diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll index 7af7a3df7f6..36d26046a70 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll @@ -193,13 +193,23 @@ class Node extends TIRDataFlowNode { * a `Conversion`, then the result is the underlying non-`Conversion` base * expression. */ - Expr asExpr() { result = this.(ExprNode).getExpr() } + Expr asExpr() { result = this.asExpr(_) } + + /** + * INTERNAL: Do not use. + */ + Expr asExpr(int n) { result = this.(ExprNode).getExpr(n) } + + /** + * INTERNAL: Do not use. + */ + Expr asIndirectExpr(int n, int index) { result = this.(IndirectExprNode).getExpr(n, index) } /** * Gets the non-conversion expression that's indirectly tracked by this node * under `index` number of indirections. */ - Expr asIndirectExpr(int index) { result = this.(IndirectExprNode).getExpr(index) } + Expr asIndirectExpr(int index) { result = this.asIndirectExpr(_, index) } /** * Gets the non-conversion expression that's indirectly tracked by this node 
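Review bot: The new overloads `asExpr(int n)` and `asIndirectExpr(int n, int index)` carry only `INTERNAL: Do not use.`, so nothing in this hunk says what `n` ranks or which values it can take. Even for internal members, one line would help the next maintainer, for example `INTERNAL: Do not use. Gets the expression at position n among those mapped to this node.`, with the wording adjusted to whatever `getConvertedResultExpression(def, n)` actually defines, since that predicate is not visible here. The same gap applies to `asIndirectConvertedExpr(int n, int index)` in the next hunk. The enclosing class `Node` starts and ends outside the hunk.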
@@ -211,15 +221,26 @@ class Node extends TIRDataFlowNode { * Gets the expression corresponding to this node, if any. The returned * expression may be a `Conversion`. */ - Expr asConvertedExpr() { result = this.(ExprNode).getConvertedExpr() } + Expr asConvertedExpr() { result = this.asConvertedExpr(_) } + + /** + * Gets the expression corresponding to this node, if any. The returned + * expression may be a `Conversion`. + */ + Expr asConvertedExpr(int n) { result = this.(ExprNode).getConvertedExpr(n) } + + /** + * INTERNAL: Do not use. + */ + Expr asIndirectConvertedExpr(int n, int index) { + result = this.(IndirectExprNode).getConvertedExpr(n, index) + } /** * Gets the expression that's indirectly tracked by this node * behind `index` number of indirections. */ - Expr asIndirectConvertedExpr(int index) { - result = this.(IndirectExprNode).getConvertedExpr(index) - } + Expr asIndirectConvertedExpr(int index) { result = this.asIndirectConvertedExpr(_, index) } /** * Gets the expression that's indirectly tracked by this node behind a 
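Review bot: `asConvertedExpr(int n)` is documented with a copy of the public QLDoc ("Gets the expression corresponding to this node, if any…"), while its siblings `asExpr(int n)`, `asIndirectExpr(int n, int index)` and `asIndirectConvertedExpr(int n, int index)` are all marked `INTERNAL: Do not use.`. As written, the `n`-taking overload reads as supported API on `Node` and its parameter is undocumented. If it is meant to be internal like the others, replace the comment with `INTERNAL: Do not use.`; otherwise, document what `n` selects.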
@@ -1090,46 +1111,46 @@ private module GetConvertedResultExpression { private import GetConvertedResultExpression /** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */ -predicate exprNodeShouldBeOperand(OperandNode node, Expr e) { +predicate exprNodeShouldBeOperand(OperandNode node, Expr e, int n) { exists(Instruction def | unique( | | getAUse(def)) = node.getOperand() and - e = getConvertedResultExpression(def) + e = getConvertedResultExpression(def, n) ) } /** Holds if `node` should be an `IndirectOperand` that maps `node.asIndirectExpr()` to `e`. */ private predicate indirectExprNodeShouldBeIndirectOperand( - IndirectOperand node, Expr e, int indirectionIndex + IndirectOperand node, Expr e, int n, int indirectionIndex ) { exists(Instruction def | node.hasOperandAndIndirectionIndex(unique( | | getAUse(def)), indirectionIndex) and - e = getConvertedResultExpression(def) + e = getConvertedResultExpression(def, n) ) } -private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e) { +private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e, int n) { exists(CallInstruction call | call.getStaticCallTarget() instanceof Constructor and - e = getConvertedResultExpression(call) and + e = getConvertedResultExpression(call, n) and call.getThisArgumentOperand() = node.getAddressOperand() ) } /** Holds if `node` should be an instruction node that maps `node.asExpr()` to `e`. */ -predicate exprNodeShouldBeInstruction(Node node, Expr e) { - not exprNodeShouldBeOperand(_, e) and - not exprNodeShouldBeIndirectOutNode(_, e) and - e = getConvertedResultExpression(node.asInstruction()) +predicate exprNodeShouldBeInstruction(Node node, Expr e, int n) { + not exprNodeShouldBeOperand(_, e, n) and + not exprNodeShouldBeIndirectOutNode(_, e, n) and + e = getConvertedResultExpression(node.asInstruction(), n) } /** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. 
*/ predicate indirectExprNodeShouldBeIndirectInstruction( - IndirectInstruction node, Expr e, int indirectionIndex + IndirectInstruction node, Expr e, int n, int indirectionIndex ) { - not indirectExprNodeShouldBeIndirectOperand(_, e, indirectionIndex) and + not indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) and exists(Instruction instr | node.hasInstructionAndIndirectionIndex(instr, indirectionIndex) and - e = getConvertedResultExpression(instr) + e = getConvertedResultExpression(instr, n) ) } @@ -1138,22 +1159,32 @@ abstract private class ExprNodeBase extends Node { * Gets the expression corresponding to this node, if any. The returned * expression may be a `Conversion`. */ - abstract Expr getConvertedExpr(); + abstract Expr getConvertedExpr(int n); /** Gets the non-conversion expression corresponding to this node, if any. */ - final Expr getExpr() { result = this.getConvertedExpr().getUnconverted() } + final Expr getExpr(int n) { result = this.getConvertedExpr(n).getUnconverted() } } private class InstructionExprNode extends ExprNodeBase, InstructionNode { - InstructionExprNode() { exprNodeShouldBeInstruction(this, _) } + InstructionExprNode() { + exists(Expr e, int n | + exprNodeShouldBeInstruction(this, e, n) and + not exprNodeShouldBeInstruction(_, e, n + 1) + ) + } - final override Expr getConvertedExpr() { exprNodeShouldBeInstruction(this, result) } + final override Expr getConvertedExpr(int n) { exprNodeShouldBeInstruction(this, result, n) } } private class OperandExprNode extends ExprNodeBase, OperandNode { - OperandExprNode() { exprNodeShouldBeOperand(this, _) } + OperandExprNode() { + exists(Expr e, int n | + exprNodeShouldBeOperand(this, e, n) and + not exprNodeShouldBeOperand(_, e, n + 1) + ) + } - final override Expr getConvertedExpr() { exprNodeShouldBeOperand(this, result) } + final override Expr getConvertedExpr(int n) { exprNodeShouldBeOperand(this, result, n) } } abstract private class IndirectExprNodeBase extends Node { 
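Review bot: In `exprNodeShouldBeInstruction` the two negations now bind the same `n` as the positive conjunct (`not exprNodeShouldBeOperand(_, e, n)`), so an expression that an operand node claims at a different `n` no longer blocks the instruction mapping. Whether that can happen depends on `getConvertedResultExpression(def, n)`, which is not visible here. If one `e` can be related to more than one `n`, `not exprNodeShouldBeOperand(_, e, _)` would keep the old exclusivity. The same applies to `indirectExprNodeShouldBeIndirectInstruction`. The QLDoc on these predicates still describes the old two-argument relation and should mention `n`. The non-private predicates also change arity, so callers outside this file need the extra argument.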
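Review bot: The characteristic predicates of `InstructionExprNode` and `OperandExprNode` admit a node only when it maps some `e` at an `n` with no mapping at `n + 1`, but `getConvertedExpr(int n)` is not restricted to that pair. Once admitted, a node therefore returns every `(result, n)` the underlying predicate holds for, so `getConvertedExpr(_)` can still yield expressions for which this node does not have the highest `n`. If that is intended, a comment above the `exists` would make it clear, for example `// Member of this class only if it is the highest-n node for at least one expression; getConvertedExpr still reports all of its expressions.`. If it is not intended, the same `not …(_, result, n + 1)` condition belongs in the override.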
@@ -1161,55 +1192,75 @@ abstract private class IndirectExprNodeBase extends Node { * Gets the expression corresponding to this node, if any. The returned * expression may be a `Conversion`. */ - abstract Expr getConvertedExpr(int indirectionIndex); + abstract Expr getConvertedExpr(int n, int indirectionIndex); /** Gets the non-conversion expression corresponding to this node, if any. */ - final Expr getExpr(int indirectionIndex) { - result = this.getConvertedExpr(indirectionIndex).getUnconverted() + final Expr getExpr(int n, int indirectionIndex) { + result = this.getConvertedExpr(n, indirectionIndex).getUnconverted() } } private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand { - IndirectOperandIndirectExprNode() { indirectExprNodeShouldBeIndirectOperand(this, _, _) } + IndirectOperandIndirectExprNode() { + exists(Expr e, int n, int indirectionIndex | + indirectExprNodeShouldBeIndirectOperand(this, e, n, indirectionIndex) and + not indirectExprNodeShouldBeIndirectOperand(_, e, n + 1, indirectionIndex) + ) + } - final override Expr getConvertedExpr(int index) { - indirectExprNodeShouldBeIndirectOperand(this, result, index) + final override Expr getConvertedExpr(int n, int index) { + indirectExprNodeShouldBeIndirectOperand(this, result, n, index) } } private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction { - IndirectInstructionIndirectExprNode() { indirectExprNodeShouldBeIndirectInstruction(this, _, _) } + IndirectInstructionIndirectExprNode() { + exists(Expr e, int n, int indirectionIndex | + indirectExprNodeShouldBeIndirectInstruction(this, e, n, indirectionIndex) and + not indirectExprNodeShouldBeIndirectInstruction(_, e, n + 1, indirectionIndex) + ) + } - final override Expr getConvertedExpr(int index) { - indirectExprNodeShouldBeIndirectInstruction(this, result, index) + final override Expr getConvertedExpr(int n, int index) { + 
indirectExprNodeShouldBeIndirectInstruction(this, result, n, index) } } private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgumentOutNode { - IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _) } + IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _, _) } - final override Expr getConvertedExpr() { exprNodeShouldBeIndirectOutNode(this, result) } + final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOutNode(this, result, n) } } /** * An expression, viewed as a node in a data flow graph. */ class ExprNode extends Node instanceof ExprNodeBase { + /** + * INTERNAL: Do not use. + */ + Expr getExpr(int n) { result = super.getExpr(n) } + /** * Gets the non-conversion expression corresponding to this node, if any. If * this node strictly (in the sense of `getConvertedExpr`) corresponds to a * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base * expression. */ - Expr getExpr() { result = super.getExpr() } + final Expr getExpr() { result = this.getExpr(_) } + + /** + * INTERNAL: Do not use. + */ + Expr getConvertedExpr(int n) { result = super.getConvertedExpr(n) } /** * Gets the expression corresponding to this node, if any. The returned * expression may be a `Conversion`. */ - Expr getConvertedExpr() { result = super.getConvertedExpr() } + final Expr getConvertedExpr() { result = this.getConvertedExpr(_) } } /** 
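Review bot: `IndirectArgumentOutExprNode` is the only one of the five expression-node classes whose characteristic predicate keeps the plain wildcard form, `exprNodeShouldBeIndirectOutNode(this, _, _)`, with no `n + 1` exclusion. The updated `ir-path-flow.expected` in this commit gains duplicate `new -> insert output argument` edges and `new -> new` self-edges around constructor calls, which may be a consequence of this. It is worth confirming whether the omission is deliberate and saying so in a comment. Separately, `ExprNode.getExpr()` and `ExprNode.getConvertedExpr()` become `final` here, which breaks any subclass that overrides them, so a change note is warranted if `ExprNode` is extended outside this library.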
@@ -1222,13 +1273,27 @@ class IndirectExprNode extends Node instanceof IndirectExprNodeBase { * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base * expression. */ - Expr getExpr(int indirectionIndex) { result = super.getExpr(indirectionIndex) } + final Expr getExpr(int indirectionIndex) { result = this.getExpr(_, indirectionIndex) } + + /** + * INTERNAL: Do not use. + */ + Expr getExpr(int n, int indirectionIndex) { result = super.getExpr(n, indirectionIndex) } + + /** + * INTERNAL: Do not use. + */ + Expr getConvertedExpr(int n, int indirectionIndex) { + result = super.getConvertedExpr(n, indirectionIndex) + } /** * Gets the expression corresponding to this node, if any. The returned * expression may be a `Conversion`. */ - Expr getConvertedExpr(int indirectionIndex) { result = super.getConvertedExpr(indirectionIndex) } + Expr getConvertedExpr(int indirectionIndex) { + result = this.getConvertedExpr(_, indirectionIndex) + } } /** diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected index 618aeec1791..adae4f412ce 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected 
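Review bot: In `IndirectExprNode`, `getExpr(int indirectionIndex)` is made `final` but the parallel wrapper `getConvertedExpr(int indirectionIndex)` is not, whereas `ExprNode` in the previous hunk marks both of its wrappers `final`. Unless an override of the converted variant is needed somewhere, declare it as `final Expr getConvertedExpr(int indirectionIndex) {` for consistency. The two `INTERNAL` overloads here also leave `n` undocumented. The class header lies outside the hunk.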
@@ -57,16 +57,6 @@ uniqueNodeToString | aliasing.cpp:132:9:132:14 | & ... | Node should have one toString but has 3. | | aliasing.cpp:132:9:132:14 | * ... | Node should have one toString but has 3. | | aliasing.cpp:132:9:132:14 | xs | Node should have one toString but has 3. | -| aliasing.cpp:132:10:132:14 | & ... | Node should have one toString but has 3. | -| aliasing.cpp:132:10:132:14 | & ... indirection | Node should have one toString but has 3. | -| aliasing.cpp:132:10:132:14 | * ... | Node should have one toString but has 3. | -| aliasing.cpp:132:10:132:14 | * ... indirection | Node should have one toString but has 3. | -| aliasing.cpp:132:10:132:14 | xs | Node should have one toString but has 3. | -| aliasing.cpp:132:10:132:14 | xs indirection | Node should have one toString but has 3. | -| aliasing.cpp:132:11:132:14 | * ... | Node should have one toString but has 2. | -| aliasing.cpp:132:11:132:14 | * ... indirection | Node should have one toString but has 2. | -| aliasing.cpp:132:11:132:14 | xs | Node should have one toString but has 2. | -| aliasing.cpp:132:11:132:14 | xs indirection | Node should have one toString but has 2. | | aliasing.cpp:136:15:136:17 | + ... | Node should have one toString but has 2. | | aliasing.cpp:136:15:136:17 | + ... indirection | Node should have one toString but has 2. | | aliasing.cpp:136:15:136:17 | xs | Node should have one toString but has 2. | diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected index 816a3b91edf..60c691b0939 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected 
@@ -13,6 +13,8 @@ edges | A.cpp:41:5:41:6 | insert output argument | A.cpp:43:10:43:12 | & ... indirection | | A.cpp:41:5:41:6 | insert output argument | A.cpp:43:10:43:12 | ct indirection | | A.cpp:41:15:41:21 | new | A.cpp:41:5:41:6 | insert output argument | +| A.cpp:41:15:41:21 | new | A.cpp:41:5:41:6 | insert output argument | +| A.cpp:41:15:41:21 | new | A.cpp:41:15:41:21 | new | | A.cpp:47:12:47:18 | new | A.cpp:48:20:48:20 | c | | A.cpp:48:12:48:18 | call to make indirection [c] | A.cpp:49:10:49:10 | b indirection [c] | | A.cpp:48:20:48:20 | c | A.cpp:29:23:29:23 | c | @@ -21,6 +23,7 @@ edges | A.cpp:55:5:55:5 | set output argument [c] | A.cpp:56:10:56:10 | b indirection [c] | | A.cpp:55:12:55:19 | new | A.cpp:27:17:27:17 | c | | A.cpp:55:12:55:19 | new | A.cpp:55:5:55:5 | set output argument [c] | +| A.cpp:55:12:55:19 | new | A.cpp:55:12:55:19 | new | | A.cpp:56:10:56:10 | b indirection [c] | A.cpp:28:8:28:10 | this indirection [c] | | A.cpp:56:10:56:10 | b indirection [c] | A.cpp:56:10:56:17 | call to get | | A.cpp:57:11:57:24 | call to B [c] | A.cpp:57:11:57:24 | new indirection [c] | @@ -31,10 +34,12 @@ edges | A.cpp:57:17:57:23 | new | A.cpp:57:17:57:23 | new | | A.cpp:64:10:64:15 | call to setOnB indirection [c] | A.cpp:66:10:66:11 | b2 indirection [c] | | A.cpp:64:21:64:28 | new | A.cpp:64:10:64:15 | call to setOnB indirection [c] | +| A.cpp:64:21:64:28 | new | A.cpp:64:21:64:28 | new | | A.cpp:64:21:64:28 | new | A.cpp:85:26:85:26 | c | | A.cpp:66:10:66:11 | b2 indirection [c] | A.cpp:66:10:66:14 | c | | A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] | A.cpp:75:10:75:11 | b2 indirection [c] | | A.cpp:73:25:73:32 | new | A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] | +| A.cpp:73:25:73:32 | new | A.cpp:73:25:73:32 | new | | A.cpp:73:25:73:32 | new | A.cpp:78:27:78:27 | c | | A.cpp:75:10:75:11 | b2 indirection [c] | A.cpp:75:10:75:14 | c | | A.cpp:78:27:78:27 | c | A.cpp:81:21:81:21 | c | 
@@ -853,6 +858,7 @@ nodes | A.cpp:31:20:31:20 | c | semmle.label | c | | A.cpp:41:5:41:6 | insert output argument | semmle.label | insert output argument | | A.cpp:41:15:41:21 | new | semmle.label | new | +| A.cpp:41:15:41:21 | new | semmle.label | new | | A.cpp:43:10:43:12 | & ... indirection | semmle.label | & ... indirection | | A.cpp:43:10:43:12 | & ... indirection | semmle.label | ct indirection | | A.cpp:43:10:43:12 | ct indirection | semmle.label | & ... indirection | @@ -864,6 +870,7 @@ nodes | A.cpp:49:10:49:13 | c | semmle.label | c | | A.cpp:55:5:55:5 | set output argument [c] | semmle.label | set output argument [c] | | A.cpp:55:12:55:19 | new | semmle.label | new | +| A.cpp:55:12:55:19 | new | semmle.label | new | | A.cpp:56:10:56:10 | b indirection [c] | semmle.label | b indirection [c] | | A.cpp:56:10:56:17 | call to get | semmle.label | call to get | | A.cpp:57:10:57:32 | call to get | semmle.label | call to get | @@ -873,10 +880,12 @@ nodes | A.cpp:57:17:57:23 | new | semmle.label | new | | A.cpp:64:10:64:15 | call to setOnB indirection [c] | semmle.label | call to setOnB indirection [c] | | A.cpp:64:21:64:28 | new | semmle.label | new | +| A.cpp:64:21:64:28 | new | semmle.label | new | | A.cpp:66:10:66:11 | b2 indirection [c] | semmle.label | b2 indirection [c] | | A.cpp:66:10:66:14 | c | semmle.label | c | | A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] | semmle.label | call to setOnBWrap indirection [c] | | A.cpp:73:25:73:32 | new | semmle.label | new | +| A.cpp:73:25:73:32 | new | semmle.label | new | | A.cpp:75:10:75:11 | b2 indirection [c] | semmle.label | b2 indirection [c] | | A.cpp:75:10:75:14 | c | semmle.label | c | | A.cpp:78:6:78:15 | setOnBWrap indirection [c] | semmle.label | setOnBWrap indirection [c] | 
@@ -1788,17 +1797,28 @@ subpaths | simple.cpp:84:14:84:20 | this indirection [f2, f1] | simple.cpp:78:9:78:15 | this indirection [f2, f1] | simple.cpp:78:9:78:15 | getf2f1 indirection | simple.cpp:84:14:84:20 | call to getf2f1 | #select | A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new | +| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new | +| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new | | A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new | | A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new | +| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new | +| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new | | A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new | | A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new | +| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | & ... 
indirection flows from $@ | A.cpp:41:15:41:21 | new | new | +| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new | | A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new | | A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new | +| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new | +| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new | | A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new | | A.cpp:49:10:49:13 | c | A.cpp:47:12:47:18 | new | A.cpp:49:10:49:13 | c | c flows from $@ | A.cpp:47:12:47:18 | new | new | | A.cpp:56:10:56:17 | call to get | A.cpp:55:12:55:19 | new | A.cpp:56:10:56:17 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | new | new | +| A.cpp:56:10:56:17 | call to get | A.cpp:55:12:55:19 | new | A.cpp:56:10:56:17 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | new | new | | A.cpp:57:10:57:32 | call to get | A.cpp:57:17:57:23 | new | A.cpp:57:10:57:32 | call to get | call to get flows from $@ | A.cpp:57:17:57:23 | new | new | | A.cpp:66:10:66:14 | c | A.cpp:64:21:64:28 | new | A.cpp:66:10:66:14 | c | c flows from $@ | A.cpp:64:21:64:28 | new | new | +| A.cpp:66:10:66:14 | c | A.cpp:64:21:64:28 | new | A.cpp:66:10:66:14 | c | c flows from $@ | A.cpp:64:21:64:28 | new | new | +| A.cpp:75:10:75:14 | c | A.cpp:73:25:73:32 | new | A.cpp:75:10:75:14 | c | c flows 
from $@ | A.cpp:73:25:73:32 | new | new | | A.cpp:75:10:75:14 | c | A.cpp:73:25:73:32 | new | A.cpp:75:10:75:14 | c | c flows from $@ | A.cpp:73:25:73:32 | new | new | | A.cpp:107:12:107:16 | a | A.cpp:98:12:98:18 | new | A.cpp:107:12:107:16 | a | a flows from $@ | A.cpp:98:12:98:18 | new | new | | A.cpp:120:12:120:16 | a | A.cpp:98:12:98:18 | new | A.cpp:120:12:120:16 | a | a flows from $@ | A.cpp:98:12:98:18 | new | new | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected index c5f6133af0f..4f08af09a7b 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected 
@@ -4,8 +4,46 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (taint WARNING: Module DataFlow has been deprecated and may be removed in future (taint.ql:68,25-33) WARNING: Module TaintTracking has been deprecated and may be removed in future (taint.ql:73,20-33) testFailures -| map.cpp:172:20:172:30 | // $ ast,ir | Missing result:ir= | -| map.cpp:174:20:174:30 | // $ ast,ir | Missing result:ir= | -| map.cpp:324:20:324:30 | // $ ast,ir | Missing result:ir= | -| map.cpp:326:20:326:30 | // $ ast,ir | Missing result:ir= | +| map.cpp:168:7:168:27 | ... = ... | Unexpected result: ir=168:7 | +| map.cpp:168:7:168:27 | ... = ... | Unexpected result: ir=168:20 | +| map.cpp:168:7:168:27 | ... = ... indirection | Unexpected result: ir=168:7 | +| map.cpp:168:7:168:27 | ... = ... indirection | Unexpected result: ir=168:20 | +| map.cpp:168:7:168:27 | call to source | Unexpected result: ir=168:7 | +| map.cpp:168:7:168:27 | call to source | Unexpected result: ir=168:20 | +| map.cpp:168:7:168:27 | call to source indirection | Unexpected result: ir=168:7 | +| map.cpp:168:7:168:27 | call to source indirection | Unexpected result: ir=168:20 | +| map.cpp:168:31:168:41 | // $ ast,ir | Missing result:ir= | +| map.cpp:170:7:170:30 | ... = ... | Unexpected result: ir=170:7 | +| map.cpp:170:7:170:30 | ... = ... | Unexpected result: ir=170:23 | +| map.cpp:170:7:170:30 | ... = ... indirection | Unexpected result: ir=170:7 | +| map.cpp:170:7:170:30 | ... = ... indirection | Unexpected result: ir=170:23 | +| map.cpp:170:7:170:30 | call to source | Unexpected result: ir=170:7 | +| map.cpp:170:7:170:30 | call to source | Unexpected result: ir=170:23 | +| map.cpp:170:7:170:30 | call to source indirection | Unexpected result: ir=170:7 | +| map.cpp:170:7:170:30 | call to source indirection | Unexpected result: ir=170:23 | +| map.cpp:170:34:170:44 | // $ ast,ir | Missing result:ir= | +| map.cpp:320:7:320:27 | ... = ... 
| Unexpected result: ir=320:7 | +| map.cpp:320:7:320:27 | ... = ... | Unexpected result: ir=320:20 | +| map.cpp:320:7:320:27 | ... = ... indirection | Unexpected result: ir=320:7 | +| map.cpp:320:7:320:27 | ... = ... indirection | Unexpected result: ir=320:20 | +| map.cpp:320:7:320:27 | call to source | Unexpected result: ir=320:7 | +| map.cpp:320:7:320:27 | call to source | Unexpected result: ir=320:20 | +| map.cpp:320:7:320:27 | call to source indirection | Unexpected result: ir=320:7 | +| map.cpp:320:7:320:27 | call to source indirection | Unexpected result: ir=320:20 | +| map.cpp:320:31:320:41 | // $ ast,ir | Missing result:ir= | +| map.cpp:322:7:322:30 | ... = ... | Unexpected result: ir=322:7 | +| map.cpp:322:7:322:30 | ... = ... | Unexpected result: ir=322:23 | +| map.cpp:322:7:322:30 | ... = ... indirection | Unexpected result: ir=322:7 | +| map.cpp:322:7:322:30 | ... = ... indirection | Unexpected result: ir=322:23 | +| map.cpp:322:7:322:30 | call to source | Unexpected result: ir=322:7 | +| map.cpp:322:7:322:30 | call to source | Unexpected result: ir=322:23 | +| map.cpp:322:7:322:30 | call to source indirection | Unexpected result: ir=322:7 | +| map.cpp:322:7:322:30 | call to source indirection | Unexpected result: ir=322:23 | +| map.cpp:322:34:322:44 | // $ ast,ir | Missing result:ir= | +| taint.cpp:16:8:16:14 | source1 | Unexpected result: ir=12:13 | +| taint.cpp:16:8:16:14 | source1 | Unexpected result: ir=12:22 | +| taint.cpp:16:18:16:28 | // $ ast,ir | Missing result:ir= | +| taint.cpp:17:8:17:16 | ++ ... | Unexpected result: ir=12:13 | +| taint.cpp:17:8:17:16 | ++ ... | Unexpected result: ir=12:22 | +| taint.cpp:17:20:17:30 | // $ ast,ir | Missing result:ir= | failures diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected index 3723c5bf32a..c65f76cec0f 100644 
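Review bot: This expectation file now records many more rows under `testFailures`. The four previous `Missing result:ir=` rows are replaced by `Unexpected result: ir=…` and `Missing result:ir=` rows for map.cpp lines 168, 170, 320 and 322 and taint.cpp lines 16 and 17. Pairs such as `ir=168:7` and `ir=168:20` on the same sink suggest that one flow is now reported with two source positions, neither of which matches the inline `// $ ast,ir` annotation. Accepting these rows as expected output means later taint-tracking regressions on these lines will not fail the test. Either make the source reported for these flows unique again, or update the inline annotations in map.cpp and taint.cpp with a note explaining why the reported location changed.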
--- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected 
@@ -3,47 +3,23 @@ edges | test.cpp:30:34:30:34 | b | test.cpp:31:2:31:2 | b | | test.cpp:34:31:34:31 | b | test.cpp:35:2:35:2 | b | | test.cpp:57:19:57:19 | d | test.cpp:26:29:26:29 | b | -| test.cpp:57:19:57:19 | d | test.cpp:57:19:57:19 | d | | test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d | -| test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d | -| test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d | | test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d | | test.cpp:58:25:58:25 | d | test.cpp:30:34:30:34 | b | -| test.cpp:58:25:58:25 | d | test.cpp:58:25:58:25 | d | -| test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d | | test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d | | test.cpp:59:21:59:21 | d | test.cpp:34:31:34:31 | b | -| test.cpp:59:21:59:21 | d | test.cpp:59:21:59:21 | d | | test.cpp:74:19:74:21 | dss | test.cpp:26:29:26:29 | b | -| test.cpp:74:19:74:21 | dss | test.cpp:74:19:74:21 | dss | | test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss | -| test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss | -| test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss | | test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss | | test.cpp:75:25:75:27 | dss | test.cpp:30:34:30:34 | b | -| test.cpp:75:25:75:27 | dss | test.cpp:75:25:75:27 | dss | -| test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss | | test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss | | test.cpp:76:21:76:23 | dss | test.cpp:34:31:34:31 | b | -| test.cpp:76:21:76:23 | dss | test.cpp:76:21:76:23 | dss | | test.cpp:86:19:86:20 | d2 | test.cpp:26:29:26:29 | b | -| test.cpp:86:19:86:20 | d2 | test.cpp:86:19:86:20 | d2 | -| test.cpp:86:19:86:20 | d2 | test.cpp:86:19:86:20 | d2 | | test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 | -| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 | -| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 | -| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 | -| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 | 
| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 | | test.cpp:87:25:87:26 | d2 | test.cpp:30:34:30:34 | b | -| test.cpp:87:25:87:26 | d2 | test.cpp:87:25:87:26 | d2 | -| test.cpp:87:25:87:26 | d2 | test.cpp:87:25:87:26 | d2 | -| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 | -| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 | | test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 | | test.cpp:88:21:88:22 | d2 | test.cpp:34:31:34:31 | b | -| test.cpp:88:21:88:22 | d2 | test.cpp:88:21:88:22 | d2 | -| test.cpp:88:21:88:22 | d2 | test.cpp:88:21:88:22 | d2 | nodes | test.cpp:26:29:26:29 | b | semmle.label | b | | test.cpp:27:2:27:2 | b | semmle.label | b | 
@@ -52,67 +28,31 @@ nodes | test.cpp:34:31:34:31 | b | semmle.label | b | | test.cpp:35:2:35:2 | b | semmle.label | b | | test.cpp:57:19:57:19 | d | semmle.label | d | -| test.cpp:57:19:57:19 | d | semmle.label | d | -| test.cpp:58:25:58:25 | d | semmle.label | d | | test.cpp:58:25:58:25 | d | semmle.label | d | | test.cpp:59:21:59:21 | d | semmle.label | d | -| test.cpp:59:21:59:21 | d | semmle.label | d | -| test.cpp:74:19:74:21 | dss | semmle.label | dss | | test.cpp:74:19:74:21 | dss | semmle.label | dss | | test.cpp:75:25:75:27 | dss | semmle.label | dss | -| test.cpp:75:25:75:27 | dss | semmle.label | dss | -| test.cpp:76:21:76:23 | dss | semmle.label | dss | | test.cpp:76:21:76:23 | dss | semmle.label | dss | | test.cpp:86:19:86:20 | d2 | semmle.label | d2 | -| test.cpp:86:19:86:20 | d2 | semmle.label | d2 | -| test.cpp:86:19:86:20 | d2 | semmle.label | d2 | | test.cpp:87:25:87:26 | d2 | semmle.label | d2 | -| test.cpp:87:25:87:26 | d2 | semmle.label | d2 | -| test.cpp:87:25:87:26 | d2 | semmle.label | d2 | -| test.cpp:88:21:88:22 | d2 | semmle.label | d2 | -| test.cpp:88:21:88:22 | d2 | semmle.label | d2 | | test.cpp:88:21:88:22 | d2 | semmle.label | d2 | subpaths #select | test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | -| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | -| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast | | test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. 
| test.cpp:74:19:74:21 | dss | this cast | | test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:57:19:57:19 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | | test.cpp:31:2:31:2 | b | test.cpp:57:19:57:19 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | | test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast | | test.cpp:31:2:31:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast | | test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. 
| test.cpp:75:25:75:27 | dss | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast | | test.cpp:31:2:31:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | | test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | | test.cpp:35:2:35:2 | b | test.cpp:57:19:57:19 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:57:19:57:19 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:58:25:58:25 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. 
| test.cpp:58:25:58:25 | d | this cast | | test.cpp:35:2:35:2 | b | test.cpp:58:25:58:25 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast | | test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast | | test.cpp:35:2:35:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast | | test.cpp:35:2:35:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast | | test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast | | test.cpp:35:2:35:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. 
| test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | | test.cpp:35:2:35:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | | test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected index c2d7723194d..4f0f81569dd 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected 
@@ -47,19 +47,25 @@ edges | test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string | | test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p | | test.cpp:220:27:220:54 | call to malloc | test.cpp:222:15:222:20 | buffer | +| test.cpp:220:43:220:48 | call to malloc | test.cpp:222:15:222:20 | buffer | | test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p | | test.cpp:228:27:228:54 | call to malloc | test.cpp:232:10:232:15 | buffer | +| test.cpp:228:43:228:48 | call to malloc | test.cpp:232:10:232:15 | buffer | | test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... | | test.cpp:236:5:236:26 | ... = ... | test.cpp:236:12:236:17 | p_str indirection [post update] [string] | | test.cpp:241:20:241:38 | call to malloc | test.cpp:242:22:242:27 | buffer | +| test.cpp:241:27:241:32 | call to malloc | test.cpp:242:22:242:27 | buffer | | test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | str indirection [string] | | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | | test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] | | test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:12:243:21 | string | | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | | test.cpp:256:9:256:25 | call to malloc | test.cpp:257:12:257:12 | p | +| test.cpp:256:17:256:22 | call to malloc | test.cpp:257:12:257:12 | p | | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | +| test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p | | test.cpp:264:13:264:30 | call to malloc | test.cpp:266:12:266:12 | p | +| test.cpp:264:20:264:25 | call to malloc | test.cpp:266:12:266:12 | p | nodes | test.cpp:16:11:16:21 | mk_string_t indirection [string] | semmle.label | mk_string_t indirection [string] | | test.cpp:18:5:18:30 | ... = ... | semmle.label | ... = ... | 
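Review bot: Each added edge gives an allocation a second source node for the same `call to malloc`, for example `test.cpp:241:27:241:32` beside the existing `test.cpp:241:20:241:38`. In the `#select` hunk (`@@ -147,5 +159,7`) this shows up as a second, otherwise identical alert for the memset sinks at `test.cpp:243:5:243:10` and `test.cpp:266:5:266:10`. The matching label rows are added in the two `nodes` hunks (`@@ -110,13 +116,16` and `@@ -124,9 +133,12`). The narrower range looks like the bare call and the wider one its converted form, though that is inferred from the column ranges alone. Two alerts per overflow inflate triage counts, so the query's source should be limited to one of the two nodes before this baseline is accepted; failing that, record it next to the affected calls in test.cpp with a comment such as `// BAD (currently reported twice: converted and unconverted malloc source)`.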
@@ -110,13 +116,16 @@ nodes | test.cpp:214:24:214:24 | p | semmle.label | p | | test.cpp:216:10:216:10 | p | semmle.label | p | | test.cpp:220:27:220:54 | call to malloc | semmle.label | call to malloc | +| test.cpp:220:43:220:48 | call to malloc | semmle.label | call to malloc | | test.cpp:222:15:222:20 | buffer | semmle.label | buffer | | test.cpp:228:27:228:54 | call to malloc | semmle.label | call to malloc | +| test.cpp:228:43:228:48 | call to malloc | semmle.label | call to malloc | | test.cpp:232:10:232:15 | buffer | semmle.label | buffer | | test.cpp:235:40:235:45 | buffer | semmle.label | buffer | | test.cpp:236:5:236:26 | ... = ... | semmle.label | ... = ... | | test.cpp:236:12:236:17 | p_str indirection [post update] [string] | semmle.label | p_str indirection [post update] [string] | | test.cpp:241:20:241:38 | call to malloc | semmle.label | call to malloc | +| test.cpp:241:27:241:32 | call to malloc | semmle.label | call to malloc | | test.cpp:242:16:242:19 | set_string output argument [string] | semmle.label | set_string output argument [string] | | test.cpp:242:22:242:27 | buffer | semmle.label | buffer | | test.cpp:243:12:243:14 | str indirection [string] | semmle.label | str indirection [string] | 
@@ -124,9 +133,12 @@ nodes | test.cpp:249:14:249:33 | call to my_alloc | semmle.label | call to my_alloc | | test.cpp:250:12:250:12 | p | semmle.label | p | | test.cpp:256:9:256:25 | call to malloc | semmle.label | call to malloc | +| test.cpp:256:17:256:22 | call to malloc | semmle.label | call to malloc | | test.cpp:257:12:257:12 | p | semmle.label | p | | test.cpp:262:15:262:30 | call to malloc | semmle.label | call to malloc | +| test.cpp:262:22:262:27 | call to malloc | semmle.label | call to malloc | | test.cpp:264:13:264:30 | call to malloc | semmle.label | call to malloc | +| test.cpp:264:20:264:25 | call to malloc | semmle.label | call to malloc | | test.cpp:266:12:266:12 | p | semmle.label | p | subpaths | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:236:12:236:17 | p_str indirection [post update] [string] | test.cpp:242:16:242:19 | set_string output argument [string] | 
@@ -147,5 +159,7 @@ subpaths | test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | string | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string | | test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | string | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string | | test.cpp:243:5:243:10 | call to memset | test.cpp:241:20:241:38 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string | +| test.cpp:243:5:243:10 | call to memset | test.cpp:241:27:241:32 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string | | test.cpp:250:5:250:10 | call to memset | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p | | test.cpp:266:5:266:10 | call to memset | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p | +| test.cpp:266:5:266:10 | call to memset | test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected index b75eda8eec1..62289825220 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected 
@@ -49,9 +49,6 @@ | tests.cpp:577:7:577:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array | | tests_restrict.c:12:2:12:7 | call to memcpy | This 'memcpy' operation accesses 2 bytes but the $@ is only 1 byte. | tests_restrict.c:7:6:7:13 | smallbuf | source buffer | | unions.cpp:26:2:26:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:21:10:21:11 | mu | destination buffer | -| unions.cpp:27:2:27:7 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 10 bytes. | unions.cpp:15:7:15:11 | small | destination buffer | -| unions.cpp:29:2:29:7 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 10 bytes. | unions.cpp:15:7:15:11 | small | destination buffer | -| unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 10 bytes. | unions.cpp:15:7:15:11 | small | destination buffer | | unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:15:7:15:11 | small | destination buffer | | unions.cpp:34:2:34:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:16:7:16:11 | large | destination buffer | | var_size_struct.cpp:71:3:71:8 | call to memset | This 'memset' operation accesses 1025 bytes but the $@ is only 1024 bytes. | var_size_struct.cpp:63:8:63:11 | data | destination buffer | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.expected index 022ae91391e..641be44149e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.expected 
@@ -17,6 +17,5 @@ | tests.c:186:3:186:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 2 bytes. | | tests.c:189:3:189:9 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. | | unions.c:26:2:26:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 16 bytes. | -| unions.c:27:2:27:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 15 bytes. | | unions.c:27:2:27:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 16 bytes. | | var_size_struct.cpp:22:3:22:8 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 9 bytes. | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected index 9b269a1f95a..1b70f69d75d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected 
@@ -57,12 +57,14 @@ edges | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:10 | i4 | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:10 | i4 | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | +| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | i4 | -| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | @@ -107,8 +109,6 @@ edges | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 | -| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 | 
@@ -164,12 +164,13 @@ nodes | argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... | | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... | | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... | +| argvLocal.c:135:9:135:10 | i4 | semmle.label | i4 | +| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ | | argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ | | argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ | | argvLocal.c:135:9:135:12 | ... ++ | semmle.label | i4 | | argvLocal.c:135:9:135:12 | i4 | semmle.label | ... ++ | | argvLocal.c:135:9:135:12 | i4 | semmle.label | i4 | -| argvLocal.c:135:9:135:12 | i4 | semmle.label | i4 | | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | @@ -191,7 +192,6 @@ nodes | argvLocal.c:168:18:168:21 | argv | semmle.label | argv | | argvLocal.c:168:18:168:21 | argv | semmle.label | argv | | argvLocal.c:169:9:169:20 | i10 | semmle.label | i10 | -| argvLocal.c:169:9:169:20 | i10 | semmle.label | i10 | | argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 | | argvLocal.c:170:15:170:26 | i10 | semmle.label | i10 | | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected index c576b4d1b12..64e14db1f04 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected 
@@ -11,7 +11,6 @@ edges | test.cpp:46:18:46:26 | http:// indirection | test.cpp:49:11:49:16 | buffer indirection | | test.cpp:49:11:49:16 | buffer indirection | test.cpp:11:26:11:28 | url indirection | | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection | -| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection | | test.cpp:121:11:121:13 | ptr indirection | test.cpp:11:26:11:28 | url indirection | nodes | test.cpp:11:26:11:28 | url indirection | semmle.label | url indirection | @@ -27,7 +26,6 @@ nodes | test.cpp:46:18:46:26 | http:// indirection | semmle.label | http:// indirection | | test.cpp:49:11:49:16 | buffer indirection | semmle.label | buffer indirection | | test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection | -| test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection | | test.cpp:121:11:121:13 | ptr indirection | semmle.label | ptr indirection | subpaths #select @@ -37,4 +35,3 @@ subpaths | test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. | | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. | | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. | -| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected index f71eb606bd3..d07199fde5d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected @@ -1,11 +1,8 @@ edges | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | -| tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | nodes | tests.c:57:21:57:28 | password indirection | semmle.label | password indirection | -| tests.c:57:21:57:28 | password indirection | semmle.label | password indirection | | tests.c:70:70:70:77 | password indirection | semmle.label | password indirection | subpaths #select | tests.c:70:70:70:77 | password indirection | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password indirection | password indirection | -| tests.c:70:70:70:77 | password indirection | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password indirection | password indirection | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected index 6d794450b60..f24a5f8d04a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected 
@@ -52,8 +52,6 @@ edges | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | p indirection | | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | p indirection | | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | q indirection | -| tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | q indirection | -| tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | q indirection | | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | q indirection | | tests.cpp:112:39:112:39 | p indirection | tests.cpp:113:2:113:2 | p indirection | | tests.cpp:116:39:116:39 | p indirection | tests.cpp:117:2:117:2 | p indirection | @@ -134,10 +132,8 @@ nodes | tests.cpp:80:2:80:2 | p indirection | semmle.label | p indirection | | tests.cpp:85:24:85:44 | call to XercesDOMParser | semmle.label | call to XercesDOMParser | | tests.cpp:88:3:88:3 | q indirection | semmle.label | q indirection | -| tests.cpp:88:3:88:3 | q indirection | semmle.label | q indirection | | tests.cpp:100:24:100:44 | call to XercesDOMParser | semmle.label | call to XercesDOMParser | | tests.cpp:104:3:104:3 | q indirection | semmle.label | q indirection | -| tests.cpp:104:3:104:3 | q indirection | semmle.label | q indirection | | tests.cpp:112:39:112:39 | p indirection | semmle.label | p indirection | | tests.cpp:113:2:113:2 | p indirection | semmle.label | p indirection | | tests.cpp:116:39:116:39 | p indirection | semmle.label | p indirection | 
@@ -174,8 +170,6 @@ subpaths | tests.cpp:69:2:69:2 | p indirection | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:66:23:66:43 | call to XercesDOMParser | XML parser | | tests.cpp:80:2:80:2 | p indirection | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:73:23:73:43 | call to XercesDOMParser | XML parser | | tests.cpp:88:3:88:3 | q indirection | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | q indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | call to XercesDOMParser | XML parser | -| tests.cpp:88:3:88:3 | q indirection | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | q indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | call to XercesDOMParser | XML parser | -| tests.cpp:104:3:104:3 | q indirection | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | q indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | call to XercesDOMParser | XML parser | | tests.cpp:104:3:104:3 | q indirection | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | q indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | call to XercesDOMParser | XML parser | | tests.cpp:113:2:113:2 | p indirection | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:113:2:113:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | | tests.cpp:117:2:117:2 | p indirection | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:117:2:117:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser |