Merge branch 'master' into rdmarsh/cpp/ir-flow-through-outparams

cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.expected

@@ -1,5 +1,9 @@
 | test2.cpp:19:3:19:6 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:18:12:18:18 | new | new |
 | test2.cpp:26:3:26:6 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:25:7:25:13 | new | new |
+| test2.cpp:51:2:51:5 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:45:18:45:24 | new | new |
+| test2.cpp:55:2:55:5 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:46:20:46:33 | call to operator new | new |
+| test2.cpp:57:2:57:18 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test2.cpp:47:21:47:26 | call to malloc | malloc |
+| test2.cpp:58:2:58:18 | call to operator delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test2.cpp:47:21:47:26 | call to malloc | malloc |
 | test.cpp:36:2:36:17 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:27:18:27:23 | call to malloc | malloc |
 | test.cpp:41:2:41:5 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test.cpp:26:7:26:17 | new | new |
 | test.cpp:68:3:68:11 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:64:28:64:33 | call to malloc | malloc |

cpp/ql/test/query-tests/Critical/NewFree/test2.cpp

@@ -34,3 +34,27 @@ public:
 };
 
 MyTest2Class<int> mt2c_i;
+
+// ---
+
+void* operator new(size_t);
+void operator delete(void*);
+
+void test_operator_new()
+{
+	void *ptr_new = new int;
+	void *ptr_opnew = ::operator new(sizeof(int));
+	void *ptr_malloc = malloc(sizeof(int));
+
+	delete ptr_new; // GOOD
+	::operator delete(ptr_new); // GOOD
+	free(ptr_new); // BAD
+
+	delete ptr_opnew; // GOOD
+	::operator delete(ptr_opnew); // GOOD
+	free(ptr_opnew); // BAD
+
+	delete ptr_malloc; // BAD
+	::operator delete(ptr_malloc); // BAD
+	free(ptr_malloc); // GOOD
+}

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected

@@ -1 +1,13 @@
-| test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |
+edges
+| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | (const char *)... |
+| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | (const char *)... |
+| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
+| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
+nodes
+| test.c:9:23:9:26 | argv | semmle.label | argv |
+| test.c:9:23:9:26 | argv | semmle.label | argv |
+| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
+| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
+| test.c:17:11:17:18 | fileName | semmle.label | fileName |
+#select
+| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected

@@ -1,2 +1,30 @@
-| search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
-| search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
+edges
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | (const char *)... |
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
+| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
+| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
+| search.c:41:21:41:26 | call to getenv | search.c:45:17:45:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:45:17:45:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:47:17:47:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:47:17:47:25 | raw_query |
+| search.c:45:17:45:25 | raw_query | search.c:14:24:14:28 | query |
+| search.c:47:17:47:25 | raw_query | search.c:22:24:22:28 | query |
+nodes
+| search.c:14:24:14:28 | query | semmle.label | query |
+| search.c:17:8:17:12 | (const char *)... | semmle.label | (const char *)... |
+| search.c:17:8:17:12 | (const char *)... | semmle.label | (const char *)... |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:22:24:22:28 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
+| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
+| search.c:45:17:45:25 | raw_query | semmle.label | raw_query |
+| search.c:47:17:47:25 | raw_query | semmle.label | raw_query |
+#select
+| search.c:17:8:17:12 | query | search.c:41:21:41:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
+| search.c:23:39:23:43 | query | search.c:41:21:41:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |

cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -1,2 +1,25 @@
-| test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
-| test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
+edges
+| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
+| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
+| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
+| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
+| test.cpp:42:18:42:23 | call to getenv | test.cpp:24:30:24:36 | command |
+| test.cpp:42:18:42:34 | (const char *)... | test.cpp:24:30:24:36 | command |
+| test.cpp:43:18:43:23 | call to getenv | test.cpp:29:30:29:36 | command |
+| test.cpp:43:18:43:34 | (const char *)... | test.cpp:29:30:29:36 | command |
+nodes
+| test.cpp:24:30:24:36 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:29:30:29:36 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:43:18:43:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:43:18:43:34 | (const char *)... | semmle.label | (const char *)... |
+#select
+| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
+| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected

@@ -0,0 +1,3 @@
+edges
+nodes
+#select

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected

@@ -1,5 +1,53 @@
-| tests.c:28:3:28:9 | call to sprintf | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
-| tests.c:29:3:29:9 | call to sprintf | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
-| tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
-| tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
-| tests.c:34:25:34:33 | buffer100 | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |
+edges
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | (const char *)... |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | (const char *)... |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+nodes
+| tests.c:28:22:28:25 | argv | semmle.label | argv |
+| tests.c:28:22:28:25 | argv | semmle.label | argv |
+| tests.c:28:22:28:28 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:28:22:28:28 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
+| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
+| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
+| tests.c:29:28:29:31 | argv | semmle.label | argv |
+| tests.c:29:28:29:31 | argv | semmle.label | argv |
+| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
+| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
+| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
+| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
+| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
+| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
+| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
+| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
+| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
+| tests.c:34:10:34:13 | argv | semmle.label | argv |
+| tests.c:34:10:34:13 | argv | semmle.label | argv |
+| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
+| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
+| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
+#select
+| tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
+| tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
+| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
+| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
+| tests.c:34:25:34:33 | buffer100 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected

@@ -1,28 +1,314 @@
-| argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:95:9:95:12 | argv | argv |
-| argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:96:15:96:18 | argv | argv |
-| argvLocal.c:101:9:101:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
-| argvLocal.c:102:15:102:16 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
-| argvLocal.c:106:9:106:13 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
-| argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
-| argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
-| argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
-| argvLocal.c:116:9:116:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:117:15:117:16 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:121:9:121:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:122:15:122:16 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:127:9:127:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
-| argvLocal.c:128:15:128:16 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
-| argvLocal.c:131:9:131:14 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
-| argvLocal.c:132:15:132:20 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
-| argvLocal.c:135:9:135:12 | ... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:136:15:136:18 | -- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
-| argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
-| argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
-| argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
-| argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
-| argvLocal.c:157:9:157:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
-| argvLocal.c:158:15:158:16 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
-| argvLocal.c:164:9:164:11 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
-| argvLocal.c:165:15:165:17 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
-| argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
-| argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
+edges
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
+| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
+| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
+| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
+| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:117:15:117:16 | array to pointer conversion | argvLocal.c:117:15:117:16 | printWrapper output argument |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:128:15:128:16 | array to pointer conversion | argvLocal.c:128:15:128:16 | printWrapper output argument |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+nodes
+| argvLocal.c:9:25:9:31 | correct | semmle.label | correct |
+| argvLocal.c:10:9:10:15 | Chi | semmle.label | Chi |
+| argvLocal.c:95:9:95:12 | argv | semmle.label | argv |
+| argvLocal.c:95:9:95:12 | argv | semmle.label | argv |
+| argvLocal.c:95:9:95:15 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:95:9:95:15 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
+| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
+| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
+| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
+| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
+| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
+| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
+| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
+| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
+| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
+| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
+| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
+| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
+| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
+| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
+| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
+| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
+| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
+| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
+| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
+| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
+| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
+| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
+| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
+| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
+| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
+| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
+| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
+| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
+| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
+| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
+| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
+| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
+| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
+| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
+| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument |
+| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
+| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
+| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
+| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument |
+| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
+| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
+| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 |
+| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
+| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
+| argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
+| argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument |
+| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
+| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
+| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
+| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
+| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
+| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
+| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
+| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
+| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
+| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
+| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
+| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
+| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
+| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
+| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
+| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
+| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
+| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
+| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
+| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
+| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
+| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
+| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
+| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
+| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 |
+| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
+| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
+| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
+| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
+| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
+| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 |
+| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
+| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
+| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
+| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
+| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
+| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
+| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
+| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
+| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
+| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
+| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
+| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
+| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
+| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
+| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
+#select
+| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:95:9:95:12 | argv | argv |
+| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:96:15:96:18 | argv | argv |
+| argvLocal.c:101:9:101:10 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
+| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
+| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
+| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
+| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
+| argvLocal.c:111:15:111:17 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
+| argvLocal.c:116:9:116:10 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:117:15:117:16 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:121:9:121:10 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:127:9:127:10 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
+| argvLocal.c:128:15:128:16 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
+| argvLocal.c:131:9:131:14 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
+| argvLocal.c:132:15:132:20 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
+| argvLocal.c:135:9:135:12 | ... ++ | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:136:15:136:18 | -- ... | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:144:9:144:10 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
+| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
+| argvLocal.c:150:9:150:10 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
+| argvLocal.c:151:15:151:16 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
+| argvLocal.c:157:9:157:10 | i9 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
+| argvLocal.c:158:15:158:16 | i9 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
+| argvLocal.c:164:9:164:11 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
+| argvLocal.c:165:15:165:17 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
+| argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
+| argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected

@@ -1,8 +1,83 @@
-| funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
-| funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
-| funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:13:31:17 | call to fgets | fgets |
-| funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:19:31:21 | i41 | fgets |
-| funcsLocal.c:37:9:37:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | i5 | gets |
-| funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:13:41:16 | call to gets | gets |
-| funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:18:41:20 | i61 | gets |
-| funcsLocal.c:58:9:58:10 | e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
+edges
+| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | (const char *)... |
+| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 |
+| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | (const char *)... |
+| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 |
+| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | (const char *)... |
+| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 |
+| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | (const char *)... |
+| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 |
+| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | (const char *)... |
+| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 |
+| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | (const char *)... |
+| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | (const char *)... |
+| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | (const char *)... |
+| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | (const char *)... |
+| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
+| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | (const char *)... |
+| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | (const char *)... |
+| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | (const char *)... |
+| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 |
+nodes
+| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
+| funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 |
+| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 |
+| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument |
+| funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 |
+| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 |
+| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
+| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
+| funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument |
+| funcsLocal.c:31:19:31:21 | i41 | semmle.label | i41 |
+| funcsLocal.c:32:9:32:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:32:9:32:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
+| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
+| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
+| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument |
+| funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
+| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 |
+| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
+| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
+| funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument |
+| funcsLocal.c:41:18:41:20 | i61 | semmle.label | i61 |
+| funcsLocal.c:42:9:42:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:42:9:42:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
+| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
+| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
+| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
+| funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
+#select
+| funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
+| funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
+| funcsLocal.c:32:9:32:10 | i4 | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:13:31:17 | call to fgets | fgets |
+| funcsLocal.c:32:9:32:10 | i4 | funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:19:31:21 | i41 | fgets |
+| funcsLocal.c:37:9:37:10 | i5 | funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | i5 | gets |
+| funcsLocal.c:42:9:42:10 | i6 | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:13:41:16 | call to gets | gets |
+| funcsLocal.c:42:9:42:10 | i6 | funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:18:41:20 | i61 | gets |
+| funcsLocal.c:58:9:58:10 | e1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected

@@ -0,0 +1,3 @@
+edges
+nodes
+#select

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected

@@ -1,5 +1,65 @@
-| globalVars.c:27:9:27:12 | copy | This value may flow through $@, originating from $@, and is a formatting argument to printf(format). | globalVars.c:8:7:8:10 | copy | copy | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:30:15:30:18 | copy | This value may flow through $@, originating from $@, and is a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:8:7:8:10 | copy | copy | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:38:9:38:13 | copy2 | This value may flow through $@, originating from $@, and is a formatting argument to printf(format). | globalVars.c:9:7:9:11 | copy2 | copy2 | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:41:15:41:19 | copy2 | This value may flow through $@, originating from $@, and is a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:9:7:9:11 | copy2 | copy2 | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:50:9:50:13 | copy2 | This value may flow through $@, originating from $@, and is a formatting argument to printf(format). | globalVars.c:9:7:9:11 | copy2 | copy2 | globalVars.c:24:11:24:14 | argv | argv |
+edges
+| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
+| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
+| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
+| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
+| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
+| globalVars.c:8:7:8:10 | copy | globalVars.c:35:11:35:14 | copy |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
+| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
+| globalVars.c:11:22:11:25 | argv | globalVars.c:12:2:12:15 | Store |
+| globalVars.c:12:2:12:15 | Store | globalVars.c:8:7:8:10 | copy |
+| globalVars.c:15:21:15:23 | val | globalVars.c:16:2:16:12 | Store |
+| globalVars.c:16:2:16:12 | Store | globalVars.c:9:7:9:11 | copy2 |
+| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
+| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
+| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | (const char *)... |
+| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy |
+| globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val |
+| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | (const char *)... |
+| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 |
+| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | (const char *)... |
+| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
+nodes
+| globalVars.c:8:7:8:10 | copy | semmle.label | copy |
+| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 |
+| globalVars.c:11:22:11:25 | argv | semmle.label | argv |
+| globalVars.c:12:2:12:15 | Store | semmle.label | Store |
+| globalVars.c:15:21:15:23 | val | semmle.label | val |
+| globalVars.c:16:2:16:12 | Store | semmle.label | Store |
+| globalVars.c:24:11:24:14 | argv | semmle.label | argv |
+| globalVars.c:24:11:24:14 | argv | semmle.label | argv |
+| globalVars.c:27:9:27:12 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:27:9:27:12 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
+| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
+| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
+| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
+| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
+| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
+| globalVars.c:35:11:35:14 | copy | semmle.label | copy |
+| globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
+| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
+| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
+| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
+| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
+| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
+| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
+| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
+| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
+| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
+#select
+| globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv |
+| globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format) | globalVars.c:24:11:24:14 | argv | argv |
+| globalVars.c:38:9:38:13 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:38:9:38:13 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv |
+| globalVars.c:41:15:41:19 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:41:15:41:19 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format) | globalVars.c:24:11:24:14 | argv | argv |
+| globalVars.c:50:9:50:13 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:50:9:50:13 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected

@@ -1,11 +1,157 @@
-| ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv |
-| ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv |
-| ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:74:8:74:11 | argv | argv |
-| ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:80:8:80:11 | argv | argv |
-| ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:86:8:86:11 | argv | argv |
-| ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:92:8:92:11 | argv | argv |
-| ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:98:8:98:11 | argv | argv |
-| ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:105:8:105:11 | argv | argv |
-| ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:111:8:111:11 | argv | argv |
-| ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:117:8:117:11 | argv | argv |
-| ifs.c:124:9:124:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:123:8:123:11 | argv | argv |
+edges
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | (const char *)... |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | (const char *)... |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
+nodes
+| ifs.c:61:8:61:11 | argv | semmle.label | argv |
+| ifs.c:61:8:61:11 | argv | semmle.label | argv |
+| ifs.c:62:9:62:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:62:9:62:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
+| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
+| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
+| ifs.c:68:8:68:11 | argv | semmle.label | argv |
+| ifs.c:68:8:68:11 | argv | semmle.label | argv |
+| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
+| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
+| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
+| ifs.c:74:8:74:11 | argv | semmle.label | argv |
+| ifs.c:74:8:74:11 | argv | semmle.label | argv |
+| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
+| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
+| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
+| ifs.c:80:8:80:11 | argv | semmle.label | argv |
+| ifs.c:80:8:80:11 | argv | semmle.label | argv |
+| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
+| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
+| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
+| ifs.c:86:8:86:11 | argv | semmle.label | argv |
+| ifs.c:86:8:86:11 | argv | semmle.label | argv |
+| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
+| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
+| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
+| ifs.c:92:8:92:11 | argv | semmle.label | argv |
+| ifs.c:92:8:92:11 | argv | semmle.label | argv |
+| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
+| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
+| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
+| ifs.c:98:8:98:11 | argv | semmle.label | argv |
+| ifs.c:98:8:98:11 | argv | semmle.label | argv |
+| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
+| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
+| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
+| ifs.c:105:8:105:11 | argv | semmle.label | argv |
+| ifs.c:105:8:105:11 | argv | semmle.label | argv |
+| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
+| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
+| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
+| ifs.c:111:8:111:11 | argv | semmle.label | argv |
+| ifs.c:111:8:111:11 | argv | semmle.label | argv |
+| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
+| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
+| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
+| ifs.c:117:8:117:11 | argv | semmle.label | argv |
+| ifs.c:117:8:117:11 | argv | semmle.label | argv |
+| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
+| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
+| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
+| ifs.c:123:8:123:11 | argv | semmle.label | argv |
+| ifs.c:123:8:123:11 | argv | semmle.label | argv |
+| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
+| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
+| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
+| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
+#select
+| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv |
+| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv |
+| ifs.c:75:9:75:10 | i1 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:74:8:74:11 | argv | argv |
+| ifs.c:81:9:81:10 | i2 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:80:8:80:11 | argv | argv |
+| ifs.c:87:9:87:10 | i3 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:86:8:86:11 | argv | argv |
+| ifs.c:93:9:93:10 | i4 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:92:8:92:11 | argv | argv |
+| ifs.c:99:9:99:10 | i5 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:98:8:98:11 | argv | argv |
+| ifs.c:106:9:106:10 | i6 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:105:8:105:11 | argv | argv |
+| ifs.c:112:9:112:10 | i7 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:111:8:111:11 | argv | argv |
+| ifs.c:118:9:118:10 | i8 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:117:8:117:11 | argv | argv |
+| ifs.c:124:9:124:10 | i9 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:123:8:123:11 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected

@@ -1,9 +1,151 @@
-| test.cpp:42:31:42:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:43:31:43:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:45:31:45:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:48:25:48:30 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:49:17:49:30 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:52:21:52:27 | call to realloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:127:17:127:22 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:123:25:123:30 | call to getenv | user input (getenv) |
+edges
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | (unsigned long)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | (unsigned long)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | (size_t)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | (size_t)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | (unsigned long)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | (unsigned long)... |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted |
+| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | (unsigned long)... |
+| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | size |
+| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | size |
+| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
+| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
+| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:27 | (unsigned long)... |
+| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:27 | size |
+| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:27 | size |
+| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
+| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
+| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | (unsigned long)... |
+| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | size |
+| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | size |
+| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
+| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
+| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:13 | (unsigned long)... |
+| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:13 | size |
+| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:13 | size |
+| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
+| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
+| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | (unsigned long)... |
+| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | size |
+| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | size |
+| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
+| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
+| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:14 | (unsigned long)... |
+| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:14 | size |
+| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:14 | size |
+| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
+| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
+nodes
+| test.cpp:39:21:39:24 | argv | semmle.label | argv |
+| test.cpp:39:21:39:24 | argv | semmle.label | argv |
+| test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
+| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
+| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
+| test.cpp:43:38:43:44 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:43:38:43:44 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
+| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
+| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
+| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
+| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
+| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
+| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
+| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
+| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
+| test.cpp:48:32:48:35 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:48:32:48:35 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:48:32:48:35 | size | semmle.label | size |
+| test.cpp:48:32:48:35 | size | semmle.label | size |
+| test.cpp:48:32:48:35 | size | semmle.label | size |
+| test.cpp:49:26:49:29 | size | semmle.label | size |
+| test.cpp:49:26:49:29 | size | semmle.label | size |
+| test.cpp:49:26:49:29 | size | semmle.label | size |
+| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
+| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
+| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
+| test.cpp:52:54:52:60 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:52:54:52:60 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
+| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
+| test.cpp:52:54:52:60 | tainted | semmle.label | tainted |
+| test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:127:24:127:27 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:127:24:127:27 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:127:24:127:27 | size | semmle.label | size |
+| test.cpp:127:24:127:27 | size | semmle.label | size |
+| test.cpp:127:24:127:27 | size | semmle.label | size |
+| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
+| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
+| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
+| test.cpp:132:19:132:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:132:19:132:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:134:10:134:13 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:134:10:134:13 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:134:10:134:13 | size | semmle.label | size |
+| test.cpp:134:10:134:13 | size | semmle.label | size |
+| test.cpp:134:10:134:13 | size | semmle.label | size |
+| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:138:19:138:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:138:19:138:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:142:11:142:14 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:142:11:142:14 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:142:11:142:14 | size | semmle.label | size |
+| test.cpp:142:11:142:14 | size | semmle.label | size |
+| test.cpp:142:11:142:14 | size | semmle.label | size |
+| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
+#select
+| test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:43:38:43:63 | ... * ... | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:45:31:45:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:52:35:52:60 | ... * ... | test.cpp:39:21:39:24 | argv | test.cpp:52:54:52:60 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
+| test.cpp:127:24:127:41 | ... * ... | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:27 | size | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
+| test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
+| test.cpp:134:10:134:27 | ... * ... | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | size | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
+| test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
+| test.cpp:142:11:142:28 | ... * ... | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | size | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp

@@ -39,10 +39,10 @@ int main(int argc, char **argv) {
 	int tainted = atoi(argv[1]);
 
 	MyStruct *arr1 = (MyStruct *)malloc(sizeof(MyStruct)); // GOOD
-	MyStruct *arr2 = (MyStruct *)malloc(tainted); // BAD
+	MyStruct *arr2 = (MyStruct *)malloc(tainted); // DUBIOUS (not multiplied by anything)
 	MyStruct *arr3 = (MyStruct *)malloc(tainted * sizeof(MyStruct)); // BAD
 	MyStruct *arr4 = (MyStruct *)malloc(getTainted() * sizeof(MyStruct)); // BAD [NOT DETECTED]
-	MyStruct *arr5 = (MyStruct *)malloc(sizeof(MyStruct) + tainted); // BAD [NOT DETECTED]
+	MyStruct *arr5 = (MyStruct *)malloc(sizeof(MyStruct) + tainted); // DUBIOUS (not multiplied by anything)
 
 	int size = tainted * 8;
 	char *chars1 = (char *)malloc(size); // BAD
@@ -52,7 +52,7 @@ int main(int argc, char **argv) {
 	arr1 = (MyStruct *)realloc(arr1, sizeof(MyStruct) * tainted); // BAD
 
 	size = 8;
-	chars3 = new char[size]; // GOOD [FALSE POSITIVE]
+	chars3 = new char[size]; // GOOD
 
 	return 0;
 }
@@ -120,9 +120,73 @@ int bounded(int x, int limit) {
 }
 
 void open_file_bounded () {
-	int size = size = atoi(getenv("USER"));
+	int size = atoi(getenv("USER"));
 	int bounded_size = bounded(size, MAX_SIZE);
 	
-	int* a = (int*)malloc(bounded_size); // GOOD
-	int* b = (int*)malloc(size); // BAD
-}
+	int* a = (int*)malloc(bounded_size * sizeof(int)); // GOOD
+	int* b = (int*)malloc(size * sizeof(int)); // BAD
+}
+
+void more_bounded_tests() {
+	{
+		int size = atoi(getenv("USER"));
+
+		malloc(size * sizeof(int)); // BAD
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size > 0)
+		{
+			malloc(size * sizeof(int)); // BAD
+		}
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size < 100)
+		{
+			malloc(size * sizeof(int)); // BAD [NOT DETECTED]
+		}
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		if ((size > 0) && (size < 100))
+		{
+			malloc(size * sizeof(int)); // GOOD
+		}
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		if ((100 > size) && (0 < size))
+		{
+			malloc(size * sizeof(int)); // GOOD
+		}
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		malloc(size * sizeof(int)); // BAD [NOT DETECTED]
+
+		if ((size > 0) && (size < 100))
+		{
+			// ...
+		}
+	}
+
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size > 100)
+		{
+			malloc(size * sizeof(int)); // BAD [NOT DETECTED]
+		}
+	}
+}

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected

@@ -1,11 +1,138 @@
-| test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
-| test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
-| test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
-| test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
-| test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
-| test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
-| test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
-| test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
-| test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
-| test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
-| test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |
+edges
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
+| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
+| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
+| test.cpp:13:2:13:15 | Chi | test.cpp:30:13:30:14 | get_rand2 output argument |
+| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi |
+| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi |
+| test.cpp:18:2:18:14 | Chi | test.cpp:36:13:36:13 | get_rand3 output argument |
+| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi |
+| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi |
+| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
+| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
+| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r |
+| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r |
+| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r |
+| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r |
+nodes
+| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
+| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
+| test.c:21:17:21:17 | r | semmle.label | r |
+| test.c:21:17:21:17 | r | semmle.label | r |
+| test.c:21:17:21:17 | r | semmle.label | r |
+| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
+| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
+| test.c:35:5:35:5 | r | semmle.label | r |
+| test.c:35:5:35:5 | r | semmle.label | r |
+| test.c:35:5:35:5 | r | semmle.label | r |
+| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
+| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
+| test.c:40:5:40:5 | r | semmle.label | r |
+| test.c:40:5:40:5 | r | semmle.label | r |
+| test.c:40:5:40:5 | r | semmle.label | r |
+| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
+| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
+| test.c:45:5:45:5 | r | semmle.label | r |
+| test.c:45:5:45:5 | r | semmle.label | r |
+| test.c:45:5:45:5 | r | semmle.label | r |
+| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
+| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
+| test.c:56:5:56:5 | r | semmle.label | r |
+| test.c:56:5:56:5 | r | semmle.label | r |
+| test.c:56:5:56:5 | r | semmle.label | r |
+| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
+| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
+| test.c:61:5:61:5 | r | semmle.label | r |
+| test.c:61:5:61:5 | r | semmle.label | r |
+| test.c:61:5:61:5 | r | semmle.label | r |
+| test.c:62:5:62:5 | r | semmle.label | r |
+| test.c:62:5:62:5 | r | semmle.label | r |
+| test.c:62:5:62:5 | r | semmle.label | r |
+| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
+| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
+| test.c:67:5:67:5 | r | semmle.label | r |
+| test.c:67:5:67:5 | r | semmle.label | r |
+| test.c:67:5:67:5 | r | semmle.label | r |
+| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
+| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
+| test.c:77:9:77:9 | r | semmle.label | r |
+| test.c:77:9:77:9 | r | semmle.label | r |
+| test.c:77:9:77:9 | r | semmle.label | r |
+| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
+| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
+| test.c:100:5:100:5 | r | semmle.label | r |
+| test.c:100:5:100:5 | r | semmle.label | r |
+| test.c:100:5:100:5 | r | semmle.label | r |
+| test.cpp:8:9:8:12 | Store | semmle.label | Store |
+| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
+| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
+| test.cpp:13:2:13:15 | Chi | semmle.label | Chi |
+| test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
+| test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
+| test.cpp:18:2:18:14 | Chi | semmle.label | Chi |
+| test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
+| test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
+| test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |
+| test.cpp:25:7:25:7 | r | semmle.label | r |
+| test.cpp:25:7:25:7 | r | semmle.label | r |
+| test.cpp:25:7:25:7 | r | semmle.label | r |
+| test.cpp:30:13:30:14 | get_rand2 output argument | semmle.label | get_rand2 output argument |
+| test.cpp:31:7:31:7 | r | semmle.label | r |
+| test.cpp:31:7:31:7 | r | semmle.label | r |
+| test.cpp:31:7:31:7 | r | semmle.label | r |
+| test.cpp:36:13:36:13 | get_rand3 output argument | semmle.label | get_rand3 output argument |
+| test.cpp:37:7:37:7 | r | semmle.label | r |
+| test.cpp:37:7:37:7 | r | semmle.label | r |
+| test.cpp:37:7:37:7 | r | semmle.label | r |
+#select
+| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
+| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
+| test.c:40:5:40:5 | r | test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
+| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
+| test.c:56:5:56:5 | r | test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
+| test.c:67:5:67:5 | r | test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
+| test.c:77:9:77:9 | r | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
+| test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
+| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
+| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
+| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |

cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected

@@ -1,3 +1,33 @@
-| test.cpp:20:7:20:12 | call to strcmp | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
-| test.cpp:31:7:31:12 | call to strcmp | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
-| test.cpp:42:7:42:12 | call to strcmp | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:30 | call to getenv | call to getenv |
+edges
+| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
+| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
+| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
+| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
+| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
+| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
+| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
+| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
+| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
+| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
+| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
+| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
+nodes
+| test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv |
+| test.cpp:16:25:16:42 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:20:14:20:20 | address | semmle.label | address |
+| test.cpp:20:14:20:20 | address | semmle.label | address |
+| test.cpp:20:14:20:20 | address | semmle.label | address |
+| test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv |
+| test.cpp:27:25:27:42 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:31:14:31:20 | address | semmle.label | address |
+| test.cpp:31:14:31:20 | address | semmle.label | address |
+| test.cpp:31:14:31:20 | address | semmle.label | address |
+| test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv |
+| test.cpp:38:25:38:42 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:42:14:42:20 | address | semmle.label | address |
+| test.cpp:42:14:42:20 | address | semmle.label | address |
+| test.cpp:42:14:42:20 | address | semmle.label | address |
+#select
+| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
+| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
+| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:30 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected

@@ -1 +1,13 @@
-| test.cpp:58:3:58:9 | call to sprintf | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
+edges
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+nodes
+| test.cpp:54:17:54:20 | argv | semmle.label | argv |
+| test.cpp:54:17:54:20 | argv | semmle.label | argv |
+| test.cpp:58:25:58:29 | input | semmle.label | input |
+| test.cpp:58:25:58:29 | input | semmle.label | input |
+| test.cpp:58:25:58:29 | input | semmle.label | input |
+#select
+| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected

@@ -1,2 +1,37 @@
-| test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
-| test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |
+edges
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:35 | (bool)... |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:38 | (bool)... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:10:24:35 | ! ... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:35 | (bool)... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:10:41:38 | ! ... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:38 | (bool)... |
+| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:10:24:35 | ! ... |
+| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:11:24:35 | (bool)... |
+| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:10:41:38 | ! ... |
+| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:11:41:38 | (bool)... |
+nodes
+| test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv |
+| test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
+| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
+| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
+| test.cpp:41:10:41:38 | ! ... | semmle.label | ! ... |
+| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
+| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
+#select
+| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
+| test.cpp:41:10:41:38 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |