From 3d208c0a6271967178f69c6b96c66c714684368d Mon Sep 17 00:00:00 2001 From: Asger F Date: Mon, 17 Apr 2023 11:27:33 +0200 Subject: [PATCH 01/20] JS: Port Actions sources based on PR from R3x --- javascript/ql/lib/javascript.qll | 1 + .../javascript/frameworks/ActionsLib.qll | 40 +++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll diff --git a/javascript/ql/lib/javascript.qll b/javascript/ql/lib/javascript.qll index 53bb91797aa..ed38db6550e 100644 --- a/javascript/ql/lib/javascript.qll +++ b/javascript/ql/lib/javascript.qll @@ -67,6 +67,7 @@ import semmle.javascript.YAML import semmle.javascript.dataflow.DataFlow import semmle.javascript.dataflow.TaintTracking import semmle.javascript.dataflow.TypeInference +import semmle.javascript.frameworks.ActionsLib import semmle.javascript.frameworks.Angular2 import semmle.javascript.frameworks.AngularJS import semmle.javascript.frameworks.Anser diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll new file mode 100644 index 00000000000..970c7d20ac5 --- /dev/null +++ b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll 
@@ -0,0 +1,40 @@
+private import javascript
+
+private API::Node payload() {
+ result = API::moduleImport("@actions/github").getMember("context").getMember("payload")
+}
+
+private API::Node workflowRun() { result = payload().getMember("workflow_run") }
+
+private API::Node commitObj() {
+ result = workflowRun().getMember("head_commit")
+ or
+ result = payload().getMember("commits").getAMember()
+}
+
+private API::Node pullRequest() {
+ result = payload().getMember("pull_request")
+ or
+ result = commitObj().getMember("pull_requests").getAMember()
+}
+
+private API::Node taintSource() {
+ result = pullRequest().getMember("head").getMember(["ref", "label"])
+ or
+ result =
+ [pullRequest(), payload().getMember(["discussion", "issue"])].getMember(["title", "body"])
+ or
+ result = payload().getMember(["review", "review_comment", "comment"]).getMember("body")
+ or
+ result = workflowRun().getMember("head_branch")
+ or
+ result = commitObj().getMember("message")
+ or
+ result = commitObj().getMember("author").getMember(["name", "email"])
+}
+
+private class GitHubActionsSource extends RemoteFlowSource {
+ GitHubActionsSource() { this = taintSource().asSource() }
+
+ override string getSourceType() { result = "GitHub Actions input" }
+}
From cb9b01cbb7f12476df1be1a2cf2cb7397168b4e6 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Mon, 1 May 2023 10:38:09 +0200
Subject: [PATCH 02/20] JS: Port new sources based on comment from JarLob
---
.../ql/lib/semmle/javascript/frameworks/ActionsLib.qll | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
index 970c7d20ac5..c97cff73dfc 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
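Review bot: In `pullRequest()`, the second disjunct reads `pull_requests` from `commitObj()`, that is from `workflow_run.head_commit` or an element of `payload.commits`. As far as I know the webhook payload carries that array directly on `workflow_run`, so this branch probably never matches and `workflow_run.pull_requests[*].head.ref` is silently missed as a source. I would change the line to `result = workflowRun().getMember("pull_requests").getAMember()`. A test case that reads `github.context.payload.workflow_run.pull_requests[0].head.ref` would pin the intended path down.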
@@ -26,11 +26,13 @@ private API::Node taintSource() { or result = payload().getMember(["review", "review_comment", "comment"]).getMember("body") or - result = workflowRun().getMember("head_branch") + result = workflowRun().getMember(["head_branch", "display_title"]) + or + result = workflowRun().getMember("head_repository").getMember("description") or result = commitObj().getMember("message") or - result = commitObj().getMember("author").getMember(["name", "email"]) + result = commitObj().getMember(["author", "committer"]).getMember(["name", "email"]) } private class GitHubActionsSource extends RemoteFlowSource { From 0497e60ce2c8efe07f8961146897a259a742903e Mon Sep 17 00:00:00 2001 From: Asger F Date: Mon, 1 May 2023 11:05:59 +0200 Subject: [PATCH 03/20] JS: Model actions/exec --- .../semmle/javascript/frameworks/ActionsLib.qll | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll index c97cff73dfc..74b65ee5adc 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll @@ -40,3 +40,17 @@ private class GitHubActionsSource extends RemoteFlowSource { override string getSourceType() { result = "GitHub Actions input" } } + +private class ExecActionsCall extends SystemCommandExecution, DataFlow::CallNode { + ExecActionsCall() { + this = API::moduleImport("@actions/exec").getMember(["exec", "getExecOutput"]).getACall() + } + + override DataFlow::Node getACommandArgument() { result = this.getArgument(0) } + + override DataFlow::Node getArgumentList() { result = this.getArgument(1) } + + override DataFlow::Node getOptionsArg() { result = this.getArgument(2) } + + override predicate isSync() { none() } +} From cb95dbfa14124e27ebb6dce58cb6dc30c61784fa Mon Sep 17 00:00:00 2001 
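Review bot: `ExecActionsCall`, added in the `@actions/exec` hunk, has no QLDoc, and the role of argument 0 is not obvious from the overrides alone. The library takes a whole command line there (tool plus optional arguments) and, as far as I know, tokenises it itself rather than handing it to a shell. A comment such as `/** A call to exec or getExecOutput from @actions/exec, where argument 0 is a full command line and argument 1 an optional argument array. */` would tell readers why tainted data in argument 0 is reported even though no shell is involved. A short note next to `isSync()` that both functions return promises would explain the `none()`.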
From: Asger F Date: Mon, 1 May 2023 11:06:13 +0200 Subject: [PATCH 04/20] JS: Add tests --- .../CommandInjection.expected | 24 +++++++++++++++++++ .../CWE-078/CommandInjection/actions.js | 22 +++++++++++++++++ .../CodeInjection/CodeInjection.expected | 5 ++++ .../HeuristicSourceCodeInjection.expected | 4 ++++ .../Security/CWE-094/CodeInjection/actions.js | 8 +++++++ 5 files changed, 63 insertions(+) create mode 100644 javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js create mode 100644 javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected index 3d18fcf4b2e..fb8bc60e673 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected @@ -1,4 +1,16 @@ nodes +| actions.js:8:9:8:57 | title | +| actions.js:8:17:8:57 | github. ... t.title | +| actions.js:8:17:8:57 | github. ... t.title | +| actions.js:9:8:9:22 | `echo ${title}` | +| actions.js:9:8:9:22 | `echo ${title}` | +| actions.js:9:16:9:20 | title | +| actions.js:18:9:18:63 | head_ref | +| actions.js:18:20:18:63 | github. ... ead.ref | +| actions.js:18:20:18:63 | github. ... ead.ref | +| actions.js:19:14:19:31 | `echo ${head_ref}` | +| actions.js:19:14:19:31 | `echo ${head_ref}` | +| actions.js:19:22:19:29 | head_ref | | child_process-test.js:6:9:6:49 | cmd | | child_process-test.js:6:15:6:38 | url.par ... , true) | | child_process-test.js:6:15:6:44 | url.par ... ).query | 
@@ -179,6 +191,16 @@ nodes | third-party-command-injection.js:6:21:6:27 | command | | third-party-command-injection.js:6:21:6:27 | command | edges +| actions.js:8:9:8:57 | title | actions.js:9:16:9:20 | title | +| actions.js:8:17:8:57 | github. ... t.title | actions.js:8:9:8:57 | title | +| actions.js:8:17:8:57 | github. ... t.title | actions.js:8:9:8:57 | title | +| actions.js:9:16:9:20 | title | actions.js:9:8:9:22 | `echo ${title}` | +| actions.js:9:16:9:20 | title | actions.js:9:8:9:22 | `echo ${title}` | +| actions.js:18:9:18:63 | head_ref | actions.js:19:22:19:29 | head_ref | +| actions.js:18:20:18:63 | github. ... ead.ref | actions.js:18:9:18:63 | head_ref | +| actions.js:18:20:18:63 | github. ... ead.ref | actions.js:18:9:18:63 | head_ref | +| actions.js:19:22:19:29 | head_ref | actions.js:19:14:19:31 | `echo ${head_ref}` | +| actions.js:19:22:19:29 | head_ref | actions.js:19:14:19:31 | `echo ${head_ref}` | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:18:17:18:19 | cmd | 
@@ -344,6 +366,8 @@ edges | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | #select +| actions.js:9:8:9:22 | `echo ${title}` | actions.js:8:17:8:57 | github. ... t.title | actions.js:9:8:9:22 | `echo ${title}` | This command line depends on a $@. | actions.js:8:17:8:57 | github. ... t.title | user-provided value | +| actions.js:19:14:19:31 | `echo ${head_ref}` | actions.js:18:20:18:63 | github. ... ead.ref | actions.js:19:14:19:31 | `echo ${head_ref}` | This command line depends on a $@. | actions.js:18:20:18:63 | github. ... ead.ref | user-provided value | | child_process-test.js:17:13:17:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:17:13:17:15 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | | child_process-test.js:18:17:18:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:18:17:18:19 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | | child_process-test.js:19:17:19:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:19:17:19:19 | cmd | This command line depends on a $@. | child_process-test.js:6:25:6:31 | req.url | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js new file mode 100644 index 00000000000..1cfea0118bc --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js 
@@ -0,0 +1,22 @@ +const github = require('@actions/github'); +const aexec = require('@actions/exec'); +const { exec } = require('child_process'); + +// function to echo title +function echo_title() { + // get the title from the event pull request + const title = github.context.payload.pull_request.title; + exec(`echo ${title}`, (err, stdout, stderr) => { // NOT OK + if (err) { + return; + } + }); +} + +// function which passes the issue title into an exec +function exec_head_ref() { + const head_ref = github.context.payload.pull_request.head.ref; + aexec.exec(`echo ${head_ref}`).then((res) => { // NOT OK + console.log(res); + }); +} diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected index 545b9d71d7c..ddfe2c78f07 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected @@ -13,6 +13,9 @@ nodes | NoSQLCodeInjection.js:22:36:22:43 | req.body | | NoSQLCodeInjection.js:22:36:22:43 | req.body | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | +| actions.js:5:10:5:50 | github. ... message | +| actions.js:5:10:5:50 | github. ... message | +| actions.js:5:10:5:50 | github. ... message | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | 
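Review bot: The comment above `exec_head_ref` says the issue title is passed into an exec, but the function reads `pull_request.head.ref`; it should read `// function which passes the pull request head ref into @actions/exec`. The file also exercises only `aexec.exec`, while the model for `@actions/exec` covers `getExecOutput` as well. A case such as `aexec.getExecOutput('echo ' + head_ref); // NOT OK` would keep that member from regressing unnoticed.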
@@ -191,6 +194,7 @@ edges | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | +| actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | 
@@ -306,6 +310,7 @@ edges | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | This code execution depends on a $@. | NoSQLCodeInjection.js:18:24:18:31 | req.body | user-provided value | | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:19:36:19:43 | req.body | user-provided value | | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:22:36:22:43 | req.body | user-provided value | +| actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | This code execution depends on a $@. | actions.js:5:10:5:50 | github. ... message | user-provided value | | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | This code execution depends on a $@. | angularjs.js:10:22:10:36 | location.search | user-provided value | | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | This code execution depends on a $@. | angularjs.js:13:23:13:37 | location.search | user-provided value | | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | This code execution depends on a $@. | angularjs.js:16:28:16:42 | location.search | user-provided value | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected index 0c4f02406d6..64620c6d3bf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected @@ -13,6 +13,9 @@ nodes | NoSQLCodeInjection.js:22:36:22:43 | req.body | | NoSQLCodeInjection.js:22:36:22:43 | req.body | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | +| actions.js:5:10:5:50 | github. ... message | +| actions.js:5:10:5:50 | github. ... message | +| actions.js:5:10:5:50 | github. ... message | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | @@ -195,6 +198,7 @@ edges | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | +| actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js new file mode 100644 index 00000000000..ee49ec3888e --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js 
@@ -0,0 +1,8 @@ +const core = require('@actions/core'); +const github = require('@actions/github'); + +function test() { + eval(github.context.payload.commits[1].message); // NOT OK + eval(core.getInput('numbers')); // NOT OK + eval(core.getMultilineInput('numbers').join('\n')); // NOT OK +} From 08785a4063f2638100675aae4fe1c6b151088f3e Mon Sep 17 00:00:00 2001 From: Asger F Date: Mon, 1 May 2023 11:03:24 +0200 Subject: [PATCH 05/20] JS: Add sources from actions/core --- .../semmle/javascript/frameworks/ActionsLib.qll | 3 +++ .../CWE-094/CodeInjection/CodeInjection.expected | 14 ++++++++++++++ .../HeuristicSourceCodeInjection.expected | 12 ++++++++++++ 3 files changed, 29 insertions(+) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll index 74b65ee5adc..8f10144269c 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll @@ -33,6 +33,9 @@ private API::Node taintSource() { result = commitObj().getMember("message") or result = commitObj().getMember(["author", "committer"]).getMember(["name", "email"]) + or + result = + API::moduleImport("@actions/core").getMember(["getInput", "getMultilineInput"]).getReturn() } private class GitHubActionsSource extends RemoteFlowSource { diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected index ddfe2c78f07..181b4d91d34 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected 
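Review bot: `test()` reaches the payload model only through `payload.commits[1].message`, and the command-injection test file uses `pull_request.title` and `pull_request.head.ref`, so none of the `workflow_run` sources (`head_branch`, `display_title`, `head_commit`, `head_repository.description`) has a test. One extra line such as `eval(github.context.payload.workflow_run.head_branch); // NOT OK` would cover that branch of `taintSource()`. The `discussion`, `issue` and review-comment bodies are likewise untested in the visible test files.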
@@ -16,6 +16,13 @@ nodes | actions.js:5:10:5:50 | github. ... message | | actions.js:5:10:5:50 | github. ... message | | actions.js:5:10:5:50 | github. ... message | +| actions.js:6:10:6:33 | core.ge ... mbers') | +| actions.js:6:10:6:33 | core.ge ... mbers') | +| actions.js:6:10:6:33 | core.ge ... mbers') | +| actions.js:7:10:7:42 | core.ge ... mbers') | +| actions.js:7:10:7:42 | core.ge ... mbers') | +| actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:7:10:7:53 | core.ge ... n('\\n') | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | @@ -195,6 +202,11 @@ edges | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | | actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | +| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | +| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | 
@@ -311,6 +323,8 @@ edges | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:19:36:19:43 | req.body | user-provided value | | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:22:36:22:43 | req.body | user-provided value | | actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | This code execution depends on a $@. | actions.js:5:10:5:50 | github. ... message | user-provided value | +| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | This code execution depends on a $@. | actions.js:6:10:6:33 | core.ge ... mbers') | user-provided value | +| actions.js:7:10:7:53 | core.ge ... n('\\n') | actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | This code execution depends on a $@. | actions.js:7:10:7:42 | core.ge ... mbers') | user-provided value | | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | This code execution depends on a $@. | angularjs.js:10:22:10:36 | location.search | user-provided value | | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | This code execution depends on a $@. | angularjs.js:13:23:13:37 | location.search | user-provided value | | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | This code execution depends on a $@. 
| angularjs.js:16:28:16:42 | location.search | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected index 64620c6d3bf..841b942f82a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected @@ -16,6 +16,13 @@ nodes | actions.js:5:10:5:50 | github. ... message | | actions.js:5:10:5:50 | github. ... message | | actions.js:5:10:5:50 | github. ... message | +| actions.js:6:10:6:33 | core.ge ... mbers') | +| actions.js:6:10:6:33 | core.ge ... mbers') | +| actions.js:6:10:6:33 | core.ge ... mbers') | +| actions.js:7:10:7:42 | core.ge ... mbers') | +| actions.js:7:10:7:42 | core.ge ... mbers') | +| actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:7:10:7:53 | core.ge ... n('\\n') | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | 
@@ -199,6 +206,11 @@ edges | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | | actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | +| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | +| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | From 5eaaa7e07410d2d61e2ed0c9990fd9b3f1c87895 Mon Sep 17 00:00:00 2001 From: Asger F Date: Mon, 1 May 2023 11:42:55 +0200 Subject: [PATCH 06/20] JS: Add qldoc --- javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll index 8f10144269c..2b0948cb721 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll @@ -1,3 +1,7 @@ +/** + * Contains models for `@actions/core` related libraries. + */ + private import javascript private API::Node payload() { From 04e393fcf8b83fe4c1dd1af4d2bce14f61fa2dc6 Mon Sep 17 00:00:00 2001 
From: Asger F
Date: Tue, 2 May 2023 11:02:58 +0200
Subject: [PATCH 07/20] JS: Change note
---
.../ql/src/change-notes/2023-05-02-github-actions-sources.md | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 ruby/ql/src/change-notes/2023-05-02-github-actions-sources.md
diff --git a/ruby/ql/src/change-notes/2023-05-02-github-actions-sources.md b/ruby/ql/src/change-notes/2023-05-02-github-actions-sources.md
new file mode 100644
index 00000000000..a9cf1339421
--- /dev/null
+++ b/ruby/ql/src/change-notes/2023-05-02-github-actions-sources.md
@@ -0,0 +1,5 @@
+---
+category: majorAnalysis
+---
+* Added taint sources from the `@actions/core` and `@actions/github` packages.
+* Added command-injection sinks from the `@actions/exec` package.
From bdcda7ffe658291ad97e74560e4475071db74ea8 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Wed, 3 May 2023 10:22:40 +0200
Subject: [PATCH 08/20] JS: Move change note to right location
---
.../ql/src/change-notes/2023-05-02-github-actions-sources.md | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename {ruby => javascript}/ql/src/change-notes/2023-05-02-github-actions-sources.md (100%)
diff --git a/ruby/ql/src/change-notes/2023-05-02-github-actions-sources.md b/javascript/ql/src/change-notes/2023-05-02-github-actions-sources.md
similarity index 100%
rename from ruby/ql/src/change-notes/2023-05-02-github-actions-sources.md
rename to javascript/ql/src/change-notes/2023-05-02-github-actions-sources.md
From 4c6711d0071f1990b4a5d3abde3aa8ad80467915 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Wed, 3 May 2023 10:30:04 +0200
Subject: [PATCH 09/20] JS: Clarify the difference between context and input sources
---
.../javascript/frameworks/ActionsLib.qll | 31 +++++++++++++++----
1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
index 2b0948cb721..512abfc0379 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll @@ -37,15 +37,34 @@ private API::Node taintSource() { result = commitObj().getMember("message") or result = commitObj().getMember(["author", "committer"]).getMember(["name", "email"]) - or - result = - API::moduleImport("@actions/core").getMember(["getInput", "getMultilineInput"]).getReturn() } -private class GitHubActionsSource extends RemoteFlowSource { - GitHubActionsSource() { this = taintSource().asSource() } +/** + * A source of taint originating from the context. + */ +private class GitHubActionsContextSource extends RemoteFlowSource { + GitHubActionsContextSource() { this = taintSource().asSource() } - override string getSourceType() { result = "GitHub Actions input" } + override string getSourceType() { result = "GitHub Actions context" } +} + +/** + * A source of taint originating from user input. + * + * At the momemnt this is treated as a remote flow source, although it is not + * always possible for an attacker to control this. In the future we might classify + * this differently. + */ +private class GitHubActionsInputSource extends RemoteFlowSource { + GitHubActionsInputSource() { + this = + API::moduleImport("@actions/core") + .getMember(["getInput", "getMultilineInput"]) + .getReturn() + .asSource() + } + + override string getSourceType() { result = "GitHub Actions user input" } } private class ExecActionsCall extends SystemCommandExecution, DataFlow::CallNode { From b9ad4177f90fd881bfd647f75ee8b1ab18587c88 Mon Sep 17 00:00:00 2001 
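Review bot: The QLDoc added on `GitHubActionsInputSource` contains a typo, `momemnt` should be `moment`. The comment on `GitHubActionsContextSource`, `A source of taint originating from the context.`, is also too terse to tell the two classes apart. Something like `A value read from the event payload in github.context.payload, such as a pull request title or a commit message.` states what "context" means here. `ExecActionsCall`, visible as context at the end of the hunk, is still left without a doc comment.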
From: Asger F Date: Wed, 3 May 2023 10:48:14 +0200 Subject: [PATCH 10/20] JS: List safe environment variables in IndirectCommandInjection --- ...IndirectCommandInjectionCustomizations.qll | 32 +++++++++++++++++++ .../IndirectCommandInjection.expected | 21 ++++++++++++ .../IndirectCommandInjection/actions.js | 11 +++++++ 3 files changed, 64 insertions(+) create mode 100644 javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll index 132f8c7979c..5d84291f1de 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll 
@@ -49,6 +49,38 @@ module IndirectCommandInjection { override string describe() { result = "environment variable" } } + /** Gets a data flow node referring to `process.env`. */ + private DataFlow::SourceNode envObject(DataFlow::TypeTracker t) { + t.start() and + result = NodeJSLib::process().getAPropertyRead("env") + or + exists(DataFlow::TypeTracker t2 | result = envObject(t2).track(t2, t)) + } + + /** Gets a data flow node referring to `process.env`. */ + DataFlow::SourceNode envObject() { result = envObject(DataFlow::TypeTracker::end()) } + + /** + * Gets the name of an environment variable that is assumed to be safe. + */ + private string getASafeEnvironmentVariable() { + result = + [ + "GITHUB_ACTION", "GITHUB_ACTION_PATH", "GITHUB_ACTION_REPOSITORY", "GITHUB_ACTIONS", + "GITHUB_ACTOR", "GITHUB_API_URL", "GITHUB_BASE_REF", "GITHUB_ENV", "GITHUB_EVENT_NAME", + "GITHUB_EVENT_PATH", "GITHUB_GRAPHQL_URL", "GITHUB_JOB", "GITHUB_PATH", "GITHUB_REF", + "GITHUB_REPOSITORY", "GITHUB_REPOSITORY_OWNER", "GITHUB_RUN_ID", "GITHUB_RUN_NUMBER", + "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKFLOW", "GITHUB_WORKSPACE" + ] + } + + /** Sanitizer that blocks flow through safe environment variables. */ + private class SafeEnvVariableSanitizer extends Sanitizer { + SafeEnvVariableSanitizer() { + this = envObject().getAPropertyRead(getASafeEnvironmentVariable()) + } + } + /** * An object containing parsed command-line arguments, considered as a flow source for command injection. */ diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected index 4173f8d67ad..9b504a68acd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected 
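Review bot: `getASafeEnvironmentVariable()` encodes a trust decision but gives no rationale, and its entries are not all of the same kind. Ids, URLs and runner-managed paths sit next to `GITHUB_REF`, `GITHUB_BASE_REF` and `GITHUB_WORKFLOW`, whose values are names chosen by people with access to the repository. A comment above the list should say which property makes a variable safe, and that `GITHUB_HEAD_REF` is presumably left out on purpose because a pull request author picks it; that would stop later edits from adding it by analogy. Separately, the private `envObject(DataFlow::TypeTracker t)` and the public `envObject()` carry identical QLDoc; the tracked overload could say `Gets a data flow node referring to process.env, tracked by t.`. The enclosing module starts and ends outside the hunk.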
@@ -1,4 +1,14 @@ nodes +| actions.js:3:6:3:16 | process.env | +| actions.js:3:6:3:16 | process.env | +| actions.js:3:6:3:29 | process ... _DATA'] | +| actions.js:3:6:3:29 | process ... _DATA'] | +| actions.js:6:15:6:15 | e | +| actions.js:7:10:7:10 | e | +| actions.js:7:10:7:23 | e['TEST_DATA'] | +| actions.js:7:10:7:23 | e['TEST_DATA'] | +| actions.js:11:6:11:16 | process.env | +| actions.js:11:6:11:16 | process.env | | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | @@ -212,6 +222,15 @@ nodes | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | edges +| actions.js:3:6:3:16 | process.env | actions.js:3:6:3:29 | process ... _DATA'] | +| actions.js:3:6:3:16 | process.env | actions.js:3:6:3:29 | process ... _DATA'] | +| actions.js:3:6:3:16 | process.env | actions.js:3:6:3:29 | process ... _DATA'] | +| actions.js:3:6:3:16 | process.env | actions.js:3:6:3:29 | process ... _DATA'] | +| actions.js:6:15:6:15 | e | actions.js:7:10:7:10 | e | +| actions.js:7:10:7:10 | e | actions.js:7:10:7:23 | e['TEST_DATA'] | +| actions.js:7:10:7:10 | e | actions.js:7:10:7:23 | e['TEST_DATA'] | +| actions.js:11:6:11:16 | process.env | actions.js:6:15:6:15 | e | +| actions.js:11:6:11:16 | process.env | actions.js:6:15:6:15 | e | | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] | | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] | 
@@ -400,6 +419,8 @@ edges | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | #select +| actions.js:3:6:3:29 | process ... _DATA'] | actions.js:3:6:3:16 | process.env | actions.js:3:6:3:29 | process ... _DATA'] | This command depends on an unsanitized $@. | actions.js:3:6:3:16 | process.env | environment variable | +| actions.js:7:10:7:23 | e['TEST_DATA'] | actions.js:11:6:11:16 | process.env | actions.js:7:10:7:23 | e['TEST_DATA'] | This command depends on an unsanitized $@. | actions.js:11:6:11:16 | process.env | environment variable | | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument | | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument | | command-line-parameter-command-injection.js:11:14:11:20 | args[0] | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:11:14:11:20 | args[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js
new file mode 100644
index 00000000000..dc2238f777d
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js
@@ -0,0 +1,11 @@
+import { exec } from "@actions/exec";
+
+exec(process.env['TEST_DATA']); // NOT OK
+exec(process.env['GITHUB_ACTION']); // OK
+
+function test(e) {
+ exec(e['TEST_DATA']); // NOT OK
+ exec(e['GITHUB_ACTION']); // OK
+}
+
+test(process.env);
From 1a9956354e64240846ce2ea8ed419617e8788fe7 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Wed, 3 May 2023 16:10:03 +0200
Subject: [PATCH 11/20] JS: Restrict getInput to indirect command injection query
---
 .../javascript/frameworks/ActionsLib.qll | 10 ++--
 .../IndirectCommandInjection.expected | 47 ++++++++++---------
 .../IndirectCommandInjection/actions.js | 3 ++
 .../CodeInjection/CodeInjection.expected | 24 ++--------
 .../HeuristicSourceCodeInjection.expected | 20 ++------
 .../Security/CWE-094/CodeInjection/actions.js | 3 --
 6 files changed, 43 insertions(+), 64 deletions(-)
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
index 512abfc0379..09733d783f1 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
@@ -3,6 +3,7 @@
 */
 
 private import javascript
+private import semmle.javascript.security.dataflow.IndirectCommandInjectionCustomizations
 
 private API::Node payload() {
 result = API::moduleImport("@actions/github").getMember("context").getMember("payload")
@@ -51,11 +52,10 @@ private class GitHubActionsContextSource extends RemoteFlowSource {
 /**
 * A source of taint originating from user input.
 *
- * At the momemnt this is treated as a remote flow source, although it is not
- * always possible for an attacker to control this. In the future we might classify
- * this differently.
+ * At the momemnt this is only treated as a taint source for the indirect-command injection
+ * query.
 */
-private class GitHubActionsInputSource extends RemoteFlowSource {
+private class GitHubActionsInputSource extends IndirectCommandInjection::Source {
 GitHubActionsInputSource() {
 this =
 API::moduleImport("@actions/core")
@@ -64,7 +64,7 @@ private class GitHubActionsInputSource extends RemoteFlowSource {
 .asSource()
 }
 
- override string getSourceType() { result = "GitHub Actions user input" }
+ override string describe() { result = "GitHub Actions user input" }
 }
 
 private class ExecActionsCall extends SystemCommandExecution, DataFlow::CallNode {
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected
index 9b504a68acd..47d8d4adcb1 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/IndirectCommandInjection.expected
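Review bot: The rewritten doc comment on `GitHubActionsInputSource` keeps the typo `momemnt` and drops the reason the old text gave for treating these values specially, namely that an attacker cannot always control an action input. I would word the two new lines as ` * At the moment this is only a taint source for the indirect command injection query,` and ` * because an attacker cannot always control the value of an action input.` Because the class now extends `IndirectCommandInjection::Source` rather than `RemoteFlowSource`, flows from `getInput` into other sinks such as `eval` are no longer reported, as the removed CodeInjection test rows show; that loss of coverage is worth recording in a change note. The class body runs across both hunks and its `this = ...` chain is only partly visible.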
@@ -1,14 +1,17 @@ nodes -| actions.js:3:6:3:16 | process.env | -| actions.js:3:6:3:16 | process.env | -| actions.js:3:6:3:29 | process ... _DATA'] | -| actions.js:3:6:3:29 | process ... _DATA'] | -| actions.js:6:15:6:15 | e | -| actions.js:7:10:7:10 | e | -| actions.js:7:10:7:23 | e['TEST_DATA'] | -| actions.js:7:10:7:23 | e['TEST_DATA'] | -| actions.js:11:6:11:16 | process.env | -| actions.js:11:6:11:16 | process.env | +| actions.js:4:6:4:16 | process.env | +| actions.js:4:6:4:16 | process.env | +| actions.js:4:6:4:29 | process ... _DATA'] | +| actions.js:4:6:4:29 | process ... _DATA'] | +| actions.js:7:15:7:15 | e | +| actions.js:8:10:8:10 | e | +| actions.js:8:10:8:23 | e['TEST_DATA'] | +| actions.js:8:10:8:23 | e['TEST_DATA'] | +| actions.js:12:6:12:16 | process.env | +| actions.js:12:6:12:16 | process.env | +| actions.js:14:6:14:21 | getInput('data') | +| actions.js:14:6:14:21 | getInput('data') | +| actions.js:14:6:14:21 | getInput('data') | | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | 
@@ -222,15 +225,16 @@ nodes | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | edges -| actions.js:3:6:3:16 | process.env | actions.js:3:6:3:29 | process ... _DATA'] | -| actions.js:3:6:3:16 | process.env | actions.js:3:6:3:29 | process ... _DATA'] | -| actions.js:3:6:3:16 | process.env | actions.js:3:6:3:29 | process ... _DATA'] | -| actions.js:3:6:3:16 | process.env | actions.js:3:6:3:29 | process ... _DATA'] | -| actions.js:6:15:6:15 | e | actions.js:7:10:7:10 | e | -| actions.js:7:10:7:10 | e | actions.js:7:10:7:23 | e['TEST_DATA'] | -| actions.js:7:10:7:10 | e | actions.js:7:10:7:23 | e['TEST_DATA'] | -| actions.js:11:6:11:16 | process.env | actions.js:6:15:6:15 | e | -| actions.js:11:6:11:16 | process.env | actions.js:6:15:6:15 | e | +| actions.js:4:6:4:16 | process.env | actions.js:4:6:4:29 | process ... _DATA'] | +| actions.js:4:6:4:16 | process.env | actions.js:4:6:4:29 | process ... _DATA'] | +| actions.js:4:6:4:16 | process.env | actions.js:4:6:4:29 | process ... _DATA'] | +| actions.js:4:6:4:16 | process.env | actions.js:4:6:4:29 | process ... 
_DATA'] | +| actions.js:7:15:7:15 | e | actions.js:8:10:8:10 | e | +| actions.js:8:10:8:10 | e | actions.js:8:10:8:23 | e['TEST_DATA'] | +| actions.js:8:10:8:10 | e | actions.js:8:10:8:23 | e['TEST_DATA'] | +| actions.js:12:6:12:16 | process.env | actions.js:7:15:7:15 | e | +| actions.js:12:6:12:16 | process.env | actions.js:7:15:7:15 | e | +| actions.js:14:6:14:21 | getInput('data') | actions.js:14:6:14:21 | getInput('data') | | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] | | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] | 
@@ -419,8 +423,9 @@ edges | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | | command-line-parameter-command-injection.js:146:22:146:38 | program.pizzaType | command-line-parameter-command-injection.js:146:10:146:38 | "cmd.sh ... zzaType | #select -| actions.js:3:6:3:29 | process ... _DATA'] | actions.js:3:6:3:16 | process.env | actions.js:3:6:3:29 | process ... _DATA'] | This command depends on an unsanitized $@. | actions.js:3:6:3:16 | process.env | environment variable | -| actions.js:7:10:7:23 | e['TEST_DATA'] | actions.js:11:6:11:16 | process.env | actions.js:7:10:7:23 | e['TEST_DATA'] | This command depends on an unsanitized $@. | actions.js:11:6:11:16 | process.env | environment variable | +| actions.js:4:6:4:29 | process ... _DATA'] | actions.js:4:6:4:16 | process.env | actions.js:4:6:4:29 | process ... _DATA'] | This command depends on an unsanitized $@. | actions.js:4:6:4:16 | process.env | environment variable | +| actions.js:8:10:8:23 | e['TEST_DATA'] | actions.js:12:6:12:16 | process.env | actions.js:8:10:8:23 | e['TEST_DATA'] | This command depends on an unsanitized $@. | actions.js:12:6:12:16 | process.env | environment variable | +| actions.js:14:6:14:21 | getInput('data') | actions.js:14:6:14:21 | getInput('data') | actions.js:14:6:14:21 | getInput('data') | This command depends on an unsanitized $@. | actions.js:14:6:14:21 | getInput('data') | GitHub Actions user input | | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument | | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... 
argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument | | command-line-parameter-command-injection.js:11:14:11:20 | args[0] | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:11:14:11:20 | args[0] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line argument | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js index dc2238f777d..7a8f6982f17 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js @@ -1,4 +1,5 @@ import { exec } from "@actions/exec"; +import { getInput } from "@actions/core"; exec(process.env['TEST_DATA']); // NOT OK exec(process.env['GITHUB_ACTION']); // OK @@ -9,3 +10,5 @@ function test(e) { } test(process.env); + +exec(getInput('data')); // NOT OK diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected index 181b4d91d34..d866329402a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected 
@@ -13,16 +13,9 @@ nodes | NoSQLCodeInjection.js:22:36:22:43 | req.body | | NoSQLCodeInjection.js:22:36:22:43 | req.body | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | -| actions.js:5:10:5:50 | github. ... message | -| actions.js:5:10:5:50 | github. ... message | -| actions.js:5:10:5:50 | github. ... message | -| actions.js:6:10:6:33 | core.ge ... mbers') | -| actions.js:6:10:6:33 | core.ge ... mbers') | -| actions.js:6:10:6:33 | core.ge ... mbers') | -| actions.js:7:10:7:42 | core.ge ... mbers') | -| actions.js:7:10:7:42 | core.ge ... mbers') | -| actions.js:7:10:7:53 | core.ge ... n('\\n') | -| actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:4:10:4:50 | github. ... message | +| actions.js:4:10:4:50 | github. ... message | +| actions.js:4:10:4:50 | github. ... message | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | 
@@ -201,12 +194,7 @@ edges | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | -| actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | -| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | -| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | -| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | -| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | -| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:4:10:4:50 | github. ... message | actions.js:4:10:4:50 | github. ... message | | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | 
@@ -322,9 +310,7 @@ edges | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | This code execution depends on a $@. | NoSQLCodeInjection.js:18:24:18:31 | req.body | user-provided value | | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:19:36:19:43 | req.body | user-provided value | | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:22:36:22:43 | req.body | user-provided value | -| actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | This code execution depends on a $@. | actions.js:5:10:5:50 | github. ... message | user-provided value | -| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | This code execution depends on a $@. | actions.js:6:10:6:33 | core.ge ... mbers') | user-provided value | -| actions.js:7:10:7:53 | core.ge ... n('\\n') | actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | This code execution depends on a $@. | actions.js:7:10:7:42 | core.ge ... mbers') | user-provided value | +| actions.js:4:10:4:50 | github. ... message | actions.js:4:10:4:50 | github. ... message | actions.js:4:10:4:50 | github. ... message | This code execution depends on a $@. | actions.js:4:10:4:50 | github. ... message | user-provided value | | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | This code execution depends on a $@. 
| angularjs.js:10:22:10:36 | location.search | user-provided value | | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | This code execution depends on a $@. | angularjs.js:13:23:13:37 | location.search | user-provided value | | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | This code execution depends on a $@. | angularjs.js:16:28:16:42 | location.search | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected index 841b942f82a..be221820c07 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected @@ -13,16 +13,9 @@ nodes | NoSQLCodeInjection.js:22:36:22:43 | req.body | | NoSQLCodeInjection.js:22:36:22:43 | req.body | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | -| actions.js:5:10:5:50 | github. ... message | -| actions.js:5:10:5:50 | github. ... message | -| actions.js:5:10:5:50 | github. ... message | -| actions.js:6:10:6:33 | core.ge ... mbers') | -| actions.js:6:10:6:33 | core.ge ... mbers') | -| actions.js:6:10:6:33 | core.ge ... mbers') | -| actions.js:7:10:7:42 | core.ge ... mbers') | -| actions.js:7:10:7:42 | core.ge ... mbers') | -| actions.js:7:10:7:53 | core.ge ... n('\\n') | -| actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:4:10:4:50 | github. ... message | +| actions.js:4:10:4:50 | github. ... message | +| actions.js:4:10:4:50 | github. ... message | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | 
@@ -205,12 +198,7 @@ edges | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | -| actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | -| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | -| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | -| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | -| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | -| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | +| actions.js:4:10:4:50 | github. ... message | actions.js:4:10:4:50 | github. ... message | | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js index ee49ec3888e..df5cd88971a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js @@ -1,8 +1,5 @@ -const core = require('@actions/core'); const github = require('@actions/github'); function test() { eval(github.context.payload.commits[1].message); // NOT OK - eval(core.getInput('numbers')); // NOT OK - eval(core.getMultilineInput('numbers').join('\n')); // NOT OK } From 0984fc7ccebea532f64afb06ecb6d306e0e4e6af Mon Sep 17 00:00:00 2001 
From: Chuan-kai Lin
Date: Thu, 4 May 2023 13:17:51 -0700
Subject: [PATCH 12/20] JS: Add pragma[only_bind_out] to Locatable::toString() calls
---
 javascript/ql/lib/semmle/javascript/CFG.qll | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/javascript/ql/lib/semmle/javascript/CFG.qll b/javascript/ql/lib/semmle/javascript/CFG.qll
index d0897f18948..81bbef4c6d2 100644
--- a/javascript/ql/lib/semmle/javascript/CFG.qll
+++ b/javascript/ql/lib/semmle/javascript/CFG.qll
@@ -364,7 +364,9 @@ class SyntheticControlFlowNode extends @synthetic_cfg_node, ControlFlowNode {
 class ControlFlowEntryNode extends SyntheticControlFlowNode, @entry_node {
 override predicate isUnreachable() { none() }
 
- override string toString() { result = "entry node of " + this.getContainer().toString() }
+ override string toString() {
+ result = "entry node of " + pragma[only_bind_out](this.getContainer()).toString()
+ }
 }
 
 /** A synthetic CFG node marking the exit of a function or toplevel script. */
@@ -373,7 +375,9 @@ class ControlFlowExitNode extends SyntheticControlFlowNode, @exit_node {
 exit_cfg_node(this, container)
 }
 
- override string toString() { result = "exit node of " + this.getContainer().toString() }
+ override string toString() {
+ result = "exit node of " + pragma[only_bind_out](this.getContainer()).toString()
+ }
 }
 
 /**
From c0b3a1896b9cbd52fe87a791afaaf4b9e3010baf Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Fri, 5 May 2023 12:16:52 +0100
Subject: [PATCH 13/20] C++: No phi self-edges.
---
 .../cpp/ir/dataflow/internal/SsaInternals.qll | 1 +
 .../dataflow-ir-consistency.expected | 19 -------------------
 .../fields/dataflow-ir-consistency.expected | 16 ----------------
 3 files changed, 1 insertion(+), 35 deletions(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
index a1cfa44bb8e..71bf6aab3bc 100644
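Review bot: Neither rewritten `toString()` says why `pragma[only_bind_out]` wraps `this.getContainer()`, so a later cleanup could remove it as noise; this applies to the `ControlFlowEntryNode` hunk and to the `ControlFlowExitNode` hunk alike. A one-line comment above each `result = ...` line would be enough, for example `// only_bind_out: do not let the surrounding context bind the container (join-order fix)`, reworded to match the evaluation problem that was actually observed. Both classes start outside their hunks, so an existing explanation elsewhere in the file cannot be ruled out.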
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll @@ -742,6 +742,7 @@ predicate fromPhiNode(SsaPhiNode nodeFrom, Node nodeTo) { fromPhiNodeToUse(phi, sv, bb1, i1, use) or exists(PhiNode phiTo | + phi != phiTo and lastRefRedefExt(phi, _, _, phiTo) and nodeTo.(SsaPhiNode).getPhiNode() = phiTo ) diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected index 5a2e6ee9050..526361e6b0d 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected @@ -181,10 +181,6 @@ identityLocalStep | test.cpp:13:10:13:11 | t2 | Node steps to itself | | test.cpp:15:8:15:9 | t2 | Node steps to itself | | test.cpp:21:8:21:9 | t1 | Node steps to itself | -| test.cpp:23:19:23:19 | Phi | Node steps to itself | -| test.cpp:23:19:23:19 | Phi | Node steps to itself | -| test.cpp:23:19:23:19 | Phi | Node steps to itself | -| test.cpp:23:19:23:19 | Phi | Node steps to itself | | test.cpp:23:19:23:19 | i | Node steps to itself | | test.cpp:23:23:23:24 | t1 | Node steps to itself | | test.cpp:23:27:23:27 | i | Node steps to itself | @@ -351,9 +347,6 @@ identityLocalStep | test.cpp:489:20:489:20 | s | Node steps to itself | | test.cpp:489:20:489:20 | s indirection | Node steps to itself | | test.cpp:490:9:490:17 | p_content | Node steps to itself | -| test.cpp:497:10:497:16 | Phi | Node steps to itself | -| test.cpp:497:10:497:16 | Phi | Node steps to itself | -| test.cpp:497:10:497:16 | Phi | Node steps to itself | | test.cpp:498:9:498:14 | clean1 | Node steps to itself | | test.cpp:500:10:500:10 | x | Node steps to itself | | test.cpp:513:8:513:8 | x | Node steps to itself | 
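Review bot: The new conjunct `phi != phiTo` in `fromPhiNode` has no comment saying which case it excludes, and the same holds for `nodeFrom != nodeTo` added to `ssaFlowImpl` in patch 14/20. The removed rows in the consistency expectations suggest the purpose is to stop a node from stepping to itself, presumably when a phi node is its own next reference around a loop, so I would add above the conjunct `// A phi node may be its own successor; skip that case so no node steps to itself.` and an equivalent line in `ssaFlowImpl`. The body of `fromPhiNode` begins and continues outside this hunk.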
@@ -384,46 +377,34 @@ identityLocalStep | test.cpp:673:9:673:16 | ptr_to_s | Node steps to itself | | test.cpp:679:9:679:16 | ptr_to_s | Node steps to itself | | test.cpp:687:9:687:16 | ptr_to_s | Node steps to itself | -| true_upon_entry.cpp:10:19:10:19 | Phi | Node steps to itself | | true_upon_entry.cpp:10:19:10:19 | i | Node steps to itself | | true_upon_entry.cpp:10:27:10:27 | i | Node steps to itself | | true_upon_entry.cpp:13:8:13:8 | x | Node steps to itself | -| true_upon_entry.cpp:18:19:18:19 | Phi | Node steps to itself | -| true_upon_entry.cpp:18:19:18:19 | Phi | Node steps to itself | -| true_upon_entry.cpp:18:19:18:19 | Phi | Node steps to itself | | true_upon_entry.cpp:18:19:18:19 | i | Node steps to itself | | true_upon_entry.cpp:18:23:18:32 | iterations | Node steps to itself | | true_upon_entry.cpp:18:35:18:35 | i | Node steps to itself | | true_upon_entry.cpp:21:8:21:8 | x | Node steps to itself | -| true_upon_entry.cpp:26:19:26:19 | Phi | Node steps to itself | | true_upon_entry.cpp:26:19:26:19 | i | Node steps to itself | | true_upon_entry.cpp:26:27:26:27 | i | Node steps to itself | | true_upon_entry.cpp:29:8:29:8 | x | Node steps to itself | -| true_upon_entry.cpp:34:19:34:19 | Phi | Node steps to itself | | true_upon_entry.cpp:34:19:34:19 | i | Node steps to itself | | true_upon_entry.cpp:34:27:34:27 | i | Node steps to itself | | true_upon_entry.cpp:39:8:39:8 | x | Node steps to itself | -| true_upon_entry.cpp:44:19:44:19 | Phi | Node steps to itself | | true_upon_entry.cpp:44:19:44:19 | i | Node steps to itself | | true_upon_entry.cpp:44:27:44:27 | i | Node steps to itself | | true_upon_entry.cpp:49:8:49:8 | x | Node steps to itself | -| true_upon_entry.cpp:55:19:55:19 | Phi | Node steps to itself | | true_upon_entry.cpp:55:19:55:19 | i | Node steps to itself | | true_upon_entry.cpp:55:38:55:38 | i | Node steps to itself | | true_upon_entry.cpp:57:8:57:8 | x | Node steps to itself | -| true_upon_entry.cpp:63:19:63:19 | Phi | Node steps to 
itself | | true_upon_entry.cpp:63:19:63:19 | i | Node steps to itself | | true_upon_entry.cpp:63:38:63:38 | i | Node steps to itself | | true_upon_entry.cpp:66:8:66:8 | x | Node steps to itself | -| true_upon_entry.cpp:76:19:76:19 | Phi | Node steps to itself | | true_upon_entry.cpp:76:19:76:19 | i | Node steps to itself | | true_upon_entry.cpp:76:38:76:38 | i | Node steps to itself | | true_upon_entry.cpp:78:8:78:8 | x | Node steps to itself | -| true_upon_entry.cpp:84:24:84:24 | Phi | Node steps to itself | | true_upon_entry.cpp:84:30:84:30 | i | Node steps to itself | | true_upon_entry.cpp:84:38:84:38 | i | Node steps to itself | | true_upon_entry.cpp:86:8:86:8 | x | Node steps to itself | -| true_upon_entry.cpp:91:24:91:24 | Phi | Node steps to itself | | true_upon_entry.cpp:91:30:91:30 | i | Node steps to itself | | true_upon_entry.cpp:91:38:91:38 | i | Node steps to itself | | true_upon_entry.cpp:93:8:93:8 | x | Node steps to itself | diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected index 29bb90d455c..06ad45a17b7 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected @@ -137,7 +137,6 @@ identityLocalStep | A.cpp:165:10:165:11 | l3 | Node steps to itself | | A.cpp:166:10:166:11 | l3 | Node steps to itself | | A.cpp:167:22:167:23 | l3 | Node steps to itself | -| A.cpp:167:26:167:26 | Phi | Node steps to itself | | A.cpp:167:26:167:26 | l | Node steps to itself | | A.cpp:167:44:167:44 | l | Node steps to itself | | A.cpp:167:44:167:44 | l indirection | Node steps to itself | 
@@ -361,30 +360,15 @@ identityLocalStep | realistic.cpp:27:12:27:12 | m | Node steps to itself | | realistic.cpp:32:13:32:13 | d | Node steps to itself | | realistic.cpp:32:17:32:19 | num | Node steps to itself | -| realistic.cpp:33:11:33:11 | Phi | Node steps to itself | -| realistic.cpp:33:11:33:11 | Phi | Node steps to itself | -| realistic.cpp:33:11:33:11 | Phi | Node steps to itself | -| realistic.cpp:33:11:33:11 | Phi | Node steps to itself | -| realistic.cpp:33:11:33:11 | Phi | Node steps to itself | | realistic.cpp:33:11:33:11 | d | Node steps to itself | | realistic.cpp:33:16:33:16 | e | Node steps to itself | | realistic.cpp:36:12:36:22 | destination | Node steps to itself | | realistic.cpp:42:20:42:20 | o | Node steps to itself | | realistic.cpp:42:20:42:20 | o indirection | Node steps to itself | | realistic.cpp:42:20:42:20 | o indirection | Node steps to itself | -| realistic.cpp:48:21:48:21 | Phi | Node steps to itself | -| realistic.cpp:48:21:48:21 | Phi | Node steps to itself | -| realistic.cpp:48:21:48:21 | Phi | Node steps to itself | -| realistic.cpp:48:21:48:21 | Phi | Node steps to itself | | realistic.cpp:48:21:48:21 | i | Node steps to itself | | realistic.cpp:48:34:48:34 | i | Node steps to itself | | realistic.cpp:49:17:49:17 | i | Node steps to itself | -| realistic.cpp:52:11:52:11 | Phi | Node steps to itself | -| realistic.cpp:52:11:52:11 | Phi | Node steps to itself | -| realistic.cpp:52:11:52:11 | Phi | Node steps to itself | -| realistic.cpp:52:11:52:11 | Phi | Node steps to itself | -| realistic.cpp:52:11:52:11 | Phi | Node steps to itself | -| realistic.cpp:52:11:52:11 | Phi | Node steps to itself | | realistic.cpp:52:11:52:11 | i | Node steps to itself | | realistic.cpp:53:17:53:17 | i | Node steps to itself | | realistic.cpp:54:24:54:24 | i | Node steps to itself | From 4048915c8c59b7e263b290cb5dd4fd7dcb64c3d6 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Fri, 5 May 2023 15:45:44 +0100 Subject: [PATCH 14/20] C++: Remove self edges from non-post-update SSA. --- .../cpp/ir/dataflow/internal/SsaInternals.qll | 3 +- .../dataflow-ir-consistency.expected | 326 ------------------ .../fields/dataflow-ir-consistency.expected | 239 ------------- 3 files changed, 2 insertions(+), 566 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll index 71bf6aab3bc..b6c944206b2 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll @@ -677,7 +677,8 @@ private predicate ssaFlowImpl(SsaDefOrUse defOrUse, Node nodeFrom, Node nodeTo, not nodeFrom = any(PostUpdateNode pun).getPreUpdateNode() and nodeToDefOrUse(nodeFrom, defOrUse, uncertain) and adjacentDefRead(defOrUse, use) and - useToNode(use, nodeTo) + useToNode(use, nodeTo) and + nodeFrom != nodeTo or // Initial global variable value to a first use nodeFrom.(InitialGlobalValue).getGlobalDef() = defOrUse and diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected index 526361e6b0d..c675242e7a2 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected 
@@ -32,384 +32,58 @@ uniqueParameterNodeAtPosition uniqueParameterNodePosition uniqueContentApprox identityLocalStep -| BarrierGuard.cpp:6:15:6:20 | source | Node steps to itself | -| BarrierGuard.cpp:7:10:7:15 | source | Node steps to itself | -| BarrierGuard.cpp:9:10:9:15 | source | Node steps to itself | -| BarrierGuard.cpp:14:16:14:21 | source | Node steps to itself | -| BarrierGuard.cpp:15:10:15:15 | source | Node steps to itself | -| BarrierGuard.cpp:17:10:17:15 | source | Node steps to itself | -| BarrierGuard.cpp:22:15:22:20 | source | Node steps to itself | -| BarrierGuard.cpp:22:26:22:34 | arbitrary | Node steps to itself | -| BarrierGuard.cpp:23:10:23:15 | source | Node steps to itself | -| BarrierGuard.cpp:25:10:25:15 | source | Node steps to itself | -| BarrierGuard.cpp:30:15:30:20 | source | Node steps to itself | -| BarrierGuard.cpp:30:26:30:34 | arbitrary | Node steps to itself | -| BarrierGuard.cpp:31:10:31:15 | source | Node steps to itself | -| BarrierGuard.cpp:33:10:33:15 | source | Node steps to itself | -| BarrierGuard.cpp:38:16:38:21 | source | Node steps to itself | -| BarrierGuard.cpp:41:8:41:13 | source | Node steps to itself | -| BarrierGuard.cpp:60:3:60:4 | p1 | Node steps to itself | -| BarrierGuard.cpp:61:15:61:16 | p1 | Node steps to itself | -| BarrierGuard.cpp:62:10:62:11 | p1 | Node steps to itself | | BarrierGuard.cpp:62:10:62:11 | p1 indirection | Node steps to itself | -| BarrierGuard.cpp:63:22:63:23 | p1 | Node steps to itself | -| BarrierGuard.cpp:64:10:64:11 | p1 | Node steps to itself | | BarrierGuard.cpp:64:10:64:11 | p1 indirection | Node steps to itself | -| BarrierGuard.cpp:65:22:65:23 | p2 | Node steps to itself | | BarrierGuard.cpp:65:22:65:23 | p2 indirection | Node steps to itself | -| BarrierGuard.cpp:66:10:66:11 | p1 | Node steps to itself | | BarrierGuard.cpp:66:10:66:11 | p1 indirection | Node steps to itself | -| BarrierGuard.cpp:76:10:76:12 | buf | Node steps to itself | | BarrierGuard.cpp:76:10:76:12 | buf 
indirection | Node steps to itself | -| clang.cpp:8:27:8:28 | this | Node steps to itself | | clang.cpp:8:27:8:28 | this indirection | Node steps to itself | -| clang.cpp:20:8:20:19 | sourceArray1 | Node steps to itself | -| clang.cpp:21:9:21:20 | sourceArray1 | Node steps to itself | -| clang.cpp:25:8:25:24 | sourceStruct1_ptr | Node steps to itself | -| clang.cpp:26:8:26:24 | sourceStruct1_ptr | Node steps to itself | -| clang.cpp:28:3:28:19 | sourceStruct1_ptr | Node steps to itself | -| clang.cpp:29:8:29:24 | sourceStruct1_ptr | Node steps to itself | -| clang.cpp:30:8:30:24 | sourceStruct1_ptr | Node steps to itself | -| clang.cpp:31:8:31:24 | sourceStruct1_ptr | Node steps to itself | | clang.cpp:31:8:31:24 | sourceStruct1_ptr indirection | Node steps to itself | -| clang.cpp:47:8:47:28 | sourceFunctionPointer | Node steps to itself | -| dispatch.cpp:11:38:11:38 | x | Node steps to itself | -| dispatch.cpp:23:38:23:38 | x | Node steps to itself | -| dispatch.cpp:31:8:31:13 | topPtr | Node steps to itself | -| dispatch.cpp:32:8:32:13 | topPtr | Node steps to itself | -| dispatch.cpp:33:3:33:8 | topPtr | Node steps to itself | -| dispatch.cpp:35:8:35:13 | topPtr | Node steps to itself | -| dispatch.cpp:36:8:36:13 | topPtr | Node steps to itself | -| dispatch.cpp:37:3:37:8 | topPtr | Node steps to itself | | dispatch.cpp:37:3:37:8 | topPtr indirection | Node steps to itself | | dispatch.cpp:45:3:45:8 | topRef indirection | Node steps to itself | -| dispatch.cpp:51:10:51:21 | globalBottom | Node steps to itself | -| dispatch.cpp:55:8:55:19 | globalBottom | Node steps to itself | | dispatch.cpp:55:8:55:19 | globalBottom indirection | Node steps to itself | -| dispatch.cpp:56:8:56:19 | globalMiddle | Node steps to itself | | dispatch.cpp:56:8:56:19 | globalMiddle indirection | Node steps to itself | -| dispatch.cpp:69:3:69:5 | top | Node steps to itself | | dispatch.cpp:69:3:69:5 | top indirection | Node steps to itself | | dispatch.cpp:73:3:73:5 | top indirection 
| Node steps to itself | -| dispatch.cpp:81:3:81:3 | x | Node steps to itself | | dispatch.cpp:81:3:81:3 | x indirection | Node steps to itself | -| dispatch.cpp:85:10:85:12 | top | Node steps to itself | | dispatch.cpp:89:12:89:17 | bottom indirection | Node steps to itself | -| dispatch.cpp:90:12:90:14 | top | Node steps to itself | | dispatch.cpp:90:12:90:14 | top indirection | Node steps to itself | -| dispatch.cpp:96:8:96:8 | x | Node steps to itself | -| dispatch.cpp:104:7:104:7 | b | Node steps to itself | -| dispatch.cpp:107:3:107:15 | maybeCallSink | Node steps to itself | -| dispatch.cpp:108:3:108:14 | dontCallSink | Node steps to itself | -| dispatch.cpp:129:10:129:15 | topPtr | Node steps to itself | | dispatch.cpp:129:10:129:15 | topPtr indirection | Node steps to itself | | dispatch.cpp:130:10:130:15 | topRef indirection | Node steps to itself | -| dispatch.cpp:140:3:140:6 | func | Node steps to itself | -| dispatch.cpp:144:3:144:6 | func | Node steps to itself | -| dispatch.cpp:160:3:160:6 | func | Node steps to itself | -| dispatch.cpp:164:3:164:6 | func | Node steps to itself | -| example.c:19:6:19:6 | b | Node steps to itself | | example.c:19:6:19:6 | b indirection | Node steps to itself | -| example.c:24:24:24:26 | pos | Node steps to itself | -| file://:0:0:0:0 | this | Node steps to itself | | file://:0:0:0:0 | this indirection | Node steps to itself | -| globals.cpp:6:10:6:14 | local | Node steps to itself | -| globals.cpp:12:10:12:24 | flowTestGlobal1 | Node steps to itself | -| globals.cpp:19:10:19:24 | flowTestGlobal2 | Node steps to itself | -| lambdas.cpp:13:10:17:2 | [...](...){...} | Node steps to itself | | lambdas.cpp:13:11:13:11 | (unnamed parameter 0) indirection | Node steps to itself | -| lambdas.cpp:13:12:13:12 | t | Node steps to itself | -| lambdas.cpp:13:15:13:15 | u | Node steps to itself | -| lambdas.cpp:14:3:14:6 | this | Node steps to itself | -| lambdas.cpp:15:3:15:6 | this | Node steps to itself | -| 
lambdas.cpp:20:10:24:2 | [...](...){...} | Node steps to itself | | lambdas.cpp:20:11:20:11 | (unnamed parameter 0) indirection | Node steps to itself | -| lambdas.cpp:21:3:21:6 | this | Node steps to itself | -| lambdas.cpp:22:3:22:6 | this | Node steps to itself | -| lambdas.cpp:23:3:23:14 | this | Node steps to itself | | lambdas.cpp:23:3:23:14 | this indirection | Node steps to itself | -| lambdas.cpp:26:7:26:7 | v | Node steps to itself | -| lambdas.cpp:28:10:31:2 | [...](...){...} | Node steps to itself | -| lambdas.cpp:28:10:31:2 | t | Node steps to itself | -| lambdas.cpp:28:10:31:2 | u | Node steps to itself | | lambdas.cpp:28:11:28:11 | (unnamed parameter 0) indirection | Node steps to itself | -| lambdas.cpp:29:3:29:6 | this | Node steps to itself | -| lambdas.cpp:30:3:30:6 | this | Node steps to itself | | lambdas.cpp:30:3:30:6 | this indirection | Node steps to itself | -| lambdas.cpp:34:11:37:2 | [...](...){...} | Node steps to itself | -| lambdas.cpp:35:8:35:8 | a | Node steps to itself | -| lambdas.cpp:36:8:36:8 | b | Node steps to itself | -| lambdas.cpp:38:4:38:4 | t | Node steps to itself | -| lambdas.cpp:38:7:38:7 | u | Node steps to itself | -| lambdas.cpp:40:11:44:2 | [...](...){...} | Node steps to itself | -| lambdas.cpp:41:8:41:8 | a | Node steps to itself | -| lambdas.cpp:42:8:42:8 | b | Node steps to itself | -| lambdas.cpp:46:7:46:7 | w | Node steps to itself | -| ref.cpp:11:11:11:13 | rhs | Node steps to itself | | ref.cpp:16:12:16:14 | lhs indirection | Node steps to itself | -| ref.cpp:16:17:16:19 | rhs | Node steps to itself | -| ref.cpp:20:11:20:13 | rhs | Node steps to itself | -| ref.cpp:21:9:21:17 | arbitrary | Node steps to itself | -| ref.cpp:30:9:30:17 | arbitrary | Node steps to itself | -| ref.cpp:36:9:36:17 | arbitrary | Node steps to itself | -| ref.cpp:45:9:45:17 | arbitrary | Node steps to itself | -| ref.cpp:56:10:56:11 | x1 | Node steps to itself | -| ref.cpp:59:10:59:11 | x2 | Node steps to itself | -| 
ref.cpp:62:10:62:11 | x3 | Node steps to itself | -| ref.cpp:65:10:65:11 | x4 | Node steps to itself | | ref.cpp:75:5:75:7 | lhs indirection | Node steps to itself | -| ref.cpp:75:15:75:17 | rhs | Node steps to itself | | ref.cpp:79:12:79:14 | lhs indirection | Node steps to itself | -| ref.cpp:79:17:79:19 | rhs | Node steps to itself | -| ref.cpp:83:15:83:17 | rhs | Node steps to itself | -| ref.cpp:86:9:86:17 | arbitrary | Node steps to itself | | ref.cpp:87:7:87:9 | lhs indirection | Node steps to itself | | ref.cpp:89:7:89:9 | lhs indirection | Node steps to itself | -| ref.cpp:95:9:95:17 | arbitrary | Node steps to itself | | ref.cpp:96:7:96:9 | out indirection | Node steps to itself | -| ref.cpp:101:9:101:17 | arbitrary | Node steps to itself | | ref.cpp:102:21:102:23 | out indirection | Node steps to itself | | ref.cpp:104:7:104:9 | out indirection | Node steps to itself | -| ref.cpp:112:9:112:17 | arbitrary | Node steps to itself | | ref.cpp:113:7:113:9 | out indirection | Node steps to itself | | ref.cpp:115:7:115:9 | out indirection | Node steps to itself | -| test.cpp:7:8:7:9 | t1 | Node steps to itself | -| test.cpp:8:8:8:9 | t1 | Node steps to itself | -| test.cpp:9:8:9:9 | t1 | Node steps to itself | -| test.cpp:10:8:10:9 | t2 | Node steps to itself | -| test.cpp:11:7:11:8 | t1 | Node steps to itself | -| test.cpp:13:10:13:11 | t2 | Node steps to itself | -| test.cpp:15:8:15:9 | t2 | Node steps to itself | -| test.cpp:21:8:21:9 | t1 | Node steps to itself | -| test.cpp:23:19:23:19 | i | Node steps to itself | -| test.cpp:23:23:23:24 | t1 | Node steps to itself | -| test.cpp:23:27:23:27 | i | Node steps to itself | -| test.cpp:24:10:24:11 | t2 | Node steps to itself | -| test.cpp:26:8:26:9 | t1 | Node steps to itself | -| test.cpp:30:8:30:8 | t | Node steps to itself | -| test.cpp:31:8:31:8 | c | Node steps to itself | -| test.cpp:43:10:43:10 | t | Node steps to itself | -| test.cpp:43:10:43:20 | ... ? ... : ... 
| Node steps to itself | -| test.cpp:43:14:43:15 | t1 | Node steps to itself | -| test.cpp:43:19:43:20 | t2 | Node steps to itself | -| test.cpp:45:9:45:9 | b | Node steps to itself | -| test.cpp:45:9:45:19 | ... ? ... : ... | Node steps to itself | -| test.cpp:45:13:45:14 | t1 | Node steps to itself | -| test.cpp:45:18:45:19 | t2 | Node steps to itself | -| test.cpp:46:10:46:10 | t | Node steps to itself | -| test.cpp:51:9:51:9 | b | Node steps to itself | -| test.cpp:52:11:52:12 | t1 | Node steps to itself | -| test.cpp:58:10:58:10 | t | Node steps to itself | -| test.cpp:69:14:69:15 | x2 | Node steps to itself | -| test.cpp:71:8:71:9 | x4 | Node steps to itself | -| test.cpp:76:8:76:9 | u1 | Node steps to itself | -| test.cpp:78:8:78:9 | u1 | Node steps to itself | -| test.cpp:81:8:81:9 | i1 | Node steps to itself | -| test.cpp:84:8:84:9 | i1 | Node steps to itself | -| test.cpp:84:8:84:18 | ... ? ... : ... | Node steps to itself | -| test.cpp:84:13:84:14 | u2 | Node steps to itself | -| test.cpp:85:8:85:9 | u2 | Node steps to itself | -| test.cpp:86:8:86:9 | i1 | Node steps to itself | -| test.cpp:90:8:90:14 | source1 | Node steps to itself | -| test.cpp:91:13:91:18 | clean1 | Node steps to itself | -| test.cpp:92:8:92:14 | source1 | Node steps to itself | -| test.cpp:102:9:102:14 | clean1 | Node steps to itself | -| test.cpp:103:10:103:12 | ref | Node steps to itself | -| test.cpp:107:13:107:18 | clean1 | Node steps to itself | -| test.cpp:110:10:110:12 | ref | Node steps to itself | -| test.cpp:125:10:125:11 | in | Node steps to itself | -| test.cpp:134:10:134:10 | p | Node steps to itself | -| test.cpp:139:11:139:11 | x | Node steps to itself | -| test.cpp:140:8:140:8 | y | Node steps to itself | -| test.cpp:144:8:144:8 | s | Node steps to itself | -| test.cpp:145:10:145:10 | s | Node steps to itself | -| test.cpp:150:8:150:8 | x | Node steps to itself | -| test.cpp:152:8:152:8 | y | Node steps to itself | -| test.cpp:156:11:156:11 | s | Node steps to itself 
| -| test.cpp:157:8:157:8 | x | Node steps to itself | -| test.cpp:158:10:158:10 | x | Node steps to itself | -| test.cpp:163:8:163:8 | x | Node steps to itself | -| test.cpp:165:8:165:8 | y | Node steps to itself | -| test.cpp:172:10:172:10 | x | Node steps to itself | -| test.cpp:177:11:177:11 | x | Node steps to itself | -| test.cpp:178:8:178:8 | y | Node steps to itself | -| test.cpp:190:12:190:12 | p | Node steps to itself | -| test.cpp:194:13:194:27 | this | Node steps to itself | | test.cpp:194:13:194:27 | this indirection | Node steps to itself | -| test.cpp:195:19:195:19 | x | Node steps to itself | -| test.cpp:196:13:196:19 | barrier | Node steps to itself | -| test.cpp:197:10:197:10 | y | Node steps to itself | -| test.cpp:201:19:201:24 | source | Node steps to itself | -| test.cpp:202:10:202:16 | barrier | Node steps to itself | -| test.cpp:203:12:203:18 | barrier | Node steps to itself | -| test.cpp:207:13:207:33 | this | Node steps to itself | -| test.cpp:208:10:208:10 | x | Node steps to itself | -| test.cpp:209:13:209:33 | this | Node steps to itself | | test.cpp:209:13:209:33 | this indirection | Node steps to itself | -| test.cpp:210:10:210:10 | y | Node steps to itself | -| test.cpp:214:19:214:24 | source | Node steps to itself | -| test.cpp:215:13:215:19 | barrier | Node steps to itself | -| test.cpp:216:10:216:10 | x | Node steps to itself | -| test.cpp:217:12:217:12 | x | Node steps to itself | -| test.cpp:221:13:221:34 | this | Node steps to itself | -| test.cpp:222:10:222:10 | x | Node steps to itself | -| test.cpp:223:13:223:34 | this | Node steps to itself | | test.cpp:223:13:223:34 | this indirection | Node steps to itself | -| test.cpp:224:10:224:10 | y | Node steps to itself | -| test.cpp:231:19:231:19 | x | Node steps to itself | -| test.cpp:232:12:232:18 | barrier | Node steps to itself | -| test.cpp:236:13:236:24 | this | Node steps to itself | | test.cpp:236:13:236:24 | this indirection | Node steps to itself | -| 
test.cpp:237:13:237:13 | x | Node steps to itself | -| test.cpp:238:10:238:10 | y | Node steps to itself | -| test.cpp:245:7:245:12 | this | Node steps to itself | -| test.cpp:246:7:246:16 | this | Node steps to itself | | test.cpp:246:7:246:16 | this indirection | Node steps to itself | -| test.cpp:250:15:250:15 | x | Node steps to itself | -| test.cpp:251:7:251:12 | this | Node steps to itself | | test.cpp:251:7:251:12 | this indirection | Node steps to itself | -| test.cpp:251:14:251:14 | y | Node steps to itself | -| test.cpp:255:21:255:21 | x | Node steps to itself | -| test.cpp:256:7:256:12 | this | Node steps to itself | | test.cpp:256:7:256:12 | this indirection | Node steps to itself | -| test.cpp:256:14:256:20 | barrier | Node steps to itself | -| test.cpp:260:12:260:12 | x | Node steps to itself | -| test.cpp:265:15:265:20 | this | Node steps to itself | -| test.cpp:266:12:266:12 | x | Node steps to itself | -| test.cpp:267:11:267:20 | this | Node steps to itself | | test.cpp:267:11:267:20 | this indirection | Node steps to itself | -| test.cpp:268:12:268:12 | x | Node steps to itself | -| test.cpp:272:15:272:15 | x | Node steps to itself | -| test.cpp:273:14:273:19 | this | Node steps to itself | | test.cpp:273:14:273:19 | this indirection | Node steps to itself | -| test.cpp:273:21:273:21 | y | Node steps to itself | -| test.cpp:277:21:277:21 | x | Node steps to itself | -| test.cpp:278:14:278:19 | this | Node steps to itself | | test.cpp:278:14:278:19 | this indirection | Node steps to itself | -| test.cpp:278:21:278:27 | barrier | Node steps to itself | -| test.cpp:282:15:282:15 | x | Node steps to itself | -| test.cpp:283:14:283:14 | y | Node steps to itself | -| test.cpp:288:17:288:22 | this | Node steps to itself | -| test.cpp:289:14:289:14 | x | Node steps to itself | -| test.cpp:290:13:290:22 | this | Node steps to itself | | test.cpp:290:13:290:22 | this indirection | Node steps to itself | -| test.cpp:291:14:291:14 | x | Node steps to itself | 
-| test.cpp:295:17:295:22 | this | Node steps to itself | | test.cpp:295:17:295:22 | this indirection | Node steps to itself | -| test.cpp:296:16:296:16 | y | Node steps to itself | -| test.cpp:300:23:300:28 | this | Node steps to itself | | test.cpp:300:23:300:28 | this indirection | Node steps to itself | -| test.cpp:301:16:301:22 | barrier | Node steps to itself | -| test.cpp:306:16:306:16 | y | Node steps to itself | -| test.cpp:314:2:314:2 | this | Node steps to itself | | test.cpp:314:2:314:2 | this indirection | Node steps to itself | -| test.cpp:317:10:317:10 | this | Node steps to itself | -| test.cpp:317:12:317:12 | p | Node steps to itself | -| test.cpp:318:7:318:7 | x | Node steps to itself | -| test.cpp:319:10:319:10 | this | Node steps to itself | -| test.cpp:320:7:320:7 | y | Node steps to itself | -| test.cpp:321:2:321:2 | this | Node steps to itself | | test.cpp:321:2:321:2 | this indirection | Node steps to itself | -| test.cpp:324:9:324:9 | p | Node steps to itself | -| test.cpp:337:10:337:18 | globalVar | Node steps to itself | -| test.cpp:339:10:339:18 | globalVar | Node steps to itself | -| test.cpp:343:10:343:18 | globalVar | Node steps to itself | -| test.cpp:349:10:349:18 | globalVar | Node steps to itself | -| test.cpp:359:5:359:9 | this | Node steps to itself | | test.cpp:359:5:359:9 | this indirection | Node steps to itself | -| test.cpp:363:10:363:14 | this | Node steps to itself | -| test.cpp:364:5:364:14 | this | Node steps to itself | -| test.cpp:365:10:365:14 | this | Node steps to itself | | test.cpp:365:10:365:14 | this indirection | Node steps to itself | -| test.cpp:369:10:369:14 | this | Node steps to itself | | test.cpp:369:10:369:14 | this indirection | Node steps to itself | -| test.cpp:373:5:373:9 | this | Node steps to itself | -| test.cpp:374:5:374:20 | this | Node steps to itself | -| test.cpp:375:10:375:14 | this | Node steps to itself | | test.cpp:375:10:375:14 | this indirection | Node steps to itself | -| 
test.cpp:385:8:385:10 | tmp | Node steps to itself | -| test.cpp:392:8:392:10 | tmp | Node steps to itself | -| test.cpp:393:7:393:7 | b | Node steps to itself | -| test.cpp:394:10:394:12 | tmp | Node steps to itself | -| test.cpp:401:8:401:10 | tmp | Node steps to itself | -| test.cpp:408:8:408:10 | tmp | Node steps to itself | -| test.cpp:418:8:418:12 | local | Node steps to itself | -| test.cpp:424:8:424:12 | local | Node steps to itself | -| test.cpp:436:8:436:13 | * ... | Node steps to itself | -| test.cpp:442:8:442:12 | local | Node steps to itself | -| test.cpp:451:8:451:13 | * ... | Node steps to itself | -| test.cpp:462:9:462:14 | clean1 | Node steps to itself | -| test.cpp:463:13:463:19 | source1 | Node steps to itself | -| test.cpp:465:13:465:18 | clean1 | Node steps to itself | -| test.cpp:468:8:468:12 | local | Node steps to itself | -| test.cpp:478:8:478:8 | x | Node steps to itself | -| test.cpp:488:21:488:21 | s | Node steps to itself | -| test.cpp:489:20:489:20 | s | Node steps to itself | | test.cpp:489:20:489:20 | s indirection | Node steps to itself | -| test.cpp:490:9:490:17 | p_content | Node steps to itself | -| test.cpp:498:9:498:14 | clean1 | Node steps to itself | -| test.cpp:500:10:500:10 | x | Node steps to itself | -| test.cpp:513:8:513:8 | x | Node steps to itself | -| test.cpp:520:19:520:23 | clean | Node steps to itself | -| test.cpp:532:9:532:9 | e | Node steps to itself | -| test.cpp:536:11:536:11 | p | Node steps to itself | -| test.cpp:541:10:541:10 | y | Node steps to itself | -| test.cpp:552:28:552:28 | y | Node steps to itself | -| test.cpp:566:11:566:19 | globalInt | Node steps to itself | -| test.cpp:568:11:568:19 | globalInt | Node steps to itself | -| test.cpp:572:11:572:19 | globalInt | Node steps to itself | -| test.cpp:578:11:578:19 | globalInt | Node steps to itself | -| test.cpp:590:8:590:8 | x | Node steps to itself | -| test.cpp:596:11:596:11 | p | Node steps to itself | -| test.cpp:601:20:601:20 | p | Node steps to 
itself | -| test.cpp:602:3:602:3 | p | Node steps to itself | -| test.cpp:603:9:603:9 | p | Node steps to itself | -| test.cpp:607:20:607:20 | p | Node steps to itself | -| test.cpp:609:9:609:9 | p | Node steps to itself | -| test.cpp:614:20:614:20 | p | Node steps to itself | -| test.cpp:624:7:624:7 | b | Node steps to itself | -| test.cpp:634:8:634:8 | x | Node steps to itself | -| test.cpp:640:8:640:8 | x | Node steps to itself | -| test.cpp:645:8:645:8 | x | Node steps to itself | -| test.cpp:651:8:651:8 | x | Node steps to itself | -| test.cpp:658:8:658:8 | x | Node steps to itself | -| test.cpp:666:9:666:16 | ptr_to_s | Node steps to itself | -| test.cpp:673:9:673:16 | ptr_to_s | Node steps to itself | -| test.cpp:679:9:679:16 | ptr_to_s | Node steps to itself | -| test.cpp:687:9:687:16 | ptr_to_s | Node steps to itself | -| true_upon_entry.cpp:10:19:10:19 | i | Node steps to itself | -| true_upon_entry.cpp:10:27:10:27 | i | Node steps to itself | -| true_upon_entry.cpp:13:8:13:8 | x | Node steps to itself | -| true_upon_entry.cpp:18:19:18:19 | i | Node steps to itself | -| true_upon_entry.cpp:18:23:18:32 | iterations | Node steps to itself | -| true_upon_entry.cpp:18:35:18:35 | i | Node steps to itself | -| true_upon_entry.cpp:21:8:21:8 | x | Node steps to itself | -| true_upon_entry.cpp:26:19:26:19 | i | Node steps to itself | -| true_upon_entry.cpp:26:27:26:27 | i | Node steps to itself | -| true_upon_entry.cpp:29:8:29:8 | x | Node steps to itself | -| true_upon_entry.cpp:34:19:34:19 | i | Node steps to itself | -| true_upon_entry.cpp:34:27:34:27 | i | Node steps to itself | -| true_upon_entry.cpp:39:8:39:8 | x | Node steps to itself | -| true_upon_entry.cpp:44:19:44:19 | i | Node steps to itself | -| true_upon_entry.cpp:44:27:44:27 | i | Node steps to itself | -| true_upon_entry.cpp:49:8:49:8 | x | Node steps to itself | -| true_upon_entry.cpp:55:19:55:19 | i | Node steps to itself | -| true_upon_entry.cpp:55:38:55:38 | i | Node steps to itself | -| 
true_upon_entry.cpp:57:8:57:8 | x | Node steps to itself | -| true_upon_entry.cpp:63:19:63:19 | i | Node steps to itself | -| true_upon_entry.cpp:63:38:63:38 | i | Node steps to itself | -| true_upon_entry.cpp:66:8:66:8 | x | Node steps to itself | -| true_upon_entry.cpp:76:19:76:19 | i | Node steps to itself | -| true_upon_entry.cpp:76:38:76:38 | i | Node steps to itself | -| true_upon_entry.cpp:78:8:78:8 | x | Node steps to itself | -| true_upon_entry.cpp:84:30:84:30 | i | Node steps to itself | -| true_upon_entry.cpp:84:38:84:38 | i | Node steps to itself | -| true_upon_entry.cpp:86:8:86:8 | x | Node steps to itself | -| true_upon_entry.cpp:91:30:91:30 | i | Node steps to itself | -| true_upon_entry.cpp:91:38:91:38 | i | Node steps to itself | -| true_upon_entry.cpp:93:8:93:8 | x | Node steps to itself | -| true_upon_entry.cpp:99:7:99:7 | b | Node steps to itself | -| true_upon_entry.cpp:101:10:101:10 | i | Node steps to itself | -| true_upon_entry.cpp:101:18:101:18 | i | Node steps to itself | -| true_upon_entry.cpp:101:23:101:23 | d | Node steps to itself | -| true_upon_entry.cpp:105:8:105:8 | x | Node steps to itself | diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected index 06ad45a17b7..82aea270495 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected 
@@ -42,363 +42,124 @@ uniqueParameterNodeAtPosition uniqueParameterNodePosition uniqueContentApprox identityLocalStep -| A.cpp:25:7:25:10 | this | Node steps to itself | | A.cpp:25:7:25:10 | this indirection | Node steps to itself | -| A.cpp:25:17:25:17 | c | Node steps to itself | -| A.cpp:27:22:27:25 | this | Node steps to itself | | A.cpp:27:22:27:25 | this indirection | Node steps to itself | -| A.cpp:27:32:27:32 | c | Node steps to itself | -| A.cpp:28:23:28:26 | this | Node steps to itself | | A.cpp:28:23:28:26 | this indirection | Node steps to itself | -| A.cpp:31:20:31:20 | c | Node steps to itself | | A.cpp:31:20:31:20 | c indirection | Node steps to itself | | A.cpp:41:15:41:21 | new indirection | Node steps to itself | -| A.cpp:48:20:48:20 | c | Node steps to itself | | A.cpp:48:20:48:20 | c indirection | Node steps to itself | -| A.cpp:49:10:49:10 | b | Node steps to itself | | A.cpp:49:10:49:10 | b indirection | Node steps to itself | -| A.cpp:55:5:55:5 | b | Node steps to itself | | A.cpp:55:12:55:19 | new indirection | Node steps to itself | -| A.cpp:56:10:56:10 | b | Node steps to itself | | A.cpp:56:10:56:10 | b indirection | Node steps to itself | -| A.cpp:64:10:64:15 | this | Node steps to itself | | A.cpp:64:10:64:15 | this indirection | Node steps to itself | -| A.cpp:64:17:64:18 | b1 | Node steps to itself | | A.cpp:64:21:64:28 | new indirection | Node steps to itself | -| A.cpp:65:10:65:11 | b1 | Node steps to itself | | A.cpp:65:10:65:11 | b1 indirection | Node steps to itself | -| A.cpp:66:10:66:11 | b2 | Node steps to itself | | A.cpp:66:10:66:11 | b2 indirection | Node steps to itself | -| A.cpp:73:10:73:19 | this | Node steps to itself | | A.cpp:73:10:73:19 | this indirection | Node steps to itself | -| A.cpp:73:21:73:22 | b1 | Node steps to itself | | A.cpp:73:25:73:32 | new indirection | Node steps to itself | -| A.cpp:74:10:74:11 | b1 | Node steps to itself | | A.cpp:74:10:74:11 | b1 indirection | Node steps to itself | -| 
A.cpp:75:10:75:11 | b2 | Node steps to itself | | A.cpp:75:10:75:11 | b2 indirection | Node steps to itself | -| A.cpp:81:10:81:15 | this | Node steps to itself | -| A.cpp:81:17:81:18 | b1 | Node steps to itself | -| A.cpp:81:21:81:21 | c | Node steps to itself | | A.cpp:81:21:81:21 | c indirection | Node steps to itself | -| A.cpp:82:12:82:12 | this | Node steps to itself | | A.cpp:82:12:82:12 | this indirection | Node steps to itself | -| A.cpp:82:12:82:24 | ... ? ... : ... | Node steps to itself | -| A.cpp:82:18:82:19 | b1 | Node steps to itself | -| A.cpp:82:23:82:24 | b2 | Node steps to itself | -| A.cpp:87:9:87:9 | this | Node steps to itself | | A.cpp:87:9:87:9 | this indirection | Node steps to itself | -| A.cpp:90:7:90:8 | b2 | Node steps to itself | -| A.cpp:90:15:90:15 | c | Node steps to itself | | A.cpp:90:15:90:15 | c indirection | Node steps to itself | -| A.cpp:91:14:91:15 | b2 | Node steps to itself | -| A.cpp:93:12:93:13 | b1 | Node steps to itself | -| A.cpp:100:5:100:6 | c1 | Node steps to itself | -| A.cpp:100:13:100:13 | a | Node steps to itself | -| A.cpp:101:5:101:6 | this | Node steps to itself | | A.cpp:101:5:101:6 | this indirection | Node steps to itself | | A.cpp:101:8:101:9 | c1 indirection | Node steps to itself | -| A.cpp:105:13:105:14 | c1 | Node steps to itself | -| A.cpp:107:12:107:13 | c1 | Node steps to itself | | A.cpp:107:12:107:13 | c1 indirection | Node steps to itself | -| A.cpp:110:13:110:14 | c2 | Node steps to itself | -| A.cpp:118:13:118:14 | c1 | Node steps to itself | -| A.cpp:120:12:120:13 | c1 | Node steps to itself | | A.cpp:120:12:120:13 | c1 indirection | Node steps to itself | -| A.cpp:126:5:126:5 | b | Node steps to itself | | A.cpp:126:5:126:5 | b indirection | Node steps to itself | -| A.cpp:131:5:131:6 | this | Node steps to itself | | A.cpp:131:5:131:6 | this indirection | Node steps to itself | -| A.cpp:131:8:131:8 | b | Node steps to itself | -| A.cpp:132:10:132:10 | b | Node steps to itself | | 
A.cpp:132:10:132:10 | b indirection | Node steps to itself | -| A.cpp:142:7:142:7 | b | Node steps to itself | -| A.cpp:143:7:143:10 | this | Node steps to itself | | A.cpp:143:7:143:10 | this indirection | Node steps to itself | -| A.cpp:143:17:143:17 | x | Node steps to itself | -| A.cpp:143:17:143:31 | ... ? ... : ... | Node steps to itself | -| A.cpp:143:21:143:21 | b | Node steps to itself | -| A.cpp:151:18:151:18 | b | Node steps to itself | -| A.cpp:151:21:151:21 | this | Node steps to itself | | A.cpp:151:21:151:21 | this indirection | Node steps to itself | -| A.cpp:152:10:152:10 | d | Node steps to itself | -| A.cpp:153:10:153:10 | d | Node steps to itself | | A.cpp:153:10:153:10 | d indirection | Node steps to itself | -| A.cpp:154:10:154:10 | b | Node steps to itself | | A.cpp:154:10:154:10 | b indirection | Node steps to itself | -| A.cpp:160:29:160:29 | b | Node steps to itself | | A.cpp:160:29:160:29 | b indirection | Node steps to itself | -| A.cpp:161:38:161:39 | l1 | Node steps to itself | | A.cpp:161:38:161:39 | l1 indirection | Node steps to itself | -| A.cpp:162:38:162:39 | l2 | Node steps to itself | | A.cpp:162:38:162:39 | l2 indirection | Node steps to itself | -| A.cpp:163:10:163:11 | l3 | Node steps to itself | -| A.cpp:164:10:164:11 | l3 | Node steps to itself | -| A.cpp:165:10:165:11 | l3 | Node steps to itself | -| A.cpp:166:10:166:11 | l3 | Node steps to itself | -| A.cpp:167:22:167:23 | l3 | Node steps to itself | -| A.cpp:167:26:167:26 | l | Node steps to itself | -| A.cpp:167:44:167:44 | l | Node steps to itself | | A.cpp:167:44:167:44 | l indirection | Node steps to itself | -| A.cpp:169:12:169:12 | l | Node steps to itself | -| A.cpp:183:7:183:10 | this | Node steps to itself | -| A.cpp:183:14:183:20 | newHead | Node steps to itself | -| A.cpp:184:7:184:10 | this | Node steps to itself | | A.cpp:184:7:184:10 | this indirection | Node steps to itself | -| A.cpp:184:20:184:23 | next | Node steps to itself | -| B.cpp:7:25:7:25 | e | 
Node steps to itself | | B.cpp:7:25:7:25 | e indirection | Node steps to itself | -| B.cpp:8:25:8:26 | b1 | Node steps to itself | | B.cpp:8:25:8:26 | b1 indirection | Node steps to itself | -| B.cpp:9:10:9:11 | b2 | Node steps to itself | -| B.cpp:10:10:10:11 | b2 | Node steps to itself | | B.cpp:10:10:10:11 | b2 indirection | Node steps to itself | -| B.cpp:16:37:16:37 | e | Node steps to itself | | B.cpp:16:37:16:37 | e indirection | Node steps to itself | -| B.cpp:17:25:17:26 | b1 | Node steps to itself | | B.cpp:17:25:17:26 | b1 indirection | Node steps to itself | -| B.cpp:18:10:18:11 | b2 | Node steps to itself | -| B.cpp:19:10:19:11 | b2 | Node steps to itself | | B.cpp:19:10:19:11 | b2 indirection | Node steps to itself | -| B.cpp:35:7:35:10 | this | Node steps to itself | -| B.cpp:35:21:35:22 | e1 | Node steps to itself | -| B.cpp:36:7:36:10 | this | Node steps to itself | | B.cpp:36:7:36:10 | this indirection | Node steps to itself | -| B.cpp:36:21:36:22 | e2 | Node steps to itself | -| B.cpp:46:7:46:10 | this | Node steps to itself | | B.cpp:46:7:46:10 | this indirection | Node steps to itself | -| B.cpp:46:20:46:21 | b1 | Node steps to itself | -| C.cpp:19:5:19:5 | c | Node steps to itself | | C.cpp:19:5:19:5 | c indirection | Node steps to itself | -| C.cpp:24:5:24:8 | this | Node steps to itself | | C.cpp:24:5:24:8 | this indirection | Node steps to itself | -| C.cpp:29:10:29:11 | this | Node steps to itself | -| C.cpp:30:10:30:11 | this | Node steps to itself | -| C.cpp:31:10:31:11 | this | Node steps to itself | | C.cpp:31:10:31:11 | this indirection | Node steps to itself | -| D.cpp:9:21:9:24 | this | Node steps to itself | | D.cpp:9:21:9:24 | this indirection | Node steps to itself | -| D.cpp:9:28:9:28 | e | Node steps to itself | -| D.cpp:10:30:10:33 | this | Node steps to itself | | D.cpp:10:30:10:33 | this indirection | Node steps to itself | -| D.cpp:11:29:11:32 | this | Node steps to itself | | D.cpp:11:29:11:32 | this indirection | Node 
steps to itself | -| D.cpp:11:36:11:36 | e | Node steps to itself | -| D.cpp:16:21:16:23 | this | Node steps to itself | | D.cpp:16:21:16:23 | this indirection | Node steps to itself | -| D.cpp:16:27:16:27 | b | Node steps to itself | -| D.cpp:17:30:17:32 | this | Node steps to itself | | D.cpp:17:30:17:32 | this indirection | Node steps to itself | -| D.cpp:18:29:18:31 | this | Node steps to itself | | D.cpp:18:29:18:31 | this indirection | Node steps to itself | -| D.cpp:18:35:18:35 | b | Node steps to itself | -| D.cpp:22:10:22:11 | b2 | Node steps to itself | | D.cpp:22:10:22:11 | b2 indirection | Node steps to itself | -| D.cpp:30:5:30:5 | b | Node steps to itself | -| D.cpp:30:20:30:20 | e | Node steps to itself | -| D.cpp:31:14:31:14 | b | Node steps to itself | | D.cpp:31:14:31:14 | b indirection | Node steps to itself | -| D.cpp:37:5:37:5 | b | Node steps to itself | -| D.cpp:37:21:37:21 | e | Node steps to itself | | D.cpp:37:21:37:21 | e indirection | Node steps to itself | -| D.cpp:38:14:38:14 | b | Node steps to itself | | D.cpp:38:14:38:14 | b indirection | Node steps to itself | -| D.cpp:44:5:44:5 | b | Node steps to itself | -| D.cpp:44:26:44:26 | e | Node steps to itself | -| D.cpp:45:14:45:14 | b | Node steps to itself | | D.cpp:45:14:45:14 | b indirection | Node steps to itself | -| D.cpp:51:5:51:5 | b | Node steps to itself | -| D.cpp:51:27:51:27 | e | Node steps to itself | | D.cpp:51:27:51:27 | e indirection | Node steps to itself | -| D.cpp:52:14:52:14 | b | Node steps to itself | | D.cpp:52:14:52:14 | b indirection | Node steps to itself | -| D.cpp:57:5:57:12 | this | Node steps to itself | -| D.cpp:58:5:58:12 | this | Node steps to itself | -| D.cpp:58:27:58:27 | e | Node steps to itself | -| D.cpp:59:5:59:7 | this | Node steps to itself | | D.cpp:59:5:59:7 | this indirection | Node steps to itself | -| D.cpp:64:10:64:17 | this | Node steps to itself | | D.cpp:64:10:64:17 | this indirection | Node steps to itself | -| E.cpp:21:10:21:10 | p 
| Node steps to itself | | E.cpp:21:10:21:10 | p indirection | Node steps to itself | -| E.cpp:29:21:29:21 | b | Node steps to itself | -| E.cpp:31:10:31:12 | raw | Node steps to itself | | E.cpp:31:10:31:12 | raw indirection | Node steps to itself | -| E.cpp:32:10:32:10 | b | Node steps to itself | | E.cpp:32:10:32:10 | b indirection | Node steps to itself | -| aliasing.cpp:9:3:9:3 | s | Node steps to itself | | aliasing.cpp:9:3:9:3 | s indirection | Node steps to itself | | aliasing.cpp:13:3:13:3 | s indirection | Node steps to itself | -| aliasing.cpp:27:14:27:15 | s3 | Node steps to itself | | aliasing.cpp:37:3:37:6 | ref1 indirection | Node steps to itself | | aliasing.cpp:43:8:43:11 | ref2 indirection | Node steps to itself | -| aliasing.cpp:48:13:48:14 | s1 | Node steps to itself | -| aliasing.cpp:53:13:53:14 | s2 | Node steps to itself | -| aliasing.cpp:61:13:61:14 | s2 | Node steps to itself | -| aliasing.cpp:79:3:79:3 | s | Node steps to itself | | aliasing.cpp:79:3:79:3 | s indirection | Node steps to itself | | aliasing.cpp:86:3:86:3 | s indirection | Node steps to itself | -| aliasing.cpp:100:14:100:14 | s | Node steps to itself | -| aliasing.cpp:102:9:102:10 | px | Node steps to itself | -| aliasing.cpp:121:15:121:16 | xs | Node steps to itself | -| aliasing.cpp:122:8:122:9 | xs | Node steps to itself | -| aliasing.cpp:126:15:126:16 | xs | Node steps to itself | -| aliasing.cpp:127:10:127:11 | xs | Node steps to itself | -| aliasing.cpp:131:15:131:16 | xs | Node steps to itself | -| aliasing.cpp:147:16:147:16 | s | Node steps to itself | -| aliasing.cpp:148:8:148:8 | s | Node steps to itself | -| aliasing.cpp:188:13:188:14 | s2 | Node steps to itself | -| aliasing.cpp:195:13:195:14 | s2 | Node steps to itself | -| aliasing.cpp:200:16:200:18 | ps2 | Node steps to itself | -| aliasing.cpp:201:8:201:10 | ps2 | Node steps to itself | | aliasing.cpp:201:8:201:10 | ps2 indirection | Node steps to itself | -| aliasing.cpp:205:16:205:18 | ps2 | Node steps to 
itself | -| aliasing.cpp:206:8:206:10 | ps2 | Node steps to itself | | aliasing.cpp:206:8:206:10 | ps2 indirection | Node steps to itself | -| arrays.cpp:9:8:9:11 | * ... | Node steps to itself | -| by_reference.cpp:12:5:12:5 | s | Node steps to itself | | by_reference.cpp:12:5:12:5 | s indirection | Node steps to itself | -| by_reference.cpp:12:12:12:16 | value | Node steps to itself | -| by_reference.cpp:16:5:16:8 | this | Node steps to itself | | by_reference.cpp:16:5:16:8 | this indirection | Node steps to itself | -| by_reference.cpp:16:15:16:19 | value | Node steps to itself | -| by_reference.cpp:20:5:20:8 | this | Node steps to itself | | by_reference.cpp:20:5:20:8 | this indirection | Node steps to itself | -| by_reference.cpp:20:23:20:27 | value | Node steps to itself | | by_reference.cpp:20:23:20:27 | value indirection | Node steps to itself | | by_reference.cpp:20:23:20:27 | value indirection | Node steps to itself | -| by_reference.cpp:24:19:24:22 | this | Node steps to itself | | by_reference.cpp:24:19:24:22 | this indirection | Node steps to itself | -| by_reference.cpp:24:25:24:29 | value | Node steps to itself | | by_reference.cpp:24:25:24:29 | value indirection | Node steps to itself | | by_reference.cpp:24:25:24:29 | value indirection | Node steps to itself | -| by_reference.cpp:32:12:32:12 | s | Node steps to itself | | by_reference.cpp:32:12:32:12 | s indirection | Node steps to itself | -| by_reference.cpp:36:12:36:15 | this | Node steps to itself | | by_reference.cpp:36:12:36:15 | this indirection | Node steps to itself | -| by_reference.cpp:40:12:40:15 | this | Node steps to itself | | by_reference.cpp:40:12:40:15 | this indirection | Node steps to itself | -| by_reference.cpp:44:26:44:29 | this | Node steps to itself | | by_reference.cpp:44:26:44:29 | this indirection | Node steps to itself | -| by_reference.cpp:84:3:84:7 | inner | Node steps to itself | | by_reference.cpp:84:3:84:7 | inner indirection | Node steps to itself | | 
by_reference.cpp:88:3:88:7 | inner indirection | Node steps to itself | -| by_reference.cpp:106:22:106:27 | pouter | Node steps to itself | -| by_reference.cpp:107:21:107:26 | pouter | Node steps to itself | -| by_reference.cpp:108:16:108:21 | pouter | Node steps to itself | -| by_reference.cpp:114:8:114:13 | pouter | Node steps to itself | -| by_reference.cpp:115:8:115:13 | pouter | Node steps to itself | -| by_reference.cpp:116:8:116:13 | pouter | Node steps to itself | | by_reference.cpp:116:8:116:13 | pouter indirection | Node steps to itself | -| by_reference.cpp:126:21:126:26 | pouter | Node steps to itself | -| by_reference.cpp:127:22:127:27 | pouter | Node steps to itself | -| by_reference.cpp:128:15:128:20 | pouter | Node steps to itself | -| by_reference.cpp:134:8:134:13 | pouter | Node steps to itself | -| by_reference.cpp:135:8:135:13 | pouter | Node steps to itself | -| by_reference.cpp:136:8:136:13 | pouter | Node steps to itself | | by_reference.cpp:136:8:136:13 | pouter indirection | Node steps to itself | -| complex.cpp:9:20:9:21 | this | Node steps to itself | | complex.cpp:9:20:9:21 | this indirection | Node steps to itself | -| complex.cpp:10:20:10:21 | this | Node steps to itself | | complex.cpp:10:20:10:21 | this indirection | Node steps to itself | -| complex.cpp:11:22:11:23 | this | Node steps to itself | | complex.cpp:11:22:11:23 | this indirection | Node steps to itself | -| complex.cpp:11:27:11:27 | a | Node steps to itself | -| complex.cpp:12:22:12:23 | this | Node steps to itself | | complex.cpp:12:22:12:23 | this indirection | Node steps to itself | -| complex.cpp:12:27:12:27 | b | Node steps to itself | -| complex.cpp:14:26:14:26 | a | Node steps to itself | -| complex.cpp:14:33:14:33 | b | Node steps to itself | | complex.cpp:43:8:43:8 | b indirection | Node steps to itself | | conflated.cpp:11:9:11:10 | ra indirection | Node steps to itself | | conflated.cpp:20:8:20:10 | raw indirection | Node steps to itself | -| 
conflated.cpp:29:3:29:4 | pa | Node steps to itself | -| conflated.cpp:30:8:30:9 | pa | Node steps to itself | | conflated.cpp:30:8:30:9 | pa indirection | Node steps to itself | -| conflated.cpp:35:8:35:14 | unknown | Node steps to itself | -| conflated.cpp:35:8:35:28 | ... ? ... : ... | Node steps to itself | -| conflated.cpp:35:18:35:20 | arg | Node steps to itself | -| conflated.cpp:36:3:36:4 | pa | Node steps to itself | -| conflated.cpp:37:8:37:9 | pa | Node steps to itself | | conflated.cpp:37:8:37:9 | pa indirection | Node steps to itself | -| conflated.cpp:45:39:45:42 | next | Node steps to itself | -| conflated.cpp:53:3:53:4 | ll | Node steps to itself | -| conflated.cpp:54:3:54:4 | ll | Node steps to itself | -| conflated.cpp:55:8:55:9 | ll | Node steps to itself | | conflated.cpp:55:8:55:9 | ll indirection | Node steps to itself | -| conflated.cpp:59:35:59:38 | next | Node steps to itself | | conflated.cpp:59:35:59:38 | next indirection | Node steps to itself | -| conflated.cpp:60:3:60:4 | ll | Node steps to itself | -| conflated.cpp:61:8:61:9 | ll | Node steps to itself | | conflated.cpp:61:8:61:9 | ll indirection | Node steps to itself | -| constructors.cpp:18:22:18:23 | this | Node steps to itself | | constructors.cpp:18:22:18:23 | this indirection | Node steps to itself | -| constructors.cpp:19:22:19:23 | this | Node steps to itself | | constructors.cpp:19:22:19:23 | this indirection | Node steps to itself | -| constructors.cpp:20:24:20:25 | this | Node steps to itself | | constructors.cpp:20:24:20:25 | this indirection | Node steps to itself | -| constructors.cpp:20:29:20:29 | a | Node steps to itself | -| constructors.cpp:21:24:21:25 | this | Node steps to itself | | constructors.cpp:21:24:21:25 | this indirection | Node steps to itself | -| constructors.cpp:21:29:21:29 | b | Node steps to itself | -| constructors.cpp:23:28:23:28 | a | Node steps to itself | -| constructors.cpp:23:35:23:35 | b | Node steps to itself | | 
constructors.cpp:29:10:29:10 | f indirection | Node steps to itself | -| qualifiers.cpp:9:30:9:33 | this | Node steps to itself | | qualifiers.cpp:9:30:9:33 | this indirection | Node steps to itself | -| qualifiers.cpp:9:40:9:44 | value | Node steps to itself | -| qualifiers.cpp:12:49:12:53 | inner | Node steps to itself | | qualifiers.cpp:12:49:12:53 | inner indirection | Node steps to itself | -| qualifiers.cpp:12:60:12:64 | value | Node steps to itself | | qualifiers.cpp:13:51:13:55 | inner indirection | Node steps to itself | -| qualifiers.cpp:13:61:13:65 | value | Node steps to itself | -| qualifiers.cpp:18:32:18:36 | this | Node steps to itself | | qualifiers.cpp:18:32:18:36 | this indirection | Node steps to itself | -| realistic.cpp:24:9:24:12 | size | Node steps to itself | -| realistic.cpp:25:30:25:35 | offset | Node steps to itself | -| realistic.cpp:26:15:26:18 | size | Node steps to itself | -| realistic.cpp:27:12:27:12 | m | Node steps to itself | -| realistic.cpp:32:13:32:13 | d | Node steps to itself | -| realistic.cpp:32:17:32:19 | num | Node steps to itself | -| realistic.cpp:33:11:33:11 | d | Node steps to itself | -| realistic.cpp:33:16:33:16 | e | Node steps to itself | -| realistic.cpp:36:12:36:22 | destination | Node steps to itself | -| realistic.cpp:42:20:42:20 | o | Node steps to itself | | realistic.cpp:42:20:42:20 | o indirection | Node steps to itself | | realistic.cpp:42:20:42:20 | o indirection | Node steps to itself | -| realistic.cpp:48:21:48:21 | i | Node steps to itself | -| realistic.cpp:48:34:48:34 | i | Node steps to itself | -| realistic.cpp:49:17:49:17 | i | Node steps to itself | -| realistic.cpp:52:11:52:11 | i | Node steps to itself | -| realistic.cpp:53:17:53:17 | i | Node steps to itself | -| realistic.cpp:54:24:54:24 | i | Node steps to itself | -| realistic.cpp:55:20:55:20 | i | Node steps to itself | -| realistic.cpp:57:96:57:96 | i | Node steps to itself | -| realistic.cpp:60:29:60:29 | i | Node steps to itself | -| 
realistic.cpp:60:63:60:63 | i | Node steps to itself | -| realistic.cpp:61:29:61:29 | i | Node steps to itself | -| realistic.cpp:65:29:65:29 | i | Node steps to itself | -| realistic.cpp:67:9:67:9 | i | Node steps to itself | -| simple.cpp:18:22:18:23 | this | Node steps to itself | | simple.cpp:18:22:18:23 | this indirection | Node steps to itself | -| simple.cpp:19:22:19:23 | this | Node steps to itself | | simple.cpp:19:22:19:23 | this indirection | Node steps to itself | -| simple.cpp:20:24:20:25 | this | Node steps to itself | | simple.cpp:20:24:20:25 | this indirection | Node steps to itself | -| simple.cpp:20:29:20:29 | a | Node steps to itself | -| simple.cpp:21:24:21:25 | this | Node steps to itself | | simple.cpp:21:24:21:25 | this indirection | Node steps to itself | -| simple.cpp:21:29:21:29 | b | Node steps to itself | -| simple.cpp:23:28:23:28 | a | Node steps to itself | -| simple.cpp:23:35:23:35 | b | Node steps to itself | | simple.cpp:29:10:29:10 | f indirection | Node steps to itself | -| simple.cpp:66:12:66:12 | a | Node steps to itself | -| simple.cpp:79:16:79:17 | this | Node steps to itself | | simple.cpp:79:16:79:17 | this indirection | Node steps to itself | -| simple.cpp:83:9:83:10 | this | Node steps to itself | -| simple.cpp:84:14:84:20 | this | Node steps to itself | | simple.cpp:84:14:84:20 | this indirection | Node steps to itself | -| simple.cpp:93:20:93:20 | a | Node steps to itself | -| struct_init.c:15:8:15:9 | ab | Node steps to itself | -| struct_init.c:16:8:16:9 | ab | Node steps to itself | | struct_init.c:16:8:16:9 | ab indirection | Node steps to itself | From b43702451f062566f85663b67295614f1c5c088b Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Fri, 5 May 2023 15:47:00 +0100 Subject: [PATCH 15/20] C++: Remove self edges from post-update SSA. --- .../cpp/ir/dataflow/internal/DataFlowUtil.qll | 2 +- .../cpp/ir/dataflow/internal/SsaInternals.qll | 14 +- .../dataflow-ir-consistency.expected | 55 -------- .../fields/dataflow-ir-consistency.expected | 121 ------------------ 4 files changed, 14 insertions(+), 178 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll index bdde7830c1e..ed3053258d8 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll @@ -1540,7 +1540,7 @@ private module Cached { cached predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { // Post update node -> Node flow - Ssa::ssaFlow(nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo) + Ssa::postUpdateFlow(nodeFrom, nodeTo) or // Def-use/Use-use flow Ssa::ssaFlow(nodeFrom, nodeTo) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll index b6c944206b2..d14b924b4a9 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll 
@@ -713,11 +713,23 @@ private Node getAPriorDefinition(SsaDefOrUse defOrUse) { /** Holds if there is def-use or use-use flow from `nodeFrom` to `nodeTo`. */ predicate ssaFlow(Node nodeFrom, Node nodeTo) { exists(Node nFrom, boolean uncertain, SsaDefOrUse defOrUse | - ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and + ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and nodeFrom != nodeTo + | if uncertain = true then nodeFrom = [nFrom, getAPriorDefinition(defOrUse)] else nodeFrom = nFrom ) } +predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) { + exists(Node preUpdate, Node nFrom, boolean uncertain, SsaDefOrUse defOrUse | + preUpdate = pun.getPreUpdateNode() and + ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) + | + if uncertain = true + then preUpdate = [nFrom, getAPriorDefinition(defOrUse)] + else preUpdate = nFrom + ) +} + /** * Holds if `use` is a use of `sv` and is a next adjacent use of `phi` in * index `i1` in basic block `bb1`. diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected index c675242e7a2..58049de095d 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected 
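Review bot: The new `postUpdateFlow` predicate in SsaInternals.qll has no QLDoc comment, although `ssaFlow` directly above it has one, and nothing records why it omits the `nodeFrom != nodeTo` filter that this hunk adds to `ssaFlow`. The omission looks deliberate: `pun` and its pre-update node are presumably distinct nodes, so a step from `pun` to `nodeTo` is not a self edge even when `nFrom = nodeTo`. A reader comparing the two near-identical bodies cannot tell that from the code. I would add a comment above the predicate such as `/** Holds if there is def-use or use-use flow from the pre-update node of pun to nodeTo; not filtered for self edges because pun differs from its pre-update node. */`. These local steps feed the taint-tracking queries and the diffstat lists only consistency `.expected` files, so a flow test should confirm that the filter and the split drop only identity steps and no real post-update flow.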
@@ -32,58 +32,3 @@ uniqueParameterNodeAtPosition uniqueParameterNodePosition uniqueContentApprox identityLocalStep -| BarrierGuard.cpp:62:10:62:11 | p1 indirection | Node steps to itself | -| BarrierGuard.cpp:64:10:64:11 | p1 indirection | Node steps to itself | -| BarrierGuard.cpp:65:22:65:23 | p2 indirection | Node steps to itself | -| BarrierGuard.cpp:66:10:66:11 | p1 indirection | Node steps to itself | -| BarrierGuard.cpp:76:10:76:12 | buf indirection | Node steps to itself | -| clang.cpp:8:27:8:28 | this indirection | Node steps to itself | -| clang.cpp:31:8:31:24 | sourceStruct1_ptr indirection | Node steps to itself | -| dispatch.cpp:37:3:37:8 | topPtr indirection | Node steps to itself | -| dispatch.cpp:45:3:45:8 | topRef indirection | Node steps to itself | -| dispatch.cpp:55:8:55:19 | globalBottom indirection | Node steps to itself | -| dispatch.cpp:56:8:56:19 | globalMiddle indirection | Node steps to itself | -| dispatch.cpp:69:3:69:5 | top indirection | Node steps to itself | -| dispatch.cpp:73:3:73:5 | top indirection | Node steps to itself | -| dispatch.cpp:81:3:81:3 | x indirection | Node steps to itself | -| dispatch.cpp:89:12:89:17 | bottom indirection | Node steps to itself | -| dispatch.cpp:90:12:90:14 | top indirection | Node steps to itself | -| dispatch.cpp:129:10:129:15 | topPtr indirection | Node steps to itself | -| dispatch.cpp:130:10:130:15 | topRef indirection | Node steps to itself | -| example.c:19:6:19:6 | b indirection | Node steps to itself | -| file://:0:0:0:0 | this indirection | Node steps to itself | -| lambdas.cpp:13:11:13:11 | (unnamed parameter 0) indirection | Node steps to itself | -| lambdas.cpp:20:11:20:11 | (unnamed parameter 0) indirection | Node steps to itself | -| lambdas.cpp:23:3:23:14 | this indirection | Node steps to itself | -| lambdas.cpp:28:11:28:11 | (unnamed parameter 0) indirection | Node steps to itself | -| lambdas.cpp:30:3:30:6 | this indirection | Node steps to itself | -| ref.cpp:16:12:16:14 | lhs 
indirection | Node steps to itself | -| ref.cpp:75:5:75:7 | lhs indirection | Node steps to itself | -| ref.cpp:79:12:79:14 | lhs indirection | Node steps to itself | -| ref.cpp:87:7:87:9 | lhs indirection | Node steps to itself | -| ref.cpp:89:7:89:9 | lhs indirection | Node steps to itself | -| ref.cpp:96:7:96:9 | out indirection | Node steps to itself | -| ref.cpp:102:21:102:23 | out indirection | Node steps to itself | -| ref.cpp:104:7:104:9 | out indirection | Node steps to itself | -| ref.cpp:113:7:113:9 | out indirection | Node steps to itself | -| ref.cpp:115:7:115:9 | out indirection | Node steps to itself | -| test.cpp:194:13:194:27 | this indirection | Node steps to itself | -| test.cpp:209:13:209:33 | this indirection | Node steps to itself | -| test.cpp:223:13:223:34 | this indirection | Node steps to itself | -| test.cpp:236:13:236:24 | this indirection | Node steps to itself | -| test.cpp:246:7:246:16 | this indirection | Node steps to itself | -| test.cpp:251:7:251:12 | this indirection | Node steps to itself | -| test.cpp:256:7:256:12 | this indirection | Node steps to itself | -| test.cpp:267:11:267:20 | this indirection | Node steps to itself | -| test.cpp:273:14:273:19 | this indirection | Node steps to itself | -| test.cpp:278:14:278:19 | this indirection | Node steps to itself | -| test.cpp:290:13:290:22 | this indirection | Node steps to itself | -| test.cpp:295:17:295:22 | this indirection | Node steps to itself | -| test.cpp:300:23:300:28 | this indirection | Node steps to itself | -| test.cpp:314:2:314:2 | this indirection | Node steps to itself | -| test.cpp:321:2:321:2 | this indirection | Node steps to itself | -| test.cpp:359:5:359:9 | this indirection | Node steps to itself | -| test.cpp:365:10:365:14 | this indirection | Node steps to itself | -| test.cpp:369:10:369:14 | this indirection | Node steps to itself | -| test.cpp:375:10:375:14 | this indirection | Node steps to itself | -| test.cpp:489:20:489:20 | s indirection | Node 
steps to itself | diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected index 82aea270495..ba007019708 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected 
@@ -42,124 +42,3 @@ uniqueParameterNodeAtPosition uniqueParameterNodePosition uniqueContentApprox identityLocalStep -| A.cpp:25:7:25:10 | this indirection | Node steps to itself | -| A.cpp:27:22:27:25 | this indirection | Node steps to itself | -| A.cpp:28:23:28:26 | this indirection | Node steps to itself | -| A.cpp:31:20:31:20 | c indirection | Node steps to itself | -| A.cpp:41:15:41:21 | new indirection | Node steps to itself | -| A.cpp:48:20:48:20 | c indirection | Node steps to itself | -| A.cpp:49:10:49:10 | b indirection | Node steps to itself | -| A.cpp:55:12:55:19 | new indirection | Node steps to itself | -| A.cpp:56:10:56:10 | b indirection | Node steps to itself | -| A.cpp:64:10:64:15 | this indirection | Node steps to itself | -| A.cpp:64:21:64:28 | new indirection | Node steps to itself | -| A.cpp:65:10:65:11 | b1 indirection | Node steps to itself | -| A.cpp:66:10:66:11 | b2 indirection | Node steps to itself | -| A.cpp:73:10:73:19 | this indirection | Node steps to itself | -| A.cpp:73:25:73:32 | new indirection | Node steps to itself | -| A.cpp:74:10:74:11 | b1 indirection | Node steps to itself | -| A.cpp:75:10:75:11 | b2 indirection | Node steps to itself | -| A.cpp:81:21:81:21 | c indirection | Node steps to itself | -| A.cpp:82:12:82:12 | this indirection | Node steps to itself | -| A.cpp:87:9:87:9 | this indirection | Node steps to itself | -| A.cpp:90:15:90:15 | c indirection | Node steps to itself | -| A.cpp:101:5:101:6 | this indirection | Node steps to itself | -| A.cpp:101:8:101:9 | c1 indirection | Node steps to itself | -| A.cpp:107:12:107:13 | c1 indirection | Node steps to itself | -| A.cpp:120:12:120:13 | c1 indirection | Node steps to itself | -| A.cpp:126:5:126:5 | b indirection | Node steps to itself | -| A.cpp:131:5:131:6 | this indirection | Node steps to itself | -| A.cpp:132:10:132:10 | b indirection | Node steps to itself | -| A.cpp:143:7:143:10 | this indirection | Node steps to itself | -| A.cpp:151:21:151:21 | this 
indirection | Node steps to itself | -| A.cpp:153:10:153:10 | d indirection | Node steps to itself | -| A.cpp:154:10:154:10 | b indirection | Node steps to itself | -| A.cpp:160:29:160:29 | b indirection | Node steps to itself | -| A.cpp:161:38:161:39 | l1 indirection | Node steps to itself | -| A.cpp:162:38:162:39 | l2 indirection | Node steps to itself | -| A.cpp:167:44:167:44 | l indirection | Node steps to itself | -| A.cpp:184:7:184:10 | this indirection | Node steps to itself | -| B.cpp:7:25:7:25 | e indirection | Node steps to itself | -| B.cpp:8:25:8:26 | b1 indirection | Node steps to itself | -| B.cpp:10:10:10:11 | b2 indirection | Node steps to itself | -| B.cpp:16:37:16:37 | e indirection | Node steps to itself | -| B.cpp:17:25:17:26 | b1 indirection | Node steps to itself | -| B.cpp:19:10:19:11 | b2 indirection | Node steps to itself | -| B.cpp:36:7:36:10 | this indirection | Node steps to itself | -| B.cpp:46:7:46:10 | this indirection | Node steps to itself | -| C.cpp:19:5:19:5 | c indirection | Node steps to itself | -| C.cpp:24:5:24:8 | this indirection | Node steps to itself | -| C.cpp:31:10:31:11 | this indirection | Node steps to itself | -| D.cpp:9:21:9:24 | this indirection | Node steps to itself | -| D.cpp:10:30:10:33 | this indirection | Node steps to itself | -| D.cpp:11:29:11:32 | this indirection | Node steps to itself | -| D.cpp:16:21:16:23 | this indirection | Node steps to itself | -| D.cpp:17:30:17:32 | this indirection | Node steps to itself | -| D.cpp:18:29:18:31 | this indirection | Node steps to itself | -| D.cpp:22:10:22:11 | b2 indirection | Node steps to itself | -| D.cpp:31:14:31:14 | b indirection | Node steps to itself | -| D.cpp:37:21:37:21 | e indirection | Node steps to itself | -| D.cpp:38:14:38:14 | b indirection | Node steps to itself | -| D.cpp:45:14:45:14 | b indirection | Node steps to itself | -| D.cpp:51:27:51:27 | e indirection | Node steps to itself | -| D.cpp:52:14:52:14 | b indirection | Node steps to itself | 
-| D.cpp:59:5:59:7 | this indirection | Node steps to itself | -| D.cpp:64:10:64:17 | this indirection | Node steps to itself | -| E.cpp:21:10:21:10 | p indirection | Node steps to itself | -| E.cpp:31:10:31:12 | raw indirection | Node steps to itself | -| E.cpp:32:10:32:10 | b indirection | Node steps to itself | -| aliasing.cpp:9:3:9:3 | s indirection | Node steps to itself | -| aliasing.cpp:13:3:13:3 | s indirection | Node steps to itself | -| aliasing.cpp:37:3:37:6 | ref1 indirection | Node steps to itself | -| aliasing.cpp:43:8:43:11 | ref2 indirection | Node steps to itself | -| aliasing.cpp:79:3:79:3 | s indirection | Node steps to itself | -| aliasing.cpp:86:3:86:3 | s indirection | Node steps to itself | -| aliasing.cpp:201:8:201:10 | ps2 indirection | Node steps to itself | -| aliasing.cpp:206:8:206:10 | ps2 indirection | Node steps to itself | -| by_reference.cpp:12:5:12:5 | s indirection | Node steps to itself | -| by_reference.cpp:16:5:16:8 | this indirection | Node steps to itself | -| by_reference.cpp:20:5:20:8 | this indirection | Node steps to itself | -| by_reference.cpp:20:23:20:27 | value indirection | Node steps to itself | -| by_reference.cpp:20:23:20:27 | value indirection | Node steps to itself | -| by_reference.cpp:24:19:24:22 | this indirection | Node steps to itself | -| by_reference.cpp:24:25:24:29 | value indirection | Node steps to itself | -| by_reference.cpp:24:25:24:29 | value indirection | Node steps to itself | -| by_reference.cpp:32:12:32:12 | s indirection | Node steps to itself | -| by_reference.cpp:36:12:36:15 | this indirection | Node steps to itself | -| by_reference.cpp:40:12:40:15 | this indirection | Node steps to itself | -| by_reference.cpp:44:26:44:29 | this indirection | Node steps to itself | -| by_reference.cpp:84:3:84:7 | inner indirection | Node steps to itself | -| by_reference.cpp:88:3:88:7 | inner indirection | Node steps to itself | -| by_reference.cpp:116:8:116:13 | pouter indirection | Node steps to itself | 
-| by_reference.cpp:136:8:136:13 | pouter indirection | Node steps to itself | -| complex.cpp:9:20:9:21 | this indirection | Node steps to itself | -| complex.cpp:10:20:10:21 | this indirection | Node steps to itself | -| complex.cpp:11:22:11:23 | this indirection | Node steps to itself | -| complex.cpp:12:22:12:23 | this indirection | Node steps to itself | -| complex.cpp:43:8:43:8 | b indirection | Node steps to itself | -| conflated.cpp:11:9:11:10 | ra indirection | Node steps to itself | -| conflated.cpp:20:8:20:10 | raw indirection | Node steps to itself | -| conflated.cpp:30:8:30:9 | pa indirection | Node steps to itself | -| conflated.cpp:37:8:37:9 | pa indirection | Node steps to itself | -| conflated.cpp:55:8:55:9 | ll indirection | Node steps to itself | -| conflated.cpp:59:35:59:38 | next indirection | Node steps to itself | -| conflated.cpp:61:8:61:9 | ll indirection | Node steps to itself | -| constructors.cpp:18:22:18:23 | this indirection | Node steps to itself | -| constructors.cpp:19:22:19:23 | this indirection | Node steps to itself | -| constructors.cpp:20:24:20:25 | this indirection | Node steps to itself | -| constructors.cpp:21:24:21:25 | this indirection | Node steps to itself | -| constructors.cpp:29:10:29:10 | f indirection | Node steps to itself | -| qualifiers.cpp:9:30:9:33 | this indirection | Node steps to itself | -| qualifiers.cpp:12:49:12:53 | inner indirection | Node steps to itself | -| qualifiers.cpp:13:51:13:55 | inner indirection | Node steps to itself | -| qualifiers.cpp:18:32:18:36 | this indirection | Node steps to itself | -| realistic.cpp:42:20:42:20 | o indirection | Node steps to itself | -| realistic.cpp:42:20:42:20 | o indirection | Node steps to itself | -| simple.cpp:18:22:18:23 | this indirection | Node steps to itself | -| simple.cpp:19:22:19:23 | this indirection | Node steps to itself | -| simple.cpp:20:24:20:25 | this indirection | Node steps to itself | -| simple.cpp:21:24:21:25 | this indirection | Node steps 
to itself | -| simple.cpp:29:10:29:10 | f indirection | Node steps to itself | -| simple.cpp:79:16:79:17 | this indirection | Node steps to itself | -| simple.cpp:84:14:84:20 | this indirection | Node steps to itself | -| struct_init.c:16:8:16:9 | ab indirection | Node steps to itself | From 89bf3359009ac59e36238045680230e2d60e3787 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 5 May 2023 16:44:41 +0100 Subject: [PATCH 16/20] C++: Accept test changes. --- .../dataflow-ir-consistency.expected | 1164 ----------------- 1 file changed, 1164 deletions(-) diff --git a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected index 60aeccba797..eb1472ebfaa 100644 --- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected 
@@ -54,1167 +54,3 @@ uniqueParameterNodeAtPosition uniqueParameterNodePosition uniqueContentApprox identityLocalStep -| VacuousDestructorCall.cpp:10:18:10:18 | i | Node steps to itself | -| abortingfunctions.cpp:20:9:20:9 | i | Node steps to itself | -| abortingfunctions.cpp:32:9:32:9 | i | Node steps to itself | -| aggregateinitializer.c:3:14:3:14 | a | Node steps to itself | -| aggregateinitializer.c:3:18:3:18 | b | Node steps to itself | -| aggregateinitializer.c:3:21:3:21 | c | Node steps to itself | -| aggregateinitializer.c:3:25:3:25 | d | Node steps to itself | -| allocators.cpp:3:34:3:34 | x | Node steps to itself | -| allocators.cpp:3:42:3:42 | y | Node steps to itself | -| allocators.cpp:4:18:4:20 | this | Node steps to itself | -| allocators.cpp:4:18:4:20 | this indirection | Node steps to itself | -| allocators.cpp:4:24:4:26 | this | Node steps to itself | -| assignexpr.cpp:11:8:11:8 | a | Node steps to itself | -| assignexpr.cpp:11:12:11:12 | b | Node steps to itself | -| bad_asts.cpp:10:22:10:22 | y | Node steps to itself | -| bad_asts.cpp:19:10:19:10 | (unnamed parameter 0) indirection | Node steps to itself | -| break_labels.c:4:9:4:9 | i | Node steps to itself | -| break_labels.c:5:9:5:14 | result | Node steps to itself | -| break_labels.c:6:16:6:16 | Phi | Node steps to itself | -| break_labels.c:6:16:6:16 | i | Node steps to itself | -| break_labels.c:13:12:13:17 | result | Node steps to itself | -| break_labels.c:20:16:20:16 | i | Node steps to itself | -| break_labels.c:20:24:20:24 | i | Node steps to itself | -| break_labels.c:21:13:21:13 | i | Node steps to itself | -| break_labels.c:24:13:24:13 | i | Node steps to itself | -| break_labels.c:27:9:27:9 | x | Node steps to itself | -| builtin.c:8:3:8:5 | acc | Node steps to itself | -| builtin.c:8:35:8:35 | x | Node steps to itself | -| builtin.c:8:40:8:40 | y | Node steps to itself | -| builtin.c:10:20:10:20 | x | Node steps to itself | -| builtin.c:12:3:12:5 | acc | Node steps to itself | -| 
builtin.c:15:54:15:56 | vec | Node steps to itself | -| builtin.c:18:33:18:35 | vec | Node steps to itself | -| builtin.c:20:3:20:5 | acc | Node steps to itself | -| builtin.c:20:33:20:33 | x | Node steps to itself | -| builtin.c:21:3:21:5 | acc | Node steps to itself | -| builtin.c:21:33:21:33 | x | Node steps to itself | -| builtin.c:21:38:21:38 | y | Node steps to itself | -| builtin.c:22:3:22:5 | acc | Node steps to itself | -| builtin.c:22:34:22:34 | x | Node steps to itself | -| builtin.c:22:39:22:39 | y | Node steps to itself | -| builtin.c:24:7:24:7 | y | Node steps to itself | -| builtin.c:28:31:28:33 | acc | Node steps to itself | -| builtin.c:29:12:29:14 | acc | Node steps to itself | -| builtin.c:34:3:34:5 | acc | Node steps to itself | -| builtin.c:34:34:34:34 | x | Node steps to itself | -| builtin.c:39:25:39:25 | x | Node steps to itself | -| builtin.c:43:26:43:26 | x | Node steps to itself | -| builtin.c:45:3:45:5 | acc | Node steps to itself | -| builtin.c:48:2:48:4 | acc | Node steps to itself | -| builtin.c:51:3:51:5 | acc | Node steps to itself | -| builtin.c:51:41:51:41 | x | Node steps to itself | -| builtin.c:51:43:51:43 | y | Node steps to itself | -| builtin.c:54:3:54:5 | acc | Node steps to itself | -| builtin.c:56:10:56:12 | acc | Node steps to itself | -| builtin.cpp:14:40:14:40 | x | Node steps to itself | -| builtin.cpp:14:44:14:44 | y | Node steps to itself | -| builtin.cpp:15:31:15:35 | * ... | Node steps to itself | -| builtin.cpp:15:31:15:35 | * ... indirection | Node steps to itself | -| builtin.cpp:15:31:15:35 | * ... 
indirection | Node steps to itself | -| condition_decl_int.cpp:3:9:3:21 | Phi | Node steps to itself | -| condition_decl_int.cpp:3:9:3:21 | Phi | Node steps to itself | -| condition_decl_int.cpp:3:9:3:21 | Phi | Node steps to itself | -| condition_decl_int.cpp:3:13:3:13 | k | Node steps to itself | -| condition_decl_int.cpp:3:17:3:17 | j | Node steps to itself | -| condition_decls.cpp:3:5:3:9 | this | Node steps to itself | -| condition_decls.cpp:3:5:3:9 | this indirection | Node steps to itself | -| condition_decls.cpp:3:21:3:21 | x | Node steps to itself | -| condition_decls.cpp:6:12:6:16 | this | Node steps to itself | -| condition_decls.cpp:6:12:6:16 | this indirection | Node steps to itself | -| condition_decls.cpp:9:13:9:17 | this | Node steps to itself | -| condition_decls.cpp:9:13:9:17 | this indirection | Node steps to itself | -| condition_decls.cpp:16:20:16:20 | x | Node steps to itself | -| condition_decls.cpp:26:24:26:24 | x | Node steps to itself | -| condition_decls.cpp:41:23:41:23 | x | Node steps to itself | -| condition_decls.cpp:48:24:48:24 | x | Node steps to itself | -| condition_decls.cpp:48:36:48:36 | x | Node steps to itself | -| condition_decls.cpp:48:53:48:53 | x | Node steps to itself | -| conditional_destructors.cpp:6:13:6:15 | this | Node steps to itself | -| conditional_destructors.cpp:6:13:6:15 | this indirection | Node steps to itself | -| conditional_destructors.cpp:6:19:6:19 | x | Node steps to itself | -| conditional_destructors.cpp:10:16:10:18 | this | Node steps to itself | -| conditional_destructors.cpp:10:16:10:18 | this indirection | Node steps to itself | -| conditional_destructors.cpp:10:23:10:27 | other indirection | Node steps to itself | -| conditional_destructors.cpp:18:13:18:15 | this | Node steps to itself | -| conditional_destructors.cpp:18:13:18:15 | this indirection | Node steps to itself | -| conditional_destructors.cpp:18:19:18:19 | x | Node steps to itself | -| conditional_destructors.cpp:25:16:25:18 | this | 
Node steps to itself | -| conditional_destructors.cpp:25:16:25:18 | this indirection | Node steps to itself | -| conditional_destructors.cpp:25:23:25:27 | other indirection | Node steps to itself | -| conditional_destructors.cpp:30:18:30:22 | call to C1 indirection | Node steps to itself | -| conditional_destructors.cpp:33:18:33:22 | call to C1 indirection | Node steps to itself | -| conditional_destructors.cpp:39:18:39:22 | call to C2 indirection | Node steps to itself | -| conditional_destructors.cpp:42:18:42:22 | call to C2 indirection | Node steps to itself | -| constmemberaccess.cpp:11:6:11:6 | c | Node steps to itself | -| constmemberaccess.cpp:11:6:11:6 | c indirection | Node steps to itself | -| constructorinitializer.cpp:10:6:10:6 | i | Node steps to itself | -| constructorinitializer.cpp:10:10:10:10 | j | Node steps to itself | -| constructorinitializer.cpp:10:13:10:13 | k | Node steps to itself | -| constructorinitializer.cpp:10:17:10:17 | l | Node steps to itself | -| cpp11.cpp:28:21:28:21 | (__range) indirection | Node steps to itself | -| cpp11.cpp:29:14:29:15 | el | Node steps to itself | -| cpp11.cpp:56:19:56:28 | global_int | Node steps to itself | -| cpp11.cpp:65:19:65:45 | [...](...){...} | Node steps to itself | -| cpp11.cpp:65:19:65:45 | x | Node steps to itself | -| cpp11.cpp:65:20:65:20 | (unnamed parameter 0) indirection | Node steps to itself | -| cpp11.cpp:77:19:77:21 | call to Val | Node steps to itself | -| cpp11.cpp:82:11:82:14 | call to Val | Node steps to itself | -| cpp11.cpp:82:17:82:17 | (unnamed parameter 0) indirection | Node steps to itself | -| cpp11.cpp:82:17:82:55 | [...](...){...} | Node steps to itself | -| cpp11.cpp:82:17:82:55 | binaryFunction | Node steps to itself | -| cpp11.cpp:82:30:82:52 | this | Node steps to itself | -| cpp11.cpp:82:45:82:48 | call to Val | Node steps to itself | -| cpp11.cpp:82:45:82:48 | this | Node steps to itself | -| cpp11.cpp:82:45:82:48 | this indirection | Node steps to itself | -| 
cpp11.cpp:82:51:82:51 | call to Val | Node steps to itself | -| cpp11.cpp:88:25:88:30 | call to Val | Node steps to itself | -| cpp11.cpp:88:33:88:38 | call to Val | Node steps to itself | -| cpp11.cpp:118:12:118:12 | Phi | Node steps to itself | -| cpp11.cpp:118:12:118:12 | Phi | Node steps to itself | -| cpp11.cpp:118:12:118:12 | x | Node steps to itself | -| cpp11.cpp:120:11:120:11 | x | Node steps to itself | -| cpp11.cpp:122:18:122:18 | x | Node steps to itself | -| cpp11.cpp:124:18:124:18 | x | Node steps to itself | -| cpp11.cpp:126:18:126:18 | x | Node steps to itself | -| cpp11.cpp:128:18:128:18 | x | Node steps to itself | -| cpp11.cpp:144:11:144:11 | x | Node steps to itself | -| cpp11.cpp:145:13:145:13 | x | Node steps to itself | -| cpp11.cpp:147:15:147:15 | x | Node steps to itself | -| cpp11.cpp:154:15:154:15 | x | Node steps to itself | -| cpp11.cpp:168:9:168:9 | x | Node steps to itself | -| cpp17.cpp:15:5:15:45 | new indirection | Node steps to itself | -| cpp17.cpp:15:11:15:21 | ptr indirection | Node steps to itself | -| cpp17.cpp:15:38:15:41 | (unnamed parameter 2) | Node steps to itself | -| cpp17.cpp:15:38:15:41 | args | Node steps to itself | -| cpp17.cpp:19:10:19:10 | p | Node steps to itself | -| cpp17.cpp:19:10:19:10 | p indirection | Node steps to itself | -| cpp17.cpp:19:13:19:13 | 1 indirection | Node steps to itself | -| cpp17.cpp:19:16:19:16 | 2 indirection | Node steps to itself | -| destructors.cpp:51:22:51:22 | x | Node steps to itself | -| dostmt.c:35:7:35:7 | Phi | Node steps to itself | -| dostmt.c:35:7:35:7 | i | Node steps to itself | -| dostmt.c:36:11:36:11 | i | Node steps to itself | -| duff2.c:3:14:3:14 | i | Node steps to itself | -| duff2.c:4:13:4:13 | i | Node steps to itself | -| duff2.c:13:16:13:16 | n | Node steps to itself | -| duff2.c:17:14:17:14 | i | Node steps to itself | -| duff2.c:18:13:18:13 | i | Node steps to itself | -| duff2.c:21:16:21:16 | n | Node steps to itself | -| duff.c:3:14:3:14 | i | Node steps 
to itself | -| duff.c:4:13:4:13 | i | Node steps to itself | -| duff.c:13:24:13:24 | n | Node steps to itself | -| ellipsisexceptionhandler.cpp:16:7:16:15 | condition | Node steps to itself | -| fieldaccess.cpp:11:6:11:6 | c | Node steps to itself | -| fieldaccess.cpp:11:6:11:6 | c indirection | Node steps to itself | -| file://:0:0:0:0 | (__begin) | Node steps to itself | -| file://:0:0:0:0 | (__begin) | Node steps to itself | -| file://:0:0:0:0 | (__begin) | Node steps to itself | -| file://:0:0:0:0 | (__begin) | Node steps to itself | -| file://:0:0:0:0 | (__end) | Node steps to itself | -| file://:0:0:0:0 | (__end) | Node steps to itself | -| file://:0:0:0:0 | (unnamed parameter 0) indirection | Node steps to itself | -| file://:0:0:0:0 | (unnamed parameter 0) indirection | Node steps to itself | -| file://:0:0:0:0 | (unnamed parameter 0) indirection | Node steps to itself | -| file://:0:0:0:0 | Phi | Node steps to itself | -| file://:0:0:0:0 | Phi | Node steps to itself | -| file://:0:0:0:0 | Phi | Node steps to itself | -| file://:0:0:0:0 | Phi | Node steps to itself | -| file://:0:0:0:0 | Phi | Node steps to itself | -| file://:0:0:0:0 | Phi | Node steps to itself | -| file://:0:0:0:0 | Phi | Node steps to itself | -| file://:0:0:0:0 | Phi | Node steps to itself | -| file://:0:0:0:0 | Phi | Node steps to itself | -| file://:0:0:0:0 | call to C | Node steps to itself | -| file://:0:0:0:0 | this | Node steps to itself | -| file://:0:0:0:0 | this indirection | Node steps to itself | -| forstmt.cpp:2:21:2:21 | Phi | Node steps to itself | -| forstmt.cpp:2:21:2:21 | i | Node steps to itself | -| forstmt.cpp:2:29:2:29 | i | Node steps to itself | -| forstmt.cpp:14:21:14:24 | Phi | Node steps to itself | -| forstmt.cpp:14:27:14:27 | i | Node steps to itself | -| forstmt.cpp:19:21:19:21 | Phi | Node steps to itself | -| forstmt.cpp:19:21:19:21 | i | Node steps to itself | -| forstmt.cpp:19:28:19:28 | i | Node steps to itself | -| ifelsestmt.c:38:6:38:6 | x | Node 
steps to itself | -| ifelsestmt.c:38:11:38:11 | y | Node steps to itself | -| ifstmt.c:28:6:28:6 | x | Node steps to itself | -| ifstmt.c:28:11:28:11 | y | Node steps to itself | -| initializer.c:3:10:3:10 | a | Node steps to itself | -| initializer.c:3:14:3:14 | b | Node steps to itself | -| ir.cpp:46:9:46:9 | x | Node steps to itself | -| ir.cpp:47:9:47:9 | x | Node steps to itself | -| ir.cpp:53:9:53:9 | x | Node steps to itself | -| ir.cpp:53:13:53:13 | y | Node steps to itself | -| ir.cpp:54:9:54:9 | x | Node steps to itself | -| ir.cpp:54:13:54:13 | y | Node steps to itself | -| ir.cpp:55:9:55:9 | x | Node steps to itself | -| ir.cpp:55:13:55:13 | y | Node steps to itself | -| ir.cpp:56:9:56:9 | x | Node steps to itself | -| ir.cpp:56:13:56:13 | y | Node steps to itself | -| ir.cpp:57:9:57:9 | x | Node steps to itself | -| ir.cpp:57:13:57:13 | y | Node steps to itself | -| ir.cpp:59:9:59:9 | x | Node steps to itself | -| ir.cpp:59:13:59:13 | y | Node steps to itself | -| ir.cpp:60:9:60:9 | x | Node steps to itself | -| ir.cpp:60:13:60:13 | y | Node steps to itself | -| ir.cpp:61:9:61:9 | x | Node steps to itself | -| ir.cpp:61:13:61:13 | y | Node steps to itself | -| ir.cpp:63:9:63:9 | x | Node steps to itself | -| ir.cpp:63:14:63:14 | y | Node steps to itself | -| ir.cpp:64:9:64:9 | x | Node steps to itself | -| ir.cpp:64:14:64:14 | y | Node steps to itself | -| ir.cpp:66:9:66:9 | x | Node steps to itself | -| ir.cpp:68:5:68:5 | z | Node steps to itself | -| ir.cpp:68:10:68:10 | x | Node steps to itself | -| ir.cpp:69:5:69:5 | z | Node steps to itself | -| ir.cpp:69:10:69:10 | x | Node steps to itself | -| ir.cpp:70:5:70:5 | z | Node steps to itself | -| ir.cpp:70:10:70:10 | x | Node steps to itself | -| ir.cpp:71:5:71:5 | z | Node steps to itself | -| ir.cpp:71:10:71:10 | x | Node steps to itself | -| ir.cpp:72:5:72:5 | z | Node steps to itself | -| ir.cpp:72:10:72:10 | x | Node steps to itself | -| ir.cpp:74:5:74:5 | z | Node steps to itself | -| 
ir.cpp:74:10:74:10 | x | Node steps to itself | -| ir.cpp:75:5:75:5 | z | Node steps to itself | -| ir.cpp:75:10:75:10 | x | Node steps to itself | -| ir.cpp:76:5:76:5 | z | Node steps to itself | -| ir.cpp:76:10:76:10 | x | Node steps to itself | -| ir.cpp:78:5:78:5 | z | Node steps to itself | -| ir.cpp:78:11:78:11 | x | Node steps to itself | -| ir.cpp:79:5:79:5 | z | Node steps to itself | -| ir.cpp:79:11:79:11 | x | Node steps to itself | -| ir.cpp:82:10:82:10 | x | Node steps to itself | -| ir.cpp:83:10:83:10 | x | Node steps to itself | -| ir.cpp:84:10:84:10 | x | Node steps to itself | -| ir.cpp:90:9:90:9 | x | Node steps to itself | -| ir.cpp:90:14:90:14 | y | Node steps to itself | -| ir.cpp:91:9:91:9 | x | Node steps to itself | -| ir.cpp:91:14:91:14 | y | Node steps to itself | -| ir.cpp:92:9:92:9 | x | Node steps to itself | -| ir.cpp:92:13:92:13 | y | Node steps to itself | -| ir.cpp:93:9:93:9 | x | Node steps to itself | -| ir.cpp:93:13:93:13 | y | Node steps to itself | -| ir.cpp:94:9:94:9 | x | Node steps to itself | -| ir.cpp:94:14:94:14 | y | Node steps to itself | -| ir.cpp:95:9:95:9 | x | Node steps to itself | -| ir.cpp:95:14:95:14 | y | Node steps to itself | -| ir.cpp:101:11:101:11 | x | Node steps to itself | -| ir.cpp:102:11:102:11 | x | Node steps to itself | -| ir.cpp:110:13:110:13 | x | Node steps to itself | -| ir.cpp:111:13:111:13 | x | Node steps to itself | -| ir.cpp:117:9:117:9 | x | Node steps to itself | -| ir.cpp:117:13:117:13 | y | Node steps to itself | -| ir.cpp:118:9:118:9 | x | Node steps to itself | -| ir.cpp:118:13:118:13 | y | Node steps to itself | -| ir.cpp:119:9:119:9 | x | Node steps to itself | -| ir.cpp:119:13:119:13 | y | Node steps to itself | -| ir.cpp:120:9:120:9 | x | Node steps to itself | -| ir.cpp:120:13:120:13 | y | Node steps to itself | -| ir.cpp:122:9:122:9 | x | Node steps to itself | -| ir.cpp:124:5:124:5 | z | Node steps to itself | -| ir.cpp:124:10:124:10 | x | Node steps to itself | -| 
ir.cpp:125:5:125:5 | z | Node steps to itself | -| ir.cpp:125:10:125:10 | x | Node steps to itself | -| ir.cpp:126:5:126:5 | z | Node steps to itself | -| ir.cpp:126:10:126:10 | x | Node steps to itself | -| ir.cpp:127:5:127:5 | z | Node steps to itself | -| ir.cpp:127:10:127:10 | x | Node steps to itself | -| ir.cpp:130:10:130:10 | x | Node steps to itself | -| ir.cpp:136:9:136:9 | x | Node steps to itself | -| ir.cpp:136:14:136:14 | y | Node steps to itself | -| ir.cpp:137:9:137:9 | x | Node steps to itself | -| ir.cpp:137:14:137:14 | y | Node steps to itself | -| ir.cpp:138:9:138:9 | x | Node steps to itself | -| ir.cpp:138:13:138:13 | y | Node steps to itself | -| ir.cpp:139:9:139:9 | x | Node steps to itself | -| ir.cpp:139:13:139:13 | y | Node steps to itself | -| ir.cpp:140:9:140:9 | x | Node steps to itself | -| ir.cpp:140:14:140:14 | y | Node steps to itself | -| ir.cpp:141:9:141:9 | x | Node steps to itself | -| ir.cpp:141:14:141:14 | y | Node steps to itself | -| ir.cpp:147:11:147:11 | x | Node steps to itself | -| ir.cpp:148:11:148:11 | x | Node steps to itself | -| ir.cpp:157:9:157:9 | p | Node steps to itself | -| ir.cpp:157:13:157:13 | i | Node steps to itself | -| ir.cpp:158:9:158:9 | i | Node steps to itself | -| ir.cpp:158:13:158:13 | p | Node steps to itself | -| ir.cpp:159:9:159:9 | p | Node steps to itself | -| ir.cpp:159:13:159:13 | i | Node steps to itself | -| ir.cpp:160:9:160:9 | p | Node steps to itself | -| ir.cpp:160:13:160:13 | q | Node steps to itself | -| ir.cpp:162:9:162:9 | p | Node steps to itself | -| ir.cpp:164:5:164:5 | q | Node steps to itself | -| ir.cpp:164:10:164:10 | i | Node steps to itself | -| ir.cpp:165:5:165:5 | q | Node steps to itself | -| ir.cpp:165:10:165:10 | i | Node steps to itself | -| ir.cpp:167:9:167:9 | p | Node steps to itself | -| ir.cpp:168:10:168:10 | p | Node steps to itself | -| ir.cpp:174:9:174:9 | p | Node steps to itself | -| ir.cpp:174:11:174:11 | i | Node steps to itself | -| ir.cpp:175:9:175:9 | 
i | Node steps to itself | -| ir.cpp:175:11:175:11 | p | Node steps to itself | -| ir.cpp:177:5:177:5 | p | Node steps to itself | -| ir.cpp:177:7:177:7 | i | Node steps to itself | -| ir.cpp:177:12:177:12 | x | Node steps to itself | -| ir.cpp:178:5:178:5 | i | Node steps to itself | -| ir.cpp:178:7:178:7 | p | Node steps to itself | -| ir.cpp:178:12:178:12 | x | Node steps to itself | -| ir.cpp:181:11:181:11 | i | Node steps to itself | -| ir.cpp:182:9:182:9 | i | Node steps to itself | -| ir.cpp:183:7:183:7 | i | Node steps to itself | -| ir.cpp:183:12:183:12 | x | Node steps to itself | -| ir.cpp:184:5:184:5 | i | Node steps to itself | -| ir.cpp:184:12:184:12 | x | Node steps to itself | -| ir.cpp:188:20:188:20 | i | Node steps to itself | -| ir.cpp:190:18:190:20 | pwc | Node steps to itself | -| ir.cpp:190:22:190:22 | i | Node steps to itself | -| ir.cpp:196:9:196:9 | p | Node steps to itself | -| ir.cpp:196:14:196:14 | q | Node steps to itself | -| ir.cpp:197:9:197:9 | p | Node steps to itself | -| ir.cpp:197:14:197:14 | q | Node steps to itself | -| ir.cpp:198:9:198:9 | p | Node steps to itself | -| ir.cpp:198:13:198:13 | q | Node steps to itself | -| ir.cpp:199:9:199:9 | p | Node steps to itself | -| ir.cpp:199:13:199:13 | q | Node steps to itself | -| ir.cpp:200:9:200:9 | p | Node steps to itself | -| ir.cpp:200:14:200:14 | q | Node steps to itself | -| ir.cpp:201:9:201:9 | p | Node steps to itself | -| ir.cpp:201:14:201:14 | q | Node steps to itself | -| ir.cpp:207:11:207:11 | p | Node steps to itself | -| ir.cpp:208:11:208:11 | p | Node steps to itself | -| ir.cpp:216:5:216:5 | x | Node steps to itself | -| ir.cpp:220:10:220:10 | x | Node steps to itself | -| ir.cpp:223:5:223:5 | y | Node steps to itself | -| ir.cpp:232:13:232:13 | x | Node steps to itself | -| ir.cpp:236:12:236:12 | x | Node steps to itself | -| ir.cpp:236:16:236:16 | y | Node steps to itself | -| ir.cpp:240:9:240:9 | b | Node steps to itself | -| ir.cpp:243:9:243:9 | b | Node steps to 
itself | -| ir.cpp:244:13:244:13 | y | Node steps to itself | -| ir.cpp:247:9:247:9 | x | Node steps to itself | -| ir.cpp:254:12:254:12 | Phi | Node steps to itself | -| ir.cpp:254:12:254:12 | n | Node steps to itself | -| ir.cpp:255:9:255:9 | n | Node steps to itself | -| ir.cpp:261:9:261:9 | n | Node steps to itself | -| ir.cpp:261:14:261:14 | Phi | Node steps to itself | -| ir.cpp:262:14:262:14 | n | Node steps to itself | -| ir.cpp:280:12:280:12 | Phi | Node steps to itself | -| ir.cpp:280:12:280:12 | Phi | Node steps to itself | -| ir.cpp:280:12:280:12 | i | Node steps to itself | -| ir.cpp:287:13:287:13 | i | Node steps to itself | -| ir.cpp:288:9:288:9 | Phi | Node steps to itself | -| ir.cpp:293:21:293:21 | Phi | Node steps to itself | -| ir.cpp:293:21:293:21 | Phi | Node steps to itself | -| ir.cpp:293:21:293:21 | i | Node steps to itself | -| ir.cpp:299:22:299:22 | i | Node steps to itself | -| ir.cpp:300:9:300:9 | Phi | Node steps to itself | -| ir.cpp:306:12:306:12 | Phi | Node steps to itself | -| ir.cpp:306:12:306:12 | i | Node steps to itself | -| ir.cpp:306:20:306:20 | i | Node steps to itself | -| ir.cpp:312:21:312:21 | Phi | Node steps to itself | -| ir.cpp:312:21:312:21 | i | Node steps to itself | -| ir.cpp:312:29:312:29 | i | Node steps to itself | -| ir.cpp:318:21:318:21 | Phi | Node steps to itself | -| ir.cpp:318:21:318:21 | i | Node steps to itself | -| ir.cpp:318:29:318:29 | i | Node steps to itself | -| ir.cpp:319:13:319:13 | i | Node steps to itself | -| ir.cpp:326:21:326:21 | Phi | Node steps to itself | -| ir.cpp:326:21:326:21 | i | Node steps to itself | -| ir.cpp:326:29:326:29 | i | Node steps to itself | -| ir.cpp:327:13:327:13 | i | Node steps to itself | -| ir.cpp:334:21:334:21 | Phi | Node steps to itself | -| ir.cpp:334:21:334:21 | Phi | Node steps to itself | -| ir.cpp:334:21:334:21 | i | Node steps to itself | -| ir.cpp:335:13:335:13 | i | Node steps to itself | -| ir.cpp:343:13:343:13 | p | Node steps to itself | -| 
ir.cpp:353:12:353:12 | Phi | Node steps to itself | -| ir.cpp:353:12:353:12 | n | Node steps to itself | -| ir.cpp:354:13:354:13 | n | Node steps to itself | -| ir.cpp:356:9:356:9 | n | Node steps to itself | -| ir.cpp:362:13:362:13 | n | Node steps to itself | -| ir.cpp:365:9:365:9 | n | Node steps to itself | -| ir.cpp:366:14:366:14 | n | Node steps to itself | -| ir.cpp:377:16:377:16 | x | Node steps to itself | -| ir.cpp:377:19:377:19 | y | Node steps to itself | -| ir.cpp:381:32:381:32 | x | Node steps to itself | -| ir.cpp:381:35:381:35 | y | Node steps to itself | -| ir.cpp:386:13:386:13 | x | Node steps to itself | -| ir.cpp:423:12:423:13 | pt | Node steps to itself | -| ir.cpp:435:9:435:9 | a | Node steps to itself | -| ir.cpp:435:14:435:14 | b | Node steps to itself | -| ir.cpp:439:9:439:9 | a | Node steps to itself | -| ir.cpp:439:14:439:14 | b | Node steps to itself | -| ir.cpp:449:9:449:9 | a | Node steps to itself | -| ir.cpp:449:14:449:14 | b | Node steps to itself | -| ir.cpp:453:9:453:9 | a | Node steps to itself | -| ir.cpp:453:14:453:14 | b | Node steps to itself | -| ir.cpp:463:10:463:10 | a | Node steps to itself | -| ir.cpp:467:11:467:11 | a | Node steps to itself | -| ir.cpp:467:16:467:16 | b | Node steps to itself | -| ir.cpp:477:9:477:9 | a | Node steps to itself | -| ir.cpp:477:9:477:14 | ... && ... | Node steps to itself | -| ir.cpp:477:14:477:14 | b | Node steps to itself | -| ir.cpp:478:9:478:9 | a | Node steps to itself | -| ir.cpp:478:9:478:14 | ... \|\| ... | Node steps to itself | -| ir.cpp:478:14:478:14 | b | Node steps to itself | -| ir.cpp:479:11:479:11 | a | Node steps to itself | -| ir.cpp:479:11:479:16 | ... \|\| ... | Node steps to itself | -| ir.cpp:479:16:479:16 | b | Node steps to itself | -| ir.cpp:483:13:483:13 | a | Node steps to itself | -| ir.cpp:483:13:483:21 | ... ? ... : ... 
| Node steps to itself | -| ir.cpp:483:17:483:17 | x | Node steps to itself | -| ir.cpp:483:21:483:21 | y | Node steps to itself | -| ir.cpp:489:6:489:6 | a | Node steps to itself | -| ir.cpp:493:5:493:5 | a | Node steps to itself | -| ir.cpp:504:19:504:19 | x | Node steps to itself | -| ir.cpp:505:19:505:19 | x | Node steps to itself | -| ir.cpp:514:19:514:19 | x | Node steps to itself | -| ir.cpp:515:19:515:19 | x | Node steps to itself | -| ir.cpp:515:29:515:29 | x | Node steps to itself | -| ir.cpp:516:19:516:19 | x | Node steps to itself | -| ir.cpp:516:26:516:26 | x | Node steps to itself | -| ir.cpp:521:19:521:19 | x | Node steps to itself | -| ir.cpp:522:19:522:19 | x | Node steps to itself | -| ir.cpp:536:9:536:9 | x | Node steps to itself | -| ir.cpp:536:13:536:13 | y | Node steps to itself | -| ir.cpp:540:9:540:9 | x | Node steps to itself | -| ir.cpp:544:9:544:9 | x | Node steps to itself | -| ir.cpp:544:13:544:13 | y | Node steps to itself | -| ir.cpp:545:16:545:16 | x | Node steps to itself | -| ir.cpp:548:12:548:12 | x | Node steps to itself | -| ir.cpp:548:16:548:16 | y | Node steps to itself | -| ir.cpp:552:12:552:14 | pfn | Node steps to itself | -| ir.cpp:623:5:623:5 | r indirection | Node steps to itself | -| ir.cpp:624:5:624:5 | p indirection | Node steps to itself | -| ir.cpp:632:16:632:16 | x | Node steps to itself | -| ir.cpp:636:16:636:16 | x | Node steps to itself | -| ir.cpp:640:16:640:16 | x | Node steps to itself | -| ir.cpp:644:9:644:12 | this | Node steps to itself | -| ir.cpp:646:9:646:11 | this | Node steps to itself | -| ir.cpp:648:13:648:16 | this | Node steps to itself | -| ir.cpp:650:13:650:15 | this | Node steps to itself | -| ir.cpp:650:13:650:15 | this indirection | Node steps to itself | -| ir.cpp:654:9:654:12 | this | Node steps to itself | -| ir.cpp:656:9:656:30 | this | Node steps to itself | -| ir.cpp:656:9:656:30 | this indirection | Node steps to itself | -| ir.cpp:678:12:678:12 | r | Node steps to itself | -| 
ir.cpp:707:10:707:24 | ... ? ... : ... | Node steps to itself | -| ir.cpp:707:11:707:11 | x | Node steps to itself | -| ir.cpp:707:15:707:15 | y | Node steps to itself | -| ir.cpp:707:20:707:20 | x | Node steps to itself | -| ir.cpp:707:24:707:24 | y | Node steps to itself | -| ir.cpp:711:14:711:14 | x | Node steps to itself | -| ir.cpp:711:17:711:17 | y | Node steps to itself | -| ir.cpp:718:12:718:14 | 0 | Node steps to itself | -| ir.cpp:729:9:729:9 | b | Node steps to itself | -| ir.cpp:732:14:732:14 | x | Node steps to itself | -| ir.cpp:738:18:738:18 | s | Node steps to itself | -| ir.cpp:747:8:747:8 | this | Node steps to itself | -| ir.cpp:756:8:756:8 | this | Node steps to itself | -| ir.cpp:762:3:762:3 | call to ~Base indirection | Node steps to itself | -| ir.cpp:765:8:765:8 | this | Node steps to itself | -| ir.cpp:771:3:771:3 | call to ~Middle indirection | Node steps to itself | -| ir.cpp:780:3:780:3 | call to ~Base indirection | Node steps to itself | -| ir.cpp:789:3:789:3 | call to ~Base indirection | Node steps to itself | -| ir.cpp:798:3:798:3 | call to ~Base indirection | Node steps to itself | -| ir.cpp:811:7:811:13 | call to Base indirection | Node steps to itself | -| ir.cpp:812:7:812:26 | call to Base indirection | Node steps to itself | -| ir.cpp:825:7:825:13 | call to Base indirection | Node steps to itself | -| ir.cpp:826:7:826:26 | call to Base indirection | Node steps to itself | -| ir.cpp:865:34:865:35 | pb | Node steps to itself | -| ir.cpp:866:47:866:48 | pd | Node steps to itself | -| ir.cpp:908:11:908:24 | ... ? ... : ... 
| Node steps to itself | -| ir.cpp:908:20:908:20 | x | Node steps to itself | -| ir.cpp:946:3:946:14 | new indirection | Node steps to itself | -| ir.cpp:947:3:947:27 | new indirection | Node steps to itself | -| landexpr.c:3:6:3:6 | a | Node steps to itself | -| landexpr.c:3:11:3:11 | b | Node steps to itself | -| lorexpr.c:3:6:3:6 | a | Node steps to itself | -| lorexpr.c:3:11:3:11 | b | Node steps to itself | -| ltrbinopexpr.c:5:5:5:5 | i | Node steps to itself | -| ltrbinopexpr.c:5:9:5:9 | j | Node steps to itself | -| ltrbinopexpr.c:6:5:6:5 | i | Node steps to itself | -| ltrbinopexpr.c:6:9:6:9 | j | Node steps to itself | -| ltrbinopexpr.c:7:5:7:5 | i | Node steps to itself | -| ltrbinopexpr.c:7:9:7:9 | j | Node steps to itself | -| ltrbinopexpr.c:8:5:8:5 | i | Node steps to itself | -| ltrbinopexpr.c:8:9:8:9 | j | Node steps to itself | -| ltrbinopexpr.c:9:5:9:5 | i | Node steps to itself | -| ltrbinopexpr.c:9:9:9:9 | j | Node steps to itself | -| ltrbinopexpr.c:11:5:11:5 | p | Node steps to itself | -| ltrbinopexpr.c:11:9:11:9 | i | Node steps to itself | -| ltrbinopexpr.c:12:5:12:5 | p | Node steps to itself | -| ltrbinopexpr.c:12:9:12:9 | i | Node steps to itself | -| ltrbinopexpr.c:15:5:15:5 | i | Node steps to itself | -| ltrbinopexpr.c:15:10:15:10 | j | Node steps to itself | -| ltrbinopexpr.c:16:5:16:5 | i | Node steps to itself | -| ltrbinopexpr.c:16:10:16:10 | j | Node steps to itself | -| ltrbinopexpr.c:18:5:18:5 | i | Node steps to itself | -| ltrbinopexpr.c:18:9:18:9 | j | Node steps to itself | -| ltrbinopexpr.c:19:5:19:5 | i | Node steps to itself | -| ltrbinopexpr.c:19:9:19:9 | j | Node steps to itself | -| ltrbinopexpr.c:20:5:20:5 | i | Node steps to itself | -| ltrbinopexpr.c:20:9:20:9 | j | Node steps to itself | -| ltrbinopexpr.c:21:5:21:5 | i | Node steps to itself | -| ltrbinopexpr.c:21:10:21:10 | j | Node steps to itself | -| ltrbinopexpr.c:22:5:22:5 | i | Node steps to itself | -| ltrbinopexpr.c:22:10:22:10 | j | Node steps to itself | 
-| ltrbinopexpr.c:23:5:23:5 | i | Node steps to itself | -| ltrbinopexpr.c:23:9:23:9 | j | Node steps to itself | -| ltrbinopexpr.c:24:5:24:5 | i | Node steps to itself | -| ltrbinopexpr.c:24:9:24:9 | j | Node steps to itself | -| ltrbinopexpr.c:25:5:25:5 | i | Node steps to itself | -| ltrbinopexpr.c:25:10:25:10 | j | Node steps to itself | -| ltrbinopexpr.c:26:5:26:5 | i | Node steps to itself | -| ltrbinopexpr.c:26:10:26:10 | j | Node steps to itself | -| ltrbinopexpr.c:28:5:28:5 | i | Node steps to itself | -| ltrbinopexpr.c:28:10:28:10 | j | Node steps to itself | -| ltrbinopexpr.c:29:5:29:5 | i | Node steps to itself | -| ltrbinopexpr.c:29:10:29:10 | j | Node steps to itself | -| ltrbinopexpr.c:30:5:30:5 | i | Node steps to itself | -| ltrbinopexpr.c:30:10:30:10 | j | Node steps to itself | -| ltrbinopexpr.c:31:5:31:5 | i | Node steps to itself | -| ltrbinopexpr.c:31:10:31:10 | j | Node steps to itself | -| ltrbinopexpr.c:32:5:32:5 | i | Node steps to itself | -| ltrbinopexpr.c:32:10:32:10 | j | Node steps to itself | -| ltrbinopexpr.c:33:5:33:5 | i | Node steps to itself | -| ltrbinopexpr.c:33:11:33:11 | j | Node steps to itself | -| ltrbinopexpr.c:34:5:34:5 | i | Node steps to itself | -| ltrbinopexpr.c:34:11:34:11 | j | Node steps to itself | -| ltrbinopexpr.c:35:5:35:5 | i | Node steps to itself | -| ltrbinopexpr.c:35:10:35:10 | j | Node steps to itself | -| ltrbinopexpr.c:36:5:36:5 | i | Node steps to itself | -| ltrbinopexpr.c:36:10:36:10 | j | Node steps to itself | -| ltrbinopexpr.c:37:5:37:5 | i | Node steps to itself | -| ltrbinopexpr.c:37:10:37:10 | j | Node steps to itself | -| ltrbinopexpr.c:39:5:39:5 | p | Node steps to itself | -| ltrbinopexpr.c:39:10:39:10 | i | Node steps to itself | -| ltrbinopexpr.c:40:5:40:5 | p | Node steps to itself | -| ltrbinopexpr.c:40:10:40:10 | i | Node steps to itself | -| membercallexpr.cpp:10:2:10:2 | c | Node steps to itself | -| membercallexpr.cpp:10:2:10:2 | c indirection | Node steps to itself | -| 
membercallexpr_args.cpp:12:2:12:2 | c | Node steps to itself | -| membercallexpr_args.cpp:12:2:12:2 | c indirection | Node steps to itself | -| membercallexpr_args.cpp:12:10:12:10 | i | Node steps to itself | -| membercallexpr_args.cpp:12:14:12:14 | j | Node steps to itself | -| membercallexpr_args.cpp:12:17:12:17 | k | Node steps to itself | -| membercallexpr_args.cpp:12:21:12:21 | l | Node steps to itself | -| misc.c:20:7:20:7 | i | Node steps to itself | -| misc.c:21:5:21:5 | i | Node steps to itself | -| misc.c:22:9:22:12 | argi | Node steps to itself | -| misc.c:22:17:22:20 | argj | Node steps to itself | -| misc.c:27:9:27:12 | argi | Node steps to itself | -| misc.c:27:17:27:20 | argj | Node steps to itself | -| misc.c:32:9:32:9 | i | Node steps to itself | -| misc.c:32:14:32:14 | j | Node steps to itself | -| misc.c:37:9:37:9 | i | Node steps to itself | -| misc.c:37:14:37:14 | j | Node steps to itself | -| misc.c:44:11:44:11 | Phi | Node steps to itself | -| misc.c:44:11:44:11 | Phi | Node steps to itself | -| misc.c:44:11:44:11 | Phi | Node steps to itself | -| misc.c:44:11:44:11 | i | Node steps to itself | -| misc.c:45:9:45:9 | j | Node steps to itself | -| misc.c:47:11:47:11 | Phi | Node steps to itself | -| misc.c:47:11:47:11 | Phi | Node steps to itself | -| misc.c:47:11:47:11 | Phi | Node steps to itself | -| misc.c:47:11:47:11 | i | Node steps to itself | -| misc.c:47:16:47:16 | j | Node steps to itself | -| misc.c:48:9:48:9 | j | Node steps to itself | -| misc.c:50:11:50:11 | Phi | Node steps to itself | -| misc.c:50:11:50:11 | Phi | Node steps to itself | -| misc.c:50:11:50:11 | i | Node steps to itself | -| misc.c:50:16:50:16 | j | Node steps to itself | -| misc.c:51:9:51:9 | j | Node steps to itself | -| misc.c:53:11:53:14 | Phi | Node steps to itself | -| misc.c:53:11:53:14 | Phi | Node steps to itself | -| misc.c:53:11:53:14 | Phi | Node steps to itself | -| misc.c:53:11:53:14 | argi | Node steps to itself | -| misc.c:54:9:54:9 | j | Node 
steps to itself | -| misc.c:57:9:57:9 | Phi | Node steps to itself | -| misc.c:57:9:57:9 | Phi | Node steps to itself | -| misc.c:57:9:57:9 | Phi | Node steps to itself | -| misc.c:57:9:57:9 | j | Node steps to itself | -| misc.c:58:13:58:13 | i | Node steps to itself | -| misc.c:60:9:60:9 | Phi | Node steps to itself | -| misc.c:60:9:60:9 | Phi | Node steps to itself | -| misc.c:60:9:60:9 | Phi | Node steps to itself | -| misc.c:60:9:60:9 | j | Node steps to itself | -| misc.c:61:13:61:16 | argi | Node steps to itself | -| misc.c:62:16:62:16 | Phi | Node steps to itself | -| misc.c:62:16:62:16 | i | Node steps to itself | -| misc.c:62:24:62:24 | i | Node steps to itself | -| misc.c:64:11:64:11 | Phi | Node steps to itself | -| misc.c:64:11:64:11 | i | Node steps to itself | -| misc.c:64:19:64:19 | i | Node steps to itself | -| misc.c:66:18:66:18 | i | Node steps to itself | -| misc.c:66:23:67:5 | Phi | Node steps to itself | -| misc.c:93:9:93:15 | ... ? ... : ... | Node steps to itself | -| misc.c:94:9:94:10 | sp | Node steps to itself | -| misc.c:94:9:94:10 | sp indirection | Node steps to itself | -| misc.c:94:9:94:19 | ... ? ... : ... 
| Node steps to itself | -| misc.c:94:19:94:19 | i | Node steps to itself | -| misc.c:100:13:100:13 | i | Node steps to itself | -| misc.c:105:13:105:13 | i | Node steps to itself | -| misc.c:110:13:110:13 | i | Node steps to itself | -| misc.c:115:13:115:13 | i | Node steps to itself | -| misc.c:119:13:119:13 | i | Node steps to itself | -| misc.c:123:13:123:13 | i | Node steps to itself | -| misc.c:123:17:123:17 | j | Node steps to itself | -| misc.c:124:14:124:14 | i | Node steps to itself | -| misc.c:124:18:124:18 | j | Node steps to itself | -| misc.c:124:30:124:30 | i | Node steps to itself | -| misc.c:130:11:130:11 | j | Node steps to itself | -| misc.c:131:5:131:6 | sp | Node steps to itself | -| misc.c:131:13:131:13 | j | Node steps to itself | -| misc.c:133:9:133:10 | sp | Node steps to itself | -| misc.c:135:9:135:9 | i | Node steps to itself | -| misc.c:135:13:135:13 | j | Node steps to itself | -| misc.c:136:9:136:9 | i | Node steps to itself | -| misc.c:136:13:136:13 | j | Node steps to itself | -| misc.c:137:9:137:9 | i | Node steps to itself | -| misc.c:137:13:137:13 | j | Node steps to itself | -| misc.c:139:10:139:11 | sp | Node steps to itself | -| misc.c:139:18:139:18 | j | Node steps to itself | -| misc.c:139:25:139:26 | sp | Node steps to itself | -| misc.c:139:25:139:26 | sp indirection | Node steps to itself | -| misc.c:139:33:139:33 | j | Node steps to itself | -| misc.c:140:9:140:9 | i | Node steps to itself | -| misc.c:140:14:140:14 | i | Node steps to itself | -| misc.c:140:19:140:19 | i | Node steps to itself | -| misc.c:141:9:141:9 | i | Node steps to itself | -| misc.c:141:14:141:14 | i | Node steps to itself | -| misc.c:141:19:141:19 | i | Node steps to itself | -| misc.c:147:9:147:14 | intFun | Node steps to itself | -| misc.c:147:16:147:16 | i | Node steps to itself | -| misc.c:147:19:147:19 | j | Node steps to itself | -| misc.c:149:5:149:10 | pfunvv | Node steps to itself | -| misc.c:157:18:157:18 | x | Node steps to itself | -| 
misc.c:158:18:158:18 | x | Node steps to itself | -| misc.c:171:15:171:15 | i | Node steps to itself | -| misc.c:188:12:188:12 | i | Node steps to itself | -| misc.c:216:10:216:25 | global_with_init | Node steps to itself | -| misc.c:220:9:223:3 | {...} | Node steps to itself | -| modeled-functions.cpp:6:10:6:16 | socket2 | Node steps to itself | -| ms_assume.cpp:16:6:16:9 | argc | Node steps to itself | -| ms_assume.cpp:19:13:19:16 | argc | Node steps to itself | -| ms_assume.cpp:28:31:28:31 | s | Node steps to itself | -| ms_assume.cpp:28:31:28:31 | s indirection | Node steps to itself | -| ms_try_mix.cpp:17:13:17:14 | b1 | Node steps to itself | -| ms_try_mix.cpp:34:13:34:14 | b2 | Node steps to itself | -| newexpr.cpp:10:2:10:20 | new indirection | Node steps to itself | -| newexpr.cpp:10:8:10:8 | a | Node steps to itself | -| newexpr.cpp:10:12:10:12 | b | Node steps to itself | -| newexpr.cpp:10:15:10:15 | c | Node steps to itself | -| newexpr.cpp:10:19:10:19 | d | Node steps to itself | -| nodefaultswitchstmt.c:2:14:2:14 | x | Node steps to itself | -| nonmemberfpcallexpr.c:3:2:3:2 | g | Node steps to itself | -| ops.cpp:21:33:21:33 | i | Node steps to itself | -| parameterinitializer.cpp:8:24:8:24 | i | Node steps to itself | -| pmcallexpr.cpp:10:3:10:3 | c | Node steps to itself | -| pmcallexpr.cpp:10:8:10:8 | d | Node steps to itself | -| pmcallexpr.cpp:10:8:10:8 | d indirection | Node steps to itself | -| pointer_to_member.cpp:26:19:26:20 | pm | Node steps to itself | -| pointer_to_member.cpp:29:12:29:14 | acc | Node steps to itself | -| pruning.c:70:9:70:9 | i | Node steps to itself | -| pruning.c:79:9:79:9 | i | Node steps to itself | -| pruning.c:88:9:88:9 | i | Node steps to itself | -| pruning.c:97:9:97:9 | i | Node steps to itself | -| pruning.c:106:9:106:9 | i | Node steps to itself | -| pruning.c:115:9:115:9 | i | Node steps to itself | -| pruning.c:124:9:124:9 | i | Node steps to itself | -| pruning.c:166:12:166:12 | i | Node steps to itself | -| 
pruning.c:173:12:173:12 | i | Node steps to itself | -| pruning.c:180:12:180:12 | i | Node steps to itself | -| pruning.c:187:12:187:12 | i | Node steps to itself | -| pruning.c:194:45:194:51 | faulted | Node steps to itself | -| pruning.c:195:13:195:19 | faulted | Node steps to itself | -| questionexpr.c:3:6:3:6 | a | Node steps to itself | -| questionexpr.c:3:6:3:27 | ... ? ... : ... | Node steps to itself | -| questionexpr.c:3:11:3:11 | b | Node steps to itself | -| questionexpr.c:3:15:3:15 | c | Node steps to itself | -| questionexpr.c:3:19:3:19 | b | Node steps to itself | -| questionexpr.c:3:23:3:23 | d | Node steps to itself | -| questionexpr.c:3:27:3:27 | b | Node steps to itself | -| range_analysis.c:7:10:7:10 | Phi | Node steps to itself | -| range_analysis.c:7:10:7:10 | Phi | Node steps to itself | -| range_analysis.c:7:10:7:10 | p | Node steps to itself | -| range_analysis.c:7:17:7:17 | p | Node steps to itself | -| range_analysis.c:7:17:7:17 | p indirection | Node steps to itself | -| range_analysis.c:8:13:8:17 | count | Node steps to itself | -| range_analysis.c:10:10:10:14 | count | Node steps to itself | -| range_analysis.c:15:10:15:10 | Phi | Node steps to itself | -| range_analysis.c:15:10:15:10 | Phi | Node steps to itself | -| range_analysis.c:15:10:15:10 | p | Node steps to itself | -| range_analysis.c:15:17:15:17 | p | Node steps to itself | -| range_analysis.c:15:17:15:17 | p indirection | Node steps to itself | -| range_analysis.c:16:14:16:18 | count | Node steps to itself | -| range_analysis.c:18:10:18:14 | count | Node steps to itself | -| range_analysis.c:23:10:23:10 | Phi | Node steps to itself | -| range_analysis.c:23:10:23:10 | Phi | Node steps to itself | -| range_analysis.c:23:10:23:10 | p | Node steps to itself | -| range_analysis.c:23:17:23:17 | p | Node steps to itself | -| range_analysis.c:23:17:23:17 | p indirection | Node steps to itself | -| range_analysis.c:24:5:24:9 | count | Node steps to itself | -| 
range_analysis.c:25:13:25:17 | count | Node steps to itself | -| range_analysis.c:27:10:27:14 | count | Node steps to itself | -| range_analysis.c:33:15:33:15 | Phi | Node steps to itself | -| range_analysis.c:33:15:33:15 | Phi | Node steps to itself | -| range_analysis.c:33:15:33:15 | i | Node steps to itself | -| range_analysis.c:33:26:33:26 | i | Node steps to itself | -| range_analysis.c:34:5:34:9 | total | Node steps to itself | -| range_analysis.c:34:14:34:14 | i | Node steps to itself | -| range_analysis.c:36:10:36:14 | total | Node steps to itself | -| range_analysis.c:36:18:36:18 | i | Node steps to itself | -| range_analysis.c:42:15:42:15 | Phi | Node steps to itself | -| range_analysis.c:42:15:42:15 | Phi | Node steps to itself | -| range_analysis.c:42:15:42:15 | i | Node steps to itself | -| range_analysis.c:42:22:42:22 | i | Node steps to itself | -| range_analysis.c:43:5:43:9 | total | Node steps to itself | -| range_analysis.c:43:14:43:14 | i | Node steps to itself | -| range_analysis.c:45:10:45:14 | total | Node steps to itself | -| range_analysis.c:45:18:45:18 | i | Node steps to itself | -| range_analysis.c:51:15:51:15 | Phi | Node steps to itself | -| range_analysis.c:51:15:51:15 | Phi | Node steps to itself | -| range_analysis.c:51:15:51:15 | i | Node steps to itself | -| range_analysis.c:51:28:51:28 | i | Node steps to itself | -| range_analysis.c:52:5:52:9 | total | Node steps to itself | -| range_analysis.c:52:14:52:14 | i | Node steps to itself | -| range_analysis.c:54:10:54:14 | total | Node steps to itself | -| range_analysis.c:54:18:54:18 | i | Node steps to itself | -| range_analysis.c:58:7:58:7 | i | Node steps to itself | -| range_analysis.c:59:9:59:9 | i | Node steps to itself | -| range_analysis.c:60:14:60:14 | i | Node steps to itself | -| range_analysis.c:67:15:67:15 | y | Node steps to itself | -| range_analysis.c:67:20:67:20 | y | Node steps to itself | -| range_analysis.c:68:9:68:9 | x | Node steps to itself | -| 
range_analysis.c:68:13:68:13 | y | Node steps to itself | -| range_analysis.c:69:14:69:14 | x | Node steps to itself | -| range_analysis.c:72:10:72:10 | y | Node steps to itself | -| range_analysis.c:76:7:76:7 | y | Node steps to itself | -| range_analysis.c:77:9:77:9 | x | Node steps to itself | -| range_analysis.c:81:9:81:9 | x | Node steps to itself | -| range_analysis.c:85:10:85:10 | x | Node steps to itself | -| range_analysis.c:89:7:89:7 | y | Node steps to itself | -| range_analysis.c:90:9:90:9 | x | Node steps to itself | -| range_analysis.c:90:13:90:13 | y | Node steps to itself | -| range_analysis.c:93:12:93:12 | x | Node steps to itself | -| range_analysis.c:100:8:100:8 | p | Node steps to itself | -| range_analysis.c:105:10:105:10 | p | Node steps to itself | -| range_analysis.c:124:11:124:15 | Phi | Node steps to itself | -| range_analysis.c:124:11:124:15 | Phi | Node steps to itself | -| range_analysis.c:124:11:124:15 | Start | Node steps to itself | -| range_analysis.c:127:6:127:10 | Start | Node steps to itself | -| range_analysis.c:127:15:127:20 | Length | Node steps to itself | -| range_analysis.c:137:20:137:20 | x | Node steps to itself | -| range_analysis.c:138:11:138:11 | i | Node steps to itself | -| range_analysis.c:139:23:139:23 | i | Node steps to itself | -| range_analysis.c:139:32:139:32 | x | Node steps to itself | -| range_analysis.c:139:36:139:36 | y | Node steps to itself | -| range_analysis.c:150:10:150:11 | x0 | Node steps to itself | -| range_analysis.c:150:15:150:16 | x1 | Node steps to itself | -| range_analysis.c:150:20:150:21 | x2 | Node steps to itself | -| range_analysis.c:150:25:150:26 | x3 | Node steps to itself | -| range_analysis.c:154:10:154:40 | ... ? ... : ... 
| Node steps to itself | -| range_analysis.c:154:11:154:11 | x | Node steps to itself | -| range_analysis.c:154:35:154:35 | x | Node steps to itself | -| range_analysis.c:161:12:161:12 | a | Node steps to itself | -| range_analysis.c:161:17:161:17 | a | Node steps to itself | -| range_analysis.c:163:14:163:14 | a | Node steps to itself | -| range_analysis.c:164:5:164:9 | total | Node steps to itself | -| range_analysis.c:164:14:164:14 | b | Node steps to itself | -| range_analysis.c:164:16:164:16 | c | Node steps to itself | -| range_analysis.c:166:12:166:12 | a | Node steps to itself | -| range_analysis.c:166:17:166:17 | a | Node steps to itself | -| range_analysis.c:168:14:168:14 | a | Node steps to itself | -| range_analysis.c:169:5:169:9 | total | Node steps to itself | -| range_analysis.c:169:14:169:14 | b | Node steps to itself | -| range_analysis.c:169:16:169:16 | c | Node steps to itself | -| range_analysis.c:171:13:171:13 | a | Node steps to itself | -| range_analysis.c:171:18:171:18 | a | Node steps to itself | -| range_analysis.c:173:14:173:14 | a | Node steps to itself | -| range_analysis.c:174:5:174:9 | total | Node steps to itself | -| range_analysis.c:174:14:174:14 | b | Node steps to itself | -| range_analysis.c:174:16:174:16 | c | Node steps to itself | -| range_analysis.c:176:13:176:13 | a | Node steps to itself | -| range_analysis.c:176:18:176:18 | a | Node steps to itself | -| range_analysis.c:178:14:178:14 | a | Node steps to itself | -| range_analysis.c:179:5:179:9 | total | Node steps to itself | -| range_analysis.c:179:14:179:14 | b | Node steps to itself | -| range_analysis.c:179:16:179:16 | c | Node steps to itself | -| range_analysis.c:181:13:181:13 | a | Node steps to itself | -| range_analysis.c:181:18:181:18 | a | Node steps to itself | -| range_analysis.c:183:14:183:14 | a | Node steps to itself | -| range_analysis.c:184:5:184:9 | total | Node steps to itself | -| range_analysis.c:184:14:184:14 | b | Node steps to itself | -| 
range_analysis.c:184:16:184:16 | c | Node steps to itself | -| range_analysis.c:186:13:186:13 | a | Node steps to itself | -| range_analysis.c:186:18:186:18 | a | Node steps to itself | -| range_analysis.c:188:14:188:14 | a | Node steps to itself | -| range_analysis.c:189:5:189:9 | total | Node steps to itself | -| range_analysis.c:189:14:189:14 | b | Node steps to itself | -| range_analysis.c:189:16:189:16 | c | Node steps to itself | -| range_analysis.c:192:10:192:14 | total | Node steps to itself | -| range_analysis.c:200:12:200:12 | a | Node steps to itself | -| range_analysis.c:200:17:200:17 | a | Node steps to itself | -| range_analysis.c:200:33:200:33 | b | Node steps to itself | -| range_analysis.c:200:38:200:38 | b | Node steps to itself | -| range_analysis.c:201:13:201:13 | a | Node steps to itself | -| range_analysis.c:201:15:201:15 | b | Node steps to itself | -| range_analysis.c:202:5:202:9 | total | Node steps to itself | -| range_analysis.c:202:14:202:14 | r | Node steps to itself | -| range_analysis.c:204:12:204:12 | a | Node steps to itself | -| range_analysis.c:204:17:204:17 | a | Node steps to itself | -| range_analysis.c:204:33:204:33 | b | Node steps to itself | -| range_analysis.c:204:38:204:38 | b | Node steps to itself | -| range_analysis.c:205:13:205:13 | a | Node steps to itself | -| range_analysis.c:205:15:205:15 | b | Node steps to itself | -| range_analysis.c:206:5:206:9 | total | Node steps to itself | -| range_analysis.c:206:14:206:14 | r | Node steps to itself | -| range_analysis.c:208:12:208:12 | a | Node steps to itself | -| range_analysis.c:208:17:208:17 | a | Node steps to itself | -| range_analysis.c:208:35:208:35 | b | Node steps to itself | -| range_analysis.c:208:40:208:40 | b | Node steps to itself | -| range_analysis.c:209:13:209:13 | a | Node steps to itself | -| range_analysis.c:209:15:209:15 | b | Node steps to itself | -| range_analysis.c:210:5:210:9 | total | Node steps to itself | -| range_analysis.c:210:14:210:14 | r 
| Node steps to itself | -| range_analysis.c:212:12:212:12 | a | Node steps to itself | -| range_analysis.c:212:17:212:17 | a | Node steps to itself | -| range_analysis.c:212:35:212:35 | b | Node steps to itself | -| range_analysis.c:212:40:212:40 | b | Node steps to itself | -| range_analysis.c:213:13:213:13 | a | Node steps to itself | -| range_analysis.c:213:15:213:15 | b | Node steps to itself | -| range_analysis.c:214:5:214:9 | total | Node steps to itself | -| range_analysis.c:214:14:214:14 | r | Node steps to itself | -| range_analysis.c:216:12:216:12 | a | Node steps to itself | -| range_analysis.c:216:17:216:17 | a | Node steps to itself | -| range_analysis.c:216:35:216:35 | b | Node steps to itself | -| range_analysis.c:216:40:216:40 | b | Node steps to itself | -| range_analysis.c:217:13:217:13 | a | Node steps to itself | -| range_analysis.c:217:15:217:15 | b | Node steps to itself | -| range_analysis.c:218:5:218:9 | total | Node steps to itself | -| range_analysis.c:218:14:218:14 | r | Node steps to itself | -| range_analysis.c:221:10:221:14 | total | Node steps to itself | -| range_analysis.c:228:12:228:12 | a | Node steps to itself | -| range_analysis.c:228:17:228:17 | a | Node steps to itself | -| range_analysis.c:228:33:228:33 | b | Node steps to itself | -| range_analysis.c:228:38:228:38 | b | Node steps to itself | -| range_analysis.c:229:13:229:13 | a | Node steps to itself | -| range_analysis.c:229:15:229:15 | b | Node steps to itself | -| range_analysis.c:230:5:230:9 | total | Node steps to itself | -| range_analysis.c:230:14:230:14 | r | Node steps to itself | -| range_analysis.c:232:12:232:12 | a | Node steps to itself | -| range_analysis.c:232:17:232:17 | a | Node steps to itself | -| range_analysis.c:232:33:232:33 | b | Node steps to itself | -| range_analysis.c:232:38:232:38 | b | Node steps to itself | -| range_analysis.c:233:13:233:13 | a | Node steps to itself | -| range_analysis.c:233:15:233:15 | b | Node steps to itself | -| 
range_analysis.c:234:5:234:9 | total | Node steps to itself | -| range_analysis.c:234:14:234:14 | r | Node steps to itself | -| range_analysis.c:236:12:236:12 | a | Node steps to itself | -| range_analysis.c:236:17:236:17 | a | Node steps to itself | -| range_analysis.c:236:35:236:35 | b | Node steps to itself | -| range_analysis.c:236:40:236:40 | b | Node steps to itself | -| range_analysis.c:237:13:237:13 | a | Node steps to itself | -| range_analysis.c:237:15:237:15 | b | Node steps to itself | -| range_analysis.c:238:5:238:9 | total | Node steps to itself | -| range_analysis.c:238:14:238:14 | r | Node steps to itself | -| range_analysis.c:240:12:240:12 | a | Node steps to itself | -| range_analysis.c:240:17:240:17 | a | Node steps to itself | -| range_analysis.c:240:35:240:35 | b | Node steps to itself | -| range_analysis.c:240:40:240:40 | b | Node steps to itself | -| range_analysis.c:241:13:241:13 | a | Node steps to itself | -| range_analysis.c:241:15:241:15 | b | Node steps to itself | -| range_analysis.c:242:5:242:9 | total | Node steps to itself | -| range_analysis.c:242:14:242:14 | r | Node steps to itself | -| range_analysis.c:244:12:244:12 | a | Node steps to itself | -| range_analysis.c:244:17:244:17 | a | Node steps to itself | -| range_analysis.c:244:35:244:35 | b | Node steps to itself | -| range_analysis.c:244:40:244:40 | b | Node steps to itself | -| range_analysis.c:245:13:245:13 | a | Node steps to itself | -| range_analysis.c:245:15:245:15 | b | Node steps to itself | -| range_analysis.c:246:5:246:9 | total | Node steps to itself | -| range_analysis.c:246:14:246:14 | r | Node steps to itself | -| range_analysis.c:249:10:249:14 | total | Node steps to itself | -| range_analysis.c:256:14:256:14 | a | Node steps to itself | -| range_analysis.c:256:19:256:19 | a | Node steps to itself | -| range_analysis.c:256:35:256:35 | b | Node steps to itself | -| range_analysis.c:256:40:256:40 | b | Node steps to itself | -| range_analysis.c:257:13:257:13 | a 
| Node steps to itself | -| range_analysis.c:257:15:257:15 | b | Node steps to itself | -| range_analysis.c:258:5:258:9 | total | Node steps to itself | -| range_analysis.c:258:14:258:14 | r | Node steps to itself | -| range_analysis.c:260:14:260:14 | a | Node steps to itself | -| range_analysis.c:260:19:260:19 | a | Node steps to itself | -| range_analysis.c:260:35:260:35 | b | Node steps to itself | -| range_analysis.c:260:40:260:40 | b | Node steps to itself | -| range_analysis.c:261:13:261:13 | a | Node steps to itself | -| range_analysis.c:261:15:261:15 | b | Node steps to itself | -| range_analysis.c:262:5:262:9 | total | Node steps to itself | -| range_analysis.c:262:14:262:14 | r | Node steps to itself | -| range_analysis.c:264:14:264:14 | a | Node steps to itself | -| range_analysis.c:264:19:264:19 | a | Node steps to itself | -| range_analysis.c:264:37:264:37 | b | Node steps to itself | -| range_analysis.c:264:42:264:42 | b | Node steps to itself | -| range_analysis.c:265:13:265:13 | a | Node steps to itself | -| range_analysis.c:265:15:265:15 | b | Node steps to itself | -| range_analysis.c:266:5:266:9 | total | Node steps to itself | -| range_analysis.c:266:14:266:14 | r | Node steps to itself | -| range_analysis.c:268:14:268:14 | a | Node steps to itself | -| range_analysis.c:268:19:268:19 | a | Node steps to itself | -| range_analysis.c:268:37:268:37 | b | Node steps to itself | -| range_analysis.c:268:42:268:42 | b | Node steps to itself | -| range_analysis.c:269:13:269:13 | a | Node steps to itself | -| range_analysis.c:269:15:269:15 | b | Node steps to itself | -| range_analysis.c:270:5:270:9 | total | Node steps to itself | -| range_analysis.c:270:14:270:14 | r | Node steps to itself | -| range_analysis.c:272:14:272:14 | a | Node steps to itself | -| range_analysis.c:272:19:272:19 | a | Node steps to itself | -| range_analysis.c:272:37:272:37 | b | Node steps to itself | -| range_analysis.c:272:42:272:42 | b | Node steps to itself | -| 
range_analysis.c:273:13:273:13 | a | Node steps to itself | -| range_analysis.c:273:15:273:15 | b | Node steps to itself | -| range_analysis.c:274:5:274:9 | total | Node steps to itself | -| range_analysis.c:274:14:274:14 | r | Node steps to itself | -| range_analysis.c:277:10:277:14 | total | Node steps to itself | -| range_analysis.c:284:14:284:14 | a | Node steps to itself | -| range_analysis.c:284:19:284:19 | a | Node steps to itself | -| range_analysis.c:284:34:284:34 | b | Node steps to itself | -| range_analysis.c:284:39:284:39 | b | Node steps to itself | -| range_analysis.c:285:13:285:13 | a | Node steps to itself | -| range_analysis.c:285:15:285:15 | b | Node steps to itself | -| range_analysis.c:286:5:286:9 | total | Node steps to itself | -| range_analysis.c:286:14:286:14 | r | Node steps to itself | -| range_analysis.c:288:14:288:14 | a | Node steps to itself | -| range_analysis.c:288:19:288:19 | a | Node steps to itself | -| range_analysis.c:288:34:288:34 | b | Node steps to itself | -| range_analysis.c:288:39:288:39 | b | Node steps to itself | -| range_analysis.c:289:13:289:13 | a | Node steps to itself | -| range_analysis.c:289:15:289:15 | b | Node steps to itself | -| range_analysis.c:290:5:290:9 | total | Node steps to itself | -| range_analysis.c:290:14:290:14 | r | Node steps to itself | -| range_analysis.c:292:14:292:14 | a | Node steps to itself | -| range_analysis.c:292:19:292:19 | a | Node steps to itself | -| range_analysis.c:292:36:292:36 | b | Node steps to itself | -| range_analysis.c:292:41:292:41 | b | Node steps to itself | -| range_analysis.c:293:13:293:13 | a | Node steps to itself | -| range_analysis.c:293:15:293:15 | b | Node steps to itself | -| range_analysis.c:294:5:294:9 | total | Node steps to itself | -| range_analysis.c:294:14:294:14 | r | Node steps to itself | -| range_analysis.c:296:14:296:14 | a | Node steps to itself | -| range_analysis.c:296:19:296:19 | a | Node steps to itself | -| range_analysis.c:296:36:296:36 | b 
| Node steps to itself | -| range_analysis.c:296:41:296:41 | b | Node steps to itself | -| range_analysis.c:297:13:297:13 | a | Node steps to itself | -| range_analysis.c:297:15:297:15 | b | Node steps to itself | -| range_analysis.c:298:5:298:9 | total | Node steps to itself | -| range_analysis.c:298:14:298:14 | r | Node steps to itself | -| range_analysis.c:300:14:300:14 | a | Node steps to itself | -| range_analysis.c:300:19:300:19 | a | Node steps to itself | -| range_analysis.c:300:36:300:36 | b | Node steps to itself | -| range_analysis.c:300:41:300:41 | b | Node steps to itself | -| range_analysis.c:301:13:301:13 | a | Node steps to itself | -| range_analysis.c:301:15:301:15 | b | Node steps to itself | -| range_analysis.c:302:5:302:9 | total | Node steps to itself | -| range_analysis.c:302:14:302:14 | r | Node steps to itself | -| range_analysis.c:305:10:305:14 | total | Node steps to itself | -| range_analysis.c:312:14:312:14 | a | Node steps to itself | -| range_analysis.c:312:19:312:19 | a | Node steps to itself | -| range_analysis.c:312:35:312:35 | b | Node steps to itself | -| range_analysis.c:312:40:312:40 | b | Node steps to itself | -| range_analysis.c:313:13:313:13 | a | Node steps to itself | -| range_analysis.c:313:15:313:15 | b | Node steps to itself | -| range_analysis.c:314:5:314:9 | total | Node steps to itself | -| range_analysis.c:314:14:314:14 | r | Node steps to itself | -| range_analysis.c:316:14:316:14 | a | Node steps to itself | -| range_analysis.c:316:19:316:19 | a | Node steps to itself | -| range_analysis.c:316:35:316:35 | b | Node steps to itself | -| range_analysis.c:316:40:316:40 | b | Node steps to itself | -| range_analysis.c:317:13:317:13 | a | Node steps to itself | -| range_analysis.c:317:15:317:15 | b | Node steps to itself | -| range_analysis.c:318:5:318:9 | total | Node steps to itself | -| range_analysis.c:318:14:318:14 | r | Node steps to itself | -| range_analysis.c:320:14:320:14 | a | Node steps to itself | -| 
range_analysis.c:320:19:320:19 | a | Node steps to itself | -| range_analysis.c:320:37:320:37 | b | Node steps to itself | -| range_analysis.c:320:42:320:42 | b | Node steps to itself | -| range_analysis.c:321:13:321:13 | a | Node steps to itself | -| range_analysis.c:321:15:321:15 | b | Node steps to itself | -| range_analysis.c:322:5:322:9 | total | Node steps to itself | -| range_analysis.c:322:14:322:14 | r | Node steps to itself | -| range_analysis.c:324:14:324:14 | a | Node steps to itself | -| range_analysis.c:324:19:324:19 | a | Node steps to itself | -| range_analysis.c:324:37:324:37 | b | Node steps to itself | -| range_analysis.c:324:42:324:42 | b | Node steps to itself | -| range_analysis.c:325:13:325:13 | a | Node steps to itself | -| range_analysis.c:325:15:325:15 | b | Node steps to itself | -| range_analysis.c:326:5:326:9 | total | Node steps to itself | -| range_analysis.c:326:14:326:14 | r | Node steps to itself | -| range_analysis.c:328:14:328:14 | a | Node steps to itself | -| range_analysis.c:328:19:328:19 | a | Node steps to itself | -| range_analysis.c:328:37:328:37 | b | Node steps to itself | -| range_analysis.c:328:42:328:42 | b | Node steps to itself | -| range_analysis.c:329:13:329:13 | a | Node steps to itself | -| range_analysis.c:329:15:329:15 | b | Node steps to itself | -| range_analysis.c:330:5:330:9 | total | Node steps to itself | -| range_analysis.c:330:14:330:14 | r | Node steps to itself | -| range_analysis.c:333:10:333:14 | total | Node steps to itself | -| range_analysis.c:338:7:338:7 | x | Node steps to itself | -| range_analysis.c:342:10:342:10 | Phi | Node steps to itself | -| range_analysis.c:342:10:342:10 | i | Node steps to itself | -| range_analysis.c:343:5:343:5 | i | Node steps to itself | -| range_analysis.c:345:7:345:7 | i | Node steps to itself | -| range_analysis.c:346:7:346:7 | x | Node steps to itself | -| range_analysis.c:347:9:347:9 | d | Node steps to itself | -| range_analysis.c:347:14:347:14 | x | Node 
steps to itself | -| range_analysis.c:357:8:357:8 | x | Node steps to itself | -| range_analysis.c:357:8:357:23 | ... ? ... : ... | Node steps to itself | -| range_analysis.c:357:18:357:18 | x | Node steps to itself | -| range_analysis.c:358:8:358:8 | x | Node steps to itself | -| range_analysis.c:358:8:358:24 | ... ? ... : ... | Node steps to itself | -| range_analysis.c:358:24:358:24 | x | Node steps to itself | -| range_analysis.c:365:7:365:7 | x | Node steps to itself | -| range_analysis.c:366:10:366:15 | ... ? ... : ... | Node steps to itself | -| range_analysis.c:367:10:367:17 | ... ? ... : ... | Node steps to itself | -| range_analysis.c:368:10:368:21 | ... ? ... : ... | Node steps to itself | -| range_analysis.c:368:11:368:11 | x | Node steps to itself | -| range_analysis.c:369:27:369:27 | x | Node steps to itself | -| range_analysis.c:370:27:370:27 | x | Node steps to itself | -| range_analysis.c:371:28:371:28 | x | Node steps to itself | -| range_analysis.c:373:10:373:11 | y1 | Node steps to itself | -| range_analysis.c:373:15:373:16 | y2 | Node steps to itself | -| range_analysis.c:373:20:373:21 | y3 | Node steps to itself | -| range_analysis.c:373:25:373:26 | y4 | Node steps to itself | -| range_analysis.c:373:30:373:31 | y5 | Node steps to itself | -| range_analysis.c:373:35:373:36 | y6 | Node steps to itself | -| range_analysis.c:373:40:373:41 | y7 | Node steps to itself | -| range_analysis.c:373:45:373:46 | y8 | Node steps to itself | -| range_analysis.c:379:8:379:8 | x | Node steps to itself | -| range_analysis.c:379:8:379:24 | ... ? ... : ... | Node steps to itself | -| range_analysis.c:379:18:379:18 | x | Node steps to itself | -| range_analysis.c:380:8:380:8 | x | Node steps to itself | -| range_analysis.c:380:8:380:25 | ... ? ... : ... | Node steps to itself | -| range_analysis.c:380:25:380:25 | x | Node steps to itself | -| range_analysis.c:384:7:384:7 | x | Node steps to itself | -| range_analysis.c:385:10:385:21 | ... ? ... : ... 
| Node steps to itself | -| range_analysis.c:385:11:385:11 | x | Node steps to itself | -| range_analysis.c:386:10:386:21 | ... ? ... : ... | Node steps to itself | -| range_analysis.c:386:11:386:11 | x | Node steps to itself | -| range_analysis.c:387:27:387:27 | x | Node steps to itself | -| range_analysis.c:389:10:389:11 | y1 | Node steps to itself | -| range_analysis.c:389:15:389:16 | y2 | Node steps to itself | -| range_analysis.c:389:20:389:21 | y3 | Node steps to itself | -| range_analysis.c:389:25:389:26 | y4 | Node steps to itself | -| range_analysis.c:389:30:389:31 | y5 | Node steps to itself | -| range_analysis.c:394:20:394:20 | x | Node steps to itself | -| range_analysis.c:394:20:394:36 | ... ? ... : ... | Node steps to itself | -| range_analysis.c:394:30:394:30 | x | Node steps to itself | -| range_analysis.c:397:11:397:11 | y | Node steps to itself | -| range_analysis.c:398:9:398:9 | y | Node steps to itself | -| range_analysis.c:398:14:398:14 | y | Node steps to itself | -| range_analysis.c:399:10:399:11 | y1 | Node steps to itself | -| range_analysis.c:399:15:399:16 | y2 | Node steps to itself | -| revsubscriptexpr.c:4:7:4:7 | a | Node steps to itself | -| revsubscriptexpr.c:4:11:4:11 | b | Node steps to itself | -| shortforstmt.cpp:34:8:34:8 | Phi | Node steps to itself | -| shortforstmt.cpp:34:8:34:8 | Phi | Node steps to itself | -| shortforstmt.cpp:34:8:34:8 | Phi | Node steps to itself | -| shortforstmt.cpp:34:8:34:8 | x | Node steps to itself | -| shortforstmt.cpp:34:12:34:12 | y | Node steps to itself | -| shortforstmt.cpp:35:9:35:9 | y | Node steps to itself | -| statements.cpp:14:6:14:6 | x | Node steps to itself | -| statements.cpp:23:6:23:6 | x | Node steps to itself | -| statements.cpp:32:29:32:29 | Phi | Node steps to itself | -| statements.cpp:32:29:32:29 | x | Node steps to itself | -| statements.cpp:32:39:32:39 | x | Node steps to itself | -| statements.cpp:45:6:45:6 | x | Node steps to itself | -| statements.cpp:48:22:48:22 | x | 
Node steps to itself | -| statements.cpp:51:8:51:8 | y | Node steps to itself | -| statements.cpp:56:5:56:5 | x | Node steps to itself | -| static_init_templates.cpp:21:2:21:4 | this | Node steps to itself | -| static_init_templates.cpp:21:2:21:4 | this indirection | Node steps to itself | -| static_init_templates.cpp:21:8:21:8 | b | Node steps to itself | -| static_init_templates.cpp:21:12:21:12 | f | Node steps to itself | -| static_init_templates.cpp:22:8:22:8 | c | Node steps to itself | -| static_init_templates.cpp:81:12:81:17 | my_ptr | Node steps to itself | -| static_init_templates.cpp:81:12:81:17 | my_ptr | Node steps to itself | -| static_init_templates.cpp:90:12:90:17 | my_ptr | Node steps to itself | -| static_init_templates.cpp:90:12:90:17 | my_ptr | Node steps to itself | -| static_init_templates.cpp:98:12:98:17 | my_ptr | Node steps to itself | -| static_init_templates.cpp:98:12:98:17 | my_ptr | Node steps to itself | -| static_init_templates.cpp:106:12:106:17 | my_ptr | Node steps to itself | -| static_init_templates.cpp:106:12:106:17 | my_ptr | Node steps to itself | -| static_init_templates.cpp:126:12:126:17 | my_ptr | Node steps to itself | -| static_init_templates.cpp:134:12:134:17 | my_ptr | Node steps to itself | -| staticlocals.cpp:18:10:18:10 | x | Node steps to itself | -| staticmembercallexpr_args.cpp:12:9:12:9 | i | Node steps to itself | -| staticmembercallexpr_args.cpp:12:13:12:13 | j | Node steps to itself | -| staticmembercallexpr_args.cpp:12:16:12:16 | k | Node steps to itself | -| staticmembercallexpr_args.cpp:12:20:12:20 | l | Node steps to itself | -| stream_it.cpp:11:16:11:16 | (__range) indirection | Node steps to itself | -| subscriptexpr.c:4:8:4:8 | a | Node steps to itself | -| subscriptexpr.c:4:12:4:12 | b | Node steps to itself | -| switchbody.c:5:11:5:11 | i | Node steps to itself | -| switchbody.c:5:11:5:24 | ... ? ... : ... 
| Node steps to itself | -| switchbody.c:5:20:5:20 | i | Node steps to itself | -| switchbody.c:5:24:5:24 | i | Node steps to itself | -| switchbody.c:9:12:9:12 | i | Node steps to itself | -| switchbody.c:16:11:16:11 | i | Node steps to itself | -| switchbody.c:16:11:16:24 | ... ? ... : ... | Node steps to itself | -| switchbody.c:16:20:16:20 | i | Node steps to itself | -| switchbody.c:16:24:16:24 | i | Node steps to itself | -| switchbody.c:19:12:19:12 | i | Node steps to itself | -| switchbody.c:28:11:28:11 | i | Node steps to itself | -| switchbody.c:28:11:28:24 | ... ? ... : ... | Node steps to itself | -| switchbody.c:28:20:28:20 | i | Node steps to itself | -| switchbody.c:28:24:28:24 | i | Node steps to itself | -| switchbody.c:33:16:33:16 | i | Node steps to itself | -| switchstmt.c:2:14:2:14 | x | Node steps to itself | -| test.c:3:9:3:9 | i | Node steps to itself | -| test.c:28:16:28:16 | Phi | Node steps to itself | -| test.c:28:16:28:16 | i | Node steps to itself | -| test.c:28:24:28:24 | i | Node steps to itself | -| test.c:36:16:36:16 | Phi | Node steps to itself | -| test.c:36:19:36:19 | i | Node steps to itself | -| test.c:51:11:51:11 | Phi | Node steps to itself | -| test.c:51:11:51:11 | i | Node steps to itself | -| test.c:52:9:52:9 | i | Node steps to itself | -| test.c:73:9:73:9 | Phi | Node steps to itself | -| test.c:73:9:73:9 | i | Node steps to itself | -| test.c:74:14:74:14 | i | Node steps to itself | -| test.c:93:13:93:13 | i | Node steps to itself | -| test.c:93:13:93:21 | ... ? ... : ... | Node steps to itself | -| test.c:108:12:108:12 | i | Node steps to itself | -| test.c:125:12:125:12 | i | Node steps to itself | -| test.c:204:12:204:12 | i | Node steps to itself | -| test.c:204:12:204:20 | ... ? ... : ... 
| Node steps to itself | -| test.c:219:7:219:7 | x | Node steps to itself | -| test.c:219:13:219:13 | y | Node steps to itself | -| test.c:220:12:220:12 | x | Node steps to itself | -| test.c:222:10:222:10 | y | Node steps to itself | -| test.c:226:9:226:9 | x | Node steps to itself | -| test.c:226:14:226:14 | y | Node steps to itself | -| test.c:227:12:227:12 | x | Node steps to itself | -| test.c:229:10:229:10 | y | Node steps to itself | -| test.c:233:7:233:7 | b | Node steps to itself | -| test.c:233:7:233:15 | ... ? ... : ... | Node steps to itself | -| test.c:233:11:233:11 | x | Node steps to itself | -| test.c:233:15:233:15 | y | Node steps to itself | -| try_catch.cpp:20:7:20:12 | select | Node steps to itself | -| unaryopexpr.c:5:6:5:6 | i | Node steps to itself | -| unaryopexpr.c:7:6:7:6 | i | Node steps to itself | -| unaryopexpr.c:8:6:8:6 | i | Node steps to itself | -| unaryopexpr.c:10:5:10:5 | i | Node steps to itself | -| unaryopexpr.c:11:5:11:5 | i | Node steps to itself | -| unaryopexpr.c:12:7:12:7 | i | Node steps to itself | -| unaryopexpr.c:13:7:13:7 | i | Node steps to itself | -| vla.c:5:27:5:30 | argv | Node steps to itself | -| whilestmt.c:10:10:10:13 | Phi | Node steps to itself | -| whilestmt.c:10:10:10:13 | done | Node steps to itself | -| whilestmt.c:41:9:41:9 | Phi | Node steps to itself | -| whilestmt.c:41:9:41:9 | i | Node steps to itself | -| whilestmt.c:42:7:42:7 | i | Node steps to itself | From c46898cb7585feb12150e87b830eff425468f44b Mon Sep 17 00:00:00 2001 
From: Kasper Svendsen Date: Tue, 9 May 2023 13:15:54 +0200 Subject: [PATCH 17/20] C++: Make implicit this receivers explicit --- .../code/cpp/rangeanalysis/RangeAnalysis.qll | 8 +- .../code/cpp/rangeanalysis/RangeUtils.qll | 6 +- .../ConstantBitwiseAndExprRange.qll | 14 +- .../extensions/ConstantShiftExprRange.qll | 56 +++--- .../rangeanalysis/extensions/RangeNode.qll | 21 +- .../extensions/StrlenLiteralRangeExpr.qll | 6 +- .../rangeanalysis/extensions/SubtractSelf.qll | 4 +- cpp/ql/lib/semmle/code/cpp/Compilation.qll | 4 +- cpp/ql/lib/semmle/code/cpp/Field.qll | 7 +- cpp/ql/lib/semmle/code/cpp/Linkage.qll | 4 +- cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll | 12 +- cpp/ql/lib/semmle/code/cpp/NestedFields.qll | 2 +- cpp/ql/lib/semmle/code/cpp/PrintAST.qll | 46 +++-- cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll | 2 +- .../cpp/controlflow/DefinitionsAndUses.qll | 10 +- .../semmle/code/cpp/controlflow/SSAUtils.qll | 51 ++--- .../code/cpp/exprs/ComparisonOperation.qll | 16 +- .../internal/AliasConfiguration.qll | 2 +- .../aliased_ssa/internal/AliasedSSA.qll | 28 +-- .../raw/internal/TranslatedCall.qll | 138 +++++++------ .../raw/internal/TranslatedCondition.qll | 70 +++---- .../internal/TranslatedDeclarationEntry.qll | 42 ++-- .../raw/internal/TranslatedFunction.qll | 190 +++++++++--------- .../cpp/ir/internal/ASTValueNumbering.qll | 12 +- .../semmle/code/cpp/ir/internal/CppType.qll | 6 +- .../models/implementations/Deallocation.qll | 18 +- .../models/implementations/MemberFunction.qll | 4 +- .../cpp/models/implementations/Printf.qll | 60 +++--- .../cpp/models/implementations/Strdup.qll | 8 +- .../cpp/models/implementations/Strftime.qll | 2 +- .../cpp/models/implementations/Strset.qll | 2 +- .../cpp/models/implementations/System.qll | 14 +- .../code/cpp/models/interfaces/Allocation.qll | 8 +- .../cpp/models/interfaces/Deallocation.qll | 2 +- .../models/interfaces/FormattingFunction.qll | 44 ++-- .../new/internal/semantic/SemanticExpr.qll | 20 +- 
.../new/internal/semantic/SemanticSSA.qll | 2 +- .../new/internal/semantic/SemanticType.qll | 4 +- .../new/internal/semantic/analysis/Bound.qll | 2 +- .../semantic/analysis/RangeAnalysisImpl.qll | 2 +- .../semantic/analysis/RangeAnalysisStage.qll | 2 +- .../new/internal/semantic/analysis/Sign.qll | 32 +-- .../code/cpp/security/CommandExecution.qll | 30 +-- .../code/cpp/security/TaintTrackingImpl.qll | 16 +- .../GlobalValueNumberingImpl.qll | 4 +- .../code/cpp/valuenumbering/HashCons.qll | 4 +- cpp/ql/src/Critical/FileMayNotBeClosed.ql | 2 +- cpp/ql/src/Critical/MemoryMayNotBeFreed.ql | 2 +- .../JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql | 16 +- .../Likely Typos/UsingStrcpyAsBoolean.ql | 2 +- .../ImproperNullTermination.ql | 2 +- .../Memory Management/SuspiciousSizeof.ql | 4 +- .../Dependencies/ExternalDependencies.qll | 2 +- .../src/Security/CWE/CWE-020/ExternalAPIs.qll | 2 +- .../Security/CWE/CWE-020/ir/ExternalAPIs.qll | 2 +- cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql | 6 +- .../CWE/CWE-295/SSLResultConflation.ql | 2 +- .../CWE/CWE-295/SSLResultNotChecked.ql | 8 +- .../CWE/CWE-327/BrokenCryptoAlgorithm.ql | 2 +- .../Security/CWE/CWE-078/WordexpTainted.ql | 2 +- .../CWE/CWE-1041/FindWrapperFunctions.ql | 2 +- .../Security/CWE/CWE-675/DoubleRelease.ql | 2 +- cpp/ql/src/external/DefectFilter.qll | 4 +- cpp/ql/test/library-tests/blocks/cpp/exprs.ql | 2 +- .../library-tests/dataflow/fields/Nodes.qll | 4 +- .../identity_string/identity_string.ql | 40 ++-- .../locations/constants/locations.ql | 2 +- cpp/ql/test/library-tests/loops/loops.ql | 2 +- 68 files changed, 589 insertions(+), 560 deletions(-) diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll index ee0c70c3754..e5de44b396d 100644 --- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll +++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll 
@@ -238,7 +238,7 @@ class NoReason extends Reason, TNoReason { class CondReason extends Reason, TCondReason { IRGuardCondition getCond() { this = TCondReason(result) } - override string toString() { result = getCond().toString() } + override string toString() { result = this.getCond().toString() } } /** @@ -260,14 +260,14 @@ private predicate typeBound(IRIntegerType typ, int lowerbound, int upperbound) { private class NarrowingCastInstruction extends ConvertInstruction { NarrowingCastInstruction() { not this instanceof SafeCastInstruction and - typeBound(getResultIRType(), _, _) + typeBound(this.getResultIRType(), _, _) } /** Gets the lower bound of the resulting type. */ - int getLowerBound() { typeBound(getResultIRType(), result, _) } + int getLowerBound() { typeBound(this.getResultIRType(), result, _) } /** Gets the upper bound of the resulting type. */ - int getUpperBound() { typeBound(getResultIRType(), _, result) } + int getUpperBound() { typeBound(this.getResultIRType(), _, result) } } /** diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeUtils.qll b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeUtils.qll index bffd08fbe52..6cc7a024f88 100644 --- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeUtils.qll +++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeUtils.qll @@ -109,8 +109,8 @@ private predicate safeCast(IRIntegerType fromtyp, IRIntegerType totyp) { */ class PtrToPtrCastInstruction extends ConvertInstruction { PtrToPtrCastInstruction() { - getResultIRType() instanceof IRAddressType and - getUnary().getResultIRType() instanceof IRAddressType + this.getResultIRType() instanceof IRAddressType and + this.getUnary().getResultIRType() instanceof IRAddressType } } 
@@ -119,7 +119,7 @@ class PtrToPtrCastInstruction extends ConvertInstruction { * that cannot overflow or underflow. */ class SafeIntCastInstruction extends ConvertInstruction { - SafeIntCastInstruction() { safeCast(getUnary().getResultIRType(), getResultIRType()) } + SafeIntCastInstruction() { safeCast(this.getUnary().getResultIRType(), this.getResultIRType()) } } /** diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantBitwiseAndExprRange.qll b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantBitwiseAndExprRange.qll index 33776bd8105..20e3f6abb17 100644 --- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantBitwiseAndExprRange.qll +++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantBitwiseAndExprRange.qll @@ -50,8 +50,8 @@ private class ConstantBitwiseAndExprRange extends SimpleRangeAnalysisExpr { // If an operand can have negative values, the lower bound is unconstrained. // Otherwise, the lower bound is zero. exists(float lLower, float rLower | - lLower = getFullyConvertedLowerBounds(getLeftOperand()) and - rLower = getFullyConvertedLowerBounds(getRightOperand()) and + lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and + rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and ( (lLower < 0 or rLower < 0) and result = exprMinVal(this) 
@@ -68,10 +68,10 @@ private class ConstantBitwiseAndExprRange extends SimpleRangeAnalysisExpr { // If an operand can have negative values, the upper bound is unconstrained. // Otherwise, the upper bound is the minimum of the upper bounds of the operands exists(float lLower, float lUpper, float rLower, float rUpper | - lLower = getFullyConvertedLowerBounds(getLeftOperand()) and - lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and - rLower = getFullyConvertedLowerBounds(getRightOperand()) and - rUpper = getFullyConvertedUpperBounds(getRightOperand()) and + lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and + lUpper = getFullyConvertedUpperBounds(this.getLeftOperand()) and + rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and + rUpper = getFullyConvertedUpperBounds(this.getRightOperand()) and ( (lLower < 0 or rLower < 0) and result = exprMaxVal(this) @@ -85,6 +85,6 @@ private class ConstantBitwiseAndExprRange extends SimpleRangeAnalysisExpr { } override predicate dependsOnChild(Expr child) { - child = getLeftOperand() or child = getRightOperand() + child = this.getLeftOperand() or child = this.getRightOperand() } } diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantShiftExprRange.qll b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantShiftExprRange.qll index b4189b0f4cc..3f300d7aa8d 100644 --- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantShiftExprRange.qll +++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantShiftExprRange.qll 
@@ -50,7 +50,7 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr { * We don't handle the case where `a` and `b` are both non-constant values. */ ConstantRShiftExprRange() { - getUnspecifiedType() instanceof IntegralType and + this.getUnspecifiedType() instanceof IntegralType and exists(Expr l, Expr r | l = this.(RShiftExpr).getLeftOperand() and r = this.(RShiftExpr).getRightOperand() @@ -84,10 +84,10 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr { override float getLowerBounds() { exists(int lLower, int lUpper, int rLower, int rUpper | - lLower = getFullyConvertedLowerBounds(getLeftOperand()) and - lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and - rLower = getFullyConvertedLowerBounds(getRightOperand()) and - rUpper = getFullyConvertedUpperBounds(getRightOperand()) and + lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and + lUpper = getFullyConvertedUpperBounds(this.getLeftOperand()) and + rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and + rUpper = getFullyConvertedUpperBounds(this.getRightOperand()) and lLower <= lUpper and rLower <= rUpper | @@ -95,8 +95,8 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr { lLower < 0 or not ( - isValidShiftExprShift(rLower, getLeftOperand()) and - isValidShiftExprShift(rUpper, getLeftOperand()) + isValidShiftExprShift(rLower, this.getLeftOperand()) and + isValidShiftExprShift(rUpper, this.getLeftOperand()) ) then // We don't want to deal with shifting negative numbers at the moment, 
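Review bot: In the `-84,10` hunk, `getLowerBounds` binds the results of `getFullyConvertedLowerBounds`/`getFullyConvertedUpperBounds` to `int lLower, int lUpper, int rLower, int rUpper`, whereas `ConstantBitwiseAndExprRange` in this same patch binds those helpers to `float`. QL `int` is 32-bit, so an operand bound outside that range (for instance the upper bound of an unconstrained 64-bit operand) presumably fails to bind, and the predicate then yields no bound at all rather than a conservative one. The same binding appears in the `-111,10`, `-197,10` and `-228,10` hunks. If the shift arithmetic further down needs the `int` binding, I would at least document the limitation above the `exists`, e.g. `// Bounds are bound as int: operands whose bounds do not fit in a QL int produce no result here.` The predicate body continues outside this hunk.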
@@ -111,10 +111,10 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr { override float getUpperBounds() { exists(int lLower, int lUpper, int rLower, int rUpper | - lLower = getFullyConvertedLowerBounds(getLeftOperand()) and - lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and - rLower = getFullyConvertedLowerBounds(getRightOperand()) and - rUpper = getFullyConvertedUpperBounds(getRightOperand()) and + lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and + lUpper = getFullyConvertedUpperBounds(this.getLeftOperand()) and + rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and + rUpper = getFullyConvertedUpperBounds(this.getRightOperand()) and lLower <= lUpper and rLower <= rUpper | @@ -122,8 +122,8 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr { lLower < 0 or not ( - isValidShiftExprShift(rLower, getLeftOperand()) and - isValidShiftExprShift(rUpper, getLeftOperand()) + isValidShiftExprShift(rLower, this.getLeftOperand()) and + isValidShiftExprShift(rUpper, this.getLeftOperand()) ) then // We don't want to deal with shifting negative numbers at the moment, @@ -137,7 +137,7 @@ class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr { } override predicate dependsOnChild(Expr child) { - child = getLeftOperand() or child = getRightOperand() + child = this.getLeftOperand() or child = this.getRightOperand() } } @@ -163,7 +163,7 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr { * We don't handle the case where `a` and `b` are both non-constant values. */ ConstantLShiftExprRange() { - getUnspecifiedType() instanceof IntegralType and + this.getUnspecifiedType() instanceof IntegralType and exists(Expr l, Expr r | l = this.(LShiftExpr).getLeftOperand() and r = this.(LShiftExpr).getRightOperand() 
@@ -197,10 +197,10 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr { override float getLowerBounds() { exists(int lLower, int lUpper, int rLower, int rUpper | - lLower = getFullyConvertedLowerBounds(getLeftOperand()) and - lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and - rLower = getFullyConvertedLowerBounds(getRightOperand()) and - rUpper = getFullyConvertedUpperBounds(getRightOperand()) and + lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and + lUpper = getFullyConvertedUpperBounds(this.getLeftOperand()) and + rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and + rUpper = getFullyConvertedUpperBounds(this.getRightOperand()) and lLower <= lUpper and rLower <= rUpper | @@ -208,8 +208,8 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr { lLower < 0 or not ( - isValidShiftExprShift(rLower, getLeftOperand()) and - isValidShiftExprShift(rUpper, getLeftOperand()) + isValidShiftExprShift(rLower, this.getLeftOperand()) and + isValidShiftExprShift(rUpper, this.getLeftOperand()) ) then // We don't want to deal with shifting negative numbers at the moment, @@ -228,10 +228,10 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr { override float getUpperBounds() { exists(int lLower, int lUpper, int rLower, int rUpper | - lLower = getFullyConvertedLowerBounds(getLeftOperand()) and - lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and - rLower = getFullyConvertedLowerBounds(getRightOperand()) and - rUpper = getFullyConvertedUpperBounds(getRightOperand()) and + lLower = getFullyConvertedLowerBounds(this.getLeftOperand()) and + lUpper = getFullyConvertedUpperBounds(this.getLeftOperand()) and + rLower = getFullyConvertedLowerBounds(this.getRightOperand()) and + rUpper = getFullyConvertedUpperBounds(this.getRightOperand()) and lLower <= lUpper and rLower <= rUpper | 
@@ -239,8 +239,8 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr { lLower < 0 or not ( - isValidShiftExprShift(rLower, getLeftOperand()) and - isValidShiftExprShift(rUpper, getLeftOperand()) + isValidShiftExprShift(rLower, this.getLeftOperand()) and + isValidShiftExprShift(rUpper, this.getLeftOperand()) ) then // We don't want to deal with shifting negative numbers at the moment, @@ -258,6 +258,6 @@ class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr { } override predicate dependsOnChild(Expr child) { - child = getLeftOperand() or child = getRightOperand() + child = this.getLeftOperand() or child = this.getRightOperand() } } diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/RangeNode.qll b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/RangeNode.qll index d24d754a4ac..71a74c6c4fe 100644 --- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/RangeNode.qll +++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/RangeNode.qll 
@@ -83,20 +83,23 @@ private class ExprRangeNode extends DataFlow::ExprNode { private string getCallBounds(Call e) { result = getExprBoundAsString(e) + "(" + - concat(Expr arg, int i | arg = e.getArgument(i) | getIntegralBounds(arg) order by i, ",") + - ")" + concat(Expr arg, int i | + arg = e.getArgument(i) + | + this.getIntegralBounds(arg) order by i, "," + ) + ")" } override string toString() { - exists(Expr e | e = getExpr() | + exists(Expr e | e = this.getExpr() | if hasIntegralOrReferenceIntegralType(e) then - result = super.toString() + ": " + getOperationBounds(e) + result = super.toString() + ": " + this.getOperationBounds(e) or - result = super.toString() + ": " + getCallBounds(e) + result = super.toString() + ": " + this.getCallBounds(e) or - not exists(getOperationBounds(e)) and - not exists(getCallBounds(e)) and + not exists(this.getOperationBounds(e)) and + not exists(this.getCallBounds(e)) and result = super.toString() + ": " + getExprBoundAsString(e) else result = super.toString() ) @@ -108,8 +111,8 @@ private class ExprRangeNode extends DataFlow::ExprNode { */ private class ReferenceArgumentRangeNode extends DataFlow::DefinitionByReferenceNode { override string toString() { - if hasIntegralOrReferenceIntegralType(asDefiningArgument()) - then result = super.toString() + ": " + getExprBoundAsString(getArgument()) + if hasIntegralOrReferenceIntegralType(this.asDefiningArgument()) + then result = super.toString() + ": " + getExprBoundAsString(this.getArgument()) else result = super.toString() } } diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/StrlenLiteralRangeExpr.qll b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/StrlenLiteralRangeExpr.qll index 39326e89a51..f301263d0e3 100644 --- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/StrlenLiteralRangeExpr.qll +++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/StrlenLiteralRangeExpr.qll 
@@ -7,12 +7,12 @@ private import experimental.semmle.code.cpp.models.interfaces.SimpleRangeAnalysi */ class StrlenLiteralRangeExpr extends SimpleRangeAnalysisExpr, FunctionCall { StrlenLiteralRangeExpr() { - getTarget().hasGlobalOrStdName("strlen") and getArgument(0).isConstant() + this.getTarget().hasGlobalOrStdName("strlen") and this.getArgument(0).isConstant() } - override int getLowerBounds() { result = getArgument(0).getValue().length() } + override int getLowerBounds() { result = this.getArgument(0).getValue().length() } - override int getUpperBounds() { result = getArgument(0).getValue().length() } + override int getUpperBounds() { result = this.getArgument(0).getValue().length() } override predicate dependsOnChild(Expr e) { none() } } diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/SubtractSelf.qll b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/SubtractSelf.qll index ff716d02d6f..32b4d2a4fba 100644 --- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/SubtractSelf.qll +++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/SubtractSelf.qll @@ -3,8 +3,8 @@ import experimental.semmle.code.cpp.models.interfaces.SimpleRangeAnalysisExpr private class SelfSub extends SimpleRangeAnalysisExpr, SubExpr { SelfSub() { // Match `x - x` but not `myInt - (unsigned char)myInt`. - getLeftOperand().getExplicitlyConverted().(VariableAccess).getTarget() = - getRightOperand().getExplicitlyConverted().(VariableAccess).getTarget() + this.getLeftOperand().getExplicitlyConverted().(VariableAccess).getTarget() = + this.getRightOperand().getExplicitlyConverted().(VariableAccess).getTarget() } override float getLowerBounds() { result = 0 } diff --git a/cpp/ql/lib/semmle/code/cpp/Compilation.qll b/cpp/ql/lib/semmle/code/cpp/Compilation.qll index 812c417dbdd..1a8d90f991c 100644 --- a/cpp/ql/lib/semmle/code/cpp/Compilation.qll +++ b/cpp/ql/lib/semmle/code/cpp/Compilation.qll 
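Review bot: `getLowerBounds` and `getUpperBounds` both return `this.getArgument(0).getValue().length()`, which matches the runtime `strlen` result only when the constant has no embedded NUL. For a literal such as `"ab\0cd"` the call returns 2, so if `getValue()` keeps the characters after the terminator, the reported range would be exact but too large. The characteristic predicate also checks only `isConstant()`, not that the argument is a string literal. I would state the assumption on the class, e.g. `// Assumes the constant string has no embedded NUL; strlen stops at the first one.`, or cap the result at the index of the first NUL. The class doc comment starts outside this hunk.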
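Review bot: The characteristic predicate of `SelfSub` accepts any two `VariableAccess` operands with the same target, and the class then pins the lower bound to 0 (the remaining overrides are outside the hunk). Nothing visible here excludes a `volatile` variable, whose two reads need not agree, or a floating-point operand, where `x - x` is NaN when `x` is infinite. Unless the base class already restricts this, I would record the assumption next to the existing comment, e.g. `// Assumes a non-volatile integral variable; two volatile reads may differ.`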
@@ -42,7 +42,7 @@ class Compilation extends @compilation { } /** Gets a file compiled during this invocation. */ - File getAFileCompiled() { result = getFileCompiled(_) } + File getAFileCompiled() { result = this.getFileCompiled(_) } /** Gets the `i`th file compiled during this invocation */ File getFileCompiled(int i) { compilation_compiling_files(this, i, unresolveElement(result)) } @@ -74,7 +74,7 @@ class Compilation extends @compilation { /** * Gets an argument passed to the extractor on this invocation. */ - string getAnArgument() { result = getArgument(_) } + string getAnArgument() { result = this.getArgument(_) } /** * Gets the `i`th argument passed to the extractor on this invocation. diff --git a/cpp/ql/lib/semmle/code/cpp/Field.qll b/cpp/ql/lib/semmle/code/cpp/Field.qll index 95e55568c4b..2e1f20e8d30 100644 --- a/cpp/ql/lib/semmle/code/cpp/Field.qll +++ b/cpp/ql/lib/semmle/code/cpp/Field.qll @@ -39,7 +39,8 @@ class Field extends MemberVariable { * complete most-derived object. */ int getAByteOffsetIn(Class mostDerivedClass) { - result = mostDerivedClass.getABaseClassByteOffset(getDeclaringType()) + getByteOffset() + result = + mostDerivedClass.getABaseClassByteOffset(this.getDeclaringType()) + this.getByteOffset() } /** @@ -116,10 +117,10 @@ class BitField extends Field { int getBitOffset() { fieldoffsets(underlyingElement(this), _, result) } /** Holds if this bitfield is anonymous. */ - predicate isAnonymous() { hasName("(unnamed bitfield)") } + predicate isAnonymous() { this.hasName("(unnamed bitfield)") } override predicate isInitializable() { // Anonymous bitfields are not initializable. - not isAnonymous() + not this.isAnonymous() } } diff --git a/cpp/ql/lib/semmle/code/cpp/Linkage.qll b/cpp/ql/lib/semmle/code/cpp/Linkage.qll index e604ce06dee..da192e57dee 100644 --- a/cpp/ql/lib/semmle/code/cpp/Linkage.qll +++ b/cpp/ql/lib/semmle/code/cpp/Linkage.qll 
@@ -24,10 +24,10 @@ class LinkTarget extends @link_target { * captured as part of the snapshot, then everything is grouped together * into a single dummy link target. */ - predicate isDummy() { getBinary().getAbsolutePath() = "" } + predicate isDummy() { this.getBinary().getAbsolutePath() = "" } /** Gets a textual representation of this element. */ - string toString() { result = getBinary().getAbsolutePath() } + string toString() { result = this.getBinary().getAbsolutePath() } /** * Gets a function which was compiled into this link target, or had its diff --git a/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll b/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll index a5894e21071..df52735f653 100644 --- a/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll +++ b/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll @@ -24,7 +24,7 @@ class NameQualifier extends NameQualifiableElement, @namequalifier { * Gets the expression ultimately qualified by the chain of name * qualifiers. For example, `f()` in `N1::N2::f()`. */ - Expr getExpr() { result = getQualifiedElement+() } + Expr getExpr() { result = this.getQualifiedElement+() } /** Gets a location for this name qualifier. */ override Location getLocation() { namequalifiers(underlyingElement(this), _, _, result) } @@ -56,12 +56,12 @@ class NameQualifier extends NameQualifiableElement, @namequalifier { if nqe instanceof SpecialNameQualifyingElement then exists(Access a | - a = getQualifiedElement() and + a = this.getQualifiedElement() and result = a.getTarget().getDeclaringType() ) or exists(FunctionCall c | - c = getQualifiedElement() and + c = this.getQualifiedElement() and result = c.getTarget().getDeclaringType() ) else result = nqe @@ -109,7 +109,7 @@ class NameQualifiableElement extends Element, @namequalifiableelement { * namespace. */ predicate hasGlobalQualifiedName() { - getNameQualifier*().getQualifyingElement() instanceof GlobalNamespace + this.getNameQualifier*().getQualifyingElement() instanceof GlobalNamespace } /** 
@@ -119,7 +119,7 @@ class NameQualifiableElement extends Element, @namequalifiableelement { */ predicate hasSuperQualifiedName() { exists(NameQualifier nq, SpecialNameQualifyingElement snqe | - nq = getNameQualifier*() and + nq = this.getNameQualifier*() and namequalifiers(unresolveElement(nq), _, unresolveElement(snqe), _) and snqe.getName() = "__super" ) @@ -164,5 +164,5 @@ library class SpecialNameQualifyingElement extends NameQualifyingElement, /** Gets the name of this special qualifying element. */ override string getName() { specialnamequalifyingelements(underlyingElement(this), result) } - override string toString() { result = getName() } + override string toString() { result = this.getName() } } diff --git a/cpp/ql/lib/semmle/code/cpp/NestedFields.qll b/cpp/ql/lib/semmle/code/cpp/NestedFields.qll index ce67719a7e2..798c17e8cd0 100644 --- a/cpp/ql/lib/semmle/code/cpp/NestedFields.qll +++ b/cpp/ql/lib/semmle/code/cpp/NestedFields.qll @@ -37,7 +37,7 @@ class NestedFieldAccess extends FieldAccess { NestedFieldAccess() { ultimateQualifier = getUltimateQualifier(this) and - getTarget() = getANestedField(ultimateQualifier.getType().stripType()) + this.getTarget() = getANestedField(ultimateQualifier.getType().stripType()) } /** diff --git a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll index 1b04f5e7a7b..b4d89eb8c1d 100644 --- a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll +++ b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll 
@@ -130,7 +130,7 @@ class PrintAstNode extends TPrintAstNode { // The exact value of `childIndex` doesn't matter, as long as we preserve the correct order. result = rank[childIndex](PrintAstNode child, int nonConvertedIndex, boolean isConverted | - childAndAccessorPredicate(child, _, nonConvertedIndex, isConverted) + this.childAndAccessorPredicate(child, _, nonConvertedIndex, isConverted) | // Unconverted children come first, then sort by original child index within each group. child order by isConverted, nonConvertedIndex @@ -143,7 +143,7 @@ class PrintAstNode extends TPrintAstNode { */ private PrintAstNode getConvertedChild(int childIndex) { exists(Expr expr | - expr = getChildInternal(childIndex).(AstNode).getAst() and + expr = this.getChildInternal(childIndex).(AstNode).getAst() and expr.getFullyConverted() instanceof Conversion and result.(AstNode).getAst() = expr.getFullyConverted() and not expr instanceof Conversion @@ -155,8 +155,8 @@ class PrintAstNode extends TPrintAstNode { * at index `childIndex`, if that node has any conversions. */ private string getConvertedChildAccessorPredicate(int childIndex) { - exists(getConvertedChild(childIndex)) and - result = getChildAccessorPredicateInternal(childIndex) + ".getFullyConverted()" + exists(this.getConvertedChild(childIndex)) and + result = this.getChildAccessorPredicateInternal(childIndex) + ".getFullyConverted()" } /** @@ -164,12 +164,12 @@ class PrintAstNode extends TPrintAstNode { * within a function are printed, but the query can override * `PrintASTConfiguration.shouldPrintFunction` to filter the output. */ - final predicate shouldPrint() { shouldPrintFunction(getEnclosingFunction()) } + final predicate shouldPrint() { shouldPrintFunction(this.getEnclosingFunction()) } /** * Gets the children of this node. */ - final PrintAstNode getAChild() { result = getChild(_) } + final PrintAstNode getAChild() { result = this.getChild(_) } /** * Gets the parent of this node, if any. 
@@ -187,7 +187,7 @@ class PrintAstNode extends TPrintAstNode { */ string getProperty(string key) { key = "semmle.label" and - result = toString() + result = this.toString() } /** @@ -201,12 +201,12 @@ class PrintAstNode extends TPrintAstNode { private predicate childAndAccessorPredicate( PrintAstNode child, string childPredicate, int nonConvertedIndex, boolean isConverted ) { - child = getChildInternal(nonConvertedIndex) and - childPredicate = getChildAccessorPredicateInternal(nonConvertedIndex) and + child = this.getChildInternal(nonConvertedIndex) and + childPredicate = this.getChildAccessorPredicateInternal(nonConvertedIndex) and isConverted = false or - child = getConvertedChild(nonConvertedIndex) and - childPredicate = getConvertedChildAccessorPredicate(nonConvertedIndex) and + child = this.getConvertedChild(nonConvertedIndex) and + childPredicate = this.getConvertedChildAccessorPredicate(nonConvertedIndex) and isConverted = true } @@ -218,7 +218,7 @@ class PrintAstNode extends TPrintAstNode { // The exact value of `childIndex` doesn't matter, as long as we preserve the correct order. result = rank[childIndex](string childPredicate, int nonConvertedIndex, boolean isConverted | - childAndAccessorPredicate(_, childPredicate, nonConvertedIndex, isConverted) + this.childAndAccessorPredicate(_, childPredicate, nonConvertedIndex, isConverted) | // Unconverted children come first, then sort by original child index within each group. childPredicate order by isConverted, nonConvertedIndex @@ -234,7 +234,9 @@ class PrintAstNode extends TPrintAstNode { /** * Gets the `Function` that contains this node. */ - private Function getEnclosingFunction() { result = getParent*().(FunctionNode).getFunction() } + private Function getEnclosingFunction() { + result = this.getParent*().(FunctionNode).getFunction() + } } /** DEPRECATED: Alias for PrintAstNode */ 
@@ -253,7 +255,7 @@ private class PrintableElement extends Element { } pragma[noinline] - string getAPrimaryQlClass0() { result = getAPrimaryQlClass() } + string getAPrimaryQlClass0() { result = this.getAPrimaryQlClass() } } /** @@ -281,7 +283,7 @@ abstract class BaseAstNode extends PrintAstNode { final Locatable getAst() { result = ast } /** DEPRECATED: Alias for getAst */ - deprecated Locatable getAST() { result = getAst() } + deprecated Locatable getAST() { result = this.getAst() } } /** DEPRECATED: Alias for BaseAstNode */ @@ -311,7 +313,7 @@ class ExprNode extends AstNode { result = super.getProperty(key) or key = "Value" and - result = qlClass(expr) + getValue() + result = qlClass(expr) + this.getValue() or key = "Type" and result = qlClass(expr.getType()) + expr.getType().toString() @@ -321,7 +323,7 @@ class ExprNode extends AstNode { } override string getChildAccessorPredicateInternal(int childIndex) { - result = getChildAccessorWithoutConversions(ast, getChildInternal(childIndex).getAst()) + result = getChildAccessorWithoutConversions(ast, this.getChildInternal(childIndex).getAst()) } /** @@ -441,7 +443,7 @@ class StmtNode extends AstNode { } override string getChildAccessorPredicateInternal(int childIndex) { - result = getChildAccessorWithoutConversions(ast, getChildInternal(childIndex).getAst()) + result = getChildAccessorWithoutConversions(ast, this.getChildInternal(childIndex).getAst()) } } @@ -517,7 +519,7 @@ class ParametersNode extends PrintAstNode, TParametersNode { } override string getChildAccessorPredicateInternal(int childIndex) { - exists(getChildInternal(childIndex)) and + exists(this.getChildInternal(childIndex)) and result = "getParameter(" + childIndex.toString() + ")" } 
@@ -544,7 +546,7 @@ class ConstructorInitializersNode extends PrintAstNode, TConstructorInitializers } final override string getChildAccessorPredicateInternal(int childIndex) { - exists(getChildInternal(childIndex)) and + exists(this.getChildInternal(childIndex)) and result = "getInitializer(" + childIndex.toString() + ")" } @@ -571,7 +573,7 @@ class DestructorDestructionsNode extends PrintAstNode, TDestructorDestructionsNo } final override string getChildAccessorPredicateInternal(int childIndex) { - exists(getChildInternal(childIndex)) and + exists(this.getChildInternal(childIndex)) and result = "getDestruction(" + childIndex.toString() + ")" } @@ -628,7 +630,7 @@ class FunctionNode extends AstNode { override string getProperty(string key) { result = super.getProperty(key) or - key = "semmle.order" and result = getOrder().toString() + key = "semmle.order" and result = this.getOrder().toString() } /** diff --git a/cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll b/cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll index c9cd0b2ebdd..472de0c34b1 100644 --- a/cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll +++ b/cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll @@ -8,7 +8,7 @@ import cpp */ deprecated class StrcatFunction extends Function { StrcatFunction() { - getName() = + this.getName() = [ "strcat", // strcat(dst, src) "strncat", // strncat(dst, src, max_amount) diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/DefinitionsAndUses.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/DefinitionsAndUses.qll index dcabba51ce2..6a18f6cc149 100644 --- a/cpp/ql/lib/semmle/code/cpp/controlflow/DefinitionsAndUses.qll +++ b/cpp/ql/lib/semmle/code/cpp/controlflow/DefinitionsAndUses.qll @@ -98,7 +98,7 @@ library class DefOrUse extends ControlFlowNodeBase { pragma[noinline] private predicate reaches_helper(boolean isDef, SemanticStackVariable v, BasicBlock bb, int i) { - getVariable(isDef) = v and + this.getVariable(isDef) = v and bb.getNode(i) = this } 
@@ -118,21 +118,21 @@ library class DefOrUse extends ControlFlowNodeBase { * predicates are duplicated for now. */ - exists(BasicBlock bb, int i | reaches_helper(isDef, v, bb, i) | + exists(BasicBlock bb, int i | this.reaches_helper(isDef, v, bb, i) | exists(int j | j > i and (bbDefAt(bb, j, v, defOrUse) or bbUseAt(bb, j, v, defOrUse)) and - not exists(int k | firstBarrierAfterThis(isDef, k, v) and k < j) + not exists(int k | this.firstBarrierAfterThis(isDef, k, v) and k < j) ) or - not firstBarrierAfterThis(isDef, _, v) and + not this.firstBarrierAfterThis(isDef, _, v) and bbSuccessorEntryReachesDefOrUse(bb, v, defOrUse, _) ) } private predicate firstBarrierAfterThis(boolean isDef, int j, SemanticStackVariable v) { exists(BasicBlock bb, int i | - getVariable(isDef) = v and + this.getVariable(isDef) = v and bb.getNode(i) = this and j = min(int k | bbBarrierAt(bb, k, v, _) and k > i) ) diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll index 2252864c249..45ef36f339d 100644 --- a/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll +++ b/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll @@ -130,7 +130,7 @@ library class SsaHelper extends int { * Remove any custom phi nodes that are invalid. */ private predicate sanitized_custom_phi_node(StackVariable v, BasicBlock b) { - custom_phi_node(v, b) and + this.custom_phi_node(v, b) and not addressTakenVariable(v) and not isReferenceVar(v) and b.isReachable() @@ -142,7 +142,7 @@ library class SsaHelper extends int { */ cached predicate phi_node(StackVariable v, BasicBlock b) { - frontier_phi_node(v, b) or sanitized_custom_phi_node(v, b) + this.frontier_phi_node(v, b) or this.sanitized_custom_phi_node(v, b) } /** 
@@ -154,14 +154,15 @@ library class SsaHelper extends int { */ private predicate frontier_phi_node(StackVariable v, BasicBlock b) { exists(BasicBlock x | - dominanceFrontier(x, b) and ssa_defn_rec(pragma[only_bind_into](v), pragma[only_bind_into](x)) + dominanceFrontier(x, b) and + this.ssa_defn_rec(pragma[only_bind_into](v), pragma[only_bind_into](x)) ) and /* We can also eliminate those nodes where the variable is not live on any incoming edge */ live_at_start_of_bb(pragma[only_bind_into](v), b) } private predicate ssa_defn_rec(StackVariable v, BasicBlock b) { - phi_node(v, b) + this.phi_node(v, b) or variableUpdate(v, _, b, _) } @@ -172,7 +173,7 @@ library class SsaHelper extends int { */ cached predicate ssa_defn(StackVariable v, ControlFlowNode node, BasicBlock b, int index) { - phi_node(v, b) and b.getStart() = node and index = -1 + this.phi_node(v, b) and b.getStart() = node and index = -1 or variableUpdate(v, node, b, index) } @@ -196,7 +197,7 @@ library class SsaHelper extends int { * basic blocks. */ private predicate defUseRank(StackVariable v, BasicBlock b, int rankix, int i) { - i = rank[rankix](int j | ssa_defn(v, _, b, j) or ssa_use(v, _, b, j)) + i = rank[rankix](int j | this.ssa_defn(v, _, b, j) or ssa_use(v, _, b, j)) } /** @@ -206,7 +207,7 @@ library class SsaHelper extends int { * the block. */ private int lastRank(StackVariable v, BasicBlock b) { - result = max(int rankix | defUseRank(v, b, rankix, _)) + 1 + result = max(int rankix | this.defUseRank(v, b, rankix, _)) + 1 } /** @@ -215,8 +216,8 @@ library class SsaHelper extends int { */ private predicate ssaDefRank(StackVariable v, ControlFlowNode def, BasicBlock b, int rankix) { exists(int i | - ssa_defn(v, def, b, i) and - defUseRank(v, b, rankix, i) + this.ssa_defn(v, def, b, i) and + this.defUseRank(v, b, rankix, i) ) } 
@@ -232,21 +233,21 @@ library class SsaHelper extends int { // use is understood to happen _before_ the definition. Phi nodes are // at rankidx -1 and will therefore always reach the first node in the // basic block. - ssaDefRank(v, def, b, rankix - 1) + this.ssaDefRank(v, def, b, rankix - 1) or - ssaDefReachesRank(v, def, b, rankix - 1) and - rankix <= lastRank(v, b) and // Without this, the predicate would be infinite. - not ssaDefRank(v, _, b, rankix - 1) // Range is inclusive of but not past next def. + this.ssaDefReachesRank(v, def, b, rankix - 1) and + rankix <= this.lastRank(v, b) and // Without this, the predicate would be infinite. + not this.ssaDefRank(v, _, b, rankix - 1) // Range is inclusive of but not past next def. } /** Holds if SSA variable `(v, def)` reaches the end of block `b`. */ cached predicate ssaDefinitionReachesEndOfBB(StackVariable v, ControlFlowNode def, BasicBlock b) { - live_at_exit_of_bb(v, b) and ssaDefReachesRank(v, def, b, lastRank(v, b)) + live_at_exit_of_bb(v, b) and this.ssaDefReachesRank(v, def, b, this.lastRank(v, b)) or exists(BasicBlock idom | - ssaDefinitionReachesEndOfBB(v, def, idom) and - noDefinitionsSinceIDominator(v, idom, b) + this.ssaDefinitionReachesEndOfBB(v, def, idom) and + this.noDefinitionsSinceIDominator(v, idom, b) ) } @@ -260,7 +261,7 @@ library class SsaHelper extends int { private predicate noDefinitionsSinceIDominator(StackVariable v, BasicBlock idom, BasicBlock b) { bbIDominates(idom, b) and // It is sufficient to traverse the dominator graph, cf. discussion above. live_at_exit_of_bb(v, b) and - not ssa_defn(v, _, b, _) + not this.ssa_defn(v, _, b, _) } /** 
@@ -269,8 +270,8 @@ library class SsaHelper extends int { */ private predicate ssaDefinitionReachesUseWithinBB(StackVariable v, ControlFlowNode def, Expr use) { exists(BasicBlock b, int rankix, int i | - ssaDefReachesRank(v, def, b, rankix) and - defUseRank(v, b, rankix, i) and + this.ssaDefReachesRank(v, def, b, rankix) and + this.defUseRank(v, b, rankix, i) and ssa_use(v, use, b, i) ) } @@ -279,12 +280,12 @@ library class SsaHelper extends int { * Holds if SSA variable `(v, def)` reaches the control-flow node `use`. */ private predicate ssaDefinitionReaches(StackVariable v, ControlFlowNode def, Expr use) { - ssaDefinitionReachesUseWithinBB(v, def, use) + this.ssaDefinitionReachesUseWithinBB(v, def, use) or exists(BasicBlock b | ssa_use(v, use, b, _) and - ssaDefinitionReachesEndOfBB(v, def, b.getAPredecessor()) and - not ssaDefinitionReachesUseWithinBB(v, _, use) + this.ssaDefinitionReachesEndOfBB(v, def, b.getAPredecessor()) and + not this.ssaDefinitionReachesUseWithinBB(v, _, use) ) } @@ -294,10 +295,10 @@ library class SsaHelper extends int { */ cached string toString(ControlFlowNode node, StackVariable v) { - if phi_node(v, node) + if this.phi_node(v, node) then result = "SSA phi(" + v.getName() + ")" else ( - ssa_defn(v, node, _, _) and result = "SSA def(" + v.getName() + ")" + this.ssa_defn(v, node, _, _) and result = "SSA def(" + v.getName() + ")" ) } @@ -307,7 +308,7 @@ library class SsaHelper extends int { */ cached VariableAccess getAUse(ControlFlowNode def, StackVariable v) { - ssaDefinitionReaches(v, def, result) and + this.ssaDefinitionReaches(v, def, result) and ssa_use(v, result, _, _) } } diff --git a/cpp/ql/lib/semmle/code/cpp/exprs/ComparisonOperation.qll b/cpp/ql/lib/semmle/code/cpp/exprs/ComparisonOperation.qll index 2c6387f1844..9135e15fb49 100644 --- a/cpp/ql/lib/semmle/code/cpp/exprs/ComparisonOperation.qll +++ b/cpp/ql/lib/semmle/code/cpp/exprs/ComparisonOperation.qll 
@@ -76,9 +76,9 @@ class GTExpr extends RelationalOperation, @gtexpr { override string getOperator() { result = ">" } - override Expr getGreaterOperand() { result = getLeftOperand() } + override Expr getGreaterOperand() { result = this.getLeftOperand() } - override Expr getLesserOperand() { result = getRightOperand() } + override Expr getLesserOperand() { result = this.getRightOperand() } } /** @@ -92,9 +92,9 @@ class LTExpr extends RelationalOperation, @ltexpr { override string getOperator() { result = "<" } - override Expr getGreaterOperand() { result = getRightOperand() } + override Expr getGreaterOperand() { result = this.getRightOperand() } - override Expr getLesserOperand() { result = getLeftOperand() } + override Expr getLesserOperand() { result = this.getLeftOperand() } } /** @@ -108,9 +108,9 @@ class GEExpr extends RelationalOperation, @geexpr { override string getOperator() { result = ">=" } - override Expr getGreaterOperand() { result = getLeftOperand() } + override Expr getGreaterOperand() { result = this.getLeftOperand() } - override Expr getLesserOperand() { result = getRightOperand() } + override Expr getLesserOperand() { result = this.getRightOperand() } } /** @@ -124,7 +124,7 @@ class LEExpr extends RelationalOperation, @leexpr { override string getOperator() { result = "<=" } - override Expr getGreaterOperand() { result = getRightOperand() } + override Expr getGreaterOperand() { result = this.getRightOperand() } - override Expr getLesserOperand() { result = getLeftOperand() } + override Expr getLesserOperand() { result = this.getLeftOperand() } } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll index 7e12ebc1c90..8cf69dec6ef 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll 
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll @@ -22,7 +22,7 @@ private newtype TAllocation = abstract class Allocation extends TAllocation { abstract string toString(); - final string getAllocationString() { result = toString() } + final string getAllocationString() { result = this.toString() } abstract Instruction getABaseInstruction(); diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll index 4e606c1f9c5..1dd116d6c0e 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll @@ -95,7 +95,9 @@ private newtype TMemoryLocation = */ abstract class MemoryLocation extends TMemoryLocation { final string toString() { - if isMayAccess() then result = "?" + toStringInternal() else result = toStringInternal() + if this.isMayAccess() + then result = "?" + this.toStringInternal() + else result = this.toStringInternal() } abstract string toStringInternal(); @@ -110,7 +112,7 @@ abstract class MemoryLocation extends TMemoryLocation { abstract Location getLocation(); - final IRType getIRType() { result = getType().getIRType() } + final IRType getIRType() { result = this.getType().getIRType() } abstract predicate isMayAccess(); @@ -136,7 +138,7 @@ abstract class MemoryLocation extends TMemoryLocation { final predicate canReuseSsa() { none() } /** DEPRECATED: Alias for canReuseSsa */ - deprecated predicate canReuseSSA() { canReuseSsa() } + deprecated predicate canReuseSSA() { this.canReuseSsa() } } /** 
@@ -191,19 +193,19 @@ class VariableMemoryLocation extends TVariableMemoryLocation, AllocationMemoryLo } private string getIntervalString() { - if coversEntireVariable() + if this.coversEntireVariable() then result = "" else result = Interval::getIntervalString(startBitOffset, endBitOffset) } private string getTypeString() { - if coversEntireVariable() and type = var.getIRType() + if this.coversEntireVariable() and type = var.getIRType() then result = "" else result = "<" + languageType.toString() + ">" } final override string toStringInternal() { - result = var.toString() + getIntervalString() + getTypeString() + result = var.toString() + this.getIntervalString() + this.getTypeString() } final override Language::LanguageType getType() { @@ -236,7 +238,7 @@ class VariableMemoryLocation extends TVariableMemoryLocation, AllocationMemoryLo /** * Holds if this memory location covers the entire variable. */ - final predicate coversEntireVariable() { varIRTypeHasBitRange(startBitOffset, endBitOffset) } + final predicate coversEntireVariable() { this.varIRTypeHasBitRange(startBitOffset, endBitOffset) } pragma[noinline] private predicate varIRTypeHasBitRange(int start, int end) { @@ -262,7 +264,7 @@ class EntireAllocationMemoryLocation extends TEntireAllocationMemoryLocation, class EntireAllocationVirtualVariable extends EntireAllocationMemoryLocation, VirtualVariable { EntireAllocationVirtualVariable() { not allocationEscapes(var) and - not isMayAccess() + not this.isMayAccess() } } @@ -275,8 +277,8 @@ class VariableVirtualVariable extends VariableMemoryLocation, VirtualVariable { VariableVirtualVariable() { not allocationEscapes(var) and type = var.getIRType() and - coversEntireVariable() and - not isMayAccess() + this.coversEntireVariable() and + not this.isMayAccess() } } 
@@ -337,7 +339,7 @@ class AllNonLocalMemory extends TAllNonLocalMemory, MemoryLocation { // instruction, which provides the initial definition for all memory outside of the current // function's stack frame. This memory includes string literals and other read-only globals, so // we allow such an access to be the definition for a use of a read-only location. - not isMayAccess() + not this.isMayAccess() } } @@ -360,7 +362,7 @@ class AllAliasedMemory extends TAllAliasedMemory, MemoryLocation { final override Location getLocation() { result = irFunc.getLocation() } - final override string getUniqueId() { result = " " + toString() } + final override string getUniqueId() { result = " " + this.toString() } final override VirtualVariable getVirtualVariable() { result = TAllAliasedMemory(irFunc, false) } @@ -369,7 +371,7 @@ class AllAliasedMemory extends TAllAliasedMemory, MemoryLocation { /** A virtual variable that groups all escaped memory within a function. */ class AliasedVirtualVariable extends AllAliasedMemory, VirtualVariable { - AliasedVirtualVariable() { not isMayAccess() } + AliasedVirtualVariable() { not this.isMayAccess() } } /** diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll index 8eea58e170a..68f7a5fbdb4 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll 
@@ -31,42 +31,42 @@ abstract class TranslatedCall extends TranslatedExpr { // The qualifier is evaluated before the call target, because the value of // the call target may depend on the value of the qualifier for virtual // calls. - id = -2 and result = getQualifier() + id = -2 and result = this.getQualifier() or - id = -1 and result = getCallTarget() + id = -1 and result = this.getCallTarget() or - result = getArgument(id) + result = this.getArgument(id) or - id = getNumberOfArguments() and result = getSideEffects() + id = this.getNumberOfArguments() and result = this.getSideEffects() } final override Instruction getFirstInstruction() { - if exists(getQualifier()) - then result = getQualifier().getFirstInstruction() - else result = getFirstCallTargetInstruction() + if exists(this.getQualifier()) + then result = this.getQualifier().getFirstInstruction() + else result = this.getFirstCallTargetInstruction() } override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = CallTag() and opcode instanceof Opcode::Call and - resultType = getTypeForPRValue(getCallResultType()) + resultType = getTypeForPRValue(this.getCallResultType()) } override Instruction getChildSuccessor(TranslatedElement child) { - child = getQualifier() and - result = getFirstCallTargetInstruction() + child = this.getQualifier() and + result = this.getFirstCallTargetInstruction() or - child = getCallTarget() and - result = getFirstArgumentOrCallInstruction() + child = this.getCallTarget() and + result = this.getFirstArgumentOrCallInstruction() or exists(int argIndex | - child = getArgument(argIndex) and - if exists(getArgument(argIndex + 1)) - then result = getArgument(argIndex + 1).getFirstInstruction() - else result = getInstruction(CallTag()) + child = this.getArgument(argIndex) and + if exists(this.getArgument(argIndex + 1)) + then result = this.getArgument(argIndex + 1).getFirstInstruction() + else result = this.getInstruction(CallTag()) ) or - child = 
getSideEffects() and + child = this.getSideEffects() and if this.isNoReturn() then result = @@ -79,26 +79,26 @@ abstract class TranslatedCall extends TranslatedExpr { override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { kind instanceof GotoEdge and tag = CallTag() and - result = getSideEffects().getFirstInstruction() + result = this.getSideEffects().getFirstInstruction() } override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) { tag = CallTag() and ( operandTag instanceof CallTargetOperandTag and - result = getCallTargetResult() + result = this.getCallTargetResult() or operandTag instanceof ThisArgumentOperandTag and - result = getQualifierResult() + result = this.getQualifierResult() or exists(PositionalArgumentOperandTag argTag | argTag = operandTag and - result = getArgument(argTag.getArgIndex()).getResult() + result = this.getArgument(argTag.getArgIndex()).getResult() ) ) } - final override Instruction getResult() { result = getInstruction(CallTag()) } + final override Instruction getResult() { result = this.getInstruction(CallTag()) } /** * Gets the result type of the call. @@ -108,7 +108,7 @@ abstract class TranslatedCall extends TranslatedExpr { /** * Holds if the call has a `this` argument. */ - predicate hasQualifier() { exists(getQualifier()) } + predicate hasQualifier() { exists(this.getQualifier()) } /** * Gets the `TranslatedExpr` for the indirect target of the call, if any. @@ -121,7 +121,9 @@ abstract class TranslatedCall extends TranslatedExpr { * it can be overridden by a subclass for cases where there is a call target * that is not computed from an expression (e.g. a direct call). */ - Instruction getFirstCallTargetInstruction() { result = getCallTarget().getFirstInstruction() } + Instruction getFirstCallTargetInstruction() { + result = this.getCallTarget().getFirstInstruction() + } /** * Gets the instruction whose result value is the target of the call. By 
@@ -129,7 +131,7 @@ abstract class TranslatedCall extends TranslatedExpr { * overridden by a subclass for cases where there is a call target that is not * computed from an expression (e.g. a direct call). */ - Instruction getCallTargetResult() { result = getCallTarget().getResult() } + Instruction getCallTargetResult() { result = this.getCallTarget().getResult() } /** * Gets the `TranslatedExpr` for the qualifier of the call (i.e. the value @@ -143,7 +145,7 @@ abstract class TranslatedCall extends TranslatedExpr { * overridden by a subclass for cases where there is a `this` argument that is * not computed from a child expression (e.g. a constructor call). */ - Instruction getQualifierResult() { result = getQualifier().getResult() } + Instruction getQualifierResult() { result = this.getQualifier().getResult() } /** * Gets the argument with the specified `index`. Does not include the `this` @@ -158,9 +160,9 @@ abstract class TranslatedCall extends TranslatedExpr { * argument. Otherwise, returns the call instruction. */ final Instruction getFirstArgumentOrCallInstruction() { - if hasArguments() - then result = getArgument(0).getFirstInstruction() - else result = getInstruction(CallTag()) + if this.hasArguments() + then result = this.getArgument(0).getFirstInstruction() + else result = this.getInstruction(CallTag()) } /** 
@@ -184,17 +186,17 @@ abstract class TranslatedSideEffects extends TranslatedElement { /** Gets the expression whose side effects are being modeled. */ abstract Expr getExpr(); - final override Locatable getAst() { result = getExpr() } + final override Locatable getAst() { result = this.getExpr() } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } - final override Declaration getFunction() { result = getEnclosingDeclaration(getExpr()) } + final override Declaration getFunction() { result = getEnclosingDeclaration(this.getExpr()) } final override TranslatedElement getChild(int i) { result = rank[i + 1](TranslatedSideEffect tse, int group, int indexInGroup | - tse.getPrimaryExpr() = getExpr() and + tse.getPrimaryExpr() = this.getExpr() and tse.sortOrder(group, indexInGroup) | tse order by group, indexInGroup @@ -203,10 +205,10 @@ abstract class TranslatedSideEffects extends TranslatedElement { final override Instruction getChildSuccessor(TranslatedElement te) { exists(int i | - getChild(i) = te and - if exists(getChild(i + 1)) - then result = getChild(i + 1).getFirstInstruction() - else result = getParent().getChildSuccessor(this) + this.getChild(i) = te and + if exists(this.getChild(i + 1)) + then result = this.getChild(i + 1).getFirstInstruction() + else result = this.getParent().getChildSuccessor(this) ) } 
@@ -215,10 +217,10 @@ abstract class TranslatedSideEffects extends TranslatedElement { } final override Instruction getFirstInstruction() { - result = getChild(0).getFirstInstruction() + result = this.getChild(0).getFirstInstruction() or // Some functions, like `std::move()`, have no side effects whatsoever. - not exists(getChild(0)) and result = getParent().getChildSuccessor(this) + not exists(this.getChild(0)) and result = this.getParent().getChildSuccessor(this) } final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() } @@ -234,10 +236,10 @@ abstract class TranslatedSideEffects extends TranslatedElement { */ abstract class TranslatedDirectCall extends TranslatedCall { final override Instruction getFirstCallTargetInstruction() { - result = getInstruction(CallTargetTag()) + result = this.getInstruction(CallTargetTag()) } - final override Instruction getCallTargetResult() { result = getInstruction(CallTargetTag()) } + final override Instruction getCallTargetResult() { result = this.getInstruction(CallTargetTag()) } override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { TranslatedCall.super.hasInstruction(opcode, tag, resultType) @@ -252,7 +254,7 @@ abstract class TranslatedDirectCall extends TranslatedCall { or tag = CallTargetTag() and kind instanceof GotoEdge and - result = getFirstArgumentOrCallInstruction() + result = this.getFirstArgumentOrCallInstruction() } } @@ -301,12 +303,12 @@ class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall { } override Instruction getQualifierResult() { - hasQualifier() and - result = getQualifier().getResult() + this.hasQualifier() and + result = this.getQualifier().getResult() } override predicate hasQualifier() { - exists(getQualifier()) and + exists(this.getQualifier()) and not exists(MemberFunction func | expr.getTarget() = func and func.isStatic()) } } 
@@ -322,7 +324,7 @@ class TranslatedStructorCall extends TranslatedFunctionCall { override Instruction getQualifierResult() { exists(StructorCallContext context | - context = getParent() and + context = this.getParent() and result = context.getReceiver() ) } @@ -373,24 +375,26 @@ abstract class TranslatedSideEffect extends TranslatedElement { final override Instruction getChildSuccessor(TranslatedElement child) { none() } - final override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) } + final override Instruction getFirstInstruction() { + result = this.getInstruction(OnlyInstructionTag()) + } final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) { tag = OnlyInstructionTag() and - sideEffectInstruction(opcode, type) + this.sideEffectInstruction(opcode, type) } final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { - result = getParent().getChildSuccessor(this) and + result = this.getParent().getChildSuccessor(this) and tag = OnlyInstructionTag() and kind instanceof GotoEdge } - final override Declaration getFunction() { result = getParent().getFunction() } + final override Declaration getFunction() { result = this.getParent().getFunction() } final override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) { tag = OnlyInstructionTag() and - result = getParent().(TranslatedSideEffects).getPrimaryInstruction() + result = this.getParent().(TranslatedSideEffects).getPrimaryInstruction() } /** 
@@ -428,18 +432,18 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect { TranslatedArgumentSideEffect() { any() } override string toString() { - isWrite() and - result = "(write side effect for " + getArgString() + ")" + this.isWrite() and + result = "(write side effect for " + this.getArgString() + ")" or - not isWrite() and - result = "(read side effect for " + getArgString() + ")" + not this.isWrite() and + result = "(read side effect for " + this.getArgString() + ")" } override Call getPrimaryExpr() { result = call } override predicate sortOrder(int group, int indexInGroup) { indexInGroup = index and - if isWrite() then group = argumentWriteGroup() else group = argumentReadGroup() + if this.isWrite() then group = argumentWriteGroup() else group = argumentReadGroup() } final override int getInstructionIndex(InstructionTag tag) { @@ -450,20 +454,20 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect { final override predicate sideEffectInstruction(Opcode opcode, CppType type) { opcode = sideEffectOpcode and ( - isWrite() and + this.isWrite() and ( opcode instanceof BufferAccessOpcode and type = getUnknownType() or not opcode instanceof BufferAccessOpcode and - exists(Type indirectionType | indirectionType = getIndirectionType() | + exists(Type indirectionType | indirectionType = this.getIndirectionType() | if indirectionType instanceof VoidType then type = getUnknownType() else type = getTypeForPRValueOrUnknown(indirectionType) ) ) or - not isWrite() and + not this.isWrite() and type = getVoidType() ) } @@ -471,7 +475,7 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect { final override CppType getInstructionMemoryOperandType( InstructionTag tag, TypedOperandTag operandTag ) { - not isWrite() and + not this.isWrite() and if sideEffectOpcode instanceof BufferAccessOpcode then result = getUnknownType() and 
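Review bot: `toString()` in this hunk writes its two cases as `this.isWrite() and … or not this.isWrite() and …`, while `sortOrder` a few lines below branches on the same predicate with `if this.isWrite() then … else …`. Using the `if` form in both names the condition once and reads more uniformly. The body would become `if this.isWrite() then result = "(write side effect for " + this.getArgString() + ")" else result = "(read side effect for " + this.getArgString() + ")"`, which holds for the same tuples. The enclosing class `TranslatedArgumentSideEffect` starts and ends outside the hunk.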
@@ -480,7 +484,7 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect { else exists(Type operandType | tag instanceof OnlyInstructionTag and - operandType = getIndirectionType() and + operandType = this.getIndirectionType() and operandTag instanceof SideEffectOperandTag | // If the type we select is an incomplete type (e.g. a forward-declared `struct`), there will @@ -492,7 +496,7 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect { final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) { tag instanceof OnlyInstructionTag and operandTag instanceof AddressOperandTag and - result = getArgInstruction() + result = this.getArgInstruction() or tag instanceof OnlyInstructionTag and operandTag instanceof BufferSizeOperandTag and @@ -533,7 +537,7 @@ class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect, final override Locatable getAst() { result = arg } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } final override Type getIndirectionType() { result = arg.getUnspecifiedType().(DerivedType).getBaseType() @@ -568,7 +572,7 @@ class TranslatedStructorQualifierSideEffect extends TranslatedArgumentSideEffect final override Locatable getAst() { result = call } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } final override Type getIndirectionType() { result = call.getTarget().getDeclaringType() } 
@@ -592,7 +596,7 @@ class TranslatedCallSideEffect extends TranslatedSideEffect, TTranslatedCallSide override Locatable getAst() { result = expr } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } override Expr getPrimaryExpr() { result = expr } @@ -633,7 +637,7 @@ class TranslatedAllocationSideEffect extends TranslatedSideEffect, TTranslatedAl override Locatable getAst() { result = expr } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } override Expr getPrimaryExpr() { result = expr } @@ -646,7 +650,7 @@ class TranslatedAllocationSideEffect extends TranslatedSideEffect, TTranslatedAl override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) { tag = OnlyInstructionTag() and operandTag = addressOperand() and - result = getPrimaryInstructionForSideEffect(OnlyInstructionTag()) + result = this.getPrimaryInstructionForSideEffect(OnlyInstructionTag()) } override predicate sideEffectInstruction(Opcode opcode, CppType type) { diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll index 29b931e0ab6..30755f0f000 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll 
@@ -22,9 +22,9 @@ abstract class TranslatedCondition extends TranslatedElement { final override Locatable getAst() { result = expr } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } - final ConditionContext getConditionContext() { result = getParent() } + final ConditionContext getConditionContext() { result = this.getParent() } final Expr getExpr() { result = expr } @@ -42,9 +42,11 @@ abstract class TranslatedFlexibleCondition extends TranslatedCondition, Conditio { TranslatedFlexibleCondition() { this = TTranslatedFlexibleCondition(expr) } - final override TranslatedElement getChild(int id) { id = 0 and result = getOperand() } + final override TranslatedElement getChild(int id) { id = 0 and result = this.getOperand() } - final override Instruction getFirstInstruction() { result = getOperand().getFirstInstruction() } + final override Instruction getFirstInstruction() { + result = this.getOperand().getFirstInstruction() + } final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() @@ -61,13 +63,13 @@ class TranslatedParenthesisCondition extends TranslatedFlexibleCondition { override ParenthesisExpr expr; final override Instruction getChildTrueSuccessor(TranslatedCondition child) { - child = getOperand() and - result = getConditionContext().getChildTrueSuccessor(this) + child = this.getOperand() and + result = this.getConditionContext().getChildTrueSuccessor(this) } final override Instruction getChildFalseSuccessor(TranslatedCondition child) { - child = getOperand() and - result = getConditionContext().getChildFalseSuccessor(this) + child = this.getOperand() and + result = this.getConditionContext().getChildFalseSuccessor(this) } final override TranslatedCondition getOperand() { 
@@ -79,13 +81,13 @@ class TranslatedNotCondition extends TranslatedFlexibleCondition { override NotExpr expr; override Instruction getChildTrueSuccessor(TranslatedCondition child) { - child = getOperand() and - result = getConditionContext().getChildFalseSuccessor(this) + child = this.getOperand() and + result = this.getConditionContext().getChildFalseSuccessor(this) } override Instruction getChildFalseSuccessor(TranslatedCondition child) { - child = getOperand() and - result = getConditionContext().getChildTrueSuccessor(this) + child = this.getOperand() and + result = this.getConditionContext().getChildTrueSuccessor(this) } override TranslatedCondition getOperand() { @@ -103,13 +105,13 @@ abstract class TranslatedBinaryLogicalOperation extends TranslatedNativeConditio override BinaryLogicalOperation expr; final override TranslatedElement getChild(int id) { - id = 0 and result = getLeftOperand() + id = 0 and result = this.getLeftOperand() or - id = 1 and result = getRightOperand() + id = 1 and result = this.getRightOperand() } final override Instruction getFirstInstruction() { - result = getLeftOperand().getFirstInstruction() + result = this.getLeftOperand().getFirstInstruction() } final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { 
@@ -131,16 +133,16 @@ class TranslatedLogicalAndExpr extends TranslatedBinaryLogicalOperation { TranslatedLogicalAndExpr() { expr instanceof LogicalAndExpr } override Instruction getChildTrueSuccessor(TranslatedCondition child) { - child = getLeftOperand() and - result = getRightOperand().getFirstInstruction() + child = this.getLeftOperand() and + result = this.getRightOperand().getFirstInstruction() or - child = getRightOperand() and - result = getConditionContext().getChildTrueSuccessor(this) + child = this.getRightOperand() and + result = this.getConditionContext().getChildTrueSuccessor(this) } override Instruction getChildFalseSuccessor(TranslatedCondition child) { - (child = getLeftOperand() or child = getRightOperand()) and - result = getConditionContext().getChildFalseSuccessor(this) + (child = this.getLeftOperand() or child = this.getRightOperand()) and + result = this.getConditionContext().getChildFalseSuccessor(this) } } 
@@ -148,25 +150,25 @@ class TranslatedLogicalOrExpr extends TranslatedBinaryLogicalOperation { override LogicalOrExpr expr; override Instruction getChildTrueSuccessor(TranslatedCondition child) { - (child = getLeftOperand() or child = getRightOperand()) and - result = getConditionContext().getChildTrueSuccessor(this) + (child = this.getLeftOperand() or child = this.getRightOperand()) and + result = this.getConditionContext().getChildTrueSuccessor(this) } override Instruction getChildFalseSuccessor(TranslatedCondition child) { - child = getLeftOperand() and - result = getRightOperand().getFirstInstruction() + child = this.getLeftOperand() and + result = this.getRightOperand().getFirstInstruction() or - child = getRightOperand() and - result = getConditionContext().getChildFalseSuccessor(this) + child = this.getRightOperand() and + result = this.getConditionContext().getChildFalseSuccessor(this) } } class TranslatedValueCondition extends TranslatedCondition, TTranslatedValueCondition { TranslatedValueCondition() { this = TTranslatedValueCondition(expr) } - override TranslatedElement getChild(int id) { id = 0 and result = getValueExpr() } + override TranslatedElement getChild(int id) { id = 0 and result = this.getValueExpr() } - override Instruction getFirstInstruction() { result = getValueExpr().getFirstInstruction() } + override Instruction getFirstInstruction() { result = this.getValueExpr().getFirstInstruction() } override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = ValueConditionConditionalBranchTag() and 
@@ -175,25 +177,25 @@ class TranslatedValueCondition extends TranslatedCondition, TTranslatedValueCond } override Instruction getChildSuccessor(TranslatedElement child) { - child = getValueExpr() and - result = getInstruction(ValueConditionConditionalBranchTag()) + child = this.getValueExpr() and + result = this.getInstruction(ValueConditionConditionalBranchTag()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { tag = ValueConditionConditionalBranchTag() and ( kind instanceof TrueEdge and - result = getConditionContext().getChildTrueSuccessor(this) + result = this.getConditionContext().getChildTrueSuccessor(this) or kind instanceof FalseEdge and - result = getConditionContext().getChildFalseSuccessor(this) + result = this.getConditionContext().getChildFalseSuccessor(this) ) } override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) { tag = ValueConditionConditionalBranchTag() and operandTag instanceof ConditionOperandTag and - result = getValueExpr().getResult() + result = this.getValueExpr().getResult() } private TranslatedExpr getValueExpr() { result = getTranslatedExpr(expr) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll index 2b959f21df4..df2e8879341 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll @@ -47,7 +47,7 @@ abstract class TranslatedDeclarationEntry extends TranslatedElement, TTranslated final override Locatable getAst() { result = entry.getAst() } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } } /** 
@@ -60,19 +60,19 @@ abstract class TranslatedLocalVariableDeclaration extends TranslatedVariableInit */ abstract LocalVariable getVariable(); - final override Type getTargetType() { result = getVariableType(getVariable()) } + final override Type getTargetType() { result = getVariableType(this.getVariable()) } final override TranslatedInitialization getInitialization() { result = - getTranslatedInitialization(getVariable().getInitializer().getExpr().getFullyConverted()) + getTranslatedInitialization(this.getVariable().getInitializer().getExpr().getFullyConverted()) } final override Instruction getInitializationSuccessor() { - result = getParent().getChildSuccessor(this) + result = this.getParent().getChildSuccessor(this) } final override IRVariable getIRVariable() { - result = getIRUserVariable(getFunction(), getVariable()) + result = getIRUserVariable(this.getFunction(), this.getVariable()) } } @@ -123,7 +123,7 @@ class TranslatedStaticLocalVariableDeclarationEntry extends TranslatedDeclaratio TranslatedStaticLocalVariableDeclarationEntry() { var = entry.getDeclaration() } - final override TranslatedElement getChild(int id) { id = 0 and result = getInitialization() } + final override TranslatedElement getChild(int id) { id = 0 and result = this.getInitialization() } final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) { tag = DynamicInitializationFlagAddressTag() and 
@@ -148,39 +148,39 @@ class TranslatedStaticLocalVariableDeclarationEntry extends TranslatedDeclaratio } final override Instruction getFirstInstruction() { - result = getInstruction(DynamicInitializationFlagAddressTag()) + result = this.getInstruction(DynamicInitializationFlagAddressTag()) } final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { tag = DynamicInitializationFlagAddressTag() and kind instanceof GotoEdge and - result = getInstruction(DynamicInitializationFlagLoadTag()) + result = this.getInstruction(DynamicInitializationFlagLoadTag()) or tag = DynamicInitializationFlagLoadTag() and kind instanceof GotoEdge and - result = getInstruction(DynamicInitializationConditionalBranchTag()) + result = this.getInstruction(DynamicInitializationConditionalBranchTag()) or tag = DynamicInitializationConditionalBranchTag() and ( kind instanceof TrueEdge and - result = getParent().getChildSuccessor(this) + result = this.getParent().getChildSuccessor(this) or kind instanceof FalseEdge and - result = getInitialization().getFirstInstruction() + result = this.getInitialization().getFirstInstruction() ) or tag = DynamicInitializationFlagConstantTag() and kind instanceof GotoEdge and - result = getInstruction(DynamicInitializationFlagStoreTag()) + result = this.getInstruction(DynamicInitializationFlagStoreTag()) or tag = DynamicInitializationFlagStoreTag() and kind instanceof GotoEdge and - result = getParent().getChildSuccessor(this) + result = this.getParent().getChildSuccessor(this) } final override Instruction getChildSuccessor(TranslatedElement child) { - child = getInitialization() and - result = getInstruction(DynamicInitializationFlagConstantTag()) + child = this.getInitialization() and + result = this.getInstruction(DynamicInitializationFlagConstantTag()) } final override IRDynamicInitializationFlag getInstructionVariable(InstructionTag tag) { 
@@ -196,20 +196,20 @@ class TranslatedStaticLocalVariableDeclarationEntry extends TranslatedDeclaratio tag = DynamicInitializationFlagLoadTag() and ( operandTag instanceof AddressOperandTag and - result = getInstruction(DynamicInitializationFlagAddressTag()) + result = this.getInstruction(DynamicInitializationFlagAddressTag()) ) or tag = DynamicInitializationConditionalBranchTag() and operandTag instanceof ConditionOperandTag and - result = getInstruction(DynamicInitializationFlagLoadTag()) + result = this.getInstruction(DynamicInitializationFlagLoadTag()) or tag = DynamicInitializationFlagStoreTag() and ( operandTag instanceof AddressOperandTag and - result = getInstruction(DynamicInitializationFlagAddressTag()) + result = this.getInstruction(DynamicInitializationFlagAddressTag()) or operandTag instanceof StoreValueOperandTag and - result = getInstruction(DynamicInitializationFlagConstantTag()) + result = this.getInstruction(DynamicInitializationFlagConstantTag()) ) } @@ -238,7 +238,7 @@ class TranslatedStaticLocalVariableInitialization extends TranslatedElement, final override Locatable getAst() { result = entry.getAst() } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } final override LocalVariable getVariable() { result = var } @@ -267,7 +267,7 @@ class TranslatedConditionDecl extends TranslatedLocalVariableDeclaration, TTrans override Locatable getAst() { result = conditionDeclExpr } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } override Declaration getFunction() { result = getEnclosingFunction(conditionDeclExpr) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll index d02cb716fe5..5c5ee3c04c1 100644 
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll @@ -68,7 +68,7 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction { final override Locatable getAst() { result = func } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } /** * Gets the function being translated. @@ -76,15 +76,15 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction { final override Function getFunction() { result = func } final override TranslatedElement getChild(int id) { - id = -5 and result = getReadEffects() + id = -5 and result = this.getReadEffects() or - id = -4 and result = getConstructorInitList() + id = -4 and result = this.getConstructorInitList() or - id = -3 and result = getBody() + id = -3 and result = this.getBody() or - id = -2 and result = getDestructorDestructionList() + id = -2 and result = this.getDestructorDestructionList() or - id >= -1 and result = getParameter(id) + id >= -1 and result = this.getParameter(id) } final private TranslatedConstructorInitList getConstructorInitList() { 
@@ -109,64 +109,66 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction { result = getTranslatedEllipsisParameter(func) } - final override Instruction getFirstInstruction() { result = getInstruction(EnterFunctionTag()) } + final override Instruction getFirstInstruction() { + result = this.getInstruction(EnterFunctionTag()) + } final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { kind instanceof GotoEdge and ( tag = EnterFunctionTag() and - result = getInstruction(AliasedDefinitionTag()) + result = this.getInstruction(AliasedDefinitionTag()) or tag = AliasedDefinitionTag() and - result = getInstruction(InitializeNonLocalTag()) + result = this.getInstruction(InitializeNonLocalTag()) or ( tag = InitializeNonLocalTag() and - if exists(getThisType()) - then result = getParameter(-1).getFirstInstruction() + if exists(this.getThisType()) + then result = this.getParameter(-1).getFirstInstruction() else - if exists(getParameter(0)) - then result = getParameter(0).getFirstInstruction() - else result = getBody().getFirstInstruction() + if exists(this.getParameter(0)) + then result = this.getParameter(0).getFirstInstruction() + else result = this.getBody().getFirstInstruction() ) or tag = ReturnValueAddressTag() and - result = getInstruction(ReturnTag()) + result = this.getInstruction(ReturnTag()) or tag = ReturnTag() and - result = getInstruction(AliasedUseTag()) + result = this.getInstruction(AliasedUseTag()) or tag = UnwindTag() and - result = getInstruction(AliasedUseTag()) + result = this.getInstruction(AliasedUseTag()) or tag = AliasedUseTag() and - result = getInstruction(ExitFunctionTag()) + result = this.getInstruction(ExitFunctionTag()) ) } final override Instruction getChildSuccessor(TranslatedElement child) { exists(int paramIndex | - child = getParameter(paramIndex) and + child = this.getParameter(paramIndex) and if exists(func.getParameter(paramIndex + 1)) or getEllipsisParameterIndexForFunction(func) = 
paramIndex + 1 - then result = getParameter(paramIndex + 1).getFirstInstruction() - else result = getConstructorInitList().getFirstInstruction() + then result = this.getParameter(paramIndex + 1).getFirstInstruction() + else result = this.getConstructorInitList().getFirstInstruction() ) or - child = getConstructorInitList() and - result = getBody().getFirstInstruction() + child = this.getConstructorInitList() and + result = this.getBody().getFirstInstruction() or - child = getBody() and - result = getReturnSuccessorInstruction() + child = this.getBody() and + result = this.getReturnSuccessorInstruction() or - child = getDestructorDestructionList() and - result = getReadEffects().getFirstInstruction() + child = this.getDestructorDestructionList() and + result = this.getReadEffects().getFirstInstruction() or - child = getReadEffects() and - if hasReturnValue() - then result = getInstruction(ReturnValueAddressTag()) - else result = getInstruction(ReturnTag()) + child = this.getReadEffects() and + if this.hasReturnValue() + then result = this.getInstruction(ReturnValueAddressTag()) + else result = this.getInstruction(ReturnTag()) } final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { @@ -185,13 +187,13 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction { or tag = ReturnValueAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = getTypeForGLValue(getReturnType()) and - hasReturnValue() + resultType = getTypeForGLValue(this.getReturnType()) and + this.hasReturnValue() or ( tag = ReturnTag() and resultType = getVoidType() and - if hasReturnValue() + if this.hasReturnValue() then opcode instanceof Opcode::ReturnValue else opcode instanceof Opcode::ReturnVoid ) 
@@ -217,23 +219,23 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction { } final override Instruction getExceptionSuccessorInstruction() { - result = getInstruction(UnwindTag()) + result = this.getInstruction(UnwindTag()) } final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) { tag = ReturnTag() and - hasReturnValue() and + this.hasReturnValue() and operandTag instanceof AddressOperandTag and - result = getInstruction(ReturnValueAddressTag()) + result = this.getInstruction(ReturnValueAddressTag()) } final override CppType getInstructionMemoryOperandType( InstructionTag tag, TypedOperandTag operandTag ) { tag = ReturnTag() and - hasReturnValue() and + this.hasReturnValue() and operandTag instanceof LoadOperandTag and - result = getTypeForPRValue(getReturnType()) + result = getTypeForPRValue(this.getReturnType()) or tag = AliasedUseTag() and operandTag instanceof SideEffectOperandTag and @@ -242,7 +244,7 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction { final override IRVariable getInstructionVariable(InstructionTag tag) { tag = ReturnValueAddressTag() and - result = getReturnVariable() + result = this.getReturnVariable() } final override predicate needsUnknownOpaqueType(int byteSize) { @@ -251,15 +253,15 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction { final override predicate hasTempVariable(TempVariableTag tag, CppType type) { tag = ReturnValueTempVar() and - hasReturnValue() and - type = getTypeForPRValue(getReturnType()) + this.hasReturnValue() and + type = getTypeForPRValue(this.getReturnType()) or tag = EllipsisTempVar() and func.isVarargs() and type = getEllipsisVariablePRValueType() or tag = ThisTempVar() and - type = getTypeForGLValue(getThisType()) + type = getTypeForGLValue(this.getThisType()) } /** 
@@ -267,7 +269,7 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction { * statement. */ final Instruction getReturnSuccessorInstruction() { - result = getDestructorDestructionList().getFirstInstruction() + result = this.getDestructorDestructionList().getFirstInstruction() } /** @@ -368,25 +370,25 @@ abstract class TranslatedParameter extends TranslatedElement { final override TranslatedElement getChild(int id) { none() } final override Instruction getFirstInstruction() { - result = getInstruction(InitializerVariableAddressTag()) + result = this.getInstruction(InitializerVariableAddressTag()) } final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { kind instanceof GotoEdge and ( tag = InitializerVariableAddressTag() and - result = getInstruction(InitializerStoreTag()) + result = this.getInstruction(InitializerStoreTag()) or tag = InitializerStoreTag() and - if hasIndirection() - then result = getInstruction(InitializerIndirectAddressTag()) - else result = getParent().getChildSuccessor(this) + if this.hasIndirection() + then result = this.getInstruction(InitializerIndirectAddressTag()) + else result = this.getParent().getChildSuccessor(this) or tag = InitializerIndirectAddressTag() and - result = getInstruction(InitializerIndirectStoreTag()) + result = this.getInstruction(InitializerIndirectStoreTag()) or tag = InitializerIndirectStoreTag() and - result = getParent().getChildSuccessor(this) + result = this.getParent().getChildSuccessor(this) ) } 
@@ -395,21 +397,21 @@ abstract class TranslatedParameter extends TranslatedElement { final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = InitializerVariableAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = getGLValueType() + resultType = this.getGLValueType() or tag = InitializerStoreTag() and opcode instanceof Opcode::InitializeParameter and - resultType = getPRValueType() + resultType = this.getPRValueType() or - hasIndirection() and + this.hasIndirection() and tag = InitializerIndirectAddressTag() and opcode instanceof Opcode::Load and - resultType = getPRValueType() + resultType = this.getPRValueType() or - hasIndirection() and + this.hasIndirection() and tag = InitializerIndirectStoreTag() and opcode instanceof Opcode::InitializeIndirection and - resultType = getInitializationResultType() + resultType = this.getInitializationResultType() } final override IRVariable getInstructionVariable(InstructionTag tag) { 
@@ -418,26 +420,26 @@ abstract class TranslatedParameter extends TranslatedElement { tag = InitializerVariableAddressTag() or tag = InitializerIndirectStoreTag() ) and - result = getIRVariable() + result = this.getIRVariable() } final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) { tag = InitializerStoreTag() and ( operandTag instanceof AddressOperandTag and - result = getInstruction(InitializerVariableAddressTag()) + result = this.getInstruction(InitializerVariableAddressTag()) ) or // this feels a little strange, but I think it's the best we can do tag = InitializerIndirectAddressTag() and ( operandTag instanceof AddressOperandTag and - result = getInstruction(InitializerVariableAddressTag()) + result = this.getInstruction(InitializerVariableAddressTag()) ) or tag = InitializerIndirectStoreTag() and operandTag instanceof AddressOperandTag and - result = getInstruction(InitializerIndirectAddressTag()) + result = this.getInstruction(InitializerIndirectAddressTag()) } abstract predicate hasIndirection(); @@ -465,7 +467,7 @@ class TranslatedThisParameter extends TranslatedParameter, TTranslatedThisParame final override Locatable getAst() { result = func } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } final override Function getFunction() { result = func } @@ -500,7 +502,7 @@ class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedPara final override Locatable getAst() { result = param } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } final override Function getFunction() { result = param.getFunction() or 
@@ -522,7 +524,7 @@ class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedPara final override CppType getInitializationResultType() { result = getUnknownType() } final override IRAutomaticUserVariable getIRVariable() { - result = getIRUserVariable(getFunction(), param) + result = getIRUserVariable(this.getFunction(), param) } } @@ -540,7 +542,7 @@ class TranslatedEllipsisParameter extends TranslatedParameter, TTranslatedEllips final override Locatable getAst() { result = func } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } final override Function getFunction() { result = func } @@ -579,7 +581,7 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon override Locatable getAst() { result = func } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } override TranslatedElement getChild(int id) { exists(ConstructorFieldInit fieldInit | @@ -599,9 +601,9 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon } override Instruction getFirstInstruction() { - if exists(getChild(0)) - then result = getChild(0).getFirstInstruction() - else result = getParent().getChildSuccessor(this) + if exists(this.getChild(0)) + then result = this.getChild(0).getFirstInstruction() + else result = this.getParent().getChildSuccessor(this) } override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { 
@@ -614,10 +616,10 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon override Instruction getChildSuccessor(TranslatedElement child) { exists(int id | - child = getChild(id) and - if exists(getChild(id + 1)) - then result = getChild(id + 1).getFirstInstruction() - else result = getParent().getChildSuccessor(this) + child = this.getChild(id) and + if exists(this.getChild(id + 1)) + then result = this.getChild(id + 1).getFirstInstruction() + else result = this.getParent().getChildSuccessor(this) ) } @@ -651,7 +653,7 @@ class TranslatedDestructorDestructionList extends TranslatedElement, override Locatable getAst() { result = func } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } override TranslatedElement getChild(int id) { exists(DestructorFieldDestruction fieldDestruction | @@ -666,9 +668,9 @@ class TranslatedDestructorDestructionList extends TranslatedElement, } override Instruction getFirstInstruction() { - if exists(getChild(0)) - then result = getChild(0).getFirstInstruction() - else result = getParent().getChildSuccessor(this) + if exists(this.getChild(0)) + then result = this.getChild(0).getFirstInstruction() + else result = this.getParent().getChildSuccessor(this) } override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { @@ -681,10 +683,10 @@ class TranslatedDestructorDestructionList extends TranslatedElement, override Instruction getChildSuccessor(TranslatedElement child) { exists(int id | - child = getChild(id) and - if exists(getChild(id + 1)) - then result = getChild(id + 1).getFirstInstruction() - else result = getParent().getChildSuccessor(this) + child = this.getChild(id) and + if exists(this.getChild(id + 1)) + then result = this.getChild(id + 1).getFirstInstruction() + else result = this.getParent().getChildSuccessor(this) ) } } 
@@ -699,7 +701,7 @@ class TranslatedReadEffects extends TranslatedElement, TTranslatedReadEffects { override Locatable getAst() { result = func } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } override Function getFunction() { result = func } @@ -713,25 +715,25 @@ class TranslatedReadEffects extends TranslatedElement, TTranslatedReadEffects { } override Instruction getFirstInstruction() { - if exists(getAChild()) + if exists(this.getAChild()) then result = - min(TranslatedElement child, int id | child = getChild(id) | child order by id) + min(TranslatedElement child, int id | child = this.getChild(id) | child order by id) .getFirstInstruction() - else result = getParent().getChildSuccessor(this) + else result = this.getParent().getChildSuccessor(this) } override Instruction getChildSuccessor(TranslatedElement child) { - exists(int id | child = getChild(id) | - if exists(TranslatedReadEffect child2, int id2 | id2 > id and child2 = getChild(id2)) + exists(int id | child = this.getChild(id) | + if exists(TranslatedReadEffect child2, int id2 | id2 > id and child2 = this.getChild(id2)) then result = min(TranslatedReadEffect child2, int id2 | - child2 = getChild(id2) and id2 > id + child2 = this.getChild(id2) and id2 > id | child2 order by id2 ).getFirstInstruction() - else result = getParent().getChildSuccessor(this) + else result = this.getParent().getChildSuccessor(this) ) } 
@@ -758,10 +760,10 @@ abstract class TranslatedReadEffect extends TranslatedElement { override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { tag = OnlyInstructionTag() and kind = EdgeKind::gotoEdge() and - result = getParent().getChildSuccessor(this) + result = this.getParent().getChildSuccessor(this) } - override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) } + override Instruction getFirstInstruction() { result = this.getInstruction(OnlyInstructionTag()) } override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { opcode instanceof Opcode::ReturnIndirection and @@ -786,7 +788,7 @@ class TranslatedThisReadEffect extends TranslatedReadEffect, TTranslatedThisRead override Locatable getAst() { result = func } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } override Function getFunction() { result = func } @@ -812,7 +814,7 @@ class TranslatedParameterReadEffect extends TranslatedReadEffect, TTranslatedPar override Locatable getAst() { result = param } /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = getAst() } + deprecated override Locatable getAST() { result = this.getAst() } override string toString() { result = "read effect: " + param.toString() } @@ -826,6 +828,6 @@ class TranslatedParameterReadEffect extends TranslatedReadEffect, TTranslatedPar final override IRVariable getInstructionVariable(InstructionTag tag) { tag = OnlyInstructionTag() and - result = getIRUserVariable(getFunction(), param) + result = getIRUserVariable(this.getFunction(), param) } } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/internal/ASTValueNumbering.qll b/cpp/ql/lib/semmle/code/cpp/ir/internal/ASTValueNumbering.qll index dcc013fd387..2dd51d39151 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/internal/ASTValueNumbering.qll 
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/ASTValueNumbering.qll @@ -62,14 +62,14 @@ class GVN extends TValueNumber { final string toString() { result = "GVN" } - final string getDebugString() { result = strictconcat(getAnExpr().toString(), ", ") } + final string getDebugString() { result = strictconcat(this.getAnExpr().toString(), ", ") } final Location getLocation() { - if exists(Expr e | e = getAnExpr() and not e.getLocation() instanceof UnknownLocation) + if exists(Expr e | e = this.getAnExpr() and not e.getLocation() instanceof UnknownLocation) then result = min(Location l | - l = getAnExpr().getLocation() and not l instanceof UnknownLocation + l = this.getAnExpr().getLocation() and not l instanceof UnknownLocation | l order by @@ -102,13 +102,13 @@ class GVN extends TValueNumber { } /** Gets an expression that has this GVN. */ - Expr getAnExpr() { result = getAnUnconvertedExpr() } + Expr getAnExpr() { result = this.getAnUnconvertedExpr() } /** Gets an expression that has this GVN. */ - Expr getAnUnconvertedExpr() { result = getAnInstruction().getUnconvertedResultExpression() } + Expr getAnUnconvertedExpr() { result = this.getAnInstruction().getUnconvertedResultExpression() } /** Gets an expression that has this GVN. */ - Expr getAConvertedExpr() { result = getAnInstruction().getConvertedResultExpression() } + Expr getAConvertedExpr() { result = this.getAnInstruction().getConvertedResultExpression() } } /** Gets the global value number of expression `e`. */ diff --git a/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll b/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll index bace59a872b..315db83a5cc 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll 
@@ -208,10 +208,10 @@ class CppType extends TCppType { string toString() { none() } /** Gets a string used in IR dumps */ - string getDumpString() { result = toString() } + string getDumpString() { result = this.toString() } /** Gets the size of the type in bytes, if known. */ - final int getByteSize() { result = getIRType().getByteSize() } + final int getByteSize() { result = this.getIRType().getByteSize() } /** * Gets the `IRType` that represents this `CppType`. Many different `CppType`s can map to a single @@ -232,7 +232,7 @@ class CppType extends TCppType { */ final predicate hasUnspecifiedType(Type type, boolean isGLValue) { exists(Type specifiedType | - hasType(specifiedType, isGLValue) and + this.hasType(specifiedType, isGLValue) and type = specifiedType.getUnspecifiedType() ) } diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Deallocation.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Deallocation.qll index 6bd2916b733..de1c3389be0 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Deallocation.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Deallocation.qll @@ -13,19 +13,19 @@ private class StandardDeallocationFunction extends DeallocationFunction { int freedArg; StandardDeallocationFunction() { - hasGlobalOrStdOrBslName([ + this.hasGlobalOrStdOrBslName([ // --- C library allocation "free", "realloc" ]) and freedArg = 0 or - hasGlobalName([ + this.hasGlobalName([ // --- OpenSSL memory allocation "CRYPTO_free", "CRYPTO_secure_free" ]) and freedArg = 0 or - hasGlobalOrStdName([ + this.hasGlobalOrStdName([ // --- Windows Memory Management for Windows Drivers "ExFreePoolWithTag", "ExDeleteTimer", "IoFreeMdl", "IoFreeWorkItem", "IoFreeErrorLogEntry", "MmFreeContiguousMemory", "MmFreeContiguousMemorySpecifyCache", "MmFreeNonCachedMemory", 
@@ -44,7 +44,7 @@ private class StandardDeallocationFunction extends DeallocationFunction { ]) and freedArg = 0 or - hasGlobalOrStdName([ + this.hasGlobalOrStdName([ // --- Windows Memory Management for Windows Drivers "ExFreeToLookasideListEx", "ExFreeToPagedLookasideList", "ExFreeToNPagedLookasideList", // --- NetBSD pool manager @@ -52,7 +52,7 @@ private class StandardDeallocationFunction extends DeallocationFunction { ]) and freedArg = 1 or - hasGlobalOrStdName(["HeapFree", "HeapReAlloc"]) and + this.hasGlobalOrStdName(["HeapFree", "HeapReAlloc"]) and freedArg = 2 } @@ -65,9 +65,9 @@ private class StandardDeallocationFunction extends DeallocationFunction { private class CallDeallocationExpr extends DeallocationExpr, FunctionCall { DeallocationFunction target; - CallDeallocationExpr() { target = getTarget() } + CallDeallocationExpr() { target = this.getTarget() } - override Expr getFreedExpr() { result = getArgument(target.getFreedArg()) } + override Expr getFreedExpr() { result = this.getArgument(target.getFreedArg()) } } /** @@ -76,7 +76,7 @@ private class CallDeallocationExpr extends DeallocationExpr, FunctionCall { private class DeleteDeallocationExpr extends DeallocationExpr, DeleteExpr { DeleteDeallocationExpr() { this instanceof DeleteExpr } - override Expr getFreedExpr() { result = getExpr() } + override Expr getFreedExpr() { result = this.getExpr() } } /** @@ -85,5 +85,5 @@ private class DeleteDeallocationExpr extends DeallocationExpr, DeleteExpr { private class DeleteArrayDeallocationExpr extends DeallocationExpr, DeleteArrayExpr { DeleteArrayDeallocationExpr() { this instanceof DeleteArrayExpr } - override Expr getFreedExpr() { result = getExpr() } + override Expr getFreedExpr() { result = this.getExpr() } } diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/MemberFunction.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/MemberFunction.qll index 31752b304a4..70fd04859da 100644 
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/MemberFunction.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/MemberFunction.qll @@ -14,8 +14,8 @@ import semmle.code.cpp.models.interfaces.Taint */ private class ConversionConstructorModel extends Constructor, TaintFunction { ConversionConstructorModel() { - strictcount(Parameter p | p = getAParameter() and not p.hasInitializer()) = 1 and - not hasSpecifier("explicit") + strictcount(Parameter p | p = this.getAParameter() and not p.hasInitializer()) = 1 and + not this.hasSpecifier("explicit") } override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll index e360fa7b2bb..f0a25dfa30d 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll @@ -15,10 +15,10 @@ private class Printf extends FormattingFunction, AliasFunction { Printf() { this instanceof TopLevelFunction and ( - hasGlobalOrStdOrBslName(["printf", "wprintf"]) or - hasGlobalName(["printf_s", "wprintf_s", "g_printf"]) + this.hasGlobalOrStdOrBslName(["printf", "wprintf"]) or + this.hasGlobalName(["printf_s", "wprintf_s", "g_printf"]) ) and - not exists(getDefinition().getFile().getRelativePath()) + not exists(this.getDefinition().getFile().getRelativePath()) } override int getFormatParameterIndex() { result = 0 } @@ -39,10 +39,10 @@ private class Fprintf extends FormattingFunction { Fprintf() { this instanceof TopLevelFunction and ( - hasGlobalOrStdOrBslName(["fprintf", "fwprintf"]) or - hasGlobalName("g_fprintf") + this.hasGlobalOrStdOrBslName(["fprintf", "fwprintf"]) or + this.hasGlobalName("g_fprintf") ) and - not exists(getDefinition().getFile().getRelativePath()) + not exists(this.getDefinition().getFile().getRelativePath()) } override int getFormatParameterIndex() { result = 1 } 
@@ -57,12 +57,12 @@ private class Sprintf extends FormattingFunction { Sprintf() { this instanceof TopLevelFunction and ( - hasGlobalOrStdOrBslName([ + this.hasGlobalOrStdOrBslName([ "sprintf", // sprintf(dst, format, args...) "wsprintf" // wsprintf(dst, format, args...) ]) or - hasGlobalName([ + this.hasGlobalName([ "_sprintf_l", // _sprintf_l(dst, format, locale, args...) "__swprintf_l", // __swprintf_l(dst, format, locale, args...) "g_strdup_printf", // g_strdup_printf(format, ...) @@ -70,24 +70,26 @@ private class Sprintf extends FormattingFunction { "__builtin___sprintf_chk" // __builtin___sprintf_chk(dst, flag, os, format, ...) ]) ) and - not exists(getDefinition().getFile().getRelativePath()) + not exists(this.getDefinition().getFile().getRelativePath()) } override int getFormatParameterIndex() { - hasName("g_strdup_printf") and result = 0 + this.hasName("g_strdup_printf") and result = 0 or - hasName("__builtin___sprintf_chk") and result = 3 + this.hasName("__builtin___sprintf_chk") and result = 3 or - not getName() = ["g_strdup_printf", "__builtin___sprintf_chk"] and + not this.getName() = ["g_strdup_printf", "__builtin___sprintf_chk"] and result = 1 } override int getOutputParameterIndex(boolean isStream) { - not hasName("g_strdup_printf") and result = 0 and isStream = false + not this.hasName("g_strdup_printf") and result = 0 and isStream = false } override int getFirstFormatArgumentIndex() { - if hasName("__builtin___sprintf_chk") then result = 4 else result = getNumberOfParameters() + if this.hasName("__builtin___sprintf_chk") + then result = 4 + else result = this.getNumberOfParameters() } } 
@@ -98,46 +100,46 @@ private class SnprintfImpl extends Snprintf { SnprintfImpl() { this instanceof TopLevelFunction and ( - hasGlobalOrStdOrBslName([ + this.hasGlobalOrStdOrBslName([ "snprintf", // C99 defines snprintf "swprintf" // The s version of wide-char printf is also always the n version ]) or // Microsoft has _snprintf as well as several other variations - hasGlobalName([ + this.hasGlobalName([ "sprintf_s", "snprintf_s", "swprintf_s", "_snprintf", "_snprintf_s", "_snprintf_l", "_snprintf_s_l", "_snwprintf", "_snwprintf_s", "_snwprintf_l", "_snwprintf_s_l", "_sprintf_s_l", "_swprintf_l", "_swprintf_s_l", "g_snprintf", "wnsprintf", "__builtin___snprintf_chk" ]) ) and - not exists(getDefinition().getFile().getRelativePath()) + not exists(this.getDefinition().getFile().getRelativePath()) } override int getFormatParameterIndex() { - if getName().matches("%\\_l") - then result = getFirstFormatArgumentIndex() - 2 - else result = getFirstFormatArgumentIndex() - 1 + if this.getName().matches("%\\_l") + then result = this.getFirstFormatArgumentIndex() - 2 + else result = this.getFirstFormatArgumentIndex() - 1 } override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = false } override int getFirstFormatArgumentIndex() { exists(string name | - name = getQualifiedName() and + name = this.getQualifiedName() and ( name = "__builtin___snprintf_chk" and result = 5 or name != "__builtin___snprintf_chk" and - result = getNumberOfParameters() + result = this.getNumberOfParameters() ) ) } override predicate returnsFullFormatLength() { - hasName(["snprintf", "g_snprintf", "__builtin___snprintf_chk", "snprintf_s"]) and - not exists(getDefinition().getFile().getRelativePath()) + this.hasName(["snprintf", "g_snprintf", "__builtin___snprintf_chk", "snprintf_s"]) and + not exists(this.getDefinition().getFile().getRelativePath()) } override int getSizeParameterIndex() { result = 1 } 
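Review bot: `SnprintfImpl.getFirstFormatArgumentIndex` binds `name = this.getQualifiedName()` and compares it with `"__builtin___snprintf_chk"`, while the other name tests in Printf.qll go through `hasName`/`getName`, including the matching predicate on `Sprintf` in the previous hunk. The body could mirror that one: `if this.hasName("__builtin___snprintf_chk") then result = 5 else result = this.getNumberOfParameters()`. For the top-level functions this class matches the two forms should agree, but confirm that against the library tests, because this index decides which arguments are treated as format arguments. Separately, the `not exists(this.getDefinition().getFile().getRelativePath())` conjunct in `returnsFullFormatLength` repeats a condition the characteristic predicate already imposes. The class declaration itself starts outside the hunk.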
@@ -149,15 +151,15 @@ private class SnprintfImpl extends Snprintf { private class StringCchPrintf extends FormattingFunction { StringCchPrintf() { this instanceof TopLevelFunction and - hasGlobalName([ + this.hasGlobalName([ "StringCchPrintf", "StringCchPrintfEx", "StringCchPrintf_l", "StringCchPrintf_lEx", "StringCbPrintf", "StringCbPrintfEx", "StringCbPrintf_l", "StringCbPrintf_lEx" ]) and - not exists(getDefinition().getFile().getRelativePath()) + not exists(this.getDefinition().getFile().getRelativePath()) } override int getFormatParameterIndex() { - if getName().matches("%Ex") then result = 5 else result = 2 + if this.getName().matches("%Ex") then result = 5 else result = 2 } override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = false } @@ -171,8 +173,8 @@ private class StringCchPrintf extends FormattingFunction { private class Syslog extends FormattingFunction { Syslog() { this instanceof TopLevelFunction and - hasGlobalName("syslog") and - not exists(getDefinition().getFile().getRelativePath()) + this.hasGlobalName("syslog") and + not exists(this.getDefinition().getFile().getRelativePath()) } override int getFormatParameterIndex() { result = 1 } diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strdup.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strdup.qll index 51d496fc69e..e83178134a8 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strdup.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strdup.qll @@ -13,7 +13,7 @@ import semmle.code.cpp.models.interfaces.Taint */ private class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction { StrdupFunction() { - hasGlobalName([ + this.hasGlobalName([ // --- C library allocation "strdup", // strdup(str) "strdupa", // strdupa(str) - returns stack allocated buffer 
@@ -33,7 +33,7 @@ private class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlow output.isReturnValueDeref() } - override predicate requiresDealloc() { not hasGlobalName("strdupa") } + override predicate requiresDealloc() { not this.hasGlobalName("strdupa") } } /** @@ -41,7 +41,7 @@ private class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlow */ private class StrndupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction { StrndupFunction() { - hasGlobalName([ + this.hasGlobalName([ // -- C library allocation "strndup", // strndup(str, maxlen) "strndupa" // strndupa(str, maxlen) -- returns stack allocated buffer @@ -60,5 +60,5 @@ private class StrndupFunction extends AllocationFunction, ArrayFunction, DataFlo output.isReturnValueDeref() } - override predicate requiresDealloc() { not hasGlobalName("strndupa") } + override predicate requiresDealloc() { not this.hasGlobalName("strndupa") } } diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strftime.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strftime.qll index 0dad89e950f..a0f00662d37 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strftime.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strftime.qll @@ -2,7 +2,7 @@ import semmle.code.cpp.models.interfaces.Taint import semmle.code.cpp.models.interfaces.ArrayFunction private class Strftime extends TaintFunction, ArrayFunction { - Strftime() { hasGlobalName("strftime") } + Strftime() { this.hasGlobalName("strftime") } override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { ( diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strset.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strset.qll index e5b493cc2ee..24ac6080aa6 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strset.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strset.qll 
@@ -16,7 +16,7 @@ private class StrsetFunction extends ArrayFunction, DataFlowFunction, AliasFunct SideEffectFunction { StrsetFunction() { - hasGlobalName([ + this.hasGlobalName([ "strset", "_strset", "_strset_l", "_wcsset", "_wcsset_l", "_mbsset", "_mbsset_l", "_mbsnbset", "_mbsnbset_l", "_strnset", "_strnset_l", "_wcsnset", "_wcsnset_l", "_mbsnset", "_mbsnset_l" diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/System.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/System.qll index de62517e5bb..8d473afb4ca 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/implementations/System.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/System.qll @@ -10,12 +10,12 @@ private class SystemFunction extends CommandExecutionFunction, ArrayFunction, Al SideEffectFunction { SystemFunction() { - hasGlobalOrStdName("system") or // system(command) - hasGlobalName("popen") or // popen(command, mode) + this.hasGlobalOrStdName("system") or // system(command) + this.hasGlobalName("popen") or // popen(command, mode) // Windows variants - hasGlobalName("_popen") or // _popen(command, mode) - hasGlobalName("_wpopen") or // _wpopen(command, mode) - hasGlobalName("_wsystem") // _wsystem(command) + this.hasGlobalName("_popen") or // _popen(command, mode) + this.hasGlobalName("_wpopen") or // _wpopen(command, mode) + this.hasGlobalName("_wsystem") // _wsystem(command) } override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(0) } @@ -33,8 +33,8 @@ private class SystemFunction extends CommandExecutionFunction, ArrayFunction, Al override predicate hasOnlySpecificReadSideEffects() { any() } override predicate hasOnlySpecificWriteSideEffects() { - hasGlobalOrStdName("system") or - hasGlobalName("_wsystem") + this.hasGlobalOrStdName("system") or + this.hasGlobalName("_wsystem") } override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) { 
diff --git a/cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll b/cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll index 086cb9a6f73..d170783e31e 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll @@ -96,7 +96,7 @@ abstract class AllocationFunction extends Function { */ class OperatorNewAllocationFunction extends AllocationFunction { OperatorNewAllocationFunction() { - hasGlobalName([ + this.hasGlobalName([ "operator new", // operator new(bytes, ...) "operator new[]" // operator new[](bytes, ...) ]) @@ -104,15 +104,15 @@ class OperatorNewAllocationFunction extends AllocationFunction { override int getSizeArg() { result = 0 } - override predicate requiresDealloc() { not exists(getPlacementArgument()) } + override predicate requiresDealloc() { not exists(this.getPlacementArgument()) } /** * Gets the position of the placement pointer if this is a placement * `operator new` function. */ int getPlacementArgument() { - getNumberOfParameters() = 2 and - getParameter(1).getType() instanceof VoidPointerType and + this.getNumberOfParameters() = 2 and + this.getParameter(1).getType() instanceof VoidPointerType and result = 1 } } diff --git a/cpp/ql/lib/semmle/code/cpp/models/interfaces/Deallocation.qll b/cpp/ql/lib/semmle/code/cpp/models/interfaces/Deallocation.qll index 569caebe36f..b7582e17f2c 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/Deallocation.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/Deallocation.qll @@ -41,7 +41,7 @@ abstract class DeallocationFunction extends Function { */ class OperatorDeleteDeallocationFunction extends DeallocationFunction { OperatorDeleteDeallocationFunction() { - hasGlobalName([ + this.hasGlobalName([ "operator delete", // operator delete(pointer, ...) "operator delete[]" // operator delete[](pointer, ...) ]) 
diff --git a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll index 0b14bf9cb0e..66f0a1dae01 100644 --- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll +++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll @@ -57,7 +57,7 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction { */ Type getFormatCharType() { result = - stripTopLevelSpecifiersOnly(stripTopLevelSpecifiersOnly(getParameter(getFormatParameterIndex()) + stripTopLevelSpecifiersOnly(stripTopLevelSpecifiersOnly(this.getParameter(this.getFormatParameterIndex()) .getType() .getUnderlyingType()).(PointerType).getBaseType()) } @@ -67,10 +67,10 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction { * `char` or `wchar_t`. */ Type getDefaultCharType() { - isMicrosoft() and - result = getFormatCharType() + this.isMicrosoft() and + result = this.getFormatCharType() or - not isMicrosoft() and + not this.isMicrosoft() and result instanceof PlainCharType } @@ -80,10 +80,10 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction { * which is correct for a particular function. */ Type getNonDefaultCharType() { - getDefaultCharType().getSize() = 1 and - result = getWideCharType() + this.getDefaultCharType().getSize() = 1 and + result = this.getWideCharType() or - not getDefaultCharType().getSize() = 1 and + not this.getDefaultCharType().getSize() = 1 and result instanceof PlainCharType } @@ -94,10 +94,10 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction { */ pragma[nomagic] Type getWideCharType() { - result = getFormatCharType() and + result = this.getFormatCharType() and result.getSize() > 1 or - not getFormatCharType().getSize() > 1 and + not this.getFormatCharType().getSize() > 1 and result = getAFormatterWideTypeOrDefault() // may have more than one result } 
@@ -120,14 +120,14 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction { * the first format specifier in the format string. */ int getFirstFormatArgumentIndex() { - result = getNumberOfParameters() and + result = this.getNumberOfParameters() and // the formatting function either has a definition in the snapshot, or all // `DeclarationEntry`s agree on the number of parameters (otherwise we don't // really know the correct number) ( - hasDefinition() + this.hasDefinition() or - forall(FunctionDeclarationEntry fde | fde = getADeclarationEntry() | + forall(FunctionDeclarationEntry fde | fde = this.getADeclarationEntry() | result = fde.getNumberOfParameters() ) ) 
@@ -139,30 +139,30 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction { int getSizeParameterIndex() { none() } override predicate hasArrayWithNullTerminator(int bufParam) { - bufParam = getFormatParameterIndex() + bufParam = this.getFormatParameterIndex() } override predicate hasArrayWithVariableSize(int bufParam, int countParam) { - bufParam = getOutputParameterIndex(false) and - countParam = getSizeParameterIndex() + bufParam = this.getOutputParameterIndex(false) and + countParam = this.getSizeParameterIndex() } override predicate hasArrayWithUnknownSize(int bufParam) { - bufParam = getOutputParameterIndex(false) and - not exists(getSizeParameterIndex()) + bufParam = this.getOutputParameterIndex(false) and + not exists(this.getSizeParameterIndex()) } - override predicate hasArrayInput(int bufParam) { bufParam = getFormatParameterIndex() } + override predicate hasArrayInput(int bufParam) { bufParam = this.getFormatParameterIndex() } - override predicate hasArrayOutput(int bufParam) { bufParam = getOutputParameterIndex(false) } + override predicate hasArrayOutput(int bufParam) { bufParam = this.getOutputParameterIndex(false) } override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { exists(int arg | - arg = getFormatParameterIndex() or - arg >= getFirstFormatArgumentIndex() + arg = this.getFormatParameterIndex() or + arg >= this.getFirstFormatArgumentIndex() | (input.isParameterDeref(arg) or input.isParameter(arg)) and - output.isParameterDeref(getOutputParameterIndex(_)) + output.isParameterDeref(this.getOutputParameterIndex(_)) ) } } diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll index 2ea958931da..46a5c735ca0 100644 --- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll +++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll 
@@ -87,7 +87,7 @@ class SemIntegerLiteralExpr extends SemNumericLiteralExpr { final int getIntValue() { Specific::integerLiteral(this, _, result) } final override float getApproximateFloatValue() { - result = getIntValue() + result = this.getIntValue() or Specific::largeIntegerLiteral(this, _, result) } @@ -124,13 +124,13 @@ class SemBinaryExpr extends SemKnownExpr { /** Holds if `a` and `b` are the two operands, in either order. */ final predicate hasOperands(SemExpr a, SemExpr b) { - a = getLeftOperand() and b = getRightOperand() + a = this.getLeftOperand() and b = this.getRightOperand() or - a = getRightOperand() and b = getLeftOperand() + a = this.getRightOperand() and b = this.getLeftOperand() } /** Gets the two operands. */ - final SemExpr getAnOperand() { result = getLeftOperand() or result = getRightOperand() } + final SemExpr getAnOperand() { result = this.getLeftOperand() or result = this.getRightOperand() } } /** An expression that performs and ordered comparison of two operands. */ @@ -154,8 +154,8 @@ class SemRelationalExpr extends SemBinaryExpr { */ final SemExpr getLesserOperand() { if opcode instanceof Opcode::CompareLT or opcode instanceof Opcode::CompareLE - then result = getLeftOperand() - else result = getRightOperand() + then result = this.getLeftOperand() + else result = this.getRightOperand() } /** @@ -167,8 +167,8 @@ class SemRelationalExpr extends SemBinaryExpr { */ final SemExpr getGreaterOperand() { if opcode instanceof Opcode::CompareGT or opcode instanceof Opcode::CompareGE - then result = getLeftOperand() - else result = getRightOperand() + then result = this.getLeftOperand() + else result = this.getRightOperand() } /** Holds if this comparison returns `false` if the two operands are equal. */ 
@@ -280,11 +280,11 @@ class SemLoadExpr extends SemNullaryExpr { } class SemSsaLoadExpr extends SemLoadExpr { - SemSsaLoadExpr() { exists(getDef()) } + SemSsaLoadExpr() { exists(this.getDef()) } } class SemNonSsaLoadExpr extends SemLoadExpr { - SemNonSsaLoadExpr() { not exists(getDef()) } + SemNonSsaLoadExpr() { not exists(this.getDef()) } } class SemStoreExpr extends SemUnaryExpr { diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll index 307f6e386b5..29580c2c507 100644 --- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll +++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll @@ -59,7 +59,7 @@ class SemSsaReadPositionBlock extends SemSsaReadPosition { SemBasicBlock getBlock() { result = block } - SemExpr getAnExpr() { result = getBlock().getAnExpr() } + SemExpr getAnExpr() { result = this.getBlock().getAnExpr() } } /** diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticType.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticType.qll index b86db02702c..cf20bdfeff8 100644 --- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticType.qll +++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticType.qll @@ -38,7 +38,7 @@ class SemType extends TSemType { * Gets a string that uniquely identifies this `SemType`. This string is often the same as the * result of `SemType.toString()`, but for some types it may be more verbose to ensure uniqueness. */ - string getIdentityString() { result = toString() } + string getIdentityString() { result = this.toString() } /** * Gets the size of the type, in bytes, if known. 
@@ -132,7 +132,7 @@ class SemIntegerType extends SemNumericType { final predicate isSigned() { signed = true } /** Holds if this integer type is unsigned. */ - final predicate isUnsigned() { not isSigned() } + final predicate isUnsigned() { not this.isSigned() } // Don't override `getByteSize()` here. The optimizer seems to generate better code when this is // overridden only in the leaf classes. } diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Bound.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Bound.qll index abff447ca87..27883aedf3e 100644 --- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Bound.qll +++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Bound.qll @@ -45,7 +45,7 @@ abstract class Bound extends TBound { abstract Instruction getInstruction(int delta); /** Gets an expression that equals this bound. */ - Instruction getInstruction() { result = getInstruction(0) } + Instruction getInstruction() { result = this.getInstruction(0) } abstract Location getLocation(); } diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll index a5c129f638f..938857c0c2d 100644 --- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll @@ -109,6 +109,6 @@ module Public { /** Gets the condition that is the reason for the bound. */ SemGuard getCond() { this = TSemCondReason(result) } - override string toString() { result = getCond().toString() } + override string toString() { result = this.getCond().toString() } } } 
diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisStage.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisStage.qll index 019d69c36cf..cbccb4a6ca8 100644 --- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisStage.qll +++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisStage.qll @@ -536,7 +536,7 @@ module RangeStage< /** Gets the condition that is the reason for the bound. */ SemGuard getCond() { this = TSemCondReason(result) } - override string toString() { result = getCond().toString() } + override string toString() { result = this.getCond().toString() } } /** diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Sign.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Sign.qll index 814691d9bcd..8c1de7c7b54 100644 --- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Sign.qll +++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Sign.qll @@ -73,7 +73,7 @@ class Sign extends TSign { * Gets a possible sign after subtracting an expression with sign `s` from an expression * that has this sign. */ - Sign sub(Sign s) { result = add(s.neg()) } + Sign sub(Sign s) { result = this.add(s.neg()) } /** * Gets a possible sign after multiplying an expression with sign `s` to an expression 
@@ -231,37 +231,37 @@ class Sign extends TSign { or op instanceof Opcode::Store and result = this or - op instanceof Opcode::AddOne and result = inc() + op instanceof Opcode::AddOne and result = this.inc() or - op instanceof Opcode::SubOne and result = dec() + op instanceof Opcode::SubOne and result = this.dec() or - op instanceof Opcode::Negate and result = neg() + op instanceof Opcode::Negate and result = this.neg() or - op instanceof Opcode::BitComplement and result = bitnot() + op instanceof Opcode::BitComplement and result = this.bitnot() } /** Perform `op` on this sign and sign `s`. */ Sign applyBinaryOp(Sign s, Opcode op) { - op instanceof Opcode::Add and result = add(s) + op instanceof Opcode::Add and result = this.add(s) or - op instanceof Opcode::Sub and result = sub(s) + op instanceof Opcode::Sub and result = this.sub(s) or - op instanceof Opcode::Mul and result = mul(s) + op instanceof Opcode::Mul and result = this.mul(s) or - op instanceof Opcode::Div and result = div(s) + op instanceof Opcode::Div and result = this.div(s) or - op instanceof Opcode::Rem and result = rem(s) + op instanceof Opcode::Rem and result = this.rem(s) or - op instanceof Opcode::BitAnd and result = bitand(s) + op instanceof Opcode::BitAnd and result = this.bitand(s) or - op instanceof Opcode::BitOr and result = bitor(s) + op instanceof Opcode::BitOr and result = this.bitor(s) or - op instanceof Opcode::BitXor and result = bitxor(s) + op instanceof Opcode::BitXor and result = this.bitxor(s) or - op instanceof Opcode::ShiftLeft and result = lshift(s) + op instanceof Opcode::ShiftLeft and result = this.lshift(s) or - op instanceof Opcode::ShiftRight and result = rshift(s) + op instanceof Opcode::ShiftRight and result = this.rshift(s) or - op instanceof Opcode::ShiftRightUnsigned and result = urshift(s) + op instanceof Opcode::ShiftRightUnsigned and result = this.urshift(s) } } 
diff --git a/cpp/ql/lib/semmle/code/cpp/security/CommandExecution.qll b/cpp/ql/lib/semmle/code/cpp/security/CommandExecution.qll index 063c7300031..116f8a77216 100644 --- a/cpp/ql/lib/semmle/code/cpp/security/CommandExecution.qll +++ b/cpp/ql/lib/semmle/code/cpp/security/CommandExecution.qll @@ -28,7 +28,7 @@ class SystemFunction extends FunctionWithWrappers instanceof CommandExecutionFun */ class VarargsExecFunctionCall extends FunctionCall { VarargsExecFunctionCall() { - getTarget() + this.getTarget() .hasGlobalName([ "execl", "execle", "execlp", // Windows @@ -40,7 +40,7 @@ class VarargsExecFunctionCall extends FunctionCall { /** Whether the last argument to the function is an environment pointer */ predicate hasEnvironmentArgument() { - getTarget().hasGlobalName(["execle", "_execle", "_execlpe", "_wexecle", "_wexeclpe"]) + this.getTarget().hasGlobalName(["execle", "_execle", "_execlpe", "_wexecle", "_wexeclpe"]) } /** 
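Review bot: `VarargsExecFunctionCall.hasEnvironmentArgument()` in the `@@ -40,7` hunk names only `exec*` variants (`execle`, `_execle`, `_execlpe`, `_wexecle`, `_wexeclpe`), yet `getCommandIdx()` in the same class handles `_spawn%` and `_wspawn%` targets. The constructor's name list is cut off by the `@@ -28,7` hunk, so it is not visible whether it includes the environment-taking spawn variants. If it does, `getCommandArgument` returns their trailing environment pointer as if it were a command argument. Extending the list would cover them: `this.getTarget().hasGlobalName(["execle", "_execle", "_execlpe", "_spawnle", "_spawnlpe", "_wexecle", "_wexeclpe", "_wspawnle", "_wspawnlpe"])`.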
@@ -49,25 +49,27 @@ class VarargsExecFunctionCall extends FunctionCall { */ Expr getCommandArgument(int idx) { exists(int underlyingIdx | - result = getArgument(underlyingIdx) and - underlyingIdx > getCommandIdx() and + result = this.getArgument(underlyingIdx) and + underlyingIdx > this.getCommandIdx() and ( - underlyingIdx < getNumberOfArguments() - 1 or - not hasEnvironmentArgument() + underlyingIdx < this.getNumberOfArguments() - 1 or + not this.hasEnvironmentArgument() ) and - idx = underlyingIdx - getCommandIdx() - 1 + idx = underlyingIdx - this.getCommandIdx() - 1 ) } /** The expression denoting the program to execute */ - Expr getCommand() { result = getArgument(getCommandIdx()) } + Expr getCommand() { result = this.getArgument(this.getCommandIdx()) } /** * The index of the command. The spawn variants start with a mode, whereas * all the other ones start with the command. */ private int getCommandIdx() { - if getTarget().getName().matches(["\\_spawn%", "\\_wspawn%"]) then result = 1 else result = 0 + if this.getTarget().getName().matches(["\\_spawn%", "\\_wspawn%"]) + then result = 1 + else result = 0 } } @@ -78,7 +80,7 @@ class VarargsExecFunctionCall extends FunctionCall { */ class ArrayExecFunctionCall extends FunctionCall { ArrayExecFunctionCall() { - getTarget() + this.getTarget() .hasGlobalName([ "execv", "execvp", "execvpe", "execve", "fexecve", // Windows variants 
@@ -89,17 +91,19 @@ class ArrayExecFunctionCall extends FunctionCall { } /** The argument with the array of command arguments */ - Expr getArrayArgument() { result = getArgument(getCommandIdx() + 1) } + Expr getArrayArgument() { result = this.getArgument(this.getCommandIdx() + 1) } /** The expression denoting the program to execute */ - Expr getCommand() { result = getArgument(getCommandIdx()) } + Expr getCommand() { result = this.getArgument(this.getCommandIdx()) } /** * The index of the command. The spawn variants start with a mode, whereas * all the other ones start with the command. */ private int getCommandIdx() { - if getTarget().getName().matches(["\\_spawn%", "\\_wspawn%"]) then result = 1 else result = 0 + if this.getTarget().getName().matches(["\\_spawn%", "\\_wspawn%"]) + then result = 1 + else result = 0 } } diff --git a/cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll b/cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll index 285aba40e86..bf6bcc3acb6 100644 --- a/cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll @@ -564,9 +564,9 @@ abstract deprecated library class DataSensitiveCallExpr extends Expr { * Searches backwards from `getSrc()` to `src`. */ predicate flowsFrom(Element src, boolean allowFromArg) { - src = getSrc() and allowFromArg = true + src = this.getSrc() and allowFromArg = true or - exists(Element other, boolean allowOtherFromArg | flowsFrom(other, allowOtherFromArg) | + exists(Element other, boolean allowOtherFromArg | this.flowsFrom(other, allowOtherFromArg) | exists(boolean otherFromArg | betweenFunctionsValueMoveToStatic(src, other, otherFromArg) | otherFromArg = true and allowOtherFromArg = true and allowFromArg = true or 
@@ -582,10 +582,10 @@ abstract deprecated library class DataSensitiveCallExpr extends Expr { /** Call through a function pointer. */ deprecated library class DataSensitiveExprCall extends DataSensitiveCallExpr, ExprCall { - override Expr getSrc() { result = getExpr() } + override Expr getSrc() { result = this.getExpr() } override Function resolve() { - exists(FunctionAccess fa | flowsFrom(fa, true) | result = fa.getTarget()) + exists(FunctionAccess fa | this.flowsFrom(fa, true) | result = fa.getTarget()) } } @@ -594,16 +594,16 @@ deprecated library class DataSensitiveOverriddenFunctionCall extends DataSensiti FunctionCall { DataSensitiveOverriddenFunctionCall() { - exists(getTarget().(VirtualFunction).getAnOverridingFunction()) + exists(this.getTarget().(VirtualFunction).getAnOverridingFunction()) } - override Expr getSrc() { result = getQualifier() } + override Expr getSrc() { result = this.getQualifier() } override MemberFunction resolve() { exists(NewExpr new | - flowsFrom(new, true) and + this.flowsFrom(new, true) and memberFunctionFromNewExpr(new, result) and - result.overrides*(getTarget().(VirtualFunction)) + result.overrides*(this.getTarget().(VirtualFunction)) ) } } diff --git a/cpp/ql/lib/semmle/code/cpp/valuenumbering/GlobalValueNumberingImpl.qll b/cpp/ql/lib/semmle/code/cpp/valuenumbering/GlobalValueNumberingImpl.qll index c1fe36e3430..8f43e19c7b5 100644 --- a/cpp/ql/lib/semmle/code/cpp/valuenumbering/GlobalValueNumberingImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/valuenumbering/GlobalValueNumberingImpl.qll 
@@ -284,10 +284,10 @@ deprecated class GVN extends GvnBase { } /** Gets a textual representation of this element. */ - string toString() { result = exampleExpr().toString() } + string toString() { result = this.exampleExpr().toString() } /** Gets the primary location of this element. */ - Location getLocation() { result = exampleExpr().getLocation() } + Location getLocation() { result = this.exampleExpr().getLocation() } } private predicate analyzableIntConst(Expr e) { diff --git a/cpp/ql/lib/semmle/code/cpp/valuenumbering/HashCons.qll b/cpp/ql/lib/semmle/code/cpp/valuenumbering/HashCons.qll index 6570eb64425..78ab6c739bd 100644 --- a/cpp/ql/lib/semmle/code/cpp/valuenumbering/HashCons.qll +++ b/cpp/ql/lib/semmle/code/cpp/valuenumbering/HashCons.qll @@ -282,10 +282,10 @@ class HashCons extends HCBase { } /** Gets a textual representation of this element. */ - string toString() { result = exampleExpr().toString() } + string toString() { result = this.exampleExpr().toString() } /** Gets the primary location of this element. */ - Location getLocation() { result = exampleExpr().getLocation() } + Location getLocation() { result = this.exampleExpr().getLocation() } } /** diff --git a/cpp/ql/src/Critical/FileMayNotBeClosed.ql b/cpp/ql/src/Critical/FileMayNotBeClosed.ql index 9a3aa6f8d4d..0c247441a3b 100644 --- a/cpp/ql/src/Critical/FileMayNotBeClosed.ql +++ b/cpp/ql/src/Critical/FileMayNotBeClosed.ql @@ -118,7 +118,7 @@ class FOpenReachability extends StackVariableReachabilityExt { override predicate isBarrier( ControlFlowNode source, ControlFlowNode node, ControlFlowNode next, StackVariable v ) { - isSource(source, v) and + this.isSource(source, v) and next = node.getASuccessor() and // the file (stored in any variable `v0`) opened at `source` is closed or // assigned to a global at node, or NULL checked on the edge node -> next. diff --git a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql index d2afdad1306..d49a3bc4132 100644 
--- a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql +++ b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql @@ -144,7 +144,7 @@ class AllocReachability extends StackVariableReachabilityExt { override predicate isBarrier( ControlFlowNode source, ControlFlowNode node, ControlFlowNode next, StackVariable v ) { - isSource(source, v) and + this.isSource(source, v) and next = node.getASuccessor() and // the memory (stored in any variable `v0`) allocated at `source` is freed or // assigned to a global at node, or NULL checked on the edge node -> next. diff --git a/cpp/ql/src/JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql b/cpp/ql/src/JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql index 1e5fed2bfb7..f0faafbf855 100644 --- a/cpp/ql/src/JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql +++ b/cpp/ql/src/JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql @@ -19,20 +19,22 @@ class FileWithDirectives extends File { } int getDirectiveIndex(Directive d) { - exists(int line | line = getDirectiveLine(d) | line = rank[result](getDirectiveLine(_))) + exists(int line | line = this.getDirectiveLine(d) | + line = rank[result](this.getDirectiveLine(_)) + ) } int depth(Directive d) { - exists(int index | index = getDirectiveIndex(d) | + exists(int index | index = this.getDirectiveIndex(d) | index = 1 and result = d.depthChange() or - exists(Directive prev | getDirectiveIndex(prev) = index - 1 | - result = d.depthChange() + depth(prev) + exists(Directive prev | this.getDirectiveIndex(prev) = index - 1 | + result = d.depthChange() + this.depth(prev) ) ) } - Directive lastDirective() { getDirectiveIndex(result) = max(getDirectiveIndex(_)) } + Directive lastDirective() { this.getDirectiveIndex(result) = max(this.getDirectiveIndex(_)) } } abstract class Directive extends PreprocessorDirective { 
@@ -63,13 +65,13 @@ class ElseDirective extends Directive { override int depthChange() { result = 0 } - override predicate mismatched() { depth() < 1 } + override predicate mismatched() { this.depth() < 1 } } class EndifDirective extends Directive instanceof PreprocessorEndif { override int depthChange() { result = -1 } - override predicate mismatched() { depth() < 0 } + override predicate mismatched() { this.depth() < 0 } } from FileWithDirectives f, Directive d, string msg diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql b/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql index 3e7cdbe43b9..5b1d54b51f8 100644 --- a/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql +++ b/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql @@ -20,7 +20,7 @@ import semmle.code.cpp.ir.dataflow.DataFlow * code). */ class InterestingStrcpyFunction extends StrcpyFunction { - InterestingStrcpyFunction() { getType().getUnspecifiedType() instanceof PointerType } + InterestingStrcpyFunction() { this.getType().getUnspecifiedType() instanceof PointerType } } predicate isBoolean(Expr e1) { diff --git a/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql b/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql index 025e50b246f..412e1b44e5b 100644 --- a/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql +++ b/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql @@ -56,7 +56,7 @@ class ImproperNullTerminationReachability extends StackVariableReachabilityWithR override predicate isBarrier(ControlFlowNode node, StackVariable v) { exprDefinition(v, node, _) or - isSinkActual(node, v) // only report first use + this.isSinkActual(node, v) // only report first use } } diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql index a80af562bda..f7fbec45994 100644 
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql +++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql @@ -19,10 +19,10 @@ import cpp class CandidateParameter extends Parameter { CandidateParameter() { // an array parameter - getUnspecifiedType() instanceof ArrayType + this.getUnspecifiedType() instanceof ArrayType or // a pointer parameter - getUnspecifiedType() instanceof PointerType and + this.getUnspecifiedType() instanceof PointerType and // whose address is never taken (rules out common // false positive patterns) not exists(AddressOfExpr aoe | aoe.getAddressable() = this) diff --git a/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.qll b/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.qll index b94212123ec..fed054262e6 100644 --- a/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.qll +++ b/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.qll @@ -56,7 +56,7 @@ class Library extends LibraryT { result = "unknown" } - string toString() { result = getName() + "-" + getVersion() } + string toString() { result = this.getName() + "-" + this.getVersion() } File getAFile() { exists(LibraryElement lib | diff --git a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll index 70247bdf4a4..5135aab8d83 100644 --- a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll @@ -38,7 +38,7 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi { /** Gets the number of untrusted sources used with this external API. */ int getNumberOfUntrustedSources() { - result = strictcount(getUntrustedDataNode().getAnUntrustedSource()) + result = strictcount(this.getUntrustedDataNode().getAnUntrustedSource()) } /** Gets a textual representation of this element. */ diff --git a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll index 70247bdf4a4..5135aab8d83 100644 
--- a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll @@ -38,7 +38,7 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi { /** Gets the number of untrusted sources used with this external API. */ int getNumberOfUntrustedSources() { - result = strictcount(getUntrustedDataNode().getAnUntrustedSource()) + result = strictcount(this.getUntrustedDataNode().getAnUntrustedSource()) } /** Gets a textual representation of this element. */ diff --git a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql index ffadb381a76..e16f0568056 100644 --- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql +++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql @@ -19,14 +19,14 @@ import TaintedWithPath /** A call that prints its arguments to `stdout`. */ class PrintStdoutCall extends FunctionCall { PrintStdoutCall() { - getTarget().hasGlobalOrStdName("puts") or - getTarget().hasGlobalOrStdName("printf") + this.getTarget().hasGlobalOrStdName("puts") or + this.getTarget().hasGlobalOrStdName("printf") } } /** A read of the QUERY_STRING environment variable */ class QueryString extends EnvironmentRead { - QueryString() { getEnvironmentVariable() = "QUERY_STRING" } + QueryString() { this.getEnvironmentVariable() = "QUERY_STRING" } } class Configuration extends TaintTrackingConfiguration { diff --git a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql index 5eab70c5cc9..8a3c2f3664d 100644 --- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql +++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql @@ -18,7 +18,7 @@ import semmle.code.cpp.ir.dataflow.DataFlow * A call to `SSL_get_verify_result`. */ class SslGetVerifyResultCall extends FunctionCall { - SslGetVerifyResultCall() { getTarget().getName() = "SSL_get_verify_result" } + SslGetVerifyResultCall() { this.getTarget().getName() = "SSL_get_verify_result" } } /** 
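Review bot: In CgiXss.ql the `PrintStdoutCall` characteristic predicate spells out one `hasGlobalOrStdName` call per function name joined by `or`, while other predicates touched by this same commit pass a set literal instead (`hasGlobalName([...])`, `matches([...])`). Writing it as `this.getTarget().hasGlobalOrStdName(["puts", "printf"])` is equivalent and keeps the sink list in one place. That matters for an XSS sink model because adding a further output function then becomes a one-word change rather than another disjunct.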
diff --git a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql index 0d972a734b3..de8520de1b3 100644 --- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql +++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql @@ -19,10 +19,10 @@ import semmle.code.cpp.controlflow.IRGuards */ class SslGetPeerCertificateCall extends FunctionCall { SslGetPeerCertificateCall() { - getTarget().getName() = "SSL_get_peer_certificate" // SSL_get_peer_certificate(ssl) + this.getTarget().getName() = "SSL_get_peer_certificate" // SSL_get_peer_certificate(ssl) } - Expr getSslArgument() { result = getArgument(0) } + Expr getSslArgument() { result = this.getArgument(0) } } /** @@ -30,10 +30,10 @@ class SslGetPeerCertificateCall extends FunctionCall { */ class SslGetVerifyResultCall extends FunctionCall { SslGetVerifyResultCall() { - getTarget().getName() = "SSL_get_verify_result" // SSL_get_peer_certificate(ssl) + this.getTarget().getName() = "SSL_get_verify_result" // SSL_get_peer_certificate(ssl) } - Expr getSslArgument() { result = getArgument(0) } + Expr getSslArgument() { result = this.getArgument(0) } } /** diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql index e6c7b186ce2..02ab64179c9 100644 --- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql +++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql @@ -150,7 +150,7 @@ class BlamedElement extends Element { */ predicate hasFileRank(File f, int num) { exists(int loc | - getLocation().charLoc(f, loc, _) and + this.getLocation().charLoc(f, loc, _) and loc = rank[num](BlamedElement other, int loc2 | other.getLocation().charLoc(f, loc2, _) | loc2) ) diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql index cf346cb812e..095b4abea02 100644 
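Review bot: The trailing comment on the `SslGetVerifyResultCall` characteristic predicate in SSLResultNotChecked.ql (second hunk, `@@ -30,10`) still reads `// SSL_get_peer_certificate(ssl)`, which is the other function's call shape copied from the class above. The changed line is rewritten here anyway, so the comment can be corrected at the same time: `this.getTarget().getName() = "SSL_get_verify_result" // SSL_get_verify_result(ssl)`. Both classes also match on `getName()` alone, which presumably accepts any function with that unqualified name; if only the OpenSSL global is intended, `hasGlobalName` would state that more precisely.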
--- a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql +++ b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql @@ -21,7 +21,7 @@ import WordexpTaint::PathGraph * The `wordexp` function, which can perform command substitution. */ private class WordexpFunction extends Function { - WordexpFunction() { hasGlobalName("wordexp") } + WordexpFunction() { this.hasGlobalName("wordexp") } } /** diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql b/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql index cc25326f0b4..649b4769c47 100644 --- a/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql +++ b/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql @@ -31,7 +31,7 @@ class CallUsedToHandleErrors extends FunctionCall { this.(ControlFlowNode).getASuccessor() instanceof FormattingFunction or // enabling recursive search - exists(CallUsedToHandleErrors fr | getTarget() = fr.getEnclosingFunction()) + exists(CallUsedToHandleErrors fr | this.getTarget() = fr.getEnclosingFunction()) } } diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql b/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql index a933ed063b2..5543e9dad66 100644 --- a/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql +++ b/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql @@ -25,7 +25,7 @@ class CallMayNotReturn extends FunctionCall { not exists(this.(ControlFlowNode).getASuccessor()) or // call to another function that may not return - exists(CallMayNotReturn exit | getTarget() = exit.getEnclosingFunction()) + exists(CallMayNotReturn exit | this.getTarget() = exit.getEnclosingFunction()) or this.(ControlFlowNode).getASuccessor() instanceof ThrowExpr } diff --git a/cpp/ql/src/external/DefectFilter.qll b/cpp/ql/src/external/DefectFilter.qll index b932ffd0470..ad786e9cbc9 100644 --- a/cpp/ql/src/external/DefectFilter.qll 
+++ b/cpp/ql/src/external/DefectFilter.qll @@ -49,7 +49,7 @@ class DefectResult extends int { /** Gets the URL corresponding to the location of this query result. */ string getURL() { result = - "file://" + getFile().getAbsolutePath() + ":" + getStartLine() + ":" + getStartColumn() + ":" + - getEndLine() + ":" + getEndColumn() + "file://" + this.getFile().getAbsolutePath() + ":" + this.getStartLine() + ":" + + this.getStartColumn() + ":" + this.getEndLine() + ":" + this.getEndColumn() } } diff --git a/cpp/ql/test/library-tests/blocks/cpp/exprs.ql b/cpp/ql/test/library-tests/blocks/cpp/exprs.ql index bfc312e00ea..d930dea676f 100644 --- a/cpp/ql/test/library-tests/blocks/cpp/exprs.ql +++ b/cpp/ql/test/library-tests/blocks/cpp/exprs.ql @@ -6,7 +6,7 @@ import cpp */ class CStyleCastPlain extends CStyleCast { - override string toString() { result = "Conversion of " + getExpr().toString() } + override string toString() { result = "Conversion of " + this.getExpr().toString() } } from Expr e diff --git a/cpp/ql/test/library-tests/dataflow/fields/Nodes.qll b/cpp/ql/test/library-tests/dataflow/fields/Nodes.qll index 2c3186b3dfa..7313518af91 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/Nodes.qll +++ b/cpp/ql/test/library-tests/dataflow/fields/Nodes.qll @@ -14,7 +14,7 @@ class Node extends TNode { AST::DataFlow::Node asAst() { none() } /** DEPRECATED: Alias for asAst */ - deprecated AST::DataFlow::Node asAST() { result = asAst() } + deprecated AST::DataFlow::Node asAST() { result = this.asAst() } Location getLocation() { none() } } @@ -29,7 +29,7 @@ class AstNode extends Node, TAstNode { override AST::DataFlow::Node asAst() { result = n } /** DEPRECATED: Alias for asAst */ - deprecated override AST::DataFlow::Node asAST() { result = asAst() } + deprecated override AST::DataFlow::Node asAST() { result = this.asAst() } override Location getLocation() { result = n.getLocation() } } 
diff --git a/cpp/ql/test/library-tests/identity_string/identity_string.ql b/cpp/ql/test/library-tests/identity_string/identity_string.ql index c663bc6d89b..21f83f9ba3c 100644 --- a/cpp/ql/test/library-tests/identity_string/identity_string.ql +++ b/cpp/ql/test/library-tests/identity_string/identity_string.ql @@ -6,11 +6,11 @@ abstract class CheckCall extends FunctionCall { final string getExpectedString() { exists(int lastArgIndex | - lastArgIndex = getNumberOfArguments() - 1 and + lastArgIndex = this.getNumberOfArguments() - 1 and ( - result = getArgument(lastArgIndex).getValue() + result = this.getArgument(lastArgIndex).getValue() or - not exists(getArgument(lastArgIndex).getValue()) and result = "" + not exists(this.getArgument(lastArgIndex).getValue()) and result = "" ) ) } 
@@ -20,50 +20,54 @@ abstract class CheckCall extends FunctionCall { class CheckTypeCall extends CheckCall { CheckTypeCall() { - getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_type") + this.getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_type") } override string getActualString() { - result = getTypeIdentityString(getSpecifiedType()) + result = getTypeIdentityString(this.getSpecifiedType()) or - not exists(getTypeIdentityString(getSpecifiedType())) and result = "" + not exists(getTypeIdentityString(this.getSpecifiedType())) and result = "" } - override string explain() { result = getSpecifiedType().explain() } + override string explain() { result = this.getSpecifiedType().explain() } - final Type getSpecifiedType() { result = getTarget().getTemplateArgument(0) } + final Type getSpecifiedType() { result = this.getTarget().getTemplateArgument(0) } } class CheckFuncCall extends CheckCall { CheckFuncCall() { - getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_func") + this.getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_func") } override string getActualString() { - result = getIdentityString(getSpecifiedFunction()) + result = getIdentityString(this.getSpecifiedFunction()) or - not exists(getIdentityString(getSpecifiedFunction())) and result = "" + not exists(getIdentityString(this.getSpecifiedFunction())) and result = "" } - override string explain() { result = getSpecifiedFunction().toString() } + override string explain() { result = this.getSpecifiedFunction().toString() } - final Function getSpecifiedFunction() { result = getArgument(0).(FunctionAccess).getTarget() } + final Function getSpecifiedFunction() { + result = this.getArgument(0).(FunctionAccess).getTarget() + } } class CheckVarCall extends CheckCall { CheckVarCall() { - getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_var") + 
this.getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_var") } override string getActualString() { - result = getIdentityString(getSpecifiedVariable()) + result = getIdentityString(this.getSpecifiedVariable()) or - not exists(getIdentityString(getSpecifiedVariable())) and result = "" + not exists(getIdentityString(this.getSpecifiedVariable())) and result = "" } - override string explain() { result = getSpecifiedVariable().toString() } + override string explain() { result = this.getSpecifiedVariable().toString() } - final Variable getSpecifiedVariable() { result = getArgument(0).(VariableAccess).getTarget() } + final Variable getSpecifiedVariable() { + result = this.getArgument(0).(VariableAccess).getTarget() + } } bindingset[s] diff --git a/cpp/ql/test/library-tests/locations/constants/locations.ql b/cpp/ql/test/library-tests/locations/constants/locations.ql index 553a364d199..e6d512d2f94 100644 --- a/cpp/ql/test/library-tests/locations/constants/locations.ql +++ b/cpp/ql/test/library-tests/locations/constants/locations.ql @@ -6,7 +6,7 @@ import cpp */ class CStyleCastPlain extends CStyleCast { - override string toString() { result = "Conversion of " + getExpr().toString() } + override string toString() { result = "Conversion of " + this.getExpr().toString() } } from Expr e diff --git a/cpp/ql/test/library-tests/loops/loops.ql b/cpp/ql/test/library-tests/loops/loops.ql index b6d8f130586..bb68645d98c 100644 --- a/cpp/ql/test/library-tests/loops/loops.ql +++ b/cpp/ql/test/library-tests/loops/loops.ql @@ -1,7 +1,7 @@ import cpp class ExprStmt_ extends ExprStmt { - override string toString() { result = "ExprStmt: " + getExpr().toString() } + override string toString() { result = "ExprStmt: " + this.getExpr().toString() } } from Loop l, string s, Element e From c7d72e0d348bc7f38c0dbf5b68476d351b2690ef Mon Sep 17 00:00:00 2001 
From: Kasper Svendsen Date: Tue, 9 May 2023 17:01:41 +0200 Subject: [PATCH 18/20] JS: Prevent join order regression --- .../dataflow/SecondOrderCommandInjectionCustomizations.qll | 1 + 1 file changed, 1 insertion(+) diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionCustomizations.qll index c405dec31f7..04e2c358788 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionCustomizations.qll @@ -117,6 +117,7 @@ module SecondOrderCommandInjection { int cmdIndex; int argIndex; + pragma[assume_small_delta] IndirectCmdFunc() { exists(CommandExecutingCall call | this.getParameter(cmdIndex).flowsTo(call.getCommandArg()) and From 4d84f92e8cce358996d0218b695ac0749ae61921 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Wed, 10 May 2023 08:15:15 +0200 Subject: [PATCH 19/20] Python: Update expected test output --- .../dataflow/variable-capture/dataflow-consistency.expected | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/python/ql/test/experimental/dataflow/variable-capture/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/variable-capture/dataflow-consistency.expected index fab39a276d3..2b3497b283c 100644 --- a/python/ql/test/experimental/dataflow/variable-capture/dataflow-consistency.expected +++ b/python/ql/test/experimental/dataflow/variable-capture/dataflow-consistency.expected 
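Review bot: The `pragma[assume_small_delta]` added above the `IndirectCmdFunc()` characteristic predicate has no comment, so a later reader cannot tell which join it is steering or when it is safe to remove. The commit title says it prevents a join-order regression; that reason should sit next to the pragma, for example `// assume_small_delta: avoids a join-order regression in this charpred; re-check before removing`. The predicate body continues past the end of the hunk, so the part of it that makes the pragma necessary is not visible here and the comment should name it.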
@@ -29,6 +29,6 @@ uniqueParameterNodeAtPosition uniqueParameterNodePosition uniqueContentApprox identityLocalStep -| collections.py:36:10:36:15 | ControlFlowNode for SOURCE | Node steps to itself | -| collections.py:45:19:45:21 | ControlFlowNode for mod | Node steps to itself | -| collections.py:52:13:52:21 | ControlFlowNode for mod_local | Node steps to itself | +| test_collections.py:36:10:36:15 | ControlFlowNode for SOURCE | Node steps to itself | +| test_collections.py:45:19:45:21 | ControlFlowNode for mod | Node steps to itself | +| test_collections.py:52:13:52:21 | ControlFlowNode for mod_local | Node steps to itself | From b28254327a9c9f6edb1ffa8cc70cac6ed94933e5 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 10 May 2023 08:16:31 +0200 Subject: [PATCH 20/20] Update javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll Co-authored-by: Erik Krogh Kristensen --- .../dataflow/IndirectCommandInjectionCustomizations.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll index 5d84291f1de..511b8c2ae70 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll @@ -58,7 +58,7 @@ module IndirectCommandInjection { } /** Gets a data flow node referring to `process.env`. */ - DataFlow::SourceNode envObject() { result = envObject(DataFlow::TypeTracker::end()) } + private DataFlow::SourceNode envObject() { result = envObject(DataFlow::TypeTracker::end()) } /** * Gets the name of an environment variable that is assumed to be safe.