hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 20:25:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:Semmle/ql into rdmarsh/cpp/uninit-string-initializers

Browse Source
This commit is contained in:
Robert Marsh
2019-11-07 14:36:58 -08:00
parent ae1377447e ee185ea92e
commit f483ec152b
353 changed files with 13419 additions and 7867 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableBad.c
View File

@@ -19,7 +19,7 @@ int notify(int deviceNumber) {
DeviceConfig config;
initDeviceConfig(&config, deviceNumber);
// BAD: Using config without checking the status code that is returned
if (config->isEnabled) {
notifyChannel(config->channel);
if (config.isEnabled) {
notifyChannel(config.channel);
}
}
}

6
cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableGood.c
View File

@@ -20,8 +20,8 @@ void notify(int deviceNumber) {
int statusCode = initDeviceConfig(&config, deviceNumber);
if (statusCode == 0) {
// GOOD: Status code returned by initialization function is checked, so this is safe
if (config->isEnabled) {
notifyChannel(config->channel);
if (config.isEnabled) {
notifyChannel(config.channel);
}
}
}
}

59
cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll
View File

@@ -620,32 +620,47 @@ Function getAPossibleDefinition(Function undefinedFunction) {
}
/**
* Gets a possible target for the Call, using the name and parameter matching if we did not associate
* Helper predicate for `getTarget`, that computes possible targets of a `Call`.
*
* If there is at least one defined target after performing some simple virtual dispatch
* resolution, then the result is all the defined targets.
*/
private Function getTarget1(Call c) {
result = VirtualDispatch::getAViableTarget(c) and
result.isDefined()
}
/**
* Helper predicate for `getTarget`, that computes possible targets of a `Call`.
*
* If we can use the heuristic matching of functions to find definitions for some of the viable
* targets, return those.
*/
private Function getTarget2(Call c) {
not exists(getTarget1(c)) and
result = getAPossibleDefinition(VirtualDispatch::getAViableTarget(c))
}
/**
* Helper predicate for `getTarget`, that computes possible targets of a `Call`.
*
* Otherwise, the result is the undefined `Function` instances.
*/
private Function getTarget3(Call c) {
not exists(getTarget1(c)) and
not exists(getTarget2(c)) and
result = VirtualDispatch::getAViableTarget(c)
}
/**
* Gets a possible target for the `Call`, using the name and parameter matching if we did not associate
* this call with a specific definition at link or compile time, and performing simple virtual
* dispatch resolution.
*/
Function getTarget(Call c) {
if VirtualDispatch::getAViableTarget(c).isDefined()
then
/*
* If there is at least one defined target after performing some simple virtual dispatch
* resolution, then the result is all the defined targets.
*/
result = VirtualDispatch::getAViableTarget(c) and
result.isDefined()
else
if exists(getAPossibleDefinition(VirtualDispatch::getAViableTarget(c)))
then
/*
* If we can use the heuristic matching of functions to find definitions for some of the viable
* targets, return those.
*/
result = getAPossibleDefinition(VirtualDispatch::getAViableTarget(c))
else
// Otherwise, the result is the undefined `Function` instances
result = VirtualDispatch::getAViableTarget(c)
result = getTarget1(c) or
result = getTarget2(c) or
result = getTarget3(c)
}
/**

11
cpp/ql/src/semmle/code/cpp/Class.qll
View File

@@ -605,15 +605,6 @@ class Class extends UserType {
class_instantiation(underlyingElement(this), unresolveElement(c))
}
/**
* Gets the `i`th template argument used to instantiate this class from a
* class template. When called on a class template, this will return the
* `i`th template parameter.
*/
override Type getTemplateArgument(int i) {
class_template_argument(underlyingElement(this), i, unresolveElement(result))
}
/**
* Holds if this class/struct is polymorphic (has a virtual function, or
* inherits one).
@@ -623,7 +614,7 @@ class Class extends UserType {
}
override predicate involvesTemplateParameter() {
getATemplateArgument().involvesTemplateParameter()
getATemplateArgument().(Type).involvesTemplateParameter()
}
/** Holds if this class, struct or union was declared 'final'. */

71
cpp/ql/src/semmle/code/cpp/Declaration.qll
View File

@@ -193,20 +193,83 @@ abstract class Declaration extends Locatable, @declaration {
/**
* Gets a template argument used to instantiate this declaration from a template.
* When called on a template, this will return a template parameter.
* When called on a template, this will return a template parameter type for
* both typed and non-typed parameters.
*/
final Type getATemplateArgument() { result = getTemplateArgument(_) }
final Locatable getATemplateArgument() { result = getTemplateArgument(_) }
/**
* Gets a template argument used to instantiate this declaration from a template.
* When called on a template, this will return a non-typed template
* parameter value.
*/
final Locatable getATemplateArgumentKind() { result = getTemplateArgumentKind(_) }
/**
* Gets the `i`th template argument used to instantiate this declaration from a
* template. When called on a template, this will return the `i`th template parameter.
* template.
*
* For example:
*
* `template<typename T, T X> class Foo;`
*
* Will have `getTemplateArgument(0)` return `T`, and
* `getTemplateArgument(1)` return `X`.
*
* `Foo<int, 1> bar;
*
* Will have `getTemplateArgument())` return `int`, and
* `getTemplateArgument(1)` return `1`.
*/
Type getTemplateArgument(int index) { none() }
final Locatable getTemplateArgument(int index) {
if exists(getTemplateArgumentValue(index))
then result = getTemplateArgumentValue(index)
else result = getTemplateArgumentType(index)
}
/**
* Gets the `i`th template argument value used to instantiate this declaration
* from a template. When called on a template, this will return the `i`th template
* parameter value if it exists.
*
* For example:
*
* `template<typename T, T X> class Foo;`
*
* Will have `getTemplateArgumentKind(1)` return `T`, and no result for
* `getTemplateArgumentKind(0)`.
*
* `Foo<int, 10> bar;
*
* Will have `getTemplateArgumentKind(1)` return `int`, and no result for
* `getTemplateArgumentKind(0)`.
*/
final Locatable getTemplateArgumentKind(int index) {
if exists(getTemplateArgumentValue(index))
then result = getTemplateArgumentType(index)
else none()
}
/** Gets the number of template arguments for this declaration. */
final int getNumberOfTemplateArguments() {
result = count(int i | exists(getTemplateArgument(i)))
}
private Type getTemplateArgumentType(int index) {
class_template_argument(underlyingElement(this), index, unresolveElement(result))
or
function_template_argument(underlyingElement(this), index, unresolveElement(result))
or
variable_template_argument(underlyingElement(this), index, unresolveElement(result))
}
private Expr getTemplateArgumentValue(int index) {
class_template_argument_value(underlyingElement(this), index, unresolveElement(result))
or
function_template_argument_value(underlyingElement(this), index, unresolveElement(result))
or
variable_template_argument_value(underlyingElement(this), index, unresolveElement(result))
}
}
/**

9
cpp/ql/src/semmle/code/cpp/Function.qll
View File

@@ -343,15 +343,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
function_instantiation(underlyingElement(this), unresolveElement(f))
}
/**
* Gets the `i`th template argument used to instantiate this function from a
* function template. When called on a function template, this will return the
* `i`th template parameter.
*/
override Type getTemplateArgument(int index) {
function_template_argument(underlyingElement(this), index, unresolveElement(result))
}
/**
* Holds if this function is defined in several files. This is illegal in
* C (though possible in some C++ compilers), and likely indicates that

10
cpp/ql/src/semmle/code/cpp/Print.qll
View File

@@ -35,6 +35,14 @@ private string getParameterTypeString(Type parameterType) {
else result = parameterType.(DumpType).getTypeIdentityString()
}
private string getTemplateArgumentString(Declaration d, int i) {
if exists(d.getTemplateArgumentKind(i))
then
result = d.getTemplateArgumentKind(i).(DumpType).getTypeIdentityString() + " " +
d.getTemplateArgument(i)
else result = d.getTemplateArgument(i).(DumpType).getTypeIdentityString()
}
/**
* A `Declaration` extended to add methods for generating strings useful only for dumps and debugging.
*/
@@ -56,7 +64,7 @@ abstract private class DumpDeclaration extends Declaration {
strictconcat(int i |
exists(this.getTemplateArgument(i))
|
this.getTemplateArgument(i).(DumpType).getTypeIdentityString(), ", " order by i
getTemplateArgumentString(this, i), ", " order by i
) + ">"
else result = ""
}

2
cpp/ql/src/semmle/code/cpp/Type.qll
View File

@@ -210,7 +210,7 @@ class Type extends Locatable, @type {
// A function call that provides an explicit template argument that refers to T uses T.
// We exclude calls within instantiations, since they do not appear directly in the source.
exists(FunctionCall c |
c.getAnExplicitTemplateArgument().refersTo(this) and
c.getAnExplicitTemplateArgument().(Type).refersTo(this) and
result = c and
not c.getEnclosingFunction().isConstructedFrom(_)
)

9
cpp/ql/src/semmle/code/cpp/Variable.qll
View File

@@ -155,15 +155,6 @@ class Variable extends Declaration, @variable {
variable_instantiation(underlyingElement(this), unresolveElement(v))
}
/**
* Gets the `i`th template argument used to instantiate this variable from a
* variable template. When called on a variable template, this will return the
* `i`th template parameter.
*/
override Type getTemplateArgument(int index) {
variable_template_argument(underlyingElement(this), index, unresolveElement(result))
}
/**
* Holds if this is a compiler-generated variable. For example, a
* [range-based for loop](http://en.cppreference.com/w/cpp/language/range-for)

28
cpp/ql/src/semmle/code/cpp/dispatch/VirtualDispatch.qll
View File

@@ -28,6 +28,19 @@ module VirtualDispatch {
not result.hasName("IUnknown")
}
/**
* Helper predicate for `getAViableTarget`, which computes the viable targets for
* virtual calls based on the qualifier type.
*/
private Function getAViableVirtualCallTarget(Class qualifierType, MemberFunction staticTarget) {
exists(Class qualifierSubType |
result = getAPossibleImplementation(staticTarget) and
qualifierType = qualifierSubType.getABaseClass*() and
mayInherit(qualifierSubType, result) and
not cannotInherit(qualifierSubType, result)
)
}
/**
* Gets a viable target for the given function call.
*
@@ -42,18 +55,9 @@ module VirtualDispatch {
* If `c` is not a virtual call, the result will be `c.getTarget()`.
*/
Function getAViableTarget(Call c) {
exists(Function staticTarget | staticTarget = c.getTarget() |
if c.(FunctionCall).isVirtual() and staticTarget instanceof MemberFunction
then
exists(Class qualifierType, Class qualifierSubType |
result = getAPossibleImplementation(staticTarget) and
qualifierType = getCallQualifierType(c) and
qualifierType = qualifierSubType.getABaseClass*() and
mayInherit(qualifierSubType, result) and
not cannotInherit(qualifierSubType, result)
)
else result = staticTarget
)
if c.(FunctionCall).isVirtual() and c.getTarget() instanceof MemberFunction
then result = getAViableVirtualCallTarget(getCallQualifierType(c), c.getTarget())
else result = c.getTarget()
}
/** Holds if `f` is declared in `c` or a transitive base class of `c`. */

23
cpp/ql/src/semmle/code/cpp/exprs/Call.qll
View File

@@ -139,17 +139,29 @@ class FunctionCall extends Call, @funbindexpr {
override string getCanonicalQLClass() { result = "FunctionCall" }
/** Gets an explicit template argument for this call. */
Type getAnExplicitTemplateArgument() { result = getExplicitTemplateArgument(_) }
Locatable getAnExplicitTemplateArgument() { result = getExplicitTemplateArgument(_) }
/** Gets an explicit template argument value for this call. */
Locatable getAnExplicitTemplateArgumentKind() { result = getExplicitTemplateArgumentKind(_) }
/** Gets a template argument for this call. */
Type getATemplateArgument() { result = getTarget().getATemplateArgument() }
Locatable getATemplateArgument() { result = getTarget().getATemplateArgument() }
/** Gets a template argument value for this call. */
Locatable getATemplateArgumentKind() { result = getTarget().getATemplateArgumentKind() }
/** Gets the nth explicit template argument for this call. */
Type getExplicitTemplateArgument(int n) {
Locatable getExplicitTemplateArgument(int n) {
n < getNumberOfExplicitTemplateArguments() and
result = getTemplateArgument(n)
}
/** Gets the nth explicit template argument value for this call. */
Locatable getExplicitTemplateArgumentKind(int n) {
n < getNumberOfExplicitTemplateArguments() and
result = getTemplateArgumentKind(n)
}
/** Gets the number of explicit template arguments for this call. */
int getNumberOfExplicitTemplateArguments() {
if numtemplatearguments(underlyingElement(this), _)
@@ -161,7 +173,10 @@ class FunctionCall extends Call, @funbindexpr {
int getNumberOfTemplateArguments() { result = count(int i | exists(getTemplateArgument(i))) }
/** Gets the nth template argument for this call (indexed from 0). */
Type getTemplateArgument(int n) { result = getTarget().getTemplateArgument(n) }
Locatable getTemplateArgument(int n) { result = getTarget().getTemplateArgument(n) }
/** Gets the nth template argument value for this call (indexed from 0). */
Locatable getTemplateArgumentKind(int n) { result = getTarget().getTemplateArgumentKind(n) }
/** Holds if any template arguments for this call are implicit / deduced. */
predicate hasImplicitTemplateArguments() {

8
cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
View File

@@ -2,6 +2,7 @@ import cpp
import semmle.code.cpp.security.Security
private import semmle.code.cpp.ir.dataflow.DataFlow
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
/**
* A predictable instruction is one where an external user can predict
@@ -145,7 +146,8 @@ GlobalOrNamespaceVariable globalVarFromId(string id) {
}
Function resolveCall(Call call) {
// TODO: improve virtual dispatch. This will help in the test for
// `UncontrolledProcessOperation.ql`.
result = call.getTarget()
exists(CallInstruction callInstruction |
callInstruction.getAST() = call and
result = Dispatch::viableCallable(callInstruction)
)
}

53
cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
View File

@@ -1,5 +1,6 @@
private import cpp
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.DataFlow
Function viableImpl(CallInstruction call) { result = viableCallable(call) }
@@ -20,6 +21,58 @@ Function viableCallable(CallInstruction call) {
functionSignatureWithBody(qualifiedName, nparams, result) and
strictcount(Function other | functionSignatureWithBody(qualifiedName, nparams, other)) = 1
)
or
// Rudimentary virtual dispatch support. It's essentially local data flow
// where the source is a derived-to-base conversion and the target is the
// qualifier of a call.
exists(Class derived, DataFlow::Node thisArgument |
nodeMayHaveClass(derived, thisArgument) and
overrideMayAffectCall(derived, thisArgument, _, result, call)
)
}
/**
* Holds if `call` is a virtual function call with qualifier `thisArgument` in
* `enclosingFunction`, whose static target is overridden by
* `overridingFunction` in `overridingClass`.
*/
pragma[noinline]
private predicate overrideMayAffectCall(
Class overridingClass, DataFlow::Node thisArgument, Function enclosingFunction,
MemberFunction overridingFunction, CallInstruction call
) {
call.getEnclosingFunction() = enclosingFunction and
overridingFunction.getAnOverriddenFunction+() = call.getStaticCallTarget() and
overridingFunction.getDeclaringType() = overridingClass and
thisArgument = DataFlow::instructionNode(call.getThisArgument())
}
/**
* Holds if `node` may have dynamic class `derived`, where `derived` is a class
* that may affect virtual dispatch within the enclosing function.
*
* For the sake of performance, this recursion is written out manually to make
* it a relation on `Class x Node` rather than `Node x Node` or `MemberFunction
* x Node`, both of which would be larger. It's a forward search since there
* should usually be fewer classes than calls.
*
* If a value is cast several classes up in the hierarchy, that will be modeled
* as a chain of `ConvertToBaseInstruction`s and will cause the search to start
* from each of them and pass through subsequent ones. There might be
* performance to gain by stopping before a second upcast and reconstructing
* the full chain in a "big-step" recursion after this one.
*/
private predicate nodeMayHaveClass(Class derived, DataFlow::Node node) {
exists(ConvertToBaseInstruction toBase |
derived = toBase.getDerivedClass() and
overrideMayAffectCall(derived, _, toBase.getEnclosingFunction(), _, _) and
node.asInstruction() = toBase
)
or
exists(DataFlow::Node prev |
nodeMayHaveClass(derived, prev) and
DataFlow::localFlowStep(prev, node)
)
}
/**

3
cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
View File

@@ -205,7 +205,8 @@ private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction
iTo.(CopyInstruction).getSourceValue() = iFrom or
iTo.(PhiInstruction).getAnOperand().getDef() = iFrom or
// Treat all conversions as flow, even conversions between different numeric types.
iTo.(ConvertInstruction).getUnary() = iFrom
iTo.(ConvertInstruction).getUnary() = iFrom or
iTo.(InheritanceConversionInstruction).getUnary() = iFrom
}
/**

28
cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll
View File

@@ -4,6 +4,7 @@
private import internal.IRTypeInternal
cached
private newtype TIRType =
TIRVoidType() or
TIRUnknownType() or
@@ -42,6 +43,10 @@ class IRType extends TIRType {
*
* This will hold for all `IRType` objects except `IRUnknownType`.
*/
// This predicate is overridden with `pragma[noinline]` in every leaf subclass.
// This allows callers to ask for things like _the_ floating-point type of
// size 4 without getting a join that first finds all types of size 4 and
// _then_ restricts them to floating-point types.
int getByteSize() { none() }
/**
@@ -104,8 +109,6 @@ private class IRSizedType extends IRType {
this = TIRFunctionAddressType(byteSize) or
this = TIROpaqueType(_, byteSize)
}
final override int getByteSize() { result = byteSize }
}
/**
@@ -117,6 +120,9 @@ class IRBooleanType extends IRSizedType, TIRBooleanType {
final override Language::LanguageType getCanonicalLanguageType() {
result = Language::getCanonicalBooleanType(byteSize)
}
pragma[noinline]
final override int getByteSize() { result = byteSize }
}
/**
@@ -141,6 +147,9 @@ class IRSignedIntegerType extends IRNumericType, TIRSignedIntegerType {
final override Language::LanguageType getCanonicalLanguageType() {
result = Language::getCanonicalSignedIntegerType(byteSize)
}
pragma[noinline]
final override int getByteSize() { result = byteSize }
}
/**
@@ -153,6 +162,9 @@ class IRUnsignedIntegerType extends IRNumericType, TIRUnsignedIntegerType {
final override Language::LanguageType getCanonicalLanguageType() {
result = Language::getCanonicalUnsignedIntegerType(byteSize)
}
pragma[noinline]
final override int getByteSize() { result = byteSize }
}
/**
@@ -164,6 +176,9 @@ class IRFloatingPointType extends IRNumericType, TIRFloatingPointType {
final override Language::LanguageType getCanonicalLanguageType() {
result = Language::getCanonicalFloatingPointType(byteSize)
}
pragma[noinline]
final override int getByteSize() { result = byteSize }
}
/**
@@ -178,6 +193,9 @@ class IRAddressType extends IRSizedType, TIRAddressType {
final override Language::LanguageType getCanonicalLanguageType() {
result = Language::getCanonicalAddressType(byteSize)
}
pragma[noinline]
final override int getByteSize() { result = byteSize }
}
/**
@@ -190,6 +208,9 @@ class IRFunctionAddressType extends IRSizedType, TIRFunctionAddressType {
final override Language::LanguageType getCanonicalLanguageType() {
result = Language::getCanonicalFunctionAddressType(byteSize)
}
pragma[noinline]
final override int getByteSize() { result = byteSize }
}
/**
@@ -218,6 +239,9 @@ class IROpaqueType extends IRSizedType, TIROpaqueType {
* same size.
*/
final Language::OpaqueTypeTag getTag() { result = tag }
pragma[noinline]
final override int getByteSize() { result = byteSize }
}
module IRTypeSanity {

11
cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
View File

@@ -51,20 +51,23 @@ private module Cached {
Expr getInstructionConvertedResultExpression(Instruction instruction) {
exists(TranslatedExpr translatedExpr |
translatedExpr = getTranslatedExpr(result) and
instruction = translatedExpr.getResult()
instruction = translatedExpr.getResult() and
// Only associate `instruction` with this expression if the translated
// expression actually produced the instruction; not if it merely
// forwarded the result of another translated expression.
instruction = translatedExpr.getInstruction(_)
)
}
cached
Expr getInstructionUnconvertedResultExpression(Instruction instruction) {
exists(Expr converted, TranslatedExpr translatedExpr |
exists(Expr converted |
result = converted.(Conversion).getExpr+()
or
result = converted
|
not result instanceof Conversion and
translatedExpr = getTranslatedExpr(converted) and
instruction = translatedExpr.getResult()
converted = getInstructionConvertedResultExpression(instruction)
)
}

1
cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
View File

@@ -45,6 +45,7 @@ newtype TInstructionTag =
ConditionValueResultLoadTag() or
BoolConversionConstantTag() or
BoolConversionCompareTag() or
ResultCopyTag() or
LoadTag() or // Implicit load due to lvalue-to-rvalue conversion
CatchTag() or
ThrowTag() or

10
cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
View File

@@ -9,6 +9,7 @@ private import InstructionTag
private import TranslatedCondition
private import TranslatedFunction
private import TranslatedStmt
private import TranslatedExpr
private import IRConstruction
private import semmle.code.cpp.models.interfaces.SideEffect
@@ -235,6 +236,15 @@ newtype TTranslatedElement =
expr.hasLValueToRValueConversion() and
not ignoreLoad(expr)
} or
TTranslatedResultCopy(Expr expr) {
not ignoreExpr(expr) and
exprNeedsCopyIfNotLoaded(expr) and
// Doesn't have a TTranslatedLoad
not (
expr.hasLValueToRValueConversion() and
not ignoreLoad(expr)
)
} or
// An expression most naturally translated as control flow.
TTranslatedNativeCondition(Expr expr) {
not ignoreExpr(expr) and

127
cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
View File

@@ -62,12 +62,11 @@ abstract class TranslatedExpr extends TranslatedElement {
/**
* Holds if the result of this `TranslatedExpr` is a glvalue.
*/
private predicate isResultGLValue() {
predicate isResultGLValue() {
// This implementation is overridden in `TranslatedCoreExpr` to mark them
// as glvalues if they have loads on them. It's not overridden in
// `TranslatedResultCopy` since result copies never have loads.
expr.isGLValueCategory()
or
// If this TranslatedExpr doesn't produce the result, then it must represent
// a glvalue that is then loaded by a TranslatedLoad.
not producesExprResult()
}
final override Locatable getAST() { result = expr }
@@ -96,14 +95,28 @@ abstract class TranslatedExpr extends TranslatedElement {
abstract class TranslatedCoreExpr extends TranslatedExpr {
final override string toString() { result = expr.toString() }
/**
* Holds if the result of this `TranslatedExpr` is a glvalue.
*/
override predicate isResultGLValue() {
super.isResultGLValue()
or
// If this TranslatedExpr doesn't produce the result, then it must represent
// a glvalue that is then loaded by a TranslatedLoad.
hasLoad()
}
final predicate hasLoad() {
expr.hasLValueToRValueConversion() and
not ignoreLoad(expr)
}
final override predicate producesExprResult() {
// If there's no load, then this is the only TranslatedExpr for this
// expression.
not expr.hasLValueToRValueConversion()
or
// If we're supposed to ignore the load on this expression, then this
// is the only TranslatedExpr.
ignoreLoad(expr)
not hasLoad() and
// If there's a result copy, then this expression's result is the copy.
not exprNeedsCopyIfNotLoaded(expr)
}
}
@@ -288,6 +301,48 @@ class TranslatedLoad extends TranslatedExpr, TTranslatedLoad {
private TranslatedCoreExpr getOperand() { result.getExpr() = expr }
}
/**
* IR translation of an implicit lvalue-to-rvalue conversion on the result of
* an expression.
*/
class TranslatedResultCopy extends TranslatedExpr, TTranslatedResultCopy {
TranslatedResultCopy() { this = TTranslatedResultCopy(expr) }
override string toString() { result = "Result of " + expr.toString() }
override Instruction getFirstInstruction() { result = getOperand().getFirstInstruction() }
override TranslatedElement getChild(int id) { id = 0 and result = getOperand() }
override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
tag = ResultCopyTag() and
opcode instanceof Opcode::CopyValue and
resultType = getOperand().getResultType()
}
override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
tag = ResultCopyTag() and
result = getParent().getChildSuccessor(this) and
kind instanceof GotoEdge
}
override Instruction getChildSuccessor(TranslatedElement child) {
child = getOperand() and result = getInstruction(ResultCopyTag())
}
override Instruction getResult() { result = getInstruction(ResultCopyTag()) }
override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
tag = ResultCopyTag() and
operandTag instanceof UnaryOperandTag and
result = getOperand().getResult()
}
final override predicate producesExprResult() { any() }
private TranslatedCoreExpr getOperand() { result.getExpr() = expr }
}
class TranslatedCommaExpr extends TranslatedNonConstantExpr {
override CommaExpr expr;
@@ -2403,6 +2458,58 @@ class TranslatedErrorExpr extends TranslatedSingleInstructionExpr {
final override Opcode getOpcode() { result instanceof Opcode::Error }
}
/**
* Holds if the translation of `expr` will not directly generate any
* `Instruction` for use as result. For such instructions we can synthesize a
* `CopyValue` instruction to ensure that there is a 1-to-1 mapping between
* expressions and result-bearing instructions.
*/
// This should ideally be a dispatch predicate on TranslatedNonConstantExpr,
// but it doesn't look monotonic to QL.
predicate exprNeedsCopyIfNotLoaded(Expr expr) {
(
expr instanceof AssignExpr
or
expr instanceof AssignOperation and
not expr.isPRValueCategory() // is C++
or
expr instanceof PrefixCrementOperation and
not expr.isPRValueCategory() // is C++
or
expr instanceof PointerDereferenceExpr
or
expr instanceof AddressOfExpr
or
expr instanceof BuiltInOperationBuiltInAddressOf
or
// No case for ParenthesisExpr to avoid getting too many instructions
expr instanceof ReferenceDereferenceExpr
or
expr instanceof ReferenceToExpr
or
expr instanceof CommaExpr
or
expr instanceof ConditionDeclExpr
// TODO: simplify TranslatedStmtExpr too
) and
not exprImmediatelyDiscarded(expr)
}
/**
* Holds if `expr` is immediately discarded. Such expressions do not need a
* `CopyValue` because it's unlikely that anyone is interested in their value.
*/
private predicate exprImmediatelyDiscarded(Expr expr) {
exists(ExprStmt s |
s = expr.getParent() and
not exists(StmtExpr se | s = se.getStmt().(Block).getLastStmt())
)
or
exists(CommaExpr c | c.getLeftOperand() = expr)
or
exists(ForStmt for | for.getUpdate() = expr)
}
/**
* The IR translation of an `__assume` expression. We currently translate these as `NoOp`. In the
* future, we will probably want to do something better. At a minimum, we can model `__assume(0)` as

2
cpp/ql/src/semmle/code/cpp/ir/internal/CppType.qll
View File

@@ -175,6 +175,7 @@ private IRType getIRTypeForPRValue(Type type) {
)
}
cached
private newtype TCppType =
TPRValueType(Type type) { exists(getIRTypeForPRValue(type)) } or
TFunctionGLValueType() or
@@ -203,6 +204,7 @@ class CppType extends TCppType {
* Gets the `IRType` that represents this `CppType`. Many different `CppType`s can map to a single
* `IRType`.
*/
cached
IRType getIRType() { none() }
/**

15
cpp/ql/src/semmlecode.cpp.dbscheme
View File

@@ -731,6 +731,11 @@ class_template_argument(
int index: int ref,
int arg_type: @type ref
);
class_template_argument_value(
int type_id: @usertype ref,
int index: int ref,
int arg_value: @expr ref
);
is_proxy_class_for(
unique int id: @usertype ref,
@@ -755,6 +760,11 @@ function_template_argument(
int index: int ref,
int arg_type: @type ref
);
function_template_argument_value(
int function_id: @function ref,
int index: int ref,
int arg_value: @expr ref
);
is_variable_template(unique int id: @variable ref);
variable_instantiation(
@@ -766,6 +776,11 @@ variable_template_argument(
int index: int ref,
int arg_type: @type ref
);
variable_template_argument_value(
int variable_id: @variable ref,
int index: int ref,
int arg_value: @expr ref
);
/*
Fixed point types

10940
cpp/ql/src/semmlecode.cpp.dbscheme.stats
View File

File diff suppressed because it is too large Load Diff

46
cpp/ql/test/library-tests/dataflow/dataflow-tests/dispatch.cpp Normal file
View File

@@ -0,0 +1,46 @@
int source();
void sink(int);
// This class has the opposite behavior of what the member function names suggest.
struct Top {
virtual int isSource1() { return 0; }
virtual int isSource2() { return 0; }
virtual void isSink(int x) { }
virtual int notSource1() { return source(); }
virtual int notSource2() { return source(); }
virtual void notSink(int x) { sink(x); }
};
// This class has the correct behavior for just the functions ending in 2.
struct Middle : Top {
int isSource2() override { return source(); }
int notSource2() override { return 0; }
};
// This class has all the behavior suggested by the function names.
struct Bottom : Middle {
int isSource1() override { return source(); }
void isSink(int x) override { sink(x); }
int notSource1() override { return 0; }
void notSink(int x) override { }
};
void VirtualDispatch(Bottom *bottomPtr, Bottom &bottomRef) {
Top *topPtr = bottomPtr, &topRef = bottomRef;
sink(topPtr->isSource1()); // flow [NOT DETECTED by AST]
sink(topPtr->isSource2()); // flow [NOT DETECTED by AST]
topPtr->isSink(source()); // flow [NOT DETECTED by AST]
sink(topPtr->notSource1()); // no flow [FALSE POSITIVE]
sink(topPtr->notSource2()); // no flow [FALSE POSITIVE]
topPtr->notSink(source()); // no flow [FALSE POSITIVE]
sink(topRef.isSource1()); // flow [NOT DETECTED by AST]
sink(topRef.isSource2()); // flow [NOT DETECTED by AST]
topRef.isSink(source()); // flow [NOT DETECTED by AST]
sink(topRef.notSource1()); // no flow [FALSE POSITIVE]
sink(topRef.notSource2()); // no flow [FALSE POSITIVE]
topRef.notSink(source()); // no flow [FALSE POSITIVE]
}

6
cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
View File

@@ -15,6 +15,12 @@
| clang.cpp:30:27:30:34 | call to getFirst | clang.cpp:28:27:28:32 | call to source |
| clang.cpp:37:10:37:11 | m2 | clang.cpp:34:32:34:37 | call to source |
| clang.cpp:45:17:45:18 | m2 | clang.cpp:43:35:43:40 | call to source |
| dispatch.cpp:11:38:11:38 | x | dispatch.cpp:37:19:37:24 | call to source |
| dispatch.cpp:11:38:11:38 | x | dispatch.cpp:45:18:45:23 | call to source |
| dispatch.cpp:35:16:35:25 | call to notSource1 | dispatch.cpp:9:37:9:42 | call to source |
| dispatch.cpp:36:16:36:25 | call to notSource2 | dispatch.cpp:10:37:10:42 | call to source |
| dispatch.cpp:43:15:43:24 | call to notSource1 | dispatch.cpp:9:37:9:42 | call to source |
| dispatch.cpp:44:15:44:24 | call to notSource2 | dispatch.cpp:10:37:10:42 | call to source |
| lambdas.cpp:14:3:14:6 | t | lambdas.cpp:8:10:8:15 | call to source |
| lambdas.cpp:18:8:18:8 | call to operator() | lambdas.cpp:8:10:8:15 | call to source |
| lambdas.cpp:21:3:21:6 | t | lambdas.cpp:8:10:8:15 | call to source |

6
cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
View File

@@ -5,6 +5,12 @@
| clang.cpp:28:27:28:32 | clang.cpp:29:27:29:28 | AST only |
| clang.cpp:28:27:28:32 | clang.cpp:30:27:30:34 | AST only |
| clang.cpp:39:42:39:47 | clang.cpp:41:18:41:19 | IR only |
| dispatch.cpp:16:37:16:42 | dispatch.cpp:32:16:32:24 | IR only |
| dispatch.cpp:16:37:16:42 | dispatch.cpp:40:15:40:23 | IR only |
| dispatch.cpp:22:37:22:42 | dispatch.cpp:31:16:31:24 | IR only |
| dispatch.cpp:22:37:22:42 | dispatch.cpp:39:15:39:23 | IR only |
| dispatch.cpp:33:18:33:23 | dispatch.cpp:23:38:23:38 | IR only |
| dispatch.cpp:41:17:41:22 | dispatch.cpp:23:38:23:38 | IR only |
| lambdas.cpp:8:10:8:15 | lambdas.cpp:14:3:14:6 | AST only |
| lambdas.cpp:8:10:8:15 | lambdas.cpp:18:8:18:8 | AST only |
| lambdas.cpp:8:10:8:15 | lambdas.cpp:21:3:21:6 | AST only |

12
cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected
View File

@@ -12,6 +12,18 @@
| clang.cpp:37:10:37:11 | Load: m2 | clang.cpp:34:32:34:37 | Call: call to source |
| clang.cpp:41:18:41:19 | Load: m2 | clang.cpp:39:42:39:47 | Call: call to source |
| clang.cpp:45:17:45:18 | Load: m2 | clang.cpp:43:35:43:40 | Call: call to source |
| dispatch.cpp:11:38:11:38 | Load: x | dispatch.cpp:37:19:37:24 | Call: call to source |
| dispatch.cpp:11:38:11:38 | Load: x | dispatch.cpp:45:18:45:23 | Call: call to source |
| dispatch.cpp:23:38:23:38 | Load: x | dispatch.cpp:33:18:33:23 | Call: call to source |
| dispatch.cpp:23:38:23:38 | Load: x | dispatch.cpp:41:17:41:22 | Call: call to source |
| dispatch.cpp:31:16:31:24 | Call: call to isSource1 | dispatch.cpp:22:37:22:42 | Call: call to source |
| dispatch.cpp:32:16:32:24 | Call: call to isSource2 | dispatch.cpp:16:37:16:42 | Call: call to source |
| dispatch.cpp:35:16:35:25 | Call: call to notSource1 | dispatch.cpp:9:37:9:42 | Call: call to source |
| dispatch.cpp:36:16:36:25 | Call: call to notSource2 | dispatch.cpp:10:37:10:42 | Call: call to source |
| dispatch.cpp:39:15:39:23 | Call: call to isSource1 | dispatch.cpp:22:37:22:42 | Call: call to source |
| dispatch.cpp:40:15:40:23 | Call: call to isSource2 | dispatch.cpp:16:37:16:42 | Call: call to source |
| dispatch.cpp:43:15:43:24 | Call: call to notSource1 | dispatch.cpp:9:37:9:42 | Call: call to source |
| dispatch.cpp:44:15:44:24 | Call: call to notSource2 | dispatch.cpp:10:37:10:42 | Call: call to source |
| test.cpp:7:8:7:9 | Load: t1 | test.cpp:6:12:6:17 | Call: call to source |
| test.cpp:9:8:9:9 | Load: t1 | test.cpp:6:12:6:17 | Call: call to source |
| test.cpp:10:8:10:9 | Load: t2 | test.cpp:6:12:6:17 | Call: call to source |

39
cpp/ql/test/library-tests/ir/escape/points_to.expected
View File

@@ -1,6 +1,16 @@
| escape.cpp:111:18:111:21 | CopyValue | no_+0:0 | no_+0:0 |
| escape.cpp:115:19:115:28 | PointerAdd[4] | no_+0:0 | no_+0:0 |
| escape.cpp:115:20:115:23 | CopyValue | no_+0:0 | no_+0:0 |
| escape.cpp:116:19:116:28 | PointerSub[4] | no_+0:0 | no_+0:0 |
| escape.cpp:116:20:116:23 | CopyValue | no_+0:0 | no_+0:0 |
| escape.cpp:117:19:117:26 | PointerAdd[4] | no_+0:0 | no_+0:0 |
| escape.cpp:117:23:117:26 | CopyValue | no_+0:0 | no_+0:0 |
| escape.cpp:118:9:118:12 | CopyValue | no_+0:0 | no_+0:0 |
| escape.cpp:120:12:120:15 | CopyValue | no_+0:0 | no_+0:0 |
| escape.cpp:123:14:123:17 | CopyValue | no_+0:0 | no_+0:0 |
| escape.cpp:124:15:124:18 | CopyValue | no_+0:0 | no_+0:0 |
| escape.cpp:127:9:127:12 | CopyValue | no_+0:0 | no_+0:0 |
| escape.cpp:129:12:129:15 | CopyValue | no_+0:0 | no_+0:0 |
| escape.cpp:134:5:134:18 | Convert | no_Array+0:0 | no_Array+0:0 |
| escape.cpp:134:11:134:18 | Convert | no_Array+0:0 | no_Array+0:0 |
| escape.cpp:135:5:135:12 | Convert | no_Array+0:0 | no_Array+0:0 |
@@ -16,9 +26,14 @@
| escape.cpp:140:21:140:32 | FieldAddress[z] | no_Point+8:0 | no_Point+8:0 |
| escape.cpp:141:27:141:27 | FieldAddress[x] | no_Point+0:0 | no_Point+0:0 |
| escape.cpp:142:14:142:14 | FieldAddress[y] | no_Point+4:0 | no_Point+4:0 |
| escape.cpp:143:19:143:27 | CopyValue | no_Point+0:0 | no_Point+0:0 |
| escape.cpp:143:31:143:31 | FieldAddress[y] | no_Point+4:0 | no_Point+4:0 |
| escape.cpp:144:6:144:14 | CopyValue | no_Point+0:0 | no_Point+0:0 |
| escape.cpp:144:18:144:18 | FieldAddress[y] | no_Point+4:0 | no_Point+4:0 |
| escape.cpp:145:20:145:30 | CopyValue | no_Point+8:0 | no_Point+8:0 |
| escape.cpp:145:30:145:30 | FieldAddress[z] | no_Point+8:0 | no_Point+8:0 |
| escape.cpp:146:5:146:18 | CopyValue | no_Point+8:0 | no_Point+8:0 |
| escape.cpp:146:7:146:17 | CopyValue | no_Point+8:0 | no_Point+8:0 |
| escape.cpp:146:17:146:17 | FieldAddress[z] | no_Point+8:0 | no_Point+8:0 |
| escape.cpp:149:5:149:14 | ConvertToBase[Derived : Intermediate1] | no_Derived+0:0 | no_Derived+0:0 |
| escape.cpp:149:5:149:14 | ConvertToBase[Intermediate1 : Base] | no_Derived+0:0 | no_Derived+0:0 |
@@ -30,18 +45,42 @@
| escape.cpp:151:16:151:17 | FieldAddress[i2] | no_Derived+16:0 | no_Derived+16:0 |
| escape.cpp:152:19:152:28 | ConvertToBase[Derived : Intermediate2] | no_Derived+12:0 | no_Derived+12:0 |
| escape.cpp:152:30:152:31 | FieldAddress[i2] | no_Derived+16:0 | no_Derived+16:0 |
| escape.cpp:155:17:155:30 | CopyValue | no_ssa_addrOf+0:0 | no_ssa_addrOf+0:0 |
| escape.cpp:155:17:155:30 | Store | no_ssa_addrOf+0:0 | no_ssa_addrOf+0:0 |
| escape.cpp:158:17:158:28 | CopyValue | no_ssa_refTo+0:0 | no_ssa_refTo+0:0 |
| escape.cpp:158:17:158:28 | Store | no_ssa_refTo+0:0 | no_ssa_refTo+0:0 |
| escape.cpp:161:19:161:42 | Convert | no_ssa_refToArrayElement+0:0 | no_ssa_refToArrayElement+0:0 |
| escape.cpp:161:19:161:45 | CopyValue | no_ssa_refToArrayElement+20:0 | no_ssa_refToArrayElement+20:0 |
| escape.cpp:161:19:161:45 | PointerAdd[4] | no_ssa_refToArrayElement+20:0 | no_ssa_refToArrayElement+20:0 |
| escape.cpp:161:19:161:45 | Store | no_ssa_refToArrayElement+20:0 | no_ssa_refToArrayElement+20:0 |
| escape.cpp:164:24:164:40 | CopyValue | no_ssa_refToArray+0:0 | no_ssa_refToArray+0:0 |
| escape.cpp:164:24:164:40 | Store | no_ssa_refToArray+0:0 | no_ssa_refToArray+0:0 |
| escape.cpp:167:19:167:28 | CopyValue | passByPtr+0:0 | passByPtr+0:0 |
| escape.cpp:170:21:170:29 | CopyValue | passByRef+0:0 | passByRef+0:0 |
| escape.cpp:173:22:173:38 | CopyValue | no_ssa_passByPtr+0:0 | no_ssa_passByPtr+0:0 |
| escape.cpp:176:24:176:39 | CopyValue | no_ssa_passByRef+0:0 | no_ssa_passByRef+0:0 |
| escape.cpp:179:22:179:42 | CopyValue | no_ssa_passByPtr_ret+0:0 | no_ssa_passByPtr_ret+0:0 |
| escape.cpp:182:24:182:43 | CopyValue | no_ssa_passByRef_ret+0:0 | no_ssa_passByRef_ret+0:0 |
| escape.cpp:185:30:185:40 | CopyValue | passByPtr2+0:0 | passByPtr2+0:0 |
| escape.cpp:188:32:188:41 | CopyValue | passByRef2+0:0 | passByRef2+0:0 |
| escape.cpp:191:30:191:42 | Call | none | passByPtr3+0:0 |
| escape.cpp:191:44:191:54 | CopyValue | passByPtr3+0:0 | passByPtr3+0:0 |
| escape.cpp:194:32:194:46 | Call | none | passByRef3+0:0 |
| escape.cpp:194:32:194:59 | CopyValue | none | passByRef3+0:0 |
| escape.cpp:194:48:194:57 | CopyValue | passByRef3+0:0 | passByRef3+0:0 |
| escape.cpp:199:17:199:34 | CopyValue | no_ssa_passByPtr4+0:0 | no_ssa_passByPtr4+0:0 |
| escape.cpp:199:37:199:54 | CopyValue | no_ssa_passByPtr5+0:0 | no_ssa_passByPtr5+0:0 |
| escape.cpp:202:5:202:19 | Call | none | passByRef6+0:0 |
| escape.cpp:202:5:202:32 | CopyValue | none | passByRef6+0:0 |
| escape.cpp:202:21:202:30 | CopyValue | passByRef6+0:0 | passByRef6+0:0 |
| escape.cpp:205:5:205:19 | Call | none | no_ssa_passByRef7+0:0 |
| escape.cpp:205:5:205:39 | CopyValue | none | no_ssa_passByRef7+0:0 |
| escape.cpp:205:21:205:37 | CopyValue | no_ssa_passByRef7+0:0 | no_ssa_passByRef7+0:0 |
| escape.cpp:209:14:209:25 | Call | none | no_ssa_c+0:0 |
| escape.cpp:217:14:217:16 | CopyValue | c2+0:0 | c2+0:0 |
| escape.cpp:221:8:221:19 | Call | none | c3+0:0 |
| escape.cpp:225:17:225:28 | Call | none | c4+0:0 |
| escape.cpp:247:2:247:27 | Store | condEscape1+0:0 | condEscape1+0:0 |
| escape.cpp:247:16:247:27 | CopyValue | condEscape1+0:0 | condEscape1+0:0 |
| escape.cpp:249:9:249:34 | Store | condEscape2+0:0 | condEscape2+0:0 |
| escape.cpp:249:23:249:34 | CopyValue | condEscape2+0:0 | condEscape2+0:0 |

51
cpp/ql/test/library-tests/ir/ir/PrintAST.expected
View File

@@ -67,31 +67,7 @@ bad_asts.cpp:
# 5| params:
#-----| 0: [Parameter] p#0
#-----| Type = [RValueReferenceType] S &&
# 9| [MemberFunction] int Bad::S::MemberFunction(int)
# 9| params:
# 9| 0: [Parameter] y
# 9| Type = [IntType] int
# 9| body: [Block] { ... }
# 10| 0: [ReturnStmt] return ...
# 10| 0: [AddExpr] ... + ...
# 10| Type = [IntType] int
# 10| ValueCategory = prvalue
# 10| 0: [AddExpr] ... + ...
# 10| Type = [IntType] int
# 10| ValueCategory = prvalue
# 10| 0: [Literal] Unknown literal
# 10| Type = [IntType] int
# 10| ValueCategory = prvalue
# 10| 1: [PointerFieldAccess] x
# 10| Type = [IntType] int
# 10| ValueCategory = prvalue(load)
#-----| -1: [ThisExpr] this
#-----| Type = [PointerType] S *
#-----| ValueCategory = prvalue(load)
# 10| 1: [VariableAccess] y
# 10| Type = [IntType] int
# 10| ValueCategory = prvalue(load)
# 9| [TopLevelFunction] int MemberFunction(int)
# 9| [FunctionTemplateInstantiation,MemberFunction] int Bad::S::MemberFunction<int 6>(int)
# 9| params:
# 9| 0: [Parameter] y
# 9| Type = [IntType] int
@@ -116,6 +92,31 @@ bad_asts.cpp:
# 10| 1: [VariableAccess] y
# 10| Type = [IntType] int
# 10| ValueCategory = prvalue(load)
# 9| [MemberFunction,TemplateFunction] int Bad::S::MemberFunction<int t>(int)
# 9| params:
# 9| 0: [Parameter] y
# 9| Type = [IntType] int
# 9| body: [Block] { ... }
# 10| 0: [ReturnStmt] return ...
# 10| 0: [AddExpr] ... + ...
# 10| Type = [IntType] int
# 10| ValueCategory = prvalue
# 10| 0: [AddExpr] ... + ...
# 10| Type = [IntType] int
# 10| ValueCategory = prvalue
# 10| 0: [Literal] t
# 10| Type = [IntType] int
# 10| Value = [Literal] t
# 10| ValueCategory = prvalue
# 10| 1: [PointerFieldAccess] x
# 10| Type = [IntType] int
# 10| ValueCategory = prvalue(load)
#-----| -1: [ThisExpr] this
#-----| Type = [PointerType] S *
#-----| ValueCategory = prvalue(load)
# 10| 1: [VariableAccess] y
# 10| Type = [IntType] int
# 10| ValueCategory = prvalue(load)
# 14| [TopLevelFunction] void Bad::CallBadMemberFunction()
# 14| params:
# 14| body: [Block] { ... }

2130
cpp/ql/test/library-tests/ir/ir/raw_ir.expected
View File

File diff suppressed because it is too large Load Diff

150
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
View File

@@ -215,8 +215,9 @@ ssa.cpp:
# 70| r1_3(int) = Constant[1] :
# 70| r1_4(char *) = PointerAdd[1] : r1_2, r1_3
# 70| m1_5(char *) = Store : &:r1_1, r1_4
# 70| m1_6(char) = Store : &:r1_2, r1_0
# 70| m1_7(unknown) = Chi : total:m3_0, partial:m1_6
# 70| r1_6(glval<char>) = CopyValue : r1_2
# 70| m1_7(char) = Store : &:r1_6, r1_0
# 70| m1_8(unknown) = Chi : total:m3_0, partial:m1_7
#-----| Goto (back edge) -> Block 3
# 71| Block 2
@@ -227,7 +228,7 @@ ssa.cpp:
# 68| v2_4(void) = ExitFunction :
# 69| Block 3
# 69| m3_0(unknown) = Phi : from 0:~m0_1, from 1:~m1_7
# 69| m3_0(unknown) = Phi : from 0:~m0_1, from 1:~m1_8
# 69| m3_1(int) = Phi : from 0:m0_4, from 1:m3_7
# 69| m3_2(char *) = Phi : from 0:m0_6, from 1:m1_5
# 69| r3_3(glval<int>) = VariableAddress[n] :
@@ -330,18 +331,19 @@ ssa.cpp:
# 96| m0_9(Point) = Store : &:r0_6, r0_8
# 97| r0_10(glval<unknown>) = FunctionAddress[Escape] :
# 97| r0_11(glval<Point>) = VariableAddress[a] :
# 97| r0_12(void *) = Convert : r0_11
# 97| v0_13(void) = Call : func:r0_10, 0:r0_12
# 97| m0_14(unknown) = ^CallSideEffect : ~m0_5
# 97| m0_15(unknown) = Chi : total:m0_5, partial:m0_14
# 97| v0_16(void) = ^BufferReadSideEffect[0] : &:r0_12, ~m0_15
# 97| m0_17(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_12
# 97| m0_18(unknown) = Chi : total:m0_15, partial:m0_17
# 98| v0_19(void) = NoOp :
# 95| v0_20(void) = ReturnVoid :
# 95| v0_21(void) = UnmodeledUse : mu*
# 95| v0_22(void) = AliasedUse : ~m0_15
# 95| v0_23(void) = ExitFunction :
# 97| r0_12(Point *) = CopyValue : r0_11
# 97| r0_13(void *) = Convert : r0_12
# 97| v0_14(void) = Call : func:r0_10, 0:r0_13
# 97| m0_15(unknown) = ^CallSideEffect : ~m0_5
# 97| m0_16(unknown) = Chi : total:m0_5, partial:m0_15
# 97| v0_17(void) = ^BufferReadSideEffect[0] : &:r0_13, ~m0_16
# 97| m0_18(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_13
# 97| m0_19(unknown) = Chi : total:m0_16, partial:m0_18
# 98| v0_20(void) = NoOp :
# 95| v0_21(void) = ReturnVoid :
# 95| v0_22(void) = UnmodeledUse : mu*
# 95| v0_23(void) = AliasedUse : ~m0_16
# 95| v0_24(void) = ExitFunction :
# 100| void MustTotallyOverlap(Point)
# 100| Block 0
@@ -386,18 +388,19 @@ ssa.cpp:
# 107| m0_15(int) = Store : &:r0_11, r0_14
# 108| r0_16(glval<unknown>) = FunctionAddress[Escape] :
# 108| r0_17(glval<Point>) = VariableAddress[a] :
# 108| r0_18(void *) = Convert : r0_17
# 108| v0_19(void) = Call : func:r0_16, 0:r0_18
# 108| m0_20(unknown) = ^CallSideEffect : ~m0_5
# 108| m0_21(unknown) = Chi : total:m0_5, partial:m0_20
# 108| v0_22(void) = ^BufferReadSideEffect[0] : &:r0_18, ~m0_21
# 108| m0_23(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_18
# 108| m0_24(unknown) = Chi : total:m0_21, partial:m0_23
# 109| v0_25(void) = NoOp :
# 105| v0_26(void) = ReturnVoid :
# 105| v0_27(void) = UnmodeledUse : mu*
# 105| v0_28(void) = AliasedUse : ~m0_21
# 105| v0_29(void) = ExitFunction :
# 108| r0_18(Point *) = CopyValue : r0_17
# 108| r0_19(void *) = Convert : r0_18
# 108| v0_20(void) = Call : func:r0_16, 0:r0_19
# 108| m0_21(unknown) = ^CallSideEffect : ~m0_5
# 108| m0_22(unknown) = Chi : total:m0_5, partial:m0_21
# 108| v0_23(void) = ^BufferReadSideEffect[0] : &:r0_19, ~m0_22
# 108| m0_24(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_19
# 108| m0_25(unknown) = Chi : total:m0_22, partial:m0_24
# 109| v0_26(void) = NoOp :
# 105| v0_27(void) = ReturnVoid :
# 105| v0_28(void) = UnmodeledUse : mu*
# 105| v0_29(void) = AliasedUse : ~m0_22
# 105| v0_30(void) = ExitFunction :
# 111| void MayPartiallyOverlap(int, int)
# 111| Block 0
@@ -458,18 +461,19 @@ ssa.cpp:
# 118| m0_23(Point) = Store : &:r0_20, r0_22
# 119| r0_24(glval<unknown>) = FunctionAddress[Escape] :
# 119| r0_25(glval<Point>) = VariableAddress[a] :
# 119| r0_26(void *) = Convert : r0_25
# 119| v0_27(void) = Call : func:r0_24, 0:r0_26
# 119| m0_28(unknown) = ^CallSideEffect : ~m0_19
# 119| m0_29(unknown) = Chi : total:m0_19, partial:m0_28
# 119| v0_30(void) = ^BufferReadSideEffect[0] : &:r0_26, ~m0_29
# 119| m0_31(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_26
# 119| m0_32(unknown) = Chi : total:m0_29, partial:m0_31
# 120| v0_33(void) = NoOp :
# 116| v0_34(void) = ReturnVoid :
# 116| v0_35(void) = UnmodeledUse : mu*
# 116| v0_36(void) = AliasedUse : ~m0_29
# 116| v0_37(void) = ExitFunction :
# 119| r0_26(Point *) = CopyValue : r0_25
# 119| r0_27(void *) = Convert : r0_26
# 119| v0_28(void) = Call : func:r0_24, 0:r0_27
# 119| m0_29(unknown) = ^CallSideEffect : ~m0_19
# 119| m0_30(unknown) = Chi : total:m0_19, partial:m0_29
# 119| v0_31(void) = ^BufferReadSideEffect[0] : &:r0_27, ~m0_30
# 119| m0_32(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_27
# 119| m0_33(unknown) = Chi : total:m0_30, partial:m0_32
# 120| v0_34(void) = NoOp :
# 116| v0_35(void) = ReturnVoid :
# 116| v0_36(void) = UnmodeledUse : mu*
# 116| v0_37(void) = AliasedUse : ~m0_30
# 116| v0_38(void) = ExitFunction :
# 122| void MergeMustExactlyOverlap(bool, int, int)
# 122| Block 0
@@ -773,21 +777,23 @@ ssa.cpp:
# 184| m0_10(unsigned int &) = InitializeParameter[d] : &:r0_9
# 189| r0_11(glval<unsigned int &>) = VariableAddress[a] :
# 189| r0_12(unsigned int &) = Load : &:r0_11, m0_4
# 189| r0_13(glval<unsigned int &>) = VariableAddress[b] :
# 189| r0_14(unsigned int &) = Load : &:r0_13, m0_6
# 190| r0_15(glval<unsigned int &>) = VariableAddress[c] :
# 190| r0_16(unsigned int &) = Load : &:r0_15, m0_8
# 190| r0_17(unsigned int) = Load : &:r0_16, ~m0_1
# 190| r0_18(glval<unsigned int &>) = VariableAddress[d] :
# 190| r0_19(unsigned int &) = Load : &:r0_18, m0_10
# 190| r0_20(unsigned int) = Load : &:r0_19, ~m0_1
# 186| m0_21(unknown) = InlineAsm : ~mu0_2, 0:r0_12, 1:r0_14, 2:r0_17, 3:r0_20
# 186| m0_22(unknown) = Chi : total:m0_1, partial:m0_21
# 192| v0_23(void) = NoOp :
# 184| v0_24(void) = ReturnVoid :
# 184| v0_25(void) = UnmodeledUse : mu*
# 184| v0_26(void) = AliasedUse : ~m0_22
# 184| v0_27(void) = ExitFunction :
# 189| r0_13(glval<unsigned int>) = CopyValue : r0_12
# 189| r0_14(glval<unsigned int &>) = VariableAddress[b] :
# 189| r0_15(unsigned int &) = Load : &:r0_14, m0_6
# 189| r0_16(glval<unsigned int>) = CopyValue : r0_15
# 190| r0_17(glval<unsigned int &>) = VariableAddress[c] :
# 190| r0_18(unsigned int &) = Load : &:r0_17, m0_8
# 190| r0_19(unsigned int) = Load : &:r0_18, ~m0_1
# 190| r0_20(glval<unsigned int &>) = VariableAddress[d] :
# 190| r0_21(unsigned int &) = Load : &:r0_20, m0_10
# 190| r0_22(unsigned int) = Load : &:r0_21, ~m0_1
# 186| m0_23(unknown) = InlineAsm : ~mu0_2, 0:r0_13, 1:r0_16, 2:r0_19, 3:r0_22
# 186| m0_24(unknown) = Chi : total:m0_1, partial:m0_23
# 192| v0_25(void) = NoOp :
# 184| v0_26(void) = ReturnVoid :
# 184| v0_27(void) = UnmodeledUse : mu*
# 184| v0_28(void) = AliasedUse : ~m0_24
# 184| v0_29(void) = ExitFunction :
# 198| int PureFunctions(char*, char*, int)
# 198| Block 0
@@ -852,23 +858,25 @@ ssa.cpp:
# 208| m0_8(unknown) = Chi : total:m0_5, partial:m0_7
# 209| r0_9(glval<unknown>) = FunctionAddress[memcpy] :
# 209| r0_10(glval<int>) = VariableAddress[y] :
# 209| r0_11(void *) = Convert : r0_10
# 209| r0_12(glval<int>) = VariableAddress[x] :
# 209| r0_13(void *) = Convert : r0_12
# 209| r0_14(int) = Constant[4] :
# 209| r0_15(void *) = Call : func:r0_9, 0:r0_11, 1:r0_13, 2:r0_14
# 209| v0_16(void) = ^SizedBufferReadSideEffect[1] : &:r0_13, r0_14, ~mu0_2
# 209| m0_17(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r0_11, r0_14
# 209| m0_18(unknown) = Chi : total:m0_8, partial:m0_17
# 210| r0_19(glval<int>) = VariableAddress[#return] :
# 210| r0_20(glval<int>) = VariableAddress[y] :
# 210| r0_21(int) = Load : &:r0_20, ~m0_18
# 210| m0_22(int) = Store : &:r0_19, r0_21
# 207| r0_23(glval<int>) = VariableAddress[#return] :
# 207| v0_24(void) = ReturnValue : &:r0_23, m0_22
# 207| v0_25(void) = UnmodeledUse : mu*
# 207| v0_26(void) = AliasedUse : ~m0_1
# 207| v0_27(void) = ExitFunction :
# 209| r0_11(int *) = CopyValue : r0_10
# 209| r0_12(void *) = Convert : r0_11
# 209| r0_13(glval<int>) = VariableAddress[x] :
# 209| r0_14(int *) = CopyValue : r0_13
# 209| r0_15(void *) = Convert : r0_14
# 209| r0_16(int) = Constant[4] :
# 209| r0_17(void *) = Call : func:r0_9, 0:r0_12, 1:r0_15, 2:r0_16
# 209| v0_18(void) = ^SizedBufferReadSideEffect[1] : &:r0_15, r0_16, ~mu0_2
# 209| m0_19(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r0_12, r0_16
# 209| m0_20(unknown) = Chi : total:m0_8, partial:m0_19
# 210| r0_21(glval<int>) = VariableAddress[#return] :
# 210| r0_22(glval<int>) = VariableAddress[y] :
# 210| r0_23(int) = Load : &:r0_22, ~m0_20
# 210| m0_24(int) = Store : &:r0_21, r0_23
# 207| r0_25(glval<int>) = VariableAddress[#return] :
# 207| v0_26(void) = ReturnValue : &:r0_25, m0_24
# 207| v0_27(void) = UnmodeledUse : mu*
# 207| v0_28(void) = AliasedUse : ~m0_1
# 207| v0_29(void) = ExitFunction :
# 213| void InitArray()
# 213| Block 0

130
cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
View File

@@ -218,7 +218,8 @@ ssa.cpp:
# 70| r1_3(int) = Constant[1] :
# 70| r1_4(char *) = PointerAdd[1] : r1_2, r1_3
# 70| m1_5(char *) = Store : &:r1_1, r1_4
# 70| mu1_6(char) = Store : &:r1_2, r1_0
# 70| r1_6(glval<char>) = CopyValue : r1_2
# 70| mu1_7(char) = Store : &:r1_6, r1_0
#-----| Goto (back edge) -> Block 3
# 71| Block 2
@@ -330,16 +331,17 @@ ssa.cpp:
# 96| m0_8(Point) = Store : &:r0_5, r0_7
# 97| r0_9(glval<unknown>) = FunctionAddress[Escape] :
# 97| r0_10(glval<Point>) = VariableAddress[a] :
# 97| r0_11(void *) = Convert : r0_10
# 97| v0_12(void) = Call : func:r0_9, 0:r0_11
# 97| mu0_13(unknown) = ^CallSideEffect : ~mu0_2
# 97| v0_14(void) = ^BufferReadSideEffect[0] : &:r0_11, ~mu0_2
# 97| mu0_15(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_11
# 98| v0_16(void) = NoOp :
# 95| v0_17(void) = ReturnVoid :
# 95| v0_18(void) = UnmodeledUse : mu*
# 95| v0_19(void) = AliasedUse : ~mu0_2
# 95| v0_20(void) = ExitFunction :
# 97| r0_11(Point *) = CopyValue : r0_10
# 97| r0_12(void *) = Convert : r0_11
# 97| v0_13(void) = Call : func:r0_9, 0:r0_12
# 97| mu0_14(unknown) = ^CallSideEffect : ~mu0_2
# 97| v0_15(void) = ^BufferReadSideEffect[0] : &:r0_12, ~mu0_2
# 97| mu0_16(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_12
# 98| v0_17(void) = NoOp :
# 95| v0_18(void) = ReturnVoid :
# 95| v0_19(void) = UnmodeledUse : mu*
# 95| v0_20(void) = AliasedUse : ~mu0_2
# 95| v0_21(void) = ExitFunction :
# 100| void MustTotallyOverlap(Point)
# 100| Block 0
@@ -383,16 +385,17 @@ ssa.cpp:
# 107| m0_14(int) = Store : &:r0_10, r0_13
# 108| r0_15(glval<unknown>) = FunctionAddress[Escape] :
# 108| r0_16(glval<Point>) = VariableAddress[a] :
# 108| r0_17(void *) = Convert : r0_16
# 108| v0_18(void) = Call : func:r0_15, 0:r0_17
# 108| mu0_19(unknown) = ^CallSideEffect : ~mu0_2
# 108| v0_20(void) = ^BufferReadSideEffect[0] : &:r0_17, ~mu0_2
# 108| mu0_21(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_17
# 109| v0_22(void) = NoOp :
# 105| v0_23(void) = ReturnVoid :
# 105| v0_24(void) = UnmodeledUse : mu*
# 105| v0_25(void) = AliasedUse : ~mu0_2
# 105| v0_26(void) = ExitFunction :
# 108| r0_17(Point *) = CopyValue : r0_16
# 108| r0_18(void *) = Convert : r0_17
# 108| v0_19(void) = Call : func:r0_15, 0:r0_18
# 108| mu0_20(unknown) = ^CallSideEffect : ~mu0_2
# 108| v0_21(void) = ^BufferReadSideEffect[0] : &:r0_18, ~mu0_2
# 108| mu0_22(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_18
# 109| v0_23(void) = NoOp :
# 105| v0_24(void) = ReturnVoid :
# 105| v0_25(void) = UnmodeledUse : mu*
# 105| v0_26(void) = AliasedUse : ~mu0_2
# 105| v0_27(void) = ExitFunction :
# 111| void MayPartiallyOverlap(int, int)
# 111| Block 0
@@ -448,16 +451,17 @@ ssa.cpp:
# 118| m0_20(Point) = Store : &:r0_17, r0_19
# 119| r0_21(glval<unknown>) = FunctionAddress[Escape] :
# 119| r0_22(glval<Point>) = VariableAddress[a] :
# 119| r0_23(void *) = Convert : r0_22
# 119| v0_24(void) = Call : func:r0_21, 0:r0_23
# 119| mu0_25(unknown) = ^CallSideEffect : ~mu0_2
# 119| v0_26(void) = ^BufferReadSideEffect[0] : &:r0_23, ~mu0_2
# 119| mu0_27(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_23
# 120| v0_28(void) = NoOp :
# 116| v0_29(void) = ReturnVoid :
# 116| v0_30(void) = UnmodeledUse : mu*
# 116| v0_31(void) = AliasedUse : ~mu0_2
# 116| v0_32(void) = ExitFunction :
# 119| r0_23(Point *) = CopyValue : r0_22
# 119| r0_24(void *) = Convert : r0_23
# 119| v0_25(void) = Call : func:r0_21, 0:r0_24
# 119| mu0_26(unknown) = ^CallSideEffect : ~mu0_2
# 119| v0_27(void) = ^BufferReadSideEffect[0] : &:r0_24, ~mu0_2
# 119| mu0_28(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_24
# 120| v0_29(void) = NoOp :
# 116| v0_30(void) = ReturnVoid :
# 116| v0_31(void) = UnmodeledUse : mu*
# 116| v0_32(void) = AliasedUse : ~mu0_2
# 116| v0_33(void) = ExitFunction :
# 122| void MergeMustExactlyOverlap(bool, int, int)
# 122| Block 0
@@ -741,20 +745,22 @@ ssa.cpp:
# 184| m0_10(unsigned int &) = InitializeParameter[d] : &:r0_9
# 189| r0_11(glval<unsigned int &>) = VariableAddress[a] :
# 189| r0_12(unsigned int &) = Load : &:r0_11, m0_4
# 189| r0_13(glval<unsigned int &>) = VariableAddress[b] :
# 189| r0_14(unsigned int &) = Load : &:r0_13, m0_6
# 190| r0_15(glval<unsigned int &>) = VariableAddress[c] :
# 190| r0_16(unsigned int &) = Load : &:r0_15, m0_8
# 190| r0_17(unsigned int) = Load : &:r0_16, ~mu0_2
# 190| r0_18(glval<unsigned int &>) = VariableAddress[d] :
# 190| r0_19(unsigned int &) = Load : &:r0_18, m0_10
# 190| r0_20(unsigned int) = Load : &:r0_19, ~mu0_2
# 186| mu0_21(unknown) = InlineAsm : ~mu0_2, 0:r0_12, 1:r0_14, 2:r0_17, 3:r0_20
# 192| v0_22(void) = NoOp :
# 184| v0_23(void) = ReturnVoid :
# 184| v0_24(void) = UnmodeledUse : mu*
# 184| v0_25(void) = AliasedUse : ~mu0_2
# 184| v0_26(void) = ExitFunction :
# 189| r0_13(glval<unsigned int>) = CopyValue : r0_12
# 189| r0_14(glval<unsigned int &>) = VariableAddress[b] :
# 189| r0_15(unsigned int &) = Load : &:r0_14, m0_6
# 189| r0_16(glval<unsigned int>) = CopyValue : r0_15
# 190| r0_17(glval<unsigned int &>) = VariableAddress[c] :
# 190| r0_18(unsigned int &) = Load : &:r0_17, m0_8
# 190| r0_19(unsigned int) = Load : &:r0_18, ~mu0_2
# 190| r0_20(glval<unsigned int &>) = VariableAddress[d] :
# 190| r0_21(unsigned int &) = Load : &:r0_20, m0_10
# 190| r0_22(unsigned int) = Load : &:r0_21, ~mu0_2
# 186| mu0_23(unknown) = InlineAsm : ~mu0_2, 0:r0_13, 1:r0_16, 2:r0_19, 3:r0_22
# 192| v0_24(void) = NoOp :
# 184| v0_25(void) = ReturnVoid :
# 184| v0_26(void) = UnmodeledUse : mu*
# 184| v0_27(void) = AliasedUse : ~mu0_2
# 184| v0_28(void) = ExitFunction :
# 198| int PureFunctions(char*, char*, int)
# 198| Block 0
@@ -817,22 +823,24 @@ ssa.cpp:
# 208| mu0_6(int) = Uninitialized[y] : &:r0_5
# 209| r0_7(glval<unknown>) = FunctionAddress[memcpy] :
# 209| r0_8(glval<int>) = VariableAddress[y] :
# 209| r0_9(void *) = Convert : r0_8
# 209| r0_10(glval<int>) = VariableAddress[x] :
# 209| r0_11(void *) = Convert : r0_10
# 209| r0_12(int) = Constant[4] :
# 209| r0_13(void *) = Call : func:r0_7, 0:r0_9, 1:r0_11, 2:r0_12
# 209| v0_14(void) = ^SizedBufferReadSideEffect[1] : &:r0_11, r0_12, ~mu0_2
# 209| mu0_15(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r0_9, r0_12
# 210| r0_16(glval<int>) = VariableAddress[#return] :
# 210| r0_17(glval<int>) = VariableAddress[y] :
# 210| r0_18(int) = Load : &:r0_17, ~mu0_2
# 210| m0_19(int) = Store : &:r0_16, r0_18
# 207| r0_20(glval<int>) = VariableAddress[#return] :
# 207| v0_21(void) = ReturnValue : &:r0_20, m0_19
# 207| v0_22(void) = UnmodeledUse : mu*
# 207| v0_23(void) = AliasedUse : ~mu0_2
# 207| v0_24(void) = ExitFunction :
# 209| r0_9(int *) = CopyValue : r0_8
# 209| r0_10(void *) = Convert : r0_9
# 209| r0_11(glval<int>) = VariableAddress[x] :
# 209| r0_12(int *) = CopyValue : r0_11
# 209| r0_13(void *) = Convert : r0_12
# 209| r0_14(int) = Constant[4] :
# 209| r0_15(void *) = Call : func:r0_7, 0:r0_10, 1:r0_13, 2:r0_14
# 209| v0_16(void) = ^SizedBufferReadSideEffect[1] : &:r0_13, r0_14, ~mu0_2
# 209| mu0_17(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r0_10, r0_14
# 210| r0_18(glval<int>) = VariableAddress[#return] :
# 210| r0_19(glval<int>) = VariableAddress[y] :
# 210| r0_20(int) = Load : &:r0_19, ~mu0_2
# 210| m0_21(int) = Store : &:r0_18, r0_20
# 207| r0_22(glval<int>) = VariableAddress[#return] :
# 207| v0_23(void) = ReturnValue : &:r0_22, m0_21
# 207| v0_24(void) = UnmodeledUse : mu*
# 207| v0_25(void) = AliasedUse : ~mu0_2
# 207| v0_26(void) = ExitFunction :
# 213| void InitArray()
# 213| Block 0

2
cpp/ql/test/library-tests/noexcept/copy_from_prototype/copy_from_prototype.expected
View File

@@ -13,7 +13,7 @@
| copy_from_prototype.cpp:13:7:13:7 | c | c<int>::c(const c<int> &) -> void | copy_from_prototype.cpp:13:7:13:7 | c<int> | <no expr> |
| copy_from_prototype.cpp:13:7:13:7 | operator= | c<int>::operator=(c<int> &&) -> c<int> & | copy_from_prototype.cpp:13:7:13:7 | c<int> | <no expr> |
| copy_from_prototype.cpp:13:7:13:7 | operator= | c<int>::operator=(const c<int> &) -> c<int> & | copy_from_prototype.cpp:13:7:13:7 | c<int> | <no expr> |
| copy_from_prototype.cpp:14:26:14:26 | c | c<T>::c<(unnamed)>() -> void | copy_from_prototype.cpp:13:7:13:7 | c<T> | Unknown literal |
| copy_from_prototype.cpp:14:26:14:26 | c | c<T>::c<(unnamed)>() -> void | copy_from_prototype.cpp:13:7:13:7 | c<T> | X |
| copy_from_prototype.cpp:14:26:14:26 | c | c<int>::c<(unnamed)>() -> void | copy_from_prototype.cpp:13:7:13:7 | c<int> | <no expr> |
| copy_from_prototype.cpp:17:7:17:7 | d | d::d() -> void | copy_from_prototype.cpp:17:7:17:7 | d | <no expr> |
| copy_from_prototype.cpp:17:7:17:7 | d | d::d(const d &) -> void | copy_from_prototype.cpp:17:7:17:7 | d | <no expr> |

4
cpp/ql/test/library-tests/ptr_to_member/segfault/exprs.expected
View File

@@ -1,3 +1,7 @@
| file://:0:0:0:0 | __i | file://:0:0:0:0 | unsigned long |
| file://:0:0:0:0 | uls | file://:0:0:0:0 | unsigned long |
| file://:0:0:0:0 | uls | file://:0:0:0:0 | unsigned long |
| file://:0:0:0:0 | uls | file://:0:0:0:0 | unsigned long |
| segfault.cpp:25:46:25:65 | call to S | file://:0:0:0:0 | void |
| segfault.cpp:25:46:25:65 | call to S | file://:0:0:0:0 | void |
| segfault.cpp:25:48:25:55 | __second | segfault.cpp:15:7:15:11 | tuple |

2
cpp/ql/test/library-tests/rangeanalysis/signanalysis/SignAnalysis.expected
View File

@@ -649,12 +649,14 @@
| test.c:397:9:397:11 | Constant: ++ ... | positive strictlyPositive |
| test.c:397:9:397:11 | Load: ++ ... | positive |
| test.c:397:9:397:11 | Store: ++ ... | positive strictlyPositive |
| test.c:397:9:397:14 | CopyValue: ... , ... | positive strictlyPositive |
| test.c:397:14:397:14 | Load: y | positive strictlyPositive |
| test.c:398:3:398:23 | Store: ... = ... | positive strictlyPositive |
| test.c:398:9:398:11 | Add: ... ++ | positive strictlyPositive |
| test.c:398:9:398:11 | Constant: ... ++ | positive strictlyPositive |
| test.c:398:9:398:11 | Load: ... ++ | positive strictlyPositive |
| test.c:398:9:398:11 | Store: ... ++ | positive strictlyPositive |
| test.c:398:9:398:22 | CopyValue: ... , ... | positive strictlyPositive |
| test.c:398:14:398:19 | Add: ... += ... | positive strictlyPositive |
| test.c:398:14:398:19 | Load: ... += ... | positive strictlyPositive |
| test.c:398:14:398:19 | Store: ... += ... | positive strictlyPositive |

53
cpp/ql/test/library-tests/syntax-zoo/drawDifferent.expected
View File

@@ -1,53 +0,0 @@
| staticlocals__staticlocals_f2_extractor | false | 22465 | 22465 | f2 |
| staticlocals__staticlocals_f2_extractor | false | 22470 | 22470 | declaration |
| staticlocals__staticlocals_f2_extractor | false | 22472 | 22472 | declaration |
| staticlocals__staticlocals_f2_extractor | false | 22474 | 22474 | declaration |
| staticlocals__staticlocals_f2_extractor | false | 22476 | 22476 | declaration |
| staticlocals__staticlocals_f2_extractor | false | 22478 | 22478 | return ... |
| staticlocals__staticlocals_f2_extractor | false | 22480 | 22480 | { ... } |
| staticlocals__staticlocals_f2_extractor | false | 22482 | 22482 | call to C |
| staticlocals__staticlocals_f2_extractor | false | 22484 | 22484 | initializer for c |
| staticlocals__staticlocals_f2_extractor | false | 22486 | 22486 | call to addOne |
| staticlocals__staticlocals_f2_extractor | false | 22490 | 22490 | 2 |
| staticlocals__staticlocals_f2_extractor | false | 22493 | 22493 | initializer for j |
| staticlocals__staticlocals_f2_extractor | false | 22494 | 22494 | call to addOne |
| staticlocals__staticlocals_f2_extractor | false | 22499 | 22499 | 2 |
| staticlocals__staticlocals_f2_extractor | false | 22500 | 22500 | initializer for two |
| staticlocals__staticlocals_f2_extractor | false | 22503 | 22503 | two |
| staticlocals__staticlocals_f2_extractor | false | 22508 | 22508 | initializer for i |
| staticlocals__staticlocals_f2_extractor | true | 22470 | 22500 | |
| staticlocals__staticlocals_f2_extractor | true | 22472 | 22474 | |
| staticlocals__staticlocals_f2_extractor | true | 22474 | 22476 | |
| staticlocals__staticlocals_f2_extractor | true | 22476 | 22478 | |
| staticlocals__staticlocals_f2_extractor | true | 22478 | 22465 | |
| staticlocals__staticlocals_f2_extractor | true | 22480 | 22470 | |
| staticlocals__staticlocals_f2_extractor | true | 22499 | 22472 | |
| staticlocals__staticlocals_f2_extractor | true | 22500 | 22499 | |
| staticlocals__staticlocals_f2_ql | false | 22465 | 22465 | f2 |
| staticlocals__staticlocals_f2_ql | false | 22470 | 22470 | declaration |
| staticlocals__staticlocals_f2_ql | false | 22472 | 22472 | declaration |
| staticlocals__staticlocals_f2_ql | false | 22474 | 22474 | declaration |
| staticlocals__staticlocals_f2_ql | false | 22476 | 22476 | declaration |
| staticlocals__staticlocals_f2_ql | false | 22478 | 22478 | return ... |
| staticlocals__staticlocals_f2_ql | false | 22480 | 22480 | { ... } |
| staticlocals__staticlocals_f2_ql | false | 22482 | 22482 | call to C |
| staticlocals__staticlocals_f2_ql | false | 22484 | 22484 | initializer for c |
| staticlocals__staticlocals_f2_ql | false | 22486 | 22486 | call to addOne |
| staticlocals__staticlocals_f2_ql | false | 22490 | 22490 | 2 |
| staticlocals__staticlocals_f2_ql | false | 22493 | 22493 | initializer for j |
| staticlocals__staticlocals_f2_ql | false | 22494 | 22494 | call to addOne |
| staticlocals__staticlocals_f2_ql | false | 22499 | 22499 | 2 |
| staticlocals__staticlocals_f2_ql | false | 22500 | 22500 | initializer for two |
| staticlocals__staticlocals_f2_ql | false | 22503 | 22503 | two |
| staticlocals__staticlocals_f2_ql | false | 22508 | 22508 | initializer for i |
| staticlocals__staticlocals_f2_ql | true | 22470 | 22500 | |
| staticlocals__staticlocals_f2_ql | true | 22472 | 22474 | |
| staticlocals__staticlocals_f2_ql | true | 22474 | 22476 | |
| staticlocals__staticlocals_f2_ql | true | 22476 | 22478 | |
| staticlocals__staticlocals_f2_ql | true | 22476 | 22484 | |
| staticlocals__staticlocals_f2_ql | true | 22478 | 22465 | |
| staticlocals__staticlocals_f2_ql | true | 22480 | 22470 | |
| staticlocals__staticlocals_f2_ql | true | 22482 | 22478 | |
| staticlocals__staticlocals_f2_ql | true | 22484 | 22482 | |
| staticlocals__staticlocals_f2_ql | true | 22499 | 22472 | |
| staticlocals__staticlocals_f2_ql | true | 22500 | 22499 | |

10
cpp/ql/test/library-tests/syntax-zoo/drawDifferent.ql
View File

@@ -1,10 +0,0 @@
// query-type: graph
import Compare
from
Element scopeElement, string scopeString, boolean isEdge, ControlFlowNode x, ControlFlowNode y,
string label
where
AllCFG::qltestGraph(scopeElement, scopeString, isEdge, x, y, label) and
differentScope(scopeElement)
select scopeString, isEdge, x, y, label

8
cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected
View File

@@ -1,8 +1,8 @@
missingOperand
| condition_decls.cpp:16:6:16:20 | ConditionalBranch: (condition decl) | Instruction 'ConditionalBranch' is missing an expected operand with tag 'Condition' in function '$@'. | condition_decls.cpp:15:6:15:17 | IR: if_decl_bind | void if_decl_bind(int) |
| condition_decls.cpp:26:3:36:3 | Switch: switch (...) ... | Instruction 'Switch' is missing an expected operand with tag 'Condition' in function '$@'. | condition_decls.cpp:25:6:25:21 | IR: switch_decl_bind | void switch_decl_bind(int) |
| condition_decls.cpp:41:9:41:23 | ConditionalBranch: (condition decl) | Instruction 'ConditionalBranch' is missing an expected operand with tag 'Condition' in function '$@'. | condition_decls.cpp:40:6:40:20 | IR: while_decl_bind | void while_decl_bind(int) |
| condition_decls.cpp:48:39:48:53 | ConditionalBranch: (condition decl) | Instruction 'ConditionalBranch' is missing an expected operand with tag 'Condition' in function '$@'. | condition_decls.cpp:47:6:47:18 | IR: for_decl_bind | void for_decl_bind(int) |
| condition_decls.cpp:16:6:16:20 | CopyValue: (condition decl) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | condition_decls.cpp:15:6:15:17 | IR: if_decl_bind | void if_decl_bind(int) |
| condition_decls.cpp:26:10:26:24 | CopyValue: (condition decl) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | condition_decls.cpp:25:6:25:21 | IR: switch_decl_bind | void switch_decl_bind(int) |
| condition_decls.cpp:41:9:41:23 | CopyValue: (condition decl) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | condition_decls.cpp:40:6:40:20 | IR: while_decl_bind | void while_decl_bind(int) |
| condition_decls.cpp:48:39:48:53 | CopyValue: (condition decl) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | condition_decls.cpp:47:6:47:18 | IR: for_decl_bind | void for_decl_bind(int) |
| misc.c:125:5:125:11 | CopyValue: (statement expression) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | misc.c:97:6:97:10 | IR: misc3 | void misc3() |
| misc.c:220:3:223:3 | Store: ... = ... | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | misc.c:219:5:219:26 | IR: assign_designated_init | int assign_designated_init(someStruct*) |
| misc.c:220:9:223:3 | FieldAddress: {...} | Instruction 'FieldAddress' is missing an expected operand with tag 'Unary' in function '$@'. | misc.c:219:5:219:26 | IR: assign_designated_init | int assign_designated_init(someStruct*) |

3
cpp/ql/test/library-tests/syntax-zoo/tellDifferent.expected
View File

@@ -1,3 +0,0 @@
| staticlocals__staticlocals_f2 | file://:0:0:0:0 | call to C | staticlocals.cpp:30:1:30:1 | return ... | Standard edge, only from QL | |
| staticlocals__staticlocals_f2 | file://:0:0:0:0 | initializer for c | file://:0:0:0:0 | call to C | Standard edge, only from QL | |
| staticlocals__staticlocals_f2 | staticlocals.cpp:29:5:29:17 | declaration | file://:0:0:0:0 | initializer for c | Standard edge, only from QL | |

13
cpp/ql/test/library-tests/syntax-zoo/tellDifferent.ql
View File

@@ -1,13 +0,0 @@
import Compare
string describeTemplate(ControlFlowNode node) {
node.isFromTemplateInstantiation(_) and
result = "instantiation"
or
node.isFromUninstantiatedTemplate(_) and
result = "uninstantiated"
}
from ControlFlowNode n1, ControlFlowNode n2, string msg
where differentEdge(n1, n2, msg)
select getScopeName(n1), n1, n2, msg, concat(describeTemplate(n1), ", ")

19
cpp/ql/test/library-tests/templates/CPP-172-template-members/test.cpp Normal file
View File

@@ -0,0 +1,19 @@
class A {
public:
void foo();
int k;
};
class B {
public:
template <typename T>
B(T x) {
int k = x.k;
x.foo();
}
};
A a;
B b(a);

2
cpp/ql/test/library-tests/templates/CPP-172-template-members/test.expected Normal file
View File

@@ -0,0 +1,2 @@
| test.cpp:13:15:13:15 | k |
| test.cpp:14:7:14:9 | foo |

4
cpp/ql/test/library-tests/templates/CPP-172-template-members/test.ql Normal file
View File

@@ -0,0 +1,4 @@
import cpp
from Literal l
select l

4
cpp/ql/test/library-tests/templates/CPP-202/template_args.expected
View File

@@ -1,6 +1,6 @@
| file://:0:0:0:0 | __va_list_tag | <none> |
| test.cpp:3:8:3:9 | s1<<expression>> | <none> |
| test.cpp:3:8:3:9 | s1<<unnamed>> | <none> |
| test.cpp:3:8:3:9 | s1<<expression>> | {...} |
| test.cpp:3:8:3:9 | s1<<unnamed>> | (null) |
| test.cpp:5:8:5:9 | s2<T> | T |
| test.cpp:5:8:5:9 | s2<T> | T |
| test.cpp:7:8:7:9 | s3<T, <unnamed>> | (unnamed) |

6
cpp/ql/test/library-tests/templates/CPP-204/element.expected
View File

@@ -1,6 +1,12 @@
| file://:0:0:0:0 | |
| file://:0:0:0:0 | 0 |
| file://:0:0:0:0 | (global namespace) |
| file://:0:0:0:0 | B |
| file://:0:0:0:0 | X |
| file://:0:0:0:0 | X |
| file://:0:0:0:0 | X |
| file://:0:0:0:0 | X |
| file://:0:0:0:0 | Y |
| file://:0:0:0:0 | __va_list_tag |
| file://:0:0:0:0 | __va_list_tag & |
| file://:0:0:0:0 | __va_list_tag && |

4
cpp/ql/test/library-tests/templates/instantiations_functions/elements.expected
View File

@@ -317,8 +317,8 @@
| test.cpp:19:9:19:24 | call to expression |
| test.cpp:19:9:19:25 | ExprStmt |
| test.cpp:19:9:19:25 | ExprStmt |
| test.cpp:19:15:19:18 | Unknown literal |
| test.cpp:19:15:19:18 | call to funx |
| test.cpp:19:15:19:18 | funx |
| test.cpp:19:20:19:23 | (reference to) |
| test.cpp:19:20:19:23 | valx |
| test.cpp:19:20:19:23 | valx |
@@ -356,8 +356,8 @@
| test.cpp:30:13:30:22 | call to expression |
| test.cpp:30:13:30:23 | ExprStmt |
| test.cpp:30:13:30:23 | ExprStmt |
| test.cpp:30:15:30:20 | Unknown literal |
| test.cpp:30:15:30:20 | call to eparse |
| test.cpp:30:15:30:20 | eparse |
| test.cpp:31:9:31:9 | return ... |
| test.cpp:31:9:31:9 | return ... |
| test.cpp:34:6:34:11 | define |

4
cpp/ql/test/library-tests/templates/nontype_instantiations/classes/test.cpp Normal file
View File

@@ -0,0 +1,4 @@
template <int i>
class Int { };
Int<10> i;

2
cpp/ql/test/library-tests/templates/nontype_instantiations/classes/test.expected Normal file
View File

@@ -0,0 +1,2 @@
| test.cpp:2:7:2:9 | Int<10> | file://:0:0:0:0 | int | test.cpp:4:5:4:6 | 10 |
| test.cpp:2:7:2:9 | Int<i> | file://:0:0:0:0 | int | file://:0:0:0:0 | i |

4
cpp/ql/test/library-tests/templates/nontype_instantiations/classes/test.ql Normal file
View File

@@ -0,0 +1,4 @@
import cpp
from Class c
select c, c.getATemplateArgumentKind(), c.getATemplateArgument()

5
cpp/ql/test/library-tests/templates/nontype_instantiations/functions/test.cpp Normal file
View File

@@ -0,0 +1,5 @@
// semmle-extractor-options: --edg --trap_container=folder --edg --trap-compression=none
template <int i>
int addToSelf() { return i + i; };
int bar() { return addToSelf<10>(); }

2
cpp/ql/test/library-tests/templates/nontype_instantiations/functions/test.expected Normal file
View File

@@ -0,0 +1,2 @@
| test.cpp:3:5:3:5 | addToSelf | file://:0:0:0:0 | int | test.cpp:5:30:5:31 | 10 |
| test.cpp:3:5:3:13 | addToSelf | file://:0:0:0:0 | int | file://:0:0:0:0 | i |

4
cpp/ql/test/library-tests/templates/nontype_instantiations/functions/test.ql Normal file
View File

@@ -0,0 +1,4 @@
import cpp
from Function f
select f, f.getATemplateArgumentKind(), f.getATemplateArgument()

19
cpp/ql/test/library-tests/templates/nontype_instantiations/general/test.cpp Normal file
View File

@@ -0,0 +1,19 @@
// semmle-extractor-options: --edg --trap_container=folder --edg --trap-compression=none
template<int x>
struct C { };
static const int one1 = 1, one2 = 1;
C<one1> c = C<one2>();
C<one1 + one2> e;
template<typename T, T X>
struct D { };
D<int, 2> a;
D<long, 2> b;
template<typename T, T* X>
struct E { };
E<int, nullptr> z;

13
cpp/ql/test/library-tests/templates/nontype_instantiations/general/test.expected Normal file
View File

@@ -0,0 +1,13 @@
| test.cpp:3:8:3:8 | C<1> | 0 | int | test.cpp:5:25:5:25 | 1 |
| test.cpp:3:8:3:8 | C<2> | 0 | int | file://:0:0:0:0 | 2 |
| test.cpp:3:8:3:8 | C<x> | 0 | int | file://:0:0:0:0 | x |
| test.cpp:10:8:10:8 | D<T, X> | 0 | <none> | test.cpp:9:19:9:19 | T |
| test.cpp:10:8:10:8 | D<T, X> | 1 | T | file://:0:0:0:0 | X |
| test.cpp:10:8:10:8 | D<int, 2> | 0 | <none> | file://:0:0:0:0 | int |
| test.cpp:10:8:10:8 | D<int, 2> | 1 | int | test.cpp:12:8:12:8 | 2 |
| test.cpp:10:8:10:8 | D<long, 2L> | 0 | <none> | file://:0:0:0:0 | long |
| test.cpp:10:8:10:8 | D<long, 2L> | 1 | long | file://:0:0:0:0 | 2 |
| test.cpp:16:8:16:8 | E<T, X> | 0 | <none> | test.cpp:15:19:15:19 | T |
| test.cpp:16:8:16:8 | E<T, X> | 1 | T * | file://:0:0:0:0 | X |
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 0 | <none> | file://:0:0:0:0 | int |
| test.cpp:16:8:16:8 | E<int, (int *)nullptr> | 1 | int * | file://:0:0:0:0 | 0 |

14
cpp/ql/test/library-tests/templates/nontype_instantiations/general/test.ql Normal file
View File

@@ -0,0 +1,14 @@
import cpp
string maybeGetTemplateArgumentKind(Declaration d, int i) {
(
if exists(d.getTemplateArgumentKind(i))
then result = d.getTemplateArgumentKind(i).toString()
else result = "<none>"
) and
i = [0 .. d.getNumberOfTemplateArguments()]
}
from Declaration d, int i
where i >= 0 and i < d.getNumberOfTemplateArguments()
select d, i, maybeGetTemplateArgumentKind(d, i), d.getTemplateArgument(i)

80
cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ir_gvn.expected
View File

@@ -300,45 +300,47 @@ test.cpp:
# 44| valnum = r0_7
# 44| r0_27(int *) = Load : &:r0_26, m0_8
# 44| valnum = m0_8
# 44| m0_28(int) = Store : &:r0_27, r0_25
# 44| r0_28(glval<int>) = CopyValue : r0_27
# 44| valnum = m0_8
# 44| m0_29(int) = Store : &:r0_28, r0_25
# 44| valnum = r0_25
# 44| m0_29(unknown) = Chi : total:m0_1, partial:m0_28
# 44| m0_30(unknown) = Chi : total:m0_1, partial:m0_29
# 44| valnum = unique
# 45| r0_30(glval<int>) = VariableAddress[p0] :
# 45| r0_31(glval<int>) = VariableAddress[p0] :
# 45| valnum = r0_3
# 45| r0_31(int) = Load : &:r0_30, m0_4
# 45| r0_32(int) = Load : &:r0_31, m0_4
# 45| valnum = m0_4
# 45| r0_32(glval<int>) = VariableAddress[p1] :
# 45| r0_33(glval<int>) = VariableAddress[p1] :
# 45| valnum = r0_5
# 45| r0_33(int) = Load : &:r0_32, m0_6
# 45| r0_34(int) = Load : &:r0_33, m0_6
# 45| valnum = m0_6
# 45| r0_34(int) = Add : r0_31, r0_33
# 45| r0_35(int) = Add : r0_32, r0_34
# 45| valnum = r0_19
# 45| r0_35(glval<int>) = VariableAddress[global03] :
# 45| r0_36(glval<int>) = VariableAddress[global03] :
# 45| valnum = r0_20
# 45| r0_36(int) = Load : &:r0_35, ~m0_29
# 45| r0_37(int) = Load : &:r0_36, ~m0_30
# 45| valnum = unique
# 45| r0_37(int) = Add : r0_34, r0_36
# 45| valnum = r0_37
# 45| r0_38(glval<int>) = VariableAddress[x] :
# 45| r0_38(int) = Add : r0_35, r0_37
# 45| valnum = r0_38
# 45| r0_39(glval<int>) = VariableAddress[x] :
# 45| valnum = r0_9
# 45| m0_39(int) = Store : &:r0_38, r0_37
# 45| valnum = r0_37
# 46| r0_40(glval<int>) = VariableAddress[x] :
# 45| m0_40(int) = Store : &:r0_39, r0_38
# 45| valnum = r0_38
# 46| r0_41(glval<int>) = VariableAddress[x] :
# 46| valnum = r0_9
# 46| r0_41(int) = Load : &:r0_40, m0_39
# 46| valnum = r0_37
# 46| r0_42(glval<int>) = VariableAddress[y] :
# 46| r0_42(int) = Load : &:r0_41, m0_40
# 46| valnum = r0_38
# 46| r0_43(glval<int>) = VariableAddress[y] :
# 46| valnum = r0_11
# 46| m0_43(int) = Store : &:r0_42, r0_41
# 46| valnum = r0_37
# 47| v0_44(void) = NoOp :
# 39| r0_45(glval<int>) = VariableAddress[#return] :
# 46| m0_44(int) = Store : &:r0_43, r0_42
# 46| valnum = r0_38
# 47| v0_45(void) = NoOp :
# 39| r0_46(glval<int>) = VariableAddress[#return] :
# 39| valnum = unique
# 39| v0_46(void) = ReturnValue : &:r0_45
# 39| v0_47(void) = UnmodeledUse : mu*
# 39| v0_48(void) = AliasedUse : ~m0_29
# 39| v0_49(void) = ExitFunction :
# 39| v0_47(void) = ReturnValue : &:r0_46
# 39| v0_48(void) = UnmodeledUse : mu*
# 39| v0_49(void) = AliasedUse : ~m0_30
# 39| v0_50(void) = ExitFunction :
# 49| unsigned int my_strspn(char const*, char const*)
# 49| Block 0
@@ -677,22 +679,24 @@ test.cpp:
# 92| valnum = r0_3
# 92| m0_6(int) = Store : &:r0_5, r0_4
# 92| valnum = r0_4
# 92| m0_7(int) = Store : &:r0_3, r0_4
# 92| r0_7(int) = CopyValue : r0_4
# 92| valnum = r0_4
# 93| r0_8(glval<int>) = VariableAddress[#return] :
# 93| valnum = r0_8
# 93| r0_9(glval<int>) = VariableAddress[x] :
# 92| m0_8(int) = Store : &:r0_3, r0_7
# 92| valnum = r0_4
# 93| r0_9(glval<int>) = VariableAddress[#return] :
# 93| valnum = r0_9
# 93| r0_10(glval<int>) = VariableAddress[x] :
# 93| valnum = r0_3
# 93| r0_10(int) = Load : &:r0_9, m0_7
# 93| r0_11(int) = Load : &:r0_10, m0_8
# 93| valnum = r0_4
# 93| m0_11(int) = Store : &:r0_8, r0_10
# 93| m0_12(int) = Store : &:r0_9, r0_11
# 93| valnum = r0_4
# 91| r0_12(glval<int>) = VariableAddress[#return] :
# 91| valnum = r0_8
# 91| v0_13(void) = ReturnValue : &:r0_12, m0_11
# 91| v0_14(void) = UnmodeledUse : mu*
# 91| v0_15(void) = AliasedUse : ~m0_1
# 91| v0_16(void) = ExitFunction :
# 91| r0_13(glval<int>) = VariableAddress[#return] :
# 91| valnum = r0_9
# 91| v0_14(void) = ReturnValue : &:r0_13, m0_12
# 91| v0_15(void) = UnmodeledUse : mu*
# 91| v0_16(void) = AliasedUse : ~m0_1
# 91| v0_17(void) = ExitFunction :
# 104| int inheritanceConversions(Derived*)
# 104| Block 0

8
cpp/ql/test/query-tests/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBound/NtohlArrayNoBound.expected Normal file
View File

@@ -0,0 +1,8 @@
| test.cpp:12:25:12:29 | call to ntohl | Unchecked use of data from network function $@ | test.cpp:12:25:12:29 | call to ntohl | call to ntohl |
| test.cpp:21:26:21:29 | len2 | Unchecked use of data from network function $@ | test.cpp:10:16:10:20 | call to ntohl | call to ntohl |
| test.cpp:31:26:31:29 | len2 | Unchecked use of data from network function $@ | test.cpp:10:16:10:20 | call to ntohl | call to ntohl |
| test.cpp:61:26:61:29 | len2 | Unchecked use of data from network function $@ | test.cpp:10:16:10:20 | call to ntohl | call to ntohl |
| test.cpp:64:9:64:12 | len2 | Unchecked use of data from network function $@ | test.cpp:10:16:10:20 | call to ntohl | call to ntohl |
| test.cpp:73:10:73:13 | lens | Unchecked use of data from network function $@ | test.cpp:10:16:10:20 | call to ntohl | call to ntohl |
| test.cpp:86:10:86:13 | len3 | Unchecked use of data from network function $@ | test.cpp:85:10:85:14 | call to ntohl | call to ntohl |
| test.cpp:94:9:94:11 | len | Unchecked use of data from network function $@ | test.cpp:99:8:99:12 | call to ntohl | call to ntohl |

1
cpp/ql/test/query-tests/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBound/NtohlArrayNoBound.qlref Normal file
View File

@@ -0,0 +1 @@
Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBoundOpenSource.ql

100
cpp/ql/test/query-tests/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBound/test.cpp Normal file
View File

@@ -0,0 +1,100 @@
typedef unsigned int size_t;
void *memcpy(void *s1, const void *s2, size_t n);
size_t strlen(const char *s);
int ntohl(int x);
void test1(const char *source, size_t len)
{
char buffer[256];
size_t len2 = ntohl(len);
memcpy(buffer, source, ntohl(len)); // BAD
if (len2 < 256)
{
memcpy(buffer, source, len2); // GOOD
}
if (source != 0)
{
memcpy(buffer, source, len2); // BAD
}
if ((len2 < 256) && (source != 0))
{
memcpy(buffer, source, len2); // GOOD
}
if ((len2 < 256) || (source != 0))
{
memcpy(buffer, source, len2); // BAD
}
if (len2 < 256)
{
if (source != 0)
{
memcpy(buffer, source, len2); // GOOD
}
}
if (len2 >= 256)
{
// fail
} else {
memcpy(buffer, source, len2); // GOOD
}
if (len2 + 1 < 256)
{
memcpy(buffer, source, len2 + 1); // GOOD
}
if (strlen(source) < 256)
{
memcpy(buffer, source, strlen(source)); // GOOD
}
if (strlen(source) < 256)
{
memcpy(buffer, source, len2); // BAD
}
buffer[len2] = 0; // BAD
if (len2 < 256)
{
buffer[len2] = 0; // GOOD
}
{
unsigned short lens = len2;
buffer[lens] = 0; // BAD
}
if (len2 < 256)
{
unsigned short lens = len2;
buffer[lens] = 0; // GOOD
}
size_t len3 = 0;
if (len3 < 256)
{
len3 = ntohl(len);
buffer[len3] = 0; // BAD
}
}
void test2(size_t len)
{
char buffer[256];
buffer[len] = 0; // BAD
}
void test3(size_t len)
{
test2(ntohl(len));
}

3
cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/ConditionallyUninitializedVariable.expected Normal file
View File

@@ -0,0 +1,3 @@
| examples.cpp:38:3:38:18 | call to initDeviceConfig | The status of this call to $@ is not checked, potentially leaving $@ uninitialized. | examples.cpp:13:5:13:20 | initDeviceConfig | initDeviceConfig | examples.cpp:37:16:37:21 | config | config |
| test.cpp:22:2:22:17 | call to maybeInitialize1 | The status of this call to $@ is not checked, potentially leaving $@ uninitialized. | test.cpp:4:5:4:20 | maybeInitialize1 | maybeInitialize1 | test.cpp:19:6:19:6 | a | a |
| test.cpp:68:2:68:17 | call to maybeInitialize2 | The status of this call to $@ is not checked, potentially leaving $@ uninitialized. | test.cpp:51:6:51:21 | maybeInitialize2 | maybeInitialize2 | test.cpp:66:6:66:6 | a | a |

1
cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/ConditionallyUninitializedVariable.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql

43
cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/examples.cpp Normal file
View File

@@ -0,0 +1,43 @@
// based on the qhelp
int getMaxDevices();
bool fetchIsDeviceEnabled(int deviceNumber);
int fetchDeviceChannel(int deviceNumber);
void notifyChannel(int channel);
struct DeviceConfig {
bool isEnabled;
int channel;
};
int initDeviceConfig(DeviceConfig *ref, int deviceNumber) {
if (deviceNumber >= getMaxDevices()) {
// No device with that number, return -1 to indicate failure
return -1;
}
// Device with that number, fetch parameters and initialize struct
ref->isEnabled = fetchIsDeviceEnabled(deviceNumber);
ref->channel = fetchDeviceChannel(deviceNumber);
// Return 0 to indicate success
return 0;
}
void notifyGood(int deviceNumber) {
DeviceConfig config;
int statusCode = initDeviceConfig(&config, deviceNumber);
if (statusCode == 0) {
// GOOD: Status code returned by initialization function is checked, so this is safe
if (config.isEnabled) {
notifyChannel(config.channel);
}
}
}
int notifyBad(int deviceNumber) {
DeviceConfig config;
initDeviceConfig(&config, deviceNumber);
// BAD: Using config without checking the status code that is returned
if (config.isEnabled) {
notifyChannel(config.channel);
}
}

96
cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/test.cpp Normal file
View File

@@ -0,0 +1,96 @@
void use(int i);
int maybeInitialize1(int *v)
{
static int resources = 100;
if (resources == 0)
{
return 0; // FAIL
}
*v = resources--;
return 1; // SUCCESS
}
void test1()
{
int a, b, c, d, e, f;
int result1, result2;
maybeInitialize1(&a); // BAD (initialization not checked)
use(a);
if (maybeInitialize1(&b) == 1) // GOOD
{
use(b);
}
if (maybeInitialize1(&c) == 0) // BAD (initialization check is wrong) [NOT DETECTED]
{
use(c);
}
result1 = maybeInitialize1(&d); // BAD (initialization stored but not checked) [NOT DETECTED]
use(d);
result2 = maybeInitialize1(&e); // GOOD
if (result2 == 1)
{
use(e);
}
if (maybeInitialize1(&f) == 0) // GOOD
{
return;
}
use(f);
}
bool maybeInitialize2(int *v)
{
static int resources = 100;
if (resources > 0)
{
*v = resources--;
return true; // SUCCESS
}
return false; // FAIL
}
void test2()
{
int a, b;
maybeInitialize2(&a); // BAD (initialization not checked)
use(a);
if (maybeInitialize2(&b)) // GOOD
{
use(b);
}
}
int alwaysInitialize(int *v)
{
static int resources = 0;
*v = resources++;
return 1; // SUCCESS
}
void test3()
{
int a, b;
alwaysInitialize(&a); // GOOD (initialization never fails)
use(a);
if (alwaysInitialize(&b) == 1) // GOOD
{
use(b);
}
}

1918
cpp/upgrades/98a075d5495d7be7ede26557708cf22cfa3964ef/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

1933
cpp/upgrades/98a075d5495d7be7ede26557708cf22cfa3964ef/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
cpp/upgrades/98a075d5495d7be7ede26557708cf22cfa3964ef/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: Add support for value template parameters.
compatibility: partial