hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Use the index to to get the 'most converted' and 'least converted' instruction in a bunch of places.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2023-09-01 13:03:29 +01:00
parent 4dfaf9225c
commit d2bb73ba1f
12 changed files with 187 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

145
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
View File

@@ -193,13 +193,23 @@ class Node extends TIRDataFlowNode {
* a `Conversion`, then the result is the underlying non-`Conversion` base
* expression.
*/
Expr asExpr() { result = this.(ExprNode).getExpr() }
Expr asExpr() { result = this.asExpr(_) }
/**
* INTERNAL: Do not use.
*/
Expr asExpr(int n) { result = this.(ExprNode).getExpr(n) }
/**
* INTERNAL: Do not use.
*/
Expr asIndirectExpr(int n, int index) { result = this.(IndirectExprNode).getExpr(n, index) }
/**
* Gets the non-conversion expression that's indirectly tracked by this node
* under `index` number of indirections.
*/
Expr asIndirectExpr(int index) { result = this.(IndirectExprNode).getExpr(index) }
Expr asIndirectExpr(int index) { result = this.asIndirectExpr(_, index) }
/**
* Gets the non-conversion expression that's indirectly tracked by this node
@@ -211,15 +221,26 @@ class Node extends TIRDataFlowNode {
* Gets the expression corresponding to this node, if any. The returned
* expression may be a `Conversion`.
*/
Expr asConvertedExpr() { result = this.(ExprNode).getConvertedExpr() }
Expr asConvertedExpr() { result = this.asConvertedExpr(_) }
/**
* Gets the expression corresponding to this node, if any. The returned
* expression may be a `Conversion`.
*/
Expr asConvertedExpr(int n) { result = this.(ExprNode).getConvertedExpr(n) }
/**
* INTERNAL: Do not use.
*/
Expr asIndirectConvertedExpr(int n, int index) {
result = this.(IndirectExprNode).getConvertedExpr(n, index)
}
/**
* Gets the expression that's indirectly tracked by this node
* behind `index` number of indirections.
*/
Expr asIndirectConvertedExpr(int index) {
result = this.(IndirectExprNode).getConvertedExpr(index)
}
Expr asIndirectConvertedExpr(int index) { result = this.asIndirectConvertedExpr(_, index) }
/**
* Gets the expression that's indirectly tracked by this node behind a
@@ -1090,46 +1111,46 @@ private module GetConvertedResultExpression {
private import GetConvertedResultExpression
/** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */
predicate exprNodeShouldBeOperand(OperandNode node, Expr e) {
predicate exprNodeShouldBeOperand(OperandNode node, Expr e, int n) {
exists(Instruction def |
unique( | | getAUse(def)) = node.getOperand() and
e = getConvertedResultExpression(def)
e = getConvertedResultExpression(def, n)
)
}
/** Holds if `node` should be an `IndirectOperand` that maps `node.asIndirectExpr()` to `e`. */
private predicate indirectExprNodeShouldBeIndirectOperand(
IndirectOperand node, Expr e, int indirectionIndex
IndirectOperand node, Expr e, int n, int indirectionIndex
) {
exists(Instruction def |
node.hasOperandAndIndirectionIndex(unique( | | getAUse(def)), indirectionIndex) and
e = getConvertedResultExpression(def)
e = getConvertedResultExpression(def, n)
)
}
private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e) {
private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e, int n) {
exists(CallInstruction call |
call.getStaticCallTarget() instanceof Constructor and
e = getConvertedResultExpression(call) and
e = getConvertedResultExpression(call, n) and
call.getThisArgumentOperand() = node.getAddressOperand()
)
}
/** Holds if `node` should be an instruction node that maps `node.asExpr()` to `e`. */
predicate exprNodeShouldBeInstruction(Node node, Expr e) {
not exprNodeShouldBeOperand(_, e) and
not exprNodeShouldBeIndirectOutNode(_, e) and
e = getConvertedResultExpression(node.asInstruction())
predicate exprNodeShouldBeInstruction(Node node, Expr e, int n) {
not exprNodeShouldBeOperand(_, e, n) and
not exprNodeShouldBeIndirectOutNode(_, e, n) and
e = getConvertedResultExpression(node.asInstruction(), n)
}
/** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
predicate indirectExprNodeShouldBeIndirectInstruction(
IndirectInstruction node, Expr e, int indirectionIndex
IndirectInstruction node, Expr e, int n, int indirectionIndex
) {
not indirectExprNodeShouldBeIndirectOperand(_, e, indirectionIndex) and
not indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) and
exists(Instruction instr |
node.hasInstructionAndIndirectionIndex(instr, indirectionIndex) and
e = getConvertedResultExpression(instr)
e = getConvertedResultExpression(instr, n)
)
}
@@ -1138,22 +1159,32 @@ abstract private class ExprNodeBase extends Node {
* Gets the expression corresponding to this node, if any. The returned
* expression may be a `Conversion`.
*/
abstract Expr getConvertedExpr();
abstract Expr getConvertedExpr(int n);
/** Gets the non-conversion expression corresponding to this node, if any. */
final Expr getExpr() { result = this.getConvertedExpr().getUnconverted() }
final Expr getExpr(int n) { result = this.getConvertedExpr(n).getUnconverted() }
}
private class InstructionExprNode extends ExprNodeBase, InstructionNode {
InstructionExprNode() { exprNodeShouldBeInstruction(this, _) }
InstructionExprNode() {
exists(Expr e, int n |
exprNodeShouldBeInstruction(this, e, n) and
not exprNodeShouldBeInstruction(_, e, n + 1)
)
}
final override Expr getConvertedExpr() { exprNodeShouldBeInstruction(this, result) }
final override Expr getConvertedExpr(int n) { exprNodeShouldBeInstruction(this, result, n) }
}
private class OperandExprNode extends ExprNodeBase, OperandNode {
OperandExprNode() { exprNodeShouldBeOperand(this, _) }
OperandExprNode() {
exists(Expr e, int n |
exprNodeShouldBeOperand(this, e, n) and
not exprNodeShouldBeOperand(_, e, n + 1)
)
}
final override Expr getConvertedExpr() { exprNodeShouldBeOperand(this, result) }
final override Expr getConvertedExpr(int n) { exprNodeShouldBeOperand(this, result, n) }
}
abstract private class IndirectExprNodeBase extends Node {
@@ -1161,55 +1192,75 @@ abstract private class IndirectExprNodeBase extends Node {
* Gets the expression corresponding to this node, if any. The returned
* expression may be a `Conversion`.
*/
abstract Expr getConvertedExpr(int indirectionIndex);
abstract Expr getConvertedExpr(int n, int indirectionIndex);
/** Gets the non-conversion expression corresponding to this node, if any. */
final Expr getExpr(int indirectionIndex) {
result = this.getConvertedExpr(indirectionIndex).getUnconverted()
final Expr getExpr(int n, int indirectionIndex) {
result = this.getConvertedExpr(n, indirectionIndex).getUnconverted()
}
}
private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
{
IndirectOperandIndirectExprNode() { indirectExprNodeShouldBeIndirectOperand(this, _, _) }
IndirectOperandIndirectExprNode() {
exists(Expr e, int n, int indirectionIndex |
indirectExprNodeShouldBeIndirectOperand(this, e, n, indirectionIndex) and
not indirectExprNodeShouldBeIndirectOperand(_, e, n + 1, indirectionIndex)
)
}
final override Expr getConvertedExpr(int index) {
indirectExprNodeShouldBeIndirectOperand(this, result, index)
final override Expr getConvertedExpr(int n, int index) {
indirectExprNodeShouldBeIndirectOperand(this, result, n, index)
}
}
private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
{
IndirectInstructionIndirectExprNode() { indirectExprNodeShouldBeIndirectInstruction(this, _, _) }
IndirectInstructionIndirectExprNode() {
exists(Expr e, int n, int indirectionIndex |
indirectExprNodeShouldBeIndirectInstruction(this, e, n, indirectionIndex) and
not indirectExprNodeShouldBeIndirectInstruction(_, e, n + 1, indirectionIndex)
)
}
final override Expr getConvertedExpr(int index) {
indirectExprNodeShouldBeIndirectInstruction(this, result, index)
final override Expr getConvertedExpr(int n, int index) {
indirectExprNodeShouldBeIndirectInstruction(this, result, n, index)
}
}
private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgumentOutNode {
IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _) }
IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _, _) }
final override Expr getConvertedExpr() { exprNodeShouldBeIndirectOutNode(this, result) }
final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOutNode(this, result, n) }
}
/**
* An expression, viewed as a node in a data flow graph.
*/
class ExprNode extends Node instanceof ExprNodeBase {
/**
* INTERNAL: Do not use.
*/
Expr getExpr(int n) { result = super.getExpr(n) }
/**
* Gets the non-conversion expression corresponding to this node, if any. If
* this node strictly (in the sense of `getConvertedExpr`) corresponds to a
* `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
* expression.
*/
Expr getExpr() { result = super.getExpr() }
final Expr getExpr() { result = this.getExpr(_) }
/**
* INTERNAL: Do not use.
*/
Expr getConvertedExpr(int n) { result = super.getConvertedExpr(n) }
/**
* Gets the expression corresponding to this node, if any. The returned
* expression may be a `Conversion`.
*/
Expr getConvertedExpr() { result = super.getConvertedExpr() }
final Expr getConvertedExpr() { result = this.getConvertedExpr(_) }
}
/**
@@ -1222,13 +1273,27 @@ class IndirectExprNode extends Node instanceof IndirectExprNodeBase {
* `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
* expression.
*/
Expr getExpr(int indirectionIndex) { result = super.getExpr(indirectionIndex) }
final Expr getExpr(int indirectionIndex) { result = this.getExpr(_, indirectionIndex) }
/**
* INTERNAL: Do not use.
*/
Expr getExpr(int n, int indirectionIndex) { result = super.getExpr(n, indirectionIndex) }
/**
* INTERNAL: Do not use.
*/
Expr getConvertedExpr(int n, int indirectionIndex) {
result = super.getConvertedExpr(n, indirectionIndex)
}
/**
* Gets the expression corresponding to this node, if any. The returned
* expression may be a `Conversion`.
*/
Expr getConvertedExpr(int indirectionIndex) { result = super.getConvertedExpr(indirectionIndex) }
Expr getConvertedExpr(int indirectionIndex) {
result = this.getConvertedExpr(_, indirectionIndex)
}
}
/**

10
cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
View File

@@ -57,16 +57,6 @@ uniqueNodeToString
| aliasing.cpp:132:9:132:14 | & ... | Node should have one toString but has 3. |
| aliasing.cpp:132:9:132:14 | * ... | Node should have one toString but has 3. |
| aliasing.cpp:132:9:132:14 | xs | Node should have one toString but has 3. |
| aliasing.cpp:132:10:132:14 | & ... | Node should have one toString but has 3. |
| aliasing.cpp:132:10:132:14 | & ... indirection | Node should have one toString but has 3. |
| aliasing.cpp:132:10:132:14 | * ... | Node should have one toString but has 3. |
| aliasing.cpp:132:10:132:14 | * ... indirection | Node should have one toString but has 3. |
| aliasing.cpp:132:10:132:14 | xs | Node should have one toString but has 3. |
| aliasing.cpp:132:10:132:14 | xs indirection | Node should have one toString but has 3. |
| aliasing.cpp:132:11:132:14 | * ... | Node should have one toString but has 2. |
| aliasing.cpp:132:11:132:14 | * ... indirection | Node should have one toString but has 2. |
| aliasing.cpp:132:11:132:14 | xs | Node should have one toString but has 2. |
| aliasing.cpp:132:11:132:14 | xs indirection | Node should have one toString but has 2. |
| aliasing.cpp:136:15:136:17 | + ... | Node should have one toString but has 2. |
| aliasing.cpp:136:15:136:17 | + ... indirection | Node should have one toString but has 2. |
| aliasing.cpp:136:15:136:17 | xs | Node should have one toString but has 2. |

20
cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
View File

@@ -13,6 +13,8 @@ edges
| A.cpp:41:5:41:6 | insert output argument | A.cpp:43:10:43:12 | & ... indirection |
| A.cpp:41:5:41:6 | insert output argument | A.cpp:43:10:43:12 | ct indirection |
| A.cpp:41:15:41:21 | new | A.cpp:41:5:41:6 | insert output argument |
| A.cpp:41:15:41:21 | new | A.cpp:41:5:41:6 | insert output argument |
| A.cpp:41:15:41:21 | new | A.cpp:41:15:41:21 | new |
| A.cpp:47:12:47:18 | new | A.cpp:48:20:48:20 | c |
| A.cpp:48:12:48:18 | call to make indirection [c] | A.cpp:49:10:49:10 | b indirection [c] |
| A.cpp:48:20:48:20 | c | A.cpp:29:23:29:23 | c |
@@ -21,6 +23,7 @@ edges
| A.cpp:55:5:55:5 | set output argument [c] | A.cpp:56:10:56:10 | b indirection [c] |
| A.cpp:55:12:55:19 | new | A.cpp:27:17:27:17 | c |
| A.cpp:55:12:55:19 | new | A.cpp:55:5:55:5 | set output argument [c] |
| A.cpp:55:12:55:19 | new | A.cpp:55:12:55:19 | new |
| A.cpp:56:10:56:10 | b indirection [c] | A.cpp:28:8:28:10 | this indirection [c] |
| A.cpp:56:10:56:10 | b indirection [c] | A.cpp:56:10:56:17 | call to get |
| A.cpp:57:11:57:24 | call to B [c] | A.cpp:57:11:57:24 | new indirection [c] |
@@ -31,10 +34,12 @@ edges
| A.cpp:57:17:57:23 | new | A.cpp:57:17:57:23 | new |
| A.cpp:64:10:64:15 | call to setOnB indirection [c] | A.cpp:66:10:66:11 | b2 indirection [c] |
| A.cpp:64:21:64:28 | new | A.cpp:64:10:64:15 | call to setOnB indirection [c] |
| A.cpp:64:21:64:28 | new | A.cpp:64:21:64:28 | new |
| A.cpp:64:21:64:28 | new | A.cpp:85:26:85:26 | c |
| A.cpp:66:10:66:11 | b2 indirection [c] | A.cpp:66:10:66:14 | c |
| A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] | A.cpp:75:10:75:11 | b2 indirection [c] |
| A.cpp:73:25:73:32 | new | A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] |
| A.cpp:73:25:73:32 | new | A.cpp:73:25:73:32 | new |
| A.cpp:73:25:73:32 | new | A.cpp:78:27:78:27 | c |
| A.cpp:75:10:75:11 | b2 indirection [c] | A.cpp:75:10:75:14 | c |
| A.cpp:78:27:78:27 | c | A.cpp:81:21:81:21 | c |
@@ -853,6 +858,7 @@ nodes
| A.cpp:31:20:31:20 | c | semmle.label | c |
| A.cpp:41:5:41:6 | insert output argument | semmle.label | insert output argument |
| A.cpp:41:15:41:21 | new | semmle.label | new |
| A.cpp:41:15:41:21 | new | semmle.label | new |
| A.cpp:43:10:43:12 | & ... indirection | semmle.label | & ... indirection |
| A.cpp:43:10:43:12 | & ... indirection | semmle.label | ct indirection |
| A.cpp:43:10:43:12 | ct indirection | semmle.label | & ... indirection |
@@ -864,6 +870,7 @@ nodes
| A.cpp:49:10:49:13 | c | semmle.label | c |
| A.cpp:55:5:55:5 | set output argument [c] | semmle.label | set output argument [c] |
| A.cpp:55:12:55:19 | new | semmle.label | new |
| A.cpp:55:12:55:19 | new | semmle.label | new |
| A.cpp:56:10:56:10 | b indirection [c] | semmle.label | b indirection [c] |
| A.cpp:56:10:56:17 | call to get | semmle.label | call to get |
| A.cpp:57:10:57:32 | call to get | semmle.label | call to get |
@@ -873,10 +880,12 @@ nodes
| A.cpp:57:17:57:23 | new | semmle.label | new |
| A.cpp:64:10:64:15 | call to setOnB indirection [c] | semmle.label | call to setOnB indirection [c] |
| A.cpp:64:21:64:28 | new | semmle.label | new |
| A.cpp:64:21:64:28 | new | semmle.label | new |
| A.cpp:66:10:66:11 | b2 indirection [c] | semmle.label | b2 indirection [c] |
| A.cpp:66:10:66:14 | c | semmle.label | c |
| A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] | semmle.label | call to setOnBWrap indirection [c] |
| A.cpp:73:25:73:32 | new | semmle.label | new |
| A.cpp:73:25:73:32 | new | semmle.label | new |
| A.cpp:75:10:75:11 | b2 indirection [c] | semmle.label | b2 indirection [c] |
| A.cpp:75:10:75:14 | c | semmle.label | c |
| A.cpp:78:6:78:15 | setOnBWrap indirection [c] | semmle.label | setOnBWrap indirection [c] |
@@ -1788,17 +1797,28 @@ subpaths
| simple.cpp:84:14:84:20 | this indirection [f2, f1] | simple.cpp:78:9:78:15 | this indirection [f2, f1] | simple.cpp:78:9:78:15 | getf2f1 indirection | simple.cpp:84:14:84:20 | call to getf2f1 |
#select
| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | & ... indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | & ... indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | & ... indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:43:10:43:12 | ct indirection | A.cpp:41:15:41:21 | new | A.cpp:43:10:43:12 | ct indirection | ct indirection flows from $@ | A.cpp:41:15:41:21 | new | new |
| A.cpp:49:10:49:13 | c | A.cpp:47:12:47:18 | new | A.cpp:49:10:49:13 | c | c flows from $@ | A.cpp:47:12:47:18 | new | new |
| A.cpp:56:10:56:17 | call to get | A.cpp:55:12:55:19 | new | A.cpp:56:10:56:17 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | new | new |
| A.cpp:56:10:56:17 | call to get | A.cpp:55:12:55:19 | new | A.cpp:56:10:56:17 | call to get | call to get flows from $@ | A.cpp:55:12:55:19 | new | new |
| A.cpp:57:10:57:32 | call to get | A.cpp:57:17:57:23 | new | A.cpp:57:10:57:32 | call to get | call to get flows from $@ | A.cpp:57:17:57:23 | new | new |
| A.cpp:66:10:66:14 | c | A.cpp:64:21:64:28 | new | A.cpp:66:10:66:14 | c | c flows from $@ | A.cpp:64:21:64:28 | new | new |
| A.cpp:66:10:66:14 | c | A.cpp:64:21:64:28 | new | A.cpp:66:10:66:14 | c | c flows from $@ | A.cpp:64:21:64:28 | new | new |
| A.cpp:75:10:75:14 | c | A.cpp:73:25:73:32 | new | A.cpp:75:10:75:14 | c | c flows from $@ | A.cpp:73:25:73:32 | new | new |
| A.cpp:75:10:75:14 | c | A.cpp:73:25:73:32 | new | A.cpp:75:10:75:14 | c | c flows from $@ | A.cpp:73:25:73:32 | new | new |
| A.cpp:107:12:107:16 | a | A.cpp:98:12:98:18 | new | A.cpp:107:12:107:16 | a | a flows from $@ | A.cpp:98:12:98:18 | new | new |
| A.cpp:120:12:120:16 | a | A.cpp:98:12:98:18 | new | A.cpp:120:12:120:16 | a | a flows from $@ | A.cpp:98:12:98:18 | new | new |

46
cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
View File

@@ -4,8 +4,46 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (taint
WARNING: Module DataFlow has been deprecated and may be removed in future (taint.ql:68,25-33)
WARNING: Module TaintTracking has been deprecated and may be removed in future (taint.ql:73,20-33)
testFailures
| map.cpp:172:20:172:30 | // $ ast,ir | Missing result:ir= |
| map.cpp:174:20:174:30 | // $ ast,ir | Missing result:ir= |
| map.cpp:324:20:324:30 | // $ ast,ir | Missing result:ir= |
| map.cpp:326:20:326:30 | // $ ast,ir | Missing result:ir= |
| map.cpp:168:7:168:27 | ... = ... | Unexpected result: ir=168:7 |
| map.cpp:168:7:168:27 | ... = ... | Unexpected result: ir=168:20 |
| map.cpp:168:7:168:27 | ... = ... indirection | Unexpected result: ir=168:7 |
| map.cpp:168:7:168:27 | ... = ... indirection | Unexpected result: ir=168:20 |
| map.cpp:168:7:168:27 | call to source | Unexpected result: ir=168:7 |
| map.cpp:168:7:168:27 | call to source | Unexpected result: ir=168:20 |
| map.cpp:168:7:168:27 | call to source indirection | Unexpected result: ir=168:7 |
| map.cpp:168:7:168:27 | call to source indirection | Unexpected result: ir=168:20 |
| map.cpp:168:31:168:41 | // $ ast,ir | Missing result:ir= |
| map.cpp:170:7:170:30 | ... = ... | Unexpected result: ir=170:7 |
| map.cpp:170:7:170:30 | ... = ... | Unexpected result: ir=170:23 |
| map.cpp:170:7:170:30 | ... = ... indirection | Unexpected result: ir=170:7 |
| map.cpp:170:7:170:30 | ... = ... indirection | Unexpected result: ir=170:23 |
| map.cpp:170:7:170:30 | call to source | Unexpected result: ir=170:7 |
| map.cpp:170:7:170:30 | call to source | Unexpected result: ir=170:23 |
| map.cpp:170:7:170:30 | call to source indirection | Unexpected result: ir=170:7 |
| map.cpp:170:7:170:30 | call to source indirection | Unexpected result: ir=170:23 |
| map.cpp:170:34:170:44 | // $ ast,ir | Missing result:ir= |
| map.cpp:320:7:320:27 | ... = ... | Unexpected result: ir=320:7 |
| map.cpp:320:7:320:27 | ... = ... | Unexpected result: ir=320:20 |
| map.cpp:320:7:320:27 | ... = ... indirection | Unexpected result: ir=320:7 |
| map.cpp:320:7:320:27 | ... = ... indirection | Unexpected result: ir=320:20 |
| map.cpp:320:7:320:27 | call to source | Unexpected result: ir=320:7 |
| map.cpp:320:7:320:27 | call to source | Unexpected result: ir=320:20 |
| map.cpp:320:7:320:27 | call to source indirection | Unexpected result: ir=320:7 |
| map.cpp:320:7:320:27 | call to source indirection | Unexpected result: ir=320:20 |
| map.cpp:320:31:320:41 | // $ ast,ir | Missing result:ir= |
| map.cpp:322:7:322:30 | ... = ... | Unexpected result: ir=322:7 |
| map.cpp:322:7:322:30 | ... = ... | Unexpected result: ir=322:23 |
| map.cpp:322:7:322:30 | ... = ... indirection | Unexpected result: ir=322:7 |
| map.cpp:322:7:322:30 | ... = ... indirection | Unexpected result: ir=322:23 |
| map.cpp:322:7:322:30 | call to source | Unexpected result: ir=322:7 |
| map.cpp:322:7:322:30 | call to source | Unexpected result: ir=322:23 |
| map.cpp:322:7:322:30 | call to source indirection | Unexpected result: ir=322:7 |
| map.cpp:322:7:322:30 | call to source indirection | Unexpected result: ir=322:23 |
| map.cpp:322:34:322:44 | // $ ast,ir | Missing result:ir= |
| taint.cpp:16:8:16:14 | source1 | Unexpected result: ir=12:13 |
| taint.cpp:16:8:16:14 | source1 | Unexpected result: ir=12:22 |
| taint.cpp:16:18:16:28 | // $ ast,ir | Missing result:ir= |
| taint.cpp:17:8:17:16 | ++ ... | Unexpected result: ir=12:13 |
| taint.cpp:17:8:17:16 | ++ ... | Unexpected result: ir=12:22 |
| taint.cpp:17:20:17:30 | // $ ast,ir | Missing result:ir= |
failures

60
cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected
View File

@@ -3,47 +3,23 @@ edges
| test.cpp:30:34:30:34 | b | test.cpp:31:2:31:2 | b |
| test.cpp:34:31:34:31 | b | test.cpp:35:2:35:2 | b |
| test.cpp:57:19:57:19 | d | test.cpp:26:29:26:29 | b |
| test.cpp:57:19:57:19 | d | test.cpp:57:19:57:19 | d |
| test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d |
| test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d |
| test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d |
| test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d |
| test.cpp:58:25:58:25 | d | test.cpp:30:34:30:34 | b |
| test.cpp:58:25:58:25 | d | test.cpp:58:25:58:25 | d |
| test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d |
| test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d |
| test.cpp:59:21:59:21 | d | test.cpp:34:31:34:31 | b |
| test.cpp:59:21:59:21 | d | test.cpp:59:21:59:21 | d |
| test.cpp:74:19:74:21 | dss | test.cpp:26:29:26:29 | b |
| test.cpp:74:19:74:21 | dss | test.cpp:74:19:74:21 | dss |
| test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss |
| test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss |
| test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss |
| test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss |
| test.cpp:75:25:75:27 | dss | test.cpp:30:34:30:34 | b |
| test.cpp:75:25:75:27 | dss | test.cpp:75:25:75:27 | dss |
| test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss |
| test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss |
| test.cpp:76:21:76:23 | dss | test.cpp:34:31:34:31 | b |
| test.cpp:76:21:76:23 | dss | test.cpp:76:21:76:23 | dss |
| test.cpp:86:19:86:20 | d2 | test.cpp:26:29:26:29 | b |
| test.cpp:86:19:86:20 | d2 | test.cpp:86:19:86:20 | d2 |
| test.cpp:86:19:86:20 | d2 | test.cpp:86:19:86:20 | d2 |
| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 |
| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 |
| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 |
| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 |
| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 |
| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 |
| test.cpp:87:25:87:26 | d2 | test.cpp:30:34:30:34 | b |
| test.cpp:87:25:87:26 | d2 | test.cpp:87:25:87:26 | d2 |
| test.cpp:87:25:87:26 | d2 | test.cpp:87:25:87:26 | d2 |
| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 |
| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 |
| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 |
| test.cpp:88:21:88:22 | d2 | test.cpp:34:31:34:31 | b |
| test.cpp:88:21:88:22 | d2 | test.cpp:88:21:88:22 | d2 |
| test.cpp:88:21:88:22 | d2 | test.cpp:88:21:88:22 | d2 |
nodes
| test.cpp:26:29:26:29 | b | semmle.label | b |
| test.cpp:27:2:27:2 | b | semmle.label | b |
@@ -52,67 +28,31 @@ nodes
| test.cpp:34:31:34:31 | b | semmle.label | b |
| test.cpp:35:2:35:2 | b | semmle.label | b |
| test.cpp:57:19:57:19 | d | semmle.label | d |
| test.cpp:57:19:57:19 | d | semmle.label | d |
| test.cpp:58:25:58:25 | d | semmle.label | d |
| test.cpp:58:25:58:25 | d | semmle.label | d |
| test.cpp:59:21:59:21 | d | semmle.label | d |
| test.cpp:59:21:59:21 | d | semmle.label | d |
| test.cpp:74:19:74:21 | dss | semmle.label | dss |
| test.cpp:74:19:74:21 | dss | semmle.label | dss |
| test.cpp:75:25:75:27 | dss | semmle.label | dss |
| test.cpp:75:25:75:27 | dss | semmle.label | dss |
| test.cpp:76:21:76:23 | dss | semmle.label | dss |
| test.cpp:76:21:76:23 | dss | semmle.label | dss |
| test.cpp:86:19:86:20 | d2 | semmle.label | d2 |
| test.cpp:86:19:86:20 | d2 | semmle.label | d2 |
| test.cpp:86:19:86:20 | d2 | semmle.label | d2 |
| test.cpp:87:25:87:26 | d2 | semmle.label | d2 |
| test.cpp:87:25:87:26 | d2 | semmle.label | d2 |
| test.cpp:87:25:87:26 | d2 | semmle.label | d2 |
| test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
| test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
| test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
subpaths
#select
| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:57:19:57:19 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:57:19:57:19 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:57:19:57:19 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:57:19:57:19 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:58:25:58:25 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:58:25:58:25 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast |
| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast |

14
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
View File

@@ -47,19 +47,25 @@ edges
| test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string |
| test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p |
| test.cpp:220:27:220:54 | call to malloc | test.cpp:222:15:222:20 | buffer |
| test.cpp:220:43:220:48 | call to malloc | test.cpp:222:15:222:20 | buffer |
| test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p |
| test.cpp:228:27:228:54 | call to malloc | test.cpp:232:10:232:15 | buffer |
| test.cpp:228:43:228:48 | call to malloc | test.cpp:232:10:232:15 | buffer |
| test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... |
| test.cpp:236:5:236:26 | ... = ... | test.cpp:236:12:236:17 | p_str indirection [post update] [string] |
| test.cpp:241:20:241:38 | call to malloc | test.cpp:242:22:242:27 | buffer |
| test.cpp:241:27:241:32 | call to malloc | test.cpp:242:22:242:27 | buffer |
| test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | str indirection [string] |
| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer |
| test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] |
| test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:12:243:21 | string |
| test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p |
| test.cpp:256:9:256:25 | call to malloc | test.cpp:257:12:257:12 | p |
| test.cpp:256:17:256:22 | call to malloc | test.cpp:257:12:257:12 | p |
| test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p |
| test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p |
| test.cpp:264:13:264:30 | call to malloc | test.cpp:266:12:266:12 | p |
| test.cpp:264:20:264:25 | call to malloc | test.cpp:266:12:266:12 | p |
nodes
| test.cpp:16:11:16:21 | mk_string_t indirection [string] | semmle.label | mk_string_t indirection [string] |
| test.cpp:18:5:18:30 | ... = ... | semmle.label | ... = ... |
@@ -110,13 +116,16 @@ nodes
| test.cpp:214:24:214:24 | p | semmle.label | p |
| test.cpp:216:10:216:10 | p | semmle.label | p |
| test.cpp:220:27:220:54 | call to malloc | semmle.label | call to malloc |
| test.cpp:220:43:220:48 | call to malloc | semmle.label | call to malloc |
| test.cpp:222:15:222:20 | buffer | semmle.label | buffer |
| test.cpp:228:27:228:54 | call to malloc | semmle.label | call to malloc |
| test.cpp:228:43:228:48 | call to malloc | semmle.label | call to malloc |
| test.cpp:232:10:232:15 | buffer | semmle.label | buffer |
| test.cpp:235:40:235:45 | buffer | semmle.label | buffer |
| test.cpp:236:5:236:26 | ... = ... | semmle.label | ... = ... |
| test.cpp:236:12:236:17 | p_str indirection [post update] [string] | semmle.label | p_str indirection [post update] [string] |
| test.cpp:241:20:241:38 | call to malloc | semmle.label | call to malloc |
| test.cpp:241:27:241:32 | call to malloc | semmle.label | call to malloc |
| test.cpp:242:16:242:19 | set_string output argument [string] | semmle.label | set_string output argument [string] |
| test.cpp:242:22:242:27 | buffer | semmle.label | buffer |
| test.cpp:243:12:243:14 | str indirection [string] | semmle.label | str indirection [string] |
@@ -124,9 +133,12 @@ nodes
| test.cpp:249:14:249:33 | call to my_alloc | semmle.label | call to my_alloc |
| test.cpp:250:12:250:12 | p | semmle.label | p |
| test.cpp:256:9:256:25 | call to malloc | semmle.label | call to malloc |
| test.cpp:256:17:256:22 | call to malloc | semmle.label | call to malloc |
| test.cpp:257:12:257:12 | p | semmle.label | p |
| test.cpp:262:15:262:30 | call to malloc | semmle.label | call to malloc |
| test.cpp:262:22:262:27 | call to malloc | semmle.label | call to malloc |
| test.cpp:264:13:264:30 | call to malloc | semmle.label | call to malloc |
| test.cpp:264:20:264:25 | call to malloc | semmle.label | call to malloc |
| test.cpp:266:12:266:12 | p | semmle.label | p |
subpaths
| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:236:12:236:17 | p_str indirection [post update] [string] | test.cpp:242:16:242:19 | set_string output argument [string] |
@@ -147,5 +159,7 @@ subpaths
| test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | string | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string |
| test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | string | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string |
| test.cpp:243:5:243:10 | call to memset | test.cpp:241:20:241:38 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string |
| test.cpp:243:5:243:10 | call to memset | test.cpp:241:27:241:32 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string |
| test.cpp:250:5:250:10 | call to memset | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p |
| test.cpp:266:5:266:10 | call to memset | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p |
| test.cpp:266:5:266:10 | call to memset | test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p |

3
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
View File

@@ -49,9 +49,6 @@
| tests.cpp:577:7:577:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
| tests_restrict.c:12:2:12:7 | call to memcpy | This 'memcpy' operation accesses 2 bytes but the $@ is only 1 byte. | tests_restrict.c:7:6:7:13 | smallbuf | source buffer |
| unions.cpp:26:2:26:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:21:10:21:11 | mu | destination buffer |
| unions.cpp:27:2:27:7 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 10 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
| unions.cpp:29:2:29:7 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 10 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
| unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 10 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
| unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
| unions.cpp:34:2:34:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:16:7:16:11 | large | destination buffer |
| var_size_struct.cpp:71:3:71:8 | call to memset | This 'memset' operation accesses 1025 bytes but the $@ is only 1024 bytes. | var_size_struct.cpp:63:8:63:11 | data | destination buffer |

1
cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.expected
View File

@@ -17,6 +17,5 @@
| tests.c:186:3:186:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 2 bytes. |
| tests.c:189:3:189:9 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
| unions.c:26:2:26:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 16 bytes. |
| unions.c:27:2:27:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 15 bytes. |
| unions.c:27:2:27:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 16 bytes. |
| var_size_struct.cpp:22:3:22:8 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 9 bytes. |

12
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
View File

@@ -57,12 +57,14 @@ edges
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:10 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:10 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
@@ -107,8 +109,6 @@ edges
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 |
@@ -164,12 +164,13 @@ nodes
| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
| argvLocal.c:135:9:135:10 | i4 | semmle.label | i4 |
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | i4 |
| argvLocal.c:135:9:135:12 | i4 | semmle.label | ... ++ |
| argvLocal.c:135:9:135:12 | i4 | semmle.label | i4 |
| argvLocal.c:135:9:135:12 | i4 | semmle.label | i4 |
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
@@ -191,7 +192,6 @@ nodes
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
| argvLocal.c:169:9:169:20 | i10 | semmle.label | i10 |
| argvLocal.c:169:9:169:20 | i10 | semmle.label | i10 |
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
| argvLocal.c:170:15:170:26 | i10 | semmle.label | i10 |
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |

3
cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
View File

@@ -11,7 +11,6 @@ edges
| test.cpp:46:18:46:26 | http:// indirection | test.cpp:49:11:49:16 | buffer indirection |
| test.cpp:49:11:49:16 | buffer indirection | test.cpp:11:26:11:28 | url indirection |
| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection |
| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection |
| test.cpp:121:11:121:13 | ptr indirection | test.cpp:11:26:11:28 | url indirection |
nodes
| test.cpp:11:26:11:28 | url indirection | semmle.label | url indirection |
@@ -27,7 +26,6 @@ nodes
| test.cpp:46:18:46:26 | http:// indirection | semmle.label | http:// indirection |
| test.cpp:49:11:49:16 | buffer indirection | semmle.label | buffer indirection |
| test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
| test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
| test.cpp:121:11:121:13 | ptr indirection | semmle.label | ptr indirection |
subpaths
#select
@@ -37,4 +35,3 @@ subpaths
| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |

3
cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected
View File

@@ -1,11 +1,8 @@
edges
| tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection |
| tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection |
nodes
| tests.c:57:21:57:28 | password indirection | semmle.label | password indirection |
| tests.c:57:21:57:28 | password indirection | semmle.label | password indirection |
| tests.c:70:70:70:77 | password indirection | semmle.label | password indirection |
subpaths
#select
| tests.c:70:70:70:77 | password indirection | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password indirection | password indirection |
| tests.c:70:70:70:77 | password indirection | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password indirection | password indirection |

6
cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected
View File

@@ -52,8 +52,6 @@ edges
| tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | p indirection |
| tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | p indirection |
| tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | q indirection |
| tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | q indirection |
| tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | q indirection |
| tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | q indirection |
| tests.cpp:112:39:112:39 | p indirection | tests.cpp:113:2:113:2 | p indirection |
| tests.cpp:116:39:116:39 | p indirection | tests.cpp:117:2:117:2 | p indirection |
@@ -134,10 +132,8 @@ nodes
| tests.cpp:80:2:80:2 | p indirection | semmle.label | p indirection |
| tests.cpp:85:24:85:44 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
| tests.cpp:88:3:88:3 | q indirection | semmle.label | q indirection |
| tests.cpp:88:3:88:3 | q indirection | semmle.label | q indirection |
| tests.cpp:100:24:100:44 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
| tests.cpp:104:3:104:3 | q indirection | semmle.label | q indirection |
| tests.cpp:104:3:104:3 | q indirection | semmle.label | q indirection |
| tests.cpp:112:39:112:39 | p indirection | semmle.label | p indirection |
| tests.cpp:113:2:113:2 | p indirection | semmle.label | p indirection |
| tests.cpp:116:39:116:39 | p indirection | semmle.label | p indirection |
@@ -174,8 +170,6 @@ subpaths
| tests.cpp:69:2:69:2 | p indirection | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:66:23:66:43 | call to XercesDOMParser | XML parser |
| tests.cpp:80:2:80:2 | p indirection | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:73:23:73:43 | call to XercesDOMParser | XML parser |
| tests.cpp:88:3:88:3 | q indirection | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | q indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | call to XercesDOMParser | XML parser |
| tests.cpp:88:3:88:3 | q indirection | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | q indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | call to XercesDOMParser | XML parser |
| tests.cpp:104:3:104:3 | q indirection | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | q indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | call to XercesDOMParser | XML parser |
| tests.cpp:104:3:104:3 | q indirection | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | q indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | call to XercesDOMParser | XML parser |
| tests.cpp:113:2:113:2 | p indirection | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:113:2:113:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser |
| tests.cpp:117:2:117:2 | p indirection | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:117:2:117:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser |