; i++) {
}
sink(x); // no flow
}
int test10(int b, int d) {
void test10(int b, int d) {
int i = 0;
int x = source();
if (b)
goto L;
for (; i < 10; i += d) {
x = 0;
L:
L: ;
}
sink(x); // $ ir MISSING: ast
}
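Review bot: `void test10(int b, int d)` reuses the name of `void test10()` directly above it (an overload, so it compiles), which makes the `sink(x)` expectations of the two functions hard to tell apart by name; renaming it `test11` would be cleaner. The `L:` to `L: ;` change is required: before C++23 a label must be followed by a statement, and a label immediately before `}` is ill-formed. The `int` to `void` changes are correct, since none of the `testN` functions returns a value.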


@@ -34,3 +34,6 @@
| test.cpp:441:7:441:11 | local | test.cpp:442:18:442:22 | local |
| test.cpp:441:7:441:11 | local | test.cpp:443:8:443:12 | local |
| test.cpp:441:7:441:11 | local | test.cpp:444:9:444:13 | local |
| test.cpp:521:9:521:9 | x | test.cpp:522:25:522:25 | x |
| test.cpp:525:9:525:9 | y | test.cpp:526:25:526:25 | y |
| test.cpp:525:9:525:9 | y | test.cpp:526:28:526:28 | y |


@@ -12,6 +12,8 @@ uniqueNodeToString
missingToString
parameterCallable
localFlowIsLocal
readStepIsLocal
storeStepIsLocal
compatibleTypesReflexive
unreachableNodeCCtx
localCallNodes
@@ -155,3 +157,7 @@ postWithInFlow
| simple.cpp:92:7:92:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
| struct_init.c:24:11:24:12 | ab [inner post update] | PostUpdateNode should not be the target of local flow. |
| struct_init.c:36:17:36:24 | nestedAB [inner post update] | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition
uniqueContentApprox


@@ -15,6 +15,8 @@ uniqueNodeToString
missingToString
parameterCallable
localFlowIsLocal
readStepIsLocal
storeStepIsLocal
compatibleTypesReflexive
unreachableNodeCCtx
localCallNodes
@@ -1323,3 +1325,7 @@ postWithInFlow
| struct_init.c:46:16:46:24 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
| struct_init.c:46:16:46:24 | pointerAB [post update] | PostUpdateNode should not be the target of local flow. |
| struct_init.c:46:16:46:24 | pointerAB [post update] | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition
uniqueContentApprox
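Review bot: the added section headers (`readStepIsLocal`, `storeStepIsLocal`, and `viableImplInCallContextTooLarge` through `uniqueContentApprox`) have no rows beneath them, which is what a passing consistency check looks like, so this is the expected file catching up with new checks in the shared data-flow library and needs no action. Pre-existing and untouched here: the `postWithInFlow` section still lists `PostUpdateNode should not be the target of local flow` violations, and the `pointerAB [post update]` row at struct_init.c:46:16:46:24 appears twice, which suggests two distinct nodes rendering to the same string and is worth a separate look.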


@@ -1,3 +1,4 @@
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (tainted.ql:5,3-29)
| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:28 | call to getenv | |
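Review bot: the added first line commits a deprecation warning, including its source position `(tainted.ql:5,3-29)`, into the `.expected` file. That keeps the test green today but ties it to the exact layout of `tainted.ql`: any reformatting that moves the `taintedIncludingGlobalVars` call will fail the test without any change in results. If the test deliberately keeps exercising the deprecated predicate, say so in a comment in the `.ql`; otherwise migrate the query off it now instead of baking the warning into the expectations. The `tainted_diff` and `tainted_ir` hunks below commit the same kind of warning lines for `TaintedWithPath`.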


@@ -1,3 +1,8 @@
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted_diff.ql:5,35-54)
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted_diff.ql:12,7-26)
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted_diff.ql:16,3-22)
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (tainted_diff.ql:11,3-34)
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (tainted_diff.ql:17,7-38)
| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr | AST only |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |


@@ -1,3 +1,5 @@
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted_ir.ql:3,35-50)
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted_ir.ql:9,3-18)
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:28 | call to getenv |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:40 | (const char *)... |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:6:25:29 | ! ... |


@@ -0,0 +1,32 @@
/** This tests that we are able to detect local flow sources. */
import cpp
import TestUtilities.InlineExpectationsTest
import semmle.code.cpp.security.FlowSources
class LocalFlowSourceTest extends InlineExpectationsTest {
LocalFlowSourceTest() { this = "LocalFlowSourceTest" }
override string getARelevantTag() { result = "local_source" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "local_source" and
exists(LocalFlowSource node, int n |
n =
strictcount(LocalFlowSource otherNode |
node.getLocation().getStartLine() = otherNode.getLocation().getStartLine()
) and
(
n = 1 and value = ""
or
// If there is more than one node on this line
// we specify the location explicitly.
n > 1 and
value =
node.getLocation().getStartLine().toString() + ":" + node.getLocation().getStartColumn()
) and
location = node.getLocation() and
element = node.toString()
)
}
}
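Review bot: the `strictcount` that decides whether to emit an explicit `line:column` value compares only `getStartLine()` of `node` and `otherNode`, not the file they are in. Two `LocalFlowSource` nodes on the same line number in different files of a test directory would count as `n > 1` and force both to carry explicit locations, and the resulting expectations would look wrong to anyone reading them. Add `node.getLocation().getFile() = otherNode.getLocation().getFile()` to the count, or compare the whole location minus the column. Minor: the line number is converted with `.toString()` while the column is concatenated as a bare int; pick one style for both.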


@@ -0,0 +1,59 @@
/** This tests that we are able to detect remote flow sources and sinks. */
import cpp
import TestUtilities.InlineExpectationsTest
import semmle.code.cpp.security.FlowSources
class RemoteFlowSourceTest extends InlineExpectationsTest {
RemoteFlowSourceTest() { this = "RemoteFlowSourceTest" }
override string getARelevantTag() { result = "remote_source" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "remote_source" and
exists(RemoteFlowSource node, int n |
n =
strictcount(RemoteFlowSource otherNode |
node.getLocation().getStartLine() = otherNode.getLocation().getStartLine()
) and
(
n = 1 and value = ""
or
// If there is more than one node on this line
// we specify the location explicitly.
n > 1 and
value =
node.getLocation().getStartLine().toString() + ":" + node.getLocation().getStartColumn()
) and
location = node.getLocation() and
element = node.toString()
)
}
}
class RemoteFlowSinkTest extends InlineExpectationsTest {
RemoteFlowSinkTest() { this = "RemoteFlowSinkTest" }
override string getARelevantTag() { result = "remote_sink" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "remote_sink" and
exists(RemoteFlowSink node, int n |
n =
strictcount(RemoteFlowSink otherNode |
node.getLocation().getStartLine() = otherNode.getLocation().getStartLine()
) and
(
n = 1 and value = ""
or
// If there is more than one node on this line
// we specify the location explicitly.
n > 1 and
value =
node.getLocation().getStartLine().toString() + ":" + node.getLocation().getStartColumn()
) and
location = node.getLocation() and
element = node.toString()
)
}
}
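Review bot: `RemoteFlowSourceTest` and `RemoteFlowSinkTest` are, apart from the node class and the tag string, the same twenty lines as `LocalFlowSourceTest` in the file above, including the same-line counting and the same missing file comparison in `strictcount`. Factor the location-to-value logic into one shared predicate that takes the node's `Location` and returns the `value` string, so the file check only needs fixing once and a fourth test class does not copy the bug again.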


@@ -0,0 +1,52 @@
char *getenv(const char *name);
char *secure_getenv(const char *name);
wchar_t *_wgetenv(const wchar_t *name);
void test_getenv() {
void *var1 = getenv("VAR"); // $ local_source
void *var2 = secure_getenv("VAR"); // $ local_source
void *var3 = _wgetenv(L"VAR"); // $ local_source
}
int send(int, const void*, int, int);
void test_send(char* buffer, int length) {
send(0, buffer, length, 0); // $ remote_sink
}
struct iovec {
void *iov_base;
unsigned iov_len;
};
int readv(int, const struct iovec*, int);
int writev(int, const struct iovec*, int);
void test_readv_and_writev(iovec* iovs) {
readv(0, iovs, 16); // $ remote_source
writev(0, iovs, 16); // $ remote_sink
}
struct FILE;
int fscanf(FILE *stream, const char *format, ...);
int scanf(const char *format, ...);
void test_scanf(FILE *stream, int *d, char *buf) {
scanf(""); // Not a local source, as there are no output arguments
fscanf(stream, ""); // Not a remote source, as there are no output arguments
scanf("%d", d); // $ local_source
fscanf(stream, "%d", d); // $ remote_source
scanf("%d %s", d, buf); // $ local_source=40:18 local_source=40:21
fscanf(stream, "%d %s", d, buf); // $ remote_source=41:27 remote_source=41:30
}
struct addrinfo;
int getaddrinfo(const char *hostname, const char *servname,
const struct addrinfo *hints, struct addrinfo **res);
void test_inet(char *hostname, char *servname, struct addrinfo *hints) {
addrinfo *res;
int ret = getaddrinfo(hostname, servname, hints, &res); // $ remote_source
}
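Review bot: the explicit expectations `local_source=40:18 local_source=40:21` and `remote_source=41:27 remote_source=41:30` encode absolute line and column numbers, so inserting a line anywhere above `test_scanf`, or re-indenting those two calls, will fail the test without any change in the model. That is inherent to the `line:column` scheme the .ql files use for multiple results on one line, but it deserves a one-line comment in the test source so the failure is understood when it happens. Separately, `int send(int, const void*, int, int)` and `int readv(int, const struct iovec*, int)` are declared with `int` where the real signatures use `size_t`/`ssize_t`; fine if the library models match on name and arity only, but a comment stating that this is intentional would stop someone "fixing" the prototypes.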


@@ -9,7 +9,7 @@ struct sockaddr {
char* sa_data;
};
int accept(int, const sockaddr*, int*);
int accept(int, sockaddr*, int*);
void sink(sockaddr);
@@ -20,5 +20,5 @@ void test_accept() {
int a = accept(s, &addr, &size);
sink(a); // $ ast=17:11 ir SPURIOUS: ast=18:12
sink(addr); // $ ast,ir
sink(addr); // $ ast=17:11 ir SPURIOUS: ast=18:12
}
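Review bot: dropping `const` from `accept(int, const sockaddr*, int*)` matches POSIX, where `accept` writes the peer address through its second argument, so the test now exercises the output-argument path it was written for. The new annotation on `sink(addr)` records that the AST-based analysis now reports a second, spurious path (`SPURIOUS: ast=18:12`) alongside the correct one from line 17, the same pattern the `sink(a)` line above already carried. That false positive is being documented rather than fixed here; make sure it is tracked, since the expectation file will otherwise keep it alive indefinitely.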


@@ -142,9 +142,14 @@
| bsd.cpp:19:14:19:29 | sizeof(sockaddr) | bsd.cpp:20:29:20:32 | size | |
| bsd.cpp:20:11:20:16 | call to accept | bsd.cpp:22:8:22:8 | a | |
| bsd.cpp:20:18:20:18 | s | bsd.cpp:20:11:20:16 | call to accept | TAINT |
| bsd.cpp:20:18:20:18 | s | bsd.cpp:20:21:20:25 | ref arg & ... | TAINT |
| bsd.cpp:20:21:20:25 | & ... | bsd.cpp:20:11:20:16 | call to accept | TAINT |
| bsd.cpp:20:21:20:25 | & ... | bsd.cpp:20:21:20:25 | ref arg & ... | TAINT |
| bsd.cpp:20:21:20:25 | ref arg & ... | bsd.cpp:20:22:20:25 | addr [inner post update] | |
| bsd.cpp:20:21:20:25 | ref arg & ... | bsd.cpp:23:8:23:11 | addr | |
| bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:11:20:16 | call to accept | TAINT |
| bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:21:20:25 | & ... | |
| bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:21:20:25 | ref arg & ... | TAINT |
| bsd.cpp:20:28:20:32 | ref arg & ... | bsd.cpp:20:29:20:32 | size [inner post update] | |
| bsd.cpp:20:29:20:32 | size | bsd.cpp:20:28:20:32 | & ... | |
| constructor_delegation.cpp:8:2:8:8 | this | constructor_delegation.cpp:8:20:8:24 | constructor init of field x [pre-this] | |
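Review bot: the new rows all originate at the `accept` call on bsd.cpp line 20 and show the socket `s`, the `& ...` expression and `addr` itself flowing as TAINT into `ref arg & ...`, and from there into `addr [inner post update]` and the `addr` read on line 23. That is exactly the consequence of the non-const `sockaddr*` parameter in the bsd.cpp hunk: the second argument is now an output, so the taint model routes every argument of the call into it. Reasonable for a remote-source model, but the edge from `s` (a file descriptor) to the address buffer is over-approximate and is the kind of step that produces the `SPURIOUS` annotations in the test; worth keeping in mind if those are ever to be removed.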
@@ -3477,106 +3482,106 @@
| smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:9:137:9 | call to operator* | TAINT |
| smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 | |
| smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] | |
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 | |
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 | |
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 | |
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:42:14:42:20 | source1 | |
| standalone_iterators.cpp:40:11:40:17 | source1 | standalone_iterators.cpp:40:10:40:10 | call to operator* | TAINT |
| standalone_iterators.cpp:41:12:41:18 | ref arg source1 | standalone_iterators.cpp:39:45:39:51 | source1 | |
| standalone_iterators.cpp:41:12:41:18 | ref arg source1 | standalone_iterators.cpp:42:14:42:20 | source1 | |
| standalone_iterators.cpp:41:12:41:18 | source1 | standalone_iterators.cpp:41:19:41:19 | call to operator++ | |
| standalone_iterators.cpp:41:19:41:19 | call to operator++ | standalone_iterators.cpp:41:10:41:10 | call to operator* | TAINT |
| standalone_iterators.cpp:42:12:42:12 | call to operator++ | standalone_iterators.cpp:42:10:42:10 | call to operator* | TAINT |
| standalone_iterators.cpp:42:14:42:20 | ref arg source1 | standalone_iterators.cpp:39:45:39:51 | source1 | |
| standalone_iterators.cpp:42:14:42:20 | source1 | standalone_iterators.cpp:42:12:42:12 | call to operator++ | |
| standalone_iterators.cpp:45:39:45:45 | source1 | standalone_iterators.cpp:45:39:45:45 | source1 | |
| standalone_iterators.cpp:45:39:45:45 | source1 | standalone_iterators.cpp:46:11:46:17 | source1 | |
| standalone_iterators.cpp:45:39:45:45 | source1 | standalone_iterators.cpp:47:12:47:18 | source1 | |
| standalone_iterators.cpp:45:39:45:45 | source1 | standalone_iterators.cpp:48:14:48:20 | source1 | |
| standalone_iterators.cpp:46:11:46:17 | source1 | standalone_iterators.cpp:46:10:46:10 | call to operator* | TAINT |
| standalone_iterators.cpp:47:12:47:18 | ref arg source1 | standalone_iterators.cpp:45:39:45:45 | source1 | |
| standalone_iterators.cpp:47:12:47:18 | ref arg source1 | standalone_iterators.cpp:48:14:48:20 | source1 | |
| standalone_iterators.cpp:47:12:47:18 | source1 | standalone_iterators.cpp:47:19:47:19 | call to operator++ | |
| standalone_iterators.cpp:47:19:47:19 | call to operator++ | standalone_iterators.cpp:47:10:47:10 | call to operator* | TAINT |
| standalone_iterators.cpp:48:12:48:12 | call to operator++ | standalone_iterators.cpp:48:10:48:10 | call to operator* | TAINT |
| standalone_iterators.cpp:48:14:48:20 | ref arg source1 | standalone_iterators.cpp:45:39:45:45 | source1 | |
| standalone_iterators.cpp:48:14:48:20 | source1 | standalone_iterators.cpp:48:12:48:12 | call to operator++ | |
| standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:52:11:52:17 | source1 | |
| standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:53:12:53:18 | source1 | |
| standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:54:14:54:20 | source1 | |
| standalone_iterators.cpp:53:12:53:18 | ref arg source1 | standalone_iterators.cpp:54:14:54:20 | source1 | |
| standalone_iterators.cpp:83:15:83:16 | call to container | standalone_iterators.cpp:85:35:85:36 | c1 | |
| standalone_iterators.cpp:83:15:83:16 | call to container | standalone_iterators.cpp:87:10:87:11 | c1 | |
| standalone_iterators.cpp:83:19:83:20 | call to container | standalone_iterators.cpp:89:35:89:36 | c2 | |
| standalone_iterators.cpp:83:19:83:20 | call to container | standalone_iterators.cpp:91:10:91:11 | c2 | |
| standalone_iterators.cpp:85:35:85:36 | c1 | standalone_iterators.cpp:85:38:85:42 | call to begin | TAINT |
| standalone_iterators.cpp:85:35:85:36 | ref arg c1 | standalone_iterators.cpp:87:10:87:11 | c1 | |
| standalone_iterators.cpp:85:38:85:42 | call to begin | standalone_iterators.cpp:86:6:86:7 | i1 | |
| standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | TAINT |
| standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:87:10:87:11 | c1 | |
| standalone_iterators.cpp:86:6:86:7 | i1 | standalone_iterators.cpp:86:8:86:8 | call to operator-- | |
| standalone_iterators.cpp:86:8:86:8 | call to operator-- | standalone_iterators.cpp:86:5:86:5 | call to operator* | TAINT |
| standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | standalone_iterators.cpp:86:6:86:7 | ref arg i1 | |
| standalone_iterators.cpp:86:13:86:18 | call to source | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | TAINT |
| standalone_iterators.cpp:89:35:89:36 | c2 | standalone_iterators.cpp:89:38:89:42 | call to begin | TAINT |
| standalone_iterators.cpp:89:35:89:36 | ref arg c2 | standalone_iterators.cpp:91:10:91:11 | c2 | |
| standalone_iterators.cpp:89:38:89:42 | call to begin | standalone_iterators.cpp:90:6:90:7 | i2 | |
| standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | TAINT |
| standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:91:10:91:11 | c2 | |
| standalone_iterators.cpp:90:6:90:7 | i2 | standalone_iterators.cpp:90:8:90:8 | call to operator-- | |
| standalone_iterators.cpp:90:8:90:8 | call to operator-- | standalone_iterators.cpp:90:5:90:5 | call to operator* | TAINT |
| standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:6:90:7 | ref arg i2 | |
| standalone_iterators.cpp:90:13:90:13 | 0 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | TAINT |
| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:101:6:101:7 | c1 | |
| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:102:6:102:7 | c1 | |
| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:106:6:106:7 | c1 | |
| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:109:7:109:8 | c1 | |
| standalone_iterators.cpp:101:6:101:7 | c1 | standalone_iterators.cpp:101:9:101:13 | call to begin | TAINT |
| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:102:6:102:7 | c1 | |
| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:106:6:106:7 | c1 | |
| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 | |
| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:101:2:101:15 | ... = ... | |
| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:103:3:103:3 | a | |
| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:104:7:104:7 | a | |
| standalone_iterators.cpp:102:6:102:7 | c1 | standalone_iterators.cpp:102:9:102:13 | call to begin | TAINT |
| standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:106:6:106:7 | c1 | |
| standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 | |
| standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:102:2:102:15 | ... = ... | |
| standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:107:7:107:7 | b | |
| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | ref arg a | TAINT |
| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:106:6:106:7 | c1 | |
| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:109:7:109:8 | c1 | |
| standalone_iterators.cpp:103:3:103:3 | a | standalone_iterators.cpp:103:2:103:2 | call to operator* | TAINT |
| standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:104:7:104:7 | a | |
| standalone_iterators.cpp:103:7:103:12 | call to source | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | TAINT |
| standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:106:6:106:7 | c1 | |
| standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:109:7:109:8 | c1 | |
| standalone_iterators.cpp:106:6:106:7 | c1 | standalone_iterators.cpp:106:9:106:13 | call to begin | TAINT |
| standalone_iterators.cpp:106:6:106:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 | |
| standalone_iterators.cpp:106:9:106:13 | call to begin | standalone_iterators.cpp:106:2:106:15 | ... = ... | |
| standalone_iterators.cpp:106:9:106:13 | call to begin | standalone_iterators.cpp:108:7:108:7 | c | |
| standalone_iterators.cpp:107:7:107:7 | b [post update] | standalone_iterators.cpp:109:7:109:8 | c1 | |
| standalone_iterators.cpp:108:7:108:7 | c [post update] | standalone_iterators.cpp:109:7:109:8 | c1 | |
| standalone_iterators.cpp:113:15:113:16 | call to container | standalone_iterators.cpp:116:7:116:8 | c1 | |
| standalone_iterators.cpp:113:15:113:16 | call to container | standalone_iterators.cpp:122:7:122:8 | c1 | |
| standalone_iterators.cpp:116:7:116:8 | c1 | standalone_iterators.cpp:116:10:116:14 | call to begin | TAINT |
| standalone_iterators.cpp:116:7:116:8 | ref arg c1 | standalone_iterators.cpp:122:7:122:8 | c1 | |
| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:116:2:116:16 | ... = ... | |
| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:117:7:117:8 | it | |
| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:118:2:118:3 | it | |
| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:119:7:119:8 | it | |
| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:120:2:120:3 | it | |
| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:121:7:121:8 | it | |
| standalone_iterators.cpp:117:7:117:8 | it [post update] | standalone_iterators.cpp:122:7:122:8 | c1 | |
| standalone_iterators.cpp:118:2:118:3 | it | standalone_iterators.cpp:118:5:118:5 | call to operator+= | TAINT |
| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:119:7:119:8 | it | |
| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:120:2:120:3 | it | |
| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it | |
| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:122:7:122:8 | c1 | |
| standalone_iterators.cpp:118:8:118:8 | 1 | standalone_iterators.cpp:118:2:118:3 | ref arg it | TAINT |
| standalone_iterators.cpp:120:2:120:3 | it | standalone_iterators.cpp:120:5:120:5 | call to operator+= | TAINT |
| standalone_iterators.cpp:120:2:120:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it | |
| standalone_iterators.cpp:120:8:120:13 | call to source | standalone_iterators.cpp:120:2:120:3 | ref arg it | TAINT |
| standalone_iterators.cpp:43:45:43:51 | source1 | standalone_iterators.cpp:43:45:43:51 | source1 | |
| standalone_iterators.cpp:43:45:43:51 | source1 | standalone_iterators.cpp:44:11:44:17 | source1 | |
| standalone_iterators.cpp:43:45:43:51 | source1 | standalone_iterators.cpp:45:12:45:18 | source1 | |
| standalone_iterators.cpp:43:45:43:51 | source1 | standalone_iterators.cpp:46:14:46:20 | source1 | |
| standalone_iterators.cpp:44:11:44:17 | source1 | standalone_iterators.cpp:44:10:44:10 | call to operator* | TAINT |
| standalone_iterators.cpp:45:12:45:18 | ref arg source1 | standalone_iterators.cpp:43:45:43:51 | source1 | |
| standalone_iterators.cpp:45:12:45:18 | ref arg source1 | standalone_iterators.cpp:46:14:46:20 | source1 | |
| standalone_iterators.cpp:45:12:45:18 | source1 | standalone_iterators.cpp:45:19:45:19 | call to operator++ | |
| standalone_iterators.cpp:45:19:45:19 | call to operator++ | standalone_iterators.cpp:45:10:45:10 | call to operator* | TAINT |
| standalone_iterators.cpp:46:12:46:12 | call to operator++ | standalone_iterators.cpp:46:10:46:10 | call to operator* | TAINT |
| standalone_iterators.cpp:46:14:46:20 | ref arg source1 | standalone_iterators.cpp:43:45:43:51 | source1 | |
| standalone_iterators.cpp:46:14:46:20 | source1 | standalone_iterators.cpp:46:12:46:12 | call to operator++ | |
| standalone_iterators.cpp:49:39:49:45 | source1 | standalone_iterators.cpp:49:39:49:45 | source1 | |
| standalone_iterators.cpp:49:39:49:45 | source1 | standalone_iterators.cpp:50:11:50:17 | source1 | |
| standalone_iterators.cpp:49:39:49:45 | source1 | standalone_iterators.cpp:51:12:51:18 | source1 | |
| standalone_iterators.cpp:49:39:49:45 | source1 | standalone_iterators.cpp:52:14:52:20 | source1 | |
| standalone_iterators.cpp:50:11:50:17 | source1 | standalone_iterators.cpp:50:10:50:10 | call to operator* | TAINT |
| standalone_iterators.cpp:51:12:51:18 | ref arg source1 | standalone_iterators.cpp:49:39:49:45 | source1 | |
| standalone_iterators.cpp:51:12:51:18 | ref arg source1 | standalone_iterators.cpp:52:14:52:20 | source1 | |
| standalone_iterators.cpp:51:12:51:18 | source1 | standalone_iterators.cpp:51:19:51:19 | call to operator++ | |
| standalone_iterators.cpp:51:19:51:19 | call to operator++ | standalone_iterators.cpp:51:10:51:10 | call to operator* | TAINT |
| standalone_iterators.cpp:52:12:52:12 | call to operator++ | standalone_iterators.cpp:52:10:52:10 | call to operator* | TAINT |
| standalone_iterators.cpp:52:14:52:20 | ref arg source1 | standalone_iterators.cpp:49:39:49:45 | source1 | |
| standalone_iterators.cpp:52:14:52:20 | source1 | standalone_iterators.cpp:52:12:52:12 | call to operator++ | |
| standalone_iterators.cpp:55:37:55:43 | source1 | standalone_iterators.cpp:56:11:56:17 | source1 | |
| standalone_iterators.cpp:55:37:55:43 | source1 | standalone_iterators.cpp:57:12:57:18 | source1 | |
| standalone_iterators.cpp:55:37:55:43 | source1 | standalone_iterators.cpp:58:14:58:20 | source1 | |
| standalone_iterators.cpp:57:12:57:18 | ref arg source1 | standalone_iterators.cpp:58:14:58:20 | source1 | |
| standalone_iterators.cpp:91:15:91:16 | call to container | standalone_iterators.cpp:93:35:93:36 | c1 | |
| standalone_iterators.cpp:91:15:91:16 | call to container | standalone_iterators.cpp:95:10:95:11 | c1 | |
| standalone_iterators.cpp:91:19:91:20 | call to container | standalone_iterators.cpp:97:35:97:36 | c2 | |
| standalone_iterators.cpp:91:19:91:20 | call to container | standalone_iterators.cpp:99:10:99:11 | c2 | |
| standalone_iterators.cpp:93:35:93:36 | c1 | standalone_iterators.cpp:93:38:93:42 | call to begin | TAINT |
| standalone_iterators.cpp:93:35:93:36 | ref arg c1 | standalone_iterators.cpp:95:10:95:11 | c1 | |
| standalone_iterators.cpp:93:38:93:42 | call to begin | standalone_iterators.cpp:94:6:94:7 | i1 | |
| standalone_iterators.cpp:94:5:94:5 | ref arg call to operator* | standalone_iterators.cpp:94:8:94:8 | ref arg call to operator-- | TAINT |
| standalone_iterators.cpp:94:5:94:5 | ref arg call to operator* | standalone_iterators.cpp:95:10:95:11 | c1 | |
| standalone_iterators.cpp:94:6:94:7 | i1 | standalone_iterators.cpp:94:8:94:8 | call to operator-- | |
| standalone_iterators.cpp:94:8:94:8 | call to operator-- | standalone_iterators.cpp:94:5:94:5 | call to operator* | TAINT |
| standalone_iterators.cpp:94:8:94:8 | ref arg call to operator-- | standalone_iterators.cpp:94:6:94:7 | ref arg i1 | |
| standalone_iterators.cpp:94:13:94:18 | call to source | standalone_iterators.cpp:94:5:94:5 | ref arg call to operator* | TAINT |
| standalone_iterators.cpp:97:35:97:36 | c2 | standalone_iterators.cpp:97:38:97:42 | call to begin | TAINT |
| standalone_iterators.cpp:97:35:97:36 | ref arg c2 | standalone_iterators.cpp:99:10:99:11 | c2 | |
| standalone_iterators.cpp:97:38:97:42 | call to begin | standalone_iterators.cpp:98:6:98:7 | i2 | |
| standalone_iterators.cpp:98:5:98:5 | ref arg call to operator* | standalone_iterators.cpp:98:8:98:8 | ref arg call to operator-- | TAINT |
| standalone_iterators.cpp:98:5:98:5 | ref arg call to operator* | standalone_iterators.cpp:99:10:99:11 | c2 | |
| standalone_iterators.cpp:98:6:98:7 | i2 | standalone_iterators.cpp:98:8:98:8 | call to operator-- | |
| standalone_iterators.cpp:98:8:98:8 | call to operator-- | standalone_iterators.cpp:98:5:98:5 | call to operator* | TAINT |
| standalone_iterators.cpp:98:8:98:8 | ref arg call to operator-- | standalone_iterators.cpp:98:6:98:7 | ref arg i2 | |
| standalone_iterators.cpp:98:13:98:13 | 0 | standalone_iterators.cpp:98:5:98:5 | ref arg call to operator* | TAINT |
| standalone_iterators.cpp:106:15:106:16 | call to container | standalone_iterators.cpp:109:6:109:7 | c1 | |
| standalone_iterators.cpp:106:15:106:16 | call to container | standalone_iterators.cpp:110:6:110:7 | c1 | |
| standalone_iterators.cpp:106:15:106:16 | call to container | standalone_iterators.cpp:114:6:114:7 | c1 | |
| standalone_iterators.cpp:106:15:106:16 | call to container | standalone_iterators.cpp:117:7:117:8 | c1 | |
| standalone_iterators.cpp:109:6:109:7 | c1 | standalone_iterators.cpp:109:9:109:13 | call to begin | TAINT |
| standalone_iterators.cpp:109:6:109:7 | ref arg c1 | standalone_iterators.cpp:110:6:110:7 | c1 | |
| standalone_iterators.cpp:109:6:109:7 | ref arg c1 | standalone_iterators.cpp:114:6:114:7 | c1 | |
| standalone_iterators.cpp:109:6:109:7 | ref arg c1 | standalone_iterators.cpp:117:7:117:8 | c1 | |
| standalone_iterators.cpp:109:9:109:13 | call to begin | standalone_iterators.cpp:109:2:109:15 | ... = ... | |
| standalone_iterators.cpp:109:9:109:13 | call to begin | standalone_iterators.cpp:111:3:111:3 | a | |
| standalone_iterators.cpp:109:9:109:13 | call to begin | standalone_iterators.cpp:112:7:112:7 | a | |
| standalone_iterators.cpp:110:6:110:7 | c1 | standalone_iterators.cpp:110:9:110:13 | call to begin | TAINT |
| standalone_iterators.cpp:110:6:110:7 | ref arg c1 | standalone_iterators.cpp:114:6:114:7 | c1 | |
| standalone_iterators.cpp:110:6:110:7 | ref arg c1 | standalone_iterators.cpp:117:7:117:8 | c1 | |
| standalone_iterators.cpp:110:9:110:13 | call to begin | standalone_iterators.cpp:110:2:110:15 | ... = ... | |
| standalone_iterators.cpp:110:9:110:13 | call to begin | standalone_iterators.cpp:115:7:115:7 | b | |
| standalone_iterators.cpp:111:2:111:2 | ref arg call to operator* | standalone_iterators.cpp:111:3:111:3 | ref arg a | TAINT |
| standalone_iterators.cpp:111:2:111:2 | ref arg call to operator* | standalone_iterators.cpp:114:6:114:7 | c1 | |
| standalone_iterators.cpp:111:2:111:2 | ref arg call to operator* | standalone_iterators.cpp:117:7:117:8 | c1 | |
| standalone_iterators.cpp:111:3:111:3 | a | standalone_iterators.cpp:111:2:111:2 | call to operator* | TAINT |
| standalone_iterators.cpp:111:3:111:3 | ref arg a | standalone_iterators.cpp:112:7:112:7 | a | |
| standalone_iterators.cpp:111:7:111:12 | call to source | standalone_iterators.cpp:111:2:111:2 | ref arg call to operator* | TAINT |
| standalone_iterators.cpp:112:7:112:7 | a [post update] | standalone_iterators.cpp:114:6:114:7 | c1 | |
| standalone_iterators.cpp:112:7:112:7 | a [post update] | standalone_iterators.cpp:117:7:117:8 | c1 | |
| standalone_iterators.cpp:114:6:114:7 | c1 | standalone_iterators.cpp:114:9:114:13 | call to begin | TAINT |
| standalone_iterators.cpp:114:6:114:7 | ref arg c1 | standalone_iterators.cpp:117:7:117:8 | c1 | |
| standalone_iterators.cpp:114:9:114:13 | call to begin | standalone_iterators.cpp:114:2:114:15 | ... = ... | |
| standalone_iterators.cpp:114:9:114:13 | call to begin | standalone_iterators.cpp:116:7:116:7 | c | |
| standalone_iterators.cpp:115:7:115:7 | b [post update] | standalone_iterators.cpp:117:7:117:8 | c1 | |
| standalone_iterators.cpp:116:7:116:7 | c [post update] | standalone_iterators.cpp:117:7:117:8 | c1 | |
| standalone_iterators.cpp:121:15:121:16 | call to container | standalone_iterators.cpp:124:7:124:8 | c1 | |
| standalone_iterators.cpp:121:15:121:16 | call to container | standalone_iterators.cpp:130:7:130:8 | c1 | |
| standalone_iterators.cpp:124:7:124:8 | c1 | standalone_iterators.cpp:124:10:124:14 | call to begin | TAINT |
| standalone_iterators.cpp:124:7:124:8 | ref arg c1 | standalone_iterators.cpp:130:7:130:8 | c1 | |
| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:124:2:124:16 | ... = ... | |
| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:125:7:125:8 | it | |
| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:126:2:126:3 | it | |
| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:127:7:127:8 | it | |
| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:128:2:128:3 | it | |
| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:129:7:129:8 | it | |
| standalone_iterators.cpp:125:7:125:8 | it [post update] | standalone_iterators.cpp:130:7:130:8 | c1 | |
| standalone_iterators.cpp:126:2:126:3 | it | standalone_iterators.cpp:126:5:126:5 | call to operator+= | TAINT |
| standalone_iterators.cpp:126:2:126:3 | ref arg it | standalone_iterators.cpp:127:7:127:8 | it | |
| standalone_iterators.cpp:126:2:126:3 | ref arg it | standalone_iterators.cpp:128:2:128:3 | it | |
| standalone_iterators.cpp:126:2:126:3 | ref arg it | standalone_iterators.cpp:129:7:129:8 | it | |
| standalone_iterators.cpp:126:2:126:3 | ref arg it | standalone_iterators.cpp:130:7:130:8 | c1 | |
| standalone_iterators.cpp:126:8:126:8 | 1 | standalone_iterators.cpp:126:2:126:3 | ref arg it | TAINT |
| standalone_iterators.cpp:128:2:128:3 | it | standalone_iterators.cpp:128:5:128:5 | call to operator+= | TAINT |
| standalone_iterators.cpp:128:2:128:3 | ref arg it | standalone_iterators.cpp:129:7:129:8 | it | |
| standalone_iterators.cpp:128:8:128:13 | call to source | standalone_iterators.cpp:128:2:128:3 | ref arg it | TAINT |
| stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | constructor init of field container | TAINT |
| stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | constructor init of field container | TAINT |
| stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | container | |
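Review bot: this hunk is a pure line-number shift: the removed and added `standalone_iterators.cpp` rows are identical except that positions move by +4 from line 39 onward and by +8 from line 83 onward, and the row counts match (106 lines each side per the hunk header). The source change that inserted those lines is not part of this excerpt; as long as that is the only difference, there is nothing to review here, but it is worth diffing the two halves with line numbers stripped once to confirm no row was dropped or reordered in the renumbering.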
@@ -5964,6 +5969,7 @@
| taint.cpp:172:10:172:15 | buffer | taint.cpp:172:3:172:8 | call to strcat | |
| taint.cpp:172:10:172:15 | buffer | taint.cpp:172:10:172:15 | ref arg buffer | TAINT |
| taint.cpp:172:10:172:15 | ref arg buffer | taint.cpp:173:8:173:13 | buffer | |
| taint.cpp:172:18:172:24 | tainted | taint.cpp:172:3:172:8 | call to strcat | TAINT |
| taint.cpp:172:18:172:24 | tainted | taint.cpp:172:10:172:15 | ref arg buffer | TAINT |
| taint.cpp:180:19:180:19 | p | taint.cpp:180:19:180:19 | p | |
| taint.cpp:180:19:180:19 | p | taint.cpp:181:9:181:9 | p | |
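Review bot: the new row `tainted` to `call to strcat | TAINT` adds the return value of `strcat` as a taint target of its source operand. That is the right model: `strcat` returns its first argument, which after the call holds the appended tainted bytes, so code that uses the return value instead of `buffer` must be flagged too. The pre-existing row into `ref arg buffer` already covered the in-place effect, and the two together are consistent.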
@@ -6373,12 +6379,14 @@
| taint.cpp:561:9:561:13 | dest1 | taint.cpp:561:9:561:13 | ref arg dest1 | TAINT |
| taint.cpp:561:9:561:13 | ref arg dest1 | taint.cpp:560:24:560:28 | dest1 | |
| taint.cpp:561:9:561:13 | ref arg dest1 | taint.cpp:562:7:562:11 | dest1 | |
| taint.cpp:561:16:561:21 | source | taint.cpp:561:2:561:7 | call to strcat | TAINT |
| taint.cpp:561:16:561:21 | source | taint.cpp:561:9:561:13 | ref arg dest1 | TAINT |
| taint.cpp:562:7:562:11 | ref arg dest1 | taint.cpp:560:24:560:28 | dest1 | |
| taint.cpp:564:9:564:13 | dest2 | taint.cpp:564:2:564:7 | call to strcat | |
| taint.cpp:564:9:564:13 | dest2 | taint.cpp:564:9:564:13 | ref arg dest2 | TAINT |
| taint.cpp:564:9:564:13 | ref arg dest2 | taint.cpp:560:37:560:41 | dest2 | |
| taint.cpp:564:9:564:13 | ref arg dest2 | taint.cpp:565:7:565:11 | dest2 | |
| taint.cpp:564:16:564:20 | clean | taint.cpp:564:2:564:7 | call to strcat | TAINT |
| taint.cpp:564:16:564:20 | clean | taint.cpp:564:9:564:13 | ref arg dest2 | TAINT |
| taint.cpp:565:7:565:11 | ref arg dest2 | taint.cpp:560:37:560:41 | dest2 | |
| taint.cpp:572:37:572:41 | dest1 | taint.cpp:572:37:572:41 | dest1 | |
@@ -6405,9 +6413,12 @@
| taint.cpp:574:36:574:40 | ref arg dest1 | taint.cpp:572:37:572:41 | dest1 | |
| taint.cpp:574:36:574:40 | ref arg dest1 | taint.cpp:575:7:575:11 | dest1 | |
| taint.cpp:574:36:574:40 | ref arg dest1 | taint.cpp:576:8:576:12 | dest1 | |
| taint.cpp:574:43:574:45 | ptr | taint.cpp:574:25:574:34 | call to _mbsncat_l | TAINT |
| taint.cpp:574:43:574:45 | ptr | taint.cpp:574:36:574:40 | ref arg dest1 | TAINT |
| taint.cpp:574:48:574:48 | n | taint.cpp:574:25:574:34 | call to _mbsncat_l | TAINT |
| taint.cpp:574:48:574:48 | n | taint.cpp:574:36:574:40 | ref arg dest1 | TAINT |
| taint.cpp:574:51:574:56 | ref arg source | taint.cpp:573:49:573:54 | source | |
| taint.cpp:574:51:574:56 | source | taint.cpp:574:25:574:34 | call to _mbsncat_l | TAINT |
| taint.cpp:574:51:574:56 | source | taint.cpp:574:36:574:40 | ref arg dest1 | TAINT |
| taint.cpp:575:7:575:11 | ref arg dest1 | taint.cpp:572:37:572:41 | dest1 | |
| taint.cpp:575:7:575:11 | ref arg dest1 | taint.cpp:576:8:576:12 | dest1 | |
@@ -6421,8 +6432,11 @@
| taint.cpp:580:36:580:40 | ref arg dest3 | taint.cpp:572:85:572:89 | dest3 | |
| taint.cpp:580:36:580:40 | ref arg dest3 | taint.cpp:581:7:581:11 | dest3 | |
| taint.cpp:580:36:580:40 | ref arg dest3 | taint.cpp:582:8:582:12 | dest3 | |
| taint.cpp:580:43:580:45 | ptr | taint.cpp:580:25:580:34 | call to _mbsncat_l | TAINT |
| taint.cpp:580:43:580:45 | ptr | taint.cpp:580:36:580:40 | ref arg dest3 | TAINT |
| taint.cpp:580:48:580:48 | n | taint.cpp:580:25:580:34 | call to _mbsncat_l | TAINT |
| taint.cpp:580:48:580:48 | n | taint.cpp:580:36:580:40 | ref arg dest3 | TAINT |
| taint.cpp:580:51:580:55 | clean | taint.cpp:580:25:580:34 | call to _mbsncat_l | TAINT |
| taint.cpp:580:51:580:55 | clean | taint.cpp:580:36:580:40 | ref arg dest3 | TAINT |
| taint.cpp:580:51:580:55 | ref arg clean | taint.cpp:573:32:573:36 | clean | |
| taint.cpp:581:7:581:11 | ref arg dest3 | taint.cpp:572:85:572:89 | dest3 | |


@@ -27,6 +27,10 @@ public:
template<>
struct std::iterator_traits<int_iterator_by_trait> {
typedef input_iterator_tag iterator_category;
typedef int value_type;
typedef size_t difference_type;
typedef int* pointer;
typedef int& reference;
};
class non_iterator {
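Review bot: `difference_type` is given as `size_t` in the new `iterator_traits<int_iterator_by_trait>` specialization, but iterator distances are conventionally a signed type (`std::ptrdiff_t`). That is harmless if the fixture only needs the trait to be well-formed for the iterator detection, but it is the kind of detail a later check on the trait's types would trip over; `typedef std::ptrdiff_t difference_type;` matches the standard and costs nothing here.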
@@ -69,6 +73,10 @@ public:
template<>
struct std::iterator_traits<insert_iterator_by_trait> {
typedef output_iterator_tag iterator_category;
typedef int value_type;
typedef size_t difference_type;
typedef int* pointer;
typedef int& reference;
};
class container {
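Review bot: the `insert_iterator_by_trait` specialization declares `value_type`, `pointer` and `reference` as concrete `int` types even though its category is `output_iterator_tag`, for which those members are conventionally `void`. If the concrete types are deliberate (so the same typedef block can be reused for both fixtures), a short comment saying so would stop the next reader from treating it as an oversight.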


@@ -47,14 +47,14 @@ void do_source()
void do_sink()
{
sink(global1);
sink(global2); // $ MISSING: ast,ir
sink(global3); // $ MISSING: ast,ir
sink(global4); // $ MISSING: ast,ir
sink(global2); // $ ir MISSING: ast
sink(global3); // $ ir MISSING: ast
sink(global4); // $ ir MISSING: ast
sink(global5);
sink(global6);
sink(global7); // $ MISSING: ast,ir
sink(global8); // $ MISSING: ast,ir
sink(global9); // $ MISSING: ast,ir
sink(global7); // $ ir MISSING: ast
sink(global8); // $ ir MISSING: ast
sink(global9); // $ ir MISSING: ast
sink(global10);
}
@@ -574,8 +574,8 @@ void test__mbsncat_l(unsigned char* dest1, unsigned const char* ptr, unsigned ch
unsigned char* dest2 = _mbsncat_l(dest1, ptr, n, source);
sink(dest1); // $ SPURIOUS: ast,ir
sink(*dest1); // $ ast,ir
sink(dest2); // $ SPURIOUS: ir
sink(*dest2); // $ ir
sink(dest2); // $ SPURIOUS: ast,ir
sink(*dest2); // $ ast,ir
unsigned char* dest4 = _mbsncat_l(dest3, ptr, n, clean);
sink(dest3);
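Review bot: the `sink(dest2)` annotation goes from `SPURIOUS: ir` to `SPURIOUS: ast,ir`, so alongside the new true positive on `sink(*dest2)` this change also introduces a new false positive for the AST analysis (the pointer itself is now reported as tainted, not just the pointed-to data). That is consistent with the existing `sink(dest1)` row, which is already spurious for both analyses, but it is a precision regression for AST and deserves a sentence in the commit message saying it is accepted rather than unnoticed.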


@@ -95,16 +95,7 @@ module IRTest {
override predicate isSink(DataFlow::Node sink) {
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink.asConvertedExpr() = call.getAnArgument()
or
call.getTarget().getName() = "sink" and
sink.asExpr() = call.getAnArgument() and
sink.asConvertedExpr() instanceof ReferenceDereferenceExpr
)
or
exists(ReadSideEffectInstruction read |
read.getSideEffectOperand() = sink.asOperand() and
read.getPrimaryInstruction().(CallInstruction).getStaticCallTarget().hasName("sink")
sink.asExpr() = call.getAnArgument()
)
}
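Review bot: removing the `asConvertedExpr()` / `ReferenceDereferenceExpr` disjunct and the whole `ReadSideEffectInstruction` branch means an argument passed by reference is now a sink only through `sink.asExpr()`. The `.expected` changes in this merge should confirm that the reference-argument results survive that simplification; if any went missing, the cause is this predicate, not an analysis change. A one-line comment explaining why `asExpr()` alone is now sufficient would help whoever next touches `IRTest`.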


@@ -33,3 +33,11 @@ public:
myTemplateClass<int> mtc_int;
myTemplateClass<short> mtc_short;
// Class (UserType)
class myClass
{
public:
int myMemberVariable;
};


@@ -27,5 +27,11 @@
| declarationEntry.cpp:31:4:31:19 | myMemberVariable | declarationEntry.cpp:31:4:31:19 | definition of myMemberVariable | 1 | 1 |
| declarationEntry.cpp:34:22:34:28 | mtc_int | declarationEntry.cpp:34:22:34:28 | definition of mtc_int | 1 | 1 |
| declarationEntry.cpp:35:24:35:32 | mtc_short | declarationEntry.cpp:35:24:35:32 | definition of mtc_short | 1 | 1 |
| declarationEntry.cpp:39:7:39:7 | operator= | declarationEntry.cpp:39:7:39:7 | declaration of operator= | 1 | 1 |
| declarationEntry.cpp:39:7:39:7 | operator= | declarationEntry.cpp:39:7:39:7 | declaration of operator= | 1 | 1 |
| declarationEntry.cpp:39:7:39:13 | myClass | declarationEntry.cpp:39:7:39:13 | definition of myClass | 1 | 1 |
| declarationEntry.cpp:39:7:39:13 | myClass | forwardDeclaration.cpp:1:7:1:13 | declaration of myClass | 1 | 1 |
| declarationEntry.cpp:42:6:42:21 | myMemberVariable | declarationEntry.cpp:42:6:42:21 | definition of myMemberVariable | 1 | 1 |
| forwardDeclaration.cpp:3:10:3:19 | myClassPtr | forwardDeclaration.cpp:3:10:3:19 | definition of myClassPtr | 1 | 1 |
| macro.c:2:1:2:3 | foo | macro.c:2:1:2:3 | declaration of foo | 1 | 1 |
| macro.c:4:5:4:8 | main | macro.c:4:5:4:8 | definition of main | 1 | 1 |


@@ -10,5 +10,7 @@
| declarationEntry.cpp:28:7:28:7 | declaration of operator= | | 0 | |
| declarationEntry.cpp:28:7:28:7 | declaration of operator= | | 0 | |
| declarationEntry.cpp:28:7:28:7 | declaration of operator= | | 0 | |
| declarationEntry.cpp:39:7:39:7 | declaration of operator= | | 0 | |
| declarationEntry.cpp:39:7:39:7 | declaration of operator= | | 0 | |
| macro.c:2:1:2:3 | declaration of foo | | 2 | c_linkage, static |
| macro.c:4:5:4:8 | definition of main | | 1 | c_linkage |


@@ -0,0 +1,3 @@
class myClass;
myClass *myClassPtr;


@@ -0,0 +1,45 @@
| declarationEntry.c:2:6:2:20 | declaration of myFirstFunction | declarationEntry.c:2:6:2:20 | myFirstFunction | yes |
| declarationEntry.c:4:6:4:21 | definition of mySecondFunction | declarationEntry.c:4:6:4:21 | mySecondFunction | yes |
| declarationEntry.c:8:6:8:20 | definition of myThirdFunction | declarationEntry.c:8:6:8:20 | myThirdFunction | yes |
| declarationEntry.c:13:2:13:2 | declaration of myFourthFunction | declarationEntry.c:13:2:13:2 | myFourthFunction | yes |
| declarationEntry.c:13:2:13:2 | declaration of myFourthFunction | declarationEntry.c:17:6:17:21 | myFourthFunction | yes |
| declarationEntry.c:14:2:14:2 | declaration of myFifthFunction | declarationEntry.c:14:2:14:2 | myFifthFunction | yes |
| declarationEntry.c:17:6:17:21 | declaration of myFourthFunction | declarationEntry.c:13:2:13:2 | myFourthFunction | yes |
| declarationEntry.c:17:6:17:21 | declaration of myFourthFunction | declarationEntry.c:17:6:17:21 | myFourthFunction | yes |
| declarationEntry.cpp:3:12:3:21 | declaration of myVariable | declarationEntry.cpp:5:5:5:14 | myVariable | yes |
| declarationEntry.cpp:5:5:5:14 | definition of myVariable | declarationEntry.cpp:5:5:5:14 | myVariable | yes |
| declarationEntry.cpp:9:6:9:15 | declaration of myFunction | declarationEntry.cpp:11:6:11:15 | myFunction | yes |
| declarationEntry.cpp:9:21:9:31 | declaration of myParameter | declarationEntry.cpp:11:21:11:31 | myParameter | yes |
| declarationEntry.cpp:11:6:11:15 | definition of myFunction | declarationEntry.cpp:11:6:11:15 | myFunction | yes |
| declarationEntry.cpp:11:21:11:31 | definition of myParameter | declarationEntry.cpp:11:21:11:31 | myParameter | yes |
| declarationEntry.cpp:18:6:18:11 | declaration of myEnum | declarationEntry.cpp:20:6:20:11 | myEnum | yes |
| declarationEntry.cpp:20:6:20:11 | definition of myEnum | declarationEntry.cpp:20:6:20:11 | myEnum | yes |
| declarationEntry.cpp:27:20:27:20 | definition of T | declarationEntry.cpp:27:20:27:20 | T | yes |
| declarationEntry.cpp:28:7:28:7 | declaration of operator= | declarationEntry.cpp:28:7:28:7 | operator= | yes |
| declarationEntry.cpp:28:7:28:7 | declaration of operator= | declarationEntry.cpp:28:7:28:7 | operator= | yes |
| declarationEntry.cpp:28:7:28:7 | declaration of operator= | declarationEntry.cpp:28:7:28:7 | operator= | yes |
| declarationEntry.cpp:28:7:28:7 | declaration of operator= | declarationEntry.cpp:28:7:28:7 | operator= | yes |
| declarationEntry.cpp:28:7:28:21 | definition of myTemplateClass<T> | declarationEntry.cpp:28:7:28:21 | myTemplateClass<T> | yes |
| declarationEntry.cpp:31:4:31:19 | definition of myMemberVariable | declarationEntry.cpp:31:4:31:19 | myMemberVariable | yes |
| declarationEntry.cpp:31:4:31:19 | definition of myMemberVariable | declarationEntry.cpp:31:4:31:19 | myMemberVariable | yes |
| declarationEntry.cpp:31:4:31:19 | definition of myMemberVariable | declarationEntry.cpp:31:4:31:19 | myMemberVariable | yes |
| declarationEntry.cpp:34:22:34:28 | definition of mtc_int | declarationEntry.cpp:34:22:34:28 | mtc_int | yes |
| declarationEntry.cpp:35:24:35:32 | definition of mtc_short | declarationEntry.cpp:35:24:35:32 | mtc_short | yes |
| declarationEntry.cpp:39:7:39:7 | declaration of operator= | declarationEntry.cpp:39:7:39:7 | operator= | yes |
| declarationEntry.cpp:39:7:39:7 | declaration of operator= | declarationEntry.cpp:39:7:39:7 | operator= | yes |
| declarationEntry.cpp:39:7:39:13 | definition of myClass | declarationEntry.cpp:39:7:39:13 | myClass | yes |
| declarationEntry.cpp:42:6:42:21 | definition of myMemberVariable | declarationEntry.cpp:42:6:42:21 | myMemberVariable | yes |
| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
| file://:0:0:0:0 | declaration of 1st parameter | file://:0:0:0:0 | (unnamed parameter 0) | yes |
| file://:0:0:0:0 | definition of fp_offset | file://:0:0:0:0 | fp_offset | yes |
| file://:0:0:0:0 | definition of gp_offset | file://:0:0:0:0 | gp_offset | yes |
| file://:0:0:0:0 | definition of overflow_arg_area | file://:0:0:0:0 | overflow_arg_area | yes |
| file://:0:0:0:0 | definition of reg_save_area | file://:0:0:0:0 | reg_save_area | yes |
| forwardDeclaration.cpp:1:7:1:13 | declaration of myClass | declarationEntry.cpp:39:7:39:13 | myClass | yes |
| forwardDeclaration.cpp:3:10:3:19 | definition of myClassPtr | forwardDeclaration.cpp:3:10:3:19 | myClassPtr | yes |
| macro.c:2:1:2:3 | declaration of foo | macro.c:2:1:2:3 | foo | yes |
| macro.c:4:5:4:8 | definition of main | macro.c:4:5:4:8 | main | yes |
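Review bot: the rows at `file://:0:0:0:0` for `fp_offset`, `gp_offset`, `overflow_arg_area` and `reg_save_area` are the fields of the compiler's built-in `va_list` structure on x86-64, and the six `declaration of 1st parameter` rows at the same location are likewise compiler-provided rather than from the test sources. Baking them into the `.expected` file ties the test to that target, so it will need a different expected output on another architecture; restricting the query to declaration entries located in the test's own source files would keep the round-trip check independent of the platform.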


@@ -0,0 +1,7 @@
import cpp
from DeclarationEntry de, Declaration d, string canRoundTrip
where
d = de.getDeclaration() and
if d.getADeclarationEntry() = de then canRoundTrip = "yes" else canRoundTrip = "no"
select de, d, canRoundTrip
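Review bot: every row in the accompanying `.expected` file reports `yes`, so the `else canRoundTrip = "no"` branch is never exercised and the test has no example of the failure shape it is guarding against. Either add a declaration entry that is known not to round-trip, or, if `d.getADeclarationEntry() = de` is meant to hold by construction for every `DeclarationEntry`, say so in a comment so the all-`yes` output reads as the invariant being asserted rather than as an untested branch.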


@@ -7,7 +7,7 @@
| value_categories.cpp:38:5:38:5 | (reference dereference) | int | lvalue |
| value_categories.cpp:38:5:38:9 | ... = ... | int | lvalue |
| value_categories.cpp:42:12:42:12 | (reference dereference) | int | lvalue |
| value_categories.cpp:52:19:52:33 | (reference dereference) | int | xvalue |
| value_categories.cpp:52:31:52:33 | (reference dereference) | int | xvalue |
| value_categories.cpp:57:5:57:6 | (reference dereference) | int | lvalue |
| value_categories.cpp:57:5:57:10 | ... = ... | int | lvalue |
| value_categories.cpp:62:12:62:33 | static_cast<int>... | int | xvalue |


@@ -7,7 +7,7 @@ string describe(File f) {
f.compiledAsCpp() and
result = "C++"
or
f instanceof XMLParent and
f instanceof XmlParent and
result = "XMLParent" // regression tests a bug in the characteristic predicate of XMLParent
}
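Review bot: the class reference was renamed to `XmlParent`, but the trailing comment on the next line still says `XMLParent`, and the `result` string is also `"XMLParent"`. Update the comment to match the new name, and either rename the string as well or note that it is kept deliberately so the `.expected` output stays unchanged.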


@@ -1,4 +1,3 @@
| file://:0:0:0:0 | There was an error during this compilation |
| float128.cpp:1:39:1:39 | 128-bit floating-point types are not supported in this configuration |
| float128.cpp:2:30:2:30 | an attribute specifies a mode incompatible with '<error-type>' |
| float128.cpp:2:41:2:41 | invalid combination of type specifiers |
| float128.cpp:2:30:2:30 | 128-bit floating-point types are not supported in this configuration |

Some files were not shown because too many files have changed in this diff.