Compare commits
494 Commits
codeql-cli
...
hackathon-
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
1ce091de96 | ||
|
|
deaef2e9da | ||
|
|
2cb100393e | ||
|
|
753d0eec89 | ||
|
|
cb3954e16d | ||
|
|
6b515dc051 | ||
|
|
9a004d8b51 | ||
|
|
f42cfb0f84 | ||
|
|
e7439e636e | ||
|
|
1f062baf06 | ||
|
|
ffa73c39a6 | ||
|
|
db3f8b1b21 | ||
|
|
6d27375f52 | ||
|
|
b2070af9d6 | ||
|
|
be6f0e9b96 | ||
|
|
4575583ebf | ||
|
|
0521851011 | ||
|
|
410a60c2c2 | ||
|
|
174a4f9712 | ||
|
|
5e424ff962 | ||
|
|
01bc801217 | ||
|
|
38cb350103 | ||
|
|
099751b761 | ||
|
|
0be9d0de1f | ||
|
|
ebe27a231f | ||
|
|
011d2b9caa | ||
|
|
19933ca2f8 | ||
|
|
b7b73d4de7 | ||
|
|
e0f368a513 | ||
|
|
6e1f80f597 | ||
|
|
ec10d05964 | ||
|
|
2c0f8e5d0a | ||
|
|
b0a3671040 | ||
|
|
f532961ca7 | ||
|
|
eed4031e05 | ||
|
|
2dcda65a65 | ||
|
|
f5f0d45226 | ||
|
|
e9d1d91823 | ||
|
|
bf40878668 | ||
|
|
785bfaf6f2 | ||
|
|
1bc854850c | ||
|
|
89c16ed22a | ||
|
|
823fefcb7a | ||
|
|
3c0a5260b1 | ||
|
|
685ec84bff | ||
|
|
a639e3eef8 | ||
|
|
78598fc9e8 | ||
|
|
b9234e3603 | ||
|
|
4469acfd8d | ||
|
|
91e0c3df79 | ||
|
|
79a64412cc | ||
|
|
77d4d95714 | ||
|
|
43116d556a | ||
|
|
1e16ea0d75 | ||
|
|
39de0d41dd | ||
|
|
f1688f5c7d | ||
|
|
7d260192c3 | ||
|
|
2e1bccf198 | ||
|
|
445df836f9 | ||
|
|
9878c52ad9 | ||
|
|
a3ec05e45d | ||
|
|
7aff31d669 | ||
|
|
263aecf553 | ||
|
|
b446982fae | ||
|
|
050a18f240 | ||
|
|
658fa944ed | ||
|
|
03473c2147 | ||
|
|
34b21af46f | ||
|
|
cef3ce1cde | ||
|
|
17234d3939 | ||
|
|
9b6d00b737 | ||
|
|
267f9acc4c | ||
|
|
e349611f86 | ||
|
|
c12053287e | ||
|
|
3c82653b63 | ||
|
|
d2cad03e28 | ||
|
|
f05c86239f | ||
|
|
7560573b89 | ||
|
|
70e0b33ce6 | ||
|
|
d1c4e772f0 | ||
|
|
68a7734e08 | ||
|
|
59ee3e16b4 | ||
|
|
865cbab242 | ||
|
|
dfdc502525 | ||
|
|
2e93c1d7b6 | ||
|
|
73138f1913 | ||
|
|
e89d8e2967 | ||
|
|
04338215cd | ||
|
|
06ae374206 | ||
|
|
1638796173 | ||
|
|
2b481bbb48 | ||
|
|
ee35bfb290 | ||
|
|
a7d820ce62 | ||
|
|
14031bf351 | ||
|
|
60b27a4e69 | ||
|
|
e438671846 | ||
|
|
631dc98d72 | ||
|
|
2e5971bb57 | ||
|
|
9eaebfcf60 | ||
|
|
d239a30866 | ||
|
|
fc2142feb4 | ||
|
|
04c90a684c | ||
|
|
b33fcf3719 | ||
|
|
8ccce5891d | ||
|
|
6b48b3643e | ||
|
|
2681617f28 | ||
|
|
0c924c2b27 | ||
|
|
e1c326642c | ||
|
|
6f9a70475d | ||
|
|
22bdcad0c6 | ||
|
|
2783c6dcd0 | ||
|
|
7676ad316c | ||
|
|
a4da1a0748 | ||
|
|
20e95137f4 | ||
|
|
d7d546e97f | ||
|
|
6a673e700b | ||
|
|
5cd74213cc | ||
|
|
cca05e0a82 | ||
|
|
ba098c3b1b | ||
|
|
6045f59721 | ||
|
|
b514bd8d1c | ||
|
|
cc6da2829c | ||
|
|
0b57ecf0c7 | ||
|
|
2d34fec0a2 | ||
|
|
9264b2a6d6 | ||
|
|
abb8d65483 | ||
|
|
43c76468c9 | ||
|
|
0d0152f892 | ||
|
|
1b615e25d8 | ||
|
|
a8fcfd154f | ||
|
|
5604fd7d80 | ||
|
|
97319854e2 | ||
|
|
6f5cfca84c | ||
|
|
cc261bfabb | ||
|
|
98bf748e64 | ||
|
|
7364634a6b | ||
|
|
3af3a72161 | ||
|
|
257d94be20 | ||
|
|
a18f1ef7cd | ||
|
|
f5ea133067 | ||
|
|
f6f6c98306 | ||
|
|
f77fd812a9 | ||
|
|
149fb7bbc2 | ||
|
|
c4d3d505ca | ||
|
|
2c99e70e2b | ||
|
|
401a378598 | ||
|
|
b774ae07c8 | ||
|
|
7834626e26 | ||
|
|
436fd9e736 | ||
|
|
197e5d0267 | ||
|
|
25a2aef623 | ||
|
|
79adc9bfe9 | ||
|
|
25d5104468 | ||
|
|
561b769a79 | ||
|
|
4e0cca9a41 | ||
|
|
60b422a35c | ||
|
|
7588813864 | ||
|
|
69cfc79561 | ||
|
|
befb1ccd84 | ||
|
|
e4edb19f43 | ||
|
|
f24c042d04 | ||
|
|
aa3fd6add0 | ||
|
|
33186ac797 | ||
|
|
82fbae3e5a | ||
|
|
26c048a650 | ||
|
|
e2e4642037 | ||
|
|
7a098dde50 | ||
|
|
9af44ed0a2 | ||
|
|
052166f17e | ||
|
|
96bddde7c1 | ||
|
|
ef15980bb6 | ||
|
|
2416040854 | ||
|
|
047f8e485a | ||
|
|
0ed7b3c3ad | ||
|
|
7371751801 | ||
|
|
826111dc08 | ||
|
|
f2c3d83d9e | ||
|
|
7bd7cc5dbe | ||
|
|
f1b0f1a35d | ||
|
|
7194113a64 | ||
|
|
7691cbce87 | ||
|
|
f84b2a96af | ||
|
|
4f5ecb899b | ||
|
|
ac3f642b45 | ||
|
|
12a579e0aa | ||
|
|
40a7223620 | ||
|
|
d056706af5 | ||
|
|
ef8d38e9e0 | ||
|
|
3d46129bbf | ||
|
|
dd1e71ace9 | ||
|
|
ff529c34b4 | ||
|
|
ca56b0157d | ||
|
|
257fe1ad6b | ||
|
|
a130c0f6b3 | ||
|
|
dd8fb29a65 | ||
|
|
98ddbe0d83 | ||
|
|
bcf76b1ac0 | ||
|
|
1fbe23228e | ||
|
|
bb1945f899 | ||
|
|
640e2f56d5 | ||
|
|
306440ce6e | ||
|
|
29c950035d | ||
|
|
012dc59bf3 | ||
|
|
5723a75f3c | ||
|
|
1f2d9dc95c | ||
|
|
0783758bd1 | ||
|
|
979bcf4ef3 | ||
|
|
94cb09e539 | ||
|
|
3dee16c50c | ||
|
|
288fbfd2ec | ||
|
|
369431125e | ||
|
|
f5633be837 | ||
|
|
418118fc89 | ||
|
|
30891ca4aa | ||
|
|
ace633cb1d | ||
|
|
1a6886cf99 | ||
|
|
eb552b7c93 | ||
|
|
0328a2986d | ||
|
|
999ec7053e | ||
|
|
45bbcccd1a | ||
|
|
30161b0f12 | ||
|
|
d659709695 | ||
|
|
e40c53a340 | ||
|
|
7ba199a8c3 | ||
|
|
d288c4a709 | ||
|
|
4f7fde7b87 | ||
|
|
1fb19191ba | ||
|
|
f48cc1a526 | ||
|
|
b4fd95bd6a | ||
|
|
5b724a7aaf | ||
|
|
dd6c5ba383 | ||
|
|
7b74478e47 | ||
|
|
63fcaca82f | ||
|
|
a0867b4f66 | ||
|
|
c552bc5eb1 | ||
|
|
077e51c6c6 | ||
|
|
4857960f72 | ||
|
|
1998e29639 | ||
|
|
6bd269502f | ||
|
|
f2de449ce4 | ||
|
|
b9952618ff | ||
|
|
b269b79bb3 | ||
|
|
2c5ce3216e | ||
|
|
dde2ad1290 | ||
|
|
f138fc0d2d | ||
|
|
37d03ee0f3 | ||
|
|
1bc8a6de61 | ||
|
|
08383eaea5 | ||
|
|
2c2dccabe9 | ||
|
|
36a846ee32 | ||
|
|
c51c15ae74 | ||
|
|
d26dc68baa | ||
|
|
5f26790b90 | ||
|
|
0668b71538 | ||
|
|
dfffa1e237 | ||
|
|
d8e7c9c986 | ||
|
|
253c658ad2 | ||
|
|
f0e20fa69e | ||
|
|
71c017f053 | ||
|
|
7263d4d650 | ||
|
|
5611a3e417 | ||
|
|
10b3efa667 | ||
|
|
dde9a7cd7e | ||
|
|
75f860595a | ||
|
|
c8301fc5f0 | ||
|
|
95de7495d1 | ||
|
|
72bafd86df | ||
|
|
452b68c0ca | ||
|
|
db1499d5b0 | ||
|
|
b5c92408f4 | ||
|
|
620e8dcb37 | ||
|
|
5b4a8884b4 | ||
|
|
737aab66f5 | ||
|
|
ab6260600e | ||
|
|
10b72a0c39 | ||
|
|
36201105b9 | ||
|
|
e34a9de008 | ||
|
|
9bdc2d1c02 | ||
|
|
212a515fa9 | ||
|
|
d84501d65c | ||
|
|
dcba8e5408 | ||
|
|
8039e117ba | ||
|
|
27a2781954 | ||
|
|
b8a2716ced | ||
|
|
d147faba4e | ||
|
|
1bed9f9003 | ||
|
|
fab6813a49 | ||
|
|
cf696f2639 | ||
|
|
a9a55dfcd6 | ||
|
|
d3e047f078 | ||
|
|
db180d9872 | ||
|
|
e5cc540475 | ||
|
|
c65c2489cf | ||
|
|
db76681744 | ||
|
|
5c36e63dfe | ||
|
|
7531852ea6 | ||
|
|
cd9786a952 | ||
|
|
bad499e360 | ||
|
|
7c3122aade | ||
|
|
007f181ff5 | ||
|
|
90ba3812fe | ||
|
|
e63ddd2071 | ||
|
|
8f8f5f8826 | ||
|
|
584ba80ec7 | ||
|
|
4ad874a089 | ||
|
|
a3ed965032 | ||
|
|
2bd18ab41d | ||
|
|
713695f8f9 | ||
|
|
bb1d5d3c8c | ||
|
|
737e9d8844 | ||
|
|
02ed6e03e2 | ||
|
|
0a4ba8e8c7 | ||
|
|
081a4ad021 | ||
|
|
23d881baa4 | ||
|
|
91a48856c5 | ||
|
|
b97f4401c0 | ||
|
|
11a664d707 | ||
|
|
46e155d327 | ||
|
|
5ab2e30ba3 | ||
|
|
b4534fe9ff | ||
|
|
8099a8c851 | ||
|
|
0f9afca2ab | ||
|
|
2151b6d8c5 | ||
|
|
ad1906e871 | ||
|
|
400f892376 | ||
|
|
5db6afa84a | ||
|
|
da606dd77b | ||
|
|
fc59b7f3a7 | ||
|
|
4fafed2542 | ||
|
|
366b919107 | ||
|
|
2b24298d7f | ||
|
|
7a49d6e9bd | ||
|
|
cb088c3ee1 | ||
|
|
3a0c4c4d6f | ||
|
|
d52f2e510b | ||
|
|
ed8e105452 | ||
|
|
f1cfc5d1b8 | ||
|
|
e3f4bb84d4 | ||
|
|
905583e00a | ||
|
|
e6f31c965e | ||
|
|
b2c8049a77 | ||
|
|
9e5a80ac59 | ||
|
|
7bf7e59017 | ||
|
|
8a8031df0e | ||
|
|
b7b10ce549 | ||
|
|
49b2209c62 | ||
|
|
890cba6e95 | ||
|
|
e89fe8ddde | ||
|
|
98dbbe907e | ||
|
|
7b75a30851 | ||
|
|
20b31d0b4e | ||
|
|
4f6421946c | ||
|
|
9a8ad7d590 | ||
|
|
43f100fd69 | ||
|
|
96646abab9 | ||
|
|
0091b83258 | ||
|
|
8ff38321a3 | ||
|
|
d7760de4c6 | ||
|
|
cca78ca190 | ||
|
|
93eaeaec75 | ||
|
|
9b840aa20c | ||
|
|
8b6a9180dc | ||
|
|
cb7213d87a | ||
|
|
9a4b56162e | ||
|
|
f3482684a6 | ||
|
|
a10f94af81 | ||
|
|
de3d15b277 | ||
|
|
114b694553 | ||
|
|
216cd88225 | ||
|
|
c5d2866948 | ||
|
|
635bcd4fa2 | ||
|
|
74a195b4f4 | ||
|
|
e9800d11b6 | ||
|
|
40a07de566 | ||
|
|
ca334021ad | ||
|
|
69ab389d9f | ||
|
|
da2215e7e5 | ||
|
|
30f0b8ab2b | ||
|
|
b2f1022e5c | ||
|
|
078f223052 | ||
|
|
a5e7ef424e | ||
|
|
84e58b77aa | ||
|
|
3092640115 | ||
|
|
143e1680bd | ||
|
|
d7c97d9d92 | ||
|
|
30925da7d9 | ||
|
|
d25c24b64d | ||
|
|
5a7cb8f25a | ||
|
|
799873113f | ||
|
|
f8feb84958 | ||
|
|
6a1504b91c | ||
|
|
947b094387 | ||
|
|
009d58034f | ||
|
|
fd750a3bf0 | ||
|
|
2eb67549e6 | ||
|
|
afe318edbe | ||
|
|
8b628e3ad3 | ||
|
|
c49f05aa2b | ||
|
|
96b4a12af7 | ||
|
|
697c3df74a | ||
|
|
1040561ec1 | ||
|
|
615a128770 | ||
|
|
a6fe620bcb | ||
|
|
3a38f3b947 | ||
|
|
0ae04de7f0 | ||
|
|
8a24daf293 | ||
|
|
72af41b196 | ||
|
|
64bf6cc62b | ||
|
|
1ac3a9e8d3 | ||
|
|
e0879969c9 | ||
|
|
aaa8f9c41f | ||
|
|
2b897a9825 | ||
|
|
5af3e119a6 | ||
|
|
7877082869 | ||
|
|
7129ffc199 | ||
|
|
1f5be03137 | ||
|
|
423c85377b | ||
|
|
8b126fe51a | ||
|
|
1ed4d2ada7 | ||
|
|
1e915720e9 | ||
|
|
d5f254781e | ||
|
|
fa1fa0d19d | ||
|
|
74f1344ac5 | ||
|
|
a46a7fadb2 | ||
|
|
fdefcd6a84 | ||
|
|
9178cec0e6 | ||
|
|
b1702ab87e | ||
|
|
9548a0e8fb | ||
|
|
ba672e5b35 | ||
|
|
2cea720f6e | ||
|
|
dbdf9e1a4f | ||
|
|
ec7309c735 | ||
|
|
9f63613cf8 | ||
|
|
e576650293 | ||
|
|
47ef123601 | ||
|
|
bf59c94d24 | ||
|
|
2f50618e62 | ||
|
|
5468767fa0 | ||
|
|
a007d6edb0 | ||
|
|
1c0aa679a6 | ||
|
|
4317e58414 | ||
|
|
78a6522190 | ||
|
|
95395322a8 | ||
|
|
1eb1293230 | ||
|
|
cfdeb0edf5 | ||
|
|
e1c47f5584 | ||
|
|
ffc27b5301 | ||
|
|
c3fa3f26a7 | ||
|
|
943b2a2ed1 | ||
|
|
c85d99d949 | ||
|
|
3023d3b8c0 | ||
|
|
4943fc5a57 | ||
|
|
851c30e797 | ||
|
|
ea4761d3b6 | ||
|
|
36f0a78450 | ||
|
|
d7f1e19d40 | ||
|
|
cc5dd3180a | ||
|
|
c858e4974d | ||
|
|
75e6de8311 | ||
|
|
f67c68da9a | ||
|
|
878299823c | ||
|
|
9cd1e0e546 | ||
|
|
e8209a6a10 | ||
|
|
2e77b8d3c2 | ||
|
|
c397f707a1 | ||
|
|
01e7d57dba | ||
|
|
7f4bcdfa64 | ||
|
|
eecf32db4d | ||
|
|
4192d09e5c | ||
|
|
b4d89f7554 | ||
|
|
3d45944649 | ||
|
|
bd62ec294e | ||
|
|
1067dd9dd3 | ||
|
|
ec075f8fbe | ||
|
|
e8f548ab52 | ||
|
|
24687b4156 | ||
|
|
8b23140a08 | ||
|
|
60e7786b04 | ||
|
|
46e44a0036 | ||
|
|
e3dbdc3887 | ||
|
|
a24e168ec0 | ||
|
|
242f7e1c53 | ||
|
|
18edef6ea4 | ||
|
|
bbeb7b39d7 | ||
|
|
a23904ca39 | ||
|
|
3ab5fd5ca4 | ||
|
|
97c27ac11b | ||
|
|
58f4cd77dc | ||
|
|
0eb0c238f3 | ||
|
|
bafe357500 | ||
|
|
0c40223192 | ||
|
|
a8aeb1d03e | ||
|
|
522a2e2594 | ||
|
|
54a44777b7 |
@@ -8,6 +8,8 @@
|
|||||||
/swift/ @github/codeql-swift
|
/swift/ @github/codeql-swift
|
||||||
/misc/codegen/ @github/codeql-swift
|
/misc/codegen/ @github/codeql-swift
|
||||||
/java/kotlin-extractor/ @github/codeql-kotlin
|
/java/kotlin-extractor/ @github/codeql-kotlin
|
||||||
|
/java/ql/test-kotlin1/ @github/codeql-kotlin
|
||||||
|
/java/ql/test-kotlin2/ @github/codeql-kotlin
|
||||||
|
|
||||||
# ML-powered queries
|
# ML-powered queries
|
||||||
/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
|
/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
provide:
|
provide:
|
||||||
- "*/ql/src/qlpack.yml"
|
- "*/ql/src/qlpack.yml"
|
||||||
- "*/ql/lib/qlpack.yml"
|
- "*/ql/lib/qlpack.yml"
|
||||||
- "*/ql/test/qlpack.yml"
|
- "*/ql/test*/qlpack.yml"
|
||||||
- "*/ql/examples/qlpack.yml"
|
- "*/ql/examples/qlpack.yml"
|
||||||
- "*/ql/consistency-queries/qlpack.yml"
|
- "*/ql/consistency-queries/qlpack.yml"
|
||||||
- "*/ql/automodel/src/qlpack.yml"
|
- "*/ql/automodel/src/qlpack.yml"
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/cpp-all
|
name: codeql/cpp-all
|
||||||
version: 0.12.0
|
version: 0.12.1-dev
|
||||||
groups: cpp
|
groups: cpp
|
||||||
dbscheme: semmlecode.cpp.dbscheme
|
dbscheme: semmlecode.cpp.dbscheme
|
||||||
extractor: cpp
|
extractor: cpp
|
||||||
|
|||||||
@@ -30,11 +30,6 @@ class GuardCondition extends Expr {
|
|||||||
or
|
or
|
||||||
// no binary operators in the IR
|
// no binary operators in the IR
|
||||||
this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
|
this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
|
||||||
or
|
|
||||||
// the IR short-circuits if(!x)
|
|
||||||
// don't produce a guard condition for `y = !x` and other non-short-circuited cases
|
|
||||||
not exists(Instruction inst | this.getFullyConverted() = inst.getAst()) and
|
|
||||||
exists(IRGuardCondition ir | this.(NotExpr).getOperand() = ir.getAst())
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -140,39 +135,6 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* A `!` operator in the AST that guards one or more basic blocks, and does not have a corresponding
|
|
||||||
* IR instruction.
|
|
||||||
*/
|
|
||||||
private class GuardConditionFromShortCircuitNot extends GuardCondition, NotExpr {
|
|
||||||
GuardConditionFromShortCircuitNot() {
|
|
||||||
not exists(Instruction inst | this.getFullyConverted() = inst.getAst()) and
|
|
||||||
exists(IRGuardCondition ir | this.getOperand() = ir.getAst())
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate controls(BasicBlock controlled, boolean testIsTrue) {
|
|
||||||
this.getOperand().(GuardCondition).controls(controlled, testIsTrue.booleanNot())
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
|
|
||||||
this.getOperand()
|
|
||||||
.(GuardCondition)
|
|
||||||
.comparesLt(left, right, k, isLessThan, testIsTrue.booleanNot())
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
|
|
||||||
this.getOperand().(GuardCondition).ensuresLt(left, right, k, block, isLessThan.booleanNot())
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
|
|
||||||
this.getOperand().(GuardCondition).comparesEq(left, right, k, areEqual, testIsTrue.booleanNot())
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
|
|
||||||
this.getOperand().(GuardCondition).ensuresEq(left, right, k, block, areEqual.booleanNot())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A Boolean condition in the AST that guards one or more basic blocks and has a corresponding IR
|
* A Boolean condition in the AST that guards one or more basic blocks and has a corresponding IR
|
||||||
* instruction.
|
* instruction.
|
||||||
|
|||||||
@@ -645,6 +645,24 @@ class GlobalLikeVariable extends Variable {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the smallest indirection for the type `t`.
|
||||||
|
*
|
||||||
|
* For most types this is `1`, but for `ArrayType`s (which are allocated on
|
||||||
|
* the stack) this is `0`
|
||||||
|
*/
|
||||||
|
int getMinIndirectionsForType(Type t) {
|
||||||
|
if t.getUnspecifiedType() instanceof Cpp::ArrayType then result = 0 else result = 1
|
||||||
|
}
|
||||||
|
|
||||||
|
private int getMinIndirectionForGlobalUse(Ssa::GlobalUse use) {
|
||||||
|
result = getMinIndirectionsForType(use.getUnspecifiedType())
|
||||||
|
}
|
||||||
|
|
||||||
|
private int getMinIndirectionForGlobalDef(Ssa::GlobalDef def) {
|
||||||
|
result = getMinIndirectionsForType(def.getUnspecifiedType())
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if data can flow from `node1` to `node2` in a way that loses the
|
* Holds if data can flow from `node1` to `node2` in a way that loses the
|
||||||
* calling context. For example, this would happen with flow through a
|
* calling context. For example, this would happen with flow through a
|
||||||
@@ -656,7 +674,7 @@ predicate jumpStep(Node n1, Node n2) {
|
|||||||
v = globalUse.getVariable() and
|
v = globalUse.getVariable() and
|
||||||
n1.(FinalGlobalValue).getGlobalUse() = globalUse
|
n1.(FinalGlobalValue).getGlobalUse() = globalUse
|
||||||
|
|
|
|
||||||
globalUse.getIndirection() = 1 and
|
globalUse.getIndirection() = getMinIndirectionForGlobalUse(globalUse) and
|
||||||
v = n2.asVariable()
|
v = n2.asVariable()
|
||||||
or
|
or
|
||||||
v = n2.asIndirectVariable(globalUse.getIndirection())
|
v = n2.asIndirectVariable(globalUse.getIndirection())
|
||||||
@@ -666,7 +684,7 @@ predicate jumpStep(Node n1, Node n2) {
|
|||||||
v = globalDef.getVariable() and
|
v = globalDef.getVariable() and
|
||||||
n2.(InitialGlobalValue).getGlobalDef() = globalDef
|
n2.(InitialGlobalValue).getGlobalDef() = globalDef
|
||||||
|
|
|
|
||||||
globalDef.getIndirection() = 1 and
|
globalDef.getIndirection() = getMinIndirectionForGlobalDef(globalDef) and
|
||||||
v = n1.asVariable()
|
v = n1.asVariable()
|
||||||
or
|
or
|
||||||
v = n1.asIndirectVariable(globalDef.getIndirection())
|
v = n1.asIndirectVariable(globalDef.getIndirection())
|
||||||
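Review bot: The doc comment on `getMinIndirectionsForType` explains the `0` case with "(which are allocated on the stack)", but the two helpers added directly below apply it to `Ssa::GlobalUse` and `Ssa::GlobalDef`, where that explanation does not fit an array-typed global. I would drop the parenthetical and state the rule directly, e.g. `* For most types this is 1, but for array types this is 0 because the variable itself denotes the array storage.` (wording for the author to confirm). The naming also drifts between `getMinIndirectionsForType` and `getMinIndirectionForGlobalUse`/`getMinIndirectionForGlobalDef`; one spelling would be easier to search for. `jumpStep` starts and ends outside the hunks shown here.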
|
|||||||
@@ -34,7 +34,8 @@ cached
|
|||||||
private newtype TIRDataFlowNode =
|
private newtype TIRDataFlowNode =
|
||||||
TNode0(Node0Impl node) { DataFlowImplCommon::forceCachingInSameStage() } or
|
TNode0(Node0Impl node) { DataFlowImplCommon::forceCachingInSameStage() } or
|
||||||
TVariableNode(Variable var, int indirectionIndex) {
|
TVariableNode(Variable var, int indirectionIndex) {
|
||||||
indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(var.getUnspecifiedType())]
|
indirectionIndex =
|
||||||
|
[getMinIndirectionsForType(var.getUnspecifiedType()) .. Ssa::getMaxIndirectionsForType(var.getUnspecifiedType())]
|
||||||
} or
|
} or
|
||||||
TPostFieldUpdateNode(FieldAddress operand, int indirectionIndex) {
|
TPostFieldUpdateNode(FieldAddress operand, int indirectionIndex) {
|
||||||
indirectionIndex =
|
indirectionIndex =
|
||||||
@@ -346,7 +347,9 @@ class Node extends TIRDataFlowNode {
|
|||||||
* Gets the variable corresponding to this node, if any. This can be used for
|
* Gets the variable corresponding to this node, if any. This can be used for
|
||||||
* modeling flow in and out of global variables.
|
* modeling flow in and out of global variables.
|
||||||
*/
|
*/
|
||||||
Variable asVariable() { this = TVariableNode(result, 1) }
|
Variable asVariable() {
|
||||||
|
this = TVariableNode(result, getMinIndirectionsForType(result.getUnspecifiedType()))
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the `indirectionIndex`'th indirection of this node's underlying variable, if any.
|
* Gets the `indirectionIndex`'th indirection of this node's underlying variable, if any.
|
||||||
@@ -354,7 +357,7 @@ class Node extends TIRDataFlowNode {
|
|||||||
* This can be used for modeling flow in and out of global variables.
|
* This can be used for modeling flow in and out of global variables.
|
||||||
*/
|
*/
|
||||||
Variable asIndirectVariable(int indirectionIndex) {
|
Variable asIndirectVariable(int indirectionIndex) {
|
||||||
indirectionIndex > 1 and
|
indirectionIndex > getMinIndirectionsForType(result.getUnspecifiedType()) and
|
||||||
this = TVariableNode(result, indirectionIndex)
|
this = TVariableNode(result, indirectionIndex)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1273,31 +1276,90 @@ abstract private class IndirectExprNodeBase extends Node {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
|
/** A signature for converting an indirect node to an expression. */
|
||||||
{
|
private signature module IndirectNodeToIndirectExprSig {
|
||||||
IndirectOperandIndirectExprNode() {
|
/** The indirect node class to be converted to an expression */
|
||||||
exists(Expr e, int n, int indirectionIndex |
|
class IndirectNode;
|
||||||
indirectExprNodeShouldBeIndirectOperand(this, e, n, indirectionIndex) and
|
|
||||||
not indirectExprNodeShouldBeIndirectOperand(_, e, n + 1, indirectionIndex)
|
/**
|
||||||
)
|
* Holds if the indirect expression at indirection index `indirectionIndex`
|
||||||
|
* of `node` is `e`. The integer `n` specifies how many conversions has been
|
||||||
|
* applied to `node`.
|
||||||
|
*/
|
||||||
|
predicate indirectNodeHasIndirectExpr(IndirectNode node, Expr e, int n, int indirectionIndex);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A module that implements the logic for deciding whether an indirect node
|
||||||
|
* should be an `IndirectExprNode`.
|
||||||
|
*/
|
||||||
|
private module IndirectNodeToIndirectExpr<IndirectNodeToIndirectExprSig Sig> {
|
||||||
|
import Sig
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This predicate shifts the indirection index by one when `conv` is a
|
||||||
|
* `ReferenceDereferenceExpr`.
|
||||||
|
*
|
||||||
|
* This is necessary because `ReferenceDereferenceExpr` is a conversion
|
||||||
|
* in the AST, but appears as a `LoadInstruction` in the IR.
|
||||||
|
*/
|
||||||
|
bindingset[e, indirectionIndex]
|
||||||
|
private predicate adjustForReference(
|
||||||
|
Expr e, int indirectionIndex, Expr conv, int adjustedIndirectionIndex
|
||||||
|
) {
|
||||||
|
conv.(ReferenceDereferenceExpr).getExpr() = e and
|
||||||
|
adjustedIndirectionIndex = indirectionIndex - 1
|
||||||
|
or
|
||||||
|
not conv instanceof ReferenceDereferenceExpr and
|
||||||
|
conv = e and
|
||||||
|
adjustedIndirectionIndex = indirectionIndex
|
||||||
}
|
}
|
||||||
|
|
||||||
final override Expr getConvertedExpr(int n, int index) {
|
/** Holds if `node` should be an `IndirectExprNode`. */
|
||||||
indirectExprNodeShouldBeIndirectOperand(this, result, n, index)
|
predicate charpred(IndirectNode node) {
|
||||||
|
exists(Expr e, int n, int indirectionIndex |
|
||||||
|
indirectNodeHasIndirectExpr(node, e, n, indirectionIndex) and
|
||||||
|
not exists(Expr conv, int adjustedIndirectionIndex |
|
||||||
|
adjustForReference(e, indirectionIndex, conv, adjustedIndirectionIndex) and
|
||||||
|
indirectNodeHasIndirectExpr(_, conv, n + 1, adjustedIndirectionIndex)
|
||||||
|
)
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
|
private module IndirectOperandIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
|
||||||
|
class IndirectNode = IndirectOperand;
|
||||||
|
|
||||||
|
predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectOperand/4;
|
||||||
|
}
|
||||||
|
|
||||||
|
module IndirectOperandToIndirectExpr =
|
||||||
|
IndirectNodeToIndirectExpr<IndirectOperandIndirectExprNodeImpl>;
|
||||||
|
|
||||||
|
private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
|
||||||
{
|
{
|
||||||
IndirectInstructionIndirectExprNode() {
|
IndirectOperandIndirectExprNode() { IndirectOperandToIndirectExpr::charpred(this) }
|
||||||
exists(Expr e, int n, int indirectionIndex |
|
|
||||||
indirectExprNodeShouldBeIndirectInstruction(this, e, n, indirectionIndex) and
|
|
||||||
not indirectExprNodeShouldBeIndirectInstruction(_, e, n + 1, indirectionIndex)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
final override Expr getConvertedExpr(int n, int index) {
|
final override Expr getConvertedExpr(int n, int index) {
|
||||||
indirectExprNodeShouldBeIndirectInstruction(this, result, n, index)
|
IndirectOperandToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private module IndirectInstructionIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
|
||||||
|
class IndirectNode = IndirectInstruction;
|
||||||
|
|
||||||
|
predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectInstruction/4;
|
||||||
|
}
|
||||||
|
|
||||||
|
module IndirectInstructionToIndirectExpr =
|
||||||
|
IndirectNodeToIndirectExpr<IndirectInstructionIndirectExprNodeImpl>;
|
||||||
|
|
||||||
|
private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
|
||||||
|
{
|
||||||
|
IndirectInstructionIndirectExprNode() { IndirectInstructionToIndirectExpr::charpred(this) }
|
||||||
|
|
||||||
|
final override Expr getConvertedExpr(int n, int index) {
|
||||||
|
IndirectInstructionToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
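Review bot: `IndirectOperandToIndirectExpr` and `IndirectInstructionToIndirectExpr` are declared without `private`, while the signature, the parameterised module and both `...Impl` modules in this section are private. If nothing outside this file is meant to use them, `private module IndirectOperandToIndirectExpr =` (and the same for the instruction variant) keeps the file's public surface unchanged; if they are meant to be public, each should get a QLDoc comment. Separately, the doc comments on `asVariable` and `asIndirectVariable` are unchanged although the minimum index now depends on the variable's type, so a sentence stating that array-typed variables start at indirection 0 would help callers.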
|
|||||||
@@ -59,6 +59,9 @@ private module SourceVariables {
|
|||||||
then result = base.getType()
|
then result = base.getType()
|
||||||
else result = getTypeImpl(base.getType(), ind - 1)
|
else result = getTypeImpl(base.getType(), ind - 1)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Gets the location of this variable. */
|
||||||
|
Location getLocation() { result = this.getBaseVariable().getLocation() }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -869,7 +872,7 @@ private predicate sourceVariableIsGlobal(
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
private module SsaInput implements SsaImplCommon::InputSig {
|
private module SsaInput implements SsaImplCommon::InputSig<Location> {
|
||||||
import InputSigCommon
|
import InputSigCommon
|
||||||
import SourceVariables
|
import SourceVariables
|
||||||
|
|
||||||
@@ -1092,7 +1095,7 @@ class Def extends DefOrUse {
|
|||||||
predicate isCertain() { defOrUse.isCertain() }
|
predicate isCertain() { defOrUse.isCertain() }
|
||||||
}
|
}
|
||||||
|
|
||||||
private module SsaImpl = SsaImplCommon::Make<SsaInput>;
|
private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;
|
||||||
|
|
||||||
class PhiNode extends SsaImpl::DefinitionExt {
|
class PhiNode extends SsaImpl::DefinitionExt {
|
||||||
PhiNode() {
|
PhiNode() {
|
||||||
|
|||||||
@@ -377,6 +377,9 @@ abstract private class AbstractBaseSourceVariable extends TBaseSourceVariable {
|
|||||||
/** Gets a textual representation of this element. */
|
/** Gets a textual representation of this element. */
|
||||||
abstract string toString();
|
abstract string toString();
|
||||||
|
|
||||||
|
/** Gets the location of this variable. */
|
||||||
|
abstract Location getLocation();
|
||||||
|
|
||||||
/** Gets the type of this base source variable. */
|
/** Gets the type of this base source variable. */
|
||||||
final DataFlowType getType() { this.getLanguageType().hasUnspecifiedType(result, _) }
|
final DataFlowType getType() { this.getLanguageType().hasUnspecifiedType(result, _) }
|
||||||
|
|
||||||
@@ -395,6 +398,8 @@ class BaseIRVariable extends AbstractBaseSourceVariable, TBaseIRVariable {
|
|||||||
|
|
||||||
override string toString() { result = var.toString() }
|
override string toString() { result = var.toString() }
|
||||||
|
|
||||||
|
override Location getLocation() { result = var.getLocation() }
|
||||||
|
|
||||||
override CppType getLanguageType() { result = var.getLanguageType() }
|
override CppType getLanguageType() { result = var.getLanguageType() }
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -407,6 +412,8 @@ class BaseCallVariable extends AbstractBaseSourceVariable, TBaseCallVariable {
|
|||||||
|
|
||||||
override string toString() { result = call.toString() }
|
override string toString() { result = call.toString() }
|
||||||
|
|
||||||
|
override Location getLocation() { result = call.getLocation() }
|
||||||
|
|
||||||
override CppType getLanguageType() { result = getResultLanguageType(call) }
|
override CppType getLanguageType() { result = getResultLanguageType(call) }
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -872,7 +879,7 @@ private module Cached {
|
|||||||
upper = countIndirectionsForCppType(type) and
|
upper = countIndirectionsForCppType(type) and
|
||||||
ind = ind0 + [lower .. upper] and
|
ind = ind0 + [lower .. upper] and
|
||||||
indirectionIndex = ind - (ind0 + lower) and
|
indirectionIndex = ind - (ind0 + lower) and
|
||||||
(if type.hasType(any(Cpp::ArrayType arrayType), true) then lower = 0 else lower = 1)
|
lower = getMinIndirectionsForType(any(Type t | type.hasUnspecifiedType(t, _)))
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
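Review bot: In the last hunk, the replaced condition `type.hasType(any(Cpp::ArrayType arrayType), true)` fixed the second argument to `true`, whereas the new `type.hasUnspecifiedType(t, _)` accepts either value and also matches on the unspecified type. That looks like it changes which operands get `lower = 0`, beyond the refactoring to `getMinIndirectionsForType`. If it is intended, a short comment such as `// typedef'd or qualified array types also start at indirection 0` would record it. The enclosing predicate begins outside the hunk, so the effect on `ind0` cannot be checked from here.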
|
|||||||
@@ -72,6 +72,16 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
|
|||||||
or
|
or
|
||||||
instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
|
instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
|
||||||
)
|
)
|
||||||
|
or
|
||||||
|
// Taint from int to boolean casts. This ensures that we have flow to `!x` in:
|
||||||
|
// ```cpp
|
||||||
|
// x = integer_source();
|
||||||
|
// if(!x) { ... }
|
||||||
|
// ```
|
||||||
|
exists(Operand zero |
|
||||||
|
zero.getDef().(ConstantValueInstruction).getValue() = "0" and
|
||||||
|
instrTo.(CompareNEInstruction).hasOperands(opFrom, zero)
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
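Review bot: The added disjunct in `operandToInstructionTaintStep` matches any `CompareNEInstruction` whose other operand is the constant `"0"`, so taint also flows through an explicit `x != 0` written in the source, not only through the implicit int-to-bool conversion the comment describes. Booleans derived from tainted integers will therefore be treated as tainted, which may add results to existing taint queries. The comment should say so, e.g. `// This also covers explicit comparisons against the literal 0.` The match on the string `"0"` presumably skips zero constants that print differently; please confirm that is intended. The predicate's body starts outside the hunk.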
|
|||||||
@@ -229,7 +229,7 @@ private class FinalParameterUse extends UseImpl, TFinalParameterUse {
|
|||||||
override predicate isCertain() { any() }
|
override predicate isCertain() { any() }
|
||||||
}
|
}
|
||||||
|
|
||||||
private module SsaInput implements SsaImplCommon::InputSig {
|
private module SsaInput implements SsaImplCommon::InputSig<Location> {
|
||||||
import InputSigCommon
|
import InputSigCommon
|
||||||
import SourceVariables
|
import SourceVariables
|
||||||
|
|
||||||
@@ -335,7 +335,7 @@ class Def extends DefOrUse {
|
|||||||
predicate isIteratorDef() { defOrUse instanceof IteratorDef }
|
predicate isIteratorDef() { defOrUse instanceof IteratorDef }
|
||||||
}
|
}
|
||||||
|
|
||||||
private module SsaImpl = SsaImplCommon::Make<SsaInput>;
|
private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;
|
||||||
|
|
||||||
class PhiNode extends SsaImpl::DefinitionExt {
|
class PhiNode extends SsaImpl::DefinitionExt {
|
||||||
PhiNode() {
|
PhiNode() {
|
||||||
|
|||||||
@@ -12,6 +12,9 @@ int getConstantValue(Instruction instr) {
|
|||||||
or
|
or
|
||||||
result = getConstantValue(instr.(CopyInstruction).getSourceValue())
|
result = getConstantValue(instr.(CopyInstruction).getSourceValue())
|
||||||
or
|
or
|
||||||
|
getConstantValue(instr.(LogicalNotInstruction).getUnary()) != 0 and
|
||||||
|
result = 0
|
||||||
|
or
|
||||||
exists(PhiInstruction phi |
|
exists(PhiInstruction phi |
|
||||||
phi = instr and
|
phi = instr and
|
||||||
result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
|
result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
|
||||||
@@ -26,28 +29,25 @@ private predicate binaryInstructionOperands(BinaryInstruction instr, int left, i
|
|||||||
|
|
||||||
pragma[noinline]
|
pragma[noinline]
|
||||||
private int getBinaryInstructionValue(BinaryInstruction instr) {
|
private int getBinaryInstructionValue(BinaryInstruction instr) {
|
||||||
exists(int left, int right |
|
exists(int left, int right | binaryInstructionOperands(instr, left, right) |
|
||||||
binaryInstructionOperands(instr, left, right) and
|
instr instanceof AddInstruction and result = add(left, right)
|
||||||
(
|
or
|
||||||
instr instanceof AddInstruction and result = add(left, right)
|
instr instanceof SubInstruction and result = sub(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof SubInstruction and result = sub(left, right)
|
instr instanceof MulInstruction and result = mul(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof MulInstruction and result = mul(left, right)
|
instr instanceof DivInstruction and result = div(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof DivInstruction and result = div(left, right)
|
instr instanceof CompareEQInstruction and result = compareEQ(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareEQInstruction and result = compareEQ(left, right)
|
instr instanceof CompareNEInstruction and result = compareNE(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareNEInstruction and result = compareNE(left, right)
|
instr instanceof CompareLTInstruction and result = compareLT(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareLTInstruction and result = compareLT(left, right)
|
instr instanceof CompareGTInstruction and result = compareGT(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareGTInstruction and result = compareGT(left, right)
|
instr instanceof CompareLEInstruction and result = compareLE(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareLEInstruction and result = compareLE(left, right)
|
instr instanceof CompareGEInstruction and result = compareGE(left, right)
|
||||||
or
|
|
||||||
instr instanceof CompareGEInstruction and result = compareGE(left, right)
|
|
||||||
)
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
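Review bot: The new `LogicalNotInstruction` case in `getConstantValue` folds only a non-zero operand to `0`; a constant-zero operand gets no value from this disjunct, so `!0` is not recognised as a constant. If that is an oversight, the matching disjunct would be `getConstantValue(instr.(LogicalNotInstruction).getUnary()) = 0 and result = 1`; if it is deliberate, a one-line comment explaining why would help. The identical change appears in the next file section, which runs past the end of this view. `getConstantValue` starts outside the hunk.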
|
|||||||
@@ -12,6 +12,9 @@ int getConstantValue(Instruction instr) {
|
|||||||
or
|
or
|
||||||
result = getConstantValue(instr.(CopyInstruction).getSourceValue())
|
result = getConstantValue(instr.(CopyInstruction).getSourceValue())
|
||||||
or
|
or
|
||||||
|
getConstantValue(instr.(LogicalNotInstruction).getUnary()) != 0 and
|
||||||
|
result = 0
|
||||||
|
or
|
||||||
exists(PhiInstruction phi |
|
exists(PhiInstruction phi |
|
||||||
phi = instr and
|
phi = instr and
|
||||||
result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
|
result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
|
||||||
@@ -26,28 +29,25 @@ private predicate binaryInstructionOperands(BinaryInstruction instr, int left, i
|
|||||||
|
|
||||||
pragma[noinline]
|
pragma[noinline]
|
||||||
private int getBinaryInstructionValue(BinaryInstruction instr) {
|
private int getBinaryInstructionValue(BinaryInstruction instr) {
|
||||||
exists(int left, int right |
|
exists(int left, int right | binaryInstructionOperands(instr, left, right) |
|
||||||
binaryInstructionOperands(instr, left, right) and
|
instr instanceof AddInstruction and result = add(left, right)
|
||||||
(
|
or
|
||||||
instr instanceof AddInstruction and result = add(left, right)
|
instr instanceof SubInstruction and result = sub(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof SubInstruction and result = sub(left, right)
|
instr instanceof MulInstruction and result = mul(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof MulInstruction and result = mul(left, right)
|
instr instanceof DivInstruction and result = div(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof DivInstruction and result = div(left, right)
|
instr instanceof CompareEQInstruction and result = compareEQ(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareEQInstruction and result = compareEQ(left, right)
|
instr instanceof CompareNEInstruction and result = compareNE(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareNEInstruction and result = compareNE(left, right)
|
instr instanceof CompareLTInstruction and result = compareLT(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareLTInstruction and result = compareLT(left, right)
|
instr instanceof CompareGTInstruction and result = compareGT(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareGTInstruction and result = compareGT(left, right)
|
instr instanceof CompareLEInstruction and result = compareLE(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareLEInstruction and result = compareLE(left, right)
|
instr instanceof CompareGEInstruction and result = compareGE(left, right)
|
||||||
or
|
|
||||||
instr instanceof CompareGEInstruction and result = compareGE(left, right)
|
|
||||||
)
|
|
||||||
)
|
)
|
||||||
}
|
}
|
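Review bot: The new `LogicalNotInstruction` disjunct in `getConstantValue` folds only a non-zero operand to `0`; an operand whose constant value is `0` gets no result, although `!0` would normally be the constant `1`. If the omission is deliberate, say so in a comment on the disjunct; otherwise add the symmetric case `getConstantValue(instr.(LogicalNotInstruction).getUnary()) = 0 and result = 1`. The identical hunk appears again in the later copy of this file section (the second `@@ -12,6 +12,9 @@` further down), so the same applies there. The body of `getConstantValue` starts outside the hunk.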
||||||
|
|||||||
@@ -77,24 +77,6 @@ class TranslatedParenthesisCondition extends TranslatedFlexibleCondition {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
class TranslatedNotCondition extends TranslatedFlexibleCondition {
|
|
||||||
override NotExpr expr;
|
|
||||||
|
|
||||||
override Instruction getChildTrueSuccessor(TranslatedCondition child) {
|
|
||||||
child = this.getOperand() and
|
|
||||||
result = this.getConditionContext().getChildFalseSuccessor(this)
|
|
||||||
}
|
|
||||||
|
|
||||||
override Instruction getChildFalseSuccessor(TranslatedCondition child) {
|
|
||||||
child = this.getOperand() and
|
|
||||||
result = this.getConditionContext().getChildTrueSuccessor(this)
|
|
||||||
}
|
|
||||||
|
|
||||||
override TranslatedCondition getOperand() {
|
|
||||||
result = getTranslatedCondition(expr.getOperand().getFullyConverted())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
abstract class TranslatedNativeCondition extends TranslatedCondition, TTranslatedNativeCondition {
|
abstract class TranslatedNativeCondition extends TranslatedCondition, TTranslatedNativeCondition {
|
||||||
TranslatedNativeCondition() { this = TTranslatedNativeCondition(expr) }
|
TranslatedNativeCondition() { this = TTranslatedNativeCondition(expr) }
|
||||||
|
|
||||||
|
|||||||
@@ -190,10 +190,7 @@ private predicate isNativeCondition(Expr expr) {
|
|||||||
* depending on context.
|
* depending on context.
|
||||||
*/
|
*/
|
||||||
private predicate isFlexibleCondition(Expr expr) {
|
private predicate isFlexibleCondition(Expr expr) {
|
||||||
(
|
expr instanceof ParenthesisExpr and
|
||||||
expr instanceof ParenthesisExpr or
|
|
||||||
expr instanceof NotExpr
|
|
||||||
) and
|
|
||||||
usedAsCondition(expr) and
|
usedAsCondition(expr) and
|
||||||
not isIRConstant(expr)
|
not isIRConstant(expr)
|
||||||
}
|
}
|
||||||
@@ -218,11 +215,6 @@ private predicate usedAsCondition(Expr expr) {
|
|||||||
condExpr.getCondition().getFullyConverted() = expr and not condExpr.isTwoOperand()
|
condExpr.getCondition().getFullyConverted() = expr and not condExpr.isTwoOperand()
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
exists(NotExpr notExpr |
|
|
||||||
notExpr.getOperand().getFullyConverted() = expr and
|
|
||||||
usedAsCondition(notExpr)
|
|
||||||
)
|
|
||||||
or
|
|
||||||
exists(ParenthesisExpr paren |
|
exists(ParenthesisExpr paren |
|
||||||
paren.getExpr() = expr and
|
paren.getExpr() = expr and
|
||||||
usedAsCondition(paren)
|
usedAsCondition(paren)
|
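Review bot: With `TranslatedNotCondition` deleted and `NotExpr` dropped from both `isFlexibleCondition` and `usedAsCondition`, nothing in these hunks says how a `!e` condition is translated now. Presumably it falls through to `isNativeCondition` and is evaluated as a value before the branch, but that predicate lies outside the hunks. The QLDoc above `isFlexibleCondition` (only its last line is visible) should be checked so it no longer mentions `!`, and a line such as `// '!e' is not translated as control flow; it is computed as a value and branched on.` would record the intent. Guard-based barriers reason over this branch structure, so an IR test for a negated short-circuit condition would pin the intended shape.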
||||||
|
|||||||
@@ -12,6 +12,9 @@ int getConstantValue(Instruction instr) {
|
|||||||
or
|
or
|
||||||
result = getConstantValue(instr.(CopyInstruction).getSourceValue())
|
result = getConstantValue(instr.(CopyInstruction).getSourceValue())
|
||||||
or
|
or
|
||||||
|
getConstantValue(instr.(LogicalNotInstruction).getUnary()) != 0 and
|
||||||
|
result = 0
|
||||||
|
or
|
||||||
exists(PhiInstruction phi |
|
exists(PhiInstruction phi |
|
||||||
phi = instr and
|
phi = instr and
|
||||||
result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
|
result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
|
||||||
@@ -26,28 +29,25 @@ private predicate binaryInstructionOperands(BinaryInstruction instr, int left, i
|
|||||||
|
|
||||||
pragma[noinline]
|
pragma[noinline]
|
||||||
private int getBinaryInstructionValue(BinaryInstruction instr) {
|
private int getBinaryInstructionValue(BinaryInstruction instr) {
|
||||||
exists(int left, int right |
|
exists(int left, int right | binaryInstructionOperands(instr, left, right) |
|
||||||
binaryInstructionOperands(instr, left, right) and
|
instr instanceof AddInstruction and result = add(left, right)
|
||||||
(
|
or
|
||||||
instr instanceof AddInstruction and result = add(left, right)
|
instr instanceof SubInstruction and result = sub(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof SubInstruction and result = sub(left, right)
|
instr instanceof MulInstruction and result = mul(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof MulInstruction and result = mul(left, right)
|
instr instanceof DivInstruction and result = div(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof DivInstruction and result = div(left, right)
|
instr instanceof CompareEQInstruction and result = compareEQ(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareEQInstruction and result = compareEQ(left, right)
|
instr instanceof CompareNEInstruction and result = compareNE(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareNEInstruction and result = compareNE(left, right)
|
instr instanceof CompareLTInstruction and result = compareLT(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareLTInstruction and result = compareLT(left, right)
|
instr instanceof CompareGTInstruction and result = compareGT(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareGTInstruction and result = compareGT(left, right)
|
instr instanceof CompareLEInstruction and result = compareLE(left, right)
|
||||||
or
|
or
|
||||||
instr instanceof CompareLEInstruction and result = compareLE(left, right)
|
instr instanceof CompareGEInstruction and result = compareGE(left, right)
|
||||||
or
|
|
||||||
instr instanceof CompareGEInstruction and result = compareGE(left, right)
|
|
||||||
)
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -16,10 +16,7 @@ class Getenv extends LocalFlowSourceFunction {
|
|||||||
}
|
}
|
||||||
|
|
||||||
override predicate hasLocalFlowSource(FunctionOutput output, string description) {
|
override predicate hasLocalFlowSource(FunctionOutput output, string description) {
|
||||||
(
|
output.isReturnValueDeref() and
|
||||||
output.isReturnValueDeref() or
|
|
||||||
output.isReturnValue()
|
|
||||||
) and
|
|
||||||
description = "an environment variable"
|
description = "an environment variable"
|
||||||
}
|
}
|
||||||
}
|
}
|
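Review bot: Removing `output.isReturnValue()` from `Getenv.hasLocalFlowSource` leaves only the pointed-to data as a source, so any query whose sink matches the returned pointer through `asExpr()` alone would no longer see `getenv` as a source. The format-string query converted in this commit matches `[sink.asExpr(), sink.asIndirectExpr()]`, but queries outside this page may not. The same removal is made in `FgetsFunction.hasRemoteFlowSource` and `GetsFunction.hasLocalFlowSource` in the next file section. Please record the reason next to the predicate, for example `// Only the buffer contents are attacker-controlled; the returned pointer itself is not a source.`, and confirm that the other consumers of these models still report their existing test results.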
||||||
|
|||||||
@@ -51,7 +51,6 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti
|
|||||||
override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
|
override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
|
||||||
(
|
(
|
||||||
output.isParameterDeref(0) or
|
output.isParameterDeref(0) or
|
||||||
output.isReturnValue() or
|
|
||||||
output.isReturnValueDeref()
|
output.isReturnValueDeref()
|
||||||
) and
|
) and
|
||||||
description = "string read by " + this.getName()
|
description = "string read by " + this.getName()
|
||||||
@@ -102,7 +101,6 @@ private class GetsFunction extends DataFlowFunction, ArrayFunction, AliasFunctio
|
|||||||
override predicate hasLocalFlowSource(FunctionOutput output, string description) {
|
override predicate hasLocalFlowSource(FunctionOutput output, string description) {
|
||||||
(
|
(
|
||||||
output.isParameterDeref(0) or
|
output.isParameterDeref(0) or
|
||||||
output.isReturnValue() or
|
|
||||||
output.isReturnValueDeref()
|
output.isReturnValueDeref()
|
||||||
) and
|
) and
|
||||||
description = "string read by " + this.getName()
|
description = "string read by " + this.getName()
|
||||||
|
|||||||
@@ -27,10 +27,7 @@ predicate isProcessOperationExplanation(DataFlow::Node arg, string processOperat
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isSource(FlowSource source, string sourceType) {
|
predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
|
||||||
not source instanceof DataFlow::ExprNode and
|
|
||||||
sourceType = source.getSourceType()
|
|
||||||
}
|
|
||||||
|
|
||||||
module Config implements DataFlow::ConfigSig {
|
module Config implements DataFlow::ConfigSig {
|
||||||
predicate isSource(DataFlow::Node node) { isSource(node, _) }
|
predicate isSource(DataFlow::Node node) { isSource(node, _) }
|
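Review bot: `isSource` now accepts every `FlowSource`, including those that are `DataFlow::ExprNode`s, and the hunk gives no reason for dropping `not source instanceof DataFlow::ExprNode`. It looks safe only because the model changes elsewhere in this commit stop `getenv`, `fgets` and `gets` from marking their return value as a source. Any other model that still marks a return value would now contribute an extra source node, presumably the duplicate the filter was there to suppress. A QLDoc line such as `/** Holds if `source` is a flow source described by `sourceType`. */` with a sentence on that dependency would make it explicit.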
||||||
|
|||||||
@@ -16,22 +16,47 @@
|
|||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.security.Security
|
import semmle.code.cpp.security.Security
|
||||||
import semmle.code.cpp.security.FunctionWithWrappers
|
import semmle.code.cpp.security.FunctionWithWrappers
|
||||||
import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
|
import semmle.code.cpp.security.FlowSources
|
||||||
import TaintedWithPath
|
import semmle.code.cpp.ir.dataflow.TaintTracking
|
||||||
|
import semmle.code.cpp.ir.IR
|
||||||
|
import Flow::PathGraph
|
||||||
|
|
||||||
class Configuration extends TaintTrackingConfiguration {
|
predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
|
||||||
override predicate isSink(Element tainted) {
|
|
||||||
exists(PrintfLikeFunction printf | printf.outermostWrapperFunctionCall(tainted, _))
|
module Config implements DataFlow::ConfigSig {
|
||||||
|
predicate isSource(DataFlow::Node node) { isSource(node, _) }
|
||||||
|
|
||||||
|
predicate isSink(DataFlow::Node node) {
|
||||||
|
exists(PrintfLikeFunction printf |
|
||||||
|
printf.outermostWrapperFunctionCall([node.asExpr(), node.asIndirectExpr()], _)
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
private predicate isArithmeticNonCharType(ArithmeticType type) {
|
||||||
|
not type instanceof CharType and
|
||||||
|
not type instanceof Char8Type and
|
||||||
|
not type instanceof Char16Type and
|
||||||
|
not type instanceof Char32Type
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate isBarrier(DataFlow::Node node) {
|
||||||
|
isSink(node) and isArithmeticNonCharType(node.asExpr().getUnspecifiedType())
|
||||||
|
or
|
||||||
|
isArithmeticNonCharType(node.asInstruction().(StoreInstruction).getResultType())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module Flow = TaintTracking::Global<Config>;
|
||||||
|
|
||||||
from
|
from
|
||||||
PrintfLikeFunction printf, Expr arg, PathNode sourceNode, PathNode sinkNode,
|
PrintfLikeFunction printf, string printfFunction, string sourceType, DataFlow::Node source,
|
||||||
string printfFunction, Expr userValue, string cause
|
DataFlow::Node sink, Flow::PathNode sourceNode, Flow::PathNode sinkNode
|
||||||
where
|
where
|
||||||
printf.outermostWrapperFunctionCall(arg, printfFunction) and
|
source = sourceNode.getNode() and
|
||||||
taintedWithPath(userValue, arg, sourceNode, sinkNode) and
|
sink = sinkNode.getNode() and
|
||||||
isUserInput(userValue, cause)
|
isSource(source, sourceType) and
|
||||||
select arg, sourceNode, sinkNode,
|
printf.outermostWrapperFunctionCall([sink.asExpr(), sink.asIndirectExpr()], printfFunction) and
|
||||||
|
Flow::flowPath(sourceNode, sinkNode)
|
||||||
|
select sink, sourceNode, sinkNode,
|
||||||
"The value of this argument may come from $@ and is being used as a formatting argument to " +
|
"The value of this argument may come from $@ and is being used as a formatting argument to " +
|
||||||
printfFunction + ".", userValue, cause
|
printfFunction + ".", source, sourceType
|
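Review bot: `isArithmeticNonCharType` exempts `CharType`, `Char8Type`, `Char16Type` and `Char32Type` from the `StoreInstruction` barrier in `Config.isBarrier`, but not the wide-character type. An element-by-element copy of a tainted wide string would then be cut off before it reaches a wide `printf`-style sink, assuming `PrintfLikeFunction` covers those. If that is unintended, add `not type instanceof WideCharType` to the conjunction. Where `wchar_t` is only a typedef of an integer type the stores cannot be told apart, and that limitation deserves a comment on the predicate. Neither `isArithmeticNonCharType` nor `isBarrier` has QLDoc explaining why arithmetic stores are treated as sanitizing.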
||||||
|
|||||||
@@ -1,24 +0,0 @@
|
|||||||
#include <stdio.h>
|
|
||||||
|
|
||||||
char *copy;
|
|
||||||
|
|
||||||
void copyArgv(char **argv) {
|
|
||||||
copy = argv[1];
|
|
||||||
}
|
|
||||||
|
|
||||||
void printWrapper(char *str) {
|
|
||||||
printf(str);
|
|
||||||
}
|
|
||||||
|
|
||||||
int main(int argc, char **argv) {
|
|
||||||
copyArgv(argv);
|
|
||||||
|
|
||||||
// This should be avoided
|
|
||||||
printf(copy);
|
|
||||||
|
|
||||||
// This should be avoided too, because it has the same effect
|
|
||||||
printWrapper(copy);
|
|
||||||
|
|
||||||
// This is fine
|
|
||||||
printf("%s", copy);
|
|
||||||
}
|
|
||||||
@@ -1,36 +0,0 @@
|
|||||||
<!DOCTYPE qhelp PUBLIC
|
|
||||||
"-//Semmle//qhelp//EN"
|
|
||||||
"qhelp.dtd">
|
|
||||||
<qhelp>
|
|
||||||
<overview>
|
|
||||||
<p>The program uses input from the user, propagated via a global variable, as a format string for <code>printf</code> style functions.
|
|
||||||
This can lead to buffer overflows or data representation problems. An attacker can exploit this weakness to crash the program,
|
|
||||||
disclose information or even execute arbitrary code.</p>
|
|
||||||
|
|
||||||
<p>This rule only identifies inputs from the user that are transferred through global variables before being used in <code>printf</code> style functions.
|
|
||||||
Analyzing the flow of data through global variables is more prone to errors and so this rule may identify some examples of code where
|
|
||||||
the input is not really from the user. For example, when a global variable is set in two places, one that comes from the user and one that does not.
|
|
||||||
In this case we would mark all usages of the global variable as input from the user, but the input from the user may always came after the call to the
|
|
||||||
<code>printf</code> style functions.</p>
|
|
||||||
|
|
||||||
<p>The results of this rule should be considered alongside the related rule "Uncontrolled format string" which tracks the flow of the
|
|
||||||
values input by a user, excluding global variables, until the values are used as the format argument for a <code>printf</code> like function call.</p>
|
|
||||||
|
|
||||||
</overview>
|
|
||||||
<recommendation>
|
|
||||||
<p>Use constant expressions as the format strings. If you need to print a value from the user, use <code>printf("%s", value_from_user)</code>.</p>
|
|
||||||
|
|
||||||
</recommendation>
|
|
||||||
<example>
|
|
||||||
<sample src="UncontrolledFormatStringThroughGlobalVar.c" />
|
|
||||||
|
|
||||||
</example>
|
|
||||||
<references>
|
|
||||||
|
|
||||||
<li>CERT C Coding
|
|
||||||
Standard: <a href="https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings">FIO30-C. Exclude
|
|
||||||
user input from format strings</a>.</li>
|
|
||||||
|
|
||||||
|
|
||||||
</references>
|
|
||||||
</qhelp>
|
|
||||||
@@ -1,40 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Uncontrolled format string (through global variable)
|
|
||||||
* @description Using externally-controlled format strings in
|
|
||||||
* printf-style functions can lead to buffer overflows
|
|
||||||
* or data representation problems.
|
|
||||||
* @kind path-problem
|
|
||||||
* @problem.severity warning
|
|
||||||
* @security-severity 9.3
|
|
||||||
* @precision high
|
|
||||||
* @id cpp/tainted-format-string-through-global
|
|
||||||
* @tags reliability
|
|
||||||
* security
|
|
||||||
* external/cwe/cwe-134
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import semmle.code.cpp.security.FunctionWithWrappers
|
|
||||||
import semmle.code.cpp.security.Security
|
|
||||||
import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
|
|
||||||
import TaintedWithPath
|
|
||||||
|
|
||||||
class Configuration extends TaintTrackingConfiguration {
|
|
||||||
override predicate isSink(Element tainted) {
|
|
||||||
exists(PrintfLikeFunction printf | printf.outermostWrapperFunctionCall(tainted, _))
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate taintThroughGlobals() { any() }
|
|
||||||
}
|
|
||||||
|
|
||||||
from
|
|
||||||
PrintfLikeFunction printf, Expr arg, PathNode sourceNode, PathNode sinkNode,
|
|
||||||
string printfFunction, Expr userValue, string cause
|
|
||||||
where
|
|
||||||
printf.outermostWrapperFunctionCall(arg, printfFunction) and
|
|
||||||
not taintedWithoutGlobals(arg) and
|
|
||||||
taintedWithPath(userValue, arg, sourceNode, sinkNode) and
|
|
||||||
isUserInput(userValue, cause)
|
|
||||||
select arg, sourceNode, sinkNode,
|
|
||||||
"The value of this argument may come from $@ and is being used as a formatting argument to " +
|
|
||||||
printfFunction + ".", userValue, cause
|
|
||||||
@@ -12,79 +12,44 @@
|
|||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.commons.NullTermination
|
import semmle.code.cpp.commons.NullTermination
|
||||||
import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
|
import semmle.code.cpp.security.FlowSources as FS
|
||||||
|
import semmle.code.cpp.dataflow.new.TaintTracking
|
||||||
|
import semmle.code.cpp.ir.IR
|
||||||
|
|
||||||
/** A user-controlled expression that may not be null terminated. */
|
predicate isSource(FS::FlowSource source, string sourceType) {
|
||||||
class TaintSource extends VariableAccess {
|
sourceType = source.getSourceType() and
|
||||||
TaintSource() {
|
exists(VariableAccess va, Call call |
|
||||||
exists(SecurityOptions x, string cause |
|
va = source.asDefiningArgument() and
|
||||||
this.getTarget() instanceof SemanticStackVariable and
|
call.getAnArgument() = va and
|
||||||
x.isUserInput(this, cause)
|
va.getTarget() instanceof SemanticStackVariable and
|
||||||
|
|
call.getTarget().hasGlobalName(["read", "fread", "recv", "recvfrom", "recvmsg"])
|
||||||
cause = ["read", "fread", "recv", "recvfrom", "recvmsg"]
|
)
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if `sink` is a tainted variable access that must be null
|
|
||||||
* terminated.
|
|
||||||
*/
|
|
||||||
private predicate isSink(VariableAccess sink) {
|
|
||||||
tainted(this, sink) and
|
|
||||||
variableMustBeNullTerminated(sink)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if this source can reach `va`, possibly using intermediate
|
|
||||||
* reassignments.
|
|
||||||
*/
|
|
||||||
private predicate sourceReaches(VariableAccess va) {
|
|
||||||
definitionUsePair(_, this, va)
|
|
||||||
or
|
|
||||||
exists(VariableAccess mid, Expr def |
|
|
||||||
this.sourceReaches(mid) and
|
|
||||||
exprDefinition(_, def, mid) and
|
|
||||||
definitionUsePair(_, def, va)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if the sink `sink` is reachable both from this source and
|
|
||||||
* from `va`, possibly using intermediate reassignments.
|
|
||||||
*/
|
|
||||||
private predicate reachesSink(VariableAccess va, VariableAccess sink) {
|
|
||||||
this.isSink(sink) and
|
|
||||||
va = sink
|
|
||||||
or
|
|
||||||
exists(VariableAccess mid, Expr def |
|
|
||||||
this.reachesSink(mid, sink) and
|
|
||||||
exprDefinition(_, def, va) and
|
|
||||||
definitionUsePair(_, def, mid)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if `sink` is a tainted variable access that must be null
|
|
||||||
* terminated, and no access which null terminates its contents can
|
|
||||||
* either reach the sink or be reached from the source. (Ideally,
|
|
||||||
* we should instead look for such accesses only on the path from
|
|
||||||
* this source to `sink` found via `tainted(source, sink)`.)
|
|
||||||
*/
|
|
||||||
predicate reaches(VariableAccess sink) {
|
|
||||||
this.isSink(sink) and
|
|
||||||
not exists(VariableAccess va |
|
|
||||||
va != this and
|
|
||||||
va != sink and
|
|
||||||
mayAddNullTerminator(_, va)
|
|
||||||
|
|
|
||||||
this.sourceReaches(va)
|
|
||||||
or
|
|
||||||
this.reachesSink(va, sink)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
from TaintSource source, VariableAccess sink
|
predicate isSink(DataFlow::Node sink, VariableAccess va) {
|
||||||
where source.reaches(sink)
|
va = [sink.asExpr(), sink.asIndirectExpr()] and
|
||||||
select sink, "String operation depends on a $@ that may not be null terminated.", source,
|
variableMustBeNullTerminated(va)
|
||||||
"user-provided value"
|
}
|
||||||
|
|
||||||
|
private module Config implements DataFlow::ConfigSig {
|
||||||
|
predicate isSource(DataFlow::Node source) { isSource(source, _) }
|
||||||
|
|
||||||
|
predicate isBarrier(DataFlow::Node node) {
|
||||||
|
isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
|
||||||
|
or
|
||||||
|
node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
|
||||||
|
or
|
||||||
|
mayAddNullTerminator(_, node.asIndirectExpr())
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
|
||||||
|
}
|
||||||
|
|
||||||
|
module Flow = TaintTracking::Global<Config>;
|
||||||
|
|
||||||
|
from DataFlow::Node source, DataFlow::Node sink, VariableAccess va, string sourceType
|
||||||
|
where
|
||||||
|
Flow::flow(source, sink) and
|
||||||
|
isSource(source, sourceType) and
|
||||||
|
isSink(sink, va)
|
||||||
|
select va, "String operation depends on $@ that may not be null terminated.", source, sourceType
|
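Review bot: The rewrite drops every QLDoc comment the old `TaintSource` class carried, leaving the new top-level `isSource` and `isSink` and the three `isBarrier` disjuncts undocumented. I would add `/** Holds if `source` is a stack variable passed to `read`, `fread`, `recv`, `recvfrom` or `recvmsg`, described by `sourceType`. */` on `isSource` and `/** Holds if `va` is the variable access at `sink` and must be null terminated. */` on `isSink`. The `mayAddNullTerminator(_, node.asIndirectExpr())` barrier also needs a why-comment. It now stops flow only at nodes on the path, which addresses the caveat in the removed `reaches` comment, but it matches the indirect expression only, so a terminator written through a node that surfaces as `asExpr()` would not block.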
||||||
|
|||||||
@@ -16,45 +16,30 @@
|
|||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.security.Overflow
|
import semmle.code.cpp.security.Overflow
|
||||||
import semmle.code.cpp.security.Security
|
import semmle.code.cpp.dataflow.new.TaintTracking
|
||||||
import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
|
import semmle.code.cpp.ir.IR
|
||||||
|
import semmle.code.cpp.controlflow.IRGuards as IRGuards
|
||||||
|
|
||||||
predicate isMaxValue(Expr mie) {
|
predicate isMaxValue(Expr mie) {
|
||||||
exists(MacroInvocation mi |
|
exists(MacroInvocation mi |
|
||||||
mi.getExpr() = mie and
|
mi.getExpr() = mie and
|
||||||
(
|
mi.getMacroName() = ["CHAR_MAX", "LLONG_MAX", "INT_MAX", "SHRT_MAX", "UINT_MAX"]
|
||||||
mi.getMacroName() = "CHAR_MAX" or
|
|
||||||
mi.getMacroName() = "LLONG_MAX" or
|
|
||||||
mi.getMacroName() = "INT_MAX" or
|
|
||||||
mi.getMacroName() = "SHRT_MAX" or
|
|
||||||
mi.getMacroName() = "UINT_MAX"
|
|
||||||
)
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isMinValue(Expr mie) {
|
predicate isMinValue(Expr mie) {
|
||||||
exists(MacroInvocation mi |
|
exists(MacroInvocation mi |
|
||||||
mi.getExpr() = mie and
|
mi.getExpr() = mie and
|
||||||
(
|
mi.getMacroName() = ["CHAR_MIN", "LLONG_MIN", "INT_MIN", "SHRT_MIN"]
|
||||||
mi.getMacroName() = "CHAR_MIN" or
|
|
||||||
mi.getMacroName() = "LLONG_MIN" or
|
|
||||||
mi.getMacroName() = "INT_MIN" or
|
|
||||||
mi.getMacroName() = "SHRT_MIN"
|
|
||||||
)
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
class SecurityOptionsArith extends SecurityOptions {
|
predicate isSource(DataFlow::Node source, string cause) {
|
||||||
override predicate isUserInput(Expr expr, string cause) {
|
exists(Expr expr | expr = source.asExpr() |
|
||||||
isMaxValue(expr) and cause = "max value"
|
isMaxValue(expr) and cause = "max value"
|
||||||
or
|
or
|
||||||
isMinValue(expr) and cause = "min value"
|
isMinValue(expr) and cause = "min value"
|
||||||
}
|
)
|
||||||
}
|
|
||||||
|
|
||||||
predicate taintedVarAccess(Expr origin, VariableAccess va, string cause) {
|
|
||||||
isUserInput(origin, cause) and
|
|
||||||
tainted(origin, va)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate causeEffectCorrespond(string cause, string effect) {
|
predicate causeEffectCorrespond(string cause, string effect) {
|
||||||
@@ -65,16 +50,79 @@ predicate causeEffectCorrespond(string cause, string effect) {
|
|||||||
effect = "underflow"
|
effect = "underflow"
|
||||||
}
|
}
|
||||||
|
|
||||||
from Expr origin, Operation op, VariableAccess va, string cause, string effect
|
predicate isSink(DataFlow::Node sink, VariableAccess va, string effect) {
|
||||||
where
|
exists(Operation op |
|
||||||
taintedVarAccess(origin, va, cause) and
|
sink.asExpr() = va and
|
||||||
op.getAnOperand() = va and
|
op.getAnOperand() = va
|
||||||
(
|
|
|
||||||
missingGuardAgainstUnderflow(op, va) and effect = "underflow"
|
missingGuardAgainstUnderflow(op, va) and effect = "underflow"
|
||||||
or
|
or
|
||||||
missingGuardAgainstOverflow(op, va) and effect = "overflow"
|
missingGuardAgainstOverflow(op, va) and effect = "overflow"
|
||||||
) and
|
)
|
||||||
causeEffectCorrespond(cause, effect)
|
}
|
||||||
|
|
||||||
|
predicate hasUpperBoundsCheck(Variable var) {
|
||||||
|
exists(RelationalOperation oper, VariableAccess access |
|
||||||
|
oper.getAnOperand() = access and
|
||||||
|
access.getTarget() = var and
|
||||||
|
// Comparing to 0 is not an upper bound check
|
||||||
|
not oper.getAnOperand().getValue() = "0"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate constantInstruction(Instruction instr) {
|
||||||
|
instr instanceof ConstantInstruction or
|
||||||
|
constantInstruction(instr.(UnaryInstruction).getUnary())
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate readsVariable(LoadInstruction load, Variable var) {
|
||||||
|
load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
|
||||||
|
exists(Instruction instr | instr = node.asInstruction() |
|
||||||
|
readsVariable(instr, checkedVar) and
|
||||||
|
any(IRGuards::IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
module Config implements DataFlow::ConfigSig {
|
||||||
|
predicate isSource(DataFlow::Node source) { isSource(source, _) }
|
||||||
|
|
||||||
|
predicate isSink(DataFlow::Node sink) { isSink(sink, _, _) }
|
||||||
|
|
||||||
|
predicate isBarrier(DataFlow::Node node) {
|
||||||
|
// Block flow if there's an upper bound check of the variable anywhere in the program
|
||||||
|
exists(Variable checkedVar, Instruction instr | instr = node.asInstruction() |
|
||||||
|
readsVariable(instr, checkedVar) and
|
||||||
|
hasUpperBoundsCheck(checkedVar)
|
||||||
|
)
|
||||||
|
or
|
||||||
|
// Block flow if the node is guarded by an equality check
|
||||||
|
exists(Variable checkedVar, Operand access |
|
||||||
|
nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
|
||||||
|
readsVariable(access.getDef(), checkedVar)
|
||||||
|
)
|
||||||
|
or
|
||||||
|
// Block flow to any binary instruction whose operands are both non-constants.
|
||||||
|
exists(BinaryInstruction iTo |
|
||||||
|
iTo = node.asInstruction() and
|
||||||
|
not constantInstruction(iTo.getLeft()) and
|
||||||
|
not constantInstruction(iTo.getRight()) and
|
||||||
|
// propagate taint from either the pointer or the offset, regardless of constantness
|
||||||
|
not iTo instanceof PointerArithmeticInstruction
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
module Flow = TaintTracking::Global<Config>;
|
||||||
|
|
||||||
|
from DataFlow::Node source, DataFlow::Node sink, VariableAccess va, string cause, string effect
|
||||||
|
where
|
||||||
|
Flow::flow(source, sink) and
|
||||||
|
isSource(source, cause) and
|
||||||
|
causeEffectCorrespond(cause, effect) and
|
||||||
|
isSink(sink, va, effect)
|
||||||
select va,
|
select va,
|
||||||
"$@ flows to an operand of an arithmetic expression, potentially causing an " + effect + ".",
|
"$@ flows to an operand of an arithmetic expression, potentially causing an " + effect + ".",
|
||||||
origin, "Extreme value"
|
source, "Extreme value"
|
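Review bot: `hasUpperBoundsCheck` treats any `RelationalOperation` on an access to the variable with a non-zero other operand as an upper-bound check. The first disjunct of `Config.isBarrier` then blocks every load of that variable, wherever the comparison sits. A lower-bound test such as `x > 1`, or a comparison that runs after the arithmetic, therefore suppresses the alert as well. The inline comment admits "anywhere in the program", but the direction-insensitivity is not mentioned. I would extend the predicate's documentation to `/** Holds if `var` is compared with a non-zero operand by some relational operation; flow-insensitive and direction-insensitive, so it over-approximates real upper-bound checks. */`. `hasUpperBoundsCheck`, `constantInstruction`, `readsVariable` and `nodeIsBarrierEqualityCandidate` are repeated verbatim in the following file section and would be better placed in one shared library module.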
||||||
|
|||||||
@@ -15,7 +15,11 @@
|
|||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
|
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
|
||||||
import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
|
import semmle.code.cpp.dataflow.new.DataFlow
|
||||||
|
import semmle.code.cpp.security.FlowSources as FS
|
||||||
|
import semmle.code.cpp.dataflow.new.TaintTracking
|
||||||
|
import semmle.code.cpp.ir.IR
|
||||||
|
import semmle.code.cpp.controlflow.IRGuards as IRGuards
|
||||||
|
|
||||||
/** Holds if `expr` might overflow. */
|
/** Holds if `expr` might overflow. */
|
||||||
predicate outOfBoundsExpr(Expr expr, string kind) {
|
predicate outOfBoundsExpr(Expr expr, string kind) {
|
||||||
@@ -27,13 +31,76 @@ predicate outOfBoundsExpr(Expr expr, string kind) {
|
|||||||
else none()
|
else none()
|
||||||
}
|
}
|
||||||
|
|
||||||
from Expr use, Expr origin, string kind
|
predicate isSource(FS::FlowSource source, string sourceType) { sourceType = source.getSourceType() }
|
||||||
|
|
||||||
|
predicate isSink(DataFlow::Node sink, string kind) {
|
||||||
|
exists(Expr use |
|
||||||
|
use = sink.asExpr() and
|
||||||
|
not use.getUnspecifiedType() instanceof PointerType and
|
||||||
|
outOfBoundsExpr(use, kind) and
|
||||||
|
not inSystemMacroExpansion(use)
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate hasUpperBoundsCheck(Variable var) {
|
||||||
|
exists(RelationalOperation oper, VariableAccess access |
|
||||||
|
oper.getAnOperand() = access and
|
||||||
|
access.getTarget() = var and
|
||||||
|
// Comparing to 0 is not an upper bound check
|
||||||
|
not oper.getAnOperand().getValue() = "0"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate constantInstruction(Instruction instr) {
|
||||||
|
instr instanceof ConstantInstruction or
|
||||||
|
constantInstruction(instr.(UnaryInstruction).getUnary())
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate readsVariable(LoadInstruction load, Variable var) {
|
||||||
|
load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
|
||||||
|
exists(Instruction instr | instr = node.asInstruction() |
|
||||||
|
readsVariable(instr, checkedVar) and
|
||||||
|
any(IRGuards::IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
module Config implements DataFlow::ConfigSig {
|
||||||
|
predicate isSource(DataFlow::Node source) { isSource(source, _) }
|
||||||
|
|
||||||
|
predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
|
||||||
|
|
||||||
|
predicate isBarrier(DataFlow::Node node) {
|
||||||
|
// Block flow if there's an upper bound check of the variable anywhere in the program
|
||||||
|
exists(Variable checkedVar, Instruction instr | instr = node.asInstruction() |
|
||||||
|
readsVariable(instr, checkedVar) and
|
||||||
|
hasUpperBoundsCheck(checkedVar)
|
||||||
|
)
|
||||||
|
or
|
||||||
|
// Block flow if the node is guarded by an equality check
|
||||||
|
exists(Variable checkedVar, Operand access |
|
||||||
|
nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
|
||||||
|
readsVariable(access.getDef(), checkedVar)
|
||||||
|
)
|
||||||
|
or
|
||||||
|
// Block flow to any binary instruction whose operands are both non-constants.
|
||||||
|
exists(BinaryInstruction iTo |
|
||||||
|
iTo = node.asInstruction() and
|
||||||
|
not constantInstruction(iTo.getLeft()) and
|
||||||
|
not constantInstruction(iTo.getRight()) and
|
||||||
|
// propagate taint from either the pointer or the offset, regardless of constantness
|
||||||
|
not iTo instanceof PointerArithmeticInstruction
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
module Flow = TaintTracking::Global<Config>;
|
||||||
|
|
||||||
|
from DataFlow::Node source, DataFlow::Node sink, string kind, string sourceType
|
||||||
where
|
where
|
||||||
not use.getUnspecifiedType() instanceof PointerType and
|
Flow::flow(source, sink) and
|
||||||
outOfBoundsExpr(use, kind) and
|
isSource(source, sourceType) and
|
||||||
tainted(origin, use) and
|
isSink(sink, kind)
|
||||||
origin != use and
|
select sink, "$@ flows an expression which might " + kind + ".", source, sourceType
|
||||||
not inSystemMacroExpansion(use) and
|
|
||||||
// Avoid double-counting: don't include all the conversions of `use`.
|
|
||||||
not use instanceof Conversion
|
|
||||||
select use, "$@ flows an expression which might " + kind + ".", origin, "User-provided value"
|
|
||||||
|
|||||||
@@ -12,8 +12,10 @@
|
|||||||
* external/cwe/cwe-290
|
* external/cwe/cwe-290
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
|
import cpp
|
||||||
import TaintedWithPath
|
import semmle.code.cpp.dataflow.new.TaintTracking
|
||||||
|
import semmle.code.cpp.security.FlowSources as FS
|
||||||
|
import Flow::PathGraph
|
||||||
|
|
||||||
string getATopLevelDomain() {
|
string getATopLevelDomain() {
|
||||||
result =
|
result =
|
||||||
@@ -60,13 +62,26 @@ predicate hardCodedAddressInCondition(Expr subexpression, Expr condition) {
|
|||||||
condition = any(IfStmt ifStmt).getCondition()
|
condition = any(IfStmt ifStmt).getCondition()
|
||||||
}
|
}
|
||||||
|
|
||||||
class Configuration extends TaintTrackingConfiguration {
|
predicate isSource(FS::FlowSource source, string sourceType) { source.getSourceType() = sourceType }
|
||||||
override predicate isSink(Element sink) { hardCodedAddressInCondition(sink, _) }
|
|
||||||
|
predicate isSink(DataFlow::Node sink, Expr condition) {
|
||||||
|
hardCodedAddressInCondition([sink.asExpr(), sink.asIndirectExpr()], condition)
|
||||||
}
|
}
|
||||||
|
|
||||||
from Expr subexpression, Expr source, Expr condition, PathNode sourceNode, PathNode sinkNode
|
module Config implements DataFlow::ConfigSig {
|
||||||
|
predicate isSource(DataFlow::Node source) { isSource(source, _) }
|
||||||
|
|
||||||
|
predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
|
||||||
|
}
|
||||||
|
|
||||||
|
module Flow = TaintTracking::Global<Config>;
|
||||||
|
|
||||||
|
from
|
||||||
|
Expr subexpression, Expr condition, Flow::PathNode source, Flow::PathNode sink, string sourceType
|
||||||
where
|
where
|
||||||
hardCodedAddressInCondition(subexpression, condition) and
|
hardCodedAddressInCondition(subexpression, condition) and
|
||||||
taintedWithPath(source, subexpression, sourceNode, sinkNode)
|
isSource(source.getNode(), sourceType) and
|
||||||
select condition, sourceNode, sinkNode,
|
Flow::flowPath(source, sink) and
|
||||||
"Untrusted input $@ might be vulnerable to a spoofing attack.", source, source.toString()
|
isSink(sink.getNode(), condition)
|
||||||
|
select condition, source, sink, "Untrusted input $@ might be vulnerable to a spoofing attack.",
|
||||||
|
source, sourceType
|
||||||
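Review bot: In the final `from`/`where` clause, `Expr subexpression` is bound only by `hardCodedAddressInCondition(subexpression, condition)`; it is never related to `sink` and never used in the `select`. `isSink(sink.getNode(), condition)` already implies that such a sub-expression exists, so the variable and its conjunct can go, leaving `where isSource(source.getNode(), sourceType) and Flow::flowPath(source, sink) and isSink(sink.getNode(), condition)`. That also makes it explicit that the reported condition is the one containing the tainted sink. The new two-argument `isSource` and `isSink` helpers have no QLDoc; a one-line "Holds if" comment on each, saying what `sourceType` and `condition` are bound to, would be enough.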
|
|||||||
@@ -12,8 +12,12 @@
|
|||||||
* external/cwe/cwe-807
|
* external/cwe/cwe-807
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
|
import cpp
|
||||||
import TaintedWithPath
|
import semmle.code.cpp.security.Security
|
||||||
|
import semmle.code.cpp.security.FlowSources
|
||||||
|
import semmle.code.cpp.ir.dataflow.TaintTracking
|
||||||
|
import semmle.code.cpp.ir.IR
|
||||||
|
import Flow::PathGraph
|
||||||
|
|
||||||
predicate sensitiveCondition(Expr condition, Expr raise) {
|
predicate sensitiveCondition(Expr condition, Expr raise) {
|
||||||
raisesPrivilege(raise) and
|
raisesPrivilege(raise) and
|
||||||
@@ -23,19 +27,62 @@ predicate sensitiveCondition(Expr condition, Expr raise) {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
class Configuration extends TaintTrackingConfiguration {
|
private predicate constantInstruction(Instruction instr) {
|
||||||
override predicate isSink(Element tainted) { sensitiveCondition(tainted, _) }
|
instr instanceof ConstantInstruction
|
||||||
|
or
|
||||||
|
instr instanceof StringConstantInstruction
|
||||||
|
or
|
||||||
|
constantInstruction(instr.(UnaryInstruction).getUnary())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
|
||||||
|
|
||||||
|
module Config implements DataFlow::ConfigSig {
|
||||||
|
predicate isSource(DataFlow::Node node) { isSource(node, _) }
|
||||||
|
|
||||||
|
predicate isSink(DataFlow::Node node) {
|
||||||
|
sensitiveCondition([node.asExpr(), node.asIndirectExpr()], _)
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate isBarrier(DataFlow::Node node) {
|
||||||
|
// Block flow into binary instructions if both operands are non-constant
|
||||||
|
exists(BinaryInstruction iTo |
|
||||||
|
iTo = node.asInstruction() and
|
||||||
|
not constantInstruction(iTo.getLeft()) and
|
||||||
|
not constantInstruction(iTo.getRight()) and
|
||||||
|
// propagate taint from either the pointer or the offset, regardless of constant-ness
|
||||||
|
not iTo instanceof PointerArithmeticInstruction
|
||||||
|
)
|
||||||
|
or
|
||||||
|
// Block flow through calls to pure functions if two or more operands are non-constant
|
||||||
|
exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
|
||||||
|
iTo = node.asInstruction() and
|
||||||
|
isPureFunction(iTo.getStaticCallTarget().getName()) and
|
||||||
|
iFrom1 = iTo.getAnArgument() and
|
||||||
|
iFrom2 = iTo.getAnArgument() and
|
||||||
|
not constantInstruction(iFrom1) and
|
||||||
|
not constantInstruction(iFrom2) and
|
||||||
|
iFrom1 != iFrom2
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
module Flow = TaintTracking::Global<Config>;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Produce an alert if there is an 'if' statement whose condition `condition`
|
* Produce an alert if there is an 'if' statement whose condition `condition`
|
||||||
* is influenced by tainted data `source`, and the body contains
|
* is influenced by tainted data `source`, and the body contains
|
||||||
* `raise` which escalates privilege.
|
* `raise` which escalates privilege.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
from Expr source, Expr condition, Expr raise, PathNode sourceNode, PathNode sinkNode
|
from
|
||||||
|
Expr raise, string sourceType, DataFlow::Node source, DataFlow::Node sink,
|
||||||
|
Flow::PathNode sourceNode, Flow::PathNode sinkNode
|
||||||
where
|
where
|
||||||
taintedWithPath(source, condition, sourceNode, sinkNode) and
|
source = sourceNode.getNode() and
|
||||||
sensitiveCondition(condition, raise)
|
sink = sinkNode.getNode() and
|
||||||
select condition, sourceNode, sinkNode, "Reliance on untrusted input $@ to raise privilege at $@.",
|
isSource(source, sourceType) and
|
||||||
source, source.toString(), raise, raise.toString()
|
sensitiveCondition([sink.asExpr(), sink.asIndirectExpr()], raise) and
|
||||||
|
Flow::flowPath(sourceNode, sinkNode)
|
||||||
|
select sink, sourceNode, sinkNode, "Reliance on $@ to raise privilege at $@.", source, sourceType,
|
||||||
|
raise, raise.toString()
|
||||||
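Review bot: The sink test `sensitiveCondition([sink.asExpr(), sink.asIndirectExpr()], ...)` is written out twice, once in `Config::isSink` and once in the final `where` clause, so a later edit can change one and not the other. A two-argument helper used from both places would keep them in step, matching the two-argument `isSource` this change adds: `predicate isSink(DataFlow::Node sink, Expr raise) { sensitiveCondition([sink.asExpr(), sink.asIndirectExpr()], raise) }`. Separately, `isBarrier` stops taint at every non-pointer binary instruction with two non-constant operands, and at pure-function calls with two or more non-constant arguments. For a privilege-escalation query that presumably trades missed results for fewer false positives, and a comment next to the barrier saying so would help whoever tunes it next.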
|
|||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: breaking
|
||||||
|
---
|
||||||
|
* The `cpp/tainted-format-string-through-global` query has been deleted. This does not lead to a loss of relevant alerts, as the query duplicated a subset of the alerts from `cpp/tainted-format-string`.
|
||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/all-asymmetric-algorithms
|
* @id cpp/quantum-readiness/cbom/all-asymmetric-algorithms
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/all-cryptographic-algorithms
|
* @id cpp/quantum-readiness/cbom/all-cryptographic-algorithms
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/all-asymmetric-encryption-algorithms
|
* @id cpp/quantum-readiness/cbom/all-asymmetric-encryption-algorithms
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/authenticated-encryption-algorithms
|
* @id cpp/quantum-readiness/cbom/authenticated-encryption-algorithms
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/block-cipher-mode
|
* @id cpp/quantum-readiness/cbom/block-cipher-mode
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/iv-sources
|
* @id cpp/quantum-readiness/cbom/iv-sources
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/unkown-iv-sources
|
* @id cpp/quantum-readiness/cbom/unkown-iv-sources
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/elliptic-curve-key-length
|
* @id cpp/quantum-readiness/cbom/elliptic-curve-key-length
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/elliptic-curve-algorithms
|
* @id cpp/quantum-readiness/cbom/elliptic-curve-algorithms
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/hash-algorithms
|
* @id cpp/quantum-readiness/cbom/hash-algorithms
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/key-exchange
|
* @id cpp/quantum-readiness/cbom/key-exchange
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/asymmetric-key-generation
|
* @id cpp/quantum-readiness/cbom/asymmetric-key-generation
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/signing-algorithms
|
* @id cpp/quantum-readiness/cbom/signing-algorithms
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/symmetric-encryption-algorithms
|
* @id cpp/quantum-readiness/cbom/symmetric-encryption-algorithms
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/quantum-readiness/cbom/unkwon-asymmetric-key-generation
|
* @id cpp/quantum-readiness/cbom/unkwon-asymmetric-key-generation
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @precision high
|
|
||||||
* @tags cbom
|
* @tags cbom
|
||||||
* cryptography
|
* cryptography
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/cpp-queries
|
name: codeql/cpp-queries
|
||||||
version: 0.8.3
|
version: 0.8.4-dev
|
||||||
groups:
|
groups:
|
||||||
- cpp
|
- cpp
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -450,6 +450,7 @@ irGuards
|
|||||||
| test.c:126:12:126:26 | Call: call to test3_condition |
|
| test.c:126:12:126:26 | Call: call to test3_condition |
|
||||||
| test.c:131:7:131:7 | Load: b |
|
| test.c:131:7:131:7 | Load: b |
|
||||||
| test.c:137:7:137:7 | Constant: 0 |
|
| test.c:137:7:137:7 | Constant: 0 |
|
||||||
|
| test.c:146:7:146:8 | LogicalNot: ! ... |
|
||||||
| test.c:146:8:146:8 | Load: x |
|
| test.c:146:8:146:8 | Load: x |
|
||||||
| test.c:152:10:152:10 | Load: x |
|
| test.c:152:10:152:10 | Load: x |
|
||||||
| test.c:152:15:152:15 | Load: y |
|
| test.c:152:15:152:15 | Load: y |
|
||||||
@@ -640,6 +641,7 @@ irGuardsControl
|
|||||||
| test.c:126:12:126:26 | Call: call to test3_condition | true | 127 | 127 |
|
| test.c:126:12:126:26 | Call: call to test3_condition | true | 127 | 127 |
|
||||||
| test.c:131:7:131:7 | Load: b | true | 132 | 132 |
|
| test.c:131:7:131:7 | Load: b | true | 132 | 132 |
|
||||||
| test.c:137:7:137:7 | Constant: 0 | false | 142 | 142 |
|
| test.c:137:7:137:7 | Constant: 0 | false | 142 | 142 |
|
||||||
|
| test.c:146:7:146:8 | LogicalNot: ! ... | true | 147 | 147 |
|
||||||
| test.c:146:8:146:8 | Load: x | false | 147 | 147 |
|
| test.c:146:8:146:8 | Load: x | false | 147 | 147 |
|
||||||
| test.c:152:10:152:10 | Load: x | true | 152 | 152 |
|
| test.c:152:10:152:10 | Load: x | true | 152 | 152 |
|
||||||
| test.c:152:15:152:15 | Load: y | true | 152 | 152 |
|
| test.c:152:15:152:15 | Load: y | true | 152 | 152 |
|
||||||
|
|||||||
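--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/TestBase.qll
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/TestBase.qll
@@ -0,0 +1,111 @@
+module AstTest {
+import semmle.code.cpp.dataflow.DataFlow
+private import semmle.code.cpp.controlflow.Guards
+
+/**
+* A `BarrierGuard` that stops flow to all occurrences of `x` within statement
+* S in `if (guarded(x)) S`.
+*/
+// This is tested in `BarrierGuard.cpp`.
+predicate testBarrierGuard(GuardCondition g, Expr checked, boolean isTrue) {
+g.(FunctionCall).getTarget().getName() = "guarded" and
+checked = g.(FunctionCall).getArgument(0) and
+isTrue = true
+}
+
+/** Common data flow configuration to be used by tests. */
+module AstTestAllocationConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) {
+source.asExpr().(FunctionCall).getTarget().getName() = "source"
+or
+source.asParameter().getName().matches("source%")
+or
+source.asExpr().(FunctionCall).getTarget().getName() = "indirect_source"
+or
+source.(DataFlow::DefinitionByReferenceNode).getParameter().getName().matches("ref_source%")
+or
+// Track uninitialized variables
+exists(source.asUninitialized())
+}
+
+predicate isSink(DataFlow::Node sink) {
+exists(FunctionCall call |
+call.getTarget().getName() = ["sink", "indirect_sink"] and
+sink.asExpr() = call.getAnArgument()
+)
+}
+
+predicate isBarrier(DataFlow::Node barrier) {
+barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") or
+barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()
+}
+}
+
+module AstFlow = DataFlow::Global<AstTestAllocationConfig>;
+}
+
+module IRTest {
+private import cpp
+import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.controlflow.IRGuards
+
+/**
+* A `BarrierGuard` that stops flow to all occurrences of `x` within statement
+* S in `if (guarded(x)) S`.
+*/
+// This is tested in `BarrierGuard.cpp`.
+predicate testBarrierGuard(IRGuardCondition g, Expr checked, boolean isTrue) {
+exists(Call call |
+call = g.getUnconvertedResultExpression() and
+call.getTarget().hasName("guarded") and
+checked = call.getArgument(0) and
+isTrue = true
+)
+}
+
+/** Common data flow configuration to be used by tests. */
+module IRTestAllocationConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) {
+source.asExpr().(FunctionCall).getTarget().getName() = "source"
+or
+source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "indirect_source"
+or
+source.asExpr().(StringLiteral).getValue() = "source"
+or
+// indirect_source(n) gives the dataflow node representing the indirect node after n dereferences.
+exists(int n, string s |
+n = s.regexpCapture("indirect_source\\((\\d)\\)", 1).toInt() and
+source.asIndirectExpr(n).(StringLiteral).getValue() = s
+)
+or
+source.asParameter().getName().matches("source%")
+or
+source.(DataFlow::DefinitionByReferenceNode).getParameter().getName().matches("ref_source%")
+or
+exists(source.asUninitialized())
+}
+
+predicate isSink(DataFlow::Node sink) {
+exists(FunctionCall call, Expr e | e = call.getAnArgument() |
+call.getTarget().getName() = "sink" and
+sink.asExpr() = e
+or
+call.getTarget().getName() = "indirect_sink" and
+sink.asIndirectExpr() = e
+)
+}
+
+predicate isBarrier(DataFlow::Node barrier) {
+exists(Expr barrierExpr | barrierExpr in [barrier.asExpr(), barrier.asIndirectExpr()] |
+barrierExpr.(VariableAccess).getTarget().hasName("barrier")
+)
+or
+barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()
+or
+barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getAnIndirectBarrierNode()
+}
+}
+
+module IRFlow = DataFlow::Global<IRTestAllocationConfig>;
+}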
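Review bot: The QLDoc on both `testBarrierGuard` predicates reads "A `BarrierGuard` that stops flow to all occurrences of `x`…", which describes a class, but each declaration is a predicate passed to `DataFlow::BarrierGuard<testBarrierGuard/3>`, and neither has a parameter named `x`. Predicate QLDoc conventionally opens with "Holds if" and names the actual parameters, for example `/** Holds if g is a call to guarded whose first argument is checked, and isTrue is true. */`. The `AstTest` and `IRTest` copies differ only in the guard type and in how the call is reached, so the same wording fits both.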
@@ -1,5 +1,11 @@
|
|||||||
uniqueEnclosingCallable
|
uniqueEnclosingCallable
|
||||||
|
| test.cpp:864:44:864:58 | {...} | Node should have one enclosing callable but has 0. |
|
||||||
|
| test.cpp:864:47:864:54 | call to source | Node should have one enclosing callable but has 0. |
|
||||||
|
| test.cpp:872:46:872:51 | call to source | Node should have one enclosing callable but has 0. |
|
||||||
|
| test.cpp:872:53:872:56 | 1 | Node should have one enclosing callable but has 0. |
|
||||||
uniqueCallEnclosingCallable
|
uniqueCallEnclosingCallable
|
||||||
|
| test.cpp:864:47:864:54 | call to source | Call should have one enclosing callable but has 0. |
|
||||||
|
| test.cpp:872:46:872:51 | call to source | Call should have one enclosing callable but has 0. |
|
||||||
uniqueType
|
uniqueType
|
||||||
uniqueNodeLocation
|
uniqueNodeLocation
|
||||||
missingLocation
|
missingLocation
|
||||||
@@ -24,6 +30,7 @@ argHasPostUpdate
|
|||||||
| lambdas.cpp:45:2:45:2 | e | ArgumentNode is missing PostUpdateNode. |
|
| lambdas.cpp:45:2:45:2 | e | ArgumentNode is missing PostUpdateNode. |
|
||||||
| test.cpp:67:29:67:35 | source1 | ArgumentNode is missing PostUpdateNode. |
|
| test.cpp:67:29:67:35 | source1 | ArgumentNode is missing PostUpdateNode. |
|
||||||
| test.cpp:813:19:813:35 | * ... | ArgumentNode is missing PostUpdateNode. |
|
| test.cpp:813:19:813:35 | * ... | ArgumentNode is missing PostUpdateNode. |
|
||||||
|
| test.cpp:848:23:848:25 | rpx | ArgumentNode is missing PostUpdateNode. |
|
||||||
postWithInFlow
|
postWithInFlow
|
||||||
| BarrierGuard.cpp:49:6:49:6 | x [post update] | PostUpdateNode should not be the target of local flow. |
|
| BarrierGuard.cpp:49:6:49:6 | x [post update] | PostUpdateNode should not be the target of local flow. |
|
||||||
| BarrierGuard.cpp:60:7:60:7 | x [post update] | PostUpdateNode should not be the target of local flow. |
|
| BarrierGuard.cpp:60:7:60:7 | x [post update] | PostUpdateNode should not be the target of local flow. |
|
||||||
|
|||||||
@@ -0,0 +1,306 @@
|
|||||||
|
WARNING: Module DataFlow has been deprecated and may be removed in future (test-source-sink.ql:3,25-42)
|
||||||
|
WARNING: Module DataFlow has been deprecated and may be removed in future (test-source-sink.ql:3,57-74)
|
||||||
|
astFlow
|
||||||
|
| BarrierGuard.cpp:5:19:5:24 | source | BarrierGuard.cpp:9:10:9:15 | source |
|
||||||
|
| BarrierGuard.cpp:13:17:13:22 | source | BarrierGuard.cpp:15:10:15:15 | source |
|
||||||
|
| BarrierGuard.cpp:21:17:21:22 | source | BarrierGuard.cpp:25:10:25:15 | source |
|
||||||
|
| BarrierGuard.cpp:29:16:29:21 | source | BarrierGuard.cpp:31:10:31:15 | source |
|
||||||
|
| BarrierGuard.cpp:29:16:29:21 | source | BarrierGuard.cpp:33:10:33:15 | source |
|
||||||
|
| BarrierGuard.cpp:49:10:49:15 | call to source | BarrierGuard.cpp:51:13:51:13 | x |
|
||||||
|
| BarrierGuard.cpp:49:10:49:15 | call to source | BarrierGuard.cpp:53:13:53:13 | x |
|
||||||
|
| BarrierGuard.cpp:49:10:49:15 | call to source | BarrierGuard.cpp:55:13:55:13 | x |
|
||||||
|
| BarrierGuard.cpp:60:11:60:16 | call to source | BarrierGuard.cpp:62:14:62:14 | x |
|
||||||
|
| BarrierGuard.cpp:60:11:60:16 | call to source | BarrierGuard.cpp:64:14:64:14 | x |
|
||||||
|
| BarrierGuard.cpp:60:11:60:16 | call to source | BarrierGuard.cpp:66:14:66:14 | x |
|
||||||
|
| acrossLinkTargets.cpp:19:27:19:32 | call to source | acrossLinkTargets.cpp:12:8:12:8 | x |
|
||||||
|
| clang.cpp:12:9:12:20 | sourceArray1 | clang.cpp:18:8:18:19 | sourceArray1 |
|
||||||
|
| clang.cpp:12:9:12:20 | sourceArray1 | clang.cpp:22:8:22:20 | & ... |
|
||||||
|
| clang.cpp:12:9:12:20 | sourceArray1 | clang.cpp:23:17:23:29 | & ... |
|
||||||
|
| clang.cpp:29:27:29:32 | call to source | clang.cpp:30:27:30:28 | m1 |
|
||||||
|
| clang.cpp:29:27:29:32 | call to source | clang.cpp:31:27:31:34 | call to getFirst |
|
||||||
|
| clang.cpp:35:32:35:37 | call to source | clang.cpp:38:10:38:11 | m2 |
|
||||||
|
| clang.cpp:44:35:44:40 | call to source | clang.cpp:46:17:46:18 | m2 |
|
||||||
|
| clang.cpp:51:19:51:24 | call to source | clang.cpp:52:8:52:17 | stackArray |
|
||||||
|
| clang.cpp:51:19:51:24 | call to source | clang.cpp:53:17:53:26 | stackArray |
|
||||||
|
| dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:35:16:35:25 | call to notSource1 |
|
||||||
|
| dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:43:15:43:24 | call to notSource1 |
|
||||||
|
| dispatch.cpp:10:37:10:42 | call to source | dispatch.cpp:36:16:36:25 | call to notSource2 |
|
||||||
|
| dispatch.cpp:10:37:10:42 | call to source | dispatch.cpp:44:15:44:24 | call to notSource2 |
|
||||||
|
| dispatch.cpp:37:19:37:24 | call to source | dispatch.cpp:11:38:11:38 | x |
|
||||||
|
| dispatch.cpp:45:18:45:23 | call to source | dispatch.cpp:11:38:11:38 | x |
|
||||||
|
| globals.cpp:5:17:5:22 | call to source | globals.cpp:6:10:6:14 | local |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:14:3:14:6 | t |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:18:8:18:8 | call to operator() |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:21:3:21:6 | t |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:29:3:29:6 | t |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:35:8:35:8 | a |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:41:8:41:8 | a |
|
||||||
|
| lambdas.cpp:43:7:43:12 | call to source | lambdas.cpp:46:7:46:7 | w |
|
||||||
|
| ref.cpp:29:11:29:16 | call to source | ref.cpp:62:10:62:11 | x3 |
|
||||||
|
| ref.cpp:53:9:53:10 | x1 | ref.cpp:56:10:56:11 | x1 |
|
||||||
|
| ref.cpp:53:13:53:14 | x2 | ref.cpp:59:10:59:11 | x2 |
|
||||||
|
| ref.cpp:53:17:53:18 | x3 | ref.cpp:62:10:62:11 | x3 |
|
||||||
|
| ref.cpp:53:21:53:22 | x4 | ref.cpp:65:10:65:11 | x4 |
|
||||||
|
| ref.cpp:55:23:55:28 | call to source | ref.cpp:56:10:56:11 | x1 |
|
||||||
|
| ref.cpp:94:15:94:20 | call to source | ref.cpp:129:13:129:15 | val |
|
||||||
|
| ref.cpp:109:15:109:20 | call to source | ref.cpp:132:13:132:15 | val |
|
||||||
|
| ref.cpp:122:23:122:28 | call to source | ref.cpp:123:13:123:15 | val |
|
||||||
|
| ref.cpp:125:19:125:24 | call to source | ref.cpp:126:13:126:15 | val |
|
||||||
|
| self-Iterator.cpp:19:23:19:28 | call to source | self-Iterator.cpp:20:10:20:10 | x |
|
||||||
|
| test.cpp:6:12:6:17 | call to source | test.cpp:7:8:7:9 | t1 |
|
||||||
|
| test.cpp:6:12:6:17 | call to source | test.cpp:9:8:9:9 | t1 |
|
||||||
|
| test.cpp:6:12:6:17 | call to source | test.cpp:10:8:10:9 | t2 |
|
||||||
|
| test.cpp:6:12:6:17 | call to source | test.cpp:15:8:15:9 | t2 |
|
||||||
|
| test.cpp:6:12:6:17 | call to source | test.cpp:26:8:26:9 | t1 |
|
||||||
|
| test.cpp:35:10:35:15 | call to source | test.cpp:30:8:30:8 | t |
|
||||||
|
| test.cpp:36:13:36:18 | call to source | test.cpp:31:8:31:8 | c |
|
||||||
|
| test.cpp:50:14:50:19 | call to source | test.cpp:58:10:58:10 | t |
|
||||||
|
| test.cpp:66:30:66:36 | source1 | test.cpp:71:8:71:9 | x4 |
|
||||||
|
| test.cpp:75:7:75:8 | u1 | test.cpp:76:8:76:9 | u1 |
|
||||||
|
| test.cpp:83:7:83:8 | u2 | test.cpp:84:8:84:18 | ... ? ... : ... |
|
||||||
|
| test.cpp:83:7:83:8 | u2 | test.cpp:86:8:86:9 | i1 |
|
||||||
|
| test.cpp:89:28:89:34 | source1 | test.cpp:90:8:90:14 | source1 |
|
||||||
|
| test.cpp:100:13:100:18 | call to source | test.cpp:103:10:103:12 | ref |
|
||||||
|
| test.cpp:138:27:138:32 | call to source | test.cpp:140:8:140:8 | y |
|
||||||
|
| test.cpp:151:33:151:38 | call to source | test.cpp:144:8:144:8 | s |
|
||||||
|
| test.cpp:151:33:151:38 | call to source | test.cpp:152:8:152:8 | y |
|
||||||
|
| test.cpp:164:34:164:39 | call to source | test.cpp:157:8:157:8 | x |
|
||||||
|
| test.cpp:164:34:164:39 | call to source | test.cpp:165:8:165:8 | y |
|
||||||
|
| test.cpp:171:11:171:16 | call to source | test.cpp:178:8:178:8 | y |
|
||||||
|
| test.cpp:245:14:245:19 | call to source | test.cpp:260:12:260:12 | x |
|
||||||
|
| test.cpp:265:22:265:27 | call to source | test.cpp:266:12:266:12 | x |
|
||||||
|
| test.cpp:305:17:305:22 | call to source | test.cpp:289:14:289:14 | x |
|
||||||
|
| test.cpp:314:4:314:9 | call to source | test.cpp:318:7:318:7 | x |
|
||||||
|
| test.cpp:347:17:347:22 | call to source | test.cpp:349:10:349:18 | globalVar |
|
||||||
|
| test.cpp:359:13:359:18 | call to source | test.cpp:365:10:365:14 | field |
|
||||||
|
| test.cpp:373:13:373:18 | call to source | test.cpp:369:10:369:14 | field |
|
||||||
|
| test.cpp:373:13:373:18 | call to source | test.cpp:375:10:375:14 | field |
|
||||||
|
| test.cpp:382:48:382:54 | source1 | test.cpp:385:8:385:10 | tmp |
|
||||||
|
| test.cpp:388:53:388:59 | source1 | test.cpp:392:8:392:10 | tmp |
|
||||||
|
| test.cpp:388:53:388:59 | source1 | test.cpp:394:10:394:12 | tmp |
|
||||||
|
| test.cpp:399:7:399:9 | tmp | test.cpp:401:8:401:10 | tmp |
|
||||||
|
| test.cpp:405:7:405:9 | tmp | test.cpp:408:8:408:10 | tmp |
|
||||||
|
| test.cpp:416:7:416:11 | local | test.cpp:418:8:418:12 | local |
|
||||||
|
| test.cpp:417:16:417:20 | ref arg local | test.cpp:418:8:418:12 | local |
|
||||||
|
| test.cpp:422:7:422:11 | local | test.cpp:424:8:424:12 | local |
|
||||||
|
| test.cpp:423:20:423:25 | ref arg & ... | test.cpp:424:8:424:12 | local |
|
||||||
|
| test.cpp:433:7:433:11 | local | test.cpp:435:8:435:12 | local |
|
||||||
|
| test.cpp:433:7:433:11 | local | test.cpp:436:8:436:13 | * ... |
|
||||||
|
| test.cpp:434:20:434:24 | ref arg local | test.cpp:435:8:435:12 | local |
|
||||||
|
| test.cpp:434:20:434:24 | ref arg local | test.cpp:436:8:436:13 | * ... |
|
||||||
|
| test.cpp:440:7:440:11 | local | test.cpp:442:8:442:12 | local |
|
||||||
|
| test.cpp:441:18:441:23 | ref arg & ... | test.cpp:442:8:442:12 | local |
|
||||||
|
| test.cpp:448:7:448:11 | local | test.cpp:450:8:450:12 | local |
|
||||||
|
| test.cpp:448:7:448:11 | local | test.cpp:451:8:451:13 | * ... |
|
||||||
|
| test.cpp:449:18:449:22 | ref arg local | test.cpp:450:8:450:12 | local |
|
||||||
|
| test.cpp:449:18:449:22 | ref arg local | test.cpp:451:8:451:13 | * ... |
|
||||||
|
| test.cpp:456:26:456:32 | source1 | test.cpp:457:9:457:22 | (statement expression) |
|
||||||
|
| test.cpp:456:26:456:32 | source1 | test.cpp:468:8:468:12 | local |
|
||||||
|
| test.cpp:472:8:472:13 | call to source | test.cpp:478:8:478:8 | x |
|
||||||
|
| test.cpp:506:8:506:13 | call to source | test.cpp:513:8:513:8 | x |
|
||||||
|
| test.cpp:517:7:517:16 | stackArray | test.cpp:521:8:521:20 | access to array |
|
||||||
|
| test.cpp:519:19:519:24 | call to source | test.cpp:521:8:521:20 | access to array |
|
||||||
|
| test.cpp:551:9:551:9 | y | test.cpp:541:10:541:10 | y |
|
||||||
|
| test.cpp:583:11:583:16 | call to source | test.cpp:590:8:590:8 | x |
|
||||||
|
| test.cpp:628:20:628:25 | ref arg buffer | test.cpp:629:17:629:22 | buffer |
|
||||||
|
| test.cpp:633:18:633:23 | call to source | test.cpp:634:8:634:8 | x |
|
||||||
|
| test.cpp:702:38:702:43 | source | test.cpp:695:8:695:10 | buf |
|
||||||
|
| test.cpp:726:11:726:16 | call to source | test.cpp:735:8:735:8 | x |
|
||||||
|
| test.cpp:733:7:733:7 | x | test.cpp:735:8:735:8 | x |
|
||||||
|
| test.cpp:749:27:749:32 | call to source | test.cpp:740:10:740:10 | x |
|
||||||
|
| test.cpp:751:27:751:32 | call to source | test.cpp:740:10:740:10 | x |
|
||||||
|
| test.cpp:753:32:753:37 | call to source | test.cpp:740:10:740:10 | x |
|
||||||
|
| test.cpp:755:32:755:37 | call to source | test.cpp:740:10:740:10 | x |
|
||||||
|
| test.cpp:769:27:769:32 | call to source | test.cpp:760:10:760:10 | x |
|
||||||
|
| test.cpp:771:27:771:32 | call to source | test.cpp:760:10:760:10 | x |
|
||||||
|
| test.cpp:773:32:773:37 | call to source | test.cpp:760:10:760:10 | x |
|
||||||
|
| test.cpp:775:32:775:37 | call to source | test.cpp:760:10:760:10 | x |
|
||||||
|
| test.cpp:788:31:788:36 | call to source | test.cpp:782:12:782:12 | x |
|
||||||
|
| test.cpp:790:31:790:36 | call to source | test.cpp:782:12:782:12 | x |
|
||||||
|
| test.cpp:797:22:797:28 | ref arg content | test.cpp:798:19:798:25 | content |
|
||||||
|
| test.cpp:842:11:842:16 | call to source | test.cpp:844:8:844:8 | y |
|
||||||
|
| test.cpp:846:13:846:27 | call to indirect_source | test.cpp:848:23:848:25 | rpx |
|
||||||
|
| test.cpp:860:54:860:59 | call to source | test.cpp:861:10:861:37 | static_local_pointer_dynamic |
|
||||||
|
| true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
|
||||||
|
| true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
|
||||||
|
| true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x |
|
||||||
|
| true_upon_entry.cpp:43:11:43:16 | call to source | true_upon_entry.cpp:49:8:49:8 | x |
|
||||||
|
| true_upon_entry.cpp:54:11:54:16 | call to source | true_upon_entry.cpp:57:8:57:8 | x |
|
||||||
|
| true_upon_entry.cpp:70:11:70:16 | call to source | true_upon_entry.cpp:78:8:78:8 | x |
|
||||||
|
| true_upon_entry.cpp:83:11:83:16 | call to source | true_upon_entry.cpp:86:8:86:8 | x |
|
||||||
|
irFlow
|
||||||
|
| BarrierGuard.cpp:5:19:5:24 | source | BarrierGuard.cpp:9:10:9:15 | source |
|
||||||
|
| BarrierGuard.cpp:13:17:13:22 | source | BarrierGuard.cpp:15:10:15:15 | source |
|
||||||
|
| BarrierGuard.cpp:21:17:21:22 | source | BarrierGuard.cpp:25:10:25:15 | source |
|
||||||
|
| BarrierGuard.cpp:29:16:29:21 | source | BarrierGuard.cpp:31:10:31:15 | source |
|
||||||
|
| BarrierGuard.cpp:29:16:29:21 | source | BarrierGuard.cpp:33:10:33:15 | source |
|
||||||
|
| BarrierGuard.cpp:49:10:49:15 | call to source | BarrierGuard.cpp:53:13:53:13 | x |
|
||||||
|
| BarrierGuard.cpp:49:10:49:15 | call to source | BarrierGuard.cpp:55:13:55:13 | x |
|
||||||
|
| BarrierGuard.cpp:60:11:60:16 | call to source | BarrierGuard.cpp:64:14:64:14 | x |
|
||||||
|
| BarrierGuard.cpp:60:11:60:16 | call to source | BarrierGuard.cpp:66:14:66:14 | x |
|
||||||
|
| acrossLinkTargets.cpp:19:27:19:32 | call to source | acrossLinkTargets.cpp:12:8:12:8 | x |
|
||||||
|
| clang.cpp:12:9:12:20 | sourceArray1 | clang.cpp:18:8:18:19 | sourceArray1 |
|
||||||
|
| clang.cpp:12:9:12:20 | sourceArray1 | clang.cpp:23:17:23:29 | & ... indirection |
|
||||||
|
| clang.cpp:29:27:29:32 | call to source | clang.cpp:30:27:30:28 | m1 |
|
||||||
|
| clang.cpp:29:27:29:32 | call to source | clang.cpp:31:27:31:34 | call to getFirst |
|
||||||
|
| clang.cpp:35:32:35:37 | call to source | clang.cpp:38:10:38:11 | m2 |
|
||||||
|
| clang.cpp:40:42:40:47 | call to source | clang.cpp:42:18:42:19 | m2 |
|
||||||
|
| clang.cpp:44:35:44:40 | call to source | clang.cpp:46:17:46:18 | m2 |
|
||||||
|
| clang.cpp:50:7:50:16 | definition of stackArray | clang.cpp:52:8:52:17 | stackArray |
|
||||||
|
| clang.cpp:50:25:50:30 | call to source | clang.cpp:53:17:53:26 | stackArray indirection |
|
||||||
|
| clang.cpp:50:35:50:40 | call to source | clang.cpp:53:17:53:26 | stackArray indirection |
|
||||||
|
| clang.cpp:51:19:51:24 | call to source | clang.cpp:53:17:53:26 | stackArray indirection |
|
||||||
|
| dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:35:16:35:25 | call to notSource1 |
|
||||||
|
| dispatch.cpp:9:37:9:42 | call to source | dispatch.cpp:43:15:43:24 | call to notSource1 |
|
||||||
|
| dispatch.cpp:10:37:10:42 | call to source | dispatch.cpp:36:16:36:25 | call to notSource2 |
|
||||||
|
| dispatch.cpp:10:37:10:42 | call to source | dispatch.cpp:44:15:44:24 | call to notSource2 |
|
||||||
|
| dispatch.cpp:16:37:16:42 | call to source | dispatch.cpp:32:16:32:24 | call to isSource2 |
|
||||||
|
| dispatch.cpp:16:37:16:42 | call to source | dispatch.cpp:40:15:40:23 | call to isSource2 |
|
||||||
|
| dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:31:16:31:24 | call to isSource1 |
|
||||||
|
| dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:39:15:39:23 | call to isSource1 |
|
||||||
|
| dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:55:22:55:30 | call to isSource1 |
|
||||||
|
| dispatch.cpp:22:37:22:42 | call to source | dispatch.cpp:58:28:58:36 | call to isSource1 |
|
||||||
|
| dispatch.cpp:33:18:33:23 | call to source | dispatch.cpp:23:38:23:38 | x |
|
||||||
|
| dispatch.cpp:37:19:37:24 | call to source | dispatch.cpp:11:38:11:38 | x |
|
||||||
|
| dispatch.cpp:41:17:41:22 | call to source | dispatch.cpp:23:38:23:38 | x |
|
||||||
|
| dispatch.cpp:45:18:45:23 | call to source | dispatch.cpp:11:38:11:38 | x |
|
||||||
|
| dispatch.cpp:69:15:69:20 | call to source | dispatch.cpp:23:38:23:38 | x |
|
||||||
|
| dispatch.cpp:73:14:73:19 | call to source | dispatch.cpp:23:38:23:38 | x |
|
||||||
|
| dispatch.cpp:81:13:81:18 | call to source | dispatch.cpp:23:38:23:38 | x |
|
||||||
|
| dispatch.cpp:107:17:107:22 | call to source | dispatch.cpp:96:8:96:8 | x |
|
||||||
|
| dispatch.cpp:140:8:140:13 | call to source | dispatch.cpp:96:8:96:8 | x |
|
||||||
|
| dispatch.cpp:144:8:144:13 | call to source | dispatch.cpp:96:8:96:8 | x |
|
||||||
|
| flowOut.cpp:5:16:5:21 | call to source | flowOut.cpp:19:9:19:9 | x |
|
||||||
|
| globals.cpp:5:17:5:22 | call to source | globals.cpp:6:10:6:14 | local |
|
||||||
|
| globals.cpp:13:23:13:28 | call to source | globals.cpp:12:10:12:24 | flowTestGlobal1 |
|
||||||
|
| globals.cpp:23:23:23:28 | call to source | globals.cpp:19:10:19:24 | flowTestGlobal2 |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:14:8:14:8 | t |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:18:8:18:8 | call to operator() |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:21:8:21:8 | t |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:29:8:29:8 | t |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:35:8:35:8 | a |
|
||||||
|
| lambdas.cpp:8:10:8:15 | call to source | lambdas.cpp:41:8:41:8 | a |
|
||||||
|
| lambdas.cpp:43:7:43:12 | call to source | lambdas.cpp:46:7:46:7 | w |
|
||||||
|
| ref.cpp:29:11:29:16 | call to source | ref.cpp:62:10:62:11 | x3 |
|
||||||
|
| ref.cpp:53:9:53:10 | definition of x1 | ref.cpp:56:10:56:11 | x1 |
|
||||||
|
| ref.cpp:53:13:53:14 | definition of x2 | ref.cpp:59:10:59:11 | x2 |
|
||||||
|
| ref.cpp:53:17:53:18 | definition of x3 | ref.cpp:62:10:62:11 | x3 |
|
||||||
|
| ref.cpp:53:21:53:22 | definition of x4 | ref.cpp:65:10:65:11 | x4 |
|
||||||
|
| ref.cpp:55:23:55:28 | call to source | ref.cpp:56:10:56:11 | x1 |
|
||||||
|
| ref.cpp:94:15:94:20 | call to source | ref.cpp:129:13:129:15 | val |
|
||||||
|
| ref.cpp:109:15:109:20 | call to source | ref.cpp:132:13:132:15 | val |
|
||||||
|
| ref.cpp:122:23:122:28 | call to source | ref.cpp:123:13:123:15 | val |
|
||||||
|
| ref.cpp:125:19:125:24 | call to source | ref.cpp:126:13:126:15 | val |
|
||||||
|
| self-Iterator.cpp:19:23:19:30 | call to source | self-Iterator.cpp:20:10:20:10 | x |
|
||||||
|
| test.cpp:6:12:6:17 | call to source | test.cpp:7:8:7:9 | t1 |
|
||||||
|
| test.cpp:6:12:6:17 | call to source | test.cpp:9:8:9:9 | t1 |
|
||||||
|
| test.cpp:6:12:6:17 | call to source | test.cpp:10:8:10:9 | t2 |
|
||||||
|
| test.cpp:6:12:6:17 | call to source | test.cpp:15:8:15:9 | t2 |
|
||||||
|
| test.cpp:6:12:6:17 | call to source | test.cpp:26:8:26:9 | t1 |
|
||||||
|
| test.cpp:35:10:35:15 | call to source | test.cpp:30:8:30:8 | t |
|
||||||
|
| test.cpp:36:13:36:18 | call to source | test.cpp:31:8:31:8 | c |
|
||||||
|
| test.cpp:50:14:50:19 | call to source | test.cpp:58:10:58:10 | t |
|
||||||
|
| test.cpp:66:30:66:36 | source1 | test.cpp:71:8:71:9 | x4 |
|
||||||
|
| test.cpp:75:7:75:8 | definition of u1 | test.cpp:76:8:76:9 | u1 |
|
||||||
|
| test.cpp:83:7:83:8 | definition of u2 | test.cpp:84:8:84:18 | ... ? ... : ... |
|
||||||
|
| test.cpp:83:7:83:8 | definition of u2 | test.cpp:86:8:86:9 | i1 |
|
||||||
|
| test.cpp:89:28:89:34 | source1 indirection | test.cpp:90:8:90:14 | source1 |
|
||||||
|
| test.cpp:100:13:100:18 | call to source | test.cpp:103:10:103:12 | ref |
|
||||||
|
| test.cpp:138:27:138:32 | call to source | test.cpp:140:8:140:8 | y |
|
||||||
|
| test.cpp:151:33:151:38 | call to source | test.cpp:144:8:144:8 | s |
|
||||||
|
| test.cpp:151:33:151:38 | call to source | test.cpp:152:8:152:8 | y |
|
||||||
|
| test.cpp:164:34:164:39 | call to source | test.cpp:157:8:157:8 | x |
|
||||||
|
| test.cpp:164:34:164:39 | call to source | test.cpp:165:8:165:8 | y |
|
||||||
|
| test.cpp:171:11:171:16 | call to source | test.cpp:178:8:178:8 | y |
|
||||||
|
| test.cpp:245:14:245:19 | call to source | test.cpp:260:12:260:12 | x |
|
||||||
|
| test.cpp:265:22:265:27 | call to source | test.cpp:266:12:266:12 | x |
|
||||||
|
| test.cpp:305:17:305:22 | call to source | test.cpp:289:14:289:14 | x |
|
||||||
|
| test.cpp:314:4:314:9 | call to source | test.cpp:318:7:318:7 | x |
|
||||||
|
| test.cpp:333:17:333:22 | call to source | test.cpp:337:10:337:18 | globalVar |
|
||||||
|
| test.cpp:333:17:333:22 | call to source | test.cpp:339:10:339:18 | globalVar |
|
||||||
|
| test.cpp:333:17:333:22 | call to source | test.cpp:343:10:343:18 | globalVar |
|
||||||
|
| test.cpp:333:17:333:22 | call to source | test.cpp:349:10:349:18 | globalVar |
|
||||||
|
| test.cpp:347:17:347:22 | call to source | test.cpp:337:10:337:18 | globalVar |
|
||||||
|
| test.cpp:347:17:347:22 | call to source | test.cpp:339:10:339:18 | globalVar |
|
||||||
|
| test.cpp:347:17:347:22 | call to source | test.cpp:343:10:343:18 | globalVar |
|
||||||
|
| test.cpp:347:17:347:22 | call to source | test.cpp:349:10:349:18 | globalVar |
|
||||||
|
| test.cpp:359:13:359:18 | call to source | test.cpp:365:10:365:14 | field |
|
||||||
|
| test.cpp:373:13:373:18 | call to source | test.cpp:369:10:369:14 | field |
|
||||||
|
| test.cpp:373:13:373:18 | call to source | test.cpp:375:10:375:14 | field |
|
||||||
|
| test.cpp:382:48:382:54 | source1 | test.cpp:385:8:385:10 | tmp |
|
||||||
|
| test.cpp:388:53:388:59 | source1 | test.cpp:392:8:392:10 | tmp |
|
||||||
|
| test.cpp:388:53:388:59 | source1 | test.cpp:394:10:394:12 | tmp |
|
||||||
|
| test.cpp:399:7:399:9 | definition of tmp | test.cpp:401:8:401:10 | tmp |
|
||||||
|
| test.cpp:405:7:405:9 | definition of tmp | test.cpp:408:8:408:10 | tmp |
|
||||||
|
| test.cpp:416:7:416:11 | definition of local | test.cpp:418:8:418:12 | local |
|
||||||
|
| test.cpp:417:16:417:20 | intRefSource output argument | test.cpp:418:8:418:12 | local |
|
||||||
|
| test.cpp:422:7:422:11 | definition of local | test.cpp:424:8:424:12 | local |
|
||||||
|
| test.cpp:423:20:423:25 | intPointerSource output argument | test.cpp:424:8:424:12 | local |
|
||||||
|
| test.cpp:433:7:433:11 | definition of local | test.cpp:435:8:435:12 | local |
|
||||||
|
| test.cpp:434:20:434:24 | intPointerSource output argument | test.cpp:436:8:436:13 | * ... |
|
||||||
|
| test.cpp:440:7:440:11 | definition of local | test.cpp:442:8:442:12 | local |
|
||||||
|
| test.cpp:441:18:441:23 | intArraySource output argument | test.cpp:442:8:442:12 | local |
|
||||||
|
| test.cpp:448:7:448:11 | definition of local | test.cpp:450:8:450:12 | local |
|
||||||
|
| test.cpp:449:18:449:22 | intArraySource output argument | test.cpp:451:8:451:13 | * ... |
|
||||||
|
| test.cpp:456:26:456:32 | source1 | test.cpp:457:9:457:22 | (statement expression) |
|
||||||
|
| test.cpp:456:26:456:32 | source1 | test.cpp:468:8:468:12 | local |
|
||||||
|
| test.cpp:472:8:472:13 | call to source | test.cpp:478:8:478:8 | x |
|
||||||
|
| test.cpp:506:8:506:13 | call to source | test.cpp:513:8:513:8 | x |
|
||||||
|
| test.cpp:519:19:519:24 | call to source | test.cpp:521:8:521:20 | access to array |
|
||||||
|
| test.cpp:531:29:531:34 | call to source | test.cpp:532:8:532:9 | * ... |
|
||||||
|
| test.cpp:547:9:547:9 | definition of x | test.cpp:536:10:536:11 | * ... |
|
||||||
|
| test.cpp:551:9:551:9 | definition of y | test.cpp:541:10:541:10 | y |
|
||||||
|
| test.cpp:562:17:562:31 | call to indirect_source indirection | test.cpp:566:10:566:19 | * ... |
|
||||||
|
| test.cpp:562:17:562:31 | call to indirect_source indirection | test.cpp:568:10:568:19 | * ... |
|
||||||
|
| test.cpp:562:17:562:31 | call to indirect_source indirection | test.cpp:572:10:572:19 | * ... |
|
||||||
|
| test.cpp:562:17:562:31 | call to indirect_source indirection | test.cpp:578:10:578:19 | * ... |
|
||||||
|
| test.cpp:576:17:576:31 | call to indirect_source indirection | test.cpp:566:10:566:19 | * ... |
|
||||||
|
| test.cpp:576:17:576:31 | call to indirect_source indirection | test.cpp:568:10:568:19 | * ... |
|
||||||
|
| test.cpp:576:17:576:31 | call to indirect_source indirection | test.cpp:572:10:572:19 | * ... |
|
||||||
|
| test.cpp:576:17:576:31 | call to indirect_source indirection | test.cpp:578:10:578:19 | * ... |
|
||||||
|
| test.cpp:594:12:594:26 | call to indirect_source indirection | test.cpp:597:8:597:13 | * ... |
|
||||||
|
| test.cpp:601:20:601:20 | intPointerSource output argument | test.cpp:603:8:603:9 | * ... |
|
||||||
|
| test.cpp:607:20:607:20 | intPointerSource output argument | test.cpp:609:8:609:9 | * ... |
|
||||||
|
| test.cpp:614:20:614:20 | intPointerSource output argument | test.cpp:616:8:616:17 | * ... |
|
||||||
|
| test.cpp:628:20:628:25 | intPointerSource output argument | test.cpp:629:17:629:22 | buffer indirection |
|
||||||
|
| test.cpp:633:18:633:23 | call to source | test.cpp:634:8:634:8 | x |
|
||||||
|
| test.cpp:646:7:646:12 | call to source | test.cpp:645:8:645:8 | x |
|
||||||
|
| test.cpp:660:7:660:12 | call to source | test.cpp:658:8:658:8 | x |
|
||||||
|
| test.cpp:664:18:664:23 | call to source | test.cpp:666:8:666:16 | * ... |
|
||||||
|
| test.cpp:681:7:681:12 | call to source | test.cpp:679:8:679:16 | * ... |
|
||||||
|
| test.cpp:733:7:733:7 | definition of x | test.cpp:735:8:735:8 | x |
|
||||||
|
| test.cpp:751:27:751:32 | call to source | test.cpp:740:10:740:10 | x |
|
||||||
|
| test.cpp:753:32:753:37 | call to source | test.cpp:740:10:740:10 | x |
|
||||||
|
| test.cpp:755:32:755:37 | call to source | test.cpp:740:10:740:10 | x |
|
||||||
|
| test.cpp:771:27:771:32 | call to source | test.cpp:760:10:760:10 | x |
|
||||||
|
| test.cpp:773:32:773:37 | call to source | test.cpp:760:10:760:10 | x |
|
||||||
|
| test.cpp:775:32:775:37 | call to source | test.cpp:760:10:760:10 | x |
|
||||||
|
| test.cpp:788:31:788:36 | call to source | test.cpp:782:12:782:12 | x |
|
||||||
|
| test.cpp:790:31:790:36 | call to source | test.cpp:782:12:782:12 | x |
|
||||||
|
| test.cpp:797:22:797:28 | intPointerSource output argument | test.cpp:798:19:798:25 | content indirection |
|
||||||
|
| test.cpp:808:25:808:39 | call to indirect_source indirection | test.cpp:813:19:813:35 | * ... indirection |
|
||||||
|
| test.cpp:818:26:818:31 | call to source | test.cpp:823:10:823:27 | * ... |
|
||||||
|
| test.cpp:832:21:832:26 | call to source | test.cpp:836:10:836:22 | global_direct |
|
||||||
|
| test.cpp:842:11:842:16 | call to source | test.cpp:844:8:844:8 | y |
|
||||||
|
| test.cpp:846:13:846:27 | call to indirect_source indirection | test.cpp:848:17:848:25 | rpx indirection |
|
||||||
|
| test.cpp:853:55:853:62 | call to source | test.cpp:854:10:854:36 | * ... |
|
||||||
|
| test.cpp:860:54:860:59 | call to source | test.cpp:861:10:861:37 | static_local_pointer_dynamic |
|
||||||
|
| test.cpp:872:46:872:51 | call to source | test.cpp:875:10:875:31 | global_pointer_dynamic |
|
||||||
|
| test.cpp:880:64:880:83 | indirect_source(1) indirection | test.cpp:883:10:883:45 | static_local_array_static_indirect_1 |
|
||||||
|
| test.cpp:881:64:881:83 | indirect_source(2) indirection | test.cpp:886:19:886:54 | static_local_array_static_indirect_2 indirection |
|
||||||
|
| test.cpp:890:54:890:61 | source | test.cpp:893:10:893:36 | static_local_pointer_static |
|
||||||
|
| test.cpp:891:65:891:84 | indirect_source(1) indirection | test.cpp:895:19:895:56 | static_local_pointer_static_indirect_1 indirection |
|
||||||
|
| test.cpp:901:56:901:75 | indirect_source(1) indirection | test.cpp:907:10:907:39 | global_array_static_indirect_1 |
|
||||||
|
| test.cpp:902:56:902:75 | indirect_source(2) indirection | test.cpp:911:19:911:48 | global_array_static_indirect_2 indirection |
|
||||||
|
| test.cpp:914:46:914:53 | source | test.cpp:919:10:919:30 | global_pointer_static |
|
||||||
|
| test.cpp:915:57:915:76 | indirect_source(1) indirection | test.cpp:921:19:921:50 | global_pointer_static_indirect_1 indirection |
|
||||||
|
| true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
|
||||||
|
| true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
|
||||||
|
| true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
|
||||||
|
| true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x |
|
||||||
|
| true_upon_entry.cpp:43:11:43:16 | call to source | true_upon_entry.cpp:49:8:49:8 | x |
|
||||||
|
| true_upon_entry.cpp:54:11:54:16 | call to source | true_upon_entry.cpp:57:8:57:8 | x |
|
||||||
|
| true_upon_entry.cpp:62:11:62:16 | call to source | true_upon_entry.cpp:66:8:66:8 | x |
|
||||||
|
| true_upon_entry.cpp:70:11:70:16 | call to source | true_upon_entry.cpp:78:8:78:8 | x |
|
||||||
|
| true_upon_entry.cpp:83:11:83:16 | call to source | true_upon_entry.cpp:86:8:86:8 | x |
|
||||||
|
| true_upon_entry.cpp:98:11:98:16 | call to source | true_upon_entry.cpp:105:8:105:8 | x |
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
import TestBase
|
||||||
|
|
||||||
|
query predicate astFlow(AstTest::DataFlow::Node source, AstTest::DataFlow::Node sink) {
|
||||||
|
AstTest::AstFlow::flow(source, sink)
|
||||||
|
}
|
||||||
|
|
||||||
|
query predicate irFlow(IRTest::DataFlow::Node source, IRTest::DataFlow::Node sink) {
|
||||||
|
IRTest::IRFlow::flow(source, sink)
|
||||||
|
}
|
||||||
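Review bot: The new query has no header comment saying what its two result sets are for. As written, `astFlow` and `irFlow` list every source/sink pair reported by `AstTest::AstFlow::flow` and `IRTest::IRFlow::flow`, so I would add a comment above the predicates such as `// Lists every (source, sink) pair found by the AST and IR data-flow libraries; compare against the .expected file.` The source, sink and barrier definitions come from `TestBase`, which is not shown here, so the comment should point readers there.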
@@ -1,5 +1,5 @@
|
|||||||
int source();
|
int source();
|
||||||
void sink(int); void sink(const int *); void sink(int **); void indirect_sink(...);
|
void sink(...); void indirect_sink(...);
|
||||||
|
|
||||||
void intraprocedural_with_local_flow() {
|
void intraprocedural_with_local_flow() {
|
||||||
int t2;
|
int t2;
|
||||||
@@ -836,4 +836,90 @@ namespace MoreGlobalTests {
|
|||||||
sink(global_direct); // $ ir MISSING: ast
|
sink(global_direct); // $ ir MISSING: ast
|
||||||
indirect_sink(global_direct); // clean
|
indirect_sink(global_direct); // clean
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void test_references() {
|
||||||
|
int x = source();
|
||||||
|
int &y = x;
|
||||||
|
sink(y); // $ ast,ir
|
||||||
|
|
||||||
|
int* px = indirect_source();
|
||||||
|
int*& rpx = px;
|
||||||
|
indirect_sink((int*)rpx); // $ ast,ir
|
||||||
|
}
|
||||||
|
|
||||||
|
namespace GlobalArrays {
|
||||||
|
void test1() {
|
||||||
|
static const int static_local_array_dynamic[] = { ::source() };
|
||||||
|
sink(*static_local_array_dynamic); // $ ir MISSING: ast
|
||||||
|
}
|
||||||
|
|
||||||
|
const int* source(bool);
|
||||||
|
|
||||||
|
void test2() {
|
||||||
|
static const int* static_local_pointer_dynamic = source(true);
|
||||||
|
sink(static_local_pointer_dynamic); // $ ast,ir
|
||||||
|
}
|
||||||
|
|
||||||
|
static const int global_array_dynamic[] = { ::source() };
|
||||||
|
|
||||||
|
void test3() {
|
||||||
|
sink(*global_array_dynamic); // $ MISSING: ir,ast // Missing in IR because no 'IRFunction' for global_array is generated because the type of global_array_dynamic is "deeply const".
|
||||||
|
}
|
||||||
|
|
||||||
|
const int* source(bool);
|
||||||
|
|
||||||
|
static const int* global_pointer_dynamic = source(true);
|
||||||
|
|
||||||
|
void test4() {
|
||||||
|
sink(global_pointer_dynamic); // $ ir MISSING: ast
|
||||||
|
}
|
||||||
|
|
||||||
|
void test5() {
|
||||||
|
static const char static_local_array_static[] = "source";
|
||||||
|
static const char static_local_array_static_indirect_1[] = "indirect_source(1)";
|
||||||
|
static const char static_local_array_static_indirect_2[] = "indirect_source(2)";
|
||||||
|
sink(static_local_array_static); // clean
|
||||||
|
sink(static_local_array_static_indirect_1); // $ ir MISSING: ast
|
||||||
|
indirect_sink(static_local_array_static_indirect_1); // clean
|
||||||
|
sink(static_local_array_static_indirect_2); // clean
|
||||||
|
indirect_sink(static_local_array_static_indirect_2); // $ ir MISSING: ast
|
||||||
|
}
|
||||||
|
|
||||||
|
void test6() {
|
||||||
|
static const char* static_local_pointer_static = "source";
|
||||||
|
static const char* static_local_pointer_static_indirect_1 = "indirect_source(1)";
|
||||||
|
static const char* static_local_pointer_static_indirect_2 = "indirect_source(2)";
|
||||||
|
sink(static_local_pointer_static); // $ ir MISSING: ast
|
||||||
|
sink(static_local_pointer_static_indirect_1); // clean
|
||||||
|
indirect_sink(static_local_pointer_static_indirect_1); // $ ir MISSING: ast
|
||||||
|
sink(static_local_pointer_static_indirect_2); // clean: static_local_pointer_static_indirect_2 does not have 2 indirections
|
||||||
|
indirect_sink(static_local_pointer_static_indirect_2); // clean: static_local_pointer_static_indirect_2 does not have 2 indirections
|
||||||
|
}
|
||||||
|
|
||||||
|
static const char global_array_static[] = "source";
|
||||||
|
static const char global_array_static_indirect_1[] = "indirect_source(1)";
|
||||||
|
static const char global_array_static_indirect_2[] = "indirect_source(2)";
|
||||||
|
|
||||||
|
void test7() {
|
||||||
|
sink(global_array_static); // clean
|
||||||
|
sink(*global_array_static); // clean
|
||||||
|
sink(global_array_static_indirect_1); // $ ir MISSING: ast
|
||||||
|
sink(*global_array_static_indirect_1); // clean
|
||||||
|
indirect_sink(global_array_static); // clean
|
||||||
|
indirect_sink(global_array_static_indirect_1); // clean
|
||||||
|
indirect_sink(global_array_static_indirect_2); // $ ir MISSING: ast
|
||||||
|
}
|
||||||
|
|
||||||
|
static const char* global_pointer_static = "source";
|
||||||
|
static const char* global_pointer_static_indirect_1 = "indirect_source(1)";
|
||||||
|
static const char* global_pointer_static_indirect_2 = "indirect_source(2)";
|
||||||
|
|
||||||
|
void test8() {
|
||||||
|
sink(global_pointer_static); // $ ir MISSING: ast
|
||||||
|
sink(global_pointer_static_indirect_1); // clean
|
||||||
|
indirect_sink(global_pointer_static_indirect_1); // $ ir MISSING: ast
|
||||||
|
sink(global_pointer_static_indirect_2); // clean: global_pointer_static_indirect_2 does not have 2 indirections
|
||||||
|
indirect_sink(global_pointer_static_indirect_2); // clean: global_pointer_static_indirect_2 does not have 2 indirections
|
||||||
|
}
|
||||||
}
|
}
|
||||||
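Review bot: `const int* source(bool);` is declared twice inside `namespace GlobalArrays`, once before `test2` and again before `global_pointer_dynamic`; the second declaration is redundant and can be removed. The comment in `test3` names `global_array` where the variable is `global_array_dynamic`; I would write it as `// Missing in IR: no 'IRFunction' is generated for global_array_dynamic because its type is "deeply const".` The first hunk of this file also replaces the typed `sink` overloads with `void sink(...)`, so every existing call site now passes its argument through a variadic call rather than a typed parameter. That may change the conversions recorded at those calls, so the expected-output changes for the older tests are worth checking against it.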
@@ -1,9 +1,2 @@
|
|||||||
WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:19,45-53)
|
|
||||||
WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:20,24-32)
|
|
||||||
WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:27,15-23)
|
|
||||||
WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:33,22-30)
|
|
||||||
WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:40,25-33)
|
|
||||||
WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:42,17-25)
|
|
||||||
WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:46,20-28)
|
|
||||||
testFailures
|
testFailures
|
||||||
failures
|
failures
|
||||||
|
|||||||
@@ -1,107 +1,3 @@
|
|||||||
|
import TestBase
|
||||||
import TestUtilities.dataflow.FlowTestCommon
|
import TestUtilities.dataflow.FlowTestCommon
|
||||||
|
|
||||||
module AstTest {
|
|
||||||
private import semmle.code.cpp.dataflow.DataFlow
|
|
||||||
private import semmle.code.cpp.controlflow.Guards
|
|
||||||
|
|
||||||
/**
|
|
||||||
* A `BarrierGuard` that stops flow to all occurrences of `x` within statement
|
|
||||||
* S in `if (guarded(x)) S`.
|
|
||||||
*/
|
|
||||||
// This is tested in `BarrierGuard.cpp`.
|
|
||||||
predicate testBarrierGuard(GuardCondition g, Expr checked, boolean isTrue) {
|
|
||||||
g.(FunctionCall).getTarget().getName() = "guarded" and
|
|
||||||
checked = g.(FunctionCall).getArgument(0) and
|
|
||||||
isTrue = true
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Common data flow configuration to be used by tests. */
|
|
||||||
module AstTestAllocationConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) {
|
|
||||||
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
|
||||||
or
|
|
||||||
source.asParameter().getName().matches("source%")
|
|
||||||
or
|
|
||||||
source.asExpr().(FunctionCall).getTarget().getName() = "indirect_source"
|
|
||||||
or
|
|
||||||
source.(DataFlow::DefinitionByReferenceNode).getParameter().getName().matches("ref_source%")
|
|
||||||
or
|
|
||||||
// Track uninitialized variables
|
|
||||||
exists(source.asUninitialized())
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
|
||||||
exists(FunctionCall call |
|
|
||||||
call.getTarget().getName() = ["sink", "indirect_sink"] and
|
|
||||||
sink.asExpr() = call.getAnArgument()
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node barrier) {
|
|
||||||
barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") or
|
|
||||||
barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module AstFlow = DataFlow::Global<AstTestAllocationConfig>;
|
|
||||||
}
|
|
||||||
|
|
||||||
module IRTest {
|
|
||||||
private import cpp
|
|
||||||
private import semmle.code.cpp.ir.dataflow.DataFlow
|
|
||||||
private import semmle.code.cpp.ir.IR
|
|
||||||
private import semmle.code.cpp.controlflow.IRGuards
|
|
||||||
|
|
||||||
/**
|
|
||||||
* A `BarrierGuard` that stops flow to all occurrences of `x` within statement
|
|
||||||
* S in `if (guarded(x)) S`.
|
|
||||||
*/
|
|
||||||
// This is tested in `BarrierGuard.cpp`.
|
|
||||||
predicate testBarrierGuard(IRGuardCondition g, Expr checked, boolean isTrue) {
|
|
||||||
exists(Call call |
|
|
||||||
call = g.getUnconvertedResultExpression() and
|
|
||||||
call.getTarget().hasName("guarded") and
|
|
||||||
checked = call.getArgument(0) and
|
|
||||||
isTrue = true
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Common data flow configuration to be used by tests. */
|
|
||||||
module IRTestAllocationConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) {
|
|
||||||
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
|
||||||
or
|
|
||||||
source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "indirect_source"
|
|
||||||
or
|
|
||||||
source.asParameter().getName().matches("source%")
|
|
||||||
or
|
|
||||||
source.(DataFlow::DefinitionByReferenceNode).getParameter().getName().matches("ref_source%")
|
|
||||||
or
|
|
||||||
exists(source.asUninitialized())
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
|
||||||
exists(FunctionCall call, Expr e | e = call.getAnArgument() |
|
|
||||||
call.getTarget().getName() = "sink" and
|
|
||||||
sink.asExpr() = e
|
|
||||||
or
|
|
||||||
call.getTarget().getName() = "indirect_sink" and
|
|
||||||
sink.asIndirectExpr() = e
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node barrier) {
|
|
||||||
exists(Expr barrierExpr | barrierExpr in [barrier.asExpr(), barrier.asIndirectExpr()] |
|
|
||||||
barrierExpr.(VariableAccess).getTarget().hasName("barrier")
|
|
||||||
)
|
|
||||||
or
|
|
||||||
barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()
|
|
||||||
or
|
|
||||||
barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getAnIndirectBarrierNode()
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
module IRFlow = DataFlow::Global<IRTestAllocationConfig>;
|
|
||||||
}
|
|
||||||
|
|
||||||
import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>
|
import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>
|
||||||
|
|||||||
@@ -2770,43 +2770,65 @@ ir.cpp:
|
|||||||
# 462| m462_2(int) = Uninitialized[x] : &:r462_1
|
# 462| m462_2(int) = Uninitialized[x] : &:r462_1
|
||||||
# 463| r463_1(glval<bool>) = VariableAddress[a] :
|
# 463| r463_1(glval<bool>) = VariableAddress[a] :
|
||||||
# 463| r463_2(bool) = Load[a] : &:r463_1, m461_6
|
# 463| r463_2(bool) = Load[a] : &:r463_1, m461_6
|
||||||
# 463| v463_3(void) = ConditionalBranch : r463_2
|
# 463| r463_3(bool) = LogicalNot : r463_2
|
||||||
#-----| False -> Block 1
|
# 463| v463_4(void) = ConditionalBranch : r463_3
|
||||||
#-----| True -> Block 2
|
#-----| False -> Block 5
|
||||||
|
#-----| True -> Block 1
|
||||||
|
|
||||||
# 464| Block 1
|
# 464| Block 1
|
||||||
# 464| r464_1(int) = Constant[1] :
|
# 464| r464_1(int) = Constant[1] :
|
||||||
# 464| r464_2(glval<int>) = VariableAddress[x] :
|
# 464| r464_2(glval<int>) = VariableAddress[x] :
|
||||||
# 464| m464_3(int) = Store[x] : &:r464_2, r464_1
|
# 464| m464_3(int) = Store[x] : &:r464_2, r464_1
|
||||||
#-----| Goto -> Block 2
|
#-----| Goto -> Block 5
|
||||||
|
|
||||||
# 467| Block 2
|
# 467| Block 2
|
||||||
# 467| r467_1(glval<bool>) = VariableAddress[a] :
|
# 467| r467_1(glval<bool>) = VariableAddress[#temp467:11] :
|
||||||
# 467| r467_2(bool) = Load[a] : &:r467_1, m461_6
|
# 467| r467_2(bool) = Constant[0] :
|
||||||
# 467| v467_3(void) = ConditionalBranch : r467_2
|
# 467| m467_3(bool) = Store[#temp467:11] : &:r467_1, r467_2
|
||||||
#-----| False -> Block 4
|
#-----| Goto -> Block 3
|
||||||
#-----| True -> Block 3
|
|
||||||
|
|
||||||
# 467| Block 3
|
# 467| Block 3
|
||||||
# 467| r467_4(glval<bool>) = VariableAddress[b] :
|
# 467| m467_4(bool) = Phi : from 2:m467_3, from 4:m467_11
|
||||||
# 467| r467_5(bool) = Load[b] : &:r467_4, m461_8
|
# 467| r467_5(glval<bool>) = VariableAddress[#temp467:11] :
|
||||||
# 467| v467_6(void) = ConditionalBranch : r467_5
|
# 467| r467_6(bool) = Load[#temp467:11] : &:r467_5, m467_4
|
||||||
#-----| False -> Block 4
|
# 467| r467_7(bool) = LogicalNot : r467_6
|
||||||
#-----| True -> Block 5
|
# 467| v467_8(void) = ConditionalBranch : r467_7
|
||||||
|
#-----| False -> Block 8
|
||||||
|
#-----| True -> Block 7
|
||||||
|
|
||||||
# 468| Block 4
|
# 467| Block 4
|
||||||
|
# 467| r467_9(glval<bool>) = VariableAddress[#temp467:11] :
|
||||||
|
# 467| r467_10(bool) = Constant[1] :
|
||||||
|
# 467| m467_11(bool) = Store[#temp467:11] : &:r467_9, r467_10
|
||||||
|
#-----| Goto -> Block 3
|
||||||
|
|
||||||
|
# 467| Block 5
|
||||||
|
# 467| r467_12(glval<bool>) = VariableAddress[a] :
|
||||||
|
# 467| r467_13(bool) = Load[a] : &:r467_12, m461_6
|
||||||
|
# 467| v467_14(void) = ConditionalBranch : r467_13
|
||||||
|
#-----| False -> Block 2
|
||||||
|
#-----| True -> Block 6
|
||||||
|
|
||||||
|
# 467| Block 6
|
||||||
|
# 467| r467_15(glval<bool>) = VariableAddress[b] :
|
||||||
|
# 467| r467_16(bool) = Load[b] : &:r467_15, m461_8
|
||||||
|
# 467| v467_17(void) = ConditionalBranch : r467_16
|
||||||
|
#-----| False -> Block 2
|
||||||
|
#-----| True -> Block 4
|
||||||
|
|
||||||
|
# 468| Block 7
|
||||||
# 468| r468_1(int) = Constant[2] :
|
# 468| r468_1(int) = Constant[2] :
|
||||||
# 468| r468_2(glval<int>) = VariableAddress[x] :
|
# 468| r468_2(glval<int>) = VariableAddress[x] :
|
||||||
# 468| m468_3(int) = Store[x] : &:r468_2, r468_1
|
# 468| m468_3(int) = Store[x] : &:r468_2, r468_1
|
||||||
#-----| Goto -> Block 6
|
#-----| Goto -> Block 9
|
||||||
|
|
||||||
# 471| Block 5
|
# 471| Block 8
|
||||||
# 471| r471_1(int) = Constant[3] :
|
# 471| r471_1(int) = Constant[3] :
|
||||||
# 471| r471_2(glval<int>) = VariableAddress[x] :
|
# 471| r471_2(glval<int>) = VariableAddress[x] :
|
||||||
# 471| m471_3(int) = Store[x] : &:r471_2, r471_1
|
# 471| m471_3(int) = Store[x] : &:r471_2, r471_1
|
||||||
#-----| Goto -> Block 6
|
#-----| Goto -> Block 9
|
||||||
|
|
||||||
# 473| Block 6
|
# 473| Block 9
|
||||||
# 473| v473_1(void) = NoOp :
|
# 473| v473_1(void) = NoOp :
|
||||||
# 461| v461_9(void) = ReturnVoid :
|
# 461| v461_9(void) = ReturnVoid :
|
||||||
# 461| v461_10(void) = AliasedUse : m461_3
|
# 461| v461_10(void) = AliasedUse : m461_3
|
||||||
|
|||||||
@@ -2398,16 +2398,27 @@
|
|||||||
| ir.cpp:461:22:461:22 | Address | &:r461_5 |
|
| ir.cpp:461:22:461:22 | Address | &:r461_5 |
|
||||||
| ir.cpp:461:30:461:30 | Address | &:r461_7 |
|
| ir.cpp:461:30:461:30 | Address | &:r461_7 |
|
||||||
| ir.cpp:462:9:462:9 | Address | &:r462_1 |
|
| ir.cpp:462:9:462:9 | Address | &:r462_1 |
|
||||||
|
| ir.cpp:463:9:463:10 | Condition | r463_3 |
|
||||||
| ir.cpp:463:10:463:10 | Address | &:r463_1 |
|
| ir.cpp:463:10:463:10 | Address | &:r463_1 |
|
||||||
| ir.cpp:463:10:463:10 | Condition | r463_2 |
|
|
||||||
| ir.cpp:463:10:463:10 | Load | m461_6 |
|
| ir.cpp:463:10:463:10 | Load | m461_6 |
|
||||||
|
| ir.cpp:463:10:463:10 | Unary | r463_2 |
|
||||||
| ir.cpp:464:9:464:9 | Address | &:r464_2 |
|
| ir.cpp:464:9:464:9 | Address | &:r464_2 |
|
||||||
| ir.cpp:464:13:464:13 | StoreValue | r464_1 |
|
| ir.cpp:464:13:464:13 | StoreValue | r464_1 |
|
||||||
| ir.cpp:467:11:467:11 | Address | &:r467_1 |
|
| ir.cpp:467:9:467:17 | Condition | r467_7 |
|
||||||
| ir.cpp:467:11:467:11 | Condition | r467_2 |
|
| ir.cpp:467:11:467:11 | Address | &:r467_12 |
|
||||||
|
| ir.cpp:467:11:467:11 | Condition | r467_13 |
|
||||||
| ir.cpp:467:11:467:11 | Load | m461_6 |
|
| ir.cpp:467:11:467:11 | Load | m461_6 |
|
||||||
| ir.cpp:467:16:467:16 | Address | &:r467_4 |
|
| ir.cpp:467:11:467:16 | Address | &:r467_1 |
|
||||||
| ir.cpp:467:16:467:16 | Condition | r467_5 |
|
| ir.cpp:467:11:467:16 | Address | &:r467_5 |
|
||||||
|
| ir.cpp:467:11:467:16 | Address | &:r467_9 |
|
||||||
|
| ir.cpp:467:11:467:16 | Load | m467_4 |
|
||||||
|
| ir.cpp:467:11:467:16 | Phi | from 2:m467_3 |
|
||||||
|
| ir.cpp:467:11:467:16 | Phi | from 4:m467_11 |
|
||||||
|
| ir.cpp:467:11:467:16 | StoreValue | r467_2 |
|
||||||
|
| ir.cpp:467:11:467:16 | StoreValue | r467_10 |
|
||||||
|
| ir.cpp:467:11:467:16 | Unary | r467_6 |
|
||||||
|
| ir.cpp:467:16:467:16 | Address | &:r467_15 |
|
||||||
|
| ir.cpp:467:16:467:16 | Condition | r467_16 |
|
||||||
| ir.cpp:467:16:467:16 | Load | m461_8 |
|
| ir.cpp:467:16:467:16 | Load | m461_8 |
|
||||||
| ir.cpp:468:9:468:9 | Address | &:r468_2 |
|
| ir.cpp:468:9:468:9 | Address | &:r468_2 |
|
||||||
| ir.cpp:468:13:468:13 | StoreValue | r468_1 |
|
| ir.cpp:468:13:468:13 | StoreValue | r468_1 |
|
||||||
|
|||||||
@@ -2725,43 +2725,64 @@ ir.cpp:
|
|||||||
# 462| mu462_2(int) = Uninitialized[x] : &:r462_1
|
# 462| mu462_2(int) = Uninitialized[x] : &:r462_1
|
||||||
# 463| r463_1(glval<bool>) = VariableAddress[a] :
|
# 463| r463_1(glval<bool>) = VariableAddress[a] :
|
||||||
# 463| r463_2(bool) = Load[a] : &:r463_1, ~m?
|
# 463| r463_2(bool) = Load[a] : &:r463_1, ~m?
|
||||||
# 463| v463_3(void) = ConditionalBranch : r463_2
|
# 463| r463_3(bool) = LogicalNot : r463_2
|
||||||
#-----| False -> Block 1
|
# 463| v463_4(void) = ConditionalBranch : r463_3
|
||||||
#-----| True -> Block 2
|
#-----| False -> Block 5
|
||||||
|
#-----| True -> Block 1
|
||||||
|
|
||||||
# 464| Block 1
|
# 464| Block 1
|
||||||
# 464| r464_1(int) = Constant[1] :
|
# 464| r464_1(int) = Constant[1] :
|
||||||
# 464| r464_2(glval<int>) = VariableAddress[x] :
|
# 464| r464_2(glval<int>) = VariableAddress[x] :
|
||||||
# 464| mu464_3(int) = Store[x] : &:r464_2, r464_1
|
# 464| mu464_3(int) = Store[x] : &:r464_2, r464_1
|
||||||
#-----| Goto -> Block 2
|
#-----| Goto -> Block 5
|
||||||
|
|
||||||
# 467| Block 2
|
# 467| Block 2
|
||||||
# 467| r467_1(glval<bool>) = VariableAddress[a] :
|
# 467| r467_1(glval<bool>) = VariableAddress[#temp467:11] :
|
||||||
# 467| r467_2(bool) = Load[a] : &:r467_1, ~m?
|
# 467| r467_2(bool) = Constant[0] :
|
||||||
# 467| v467_3(void) = ConditionalBranch : r467_2
|
# 467| mu467_3(bool) = Store[#temp467:11] : &:r467_1, r467_2
|
||||||
#-----| False -> Block 4
|
#-----| Goto -> Block 3
|
||||||
#-----| True -> Block 3
|
|
||||||
|
|
||||||
# 467| Block 3
|
# 467| Block 3
|
||||||
# 467| r467_4(glval<bool>) = VariableAddress[b] :
|
# 467| r467_4(glval<bool>) = VariableAddress[#temp467:11] :
|
||||||
# 467| r467_5(bool) = Load[b] : &:r467_4, ~m?
|
# 467| r467_5(bool) = Load[#temp467:11] : &:r467_4, ~m?
|
||||||
# 467| v467_6(void) = ConditionalBranch : r467_5
|
# 467| r467_6(bool) = LogicalNot : r467_5
|
||||||
#-----| False -> Block 4
|
# 467| v467_7(void) = ConditionalBranch : r467_6
|
||||||
#-----| True -> Block 5
|
#-----| False -> Block 8
|
||||||
|
#-----| True -> Block 7
|
||||||
|
|
||||||
# 468| Block 4
|
# 467| Block 4
|
||||||
|
# 467| r467_8(glval<bool>) = VariableAddress[#temp467:11] :
|
||||||
|
# 467| r467_9(bool) = Constant[1] :
|
||||||
|
# 467| mu467_10(bool) = Store[#temp467:11] : &:r467_8, r467_9
|
||||||
|
#-----| Goto -> Block 3
|
||||||
|
|
||||||
|
# 467| Block 5
|
||||||
|
# 467| r467_11(glval<bool>) = VariableAddress[a] :
|
||||||
|
# 467| r467_12(bool) = Load[a] : &:r467_11, ~m?
|
||||||
|
# 467| v467_13(void) = ConditionalBranch : r467_12
|
||||||
|
#-----| False -> Block 2
|
||||||
|
#-----| True -> Block 6
|
||||||
|
|
||||||
|
# 467| Block 6
|
||||||
|
# 467| r467_14(glval<bool>) = VariableAddress[b] :
|
||||||
|
# 467| r467_15(bool) = Load[b] : &:r467_14, ~m?
|
||||||
|
# 467| v467_16(void) = ConditionalBranch : r467_15
|
||||||
|
#-----| False -> Block 2
|
||||||
|
#-----| True -> Block 4
|
||||||
|
|
||||||
|
# 468| Block 7
|
||||||
# 468| r468_1(int) = Constant[2] :
|
# 468| r468_1(int) = Constant[2] :
|
||||||
# 468| r468_2(glval<int>) = VariableAddress[x] :
|
# 468| r468_2(glval<int>) = VariableAddress[x] :
|
||||||
# 468| mu468_3(int) = Store[x] : &:r468_2, r468_1
|
# 468| mu468_3(int) = Store[x] : &:r468_2, r468_1
|
||||||
#-----| Goto -> Block 6
|
#-----| Goto -> Block 9
|
||||||
|
|
||||||
# 471| Block 5
|
# 471| Block 8
|
||||||
# 471| r471_1(int) = Constant[3] :
|
# 471| r471_1(int) = Constant[3] :
|
||||||
# 471| r471_2(glval<int>) = VariableAddress[x] :
|
# 471| r471_2(glval<int>) = VariableAddress[x] :
|
||||||
# 471| mu471_3(int) = Store[x] : &:r471_2, r471_1
|
# 471| mu471_3(int) = Store[x] : &:r471_2, r471_1
|
||||||
#-----| Goto -> Block 6
|
#-----| Goto -> Block 9
|
||||||
|
|
||||||
# 473| Block 6
|
# 473| Block 9
|
||||||
# 473| v473_1(void) = NoOp :
|
# 473| v473_1(void) = NoOp :
|
||||||
# 461| v461_8(void) = ReturnVoid :
|
# 461| v461_8(void) = ReturnVoid :
|
||||||
# 461| v461_9(void) = AliasedUse : ~m?
|
# 461| v461_9(void) = AliasedUse : ~m?
|
||||||
|
|||||||
@@ -1,2 +1,2 @@
|
|||||||
| test.cpp:466:10:466:15 | buffer | String operation depends on a $@ that may not be null terminated. | test.cpp:465:18:465:23 | buffer | user-provided value |
|
| test.cpp:466:10:466:15 | buffer | String operation depends on $@ that may not be null terminated. | test.cpp:465:18:465:23 | read output argument | buffer read by read |
|
||||||
| test.cpp:481:10:481:15 | buffer | String operation depends on a $@ that may not be null terminated. | test.cpp:480:9:480:14 | buffer | user-provided value |
|
| test.cpp:481:10:481:15 | buffer | String operation depends on $@ that may not be null terminated. | test.cpp:480:9:480:14 | fread output argument | string read by fread |
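Review bot: The new alert text in both rows reads ungrammatically once the placeholder is filled in: `String operation depends on $@ that may not be null terminated.` with link text `buffer read by read` becomes "depends on buffer read by read that may not be null terminated". The article was dropped from the message, but these source descriptions carry none, whereas other descriptions on this page do (`an environment variable`). Making the descriptions uniform where they are produced, e.g. `a buffer read by read` and `a string read by fread`, would keep the sentence readable for every source kind. Neither the select clause nor the description strings are in this hunk, so the fix belongs in the query or source model, and this expected file would then be regenerated.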
|
||||||
|
|||||||
@@ -14,18 +14,15 @@ edges
|
|||||||
| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | filename indirection |
|
| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | filename indirection |
|
||||||
| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | path indirection |
|
| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | path indirection |
|
||||||
| test.cpp:93:17:93:24 | filename indirection | test.cpp:93:11:93:14 | strncat output argument |
|
| test.cpp:93:17:93:24 | filename indirection | test.cpp:93:11:93:14 | strncat output argument |
|
||||||
| test.cpp:106:20:106:38 | call to getenv | test.cpp:107:33:107:36 | path indirection |
|
|
||||||
| test.cpp:106:20:106:38 | call to getenv indirection | test.cpp:107:33:107:36 | path indirection |
|
| test.cpp:106:20:106:38 | call to getenv indirection | test.cpp:107:33:107:36 | path indirection |
|
||||||
| test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | call to c_str indirection |
|
| test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | call to c_str indirection |
|
||||||
| test.cpp:107:33:107:36 | path indirection | test.cpp:107:31:107:31 | call to operator+ |
|
| test.cpp:107:33:107:36 | path indirection | test.cpp:107:31:107:31 | call to operator+ |
|
||||||
| test.cpp:113:20:113:38 | call to getenv | test.cpp:114:19:114:22 | path indirection |
|
|
||||||
| test.cpp:113:20:113:38 | call to getenv indirection | test.cpp:114:19:114:22 | path indirection |
|
| test.cpp:113:20:113:38 | call to getenv indirection | test.cpp:114:19:114:22 | path indirection |
|
||||||
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | call to c_str indirection |
|
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | call to c_str indirection |
|
||||||
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | call to c_str indirection |
|
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | call to c_str indirection |
|
||||||
| test.cpp:114:17:114:17 | call to operator+ | test.cpp:114:10:114:23 | call to operator+ |
|
| test.cpp:114:17:114:17 | call to operator+ | test.cpp:114:10:114:23 | call to operator+ |
|
||||||
| test.cpp:114:19:114:22 | path indirection | test.cpp:114:10:114:23 | call to operator+ |
|
| test.cpp:114:19:114:22 | path indirection | test.cpp:114:10:114:23 | call to operator+ |
|
||||||
| test.cpp:114:19:114:22 | path indirection | test.cpp:114:17:114:17 | call to operator+ |
|
| test.cpp:114:19:114:22 | path indirection | test.cpp:114:17:114:17 | call to operator+ |
|
||||||
| test.cpp:119:20:119:38 | call to getenv | test.cpp:120:19:120:22 | path indirection |
|
|
||||||
| test.cpp:119:20:119:38 | call to getenv indirection | test.cpp:120:19:120:22 | path indirection |
|
| test.cpp:119:20:119:38 | call to getenv indirection | test.cpp:120:19:120:22 | path indirection |
|
||||||
| test.cpp:120:17:120:17 | call to operator+ | test.cpp:120:10:120:30 | call to data indirection |
|
| test.cpp:120:17:120:17 | call to operator+ | test.cpp:120:10:120:30 | call to data indirection |
|
||||||
| test.cpp:120:19:120:22 | path indirection | test.cpp:120:17:120:17 | call to operator+ |
|
| test.cpp:120:19:120:22 | path indirection | test.cpp:120:17:120:17 | call to operator+ |
|
||||||
@@ -89,12 +86,10 @@ nodes
|
|||||||
| test.cpp:93:11:93:14 | strncat output argument | semmle.label | strncat output argument |
|
| test.cpp:93:11:93:14 | strncat output argument | semmle.label | strncat output argument |
|
||||||
| test.cpp:93:17:93:24 | filename indirection | semmle.label | filename indirection |
|
| test.cpp:93:17:93:24 | filename indirection | semmle.label | filename indirection |
|
||||||
| test.cpp:94:45:94:48 | path indirection | semmle.label | path indirection |
|
| test.cpp:94:45:94:48 | path indirection | semmle.label | path indirection |
|
||||||
| test.cpp:106:20:106:38 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:106:20:106:38 | call to getenv indirection | semmle.label | call to getenv indirection |
|
| test.cpp:106:20:106:38 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:107:31:107:31 | call to operator+ | semmle.label | call to operator+ |
|
| test.cpp:107:31:107:31 | call to operator+ | semmle.label | call to operator+ |
|
||||||
| test.cpp:107:33:107:36 | path indirection | semmle.label | path indirection |
|
| test.cpp:107:33:107:36 | path indirection | semmle.label | path indirection |
|
||||||
| test.cpp:108:18:108:22 | call to c_str indirection | semmle.label | call to c_str indirection |
|
| test.cpp:108:18:108:22 | call to c_str indirection | semmle.label | call to c_str indirection |
|
||||||
| test.cpp:113:20:113:38 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:113:20:113:38 | call to getenv indirection | semmle.label | call to getenv indirection |
|
| test.cpp:113:20:113:38 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
|
| test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
|
||||||
| test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
|
| test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
|
||||||
@@ -102,7 +97,6 @@ nodes
|
|||||||
| test.cpp:114:19:114:22 | path indirection | semmle.label | path indirection |
|
| test.cpp:114:19:114:22 | path indirection | semmle.label | path indirection |
|
||||||
| test.cpp:114:25:114:29 | call to c_str indirection | semmle.label | call to c_str indirection |
|
| test.cpp:114:25:114:29 | call to c_str indirection | semmle.label | call to c_str indirection |
|
||||||
| test.cpp:114:25:114:29 | call to c_str indirection | semmle.label | call to c_str indirection |
|
| test.cpp:114:25:114:29 | call to c_str indirection | semmle.label | call to c_str indirection |
|
||||||
| test.cpp:119:20:119:38 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:119:20:119:38 | call to getenv indirection | semmle.label | call to getenv indirection |
|
| test.cpp:119:20:119:38 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:120:10:120:30 | call to data indirection | semmle.label | call to data indirection |
|
| test.cpp:120:10:120:30 | call to data indirection | semmle.label | call to data indirection |
|
||||||
| test.cpp:120:17:120:17 | call to operator+ | semmle.label | call to operator+ |
|
| test.cpp:120:17:120:17 | call to operator+ | semmle.label | call to operator+ |
|
||||||
@@ -156,13 +150,9 @@ subpaths
|
|||||||
| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:62:9:62:16 | fread output argument | user input (string read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
|
| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:62:9:62:16 | fread output argument | user input (string read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
|
||||||
| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:82:9:82:16 | fread output argument | user input (string read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
|
| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:82:9:82:16 | fread output argument | user input (string read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
|
||||||
| test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | path indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:91:9:91:16 | fread output argument | user input (string read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
|
| test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | path indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:91:9:91:16 | fread output argument | user input (string read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
|
||||||
| test.cpp:108:18:108:22 | call to c_str | test.cpp:106:20:106:38 | call to getenv | test.cpp:108:18:108:22 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:106:20:106:38 | call to getenv | user input (an environment variable) | test.cpp:107:31:107:31 | call to operator+ | call to operator+ |
|
|
||||||
| test.cpp:108:18:108:22 | call to c_str | test.cpp:106:20:106:38 | call to getenv indirection | test.cpp:108:18:108:22 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:106:20:106:38 | call to getenv indirection | user input (an environment variable) | test.cpp:107:31:107:31 | call to operator+ | call to operator+ |
|
| test.cpp:108:18:108:22 | call to c_str | test.cpp:106:20:106:38 | call to getenv indirection | test.cpp:108:18:108:22 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:106:20:106:38 | call to getenv indirection | user input (an environment variable) | test.cpp:107:31:107:31 | call to operator+ | call to operator+ |
|
||||||
| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | call to getenv | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | call to getenv | user input (an environment variable) | test.cpp:114:10:114:23 | call to operator+ | call to operator+ |
|
|
||||||
| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | call to getenv | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | call to getenv | user input (an environment variable) | test.cpp:114:17:114:17 | call to operator+ | call to operator+ |
|
|
||||||
| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | call to getenv indirection | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | call to getenv indirection | user input (an environment variable) | test.cpp:114:10:114:23 | call to operator+ | call to operator+ |
|
| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | call to getenv indirection | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | call to getenv indirection | user input (an environment variable) | test.cpp:114:10:114:23 | call to operator+ | call to operator+ |
|
||||||
| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | call to getenv indirection | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | call to getenv indirection | user input (an environment variable) | test.cpp:114:17:114:17 | call to operator+ | call to operator+ |
|
| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | call to getenv indirection | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | call to getenv indirection | user input (an environment variable) | test.cpp:114:17:114:17 | call to operator+ | call to operator+ |
|
||||||
| test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:38 | call to getenv | test.cpp:120:10:120:30 | call to data indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:119:20:119:38 | call to getenv | user input (an environment variable) | test.cpp:120:17:120:17 | call to operator+ | call to operator+ |
|
|
||||||
| test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:38 | call to getenv indirection | test.cpp:120:10:120:30 | call to data indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:119:20:119:38 | call to getenv indirection | user input (an environment variable) | test.cpp:120:17:120:17 | call to operator+ | call to operator+ |
|
| test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:38 | call to getenv indirection | test.cpp:120:10:120:30 | call to data indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:119:20:119:38 | call to getenv indirection | user input (an environment variable) | test.cpp:120:17:120:17 | call to operator+ | call to operator+ |
|
||||||
| test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:140:9:140:11 | fread output argument | user input (string read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
|
| test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:140:9:140:11 | fread output argument | user input (string read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
|
||||||
| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
|
| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
|
||||||
|
|||||||
@@ -5,7 +5,6 @@ edges
|
|||||||
| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | command indirection |
|
| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | command indirection |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | (reference dereference) indirection |
|
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection |
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection |
|
||||||
@@ -22,7 +21,6 @@ nodes
|
|||||||
| test.cpp:56:12:56:17 | fgets output argument | semmle.label | fgets output argument |
|
| test.cpp:56:12:56:17 | fgets output argument | semmle.label | fgets output argument |
|
||||||
| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
|
| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
|
||||||
| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
|
| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
|
||||||
| test.cpp:64:10:64:16 | (reference dereference) indirection | semmle.label | (reference dereference) indirection |
|
|
||||||
| test.cpp:64:10:64:16 | dataref indirection | semmle.label | dataref indirection |
|
| test.cpp:64:10:64:16 | dataref indirection | semmle.label | dataref indirection |
|
||||||
| test.cpp:65:10:65:14 | data2 indirection | semmle.label | data2 indirection |
|
| test.cpp:65:10:65:14 | data2 indirection | semmle.label | data2 indirection |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
|
| test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
|
||||||
@@ -39,7 +37,6 @@ subpaths
|
|||||||
| test.cpp:31:10:31:16 | command indirection | test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:31:10:31:16 | command indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | call to getenv indirection | an environment variable |
|
| test.cpp:31:10:31:16 | command indirection | test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:31:10:31:16 | command indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | call to getenv indirection | an environment variable |
|
||||||
| test.cpp:62:10:62:15 | buffer indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
|
| test.cpp:62:10:62:15 | buffer indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
|
||||||
| test.cpp:63:10:63:13 | data indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
|
| test.cpp:63:10:63:13 | data indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
|
||||||
| test.cpp:64:10:64:16 | (reference dereference) indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | (reference dereference) indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
|
|
||||||
| test.cpp:64:10:64:16 | dataref indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
|
| test.cpp:64:10:64:16 | dataref indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
|
||||||
| test.cpp:65:10:65:14 | data2 indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
|
| test.cpp:65:10:65:14 | data2 indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
|
||||||
| test.cpp:78:10:78:15 | buffer indirection | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:76:12:76:17 | fgets output argument | string read by fgets |
|
| test.cpp:78:10:78:15 | buffer indirection | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:76:12:76:17 | fgets output argument | string read by fgets |
|
||||||
|
|||||||
@@ -1,31 +1,16 @@
|
|||||||
edges
|
edges
|
||||||
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data |
|
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection |
|
||||||
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data |
|
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | data indirection |
|
||||||
| char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data |
|
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv indirection | char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection |
|
||||||
| char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data |
|
|
||||||
| char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | char_console_fprintf_01_bad.c:49:21:49:24 | data |
|
|
||||||
| char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | char_console_fprintf_01_bad.c:49:21:49:24 | data |
|
|
||||||
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | data |
|
|
||||||
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | data |
|
|
||||||
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data |
|
|
||||||
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data |
|
|
||||||
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data |
|
|
||||||
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data |
|
|
||||||
subpaths
|
|
||||||
nodes
|
nodes
|
||||||
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | semmle.label | recv output argument |
|
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | semmle.label | recv output argument |
|
||||||
| char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | semmle.label | ... + ... |
|
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection | semmle.label | data indirection |
|
||||||
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | semmle.label | data |
|
|
||||||
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | semmle.label | data |
|
|
||||||
| char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | semmle.label | ... + ... |
|
|
||||||
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | semmle.label | fgets output argument |
|
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | semmle.label | fgets output argument |
|
||||||
| char_console_fprintf_01_bad.c:49:21:49:24 | data | semmle.label | data |
|
| char_console_fprintf_01_bad.c:49:21:49:24 | data indirection | semmle.label | data indirection |
|
||||||
| char_console_fprintf_01_bad.c:49:21:49:24 | data | semmle.label | data |
|
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | semmle.label | call to getenv |
|
| char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection | semmle.label | data indirection |
|
||||||
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | semmle.label | call to getenv |
|
subpaths
|
||||||
| char_environment_fprintf_01_bad.c:36:21:36:24 | data | semmle.label | data |
|
|
||||||
| char_environment_fprintf_01_bad.c:36:21:36:24 | data | semmle.label | data |
|
|
||||||
#select
|
#select
|
||||||
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | recv |
|
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | buffer read by recv |
|
||||||
| char_console_fprintf_01_bad.c:49:21:49:24 | data | char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | char_console_fprintf_01_bad.c:49:21:49:24 | data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | fgets |
|
| char_console_fprintf_01_bad.c:49:21:49:24 | data indirection | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | data indirection | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | string read by fgets |
|
||||||
| char_environment_fprintf_01_bad.c:36:21:36:24 | data | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | getenv |
|
| char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv indirection | char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv indirection | an environment variable |
|
||||||
|
|||||||
@@ -164,7 +164,7 @@ int main(int argc, char **argv) {
|
|||||||
printf(i91);
|
printf(i91);
|
||||||
printWrapper(i91);
|
printWrapper(i91);
|
||||||
|
|
||||||
// BAD: i10 value comes from argv
|
// BAD: i10 value comes from argv [NOT DETECTED]
|
||||||
int i10 = (int) argv[1];
|
int i10 = (int) argv[1];
|
||||||
printf((char *) i10);
|
printf((char *) i10);
|
||||||
printWrapper((char *) i10);
|
printWrapper((char *) i10);
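Review bot: The `[NOT DETECTED]` marker added to the i10 comment records a lost result without saying why, so a later reader cannot tell a known analysis limitation from an unnoticed regression in the format-string query. The old expected output listed edges from `argv` at line 168 to the `i10` uses at lines 169 and 170, and the visible part of the new output has no i10 nodes, which suggests the taint no longer survives the `(int)` / `(char *)` round trip. I would extend the comment to name the cause, for example `// BAD: i10 value comes from argv [NOT DETECTED] (flow lost through the pointer-to-int cast)`, if that is indeed the reason. The body of main starts and ends outside this hunk.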
|
||||||
|
|||||||
@@ -1,211 +1,80 @@
|
|||||||
edges
|
edges
|
||||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:95:9:95:15 | access to array indirection |
|
||||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:96:15:96:21 | access to array indirection |
|
||||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:101:9:101:10 | i1 indirection |
|
||||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:102:15:102:16 | i1 indirection |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:106:9:106:13 | access to array indirection |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:107:15:107:19 | access to array indirection |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:110:9:110:11 | * ... indirection |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:111:15:111:17 | * ... indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:116:9:116:10 | i3 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:117:15:117:16 | i3 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:121:9:121:10 | i4 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:127:9:127:10 | i5 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:128:15:128:16 | i5 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:131:9:131:14 | ... + ... indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:132:15:132:20 | ... + ... indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:135:9:135:12 | ... ++ indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:135:9:135:12 | ... ++ indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:136:15:136:18 | -- ... indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:139:9:139:26 | ... ? ... : ... indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:140:15:140:32 | ... ? ... : ... indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:144:9:144:10 | i7 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:145:15:145:16 | i7 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:150:9:150:10 | i8 indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:151:15:151:16 | i8 indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:10 | i4 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:10 | i4 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:17:136:18 | i4 |
|
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:17:136:18 | i4 |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:139:9:139:26 | ... ? ... : ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:139:9:139:26 | ... ? ... : ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:139:9:139:26 | ... ? ... : ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:139:9:139:26 | ... ? ... : ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:140:15:140:32 | ... ? ... : ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:140:15:140:32 | ... ? ... : ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:140:15:140:32 | ... ? ... : ... |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:140:15:140:32 | ... ? ... : ... |
|
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 |
|
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 |
|
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 |
|
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 |
|
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
|
||||||
subpaths
|
|
||||||
nodes
|
nodes
|
||||||
| argvLocal.c:95:9:95:12 | argv | semmle.label | argv |
|
| argvLocal.c:13:27:13:30 | argv indirection | semmle.label | argv indirection |
|
||||||
| argvLocal.c:95:9:95:12 | argv | semmle.label | argv |
|
| argvLocal.c:95:9:95:15 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
| argvLocal.c:96:15:96:21 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
| argvLocal.c:101:9:101:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
|
| argvLocal.c:102:15:102:16 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
|
| argvLocal.c:106:9:106:13 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
| argvLocal.c:107:15:107:19 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
| argvLocal.c:110:9:110:11 | * ... indirection | semmle.label | * ... indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
|
| argvLocal.c:111:15:111:17 | * ... indirection | semmle.label | * ... indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
|
| argvLocal.c:116:9:116:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
| argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
| argvLocal.c:121:9:121:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
| argvLocal.c:122:15:122:16 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
| argvLocal.c:127:9:127:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
|
| argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
|
| argvLocal.c:131:9:131:14 | ... + ... indirection | semmle.label | ... + ... indirection |
|
||||||
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
| argvLocal.c:132:15:132:20 | ... + ... indirection | semmle.label | ... + ... indirection |
|
||||||
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
| argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
|
||||||
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
| argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
|
||||||
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
| argvLocal.c:136:15:136:18 | -- ... indirection | semmle.label | -- ... indirection |
|
||||||
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
| argvLocal.c:139:9:139:26 | ... ? ... : ... indirection | semmle.label | ... ? ... : ... indirection |
|
||||||
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
| argvLocal.c:140:15:140:32 | ... ? ... : ... indirection | semmle.label | ... ? ... : ... indirection |
|
||||||
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
| argvLocal.c:144:9:144:10 | i7 indirection | semmle.label | i7 indirection |
|
||||||
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
| argvLocal.c:145:15:145:16 | i7 indirection | semmle.label | i7 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
|
| argvLocal.c:150:9:150:10 | i8 indirection | semmle.label | i8 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
|
| argvLocal.c:151:15:151:16 | i8 indirection | semmle.label | i8 indirection |
|
||||||
| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
|
subpaths
|
||||||
| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
|
|
||||||
| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
|
|
||||||
| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
|
|
||||||
| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
|
|
||||||
| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
|
|
||||||
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
|
||||||
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
|
|
||||||
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
|
|
||||||
| argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 |
|
|
||||||
| argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 |
|
|
||||||
| argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
|
|
||||||
| argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
|
|
||||||
| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
|
|
||||||
| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
|
|
||||||
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
|
||||||
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
|
||||||
| argvLocal.c:135:9:135:10 | i4 | semmle.label | i4 |
|
|
||||||
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
|
|
||||||
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
|
|
||||||
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
|
|
||||||
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
|
||||||
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
|
||||||
| argvLocal.c:136:17:136:18 | i4 | semmle.label | i4 |
|
|
||||||
| argvLocal.c:139:9:139:26 | ... ? ... : ... | semmle.label | ... ? ... : ... |
|
|
||||||
| argvLocal.c:139:9:139:26 | ... ? ... : ... | semmle.label | ... ? ... : ... |
|
|
||||||
| argvLocal.c:140:15:140:32 | ... ? ... : ... | semmle.label | ... ? ... : ... |
|
|
||||||
| argvLocal.c:140:15:140:32 | ... ? ... : ... | semmle.label | ... ? ... : ... |
|
|
||||||
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
|
||||||
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
|
||||||
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
|
||||||
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
|
||||||
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
|
|
||||||
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
|
|
||||||
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
|
||||||
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
|
||||||
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
|
||||||
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
|
||||||
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
|
|
||||||
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
|
|
||||||
| argvLocal.c:169:9:169:20 | i10 | semmle.label | i10 |
|
|
||||||
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
|
||||||
| argvLocal.c:170:15:170:26 | i10 | semmle.label | i10 |
|
|
||||||
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
|
||||||
#select
|
#select
|
||||||
| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:95:9:95:12 | argv | argv |
|
| argvLocal.c:95:9:95:15 | access to array indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:95:9:95:15 | access to array indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:96:15:96:21 | access to array | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:96:15:96:18 | argv | argv |
|
| argvLocal.c:96:15:96:21 | access to array indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:96:15:96:21 | access to array indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:101:9:101:10 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:100:7:100:10 | argv | argv |
|
| argvLocal.c:101:9:101:10 | i1 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:101:9:101:10 | i1 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:102:15:102:16 | i1 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:100:7:100:10 | argv | argv |
|
| argvLocal.c:102:15:102:16 | i1 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:102:15:102:16 | i1 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:105:14:105:17 | argv | argv |
|
| argvLocal.c:106:9:106:13 | access to array indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:106:9:106:13 | access to array indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:107:15:107:19 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:105:14:105:17 | argv | argv |
|
| argvLocal.c:107:15:107:19 | access to array indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:107:15:107:19 | access to array indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:105:14:105:17 | argv | argv |
|
| argvLocal.c:110:9:110:11 | * ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:110:9:110:11 | * ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:111:15:111:17 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:105:14:105:17 | argv | argv |
|
| argvLocal.c:111:15:111:17 | * ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:111:15:111:17 | * ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:116:9:116:10 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:115:13:115:16 | argv | argv |
|
| argvLocal.c:116:9:116:10 | i3 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:116:9:116:10 | i3 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:117:15:117:16 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:115:13:115:16 | argv | argv |
|
| argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:117:15:117:16 | i3 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:121:9:121:10 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:115:13:115:16 | argv | argv |
|
| argvLocal.c:121:9:121:10 | i4 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:121:9:121:10 | i4 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:115:13:115:16 | argv | argv |
|
| argvLocal.c:122:15:122:16 | i4 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:122:15:122:16 | i4 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:127:9:127:10 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:126:10:126:13 | argv | argv |
|
| argvLocal.c:127:9:127:10 | i5 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:127:9:127:10 | i5 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:128:15:128:16 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:126:10:126:13 | argv | argv |
|
| argvLocal.c:128:15:128:16 | i5 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:128:15:128:16 | i5 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:131:9:131:14 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:126:10:126:13 | argv | argv |
|
| argvLocal.c:131:9:131:14 | ... + ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:131:9:131:14 | ... + ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:132:15:132:20 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:126:10:126:13 | argv | argv |
|
| argvLocal.c:132:15:132:20 | ... + ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:132:15:132:20 | ... + ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:135:9:135:12 | ... ++ | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:115:13:115:16 | argv | argv |
|
| argvLocal.c:135:9:135:12 | ... ++ indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:135:9:135:12 | ... ++ indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:136:15:136:18 | -- ... | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:115:13:115:16 | argv | argv |
|
| argvLocal.c:135:9:135:12 | ... ++ indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:135:9:135:12 | ... ++ indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:139:9:139:26 | ... ? ... : ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:139:9:139:26 | ... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:126:10:126:13 | argv | argv |
|
| argvLocal.c:136:15:136:18 | -- ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:136:15:136:18 | -- ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:140:15:140:32 | ... ? ... : ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:140:15:140:32 | ... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:126:10:126:13 | argv | argv |
|
| argvLocal.c:139:9:139:26 | ... ? ... : ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:139:9:139:26 | ... ? ... : ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:144:9:144:10 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:100:7:100:10 | argv | argv |
|
| argvLocal.c:140:15:140:32 | ... ? ... : ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:140:15:140:32 | ... ? ... : ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:145:15:145:16 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:100:7:100:10 | argv | argv |
|
| argvLocal.c:144:9:144:10 | i7 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:144:9:144:10 | i7 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:150:9:150:10 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:149:11:149:14 | argv | argv |
|
| argvLocal.c:145:15:145:16 | i7 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:145:15:145:16 | i7 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:151:15:151:16 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:149:11:149:14 | argv | argv |
|
| argvLocal.c:150:9:150:10 | i8 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:150:9:150:10 | i8 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:168:18:168:21 | argv | argv |
|
| argvLocal.c:151:15:151:16 | i8 indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:151:15:151:16 | i8 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
|
||||||
| argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:168:18:168:21 | argv | argv |
|
|
||||||
|
|||||||
@@ -1,88 +1,35 @@
|
|||||||
edges
|
edges
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 |
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 |
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 |
|
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 |
|
| funcsLocal.c:31:13:31:17 | call to fgets indirection | funcsLocal.c:32:9:32:10 | i4 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 |
|
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 |
|
| funcsLocal.c:41:13:41:16 | call to gets indirection | funcsLocal.c:42:9:42:10 | i6 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 |
|
| funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 |
|
| funcsLocal.c:52:8:52:11 | call to gets indirection | funcsLocal.c:53:9:53:11 | * ... indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 |
|
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 |
|
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 |
|
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 |
|
|
||||||
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 |
|
|
||||||
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 |
|
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 |
|
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 |
|
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 |
|
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 |
|
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
|
||||||
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
|
|
||||||
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
|
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
|
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
|
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
|
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
|
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
|
||||||
| funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... |
|
|
||||||
| funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... |
|
|
||||||
| funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... |
|
|
||||||
| funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... |
|
|
||||||
| funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... |
|
|
||||||
| funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... |
|
|
||||||
| funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
|
|
||||||
| funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
|
|
||||||
| funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
|
|
||||||
| funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... |
|
|
||||||
subpaths
|
|
||||||
nodes
|
nodes
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
|
| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 |
|
| funcsLocal.c:17:9:17:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 |
|
|
||||||
| funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 |
|
|
||||||
| funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 |
|
|
||||||
| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument |
|
| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument |
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 |
|
| funcsLocal.c:27:9:27:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 |
|
| funcsLocal.c:31:13:31:17 | call to fgets indirection | semmle.label | call to fgets indirection |
|
||||||
| funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 |
|
| funcsLocal.c:32:9:32:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 |
|
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
|
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
|
|
||||||
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
|
||||||
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
|
||||||
| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument |
|
| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument |
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
|
| funcsLocal.c:37:9:37:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
|
| funcsLocal.c:41:13:41:16 | call to gets indirection | semmle.label | call to gets indirection |
|
||||||
| funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 |
|
| funcsLocal.c:42:9:42:10 | i6 indirection | semmle.label | i6 indirection |
|
||||||
| funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 |
|
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
|
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
|
|
||||||
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
|
||||||
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
|
||||||
| funcsLocal.c:46:7:46:9 | * ... | semmle.label | * ... |
|
|
||||||
| funcsLocal.c:46:7:46:9 | * ... | semmle.label | * ... |
|
|
||||||
| funcsLocal.c:46:7:46:9 | gets output argument | semmle.label | gets output argument |
|
| funcsLocal.c:46:7:46:9 | gets output argument | semmle.label | gets output argument |
|
||||||
| funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... |
|
| funcsLocal.c:47:9:47:11 | * ... indirection | semmle.label | * ... indirection |
|
||||||
| funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... |
|
| funcsLocal.c:52:8:52:11 | call to gets indirection | semmle.label | call to gets indirection |
|
||||||
| funcsLocal.c:52:8:52:11 | call to gets | semmle.label | call to gets |
|
| funcsLocal.c:53:9:53:11 | * ... indirection | semmle.label | * ... indirection |
|
||||||
| funcsLocal.c:52:8:52:11 | call to gets | semmle.label | call to gets |
|
| funcsLocal.c:58:9:58:10 | e1 indirection | semmle.label | e1 indirection |
|
||||||
| funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... |
|
subpaths
|
||||||
| funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... |
|
|
||||||
| funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
|
|
||||||
| funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
|
|
||||||
#select
|
#select
|
||||||
| funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | i1 | fread |
|
| funcsLocal.c:17:9:17:10 | i1 indirection | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread |
|
||||||
| funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:26:8:26:9 | i3 | fgets |
|
| funcsLocal.c:27:9:27:10 | i3 indirection | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:26:8:26:9 | fgets output argument | string read by fgets |
|
||||||
| funcsLocal.c:32:9:32:10 | i4 | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:31:13:31:17 | call to fgets | fgets |
|
| funcsLocal.c:32:9:32:10 | i4 indirection | funcsLocal.c:31:13:31:17 | call to fgets indirection | funcsLocal.c:32:9:32:10 | i4 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:31:13:31:17 | call to fgets indirection | string read by fgets |
|
||||||
| funcsLocal.c:37:9:37:10 | i5 | funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:36:7:36:8 | i5 | gets |
|
| funcsLocal.c:37:9:37:10 | i5 indirection | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:36:7:36:8 | gets output argument | string read by gets |
|
||||||
| funcsLocal.c:42:9:42:10 | i6 | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:41:13:41:16 | call to gets | gets |
|
| funcsLocal.c:42:9:42:10 | i6 indirection | funcsLocal.c:41:13:41:16 | call to gets indirection | funcsLocal.c:42:9:42:10 | i6 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:41:13:41:16 | call to gets indirection | string read by gets |
|
||||||
| funcsLocal.c:47:9:47:11 | * ... | funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:46:7:46:9 | * ... | gets |
|
| funcsLocal.c:47:9:47:11 | * ... indirection | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:46:7:46:9 | gets output argument | string read by gets |
|
||||||
| funcsLocal.c:53:9:53:11 | * ... | funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:52:8:52:11 | call to gets | gets |
|
| funcsLocal.c:53:9:53:11 | * ... indirection | funcsLocal.c:52:8:52:11 | call to gets indirection | funcsLocal.c:53:9:53:11 | * ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:52:8:52:11 | call to gets indirection | string read by gets |
|
||||||
| funcsLocal.c:58:9:58:10 | e1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | i1 | fread |
|
| funcsLocal.c:58:9:58:10 | e1 indirection | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread |
|
||||||
|
|||||||
@@ -1,42 +1,32 @@
|
|||||||
edges
|
edges
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
|
| globalVars.c:8:7:8:10 | copy indirection | globalVars.c:27:9:27:12 | copy indirection |
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
|
| globalVars.c:8:7:8:10 | copy indirection | globalVars.c:30:15:30:18 | copy indirection |
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
|
| globalVars.c:8:7:8:10 | copy indirection | globalVars.c:35:11:35:14 | copy indirection |
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
|
| globalVars.c:9:7:9:11 | copy2 indirection | globalVars.c:38:9:38:13 | copy2 indirection |
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:35:11:35:14 | copy |
|
| globalVars.c:9:7:9:11 | copy2 indirection | globalVars.c:41:15:41:19 | copy2 indirection |
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
|
| globalVars.c:9:7:9:11 | copy2 indirection | globalVars.c:50:9:50:13 | copy2 indirection |
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
|
| globalVars.c:11:22:11:25 | argv indirection | globalVars.c:8:7:8:10 | copy indirection |
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
| globalVars.c:15:21:15:23 | val indirection | globalVars.c:9:7:9:11 | copy2 indirection |
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
| globalVars.c:23:27:23:30 | argv indirection | globalVars.c:24:11:24:14 | argv indirection |
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
| globalVars.c:24:11:24:14 | argv indirection | globalVars.c:11:22:11:25 | argv indirection |
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
| globalVars.c:35:11:35:14 | copy indirection | globalVars.c:15:21:15:23 | val indirection |
|
||||||
| globalVars.c:11:22:11:25 | argv | globalVars.c:8:7:8:10 | copy |
|
|
||||||
| globalVars.c:15:21:15:23 | val | globalVars.c:9:7:9:11 | copy2 |
|
|
||||||
| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
|
|
||||||
| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
|
|
||||||
| globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val |
|
|
||||||
subpaths
|
|
||||||
nodes
|
nodes
|
||||||
| globalVars.c:8:7:8:10 | copy | semmle.label | copy |
|
| globalVars.c:8:7:8:10 | copy indirection | semmle.label | copy indirection |
|
||||||
| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 |
|
| globalVars.c:9:7:9:11 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
| globalVars.c:11:22:11:25 | argv | semmle.label | argv |
|
| globalVars.c:11:22:11:25 | argv indirection | semmle.label | argv indirection |
|
||||||
| globalVars.c:15:21:15:23 | val | semmle.label | val |
|
| globalVars.c:15:21:15:23 | val indirection | semmle.label | val indirection |
|
||||||
| globalVars.c:24:11:24:14 | argv | semmle.label | argv |
|
| globalVars.c:23:27:23:30 | argv indirection | semmle.label | argv indirection |
|
||||||
| globalVars.c:24:11:24:14 | argv | semmle.label | argv |
|
| globalVars.c:24:11:24:14 | argv indirection | semmle.label | argv indirection |
|
||||||
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
| globalVars.c:27:9:27:12 | copy indirection | semmle.label | copy indirection |
|
||||||
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
| globalVars.c:30:15:30:18 | copy indirection | semmle.label | copy indirection |
|
||||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
| globalVars.c:35:11:35:14 | copy indirection | semmle.label | copy indirection |
|
||||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
| globalVars.c:38:9:38:13 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
| globalVars.c:35:11:35:14 | copy | semmle.label | copy |
|
| globalVars.c:41:15:41:19 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:50:9:50:13 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
subpaths
|
||||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
|
||||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
|
||||||
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
|
||||||
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
|
||||||
#select
|
#select
|
||||||
| globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
|
| globalVars.c:27:9:27:12 | copy indirection | globalVars.c:23:27:23:30 | argv indirection | globalVars.c:27:9:27:12 | copy indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | argv indirection | a command-line argument |
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv |
|
| globalVars.c:30:15:30:18 | copy indirection | globalVars.c:23:27:23:30 | argv indirection | globalVars.c:30:15:30:18 | copy indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | argv indirection | a command-line argument |
|
||||||
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:38:9:38:13 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
|
| globalVars.c:38:9:38:13 | copy2 indirection | globalVars.c:23:27:23:30 | argv indirection | globalVars.c:38:9:38:13 | copy2 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | argv indirection | a command-line argument |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:41:15:41:19 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv |
|
| globalVars.c:41:15:41:19 | copy2 indirection | globalVars.c:23:27:23:30 | argv indirection | globalVars.c:41:15:41:19 | copy2 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | argv indirection | a command-line argument |
|
||||||
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:50:9:50:13 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
|
| globalVars.c:50:9:50:13 | copy2 indirection | globalVars.c:23:27:23:30 | argv indirection | globalVars.c:50:9:50:13 | copy2 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | argv indirection | a command-line argument |
|
||||||
|
|||||||
@@ -1,69 +0,0 @@
|
|||||||
edges
|
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
|
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
|
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
|
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
|
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
|
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:33:15:33:18 | copy |
|
|
||||||
| globalVars.c:8:7:8:10 | copy | globalVars.c:35:11:35:14 | copy |
|
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
|
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
|
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:44:15:44:19 | copy2 |
|
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
|
||||||
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
|
||||||
| globalVars.c:11:22:11:25 | argv | globalVars.c:8:7:8:10 | copy |
|
|
||||||
| globalVars.c:11:22:11:25 | argv | globalVars.c:12:2:12:15 | ... = ... |
|
|
||||||
| globalVars.c:12:2:12:15 | ... = ... | globalVars.c:8:7:8:10 | copy |
|
|
||||||
| globalVars.c:15:21:15:23 | val | globalVars.c:9:7:9:11 | copy2 |
|
|
||||||
| globalVars.c:15:21:15:23 | val | globalVars.c:16:2:16:12 | ... = ... |
|
|
||||||
| globalVars.c:16:2:16:12 | ... = ... | globalVars.c:9:7:9:11 | copy2 |
|
|
||||||
| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
|
|
||||||
| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
|
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:35:11:35:14 | copy |
|
|
||||||
| globalVars.c:33:15:33:18 | copy | globalVars.c:35:11:35:14 | copy |
|
|
||||||
| globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val |
|
|
||||||
| globalVars.c:35:11:35:14 | copy | globalVars.c:35:11:35:14 | copy |
|
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
|
||||||
| globalVars.c:44:15:44:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
|
||||||
| globalVars.c:44:15:44:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
|
||||||
subpaths
|
|
||||||
nodes
|
|
||||||
| globalVars.c:8:7:8:10 | copy | semmle.label | copy |
|
|
||||||
| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 |
|
|
||||||
| globalVars.c:11:22:11:25 | argv | semmle.label | argv |
|
|
||||||
| globalVars.c:12:2:12:15 | ... = ... | semmle.label | ... = ... |
|
|
||||||
| globalVars.c:15:21:15:23 | val | semmle.label | val |
|
|
||||||
| globalVars.c:16:2:16:12 | ... = ... | semmle.label | ... = ... |
|
|
||||||
| globalVars.c:24:11:24:14 | argv | semmle.label | argv |
|
|
||||||
| globalVars.c:24:11:24:14 | argv | semmle.label | argv |
|
|
||||||
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
|
||||||
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
|
||||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
|
||||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
|
||||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
|
||||||
| globalVars.c:33:15:33:18 | copy | semmle.label | copy |
|
|
||||||
| globalVars.c:35:11:35:14 | copy | semmle.label | copy |
|
|
||||||
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
|
||||||
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
|
||||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
|
||||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
|
||||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
|
||||||
| globalVars.c:44:15:44:19 | copy2 | semmle.label | copy2 |
|
|
||||||
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
|
||||||
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
|
||||||
#select
|
|
||||||
| globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
|
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv |
|
|
||||||
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:38:9:38:13 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
|
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:41:15:41:19 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv |
|
|
||||||
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:50:9:50:13 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
|
|
||||||
@@ -1 +0,0 @@
|
|||||||
Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
|
|
||||||
@@ -1,103 +1,38 @@
|
|||||||
edges
|
edges
|
||||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
| ifs.c:16:27:16:30 | argv indirection | ifs.c:62:9:62:10 | c7 indirection |
|
||||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
| ifs.c:16:27:16:30 | argv indirection | ifs.c:69:9:69:10 | c8 indirection |
|
||||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
| ifs.c:16:27:16:30 | argv indirection | ifs.c:75:9:75:10 | i1 indirection |
|
||||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
| ifs.c:16:27:16:30 | argv indirection | ifs.c:81:9:81:10 | i2 indirection |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:16:27:16:30 | argv indirection | ifs.c:87:9:87:10 | i3 indirection |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:16:27:16:30 | argv indirection | ifs.c:93:9:93:10 | i4 indirection |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:16:27:16:30 | argv indirection | ifs.c:99:9:99:10 | i5 indirection |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:16:27:16:30 | argv indirection | ifs.c:106:9:106:10 | i6 indirection |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
| ifs.c:16:27:16:30 | argv indirection | ifs.c:112:9:112:10 | i7 indirection |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
| ifs.c:16:27:16:30 | argv indirection | ifs.c:118:9:118:10 | i8 indirection |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
| ifs.c:16:27:16:30 | argv indirection | ifs.c:124:9:124:10 | i9 indirection |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
|
||||||
subpaths
|
|
||||||
nodes
|
nodes
|
||||||
| ifs.c:61:8:61:11 | argv | semmle.label | argv |
|
| ifs.c:16:27:16:30 | argv indirection | semmle.label | argv indirection |
|
||||||
| ifs.c:61:8:61:11 | argv | semmle.label | argv |
|
| ifs.c:62:9:62:10 | c7 indirection | semmle.label | c7 indirection |
|
||||||
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
| ifs.c:69:9:69:10 | c8 indirection | semmle.label | c8 indirection |
|
||||||
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
| ifs.c:75:9:75:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| ifs.c:68:8:68:11 | argv | semmle.label | argv |
|
| ifs.c:81:9:81:10 | i2 indirection | semmle.label | i2 indirection |
|
||||||
| ifs.c:68:8:68:11 | argv | semmle.label | argv |
|
| ifs.c:87:9:87:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
| ifs.c:93:9:93:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
| ifs.c:99:9:99:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| ifs.c:74:8:74:11 | argv | semmle.label | argv |
|
| ifs.c:106:9:106:10 | i6 indirection | semmle.label | i6 indirection |
|
||||||
| ifs.c:74:8:74:11 | argv | semmle.label | argv |
|
| ifs.c:112:9:112:10 | i7 indirection | semmle.label | i7 indirection |
|
||||||
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
| ifs.c:118:9:118:10 | i8 indirection | semmle.label | i8 indirection |
|
||||||
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
| ifs.c:124:9:124:10 | i9 indirection | semmle.label | i9 indirection |
|
||||||
| ifs.c:80:8:80:11 | argv | semmle.label | argv |
|
subpaths
|
||||||
| ifs.c:80:8:80:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
|
||||||
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
|
||||||
| ifs.c:86:8:86:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:86:8:86:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
|
||||||
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
|
||||||
| ifs.c:92:8:92:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:92:8:92:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
|
||||||
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
|
||||||
| ifs.c:98:8:98:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:98:8:98:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
|
||||||
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
|
||||||
| ifs.c:105:8:105:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:105:8:105:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
|
||||||
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
|
||||||
| ifs.c:111:8:111:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:111:8:111:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
|
||||||
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
|
||||||
| ifs.c:117:8:117:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:117:8:117:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
|
||||||
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
|
||||||
| ifs.c:123:8:123:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:123:8:123:11 | argv | semmle.label | argv |
|
|
||||||
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
|
||||||
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
|
||||||
#select
|
#select
|
||||||
| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:61:8:61:11 | argv | argv |
|
| ifs.c:62:9:62:10 | c7 indirection | ifs.c:16:27:16:30 | argv indirection | ifs.c:62:9:62:10 | c7 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | argv indirection | a command-line argument |
|
||||||
| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:68:8:68:11 | argv | argv |
|
| ifs.c:69:9:69:10 | c8 indirection | ifs.c:16:27:16:30 | argv indirection | ifs.c:69:9:69:10 | c8 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | argv indirection | a command-line argument |
|
||||||
| ifs.c:75:9:75:10 | i1 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:74:8:74:11 | argv | argv |
|
| ifs.c:75:9:75:10 | i1 indirection | ifs.c:16:27:16:30 | argv indirection | ifs.c:75:9:75:10 | i1 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | argv indirection | a command-line argument |
|
||||||
| ifs.c:81:9:81:10 | i2 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:80:8:80:11 | argv | argv |
|
| ifs.c:81:9:81:10 | i2 indirection | ifs.c:16:27:16:30 | argv indirection | ifs.c:81:9:81:10 | i2 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | argv indirection | a command-line argument |
|
||||||
| ifs.c:87:9:87:10 | i3 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:86:8:86:11 | argv | argv |
|
| ifs.c:87:9:87:10 | i3 indirection | ifs.c:16:27:16:30 | argv indirection | ifs.c:87:9:87:10 | i3 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | argv indirection | a command-line argument |
|
||||||
| ifs.c:93:9:93:10 | i4 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:92:8:92:11 | argv | argv |
|
| ifs.c:93:9:93:10 | i4 indirection | ifs.c:16:27:16:30 | argv indirection | ifs.c:93:9:93:10 | i4 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | argv indirection | a command-line argument |
|
||||||
| ifs.c:99:9:99:10 | i5 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:98:8:98:11 | argv | argv |
|
| ifs.c:99:9:99:10 | i5 indirection | ifs.c:16:27:16:30 | argv indirection | ifs.c:99:9:99:10 | i5 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | argv indirection | a command-line argument |
|
||||||
| ifs.c:106:9:106:10 | i6 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:105:8:105:11 | argv | argv |
|
| ifs.c:106:9:106:10 | i6 indirection | ifs.c:16:27:16:30 | argv indirection | ifs.c:106:9:106:10 | i6 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | argv indirection | a command-line argument |
|
||||||
| ifs.c:112:9:112:10 | i7 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:111:8:111:11 | argv | argv |
|
| ifs.c:112:9:112:10 | i7 indirection | ifs.c:16:27:16:30 | argv indirection | ifs.c:112:9:112:10 | i7 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | argv indirection | a command-line argument |
|
||||||
| ifs.c:118:9:118:10 | i8 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:117:8:117:11 | argv | argv |
|
| ifs.c:118:9:118:10 | i8 indirection | ifs.c:16:27:16:30 | argv indirection | ifs.c:118:9:118:10 | i8 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | argv indirection | a command-line argument |
|
||||||
| ifs.c:124:9:124:10 | i9 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:123:8:123:11 | argv | argv |
|
| ifs.c:124:9:124:10 | i9 indirection | ifs.c:16:27:16:30 | argv indirection | ifs.c:124:9:124:10 | i9 indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | argv indirection | a command-line argument |
|
||||||
|
|||||||
@@ -1 +1 @@
|
|||||||
| examples.cpp:66:9:66:14 | -- ... | $@ flows an expression which might overflow negatively. | examples.cpp:63:26:63:30 | & ... | User-provided value |
|
| examples.cpp:66:9:66:14 | -- ... | $@ flows an expression which might overflow negatively. | examples.cpp:63:26:63:30 | fscanf output argument | value read by fscanf |
|
||||||
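Review bot: The alert text on the regenerated row still reads `$@ flows an expression which might overflow negatively.`, which is missing a preposition. The old side of the row has the same wording, so this commit carries the slip over rather than introducing it. The string presumably comes from the query's select clause, which is not part of this hunk. I would change it there to `$@ flows to an expression which might overflow negatively.` and re-accept this baseline, so the message a triager reads states the direction of the flow.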
|
|||||||
@@ -5,33 +5,22 @@ edges
|
|||||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size |
|
| test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size |
|
||||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:50:17:50:30 | size |
|
| test.cpp:39:27:39:30 | argv indirection | test.cpp:50:17:50:30 | size |
|
||||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... |
|
| test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... |
|
||||||
| test.cpp:124:18:124:31 | call to getenv | test.cpp:128:24:128:41 | ... * ... |
|
|
||||||
| test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... |
|
| test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... |
|
||||||
| test.cpp:133:19:133:32 | call to getenv | test.cpp:135:10:135:27 | ... * ... |
|
|
||||||
| test.cpp:133:19:133:32 | call to getenv indirection | test.cpp:135:10:135:27 | ... * ... |
|
| test.cpp:133:19:133:32 | call to getenv indirection | test.cpp:135:10:135:27 | ... * ... |
|
||||||
| test.cpp:148:20:148:33 | call to getenv | test.cpp:152:11:152:28 | ... * ... |
|
|
||||||
| test.cpp:148:20:148:33 | call to getenv indirection | test.cpp:152:11:152:28 | ... * ... |
|
| test.cpp:148:20:148:33 | call to getenv indirection | test.cpp:152:11:152:28 | ... * ... |
|
||||||
| test.cpp:209:8:209:23 | get_tainted_size indirection | test.cpp:241:9:241:24 | call to get_tainted_size |
|
| test.cpp:209:8:209:23 | get_tainted_size indirection | test.cpp:241:9:241:24 | call to get_tainted_size |
|
||||||
| test.cpp:211:14:211:27 | call to getenv | test.cpp:209:8:209:23 | get_tainted_size indirection |
|
|
||||||
| test.cpp:211:14:211:27 | call to getenv indirection | test.cpp:209:8:209:23 | get_tainted_size indirection |
|
| test.cpp:211:14:211:27 | call to getenv indirection | test.cpp:209:8:209:23 | get_tainted_size indirection |
|
||||||
| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
|
| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
|
||||||
| test.cpp:237:24:237:37 | call to getenv | test.cpp:239:9:239:18 | local_size |
|
|
||||||
| test.cpp:237:24:237:37 | call to getenv | test.cpp:245:11:245:20 | local_size |
|
|
||||||
| test.cpp:237:24:237:37 | call to getenv | test.cpp:247:10:247:19 | local_size |
|
|
||||||
| test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:239:9:239:18 | local_size |
|
| test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:239:9:239:18 | local_size |
|
||||||
| test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:245:11:245:20 | local_size |
|
| test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:245:11:245:20 | local_size |
|
||||||
| test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:247:10:247:19 | local_size |
|
| test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:247:10:247:19 | local_size |
|
||||||
| test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s |
|
| test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s |
|
||||||
| test.cpp:250:20:250:27 | out_size | test.cpp:289:17:289:20 | get_size output argument |
|
| test.cpp:250:20:250:27 | out_size | test.cpp:289:17:289:20 | get_size output argument |
|
||||||
| test.cpp:250:20:250:27 | out_size | test.cpp:305:18:305:21 | get_size output argument |
|
| test.cpp:250:20:250:27 | out_size | test.cpp:305:18:305:21 | get_size output argument |
|
||||||
| test.cpp:251:18:251:31 | call to getenv | test.cpp:250:20:250:27 | out_size |
|
|
||||||
| test.cpp:251:18:251:31 | call to getenv indirection | test.cpp:250:20:250:27 | out_size |
|
| test.cpp:251:18:251:31 | call to getenv indirection | test.cpp:250:20:250:27 | out_size |
|
||||||
| test.cpp:259:20:259:33 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
|
|
||||||
| test.cpp:259:20:259:33 | call to getenv indirection | test.cpp:263:11:263:29 | ... * ... |
|
| test.cpp:259:20:259:33 | call to getenv indirection | test.cpp:263:11:263:29 | ... * ... |
|
||||||
| test.cpp:289:17:289:20 | get_size output argument | test.cpp:291:11:291:28 | ... * ... |
|
| test.cpp:289:17:289:20 | get_size output argument | test.cpp:291:11:291:28 | ... * ... |
|
||||||
| test.cpp:305:18:305:21 | get_size output argument | test.cpp:308:10:308:27 | ... * ... |
|
| test.cpp:305:18:305:21 | get_size output argument | test.cpp:308:10:308:27 | ... * ... |
|
||||||
| test.cpp:353:18:353:31 | call to getenv | test.cpp:355:35:355:38 | size |
|
|
||||||
| test.cpp:353:18:353:31 | call to getenv | test.cpp:356:35:356:38 | size |
|
|
||||||
| test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:355:35:355:38 | size |
|
| test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:355:35:355:38 | size |
|
||||||
| test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:356:35:356:38 | size |
|
| test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:356:35:356:38 | size |
|
||||||
nodes
|
nodes
|
||||||
@@ -42,37 +31,29 @@ nodes
|
|||||||
| test.cpp:49:32:49:35 | size | semmle.label | size |
|
| test.cpp:49:32:49:35 | size | semmle.label | size |
|
||||||
| test.cpp:50:17:50:30 | size | semmle.label | size |
|
| test.cpp:50:17:50:30 | size | semmle.label | size |
|
||||||
| test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
|
||||||
| test.cpp:124:18:124:31 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:124:18:124:31 | call to getenv indirection | semmle.label | call to getenv indirection |
|
| test.cpp:124:18:124:31 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:128:24:128:41 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:128:24:128:41 | ... * ... | semmle.label | ... * ... |
|
||||||
| test.cpp:133:19:133:32 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:133:19:133:32 | call to getenv indirection | semmle.label | call to getenv indirection |
|
| test.cpp:133:19:133:32 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:135:10:135:27 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:135:10:135:27 | ... * ... | semmle.label | ... * ... |
|
||||||
| test.cpp:148:20:148:33 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:148:20:148:33 | call to getenv indirection | semmle.label | call to getenv indirection |
|
| test.cpp:148:20:148:33 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
|
||||||
| test.cpp:209:8:209:23 | get_tainted_size indirection | semmle.label | get_tainted_size indirection |
|
| test.cpp:209:8:209:23 | get_tainted_size indirection | semmle.label | get_tainted_size indirection |
|
||||||
| test.cpp:211:14:211:27 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:211:14:211:27 | call to getenv indirection | semmle.label | call to getenv indirection |
|
| test.cpp:211:14:211:27 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:230:21:230:21 | s | semmle.label | s |
|
| test.cpp:230:21:230:21 | s | semmle.label | s |
|
||||||
| test.cpp:231:21:231:21 | s | semmle.label | s |
|
| test.cpp:231:21:231:21 | s | semmle.label | s |
|
||||||
| test.cpp:237:24:237:37 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:237:24:237:37 | call to getenv indirection | semmle.label | call to getenv indirection |
|
| test.cpp:237:24:237:37 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
|
| test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
|
||||||
| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
|
| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
|
||||||
| test.cpp:245:11:245:20 | local_size | semmle.label | local_size |
|
| test.cpp:245:11:245:20 | local_size | semmle.label | local_size |
|
||||||
| test.cpp:247:10:247:19 | local_size | semmle.label | local_size |
|
| test.cpp:247:10:247:19 | local_size | semmle.label | local_size |
|
||||||
| test.cpp:250:20:250:27 | out_size | semmle.label | out_size |
|
| test.cpp:250:20:250:27 | out_size | semmle.label | out_size |
|
||||||
| test.cpp:251:18:251:31 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:251:18:251:31 | call to getenv indirection | semmle.label | call to getenv indirection |
|
| test.cpp:251:18:251:31 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:259:20:259:33 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:259:20:259:33 | call to getenv indirection | semmle.label | call to getenv indirection |
|
| test.cpp:259:20:259:33 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
|
||||||
| test.cpp:289:17:289:20 | get_size output argument | semmle.label | get_size output argument |
|
| test.cpp:289:17:289:20 | get_size output argument | semmle.label | get_size output argument |
|
||||||
| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
|
||||||
| test.cpp:305:18:305:21 | get_size output argument | semmle.label | get_size output argument |
|
| test.cpp:305:18:305:21 | get_size output argument | semmle.label | get_size output argument |
|
||||||
| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
|
||||||
| test.cpp:353:18:353:31 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:353:18:353:31 | call to getenv indirection | semmle.label | call to getenv indirection |
|
| test.cpp:353:18:353:31 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:355:35:355:38 | size | semmle.label | size |
|
| test.cpp:355:35:355:38 | size | semmle.label | size |
|
||||||
| test.cpp:356:35:356:38 | size | semmle.label | size |
|
| test.cpp:356:35:356:38 | size | semmle.label | size |
|
||||||
@@ -84,27 +65,15 @@ subpaths
|
|||||||
| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||||
| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv indirection | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv indirection | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||||
| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||||
| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:31 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:31 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:31 | call to getenv indirection | user input (an environment variable) |
|
||||||
| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:133:19:133:32 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | call to getenv indirection | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:133:19:133:32 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | call to getenv indirection | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:133:19:133:32 | call to getenv indirection | user input (an environment variable) |
|
||||||
| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:148:20:148:33 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | call to getenv indirection | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:148:20:148:33 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | call to getenv indirection | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:148:20:148:33 | call to getenv indirection | user input (an environment variable) |
|
||||||
| test.cpp:231:14:231:19 | call to malloc | test.cpp:237:24:237:37 | call to getenv | test.cpp:231:21:231:21 | s | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:231:14:231:19 | call to malloc | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:231:21:231:21 | s | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:231:14:231:19 | call to malloc | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:231:21:231:21 | s | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv indirection | user input (an environment variable) |
|
||||||
| test.cpp:239:2:239:7 | call to malloc | test.cpp:237:24:237:37 | call to getenv | test.cpp:239:9:239:18 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:239:2:239:7 | call to malloc | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:239:9:239:18 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:239:2:239:7 | call to malloc | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:239:9:239:18 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv indirection | user input (an environment variable) |
|
||||||
| test.cpp:241:2:241:7 | call to malloc | test.cpp:211:14:211:27 | call to getenv | test.cpp:241:9:241:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow. | test.cpp:211:14:211:27 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:241:2:241:7 | call to malloc | test.cpp:211:14:211:27 | call to getenv indirection | test.cpp:241:9:241:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow. | test.cpp:211:14:211:27 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:241:2:241:7 | call to malloc | test.cpp:211:14:211:27 | call to getenv indirection | test.cpp:241:9:241:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow. | test.cpp:211:14:211:27 | call to getenv indirection | user input (an environment variable) |
|
||||||
| test.cpp:245:2:245:9 | call to my_alloc | test.cpp:237:24:237:37 | call to getenv | test.cpp:245:11:245:20 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:245:2:245:9 | call to my_alloc | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:245:11:245:20 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:245:2:245:9 | call to my_alloc | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:245:11:245:20 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv indirection | user input (an environment variable) |
|
||||||
| test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:33 | call to getenv | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:259:20:259:33 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:33 | call to getenv indirection | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:259:20:259:33 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:33 | call to getenv indirection | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:259:20:259:33 | call to getenv indirection | user input (an environment variable) |
|
||||||
| test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:31 | call to getenv | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:31 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:31 | call to getenv indirection | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:31 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:31 | call to getenv indirection | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:31 | call to getenv indirection | user input (an environment variable) |
|
||||||
| test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:31 | call to getenv | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:31 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:31 | call to getenv indirection | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:31 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:31 | call to getenv indirection | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:31 | call to getenv indirection | user input (an environment variable) |
|
||||||
| test.cpp:355:25:355:33 | call to MyMalloc1 | test.cpp:353:18:353:31 | call to getenv | test.cpp:355:35:355:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:31 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:355:25:355:33 | call to MyMalloc1 | test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:355:35:355:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:31 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:355:25:355:33 | call to MyMalloc1 | test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:355:35:355:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:31 | call to getenv indirection | user input (an environment variable) |
|
||||||
| test.cpp:356:25:356:33 | call to MyMalloc2 | test.cpp:353:18:353:31 | call to getenv | test.cpp:356:35:356:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:31 | call to getenv | user input (an environment variable) |
|
|
||||||
| test.cpp:356:25:356:33 | call to MyMalloc2 | test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:356:35:356:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:31 | call to getenv indirection | user input (an environment variable) |
|
| test.cpp:356:25:356:33 | call to MyMalloc2 | test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:356:35:356:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:31 | call to getenv indirection | user input (an environment variable) |
|
||||||
|
|||||||
@@ -1,18 +1,23 @@
|
|||||||
| test2.cpp:14:11:14:15 | ... * ... | $@ flows an expression which might overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
|
| test2.cpp:14:11:14:15 | ... * ... | $@ flows an expression which might overflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf |
|
||||||
| test2.cpp:15:11:15:19 | ... * ... | $@ flows an expression which might overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
|
| test2.cpp:15:11:15:19 | ... * ... | $@ flows an expression which might overflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf |
|
||||||
| test2.cpp:16:11:16:21 | ... * ... | $@ flows an expression which might overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
|
| test2.cpp:16:11:16:21 | ... * ... | $@ flows an expression which might overflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf |
|
||||||
| test2.cpp:17:11:17:22 | ... * ... | $@ flows an expression which might overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
|
| test2.cpp:17:11:17:22 | ... * ... | $@ flows an expression which might overflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf |
|
||||||
| test2.cpp:39:9:39:18 | ... + ... | $@ flows an expression which might overflow. | test2.cpp:36:9:36:14 | buffer | User-provided value |
|
| test2.cpp:39:9:39:18 | ... + ... | $@ flows an expression which might overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets |
|
||||||
| test2.cpp:40:3:40:13 | ... += ... | $@ flows an expression which might overflow. | test2.cpp:36:9:36:14 | buffer | User-provided value |
|
| test2.cpp:40:3:40:13 | ... += ... | $@ flows an expression which might overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets |
|
||||||
| test3.c:12:31:12:34 | * ... | $@ flows an expression which might overflow negatively. | test3.c:11:15:11:18 | argv | User-provided value |
|
| test3.c:12:11:12:34 | * ... | $@ flows an expression which might overflow negatively. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
|
||||||
| test3.c:13:16:13:19 | * ... | $@ flows an expression which might overflow negatively. | test3.c:11:15:11:18 | argv | User-provided value |
|
| test3.c:12:11:12:34 | * ... | $@ flows an expression which might overflow negatively. | test.c:10:27:10:30 | argv indirection | a command-line argument |
|
||||||
| test4.cpp:13:17:13:20 | access to array | $@ flows an expression which might overflow negatively. | test4.cpp:9:13:9:16 | argv | User-provided value |
|
| test3.c:13:11:13:20 | * ... | $@ flows an expression which might overflow negatively. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
|
||||||
| test5.cpp:10:9:10:15 | call to strtoul | $@ flows an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
|
| test3.c:13:11:13:20 | * ... | $@ flows an expression which might overflow negatively. | test.c:10:27:10:30 | argv indirection | a command-line argument |
|
||||||
| test5.cpp:17:6:17:27 | ... * ... | $@ flows an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
|
| test4.cpp:13:7:13:20 | access to array | $@ flows an expression which might overflow negatively. | test4.cpp:8:27:8:30 | argv indirection | a command-line argument |
|
||||||
| test5.cpp:19:6:19:13 | ... * ... | $@ flows an expression which might overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
|
| test5.cpp:10:9:10:27 | call to strtoul | $@ flows an expression which might overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets |
|
||||||
| test6.cpp:11:15:11:15 | s | $@ flows an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
|
| test5.cpp:17:6:17:27 | ... * ... | $@ flows an expression which might overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets |
|
||||||
| test6.cpp:16:15:16:15 | s | $@ flows an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
|
| test5.cpp:19:6:19:13 | ... * ... | $@ flows an expression which might overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets |
|
||||||
| test6.cpp:30:16:30:16 | s | $@ flows an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
|
| test6.cpp:11:10:11:15 | s | $@ flows an expression which might overflow. | test6.cpp:39:23:39:24 | fscanf output argument | value read by fscanf |
|
||||||
| test.c:14:15:14:35 | ... * ... | $@ flows an expression which might overflow. | test.c:11:29:11:32 | argv | User-provided value |
|
| test6.cpp:16:10:16:15 | s | $@ flows an expression which might overflow. | test6.cpp:39:23:39:24 | fscanf output argument | value read by fscanf |
|
||||||
| test.c:44:7:44:12 | ... -- | $@ flows an expression which might overflow negatively. | test.c:41:17:41:20 | argv | User-provided value |
|
| test6.cpp:30:11:30:16 | s | $@ flows an expression which might overflow. | test6.cpp:39:23:39:24 | fscanf output argument | value read by fscanf |
|
||||||
| test.c:54:7:54:12 | ... -- | $@ flows an expression which might overflow negatively. | test.c:51:17:51:20 | argv | User-provided value |
|
| test.c:14:15:14:35 | ... * ... | $@ flows an expression which might overflow. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
|
||||||
|
| test.c:14:15:14:35 | ... * ... | $@ flows an expression which might overflow. | test.c:10:27:10:30 | argv indirection | a command-line argument |
|
||||||
|
| test.c:44:7:44:12 | ... -- | $@ flows an expression which might overflow negatively. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
|
||||||
|
| test.c:44:7:44:12 | ... -- | $@ flows an expression which might overflow negatively. | test.c:10:27:10:30 | argv indirection | a command-line argument |
|
||||||
|
| test.c:54:7:54:12 | ... -- | $@ flows an expression which might overflow negatively. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
|
||||||
|
| test.c:54:7:54:12 | ... -- | $@ flows an expression which might overflow negatively. | test.c:10:27:10:30 | argv indirection | a command-line argument |
|
||||||
|
|||||||
@@ -1 +1 @@
|
|||||||
| tests.cpp:38:31:38:34 | data | $@ flows an expression which might overflow. | tests.cpp:57:27:57:31 | & ... | User-provided value |
|
| tests.cpp:38:25:38:34 | data | $@ flows an expression which might overflow. | tests.cpp:57:27:57:31 | fscanf output argument | value read by fscanf |
|
||||||
|
|||||||
@@ -1,54 +1,26 @@
|
|||||||
edges
|
edges
|
||||||
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
|
| test.cpp:16:25:16:42 | call to getenv indirection | test.cpp:20:14:20:20 | address indirection |
|
||||||
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
|
| test.cpp:27:25:27:42 | call to getenv indirection | test.cpp:31:14:31:20 | address indirection |
|
||||||
| test.cpp:16:25:16:42 | call to getenv | test.cpp:20:14:20:20 | address |
|
| test.cpp:38:25:38:42 | call to getenv indirection | test.cpp:42:14:42:20 | address indirection |
|
||||||
| test.cpp:16:25:16:42 | call to getenv | test.cpp:20:14:20:20 | address |
|
| test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:52:14:52:20 | address indirection |
|
||||||
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
|
| test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:56:14:56:20 | address indirection |
|
||||||
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
|
| test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:60:14:60:20 | address indirection |
|
||||||
| test.cpp:27:25:27:42 | call to getenv | test.cpp:31:14:31:20 | address |
|
|
||||||
| test.cpp:27:25:27:42 | call to getenv | test.cpp:31:14:31:20 | address |
|
|
||||||
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
|
|
||||||
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
|
|
||||||
| test.cpp:38:25:38:42 | call to getenv | test.cpp:42:14:42:20 | address |
|
|
||||||
| test.cpp:38:25:38:42 | call to getenv | test.cpp:42:14:42:20 | address |
|
|
||||||
| test.cpp:49:25:49:30 | call to getenv | test.cpp:52:14:52:20 | address |
|
|
||||||
| test.cpp:49:25:49:30 | call to getenv | test.cpp:52:14:52:20 | address |
|
|
||||||
| test.cpp:49:25:49:30 | call to getenv | test.cpp:56:14:56:20 | address |
|
|
||||||
| test.cpp:49:25:49:30 | call to getenv | test.cpp:56:14:56:20 | address |
|
|
||||||
| test.cpp:49:25:49:30 | call to getenv | test.cpp:60:14:60:20 | address |
|
|
||||||
| test.cpp:49:25:49:30 | call to getenv | test.cpp:60:14:60:20 | address |
|
|
||||||
| test.cpp:49:25:49:42 | call to getenv | test.cpp:52:14:52:20 | address |
|
|
||||||
| test.cpp:49:25:49:42 | call to getenv | test.cpp:52:14:52:20 | address |
|
|
||||||
| test.cpp:49:25:49:42 | call to getenv | test.cpp:56:14:56:20 | address |
|
|
||||||
| test.cpp:49:25:49:42 | call to getenv | test.cpp:56:14:56:20 | address |
|
|
||||||
| test.cpp:49:25:49:42 | call to getenv | test.cpp:60:14:60:20 | address |
|
|
||||||
| test.cpp:49:25:49:42 | call to getenv | test.cpp:60:14:60:20 | address |
|
|
||||||
subpaths
|
|
||||||
nodes
|
nodes
|
||||||
| test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:16:25:16:42 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:16:25:16:42 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:20:14:20:20 | address indirection | semmle.label | address indirection |
|
||||||
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
| test.cpp:27:25:27:42 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
| test.cpp:31:14:31:20 | address indirection | semmle.label | address indirection |
|
||||||
| test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:38:25:38:42 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:27:25:27:42 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:42:14:42:20 | address indirection | semmle.label | address indirection |
|
||||||
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
| test.cpp:49:25:49:42 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
| test.cpp:52:14:52:20 | address indirection | semmle.label | address indirection |
|
||||||
| test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:56:14:56:20 | address indirection | semmle.label | address indirection |
|
||||||
| test.cpp:38:25:38:42 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:60:14:60:20 | address indirection | semmle.label | address indirection |
|
||||||
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
subpaths
|
||||||
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
|
||||||
| test.cpp:49:25:49:30 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:49:25:49:42 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:52:14:52:20 | address | semmle.label | address |
|
|
||||||
| test.cpp:52:14:52:20 | address | semmle.label | address |
|
|
||||||
| test.cpp:56:14:56:20 | address | semmle.label | address |
|
|
||||||
| test.cpp:56:14:56:20 | address | semmle.label | address |
|
|
||||||
| test.cpp:60:14:60:20 | address | semmle.label | address |
|
|
||||||
| test.cpp:60:14:60:20 | address | semmle.label | address |
|
|
||||||
#select
|
#select
|
||||||
| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
|
| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:42 | call to getenv indirection | test.cpp:20:14:20:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:42 | call to getenv indirection | an environment variable |
|
||||||
| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
|
| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:42 | call to getenv indirection | test.cpp:31:14:31:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:42 | call to getenv indirection | an environment variable |
|
||||||
| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:30 | call to getenv | call to getenv |
|
| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:42 | call to getenv indirection | test.cpp:42:14:42:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:42 | call to getenv indirection | an environment variable |
|
||||||
| test.cpp:52:7:52:12 | call to strcmp | test.cpp:49:25:49:30 | call to getenv | test.cpp:52:14:52:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:30 | call to getenv | call to getenv |
|
| test.cpp:52:7:52:12 | call to strcmp | test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:52:14:52:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | call to getenv indirection | an environment variable |
|
||||||
| test.cpp:56:7:56:12 | call to strcmp | test.cpp:49:25:49:30 | call to getenv | test.cpp:56:14:56:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:30 | call to getenv | call to getenv |
|
| test.cpp:56:7:56:12 | call to strcmp | test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:56:14:56:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | call to getenv indirection | an environment variable |
|
||||||
| test.cpp:60:7:60:12 | call to strcmp | test.cpp:49:25:49:30 | call to getenv | test.cpp:60:14:60:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:30 | call to getenv | call to getenv |
|
| test.cpp:60:7:60:12 | call to strcmp | test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:60:14:60:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | call to getenv indirection | an environment variable |
|
||||||
|
|||||||
@@ -1,13 +1,8 @@
|
|||||||
edges
|
edges
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... |
|
| test.cpp:20:29:20:47 | call to getenv indirection | test.cpp:24:10:24:35 | ! ... |
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
|
|
||||||
| test.cpp:20:29:20:47 | call to getenv | test.cpp:24:10:24:35 | ! ... |
|
|
||||||
| test.cpp:20:29:20:47 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
|
|
||||||
subpaths
|
|
||||||
nodes
|
nodes
|
||||||
| test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:20:29:20:47 | call to getenv indirection | semmle.label | call to getenv indirection |
|
||||||
| test.cpp:20:29:20:47 | call to getenv | semmle.label | call to getenv |
|
|
||||||
| test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
|
| test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
|
||||||
| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
|
subpaths
|
||||||
#select
|
#select
|
||||||
| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@. | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
|
| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:47 | call to getenv indirection | test.cpp:24:10:24:35 | ! ... | Reliance on $@ to raise privilege at $@. | test.cpp:20:29:20:47 | call to getenv indirection | an environment variable | test.cpp:25:9:25:27 | ... = ... | ... = ... |
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
using System;
|
using System;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
|
using System.Diagnostics.CodeAnalysis;
|
||||||
using System.IO;
|
using System.IO;
|
||||||
using System.Linq;
|
using System.Linq;
|
||||||
using Newtonsoft.Json.Linq;
|
using Newtonsoft.Json.Linq;
|
||||||
@@ -14,14 +15,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
{
|
{
|
||||||
private readonly ProgressMonitor progressMonitor;
|
private readonly ProgressMonitor progressMonitor;
|
||||||
|
|
||||||
private static readonly string[] netFrameworks = new[] {
|
|
||||||
"microsoft.aspnetcore.app.ref",
|
|
||||||
"microsoft.netcore.app.ref",
|
|
||||||
"microsoft.netframework.referenceassemblies",
|
|
||||||
"microsoft.windowsdesktop.app.ref",
|
|
||||||
"netstandard.library.ref"
|
|
||||||
};
|
|
||||||
|
|
||||||
internal Assets(ProgressMonitor progressMonitor)
|
internal Assets(ProgressMonitor progressMonitor)
|
||||||
{
|
{
|
||||||
this.progressMonitor = progressMonitor;
|
this.progressMonitor = progressMonitor;
|
||||||
@@ -68,19 +61,19 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
/// }
|
/// }
|
||||||
/// }
|
/// }
|
||||||
///
|
///
|
||||||
/// Returns dependencies
|
/// Adds the following dependencies
|
||||||
/// RequiredPaths = {
|
/// Paths: {
|
||||||
/// "castle.core/4.4.1/lib/netstandard1.5/Castle.Core.dll",
|
/// "castle.core/4.4.1/lib/netstandard1.5/Castle.Core.dll",
|
||||||
/// "json.net/1.0.33/lib/netstandard2.0/Json.Net.dll"
|
/// "json.net/1.0.33/lib/netstandard2.0/Json.Net.dll"
|
||||||
/// }
|
/// }
|
||||||
/// UsedPackages = {
|
/// Packages: {
|
||||||
/// "castle.core",
|
/// "castle.core",
|
||||||
/// "json.net"
|
/// "json.net"
|
||||||
/// }
|
/// }
|
||||||
/// </summary>
|
/// </summary>
|
||||||
private DependencyContainer AddPackageDependencies(JObject json, DependencyContainer dependencies)
|
private void AddPackageDependencies(JObject json, DependencyContainer dependencies)
|
||||||
{
|
{
|
||||||
// If there are more than one framework we need to pick just one.
|
// If there is more than one framework we need to pick just one.
|
||||||
// To ensure stability we pick one based on the lexicographic order of
|
// To ensure stability we pick one based on the lexicographic order of
|
||||||
// the framework names.
|
// the framework names.
|
||||||
var references = json
|
var references = json
|
||||||
@@ -93,7 +86,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
if (references is null)
|
if (references is null)
|
||||||
{
|
{
|
||||||
progressMonitor.LogDebug("No references found in the targets section in the assets file.");
|
progressMonitor.LogDebug("No references found in the targets section in the assets file.");
|
||||||
return dependencies;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Find all the compile dependencies for each reference and
|
// Find all the compile dependencies for each reference and
|
||||||
@@ -108,19 +101,83 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If this is a .NET framework reference then include everything.
|
if (info.Compile is null || !info.Compile.Any())
|
||||||
if (netFrameworks.Any(framework => name.StartsWith(framework)))
|
|
||||||
{
|
{
|
||||||
dependencies.Add(name);
|
// If this is a framework reference then include everything.
|
||||||
}
|
if (FrameworkPackageNames.AllFrameworks.Any(framework => name.StartsWith(framework)))
|
||||||
else
|
{
|
||||||
{
|
dependencies.AddFramework(name);
|
||||||
info.Compile?
|
}
|
||||||
.ForEach(r => dependencies.Add(name, r.Key));
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
info.Compile
|
||||||
|
.ForEach(r => dependencies.Add(name, r.Key));
|
||||||
});
|
});
|
||||||
|
|
||||||
return dependencies;
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Add the framework dependencies from the assets file to dependencies.
|
||||||
|
///
|
||||||
|
/// Example:
|
||||||
|
/// "project": {
|
||||||
|
// "version": "1.0.0",
|
||||||
|
// "frameworks": {
|
||||||
|
// "net7.0": {
|
||||||
|
// "frameworkReferences": {
|
||||||
|
// "Microsoft.AspNetCore.App": {
|
||||||
|
// "privateAssets": "none"
|
||||||
|
// },
|
||||||
|
// "Microsoft.NETCore.App": {
|
||||||
|
// "privateAssets": "all"
|
||||||
|
// }
|
||||||
|
// }
|
||||||
|
// }
|
||||||
|
// }
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
/// Adds the following dependencies
|
||||||
|
/// Paths: {
|
||||||
|
/// "microsoft.aspnetcore.app.ref",
|
||||||
|
/// "microsoft.netcore.app.ref"
|
||||||
|
/// }
|
||||||
|
/// Packages: {
|
||||||
|
/// "microsoft.aspnetcore.app.ref",
|
||||||
|
/// "microsoft.netcore.app.ref"
|
||||||
|
/// }
|
||||||
|
/// </summary>
|
||||||
|
private void AddFrameworkDependencies(JObject json, DependencyContainer dependencies)
|
||||||
|
{
|
||||||
|
|
||||||
|
var frameworks = json
|
||||||
|
.GetProperty("project")?
|
||||||
|
.GetProperty("frameworks");
|
||||||
|
|
||||||
|
if (frameworks is null)
|
||||||
|
{
|
||||||
|
progressMonitor.LogDebug("No framework section in assets.json.");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// If there is more than one framework we need to pick just one.
|
||||||
|
// To ensure stability we pick one based on the lexicographic order of
|
||||||
|
// the framework names.
|
||||||
|
var references = frameworks
|
||||||
|
.Properties()?
|
||||||
|
.MaxBy(p => p.Name)?
|
||||||
|
.Value["frameworkReferences"] as JObject;
|
||||||
|
|
||||||
|
if (references is null)
|
||||||
|
{
|
||||||
|
progressMonitor.LogDebug("No framework references in assets.json.");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
references
|
||||||
|
.Properties()
|
||||||
|
.ForEach(f => dependencies.AddFramework($"{f.Name}.Ref".ToLowerInvariant()));
|
||||||
}
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
@@ -134,6 +191,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
{
|
{
|
||||||
var obj = JObject.Parse(json);
|
var obj = JObject.Parse(json);
|
||||||
AddPackageDependencies(obj, dependencies);
|
AddPackageDependencies(obj, dependencies);
|
||||||
|
AddFrameworkDependencies(obj, dependencies);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
catch (Exception e)
|
catch (Exception e)
|
||||||
@@ -143,14 +201,31 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static bool TryReadAllText(string path, ProgressMonitor progressMonitor, [NotNullWhen(returnValue: true)] out string? content)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
content = File.ReadAllText(path);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
catch (Exception e)
|
||||||
|
{
|
||||||
|
progressMonitor.LogInfo($"Failed to read assets file '{path}': {e.Message}");
|
||||||
|
content = null;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public static DependencyContainer GetCompilationDependencies(ProgressMonitor progressMonitor, IEnumerable<string> assets)
|
public static DependencyContainer GetCompilationDependencies(ProgressMonitor progressMonitor, IEnumerable<string> assets)
|
||||||
{
|
{
|
||||||
var parser = new Assets(progressMonitor);
|
var parser = new Assets(progressMonitor);
|
||||||
var dependencies = new DependencyContainer();
|
var dependencies = new DependencyContainer();
|
||||||
assets.ForEach(asset =>
|
assets.ForEach(asset =>
|
||||||
{
|
{
|
||||||
var json = File.ReadAllText(asset);
|
if (TryReadAllText(asset, progressMonitor, out var json))
|
||||||
parser.TryParse(json, dependencies);
|
{
|
||||||
|
parser.TryParse(json, dependencies);
|
||||||
|
}
|
||||||
});
|
});
|
||||||
return dependencies;
|
return dependencies;
|
||||||
}
|
}
|
||||||
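Review bot: Names read from the assets file become path components with no validation: in `AddFrameworkDependencies`, `f.Name` is passed as `$"{f.Name}.Ref".ToLowerInvariant()` to `dependencies.AddFramework(...)`, and in `AddPackageDependencies` `name` and `r.Key` go into `dependencies.Add(...)`. The later hunk at `@@ -119,7 +119,7 @@` joins each entry with `Path.Combine(packageDirectory.DirInfo.FullName, d)`, which returns `d` unchanged when it is rooted and does not collapse `..` segments, so an entry can resolve outside the package directory. If an assets file can come from the analysed repository rather than only from the extractor's own restore (not visible here), I would reject such entries where they are added, e.g. `if (Path.IsPathRooted(p) || p.Split(Path.DirectorySeparatorChar).Contains("..")) return;` in `DependencyContainer.Add` and `AddFramework`. Separately, the example in the new `AddFrameworkDependencies` summary switches from `///` to `//` after the `"project": {` line, which drops those lines from the XML doc comment.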
|
|||||||
@@ -9,14 +9,19 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
/// </summary>
|
/// </summary>
|
||||||
internal class DependencyContainer
|
internal class DependencyContainer
|
||||||
{
|
{
|
||||||
private readonly List<string> requiredPaths = new();
|
/// <summary>
|
||||||
private readonly HashSet<string> usedPackages = new();
|
/// Paths to dependencies required for compilation.
|
||||||
|
/// </summary>
|
||||||
|
public List<string> Paths { get; } = new();
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// In most cases paths in asset files point to dll's or the empty _._ file, which
|
/// Packages that are used as a part of the required dependencies.
|
||||||
/// is sometimes there to avoid the directory being empty.
|
/// </summary>
|
||||||
/// That is, if the path specifically adds a .dll we use that, otherwise we as a fallback
|
public HashSet<string> Packages { get; } = new();
|
||||||
/// add the entire directory (which should be fine in case of _._ as well).
|
|
||||||
|
/// <summary>
|
||||||
|
/// If the path specifically adds a .dll we use that, otherwise we as a fallback
|
||||||
|
/// add the entire directory.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
private static string ParseFilePath(string path)
|
private static string ParseFilePath(string path)
|
||||||
{
|
{
|
||||||
@@ -32,16 +37,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
.Split(Path.DirectorySeparatorChar)
|
.Split(Path.DirectorySeparatorChar)
|
||||||
.First();
|
.First();
|
||||||
|
|
||||||
/// <summary>
|
|
||||||
/// Paths to dependencies required for compilation.
|
|
||||||
/// </summary>
|
|
||||||
public IEnumerable<string> RequiredPaths => requiredPaths;
|
|
||||||
|
|
||||||
/// <summary>
|
|
||||||
/// Packages that are used as a part of the required dependencies.
|
|
||||||
/// </summary>
|
|
||||||
public HashSet<string> UsedPackages => usedPackages;
|
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Add a dependency inside a package.
|
/// Add a dependency inside a package.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
@@ -50,20 +45,27 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
var p = package.Replace('/', Path.DirectorySeparatorChar);
|
var p = package.Replace('/', Path.DirectorySeparatorChar);
|
||||||
var d = dependency.Replace('/', Path.DirectorySeparatorChar);
|
var d = dependency.Replace('/', Path.DirectorySeparatorChar);
|
||||||
|
|
||||||
|
// In most cases paths in asset files point to dll's or the empty _._ file.
|
||||||
|
// That is, for _._ we don't need to add anything.
|
||||||
|
if (Path.GetFileName(d) == "_._")
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
var path = Path.Combine(p, ParseFilePath(d));
|
var path = Path.Combine(p, ParseFilePath(d));
|
||||||
requiredPaths.Add(path);
|
Paths.Add(path);
|
||||||
usedPackages.Add(GetPackageName(p));
|
Packages.Add(GetPackageName(p));
|
||||||
}
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Add a dependency to an entire package
|
/// Add a dependency to an entire framework package.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
public void Add(string package)
|
public void AddFramework(string framework)
|
||||||
{
|
{
|
||||||
var p = package.Replace('/', Path.DirectorySeparatorChar);
|
var p = framework.Replace('/', Path.DirectorySeparatorChar);
|
||||||
|
|
||||||
requiredPaths.Add(p);
|
Paths.Add(p);
|
||||||
usedPackages.Add(GetPackageName(p));
|
Packages.Add(GetPackageName(p));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
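Review bot: The new `_._` early return in `Add` (the hunk at `@@ -50,20 +45,27 @@`) skips `Packages.Add(GetPackageName(p))` as well as `Paths.Add(path)`, so a package whose only compile entry is `_._` is no longer recorded as used. Before this change such an entry went through `ParseFilePath` and the package was added to both collections. If callers use `Packages` to decide which restored packages the assets files already account for (not visible in this section), those packages would now look unaccounted for; moving `Packages.Add(GetPackageName(p));` above the `if (Path.GetFileName(d) == "_._")` check would keep the old bookkeeping while still skipping the path. `Add`'s signature lies outside the hunk.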
@@ -119,7 +119,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
var dependencies = Assets.GetCompilationDependencies(progressMonitor, assets1.Union(assets2));
|
var dependencies = Assets.GetCompilationDependencies(progressMonitor, assets1.Union(assets2));
|
||||||
|
|
||||||
var paths = dependencies
|
var paths = dependencies
|
||||||
.RequiredPaths
|
.Paths
|
||||||
.Select(d => Path.Combine(packageDirectory.DirInfo.FullName, d))
|
.Select(d => Path.Combine(packageDirectory.DirInfo.FullName, d))
|
||||||
.ToList();
|
.ToList();
|
||||||
dllPaths.UnionWith(paths);
|
dllPaths.UnionWith(paths);
|
||||||
@@ -232,13 +232,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
{
|
{
|
||||||
// Multiple dotnet framework packages could be present.
|
// Multiple dotnet framework packages could be present.
|
||||||
// The order of the packages is important, we're adding the first one that is present in the nuget cache.
|
// The order of the packages is important, we're adding the first one that is present in the nuget cache.
|
||||||
var packagesInPrioOrder = new string[]
|
var packagesInPrioOrder = FrameworkPackageNames.NetFrameworks;
|
||||||
{
|
|
||||||
"microsoft.netcore.app.ref", // net7.0, ... net5.0, netcoreapp3.1, netcoreapp3.0
|
|
||||||
"microsoft.netframework.referenceassemblies.", // net48, ..., net20
|
|
||||||
"netstandard.library.ref", // netstandard2.1
|
|
||||||
"netstandard.library" // netstandard2.0
|
|
||||||
};
|
|
||||||
|
|
||||||
var frameworkPath = packagesInPrioOrder
|
var frameworkPath = packagesInPrioOrder
|
||||||
.Select((s, index) => (Index: index, Path: GetPackageDirectory(s)))
|
.Select((s, index) => (Index: index, Path: GetPackageDirectory(s)))
|
||||||
@@ -308,7 +302,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
}
|
}
|
||||||
|
|
||||||
// First try to find ASP.NET Core assemblies in the NuGet packages
|
// First try to find ASP.NET Core assemblies in the NuGet packages
|
||||||
if (GetPackageDirectory("microsoft.aspnetcore.app.ref") is string aspNetCorePackage)
|
if (GetPackageDirectory(FrameworkPackageNames.AspNetCoreFramework) is string aspNetCorePackage)
|
||||||
{
|
{
|
||||||
progressMonitor.LogInfo($"Found ASP.NET Core in NuGet packages. Not adding installation directory.");
|
progressMonitor.LogInfo($"Found ASP.NET Core in NuGet packages. Not adding installation directory.");
|
||||||
dllPaths.Add(aspNetCorePackage);
|
dllPaths.Add(aspNetCorePackage);
|
||||||
@@ -322,7 +316,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
|
|
||||||
private void AddMicrosoftWindowsDesktopDlls(ISet<string> dllPaths)
|
private void AddMicrosoftWindowsDesktopDlls(ISet<string> dllPaths)
|
||||||
{
|
{
|
||||||
if (GetPackageDirectory("microsoft.windowsdesktop.app.ref") is string windowsDesktopApp)
|
if (GetPackageDirectory(FrameworkPackageNames.WindowsDesktopFramework) is string windowsDesktopApp)
|
||||||
{
|
{
|
||||||
progressMonitor.LogInfo($"Found Windows Desktop App in NuGet packages.");
|
progressMonitor.LogInfo($"Found Windows Desktop App in NuGet packages.");
|
||||||
dllPaths.Add(windowsDesktopApp);
|
dllPaths.Add(windowsDesktopApp);
|
||||||
@@ -356,7 +350,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
|
|
||||||
private void LogAllUnusedPackages(DependencyContainer dependencies) =>
|
private void LogAllUnusedPackages(DependencyContainer dependencies) =>
|
||||||
GetAllPackageDirectories()
|
GetAllPackageDirectories()
|
||||||
.Where(package => !dependencies.UsedPackages.Contains(package))
|
.Where(package => !dependencies.Packages.Contains(package))
|
||||||
.ForEach(package => progressMonitor.LogInfo($"Unused package: {package}"));
|
.ForEach(package => progressMonitor.LogInfo($"Unused package: {package}"));
|
||||||
|
|
||||||
private void GenerateSourceFileFromImplicitUsings()
|
private void GenerateSourceFileFromImplicitUsings()
|
||||||
|
|||||||
@@ -128,7 +128,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
|||||||
[GeneratedRegex("Restored\\s+(.+\\.csproj)", RegexOptions.Compiled)]
|
[GeneratedRegex("Restored\\s+(.+\\.csproj)", RegexOptions.Compiled)]
|
||||||
private static partial Regex RestoredProjectRegex();
|
private static partial Regex RestoredProjectRegex();
|
||||||
|
|
||||||
[GeneratedRegex("[Assets\\sfile\\shas\\snot\\schanged.\\sSkipping\\sassets\\sfile\\swriting.|Writing\\sassets\\sfile\\sto\\sdisk.]\\sPath:\\s(.*)", RegexOptions.Compiled)]
|
[GeneratedRegex("[Assets\\sfile\\shas\\snot\\schanged.\\sSkipping\\sassets\\sfile\\swriting.|Writing\\sassets\\sfile\\sto\\sdisk.]\\sPath:\\s(.+)", RegexOptions.Compiled)]
|
||||||
private static partial Regex AssetsFileRegex();
|
private static partial Regex AssetsFileRegex();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
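Review bot: The square brackets in the `AssetsFileRegex` pattern form a character class, not a group, so the two log messages are never matched as text; the pattern accepts any single character from that set, then whitespace, `Path:`, whitespace and the capture. It matches the expected restore output only because both messages end in `.`, and it will also match unrelated lines that contain `Path:` after one of those characters, so the captured value may not be an assets file path at all. The change from `(.*)` to `(.+)` leaves this in place; a non-capturing alternation with escaped dots is probably what was meant: `"(?:Assets\\sfile\\shas\\snot\\schanged\\.\\sSkipping\\sassets\\sfile\\swriting\\.|Writing\\sassets\\sfile\\sto\\sdisk\\.)\\sPath:\\s(.+)"`. The enclosing class starts outside the hunk.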
|
|||||||
@@ -0,0 +1,25 @@
|
|||||||
|
using System.Collections.Generic;
|
||||||
|
using System.Linq;
|
||||||
|
|
||||||
|
namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||||
|
{
|
||||||
|
internal static class FrameworkPackageNames
|
||||||
|
{
|
||||||
|
public static string AspNetCoreFramework { get; } = "microsoft.aspnetcore.app.ref";
|
||||||
|
|
||||||
|
public static string WindowsDesktopFramework { get; } = "microsoft.windowsdesktop.app.ref";
|
||||||
|
|
||||||
|
// The order of the packages is important.
|
||||||
|
public static string[] NetFrameworks { get; } = new string[]
|
||||||
|
{
|
||||||
|
"microsoft.netcore.app.ref", // net7.0, ... net5.0, netcoreapp3.1, netcoreapp3.0
|
||||||
|
"microsoft.netframework.referenceassemblies.", // net48, ..., net20
|
||||||
|
"netstandard.library.ref", // netstandard2.1
|
||||||
|
"netstandard.library" // netstandard2.0
|
||||||
|
};
|
||||||
|
|
||||||
|
public static IEnumerable<string> AllFrameworks { get; } =
|
||||||
|
NetFrameworks
|
||||||
|
.Union(new string[] { AspNetCoreFramework, WindowsDesktopFramework });
|
||||||
|
}
|
||||||
|
}
|
||||||
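Review bot: `NetFrameworks` is exposed as a `string[]`, so any caller can overwrite or reorder the entries of a list whose order the comment above it calls important. Declaring it as `public static IReadOnlyList<string> NetFrameworks { get; } = new string[] { ... };` keeps the priority order fixed; the caller visible on this page only enumerates it with `Select`, so that should be source-compatible, though other callers are not visible here. The entry `"microsoft.netframework.referenceassemblies."` looks like a name prefix (trailing dot) rather than a full package id, and `AllFrameworks` mixes it with full ids. A `/// <summary>` on each member should say whether consumers are expected to compare by equality or by prefix.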
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-solorigate-all
|
name: codeql/csharp-solorigate-all
|
||||||
version: 1.7.3
|
version: 1.7.4-dev
|
||||||
groups:
|
groups:
|
||||||
- csharp
|
- csharp
|
||||||
- solorigate
|
- solorigate
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-solorigate-queries
|
name: codeql/csharp-solorigate-queries
|
||||||
version: 1.7.3
|
version: 1.7.4-dev
|
||||||
groups:
|
groups:
|
||||||
- csharp
|
- csharp
|
||||||
- solorigate
|
- solorigate
|
||||||
|
|||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
namespace test;
|
||||||
|
|
||||||
|
using System.Net;
|
||||||
|
using Microsoft.AspNetCore.Mvc;
|
||||||
|
using Microsoft.AspNetCore.Mvc.Razor;
|
||||||
|
|
||||||
|
public class UserData
|
||||||
|
{
|
||||||
|
public string Name { get; set; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public class TestController : Controller {
|
||||||
|
public IActionResult Test(UserData tainted1) {
|
||||||
|
return View("Test", tainted1);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
@page
|
||||||
|
|
||||||
|
@model UserData
|
||||||
|
|
||||||
|
@if (Model != null)
|
||||||
|
{
|
||||||
|
<h3>Hello "@Html.Raw(Model.Name)"</h3>
|
||||||
|
}
|
||||||
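Review bot: The `@page` directive on the first line makes this file a Razor Page, yet the expected output and `TestController.Test` suggest it is the MVC view returned by `View("Test", tainted1)`; that combination looks unintended and in a running application would typically leave `Model` unbound. If the test only needs the `Html.Raw(Model.Name)` sink to be extracted from a view, dropping `@page` (and regenerating the expected line numbers) keeps the fixture closer to real MVC code. If the directive is deliberate, a trailing Razor comment such as `@* @page is intentional: exercises Razor Page extraction *@` documents it without shifting the `7:27` location in the expected output.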
@@ -0,0 +1,3 @@
|
|||||||
|
@using test
|
||||||
|
|
||||||
|
@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
| Views/Test/Test.cshtml:7:27:7:36 | access to property Name | Controllers/TestController.cs:13:40:13:47 | tainted1 : UserData | Views/Test/Test.cshtml:7:27:7:36 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:13:40:13:47 | tainted1 : UserData | User-provided value |
|
||||||
@@ -0,0 +1,21 @@
|
|||||||
|
/**
|
||||||
|
* @name Cross-site scripting
|
||||||
|
* @description Writing user input directly to a web page
|
||||||
|
* allows for a cross-site scripting vulnerability.
|
||||||
|
* @kind path-problem
|
||||||
|
* @problem.severity error
|
||||||
|
* @security-severity 6.1
|
||||||
|
* @precision high
|
||||||
|
* @id cs/web/xss
|
||||||
|
* @tags security
|
||||||
|
* external/cwe/cwe-079
|
||||||
|
* external/cwe/cwe-116
|
||||||
|
*/
|
||||||
|
|
||||||
|
import csharp
|
||||||
|
import semmle.code.csharp.security.dataflow.XSSQuery
|
||||||
|
|
||||||
|
// import PathGraph // exclude query predicates with output dependant on the absolute filepath the tests are run in
|
||||||
|
from XssNode source, XssNode sink, string message
|
||||||
|
where xssFlow(source, sink, message)
|
||||||
|
select sink, source, sink, "$@ flows to here and " + message, source, "User-provided value"
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
<Project Sdk="Microsoft.NET.Sdk.Web">
|
||||||
|
|
||||||
|
<PropertyGroup>
|
||||||
|
<TargetFramework>net7.0</TargetFramework>
|
||||||
|
<Nullable>enable</Nullable>
|
||||||
|
<ImplicitUsings>enable</ImplicitUsings>
|
||||||
|
</PropertyGroup>
|
||||||
|
|
||||||
|
</Project>
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
import os
|
||||||
|
from create_database_utils import *
|
||||||
|
|
||||||
|
|
||||||
|
os.environ['CODEQL_EXTRACTOR_CSHARP_STANDALONE_EXTRACT_WEB_VIEWS'] = 'true'
|
||||||
|
run_codeql_database_create(lang="csharp", extra_args=["--extractor-option=buildless=true", "--extractor-option=cil=false"])
|
||||||
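Review bot: `from create_database_utils import *` pulls every public name of the helper module into this script, although the visible lines use only `run_codeql_database_create`; `from create_database_utils import run_codeql_database_create` makes the dependency explicit. The `os.environ[...]` assignment changes the environment for the whole process and everything it spawns, so a one-line comment such as `# Read by the C# standalone extractor to enable .cshtml extraction` would explain why it is set before the database is created.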
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
{
|
||||||
|
"sdk": {
|
||||||
|
"version": "7.0.102"
|
||||||
|
}
|
||||||
|
}
|
||||||