hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 11:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into property-stringify

Browse Source
This commit is contained in:
tyage
2022-10-04 09:57:54 +01:00
committed by GitHub
parent 6ec2abbd2d 2593120300
commit f47c02431a
404 changed files with 9236 additions and 4706 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/qhelp-pr-preview.yml vendored
View File

@@ -27,7 +27,7 @@ on:
- main
- "rc/*"
paths:
- "ruby/**/*.qhelp"
- "**/*.qhelp"
jobs:
qhelp:

3
README.md
View File

@@ -4,8 +4,7 @@ This open source repository contains the standard CodeQL libraries and queries t
## How do I learn CodeQL and run queries?
There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL.
You can use the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension or the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com (Semmle Legacy product) to try out your queries on any open source project that's currently being analyzed.
There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL using the [CodeQL extension for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) and the [CodeQL CLI](https://codeql.github.com/docs/codeql-cli/).
## Contributing

108
cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll
View File

@@ -20,7 +20,8 @@ module ProductFlow {
* `source1` and `source2` must belong to the same callable.
*/
predicate isSourcePair(
DataFlow::Node source1, string state1, DataFlow::Node source2, string state2
DataFlow::Node source1, DataFlow::FlowState state1, DataFlow::Node source2,
DataFlow::FlowState state2
) {
state1 = "" and
state2 = "" and
@@ -89,6 +90,61 @@ module ProductFlow {
*/
predicate isBarrierOut2(DataFlow::Node node) { none() }
/*
* Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
* the first projection of the product dataflow graph.
*/
predicate isAdditionalFlowStep1(DataFlow::Node node1, DataFlow::Node node2) { none() }
/**
* Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
* the first projection of the product dataflow graph.
*
* This step is only applicable in `state1` and updates the flow state to `state2`.
*/
predicate isAdditionalFlowStep1(
DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
DataFlow::FlowState state2
) {
state1 instanceof DataFlow::FlowStateEmpty and
state2 instanceof DataFlow::FlowStateEmpty and
this.isAdditionalFlowStep1(node1, node2)
}
/**
* Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
* the second projection of the product dataflow graph.
*/
predicate isAdditionalFlowStep2(DataFlow::Node node1, DataFlow::Node node2) { none() }
/**
* Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
* the second projection of the product dataflow graph.
*
* This step is only applicable in `state1` and updates the flow state to `state2`.
*/
predicate isAdditionalFlowStep2(
DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
DataFlow::FlowState state2
) {
state1 instanceof DataFlow::FlowStateEmpty and
state2 instanceof DataFlow::FlowStateEmpty and
this.isAdditionalFlowStep2(node1, node2)
}
/**
* Holds if data flow into `node` is prohibited in the first projection of the product
* dataflow graph.
*/
predicate isBarrierIn1(DataFlow::Node node) { none() }
/**
* Holds if data flow into `node` is prohibited in the second projection of the product
* dataflow graph.
*/
predicate isBarrierIn2(DataFlow::Node node) { none() }
predicate hasFlowPath(
DataFlow::PathNode source1, DataFlow2::PathNode source2, DataFlow::PathNode sink1,
DataFlow2::PathNode sink2
@@ -103,54 +159,78 @@ module ProductFlow {
class Conf1 extends DataFlow::Configuration {
Conf1() { this = "Conf1" }
override predicate isSource(DataFlow::Node source, string state) {
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
exists(Configuration conf | conf.isSourcePair(source, state, _, _))
}
override predicate isSink(DataFlow::Node sink, string state) {
override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
exists(Configuration conf | conf.isSinkPair(sink, state, _, _))
}
override predicate isBarrier(DataFlow::Node node, string state) {
override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
exists(Configuration conf | conf.isBarrier1(node, state))
}
override predicate isBarrierOut(DataFlow::Node node) {
exists(Configuration conf | conf.isBarrierOut1(node))
}
override predicate isAdditionalFlowStep(
DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
DataFlow::FlowState state2
) {
exists(Configuration conf | conf.isAdditionalFlowStep1(node1, state1, node2, state2))
}
override predicate isBarrierIn(DataFlow::Node node) {
exists(Configuration conf | conf.isBarrierIn1(node))
}
}
class Conf2 extends DataFlow2::Configuration {
Conf2() { this = "Conf2" }
override predicate isSource(DataFlow::Node source, string state) {
exists(Configuration conf, DataFlow::Node source1 |
conf.isSourcePair(source1, _, source, state) and
any(Conf1 c).hasFlow(source1, _)
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
exists(Configuration conf, DataFlow::PathNode source1 |
conf.isSourcePair(source1.getNode(), source1.getState(), source, state) and
any(Conf1 c).hasFlowPath(source1, _)
)
}
override predicate isSink(DataFlow::Node sink, string state) {
exists(Configuration conf, DataFlow::Node sink1 |
conf.isSinkPair(sink1, _, sink, state) and any(Conf1 c).hasFlow(_, sink1)
override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
exists(Configuration conf, DataFlow::PathNode sink1 |
conf.isSinkPair(sink1.getNode(), sink1.getState(), sink, state) and
any(Conf1 c).hasFlowPath(_, sink1)
)
}
override predicate isBarrier(DataFlow::Node node, string state) {
override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
exists(Configuration conf | conf.isBarrier2(node, state))
}
override predicate isBarrierOut(DataFlow::Node node) {
exists(Configuration conf | conf.isBarrierOut2(node))
}
override predicate isAdditionalFlowStep(
DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
DataFlow::FlowState state2
) {
exists(Configuration conf | conf.isAdditionalFlowStep2(node1, state1, node2, state2))
}
override predicate isBarrierIn(DataFlow::Node node) {
exists(Configuration conf | conf.isBarrierIn2(node))
}
}
}
pragma[nomagic]
private predicate reachableInterprocEntry(
Configuration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
DataFlow::PathNode node1, DataFlow2::PathNode node2
) {
conf.isSourcePair(node1.getNode(), _, node2.getNode(), _) and
conf.isSourcePair(node1.getNode(), node1.getState(), node2.getNode(), node2.getState()) and
node1 = source1 and
node2 = source2
or
@@ -213,7 +293,7 @@ module ProductFlow {
) {
exists(DataFlow::PathNode mid1, DataFlow2::PathNode mid2 |
reachableInterprocEntry(conf, source1, source2, mid1, mid2) and
conf.isSinkPair(sink1.getNode(), _, sink2.getNode(), _) and
conf.isSinkPair(sink1.getNode(), sink1.getState(), sink2.getNode(), sink2.getState()) and
localPathStep1*(mid1, sink1) and
localPathStep2*(mid2, sink2)
)

272
cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
View File

@@ -205,57 +205,149 @@ private predicate deconstructSizeExpr(Expr sizeExpr, Expr lengthExpr, int sizeof
sizeof = 1
}
/** A `Function` that is a call target of an allocation. */
private signature class CallAllocationExprTarget extends Function;
/**
* An allocation expression that is a function call, such as call to `malloc`.
* This module abstracts over the type of allocation call-targets and provides a
* class `CallAllocationExprImpl` which contains the implementation of the various
* predicates required by the `Allocation` class.
*
* This module is then instantiated for two types of allocation call-targets:
* - `AllocationFunction`: Functions that we've explicitly modeled as functions that
* perform allocations (i.e., `malloc`).
* - `HeuristicAllocationFunction`: Functions that we deduce as behaving like an allocation
* function using various heuristics.
*/
private class CallAllocationExpr extends AllocationExpr, FunctionCall {
AllocationFunction target;
private module CallAllocationExprBase<CallAllocationExprTarget Target> {
/** A module that contains the collection of member-predicates required on `Target`. */
signature module Param {
/**
* Gets the index of the input pointer argument to be reallocated, if
* this is a `realloc` function.
*/
int getReallocPtrArg(Target target);
CallAllocationExpr() {
target = this.getTarget() and
// realloc(ptr, 0) only frees the pointer
not (
exists(target.getReallocPtrArg()) and
this.getArgument(target.getSizeArg()).getValue().toInt() = 0
) and
// these are modeled directly (and more accurately), avoid duplication
not exists(NewOrNewArrayExpr new | new.getAllocatorCall() = this)
/**
* Gets the index of the argument for the allocation size, if any. The actual
* allocation size is the value of this argument multiplied by the result of
* `getSizeMult()`, in bytes.
*/
int getSizeArg(Target target);
/**
* Gets the index of an argument that multiplies the allocation size given
* by `getSizeArg`, if any.
*/
int getSizeMult(Target target);
/**
* Holds if this allocation requires a
* corresponding deallocation of some sort (most do, but `alloca` for example
* does not). If it is unclear, we default to no (for example a placement `new`
* allocation may or may not require a corresponding `delete`).
*/
predicate requiresDealloc(Target target);
}
override Expr getSizeExpr() {
exists(Expr sizeExpr | sizeExpr = this.getArgument(target.getSizeArg()) |
if exists(target.getSizeMult())
then result = sizeExpr
else
exists(Expr lengthExpr |
deconstructSizeExpr(sizeExpr, lengthExpr, _) and
result = lengthExpr
/**
* A module that abstracts over a collection of predicates in
* the `Param` module). This should really be member-predicates
* on `CallAllocationExprTarget`, but we cannot yet write this in QL.
*/
module With<Param P> {
private import P
/**
* An allocation expression that is a function call, such as call to `malloc`.
*/
class CallAllocationExprImpl instanceof FunctionCall {
Target target;
CallAllocationExprImpl() {
target = this.getTarget() and
// realloc(ptr, 0) only frees the pointer
not (
exists(getReallocPtrArg(target)) and
this.getArgument(getSizeArg(target)).getValue().toInt() = 0
) and
// these are modeled directly (and more accurately), avoid duplication
not exists(NewOrNewArrayExpr new | new.getAllocatorCall() = this)
}
string toString() { result = super.toString() }
Expr getSizeExprImpl() {
exists(Expr sizeExpr | sizeExpr = super.getArgument(getSizeArg(target)) |
if exists(getSizeMult(target))
then result = sizeExpr
else
exists(Expr lengthExpr |
deconstructSizeExpr(sizeExpr, lengthExpr, _) and
result = lengthExpr
)
)
)
}
int getSizeMultImpl() {
// malloc with multiplier argument that is a constant
result = super.getArgument(getSizeMult(target)).getValue().toInt()
or
// malloc with no multiplier argument
not exists(getSizeMult(target)) and
deconstructSizeExpr(super.getArgument(getSizeArg(target)), _, result)
}
int getSizeBytesImpl() {
result = this.getSizeExprImpl().getValue().toInt() * this.getSizeMultImpl()
}
Expr getReallocPtrImpl() { result = super.getArgument(getReallocPtrArg(target)) }
Type getAllocatedElementTypeImpl() {
result =
super.getFullyConverted().getType().stripTopLevelSpecifiers().(PointerType).getBaseType() and
not result instanceof VoidType
}
predicate requiresDeallocImpl() { requiresDealloc(target) }
}
}
}
private module CallAllocationExpr {
private module Param implements CallAllocationExprBase<AllocationFunction>::Param {
int getReallocPtrArg(AllocationFunction f) { result = f.getReallocPtrArg() }
int getSizeArg(AllocationFunction f) { result = f.getSizeArg() }
int getSizeMult(AllocationFunction f) { result = f.getSizeMult() }
predicate requiresDealloc(AllocationFunction f) { f.requiresDealloc() }
}
override int getSizeMult() {
// malloc with multiplier argument that is a constant
result = this.getArgument(target.getSizeMult()).getValue().toInt()
or
// malloc with no multiplier argument
not exists(target.getSizeMult()) and
deconstructSizeExpr(this.getArgument(target.getSizeArg()), _, result)
/**
* A class that provides the implementation of `AllocationExpr` for an allocation
* that calls an `AllocationFunction`.
*/
private class Base =
CallAllocationExprBase<AllocationFunction>::With<Param>::CallAllocationExprImpl;
class CallAllocationExpr extends AllocationExpr, Base {
override Expr getSizeExpr() { result = super.getSizeExprImpl() }
override int getSizeMult() { result = super.getSizeMultImpl() }
override Type getAllocatedElementType() { result = super.getAllocatedElementTypeImpl() }
override predicate requiresDealloc() { super.requiresDeallocImpl() }
override int getSizeBytes() { result = super.getSizeBytesImpl() }
override Expr getReallocPtr() { result = super.getReallocPtrImpl() }
override string toString() { result = AllocationExpr.super.toString() }
}
override int getSizeBytes() {
result = this.getSizeExpr().getValue().toInt() * this.getSizeMult()
}
override Expr getReallocPtr() { result = this.getArgument(target.getReallocPtrArg()) }
override Type getAllocatedElementType() {
result =
this.getFullyConverted().getType().stripTopLevelSpecifiers().(PointerType).getBaseType() and
not result instanceof VoidType
}
override predicate requiresDealloc() { target.requiresDealloc() }
}
/**
@@ -294,3 +386,99 @@ private class NewArrayAllocationExpr extends AllocationExpr, NewArrayExpr {
override predicate requiresDealloc() { not exists(this.getPlacementPointer()) }
}
private module HeuristicAllocation {
/** A class that maps an `AllocationExpr` to an `HeuristicAllocationExpr`. */
private class HeuristicAllocationModeled extends HeuristicAllocationExpr instanceof AllocationExpr {
override Expr getSizeExpr() { result = AllocationExpr.super.getSizeExpr() }
override int getSizeMult() { result = AllocationExpr.super.getSizeMult() }
override int getSizeBytes() { result = AllocationExpr.super.getSizeBytes() }
override Expr getReallocPtr() { result = AllocationExpr.super.getReallocPtr() }
override Type getAllocatedElementType() {
result = AllocationExpr.super.getAllocatedElementType()
}
override predicate requiresDealloc() { AllocationExpr.super.requiresDealloc() }
}
/** A class that maps an `AllocationFunction` to an `HeuristicAllocationFunction`. */
private class HeuristicAllocationFunctionModeled extends HeuristicAllocationFunction instanceof AllocationFunction {
override int getSizeArg() { result = AllocationFunction.super.getSizeArg() }
override int getSizeMult() { result = AllocationFunction.super.getSizeMult() }
override int getReallocPtrArg() { result = AllocationFunction.super.getReallocPtrArg() }
override predicate requiresDealloc() { AllocationFunction.super.requiresDealloc() }
}
private int getAnUnsignedParameter(Function f) {
f.getParameter(result).getUnspecifiedType().(IntegralType).isUnsigned()
}
private int getAPointerParameter(Function f) {
f.getParameter(result).getUnspecifiedType() instanceof PointerType
}
/**
* A class that uses heuristics to find additional allocation functions. The required are as follows:
* 1. The word `alloc` must appear in the function name
* 2. The function must return a pointer type
* 3. There must be a unique parameter of unsigned integral type.
*/
private class HeuristicAllocationFunctionByName extends HeuristicAllocationFunction instanceof Function {
int sizeArg;
HeuristicAllocationFunctionByName() {
Function.super.getName().matches("%alloc%") and
Function.super.getUnspecifiedType() instanceof PointerType and
sizeArg = unique( | | getAnUnsignedParameter(this))
}
override int getSizeArg() { result = sizeArg }
override int getReallocPtrArg() {
Function.super.getName().matches("%realloc%") and
result = unique( | | getAPointerParameter(this))
}
override predicate requiresDealloc() { none() }
}
private module Param implements CallAllocationExprBase<HeuristicAllocationFunction>::Param {
int getReallocPtrArg(HeuristicAllocationFunction f) { result = f.getReallocPtrArg() }
int getSizeArg(HeuristicAllocationFunction f) { result = f.getSizeArg() }
int getSizeMult(HeuristicAllocationFunction f) { result = f.getSizeMult() }
predicate requiresDealloc(HeuristicAllocationFunction f) { f.requiresDealloc() }
}
/**
* A class that provides the implementation of `AllocationExpr` for an allocation
* that calls an `HeuristicAllocationFunction`.
*/
private class Base =
CallAllocationExprBase<HeuristicAllocationFunction>::With<Param>::CallAllocationExprImpl;
private class CallAllocationExpr extends HeuristicAllocationExpr, Base {
override Expr getSizeExpr() { result = super.getSizeExprImpl() }
override int getSizeMult() { result = super.getSizeMultImpl() }
override Type getAllocatedElementType() { result = super.getAllocatedElementTypeImpl() }
override predicate requiresDealloc() { super.requiresDeallocImpl() }
override int getSizeBytes() { result = super.getSizeBytesImpl() }
override Expr getReallocPtr() { result = super.getReallocPtrImpl() }
override string toString() { result = HeuristicAllocationExpr.super.toString() }
}
}

81
cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll
View File

@@ -113,3 +113,84 @@ class OperatorNewAllocationFunction extends AllocationFunction {
result = 1
}
}
/**
* An expression that _might_ allocate memory.
*
* Unlike `AllocationExpr`, this class uses heuristics (such as a call target's
* name and parameters) to include additional expressions.
*/
abstract class HeuristicAllocationExpr extends Expr {
/**
* Gets an expression for the allocation size, if any. The actual allocation
* size is the value of this expression multiplied by the result of
* `getSizeMult()`, in bytes.
*/
Expr getSizeExpr() { none() }
/**
* Gets a constant multiplier for the allocation size given by `getSizeExpr`,
* in bytes.
*/
int getSizeMult() { none() }
/**
* Gets the size of this allocation in bytes, if it is a fixed size and that
* size can be determined.
*/
int getSizeBytes() { none() }
/**
* Gets the expression for the input pointer argument to be reallocated, if
* this is a `realloc` function.
*/
Expr getReallocPtr() { none() }
/**
* Gets the type of the elements that are allocated, if it can be determined.
*/
Type getAllocatedElementType() { none() }
/**
* Whether or not this allocation requires a corresponding deallocation of
* some sort (most do, but `alloca` for example does not). If it is unclear,
* we default to no (for example a placement `new` allocation may or may not
* require a corresponding `delete`).
*/
predicate requiresDealloc() { any() }
}
/**
* An function that _might_ allocate memory.
*
* Unlike `AllocationFunction`, this class uses heuristics (such as the function's
* name and its parameters) to include additional functions.
*/
abstract class HeuristicAllocationFunction extends Function {
/**
* Gets the index of the argument for the allocation size, if any. The actual
* allocation size is the value of this argument multiplied by the result of
* `getSizeMult()`, in bytes.
*/
int getSizeArg() { none() }
/**
* Gets the index of an argument that multiplies the allocation size given by
* `getSizeArg`, if any.
*/
int getSizeMult() { none() }
/**
* Gets the index of the input pointer argument to be reallocated, if this
* is a `realloc` function.
*/
int getReallocPtrArg() { none() }
/**
* Whether or not this allocation requires a corresponding deallocation of
* some sort (most do, but `alloca` for example does not). If it is unclear,
* we default to no (for example a placement `new` allocation may or may not
* require a corresponding `delete`).
*/
predicate requiresDealloc() { any() }
}

9
cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.cpp Normal file
View File

@@ -0,0 +1,9 @@
int f(char * s, unsigned size) {
char* buf = (char*)malloc(size);
strncpy(buf, s, size + 1); // wrong: copy may exceed size of buf
for (int i = 0; i <= size; i++) { // wrong: upper limit that is higher than size of buf
cout << buf[i];
}
}

29
cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.qhelp Normal file
View File

@@ -0,0 +1,29 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>You must ensure that you do not exceed the size of an allocation during write and read operations.
If an operation attempts to write to or access an element that is outside the range of the allocation then this results in a buffer overflow.
Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.
</p>
</overview>
<recommendation>
<p>
Check the offsets and sizes used in the highlighted operations to ensure that a buffer overflow will not occur.
</p>
</recommendation>
<example><sample src="OverrunWriteProductFlow.cpp" />
</example>
<references>
<li>I. Gerg. <em>An Overview and Example of the Buffer-Overflow Exploit</em>. IANewsletter vol 7 no 4. 2005.</li>
<li>M. Donaldson. <em>Inside the Buffer Overflow Attack: Mechanism, Method &amp; Prevention</em>. SANS Institute InfoSec Reading Room. 2002.</li>
</references>
</qhelp>

119
cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql
View File

@@ -1,42 +1,131 @@
/**
* @name Overrunning write
* @description TODO
* @description Exceeding the size of a static array during write or access operations
* may result in a buffer overflow.
* @kind path-problem
* @problem.severity error
* @id cpp/overrun-write
* @tags reliability
* security
* external/cwe/cwe-119
* external/cwe/cwe-131
*/
import cpp
import experimental.semmle.code.cpp.dataflow.ProductFlow
import semmle.code.cpp.ir.IR
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import semmle.code.cpp.models.interfaces.Allocation
import semmle.code.cpp.models.interfaces.ArrayFunction
import experimental.semmle.code.cpp.semantic.analysis.RangeAnalysis
import experimental.semmle.code.cpp.semantic.SemanticBound
import experimental.semmle.code.cpp.semantic.SemanticExprSpecific
import DataFlow::PathGraph
pragma[nomagic]
Instruction getABoundIn(SemBound b, IRFunction func) {
result = b.getExpr(0) and
result.getEnclosingIRFunction() = func
}
/**
* Holds if `i <= b + delta`.
*/
pragma[nomagic]
predicate bounded(Instruction i, Instruction b, int delta) {
exists(SemBound bound, IRFunction func |
semBounded(getSemanticExpr(i), bound, delta, true, _) and
b = getABoundIn(bound, func) and
i.getEnclosingIRFunction() = func
)
}
VariableAccess getAVariableAccess(Expr e) { e.getAChild*() = result }
/**
* Holds if `(n, state)` pair represents the source of flow for the size
* expression associated with `alloc`.
*/
predicate hasSize(AllocationExpr alloc, DataFlow::Node n, string state) {
exists(VariableAccess va, Expr size, int delta |
size = alloc.getSizeExpr() and
// Get the unique variable in a size expression like `x` in `malloc(x + 1)`.
va = unique( | | getAVariableAccess(size)) and
// Compute `delta` as the constant difference between `x` and `x + 1`.
bounded(any(Instruction instr | instr.getUnconvertedResultExpression() = size),
any(LoadInstruction load | load.getUnconvertedResultExpression() = va), delta) and
n.asConvertedExpr() = va.getFullyConverted() and
state = delta.toString()
)
}
predicate isSinkPairImpl(
CallInstruction c, DataFlow::Node bufSink, DataFlow::Node sizeSink, int delta, Expr eBuf
) {
exists(int bufIndex, int sizeIndex, Instruction sizeInstr, Instruction bufInstr |
bufInstr = bufSink.asInstruction() and
c.getArgument(bufIndex) = bufInstr and
sizeInstr = sizeSink.asInstruction() and
c.getStaticCallTarget().(ArrayFunction).hasArrayWithVariableSize(bufIndex, sizeIndex) and
bounded(c.getArgument(sizeIndex), sizeInstr, delta) and
eBuf = bufInstr.getUnconvertedResultExpression()
)
}
class StringSizeConfiguration extends ProductFlow::Configuration {
StringSizeConfiguration() { this = "StringSizeConfiguration" }
override predicate isSourcePair(DataFlow::Node bufSource, DataFlow::Node sizeSource) {
bufSource.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeSource.asConvertedExpr()
override predicate isSourcePair(
DataFlow::Node bufSource, DataFlow::FlowState state1, DataFlow::Node sizeSource,
DataFlow::FlowState state2
) {
// In the case of an allocation like
// ```cpp
// malloc(size + 1);
// ```
// we use `state2` to remember that there was an offset (in this case an offset of `1`) added
// to the size of the allocation. This state is then checked in `isSinkPair`.
state1 instanceof DataFlow::FlowStateEmpty and
hasSize(bufSource.asConvertedExpr(), sizeSource, state2)
}
override predicate isSinkPair(DataFlow::Node bufSink, DataFlow::Node sizeSink) {
exists(CallInstruction c, int bufIndex, int sizeIndex |
c.getStaticCallTarget().(ArrayFunction).hasArrayWithVariableSize(bufIndex, sizeIndex) and
c.getArgument(bufIndex) = bufSink.asInstruction() and
c.getArgument(sizeIndex) = sizeSink.asInstruction()
override predicate isSinkPair(
DataFlow::Node bufSink, DataFlow::FlowState state1, DataFlow::Node sizeSink,
DataFlow::FlowState state2
) {
state1 instanceof DataFlow::FlowStateEmpty and
state2 = [-32 .. 32].toString() and // An arbitrary bound because we need to bound `state2`
exists(int delta |
isSinkPairImpl(_, bufSink, sizeSink, delta, _) and
delta > state2.toInt()
)
}
override predicate isAdditionalFlowStep2(
DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
DataFlow::FlowState state2
) {
exists(AddInstruction add, Operand op, int delta, int s1, int s2 |
s1 = [-32 .. 32] and // An arbitrary bound because we need to bound `state`
state1 = s1.toString() and
state2 = s2.toString() and
add.hasOperands(node1.asOperand(), op) and
semBounded(op.getDef(), any(SemZeroBound zero), delta, true, _) and
node2.asInstruction() = add and
s1 = s2 + delta
)
}
}
// we don't actually check correctness yet. Right now the query just finds relevant source/sink pairs.
from
StringSizeConfiguration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
DataFlow::PathNode sink1, DataFlow2::PathNode sink2
where conf.hasFlowPath(source1, source2, sink1, sink2)
// TODO: pull delta out and display it
select sink1.getNode(), source1, sink1, "Overrunning write allocated at $@ bounded by $@.", source1,
source1.toString(), sink2, sink2.toString()
DataFlow::PathNode sink1, DataFlow2::PathNode sink2, int overflow, int sinkState,
CallInstruction c, DataFlow::Node sourceNode, Expr buffer, string element
where
conf.hasFlowPath(source1, source2, sink1, sink2) and
sinkState = sink2.getState().toInt() and
isSinkPairImpl(c, sink1.getNode(), sink2.getNode(), overflow + sinkState, buffer) and
overflow > 0 and
sourceNode = source1.getNode() and
if overflow = 1 then element = " element." else element = " elements."
select c.getUnconvertedResultExpression(), source1, sink1,
"This write may overflow $@ by " + overflow + element, buffer, buffer.toString()

4
cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
View File

@@ -76,7 +76,7 @@ private predicate hasSizeImpl(Expr e, DataFlow::Node n, string state) {
* Holds if `(n, state)` pair represents the source of flow for the size
* expression associated with `alloc`.
*/
predicate hasSize(AllocationExpr alloc, DataFlow::Node n, string state) {
predicate hasSize(HeuristicAllocationExpr alloc, DataFlow::Node n, string state) {
hasSizeImpl(alloc.getSizeExpr(), n, state)
}
@@ -132,6 +132,8 @@ class AllocToInvalidPointerConf extends ProductFlow::Configuration {
override predicate isBarrierOut2(DataFlow::Node node) {
node = any(DataFlow::SsaPhiNode phi).getAnInput(true)
}
override predicate isBarrierIn1(DataFlow::Node node) { this.isSourcePair(node, _, _, _) }
}
pragma[nomagic]

315
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.expected
View File

@@ -1,6 +1,7 @@
edges
| test.cpp:16:11:16:21 | VariableAddress indirection [string] | test.cpp:24:21:24:31 | Call indirection [string] |
| test.cpp:16:11:16:21 | VariableAddress indirection [string] | test.cpp:34:21:34:31 | Call indirection [string] |
| test.cpp:16:11:16:21 | VariableAddress indirection [string] | test.cpp:39:21:39:31 | Call indirection [string] |
| test.cpp:18:5:18:30 | Store | test.cpp:18:10:18:15 | Load indirection [post update] [string] |
| test.cpp:18:10:18:15 | Load indirection [post update] [string] | test.cpp:16:11:16:21 | VariableAddress indirection [string] |
| test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | Store |
@@ -12,6 +13,153 @@ edges
| test.cpp:30:18:30:23 | FieldAddress indirection | test.cpp:30:18:30:23 | Load |
| test.cpp:34:21:34:31 | Call indirection [string] | test.cpp:35:21:35:23 | str indirection [string] |
| test.cpp:35:21:35:23 | str indirection [string] | test.cpp:29:32:29:34 | str indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:41:13:41:15 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:42:13:42:15 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:44:13:44:15 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:45:13:45:15 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:48:17:48:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:52:17:52:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:56:17:56:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:60:17:60:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:64:17:64:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:68:17:68:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:72:17:72:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:76:17:76:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:80:17:80:19 | Load indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | test.cpp:84:17:84:19 | Load indirection [string] |
| test.cpp:41:13:41:15 | Load indirection [string] | test.cpp:41:18:41:23 | FieldAddress indirection |
| test.cpp:41:18:41:23 | FieldAddress indirection | test.cpp:41:18:41:23 | Load |
| test.cpp:42:13:42:15 | Load indirection [string] | test.cpp:42:18:42:23 | FieldAddress indirection |
| test.cpp:42:18:42:23 | FieldAddress indirection | test.cpp:42:18:42:23 | Load |
| test.cpp:44:13:44:15 | Load indirection [string] | test.cpp:44:18:44:23 | FieldAddress indirection |
| test.cpp:44:18:44:23 | FieldAddress indirection | test.cpp:44:18:44:23 | Load |
| test.cpp:45:13:45:15 | Load indirection [string] | test.cpp:45:18:45:23 | FieldAddress indirection |
| test.cpp:45:18:45:23 | FieldAddress indirection | test.cpp:45:18:45:23 | Load |
| test.cpp:48:17:48:19 | Load indirection [string] | test.cpp:48:22:48:27 | FieldAddress indirection |
| test.cpp:48:22:48:27 | FieldAddress indirection | test.cpp:48:22:48:27 | Load |
| test.cpp:52:17:52:19 | Load indirection [string] | test.cpp:52:22:52:27 | FieldAddress indirection |
| test.cpp:52:22:52:27 | FieldAddress indirection | test.cpp:52:22:52:27 | Load |
| test.cpp:56:17:56:19 | Load indirection [string] | test.cpp:56:22:56:27 | FieldAddress indirection |
| test.cpp:56:22:56:27 | FieldAddress indirection | test.cpp:56:22:56:27 | Load |
| test.cpp:60:17:60:19 | Load indirection [string] | test.cpp:60:22:60:27 | FieldAddress indirection |
| test.cpp:60:22:60:27 | FieldAddress indirection | test.cpp:60:22:60:27 | Load |
| test.cpp:64:17:64:19 | Load indirection [string] | test.cpp:64:22:64:27 | FieldAddress indirection |
| test.cpp:64:22:64:27 | FieldAddress indirection | test.cpp:64:22:64:27 | Load |
| test.cpp:68:17:68:19 | Load indirection [string] | test.cpp:68:22:68:27 | FieldAddress indirection |
| test.cpp:68:22:68:27 | FieldAddress indirection | test.cpp:68:22:68:27 | Load |
| test.cpp:72:17:72:19 | Load indirection [string] | test.cpp:72:22:72:27 | FieldAddress indirection |
| test.cpp:72:22:72:27 | FieldAddress indirection | test.cpp:72:22:72:27 | Load |
| test.cpp:76:17:76:19 | Load indirection [string] | test.cpp:76:22:76:27 | FieldAddress indirection |
| test.cpp:76:22:76:27 | FieldAddress indirection | test.cpp:76:22:76:27 | Load |
| test.cpp:80:17:80:19 | Load indirection [string] | test.cpp:80:22:80:27 | FieldAddress indirection |
| test.cpp:80:22:80:27 | FieldAddress indirection | test.cpp:80:22:80:27 | Load |
| test.cpp:84:17:84:19 | Load indirection [string] | test.cpp:84:22:84:27 | FieldAddress indirection |
| test.cpp:84:22:84:27 | FieldAddress indirection | test.cpp:84:22:84:27 | Load |
| test.cpp:88:11:88:30 | VariableAddress indirection [string] | test.cpp:96:21:96:40 | Call indirection [string] |
| test.cpp:90:5:90:34 | Store | test.cpp:90:10:90:15 | Load indirection [post update] [string] |
| test.cpp:90:10:90:15 | Load indirection [post update] [string] | test.cpp:88:11:88:30 | VariableAddress indirection [string] |
| test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | Store |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:98:13:98:15 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:99:13:99:15 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:101:13:101:15 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:102:13:102:15 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:105:17:105:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:109:17:109:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:113:17:113:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:117:17:117:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:121:17:121:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:125:17:125:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:129:17:129:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:133:17:133:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:137:17:137:19 | Load indirection [string] |
| test.cpp:96:21:96:40 | Call indirection [string] | test.cpp:141:17:141:19 | Load indirection [string] |
| test.cpp:98:13:98:15 | Load indirection [string] | test.cpp:98:18:98:23 | FieldAddress indirection |
| test.cpp:98:18:98:23 | FieldAddress indirection | test.cpp:98:18:98:23 | Load |
| test.cpp:99:13:99:15 | Load indirection [string] | test.cpp:99:18:99:23 | FieldAddress indirection |
| test.cpp:99:18:99:23 | FieldAddress indirection | test.cpp:99:18:99:23 | Load |
| test.cpp:101:13:101:15 | Load indirection [string] | test.cpp:101:18:101:23 | FieldAddress indirection |
| test.cpp:101:18:101:23 | FieldAddress indirection | test.cpp:101:18:101:23 | Load |
| test.cpp:102:13:102:15 | Load indirection [string] | test.cpp:102:18:102:23 | FieldAddress indirection |
| test.cpp:102:18:102:23 | FieldAddress indirection | test.cpp:102:18:102:23 | Load |
| test.cpp:105:17:105:19 | Load indirection [string] | test.cpp:105:22:105:27 | FieldAddress indirection |
| test.cpp:105:22:105:27 | FieldAddress indirection | test.cpp:105:22:105:27 | Load |
| test.cpp:109:17:109:19 | Load indirection [string] | test.cpp:109:22:109:27 | FieldAddress indirection |
| test.cpp:109:22:109:27 | FieldAddress indirection | test.cpp:109:22:109:27 | Load |
| test.cpp:113:17:113:19 | Load indirection [string] | test.cpp:113:22:113:27 | FieldAddress indirection |
| test.cpp:113:22:113:27 | FieldAddress indirection | test.cpp:113:22:113:27 | Load |
| test.cpp:117:17:117:19 | Load indirection [string] | test.cpp:117:22:117:27 | FieldAddress indirection |
| test.cpp:117:22:117:27 | FieldAddress indirection | test.cpp:117:22:117:27 | Load |
| test.cpp:121:17:121:19 | Load indirection [string] | test.cpp:121:22:121:27 | FieldAddress indirection |
| test.cpp:121:22:121:27 | FieldAddress indirection | test.cpp:121:22:121:27 | Load |
| test.cpp:125:17:125:19 | Load indirection [string] | test.cpp:125:22:125:27 | FieldAddress indirection |
| test.cpp:125:22:125:27 | FieldAddress indirection | test.cpp:125:22:125:27 | Load |
| test.cpp:129:17:129:19 | Load indirection [string] | test.cpp:129:22:129:27 | FieldAddress indirection |
| test.cpp:129:22:129:27 | FieldAddress indirection | test.cpp:129:22:129:27 | Load |
| test.cpp:133:17:133:19 | Load indirection [string] | test.cpp:133:22:133:27 | FieldAddress indirection |
| test.cpp:133:22:133:27 | FieldAddress indirection | test.cpp:133:22:133:27 | Load |
| test.cpp:137:17:137:19 | Load indirection [string] | test.cpp:137:22:137:27 | FieldAddress indirection |
| test.cpp:137:22:137:27 | FieldAddress indirection | test.cpp:137:22:137:27 | Load |
| test.cpp:141:17:141:19 | Load indirection [string] | test.cpp:141:22:141:27 | FieldAddress indirection |
| test.cpp:141:22:141:27 | FieldAddress indirection | test.cpp:141:22:141:27 | Load |
| test.cpp:147:5:147:34 | Store | test.cpp:147:10:147:15 | Load indirection [post update] [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:150:13:150:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:151:13:151:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:152:13:152:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:154:13:154:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:155:13:155:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:156:13:156:15 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:159:17:159:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:163:17:163:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:167:17:167:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:171:17:171:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:175:17:175:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:179:17:179:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:183:17:183:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:187:17:187:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:191:17:191:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:195:17:195:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:199:17:199:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:203:17:203:19 | Load indirection [string] |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | test.cpp:207:17:207:19 | Load indirection [string] |
| test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | Store |
| test.cpp:150:13:150:15 | Load indirection [string] | test.cpp:150:18:150:23 | FieldAddress indirection |
| test.cpp:150:18:150:23 | FieldAddress indirection | test.cpp:150:18:150:23 | Load |
| test.cpp:151:13:151:15 | Load indirection [string] | test.cpp:151:18:151:23 | FieldAddress indirection |
| test.cpp:151:18:151:23 | FieldAddress indirection | test.cpp:151:18:151:23 | Load |
| test.cpp:152:13:152:15 | Load indirection [string] | test.cpp:152:18:152:23 | FieldAddress indirection |
| test.cpp:152:18:152:23 | FieldAddress indirection | test.cpp:152:18:152:23 | Load |
| test.cpp:154:13:154:15 | Load indirection [string] | test.cpp:154:18:154:23 | FieldAddress indirection |
| test.cpp:154:18:154:23 | FieldAddress indirection | test.cpp:154:18:154:23 | Load |
| test.cpp:155:13:155:15 | Load indirection [string] | test.cpp:155:18:155:23 | FieldAddress indirection |
| test.cpp:155:18:155:23 | FieldAddress indirection | test.cpp:155:18:155:23 | Load |
| test.cpp:156:13:156:15 | Load indirection [string] | test.cpp:156:18:156:23 | FieldAddress indirection |
| test.cpp:156:18:156:23 | FieldAddress indirection | test.cpp:156:18:156:23 | Load |
| test.cpp:159:17:159:19 | Load indirection [string] | test.cpp:159:22:159:27 | FieldAddress indirection |
| test.cpp:159:22:159:27 | FieldAddress indirection | test.cpp:159:22:159:27 | Load |
| test.cpp:163:17:163:19 | Load indirection [string] | test.cpp:163:22:163:27 | FieldAddress indirection |
| test.cpp:163:22:163:27 | FieldAddress indirection | test.cpp:163:22:163:27 | Load |
| test.cpp:167:17:167:19 | Load indirection [string] | test.cpp:167:22:167:27 | FieldAddress indirection |
| test.cpp:167:22:167:27 | FieldAddress indirection | test.cpp:167:22:167:27 | Load |
| test.cpp:171:17:171:19 | Load indirection [string] | test.cpp:171:22:171:27 | FieldAddress indirection |
| test.cpp:171:22:171:27 | FieldAddress indirection | test.cpp:171:22:171:27 | Load |
| test.cpp:175:17:175:19 | Load indirection [string] | test.cpp:175:22:175:27 | FieldAddress indirection |
| test.cpp:175:22:175:27 | FieldAddress indirection | test.cpp:175:22:175:27 | Load |
| test.cpp:179:17:179:19 | Load indirection [string] | test.cpp:179:22:179:27 | FieldAddress indirection |
| test.cpp:179:22:179:27 | FieldAddress indirection | test.cpp:179:22:179:27 | Load |
| test.cpp:183:17:183:19 | Load indirection [string] | test.cpp:183:22:183:27 | FieldAddress indirection |
| test.cpp:183:22:183:27 | FieldAddress indirection | test.cpp:183:22:183:27 | Load |
| test.cpp:187:17:187:19 | Load indirection [string] | test.cpp:187:22:187:27 | FieldAddress indirection |
| test.cpp:187:22:187:27 | FieldAddress indirection | test.cpp:187:22:187:27 | Load |
| test.cpp:191:17:191:19 | Load indirection [string] | test.cpp:191:22:191:27 | FieldAddress indirection |
| test.cpp:191:22:191:27 | FieldAddress indirection | test.cpp:191:22:191:27 | Load |
| test.cpp:195:17:195:19 | Load indirection [string] | test.cpp:195:22:195:27 | FieldAddress indirection |
| test.cpp:195:22:195:27 | FieldAddress indirection | test.cpp:195:22:195:27 | Load |
| test.cpp:199:17:199:19 | Load indirection [string] | test.cpp:199:22:199:27 | FieldAddress indirection |
| test.cpp:199:22:199:27 | FieldAddress indirection | test.cpp:199:22:199:27 | Load |
| test.cpp:203:17:203:19 | Load indirection [string] | test.cpp:203:22:203:27 | FieldAddress indirection |
| test.cpp:203:22:203:27 | FieldAddress indirection | test.cpp:203:22:203:27 | Load |
| test.cpp:207:17:207:19 | Load indirection [string] | test.cpp:207:22:207:27 | FieldAddress indirection |
| test.cpp:207:22:207:27 | FieldAddress indirection | test.cpp:207:22:207:27 | Load |
nodes
| test.cpp:16:11:16:21 | VariableAddress indirection [string] | semmle.label | VariableAddress indirection [string] |
| test.cpp:18:5:18:30 | Store | semmle.label | Store |
@@ -27,7 +175,170 @@ nodes
| test.cpp:30:18:30:23 | Load | semmle.label | Load |
| test.cpp:34:21:34:31 | Call indirection [string] | semmle.label | Call indirection [string] |
| test.cpp:35:21:35:23 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:39:21:39:31 | Call indirection [string] | semmle.label | Call indirection [string] |
| test.cpp:41:13:41:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:41:18:41:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:41:18:41:23 | Load | semmle.label | Load |
| test.cpp:42:13:42:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:42:18:42:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:42:18:42:23 | Load | semmle.label | Load |
| test.cpp:44:13:44:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:44:18:44:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:44:18:44:23 | Load | semmle.label | Load |
| test.cpp:45:13:45:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:45:18:45:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:45:18:45:23 | Load | semmle.label | Load |
| test.cpp:48:17:48:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:48:22:48:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:48:22:48:27 | Load | semmle.label | Load |
| test.cpp:52:17:52:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:52:22:52:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:52:22:52:27 | Load | semmle.label | Load |
| test.cpp:56:17:56:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:56:22:56:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:56:22:56:27 | Load | semmle.label | Load |
| test.cpp:60:17:60:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:60:22:60:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:60:22:60:27 | Load | semmle.label | Load |
| test.cpp:64:17:64:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:64:22:64:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:64:22:64:27 | Load | semmle.label | Load |
| test.cpp:68:17:68:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:68:22:68:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:68:22:68:27 | Load | semmle.label | Load |
| test.cpp:72:17:72:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:72:22:72:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:72:22:72:27 | Load | semmle.label | Load |
| test.cpp:76:17:76:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:76:22:76:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:76:22:76:27 | Load | semmle.label | Load |
| test.cpp:80:17:80:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:80:22:80:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:80:22:80:27 | Load | semmle.label | Load |
| test.cpp:84:17:84:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:84:22:84:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:84:22:84:27 | Load | semmle.label | Load |
| test.cpp:88:11:88:30 | VariableAddress indirection [string] | semmle.label | VariableAddress indirection [string] |
| test.cpp:90:5:90:34 | Store | semmle.label | Store |
| test.cpp:90:10:90:15 | Load indirection [post update] [string] | semmle.label | Load indirection [post update] [string] |
| test.cpp:90:19:90:24 | call to malloc | semmle.label | call to malloc |
| test.cpp:96:21:96:40 | Call indirection [string] | semmle.label | Call indirection [string] |
| test.cpp:98:13:98:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:98:18:98:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:98:18:98:23 | Load | semmle.label | Load |
| test.cpp:99:13:99:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:99:18:99:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:99:18:99:23 | Load | semmle.label | Load |
| test.cpp:101:13:101:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:101:18:101:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:101:18:101:23 | Load | semmle.label | Load |
| test.cpp:102:13:102:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:102:18:102:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:102:18:102:23 | Load | semmle.label | Load |
| test.cpp:105:17:105:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:105:22:105:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:105:22:105:27 | Load | semmle.label | Load |
| test.cpp:109:17:109:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:109:22:109:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:109:22:109:27 | Load | semmle.label | Load |
| test.cpp:113:17:113:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:113:22:113:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:113:22:113:27 | Load | semmle.label | Load |
| test.cpp:117:17:117:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:117:22:117:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:117:22:117:27 | Load | semmle.label | Load |
| test.cpp:121:17:121:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:121:22:121:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:121:22:121:27 | Load | semmle.label | Load |
| test.cpp:125:17:125:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:125:22:125:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:125:22:125:27 | Load | semmle.label | Load |
| test.cpp:129:17:129:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:129:22:129:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:129:22:129:27 | Load | semmle.label | Load |
| test.cpp:133:17:133:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:133:22:133:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:133:22:133:27 | Load | semmle.label | Load |
| test.cpp:137:17:137:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:137:22:137:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:137:22:137:27 | Load | semmle.label | Load |
| test.cpp:141:17:141:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:141:22:141:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:141:22:141:27 | Load | semmle.label | Load |
| test.cpp:147:5:147:34 | Store | semmle.label | Store |
| test.cpp:147:10:147:15 | Load indirection [post update] [string] | semmle.label | Load indirection [post update] [string] |
| test.cpp:147:19:147:24 | call to malloc | semmle.label | call to malloc |
| test.cpp:150:13:150:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:150:18:150:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:150:18:150:23 | Load | semmle.label | Load |
| test.cpp:151:13:151:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:151:18:151:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:151:18:151:23 | Load | semmle.label | Load |
| test.cpp:152:13:152:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:152:18:152:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:152:18:152:23 | Load | semmle.label | Load |
| test.cpp:154:13:154:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:154:18:154:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:154:18:154:23 | Load | semmle.label | Load |
| test.cpp:155:13:155:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:155:18:155:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:155:18:155:23 | Load | semmle.label | Load |
| test.cpp:156:13:156:15 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:156:18:156:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:156:18:156:23 | Load | semmle.label | Load |
| test.cpp:159:17:159:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:159:22:159:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:159:22:159:27 | Load | semmle.label | Load |
| test.cpp:163:17:163:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:163:22:163:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:163:22:163:27 | Load | semmle.label | Load |
| test.cpp:167:17:167:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:167:22:167:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:167:22:167:27 | Load | semmle.label | Load |
| test.cpp:171:17:171:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:171:22:171:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:171:22:171:27 | Load | semmle.label | Load |
| test.cpp:175:17:175:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:175:22:175:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:175:22:175:27 | Load | semmle.label | Load |
| test.cpp:179:17:179:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:179:22:179:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:179:22:179:27 | Load | semmle.label | Load |
| test.cpp:183:17:183:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:183:22:183:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:183:22:183:27 | Load | semmle.label | Load |
| test.cpp:187:17:187:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:187:22:187:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:187:22:187:27 | Load | semmle.label | Load |
| test.cpp:191:17:191:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:191:22:191:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:191:22:191:27 | Load | semmle.label | Load |
| test.cpp:195:17:195:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:195:22:195:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:195:22:195:27 | Load | semmle.label | Load |
| test.cpp:199:17:199:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:199:22:199:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:199:22:199:27 | Load | semmle.label | Load |
| test.cpp:203:17:203:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:203:22:203:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:203:22:203:27 | Load | semmle.label | Load |
| test.cpp:207:17:207:19 | Load indirection [string] | semmle.label | Load indirection [string] |
| test.cpp:207:22:207:27 | FieldAddress indirection | semmle.label | FieldAddress indirection |
| test.cpp:207:22:207:27 | Load | semmle.label | Load |
subpaths
#select
| test.cpp:26:18:26:23 | Load | test.cpp:18:19:18:24 | call to malloc | test.cpp:26:18:26:23 | Load | Overrunning write allocated at $@ bounded by $@. | test.cpp:18:19:18:24 | call to malloc | call to malloc | test.cpp:26:31:26:39 | Convert | Convert |
| test.cpp:30:18:30:23 | Load | test.cpp:18:19:18:24 | call to malloc | test.cpp:30:18:30:23 | Load | Overrunning write allocated at $@ bounded by $@. | test.cpp:18:19:18:24 | call to malloc | call to malloc | test.cpp:30:31:30:39 | Convert | Convert |
| test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | Load | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string |
| test.cpp:72:9:72:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:72:22:72:27 | Load | This write may overflow $@ by 1 element. | test.cpp:72:22:72:27 | string | string |
| test.cpp:80:9:80:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:80:22:80:27 | Load | This write may overflow $@ by 2 elements. | test.cpp:80:22:80:27 | string | string |
| test.cpp:99:5:99:11 | call to strncpy | test.cpp:90:19:90:24 | call to malloc | test.cpp:99:18:99:23 | Load | This write may overflow $@ by 1 element. | test.cpp:99:18:99:23 | string | string |
| test.cpp:129:9:129:15 | call to strncpy | test.cpp:90:19:90:24 | call to malloc | test.cpp:129:22:129:27 | Load | This write may overflow $@ by 1 element. | test.cpp:129:22:129:27 | string | string |
| test.cpp:137:9:137:15 | call to strncpy | test.cpp:90:19:90:24 | call to malloc | test.cpp:137:22:137:27 | Load | This write may overflow $@ by 2 elements. | test.cpp:137:22:137:27 | string | string |
| test.cpp:152:5:152:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:152:18:152:23 | Load | This write may overflow $@ by 1 element. | test.cpp:152:18:152:23 | string | string |
| test.cpp:154:5:154:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:154:18:154:23 | Load | This write may overflow $@ by 1 element. | test.cpp:154:18:154:23 | string | string |
| test.cpp:156:5:156:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:156:18:156:23 | Load | This write may overflow $@ by 2 elements. | test.cpp:156:18:156:23 | string | string |
| test.cpp:175:9:175:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:175:22:175:27 | Load | This write may overflow $@ by 1 element. | test.cpp:175:22:175:27 | string | string |
| test.cpp:187:9:187:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:187:22:187:27 | Load | This write may overflow $@ by 1 element. | test.cpp:187:22:187:27 | string | string |
| test.cpp:195:9:195:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:195:22:195:27 | Load | This write may overflow $@ by 1 element. | test.cpp:195:22:195:27 | string | string |
| test.cpp:199:9:199:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:199:22:199:27 | Load | This write may overflow $@ by 2 elements. | test.cpp:199:22:199:27 | string | string |
| test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | Load | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string |
| test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | Load | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string |

181
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/test.cpp
View File

@@ -1,5 +1,5 @@
typedef unsigned long long size_t;
typedef unsigned size_t;
int sprintf(char *s, const char *format, ...);
int snprintf(char *s, size_t n, const char *format, ...);
int scanf(const char *format, ...);
@@ -10,7 +10,7 @@ char *strncpy(char *dst, const char *src, size_t n);
typedef struct
{
char *string;
int size;
unsigned size;
} string_t;
string_t *mk_string_t(int size) {
@@ -23,11 +23,11 @@ string_t *mk_string_t(int size) {
void test1(int size, char *buf) {
string_t *str = mk_string_t(size);
strncpy(str->string, buf, str->size);
strncpy(str->string, buf, str->size); // GOOD
}
void strncpy_wrapper(string_t *str, char *buf) {
strncpy(str->string, buf, str->size);
strncpy(str->string, buf, str->size); // GOOD
}
void test2(int size, char *buf) {
@@ -35,3 +35,176 @@ void test2(int size, char *buf) {
strncpy_wrapper(str, buf);
}
void test3(unsigned size, char *buf, unsigned anotherSize) {
string_t *str = mk_string_t(size);
strncpy(str->string, buf, str->size); // GOOD
strncpy(str->string, buf, str->size + 1); // BAD
strncpy(str->string, buf, size); // GOOD
strncpy(str->string, buf, size + 1); // BAD [NOT DETECTED]
if(anotherSize < str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < str->size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size + 1) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 1) {
strncpy(str->string, buf, anotherSize); // BAD [NOT DETECTED]
}
if(anotherSize <= str->size + 2) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 2) {
strncpy(str->string, buf, anotherSize); // BAD [NOT DETECTED]
}
}
string_t *mk_string_t_plus_one(int size) {
string_t *str = (string_t *) malloc(sizeof(string_t));
str->string = malloc(size + 1);
str->size = size + 1;
return str;
}
void test4(unsigned size, char *buf, unsigned anotherSize) {
string_t *str = mk_string_t_plus_one(size);
strncpy(str->string, buf, str->size); // GOOD
strncpy(str->string, buf, str->size + 1); // BAD
strncpy(str->string, buf, size); // GOOD
strncpy(str->string, buf, size + 1); // GOOD
if(anotherSize < str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < str->size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size + 1) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size + 2) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 2) {
strncpy(str->string, buf, anotherSize); // BAD [NOT DETECTED]
}
}
void test5(unsigned size, char *buf, unsigned anotherSize) {
string_t *str = (string_t *) malloc(sizeof(string_t));
str->string = malloc(size - 1);
str->size = size - 1;
strncpy(str->string, buf, str->size); // GOOD
strncpy(str->string, buf, str->size - 1); // GOOD
strncpy(str->string, buf, str->size + 1); // BAD
strncpy(str->string, buf, size); // BAD
strncpy(str->string, buf, size - 1); // GOOD
strncpy(str->string, buf, size + 1); // BAD
if(anotherSize < str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size - 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= size) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size - 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < str->size + 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize < size + 1) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize < size - 1) {
strncpy(str->string, buf, anotherSize); // GOOD
}
if(anotherSize <= str->size + 1) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 1) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= str->size + 2) {
strncpy(str->string, buf, anotherSize); // BAD
}
if(anotherSize <= size + 2) {
strncpy(str->string, buf, anotherSize); // BAD
}
}

5
cpp/ql/test/library-tests/ir/range-analysis/RangeAnalysis.ql
View File

@@ -17,7 +17,7 @@ class RangeAnalysisTest extends InlineExpectationsTest {
tag = "range" and
element = e.toString() and
location = e.getLocation() and
value = getARangeString(e)
value = quote(getARangeString(e))
)
}
}
@@ -33,6 +33,9 @@ private string getOffsetString(int value) {
if value >= 0 then result = "+" + value.toString() else result = value.toString()
}
bindingset[s]
string quote(string s) { if s.matches("% %") then result = "\"" + s + "\"" else result = s }
bindingset[delta]
private string getBoundString(SemBound b, int delta) {
b instanceof SemZeroBound and result = delta.toString()

999
cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp Normal file
View File

@@ -0,0 +1,999 @@
#include "test_util.h"
struct List {
struct List* next;
};
int test1(struct List* p) {
int count = 0;
for (; p; p = p->next) {
count = count+1;
range(count); // $ range===count:p+1 range=>=1
}
range(count); // $ range=>=0
return count;
}
int test2(struct List* p) {
int count = 0;
for (; p; p = p->next) {
count = (count+1) % 10;
range(count); // $ range=<=9
}
range(count); // $ range=<=9
return count;
}
int test3(struct List* p) {
int count = 0;
for (; p; p = p->next) {
range(count++); // $ range=<=9
count = count % 10;
range(count); // $ range=<=9
}
range(count); // $ range=<=9
return count;
}
int test4() {
int i = 0;
int total = 0;
for (i = 0; i < 2; i = i+1) {
range(i); // $ range=<=1 range=>=0
range(total);
total += i;
range(total);
}
range(total);
range(i); // $ range===2
range(total + i); // $ range=>=i+1
return total + i;
}
int test5() {
int i = 0;
int total = 0;
for (i = 0; i < 2; i++) {
range(i); // $ range=<=1 range=>=0
range(total);
total += i;
range(total);
}
range(total);
range(i); // $ range===2
range(total + i); // $ range=>=i+1
return total + i;
}
int test6() {
int i = 0;
int total = 0;
for (i = 0; i+2 < 4; i = i+1) {
range(i); // $ range=<=1 range=>=0
range(total);
total += i;
range(total);
}
return total + i;
}
int test7(int i) {
if (i < 4) {
if (i < 5) {
range(i); // $ range=<=3
return i;
}
range(i); // $ range=<=3 range=>=5
}
range(i);
return 1;
}
int test8(int x, int y) {
if (-1000 < y && y < 10) {
range(y); // $ range=<=9 range=>=-999
if (x < y-2) {
range(x); // $ range=<=6 range=<=y-3
range(y); // $ range=<=9 range=>=-999 range=>=x+3
return x;
}
range(x); // $ range=>=-1001 range=>=y-2
range(y); // $ range=<=9 range=<=x+2 range=>=-999
}
range(x);
range(y);
return y;
}
int test9(int x, int y) {
if (y == 0) {
if (x < 4) {
range(x); // $ range=<=3
return 0;
}
range(x); // $ range=>=4
} else {
if (x < 4) {
range(x); // $ range=<=3
return 1;
}
range(x); // $ range=>=4
}
return x;
}
int test10(int x, int y) {
if (y > 7) {
range(y); // $ range=>=8
if (x < y) {
range(x); // $ range=<=y-1
range(y); // $ range=>=8 range=>=x+1
return 0;
}
range(x); // $ range=>=8 range=>=y+0
range(y); // $ range=<=x+0 range=>=8
return x;
}
range(y); // $ range=<=7
return 1;
}
int test11(char *p) {
char c;
c = *p;
range(*p);
if (c != '\0') {
*p++ = '\0';
range(p); // $ range===p+1
range(*p);
}
if (c == ':') {
range(c);
c = *p;
range(*p);
if (c != '\0') {
range(c);
*p++ = '\0';
range(p); // $ range=<=p+2 range===c+1 range=>=p+1
}
if (c != ',') {
return 1;
}
}
return 0;
}
typedef unsigned long long size_type;
size_type test12_helper() {
static size_type n = 0;
return n++;
}
int test12() {
size_type Start = 0;
while (Start <= test12_helper()-1)
{
range(Start); // $ range=>=0
const size_type Length = test12_helper();
Start += Length + 1;
range(Start); // $ range=>=1 range=>=Start+1 range=">=call to test12_helper+1"
}
range(Start); // $ range=>=0
return 1;
}
// Tests for overflow conditions.
int test13(char c, int i) {
unsigned char uc = c;
range(uc);
unsigned int x = 0;
unsigned int y = x-1;
range(y); // $ range===-1
int z = i+1;
range(z); // $ range===i+1
range(c + i + uc + x + y + z); // $ range=>=1 range=">=... - ...+0"
range((double)(c + i + uc + x + y + z)); // $ range=>=1 range=">=... - ...+0"
return (double)(c + i + uc + x + y + z);
}
// Regression test for ODASA-6013.
int test14(int x) {
int x0 = (int)(char)x;
range(x0);
int x1 = (int)(unsigned char)x;
range(x1);
int x2 = (int)(unsigned short)x;
range(x2);
int x3 = (int)(unsigned int)x;
range(x3);
char c0 = x;
range(c0);
unsigned short s0 = x;
range(s0);
range(x0 + x1 + x2 + x3 + c0 + s0);
return x0 + x1 + x2 + x3 + c0 + s0;
}
long long test15(long long x) {
return (x > 0 && (range(x), x == (int)x)) ? // $ range=>=1
(range(x), x) : // $ range=>=1
(range(x), -1);
}
// Tests for unary operators.
int test_unary(int a) {
int total = 0;
if (3 <= a && a <= 11) {
range(a); // $ range=<=11 range=>=3
int b = +a;
range(b); // $ range=<=11 range=>=3
int c = -a;
range(c);
range(b+c); // $ range=<=10 range="<=+ ...:a-1" range=">=- ...+1"
total += b+c;
range(total);
}
if (0 <= a && a <= 11) {
range(a); // $ range=<=11 range=>=0
int b = +a;
range(b); // $ range=<=11 range=>=0
int c = -a;
range(c);
range(b+c); // $ range=<=11 range="<=+ ...:a+0" range=">=- ...+0"
total += b+c;
range(total);
}
if (-7 <= a && a <= 11) {
range(a); // $ range=<=11 range=>=-7
int b = +a;
range(b); // $ range=<=11 range=>=-7
int c = -a;
range(c);
range(b+c);
total += b+c;
range(total);
}
if (-7 <= a && a <= 1) {
range(a); // $ range=<=1 range=>=-7
int b = +a;
range(b); // $ range=<=1 range=>=-7
int c = -a;
range(c);
range(b+c);
total += b+c;
range(total);
}
if (-7 <= a && a <= 0) {
range(a); // $ range=<=0 range=>=-7
int b = +a;
range(b); // $ range=<=0 range=>=-7
int c = -a;
range(c);
range(b+c); // $ range="<=- ...+0" range=">=+ ...:a+0" range=>=-7
total += b+c;
range(total);
}
if (-7 <= a && a <= -2) {
range(a); // $ range=<=-2 range=>=-7
int b = +a;
range(b); // $ range=<=-2 range=>=-7
int c = -a;
range(c);
range(b+c); // $ range="<=- ...-1" range=">=+ ...:a+1" range=>=-6
total += b+c;
range(total);
}
range(total);
return total;
}
// Tests for multiplication.
int test_mult01(int a, int b) {
int total = 0;
if (3 <= a && a <= 11 && 5 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=23 range=>=5
int r = a*b; // 15 .. 253
range(r);
total += r;
range(total); // $ range=>=1
}
if (3 <= a && a <= 11 && 0 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=23 range=>=0
int r = a*b; // 0 .. 253
range(r);
total += r;
range(total); // $ range=>=0 range=>=3+0
}
if (3 <= a && a <= 11 && -13 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=23 range=>=-13
int r = a*b; // -143 .. 253
range(r);
total += r;
range(total);
}
if (3 <= a && a <= 11 && -13 <= b && b <= 0) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=0 range=>=-13
int r = a*b; // -143 .. 0
range(r);
total += r;
range(total); // $ range=<=3+0
}
if (3 <= a && a <= 11 && -13 <= b && b <= -7) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=-7 range=>=-13
int r = a*b; // -143 .. -21
range(r);
total += r;
range(total); // $ range=<=3-1
}
range(total); // $ range=<=3+0
return total;
}
// Tests for multiplication.
int test_mult02(int a, int b) {
int total = 0;
if (0 <= a && a <= 11 && 5 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=0
range(b); // $ range=<=23 range=>=5
int r = a*b; // 0 .. 253
range(r);
total += r;
range(total); // $ range=>=0
}
if (0 <= a && a <= 11 && 0 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=0
range(b); // $ range=<=23 range=>=0
int r = a*b; // 0 .. 253
range(r);
total += r;
range(total); // $ range=>=0 range=>=0+0
}
if (0 <= a && a <= 11 && -13 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=0
range(b); // $ range=<=23 range=>=-13
int r = a*b; // -143 .. 253
range(r);
total += r;
range(total);
}
if (0 <= a && a <= 11 && -13 <= b && b <= 0) {
range(a); // $ range=<=11 range=>=0
range(b); // $ range=<=0 range=>=-13
int r = a*b; // -143 .. 0
range(r);
total += r;
range(total); // $ range=<=0+0
}
if (0 <= a && a <= 11 && -13 <= b && b <= -7) {
range(a); // $ range=<=11 range=>=0
range(b); // $ range=<=-7 range=>=-13
int r = a*b; // -143 .. 0
range(r);
total += r;
range(total); // $ range=<=0+0
}
range(total); // $ range=<=0+0
return total;
}
// Tests for multiplication.
int test_mult03(int a, int b) {
int total = 0;
if (-17 <= a && a <= 11 && 5 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=-17
range(b); // $ range=<=23 range=>=5
int r = a*b; // -391 .. 253
range(r);
total += r;
range(total);
}
if (-17 <= a && a <= 11 && 0 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=-17
range(b); // $ range=<=23 range=>=0
int r = a*b; // -391 .. 253
range(r);
total += r;
range(total);
}
if (-17 <= a && a <= 11 && -13 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=-17
range(b); // $ range=<=23 range=>=-13
int r = a*b; // -391 .. 253
range(r);
total += r;
range(total);
}
if (-17 <= a && a <= 11 && -13 <= b && b <= 0) {
range(a); // $ range=<=11 range=>=-17
range(b); // $ range=<=0 range=>=-13
int r = a*b; // -143 .. 221
range(r);
total += r;
range(total);
}
if (-17 <= a && a <= 11 && -13 <= b && b <= -7) {
range(a); // $ range=<=11 range=>=-17
range(b); // $ range=<=-7 range=>=-13
int r = a*b; // -143 .. 221
range(r);
total += r;
range(total);
}
range(total);
return total;
}
// Tests for multiplication.
int test_mult04(int a, int b) {
int total = 0;
if (-17 <= a && a <= 0 && 5 <= b && b <= 23) {
range(a); // $ range=<=0 range=>=-17
range(b); // $ range=<=23 range=>=5
int r = a*b; // -391 .. 0
total += r;
range(total); // $ range=<=0
}
if (-17 <= a && a <= 0 && 0 <= b && b <= 23) {
range(a); // $ range=<=0 range=>=-17
range(b); // $ range=<=23 range=>=0
int r = a*b; // -391 .. 0
range(r);
total += r;
range(total); // $ range="<=- ...+0" range=<=0
}
if (-17 <= a && a <= 0 && -13 <= b && b <= 23) {
range(a); // $ range=<=0 range=>=-17
range(b); // $ range=<=23 range=>=-13
int r = a*b; // -391 .. 221
range(r);
total += r;
range(total);
}
if (-17 <= a && a <= 0 && -13 <= b && b <= 0) {
range(a); // $ range=<=0 range=>=-17
range(b); // $ range=<=0 range=>=-13
int r = a*b; // 0 .. 221
range(r);
total += r;
range(total); // $ range=">=- ...+0"
}
if (-17 <= a && a <= 0 && -13 <= b && b <= -7) {
range(a); // $ range=<=0 range=>=-17
range(b); // $ range=<=-7 range=>=-13
int r = a*b; // 0 .. 221
range(r);
total += r;
range(total); // $ range=">=- ...+0"
}
range(total); // $ range=">=- ...+0"
return total;
}
// Tests for multiplication.
int test_mult05(int a, int b) {
int total = 0;
if (-17 <= a && a <= -2 && 5 <= b && b <= 23) {
range(a); // $ range=<=-2 range=>=-17
range(b); // $ range=<=23 range=>=5
int r = a*b; // -391 .. -10
range(r);
total += r;
range(total); // $ range=<=-1
}
if (-17 <= a && a <= -2 && 0 <= b && b <= 23) {
range(a); // $ range=<=-2 range=>=-17
range(b); // $ range=<=23 range=>=0
int r = a*b; // -391 .. 0
range(r);
total += r;
range(total); // $ range="<=- ...+0" range=<=0
}
if (-17 <= a && a <= -2 && -13 <= b && b <= 23) {
range(a); // $ range=<=-2 range=>=-17
range(b); // $ range=<=23 range=>=-13
int r = a*b; // -391 .. 221
range(r);
total += r;
range(total);
}
if (-17 <= a && a <= -2 && -13 <= b && b <= 0) {
range(a); // $ range=<=-2 range=>=-17
range(b); // $ range=<=0 range=>=-13
int r = a*b; // 0 .. 221
range(r);
total += r;
range(total); // $ range=">=- ...+0"
}
if (-17 <= a && a <= -2 && -13 <= b && b <= -7) {
range(a); // $ range=<=-2 range=>=-17
range(b); // $ range=<=-7 range=>=-13
int r = a*b; // 14 .. 221
range(r);
total += r;
range(total); // $ range=">=- ...+1"
}
range(total); // $ range=">=- ...+0"
return total;
}
int test16(int x) {
int d, i = 0;
if (x < 0) {
range(x); // $ range=<=-1
return -1;
}
while (i < 3) {
range(i); // $ range=<=2 range=>=0
i++;
range(i); // $ range="==... = ...:i+1" range=<=3 range=>=1
}
range(d);
d = i;
range(d); // $ range===3
if (x < 0) { // Comparison is always false.
range(x); // $ range=<=-1 range=>=0
if (d > -x) { // Unreachable code.
range(d); // $ range===3
range(x); // $ range=<=-1 range=>=0
return 1;
}
range(d); // $ range===3
range(x); // $ range=<=-1 range=>=0
}
range(x); // $ range=>=0
return 0;
}
// Test ternary expression upper bounds.
unsigned int test_ternary01(unsigned int x) {
unsigned int y1, y2, y3, y4, y5, y6, y7, y8;
y1 = x < 100 ?
(range(x), x) : // $ range=<=99
(range(x), 10); // $ range=>=100
range(y1);
y2 = x >= 100 ?
(range(x), 10) : // $ range=>=100
(range(x), x); // $ range=<=99
range(y2);
y3 = 0;
y4 = 0;
y5 = 0;
y6 = 0;
y7 = 0;
y8 = 0;
if (x < 300) {
range(x); // $ range=<=299
y3 = x ?:
(range(x), 5); // y3 < 300
range(y3);
y4 = x ?:
(range(x), 500); // y4 <= 500
range(y4);
y5 = (x+1) ?:
(range(x), 500); // $ range===-1
range(y5); // y5 <= 300
y6 = ((unsigned char)(x+1)) ?:
(range(x), 5); // $ range=<=299
range(y6); // y6 < 256
y7 = ((unsigned char)(x+1)) ?:
(range(x), 500); // $ range=<=299
range(y7); // y7 <= 500
y8 = ((unsigned short)(x+1)) ?:
(range(x), 500); // $ range=<=299
range(y8); // y8 <= 300
}
range(y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8); // $ range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
return y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8;
}
// Test ternary expression lower bounds.
unsigned int test_ternary02(unsigned int x) {
unsigned int y1, y2, y3, y4, y5;
y1 = x > 100 ?
(range(x), x) : // $ range=>=101
(range(x), 110); // $ range=<=100
range(y1); // y1 > 100
y2 = x <= 100 ?
(range(x), 110) : // $ range=<=100
(range(x), x); // $ range=>=101
range(y2); // y2 > 100
y3 = 1000;
y4 = 1000;
y5 = 1000;
if (x >= 300) {
range(x); // $ range=>=300
y3 = (x-300) ?:
(range(x), 5); // $ range===300
range(y3); // y3 >= 0
y4 = (x-200) ?:
(range(x), 5); // $ range=<=200 range=>=300
range(y4); // y4 >= 100
y5 = ((unsigned char)(x-200)) ?:
(range(x), 5); // $ range=>=300
range(y5); // y6 >= 0
}
range(y1 + y2 + y3 + y4 + y5); // $ range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
return y1 + y2 + y3 + y4 + y5;
}
// Test the comma expression.
unsigned int test_comma01(unsigned int x) {
unsigned int y = x < 100 ?
(range(x), x) : // $ range=<=99
(range(x), 100); // $ range=>=100
unsigned int y1;
unsigned int y2;
y1 = (++y, y);
range(y1); // $ range="==... ? ... : ...+1"
y2 = (y++,
range(y), // $ range="==++ ...:... = ...+1" range="==... ? ... : ...+2"
y += 3,
range(y), // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
y);
range(y2); // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
range(y1 + y2); // $ range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6"
return y1 + y2;
}
void test17() {
int i, j;
i = 10;
range(i); // $ range===10
i = 10;
i += 10;
range(i); // $ range===20
i = 40;
i -= 10;
range(i); // $ range===30
i = j = 40;
range(i); // $ range===40
i = (j += 10);
range(i); // $ range===50
i = 20 + (j -= 10);
range(i); // $ range="==... += ...:... = ...+10" range===60
}
// Tests for unsigned multiplication.
int test_unsigned_mult01(unsigned int a, unsigned b) {
int total = 0;
if (3 <= a && a <= 11 && 5 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=23 range=>=5
int r = a*b; // 15 .. 253
range(r);
total += r;
range(total); // $ range=>=1
}
if (3 <= a && a <= 11 && 0 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=23 range=>=0
int r = a*b; // 0 .. 253
range(r);
total += r;
range(total); // $ range=">=(unsigned int)...+0" range=>=0
}
if (3 <= a && a <= 11 && 13 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=23 range=>=13
int r = a*b; // 39 .. 253
range(r);
total += r;
range(total); // $ range=">=(unsigned int)...+1" range=>=1
}
range(total); // $ range=">=(unsigned int)...+0" range=>=0
return total;
}
int test_unsigned_mult02(unsigned b) {
int total = 0;
if (5 <= b && b <= 23) {
range(b); // $ range=<=23 range=>=5
int r = 11*b; // 55 .. 253
range(r);
total += r;
range(total); // $ range=>=1
}
if (0 <= b && b <= 23) {
range(b); // $ range=<=23 range=>=0
int r = 11*b; // 0 .. 253
range(r);
total += r;
range(total); // $ range=">=(unsigned int)...+0" range=>=0
}
if (13 <= b && b <= 23) {
range(b); // $ range=<=23 range=>=13
int r = 11*b; // 143 .. 253
range(r);
total += r;
range(total); // $ range=">=(unsigned int)...+1" range=>=1
}
range(total); // $ range=">=(unsigned int)...+0" range=>=0
return total;
}
unsigned long mult_rounding() {
unsigned long x, y, xy;
x = y = 1000000003UL; // 1e9 + 3
range(y); // $ range===1000000003
range(x); // $ range===1000000003
xy = x * y;
range(xy);
return xy; // BUG: upper bound should be >= 1000000006000000009UL
}
unsigned long mult_overflow() {
unsigned long x, y, xy;
x = 274177UL;
range(x); // $ range===274177
y = 67280421310721UL;
range(y);
xy = x * y;
range(xy);
return xy; // BUG: upper bound should be >= 18446744073709551617UL
}
unsigned long mult_lower_bound(unsigned int ui, unsigned long ul) {
if (ui >= 10) {
range(ui); // $ range=>=10
range((unsigned long)ui); // $ range=>=10
unsigned long result = (unsigned long)ui * ui;
range(result);
return result; // BUG: upper bound should be >= 18446744065119617025
}
if (ul >= 10) {
range(ul); // $ range=>=10
unsigned long result = ul * ul;
range(result);
return result; // BUG: lower bound should be 0 (overflow is possible)
}
return 0;
}
unsigned long mul_assign(unsigned int ui) {
if (ui <= 10 && ui >= 2) {
range(ui); // $ range=<=10 range=>=2
ui *= ui + 0;
range(ui);
return ui; // 4 .. 100
}
unsigned int uiconst = 10;
range(uiconst); // $ range===10
uiconst *= 4;
range(uiconst); // $ range===40
unsigned long ulconst = 10;
range(ulconst); // $ range===10
ulconst *= 4;
range(ulconst); // $ range===40
range(uiconst + ulconst); // $ range=">=... *= ...+1" range=>=41
return uiconst + ulconst; // 40 .. 40 for both
}
int mul_by_constant(int i, int j) {
if (i >= -1 && i <= 2) {
range(i); // $ range=<=2 range=>=-1
i = 5 * i;
range(i); // $ range=<=10 range=>=-5
i = i * -3;
range(i); // -30 .. 15
i *= 7;
range(i); // -210 .. 105
i *= -11;
range(i); // -1155 .. 2310
}
if (i == -1) {
range(i); // $ range===-1
range((int)0xffFFffFF); // $ range===-1
i = i * (int)0xffFFffFF; // fully converted literal is -1
range(i); // 1 .. 1
}
i = i * -1;
range( i); // -2^31 .. 2^31-1
signed char sc = 1;
range(sc); // $ range===1
i = (*&sc *= 2);
range(sc); // $ range===2
range(i); // $ range===2
return 0;
}
int notequal_type_endpoint(unsigned n) {
range(n); // 0 ..
if (n > 0) {
range(n); // $ range=>=1
}
if (n != 0) {
range(n); // 1 ..
} else {
range(n); // 0 .. 0
}
if (!n) {
range(n); // 0 .. 0
} else {
range(n); // 1 ..
}
while (n != 0) {
n--; // 1 ..
}
range(n); // $ range=<=n+0 // 0 .. 0
}
void notequal_refinement(short n) {
if (n < 0) {
range(n);
return;
}
if (n == 0) {
range(n); // 0 .. 0
} else {
range(n); // 1 ..
}
if (n) {
range(n); // 1 ..
} else {
range(n); // 0 .. 0
}
while (n != 0) {
range(n); // $ range=<=n+0
n--; // 1 ..
}
range(n); // $ range=<=n+0 // 0 .. 0
}
void notequal_variations(short n, float f) {
if (n != 0) {
if (n >= 0) {
range(n); // 1 .. [BUG: we can't handle `!=` coming first]
}
}
if (n >= 5) {
if (2 * n - 10 == 0) { // Same as `n == 10/2` (modulo overflow)
range(n);
return;
}
range(n); // 6 ..
}
if (n != -32768 && n != -32767) {
range(n); // -32766 ..
}
if (n >= 0) {
n ? (range(n), n) : (range(n), n); // ? 1.. : 0..0
!n ? (range(n), n) : (range(n), n); // ? 0..0 : 1..
}
}
void two_bounds_from_one_test(short ss, unsigned short us) {
// These tests demonstrate how the range analysis is often able to deduce
// both an upper bound and a lower bound even when there is only one
// inequality in the source. For example `signedInt < 4U` establishes that
// `signedInt >= 0` since if `signedInt` were negative then it would be
// greater than 4 in the unsigned comparison.
if (ss < sizeof(int)) { // Lower bound added in `linearBoundFromGuard`
range(ss); // 0 .. 3
}
if (ss < 0x8001) { // Lower bound removed in `getDefLowerBounds`
range(ss); // -32768 .. 32767
}
if ((short)us >= 0) {
range(us); // 0 .. 32767
}
if ((short)us >= -1) {
range(us); // 0 .. 65535
}
if (ss >= sizeof(int)) { // test is true for negative numbers
range(ss); // -32768 .. 32767
}
if (ss + 1 < sizeof(int)) {
range(ss); // -1 .. 2
}
}
void widen_recursive_expr() {
int s;
for (s = 0; s < 10; s++) {
range(s); // $ range=<=9 range=>=0
int result = s + s;
range(result); // 0 .. 18
}
}
void guard_bound_out_of_range(void) {
int i = 0;
if (i < 0) {
range(i); // unreachable [BUG: is -max .. +max]
}
unsigned int u = 0;
if (u < 0) {
range(u); // unreachable [BUG: is 0 .. +max]
}
}
void test_mod(int s) {
int s2 = s % 5;
range(s2); // $ range=<=4 // -4 .. 4
}
void exit(int);
void guard_with_exit(int x, int y) {
if (x) {
if (y != 0) {
exit(0);
}
}
range(y); // ..
// This test ensures that we correctly identify
// that the upper bound for y is max_int when calling `range(y)`.
}
void test(int x) {
if (x >= 10) {
range(x); // $ range=>=10
return;
}
// The basic below has two predecessors.
label:
range(x); // $ range=<=9
goto label;
}
void test_overflow() {
const int x = 2147483647; // 2^31-1
range(x);
const int y = 256;
range(y);
if ((x + y) <= 512) {
range(x);
range(y);
range(x + y); // $ range===-2147483393
}
}

2
cpp/ql/test/library-tests/ir/range-analysis/test.cpp
View File

@@ -1,4 +1,4 @@
template<typename T> void range(T value);
#include "test_util.h"
int f1(int x, int y) {
if (x < 500) {
if (x > 400) {

1
cpp/ql/test/library-tests/ir/range-analysis/test_util.h Normal file
View File

@@ -0,0 +1 @@
template<typename T> void range(T value);

5
csharp/ql/campaigns/Solorigate/src/ModifiedFnvFunctionDetection.ql
View File

@@ -27,6 +27,5 @@ where
xor2.getAnOperand() = v.getAnAccess()
)
)
select l,
"The variable $@ seems to be used as part of a FNV-like hash calculation, that is modified by an additional $@ expression using literal $@.",
v, v.toString(), additional_xor, "xor", l, l.toString()
select l, "This literal is used in an $@ after an FNV-like hash calculation with variable $@.",
additional_xor, "additional xor", v, v.toString()

4
csharp/ql/campaigns/Solorigate/src/NumberOfKnownCommandsAboveThreshold.ql
View File

@@ -34,5 +34,5 @@ where
total = countSolorigateCommandInEnum(e) and
total > 10
select e,
"The enum $@ may be related to Solorigate. It matches " + total +
" of the values used for commands in the enum.", e, e.getName()
"This enum may be related to Solorigate. It matches " + total +
" of the values used for commands in the enum."

4
csharp/ql/campaigns/Solorigate/src/NumberOfKnownHashesAboveThreshold.ql
View File

@@ -29,5 +29,5 @@ where
isSolorigateHash(l) and
total > threshold
select l,
"The Hash literal $@ may be related to the Solorigate campaign. Total count = " + total +
" is above the threshold " + threshold + ".", l, l.getValue()
"This Hash literal may be related to the Solorigate campaign. Total count = " + total +
" is above the threshold " + threshold + "."

4
csharp/ql/campaigns/Solorigate/src/NumberOfKnownLiteralsAboveThreshold.ql
View File

@@ -29,5 +29,5 @@ where
isSolorigateLiteral(l) and
total > threshold
select l,
"The literal $@ may be related to the Solorigate campaign. Total count = " + total +
" is above the threshold " + threshold + ".", l, l.getValue()
"This literal may be related to the Solorigate campaign. Total count = " + total +
" is above the threshold " + threshold + "."

4
csharp/ql/campaigns/Solorigate/src/NumberOfKnownMethodNamesAboveThreshold.ql
View File

@@ -28,5 +28,5 @@ where
isSolorigateSuspiciousMethodName(m) and
total > threshold
select m,
"The method $@ may be related to Solorigate. Total count = " + total + " is above the threshold " +
threshold + ".", m, m.getName()
"This method may be related to Solorigate. Total count = " + total + " is above the threshold " +
threshold + "."

2
csharp/ql/campaigns/Solorigate/test/Solorigate/ModifiedFnvFunctionDetection.expected
View File

@@ -1 +1 @@
| test.cs:39:16:39:36 | 6605813339339102567 | The variable $@ seems to be used as part of a FNV-like hash calculation, that is modified by an additional $@ expression using literal $@. | test.cs:25:9:25:11 | num | num | test.cs:39:10:39:36 | ... ^ ... | xor | test.cs:39:16:39:36 | 6605813339339102567 | 6605813339339102567 |
| test.cs:39:16:39:36 | 6605813339339102567 | This literal is used in an $@ after a FNV-like hash calculation with variable $@. | test.cs:39:10:39:36 | ... ^ ... | additional xor | test.cs:25:9:25:11 | num | num |

24
csharp/ql/consistency-queries/DataFlowConsistency.ql
View File

@@ -35,13 +35,7 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
override predicate argHasPostUpdateExclude(ArgumentNode n) {
n instanceof SummaryNode
or
n.asExpr().(Expr).stripCasts().getType() =
any(Type t |
not t instanceof RefType and
not t = any(TypeParameter tp | not tp.isValueType())
or
t instanceof NullType
)
not exists(LocalFlow::getAPostUpdateNodeForArg(n.getControlFlowNode()))
or
n instanceof ImplicitCapturedArgumentNode
or
@@ -50,5 +44,21 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
n.asExpr() instanceof CIL::Expr
}
override predicate postHasUniquePreExclude(PostUpdateNode n) {
exists(ControlFlow::Nodes::ExprNode e, ControlFlow::Nodes::ExprNode arg |
e = LocalFlow::getAPostUpdateNodeForArg(arg) and
e != arg and
n = TExprPostUpdateNode(e)
)
}
override predicate uniquePostUpdateExclude(Node n) {
exists(ControlFlow::Nodes::ExprNode e, ControlFlow::Nodes::ExprNode arg |
e = LocalFlow::getAPostUpdateNodeForArg(arg) and
e != arg and
n.asExpr() = arg.getExpr()
)
}
override predicate reverseReadExclude(Node n) { n.asExpr() = any(AwaitExpr ae).getExpr() }
}

50
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
View File

@@ -410,6 +410,34 @@ module LocalFlow {
n instanceof SummaryNode or
n instanceof ImplicitCapturedArgumentNode
}
/**
* Gets a node that may execute last in `n`, and which, when it executes last,
* will be the value of `n`.
*/
private ControlFlow::Nodes::ExprNode getALastEvalNode(ControlFlow::Nodes::ExprNode cfn) {
exists(Expr e | any(LocalExprStepConfiguration x).hasExprPath(_, result, e, cfn) |
e instanceof ConditionalExpr or
e instanceof Cast or
e instanceof NullCoalescingExpr or
e instanceof SwitchExpr or
e instanceof SuppressNullableWarningExpr or
e instanceof AssignExpr
)
}
/** Gets a node for which to construct a post-update node for argument `arg`. */
ControlFlow::Nodes::ExprNode getAPostUpdateNodeForArg(ControlFlow::Nodes::ExprNode arg) {
arg.getExpr() instanceof Argument and
result = getALastEvalNode*(arg) and
exists(Expr e, Type t | result.getExpr() = e and t = e.stripCasts().getType() |
t instanceof RefType and
not t instanceof NullType
or
t = any(TypeParameter tp | not tp.isValueType())
) and
not exists(getALastEvalNode(result))
}
}
/**
@@ -719,14 +747,9 @@ private module Cached {
cfn.getElement().(ObjectCreation).hasInitializer()
} or
TExprPostUpdateNode(ControlFlow::Nodes::ExprNode cfn) {
cfn = LocalFlow::getAPostUpdateNodeForArg(_)
or
exists(Expr e | e = cfn.getExpr() |
exists(Type t | t = e.(Argument).stripCasts().getType() |
t instanceof RefType and
not t instanceof NullType
or
t = any(TypeParameter tp | not tp.isValueType())
)
or
fieldOrPropertyStore(_, _, _, e, true)
or
arrayStore(_, _, e, true)
@@ -1921,7 +1944,18 @@ private module PostUpdateNodes {
ExprPostUpdateNode() { this = TExprPostUpdateNode(cfn) }
override ExprNode getPreUpdateNode() { cfn = result.getControlFlowNode() }
override ExprNode getPreUpdateNode() {
// For compund arguments, such as `m(b ? x : y)`, we want the leaf nodes
// `[post] x` and `[post] y` to have two pre-update nodes: (1) the compund argument,
// `if b then x else y`; and the (2) the underlying expressions; `x` and `y`,
// respectively.
//
// This ensures that we get flow out of the call into both leafs (1), while still
// maintaining the invariant that the underlying expression is a pre-update node (2).
cfn = LocalFlow::getAPostUpdateNodeForArg(result.getControlFlowNode())
or
cfn = result.getControlFlowNode()
}
override DataFlowCallable getEnclosingCallableImpl() {
result.asCallable() = cfn.getEnclosingCallable()

4
csharp/ql/src/API Abuse/ClassDoesNotImplementEquals.ql
View File

@@ -23,9 +23,9 @@ where
exists(MethodCall callToEquals |
callToEquals.getTarget() instanceof EqualsMethod and
callToEquals.getQualifier().getType() = c and
message = "but it is called $@" and
message = "but $@" and
item = callToEquals and
itemText = "here"
itemText = "'Equals' is called on an instance of this class"
)
or
item = c.getAnOperator().(EQOperator) and

2
csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql
View File

@@ -106,4 +106,4 @@ predicate mayNotBeDisposed(LocalScopeDisposableCreation disposable) {
from LocalScopeDisposableCreation disposable
where mayNotBeDisposed(disposable)
select disposable, "Disposable '" + disposable.getType() + "' is created here but is not disposed."
select disposable, "Disposable '" + disposable.getType() + "' is created but not disposed."

2
csharp/ql/src/CSI/NullAlways.ql
View File

@@ -16,4 +16,4 @@ import semmle.code.csharp.dataflow.Nullness
from Dereference d, Ssa::SourceVariable v
where d.isFirstAlwaysNull(v)
select d, "Variable $@ is always null here.", v, v.toString()
select d, "Variable $@ is always null at this dereference.", v, v.toString()

3
csharp/ql/src/CSI/NullMaybe.ql
View File

@@ -19,4 +19,5 @@ import PathGraph
from
Dereference d, PathNode source, PathNode sink, Ssa::SourceVariable v, string msg, Element reason
where d.isFirstMaybeNull(v.getAnSsaDefinition(), source, sink, msg, reason)
select d, source, sink, "Variable $@ may be null here " + msg + ".", v, v.toString(), reason, "this"
select d, source, sink, "Variable $@ may be null at this access " + msg + ".", v, v.toString(),
reason, "this"

2
csharp/ql/src/Concurrency/SynchSetUnsynchGet.ql
View File

@@ -28,4 +28,4 @@ where
readaccess.getEnclosingCallable() = getter and
not exists(LockStmt readlock | readlock.getAChildStmt+().getAChildExpr+() = readaccess)
)
select p, "Field '$@' is guarded by a lock in the setter but not in the getter.", f, f.getName()
select p, "Field $@ is guarded by a lock in the setter but not in the getter.", f, f.getName()

5
csharp/ql/src/Dead Code/NonAssignedFields.ql
View File

@@ -111,6 +111,5 @@ where
fa.getTarget() = g and
g.getUnboundDeclaration() = f
)
select f,
"The field '" + f.getName() + "' is never explicitly assigned a value, yet it is read $@.", fa,
"here"
select f, "The field '" + f.getName() + "' is never explicitly assigned a value, yet $@.", fa,
"the field is read"

2
csharp/ql/src/Dead Code/UnusedField.ql
View File

@@ -19,4 +19,4 @@ where
f.fromSource() and
isDeadField(f) and
not f.getDeclaringType().isPartial()
select f, "Unused field (or field used from dead method only)"
select f, "Unused field (or field used from dead method only)."

2
csharp/ql/src/Dead Code/UnusedMethod.ql
View File

@@ -20,4 +20,4 @@ where
m.fromSource() and
isDeadMethod(m) and
not m.getDeclaringType().isPartial()
select m, "Unused method (or method called from dead method only)"
select m, "Unused method (or method called from dead method only)."

2
csharp/ql/src/Language Abuse/ForeachCapture.ql
View File

@@ -111,5 +111,5 @@ predicate declaredInsideLoop(ForeachStmt loop, LocalVariable v) {
from LambdaDataFlowConfiguration c, AnonymousFunctionExpr lambda, Variable loopVar, Element storage
where c.capturesLoopVarAndIsStoredIn(lambda, loopVar, storage)
select lambda, "Function which may be stored in $@ captures variable $@", storage,
select lambda, "Function which may be stored in $@ captures variable $@.", storage,
storage.toString(), loopVar, loopVar.getName()

4
csharp/ql/src/Language Abuse/UselessIsBeforeAs.ql
View File

@@ -35,5 +35,5 @@ where
uselessIsBeforeAs(ae, ie) and
not exists(MethodCall mc | ae = mc.getAnArgument().getAChildExpr*())
select ae,
"This 'as' expression performs a type test - it should be directly compared against null, rendering the 'is' $@ potentially redundant.",
ie, "here"
"This 'as' expression performs a type test - it should be directly compared against null, rendering the $@ potentially redundant.",
ie, "is"

5
csharp/ql/src/Linq/BadMultipleIteration.ql
View File

@@ -59,6 +59,5 @@ where
va = seq.getAnAccess() and
potentiallyConsumingAccess(va) and
count(VariableAccess x | x = seq.getAnAccess() and potentiallyConsumingAccess(x)) > 1
select seq,
"This enumerable sequence may not be repeatable, but is potentially consumed multiple times $@.",
va, "here"
select seq, "This enumerable sequence may not be repeatable, but $@.", va,
"it is potentially consumed multiple times"

4
csharp/ql/src/Linq/MissedCastOpportunity.ql
View File

@@ -16,5 +16,5 @@ import Linq.Helpers
from ForeachStmt fes, LocalVariableDeclStmt s
where missedCastOpportunity(fes, s)
select fes,
"This foreach loop immediately casts its iteration variable to another type $@ - consider casting the sequence explicitly using '.Cast(...)'.",
s, "here"
"This foreach loop immediately $@ - consider casting the sequence explicitly using '.Cast(...)'.",
s, "casts its iteration variable to another type"

4
csharp/ql/src/Linq/MissedOfTypeOpportunity.ql
View File

@@ -16,5 +16,5 @@ import Linq.Helpers
from ForeachStmt fes, LocalVariableDeclStmt s
where missedOfTypeOpportunity(fes, s)
select fes,
"This foreach loop immediately uses 'as' to coerce its iteration variable to another type $@ - consider using '.OfType(...)' instead.",
s, "here"
"This foreach loop immediately uses 'as' to $@ - consider using '.OfType(...)' instead.", s,
"coerce its iteration variable to another type"

4
csharp/ql/src/Linq/MissedSelectOpportunity.ql
View File

@@ -25,5 +25,5 @@ where
missedSelectOpportunity(fes, s) and
not oversized(s)
select fes,
"This foreach loop immediately maps its iteration variable to another variable $@ - consider mapping the sequence explicitly using '.Select(...)'.",
s, "here"
"This foreach loop immediately $@ - consider mapping the sequence explicitly using '.Select(...)'.",
s, "maps its iteration variable to another variable"

4
csharp/ql/src/Linq/MissedWhereOpportunity.ql
View File

@@ -17,5 +17,5 @@ where
missedWhereOpportunity(fes, is) and
not missedAllOpportunity(fes)
select fes,
"This foreach loop implicitly filters its target sequence $@ - consider filtering the sequence explicitly using '.Where(...)'.",
is.getCondition(), "here"
"This foreach loop $@ - consider filtering the sequence explicitly using '.Where(...)'.",
is.getCondition(), "implicitly filters its target sequence"

4
csharp/ql/src/Security Features/CWE-022/TaintedPath.ql
View File

@@ -20,5 +20,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in a path.", source.getNode(),
"User-provided value"
select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
"user-provided value"

4
csharp/ql/src/Security Features/CWE-078/CommandInjection.ql
View File

@@ -19,5 +19,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in a command.", source.getNode(),
"User-provided value"
select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
"user-provided value"

4
csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql
View File

@@ -24,5 +24,5 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in a command.", source.getNode(),
"Stored user-provided value"
select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
"stored (potentially user-provided) value"

8
csharp/ql/src/Security Features/CWE-079/StoredXSS.ql
View File

@@ -29,8 +29,8 @@ from
where
c.hasFlowPath(source, sink) and
if exists(sink.getNode().(Sink).explanation())
then explanation = ": " + sink.getNode().(Sink).explanation() + "."
else explanation = "."
then explanation = " (" + sink.getNode().(Sink).explanation() + ")"
else explanation = ""
select sink.getNode(), source, sink,
"$@ flows to here and is written to HTML or JavaScript" + explanation, source.getNode(),
"Stored user-provided value"
"This HTML or JavaScript write" + explanation + " depends on a $@.", source.getNode(),
"stored (potentially user-provided) value"

4
csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql
View File

@@ -22,5 +22,5 @@ class StoredTaintTrackingConfiguration extends SqlInjection::TaintTrackingConfig
from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in an SQL query.",
source.getNode(), "Stored user-provided value"
select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(),
"stored user-provided value"

2
csharp/ql/src/Security Features/CWE-089/SqlInjection.ql
View File

@@ -25,5 +25,5 @@ string getSourceType(DataFlow::Node node) {
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Query might include code from $@.", source,
select sink.getNode(), source, sink, "This query depends on $@.", source,
("this " + getSourceType(source.getNode()))

4
csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
View File

@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in an LDAP query.",
source.getNode(), "User-provided value"
select sink.getNode(), source, sink, "This LDAP query depends on a $@.", source.getNode(),
"user-provided value"

4
csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql
View File

@@ -22,5 +22,5 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in an LDAP query.",
source.getNode(), "Stored user-provided value"
select sink.getNode(), source, sink, "This LDAP query depends on a $@.", source.getNode(),
"stored (potentially user-provided) value"

3
csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
View File

@@ -48,4 +48,5 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink, source, sink, "$@ flows to here and is inserted as XML.", source, "User-provided value"
select sink.getNode(), source, sink, "This XML element depends on a $@.", source.getNode(),
"user-provided value"

4
csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
View File

@@ -19,5 +19,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is compiled as code.", source.getNode(),
"User-provided value"
select sink.getNode(), source, sink, "This code compilation depends on a $@.", source.getNode(),
"user-provided value"

4
csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
View File

@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in a resource descriptor.",
source.getNode(), "User-provided value"
select sink.getNode(), source, sink, "This resource descriptor depends on a $@.", source.getNode(),
"user-provided value"

4
csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
View File

@@ -18,5 +18,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to here and is processed as XML without validation because " +
sink.getNode().(Sink).getReason(), source.getNode(), "User-provided value"
"This XML processing depends on a $@ without validation because " +
sink.getNode().(Sink).getReason(), source.getNode(), "user-provided value"

3
csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
View File

@@ -49,5 +49,4 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
from TaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink
where c.hasFlow(source, sink)
select sink, "$@ flows to here and is used as the path to dynamically load an assembly.", source,
"User-provided value"
select sink, "This assembly path depends on a $@.", source, "user-provided value"

4
csharp/ql/src/Security Features/CWE-117/LogForging.ql
View File

@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to log entry.", source.getNode(),
"User-provided value"
select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
"user-provided value"

10
csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
View File

@@ -31,7 +31,13 @@ class FormatStringConfiguration extends TaintTracking::Configuration {
}
}
string getSourceType(DataFlow::Node node) {
result = node.(RemoteFlowSource).getSourceType()
or
result = node.(LocalFlowSource).getSourceType()
}
from FormatStringConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used as a format string.",
source.getNode(), source.getNode().toString()
select sink.getNode(), source, sink, "This format string depends on $@.", source.getNode(),
("this" + getSourceType(source.getNode()))

5
csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
View File

@@ -47,6 +47,5 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
from TaintTrackingConfiguration configuration, DataFlow::PathNode source, DataFlow::PathNode sink
where configuration.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"Sensitive information from $@ flows to here, and is transmitted to the user.", source.getNode(),
source.toString()
select sink.getNode(), source, sink, "This data transmitted to the user depends on $@.",
source.getNode(), "sensitive information"

5
csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
View File

@@ -64,6 +64,5 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"Exception information from $@ flows to here, and is exposed to the user.", source.getNode(),
source.toString()
select sink.getNode(), source, sink, "This information exposed to the user depends on $@.",
source.getNode(), "exception information"

2
csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql
View File

@@ -19,5 +19,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Sensitive data returned by $@ is stored here.",
select sink.getNode(), source, sink, "This stores sensitive data returned by $@ as clear text.",
source.getNode(), source.toString()

4
csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql
View File

@@ -38,5 +38,5 @@ class StringLiteralSource extends KeySource {
from SymmetricKeyTaintTrackingConfiguration keyFlow, KeySource src, SymmetricEncryptionKeySink sink
where keyFlow.hasFlow(src, sink)
select sink, "Hard-coded symmetric $@ is used in symmetric algorithm in " + sink.getDescription(),
src, "key"
select sink, "This hard-coded $@ is used in symmetric algorithm in " + sink.getDescription(), src,
"symmetric key"

2
csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql
View File

@@ -41,4 +41,4 @@ class AddCertToRootStoreConfig extends DataFlow::Configuration {
from DataFlow::PathNode oc, DataFlow::PathNode mc, AddCertToRootStoreConfig config
where config.hasFlowPath(oc, mc)
select mc.getNode(), oc, mc, "Certificate added to the root certificate store."
select mc.getNode(), oc, mc, "This certificate is added to the root certificate store."

5
csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql
View File

@@ -41,5 +41,6 @@ class TaintTrackingConfiguration extends DataFlow::Configuration {
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and does not specify `Encrypt=True`.",
source.getNode(), "Connection string"
select sink.getNode(), source, sink,
"$@ flows to this SQL connection and does not specify `Encrypt=True`.", source.getNode(),
"Connection string"

2
csharp/ql/src/Security Features/CWE-384/AbandonSession.ql
View File

@@ -69,5 +69,5 @@ where
loginMethod(loginMethod, fromLoginFlow) and
sessionUse(sessionUse.getElement()) and
controlStep+(loginCall.getASuccessorByType(fromLoginFlow), sessionUse)
select sessionUse, "This session has not been invalidated following the call to '$@'.", loginCall,
select sessionUse, "This session has not been invalidated following the call to $@.", loginCall,
loginMethod.getName()

4
csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
View File

@@ -19,5 +19,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to here and is loaded insecurely as XML (" + sink.getNode().(Sink).getReason() + ").",
source.getNode(), "User-provided value"
"This insecure XML processing depends on a $@ (" + sink.getNode().(Sink).getReason() + ").",
source.getNode(), "user-provided value"

4
csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql
View File

@@ -22,5 +22,5 @@ class StoredTaintTrackingConfiguration extends XPathInjection::TaintTrackingConf
from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in an XPath expression.",
source.getNode(), "Stored user-provided value"
select sink.getNode(), source, sink, "This XPath expression depends on a $@.", source.getNode(),
"stored (potentially user-provided) value"

4
csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
View File

@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in an XPath expression.",
source.getNode(), "User-provided value"
select sink.getNode(), source, sink, "This XPath expression depends on a $@.", source.getNode(),
"user-provided value"

4
csharp/ql/src/Security Features/CWE-730/ReDoS.ql
View File

@@ -29,5 +29,5 @@ where
sink.getNode() instanceof ExponentialRegexSink
)
select sink.getNode(), source, sink,
"$@ flows to regular expression operation with dangerous regex.", source.getNode(),
"User-provided value"
"This regex operation with dangerous complexity depends on a $@.", source.getNode(),
"user-provided value"

5
csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
View File

@@ -19,6 +19,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode().(Sink).getSensitiveMethodCall(), source, sink,
"Sensitive method may not be executed depending on $@, which flows from $@.", sink.getNode(),
"this condition", source.getNode(), "user input"
select sink.getNode(), source, sink, "This condition guards a sensitive $@, but a $@ controls it.",
sink.getNode().(Sink).getSensitiveMethodCall(), "action", source.getNode(), "user-provided value"

2
csharp/ql/src/Security Features/InsecureRandomness.ql
View File

@@ -117,5 +117,5 @@ from
DataFlow::PathNode sink
where randomTracking.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"Cryptographically insecure random number is generated at $@ and used here in a security context.",
"This uses a cryptographically insecure random number generated at $@ in a security context.",
source.getNode(), source.getNode().toString()

4
csharp/ql/src/change-notes/2022-09-29-alert-messages.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.

4
csharp/ql/src/experimental/CWE-918/RequestForgery.ql
View File

@@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
from RequestForgeryConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in a server side web request.",
source.getNode(), "User-provided value"
select sink.getNode(), source, sink, "The URL of this request depends on a $@.", source.getNode(),
"user-provided value"

4
csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
View File

@@ -175,6 +175,6 @@ where
isPotentialTimeBomb(source, sink, getLastWriteTimeMethodCall, timeArithmeticCall,
timeComparisonCall, selStatement)
select selStatement, source, sink,
"Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger.",
timeComparisonCall, timeComparisonCall.toString(), timeArithmeticCall, "an offset",
"Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger.",
timeComparisonCall, timeComparisonCall.toString(), timeArithmeticCall, "offset",
getLastWriteTimeMethodCall, "last modification time of a file"

2
csharp/ql/test/experimental/CWE-918/RequestForgery.expected
View File

@@ -5,4 +5,4 @@ nodes
| RequestForgery.cs:16:66:16:68 | access to parameter url | semmle.label | access to parameter url |
subpaths
#select
| RequestForgery.cs:16:66:16:68 | access to parameter url | RequestForgery.cs:14:52:14:54 | url : String | RequestForgery.cs:16:66:16:68 | access to parameter url | $@ flows to here and is used in a server side web request. | RequestForgery.cs:14:52:14:54 | url | User-provided value |
| RequestForgery.cs:16:66:16:68 | access to parameter url | RequestForgery.cs:14:52:14:54 | url : String | RequestForgery.cs:16:66:16:68 | access to parameter url | The URL of this request depends on a $@. | RequestForgery.cs:14:52:14:54 | url | user-provided value |

8
csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected
View File

@@ -10,10 +10,10 @@ edges
| test.cs:70:36:70:70 | call to method AddHours : DateTime | test.cs:70:13:70:71 | call to method CompareTo |
| test.cs:70:36:70:70 | call to method AddHours : DateTime | test.cs:70:13:70:71 | call to method CompareTo : Int32 |
#select
| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:71 | call to method CompareTo | Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | an offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:71 | call to method CompareTo : Int32 | Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | an offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:76 | ... >= ... | Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | an offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:76 | ... >= ... : Boolean | Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | an offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:71 | call to method CompareTo | Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:71 | call to method CompareTo : Int32 | Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:76 | ... >= ... | Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
| test.cs:70:9:73:9 | if (...) ... | test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | test.cs:70:13:70:76 | ... >= ... : Boolean | Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:70:13:70:71 | call to method CompareTo | call to method CompareTo | test.cs:70:36:70:70 | call to method AddHours | offset | test.cs:68:34:68:76 | call to method GetLastWriteTime | last modification time of a file |
nodes
| test.cs:68:34:68:76 | call to method GetLastWriteTime : DateTime | semmle.label | call to method GetLastWriteTime : DateTime |
| test.cs:70:13:70:71 | call to method CompareTo | semmle.label | call to method CompareTo |

13
csharp/ql/test/library-tests/dataflow/global/DataFlow.expected
View File

@@ -53,6 +53,19 @@
| GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 |
| GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 |
| GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
| GlobalDataFlow.cs:508:15:508:22 | access to field field |
| GlobalDataFlow.cs:509:15:509:22 | access to field field |
| GlobalDataFlow.cs:515:15:515:22 | access to field field |
| GlobalDataFlow.cs:516:15:516:22 | access to field field |
| GlobalDataFlow.cs:517:15:517:22 | access to field field |
| GlobalDataFlow.cs:526:15:526:21 | access to field field |
| GlobalDataFlow.cs:533:15:533:21 | access to field field |
| GlobalDataFlow.cs:534:15:534:21 | access to field field |
| GlobalDataFlow.cs:548:15:548:21 | access to field field |
| GlobalDataFlow.cs:549:15:549:21 | access to field field |
| GlobalDataFlow.cs:550:15:550:21 | access to field field |
| GlobalDataFlow.cs:556:15:556:22 | access to field field |
| GlobalDataFlow.cs:564:15:564:21 | access to field field |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |

120
csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
View File

@@ -129,7 +129,7 @@ edges
| GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:82:15:82:20 | access to local variable sink13 |
| GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:83:59:83:64 | access to local variable sink13 : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:496:71:496:71 | e [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:570:71:570:71 | e [element] : String |
| GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String |
| GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String |
| GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String |
@@ -262,11 +262,51 @@ edges
| GlobalDataFlow.cs:486:21:486:21 | s : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
| GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | GlobalDataFlow.cs:486:21:486:21 | s : String |
| GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | GlobalDataFlow.cs:483:53:483:55 | arg : String |
| GlobalDataFlow.cs:496:71:496:71 | e [element] : String | GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String |
| GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String | GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String |
| GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String | GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String |
| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String |
| GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 [field field] : String | GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 [field field] : String |
| GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 [field field] : String | GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 [field field] : String |
| GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 [field field] : String | GlobalDataFlow.cs:508:15:508:22 | access to field field |
| GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 [field field] : String | GlobalDataFlow.cs:509:15:509:22 | access to field field |
| GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 [field field] : String | GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 [field field] : String |
| GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 [field field] : String | GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 [field field] : String |
| GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 [field field] : String | GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 [field field] : String |
| GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 [field field] : String | GlobalDataFlow.cs:515:15:515:22 | access to field field |
| GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 [field field] : String | GlobalDataFlow.cs:516:15:516:22 | access to field field |
| GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 [field field] : String | GlobalDataFlow.cs:517:15:517:22 | access to field field |
| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x [field field] : String | GlobalDataFlow.cs:526:15:526:15 | access to local variable x [field field] : String |
| GlobalDataFlow.cs:526:15:526:15 | access to local variable x [field field] : String | GlobalDataFlow.cs:526:15:526:21 | access to field field |
| GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x [field field] : String | GlobalDataFlow.cs:533:15:533:15 | access to parameter x [field field] : String |
| GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y [field field] : String | GlobalDataFlow.cs:534:15:534:15 | access to local variable y [field field] : String |
| GlobalDataFlow.cs:533:15:533:15 | access to parameter x [field field] : String | GlobalDataFlow.cs:533:15:533:21 | access to field field |
| GlobalDataFlow.cs:534:15:534:15 | access to local variable y [field field] : String | GlobalDataFlow.cs:534:15:534:21 | access to field field |
| GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x [field field] : String | GlobalDataFlow.cs:548:15:548:15 | access to local variable x [field field] : String |
| GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y [field field] : String | GlobalDataFlow.cs:549:15:549:15 | access to local variable y [field field] : String |
| GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z [field field] : String | GlobalDataFlow.cs:550:15:550:15 | access to local variable z [field field] : String |
| GlobalDataFlow.cs:548:15:548:15 | access to local variable x [field field] : String | GlobalDataFlow.cs:548:15:548:21 | access to field field |
| GlobalDataFlow.cs:549:15:549:15 | access to local variable y [field field] : String | GlobalDataFlow.cs:549:15:549:21 | access to field field |
| GlobalDataFlow.cs:550:15:550:15 | access to local variable z [field field] : String | GlobalDataFlow.cs:550:15:550:21 | access to field field |
| GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:556:15:556:16 | access to parameter sc [field field] : String |
| GlobalDataFlow.cs:556:15:556:16 | access to parameter sc [field field] : String | GlobalDataFlow.cs:556:15:556:22 | access to field field |
| GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x [field field] : String | GlobalDataFlow.cs:564:15:564:15 | access to local variable x [field field] : String |
| GlobalDataFlow.cs:564:15:564:15 | access to local variable x [field field] : String | GlobalDataFlow.cs:564:15:564:21 | access to field field |
| GlobalDataFlow.cs:570:71:570:71 | e [element] : String | GlobalDataFlow.cs:573:27:573:27 | access to parameter e [element] : String |
| GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String | GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String |
| GlobalDataFlow.cs:573:27:573:27 | access to parameter e [element] : String | GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String |
| Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String |
| Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
@@ -522,11 +562,52 @@ nodes
| GlobalDataFlow.cs:486:32:486:32 | access to parameter s | semmle.label | access to parameter s |
| GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | semmle.label | access to parameter arg : String |
| GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:496:71:496:71 | e [element] : String | semmle.label | e [element] : String |
| GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String | semmle.label | SSA def(x) : String |
| GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String | semmle.label | access to parameter e [element] : String |
| GlobalDataFlow.cs:501:44:501:47 | delegate call : String | semmle.label | delegate call : String |
| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | semmle.label | access to local variable x : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | semmle.label | [post] access to parameter sc [field field] : String |
| GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 [field field] : String | semmle.label | [post] access to local variable x1 [field field] : String |
| GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 [field field] : String | semmle.label | [post] access to local variable x2 [field field] : String |
| GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 [field field] : String | semmle.label | access to local variable x1 [field field] : String |
| GlobalDataFlow.cs:508:15:508:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 [field field] : String | semmle.label | access to local variable x2 [field field] : String |
| GlobalDataFlow.cs:509:15:509:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 [field field] : String | semmle.label | [post] access to local variable y1 [field field] : String |
| GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 [field field] : String | semmle.label | [post] access to local variable y2 [field field] : String |
| GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 [field field] : String | semmle.label | [post] access to local variable y3 [field field] : String |
| GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 [field field] : String | semmle.label | access to local variable y1 [field field] : String |
| GlobalDataFlow.cs:515:15:515:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 [field field] : String | semmle.label | access to local variable y2 [field field] : String |
| GlobalDataFlow.cs:516:15:516:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 [field field] : String | semmle.label | access to local variable y3 [field field] : String |
| GlobalDataFlow.cs:517:15:517:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x [field field] : String | semmle.label | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:526:15:526:15 | access to local variable x [field field] : String | semmle.label | access to local variable x [field field] : String |
| GlobalDataFlow.cs:526:15:526:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x [field field] : String | semmle.label | [post] access to parameter x [field field] : String |
| GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y [field field] : String | semmle.label | [post] access to local variable y [field field] : String |
| GlobalDataFlow.cs:533:15:533:15 | access to parameter x [field field] : String | semmle.label | access to parameter x [field field] : String |
| GlobalDataFlow.cs:533:15:533:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:534:15:534:15 | access to local variable y [field field] : String | semmle.label | access to local variable y [field field] : String |
| GlobalDataFlow.cs:534:15:534:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x [field field] : String | semmle.label | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y [field field] : String | semmle.label | [post] access to local variable y [field field] : String |
| GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z [field field] : String | semmle.label | [post] access to local variable z [field field] : String |
| GlobalDataFlow.cs:548:15:548:15 | access to local variable x [field field] : String | semmle.label | access to local variable x [field field] : String |
| GlobalDataFlow.cs:548:15:548:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:549:15:549:15 | access to local variable y [field field] : String | semmle.label | access to local variable y [field field] : String |
| GlobalDataFlow.cs:549:15:549:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:550:15:550:15 | access to local variable z [field field] : String | semmle.label | access to local variable z [field field] : String |
| GlobalDataFlow.cs:550:15:550:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc [field field] : String | semmle.label | [post] access to parameter sc [field field] : String |
| GlobalDataFlow.cs:556:15:556:16 | access to parameter sc [field field] : String | semmle.label | access to parameter sc [field field] : String |
| GlobalDataFlow.cs:556:15:556:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x [field field] : String | semmle.label | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:564:15:564:15 | access to local variable x [field field] : String | semmle.label | access to local variable x [field field] : String |
| GlobalDataFlow.cs:564:15:564:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:570:71:570:71 | e [element] : String | semmle.label | e [element] : String |
| GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String | semmle.label | SSA def(x) : String |
| GlobalDataFlow.cs:573:27:573:27 | access to parameter e [element] : String | semmle.label | access to parameter e [element] : String |
| GlobalDataFlow.cs:575:44:575:47 | delegate call : String | semmle.label | delegate call : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | semmle.label | access to local variable x : String |
| Splitting.cs:3:28:3:34 | tainted : String | semmle.label | tainted : String |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | semmle.label | [b (line 3): false] call to method Return<String> : String |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | semmle.label | [b (line 3): true] call to method Return<String> : String |
@@ -564,7 +645,7 @@ subpaths
| GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String |
| GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:304:32:304:32 | x : String | GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String |
| GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:310:32:310:32 | x : String | GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:496:71:496:71 | e [element] : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:570:71:570:71 | e [element] : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String |
| GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:138:40:138:40 | x : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String | GlobalDataFlow.cs:139:21:139:34 | delegate call : String |
| GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String |
@@ -572,7 +653,7 @@ subpaths
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:300:27:300:28 | x0 : String | GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String |
| Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String |
@@ -585,6 +666,19 @@ subpaths
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 | access to field SinkField0 |
| GlobalDataFlow.cs:508:15:508:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:508:15:508:22 | access to field field | access to field field |
| GlobalDataFlow.cs:509:15:509:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:509:15:509:22 | access to field field | access to field field |
| GlobalDataFlow.cs:515:15:515:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:515:15:515:22 | access to field field | access to field field |
| GlobalDataFlow.cs:516:15:516:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:516:15:516:22 | access to field field | access to field field |
| GlobalDataFlow.cs:517:15:517:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:517:15:517:22 | access to field field | access to field field |
| GlobalDataFlow.cs:526:15:526:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:526:15:526:21 | access to field field | access to field field |
| GlobalDataFlow.cs:533:15:533:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:533:15:533:21 | access to field field | access to field field |
| GlobalDataFlow.cs:534:15:534:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:534:15:534:21 | access to field field | access to field field |
| GlobalDataFlow.cs:548:15:548:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:548:15:548:21 | access to field field | access to field field |
| GlobalDataFlow.cs:549:15:549:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:549:15:549:21 | access to field field | access to field field |
| GlobalDataFlow.cs:550:15:550:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:550:15:550:21 | access to field field | access to field field |
| GlobalDataFlow.cs:556:15:556:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:556:15:556:22 | access to field field | access to field field |
| GlobalDataFlow.cs:564:15:564:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:564:15:564:21 | access to field field | access to field field |
| Splitting.cs:41:19:41:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s | access to local variable s |
| Splitting.cs:50:19:50:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s | access to local variable s |
| Splitting.cs:52:19:52:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:52:19:52:19 | access to local variable s | access to local variable s |

13
csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected
View File

@@ -158,7 +158,18 @@
| GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait | normal | GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait |
| GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter | normal | GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter |
| GlobalDataFlow.cs:477:22:477:40 | call to method GetResult | normal | GlobalDataFlow.cs:477:22:477:40 | call to method GetResult |
| GlobalDataFlow.cs:501:44:501:47 | delegate call | normal | GlobalDataFlow.cs:501:44:501:47 | delegate call |
| GlobalDataFlow.cs:505:18:505:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:505:18:505:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:506:18:506:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:506:18:506:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:511:18:511:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:511:18:511:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:512:18:512:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:512:18:512:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:513:18:513:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:513:18:513:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:524:17:524:36 | object creation of type SubSimpleClass | normal | GlobalDataFlow.cs:524:17:524:36 | object creation of type SubSimpleClass |
| GlobalDataFlow.cs:531:17:531:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:531:17:531:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:539:17:539:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:539:17:539:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:540:17:540:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:540:17:540:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:541:17:541:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:541:17:541:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:562:17:562:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:562:17:562:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:575:44:575:47 | delegate call | normal | GlobalDataFlow.cs:575:44:575:47 | delegate call |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> | normal | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> | normal | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> |
| Splitting.cs:20:22:20:30 | call to method Return<String> | normal | Splitting.cs:20:22:20:30 | call to method Return<String> |

74
csharp/ql/test/library-tests/dataflow/global/GlobalDataFlow.cs
View File

@@ -489,6 +489,80 @@ public class DataFlow
Inner(_ => { }, b, "taint source");
}
public class SimpleClass
{
public string field = "";
}
private void TaintField(SimpleClass sc)
{
sc.field = "taint source";
}
public void M6(bool b1, bool b2, bool b3)
{
var x1 = new SimpleClass();
var x2 = new SimpleClass();
TaintField(b1 ? x1 : x2);
Check(x1.field);
Check(x2.field);
var y1 = new SimpleClass();
var y2 = new SimpleClass();
var y3 = new SimpleClass();
TaintField(b2 ? (b3 ? y1 : y2) : y3);
Check(y1.field);
Check(y2.field);
Check(y3.field);
}
private class SubSimpleClass : SimpleClass { }
public void M7()
{
var x = new SubSimpleClass();
TaintField((SimpleClass)x);
Check(x.field);
}
public void M8(SimpleClass x)
{
var y = new SimpleClass();
TaintField(x ?? y);
Check(x.field);
Check(y.field);
}
public void M9(string choice)
{
var x = new SimpleClass();
var y = new SimpleClass();
var z = new SimpleClass();
TaintField(choice switch
{
"x" => x,
"y" => y,
_ => z
});
Check(x.field);
Check(y.field);
Check(z.field);
}
public void M10(SimpleClass? sc)
{
TaintField(sc!);
Check(sc.field);
}
public void M11()
{
SimpleClass y = null;
var x = new SimpleClass();
TaintField(y = x);
Check(x.field);
}
}
static class IEnumerableExtensions

13
csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected
View File

@@ -60,6 +60,19 @@
| GlobalDataFlow.cs:466:15:466:20 | access to local variable sink44 |
| GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 |
| GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
| GlobalDataFlow.cs:508:15:508:22 | access to field field |
| GlobalDataFlow.cs:509:15:509:22 | access to field field |
| GlobalDataFlow.cs:515:15:515:22 | access to field field |
| GlobalDataFlow.cs:516:15:516:22 | access to field field |
| GlobalDataFlow.cs:517:15:517:22 | access to field field |
| GlobalDataFlow.cs:526:15:526:21 | access to field field |
| GlobalDataFlow.cs:533:15:533:21 | access to field field |
| GlobalDataFlow.cs:534:15:534:21 | access to field field |
| GlobalDataFlow.cs:548:15:548:21 | access to field field |
| GlobalDataFlow.cs:549:15:549:21 | access to field field |
| GlobalDataFlow.cs:550:15:550:21 | access to field field |
| GlobalDataFlow.cs:556:15:556:22 | access to field field |
| GlobalDataFlow.cs:564:15:564:21 | access to field field |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |

120
csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
View File

@@ -129,7 +129,7 @@ edges
| GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:82:15:82:20 | access to local variable sink13 |
| GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:83:59:83:64 | access to local variable sink13 : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:496:71:496:71 | e [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:570:71:570:71 | e [element] : String |
| GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String | GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String |
| GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } [element] : String |
| GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String |
@@ -288,11 +288,51 @@ edges
| GlobalDataFlow.cs:486:21:486:21 | s : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
| GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | GlobalDataFlow.cs:486:21:486:21 | s : String |
| GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | GlobalDataFlow.cs:483:53:483:55 | arg : String |
| GlobalDataFlow.cs:496:71:496:71 | e [element] : String | GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String |
| GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String | GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String |
| GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String | GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String |
| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String |
| GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 [field field] : String | GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 [field field] : String |
| GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 [field field] : String | GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 [field field] : String |
| GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 [field field] : String | GlobalDataFlow.cs:508:15:508:22 | access to field field |
| GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 [field field] : String | GlobalDataFlow.cs:509:15:509:22 | access to field field |
| GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 [field field] : String | GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 [field field] : String |
| GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 [field field] : String | GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 [field field] : String |
| GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 [field field] : String | GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 [field field] : String |
| GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 [field field] : String | GlobalDataFlow.cs:515:15:515:22 | access to field field |
| GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 [field field] : String | GlobalDataFlow.cs:516:15:516:22 | access to field field |
| GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 [field field] : String | GlobalDataFlow.cs:517:15:517:22 | access to field field |
| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x [field field] : String | GlobalDataFlow.cs:526:15:526:15 | access to local variable x [field field] : String |
| GlobalDataFlow.cs:526:15:526:15 | access to local variable x [field field] : String | GlobalDataFlow.cs:526:15:526:21 | access to field field |
| GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x [field field] : String | GlobalDataFlow.cs:533:15:533:15 | access to parameter x [field field] : String |
| GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y [field field] : String | GlobalDataFlow.cs:534:15:534:15 | access to local variable y [field field] : String |
| GlobalDataFlow.cs:533:15:533:15 | access to parameter x [field field] : String | GlobalDataFlow.cs:533:15:533:21 | access to field field |
| GlobalDataFlow.cs:534:15:534:15 | access to local variable y [field field] : String | GlobalDataFlow.cs:534:15:534:21 | access to field field |
| GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x [field field] : String | GlobalDataFlow.cs:548:15:548:15 | access to local variable x [field field] : String |
| GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y [field field] : String | GlobalDataFlow.cs:549:15:549:15 | access to local variable y [field field] : String |
| GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z [field field] : String | GlobalDataFlow.cs:550:15:550:15 | access to local variable z [field field] : String |
| GlobalDataFlow.cs:548:15:548:15 | access to local variable x [field field] : String | GlobalDataFlow.cs:548:15:548:21 | access to field field |
| GlobalDataFlow.cs:549:15:549:15 | access to local variable y [field field] : String | GlobalDataFlow.cs:549:15:549:21 | access to field field |
| GlobalDataFlow.cs:550:15:550:15 | access to local variable z [field field] : String | GlobalDataFlow.cs:550:15:550:21 | access to field field |
| GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc [field field] : String | GlobalDataFlow.cs:556:15:556:16 | access to parameter sc [field field] : String |
| GlobalDataFlow.cs:556:15:556:16 | access to parameter sc [field field] : String | GlobalDataFlow.cs:556:15:556:22 | access to field field |
| GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x [field field] : String | GlobalDataFlow.cs:564:15:564:15 | access to local variable x [field field] : String |
| GlobalDataFlow.cs:564:15:564:15 | access to local variable x [field field] : String | GlobalDataFlow.cs:564:15:564:21 | access to field field |
| GlobalDataFlow.cs:570:71:570:71 | e [element] : String | GlobalDataFlow.cs:573:27:573:27 | access to parameter e [element] : String |
| GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String | GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String |
| GlobalDataFlow.cs:573:27:573:27 | access to parameter e [element] : String | GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String |
| Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String |
| Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
@@ -576,11 +616,52 @@ nodes
| GlobalDataFlow.cs:486:32:486:32 | access to parameter s | semmle.label | access to parameter s |
| GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | semmle.label | access to parameter arg : String |
| GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:496:71:496:71 | e [element] : String | semmle.label | e [element] : String |
| GlobalDataFlow.cs:499:22:499:22 | SSA def(x) : String | semmle.label | SSA def(x) : String |
| GlobalDataFlow.cs:499:27:499:27 | access to parameter e [element] : String | semmle.label | access to parameter e [element] : String |
| GlobalDataFlow.cs:501:44:501:47 | delegate call : String | semmle.label | delegate call : String |
| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | semmle.label | access to local variable x : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc [field field] : String | semmle.label | [post] access to parameter sc [field field] : String |
| GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 [field field] : String | semmle.label | [post] access to local variable x1 [field field] : String |
| GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 [field field] : String | semmle.label | [post] access to local variable x2 [field field] : String |
| GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 [field field] : String | semmle.label | access to local variable x1 [field field] : String |
| GlobalDataFlow.cs:508:15:508:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 [field field] : String | semmle.label | access to local variable x2 [field field] : String |
| GlobalDataFlow.cs:509:15:509:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 [field field] : String | semmle.label | [post] access to local variable y1 [field field] : String |
| GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 [field field] : String | semmle.label | [post] access to local variable y2 [field field] : String |
| GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 [field field] : String | semmle.label | [post] access to local variable y3 [field field] : String |
| GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 [field field] : String | semmle.label | access to local variable y1 [field field] : String |
| GlobalDataFlow.cs:515:15:515:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 [field field] : String | semmle.label | access to local variable y2 [field field] : String |
| GlobalDataFlow.cs:516:15:516:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 [field field] : String | semmle.label | access to local variable y3 [field field] : String |
| GlobalDataFlow.cs:517:15:517:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x [field field] : String | semmle.label | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:526:15:526:15 | access to local variable x [field field] : String | semmle.label | access to local variable x [field field] : String |
| GlobalDataFlow.cs:526:15:526:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x [field field] : String | semmle.label | [post] access to parameter x [field field] : String |
| GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y [field field] : String | semmle.label | [post] access to local variable y [field field] : String |
| GlobalDataFlow.cs:533:15:533:15 | access to parameter x [field field] : String | semmle.label | access to parameter x [field field] : String |
| GlobalDataFlow.cs:533:15:533:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:534:15:534:15 | access to local variable y [field field] : String | semmle.label | access to local variable y [field field] : String |
| GlobalDataFlow.cs:534:15:534:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x [field field] : String | semmle.label | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y [field field] : String | semmle.label | [post] access to local variable y [field field] : String |
| GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z [field field] : String | semmle.label | [post] access to local variable z [field field] : String |
| GlobalDataFlow.cs:548:15:548:15 | access to local variable x [field field] : String | semmle.label | access to local variable x [field field] : String |
| GlobalDataFlow.cs:548:15:548:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:549:15:549:15 | access to local variable y [field field] : String | semmle.label | access to local variable y [field field] : String |
| GlobalDataFlow.cs:549:15:549:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:550:15:550:15 | access to local variable z [field field] : String | semmle.label | access to local variable z [field field] : String |
| GlobalDataFlow.cs:550:15:550:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc [field field] : String | semmle.label | [post] access to parameter sc [field field] : String |
| GlobalDataFlow.cs:556:15:556:16 | access to parameter sc [field field] : String | semmle.label | access to parameter sc [field field] : String |
| GlobalDataFlow.cs:556:15:556:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x [field field] : String | semmle.label | [post] access to local variable x [field field] : String |
| GlobalDataFlow.cs:564:15:564:15 | access to local variable x [field field] : String | semmle.label | access to local variable x [field field] : String |
| GlobalDataFlow.cs:564:15:564:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:570:71:570:71 | e [element] : String | semmle.label | e [element] : String |
| GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String | semmle.label | SSA def(x) : String |
| GlobalDataFlow.cs:573:27:573:27 | access to parameter e [element] : String | semmle.label | access to parameter e [element] : String |
| GlobalDataFlow.cs:575:44:575:47 | delegate call : String | semmle.label | delegate call : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | semmle.label | access to local variable x : String |
| Splitting.cs:3:28:3:34 | tainted : String | semmle.label | tainted : String |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | semmle.label | [b (line 3): false] call to method Return<String> : String |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | semmle.label | [b (line 3): true] call to method Return<String> : String |
@@ -618,7 +699,7 @@ subpaths
| GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String |
| GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:304:32:304:32 | x : String | GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String |
| GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:310:32:310:32 | x : String | GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:496:71:496:71 | e [element] : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... [element] : String | GlobalDataFlow.cs:570:71:570:71 | e [element] : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> [element] : String |
| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String |
| GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:138:40:138:40 | x : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String | GlobalDataFlow.cs:139:21:139:34 | delegate call : String |
| GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String |
@@ -627,7 +708,7 @@ subpaths
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:300:27:300:28 | x0 : String | GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:446:64:446:64 | s : String | GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb [element] : String | GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb [element] : String |
| GlobalDataFlow.cs:501:46:501:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:501:44:501:47 | delegate call : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String |
| Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String |
@@ -697,6 +778,19 @@ subpaths
| GlobalDataFlow.cs:466:15:466:20 | access to local variable sink44 | GlobalDataFlow.cs:465:51:465:64 | "taint source" : String | GlobalDataFlow.cs:466:15:466:20 | access to local variable sink44 | access to local variable sink44 |
| GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 | GlobalDataFlow.cs:474:35:474:48 | "taint source" : String | GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 | access to local variable sink45 |
| GlobalDataFlow.cs:486:32:486:32 | access to parameter s | GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s | access to parameter s |
| GlobalDataFlow.cs:508:15:508:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:508:15:508:22 | access to field field | access to field field |
| GlobalDataFlow.cs:509:15:509:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:509:15:509:22 | access to field field | access to field field |
| GlobalDataFlow.cs:515:15:515:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:515:15:515:22 | access to field field | access to field field |
| GlobalDataFlow.cs:516:15:516:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:516:15:516:22 | access to field field | access to field field |
| GlobalDataFlow.cs:517:15:517:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:517:15:517:22 | access to field field | access to field field |
| GlobalDataFlow.cs:526:15:526:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:526:15:526:21 | access to field field | access to field field |
| GlobalDataFlow.cs:533:15:533:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:533:15:533:21 | access to field field | access to field field |
| GlobalDataFlow.cs:534:15:534:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:534:15:534:21 | access to field field | access to field field |
| GlobalDataFlow.cs:548:15:548:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:548:15:548:21 | access to field field | access to field field |
| GlobalDataFlow.cs:549:15:549:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:549:15:549:21 | access to field field | access to field field |
| GlobalDataFlow.cs:550:15:550:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:550:15:550:21 | access to field field | access to field field |
| GlobalDataFlow.cs:556:15:556:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:556:15:556:22 | access to field field | access to field field |
| GlobalDataFlow.cs:564:15:564:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:564:15:564:21 | access to field field | access to field field |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |

1
csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected
View File

@@ -760,6 +760,7 @@
| Splitting.cs:39:15:39:15 | [b (line 32): true] access to parameter b | Splitting.cs:42:13:42:13 | [b (line 32): true] access to parameter b |
| Splitting.cs:39:19:39:19 | [b (line 32): true] access to local variable x | Splitting.cs:39:15:39:25 | [b (line 32): true] ... ? ... : ... |
| Splitting.cs:39:19:39:19 | [b (line 32): true] access to local variable x | Splitting.cs:40:23:40:23 | [b (line 32): true] access to local variable x |
| Splitting.cs:39:19:39:19 | [post] [b (line 32): true] access to local variable x | Splitting.cs:40:23:40:23 | [b (line 32): true] access to local variable x |
| Splitting.cs:39:23:39:25 | [b (line 32): false] "c" | Splitting.cs:39:15:39:25 | [b (line 32): false] ... ? ... : ... |
| Splitting.cs:40:23:40:23 | [b (line 32): false] access to local variable x | Splitting.cs:40:15:40:23 | [b (line 32): false] (...) ... |
| Splitting.cs:40:23:40:23 | [b (line 32): true] access to local variable x | Splitting.cs:40:15:40:23 | [b (line 32): true] (...) ... |

1
csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected
View File

@@ -889,6 +889,7 @@
| Splitting.cs:39:15:39:15 | [b (line 32): true] access to parameter b | Splitting.cs:42:13:42:13 | [b (line 32): true] access to parameter b |
| Splitting.cs:39:19:39:19 | [b (line 32): true] access to local variable x | Splitting.cs:39:15:39:25 | [b (line 32): true] ... ? ... : ... |
| Splitting.cs:39:19:39:19 | [b (line 32): true] access to local variable x | Splitting.cs:40:23:40:23 | [b (line 32): true] access to local variable x |
| Splitting.cs:39:19:39:19 | [post] [b (line 32): true] access to local variable x | Splitting.cs:40:23:40:23 | [b (line 32): true] access to local variable x |
| Splitting.cs:39:23:39:25 | [b (line 32): false] "c" | Splitting.cs:39:15:39:25 | [b (line 32): false] ... ? ... : ... |
| Splitting.cs:40:23:40:23 | [b (line 32): false] access to local variable x | Splitting.cs:40:15:40:23 | [b (line 32): false] (...) ... |
| Splitting.cs:40:23:40:23 | [b (line 32): true] access to local variable x | Splitting.cs:40:15:40:23 | [b (line 32): true] (...) ... |

4
csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEquals.expected
View File

@@ -1,5 +1,5 @@
| ClassDoesNotImplementEquals.cs:4:7:4:15 | Incorrect | Class 'Incorrect' does not implement Equals(object), but it implements $@. | ClassDoesNotImplementEquals.cs:6:33:6:34 | == | operator == |
| ClassDoesNotImplementEquals.cs:24:7:24:24 | IncorrectOverrides | Class 'IncorrectOverrides' does not implement Equals(object), but $@. | ClassDoesNotImplementEquals.cs:42:17:42:53 | call to method Equals | 'Equals' is called on an instance of this class |
| ClassDoesNotImplementEquals.cs:24:7:24:24 | IncorrectOverrides | Class 'IncorrectOverrides' does not implement Equals(object), but it implements $@. | ClassDoesNotImplementEquals.cs:26:33:26:34 | == | operator == |
| ClassDoesNotImplementEquals.cs:24:7:24:24 | IncorrectOverrides | Class 'IncorrectOverrides' does not implement Equals(object), but it is called $@. | ClassDoesNotImplementEquals.cs:42:17:42:53 | call to method Equals | here |
| ClassDoesNotImplementEquals.cs:50:7:50:17 | MyEquatable | Class 'MyEquatable' does not implement Equals(object), but it implements $@. | ClassDoesNotImplementEquals.cs:52:17:52:22 | Equals | IEquatable<MyEquatable>.Equals |
| ClassDoesNotImplementEqualsBad.cs:24:11:24:21 | GasolineCar | Class 'GasolineCar' does not implement Equals(object), but it is called $@. | ClassDoesNotImplementEqualsBad.cs:38:38:38:54 | call to method Equals | here |
| ClassDoesNotImplementEqualsBad.cs:24:11:24:21 | GasolineCar | Class 'GasolineCar' does not implement Equals(object), but $@. | ClassDoesNotImplementEqualsBad.cs:38:38:38:54 | call to method Equals | 'Equals' is called on an instance of this class |

10
csharp/ql/test/query-tests/API Abuse/NoDisposeCallOnLocalIDisposable/NoDisposeCallOnLocalIDisposable.expected
View File

@@ -1,5 +1,5 @@
| NoDisposeCallOnLocalIDisposable.cs:50:19:50:38 | object creation of type Timer | Disposable 'Timer' is created here but is not disposed. |
| NoDisposeCallOnLocalIDisposable.cs:51:18:51:73 | object creation of type FileStream | Disposable 'FileStream' is created here but is not disposed. |
| NoDisposeCallOnLocalIDisposable.cs:52:9:52:64 | object creation of type FileStream | Disposable 'FileStream' is created here but is not disposed. |
| NoDisposeCallOnLocalIDisposable.cs:74:25:74:71 | call to method Create | Disposable 'XmlReader' is created here but is not disposed. |
| NoDisposeCallOnLocalIDisposableBad.cs:8:22:8:56 | object creation of type FileStream | Disposable 'FileStream' is created here but is not disposed. |
| NoDisposeCallOnLocalIDisposable.cs:50:19:50:38 | object creation of type Timer | Disposable 'Timer' is created but not disposed. |
| NoDisposeCallOnLocalIDisposable.cs:51:18:51:73 | object creation of type FileStream | Disposable 'FileStream' is created but not disposed. |
| NoDisposeCallOnLocalIDisposable.cs:52:9:52:64 | object creation of type FileStream | Disposable 'FileStream' is created but not disposed. |
| NoDisposeCallOnLocalIDisposable.cs:74:25:74:71 | call to method Create | Disposable 'XmlReader' is created but not disposed. |
| NoDisposeCallOnLocalIDisposableBad.cs:8:22:8:56 | object creation of type FileStream | Disposable 'FileStream' is created but not disposed. |

4
csharp/ql/test/query-tests/Concurrency/SynchSetUnsynchGet/SynchSetUnsynchGet.expected
View File

@@ -1,2 +1,2 @@
| SynchSetUnsynchGet.cs:9:9:9:20 | BadProperty1 | Field '$@' is guarded by a lock in the setter but not in the getter. | SynchSetUnsynchGet.cs:5:9:5:17 | property1 | property1 |
| SynchSetUnsynchGet.cs:23:9:23:20 | BadProperty2 | Field '$@' is guarded by a lock in the setter but not in the getter. | SynchSetUnsynchGet.cs:5:9:5:17 | property1 | property1 |
| SynchSetUnsynchGet.cs:9:9:9:20 | BadProperty1 | Field $@ is guarded by a lock in the setter but not in the getter. | SynchSetUnsynchGet.cs:5:9:5:17 | property1 | property1 |
| SynchSetUnsynchGet.cs:23:9:23:20 | BadProperty2 | Field $@ is guarded by a lock in the setter but not in the getter. | SynchSetUnsynchGet.cs:5:9:5:17 | property1 | property1 |

4
csharp/ql/test/query-tests/Dead Code/NonAssignedFields/NonAssignedFields.expected
View File

@@ -1,2 +1,2 @@
| NonAssignedFields.cs:87:9:87:22 | BadNonAssigned | The field 'BadNonAssigned' is never explicitly assigned a value, yet it is read $@. | NonAssignedFields.cs:109:20:109:33 | access to field BadNonAssigned | here |
| NonAssignedFields.cs:88:12:88:26 | BadAssignedNull | The field 'BadAssignedNull' is never explicitly assigned a value, yet it is read $@. | NonAssignedFields.cs:113:13:113:27 | access to field BadAssignedNull | here |
| NonAssignedFields.cs:87:9:87:22 | BadNonAssigned | The field 'BadNonAssigned' is never explicitly assigned a value, yet $@. | NonAssignedFields.cs:109:20:109:33 | access to field BadNonAssigned | the field is read |
| NonAssignedFields.cs:88:12:88:26 | BadAssignedNull | The field 'BadAssignedNull' is never explicitly assigned a value, yet $@. | NonAssignedFields.cs:113:13:113:27 | access to field BadAssignedNull | the field is read |

10
csharp/ql/test/query-tests/Dead Code/Tests/UnusedField.expected
View File

@@ -1,5 +1,5 @@
| deadcode.cs:85:7:85:11 | Field | Unused field (or field used from dead method only) |
| regression.cs:7:20:7:23 | dead | Unused field (or field used from dead method only) |
| regression.cs:113:9:113:17 | deadField | Unused field (or field used from dead method only) |
| regression.cs:116:9:116:24 | deadWrittenField | Unused field (or field used from dead method only) |
| regression.cs:129:9:129:17 | deadField | Unused field (or field used from dead method only) |
| deadcode.cs:85:7:85:11 | Field | Unused field (or field used from dead method only). |
| regression.cs:7:20:7:23 | dead | Unused field (or field used from dead method only). |
| regression.cs:113:9:113:17 | deadField | Unused field (or field used from dead method only). |
| regression.cs:116:9:116:24 | deadWrittenField | Unused field (or field used from dead method only). |
| regression.cs:129:9:129:17 | deadField | Unused field (or field used from dead method only). |

12
csharp/ql/test/query-tests/Dead Code/Tests/UnusedMethod.expected
View File

@@ -1,6 +1,6 @@
| regression.cs:51:18:51:33 | ActualDeadMethod | Unused method (or method called from dead method only) |
| regression.cs:60:18:60:37 | NotDynamicallyCalled | Unused method (or method called from dead method only) |
| regression.cs:77:10:77:19 | DeadCaller | Unused method (or method called from dead method only) |
| regression.cs:84:10:84:23 | DeadGeneric<> | Unused method (or method called from dead method only) |
| regression.cs:105:10:105:21 | DeadGeneric1 | Unused method (or method called from dead method only) |
| regression.cs:110:10:110:24 | DeadGeneric2<> | Unused method (or method called from dead method only) |
| regression.cs:51:18:51:33 | ActualDeadMethod | Unused method (or method called from dead method only). |
| regression.cs:60:18:60:37 | NotDynamicallyCalled | Unused method (or method called from dead method only). |
| regression.cs:77:10:77:19 | DeadCaller | Unused method (or method called from dead method only). |
| regression.cs:84:10:84:23 | DeadGeneric<> | Unused method (or method called from dead method only). |
| regression.cs:105:10:105:21 | DeadGeneric1 | Unused method (or method called from dead method only). |
| regression.cs:110:10:110:24 | DeadGeneric2<> | Unused method (or method called from dead method only). |

4
csharp/ql/test/query-tests/Language Abuse/ForeachCapture/ForeachCapture.expected
View File

@@ -1,2 +1,2 @@
| ForeachCapture.cs:14:23:14:31 | (...) => ... | Function which may be stored in $@ captures variable $@ | ForeachCapture.cs:7:22:7:27 | event1 | event1 | ForeachCapture.cs:11:22:11:24 | arg | arg |
| ForeachCapture.cs:24:30:24:38 | (...) => ... | Function which may be stored in $@ captures variable $@ | ForeachCapture.cs:41:22:41:28 | actions | actions | ForeachCapture.cs:11:22:11:24 | arg | arg |
| ForeachCapture.cs:14:23:14:31 | (...) => ... | Function which may be stored in $@ captures variable $@. | ForeachCapture.cs:7:22:7:27 | event1 | event1 | ForeachCapture.cs:11:22:11:24 | arg | arg |
| ForeachCapture.cs:24:30:24:38 | (...) => ... | Function which may be stored in $@ captures variable $@. | ForeachCapture.cs:41:22:41:28 | actions | actions | ForeachCapture.cs:11:22:11:24 | arg | arg |

2
csharp/ql/test/query-tests/Language Abuse/UselessIsBeforeAs/UselessIsBeforeAs.expected
View File

@@ -1 +1 @@
| UselessIsBeforeAs.cs:8:21:8:31 | ... as ... | This 'as' expression performs a type test - it should be directly compared against null, rendering the 'is' $@ potentially redundant. | UselessIsBeforeAs.cs:5:13:5:23 | ... is ... | here |
| UselessIsBeforeAs.cs:8:21:8:31 | ... as ... | This 'as' expression performs a type test - it should be directly compared against null, rendering the $@ potentially redundant. | UselessIsBeforeAs.cs:5:13:5:23 | ... is ... | is |

84
csharp/ql/test/query-tests/Nullness/NullAlways.expected
View File

@@ -1,42 +1,42 @@
| A.cs:8:15:8:32 | access to local variable synchronizedAlways | Variable $@ is always null here. | A.cs:7:16:7:33 | synchronizedAlways | synchronizedAlways |
| A.cs:17:9:17:17 | access to local variable arrayNull | Variable $@ is always null here. | A.cs:16:15:16:23 | arrayNull | arrayNull |
| A.cs:31:27:31:37 | access to local variable arrayAccess | Variable $@ is always null here. | A.cs:26:15:26:25 | arrayAccess | arrayAccess |
| A.cs:32:27:32:37 | access to local variable fieldAccess | Variable $@ is always null here. | A.cs:27:18:27:28 | fieldAccess | fieldAccess |
| A.cs:33:28:33:39 | access to local variable methodAccess | Variable $@ is always null here. | A.cs:28:16:28:27 | methodAccess | methodAccess |
| A.cs:34:27:34:36 | access to local variable methodCall | Variable $@ is always null here. | A.cs:29:16:29:25 | methodCall | methodCall |
| A.cs:50:9:50:14 | access to local variable varRef | Variable $@ is always null here. | A.cs:48:16:48:21 | varRef | varRef |
| Assert.cs:15:27:15:27 | access to local variable s | Variable $@ is always null here. | Assert.cs:9:16:9:16 | s | s |
| Assert.cs:23:27:23:27 | access to local variable s | Variable $@ is always null here. | Assert.cs:9:16:9:16 | s | s |
| Assert.cs:31:27:31:27 | access to local variable s | Variable $@ is always null here. | Assert.cs:9:16:9:16 | s | s |
| Assert.cs:47:27:47:27 | access to local variable s | Variable $@ is always null here. | Assert.cs:9:16:9:16 | s | s |
| Assert.cs:51:27:51:27 | access to local variable s | Variable $@ is always null here. | Assert.cs:9:16:9:16 | s | s |
| B.cs:13:13:13:24 | access to local variable eqCallAlways | Variable $@ is always null here. | B.cs:7:11:7:22 | eqCallAlways | eqCallAlways |
| B.cs:24:13:24:25 | access to local variable neqCallAlways | Variable $@ is always null here. | B.cs:10:11:10:23 | neqCallAlways | neqCallAlways |
| C.cs:18:13:18:13 | access to local variable o | Variable $@ is always null here. | C.cs:10:16:10:16 | o | o |
| C.cs:42:9:42:9 | access to local variable s | Variable $@ is always null here. | C.cs:40:13:40:13 | s | s |
| C.cs:57:9:57:10 | access to local variable o2 | Variable $@ is always null here. | C.cs:55:13:55:14 | o2 | o2 |
| C.cs:162:13:162:13 | access to local variable s | Variable $@ is always null here. | C.cs:151:13:151:13 | s | s |
| C.cs:170:13:170:13 | access to local variable s | Variable $@ is always null here. | C.cs:151:13:151:13 | s | s |
| C.cs:196:13:196:13 | access to local variable s | Variable $@ is always null here. | C.cs:185:13:185:13 | s | s |
| C.cs:218:13:218:13 | access to local variable s | Variable $@ is always null here. | C.cs:210:13:210:13 | s | s |
| C.cs:233:9:233:9 | access to local variable s | Variable $@ is always null here. | C.cs:228:16:228:16 | s | s |
| C.cs:237:13:237:13 | access to local variable s | Variable $@ is always null here. | C.cs:228:16:228:16 | s | s |
| C.cs:249:9:249:9 | access to local variable a | Variable $@ is always null here. | C.cs:248:15:248:15 | a | a |
| C.cs:260:9:260:10 | access to local variable ia | Variable $@ is always null here. | C.cs:257:15:257:16 | ia | ia |
| C.cs:261:20:261:21 | access to local variable sa | Variable $@ is always null here. | C.cs:258:18:258:19 | sa | sa |
| D.cs:120:13:120:13 | access to local variable x | Variable $@ is always null here. | D.cs:117:13:117:13 | x | x |
| D.cs:197:13:197:13 | access to local variable o | Variable $@ is always null here. | D.cs:195:13:195:13 | o | o |
| D.cs:207:17:207:17 | access to local variable e | Variable $@ is always null here. | D.cs:204:26:204:26 | e | e |
| D.cs:217:13:217:14 | access to local variable o3 | Variable $@ is always null here. | D.cs:215:13:215:14 | o3 | o3 |
| D.cs:222:13:222:14 | access to local variable o4 | Variable $@ is always null here. | D.cs:220:13:220:14 | o4 | o4 |
| D.cs:385:13:385:15 | access to local variable ioe | Variable $@ is always null here. | D.cs:378:19:378:21 | ioe | ioe |
| E.cs:210:16:210:16 | access to parameter s | Variable $@ is always null here. | E.cs:206:28:206:28 | s | s |
| E.cs:220:13:220:13 | access to local variable x | Variable $@ is always null here. | E.cs:215:13:215:13 | x | x |
| E.cs:229:13:229:13 | access to local variable x | Variable $@ is always null here. | E.cs:225:13:225:13 | x | x |
| E.cs:323:13:323:14 | access to parameter s1 | Variable $@ is always null here. | E.cs:319:29:319:30 | s1 | s1 |
| E.cs:324:13:324:14 | access to parameter s2 | Variable $@ is always null here. | E.cs:319:40:319:41 | s2 | s2 |
| E.cs:331:9:331:9 | access to local variable x | Variable $@ is always null here. | E.cs:330:13:330:13 | x | x |
| E.cs:405:16:405:16 | access to local variable i | Variable $@ is always null here. | E.cs:403:14:403:14 | i | i |
| Forwarding.cs:36:31:36:31 | access to local variable s | Variable $@ is always null here. | Forwarding.cs:7:16:7:16 | s | s |
| Forwarding.cs:40:27:40:27 | access to local variable s | Variable $@ is always null here. | Forwarding.cs:7:16:7:16 | s | s |
| NullAlwaysBad.cs:9:30:9:30 | access to parameter s | Variable $@ is always null here. | NullAlwaysBad.cs:7:29:7:29 | s | s |
| A.cs:8:15:8:32 | access to local variable synchronizedAlways | Variable $@ is always null at this dereference. | A.cs:7:16:7:33 | synchronizedAlways | synchronizedAlways |
| A.cs:17:9:17:17 | access to local variable arrayNull | Variable $@ is always null at this dereference. | A.cs:16:15:16:23 | arrayNull | arrayNull |
| A.cs:31:27:31:37 | access to local variable arrayAccess | Variable $@ is always null at this dereference. | A.cs:26:15:26:25 | arrayAccess | arrayAccess |
| A.cs:32:27:32:37 | access to local variable fieldAccess | Variable $@ is always null at this dereference. | A.cs:27:18:27:28 | fieldAccess | fieldAccess |
| A.cs:33:28:33:39 | access to local variable methodAccess | Variable $@ is always null at this dereference. | A.cs:28:16:28:27 | methodAccess | methodAccess |
| A.cs:34:27:34:36 | access to local variable methodCall | Variable $@ is always null at this dereference. | A.cs:29:16:29:25 | methodCall | methodCall |
| A.cs:50:9:50:14 | access to local variable varRef | Variable $@ is always null at this dereference. | A.cs:48:16:48:21 | varRef | varRef |
| Assert.cs:15:27:15:27 | access to local variable s | Variable $@ is always null at this dereference. | Assert.cs:9:16:9:16 | s | s |
| Assert.cs:23:27:23:27 | access to local variable s | Variable $@ is always null at this dereference. | Assert.cs:9:16:9:16 | s | s |
| Assert.cs:31:27:31:27 | access to local variable s | Variable $@ is always null at this dereference. | Assert.cs:9:16:9:16 | s | s |
| Assert.cs:47:27:47:27 | access to local variable s | Variable $@ is always null at this dereference. | Assert.cs:9:16:9:16 | s | s |
| Assert.cs:51:27:51:27 | access to local variable s | Variable $@ is always null at this dereference. | Assert.cs:9:16:9:16 | s | s |
| B.cs:13:13:13:24 | access to local variable eqCallAlways | Variable $@ is always null at this dereference. | B.cs:7:11:7:22 | eqCallAlways | eqCallAlways |
| B.cs:24:13:24:25 | access to local variable neqCallAlways | Variable $@ is always null at this dereference. | B.cs:10:11:10:23 | neqCallAlways | neqCallAlways |
| C.cs:18:13:18:13 | access to local variable o | Variable $@ is always null at this dereference. | C.cs:10:16:10:16 | o | o |
| C.cs:42:9:42:9 | access to local variable s | Variable $@ is always null at this dereference. | C.cs:40:13:40:13 | s | s |
| C.cs:57:9:57:10 | access to local variable o2 | Variable $@ is always null at this dereference. | C.cs:55:13:55:14 | o2 | o2 |
| C.cs:162:13:162:13 | access to local variable s | Variable $@ is always null at this dereference. | C.cs:151:13:151:13 | s | s |
| C.cs:170:13:170:13 | access to local variable s | Variable $@ is always null at this dereference. | C.cs:151:13:151:13 | s | s |
| C.cs:196:13:196:13 | access to local variable s | Variable $@ is always null at this dereference. | C.cs:185:13:185:13 | s | s |
| C.cs:218:13:218:13 | access to local variable s | Variable $@ is always null at this dereference. | C.cs:210:13:210:13 | s | s |
| C.cs:233:9:233:9 | access to local variable s | Variable $@ is always null at this dereference. | C.cs:228:16:228:16 | s | s |
| C.cs:237:13:237:13 | access to local variable s | Variable $@ is always null at this dereference. | C.cs:228:16:228:16 | s | s |
| C.cs:249:9:249:9 | access to local variable a | Variable $@ is always null at this dereference. | C.cs:248:15:248:15 | a | a |
| C.cs:260:9:260:10 | access to local variable ia | Variable $@ is always null at this dereference. | C.cs:257:15:257:16 | ia | ia |
| C.cs:261:20:261:21 | access to local variable sa | Variable $@ is always null at this dereference. | C.cs:258:18:258:19 | sa | sa |
| D.cs:120:13:120:13 | access to local variable x | Variable $@ is always null at this dereference. | D.cs:117:13:117:13 | x | x |
| D.cs:197:13:197:13 | access to local variable o | Variable $@ is always null at this dereference. | D.cs:195:13:195:13 | o | o |
| D.cs:207:17:207:17 | access to local variable e | Variable $@ is always null at this dereference. | D.cs:204:26:204:26 | e | e |
| D.cs:217:13:217:14 | access to local variable o3 | Variable $@ is always null at this dereference. | D.cs:215:13:215:14 | o3 | o3 |
| D.cs:222:13:222:14 | access to local variable o4 | Variable $@ is always null at this dereference. | D.cs:220:13:220:14 | o4 | o4 |
| D.cs:385:13:385:15 | access to local variable ioe | Variable $@ is always null at this dereference. | D.cs:378:19:378:21 | ioe | ioe |
| E.cs:210:16:210:16 | access to parameter s | Variable $@ is always null at this dereference. | E.cs:206:28:206:28 | s | s |
| E.cs:220:13:220:13 | access to local variable x | Variable $@ is always null at this dereference. | E.cs:215:13:215:13 | x | x |
| E.cs:229:13:229:13 | access to local variable x | Variable $@ is always null at this dereference. | E.cs:225:13:225:13 | x | x |
| E.cs:323:13:323:14 | access to parameter s1 | Variable $@ is always null at this dereference. | E.cs:319:29:319:30 | s1 | s1 |
| E.cs:324:13:324:14 | access to parameter s2 | Variable $@ is always null at this dereference. | E.cs:319:40:319:41 | s2 | s2 |
| E.cs:331:9:331:9 | access to local variable x | Variable $@ is always null at this dereference. | E.cs:330:13:330:13 | x | x |
| E.cs:405:16:405:16 | access to local variable i | Variable $@ is always null at this dereference. | E.cs:403:14:403:14 | i | i |
| Forwarding.cs:36:31:36:31 | access to local variable s | Variable $@ is always null at this dereference. | Forwarding.cs:7:16:7:16 | s | s |
| Forwarding.cs:40:27:40:27 | access to local variable s | Variable $@ is always null at this dereference. | Forwarding.cs:7:16:7:16 | s | s |
| NullAlwaysBad.cs:9:30:9:30 | access to parameter s | Variable $@ is always null at this dereference. | NullAlwaysBad.cs:7:29:7:29 | s | s |

170
csharp/ql/test/query-tests/Nullness/NullMaybe.expected
View File

@@ -829,88 +829,88 @@ edges
| StringConcatenation.cs:14:16:14:23 | SSA def(s) | StringConcatenation.cs:15:16:15:16 | access to local variable s |
| StringConcatenation.cs:15:16:15:16 | access to local variable s | StringConcatenation.cs:16:17:16:17 | access to local variable s |
#select
| C.cs:64:9:64:10 | access to local variable o1 | C.cs:62:13:62:46 | SSA def(o1) | C.cs:64:9:64:10 | access to local variable o1 | Variable $@ may be null here because of $@ assignment. | C.cs:62:13:62:14 | o1 | o1 | C.cs:62:13:62:46 | Object o1 = ... | this |
| C.cs:68:9:68:10 | access to local variable o2 | C.cs:66:13:66:46 | SSA def(o2) | C.cs:68:9:68:10 | access to local variable o2 | Variable $@ may be null here because of $@ assignment. | C.cs:66:13:66:14 | o2 | o2 | C.cs:66:13:66:46 | Object o2 = ... | this |
| C.cs:95:15:95:15 | access to local variable o | C.cs:94:13:94:45 | SSA def(o) | C.cs:95:15:95:15 | access to local variable o | Variable $@ may be null here because of $@ assignment. | C.cs:94:13:94:13 | o | o | C.cs:94:13:94:45 | Object o = ... | this |
| C.cs:103:27:103:30 | access to parameter list | C.cs:102:13:102:23 | SSA def(list) | C.cs:103:27:103:30 | access to parameter list | Variable $@ may be null here because of $@ assignment. | C.cs:99:42:99:45 | list | list | C.cs:102:13:102:23 | ... = ... | this |
| C.cs:177:13:177:13 | access to local variable s | C.cs:178:13:178:20 | SSA def(s) | C.cs:177:13:177:13 | access to local variable s | Variable $@ may be null here because of $@ assignment. | C.cs:151:13:151:13 | s | s | C.cs:178:13:178:20 | ... = ... | this |
| C.cs:203:13:203:13 | access to local variable s | C.cs:204:13:204:20 | SSA def(s) | C.cs:203:13:203:13 | access to local variable s | Variable $@ may be null here because of $@ assignment. | C.cs:185:13:185:13 | s | s | C.cs:204:13:204:20 | ... = ... | this |
| C.cs:223:9:223:9 | access to local variable s | C.cs:222:13:222:20 | SSA def(s) | C.cs:223:9:223:9 | access to local variable s | Variable $@ may be null here because of $@ assignment. | C.cs:210:13:210:13 | s | s | C.cs:222:13:222:20 | ... = ... | this |
| C.cs:242:13:242:13 | access to local variable s | C.cs:240:24:240:31 | SSA def(s) | C.cs:242:13:242:13 | access to local variable s | Variable $@ may be null here because of $@ assignment. | C.cs:228:16:228:16 | s | s | C.cs:240:24:240:31 | ... = ... | this |
| D.cs:23:9:23:13 | access to parameter param | D.cs:17:17:17:20 | null | D.cs:23:9:23:13 | access to parameter param | Variable $@ may be null here because of $@ null argument. | D.cs:21:32:21:36 | param | param | D.cs:17:17:17:20 | null | this |
| D.cs:32:9:32:13 | access to parameter param | D.cs:26:32:26:36 | SSA param(param) | D.cs:32:9:32:13 | access to parameter param | Variable $@ may be null here as suggested by $@ null check. | D.cs:26:32:26:36 | param | param | D.cs:28:13:28:25 | ... != ... | this |
| D.cs:62:13:62:14 | access to local variable o5 | D.cs:58:13:58:41 | SSA def(o5) | D.cs:62:13:62:14 | access to local variable o5 | Variable $@ may be null here because of $@ assignment. | D.cs:58:13:58:14 | o5 | o5 | D.cs:58:13:58:41 | String o5 = ... | this |
| D.cs:73:13:73:14 | access to local variable o7 | D.cs:68:13:68:34 | SSA def(o7) | D.cs:73:13:73:14 | access to local variable o7 | Variable $@ may be null here because of $@ assignment. | D.cs:68:13:68:14 | o7 | o7 | D.cs:68:13:68:34 | String o7 = ... | this |
| D.cs:82:13:82:14 | access to local variable o8 | D.cs:75:13:75:34 | SSA def(o8) | D.cs:82:13:82:14 | access to local variable o8 | Variable $@ may be null here because of $@ assignment. | D.cs:75:13:75:14 | o8 | o8 | D.cs:75:13:75:34 | String o8 = ... | this |
| D.cs:84:13:84:14 | access to local variable o8 | D.cs:75:13:75:34 | SSA def(o8) | D.cs:84:13:84:14 | access to local variable o8 | Variable $@ may be null here because of $@ assignment. | D.cs:75:13:75:14 | o8 | o8 | D.cs:75:13:75:34 | String o8 = ... | this |
| D.cs:91:13:91:14 | access to local variable xs | D.cs:89:15:89:44 | SSA def(xs) | D.cs:91:13:91:14 | access to local variable xs | Variable $@ may be null here because of $@ assignment. | D.cs:89:15:89:16 | xs | xs | D.cs:89:15:89:44 | Int32[] xs = ... | this |
| D.cs:94:21:94:22 | access to local variable xs | D.cs:89:15:89:44 | SSA def(xs) | D.cs:94:21:94:22 | access to local variable xs | Variable $@ may be null here because of $@ assignment. | D.cs:89:15:89:16 | xs | xs | D.cs:89:15:89:44 | Int32[] xs = ... | this |
| D.cs:98:21:98:22 | access to local variable xs | D.cs:89:15:89:44 | SSA def(xs) | D.cs:98:21:98:22 | access to local variable xs | Variable $@ may be null here because of $@ assignment. | D.cs:89:15:89:16 | xs | xs | D.cs:89:15:89:44 | Int32[] xs = ... | this |
| D.cs:102:31:102:32 | access to local variable xs | D.cs:89:15:89:44 | SSA def(xs) | D.cs:102:31:102:32 | access to local variable xs | Variable $@ may be null here because of $@ assignment. | D.cs:89:15:89:16 | xs | xs | D.cs:89:15:89:44 | Int32[] xs = ... | this |
| D.cs:105:19:105:20 | access to local variable xs | D.cs:89:15:89:44 | SSA def(xs) | D.cs:105:19:105:20 | access to local variable xs | Variable $@ may be null here because of $@ assignment. | D.cs:89:15:89:16 | xs | xs | D.cs:89:15:89:44 | Int32[] xs = ... | this |
| D.cs:134:24:134:24 | access to parameter a | D.cs:125:35:125:35 | SSA param(a) | D.cs:134:24:134:24 | access to parameter a | Variable $@ may be null here as suggested by $@ null check. | D.cs:125:35:125:35 | a | a | D.cs:127:20:127:28 | ... == ... | this |
| D.cs:134:24:134:24 | access to parameter a | D.cs:125:35:125:35 | SSA param(a) | D.cs:134:24:134:24 | access to parameter a | Variable $@ may be null here as suggested by $@ null check. | D.cs:125:35:125:35 | a | a | D.cs:139:13:139:21 | ... != ... | this |
| D.cs:135:24:135:24 | access to parameter b | D.cs:125:44:125:44 | SSA param(b) | D.cs:135:24:135:24 | access to parameter b | Variable $@ may be null here as suggested by $@ null check. | D.cs:125:44:125:44 | b | b | D.cs:128:20:128:28 | ... == ... | this |
| D.cs:145:20:145:20 | access to parameter a | D.cs:125:35:125:35 | SSA param(a) | D.cs:145:20:145:20 | access to parameter a | Variable $@ may be null here as suggested by $@ null check. | D.cs:125:35:125:35 | a | a | D.cs:127:20:127:28 | ... == ... | this |
| D.cs:145:20:145:20 | access to parameter a | D.cs:125:35:125:35 | SSA param(a) | D.cs:145:20:145:20 | access to parameter a | Variable $@ may be null here as suggested by $@ null check. | D.cs:125:35:125:35 | a | a | D.cs:139:13:139:21 | ... != ... | this |
| D.cs:151:9:151:11 | access to parameter obj | D.cs:149:36:149:38 | SSA param(obj) | D.cs:151:9:151:11 | access to parameter obj | Variable $@ may be null here as suggested by $@ null check. | D.cs:149:36:149:38 | obj | obj | D.cs:152:17:152:27 | ... != ... | this |
| D.cs:171:9:171:11 | access to local variable obj | D.cs:163:16:163:25 | SSA def(obj) | D.cs:171:9:171:11 | access to local variable obj | Variable $@ may be null here because of $@ assignment. | D.cs:163:16:163:18 | obj | obj | D.cs:163:16:163:25 | Object obj = ... | this |
| D.cs:245:13:245:13 | access to local variable o | D.cs:240:9:240:16 | SSA def(o) | D.cs:245:13:245:13 | access to local variable o | Variable $@ may be null here because of $@ assignment. | D.cs:228:16:228:16 | o | o | D.cs:240:9:240:16 | ... = ... | this |
| D.cs:247:13:247:13 | access to local variable o | D.cs:240:9:240:16 | SSA def(o) | D.cs:247:13:247:13 | access to local variable o | Variable $@ may be null here because of $@ assignment. | D.cs:228:16:228:16 | o | o | D.cs:240:9:240:16 | ... = ... | this |
| D.cs:253:13:253:14 | access to local variable o2 | D.cs:249:13:249:38 | SSA def(o2) | D.cs:253:13:253:14 | access to local variable o2 | Variable $@ may be null here because of $@ assignment. | D.cs:249:13:249:14 | o2 | o2 | D.cs:249:13:249:38 | String o2 = ... | this |
| D.cs:267:13:267:13 | access to local variable o | D.cs:258:16:258:23 | SSA def(o) | D.cs:267:13:267:13 | access to local variable o | Variable $@ may be null here because of $@ assignment. | D.cs:258:16:258:16 | o | o | D.cs:258:16:258:23 | Object o = ... | this |
| D.cs:291:13:291:13 | access to local variable o | D.cs:269:9:269:16 | SSA def(o) | D.cs:291:13:291:13 | access to local variable o | Variable $@ may be null here because of $@ assignment. | D.cs:258:16:258:16 | o | o | D.cs:269:9:269:16 | ... = ... | this |
| D.cs:291:13:291:13 | access to local variable o | D.cs:283:17:283:24 | SSA def(o) | D.cs:291:13:291:13 | access to local variable o | Variable $@ may be null here because of $@ assignment. | D.cs:258:16:258:16 | o | o | D.cs:283:17:283:24 | ... = ... | this |
| D.cs:294:13:294:13 | access to local variable o | D.cs:269:9:269:16 | SSA def(o) | D.cs:294:13:294:13 | access to local variable o | Variable $@ may be null here because of $@ assignment. | D.cs:258:16:258:16 | o | o | D.cs:269:9:269:16 | ... = ... | this |
| D.cs:294:13:294:13 | access to local variable o | D.cs:283:17:283:24 | SSA def(o) | D.cs:294:13:294:13 | access to local variable o | Variable $@ may be null here because of $@ assignment. | D.cs:258:16:258:16 | o | o | D.cs:283:17:283:24 | ... = ... | this |
| D.cs:300:17:300:20 | access to local variable prev | D.cs:296:16:296:26 | SSA def(prev) | D.cs:300:17:300:20 | access to local variable prev | Variable $@ may be null here because of $@ assignment. | D.cs:296:16:296:19 | prev | prev | D.cs:296:16:296:26 | Object prev = ... | this |
| D.cs:313:17:313:17 | access to local variable s | D.cs:304:16:304:23 | SSA def(s) | D.cs:313:17:313:17 | access to local variable s | Variable $@ may be null here because of $@ assignment. | D.cs:304:16:304:16 | s | s | D.cs:304:16:304:23 | String s = ... | this |
| D.cs:324:9:324:9 | access to local variable r | D.cs:316:16:316:23 | SSA def(r) | D.cs:324:9:324:9 | access to local variable r | Variable $@ may be null here because of $@ assignment. | D.cs:316:16:316:16 | r | r | D.cs:316:16:316:23 | Object r = ... | this |
| D.cs:356:13:356:13 | access to local variable a | D.cs:351:15:351:22 | SSA def(a) | D.cs:356:13:356:13 | access to local variable a | Variable $@ may be null here because of $@ assignment. | D.cs:351:15:351:15 | a | a | D.cs:351:15:351:22 | Int32[] a = ... | this |
| D.cs:363:13:363:16 | access to local variable last | D.cs:360:20:360:30 | SSA def(last) | D.cs:363:13:363:16 | access to local variable last | Variable $@ may be null here because of $@ assignment. | D.cs:360:20:360:23 | last | last | D.cs:360:20:360:30 | String last = ... | this |
| D.cs:372:13:372:13 | access to local variable b | D.cs:366:15:366:47 | SSA def(b) | D.cs:372:13:372:13 | access to local variable b | Variable $@ may be null here because of $@ assignment. | D.cs:366:15:366:15 | b | b | D.cs:366:15:366:47 | Int32[] b = ... | this |
| D.cs:395:20:395:20 | access to parameter a | D.cs:388:36:388:36 | SSA param(a) | D.cs:395:20:395:20 | access to parameter a | Variable $@ may be null here as suggested by $@ null check. | D.cs:388:36:388:36 | a | a | D.cs:390:20:390:28 | ... == ... | this |
| D.cs:400:20:400:20 | access to parameter b | D.cs:388:45:388:45 | SSA param(b) | D.cs:400:20:400:20 | access to parameter b | Variable $@ may be null here as suggested by $@ null check. | D.cs:388:45:388:45 | b | b | D.cs:397:20:397:28 | ... == ... | this |
| D.cs:410:13:410:13 | access to parameter y | D.cs:405:45:405:45 | SSA param(y) | D.cs:410:13:410:13 | access to parameter y | Variable $@ may be null here as suggested by $@ null check. | D.cs:405:45:405:45 | y | y | D.cs:407:27:407:35 | ... == ... | this |
| D.cs:410:13:410:13 | access to parameter y | D.cs:405:45:405:45 | SSA param(y) | D.cs:410:13:410:13 | access to parameter y | Variable $@ may be null here as suggested by $@ null check. | D.cs:405:45:405:45 | y | y | D.cs:407:55:407:63 | ... != ... | this |
| D.cs:410:13:410:13 | access to parameter y | D.cs:405:45:405:45 | SSA param(y) | D.cs:410:13:410:13 | access to parameter y | Variable $@ may be null here as suggested by $@ null check. | D.cs:405:45:405:45 | y | y | D.cs:411:13:411:21 | ... != ... | this |
| D.cs:412:13:412:13 | access to parameter x | D.cs:405:35:405:35 | SSA param(x) | D.cs:412:13:412:13 | access to parameter x | Variable $@ may be null here as suggested by $@ null check. | D.cs:405:35:405:35 | x | x | D.cs:407:14:407:22 | ... != ... | this |
| D.cs:412:13:412:13 | access to parameter x | D.cs:405:35:405:35 | SSA param(x) | D.cs:412:13:412:13 | access to parameter x | Variable $@ may be null here as suggested by $@ null check. | D.cs:405:35:405:35 | x | x | D.cs:407:42:407:50 | ... == ... | this |
| D.cs:412:13:412:13 | access to parameter x | D.cs:405:35:405:35 | SSA param(x) | D.cs:412:13:412:13 | access to parameter x | Variable $@ may be null here as suggested by $@ null check. | D.cs:405:35:405:35 | x | x | D.cs:409:13:409:21 | ... != ... | this |
| E.cs:12:38:12:39 | access to local variable a2 | E.cs:9:18:9:26 | SSA def(a2) | E.cs:12:38:12:39 | access to local variable a2 | Variable $@ may be null here because of $@ assignment. | E.cs:9:18:9:19 | a2 | a2 | E.cs:9:18:9:26 | Int64[][] a2 = ... | this |
| E.cs:14:13:14:14 | access to local variable a3 | E.cs:11:16:11:24 | SSA def(a3) | E.cs:14:13:14:14 | access to local variable a3 | Variable $@ may be null here because of $@ assignment. | E.cs:11:16:11:17 | a3 | a3 | E.cs:11:16:11:24 | Int64[] a3 = ... | this |
| E.cs:27:13:27:14 | access to local variable s1 | E.cs:23:13:23:30 | SSA def(s1) | E.cs:27:13:27:14 | access to local variable s1 | Variable $@ may be null here because of $@ assignment. | E.cs:19:13:19:14 | s1 | s1 | E.cs:23:13:23:30 | ... = ... | this |
| E.cs:61:13:61:17 | access to local variable slice | E.cs:51:22:51:33 | SSA def(slice) | E.cs:61:13:61:17 | access to local variable slice | Variable $@ may be null here because of $@ assignment. | E.cs:51:22:51:26 | slice | slice | E.cs:51:22:51:33 | List<String> slice = ... | this |
| E.cs:73:13:73:15 | access to parameter arr | E.cs:66:40:66:42 | SSA param(arr) | E.cs:73:13:73:15 | access to parameter arr | Variable $@ may be null here as suggested by $@ null check. | E.cs:66:40:66:42 | arr | arr | E.cs:70:22:70:32 | ... == ... | this |
| E.cs:112:13:112:16 | access to local variable arr2 | E.cs:107:15:107:25 | SSA def(arr2) | E.cs:112:13:112:16 | access to local variable arr2 | Variable $@ may be null here because of $@ assignment. | E.cs:107:15:107:18 | arr2 | arr2 | E.cs:107:15:107:25 | Int32[] arr2 = ... | this |
| E.cs:125:33:125:35 | access to local variable obj | E.cs:137:25:137:34 | SSA def(obj) | E.cs:125:33:125:35 | access to local variable obj | Variable $@ may be null here because of $@ assignment. | E.cs:119:13:119:15 | obj | obj | E.cs:137:25:137:34 | ... = ... | this |
| E.cs:159:13:159:16 | access to local variable obj2 | E.cs:152:16:152:26 | SSA def(obj2) | E.cs:159:13:159:16 | access to local variable obj2 | Variable $@ may be null here as suggested by $@ null check. | E.cs:152:16:152:19 | obj2 | obj2 | E.cs:153:13:153:24 | ... != ... | this |
| E.cs:167:21:167:21 | access to parameter a | E.cs:162:28:162:28 | SSA param(a) | E.cs:167:21:167:21 | access to parameter a | Variable $@ may be null here as suggested by $@ null check. | E.cs:162:28:162:28 | a | a | E.cs:164:17:164:25 | ... == ... | this |
| E.cs:178:13:178:15 | access to parameter obj | E.cs:173:29:173:31 | SSA param(obj) | E.cs:178:13:178:15 | access to parameter obj | Variable $@ may be null here as suggested by $@ null check. | E.cs:173:29:173:31 | obj | obj | E.cs:175:19:175:29 | ... == ... | this |
| E.cs:178:13:178:15 | access to parameter obj | E.cs:173:29:173:31 | SSA param(obj) | E.cs:178:13:178:15 | access to parameter obj | Variable $@ may be null here as suggested by $@ null check. | E.cs:173:29:173:31 | obj | obj | E.cs:180:13:180:23 | ... == ... | this |
| E.cs:186:13:186:15 | access to parameter obj | E.cs:173:29:173:31 | SSA param(obj) | E.cs:186:13:186:15 | access to parameter obj | Variable $@ may be null here as suggested by $@ null check. | E.cs:173:29:173:31 | obj | obj | E.cs:175:19:175:29 | ... == ... | this |
| E.cs:186:13:186:15 | access to parameter obj | E.cs:173:29:173:31 | SSA param(obj) | E.cs:186:13:186:15 | access to parameter obj | Variable $@ may be null here as suggested by $@ null check. | E.cs:173:29:173:31 | obj | obj | E.cs:180:13:180:23 | ... == ... | this |
| E.cs:192:17:192:17 | access to parameter o | E.cs:190:29:190:29 | SSA param(o) | E.cs:192:17:192:17 | access to parameter o | Variable $@ may be null here as suggested by $@ null check. | E.cs:190:29:190:29 | o | o | E.cs:193:17:193:17 | access to parameter o | this |
| E.cs:201:13:201:13 | access to local variable o | E.cs:198:13:198:29 | [b (line 196): true] SSA def(o) | E.cs:201:13:201:13 | access to local variable o | Variable $@ may be null here because of $@ assignment. | E.cs:198:13:198:13 | o | o | E.cs:198:13:198:29 | String o = ... | this |
| E.cs:203:13:203:13 | access to local variable o | E.cs:198:13:198:29 | [b (line 196): false] SSA def(o) | E.cs:203:13:203:13 | access to local variable o | Variable $@ may be null here because of $@ assignment. | E.cs:198:13:198:13 | o | o | E.cs:198:13:198:29 | String o = ... | this |
| E.cs:218:9:218:9 | access to local variable x | E.cs:217:13:217:20 | [b (line 213): true] SSA def(x) | E.cs:218:9:218:9 | access to local variable x | Variable $@ may be null here because of $@ assignment. | E.cs:215:13:215:13 | x | x | E.cs:217:13:217:20 | ... = ... | this |
| E.cs:230:9:230:9 | access to local variable x | E.cs:227:13:227:20 | [b (line 223): true] SSA def(x) | E.cs:230:9:230:9 | access to local variable x | Variable $@ may be null here because of $@ assignment. | E.cs:225:13:225:13 | x | x | E.cs:227:13:227:20 | ... = ... | this |
| E.cs:235:16:235:16 | access to parameter i | E.cs:233:26:233:26 | SSA param(i) | E.cs:235:16:235:16 | access to parameter i | Variable $@ may be null here because it has a nullable type. | E.cs:233:26:233:26 | i | i | E.cs:233:26:233:26 | i | this |
| E.cs:240:21:240:21 | access to parameter i | E.cs:238:26:238:26 | SSA param(i) | E.cs:240:21:240:21 | access to parameter i | Variable $@ may be null here because it has a nullable type. | E.cs:238:26:238:26 | i | i | E.cs:238:26:238:26 | i | this |
| E.cs:285:9:285:9 | access to local variable o | E.cs:283:13:283:22 | [b (line 279): false] SSA def(o) | E.cs:285:9:285:9 | access to local variable o | Variable $@ may be null here as suggested by $@ null check. | E.cs:283:13:283:13 | o | o | E.cs:284:9:284:9 | access to local variable o | this |
| E.cs:285:9:285:9 | access to local variable o | E.cs:283:13:283:22 | [b (line 279): true] SSA def(o) | E.cs:285:9:285:9 | access to local variable o | Variable $@ may be null here as suggested by $@ null check. | E.cs:283:13:283:13 | o | o | E.cs:284:9:284:9 | access to local variable o | this |
| E.cs:302:9:302:9 | access to local variable s | E.cs:301:13:301:27 | SSA def(s) | E.cs:302:9:302:9 | access to local variable s | Variable $@ may be null here because of $@ assignment. | E.cs:301:13:301:13 | s | s | E.cs:301:13:301:27 | String s = ... | this |
| E.cs:343:9:343:9 | access to local variable x | E.cs:342:13:342:32 | SSA def(x) | E.cs:343:9:343:9 | access to local variable x | Variable $@ may be null here because of $@ assignment. | E.cs:342:13:342:13 | x | x | E.cs:342:13:342:32 | String x = ... | this |
| E.cs:349:9:349:9 | access to local variable x | E.cs:348:17:348:36 | SSA def(x) | E.cs:349:9:349:9 | access to local variable x | Variable $@ may be null here because of $@ assignment. | E.cs:348:17:348:17 | x | x | E.cs:348:17:348:36 | dynamic x = ... | this |
| E.cs:366:41:366:41 | access to parameter s | E.cs:366:28:366:28 | SSA param(s) | E.cs:366:41:366:41 | access to parameter s | Variable $@ may be null here because the parameter has a null default value. | E.cs:366:28:366:28 | s | s | E.cs:366:32:366:35 | null | this |
| E.cs:375:20:375:20 | access to local variable s | E.cs:374:17:374:31 | SSA def(s) | E.cs:375:20:375:20 | access to local variable s | Variable $@ may be null here because of $@ assignment. | E.cs:374:17:374:17 | s | s | E.cs:374:17:374:31 | String s = ... | this |
| E.cs:386:16:386:17 | access to parameter e1 | E.cs:380:24:380:25 | SSA param(e1) | E.cs:386:16:386:17 | access to parameter e1 | Variable $@ may be null here as suggested by $@ null check. | E.cs:380:24:380:25 | e1 | e1 | E.cs:382:14:382:23 | ... == ... | this |
| E.cs:386:16:386:17 | access to parameter e1 | E.cs:380:24:380:25 | SSA param(e1) | E.cs:386:16:386:17 | access to parameter e1 | Variable $@ may be null here as suggested by $@ null check. | E.cs:380:24:380:25 | e1 | e1 | E.cs:382:44:382:53 | ... != ... | this |
| E.cs:386:16:386:17 | access to parameter e1 | E.cs:380:24:380:25 | SSA param(e1) | E.cs:386:16:386:17 | access to parameter e1 | Variable $@ may be null here as suggested by $@ null check. | E.cs:380:24:380:25 | e1 | e1 | E.cs:384:13:384:22 | ... == ... | this |
| E.cs:386:27:386:28 | access to parameter e2 | E.cs:380:30:380:31 | SSA param(e2) | E.cs:386:27:386:28 | access to parameter e2 | Variable $@ may be null here as suggested by $@ null check. | E.cs:380:30:380:31 | e2 | e2 | E.cs:382:28:382:37 | ... != ... | this |
| E.cs:386:27:386:28 | access to parameter e2 | E.cs:380:30:380:31 | SSA param(e2) | E.cs:386:27:386:28 | access to parameter e2 | Variable $@ may be null here as suggested by $@ null check. | E.cs:380:30:380:31 | e2 | e2 | E.cs:382:58:382:67 | ... == ... | this |
| E.cs:386:27:386:28 | access to parameter e2 | E.cs:380:30:380:31 | SSA param(e2) | E.cs:386:27:386:28 | access to parameter e2 | Variable $@ may be null here as suggested by $@ null check. | E.cs:380:30:380:31 | e2 | e2 | E.cs:384:27:384:36 | ... == ... | this |
| E.cs:417:34:417:34 | access to parameter i | E.cs:417:24:417:40 | SSA capture def(i) | E.cs:417:34:417:34 | access to parameter i | Variable $@ may be null here because it has a nullable type. | E.cs:415:27:415:27 | i | i | E.cs:415:27:415:27 | i | this |
| GuardedString.cs:35:31:35:31 | access to local variable s | GuardedString.cs:7:16:7:32 | SSA def(s) | GuardedString.cs:35:31:35:31 | access to local variable s | Variable $@ may be null here because of $@ assignment. | GuardedString.cs:7:16:7:16 | s | s | GuardedString.cs:7:16:7:32 | String s = ... | this |
| NullMaybeBad.cs:7:27:7:27 | access to parameter o | NullMaybeBad.cs:13:17:13:20 | null | NullMaybeBad.cs:7:27:7:27 | access to parameter o | Variable $@ may be null here because of $@ null argument. | NullMaybeBad.cs:5:25:5:25 | o | o | NullMaybeBad.cs:13:17:13:20 | null | this |
| StringConcatenation.cs:16:17:16:17 | access to local variable s | StringConcatenation.cs:14:16:14:23 | SSA def(s) | StringConcatenation.cs:16:17:16:17 | access to local variable s | Variable $@ may be null here because of $@ assignment. | StringConcatenation.cs:14:16:14:16 | s | s | StringConcatenation.cs:14:16:14:23 | String s = ... | this |
| C.cs:64:9:64:10 | access to local variable o1 | C.cs:62:13:62:46 | SSA def(o1) | C.cs:64:9:64:10 | access to local variable o1 | Variable $@ may be null at this access because of $@ assignment. | C.cs:62:13:62:14 | o1 | o1 | C.cs:62:13:62:46 | Object o1 = ... | this |
| C.cs:68:9:68:10 | access to local variable o2 | C.cs:66:13:66:46 | SSA def(o2) | C.cs:68:9:68:10 | access to local variable o2 | Variable $@ may be null at this access because of $@ assignment. | C.cs:66:13:66:14 | o2 | o2 | C.cs:66:13:66:46 | Object o2 = ... | this |
| C.cs:95:15:95:15 | access to local variable o | C.cs:94:13:94:45 | SSA def(o) | C.cs:95:15:95:15 | access to local variable o | Variable $@ may be null at this access because of $@ assignment. | C.cs:94:13:94:13 | o | o | C.cs:94:13:94:45 | Object o = ... | this |
| C.cs:103:27:103:30 | access to parameter list | C.cs:102:13:102:23 | SSA def(list) | C.cs:103:27:103:30 | access to parameter list | Variable $@ may be null at this access because of $@ assignment. | C.cs:99:42:99:45 | list | list | C.cs:102:13:102:23 | ... = ... | this |
| C.cs:177:13:177:13 | access to local variable s | C.cs:178:13:178:20 | SSA def(s) | C.cs:177:13:177:13 | access to local variable s | Variable $@ may be null at this access because of $@ assignment. | C.cs:151:13:151:13 | s | s | C.cs:178:13:178:20 | ... = ... | this |
| C.cs:203:13:203:13 | access to local variable s | C.cs:204:13:204:20 | SSA def(s) | C.cs:203:13:203:13 | access to local variable s | Variable $@ may be null at this access because of $@ assignment. | C.cs:185:13:185:13 | s | s | C.cs:204:13:204:20 | ... = ... | this |
| C.cs:223:9:223:9 | access to local variable s | C.cs:222:13:222:20 | SSA def(s) | C.cs:223:9:223:9 | access to local variable s | Variable $@ may be null at this access because of $@ assignment. | C.cs:210:13:210:13 | s | s | C.cs:222:13:222:20 | ... = ... | this |
| C.cs:242:13:242:13 | access to local variable s | C.cs:240:24:240:31 | SSA def(s) | C.cs:242:13:242:13 | access to local variable s | Variable $@ may be null at this access because of $@ assignment. | C.cs:228:16:228:16 | s | s | C.cs:240:24:240:31 | ... = ... | this |
| D.cs:23:9:23:13 | access to parameter param | D.cs:17:17:17:20 | null | D.cs:23:9:23:13 | access to parameter param | Variable $@ may be null at this access because of $@ null argument. | D.cs:21:32:21:36 | param | param | D.cs:17:17:17:20 | null | this |
| D.cs:32:9:32:13 | access to parameter param | D.cs:26:32:26:36 | SSA param(param) | D.cs:32:9:32:13 | access to parameter param | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:26:32:26:36 | param | param | D.cs:28:13:28:25 | ... != ... | this |
| D.cs:62:13:62:14 | access to local variable o5 | D.cs:58:13:58:41 | SSA def(o5) | D.cs:62:13:62:14 | access to local variable o5 | Variable $@ may be null at this access because of $@ assignment. | D.cs:58:13:58:14 | o5 | o5 | D.cs:58:13:58:41 | String o5 = ... | this |
| D.cs:73:13:73:14 | access to local variable o7 | D.cs:68:13:68:34 | SSA def(o7) | D.cs:73:13:73:14 | access to local variable o7 | Variable $@ may be null at this access because of $@ assignment. | D.cs:68:13:68:14 | o7 | o7 | D.cs:68:13:68:34 | String o7 = ... | this |
| D.cs:82:13:82:14 | access to local variable o8 | D.cs:75:13:75:34 | SSA def(o8) | D.cs:82:13:82:14 | access to local variable o8 | Variable $@ may be null at this access because of $@ assignment. | D.cs:75:13:75:14 | o8 | o8 | D.cs:75:13:75:34 | String o8 = ... | this |
| D.cs:84:13:84:14 | access to local variable o8 | D.cs:75:13:75:34 | SSA def(o8) | D.cs:84:13:84:14 | access to local variable o8 | Variable $@ may be null at this access because of $@ assignment. | D.cs:75:13:75:14 | o8 | o8 | D.cs:75:13:75:34 | String o8 = ... | this |
| D.cs:91:13:91:14 | access to local variable xs | D.cs:89:15:89:44 | SSA def(xs) | D.cs:91:13:91:14 | access to local variable xs | Variable $@ may be null at this access because of $@ assignment. | D.cs:89:15:89:16 | xs | xs | D.cs:89:15:89:44 | Int32[] xs = ... | this |
| D.cs:94:21:94:22 | access to local variable xs | D.cs:89:15:89:44 | SSA def(xs) | D.cs:94:21:94:22 | access to local variable xs | Variable $@ may be null at this access because of $@ assignment. | D.cs:89:15:89:16 | xs | xs | D.cs:89:15:89:44 | Int32[] xs = ... | this |
| D.cs:98:21:98:22 | access to local variable xs | D.cs:89:15:89:44 | SSA def(xs) | D.cs:98:21:98:22 | access to local variable xs | Variable $@ may be null at this access because of $@ assignment. | D.cs:89:15:89:16 | xs | xs | D.cs:89:15:89:44 | Int32[] xs = ... | this |
| D.cs:102:31:102:32 | access to local variable xs | D.cs:89:15:89:44 | SSA def(xs) | D.cs:102:31:102:32 | access to local variable xs | Variable $@ may be null at this access because of $@ assignment. | D.cs:89:15:89:16 | xs | xs | D.cs:89:15:89:44 | Int32[] xs = ... | this |
| D.cs:105:19:105:20 | access to local variable xs | D.cs:89:15:89:44 | SSA def(xs) | D.cs:105:19:105:20 | access to local variable xs | Variable $@ may be null at this access because of $@ assignment. | D.cs:89:15:89:16 | xs | xs | D.cs:89:15:89:44 | Int32[] xs = ... | this |
| D.cs:134:24:134:24 | access to parameter a | D.cs:125:35:125:35 | SSA param(a) | D.cs:134:24:134:24 | access to parameter a | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:125:35:125:35 | a | a | D.cs:127:20:127:28 | ... == ... | this |
| D.cs:134:24:134:24 | access to parameter a | D.cs:125:35:125:35 | SSA param(a) | D.cs:134:24:134:24 | access to parameter a | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:125:35:125:35 | a | a | D.cs:139:13:139:21 | ... != ... | this |
| D.cs:135:24:135:24 | access to parameter b | D.cs:125:44:125:44 | SSA param(b) | D.cs:135:24:135:24 | access to parameter b | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:125:44:125:44 | b | b | D.cs:128:20:128:28 | ... == ... | this |
| D.cs:145:20:145:20 | access to parameter a | D.cs:125:35:125:35 | SSA param(a) | D.cs:145:20:145:20 | access to parameter a | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:125:35:125:35 | a | a | D.cs:127:20:127:28 | ... == ... | this |
| D.cs:145:20:145:20 | access to parameter a | D.cs:125:35:125:35 | SSA param(a) | D.cs:145:20:145:20 | access to parameter a | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:125:35:125:35 | a | a | D.cs:139:13:139:21 | ... != ... | this |
| D.cs:151:9:151:11 | access to parameter obj | D.cs:149:36:149:38 | SSA param(obj) | D.cs:151:9:151:11 | access to parameter obj | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:149:36:149:38 | obj | obj | D.cs:152:17:152:27 | ... != ... | this |
| D.cs:171:9:171:11 | access to local variable obj | D.cs:163:16:163:25 | SSA def(obj) | D.cs:171:9:171:11 | access to local variable obj | Variable $@ may be null at this access because of $@ assignment. | D.cs:163:16:163:18 | obj | obj | D.cs:163:16:163:25 | Object obj = ... | this |
| D.cs:245:13:245:13 | access to local variable o | D.cs:240:9:240:16 | SSA def(o) | D.cs:245:13:245:13 | access to local variable o | Variable $@ may be null at this access because of $@ assignment. | D.cs:228:16:228:16 | o | o | D.cs:240:9:240:16 | ... = ... | this |
| D.cs:247:13:247:13 | access to local variable o | D.cs:240:9:240:16 | SSA def(o) | D.cs:247:13:247:13 | access to local variable o | Variable $@ may be null at this access because of $@ assignment. | D.cs:228:16:228:16 | o | o | D.cs:240:9:240:16 | ... = ... | this |
| D.cs:253:13:253:14 | access to local variable o2 | D.cs:249:13:249:38 | SSA def(o2) | D.cs:253:13:253:14 | access to local variable o2 | Variable $@ may be null at this access because of $@ assignment. | D.cs:249:13:249:14 | o2 | o2 | D.cs:249:13:249:38 | String o2 = ... | this |
| D.cs:267:13:267:13 | access to local variable o | D.cs:258:16:258:23 | SSA def(o) | D.cs:267:13:267:13 | access to local variable o | Variable $@ may be null at this access because of $@ assignment. | D.cs:258:16:258:16 | o | o | D.cs:258:16:258:23 | Object o = ... | this |
| D.cs:291:13:291:13 | access to local variable o | D.cs:269:9:269:16 | SSA def(o) | D.cs:291:13:291:13 | access to local variable o | Variable $@ may be null at this access because of $@ assignment. | D.cs:258:16:258:16 | o | o | D.cs:269:9:269:16 | ... = ... | this |
| D.cs:291:13:291:13 | access to local variable o | D.cs:283:17:283:24 | SSA def(o) | D.cs:291:13:291:13 | access to local variable o | Variable $@ may be null at this access because of $@ assignment. | D.cs:258:16:258:16 | o | o | D.cs:283:17:283:24 | ... = ... | this |
| D.cs:294:13:294:13 | access to local variable o | D.cs:269:9:269:16 | SSA def(o) | D.cs:294:13:294:13 | access to local variable o | Variable $@ may be null at this access because of $@ assignment. | D.cs:258:16:258:16 | o | o | D.cs:269:9:269:16 | ... = ... | this |
| D.cs:294:13:294:13 | access to local variable o | D.cs:283:17:283:24 | SSA def(o) | D.cs:294:13:294:13 | access to local variable o | Variable $@ may be null at this access because of $@ assignment. | D.cs:258:16:258:16 | o | o | D.cs:283:17:283:24 | ... = ... | this |
| D.cs:300:17:300:20 | access to local variable prev | D.cs:296:16:296:26 | SSA def(prev) | D.cs:300:17:300:20 | access to local variable prev | Variable $@ may be null at this access because of $@ assignment. | D.cs:296:16:296:19 | prev | prev | D.cs:296:16:296:26 | Object prev = ... | this |
| D.cs:313:17:313:17 | access to local variable s | D.cs:304:16:304:23 | SSA def(s) | D.cs:313:17:313:17 | access to local variable s | Variable $@ may be null at this access because of $@ assignment. | D.cs:304:16:304:16 | s | s | D.cs:304:16:304:23 | String s = ... | this |
| D.cs:324:9:324:9 | access to local variable r | D.cs:316:16:316:23 | SSA def(r) | D.cs:324:9:324:9 | access to local variable r | Variable $@ may be null at this access because of $@ assignment. | D.cs:316:16:316:16 | r | r | D.cs:316:16:316:23 | Object r = ... | this |
| D.cs:356:13:356:13 | access to local variable a | D.cs:351:15:351:22 | SSA def(a) | D.cs:356:13:356:13 | access to local variable a | Variable $@ may be null at this access because of $@ assignment. | D.cs:351:15:351:15 | a | a | D.cs:351:15:351:22 | Int32[] a = ... | this |
| D.cs:363:13:363:16 | access to local variable last | D.cs:360:20:360:30 | SSA def(last) | D.cs:363:13:363:16 | access to local variable last | Variable $@ may be null at this access because of $@ assignment. | D.cs:360:20:360:23 | last | last | D.cs:360:20:360:30 | String last = ... | this |
| D.cs:372:13:372:13 | access to local variable b | D.cs:366:15:366:47 | SSA def(b) | D.cs:372:13:372:13 | access to local variable b | Variable $@ may be null at this access because of $@ assignment. | D.cs:366:15:366:15 | b | b | D.cs:366:15:366:47 | Int32[] b = ... | this |
| D.cs:395:20:395:20 | access to parameter a | D.cs:388:36:388:36 | SSA param(a) | D.cs:395:20:395:20 | access to parameter a | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:388:36:388:36 | a | a | D.cs:390:20:390:28 | ... == ... | this |
| D.cs:400:20:400:20 | access to parameter b | D.cs:388:45:388:45 | SSA param(b) | D.cs:400:20:400:20 | access to parameter b | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:388:45:388:45 | b | b | D.cs:397:20:397:28 | ... == ... | this |
| D.cs:410:13:410:13 | access to parameter y | D.cs:405:45:405:45 | SSA param(y) | D.cs:410:13:410:13 | access to parameter y | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:405:45:405:45 | y | y | D.cs:407:27:407:35 | ... == ... | this |
| D.cs:410:13:410:13 | access to parameter y | D.cs:405:45:405:45 | SSA param(y) | D.cs:410:13:410:13 | access to parameter y | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:405:45:405:45 | y | y | D.cs:407:55:407:63 | ... != ... | this |
| D.cs:410:13:410:13 | access to parameter y | D.cs:405:45:405:45 | SSA param(y) | D.cs:410:13:410:13 | access to parameter y | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:405:45:405:45 | y | y | D.cs:411:13:411:21 | ... != ... | this |
| D.cs:412:13:412:13 | access to parameter x | D.cs:405:35:405:35 | SSA param(x) | D.cs:412:13:412:13 | access to parameter x | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:405:35:405:35 | x | x | D.cs:407:14:407:22 | ... != ... | this |
| D.cs:412:13:412:13 | access to parameter x | D.cs:405:35:405:35 | SSA param(x) | D.cs:412:13:412:13 | access to parameter x | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:405:35:405:35 | x | x | D.cs:407:42:407:50 | ... == ... | this |
| D.cs:412:13:412:13 | access to parameter x | D.cs:405:35:405:35 | SSA param(x) | D.cs:412:13:412:13 | access to parameter x | Variable $@ may be null at this access as suggested by $@ null check. | D.cs:405:35:405:35 | x | x | D.cs:409:13:409:21 | ... != ... | this |
| E.cs:12:38:12:39 | access to local variable a2 | E.cs:9:18:9:26 | SSA def(a2) | E.cs:12:38:12:39 | access to local variable a2 | Variable $@ may be null at this access because of $@ assignment. | E.cs:9:18:9:19 | a2 | a2 | E.cs:9:18:9:26 | Int64[][] a2 = ... | this |
| E.cs:14:13:14:14 | access to local variable a3 | E.cs:11:16:11:24 | SSA def(a3) | E.cs:14:13:14:14 | access to local variable a3 | Variable $@ may be null at this access because of $@ assignment. | E.cs:11:16:11:17 | a3 | a3 | E.cs:11:16:11:24 | Int64[] a3 = ... | this |
| E.cs:27:13:27:14 | access to local variable s1 | E.cs:23:13:23:30 | SSA def(s1) | E.cs:27:13:27:14 | access to local variable s1 | Variable $@ may be null at this access because of $@ assignment. | E.cs:19:13:19:14 | s1 | s1 | E.cs:23:13:23:30 | ... = ... | this |
| E.cs:61:13:61:17 | access to local variable slice | E.cs:51:22:51:33 | SSA def(slice) | E.cs:61:13:61:17 | access to local variable slice | Variable $@ may be null at this access because of $@ assignment. | E.cs:51:22:51:26 | slice | slice | E.cs:51:22:51:33 | List<String> slice = ... | this |
| E.cs:73:13:73:15 | access to parameter arr | E.cs:66:40:66:42 | SSA param(arr) | E.cs:73:13:73:15 | access to parameter arr | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:66:40:66:42 | arr | arr | E.cs:70:22:70:32 | ... == ... | this |
| E.cs:112:13:112:16 | access to local variable arr2 | E.cs:107:15:107:25 | SSA def(arr2) | E.cs:112:13:112:16 | access to local variable arr2 | Variable $@ may be null at this access because of $@ assignment. | E.cs:107:15:107:18 | arr2 | arr2 | E.cs:107:15:107:25 | Int32[] arr2 = ... | this |
| E.cs:125:33:125:35 | access to local variable obj | E.cs:137:25:137:34 | SSA def(obj) | E.cs:125:33:125:35 | access to local variable obj | Variable $@ may be null at this access because of $@ assignment. | E.cs:119:13:119:15 | obj | obj | E.cs:137:25:137:34 | ... = ... | this |
| E.cs:159:13:159:16 | access to local variable obj2 | E.cs:152:16:152:26 | SSA def(obj2) | E.cs:159:13:159:16 | access to local variable obj2 | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:152:16:152:19 | obj2 | obj2 | E.cs:153:13:153:24 | ... != ... | this |
| E.cs:167:21:167:21 | access to parameter a | E.cs:162:28:162:28 | SSA param(a) | E.cs:167:21:167:21 | access to parameter a | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:162:28:162:28 | a | a | E.cs:164:17:164:25 | ... == ... | this |
| E.cs:178:13:178:15 | access to parameter obj | E.cs:173:29:173:31 | SSA param(obj) | E.cs:178:13:178:15 | access to parameter obj | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:173:29:173:31 | obj | obj | E.cs:175:19:175:29 | ... == ... | this |
| E.cs:178:13:178:15 | access to parameter obj | E.cs:173:29:173:31 | SSA param(obj) | E.cs:178:13:178:15 | access to parameter obj | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:173:29:173:31 | obj | obj | E.cs:180:13:180:23 | ... == ... | this |
| E.cs:186:13:186:15 | access to parameter obj | E.cs:173:29:173:31 | SSA param(obj) | E.cs:186:13:186:15 | access to parameter obj | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:173:29:173:31 | obj | obj | E.cs:175:19:175:29 | ... == ... | this |
| E.cs:186:13:186:15 | access to parameter obj | E.cs:173:29:173:31 | SSA param(obj) | E.cs:186:13:186:15 | access to parameter obj | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:173:29:173:31 | obj | obj | E.cs:180:13:180:23 | ... == ... | this |
| E.cs:192:17:192:17 | access to parameter o | E.cs:190:29:190:29 | SSA param(o) | E.cs:192:17:192:17 | access to parameter o | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:190:29:190:29 | o | o | E.cs:193:17:193:17 | access to parameter o | this |
| E.cs:201:13:201:13 | access to local variable o | E.cs:198:13:198:29 | [b (line 196): true] SSA def(o) | E.cs:201:13:201:13 | access to local variable o | Variable $@ may be null at this access because of $@ assignment. | E.cs:198:13:198:13 | o | o | E.cs:198:13:198:29 | String o = ... | this |
| E.cs:203:13:203:13 | access to local variable o | E.cs:198:13:198:29 | [b (line 196): false] SSA def(o) | E.cs:203:13:203:13 | access to local variable o | Variable $@ may be null at this access because of $@ assignment. | E.cs:198:13:198:13 | o | o | E.cs:198:13:198:29 | String o = ... | this |
| E.cs:218:9:218:9 | access to local variable x | E.cs:217:13:217:20 | [b (line 213): true] SSA def(x) | E.cs:218:9:218:9 | access to local variable x | Variable $@ may be null at this access because of $@ assignment. | E.cs:215:13:215:13 | x | x | E.cs:217:13:217:20 | ... = ... | this |
| E.cs:230:9:230:9 | access to local variable x | E.cs:227:13:227:20 | [b (line 223): true] SSA def(x) | E.cs:230:9:230:9 | access to local variable x | Variable $@ may be null at this access because of $@ assignment. | E.cs:225:13:225:13 | x | x | E.cs:227:13:227:20 | ... = ... | this |
| E.cs:235:16:235:16 | access to parameter i | E.cs:233:26:233:26 | SSA param(i) | E.cs:235:16:235:16 | access to parameter i | Variable $@ may be null at this access because it has a nullable type. | E.cs:233:26:233:26 | i | i | E.cs:233:26:233:26 | i | this |
| E.cs:240:21:240:21 | access to parameter i | E.cs:238:26:238:26 | SSA param(i) | E.cs:240:21:240:21 | access to parameter i | Variable $@ may be null at this access because it has a nullable type. | E.cs:238:26:238:26 | i | i | E.cs:238:26:238:26 | i | this |
| E.cs:285:9:285:9 | access to local variable o | E.cs:283:13:283:22 | [b (line 279): false] SSA def(o) | E.cs:285:9:285:9 | access to local variable o | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:283:13:283:13 | o | o | E.cs:284:9:284:9 | access to local variable o | this |
| E.cs:285:9:285:9 | access to local variable o | E.cs:283:13:283:22 | [b (line 279): true] SSA def(o) | E.cs:285:9:285:9 | access to local variable o | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:283:13:283:13 | o | o | E.cs:284:9:284:9 | access to local variable o | this |
| E.cs:302:9:302:9 | access to local variable s | E.cs:301:13:301:27 | SSA def(s) | E.cs:302:9:302:9 | access to local variable s | Variable $@ may be null at this access because of $@ assignment. | E.cs:301:13:301:13 | s | s | E.cs:301:13:301:27 | String s = ... | this |
| E.cs:343:9:343:9 | access to local variable x | E.cs:342:13:342:32 | SSA def(x) | E.cs:343:9:343:9 | access to local variable x | Variable $@ may be null at this access because of $@ assignment. | E.cs:342:13:342:13 | x | x | E.cs:342:13:342:32 | String x = ... | this |
| E.cs:349:9:349:9 | access to local variable x | E.cs:348:17:348:36 | SSA def(x) | E.cs:349:9:349:9 | access to local variable x | Variable $@ may be null at this access because of $@ assignment. | E.cs:348:17:348:17 | x | x | E.cs:348:17:348:36 | dynamic x = ... | this |
| E.cs:366:41:366:41 | access to parameter s | E.cs:366:28:366:28 | SSA param(s) | E.cs:366:41:366:41 | access to parameter s | Variable $@ may be null at this access because the parameter has a null default value. | E.cs:366:28:366:28 | s | s | E.cs:366:32:366:35 | null | this |
| E.cs:375:20:375:20 | access to local variable s | E.cs:374:17:374:31 | SSA def(s) | E.cs:375:20:375:20 | access to local variable s | Variable $@ may be null at this access because of $@ assignment. | E.cs:374:17:374:17 | s | s | E.cs:374:17:374:31 | String s = ... | this |
| E.cs:386:16:386:17 | access to parameter e1 | E.cs:380:24:380:25 | SSA param(e1) | E.cs:386:16:386:17 | access to parameter e1 | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:380:24:380:25 | e1 | e1 | E.cs:382:14:382:23 | ... == ... | this |
| E.cs:386:16:386:17 | access to parameter e1 | E.cs:380:24:380:25 | SSA param(e1) | E.cs:386:16:386:17 | access to parameter e1 | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:380:24:380:25 | e1 | e1 | E.cs:382:44:382:53 | ... != ... | this |
| E.cs:386:16:386:17 | access to parameter e1 | E.cs:380:24:380:25 | SSA param(e1) | E.cs:386:16:386:17 | access to parameter e1 | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:380:24:380:25 | e1 | e1 | E.cs:384:13:384:22 | ... == ... | this |
| E.cs:386:27:386:28 | access to parameter e2 | E.cs:380:30:380:31 | SSA param(e2) | E.cs:386:27:386:28 | access to parameter e2 | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:380:30:380:31 | e2 | e2 | E.cs:382:28:382:37 | ... != ... | this |
| E.cs:386:27:386:28 | access to parameter e2 | E.cs:380:30:380:31 | SSA param(e2) | E.cs:386:27:386:28 | access to parameter e2 | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:380:30:380:31 | e2 | e2 | E.cs:382:58:382:67 | ... == ... | this |
| E.cs:386:27:386:28 | access to parameter e2 | E.cs:380:30:380:31 | SSA param(e2) | E.cs:386:27:386:28 | access to parameter e2 | Variable $@ may be null at this access as suggested by $@ null check. | E.cs:380:30:380:31 | e2 | e2 | E.cs:384:27:384:36 | ... == ... | this |
| E.cs:417:34:417:34 | access to parameter i | E.cs:417:24:417:40 | SSA capture def(i) | E.cs:417:34:417:34 | access to parameter i | Variable $@ may be null at this access because it has a nullable type. | E.cs:415:27:415:27 | i | i | E.cs:415:27:415:27 | i | this |
| GuardedString.cs:35:31:35:31 | access to local variable s | GuardedString.cs:7:16:7:32 | SSA def(s) | GuardedString.cs:35:31:35:31 | access to local variable s | Variable $@ may be null at this access because of $@ assignment. | GuardedString.cs:7:16:7:16 | s | s | GuardedString.cs:7:16:7:32 | String s = ... | this |
| NullMaybeBad.cs:7:27:7:27 | access to parameter o | NullMaybeBad.cs:13:17:13:20 | null | NullMaybeBad.cs:7:27:7:27 | access to parameter o | Variable $@ may be null at this access because of $@ null argument. | NullMaybeBad.cs:5:25:5:25 | o | o | NullMaybeBad.cs:13:17:13:20 | null | this |
| StringConcatenation.cs:16:17:16:17 | access to local variable s | StringConcatenation.cs:14:16:14:23 | SSA def(s) | StringConcatenation.cs:16:17:16:17 | access to local variable s | Variable $@ may be null at this access because of $@ assignment. | StringConcatenation.cs:14:16:14:16 | s | s | StringConcatenation.cs:14:16:14:23 | String s = ... | this |

14
csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.expected
View File

@@ -26,10 +26,10 @@ nodes
| TaintedPath.cs:51:26:51:29 | access to local variable path | semmle.label | access to local variable path |
subpaths
#select
| TaintedPath.cs:12:50:12:53 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:12:50:12:53 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:10:23:10:45 | access to property QueryString | User-provided value |
| TaintedPath.cs:17:51:17:54 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:17:51:17:54 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:10:23:10:45 | access to property QueryString | User-provided value |
| TaintedPath.cs:25:30:25:33 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:25:30:25:33 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:10:23:10:45 | access to property QueryString | User-provided value |
| TaintedPath.cs:31:30:31:33 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:31:30:31:33 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:10:23:10:45 | access to property QueryString | User-provided value |
| TaintedPath.cs:36:25:36:31 | access to local variable badPath | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:36:25:36:31 | access to local variable badPath | $@ flows to here and is used in a path. | TaintedPath.cs:10:23:10:45 | access to property QueryString | User-provided value |
| TaintedPath.cs:38:49:38:55 | access to local variable badPath | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:38:49:38:55 | access to local variable badPath | $@ flows to here and is used in a path. | TaintedPath.cs:10:23:10:45 | access to property QueryString | User-provided value |
| TaintedPath.cs:51:26:51:29 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:51:26:51:29 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:10:23:10:45 | access to property QueryString | User-provided value |
| TaintedPath.cs:12:50:12:53 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:12:50:12:53 | access to local variable path | This path depends on a $@. | TaintedPath.cs:10:23:10:45 | access to property QueryString | user-provided value |
| TaintedPath.cs:17:51:17:54 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:17:51:17:54 | access to local variable path | This path depends on a $@. | TaintedPath.cs:10:23:10:45 | access to property QueryString | user-provided value |
| TaintedPath.cs:25:30:25:33 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:25:30:25:33 | access to local variable path | This path depends on a $@. | TaintedPath.cs:10:23:10:45 | access to property QueryString | user-provided value |
| TaintedPath.cs:31:30:31:33 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:31:30:31:33 | access to local variable path | This path depends on a $@. | TaintedPath.cs:10:23:10:45 | access to property QueryString | user-provided value |
| TaintedPath.cs:36:25:36:31 | access to local variable badPath | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:36:25:36:31 | access to local variable badPath | This path depends on a $@. | TaintedPath.cs:10:23:10:45 | access to property QueryString | user-provided value |
| TaintedPath.cs:38:49:38:55 | access to local variable badPath | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:38:49:38:55 | access to local variable badPath | This path depends on a $@. | TaintedPath.cs:10:23:10:45 | access to property QueryString | user-provided value |
| TaintedPath.cs:51:26:51:29 | access to local variable path | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:51:26:51:29 | access to local variable path | This path depends on a $@. | TaintedPath.cs:10:23:10:45 | access to property QueryString | user-provided value |

18
csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected
View File

@@ -44,12 +44,12 @@ nodes
| CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | semmle.label | access to local variable startInfoProps |
subpaths
#select
| CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:27:26:47 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
| CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:50:26:66 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
| CommandInjection.cs:28:63:28:71 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:63:28:71 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
| CommandInjection.cs:28:74:28:82 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:74:28:82 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
| CommandInjection.cs:29:27:29:35 | access to local variable startInfo | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:29:27:29:35 | access to local variable startInfo | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
| CommandInjection.cs:32:39:32:47 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
| CommandInjection.cs:33:40:33:48 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
| CommandInjection.cs:34:47:34:55 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
| CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
| CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:27:26:47 | ... + ... | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
| CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:50:26:66 | ... + ... | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
| CommandInjection.cs:28:63:28:71 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:63:28:71 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
| CommandInjection.cs:28:74:28:82 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:74:28:82 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
| CommandInjection.cs:29:27:29:35 | access to local variable startInfo | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:29:27:29:35 | access to local variable startInfo | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
| CommandInjection.cs:32:39:32:47 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
| CommandInjection.cs:33:40:33:48 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
| CommandInjection.cs:34:47:34:55 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
| CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |

2
csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected
View File

@@ -5,4 +5,4 @@ nodes
| StoredCommandInjection.cs:22:54:22:80 | call to method GetString : String | semmle.label | call to method GetString : String |
subpaths
#select
| StoredCommandInjection.cs:22:46:22:80 | ... + ... | StoredCommandInjection.cs:22:54:22:80 | call to method GetString : String | StoredCommandInjection.cs:22:46:22:80 | ... + ... | $@ flows to here and is used in a command. | StoredCommandInjection.cs:22:54:22:80 | call to method GetString | Stored user-provided value |
| StoredCommandInjection.cs:22:46:22:80 | ... + ... | StoredCommandInjection.cs:22:54:22:80 | call to method GetString : String | StoredCommandInjection.cs:22:46:22:80 | ... + ... | This command line depends on a $@. | StoredCommandInjection.cs:22:54:22:80 | call to method GetString | stored (potentially user-provided) value |

2
csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected
View File

@@ -5,4 +5,4 @@ nodes
| StoredXSS.cs:24:60:24:86 | call to method GetString : String | semmle.label | call to method GetString : String |
subpaths
#select
| StoredXSS.cs:24:44:24:86 | ... + ... | StoredXSS.cs:24:60:24:86 | call to method GetString : String | StoredXSS.cs:24:44:24:86 | ... + ... | $@ flows to here and is written to HTML or JavaScript. | StoredXSS.cs:24:60:24:86 | call to method GetString | Stored user-provided value |
| StoredXSS.cs:24:44:24:86 | ... + ... | StoredXSS.cs:24:60:24:86 | call to method GetString : String | StoredXSS.cs:24:44:24:86 | ... + ... | This HTML or JavaScript write depends on a $@. | StoredXSS.cs:24:60:24:86 | call to method GetString | stored (potentially user-provided) value |

6
csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected
View File

@@ -35,6 +35,6 @@ nodes
| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | semmle.label | access to local variable sql |
subpaths
#select
| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | $@ flows to here and is used in an SQL query. | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString | Stored user-provided value |
| SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | $@ flows to here and is used in an SQL query. | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream | Stored user-provided value |
| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | $@ flows to here and is used in an SQL query. | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream | Stored user-provided value |
| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | This SQL query depends on a $@. | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString | stored user-provided value |
| SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | This SQL query depends on a $@. | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream | stored user-provided value |
| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | This SQL query depends on a $@. | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream | stored user-provided value |

38
csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected
View File

@@ -84,22 +84,22 @@ nodes
| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | semmle.label | access to local variable sql |
subpaths
#select
| SqlInjection.cs:34:50:34:55 | access to local variable query1 | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | SqlInjection.cs:34:50:34:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | this ASP.NET user input |
| SqlInjection.cs:69:56:69:61 | access to local variable query1 | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:69:56:69:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | this ASP.NET user input |
| SqlInjection.cs:70:55:70:60 | access to local variable query1 | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:70:55:70:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | this ASP.NET user input |
| SqlInjection.cs:83:50:83:55 | access to local variable query1 | SqlInjection.cs:82:21:82:29 | access to property Text : String | SqlInjection.cs:83:50:83:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:82:21:82:29 | access to property Text : String | this TextBox text |
| SqlInjection.cs:93:42:93:52 | access to local variable queryString | SqlInjection.cs:92:21:92:29 | access to property Text : String | SqlInjection.cs:93:42:93:52 | access to local variable queryString | Query might include code from $@. | SqlInjection.cs:92:21:92:29 | access to property Text : String | this TextBox text |
| SqlInjection.cs:94:50:94:52 | access to local variable cmd | SqlInjection.cs:92:21:92:29 | access to property Text : String | SqlInjection.cs:94:50:94:52 | access to local variable cmd | Query might include code from $@. | SqlInjection.cs:92:21:92:29 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:21:55:21:59 | access to local variable query | SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | SqlInjectionDapper.cs:21:55:21:59 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:30:66:30:70 | access to local variable query | SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | SqlInjectionDapper.cs:30:66:30:70 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:39:63:39:67 | access to local variable query | SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | SqlInjectionDapper.cs:39:63:39:67 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:49:47:49:51 | access to local variable query | SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | SqlInjectionDapper.cs:49:47:49:51 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | this TextBox text |
| SqlInjectionSqlite.cs:19:51:19:68 | access to property Text | SqlInjectionSqlite.cs:19:51:19:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:19:51:19:68 | access to property Text | Query might include code from $@. | SqlInjectionSqlite.cs:19:51:19:63 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:24:41:24:58 | access to property Text | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:24:41:24:58 | access to property Text | Query might include code from $@. | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | Query might include code from $@. | SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:39:45:39:62 | access to property Text | SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:39:45:39:62 | access to property Text | Query might include code from $@. | SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:44:45:44:47 | access to local variable cmd | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:44:45:44:47 | access to local variable cmd | Query might include code from $@. | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | Query might include code from $@. | SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjection.cs:34:50:34:55 | access to local variable query1 | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | SqlInjection.cs:34:50:34:55 | access to local variable query1 | This query depends on $@. | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | this ASP.NET user input |
| SqlInjection.cs:69:56:69:61 | access to local variable query1 | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:69:56:69:61 | access to local variable query1 | This query depends on $@. | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | this ASP.NET user input |
| SqlInjection.cs:70:55:70:60 | access to local variable query1 | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:70:55:70:60 | access to local variable query1 | This query depends on $@. | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | this ASP.NET user input |
| SqlInjection.cs:83:50:83:55 | access to local variable query1 | SqlInjection.cs:82:21:82:29 | access to property Text : String | SqlInjection.cs:83:50:83:55 | access to local variable query1 | This query depends on $@. | SqlInjection.cs:82:21:82:29 | access to property Text : String | this TextBox text |
| SqlInjection.cs:93:42:93:52 | access to local variable queryString | SqlInjection.cs:92:21:92:29 | access to property Text : String | SqlInjection.cs:93:42:93:52 | access to local variable queryString | This query depends on $@. | SqlInjection.cs:92:21:92:29 | access to property Text : String | this TextBox text |
| SqlInjection.cs:94:50:94:52 | access to local variable cmd | SqlInjection.cs:92:21:92:29 | access to property Text : String | SqlInjection.cs:94:50:94:52 | access to local variable cmd | This query depends on $@. | SqlInjection.cs:92:21:92:29 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:21:55:21:59 | access to local variable query | SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | SqlInjectionDapper.cs:21:55:21:59 | access to local variable query | This query depends on $@. | SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:30:66:30:70 | access to local variable query | SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | SqlInjectionDapper.cs:30:66:30:70 | access to local variable query | This query depends on $@. | SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:39:63:39:67 | access to local variable query | SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | SqlInjectionDapper.cs:39:63:39:67 | access to local variable query | This query depends on $@. | SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:49:47:49:51 | access to local variable query | SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | SqlInjectionDapper.cs:49:47:49:51 | access to local variable query | This query depends on $@. | SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | This query depends on $@. | SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | This query depends on $@. | SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | This query depends on $@. | SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | this TextBox text |
| SqlInjectionSqlite.cs:19:51:19:68 | access to property Text | SqlInjectionSqlite.cs:19:51:19:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:19:51:19:68 | access to property Text | This query depends on $@. | SqlInjectionSqlite.cs:19:51:19:63 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:24:41:24:58 | access to property Text | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:24:41:24:58 | access to property Text | This query depends on $@. | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | This query depends on $@. | SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:39:45:39:62 | access to property Text | SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:39:45:39:62 | access to property Text | This query depends on $@. | SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:44:45:44:47 | access to local variable cmd | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:44:45:44:47 | access to local variable cmd | This query depends on $@. | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | This query depends on $@. | SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | this ASP.NET user input |

12
csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected
View File

@@ -23,9 +23,9 @@ nodes
| LDAPInjection.cs:29:20:29:42 | ... + ... | semmle.label | ... + ... |
subpaths
#select
| LDAPInjection.cs:14:54:14:78 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:14:54:14:78 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | User-provided value |
| LDAPInjection.cs:16:21:16:45 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:16:21:16:45 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | User-provided value |
| LDAPInjection.cs:23:21:23:45 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:23:21:23:45 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | User-provided value |
| LDAPInjection.cs:24:53:24:77 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:24:53:24:77 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | User-provided value |
| LDAPInjection.cs:27:48:27:70 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:27:48:27:70 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | User-provided value |
| LDAPInjection.cs:29:20:29:42 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:29:20:29:42 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | User-provided value |
| LDAPInjection.cs:14:54:14:78 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:14:54:14:78 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
| LDAPInjection.cs:16:21:16:45 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:16:21:16:45 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
| LDAPInjection.cs:23:21:23:45 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:23:21:23:45 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
| LDAPInjection.cs:24:53:24:77 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:24:53:24:77 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
| LDAPInjection.cs:27:48:27:70 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:27:48:27:70 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
| LDAPInjection.cs:29:20:29:42 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:29:20:29:42 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |

2
csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected
View File

@@ -5,4 +5,4 @@ nodes
| StoredLDAPInjection.cs:22:83:22:109 | call to method GetString : String | semmle.label | call to method GetString : String |
subpaths
#select
| StoredLDAPInjection.cs:22:66:22:109 | ... + ... | StoredLDAPInjection.cs:22:83:22:109 | call to method GetString : String | StoredLDAPInjection.cs:22:66:22:109 | ... + ... | $@ flows to here and is used in an LDAP query. | StoredLDAPInjection.cs:22:83:22:109 | call to method GetString | Stored user-provided value |
| StoredLDAPInjection.cs:22:66:22:109 | ... + ... | StoredLDAPInjection.cs:22:83:22:109 | call to method GetString : String | StoredLDAPInjection.cs:22:66:22:109 | ... + ... | This LDAP query depends on a $@. | StoredLDAPInjection.cs:22:83:22:109 | call to method GetString | stored (potentially user-provided) value |

2
csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.expected
View File

@@ -8,4 +8,4 @@ nodes
| Test.cs:15:25:15:80 | ... + ... | semmle.label | ... + ... |
subpaths
#select
| Test.cs:15:25:15:80 | ... + ... | Test.cs:8:27:8:49 | access to property QueryString : NameValueCollection | Test.cs:15:25:15:80 | ... + ... | $@ flows to here and is inserted as XML. | Test.cs:8:27:8:49 | access to property QueryString : NameValueCollection | User-provided value |
| Test.cs:15:25:15:80 | ... + ... | Test.cs:8:27:8:49 | access to property QueryString : NameValueCollection | Test.cs:15:25:15:80 | ... + ... | This XML element depends on a $@. | Test.cs:8:27:8:49 | access to property QueryString | user-provided value |

6
csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.expected
View File

@@ -12,6 +12,6 @@ nodes
| CodeInjection.cs:56:36:56:44 | access to property Text | semmle.label | access to property Text |
subpaths
#select
| CodeInjection.cs:29:64:29:67 | access to local variable code | CodeInjection.cs:23:23:23:45 | access to property QueryString : NameValueCollection | CodeInjection.cs:29:64:29:67 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:23:23:23:45 | access to property QueryString | User-provided value |
| CodeInjection.cs:40:36:40:39 | access to local variable code | CodeInjection.cs:23:23:23:45 | access to property QueryString : NameValueCollection | CodeInjection.cs:40:36:40:39 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:23:23:23:45 | access to property QueryString | User-provided value |
| CodeInjection.cs:56:36:56:44 | access to property Text | CodeInjection.cs:56:36:56:44 | access to property Text | CodeInjection.cs:56:36:56:44 | access to property Text | $@ flows to here and is compiled as code. | CodeInjection.cs:56:36:56:44 | access to property Text | User-provided value |
| CodeInjection.cs:29:64:29:67 | access to local variable code | CodeInjection.cs:23:23:23:45 | access to property QueryString : NameValueCollection | CodeInjection.cs:29:64:29:67 | access to local variable code | This code compilation depends on a $@. | CodeInjection.cs:23:23:23:45 | access to property QueryString | user-provided value |
| CodeInjection.cs:40:36:40:39 | access to local variable code | CodeInjection.cs:23:23:23:45 | access to property QueryString : NameValueCollection | CodeInjection.cs:40:36:40:39 | access to local variable code | This code compilation depends on a $@. | CodeInjection.cs:23:23:23:45 | access to property QueryString | user-provided value |
| CodeInjection.cs:56:36:56:44 | access to property Text | CodeInjection.cs:56:36:56:44 | access to property Text | CodeInjection.cs:56:36:56:44 | access to property Text | This code compilation depends on a $@. | CodeInjection.cs:56:36:56:44 | access to property Text | user-provided value |

4
csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.expected
View File

@@ -11,5 +11,5 @@ nodes
| ResourceInjection.cs:13:42:13:57 | access to local variable connectionString | semmle.label | access to local variable connectionString |
subpaths
#select
| ResourceInjection.cs:11:57:11:72 | access to local variable connectionString | ResourceInjection.cs:8:27:8:49 | access to property QueryString : NameValueCollection | ResourceInjection.cs:11:57:11:72 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:8:27:8:49 | access to property QueryString | User-provided value |
| ResourceInjection.cs:13:42:13:57 | access to local variable connectionString | ResourceInjection.cs:8:27:8:49 | access to property QueryString : NameValueCollection | ResourceInjection.cs:13:42:13:57 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:8:27:8:49 | access to property QueryString | User-provided value |
| ResourceInjection.cs:11:57:11:72 | access to local variable connectionString | ResourceInjection.cs:8:27:8:49 | access to property QueryString : NameValueCollection | ResourceInjection.cs:11:57:11:72 | access to local variable connectionString | This resource descriptor depends on a $@. | ResourceInjection.cs:8:27:8:49 | access to property QueryString | user-provided value |
| ResourceInjection.cs:13:42:13:57 | access to local variable connectionString | ResourceInjection.cs:8:27:8:49 | access to property QueryString : NameValueCollection | ResourceInjection.cs:13:42:13:57 | access to local variable connectionString | This resource descriptor depends on a $@. | ResourceInjection.cs:8:27:8:49 | access to property QueryString | user-provided value |

Some files were not shown because too many files have changed in this diff Show More