mirror of
https://github.com/github/codeql.git
synced 2025-12-22 11:46:32 +01:00
Merge branch 'master' into rdmarsh/cpp/ir-constructor-side-effects
This commit is contained in:
Robert Marsh
@@ -39,6 +39,10 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
|
|||||||
definition of `x` when `x` is a variable of pointer type. It no longer
|
definition of `x` when `x` is a variable of pointer type. It no longer
|
||||||
considers deep paths such as `f(&x.myField)` to be definitions of `x`. These
|
considers deep paths such as `f(&x.myField)` to be definitions of `x`. These
|
||||||
changes are in line with the user expectations we've observed.
|
changes are in line with the user expectations we've observed.
|
||||||
|
* The data-flow library now makes it easier to specify barriers/sanitizers
|
||||||
|
arising from guards by overriding the predicate
|
||||||
|
`isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking
|
||||||
|
configurations respectively.
|
||||||
* There is now a `DataFlow::localExprFlow` predicate and a
|
* There is now a `DataFlow::localExprFlow` predicate and a
|
||||||
`TaintTracking::localExprTaint` predicate to make it easy to use the most
|
`TaintTracking::localExprTaint` predicate to make it easy to use the most
|
||||||
common case of local data flow and taint: from one `Expr` to another.
|
common case of local data flow and taint: from one `Expr` to another.
|
||||||
@@ -50,3 +54,8 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
|
|||||||
lead to regressions (or improvements) in how queries are optimized because
|
lead to regressions (or improvements) in how queries are optimized because
|
||||||
optimization in QL relies on static size estimates, and the control-flow edge
|
optimization in QL relies on static size estimates, and the control-flow edge
|
||||||
relations will now have different size estimates than before.
|
relations will now have different size estimates than before.
|
||||||
|
* Support has been added for non-type template arguments. This means that the
|
||||||
|
return type of `Declaration::getTemplateArgument()` and
|
||||||
|
`Declaration::getATemplateArgument` have changed to `Locatable`. See the
|
||||||
|
documentation for `Declaration::getTemplateArgument()` and
|
||||||
|
`Declaration::getTemplateArgumentKind()` for details.
|
||||||
|
|||||||
@@ -8,6 +8,7 @@ The following changes in version 1.23 affect C# analysis in all applications.
|
|||||||
|
|
||||||
| **Query** | **Tags** | **Purpose** |
|
| **Query** | **Tags** | **Purpose** |
|
||||||
|-----------------------------|-----------|--------------------------------------------------------------------|
|
|-----------------------------|-----------|--------------------------------------------------------------------|
|
||||||
|
| Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. |
|
||||||
| Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. |
|
| Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. |
|
||||||
| Mishandling the Japanese era start date (`cs/mishandling-japanese-era`) | reliability, date-time | Finds hard-coded Japanese era start dates that could be invalid. |
|
| Mishandling the Japanese era start date (`cs/mishandling-japanese-era`) | reliability, date-time | Finds hard-coded Japanese era start dates that could be invalid. |
|
||||||
|
|
||||||
@@ -43,5 +44,6 @@ The following changes in version 1.23 affect C# analysis in all applications.
|
|||||||
* There is now a `DataFlow::localExprFlow` predicate and a
|
* There is now a `DataFlow::localExprFlow` predicate and a
|
||||||
`TaintTracking::localExprTaint` predicate to make it easy to use the most
|
`TaintTracking::localExprTaint` predicate to make it easy to use the most
|
||||||
common case of local data flow and taint: from one `Expr` to another.
|
common case of local data flow and taint: from one `Expr` to another.
|
||||||
|
* Data is now tracked through null-coalescing expressions (`??`).
|
||||||
|
|
||||||
## Changes to autobuilder
|
## Changes to autobuilder
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
## General improvements
|
## General improvements
|
||||||
|
|
||||||
* Suppor for `globalThis` has been added.
|
* Support for `globalThis` has been added.
|
||||||
|
|
||||||
* Support for the following frameworks and libraries has been improved:
|
* Support for the following frameworks and libraries has been improved:
|
||||||
- [firebase](https://www.npmjs.com/package/firebase)
|
- [firebase](https://www.npmjs.com/package/firebase)
|
||||||
@@ -12,8 +12,9 @@
|
|||||||
|
|
||||||
* The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.
|
* The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.
|
||||||
|
|
||||||
* TypeScript 3.6 features are supported.
|
* TypeScript 3.6 and 3.7 features are now supported.
|
||||||
|
|
||||||
|
* Automatic classification of generated files has been improved, in particular files generated by Doxygen are now recognized.
|
||||||
|
|
||||||
## New queries
|
## New queries
|
||||||
|
|
||||||
@@ -26,11 +27,13 @@
|
|||||||
| Use of returnless function (`js/use-of-returnless-function`) | maintainability, correctness | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. |
|
| Use of returnless function (`js/use-of-returnless-function`) | maintainability, correctness | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. |
|
||||||
| Useless regular expression character escape (`js/useless-regexp-character-escape`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression strings with useless character escapes, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
|
| Useless regular expression character escape (`js/useless-regexp-character-escape`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression strings with useless character escapes, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
|
||||||
| Unreachable method overloads (`js/unreachable-method-overloads`) | correctness, typescript | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |
|
| Unreachable method overloads (`js/unreachable-method-overloads`) | correctness, typescript | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |
|
||||||
|
| Ignoring result from pure array method (`js/ignore-array-result`) | maintainability, correctness | Highlights calls to array methods without side effects where the return value is ignored. Results are shown on LGTM by default. |
|
||||||
|
|
||||||
## Changes to existing queries
|
## Changes to existing queries
|
||||||
|
|
||||||
| **Query** | **Expected impact** | **Change** |
|
| **Query** | **Expected impact** | **Change** |
|
||||||
|--------------------------------|------------------------------|---------------------------------------------------------------------------|
|
|--------------------------------|------------------------------|---------------------------------------------------------------------------|
|
||||||
|
| Double escaping or unescaping (`js/double-escaping`) | More results | This rule now detects additional escaping and unescaping functions. |
|
||||||
| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false-positive results | This rule now recognizes additional ways delimiters can be stripped away. |
|
| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false-positive results | This rule now recognizes additional ways delimiters can be stripped away. |
|
||||||
| Client-side cross-site scripting (`js/xss`) | More results, fewer false-positive results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized, and more sanitizers are detected. |
|
| Client-side cross-site scripting (`js/xss`) | More results, fewer false-positive results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized, and more sanitizers are detected. |
|
||||||
| Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving functions that manipulate DOM event handler attributes are now recognized. |
|
| Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving functions that manipulate DOM event handler attributes are now recognized. |
|
||||||
|
|||||||
@@ -20,3 +20,8 @@
|
|||||||
|----------------------------|------------------------|------------|
|
|----------------------------|------------------------|------------|
|
||||||
| Unreachable code | Fewer false positives | Analysis now accounts for uses of `contextlib.suppress` to suppress exceptions. |
|
| Unreachable code | Fewer false positives | Analysis now accounts for uses of `contextlib.suppress` to suppress exceptions. |
|
||||||
| `__iter__` method returns a non-iterator | Better alert message | Alert now highlights which class is expected to be an iterator. |
|
| `__iter__` method returns a non-iterator | Better alert message | Alert now highlights which class is expected to be an iterator. |
|
||||||
|
|
||||||
|
|
||||||
|
## Changes to QL libraries
|
||||||
|
|
||||||
|
* Django library now recognizes positional arguments from a `django.conf.urls.url` regex (Django version 1.x)
|
||||||
|
|||||||
@@ -21,6 +21,7 @@ from Variable v
|
|||||||
where
|
where
|
||||||
v.isStatic() and
|
v.isStatic() and
|
||||||
v.hasDefinition() and
|
v.hasDefinition() and
|
||||||
|
not v.isConstexpr() and
|
||||||
not exists(VariableAccess a | a.getTarget() = v) and
|
not exists(VariableAccess a | a.getTarget() = v) and
|
||||||
not v instanceof MemberVariable and
|
not v instanceof MemberVariable and
|
||||||
not declarationHasSideEffects(v) and
|
not declarationHasSideEffects(v) and
|
||||||
|
|||||||
@@ -14,7 +14,7 @@ byte order function, such as <code>ntohl</code>.
|
|||||||
The use of a network-to-host byte order function is therefore a good indicator that the returned
|
The use of a network-to-host byte order function is therefore a good indicator that the returned
|
||||||
value is unvalidated data retrieved from the network, and should not be used without further
|
value is unvalidated data retrieved from the network, and should not be used without further
|
||||||
validation. In particular, the returned value should not be used as an array index or array length
|
validation. In particular, the returned value should not be used as an array index or array length
|
||||||
value without validation, which may result in a buffer overflow vulnerability.
|
value without validation, as this could result in a buffer overflow vulnerability.
|
||||||
</p>
|
</p>
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
|
|||||||
@@ -37,7 +37,7 @@ which is then subsequently accessed to fetch properties of the device. However,
|
|||||||
check the return value from the function call to <code>initDeviceConfig</code>. If the
|
check the return value from the function call to <code>initDeviceConfig</code>. If the
|
||||||
device number passed to the <code>notify</code> function was invalid, the
|
device number passed to the <code>notify</code> function was invalid, the
|
||||||
<code>initDeviceConfig</code> function will leave the <code>config</code> variable uninitialized,
|
<code>initDeviceConfig</code> function will leave the <code>config</code> variable uninitialized,
|
||||||
which would result in the <code>notify</code> function accessing uninitialized memory.</p>
|
which will result in the <code>notify</code> function accessing uninitialized memory.</p>
|
||||||
|
|
||||||
<sample src="ConditionallyUninitializedVariableBad.c" />
|
<sample src="ConditionallyUninitializedVariableBad.c" />
|
||||||
|
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
* @name Conditionally uninitialized variable
|
* @name Conditionally uninitialized variable
|
||||||
* @description When an initialization function is used to initialize a local variable, but the
|
* @description When an initialization function is used to initialize a local variable, but the
|
||||||
* returned status code is not checked, the variable may be left in an uninitialized
|
* returned status code is not checked, the variable may be left in an uninitialized
|
||||||
* state, and reading the variable may result in undefined behaviour.
|
* state, and reading the variable may result in undefined behavior.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @opaque-id SM02313
|
* @opaque-id SM02313
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ int notify(int deviceNumber) {
|
|||||||
DeviceConfig config;
|
DeviceConfig config;
|
||||||
initDeviceConfig(&config, deviceNumber);
|
initDeviceConfig(&config, deviceNumber);
|
||||||
// BAD: Using config without checking the status code that is returned
|
// BAD: Using config without checking the status code that is returned
|
||||||
if (config->isEnabled) {
|
if (config.isEnabled) {
|
||||||
notifyChannel(config->channel);
|
notifyChannel(config.channel);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -20,8 +20,8 @@ void notify(int deviceNumber) {
|
|||||||
int statusCode = initDeviceConfig(&config, deviceNumber);
|
int statusCode = initDeviceConfig(&config, deviceNumber);
|
||||||
if (statusCode == 0) {
|
if (statusCode == 0) {
|
||||||
// GOOD: Status code returned by initialization function is checked, so this is safe
|
// GOOD: Status code returned by initialization function is checked, so this is safe
|
||||||
if (config->isEnabled) {
|
if (config.isEnabled) {
|
||||||
notifyChannel(config->channel);
|
notifyChannel(config.channel);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -620,32 +620,47 @@ Function getAPossibleDefinition(Function undefinedFunction) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets a possible target for the Call, using the name and parameter matching if we did not associate
|
* Helper predicate for `getTarget`, that computes possible targets of a `Call`.
|
||||||
|
*
|
||||||
|
* If there is at least one defined target after performing some simple virtual dispatch
|
||||||
|
* resolution, then the result is all the defined targets.
|
||||||
|
*/
|
||||||
|
private Function getTarget1(Call c) {
|
||||||
|
result = VirtualDispatch::getAViableTarget(c) and
|
||||||
|
result.isDefined()
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Helper predicate for `getTarget`, that computes possible targets of a `Call`.
|
||||||
|
*
|
||||||
|
* If we can use the heuristic matching of functions to find definitions for some of the viable
|
||||||
|
* targets, return those.
|
||||||
|
*/
|
||||||
|
private Function getTarget2(Call c) {
|
||||||
|
not exists(getTarget1(c)) and
|
||||||
|
result = getAPossibleDefinition(VirtualDispatch::getAViableTarget(c))
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Helper predicate for `getTarget`, that computes possible targets of a `Call`.
|
||||||
|
*
|
||||||
|
* Otherwise, the result is the undefined `Function` instances.
|
||||||
|
*/
|
||||||
|
private Function getTarget3(Call c) {
|
||||||
|
not exists(getTarget1(c)) and
|
||||||
|
not exists(getTarget2(c)) and
|
||||||
|
result = VirtualDispatch::getAViableTarget(c)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets a possible target for the `Call`, using the name and parameter matching if we did not associate
|
||||||
* this call with a specific definition at link or compile time, and performing simple virtual
|
* this call with a specific definition at link or compile time, and performing simple virtual
|
||||||
* dispatch resolution.
|
* dispatch resolution.
|
||||||
*/
|
*/
|
||||||
Function getTarget(Call c) {
|
Function getTarget(Call c) {
|
||||||
if VirtualDispatch::getAViableTarget(c).isDefined()
|
result = getTarget1(c) or
|
||||||
then
|
result = getTarget2(c) or
|
||||||
/*
|
result = getTarget3(c)
|
||||||
* If there is at least one defined target after performing some simple virtual dispatch
|
|
||||||
* resolution, then the result is all the defined targets.
|
|
||||||
*/
|
|
||||||
|
|
||||||
result = VirtualDispatch::getAViableTarget(c) and
|
|
||||||
result.isDefined()
|
|
||||||
else
|
|
||||||
if exists(getAPossibleDefinition(VirtualDispatch::getAViableTarget(c)))
|
|
||||||
then
|
|
||||||
/*
|
|
||||||
* If we can use the heuristic matching of functions to find definitions for some of the viable
|
|
||||||
* targets, return those.
|
|
||||||
*/
|
|
||||||
|
|
||||||
result = getAPossibleDefinition(VirtualDispatch::getAViableTarget(c))
|
|
||||||
else
|
|
||||||
// Otherwise, the result is the undefined `Function` instances
|
|
||||||
result = VirtualDispatch::getAViableTarget(c)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@@ -605,15 +605,6 @@ class Class extends UserType {
|
|||||||
class_instantiation(underlyingElement(this), unresolveElement(c))
|
class_instantiation(underlyingElement(this), unresolveElement(c))
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Gets the `i`th template argument used to instantiate this class from a
|
|
||||||
* class template. When called on a class template, this will return the
|
|
||||||
* `i`th template parameter.
|
|
||||||
*/
|
|
||||||
override Type getTemplateArgument(int i) {
|
|
||||||
class_template_argument(underlyingElement(this), i, unresolveElement(result))
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if this class/struct is polymorphic (has a virtual function, or
|
* Holds if this class/struct is polymorphic (has a virtual function, or
|
||||||
* inherits one).
|
* inherits one).
|
||||||
@@ -623,7 +614,7 @@ class Class extends UserType {
|
|||||||
}
|
}
|
||||||
|
|
||||||
override predicate involvesTemplateParameter() {
|
override predicate involvesTemplateParameter() {
|
||||||
getATemplateArgument().involvesTemplateParameter()
|
getATemplateArgument().(Type).involvesTemplateParameter()
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Holds if this class, struct or union was declared 'final'. */
|
/** Holds if this class, struct or union was declared 'final'. */
|
||||||
|
|||||||
@@ -193,20 +193,83 @@ abstract class Declaration extends Locatable, @declaration {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets a template argument used to instantiate this declaration from a template.
|
* Gets a template argument used to instantiate this declaration from a template.
|
||||||
* When called on a template, this will return a template parameter.
|
* When called on a template, this will return a template parameter type for
|
||||||
|
* both typed and non-typed parameters.
|
||||||
*/
|
*/
|
||||||
final Type getATemplateArgument() { result = getTemplateArgument(_) }
|
final Locatable getATemplateArgument() { result = getTemplateArgument(_) }
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets a template argument used to instantiate this declaration from a template.
|
||||||
|
* When called on a template, this will return a non-typed template
|
||||||
|
* parameter value.
|
||||||
|
*/
|
||||||
|
final Locatable getATemplateArgumentKind() { result = getTemplateArgumentKind(_) }
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the `i`th template argument used to instantiate this declaration from a
|
* Gets the `i`th template argument used to instantiate this declaration from a
|
||||||
* template. When called on a template, this will return the `i`th template parameter.
|
* template.
|
||||||
|
*
|
||||||
|
* For example:
|
||||||
|
*
|
||||||
|
* `template<typename T, T X> class Foo;`
|
||||||
|
*
|
||||||
|
* Will have `getTemplateArgument(0)` return `T`, and
|
||||||
|
* `getTemplateArgument(1)` return `X`.
|
||||||
|
*
|
||||||
|
* `Foo<int, 1> bar;
|
||||||
|
*
|
||||||
|
* Will have `getTemplateArgument())` return `int`, and
|
||||||
|
* `getTemplateArgument(1)` return `1`.
|
||||||
*/
|
*/
|
||||||
Type getTemplateArgument(int index) { none() }
|
final Locatable getTemplateArgument(int index) {
|
||||||
|
if exists(getTemplateArgumentValue(index))
|
||||||
|
then result = getTemplateArgumentValue(index)
|
||||||
|
else result = getTemplateArgumentType(index)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets the `i`th template argument value used to instantiate this declaration
|
||||||
|
* from a template. When called on a template, this will return the `i`th template
|
||||||
|
* parameter value if it exists.
|
||||||
|
*
|
||||||
|
* For example:
|
||||||
|
*
|
||||||
|
* `template<typename T, T X> class Foo;`
|
||||||
|
*
|
||||||
|
* Will have `getTemplateArgumentKind(1)` return `T`, and no result for
|
||||||
|
* `getTemplateArgumentKind(0)`.
|
||||||
|
*
|
||||||
|
* `Foo<int, 10> bar;
|
||||||
|
*
|
||||||
|
* Will have `getTemplateArgumentKind(1)` return `int`, and no result for
|
||||||
|
* `getTemplateArgumentKind(0)`.
|
||||||
|
*/
|
||||||
|
final Locatable getTemplateArgumentKind(int index) {
|
||||||
|
if exists(getTemplateArgumentValue(index))
|
||||||
|
then result = getTemplateArgumentType(index)
|
||||||
|
else none()
|
||||||
|
}
|
||||||
|
|
||||||
/** Gets the number of template arguments for this declaration. */
|
/** Gets the number of template arguments for this declaration. */
|
||||||
final int getNumberOfTemplateArguments() {
|
final int getNumberOfTemplateArguments() {
|
||||||
result = count(int i | exists(getTemplateArgument(i)))
|
result = count(int i | exists(getTemplateArgument(i)))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Type getTemplateArgumentType(int index) {
|
||||||
|
class_template_argument(underlyingElement(this), index, unresolveElement(result))
|
||||||
|
or
|
||||||
|
function_template_argument(underlyingElement(this), index, unresolveElement(result))
|
||||||
|
or
|
||||||
|
variable_template_argument(underlyingElement(this), index, unresolveElement(result))
|
||||||
|
}
|
||||||
|
|
||||||
|
private Expr getTemplateArgumentValue(int index) {
|
||||||
|
class_template_argument_value(underlyingElement(this), index, unresolveElement(result))
|
||||||
|
or
|
||||||
|
function_template_argument_value(underlyingElement(this), index, unresolveElement(result))
|
||||||
|
or
|
||||||
|
variable_template_argument_value(underlyingElement(this), index, unresolveElement(result))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@@ -343,15 +343,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
|
|||||||
function_instantiation(underlyingElement(this), unresolveElement(f))
|
function_instantiation(underlyingElement(this), unresolveElement(f))
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Gets the `i`th template argument used to instantiate this function from a
|
|
||||||
* function template. When called on a function template, this will return the
|
|
||||||
* `i`th template parameter.
|
|
||||||
*/
|
|
||||||
override Type getTemplateArgument(int index) {
|
|
||||||
function_template_argument(underlyingElement(this), index, unresolveElement(result))
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if this function is defined in several files. This is illegal in
|
* Holds if this function is defined in several files. This is illegal in
|
||||||
* C (though possible in some C++ compilers), and likely indicates that
|
* C (though possible in some C++ compilers), and likely indicates that
|
||||||
|
|||||||
@@ -35,6 +35,14 @@ private string getParameterTypeString(Type parameterType) {
|
|||||||
else result = parameterType.(DumpType).getTypeIdentityString()
|
else result = parameterType.(DumpType).getTypeIdentityString()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private string getTemplateArgumentString(Declaration d, int i) {
|
||||||
|
if exists(d.getTemplateArgumentKind(i))
|
||||||
|
then
|
||||||
|
result = d.getTemplateArgumentKind(i).(DumpType).getTypeIdentityString() + " " +
|
||||||
|
d.getTemplateArgument(i)
|
||||||
|
else result = d.getTemplateArgument(i).(DumpType).getTypeIdentityString()
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A `Declaration` extended to add methods for generating strings useful only for dumps and debugging.
|
* A `Declaration` extended to add methods for generating strings useful only for dumps and debugging.
|
||||||
*/
|
*/
|
||||||
@@ -56,7 +64,7 @@ abstract private class DumpDeclaration extends Declaration {
|
|||||||
strictconcat(int i |
|
strictconcat(int i |
|
||||||
exists(this.getTemplateArgument(i))
|
exists(this.getTemplateArgument(i))
|
||||||
|
|
|
|
||||||
this.getTemplateArgument(i).(DumpType).getTypeIdentityString(), ", " order by i
|
getTemplateArgumentString(this, i), ", " order by i
|
||||||
) + ">"
|
) + ">"
|
||||||
else result = ""
|
else result = ""
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -7,3 +7,15 @@
|
|||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
import PrintAST
|
import PrintAST
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Temporarily tweak this class or make a copy to control which functions are
|
||||||
|
* printed.
|
||||||
|
*/
|
||||||
|
class Cfg extends PrintASTConfiguration {
|
||||||
|
/**
|
||||||
|
* TWEAK THIS PREDICATE AS NEEDED.
|
||||||
|
* Holds if the AST for `func` should be printed.
|
||||||
|
*/
|
||||||
|
override predicate shouldPrintFunction(Function func) { any() }
|
||||||
|
}
|
||||||
|
|||||||
@@ -210,7 +210,7 @@ class Type extends Locatable, @type {
|
|||||||
// A function call that provides an explicit template argument that refers to T uses T.
|
// A function call that provides an explicit template argument that refers to T uses T.
|
||||||
// We exclude calls within instantiations, since they do not appear directly in the source.
|
// We exclude calls within instantiations, since they do not appear directly in the source.
|
||||||
exists(FunctionCall c |
|
exists(FunctionCall c |
|
||||||
c.getAnExplicitTemplateArgument().refersTo(this) and
|
c.getAnExplicitTemplateArgument().(Type).refersTo(this) and
|
||||||
result = c and
|
result = c and
|
||||||
not c.getEnclosingFunction().isConstructedFrom(_)
|
not c.getEnclosingFunction().isConstructedFrom(_)
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -155,15 +155,6 @@ class Variable extends Declaration, @variable {
|
|||||||
variable_instantiation(underlyingElement(this), unresolveElement(v))
|
variable_instantiation(underlyingElement(this), unresolveElement(v))
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Gets the `i`th template argument used to instantiate this variable from a
|
|
||||||
* variable template. When called on a variable template, this will return the
|
|
||||||
* `i`th template parameter.
|
|
||||||
*/
|
|
||||||
override Type getTemplateArgument(int index) {
|
|
||||||
variable_template_argument(underlyingElement(this), index, unresolveElement(result))
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if this is a compiler-generated variable. For example, a
|
* Holds if this is a compiler-generated variable. For example, a
|
||||||
* [range-based for loop](http://en.cppreference.com/w/cpp/language/range-for)
|
* [range-based for loop](http://en.cppreference.com/w/cpp/language/range-for)
|
||||||
|
|||||||
@@ -5,6 +5,8 @@
|
|||||||
private import cpp
|
private import cpp
|
||||||
private import semmle.code.cpp.dataflow.internal.FlowVar
|
private import semmle.code.cpp.dataflow.internal.FlowVar
|
||||||
private import semmle.code.cpp.models.interfaces.DataFlow
|
private import semmle.code.cpp.models.interfaces.DataFlow
|
||||||
|
private import semmle.code.cpp.controlflow.Guards
|
||||||
|
private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
|
||||||
|
|
||||||
cached
|
cached
|
||||||
private newtype TNode =
|
private newtype TNode =
|
||||||
@@ -680,12 +682,16 @@ VariableAccess getAnAccessToAssignedVariable(Expr assign) {
|
|||||||
*
|
*
|
||||||
* It is important that all extending classes in scope are disjoint.
|
* It is important that all extending classes in scope are disjoint.
|
||||||
*/
|
*/
|
||||||
class BarrierGuard extends Expr {
|
class BarrierGuard extends GuardCondition {
|
||||||
/** NOT YET SUPPORTED. Holds if this guard validates `e` upon evaluating to `branch`. */
|
/** Override this predicate to hold if this guard validates `e` upon evaluating to `b`. */
|
||||||
abstract deprecated predicate checks(Expr e, boolean branch);
|
abstract predicate checks(Expr e, boolean b);
|
||||||
|
|
||||||
/** Gets a node guarded by this guard. */
|
/** Gets a node guarded by this guard. */
|
||||||
final Node getAGuardedNode() {
|
final ExprNode getAGuardedNode() {
|
||||||
none() // stub
|
exists(GVN value, boolean branch |
|
||||||
|
result.getExpr() = value.getAnExpr() and
|
||||||
|
this.checks(value.getAnExpr(), branch) and
|
||||||
|
this.controls(result.getExpr().getBasicBlock(), branch)
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -28,6 +28,19 @@ module VirtualDispatch {
|
|||||||
not result.hasName("IUnknown")
|
not result.hasName("IUnknown")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Helper predicate for `getAViableTarget`, which computes the viable targets for
|
||||||
|
* virtual calls based on the qualifier type.
|
||||||
|
*/
|
||||||
|
private Function getAViableVirtualCallTarget(Class qualifierType, MemberFunction staticTarget) {
|
||||||
|
exists(Class qualifierSubType |
|
||||||
|
result = getAPossibleImplementation(staticTarget) and
|
||||||
|
qualifierType = qualifierSubType.getABaseClass*() and
|
||||||
|
mayInherit(qualifierSubType, result) and
|
||||||
|
not cannotInherit(qualifierSubType, result)
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets a viable target for the given function call.
|
* Gets a viable target for the given function call.
|
||||||
*
|
*
|
||||||
@@ -42,18 +55,9 @@ module VirtualDispatch {
|
|||||||
* If `c` is not a virtual call, the result will be `c.getTarget()`.
|
* If `c` is not a virtual call, the result will be `c.getTarget()`.
|
||||||
*/
|
*/
|
||||||
Function getAViableTarget(Call c) {
|
Function getAViableTarget(Call c) {
|
||||||
exists(Function staticTarget | staticTarget = c.getTarget() |
|
if c.(FunctionCall).isVirtual() and c.getTarget() instanceof MemberFunction
|
||||||
if c.(FunctionCall).isVirtual() and staticTarget instanceof MemberFunction
|
then result = getAViableVirtualCallTarget(getCallQualifierType(c), c.getTarget())
|
||||||
then
|
else result = c.getTarget()
|
||||||
exists(Class qualifierType, Class qualifierSubType |
|
|
||||||
result = getAPossibleImplementation(staticTarget) and
|
|
||||||
qualifierType = getCallQualifierType(c) and
|
|
||||||
qualifierType = qualifierSubType.getABaseClass*() and
|
|
||||||
mayInherit(qualifierSubType, result) and
|
|
||||||
not cannotInherit(qualifierSubType, result)
|
|
||||||
)
|
|
||||||
else result = staticTarget
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Holds if `f` is declared in `c` or a transitive base class of `c`. */
|
/** Holds if `f` is declared in `c` or a transitive base class of `c`. */
|
||||||
|
|||||||
@@ -139,17 +139,29 @@ class FunctionCall extends Call, @funbindexpr {
|
|||||||
override string getCanonicalQLClass() { result = "FunctionCall" }
|
override string getCanonicalQLClass() { result = "FunctionCall" }
|
||||||
|
|
||||||
/** Gets an explicit template argument for this call. */
|
/** Gets an explicit template argument for this call. */
|
||||||
Type getAnExplicitTemplateArgument() { result = getExplicitTemplateArgument(_) }
|
Locatable getAnExplicitTemplateArgument() { result = getExplicitTemplateArgument(_) }
|
||||||
|
|
||||||
|
/** Gets an explicit template argument value for this call. */
|
||||||
|
Locatable getAnExplicitTemplateArgumentKind() { result = getExplicitTemplateArgumentKind(_) }
|
||||||
|
|
||||||
/** Gets a template argument for this call. */
|
/** Gets a template argument for this call. */
|
||||||
Type getATemplateArgument() { result = getTarget().getATemplateArgument() }
|
Locatable getATemplateArgument() { result = getTarget().getATemplateArgument() }
|
||||||
|
|
||||||
|
/** Gets a template argument value for this call. */
|
||||||
|
Locatable getATemplateArgumentKind() { result = getTarget().getATemplateArgumentKind() }
|
||||||
|
|
||||||
/** Gets the nth explicit template argument for this call. */
|
/** Gets the nth explicit template argument for this call. */
|
||||||
Type getExplicitTemplateArgument(int n) {
|
Locatable getExplicitTemplateArgument(int n) {
|
||||||
n < getNumberOfExplicitTemplateArguments() and
|
n < getNumberOfExplicitTemplateArguments() and
|
||||||
result = getTemplateArgument(n)
|
result = getTemplateArgument(n)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Gets the nth explicit template argument value for this call. */
|
||||||
|
Locatable getExplicitTemplateArgumentKind(int n) {
|
||||||
|
n < getNumberOfExplicitTemplateArguments() and
|
||||||
|
result = getTemplateArgumentKind(n)
|
||||||
|
}
|
||||||
|
|
||||||
/** Gets the number of explicit template arguments for this call. */
|
/** Gets the number of explicit template arguments for this call. */
|
||||||
int getNumberOfExplicitTemplateArguments() {
|
int getNumberOfExplicitTemplateArguments() {
|
||||||
if numtemplatearguments(underlyingElement(this), _)
|
if numtemplatearguments(underlyingElement(this), _)
|
||||||
@@ -161,7 +173,10 @@ class FunctionCall extends Call, @funbindexpr {
|
|||||||
int getNumberOfTemplateArguments() { result = count(int i | exists(getTemplateArgument(i))) }
|
int getNumberOfTemplateArguments() { result = count(int i | exists(getTemplateArgument(i))) }
|
||||||
|
|
||||||
/** Gets the nth template argument for this call (indexed from 0). */
|
/** Gets the nth template argument for this call (indexed from 0). */
|
||||||
Type getTemplateArgument(int n) { result = getTarget().getTemplateArgument(n) }
|
Locatable getTemplateArgument(int n) { result = getTarget().getTemplateArgument(n) }
|
||||||
|
|
||||||
|
/** Gets the nth template argument value for this call (indexed from 0). */
|
||||||
|
Locatable getTemplateArgumentKind(int n) { result = getTarget().getTemplateArgumentKind(n) }
|
||||||
|
|
||||||
/** Holds if any template arguments for this call are implicit / deduced. */
|
/** Holds if any template arguments for this call are implicit / deduced. */
|
||||||
predicate hasImplicitTemplateArguments() {
|
predicate hasImplicitTemplateArguments() {
|
||||||
|
|||||||
@@ -37,7 +37,7 @@ private class DefaultTaintTrackingCfg extends DataFlow::Configuration {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private predicate accessesVariable(CopyInstruction copy, Variable var) {
|
private predicate accessesVariable(CopyInstruction copy, Variable var) {
|
||||||
exists(VariableAddressInstruction va | va.getVariable().getAST() = var |
|
exists(VariableAddressInstruction va | va.getASTVariable() = var |
|
||||||
copy.(StoreInstruction).getDestinationAddress() = va
|
copy.(StoreInstruction).getDestinationAddress() = va
|
||||||
or
|
or
|
||||||
copy.(LoadInstruction).getSourceAddress() = va
|
copy.(LoadInstruction).getSourceAddress() = va
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
private import cpp
|
private import cpp
|
||||||
private import semmle.code.cpp.ir.IR
|
private import semmle.code.cpp.ir.IR
|
||||||
private import semmle.code.cpp.controlflow.IRGuards
|
private import semmle.code.cpp.controlflow.IRGuards
|
||||||
|
private import semmle.code.cpp.ir.ValueNumbering
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A newtype wrapper to prevent accidental casts between `Node` and
|
* A newtype wrapper to prevent accidental casts between `Node` and
|
||||||
@@ -213,6 +214,14 @@ private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction
|
|||||||
*/
|
*/
|
||||||
predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
|
predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if data can flow from `i1` to `i2` in zero or more
|
||||||
|
* local (intra-procedural) steps.
|
||||||
|
*/
|
||||||
|
predicate localInstructionFlow(Instruction e1, Instruction e2) {
|
||||||
|
localFlow(instructionNode(e1), instructionNode(e2))
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if data can flow from `e1` to `e2` in zero or more
|
* Holds if data can flow from `e1` to `e2` in zero or more
|
||||||
* local (intra-procedural) steps.
|
* local (intra-procedural) steps.
|
||||||
@@ -220,7 +229,7 @@ predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
|
|||||||
predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
|
predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A guard that validates some expression.
|
* A guard that validates some instruction.
|
||||||
*
|
*
|
||||||
* To use this in a configuration, extend the class and provide a
|
* To use this in a configuration, extend the class and provide a
|
||||||
* characteristic predicate precisely specifying the guard, and override
|
* characteristic predicate precisely specifying the guard, and override
|
||||||
@@ -229,11 +238,15 @@ predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)
|
|||||||
* It is important that all extending classes in scope are disjoint.
|
* It is important that all extending classes in scope are disjoint.
|
||||||
*/
|
*/
|
||||||
class BarrierGuard extends IRGuardCondition {
|
class BarrierGuard extends IRGuardCondition {
|
||||||
/** NOT YET SUPPORTED. Holds if this guard validates `e` upon evaluating to `b`. */
|
/** Override this predicate to hold if this guard validates `instr` upon evaluating to `b`. */
|
||||||
abstract deprecated predicate checks(Instruction e, boolean b);
|
abstract predicate checks(Instruction instr, boolean b);
|
||||||
|
|
||||||
/** Gets a node guarded by this guard. */
|
/** Gets a node guarded by this guard. */
|
||||||
final Node getAGuardedNode() {
|
final Node getAGuardedNode() {
|
||||||
none() // stub
|
exists(ValueNumber value, boolean edge |
|
||||||
|
result.asInstruction() = value.getAnInstruction() and
|
||||||
|
this.checks(value.getAnInstruction(), edge) and
|
||||||
|
this.controls(result.asInstruction().getBlock(), edge)
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -53,6 +53,14 @@ private predicate localInstructionTaintStep(Instruction nodeFrom, Instruction no
|
|||||||
*/
|
*/
|
||||||
predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }
|
predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if taint can flow from `i1` to `i2` in zero or more
|
||||||
|
* local (intra-procedural) steps.
|
||||||
|
*/
|
||||||
|
predicate localInstructionTaint(Instruction i1, Instruction i2) {
|
||||||
|
localTaint(DataFlow::instructionNode(i1), DataFlow::instructionNode(i2))
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if taint can flow from `e1` to `e2` in zero or more
|
* Holds if taint can flow from `e1` to `e2` in zero or more
|
||||||
* local (intra-procedural) steps.
|
* local (intra-procedural) steps.
|
||||||
|
|||||||
@@ -486,6 +486,12 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
|
|||||||
}
|
}
|
||||||
|
|
||||||
override CppType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) {
|
override CppType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) {
|
||||||
|
if hasSpecificReadSideEffect(any(Opcode::BufferReadSideEffect op))
|
||||||
|
then
|
||||||
|
result = getUnknownType() and
|
||||||
|
tag instanceof OnlyInstructionTag and
|
||||||
|
operandTag instanceof SideEffectOperandTag
|
||||||
|
else
|
||||||
exists(Type operandType |
|
exists(Type operandType |
|
||||||
tag instanceof OnlyInstructionTag and
|
tag instanceof OnlyInstructionTag and
|
||||||
operandType = arg.getType().getUnspecifiedType().(DerivedType).getBaseType() and
|
operandType = arg.getType().getUnspecifiedType().(DerivedType).getBaseType() and
|
||||||
@@ -549,7 +555,7 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
|
|||||||
)
|
)
|
||||||
or
|
or
|
||||||
not call.getTarget() instanceof SideEffectFunction and
|
not call.getTarget() instanceof SideEffectFunction and
|
||||||
op instanceof Opcode::IndirectReadSideEffect
|
op instanceof Opcode::BufferReadSideEffect
|
||||||
}
|
}
|
||||||
|
|
||||||
override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
|
override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
|
||||||
|
|||||||
@@ -731,6 +731,11 @@ class_template_argument(
|
|||||||
int index: int ref,
|
int index: int ref,
|
||||||
int arg_type: @type ref
|
int arg_type: @type ref
|
||||||
);
|
);
|
||||||
|
class_template_argument_value(
|
||||||
|
int type_id: @usertype ref,
|
||||||
|
int index: int ref,
|
||||||
|
int arg_value: @expr ref
|
||||||
|
);
|
||||||
|
|
||||||
is_proxy_class_for(
|
is_proxy_class_for(
|
||||||
unique int id: @usertype ref,
|
unique int id: @usertype ref,
|
||||||
@@ -755,6 +760,11 @@ function_template_argument(
|
|||||||
int index: int ref,
|
int index: int ref,
|
||||||
int arg_type: @type ref
|
int arg_type: @type ref
|
||||||
);
|
);
|
||||||
|
function_template_argument_value(
|
||||||
|
int function_id: @function ref,
|
||||||
|
int index: int ref,
|
||||||
|
int arg_value: @expr ref
|
||||||
|
);
|
||||||
|
|
||||||
is_variable_template(unique int id: @variable ref);
|
is_variable_template(unique int id: @variable ref);
|
||||||
variable_instantiation(
|
variable_instantiation(
|
||||||
@@ -766,6 +776,11 @@ variable_template_argument(
|
|||||||
int index: int ref,
|
int index: int ref,
|
||||||
int arg_type: @type ref
|
int arg_type: @type ref
|
||||||
);
|
);
|
||||||
|
variable_template_argument_value(
|
||||||
|
int variable_id: @variable ref,
|
||||||
|
int index: int ref,
|
||||||
|
int arg_value: @expr ref
|
||||||
|
);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Fixed point types
|
Fixed point types
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,68 @@
|
|||||||
|
int source();
|
||||||
|
void sink(int);
|
||||||
|
bool guarded(int);
|
||||||
|
|
||||||
|
void bg_basic(int source) {
|
||||||
|
if (guarded(source)) {
|
||||||
|
sink(source); // no flow
|
||||||
|
} else {
|
||||||
|
sink(source); // flow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void bg_not(int source) {
|
||||||
|
if (!guarded(source)) {
|
||||||
|
sink(source); // flow
|
||||||
|
} else {
|
||||||
|
sink(source); // no flow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void bg_and(int source, bool arbitrary) {
|
||||||
|
if (guarded(source) && arbitrary) {
|
||||||
|
sink(source); // no flow
|
||||||
|
} else {
|
||||||
|
sink(source); // flow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void bg_or(int source, bool arbitrary) {
|
||||||
|
if (guarded(source) || arbitrary) {
|
||||||
|
sink(source); // flow
|
||||||
|
} else {
|
||||||
|
sink(source); // flow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void bg_return(int source) {
|
||||||
|
if (!guarded(source)) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
sink(source); // no flow
|
||||||
|
}
|
||||||
|
|
||||||
|
struct XY {
|
||||||
|
int x, y;
|
||||||
|
};
|
||||||
|
|
||||||
|
void bg_stackstruct(XY s1, XY s2) {
|
||||||
|
s1.x = source();
|
||||||
|
if (guarded(s1.x)) {
|
||||||
|
sink(s1.x); // no flow
|
||||||
|
} else if (guarded(s1.y)) {
|
||||||
|
sink(s1.x); // flow
|
||||||
|
} else if (guarded(s2.y)) {
|
||||||
|
sink(s1.x); // flow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void bg_structptr(XY *p1, XY *p2) {
|
||||||
|
p1->x = source();
|
||||||
|
if (guarded(p1->x)) {
|
||||||
|
sink(p1->x); // no flow [FALSE POSITIVE in AST]
|
||||||
|
} else if (guarded(p1->y)) {
|
||||||
|
sink(p1->x); // flow [NOT DETECTED in IR]
|
||||||
|
} else if (guarded(p2->x)) {
|
||||||
|
sink(p1->x); // flow [NOT DETECTED in IR]
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -1,6 +1,20 @@
|
|||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.dataflow.DataFlow
|
import semmle.code.cpp.dataflow.DataFlow
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A `BarrierGuard` that stops flow to all occurrences of `x` within statement
|
||||||
|
* S in `if (guarded(x)) S`.
|
||||||
|
*/
|
||||||
|
// This is tested in `BarrierGuard.cpp`.
|
||||||
|
class TestBarrierGuard extends DataFlow::BarrierGuard {
|
||||||
|
TestBarrierGuard() { this.(FunctionCall).getTarget().getName() = "guarded" }
|
||||||
|
|
||||||
|
override predicate checks(Expr checked, boolean isTrue) {
|
||||||
|
checked = this.(FunctionCall).getArgument(0) and
|
||||||
|
isTrue = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/** Common data flow configuration to be used by tests. */
|
/** Common data flow configuration to be used by tests. */
|
||||||
class TestAllocationConfig extends DataFlow::Configuration {
|
class TestAllocationConfig extends DataFlow::Configuration {
|
||||||
TestAllocationConfig() { this = "TestAllocationConfig" }
|
TestAllocationConfig() { this = "TestAllocationConfig" }
|
||||||
@@ -26,4 +40,6 @@ class TestAllocationConfig extends DataFlow::Configuration {
|
|||||||
override predicate isBarrier(DataFlow::Node barrier) {
|
override predicate isBarrier(DataFlow::Node barrier) {
|
||||||
barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
|
barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard }
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,5 +1,20 @@
|
|||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.ir.dataflow.DataFlow
|
import semmle.code.cpp.ir.dataflow.DataFlow
|
||||||
|
import semmle.code.cpp.ir.IR
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A `BarrierGuard` that stops flow to all occurrences of `x` within statement
|
||||||
|
* S in `if (guarded(x)) S`.
|
||||||
|
*/
|
||||||
|
// This is tested in `BarrierGuard.cpp`.
|
||||||
|
class TestBarrierGuard extends DataFlow::BarrierGuard {
|
||||||
|
TestBarrierGuard() { this.(CallInstruction).getStaticCallTarget().getName() = "guarded" }
|
||||||
|
|
||||||
|
override predicate checks(Instruction checked, boolean isTrue) {
|
||||||
|
checked = this.(CallInstruction).getPositionalArgument(0) and
|
||||||
|
isTrue = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/** Common data flow configuration to be used by tests. */
|
/** Common data flow configuration to be used by tests. */
|
||||||
class TestAllocationConfig extends DataFlow::Configuration {
|
class TestAllocationConfig extends DataFlow::Configuration {
|
||||||
@@ -24,4 +39,6 @@ class TestAllocationConfig extends DataFlow::Configuration {
|
|||||||
override predicate isBarrier(DataFlow::Node barrier) {
|
override predicate isBarrier(DataFlow::Node barrier) {
|
||||||
barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
|
barrier.asExpr().(VariableAccess).getTarget().hasName("barrier")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard }
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,3 +1,13 @@
|
|||||||
|
| BarrierGuard.cpp:9:10:9:15 | source | BarrierGuard.cpp:5:19:5:24 | source |
|
||||||
|
| BarrierGuard.cpp:15:10:15:15 | source | BarrierGuard.cpp:13:17:13:22 | source |
|
||||||
|
| BarrierGuard.cpp:25:10:25:15 | source | BarrierGuard.cpp:21:17:21:22 | source |
|
||||||
|
| BarrierGuard.cpp:31:10:31:15 | source | BarrierGuard.cpp:29:16:29:21 | source |
|
||||||
|
| BarrierGuard.cpp:33:10:33:15 | source | BarrierGuard.cpp:29:16:29:21 | source |
|
||||||
|
| BarrierGuard.cpp:53:13:53:13 | x | BarrierGuard.cpp:49:10:49:15 | call to source |
|
||||||
|
| BarrierGuard.cpp:55:13:55:13 | x | BarrierGuard.cpp:49:10:49:15 | call to source |
|
||||||
|
| BarrierGuard.cpp:62:14:62:14 | x | BarrierGuard.cpp:60:11:60:16 | call to source |
|
||||||
|
| BarrierGuard.cpp:64:14:64:14 | x | BarrierGuard.cpp:60:11:60:16 | call to source |
|
||||||
|
| BarrierGuard.cpp:66:14:66:14 | x | BarrierGuard.cpp:60:11:60:16 | call to source |
|
||||||
| acrossLinkTargets.cpp:12:8:12:8 | x | acrossLinkTargets.cpp:19:27:19:32 | call to source |
|
| acrossLinkTargets.cpp:12:8:12:8 | x | acrossLinkTargets.cpp:19:27:19:32 | call to source |
|
||||||
| clang.cpp:18:8:18:19 | sourceArray1 | clang.cpp:12:9:12:20 | sourceArray1 |
|
| clang.cpp:18:8:18:19 | sourceArray1 | clang.cpp:12:9:12:20 | sourceArray1 |
|
||||||
| clang.cpp:22:8:22:20 | & ... | clang.cpp:12:9:12:20 | sourceArray1 |
|
| clang.cpp:22:8:22:20 | & ... | clang.cpp:12:9:12:20 | sourceArray1 |
|
||||||
|
|||||||
@@ -1,3 +1,6 @@
|
|||||||
|
| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:62:14:62:14 | AST only |
|
||||||
|
| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:64:14:64:14 | AST only |
|
||||||
|
| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:66:14:66:14 | AST only |
|
||||||
| clang.cpp:12:9:12:20 | clang.cpp:22:8:22:20 | AST only |
|
| clang.cpp:12:9:12:20 | clang.cpp:22:8:22:20 | AST only |
|
||||||
| clang.cpp:28:27:28:32 | clang.cpp:29:27:29:28 | AST only |
|
| clang.cpp:28:27:28:32 | clang.cpp:29:27:29:28 | AST only |
|
||||||
| clang.cpp:28:27:28:32 | clang.cpp:30:27:30:34 | AST only |
|
| clang.cpp:28:27:28:32 | clang.cpp:30:27:30:34 | AST only |
|
||||||
|
|||||||
@@ -1,3 +1,10 @@
|
|||||||
|
| BarrierGuard.cpp:9:10:9:15 | Load: source | BarrierGuard.cpp:5:19:5:24 | InitializeParameter: source |
|
||||||
|
| BarrierGuard.cpp:15:10:15:15 | Load: source | BarrierGuard.cpp:13:17:13:22 | InitializeParameter: source |
|
||||||
|
| BarrierGuard.cpp:25:10:25:15 | Load: source | BarrierGuard.cpp:21:17:21:22 | InitializeParameter: source |
|
||||||
|
| BarrierGuard.cpp:31:10:31:15 | Load: source | BarrierGuard.cpp:29:16:29:21 | InitializeParameter: source |
|
||||||
|
| BarrierGuard.cpp:33:10:33:15 | Load: source | BarrierGuard.cpp:29:16:29:21 | InitializeParameter: source |
|
||||||
|
| BarrierGuard.cpp:53:13:53:13 | Load: x | BarrierGuard.cpp:49:10:49:15 | Call: call to source |
|
||||||
|
| BarrierGuard.cpp:55:13:55:13 | Load: x | BarrierGuard.cpp:49:10:49:15 | Call: call to source |
|
||||||
| acrossLinkTargets.cpp:12:8:12:8 | Convert: (int)... | acrossLinkTargets.cpp:19:27:19:32 | Call: call to source |
|
| acrossLinkTargets.cpp:12:8:12:8 | Convert: (int)... | acrossLinkTargets.cpp:19:27:19:32 | Call: call to source |
|
||||||
| acrossLinkTargets.cpp:12:8:12:8 | Load: x | acrossLinkTargets.cpp:19:27:19:32 | Call: call to source |
|
| acrossLinkTargets.cpp:12:8:12:8 | Load: x | acrossLinkTargets.cpp:19:27:19:32 | Call: call to source |
|
||||||
| clang.cpp:18:8:18:19 | Convert: (const int *)... | clang.cpp:12:9:12:20 | InitializeParameter: sourceArray1 |
|
| clang.cpp:18:8:18:19 | Convert: (const int *)... | clang.cpp:12:9:12:20 | InitializeParameter: sourceArray1 |
|
||||||
|
|||||||
@@ -67,31 +67,7 @@ bad_asts.cpp:
|
|||||||
# 5| params:
|
# 5| params:
|
||||||
#-----| 0: [Parameter] p#0
|
#-----| 0: [Parameter] p#0
|
||||||
#-----| Type = [RValueReferenceType] S &&
|
#-----| Type = [RValueReferenceType] S &&
|
||||||
# 9| [MemberFunction] int Bad::S::MemberFunction(int)
|
# 9| [FunctionTemplateInstantiation,MemberFunction] int Bad::S::MemberFunction<int 6>(int)
|
||||||
# 9| params:
|
|
||||||
# 9| 0: [Parameter] y
|
|
||||||
# 9| Type = [IntType] int
|
|
||||||
# 9| body: [Block] { ... }
|
|
||||||
# 10| 0: [ReturnStmt] return ...
|
|
||||||
# 10| 0: [AddExpr] ... + ...
|
|
||||||
# 10| Type = [IntType] int
|
|
||||||
# 10| ValueCategory = prvalue
|
|
||||||
# 10| 0: [AddExpr] ... + ...
|
|
||||||
# 10| Type = [IntType] int
|
|
||||||
# 10| ValueCategory = prvalue
|
|
||||||
# 10| 0: [Literal] Unknown literal
|
|
||||||
# 10| Type = [IntType] int
|
|
||||||
# 10| ValueCategory = prvalue
|
|
||||||
# 10| 1: [PointerFieldAccess] x
|
|
||||||
# 10| Type = [IntType] int
|
|
||||||
# 10| ValueCategory = prvalue(load)
|
|
||||||
#-----| -1: [ThisExpr] this
|
|
||||||
#-----| Type = [PointerType] S *
|
|
||||||
#-----| ValueCategory = prvalue(load)
|
|
||||||
# 10| 1: [VariableAccess] y
|
|
||||||
# 10| Type = [IntType] int
|
|
||||||
# 10| ValueCategory = prvalue(load)
|
|
||||||
# 9| [TopLevelFunction] int MemberFunction(int)
|
|
||||||
# 9| params:
|
# 9| params:
|
||||||
# 9| 0: [Parameter] y
|
# 9| 0: [Parameter] y
|
||||||
# 9| Type = [IntType] int
|
# 9| Type = [IntType] int
|
||||||
@@ -116,6 +92,31 @@ bad_asts.cpp:
|
|||||||
# 10| 1: [VariableAccess] y
|
# 10| 1: [VariableAccess] y
|
||||||
# 10| Type = [IntType] int
|
# 10| Type = [IntType] int
|
||||||
# 10| ValueCategory = prvalue(load)
|
# 10| ValueCategory = prvalue(load)
|
||||||
|
# 9| [MemberFunction,TemplateFunction] int Bad::S::MemberFunction<int t>(int)
|
||||||
|
# 9| params:
|
||||||
|
# 9| 0: [Parameter] y
|
||||||
|
# 9| Type = [IntType] int
|
||||||
|
# 9| body: [Block] { ... }
|
||||||
|
# 10| 0: [ReturnStmt] return ...
|
||||||
|
# 10| 0: [AddExpr] ... + ...
|
||||||
|
# 10| Type = [IntType] int
|
||||||
|
# 10| ValueCategory = prvalue
|
||||||
|
# 10| 0: [AddExpr] ... + ...
|
||||||
|
# 10| Type = [IntType] int
|
||||||
|
# 10| ValueCategory = prvalue
|
||||||
|
# 10| 0: [Literal] t
|
||||||
|
# 10| Type = [IntType] int
|
||||||
|
# 10| Value = [Literal] t
|
||||||
|
# 10| ValueCategory = prvalue
|
||||||
|
# 10| 1: [PointerFieldAccess] x
|
||||||
|
# 10| Type = [IntType] int
|
||||||
|
# 10| ValueCategory = prvalue(load)
|
||||||
|
#-----| -1: [ThisExpr] this
|
||||||
|
#-----| Type = [PointerType] S *
|
||||||
|
#-----| ValueCategory = prvalue(load)
|
||||||
|
# 10| 1: [VariableAccess] y
|
||||||
|
# 10| Type = [IntType] int
|
||||||
|
# 10| ValueCategory = prvalue(load)
|
||||||
# 14| [TopLevelFunction] void Bad::CallBadMemberFunction()
|
# 14| [TopLevelFunction] void Bad::CallBadMemberFunction()
|
||||||
# 14| params:
|
# 14| params:
|
||||||
# 14| body: [Block] { ... }
|
# 14| body: [Block] { ... }
|
||||||
|
|||||||
@@ -1,4 +1,28 @@
|
|||||||
bad_asts.cpp:
|
bad_asts.cpp:
|
||||||
|
# 9| int Bad::S::MemberFunction<int 6>(int)
|
||||||
|
# 9| Block 0
|
||||||
|
# 9| v0_0(void) = EnterFunction :
|
||||||
|
# 9| mu0_1(unknown) = AliasedDefinition :
|
||||||
|
# 9| mu0_2(unknown) = UnmodeledDefinition :
|
||||||
|
# 9| r0_3(glval<S>) = InitializeThis :
|
||||||
|
# 9| r0_4(glval<int>) = VariableAddress[y] :
|
||||||
|
# 9| mu0_5(int) = InitializeParameter[y] : &:r0_4
|
||||||
|
# 10| r0_6(glval<int>) = VariableAddress[#return] :
|
||||||
|
# 10| r0_7(int) = Constant[6] :
|
||||||
|
#-----| r0_8(S *) = CopyValue : r0_3
|
||||||
|
# 10| r0_9(glval<int>) = FieldAddress[x] : r0_8
|
||||||
|
# 10| r0_10(int) = Load : &:r0_9, ~mu0_2
|
||||||
|
# 10| r0_11(int) = Add : r0_7, r0_10
|
||||||
|
# 10| r0_12(glval<int>) = VariableAddress[y] :
|
||||||
|
# 10| r0_13(int) = Load : &:r0_12, ~mu0_2
|
||||||
|
# 10| r0_14(int) = Add : r0_11, r0_13
|
||||||
|
# 10| mu0_15(int) = Store : &:r0_6, r0_14
|
||||||
|
# 9| r0_16(glval<int>) = VariableAddress[#return] :
|
||||||
|
# 9| v0_17(void) = ReturnValue : &:r0_16, ~mu0_2
|
||||||
|
# 9| v0_18(void) = UnmodeledUse : mu*
|
||||||
|
# 9| v0_19(void) = AliasedUse : ~mu0_2
|
||||||
|
# 9| v0_20(void) = ExitFunction :
|
||||||
|
|
||||||
# 14| void Bad::CallBadMemberFunction()
|
# 14| void Bad::CallBadMemberFunction()
|
||||||
# 14| Block 0
|
# 14| Block 0
|
||||||
# 14| v0_0(void) = EnterFunction :
|
# 14| v0_0(void) = EnterFunction :
|
||||||
@@ -14,7 +38,7 @@ bad_asts.cpp:
|
|||||||
# 16| r0_10(int) = Constant[1] :
|
# 16| r0_10(int) = Constant[1] :
|
||||||
# 16| r0_11(int) = Call : func:r0_9, this:r0_8, 0:r0_10
|
# 16| r0_11(int) = Call : func:r0_9, this:r0_8, 0:r0_10
|
||||||
# 16| mu0_12(unknown) = ^CallSideEffect : ~mu0_2
|
# 16| mu0_12(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 16| v0_13(void) = ^IndirectReadSideEffect[-1] : &:r0_8, ~mu0_2
|
# 16| v0_13(void) = ^BufferReadSideEffect[-1] : &:r0_8, ~mu0_2
|
||||||
# 16| mu0_14(S) = ^IndirectMayWriteSideEffect[-1] : &:r0_8
|
# 16| mu0_14(S) = ^IndirectMayWriteSideEffect[-1] : &:r0_8
|
||||||
# 17| v0_15(void) = NoOp :
|
# 17| v0_15(void) = NoOp :
|
||||||
# 14| v0_16(void) = ReturnVoid :
|
# 14| v0_16(void) = ReturnVoid :
|
||||||
@@ -2738,8 +2762,8 @@ ir.cpp:
|
|||||||
# 585| r0_8(char *) = Convert : r0_7
|
# 585| r0_8(char *) = Convert : r0_7
|
||||||
# 585| v0_9(void) = Call : func:r0_3, 0:r0_5, 1:r0_6, 2:r0_8
|
# 585| v0_9(void) = Call : func:r0_3, 0:r0_5, 1:r0_6, 2:r0_8
|
||||||
# 585| mu0_10(unknown) = ^CallSideEffect : ~mu0_2
|
# 585| mu0_10(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 585| v0_11(void) = ^IndirectReadSideEffect[0] : &:r0_5, ~mu0_2
|
# 585| v0_11(void) = ^BufferReadSideEffect[0] : &:r0_5, ~mu0_2
|
||||||
# 585| v0_12(void) = ^IndirectReadSideEffect[2] : &:r0_8, ~mu0_2
|
# 585| v0_12(void) = ^BufferReadSideEffect[2] : &:r0_8, ~mu0_2
|
||||||
# 585| mu0_13(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_5
|
# 585| mu0_13(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_5
|
||||||
# 585| mu0_14(unknown) = ^BufferMayWriteSideEffect[2] : &:r0_8
|
# 585| mu0_14(unknown) = ^BufferMayWriteSideEffect[2] : &:r0_8
|
||||||
# 586| v0_15(void) = NoOp :
|
# 586| v0_15(void) = NoOp :
|
||||||
@@ -2790,7 +2814,7 @@ ir.cpp:
|
|||||||
# 617| v0_14(void) = Call : func:r0_11, this:r0_9, 0:r0_13
|
# 617| v0_14(void) = Call : func:r0_11, this:r0_9, 0:r0_13
|
||||||
# 617| mu0_15(unknown) = ^CallSideEffect : ~mu0_2
|
# 617| mu0_15(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 617| mu0_16(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_9
|
# 617| mu0_16(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_9
|
||||||
# 617| v0_17(void) = ^IndirectReadSideEffect[0] : &:r0_13, ~mu0_2
|
# 617| v0_17(void) = ^BufferReadSideEffect[0] : &:r0_13, ~mu0_2
|
||||||
# 617| mu0_18(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_13
|
# 617| mu0_18(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_13
|
||||||
# 618| r0_19(glval<String>) = VariableAddress[s3] :
|
# 618| r0_19(glval<String>) = VariableAddress[s3] :
|
||||||
# 618| r0_20(glval<unknown>) = FunctionAddress[ReturnObject] :
|
# 618| r0_20(glval<unknown>) = FunctionAddress[ReturnObject] :
|
||||||
@@ -2805,7 +2829,7 @@ ir.cpp:
|
|||||||
# 619| v0_29(void) = Call : func:r0_26, this:r0_24, 0:r0_28
|
# 619| v0_29(void) = Call : func:r0_26, this:r0_24, 0:r0_28
|
||||||
# 619| mu0_30(unknown) = ^CallSideEffect : ~mu0_2
|
# 619| mu0_30(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 619| mu0_31(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_24
|
# 619| mu0_31(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_24
|
||||||
# 619| v0_32(void) = ^IndirectReadSideEffect[0] : &:r0_28, ~mu0_2
|
# 619| v0_32(void) = ^BufferReadSideEffect[0] : &:r0_28, ~mu0_2
|
||||||
# 619| mu0_33(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_28
|
# 619| mu0_33(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_28
|
||||||
# 620| v0_34(void) = NoOp :
|
# 620| v0_34(void) = NoOp :
|
||||||
# 615| v0_35(void) = ReturnVoid :
|
# 615| v0_35(void) = ReturnVoid :
|
||||||
@@ -2830,7 +2854,7 @@ ir.cpp:
|
|||||||
# 623| r0_12(glval<unknown>) = FunctionAddress[c_str] :
|
# 623| r0_12(glval<unknown>) = FunctionAddress[c_str] :
|
||||||
# 623| r0_13(char *) = Call : func:r0_12, this:r0_11
|
# 623| r0_13(char *) = Call : func:r0_12, this:r0_11
|
||||||
# 623| mu0_14(unknown) = ^CallSideEffect : ~mu0_2
|
# 623| mu0_14(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 623| v0_15(void) = ^IndirectReadSideEffect[-1] : &:r0_11, ~mu0_2
|
# 623| v0_15(void) = ^BufferReadSideEffect[-1] : &:r0_11, ~mu0_2
|
||||||
# 623| mu0_16(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_11
|
# 623| mu0_16(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_11
|
||||||
# 624| r0_17(glval<String *>) = VariableAddress[p] :
|
# 624| r0_17(glval<String *>) = VariableAddress[p] :
|
||||||
# 624| r0_18(String *) = Load : &:r0_17, ~mu0_2
|
# 624| r0_18(String *) = Load : &:r0_17, ~mu0_2
|
||||||
@@ -2838,14 +2862,14 @@ ir.cpp:
|
|||||||
# 624| r0_20(glval<unknown>) = FunctionAddress[c_str] :
|
# 624| r0_20(glval<unknown>) = FunctionAddress[c_str] :
|
||||||
# 624| r0_21(char *) = Call : func:r0_20, this:r0_19
|
# 624| r0_21(char *) = Call : func:r0_20, this:r0_19
|
||||||
# 624| mu0_22(unknown) = ^CallSideEffect : ~mu0_2
|
# 624| mu0_22(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 624| v0_23(void) = ^IndirectReadSideEffect[-1] : &:r0_19, ~mu0_2
|
# 624| v0_23(void) = ^BufferReadSideEffect[-1] : &:r0_19, ~mu0_2
|
||||||
# 624| mu0_24(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_19
|
# 624| mu0_24(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_19
|
||||||
# 625| r0_25(glval<String>) = VariableAddress[s] :
|
# 625| r0_25(glval<String>) = VariableAddress[s] :
|
||||||
# 625| r0_26(glval<String>) = Convert : r0_25
|
# 625| r0_26(glval<String>) = Convert : r0_25
|
||||||
# 625| r0_27(glval<unknown>) = FunctionAddress[c_str] :
|
# 625| r0_27(glval<unknown>) = FunctionAddress[c_str] :
|
||||||
# 625| r0_28(char *) = Call : func:r0_27, this:r0_26
|
# 625| r0_28(char *) = Call : func:r0_27, this:r0_26
|
||||||
# 625| mu0_29(unknown) = ^CallSideEffect : ~mu0_2
|
# 625| mu0_29(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 625| v0_30(void) = ^IndirectReadSideEffect[-1] : &:r0_26, ~mu0_2
|
# 625| v0_30(void) = ^BufferReadSideEffect[-1] : &:r0_26, ~mu0_2
|
||||||
# 625| mu0_31(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_26
|
# 625| mu0_31(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_26
|
||||||
# 626| v0_32(void) = NoOp :
|
# 626| v0_32(void) = NoOp :
|
||||||
# 622| v0_33(void) = ReturnVoid :
|
# 622| v0_33(void) = ReturnVoid :
|
||||||
@@ -2958,21 +2982,21 @@ ir.cpp:
|
|||||||
# 653| r0_6(int) = Constant[0] :
|
# 653| r0_6(int) = Constant[0] :
|
||||||
# 653| r0_7(int) = Call : func:r0_5, this:r0_4, 0:r0_6
|
# 653| r0_7(int) = Call : func:r0_5, this:r0_4, 0:r0_6
|
||||||
# 653| mu0_8(unknown) = ^CallSideEffect : ~mu0_2
|
# 653| mu0_8(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 653| v0_9(void) = ^IndirectReadSideEffect[-1] : &:r0_4, ~mu0_2
|
# 653| v0_9(void) = ^BufferReadSideEffect[-1] : &:r0_4, ~mu0_2
|
||||||
# 653| mu0_10(C) = ^IndirectMayWriteSideEffect[-1] : &:r0_4
|
# 653| mu0_10(C) = ^IndirectMayWriteSideEffect[-1] : &:r0_4
|
||||||
# 654| r0_11(C *) = CopyValue : r0_3
|
# 654| r0_11(C *) = CopyValue : r0_3
|
||||||
# 654| r0_12(glval<unknown>) = FunctionAddress[InstanceMemberFunction] :
|
# 654| r0_12(glval<unknown>) = FunctionAddress[InstanceMemberFunction] :
|
||||||
# 654| r0_13(int) = Constant[1] :
|
# 654| r0_13(int) = Constant[1] :
|
||||||
# 654| r0_14(int) = Call : func:r0_12, this:r0_11, 0:r0_13
|
# 654| r0_14(int) = Call : func:r0_12, this:r0_11, 0:r0_13
|
||||||
# 654| mu0_15(unknown) = ^CallSideEffect : ~mu0_2
|
# 654| mu0_15(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 654| v0_16(void) = ^IndirectReadSideEffect[-1] : &:r0_11, ~mu0_2
|
# 654| v0_16(void) = ^BufferReadSideEffect[-1] : &:r0_11, ~mu0_2
|
||||||
# 654| mu0_17(C) = ^IndirectMayWriteSideEffect[-1] : &:r0_11
|
# 654| mu0_17(C) = ^IndirectMayWriteSideEffect[-1] : &:r0_11
|
||||||
#-----| r0_18(C *) = CopyValue : r0_3
|
#-----| r0_18(C *) = CopyValue : r0_3
|
||||||
# 655| r0_19(glval<unknown>) = FunctionAddress[InstanceMemberFunction] :
|
# 655| r0_19(glval<unknown>) = FunctionAddress[InstanceMemberFunction] :
|
||||||
# 655| r0_20(int) = Constant[2] :
|
# 655| r0_20(int) = Constant[2] :
|
||||||
# 655| r0_21(int) = Call : func:r0_19, this:r0_18, 0:r0_20
|
# 655| r0_21(int) = Call : func:r0_19, this:r0_18, 0:r0_20
|
||||||
# 655| mu0_22(unknown) = ^CallSideEffect : ~mu0_2
|
# 655| mu0_22(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v0_23(void) = ^IndirectReadSideEffect[-1] : &:r0_18, ~mu0_2
|
#-----| v0_23(void) = ^BufferReadSideEffect[-1] : &:r0_18, ~mu0_2
|
||||||
#-----| mu0_24(C) = ^IndirectMayWriteSideEffect[-1] : &:r0_18
|
#-----| mu0_24(C) = ^IndirectMayWriteSideEffect[-1] : &:r0_18
|
||||||
# 656| v0_25(void) = NoOp :
|
# 656| v0_25(void) = NoOp :
|
||||||
# 652| v0_26(void) = ReturnVoid :
|
# 652| v0_26(void) = ReturnVoid :
|
||||||
@@ -3007,7 +3031,7 @@ ir.cpp:
|
|||||||
# 662| v0_22(void) = Call : func:r0_19, this:r0_18, 0:r0_21
|
# 662| v0_22(void) = Call : func:r0_19, this:r0_18, 0:r0_21
|
||||||
# 662| mu0_23(unknown) = ^CallSideEffect : ~mu0_2
|
# 662| mu0_23(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 662| mu0_24(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_18
|
# 662| mu0_24(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_18
|
||||||
# 662| v0_25(void) = ^IndirectReadSideEffect[0] : &:r0_21, ~mu0_2
|
# 662| v0_25(void) = ^BufferReadSideEffect[0] : &:r0_21, ~mu0_2
|
||||||
# 662| mu0_26(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_21
|
# 662| mu0_26(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_21
|
||||||
# 664| v0_27(void) = NoOp :
|
# 664| v0_27(void) = NoOp :
|
||||||
# 658| v0_28(void) = ReturnVoid :
|
# 658| v0_28(void) = ReturnVoid :
|
||||||
@@ -3216,7 +3240,7 @@ ir.cpp:
|
|||||||
# 721| r0_6(char) = Constant[111] :
|
# 721| r0_6(char) = Constant[111] :
|
||||||
# 721| r0_7(long) = Call : func:r0_4, 0:r0_5, 1:r0_6
|
# 721| r0_7(long) = Call : func:r0_4, 0:r0_5, 1:r0_6
|
||||||
# 721| mu0_8(unknown) = ^CallSideEffect : ~mu0_2
|
# 721| mu0_8(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 721| v0_9(void) = ^IndirectReadSideEffect[0] : &:r0_5, ~mu0_2
|
# 721| v0_9(void) = ^BufferReadSideEffect[0] : &:r0_5, ~mu0_2
|
||||||
# 721| mu0_10(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_5
|
# 721| mu0_10(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_5
|
||||||
# 721| r0_11(double) = Convert : r0_7
|
# 721| r0_11(double) = Convert : r0_7
|
||||||
# 721| mu0_12(double) = Store : &:r0_3, r0_11
|
# 721| mu0_12(double) = Store : &:r0_3, r0_11
|
||||||
@@ -3293,7 +3317,7 @@ ir.cpp:
|
|||||||
# 731| v7_4(void) = Call : func:r7_1, this:r7_0, 0:r7_3
|
# 731| v7_4(void) = Call : func:r7_1, this:r7_0, 0:r7_3
|
||||||
# 731| mu7_5(unknown) = ^CallSideEffect : ~mu0_2
|
# 731| mu7_5(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 731| mu7_6(String) = ^IndirectMayWriteSideEffect[-1] : &:r7_0
|
# 731| mu7_6(String) = ^IndirectMayWriteSideEffect[-1] : &:r7_0
|
||||||
# 731| v7_7(void) = ^IndirectReadSideEffect[0] : &:r7_3, ~mu0_2
|
# 731| v7_7(void) = ^BufferReadSideEffect[0] : &:r7_3, ~mu0_2
|
||||||
# 731| mu7_8(unknown) = ^BufferMayWriteSideEffect[0] : &:r7_3
|
# 731| mu7_8(unknown) = ^BufferMayWriteSideEffect[0] : &:r7_3
|
||||||
# 731| v7_9(void) = ThrowValue : &:r7_0, ~mu0_2
|
# 731| v7_9(void) = ThrowValue : &:r7_0, ~mu0_2
|
||||||
#-----| Exception -> Block 9
|
#-----| Exception -> Block 9
|
||||||
@@ -3319,7 +3343,7 @@ ir.cpp:
|
|||||||
# 736| v10_6(void) = Call : func:r10_3, this:r10_2, 0:r10_5
|
# 736| v10_6(void) = Call : func:r10_3, this:r10_2, 0:r10_5
|
||||||
# 736| mu10_7(unknown) = ^CallSideEffect : ~mu0_2
|
# 736| mu10_7(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 736| mu10_8(String) = ^IndirectMayWriteSideEffect[-1] : &:r10_2
|
# 736| mu10_8(String) = ^IndirectMayWriteSideEffect[-1] : &:r10_2
|
||||||
# 736| v10_9(void) = ^IndirectReadSideEffect[0] : &:r10_5, ~mu0_2
|
# 736| v10_9(void) = ^BufferReadSideEffect[0] : &:r10_5, ~mu0_2
|
||||||
# 736| mu10_10(unknown) = ^BufferMayWriteSideEffect[0] : &:r10_5
|
# 736| mu10_10(unknown) = ^BufferMayWriteSideEffect[0] : &:r10_5
|
||||||
# 736| v10_11(void) = ThrowValue : &:r10_2, ~mu0_2
|
# 736| v10_11(void) = ThrowValue : &:r10_2, ~mu0_2
|
||||||
#-----| Exception -> Block 2
|
#-----| Exception -> Block 2
|
||||||
@@ -3361,8 +3385,8 @@ ir.cpp:
|
|||||||
#-----| r0_11(glval<String>) = FieldAddress[base_s] : r0_10
|
#-----| r0_11(glval<String>) = FieldAddress[base_s] : r0_10
|
||||||
# 745| r0_12(String &) = Call : func:r0_8, this:r0_7, 0:r0_11
|
# 745| r0_12(String &) = Call : func:r0_8, this:r0_7, 0:r0_11
|
||||||
# 745| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
|
# 745| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v0_14(void) = ^IndirectReadSideEffect[-1] : &:r0_7, ~mu0_2
|
#-----| v0_14(void) = ^BufferReadSideEffect[-1] : &:r0_7, ~mu0_2
|
||||||
#-----| v0_15(void) = ^IndirectReadSideEffect[0] : &:r0_11, ~mu0_2
|
#-----| v0_15(void) = ^BufferReadSideEffect[0] : &:r0_11, ~mu0_2
|
||||||
#-----| mu0_16(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_7
|
#-----| mu0_16(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_7
|
||||||
#-----| mu0_17(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_11
|
#-----| mu0_17(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_11
|
||||||
#-----| r0_18(glval<Base &>) = VariableAddress[#return] :
|
#-----| r0_18(glval<Base &>) = VariableAddress[#return] :
|
||||||
@@ -3442,8 +3466,8 @@ ir.cpp:
|
|||||||
#-----| r0_11(Base *) = ConvertToBase[Middle : Base] : r0_10
|
#-----| r0_11(Base *) = ConvertToBase[Middle : Base] : r0_10
|
||||||
# 754| r0_12(Base &) = Call : func:r0_8, this:r0_7, 0:r0_11
|
# 754| r0_12(Base &) = Call : func:r0_8, this:r0_7, 0:r0_11
|
||||||
# 754| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
|
# 754| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v0_14(void) = ^IndirectReadSideEffect[-1] : &:r0_7, ~mu0_2
|
#-----| v0_14(void) = ^BufferReadSideEffect[-1] : &:r0_7, ~mu0_2
|
||||||
#-----| v0_15(void) = ^IndirectReadSideEffect[0] : &:r0_11, ~mu0_2
|
#-----| v0_15(void) = ^BufferReadSideEffect[0] : &:r0_11, ~mu0_2
|
||||||
#-----| mu0_16(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_7
|
#-----| mu0_16(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_7
|
||||||
#-----| mu0_17(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_11
|
#-----| mu0_17(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_11
|
||||||
#-----| r0_18(Middle *) = CopyValue : r0_3
|
#-----| r0_18(Middle *) = CopyValue : r0_3
|
||||||
@@ -3454,8 +3478,8 @@ ir.cpp:
|
|||||||
#-----| r0_23(glval<String>) = FieldAddress[middle_s] : r0_22
|
#-----| r0_23(glval<String>) = FieldAddress[middle_s] : r0_22
|
||||||
# 754| r0_24(String &) = Call : func:r0_20, this:r0_19, 0:r0_23
|
# 754| r0_24(String &) = Call : func:r0_20, this:r0_19, 0:r0_23
|
||||||
# 754| mu0_25(unknown) = ^CallSideEffect : ~mu0_2
|
# 754| mu0_25(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v0_26(void) = ^IndirectReadSideEffect[-1] : &:r0_19, ~mu0_2
|
#-----| v0_26(void) = ^BufferReadSideEffect[-1] : &:r0_19, ~mu0_2
|
||||||
#-----| v0_27(void) = ^IndirectReadSideEffect[0] : &:r0_23, ~mu0_2
|
#-----| v0_27(void) = ^BufferReadSideEffect[0] : &:r0_23, ~mu0_2
|
||||||
#-----| mu0_28(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_19
|
#-----| mu0_28(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_19
|
||||||
#-----| mu0_29(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_23
|
#-----| mu0_29(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_23
|
||||||
#-----| r0_30(glval<Middle &>) = VariableAddress[#return] :
|
#-----| r0_30(glval<Middle &>) = VariableAddress[#return] :
|
||||||
@@ -3525,8 +3549,8 @@ ir.cpp:
|
|||||||
#-----| r0_11(Middle *) = ConvertToBase[Derived : Middle] : r0_10
|
#-----| r0_11(Middle *) = ConvertToBase[Derived : Middle] : r0_10
|
||||||
# 763| r0_12(Middle &) = Call : func:r0_8, this:r0_7, 0:r0_11
|
# 763| r0_12(Middle &) = Call : func:r0_8, this:r0_7, 0:r0_11
|
||||||
# 763| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
|
# 763| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v0_14(void) = ^IndirectReadSideEffect[-1] : &:r0_7, ~mu0_2
|
#-----| v0_14(void) = ^BufferReadSideEffect[-1] : &:r0_7, ~mu0_2
|
||||||
#-----| v0_15(void) = ^IndirectReadSideEffect[0] : &:r0_11, ~mu0_2
|
#-----| v0_15(void) = ^BufferReadSideEffect[0] : &:r0_11, ~mu0_2
|
||||||
#-----| mu0_16(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r0_7
|
#-----| mu0_16(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r0_7
|
||||||
#-----| mu0_17(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_11
|
#-----| mu0_17(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_11
|
||||||
#-----| r0_18(Derived *) = CopyValue : r0_3
|
#-----| r0_18(Derived *) = CopyValue : r0_3
|
||||||
@@ -3537,8 +3561,8 @@ ir.cpp:
|
|||||||
#-----| r0_23(glval<String>) = FieldAddress[derived_s] : r0_22
|
#-----| r0_23(glval<String>) = FieldAddress[derived_s] : r0_22
|
||||||
# 763| r0_24(String &) = Call : func:r0_20, this:r0_19, 0:r0_23
|
# 763| r0_24(String &) = Call : func:r0_20, this:r0_19, 0:r0_23
|
||||||
# 763| mu0_25(unknown) = ^CallSideEffect : ~mu0_2
|
# 763| mu0_25(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v0_26(void) = ^IndirectReadSideEffect[-1] : &:r0_19, ~mu0_2
|
#-----| v0_26(void) = ^BufferReadSideEffect[-1] : &:r0_19, ~mu0_2
|
||||||
#-----| v0_27(void) = ^IndirectReadSideEffect[0] : &:r0_23, ~mu0_2
|
#-----| v0_27(void) = ^BufferReadSideEffect[0] : &:r0_23, ~mu0_2
|
||||||
#-----| mu0_28(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_19
|
#-----| mu0_28(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_19
|
||||||
#-----| mu0_29(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_23
|
#-----| mu0_29(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_23
|
||||||
#-----| r0_30(glval<Derived &>) = VariableAddress[#return] :
|
#-----| r0_30(glval<Derived &>) = VariableAddress[#return] :
|
||||||
@@ -3774,8 +3798,8 @@ ir.cpp:
|
|||||||
# 808| r0_33(glval<Base>) = ConvertToBase[Middle : Base] : r0_32
|
# 808| r0_33(glval<Base>) = ConvertToBase[Middle : Base] : r0_32
|
||||||
# 808| r0_34(Base &) = Call : func:r0_31, this:r0_30, 0:r0_33
|
# 808| r0_34(Base &) = Call : func:r0_31, this:r0_30, 0:r0_33
|
||||||
# 808| mu0_35(unknown) = ^CallSideEffect : ~mu0_2
|
# 808| mu0_35(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 808| v0_36(void) = ^IndirectReadSideEffect[-1] : &:r0_30, ~mu0_2
|
# 808| v0_36(void) = ^BufferReadSideEffect[-1] : &:r0_30, ~mu0_2
|
||||||
# 808| v0_37(void) = ^IndirectReadSideEffect[0] : &:r0_33, ~mu0_2
|
# 808| v0_37(void) = ^BufferReadSideEffect[0] : &:r0_33, ~mu0_2
|
||||||
# 808| mu0_38(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_30
|
# 808| mu0_38(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_30
|
||||||
# 808| mu0_39(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_33
|
# 808| mu0_39(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_33
|
||||||
# 809| r0_40(glval<Base>) = VariableAddress[b] :
|
# 809| r0_40(glval<Base>) = VariableAddress[b] :
|
||||||
@@ -3786,13 +3810,13 @@ ir.cpp:
|
|||||||
# 809| v0_45(void) = Call : func:r0_42, 0:r0_44
|
# 809| v0_45(void) = Call : func:r0_42, 0:r0_44
|
||||||
# 809| mu0_46(unknown) = ^CallSideEffect : ~mu0_2
|
# 809| mu0_46(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 809| mu0_47(Base) = ^IndirectMayWriteSideEffect[-1] :
|
# 809| mu0_47(Base) = ^IndirectMayWriteSideEffect[-1] :
|
||||||
# 809| v0_48(void) = ^IndirectReadSideEffect[0] : &:r0_44, ~mu0_2
|
# 809| v0_48(void) = ^BufferReadSideEffect[0] : &:r0_44, ~mu0_2
|
||||||
# 809| mu0_49(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_44
|
# 809| mu0_49(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_44
|
||||||
# 809| r0_50(glval<Base>) = Convert : v0_45
|
# 809| r0_50(glval<Base>) = Convert : v0_45
|
||||||
# 809| r0_51(Base &) = Call : func:r0_41, this:r0_40, 0:r0_50
|
# 809| r0_51(Base &) = Call : func:r0_41, this:r0_40, 0:r0_50
|
||||||
# 809| mu0_52(unknown) = ^CallSideEffect : ~mu0_2
|
# 809| mu0_52(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 809| v0_53(void) = ^IndirectReadSideEffect[-1] : &:r0_40, ~mu0_2
|
# 809| v0_53(void) = ^BufferReadSideEffect[-1] : &:r0_40, ~mu0_2
|
||||||
# 809| v0_54(void) = ^IndirectReadSideEffect[0] : &:r0_50, ~mu0_2
|
# 809| v0_54(void) = ^BufferReadSideEffect[0] : &:r0_50, ~mu0_2
|
||||||
# 809| mu0_55(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_40
|
# 809| mu0_55(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_40
|
||||||
# 809| mu0_56(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_50
|
# 809| mu0_56(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_50
|
||||||
# 810| r0_57(glval<Base>) = VariableAddress[b] :
|
# 810| r0_57(glval<Base>) = VariableAddress[b] :
|
||||||
@@ -3803,13 +3827,13 @@ ir.cpp:
|
|||||||
# 810| v0_62(void) = Call : func:r0_59, 0:r0_61
|
# 810| v0_62(void) = Call : func:r0_59, 0:r0_61
|
||||||
# 810| mu0_63(unknown) = ^CallSideEffect : ~mu0_2
|
# 810| mu0_63(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 810| mu0_64(Base) = ^IndirectMayWriteSideEffect[-1] :
|
# 810| mu0_64(Base) = ^IndirectMayWriteSideEffect[-1] :
|
||||||
# 810| v0_65(void) = ^IndirectReadSideEffect[0] : &:r0_61, ~mu0_2
|
# 810| v0_65(void) = ^BufferReadSideEffect[0] : &:r0_61, ~mu0_2
|
||||||
# 810| mu0_66(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_61
|
# 810| mu0_66(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_61
|
||||||
# 810| r0_67(glval<Base>) = Convert : v0_62
|
# 810| r0_67(glval<Base>) = Convert : v0_62
|
||||||
# 810| r0_68(Base &) = Call : func:r0_58, this:r0_57, 0:r0_67
|
# 810| r0_68(Base &) = Call : func:r0_58, this:r0_57, 0:r0_67
|
||||||
# 810| mu0_69(unknown) = ^CallSideEffect : ~mu0_2
|
# 810| mu0_69(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 810| v0_70(void) = ^IndirectReadSideEffect[-1] : &:r0_57, ~mu0_2
|
# 810| v0_70(void) = ^BufferReadSideEffect[-1] : &:r0_57, ~mu0_2
|
||||||
# 810| v0_71(void) = ^IndirectReadSideEffect[0] : &:r0_67, ~mu0_2
|
# 810| v0_71(void) = ^BufferReadSideEffect[0] : &:r0_67, ~mu0_2
|
||||||
# 810| mu0_72(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_57
|
# 810| mu0_72(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_57
|
||||||
# 810| mu0_73(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_67
|
# 810| mu0_73(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_67
|
||||||
# 811| r0_74(glval<Middle *>) = VariableAddress[pm] :
|
# 811| r0_74(glval<Middle *>) = VariableAddress[pm] :
|
||||||
@@ -3839,8 +3863,8 @@ ir.cpp:
|
|||||||
# 816| r0_98(glval<Middle>) = Convert : r0_97
|
# 816| r0_98(glval<Middle>) = Convert : r0_97
|
||||||
# 816| r0_99(Middle &) = Call : func:r0_95, this:r0_94, 0:r0_98
|
# 816| r0_99(Middle &) = Call : func:r0_95, this:r0_94, 0:r0_98
|
||||||
# 816| mu0_100(unknown) = ^CallSideEffect : ~mu0_2
|
# 816| mu0_100(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 816| v0_101(void) = ^IndirectReadSideEffect[-1] : &:r0_94, ~mu0_2
|
# 816| v0_101(void) = ^BufferReadSideEffect[-1] : &:r0_94, ~mu0_2
|
||||||
# 816| v0_102(void) = ^IndirectReadSideEffect[0] : &:r0_98, ~mu0_2
|
# 816| v0_102(void) = ^BufferReadSideEffect[0] : &:r0_98, ~mu0_2
|
||||||
# 816| mu0_103(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r0_94
|
# 816| mu0_103(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r0_94
|
||||||
# 816| mu0_104(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_98
|
# 816| mu0_104(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_98
|
||||||
# 817| r0_105(glval<Middle>) = VariableAddress[m] :
|
# 817| r0_105(glval<Middle>) = VariableAddress[m] :
|
||||||
@@ -3850,8 +3874,8 @@ ir.cpp:
|
|||||||
# 817| r0_109(glval<Middle>) = Convert : r0_108
|
# 817| r0_109(glval<Middle>) = Convert : r0_108
|
||||||
# 817| r0_110(Middle &) = Call : func:r0_106, this:r0_105, 0:r0_109
|
# 817| r0_110(Middle &) = Call : func:r0_106, this:r0_105, 0:r0_109
|
||||||
# 817| mu0_111(unknown) = ^CallSideEffect : ~mu0_2
|
# 817| mu0_111(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 817| v0_112(void) = ^IndirectReadSideEffect[-1] : &:r0_105, ~mu0_2
|
# 817| v0_112(void) = ^BufferReadSideEffect[-1] : &:r0_105, ~mu0_2
|
||||||
# 817| v0_113(void) = ^IndirectReadSideEffect[0] : &:r0_109, ~mu0_2
|
# 817| v0_113(void) = ^BufferReadSideEffect[0] : &:r0_109, ~mu0_2
|
||||||
# 817| mu0_114(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r0_105
|
# 817| mu0_114(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r0_105
|
||||||
# 817| mu0_115(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_109
|
# 817| mu0_115(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_109
|
||||||
# 818| r0_116(glval<Base *>) = VariableAddress[pb] :
|
# 818| r0_116(glval<Base *>) = VariableAddress[pb] :
|
||||||
@@ -3876,8 +3900,8 @@ ir.cpp:
|
|||||||
# 822| r0_135(glval<Base>) = ConvertToBase[Middle : Base] : r0_134
|
# 822| r0_135(glval<Base>) = ConvertToBase[Middle : Base] : r0_134
|
||||||
# 822| r0_136(Base &) = Call : func:r0_132, this:r0_131, 0:r0_135
|
# 822| r0_136(Base &) = Call : func:r0_132, this:r0_131, 0:r0_135
|
||||||
# 822| mu0_137(unknown) = ^CallSideEffect : ~mu0_2
|
# 822| mu0_137(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 822| v0_138(void) = ^IndirectReadSideEffect[-1] : &:r0_131, ~mu0_2
|
# 822| v0_138(void) = ^BufferReadSideEffect[-1] : &:r0_131, ~mu0_2
|
||||||
# 822| v0_139(void) = ^IndirectReadSideEffect[0] : &:r0_135, ~mu0_2
|
# 822| v0_139(void) = ^BufferReadSideEffect[0] : &:r0_135, ~mu0_2
|
||||||
# 822| mu0_140(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_131
|
# 822| mu0_140(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_131
|
||||||
# 822| mu0_141(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_135
|
# 822| mu0_141(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_135
|
||||||
# 823| r0_142(glval<Base>) = VariableAddress[b] :
|
# 823| r0_142(glval<Base>) = VariableAddress[b] :
|
||||||
@@ -3889,13 +3913,13 @@ ir.cpp:
|
|||||||
# 823| v0_148(void) = Call : func:r0_144, 0:r0_147
|
# 823| v0_148(void) = Call : func:r0_144, 0:r0_147
|
||||||
# 823| mu0_149(unknown) = ^CallSideEffect : ~mu0_2
|
# 823| mu0_149(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 823| mu0_150(Base) = ^IndirectMayWriteSideEffect[-1] :
|
# 823| mu0_150(Base) = ^IndirectMayWriteSideEffect[-1] :
|
||||||
# 823| v0_151(void) = ^IndirectReadSideEffect[0] : &:r0_147, ~mu0_2
|
# 823| v0_151(void) = ^BufferReadSideEffect[0] : &:r0_147, ~mu0_2
|
||||||
# 823| mu0_152(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_147
|
# 823| mu0_152(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_147
|
||||||
# 823| r0_153(glval<Base>) = Convert : v0_148
|
# 823| r0_153(glval<Base>) = Convert : v0_148
|
||||||
# 823| r0_154(Base &) = Call : func:r0_143, this:r0_142, 0:r0_153
|
# 823| r0_154(Base &) = Call : func:r0_143, this:r0_142, 0:r0_153
|
||||||
# 823| mu0_155(unknown) = ^CallSideEffect : ~mu0_2
|
# 823| mu0_155(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 823| v0_156(void) = ^IndirectReadSideEffect[-1] : &:r0_142, ~mu0_2
|
# 823| v0_156(void) = ^BufferReadSideEffect[-1] : &:r0_142, ~mu0_2
|
||||||
# 823| v0_157(void) = ^IndirectReadSideEffect[0] : &:r0_153, ~mu0_2
|
# 823| v0_157(void) = ^BufferReadSideEffect[0] : &:r0_153, ~mu0_2
|
||||||
# 823| mu0_158(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_142
|
# 823| mu0_158(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_142
|
||||||
# 823| mu0_159(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_153
|
# 823| mu0_159(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_153
|
||||||
# 824| r0_160(glval<Base>) = VariableAddress[b] :
|
# 824| r0_160(glval<Base>) = VariableAddress[b] :
|
||||||
@@ -3907,13 +3931,13 @@ ir.cpp:
|
|||||||
# 824| v0_166(void) = Call : func:r0_162, 0:r0_165
|
# 824| v0_166(void) = Call : func:r0_162, 0:r0_165
|
||||||
# 824| mu0_167(unknown) = ^CallSideEffect : ~mu0_2
|
# 824| mu0_167(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 824| mu0_168(Base) = ^IndirectMayWriteSideEffect[-1] :
|
# 824| mu0_168(Base) = ^IndirectMayWriteSideEffect[-1] :
|
||||||
# 824| v0_169(void) = ^IndirectReadSideEffect[0] : &:r0_165, ~mu0_2
|
# 824| v0_169(void) = ^BufferReadSideEffect[0] : &:r0_165, ~mu0_2
|
||||||
# 824| mu0_170(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_165
|
# 824| mu0_170(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_165
|
||||||
# 824| r0_171(glval<Base>) = Convert : v0_166
|
# 824| r0_171(glval<Base>) = Convert : v0_166
|
||||||
# 824| r0_172(Base &) = Call : func:r0_161, this:r0_160, 0:r0_171
|
# 824| r0_172(Base &) = Call : func:r0_161, this:r0_160, 0:r0_171
|
||||||
# 824| mu0_173(unknown) = ^CallSideEffect : ~mu0_2
|
# 824| mu0_173(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 824| v0_174(void) = ^IndirectReadSideEffect[-1] : &:r0_160, ~mu0_2
|
# 824| v0_174(void) = ^BufferReadSideEffect[-1] : &:r0_160, ~mu0_2
|
||||||
# 824| v0_175(void) = ^IndirectReadSideEffect[0] : &:r0_171, ~mu0_2
|
# 824| v0_175(void) = ^BufferReadSideEffect[0] : &:r0_171, ~mu0_2
|
||||||
# 824| mu0_176(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_160
|
# 824| mu0_176(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_160
|
||||||
# 824| mu0_177(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_171
|
# 824| mu0_177(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_171
|
||||||
# 825| r0_178(glval<Derived *>) = VariableAddress[pd] :
|
# 825| r0_178(glval<Derived *>) = VariableAddress[pd] :
|
||||||
@@ -3947,8 +3971,8 @@ ir.cpp:
|
|||||||
# 830| r0_206(glval<Derived>) = Convert : r0_205
|
# 830| r0_206(glval<Derived>) = Convert : r0_205
|
||||||
# 830| r0_207(Derived &) = Call : func:r0_202, this:r0_201, 0:r0_206
|
# 830| r0_207(Derived &) = Call : func:r0_202, this:r0_201, 0:r0_206
|
||||||
# 830| mu0_208(unknown) = ^CallSideEffect : ~mu0_2
|
# 830| mu0_208(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 830| v0_209(void) = ^IndirectReadSideEffect[-1] : &:r0_201, ~mu0_2
|
# 830| v0_209(void) = ^BufferReadSideEffect[-1] : &:r0_201, ~mu0_2
|
||||||
# 830| v0_210(void) = ^IndirectReadSideEffect[0] : &:r0_206, ~mu0_2
|
# 830| v0_210(void) = ^BufferReadSideEffect[0] : &:r0_206, ~mu0_2
|
||||||
# 830| mu0_211(Derived) = ^IndirectMayWriteSideEffect[-1] : &:r0_201
|
# 830| mu0_211(Derived) = ^IndirectMayWriteSideEffect[-1] : &:r0_201
|
||||||
# 830| mu0_212(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_206
|
# 830| mu0_212(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_206
|
||||||
# 831| r0_213(glval<Derived>) = VariableAddress[d] :
|
# 831| r0_213(glval<Derived>) = VariableAddress[d] :
|
||||||
@@ -3959,8 +3983,8 @@ ir.cpp:
|
|||||||
# 831| r0_218(glval<Derived>) = Convert : r0_217
|
# 831| r0_218(glval<Derived>) = Convert : r0_217
|
||||||
# 831| r0_219(Derived &) = Call : func:r0_214, this:r0_213, 0:r0_218
|
# 831| r0_219(Derived &) = Call : func:r0_214, this:r0_213, 0:r0_218
|
||||||
# 831| mu0_220(unknown) = ^CallSideEffect : ~mu0_2
|
# 831| mu0_220(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 831| v0_221(void) = ^IndirectReadSideEffect[-1] : &:r0_213, ~mu0_2
|
# 831| v0_221(void) = ^BufferReadSideEffect[-1] : &:r0_213, ~mu0_2
|
||||||
# 831| v0_222(void) = ^IndirectReadSideEffect[0] : &:r0_218, ~mu0_2
|
# 831| v0_222(void) = ^BufferReadSideEffect[0] : &:r0_218, ~mu0_2
|
||||||
# 831| mu0_223(Derived) = ^IndirectMayWriteSideEffect[-1] : &:r0_213
|
# 831| mu0_223(Derived) = ^IndirectMayWriteSideEffect[-1] : &:r0_213
|
||||||
# 831| mu0_224(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_218
|
# 831| mu0_224(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_218
|
||||||
# 832| r0_225(glval<Base *>) = VariableAddress[pb] :
|
# 832| r0_225(glval<Base *>) = VariableAddress[pb] :
|
||||||
@@ -4116,7 +4140,7 @@ ir.cpp:
|
|||||||
# 868| v0_7(void) = Call : func:r0_4, this:r0_3, 0:r0_6
|
# 868| v0_7(void) = Call : func:r0_4, this:r0_3, 0:r0_6
|
||||||
# 868| mu0_8(unknown) = ^CallSideEffect : ~mu0_2
|
# 868| mu0_8(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 868| mu0_9(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_3
|
# 868| mu0_9(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_3
|
||||||
# 868| v0_10(void) = ^IndirectReadSideEffect[0] : &:r0_6, ~mu0_2
|
# 868| v0_10(void) = ^BufferReadSideEffect[0] : &:r0_6, ~mu0_2
|
||||||
# 868| mu0_11(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_6
|
# 868| mu0_11(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_6
|
||||||
# 869| v0_12(void) = NoOp :
|
# 869| v0_12(void) = NoOp :
|
||||||
# 867| v0_13(void) = ReturnVoid :
|
# 867| v0_13(void) = ReturnVoid :
|
||||||
@@ -4341,7 +4365,7 @@ ir.cpp:
|
|||||||
# 945| v0_39(void) = Call : func:r0_36, this:r0_35, 0:r0_38
|
# 945| v0_39(void) = Call : func:r0_36, this:r0_35, 0:r0_38
|
||||||
# 945| mu0_40(unknown) = ^CallSideEffect : ~mu0_2
|
# 945| mu0_40(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 945| mu0_41(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_35
|
# 945| mu0_41(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_35
|
||||||
# 945| v0_42(void) = ^IndirectReadSideEffect[0] : &:r0_38, ~mu0_2
|
# 945| v0_42(void) = ^BufferReadSideEffect[0] : &:r0_38, ~mu0_2
|
||||||
# 945| mu0_43(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_38
|
# 945| mu0_43(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_38
|
||||||
# 946| r0_44(glval<unknown>) = FunctionAddress[operator new] :
|
# 946| r0_44(glval<unknown>) = FunctionAddress[operator new] :
|
||||||
# 946| r0_45(unsigned long) = Constant[256] :
|
# 946| r0_45(unsigned long) = Constant[256] :
|
||||||
@@ -4842,7 +4866,7 @@ ir.cpp:
|
|||||||
# 1035| r0_28(float) = Constant[1.0] :
|
# 1035| r0_28(float) = Constant[1.0] :
|
||||||
# 1035| r0_29(char) = Call : func:r0_27, this:r0_26, 0:r0_28
|
# 1035| r0_29(char) = Call : func:r0_27, this:r0_26, 0:r0_28
|
||||||
# 1035| mu0_30(unknown) = ^CallSideEffect : ~mu0_2
|
# 1035| mu0_30(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1035| v0_31(void) = ^IndirectReadSideEffect[-1] : &:r0_26, ~mu0_2
|
# 1035| v0_31(void) = ^BufferReadSideEffect[-1] : &:r0_26, ~mu0_2
|
||||||
# 1035| mu0_32(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_26
|
# 1035| mu0_32(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_26
|
||||||
# 1036| r0_33(glval<decltype([...](...){...})>) = VariableAddress[lambda_val] :
|
# 1036| r0_33(glval<decltype([...](...){...})>) = VariableAddress[lambda_val] :
|
||||||
# 1036| mu0_34(decltype([...](...){...})) = Uninitialized[lambda_val] : &:r0_33
|
# 1036| mu0_34(decltype([...](...){...})) = Uninitialized[lambda_val] : &:r0_33
|
||||||
@@ -4862,7 +4886,7 @@ ir.cpp:
|
|||||||
# 1036| v0_48(void) = Call : func:r0_35, this:r0_33, 0:r0_47
|
# 1036| v0_48(void) = Call : func:r0_35, this:r0_33, 0:r0_47
|
||||||
# 1036| mu0_49(unknown) = ^CallSideEffect : ~mu0_2
|
# 1036| mu0_49(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1036| mu0_50(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_33
|
# 1036| mu0_50(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_33
|
||||||
# 1036| v0_51(void) = ^IndirectReadSideEffect[0] : &:r0_47, ~mu0_2
|
# 1036| v0_51(void) = ^BufferReadSideEffect[0] : &:r0_47, ~mu0_2
|
||||||
# 1036| mu0_52(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_47
|
# 1036| mu0_52(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_47
|
||||||
# 1037| r0_53(glval<decltype([...](...){...})>) = VariableAddress[lambda_val] :
|
# 1037| r0_53(glval<decltype([...](...){...})>) = VariableAddress[lambda_val] :
|
||||||
# 1037| r0_54(glval<decltype([...](...){...})>) = Convert : r0_53
|
# 1037| r0_54(glval<decltype([...](...){...})>) = Convert : r0_53
|
||||||
@@ -4870,7 +4894,7 @@ ir.cpp:
|
|||||||
# 1037| r0_56(float) = Constant[2.0] :
|
# 1037| r0_56(float) = Constant[2.0] :
|
||||||
# 1037| r0_57(char) = Call : func:r0_55, this:r0_54, 0:r0_56
|
# 1037| r0_57(char) = Call : func:r0_55, this:r0_54, 0:r0_56
|
||||||
# 1037| mu0_58(unknown) = ^CallSideEffect : ~mu0_2
|
# 1037| mu0_58(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1037| v0_59(void) = ^IndirectReadSideEffect[-1] : &:r0_54, ~mu0_2
|
# 1037| v0_59(void) = ^BufferReadSideEffect[-1] : &:r0_54, ~mu0_2
|
||||||
# 1037| mu0_60(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_54
|
# 1037| mu0_60(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_54
|
||||||
# 1038| r0_61(glval<decltype([...](...){...})>) = VariableAddress[lambda_ref_explicit] :
|
# 1038| r0_61(glval<decltype([...](...){...})>) = VariableAddress[lambda_ref_explicit] :
|
||||||
# 1038| r0_62(glval<decltype([...](...){...})>) = VariableAddress[#temp1038:30] :
|
# 1038| r0_62(glval<decltype([...](...){...})>) = VariableAddress[#temp1038:30] :
|
||||||
@@ -4887,7 +4911,7 @@ ir.cpp:
|
|||||||
# 1039| r0_73(float) = Constant[3.0] :
|
# 1039| r0_73(float) = Constant[3.0] :
|
||||||
# 1039| r0_74(char) = Call : func:r0_72, this:r0_71, 0:r0_73
|
# 1039| r0_74(char) = Call : func:r0_72, this:r0_71, 0:r0_73
|
||||||
# 1039| mu0_75(unknown) = ^CallSideEffect : ~mu0_2
|
# 1039| mu0_75(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1039| v0_76(void) = ^IndirectReadSideEffect[-1] : &:r0_71, ~mu0_2
|
# 1039| v0_76(void) = ^BufferReadSideEffect[-1] : &:r0_71, ~mu0_2
|
||||||
# 1039| mu0_77(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_71
|
# 1039| mu0_77(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_71
|
||||||
# 1040| r0_78(glval<decltype([...](...){...})>) = VariableAddress[lambda_val_explicit] :
|
# 1040| r0_78(glval<decltype([...](...){...})>) = VariableAddress[lambda_val_explicit] :
|
||||||
# 1040| mu0_79(decltype([...](...){...})) = Uninitialized[lambda_val_explicit] : &:r0_78
|
# 1040| mu0_79(decltype([...](...){...})) = Uninitialized[lambda_val_explicit] : &:r0_78
|
||||||
@@ -4903,7 +4927,7 @@ ir.cpp:
|
|||||||
# 1040| v0_89(void) = Call : func:r0_80, this:r0_78, 0:r0_88
|
# 1040| v0_89(void) = Call : func:r0_80, this:r0_78, 0:r0_88
|
||||||
# 1040| mu0_90(unknown) = ^CallSideEffect : ~mu0_2
|
# 1040| mu0_90(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1040| mu0_91(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_78
|
# 1040| mu0_91(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_78
|
||||||
# 1040| v0_92(void) = ^IndirectReadSideEffect[0] : &:r0_88, ~mu0_2
|
# 1040| v0_92(void) = ^BufferReadSideEffect[0] : &:r0_88, ~mu0_2
|
||||||
# 1040| mu0_93(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_88
|
# 1040| mu0_93(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_88
|
||||||
# 1041| r0_94(glval<decltype([...](...){...})>) = VariableAddress[lambda_val_explicit] :
|
# 1041| r0_94(glval<decltype([...](...){...})>) = VariableAddress[lambda_val_explicit] :
|
||||||
# 1041| r0_95(glval<decltype([...](...){...})>) = Convert : r0_94
|
# 1041| r0_95(glval<decltype([...](...){...})>) = Convert : r0_94
|
||||||
@@ -4911,7 +4935,7 @@ ir.cpp:
|
|||||||
# 1041| r0_97(float) = Constant[4.0] :
|
# 1041| r0_97(float) = Constant[4.0] :
|
||||||
# 1041| r0_98(char) = Call : func:r0_96, this:r0_95, 0:r0_97
|
# 1041| r0_98(char) = Call : func:r0_96, this:r0_95, 0:r0_97
|
||||||
# 1041| mu0_99(unknown) = ^CallSideEffect : ~mu0_2
|
# 1041| mu0_99(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1041| v0_100(void) = ^IndirectReadSideEffect[-1] : &:r0_95, ~mu0_2
|
# 1041| v0_100(void) = ^BufferReadSideEffect[-1] : &:r0_95, ~mu0_2
|
||||||
# 1041| mu0_101(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_95
|
# 1041| mu0_101(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_95
|
||||||
# 1042| r0_102(glval<decltype([...](...){...})>) = VariableAddress[lambda_mixed_explicit] :
|
# 1042| r0_102(glval<decltype([...](...){...})>) = VariableAddress[lambda_mixed_explicit] :
|
||||||
# 1042| r0_103(glval<decltype([...](...){...})>) = VariableAddress[#temp1042:32] :
|
# 1042| r0_103(glval<decltype([...](...){...})>) = VariableAddress[#temp1042:32] :
|
||||||
@@ -4932,7 +4956,7 @@ ir.cpp:
|
|||||||
# 1043| r0_118(float) = Constant[5.0] :
|
# 1043| r0_118(float) = Constant[5.0] :
|
||||||
# 1043| r0_119(char) = Call : func:r0_117, this:r0_116, 0:r0_118
|
# 1043| r0_119(char) = Call : func:r0_117, this:r0_116, 0:r0_118
|
||||||
# 1043| mu0_120(unknown) = ^CallSideEffect : ~mu0_2
|
# 1043| mu0_120(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1043| v0_121(void) = ^IndirectReadSideEffect[-1] : &:r0_116, ~mu0_2
|
# 1043| v0_121(void) = ^BufferReadSideEffect[-1] : &:r0_116, ~mu0_2
|
||||||
# 1043| mu0_122(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_116
|
# 1043| mu0_122(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_116
|
||||||
# 1044| r0_123(glval<int>) = VariableAddress[r] :
|
# 1044| r0_123(glval<int>) = VariableAddress[r] :
|
||||||
# 1044| r0_124(glval<int>) = VariableAddress[x] :
|
# 1044| r0_124(glval<int>) = VariableAddress[x] :
|
||||||
@@ -4968,7 +4992,7 @@ ir.cpp:
|
|||||||
# 1046| r0_154(float) = Constant[6.0] :
|
# 1046| r0_154(float) = Constant[6.0] :
|
||||||
# 1046| r0_155(char) = Call : func:r0_153, this:r0_152, 0:r0_154
|
# 1046| r0_155(char) = Call : func:r0_153, this:r0_152, 0:r0_154
|
||||||
# 1046| mu0_156(unknown) = ^CallSideEffect : ~mu0_2
|
# 1046| mu0_156(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1046| v0_157(void) = ^IndirectReadSideEffect[-1] : &:r0_152, ~mu0_2
|
# 1046| v0_157(void) = ^BufferReadSideEffect[-1] : &:r0_152, ~mu0_2
|
||||||
# 1046| mu0_158(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_152
|
# 1046| mu0_158(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_152
|
||||||
# 1047| v0_159(void) = NoOp :
|
# 1047| v0_159(void) = NoOp :
|
||||||
# 1031| v0_160(void) = ReturnVoid :
|
# 1031| v0_160(void) = ReturnVoid :
|
||||||
@@ -5037,7 +5061,7 @@ ir.cpp:
|
|||||||
# 1034| r0_10(glval<unknown>) = FunctionAddress[c_str] :
|
# 1034| r0_10(glval<unknown>) = FunctionAddress[c_str] :
|
||||||
# 1034| r0_11(char *) = Call : func:r0_10, this:r0_9
|
# 1034| r0_11(char *) = Call : func:r0_10, this:r0_9
|
||||||
# 1034| mu0_12(unknown) = ^CallSideEffect : ~mu0_2
|
# 1034| mu0_12(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1034| v0_13(void) = ^IndirectReadSideEffect[-1] : &:r0_9, ~mu0_2
|
# 1034| v0_13(void) = ^BufferReadSideEffect[-1] : &:r0_9, ~mu0_2
|
||||||
# 1034| mu0_14(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_9
|
# 1034| mu0_14(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_9
|
||||||
#-----| r0_15(lambda [] type at line 1034, col. 21 *) = CopyValue : r0_3
|
#-----| r0_15(lambda [] type at line 1034, col. 21 *) = CopyValue : r0_3
|
||||||
#-----| r0_16(glval<int &>) = FieldAddress[x] : r0_15
|
#-----| r0_16(glval<int &>) = FieldAddress[x] : r0_15
|
||||||
@@ -5082,7 +5106,7 @@ ir.cpp:
|
|||||||
# 1036| r0_9(glval<unknown>) = FunctionAddress[c_str] :
|
# 1036| r0_9(glval<unknown>) = FunctionAddress[c_str] :
|
||||||
# 1036| r0_10(char *) = Call : func:r0_9, this:r0_8
|
# 1036| r0_10(char *) = Call : func:r0_9, this:r0_8
|
||||||
# 1036| mu0_11(unknown) = ^CallSideEffect : ~mu0_2
|
# 1036| mu0_11(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v0_12(void) = ^IndirectReadSideEffect[-1] : &:r0_8, ~mu0_2
|
#-----| v0_12(void) = ^BufferReadSideEffect[-1] : &:r0_8, ~mu0_2
|
||||||
#-----| mu0_13(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_8
|
#-----| mu0_13(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_8
|
||||||
#-----| r0_14(lambda [] type at line 1036, col. 21 *) = CopyValue : r0_3
|
#-----| r0_14(lambda [] type at line 1036, col. 21 *) = CopyValue : r0_3
|
||||||
#-----| r0_15(glval<int>) = FieldAddress[x] : r0_14
|
#-----| r0_15(glval<int>) = FieldAddress[x] : r0_14
|
||||||
@@ -5111,7 +5135,7 @@ ir.cpp:
|
|||||||
# 1038| r0_10(glval<unknown>) = FunctionAddress[c_str] :
|
# 1038| r0_10(glval<unknown>) = FunctionAddress[c_str] :
|
||||||
# 1038| r0_11(char *) = Call : func:r0_10, this:r0_9
|
# 1038| r0_11(char *) = Call : func:r0_10, this:r0_9
|
||||||
# 1038| mu0_12(unknown) = ^CallSideEffect : ~mu0_2
|
# 1038| mu0_12(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1038| v0_13(void) = ^IndirectReadSideEffect[-1] : &:r0_9, ~mu0_2
|
# 1038| v0_13(void) = ^BufferReadSideEffect[-1] : &:r0_9, ~mu0_2
|
||||||
# 1038| mu0_14(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_9
|
# 1038| mu0_14(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_9
|
||||||
# 1038| r0_15(int) = Constant[0] :
|
# 1038| r0_15(int) = Constant[0] :
|
||||||
# 1038| r0_16(glval<char>) = PointerAdd[1] : r0_11, r0_15
|
# 1038| r0_16(glval<char>) = PointerAdd[1] : r0_11, r0_15
|
||||||
@@ -5172,7 +5196,7 @@ ir.cpp:
|
|||||||
# 1040| r0_9(glval<unknown>) = FunctionAddress[c_str] :
|
# 1040| r0_9(glval<unknown>) = FunctionAddress[c_str] :
|
||||||
# 1040| r0_10(char *) = Call : func:r0_9, this:r0_8
|
# 1040| r0_10(char *) = Call : func:r0_9, this:r0_8
|
||||||
# 1040| mu0_11(unknown) = ^CallSideEffect : ~mu0_2
|
# 1040| mu0_11(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v0_12(void) = ^IndirectReadSideEffect[-1] : &:r0_8, ~mu0_2
|
#-----| v0_12(void) = ^BufferReadSideEffect[-1] : &:r0_8, ~mu0_2
|
||||||
#-----| mu0_13(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_8
|
#-----| mu0_13(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_8
|
||||||
# 1040| r0_14(int) = Constant[0] :
|
# 1040| r0_14(int) = Constant[0] :
|
||||||
# 1040| r0_15(glval<char>) = PointerAdd[1] : r0_10, r0_14
|
# 1040| r0_15(glval<char>) = PointerAdd[1] : r0_10, r0_14
|
||||||
@@ -5199,7 +5223,7 @@ ir.cpp:
|
|||||||
# 1042| r0_10(glval<unknown>) = FunctionAddress[c_str] :
|
# 1042| r0_10(glval<unknown>) = FunctionAddress[c_str] :
|
||||||
# 1042| r0_11(char *) = Call : func:r0_10, this:r0_9
|
# 1042| r0_11(char *) = Call : func:r0_10, this:r0_9
|
||||||
# 1042| mu0_12(unknown) = ^CallSideEffect : ~mu0_2
|
# 1042| mu0_12(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1042| v0_13(void) = ^IndirectReadSideEffect[-1] : &:r0_9, ~mu0_2
|
# 1042| v0_13(void) = ^BufferReadSideEffect[-1] : &:r0_9, ~mu0_2
|
||||||
# 1042| mu0_14(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_9
|
# 1042| mu0_14(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_9
|
||||||
#-----| r0_15(lambda [] type at line 1042, col. 32 *) = CopyValue : r0_3
|
#-----| r0_15(lambda [] type at line 1042, col. 32 *) = CopyValue : r0_3
|
||||||
#-----| r0_16(glval<int>) = FieldAddress[x] : r0_15
|
#-----| r0_16(glval<int>) = FieldAddress[x] : r0_15
|
||||||
@@ -5228,7 +5252,7 @@ ir.cpp:
|
|||||||
# 1045| r0_10(glval<unknown>) = FunctionAddress[c_str] :
|
# 1045| r0_10(glval<unknown>) = FunctionAddress[c_str] :
|
||||||
# 1045| r0_11(char *) = Call : func:r0_10, this:r0_9
|
# 1045| r0_11(char *) = Call : func:r0_10, this:r0_9
|
||||||
# 1045| mu0_12(unknown) = ^CallSideEffect : ~mu0_2
|
# 1045| mu0_12(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1045| v0_13(void) = ^IndirectReadSideEffect[-1] : &:r0_9, ~mu0_2
|
# 1045| v0_13(void) = ^BufferReadSideEffect[-1] : &:r0_9, ~mu0_2
|
||||||
# 1045| mu0_14(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_9
|
# 1045| mu0_14(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_9
|
||||||
#-----| r0_15(lambda [] type at line 1045, col. 23 *) = CopyValue : r0_3
|
#-----| r0_15(lambda [] type at line 1045, col. 23 *) = CopyValue : r0_3
|
||||||
#-----| r0_16(glval<int>) = FieldAddress[x] : r0_15
|
#-----| r0_16(glval<int>) = FieldAddress[x] : r0_15
|
||||||
@@ -5268,7 +5292,7 @@ ir.cpp:
|
|||||||
# 1069| r0_12(glval<unknown>) = FunctionAddress[begin] :
|
# 1069| r0_12(glval<unknown>) = FunctionAddress[begin] :
|
||||||
# 1069| r0_13(iterator) = Call : func:r0_12, this:r0_11
|
# 1069| r0_13(iterator) = Call : func:r0_12, this:r0_11
|
||||||
# 1069| mu0_14(unknown) = ^CallSideEffect : ~mu0_2
|
# 1069| mu0_14(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v0_15(void) = ^IndirectReadSideEffect[-1] : &:r0_11, ~mu0_2
|
#-----| v0_15(void) = ^BufferReadSideEffect[-1] : &:r0_11, ~mu0_2
|
||||||
#-----| mu0_16(vector<int>) = ^IndirectMayWriteSideEffect[-1] : &:r0_11
|
#-----| mu0_16(vector<int>) = ^IndirectMayWriteSideEffect[-1] : &:r0_11
|
||||||
# 1069| mu0_17(iterator) = Store : &:r0_9, r0_13
|
# 1069| mu0_17(iterator) = Store : &:r0_9, r0_13
|
||||||
# 1069| r0_18(glval<iterator>) = VariableAddress[(__end)] :
|
# 1069| r0_18(glval<iterator>) = VariableAddress[(__end)] :
|
||||||
@@ -5277,7 +5301,7 @@ ir.cpp:
|
|||||||
# 1069| r0_21(glval<unknown>) = FunctionAddress[end] :
|
# 1069| r0_21(glval<unknown>) = FunctionAddress[end] :
|
||||||
# 1069| r0_22(iterator) = Call : func:r0_21, this:r0_20
|
# 1069| r0_22(iterator) = Call : func:r0_21, this:r0_20
|
||||||
# 1069| mu0_23(unknown) = ^CallSideEffect : ~mu0_2
|
# 1069| mu0_23(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v0_24(void) = ^IndirectReadSideEffect[-1] : &:r0_20, ~mu0_2
|
#-----| v0_24(void) = ^BufferReadSideEffect[-1] : &:r0_20, ~mu0_2
|
||||||
#-----| mu0_25(vector<int>) = ^IndirectMayWriteSideEffect[-1] : &:r0_20
|
#-----| mu0_25(vector<int>) = ^IndirectMayWriteSideEffect[-1] : &:r0_20
|
||||||
# 1069| mu0_26(iterator) = Store : &:r0_18, r0_22
|
# 1069| mu0_26(iterator) = Store : &:r0_18, r0_22
|
||||||
#-----| Goto -> Block 4
|
#-----| Goto -> Block 4
|
||||||
@@ -5289,7 +5313,7 @@ ir.cpp:
|
|||||||
# 1075| r1_3(glval<unknown>) = FunctionAddress[operator*] :
|
# 1075| r1_3(glval<unknown>) = FunctionAddress[operator*] :
|
||||||
# 1075| r1_4(int &) = Call : func:r1_3, this:r1_2
|
# 1075| r1_4(int &) = Call : func:r1_3, this:r1_2
|
||||||
# 1075| mu1_5(unknown) = ^CallSideEffect : ~mu0_2
|
# 1075| mu1_5(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v1_6(void) = ^IndirectReadSideEffect[-1] : &:r1_2, ~mu0_2
|
#-----| v1_6(void) = ^BufferReadSideEffect[-1] : &:r1_2, ~mu0_2
|
||||||
#-----| mu1_7(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r1_2
|
#-----| mu1_7(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r1_2
|
||||||
# 1075| r1_8(glval<int>) = Convert : r1_4
|
# 1075| r1_8(glval<int>) = Convert : r1_4
|
||||||
# 1075| mu1_9(int &) = Store : &:r1_0, r1_8
|
# 1075| mu1_9(int &) = Store : &:r1_0, r1_8
|
||||||
@@ -5322,7 +5346,7 @@ ir.cpp:
|
|||||||
#-----| r4_4(iterator) = Load : &:r4_3, ~mu0_2
|
#-----| r4_4(iterator) = Load : &:r4_3, ~mu0_2
|
||||||
# 1069| r4_5(bool) = Call : func:r4_2, this:r4_1, 0:r4_4
|
# 1069| r4_5(bool) = Call : func:r4_2, this:r4_1, 0:r4_4
|
||||||
# 1069| mu4_6(unknown) = ^CallSideEffect : ~mu0_2
|
# 1069| mu4_6(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v4_7(void) = ^IndirectReadSideEffect[-1] : &:r4_1, ~mu0_2
|
#-----| v4_7(void) = ^BufferReadSideEffect[-1] : &:r4_1, ~mu0_2
|
||||||
#-----| mu4_8(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r4_1
|
#-----| mu4_8(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r4_1
|
||||||
# 1069| v4_9(void) = ConditionalBranch : r4_5
|
# 1069| v4_9(void) = ConditionalBranch : r4_5
|
||||||
#-----| False -> Block 8
|
#-----| False -> Block 8
|
||||||
@@ -5335,7 +5359,7 @@ ir.cpp:
|
|||||||
# 1069| r5_3(glval<unknown>) = FunctionAddress[operator*] :
|
# 1069| r5_3(glval<unknown>) = FunctionAddress[operator*] :
|
||||||
# 1069| r5_4(int &) = Call : func:r5_3, this:r5_2
|
# 1069| r5_4(int &) = Call : func:r5_3, this:r5_2
|
||||||
# 1069| mu5_5(unknown) = ^CallSideEffect : ~mu0_2
|
# 1069| mu5_5(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v5_6(void) = ^IndirectReadSideEffect[-1] : &:r5_2, ~mu0_2
|
#-----| v5_6(void) = ^BufferReadSideEffect[-1] : &:r5_2, ~mu0_2
|
||||||
#-----| mu5_7(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r5_2
|
#-----| mu5_7(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r5_2
|
||||||
# 1069| r5_8(int) = Load : &:r5_4, ~mu0_2
|
# 1069| r5_8(int) = Load : &:r5_4, ~mu0_2
|
||||||
# 1069| mu5_9(int) = Store : &:r5_0, r5_8
|
# 1069| mu5_9(int) = Store : &:r5_0, r5_8
|
||||||
@@ -5357,7 +5381,7 @@ ir.cpp:
|
|||||||
# 1069| r7_2(glval<unknown>) = FunctionAddress[operator++] :
|
# 1069| r7_2(glval<unknown>) = FunctionAddress[operator++] :
|
||||||
# 1069| r7_3(iterator &) = Call : func:r7_2, this:r7_1
|
# 1069| r7_3(iterator &) = Call : func:r7_2, this:r7_1
|
||||||
# 1069| mu7_4(unknown) = ^CallSideEffect : ~mu0_2
|
# 1069| mu7_4(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v7_5(void) = ^IndirectReadSideEffect[-1] : &:r7_1, ~mu0_2
|
#-----| v7_5(void) = ^BufferReadSideEffect[-1] : &:r7_1, ~mu0_2
|
||||||
#-----| mu7_6(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r7_1
|
#-----| mu7_6(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r7_1
|
||||||
#-----| Goto (back edge) -> Block 4
|
#-----| Goto (back edge) -> Block 4
|
||||||
|
|
||||||
@@ -5372,7 +5396,7 @@ ir.cpp:
|
|||||||
# 1075| r8_7(glval<unknown>) = FunctionAddress[begin] :
|
# 1075| r8_7(glval<unknown>) = FunctionAddress[begin] :
|
||||||
# 1075| r8_8(iterator) = Call : func:r8_7, this:r8_6
|
# 1075| r8_8(iterator) = Call : func:r8_7, this:r8_6
|
||||||
# 1075| mu8_9(unknown) = ^CallSideEffect : ~mu0_2
|
# 1075| mu8_9(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v8_10(void) = ^IndirectReadSideEffect[-1] : &:r8_6, ~mu0_2
|
#-----| v8_10(void) = ^BufferReadSideEffect[-1] : &:r8_6, ~mu0_2
|
||||||
#-----| mu8_11(vector<int>) = ^IndirectMayWriteSideEffect[-1] : &:r8_6
|
#-----| mu8_11(vector<int>) = ^IndirectMayWriteSideEffect[-1] : &:r8_6
|
||||||
# 1075| mu8_12(iterator) = Store : &:r8_4, r8_8
|
# 1075| mu8_12(iterator) = Store : &:r8_4, r8_8
|
||||||
# 1075| r8_13(glval<iterator>) = VariableAddress[(__end)] :
|
# 1075| r8_13(glval<iterator>) = VariableAddress[(__end)] :
|
||||||
@@ -5381,7 +5405,7 @@ ir.cpp:
|
|||||||
# 1075| r8_16(glval<unknown>) = FunctionAddress[end] :
|
# 1075| r8_16(glval<unknown>) = FunctionAddress[end] :
|
||||||
# 1075| r8_17(iterator) = Call : func:r8_16, this:r8_15
|
# 1075| r8_17(iterator) = Call : func:r8_16, this:r8_15
|
||||||
# 1075| mu8_18(unknown) = ^CallSideEffect : ~mu0_2
|
# 1075| mu8_18(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v8_19(void) = ^IndirectReadSideEffect[-1] : &:r8_15, ~mu0_2
|
#-----| v8_19(void) = ^BufferReadSideEffect[-1] : &:r8_15, ~mu0_2
|
||||||
#-----| mu8_20(vector<int>) = ^IndirectMayWriteSideEffect[-1] : &:r8_15
|
#-----| mu8_20(vector<int>) = ^IndirectMayWriteSideEffect[-1] : &:r8_15
|
||||||
# 1075| mu8_21(iterator) = Store : &:r8_13, r8_17
|
# 1075| mu8_21(iterator) = Store : &:r8_13, r8_17
|
||||||
#-----| Goto -> Block 9
|
#-----| Goto -> Block 9
|
||||||
@@ -5394,7 +5418,7 @@ ir.cpp:
|
|||||||
#-----| r9_4(iterator) = Load : &:r9_3, ~mu0_2
|
#-----| r9_4(iterator) = Load : &:r9_3, ~mu0_2
|
||||||
# 1075| r9_5(bool) = Call : func:r9_2, this:r9_1, 0:r9_4
|
# 1075| r9_5(bool) = Call : func:r9_2, this:r9_1, 0:r9_4
|
||||||
# 1075| mu9_6(unknown) = ^CallSideEffect : ~mu0_2
|
# 1075| mu9_6(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v9_7(void) = ^IndirectReadSideEffect[-1] : &:r9_1, ~mu0_2
|
#-----| v9_7(void) = ^BufferReadSideEffect[-1] : &:r9_1, ~mu0_2
|
||||||
#-----| mu9_8(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r9_1
|
#-----| mu9_8(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r9_1
|
||||||
# 1075| v9_9(void) = ConditionalBranch : r9_5
|
# 1075| v9_9(void) = ConditionalBranch : r9_5
|
||||||
#-----| False -> Block 3
|
#-----| False -> Block 3
|
||||||
@@ -5405,7 +5429,7 @@ ir.cpp:
|
|||||||
# 1075| r10_1(glval<unknown>) = FunctionAddress[operator++] :
|
# 1075| r10_1(glval<unknown>) = FunctionAddress[operator++] :
|
||||||
# 1075| r10_2(iterator &) = Call : func:r10_1, this:r10_0
|
# 1075| r10_2(iterator &) = Call : func:r10_1, this:r10_0
|
||||||
# 1075| mu10_3(unknown) = ^CallSideEffect : ~mu0_2
|
# 1075| mu10_3(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
#-----| v10_4(void) = ^IndirectReadSideEffect[-1] : &:r10_0, ~mu0_2
|
#-----| v10_4(void) = ^BufferReadSideEffect[-1] : &:r10_0, ~mu0_2
|
||||||
#-----| mu10_5(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r10_0
|
#-----| mu10_5(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r10_0
|
||||||
#-----| Goto (back edge) -> Block 9
|
#-----| Goto (back edge) -> Block 9
|
||||||
|
|
||||||
@@ -5574,7 +5598,7 @@ ir.cpp:
|
|||||||
# 1140| v7_4(void) = Call : func:r7_1, this:r7_0, 0:r7_3
|
# 1140| v7_4(void) = Call : func:r7_1, this:r7_0, 0:r7_3
|
||||||
# 1140| mu7_5(unknown) = ^CallSideEffect : ~mu0_2
|
# 1140| mu7_5(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1140| mu7_6(String) = ^IndirectMayWriteSideEffect[-1] : &:r7_0
|
# 1140| mu7_6(String) = ^IndirectMayWriteSideEffect[-1] : &:r7_0
|
||||||
# 1140| v7_7(void) = ^IndirectReadSideEffect[0] : &:r7_3, ~mu0_2
|
# 1140| v7_7(void) = ^BufferReadSideEffect[0] : &:r7_3, ~mu0_2
|
||||||
# 1140| mu7_8(unknown) = ^BufferMayWriteSideEffect[0] : &:r7_3
|
# 1140| mu7_8(unknown) = ^BufferMayWriteSideEffect[0] : &:r7_3
|
||||||
# 1140| v7_9(void) = ThrowValue : &:r7_0, ~mu0_2
|
# 1140| v7_9(void) = ThrowValue : &:r7_0, ~mu0_2
|
||||||
#-----| Exception -> Block 9
|
#-----| Exception -> Block 9
|
||||||
@@ -5600,7 +5624,7 @@ ir.cpp:
|
|||||||
# 1145| v10_6(void) = Call : func:r10_3, this:r10_2, 0:r10_5
|
# 1145| v10_6(void) = Call : func:r10_3, this:r10_2, 0:r10_5
|
||||||
# 1145| mu10_7(unknown) = ^CallSideEffect : ~mu0_2
|
# 1145| mu10_7(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 1145| mu10_8(String) = ^IndirectMayWriteSideEffect[-1] : &:r10_2
|
# 1145| mu10_8(String) = ^IndirectMayWriteSideEffect[-1] : &:r10_2
|
||||||
# 1145| v10_9(void) = ^IndirectReadSideEffect[0] : &:r10_5, ~mu0_2
|
# 1145| v10_9(void) = ^BufferReadSideEffect[0] : &:r10_5, ~mu0_2
|
||||||
# 1145| mu10_10(unknown) = ^BufferMayWriteSideEffect[0] : &:r10_5
|
# 1145| mu10_10(unknown) = ^BufferMayWriteSideEffect[0] : &:r10_5
|
||||||
# 1145| v10_11(void) = ThrowValue : &:r10_2, ~mu0_2
|
# 1145| v10_11(void) = ThrowValue : &:r10_2, ~mu0_2
|
||||||
#-----| Exception -> Block 2
|
#-----| Exception -> Block 2
|
||||||
|
|||||||
@@ -334,7 +334,7 @@ ssa.cpp:
|
|||||||
# 97| v0_13(void) = Call : func:r0_10, 0:r0_12
|
# 97| v0_13(void) = Call : func:r0_10, 0:r0_12
|
||||||
# 97| m0_14(unknown) = ^CallSideEffect : ~m0_5
|
# 97| m0_14(unknown) = ^CallSideEffect : ~m0_5
|
||||||
# 97| m0_15(unknown) = Chi : total:m0_5, partial:m0_14
|
# 97| m0_15(unknown) = Chi : total:m0_5, partial:m0_14
|
||||||
# 97| v0_16(void) = ^IndirectReadSideEffect[0] : &:r0_12, ~m0_15
|
# 97| v0_16(void) = ^BufferReadSideEffect[0] : &:r0_12, ~m0_15
|
||||||
# 97| m0_17(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_12
|
# 97| m0_17(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_12
|
||||||
# 97| m0_18(unknown) = Chi : total:m0_15, partial:m0_17
|
# 97| m0_18(unknown) = Chi : total:m0_15, partial:m0_17
|
||||||
# 98| v0_19(void) = NoOp :
|
# 98| v0_19(void) = NoOp :
|
||||||
@@ -390,7 +390,7 @@ ssa.cpp:
|
|||||||
# 108| v0_19(void) = Call : func:r0_16, 0:r0_18
|
# 108| v0_19(void) = Call : func:r0_16, 0:r0_18
|
||||||
# 108| m0_20(unknown) = ^CallSideEffect : ~m0_5
|
# 108| m0_20(unknown) = ^CallSideEffect : ~m0_5
|
||||||
# 108| m0_21(unknown) = Chi : total:m0_5, partial:m0_20
|
# 108| m0_21(unknown) = Chi : total:m0_5, partial:m0_20
|
||||||
# 108| v0_22(void) = ^IndirectReadSideEffect[0] : &:r0_18, ~m0_21
|
# 108| v0_22(void) = ^BufferReadSideEffect[0] : &:r0_18, ~m0_21
|
||||||
# 108| m0_23(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_18
|
# 108| m0_23(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_18
|
||||||
# 108| m0_24(unknown) = Chi : total:m0_21, partial:m0_23
|
# 108| m0_24(unknown) = Chi : total:m0_21, partial:m0_23
|
||||||
# 109| v0_25(void) = NoOp :
|
# 109| v0_25(void) = NoOp :
|
||||||
@@ -462,7 +462,7 @@ ssa.cpp:
|
|||||||
# 119| v0_27(void) = Call : func:r0_24, 0:r0_26
|
# 119| v0_27(void) = Call : func:r0_24, 0:r0_26
|
||||||
# 119| m0_28(unknown) = ^CallSideEffect : ~m0_19
|
# 119| m0_28(unknown) = ^CallSideEffect : ~m0_19
|
||||||
# 119| m0_29(unknown) = Chi : total:m0_19, partial:m0_28
|
# 119| m0_29(unknown) = Chi : total:m0_19, partial:m0_28
|
||||||
# 119| v0_30(void) = ^IndirectReadSideEffect[0] : &:r0_26, ~m0_29
|
# 119| v0_30(void) = ^BufferReadSideEffect[0] : &:r0_26, ~m0_29
|
||||||
# 119| m0_31(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_26
|
# 119| m0_31(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_26
|
||||||
# 119| m0_32(unknown) = Chi : total:m0_29, partial:m0_31
|
# 119| m0_32(unknown) = Chi : total:m0_29, partial:m0_31
|
||||||
# 120| v0_33(void) = NoOp :
|
# 120| v0_33(void) = NoOp :
|
||||||
@@ -915,7 +915,7 @@ ssa.cpp:
|
|||||||
# 221| v0_14(void) = Call : func:r0_13, this:r0_12
|
# 221| v0_14(void) = Call : func:r0_13, this:r0_12
|
||||||
# 221| m0_15(unknown) = ^CallSideEffect : ~m0_9
|
# 221| m0_15(unknown) = ^CallSideEffect : ~m0_9
|
||||||
# 221| m0_16(unknown) = Chi : total:m0_9, partial:m0_15
|
# 221| m0_16(unknown) = Chi : total:m0_9, partial:m0_15
|
||||||
# 221| v0_17(void) = ^IndirectReadSideEffect[-1] : &:r0_12, m0_11
|
# 221| v0_17(void) = ^BufferReadSideEffect[-1] : &:r0_12, ~m0_11
|
||||||
# 221| m0_18(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_12
|
# 221| m0_18(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_12
|
||||||
# 221| m0_19(Constructible) = Chi : total:m0_11, partial:m0_18
|
# 221| m0_19(Constructible) = Chi : total:m0_11, partial:m0_18
|
||||||
# 222| r0_20(glval<Constructible>) = VariableAddress[c] :
|
# 222| r0_20(glval<Constructible>) = VariableAddress[c] :
|
||||||
@@ -923,7 +923,7 @@ ssa.cpp:
|
|||||||
# 222| v0_22(void) = Call : func:r0_21, this:r0_20
|
# 222| v0_22(void) = Call : func:r0_21, this:r0_20
|
||||||
# 222| m0_23(unknown) = ^CallSideEffect : ~m0_16
|
# 222| m0_23(unknown) = ^CallSideEffect : ~m0_16
|
||||||
# 222| m0_24(unknown) = Chi : total:m0_16, partial:m0_23
|
# 222| m0_24(unknown) = Chi : total:m0_16, partial:m0_23
|
||||||
# 222| v0_25(void) = ^IndirectReadSideEffect[-1] : &:r0_20, m0_19
|
# 222| v0_25(void) = ^BufferReadSideEffect[-1] : &:r0_20, ~m0_19
|
||||||
# 222| m0_26(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_20
|
# 222| m0_26(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_20
|
||||||
# 222| m0_27(Constructible) = Chi : total:m0_19, partial:m0_26
|
# 222| m0_27(Constructible) = Chi : total:m0_19, partial:m0_26
|
||||||
# 223| r0_28(glval<Constructible>) = VariableAddress[c2] :
|
# 223| r0_28(glval<Constructible>) = VariableAddress[c2] :
|
||||||
@@ -940,7 +940,7 @@ ssa.cpp:
|
|||||||
# 224| v0_39(void) = Call : func:r0_38, this:r0_37
|
# 224| v0_39(void) = Call : func:r0_38, this:r0_37
|
||||||
# 224| m0_40(unknown) = ^CallSideEffect : ~m0_34
|
# 224| m0_40(unknown) = ^CallSideEffect : ~m0_34
|
||||||
# 224| m0_41(unknown) = Chi : total:m0_34, partial:m0_40
|
# 224| m0_41(unknown) = Chi : total:m0_34, partial:m0_40
|
||||||
# 224| v0_42(void) = ^IndirectReadSideEffect[-1] : &:r0_37, m0_36
|
# 224| v0_42(void) = ^BufferReadSideEffect[-1] : &:r0_37, ~m0_36
|
||||||
# 224| m0_43(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_37
|
# 224| m0_43(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_37
|
||||||
# 224| m0_44(Constructible) = Chi : total:m0_36, partial:m0_43
|
# 224| m0_44(Constructible) = Chi : total:m0_36, partial:m0_43
|
||||||
# 225| v0_45(void) = NoOp :
|
# 225| v0_45(void) = NoOp :
|
||||||
|
|||||||
@@ -333,7 +333,7 @@ ssa.cpp:
|
|||||||
# 97| r0_11(void *) = Convert : r0_10
|
# 97| r0_11(void *) = Convert : r0_10
|
||||||
# 97| v0_12(void) = Call : func:r0_9, 0:r0_11
|
# 97| v0_12(void) = Call : func:r0_9, 0:r0_11
|
||||||
# 97| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
|
# 97| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 97| v0_14(void) = ^IndirectReadSideEffect[0] : &:r0_11, ~mu0_2
|
# 97| v0_14(void) = ^BufferReadSideEffect[0] : &:r0_11, ~mu0_2
|
||||||
# 97| mu0_15(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_11
|
# 97| mu0_15(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_11
|
||||||
# 98| v0_16(void) = NoOp :
|
# 98| v0_16(void) = NoOp :
|
||||||
# 95| v0_17(void) = ReturnVoid :
|
# 95| v0_17(void) = ReturnVoid :
|
||||||
@@ -386,7 +386,7 @@ ssa.cpp:
|
|||||||
# 108| r0_17(void *) = Convert : r0_16
|
# 108| r0_17(void *) = Convert : r0_16
|
||||||
# 108| v0_18(void) = Call : func:r0_15, 0:r0_17
|
# 108| v0_18(void) = Call : func:r0_15, 0:r0_17
|
||||||
# 108| mu0_19(unknown) = ^CallSideEffect : ~mu0_2
|
# 108| mu0_19(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 108| v0_20(void) = ^IndirectReadSideEffect[0] : &:r0_17, ~mu0_2
|
# 108| v0_20(void) = ^BufferReadSideEffect[0] : &:r0_17, ~mu0_2
|
||||||
# 108| mu0_21(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_17
|
# 108| mu0_21(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_17
|
||||||
# 109| v0_22(void) = NoOp :
|
# 109| v0_22(void) = NoOp :
|
||||||
# 105| v0_23(void) = ReturnVoid :
|
# 105| v0_23(void) = ReturnVoid :
|
||||||
@@ -451,7 +451,7 @@ ssa.cpp:
|
|||||||
# 119| r0_23(void *) = Convert : r0_22
|
# 119| r0_23(void *) = Convert : r0_22
|
||||||
# 119| v0_24(void) = Call : func:r0_21, 0:r0_23
|
# 119| v0_24(void) = Call : func:r0_21, 0:r0_23
|
||||||
# 119| mu0_25(unknown) = ^CallSideEffect : ~mu0_2
|
# 119| mu0_25(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 119| v0_26(void) = ^IndirectReadSideEffect[0] : &:r0_23, ~mu0_2
|
# 119| v0_26(void) = ^BufferReadSideEffect[0] : &:r0_23, ~mu0_2
|
||||||
# 119| mu0_27(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_23
|
# 119| mu0_27(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_23
|
||||||
# 120| v0_28(void) = NoOp :
|
# 120| v0_28(void) = NoOp :
|
||||||
# 116| v0_29(void) = ReturnVoid :
|
# 116| v0_29(void) = ReturnVoid :
|
||||||
@@ -876,13 +876,13 @@ ssa.cpp:
|
|||||||
# 221| r0_11(glval<unknown>) = FunctionAddress[g] :
|
# 221| r0_11(glval<unknown>) = FunctionAddress[g] :
|
||||||
# 221| v0_12(void) = Call : func:r0_11, this:r0_10
|
# 221| v0_12(void) = Call : func:r0_11, this:r0_10
|
||||||
# 221| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
|
# 221| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 221| v0_14(void) = ^IndirectReadSideEffect[-1] : &:r0_10, ~mu0_2
|
# 221| v0_14(void) = ^BufferReadSideEffect[-1] : &:r0_10, ~mu0_2
|
||||||
# 221| mu0_15(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_10
|
# 221| mu0_15(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_10
|
||||||
# 222| r0_16(glval<Constructible>) = VariableAddress[c] :
|
# 222| r0_16(glval<Constructible>) = VariableAddress[c] :
|
||||||
# 222| r0_17(glval<unknown>) = FunctionAddress[g] :
|
# 222| r0_17(glval<unknown>) = FunctionAddress[g] :
|
||||||
# 222| v0_18(void) = Call : func:r0_17, this:r0_16
|
# 222| v0_18(void) = Call : func:r0_17, this:r0_16
|
||||||
# 222| mu0_19(unknown) = ^CallSideEffect : ~mu0_2
|
# 222| mu0_19(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 222| v0_20(void) = ^IndirectReadSideEffect[-1] : &:r0_16, ~mu0_2
|
# 222| v0_20(void) = ^BufferReadSideEffect[-1] : &:r0_16, ~mu0_2
|
||||||
# 222| mu0_21(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_16
|
# 222| mu0_21(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_16
|
||||||
# 223| r0_22(glval<Constructible>) = VariableAddress[c2] :
|
# 223| r0_22(glval<Constructible>) = VariableAddress[c2] :
|
||||||
# 223| mu0_23(Constructible) = Uninitialized[c2] : &:r0_22
|
# 223| mu0_23(Constructible) = Uninitialized[c2] : &:r0_22
|
||||||
@@ -895,7 +895,7 @@ ssa.cpp:
|
|||||||
# 224| r0_30(glval<unknown>) = FunctionAddress[g] :
|
# 224| r0_30(glval<unknown>) = FunctionAddress[g] :
|
||||||
# 224| v0_31(void) = Call : func:r0_30, this:r0_29
|
# 224| v0_31(void) = Call : func:r0_30, this:r0_29
|
||||||
# 224| mu0_32(unknown) = ^CallSideEffect : ~mu0_2
|
# 224| mu0_32(unknown) = ^CallSideEffect : ~mu0_2
|
||||||
# 224| v0_33(void) = ^IndirectReadSideEffect[-1] : &:r0_29, ~mu0_2
|
# 224| v0_33(void) = ^BufferReadSideEffect[-1] : &:r0_29, ~mu0_2
|
||||||
# 224| mu0_34(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_29
|
# 224| mu0_34(Constructible) = ^IndirectMayWriteSideEffect[-1] : &:r0_29
|
||||||
# 225| v0_35(void) = NoOp :
|
# 225| v0_35(void) = NoOp :
|
||||||
# 219| v0_36(void) = ReturnVoid :
|
# 219| v0_36(void) = ReturnVoid :
|
||||||
|
|||||||
@@ -1,3 +1,7 @@
|
|||||||
|
| file://:0:0:0:0 | __i | file://:0:0:0:0 | unsigned long |
|
||||||
|
| file://:0:0:0:0 | uls | file://:0:0:0:0 | unsigned long |
|
||||||
|
| file://:0:0:0:0 | uls | file://:0:0:0:0 | unsigned long |
|
||||||
|
| file://:0:0:0:0 | uls | file://:0:0:0:0 | unsigned long |
|
||||||
| segfault.cpp:25:46:25:65 | call to S | file://:0:0:0:0 | void |
|
| segfault.cpp:25:46:25:65 | call to S | file://:0:0:0:0 | void |
|
||||||
| segfault.cpp:25:46:25:65 | call to S | file://:0:0:0:0 | void |
|
| segfault.cpp:25:46:25:65 | call to S | file://:0:0:0:0 | void |
|
||||||
| segfault.cpp:25:48:25:55 | __second | segfault.cpp:15:7:15:11 | tuple |
|
| segfault.cpp:25:48:25:55 | __second | segfault.cpp:15:7:15:11 | tuple |
|
||||||
|
|||||||
@@ -1,53 +1,108 @@
|
|||||||
| staticlocals__staticlocals_f2_extractor | false | 22465 | 22465 | f2 |
|
| pointer_to_member__pmIsConstT_extractor | false | 15733 | 15733 | pmIsConstT |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22470 | 22470 | declaration |
|
| pointer_to_member__pmIsConstT_extractor | false | 15741 | 15741 | declaration |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22472 | 22472 | declaration |
|
| pointer_to_member__pmIsConstT_extractor | false | 15743 | 15743 | return ... |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22474 | 22474 | declaration |
|
| pointer_to_member__pmIsConstT_extractor | false | 15745 | 15745 | { ... } |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22476 | 22476 | declaration |
|
| pointer_to_member__pmIsConstT_extractor | false | 15748 | 15748 | {...} |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22478 | 22478 | return ... |
|
| pointer_to_member__pmIsConstT_extractor | false | 15753 | 15753 | x1 |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22480 | 22480 | { ... } |
|
| pointer_to_member__pmIsConstT_extractor | false | 15755 | 15755 | & ... |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22482 | 22482 | call to C |
|
| pointer_to_member__pmIsConstT_extractor | false | 15760 | 15760 | f1 |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22484 | 22484 | initializer for c |
|
| pointer_to_member__pmIsConstT_extractor | false | 15762 | 15762 | & ... |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22486 | 22486 | call to addOne |
|
| pointer_to_member__pmIsConstT_extractor | false | 15764 | 15764 | initializer for pms |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22490 | 22490 | 2 |
|
| pointer_to_member__pmIsConstT_extractor | true | 15741 | 15743 | |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22493 | 22493 | initializer for j |
|
| pointer_to_member__pmIsConstT_extractor | true | 15743 | 15733 | |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22494 | 22494 | call to addOne |
|
| pointer_to_member__pmIsConstT_extractor | true | 15745 | 15741 | |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22499 | 22499 | 2 |
|
| pointer_to_member__pmIsConstT_ql | false | 15733 | 15733 | pmIsConstT |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22500 | 22500 | initializer for two |
|
| pointer_to_member__pmIsConstT_ql | false | 15741 | 15741 | declaration |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22503 | 22503 | two |
|
| pointer_to_member__pmIsConstT_ql | false | 15743 | 15743 | return ... |
|
||||||
| staticlocals__staticlocals_f2_extractor | false | 22508 | 22508 | initializer for i |
|
| pointer_to_member__pmIsConstT_ql | false | 15745 | 15745 | { ... } |
|
||||||
| staticlocals__staticlocals_f2_extractor | true | 22470 | 22500 | |
|
| pointer_to_member__pmIsConstT_ql | false | 15748 | 15748 | {...} |
|
||||||
| staticlocals__staticlocals_f2_extractor | true | 22472 | 22474 | |
|
| pointer_to_member__pmIsConstT_ql | false | 15753 | 15753 | x1 |
|
||||||
| staticlocals__staticlocals_f2_extractor | true | 22474 | 22476 | |
|
| pointer_to_member__pmIsConstT_ql | false | 15755 | 15755 | & ... |
|
||||||
| staticlocals__staticlocals_f2_extractor | true | 22476 | 22478 | |
|
| pointer_to_member__pmIsConstT_ql | false | 15760 | 15760 | f1 |
|
||||||
| staticlocals__staticlocals_f2_extractor | true | 22478 | 22465 | |
|
| pointer_to_member__pmIsConstT_ql | false | 15762 | 15762 | & ... |
|
||||||
| staticlocals__staticlocals_f2_extractor | true | 22480 | 22470 | |
|
| pointer_to_member__pmIsConstT_ql | false | 15764 | 15764 | initializer for pms |
|
||||||
| staticlocals__staticlocals_f2_extractor | true | 22499 | 22472 | |
|
| pointer_to_member__pmIsConstT_ql | true | 15741 | 15764 | |
|
||||||
| staticlocals__staticlocals_f2_extractor | true | 22500 | 22499 | |
|
| pointer_to_member__pmIsConstT_ql | true | 15743 | 15733 | |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22465 | 22465 | f2 |
|
| pointer_to_member__pmIsConstT_ql | true | 15745 | 15741 | |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22470 | 22470 | declaration |
|
| pointer_to_member__pmIsConstT_ql | true | 15748 | 15743 | |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22472 | 22472 | declaration |
|
| pointer_to_member__pmIsConstT_ql | true | 15753 | 15755 | |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22474 | 22474 | declaration |
|
| pointer_to_member__pmIsConstT_ql | true | 15755 | 15760 | |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22476 | 22476 | declaration |
|
| pointer_to_member__pmIsConstT_ql | true | 15760 | 15762 | |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22478 | 22478 | return ... |
|
| pointer_to_member__pmIsConstT_ql | true | 15762 | 15748 | |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22480 | 22480 | { ... } |
|
| pointer_to_member__pmIsConstT_ql | true | 15764 | 15753 | |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22482 | 22482 | call to C |
|
| staticlocals__staticlocals_f2_extractor | false | 22550 | 22550 | f2 |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22484 | 22484 | initializer for c |
|
| staticlocals__staticlocals_f2_extractor | false | 22555 | 22555 | declaration |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22486 | 22486 | call to addOne |
|
| staticlocals__staticlocals_f2_extractor | false | 22557 | 22557 | declaration |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22490 | 22490 | 2 |
|
| staticlocals__staticlocals_f2_extractor | false | 22559 | 22559 | declaration |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22493 | 22493 | initializer for j |
|
| staticlocals__staticlocals_f2_extractor | false | 22561 | 22561 | declaration |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22494 | 22494 | call to addOne |
|
| staticlocals__staticlocals_f2_extractor | false | 22563 | 22563 | return ... |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22499 | 22499 | 2 |
|
| staticlocals__staticlocals_f2_extractor | false | 22565 | 22565 | { ... } |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22500 | 22500 | initializer for two |
|
| staticlocals__staticlocals_f2_extractor | false | 22567 | 22567 | call to C |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22503 | 22503 | two |
|
| staticlocals__staticlocals_f2_extractor | false | 22569 | 22569 | initializer for c |
|
||||||
| staticlocals__staticlocals_f2_ql | false | 22508 | 22508 | initializer for i |
|
| staticlocals__staticlocals_f2_extractor | false | 22571 | 22571 | call to addOne |
|
||||||
| staticlocals__staticlocals_f2_ql | true | 22470 | 22500 | |
|
| staticlocals__staticlocals_f2_extractor | false | 22575 | 22575 | 2 |
|
||||||
| staticlocals__staticlocals_f2_ql | true | 22472 | 22474 | |
|
| staticlocals__staticlocals_f2_extractor | false | 22578 | 22578 | initializer for j |
|
||||||
| staticlocals__staticlocals_f2_ql | true | 22474 | 22476 | |
|
| staticlocals__staticlocals_f2_extractor | false | 22579 | 22579 | call to addOne |
|
||||||
| staticlocals__staticlocals_f2_ql | true | 22476 | 22478 | |
|
| staticlocals__staticlocals_f2_extractor | false | 22584 | 22584 | 2 |
|
||||||
| staticlocals__staticlocals_f2_ql | true | 22476 | 22484 | |
|
| staticlocals__staticlocals_f2_extractor | false | 22585 | 22585 | initializer for two |
|
||||||
| staticlocals__staticlocals_f2_ql | true | 22478 | 22465 | |
|
| staticlocals__staticlocals_f2_extractor | false | 22588 | 22588 | two |
|
||||||
| staticlocals__staticlocals_f2_ql | true | 22480 | 22470 | |
|
| staticlocals__staticlocals_f2_extractor | false | 22593 | 22593 | initializer for i |
|
||||||
| staticlocals__staticlocals_f2_ql | true | 22482 | 22478 | |
|
| staticlocals__staticlocals_f2_extractor | true | 22555 | 22585 | |
|
||||||
| staticlocals__staticlocals_f2_ql | true | 22484 | 22482 | |
|
| staticlocals__staticlocals_f2_extractor | true | 22557 | 22559 | |
|
||||||
| staticlocals__staticlocals_f2_ql | true | 22499 | 22472 | |
|
| staticlocals__staticlocals_f2_extractor | true | 22559 | 22561 | |
|
||||||
| staticlocals__staticlocals_f2_ql | true | 22500 | 22499 | |
|
| staticlocals__staticlocals_f2_extractor | true | 22561 | 22563 | |
|
||||||
|
| staticlocals__staticlocals_f2_extractor | true | 22563 | 22550 | |
|
||||||
|
| staticlocals__staticlocals_f2_extractor | true | 22565 | 22555 | |
|
||||||
|
| staticlocals__staticlocals_f2_extractor | true | 22584 | 22557 | |
|
||||||
|
| staticlocals__staticlocals_f2_extractor | true | 22585 | 22584 | |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22550 | 22550 | f2 |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22555 | 22555 | declaration |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22557 | 22557 | declaration |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22559 | 22559 | declaration |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22561 | 22561 | declaration |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22563 | 22563 | return ... |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22565 | 22565 | { ... } |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22567 | 22567 | call to C |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22569 | 22569 | initializer for c |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22571 | 22571 | call to addOne |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22575 | 22575 | 2 |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22578 | 22578 | initializer for j |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22579 | 22579 | call to addOne |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22584 | 22584 | 2 |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22585 | 22585 | initializer for two |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22588 | 22588 | two |
|
||||||
|
| staticlocals__staticlocals_f2_ql | false | 22593 | 22593 | initializer for i |
|
||||||
|
| staticlocals__staticlocals_f2_ql | true | 22555 | 22585 | |
|
||||||
|
| staticlocals__staticlocals_f2_ql | true | 22557 | 22559 | |
|
||||||
|
| staticlocals__staticlocals_f2_ql | true | 22559 | 22561 | |
|
||||||
|
| staticlocals__staticlocals_f2_ql | true | 22561 | 22563 | |
|
||||||
|
| staticlocals__staticlocals_f2_ql | true | 22561 | 22569 | |
|
||||||
|
| staticlocals__staticlocals_f2_ql | true | 22563 | 22550 | |
|
||||||
|
| staticlocals__staticlocals_f2_ql | true | 22565 | 22555 | |
|
||||||
|
| staticlocals__staticlocals_f2_ql | true | 22567 | 22563 | |
|
||||||
|
| staticlocals__staticlocals_f2_ql | true | 22569 | 22567 | |
|
||||||
|
| staticlocals__staticlocals_f2_ql | true | 22584 | 22557 | |
|
||||||
|
| staticlocals__staticlocals_f2_ql | true | 22585 | 22584 | |
|
||||||
|
| staticlocals__staticlocals_f3_extractor | false | 22529 | 22529 | f3 |
|
||||||
|
| staticlocals__staticlocals_f3_extractor | false | 22532 | 22532 | declaration |
|
||||||
|
| staticlocals__staticlocals_f3_extractor | false | 22534 | 22534 | return ... |
|
||||||
|
| staticlocals__staticlocals_f3_extractor | false | 22536 | 22536 | { ... } |
|
||||||
|
| staticlocals__staticlocals_f3_extractor | false | 22543 | 22543 | value |
|
||||||
|
| staticlocals__staticlocals_f3_extractor | false | 22545 | 22545 | (int)... |
|
||||||
|
| staticlocals__staticlocals_f3_extractor | false | 22546 | 22546 | initializer for i |
|
||||||
|
| staticlocals__staticlocals_f3_extractor | true | 22532 | 22534 | |
|
||||||
|
| staticlocals__staticlocals_f3_extractor | true | 22534 | 22529 | |
|
||||||
|
| staticlocals__staticlocals_f3_extractor | true | 22536 | 22532 | |
|
||||||
|
| staticlocals__staticlocals_f3_ql | false | 22529 | 22529 | f3 |
|
||||||
|
| staticlocals__staticlocals_f3_ql | false | 22532 | 22532 | declaration |
|
||||||
|
| staticlocals__staticlocals_f3_ql | false | 22534 | 22534 | return ... |
|
||||||
|
| staticlocals__staticlocals_f3_ql | false | 22536 | 22536 | { ... } |
|
||||||
|
| staticlocals__staticlocals_f3_ql | false | 22543 | 22543 | value |
|
||||||
|
| staticlocals__staticlocals_f3_ql | false | 22545 | 22545 | (int)... |
|
||||||
|
| staticlocals__staticlocals_f3_ql | false | 22546 | 22546 | initializer for i |
|
||||||
|
| staticlocals__staticlocals_f3_ql | true | 22532 | 22534 | |
|
||||||
|
| staticlocals__staticlocals_f3_ql | true | 22532 | 22546 | |
|
||||||
|
| staticlocals__staticlocals_f3_ql | true | 22534 | 22529 | |
|
||||||
|
| staticlocals__staticlocals_f3_ql | true | 22536 | 22532 | |
|
||||||
|
| staticlocals__staticlocals_f3_ql | true | 22543 | 22534 | |
|
||||||
|
| staticlocals__staticlocals_f3_ql | true | 22546 | 22543 | |
|
||||||
|
|||||||
@@ -1,3 +1,14 @@
|
|||||||
|
| pointer_to_member__pmIsConstT | pointer_to_member.cpp:41:3:44:29 | declaration | pointer_to_member.cpp:44:11:44:28 | initializer for pms | Standard edge, only from QL | uninstantiated |
|
||||||
|
| pointer_to_member__pmIsConstT | pointer_to_member.cpp:41:3:44:29 | declaration | pointer_to_member.cpp:45:1:45:1 | return ... | Standard edge, only from extractor | uninstantiated |
|
||||||
|
| pointer_to_member__pmIsConstT | pointer_to_member.cpp:44:11:44:28 | initializer for pms | pointer_to_member.cpp:44:14:44:18 | x1 | Standard edge, only from QL | uninstantiated |
|
||||||
|
| pointer_to_member__pmIsConstT | pointer_to_member.cpp:44:11:44:28 | {...} | pointer_to_member.cpp:45:1:45:1 | return ... | Standard edge, only from QL | uninstantiated |
|
||||||
|
| pointer_to_member__pmIsConstT | pointer_to_member.cpp:44:13:44:18 | & ... | pointer_to_member.cpp:44:22:44:26 | f1 | Standard edge, only from QL | uninstantiated |
|
||||||
|
| pointer_to_member__pmIsConstT | pointer_to_member.cpp:44:14:44:18 | x1 | pointer_to_member.cpp:44:13:44:18 | & ... | Standard edge, only from QL | uninstantiated |
|
||||||
|
| pointer_to_member__pmIsConstT | pointer_to_member.cpp:44:21:44:26 | & ... | pointer_to_member.cpp:44:11:44:28 | {...} | Standard edge, only from QL | uninstantiated |
|
||||||
|
| pointer_to_member__pmIsConstT | pointer_to_member.cpp:44:22:44:26 | f1 | pointer_to_member.cpp:44:21:44:26 | & ... | Standard edge, only from QL | uninstantiated |
|
||||||
| staticlocals__staticlocals_f2 | file://:0:0:0:0 | call to C | staticlocals.cpp:30:1:30:1 | return ... | Standard edge, only from QL | |
|
| staticlocals__staticlocals_f2 | file://:0:0:0:0 | call to C | staticlocals.cpp:30:1:30:1 | return ... | Standard edge, only from QL | |
|
||||||
| staticlocals__staticlocals_f2 | file://:0:0:0:0 | initializer for c | file://:0:0:0:0 | call to C | Standard edge, only from QL | |
|
| staticlocals__staticlocals_f2 | file://:0:0:0:0 | initializer for c | file://:0:0:0:0 | call to C | Standard edge, only from QL | |
|
||||||
| staticlocals__staticlocals_f2 | staticlocals.cpp:29:5:29:17 | declaration | file://:0:0:0:0 | initializer for c | Standard edge, only from QL | |
|
| staticlocals__staticlocals_f2 | staticlocals.cpp:29:5:29:17 | declaration | file://:0:0:0:0 | initializer for c | Standard edge, only from QL | |
|
||||||
|
| staticlocals__staticlocals_f3 | staticlocals.cpp:39:3:39:34 | declaration | staticlocals.cpp:39:18:39:33 | initializer for i | Standard edge, only from QL | uninstantiated |
|
||||||
|
| staticlocals__staticlocals_f3 | staticlocals.cpp:39:18:39:33 | initializer for i | staticlocals.cpp:39:18:39:33 | value | Standard edge, only from QL | uninstantiated |
|
||||||
|
| staticlocals__staticlocals_f3 | staticlocals.cpp:39:18:39:33 | value | staticlocals.cpp:40:1:40:1 | return ... | Standard edge, only from QL | uninstantiated |
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
| file://:0:0:0:0 | __va_list_tag | <none> |
|
| file://:0:0:0:0 | __va_list_tag | <none> |
|
||||||
| test.cpp:3:8:3:9 | s1<<expression>> | <none> |
|
| test.cpp:3:8:3:9 | s1<<expression>> | {...} |
|
||||||
| test.cpp:3:8:3:9 | s1<<unnamed>> | <none> |
|
| test.cpp:3:8:3:9 | s1<<unnamed>> | (null) |
|
||||||
| test.cpp:5:8:5:9 | s2<T> | T |
|
| test.cpp:5:8:5:9 | s2<T> | T |
|
||||||
| test.cpp:5:8:5:9 | s2<T> | T |
|
| test.cpp:5:8:5:9 | s2<T> | T |
|
||||||
| test.cpp:7:8:7:9 | s3<T, <unnamed>> | (unnamed) |
|
| test.cpp:7:8:7:9 | s3<T, <unnamed>> | (unnamed) |
|
||||||
|
|||||||
@@ -1,6 +1,12 @@
|
|||||||
| file://:0:0:0:0 | |
|
| file://:0:0:0:0 | |
|
||||||
| file://:0:0:0:0 | 0 |
|
| file://:0:0:0:0 | 0 |
|
||||||
| file://:0:0:0:0 | (global namespace) |
|
| file://:0:0:0:0 | (global namespace) |
|
||||||
|
| file://:0:0:0:0 | B |
|
||||||
|
| file://:0:0:0:0 | X |
|
||||||
|
| file://:0:0:0:0 | X |
|
||||||
|
| file://:0:0:0:0 | X |
|
||||||
|
| file://:0:0:0:0 | X |
|
||||||
|
| file://:0:0:0:0 | Y |
|
||||||
| file://:0:0:0:0 | __va_list_tag |
|
| file://:0:0:0:0 | __va_list_tag |
|
||||||
| file://:0:0:0:0 | __va_list_tag & |
|
| file://:0:0:0:0 | __va_list_tag & |
|
||||||
| file://:0:0:0:0 | __va_list_tag && |
|
| file://:0:0:0:0 | __va_list_tag && |
|
||||||
|
|||||||
@@ -0,0 +1,4 @@
|
|||||||
|
template <int i>
|
||||||
|
class Int { };
|
||||||
|
|
||||||
|
Int<10> i;
|
||||||
@@ -0,0 +1,2 @@
|
|||||||
|
| test.cpp:2:7:2:9 | Int<10> | file://:0:0:0:0 | int | test.cpp:4:5:4:6 | 10 |
|
||||||
|
| test.cpp:2:7:2:9 | Int<i> | file://:0:0:0:0 | int | file://:0:0:0:0 | i |
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
import cpp
|
||||||
|
|
||||||
|
from Class c
|
||||||
|
select c, c.getATemplateArgumentKind(), c.getATemplateArgument()
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
// semmle-extractor-options: --edg --trap_container=folder --edg --trap-compression=none
|
||||||
|
template <int i>
|
||||||
|
int addToSelf() { return i + i; };
|
||||||
|
|
||||||
|
int bar() { return addToSelf<10>(); }
|
||||||
@@ -0,0 +1,2 @@
|
|||||||
|
| test.cpp:3:5:3:5 | addToSelf | file://:0:0:0:0 | int | test.cpp:5:30:5:31 | 10 |
|
||||||
|
| test.cpp:3:5:3:13 | addToSelf | file://:0:0:0:0 | int | file://:0:0:0:0 | i |
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
import cpp
|
||||||
|
|
||||||
|
from Function f
|
||||||
|
select f, f.getATemplateArgumentKind(), f.getATemplateArgument()
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
// semmle-extractor-options: --edg --trap_container=folder --edg --trap-compression=none
|
||||||
|
template<int x>
|
||||||
|
struct C { };
|
||||||
|
|
||||||
|
static const int one1 = 1, one2 = 1;
|
||||||
|
C<one1> c = C<one2>();
|
||||||
|
C<one1 + one2> e;
|
||||||
|
|
||||||
|
template<typename T, T X>
|
||||||
|
struct D { };
|
||||||
|
|
||||||
|
D<int, 2> a;
|
||||||
|
D<long, 2> b;
|
||||||
|
|
||||||
|
template<typename T, T* X>
|
||||||
|
struct E { };
|
||||||
|
|
||||||
|
E<int, nullptr> z;
|
||||||
|
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:5:25:5:25 | 1 |
|
||||||
|
| test.cpp:3:8:3:8 | C<2> | 0 | int | file://:0:0:0:0 | 2 |
|
||||||
|
| test.cpp:3:8:3:8 | C<x> | 0 | int | file://:0:0:0:0 | x |
|
||||||
|
| test.cpp:10:8:10:8 | D<T, X> | 0 | <none> | test.cpp:9:19:9:19 | T |
|
||||||
|
| test.cpp:10:8:10:8 | D<T, X> | 1 | T | file://:0:0:0:0 | X |
|
||||||
|
| test.cpp:10:8:10:8 | D<int, 2> | 0 | <none> | file://:0:0:0:0 | int |
|
||||||
|
| test.cpp:10:8:10:8 | D<int, 2> | 1 | int | test.cpp:12:8:12:8 | 2 |
|
||||||
|
| test.cpp:10:8:10:8 | D<long, 2L> | 0 | <none> | file://:0:0:0:0 | long |
|
||||||
|
| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | file://:0:0:0:0 | 2 |
|
||||||
|
| test.cpp:16:8:16:8 | E<T, X> | 0 | <none> | test.cpp:15:19:15:19 | T |
|
||||||
|
| test.cpp:16:8:16:8 | E<T, X> | 1 | T * | file://:0:0:0:0 | X |
|
||||||
|
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 0 | <none> | file://:0:0:0:0 | int |
|
||||||
|
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | file://:0:0:0:0 | 0 |
|
||||||
@@ -0,0 +1,14 @@
|
|||||||
|
import cpp
|
||||||
|
|
||||||
|
string maybeGetTemplateArgumentKind(Declaration d, int i) {
|
||||||
|
(
|
||||||
|
if exists(d.getTemplateArgumentKind(i))
|
||||||
|
then result = d.getTemplateArgumentKind(i).toString()
|
||||||
|
else result = "<none>"
|
||||||
|
) and
|
||||||
|
i = [0 .. d.getNumberOfTemplateArguments()]
|
||||||
|
}
|
||||||
|
|
||||||
|
from Declaration d, int i
|
||||||
|
where i >= 0 and i < d.getNumberOfTemplateArguments()
|
||||||
|
select d, i, maybeGetTemplateArgumentKind(d, i), d.getTemplateArgument(i)
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
| examples.cpp:38:3:38:18 | call to initDeviceConfig | The status of this call to $@ is not checked, potentially leaving $@ uninitialized. | examples.cpp:13:5:13:20 | initDeviceConfig | initDeviceConfig | examples.cpp:37:16:37:21 | config | config |
|
||||||
|
| test.cpp:22:2:22:17 | call to maybeInitialize1 | The status of this call to $@ is not checked, potentially leaving $@ uninitialized. | test.cpp:4:5:4:20 | maybeInitialize1 | maybeInitialize1 | test.cpp:19:6:19:6 | a | a |
|
||||||
|
| test.cpp:68:2:68:17 | call to maybeInitialize2 | The status of this call to $@ is not checked, potentially leaving $@ uninitialized. | test.cpp:51:6:51:21 | maybeInitialize2 | maybeInitialize2 | test.cpp:66:6:66:6 | a | a |
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
|
||||||
@@ -0,0 +1,43 @@
|
|||||||
|
// based on the qhelp
|
||||||
|
|
||||||
|
int getMaxDevices();
|
||||||
|
bool fetchIsDeviceEnabled(int deviceNumber);
|
||||||
|
int fetchDeviceChannel(int deviceNumber);
|
||||||
|
void notifyChannel(int channel);
|
||||||
|
|
||||||
|
struct DeviceConfig {
|
||||||
|
bool isEnabled;
|
||||||
|
int channel;
|
||||||
|
};
|
||||||
|
|
||||||
|
int initDeviceConfig(DeviceConfig *ref, int deviceNumber) {
|
||||||
|
if (deviceNumber >= getMaxDevices()) {
|
||||||
|
// No device with that number, return -1 to indicate failure
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
// Device with that number, fetch parameters and initialize struct
|
||||||
|
ref->isEnabled = fetchIsDeviceEnabled(deviceNumber);
|
||||||
|
ref->channel = fetchDeviceChannel(deviceNumber);
|
||||||
|
// Return 0 to indicate success
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
void notifyGood(int deviceNumber) {
|
||||||
|
DeviceConfig config;
|
||||||
|
int statusCode = initDeviceConfig(&config, deviceNumber);
|
||||||
|
if (statusCode == 0) {
|
||||||
|
// GOOD: Status code returned by initialization function is checked, so this is safe
|
||||||
|
if (config.isEnabled) {
|
||||||
|
notifyChannel(config.channel);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
int notifyBad(int deviceNumber) {
|
||||||
|
DeviceConfig config;
|
||||||
|
initDeviceConfig(&config, deviceNumber);
|
||||||
|
// BAD: Using config without checking the status code that is returned
|
||||||
|
if (config.isEnabled) {
|
||||||
|
notifyChannel(config.channel);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,96 @@
|
|||||||
|
|
||||||
|
void use(int i);
|
||||||
|
|
||||||
|
int maybeInitialize1(int *v)
|
||||||
|
{
|
||||||
|
static int resources = 100;
|
||||||
|
|
||||||
|
if (resources == 0)
|
||||||
|
{
|
||||||
|
return 0; // FAIL
|
||||||
|
}
|
||||||
|
|
||||||
|
*v = resources--;
|
||||||
|
return 1; // SUCCESS
|
||||||
|
}
|
||||||
|
|
||||||
|
void test1()
|
||||||
|
{
|
||||||
|
int a, b, c, d, e, f;
|
||||||
|
int result1, result2;
|
||||||
|
|
||||||
|
maybeInitialize1(&a); // BAD (initialization not checked)
|
||||||
|
use(a);
|
||||||
|
|
||||||
|
if (maybeInitialize1(&b) == 1) // GOOD
|
||||||
|
{
|
||||||
|
use(b);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (maybeInitialize1(&c) == 0) // BAD (initialization check is wrong) [NOT DETECTED]
|
||||||
|
{
|
||||||
|
use(c);
|
||||||
|
}
|
||||||
|
|
||||||
|
result1 = maybeInitialize1(&d); // BAD (initialization stored but not checked) [NOT DETECTED]
|
||||||
|
use(d);
|
||||||
|
|
||||||
|
result2 = maybeInitialize1(&e); // GOOD
|
||||||
|
if (result2 == 1)
|
||||||
|
{
|
||||||
|
use(e);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (maybeInitialize1(&f) == 0) // GOOD
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
use(f);
|
||||||
|
}
|
||||||
|
|
||||||
|
bool maybeInitialize2(int *v)
|
||||||
|
{
|
||||||
|
static int resources = 100;
|
||||||
|
|
||||||
|
if (resources > 0)
|
||||||
|
{
|
||||||
|
*v = resources--;
|
||||||
|
return true; // SUCCESS
|
||||||
|
}
|
||||||
|
|
||||||
|
return false; // FAIL
|
||||||
|
}
|
||||||
|
|
||||||
|
void test2()
|
||||||
|
{
|
||||||
|
int a, b;
|
||||||
|
|
||||||
|
maybeInitialize2(&a); // BAD (initialization not checked)
|
||||||
|
use(a);
|
||||||
|
|
||||||
|
if (maybeInitialize2(&b)) // GOOD
|
||||||
|
{
|
||||||
|
use(b);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
int alwaysInitialize(int *v)
|
||||||
|
{
|
||||||
|
static int resources = 0;
|
||||||
|
|
||||||
|
*v = resources++;
|
||||||
|
return 1; // SUCCESS
|
||||||
|
}
|
||||||
|
|
||||||
|
void test3()
|
||||||
|
{
|
||||||
|
int a, b;
|
||||||
|
|
||||||
|
alwaysInitialize(&a); // GOOD (initialization never fails)
|
||||||
|
use(a);
|
||||||
|
|
||||||
|
if (alwaysInitialize(&b) == 1) // GOOD
|
||||||
|
{
|
||||||
|
use(b);
|
||||||
|
}
|
||||||
|
}
|
||||||
1918
cpp/upgrades/98a075d5495d7be7ede26557708cf22cfa3964ef/old.dbscheme
Normal file
1918
cpp/upgrades/98a075d5495d7be7ede26557708cf22cfa3964ef/old.dbscheme
Normal file
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,2 @@
|
|||||||
|
description: Add support for value template parameters.
|
||||||
|
compatibility: partial
|
||||||
@@ -36,10 +36,10 @@ which ensures the content is appropriately escaped.</p>
|
|||||||
|
|
||||||
<references>
|
<references>
|
||||||
<li>
|
<li>
|
||||||
<a href="http://projects.webappsec.org/w/page/13247004/XML%20Injection">XML Injection</a> (The Web Application Security Consortium).
|
Web Application Security Consortium: <a href="http://projects.webappsec.org/w/page/13247004/XML%20Injection">XML Injection</a>.
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<a href="https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmlwriter.writeraw?view=netframework-4.8">WriteRaw</a> (Microsoft documentation).
|
Microsoft Docs: <a href="https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmlwriter.writeraw?view=netframework-4.8">WriteRaw</a>.
|
||||||
</li>
|
</li>
|
||||||
</references>
|
</references>
|
||||||
</qhelp>
|
</qhelp>
|
||||||
|
|||||||
@@ -14,7 +14,7 @@ was not intended to be loaded, and executing arbitrary code.
|
|||||||
<p>
|
<p>
|
||||||
Avoid loading assemblies based on user provided input. If this is not possible, ensure that the path
|
Avoid loading assemblies based on user provided input. If this is not possible, ensure that the path
|
||||||
is validated before being used with <code>Assembly</code>. For example, compare the provided input
|
is validated before being used with <code>Assembly</code>. For example, compare the provided input
|
||||||
against a whitelist of known safe assemblies, or confirm that path is restricted to a single
|
against a whitelist of known safe assemblies, or confirm that the path is restricted to a single
|
||||||
directory which only contains safe assemblies.
|
directory which only contains safe assemblies.
|
||||||
</p>
|
</p>
|
||||||
</recommendation>
|
</recommendation>
|
||||||
@@ -30,8 +30,8 @@ is only loaded if the user input matches one of those options.</p>
|
|||||||
</example>
|
</example>
|
||||||
|
|
||||||
<references>
|
<references>
|
||||||
<li>
|
<li>Microsoft:
|
||||||
<a href="https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=netframework-4.8">System.Reflection.Assembly</a> (Microsoft documentation).
|
<a href="https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=netframework-4.8">System.Reflection.Assembly</a>.
|
||||||
</li>
|
</li>
|
||||||
</references>
|
</references>
|
||||||
</qhelp>
|
</qhelp>
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
/**
|
/**
|
||||||
* @name Do not use hard-coded encryption keys.
|
* @name Hard-coded encryption key
|
||||||
* @description The .Key property or rgbKey parameter of a SymmetricAlgorithm should never be a hardcoded value.
|
* @description The .Key property or rgbKey parameter of a SymmetricAlgorithm should never be a hard-coded value.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cs/hardcoded-key
|
* @id cs/hardcoded-key
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
|||||||
@@ -3,7 +3,6 @@
|
|||||||
"qhelp.dtd">
|
"qhelp.dtd">
|
||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
<p>Finds uses of insecure SQL Connections string by not enabling the <code>Encrypt</code> option.</p>
|
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
SQL Server connections where the client is not enforcing the encryption in transit are susceptible to multiple attacks, including a man-in-the-middle, that would potentially compromise the user credentials and/or the TDS session.
|
SQL Server connections where the client is not enforcing the encryption in transit are susceptible to multiple attacks, including a man-in-the-middle, that would potentially compromise the user credentials and/or the TDS session.
|
||||||
@@ -29,18 +28,17 @@
|
|||||||
|
|
||||||
</example>
|
</example>
|
||||||
<references>
|
<references>
|
||||||
|
<li>Microsoft, SQL Protocols blog:
|
||||||
<li>
|
<a href="https://blogs.msdn.microsoft.com/sql_protocols/2009/10/19/selectively-using-secure-connection-to-sql-server/">Selectively using secure connection to SQL Server</a>.
|
||||||
<a href="https://blogs.msdn.microsoft.com/sql_protocols/2009/10/19/selectively-using-secure-connection-to-sql-server/">Selectively using secure connection to SQL Server</a>
|
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>Microsoft:
|
||||||
<a href="https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(v=vs.110).aspx">Net SqlClient (ADO .Net)</a>
|
<a href="https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(v=vs.110).aspx">SqlConnection.ConnectionString Property</a>.
|
||||||
|
</li>
|
||||||
|
<li>Microsoft:
|
||||||
|
<a href="https://msdn.microsoft.com/en-us/library/ms130822.aspx">Using Connection String Keywords with SQL Server Native Client</a>.
|
||||||
|
</li>
|
||||||
|
<li>Microsoft:
|
||||||
|
<a href="https://msdn.microsoft.com/en-us/library/ms378988(v=sql.110).aspx">Setting the connection properties</a>.
|
||||||
</li>
|
</li>
|
||||||
<li><a href="https://msdn.microsoft.com/en-us/library/ms130822.aspx">SQL native driver (SNAC)</a>
|
|
||||||
</li>
|
|
||||||
<li>
|
|
||||||
<a href="https://msdn.microsoft.com/en-us/library/ms378988(v=sql.110).aspx">JDBC driver</a>
|
|
||||||
</li>
|
|
||||||
|
|
||||||
</references>
|
</references>
|
||||||
</qhelp>
|
</qhelp>
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
/**
|
/**
|
||||||
* @name Insecure SQL connection
|
* @name Insecure SQL connection
|
||||||
* @description TODO.
|
* @description Using an SQL Server connection without enforcing encryption is a security vulnerability.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @id cs/insecure-sql-connection
|
* @id cs/insecure-sql-connection
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
|||||||
@@ -5,14 +5,11 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cs/deserialized-delegate
|
* @id cs/deserialized-delegate
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @precision high
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-502
|
* external/cwe/cwe-502
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
|
||||||
* consider: @precision high
|
|
||||||
*/
|
|
||||||
|
|
||||||
import csharp
|
import csharp
|
||||||
import semmle.code.csharp.frameworks.system.linq.Expressions
|
import semmle.code.csharp.frameworks.system.linq.Expressions
|
||||||
import semmle.code.csharp.serialization.Deserializers
|
import semmle.code.csharp.serialization.Deserializers
|
||||||
|
|||||||
@@ -86,6 +86,10 @@ module LocalFlow {
|
|||||||
scope = e2 and
|
scope = e2 and
|
||||||
isSuccessor = true
|
isSuccessor = true
|
||||||
or
|
or
|
||||||
|
e1 = e2.(NullCoalescingExpr).getAnOperand() and
|
||||||
|
scope = e2 and
|
||||||
|
isSuccessor = false
|
||||||
|
or
|
||||||
e1 = e2.(SuppressNullableWarningExpr).getExpr() and
|
e1 = e2.(SuppressNullableWarningExpr).getExpr() and
|
||||||
scope = e2 and
|
scope = e2 and
|
||||||
isSuccessor = true
|
isSuccessor = true
|
||||||
|
|||||||
@@ -12,6 +12,8 @@
|
|||||||
| dataflow.cs:46:35:46:39 | "t1b" | dataflow.cs:46:18:46:40 | call to method Taint1 |
|
| dataflow.cs:46:35:46:39 | "t1b" | dataflow.cs:46:18:46:40 | call to method Taint1 |
|
||||||
| dataflow.cs:49:35:49:38 | "t6" | dataflow.cs:49:18:49:45 | call to method TaintIndirect |
|
| dataflow.cs:49:35:49:38 | "t6" | dataflow.cs:49:18:49:45 | call to method TaintIndirect |
|
||||||
| dataflow.cs:49:41:49:44 | "t6" | dataflow.cs:49:18:49:45 | call to method TaintIndirect |
|
| dataflow.cs:49:41:49:44 | "t6" | dataflow.cs:49:18:49:45 | call to method TaintIndirect |
|
||||||
|
| dataflow.cs:102:30:102:33 | null | dataflow.cs:74:21:74:52 | ... ?? ... |
|
||||||
| dataflow.cs:102:30:102:33 | null | dataflow.cs:89:24:89:51 | ... ? ... : ... |
|
| dataflow.cs:102:30:102:33 | null | dataflow.cs:89:24:89:51 | ... ? ... : ... |
|
||||||
| dataflow.cs:102:30:102:33 | null | dataflow.cs:108:20:108:33 | call to method IndirectNull |
|
| dataflow.cs:102:30:102:33 | null | dataflow.cs:108:20:108:33 | call to method IndirectNull |
|
||||||
|
| dataflow.cs:109:23:109:26 | null | dataflow.cs:74:21:74:52 | ... ?? ... |
|
||||||
| dataflow.cs:109:23:109:26 | null | dataflow.cs:89:24:89:51 | ... ? ... : ... |
|
| dataflow.cs:109:23:109:26 | null | dataflow.cs:89:24:89:51 | ... ? ... : ... |
|
||||||
|
|||||||
@@ -8,7 +8,9 @@
|
|||||||
| LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 |
|
| LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 |
|
||||||
| LocalDataFlow.cs:420:19:420:24 | access to local variable sink71 |
|
| LocalDataFlow.cs:420:19:420:24 | access to local variable sink71 |
|
||||||
| LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
|
| LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
|
||||||
| LocalDataFlow.cs:466:15:466:21 | access to parameter tainted |
|
| LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 |
|
||||||
|
| LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 |
|
||||||
|
| LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
|
||||||
| SSA.cs:9:15:9:22 | access to local variable ssaSink0 |
|
| SSA.cs:9:15:9:22 | access to local variable ssaSink0 |
|
||||||
| SSA.cs:25:15:25:22 | access to local variable ssaSink1 |
|
| SSA.cs:25:15:25:22 | access to local variable ssaSink1 |
|
||||||
| SSA.cs:43:15:43:22 | access to local variable ssaSink2 |
|
| SSA.cs:43:15:43:22 | access to local variable ssaSink2 |
|
||||||
|
|||||||
@@ -545,7 +545,10 @@
|
|||||||
| LocalDataFlow.cs:408:15:408:22 | access to local variable nonSink0 | LocalDataFlow.cs:415:31:415:38 | access to local variable nonSink0 |
|
| LocalDataFlow.cs:408:15:408:22 | access to local variable nonSink0 | LocalDataFlow.cs:415:31:415:38 | access to local variable nonSink0 |
|
||||||
| LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) | LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 |
|
| LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) | LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 |
|
||||||
| LocalDataFlow.cs:411:22:411:34 | ... = ... | LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) |
|
| LocalDataFlow.cs:411:22:411:34 | ... = ... | LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) |
|
||||||
|
| LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) | LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 |
|
||||||
|
| LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) | LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 |
|
||||||
| LocalDataFlow.cs:411:30:411:34 | access to local variable sink0 | LocalDataFlow.cs:411:22:411:34 | ... = ... |
|
| LocalDataFlow.cs:411:30:411:34 | access to local variable sink0 | LocalDataFlow.cs:411:22:411:34 | ... = ... |
|
||||||
|
| LocalDataFlow.cs:411:30:411:34 | access to local variable sink0 | LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) |
|
||||||
| LocalDataFlow.cs:412:15:412:20 | [post] access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 |
|
| LocalDataFlow.cs:412:15:412:20 | [post] access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 |
|
||||||
| LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 |
|
| LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 |
|
||||||
| LocalDataFlow.cs:415:9:415:38 | SSA def(nonSink0) | LocalDataFlow.cs:416:15:416:22 | access to local variable nonSink0 |
|
| LocalDataFlow.cs:415:9:415:38 | SSA def(nonSink0) | LocalDataFlow.cs:416:15:416:22 | access to local variable nonSink0 |
|
||||||
@@ -562,12 +565,23 @@
|
|||||||
| LocalDataFlow.cs:427:17:427:22 | access to local variable sink70 | LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) |
|
| LocalDataFlow.cs:427:17:427:22 | access to local variable sink70 | LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) |
|
||||||
| LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
|
| LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
|
||||||
| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) |
|
| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) |
|
||||||
|
| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 |
|
||||||
| LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | LocalDataFlow.cs:438:23:438:31 | access to local variable nonSink17 |
|
| LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | LocalDataFlow.cs:438:23:438:31 | access to local variable nonSink17 |
|
||||||
| LocalDataFlow.cs:458:28:458:30 | this | LocalDataFlow.cs:458:41:458:45 | this access |
|
| LocalDataFlow.cs:443:13:443:38 | SSA def(sink73) | LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 |
|
||||||
| LocalDataFlow.cs:458:50:458:52 | this | LocalDataFlow.cs:458:56:458:60 | this access |
|
| LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 | LocalDataFlow.cs:443:22:443:38 | ... ?? ... |
|
||||||
| LocalDataFlow.cs:458:50:458:52 | value | LocalDataFlow.cs:458:64:458:68 | access to parameter value |
|
| LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 | LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 |
|
||||||
| LocalDataFlow.cs:464:41:464:47 | tainted | LocalDataFlow.cs:466:15:466:21 | access to parameter tainted |
|
| LocalDataFlow.cs:443:22:443:38 | ... ?? ... | LocalDataFlow.cs:443:13:443:38 | SSA def(sink73) |
|
||||||
| LocalDataFlow.cs:469:44:469:53 | nonTainted | LocalDataFlow.cs:471:15:471:24 | access to parameter nonTainted |
|
| LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 | LocalDataFlow.cs:443:22:443:38 | ... ?? ... |
|
||||||
|
| LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 |
|
||||||
|
| LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) | LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 |
|
||||||
|
| LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
|
||||||
|
| LocalDataFlow.cs:444:22:444:38 | ... ?? ... | LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) |
|
||||||
|
| LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
|
||||||
|
| LocalDataFlow.cs:464:28:464:30 | this | LocalDataFlow.cs:464:41:464:45 | this access |
|
||||||
|
| LocalDataFlow.cs:464:50:464:52 | this | LocalDataFlow.cs:464:56:464:60 | this access |
|
||||||
|
| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:64:464:68 | access to parameter value |
|
||||||
|
| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
|
||||||
|
| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:477:15:477:24 | access to parameter nonTainted |
|
||||||
| SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
|
| SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
|
||||||
| SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
|
| SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
|
||||||
| SSA.cs:5:26:5:32 | tainted | SSA.cs:8:24:8:30 | access to parameter tainted |
|
| SSA.cs:5:26:5:32 | tainted | SSA.cs:8:24:8:30 | access to parameter tainted |
|
||||||
|
|||||||
@@ -438,6 +438,12 @@ public class LocalDataFlow
|
|||||||
Check(nonSink17);
|
Check(nonSink17);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Null-coalescing expressions
|
||||||
|
var sink73 = nonSink0 ?? sink0;
|
||||||
|
var sink74 = sink0 ?? nonSink0;
|
||||||
|
Check(sink73);
|
||||||
|
Check(sink74);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void Check<T>(T x) { }
|
static void Check<T>(T x) { }
|
||||||
|
|||||||
@@ -62,7 +62,9 @@
|
|||||||
| LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 |
|
| LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 |
|
||||||
| LocalDataFlow.cs:420:19:420:24 | access to local variable sink71 |
|
| LocalDataFlow.cs:420:19:420:24 | access to local variable sink71 |
|
||||||
| LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
|
| LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
|
||||||
| LocalDataFlow.cs:466:15:466:21 | access to parameter tainted |
|
| LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 |
|
||||||
|
| LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 |
|
||||||
|
| LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
|
||||||
| SSA.cs:9:15:9:22 | access to local variable ssaSink0 |
|
| SSA.cs:9:15:9:22 | access to local variable ssaSink0 |
|
||||||
| SSA.cs:25:15:25:22 | access to local variable ssaSink1 |
|
| SSA.cs:25:15:25:22 | access to local variable ssaSink1 |
|
||||||
| SSA.cs:43:15:43:22 | access to local variable ssaSink2 |
|
| SSA.cs:43:15:43:22 | access to local variable ssaSink2 |
|
||||||
|
|||||||
@@ -690,7 +690,10 @@
|
|||||||
| LocalDataFlow.cs:408:15:408:22 | access to local variable nonSink0 | LocalDataFlow.cs:415:31:415:38 | access to local variable nonSink0 |
|
| LocalDataFlow.cs:408:15:408:22 | access to local variable nonSink0 | LocalDataFlow.cs:415:31:415:38 | access to local variable nonSink0 |
|
||||||
| LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) | LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 |
|
| LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) | LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 |
|
||||||
| LocalDataFlow.cs:411:22:411:34 | ... = ... | LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) |
|
| LocalDataFlow.cs:411:22:411:34 | ... = ... | LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) |
|
||||||
|
| LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) | LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 |
|
||||||
|
| LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) | LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 |
|
||||||
| LocalDataFlow.cs:411:30:411:34 | access to local variable sink0 | LocalDataFlow.cs:411:22:411:34 | ... = ... |
|
| LocalDataFlow.cs:411:30:411:34 | access to local variable sink0 | LocalDataFlow.cs:411:22:411:34 | ... = ... |
|
||||||
|
| LocalDataFlow.cs:411:30:411:34 | access to local variable sink0 | LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) |
|
||||||
| LocalDataFlow.cs:412:15:412:20 | [post] access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 |
|
| LocalDataFlow.cs:412:15:412:20 | [post] access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 |
|
||||||
| LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 |
|
| LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 |
|
||||||
| LocalDataFlow.cs:415:9:415:38 | SSA def(nonSink0) | LocalDataFlow.cs:416:15:416:22 | access to local variable nonSink0 |
|
| LocalDataFlow.cs:415:9:415:38 | SSA def(nonSink0) | LocalDataFlow.cs:416:15:416:22 | access to local variable nonSink0 |
|
||||||
@@ -707,15 +710,26 @@
|
|||||||
| LocalDataFlow.cs:427:17:427:22 | access to local variable sink70 | LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) |
|
| LocalDataFlow.cs:427:17:427:22 | access to local variable sink70 | LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) |
|
||||||
| LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
|
| LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
|
||||||
| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) |
|
| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) |
|
||||||
|
| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 |
|
||||||
| LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | LocalDataFlow.cs:438:23:438:31 | access to local variable nonSink17 |
|
| LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | LocalDataFlow.cs:438:23:438:31 | access to local variable nonSink17 |
|
||||||
| LocalDataFlow.cs:458:28:458:30 | this | LocalDataFlow.cs:458:41:458:45 | this access |
|
| LocalDataFlow.cs:443:13:443:38 | SSA def(sink73) | LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 |
|
||||||
| LocalDataFlow.cs:458:50:458:52 | this | LocalDataFlow.cs:458:56:458:60 | this access |
|
| LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 | LocalDataFlow.cs:443:22:443:38 | ... ?? ... |
|
||||||
| LocalDataFlow.cs:458:50:458:52 | value | LocalDataFlow.cs:458:50:458:52 | value |
|
| LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 | LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 |
|
||||||
| LocalDataFlow.cs:458:50:458:52 | value | LocalDataFlow.cs:458:64:458:68 | access to parameter value |
|
| LocalDataFlow.cs:443:22:443:38 | ... ?? ... | LocalDataFlow.cs:443:13:443:38 | SSA def(sink73) |
|
||||||
| LocalDataFlow.cs:464:41:464:47 | tainted | LocalDataFlow.cs:464:41:464:47 | tainted |
|
| LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 | LocalDataFlow.cs:443:22:443:38 | ... ?? ... |
|
||||||
| LocalDataFlow.cs:464:41:464:47 | tainted | LocalDataFlow.cs:466:15:466:21 | access to parameter tainted |
|
| LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 |
|
||||||
| LocalDataFlow.cs:469:44:469:53 | nonTainted | LocalDataFlow.cs:469:44:469:53 | nonTainted |
|
| LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) | LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 |
|
||||||
| LocalDataFlow.cs:469:44:469:53 | nonTainted | LocalDataFlow.cs:471:15:471:24 | access to parameter nonTainted |
|
| LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
|
||||||
|
| LocalDataFlow.cs:444:22:444:38 | ... ?? ... | LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) |
|
||||||
|
| LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
|
||||||
|
| LocalDataFlow.cs:464:28:464:30 | this | LocalDataFlow.cs:464:41:464:45 | this access |
|
||||||
|
| LocalDataFlow.cs:464:50:464:52 | this | LocalDataFlow.cs:464:56:464:60 | this access |
|
||||||
|
| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:50:464:52 | value |
|
||||||
|
| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:64:464:68 | access to parameter value |
|
||||||
|
| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:470:41:470:47 | tainted |
|
||||||
|
| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
|
||||||
|
| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:475:44:475:53 | nonTainted |
|
||||||
|
| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:477:15:477:24 | access to parameter nonTainted |
|
||||||
| SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
|
| SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
|
||||||
| SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
|
| SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
|
||||||
| SSA.cs:5:26:5:32 | tainted | SSA.cs:5:26:5:32 | tainted |
|
| SSA.cs:5:26:5:32 | tainted | SSA.cs:5:26:5:32 | tainted |
|
||||||
|
|||||||
@@ -83,6 +83,11 @@ class Test
|
|||||||
// GOOD: Disposed automatically.
|
// GOOD: Disposed automatically.
|
||||||
using var c2 = new Timer(TimerProc);
|
using var c2 = new Timer(TimerProc);
|
||||||
|
|
||||||
|
// GOOD: ownership taken via ??
|
||||||
|
StringReader source = null;
|
||||||
|
using(XmlReader.Create(source ?? new StringReader("xml"), null))
|
||||||
|
;
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -61,7 +61,7 @@
|
|||||||
</div>
|
</div>
|
||||||
<div class="linkcontainer">
|
<div class="linkcontainer">
|
||||||
<div class="linkbar">
|
<div class="linkbar">
|
||||||
<a href="https://help.semmle.com/QL/learn-ql/" target="_blank">Learn QL</a>
|
<a href="https://help.semmle.com/QL/learn-ql/" target="_blank">Learn CodeQL</a>
|
||||||
<a href="https://help.semmle.com/QL/learn-ql/ql-training.html" target="_blank">QL for variant analysis</a>
|
<a href="https://help.semmle.com/QL/learn-ql/ql-training.html" target="_blank">QL for variant analysis</a>
|
||||||
<a href="https://help.semmle.com/QL/ql-tools.html" target="_blank">QL tools</a>
|
<a href="https://help.semmle.com/QL/ql-tools.html" target="_blank">QL tools</a>
|
||||||
<a href="https://help.semmle.com/QL/ql-explore-queries.html" target="_blank">Queries</a>
|
<a href="https://help.semmle.com/QL/ql-explore-queries.html" target="_blank">Queries</a>
|
||||||
|
|||||||
@@ -1,11 +1,11 @@
|
|||||||
About QL
|
About QL
|
||||||
========
|
========
|
||||||
|
|
||||||
This section is aimed at users with a background in general purpose programming as well as in databases. For a basic introduction and information on how to get started, see :doc:`Introduction to the QL language <introduction-to-ql>` and :doc:`Learning QL <../index>`.
|
This section is aimed at users with a background in general purpose programming as well as in databases. For a basic introduction and information on how to get started, see :doc:`Introduction to QL <introduction-to-ql>` and :doc:`Learning CodeQL <../index>`.
|
||||||
|
|
||||||
QL is a declarative, object-oriented query language that is optimized to enable efficient analysis of hierarchical data structures, in particular, databases representing software artifacts.
|
QL is a declarative, object-oriented query language that is optimized to enable efficient analysis of hierarchical data structures, in particular, databases representing software artifacts.
|
||||||
|
|
||||||
The queries and metrics used in LGTM are implemented using QL. This ensures that they can be extended or revised easily to keep up with changes in definitions of best coding practice. We continually improve existing queries as we work towards the ultimate goal of 100% precision.
|
The queries and metrics used in LGTM are implemented using CodeQL, which uses QL to analyze code. This ensures that they can be extended or revised easily to keep up with changes in definitions of best coding practice. We continually improve existing queries as we work towards the ultimate goal of 100% precision.
|
||||||
|
|
||||||
You can write queries to identify security vulnerabilities, find coding errors and bugs, or find code that breaks your team's guidelines for best practice. You can also create customized versions of the default queries to accommodate a new framework.
|
You can write queries to identify security vulnerabilities, find coding errors and bugs, or find code that breaks your team's guidelines for best practice. You can also create customized versions of the default queries to accommodate a new framework.
|
||||||
|
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ Semantics of abstract classes
|
|||||||
Concrete classes
|
Concrete classes
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
Concrete QL classes, as described in the QL language handbook topic on `Classes <https://help.semmle.com/QL/ql-handbook/types.html#classes>`__, lend themselves well to top-down modeling. We start from general superclasses representing large sets of values, and carve out individual subclasses representing more restricted sets of values.
|
Concrete classes, as described in the QL language handbook topic on `Classes <https://help.semmle.com/QL/ql-handbook/types.html#classes>`__, lend themselves well to top-down modeling. We start from general superclasses representing large sets of values, and carve out individual subclasses representing more restricted sets of values.
|
||||||
|
|
||||||
A classic example where this approach is useful is when modeling ASTs (Abstract Syntax Trees): the node types of an AST form a natural inheritance hierarchy, where, for example, there is a class ``Expr`` representing all expression nodes, with many different subclasses for different categories of expressions. There might be a class ``ArithmeticExpr`` representing arithmetic expressions, which in turn could have subclasses ``AddExpr`` and ``SubExpr``.
|
A classic example where this approach is useful is when modeling ASTs (Abstract Syntax Trees): the node types of an AST form a natural inheritance hierarchy, where, for example, there is a class ``Expr`` representing all expression nodes, with many different subclasses for different categories of expressions. There might be a class ``ArithmeticExpr`` representing arithmetic expressions, which in turn could have subclasses ``AddExpr`` and ``SubExpr``.
|
||||||
|
|
||||||
@@ -57,7 +57,7 @@ Like a concrete class, an abstract class has one or more superclasses and a char
|
|||||||
Example
|
Example
|
||||||
~~~~~~~
|
~~~~~~~
|
||||||
|
|
||||||
The following example is taken from the standard QL library for Java:
|
The following example is taken from the CodeQL library for Java:
|
||||||
|
|
||||||
.. code-block:: ql
|
.. code-block:: ql
|
||||||
|
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ Advanced QL
|
|||||||
./*
|
./*
|
||||||
|
|
||||||
|
|
||||||
Topics on advanced uses of QL. These topics assume that you are familiar with the QL language and the basics of query writing.
|
Topics on advanced uses of QL. These topics assume that you are familiar with QL and the basics of query writing.
|
||||||
|
|
||||||
- :doc:`Semantics of abstract classes <abstract-classes>`
|
- :doc:`Semantics of abstract classes <abstract-classes>`
|
||||||
- :doc:`Choosing appropriate ways to constrain types <constraining-types>`
|
- :doc:`Choosing appropriate ways to constrain types <constraining-types>`
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ Type constraint methods
|
|||||||
|
|
||||||
Note
|
Note
|
||||||
|
|
||||||
The examples below use the Java QL library. All QL libraries support using these methods to constrain variables, the only difference is in the names of the classes used.
|
The examples below use the CodeQL library for Java. All libraries support using these methods to constrain variables, the only difference is in the names of the classes used.
|
||||||
|
|
||||||
There are several ways of imposing type constraints on variables:
|
There are several ways of imposing type constraints on variables:
|
||||||
|
|
||||||
|
|||||||
@@ -1,14 +1,14 @@
|
|||||||
Determining the most specific types of a variable
|
Determining the most specific types of a variable
|
||||||
=================================================
|
=================================================
|
||||||
|
|
||||||
It is sometimes useful to be able to determine what QL types an entity has -- especially when you are unfamiliar with the QL library used by a query. To help with this, QL provides a predicate called ``getAQlClass()``, which returns the most specific QL types of the entity that it is called on.
|
It is sometimes useful to be able to determine what types an entity has -- especially when you are unfamiliar with the library used by a query. To help with this, there is a predicate called ``getAQlClass()``, which returns the most specific QL types of the entity that it is called on.
|
||||||
|
|
||||||
This can be useful when you are not sure of the most precise class of a value. Discovering a more precise class can allow you to cast to it and use predicates that are not available on the more general class.
|
This can be useful when you are not sure of the most precise class of a value. Discovering a more precise class can allow you to cast to it and use predicates that are not available on the more general class.
|
||||||
|
|
||||||
Example
|
Example
|
||||||
-------
|
-------
|
||||||
|
|
||||||
If you were working with a Java snapshot database, you might use ``getAQlClass()`` on every ``Expr`` in a callable called ``c``:
|
If you were working with a Java database, you might use ``getAQlClass()`` on every ``Expr`` in a callable called ``c``:
|
||||||
|
|
||||||
**Java example**
|
**Java example**
|
||||||
|
|
||||||
@@ -23,6 +23,6 @@ If you were working with a Java snapshot database, you might use ``getAQlClass()
|
|||||||
and e.getEnclosingCallable() = c
|
and e.getEnclosingCallable() = c
|
||||||
select e, e.getAQlClass()
|
select e, e.getAQlClass()
|
||||||
|
|
||||||
The result of this query is a list of the most specific types of every ``Expr`` in that function. You will see multiple results for some expressions because that expression is represented by more than one QL type.
|
The result of this query is a list of the most specific types of every ``Expr`` in that function. You will see multiple results for some expressions because that expression is represented by more than one type.
|
||||||
|
|
||||||
For example, ``StringLiteral``\ s like ``"Hello"`` in Java belong to both the ``StringLiteral`` QL class (a specialization of the ``Literal`` QL class) and the ``CompileTimeConstantExpr`` QL class. So any instances of ``StringLiteral``\ s in the results will produce more than one result, one for each of the QL classes to which they belong.
|
For example, ``StringLiteral``\ s like ``"Hello"`` in Java belong to both the ``StringLiteral`` class (a specialization of the ``Literal`` class) and the ``CompileTimeConstantExpr`` class. So any instances of ``StringLiteral``\ s in the results will produce more than one result, one for each of the classes to which they belong.
|
||||||
|
|||||||
@@ -6,7 +6,7 @@ The two expressions:
|
|||||||
#. ``a() != b()``
|
#. ``a() != b()``
|
||||||
#. ``not(a() = b())``
|
#. ``not(a() = b())``
|
||||||
|
|
||||||
look equivalent - so much so that inexperienced (and even experienced) QL programmers have been known to rewrite one as the other. However, they are not equivalent due to the quantifiers involved.
|
look equivalent - so much so that inexperienced (and even experienced) programmers have been known to rewrite one as the other. However, they are not equivalent due to the quantifiers involved.
|
||||||
|
|
||||||
Thinking of ``a()`` and ``b()`` as sets of values, the first expression says that there is a pair of values (one from each side of the inequality) which are different.
|
Thinking of ``a()`` and ``b()`` as sets of values, the first expression says that there is a pair of values (one from each side of the inequality) which are different.
|
||||||
|
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
Monotonic aggregates in QL
|
Monotonic aggregates in QL
|
||||||
==========================
|
==========================
|
||||||
|
|
||||||
In addition to standard QL aggregates, QL also supports *monotonic* aggregates. These are a slightly different way of computing aggregates which have some advantages, notably the ability to be used recursively, which normal aggregates do not have. You can enable them in a scope by adding the \ ``language[monotonicAggregates]`` pragma on a predicate, class, or module.
|
In addition to standard aggregates, QL also supports *monotonic* aggregates. These are a slightly different way of computing aggregates which have some advantages, notably the ability to be used recursively, which normal aggregates do not have. You can enable them in a scope by adding the \ ``language[monotonicAggregates]`` pragma on a predicate, class, or module.
|
||||||
|
|
||||||
Syntax
|
Syntax
|
||||||
------
|
------
|
||||||
|
|||||||
@@ -77,4 +77,4 @@ What next?
|
|||||||
|
|
||||||
- Help the villagers track down another criminal in the :doc:`next tutorial <fire-1>`.
|
- Help the villagers track down another criminal in the :doc:`next tutorial <fire-1>`.
|
||||||
- Find out more about the concepts you discovered in this tutorial in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__.
|
- Find out more about the concepts you discovered in this tutorial in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__.
|
||||||
- Explore the libraries that help you get data about code in :doc:`Learning QL <../../index>`.
|
- Explore the libraries that help you get data about code in :doc:`Learning CodeQL <../../index>`.
|
||||||
|
|||||||
@@ -40,4 +40,4 @@ What next?
|
|||||||
|
|
||||||
- Find out who will be the new ruler of the village in the :doc:`next tutorial <heir>`.
|
- Find out who will be the new ruler of the village in the :doc:`next tutorial <heir>`.
|
||||||
- Learn more about predicates and classes in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__.
|
- Learn more about predicates and classes in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__.
|
||||||
- Explore the libraries that help you get data about code in :doc:`Learning QL <../../index>`.
|
- Explore the libraries that help you get data about code in :doc:`Learning CodeQL <../../index>`.
|
||||||
|
|||||||
@@ -161,4 +161,4 @@ What next?
|
|||||||
|
|
||||||
- Learn more about recursion in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__.
|
- Learn more about recursion in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__.
|
||||||
- Put your QL skills to the test and solve the :doc:`River crossing puzzle <../ql-etudes/river-crossing>`.
|
- Put your QL skills to the test and solve the :doc:`River crossing puzzle <../ql-etudes/river-crossing>`.
|
||||||
- Start using QL to analyze projects. See :doc:`Learning QL <../../index>` for a summary of the available languages and resources.
|
- Start using QL to analyze projects. See :doc:`Learning CodeQL <../../index>` for a summary of the available languages and resources.
|
||||||
|
|||||||
@@ -7,18 +7,21 @@ QL detective tutorials
|
|||||||
|
|
||||||
./*
|
./*
|
||||||
|
|
||||||
Welcome to QL! These tutorials are aimed at complete beginners. They teach you how to write QL queries and introduce you to key logic concepts along the way.
|
Welcome to the detective tutorials! These are aimed at complete beginners who would like to learn the basics of QL,
|
||||||
|
before analyzing code with CodeQL.
|
||||||
|
The tutorials teach you how to write queries and introduce you to key logic concepts along the way.
|
||||||
|
|
||||||
We recommend you first read the :doc:`Introduction to the QL language <../introduction-to-ql>` page for a basic description of QL.
|
We recommend you first read the :doc:`Introduction to QL <../introduction-to-ql>` page for a description of the language and
|
||||||
|
some simple examples.
|
||||||
|
|
||||||
Currently the following tutorials are available:
|
Currently the following detective tutorials are available:
|
||||||
|
|
||||||
- :doc:`Find the thief <find-thief-1>` - a three part mystery that introduces logical connectives, quantifiers and aggregates
|
- :doc:`Find the thief <find-thief-1>` - a three part mystery that introduces logical connectives, quantifiers, and aggregates
|
||||||
- :doc:`Catch the fire starter <fire-1>` - an intriguing search that introduces predicates and classes
|
- :doc:`Catch the fire starter <fire-1>` - an intriguing search that introduces predicates and classes
|
||||||
- :doc:`Crown the rightful heir <heir>` - a detective puzzle that introduces recursion
|
- :doc:`Crown the rightful heir <heir>` - a detective puzzle that introduces recursion
|
||||||
|
|
||||||
Further resources
|
Further resources
|
||||||
-----------------
|
-----------------
|
||||||
|
|
||||||
- For a summary of available learning resources, see :doc:`Learning QL <../../index>`.
|
- For a summary of available learning resources, see :doc:`Learning CodeQL <../../index>`.
|
||||||
- For an overview of the important concepts in QL, see the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__.
|
- For an overview of the important concepts in QL, see the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__.
|
||||||
|
|||||||
@@ -1,10 +1,10 @@
|
|||||||
Introducing the QL libraries for COBOL
|
Introducing the CodeQL libraries for COBOL
|
||||||
======================================
|
==========================================
|
||||||
|
|
||||||
Overview
|
Overview
|
||||||
--------
|
--------
|
||||||
|
|
||||||
There is an extensive QL library for analyzing COBOL code. The classes in this library present the data from a snapshot database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks.
|
There is an extensive library for analyzing COBOL code. The classes in this library present the data from a CodeQL database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks.
|
||||||
|
|
||||||
The library is implemented as a set of QL modules–that is, files with the extension ``.qll``. The module ``cobol.qll`` imports most other standard library modules, so you can include the complete library by beginning your query with:
|
The library is implemented as a set of QL modules–that is, files with the extension ``.qll``. The module ``cobol.qll`` imports most other standard library modules, so you can include the complete library by beginning your query with:
|
||||||
|
|
||||||
@@ -12,12 +12,12 @@ The library is implemented as a set of QL modules–that is, files with the exte
|
|||||||
|
|
||||||
import cobol
|
import cobol
|
||||||
|
|
||||||
The rest of this tutorial briefly summarizes the most important QL classes and predicates provided by this library, including references to the `detailed API documentation <https://help.semmle.com/qldoc/cobol/>`__ where applicable.
|
The rest of this tutorial briefly summarizes the most important classes and predicates provided by this library, including references to the `detailed API documentation <https://help.semmle.com/qldoc/cobol/>`__ where applicable.
|
||||||
|
|
||||||
Introducing the library
|
Introducing the library
|
||||||
-----------------------
|
-----------------------
|
||||||
|
|
||||||
The QL COBOL library presents information about COBOL source code at different levels:
|
The CodeQL library for COBOL presents information about COBOL source code at different levels:
|
||||||
|
|
||||||
- **Textual** — classes that represent source code as unstructured text files
|
- **Textual** — classes that represent source code as unstructured text files
|
||||||
- **Lexical** — classes that represent comments and other tokens of interest
|
- **Lexical** — classes that represent comments and other tokens of interest
|
||||||
@@ -36,7 +36,7 @@ At its most basic level, a COBOL code base can simply be viewed as a collection
|
|||||||
Files and folders
|
Files and folders
|
||||||
^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
In QL, files are represented as entities of class `File <https://help.semmle.com/qldoc/cobol/semmle/cobol/Files.qll/type.Files$File.html>`__, and folders as entities of class `Folder <https://help.semmle.com/qldoc/cobol/semmle/cobol/Files.qll/type.Files$Folder.html>`__, both of which are subclasses of class `Container <https://help.semmle.com/qldoc/cobol/semmle/cobol/Files.qll/type.Files$Container.html>`__.
|
Files are represented as entities of class `File <https://help.semmle.com/qldoc/cobol/semmle/cobol/Files.qll/type.Files$File.html>`__, and folders as entities of class `Folder <https://help.semmle.com/qldoc/cobol/semmle/cobol/Files.qll/type.Files$Folder.html>`__, both of which are subclasses of class `Container <https://help.semmle.com/qldoc/cobol/semmle/cobol/Files.qll/type.Files$Container.html>`__.
|
||||||
|
|
||||||
Class `Container <https://help.semmle.com/qldoc/cobol/semmle/cobol/Files.qll/type.Files$Container.html>`__ provides the following member predicates:
|
Class `Container <https://help.semmle.com/qldoc/cobol/semmle/cobol/Files.qll/type.Files$Container.html>`__ provides the following member predicates:
|
||||||
|
|
||||||
@@ -48,7 +48,7 @@ Note that while ``getAFile`` and ``getAFolder`` are declared on class `Container
|
|||||||
|
|
||||||
Both files and folders have paths, which can be accessed by the predicate ``Container.getAbsolutePath()``. For example, if ``f`` represents a file with the path ``/home/user/project/src/main.cbl``, then ``f.getAbsolutePath()`` evaluates to the string ``"/home/user/project/src/main.cbl"``, while ``f.getParentContainer().getAbsolutePath()`` returns ``"/home/user/project/src"``.
|
Both files and folders have paths, which can be accessed by the predicate ``Container.getAbsolutePath()``. For example, if ``f`` represents a file with the path ``/home/user/project/src/main.cbl``, then ``f.getAbsolutePath()`` evaluates to the string ``"/home/user/project/src/main.cbl"``, while ``f.getParentContainer().getAbsolutePath()`` returns ``"/home/user/project/src"``.
|
||||||
|
|
||||||
These paths are absolute file system paths. If you want to obtain the path of a file relative to the snapshot source location, use ``Container.getRelativePath()`` instead. Note, however, that a snapshot may contain files that are not located underneath the snapshot source location; for such files, ``getRelativePath()`` will not return anything.
|
These paths are absolute file system paths. If you want to obtain the path of a file relative to the source location in the CodeQL database, use ``Container.getRelativePath()`` instead. Note, however, that a database may contain files that are not located underneath the source location; for such files, ``getRelativePath()`` will not return anything.
|
||||||
|
|
||||||
The following member predicates of class `Container <https://help.semmle.com/qldoc/cobol/semmle/cobol/Files.qll/type.Files$Container.html>`__ provide more information about the name of a file or folder:
|
The following member predicates of class `Container <https://help.semmle.com/qldoc/cobol/semmle/cobol/Files.qll/type.Files$Container.html>`__ provide more information about the name of a file or folder:
|
||||||
|
|
||||||
@@ -68,9 +68,9 @@ For example, the following query computes, for each folder, the number of COBOL
|
|||||||
Locations
|
Locations
|
||||||
^^^^^^^^^
|
^^^^^^^^^
|
||||||
|
|
||||||
Most entities in a snapshot database have an associated source location. Locations are identified by four pieces of information: a file, a start line, a start column, an end line, and an end column. Line and column counts are 1-based (so the first character of a file is at line 1, column 1), and the end position is inclusive.
|
Most entities in a CodeQL database have an associated source location. Locations are identified by four pieces of information: a file, a start line, a start column, an end line, and an end column. Line and column counts are 1-based (so the first character of a file is at line 1, column 1), and the end position is inclusive.
|
||||||
|
|
||||||
All entities associated with a source location belong to the QL class `Locatable <https://help.semmle.com/qldoc/cobol/semmle/cobol/Location.qll/type.Location$Locatable.html>`__. The location itself is modeled by the QL class `Location <https://help.semmle.com/qldoc/cobol/semmle/cobol/Location.qll/type.Location$Location.html>`__ and can be accessed through the member predicate ``Locatable.getLocation()``. The `Location <https://help.semmle.com/qldoc/cobol/semmle/cobol/Location.qll/type.Location$Location.html>`__ class provides the following member predicates:
|
All entities associated with a source location belong to the class `Locatable <https://help.semmle.com/qldoc/cobol/semmle/cobol/Location.qll/type.Location$Locatable.html>`__. The location itself is modeled by the class `Location <https://help.semmle.com/qldoc/cobol/semmle/cobol/Location.qll/type.Location$Location.html>`__ and can be accessed through the member predicate ``Locatable.getLocation()``. The `Location <https://help.semmle.com/qldoc/cobol/semmle/cobol/Location.qll/type.Location$Location.html>`__ class provides the following member predicates:
|
||||||
|
|
||||||
- ``Location.getFile()``, ``Location.getStartLine()``, ``Location.getStartColumn()``, ``Location.getEndLine()``, ``Location.getEndColumn()`` return detailed information about the location.
|
- ``Location.getFile()``, ``Location.getStartLine()``, ``Location.getStartColumn()``, ``Location.getEndLine()``, ``Location.getEndColumn()`` return detailed information about the location.
|
||||||
- ``Location.getNumLines()`` returns the number of (whole or partial) lines covered by the location.
|
- ``Location.getNumLines()`` returns the number of (whole or partial) lines covered by the location.
|
||||||
@@ -104,13 +104,13 @@ The most important member predicates are as follows:
|
|||||||
Syntactic level
|
Syntactic level
|
||||||
~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
The majority of classes in the QL COBOL library is concerned with representing a COBOL program as a collection of `abstract syntax trees <http://en.wikipedia.org/wiki/Abstract_syntax_tree>`__ (ASTs).
|
The majority of classes in the CodeQL library for COBOL are concerned with representing a COBOL program as a collection of `abstract syntax trees <http://en.wikipedia.org/wiki/Abstract_syntax_tree>`__ (ASTs).
|
||||||
|
|
||||||
The QL class `ASTNode <https://help.semmle.com/qldoc/cobol/semmle/cobol/AstNode.qll/type.AstNode$AstNode.html>`__ contains all entities representing nodes in the abstract syntax trees and defines generic tree traversal predicates:
|
The class `ASTNode <https://help.semmle.com/qldoc/cobol/semmle/cobol/AstNode.qll/type.AstNode$AstNode.html>`__ contains all entities representing nodes in the abstract syntax trees and defines generic tree traversal predicates:
|
||||||
|
|
||||||
- ``ASTNode.getParent()``: returns the parent node of this AST node, if any.
|
- ``ASTNode.getParent()``: returns the parent node of this AST node, if any.
|
||||||
|
|
||||||
Please note that the QL libraries for COBOL do not currently represent all possible parts of a COBOL program. Due to the complexity of the language, and its many dialects, this is an ongoing task. We prioritize elements that are of interest to queries, and expand this selection over time. Please check the `detailed API documentation <https://help.semmle.com/qldoc/cobol/>`__ to see what is currently available.
|
Please note that the libraries for COBOL do not currently represent all possible parts of a COBOL program. Due to the complexity of the language, and its many dialects, this is an ongoing task. We prioritize elements that are of interest to queries, and expand this selection over time. Please check the `detailed API documentation <https://help.semmle.com/qldoc/cobol/>`__ to see what is currently available.
|
||||||
|
|
||||||
The main structure of any COBOL program is represented by the `Unit <https://help.semmle.com/qldoc/cobol/semmle/cobol/Units.qll/type.Units$Unit.html>`__ class and its subclasses. For example, each program definition has a `ProgramDefinition <https://help.semmle.com/qldoc/cobol/semmle/cobol/Units.qll/type.Units$ProgramDefinition.html>`__ counterpart. For each ``PROCEDURE DIVISION`` in the program, there will be a `ProcedureDivision <https://help.semmle.com/qldoc/cobol/semmle/cobol/AST_extended.qll/type.AST_extended$ProcedureDivision.html>`__ class.
|
The main structure of any COBOL program is represented by the `Unit <https://help.semmle.com/qldoc/cobol/semmle/cobol/Units.qll/type.Units$Unit.html>`__ class and its subclasses. For example, each program definition has a `ProgramDefinition <https://help.semmle.com/qldoc/cobol/semmle/cobol/Units.qll/type.Units$ProgramDefinition.html>`__ counterpart. For each ``PROCEDURE DIVISION`` in the program, there will be a `ProcedureDivision <https://help.semmle.com/qldoc/cobol/semmle/cobol/AST_extended.qll/type.AST_extended$ProcedureDivision.html>`__ class.
|
||||||
|
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
QL for COBOL
|
CodeQL for COBOL
|
||||||
============
|
================
|
||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:glob:
|
:glob:
|
||||||
@@ -7,14 +7,14 @@ QL for COBOL
|
|||||||
|
|
||||||
introduce-libraries-cobol
|
introduce-libraries-cobol
|
||||||
|
|
||||||
This page provides an overview of the QL for COBOL documentation that is currently available.
|
This page provides an overview of the CodeQL for COBOL documentation that is currently available.
|
||||||
|
|
||||||
- `Basic COBOL query <https://lgtm.com/help/lgtm/console/ql-cobol-basic-example>`__ describes how to write and run queries using LGTM.
|
- `Basic COBOL query <https://lgtm.com/help/lgtm/console/ql-cobol-basic-example>`__ describes how to write and run queries using LGTM.
|
||||||
- :doc:`Introducing the QL libraries for COBOL <introduce-libraries-cobol>` introduces the standard libraries used to write queries for COBOL code.
|
- :doc:`Introducing the CodeQL libraries for COBOL <introduce-libraries-cobol>` introduces the standard libraries used to write queries for COBOL code.
|
||||||
|
|
||||||
|
|
||||||
Other resources
|
Other resources
|
||||||
---------------
|
---------------
|
||||||
|
|
||||||
- For the queries used in LGTM, display a `COBOL query <https://lgtm.com/search?q=language%3Acobol&t=rules>`__ and click **Open in query console** to see the QL code used to find alerts.
|
- For the queries used in LGTM, display a `COBOL query <https://lgtm.com/search?q=language%3Acobol&t=rules>`__ and click **Open in query console** to see the code used to find alerts.
|
||||||
- For more information about the COBOL QL library see the `QL library for COBOL <https://help.semmle.com/qldoc/cobol/>`__.
|
- For more information about the library for COBOL see the `CodeQL library for COBOL <https://help.semmle.com/qldoc/cobol/>`__.
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
#
|
#
|
||||||
# Learn QL documentation build configuration file, created by
|
# Learn CodeQL documentation build configuration file, created by
|
||||||
# on Tuesday Nov 13 2018.
|
# on Tuesday Nov 13 2018.
|
||||||
#
|
#
|
||||||
# This file is execfile()d with the current directory set to its
|
# This file is execfile()d with the current directory set to its
|
||||||
@@ -41,16 +41,16 @@ highlight_language = 'ql'
|
|||||||
master_doc = 'index'
|
master_doc = 'index'
|
||||||
|
|
||||||
# General information about the project.
|
# General information about the project.
|
||||||
project = u'Learning QL'
|
project = u'Learning CodeQL'
|
||||||
|
|
||||||
# -- Project-specifc options for HTML output ----------------------------------------------
|
# -- Project-specifc options for HTML output ----------------------------------------------
|
||||||
|
|
||||||
# The name for this set of Sphinx documents. If None, it defaults to
|
# The name for this set of Sphinx documents. If None, it defaults to
|
||||||
# "<project> v<release> documentation".
|
# "<project> v<release> documentation".
|
||||||
html_title = 'Learn QL'
|
html_title = 'Learn CodeQL'
|
||||||
|
|
||||||
# Output file base name for HTML help builder.
|
# Output file base name for HTML help builder.
|
||||||
htmlhelp_basename = 'Learn QL'
|
htmlhelp_basename = 'Learn CodeQL'
|
||||||
|
|
||||||
# The version info for this project, if different from version and release in main conf.py file.
|
# The version info for this project, if different from version and release in main conf.py file.
|
||||||
# The short X.Y version.
|
# The short X.Y version.
|
||||||
|
|||||||
@@ -4,12 +4,12 @@ Tutorial: Conversions and classes
|
|||||||
Overview
|
Overview
|
||||||
--------
|
--------
|
||||||
|
|
||||||
This topic contains worked examples of how to write queries using the standard QL library classes for C/C++ conversions and classes.
|
This topic contains worked examples of how to write queries using the CodeQL library classes for C/C++ conversions and classes.
|
||||||
|
|
||||||
Conversions
|
Conversions
|
||||||
-----------
|
-----------
|
||||||
|
|
||||||
Let us take a look at the QL ``Conversion`` class in the standard library:
|
Let us take a look at the ``Conversion`` class in the standard library:
|
||||||
|
|
||||||
- ``Expr``
|
- ``Expr``
|
||||||
|
|
||||||
@@ -128,26 +128,26 @@ Unlike the earlier versions of the query, this query would return each side of t
|
|||||||
|
|
||||||
Note
|
Note
|
||||||
|
|
||||||
In general, QL predicates named ``getAXxx`` exploit the ability to return multiple results (multiple instances of ``Xxx``) whereas plain ``getXxx`` predicates usually return at most one specific instance of ``Xxx``.
|
In general, predicates named ``getAXxx`` exploit the ability to return multiple results (multiple instances of ``Xxx``) whereas plain ``getXxx`` predicates usually return at most one specific instance of ``Xxx``.
|
||||||
|
|
||||||
Classes
|
Classes
|
||||||
-------
|
-------
|
||||||
|
|
||||||
Next we're going to look at C++ classes, using the following QL classes:
|
Next we're going to look at C++ classes, using the following CodeQL classes:
|
||||||
|
|
||||||
- ``Type``
|
- ``Type``
|
||||||
|
|
||||||
- ``UserType``—includes classes, typedefs and enums
|
- ``UserType``—includes classes, typedefs, and enums
|
||||||
|
|
||||||
- ``Class``—a class or struct
|
- ``Class``—a class or struct
|
||||||
|
|
||||||
- ``Struct``—a struct, which is treated as a subtype of Class in QL.
|
- ``Struct``—a struct, which is treated as a subtype of ``Class``
|
||||||
- ``TemplateClass``—a C++ class template
|
- ``TemplateClass``—a C++ class template
|
||||||
|
|
||||||
Finding derived classes
|
Finding derived classes
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
We want to create a query that checks for destructors that should be ``virtual``. Specifically, when a class and a class derived from it both have destructors, the base class destructor should generally be virtual. This ensures that the derived class destructor is always invoked. A ``Destructor`` in QL is a subtype of ``MemberFunction``:
|
We want to create a query that checks for destructors that should be ``virtual``. Specifically, when a class and a class derived from it both have destructors, the base class destructor should generally be virtual. This ensures that the derived class destructor is always invoked. In the CodeQL library, ``Destructor`` is a subtype of ``MemberFunction``:
|
||||||
|
|
||||||
- ``Function``
|
- ``Function``
|
||||||
|
|
||||||
@@ -221,13 +221,13 @@ Our last change is to use ``Function.isVirtual()`` to find cases where the base
|
|||||||
|
|
||||||
That completes the query.
|
That completes the query.
|
||||||
|
|
||||||
There is a similar built-in LGTM `query <https://lgtm.com/rules/2158670642/>`__ that finds classes in a C/C++ project with virtual functions but no virtual destructor. You can take a look at the QL code for this query by clicking **Open in query console** at the top of that page.
|
There is a similar built-in LGTM `query <https://lgtm.com/rules/2158670642/>`__ that finds classes in a C/C++ project with virtual functions but no virtual destructor. You can take a look at the code for this query by clicking **Open in query console** at the top of that page.
|
||||||
|
|
||||||
What next?
|
What next?
|
||||||
----------
|
----------
|
||||||
|
|
||||||
- Explore other ways of querying classes using examples from the `C/C++ cookbook <https://help.semmle.com/wiki/label/CBCPP/class>`__.
|
- Explore other ways of querying classes using examples from the `C/C++ cookbook <https://help.semmle.com/wiki/label/CBCPP/class>`__.
|
||||||
- Take a look at the :doc:`Analyzing data flow in C/C++ <dataflow>` tutorial.
|
- Take a look at the :doc:`Analyzing data flow in C/C++ <dataflow>` tutorial.
|
||||||
- Try the worked examples in the following topics: :doc:`Example: Checking that constructors initialize all private fields <private-field-initialization>` and :doc:`Example: Checking for allocations equal to 'strlen(string)' without space for a null terminator <zero-space-terminator>`.
|
- Try the worked examples in the following topics: :doc:`Example: Checking that constructors initialize all private fields <private-field-initialization>`, and :doc:`Example: Checking for allocations equal to 'strlen(string)' without space for a null terminator <zero-space-terminator>`.
|
||||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||||
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
|
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
|
||||||
|
|||||||
@@ -4,10 +4,10 @@ Analyzing data flow in C/C++
|
|||||||
Overview
|
Overview
|
||||||
--------
|
--------
|
||||||
|
|
||||||
This topic describes how data flow analysis is implemented in the QL for C/C++ library and includes examples to help you write your own data flow queries.
|
This topic describes how data flow analysis is implemented in the CodeQL libraries for C/C++ and includes examples to help you write your own data flow queries.
|
||||||
The following sections describe how to utilize the QL libraries for local data flow, global data flow and taint tracking.
|
The following sections describe how to utilize the libraries for local data flow, global data flow, and taint tracking.
|
||||||
|
|
||||||
For a more general introduction to modeling data flow in QL, see :doc:`Introduction to data flow analysis in QL <../intro-to-data-flow>`.
|
For a more general introduction to modeling data flow, see :doc:`Introduction to data flow analysis with CodeQL <../intro-to-data-flow>`.
|
||||||
|
|
||||||
Local data flow
|
Local data flow
|
||||||
---------------
|
---------------
|
||||||
@@ -166,6 +166,7 @@ The following predicates are defined in the configuration:
|
|||||||
- ``isSource``—defines where data may flow from
|
- ``isSource``—defines where data may flow from
|
||||||
- ``isSink``—defines where data may flow to
|
- ``isSink``—defines where data may flow to
|
||||||
- ``isBarrier``—optional, restricts the data flow
|
- ``isBarrier``—optional, restricts the data flow
|
||||||
|
- ``isBarrierGuard``—optional, restricts the data flow
|
||||||
- ``isAdditionalFlowStep``—optional, adds additional flow steps
|
- ``isAdditionalFlowStep``—optional, adds additional flow steps
|
||||||
|
|
||||||
The characteristic predicate ``MyDataFlowConfiguration()`` defines the name of the configuration, so ``"MyDataFlowConfiguration"`` should be replaced by the name of your class.
|
The characteristic predicate ``MyDataFlowConfiguration()`` defines the name of the configuration, so ``"MyDataFlowConfiguration"`` should be replaced by the name of your class.
|
||||||
@@ -204,6 +205,7 @@ The following predicates are defined in the configuration:
|
|||||||
- ``isSource``—defines where taint may flow from
|
- ``isSource``—defines where taint may flow from
|
||||||
- ``isSink``—defines where taint may flow to
|
- ``isSink``—defines where taint may flow to
|
||||||
- ``isSanitizer``—optional, restricts the taint flow
|
- ``isSanitizer``—optional, restricts the taint flow
|
||||||
|
- ``isSanitizerGuard``—optional, restricts the taint flow
|
||||||
- ``isAdditionalTaintStep``—optional, adds additional taint steps
|
- ``isAdditionalTaintStep``—optional, adds additional taint steps
|
||||||
|
|
||||||
Similar to global data flow, the characteristic predicate ``MyTaintTrackingConfiguration()`` defines the unique name of the configuration, so ``"MyTaintTrackingConfiguration"`` should be replaced by the name of your class.
|
Similar to global data flow, the characteristic predicate ``MyTaintTrackingConfiguration()`` defines the unique name of the configuration, so ``"MyTaintTrackingConfiguration"`` should be replaced by the name of your class.
|
||||||
|
|||||||
@@ -4,12 +4,12 @@ Tutorial: Expressions, types and statements
|
|||||||
Overview
|
Overview
|
||||||
--------
|
--------
|
||||||
|
|
||||||
This topic contains worked examples of how to write queries using the standard QL library classes for C/C++ expressions, types, and statements.
|
This topic contains worked examples of how to write queries using the standard CodeQL library classes for C/C++ expressions, types, and statements.
|
||||||
|
|
||||||
Expressions and types
|
Expressions and types
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
Each part of an expression in C becomes an instance of the QL ``Expr`` class. For example, the C code ``x = x + 1`` becomes an ``AssignExpr``, an ``AddExpr``, two instances of ``VariableAccess`` and a ``Literal``. All of these QL classes extend ``Expr``.
|
Each part of an expression in C becomes an instance of the ``Expr`` class. For example, the C code ``x = x + 1`` becomes an ``AssignExpr``, an ``AddExpr``, two instances of ``VariableAccess`` and a ``Literal``. All of these CodeQL classes extend ``Expr``.
|
||||||
|
|
||||||
Finding assignments to zero
|
Finding assignments to zero
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
@@ -26,7 +26,7 @@ In the following example we find instances of ``AssignExpr`` which assign the co
|
|||||||
|
|
||||||
➤ `See this in the query console <https://lgtm.com/query/1505908086530/>`__
|
➤ `See this in the query console <https://lgtm.com/query/1505908086530/>`__
|
||||||
|
|
||||||
The ``where`` clause in this example gets the expression on the right side of the assignment, ``getRValue()``, and compares it with zero. Notice that there are no checks to make sure that the right side of the assignment is an integer or that it has a value (that is, it is compile-time constant, rather than a variable). For expressions where either of these assumptions is wrong, the associated QL predicate simply does not return anything and the ``where`` clause will not produce a result. You could think of it as if there is an implicit ``exists(e.getRValue().getValue().toInt())`` at the beginning of this line.
|
The ``where`` clause in this example gets the expression on the right side of the assignment, ``getRValue()``, and compares it with zero. Notice that there are no checks to make sure that the right side of the assignment is an integer or that it has a value (that is, it is compile-time constant, rather than a variable). For expressions where either of these assumptions is wrong, the associated predicate simply does not return anything and the ``where`` clause will not produce a result. You could think of it as if there is an implicit ``exists(e.getRValue().getValue().toInt())`` at the beginning of this line.
|
||||||
|
|
||||||
It is also worth noting that the query above would find this C code:
|
It is also worth noting that the query above would find this C code:
|
||||||
|
|
||||||
@@ -34,7 +34,7 @@ It is also worth noting that the query above would find this C code:
|
|||||||
|
|
||||||
yPtr = NULL;
|
yPtr = NULL;
|
||||||
|
|
||||||
This is because the snapshot contains a representation of the code base after the preprocessor transforms have run (for more information, see `Database generation <https://lgtm.com/help/lgtm/generate-database>`__). This means that any macro invocations, such as the ``NULL`` define used here, are expanded during the creation of the snapshot. If you want to write queries about macros then there are some special library classes that have been designed specifically for this purpose (for example, the ``Macro``, ``MacroInvocation`` classes and predicates like ``Element.isInMacroExpansion()``). In this case, it is good that macros are expanded, but we do not want to find assignments to pointers.
|
This is because the database contains a representation of the code base after the preprocessor transforms have run (for more information, see `Database generation <https://lgtm.com/help/lgtm/generate-database>`__). This means that any macro invocations, such as the ``NULL`` define used here, are expanded during the creation of the database. If you want to write queries about macros then there are some special library classes that have been designed specifically for this purpose (for example, the ``Macro``, ``MacroInvocation`` classes and predicates like ``Element.isInMacroExpansion()``). In this case, it is good that macros are expanded, but we do not want to find assignments to pointers.
|
||||||
|
|
||||||
Finding assignments of 0 to an integer
|
Finding assignments of 0 to an integer
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|||||||
@@ -4,14 +4,14 @@ Tutorial: Function classes
|
|||||||
Overview
|
Overview
|
||||||
--------
|
--------
|
||||||
|
|
||||||
The standard QL library for C and C++ represents functions using the ``Function`` class (see :doc:`Introducing the C/C++ libraries <introduce-libraries-cpp>`).
|
The standard CodeQL library for C and C++ represents functions using the ``Function`` class (see :doc:`Introducing the C/C++ libraries <introduce-libraries-cpp>`).
|
||||||
|
|
||||||
The example queries in this topic explore some of the most useful library predicates for querying functions.
|
The example queries in this topic explore some of the most useful library predicates for querying functions.
|
||||||
|
|
||||||
Finding all static functions
|
Finding all static functions
|
||||||
----------------------------
|
----------------------------
|
||||||
|
|
||||||
Using the member predicate ``Function.isStatic()`` we can list all of the static functions in a snapshot:
|
Using the member predicate ``Function.isStatic()`` we can list all the static functions in a database:
|
||||||
|
|
||||||
.. code-block:: ql
|
.. code-block:: ql
|
||||||
|
|
||||||
@@ -26,7 +26,7 @@ This query is very general, so there are probably too many results to be interes
|
|||||||
Finding functions that are not called
|
Finding functions that are not called
|
||||||
-------------------------------------
|
-------------------------------------
|
||||||
|
|
||||||
It might be more interesting to find functions that are not called, using the standard QL ``FunctionCall`` class from the **abstract syntax tree** category (see :doc:`Introducing the C/C++ libraries <introduce-libraries-cpp>`). The ``FunctionCall`` class can be used to identify places where a function is actually used, and it is related to ``Function`` through the ``FunctionCall.getTarget()`` predicate.
|
It might be more interesting to find functions that are not called, using the standard CodeQL ``FunctionCall`` class from the **abstract syntax tree** category (see :doc:`Introducing the C/C++ libraries <introduce-libraries-cpp>`). The ``FunctionCall`` class can be used to identify places where a function is actually used, and it is related to ``Function`` through the ``FunctionCall.getTarget()`` predicate.
|
||||||
|
|
||||||
.. code-block:: ql
|
.. code-block:: ql
|
||||||
|
|
||||||
@@ -58,9 +58,9 @@ You can modify the query to remove functions where a function pointer is used to
|
|||||||
|
|
||||||
This query returns fewer results. However, if you examine the results then you can probably still find potential refinements.
|
This query returns fewer results. However, if you examine the results then you can probably still find potential refinements.
|
||||||
|
|
||||||
For example, there is a more complicated LGTM `query <https://lgtm.com/rules/2152580467/>`__ that finds unused static functions. To see the QL code for this query, click **Open in query console** at the top of the page.
|
For example, there is a more complicated LGTM `query <https://lgtm.com/rules/2152580467/>`__ that finds unused static functions. To see the code for this query, click **Open in query console** at the top of the page.
|
||||||
|
|
||||||
You can explore the definition of an element in the standard QL libraries and see what predicates are available. Use the keyboard **F3** button to open the definition of any element. Alternatively, hover over the element and click **Jump to definition** in the tooltip displayed. The library file is opened in a new tab with the definition highlighted.
|
You can explore the definition of an element in the standard libraries and see what predicates are available. Use the keyboard **F3** button to open the definition of any element. Alternatively, hover over the element and click **Jump to definition** in the tooltip displayed. The library file is opened in a new tab with the definition highlighted.
|
||||||
|
|
||||||
Finding a specific function
|
Finding a specific function
|
||||||
---------------------------
|
---------------------------
|
||||||
|
|||||||
@@ -1,23 +1,23 @@
|
|||||||
Introducing the C/C++ libraries
|
Introducing the CodeQL libraries for C/C++
|
||||||
===============================
|
==========================================
|
||||||
|
|
||||||
Overview
|
Overview
|
||||||
--------
|
--------
|
||||||
|
|
||||||
There is an extensive QL library for analyzing snapshots extracted from C/C++ projects. The QL classes in this library present the data from a snapshot database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``cpp.qll`` imports all of the core C/C++ library modules, so you can include the complete library by beginning your query with:
|
There is an extensive library for analyzing CodeQL databases extracted from C/C++ projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``cpp.qll`` imports all the core C/C++ library modules, so you can include the complete library by beginning your query with:
|
||||||
|
|
||||||
.. code-block:: ql
|
.. code-block:: ql
|
||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
|
|
||||||
The rest of this topic summarizes available QL classes and corresponding C/C++ constructs.
|
The rest of this topic summarizes the available CodeQL classes and corresponding C/C++ constructs.
|
||||||
|
|
||||||
NOTE: You can find related classes and features using the query console's auto-complete feature. You can also press *F3* to jump to the definition of any element; QL library files are opened in new tabs in the console.
|
NOTE: You can find related classes and features using the query console's auto-complete feature. You can also press *F3* to jump to the definition of any element; library files are opened in new tabs in the console.
|
||||||
|
|
||||||
Summary of the library classes
|
Summary of the library classes
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
The most commonly used standard QL library classes are listed below. The listing is broken down by functionality. Each QL library class is annotated with a C/C++ construct it corresponds to.
|
The most commonly used standard library classes are listed below. The listing is broken down by functionality. Each library class is annotated with a C/C++ construct it corresponds to.
|
||||||
|
|
||||||
Declaration classes
|
Declaration classes
|
||||||
~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~
|
||||||
@@ -25,7 +25,7 @@ Declaration classes
|
|||||||
This table lists `Declaration <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Declaration.qll/type.Declaration$Declaration.html>`__ classes representing C/C++ declarations.
|
This table lists `Declaration <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Declaration.qll/type.Declaration$Declaration.html>`__ classes representing C/C++ declarations.
|
||||||
|
|
||||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||||
| Example syntax | QL class | Remarks |
|
| Example syntax | CodeQL class | Remarks |
|
||||||
+=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================================================================================================================================================================+====================================================================================================================================================================================================+
|
+=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================================================================================================================================================================+====================================================================================================================================================================================================+
|
||||||
| ``int`` *var* ``;`` | `GlobalVariable <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Variable.qll/type.Variable$GlobalVariable.html>`__ | |
|
| ``int`` *var* ``;`` | `GlobalVariable <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Variable.qll/type.Variable$GlobalVariable.html>`__ | |
|
||||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||||
@@ -154,7 +154,7 @@ Statement classes
|
|||||||
This table lists subclasses of `Stmt <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/stmts/Stmt.qll/type.Stmt$Stmt.html>`__ representing C/C++ statements.
|
This table lists subclasses of `Stmt <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/stmts/Stmt.qll/type.Stmt$Stmt.html>`__ representing C/C++ statements.
|
||||||
|
|
||||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||||
| Example syntax | QL class | Remarks |
|
| Example syntax | CodeQL class | Remarks |
|
||||||
+===============================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+===================================================================================================================================================================================================================================================================================================+
|
+===============================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+===================================================================================================================================================================================================================================================================================================+
|
||||||
| ``__asm__ ("`` *movb %bh, (%eax)* ``");`` | `AsmStmt <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/stmts/Stmt.qll/type.Stmt$AsmStmt.html>`__ | Specific to a given CPU instruction set |
|
| ``__asm__ ("`` *movb %bh, (%eax)* ``");`` | `AsmStmt <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/stmts/Stmt.qll/type.Stmt$AsmStmt.html>`__ | Specific to a given CPU instruction set |
|
||||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||||
@@ -215,7 +215,7 @@ Expression classes
|
|||||||
This table lists subclasses of `Expr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$Expr.html>`__ representing C/C++ expressions.
|
This table lists subclasses of `Expr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$Expr.html>`__ representing C/C++ expressions.
|
||||||
|
|
||||||
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||||
| Example syntax | QL class(es) | Remarks |
|
| Example syntax | CodeQL class(es) | Remarks |
|
||||||
+========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+==========================================================================================================================================================================================================+=============================================================================================================================================================================================================================================================================================================+
|
+========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+==========================================================================================================================================================================================================+=============================================================================================================================================================================================================================================================================================================+
|
||||||
| ``{`` `Expr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$Expr.html>`__... ``}`` | | `ArrayAggregateLiteral <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Literal.qll/type.Literal$ArrayAggregateLiteral.html>`__ | |
|
| ``{`` `Expr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$Expr.html>`__... ``}`` | | `ArrayAggregateLiteral <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Literal.qll/type.Literal$ArrayAggregateLiteral.html>`__ | |
|
||||||
| | | `ClassAggregateLiteral <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Literal.qll/type.Literal$ClassAggregateLiteral.html>`__ | |
|
| | | `ClassAggregateLiteral <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Literal.qll/type.Literal$ClassAggregateLiteral.html>`__ | |
|
||||||
@@ -417,7 +417,7 @@ Type classes
|
|||||||
This table lists subclasses of `Type <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Type.qll/type.Type$Type.html>`__ representing C/C++ types.
|
This table lists subclasses of `Type <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Type.qll/type.Type$Type.html>`__ representing C/C++ types.
|
||||||
|
|
||||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||||
| Example syntax | QL class | Remarks |
|
| Example syntax | CodeQL class | Remarks |
|
||||||
+=============================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+==================================================================================================================================================================================================================================================================================+
|
+=============================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+==================================================================================================================================================================================================================================================================================+
|
||||||
| ``void`` | `VoidType <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Type.qll/type.Type$VoidType.html>`__ | |
|
| ``void`` | `VoidType <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Type.qll/type.Type$VoidType.html>`__ | |
|
||||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||||
@@ -485,7 +485,7 @@ Preprocessor classes
|
|||||||
This table lists `Preprocessor <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Preprocessor.qll/module.Preprocessor.html>`__ classes representing C/C++ preprocessing directives.
|
This table lists `Preprocessor <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Preprocessor.qll/module.Preprocessor.html>`__ classes representing C/C++ preprocessing directives.
|
||||||
|
|
||||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||||
| Example syntax | QL class | Remarks |
|
| Example syntax | CodeQL class | Remarks |
|
||||||
+=============================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+===================================================================================================================================================================================================================================================================================+
|
+=============================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+===================================================================================================================================================================================================================================================================================+
|
||||||
| ``#elif`` *condition* | `PreprocessorElif <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Preprocessor.qll/type.Preprocessor$PreprocessorElif.html>`__ | |
|
| ``#elif`` *condition* | `PreprocessorElif <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Preprocessor.qll/type.Preprocessor$PreprocessorElif.html>`__ | |
|
||||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||||
@@ -522,6 +522,6 @@ This table lists `Preprocessor <https://help.semmle.com/qldoc/cpp/semmle/code/cp
|
|||||||
What next?
|
What next?
|
||||||
----------
|
----------
|
||||||
|
|
||||||
- Experiment with the worked examples in the QL for C/C++ topics: :doc:`Function classes <function-classes>`, :doc:`Expressions, types and statements <expressions-types>`, :doc:`Conversions and classes <conversions-classes>`, and :doc:`Analyzing data flow in C/C++ <dataflow>`.
|
- Experiment with the worked examples in the CodeQL for C/C++ topics: :doc:`Function classes <function-classes>`, :doc:`Expressions, types and statements <expressions-types>`, :doc:`Conversions and classes <conversions-classes>`, and :doc:`Analyzing data flow in C/C++ <dataflow>`.
|
||||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||||
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
|
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ Example: Checking that constructors initialize all private fields
|
|||||||
Overview
|
Overview
|
||||||
--------
|
--------
|
||||||
|
|
||||||
This topic describes how a C++ query was developed. The example introduces recursive predicates and demonstrates the typical workflow used to refine a query. For a full overview of the topics available for learning to write QL queries for C/C++ code, see :doc:`QL for C/C++ <ql-for-cpp>`.
|
This topic describes how a C++ query was developed. The example introduces recursive predicates and demonstrates the typical workflow used to refine a query. For a full overview of the topics available for learning to write queries for C/C++ code, see :doc:`CodeQL for C/C++ <ql-for-cpp>`.
|
||||||
|
|
||||||
Problem—finding every private field and checking for initialization
|
Problem—finding every private field and checking for initialization
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
@@ -29,7 +29,7 @@ We can start by looking at every private field in a class and checking that ever
|
|||||||
#. ``f.isPrivate()`` checks if the field is private.
|
#. ``f.isPrivate()`` checks if the field is private.
|
||||||
#. ``not exists(Assignment a | a = f.getAnAssignment() and a.getEnclosingFunction() = c)`` checks that there is no assignment to the field in the constructor.
|
#. ``not exists(Assignment a | a = f.getAnAssignment() and a.getEnclosingFunction() = c)`` checks that there is no assignment to the field in the constructor.
|
||||||
|
|
||||||
This QL code looks fairly complete, but when you test it on a project, there are several results that contain examples that we have overlooked.
|
This code looks fairly complete, but when you test it on a project, there are several results that contain examples that we have overlooked.
|
||||||
|
|
||||||
Refinement 1—excluding fields initialized by lists
|
Refinement 1—excluding fields initialized by lists
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
@@ -62,7 +62,7 @@ These can be excluded by adding an extra condition to check for this special con
|
|||||||
Refinement 2—excluding fields initialized by external libraries
|
Refinement 2—excluding fields initialized by external libraries
|
||||||
---------------------------------------------------------------
|
---------------------------------------------------------------
|
||||||
|
|
||||||
When you test the revised query, you may discover that fields from classes in external libraries are over-reported. This is often because a header file declares a constructor that is defined in a source file that is not analyzed (external libraries are often excluded from analysis). When the source code is analyzed, the snapshot is populated with a ``Constructor`` entry with no body. This ``constructor`` therefore contains no assignments and consequently the query reports that any fields initialized by the constructor are "uninitialized." There is no particular reason to be suspicious of these cases, and we can exclude them from the results by defining a condition to exclude constructors that have no body:
|
When you test the revised query, you may discover that fields from classes in external libraries are over-reported. This is often because a header file declares a constructor that is defined in a source file that is not analyzed (external libraries are often excluded from analysis). When the source code is analyzed, the CodeQL database is populated with a ``Constructor`` entry with no body. This ``constructor`` therefore contains no assignments and consequently the query reports that any fields initialized by the constructor are "uninitialized." There is no particular reason to be suspicious of these cases, and we can exclude them from the results by defining a condition to exclude constructors that have no body:
|
||||||
|
|
||||||
.. code-block:: ql
|
.. code-block:: ql
|
||||||
|
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
QL for C/C++
|
CodeQL for C/C++
|
||||||
============
|
================
|
||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:glob:
|
:glob:
|
||||||
@@ -13,19 +13,19 @@ QL for C/C++
|
|||||||
private-field-initialization
|
private-field-initialization
|
||||||
zero-space-terminator
|
zero-space-terminator
|
||||||
|
|
||||||
These topics provide an overview of the QL C/C++ standard libraries and show examples of how to write queries that use them.
|
These topics provide an overview of the CodeQL libraries for C/C++ and show examples of how to write queries that use them.
|
||||||
|
|
||||||
- `Basic C/C++ QL query <https://lgtm.com/help/lgtm/console/ql-cpp-basic-example>`__ describes how to write and run queries using LGTM.
|
- `Basic C/C++ query <https://lgtm.com/help/lgtm/console/ql-cpp-basic-example>`__ describes how to write and run queries using LGTM.
|
||||||
|
|
||||||
- :doc:`Introducing the QL libraries for C/C++ <introduce-libraries-cpp>` introduces the standard libraries used to write queries for C and C++ code.
|
- :doc:`Introducing the CodeQL libraries for C/C++ <introduce-libraries-cpp>` introduces the standard libraries used to write queries for C and C++ code.
|
||||||
|
|
||||||
- :doc:`Tutorial: Function classes <function-classes>` demonstrates how to write queries using the standard QL library classes for C/C++ functions.
|
- :doc:`Tutorial: Function classes <function-classes>` demonstrates how to write queries using the standard CodeQL library classes for C/C++ functions.
|
||||||
|
|
||||||
- :doc:`Tutorial: Expressions, types and statements <expressions-types>` demonstrates how to write queries using the standard QL library classes for C/C++ expressions, types and statements.
|
- :doc:`Tutorial: Expressions, types and statements <expressions-types>` demonstrates how to write queries using the standard CodeQL library classes for C/C++ expressions, types and statements.
|
||||||
|
|
||||||
- :doc:`Tutorial: Conversions and classes <conversions-classes>` demonstrates how to write queries using the standard QL library classes for C/C++ conversions and classes.
|
- :doc:`Tutorial: Conversions and classes <conversions-classes>` demonstrates how to write queries using the standard CodeQL library classes for C/C++ conversions and classes.
|
||||||
|
|
||||||
- :doc:`Tutorial: Analyzing data flow in C/C++ <dataflow>` demonstrates how to write queries using the standard QL for C/C++ data flow and taint tracking libraries.
|
- :doc:`Tutorial: Analyzing data flow in C/C++ <dataflow>` demonstrates how to write queries using the standard data flow and taint tracking libraries for C/C++.
|
||||||
|
|
||||||
- :doc:`Example: Checking that constructors initialize all private fields <private-field-initialization>` works through the development of a query. It introduces recursive predicates and shows the typical workflow used to refine a query.
|
- :doc:`Example: Checking that constructors initialize all private fields <private-field-initialization>` works through the development of a query. It introduces recursive predicates and shows the typical workflow used to refine a query.
|
||||||
|
|
||||||
@@ -51,6 +51,8 @@ Advanced libraries
|
|||||||
Other resources
|
Other resources
|
||||||
---------------
|
---------------
|
||||||
|
|
||||||
- For examples of how to query common C/C++ elements, see the `C/C++ QL cookbook <https://help.semmle.com/wiki/display/CBCPP>`__.
|
.. TODO: Rename the cookbooks: C/C++ cookbook, or C/C++ CodeQL cookbook, or CodeQL cookbook for C/C++, or...?
|
||||||
- For the queries used in LGTM, display a `C/C++ query <https://lgtm.com/search?q=language%3Acpp&t=rules>`__ and click **Open in query console** to see the QL code used to find alerts.
|
|
||||||
- For more information about the C/C++ QL library see the `QL library for C/C++ <https://help.semmle.com/qldoc/cpp>`__.
|
- For examples of how to query common C/C++ elements, see the `C/C++ cookbook <https://help.semmle.com/wiki/display/CBCPP>`__.
|
||||||
|
- For the queries used in LGTM, display a `C/C++ query <https://lgtm.com/search?q=language%3Acpp&t=rules>`__ and click **Open in query console** to see the code used to find alerts.
|
||||||
|
- For more information about the library for C/C++ see the `CodeQL library for C/C++ <https://help.semmle.com/qldoc/cpp>`__.
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ Hash consing and value numbering
|
|||||||
Overview
|
Overview
|
||||||
--------
|
--------
|
||||||
|
|
||||||
In C and C++ QL databases, each node in the abstract syntax tree is represented by a separate object. This allows both analysis and results display to refer to specific appearances of a piece of syntax. However, it is frequently useful to determine whether two expressions are equivalent, either syntactically or semantically.
|
In C and C++ databases, each node in the abstract syntax tree is represented by a separate object. This allows both analysis and results display to refer to specific appearances of a piece of syntax. However, it is frequently useful to determine whether two expressions are equivalent, either syntactically or semantically.
|
||||||
|
|
||||||
The `hash consing <https://en.wikipedia.org/wiki/Hash_consing>`__ library (defined in ``semmle.code.cpp.valuenumbering.HashCons``) provides a mechanism for identifying expressions that have the same syntactic structure. The `global value numbering <https://en.wikipedia.org/wiki/Value_numbering>`__ library (defined in ``semmle.code.cpp.valuenumbering.GlobalValueNumbering``) provides a mechanism for identifying expressions that compute the same value at runtime.
|
The `hash consing <https://en.wikipedia.org/wiki/Hash_consing>`__ library (defined in ``semmle.code.cpp.valuenumbering.HashCons``) provides a mechanism for identifying expressions that have the same syntactic structure. The `global value numbering <https://en.wikipedia.org/wiki/Value_numbering>`__ library (defined in ``semmle.code.cpp.valuenumbering.GlobalValueNumbering``) provides a mechanism for identifying expressions that compute the same value at runtime.
|
||||||
|
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ Example: Checking for allocations equal to ``strlen(string)`` without space for
|
|||||||
Overview
|
Overview
|
||||||
--------
|
--------
|
||||||
|
|
||||||
This topic describes how a C/C++ query for detecting a potential buffer overflow was developed. For a full overview of the topics available for learning to write QL queries for C/C++ code, see :doc:`QL for C/C++ <ql-for-cpp>`.
|
This topic describes how a C/C++ query for detecting a potential buffer overflow was developed. For a full overview of the topics available for learning to write queries for C/C++ code, see :doc:`CodeQL for C/C++ <ql-for-cpp>`.
|
||||||
|
|
||||||
Problem—detecting memory allocation that omits space for a null termination character
|
Problem—detecting memory allocation that omits space for a null termination character
|
||||||
-------------------------------------------------------------------------------------
|
-------------------------------------------------------------------------------------
|
||||||
@@ -32,7 +32,7 @@ Defining the entities of interest
|
|||||||
|
|
||||||
You could approach this problem either by searching for code similar to the call to ``malloc`` in line 3 or the call to ``strcpy`` in line 5 (see example above). For our basic query, we start with a simple assumption: any call to ``malloc`` with only a ``strlen`` to define the memory size is likely to cause an error when the memory is populated.
|
You could approach this problem either by searching for code similar to the call to ``malloc`` in line 3 or the call to ``strcpy`` in line 5 (see example above). For our basic query, we start with a simple assumption: any call to ``malloc`` with only a ``strlen`` to define the memory size is likely to cause an error when the memory is populated.
|
||||||
|
|
||||||
Calls to ``strlen`` can be identified using the library `StrlenCall <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/commons/StringAnalysis.qll/type.StringAnalysis$StrlenCall.html>`__ class, but we need to define a new class to identify calls to ``malloc``. Both the library class and the new class need to extend the standard QL class ``FunctionCall``, with the added restriction of the function name that they apply to:
|
Calls to ``strlen`` can be identified using the library `StrlenCall <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/commons/StringAnalysis.qll/type.StringAnalysis$StrlenCall.html>`__ class, but we need to define a new class to identify calls to ``malloc``. Both the library class and the new class need to extend the standard class ``FunctionCall``, with the added restriction of the function name that they apply to:
|
||||||
|
|
||||||
.. code-block:: ql
|
.. code-block:: ql
|
||||||
|
|
||||||
@@ -52,7 +52,7 @@ Calls to ``strlen`` can be identified using the library `StrlenCall <https://hel
|
|||||||
Finding the ``strlen(string)`` pattern
|
Finding the ``strlen(string)`` pattern
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
Before we start to write our query, there's one remaining task. We need to modify our new ``MallocCall`` class, so it returns an expression for the size of the allocation. Currently this will be the first argument to the ``malloc`` call, ``FunctionCall.getArgument(0)``, but converting this into a QL predicate makes it more flexible for future refinements.
|
Before we start to write our query, there's one remaining task. We need to modify our new ``MallocCall`` class, so it returns an expression for the size of the allocation. Currently this will be the first argument to the ``malloc`` call, ``FunctionCall.getArgument(0)``, but converting this into a predicate makes it more flexible for future refinements.
|
||||||
|
|
||||||
.. code-block:: ql
|
.. code-block:: ql
|
||||||
|
|
||||||
@@ -106,7 +106,7 @@ The query above works for simple cases, but does not identify a common coding pa
|
|||||||
int len = strlen(input);
|
int len = strlen(input);
|
||||||
buffer = malloc(len);
|
buffer = malloc(len);
|
||||||
|
|
||||||
To identify this case we can use the standard QL library ``SSA.qll`` (imported as ``semmle.code.cpp.controlflow.SSA``).
|
To identify this case we can use the standard library ``SSA.qll`` (imported as ``semmle.code.cpp.controlflow.SSA``).
|
||||||
|
|
||||||
This library helps us identify where values assigned to local variables may subsequently be used.
|
This library helps us identify where values assigned to local variables may subsequently be used.
|
||||||
|
|
||||||
|
|||||||
@@ -4,10 +4,10 @@ Analyzing data flow in C#
|
|||||||
Overview
|
Overview
|
||||||
--------
|
--------
|
||||||
|
|
||||||
This topic describes how data flow analysis is implemented in the QL for C# library and includes examples to help you write your own data flow queries.
|
This topic describes how data flow analysis is implemented in the CodeQL libraries for C# and includes examples to help you write your own data flow queries.
|
||||||
The following sections describe how to utilize the QL libraries for local data flow, global data flow and taint tracking.
|
The following sections describe how to utilize the libraries for local data flow, global data flow, and taint tracking.
|
||||||
|
|
||||||
For a more general introduction to modeling data flow in QL, see :doc:`Introduction to data flow analysis in QL <../intro-to-data-flow>`.
|
For a more general introduction to modeling data flow, see :doc:`Introduction to data flow analysis with CodeQL <../intro-to-data-flow>`.
|
||||||
|
|
||||||
Local data flow
|
Local data flow
|
||||||
---------------
|
---------------
|
||||||
@@ -548,6 +548,6 @@ This can be adapted from the ``SystemUriFlow`` class:
|
|||||||
What next?
|
What next?
|
||||||
----------
|
----------
|
||||||
|
|
||||||
- Learn about the QL standard libraries used to write queries for C# in :doc:`Introducing the C# libraries <introduce-libraries-csharp>`.
|
- Learn about the standard libraries used to write queries for C# in :doc:`Introducing the C# libraries <introduce-libraries-csharp>`.
|
||||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||||
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
|
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
|
||||||
|
|||||||
@@ -1,25 +1,23 @@
|
|||||||
Introducing the C# libraries
|
Introducing the CodeQL libraries for C#
|
||||||
============================
|
=======================================
|
||||||
|
|
||||||
Overview
|
Overview
|
||||||
--------
|
--------
|
||||||
|
|
||||||
The C# QL libraries are a data model for analysis of C# code. QL is an object-oriented language, so the data model is represented as *QL classes*, which are organized into *QL libraries*. The QL classes are a layer of logic built on top of an underlying database.
|
There is an extensive library for analyzing CodeQL databases extracted from C# projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``csharp.qll`` imports all the core C# library modules, so you can include the complete library by beginning your query with:
|
||||||
|
|
||||||
The core library is imported at the top of each query using:
|
|
||||||
|
|
||||||
.. code-block:: ql
|
.. code-block:: ql
|
||||||
|
|
||||||
import csharp
|
import csharp
|
||||||
|
|
||||||
Since this is required for all C# queries, it is omitted from QL snippets below.
|
Since this is required for all C# queries, it is omitted from code snippets below.
|
||||||
|
|
||||||
The core library contains all the program elements, including `files <#files>`__, `types <#types>`__, methods, `variables <#variables>`__, `statements <#statements>`__, and `expressions <#expressions>`__. This is sufficient for most queries, however additional libraries can be imported for bespoke functionality such as control flow and data flow. See :doc:`QL for C# <ql-for-csharp>` for information about these additional libraries.
|
The core library contains all the program elements, including `files <#files>`__, `types <#types>`__, methods, `variables <#variables>`__, `statements <#statements>`__, and `expressions <#expressions>`__. This is sufficient for most queries, however additional libraries can be imported for bespoke functionality such as control flow and data flow. See :doc:`CodeQL for C# <ql-for-csharp>` for information about these additional libraries.
|
||||||
|
|
||||||
Class hierarchies
|
Class hierarchies
|
||||||
~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
Each section contains a QL class hierarchy, showing the inheritance structure between QL classes. For example:
|
Each section contains a class hierarchy, showing the inheritance structure between CodeQL classes. For example:
|
||||||
|
|
||||||
- ``Expr``
|
- ``Expr``
|
||||||
|
|
||||||
@@ -46,13 +44,13 @@ Each section contains a QL class hierarchy, showing the inheritance structure be
|
|||||||
|
|
||||||
This means that the class ``AddExpr`` extends class ``BinaryArithmeticOperation``, which in turn extends class ``ArithmeticOperation`` and so on. If you want to query any arithmetic operation, then use the class ``ArithmeticOperation``, but if you specifically want to limit the query to addition operations, then use the class ``AddExpr``.
|
This means that the class ``AddExpr`` extends class ``BinaryArithmeticOperation``, which in turn extends class ``ArithmeticOperation`` and so on. If you want to query any arithmetic operation, then use the class ``ArithmeticOperation``, but if you specifically want to limit the query to addition operations, then use the class ``AddExpr``.
|
||||||
|
|
||||||
QL classes can also be considered to be *sets*, and the ``extends`` relation between classes defines a subset. Every member of class ``AddExpr`` is also in the class ``BinaryArithmeticOperation``. In general, QL classes overlap and an entity can be a member of several classes.
|
Classes can also be considered to be *sets*, and the ``extends`` relation between classes defines a subset. Every member of class ``AddExpr`` is also in the class ``BinaryArithmeticOperation``. In general, classes overlap and an entity can be a member of several classes.
|
||||||
|
|
||||||
This overview omits some of the less important or intermediate classes from the class hierarchy.
|
This overview omits some of the less important or intermediate classes from the class hierarchy.
|
||||||
|
|
||||||
Each class has predicates, which are logical propositions about that class. They also define navigable relationships between classes. Predicates are inherited, so for example the ``AddExpr`` class inherits the predicates ``getLeftOperand()`` and ``getRightOperand()`` from ``BinaryArithmeticOperation``, and ``getType()`` from class ``Expr``. This is similar to how methods are inherited in object-oriented programming languages.
|
Each class has predicates, which are logical propositions about that class. They also define navigable relationships between classes. Predicates are inherited, so for example the ``AddExpr`` class inherits the predicates ``getLeftOperand()`` and ``getRightOperand()`` from ``BinaryArithmeticOperation``, and ``getType()`` from class ``Expr``. This is similar to how methods are inherited in object-oriented programming languages.
|
||||||
|
|
||||||
In this overview, we present the most common and useful predicates. Consult the reference, QL source code, and autocomplete in the editor for the complete list of predicates available on each class.
|
In this overview, we present the most common and useful predicates. Consult the `reference <https://help.semmle.com/qldoc/csharp>`__, the CodeQL source code, and autocomplete in the editor for the complete list of predicates available on each class.
|
||||||
|
|
||||||
Exercises
|
Exercises
|
||||||
~~~~~~~~~
|
~~~~~~~~~
|
||||||
@@ -72,7 +70,7 @@ Exercise 1: Simplify the following query:
|
|||||||
Files
|
Files
|
||||||
-----
|
-----
|
||||||
|
|
||||||
Files are represented by the QL class `File <https://help.semmle.com/qldoc/csharp/semmle/code/csharp/File.qll/type.File$File.html>`__, and directories by the QL class `Folder <https://help.semmle.com/qldoc/csharp/semmle/code/csharp/File.qll/type.File$Folder.html>`__. The database contains all of the source files and assemblies used during the compilation.
|
Files are represented by the class `File <https://help.semmle.com/qldoc/csharp/semmle/code/csharp/File.qll/type.File$File.html>`__, and directories by the class `Folder <https://help.semmle.com/qldoc/csharp/semmle/code/csharp/File.qll/type.File$Folder.html>`__. The database contains all of the source files and assemblies used during the compilation.
|
||||||
|
|
||||||
Class hierarchy
|
Class hierarchy
|
||||||
~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~
|
||||||
@@ -143,7 +141,7 @@ To list all elements in ``Main.cs``, their QL class and location:
|
|||||||
where e.getFile().getShortName() = "Main"
|
where e.getFile().getShortName() = "Main"
|
||||||
select e, e.getAQlClass(), e.getLocation()
|
select e, e.getAQlClass(), e.getLocation()
|
||||||
|
|
||||||
Note that ``getAQlClass()`` is available on all QL classes and is a useful way to figure out the QL class of something. Often the same element will have several QL classes which are all returned by ``getAQlClass()``.
|
Note that ``getAQlClass()`` is available on all entities and is a useful way to figure out the QL class of something. Often the same element will have several classes which are all returned by ``getAQlClass()``.
|
||||||
|
|
||||||
Locations
|
Locations
|
||||||
---------
|
---------
|
||||||
@@ -234,7 +232,7 @@ Find declarations containing a username:
|
|||||||
Variables
|
Variables
|
||||||
---------
|
---------
|
||||||
|
|
||||||
The QL class `Variable <https://help.semmle.com/qldoc/csharp/semmle/code/cil/Variable.qll/type.Variable$Variable.html>`__ represents C# variables, such as fields, parameters and local variables. The database contains all variables from the source code, as well as all fields and parameters from assemblies referenced by the program.
|
The class `Variable <https://help.semmle.com/qldoc/csharp/semmle/code/cil/Variable.qll/type.Variable$Variable.html>`__ represents C# variables, such as fields, parameters and local variables. The database contains all variables from the source code, as well as all fields and parameters from assemblies referenced by the program.
|
||||||
|
|
||||||
Class hierarchy
|
Class hierarchy
|
||||||
~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~
|
||||||
@@ -283,7 +281,7 @@ Find all unused local variables:
|
|||||||
Types
|
Types
|
||||||
-----
|
-----
|
||||||
|
|
||||||
Types are represented by the QL class `Type <https://help.semmle.com/qldoc/csharp/semmle/code/cil/Type.qll/type.Type$Type.html>`__ and consist of builtin types, interfaces, classes, structs, enums, and type parameters. The database contains types from the program and all referenced assemblies including mscorlib and the .NET framework.
|
Types are represented by the CodeQL class `Type <https://help.semmle.com/qldoc/csharp/semmle/code/cil/Type.qll/type.Type$Type.html>`__ and consist of builtin types, interfaces, classes, structs, enums, and type parameters. The database contains types from the program and all referenced assemblies including mscorlib and the .NET framework.
|
||||||
|
|
||||||
The builtin types (``object``, ``int``, ``double`` etc.) have corresponding types (``System.Object``, ``System.Int32`` etc.) in mscorlib.
|
The builtin types (``object``, ``int``, ``double`` etc.) have corresponding types (``System.Object``, ``System.Int32`` etc.) in mscorlib.
|
||||||
|
|
||||||
@@ -438,7 +436,7 @@ Exercise 5: Write a query to find all classes starting with the letter ``A``. (`
|
|||||||
Callables
|
Callables
|
||||||
---------
|
---------
|
||||||
|
|
||||||
Callables are represented by the QL class `Callable <https://help.semmle.com/qldoc/csharp/semmle/code/csharp/Callable.qll/type.Callable$Callable.html>`__ and are anything that can be called independently, such as methods, constructors, destructors, operators, anonymous functions, indexers, and property accessors.
|
Callables are represented by the class `Callable <https://help.semmle.com/qldoc/csharp/semmle/code/csharp/Callable.qll/type.Callable$Callable.html>`__ and are anything that can be called independently, such as methods, constructors, destructors, operators, anonymous functions, indexers, and property accessors.
|
||||||
|
|
||||||
The database contains all of the callables in your program and in all referenced assemblies.
|
The database contains all of the callables in your program and in all referenced assemblies.
|
||||||
|
|
||||||
@@ -564,7 +562,7 @@ Find ``Main`` methods which are not ``private``:
|
|||||||
Statements
|
Statements
|
||||||
----------
|
----------
|
||||||
|
|
||||||
Statements are represented by the QL class `Stmt <https://help.semmle.com/qldoc/csharp/semmle/code/csharp/Stmt.qll/type.Stmt$Stmt.html>`__ and make up the body of methods (and other callables). The database contains all statements in the source code, but does not contain any statements from referenced assemblies where the source code is not available.
|
Statements are represented by the class `Stmt <https://help.semmle.com/qldoc/csharp/semmle/code/csharp/Stmt.qll/type.Stmt$Stmt.html>`__ and make up the body of methods (and other callables). The database contains all statements in the source code, but does not contain any statements from referenced assemblies where the source code is not available.
|
||||||
|
|
||||||
Class hierarchy
|
Class hierarchy
|
||||||
~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~
|
||||||
@@ -922,7 +920,7 @@ Exercise 9: Limit the previous query to string types. Exclude empty passwords or
|
|||||||
Attributes
|
Attributes
|
||||||
----------
|
----------
|
||||||
|
|
||||||
C# attributes are represented by the QL class `Attribute <https://help.semmle.com/qldoc/csharp/semmle/code/cil/Attribute.qll/type.Attribute$Attribute.html>`__. They can be present on many C# elements, such as classes, methods, fields, and parameters. The database contains attributes from the source code and all assembly references.
|
C# attributes are represented by the class `Attribute <https://help.semmle.com/qldoc/csharp/semmle/code/cil/Attribute.qll/type.Attribute$Attribute.html>`__. They can be present on many C# elements, such as classes, methods, fields, and parameters. The database contains attributes from the source code and all assembly references.
|
||||||
|
|
||||||
The attribute of any ``Element`` can be obtained via ``getAnAttribute()``, whereas if you have an attribute, you can find its element via ``getTarget()``. The following two query fragments are identical:
|
The attribute of any ``Element`` can be obtained via ``getAnAttribute()``, whereas if you have an attribute, you can find its element via ``getTarget()``. The following two query fragments are identical:
|
||||||
|
|
||||||
@@ -1122,6 +1120,6 @@ Here is the fixed version:
|
|||||||
What next?
|
What next?
|
||||||
----------
|
----------
|
||||||
|
|
||||||
- Visit :doc:`Tutorial: Analyzing data flow in C# <dataflow>` to learn more about writing queries using the standard QL for C# data flow and taint tracking libraries.
|
- Visit :doc:`Tutorial: Analyzing data flow in C# <dataflow>` to learn more about writing queries using the standard data flow and taint tracking libraries.
|
||||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||||
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
|
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
|
||||||
@@ -1,5 +1,5 @@
|
|||||||
QL for C#
|
CodeQL for C#
|
||||||
=========
|
=============
|
||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:glob:
|
:glob:
|
||||||
@@ -8,17 +8,17 @@ QL for C#
|
|||||||
introduce-libraries-csharp
|
introduce-libraries-csharp
|
||||||
dataflow
|
dataflow
|
||||||
|
|
||||||
These topics provide an overview of the QL C# libraries and show examples of how to use them.
|
These topics provide an overview of the CodeQL libraries for C# and show examples of how to use them.
|
||||||
|
|
||||||
- `Basic C# QL query <https://lgtm.com/help/lgtm/console/ql-csharp-basic-example>`__ describes how to write and run queries using LGTM.
|
- `Basic C# query <https://lgtm.com/help/lgtm/console/ql-csharp-basic-example>`__ describes how to write and run queries using LGTM.
|
||||||
|
|
||||||
- :doc:`Introducing the C# libraries <introduce-libraries-csharp>` introduces the standard libraries used to write queries for C# code.
|
- :doc:`Introducing the CodeQL libraries for C# <introduce-libraries-csharp>` introduces the standard libraries used to write queries for C# code.
|
||||||
|
|
||||||
.. raw:: html
|
.. raw:: html
|
||||||
|
|
||||||
<!-- Working with generic types and methods(generics) - how to query generic types and methods. -->
|
<!-- Working with generic types and methods(generics) - how to query generic types and methods. -->
|
||||||
|
|
||||||
- :doc:`Tutorial: Analyzing data flow in C# <dataflow>` demonstrates how to write queries using the standard QL for C# data flow and taint tracking libraries.
|
- :doc:`Tutorial: Analyzing data flow in C# <dataflow>` demonstrates how to write queries using the standard data flow and taint tracking libraries for C#.
|
||||||
|
|
||||||
.. raw:: html
|
.. raw:: html
|
||||||
|
|
||||||
@@ -35,6 +35,6 @@ These topics provide an overview of the QL C# libraries and show examples of how
|
|||||||
Other resources
|
Other resources
|
||||||
---------------
|
---------------
|
||||||
|
|
||||||
- For examples of how to query common C# elements, see the `C# QL cookbook <https://help.semmle.com/wiki/display/CBCSHARP>`__.
|
- For examples of how to query common C# elements, see the `C# cookbook <https://help.semmle.com/wiki/display/CBCSHARP>`__.
|
||||||
- For the queries used in LGTM, display a `C# query <https://lgtm.com/search?q=language%3Acsharp&t=rules>`__ and click **Open in query console** to see the QL code used to find alerts.
|
- For the queries used in LGTM, display a `C# query <https://lgtm.com/search?q=language%3Acsharp&t=rules>`__ and click **Open in query console** to see the code used to find alerts.
|
||||||
- For more information about the C/C++ QL library see the `QL library for C# <https://help.semmle.com/qldoc/csharp>`__.
|
- For more information about the library for C# see the `CodeQL library for C# <https://help.semmle.com/qldoc/csharp>`__.
|
||||||
|
|||||||
33
docs/language/learn-ql/database.rst
Normal file
33
docs/language/learn-ql/database.rst
Normal file
@@ -0,0 +1,33 @@
|
|||||||
|
What's in a CodeQL database?
|
||||||
|
============================
|
||||||
|
|
||||||
|
A CodeQL database contains a variety of data related to a particular code base at a particular point in time. For details of how the database is generated see `Database generation <https://lgtm.com/help/lgtm/generate-database>`__.
|
||||||
|
|
||||||
|
The database contains a full, hierarchical representation of the program defined by the code base. The database schema varies according to the language analyzed. The schema provides an interface between the initial lexical analysis during the extraction process, and the actual complex analysis using CodeQL. When the source code languages being analyzed change (such as Java 7 evolving into Java 8), this interface between the analysis phases can also change.
|
||||||
|
|
||||||
|
For each language, a CodeQL library defines classes to provide a layer of abstraction over the database tables. This provides an object-oriented view of the data which makes it easier to write queries. This is easiest to explain using an example.
|
||||||
|
|
||||||
|
Example
|
||||||
|
-------
|
||||||
|
|
||||||
|
For a Java program, two key tables are:
|
||||||
|
|
||||||
|
- The ``expressions`` table containing a row for every single expression in the source code that was analyzed during the build process.
|
||||||
|
- The ``statements`` table containing a row for every single statement in the source code that was analyzed during the build process.
|
||||||
|
|
||||||
|
The CodeQL library defines classes to provide a layer of abstraction over each of these tables (and the related auxiliary tables): ``Expr`` and ``Stmt``.
|
||||||
|
|
||||||
|
Most classes in the library are similar: they are abstractions over one or more database tables. Looking at one of the libraries illustrates this:
|
||||||
|
|
||||||
|
.. code-block:: ql
|
||||||
|
|
||||||
|
class Expr extends StmtParent, @expr {
|
||||||
|
...
|
||||||
|
|
||||||
|
/** the location of this expression */
|
||||||
|
Location getLocation() { exprs(this,_,_,result) }
|
||||||
|
|
||||||
|
...
|
||||||
|
}
|
||||||
|
|
||||||
|
The ``Expr`` class, shown here, extends from the database type ``@expr``. Member predicates of the ``Expr`` class are implemented in terms of the database-provided ``exprs`` table.
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user