hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 20:26:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge tag 'codeql-cli/latest'

Browse Source 
Compatible with the latest released version of the CodeQL CLI
This commit is contained in:
Dilan
2023-09-12 16:13:57 +00:00
parent cd16271a56 1a575ef297
commit bc2bb19491
325 changed files with 7529 additions and 3089 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
config/identical-files.json
View File

@@ -55,15 +55,6 @@
"ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
"swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
],
"DataFlow Java/C++/C#/Python/Ruby/Swift Consistency checks": [
"java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
"cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
"python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll",
"ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll",
"swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll"
],
"DataFlow Java/C#/Go/Ruby/Python/Swift Flow Summaries": [
"java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",

6
cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj
View File

@@ -11,12 +11,12 @@
<ItemGroup>
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
<PackageReference Include="xunit" Version="2.5.0" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.5.0">
<PackageReference Include="xunit" Version="2.4.2" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
</ItemGroup>
<ItemGroup>

2
cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
View File

@@ -17,7 +17,7 @@
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Build" Version="17.7.2" />
<PackageReference Include="Microsoft.Build" Version="17.3.2" />
</ItemGroup>
<ItemGroup>

15
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,18 @@
## 0.9.2
### Deprecated APIs
* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
### New Features
* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
### Minor Analysis Improvements
* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
## 0.9.1
No user-facing changes.

4
cpp/ql/lib/change-notes/2023-08-24-no-taint-argv-indirections.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.

4
cpp/ql/lib/change-notes/2023-08-25-delete-or-delete-array.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`

4
cpp/ql/lib/change-notes/2023-08-25-getAllocatorCall-deprecated.md
View File

@@ -1,4 +0,0 @@
---
category: deprecated
---
* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.

14
cpp/ql/lib/change-notes/released/0.9.2.md Normal file
View File

@@ -0,0 +1,14 @@
## 0.9.2
### Deprecated APIs
* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
### New Features
* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
### Minor Analysis Improvements
* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.9.1
lastReleaseVersion: 0.9.2

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.9.2-dev
version: 0.9.2
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

304
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
View File

@@ -3,297 +3,25 @@
* data-flow classes and predicates.
*/
private import DataFlowImplSpecific::Private
private import DataFlowImplSpecific::Public
private import tainttracking1.TaintTrackingParameter::Private
private import tainttracking1.TaintTrackingParameter::Public
private import cpp
private import DataFlowImplSpecific
private import TaintTrackingImplSpecific
private import codeql.dataflow.internal.DataFlowImplConsistency
module Consistency {
private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
/** A class for configuring the consistency queries. */
class ConsistencyConfiguration extends TConsistencyConfiguration {
string toString() { none() }
/** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
predicate uniqueEnclosingCallableExclude(Node n) { none() }
/** Holds if `call` should be excluded from the consistency test `uniqueCallEnclosingCallable`. */
predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) { none() }
/** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
predicate uniqueNodeLocationExclude(Node n) { none() }
/** Holds if `n` should be excluded from the consistency test `missingLocation`. */
predicate missingLocationExclude(Node n) { none() }
/** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
predicate postWithInFlowExclude(Node n) { none() }
/** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
/** Holds if `n` should be excluded from the consistency test `reverseRead`. */
predicate reverseReadExclude(Node n) { none() }
/** Holds if `n` should be excluded from the consistency test `postHasUniquePre`. */
predicate postHasUniquePreExclude(PostUpdateNode n) { none() }
/** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
predicate uniquePostUpdateExclude(Node n) { none() }
/** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
predicate viableImplInCallContextTooLargeExclude(
DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
) {
none()
}
/** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
none()
}
/** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
none()
}
/** Holds if `n` should be excluded from the consistency test `identityLocalStep`. */
predicate identityLocalStepExclude(Node n) { none() }
}
private class RelevantNode extends Node {
RelevantNode() {
this instanceof ArgumentNode or
this instanceof ParameterNode or
this instanceof ReturnNode or
this = getAnOutNode(_, _) or
simpleLocalFlowStep(this, _) or
simpleLocalFlowStep(_, this) or
jumpStep(this, _) or
jumpStep(_, this) or
storeStep(this, _, _) or
storeStep(_, _, this) or
readStep(this, _, _) or
readStep(_, _, this) or
defaultAdditionalTaintStep(this, _) or
defaultAdditionalTaintStep(_, this)
}
}
query predicate uniqueEnclosingCallable(Node n, string msg) {
exists(int c |
n instanceof RelevantNode and
c = count(nodeGetEnclosingCallable(n)) and
c != 1 and
not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
msg = "Node should have one enclosing callable but has " + c + "."
)
}
query predicate uniqueCallEnclosingCallable(DataFlowCall call, string msg) {
exists(int c |
c = count(call.getEnclosingCallable()) and
c != 1 and
not any(ConsistencyConfiguration conf).uniqueCallEnclosingCallableExclude(call) and
msg = "Call should have one enclosing callable but has " + c + "."
)
}
query predicate uniqueType(Node n, string msg) {
exists(int c |
n instanceof RelevantNode and
c = count(getNodeType(n)) and
c != 1 and
msg = "Node should have one type but has " + c + "."
)
}
query predicate uniqueNodeLocation(Node n, string msg) {
exists(int c |
c =
count(string filepath, int startline, int startcolumn, int endline, int endcolumn |
n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
) and
c != 1 and
not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
msg = "Node should have one location but has " + c + "."
)
}
query predicate missingLocation(string msg) {
exists(int c |
c =
strictcount(Node n |
not n.hasLocationInfo(_, _, _, _, _) and
not any(ConsistencyConfiguration conf).missingLocationExclude(n)
) and
msg = "Nodes without location: " + c
)
}
query predicate uniqueNodeToString(Node n, string msg) {
exists(int c |
c = count(n.toString()) and
c != 1 and
msg = "Node should have one toString but has " + c + "."
)
}
query predicate missingToString(string msg) {
exists(int c |
c = strictcount(Node n | not exists(n.toString())) and
msg = "Nodes without toString: " + c
)
}
query predicate parameterCallable(ParameterNode p, string msg) {
exists(DataFlowCallable c | isParameterNode(p, c, _) and c != nodeGetEnclosingCallable(p)) and
msg = "Callable mismatch for parameter."
}
query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
simpleLocalFlowStep(n1, n2) and
nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
msg = "Local flow step does not preserve enclosing callable."
}
query predicate readStepIsLocal(Node n1, Node n2, string msg) {
readStep(n1, _, n2) and
nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
msg = "Read step does not preserve enclosing callable."
}
query predicate storeStepIsLocal(Node n1, Node n2, string msg) {
storeStep(n1, _, n2) and
nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
msg = "Store step does not preserve enclosing callable."
}
private DataFlowType typeRepr() { result = getNodeType(_) }
query predicate compatibleTypesReflexive(DataFlowType t, string msg) {
t = typeRepr() and
not compatibleTypes(t, t) and
msg = "Type compatibility predicate is not reflexive."
}
query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
isUnreachableInCall(n, call) and
exists(DataFlowCallable c |
c = nodeGetEnclosingCallable(n) and
not viableCallable(call) = c
) and
msg = "Call context for isUnreachableInCall is inconsistent with call graph."
}
query predicate localCallNodes(DataFlowCall call, Node n, string msg) {
(
n = getAnOutNode(call, _) and
msg = "OutNode and call does not share enclosing callable."
private module Input implements InputSig<CppOldDataFlow> {
predicate argHasPostUpdateExclude(Private::ArgumentNode n) {
// Is the null pointer (or something that's not really a pointer)
exists(n.asExpr().getValue())
or
n.(ArgumentNode).argumentOf(call, _) and
msg = "ArgumentNode and call does not share enclosing callable."
) and
nodeGetEnclosingCallable(n) != call.getEnclosingCallable()
}
// This predicate helps the compiler forget that in some languages
// it is impossible for a result of `getPreUpdateNode` to be an
// instance of `PostUpdateNode`.
private Node getPre(PostUpdateNode n) {
result = n.getPreUpdateNode()
// Isn't a pointer or is a pointer to const
forall(DerivedType dt | dt = n.asExpr().getActualType() |
dt.getBaseType().isConst()
or
none()
}
query predicate postIsNotPre(PostUpdateNode n, string msg) {
getPre(n) = n and
msg = "PostUpdateNode should not equal its pre-update node."
}
query predicate postHasUniquePre(PostUpdateNode n, string msg) {
not any(ConsistencyConfiguration conf).postHasUniquePreExclude(n) and
exists(int c |
c = count(n.getPreUpdateNode()) and
c != 1 and
msg = "PostUpdateNode should have one pre-update node but has " + c + "."
dt.getBaseType() instanceof RoutineType
)
}
query predicate uniquePostUpdate(Node n, string msg) {
not any(ConsistencyConfiguration conf).uniquePostUpdateExclude(n) and
1 < strictcount(PostUpdateNode post | post.getPreUpdateNode() = n) and
msg = "Node has multiple PostUpdateNodes."
}
query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
nodeGetEnclosingCallable(n) != nodeGetEnclosingCallable(n.getPreUpdateNode()) and
msg = "PostUpdateNode does not share callable with its pre-update node."
}
private predicate hasPost(Node n) { exists(PostUpdateNode post | post.getPreUpdateNode() = n) }
query predicate reverseRead(Node n, string msg) {
exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
msg = "Origin of readStep is missing a PostUpdateNode."
}
query predicate argHasPostUpdate(ArgumentNode n, string msg) {
not hasPost(n) and
not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
msg = "ArgumentNode is missing PostUpdateNode."
}
// This predicate helps the compiler forget that in some languages
// it is impossible for a `PostUpdateNode` to be the target of
// `simpleLocalFlowStep`.
private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
query predicate postWithInFlow(Node n, string msg) {
isPostUpdateNode(n) and
not clearsContent(n, _) and
simpleLocalFlowStep(_, n) and
not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
msg = "PostUpdateNode should not be the target of local flow."
}
query predicate viableImplInCallContextTooLarge(
DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
) {
callable = viableImplInCallContext(call, ctx) and
not callable = viableCallable(call) and
not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
}
query predicate uniqueParameterNodeAtPosition(
DataFlowCallable c, ParameterPosition pos, Node p, string msg
) {
not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
isParameterNode(p, c, pos) and
not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
msg = "Parameters with overlapping positions."
}
query predicate uniqueParameterNodePosition(
DataFlowCallable c, ParameterPosition pos, Node p, string msg
) {
not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
isParameterNode(p, c, pos) and
not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
msg = "Parameter node with multiple positions."
}
query predicate uniqueContentApprox(Content c, string msg) {
not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
msg = "Non-unique content approximation."
}
query predicate identityLocalStep(Node n, string msg) {
simpleLocalFlowStep(n, n) and
not any(ConsistencyConfiguration c).identityLocalStepExclude(n) and
msg = "Node steps to itself"
// The above list of cases isn't exhaustive, but it narrows down the
// consistency alerts enough that most of them are interesting.
}
}
module Consistency = MakeConsistency<CppOldDataFlow, CppOldTaintTracking, Input>;

17
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
View File

@@ -2,7 +2,6 @@ private import cpp
private import DataFlowUtil
private import DataFlowDispatch
private import FlowVar
private import DataFlowImplConsistency
private import codeql.util.Unit
/** Gets the callable in which this node occurs. */
@@ -297,22 +296,6 @@ class ContentApprox = Unit;
pragma[inline]
ContentApprox getContentApprox(Content c) { any() }
private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
override predicate argHasPostUpdateExclude(ArgumentNode n) {
// Is the null pointer (or something that's not really a pointer)
exists(n.asExpr().getValue())
or
// Isn't a pointer or is a pointer to const
forall(DerivedType dt | dt = n.asExpr().getActualType() |
dt.getBaseType().isConst()
or
dt.getBaseType() instanceof RoutineType
)
// The above list of cases isn't exhaustive, but it narrows down the
// consistency alerts enough that most of them are interesting.
}
}
/**
* Gets an additional term that is added to the `join` and `branch` computations to reflect
* an additional forward or backwards branching factor that is not taken into account

300
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
View File

@@ -3,297 +3,17 @@
* data-flow classes and predicates.
*/
private import DataFlowImplSpecific::Private
private import DataFlowImplSpecific::Public
private import tainttracking1.TaintTrackingParameter::Private
private import tainttracking1.TaintTrackingParameter::Public
private import cpp
private import DataFlowImplSpecific
private import TaintTrackingImplSpecific
private import codeql.dataflow.internal.DataFlowImplConsistency
module Consistency {
private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
/** A class for configuring the consistency queries. */
class ConsistencyConfiguration extends TConsistencyConfiguration {
string toString() { none() }
/** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
predicate uniqueEnclosingCallableExclude(Node n) { none() }
/** Holds if `call` should be excluded from the consistency test `uniqueCallEnclosingCallable`. */
predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) { none() }
/** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
predicate uniqueNodeLocationExclude(Node n) { none() }
/** Holds if `n` should be excluded from the consistency test `missingLocation`. */
predicate missingLocationExclude(Node n) { none() }
/** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
predicate postWithInFlowExclude(Node n) { none() }
/** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
/** Holds if `n` should be excluded from the consistency test `reverseRead`. */
predicate reverseReadExclude(Node n) { none() }
/** Holds if `n` should be excluded from the consistency test `postHasUniquePre`. */
predicate postHasUniquePreExclude(PostUpdateNode n) { none() }
/** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
predicate uniquePostUpdateExclude(Node n) { none() }
/** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
predicate viableImplInCallContextTooLargeExclude(
DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
) {
none()
}
/** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
none()
}
/** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
none()
}
/** Holds if `n` should be excluded from the consistency test `identityLocalStep`. */
predicate identityLocalStepExclude(Node n) { none() }
}
private class RelevantNode extends Node {
RelevantNode() {
this instanceof ArgumentNode or
this instanceof ParameterNode or
this instanceof ReturnNode or
this = getAnOutNode(_, _) or
simpleLocalFlowStep(this, _) or
simpleLocalFlowStep(_, this) or
jumpStep(this, _) or
jumpStep(_, this) or
storeStep(this, _, _) or
storeStep(_, _, this) or
readStep(this, _, _) or
readStep(_, _, this) or
defaultAdditionalTaintStep(this, _) or
defaultAdditionalTaintStep(_, this)
private module Input implements InputSig<CppDataFlow> {
predicate argHasPostUpdateExclude(Private::ArgumentNode n) {
// The rules for whether an IR argument gets a post-update node are too
// complex to model here.
any()
}
}
query predicate uniqueEnclosingCallable(Node n, string msg) {
exists(int c |
n instanceof RelevantNode and
c = count(nodeGetEnclosingCallable(n)) and
c != 1 and
not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
msg = "Node should have one enclosing callable but has " + c + "."
)
}
query predicate uniqueCallEnclosingCallable(DataFlowCall call, string msg) {
exists(int c |
c = count(call.getEnclosingCallable()) and
c != 1 and
not any(ConsistencyConfiguration conf).uniqueCallEnclosingCallableExclude(call) and
msg = "Call should have one enclosing callable but has " + c + "."
)
}
query predicate uniqueType(Node n, string msg) {
exists(int c |
n instanceof RelevantNode and
c = count(getNodeType(n)) and
c != 1 and
msg = "Node should have one type but has " + c + "."
)
}
query predicate uniqueNodeLocation(Node n, string msg) {
exists(int c |
c =
count(string filepath, int startline, int startcolumn, int endline, int endcolumn |
n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
) and
c != 1 and
not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
msg = "Node should have one location but has " + c + "."
)
}
query predicate missingLocation(string msg) {
exists(int c |
c =
strictcount(Node n |
not n.hasLocationInfo(_, _, _, _, _) and
not any(ConsistencyConfiguration conf).missingLocationExclude(n)
) and
msg = "Nodes without location: " + c
)
}
query predicate uniqueNodeToString(Node n, string msg) {
exists(int c |
c = count(n.toString()) and
c != 1 and
msg = "Node should have one toString but has " + c + "."
)
}
query predicate missingToString(string msg) {
exists(int c |
c = strictcount(Node n | not exists(n.toString())) and
msg = "Nodes without toString: " + c
)
}
query predicate parameterCallable(ParameterNode p, string msg) {
exists(DataFlowCallable c | isParameterNode(p, c, _) and c != nodeGetEnclosingCallable(p)) and
msg = "Callable mismatch for parameter."
}
query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
simpleLocalFlowStep(n1, n2) and
nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
msg = "Local flow step does not preserve enclosing callable."
}
query predicate readStepIsLocal(Node n1, Node n2, string msg) {
readStep(n1, _, n2) and
nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
msg = "Read step does not preserve enclosing callable."
}
query predicate storeStepIsLocal(Node n1, Node n2, string msg) {
storeStep(n1, _, n2) and
nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
msg = "Store step does not preserve enclosing callable."
}
private DataFlowType typeRepr() { result = getNodeType(_) }
query predicate compatibleTypesReflexive(DataFlowType t, string msg) {
t = typeRepr() and
not compatibleTypes(t, t) and
msg = "Type compatibility predicate is not reflexive."
}
query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
isUnreachableInCall(n, call) and
exists(DataFlowCallable c |
c = nodeGetEnclosingCallable(n) and
not viableCallable(call) = c
) and
msg = "Call context for isUnreachableInCall is inconsistent with call graph."
}
query predicate localCallNodes(DataFlowCall call, Node n, string msg) {
(
n = getAnOutNode(call, _) and
msg = "OutNode and call does not share enclosing callable."
or
n.(ArgumentNode).argumentOf(call, _) and
msg = "ArgumentNode and call does not share enclosing callable."
) and
nodeGetEnclosingCallable(n) != call.getEnclosingCallable()
}
// This predicate helps the compiler forget that in some languages
// it is impossible for a result of `getPreUpdateNode` to be an
// instance of `PostUpdateNode`.
private Node getPre(PostUpdateNode n) {
result = n.getPreUpdateNode()
or
none()
}
query predicate postIsNotPre(PostUpdateNode n, string msg) {
getPre(n) = n and
msg = "PostUpdateNode should not equal its pre-update node."
}
query predicate postHasUniquePre(PostUpdateNode n, string msg) {
not any(ConsistencyConfiguration conf).postHasUniquePreExclude(n) and
exists(int c |
c = count(n.getPreUpdateNode()) and
c != 1 and
msg = "PostUpdateNode should have one pre-update node but has " + c + "."
)
}
query predicate uniquePostUpdate(Node n, string msg) {
not any(ConsistencyConfiguration conf).uniquePostUpdateExclude(n) and
1 < strictcount(PostUpdateNode post | post.getPreUpdateNode() = n) and
msg = "Node has multiple PostUpdateNodes."
}
query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
nodeGetEnclosingCallable(n) != nodeGetEnclosingCallable(n.getPreUpdateNode()) and
msg = "PostUpdateNode does not share callable with its pre-update node."
}
private predicate hasPost(Node n) { exists(PostUpdateNode post | post.getPreUpdateNode() = n) }
query predicate reverseRead(Node n, string msg) {
exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
msg = "Origin of readStep is missing a PostUpdateNode."
}
query predicate argHasPostUpdate(ArgumentNode n, string msg) {
not hasPost(n) and
not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
msg = "ArgumentNode is missing PostUpdateNode."
}
// This predicate helps the compiler forget that in some languages
// it is impossible for a `PostUpdateNode` to be the target of
// `simpleLocalFlowStep`.
private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
query predicate postWithInFlow(Node n, string msg) {
isPostUpdateNode(n) and
not clearsContent(n, _) and
simpleLocalFlowStep(_, n) and
not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
msg = "PostUpdateNode should not be the target of local flow."
}
query predicate viableImplInCallContextTooLarge(
DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
) {
callable = viableImplInCallContext(call, ctx) and
not callable = viableCallable(call) and
not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
}
query predicate uniqueParameterNodeAtPosition(
DataFlowCallable c, ParameterPosition pos, Node p, string msg
) {
not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
isParameterNode(p, c, pos) and
not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
msg = "Parameters with overlapping positions."
}
query predicate uniqueParameterNodePosition(
DataFlowCallable c, ParameterPosition pos, Node p, string msg
) {
not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
isParameterNode(p, c, pos) and
not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
msg = "Parameter node with multiple positions."
}
query predicate uniqueContentApprox(Content c, string msg) {
not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
msg = "Non-unique content approximation."
}
query predicate identityLocalStep(Node n, string msg) {
simpleLocalFlowStep(n, n) and
not any(ConsistencyConfiguration c).identityLocalStepExclude(n) and
msg = "Node steps to itself"
}
}
module Consistency = MakeConsistency<CppDataFlow, CppTaintTracking, Input>;

27
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
View File

@@ -2,7 +2,6 @@ private import cpp as Cpp
private import DataFlowUtil
private import semmle.code.cpp.ir.IR
private import DataFlowDispatch
private import DataFlowImplConsistency
private import semmle.code.cpp.ir.internal.IRCppLanguage
private import SsaInternals as Ssa
private import DataFlowImplCommon as DataFlowImplCommon
@@ -220,9 +219,10 @@ private module IndirectOperands {
int indirectionIndex;
IndirectOperandFromIRRepr() {
exists(Operand repr |
repr = Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex) and
nodeHasOperand(this, repr, indirectionIndex - 1)
exists(Operand repr, int indirectionIndexRepr |
Ssa::hasIRRepresentationOfIndirectOperand(operand, indirectionIndex, repr,
indirectionIndexRepr) and
nodeHasOperand(this, repr, indirectionIndexRepr)
)
}
@@ -262,9 +262,10 @@ private module IndirectInstructions {
int indirectionIndex;
IndirectInstructionFromIRRepr() {
exists(Instruction repr |
repr = Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex) and
nodeHasInstruction(this, repr, indirectionIndex - 1)
exists(Instruction repr, int indirectionIndexRepr |
Ssa::hasIRRepresentationOfIndirectInstruction(instr, indirectionIndex, repr,
indirectionIndexRepr) and
nodeHasInstruction(this, repr, indirectionIndexRepr)
)
}
@@ -690,7 +691,7 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { storeStepImpl(node1,
private predicate numberOfLoadsFromOperandRec(
Operand operandFrom, Operand operandTo, int ind, boolean certain
) {
exists(Instruction load | Ssa::isDereference(load, operandFrom) |
exists(Instruction load | Ssa::isDereference(load, operandFrom, _) |
operandTo = operandFrom and ind = 0 and certain = true
or
numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1, certain)
@@ -714,7 +715,7 @@ private predicate numberOfLoadsFromOperand(
) {
numberOfLoadsFromOperandRec(operandFrom, operandTo, n, certain)
or
not Ssa::isDereference(_, operandFrom) and
not Ssa::isDereference(_, operandFrom, _) and
not conversionFlow(operandFrom, _, _, _) and
operandFrom = operandTo and
n = 0 and
@@ -1011,14 +1012,6 @@ ContentApprox getContentApprox(Content c) {
)
}
private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
override predicate argHasPostUpdateExclude(ArgumentNode n) {
// The rules for whether an IR argument gets a post-update node are too
// complex to model here.
any()
}
}
/**
* A local flow relation that includes both local steps, read steps and
* argument-to-return flow through summarized functions.

124
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
View File

@@ -74,7 +74,7 @@ predicate hasRawIndirectOperand(Operand op, int indirectionIndex) {
type = getLanguageType(op) and
m = countIndirectionsForCppType(type) and
indirectionIndex = [1 .. m] and
not exists(getIRRepresentationOfIndirectOperand(op, indirectionIndex))
not hasIRRepresentationOfIndirectOperand(op, indirectionIndex, _, _)
)
}
@@ -88,7 +88,7 @@ predicate hasRawIndirectInstruction(Instruction instr, int indirectionIndex) {
type = getResultLanguageType(instr) and
m = countIndirectionsForCppType(type) and
indirectionIndex = [1 .. m] and
not exists(getIRRepresentationOfIndirectInstruction(instr, indirectionIndex))
not hasIRRepresentationOfIndirectInstruction(instr, indirectionIndex, _, _)
)
}
@@ -108,7 +108,7 @@ private newtype TDefOrUseImpl =
} or
TUseImpl(BaseSourceVariableInstruction base, Operand operand, int indirectionIndex) {
isUse(_, operand, base, _, indirectionIndex) and
not isDef(_, _, operand, _, _, _)
not isDef(true, _, operand, _, _, _)
} or
TGlobalUse(GlobalLikeVariable v, IRFunction f, int indirectionIndex) {
// Represents a final "use" of a global variable to ensure that
@@ -610,7 +610,7 @@ private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
hasOperandAndIndex(nTo, op2, indirectionIndex - 1) and
instr = op2.getDef() and
isDereference(instr, op1)
isDereference(instr, op1, _)
)
)
}
@@ -638,12 +638,24 @@ private predicate adjustForPointerArith(PostUpdateNode pun, UseOrPhi use) {
)
}
private predicate ssaFlowImpl(SsaDefOrUse defOrUse, Node nodeFrom, Node nodeTo, boolean uncertain) {
exists(UseOrPhi use |
/**
* Holds if `nodeFrom` flows to `nodeTo` because there is `def-use` or
* `use-use` flow from `defOrUse` to `use`.
*
* `uncertain` is `true` if the `defOrUse` is an uncertain definition.
*/
private predicate localSsaFlow(
SsaDefOrUse defOrUse, Node nodeFrom, UseOrPhi use, Node nodeTo, boolean uncertain
) {
nodeToDefOrUse(nodeFrom, defOrUse, uncertain) and
adjacentDefRead(defOrUse, use) and
useToNode(use, nodeTo) and
nodeFrom != nodeTo
}
private predicate ssaFlowImpl(SsaDefOrUse defOrUse, Node nodeFrom, Node nodeTo, boolean uncertain) {
exists(UseOrPhi use |
localSsaFlow(defOrUse, nodeFrom, use, nodeTo, uncertain)
or
// Initial global variable value to a first use
nodeFrom.(InitialGlobalValue).getGlobalDef() = defOrUse and
@@ -684,19 +696,99 @@ predicate ssaFlow(Node nodeFrom, Node nodeTo) {
)
}
private predicate isArgumentOfCallable(DataFlowCall call, ArgumentNode arg) {
arg.argumentOf(call, _)
private predicate isArgumentOfCallableInstruction(DataFlowCall call, Instruction instr) {
isArgumentOfCallableOperand(call, unique( | | getAUse(instr)))
}
/** Holds if there is def-use or use-use flow from `pun` to `nodeTo`. */
predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
exists(UseOrPhi use, Node preUpdate |
adjustForPointerArith(pun, use) and
useToNode(use, nodeTo) and
preUpdate = pun.getPreUpdateNode() and
not exists(DataFlowCall call |
isArgumentOfCallable(call, preUpdate) and isArgumentOfCallable(call, nodeTo)
private predicate isArgumentOfCallableOperand(DataFlowCall call, Operand operand) {
operand.(ArgumentOperand).getCall() = call
or
exists(FieldAddressInstruction fai |
fai.getObjectAddressOperand() = operand and
isArgumentOfCallableInstruction(call, fai)
)
or
exists(Instruction deref |
isArgumentOfCallableInstruction(call, deref) and
isDereference(deref, operand, _)
)
or
exists(Instruction instr |
isArgumentOfCallableInstruction(call, instr) and
conversionFlow(operand, instr, _, _)
)
}
private predicate isArgumentOfCallable(DataFlowCall call, Node n) {
isArgumentOfCallableOperand(call, n.asOperand())
or
exists(Operand op |
n.(IndirectOperand).hasOperandAndIndirectionIndex(op, _) and
isArgumentOfCallableOperand(call, op)
)
or
exists(Instruction instr |
n.(IndirectInstruction).hasInstructionAndIndirectionIndex(instr, _) and
isArgumentOfCallableInstruction(call, instr)
)
}
/**
* Holds if there is use-use flow from `pun`'s pre-update node to `n`.
*/
private predicate postUpdateNodeToFirstUse(PostUpdateNode pun, Node n) {
exists(UseOrPhi use |
adjustForPointerArith(pun, use) and
useToNode(use, n)
)
}
private predicate stepUntilNotInCall(DataFlowCall call, Node n1, Node n2) {
isArgumentOfCallable(call, n1) and
exists(Node mid | localSsaFlow(_, n1, _, mid, _) |
isArgumentOfCallable(call, mid) and
stepUntilNotInCall(call, mid, n2)
or
not isArgumentOfCallable(call, mid) and
mid = n2
)
}
bindingset[n1, n2]
pragma[inline_late]
private predicate isArgumentOfSameCall(DataFlowCall call, Node n1, Node n2) {
isArgumentOfCallable(call, n1) and isArgumentOfCallable(call, n2)
}
/**
* Holds if there is def-use or use-use flow from `pun` to `nodeTo`.
*
* Note: This is more complex than it sounds. Consider a call such as:
* ```cpp
* write_first_argument(x, x);
* sink(x);
* ```
* Assume flow comes out of the first argument to `write_first_argument`. We
* don't want flow to go to the `x` that's also an argument to
* `write_first_argument` (because we just flowed out of that function, and we
* don't want to flow back into it again).
*
* We do, however, want flow from the output argument to `x` on the next line, and
* similarly we want flow from the second argument of `write_first_argument` to `x`
* on the next line.
*/
predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
exists(Node preUpdate, Node mid |
preUpdate = pun.getPreUpdateNode() and
postUpdateNodeToFirstUse(pun, mid)
|
exists(DataFlowCall call |
isArgumentOfSameCall(call, preUpdate, mid) and
stepUntilNotInCall(call, mid, nodeTo)
)
or
not isArgumentOfSameCall(_, preUpdate, mid) and
nodeTo = mid
)
}

44
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
View File

@@ -320,10 +320,20 @@ private module IteratorIndirections {
}
}
predicate isDereference(Instruction deref, Operand address) {
any(Indirection ind).isAdditionalDereference(deref, address)
/**
* Holds if `deref` is the result of loading the value at the address
* represented by `address`.
*
* If `additional = true` then the dereference comes from an `Indirection`
* class (such as a call to an iterator's `operator*`), and if
* `additional = false` the dereference is a `LoadInstruction`.
*/
predicate isDereference(Instruction deref, Operand address, boolean additional) {
any(Indirection ind).isAdditionalDereference(deref, address) and
additional = true
or
deref.(LoadInstruction).getSourceAddressOperand() = address
deref.(LoadInstruction).getSourceAddressOperand() = address and
additional = false
}
predicate isWrite(Node0Impl value, Operand address, boolean certain) {
@@ -545,7 +555,7 @@ private module Cached {
isDef(_, value, iteratorDerefAddress, iteratorBase, numberOfLoads + 2, 0) and
isUse(_, iteratorAddress, iteratorBase, numberOfLoads + 1, 0) and
iteratorBase.getResultType() instanceof Interfaces::Iterator and
isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse()) and
isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse(), _) and
memory = read.getSideEffectOperand().getAnyDef()
)
}
@@ -781,11 +791,14 @@ private module Cached {
* instead associated with the operand returned by this predicate.
*/
cached
Operand getIRRepresentationOfIndirectOperand(Operand operand, int indirectionIndex) {
predicate hasIRRepresentationOfIndirectOperand(
Operand operand, int indirectionIndex, Operand operandRepr, int indirectionIndexRepr
) {
indirectionIndex = [1 .. countIndirectionsForCppType(getLanguageType(operand))] and
exists(Instruction load |
isDereference(load, operand) and
result = unique( | | getAUse(load)) and
isUseImpl(operand, _, indirectionIndex - 1)
isDereference(load, operand, false) and
operandRepr = unique( | | getAUse(load)) and
indirectionIndexRepr = indirectionIndex - 1
)
}
@@ -797,12 +810,15 @@ private module Cached {
* instead associated with the instruction returned by this predicate.
*/
cached
Instruction getIRRepresentationOfIndirectInstruction(Instruction instr, int indirectionIndex) {
predicate hasIRRepresentationOfIndirectInstruction(
Instruction instr, int indirectionIndex, Instruction instrRepr, int indirectionIndexRepr
) {
indirectionIndex = [1 .. countIndirectionsForCppType(getResultLanguageType(instr))] and
exists(Instruction load, Operand address |
address.getDef() = instr and
isDereference(load, address) and
isUseImpl(address, _, indirectionIndex - 1) and
result = load
isDereference(load, address, false) and
instrRepr = load and
indirectionIndexRepr = indirectionIndex - 1
)
}
@@ -823,7 +839,7 @@ private module Cached {
or
exists(int ind0 |
exists(Operand address |
isDereference(operand.getDef(), address) and
isDereference(operand.getDef(), address, _) and
isUseImpl(address, base, ind0)
)
or
@@ -893,7 +909,7 @@ private module Cached {
)
or
exists(Operand address, boolean certain0 |
isDereference(operand.getDef(), address) and
isDereference(operand.getDef(), address, _) and
isDefImpl(address, base, ind - 1, certain0)
|
if isCertainAddress(operand) then certain = certain0 else certain = false

2
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
View File

@@ -57,7 +57,7 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
)
or
// Taint flow from an address to its dereference.
Ssa::isDereference(instrTo, opFrom)
Ssa::isDereference(instrTo, opFrom, _)
or
// Unary instructions tend to preserve enough information in practice that we
// want taint to flow through.

10
cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll
View File

@@ -55,6 +55,7 @@ private newtype TOpcode =
TVariableAddress() or
TFieldAddress() or
TFunctionAddress() or
TVirtualDeleteFunctionAddress() or
TElementsAddress() or
TConstant() or
TStringConstant() or
@@ -887,6 +888,15 @@ module Opcode {
final override string toString() { result = "FunctionAddress" }
}
/**
* The `Opcode` for a `VirtualDeleteFunctionAddress`.
*
* See the `VirtualDeleteFunctionAddressInstruction` documentation for more details.
*/
class VirtualDeleteFunctionAddress extends Opcode, TVirtualDeleteFunctionAddress {
final override string toString() { result = "VirtualDeleteFunctionAddress" }
}
/**
* The `Opcode` for a `ConstantInstruction`.
*

16
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
View File

@@ -576,6 +576,22 @@ class FunctionAddressInstruction extends FunctionInstruction {
FunctionAddressInstruction() { this.getOpcode() instanceof Opcode::FunctionAddress }
}
/**
* An instruction that returns the address of a "virtual" delete function.
*
* This function, which does not actually exist in the source code, is used to
* delete objects of a class with a virtual destructor. In that case the deacllocation
* function is selected at runtime based on the dynamic type of the object. So this
* function dynamically dispatches to the correct deallocation function.
* It also should pass in the required extra arguments to the deallocation function
* which may differ dynamically depending on the type of the object.
*/
class VirtualDeleteFunctionAddressInstruction extends Instruction {
VirtualDeleteFunctionAddressInstruction() {
this.getOpcode() instanceof Opcode::VirtualDeleteFunctionAddress
}
}
/**
* An instruction that initializes a parameter of the enclosing function with the value of the
* corresponding argument passed by the caller.

16
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll
View File

@@ -576,6 +576,22 @@ class FunctionAddressInstruction extends FunctionInstruction {
FunctionAddressInstruction() { this.getOpcode() instanceof Opcode::FunctionAddress }
}
/**
* An instruction that returns the address of a "virtual" delete function.
*
* This function, which does not actually exist in the source code, is used to
* delete objects of a class with a virtual destructor. In that case the deacllocation
* function is selected at runtime based on the dynamic type of the object. So this
* function dynamically dispatches to the correct deallocation function.
* It also should pass in the required extra arguments to the deallocation function
* which may differ dynamically depending on the type of the object.
*/
class VirtualDeleteFunctionAddressInstruction extends Instruction {
VirtualDeleteFunctionAddressInstruction() {
this.getOpcode() instanceof Opcode::VirtualDeleteFunctionAddress
}
}
/**
* An instruction that initializes a parameter of the enclosing function with the value of the
* corresponding argument passed by the caller.

8
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
View File

@@ -120,9 +120,9 @@ private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buff
}
/**
* A `Call` or `NewOrNewArrayExpr`.
* A `Call` or `NewOrNewArrayExpr` or `DeleteOrDeleteArrayExpr`.
*
* Both kinds of expression invoke a function as part of their evaluation. This class provides a
* All kinds of expression invoke a function as part of their evaluation. This class provides a
* way to treat both kinds of function similarly, and to get the invoked `Function`.
*/
class CallOrAllocationExpr extends Expr {
@@ -130,6 +130,8 @@ class CallOrAllocationExpr extends Expr {
this instanceof Call
or
this instanceof NewOrNewArrayExpr
or
this instanceof DeleteOrDeleteArrayExpr
}
/** Gets the `Function` invoked by this expression, if known. */
@@ -137,6 +139,8 @@ class CallOrAllocationExpr extends Expr {
result = this.(Call).getTarget()
or
result = this.(NewOrNewArrayExpr).getAllocator()
or
result = this.(DeleteOrDeleteArrayExpr).getDeallocator()
}
}

3
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
View File

@@ -350,6 +350,9 @@ class TranslatedCallSideEffects extends TranslatedSideEffects, TTranslatedCallSi
or
expr instanceof NewOrNewArrayExpr and
result = getTranslatedAllocatorCall(expr).getInstruction(CallTag())
or
expr instanceof DeleteOrDeleteArrayExpr and
result = getTranslatedDeleteOrDeleteArray(expr).getInstruction(CallTag())
}
}

29
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
View File

@@ -77,17 +77,17 @@ private predicate ignoreExprAndDescendants(Expr expr) {
newExpr.getInitializer().getFullyConverted() = expr
)
or
exists(DeleteOrDeleteArrayExpr deleteExpr |
// Ignore the deallocator call, because we always synthesize it.
deleteExpr.getDeallocatorCall() = expr
)
or
// Do not translate input/output variables in GNU asm statements
// getRealParent(expr) instanceof AsmStmt
// or
ignoreExprAndDescendants(getRealParent(expr)) // recursive case
or
// We do not yet translate destructors properly, so for now we ignore any
// custom deallocator call, if present.
exists(DeleteExpr deleteExpr | deleteExpr.getDeallocatorCall() = expr)
or
exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getDeallocatorCall() = expr)
or
// va_start doesn't evaluate its argument, so we don't need to translate it.
exists(BuiltInVarArgsStart vaStartExpr |
vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
)
@@ -104,6 +104,12 @@ private predicate ignoreExprOnly(Expr expr) {
newExpr.getAllocatorCall() = expr
)
or
exists(DeleteOrDeleteArrayExpr deleteExpr |
// Ignore the destructor call as we don't model it yet. Don't ignore
// its arguments, though, as they are the arguments to the deallocator.
deleteExpr.getDestructorCall() = expr
)
or
// The extractor deliberately emits an `ErrorExpr` as the first argument to
// the allocator call, if any, of a `NewOrNewArrayExpr`. That `ErrorExpr`
// should not be translated.
@@ -111,13 +117,6 @@ private predicate ignoreExprOnly(Expr expr) {
or
not translateFunction(getEnclosingFunction(expr)) and
not Raw::varHasIRFunc(getEnclosingVariable(expr))
or
// We do not yet translate destructors properly, so for now we ignore the
// destructor call. We do, however, translate the expression being
// destructed, and that expression can be a child of the destructor call.
exists(DeleteExpr deleteExpr | deleteExpr.getDestructorCall() = expr)
or
exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getDestructorCall() = expr)
}
/**
@@ -416,7 +415,9 @@ predicate hasTranslatedLoad(Expr expr) {
not ignoreExpr(expr) and
not isNativeCondition(expr) and
not isFlexibleCondition(expr) and
not ignoreLoad(expr)
not ignoreLoad(expr) and
// don't insert a load since we'll just substitute the constant value.
not isIRConstant(expr)
}
/**

132
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
View File

@@ -2017,6 +2017,66 @@ TranslatedAllocatorCall getTranslatedAllocatorCall(NewOrNewArrayExpr newExpr) {
result.getAst() = newExpr
}
/**
* The IR translation of a `delete` or `delete[]`
* expression.
*/
class TranslatedDeleteOrDeleteArrayExpr extends TranslatedNonConstantExpr, TranslatedCall {
override DeleteOrDeleteArrayExpr expr;
final override Instruction getFirstCallTargetInstruction() {
result = this.getInstruction(CallTargetTag())
}
final override Instruction getCallTargetResult() { result = this.getInstruction(CallTargetTag()) }
override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
TranslatedCall.super.hasInstruction(opcode, tag, resultType)
or
tag = CallTargetTag() and
resultType = getFunctionGLValueType() and
if exists(expr.getDeallocator())
then opcode instanceof Opcode::FunctionAddress
else opcode instanceof Opcode::VirtualDeleteFunctionAddress
}
override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
result = TranslatedCall.super.getInstructionSuccessor(tag, kind)
or
tag = CallTargetTag() and
kind instanceof GotoEdge and
result = this.getFirstArgumentOrCallInstruction()
}
override Function getInstructionFunction(InstructionTag tag) {
tag = CallTargetTag() and result = expr.getDeallocator()
}
final override Type getCallResultType() { result = expr.getType() }
final override TranslatedExpr getQualifier() { none() }
final override predicate hasArguments() {
// All deallocator calls have at least one argument.
any()
}
final override int getNumberOfArguments() {
// We ignore the other arguments for now as we would have to synthesize them.
result = 1
}
final override TranslatedExpr getArgument(int index) {
// The only argument we define is the pointer to be deallocated.
index = 0 and
result = getTranslatedExpr(expr.getExpr().getFullyConverted())
}
}
TranslatedDeleteOrDeleteArrayExpr getTranslatedDeleteOrDeleteArray(DeleteOrDeleteArrayExpr newExpr) {
result.getAst() = newExpr
}
/**
* Abstract class implemented by any `TranslatedElement` that has a child
* expression that is a call to a constructor or destructor, in order to
@@ -2954,78 +3014,6 @@ class TranslatedNewArrayExpr extends TranslatedNewOrNewArrayExpr {
}
}
/**
* A placeholder for the translation of a `delete[]` expression.
*
* Proper translation is not yet implemented, but this stub implementation
* ensures that code following a `delete[]` is not unreachable.
*/
class TranslatedDeleteArrayExprPlaceHolder extends TranslatedSingleInstructionExpr {
override DeleteArrayExpr expr;
final override Instruction getFirstInstruction() {
result = this.getOperand().getFirstInstruction()
}
final override TranslatedElement getChild(int id) { id = 0 and result = this.getOperand() }
final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
tag = OnlyInstructionTag() and
result = this.getParent().getChildSuccessor(this) and
kind instanceof GotoEdge
}
final override Instruction getChildSuccessor(TranslatedElement child) {
child = this.getOperand() and result = this.getInstruction(OnlyInstructionTag())
}
final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
none()
}
final override Opcode getOpcode() { result instanceof Opcode::NoOp }
private TranslatedExpr getOperand() {
result = getTranslatedExpr(expr.getExpr().getFullyConverted())
}
}
/**
* A placeholder for the translation of a `delete` expression.
*
* Proper translation is not yet implemented, but this stub implementation
* ensures that code following a `delete` is not unreachable.
*/
class TranslatedDeleteExprPlaceHolder extends TranslatedSingleInstructionExpr {
override DeleteExpr expr;
final override Instruction getFirstInstruction() {
result = this.getOperand().getFirstInstruction()
}
final override TranslatedElement getChild(int id) { id = 0 and result = this.getOperand() }
final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
tag = OnlyInstructionTag() and
result = this.getParent().getChildSuccessor(this) and
kind instanceof GotoEdge
}
final override Instruction getChildSuccessor(TranslatedElement child) {
child = this.getOperand() and result = this.getInstruction(OnlyInstructionTag())
}
final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
none()
}
final override Opcode getOpcode() { result instanceof Opcode::NoOp }
private TranslatedExpr getOperand() {
result = getTranslatedExpr(expr.getExpr().getFullyConverted())
}
}
/**
* The IR translation of a `ConditionDeclExpr`, which represents the value of the declared variable
* after conversion to `bool` in code such as:

16
cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
View File

@@ -576,6 +576,22 @@ class FunctionAddressInstruction extends FunctionInstruction {
FunctionAddressInstruction() { this.getOpcode() instanceof Opcode::FunctionAddress }
}
/**
* An instruction that returns the address of a "virtual" delete function.
*
* This function, which does not actually exist in the source code, is used to
* delete objects of a class with a virtual destructor. In that case the deacllocation
* function is selected at runtime based on the dynamic type of the object. So this
* function dynamically dispatches to the correct deallocation function.
* It also should pass in the required extra arguments to the deallocation function
* which may differ dynamically depending on the type of the object.
*/
class VirtualDeleteFunctionAddressInstruction extends Instruction {
VirtualDeleteFunctionAddressInstruction() {
this.getOpcode() instanceof Opcode::VirtualDeleteFunctionAddress
}
}
/**
* An instruction that initializes a parameter of the enclosing function with the value of the
* corresponding argument passed by the caller.

12
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,15 @@
## 0.7.4
### New Queries
* Added a new query, `cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
### Minor Analysis Improvements
* The "Comparison where assignment was intended" query (`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions.
* Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result.
* The `cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.
## 0.7.3
No user-facing changes.

4
cpp/ql/src/change-notes/2023-08-21-invalid-pointer-deref.md
View File

@@ -1,4 +0,0 @@
---
category: newQuery
---
* Added a new query, `cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.

4
cpp/ql/src/change-notes/2023-08-24-no-taint-argv-indirections.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result.

4
cpp/ql/src/change-notes/2023-08-24-remove-non-constant-assign-sources.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.

4
cpp/ql/src/change-notes/2023-08-25-compare-where-assign-meant.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The "Comparison where assignment was intended" query (`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions.

11
cpp/ql/src/change-notes/released/0.7.4.md Normal file
View File

@@ -0,0 +1,11 @@
## 0.7.4
### New Queries
* Added a new query, `cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
### Minor Analysis Improvements
* The "Comparison where assignment was intended" query (`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions.
* Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result.
* The `cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.3
lastReleaseVersion: 0.7.4

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.7.4-dev
version: 0.7.4
groups:
- cpp
- queries

41
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
View File

@@ -9,44 +9,35 @@ edges
| test.cpp:22:5:22:7 | arr indirection [p] | test.cpp:19:9:19:16 | mk_array indirection [p] |
| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:31:9:31:11 | arr indirection [p] |
| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:35:9:35:11 | arr indirection [p] |
| test.cpp:31:9:31:11 | arr indirection [p] | test.cpp:31:13:31:13 | p indirection |
| test.cpp:31:13:31:13 | p indirection | test.cpp:31:13:31:13 | p |
| test.cpp:35:9:35:11 | arr indirection [p] | test.cpp:35:13:35:13 | p indirection |
| test.cpp:35:13:35:13 | p indirection | test.cpp:35:13:35:13 | p |
| test.cpp:31:9:31:11 | arr indirection [p] | test.cpp:31:13:31:13 | p |
| test.cpp:35:9:35:11 | arr indirection [p] | test.cpp:35:13:35:13 | p |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:41:9:41:11 | arr indirection [p] |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:45:9:45:11 | arr indirection [p] |
| test.cpp:41:9:41:11 | arr indirection [p] | test.cpp:41:13:41:13 | p indirection |
| test.cpp:41:13:41:13 | p indirection | test.cpp:41:13:41:13 | p |
| test.cpp:45:9:45:11 | arr indirection [p] | test.cpp:45:13:45:13 | p indirection |
| test.cpp:45:13:45:13 | p indirection | test.cpp:45:13:45:13 | p |
| test.cpp:41:9:41:11 | arr indirection [p] | test.cpp:41:13:41:13 | p |
| test.cpp:45:9:45:11 | arr indirection [p] | test.cpp:45:13:45:13 | p |
| test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] |
| test.cpp:55:5:55:24 | ... = ... | test.cpp:55:9:55:9 | arr indirection [post update] [p] |
| test.cpp:55:9:55:9 | arr indirection [post update] [p] | test.cpp:56:5:56:7 | arr indirection [p] |
| test.cpp:55:13:55:18 | call to malloc | test.cpp:55:5:55:24 | ... = ... |
| test.cpp:56:5:56:7 | arr indirection [p] | test.cpp:59:9:59:11 | arr indirection [p] |
| test.cpp:56:5:56:7 | arr indirection [p] | test.cpp:63:9:63:11 | arr indirection [p] |
| test.cpp:59:9:59:11 | arr indirection [p] | test.cpp:59:13:59:13 | p indirection |
| test.cpp:59:13:59:13 | p indirection | test.cpp:59:13:59:13 | p |
| test.cpp:63:9:63:11 | arr indirection [p] | test.cpp:63:13:63:13 | p indirection |
| test.cpp:63:13:63:13 | p indirection | test.cpp:63:13:63:13 | p |
| test.cpp:59:9:59:11 | arr indirection [p] | test.cpp:59:13:59:13 | p |
| test.cpp:63:9:63:11 | arr indirection [p] | test.cpp:63:13:63:13 | p |
| test.cpp:67:10:67:19 | mk_array_p indirection [p] | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] |
| test.cpp:67:10:67:19 | mk_array_p indirection [p] | test.cpp:98:18:98:27 | call to mk_array_p indirection [p] |
| test.cpp:69:5:69:25 | ... = ... | test.cpp:69:10:69:10 | arr indirection [post update] [p] |
| test.cpp:69:10:69:10 | arr indirection [post update] [p] | test.cpp:70:5:70:7 | arr indirection [p] |
| test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | ... = ... |
| test.cpp:70:5:70:7 | arr indirection [p] | test.cpp:67:10:67:19 | mk_array_p indirection [p] |
| test.cpp:70:5:70:7 | arr indirection [p] | test.cpp:70:5:70:7 | arr indirection [p] |
| test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | test.cpp:79:9:79:11 | arr indirection [p] |
| test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | test.cpp:83:9:83:11 | arr indirection [p] |
| test.cpp:79:9:79:11 | arr indirection [p] | test.cpp:79:14:79:14 | p indirection |
| test.cpp:79:14:79:14 | p indirection | test.cpp:79:14:79:14 | p |
| test.cpp:83:9:83:11 | arr indirection [p] | test.cpp:83:14:83:14 | p indirection |
| test.cpp:83:14:83:14 | p indirection | test.cpp:83:14:83:14 | p |
| test.cpp:79:9:79:11 | arr indirection [p] | test.cpp:79:14:79:14 | p |
| test.cpp:83:9:83:11 | arr indirection [p] | test.cpp:83:14:83:14 | p |
| test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:89:9:89:11 | arr indirection [p] |
| test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:93:9:93:11 | arr indirection [p] |
| test.cpp:89:9:89:11 | arr indirection [p] | test.cpp:89:14:89:14 | p indirection |
| test.cpp:89:14:89:14 | p indirection | test.cpp:89:14:89:14 | p |
| test.cpp:93:9:93:11 | arr indirection [p] | test.cpp:93:14:93:14 | p indirection |
| test.cpp:93:14:93:14 | p indirection | test.cpp:93:14:93:14 | p |
| test.cpp:89:9:89:11 | arr indirection [p] | test.cpp:89:14:89:14 | p |
| test.cpp:93:9:93:11 | arr indirection [p] | test.cpp:93:14:93:14 | p |
| test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | test.cpp:87:28:87:30 | arr indirection [p] |
nodes
| test.cpp:4:17:4:22 | call to malloc | semmle.label | call to malloc |
@@ -60,17 +51,13 @@ nodes
| test.cpp:28:19:28:26 | call to mk_array [p] | semmle.label | call to mk_array [p] |
| test.cpp:31:9:31:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:31:13:31:13 | p | semmle.label | p |
| test.cpp:31:13:31:13 | p indirection | semmle.label | p indirection |
| test.cpp:35:9:35:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:35:13:35:13 | p | semmle.label | p |
| test.cpp:35:13:35:13 | p indirection | semmle.label | p indirection |
| test.cpp:39:27:39:29 | arr [p] | semmle.label | arr [p] |
| test.cpp:41:9:41:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:41:13:41:13 | p | semmle.label | p |
| test.cpp:41:13:41:13 | p indirection | semmle.label | p indirection |
| test.cpp:45:9:45:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:45:13:45:13 | p | semmle.label | p |
| test.cpp:45:13:45:13 | p indirection | semmle.label | p indirection |
| test.cpp:50:18:50:25 | call to mk_array [p] | semmle.label | call to mk_array [p] |
| test.cpp:55:5:55:24 | ... = ... | semmle.label | ... = ... |
| test.cpp:55:9:55:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
@@ -78,10 +65,8 @@ nodes
| test.cpp:56:5:56:7 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:59:9:59:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:59:13:59:13 | p | semmle.label | p |
| test.cpp:59:13:59:13 | p indirection | semmle.label | p indirection |
| test.cpp:63:9:63:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:63:13:63:13 | p | semmle.label | p |
| test.cpp:63:13:63:13 | p indirection | semmle.label | p indirection |
| test.cpp:67:10:67:19 | mk_array_p indirection [p] | semmle.label | mk_array_p indirection [p] |
| test.cpp:69:5:69:25 | ... = ... | semmle.label | ... = ... |
| test.cpp:69:10:69:10 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
@@ -90,17 +75,13 @@ nodes
| test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | semmle.label | call to mk_array_p indirection [p] |
| test.cpp:79:9:79:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:79:14:79:14 | p | semmle.label | p |
| test.cpp:79:14:79:14 | p indirection | semmle.label | p indirection |
| test.cpp:83:9:83:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:83:14:83:14 | p | semmle.label | p |
| test.cpp:83:14:83:14 | p indirection | semmle.label | p indirection |
| test.cpp:87:28:87:30 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:89:9:89:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:89:14:89:14 | p | semmle.label | p |
| test.cpp:89:14:89:14 | p indirection | semmle.label | p indirection |
| test.cpp:93:9:93:11 | arr indirection [p] | semmle.label | arr indirection [p] |
| test.cpp:93:14:93:14 | p | semmle.label | p |
| test.cpp:93:14:93:14 | p indirection | semmle.label | p indirection |
| test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | semmle.label | call to mk_array_p indirection [p] |
subpaths
#select

2
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
View File

@@ -1,4 +1,4 @@
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:10,8-47)
WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:21,3-28)
failures
testFailures
failures

14
cpp/ql/test/library-tests/dataflow/dataflow-tests/self_argument_flow.cpp Normal file
View File

@@ -0,0 +1,14 @@
namespace {
struct Foo {
char string[10];
};
void acquire(char*);
Foo* test_self_argument_flow() {
Foo *info;
acquire(info->string); // clean
return info;
}
}

8
cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
View File

@@ -789,3 +789,11 @@ void test_sometimes_calls_sink_switch() {
sometimes_calls_sink_switch(0, 0);
sometimes_calls_sink_switch(source(), 0);
}
void intPointerSource(int *ref_source, const int* another_arg);
void test() {
MyStruct a;
intPointerSource(a.content, a.content);
indirect_sink(a.content); // $ ast ir
}

2
cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
View File

@@ -5,5 +5,5 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (test.
WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:40,25-33)
WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:42,17-25)
WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:46,20-28)
failures
testFailures
failures

2
cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_argument_flow.expected Normal file
View File

@@ -0,0 +1,2 @@
testFailures
failures

33
cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_argument_flow.ql Normal file
View File

@@ -0,0 +1,33 @@
import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import TestUtilities.InlineExpectationsTest
module TestConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source.getLocation().getFile().getBaseName() = "self_argument_flow.cpp" and
source.asDefiningArgument() =
any(Call call | call.getTarget().hasName("acquire")).getAnArgument()
}
predicate isSink(DataFlow::Node sink) {
sink.asIndirectArgument() = any(Call call | call.getTarget().hasName("acquire")).getAnArgument()
}
}
import DataFlow::Global<TestConfig>
module TestSelfArgumentFlow implements TestSig {
string getARelevantTag() { result = "self-arg-flow" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(DataFlow::Node sink |
flowTo(sink) and
location = sink.getLocation() and
element = sink.toString() and
tag = "self-arg-flow" and
value = ""
)
}
}
import MakeTest<TestSelfArgumentFlow>

5
cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
View File

@@ -14,6 +14,8 @@
| ref.cpp:120:17:120:18 | x3 | ref.cpp:129:10:129:11 | x3 |
| ref.cpp:120:21:120:22 | x4 | ref.cpp:131:15:131:16 | x4 |
| ref.cpp:120:21:120:22 | x4 | ref.cpp:132:10:132:11 | x4 |
| self_argument_flow.cpp:9:10:9:13 | info | self_argument_flow.cpp:10:13:10:16 | info |
| self_argument_flow.cpp:9:10:9:13 | info | self_argument_flow.cpp:12:12:12:15 | info |
| test.cpp:75:7:75:8 | u1 | test.cpp:76:8:76:9 | u1 |
| test.cpp:83:7:83:8 | u2 | test.cpp:84:13:84:14 | u2 |
| test.cpp:83:7:83:8 | u2 | test.cpp:85:8:85:9 | u2 |
@@ -44,3 +46,6 @@
| test.cpp:595:8:595:9 | xs | test.cpp:597:9:597:10 | xs |
| test.cpp:733:7:733:7 | x | test.cpp:734:41:734:41 | x |
| test.cpp:733:7:733:7 | x | test.cpp:735:8:735:8 | x |
| test.cpp:796:12:796:12 | a | test.cpp:797:20:797:20 | a |
| test.cpp:796:12:796:12 | a | test.cpp:797:31:797:31 | a |
| test.cpp:796:12:796:12 | a | test.cpp:798:17:798:17 | a |

2
cpp/ql/test/library-tests/dataflow/fields/flow.expected
View File

@@ -1,2 +1,2 @@
failures
testFailures
failures

374
cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
View File

@@ -3,5 +3,5 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (taint
WARNING: Module DataFlow has been deprecated and may be removed in future (taint.ql:61,22-30)
WARNING: Module DataFlow has been deprecated and may be removed in future (taint.ql:68,25-33)
WARNING: Module TaintTracking has been deprecated and may be removed in future (taint.ql:73,20-33)
failures
testFailures
failures

187
cpp/ql/test/library-tests/ir/ir/PrintAST.expected
View File

@@ -15553,6 +15553,193 @@ ir.cpp:
# 2030| Type = [IntType] int
# 2030| ValueCategory = prvalue
# 2031| getStmt(2): [ReturnStmt] return ...
# 2033| [TopLevelFunction] void NewDeleteMem()
# 2033| <params>:
# 2033| getEntryPoint(): [BlockStmt] { ... }
# 2034| getStmt(0): [DeclStmt] declaration
# 2034| getDeclarationEntry(0): [VariableDeclarationEntry] definition of x
# 2034| Type = [IntPointerType] int *
# 2034| getVariable().getInitializer(): [Initializer] initializer for x
# 2034| getExpr(): [NewExpr] new
# 2034| Type = [IntPointerType] int *
# 2034| ValueCategory = prvalue
# 2035| getStmt(1): [ExprStmt] ExprStmt
# 2035| getExpr(): [AssignExpr] ... = ...
# 2035| Type = [IntType] int
# 2035| ValueCategory = lvalue
# 2035| getLValue(): [PointerDereferenceExpr] * ...
# 2035| Type = [IntType] int
# 2035| ValueCategory = lvalue
# 2035| getOperand(): [VariableAccess] x
# 2035| Type = [IntPointerType] int *
# 2035| ValueCategory = prvalue(load)
# 2035| getRValue(): [Literal] 6
# 2035| Type = [IntType] int
# 2035| Value = [Literal] 6
# 2035| ValueCategory = prvalue
# 2036| getStmt(2): [ExprStmt] ExprStmt
# 2036| getExpr(): [DeleteExpr] delete
# 2036| Type = [VoidType] void
# 2036| ValueCategory = prvalue
# 2036| getExpr(): [VariableAccess] x
# 2036| Type = [IntPointerType] int *
# 2036| ValueCategory = prvalue(load)
# 2037| getStmt(3): [ReturnStmt] return ...
# 2039| [CopyAssignmentOperator] Base2& Base2::operator=(Base2 const&)
# 2039| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const Base2 &
# 2039| [Constructor] void Base2::Base2()
# 2039| <params>:
# 2039| <initializations>:
# 2039| getEntryPoint(): [BlockStmt] { ... }
# 2039| getStmt(0): [ReturnStmt] return ...
# 2039| [CopyConstructor] void Base2::Base2(Base2 const&)
# 2039| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const Base2 &
# 2041| [MemberFunction] void Base2::operator delete(void*)
# 2041| <params>:
# 2041| getParameter(0): [Parameter] p
# 2041| Type = [VoidPointerType] void *
# 2041| getEntryPoint(): [BlockStmt] { ... }
# 2042| getStmt(0): [ReturnStmt] return ...
# 2043| [Destructor,VirtualFunction] void Base2::~Base2()
# 2043| <params>:
# 2043| getEntryPoint(): [BlockStmt] { ... }
# 2043| getStmt(0): [ReturnStmt] return ...
# 2043| <destructions>:
# 2046| [CopyAssignmentOperator] Derived2& Derived2::operator=(Derived2 const&)
# 2046| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const Derived2 &
# 2046| [Constructor] void Derived2::Derived2()
# 2046| <params>:
# 2046| <initializations>:
# 2046| getInitializer(0): [ConstructorDirectInit] call to Base2
# 2046| Type = [VoidType] void
# 2046| ValueCategory = prvalue
# 2046| getEntryPoint(): [BlockStmt] { ... }
# 2046| getStmt(0): [ReturnStmt] return ...
# 2046| [CopyConstructor] void Derived2::Derived2(Derived2 const&)
# 2046| <params>:
#-----| getParameter(0): [Parameter] (unnamed parameter 0)
#-----| Type = [LValueReferenceType] const Derived2 &
# 2049| [Destructor,VirtualFunction] void Derived2::~Derived2()
# 2049| <params>:
# 2049| getEntryPoint(): [BlockStmt] { ... }
# 2049| getStmt(0): [ReturnStmt] return ...
# 2049| <destructions>:
# 2049| getDestruction(0): [DestructorDirectDestruction] call to ~Base2
# 2049| Type = [VoidType] void
# 2049| ValueCategory = prvalue
# 2051| [MemberFunction] void Derived2::operator delete(void*)
# 2051| <params>:
# 2051| getParameter(0): [Parameter] p
# 2051| Type = [VoidPointerType] void *
# 2051| getEntryPoint(): [BlockStmt] { ... }
# 2052| getStmt(0): [ReturnStmt] return ...
# 2056| [TopLevelFunction] int virtual_delete()
# 2056| <params>:
# 2057| getEntryPoint(): [BlockStmt] { ... }
# 2058| getStmt(0): [DeclStmt] declaration
# 2058| getDeclarationEntry(0): [VariableDeclarationEntry] definition of b1
# 2058| Type = [PointerType] Base2 *
# 2058| getVariable().getInitializer(): [Initializer] initializer for b1
# 2058| getExpr(): [NewExpr] new
# 2058| Type = [PointerType] Base2 *
# 2058| ValueCategory = prvalue
# 2058| getInitializer(): [ConstructorCall] call to Base2
# 2058| Type = [VoidType] void
# 2058| ValueCategory = prvalue
# 2059| getStmt(1): [ExprStmt] ExprStmt
# 2059| getExpr(): [DeleteExpr] delete
# 2059| Type = [VoidType] void
# 2059| ValueCategory = prvalue
# 2059| getDeallocatorCall(): [FunctionCall] call to operator delete
# 2059| Type = [VoidType] void
# 2059| ValueCategory = prvalue
# 2059| getDestructorCall(): [DestructorCall] call to ~Base2
# 2059| Type = [VoidType] void
# 2059| ValueCategory = prvalue
# 2059| getQualifier(): [VariableAccess] b1
# 2059| Type = [PointerType] Base2 *
# 2059| ValueCategory = prvalue(load)
# 2061| getStmt(2): [DeclStmt] declaration
# 2061| getDeclarationEntry(0): [VariableDeclarationEntry] definition of b2
# 2061| Type = [PointerType] Base2 *
# 2061| getVariable().getInitializer(): [Initializer] initializer for b2
# 2061| getExpr(): [NewExpr] new
# 2061| Type = [PointerType] Derived2 *
# 2061| ValueCategory = prvalue
# 2061| getInitializer(): [ConstructorCall] call to Derived2
# 2061| Type = [VoidType] void
# 2061| ValueCategory = prvalue
# 2061| getExpr().getFullyConverted(): [CStyleCast] (Base2 *)...
# 2061| Conversion = [BaseClassConversion] base class conversion
# 2061| Type = [PointerType] Base2 *
# 2061| ValueCategory = prvalue
# 2062| getStmt(3): [ExprStmt] ExprStmt
# 2062| getExpr(): [DeleteExpr] delete
# 2062| Type = [VoidType] void
# 2062| ValueCategory = prvalue
# 2062| getDeallocatorCall(): [FunctionCall] call to operator delete
# 2062| Type = [VoidType] void
# 2062| ValueCategory = prvalue
# 2062| getDestructorCall(): [DestructorCall] call to ~Base2
# 2062| Type = [VoidType] void
# 2062| ValueCategory = prvalue
# 2062| getQualifier(): [VariableAccess] b2
# 2062| Type = [PointerType] Base2 *
# 2062| ValueCategory = prvalue(load)
# 2064| getStmt(4): [DeclStmt] declaration
# 2064| getDeclarationEntry(0): [VariableDeclarationEntry] definition of d
# 2064| Type = [PointerType] Derived2 *
# 2064| getVariable().getInitializer(): [Initializer] initializer for d
# 2064| getExpr(): [NewExpr] new
# 2064| Type = [PointerType] Derived2 *
# 2064| ValueCategory = prvalue
# 2064| getInitializer(): [ConstructorCall] call to Derived2
# 2064| Type = [VoidType] void
# 2064| ValueCategory = prvalue
# 2065| getStmt(5): [ExprStmt] ExprStmt
# 2065| getExpr(): [DeleteExpr] delete
# 2065| Type = [VoidType] void
# 2065| ValueCategory = prvalue
# 2065| getDeallocatorCall(): [FunctionCall] call to operator delete
# 2065| Type = [VoidType] void
# 2065| ValueCategory = prvalue
# 2065| getDestructorCall(): [DestructorCall] call to ~Derived2
# 2065| Type = [VoidType] void
# 2065| ValueCategory = prvalue
# 2065| getQualifier(): [VariableAccess] d
# 2065| Type = [PointerType] Derived2 *
# 2065| ValueCategory = prvalue(load)
# 2066| getStmt(6): [ReturnStmt] return ...
# 2068| [TopLevelFunction] void test_constant_folding_use(int)
# 2068| <params>:
# 2068| getParameter(0): [Parameter] (unnamed parameter 0)
# 2068| Type = [IntType] int
# 2070| [TopLevelFunction] void test_constant_folding()
# 2070| <params>:
# 2070| getEntryPoint(): [BlockStmt] { ... }
# 2071| getStmt(0): [DeclStmt] declaration
# 2071| getDeclarationEntry(0): [VariableDeclarationEntry] definition of x
# 2071| Type = [SpecifiedType] const int
# 2071| getVariable().getInitializer(): [Initializer] initializer for x
# 2071| getExpr(): [Literal] 116
# 2071| Type = [IntType] int
# 2071| Value = [Literal] 116
# 2071| ValueCategory = prvalue
# 2072| getStmt(1): [ExprStmt] ExprStmt
# 2072| getExpr(): [FunctionCall] call to test_constant_folding_use
# 2072| Type = [VoidType] void
# 2072| ValueCategory = prvalue
# 2072| getArgument(0): [VariableAccess] x
# 2072| Type = [IntType] int
# 2072| Value = [VariableAccess] 116
# 2072| ValueCategory = prvalue(load)
# 2073| getStmt(2): [ReturnStmt] return ...
perf-regression.cpp:
# 4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
# 4| <params>:

42
cpp/ql/test/library-tests/ir/ir/ir.cpp
View File

@@ -2030,4 +2030,46 @@ unsigned int CommaTest(unsigned int x) {
(CommaTestHelper(x), 10);
}
void NewDeleteMem() {
int* x = new int; // No constructor
*x = 6;
delete x;
}
class Base2 {
public:
void operator delete(void* p) {
}
virtual ~Base2() {};
};
class Derived2 : public Base2 {
int i;
public:
~Derived2() {};
void operator delete(void* p) {
}
};
// Delete is kind-of virtual in these cases
int virtual_delete()
{
Base2* b1 = new Base2{};
delete b1;
Base2* b2 = new Derived2{};
delete b2;
Derived2* d = new Derived2{};
delete d;
}
void test_constant_folding_use(int);
void test_constant_folding() {
const int x = 116;
test_constant_folding_use(x);
}
// semmle-extractor-options: -std=c++17 --clang

234
cpp/ql/test/library-tests/ir/ir/operand_locations.expected
View File

@@ -4887,10 +4887,60 @@
| ir.cpp:1011:12:1011:12 | Unary | r1011_3 |
| ir.cpp:1015:6:1015:19 | ChiPartial | partial:m1015_3 |
| ir.cpp:1015:6:1015:19 | ChiTotal | total:m1015_2 |
| ir.cpp:1015:6:1015:19 | SideEffect | m1015_3 |
| ir.cpp:1015:6:1015:19 | SideEffect | ~m1020_5 |
| ir.cpp:1016:3:1016:35 | CallTarget | func:r1016_1 |
| ir.cpp:1016:3:1016:35 | ChiPartial | partial:m1016_4 |
| ir.cpp:1016:3:1016:35 | ChiTotal | total:m1015_4 |
| ir.cpp:1016:3:1016:35 | SideEffect | ~m1015_4 |
| ir.cpp:1016:10:1016:35 | Arg(0) | 0:r1016_2 |
| ir.cpp:1017:3:1017:38 | CallTarget | func:r1017_1 |
| ir.cpp:1017:3:1017:38 | ChiPartial | partial:m1017_4 |
| ir.cpp:1017:3:1017:38 | ChiTotal | total:m1016_5 |
| ir.cpp:1017:3:1017:38 | SideEffect | ~m1016_5 |
| ir.cpp:1017:10:1017:38 | Arg(0) | 0:r1017_2 |
| ir.cpp:1018:3:1018:44 | CallTarget | func:r1018_1 |
| ir.cpp:1018:3:1018:44 | ChiPartial | partial:m1018_4 |
| ir.cpp:1018:3:1018:44 | ChiTotal | total:m1017_5 |
| ir.cpp:1018:3:1018:44 | SideEffect | ~m1017_5 |
| ir.cpp:1018:10:1018:44 | Arg(0) | 0:r1018_2 |
| ir.cpp:1019:3:1019:43 | CallTarget | func:r1019_1 |
| ir.cpp:1019:3:1019:43 | ChiPartial | partial:m1019_4 |
| ir.cpp:1019:3:1019:43 | ChiTotal | total:m1018_5 |
| ir.cpp:1019:3:1019:43 | SideEffect | ~m1018_5 |
| ir.cpp:1019:10:1019:43 | Arg(0) | 0:r1019_2 |
| ir.cpp:1020:3:1020:47 | CallTarget | func:r1020_1 |
| ir.cpp:1020:3:1020:47 | ChiPartial | partial:m1020_4 |
| ir.cpp:1020:3:1020:47 | ChiTotal | total:m1019_5 |
| ir.cpp:1020:3:1020:47 | SideEffect | ~m1019_5 |
| ir.cpp:1020:10:1020:47 | Arg(0) | 0:r1020_2 |
| ir.cpp:1024:6:1024:24 | ChiPartial | partial:m1024_3 |
| ir.cpp:1024:6:1024:24 | ChiTotal | total:m1024_2 |
| ir.cpp:1024:6:1024:24 | SideEffect | m1024_3 |
| ir.cpp:1024:6:1024:24 | SideEffect | ~m1029_5 |
| ir.cpp:1025:3:1025:37 | CallTarget | func:r1025_1 |
| ir.cpp:1025:3:1025:37 | ChiPartial | partial:m1025_4 |
| ir.cpp:1025:3:1025:37 | ChiTotal | total:m1024_4 |
| ir.cpp:1025:3:1025:37 | SideEffect | ~m1024_4 |
| ir.cpp:1025:12:1025:37 | Arg(0) | 0:r1025_2 |
| ir.cpp:1026:3:1026:40 | CallTarget | func:r1026_1 |
| ir.cpp:1026:3:1026:40 | ChiPartial | partial:m1026_4 |
| ir.cpp:1026:3:1026:40 | ChiTotal | total:m1025_5 |
| ir.cpp:1026:3:1026:40 | SideEffect | ~m1025_5 |
| ir.cpp:1026:12:1026:40 | Arg(0) | 0:r1026_2 |
| ir.cpp:1027:3:1027:46 | CallTarget | func:r1027_1 |
| ir.cpp:1027:3:1027:46 | ChiPartial | partial:m1027_4 |
| ir.cpp:1027:3:1027:46 | ChiTotal | total:m1026_5 |
| ir.cpp:1027:3:1027:46 | SideEffect | ~m1026_5 |
| ir.cpp:1027:12:1027:46 | Arg(0) | 0:r1027_2 |
| ir.cpp:1028:3:1028:45 | CallTarget | func:r1028_1 |
| ir.cpp:1028:3:1028:45 | ChiPartial | partial:m1028_4 |
| ir.cpp:1028:3:1028:45 | ChiTotal | total:m1027_5 |
| ir.cpp:1028:3:1028:45 | SideEffect | ~m1027_5 |
| ir.cpp:1028:12:1028:45 | Arg(0) | 0:r1028_2 |
| ir.cpp:1029:3:1029:49 | CallTarget | func:r1029_1 |
| ir.cpp:1029:3:1029:49 | ChiPartial | partial:m1029_4 |
| ir.cpp:1029:3:1029:49 | ChiTotal | total:m1028_5 |
| ir.cpp:1029:3:1029:49 | SideEffect | ~m1028_5 |
| ir.cpp:1029:12:1029:49 | Arg(0) | 0:r1029_2 |
| ir.cpp:1034:6:1034:20 | ChiPartial | partial:m1034_3 |
| ir.cpp:1034:6:1034:20 | ChiTotal | total:m1034_2 |
| ir.cpp:1034:6:1034:20 | SideEffect | m1034_3 |
@@ -9576,6 +9626,186 @@
| ir.cpp:2030:22:2030:22 | Arg(0) | 0:r2030_3 |
| ir.cpp:2030:22:2030:22 | Load | m2026_6 |
| ir.cpp:2030:26:2030:27 | Unary | r2030_7 |
| ir.cpp:2033:6:2033:17 | ChiPartial | partial:m2033_3 |
| ir.cpp:2033:6:2033:17 | ChiTotal | total:m2033_2 |
| ir.cpp:2033:6:2033:17 | SideEffect | ~m2036_6 |
| ir.cpp:2034:8:2034:8 | Address | &:r2034_1 |
| ir.cpp:2034:12:2034:18 | Address | &:r2034_4 |
| ir.cpp:2034:12:2034:18 | Arg(0) | 0:r2034_3 |
| ir.cpp:2034:12:2034:18 | CallTarget | func:r2034_2 |
| ir.cpp:2034:12:2034:18 | ChiPartial | partial:m2034_5 |
| ir.cpp:2034:12:2034:18 | ChiTotal | total:m2033_4 |
| ir.cpp:2034:12:2034:18 | SideEffect | ~m2033_4 |
| ir.cpp:2034:12:2034:18 | StoreValue | r2034_8 |
| ir.cpp:2034:12:2034:18 | Unary | r2034_4 |
| ir.cpp:2035:3:2035:4 | Address | &:r2035_4 |
| ir.cpp:2035:3:2035:8 | ChiPartial | partial:m2035_5 |
| ir.cpp:2035:3:2035:8 | ChiTotal | total:m2034_7 |
| ir.cpp:2035:4:2035:4 | Address | &:r2035_2 |
| ir.cpp:2035:4:2035:4 | Load | m2034_9 |
| ir.cpp:2035:4:2035:4 | Unary | r2035_3 |
| ir.cpp:2035:8:2035:8 | StoreValue | r2035_1 |
| ir.cpp:2036:3:2036:10 | CallTarget | func:r2036_1 |
| ir.cpp:2036:3:2036:10 | ChiPartial | partial:m2036_5 |
| ir.cpp:2036:3:2036:10 | ChiTotal | total:m2034_6 |
| ir.cpp:2036:3:2036:10 | SideEffect | ~m2034_6 |
| ir.cpp:2036:10:2036:10 | Address | &:r2036_2 |
| ir.cpp:2036:10:2036:10 | Arg(0) | 0:r2036_3 |
| ir.cpp:2036:10:2036:10 | Load | m2034_9 |
| ir.cpp:2039:7:2039:7 | Address | &:r2039_5 |
| ir.cpp:2039:7:2039:7 | Address | &:r2039_5 |
| ir.cpp:2039:7:2039:7 | Address | &:r2039_7 |
| ir.cpp:2039:7:2039:7 | Address | &:r2039_7 |
| ir.cpp:2039:7:2039:7 | ChiPartial | partial:m2039_3 |
| ir.cpp:2039:7:2039:7 | ChiTotal | total:m2039_2 |
| ir.cpp:2039:7:2039:7 | Load | m2039_6 |
| ir.cpp:2039:7:2039:7 | SideEffect | m2039_3 |
| ir.cpp:2039:7:2039:7 | SideEffect | m2039_8 |
| ir.cpp:2041:10:2041:24 | ChiPartial | partial:m2041_3 |
| ir.cpp:2041:10:2041:24 | ChiTotal | total:m2041_2 |
| ir.cpp:2041:10:2041:24 | SideEffect | m2041_3 |
| ir.cpp:2041:32:2041:32 | Address | &:r2041_5 |
| ir.cpp:2041:32:2041:32 | Address | &:r2041_5 |
| ir.cpp:2041:32:2041:32 | Address | &:r2041_7 |
| ir.cpp:2041:32:2041:32 | Address | &:r2041_7 |
| ir.cpp:2041:32:2041:32 | Load | m2041_6 |
| ir.cpp:2041:32:2041:32 | SideEffect | m2041_8 |
| ir.cpp:2043:13:2043:18 | Address | &:r2043_5 |
| ir.cpp:2043:13:2043:18 | Address | &:r2043_5 |
| ir.cpp:2043:13:2043:18 | Address | &:r2043_7 |
| ir.cpp:2043:13:2043:18 | Address | &:r2043_7 |
| ir.cpp:2043:13:2043:18 | ChiPartial | partial:m2043_3 |
| ir.cpp:2043:13:2043:18 | ChiTotal | total:m2043_2 |
| ir.cpp:2043:13:2043:18 | Load | m2043_6 |
| ir.cpp:2043:13:2043:18 | SideEffect | m2043_3 |
| ir.cpp:2043:13:2043:18 | SideEffect | m2043_8 |
| ir.cpp:2046:7:2046:7 | Address | &:r2046_5 |
| ir.cpp:2046:7:2046:7 | Address | &:r2046_5 |
| ir.cpp:2046:7:2046:7 | Address | &:r2046_7 |
| ir.cpp:2046:7:2046:7 | Address | &:r2046_7 |
| ir.cpp:2046:7:2046:7 | Address | &:r2046_9 |
| ir.cpp:2046:7:2046:7 | Arg(this) | this:r2046_9 |
| ir.cpp:2046:7:2046:7 | CallTarget | func:r2046_10 |
| ir.cpp:2046:7:2046:7 | ChiPartial | partial:m2046_3 |
| ir.cpp:2046:7:2046:7 | ChiPartial | partial:m2046_12 |
| ir.cpp:2046:7:2046:7 | ChiPartial | partial:m2046_14 |
| ir.cpp:2046:7:2046:7 | ChiTotal | total:m2046_2 |
| ir.cpp:2046:7:2046:7 | ChiTotal | total:m2046_4 |
| ir.cpp:2046:7:2046:7 | ChiTotal | total:m2046_8 |
| ir.cpp:2046:7:2046:7 | Load | m2046_6 |
| ir.cpp:2046:7:2046:7 | SideEffect | m2046_15 |
| ir.cpp:2046:7:2046:7 | SideEffect | ~m2046_4 |
| ir.cpp:2046:7:2046:7 | SideEffect | ~m2046_13 |
| ir.cpp:2046:7:2046:7 | Unary | m2046_6 |
| ir.cpp:2049:5:2049:13 | Address | &:r2049_5 |
| ir.cpp:2049:5:2049:13 | Address | &:r2049_5 |
| ir.cpp:2049:5:2049:13 | Address | &:r2049_7 |
| ir.cpp:2049:5:2049:13 | Address | &:r2049_7 |
| ir.cpp:2049:5:2049:13 | ChiPartial | partial:m2049_3 |
| ir.cpp:2049:5:2049:13 | ChiTotal | total:m2049_2 |
| ir.cpp:2049:5:2049:13 | Load | m2049_6 |
| ir.cpp:2049:5:2049:13 | SideEffect | m2049_8 |
| ir.cpp:2049:5:2049:13 | SideEffect | ~m2049_14 |
| ir.cpp:2049:5:2049:13 | Unary | m2049_6 |
| ir.cpp:2049:18:2049:18 | Arg(this) | this:r2049_10 |
| ir.cpp:2049:18:2049:18 | CallTarget | func:r2049_11 |
| ir.cpp:2049:18:2049:18 | ChiPartial | partial:m2049_13 |
| ir.cpp:2049:18:2049:18 | ChiTotal | total:m2049_4 |
| ir.cpp:2049:18:2049:18 | SideEffect | ~m2049_4 |
| ir.cpp:2051:10:2051:24 | ChiPartial | partial:m2051_3 |
| ir.cpp:2051:10:2051:24 | ChiTotal | total:m2051_2 |
| ir.cpp:2051:10:2051:24 | SideEffect | m2051_3 |
| ir.cpp:2051:32:2051:32 | Address | &:r2051_5 |
| ir.cpp:2051:32:2051:32 | Address | &:r2051_5 |
| ir.cpp:2051:32:2051:32 | Address | &:r2051_7 |
| ir.cpp:2051:32:2051:32 | Address | &:r2051_7 |
| ir.cpp:2051:32:2051:32 | Load | m2051_6 |
| ir.cpp:2051:32:2051:32 | SideEffect | m2051_8 |
| ir.cpp:2056:5:2056:18 | ChiPartial | partial:m2056_3 |
| ir.cpp:2056:5:2056:18 | ChiTotal | total:m2056_2 |
| ir.cpp:2058:12:2058:13 | Address | &:r2058_1 |
| ir.cpp:2058:17:2058:27 | Address | &:r2058_4 |
| ir.cpp:2058:17:2058:27 | Address | &:r2058_8 |
| ir.cpp:2058:17:2058:27 | Arg(0) | 0:r2058_3 |
| ir.cpp:2058:17:2058:27 | Arg(this) | this:r2058_8 |
| ir.cpp:2058:17:2058:27 | CallTarget | func:r2058_2 |
| ir.cpp:2058:17:2058:27 | CallTarget | func:r2058_9 |
| ir.cpp:2058:17:2058:27 | ChiPartial | partial:m2058_5 |
| ir.cpp:2058:17:2058:27 | ChiPartial | partial:m2058_11 |
| ir.cpp:2058:17:2058:27 | ChiPartial | partial:m2058_13 |
| ir.cpp:2058:17:2058:27 | ChiTotal | total:m2056_4 |
| ir.cpp:2058:17:2058:27 | ChiTotal | total:m2058_6 |
| ir.cpp:2058:17:2058:27 | ChiTotal | total:m2058_7 |
| ir.cpp:2058:17:2058:27 | SideEffect | ~m2056_4 |
| ir.cpp:2058:17:2058:27 | SideEffect | ~m2058_6 |
| ir.cpp:2058:17:2058:27 | StoreValue | r2058_8 |
| ir.cpp:2058:17:2058:27 | Unary | r2058_4 |
| ir.cpp:2059:5:2059:13 | CallTarget | func:r2059_1 |
| ir.cpp:2059:5:2059:13 | ChiPartial | partial:m2059_5 |
| ir.cpp:2059:5:2059:13 | ChiTotal | total:m2058_12 |
| ir.cpp:2059:5:2059:13 | SideEffect | ~m2058_12 |
| ir.cpp:2059:12:2059:13 | Address | &:r2059_2 |
| ir.cpp:2059:12:2059:13 | Arg(0) | 0:r2059_3 |
| ir.cpp:2059:12:2059:13 | Load | m2058_15 |
| ir.cpp:2061:12:2061:13 | Address | &:r2061_1 |
| ir.cpp:2061:17:2061:30 | Address | &:r2061_4 |
| ir.cpp:2061:17:2061:30 | Address | &:r2061_8 |
| ir.cpp:2061:17:2061:30 | Arg(0) | 0:r2061_3 |
| ir.cpp:2061:17:2061:30 | Arg(this) | this:r2061_8 |
| ir.cpp:2061:17:2061:30 | CallTarget | func:r2061_2 |
| ir.cpp:2061:17:2061:30 | CallTarget | func:r2061_9 |
| ir.cpp:2061:17:2061:30 | ChiPartial | partial:m2061_5 |
| ir.cpp:2061:17:2061:30 | ChiPartial | partial:m2061_11 |
| ir.cpp:2061:17:2061:30 | ChiPartial | partial:m2061_13 |
| ir.cpp:2061:17:2061:30 | ChiTotal | total:m2059_6 |
| ir.cpp:2061:17:2061:30 | ChiTotal | total:m2061_6 |
| ir.cpp:2061:17:2061:30 | ChiTotal | total:m2061_7 |
| ir.cpp:2061:17:2061:30 | SideEffect | ~m2059_6 |
| ir.cpp:2061:17:2061:30 | SideEffect | ~m2061_6 |
| ir.cpp:2061:17:2061:30 | StoreValue | r2061_15 |
| ir.cpp:2061:17:2061:30 | Unary | r2061_4 |
| ir.cpp:2061:17:2061:30 | Unary | r2061_8 |
| ir.cpp:2062:5:2062:13 | CallTarget | func:r2062_1 |
| ir.cpp:2062:5:2062:13 | ChiPartial | partial:m2062_5 |
| ir.cpp:2062:5:2062:13 | ChiTotal | total:m2061_12 |
| ir.cpp:2062:5:2062:13 | SideEffect | ~m2061_12 |
| ir.cpp:2062:12:2062:13 | Address | &:r2062_2 |
| ir.cpp:2062:12:2062:13 | Arg(0) | 0:r2062_3 |
| ir.cpp:2062:12:2062:13 | Load | m2061_16 |
| ir.cpp:2064:15:2064:15 | Address | &:r2064_1 |
| ir.cpp:2064:19:2064:32 | Address | &:r2064_4 |
| ir.cpp:2064:19:2064:32 | Address | &:r2064_8 |
| ir.cpp:2064:19:2064:32 | Arg(0) | 0:r2064_3 |
| ir.cpp:2064:19:2064:32 | Arg(this) | this:r2064_8 |
| ir.cpp:2064:19:2064:32 | CallTarget | func:r2064_2 |
| ir.cpp:2064:19:2064:32 | CallTarget | func:r2064_9 |
| ir.cpp:2064:19:2064:32 | ChiPartial | partial:m2064_5 |
| ir.cpp:2064:19:2064:32 | ChiPartial | partial:m2064_11 |
| ir.cpp:2064:19:2064:32 | ChiPartial | partial:m2064_13 |
| ir.cpp:2064:19:2064:32 | ChiTotal | total:m2062_6 |
| ir.cpp:2064:19:2064:32 | ChiTotal | total:m2064_6 |
| ir.cpp:2064:19:2064:32 | ChiTotal | total:m2064_7 |
| ir.cpp:2064:19:2064:32 | SideEffect | ~m2062_6 |
| ir.cpp:2064:19:2064:32 | SideEffect | ~m2064_6 |
| ir.cpp:2064:19:2064:32 | StoreValue | r2064_8 |
| ir.cpp:2064:19:2064:32 | Unary | r2064_4 |
| ir.cpp:2065:5:2065:12 | CallTarget | func:r2065_1 |
| ir.cpp:2065:5:2065:12 | ChiPartial | partial:m2065_5 |
| ir.cpp:2065:5:2065:12 | ChiTotal | total:m2064_12 |
| ir.cpp:2065:5:2065:12 | SideEffect | ~m2064_12 |
| ir.cpp:2065:12:2065:12 | Address | &:r2065_2 |
| ir.cpp:2065:12:2065:12 | Arg(0) | 0:r2065_3 |
| ir.cpp:2065:12:2065:12 | Load | m2064_15 |
| ir.cpp:2070:6:2070:26 | ChiPartial | partial:m2070_3 |
| ir.cpp:2070:6:2070:26 | ChiTotal | total:m2070_2 |
| ir.cpp:2070:6:2070:26 | SideEffect | ~m2072_5 |
| ir.cpp:2071:13:2071:13 | Address | &:r2071_1 |
| ir.cpp:2071:16:2071:19 | StoreValue | r2071_2 |
| ir.cpp:2072:3:2072:27 | CallTarget | func:r2072_1 |
| ir.cpp:2072:3:2072:27 | ChiPartial | partial:m2072_4 |
| ir.cpp:2072:3:2072:27 | ChiTotal | total:m2070_4 |
| ir.cpp:2072:3:2072:27 | SideEffect | ~m2070_4 |
| ir.cpp:2072:29:2072:29 | Arg(0) | 0:r2072_2 |
| perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
| perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
| perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |

269
cpp/ql/test/library-tests/ir/ir/raw_ir.expected
View File

@@ -5666,16 +5666,26 @@ ir.cpp:
# 1015| v1015_1(void) = EnterFunction :
# 1015| mu1015_2(unknown) = AliasedDefinition :
# 1015| mu1015_3(unknown) = InitializeNonLocal :
# 1016| r1016_1(int *) = Constant[0] :
# 1016| v1016_2(void) = NoOp :
# 1017| r1017_1(String *) = Constant[0] :
# 1017| v1017_2(void) = NoOp :
# 1018| r1018_1(SizedDealloc *) = Constant[0] :
# 1018| v1018_2(void) = NoOp :
# 1019| r1019_1(Overaligned *) = Constant[0] :
# 1019| v1019_2(void) = NoOp :
# 1020| r1020_1(PolymorphicBase *) = Constant[0] :
# 1020| v1020_2(void) = NoOp :
# 1016| r1016_1(glval<unknown>) = FunctionAddress[operator delete] :
# 1016| r1016_2(int *) = Constant[0] :
# 1016| v1016_3(void) = Call[operator delete] : func:r1016_1, 0:r1016_2
# 1016| mu1016_4(unknown) = ^CallSideEffect : ~m?
# 1017| r1017_1(glval<unknown>) = FunctionAddress[operator delete] :
# 1017| r1017_2(String *) = Constant[0] :
# 1017| v1017_3(void) = Call[operator delete] : func:r1017_1, 0:r1017_2
# 1017| mu1017_4(unknown) = ^CallSideEffect : ~m?
# 1018| r1018_1(glval<unknown>) = FunctionAddress[operator delete] :
# 1018| r1018_2(SizedDealloc *) = Constant[0] :
# 1018| v1018_3(void) = Call[operator delete] : func:r1018_1, 0:r1018_2
# 1018| mu1018_4(unknown) = ^CallSideEffect : ~m?
# 1019| r1019_1(glval<unknown>) = FunctionAddress[operator delete] :
# 1019| r1019_2(Overaligned *) = Constant[0] :
# 1019| v1019_3(void) = Call[operator delete] : func:r1019_1, 0:r1019_2
# 1019| mu1019_4(unknown) = ^CallSideEffect : ~m?
# 1020| r1020_1(glval<unknown>) = VirtualDeleteFunctionAddress :
# 1020| r1020_2(PolymorphicBase *) = Constant[0] :
# 1020| v1020_3(void) = Call[?] : func:r1020_1, 0:r1020_2
# 1020| mu1020_4(unknown) = ^CallSideEffect : ~m?
# 1021| v1021_1(void) = NoOp :
# 1015| v1015_4(void) = ReturnVoid :
# 1015| v1015_5(void) = AliasedUse : ~m?
@@ -5686,16 +5696,26 @@ ir.cpp:
# 1024| v1024_1(void) = EnterFunction :
# 1024| mu1024_2(unknown) = AliasedDefinition :
# 1024| mu1024_3(unknown) = InitializeNonLocal :
# 1025| r1025_1(int *) = Constant[0] :
# 1025| v1025_2(void) = NoOp :
# 1026| r1026_1(String *) = Constant[0] :
# 1026| v1026_2(void) = NoOp :
# 1027| r1027_1(SizedDealloc *) = Constant[0] :
# 1027| v1027_2(void) = NoOp :
# 1028| r1028_1(Overaligned *) = Constant[0] :
# 1028| v1028_2(void) = NoOp :
# 1029| r1029_1(PolymorphicBase *) = Constant[0] :
# 1029| v1029_2(void) = NoOp :
# 1025| r1025_1(glval<unknown>) = FunctionAddress[operator delete[]] :
# 1025| r1025_2(int *) = Constant[0] :
# 1025| v1025_3(void) = Call[operator delete[]] : func:r1025_1, 0:r1025_2
# 1025| mu1025_4(unknown) = ^CallSideEffect : ~m?
# 1026| r1026_1(glval<unknown>) = FunctionAddress[operator delete[]] :
# 1026| r1026_2(String *) = Constant[0] :
# 1026| v1026_3(void) = Call[operator delete[]] : func:r1026_1, 0:r1026_2
# 1026| mu1026_4(unknown) = ^CallSideEffect : ~m?
# 1027| r1027_1(glval<unknown>) = FunctionAddress[operator delete[]] :
# 1027| r1027_2(SizedDealloc *) = Constant[0] :
# 1027| v1027_3(void) = Call[operator delete[]] : func:r1027_1, 0:r1027_2
# 1027| mu1027_4(unknown) = ^CallSideEffect : ~m?
# 1028| r1028_1(glval<unknown>) = FunctionAddress[operator delete[]] :
# 1028| r1028_2(Overaligned *) = Constant[0] :
# 1028| v1028_3(void) = Call[operator delete[]] : func:r1028_1, 0:r1028_2
# 1028| mu1028_4(unknown) = ^CallSideEffect : ~m?
# 1029| r1029_1(glval<unknown>) = FunctionAddress[operator delete[]] :
# 1029| r1029_2(PolymorphicBase *) = Constant[0] :
# 1029| v1029_3(void) = Call[operator delete[]] : func:r1029_1, 0:r1029_2
# 1029| mu1029_4(unknown) = ^CallSideEffect : ~m?
# 1030| v1030_1(void) = NoOp :
# 1024| v1024_4(void) = ReturnVoid :
# 1024| v1024_5(void) = AliasedUse : ~m?
@@ -11091,6 +11111,215 @@ ir.cpp:
# 2028| mu2028_13(unsigned int) = Store[#temp2028:7] : &:r2028_12, r2030_8
#-----| Goto -> Block 2
# 2033| void NewDeleteMem()
# 2033| Block 0
# 2033| v2033_1(void) = EnterFunction :
# 2033| mu2033_2(unknown) = AliasedDefinition :
# 2033| mu2033_3(unknown) = InitializeNonLocal :
# 2034| r2034_1(glval<int *>) = VariableAddress[x] :
# 2034| r2034_2(glval<unknown>) = FunctionAddress[operator new] :
# 2034| r2034_3(unsigned long) = Constant[4] :
# 2034| r2034_4(void *) = Call[operator new] : func:r2034_2, 0:r2034_3
# 2034| mu2034_5(unknown) = ^CallSideEffect : ~m?
# 2034| mu2034_6(unknown) = ^InitializeDynamicAllocation : &:r2034_4
# 2034| r2034_7(int *) = Convert : r2034_4
# 2034| mu2034_8(int *) = Store[x] : &:r2034_1, r2034_7
# 2035| r2035_1(int) = Constant[6] :
# 2035| r2035_2(glval<int *>) = VariableAddress[x] :
# 2035| r2035_3(int *) = Load[x] : &:r2035_2, ~m?
# 2035| r2035_4(glval<int>) = CopyValue : r2035_3
# 2035| mu2035_5(int) = Store[?] : &:r2035_4, r2035_1
# 2036| r2036_1(glval<unknown>) = FunctionAddress[operator delete] :
# 2036| r2036_2(glval<int *>) = VariableAddress[x] :
# 2036| r2036_3(int *) = Load[x] : &:r2036_2, ~m?
# 2036| v2036_4(void) = Call[operator delete] : func:r2036_1, 0:r2036_3
# 2036| mu2036_5(unknown) = ^CallSideEffect : ~m?
# 2037| v2037_1(void) = NoOp :
# 2033| v2033_4(void) = ReturnVoid :
# 2033| v2033_5(void) = AliasedUse : ~m?
# 2033| v2033_6(void) = ExitFunction :
# 2039| void Base2::Base2()
# 2039| Block 0
# 2039| v2039_1(void) = EnterFunction :
# 2039| mu2039_2(unknown) = AliasedDefinition :
# 2039| mu2039_3(unknown) = InitializeNonLocal :
# 2039| r2039_4(glval<unknown>) = VariableAddress[#this] :
# 2039| mu2039_5(glval<Base2>) = InitializeParameter[#this] : &:r2039_4
# 2039| r2039_6(glval<Base2>) = Load[#this] : &:r2039_4, ~m?
# 2039| mu2039_7(Base2) = InitializeIndirection[#this] : &:r2039_6
# 2039| v2039_8(void) = NoOp :
# 2039| v2039_9(void) = ReturnIndirection[#this] : &:r2039_6, ~m?
# 2039| v2039_10(void) = ReturnVoid :
# 2039| v2039_11(void) = AliasedUse : ~m?
# 2039| v2039_12(void) = ExitFunction :
# 2041| void Base2::operator delete(void*)
# 2041| Block 0
# 2041| v2041_1(void) = EnterFunction :
# 2041| mu2041_2(unknown) = AliasedDefinition :
# 2041| mu2041_3(unknown) = InitializeNonLocal :
# 2041| r2041_4(glval<void *>) = VariableAddress[p] :
# 2041| mu2041_5(void *) = InitializeParameter[p] : &:r2041_4
# 2041| r2041_6(void *) = Load[p] : &:r2041_4, ~m?
# 2041| mu2041_7(unknown) = InitializeIndirection[p] : &:r2041_6
# 2042| v2042_1(void) = NoOp :
# 2041| v2041_8(void) = ReturnIndirection[p] : &:r2041_6, ~m?
# 2041| v2041_9(void) = ReturnVoid :
# 2041| v2041_10(void) = AliasedUse : ~m?
# 2041| v2041_11(void) = ExitFunction :
# 2043| void Base2::~Base2()
# 2043| Block 0
# 2043| v2043_1(void) = EnterFunction :
# 2043| mu2043_2(unknown) = AliasedDefinition :
# 2043| mu2043_3(unknown) = InitializeNonLocal :
# 2043| r2043_4(glval<unknown>) = VariableAddress[#this] :
# 2043| mu2043_5(glval<Base2>) = InitializeParameter[#this] : &:r2043_4
# 2043| r2043_6(glval<Base2>) = Load[#this] : &:r2043_4, ~m?
# 2043| mu2043_7(Base2) = InitializeIndirection[#this] : &:r2043_6
# 2043| v2043_8(void) = NoOp :
# 2043| v2043_9(void) = ReturnIndirection[#this] : &:r2043_6, ~m?
# 2043| v2043_10(void) = ReturnVoid :
# 2043| v2043_11(void) = AliasedUse : ~m?
# 2043| v2043_12(void) = ExitFunction :
# 2046| void Derived2::Derived2()
# 2046| Block 0
# 2046| v2046_1(void) = EnterFunction :
# 2046| mu2046_2(unknown) = AliasedDefinition :
# 2046| mu2046_3(unknown) = InitializeNonLocal :
# 2046| r2046_4(glval<unknown>) = VariableAddress[#this] :
# 2046| mu2046_5(glval<Derived2>) = InitializeParameter[#this] : &:r2046_4
# 2046| r2046_6(glval<Derived2>) = Load[#this] : &:r2046_4, ~m?
# 2046| mu2046_7(Derived2) = InitializeIndirection[#this] : &:r2046_6
# 2046| r2046_8(glval<Base2>) = ConvertToNonVirtualBase[Derived2 : Base2] : mu2046_5
# 2046| r2046_9(glval<unknown>) = FunctionAddress[Base2] :
# 2046| v2046_10(void) = Call[Base2] : func:r2046_9, this:r2046_8
# 2046| mu2046_11(unknown) = ^CallSideEffect : ~m?
# 2046| mu2046_12(Base2) = ^IndirectMayWriteSideEffect[-1] : &:r2046_8
# 2046| v2046_13(void) = NoOp :
# 2046| v2046_14(void) = ReturnIndirection[#this] : &:r2046_6, ~m?
# 2046| v2046_15(void) = ReturnVoid :
# 2046| v2046_16(void) = AliasedUse : ~m?
# 2046| v2046_17(void) = ExitFunction :
# 2049| void Derived2::~Derived2()
# 2049| Block 0
# 2049| v2049_1(void) = EnterFunction :
# 2049| mu2049_2(unknown) = AliasedDefinition :
# 2049| mu2049_3(unknown) = InitializeNonLocal :
# 2049| r2049_4(glval<unknown>) = VariableAddress[#this] :
# 2049| mu2049_5(glval<Derived2>) = InitializeParameter[#this] : &:r2049_4
# 2049| r2049_6(glval<Derived2>) = Load[#this] : &:r2049_4, ~m?
# 2049| mu2049_7(Derived2) = InitializeIndirection[#this] : &:r2049_6
# 2049| v2049_8(void) = NoOp :
# 2049| r2049_9(glval<Base2>) = ConvertToNonVirtualBase[Derived2 : Base2] : mu2049_5
# 2049| r2049_10(glval<unknown>) = FunctionAddress[~Base2] :
# 2049| v2049_11(void) = Call[~Base2] : func:r2049_10, this:r2049_9
# 2049| mu2049_12(unknown) = ^CallSideEffect : ~m?
# 2049| v2049_13(void) = ReturnIndirection[#this] : &:r2049_6, ~m?
# 2049| v2049_14(void) = ReturnVoid :
# 2049| v2049_15(void) = AliasedUse : ~m?
# 2049| v2049_16(void) = ExitFunction :
# 2051| void Derived2::operator delete(void*)
# 2051| Block 0
# 2051| v2051_1(void) = EnterFunction :
# 2051| mu2051_2(unknown) = AliasedDefinition :
# 2051| mu2051_3(unknown) = InitializeNonLocal :
# 2051| r2051_4(glval<void *>) = VariableAddress[p] :
# 2051| mu2051_5(void *) = InitializeParameter[p] : &:r2051_4
# 2051| r2051_6(void *) = Load[p] : &:r2051_4, ~m?
# 2051| mu2051_7(unknown) = InitializeIndirection[p] : &:r2051_6
# 2052| v2052_1(void) = NoOp :
# 2051| v2051_8(void) = ReturnIndirection[p] : &:r2051_6, ~m?
# 2051| v2051_9(void) = ReturnVoid :
# 2051| v2051_10(void) = AliasedUse : ~m?
# 2051| v2051_11(void) = ExitFunction :
# 2056| int virtual_delete()
# 2056| Block 0
# 2056| v2056_1(void) = EnterFunction :
# 2056| mu2056_2(unknown) = AliasedDefinition :
# 2056| mu2056_3(unknown) = InitializeNonLocal :
# 2058| r2058_1(glval<Base2 *>) = VariableAddress[b1] :
# 2058| r2058_2(glval<unknown>) = FunctionAddress[operator new] :
# 2058| r2058_3(unsigned long) = Constant[8] :
# 2058| r2058_4(void *) = Call[operator new] : func:r2058_2, 0:r2058_3
# 2058| mu2058_5(unknown) = ^CallSideEffect : ~m?
# 2058| mu2058_6(unknown) = ^InitializeDynamicAllocation : &:r2058_4
# 2058| r2058_7(Base2 *) = Convert : r2058_4
# 2058| r2058_8(glval<unknown>) = FunctionAddress[Base2] :
# 2058| v2058_9(void) = Call[Base2] : func:r2058_8, this:r2058_7
# 2058| mu2058_10(unknown) = ^CallSideEffect : ~m?
# 2058| mu2058_11(Base2) = ^IndirectMayWriteSideEffect[-1] : &:r2058_7
# 2058| mu2058_12(Base2 *) = Store[b1] : &:r2058_1, r2058_7
# 2059| r2059_1(glval<unknown>) = VirtualDeleteFunctionAddress :
# 2059| r2059_2(glval<Base2 *>) = VariableAddress[b1] :
# 2059| r2059_3(Base2 *) = Load[b1] : &:r2059_2, ~m?
# 2059| v2059_4(void) = Call[?] : func:r2059_1, 0:r2059_3
# 2059| mu2059_5(unknown) = ^CallSideEffect : ~m?
# 2061| r2061_1(glval<Base2 *>) = VariableAddress[b2] :
# 2061| r2061_2(glval<unknown>) = FunctionAddress[operator new] :
# 2061| r2061_3(unsigned long) = Constant[16] :
# 2061| r2061_4(void *) = Call[operator new] : func:r2061_2, 0:r2061_3
# 2061| mu2061_5(unknown) = ^CallSideEffect : ~m?
# 2061| mu2061_6(unknown) = ^InitializeDynamicAllocation : &:r2061_4
# 2061| r2061_7(Derived2 *) = Convert : r2061_4
# 2061| r2061_8(glval<unknown>) = FunctionAddress[Derived2] :
# 2061| v2061_9(void) = Call[Derived2] : func:r2061_8, this:r2061_7
# 2061| mu2061_10(unknown) = ^CallSideEffect : ~m?
# 2061| mu2061_11(Derived2) = ^IndirectMayWriteSideEffect[-1] : &:r2061_7
# 2061| r2061_12(Base2 *) = ConvertToNonVirtualBase[Derived2 : Base2] : r2061_7
# 2061| mu2061_13(Base2 *) = Store[b2] : &:r2061_1, r2061_12
# 2062| r2062_1(glval<unknown>) = VirtualDeleteFunctionAddress :
# 2062| r2062_2(glval<Base2 *>) = VariableAddress[b2] :
# 2062| r2062_3(Base2 *) = Load[b2] : &:r2062_2, ~m?
# 2062| v2062_4(void) = Call[?] : func:r2062_1, 0:r2062_3
# 2062| mu2062_5(unknown) = ^CallSideEffect : ~m?
# 2064| r2064_1(glval<Derived2 *>) = VariableAddress[d] :
# 2064| r2064_2(glval<unknown>) = FunctionAddress[operator new] :
# 2064| r2064_3(unsigned long) = Constant[16] :
# 2064| r2064_4(void *) = Call[operator new] : func:r2064_2, 0:r2064_3
# 2064| mu2064_5(unknown) = ^CallSideEffect : ~m?
# 2064| mu2064_6(unknown) = ^InitializeDynamicAllocation : &:r2064_4
# 2064| r2064_7(Derived2 *) = Convert : r2064_4
# 2064| r2064_8(glval<unknown>) = FunctionAddress[Derived2] :
# 2064| v2064_9(void) = Call[Derived2] : func:r2064_8, this:r2064_7
# 2064| mu2064_10(unknown) = ^CallSideEffect : ~m?
# 2064| mu2064_11(Derived2) = ^IndirectMayWriteSideEffect[-1] : &:r2064_7
# 2064| mu2064_12(Derived2 *) = Store[d] : &:r2064_1, r2064_7
# 2065| r2065_1(glval<unknown>) = VirtualDeleteFunctionAddress :
# 2065| r2065_2(glval<Derived2 *>) = VariableAddress[d] :
# 2065| r2065_3(Derived2 *) = Load[d] : &:r2065_2, ~m?
# 2065| v2065_4(void) = Call[?] : func:r2065_1, 0:r2065_3
# 2065| mu2065_5(unknown) = ^CallSideEffect : ~m?
# 2066| v2066_1(void) = Unreached :
# 2056| Block 1
# 2056| r2056_4(glval<int>) = VariableAddress[#return] :
# 2056| v2056_5(void) = ReturnValue : &:r2056_4, ~m?
# 2056| v2056_6(void) = AliasedUse : ~m?
# 2056| v2056_7(void) = ExitFunction :
# 2070| void test_constant_folding()
# 2070| Block 0
# 2070| v2070_1(void) = EnterFunction :
# 2070| mu2070_2(unknown) = AliasedDefinition :
# 2070| mu2070_3(unknown) = InitializeNonLocal :
# 2071| r2071_1(glval<int>) = VariableAddress[x] :
# 2071| r2071_2(int) = Constant[116] :
# 2071| mu2071_3(int) = Store[x] : &:r2071_1, r2071_2
# 2072| r2072_1(glval<unknown>) = FunctionAddress[test_constant_folding_use] :
# 2072| r2072_2(int) = Constant[116] :
# 2072| v2072_3(void) = Call[test_constant_folding_use] : func:r2072_1, 0:r2072_2
# 2072| mu2072_4(unknown) = ^CallSideEffect : ~m?
# 2073| v2073_1(void) = NoOp :
# 2070| v2070_4(void) = ReturnVoid :
# 2070| v2070_5(void) = AliasedUse : ~m?
# 2070| v2070_6(void) = ExitFunction :
perf-regression.cpp:
# 6| void Big::Big()
# 6| Block 0

8
cpp/ql/test/library-tests/ir/modulus-analysis/test.cpp
View File

@@ -10,7 +10,7 @@ void m(int i, bool cond, int x, int y) {
int seven = 7;
if (mul % c2 == seven) {
mod(mul); // congruent 3 mod 42, 7 mod 43
mod(mul); // $ mod=0,3,42
}
int j = cond
@@ -19,13 +19,11 @@ void m(int i, bool cond, int x, int y) {
mod(j); // $ mod=0,3,4
if (x % c1 == 3 && y % c1 == 7) {
// Need implies_v2
mod(x + y); // $ MISSING: 0,10,42
mod(x + y); // $ mod=0,10,42
}
if (x % c1 == 3 && y % c1 == 7) {
// Need implies_v2
mod(x - y); // $ MISSING: mod=0,38,42
mod(x - y); // $ mod=0,38,42
}
if (cond) {

8
cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp
View File

@@ -1008,12 +1008,12 @@ label:
void test_overflow() {
const int x = 2147483647; // 2^31-1
range(x);
range(x); // $ range===2147483647
const int y = 256;
range(y);
range(y); // $ range===256
if ((x + y) <= 512) {
range(x);
range(y);
range(x); // $ range===2147483647
range(y); // $ range===256
range(x + y); // $ range===-2147483393
}
}

12
cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected
View File

@@ -18,6 +18,7 @@ edges
| test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a |
| test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a |
| test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a |
| test_free.cpp:83:12:83:12 | a | test_free.cpp:85:12:85:12 | a |
| test_free.cpp:101:10:101:10 | a | test_free.cpp:103:10:103:10 | a |
| test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | * ... |
| test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a |
@@ -28,6 +29,8 @@ edges
| test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
| test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
| test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
| test_free.cpp:252:7:252:7 | p | test_free.cpp:255:10:255:10 | p |
| test_free.cpp:260:9:260:9 | p | test_free.cpp:263:12:263:12 | p |
nodes
| test_free.cpp:11:10:11:10 | a | semmle.label | a |
| test_free.cpp:11:10:11:10 | a | semmle.label | a |
@@ -51,6 +54,8 @@ nodes
| test_free.cpp:69:10:69:10 | a | semmle.label | a |
| test_free.cpp:72:14:72:14 | a | semmle.label | a |
| test_free.cpp:72:14:72:14 | a | semmle.label | a |
| test_free.cpp:83:12:83:12 | a | semmle.label | a |
| test_free.cpp:85:12:85:12 | a | semmle.label | a |
| test_free.cpp:101:10:101:10 | a | semmle.label | a |
| test_free.cpp:103:10:103:10 | a | semmle.label | a |
| test_free.cpp:128:10:128:11 | * ... | semmle.label | * ... |
@@ -63,6 +68,10 @@ nodes
| test_free.cpp:207:10:207:10 | a | semmle.label | a |
| test_free.cpp:209:10:209:10 | a | semmle.label | a |
| test_free.cpp:209:10:209:10 | a | semmle.label | a |
| test_free.cpp:252:7:252:7 | p | semmle.label | p |
| test_free.cpp:255:10:255:10 | p | semmle.label | p |
| test_free.cpp:260:9:260:9 | p | semmle.label | p |
| test_free.cpp:263:12:263:12 | p | semmle.label | p |
subpaths
#select
| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
@@ -84,6 +93,7 @@ subpaths
| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
| test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | a | test_free.cpp:85:12:85:12 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:83:5:83:13 | delete | delete |
| test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | a | test_free.cpp:103:10:103:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
@@ -94,3 +104,5 @@ subpaths
| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
| test_free.cpp:255:10:255:10 | p | test_free.cpp:252:7:252:7 | p | test_free.cpp:255:10:255:10 | p | Memory pointed to by 'p' may already have been freed by $@. | test_free.cpp:252:2:252:5 | call to free | call to free |
| test_free.cpp:263:12:263:12 | p | test_free.cpp:260:9:260:9 | p | test_free.cpp:263:12:263:12 | p | Memory pointed to by 'p' may already have been freed by $@. | test_free.cpp:260:2:260:9 | delete | delete |

4
cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
View File

@@ -92,6 +92,10 @@
| test_free.cpp:233:14:233:15 | * ... |
| test_free.cpp:239:14:239:15 | * ... |
| test_free.cpp:245:10:245:11 | * ... |
| test_free.cpp:252:7:252:7 | p |
| test_free.cpp:255:10:255:10 | p |
| test_free.cpp:260:9:260:9 | p |
| test_free.cpp:263:12:263:12 | p |
| virtual.cpp:18:10:18:10 | a |
| virtual.cpp:19:10:19:10 | c |
| virtual.cpp:38:10:38:10 | b |

2
cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.expected
View File

@@ -12,3 +12,5 @@
| test.cpp:157:3:157:26 | new[] | This memory is never freed. |
| test.cpp:169:14:169:19 | call to strdup | This memory is never freed. |
| test_free.cpp:167:15:167:21 | call to realloc | This memory is never freed. |
| test_free.cpp:253:14:253:19 | call to malloc | This memory is never freed. |
| test_free.cpp:261:6:261:12 | new | This memory is never freed. |

12
cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
View File

@@ -9,6 +9,7 @@ edges
| test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a |
| test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a |
| test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a |
| test_free.cpp:83:12:83:12 | a | test_free.cpp:84:5:84:5 | a |
| test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a |
| test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a |
| test_free.cpp:95:10:95:10 | a | test_free.cpp:96:9:96:9 | a |
@@ -27,6 +28,8 @@ edges
| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
| test_free.cpp:252:7:252:7 | p | test_free.cpp:254:6:254:6 | p |
| test_free.cpp:260:9:260:9 | p | test_free.cpp:262:6:262:6 | p |
nodes
| test_free.cpp:11:10:11:10 | a | semmle.label | a |
| test_free.cpp:11:10:11:10 | a | semmle.label | a |
@@ -41,6 +44,8 @@ nodes
| test_free.cpp:69:10:69:10 | a | semmle.label | a |
| test_free.cpp:69:10:69:10 | a | semmle.label | a |
| test_free.cpp:71:9:71:9 | a | semmle.label | a |
| test_free.cpp:83:12:83:12 | a | semmle.label | a |
| test_free.cpp:84:5:84:5 | a | semmle.label | a |
| test_free.cpp:90:10:90:10 | a | semmle.label | a |
| test_free.cpp:90:10:90:10 | a | semmle.label | a |
| test_free.cpp:91:5:91:5 | a | semmle.label | a |
@@ -63,6 +68,10 @@ nodes
| test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
| test_free.cpp:252:7:252:7 | p | semmle.label | p |
| test_free.cpp:254:6:254:6 | p | semmle.label | p |
| test_free.cpp:260:9:260:9 | p | semmle.label | p |
| test_free.cpp:262:6:262:6 | p | semmle.label | p |
subpaths
#select
| test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
@@ -75,6 +84,7 @@ subpaths
| test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
| test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
| test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
| test_free.cpp:84:5:84:5 | a | test_free.cpp:83:12:83:12 | a | test_free.cpp:84:5:84:5 | a | Memory may have been previously freed by $@. | test_free.cpp:83:5:83:13 | delete | delete |
| test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free |
| test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free |
| test_free.cpp:96:9:96:9 | a | test_free.cpp:95:10:95:10 | a | test_free.cpp:96:9:96:9 | a | Memory may have been previously freed by $@. | test_free.cpp:95:5:95:8 | call to free | call to free |
@@ -93,3 +103,5 @@ subpaths
| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
| test_free.cpp:254:6:254:6 | p | test_free.cpp:252:7:252:7 | p | test_free.cpp:254:6:254:6 | p | Memory may have been previously freed by $@. | test_free.cpp:252:2:252:5 | call to free | call to free |
| test_free.cpp:262:6:262:6 | p | test_free.cpp:260:9:260:9 | p | test_free.cpp:262:6:262:6 | p | Memory may have been previously freed by $@. | test_free.cpp:260:2:260:9 | delete | delete |

21
cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
View File

@@ -81,8 +81,8 @@ public:
void test_new1() {
A *a = new A();
delete(a);
a->f(); // BAD [NOT DETECTED]
delete(a); // BAD [NOT DETECTED]
a->f(); // BAD
delete(a); // BAD
}
void test_dereference1(A *a) {
@@ -245,3 +245,20 @@ void test_deref(char **a) {
free(*a);
use(*a); // GOOD [FALSE POSITIVE]
}
// Refs
void test_ref(char *&p) {
free(p);
p = (char *)malloc(sizeof(char)*10);
use(p); // GOOD [FALSE POSITIVE]
free(p); // GOOD [FALSE POSITIVE]
}
void test_ref_delete(int *&p) {
delete p;
p = new int;
use(p); // GOOD [FALSE POSITIVE]
delete p; // GOOD [FALSE POSITIVE]
}

2
cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
View File

@@ -2,9 +2,11 @@ edges
| test.cpp:15:27:15:30 | argv indirection | test.cpp:22:45:22:52 | userName indirection |
| test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | command1 indirection |
| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:45:22:52 | userName indirection |
| test.cpp:47:21:47:26 | call to getenv indirection | test.cpp:50:35:50:43 | envCflags indirection |
| test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | command indirection |
| test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:11:50:17 | sprintf output argument |
| test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:35:50:43 | envCflags indirection |
| test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | filename indirection |
| test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | command indirection |
| test.cpp:64:20:64:27 | filename indirection | test.cpp:64:11:64:17 | strncat output argument |

51
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
View File

@@ -4,38 +4,29 @@ edges
| test.cpp:18:10:18:15 | str indirection [post update] [string] | test.cpp:19:5:19:7 | str indirection [string] |
| test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | ... = ... |
| test.cpp:19:5:19:7 | str indirection [string] | test.cpp:16:11:16:21 | mk_string_t indirection [string] |
| test.cpp:19:5:19:7 | str indirection [string] | test.cpp:19:5:19:7 | str indirection [string] |
| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:42:13:42:15 | str indirection [string] |
| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:72:17:72:19 | str indirection [string] |
| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:80:17:80:19 | str indirection [string] |
| test.cpp:42:13:42:15 | str indirection [string] | test.cpp:42:18:42:23 | string |
| test.cpp:42:13:42:15 | str indirection [string] | test.cpp:42:18:42:23 | string indirection |
| test.cpp:42:18:42:23 | string indirection | test.cpp:42:18:42:23 | string |
| test.cpp:72:17:72:19 | str indirection [string] | test.cpp:72:22:72:27 | string |
| test.cpp:72:17:72:19 | str indirection [string] | test.cpp:72:22:72:27 | string indirection |
| test.cpp:72:22:72:27 | string indirection | test.cpp:72:22:72:27 | string |
| test.cpp:80:17:80:19 | str indirection [string] | test.cpp:80:22:80:27 | string |
| test.cpp:80:17:80:19 | str indirection [string] | test.cpp:80:22:80:27 | string indirection |
| test.cpp:80:22:80:27 | string indirection | test.cpp:80:22:80:27 | string |
| test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] |
| test.cpp:90:5:90:34 | ... = ... | test.cpp:90:10:90:15 | str indirection [post update] [string] |
| test.cpp:90:10:90:15 | str indirection [post update] [string] | test.cpp:91:5:91:7 | str indirection [string] |
| test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | ... = ... |
| test.cpp:91:5:91:7 | str indirection [string] | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] |
| test.cpp:91:5:91:7 | str indirection [string] | test.cpp:91:5:91:7 | str indirection [string] |
| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:99:13:99:15 | str indirection [string] |
| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:129:17:129:19 | str indirection [string] |
| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:137:17:137:19 | str indirection [string] |
| test.cpp:99:13:99:15 | str indirection [string] | test.cpp:99:18:99:23 | string |
| test.cpp:99:13:99:15 | str indirection [string] | test.cpp:99:18:99:23 | string indirection |
| test.cpp:99:18:99:23 | string indirection | test.cpp:99:18:99:23 | string |
| test.cpp:129:17:129:19 | str indirection [string] | test.cpp:129:22:129:27 | string |
| test.cpp:129:17:129:19 | str indirection [string] | test.cpp:129:22:129:27 | string indirection |
| test.cpp:129:22:129:27 | string indirection | test.cpp:129:22:129:27 | string |
| test.cpp:137:17:137:19 | str indirection [string] | test.cpp:137:22:137:27 | string |
| test.cpp:137:17:137:19 | str indirection [string] | test.cpp:137:22:137:27 | string indirection |
| test.cpp:137:22:137:27 | string indirection | test.cpp:137:22:137:27 | string |
| test.cpp:147:5:147:34 | ... = ... | test.cpp:147:10:147:15 | str indirection [post update] [string] |
| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:148:5:148:7 | str indirection [string] |
| test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | ... = ... |
| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:148:5:148:7 | str indirection [string] |
| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:152:13:152:15 | str indirection [string] |
| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:154:13:154:15 | str indirection [string] |
| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:156:13:156:15 | str indirection [string] |
@@ -46,32 +37,14 @@ edges
| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:203:17:203:19 | str indirection [string] |
| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:207:17:207:19 | str indirection [string] |
| test.cpp:152:13:152:15 | str indirection [string] | test.cpp:152:18:152:23 | string |
| test.cpp:152:13:152:15 | str indirection [string] | test.cpp:152:18:152:23 | string indirection |
| test.cpp:152:18:152:23 | string indirection | test.cpp:152:18:152:23 | string |
| test.cpp:154:13:154:15 | str indirection [string] | test.cpp:154:18:154:23 | string |
| test.cpp:154:13:154:15 | str indirection [string] | test.cpp:154:18:154:23 | string indirection |
| test.cpp:154:18:154:23 | string indirection | test.cpp:154:18:154:23 | string |
| test.cpp:156:13:156:15 | str indirection [string] | test.cpp:156:18:156:23 | string |
| test.cpp:156:13:156:15 | str indirection [string] | test.cpp:156:18:156:23 | string indirection |
| test.cpp:156:18:156:23 | string indirection | test.cpp:156:18:156:23 | string |
| test.cpp:175:17:175:19 | str indirection [string] | test.cpp:175:22:175:27 | string |
| test.cpp:175:17:175:19 | str indirection [string] | test.cpp:175:22:175:27 | string indirection |
| test.cpp:175:22:175:27 | string indirection | test.cpp:175:22:175:27 | string |
| test.cpp:187:17:187:19 | str indirection [string] | test.cpp:187:22:187:27 | string |
| test.cpp:187:17:187:19 | str indirection [string] | test.cpp:187:22:187:27 | string indirection |
| test.cpp:187:22:187:27 | string indirection | test.cpp:187:22:187:27 | string |
| test.cpp:195:17:195:19 | str indirection [string] | test.cpp:195:22:195:27 | string |
| test.cpp:195:17:195:19 | str indirection [string] | test.cpp:195:22:195:27 | string indirection |
| test.cpp:195:22:195:27 | string indirection | test.cpp:195:22:195:27 | string |
| test.cpp:199:17:199:19 | str indirection [string] | test.cpp:199:22:199:27 | string |
| test.cpp:199:17:199:19 | str indirection [string] | test.cpp:199:22:199:27 | string indirection |
| test.cpp:199:22:199:27 | string indirection | test.cpp:199:22:199:27 | string |
| test.cpp:203:17:203:19 | str indirection [string] | test.cpp:203:22:203:27 | string |
| test.cpp:203:17:203:19 | str indirection [string] | test.cpp:203:22:203:27 | string indirection |
| test.cpp:203:22:203:27 | string indirection | test.cpp:203:22:203:27 | string |
| test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string |
| test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string indirection |
| test.cpp:207:22:207:27 | string indirection | test.cpp:207:22:207:27 | string |
| test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p |
| test.cpp:220:43:220:48 | call to malloc | test.cpp:222:15:222:20 | buffer |
| test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p |
@@ -83,8 +56,6 @@ edges
| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer |
| test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] |
| test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:12:243:21 | string |
| test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:16:243:21 | string indirection |
| test.cpp:243:16:243:21 | string indirection | test.cpp:243:12:243:21 | string |
| test.cpp:249:20:249:27 | call to my_alloc | test.cpp:250:12:250:12 | p |
| test.cpp:256:17:256:22 | call to malloc | test.cpp:257:12:257:12 | p |
| test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p |
@@ -98,13 +69,10 @@ nodes
| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | semmle.label | call to mk_string_t indirection [string] |
| test.cpp:42:13:42:15 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:42:18:42:23 | string | semmle.label | string |
| test.cpp:42:18:42:23 | string indirection | semmle.label | string indirection |
| test.cpp:72:17:72:19 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:72:22:72:27 | string | semmle.label | string |
| test.cpp:72:22:72:27 | string indirection | semmle.label | string indirection |
| test.cpp:80:17:80:19 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:80:22:80:27 | string | semmle.label | string |
| test.cpp:80:22:80:27 | string indirection | semmle.label | string indirection |
| test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | semmle.label | mk_string_t_plus_one indirection [string] |
| test.cpp:90:5:90:34 | ... = ... | semmle.label | ... = ... |
| test.cpp:90:10:90:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
@@ -113,44 +81,32 @@ nodes
| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | semmle.label | call to mk_string_t_plus_one indirection [string] |
| test.cpp:99:13:99:15 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:99:18:99:23 | string | semmle.label | string |
| test.cpp:99:18:99:23 | string indirection | semmle.label | string indirection |
| test.cpp:129:17:129:19 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:129:22:129:27 | string | semmle.label | string |
| test.cpp:129:22:129:27 | string indirection | semmle.label | string indirection |
| test.cpp:137:17:137:19 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:137:22:137:27 | string | semmle.label | string |
| test.cpp:137:22:137:27 | string indirection | semmle.label | string indirection |
| test.cpp:147:5:147:34 | ... = ... | semmle.label | ... = ... |
| test.cpp:147:10:147:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
| test.cpp:147:19:147:24 | call to malloc | semmle.label | call to malloc |
| test.cpp:148:5:148:7 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:152:13:152:15 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:152:18:152:23 | string | semmle.label | string |
| test.cpp:152:18:152:23 | string indirection | semmle.label | string indirection |
| test.cpp:154:13:154:15 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:154:18:154:23 | string | semmle.label | string |
| test.cpp:154:18:154:23 | string indirection | semmle.label | string indirection |
| test.cpp:156:13:156:15 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:156:18:156:23 | string | semmle.label | string |
| test.cpp:156:18:156:23 | string indirection | semmle.label | string indirection |
| test.cpp:175:17:175:19 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:175:22:175:27 | string | semmle.label | string |
| test.cpp:175:22:175:27 | string indirection | semmle.label | string indirection |
| test.cpp:187:17:187:19 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:187:22:187:27 | string | semmle.label | string |
| test.cpp:187:22:187:27 | string indirection | semmle.label | string indirection |
| test.cpp:195:17:195:19 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:195:22:195:27 | string | semmle.label | string |
| test.cpp:195:22:195:27 | string indirection | semmle.label | string indirection |
| test.cpp:199:17:199:19 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:199:22:199:27 | string | semmle.label | string |
| test.cpp:199:22:199:27 | string indirection | semmle.label | string indirection |
| test.cpp:203:17:203:19 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:203:22:203:27 | string | semmle.label | string |
| test.cpp:203:22:203:27 | string indirection | semmle.label | string indirection |
| test.cpp:207:17:207:19 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:207:22:207:27 | string | semmle.label | string |
| test.cpp:207:22:207:27 | string indirection | semmle.label | string indirection |
| test.cpp:214:24:214:24 | p | semmle.label | p |
| test.cpp:216:10:216:10 | p | semmle.label | p |
| test.cpp:220:43:220:48 | call to malloc | semmle.label | call to malloc |
@@ -165,7 +121,6 @@ nodes
| test.cpp:242:22:242:27 | buffer | semmle.label | buffer |
| test.cpp:243:12:243:14 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:243:12:243:21 | string | semmle.label | string |
| test.cpp:243:16:243:21 | string indirection | semmle.label | string indirection |
| test.cpp:249:20:249:27 | call to my_alloc | semmle.label | call to my_alloc |
| test.cpp:250:12:250:12 | p | semmle.label | p |
| test.cpp:256:17:256:22 | call to malloc | semmle.label | call to malloc |

9
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected
View File

@@ -2,16 +2,13 @@ edges
| main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv indirection |
| main.cpp:7:33:7:36 | argv indirection | overflowdestination.cpp:23:45:23:48 | argv indirection |
| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src indirection |
| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:9:53:12 | memcpy output argument |
| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src indirection |
| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src indirection |
| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
| overflowdestination.cpp:53:9:53:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
| overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
| overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 indirection |
| overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 indirection |
| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src indirection |
| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
@@ -23,17 +20,14 @@ nodes
| main.cpp:7:33:7:36 | argv indirection | semmle.label | argv indirection |
| overflowdestination.cpp:23:45:23:48 | argv indirection | semmle.label | argv indirection |
| overflowdestination.cpp:30:17:30:20 | arg1 indirection | semmle.label | arg1 indirection |
| overflowdestination.cpp:30:17:30:20 | arg1 indirection | semmle.label | arg1 indirection |
| overflowdestination.cpp:43:8:43:10 | fgets output argument | semmle.label | fgets output argument |
| overflowdestination.cpp:46:15:46:17 | src indirection | semmle.label | src indirection |
| overflowdestination.cpp:50:52:50:54 | src indirection | semmle.label | src indirection |
| overflowdestination.cpp:53:9:53:12 | memcpy output argument | semmle.label | memcpy output argument |
| overflowdestination.cpp:53:15:53:17 | src indirection | semmle.label | src indirection |
| overflowdestination.cpp:53:15:53:17 | src indirection | semmle.label | src indirection |
| overflowdestination.cpp:54:9:54:12 | memcpy output argument | semmle.label | memcpy output argument |
| overflowdestination.cpp:57:52:57:54 | src indirection | semmle.label | src indirection |
| overflowdestination.cpp:64:16:64:19 | src2 indirection | semmle.label | src2 indirection |
| overflowdestination.cpp:64:16:64:19 | src2 indirection | semmle.label | src2 indirection |
| overflowdestination.cpp:73:8:73:10 | fgets output argument | semmle.label | fgets output argument |
| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | semmle.label | overflowdest_test2 output argument |
| overflowdestination.cpp:75:30:75:32 | src indirection | semmle.label | src indirection |
@@ -43,9 +37,6 @@ subpaths
| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
#select
| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | src2 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | src2 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |

3
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
View File

@@ -1,13 +1,10 @@
edges
| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
nodes
| test2.cpp:110:3:110:6 | call to gets indirection | semmle.label | call to gets indirection |
| test.cpp:53:27:53:30 | argv indirection | semmle.label | argv indirection |
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
subpaths
#select
| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets indirection | test2.cpp:110:3:110:6 | call to gets indirection | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | call to gets indirection | user input (string read by gets) |
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |

15
cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
View File

@@ -1,6 +1,5 @@
edges
| test.cpp:11:26:11:28 | url indirection | test.cpp:15:30:15:32 | url indirection |
| test.cpp:11:26:11:28 | url indirection | test.cpp:15:30:15:32 | url indirection |
| test.cpp:24:13:24:17 | url_g indirection | test.cpp:38:11:38:15 | url_g indirection |
| test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:24:13:24:17 | url_g indirection |
| test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:24:13:24:17 | url_g indirection |
@@ -23,7 +22,6 @@ edges
nodes
| test.cpp:11:26:11:28 | url indirection | semmle.label | url indirection |
| test.cpp:15:30:15:32 | url indirection | semmle.label | url indirection |
| test.cpp:15:30:15:32 | url indirection | semmle.label | url indirection |
| test.cpp:24:13:24:17 | url_g indirection | semmle.label | url_g indirection |
| test.cpp:24:21:24:40 | http://example.com indirection | semmle.label | http://example.com indirection |
| test.cpp:24:21:24:40 | http://example.com indirection | semmle.label | http://example.com indirection |
@@ -47,27 +45,14 @@ subpaths
#select
| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |

14
cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree.expected
View File

@@ -11,6 +11,9 @@ edges
| test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data |
| test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data |
| test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data |
| test.cpp:164:9:164:9 | c | test.cpp:165:2:165:2 | c |
| test.cpp:164:9:164:9 | c | test.cpp:166:3:166:4 | * ... |
| test.cpp:164:9:164:9 | c | test.cpp:166:4:166:4 | c |
| test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data |
| test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data |
| test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data |
@@ -19,6 +22,7 @@ edges
| test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data |
| test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data |
| test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data |
| test.cpp:216:9:216:9 | x | test.cpp:217:6:217:6 | x |
nodes
| test.cpp:39:7:39:10 | data | semmle.label | data |
| test.cpp:39:7:39:10 | data | semmle.label | data |
@@ -38,6 +42,10 @@ nodes
| test.cpp:138:7:138:10 | data | semmle.label | data |
| test.cpp:138:7:138:10 | data | semmle.label | data |
| test.cpp:141:6:141:9 | data | semmle.label | data |
| test.cpp:164:9:164:9 | c | semmle.label | c |
| test.cpp:165:2:165:2 | c | semmle.label | c |
| test.cpp:166:3:166:4 | * ... | semmle.label | * ... |
| test.cpp:166:4:166:4 | c | semmle.label | c |
| test.cpp:181:7:181:10 | data | semmle.label | data |
| test.cpp:181:7:181:10 | data | semmle.label | data |
| test.cpp:186:6:186:9 | data | semmle.label | data |
@@ -50,6 +58,8 @@ nodes
| test.cpp:207:8:207:11 | data | semmle.label | data |
| test.cpp:209:6:209:9 | data | semmle.label | data |
| test.cpp:209:6:209:9 | data | semmle.label | data |
| test.cpp:216:9:216:9 | x | semmle.label | x |
| test.cpp:217:6:217:6 | x | semmle.label | x |
subpaths
#select
| test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | data | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free |
@@ -64,6 +74,9 @@ subpaths
| test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free |
| test.cpp:141:6:141:9 | data | test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data | Memory may have been previously freed by $@. | test.cpp:138:2:138:5 | call to free | call to free |
| test.cpp:141:6:141:9 | data | test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data | Memory may have been previously freed by $@. | test.cpp:138:2:138:5 | call to free | call to free |
| test.cpp:165:2:165:2 | c | test.cpp:164:9:164:9 | c | test.cpp:165:2:165:2 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete |
| test.cpp:166:3:166:4 | * ... | test.cpp:164:9:164:9 | c | test.cpp:166:3:166:4 | * ... | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete |
| test.cpp:166:4:166:4 | c | test.cpp:164:9:164:9 | c | test.cpp:166:4:166:4 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete |
| test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. | test.cpp:181:2:181:5 | call to free | call to free |
| test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. | test.cpp:181:2:181:5 | call to free | call to free |
| test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. | test.cpp:192:2:192:5 | call to free | call to free |
@@ -72,3 +85,4 @@ subpaths
| test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free |
| test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free |
| test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free |
| test.cpp:217:6:217:6 | x | test.cpp:216:9:216:9 | x | test.cpp:217:6:217:6 | x | Memory may have been previously freed by $@. | test.cpp:216:2:216:9 | delete | delete |

26
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
View File

@@ -1,6 +1,5 @@
edges
| tests2.cpp:50:13:50:19 | global1 indirection | tests2.cpp:82:14:82:20 | global1 indirection |
| tests2.cpp:50:13:50:19 | global1 indirection | tests2.cpp:82:14:82:20 | global1 indirection |
| tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:50:13:50:19 | global1 indirection |
| tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:26 | call to getenv indirection |
| tests2.cpp:64:13:64:18 | call to getenv indirection | tests2.cpp:64:13:64:26 | call to getenv indirection |
@@ -8,29 +7,24 @@ edges
| tests2.cpp:66:13:66:18 | call to getenv indirection | tests2.cpp:66:13:66:34 | call to getenv indirection |
| tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | tests2.cpp:81:14:81:19 | buffer indirection |
| tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection |
| tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection |
| tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection |
| tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection |
| tests2.cpp:109:3:109:36 | ... = ... indirection | tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr indirection] |
| tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr indirection] | tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] |
| tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:109:3:109:36 | ... = ... indirection |
| tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | tests2.cpp:111:14:111:19 | ptr indirection |
| tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | tests2.cpp:111:17:111:19 | ptr indirection |
| tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | tests2.cpp:111:17:111:19 | ptr indirection |
| tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:14:111:19 | ptr indirection |
| tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:17:111:19 | ptr indirection |
| tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:17:111:19 | ptr indirection |
| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection |
| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection |
| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection |
| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection |
| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection |
| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection |
| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection |
| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection |
| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection |
| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection |
| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection |
| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection |
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection |
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection |
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection |
nodes
@@ -52,13 +46,10 @@ nodes
| tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | semmle.label | call to mysql_get_client_info indirection |
| tests2.cpp:81:14:81:19 | buffer indirection | semmle.label | buffer indirection |
| tests2.cpp:82:14:82:20 | global1 indirection | semmle.label | global1 indirection |
| tests2.cpp:82:14:82:20 | global1 indirection | semmle.label | global1 indirection |
| tests2.cpp:91:42:91:45 | str1 indirection | semmle.label | str1 indirection |
| tests2.cpp:93:14:93:17 | str1 indirection | semmle.label | str1 indirection |
| tests2.cpp:93:14:93:17 | str1 indirection | semmle.label | str1 indirection |
| tests2.cpp:101:8:101:15 | call to getpwuid indirection | semmle.label | call to getpwuid indirection |
| tests2.cpp:102:14:102:15 | pw indirection | semmle.label | pw indirection |
| tests2.cpp:102:14:102:15 | pw indirection | semmle.label | pw indirection |
| tests2.cpp:109:3:109:36 | ... = ... indirection | semmle.label | ... = ... indirection |
| tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr indirection] | semmle.label | c1 indirection [post update] [ptr indirection] |
| tests2.cpp:109:12:109:17 | call to getenv indirection | semmle.label | call to getenv indirection |
@@ -69,21 +60,16 @@ nodes
| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | semmle.label | call to getenv indirection |
| tests_sockets.cpp:39:19:39:22 | path indirection | semmle.label | path indirection |
| tests_sockets.cpp:39:19:39:22 | path indirection | semmle.label | path indirection |
| tests_sockets.cpp:39:19:39:22 | path indirection | semmle.label | path indirection |
| tests_sockets.cpp:43:20:43:23 | path indirection | semmle.label | path indirection |
| tests_sockets.cpp:43:20:43:23 | path indirection | semmle.label | path indirection |
| tests_sockets.cpp:43:20:43:23 | path indirection | semmle.label | path indirection |
| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | semmle.label | call to getenv indirection |
| tests_sockets.cpp:76:19:76:22 | path indirection | semmle.label | path indirection |
| tests_sockets.cpp:76:19:76:22 | path indirection | semmle.label | path indirection |
| tests_sockets.cpp:76:19:76:22 | path indirection | semmle.label | path indirection |
| tests_sockets.cpp:80:20:80:23 | path indirection | semmle.label | path indirection |
| tests_sockets.cpp:80:20:80:23 | path indirection | semmle.label | path indirection |
| tests_sockets.cpp:80:20:80:23 | path indirection | semmle.label | path indirection |
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | semmle.label | confstr output argument |
| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
subpaths
#select
| tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv indirection | call to getenv indirection |
@@ -97,25 +83,17 @@ subpaths
| tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
| tests2.cpp:81:14:81:19 | buffer indirection | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | tests2.cpp:81:14:81:19 | buffer indirection | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
| tests2.cpp:82:14:82:20 | global1 indirection | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:82:14:82:20 | global1 indirection | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
| tests2.cpp:82:14:82:20 | global1 indirection | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:82:14:82:20 | global1 indirection | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
| tests2.cpp:93:14:93:17 | str1 indirection | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | str1 indirection | str1 indirection |
| tests2.cpp:93:14:93:17 | str1 indirection | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | str1 indirection | str1 indirection |
| tests2.cpp:102:14:102:15 | pw indirection | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | call to getpwuid indirection | call to getpwuid indirection |
| tests2.cpp:102:14:102:15 | pw indirection | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | call to getpwuid indirection | call to getpwuid indirection |
| tests2.cpp:111:14:111:19 | ptr indirection | tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:111:14:111:19 | ptr indirection | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | call to getenv indirection | call to getenv indirection |
| tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:111:17:111:19 | ptr indirection | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:39:19:39:22 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:39:19:39:22 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:39:19:39:22 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:43:20:43:23 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:43:20:43:23 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:43:20:43:23 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:76:19:76:22 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:76:19:76:22 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:76:19:76:22 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:80:20:80:23 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:80:20:80:23 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
| tests_sockets.cpp:80:20:80:23 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |

21
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected
View File

@@ -6,20 +6,15 @@ edges
| tests.cpp:58:41:58:46 | call to getenv indirection | tests.cpp:58:41:58:62 | call to getenv indirection |
| tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:64 | call to getenv indirection |
| tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:71:27:71:38 | global_token indirection |
| tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:71:27:71:38 | global_token indirection |
| tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:73:27:73:31 | maybe indirection |
| tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:73:27:73:31 | maybe indirection |
| tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:62:7:62:18 | global_token indirection |
| tests.cpp:86:29:86:31 | msg indirection | tests.cpp:88:15:88:17 | msg indirection |
| tests.cpp:86:29:86:31 | msg indirection | tests.cpp:88:15:88:17 | msg indirection |
| tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection |
| tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection |
| tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:86:29:86:31 | msg indirection |
| tests.cpp:107:30:107:32 | msg indirection | tests.cpp:111:15:111:17 | tmp indirection |
| tests.cpp:107:30:107:32 | msg indirection | tests.cpp:111:15:111:17 | tmp indirection |
| tests.cpp:114:30:114:32 | msg indirection | tests.cpp:119:7:119:12 | buffer indirection |
| tests.cpp:122:30:122:32 | msg indirection | tests.cpp:124:15:124:17 | msg indirection |
| tests.cpp:122:30:122:32 | msg indirection | tests.cpp:124:15:124:17 | msg indirection |
| tests.cpp:131:14:131:19 | call to getenv indirection | tests.cpp:131:14:131:35 | call to getenv indirection |
| tests.cpp:131:14:131:35 | call to getenv indirection | tests.cpp:107:30:107:32 | msg indirection |
| tests.cpp:132:14:132:19 | call to getenv indirection | tests.cpp:132:14:132:35 | call to getenv indirection |
@@ -28,8 +23,6 @@ edges
| tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection |
| tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:122:30:122:32 | msg indirection |
| tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection |
| tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection |
| tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection |
| tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection |
nodes
| tests.cpp:48:15:48:20 | call to getenv indirection | semmle.label | call to getenv indirection |
@@ -53,24 +46,19 @@ nodes
| tests.cpp:62:7:62:18 | global_token indirection | semmle.label | global_token indirection |
| tests.cpp:62:22:62:27 | call to getenv indirection | semmle.label | call to getenv indirection |
| tests.cpp:71:27:71:38 | global_token indirection | semmle.label | global_token indirection |
| tests.cpp:71:27:71:38 | global_token indirection | semmle.label | global_token indirection |
| tests.cpp:73:27:73:31 | maybe indirection | semmle.label | maybe indirection |
| tests.cpp:73:27:73:31 | maybe indirection | semmle.label | maybe indirection |
| tests.cpp:86:29:86:31 | msg indirection | semmle.label | msg indirection |
| tests.cpp:88:15:88:17 | msg indirection | semmle.label | msg indirection |
| tests.cpp:88:15:88:17 | msg indirection | semmle.label | msg indirection |
| tests.cpp:97:13:97:18 | call to getenv indirection | semmle.label | call to getenv indirection |
| tests.cpp:97:13:97:18 | call to getenv indirection | semmle.label | call to getenv indirection |
| tests.cpp:97:13:97:34 | call to getenv indirection | semmle.label | call to getenv indirection |
| tests.cpp:97:13:97:34 | call to getenv indirection | semmle.label | call to getenv indirection |
| tests.cpp:107:30:107:32 | msg indirection | semmle.label | msg indirection |
| tests.cpp:111:15:111:17 | tmp indirection | semmle.label | tmp indirection |
| tests.cpp:111:15:111:17 | tmp indirection | semmle.label | tmp indirection |
| tests.cpp:114:30:114:32 | msg indirection | semmle.label | msg indirection |
| tests.cpp:119:7:119:12 | buffer indirection | semmle.label | buffer indirection |
| tests.cpp:122:30:122:32 | msg indirection | semmle.label | msg indirection |
| tests.cpp:124:15:124:17 | msg indirection | semmle.label | msg indirection |
| tests.cpp:124:15:124:17 | msg indirection | semmle.label | msg indirection |
| tests.cpp:131:14:131:19 | call to getenv indirection | semmle.label | call to getenv indirection |
| tests.cpp:131:14:131:35 | call to getenv indirection | semmle.label | call to getenv indirection |
| tests.cpp:132:14:132:19 | call to getenv indirection | semmle.label | call to getenv indirection |
@@ -81,8 +69,6 @@ nodes
| tests.cpp:133:14:133:35 | call to getenv indirection | semmle.label | call to getenv indirection |
| tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | semmle.label | call to getpwnam indirection |
| tests_passwd.cpp:18:29:18:31 | pwd indirection | semmle.label | pwd indirection |
| tests_passwd.cpp:18:29:18:31 | pwd indirection | semmle.label | pwd indirection |
| tests_passwd.cpp:19:26:19:28 | pwd indirection | semmle.label | pwd indirection |
| tests_passwd.cpp:19:26:19:28 | pwd indirection | semmle.label | pwd indirection |
subpaths
#select
@@ -99,21 +85,14 @@ subpaths
| tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv indirection | call to getenv indirection |
| tests.cpp:59:43:59:64 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:64 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv indirection | call to getenv indirection |
| tests.cpp:71:27:71:38 | global_token indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:71:27:71:38 | global_token indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
| tests.cpp:71:27:71:38 | global_token indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:71:27:71:38 | global_token indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
| tests.cpp:73:27:73:31 | maybe indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:73:27:73:31 | maybe indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
| tests.cpp:73:27:73:31 | maybe indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:73:27:73:31 | maybe indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
| tests.cpp:88:15:88:17 | msg indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:88:15:88:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
| tests.cpp:88:15:88:17 | msg indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:88:15:88:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
| tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
| tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
| tests.cpp:111:15:111:17 | tmp indirection | tests.cpp:131:14:131:19 | call to getenv indirection | tests.cpp:111:15:111:17 | tmp indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:19 | call to getenv indirection | call to getenv indirection |
| tests.cpp:111:15:111:17 | tmp indirection | tests.cpp:131:14:131:19 | call to getenv indirection | tests.cpp:111:15:111:17 | tmp indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:19 | call to getenv indirection | call to getenv indirection |
| tests.cpp:119:7:119:12 | buffer indirection | tests.cpp:132:14:132:19 | call to getenv indirection | tests.cpp:119:7:119:12 | buffer indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:19 | call to getenv indirection | call to getenv indirection |
| tests.cpp:124:15:124:17 | msg indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:124:15:124:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
| tests.cpp:124:15:124:17 | msg indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:124:15:124:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
| tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
| tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
| tests_passwd.cpp:18:29:18:31 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |
| tests_passwd.cpp:18:29:18:31 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |
| tests_passwd.cpp:19:26:19:28 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |
| tests_passwd.cpp:19:26:19:28 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |

39
cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected
View File

@@ -1,38 +1,25 @@
edges
| tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | p indirection |
| tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | p indirection |
| tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | p indirection |
| tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | p indirection |
| tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | p indirection |
| tests3.cpp:23:21:23:53 | call to createXMLReader indirection | tests3.cpp:25:2:25:2 | p indirection |
| tests3.cpp:23:21:23:53 | call to createXMLReader indirection | tests3.cpp:25:2:25:2 | p indirection |
| tests3.cpp:35:16:35:20 | p_3_3 indirection | tests3.cpp:38:2:38:6 | p_3_3 indirection |
| tests3.cpp:35:16:35:20 | p_3_3 indirection | tests3.cpp:38:2:38:6 | p_3_3 indirection |
| tests3.cpp:35:24:35:56 | call to createXMLReader indirection | tests3.cpp:35:16:35:20 | p_3_3 indirection |
| tests3.cpp:48:16:48:20 | p_3_5 indirection | tests3.cpp:56:2:56:6 | p_3_5 indirection |
| tests3.cpp:48:16:48:20 | p_3_5 indirection | tests3.cpp:56:2:56:6 | p_3_5 indirection |
| tests3.cpp:48:24:48:56 | call to createXMLReader indirection | tests3.cpp:48:16:48:20 | p_3_5 indirection |
| tests3.cpp:60:21:60:53 | call to createXMLReader indirection | tests3.cpp:63:2:63:2 | p indirection |
| tests3.cpp:60:21:60:53 | call to createXMLReader indirection | tests3.cpp:63:2:63:2 | p indirection |
| tests3.cpp:67:21:67:53 | call to createXMLReader indirection | tests3.cpp:70:2:70:2 | p indirection |
| tests3.cpp:67:21:67:53 | call to createXMLReader indirection | tests3.cpp:70:2:70:2 | p indirection |
| tests5.cpp:27:25:27:38 | call to createLSParser indirection | tests5.cpp:29:2:29:2 | p indirection |
| tests5.cpp:27:25:27:38 | call to createLSParser indirection | tests5.cpp:29:2:29:2 | p indirection |
| tests5.cpp:40:25:40:38 | call to createLSParser indirection | tests5.cpp:43:2:43:2 | p indirection |
| tests5.cpp:40:25:40:38 | call to createLSParser indirection | tests5.cpp:43:2:43:2 | p indirection |
| tests5.cpp:55:25:55:38 | call to createLSParser indirection | tests5.cpp:59:2:59:2 | p indirection |
| tests5.cpp:55:25:55:38 | call to createLSParser indirection | tests5.cpp:59:2:59:2 | p indirection |
| tests5.cpp:63:21:63:24 | g_p2 indirection | tests5.cpp:77:2:77:5 | g_p2 indirection |
| tests5.cpp:63:21:63:24 | g_p2 indirection | tests5.cpp:77:2:77:5 | g_p2 indirection |
| tests5.cpp:70:17:70:30 | call to createLSParser indirection | tests5.cpp:63:21:63:24 | g_p2 indirection |
| tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:83:2:83:2 | p indirection |
| tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:83:2:83:2 | p indirection |
| tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:83:2:83:2 | p indirection |
| tests5.cpp:83:2:83:2 | p indirection | tests5.cpp:85:2:85:2 | p indirection |
| tests5.cpp:85:2:85:2 | p indirection | tests5.cpp:86:2:86:2 | p indirection |
| tests5.cpp:86:2:86:2 | p indirection | tests5.cpp:88:2:88:2 | p indirection |
| tests5.cpp:88:2:88:2 | p indirection | tests5.cpp:89:2:89:2 | p indirection |
| tests5.cpp:88:2:88:2 | p indirection | tests5.cpp:89:2:89:2 | p indirection |
| tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | p indirection |
| tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | p indirection |
| tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:35:23:35:43 | new indirection |
@@ -63,29 +50,22 @@ edges
nodes
| tests2.cpp:20:17:20:31 | call to SAXParser | semmle.label | call to SAXParser |
| tests2.cpp:22:2:22:2 | p indirection | semmle.label | p indirection |
| tests2.cpp:22:2:22:2 | p indirection | semmle.label | p indirection |
| tests2.cpp:33:17:33:31 | call to SAXParser | semmle.label | call to SAXParser |
| tests2.cpp:37:2:37:2 | p indirection | semmle.label | p indirection |
| tests2.cpp:37:2:37:2 | p indirection | semmle.label | p indirection |
| tests2.cpp:49:12:49:12 | call to SAXParser | semmle.label | call to SAXParser |
| tests2.cpp:51:2:51:2 | p indirection | semmle.label | p indirection |
| tests3.cpp:23:21:23:53 | call to createXMLReader indirection | semmle.label | call to createXMLReader indirection |
| tests3.cpp:25:2:25:2 | p indirection | semmle.label | p indirection |
| tests3.cpp:25:2:25:2 | p indirection | semmle.label | p indirection |
| tests3.cpp:35:16:35:20 | p_3_3 indirection | semmle.label | p_3_3 indirection |
| tests3.cpp:35:24:35:56 | call to createXMLReader indirection | semmle.label | call to createXMLReader indirection |
| tests3.cpp:38:2:38:6 | p_3_3 indirection | semmle.label | p_3_3 indirection |
| tests3.cpp:38:2:38:6 | p_3_3 indirection | semmle.label | p_3_3 indirection |
| tests3.cpp:48:16:48:20 | p_3_5 indirection | semmle.label | p_3_5 indirection |
| tests3.cpp:48:24:48:56 | call to createXMLReader indirection | semmle.label | call to createXMLReader indirection |
| tests3.cpp:56:2:56:6 | p_3_5 indirection | semmle.label | p_3_5 indirection |
| tests3.cpp:56:2:56:6 | p_3_5 indirection | semmle.label | p_3_5 indirection |
| tests3.cpp:60:21:60:53 | call to createXMLReader indirection | semmle.label | call to createXMLReader indirection |
| tests3.cpp:63:2:63:2 | p indirection | semmle.label | p indirection |
| tests3.cpp:63:2:63:2 | p indirection | semmle.label | p indirection |
| tests3.cpp:67:21:67:53 | call to createXMLReader indirection | semmle.label | call to createXMLReader indirection |
| tests3.cpp:70:2:70:2 | p indirection | semmle.label | p indirection |
| tests3.cpp:70:2:70:2 | p indirection | semmle.label | p indirection |
| tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | semmle.label | XML_PARSE_NOENT |
| tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | semmle.label | XML_PARSE_DTDLOAD |
| tests4.cpp:46:34:46:68 | ... \| ... | semmle.label | ... \| ... |
@@ -93,26 +73,20 @@ nodes
| tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | semmle.label | XML_PARSE_DTDLOAD |
| tests5.cpp:27:25:27:38 | call to createLSParser indirection | semmle.label | call to createLSParser indirection |
| tests5.cpp:29:2:29:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:29:2:29:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:40:25:40:38 | call to createLSParser indirection | semmle.label | call to createLSParser indirection |
| tests5.cpp:43:2:43:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:43:2:43:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:55:25:55:38 | call to createLSParser indirection | semmle.label | call to createLSParser indirection |
| tests5.cpp:59:2:59:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:59:2:59:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:63:21:63:24 | g_p2 indirection | semmle.label | g_p2 indirection |
| tests5.cpp:70:17:70:30 | call to createLSParser indirection | semmle.label | call to createLSParser indirection |
| tests5.cpp:77:2:77:5 | g_p2 indirection | semmle.label | g_p2 indirection |
| tests5.cpp:77:2:77:5 | g_p2 indirection | semmle.label | g_p2 indirection |
| tests5.cpp:81:25:81:38 | call to createLSParser indirection | semmle.label | call to createLSParser indirection |
| tests5.cpp:83:2:83:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:83:2:83:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:83:2:83:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:85:2:85:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:86:2:86:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:88:2:88:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:89:2:89:2 | p indirection | semmle.label | p indirection |
| tests5.cpp:89:2:89:2 | p indirection | semmle.label | p indirection |
| tests.cpp:15:23:15:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
| tests.cpp:17:2:17:2 | p indirection | semmle.label | p indirection |
| tests.cpp:28:23:28:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
@@ -152,19 +126,12 @@ nodes
subpaths
#select
| tests2.cpp:22:2:22:2 | p indirection | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser |
| tests2.cpp:22:2:22:2 | p indirection | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser |
| tests2.cpp:37:2:37:2 | p indirection | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | call to SAXParser | XML parser |
| tests2.cpp:37:2:37:2 | p indirection | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | call to SAXParser | XML parser |
| tests2.cpp:51:2:51:2 | p indirection | tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:49:12:49:12 | call to SAXParser | XML parser |
| tests3.cpp:25:2:25:2 | p indirection | tests3.cpp:23:21:23:53 | call to createXMLReader indirection | tests3.cpp:25:2:25:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | call to createXMLReader indirection | XML parser |
| tests3.cpp:25:2:25:2 | p indirection | tests3.cpp:23:21:23:53 | call to createXMLReader indirection | tests3.cpp:25:2:25:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | call to createXMLReader indirection | XML parser |
| tests3.cpp:38:2:38:6 | p_3_3 indirection | tests3.cpp:35:24:35:56 | call to createXMLReader indirection | tests3.cpp:38:2:38:6 | p_3_3 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:35:24:35:56 | call to createXMLReader indirection | XML parser |
| tests3.cpp:38:2:38:6 | p_3_3 indirection | tests3.cpp:35:24:35:56 | call to createXMLReader indirection | tests3.cpp:38:2:38:6 | p_3_3 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:35:24:35:56 | call to createXMLReader indirection | XML parser |
| tests3.cpp:56:2:56:6 | p_3_5 indirection | tests3.cpp:48:24:48:56 | call to createXMLReader indirection | tests3.cpp:56:2:56:6 | p_3_5 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:48:24:48:56 | call to createXMLReader indirection | XML parser |
| tests3.cpp:56:2:56:6 | p_3_5 indirection | tests3.cpp:48:24:48:56 | call to createXMLReader indirection | tests3.cpp:56:2:56:6 | p_3_5 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:48:24:48:56 | call to createXMLReader indirection | XML parser |
| tests3.cpp:63:2:63:2 | p indirection | tests3.cpp:60:21:60:53 | call to createXMLReader indirection | tests3.cpp:63:2:63:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:60:21:60:53 | call to createXMLReader indirection | XML parser |
| tests3.cpp:63:2:63:2 | p indirection | tests3.cpp:60:21:60:53 | call to createXMLReader indirection | tests3.cpp:63:2:63:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:60:21:60:53 | call to createXMLReader indirection | XML parser |
| tests3.cpp:70:2:70:2 | p indirection | tests3.cpp:67:21:67:53 | call to createXMLReader indirection | tests3.cpp:70:2:70:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:67:21:67:53 | call to createXMLReader indirection | XML parser |
| tests3.cpp:70:2:70:2 | p indirection | tests3.cpp:67:21:67:53 | call to createXMLReader indirection | tests3.cpp:70:2:70:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:67:21:67:53 | call to createXMLReader indirection | XML parser |
| tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | XML parser |
| tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | XML parser |
@@ -172,16 +139,10 @@ subpaths
| tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:77:34:77:38 | flags | XML parser |
| tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | XML parser |
| tests5.cpp:29:2:29:2 | p indirection | tests5.cpp:27:25:27:38 | call to createLSParser indirection | tests5.cpp:29:2:29:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:27:25:27:38 | call to createLSParser indirection | XML parser |
| tests5.cpp:29:2:29:2 | p indirection | tests5.cpp:27:25:27:38 | call to createLSParser indirection | tests5.cpp:29:2:29:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:27:25:27:38 | call to createLSParser indirection | XML parser |
| tests5.cpp:43:2:43:2 | p indirection | tests5.cpp:40:25:40:38 | call to createLSParser indirection | tests5.cpp:43:2:43:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:40:25:40:38 | call to createLSParser indirection | XML parser |
| tests5.cpp:43:2:43:2 | p indirection | tests5.cpp:40:25:40:38 | call to createLSParser indirection | tests5.cpp:43:2:43:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:40:25:40:38 | call to createLSParser indirection | XML parser |
| tests5.cpp:59:2:59:2 | p indirection | tests5.cpp:55:25:55:38 | call to createLSParser indirection | tests5.cpp:59:2:59:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:55:25:55:38 | call to createLSParser indirection | XML parser |
| tests5.cpp:59:2:59:2 | p indirection | tests5.cpp:55:25:55:38 | call to createLSParser indirection | tests5.cpp:59:2:59:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:55:25:55:38 | call to createLSParser indirection | XML parser |
| tests5.cpp:77:2:77:5 | g_p2 indirection | tests5.cpp:70:17:70:30 | call to createLSParser indirection | tests5.cpp:77:2:77:5 | g_p2 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | call to createLSParser indirection | XML parser |
| tests5.cpp:77:2:77:5 | g_p2 indirection | tests5.cpp:70:17:70:30 | call to createLSParser indirection | tests5.cpp:77:2:77:5 | g_p2 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | call to createLSParser indirection | XML parser |
| tests5.cpp:83:2:83:2 | p indirection | tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:83:2:83:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser indirection | XML parser |
| tests5.cpp:83:2:83:2 | p indirection | tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:83:2:83:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser indirection | XML parser |
| tests5.cpp:89:2:89:2 | p indirection | tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:89:2:89:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser indirection | XML parser |
| tests5.cpp:89:2:89:2 | p indirection | tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:89:2:89:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser indirection | XML parser |
| tests.cpp:17:2:17:2 | p indirection | tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:15:23:15:43 | call to XercesDOMParser | XML parser |
| tests.cpp:31:2:31:2 | p indirection | tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:28:23:28:43 | call to XercesDOMParser | XML parser |

6
csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/Semmle.Autobuild.CSharp.Tests.csproj
View File

@@ -8,12 +8,12 @@
<ItemGroup>
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
<PackageReference Include="xunit" Version="2.5.0" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.5.0">
<PackageReference Include="xunit" Version="2.4.2" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\Semmle.Autobuild.CSharp\Semmle.Autobuild.CSharp.csproj" />

4
csharp/autobuilder/Semmle.Autobuild.CSharp/Semmle.Autobuild.CSharp.csproj
View File

@@ -14,8 +14,8 @@
<Folder Include="Properties\" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Build" Version="17.7.2" />
<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
<PackageReference Include="Microsoft.Build" Version="17.3.2" />
<PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\extractor\Semmle.Util\Semmle.Util.csproj" />

2
csharp/autobuilder/Semmle.Autobuild.Shared/Semmle.Autobuild.Shared.csproj
View File

@@ -11,7 +11,7 @@
<Folder Include="Properties\" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Build" Version="17.7.2" />
<PackageReference Include="Microsoft.Build" Version="17.3.2" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\extractor\Semmle.Util\Semmle.Util.csproj" />

2
csharp/extractor/Semmle.Extraction.CIL/Semmle.Extraction.CIL.csproj
View File

@@ -24,7 +24,7 @@
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.DiaSymReader" Version="2.0.0" />
<PackageReference Include="Microsoft.DiaSymReader" Version="1.4.0" />
<PackageReference Include="Microsoft.DiaSymReader.Native" Version="1.7.0" />
<PackageReference Include="Microsoft.DiaSymReader.PortablePdb" Version="1.6.0"><IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>

5
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
View File

@@ -85,11 +85,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
}
}
if (options.UseMscorlib)
{
UseReference(typeof(object).Assembly.Location);
}
if (options.UseNuGet)
{
dllDirNames.Add(packageDirectory.DirInfo.FullName);

7
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyOptions.cs
View File

@@ -40,11 +40,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
/// </summary>
bool ScanNetFrameworkDlls { get; }
/// <summary>
/// Whether to use mscorlib as a reference.
/// </summary>
bool UseMscorlib { get; }
/// <summary>
/// Determine whether the given path should be excluded.
/// </summary>
@@ -74,8 +69,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
public bool ScanNetFrameworkDlls { get; set; } = true;
public bool UseMscorlib { get; set; } = true;
public bool ExcludesFile(string path) =>
Excludes.Any(path.Contains);

34
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotnetVersion.cs
View File

@@ -10,16 +10,44 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
private readonly Version? preReleaseVersion;
private readonly string? preReleaseVersionType;
private bool IsPreRelease => preReleaseVersionType is not null && preReleaseVersion is not null;
public string FullPath
private string FullVersion
{
get
{
var preRelease = IsPreRelease ? $"-{preReleaseVersionType}.{preReleaseVersion}" : "";
var version = this.version + preRelease;
return Path.Combine(dir, version);
return this.version + preRelease;
}
}
public string FullPath => Path.Combine(dir, FullVersion);
/**
* The full path to the reference assemblies for this runtime.
* This is the same as FullPath, except that we assume that the
* reference assemblies are in a directory called "packs" and
* the reference assemblies themselves are in a directory called
* "<Framework>.Ref/ref".
* Example:
* FullPath: /usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.2
* FullPathReferenceAssemblies: /usr/share/dotnet/packs/Microsoft.NETCore.App.Ref/7.0.2/ref
*/
public string? FullPathReferenceAssemblies
{
get
{
var directories = dir.Split(Path.DirectorySeparatorChar);
if (directories.Length >= 2)
{
directories[^2] = "packs";
directories[^1] = $"{directories[^1]}.Ref";
return Path.Combine(string.Join(Path.DirectorySeparatorChar, directories), FullVersion, "ref");
}
return null;
}
}
public DotnetVersion(string dir, string version, string preReleaseVersionType, string preReleaseVersion)
{
this.dir = dir;

26
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/Runtime.cs
View File

@@ -94,6 +94,18 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
}
}
private string? GetVersion(string framework)
{
if (NewestRuntimes.TryGetValue(framework, out var version))
{
var refAssemblies = version.FullPathReferenceAssemblies;
return Directory.Exists(refAssemblies)
? refAssemblies
: version.FullPath;
}
return null;
}
/// <summary>
/// Gets the .NET runtime location to use for extraction.
/// </summary>
@@ -105,9 +117,9 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
}
// Location of the newest .NET Core Runtime.
if (NewestRuntimes.TryGetValue(netCoreApp, out var netCoreVersion))
if (GetVersion(netCoreApp) is string path)
{
return netCoreVersion.FullPath;
return path;
}
if (DesktopRuntimes.Any())
@@ -122,14 +134,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
/// <summary>
/// Gets the ASP.NET runtime location to use for extraction, if one exists.
/// </summary>
public string? GetAspRuntime()
{
// Location of the newest ASP.NET Core Runtime.
if (NewestRuntimes.TryGetValue(aspNetCoreApp, out var aspNetCoreVersion))
{
return aspNetCoreVersion.FullPath;
}
return null;
}
public string? GetAspRuntime() => GetVersion(aspNetCoreApp);
}
}

6
csharp/extractor/Semmle.Extraction.CSharp.Standalone/Options.cs
View File

@@ -29,9 +29,6 @@ namespace Semmle.Extraction.CSharp.Standalone
case "all-references":
AnalyseCsProjFiles = !value;
return true;
case "stdlib":
dependencies.UseMscorlib = value;
return true;
case "skip-dotnet":
dependencies.ScanNetFrameworkDlls = !value;
return true;
@@ -110,7 +107,7 @@ namespace Semmle.Extraction.CSharp.Standalone
/// <summary>
/// Outputs the command line options to the console.
/// </summary>
public static void ShowHelp(System.IO.TextWriter output)
public static void ShowHelp(TextWriter output)
{
output.WriteLine("C# standalone extractor\n\nExtracts a C# project in the current directory without performing a build.\n");
output.WriteLine("Additional options:\n");
@@ -121,7 +118,6 @@ namespace Semmle.Extraction.CSharp.Standalone
output.WriteLine(" --dry-run Stop before extraction");
output.WriteLine(" --skip-nuget Do not download nuget packages");
output.WriteLine(" --all-references Use all references (default is to only use references in .csproj files)");
output.WriteLine(" --nostdlib Do not link mscorlib.dll (use only for extracting mscorlib itself)");
output.WriteLine(" --threads:nnn Specify number of threads (default=CPU cores)");
output.WriteLine(" --verbose Produce more output");
output.WriteLine(" --pdb Cross-reference information from PDBs where available");

2
csharp/extractor/Semmle.Extraction.CSharp.Standalone/Semmle.Extraction.CSharp.Standalone.csproj
View File

@@ -19,7 +19,7 @@
<Folder Include="Properties\" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Build" Version="17.7.2" />
<PackageReference Include="Microsoft.Build" Version="17.3.2" />
<PackageReference Include="Microsoft.Win32.Primitives" Version="4.3.0" />
<PackageReference Include="System.Net.Primitives" Version="4.3.1" />
<PackageReference Include="System.Security.Principal" Version="4.3.0" />

4
csharp/extractor/Semmle.Extraction.CSharp/Semmle.Extraction.CSharp.csproj
View File

@@ -18,7 +18,7 @@
<Folder Include="Properties\" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.7.0" />
<PackageReference Include="Microsoft.Build" Version="17.7.2" />
<PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.4.0" />
<PackageReference Include="Microsoft.Build" Version="17.3.2" />
</ItemGroup>
</Project>

6
csharp/extractor/Semmle.Extraction.Tests/Options.cs
View File

@@ -135,9 +135,8 @@ namespace Semmle.Extraction.Tests
public void StandaloneDefaults()
{
standaloneOptions = CSharp.Standalone.Options.Create(Array.Empty<string>());
Assert.Equal(0, standaloneOptions.Dependencies.DllDirs.Count);
Assert.Empty(standaloneOptions.Dependencies.DllDirs);
Assert.True(standaloneOptions.Dependencies.UseNuGet);
Assert.True(standaloneOptions.Dependencies.UseMscorlib);
Assert.False(standaloneOptions.SkipExtraction);
Assert.Null(standaloneOptions.Dependencies.SolutionFile);
Assert.True(standaloneOptions.Dependencies.ScanNetFrameworkDlls);
@@ -147,12 +146,11 @@ namespace Semmle.Extraction.Tests
[Fact]
public void StandaloneOptions()
{
standaloneOptions = CSharp.Standalone.Options.Create(new string[] { "--references:foo", "--silent", "--skip-nuget", "--skip-dotnet", "--exclude", "bar", "--nostdlib" });
standaloneOptions = CSharp.Standalone.Options.Create(new string[] { "--references:foo", "--silent", "--skip-nuget", "--skip-dotnet", "--exclude", "bar" });
Assert.Equal("foo", standaloneOptions.Dependencies.DllDirs[0]);
Assert.Equal("bar", standaloneOptions.Dependencies.Excludes[0]);
Assert.Equal(Verbosity.Off, standaloneOptions.Verbosity);
Assert.False(standaloneOptions.Dependencies.UseNuGet);
Assert.False(standaloneOptions.Dependencies.UseMscorlib);
Assert.False(standaloneOptions.Dependencies.ScanNetFrameworkDlls);
Assert.False(standaloneOptions.Errors);
Assert.False(standaloneOptions.Help);

6
csharp/extractor/Semmle.Extraction.Tests/Semmle.Extraction.Tests.csproj
View File

@@ -8,12 +8,12 @@
<ItemGroup>
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
<PackageReference Include="xunit" Version="2.5.0" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.5.0">
<PackageReference Include="xunit" Version="2.4.2" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\Semmle.Extraction.CSharp.Standalone\Semmle.Extraction.CSharp.Standalone.csproj" />

6
csharp/extractor/Semmle.Extraction/Semmle.Extraction.csproj
View File

@@ -12,9 +12,9 @@
<DefineConstants>TRACE;DEBUG;DEBUG_LABELS</DefineConstants>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Build" Version="17.7.2" />
<PackageReference Include="Microsoft.CodeAnalysis" Version="4.7.0" />
<PackageReference Include="GitInfo" Version="3.3.1">
<PackageReference Include="Microsoft.Build" Version="17.3.2" />
<PackageReference Include="Microsoft.CodeAnalysis" Version="4.4.0" />
<PackageReference Include="GitInfo" Version="2.2.0">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>

6
csharp/extractor/Semmle.Util.Tests/Semmle.Util.Tests.csproj
View File

@@ -6,12 +6,12 @@
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="xunit" Version="2.5.0" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.5.0">
<PackageReference Include="xunit" Version="2.4.2" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj" />

2
csharp/extractor/Semmle.Util/Semmle.Util.csproj
View File

@@ -15,7 +15,7 @@
<ItemGroup>
<PackageReference Include="Mono.Posix.NETStandard" Version="1.0.0" />
<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
<PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
</ItemGroup>
</Project>

4
csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.6.4
No user-facing changes.
## 1.6.3
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.4.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.6.4
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.6.3
lastReleaseVersion: 1.6.4

2
csharp/ql/campaigns/Solorigate/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.6.4-dev
version: 1.6.4
groups:
- csharp
- solorigate

4
csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 1.6.4
No user-facing changes.
## 1.6.3
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.6.4.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.6.4
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.6.3
lastReleaseVersion: 1.6.4

2
csharp/ql/campaigns/Solorigate/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.6.4-dev
version: 1.6.4
groups:
- csharp
- solorigate

37
csharp/ql/consistency-queries/DataFlowConsistency.ql
View File

@@ -1,12 +1,13 @@
import csharp
import cil
import semmle.code.csharp.dataflow.internal.DataFlowPrivate
import semmle.code.csharp.dataflow.internal.DataFlowPublic
import semmle.code.csharp.dataflow.internal.DataFlowDispatch
import semmle.code.csharp.dataflow.internal.DataFlowImplConsistency::Consistency
private import semmle.code.csharp.dataflow.internal.DataFlowImplSpecific
private import semmle.code.csharp.dataflow.internal.TaintTrackingImplSpecific
private import codeql.dataflow.internal.DataFlowImplConsistency
private class MyConsistencyConfiguration extends ConsistencyConfiguration {
override predicate uniqueEnclosingCallableExclude(Node n) {
private module Input implements InputSig<CsharpDataFlow> {
private import CsharpDataFlow
predicate uniqueEnclosingCallableExclude(Node n) {
// TODO: Remove once static initializers are folded into the
// static constructors
exists(ControlFlow::Node cfn |
@@ -15,7 +16,7 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
)
}
override predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) {
predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) {
// TODO: Remove once static initializers are folded into the
// static constructors
exists(ControlFlow::Node cfn |
@@ -24,25 +25,25 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
)
}
override predicate uniqueNodeLocationExclude(Node n) {
predicate uniqueNodeLocationExclude(Node n) {
// Methods with multiple implementations
n instanceof ParameterNode
or
this.missingLocationExclude(n)
missingLocationExclude(n)
}
override predicate missingLocationExclude(Node n) {
predicate missingLocationExclude(Node n) {
// Some CIL methods are missing locations
n.asParameter() instanceof CIL::Parameter
}
override predicate postWithInFlowExclude(Node n) {
predicate postWithInFlowExclude(Node n) {
n instanceof FlowSummaryNode
or
n.asExpr().(ObjectCreation).hasInitializer()
}
override predicate argHasPostUpdateExclude(ArgumentNode n) {
predicate argHasPostUpdateExclude(ArgumentNode n) {
n instanceof FlowSummaryNode
or
not exists(LocalFlow::getAPostUpdateNodeForArg(n.getControlFlowNode()))
@@ -54,7 +55,7 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
n.asExpr() instanceof CIL::Expr
}
override predicate postHasUniquePreExclude(PostUpdateNode n) {
predicate postHasUniquePreExclude(PostUpdateNode n) {
exists(ControlFlow::Nodes::ExprNode e, ControlFlow::Nodes::ExprNode arg |
e = LocalFlow::getAPostUpdateNodeForArg(arg) and
e != arg and
@@ -62,7 +63,7 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
)
}
override predicate uniquePostUpdateExclude(Node n) {
predicate uniquePostUpdateExclude(Node n) {
exists(ControlFlow::Nodes::ExprNode e, ControlFlow::Nodes::ExprNode arg |
e = LocalFlow::getAPostUpdateNodeForArg(arg) and
e != arg and
@@ -70,12 +71,12 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
)
}
override predicate reverseReadExclude(Node n) { n.asExpr() = any(AwaitExpr ae).getExpr() }
override predicate identityLocalStepExclude(Node n) { none() }
predicate reverseReadExclude(Node n) { n.asExpr() = any(AwaitExpr ae).getExpr() }
}
query predicate multipleToString(Node n, string s) {
import MakeConsistency<CsharpDataFlow, CsharpTaintTracking, Input>
query predicate multipleToString(DataFlow::Node n, string s) {
s = strictconcat(n.toString(), ",") and
strictcount(n.toString()) > 1
}

6
csharp/ql/integration-tests/posix-only/dotnet_test/dotnet_test.csproj
View File

@@ -8,10 +8,10 @@
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
<PackageReference Include="NUnit" Version="3.13.3" />
<PackageReference Include="NUnit3TestAdapter" Version="4.5.0" />
<PackageReference Include="coverlet.collector" Version="6.0.0" />
<PackageReference Include="NUnit3TestAdapter" Version="4.3.0" />
<PackageReference Include="coverlet.collector" Version="3.2.0" />
</ItemGroup>
</Project>

8
csharp/ql/integration-tests/posix-only/dotnet_test_mstest/dotnet_test_mstest.csproj
View File

@@ -10,10 +10,10 @@
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
<PackageReference Include="MSTest.TestAdapter" Version="3.1.1" />
<PackageReference Include="MSTest.TestFramework" Version="3.1.1" />
<PackageReference Include="coverlet.collector" Version="6.0.0" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.3.2" />
<PackageReference Include="MSTest.TestAdapter" Version="2.2.10" />
<PackageReference Include="MSTest.TestFramework" Version="2.2.10" />
<PackageReference Include="coverlet.collector" Version="3.1.2" />
</ItemGroup>
</Project>

6
csharp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 0.7.4
### Minor Analysis Improvements
* The `--nostdlib` extractor option for the standalone extractor has been removed.
## 0.7.3
### Minor Analysis Improvements

5
csharp/ql/lib/change-notes/released/0.7.4.md Normal file
View File

@@ -0,0 +1,5 @@
## 0.7.4
### Minor Analysis Improvements
* The `--nostdlib` extractor option for the standalone extractor has been removed.

2
csharp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.3
lastReleaseVersion: 0.7.4

2
csharp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 0.7.4-dev
version: 0.7.4
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp

10
csharp/ql/lib/semmle/code/cil/Stubs.qll
View File

@@ -32,11 +32,11 @@ private module Cached {
exists(Assembly asm |
asm = mi.getLocation() and
(assemblyIsStubImpl(asm) implies asm.getFile().extractedQlTest()) and
not exists(MethodImplementation better | mi.getMethod() = better.getMethod() |
mi.getNumberOfInstructions() < better.getNumberOfInstructions()
or
mi.getNumberOfInstructions() = better.getNumberOfInstructions() and
asm.getFile().toString() > better.getLocation().getFile().toString()
mi =
max(MethodImplementation impl |
mi.getMethod() = impl.getMethod()
|
impl order by impl.getNumberOfInstructions(), impl.getLocation().getFile().toString() desc
) and
exists(mi.getAnInstruction())
)

11
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
View File

@@ -109,8 +109,8 @@ private module Cached {
TExplicitDelegateLikeCall(ControlFlow::Nodes::ElementNode cfn, DelegateLikeCall dc) {
cfn.getAstNode() = dc
} or
TTransitiveCapturedCall(ControlFlow::Nodes::ElementNode cfn, Callable target) {
transitiveCapturedCallTarget(cfn, target)
TTransitiveCapturedCall(ControlFlow::Nodes::ElementNode cfn) {
transitiveCapturedCallTarget(cfn, _)
} or
TCilCall(CIL::Call call) {
// No need to include calls that are compiled from source
@@ -389,11 +389,12 @@ class ExplicitDelegateLikeDataFlowCall extends DelegateDataFlowCall, TExplicitDe
*/
class TransitiveCapturedDataFlowCall extends DataFlowCall, TTransitiveCapturedCall {
private ControlFlow::Nodes::ElementNode cfn;
private Callable target;
TransitiveCapturedDataFlowCall() { this = TTransitiveCapturedCall(cfn, target) }
TransitiveCapturedDataFlowCall() { this = TTransitiveCapturedCall(cfn) }
override DataFlowCallable getARuntimeTarget() { result.asCallable() = target }
override DataFlowCallable getARuntimeTarget() {
transitiveCapturedCallTarget(cfn, result.asCallable())
}
override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }

2
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
View File

@@ -1564,7 +1564,7 @@ private module OutNodes {
additionalCalls = false and call = csharpCall(_, cfn)
or
additionalCalls = true and
call = TTransitiveCapturedCall(cfn, n.getEnclosingCallable())
call = TTransitiveCapturedCall(cfn)
)
}

4
csharp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.7.4
No user-facing changes.
## 0.7.3
No user-facing changes.

3
csharp/ql/src/change-notes/released/0.7.4.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.7.4
No user-facing changes.

Some files were not shown because too many files have changed in this diff Show More