hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 17:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into rdmarsh2/cpp/constant-array-overflow-tests

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2023-07-05 13:49:17 +01:00
parent 60c0226dce f714de0040
commit d24a05a1b9
180 changed files with 3567 additions and 2411 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
View File

@@ -460,7 +460,6 @@ module Impl<FullStateConfigSig Config> {
* The Boolean `cc` records whether the node is reached through an
* argument in a call.
*/
pragma[assume_small_delta]
private predicate fwdFlow(NodeEx node, Cc cc) {
sourceNode(node, _) and
if hasSourceCallCtx() then cc = true else cc = false
@@ -570,7 +569,6 @@ module Impl<FullStateConfigSig Config> {
/**
* Holds if `c` is the target of a store in the flow covered by `fwdFlow`.
*/
pragma[assume_small_delta]
pragma[nomagic]
private predicate fwdFlowConsCand(Content c) {
exists(NodeEx mid, NodeEx node |
@@ -1216,7 +1214,6 @@ module Impl<FullStateConfigSig Config> {
fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t
}
pragma[assume_small_delta]
pragma[nomagic]
private predicate fwdFlow0(
NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT,
@@ -2777,7 +2774,6 @@ module Impl<FullStateConfigSig Config> {
/**
* Gets the number of `AccessPath`s that correspond to `apa`.
*/
pragma[assume_small_delta]
private int countAps(AccessPathApprox apa) {
evalUnfold(apa, false) and
result = 1 and
@@ -2796,7 +2792,6 @@ module Impl<FullStateConfigSig Config> {
* that it is expanded to a precise head-tail representation.
*/
language[monotonicAggregates]
pragma[assume_small_delta]
private int countPotentialAps(AccessPathApprox apa) {
apa instanceof AccessPathApproxNil and result = 1
or
@@ -2833,7 +2828,6 @@ module Impl<FullStateConfigSig Config> {
}
private newtype TPathNode =
pragma[assume_small_delta]
TPathNodeMid(
NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, AccessPath ap
) {
@@ -2918,7 +2912,6 @@ module Impl<FullStateConfigSig Config> {
override AccessPathFrontHead getFront() { result = TFrontHead(head_) }
pragma[assume_small_delta]
override AccessPathApproxCons getApprox() {
result = TConsNil(head_, t) and tail_ = TAccessPathNil()
or
@@ -2927,7 +2920,6 @@ module Impl<FullStateConfigSig Config> {
result = TCons1(head_, this.length())
}
pragma[assume_small_delta]
override int length() { result = 1 + tail_.length() }
private string toStringImpl(boolean needsSuffix) {
@@ -3379,7 +3371,6 @@ module Impl<FullStateConfigSig Config> {
* Holds if data may flow from `mid` to `node`. The last step in or out of
* a callable is recorded by `cc`.
*/
pragma[assume_small_delta]
pragma[nomagic]
private predicate pathStep0(
PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t,
@@ -3592,7 +3583,6 @@ module Impl<FullStateConfigSig Config> {
)
}
pragma[assume_small_delta]
pragma[nomagic]
private predicate pathThroughCallable0(
DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, FlowState state, CallContext cc,

2
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
View File

@@ -187,7 +187,6 @@ private module LambdaFlow {
else any()
}
pragma[assume_small_delta]
pragma[nomagic]
predicate revLambdaFlow0(
DataFlowCall lambdaCall, LambdaCallKind kind, Node node, DataFlowType t, boolean toReturn,
@@ -274,7 +273,6 @@ private module LambdaFlow {
)
}
pragma[assume_small_delta]
pragma[nomagic]
predicate revLambdaFlowOut(
DataFlowCall lambdaCall, LambdaCallKind kind, TReturnPositionSimple pos, DataFlowType t,

10
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
View File

@@ -460,7 +460,6 @@ module Impl<FullStateConfigSig Config> {
* The Boolean `cc` records whether the node is reached through an
* argument in a call.
*/
pragma[assume_small_delta]
private predicate fwdFlow(NodeEx node, Cc cc) {
sourceNode(node, _) and
if hasSourceCallCtx() then cc = true else cc = false
@@ -570,7 +569,6 @@ module Impl<FullStateConfigSig Config> {
/**
* Holds if `c` is the target of a store in the flow covered by `fwdFlow`.
*/
pragma[assume_small_delta]
pragma[nomagic]
private predicate fwdFlowConsCand(Content c) {
exists(NodeEx mid, NodeEx node |
@@ -1216,7 +1214,6 @@ module Impl<FullStateConfigSig Config> {
fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t
}
pragma[assume_small_delta]
pragma[nomagic]
private predicate fwdFlow0(
NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT,
@@ -2777,7 +2774,6 @@ module Impl<FullStateConfigSig Config> {
/**
* Gets the number of `AccessPath`s that correspond to `apa`.
*/
pragma[assume_small_delta]
private int countAps(AccessPathApprox apa) {
evalUnfold(apa, false) and
result = 1 and
@@ -2796,7 +2792,6 @@ module Impl<FullStateConfigSig Config> {
* that it is expanded to a precise head-tail representation.
*/
language[monotonicAggregates]
pragma[assume_small_delta]
private int countPotentialAps(AccessPathApprox apa) {
apa instanceof AccessPathApproxNil and result = 1
or
@@ -2833,7 +2828,6 @@ module Impl<FullStateConfigSig Config> {
}
private newtype TPathNode =
pragma[assume_small_delta]
TPathNodeMid(
NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, AccessPath ap
) {
@@ -2918,7 +2912,6 @@ module Impl<FullStateConfigSig Config> {
override AccessPathFrontHead getFront() { result = TFrontHead(head_) }
pragma[assume_small_delta]
override AccessPathApproxCons getApprox() {
result = TConsNil(head_, t) and tail_ = TAccessPathNil()
or
@@ -2927,7 +2920,6 @@ module Impl<FullStateConfigSig Config> {
result = TCons1(head_, this.length())
}
pragma[assume_small_delta]
override int length() { result = 1 + tail_.length() }
private string toStringImpl(boolean needsSuffix) {
@@ -3379,7 +3371,6 @@ module Impl<FullStateConfigSig Config> {
* Holds if data may flow from `mid` to `node`. The last step in or out of
* a callable is recorded by `cc`.
*/
pragma[assume_small_delta]
pragma[nomagic]
private predicate pathStep0(
PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t,
@@ -3592,7 +3583,6 @@ module Impl<FullStateConfigSig Config> {
)
}
pragma[assume_small_delta]
pragma[nomagic]
private predicate pathThroughCallable0(
DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, FlowState state, CallContext cc,

2
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
View File

@@ -187,7 +187,6 @@ private module LambdaFlow {
else any()
}
pragma[assume_small_delta]
pragma[nomagic]
predicate revLambdaFlow0(
DataFlowCall lambdaCall, LambdaCallKind kind, Node node, DataFlowType t, boolean toReturn,
@@ -274,7 +273,6 @@ private module LambdaFlow {
)
}
pragma[assume_small_delta]
pragma[nomagic]
predicate revLambdaFlowOut(
DataFlowCall lambdaCall, LambdaCallKind kind, TReturnPositionSimple pos, DataFlowType t,

76
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
View File

@@ -321,9 +321,11 @@ private class PrimaryArgumentNode extends ArgumentNode, OperandNode {
private class SideEffectArgumentNode extends ArgumentNode, SideEffectOperandNode {
override predicate argumentOf(DataFlowCall dfCall, ArgumentPosition pos) {
this.getCallInstruction() = dfCall and
pos.(IndirectionPosition).getArgumentIndex() = this.getArgumentIndex() and
super.hasAddressOperandAndIndirectionIndex(_, pos.(IndirectionPosition).getIndirectionIndex())
exists(int indirectionIndex |
pos = TIndirectionPosition(argumentIndex, pragma[only_bind_into](indirectionIndex)) and
this.getCallInstruction() = dfCall and
super.hasAddressOperandAndIndirectionIndex(_, pragma[only_bind_into](indirectionIndex))
)
}
}
@@ -854,7 +856,73 @@ class DataFlowCall extends CallInstruction {
Function getEnclosingCallable() { result = this.getEnclosingFunction() }
}
predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } // stub implementation
module IsUnreachableInCall {
private import semmle.code.cpp.ir.ValueNumbering
private import semmle.code.cpp.controlflow.IRGuards as G
private class ConstantIntegralTypeArgumentNode extends PrimaryArgumentNode {
int value;
ConstantIntegralTypeArgumentNode() {
value = op.getDef().(IntegerConstantInstruction).getValue().toInt()
}
int getValue() { result = value }
}
pragma[nomagic]
private predicate ensuresEq(Operand left, Operand right, int k, IRBlock block, boolean areEqual) {
any(G::IRGuardCondition guard).ensuresEq(left, right, k, block, areEqual)
}
pragma[nomagic]
private predicate ensuresLt(Operand left, Operand right, int k, IRBlock block, boolean areEqual) {
any(G::IRGuardCondition guard).ensuresLt(left, right, k, block, areEqual)
}
predicate isUnreachableInCall(Node n, DataFlowCall call) {
exists(
DirectParameterNode paramNode, ConstantIntegralTypeArgumentNode arg,
IntegerConstantInstruction constant, int k, Operand left, Operand right, IRBlock block
|
// arg flows into `paramNode`
DataFlowImplCommon::viableParamArg(call, paramNode, arg) and
left = constant.getAUse() and
right = valueNumber(paramNode.getInstruction()).getAUse() and
block = n.getBasicBlock()
|
// and there's a guard condition which ensures that the result of `left == right + k` is `areEqual`
exists(boolean areEqual |
ensuresEq(pragma[only_bind_into](left), pragma[only_bind_into](right),
pragma[only_bind_into](k), pragma[only_bind_into](block), areEqual)
|
// this block ensures that left = right + k, but it holds that `left != right + k`
areEqual = true and
constant.getValue().toInt() != arg.getValue() + k
or
// this block ensures that or `left != right + k`, but it holds that `left = right + k`
areEqual = false and
constant.getValue().toInt() = arg.getValue() + k
)
or
// or there's a guard condition which ensures that the result of `left < right + k` is `isLessThan`
exists(boolean isLessThan |
ensuresLt(pragma[only_bind_into](left), pragma[only_bind_into](right),
pragma[only_bind_into](k), pragma[only_bind_into](block), isLessThan)
|
isLessThan = true and
// this block ensures that `left < right + k`, but it holds that `left >= right + k`
constant.getValue().toInt() >= arg.getValue() + k
or
// this block ensures that `left >= right + k`, but it holds that `left < right + k`
isLessThan = false and
constant.getValue().toInt() < arg.getValue() + k
)
)
}
}
import IsUnreachableInCall
int accessPathLimit() { result = 5 }

3
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll
View File

@@ -359,7 +359,6 @@ module ProductFlow {
Config::isSinkPair(node1.getNode(), node1.getState(), node2.getNode(), node2.getState())
}
pragma[assume_small_delta]
pragma[nomagic]
private predicate fwdReachableInterprocEntry(Flow1::PathNode node1, Flow2::PathNode node2) {
isSourcePair(node1, node2)
@@ -396,7 +395,6 @@ module ProductFlow {
fwdIsSuccessorExit(pragma[only_bind_into](mid1), pragma[only_bind_into](mid2), succ1, succ2)
}
pragma[assume_small_delta]
private predicate fwdIsSuccessor(
Flow1::PathNode pred1, Flow2::PathNode pred2, Flow1::PathNode succ1, Flow2::PathNode succ2
) {
@@ -406,7 +404,6 @@ module ProductFlow {
)
}
pragma[assume_small_delta]
pragma[nomagic]
private predicate revReachableInterprocEntry(Flow1::PathNode node1, Flow2::PathNode node2) {
fwdReachableInterprocEntry(node1, node2) and

1
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
View File

@@ -588,7 +588,6 @@ private module Cached {
)
}
pragma[assume_small_delta]
private predicate convertsIntoArgumentRev(Instruction instr) {
convertsIntoArgumentFwd(instr) and
(

3
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll
View File

@@ -176,7 +176,6 @@ private predicate binaryValueNumber0(
)
}
pragma[assume_small_delta]
private predicate binaryValueNumber(
BinaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber leftOperand,
TValueNumber rightOperand
@@ -202,7 +201,6 @@ private predicate pointerArithmeticValueNumber0(
)
}
pragma[assume_small_delta]
private predicate pointerArithmeticValueNumber(
PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
TValueNumber leftOperand, TValueNumber rightOperand
@@ -249,7 +247,6 @@ private predicate loadTotalOverlapValueNumber0(
)
}
pragma[assume_small_delta]
private predicate loadTotalOverlapValueNumber(
LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber memOperand,
TValueNumber operand

3
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll
View File

@@ -176,7 +176,6 @@ private predicate binaryValueNumber0(
)
}
pragma[assume_small_delta]
private predicate binaryValueNumber(
BinaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber leftOperand,
TValueNumber rightOperand
@@ -202,7 +201,6 @@ private predicate pointerArithmeticValueNumber0(
)
}
pragma[assume_small_delta]
private predicate pointerArithmeticValueNumber(
PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
TValueNumber leftOperand, TValueNumber rightOperand
@@ -249,7 +247,6 @@ private predicate loadTotalOverlapValueNumber0(
)
}
pragma[assume_small_delta]
private predicate loadTotalOverlapValueNumber(
LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber memOperand,
TValueNumber operand

3
cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll
View File

@@ -176,7 +176,6 @@ private predicate binaryValueNumber0(
)
}
pragma[assume_small_delta]
private predicate binaryValueNumber(
BinaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber leftOperand,
TValueNumber rightOperand
@@ -202,7 +201,6 @@ private predicate pointerArithmeticValueNumber0(
)
}
pragma[assume_small_delta]
private predicate pointerArithmeticValueNumber(
PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
TValueNumber leftOperand, TValueNumber rightOperand
@@ -249,7 +247,6 @@ private predicate loadTotalOverlapValueNumber0(
)
}
pragma[assume_small_delta]
private predicate loadTotalOverlapValueNumber(
LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber memOperand,
TValueNumber operand

2
cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll
View File

@@ -70,7 +70,7 @@ predicate semBackEdge(SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionP
// Conservatively assume that every edge is a back edge if we don't have dominance information.
(
phi.getBasicBlock().bbDominates(edge.getOrigBlock()) or
irreducibleSccEdge(phi.getBasicBlock(), edge.getOrigBlock()) or
irreducibleSccEdge(edge.getOrigBlock(), phi.getBasicBlock()) or
not edge.getOrigBlock().hasDominanceInformation()
)
}

1
cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisStage.qll
View File

@@ -877,7 +877,6 @@ module RangeStage<
)
}
pragma[assume_small_delta]
pragma[nomagic]
private predicate boundedPhiRankStep(
SemSsaPhiNode phi, SemBound b, D::Delta delta, boolean upper, boolean fromBackEdge,

5
cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
View File

@@ -5,7 +5,7 @@
* @kind path-problem
* @problem.severity error
* @security-severity 9.3
* @precision low
* @precision medium
* @id cpp/overrun-write
* @tags reliability
* security
@@ -233,7 +233,8 @@ module StringSizeConfig implements ProductFlow::StateConfigSig {
// we use `state2` to remember that there was an offset (in this case an offset of `1`) added
// to the size of the allocation. This state is then checked in `isSinkPair`.
exists(state1) and
hasSize(bufSource.asConvertedExpr(), sizeSource, state2)
hasSize(bufSource.asConvertedExpr(), sizeSource, state2) and
validState(sizeSource, state2)
}
predicate isSinkPair(

9
cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
View File

@@ -45,13 +45,20 @@ Element friendlyLoc(Expr e) {
not e instanceof Access and not e instanceof Call and result = e
}
int getComparisonSizeAdjustment(Expr e) {
if e.getType().(IntegralType).isSigned() then result = 1 else result = 0
}
from Loop l, RelationalOperation rel, VariableAccess small, Expr large
where
small = rel.getLesserOperand() and
large = rel.getGreaterOperand() and
rel = l.getCondition().getAChild*() and
forall(Expr conv | conv = large.getConversion*() |
upperBound(conv).log2() > getComparisonSize(small) * 8
// We adjust the comparison size in the case of a signed integer type.
// This is to exclude the sign bit from the comparison that determines if the small type's size is sufficient to hold
// the value of the larger type determined with range analysis.
upperBound(conv).log2() > (getComparisonSize(small) * 8 - getComparisonSizeAdjustment(small))
) and
// Ignore cases where the smaller type is int or larger
// These are still bugs, but you should need a very large string or array to

4
cpp/ql/src/change-notes/2023-06-29-improve-comparison-wider-type.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `cpp/comparison-with-wider-type` query now correctly handles relational operations on signed operators. As a result the query may find more results.

10
cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
View File

@@ -80,14 +80,14 @@ predicate isInvalidPointerDerefSink2(DataFlow::Node sink, Instruction i, string
predicate arrayTypeCand(ArrayType arrayType) {
any(Variable v).getUnspecifiedType() = arrayType and
exists(arrayType.getArraySize())
exists(arrayType.getByteSize())
}
pragma[nomagic]
predicate arrayTypeHasSizes(ArrayType arr, int baseTypeSize, int arraySize) {
bindingset[baseTypeSize]
pragma[inline_late]
predicate arrayTypeHasSizes(ArrayType arr, int baseTypeSize, int size) {
arrayTypeCand(arr) and
arr.getBaseType().getSize() = baseTypeSize and
arr.getArraySize() = arraySize
arr.getByteSize() / baseTypeSize = size
}
bindingset[pai]

66
cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
View File

@@ -312,11 +312,13 @@ Instruction getASuccessor(Instruction instr) {
*/
pragma[inline]
predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string operation, int delta) {
exists(AddressOperand addr, Instruction s |
exists(AddressOperand addr, Instruction s, IRBlock b |
s = sink.asInstruction() and
bounded1(addr.getDef(), s, delta) and
boundedImpl(addr.getDef(), s, delta) and
delta >= 0 and
i.getAnOperand() = addr
i.getAnOperand() = addr and
b = i.getBlock() and
not b = InvalidPointerToDerefBarrier::getABarrierBlock(delta)
|
i instanceof StoreInstruction and
operation = "write"
@@ -326,6 +328,60 @@ predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string o
)
}
module InvalidPointerToDerefBarrier {
private module BarrierConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
// The sources is the same as in the sources for `InvalidPointerToDerefConfig`.
invalidPointerToDerefSource(_, source, _)
}
additional predicate isSink(
DataFlow::Node left, DataFlow::Node right, IRGuardCondition g, int state, boolean testIsTrue
) {
// The sink is any "large" side of a relational comparison.
g.comparesLt(left.asOperand(), right.asOperand(), state, true, testIsTrue)
}
predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) }
}
private import DataFlow::Global<BarrierConfig>
private int getInvalidPointerToDerefSourceDelta(DataFlow::Node node) {
exists(DataFlow::Node source |
flow(source, node) and
invalidPointerToDerefSource(_, source, result)
)
}
private predicate operandGuardChecks(
IRGuardCondition g, Operand left, Operand right, int state, boolean edge
) {
exists(DataFlow::Node nLeft, DataFlow::Node nRight, int state0 |
nRight.asOperand() = right and
nLeft.asOperand() = left and
BarrierConfig::isSink(nLeft, nRight, g, state0, edge) and
state = getInvalidPointerToDerefSourceDelta(nRight) and
state0 <= state
)
}
Instruction getABarrierInstruction(int state) {
exists(IRGuardCondition g, ValueNumber value, Operand use, boolean edge |
use = value.getAUse() and
operandGuardChecks(pragma[only_bind_into](g), pragma[only_bind_into](use), _, state,
pragma[only_bind_into](edge)) and
result = value.getAnInstruction() and
g.controls(result.getBlock(), edge)
)
}
DataFlow::Node getABarrierNode() { result.asOperand() = getABarrierInstruction(_).getAUse() }
pragma[nomagic]
IRBlock getABarrierBlock(int state) { result.getAnInstruction() = getABarrierInstruction(state) }
}
/**
* A configuration to track flow from a pointer-arithmetic operation found
* by `AllocToInvalidPointerConfig` to a dereference of the pointer.
@@ -338,6 +394,8 @@ module InvalidPointerToDerefConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) {
node = any(DataFlow::SsaPhiNode phi | not phi.isPhiRead()).getAnInput(true)
or
node = InvalidPointerToDerefBarrier::getABarrierNode()
}
}
@@ -382,7 +440,7 @@ newtype TMergedPathNode =
// pointer, but we want to raise an alert at the dereference.
TPathNodeSink(Instruction i) {
exists(DataFlow::Node n |
InvalidPointerToDerefFlow::flowTo(n) and
InvalidPointerToDerefFlow::flowTo(pragma[only_bind_into](n)) and
isInvalidPointerDerefSink(n, i, _, _) and
i = getASuccessor(n.asInstruction())
)

39
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
View File

@@ -39,6 +39,22 @@ edges
| test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... |
| test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | & ... indirection |
| test.cpp:158:17:158:18 | & ... indirection | test.cpp:146:26:146:26 | p indirection |
| test.cpp:218:23:218:28 | buffer | test.cpp:220:5:220:11 | access to array |
| test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array |
| test.cpp:229:25:229:29 | array | test.cpp:231:5:231:10 | access to array |
| test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array |
| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array |
| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array |
| test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p |
| test.cpp:274:14:274:20 | buffer3 | test.cpp:274:14:274:20 | buffer3 |
| test.cpp:277:35:277:35 | p | test.cpp:278:14:278:14 | p |
| test.cpp:278:14:278:14 | p | test.cpp:245:30:245:30 | p |
| test.cpp:283:19:283:25 | buffer1 | test.cpp:277:35:277:35 | p |
| test.cpp:283:19:283:25 | buffer1 | test.cpp:283:19:283:25 | buffer1 |
| test.cpp:286:19:286:25 | buffer2 | test.cpp:277:35:277:35 | p |
| test.cpp:286:19:286:25 | buffer2 | test.cpp:286:19:286:25 | buffer2 |
| test.cpp:289:19:289:25 | buffer3 | test.cpp:277:35:277:35 | p |
| test.cpp:289:19:289:25 | buffer3 | test.cpp:289:19:289:25 | buffer3 |
nodes
| test.cpp:34:5:34:24 | access to array | semmle.label | access to array |
| test.cpp:34:10:34:12 | buf | semmle.label | buf |
@@ -96,6 +112,25 @@ nodes
| test.cpp:156:12:156:14 | buf | semmle.label | buf |
| test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
| test.cpp:158:17:158:18 | & ... indirection | semmle.label | & ... indirection |
| test.cpp:218:23:218:28 | buffer | semmle.label | buffer |
| test.cpp:220:5:220:11 | access to array | semmle.label | access to array |
| test.cpp:221:5:221:11 | access to array | semmle.label | access to array |
| test.cpp:229:25:229:29 | array | semmle.label | array |
| test.cpp:231:5:231:10 | access to array | semmle.label | access to array |
| test.cpp:232:5:232:10 | access to array | semmle.label | access to array |
| test.cpp:245:30:245:30 | p | semmle.label | p |
| test.cpp:245:30:245:30 | p | semmle.label | p |
| test.cpp:261:27:261:30 | access to array | semmle.label | access to array |
| test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 |
| test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 |
| test.cpp:277:35:277:35 | p | semmle.label | p |
| test.cpp:278:14:278:14 | p | semmle.label | p |
| test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 |
| test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 |
| test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 |
| test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 |
| test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 |
| test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 |
subpaths
#select
| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
@@ -107,6 +142,10 @@ subpaths
| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
| test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write |
| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:148:6:148:9 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write |
| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write |
| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read |

78
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
View File

@@ -211,4 +211,80 @@ int countdownLength2() {
}
return p[5];
}
}
void pointer_size_larger_than_array_element_size() {
unsigned char buffer[100]; // getByteSize() = 100
int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25
ptr[24] = 0; // GOOD: writes bytes 96, 97, 98, 99
ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103
}
struct vec2 { int x, y; };
struct vec3 { int x, y, z; };
void pointer_size_smaller_than_array_element_size_but_does_not_divide_it() {
vec3 array[3]; // getByteSize() = 9 * sizeof(int)
vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4
ptr[3] = vec2{}; // GOOD: writes ints 6, 7
ptr[4] = vec2{}; // BAD: writes ints 8, 9
}
void pointer_size_larger_than_array_element_size_and_does_not_divide_it() {
vec2 array[2]; // getByteSize() = 4 * sizeof(int) = 4 * 4 = 16
vec3 *ptr = (vec3 *)array; // pai.getElementSize() will be 3 * sizeof(int) -> size = 1
ptr[0] = vec3{}; // GOOD: writes ints 0, 1, 2
ptr[1] = vec3{}; // BAD: writes ints 3, 4, 5 [NOT DETECTED]
}
void use(...);
void call_use(unsigned char* p, int n) {
if(n == 0) {
return;
}
if(n == 1) {
unsigned char x = p[0];
use(x);
}
if(n == 2) {
unsigned char x = p[0];
unsigned char y = p[1];
use(x, y);
}
if(n == 3) {
unsigned char x = p[0];
unsigned char y = p[1];
unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point.
use(x, y, z);
}
}
void test_call_use() {
unsigned char buffer1[1];
call_use(buffer1,1);
unsigned char buffer2[2];
call_use(buffer2,2);
unsigned char buffer3[3];
call_use(buffer3,3);
}
void call_call_use(unsigned char* p, int n) {
call_use(p, n);
}
void test_call_use2() {
unsigned char buffer1[1];
call_call_use(buffer1,1);
unsigned char buffer2[2];
call_call_use(buffer2,2);
unsigned char buffer3[3];
call_call_use(buffer3,3);
}

573
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
View File

@@ -720,14 +720,6 @@ edges
| test.cpp:359:16:359:27 | end_plus_one | test.cpp:359:14:359:32 | Load: * ... |
| test.cpp:359:16:359:31 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
| test.cpp:363:14:363:27 | new[] | test.cpp:365:15:365:15 | p |
| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... |
| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... |
| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p |
| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p |
| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p |
| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p |
| test.cpp:371:7:371:7 | p | test.cpp:372:15:372:16 | Load: * ... |
| test.cpp:372:16:372:16 | p | test.cpp:372:15:372:16 | Load: * ... |
| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:16 | xs |
| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
@@ -752,53 +744,303 @@ edges
| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
| test.cpp:384:14:384:16 | end | test.cpp:384:13:384:16 | Load: * ... |
| test.cpp:388:14:388:27 | new[] | test.cpp:389:16:389:17 | xs |
| test.cpp:388:14:388:27 | new[] | test.cpp:392:5:392:6 | xs |
| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:6 | xs |
| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
| test.cpp:395:5:395:6 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
| test.cpp:406:3:406:25 | ... = ... | test.cpp:406:7:406:8 | val indirection [post update] [xs] |
| test.cpp:406:7:406:8 | val indirection [post update] [xs] | test.cpp:407:3:407:5 | val indirection [xs] |
| test.cpp:406:12:406:25 | new[] | test.cpp:406:3:406:25 | ... = ... |
| test.cpp:407:3:407:5 | val indirection [xs] | test.cpp:407:7:407:8 | xs indirection |
| test.cpp:407:7:407:8 | xs indirection | test.cpp:407:7:407:8 | xs |
| test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:8 | xs |
| test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:6 | xs |
| test.cpp:439:14:439:27 | new[] | test.cpp:444:5:444:6 | xs |
| test.cpp:450:14:450:27 | new[] | test.cpp:455:5:455:6 | xs |
| test.cpp:455:5:455:6 | xs | test.cpp:455:5:455:15 | access to array |
| test.cpp:455:5:455:15 | access to array | test.cpp:455:5:455:19 | Store: ... = ... |
| test.cpp:461:14:461:27 | new[] | test.cpp:466:5:466:6 | xs |
| test.cpp:466:5:466:6 | xs | test.cpp:466:5:466:15 | access to array |
| test.cpp:466:5:466:15 | access to array | test.cpp:466:5:466:19 | Store: ... = ... |
| test.cpp:472:14:472:27 | new[] | test.cpp:477:5:477:6 | xs |
| test.cpp:483:14:483:27 | new[] | test.cpp:488:5:488:6 | xs |
| test.cpp:494:14:494:31 | new[] | test.cpp:499:5:499:6 | xs |
| test.cpp:505:14:505:31 | new[] | test.cpp:510:5:510:6 | xs |
| test.cpp:516:14:516:31 | new[] | test.cpp:521:5:521:6 | xs |
| test.cpp:527:14:527:31 | new[] | test.cpp:532:5:532:6 | xs |
| test.cpp:538:14:538:31 | new[] | test.cpp:543:5:543:6 | xs |
| test.cpp:549:14:549:31 | new[] | test.cpp:554:5:554:6 | xs |
| test.cpp:554:5:554:6 | xs | test.cpp:554:5:554:15 | access to array |
| test.cpp:554:5:554:15 | access to array | test.cpp:554:5:554:19 | Store: ... = ... |
| test.cpp:388:14:388:27 | new[] | test.cpp:392:3:392:4 | xs |
| test.cpp:399:14:399:27 | new[] | test.cpp:400:16:400:17 | xs |
| test.cpp:399:14:399:27 | new[] | test.cpp:402:5:402:6 | xs |
| test.cpp:410:14:410:27 | new[] | test.cpp:411:16:411:17 | xs |
| test.cpp:410:14:410:27 | new[] | test.cpp:413:5:413:6 | xs |
| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end |
| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end |
| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end |
| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end |
| test.cpp:411:15:411:23 | & ... | test.cpp:414:14:414:16 | end |
| test.cpp:411:15:411:23 | & ... | test.cpp:414:14:414:16 | end |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:16:411:17 | xs | test.cpp:411:16:411:23 | access to array |
| test.cpp:411:16:411:17 | xs | test.cpp:411:16:411:23 | access to array |
| test.cpp:411:16:411:17 | xs | test.cpp:412:12:412:14 | end |
| test.cpp:411:16:411:17 | xs | test.cpp:412:12:412:14 | end |
| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ |
| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ |
| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ |
| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ |
| test.cpp:411:16:411:17 | xs | test.cpp:414:9:414:10 | xs |
| test.cpp:411:16:411:17 | xs | test.cpp:414:14:414:16 | end |
| test.cpp:411:16:411:17 | xs | test.cpp:415:7:415:11 | access to array |
| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:16:411:23 | access to array | test.cpp:412:12:412:14 | end |
| test.cpp:411:16:411:23 | access to array | test.cpp:412:12:412:14 | end |
| test.cpp:411:16:411:23 | access to array | test.cpp:414:14:414:16 | end |
| test.cpp:411:16:411:23 | access to array | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:411:16:411:23 | access to array | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:412:12:412:14 | end | test.cpp:414:14:414:16 | end |
| test.cpp:412:12:412:14 | end | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:412:12:412:14 | end | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:413:5:413:8 | ... ++ | test.cpp:413:5:413:8 | ... ++ |
| test.cpp:413:5:413:8 | ... ++ | test.cpp:413:5:413:8 | ... ++ |
| test.cpp:413:5:413:8 | ... ++ | test.cpp:414:9:414:10 | xs |
| test.cpp:413:5:413:8 | ... ++ | test.cpp:414:9:414:10 | xs |
| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:414:9:414:10 | xs | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:414:14:414:16 | end | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:415:7:415:11 | access to array | test.cpp:415:7:415:15 | Store: ... = ... |
| test.cpp:421:14:421:27 | new[] | test.cpp:422:16:422:17 | xs |
| test.cpp:421:14:421:27 | new[] | test.cpp:424:5:424:6 | xs |
| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end |
| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end |
| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end |
| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end |
| test.cpp:422:15:422:23 | & ... | test.cpp:425:18:425:20 | end |
| test.cpp:422:15:422:23 | & ... | test.cpp:425:18:425:20 | end |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:16:422:17 | xs | test.cpp:422:16:422:23 | access to array |
| test.cpp:422:16:422:17 | xs | test.cpp:422:16:422:23 | access to array |
| test.cpp:422:16:422:17 | xs | test.cpp:423:12:423:14 | end |
| test.cpp:422:16:422:17 | xs | test.cpp:423:12:423:14 | end |
| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ |
| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ |
| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ |
| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ |
| test.cpp:422:16:422:17 | xs | test.cpp:425:9:425:10 | xs |
| test.cpp:422:16:422:17 | xs | test.cpp:425:9:425:10 | xs |
| test.cpp:422:16:422:17 | xs | test.cpp:425:18:425:20 | end |
| test.cpp:422:16:422:17 | xs | test.cpp:426:7:426:8 | xs |
| test.cpp:422:16:422:17 | xs | test.cpp:426:7:426:11 | access to array |
| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:16:422:23 | access to array | test.cpp:423:12:423:14 | end |
| test.cpp:422:16:422:23 | access to array | test.cpp:423:12:423:14 | end |
| test.cpp:422:16:422:23 | access to array | test.cpp:425:18:425:20 | end |
| test.cpp:422:16:422:23 | access to array | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:422:16:422:23 | access to array | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:423:12:423:14 | end | test.cpp:425:18:425:20 | end |
| test.cpp:423:12:423:14 | end | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:423:12:423:14 | end | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:424:5:424:8 | ... ++ |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:424:5:424:8 | ... ++ |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:8 | xs |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:8 | xs |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:425:9:425:10 | xs | test.cpp:426:7:426:8 | xs |
| test.cpp:425:9:425:10 | xs | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:425:9:425:10 | xs | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:425:18:425:20 | end | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:426:7:426:8 | xs | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:426:7:426:11 | access to array | test.cpp:426:7:426:15 | Store: ... = ... |
| test.cpp:432:14:432:27 | new[] | test.cpp:433:16:433:17 | xs |
| test.cpp:432:14:432:27 | new[] | test.cpp:436:5:436:6 | xs |
| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end |
| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end |
| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end |
| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end |
| test.cpp:433:15:433:23 | & ... | test.cpp:435:5:435:7 | end |
| test.cpp:433:15:433:23 | & ... | test.cpp:435:5:435:7 | end |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:16:433:17 | xs | test.cpp:433:16:433:23 | access to array |
| test.cpp:433:16:433:17 | xs | test.cpp:433:16:433:23 | access to array |
| test.cpp:433:16:433:17 | xs | test.cpp:434:12:434:14 | end |
| test.cpp:433:16:433:17 | xs | test.cpp:434:12:434:14 | end |
| test.cpp:433:16:433:17 | xs | test.cpp:435:5:435:7 | end |
| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ |
| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ |
| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ |
| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ |
| test.cpp:433:16:433:17 | xs | test.cpp:437:9:437:10 | xs |
| test.cpp:433:16:433:17 | xs | test.cpp:438:7:438:11 | access to array |
| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:16:433:23 | access to array | test.cpp:434:12:434:14 | end |
| test.cpp:433:16:433:23 | access to array | test.cpp:434:12:434:14 | end |
| test.cpp:433:16:433:23 | access to array | test.cpp:435:5:435:7 | end |
| test.cpp:433:16:433:23 | access to array | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:433:16:433:23 | access to array | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:434:12:434:14 | end | test.cpp:435:5:435:7 | end |
| test.cpp:434:12:434:14 | end | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:434:12:434:14 | end | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:435:5:435:7 | end | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:436:5:436:8 | ... ++ | test.cpp:436:5:436:8 | ... ++ |
| test.cpp:436:5:436:8 | ... ++ | test.cpp:436:5:436:8 | ... ++ |
| test.cpp:436:5:436:8 | ... ++ | test.cpp:437:9:437:10 | xs |
| test.cpp:436:5:436:8 | ... ++ | test.cpp:437:9:437:10 | xs |
| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:437:9:437:10 | xs | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:438:7:438:11 | access to array | test.cpp:438:7:438:15 | Store: ... = ... |
| test.cpp:444:14:444:27 | new[] | test.cpp:445:16:445:17 | xs |
| test.cpp:444:14:444:27 | new[] | test.cpp:448:5:448:6 | xs |
| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:15:445:23 | & ... | test.cpp:446:3:446:5 | end |
| test.cpp:445:15:445:23 | & ... | test.cpp:446:3:446:5 | end |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:16:445:17 | xs | test.cpp:445:16:445:23 | access to array |
| test.cpp:445:16:445:17 | xs | test.cpp:445:16:445:23 | access to array |
| test.cpp:445:16:445:17 | xs | test.cpp:446:3:446:5 | end |
| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ |
| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ |
| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ |
| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ |
| test.cpp:445:16:445:17 | xs | test.cpp:449:9:449:10 | xs |
| test.cpp:445:16:445:17 | xs | test.cpp:450:7:450:11 | access to array |
| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:16:445:23 | access to array | test.cpp:446:3:446:5 | end |
| test.cpp:445:16:445:23 | access to array | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:445:16:445:23 | access to array | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:446:3:446:5 | end | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:448:5:448:8 | ... ++ | test.cpp:448:5:448:8 | ... ++ |
| test.cpp:448:5:448:8 | ... ++ | test.cpp:448:5:448:8 | ... ++ |
| test.cpp:448:5:448:8 | ... ++ | test.cpp:449:9:449:10 | xs |
| test.cpp:448:5:448:8 | ... ++ | test.cpp:449:9:449:10 | xs |
| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:449:9:449:10 | xs | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:450:7:450:11 | access to array | test.cpp:450:7:450:15 | Store: ... = ... |
| test.cpp:456:14:456:31 | new[] | test.cpp:457:16:457:17 | xs |
| test.cpp:456:14:456:31 | new[] | test.cpp:460:5:460:6 | xs |
| test.cpp:468:14:468:27 | new[] | test.cpp:469:16:469:17 | xs |
| test.cpp:468:14:468:27 | new[] | test.cpp:472:5:472:6 | xs |
| test.cpp:480:14:480:27 | new[] | test.cpp:481:16:481:17 | xs |
| test.cpp:480:14:480:27 | new[] | test.cpp:484:5:484:6 | xs |
| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:15:481:23 | & ... | test.cpp:482:3:482:5 | end |
| test.cpp:481:15:481:23 | & ... | test.cpp:482:3:482:5 | end |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:16:481:17 | xs | test.cpp:481:16:481:23 | access to array |
| test.cpp:481:16:481:17 | xs | test.cpp:481:16:481:23 | access to array |
| test.cpp:481:16:481:17 | xs | test.cpp:482:3:482:5 | end |
| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ |
| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ |
| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ |
| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ |
| test.cpp:481:16:481:17 | xs | test.cpp:485:9:485:10 | xs |
| test.cpp:481:16:481:17 | xs | test.cpp:486:7:486:11 | access to array |
| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:16:481:23 | access to array | test.cpp:482:3:482:5 | end |
| test.cpp:481:16:481:23 | access to array | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:481:16:481:23 | access to array | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:482:3:482:5 | end | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:484:5:484:8 | ... ++ | test.cpp:484:5:484:8 | ... ++ |
| test.cpp:484:5:484:8 | ... ++ | test.cpp:484:5:484:8 | ... ++ |
| test.cpp:484:5:484:8 | ... ++ | test.cpp:485:9:485:10 | xs |
| test.cpp:484:5:484:8 | ... ++ | test.cpp:485:9:485:10 | xs |
| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:485:9:485:10 | xs | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:486:7:486:11 | access to array | test.cpp:486:7:486:15 | Store: ... = ... |
| test.cpp:499:3:499:25 | ... = ... | test.cpp:499:7:499:8 | val indirection [post update] [xs] |
| test.cpp:499:7:499:8 | val indirection [post update] [xs] | test.cpp:500:3:500:5 | val indirection [xs] |
| test.cpp:499:12:499:25 | new[] | test.cpp:499:3:499:25 | ... = ... |
| test.cpp:500:3:500:5 | val indirection [xs] | test.cpp:500:7:500:8 | xs indirection |
| test.cpp:500:7:500:8 | xs indirection | test.cpp:500:7:500:8 | xs |
| test.cpp:510:16:510:33 | new[] | test.cpp:512:7:512:8 | xs |
| test.cpp:520:14:520:27 | new[] | test.cpp:526:5:526:6 | xs |
| test.cpp:532:14:532:27 | new[] | test.cpp:537:5:537:6 | xs |
| test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:6 | xs |
| test.cpp:548:5:548:6 | xs | test.cpp:548:5:548:15 | access to array |
| test.cpp:548:5:548:15 | access to array | test.cpp:548:5:548:19 | Store: ... = ... |
| test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:6 | xs |
| test.cpp:559:5:559:6 | xs | test.cpp:559:5:559:15 | access to array |
| test.cpp:559:5:559:15 | access to array | test.cpp:559:5:559:19 | Store: ... = ... |
| test.cpp:565:14:565:27 | new[] | test.cpp:570:5:570:6 | xs |
| test.cpp:576:14:576:27 | new[] | test.cpp:581:5:581:6 | xs |
| test.cpp:587:14:587:31 | new[] | test.cpp:592:5:592:6 | xs |
| test.cpp:598:14:598:31 | new[] | test.cpp:603:5:603:6 | xs |
| test.cpp:609:14:609:31 | new[] | test.cpp:614:5:614:6 | xs |
| test.cpp:620:14:620:31 | new[] | test.cpp:625:5:625:6 | xs |
| test.cpp:631:14:631:31 | new[] | test.cpp:636:5:636:6 | xs |
| test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:6 | xs |
| test.cpp:647:5:647:6 | xs | test.cpp:647:5:647:15 | access to array |
| test.cpp:647:5:647:15 | access to array | test.cpp:647:5:647:19 | Store: ... = ... |
| test.cpp:652:14:652:27 | new[] | test.cpp:653:16:653:17 | xs |
| test.cpp:652:14:652:27 | new[] | test.cpp:656:3:656:4 | xs |
| test.cpp:653:16:653:17 | xs | test.cpp:656:3:656:6 | ... ++ |
| test.cpp:653:16:653:17 | xs | test.cpp:656:3:656:6 | ... ++ |
| test.cpp:653:16:653:17 | xs | test.cpp:656:3:656:6 | ... ++ |
| test.cpp:653:16:653:17 | xs | test.cpp:656:3:656:6 | ... ++ |
| test.cpp:653:16:653:17 | xs | test.cpp:657:7:657:8 | xs |
| test.cpp:656:3:656:6 | ... ++ | test.cpp:656:3:656:6 | ... ++ |
| test.cpp:656:3:656:6 | ... ++ | test.cpp:656:3:656:6 | ... ++ |
| test.cpp:656:3:656:6 | ... ++ | test.cpp:657:7:657:8 | xs |
| test.cpp:656:3:656:6 | ... ++ | test.cpp:657:7:657:8 | xs |
| test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | Store: ... = ... |
| test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | Store: ... = ... |
| test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | Store: ... = ... |
| test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | Store: ... = ... |
| test.cpp:657:7:657:8 | xs | test.cpp:662:3:662:11 | Store: ... = ... |
| test.cpp:667:14:667:31 | new[] | test.cpp:675:7:675:8 | xs |
| test.cpp:675:7:675:8 | xs | test.cpp:675:7:675:19 | access to array |
| test.cpp:675:7:675:19 | access to array | test.cpp:675:7:675:23 | Store: ... = ... |
nodes
| test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
| test.cpp:5:15:5:15 | p | semmle.label | p |
@@ -1125,11 +1367,6 @@ nodes
| test.cpp:359:16:359:31 | ... + ... | semmle.label | ... + ... |
| test.cpp:363:14:363:27 | new[] | semmle.label | new[] |
| test.cpp:365:15:365:15 | p | semmle.label | p |
| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... |
| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... |
| test.cpp:371:7:371:7 | p | semmle.label | p |
| test.cpp:372:15:372:16 | Load: * ... | semmle.label | Load: * ... |
| test.cpp:372:16:372:16 | p | semmle.label | p |
| test.cpp:377:14:377:27 | new[] | semmle.label | new[] |
| test.cpp:378:15:378:16 | xs | semmle.label | xs |
| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
@@ -1143,53 +1380,160 @@ nodes
| test.cpp:384:14:384:16 | end | semmle.label | end |
| test.cpp:388:14:388:27 | new[] | semmle.label | new[] |
| test.cpp:389:16:389:17 | xs | semmle.label | xs |
| test.cpp:392:5:392:6 | xs | semmle.label | xs |
| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:393:9:393:10 | xs | semmle.label | xs |
| test.cpp:393:9:393:10 | xs | semmle.label | xs |
| test.cpp:395:5:395:6 | xs | semmle.label | xs |
| test.cpp:395:5:395:13 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:406:3:406:25 | ... = ... | semmle.label | ... = ... |
| test.cpp:406:7:406:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
| test.cpp:406:12:406:25 | new[] | semmle.label | new[] |
| test.cpp:407:3:407:5 | val indirection [xs] | semmle.label | val indirection [xs] |
| test.cpp:407:7:407:8 | xs | semmle.label | xs |
| test.cpp:407:7:407:8 | xs indirection | semmle.label | xs indirection |
| test.cpp:417:16:417:33 | new[] | semmle.label | new[] |
| test.cpp:419:7:419:8 | xs | semmle.label | xs |
| test.cpp:427:14:427:27 | new[] | semmle.label | new[] |
| test.cpp:433:5:433:6 | xs | semmle.label | xs |
| test.cpp:439:14:439:27 | new[] | semmle.label | new[] |
| test.cpp:444:5:444:6 | xs | semmle.label | xs |
| test.cpp:450:14:450:27 | new[] | semmle.label | new[] |
| test.cpp:455:5:455:6 | xs | semmle.label | xs |
| test.cpp:455:5:455:15 | access to array | semmle.label | access to array |
| test.cpp:455:5:455:19 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:461:14:461:27 | new[] | semmle.label | new[] |
| test.cpp:466:5:466:6 | xs | semmle.label | xs |
| test.cpp:466:5:466:15 | access to array | semmle.label | access to array |
| test.cpp:466:5:466:19 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:472:14:472:27 | new[] | semmle.label | new[] |
| test.cpp:477:5:477:6 | xs | semmle.label | xs |
| test.cpp:483:14:483:27 | new[] | semmle.label | new[] |
| test.cpp:488:5:488:6 | xs | semmle.label | xs |
| test.cpp:494:14:494:31 | new[] | semmle.label | new[] |
| test.cpp:499:5:499:6 | xs | semmle.label | xs |
| test.cpp:505:14:505:31 | new[] | semmle.label | new[] |
| test.cpp:510:5:510:6 | xs | semmle.label | xs |
| test.cpp:516:14:516:31 | new[] | semmle.label | new[] |
| test.cpp:521:5:521:6 | xs | semmle.label | xs |
| test.cpp:527:14:527:31 | new[] | semmle.label | new[] |
| test.cpp:532:5:532:6 | xs | semmle.label | xs |
| test.cpp:538:14:538:31 | new[] | semmle.label | new[] |
| test.cpp:543:5:543:6 | xs | semmle.label | xs |
| test.cpp:549:14:549:31 | new[] | semmle.label | new[] |
| test.cpp:554:5:554:6 | xs | semmle.label | xs |
| test.cpp:554:5:554:15 | access to array | semmle.label | access to array |
| test.cpp:554:5:554:19 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:392:3:392:4 | xs | semmle.label | xs |
| test.cpp:399:14:399:27 | new[] | semmle.label | new[] |
| test.cpp:400:16:400:17 | xs | semmle.label | xs |
| test.cpp:402:5:402:6 | xs | semmle.label | xs |
| test.cpp:410:14:410:27 | new[] | semmle.label | new[] |
| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
| test.cpp:411:16:411:17 | xs | semmle.label | xs |
| test.cpp:411:16:411:23 | access to array | semmle.label | access to array |
| test.cpp:411:16:411:23 | access to array | semmle.label | access to array |
| test.cpp:412:12:412:14 | end | semmle.label | end |
| test.cpp:412:12:412:14 | end | semmle.label | end |
| test.cpp:413:5:413:6 | xs | semmle.label | xs |
| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:414:9:414:10 | xs | semmle.label | xs |
| test.cpp:414:14:414:16 | end | semmle.label | end |
| test.cpp:415:7:415:11 | access to array | semmle.label | access to array |
| test.cpp:415:7:415:15 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:421:14:421:27 | new[] | semmle.label | new[] |
| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
| test.cpp:422:16:422:17 | xs | semmle.label | xs |
| test.cpp:422:16:422:23 | access to array | semmle.label | access to array |
| test.cpp:422:16:422:23 | access to array | semmle.label | access to array |
| test.cpp:423:12:423:14 | end | semmle.label | end |
| test.cpp:423:12:423:14 | end | semmle.label | end |
| test.cpp:424:5:424:6 | xs | semmle.label | xs |
| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:425:9:425:10 | xs | semmle.label | xs |
| test.cpp:425:9:425:10 | xs | semmle.label | xs |
| test.cpp:425:18:425:20 | end | semmle.label | end |
| test.cpp:426:7:426:8 | xs | semmle.label | xs |
| test.cpp:426:7:426:11 | access to array | semmle.label | access to array |
| test.cpp:426:7:426:15 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:432:14:432:27 | new[] | semmle.label | new[] |
| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
| test.cpp:433:16:433:17 | xs | semmle.label | xs |
| test.cpp:433:16:433:23 | access to array | semmle.label | access to array |
| test.cpp:433:16:433:23 | access to array | semmle.label | access to array |
| test.cpp:434:12:434:14 | end | semmle.label | end |
| test.cpp:434:12:434:14 | end | semmle.label | end |
| test.cpp:435:5:435:7 | end | semmle.label | end |
| test.cpp:436:5:436:6 | xs | semmle.label | xs |
| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:437:9:437:10 | xs | semmle.label | xs |
| test.cpp:438:7:438:11 | access to array | semmle.label | access to array |
| test.cpp:438:7:438:15 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:444:14:444:27 | new[] | semmle.label | new[] |
| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
| test.cpp:445:16:445:17 | xs | semmle.label | xs |
| test.cpp:445:16:445:23 | access to array | semmle.label | access to array |
| test.cpp:445:16:445:23 | access to array | semmle.label | access to array |
| test.cpp:446:3:446:5 | end | semmle.label | end |
| test.cpp:448:5:448:6 | xs | semmle.label | xs |
| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:449:9:449:10 | xs | semmle.label | xs |
| test.cpp:450:7:450:11 | access to array | semmle.label | access to array |
| test.cpp:450:7:450:15 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:456:14:456:31 | new[] | semmle.label | new[] |
| test.cpp:457:16:457:17 | xs | semmle.label | xs |
| test.cpp:460:5:460:6 | xs | semmle.label | xs |
| test.cpp:468:14:468:27 | new[] | semmle.label | new[] |
| test.cpp:469:16:469:17 | xs | semmle.label | xs |
| test.cpp:472:5:472:6 | xs | semmle.label | xs |
| test.cpp:480:14:480:27 | new[] | semmle.label | new[] |
| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
| test.cpp:481:16:481:17 | xs | semmle.label | xs |
| test.cpp:481:16:481:23 | access to array | semmle.label | access to array |
| test.cpp:481:16:481:23 | access to array | semmle.label | access to array |
| test.cpp:482:3:482:5 | end | semmle.label | end |
| test.cpp:484:5:484:6 | xs | semmle.label | xs |
| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
| test.cpp:485:9:485:10 | xs | semmle.label | xs |
| test.cpp:486:7:486:11 | access to array | semmle.label | access to array |
| test.cpp:486:7:486:15 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:499:3:499:25 | ... = ... | semmle.label | ... = ... |
| test.cpp:499:7:499:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
| test.cpp:499:12:499:25 | new[] | semmle.label | new[] |
| test.cpp:500:3:500:5 | val indirection [xs] | semmle.label | val indirection [xs] |
| test.cpp:500:7:500:8 | xs | semmle.label | xs |
| test.cpp:500:7:500:8 | xs indirection | semmle.label | xs indirection |
| test.cpp:510:16:510:33 | new[] | semmle.label | new[] |
| test.cpp:512:7:512:8 | xs | semmle.label | xs |
| test.cpp:520:14:520:27 | new[] | semmle.label | new[] |
| test.cpp:526:5:526:6 | xs | semmle.label | xs |
| test.cpp:532:14:532:27 | new[] | semmle.label | new[] |
| test.cpp:537:5:537:6 | xs | semmle.label | xs |
| test.cpp:543:14:543:27 | new[] | semmle.label | new[] |
| test.cpp:548:5:548:6 | xs | semmle.label | xs |
| test.cpp:548:5:548:15 | access to array | semmle.label | access to array |
| test.cpp:548:5:548:19 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:554:14:554:27 | new[] | semmle.label | new[] |
| test.cpp:559:5:559:6 | xs | semmle.label | xs |
| test.cpp:559:5:559:15 | access to array | semmle.label | access to array |
| test.cpp:559:5:559:19 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:565:14:565:27 | new[] | semmle.label | new[] |
| test.cpp:570:5:570:6 | xs | semmle.label | xs |
| test.cpp:576:14:576:27 | new[] | semmle.label | new[] |
| test.cpp:581:5:581:6 | xs | semmle.label | xs |
| test.cpp:587:14:587:31 | new[] | semmle.label | new[] |
| test.cpp:592:5:592:6 | xs | semmle.label | xs |
| test.cpp:598:14:598:31 | new[] | semmle.label | new[] |
| test.cpp:603:5:603:6 | xs | semmle.label | xs |
| test.cpp:609:14:609:31 | new[] | semmle.label | new[] |
| test.cpp:614:5:614:6 | xs | semmle.label | xs |
| test.cpp:620:14:620:31 | new[] | semmle.label | new[] |
| test.cpp:625:5:625:6 | xs | semmle.label | xs |
| test.cpp:631:14:631:31 | new[] | semmle.label | new[] |
| test.cpp:636:5:636:6 | xs | semmle.label | xs |
| test.cpp:642:14:642:31 | new[] | semmle.label | new[] |
| test.cpp:647:5:647:6 | xs | semmle.label | xs |
| test.cpp:647:5:647:15 | access to array | semmle.label | access to array |
| test.cpp:647:5:647:19 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:652:14:652:27 | new[] | semmle.label | new[] |
| test.cpp:653:16:653:17 | xs | semmle.label | xs |
| test.cpp:656:3:656:4 | xs | semmle.label | xs |
| test.cpp:656:3:656:6 | ... ++ | semmle.label | ... ++ |
| test.cpp:656:3:656:6 | ... ++ | semmle.label | ... ++ |
| test.cpp:656:3:656:6 | ... ++ | semmle.label | ... ++ |
| test.cpp:656:3:656:6 | ... ++ | semmle.label | ... ++ |
| test.cpp:657:7:657:8 | xs | semmle.label | xs |
| test.cpp:662:3:662:11 | Store: ... = ... | semmle.label | Store: ... = ... |
| test.cpp:667:14:667:31 | new[] | semmle.label | new[] |
| test.cpp:675:7:675:8 | xs | semmle.label | xs |
| test.cpp:675:7:675:19 | access to array | semmle.label | access to array |
| test.cpp:675:7:675:23 | Store: ... = ... | semmle.label | Store: ... = ... |
subpaths
#select
| test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -1214,9 +1558,14 @@ subpaths
| test.cpp:308:5:308:29 | Store: ... = ... | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:29 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:304:15:304:26 | new[] | new[] | test.cpp:308:8:308:10 | ... + ... | ... + ... |
| test.cpp:358:14:358:26 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
| test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
| test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size |
| test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
| test.cpp:395:5:395:13 | Store: ... = ... | test.cpp:388:14:388:27 | new[] | test.cpp:395:5:395:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:388:14:388:27 | new[] | new[] | test.cpp:389:19:389:22 | size | size |
| test.cpp:455:5:455:19 | Store: ... = ... | test.cpp:450:14:450:27 | new[] | test.cpp:455:5:455:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:450:14:450:27 | new[] | new[] | test.cpp:455:8:455:14 | src_pos | src_pos |
| test.cpp:466:5:466:19 | Store: ... = ... | test.cpp:461:14:461:27 | new[] | test.cpp:466:5:466:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:461:14:461:27 | new[] | new[] | test.cpp:466:8:466:14 | src_pos | src_pos |
| test.cpp:554:5:554:19 | Store: ... = ... | test.cpp:549:14:549:31 | new[] | test.cpp:554:5:554:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:549:14:549:31 | new[] | new[] | test.cpp:554:8:554:14 | src_pos | src_pos |
| test.cpp:415:7:415:15 | Store: ... = ... | test.cpp:410:14:410:27 | new[] | test.cpp:415:7:415:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:410:14:410:27 | new[] | new[] | test.cpp:411:19:411:22 | size | size |
| test.cpp:426:7:426:15 | Store: ... = ... | test.cpp:421:14:421:27 | new[] | test.cpp:426:7:426:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:421:14:421:27 | new[] | new[] | test.cpp:422:19:422:22 | size | size |
| test.cpp:438:7:438:15 | Store: ... = ... | test.cpp:432:14:432:27 | new[] | test.cpp:438:7:438:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:432:14:432:27 | new[] | new[] | test.cpp:433:19:433:22 | size | size |
| test.cpp:450:7:450:15 | Store: ... = ... | test.cpp:444:14:444:27 | new[] | test.cpp:450:7:450:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:444:14:444:27 | new[] | new[] | test.cpp:445:19:445:22 | size | size |
| test.cpp:486:7:486:15 | Store: ... = ... | test.cpp:480:14:480:27 | new[] | test.cpp:486:7:486:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@ + 498. | test.cpp:480:14:480:27 | new[] | new[] | test.cpp:481:19:481:22 | size | size |
| test.cpp:548:5:548:19 | Store: ... = ... | test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:543:14:543:27 | new[] | new[] | test.cpp:548:8:548:14 | src_pos | src_pos |
| test.cpp:559:5:559:19 | Store: ... = ... | test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:554:14:554:27 | new[] | new[] | test.cpp:559:8:559:14 | src_pos | src_pos |
| test.cpp:647:5:647:19 | Store: ... = ... | test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:642:14:642:31 | new[] | new[] | test.cpp:647:8:647:14 | src_pos | src_pos |
| test.cpp:662:3:662:11 | Store: ... = ... | test.cpp:652:14:652:27 | new[] | test.cpp:662:3:662:11 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:652:14:652:27 | new[] | new[] | test.cpp:653:19:653:22 | size | size |
| test.cpp:675:7:675:23 | Store: ... = ... | test.cpp:667:14:667:31 | new[] | test.cpp:675:7:675:23 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:667:14:667:31 | new[] | new[] | test.cpp:675:10:675:18 | ... ++ | ... ++ |

157
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
View File

@@ -369,7 +369,7 @@ void test26(unsigned size) {
}
if (p < end) {
int val = *p; // GOOD [FALSE POSITIVE]
int val = *p; // GOOD
}
}
@@ -387,12 +387,105 @@ void test27(unsigned size, bool b) {
void test28(unsigned size) {
char *xs = new char[size];
char *end = &xs[size];
if (xs >= end)
return;
if (xs >= end)
return;
xs++;
if (xs >= end)
return;
xs[0] = 0; // GOOD
}
void test28_simple(unsigned size) {
char *xs = new char[size];
char *end = &xs[size];
if (xs < end) {
xs++;
if (xs >= end)
return;
xs[0] = 0; // GOOD [FALSE POSITIVE]
if (xs < end) {
xs[0] = 0; // GOOD
}
}
}
void test28_simple2(unsigned size) {
char *xs = new char[size];
char *end = &xs[size];
if (xs < end) {
xs++;
if (xs < end + 1) {
xs[0] = 0; // BAD
}
}
}
void test28_simple3(unsigned size) {
char *xs = new char[size];
char *end = &xs[size];
if (xs < end) {
xs++;
if (xs - 1 < end) {
xs[0] = 0; // BAD
}
}
}
void test28_simple4(unsigned size) {
char *xs = new char[size];
char *end = &xs[size];
if (xs < end) {
end++;
xs++;
if (xs < end) {
xs[0] = 0; // BAD
}
}
}
void test28_simple5(unsigned size) {
char *xs = new char[size];
char *end = &xs[size];
end++;
if (xs < end) {
xs++;
if (xs < end) {
xs[0] = 0; // BAD
}
}
}
void test28_simple6(unsigned size) {
char *xs = new char[size + 1];
char *end = &xs[size];
end++;
if (xs < end) {
xs++;
if (xs < end) {
xs[0] = 0; // GOOD
}
}
}
void test28_simple7(unsigned size) {
char *xs = new char[size];
char *end = &xs[size];
end++;
if (xs < end) {
xs++;
if (xs < end - 1) {
xs[0] = 0; // GOOD
}
}
}
void test28_simple8(unsigned size) {
char *xs = new char[size];
char *end = &xs[size];
end += 500;
if (xs < end) {
xs++;
if (xs < end - 1) {
xs[0] = 0; // BAD
}
}
}
struct test29_struct {
@@ -429,7 +522,7 @@ void test31(unsigned size, unsigned src_pos)
src_pos = size;
}
unsigned dst_pos = src_pos;
if(dst_pos < size - 3) {
if (dst_pos < size - 3) {
xs[dst_pos++] = 0; // GOOD
}
}
@@ -440,7 +533,7 @@ void test31_simple1(unsigned size, unsigned src_pos)
if (src_pos > size) {
src_pos = size;
}
if(src_pos < size) {
if (src_pos < size) {
xs[src_pos] = 0; // GOOD
}
}
@@ -451,7 +544,7 @@ void test31_simple2(unsigned size, unsigned src_pos)
if (src_pos > size) {
src_pos = size;
}
if(src_pos < size + 1) {
if (src_pos < size + 1) {
xs[src_pos] = 0; // BAD
}
}
@@ -462,7 +555,7 @@ void test31_simple3(unsigned size, unsigned src_pos)
if (src_pos > size) {
src_pos = size;
}
if(src_pos - 1 < size) {
if (src_pos - 1 < size) {
xs[src_pos] = 0; // BAD
}
}
@@ -473,7 +566,7 @@ void test31_simple4(unsigned size, unsigned src_pos)
if (src_pos > size) {
src_pos = size;
}
if(src_pos < size - 1) {
if (src_pos < size - 1) {
xs[src_pos] = 0; // GOOD
}
}
@@ -484,7 +577,7 @@ void test31_simple5(unsigned size, unsigned src_pos)
if (src_pos > size) {
src_pos = size;
}
if(src_pos + 1 < size) {
if (src_pos + 1 < size) {
xs[src_pos] = 0; // GOOD
}
}
@@ -495,7 +588,7 @@ void test31_simple1_plus1(unsigned size, unsigned src_pos)
if (src_pos > size) {
src_pos = size;
}
if(src_pos < size) {
if (src_pos < size) {
xs[src_pos] = 0; // GOOD
}
}
@@ -506,7 +599,7 @@ void test31_simple2_plus1(unsigned size, unsigned src_pos)
if (src_pos > size) {
src_pos = size;
}
if(src_pos < size + 1) {
if (src_pos < size + 1) {
xs[src_pos] = 0; // GOOD
}
}
@@ -517,7 +610,7 @@ void test31_simple3_plus1(unsigned size, unsigned src_pos)
if (src_pos > size) {
src_pos = size;
}
if(src_pos - 1 < size) {
if (src_pos - 1 < size) {
xs[src_pos] = 0; // GOOD
}
}
@@ -528,7 +621,7 @@ void test31_simple4_plus1(unsigned size, unsigned src_pos)
if (src_pos > size) {
src_pos = size;
}
if(src_pos < size - 1) {
if (src_pos < size - 1) {
xs[src_pos] = 0; // GOOD
}
}
@@ -539,7 +632,7 @@ void test31_simple5_plus1(unsigned size, unsigned src_pos)
if (src_pos > size) {
src_pos = size;
}
if(src_pos + 1 < size) {
if (src_pos + 1 < size) {
xs[src_pos] = 0; // GOOD
}
}
@@ -550,7 +643,35 @@ void test31_simple1_sub1(unsigned size, unsigned src_pos)
if (src_pos > size) {
src_pos = size;
}
if(src_pos < size) {
if (src_pos < size) {
xs[src_pos] = 0; // BAD
}
}
void test32(unsigned size) {
char *xs = new char[size];
char *end = &xs[size];
if (xs >= end)
return;
xs++;
if (xs >= end)
return;
xs++;
if (xs >= end)
return;
xs[0] = 0; // GOOD [FALSE POSITIVE]
}
void test33(unsigned size, unsigned src_pos)
{
char *xs = new char[size + 1];
if (src_pos > size) {
src_pos = size;
}
unsigned dst_pos = src_pos;
while (dst_pos < size - 1) {
dst_pos++;
if (true)
xs[dst_pos++] = 0; // GOOD [FALSE POSITIVE]
}
}

55
cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
View File

@@ -734,3 +734,58 @@ void test_does_not_write_source_to_dereference()
does_not_write_source_to_dereference(&x);
sink(x); // $ ast,ir=733:7 SPURIOUS: ast,ir=726:11
}
void sometimes_calls_sink_eq(int x, int n) {
if(n == 0) {
sink(x); // $ ast,ir=751:27 ast,ir=755:32 SPURIOUS: ast=749:27 ast,ir=753:32 // IR spurious results because we only have call contexts of depth 1
}
}
void call_sometimes_calls_sink_eq(int x, int n) {
sometimes_calls_sink_eq(x, n);
}
void test_sometimes_calls_sink_eq_1() {
sometimes_calls_sink_eq(source(), 1);
sometimes_calls_sink_eq(0, 0);
sometimes_calls_sink_eq(source(), 0);
call_sometimes_calls_sink_eq(source(), 1);
call_sometimes_calls_sink_eq(0, 0);
call_sometimes_calls_sink_eq(source(), 0);
}
void sometimes_calls_sink_lt(int x, int n) {
if(n < 10) {
sink(x); // $ ast,ir=771:27 ast,ir=775:32 SPURIOUS: ast=769:27 ast,ir=773:32 // IR spurious results because we only have call contexts of depth 1
}
}
void call_sometimes_calls_sink_lt(int x, int n) {
sometimes_calls_sink_lt(x, n);
}
void test_sometimes_calls_sink_lt() {
sometimes_calls_sink_lt(source(), 10);
sometimes_calls_sink_lt(0, 0);
sometimes_calls_sink_lt(source(), 2);
call_sometimes_calls_sink_lt(source(), 10);
call_sometimes_calls_sink_lt(0, 0);
call_sometimes_calls_sink_lt(source(), 2);
}
void sometimes_calls_sink_switch(int x, int n) {
switch(n) {
case 0:
sink(x); // $ ast,ir=790:31 SPURIOUS: ast,ir=788:31 // IR spurious results because IRGuard doesn't understand switch statements.
break;
}
}
void test_sometimes_calls_sink_switch() {
sometimes_calls_sink_switch(source(), 1);
sometimes_calls_sink_switch(0, 0);
sometimes_calls_sink_switch(source(), 0);
}

3
cpp/ql/test/library-tests/ir/range-analysis/test.cpp
View File

@@ -90,7 +90,8 @@ void gotoLoop(bool b1, bool b2)
{
for (j = 0; j < 10; ++j)
{
int x;
main_decode_loop:
}
}
}
}

2
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
View File

@@ -1,6 +1,7 @@
| test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
| test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
| test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |
| test.c:42:15:42:29 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:41:9:41:10 | s1 | s1 | test.c:42:20:42:29 | 65535 | 65535 |
| test.c:65:14:65:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:64:8:64:8 | s | s | test.c:63:17:63:17 | x | x |
| test.c:87:14:87:18 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:84:15:84:15 | x | x |
| test.c:91:14:91:23 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test.c:83:16:83:16 | c | c | test.c:91:18:91:23 | 65280 | 65280 |
@@ -13,3 +14,4 @@
| test.c:107:14:107:26 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:107:19:107:25 | ... >> ... | ... >> ... |
| test.c:128:15:128:21 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:121:16:121:17 | uc | uc | test.c:123:19:123:20 | sz | sz |
| test.c:139:15:139:21 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:121:16:121:17 | uc | uc | test.c:123:19:123:20 | sz | sz |
| test.c:156:9:156:14 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:150:8:150:8 | s | s | test.c:151:6:151:7 | sx | sx |

21
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c
View File

@@ -39,7 +39,7 @@ void test5 () {
void test6() {
short s1;
for (s1 = 0; s1 < 0x0000ffff; s1++) {}
for (s1 = 0; s1 < 0x0000ffff; s1++) {} // BAD
}
void test7(long long l) {
@@ -145,3 +145,22 @@ void test13() {
sz = (unsigned)sx & (unsigned)sy;
for (uc = 0; uc < sz; uc++) {} // GOOD
}
void test14() {
short s = 0;
int sx = 0x7FFF + 1;
// BAD: 's' is compared with a value of a wider type.
// 's' overflows before reaching 'sx',
// causing an infinite loop
while (s < sx) {
s += 1;
}
unsigned int ux = 0;
// GOOD: 'ux' has a type at least as wide as 'max_get'
while (ux < sx) {
ux += 1;
}
}