+
+The program performs an out-of-bounds read or write operation. In addition to causing program instability, techniques exist which may allow an attacker to use this vulnerability to execute arbitrary code.
+
+
+
+
+Ensure that pointer dereferences are properly guarded to ensure that they cannot be used to read or write past the end of the allocation.
+
+
+
+The first example allocates a buffer of size size and creates a local variable that stores the location that is one byte past the end of the allocation.
+This local variable is then dereferenced which results in an out-of-bounds write.
+The second example subtracts one from the end variable before dereferencing it. This subtraction ensures that the write correctly updates the final byte of the allocation.
+
+
+
+
+
+CERT C Coding Standard:
+ARR30-C. Do not form or use out-of-bounds pointers or array subscripts.
+
+OWASP:
+Buffer Overflow.
+
+
+
+
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
new file mode 100644
index 00000000000..05327263386
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
@@ -0,0 +1,360 @@
+/**
+ * @name Invalid pointer dereference
+ * @description Dereferencing a pointer that points past it allocation is undefined behavior
+ * and may lead to security vulnerabilities.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id cpp/invalid-pointer-deref
+ * @tags reliability
+ * security
+ * external/cwe/cwe-119
+ * external/cwe/cwe-125
+ * external/cwe/cwe-193
+ * external/cwe/cwe-787
+ */
+
+import cpp
+import experimental.semmle.code.cpp.dataflow.ProductFlow
+import experimental.semmle.code.cpp.ir.dataflow.DataFlow3
+import experimental.semmle.code.cpp.semantic.analysis.RangeAnalysis
+import experimental.semmle.code.cpp.semantic.SemanticBound
+import experimental.semmle.code.cpp.semantic.SemanticExprSpecific
+import semmle.code.cpp.ir.IR
+
+pragma[nomagic]
+Instruction getABoundIn(SemBound b, IRFunction func) {
+ result = b.getExpr(0) and
+ result.getEnclosingIRFunction() = func
+}
+
+/**
+ * Holds if `i <= b + delta`.
+ */
+pragma[nomagic]
+predicate bounded(Instruction i, Instruction b, int delta) {
+ exists(SemBound bound, IRFunction func |
+ semBounded(getSemanticExpr(i), bound, delta, true, _) and
+ b = getABoundIn(bound, func) and
+ i.getEnclosingIRFunction() = func
+ )
+}
+
+/**
+ * Holds if the combination of `n` and `state` represents an appropriate
+ * source for the expression `e` suitable for use-use flow.
+ */
+private predicate hasSizeImpl(Expr e, DataFlow::Node n, string state) {
+ // The simple case: If the size is a variable access with no qualifier we can just use the
+ // dataflow node for that expression and no state.
+ exists(VariableAccess va |
+ va = e and
+ not va instanceof FieldAccess and
+ n.asConvertedExpr() = va.getFullyConverted() and
+ state = "0"
+ )
+ or
+ // If the size is a choice between two expressions we allow both to be nodes representing the size.
+ exists(ConditionalExpr cond | cond = e | hasSizeImpl([cond.getThen(), cond.getElse()], n, state))
+ or
+ // If the size is an expression plus a constant, we pick the dataflow node of the expression and
+ // remember the constant in the state.
+ exists(Expr const, Expr nonconst |
+ e.(AddExpr).hasOperands(const, nonconst) and
+ state = const.getValue() and
+ hasSizeImpl(nonconst, n, _)
+ )
+ or
+ exists(Expr const, Expr nonconst |
+ e.(SubExpr).hasOperands(const, nonconst) and
+ state = "-" + const.getValue() and
+ hasSizeImpl(nonconst, n, _)
+ )
+}
+
+/**
+ * Holds if `(n, state)` pair represents the source of flow for the size
+ * expression associated with `alloc`.
+ */
+predicate hasSize(AllocationExpr alloc, DataFlow::Node n, string state) {
+ hasSizeImpl(alloc.getSizeExpr(), n, state)
+}
+
+/**
+ * A product-flow configuration for flow from an (allocation, size) pair to a
+ * pointer-arithmetic operation that is non-strictly upper-bounded by `allocation + size`.
+ *
+ * The goal of this query is to find patterns such as:
+ * ```cpp
+ * 1. char* begin = (char*)malloc(size);
+ * 2. char* end = begin + size;
+ * 3. for(int *p = begin; p <= end; p++) {
+ * 4. use(*p);
+ * 5. }
+ * ```
+ *
+ * We do this by splitting the task up into two configurations:
+ * 1. `AllocToInvalidPointerConf` find flow from `malloc(size)` to `begin + size`, and
+ * 2. `InvalidPointerToDerefConf` finds flow from `begin + size` to an `end` (on line 3).
+ *
+ * Finally, the range-analysis library will find a load from (or store to) an address that
+ * is non-strictly upper-bounded by `end` (which in this case is `*p`).
+ */
+class AllocToInvalidPointerConf extends ProductFlow::Configuration {
+ AllocToInvalidPointerConf() { this = "AllocToInvalidPointerConf" }
+
+ override predicate isSourcePair(
+ DataFlow::Node source1, string state1, DataFlow::Node source2, string state2
+ ) {
+ // In the case of an allocation like
+ // ```cpp
+ // malloc(size + 1);
+ // ```
+ // we use `state2` to remember that there was an offset (in this case an offset of `1`) added
+ // to the size of the allocation. This state is then checked in `isSinkPair`.
+ state1 = "" and
+ hasSize(source1.asConvertedExpr(), source2, state2)
+ }
+
+ override predicate isSinkPair(
+ DataFlow::Node sink1, DataFlow::FlowState state1, DataFlow::Node sink2,
+ DataFlow::FlowState state2
+ ) {
+ state1 = "" and
+ // We check that the delta computed by the range analysis matches the
+ // state value that we set in `isSourcePair`.
+ exists(int delta |
+ isSinkImpl(_, sink1, sink2, delta) and
+ state2 = delta.toString()
+ )
+ }
+}
+
+pragma[nomagic]
+predicate pointerAddInstructionHasOperands(
+ PointerAddInstruction pai, Instruction left, Instruction right
+) {
+ pai.getLeft() = left and
+ pai.getRight() = right
+}
+
+/**
+ * Holds if `pai` is non-strictly upper bounded by `sink2 + delta` and `sink1` is the
+ * left operand of the pointer-arithmetic operation.
+ *
+ * For example in,
+ * ```cpp
+ * char* end = p + (size + 1);
+ * ```
+ * We will have:
+ * - `pai` is `p + (size + 1)`,
+ * - `sink1` is `p`
+ * - `sink2` is `size`
+ * - `delta` is `1`.
+ */
+pragma[nomagic]
+predicate pointerAddInstructionHasBounds(
+ PointerAddInstruction pai, DataFlow::Node sink1, Instruction sink2, int delta
+) {
+ exists(Instruction right |
+ pointerAddInstructionHasOperands(pai, sink1.asInstruction(), right) and
+ bounded(right, sink2, delta)
+ )
+}
+
+/**
+ * Holds if `pai` is non-strictly upper bounded by `sink2 + delta` and `sink1` is the
+ * left operand of the pointer-arithmetic operation.
+ *
+ * See `pointerAddInstructionHasBounds` for an example.
+ */
+predicate isSinkImpl(
+ PointerAddInstruction pai, DataFlow::Node sink1, DataFlow::Node sink2, int delta
+) {
+ pointerAddInstructionHasBounds(pai, sink1, sink2.asInstruction(), delta)
+}
+
+/**
+ * Holds if `sink` is a sink for `InvalidPointerToDerefConf` and `i` is a `StoreInstruction` that
+ * writes to an address that non-strictly upper-bounds `sink`, or `i` is a `LoadInstruction` that
+ * reads from an address that non-strictly upper-bounds `sink`.
+ */
+predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string operation) {
+ exists(AddressOperand addr, int delta |
+ bounded(addr.getDef(), sink.asInstruction(), delta) and
+ delta >= 0 and
+ i.getAnOperand() = addr
+ |
+ i instanceof StoreInstruction and
+ operation = "write"
+ or
+ i instanceof LoadInstruction and
+ operation = "read"
+ )
+}
+
+/**
+ * A configuration to track flow from a pointer-arithmetic operation found
+ * by `AllocToInvalidPointerConf` to a dereference of the pointer.
+ */
+class InvalidPointerToDerefConf extends DataFlow3::Configuration {
+ InvalidPointerToDerefConf() { this = "InvalidPointerToDerefConf" }
+
+ override predicate isSource(DataFlow::Node source) { invalidPointerToDerefSource(_, source, _) }
+
+ override predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }
+}
+
+/**
+ * Holds if `pai` is a pointer-arithmetic operation and `source` is a dataflow node with a
+ * pointer-value that is non-strictly upper bounded by `pai + delta`.
+ *
+ * For example, if `pai` is a pointer-arithmetic operation `p + size` in an expression such
+ * as `(p + size) + 1` and `source` is the node representing `(p + size) + 1`. In this
+ * case `delta` is 1.
+ */
+predicate invalidPointerToDerefSource(
+ PointerArithmeticInstruction pai, DataFlow::Node source, int delta
+) {
+ exists(ProductFlow::Configuration conf, DataFlow::PathNode p, DataFlow::Node sink1 |
+ p.getNode() = sink1 and
+ conf.hasFlowPath(_, _, p, _) and
+ isSinkImpl(pai, sink1, _, _) and
+ bounded(source.asInstruction(), pai, delta) and
+ delta >= 0
+ )
+}
+
+newtype TMergedPathNode =
+ // The path nodes computed by the first projection of `AllocToInvalidPointerConf`
+ TPathNode1(DataFlow::PathNode p) or
+ // The path nodes computed by `InvalidPointerToDerefConf`
+ TPathNode3(DataFlow3::PathNode p) or
+ // The read/write that uses the invalid pointer identified by `InvalidPointerToDerefConf`.
+ // This one is needed because the sink identified by `InvalidPointerToDerefConf` is the
+ // pointer, but we want to raise an alert at the dereference.
+ TPathNodeSink(Instruction i) {
+ exists(DataFlow::Node n |
+ any(InvalidPointerToDerefConf conf).hasFlow(_, n) and
+ isInvalidPointerDerefSink(n, i, _)
+ )
+ }
+
+class MergedPathNode extends TMergedPathNode {
+ string toString() { none() }
+
+ final DataFlow::PathNode asPathNode1() { this = TPathNode1(result) }
+
+ final DataFlow3::PathNode asPathNode3() { this = TPathNode3(result) }
+
+ final Instruction asSinkNode() { this = TPathNodeSink(result) }
+
+ predicate hasLocationInfo(
+ string filepath, int startline, int startcolumn, int endline, int endcolumn
+ ) {
+ none()
+ }
+}
+
+class PathNode1 extends MergedPathNode, TPathNode1 {
+ override string toString() {
+ exists(DataFlow::PathNode p |
+ this = TPathNode1(p) and
+ result = p.toString()
+ )
+ }
+
+ override predicate hasLocationInfo(
+ string filepath, int startline, int startcolumn, int endline, int endcolumn
+ ) {
+ this.asPathNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+ }
+}
+
+class PathNode3 extends MergedPathNode, TPathNode3 {
+ override string toString() {
+ exists(DataFlow3::PathNode p |
+ this = TPathNode3(p) and
+ result = p.toString()
+ )
+ }
+
+ override predicate hasLocationInfo(
+ string filepath, int startline, int startcolumn, int endline, int endcolumn
+ ) {
+ this.asPathNode3().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+ }
+}
+
+class PathSinkNode extends MergedPathNode, TPathNodeSink {
+ override string toString() {
+ exists(Instruction i |
+ this = TPathNodeSink(i) and
+ result = i.toString()
+ )
+ }
+
+ override predicate hasLocationInfo(
+ string filepath, int startline, int startcolumn, int endline, int endcolumn
+ ) {
+ this.asSinkNode()
+ .getLocation()
+ .hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+ }
+}
+
+query predicate edges(MergedPathNode node1, MergedPathNode node2) {
+ node1.asPathNode1().getASuccessor() = node2.asPathNode1()
+ or
+ joinOn1(_, node1.asPathNode1(), node2.asPathNode3())
+ or
+ node1.asPathNode3().getASuccessor() = node2.asPathNode3()
+ or
+ joinOn2(node1.asPathNode3(), node2.asSinkNode(), _)
+}
+
+/**
+ * Holds if `p1` is a sink of `AllocToInvalidPointerConf` and `p2` is a source
+ * of `InvalidPointerToDerefConf`, and they are connected through `pai`.
+ */
+predicate joinOn1(PointerArithmeticInstruction pai, DataFlow::PathNode p1, DataFlow3::PathNode p2) {
+ isSinkImpl(pai, p1.getNode(), _, _) and
+ invalidPointerToDerefSource(pai, p2.getNode(), _)
+}
+
+/**
+ * Holds if `p1` is a sink of `InvalidPointerToDerefConf` and `i` is the instruction
+ * that dereferences `p1`. The string `operation` describes whether the `i` is
+ * a `StoreInstruction` or `LoadInstruction`.
+ */
+predicate joinOn2(DataFlow3::PathNode p1, Instruction i, string operation) {
+ isInvalidPointerDerefSink(p1.getNode(), i, operation)
+}
+
+predicate hasFlowPath(
+ MergedPathNode source1, MergedPathNode sink, DataFlow3::PathNode source3,
+ PointerArithmeticInstruction pai, string operation
+) {
+ exists(
+ AllocToInvalidPointerConf conf1, InvalidPointerToDerefConf conf2, DataFlow3::PathNode sink3,
+ DataFlow::PathNode sink1
+ |
+ conf1.hasFlowPath(source1.asPathNode1(), _, sink1, _) and
+ joinOn1(pai, sink1, source3) and
+ conf2.hasFlowPath(source3, sink3) and
+ joinOn2(sink3, sink.asSinkNode(), operation)
+ )
+}
+
+from
+ MergedPathNode source, MergedPathNode sink, int k, string kstr, DataFlow3::PathNode source3,
+ PointerArithmeticInstruction pai, string operation, Expr offset, DataFlow::Node n
+where
+ hasFlowPath(source, sink, source3, pai, operation) and
+ invalidPointerToDerefSource(pai, source3.getNode(), k) and
+ offset = pai.getRight().getUnconvertedResultExpression() and
+ n = source.asPathNode1().getNode() and
+ if k = 0 then kstr = "" else kstr = " + " + k
+select sink, source, sink,
+ "This " + operation + " might be out of bounds, as the pointer might be equal to $@ + $@" + kstr +
+ ".", n, n.toString(), offset, offset.toString()
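Review bot: In `hasSizeImpl` the `SubExpr` case (the `exists` following the `AddExpr` one) pairs its operands with `hasOperands`, which on `BinaryOperation` matches in either order, so an allocation sized `1 - size` would be recorded as source `size` with state `"-1"` — the same pairing as `size - 1` — even though the two sizes differ; the `AddExpr` case is commutative and unaffected. Use the ordered accessors instead: `e.(SubExpr).getLeftOperand() = nonconst and` / `e.(SubExpr).getRightOperand() = const and`. Both cases also drop the nested state (`hasSizeImpl(nonconst, n, _)`), so `malloc((size + 1) + 1)` is paired with state `"1"` rather than `"2"`; if only one offset level is meant to be tracked, a comment saying so on the `AddExpr` case would save the next reader from assuming the offsets are summed. Separately, the `@description` in the query header reads `points past it allocation`, which should be `points past its allocation`.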
diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml
index 6b0f6e7ed01..252f9baa0f4 100644
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
name: codeql/cpp-queries
-version: 0.3.4-dev
+version: 0.3.5-dev
groups:
- cpp
- queries
diff --git a/cpp/ql/test/experimental/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected b/cpp/ql/test/experimental/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected
index ea8c8f8f577..106313c8707 100644
--- a/cpp/ql/test/experimental/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected
+++ b/cpp/ql/test/experimental/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected
@@ -20,10 +20,12 @@
| test.cpp:62:10:62:13 | Load: iter | test.cpp:60:17:60:17 | ValueNumberBound | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:62:10:62:13 | Load: iter | test.cpp:60:17:60:17 | ValueNumberBound | 3 | true | CompareLT: ... < ... | test.cpp:61:32:61:51 | test.cpp:61:32:61:51 |
| test.cpp:62:10:62:13 | Load: iter | test.cpp:61:39:61:51 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:61:32:61:51 | test.cpp:61:32:61:51 |
+| test.cpp:62:10:62:13 | Load: iter | test.cpp:61:48:61:50 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:61:32:61:51 | test.cpp:61:32:61:51 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:60:17:60:17 | ValueNumberBound | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:60:17:60:17 | ValueNumberBound | 3 | true | CompareLT: ... < ... | test.cpp:66:32:66:41 | test.cpp:66:32:66:41 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:61:32:61:35 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:66:32:66:41 | test.cpp:66:32:66:41 |
| test.cpp:67:10:67:13 | Load: iter | test.cpp:61:39:61:51 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:66:32:66:41 | test.cpp:66:32:66:41 |
+| test.cpp:67:10:67:13 | Load: iter | test.cpp:61:48:61:50 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:66:32:66:41 | test.cpp:66:32:66:41 |
| test.cpp:77:12:77:12 | Load: i | file://:0:0:0:0 | 0 | 0 | false | NoReason | file://:0:0:0:0 | file://:0:0:0:0 |
| test.cpp:77:12:77:12 | Load: i | test.cpp:72:15:72:15 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:76:20:76:24 | test.cpp:76:20:76:24 |
| test.cpp:77:12:77:12 | Load: i | test.cpp:72:22:72:22 | ValueNumberBound | -1 | true | CompareLT: ... < ... | test.cpp:76:20:76:24 | test.cpp:76:20:76:24 |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.expected
index 56ae4e59a9a..dedb1d72a38 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.expected
@@ -1,2 +1,2 @@
-| test.cpp:19:19:19:24 | call to malloc | test.cpp:18:17:18:20 | size | test.cpp:26:18:26:23 | string | test.cpp:26:31:26:39 | (size_t)... |
-| test.cpp:19:19:19:24 | call to malloc | test.cpp:18:17:18:20 | size | test.cpp:30:18:30:23 | string | test.cpp:30:31:30:39 | (size_t)... |
+| test.cpp:19:19:19:24 | call to malloc | test.cpp:18:17:18:20 | size | test.cpp:26:18:26:23 | Load | test.cpp:26:31:26:39 | Convert |
+| test.cpp:19:19:19:24 | call to malloc | test.cpp:18:17:18:20 | size | test.cpp:30:18:30:23 | Load | test.cpp:30:31:30:39 | Convert |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
index 2564193fb2e..8b82181b9f7 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
@@ -1,23 +1,20 @@
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:4:24:4:27 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:4:24:4:27 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
-| test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:55:5:55:19 | Store |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:55:16:55:19 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:55:16:55:19 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:56:20:56:23 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:56:20:56:23 | size | test.cpp:63:13:63:13 | p | test.cpp:56:20:56:23 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:56:20:56:23 | size | test.cpp:63:13:63:13 | p | test.cpp:56:20:56:23 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:58:29:58:32 | size | test.cpp:63:13:63:13 | p | test.cpp:58:29:58:32 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:58:29:58:32 | size | test.cpp:63:13:63:13 | p | test.cpp:58:29:58:32 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:62:30:62:33 | size | test.cpp:63:13:63:13 | p | test.cpp:62:30:62:33 | size |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:62:30:62:33 | size | test.cpp:63:13:63:13 | p | test.cpp:62:30:62:33 | size |
-| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:83:14:83:14 | p | test.cpp:82:31:82:34 | size |
-| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | p | test.cpp:88:30:88:33 | size |
-| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | p | test.cpp:92:31:92:34 | size |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | Load | test.cpp:5:25:5:28 | Load |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | Load | test.cpp:9:26:9:29 | Load |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | Load | test.cpp:5:25:5:28 | Load |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | Load | test.cpp:9:26:9:29 | Load |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | size | test.cpp:10:9:10:11 | Load | test.cpp:9:26:9:29 | Load |
+| test.cpp:22:13:22:18 | call to malloc | test.cpp:21:16:21:19 | size | test.cpp:35:13:35:13 | Load | test.cpp:30:29:30:32 | Load |
+| test.cpp:22:13:22:18 | call to malloc | test.cpp:21:16:21:19 | size | test.cpp:35:13:35:13 | Load | test.cpp:34:30:34:33 | Load |
+| test.cpp:22:13:22:18 | call to malloc | test.cpp:21:16:21:19 | size | test.cpp:45:13:45:13 | Load | test.cpp:40:29:40:32 | Load |
+| test.cpp:22:13:22:18 | call to malloc | test.cpp:21:16:21:19 | size | test.cpp:45:13:45:13 | Load | test.cpp:44:30:44:33 | Load |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:55:5:55:19 | Store |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:55:5:55:19 | Store |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:55:16:55:19 | Load |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:56:20:56:23 | Load |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:58:29:58:32 | Load |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | Load | test.cpp:62:30:62:33 | Load |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:58:29:58:32 | size | test.cpp:63:13:63:13 | Load | test.cpp:58:29:58:32 | Load |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:62:30:62:33 | size | test.cpp:63:13:63:13 | Load | test.cpp:62:30:62:33 | Load |
+| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:83:14:83:14 | Load | test.cpp:82:31:82:34 | Load |
+| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | Load | test.cpp:88:30:88:33 | Load |
+| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | Load | test.cpp:92:31:92:34 | Load |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp
index b3c4341f9b8..f35379db3e4 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp
@@ -32,7 +32,7 @@ void test2(int size) {
}
for (int i = 0; i <= arr.size; i++) {
- arr.p[i] = i; // BAD [NOT DETECTED]
+ arr.p[i] = i; // BAD
}
}
@@ -42,7 +42,7 @@ void test3_callee(array_t arr) {
}
for (int i = 0; i <= arr.size; i++) {
- arr.p[i] = i; // BAD [NOT DETECTED]
+ arr.p[i] = i; // BAD
}
}
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
new file mode 100644
index 00000000000..494713b124b
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -0,0 +1,627 @@
+edges
+| test.cpp:4:15:4:20 | call to malloc | test.cpp:5:15:5:15 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:12:16:12:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:5:15:5:22 | Store | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:5:15:5:22 | Store | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:5:15:5:22 | Store | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:5:15:5:22 | Store | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:12:16:12:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:6:15:6:15 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:6:15:6:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:6:15:6:15 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:6:15:6:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:7:16:7:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:7:16:7:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:7:16:7:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:7:16:7:16 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:8:16:8:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:8:16:8:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:8:16:8:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:8:16:8:16 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:8:16:8:20 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:8:16:8:20 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:9:16:9:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:9:16:9:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:9:16:9:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:9:16:9:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:9:16:9:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:9:16:9:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:9:16:9:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:9:16:9:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:9:16:9:16 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:10:16:10:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:10:16:10:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:10:16:10:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:10:16:10:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:10:16:10:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:10:16:10:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:10:16:10:16 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:11:16:11:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:11:16:11:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:11:16:11:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:11:16:11:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:11:16:11:16 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:12:16:12:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:12:16:12:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:12:16:12:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:12:16:12:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:16:15:16:20 | call to malloc | test.cpp:17:15:17:15 | Load |
+| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
+| test.cpp:17:15:17:22 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
+| test.cpp:17:15:17:22 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
+| test.cpp:20:16:20:20 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
+| test.cpp:20:16:20:20 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
+| test.cpp:28:15:28:20 | call to malloc | test.cpp:29:15:29:15 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:36:16:36:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:29:15:29:28 | Store | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:29:15:29:28 | Store | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:29:15:29:28 | Store | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:29:15:29:28 | Store | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:36:16:36:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:30:15:30:15 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:30:15:30:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:30:15:30:15 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:30:15:30:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:31:16:31:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:31:16:31:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:31:16:31:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:31:16:31:16 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:32:16:32:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:32:16:32:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:32:16:32:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:32:16:32:16 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:32:16:32:20 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:32:16:32:20 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:33:16:33:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:33:16:33:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:33:16:33:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:33:16:33:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:33:16:33:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:33:16:33:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:33:16:33:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:33:16:33:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:33:16:33:16 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:34:16:34:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:34:16:34:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:34:16:34:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:34:16:34:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:34:16:34:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:34:16:34:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:34:16:34:16 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:35:16:35:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:35:16:35:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:35:16:35:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:35:16:35:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:35:16:35:16 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:36:16:36:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:36:16:36:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:36:16:36:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:36:16:36:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:40:15:40:20 | call to malloc | test.cpp:41:15:41:15 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:48:16:48:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:41:15:41:28 | Store | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:41:15:41:28 | Store | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:41:15:41:28 | Store | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:41:15:41:28 | Store | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:48:16:48:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:42:15:42:15 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:42:15:42:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:42:15:42:15 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:42:15:42:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:43:16:43:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:43:16:43:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:43:16:43:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:43:16:43:16 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:44:16:44:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:44:16:44:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:44:16:44:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:44:16:44:16 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:44:16:44:20 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:44:16:44:20 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:45:16:45:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:45:16:45:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:45:16:45:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:45:16:45:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:45:16:45:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:45:16:45:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:45:16:45:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:45:16:45:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:45:16:45:16 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:46:16:46:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:46:16:46:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:46:16:46:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:46:16:46:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:46:16:46:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:46:16:46:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:46:16:46:16 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:47:16:47:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:47:16:47:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:47:16:47:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:47:16:47:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:47:16:47:16 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:48:16:48:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:48:16:48:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:48:16:48:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:48:16:48:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:51:7:51:14 | VariableAddress indirection | test.cpp:62:39:62:39 | Load |
+| test.cpp:51:7:51:14 | VariableAddress indirection | test.cpp:66:39:66:39 | Load |
+| test.cpp:51:7:51:14 | VariableAddress indirection | test.cpp:70:38:70:38 | Load |
+| test.cpp:51:33:51:35 | Load indirection | test.cpp:60:34:60:37 | mk_array output argument |
+| test.cpp:52:19:52:24 | call to malloc | test.cpp:51:7:51:14 | VariableAddress indirection |
+| test.cpp:52:19:52:24 | call to malloc | test.cpp:53:12:53:16 | Load |
+| test.cpp:53:5:53:23 | Store | test.cpp:51:33:51:35 | Load indirection |
+| test.cpp:53:12:53:16 | Load | test.cpp:53:5:53:23 | Store |
+| test.cpp:53:12:53:16 | Load | test.cpp:53:5:53:23 | Store |
+| test.cpp:53:12:53:16 | Load | test.cpp:53:12:53:23 | ... + ... |
+| test.cpp:53:12:53:16 | Load | test.cpp:53:12:53:23 | ... + ... |
+| test.cpp:53:12:53:23 | ... + ... | test.cpp:51:33:51:35 | Load indirection |
+| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:62:32:62:34 | Load |
+| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:66:32:66:34 | Load |
+| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:70:31:70:33 | Load |
+| test.cpp:62:32:62:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:62:32:62:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:66:32:66:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:66:32:66:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:70:31:70:33 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:70:31:70:33 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:91:20:91:22 | arr indirection [begin] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:95:20:95:22 | arr indirection [begin] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:99:20:99:22 | arr indirection [begin] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:119:18:119:25 | call to mk_array [begin] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:91:36:91:38 | arr indirection [end] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:95:36:95:38 | arr indirection [end] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:99:35:99:37 | arr indirection [end] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:119:18:119:25 | call to mk_array [end] |
+| test.cpp:82:5:82:28 | Store | test.cpp:82:9:82:13 | arr indirection [post update] [begin] |
+| test.cpp:82:9:82:13 | arr indirection [post update] [begin] | test.cpp:80:9:80:16 | VariableAddress indirection [begin] |
+| test.cpp:82:9:82:13 | arr indirection [post update] [begin] | test.cpp:83:15:83:17 | arr indirection [begin] |
+| test.cpp:82:17:82:22 | call to malloc | test.cpp:82:5:82:28 | Store |
+| test.cpp:83:5:83:30 | Store | test.cpp:83:9:83:11 | arr indirection [post update] [end] |
+| test.cpp:83:9:83:11 | arr indirection [post update] [end] | test.cpp:80:9:80:16 | VariableAddress indirection [end] |
+| test.cpp:83:15:83:17 | arr indirection [begin] | test.cpp:83:19:83:23 | begin |
+| test.cpp:83:15:83:30 | ... + ... | test.cpp:83:5:83:30 | Store |
+| test.cpp:83:19:83:23 | Load | test.cpp:83:5:83:30 | Store |
+| test.cpp:83:19:83:23 | Load | test.cpp:83:5:83:30 | Store |
+| test.cpp:83:19:83:23 | Load | test.cpp:83:15:83:30 | ... + ... |
+| test.cpp:83:19:83:23 | Load | test.cpp:83:15:83:30 | ... + ... |
+| test.cpp:83:19:83:23 | begin | test.cpp:83:19:83:23 | Load |
+| test.cpp:91:20:91:22 | arr indirection [begin] | test.cpp:91:24:91:28 | begin |
+| test.cpp:91:20:91:22 | arr indirection [begin] | test.cpp:91:47:91:47 | Load |
+| test.cpp:91:24:91:28 | begin | test.cpp:91:47:91:47 | Load |
+| test.cpp:91:36:91:38 | arr indirection [end] | test.cpp:91:40:91:42 | end |
+| test.cpp:91:40:91:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:91:40:91:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:91:40:91:42 | end | test.cpp:91:40:91:42 | Load |
+| test.cpp:95:20:95:22 | arr indirection [begin] | test.cpp:95:24:95:28 | begin |
+| test.cpp:95:20:95:22 | arr indirection [begin] | test.cpp:95:47:95:47 | Load |
+| test.cpp:95:24:95:28 | begin | test.cpp:95:47:95:47 | Load |
+| test.cpp:95:36:95:38 | arr indirection [end] | test.cpp:95:40:95:42 | end |
+| test.cpp:95:40:95:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:95:40:95:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:95:40:95:42 | end | test.cpp:95:40:95:42 | Load |
+| test.cpp:99:20:99:22 | arr indirection [begin] | test.cpp:99:24:99:28 | begin |
+| test.cpp:99:20:99:22 | arr indirection [begin] | test.cpp:99:46:99:46 | Load |
+| test.cpp:99:24:99:28 | begin | test.cpp:99:46:99:46 | Load |
+| test.cpp:99:35:99:37 | arr indirection [end] | test.cpp:99:39:99:41 | end |
+| test.cpp:99:39:99:41 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:99:39:99:41 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:99:39:99:41 | end | test.cpp:99:39:99:41 | Load |
+| test.cpp:104:27:104:29 | arr [begin] | test.cpp:105:20:105:22 | arr indirection [begin] |
+| test.cpp:104:27:104:29 | arr [begin] | test.cpp:109:20:109:22 | arr indirection [begin] |
+| test.cpp:104:27:104:29 | arr [begin] | test.cpp:113:20:113:22 | arr indirection [begin] |
+| test.cpp:104:27:104:29 | arr [end] | test.cpp:105:36:105:38 | arr indirection [end] |
+| test.cpp:104:27:104:29 | arr [end] | test.cpp:109:36:109:38 | arr indirection [end] |
+| test.cpp:104:27:104:29 | arr [end] | test.cpp:113:35:113:37 | arr indirection [end] |
+| test.cpp:105:20:105:22 | arr indirection [begin] | test.cpp:105:24:105:28 | begin |
+| test.cpp:105:20:105:22 | arr indirection [begin] | test.cpp:105:47:105:47 | Load |
+| test.cpp:105:24:105:28 | begin | test.cpp:105:47:105:47 | Load |
+| test.cpp:105:36:105:38 | arr indirection [end] | test.cpp:105:40:105:42 | end |
+| test.cpp:105:40:105:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:105:40:105:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:105:40:105:42 | end | test.cpp:105:40:105:42 | Load |
+| test.cpp:109:20:109:22 | arr indirection [begin] | test.cpp:109:24:109:28 | begin |
+| test.cpp:109:20:109:22 | arr indirection [begin] | test.cpp:109:47:109:47 | Load |
+| test.cpp:109:24:109:28 | begin | test.cpp:109:47:109:47 | Load |
+| test.cpp:109:36:109:38 | arr indirection [end] | test.cpp:109:40:109:42 | end |
+| test.cpp:109:40:109:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:109:40:109:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:109:40:109:42 | end | test.cpp:109:40:109:42 | Load |
+| test.cpp:113:20:113:22 | arr indirection [begin] | test.cpp:113:24:113:28 | begin |
+| test.cpp:113:20:113:22 | arr indirection [begin] | test.cpp:113:46:113:46 | Load |
+| test.cpp:113:24:113:28 | begin | test.cpp:113:46:113:46 | Load |
+| test.cpp:113:35:113:37 | arr indirection [end] | test.cpp:113:39:113:41 | end |
+| test.cpp:113:39:113:41 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:113:39:113:41 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:113:39:113:41 | end | test.cpp:113:39:113:41 | Load |
+| test.cpp:119:18:119:25 | call to mk_array [begin] | test.cpp:104:27:104:29 | arr [begin] |
+| test.cpp:119:18:119:25 | call to mk_array [end] | test.cpp:104:27:104:29 | arr [end] |
+| test.cpp:124:15:124:20 | call to malloc | test.cpp:125:5:125:17 | Store |
+| test.cpp:124:15:124:20 | call to malloc | test.cpp:126:15:126:15 | Load |
+| test.cpp:125:5:125:17 | Store | test.cpp:125:9:125:13 | arr indirection [post update] [begin] |
+| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:129:11:129:13 | arr indirection [begin] |
+| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:133:11:133:13 | arr indirection [begin] |
+| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:137:11:137:13 | arr indirection [begin] |
+| test.cpp:129:11:129:13 | arr indirection [begin] | test.cpp:129:15:129:19 | begin |
+| test.cpp:129:15:129:19 | begin | test.cpp:129:15:129:19 | Load |
+| test.cpp:133:11:133:13 | arr indirection [begin] | test.cpp:133:15:133:19 | begin |
+| test.cpp:133:15:133:19 | begin | test.cpp:133:15:133:19 | Load |
+| test.cpp:137:11:137:13 | arr indirection [begin] | test.cpp:137:15:137:19 | begin |
+| test.cpp:137:15:137:19 | begin | test.cpp:137:15:137:19 | Load |
+| test.cpp:141:10:141:19 | VariableAddress indirection [begin] | test.cpp:150:20:150:29 | Call indirection [begin] |
+| test.cpp:141:10:141:19 | VariableAddress indirection [begin] | test.cpp:180:19:180:28 | call to mk_array_p indirection [begin] |
+| test.cpp:141:10:141:19 | VariableAddress indirection [end] | test.cpp:150:20:150:29 | Call indirection [end] |
+| test.cpp:141:10:141:19 | VariableAddress indirection [end] | test.cpp:180:19:180:28 | call to mk_array_p indirection [end] |
+| test.cpp:143:5:143:29 | Store | test.cpp:143:10:143:14 | Load indirection [post update] [begin] |
+| test.cpp:143:10:143:14 | Load indirection [post update] [begin] | test.cpp:141:10:141:19 | VariableAddress indirection [begin] |
+| test.cpp:143:10:143:14 | Load indirection [post update] [begin] | test.cpp:144:16:144:18 | Load indirection [begin] |
+| test.cpp:143:18:143:23 | call to malloc | test.cpp:143:5:143:29 | Store |
+| test.cpp:144:5:144:32 | Store | test.cpp:144:10:144:12 | Load indirection [post update] [end] |
+| test.cpp:144:10:144:12 | Load indirection [post update] [end] | test.cpp:141:10:141:19 | VariableAddress indirection [end] |
+| test.cpp:144:16:144:18 | Load indirection [begin] | test.cpp:144:21:144:25 | begin |
+| test.cpp:144:16:144:32 | ... + ... | test.cpp:144:5:144:32 | Store |
+| test.cpp:144:21:144:25 | Load | test.cpp:144:5:144:32 | Store |
+| test.cpp:144:21:144:25 | Load | test.cpp:144:5:144:32 | Store |
+| test.cpp:144:21:144:25 | Load | test.cpp:144:16:144:32 | ... + ... |
+| test.cpp:144:21:144:25 | Load | test.cpp:144:16:144:32 | ... + ... |
+| test.cpp:144:21:144:25 | begin | test.cpp:144:21:144:25 | Load |
+| test.cpp:150:20:150:29 | Call indirection [begin] | test.cpp:152:20:152:22 | Load indirection [begin] |
+| test.cpp:150:20:150:29 | Call indirection [begin] | test.cpp:156:20:156:22 | Load indirection [begin] |
+| test.cpp:150:20:150:29 | Call indirection [begin] | test.cpp:160:20:160:22 | Load indirection [begin] |
+| test.cpp:150:20:150:29 | Call indirection [end] | test.cpp:156:37:156:39 | Load indirection [end] |
+| test.cpp:152:20:152:22 | Load indirection [begin] | test.cpp:152:25:152:29 | begin |
+| test.cpp:152:20:152:22 | Load indirection [begin] | test.cpp:152:49:152:49 | Load |
+| test.cpp:152:25:152:29 | begin | test.cpp:152:49:152:49 | Load |
+| test.cpp:156:20:156:22 | Load indirection [begin] | test.cpp:156:25:156:29 | begin |
+| test.cpp:156:20:156:22 | Load indirection [begin] | test.cpp:156:49:156:49 | Load |
+| test.cpp:156:25:156:29 | begin | test.cpp:156:49:156:49 | Load |
+| test.cpp:156:37:156:39 | Load indirection [end] | test.cpp:156:42:156:44 | end |
+| test.cpp:156:42:156:44 | Load | test.cpp:157:9:157:14 | Store: ... = ... |
+| test.cpp:156:42:156:44 | Load | test.cpp:157:9:157:14 | Store: ... = ... |
+| test.cpp:156:42:156:44 | end | test.cpp:156:42:156:44 | Load |
+| test.cpp:160:20:160:22 | Load indirection [begin] | test.cpp:160:25:160:29 | begin |
+| test.cpp:160:20:160:22 | Load indirection [begin] | test.cpp:160:48:160:48 | Load |
+| test.cpp:160:25:160:29 | begin | test.cpp:160:48:160:48 | Load |
+| test.cpp:165:29:165:31 | arr indirection [begin] | test.cpp:166:20:166:22 | Load indirection [begin] |
+| test.cpp:165:29:165:31 | arr indirection [begin] | test.cpp:170:20:170:22 | Load indirection [begin] |
+| test.cpp:165:29:165:31 | arr indirection [begin] | test.cpp:174:20:174:22 | Load indirection [begin] |
+| test.cpp:165:29:165:31 | arr indirection [end] | test.cpp:166:37:166:39 | Load indirection [end] |
+| test.cpp:165:29:165:31 | arr indirection [end] | test.cpp:170:37:170:39 | Load indirection [end] |
+| test.cpp:165:29:165:31 | arr indirection [end] | test.cpp:174:36:174:38 | Load indirection [end] |
+| test.cpp:166:20:166:22 | Load indirection [begin] | test.cpp:166:25:166:29 | begin |
+| test.cpp:166:20:166:22 | Load indirection [begin] | test.cpp:166:49:166:49 | Load |
+| test.cpp:166:25:166:29 | begin | test.cpp:166:49:166:49 | Load |
+| test.cpp:166:37:166:39 | Load indirection [end] | test.cpp:166:42:166:44 | end |
+| test.cpp:166:42:166:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:166:42:166:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:166:42:166:44 | end | test.cpp:166:42:166:44 | Load |
+| test.cpp:170:20:170:22 | Load indirection [begin] | test.cpp:170:25:170:29 | begin |
+| test.cpp:170:20:170:22 | Load indirection [begin] | test.cpp:170:49:170:49 | Load |
+| test.cpp:170:25:170:29 | begin | test.cpp:170:49:170:49 | Load |
+| test.cpp:170:37:170:39 | Load indirection [end] | test.cpp:170:42:170:44 | end |
+| test.cpp:170:42:170:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:170:42:170:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:170:42:170:44 | end | test.cpp:170:42:170:44 | Load |
+| test.cpp:174:20:174:22 | Load indirection [begin] | test.cpp:174:25:174:29 | begin |
+| test.cpp:174:20:174:22 | Load indirection [begin] | test.cpp:174:48:174:48 | Load |
+| test.cpp:174:25:174:29 | begin | test.cpp:174:48:174:48 | Load |
+| test.cpp:174:36:174:38 | Load indirection [end] | test.cpp:174:41:174:43 | end |
+| test.cpp:174:41:174:43 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:174:41:174:43 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:174:41:174:43 | end | test.cpp:174:41:174:43 | Load |
+| test.cpp:180:19:180:28 | call to mk_array_p indirection [begin] | test.cpp:165:29:165:31 | arr indirection [begin] |
+| test.cpp:180:19:180:28 | call to mk_array_p indirection [end] | test.cpp:165:29:165:31 | arr indirection [end] |
+| test.cpp:188:15:188:20 | call to malloc | test.cpp:189:15:189:15 | Load |
+#select
+| test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
+| test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
+| test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
+| test.cpp:20:14:20:21 | Load: * ... | test.cpp:16:15:16:20 | call to malloc | test.cpp:20:14:20:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:16:15:16:20 | call to malloc | call to malloc | test.cpp:17:19:17:22 | size | size |
+| test.cpp:30:14:30:15 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:30:14:30:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
+| test.cpp:32:14:32:21 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
+| test.cpp:32:14:32:21 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
+| test.cpp:42:14:42:15 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
+| test.cpp:44:14:44:21 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
+| test.cpp:44:14:44:21 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
+| test.cpp:67:9:67:14 | Store: ... = ... | test.cpp:52:19:52:24 | call to malloc | test.cpp:67:9:67:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:52:19:52:24 | call to malloc | call to malloc | test.cpp:53:20:53:23 | size | size |
+| test.cpp:96:9:96:14 | Store: ... = ... | test.cpp:82:17:82:22 | call to malloc | test.cpp:96:9:96:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:82:17:82:22 | call to malloc | call to malloc | test.cpp:83:27:83:30 | size | size |
+| test.cpp:110:9:110:14 | Store: ... = ... | test.cpp:82:17:82:22 | call to malloc | test.cpp:110:9:110:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:82:17:82:22 | call to malloc | call to malloc | test.cpp:83:27:83:30 | size | size |
+| test.cpp:157:9:157:14 | Store: ... = ... | test.cpp:143:18:143:23 | call to malloc | test.cpp:157:9:157:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:143:18:143:23 | call to malloc | call to malloc | test.cpp:144:29:144:32 | size | size |
+| test.cpp:171:9:171:14 | Store: ... = ... | test.cpp:143:18:143:23 | call to malloc | test.cpp:171:9:171:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:143:18:143:23 | call to malloc | call to malloc | test.cpp:144:29:144:32 | size | size |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.qlref
new file mode 100644
index 00000000000..76da29dc7a0
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
new file mode 100644
index 00000000000..809c348c0b0
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -0,0 +1,191 @@
+char *malloc(int size);
+
+void test1(int size) {
+ char* p = malloc(size);
+ char* q = p + size;
+ char a = *q; // BAD
+ char b = *(q - 1); // GOOD
+ char c = *(q + 1); // BAD
+ char d = *(q + size); // BAD [NOT DETECTED]
+ char e = *(q - size); // GOOD
+ char f = *(q + size + 1); // BAD [NOT DETECTED]
+ char g = *(q - size - 1); // GOOD
+}
+
+void test2(int size) {
+ char* p = malloc(size);
+ char* q = p + size - 1;
+ char a = *q; // GOOD
+ char b = *(q - 1); // GOOD
+ char c = *(q + 1); // BAD
+ char d = *(q + size); // BAD [NOT DETECTED]
+ char e = *(q - size); // GOOD
+ char f = *(q + size + 1); // BAD [NOT DETECTED]
+ char g = *(q - size - 1); // GOOD
+}
+
+void test3(int size) {
+ char* p = malloc(size + 1);
+ char* q = p + (size + 1);
+ char a = *q; // BAD
+ char b = *(q - 1); // GOOD
+ char c = *(q + 1); // BAD
+ char d = *(q + size); // BAD [NOT DETECTED]
+ char e = *(q - size); // GOOD
+ char f = *(q + size + 1); // BAD [NOT DETECTED]
+ char g = *(q - size - 1); // GOOD
+}
+
+void test4(int size) {
+ char* p = malloc(size - 1);
+ char* q = p + (size - 1);
+ char a = *q; // BAD
+ char b = *(q - 1); // GOOD
+ char c = *(q + 1); // BAD
+ char d = *(q + size); // BAD [NOT DETECTED]
+ char e = *(q - size); // GOOD
+ char f = *(q + size + 1); // BAD [NOT DETECTED]
+ char g = *(q - size - 1); // GOOD
+}
+
+char* mk_array(int size, char** end) {
+ char* begin = malloc(size);
+ *end = begin + size;
+
+ return begin;
+}
+
+void test5(int size) {
+ char* end;
+ char* begin = mk_array(size, &end);
+
+ for (char* p = begin; p != end; ++p) {
+ *p = 0; // GOOD
+ }
+
+ for (char* p = begin; p <= end; ++p) {
+ *p = 0; // BAD
+ }
+
+ for (char* p = begin; p < end; ++p) {
+ *p = 0; // GOOD
+ }
+}
+
+struct array_t {
+ char* begin;
+ char* end;
+};
+
+array_t mk_array(int size) {
+ array_t arr;
+ arr.begin = malloc(size);
+ arr.end = arr.begin + size;
+
+ return arr;
+}
+
+void test6(int size) {
+ array_t arr = mk_array(size);
+
+ for (char* p = arr.begin; p != arr.end; ++p) {
+ *p = 0; // GOOD
+ }
+
+ for (char* p = arr.begin; p <= arr.end; ++p) {
+ *p = 0; // BAD
+ }
+
+ for (char* p = arr.begin; p < arr.end; ++p) {
+ *p = 0; // GOOD
+ }
+}
+
+void test7_callee(array_t arr) {
+ for (char* p = arr.begin; p != arr.end; ++p) {
+ *p = 0; // GOOD
+ }
+
+ for (char* p = arr.begin; p <= arr.end; ++p) {
+ *p = 0; // BAD
+ }
+
+ for (char* p = arr.begin; p < arr.end; ++p) {
+ *p = 0; // GOOD
+ }
+}
+
+void test7(int size) {
+ test7_callee(mk_array(size));
+}
+
+void test8(int size) {
+ array_t arr;
+ char* p = malloc(size);
+ arr.begin = p;
+ arr.end = p + size;
+
+ for (int i = 0; i < arr.end - arr.begin; i++) {
+ *(arr.begin + i) = 0; // GOOD
+ }
+
+ for (int i = 0; i != arr.end - arr.begin; i++) {
+ *(arr.begin + i) = 0; // GOOD
+ }
+
+ for (int i = 0; i <= arr.end - arr.begin; i++) {
+ *(arr.begin + i) = 0; // BAD [NOT DETECTED]
+ }
+}
+
+array_t *mk_array_p(int size) {
+ array_t *arr = (array_t*) malloc(sizeof(array_t));
+ arr->begin = malloc(size);
+ arr->end = arr->begin + size;
+
+ return arr;
+}
+
+void test9(int size) {
+ array_t *arr = mk_array_p(size);
+
+ for (char* p = arr->begin; p != arr->end; ++p) {
+ *p = 0; // GOOD
+ }
+
+ for (char* p = arr->begin; p <= arr->end; ++p) {
+ *p = 0; // BAD
+ }
+
+ for (char* p = arr->begin; p < arr->end; ++p) {
+ *p = 0; // GOOD
+ }
+}
+
+void test10_callee(array_t *arr) {
+ for (char* p = arr->begin; p != arr->end; ++p) {
+ *p = 0; // GOOD
+ }
+
+ for (char* p = arr->begin; p <= arr->end; ++p) {
+ *p = 0; // BAD
+ }
+
+ for (char* p = arr->begin; p < arr->end; ++p) {
+ *p = 0; // GOOD
+ }
+}
+
+void test10(int size) {
+ test10_callee(mk_array_p(size));
+}
+
+void deref_plus_one(char* q) {
+ char a = *(q + 1); // BAD [NOT DETECTED]
+}
+
+void test11(unsigned size) {
+ char *p = malloc(size);
+ char *q = p + size - 1;
+ deref_plus_one(q);
+}
\ No newline at end of file
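Review bot: Several dereferences labelled `// GOOD` read before the start of the allocation rather than inside it: in test1 `*(q - size - 1)` is `*(p - 1)`; in test2 `*(q - size)` and `*(q - size - 1)` resolve to `*(p - 1)` and `*(p - 2)` because `q` is `p + size - 1`; test4 has the same pair since its `q` is also `p + (size - 1)` over `malloc(size - 1)`. Those are out-of-bounds reads (underflow), so marking them GOOD enshrines a false negative in the expected output; since the query is scoped to pointers past the end, label them `// BAD [NOT DETECTED]` or add a file-level comment such as `// Reads before the allocation (underflow) are out of scope for this query and are not flagged.` Separately, the stub `char *malloc(int size);` takes a signed `int`, so apart from test11's `unsigned` no test exercises a `size_t` length, and nothing covers `size == 0`, where `*(q - 1)` in test1 and test3 would itself be out of bounds; a `size_t` variant of test1 would make the range-analysis side of the query more honest.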
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected
index 80d09858338..955668b4e7a 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected
@@ -64,6 +64,10 @@ edges
| test.cpp:201:5:201:17 | EnterFunction: maybe_deref_p | test.cpp:201:5:201:17 | VariableAddress: maybe_deref_p |
| test.cpp:210:3:210:9 | Call: call to escape1 | test.cpp:201:5:201:17 | EnterFunction: maybe_deref_p |
| test.cpp:210:3:210:9 | Call: call to escape1 | test.cpp:201:5:201:17 | VariableAddress: maybe_deref_p |
+| test.cpp:234:3:234:13 | Store: ... = ... | test.cpp:238:3:238:9 | Call: call to escape2 |
+| test.cpp:238:3:238:9 | Call: call to escape2 | test.cpp:239:17:239:17 | Load: p |
+| test.cpp:263:3:263:13 | Store: ... = ... | test.cpp:267:3:267:9 | Call: call to escape3 |
+| test.cpp:267:3:267:9 | Call: call to escape3 | test.cpp:268:17:268:17 | Load: p |
#select
| test.cpp:15:16:15:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:15:16:15:16 | Load: p | Stack variable $@ escapes $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | here |
| test.cpp:24:16:24:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:24:16:24:16 | Load: p | Stack variable $@ escapes $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | here |
@@ -90,3 +94,5 @@ edges
| test.cpp:180:14:180:19 | Load: * ... | test.cpp:154:3:154:22 | Store: ... = ... | test.cpp:180:14:180:19 | Load: * ... | Stack variable $@ escapes $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:154:3:154:22 | Store: ... = ... | here |
| test.cpp:181:13:181:20 | Load: access to array | test.cpp:155:3:155:21 | Store: ... = ... | test.cpp:181:13:181:20 | Load: access to array | Stack variable $@ escapes $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:155:3:155:21 | Store: ... = ... | here |
| test.cpp:182:14:182:19 | Load: * ... | test.cpp:156:3:156:25 | Store: ... = ... | test.cpp:182:14:182:19 | Load: * ... | Stack variable $@ escapes $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:156:3:156:25 | Store: ... = ... | here |
+| test.cpp:239:17:239:17 | Load: p | test.cpp:234:3:234:13 | Store: ... = ... | test.cpp:239:17:239:17 | Load: p | Stack variable $@ escapes $@ and is used after it has expired. | test.cpp:232:7:232:7 | x | x | test.cpp:234:3:234:13 | Store: ... = ... | here |
+| test.cpp:268:17:268:17 | Load: p | test.cpp:263:3:263:13 | Store: ... = ... | test.cpp:268:17:268:17 | Load: p | Stack variable $@ escapes $@ and is used after it has expired. | test.cpp:260:7:260:7 | x | x | test.cpp:263:3:263:13 | Store: ... = ... | here |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp
index 3e8a7e90b84..616305a8174 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp
@@ -209,4 +209,61 @@ int maybe_deref_p(bool b) {
int field_indirect_maybe_bad(bool b) {
escape1();
return maybe_deref_p(b);
+}
+
+// These next tests cover subsequent stores to the same address in the same basic block.
+
+static struct S100 s102;
+
+void not_escape1() {
+ int x;
+ s102.p = &x;
+ s102.p = nullptr;
+}
+
+void calls_not_escape1() {
+ not_escape1();
+ int x = *s102.p; // GOOD
+}
+
+static struct S100 s103;
+
+void escape2() {
+ int x;
+ s103.p = nullptr;
+ s103.p = &x;
+}
+
+void calls_escape2() {
+ escape2();
+ int x = *s103.p; // BAD
+}
+
+bool unknown();
+static struct S100 s104;
+
+void not_escape2() {
+ int x;
+ s104.p = &x;
+ if(unknown()) { }
+ s104.p = nullptr;
+}
+
+void calls_not_escape2() {
+ not_escape2();
+ int x = *s104.p; // GOOD
+}
+
+static struct S100 s105;
+
+void escape3() {
+ int x;
+ s105.p = nullptr;
+ if(unknown()) { }
+ s105.p = &x;
+}
+
+void calls_escape3() {
+ escape3();
+ int x = *s105.p; // BAD
}
\ No newline at end of file
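Review bot: The header comment introducing the new tests says they cover subsequent stores "in the same basic block", but not_escape2 and escape3 deliberately place the two stores in different basic blocks by inserting `if(unknown()) { }` between them, so the comment describes only the first pair. Suggested replacement: `// These tests cover a later store to the same address: first within one basic block (not_escape1/escape2), then across a branch (not_escape2/escape3); the empty if(unknown()) exists only to split the basic block.` It is also worth saying inline that `*s102.p` and `*s104.p` in calls_not_escape1 and calls_not_escape2 dereference a pointer that was just set to `nullptr`: `// GOOD` is right for this query (no expired stack address escapes), but `// GOOD (null deref, not in scope here)` would stop a reader from taking these as safe code.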
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
index 5fc5f82768e..9a3747dd2df 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
@@ -1,5 +1,4 @@
edges
-| test2.cpp:52:44:52:57 | password_tries | test2.cpp:52:40:52:58 | * ... |
| test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 |
| test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf |
| test2.cpp:72:17:72:24 | password | test2.cpp:76:30:76:32 | buf |
@@ -9,8 +8,6 @@ nodes
| test2.cpp:44:37:44:45 | thepasswd | semmle.label | thepasswd |
| test2.cpp:45:38:45:47 | accountkey | semmle.label | accountkey |
| test2.cpp:50:41:50:53 | passwd_config | semmle.label | passwd_config |
-| test2.cpp:52:40:52:58 | * ... | semmle.label | * ... |
-| test2.cpp:52:44:52:57 | password_tries | semmle.label | password_tries |
| test2.cpp:54:41:54:52 | widepassword | semmle.label | widepassword |
| test2.cpp:55:40:55:51 | widepassword | semmle.label | widepassword |
| test2.cpp:57:39:57:49 | call to getPassword | semmle.label | call to getPassword |
diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
index 072581ceeec..d993fc0868f 100644
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 1.2.5
+
## 1.2.4
## 1.2.3
diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.5.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.5.md
new file mode 100644
index 00000000000..e040f831239
--- /dev/null
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.5.md
@@ -0,0 +1 @@
+## 1.2.5
diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
index 172090f46b6..40355f0807f 100644
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
---
-lastReleaseVersion: 1.2.4
+lastReleaseVersion: 1.2.5
diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
index db606ea8fbe..6d33146531d 100644
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
-version: 1.2.5-dev
+version: 1.2.6-dev
groups:
- csharp
- solorigate
diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
index 072581ceeec..d993fc0868f 100644
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 1.2.5
+
## 1.2.4
## 1.2.3
diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.5.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.5.md
new file mode 100644
index 00000000000..e040f831239
--- /dev/null
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.5.md
@@ -0,0 +1 @@
+## 1.2.5
diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
index 172090f46b6..40355f0807f 100644
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
---
-lastReleaseVersion: 1.2.4
+lastReleaseVersion: 1.2.5
diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
index 1eab4e25bb0..0b31bb4af53 100644
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
-version: 1.2.5-dev
+version: 1.2.6-dev
groups:
- csharp
- solorigate
diff --git a/csharp/ql/integration-tests/all-platforms/dotnet_pack/Program.cs b/csharp/ql/integration-tests/all-platforms/dotnet_pack/Program.cs
new file mode 100644
index 00000000000..3751555cbd3
--- /dev/null
+++ b/csharp/ql/integration-tests/all-platforms/dotnet_pack/Program.cs
@@ -0,0 +1,2 @@
+// See https://aka.ms/new-console-template for more information
+Console.WriteLine("Hello, World!");
diff --git a/csharp/ql/integration-tests/all-platforms/dotnet_pack/dotnet_pack.csproj b/csharp/ql/integration-tests/all-platforms/dotnet_pack/dotnet_pack.csproj
new file mode 100644
index 00000000000..74abf5c9766
--- /dev/null
+++ b/csharp/ql/integration-tests/all-platforms/dotnet_pack/dotnet_pack.csproj
@@ -0,0 +1,10 @@
+