Merge branch 'main' into rdmarsh2/cpp/cobo-handle-array-casts

2026-04-27 17:55:19 +02:00 · 2023-06-27 12:03:42 +01:00
parent d18fb646d1 06bc460868
commit f2cbbab419
2224 changed files with 78361 additions and 29416 deletions
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.expected
@@ -0,0 +1,35 @@
+| test.cpp:18:6:18:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:18:6:18:8 | ... + ... | addition |
+| test.cpp:19:6:19:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:19:6:19:8 | ... + ... | addition |
+| test.cpp:20:6:20:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:20:6:20:8 | ... + ... | addition |
+| test.cpp:21:6:21:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:21:6:21:8 | ... + ... | addition |
+| test.cpp:22:6:22:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:22:8:22:10 | ... + ... | addition |
+| test.cpp:23:6:23:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:23:8:23:10 | ... + ... | addition |
+| test.cpp:24:6:24:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:24:8:24:10 | ... + ... | addition |
+| test.cpp:25:6:25:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:25:8:25:10 | ... + ... | addition |
+| test.cpp:27:6:27:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:27:6:27:8 | ... + ... | addition |
+| test.cpp:28:6:28:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:28:6:28:8 | ... + ... | addition |
+| test.cpp:29:6:29:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:29:6:29:8 | ... + ... | addition |
+| test.cpp:30:6:30:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:30:6:30:8 | ... + ... | addition |
+| test.cpp:31:6:31:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:31:9:31:11 | ... + ... | addition |
+| test.cpp:32:6:32:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:32:9:32:11 | ... + ... | addition |
+| test.cpp:33:6:33:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:33:9:33:11 | ... + ... | addition |
+| test.cpp:34:6:34:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:34:9:34:11 | ... + ... | addition |
+| test.cpp:36:6:36:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:36:6:36:8 | ... + ... | addition |
+| test.cpp:37:6:37:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:37:6:37:8 | ... + ... | addition |
+| test.cpp:38:6:38:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:38:6:38:8 | ... + ... | addition |
+| test.cpp:39:6:39:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:39:6:39:8 | ... + ... | addition |
+| test.cpp:40:6:40:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:40:8:40:10 | ... + ... | addition |
+| test.cpp:41:6:41:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:41:8:41:10 | ... + ... | addition |
+| test.cpp:42:6:42:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:42:8:42:10 | ... + ... | addition |
+| test.cpp:43:6:43:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:43:8:43:10 | ... + ... | addition |
+| test.cpp:45:6:45:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:45:6:45:8 | ... + ... | addition |
+| test.cpp:46:6:46:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:46:6:46:8 | ... + ... | addition |
+| test.cpp:47:6:47:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:47:6:47:8 | ... + ... | addition |
+| test.cpp:48:6:48:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:48:6:48:8 | ... + ... | addition |
+| test.cpp:49:6:49:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:49:9:49:11 | ... + ... | addition |
+| test.cpp:50:6:50:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:50:9:50:11 | ... + ... | addition |
+| test.cpp:51:6:51:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:51:9:51:11 | ... + ... | addition |
+| test.cpp:52:6:52:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:52:9:52:11 | ... + ... | addition |
+| test.cpp:54:6:54:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:54:6:54:8 | ... + ... | addition |
+| test.cpp:61:6:61:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:61:6:61:8 | ... + ... | addition |
+| test.cpp:62:6:62:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:62:6:62:8 | ... + ... | addition |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp
@@ -0,0 +1,63 @@
+
+int getAnInt();
+double getADouble();
+unsigned short getAnUnsignedShort();
+
+void test()
+{
+	int a = getAnInt();
+	int b = getAnInt();
+	int c = getAnInt();
+	int x = getAnInt();
+	int y = getAnInt();
+	double d = getADouble();
+	unsigned short a1 = getAnUnsignedShort();
+	unsigned short b1 = getAnUnsignedShort();
+	unsigned short c1 = getAnUnsignedShort();
+
+	if (a+b>c) a = c-b; // BAD
+	if (a+b>c) { a = c-b; } // BAD
+	if (b+a>c) a = c-b; // BAD
+	if (b+a>c) { a = c-b; } // BAD
+	if (c>a+b) a = c-b; // BAD
+	if (c>a+b) { a = c-b; } // BAD
+	if (c>b+a) a = c-b; // BAD
+	if (c>b+a) { a = c-b; } // BAD
+
+	if (a+b>=c) a = c-b; // BAD
+	if (a+b>=c) { a = c-b; } // BAD
+	if (b+a>=c) a = c-b; // BAD
+	if (b+a>=c) { a = c-b; } // BAD
+	if (c>=a+b) a = c-b; // BAD
+	if (c>=a+b) { a = c-b; } // BAD
+	if (c>=b+a) a = c-b; // BAD
+	if (c>=b+a) { a = c-b; } // BAD
+
+	if (a+b<c) a = c-b; // BAD
+	if (a+b<c) { a = c-b; } // BAD
+	if (b+a<c) a = c-b; // BAD
+	if (b+a<c) { a = c-b; } // BAD
+	if (c<a+b) a = c-b; // BAD
+	if (c<a+b) { a = c-b; } // BAD
+	if (c<b+a) a = c-b; // BAD
+	if (c<b+a) { a = c-b; } // BAD
+
+	if (a+b<=c) a = c-b; // BAD
+	if (a+b<=c) { a = c-b; } // BAD
+	if (b+a<=c) a = c-b; // BAD
+	if (b+a<=c) { a = c-b; } // BAD
+	if (c<=a+b) a = c-b; // BAD
+	if (c<=a+b) { a = c-b; } // BAD
+	if (c<=b+a) a = c-b; // BAD
+	if (c<=b+a) { a = c-b; } // BAD
+
+	if (a+b>d) a = d-b; // BAD
+	if (a+(double)b>c) a = c-b; // GOOD
+	if (a+(-x)>c) a = c-(-y); // GOOD
+	if (a+b>c) { b++; a = c-b; } // GOOD
+	if (a+d>c) a = c-d; // GOOD
+	if (a1+b1>c1) a1 = c1-b1; // GOOD
+	
+	if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD
+	if (a+b<=c) { return; } a = c-b; // BAD
+}
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
@@ -11,8 +11,13 @@ edges
 | test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... |
 | test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p |
 | test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf |
+| test.cpp:85:34:85:36 | buf | test.cpp:87:5:87:31 | access to array |
 | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array |
 | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array |
+| test.cpp:134:25:134:27 | arr | test.cpp:136:9:136:16 | ... += ... |
+| test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr |
+| test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr |
+| test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf |
 nodes
 | test.cpp:35:5:35:22 | access to array | semmle.label | access to array |
 | test.cpp:35:10:35:12 | buf | semmle.label | buf |
@@ -36,9 +41,15 @@ nodes
 | test.cpp:79:27:79:34 | buf | semmle.label | buf |
 | test.cpp:79:32:79:34 | buf | semmle.label | buf |
 | test.cpp:85:34:85:36 | buf | semmle.label | buf |
+| test.cpp:87:5:87:31 | access to array | semmle.label | access to array |
 | test.cpp:88:5:88:27 | access to array | semmle.label | access to array |
 | test.cpp:128:9:128:11 | arr | semmle.label | arr |
 | test.cpp:128:9:128:14 | access to array | semmle.label | access to array |
+| test.cpp:134:25:134:27 | arr | semmle.label | arr |
+| test.cpp:136:9:136:16 | ... += ... | semmle.label | ... += ... |
+| test.cpp:138:13:138:15 | arr | semmle.label | arr |
+| test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
+| test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 subpaths
 #select
 | test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
@@ -52,3 +63,4 @@ subpaths
 | test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
 | test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write |
 | test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
+| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
@@ -128,3 +128,17 @@ void testStackAllocated() {
        arr[i] = 0; // BAD
    }
 }
+
+int strncmp(const char*, const char*, int);
+
+char testStrncmp2(char *arr) {
+    if(strncmp(arr, "<test>", 6) == 0) {
+        arr += 6;
+    }
+    return *arr; // GOOD [FALSE POSITIVE]
+}
+
+void testStrncmp1() {
+    char asdf[5];
+    testStrncmp2(asdf);
+}
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -663,26 +663,509 @@ edges
 | test.cpp:326:15:326:23 | ... + ... | test.cpp:342:8:342:17 | * ... |
 | test.cpp:338:8:338:15 | * ... | test.cpp:342:8:342:17 | * ... |
 | test.cpp:341:8:341:17 | * ... | test.cpp:342:8:342:17 | * ... |
-| test.cpp:342:8:342:17 | * ... | test.cpp:333:5:333:21 | Store: ... = ... |
-| test.cpp:342:8:342:17 | * ... | test.cpp:341:5:341:21 | Store: ... = ... |
 | test.cpp:347:14:347:27 | new[] | test.cpp:348:15:348:16 | xs |
-| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ |
-| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ |
-| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:15:350:19 | Load: * ... |
-| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:16:350:19 | ... ++ |
-| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:16:350:19 | ... ++ |
+| test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:16 | xs |
+| test.cpp:356:15:356:16 | xs | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:357:24:357:26 | end |
+| test.cpp:356:15:356:16 | xs | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:356:15:356:16 | xs | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:356:15:356:16 | xs | test.cpp:359:16:359:27 | end_plus_one |
+| test.cpp:356:15:356:16 | xs | test.cpp:359:16:359:31 | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:357:24:357:26 | end |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:357:24:357:26 | end |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:26 | end | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:357:24:357:26 | end | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:16:359:27 | end_plus_one |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:16:359:27 | end_plus_one |
+| test.cpp:358:15:358:26 | end_plus_one | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:358:15:358:26 | end_plus_one | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:358:15:358:26 | end_plus_one | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:358:15:358:26 | end_plus_one | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:358:15:358:26 | end_plus_one | test.cpp:359:16:359:27 | end_plus_one |
+| test.cpp:359:16:359:27 | end_plus_one | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:359:16:359:27 | end_plus_one | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:359:16:359:31 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:363:14:363:27 | new[] | test.cpp:365:15:365:15 | p |
+| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... |
+| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p |
+| test.cpp:371:7:371:7 | p | test.cpp:372:15:372:16 | Load: * ... |
+| test.cpp:372:16:372:16 | p | test.cpp:372:15:372:16 | Load: * ... |
+| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:16 | xs |
+| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:7 | end |
+| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:9 | ... ++ |
+| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:9 | ... ++ |
+| test.cpp:378:15:378:16 | xs | test.cpp:384:14:384:16 | end |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:381:5:381:7 | end |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:381:5:381:7 | end |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:14:384:16 | end |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:14:384:16 | end |
+| test.cpp:381:5:381:7 | end | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
+| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
+| test.cpp:384:14:384:16 | end | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:388:14:388:27 | new[] | test.cpp:389:16:389:17 | xs |
+| test.cpp:388:14:388:27 | new[] | test.cpp:392:5:392:6 | xs |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
+| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:6 | xs |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:395:5:395:6 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:404:3:404:25 | ... = ... | test.cpp:404:7:404:8 | val indirection [post update] [xs] |
+| test.cpp:404:7:404:8 | val indirection [post update] [xs] | test.cpp:407:3:407:5 | val indirection [xs] |
+| test.cpp:404:12:404:25 | new[] | test.cpp:404:3:404:25 | ... = ... |
+| test.cpp:406:3:406:25 | ... = ... | test.cpp:406:7:406:8 | val indirection [post update] [xs] |
+| test.cpp:406:7:406:8 | val indirection [post update] [xs] | test.cpp:407:3:407:5 | val indirection [xs] |
+| test.cpp:406:12:406:25 | new[] | test.cpp:406:3:406:25 | ... = ... |
+| test.cpp:407:3:407:5 | val indirection [xs] | test.cpp:407:7:407:8 | xs indirection |
+| test.cpp:407:3:407:18 | access to array | test.cpp:407:3:407:22 | Store: ... = ... |
+| test.cpp:407:7:407:8 | xs | test.cpp:407:3:407:18 | access to array |
+| test.cpp:407:7:407:8 | xs indirection | test.cpp:407:7:407:8 | xs |
+| test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:8 | xs |
+| test.cpp:419:7:419:8 | xs | test.cpp:419:7:419:11 | access to array |
+| test.cpp:419:7:419:11 | access to array | test.cpp:419:7:419:15 | Store: ... = ... |
+| test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:6 | xs |
+| test.cpp:433:5:433:6 | xs | test.cpp:433:5:433:17 | access to array |
+| test.cpp:433:5:433:17 | access to array | test.cpp:433:5:433:21 | Store: ... = ... |
+nodes
+| test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:5:15:5:15 | p | semmle.label | p |
+| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:6:14:6:15 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:6:15:6:15 | q | semmle.label | q |
+| test.cpp:6:15:6:15 | q | semmle.label | q |
+| test.cpp:7:16:7:16 | q | semmle.label | q |
+| test.cpp:7:16:7:16 | q | semmle.label | q |
+| test.cpp:8:14:8:21 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:8:16:8:16 | q | semmle.label | q |
+| test.cpp:8:16:8:16 | q | semmle.label | q |
+| test.cpp:8:16:8:20 | ... + ... | semmle.label | ... + ... |
+| test.cpp:9:16:9:16 | q | semmle.label | q |
+| test.cpp:9:16:9:16 | q | semmle.label | q |
+| test.cpp:10:16:10:16 | q | semmle.label | q |
+| test.cpp:10:16:10:16 | q | semmle.label | q |
+| test.cpp:11:16:11:16 | q | semmle.label | q |
+| test.cpp:11:16:11:16 | q | semmle.label | q |
+| test.cpp:12:16:12:16 | q | semmle.label | q |
+| test.cpp:16:15:16:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:17:15:17:15 | p | semmle.label | p |
+| test.cpp:17:15:17:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:20:14:20:21 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:20:16:20:20 | ... + ... | semmle.label | ... + ... |
+| test.cpp:28:15:28:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:29:15:29:15 | p | semmle.label | p |
+| test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:30:14:30:15 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:30:15:30:15 | q | semmle.label | q |
+| test.cpp:30:15:30:15 | q | semmle.label | q |
+| test.cpp:31:16:31:16 | q | semmle.label | q |
+| test.cpp:31:16:31:16 | q | semmle.label | q |
+| test.cpp:32:14:32:21 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:32:16:32:16 | q | semmle.label | q |
+| test.cpp:32:16:32:16 | q | semmle.label | q |
+| test.cpp:32:16:32:20 | ... + ... | semmle.label | ... + ... |
+| test.cpp:33:16:33:16 | q | semmle.label | q |
+| test.cpp:33:16:33:16 | q | semmle.label | q |
+| test.cpp:34:16:34:16 | q | semmle.label | q |
+| test.cpp:34:16:34:16 | q | semmle.label | q |
+| test.cpp:35:16:35:16 | q | semmle.label | q |
+| test.cpp:35:16:35:16 | q | semmle.label | q |
+| test.cpp:36:16:36:16 | q | semmle.label | q |
+| test.cpp:40:15:40:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:41:15:41:15 | p | semmle.label | p |
+| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:42:14:42:15 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:42:15:42:15 | q | semmle.label | q |
+| test.cpp:42:15:42:15 | q | semmle.label | q |
+| test.cpp:43:16:43:16 | q | semmle.label | q |
+| test.cpp:43:16:43:16 | q | semmle.label | q |
+| test.cpp:44:14:44:21 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:44:16:44:16 | q | semmle.label | q |
+| test.cpp:44:16:44:16 | q | semmle.label | q |
+| test.cpp:44:16:44:20 | ... + ... | semmle.label | ... + ... |
+| test.cpp:45:16:45:16 | q | semmle.label | q |
+| test.cpp:45:16:45:16 | q | semmle.label | q |
+| test.cpp:46:16:46:16 | q | semmle.label | q |
+| test.cpp:46:16:46:16 | q | semmle.label | q |
+| test.cpp:47:16:47:16 | q | semmle.label | q |
+| test.cpp:47:16:47:16 | q | semmle.label | q |
+| test.cpp:48:16:48:16 | q | semmle.label | q |
+| test.cpp:51:7:51:14 | mk_array indirection | semmle.label | mk_array indirection |
+| test.cpp:51:33:51:35 | end | semmle.label | end |
+| test.cpp:52:19:52:24 | call to malloc | semmle.label | call to malloc |
+| test.cpp:53:5:53:23 | ... = ... | semmle.label | ... = ... |
+| test.cpp:53:12:53:16 | begin | semmle.label | begin |
+| test.cpp:53:12:53:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:60:19:60:26 | call to mk_array | semmle.label | call to mk_array |
+| test.cpp:60:34:60:37 | mk_array output argument | semmle.label | mk_array output argument |
+| test.cpp:62:32:62:34 | end | semmle.label | end |
+| test.cpp:62:39:62:39 | p | semmle.label | p |
+| test.cpp:66:32:66:34 | end | semmle.label | end |
+| test.cpp:66:39:66:39 | p | semmle.label | p |
+| test.cpp:67:9:67:14 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:70:31:70:33 | end | semmle.label | end |
+| test.cpp:70:38:70:38 | p | semmle.label | p |
+| test.cpp:80:9:80:16 | mk_array indirection [begin] | semmle.label | mk_array indirection [begin] |
+| test.cpp:80:9:80:16 | mk_array indirection [end] | semmle.label | mk_array indirection [end] |
+| test.cpp:82:5:82:28 | ... = ... | semmle.label | ... = ... |
+| test.cpp:82:9:82:13 | arr indirection [post update] [begin] | semmle.label | arr indirection [post update] [begin] |
+| test.cpp:82:17:82:22 | call to malloc | semmle.label | call to malloc |
+| test.cpp:83:5:83:30 | ... = ... | semmle.label | ... = ... |
+| test.cpp:83:9:83:11 | arr indirection [post update] [end] | semmle.label | arr indirection [post update] [end] |
+| test.cpp:83:15:83:17 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:83:15:83:30 | ... + ... | semmle.label | ... + ... |
+| test.cpp:83:19:83:23 | begin | semmle.label | begin |
+| test.cpp:83:19:83:23 | begin indirection | semmle.label | begin indirection |
+| test.cpp:89:19:89:26 | call to mk_array [begin] | semmle.label | call to mk_array [begin] |
+| test.cpp:89:19:89:26 | call to mk_array [end] | semmle.label | call to mk_array [end] |
+| test.cpp:91:20:91:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:91:24:91:28 | begin | semmle.label | begin |
+| test.cpp:91:24:91:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:91:36:91:38 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:91:40:91:42 | end | semmle.label | end |
+| test.cpp:91:40:91:42 | end indirection | semmle.label | end indirection |
+| test.cpp:91:47:91:47 | p | semmle.label | p |
+| test.cpp:95:20:95:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:95:24:95:28 | begin | semmle.label | begin |
+| test.cpp:95:24:95:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:95:36:95:38 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:95:40:95:42 | end | semmle.label | end |
+| test.cpp:95:40:95:42 | end indirection | semmle.label | end indirection |
+| test.cpp:95:47:95:47 | p | semmle.label | p |
+| test.cpp:96:9:96:14 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:99:20:99:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:99:24:99:28 | begin | semmle.label | begin |
+| test.cpp:99:24:99:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:99:35:99:37 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:99:39:99:41 | end | semmle.label | end |
+| test.cpp:99:39:99:41 | end indirection | semmle.label | end indirection |
+| test.cpp:99:46:99:46 | p | semmle.label | p |
+| test.cpp:104:27:104:29 | arr [begin] | semmle.label | arr [begin] |
+| test.cpp:104:27:104:29 | arr [end] | semmle.label | arr [end] |
+| test.cpp:105:20:105:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:105:24:105:28 | begin | semmle.label | begin |
+| test.cpp:105:24:105:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:105:36:105:38 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:105:40:105:42 | end | semmle.label | end |
+| test.cpp:105:40:105:42 | end indirection | semmle.label | end indirection |
+| test.cpp:105:47:105:47 | p | semmle.label | p |
+| test.cpp:109:20:109:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:109:24:109:28 | begin | semmle.label | begin |
+| test.cpp:109:24:109:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:109:36:109:38 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:109:40:109:42 | end | semmle.label | end |
+| test.cpp:109:40:109:42 | end indirection | semmle.label | end indirection |
+| test.cpp:109:47:109:47 | p | semmle.label | p |
+| test.cpp:110:9:110:14 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:113:20:113:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:113:24:113:28 | begin | semmle.label | begin |
+| test.cpp:113:24:113:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:113:35:113:37 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:113:39:113:41 | end | semmle.label | end |
+| test.cpp:113:39:113:41 | end indirection | semmle.label | end indirection |
+| test.cpp:113:46:113:46 | p | semmle.label | p |
+| test.cpp:119:18:119:25 | call to mk_array [begin] | semmle.label | call to mk_array [begin] |
+| test.cpp:119:18:119:25 | call to mk_array [end] | semmle.label | call to mk_array [end] |
+| test.cpp:124:15:124:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:125:5:125:17 | ... = ... | semmle.label | ... = ... |
+| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | semmle.label | arr indirection [post update] [begin] |
+| test.cpp:126:15:126:15 | p | semmle.label | p |
+| test.cpp:129:11:129:13 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:129:15:129:19 | begin | semmle.label | begin |
+| test.cpp:129:15:129:19 | begin indirection | semmle.label | begin indirection |
+| test.cpp:133:11:133:13 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:133:15:133:19 | begin | semmle.label | begin |
+| test.cpp:133:15:133:19 | begin indirection | semmle.label | begin indirection |
+| test.cpp:137:11:137:13 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:137:15:137:19 | begin | semmle.label | begin |
+| test.cpp:137:15:137:19 | begin indirection | semmle.label | begin indirection |
+| test.cpp:141:10:141:19 | mk_array_p indirection [begin] | semmle.label | mk_array_p indirection [begin] |
+| test.cpp:141:10:141:19 | mk_array_p indirection [end] | semmle.label | mk_array_p indirection [end] |
+| test.cpp:143:5:143:29 | ... = ... | semmle.label | ... = ... |
+| test.cpp:143:10:143:14 | arr indirection [post update] [begin] | semmle.label | arr indirection [post update] [begin] |
+| test.cpp:143:18:143:23 | call to malloc | semmle.label | call to malloc |
+| test.cpp:144:5:144:32 | ... = ... | semmle.label | ... = ... |
+| test.cpp:144:10:144:12 | arr indirection [post update] [end] | semmle.label | arr indirection [post update] [end] |
+| test.cpp:144:16:144:18 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:144:16:144:32 | ... + ... | semmle.label | ... + ... |
+| test.cpp:144:21:144:25 | begin | semmle.label | begin |
+| test.cpp:144:21:144:25 | begin indirection | semmle.label | begin indirection |
+| test.cpp:150:20:150:29 | call to mk_array_p indirection [begin] | semmle.label | call to mk_array_p indirection [begin] |
+| test.cpp:150:20:150:29 | call to mk_array_p indirection [end] | semmle.label | call to mk_array_p indirection [end] |
+| test.cpp:152:20:152:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:152:25:152:29 | begin | semmle.label | begin |
+| test.cpp:152:25:152:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:152:49:152:49 | p | semmle.label | p |
+| test.cpp:156:20:156:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:156:25:156:29 | begin | semmle.label | begin |
+| test.cpp:156:25:156:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:156:37:156:39 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:156:42:156:44 | end | semmle.label | end |
+| test.cpp:156:42:156:44 | end indirection | semmle.label | end indirection |
+| test.cpp:156:49:156:49 | p | semmle.label | p |
+| test.cpp:157:9:157:14 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:160:20:160:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:160:25:160:29 | begin | semmle.label | begin |
+| test.cpp:160:25:160:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:160:48:160:48 | p | semmle.label | p |
+| test.cpp:165:29:165:31 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:165:29:165:31 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:166:20:166:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:166:25:166:29 | begin | semmle.label | begin |
+| test.cpp:166:25:166:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:166:37:166:39 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:166:42:166:44 | end | semmle.label | end |
+| test.cpp:166:42:166:44 | end indirection | semmle.label | end indirection |
+| test.cpp:166:49:166:49 | p | semmle.label | p |
+| test.cpp:170:20:170:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:170:25:170:29 | begin | semmle.label | begin |
+| test.cpp:170:25:170:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:170:37:170:39 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:170:42:170:44 | end | semmle.label | end |
+| test.cpp:170:42:170:44 | end indirection | semmle.label | end indirection |
+| test.cpp:170:49:170:49 | p | semmle.label | p |
+| test.cpp:171:9:171:14 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:174:20:174:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:174:25:174:29 | begin | semmle.label | begin |
+| test.cpp:174:25:174:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:174:36:174:38 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:174:41:174:43 | end | semmle.label | end |
+| test.cpp:174:41:174:43 | end indirection | semmle.label | end indirection |
+| test.cpp:174:48:174:48 | p | semmle.label | p |
+| test.cpp:180:19:180:28 | call to mk_array_p indirection [begin] | semmle.label | call to mk_array_p indirection [begin] |
+| test.cpp:180:19:180:28 | call to mk_array_p indirection [end] | semmle.label | call to mk_array_p indirection [end] |
+| test.cpp:188:15:188:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:189:15:189:15 | p | semmle.label | p |
+| test.cpp:194:23:194:28 | call to malloc | semmle.label | call to malloc |
+| test.cpp:195:17:195:17 | p | semmle.label | p |
+| test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:197:8:197:8 | p | semmle.label | p |
+| test.cpp:197:20:197:22 | end | semmle.label | end |
+| test.cpp:201:5:201:5 | p | semmle.label | p |
+| test.cpp:201:5:201:12 | access to array | semmle.label | access to array |
+| test.cpp:201:5:201:19 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:205:23:205:28 | call to malloc | semmle.label | call to malloc |
+| test.cpp:206:17:206:17 | p | semmle.label | p |
+| test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:208:15:208:15 | p | semmle.label | p |
+| test.cpp:209:12:209:14 | end | semmle.label | end |
+| test.cpp:213:5:213:6 | * ... | semmle.label | * ... |
+| test.cpp:213:5:213:13 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:213:6:213:6 | q | semmle.label | q |
+| test.cpp:213:6:213:6 | q | semmle.label | q |
+| test.cpp:221:17:221:22 | call to malloc | semmle.label | call to malloc |
+| test.cpp:222:5:222:5 | p | semmle.label | p |
+| test.cpp:231:18:231:30 | new[] | semmle.label | new[] |
+| test.cpp:232:3:232:9 | newname | semmle.label | newname |
+| test.cpp:232:3:232:16 | access to array | semmle.label | access to array |
+| test.cpp:232:3:232:20 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:238:20:238:32 | new[] | semmle.label | new[] |
+| test.cpp:239:5:239:11 | newname | semmle.label | newname |
+| test.cpp:239:5:239:18 | access to array | semmle.label | access to array |
+| test.cpp:239:5:239:22 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:248:24:248:30 | call to realloc | semmle.label | call to realloc |
+| test.cpp:249:9:249:9 | p | semmle.label | p |
+| test.cpp:250:22:250:22 | p | semmle.label | p |
+| test.cpp:254:9:254:9 | p | semmle.label | p |
+| test.cpp:254:9:254:12 | access to array | semmle.label | access to array |
+| test.cpp:254:9:254:16 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:260:13:260:24 | new[] | semmle.label | new[] |
+| test.cpp:261:14:261:15 | xs | semmle.label | xs |
+| test.cpp:261:14:261:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:261:14:261:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:261:14:261:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:261:14:261:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:262:26:262:28 | end | semmle.label | end |
+| test.cpp:262:26:262:28 | end | semmle.label | end |
+| test.cpp:262:31:262:31 | x | semmle.label | x |
+| test.cpp:264:13:264:14 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:264:14:264:14 | x | semmle.label | x |
+| test.cpp:264:14:264:14 | x | semmle.label | x |
+| test.cpp:270:13:270:24 | new[] | semmle.label | new[] |
+| test.cpp:271:14:271:15 | xs | semmle.label | xs |
+| test.cpp:271:14:271:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:271:14:271:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:271:14:271:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:271:14:271:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:272:26:272:28 | end | semmle.label | end |
+| test.cpp:272:26:272:28 | end | semmle.label | end |
+| test.cpp:272:31:272:31 | x | semmle.label | x |
+| test.cpp:272:31:272:31 | x | semmle.label | x |
+| test.cpp:274:5:274:6 | * ... | semmle.label | * ... |
+| test.cpp:274:5:274:10 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:274:6:274:6 | x | semmle.label | x |
+| test.cpp:274:6:274:6 | x | semmle.label | x |
+| test.cpp:280:13:280:24 | new[] | semmle.label | new[] |
+| test.cpp:281:14:281:15 | xs | semmle.label | xs |
+| test.cpp:290:13:290:24 | new[] | semmle.label | new[] |
+| test.cpp:291:14:291:15 | xs | semmle.label | xs |
+| test.cpp:292:30:292:30 | x | semmle.label | x |
+| test.cpp:304:15:304:26 | new[] | semmle.label | new[] |
+| test.cpp:307:5:307:6 | xs | semmle.label | xs |
+| test.cpp:308:5:308:6 | xs | semmle.label | xs |
+| test.cpp:308:5:308:11 | access to array | semmle.label | access to array |
+| test.cpp:308:5:308:29 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:313:14:313:27 | new[] | semmle.label | new[] |
+| test.cpp:314:15:314:16 | xs | semmle.label | xs |
+| test.cpp:325:14:325:27 | new[] | semmle.label | new[] |
+| test.cpp:326:15:326:16 | xs | semmle.label | xs |
+| test.cpp:326:15:326:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:326:15:326:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:338:8:338:15 | * ... | semmle.label | * ... |
+| test.cpp:341:8:341:17 | * ... | semmle.label | * ... |
+| test.cpp:342:8:342:17 | * ... | semmle.label | * ... |
+| test.cpp:347:14:347:27 | new[] | semmle.label | new[] |
+| test.cpp:348:15:348:16 | xs | semmle.label | xs |
+| test.cpp:355:14:355:27 | new[] | semmle.label | new[] |
+| test.cpp:356:15:356:16 | xs | semmle.label | xs |
+| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:357:24:357:26 | end | semmle.label | end |
+| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
+| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
+| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
+| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
+| test.cpp:358:14:358:26 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:358:15:358:26 | end_plus_one | semmle.label | end_plus_one |
+| test.cpp:358:15:358:26 | end_plus_one | semmle.label | end_plus_one |
+| test.cpp:359:14:359:32 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:359:16:359:27 | end_plus_one | semmle.label | end_plus_one |
+| test.cpp:359:16:359:31 | ... + ... | semmle.label | ... + ... |
+| test.cpp:363:14:363:27 | new[] | semmle.label | new[] |
+| test.cpp:365:15:365:15 | p | semmle.label | p |
+| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... |
+| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... |
+| test.cpp:371:7:371:7 | p | semmle.label | p |
+| test.cpp:372:15:372:16 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:372:16:372:16 | p | semmle.label | p |
+| test.cpp:377:14:377:27 | new[] | semmle.label | new[] |
+| test.cpp:378:15:378:16 | xs | semmle.label | xs |
+| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:381:5:381:7 | end | semmle.label | end |
+| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
+| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
+| test.cpp:384:13:384:16 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:384:14:384:16 | end | semmle.label | end |
+| test.cpp:388:14:388:27 | new[] | semmle.label | new[] |
+| test.cpp:389:16:389:17 | xs | semmle.label | xs |
+| test.cpp:392:5:392:6 | xs | semmle.label | xs |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:393:9:393:10 | xs | semmle.label | xs |
+| test.cpp:393:9:393:10 | xs | semmle.label | xs |
+| test.cpp:395:5:395:6 | xs | semmle.label | xs |
+| test.cpp:395:5:395:13 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:404:3:404:25 | ... = ... | semmle.label | ... = ... |
+| test.cpp:404:7:404:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
+| test.cpp:404:12:404:25 | new[] | semmle.label | new[] |
+| test.cpp:406:3:406:25 | ... = ... | semmle.label | ... = ... |
+| test.cpp:406:7:406:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
+| test.cpp:406:12:406:25 | new[] | semmle.label | new[] |
+| test.cpp:407:3:407:5 | val indirection [xs] | semmle.label | val indirection [xs] |
+| test.cpp:407:3:407:18 | access to array | semmle.label | access to array |
+| test.cpp:407:3:407:22 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:407:7:407:8 | xs | semmle.label | xs |
+| test.cpp:407:7:407:8 | xs indirection | semmle.label | xs indirection |
+| test.cpp:417:16:417:33 | new[] | semmle.label | new[] |
+| test.cpp:419:7:419:8 | xs | semmle.label | xs |
+| test.cpp:419:7:419:11 | access to array | semmle.label | access to array |
+| test.cpp:419:7:419:15 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:427:14:427:27 | new[] | semmle.label | new[] |
+| test.cpp:433:5:433:6 | xs | semmle.label | xs |
+| test.cpp:433:5:433:17 | access to array | semmle.label | access to array |
+| test.cpp:433:5:433:21 | Store: ... = ... | semmle.label | Store: ... = ... |
 subpaths
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
 | test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
-| test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
 | test.cpp:20:14:20:21 | Load: * ... | test.cpp:16:15:16:20 | call to malloc | test.cpp:20:14:20:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:16:15:16:20 | call to malloc | call to malloc | test.cpp:17:19:17:22 | size | size |
 | test.cpp:30:14:30:15 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:30:14:30:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
 | test.cpp:32:14:32:21 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
-| test.cpp:32:14:32:21 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
 | test.cpp:42:14:42:15 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
 | test.cpp:44:14:44:21 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
-| test.cpp:44:14:44:21 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
 | test.cpp:67:9:67:14 | Store: ... = ... | test.cpp:52:19:52:24 | call to malloc | test.cpp:67:9:67:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:52:19:52:24 | call to malloc | call to malloc | test.cpp:53:20:53:23 | size | size |
 | test.cpp:96:9:96:14 | Store: ... = ... | test.cpp:82:17:82:22 | call to malloc | test.cpp:96:9:96:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:82:17:82:22 | call to malloc | call to malloc | test.cpp:83:27:83:30 | size | size |
 | test.cpp:110:9:110:14 | Store: ... = ... | test.cpp:82:17:82:22 | call to malloc | test.cpp:110:9:110:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:82:17:82:22 | call to malloc | call to malloc | test.cpp:83:27:83:30 | size | size |
@@ -696,6 +1179,11 @@ subpaths
 | test.cpp:264:13:264:14 | Load: * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len |
 | test.cpp:274:5:274:10 | Store: ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len |
 | test.cpp:308:5:308:29 | Store: ... = ... | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:29 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:304:15:304:26 | new[] | new[] | test.cpp:308:8:308:10 | ... + ... | ... + ... |
-| test.cpp:333:5:333:21 | Store: ... = ... | test.cpp:325:14:325:27 | new[] | test.cpp:333:5:333:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:325:14:325:27 | new[] | new[] | test.cpp:326:20:326:23 | size | size |
-| test.cpp:341:5:341:21 | Store: ... = ... | test.cpp:325:14:325:27 | new[] | test.cpp:341:5:341:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:325:14:325:27 | new[] | new[] | test.cpp:326:20:326:23 | size | size |
-| test.cpp:350:15:350:19 | Load: * ... | test.cpp:347:14:347:27 | new[] | test.cpp:350:15:350:19 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:347:14:347:27 | new[] | new[] | test.cpp:348:20:348:23 | size | size |
+| test.cpp:358:14:358:26 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
+| test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
+| test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size |
+| test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
+| test.cpp:395:5:395:13 | Store: ... = ... | test.cpp:388:14:388:27 | new[] | test.cpp:395:5:395:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:388:14:388:27 | new[] | new[] | test.cpp:389:19:389:22 | size | size |
+| test.cpp:407:3:407:22 | Store: ... = ... | test.cpp:404:12:404:25 | new[] | test.cpp:407:3:407:22 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:404:12:404:25 | new[] | new[] | test.cpp:407:10:407:17 | ... - ... | ... - ... |
+| test.cpp:419:7:419:15 | Store: ... = ... | test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:417:16:417:33 | new[] | new[] | test.cpp:419:10:419:10 | i | i |
+| test.cpp:433:5:433:21 | Store: ... = ... | test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:427:14:427:27 | new[] | new[] | test.cpp:433:8:433:16 | ... ++ | ... ++ |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -330,7 +330,7 @@ void test23(unsigned size, int val) {
    if(*current - xs < 1)
      return;

-    *--(*current) = 0; // GOOD [FALSE POSITIVE]
+    *--(*current) = 0; // GOOD
    return;
  }

@@ -338,7 +338,7 @@ void test23(unsigned size, int val) {
    if(*current - xs < 2)
      return;

-    *--(*current) = 0; // GOOD [FALSE POSITIVE]
+    *--(*current) = 0; // GOOD
    *--(*current) = 0; // GOOD
  }
 }
@@ -347,6 +347,89 @@ void test24(unsigned size) {
  char *xs = new char[size];
  char *end = xs + size;
  if (xs < end) {
-    int val = *xs++; // GOOD [FALSE POSITIVE]
+    int val = *xs++; // GOOD
+  }
+}
+
+void test25(unsigned size) {
+  char *xs = new char[size];
+  char *end = xs + size;
+  char *end_plus_one = end + 1;
+  int val1 = *end_plus_one; // BAD
+  int val2 = *(end_plus_one + 1); // BAD
+}
+
+void test26(unsigned size) {
+  char *xs = new char[size];
+  char *p = xs;
+  char *end = p + size;
+
+  if (p + 4 <= end) {
+    p += 4;
+  }
+
+  if (p < end) {
+    int val = *p; // GOOD [FALSE POSITIVE]
+  }
+}
+
+void test27(unsigned size, bool b) {
+  char *xs = new char[size];
+  char *end = xs + size;
+
+  if (b) {
+    end++;
+  }
+
+  int val = *end; // BAD
+}
+
+void test28(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+    if (xs >= end)
+      return;
+    xs++;
+    if (xs >= end)
+      return;
+    xs[0] = 0;  // GOOD [FALSE POSITIVE]
+}
+
+struct test29_struct {
+  char* xs;
+};
+
+void test29(unsigned size) {
+  test29_struct val;
+  val.xs = new char[size];
+  size++;
+  val.xs = new char[size];
+  val.xs[size - 1] = 0; // GOOD [FALSE POSITIVE]
+}
+
+void test30(int *size)
+{
+  int new_size = 0, tmp_size = 0;
+
+  test30(&tmp_size);
+  if (tmp_size + 1 > new_size) {
+    new_size = tmp_size + 1;
+    char *xs = new char[new_size];
+    for (int i = 0; i < new_size; i++) {
+      xs[i] = 0;  // GOOD [FALSE POSITIVE]
+    }
+  }
+  *size = new_size;
+}
+
+void test31(unsigned size, unsigned src_pos)
+{
+  char *xs = new char[size];
+  if (src_pos > size) {
+    src_pos = size;
+  }
+  unsigned dst_pos = src_pos;
+  if(dst_pos < size - 3) {
+    xs[dst_pos++] = 0; // GOOD [FALSE POSITIVE]
  }
 }
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql`