hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into SimpleRangeAnalysis-extensible-base

Browse Source
This commit is contained in:
Jonas Jensen
2020-08-14 12:26:59 +02:00
parent 0638b512bc 82f9826966
commit cdddf5fd40
1165 changed files with 52967 additions and 35464 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cpp/ql/examples/qlpack.yml Normal file
View File

@@ -0,0 +1,3 @@
name: codeql-cpp-examples
version: 0.0.0
libraryPathDependencies: codeql-cpp

7
cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql
View File

@@ -50,7 +50,12 @@ predicate illDefinedDecrForStmt(
DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(lesserOperand)) and
// `initialCondition` < `terminalCondition`
(
upperBound(initialCondition) < lowerBound(terminalCondition)
upperBound(initialCondition) < lowerBound(terminalCondition) and
(
// exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
v.getUnspecifiedType().(IntegralType).isSigned() or
initialCondition.getValue().toInt() = 0
)
or
(forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue())
)

62
cpp/ql/src/Microsoft/SAL.qll
View File

@@ -1,5 +1,13 @@
/**
* Provides classes for identifying and reasoning about Microsoft source code
* annotation language (SAL) macros.
*/
import cpp
/**
* A SAL macro defined in `sal.h` or a similar header file.
*/
class SALMacro extends Macro {
SALMacro() {
exists(string filename | filename = this.getFile().getBaseName() |
@@ -20,27 +28,34 @@ class SALMacro extends Macro {
}
pragma[noinline]
predicate isTopLevelMacroAccess(MacroAccess ma) { not exists(ma.getParentInvocation()) }
private predicate isTopLevelMacroAccess(MacroAccess ma) { not exists(ma.getParentInvocation()) }
/**
* An invocation of a SAL macro (excluding invocations inside other macros).
*/
class SALAnnotation extends MacroInvocation {
SALAnnotation() {
this.getMacro() instanceof SALMacro and
isTopLevelMacroAccess(this)
}
/** Returns the `Declaration` annotated by `this`. */
/** Gets the `Declaration` annotated by `this`. */
Declaration getDeclaration() {
annotatesAt(this, result.getADeclarationEntry(), _, _) and
not result instanceof Type // exclude typedefs
}
/** Returns the `DeclarationEntry` annotated by `this`. */
/** Gets the `DeclarationEntry` annotated by `this`. */
DeclarationEntry getDeclarationEntry() {
annotatesAt(this, result, _, _) and
not result instanceof TypeDeclarationEntry // exclude typedefs
}
}
/**
* A SAL macro indicating that the return value of a function should always be
* checked.
*/
class SALCheckReturn extends SALAnnotation {
SALCheckReturn() {
exists(SALMacro m | m = this.getMacro() |
@@ -50,6 +65,10 @@ class SALCheckReturn extends SALAnnotation {
}
}
/**
* A SAL macro indicating that a pointer variable or return value should not be
* `NULL`.
*/
class SALNotNull extends SALAnnotation {
SALNotNull() {
exists(SALMacro m | m = this.getMacro() |
@@ -69,6 +88,9 @@ class SALNotNull extends SALAnnotation {
}
}
/**
* A SAL macro indicating that a value may be `NULL`.
*/
class SALMaybeNull extends SALAnnotation {
SALMaybeNull() {
exists(SALMacro m | m = this.getMacro() |
@@ -79,13 +101,29 @@ class SALMaybeNull extends SALAnnotation {
}
}
/**
* A parameter annotated by one or more SAL annotations.
*/
class SALParameter extends Parameter {
/** One of this parameter's annotations. */
SALAnnotation a;
SALParameter() { annotatesAt(a, this.getADeclarationEntry(), _, _) }
predicate isIn() { a.getMacroName().toLowerCase().matches("%\\_in%") }
predicate isOut() { a.getMacroName().toLowerCase().matches("%\\_out%") }
predicate isInOut() { a.getMacroName().toLowerCase().matches("%\\_inout%") }
}
///////////////////////////////////////////////////////////////////////////////
// Implementation details
/**
* Holds if `a` annotates the declaration entry `d` and
* its start position is the `idx`th position in `file` that holds a SAL element.
*/
predicate annotatesAt(SALAnnotation a, DeclarationEntry d, File file, int idx) {
private predicate annotatesAt(SALAnnotation a, DeclarationEntry d, File file, int idx) {
annotatesAtPosition(a.(SALElement).getStartPosition(), d, file, idx)
}
@@ -109,22 +147,6 @@ private predicate annotatesAtPosition(SALPosition pos, DeclarationEntry d, File
)
}
/**
* A parameter annotated by one or more SAL annotations.
*/
class SALParameter extends Parameter {
/** One of this parameter's annotations. */
SALAnnotation a;
SALParameter() { annotatesAt(a, this.getADeclarationEntry(), _, _) }
predicate isIn() { a.getMacroName().toLowerCase().matches("%\\_in%") }
predicate isOut() { a.getMacroName().toLowerCase().matches("%\\_out%") }
predicate isInOut() { a.getMacroName().toLowerCase().matches("%\\_inout%") }
}
/**
* A SAL element, that is, a SAL annotation or a declaration entry
* that may have SAL annotations.

7
cpp/ql/src/codeql-suites/cpp-lgtm-full.qls
View File

@@ -9,3 +9,10 @@
tags contain:
- ide-contextual-queries/local-definitions
- ide-contextual-queries/local-references
- query: Metrics/Dependencies/ExternalDependencies.ql
- query: Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
- query: Metrics/Files/FLinesOfCode.ql
- query: Metrics/Files/FLinesOfCommentedOutCode.ql
- query: Metrics/Files/FLinesOfComments.ql
- query: Metrics/Files/FLinesOfDuplicatedCode.ql
- query: Metrics/Files/FNumberOfTests.ql

25
cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.cpp Normal file
View File

@@ -0,0 +1,25 @@
///// Library routines /////
int scanf(const char *format, ...);
int sscanf(const char *str, const char *format, ...);
int fscanf(const char *str, const char *format, ...);
///// EXAMPLES /////
int main(int argc, char **argv)
{
// BAD, do not use scanf without specifying a length first
char buf1[10];
scanf("%s", buf1);
// GOOD, length is specified. The length should be one less than the size of the buffer, since the last character is the NULL terminator.
char buf2[10];
sscanf(buf2, "%9s");
// BAD, do not use scanf without specifying a length first
char file[10];
fscanf(file, "%s", buf2);
return 0;
}

25
cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.qhelp Normal file
View File

@@ -0,0 +1,25 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>It is bad practice to use any of the <code>scanf</code> functions without including a specified length within the format parameter, as it will be vulnerable to buffer overflows.</p>
</overview>
<recommendation>
<p>Specify a length within the format string parameter, and make this length one less than the size of the buffer, since the last character should be reserved for the NULL terminator.</p>
</recommendation>
<example>
<p>The following example demonstrates safe and unsafe uses of <code>scanf</code> type functions.</p>
<sample src="MemoryUnsafeFunctionScan.cpp" />
</example>
<references>
</references>
</qhelp>

19
cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql Normal file
View File

@@ -0,0 +1,19 @@
/**
* @name Scanf function without a specified length
* @description Use of one of the scanf functions without a specified length.
* @kind problem
* @problem.severity warning
* @id cpp/memory-unsafe-function-scan
* @tags reliability
* security
* external/cwe/cwe-120
*/
import cpp
import semmle.code.cpp.commons.Scanf
from FunctionCall call, ScanfFunction sff
where
call.getTarget() = sff and
call.getArgument(sff.getFormatParameterIndex()).getValue().regexpMatch(".*%l?s.*")
select call, "Dangerous use of one of the scanf functions"

32
cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.qhelp Normal file
View File

@@ -0,0 +1,32 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Private data that is stored in a file or buffer unencrypted is accessible to an attacker who gains access to the
storage.</p>
</overview>
<recommendation>
<p>Ensure that private data is always encrypted before being stored.
It may be wise to encrypt information before it is put into a buffer that may be readable in memory.</p>
<p>In general, decrypt private data only at the point where it is necessary for it to be used in
cleartext.</p>
</recommendation>
<references>
<li><a href="https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Sensitive_Data_Exposure</a></li>
<li>M. Dowd, J. McDonald and J. Schuhm, <i>The Art of Software Security Assessment</i>, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.</li>
<li>M. Howard and D. LeBlanc, <i>Writing Secure Code</i>, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.</li>
<!-- LocalWords: CWE
-->
</references>
</qhelp>

21
cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql Normal file
View File

@@ -0,0 +1,21 @@
/**
* @name Exposure of private information
* @description If private information is written to an external location, it may be accessible by
* unauthorized persons.
* @kind path-problem
* @problem.severity error
* @id cpp/private-cleartext-write
* @tags security
* external/cwe/cwe-359
*/
import cpp
import experimental.semmle.code.cpp.security.PrivateCleartextWrite
import experimental.semmle.code.cpp.security.PrivateCleartextWrite::PrivateCleartextWrite
import DataFlow::PathGraph
from WriteConfig b, DataFlow::PathNode source, DataFlow::PathNode sink
where b.hasFlowPath(source, sink)
select sink.getNode(),
"This write into the external location '" + sink + "' may contain unencrypted data from $@",
source, "this source."

4
cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/Bound.qll
View File

@@ -8,8 +8,8 @@ private newtype TBound =
exists(Instruction i |
vn.getAnInstruction() = i and
(
i.getResultType() instanceof IntegralType or
i.getResultType() instanceof PointerType
i.getResultIRType() instanceof IRIntegerType or
i.getResultIRType() instanceof IRAddressType
) and
not vn.getAnInstruction() instanceof ConstantInstruction
|

16
cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
View File

@@ -244,14 +244,14 @@ class CondReason extends Reason, TCondReason {
/**
* Holds if `typ` is a small integral type with the given lower and upper bounds.
*/
private predicate typeBound(IntegralType typ, int lowerbound, int upperbound) {
typ.isSigned() and typ.getSize() = 1 and lowerbound = -128 and upperbound = 127
private predicate typeBound(IRIntegerType typ, int lowerbound, int upperbound) {
typ.isSigned() and typ.getByteSize() = 1 and lowerbound = -128 and upperbound = 127
or
typ.isUnsigned() and typ.getSize() = 1 and lowerbound = 0 and upperbound = 255
typ.isUnsigned() and typ.getByteSize() = 1 and lowerbound = 0 and upperbound = 255
or
typ.isSigned() and typ.getSize() = 2 and lowerbound = -32768 and upperbound = 32767
typ.isSigned() and typ.getByteSize() = 2 and lowerbound = -32768 and upperbound = 32767
or
typ.isUnsigned() and typ.getSize() = 2 and lowerbound = 0 and upperbound = 65535
typ.isUnsigned() and typ.getByteSize() = 2 and lowerbound = 0 and upperbound = 65535
}
/**
@@ -260,14 +260,14 @@ private predicate typeBound(IntegralType typ, int lowerbound, int upperbound) {
private class NarrowingCastInstruction extends ConvertInstruction {
NarrowingCastInstruction() {
not this instanceof SafeCastInstruction and
typeBound(getResultType(), _, _)
typeBound(getResultIRType(), _, _)
}
/** Gets the lower bound of the resulting type. */
int getLowerBound() { typeBound(getResultType(), result, _) }
int getLowerBound() { typeBound(getResultIRType(), result, _) }
/** Gets the upper bound of the resulting type. */
int getUpperBound() { typeBound(getResultType(), _, result) }
int getUpperBound() { typeBound(getResultIRType(), _, result) }
}
/**

12
cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/RangeUtils.qll
View File

@@ -86,15 +86,15 @@ predicate backEdge(PhiInstruction phi, PhiInputOperand op) {
* range analysis.
*/
pragma[inline]
private predicate safeCast(IntegralType fromtyp, IntegralType totyp) {
fromtyp.getSize() < totyp.getSize() and
private predicate safeCast(IRIntegerType fromtyp, IRIntegerType totyp) {
fromtyp.getByteSize() < totyp.getByteSize() and
(
fromtyp.isUnsigned()
or
totyp.isSigned()
)
or
fromtyp.getSize() <= totyp.getSize() and
fromtyp.getByteSize() <= totyp.getByteSize() and
(
fromtyp.isSigned() and
totyp.isSigned()
@@ -109,8 +109,8 @@ private predicate safeCast(IntegralType fromtyp, IntegralType totyp) {
*/
class PtrToPtrCastInstruction extends ConvertInstruction {
PtrToPtrCastInstruction() {
getResultType() instanceof PointerType and
getUnary().getResultType() instanceof PointerType
getResultIRType() instanceof IRAddressType and
getUnary().getResultIRType() instanceof IRAddressType
}
}
@@ -119,7 +119,7 @@ class PtrToPtrCastInstruction extends ConvertInstruction {
* that cannot overflow or underflow.
*/
class SafeIntCastInstruction extends ConvertInstruction {
SafeIntCastInstruction() { safeCast(getUnary().getResultType(), getResultType()) }
SafeIntCastInstruction() { safeCast(getUnary().getResultIRType(), getResultIRType()) }
}
/**

14
cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/SignAnalysis.qll
View File

@@ -469,7 +469,7 @@ module SignAnalysisCached {
not exists(certainInstructionSign(i)) and
not (
result = TNeg() and
i.getResultType().(IntegralType).isUnsigned()
i.getResultIRType().(IRIntegerType).isUnsigned()
) and
(
unknownSign(i)
@@ -477,9 +477,13 @@ module SignAnalysisCached {
exists(ConvertInstruction ci, Instruction prior, boolean fromSigned, boolean toSigned |
i = ci and
prior = ci.getUnary() and
(if ci.getResultType().(IntegralType).isSigned() then toSigned = true else toSigned = false) and
(
if prior.getResultType().(IntegralType).isSigned()
if ci.getResultIRType().(IRIntegerType).isSigned()
then toSigned = true
else toSigned = false
) and
(
if prior.getResultIRType().(IRIntegerType).isSigned()
then fromSigned = true
else fromSigned = false
) and
@@ -512,11 +516,11 @@ module SignAnalysisCached {
i instanceof ShiftLeftInstruction and result = s1.lshift(s2)
or
i instanceof ShiftRightInstruction and
i.getResultType().(IntegralType).isSigned() and
i.getResultIRType().(IRIntegerType).isSigned() and
result = s1.rshift(s2)
or
i instanceof ShiftRightInstruction and
not i.getResultType().(IntegralType).isSigned() and
not i.getResultIRType().(IRIntegerType).isSigned() and
result = s1.urshift(s2)
)
or

63
cpp/ql/src/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll Normal file
View File

@@ -0,0 +1,63 @@
/**
* Provides a taint-tracking configuration for reasoning about private information flowing unencrypted to an external location.
*/
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import experimental.semmle.code.cpp.security.PrivateData
import semmle.code.cpp.security.FileWrite
import semmle.code.cpp.security.BufferWrite
import semmle.code.cpp.dataflow.TaintTracking
module PrivateCleartextWrite {
/**
* A data flow source for private information flowing unencrypted to an external location.
*/
abstract class Source extends DataFlow::ExprNode { }
/**
* A data flow sink for private information flowing unencrypted to an external location.
*/
abstract class Sink extends DataFlow::ExprNode { }
/**
* A sanitizer for private information flowing unencrypted to an external location.
*/
abstract class Sanitizer extends DataFlow::ExprNode { }
/** A call to any method whose name suggests that it encodes or encrypts the parameter. */
class ProtectSanitizer extends Sanitizer {
ProtectSanitizer() {
exists(Function m, string s |
this.getExpr().(FunctionCall).getTarget() = m and
m.getName().regexpMatch("(?i).*" + s + ".*")
|
s = "protect" or s = "encode" or s = "encrypt"
)
}
}
class WriteConfig extends TaintTracking::Configuration {
WriteConfig() { this = "Write configuration" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
}
class PrivateDataSource extends Source {
PrivateDataSource() { this.getExpr() instanceof PrivateDataExpr }
}
class WriteSink extends Sink {
WriteSink() {
exists(FileWrite f, BufferWrite b |
this.asExpr() = f.getASource()
or
this.asExpr() = b.getAChild()
)
}
}
}

53
cpp/ql/src/experimental/semmle/code/cpp/security/PrivateData.qll Normal file
View File

@@ -0,0 +1,53 @@
/**
* Provides classes and predicates for identifying private data and functions for security.
*
* 'Private' data in general is anything that would compromise user privacy if exposed. This
* library tries to guess where private data may either be stored in a variable or produced by a
* function.
*
* This library is not concerned with credentials. See `SensitiveActions` for expressions related
* to credentials.
*/
import cpp
/** A string for `match` that identifies strings that look like they represent private data. */
private string privateNames() {
// Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
// Government identifiers, such as Social Security Numbers
result = "%social%security%number%" or
// Contact information, such as home addresses and telephone numbers
result = "%postcode%" or
result = "%zipcode%" or
// result = "%telephone%" or
// Geographic location - where the user is (or was)
result = "%latitude%" or
result = "%longitude%" or
// Financial data - such as credit card numbers, salary, bank accounts, and debts
result = "%creditcard%" or
result = "%salary%" or
result = "%bankaccount%" or
// Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
// result = "%email%" or
// result = "%mobile%" or
result = "%employer%" or
// Health - medical conditions, insurance status, prescription records
result = "%medical%"
}
/** An expression that might contain private data. */
abstract class PrivateDataExpr extends Expr { }
/** A functiond call that might produce private data. */
class PrivateFunctionCall extends PrivateDataExpr, FunctionCall {
PrivateFunctionCall() {
exists(string s | this.getTarget().getName().toLowerCase() = s | s.matches(privateNames()))
}
}
/** An access to a variable that might contain private data. */
class PrivateVariableAccess extends PrivateDataExpr, VariableAccess {
PrivateVariableAccess() {
exists(string s | this.getTarget().getName().toLowerCase() = s | s.matches(privateNames()))
}
}

27
cpp/ql/src/printAst.ql Normal file
View File

@@ -0,0 +1,27 @@
/**
* @name Print AST
* @description Outputs a representation of a file's Abstract Syntax Tree. This
* query is used by the VS Code extension.
* @id cpp/print-ast
* @kind graph
* @tags ide-contextual-queries/print-ast
*/
import cpp
import semmle.code.cpp.PrintAST
import definitions
/**
* The source file to generate an AST from.
*/
external string selectedSourceFile();
class Cfg extends PrintASTConfiguration {
/**
* Holds if the AST for `func` should be printed.
* Print All functions from the selected file.
*/
override predicate shouldPrintFunction(Function func) {
func.getFile() = getEncodedFile(selectedSourceFile())
}
}

9
cpp/ql/src/semmle/code/cpp/Element.qll
View File

@@ -197,7 +197,8 @@ class Element extends ElementBase {
initialisers(underlyingElement(this), unresolveElement(result), _, _) or
exprconv(unresolveElement(result), underlyingElement(this)) or
param_decl_bind(underlyingElement(this), _, unresolveElement(result)) or
using_container(unresolveElement(result), underlyingElement(this))
using_container(unresolveElement(result), underlyingElement(this)) or
static_asserts(unresolveElement(this), _, _, _, underlyingElement(result))
}
/** Gets the closest `Element` enclosing this one. */
@@ -278,12 +279,12 @@ class StaticAssert extends Locatable, @static_assert {
/**
* Gets the expression which this static assertion ensures is true.
*/
Expr getCondition() { static_asserts(underlyingElement(this), unresolveElement(result), _, _) }
Expr getCondition() { static_asserts(underlyingElement(this), unresolveElement(result), _, _, _) }
/**
* Gets the message which will be reported by the compiler if this static assertion fails.
*/
string getMessage() { static_asserts(underlyingElement(this), _, result, _) }
string getMessage() { static_asserts(underlyingElement(this), _, result, _, _) }
override Location getLocation() { static_asserts(underlyingElement(this), _, _, result) }
override Location getLocation() { static_asserts(underlyingElement(this), _, _, result, _) }
}

8
cpp/ql/src/semmle/code/cpp/Location.qll
View File

@@ -15,16 +15,16 @@ class Location extends @location {
/** Gets the file corresponding to this location, if any. */
File getFile() { result = this.getContainer() }
/** Gets the start line of this location. */
/** Gets the 1-based line number (inclusive) where this location starts. */
int getStartLine() { this.fullLocationInfo(_, result, _, _, _) }
/** Gets the start column of this location. */
/** Gets the 1-based column number (inclusive) where this location starts. */
int getStartColumn() { this.fullLocationInfo(_, _, result, _, _) }
/** Gets the end line of this location. */
/** Gets the 1-based line number (inclusive) where this location ends. */
int getEndLine() { this.fullLocationInfo(_, _, _, result, _) }
/** Gets the end column of this location. */
/** Gets the 1-based column number (inclusive) where this location ends. */
int getEndColumn() { this.fullLocationInfo(_, _, _, _, result) }
/**

12
cpp/ql/src/semmle/code/cpp/MemberFunction.qll
View File

@@ -214,6 +214,9 @@ abstract class ImplicitConversionFunction extends MemberFunction {
}
/**
* DEPRECATED: as of C++11 this class does not correspond perfectly with the
* language definition of a converting constructor.
*
* A C++ constructor that also defines an implicit conversion. For example the
* function `MyClass` in the following code is a `ConversionConstructor`:
* ```
@@ -225,15 +228,16 @@ abstract class ImplicitConversionFunction extends MemberFunction {
* };
* ```
*/
class ConversionConstructor extends Constructor, ImplicitConversionFunction {
deprecated class ConversionConstructor extends Constructor, ImplicitConversionFunction {
ConversionConstructor() {
strictcount(Parameter p | p = getAParameter() and not p.hasInitializer()) = 1 and
not hasSpecifier("explicit") and
not this instanceof CopyConstructor
not hasSpecifier("explicit")
}
override string getAPrimaryQlClass() {
not this instanceof MoveConstructor and result = "ConversionConstructor"
not this instanceof CopyConstructor and
not this instanceof MoveConstructor and
result = "ConversionConstructor"
}
/** Gets the type this `ConversionConstructor` takes as input. */

4
cpp/ql/src/semmle/code/cpp/Preprocessor.qll
View File

@@ -33,11 +33,13 @@ class PreprocessorDirective extends Locatable, @preprocdirect {
}
}
private class TPreprocessorBranchDirective = @ppd_branch or @ppd_else or @ppd_endif;
/**
* A C/C++ preprocessor branch related directive: `#if`, `#ifdef`,
* `#ifndef`, `#elif`, `#else` or `#endif`.
*/
abstract class PreprocessorBranchDirective extends PreprocessorDirective {
class PreprocessorBranchDirective extends PreprocessorDirective, TPreprocessorBranchDirective {
/**
* Gets the `#if`, `#ifdef` or `#ifndef` directive which matches this
* branching directive.

2
cpp/ql/src/semmle/code/cpp/Variable.qll
View File

@@ -582,7 +582,7 @@ class TemplateVariable extends Variable {
* float a;
* }
*
* template<type T>
* template<typename T>
* void myTemplateFunction() {
* T b;
* }

34
cpp/ql/src/semmle/code/cpp/commons/Printf.qll
View File

@@ -49,6 +49,18 @@ predicate primitiveVariadicFormatter(TopLevelFunction f, int formatParamIndex) {
)
}
/**
* A standard function such as `vsprintf` that has an output parameter
* and a variable argument list of type `va_arg`.
*/
private predicate primitiveVariadicFormatterOutput(TopLevelFunction f, int outputParamIndex) {
// note: this might look like the regular expression in `primitiveVariadicFormatter`, but
// there is one important difference: the [fs] part is not optional, as these classify
// the `printf` variants that write to a buffer.
// Conveniently, these buffer parameters are all at index 0.
f.getName().regexpMatch("_?_?va?[fs]n?w?printf(_s)?(_p)?(_l)?") and outputParamIndex = 0
}
private predicate callsVariadicFormatter(Function f, int formatParamIndex) {
exists(FunctionCall fc, int i |
variadicFormatter(fc.getTarget(), i) and
@@ -57,6 +69,26 @@ private predicate callsVariadicFormatter(Function f, int formatParamIndex) {
)
}
private predicate callsVariadicFormatterOutput(Function f, int outputParamIndex) {
exists(FunctionCall fc, int i |
fc.getEnclosingFunction() = f and
variadicFormatterOutput(fc.getTarget(), i) and
fc.getArgument(i) = f.getParameter(outputParamIndex).getAnAccess()
)
}
/**
* Holds if `f` is a function such as `vprintf` that takes variable argument list
* of type `va_arg` and writes formatted output to a buffer given as a parameter at
* index `outputParamIndex`, if any.
*/
private predicate variadicFormatterOutput(Function f, int outputParamIndex) {
primitiveVariadicFormatterOutput(f, outputParamIndex)
or
not f.isVarargs() and
callsVariadicFormatterOutput(f, outputParamIndex)
}
/**
* Holds if `f` is a function such as `vprintf` that has a format parameter
* (at `formatParamIndex`) and a variable argument list of type `va_arg`.
@@ -78,6 +110,8 @@ class UserDefinedFormattingFunction extends FormattingFunction {
UserDefinedFormattingFunction() { isVarargs() and callsVariadicFormatter(this, _) }
override int getFormatParameterIndex() { callsVariadicFormatter(this, result) }
override int getOutputParameterIndex() { callsVariadicFormatterOutput(this, result) }
}
/**

9
cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
View File

@@ -65,6 +65,15 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
// tracking. The flow from expression `x` into `x++` etc. is handled in the
// case above.
exprTo = DataFlow::getAnAccessToAssignedVariable(exprFrom.(PostfixCrementOperation))
or
// In `for (char c : s) { ... c ... }`, this rule propagates taint from `s`
// to `c`.
exists(RangeBasedForStmt rbf |
exprFrom = rbf.getRange() and
// It's guaranteed up to at least C++20 that the range-based for loop
// desugars to a variable with an initializer.
exprTo = rbf.getVariable().getInitializer().getExpr()
)
)
or
// Taint can flow through modeled functions

12
cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
View File

@@ -234,20 +234,20 @@ predicate clearsContent(Node n, Content c) {
}
/** Gets the type of `n` used for type pruning. */
Type getNodeType(Node n) {
IRType getNodeType(Node n) {
suppressUnusedNode(n) and
result instanceof VoidType // stub implementation
result instanceof IRVoidType // stub implementation
}
/** Gets a string representation of a type returned by `getNodeType`. */
string ppReprType(Type t) { none() } // stub implementation
string ppReprType(IRType t) { none() } // stub implementation
/**
* Holds if `t1` and `t2` are compatible, that is, whether data can flow from
* a node of type `t1` to a node of type `t2`.
*/
pragma[inline]
predicate compatibleTypes(Type t1, Type t2) {
predicate compatibleTypes(IRType t1, IRType t2) {
any() // stub implementation
}
@@ -271,7 +271,7 @@ class DataFlowCallable = Declaration;
class DataFlowExpr = Expr;
class DataFlowType = Type;
class DataFlowType = IRType;
/** A function call relevant for data flow. */
class DataFlowCall extends CallInstruction {
@@ -303,4 +303,4 @@ predicate isImmutableOrUnobservable(Node n) {
}
/** Holds if `n` should be hidden from path explanations. */
predicate nodeIsHidden(Node n) { none() }
predicate nodeIsHidden(Node n) { n instanceof OperandNode }

71
cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
View File

@@ -13,6 +13,7 @@ private import semmle.code.cpp.models.interfaces.DataFlow
private newtype TIRDataFlowNode =
TInstructionNode(Instruction i) or
TOperandNode(Operand op) or
TVariableNode(Variable var)
/**
@@ -32,11 +33,14 @@ class Node extends TIRDataFlowNode {
Function getFunction() { none() } // overridden in subclasses
/** Gets the type of this node. */
Type getType() { none() } // overridden in subclasses
IRType getType() { none() } // overridden in subclasses
/** Gets the instruction corresponding to this node, if any. */
Instruction asInstruction() { result = this.(InstructionNode).getInstruction() }
/** Gets the operands corresponding to this node, if any. */
Operand asOperand() { result = this.(OperandNode).getOperand() }
/**
* Gets the non-conversion expression corresponding to this node, if any. If
* this node strictly (in the sense of `asConvertedExpr`) corresponds to a
@@ -84,7 +88,7 @@ class Node extends TIRDataFlowNode {
/**
* Gets an upper bound on the type of this node.
*/
Type getTypeBound() { result = getType() }
IRType getTypeBound() { result = getType() }
/** Gets the location of this element. */
Location getLocation() { none() } // overridden by subclasses
@@ -121,7 +125,7 @@ class InstructionNode extends Node, TInstructionNode {
override Function getFunction() { result = instr.getEnclosingFunction() }
override Type getType() { result = instr.getResultType() }
override IRType getType() { result = instr.getResultIRType() }
override Location getLocation() { result = instr.getLocation() }
@@ -132,6 +136,28 @@ class InstructionNode extends Node, TInstructionNode {
}
}
/**
* An operand, viewed as a node in a data flow graph.
*/
class OperandNode extends Node, TOperandNode {
Operand op;
OperandNode() { this = TOperandNode(op) }
/** Gets the operand corresponding to this node. */
Operand getOperand() { result = op }
override Declaration getEnclosingCallable() { result = this.getFunction() }
override Function getFunction() { result = op.getUse().getEnclosingFunction() }
override IRType getType() { result = op.getIRType() }
override Location getLocation() { result = op.getLocation() }
override string toString() { result = this.getOperand().toString() }
}
/**
* An expression, viewed as a node in a data flow graph.
*/
@@ -291,7 +317,7 @@ abstract class PostUpdateNode extends InstructionNode {
* setY(&x); // a partial definition of the object `x`.
* ```
*/
abstract private class PartialDefinitionNode extends PostUpdateNode, TInstructionNode {
abstract private class PartialDefinitionNode extends PostUpdateNode {
abstract Expr getDefinedExpr();
}
@@ -306,11 +332,11 @@ private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
)
}
// There might be multiple `ChiInstructions` that has a particular instruction as
// the total operand - so this definition gives consistency errors in
// DataFlowImplConsistency::Consistency. However, it's not clear what (if any) implications
// this consistency failure has.
override Node getPreUpdateNode() { result.asInstruction() = instr.getTotal() }
// By using an operand as the result of this predicate we avoid the dataflow inconsistency errors
// caused by having multiple nodes sharing the same pre update node. This inconsistency error can cause
// a tuple explosion in the big step dataflow relation since it can make many nodes be the entry node
// into a big step.
override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
override Expr getDefinedExpr() {
result = field.getObjectAddress().getUnconvertedResultExpression()
@@ -423,7 +449,7 @@ class VariableNode extends Node, TVariableNode {
result = v
}
override Type getType() { result = v.getType() }
override IRType getType() { result.getCanonicalLanguageType().hasUnspecifiedType(v.getType(), _) }
override Location getLocation() { result = v.getLocation() }
@@ -482,7 +508,11 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFr
* data flow. It may have less flow than the `localFlowStep` predicate.
*/
predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
// Instruction -> Instruction flow
simpleInstructionLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asInstruction())
or
// Operand -> Instruction flow
simpleOperandLocalFlowStep(nodeFrom.asOperand(), nodeTo.asInstruction())
}
pragma[noinline]
@@ -494,6 +524,16 @@ private predicate getFieldSizeOfClass(Class c, Type type, int size) {
)
}
private predicate simpleOperandLocalFlowStep(Operand opFrom, Instruction iTo) {
// Certain dataflow steps (for instance `PostUpdateNode.getPreUpdateNode()`) generates flow to
// operands, so we include dataflow from those operands to the "result" of the instruction (i.e., to
// the instruction itself).
exists(PostUpdateNode post |
opFrom = post.getPreUpdateNode().asOperand() and
iTo.getAnOperand() = opFrom
)
}
cached
private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction iTo) {
iTo.(CopyInstruction).getSourceValue() = iFrom
@@ -659,13 +699,20 @@ predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)
*/
class BarrierGuard extends IRGuardCondition {
/** Override this predicate to hold if this guard validates `instr` upon evaluating to `b`. */
abstract predicate checks(Instruction instr, boolean b);
predicate checksInstr(Instruction instr, boolean b) { none() }
/** Override this predicate to hold if this guard validates `expr` upon evaluating to `b`. */
predicate checks(Expr e, boolean b) { none() }
/** Gets a node guarded by this guard. */
final Node getAGuardedNode() {
exists(ValueNumber value, boolean edge |
(
this.checksInstr(value.getAnInstruction(), edge)
or
this.checks(value.getAnInstruction().getConvertedResultExpression(), edge)
) and
result.asInstruction() = value.getAnInstruction() and
this.checks(value.getAnInstruction(), edge) and
this.controls(result.asInstruction().getBlock(), edge)
)
}

10
cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll
View File

@@ -152,6 +152,12 @@ class IRIntegerType extends IRNumericType {
this = TIRSignedIntegerType(byteSize) or
this = TIRUnsignedIntegerType(byteSize)
}
/** Holds if this integer type is signed. */
predicate isSigned() { none() }
/** Holds if this integer type is unsigned. */
predicate isUnsigned() { none() }
// Don't override `getByteSize()` here. The optimizer seems to generate better code when this is
// overridden only in the leaf classes.
}
@@ -169,6 +175,8 @@ class IRSignedIntegerType extends IRIntegerType, TIRSignedIntegerType {
pragma[noinline]
final override int getByteSize() { result = byteSize }
override predicate isSigned() { any() }
}
/**
@@ -184,6 +192,8 @@ class IRUnsignedIntegerType extends IRIntegerType, TIRUnsignedIntegerType {
pragma[noinline]
final override int getByteSize() { result = byteSize }
override predicate isUnsigned() { any() }
}
/**

12
cpp/ql/src/semmle/code/cpp/models/implementations/MemberFunction.qll
View File

@@ -7,9 +7,17 @@ import semmle.code.cpp.models.interfaces.DataFlow
import semmle.code.cpp.models.interfaces.Taint
/**
* Model for C++ conversion constructors.
* Model for C++ conversion constructors. As of C++11 this does not correspond
* perfectly with the language definition of a converting constructor, however,
* it does correspond with the constructors we are confident taint should flow
* through.
*/
class ConversionConstructorModel extends ConversionConstructor, TaintFunction {
class ConversionConstructorModel extends Constructor, TaintFunction {
ConversionConstructorModel() {
strictcount(Parameter p | p = getAParameter() and not p.hasInitializer()) = 1 and
not hasSpecifier("explicit")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// taint flow from the first constructor argument to the returned object
input.isParameter(0) and

55
cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
View File

@@ -1,5 +1,12 @@
import semmle.code.cpp.models.interfaces.Taint
/**
* The `std::basic_string` template class.
*/
class StdBasicString extends TemplateClass {
StdBasicString() { this.hasQualifiedName("std", "basic_string") }
}
/**
* The standard function `std::string.c_str`.
*/
@@ -12,3 +19,51 @@ class StdStringCStr extends TaintFunction {
output.isReturnValue()
}
}
/**
* The `std::string` function `operator+`.
*/
class StdStringPlus extends TaintFunction {
StdStringPlus() {
this.hasQualifiedName("std", "operator+") and
this.getUnspecifiedType() = any(StdBasicString s).getAnInstantiation()
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from parameters to return value
(
input.isParameterDeref(0) or
input.isParameterDeref(1)
) and
output.isReturnValue()
}
}
/**
* The `std::string` functions `operator+=` and `append`.
*/
class StdStringAppend extends TaintFunction {
StdStringAppend() {
this.hasQualifiedName("std", "basic_string", "operator+=") or
this.hasQualifiedName("std", "basic_string", "append")
}
/**
* Gets the index of a parameter to this function that is a string (or
* character).
*/
int getAStringParameter() {
getParameter(result).getType() instanceof PointerType or
getParameter(result).getType() instanceof ReferenceType or
getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from parameter to string itself (qualifier) and return value
input.isParameterDeref(getAStringParameter()) and
(
output.isQualifierObject() or
output.isReturnValueDeref()
)
}
}

28
cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
View File

@@ -157,6 +157,10 @@ float safeFloor(float v) {
result = v
}
private class UnsignedMulExpr extends MulExpr {
UnsignedMulExpr() { this.getType().(IntegralType).isUnsigned() }
}
/** Set of expressions which we know how to analyze. */
private predicate analyzableExpr(Expr e) {
// The type of the expression must be arithmetic. We reuse the logic in
@@ -179,6 +183,8 @@ private predicate analyzableExpr(Expr e) {
or
e instanceof SubExpr
or
e instanceof UnsignedMulExpr
or
e instanceof AssignExpr
or
e instanceof AssignAddExpr
@@ -282,6 +288,10 @@ private predicate exprDependsOnDef(Expr e, RangeSsaDefinition srcDef, StackVaria
or
exists(SubExpr subExpr | e = subExpr | exprDependsOnDef(subExpr.getAnOperand(), srcDef, srcVar))
or
exists(UnsignedMulExpr mulExpr | e = mulExpr |
exprDependsOnDef(mulExpr.getAnOperand(), srcDef, srcVar)
)
or
exists(AssignExpr addExpr | e = addExpr | exprDependsOnDef(addExpr.getRValue(), srcDef, srcVar))
or
exists(AssignAddExpr addExpr | e = addExpr |
@@ -634,6 +644,13 @@ private float getLowerBoundsImpl(Expr expr) {
result = addRoundingDown(xLow, -yHigh)
)
or
exists(UnsignedMulExpr mulExpr, float xLow, float yLow |
expr = mulExpr and
xLow = getFullyConvertedLowerBounds(mulExpr.getLeftOperand()) and
yLow = getFullyConvertedLowerBounds(mulExpr.getRightOperand()) and
result = xLow * yLow
)
or
exists(AssignExpr assign |
expr = assign and
result = getFullyConvertedLowerBounds(assign.getRValue())
@@ -735,7 +752,7 @@ private float getLowerBoundsImpl(Expr expr) {
exists(RShiftExpr rsExpr, float left, int right |
rsExpr = expr and
left = getFullyConvertedLowerBounds(rsExpr.getLeftOperand()) and
right = rsExpr.getRightOperand().getValue().toInt() and
right = rsExpr.getRightOperand().getFullyConverted().getValue().toInt() and
result = safeFloor(left / 2.pow(right))
)
or
@@ -811,6 +828,13 @@ private float getUpperBoundsImpl(Expr expr) {
result = addRoundingUp(xHigh, -yLow)
)
or
exists(UnsignedMulExpr mulExpr, float xHigh, float yHigh |
expr = mulExpr and
xHigh = getFullyConvertedUpperBounds(mulExpr.getLeftOperand()) and
yHigh = getFullyConvertedUpperBounds(mulExpr.getRightOperand()) and
result = xHigh * yHigh
)
or
exists(AssignExpr assign |
expr = assign and
result = getFullyConvertedUpperBounds(assign.getRValue())
@@ -912,7 +936,7 @@ private float getUpperBoundsImpl(Expr expr) {
exists(RShiftExpr rsExpr, float left, int right |
rsExpr = expr and
left = getFullyConvertedUpperBounds(rsExpr.getLeftOperand()) and
right = rsExpr.getRightOperand().getValue().toInt() and
right = rsExpr.getRightOperand().getFullyConverted().getValue().toInt() and
result = safeFloor(left / 2.pow(right))
)
or

24
cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll
View File

@@ -137,12 +137,14 @@ class Stmt extends StmtParent, @stmt {
predicate isCompilerGenerated() { compgenerated(underlyingElement(this)) }
}
private class TStmtParent = @stmt or @expr;
/**
* An element that is the parent of a statement in the C/C++ AST.
*
* This is normally a statement, but may be a `StmtExpr`.
*/
abstract class StmtParent extends ControlFlowNode { }
class StmtParent extends ControlFlowNode, TStmtParent { }
/**
* A C/C++ 'expression' statement.
@@ -179,28 +181,32 @@ class ExprStmt extends Stmt, @stmt_expr {
}
}
private class TControlStructure = TConditionalStmt or TLoop;
/**
* A C/C++ control structure, that is, either a conditional statement or
* a loop.
*/
abstract class ControlStructure extends Stmt {
class ControlStructure extends Stmt, TControlStructure {
/**
* Gets the controlling expression of this control structure.
*
* This is the condition of 'if' statements and loops, and the
* switched expression for 'switch' statements.
*/
abstract Expr getControllingExpr();
Expr getControllingExpr() { none() } // overridden by subclasses
/** Gets a child declaration of this scope. */
Declaration getADeclaration() { none() }
}
private class TConditionalStmt = @stmt_if or @stmt_constexpr_if or @stmt_switch;
/**
* A C/C++ conditional statement, that is, either an 'if' statement or a
* 'switch' statement.
*/
abstract class ConditionalStmt extends ControlStructure { }
class ConditionalStmt extends ControlStructure, TConditionalStmt { }
/**
* A C/C++ 'if' statement. For example, the `if` statement in the following
@@ -374,16 +380,18 @@ class ConstexprIfStmt extends ConditionalStmt, @stmt_constexpr_if {
}
}
private class TLoop = @stmt_while or @stmt_end_test_while or @stmt_range_based_for or @stmt_for;
/**
* A C/C++ loop, that is, either a 'while' loop, a 'for' loop, or a
* 'do' loop.
*/
abstract class Loop extends ControlStructure {
class Loop extends ControlStructure, TLoop {
/** Gets the condition expression of this loop. */
abstract Expr getCondition();
Expr getCondition() { none() } // overridden in subclasses
/** Gets the body statement of this loop. */
abstract Stmt getStmt();
Stmt getStmt() { none() } // overridden in subclasses
}
/**
@@ -461,7 +469,7 @@ class WhileStmt extends Loop, @stmt_while {
/**
* A C/C++ jump statement.
*/
abstract class JumpStmt extends Stmt, @jump {
class JumpStmt extends Stmt, @jump {
override string getAPrimaryQlClass() { result = "JumpStmt" }
/** Gets the target of this jump statement. */

3
cpp/ql/src/semmlecode.cpp.dbscheme
View File

@@ -508,7 +508,8 @@ static_asserts(
unique int id: @static_assert,
int condition : @expr ref,
string message : string ref,
int location: @location_default ref
int location: @location_default ref,
int enclosing : @element ref
);
// each function has an ordered list of parameters

3312
cpp/ql/src/semmlecode.cpp.dbscheme.stats
View File

File diff suppressed because it is too large Load Diff

21
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected Normal file
View File

@@ -0,0 +1,21 @@
edges
| test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp |
| test.cpp:81:17:81:20 | call to func | test.cpp:82:24:82:28 | buff5 |
| test.cpp:81:22:81:28 | medical | test.cpp:81:17:81:20 | call to func |
nodes
| test.cpp:57:9:57:18 | theZipcode | semmle.label | theZipcode |
| test.cpp:74:24:74:30 | medical | semmle.label | medical |
| test.cpp:77:16:77:22 | medical | semmle.label | medical |
| test.cpp:78:24:78:27 | temp | semmle.label | temp |
| test.cpp:81:17:81:20 | call to func | semmle.label | call to func |
| test.cpp:81:22:81:28 | medical | semmle.label | medical |
| test.cpp:82:24:82:28 | buff5 | semmle.label | buff5 |
| test.cpp:96:37:96:46 | theZipcode | semmle.label | theZipcode |
| test.cpp:99:42:99:51 | theZipcode | semmle.label | theZipcode |
#select
| test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:57:9:57:18 | theZipcode | this source. |
| test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@ | test.cpp:74:24:74:30 | medical | this source. |
| test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@ | test.cpp:77:16:77:22 | medical | this source. |
| test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@ | test.cpp:81:22:81:28 | medical | this source. |
| test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:96:37:96:46 | theZipcode | this source. |
| test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:99:42:99:51 | theZipcode | this source. |

1
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql

105
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/test.cpp Normal file
View File

@@ -0,0 +1,105 @@
#define FILE int
#define wchar char
#define size_t int
typedef int streamsize;
size_t fwrite(const void *ptr, size_t size, size_t nmemb, FILE *stream);
int fputs(const char *s, FILE *stream);
int fputc(int c, FILE *stream);
int fprintf(FILE *stream, const char *format, ...);
int sprintf(char *s, const char *format, ...);
size_t strlen(const char *s);
namespace std
{
template <class charT>
struct char_traits;
template <class charT, class traits = char_traits<charT>>
class basic_ostream /*: virtual public basic_ios<charT,traits> - not needed for this test */
{
public:
typedef charT char_type;
basic_ostream<charT, traits> &write(const char_type *s, streamsize n);
};
template <class charT, class traits = char_traits<charT>>
class basic_ofstream : public basic_ostream<charT, traits>
{
public:
};
template <class charT, class traits>
basic_ostream<charT, traits> &operator<<(basic_ostream<charT, traits> &, const charT *);
typedef basic_ostream<char> ostream;
typedef basic_ofstream<char> ofstream;
}; // namespace std
using namespace std;
char *encrypt(char *buffer)
{
return buffer;
}
char *func(char *buffer)
{
return buffer;
}
// test for CleartextFileWrite
void file()
{
char *theZipcode = "cleartext zipcode!";
FILE *file;
// BAD: write zipcode to file in cleartext
fputs(theZipcode, file);
// GOOD: encrypt first
char *encrypted = encrypt(theZipcode);
fwrite(encrypted, sizeof(encrypted), 1, file);
}
// test for CleartextBufferWrite
int main(int argc, char **argv)
{
char *medical = "medical";
char *buff1;
char *buff2;
char *buff3;
char *buff4;
// BAD: write medical to buffer in cleartext
sprintf(buff1, "%s", medical);
// BAD: write medical to buffer in cleartext
char *temp = medical;
sprintf(buff2, "%s", temp);
// BAD: write medical to buffer in cleartext
char *buff5 = func(medical);
sprintf(buff3, "%s", buff5);
char *buff6 = encrypt(medical);
// GOOD: encrypt first
sprintf(buff4, "%s", buff6);
}
// test for CleartextFileWrite
void stream()
{
char *theZipcode = "cleartext zipcode!";
ofstream mystream;
// BAD: write zipcode to file in cleartext
mystream << "the zipcode is: " << theZipcode;
// BAD: write zipcode to file in cleartext
(mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode));
// GOOD: encrypt first
char *encrypted = encrypt(theZipcode);
mystream << "the zipcode is: " << encrypted;
(mystream << "the zipcode is: ").write(encrypted, strlen(encrypted));
}

25
cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.cpp Normal file
View File

@@ -0,0 +1,25 @@
///// Library routines /////
int scanf(const char *format, ...);
int sscanf(const char *str, const char *format, ...);
int fscanf(const char *str, const char *format, ...);
///// Test code /////
int main(int argc, char **argv)
{
// BAD, do not use scanf without specifying a length first
char buf1[10];
scanf("%s", buf1);
// GOOD, length is specified
char buf2[10];
sscanf(buf2, "%9s");
// BAD, do not use scanf without specifying a length first
char file[10];
fscanf(file, "%s", buf2);
return 0;
}

2
cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.expected Normal file
View File

@@ -0,0 +1,2 @@
| MemoryUnsafeFunctionScan.cpp:14:5:14:9 | call to scanf | Dangerous use of one of the scanf functions |
| MemoryUnsafeFunctionScan.cpp:22:5:22:10 | call to fscanf | Dangerous use of one of the scanf functions |

1
cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql

2
cpp/ql/test/library-tests/dataflow/dataflow-tests/IRDataflowTestCommon.qll
View File

@@ -10,7 +10,7 @@ import semmle.code.cpp.ir.IR
class TestBarrierGuard extends DataFlow::BarrierGuard {
TestBarrierGuard() { this.(CallInstruction).getStaticCallTarget().getName() = "guarded" }
override predicate checks(Instruction checked, boolean isTrue) {
override predicate checksInstr(Instruction checked, boolean isTrue) {
checked = this.(CallInstruction).getPositionalArgument(0) and
isTrue = true
}

2
cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
View File

@@ -27,8 +27,6 @@ localCallNodes
postIsNotPre
postHasUniquePre
uniquePostUpdate
| ref.cpp:83:5:83:17 | Chi | Node has multiple PostUpdateNodes. |
| ref.cpp:109:5:109:22 | Chi | Node has multiple PostUpdateNodes. |
postIsInSameCallable
reverseRead
storeIsPostUpdate

69
cpp/ql/test/library-tests/dataflow/taint-tests/copyableclass_declonly.cpp Normal file
View File

@@ -0,0 +1,69 @@
int source();
void sink(...) {};
class MyCopyableClassDeclOnly {
public:
MyCopyableClassDeclOnly(); // Constructor
MyCopyableClassDeclOnly(int _v); // ConversionConstructor
MyCopyableClassDeclOnly(const MyCopyableClassDeclOnly &other); // CopyConstructor
MyCopyableClassDeclOnly &operator=(const MyCopyableClassDeclOnly &other); // CopyAssignmentOperator
int v;
};
void test_copyableclass()
{
{
MyCopyableClassDeclOnly s1(1);
MyCopyableClassDeclOnly s2 = 1;
MyCopyableClassDeclOnly s3(s1);
MyCopyableClassDeclOnly s4;
s4 = 1;
sink(s1);
sink(s2);
sink(s3);
sink(s4);
}
{
MyCopyableClassDeclOnly s1(source());
MyCopyableClassDeclOnly s2 = source();
MyCopyableClassDeclOnly s3(s1);
MyCopyableClassDeclOnly s4;
s4 = source();
sink(s1); // tainted
sink(s2); // tainted
sink(s3); // tainted
sink(s4); // tainted
}
{
MyCopyableClassDeclOnly s1;
MyCopyableClassDeclOnly s2 = s1;
MyCopyableClassDeclOnly s3(s1);
MyCopyableClassDeclOnly s4;
s4 = s1;
sink(s1);
sink(s2);
sink(s3);
sink(s4);
}
{
MyCopyableClassDeclOnly s1 = MyCopyableClassDeclOnly(source());
MyCopyableClassDeclOnly s2;
MyCopyableClassDeclOnly s3;
s2 = MyCopyableClassDeclOnly(source());
sink(s1); // tainted
sink(s2); // tainted
sink(s3 = source()); // tainted
}
}

2
cpp/ql/test/library-tests/dataflow/taint-tests/format.cpp
View File

@@ -112,7 +112,7 @@ void test1()
{
char buffer[256] = {0};
sink(mysprintf(buffer, 256, "%s", string::source()));
sink(buffer); // tainted [NOT DETECTED - implement UserDefinedFormattingFunction.getOutputParameterIndex()]
sink(buffer); // tainted
}
{

858
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -62,6 +62,57 @@
| copyableclass.cpp:67:13:67:18 | call to source | copyableclass.cpp:67:13:67:20 | call to MyCopyableClass | TAINT |
| copyableclass.cpp:67:13:67:20 | call to MyCopyableClass | copyableclass.cpp:67:8:67:9 | ref arg s3 | TAINT |
| copyableclass.cpp:67:13:67:20 | call to MyCopyableClass | copyableclass.cpp:67:11:67:11 | call to operator= | TAINT |
| copyableclass_declonly.cpp:21:30:21:30 | 1 | copyableclass_declonly.cpp:21:30:21:31 | call to MyCopyableClassDeclOnly | TAINT |
| copyableclass_declonly.cpp:21:30:21:31 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:23:30:23:31 | s1 | |
| copyableclass_declonly.cpp:21:30:21:31 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:27:8:27:9 | s1 | |
| copyableclass_declonly.cpp:22:31:22:32 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:28:8:28:9 | s2 | |
| copyableclass_declonly.cpp:22:32:22:32 | 1 | copyableclass_declonly.cpp:22:31:22:32 | call to MyCopyableClassDeclOnly | TAINT |
| copyableclass_declonly.cpp:23:30:23:31 | s1 | copyableclass_declonly.cpp:23:30:23:32 | call to MyCopyableClassDeclOnly | |
| copyableclass_declonly.cpp:23:30:23:32 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:29:8:29:9 | s3 | |
| copyableclass_declonly.cpp:24:27:24:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:25:3:25:4 | s4 | |
| copyableclass_declonly.cpp:24:27:24:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:30:8:30:9 | s4 | |
| copyableclass_declonly.cpp:25:3:25:4 | ref arg s4 | copyableclass_declonly.cpp:30:8:30:9 | s4 | |
| copyableclass_declonly.cpp:25:8:25:8 | 1 | copyableclass_declonly.cpp:25:8:25:8 | call to MyCopyableClassDeclOnly | TAINT |
| copyableclass_declonly.cpp:25:8:25:8 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:25:3:25:4 | ref arg s4 | TAINT |
| copyableclass_declonly.cpp:25:8:25:8 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:25:6:25:6 | call to operator= | TAINT |
| copyableclass_declonly.cpp:34:30:34:35 | call to source | copyableclass_declonly.cpp:34:30:34:38 | call to MyCopyableClassDeclOnly | TAINT |
| copyableclass_declonly.cpp:34:30:34:38 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:36:30:36:31 | s1 | |
| copyableclass_declonly.cpp:34:30:34:38 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:40:8:40:9 | s1 | |
| copyableclass_declonly.cpp:35:31:35:39 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:41:8:41:9 | s2 | |
| copyableclass_declonly.cpp:35:32:35:37 | call to source | copyableclass_declonly.cpp:35:31:35:39 | call to MyCopyableClassDeclOnly | TAINT |
| copyableclass_declonly.cpp:36:30:36:31 | s1 | copyableclass_declonly.cpp:36:30:36:32 | call to MyCopyableClassDeclOnly | |
| copyableclass_declonly.cpp:36:30:36:32 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:42:8:42:9 | s3 | |
| copyableclass_declonly.cpp:37:27:37:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:38:3:38:4 | s4 | |
| copyableclass_declonly.cpp:37:27:37:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:43:8:43:9 | s4 | |
| copyableclass_declonly.cpp:38:3:38:4 | ref arg s4 | copyableclass_declonly.cpp:43:8:43:9 | s4 | |
| copyableclass_declonly.cpp:38:8:38:13 | call to source | copyableclass_declonly.cpp:38:8:38:15 | call to MyCopyableClassDeclOnly | TAINT |
| copyableclass_declonly.cpp:38:8:38:15 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:38:3:38:4 | ref arg s4 | TAINT |
| copyableclass_declonly.cpp:38:8:38:15 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:38:6:38:6 | call to operator= | TAINT |
| copyableclass_declonly.cpp:47:27:47:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:48:32:48:33 | s1 | |
| copyableclass_declonly.cpp:47:27:47:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:49:30:49:31 | s1 | |
| copyableclass_declonly.cpp:47:27:47:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:51:8:51:9 | s1 | |
| copyableclass_declonly.cpp:47:27:47:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:53:8:53:9 | s1 | |
| copyableclass_declonly.cpp:48:31:48:33 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:54:8:54:9 | s2 | |
| copyableclass_declonly.cpp:48:32:48:33 | s1 | copyableclass_declonly.cpp:48:31:48:33 | call to MyCopyableClassDeclOnly | |
| copyableclass_declonly.cpp:49:30:49:31 | s1 | copyableclass_declonly.cpp:49:30:49:32 | call to MyCopyableClassDeclOnly | |
| copyableclass_declonly.cpp:49:30:49:32 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:55:8:55:9 | s3 | |
| copyableclass_declonly.cpp:50:27:50:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:51:3:51:4 | s4 | |
| copyableclass_declonly.cpp:50:27:50:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:56:8:56:9 | s4 | |
| copyableclass_declonly.cpp:51:3:51:4 | ref arg s4 | copyableclass_declonly.cpp:56:8:56:9 | s4 | |
| copyableclass_declonly.cpp:51:8:51:9 | s1 | copyableclass_declonly.cpp:51:3:51:4 | ref arg s4 | TAINT |
| copyableclass_declonly.cpp:51:8:51:9 | s1 | copyableclass_declonly.cpp:51:6:51:6 | call to operator= | TAINT |
| copyableclass_declonly.cpp:60:31:60:64 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:65:8:65:9 | s1 | |
| copyableclass_declonly.cpp:60:56:60:61 | call to source | copyableclass_declonly.cpp:60:31:60:64 | call to MyCopyableClassDeclOnly | TAINT |
| copyableclass_declonly.cpp:61:27:61:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:63:3:63:4 | s2 | |
| copyableclass_declonly.cpp:61:27:61:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:66:8:66:9 | s2 | |
| copyableclass_declonly.cpp:62:27:62:28 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:67:8:67:9 | s3 | |
| copyableclass_declonly.cpp:63:3:63:4 | ref arg s2 | copyableclass_declonly.cpp:66:8:66:9 | s2 | |
| copyableclass_declonly.cpp:63:8:63:40 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:63:3:63:4 | ref arg s2 | TAINT |
| copyableclass_declonly.cpp:63:8:63:40 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:63:6:63:6 | call to operator= | TAINT |
| copyableclass_declonly.cpp:63:32:63:37 | call to source | copyableclass_declonly.cpp:63:8:63:40 | call to MyCopyableClassDeclOnly | TAINT |
| copyableclass_declonly.cpp:67:13:67:18 | call to source | copyableclass_declonly.cpp:67:13:67:20 | call to MyCopyableClassDeclOnly | TAINT |
| copyableclass_declonly.cpp:67:13:67:20 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:67:8:67:9 | ref arg s3 | TAINT |
| copyableclass_declonly.cpp:67:13:67:20 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:67:11:67:11 | call to operator= | TAINT |
| file://:0:0:0:0 | p#0 | file://:0:0:0:0 | p#0 | |
| file://:0:0:0:0 | p#0 | file://:0:0:0:0 | p#0 | |
| file://:0:0:0:0 | p#0 | file://:0:0:0:0 | p#0 | |
@@ -155,6 +206,8 @@
| format.cpp:113:21:113:24 | {...} | format.cpp:115:8:115:13 | buffer | |
| format.cpp:113:23:113:23 | 0 | format.cpp:113:21:113:24 | {...} | TAINT |
| format.cpp:114:18:114:23 | ref arg buffer | format.cpp:115:8:115:13 | buffer | |
| format.cpp:114:31:114:34 | %s | format.cpp:114:18:114:23 | ref arg buffer | TAINT |
| format.cpp:114:37:114:50 | call to source | format.cpp:114:18:114:23 | ref arg buffer | TAINT |
| format.cpp:119:10:119:11 | 0 | format.cpp:120:29:120:29 | i | |
| format.cpp:119:10:119:11 | 0 | format.cpp:121:8:121:8 | i | |
| format.cpp:120:28:120:29 | ref arg & ... | format.cpp:120:29:120:29 | i [inner post update] | |
@@ -255,99 +308,284 @@
| movableclass.cpp:65:13:65:18 | call to source | movableclass.cpp:65:13:65:20 | call to MyMovableClass | TAINT |
| movableclass.cpp:65:13:65:20 | call to MyMovableClass | movableclass.cpp:65:8:65:9 | ref arg s3 | TAINT |
| movableclass.cpp:65:13:65:20 | call to MyMovableClass | movableclass.cpp:65:11:65:11 | call to operator= | TAINT |
| stl.cpp:67:12:67:17 | call to source | stl.cpp:71:7:71:7 | a | |
| stl.cpp:68:16:68:20 | 123 | stl.cpp:68:16:68:21 | call to basic_string | TAINT |
| stl.cpp:68:16:68:21 | call to basic_string | stl.cpp:72:7:72:7 | b | |
| stl.cpp:68:16:68:21 | call to basic_string | stl.cpp:74:7:74:7 | b | |
| stl.cpp:69:16:69:21 | call to source | stl.cpp:69:16:69:24 | call to basic_string | TAINT |
| stl.cpp:69:16:69:24 | call to basic_string | stl.cpp:73:7:73:7 | c | |
| stl.cpp:69:16:69:24 | call to basic_string | stl.cpp:75:7:75:7 | c | |
| stl.cpp:74:7:74:7 | b | stl.cpp:74:9:74:13 | call to c_str | TAINT |
| stl.cpp:75:7:75:7 | c | stl.cpp:75:9:75:13 | call to c_str | TAINT |
| stl.cpp:80:20:80:22 | call to basic_stringstream | stl.cpp:83:2:83:4 | ss1 | |
| stl.cpp:80:20:80:22 | call to basic_stringstream | stl.cpp:89:7:89:9 | ss1 | |
| stl.cpp:80:20:80:22 | call to basic_stringstream | stl.cpp:94:7:94:9 | ss1 | |
| stl.cpp:80:25:80:27 | call to basic_stringstream | stl.cpp:84:2:84:4 | ss2 | |
| stl.cpp:80:25:80:27 | call to basic_stringstream | stl.cpp:90:7:90:9 | ss2 | |
| stl.cpp:80:25:80:27 | call to basic_stringstream | stl.cpp:95:7:95:9 | ss2 | |
| stl.cpp:80:30:80:32 | call to basic_stringstream | stl.cpp:85:2:85:4 | ss3 | |
| stl.cpp:80:30:80:32 | call to basic_stringstream | stl.cpp:91:7:91:9 | ss3 | |
| stl.cpp:80:30:80:32 | call to basic_stringstream | stl.cpp:96:7:96:9 | ss3 | |
| stl.cpp:80:35:80:37 | call to basic_stringstream | stl.cpp:86:2:86:4 | ss4 | |
| stl.cpp:80:35:80:37 | call to basic_stringstream | stl.cpp:92:7:92:9 | ss4 | |
| stl.cpp:80:35:80:37 | call to basic_stringstream | stl.cpp:97:7:97:9 | ss4 | |
| stl.cpp:80:40:80:42 | call to basic_stringstream | stl.cpp:87:2:87:4 | ss5 | |
| stl.cpp:80:40:80:42 | call to basic_stringstream | stl.cpp:93:7:93:9 | ss5 | |
| stl.cpp:80:40:80:42 | call to basic_stringstream | stl.cpp:98:7:98:9 | ss5 | |
| stl.cpp:81:16:81:21 | call to source | stl.cpp:81:16:81:24 | call to basic_string | TAINT |
| stl.cpp:81:16:81:24 | call to basic_string | stl.cpp:87:9:87:9 | t | |
| stl.cpp:83:2:83:4 | ref arg ss1 | stl.cpp:89:7:89:9 | ss1 | |
| stl.cpp:83:2:83:4 | ref arg ss1 | stl.cpp:94:7:94:9 | ss1 | |
| stl.cpp:84:2:84:4 | ref arg ss2 | stl.cpp:90:7:90:9 | ss2 | |
| stl.cpp:84:2:84:4 | ref arg ss2 | stl.cpp:95:7:95:9 | ss2 | |
| stl.cpp:85:2:85:4 | ref arg ss3 | stl.cpp:91:7:91:9 | ss3 | |
| stl.cpp:85:2:85:4 | ref arg ss3 | stl.cpp:96:7:96:9 | ss3 | |
| stl.cpp:86:2:86:4 | ref arg ss4 | stl.cpp:92:7:92:9 | ss4 | |
| stl.cpp:86:2:86:4 | ref arg ss4 | stl.cpp:97:7:97:9 | ss4 | |
| stl.cpp:87:2:87:4 | ref arg ss5 | stl.cpp:93:7:93:9 | ss5 | |
| stl.cpp:87:2:87:4 | ref arg ss5 | stl.cpp:98:7:98:9 | ss5 | |
| stl.cpp:101:32:101:37 | source | stl.cpp:106:9:106:14 | source | |
| stl.cpp:103:20:103:22 | call to basic_stringstream | stl.cpp:105:2:105:4 | ss1 | |
| stl.cpp:103:20:103:22 | call to basic_stringstream | stl.cpp:108:7:108:9 | ss1 | |
| stl.cpp:103:20:103:22 | call to basic_stringstream | stl.cpp:110:7:110:9 | ss1 | |
| stl.cpp:103:25:103:27 | call to basic_stringstream | stl.cpp:106:2:106:4 | ss2 | |
| stl.cpp:103:25:103:27 | call to basic_stringstream | stl.cpp:109:7:109:9 | ss2 | |
| stl.cpp:103:25:103:27 | call to basic_stringstream | stl.cpp:111:7:111:9 | ss2 | |
| stl.cpp:105:2:105:4 | ref arg ss1 | stl.cpp:108:7:108:9 | ss1 | |
| stl.cpp:105:2:105:4 | ref arg ss1 | stl.cpp:110:7:110:9 | ss1 | |
| stl.cpp:106:2:106:4 | ref arg ss2 | stl.cpp:109:7:109:9 | ss2 | |
| stl.cpp:106:2:106:4 | ref arg ss2 | stl.cpp:111:7:111:9 | ss2 | |
| stl.cpp:124:16:124:28 | call to basic_string | stl.cpp:125:7:125:11 | path1 | |
| stl.cpp:124:17:124:26 | call to user_input | stl.cpp:124:16:124:28 | call to basic_string | TAINT |
| stl.cpp:125:7:125:11 | path1 | stl.cpp:125:13:125:17 | call to c_str | TAINT |
| stl.cpp:128:10:128:19 | call to user_input | stl.cpp:128:10:128:21 | call to basic_string | TAINT |
| stl.cpp:128:10:128:21 | call to basic_string | stl.cpp:128:2:128:21 | ... = ... | |
| stl.cpp:128:10:128:21 | call to basic_string | stl.cpp:129:7:129:11 | path2 | |
| stl.cpp:129:7:129:11 | path2 | stl.cpp:129:13:129:17 | call to c_str | TAINT |
| stl.cpp:131:15:131:24 | call to user_input | stl.cpp:131:15:131:27 | call to basic_string | TAINT |
| stl.cpp:131:15:131:27 | call to basic_string | stl.cpp:132:7:132:11 | path3 | |
| stl.cpp:132:7:132:11 | path3 | stl.cpp:132:13:132:17 | call to c_str | TAINT |
| stl.cpp:137:19:137:24 | call to source | stl.cpp:140:17:140:18 | cs | |
| stl.cpp:137:19:137:24 | call to source | stl.cpp:142:7:142:8 | cs | |
| stl.cpp:140:17:140:18 | cs | stl.cpp:140:17:140:19 | call to basic_string | TAINT |
| stl.cpp:140:17:140:19 | call to basic_string | stl.cpp:143:7:143:8 | ss | |
| stl.cpp:148:19:148:24 | call to source | stl.cpp:151:17:151:18 | cs | |
| stl.cpp:151:17:151:18 | cs | stl.cpp:151:17:151:19 | call to basic_string | TAINT |
| stl.cpp:151:17:151:19 | call to basic_string | stl.cpp:154:7:154:8 | ss | |
| stl.cpp:151:17:151:19 | call to basic_string | stl.cpp:157:7:157:8 | ss | |
| stl.cpp:154:7:154:8 | ss | stl.cpp:154:10:154:14 | call to c_str | TAINT |
| stl.cpp:154:10:154:14 | call to c_str | stl.cpp:154:2:154:16 | ... = ... | |
| stl.cpp:154:10:154:14 | call to c_str | stl.cpp:156:7:156:8 | cs | |
| stl.cpp:163:18:163:24 | hello | stl.cpp:163:18:163:25 | call to basic_string | TAINT |
| stl.cpp:163:18:163:25 | call to basic_string | stl.cpp:168:8:168:9 | s1 | |
| stl.cpp:164:19:164:26 | call to basic_string | stl.cpp:169:8:169:9 | s2 | |
| stl.cpp:164:20:164:26 | hello | stl.cpp:164:19:164:26 | call to basic_string | TAINT |
| stl.cpp:166:8:166:14 | call to basic_string | stl.cpp:166:3:166:14 | ... = ... | |
| stl.cpp:166:8:166:14 | call to basic_string | stl.cpp:170:8:170:9 | s3 | |
| stl.cpp:166:8:166:14 | hello | stl.cpp:166:8:166:14 | call to basic_string | TAINT |
| stl.cpp:174:18:174:23 | call to source | stl.cpp:174:18:174:26 | call to basic_string | TAINT |
| stl.cpp:174:18:174:26 | call to basic_string | stl.cpp:179:8:179:9 | s1 | |
| stl.cpp:175:19:175:27 | call to basic_string | stl.cpp:180:8:180:9 | s2 | |
| stl.cpp:175:20:175:25 | call to source | stl.cpp:175:19:175:27 | call to basic_string | TAINT |
| stl.cpp:177:8:177:13 | call to source | stl.cpp:177:8:177:15 | call to basic_string | TAINT |
| stl.cpp:177:8:177:15 | call to basic_string | stl.cpp:177:3:177:15 | ... = ... | |
| stl.cpp:177:8:177:15 | call to basic_string | stl.cpp:181:8:181:9 | s3 | |
| stl.cpp:185:15:185:16 | call to basic_string | stl.cpp:186:20:186:21 | s1 | |
| stl.cpp:185:15:185:16 | call to basic_string | stl.cpp:188:8:188:9 | s1 | |
| stl.cpp:185:15:185:16 | call to basic_string | stl.cpp:190:8:190:9 | s1 | |
| stl.cpp:186:20:186:21 | s1 | stl.cpp:191:8:191:9 | s2 | |
| stl.cpp:188:8:188:9 | s1 | stl.cpp:188:3:188:9 | ... = ... | |
| stl.cpp:188:8:188:9 | s1 | stl.cpp:192:8:192:9 | s3 | |
| stl.cpp:196:19:196:40 | call to basic_string | stl.cpp:200:8:200:9 | s1 | |
| stl.cpp:196:32:196:37 | call to source | stl.cpp:196:19:196:40 | call to basic_string | TAINT |
| stl.cpp:198:8:198:28 | call to basic_string | stl.cpp:198:3:198:28 | ... = ... | |
| stl.cpp:198:8:198:28 | call to basic_string | stl.cpp:201:8:201:9 | s2 | |
| stl.cpp:198:20:198:25 | call to source | stl.cpp:198:8:198:28 | call to basic_string | TAINT |
| stl.cpp:109:12:109:17 | call to source | stl.cpp:113:7:113:7 | a | |
| stl.cpp:110:16:110:20 | 123 | stl.cpp:110:16:110:21 | call to basic_string | TAINT |
| stl.cpp:110:16:110:21 | call to basic_string | stl.cpp:114:7:114:7 | b | |
| stl.cpp:110:16:110:21 | call to basic_string | stl.cpp:116:7:116:7 | b | |
| stl.cpp:111:16:111:21 | call to source | stl.cpp:111:16:111:24 | call to basic_string | TAINT |
| stl.cpp:111:16:111:24 | call to basic_string | stl.cpp:115:7:115:7 | c | |
| stl.cpp:111:16:111:24 | call to basic_string | stl.cpp:117:7:117:7 | c | |
| stl.cpp:116:7:116:7 | b | stl.cpp:116:9:116:13 | call to c_str | TAINT |
| stl.cpp:117:7:117:7 | c | stl.cpp:117:9:117:13 | call to c_str | TAINT |
| stl.cpp:122:20:122:22 | call to basic_stringstream | stl.cpp:125:2:125:4 | ss1 | |
| stl.cpp:122:20:122:22 | call to basic_stringstream | stl.cpp:131:7:131:9 | ss1 | |
| stl.cpp:122:20:122:22 | call to basic_stringstream | stl.cpp:136:7:136:9 | ss1 | |
| stl.cpp:122:25:122:27 | call to basic_stringstream | stl.cpp:126:2:126:4 | ss2 | |
| stl.cpp:122:25:122:27 | call to basic_stringstream | stl.cpp:132:7:132:9 | ss2 | |
| stl.cpp:122:25:122:27 | call to basic_stringstream | stl.cpp:137:7:137:9 | ss2 | |
| stl.cpp:122:30:122:32 | call to basic_stringstream | stl.cpp:127:2:127:4 | ss3 | |
| stl.cpp:122:30:122:32 | call to basic_stringstream | stl.cpp:133:7:133:9 | ss3 | |
| stl.cpp:122:30:122:32 | call to basic_stringstream | stl.cpp:138:7:138:9 | ss3 | |
| stl.cpp:122:35:122:37 | call to basic_stringstream | stl.cpp:128:2:128:4 | ss4 | |
| stl.cpp:122:35:122:37 | call to basic_stringstream | stl.cpp:134:7:134:9 | ss4 | |
| stl.cpp:122:35:122:37 | call to basic_stringstream | stl.cpp:139:7:139:9 | ss4 | |
| stl.cpp:122:40:122:42 | call to basic_stringstream | stl.cpp:129:2:129:4 | ss5 | |
| stl.cpp:122:40:122:42 | call to basic_stringstream | stl.cpp:135:7:135:9 | ss5 | |
| stl.cpp:122:40:122:42 | call to basic_stringstream | stl.cpp:140:7:140:9 | ss5 | |
| stl.cpp:123:16:123:21 | call to source | stl.cpp:123:16:123:24 | call to basic_string | TAINT |
| stl.cpp:123:16:123:24 | call to basic_string | stl.cpp:129:9:129:9 | t | |
| stl.cpp:125:2:125:4 | ref arg ss1 | stl.cpp:131:7:131:9 | ss1 | |
| stl.cpp:125:2:125:4 | ref arg ss1 | stl.cpp:136:7:136:9 | ss1 | |
| stl.cpp:126:2:126:4 | ref arg ss2 | stl.cpp:132:7:132:9 | ss2 | |
| stl.cpp:126:2:126:4 | ref arg ss2 | stl.cpp:137:7:137:9 | ss2 | |
| stl.cpp:127:2:127:4 | ref arg ss3 | stl.cpp:133:7:133:9 | ss3 | |
| stl.cpp:127:2:127:4 | ref arg ss3 | stl.cpp:138:7:138:9 | ss3 | |
| stl.cpp:128:2:128:4 | ref arg ss4 | stl.cpp:134:7:134:9 | ss4 | |
| stl.cpp:128:2:128:4 | ref arg ss4 | stl.cpp:139:7:139:9 | ss4 | |
| stl.cpp:129:2:129:4 | ref arg ss5 | stl.cpp:135:7:135:9 | ss5 | |
| stl.cpp:129:2:129:4 | ref arg ss5 | stl.cpp:140:7:140:9 | ss5 | |
| stl.cpp:143:32:143:37 | source | stl.cpp:148:9:148:14 | source | |
| stl.cpp:145:20:145:22 | call to basic_stringstream | stl.cpp:147:2:147:4 | ss1 | |
| stl.cpp:145:20:145:22 | call to basic_stringstream | stl.cpp:150:7:150:9 | ss1 | |
| stl.cpp:145:20:145:22 | call to basic_stringstream | stl.cpp:152:7:152:9 | ss1 | |
| stl.cpp:145:25:145:27 | call to basic_stringstream | stl.cpp:148:2:148:4 | ss2 | |
| stl.cpp:145:25:145:27 | call to basic_stringstream | stl.cpp:151:7:151:9 | ss2 | |
| stl.cpp:145:25:145:27 | call to basic_stringstream | stl.cpp:153:7:153:9 | ss2 | |
| stl.cpp:147:2:147:4 | ref arg ss1 | stl.cpp:150:7:150:9 | ss1 | |
| stl.cpp:147:2:147:4 | ref arg ss1 | stl.cpp:152:7:152:9 | ss1 | |
| stl.cpp:148:2:148:4 | ref arg ss2 | stl.cpp:151:7:151:9 | ss2 | |
| stl.cpp:148:2:148:4 | ref arg ss2 | stl.cpp:153:7:153:9 | ss2 | |
| stl.cpp:166:16:166:28 | call to basic_string | stl.cpp:167:7:167:11 | path1 | |
| stl.cpp:166:17:166:26 | call to user_input | stl.cpp:166:16:166:28 | call to basic_string | TAINT |
| stl.cpp:167:7:167:11 | path1 | stl.cpp:167:13:167:17 | call to c_str | TAINT |
| stl.cpp:170:10:170:19 | call to user_input | stl.cpp:170:10:170:21 | call to basic_string | TAINT |
| stl.cpp:170:10:170:21 | call to basic_string | stl.cpp:170:2:170:21 | ... = ... | |
| stl.cpp:170:10:170:21 | call to basic_string | stl.cpp:171:7:171:11 | path2 | |
| stl.cpp:171:7:171:11 | path2 | stl.cpp:171:13:171:17 | call to c_str | TAINT |
| stl.cpp:173:15:173:24 | call to user_input | stl.cpp:173:15:173:27 | call to basic_string | TAINT |
| stl.cpp:173:15:173:27 | call to basic_string | stl.cpp:174:7:174:11 | path3 | |
| stl.cpp:174:7:174:11 | path3 | stl.cpp:174:13:174:17 | call to c_str | TAINT |
| stl.cpp:179:19:179:24 | call to source | stl.cpp:182:17:182:18 | cs | |
| stl.cpp:179:19:179:24 | call to source | stl.cpp:184:7:184:8 | cs | |
| stl.cpp:182:17:182:18 | cs | stl.cpp:182:17:182:19 | call to basic_string | TAINT |
| stl.cpp:182:17:182:19 | call to basic_string | stl.cpp:185:7:185:8 | ss | |
| stl.cpp:190:19:190:24 | call to source | stl.cpp:193:17:193:18 | cs | |
| stl.cpp:193:17:193:18 | cs | stl.cpp:193:17:193:19 | call to basic_string | TAINT |
| stl.cpp:193:17:193:19 | call to basic_string | stl.cpp:196:7:196:8 | ss | |
| stl.cpp:193:17:193:19 | call to basic_string | stl.cpp:199:7:199:8 | ss | |
| stl.cpp:196:7:196:8 | ss | stl.cpp:196:10:196:14 | call to c_str | TAINT |
| stl.cpp:196:10:196:14 | call to c_str | stl.cpp:196:2:196:16 | ... = ... | |
| stl.cpp:196:10:196:14 | call to c_str | stl.cpp:198:7:198:8 | cs | |
| stl.cpp:205:18:205:24 | hello | stl.cpp:205:18:205:25 | call to basic_string | TAINT |
| stl.cpp:205:18:205:25 | call to basic_string | stl.cpp:210:8:210:9 | s1 | |
| stl.cpp:206:19:206:26 | call to basic_string | stl.cpp:211:8:211:9 | s2 | |
| stl.cpp:206:20:206:26 | hello | stl.cpp:206:19:206:26 | call to basic_string | TAINT |
| stl.cpp:208:8:208:14 | call to basic_string | stl.cpp:208:3:208:14 | ... = ... | |
| stl.cpp:208:8:208:14 | call to basic_string | stl.cpp:212:8:212:9 | s3 | |
| stl.cpp:208:8:208:14 | hello | stl.cpp:208:8:208:14 | call to basic_string | TAINT |
| stl.cpp:216:18:216:23 | call to source | stl.cpp:216:18:216:26 | call to basic_string | TAINT |
| stl.cpp:216:18:216:26 | call to basic_string | stl.cpp:221:8:221:9 | s1 | |
| stl.cpp:217:19:217:27 | call to basic_string | stl.cpp:222:8:222:9 | s2 | |
| stl.cpp:217:20:217:25 | call to source | stl.cpp:217:19:217:27 | call to basic_string | TAINT |
| stl.cpp:219:8:219:13 | call to source | stl.cpp:219:8:219:15 | call to basic_string | TAINT |
| stl.cpp:219:8:219:15 | call to basic_string | stl.cpp:219:3:219:15 | ... = ... | |
| stl.cpp:219:8:219:15 | call to basic_string | stl.cpp:223:8:223:9 | s3 | |
| stl.cpp:227:15:227:16 | call to basic_string | stl.cpp:228:20:228:21 | s1 | |
| stl.cpp:227:15:227:16 | call to basic_string | stl.cpp:230:8:230:9 | s1 | |
| stl.cpp:227:15:227:16 | call to basic_string | stl.cpp:232:8:232:9 | s1 | |
| stl.cpp:228:20:228:21 | s1 | stl.cpp:233:8:233:9 | s2 | |
| stl.cpp:230:8:230:9 | s1 | stl.cpp:230:3:230:9 | ... = ... | |
| stl.cpp:230:8:230:9 | s1 | stl.cpp:234:8:234:9 | s3 | |
| stl.cpp:238:19:238:40 | call to basic_string | stl.cpp:242:8:242:9 | s1 | |
| stl.cpp:238:32:238:37 | call to source | stl.cpp:238:19:238:40 | call to basic_string | TAINT |
| stl.cpp:240:8:240:28 | call to basic_string | stl.cpp:240:3:240:28 | ... = ... | |
| stl.cpp:240:8:240:28 | call to basic_string | stl.cpp:243:8:243:9 | s2 | |
| stl.cpp:240:20:240:25 | call to source | stl.cpp:240:8:240:28 | call to basic_string | TAINT |
| stl.cpp:250:16:250:21 | call to source | stl.cpp:250:16:250:24 | call to basic_string | TAINT |
| stl.cpp:250:16:250:24 | call to basic_string | stl.cpp:251:15:251:15 | s | |
| stl.cpp:250:16:250:24 | call to basic_string | stl.cpp:255:33:255:33 | s | |
| stl.cpp:250:16:250:24 | call to basic_string | stl.cpp:255:50:255:50 | s | |
| stl.cpp:250:16:250:24 | call to basic_string | stl.cpp:259:16:259:16 | s | |
| stl.cpp:251:15:251:15 | call to begin | stl.cpp:251:15:251:15 | (__begin) | |
| stl.cpp:251:15:251:15 | call to begin | stl.cpp:251:15:251:15 | (__begin) | |
| stl.cpp:251:15:251:15 | call to begin | stl.cpp:251:15:251:15 | (__begin) | |
| stl.cpp:251:15:251:15 | call to end | stl.cpp:251:15:251:15 | (__end) | |
| stl.cpp:251:15:251:15 | call to operator* | stl.cpp:252:8:252:8 | c | |
| stl.cpp:251:15:251:15 | ref arg (__begin) | stl.cpp:251:15:251:15 | (__begin) | |
| stl.cpp:251:15:251:15 | ref arg (__begin) | stl.cpp:251:15:251:15 | (__begin) | |
| stl.cpp:251:15:251:15 | ref arg (__begin) | stl.cpp:251:15:251:15 | (__begin) | |
| stl.cpp:251:15:251:15 | ref arg (__range) | stl.cpp:251:15:251:15 | (__range) | |
| stl.cpp:251:15:251:15 | s | stl.cpp:251:15:251:15 | (__range) | |
| stl.cpp:251:15:251:15 | s | stl.cpp:251:15:251:15 | (__range) | |
| stl.cpp:251:15:251:15 | s | stl.cpp:251:15:251:15 | call to operator* | TAINT |
| stl.cpp:255:33:255:33 | ref arg s | stl.cpp:255:50:255:50 | s | |
| stl.cpp:255:33:255:33 | ref arg s | stl.cpp:259:16:259:16 | s | |
| stl.cpp:255:35:255:39 | call to begin | stl.cpp:255:44:255:45 | it | |
| stl.cpp:255:35:255:39 | call to begin | stl.cpp:255:61:255:62 | it | |
| stl.cpp:255:35:255:39 | call to begin | stl.cpp:256:9:256:10 | it | |
| stl.cpp:255:50:255:50 | ref arg s | stl.cpp:255:50:255:50 | s | |
| stl.cpp:255:50:255:50 | ref arg s | stl.cpp:259:16:259:16 | s | |
| stl.cpp:255:61:255:62 | ref arg it | stl.cpp:255:44:255:45 | it | |
| stl.cpp:255:61:255:62 | ref arg it | stl.cpp:255:61:255:62 | it | |
| stl.cpp:255:61:255:62 | ref arg it | stl.cpp:256:9:256:10 | it | |
| stl.cpp:259:16:259:16 | call to begin | stl.cpp:259:16:259:16 | (__begin) | |
| stl.cpp:259:16:259:16 | call to begin | stl.cpp:259:16:259:16 | (__begin) | |
| stl.cpp:259:16:259:16 | call to begin | stl.cpp:259:16:259:16 | (__begin) | |
| stl.cpp:259:16:259:16 | call to end | stl.cpp:259:16:259:16 | (__end) | |
| stl.cpp:259:16:259:16 | call to operator* | stl.cpp:260:8:260:8 | c | |
| stl.cpp:259:16:259:16 | ref arg (__begin) | stl.cpp:259:16:259:16 | (__begin) | |
| stl.cpp:259:16:259:16 | ref arg (__begin) | stl.cpp:259:16:259:16 | (__begin) | |
| stl.cpp:259:16:259:16 | ref arg (__begin) | stl.cpp:259:16:259:16 | (__begin) | |
| stl.cpp:259:16:259:16 | ref arg (__range) | stl.cpp:259:16:259:16 | (__range) | |
| stl.cpp:259:16:259:16 | s | stl.cpp:259:16:259:16 | (__range) | |
| stl.cpp:259:16:259:16 | s | stl.cpp:259:16:259:16 | (__range) | |
| stl.cpp:259:16:259:16 | s | stl.cpp:259:16:259:16 | call to operator* | TAINT |
| stl.cpp:263:28:263:33 | call to source | stl.cpp:263:28:263:36 | call to basic_string | TAINT |
| stl.cpp:263:28:263:36 | call to basic_string | stl.cpp:264:22:264:28 | const_s | |
| stl.cpp:264:22:264:22 | call to begin | stl.cpp:264:22:264:22 | (__begin) | |
| stl.cpp:264:22:264:22 | call to begin | stl.cpp:264:22:264:22 | (__begin) | |
| stl.cpp:264:22:264:22 | call to begin | stl.cpp:264:22:264:22 | (__begin) | |
| stl.cpp:264:22:264:22 | call to end | stl.cpp:264:22:264:22 | (__end) | |
| stl.cpp:264:22:264:22 | call to operator* | stl.cpp:265:8:265:8 | c | |
| stl.cpp:264:22:264:22 | ref arg (__begin) | stl.cpp:264:22:264:22 | (__begin) | |
| stl.cpp:264:22:264:22 | ref arg (__begin) | stl.cpp:264:22:264:22 | (__begin) | |
| stl.cpp:264:22:264:22 | ref arg (__begin) | stl.cpp:264:22:264:22 | (__begin) | |
| stl.cpp:264:22:264:28 | const_s | stl.cpp:264:22:264:22 | (__range) | |
| stl.cpp:264:22:264:28 | const_s | stl.cpp:264:22:264:22 | (__range) | |
| stl.cpp:264:22:264:28 | const_s | stl.cpp:264:22:264:22 | call to operator* | TAINT |
| stl.cpp:300:43:300:49 | source1 | stl.cpp:304:21:304:27 | source1 | |
| stl.cpp:300:43:300:49 | source1 | stl.cpp:318:33:318:39 | source1 | |
| stl.cpp:304:21:304:27 | source1 | stl.cpp:304:21:304:28 | call to vector | TAINT |
| stl.cpp:304:21:304:28 | call to vector | stl.cpp:306:14:306:14 | v | |
| stl.cpp:304:21:304:28 | call to vector | stl.cpp:310:38:310:38 | v | |
| stl.cpp:304:21:304:28 | call to vector | stl.cpp:310:55:310:55 | v | |
| stl.cpp:304:21:304:28 | call to vector | stl.cpp:314:15:314:15 | v | |
| stl.cpp:306:14:306:14 | call to begin | stl.cpp:306:14:306:14 | (__begin) | |
| stl.cpp:306:14:306:14 | call to begin | stl.cpp:306:14:306:14 | (__begin) | |
| stl.cpp:306:14:306:14 | call to begin | stl.cpp:306:14:306:14 | (__begin) | |
| stl.cpp:306:14:306:14 | call to end | stl.cpp:306:14:306:14 | (__end) | |
| stl.cpp:306:14:306:14 | call to operator* | stl.cpp:307:8:307:8 | x | |
| stl.cpp:306:14:306:14 | ref arg (__begin) | stl.cpp:306:14:306:14 | (__begin) | |
| stl.cpp:306:14:306:14 | ref arg (__begin) | stl.cpp:306:14:306:14 | (__begin) | |
| stl.cpp:306:14:306:14 | ref arg (__begin) | stl.cpp:306:14:306:14 | (__begin) | |
| stl.cpp:306:14:306:14 | ref arg (__range) | stl.cpp:306:14:306:14 | (__range) | |
| stl.cpp:306:14:306:14 | v | stl.cpp:306:14:306:14 | (__range) | |
| stl.cpp:306:14:306:14 | v | stl.cpp:306:14:306:14 | (__range) | |
| stl.cpp:306:14:306:14 | v | stl.cpp:306:14:306:14 | call to operator* | TAINT |
| stl.cpp:310:38:310:38 | ref arg v | stl.cpp:310:55:310:55 | v | |
| stl.cpp:310:38:310:38 | ref arg v | stl.cpp:314:15:314:15 | v | |
| stl.cpp:310:40:310:44 | call to begin | stl.cpp:310:49:310:50 | it | |
| stl.cpp:310:40:310:44 | call to begin | stl.cpp:310:66:310:67 | it | |
| stl.cpp:310:40:310:44 | call to begin | stl.cpp:311:9:311:10 | it | |
| stl.cpp:310:55:310:55 | ref arg v | stl.cpp:310:55:310:55 | v | |
| stl.cpp:310:55:310:55 | ref arg v | stl.cpp:314:15:314:15 | v | |
| stl.cpp:310:66:310:67 | ref arg it | stl.cpp:310:49:310:50 | it | |
| stl.cpp:310:66:310:67 | ref arg it | stl.cpp:310:66:310:67 | it | |
| stl.cpp:310:66:310:67 | ref arg it | stl.cpp:311:9:311:10 | it | |
| stl.cpp:314:15:314:15 | call to begin | stl.cpp:314:15:314:15 | (__begin) | |
| stl.cpp:314:15:314:15 | call to begin | stl.cpp:314:15:314:15 | (__begin) | |
| stl.cpp:314:15:314:15 | call to begin | stl.cpp:314:15:314:15 | (__begin) | |
| stl.cpp:314:15:314:15 | call to end | stl.cpp:314:15:314:15 | (__end) | |
| stl.cpp:314:15:314:15 | call to operator* | stl.cpp:315:8:315:8 | x | |
| stl.cpp:314:15:314:15 | ref arg (__begin) | stl.cpp:314:15:314:15 | (__begin) | |
| stl.cpp:314:15:314:15 | ref arg (__begin) | stl.cpp:314:15:314:15 | (__begin) | |
| stl.cpp:314:15:314:15 | ref arg (__begin) | stl.cpp:314:15:314:15 | (__begin) | |
| stl.cpp:314:15:314:15 | ref arg (__range) | stl.cpp:314:15:314:15 | (__range) | |
| stl.cpp:314:15:314:15 | v | stl.cpp:314:15:314:15 | (__range) | |
| stl.cpp:314:15:314:15 | v | stl.cpp:314:15:314:15 | (__range) | |
| stl.cpp:314:15:314:15 | v | stl.cpp:314:15:314:15 | call to operator* | TAINT |
| stl.cpp:318:33:318:39 | source1 | stl.cpp:318:33:318:40 | call to vector | TAINT |
| stl.cpp:318:33:318:40 | call to vector | stl.cpp:319:21:319:27 | const_v | |
| stl.cpp:319:21:319:21 | call to begin | stl.cpp:319:21:319:21 | (__begin) | |
| stl.cpp:319:21:319:21 | call to begin | stl.cpp:319:21:319:21 | (__begin) | |
| stl.cpp:319:21:319:21 | call to begin | stl.cpp:319:21:319:21 | (__begin) | |
| stl.cpp:319:21:319:21 | call to end | stl.cpp:319:21:319:21 | (__end) | |
| stl.cpp:319:21:319:21 | call to operator* | stl.cpp:320:8:320:8 | x | |
| stl.cpp:319:21:319:21 | ref arg (__begin) | stl.cpp:319:21:319:21 | (__begin) | |
| stl.cpp:319:21:319:21 | ref arg (__begin) | stl.cpp:319:21:319:21 | (__begin) | |
| stl.cpp:319:21:319:21 | ref arg (__begin) | stl.cpp:319:21:319:21 | (__begin) | |
| stl.cpp:319:21:319:27 | const_v | stl.cpp:319:21:319:21 | (__range) | |
| stl.cpp:319:21:319:27 | const_v | stl.cpp:319:21:319:21 | (__range) | |
| stl.cpp:319:21:319:27 | const_v | stl.cpp:319:21:319:21 | call to operator* | TAINT |
| stl.cpp:331:18:331:24 | hello | stl.cpp:331:18:331:25 | call to basic_string | TAINT |
| stl.cpp:331:18:331:25 | call to basic_string | stl.cpp:334:8:334:9 | s1 | |
| stl.cpp:331:18:331:25 | call to basic_string | stl.cpp:334:13:334:14 | s1 | |
| stl.cpp:331:18:331:25 | call to basic_string | stl.cpp:335:8:335:9 | s1 | |
| stl.cpp:331:18:331:25 | call to basic_string | stl.cpp:336:13:336:14 | s1 | |
| stl.cpp:331:18:331:25 | call to basic_string | stl.cpp:339:8:339:9 | s1 | |
| stl.cpp:331:18:331:25 | call to basic_string | stl.cpp:340:8:340:9 | s1 | |
| stl.cpp:332:18:332:23 | call to source | stl.cpp:332:18:332:26 | call to basic_string | TAINT |
| stl.cpp:332:18:332:26 | call to basic_string | stl.cpp:335:13:335:14 | s2 | |
| stl.cpp:332:18:332:26 | call to basic_string | stl.cpp:336:8:336:9 | s2 | |
| stl.cpp:332:18:332:26 | call to basic_string | stl.cpp:337:8:337:9 | s2 | |
| stl.cpp:332:18:332:26 | call to basic_string | stl.cpp:337:13:337:14 | s2 | |
| stl.cpp:334:8:334:9 | s1 | stl.cpp:334:11:334:11 | call to operator+ | TAINT |
| stl.cpp:334:13:334:14 | s1 | stl.cpp:334:11:334:11 | call to operator+ | TAINT |
| stl.cpp:335:8:335:9 | s1 | stl.cpp:335:11:335:11 | call to operator+ | TAINT |
| stl.cpp:335:13:335:14 | s2 | stl.cpp:335:11:335:11 | call to operator+ | TAINT |
| stl.cpp:336:8:336:9 | s2 | stl.cpp:336:11:336:11 | call to operator+ | TAINT |
| stl.cpp:336:13:336:14 | s1 | stl.cpp:336:11:336:11 | call to operator+ | TAINT |
| stl.cpp:337:8:337:9 | s2 | stl.cpp:337:11:337:11 | call to operator+ | TAINT |
| stl.cpp:337:13:337:14 | s2 | stl.cpp:337:11:337:11 | call to operator+ | TAINT |
| stl.cpp:339:8:339:9 | s1 | stl.cpp:339:11:339:11 | call to operator+ | TAINT |
| stl.cpp:339:13:339:20 | world | stl.cpp:339:11:339:11 | call to operator+ | TAINT |
| stl.cpp:340:8:340:9 | s1 | stl.cpp:340:11:340:11 | call to operator+ | TAINT |
| stl.cpp:340:13:340:18 | call to source | stl.cpp:340:11:340:11 | call to operator+ | TAINT |
| stl.cpp:344:18:344:22 | abc | stl.cpp:344:18:344:23 | call to basic_string | TAINT |
| stl.cpp:344:18:344:23 | call to basic_string | stl.cpp:348:8:348:9 | s3 | |
| stl.cpp:344:18:344:23 | call to basic_string | stl.cpp:351:8:351:9 | s3 | |
| stl.cpp:344:18:344:23 | call to basic_string | stl.cpp:355:8:355:9 | s3 | |
| stl.cpp:344:18:344:23 | call to basic_string | stl.cpp:360:8:360:9 | s3 | |
| stl.cpp:344:18:344:23 | call to basic_string | stl.cpp:364:8:364:9 | s3 | |
| stl.cpp:345:18:345:23 | call to source | stl.cpp:345:18:345:26 | call to basic_string | TAINT |
| stl.cpp:345:18:345:26 | call to basic_string | stl.cpp:348:13:348:14 | s4 | |
| stl.cpp:345:18:345:26 | call to basic_string | stl.cpp:352:9:352:10 | s4 | |
| stl.cpp:345:18:345:26 | call to basic_string | stl.cpp:361:13:361:14 | s4 | |
| stl.cpp:348:8:348:9 | s3 | stl.cpp:348:11:348:11 | call to operator+ | TAINT |
| stl.cpp:348:11:348:11 | call to operator+ | stl.cpp:348:3:348:14 | ... = ... | |
| stl.cpp:348:11:348:11 | call to operator+ | stl.cpp:349:8:349:9 | s5 | |
| stl.cpp:348:13:348:14 | s4 | stl.cpp:348:11:348:11 | call to operator+ | TAINT |
| stl.cpp:351:8:351:9 | s3 | stl.cpp:351:3:351:9 | ... = ... | |
| stl.cpp:351:8:351:9 | s3 | stl.cpp:352:3:352:4 | s6 | |
| stl.cpp:351:8:351:9 | s3 | stl.cpp:353:8:353:9 | s6 | |
| stl.cpp:352:3:352:4 | ref arg s6 | stl.cpp:353:8:353:9 | s6 | |
| stl.cpp:352:9:352:10 | s4 | stl.cpp:352:3:352:4 | ref arg s6 | TAINT |
| stl.cpp:352:9:352:10 | s4 | stl.cpp:352:6:352:6 | call to operator+= | TAINT |
| stl.cpp:355:8:355:9 | s3 | stl.cpp:355:3:355:9 | ... = ... | |
| stl.cpp:355:8:355:9 | s3 | stl.cpp:356:3:356:4 | s7 | |
| stl.cpp:355:8:355:9 | s3 | stl.cpp:357:3:357:4 | s7 | |
| stl.cpp:355:8:355:9 | s3 | stl.cpp:358:8:358:9 | s7 | |
| stl.cpp:356:3:356:4 | ref arg s7 | stl.cpp:357:3:357:4 | s7 | |
| stl.cpp:356:3:356:4 | ref arg s7 | stl.cpp:358:8:358:9 | s7 | |
| stl.cpp:356:9:356:14 | call to source | stl.cpp:356:3:356:4 | ref arg s7 | TAINT |
| stl.cpp:356:9:356:14 | call to source | stl.cpp:356:6:356:6 | call to operator+= | TAINT |
| stl.cpp:357:3:357:4 | ref arg s7 | stl.cpp:358:8:358:9 | s7 | |
| stl.cpp:357:9:357:11 | | stl.cpp:357:3:357:4 | ref arg s7 | TAINT |
| stl.cpp:357:9:357:11 | | stl.cpp:357:6:357:6 | call to operator+= | TAINT |
| stl.cpp:360:8:360:9 | s3 | stl.cpp:360:3:360:9 | ... = ... | |
| stl.cpp:360:8:360:9 | s3 | stl.cpp:361:3:361:4 | s8 | |
| stl.cpp:360:8:360:9 | s3 | stl.cpp:362:8:362:9 | s8 | |
| stl.cpp:361:3:361:4 | ref arg s8 | stl.cpp:362:8:362:9 | s8 | |
| stl.cpp:361:13:361:14 | s4 | stl.cpp:361:3:361:4 | ref arg s8 | TAINT |
| stl.cpp:361:13:361:14 | s4 | stl.cpp:361:6:361:11 | call to append | TAINT |
| stl.cpp:364:8:364:9 | s3 | stl.cpp:364:3:364:9 | ... = ... | |
| stl.cpp:364:8:364:9 | s3 | stl.cpp:365:3:365:4 | s9 | |
| stl.cpp:364:8:364:9 | s3 | stl.cpp:366:3:366:4 | s9 | |
| stl.cpp:364:8:364:9 | s3 | stl.cpp:367:8:367:9 | s9 | |
| stl.cpp:365:3:365:4 | ref arg s9 | stl.cpp:366:3:366:4 | s9 | |
| stl.cpp:365:3:365:4 | ref arg s9 | stl.cpp:367:8:367:9 | s9 | |
| stl.cpp:365:13:365:18 | call to source | stl.cpp:365:3:365:4 | ref arg s9 | TAINT |
| stl.cpp:365:13:365:18 | call to source | stl.cpp:365:6:365:11 | call to append | TAINT |
| stl.cpp:366:3:366:4 | ref arg s9 | stl.cpp:367:8:367:9 | s9 | |
| stl.cpp:366:13:366:15 | | stl.cpp:366:3:366:4 | ref arg s9 | TAINT |
| stl.cpp:366:13:366:15 | | stl.cpp:366:6:366:11 | call to append | TAINT |
| stl.cpp:371:19:371:23 | abc | stl.cpp:371:19:371:24 | call to basic_string | TAINT |
| stl.cpp:371:19:371:24 | call to basic_string | stl.cpp:374:3:374:5 | s10 | |
| stl.cpp:371:19:371:24 | call to basic_string | stl.cpp:375:8:375:10 | s10 | |
| stl.cpp:372:12:372:26 | call to source | stl.cpp:374:17:374:17 | c | |
| stl.cpp:374:3:374:5 | ref arg s10 | stl.cpp:375:8:375:10 | s10 | |
| stl.cpp:374:17:374:17 | c | stl.cpp:374:3:374:5 | ref arg s10 | TAINT |
| stl.cpp:374:17:374:17 | c | stl.cpp:374:7:374:12 | call to append | TAINT |
| structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
| structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
| structlikeclass.cpp:5:7:5:7 | this | structlikeclass.cpp:5:7:5:7 | constructor init of field v [pre-this] | |
@@ -414,88 +652,133 @@
| swap1.cpp:36:13:36:16 | this | swap1.cpp:37:21:37:24 | this | |
| swap1.cpp:36:18:36:21 | ref arg that | swap1.cpp:34:34:34:37 | that | |
| swap1.cpp:37:21:37:24 | this | swap1.cpp:37:20:37:24 | * ... | TAINT |
| swap1.cpp:40:14:40:17 | this | swap1.cpp:43:18:43:22 | this | |
| swap1.cpp:40:26:40:29 | that | swap1.cpp:40:26:40:29 | that | |
| swap1.cpp:40:26:40:29 | that | swap1.cpp:43:25:43:28 | that | |
| swap1.cpp:43:18:43:22 | data1 | swap1.cpp:43:30:43:34 | ref arg data1 | |
| swap1.cpp:43:25:43:28 | that | swap1.cpp:43:18:43:22 | ref arg data1 | |
| swap1.cpp:43:25:43:28 | that [post update] | swap1.cpp:40:26:40:29 | that | |
| swap1.cpp:43:30:43:34 | data1 | swap1.cpp:43:18:43:22 | ref arg data1 | |
| swap1.cpp:48:22:48:22 | x | swap1.cpp:48:22:48:22 | x | |
| swap1.cpp:48:22:48:22 | x | swap1.cpp:50:9:50:9 | x | |
| swap1.cpp:48:22:48:22 | x | swap2.cpp:48:22:48:22 | x | |
| swap1.cpp:48:22:48:22 | x | swap2.cpp:50:9:50:9 | x | |
| swap1.cpp:48:32:48:32 | y | swap1.cpp:48:32:48:32 | y | |
| swap1.cpp:48:32:48:32 | y | swap1.cpp:50:16:50:16 | y | |
| swap1.cpp:48:32:48:32 | y | swap2.cpp:48:32:48:32 | y | |
| swap1.cpp:48:32:48:32 | y | swap2.cpp:50:16:50:16 | y | |
| swap1.cpp:50:9:50:9 | ref arg x | swap1.cpp:48:22:48:22 | x | |
| swap1.cpp:50:9:50:9 | ref arg x | swap2.cpp:48:22:48:22 | x | |
| swap1.cpp:50:16:50:16 | ref arg y | swap1.cpp:48:32:48:32 | y | |
| swap1.cpp:50:16:50:16 | ref arg y | swap2.cpp:48:32:48:32 | y | |
| swap1.cpp:56:23:56:23 | x | swap1.cpp:58:5:58:5 | x | |
| swap1.cpp:56:23:56:23 | x | swap1.cpp:60:10:60:10 | x | |
| swap1.cpp:56:23:56:23 | x | swap1.cpp:63:9:63:9 | x | |
| swap1.cpp:56:23:56:23 | x | swap1.cpp:66:10:66:10 | x | |
| swap1.cpp:57:23:57:23 | y | swap1.cpp:61:10:61:10 | y | |
| swap1.cpp:57:23:57:23 | y | swap1.cpp:63:5:63:5 | y | |
| swap1.cpp:57:23:57:23 | y | swap1.cpp:65:10:65:10 | y | |
| swap1.cpp:58:5:58:5 | x [post update] | swap1.cpp:60:10:60:10 | x | |
| swap1.cpp:58:5:58:5 | x [post update] | swap1.cpp:63:9:63:9 | x | |
| swap1.cpp:58:5:58:5 | x [post update] | swap1.cpp:66:10:66:10 | x | |
| swap1.cpp:58:5:58:22 | ... = ... | swap1.cpp:60:12:60:16 | data1 | |
| swap1.cpp:58:5:58:22 | ... = ... | swap1.cpp:66:12:66:16 | data1 | |
| swap1.cpp:58:15:58:20 | call to source | swap1.cpp:58:5:58:22 | ... = ... | |
| swap1.cpp:63:5:63:5 | ref arg y | swap1.cpp:65:10:65:10 | y | |
| swap1.cpp:63:9:63:9 | x | swap1.cpp:63:5:63:5 | ref arg y | TAINT |
| swap1.cpp:63:9:63:9 | x | swap1.cpp:63:7:63:7 | call to operator= | TAINT |
| swap1.cpp:68:23:68:24 | z1 | swap1.cpp:69:5:69:6 | z1 | |
| swap1.cpp:68:23:68:24 | z1 | swap1.cpp:70:10:70:11 | z1 | |
| swap1.cpp:68:23:68:24 | z1 | swap1.cpp:72:10:72:11 | z1 | |
| swap1.cpp:68:23:68:24 | z1 | swap1.cpp:75:10:75:11 | z1 | |
| swap1.cpp:68:27:68:28 | z2 | swap1.cpp:72:14:72:15 | z2 | |
| swap1.cpp:68:27:68:28 | z2 | swap1.cpp:74:10:74:11 | z2 | |
| swap1.cpp:69:5:69:6 | z1 [post update] | swap1.cpp:70:10:70:11 | z1 | |
| swap1.cpp:69:5:69:6 | z1 [post update] | swap1.cpp:72:10:72:11 | z1 | |
| swap1.cpp:69:5:69:6 | z1 [post update] | swap1.cpp:75:10:75:11 | z1 | |
| swap1.cpp:69:5:69:23 | ... = ... | swap1.cpp:70:13:70:17 | data1 | |
| swap1.cpp:69:5:69:23 | ... = ... | swap1.cpp:75:13:75:17 | data1 | |
| swap1.cpp:69:16:69:21 | call to source | swap1.cpp:69:5:69:23 | ... = ... | |
| swap1.cpp:72:10:72:11 | ref arg z1 | swap1.cpp:75:10:75:11 | z1 | |
| swap1.cpp:72:14:72:15 | ref arg z2 | swap1.cpp:74:10:74:11 | z2 | |
| swap1.cpp:80:23:80:23 | x | swap1.cpp:82:5:82:5 | x | |
| swap1.cpp:80:23:80:23 | x | swap1.cpp:84:10:84:10 | x | |
| swap1.cpp:80:23:80:23 | x | swap1.cpp:87:19:87:19 | x | |
| swap1.cpp:80:23:80:23 | x | swap1.cpp:90:10:90:10 | x | |
| swap1.cpp:81:23:81:23 | y | swap1.cpp:85:10:85:10 | y | |
| swap1.cpp:81:23:81:23 | y | swap1.cpp:87:5:87:5 | y | |
| swap1.cpp:81:23:81:23 | y | swap1.cpp:89:10:89:10 | y | |
| swap1.cpp:82:5:82:5 | x [post update] | swap1.cpp:84:10:84:10 | x | |
| swap1.cpp:82:5:82:5 | x [post update] | swap1.cpp:87:19:87:19 | x | |
| swap1.cpp:82:5:82:5 | x [post update] | swap1.cpp:90:10:90:10 | x | |
| swap1.cpp:82:5:82:22 | ... = ... | swap1.cpp:84:12:84:16 | data1 | |
| swap1.cpp:82:5:82:22 | ... = ... | swap1.cpp:90:12:90:16 | data1 | |
| swap1.cpp:82:15:82:20 | call to source | swap1.cpp:82:5:82:22 | ... = ... | |
| swap1.cpp:87:5:87:5 | ref arg y | swap1.cpp:89:10:89:10 | y | |
| swap1.cpp:87:9:87:17 | call to move | swap1.cpp:87:5:87:5 | ref arg y | TAINT |
| swap1.cpp:87:9:87:17 | call to move | swap1.cpp:87:7:87:7 | call to operator= | TAINT |
| swap1.cpp:87:9:87:17 | ref arg call to move | swap1.cpp:87:19:87:19 | x [inner post update] | |
| swap1.cpp:87:9:87:17 | ref arg call to move | swap1.cpp:90:10:90:10 | x | |
| swap1.cpp:87:19:87:19 | x | swap1.cpp:87:5:87:5 | ref arg y | TAINT |
| swap1.cpp:87:19:87:19 | x | swap1.cpp:87:7:87:7 | call to operator= | TAINT |
| swap1.cpp:87:19:87:19 | x | swap1.cpp:87:9:87:17 | call to move | |
| swap1.cpp:95:23:95:31 | move_from | swap1.cpp:96:5:96:13 | move_from | |
| swap1.cpp:95:23:95:31 | move_from | swap1.cpp:98:10:98:18 | move_from | |
| swap1.cpp:95:23:95:31 | move_from | swap1.cpp:100:41:100:49 | move_from | |
| swap1.cpp:96:5:96:13 | move_from [post update] | swap1.cpp:98:10:98:18 | move_from | |
| swap1.cpp:96:5:96:13 | move_from [post update] | swap1.cpp:100:41:100:49 | move_from | |
| swap1.cpp:96:5:96:30 | ... = ... | swap1.cpp:98:20:98:24 | data1 | |
| swap1.cpp:96:5:96:30 | ... = ... | swap1.cpp:102:18:102:22 | data1 | |
| swap1.cpp:96:23:96:28 | call to source | swap1.cpp:96:5:96:30 | ... = ... | |
| swap1.cpp:100:31:100:39 | call to move | swap1.cpp:100:31:100:51 | call to Class | |
| swap1.cpp:100:31:100:39 | ref arg call to move | swap1.cpp:100:41:100:49 | move_from [inner post update] | |
| swap1.cpp:100:31:100:51 | call to Class | swap1.cpp:102:10:102:16 | move_to | |
| swap1.cpp:100:41:100:49 | move_from | swap1.cpp:100:31:100:39 | call to move | |
| swap1.cpp:40:16:40:26 | this | swap1.cpp:43:13:43:16 | this | |
| swap1.cpp:40:41:40:44 | that | swap1.cpp:42:24:42:27 | that | |
| swap1.cpp:42:23:42:27 | call to Class | swap1.cpp:43:18:43:20 | tmp | |
| swap1.cpp:42:24:42:27 | that | swap1.cpp:42:23:42:27 | call to Class | |
| swap1.cpp:43:13:43:16 | ref arg this | swap1.cpp:44:21:44:24 | this | |
| swap1.cpp:43:13:43:16 | this | swap1.cpp:44:21:44:24 | this | |
| swap1.cpp:44:21:44:24 | this | swap1.cpp:44:20:44:24 | * ... | TAINT |
| swap1.cpp:47:16:47:26 | this | swap1.cpp:49:13:49:16 | this | |
| swap1.cpp:47:36:47:39 | that | swap1.cpp:47:36:47:39 | that | |
| swap1.cpp:47:36:47:39 | that | swap1.cpp:49:18:49:21 | that | |
| swap1.cpp:49:13:49:16 | ref arg this | swap1.cpp:50:21:50:24 | this | |
| swap1.cpp:49:13:49:16 | this | swap1.cpp:50:21:50:24 | this | |
| swap1.cpp:49:18:49:21 | ref arg that | swap1.cpp:47:36:47:39 | that | |
| swap1.cpp:50:21:50:24 | this | swap1.cpp:50:20:50:24 | * ... | TAINT |
| swap1.cpp:53:14:53:17 | this | swap1.cpp:56:18:56:22 | this | |
| swap1.cpp:53:26:53:29 | that | swap1.cpp:53:26:53:29 | that | |
| swap1.cpp:53:26:53:29 | that | swap1.cpp:56:25:56:28 | that | |
| swap1.cpp:56:18:56:22 | data1 | swap1.cpp:56:30:56:34 | ref arg data1 | |
| swap1.cpp:56:25:56:28 | that | swap1.cpp:56:18:56:22 | ref arg data1 | |
| swap1.cpp:56:25:56:28 | that [post update] | swap1.cpp:53:26:53:29 | that | |
| swap1.cpp:56:30:56:34 | data1 | swap1.cpp:56:18:56:22 | ref arg data1 | |
| swap1.cpp:61:22:61:22 | x | swap1.cpp:61:22:61:22 | x | |
| swap1.cpp:61:22:61:22 | x | swap1.cpp:63:9:63:9 | x | |
| swap1.cpp:61:22:61:22 | x | swap2.cpp:61:22:61:22 | x | |
| swap1.cpp:61:22:61:22 | x | swap2.cpp:63:9:63:9 | x | |
| swap1.cpp:61:32:61:32 | y | swap1.cpp:61:32:61:32 | y | |
| swap1.cpp:61:32:61:32 | y | swap1.cpp:63:16:63:16 | y | |
| swap1.cpp:61:32:61:32 | y | swap2.cpp:61:32:61:32 | y | |
| swap1.cpp:61:32:61:32 | y | swap2.cpp:63:16:63:16 | y | |
| swap1.cpp:63:9:63:9 | ref arg x | swap1.cpp:61:22:61:22 | x | |
| swap1.cpp:63:9:63:9 | ref arg x | swap2.cpp:61:22:61:22 | x | |
| swap1.cpp:63:16:63:16 | ref arg y | swap1.cpp:61:32:61:32 | y | |
| swap1.cpp:63:16:63:16 | ref arg y | swap2.cpp:61:32:61:32 | y | |
| swap1.cpp:69:23:69:23 | x | swap1.cpp:71:5:71:5 | x | |
| swap1.cpp:69:23:69:23 | x | swap1.cpp:73:10:73:10 | x | |
| swap1.cpp:69:23:69:23 | x | swap1.cpp:76:9:76:9 | x | |
| swap1.cpp:69:23:69:23 | x | swap1.cpp:79:10:79:10 | x | |
| swap1.cpp:70:23:70:23 | y | swap1.cpp:74:10:74:10 | y | |
| swap1.cpp:70:23:70:23 | y | swap1.cpp:76:5:76:5 | y | |
| swap1.cpp:70:23:70:23 | y | swap1.cpp:78:10:78:10 | y | |
| swap1.cpp:71:5:71:5 | x [post update] | swap1.cpp:73:10:73:10 | x | |
| swap1.cpp:71:5:71:5 | x [post update] | swap1.cpp:76:9:76:9 | x | |
| swap1.cpp:71:5:71:5 | x [post update] | swap1.cpp:79:10:79:10 | x | |
| swap1.cpp:71:5:71:22 | ... = ... | swap1.cpp:73:12:73:16 | data1 | |
| swap1.cpp:71:5:71:22 | ... = ... | swap1.cpp:79:12:79:16 | data1 | |
| swap1.cpp:71:15:71:20 | call to source | swap1.cpp:71:5:71:22 | ... = ... | |
| swap1.cpp:76:5:76:5 | ref arg y | swap1.cpp:78:10:78:10 | y | |
| swap1.cpp:76:9:76:9 | x | swap1.cpp:76:5:76:5 | ref arg y | TAINT |
| swap1.cpp:76:9:76:9 | x | swap1.cpp:76:7:76:7 | call to operator= | TAINT |
| swap1.cpp:81:23:81:24 | z1 | swap1.cpp:82:5:82:6 | z1 | |
| swap1.cpp:81:23:81:24 | z1 | swap1.cpp:83:10:83:11 | z1 | |
| swap1.cpp:81:23:81:24 | z1 | swap1.cpp:85:10:85:11 | z1 | |
| swap1.cpp:81:23:81:24 | z1 | swap1.cpp:88:10:88:11 | z1 | |
| swap1.cpp:81:27:81:28 | z2 | swap1.cpp:85:14:85:15 | z2 | |
| swap1.cpp:81:27:81:28 | z2 | swap1.cpp:87:10:87:11 | z2 | |
| swap1.cpp:82:5:82:6 | z1 [post update] | swap1.cpp:83:10:83:11 | z1 | |
| swap1.cpp:82:5:82:6 | z1 [post update] | swap1.cpp:85:10:85:11 | z1 | |
| swap1.cpp:82:5:82:6 | z1 [post update] | swap1.cpp:88:10:88:11 | z1 | |
| swap1.cpp:82:5:82:23 | ... = ... | swap1.cpp:83:13:83:17 | data1 | |
| swap1.cpp:82:5:82:23 | ... = ... | swap1.cpp:88:13:88:17 | data1 | |
| swap1.cpp:82:16:82:21 | call to source | swap1.cpp:82:5:82:23 | ... = ... | |
| swap1.cpp:85:10:85:11 | ref arg z1 | swap1.cpp:88:10:88:11 | z1 | |
| swap1.cpp:85:14:85:15 | ref arg z2 | swap1.cpp:87:10:87:11 | z2 | |
| swap1.cpp:93:23:93:23 | x | swap1.cpp:95:5:95:5 | x | |
| swap1.cpp:93:23:93:23 | x | swap1.cpp:97:10:97:10 | x | |
| swap1.cpp:93:23:93:23 | x | swap1.cpp:100:19:100:19 | x | |
| swap1.cpp:93:23:93:23 | x | swap1.cpp:103:10:103:10 | x | |
| swap1.cpp:94:23:94:23 | y | swap1.cpp:98:10:98:10 | y | |
| swap1.cpp:94:23:94:23 | y | swap1.cpp:100:5:100:5 | y | |
| swap1.cpp:94:23:94:23 | y | swap1.cpp:102:10:102:10 | y | |
| swap1.cpp:95:5:95:5 | x [post update] | swap1.cpp:97:10:97:10 | x | |
| swap1.cpp:95:5:95:5 | x [post update] | swap1.cpp:100:19:100:19 | x | |
| swap1.cpp:95:5:95:5 | x [post update] | swap1.cpp:103:10:103:10 | x | |
| swap1.cpp:95:5:95:22 | ... = ... | swap1.cpp:97:12:97:16 | data1 | |
| swap1.cpp:95:5:95:22 | ... = ... | swap1.cpp:103:12:103:16 | data1 | |
| swap1.cpp:95:15:95:20 | call to source | swap1.cpp:95:5:95:22 | ... = ... | |
| swap1.cpp:100:5:100:5 | ref arg y | swap1.cpp:102:10:102:10 | y | |
| swap1.cpp:100:9:100:17 | call to move | swap1.cpp:100:5:100:5 | ref arg y | TAINT |
| swap1.cpp:100:9:100:17 | call to move | swap1.cpp:100:7:100:7 | call to operator= | TAINT |
| swap1.cpp:100:9:100:17 | ref arg call to move | swap1.cpp:100:19:100:19 | x [inner post update] | |
| swap1.cpp:100:9:100:17 | ref arg call to move | swap1.cpp:103:10:103:10 | x | |
| swap1.cpp:100:19:100:19 | x | swap1.cpp:100:5:100:5 | ref arg y | TAINT |
| swap1.cpp:100:19:100:19 | x | swap1.cpp:100:7:100:7 | call to operator= | TAINT |
| swap1.cpp:100:19:100:19 | x | swap1.cpp:100:9:100:17 | call to move | |
| swap1.cpp:108:23:108:31 | move_from | swap1.cpp:109:5:109:13 | move_from | |
| swap1.cpp:108:23:108:31 | move_from | swap1.cpp:111:10:111:18 | move_from | |
| swap1.cpp:108:23:108:31 | move_from | swap1.cpp:113:41:113:49 | move_from | |
| swap1.cpp:109:5:109:13 | move_from [post update] | swap1.cpp:111:10:111:18 | move_from | |
| swap1.cpp:109:5:109:13 | move_from [post update] | swap1.cpp:113:41:113:49 | move_from | |
| swap1.cpp:109:5:109:30 | ... = ... | swap1.cpp:111:20:111:24 | data1 | |
| swap1.cpp:109:5:109:30 | ... = ... | swap1.cpp:115:18:115:22 | data1 | |
| swap1.cpp:109:23:109:28 | call to source | swap1.cpp:109:5:109:30 | ... = ... | |
| swap1.cpp:113:31:113:39 | call to move | swap1.cpp:113:31:113:51 | call to Class | |
| swap1.cpp:113:31:113:39 | ref arg call to move | swap1.cpp:113:41:113:49 | move_from [inner post update] | |
| swap1.cpp:113:31:113:51 | call to Class | swap1.cpp:115:10:115:16 | move_to | |
| swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:39 | call to move | |
| swap1.cpp:120:23:120:23 | x | swap1.cpp:122:5:122:5 | x | |
| swap1.cpp:120:23:120:23 | x | swap1.cpp:124:10:124:10 | x | |
| swap1.cpp:120:23:120:23 | x | swap1.cpp:127:19:127:19 | x | |
| swap1.cpp:120:23:120:23 | x | swap1.cpp:130:10:130:10 | x | |
| swap1.cpp:121:23:121:23 | y | swap1.cpp:125:10:125:10 | y | |
| swap1.cpp:121:23:121:23 | y | swap1.cpp:127:5:127:5 | y | |
| swap1.cpp:121:23:121:23 | y | swap1.cpp:129:10:129:10 | y | |
| swap1.cpp:122:5:122:5 | x [post update] | swap1.cpp:124:10:124:10 | x | |
| swap1.cpp:122:5:122:5 | x [post update] | swap1.cpp:127:19:127:19 | x | |
| swap1.cpp:122:5:122:5 | x [post update] | swap1.cpp:130:10:130:10 | x | |
| swap1.cpp:122:5:122:22 | ... = ... | swap1.cpp:124:12:124:16 | data1 | |
| swap1.cpp:122:5:122:22 | ... = ... | swap1.cpp:130:12:130:16 | data1 | |
| swap1.cpp:122:15:122:20 | call to source | swap1.cpp:122:5:122:22 | ... = ... | |
| swap1.cpp:127:5:127:5 | ref arg y | swap1.cpp:129:10:129:10 | y | |
| swap1.cpp:135:23:135:23 | x | swap1.cpp:137:5:137:5 | x | |
| swap1.cpp:135:23:135:23 | x | swap1.cpp:139:10:139:10 | x | |
| swap1.cpp:135:23:135:23 | x | swap1.cpp:142:29:142:29 | x | |
| swap1.cpp:135:23:135:23 | x | swap1.cpp:145:10:145:10 | x | |
| swap1.cpp:136:23:136:23 | y | swap1.cpp:140:10:140:10 | y | |
| swap1.cpp:136:23:136:23 | y | swap1.cpp:142:5:142:5 | y | |
| swap1.cpp:136:23:136:23 | y | swap1.cpp:144:10:144:10 | y | |
| swap1.cpp:137:5:137:5 | x [post update] | swap1.cpp:139:10:139:10 | x | |
| swap1.cpp:137:5:137:5 | x [post update] | swap1.cpp:142:29:142:29 | x | |
| swap1.cpp:137:5:137:5 | x [post update] | swap1.cpp:145:10:145:10 | x | |
| swap1.cpp:137:5:137:22 | ... = ... | swap1.cpp:139:12:139:16 | data1 | |
| swap1.cpp:137:5:137:22 | ... = ... | swap1.cpp:145:12:145:16 | data1 | |
| swap1.cpp:137:15:137:20 | call to source | swap1.cpp:137:5:137:22 | ... = ... | |
| swap1.cpp:142:5:142:5 | ref arg y | swap1.cpp:144:10:144:10 | y | |
| swap1.cpp:142:19:142:27 | ref arg call to move | swap1.cpp:142:29:142:29 | x [inner post update] | |
| swap1.cpp:142:19:142:27 | ref arg call to move | swap1.cpp:145:10:145:10 | x | |
| swap1.cpp:142:29:142:29 | x | swap1.cpp:142:19:142:27 | call to move | |
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t | |
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t | |
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:56:14:56 | t | |
@@ -527,96 +810,141 @@
| swap2.cpp:36:13:36:16 | this | swap2.cpp:37:21:37:24 | this | |
| swap2.cpp:36:18:36:21 | ref arg that | swap2.cpp:34:34:34:37 | that | |
| swap2.cpp:37:21:37:24 | this | swap2.cpp:37:20:37:24 | * ... | TAINT |
| swap2.cpp:40:14:40:17 | this | swap2.cpp:43:18:43:22 | this | |
| swap2.cpp:40:26:40:29 | that | swap2.cpp:40:26:40:29 | that | |
| swap2.cpp:40:26:40:29 | that | swap2.cpp:43:25:43:28 | that | |
| swap2.cpp:40:26:40:29 | that | swap2.cpp:43:50:43:53 | that | |
| swap2.cpp:43:18:43:22 | data1 | swap2.cpp:43:30:43:34 | ref arg data1 | |
| swap2.cpp:43:18:43:22 | this | swap2.cpp:43:43:43:47 | this | |
| swap2.cpp:43:18:43:22 | this [post update] | swap2.cpp:43:43:43:47 | this | |
| swap2.cpp:43:25:43:28 | that | swap2.cpp:43:18:43:22 | ref arg data1 | |
| swap2.cpp:43:25:43:28 | that [post update] | swap2.cpp:40:26:40:29 | that | |
| swap2.cpp:43:25:43:28 | that [post update] | swap2.cpp:43:50:43:53 | that | |
| swap2.cpp:43:30:43:34 | data1 | swap2.cpp:43:18:43:22 | ref arg data1 | |
| swap2.cpp:43:43:43:47 | data2 | swap2.cpp:43:55:43:59 | ref arg data2 | |
| swap2.cpp:43:50:43:53 | that | swap2.cpp:43:43:43:47 | ref arg data2 | |
| swap2.cpp:43:50:43:53 | that [post update] | swap2.cpp:40:26:40:29 | that | |
| swap2.cpp:43:55:43:59 | data2 | swap2.cpp:43:43:43:47 | ref arg data2 | |
| swap2.cpp:48:22:48:22 | x | swap1.cpp:48:22:48:22 | x | |
| swap2.cpp:48:22:48:22 | x | swap1.cpp:50:9:50:9 | x | |
| swap2.cpp:48:22:48:22 | x | swap2.cpp:48:22:48:22 | x | |
| swap2.cpp:48:22:48:22 | x | swap2.cpp:50:9:50:9 | x | |
| swap2.cpp:48:32:48:32 | y | swap1.cpp:48:32:48:32 | y | |
| swap2.cpp:48:32:48:32 | y | swap1.cpp:50:16:50:16 | y | |
| swap2.cpp:48:32:48:32 | y | swap2.cpp:48:32:48:32 | y | |
| swap2.cpp:48:32:48:32 | y | swap2.cpp:50:16:50:16 | y | |
| swap2.cpp:50:9:50:9 | ref arg x | swap1.cpp:48:22:48:22 | x | |
| swap2.cpp:50:9:50:9 | ref arg x | swap2.cpp:48:22:48:22 | x | |
| swap2.cpp:50:16:50:16 | ref arg y | swap1.cpp:48:32:48:32 | y | |
| swap2.cpp:50:16:50:16 | ref arg y | swap2.cpp:48:32:48:32 | y | |
| swap2.cpp:56:23:56:23 | x | swap2.cpp:58:5:58:5 | x | |
| swap2.cpp:56:23:56:23 | x | swap2.cpp:60:10:60:10 | x | |
| swap2.cpp:56:23:56:23 | x | swap2.cpp:63:9:63:9 | x | |
| swap2.cpp:56:23:56:23 | x | swap2.cpp:66:10:66:10 | x | |
| swap2.cpp:57:23:57:23 | y | swap2.cpp:61:10:61:10 | y | |
| swap2.cpp:57:23:57:23 | y | swap2.cpp:63:5:63:5 | y | |
| swap2.cpp:57:23:57:23 | y | swap2.cpp:65:10:65:10 | y | |
| swap2.cpp:58:5:58:5 | x [post update] | swap2.cpp:60:10:60:10 | x | |
| swap2.cpp:58:5:58:5 | x [post update] | swap2.cpp:63:9:63:9 | x | |
| swap2.cpp:58:5:58:5 | x [post update] | swap2.cpp:66:10:66:10 | x | |
| swap2.cpp:58:5:58:22 | ... = ... | swap2.cpp:60:12:60:16 | data1 | |
| swap2.cpp:58:5:58:22 | ... = ... | swap2.cpp:66:12:66:16 | data1 | |
| swap2.cpp:58:15:58:20 | call to source | swap2.cpp:58:5:58:22 | ... = ... | |
| swap2.cpp:63:5:63:5 | ref arg y | swap2.cpp:65:10:65:10 | y | |
| swap2.cpp:63:9:63:9 | x | swap2.cpp:63:5:63:5 | ref arg y | TAINT |
| swap2.cpp:63:9:63:9 | x | swap2.cpp:63:7:63:7 | call to operator= | TAINT |
| swap2.cpp:68:23:68:24 | z1 | swap2.cpp:69:5:69:6 | z1 | |
| swap2.cpp:68:23:68:24 | z1 | swap2.cpp:70:10:70:11 | z1 | |
| swap2.cpp:68:23:68:24 | z1 | swap2.cpp:72:10:72:11 | z1 | |
| swap2.cpp:68:23:68:24 | z1 | swap2.cpp:75:10:75:11 | z1 | |
| swap2.cpp:68:27:68:28 | z2 | swap2.cpp:72:14:72:15 | z2 | |
| swap2.cpp:68:27:68:28 | z2 | swap2.cpp:74:10:74:11 | z2 | |
| swap2.cpp:69:5:69:6 | z1 [post update] | swap2.cpp:70:10:70:11 | z1 | |
| swap2.cpp:69:5:69:6 | z1 [post update] | swap2.cpp:72:10:72:11 | z1 | |
| swap2.cpp:69:5:69:6 | z1 [post update] | swap2.cpp:75:10:75:11 | z1 | |
| swap2.cpp:69:5:69:23 | ... = ... | swap2.cpp:70:13:70:17 | data1 | |
| swap2.cpp:69:5:69:23 | ... = ... | swap2.cpp:75:13:75:17 | data1 | |
| swap2.cpp:69:16:69:21 | call to source | swap2.cpp:69:5:69:23 | ... = ... | |
| swap2.cpp:72:10:72:11 | ref arg z1 | swap2.cpp:75:10:75:11 | z1 | |
| swap2.cpp:72:14:72:15 | ref arg z2 | swap2.cpp:74:10:74:11 | z2 | |
| swap2.cpp:80:23:80:23 | x | swap2.cpp:82:5:82:5 | x | |
| swap2.cpp:80:23:80:23 | x | swap2.cpp:84:10:84:10 | x | |
| swap2.cpp:80:23:80:23 | x | swap2.cpp:87:19:87:19 | x | |
| swap2.cpp:80:23:80:23 | x | swap2.cpp:90:10:90:10 | x | |
| swap2.cpp:81:23:81:23 | y | swap2.cpp:85:10:85:10 | y | |
| swap2.cpp:81:23:81:23 | y | swap2.cpp:87:5:87:5 | y | |
| swap2.cpp:81:23:81:23 | y | swap2.cpp:89:10:89:10 | y | |
| swap2.cpp:82:5:82:5 | x [post update] | swap2.cpp:84:10:84:10 | x | |
| swap2.cpp:82:5:82:5 | x [post update] | swap2.cpp:87:19:87:19 | x | |
| swap2.cpp:82:5:82:5 | x [post update] | swap2.cpp:90:10:90:10 | x | |
| swap2.cpp:82:5:82:22 | ... = ... | swap2.cpp:84:12:84:16 | data1 | |
| swap2.cpp:82:5:82:22 | ... = ... | swap2.cpp:90:12:90:16 | data1 | |
| swap2.cpp:82:15:82:20 | call to source | swap2.cpp:82:5:82:22 | ... = ... | |
| swap2.cpp:87:5:87:5 | ref arg y | swap2.cpp:89:10:89:10 | y | |
| swap2.cpp:87:9:87:17 | call to move | swap2.cpp:87:5:87:5 | ref arg y | TAINT |
| swap2.cpp:87:9:87:17 | call to move | swap2.cpp:87:7:87:7 | call to operator= | TAINT |
| swap2.cpp:87:9:87:17 | ref arg call to move | swap2.cpp:87:19:87:19 | x [inner post update] | |
| swap2.cpp:87:9:87:17 | ref arg call to move | swap2.cpp:90:10:90:10 | x | |
| swap2.cpp:87:19:87:19 | x | swap2.cpp:87:5:87:5 | ref arg y | TAINT |
| swap2.cpp:87:19:87:19 | x | swap2.cpp:87:7:87:7 | call to operator= | TAINT |
| swap2.cpp:87:19:87:19 | x | swap2.cpp:87:9:87:17 | call to move | |
| swap2.cpp:95:23:95:31 | move_from | swap2.cpp:96:5:96:13 | move_from | |
| swap2.cpp:95:23:95:31 | move_from | swap2.cpp:98:10:98:18 | move_from | |
| swap2.cpp:95:23:95:31 | move_from | swap2.cpp:100:41:100:49 | move_from | |
| swap2.cpp:96:5:96:13 | move_from [post update] | swap2.cpp:98:10:98:18 | move_from | |
| swap2.cpp:96:5:96:13 | move_from [post update] | swap2.cpp:100:41:100:49 | move_from | |
| swap2.cpp:96:5:96:30 | ... = ... | swap2.cpp:98:20:98:24 | data1 | |
| swap2.cpp:96:5:96:30 | ... = ... | swap2.cpp:102:18:102:22 | data1 | |
| swap2.cpp:96:23:96:28 | call to source | swap2.cpp:96:5:96:30 | ... = ... | |
| swap2.cpp:100:31:100:39 | call to move | swap2.cpp:100:31:100:51 | call to Class | |
| swap2.cpp:100:31:100:39 | ref arg call to move | swap2.cpp:100:41:100:49 | move_from [inner post update] | |
| swap2.cpp:100:31:100:51 | call to Class | swap2.cpp:102:10:102:16 | move_to | |
| swap2.cpp:100:41:100:49 | move_from | swap2.cpp:100:31:100:39 | call to move | |
| swap2.cpp:40:16:40:26 | this | swap2.cpp:43:13:43:16 | this | |
| swap2.cpp:40:41:40:44 | that | swap2.cpp:42:24:42:27 | that | |
| swap2.cpp:42:23:42:27 | call to Class | swap2.cpp:43:18:43:20 | tmp | |
| swap2.cpp:42:24:42:27 | that | swap2.cpp:42:23:42:27 | call to Class | |
| swap2.cpp:43:13:43:16 | ref arg this | swap2.cpp:44:21:44:24 | this | |
| swap2.cpp:43:13:43:16 | this | swap2.cpp:44:21:44:24 | this | |
| swap2.cpp:44:21:44:24 | this | swap2.cpp:44:20:44:24 | * ... | TAINT |
| swap2.cpp:47:16:47:26 | this | swap2.cpp:49:13:49:16 | this | |
| swap2.cpp:47:36:47:39 | that | swap2.cpp:47:36:47:39 | that | |
| swap2.cpp:47:36:47:39 | that | swap2.cpp:49:18:49:21 | that | |
| swap2.cpp:49:13:49:16 | ref arg this | swap2.cpp:50:21:50:24 | this | |
| swap2.cpp:49:13:49:16 | this | swap2.cpp:50:21:50:24 | this | |
| swap2.cpp:49:18:49:21 | ref arg that | swap2.cpp:47:36:47:39 | that | |
| swap2.cpp:50:21:50:24 | this | swap2.cpp:50:20:50:24 | * ... | TAINT |
| swap2.cpp:53:14:53:17 | this | swap2.cpp:56:18:56:22 | this | |
| swap2.cpp:53:26:53:29 | that | swap2.cpp:53:26:53:29 | that | |
| swap2.cpp:53:26:53:29 | that | swap2.cpp:56:25:56:28 | that | |
| swap2.cpp:53:26:53:29 | that | swap2.cpp:56:50:56:53 | that | |
| swap2.cpp:56:18:56:22 | data1 | swap2.cpp:56:30:56:34 | ref arg data1 | |
| swap2.cpp:56:18:56:22 | this | swap2.cpp:56:43:56:47 | this | |
| swap2.cpp:56:18:56:22 | this [post update] | swap2.cpp:56:43:56:47 | this | |
| swap2.cpp:56:25:56:28 | that | swap2.cpp:56:18:56:22 | ref arg data1 | |
| swap2.cpp:56:25:56:28 | that [post update] | swap2.cpp:53:26:53:29 | that | |
| swap2.cpp:56:25:56:28 | that [post update] | swap2.cpp:56:50:56:53 | that | |
| swap2.cpp:56:30:56:34 | data1 | swap2.cpp:56:18:56:22 | ref arg data1 | |
| swap2.cpp:56:43:56:47 | data2 | swap2.cpp:56:55:56:59 | ref arg data2 | |
| swap2.cpp:56:50:56:53 | that | swap2.cpp:56:43:56:47 | ref arg data2 | |
| swap2.cpp:56:50:56:53 | that [post update] | swap2.cpp:53:26:53:29 | that | |
| swap2.cpp:56:55:56:59 | data2 | swap2.cpp:56:43:56:47 | ref arg data2 | |
| swap2.cpp:61:22:61:22 | x | swap1.cpp:61:22:61:22 | x | |
| swap2.cpp:61:22:61:22 | x | swap1.cpp:63:9:63:9 | x | |
| swap2.cpp:61:22:61:22 | x | swap2.cpp:61:22:61:22 | x | |
| swap2.cpp:61:22:61:22 | x | swap2.cpp:63:9:63:9 | x | |
| swap2.cpp:61:32:61:32 | y | swap1.cpp:61:32:61:32 | y | |
| swap2.cpp:61:32:61:32 | y | swap1.cpp:63:16:63:16 | y | |
| swap2.cpp:61:32:61:32 | y | swap2.cpp:61:32:61:32 | y | |
| swap2.cpp:61:32:61:32 | y | swap2.cpp:63:16:63:16 | y | |
| swap2.cpp:63:9:63:9 | ref arg x | swap1.cpp:61:22:61:22 | x | |
| swap2.cpp:63:9:63:9 | ref arg x | swap2.cpp:61:22:61:22 | x | |
| swap2.cpp:63:16:63:16 | ref arg y | swap1.cpp:61:32:61:32 | y | |
| swap2.cpp:63:16:63:16 | ref arg y | swap2.cpp:61:32:61:32 | y | |
| swap2.cpp:69:23:69:23 | x | swap2.cpp:71:5:71:5 | x | |
| swap2.cpp:69:23:69:23 | x | swap2.cpp:73:10:73:10 | x | |
| swap2.cpp:69:23:69:23 | x | swap2.cpp:76:9:76:9 | x | |
| swap2.cpp:69:23:69:23 | x | swap2.cpp:79:10:79:10 | x | |
| swap2.cpp:70:23:70:23 | y | swap2.cpp:74:10:74:10 | y | |
| swap2.cpp:70:23:70:23 | y | swap2.cpp:76:5:76:5 | y | |
| swap2.cpp:70:23:70:23 | y | swap2.cpp:78:10:78:10 | y | |
| swap2.cpp:71:5:71:5 | x [post update] | swap2.cpp:73:10:73:10 | x | |
| swap2.cpp:71:5:71:5 | x [post update] | swap2.cpp:76:9:76:9 | x | |
| swap2.cpp:71:5:71:5 | x [post update] | swap2.cpp:79:10:79:10 | x | |
| swap2.cpp:71:5:71:22 | ... = ... | swap2.cpp:73:12:73:16 | data1 | |
| swap2.cpp:71:5:71:22 | ... = ... | swap2.cpp:79:12:79:16 | data1 | |
| swap2.cpp:71:15:71:20 | call to source | swap2.cpp:71:5:71:22 | ... = ... | |
| swap2.cpp:76:5:76:5 | ref arg y | swap2.cpp:78:10:78:10 | y | |
| swap2.cpp:76:9:76:9 | x | swap2.cpp:76:5:76:5 | ref arg y | TAINT |
| swap2.cpp:76:9:76:9 | x | swap2.cpp:76:7:76:7 | call to operator= | TAINT |
| swap2.cpp:81:23:81:24 | z1 | swap2.cpp:82:5:82:6 | z1 | |
| swap2.cpp:81:23:81:24 | z1 | swap2.cpp:83:10:83:11 | z1 | |
| swap2.cpp:81:23:81:24 | z1 | swap2.cpp:85:10:85:11 | z1 | |
| swap2.cpp:81:23:81:24 | z1 | swap2.cpp:88:10:88:11 | z1 | |
| swap2.cpp:81:27:81:28 | z2 | swap2.cpp:85:14:85:15 | z2 | |
| swap2.cpp:81:27:81:28 | z2 | swap2.cpp:87:10:87:11 | z2 | |
| swap2.cpp:82:5:82:6 | z1 [post update] | swap2.cpp:83:10:83:11 | z1 | |
| swap2.cpp:82:5:82:6 | z1 [post update] | swap2.cpp:85:10:85:11 | z1 | |
| swap2.cpp:82:5:82:6 | z1 [post update] | swap2.cpp:88:10:88:11 | z1 | |
| swap2.cpp:82:5:82:23 | ... = ... | swap2.cpp:83:13:83:17 | data1 | |
| swap2.cpp:82:5:82:23 | ... = ... | swap2.cpp:88:13:88:17 | data1 | |
| swap2.cpp:82:16:82:21 | call to source | swap2.cpp:82:5:82:23 | ... = ... | |
| swap2.cpp:85:10:85:11 | ref arg z1 | swap2.cpp:88:10:88:11 | z1 | |
| swap2.cpp:85:14:85:15 | ref arg z2 | swap2.cpp:87:10:87:11 | z2 | |
| swap2.cpp:93:23:93:23 | x | swap2.cpp:95:5:95:5 | x | |
| swap2.cpp:93:23:93:23 | x | swap2.cpp:97:10:97:10 | x | |
| swap2.cpp:93:23:93:23 | x | swap2.cpp:100:19:100:19 | x | |
| swap2.cpp:93:23:93:23 | x | swap2.cpp:103:10:103:10 | x | |
| swap2.cpp:94:23:94:23 | y | swap2.cpp:98:10:98:10 | y | |
| swap2.cpp:94:23:94:23 | y | swap2.cpp:100:5:100:5 | y | |
| swap2.cpp:94:23:94:23 | y | swap2.cpp:102:10:102:10 | y | |
| swap2.cpp:95:5:95:5 | x [post update] | swap2.cpp:97:10:97:10 | x | |
| swap2.cpp:95:5:95:5 | x [post update] | swap2.cpp:100:19:100:19 | x | |
| swap2.cpp:95:5:95:5 | x [post update] | swap2.cpp:103:10:103:10 | x | |
| swap2.cpp:95:5:95:22 | ... = ... | swap2.cpp:97:12:97:16 | data1 | |
| swap2.cpp:95:5:95:22 | ... = ... | swap2.cpp:103:12:103:16 | data1 | |
| swap2.cpp:95:15:95:20 | call to source | swap2.cpp:95:5:95:22 | ... = ... | |
| swap2.cpp:100:5:100:5 | ref arg y | swap2.cpp:102:10:102:10 | y | |
| swap2.cpp:100:9:100:17 | call to move | swap2.cpp:100:5:100:5 | ref arg y | TAINT |
| swap2.cpp:100:9:100:17 | call to move | swap2.cpp:100:7:100:7 | call to operator= | TAINT |
| swap2.cpp:100:9:100:17 | ref arg call to move | swap2.cpp:100:19:100:19 | x [inner post update] | |
| swap2.cpp:100:9:100:17 | ref arg call to move | swap2.cpp:103:10:103:10 | x | |
| swap2.cpp:100:19:100:19 | x | swap2.cpp:100:5:100:5 | ref arg y | TAINT |
| swap2.cpp:100:19:100:19 | x | swap2.cpp:100:7:100:7 | call to operator= | TAINT |
| swap2.cpp:100:19:100:19 | x | swap2.cpp:100:9:100:17 | call to move | |
| swap2.cpp:108:23:108:31 | move_from | swap2.cpp:109:5:109:13 | move_from | |
| swap2.cpp:108:23:108:31 | move_from | swap2.cpp:111:10:111:18 | move_from | |
| swap2.cpp:108:23:108:31 | move_from | swap2.cpp:113:41:113:49 | move_from | |
| swap2.cpp:109:5:109:13 | move_from [post update] | swap2.cpp:111:10:111:18 | move_from | |
| swap2.cpp:109:5:109:13 | move_from [post update] | swap2.cpp:113:41:113:49 | move_from | |
| swap2.cpp:109:5:109:30 | ... = ... | swap2.cpp:111:20:111:24 | data1 | |
| swap2.cpp:109:5:109:30 | ... = ... | swap2.cpp:115:18:115:22 | data1 | |
| swap2.cpp:109:23:109:28 | call to source | swap2.cpp:109:5:109:30 | ... = ... | |
| swap2.cpp:113:31:113:39 | call to move | swap2.cpp:113:31:113:51 | call to Class | |
| swap2.cpp:113:31:113:39 | ref arg call to move | swap2.cpp:113:41:113:49 | move_from [inner post update] | |
| swap2.cpp:113:31:113:51 | call to Class | swap2.cpp:115:10:115:16 | move_to | |
| swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:39 | call to move | |
| swap2.cpp:120:23:120:23 | x | swap2.cpp:122:5:122:5 | x | |
| swap2.cpp:120:23:120:23 | x | swap2.cpp:124:10:124:10 | x | |
| swap2.cpp:120:23:120:23 | x | swap2.cpp:127:19:127:19 | x | |
| swap2.cpp:120:23:120:23 | x | swap2.cpp:130:10:130:10 | x | |
| swap2.cpp:121:23:121:23 | y | swap2.cpp:125:10:125:10 | y | |
| swap2.cpp:121:23:121:23 | y | swap2.cpp:127:5:127:5 | y | |
| swap2.cpp:121:23:121:23 | y | swap2.cpp:129:10:129:10 | y | |
| swap2.cpp:122:5:122:5 | x [post update] | swap2.cpp:124:10:124:10 | x | |
| swap2.cpp:122:5:122:5 | x [post update] | swap2.cpp:127:19:127:19 | x | |
| swap2.cpp:122:5:122:5 | x [post update] | swap2.cpp:130:10:130:10 | x | |
| swap2.cpp:122:5:122:22 | ... = ... | swap2.cpp:124:12:124:16 | data1 | |
| swap2.cpp:122:5:122:22 | ... = ... | swap2.cpp:130:12:130:16 | data1 | |
| swap2.cpp:122:15:122:20 | call to source | swap2.cpp:122:5:122:22 | ... = ... | |
| swap2.cpp:127:5:127:5 | ref arg y | swap2.cpp:129:10:129:10 | y | |
| swap2.cpp:135:23:135:23 | x | swap2.cpp:137:5:137:5 | x | |
| swap2.cpp:135:23:135:23 | x | swap2.cpp:139:10:139:10 | x | |
| swap2.cpp:135:23:135:23 | x | swap2.cpp:142:29:142:29 | x | |
| swap2.cpp:135:23:135:23 | x | swap2.cpp:145:10:145:10 | x | |
| swap2.cpp:136:23:136:23 | y | swap2.cpp:140:10:140:10 | y | |
| swap2.cpp:136:23:136:23 | y | swap2.cpp:142:5:142:5 | y | |
| swap2.cpp:136:23:136:23 | y | swap2.cpp:144:10:144:10 | y | |
| swap2.cpp:137:5:137:5 | x [post update] | swap2.cpp:139:10:139:10 | x | |
| swap2.cpp:137:5:137:5 | x [post update] | swap2.cpp:142:29:142:29 | x | |
| swap2.cpp:137:5:137:5 | x [post update] | swap2.cpp:145:10:145:10 | x | |
| swap2.cpp:137:5:137:22 | ... = ... | swap2.cpp:139:12:139:16 | data1 | |
| swap2.cpp:137:5:137:22 | ... = ... | swap2.cpp:145:12:145:16 | data1 | |
| swap2.cpp:137:15:137:20 | call to source | swap2.cpp:137:5:137:22 | ... = ... | |
| swap2.cpp:142:5:142:5 | ref arg y | swap2.cpp:144:10:144:10 | y | |
| swap2.cpp:142:19:142:27 | ref arg call to move | swap2.cpp:142:29:142:29 | x [inner post update] | |
| swap2.cpp:142:19:142:27 | ref arg call to move | swap2.cpp:145:10:145:10 | x | |
| swap2.cpp:142:29:142:29 | x | swap2.cpp:142:19:142:27 | call to move | |
| taint.cpp:4:27:4:33 | source1 | taint.cpp:6:13:6:19 | source1 | |
| taint.cpp:4:40:4:45 | clean1 | taint.cpp:5:8:5:13 | clean1 | |
| taint.cpp:4:40:4:45 | clean1 | taint.cpp:6:3:6:8 | clean1 | |

173
cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp
View File

@@ -7,20 +7,62 @@ namespace std
typedef size_t streamsize;
struct ptrdiff_t;
template <class iterator_category,
class value_type,
class difference_type = ptrdiff_t,
class pointer_type = value_type*,
class reference_type = value_type&>
struct iterator {
iterator &operator++();
iterator operator++(int);
bool operator==(iterator other) const;
bool operator!=(iterator other) const;
reference_type operator*() const;
};
struct input_iterator_tag {};
struct forward_iterator_tag : public input_iterator_tag {};
struct bidirectional_iterator_tag : public forward_iterator_tag {};
struct random_access_iterator_tag : public bidirectional_iterator_tag {};
template <class T> class allocator {
public:
allocator() throw();
typedef size_t size_type;
};
template<class charT, class traits = char_traits<charT>, class Allocator = allocator<charT> >
class basic_string {
public:
typedef typename Allocator::size_type size_type;
explicit basic_string(const Allocator& a = Allocator());
basic_string(const charT* s, const Allocator& a = Allocator());
const charT* c_str() const;
typedef std::iterator<random_access_iterator_tag, charT> iterator;
typedef std::iterator<random_access_iterator_tag, const charT> const_iterator;
iterator begin();
iterator end();
const_iterator begin() const;
const_iterator end() const;
const_iterator cbegin() const;
const_iterator cend() const;
template<class T> basic_string& operator+=(const T& t);
basic_string& operator+=(const charT* s);
basic_string& append(const basic_string& str);
basic_string& append(const charT* s);
basic_string& append(size_type n, charT c);
};
template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const basic_string<charT, traits, Allocator>& rhs);
template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const charT* rhs);
typedef basic_string<char> string;
template <class charT, class traits = char_traits<charT> >
@@ -202,3 +244,134 @@ void test_string_constructors_assignments()
}
}
void sink(char) {}
void test_range_based_for_loop_string() {
std::string s(source());
for(char c : s) {
sink(c); // tainted [NOT DETECTED by IR]
}
for(std::string::iterator it = s.begin(); it != s.end(); ++it) {
sink(*it); // tainted [NOT DETECTED]
}
for(char& c : s) {
sink(c); // tainted [NOT DETECTED by IR]
}
const std::string const_s(source());
for(const char& c : const_s) {
sink(c); // tainted [NOT DETECTED by IR]
}
}
namespace std {
template <class T>
class vector {
private:
void *data_;
public:
vector(int size);
T& operator[](int idx);
const T& operator[](int idx) const;
typedef std::iterator<random_access_iterator_tag, T> iterator;
typedef std::iterator<random_access_iterator_tag, const T> const_iterator;
iterator begin() noexcept;
iterator end() noexcept;
const_iterator begin() const noexcept;
const_iterator end() const noexcept;
};
}
void sink(int);
void test_range_based_for_loop_vector(int source1) {
// Tainting the vector by allocating a tainted length. This doesn't represent
// how a vector would typically get tainted, but it allows this test to avoid
// being concerned with std::vector modeling.
std::vector<int> v(source1);
for(int x : v) {
sink(x); // tainted [NOT DETECTED by IR]
}
for(std::vector<int>::iterator it = v.begin(); it != v.end(); ++it) {
sink(*it); // tainted [NOT DETECTED]
}
for(int& x : v) {
sink(x); // tainted [NOT DETECTED by IR]
}
const std::vector<int> const_v(source1);
for(const int& x : const_v) {
sink(x); // tainted [NOT DETECTED by IR]
}
}
namespace ns_char
{
char source();
}
void test_string_append() {
{
std::string s1("hello");
std::string s2(source());
sink(s1 + s1);
sink(s1 + s2); // tainted
sink(s2 + s1); // tainted
sink(s2 + s2); // tainted
sink(s1 + " world");
sink(s1 + source()); // tainted
}
{
std::string s3("abc");
std::string s4(source());
std::string s5, s6, s7, s8, s9;
s5 = s3 + s4;
sink(s5); // tainted
s6 = s3;
s6 += s4;
sink(s6); // tainted
s7 = s3;
s7 += source();
s7 += " ";
sink(s7); // tainted
s8 = s3;
s8.append(s4);
sink(s8); // tainted
s9 = s3;
s9.append(source());
s9.append(" ");
sink(s9); // tainted
}
{
std::string s10("abc");
char c = ns_char::source();
s10.append(1, c);
sink(s10); // tainted
}
}

43
cpp/ql/test/library-tests/dataflow/taint-tests/swap1.cpp
View File

@@ -37,6 +37,19 @@ namespace IntWrapper
return *this;
}
Class &copy_assign(const Class &that) // copy assignment without the usual signature
{
auto tmp = that;
swap(tmp);
return *this;
}
Class &move_assign(Class &&that) // move assignment without the usual signature
{
swap(that);
return *this;
}
void swap(Class &that) noexcept
{
using std::swap;
@@ -101,3 +114,33 @@ void test_move_constructor()
sink(move_to.data1); // tainted
}
void test_copy_assignment_method()
{
IntWrapper::Class x;
IntWrapper::Class y;
x.data1 = source();
sink(x.data1); // tainted
sink(y.data1); // clean
y.copy_assign(x);
sink(y.data1); // tainted
sink(x.data1); // tainted
}
void test_move_assignment_method()
{
IntWrapper::Class x;
IntWrapper::Class y;
x.data1 = source();
sink(x.data1); // tainted
sink(y.data1); // clean
y.move_assign(std::move(x));
sink(y.data1); // tainted
sink(x.data1); // tainted
}

43
cpp/ql/test/library-tests/dataflow/taint-tests/swap2.cpp
View File

@@ -37,6 +37,19 @@ namespace IntWrapper
return *this;
}
Class &copy_assign(const Class &that) // copy assignment without the usual signature
{
auto tmp = that;
swap(tmp);
return *this;
}
Class &move_assign(Class &&that) // move assignment without the usual signature
{
swap(that);
return *this;
}
void swap(Class &that) noexcept
{
using std::swap;
@@ -101,3 +114,33 @@ void test_move_constructor()
sink(move_to.data1); // tainted
}
void test_copy_assignment_method()
{
IntWrapper::Class x;
IntWrapper::Class y;
x.data1 = source();
sink(x.data1); // tainted
sink(y.data1); // clean
y.copy_assign(x);
sink(y.data1); // tainted
sink(x.data1); // tainted
}
void test_move_assignment_method()
{
IntWrapper::Class x;
IntWrapper::Class y;
x.data1 = source();
sink(x.data1); // tainted
sink(y.data1); // clean
y.move_assign(std::move(x));
sink(y.data1); // tainted
sink(x.data1); // tainted
}

129
cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
View File

@@ -5,6 +5,13 @@
| copyableclass.cpp:65:8:65:9 | s1 | copyableclass.cpp:60:40:60:45 | call to source |
| copyableclass.cpp:66:8:66:9 | s2 | copyableclass.cpp:63:24:63:29 | call to source |
| copyableclass.cpp:67:11:67:11 | call to operator= | copyableclass.cpp:67:13:67:18 | call to source |
| copyableclass_declonly.cpp:40:8:40:9 | s1 | copyableclass_declonly.cpp:34:30:34:35 | call to source |
| copyableclass_declonly.cpp:41:8:41:9 | s2 | copyableclass_declonly.cpp:35:32:35:37 | call to source |
| copyableclass_declonly.cpp:42:8:42:9 | s3 | copyableclass_declonly.cpp:34:30:34:35 | call to source |
| copyableclass_declonly.cpp:43:8:43:9 | s4 | copyableclass_declonly.cpp:38:8:38:13 | call to source |
| copyableclass_declonly.cpp:65:8:65:9 | s1 | copyableclass_declonly.cpp:60:56:60:61 | call to source |
| copyableclass_declonly.cpp:66:8:66:9 | s2 | copyableclass_declonly.cpp:63:32:63:37 | call to source |
| copyableclass_declonly.cpp:67:11:67:11 | call to operator= | copyableclass_declonly.cpp:67:13:67:18 | call to source |
| format.cpp:57:8:57:13 | buffer | format.cpp:56:36:56:49 | call to source |
| format.cpp:62:8:62:13 | buffer | format.cpp:61:30:61:43 | call to source |
| format.cpp:67:8:67:13 | buffer | format.cpp:66:52:66:65 | call to source |
@@ -15,6 +22,7 @@
| format.cpp:100:8:100:13 | buffer | format.cpp:99:30:99:43 | call to source |
| format.cpp:105:8:105:13 | buffer | format.cpp:104:31:104:45 | call to source |
| format.cpp:110:8:110:14 | wbuffer | format.cpp:109:38:109:52 | call to source |
| format.cpp:115:8:115:13 | buffer | format.cpp:114:37:114:50 | call to source |
| format.cpp:157:7:157:22 | access to array | format.cpp:147:12:147:25 | call to source |
| format.cpp:158:7:158:27 | ... + ... | format.cpp:148:16:148:30 | call to source |
| movableclass.cpp:44:8:44:9 | s1 | movableclass.cpp:39:21:39:26 | call to source |
@@ -24,21 +32,37 @@
| movableclass.cpp:55:8:55:9 | s2 | movableclass.cpp:52:23:52:28 | call to source |
| movableclass.cpp:64:8:64:9 | s2 | movableclass.cpp:23:55:23:60 | call to source |
| movableclass.cpp:65:11:65:11 | call to operator= | movableclass.cpp:65:13:65:18 | call to source |
| stl.cpp:71:7:71:7 | a | stl.cpp:67:12:67:17 | call to source |
| stl.cpp:73:7:73:7 | c | stl.cpp:69:16:69:21 | call to source |
| stl.cpp:75:9:75:13 | call to c_str | stl.cpp:69:16:69:21 | call to source |
| stl.cpp:125:13:125:17 | call to c_str | stl.cpp:117:10:117:15 | call to source |
| stl.cpp:129:13:129:17 | call to c_str | stl.cpp:117:10:117:15 | call to source |
| stl.cpp:132:13:132:17 | call to c_str | stl.cpp:117:10:117:15 | call to source |
| stl.cpp:142:7:142:8 | cs | stl.cpp:137:19:137:24 | call to source |
| stl.cpp:143:7:143:8 | ss | stl.cpp:137:19:137:24 | call to source |
| stl.cpp:156:7:156:8 | cs | stl.cpp:148:19:148:24 | call to source |
| stl.cpp:157:7:157:8 | ss | stl.cpp:148:19:148:24 | call to source |
| stl.cpp:179:8:179:9 | s1 | stl.cpp:174:18:174:23 | call to source |
| stl.cpp:180:8:180:9 | s2 | stl.cpp:175:20:175:25 | call to source |
| stl.cpp:181:8:181:9 | s3 | stl.cpp:177:8:177:13 | call to source |
| stl.cpp:200:8:200:9 | s1 | stl.cpp:196:32:196:37 | call to source |
| stl.cpp:201:8:201:9 | s2 | stl.cpp:198:20:198:25 | call to source |
| stl.cpp:113:7:113:7 | a | stl.cpp:109:12:109:17 | call to source |
| stl.cpp:115:7:115:7 | c | stl.cpp:111:16:111:21 | call to source |
| stl.cpp:117:9:117:13 | call to c_str | stl.cpp:111:16:111:21 | call to source |
| stl.cpp:167:13:167:17 | call to c_str | stl.cpp:159:10:159:15 | call to source |
| stl.cpp:171:13:171:17 | call to c_str | stl.cpp:159:10:159:15 | call to source |
| stl.cpp:174:13:174:17 | call to c_str | stl.cpp:159:10:159:15 | call to source |
| stl.cpp:184:7:184:8 | cs | stl.cpp:179:19:179:24 | call to source |
| stl.cpp:185:7:185:8 | ss | stl.cpp:179:19:179:24 | call to source |
| stl.cpp:198:7:198:8 | cs | stl.cpp:190:19:190:24 | call to source |
| stl.cpp:199:7:199:8 | ss | stl.cpp:190:19:190:24 | call to source |
| stl.cpp:221:8:221:9 | s1 | stl.cpp:216:18:216:23 | call to source |
| stl.cpp:222:8:222:9 | s2 | stl.cpp:217:20:217:25 | call to source |
| stl.cpp:223:8:223:9 | s3 | stl.cpp:219:8:219:13 | call to source |
| stl.cpp:242:8:242:9 | s1 | stl.cpp:238:32:238:37 | call to source |
| stl.cpp:243:8:243:9 | s2 | stl.cpp:240:20:240:25 | call to source |
| stl.cpp:252:8:252:8 | c | stl.cpp:250:16:250:21 | call to source |
| stl.cpp:260:8:260:8 | c | stl.cpp:250:16:250:21 | call to source |
| stl.cpp:265:8:265:8 | c | stl.cpp:263:28:263:33 | call to source |
| stl.cpp:307:8:307:8 | x | stl.cpp:300:43:300:49 | source1 |
| stl.cpp:315:8:315:8 | x | stl.cpp:300:43:300:49 | source1 |
| stl.cpp:320:8:320:8 | x | stl.cpp:300:43:300:49 | source1 |
| stl.cpp:335:11:335:11 | call to operator+ | stl.cpp:332:18:332:23 | call to source |
| stl.cpp:336:11:336:11 | call to operator+ | stl.cpp:332:18:332:23 | call to source |
| stl.cpp:337:11:337:11 | call to operator+ | stl.cpp:332:18:332:23 | call to source |
| stl.cpp:340:11:340:11 | call to operator+ | stl.cpp:340:13:340:18 | call to source |
| stl.cpp:349:8:349:9 | s5 | stl.cpp:345:18:345:23 | call to source |
| stl.cpp:353:8:353:9 | s6 | stl.cpp:345:18:345:23 | call to source |
| stl.cpp:358:8:358:9 | s7 | stl.cpp:356:9:356:14 | call to source |
| stl.cpp:362:8:362:9 | s8 | stl.cpp:345:18:345:23 | call to source |
| stl.cpp:367:8:367:9 | s9 | stl.cpp:365:13:365:18 | call to source |
| stl.cpp:375:8:375:10 | s10 | stl.cpp:372:12:372:26 | call to source |
| structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
| structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
| structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |
@@ -46,36 +70,51 @@
| structlikeclass.cpp:60:8:60:9 | s1 | structlikeclass.cpp:55:40:55:45 | call to source |
| structlikeclass.cpp:61:8:61:9 | s2 | structlikeclass.cpp:58:24:58:29 | call to source |
| structlikeclass.cpp:62:8:62:20 | ... = ... | structlikeclass.cpp:62:13:62:18 | call to source |
| swap1.cpp:60:12:60:16 | data1 | swap1.cpp:58:15:58:20 | call to source |
| swap1.cpp:65:12:65:16 | data1 | swap1.cpp:56:23:56:23 | x |
| swap1.cpp:65:12:65:16 | data1 | swap1.cpp:58:15:58:20 | call to source |
| swap1.cpp:66:12:66:16 | data1 | swap1.cpp:58:15:58:20 | call to source |
| swap1.cpp:70:13:70:17 | data1 | swap1.cpp:69:16:69:21 | call to source |
| swap1.cpp:74:13:74:17 | data1 | swap1.cpp:69:16:69:21 | call to source |
| swap1.cpp:75:13:75:17 | data1 | swap1.cpp:68:27:68:28 | z2 |
| swap1.cpp:75:13:75:17 | data1 | swap1.cpp:69:16:69:21 | call to source |
| swap1.cpp:84:12:84:16 | data1 | swap1.cpp:82:15:82:20 | call to source |
| swap1.cpp:89:12:89:16 | data1 | swap1.cpp:80:23:80:23 | x |
| swap1.cpp:89:12:89:16 | data1 | swap1.cpp:82:15:82:20 | call to source |
| swap1.cpp:90:12:90:16 | data1 | swap1.cpp:82:15:82:20 | call to source |
| swap1.cpp:98:20:98:24 | data1 | swap1.cpp:96:23:96:28 | call to source |
| swap1.cpp:102:18:102:22 | data1 | swap1.cpp:95:23:95:31 | move_from |
| swap1.cpp:102:18:102:22 | data1 | swap1.cpp:96:23:96:28 | call to source |
| swap2.cpp:60:12:60:16 | data1 | swap2.cpp:58:15:58:20 | call to source |
| swap2.cpp:65:12:65:16 | data1 | swap2.cpp:56:23:56:23 | x |
| swap2.cpp:65:12:65:16 | data1 | swap2.cpp:58:15:58:20 | call to source |
| swap2.cpp:66:12:66:16 | data1 | swap2.cpp:58:15:58:20 | call to source |
| swap2.cpp:70:13:70:17 | data1 | swap2.cpp:69:16:69:21 | call to source |
| swap2.cpp:74:13:74:17 | data1 | swap2.cpp:69:16:69:21 | call to source |
| swap2.cpp:75:13:75:17 | data1 | swap2.cpp:68:27:68:28 | z2 |
| swap2.cpp:75:13:75:17 | data1 | swap2.cpp:69:16:69:21 | call to source |
| swap2.cpp:84:12:84:16 | data1 | swap2.cpp:82:15:82:20 | call to source |
| swap2.cpp:89:12:89:16 | data1 | swap2.cpp:80:23:80:23 | x |
| swap2.cpp:89:12:89:16 | data1 | swap2.cpp:82:15:82:20 | call to source |
| swap2.cpp:90:12:90:16 | data1 | swap2.cpp:82:15:82:20 | call to source |
| swap2.cpp:98:20:98:24 | data1 | swap2.cpp:96:23:96:28 | call to source |
| swap2.cpp:102:18:102:22 | data1 | swap2.cpp:95:23:95:31 | move_from |
| swap2.cpp:102:18:102:22 | data1 | swap2.cpp:96:23:96:28 | call to source |
| swap1.cpp:73:12:73:16 | data1 | swap1.cpp:71:15:71:20 | call to source |
| swap1.cpp:78:12:78:16 | data1 | swap1.cpp:69:23:69:23 | x |
| swap1.cpp:78:12:78:16 | data1 | swap1.cpp:71:15:71:20 | call to source |
| swap1.cpp:79:12:79:16 | data1 | swap1.cpp:71:15:71:20 | call to source |
| swap1.cpp:83:13:83:17 | data1 | swap1.cpp:82:16:82:21 | call to source |
| swap1.cpp:87:13:87:17 | data1 | swap1.cpp:82:16:82:21 | call to source |
| swap1.cpp:88:13:88:17 | data1 | swap1.cpp:81:27:81:28 | z2 |
| swap1.cpp:88:13:88:17 | data1 | swap1.cpp:82:16:82:21 | call to source |
| swap1.cpp:97:12:97:16 | data1 | swap1.cpp:95:15:95:20 | call to source |
| swap1.cpp:102:12:102:16 | data1 | swap1.cpp:93:23:93:23 | x |
| swap1.cpp:102:12:102:16 | data1 | swap1.cpp:95:15:95:20 | call to source |
| swap1.cpp:103:12:103:16 | data1 | swap1.cpp:95:15:95:20 | call to source |
| swap1.cpp:111:20:111:24 | data1 | swap1.cpp:109:23:109:28 | call to source |
| swap1.cpp:115:18:115:22 | data1 | swap1.cpp:108:23:108:31 | move_from |
| swap1.cpp:115:18:115:22 | data1 | swap1.cpp:109:23:109:28 | call to source |
| swap1.cpp:124:12:124:16 | data1 | swap1.cpp:122:15:122:20 | call to source |
| swap1.cpp:129:12:129:16 | data1 | swap1.cpp:120:23:120:23 | x |
| swap1.cpp:129:12:129:16 | data1 | swap1.cpp:122:15:122:20 | call to source |
| swap1.cpp:130:12:130:16 | data1 | swap1.cpp:122:15:122:20 | call to source |
| swap1.cpp:139:12:139:16 | data1 | swap1.cpp:137:15:137:20 | call to source |
| swap1.cpp:144:12:144:16 | data1 | swap1.cpp:135:23:135:23 | x |
| swap1.cpp:144:12:144:16 | data1 | swap1.cpp:137:15:137:20 | call to source |
| swap1.cpp:145:12:145:16 | data1 | swap1.cpp:137:15:137:20 | call to source |
| swap2.cpp:73:12:73:16 | data1 | swap2.cpp:71:15:71:20 | call to source |
| swap2.cpp:78:12:78:16 | data1 | swap2.cpp:69:23:69:23 | x |
| swap2.cpp:78:12:78:16 | data1 | swap2.cpp:71:15:71:20 | call to source |
| swap2.cpp:79:12:79:16 | data1 | swap2.cpp:71:15:71:20 | call to source |
| swap2.cpp:83:13:83:17 | data1 | swap2.cpp:82:16:82:21 | call to source |
| swap2.cpp:88:13:88:17 | data1 | swap2.cpp:81:27:81:28 | z2 |
| swap2.cpp:88:13:88:17 | data1 | swap2.cpp:82:16:82:21 | call to source |
| swap2.cpp:97:12:97:16 | data1 | swap2.cpp:95:15:95:20 | call to source |
| swap2.cpp:102:12:102:16 | data1 | swap2.cpp:93:23:93:23 | x |
| swap2.cpp:102:12:102:16 | data1 | swap2.cpp:95:15:95:20 | call to source |
| swap2.cpp:103:12:103:16 | data1 | swap2.cpp:95:15:95:20 | call to source |
| swap2.cpp:111:20:111:24 | data1 | swap2.cpp:109:23:109:28 | call to source |
| swap2.cpp:115:18:115:22 | data1 | swap2.cpp:108:23:108:31 | move_from |
| swap2.cpp:115:18:115:22 | data1 | swap2.cpp:109:23:109:28 | call to source |
| swap2.cpp:124:12:124:16 | data1 | swap2.cpp:122:15:122:20 | call to source |
| swap2.cpp:129:12:129:16 | data1 | swap2.cpp:120:23:120:23 | x |
| swap2.cpp:129:12:129:16 | data1 | swap2.cpp:122:15:122:20 | call to source |
| swap2.cpp:130:12:130:16 | data1 | swap2.cpp:122:15:122:20 | call to source |
| swap2.cpp:139:12:139:16 | data1 | swap2.cpp:137:15:137:20 | call to source |
| swap2.cpp:144:12:144:16 | data1 | swap2.cpp:135:23:135:23 | x |
| swap2.cpp:144:12:144:16 | data1 | swap2.cpp:137:15:137:20 | call to source |
| swap2.cpp:145:12:145:16 | data1 | swap2.cpp:137:15:137:20 | call to source |
| taint.cpp:8:8:8:13 | clean1 | taint.cpp:4:27:4:33 | source1 |
| taint.cpp:16:8:16:14 | source1 | taint.cpp:12:22:12:27 | call to source |
| taint.cpp:17:8:17:16 | ++ ... | taint.cpp:12:22:12:27 | call to source |

75
cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
View File

@@ -5,6 +5,13 @@
| copyableclass.cpp:65:8:65:9 | copyableclass.cpp:60:40:60:45 | AST only |
| copyableclass.cpp:66:8:66:9 | copyableclass.cpp:63:24:63:29 | AST only |
| copyableclass.cpp:67:11:67:11 | copyableclass.cpp:67:13:67:18 | AST only |
| copyableclass_declonly.cpp:40:8:40:9 | copyableclass_declonly.cpp:34:30:34:35 | AST only |
| copyableclass_declonly.cpp:41:8:41:9 | copyableclass_declonly.cpp:35:32:35:37 | AST only |
| copyableclass_declonly.cpp:42:8:42:9 | copyableclass_declonly.cpp:34:30:34:35 | AST only |
| copyableclass_declonly.cpp:43:8:43:9 | copyableclass_declonly.cpp:38:8:38:13 | AST only |
| copyableclass_declonly.cpp:65:8:65:9 | copyableclass_declonly.cpp:60:56:60:61 | AST only |
| copyableclass_declonly.cpp:66:8:66:9 | copyableclass_declonly.cpp:63:32:63:37 | AST only |
| copyableclass_declonly.cpp:67:11:67:11 | copyableclass_declonly.cpp:67:13:67:18 | AST only |
| format.cpp:57:8:57:13 | format.cpp:56:36:56:49 | AST only |
| format.cpp:62:8:62:13 | format.cpp:61:30:61:43 | AST only |
| format.cpp:67:8:67:13 | format.cpp:66:52:66:65 | AST only |
@@ -15,6 +22,7 @@
| format.cpp:100:8:100:13 | format.cpp:99:30:99:43 | AST only |
| format.cpp:105:8:105:13 | format.cpp:104:31:104:45 | AST only |
| format.cpp:110:8:110:14 | format.cpp:109:38:109:52 | AST only |
| format.cpp:115:8:115:13 | format.cpp:114:37:114:50 | AST only |
| movableclass.cpp:44:8:44:9 | movableclass.cpp:39:21:39:26 | AST only |
| movableclass.cpp:45:8:45:9 | movableclass.cpp:40:23:40:28 | AST only |
| movableclass.cpp:46:8:46:9 | movableclass.cpp:42:8:42:13 | AST only |
@@ -22,34 +30,53 @@
| movableclass.cpp:55:8:55:9 | movableclass.cpp:52:23:52:28 | AST only |
| movableclass.cpp:64:8:64:9 | movableclass.cpp:23:55:23:60 | AST only |
| movableclass.cpp:65:11:65:11 | movableclass.cpp:65:13:65:18 | AST only |
| stl.cpp:73:7:73:7 | stl.cpp:69:16:69:21 | AST only |
| stl.cpp:75:9:75:13 | stl.cpp:69:16:69:21 | AST only |
| stl.cpp:125:13:125:17 | stl.cpp:117:10:117:15 | AST only |
| stl.cpp:129:13:129:17 | stl.cpp:117:10:117:15 | AST only |
| stl.cpp:132:13:132:17 | stl.cpp:117:10:117:15 | AST only |
| stl.cpp:142:7:142:8 | stl.cpp:137:19:137:26 | IR only |
| stl.cpp:143:7:143:8 | stl.cpp:137:19:137:24 | AST only |
| stl.cpp:156:7:156:8 | stl.cpp:148:19:148:24 | AST only |
| stl.cpp:157:7:157:8 | stl.cpp:148:19:148:24 | AST only |
| stl.cpp:179:8:179:9 | stl.cpp:174:18:174:23 | AST only |
| stl.cpp:180:8:180:9 | stl.cpp:175:20:175:25 | AST only |
| stl.cpp:181:8:181:9 | stl.cpp:177:8:177:13 | AST only |
| stl.cpp:200:8:200:9 | stl.cpp:196:32:196:37 | AST only |
| stl.cpp:201:8:201:9 | stl.cpp:198:20:198:25 | AST only |
| stl.cpp:115:7:115:7 | stl.cpp:111:16:111:21 | AST only |
| stl.cpp:117:9:117:13 | stl.cpp:111:16:111:21 | AST only |
| stl.cpp:167:13:167:17 | stl.cpp:159:10:159:15 | AST only |
| stl.cpp:171:13:171:17 | stl.cpp:159:10:159:15 | AST only |
| stl.cpp:174:13:174:17 | stl.cpp:159:10:159:15 | AST only |
| stl.cpp:184:7:184:8 | stl.cpp:179:19:179:26 | IR only |
| stl.cpp:185:7:185:8 | stl.cpp:179:19:179:24 | AST only |
| stl.cpp:198:7:198:8 | stl.cpp:190:19:190:24 | AST only |
| stl.cpp:199:7:199:8 | stl.cpp:190:19:190:24 | AST only |
| stl.cpp:221:8:221:9 | stl.cpp:216:18:216:23 | AST only |
| stl.cpp:222:8:222:9 | stl.cpp:217:20:217:25 | AST only |
| stl.cpp:223:8:223:9 | stl.cpp:219:8:219:13 | AST only |
| stl.cpp:242:8:242:9 | stl.cpp:238:32:238:37 | AST only |
| stl.cpp:243:8:243:9 | stl.cpp:240:20:240:25 | AST only |
| stl.cpp:252:8:252:8 | stl.cpp:250:16:250:21 | AST only |
| stl.cpp:260:8:260:8 | stl.cpp:250:16:250:21 | AST only |
| stl.cpp:265:8:265:8 | stl.cpp:263:28:263:33 | AST only |
| stl.cpp:307:8:307:8 | stl.cpp:300:43:300:49 | AST only |
| stl.cpp:315:8:315:8 | stl.cpp:300:43:300:49 | AST only |
| stl.cpp:320:8:320:8 | stl.cpp:300:43:300:49 | AST only |
| stl.cpp:335:11:335:11 | stl.cpp:332:18:332:23 | AST only |
| stl.cpp:336:11:336:11 | stl.cpp:332:18:332:23 | AST only |
| stl.cpp:337:11:337:11 | stl.cpp:332:18:332:23 | AST only |
| stl.cpp:340:11:340:11 | stl.cpp:340:13:340:18 | AST only |
| stl.cpp:349:8:349:9 | stl.cpp:345:18:345:23 | AST only |
| stl.cpp:353:8:353:9 | stl.cpp:345:18:345:23 | AST only |
| stl.cpp:358:8:358:9 | stl.cpp:356:9:356:14 | AST only |
| stl.cpp:362:8:362:9 | stl.cpp:345:18:345:23 | AST only |
| stl.cpp:367:8:367:9 | stl.cpp:365:13:365:18 | AST only |
| stl.cpp:375:8:375:10 | stl.cpp:372:12:372:26 | AST only |
| structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
| structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |
| structlikeclass.cpp:37:8:37:9 | structlikeclass.cpp:29:22:29:27 | AST only |
| structlikeclass.cpp:60:8:60:9 | structlikeclass.cpp:55:40:55:45 | AST only |
| swap1.cpp:65:12:65:16 | swap1.cpp:56:23:56:23 | AST only |
| swap1.cpp:74:13:74:17 | swap1.cpp:69:16:69:21 | AST only |
| swap1.cpp:75:13:75:17 | swap1.cpp:68:27:68:28 | AST only |
| swap1.cpp:89:12:89:16 | swap1.cpp:80:23:80:23 | AST only |
| swap1.cpp:102:18:102:22 | swap1.cpp:95:23:95:31 | AST only |
| swap2.cpp:65:12:65:16 | swap2.cpp:56:23:56:23 | AST only |
| swap2.cpp:74:13:74:17 | swap2.cpp:69:16:69:21 | AST only |
| swap2.cpp:75:13:75:17 | swap2.cpp:68:27:68:28 | AST only |
| swap2.cpp:89:12:89:16 | swap2.cpp:80:23:80:23 | AST only |
| swap2.cpp:102:18:102:22 | swap2.cpp:95:23:95:31 | AST only |
| swap1.cpp:78:12:78:16 | swap1.cpp:69:23:69:23 | AST only |
| swap1.cpp:87:13:87:17 | swap1.cpp:82:16:82:21 | AST only |
| swap1.cpp:88:13:88:17 | swap1.cpp:81:27:81:28 | AST only |
| swap1.cpp:102:12:102:16 | swap1.cpp:93:23:93:23 | AST only |
| swap1.cpp:115:18:115:22 | swap1.cpp:108:23:108:31 | AST only |
| swap1.cpp:129:12:129:16 | swap1.cpp:120:23:120:23 | AST only |
| swap1.cpp:144:12:144:16 | swap1.cpp:135:23:135:23 | AST only |
| swap2.cpp:78:12:78:16 | swap2.cpp:69:23:69:23 | AST only |
| swap2.cpp:88:13:88:17 | swap2.cpp:81:27:81:28 | AST only |
| swap2.cpp:102:12:102:16 | swap2.cpp:93:23:93:23 | AST only |
| swap2.cpp:115:18:115:22 | swap2.cpp:108:23:108:31 | AST only |
| swap2.cpp:129:12:129:16 | swap2.cpp:120:23:120:23 | AST only |
| swap2.cpp:144:12:144:16 | swap2.cpp:135:23:135:23 | AST only |
| taint.cpp:41:7:41:13 | taint.cpp:35:12:35:17 | AST only |
| taint.cpp:42:7:42:13 | taint.cpp:35:12:35:17 | AST only |
| taint.cpp:43:7:43:13 | taint.cpp:37:22:37:27 | AST only |

60
cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
View File

@@ -1,33 +1,45 @@
| format.cpp:157:7:157:22 | (int)... | format.cpp:147:12:147:25 | call to source |
| format.cpp:157:7:157:22 | access to array | format.cpp:147:12:147:25 | call to source |
| format.cpp:158:7:158:27 | ... + ... | format.cpp:148:16:148:30 | call to source |
| stl.cpp:71:7:71:7 | (const char *)... | stl.cpp:67:12:67:17 | call to source |
| stl.cpp:71:7:71:7 | a | stl.cpp:67:12:67:17 | call to source |
| stl.cpp:142:7:142:8 | cs | stl.cpp:137:19:137:24 | call to source |
| stl.cpp:142:7:142:8 | cs | stl.cpp:137:19:137:26 | (const char *)... |
| stl.cpp:113:7:113:7 | (const char *)... | stl.cpp:109:12:109:17 | call to source |
| stl.cpp:113:7:113:7 | a | stl.cpp:109:12:109:17 | call to source |
| stl.cpp:184:7:184:8 | cs | stl.cpp:179:19:179:24 | call to source |
| stl.cpp:184:7:184:8 | cs | stl.cpp:179:19:179:26 | (const char *)... |
| structlikeclass.cpp:38:8:38:9 | s4 | structlikeclass.cpp:33:8:33:13 | call to source |
| structlikeclass.cpp:61:8:61:9 | s2 | structlikeclass.cpp:58:24:58:29 | call to source |
| structlikeclass.cpp:62:8:62:20 | ... = ... | structlikeclass.cpp:62:13:62:18 | call to source |
| swap1.cpp:60:12:60:16 | data1 | swap1.cpp:58:15:58:20 | call to source |
| swap1.cpp:65:12:65:16 | data1 | swap1.cpp:58:15:58:20 | call to source |
| swap1.cpp:66:12:66:16 | data1 | swap1.cpp:58:15:58:20 | call to source |
| swap1.cpp:70:13:70:17 | data1 | swap1.cpp:69:16:69:21 | call to source |
| swap1.cpp:75:13:75:17 | data1 | swap1.cpp:69:16:69:21 | call to source |
| swap1.cpp:84:12:84:16 | data1 | swap1.cpp:82:15:82:20 | call to source |
| swap1.cpp:89:12:89:16 | data1 | swap1.cpp:82:15:82:20 | call to source |
| swap1.cpp:90:12:90:16 | data1 | swap1.cpp:82:15:82:20 | call to source |
| swap1.cpp:98:20:98:24 | data1 | swap1.cpp:96:23:96:28 | call to source |
| swap1.cpp:102:18:102:22 | data1 | swap1.cpp:96:23:96:28 | call to source |
| swap2.cpp:60:12:60:16 | data1 | swap2.cpp:58:15:58:20 | call to source |
| swap2.cpp:65:12:65:16 | data1 | swap2.cpp:58:15:58:20 | call to source |
| swap2.cpp:66:12:66:16 | data1 | swap2.cpp:58:15:58:20 | call to source |
| swap2.cpp:70:13:70:17 | data1 | swap2.cpp:69:16:69:21 | call to source |
| swap2.cpp:75:13:75:17 | data1 | swap2.cpp:69:16:69:21 | call to source |
| swap2.cpp:84:12:84:16 | data1 | swap2.cpp:82:15:82:20 | call to source |
| swap2.cpp:89:12:89:16 | data1 | swap2.cpp:82:15:82:20 | call to source |
| swap2.cpp:90:12:90:16 | data1 | swap2.cpp:82:15:82:20 | call to source |
| swap2.cpp:98:20:98:24 | data1 | swap2.cpp:96:23:96:28 | call to source |
| swap2.cpp:102:18:102:22 | data1 | swap2.cpp:96:23:96:28 | call to source |
| swap1.cpp:73:12:73:16 | data1 | swap1.cpp:71:15:71:20 | call to source |
| swap1.cpp:78:12:78:16 | data1 | swap1.cpp:71:15:71:20 | call to source |
| swap1.cpp:79:12:79:16 | data1 | swap1.cpp:71:15:71:20 | call to source |
| swap1.cpp:83:13:83:17 | data1 | swap1.cpp:82:16:82:21 | call to source |
| swap1.cpp:88:13:88:17 | data1 | swap1.cpp:82:16:82:21 | call to source |
| swap1.cpp:97:12:97:16 | data1 | swap1.cpp:95:15:95:20 | call to source |
| swap1.cpp:102:12:102:16 | data1 | swap1.cpp:95:15:95:20 | call to source |
| swap1.cpp:103:12:103:16 | data1 | swap1.cpp:95:15:95:20 | call to source |
| swap1.cpp:111:20:111:24 | data1 | swap1.cpp:109:23:109:28 | call to source |
| swap1.cpp:115:18:115:22 | data1 | swap1.cpp:109:23:109:28 | call to source |
| swap1.cpp:124:12:124:16 | data1 | swap1.cpp:122:15:122:20 | call to source |
| swap1.cpp:129:12:129:16 | data1 | swap1.cpp:122:15:122:20 | call to source |
| swap1.cpp:130:12:130:16 | data1 | swap1.cpp:122:15:122:20 | call to source |
| swap1.cpp:139:12:139:16 | data1 | swap1.cpp:137:15:137:20 | call to source |
| swap1.cpp:144:12:144:16 | data1 | swap1.cpp:137:15:137:20 | call to source |
| swap1.cpp:145:12:145:16 | data1 | swap1.cpp:137:15:137:20 | call to source |
| swap2.cpp:73:12:73:16 | data1 | swap2.cpp:71:15:71:20 | call to source |
| swap2.cpp:78:12:78:16 | data1 | swap2.cpp:71:15:71:20 | call to source |
| swap2.cpp:79:12:79:16 | data1 | swap2.cpp:71:15:71:20 | call to source |
| swap2.cpp:83:13:83:17 | data1 | swap2.cpp:82:16:82:21 | call to source |
| swap2.cpp:88:13:88:17 | data1 | swap2.cpp:82:16:82:21 | call to source |
| swap2.cpp:97:12:97:16 | data1 | swap2.cpp:95:15:95:20 | call to source |
| swap2.cpp:102:12:102:16 | data1 | swap2.cpp:95:15:95:20 | call to source |
| swap2.cpp:103:12:103:16 | data1 | swap2.cpp:95:15:95:20 | call to source |
| swap2.cpp:111:20:111:24 | data1 | swap2.cpp:109:23:109:28 | call to source |
| swap2.cpp:115:18:115:22 | data1 | swap2.cpp:109:23:109:28 | call to source |
| swap2.cpp:124:12:124:16 | data1 | swap2.cpp:122:15:122:20 | call to source |
| swap2.cpp:129:12:129:16 | data1 | swap2.cpp:122:15:122:20 | call to source |
| swap2.cpp:130:12:130:16 | data1 | swap2.cpp:122:15:122:20 | call to source |
| swap2.cpp:139:12:139:16 | data1 | swap2.cpp:137:15:137:20 | call to source |
| swap2.cpp:144:12:144:16 | data1 | swap2.cpp:137:15:137:20 | call to source |
| swap2.cpp:145:12:145:16 | data1 | swap2.cpp:137:15:137:20 | call to source |
| taint.cpp:8:8:8:13 | clean1 | taint.cpp:4:27:4:33 | source1 |
| taint.cpp:16:8:16:14 | source1 | taint.cpp:12:22:12:27 | call to source |
| taint.cpp:17:8:17:16 | ++ ... | taint.cpp:12:22:12:27 | call to source |

4
cpp/ql/test/library-tests/functions/functions/Functions2.expected
View File

@@ -20,7 +20,7 @@
| functions.cpp:23:7:23:11 | Table | Class | functions.cpp:30:8:30:13 | insert | |
| functions.cpp:33:7:33:13 | MyClass | Class | functions.cpp:33:7:33:7 | operator= | |
| functions.cpp:33:7:33:13 | MyClass | Class | functions.cpp:36:2:36:8 | MyClass | Constructor, NoArgConstructor, getAConstructor() |
| functions.cpp:33:7:33:13 | MyClass | Class | functions.cpp:37:2:37:8 | MyClass | Constructor, ConversionConstructor, getAConstructor() |
| functions.cpp:33:7:33:13 | MyClass | Class | functions.cpp:37:2:37:8 | MyClass | Constructor, getAConstructor() |
| functions.cpp:33:7:33:13 | MyClass | Class | functions.cpp:38:2:38:8 | MyClass | Constructor, CopyConstructor, getAConstructor() |
| functions.cpp:33:7:33:13 | MyClass | Class | functions.cpp:39:2:39:8 | MyClass | Constructor, ConversionConstructor, MoveConstructor, getAConstructor() |
| functions.cpp:33:7:33:13 | MyClass | Class | functions.cpp:39:2:39:8 | MyClass | Constructor, MoveConstructor, getAConstructor() |
| functions.cpp:33:7:33:13 | MyClass | Class | functions.cpp:40:2:40:13 | operator int | ConversionOperator |

3
cpp/ql/test/library-tests/functions/functions/Functions2.ql
View File

@@ -19,9 +19,6 @@ string describe(Class c, MemberFunction f) {
f instanceof Destructor and
result = "Destructor"
or
f instanceof ConversionConstructor and
result = "ConversionConstructor"
or
f instanceof CopyConstructor and
result = "CopyConstructor"
or

1027
cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.ql
View File

@@ -1,4 +1,4 @@
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
from VariableAccess expr
select expr, lowerBound(expr)
select expr, lowerBound(expr).toString()

66
cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c
View File

@@ -424,3 +424,69 @@ void test17() {
i = 20 + (j -= 10);
out(i); // 60 [BUG: the analysis thinks it's 2^-31 .. 2^31-1]
}
// Tests for unsigned multiplication.
int test_unsigned_mult01(unsigned int a, unsigned b) {
int total = 0;
if (3 <= a && a <= 11 && 5 <= b && b <= 23) {
int r = a*b; // 15 .. 253
total += r;
}
if (3 <= a && a <= 11 && 0 <= b && b <= 23) {
int r = a*b; // 0 .. 253
total += r;
}
if (3 <= a && a <= 11 && 13 <= b && b <= 23) {
int r = a*b; // 39 .. 253
total += r;
}
return total;
}
int test_unsigned_mult02(unsigned b) {
int total = 0;
if (5 <= b && b <= 23) {
int r = 11*b; // 55 .. 253
total += r;
}
if (0 <= b && b <= 23) {
int r = 11*b; // 0 .. 253
total += r;
}
if (13 <= b && b <= 23) {
int r = 11*b; // 143 .. 253
total += r;
}
return total;
}
unsigned long mult_rounding() {
unsigned long x, y, xy;
x = y = 1000000003UL; // 1e9 + 3
xy = x * y;
return xy; // BUG: upper bound should be >= 1000000006000000009UL
}
unsigned long mult_overflow() {
unsigned long x, y, xy;
x = 274177UL;
y = 67280421310721UL;
xy = x * y;
return xy; // BUG: lower bound should be <= 18446744073709551617UL
}
unsigned long mult_lower_bound(unsigned int ui, unsigned long ul) {
if (ui >= 10) {
unsigned long result = (unsigned long)ui * ui;
return result; // BUG: upper bound should be >= 18446744065119617025 (possibly a pretty-printing bug)
}
if (ul >= 10) {
unsigned long result = ul * ul;
return result; // lower bound is correctly 0 (overflow is possible)
}
return 0;
}

1027
cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.ql
View File

@@ -1,4 +1,4 @@
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
from VariableAccess expr
select expr, upperBound(expr)
select expr, upperBound(expr).toString()

4
cpp/ql/test/library-tests/specifiers2/specifiers2.expected
View File

@@ -62,6 +62,8 @@
| Function | specifiers2pp.cpp:29:7:29:7 | operator= | operator= | extern |
| Function | specifiers2pp.cpp:29:7:29:7 | operator= | operator= | inline |
| Function | specifiers2pp.cpp:29:7:29:7 | operator= | operator= | inline |
| Function | specifiers2pp.cpp:29:7:29:7 | operator= | operator= | is_constexpr |
| Function | specifiers2pp.cpp:29:7:29:7 | operator= | operator= | is_constexpr |
| Function | specifiers2pp.cpp:29:7:29:7 | operator= | operator= | public |
| Function | specifiers2pp.cpp:29:7:29:7 | operator= | operator= | public |
| Function | specifiers2pp.cpp:33:5:33:18 | fun | fun | public |
@@ -69,6 +71,8 @@
| Function | specifiers2pp.cpp:35:7:35:7 | operator= | operator= | extern |
| Function | specifiers2pp.cpp:35:7:35:7 | operator= | operator= | inline |
| Function | specifiers2pp.cpp:35:7:35:7 | operator= | operator= | inline |
| Function | specifiers2pp.cpp:35:7:35:7 | operator= | operator= | is_constexpr |
| Function | specifiers2pp.cpp:35:7:35:7 | operator= | operator= | is_constexpr |
| Function | specifiers2pp.cpp:35:7:35:7 | operator= | operator= | public |
| Function | specifiers2pp.cpp:35:7:35:7 | operator= | operator= | public |
| Function | specifiers2pp.cpp:40:12:40:18 | someFun | someFun | extern |

810
cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
View File

File diff suppressed because it is too large Load Diff

43
cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c
View File

@@ -365,7 +365,7 @@ int callCommand(void)
return 0;
}
int shifts(void)
void shifts(void)
{
unsigned int x = 3;
@@ -374,7 +374,7 @@ int shifts(void)
if (x >> 1 == 1) {} // always true [NOT DETECTED]
}
int bitwise_ands()
void bitwise_ands()
{
unsigned int x = 0xFF;
@@ -382,3 +382,42 @@ int bitwise_ands()
if ((x & 2) >= 2) {}
if ((x & 2) >= 3) {} // always false
}
void unsigned_mult(unsigned int x, unsigned int y) {
if(x < 13 && y < 35) {
if(x * y > 1024) {} // always false
if(x * y < 204) {}
if(x >= 3 && y >= 2) {
if(x * y < 5) {} // always false
}
}
}
void mult_rounding() {
unsigned long x, y, xy;
x = y = 1000000003UL; // 1e9 + 3
xy = 1000000006000000009UL; // x * y, precisely
// Even though the range analysis wrongly considers x*y to be xy - 9, there
// are no PointlessComparison false positives in these tests because alerts
// are suppressed when ulp() < 1, which roughly means that the number is
// larger than 2^53.
if (x * y < xy) {} // always false [NOT DETECTED]
if (x * y > xy) {} // always false [NOT DETECTED]
}
void mult_overflow() {
unsigned long x, y;
// The following two numbers multiply to 2^64 + 1, which is 1 when truncated
// to 64-bit unsigned.
x = 274177UL;
y = 67280421310721UL;
if (x * y == 1) {} // always true [BUG: reported as always false]
// This bug appears to be caused by
// `RangeAnalysisUtils::typeUpperBound(unsigned long)` having a result of
// 2**64 + 384, making the range analysis think that the multiplication can't
// overflow. The correct `typeUpperBound` would be 2**64 - 1, but we can't
// represent that with a QL float or int. We could make `typeUpperBound`
// exclusive instead of inclusive, but there is no exclusive upper bound for
// floats.
}

3
cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.expected
View File

@@ -41,6 +41,9 @@
| PointlessComparison.c:372:6:372:16 | ... >= ... | Comparison is always true because ... >> ... >= 1. |
| PointlessComparison.c:373:6:373:16 | ... >= ... | Comparison is always false because ... >> ... <= 1. |
| PointlessComparison.c:383:6:383:17 | ... >= ... | Comparison is always false because ... & ... <= 2. |
| PointlessComparison.c:388:10:388:21 | ... > ... | Comparison is always false because ... * ... <= 408. |
| PointlessComparison.c:391:12:391:20 | ... < ... | Comparison is always false because ... * ... >= 6. |
| PointlessComparison.c:414:7:414:16 | ... == ... | Comparison is always false because ... * ... >= 18446744073709552000. |
| PointlessComparison.cpp:36:6:36:33 | ... >= ... | Comparison is always false because ... >> ... <= 9223372036854776000. |
| PointlessComparison.cpp:41:6:41:29 | ... >= ... | Comparison is always false because ... >> ... <= 140737488355327.5. |
| PointlessComparison.cpp:42:6:42:29 | ... >= ... | Comparison is always false because ... >> ... <= 140737488355327.5. |

41
cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.cpp
View File

@@ -177,4 +177,43 @@ void FalseNegativeTestCases()
for (int i = 100; i > 0; i += 2) {}
// For comparison
for (int i = 100; i > 0; i ++ ) {} // BUG
}
}
void IntendedOverflow(unsigned char p)
{
const unsigned char m = 10;
unsigned char i;
signed char s;
for (i = 63; i < 64; i--) {} // GOOD (legitimate way to count down with an unsigned)
for (i = 63; i < 128; i--) {} // DUBIOUS (could still be a typo?)
for (i = 63; i < 255; i--) {} // GOOD
for (i = m - 1; i < m; i--) {} // GOOD
for (i = m - 2; i < m; i--) {} // DUBIOUS
for (i = m; i < m + 1; i--) {} // GOOD
for (s = 63; s < 64; s--) {} // BAD (signed numbers don't wrap at 0 / at all)
for (s = m + 1; s < m; s--) {} // BAD (never runs)
for (i = p - 1; i < p; i--) {} // GOOD
for (s = p - 1; s < p; s--) {} // BAD [NOT DETECTED]
{
int n;
n = 64;
for (i = n - 1; i < n; i--) {} // GOOD
n = 64;
for (i = n - 1; i < 64; i--) {} // GOOD
n = 64;
for (i = 63; i < n; i--) {} // GOOD
n = 64;
for (s = n - 1; s < n; s--) {} // BAD [NOT DETECTED]
n = 64;
for (s = n - 1; s < 64; s--) {} // BAD
n = 64;
for (s = 63; s < n; s--) {} // BAD [NOT DETECTED]
}
}

3
cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.expected
View File

@@ -20,3 +20,6 @@
| inconsistentLoopDirection.cpp:140:5:142:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (200), but the terminal condition is lower (0). |
| inconsistentLoopDirection.cpp:175:5:175:36 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (10). |
| inconsistentLoopDirection.cpp:179:5:179:38 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
| inconsistentLoopDirection.cpp:196:5:196:32 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "s" counts downward from a value (63), but the terminal condition is higher (64). |
| inconsistentLoopDirection.cpp:197:5:197:34 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "s" counts downward from a value (... + ...), but the terminal condition is always false. |
| inconsistentLoopDirection.cpp:215:3:215:33 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "s" counts downward from a value (... - ...), but the terminal condition is higher (64). |

1
cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected
View File

@@ -2,3 +2,4 @@
| tests.cpp:259:2:259:8 | call to sprintf | This 'call to sprintf' operation requires 17 bytes but the destination is only 10 bytes. |
| tests.cpp:272:2:272:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
| tests.cpp:273:2:273:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
| tests.cpp:308:3:308:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |

19
cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp
View File

@@ -289,3 +289,22 @@ void test5(va_list args, float f)
vsprintf(buffer4, "123", args); // GOOD
vsprintf(buffer4, "1234", args); // BAD: buffer overflow [NOT DETECTED]
}
namespace custom_sprintf_impl {
int sprintf(char *buf, const char *format, ...)
{
__builtin_va_list args;
int i;
__builtin_va_start(args, format);
i = vsprintf(buf, format, args);
__builtin_va_end(args);
return i;
}
void regression_test1()
{
char buffer8[8];
sprintf(buffer8, "12345678"); // BAD: potential buffer overflow
}
}