Compare commits
183 Commits
codeql-cli
...
security-s
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
47adf24b25 | ||
|
|
578ce1e512 | ||
|
|
fa36ba901a | ||
|
|
f8570bb293 | ||
|
|
cb736c8c82 | ||
|
|
972cc47f67 | ||
|
|
b4a2a9db25 | ||
|
|
4be183c7f6 | ||
|
|
fe57876fd8 | ||
|
|
97186b3d30 | ||
|
|
56ba0f080a | ||
|
|
392adf2a25 | ||
|
|
b29f35f564 | ||
|
|
64fed4cb10 | ||
|
|
b4f01c9afa | ||
|
|
53a320a810 | ||
|
|
447f339857 | ||
|
|
92508beb82 | ||
|
|
f43d427875 | ||
|
|
bc7cc2f7ce | ||
|
|
da36508714 | ||
|
|
591ac38c31 | ||
|
|
54c79bff74 | ||
|
|
44d2bf42d7 | ||
|
|
fd23e0bdda | ||
|
|
3b6cd0f681 | ||
|
|
9de8085571 | ||
|
|
2d0c9b6bf2 | ||
|
|
55723618a9 | ||
|
|
2965a1f204 | ||
|
|
5158e7964e | ||
|
|
36fe72246b | ||
|
|
4810308b16 | ||
|
|
419d25cbcf | ||
|
|
981c5deb57 | ||
|
|
d853f0c400 | ||
|
|
a6bb9ebb9f | ||
|
|
079c7e089d | ||
|
|
273e8ce4ef | ||
|
|
5f7d3d0d36 | ||
|
|
2890fe6d61 | ||
|
|
89a5acf6e8 | ||
|
|
a404faa302 | ||
|
|
7825a2cdfc | ||
|
|
1a4845f417 | ||
|
|
f93b68d4dc | ||
|
|
98d936d8b3 | ||
|
|
f341d5010d | ||
|
|
9b0ef2fe21 | ||
|
|
58d198261e | ||
|
|
646639bc73 | ||
|
|
f22b11881e | ||
|
|
45e1a61d7b | ||
|
|
e77117f902 | ||
|
|
929d9da4b4 | ||
|
|
7c13163413 | ||
|
|
15c103e42d | ||
|
|
dee974ff2d | ||
|
|
c37dbb2e68 | ||
|
|
3cfd30ef6f | ||
|
|
afd2f58f9f | ||
|
|
697b2dcde8 | ||
|
|
0102d68f38 | ||
|
|
e0fcb15739 | ||
|
|
b96b665262 | ||
|
|
037e6369ce | ||
|
|
d7f26dfc18 | ||
|
|
fda750ef26 | ||
|
|
423ff32d04 | ||
|
|
6d4ddc0329 | ||
|
|
bc56d16c18 | ||
|
|
dfc91b8331 | ||
|
|
bb23866cec | ||
|
|
d35a501121 | ||
|
|
a43698802f | ||
|
|
310a2c8bb3 | ||
|
|
2656a52880 | ||
|
|
abeefcaced | ||
|
|
5aeaab7c6d | ||
|
|
11bf982728 | ||
|
|
32737a17fb | ||
|
|
172d6139e2 | ||
|
|
c281e54d22 | ||
|
|
57016ddbde | ||
|
|
7d2a60e910 | ||
|
|
5446532e1d | ||
|
|
acd4cf2878 | ||
|
|
e8d835b422 | ||
|
|
c7686b1838 | ||
|
|
cf5f838b13 | ||
|
|
e003b04061 | ||
|
|
cd57e61f65 | ||
|
|
91d28fb8b0 | ||
|
|
63f087a8e9 | ||
|
|
364d48948f | ||
|
|
17c4bbbc4e | ||
|
|
10be2735ec | ||
|
|
9349e6922d | ||
|
|
8687c5c145 | ||
|
|
0a86642056 | ||
|
|
4e3791dc0d | ||
|
|
720fbaf301 | ||
|
|
1510fe370d | ||
|
|
2329b31601 | ||
|
|
a460e3ad3d | ||
|
|
cc4827600b | ||
|
|
04b0682bbf | ||
|
|
fd8f745468 | ||
|
|
f130616369 | ||
|
|
d2b874f217 | ||
|
|
6874b8d4b3 | ||
|
|
affdedd840 | ||
|
|
0a6aef71a2 | ||
|
|
11304b2ae1 | ||
|
|
7f01586bf1 | ||
|
|
e5bce548de | ||
|
|
956311457d | ||
|
|
9b3ccade43 | ||
|
|
02eb447a35 | ||
|
|
a6b486a448 | ||
|
|
d73ba13b28 | ||
|
|
b39a3ab12c | ||
|
|
83477439a1 | ||
|
|
b7483a5394 | ||
|
|
322bdcb703 | ||
|
|
8ce5c46e05 | ||
|
|
675de07c3e | ||
|
|
ed34c96357 | ||
|
|
eb9b41acab | ||
|
|
a764a79090 | ||
|
|
c13ee0859a | ||
|
|
3d8e173c57 | ||
|
|
80ac2aff26 | ||
|
|
6c69c1aeeb | ||
|
|
ed2a8db8c9 | ||
|
|
9c3b7e81c7 | ||
|
|
a93132daae | ||
|
|
43ae7462b4 | ||
|
|
b44db460f6 | ||
|
|
8e11abca40 | ||
|
|
32a8b9a857 | ||
|
|
480ce39618 | ||
|
|
ecbce88ec7 | ||
|
|
9ff894bf83 | ||
|
|
8159098dc0 | ||
|
|
1349bf7b0b | ||
|
|
3f215d0954 | ||
|
|
093c63ea3b | ||
|
|
5ce3f9d6ff | ||
|
|
a53cbc1631 | ||
|
|
a72b1340eb | ||
|
|
d33b04cd96 | ||
|
|
2ca95166d9 | ||
|
|
57bd3f3c14 | ||
|
|
fe0e7f5eac | ||
|
|
08c3bf26d5 | ||
|
|
c8a6e837b5 | ||
|
|
701b935564 | ||
|
|
6c24699403 | ||
|
|
adb1ed380a | ||
|
|
73e940de74 | ||
|
|
26bac9f425 | ||
|
|
1385b22642 | ||
|
|
1a2e341b7c | ||
|
|
c8b1bc3a89 | ||
|
|
0a35feef76 | ||
|
|
eeac7e322a | ||
|
|
a0a1ddee86 | ||
|
|
f0ddfc9283 | ||
|
|
72f28513eb | ||
|
|
48975fa7d2 | ||
|
|
31eaa80f5b | ||
|
|
a93aabab40 | ||
|
|
919c6b4b0a | ||
|
|
10cc574289 | ||
|
|
01c13c4703 | ||
|
|
502cf38fcc | ||
|
|
1b1c3f953b | ||
|
|
b366ffa69e | ||
|
|
95d1994196 | ||
|
|
26b030f8cc | ||
|
|
dc73fcc4e8 | ||
|
|
dc58f6fa87 |
30
.github/workflows/close-stale.yml
@@ -0,0 +1,30 @@
|
|||||||
|
name: Mark stale issues
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
|
schedule:
|
||||||
|
- cron: "30 1 * * *"
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
stale:
|
||||||
|
if: github.repository == 'github/codeql'
|
||||||
|
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- uses: actions/stale@v3
|
||||||
|
with:
|
||||||
|
repo-token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `stale` label in order to avoid having this issue closed in 7 days.'
|
||||||
|
close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
|
||||||
|
days-before-stale: 14
|
||||||
|
days-before-close: 7
|
||||||
|
only-labels: question
|
||||||
|
|
||||||
|
# do not mark PRs as stale
|
||||||
|
days-before-pr-stale: -1
|
||||||
|
days-before-pr-close: -1
|
||||||
|
|
||||||
|
# Uncomment for dry-run
|
||||||
|
# debug-only: true
|
||||||
|
# operations-per-run: 1000
|
||||||
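Review bot: The `- uses: actions/stale@v3` line references a mutable tag, so each scheduled run executes whatever that tag points at; pinning to a full commit SHA and keeping the tag as a comment, `- uses: actions/stale@<full-commit-sha> # v3`, fixes the code that runs on the repository's token. The job also inherits the repository's default `GITHUB_TOKEN` scope, while PR handling is disabled via `days-before-pr-stale: -1` and `days-before-pr-close: -1`, so a job-level `permissions:` block granting only `issues: write` would limit the token to what the action needs (confirm the exact scopes against the action's documentation, since declaring the block sets every unlisted scope to none). Both points are hardening rather than functional defects in the added file.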
@@ -56,6 +56,10 @@
|
|||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
|
||||||
"python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
|
"python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
|
||||||
],
|
],
|
||||||
|
"DataFlow Java/C# Flow Summaries": [
|
||||||
|
"java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
|
||||||
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
|
||||||
|
],
|
||||||
"SsaReadPosition Java/C#": [
|
"SsaReadPosition Java/C#": [
|
||||||
"java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
|
"java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description If an exception is allocated on the heap, then it should be deleted when caught.
|
* @description If an exception is allocated on the heap, then it should be deleted when caught.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/catch-missing-free
|
* @id cpp/catch-missing-free
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
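Review bot: `cpp/catch-missing-free` carries only `@tags efficiency` in this hunk yet receives `@problem.security-severity high`; my understanding is that code scanning's security-severity ranking is applied only to queries tagged `security`, and that it expects a numeric CVSS-style score rather than a level word, so both the tag set and the value format are worth confirming before this convention is applied to every query. The same combination appears in the `cpp/new-free-mismatch`, `cpp/return-value-ignored` (`@tags reliability` / `correctness`) and `cpp/non-constant-format` (`@tags maintainability`) hunks, and in the many hunks whose visible tag line is `@tags reliability`. Each hunk shows only its first tag line, so a `security` tag may follow outside the hunk; where it does not, either adding `* security` to the tag list or dropping the severity keeps the metadata self-consistent. The query header comment continues outside the hunk in every case.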
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/offset-use-before-range-check
|
* @id cpp/offset-use-before-range-check
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/inconsistent-nullness-testing
|
* @id cpp/inconsistent-nullness-testing
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-476
|
* external/cwe/cwe-476
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/memory-may-not-be-freed
|
* @id cpp/memory-may-not-be-freed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-401
|
* external/cwe/cwe-401
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/memory-never-freed
|
* @id cpp/memory-never-freed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-401
|
* external/cwe/cwe-401
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/missing-null-test
|
* @id cpp/missing-null-test
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
|
* @problem.security-severity high
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-476
|
* external/cwe/cwe-476
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
|
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/new-free-mismatch
|
* @id cpp/new-free-mismatch
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/overflow-calculated
|
* @id cpp/overflow-calculated
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity critical
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-131
|
* external/cwe/cwe-131
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/overflow-destination
|
* @id cpp/overflow-destination
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision low
|
* @precision low
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* may result in a buffer overflow.
|
* may result in a buffer overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/static-buffer-overflow
|
* @id cpp/static-buffer-overflow
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/return-value-ignored
|
* @id cpp/return-value-ignored
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* correctness
|
* correctness
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* an instance of the type of the pointer may result in a buffer overflow
|
* an instance of the type of the pointer may result in a buffer overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/allocation-too-small
|
* @id cpp/allocation-too-small
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* multiple instances of the type of the pointer may result in a buffer overflow
|
* multiple instances of the type of the pointer may result in a buffer overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/suspicious-allocation-size
|
* @id cpp/suspicious-allocation-size
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/use-after-free
|
* @id cpp/use-after-free
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-416
|
* external/cwe/cwe-416
|
||||||
|
|||||||
@@ -7,6 +7,7 @@
|
|||||||
* overflow.
|
* overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/ambiguously-signed-bit-field
|
* @id cpp/ambiguously-signed-bit-field
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* to a larger type.
|
* to a larger type.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision very-high
|
* @precision very-high
|
||||||
* @id cpp/bad-addition-overflow-check
|
* @id cpp/bad-addition-overflow-check
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* be a sign that the result can overflow the type converted from.
|
* be a sign that the result can overflow the type converted from.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/integer-multiplication-cast-to-long
|
* @id cpp/integer-multiplication-cast-to-long
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* use the width of the base type, leading to misaligned reads.
|
* use the width of the base type, leading to misaligned reads.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
* reliability
|
* reliability
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* from an untrusted source, this can be used for exploits.
|
* from an untrusted source, this can be used for exploits.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/non-constant-format
|
* @id cpp/non-constant-format
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description A function is called, and the same operation is usually performed on the return value - for example, free, delete, close etc. However, in some cases it is not performed. These unusual cases may indicate misuse of the API and could cause resource leaks.
|
* @description A function is called, and the same operation is usually performed on the return value - for example, free, delete, close etc. However, in some cases it is not performed. These unusual cases may indicate misuse of the API and could cause resource leaks.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/inconsistent-call-on-result
|
* @id cpp/inconsistent-call-on-result
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* omitting the check could crash the program.
|
* omitting the check could crash the program.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/inconsistent-null-check
|
* @id cpp/inconsistent-null-check
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description A for-loop iteration expression goes backward with respect of the initialization statement and condition expression.
|
* @description A for-loop iteration expression goes backward with respect of the initialization statement and condition expression.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/inconsistent-loop-direction
|
* @id cpp/inconsistent-loop-direction
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description Using alloca in a loop can lead to a stack overflow
|
* @description Using alloca in a loop can lead to a stack overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/alloca-in-loop
|
* @id cpp/alloca-in-loop
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/improper-null-termination
|
* @id cpp/improper-null-termination
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-170
|
* external/cwe/cwe-170
|
||||||
* external/cwe/cwe-665
|
* external/cwe/cwe-665
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* as the third argument may result in a buffer overflow.
|
* as the third argument may result in a buffer overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/bad-strncpy-size
|
* @id cpp/bad-strncpy-size
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* as the third argument may result in a buffer overflow.
|
* as the third argument may result in a buffer overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/unsafe-strncat
|
* @id cpp/unsafe-strncat
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/uninitialized-local
|
* @id cpp/uninitialized-local
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-665
|
* external/cwe/cwe-665
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* may result in a buffer overflow
|
* may result in a buffer overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/unsafe-strcat
|
* @id cpp/unsafe-strcat
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* it should be moved before the dereference.
|
* it should be moved before the dereference.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @id cpp/redundant-null-check-simple
|
* @id cpp/redundant-null-check-simple
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* correctness
|
* correctness
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/ignore-return-value-sal
|
* @id cpp/ignore-return-value-sal
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity critical
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* external/cwe/cwe-573
|
* external/cwe/cwe-573
|
||||||
* external/cwe/cwe-252
|
* external/cwe/cwe-252
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @precision low
|
* @precision low
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @tags security external/cwe/cwe-20
|
* @tags security external/cwe/cwe-20
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @precision low
|
* @precision low
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @tags security external/cwe/cwe-20
|
* @tags security external/cwe/cwe-20
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* attacker to access unexpected resources.
|
* attacker to access unexpected resources.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/path-injection
|
* @id cpp/path-injection
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* to command injection.
|
* to command injection.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision low
|
* @precision low
|
||||||
* @id cpp/command-line-injection
|
* @id cpp/command-line-injection
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* allows for a cross-site scripting vulnerability.
|
* allows for a cross-site scripting vulnerability.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity medium
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/cgi-xss
|
* @id cpp/cgi-xss
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* to SQL Injection.
|
* to SQL Injection.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/sql-injection
|
* @id cpp/sql-injection
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* commands.
|
* commands.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/uncontrolled-process-operation
|
* @id cpp/uncontrolled-process-operation
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/overflow-buffer
|
* @id cpp/overflow-buffer
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
|
* @problem.security-severity high
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-119
|
* external/cwe/cwe-119
|
||||||
* external/cwe/cwe-121
|
* external/cwe/cwe-121
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* overflow.
|
* overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/badly-bounded-write
|
* @id cpp/badly-bounded-write
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* of data written may overflow.
|
* of data written may overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/overrunning-write
|
* @id cpp/overrunning-write
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* take extreme values.
|
* take extreme values.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/overrunning-write-with-float
|
* @id cpp/overrunning-write-with-float
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* of data written may overflow.
|
* of data written may overflow.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/unbounded-write
|
* @id cpp/unbounded-write
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* a specific value to terminate the argument list.
|
* a specific value to terminate the argument list.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/unterminated-variadic-call
|
* @id cpp/unterminated-variadic-call
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/unclear-array-index-validation
|
* @id cpp/unclear-array-index-validation
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity critical
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-129
|
* external/cwe/cwe-129
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* terminator can cause a buffer overrun.
|
* terminator can cause a buffer overrun.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/no-space-for-terminator
|
* @id cpp/no-space-for-terminator
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* or data representation problems.
|
* or data representation problems.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/tainted-format-string
|
* @id cpp/tainted-format-string
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* or data representation problems.
|
* or data representation problems.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/tainted-format-string-through-global
|
* @id cpp/tainted-format-string-through-global
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/user-controlled-null-termination-tainted
|
* @id cpp/user-controlled-null-termination-tainted
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity medium
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-170
|
* external/cwe/cwe-170
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* not validated can cause overflows.
|
* not validated can cause overflows.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision low
|
* @precision low
|
||||||
* @id cpp/tainted-arithmetic
|
* @id cpp/tainted-arithmetic
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* validated can cause overflows.
|
* validated can cause overflows.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/uncontrolled-arithmetic
|
* @id cpp/uncontrolled-arithmetic
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/arithmetic-with-extreme-values
|
* @id cpp/arithmetic-with-extreme-values
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision low
|
* @precision low
|
||||||
* @tags security
|
* @tags security
|
||||||
* reliability
|
* reliability
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* @id cpp/comparison-with-wider-type
|
* @id cpp/comparison-with-wider-type
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/integer-overflow-tainted
|
* @id cpp/integer-overflow-tainted
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision low
|
* @precision low
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-190
|
* external/cwe/cwe-190
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* user can result in integer overflow.
|
* user can result in integer overflow.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/uncontrolled-allocation-size
|
* @id cpp/uncontrolled-allocation-size
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/unsigned-difference-expression-compared-zero
|
* @id cpp/unsigned-difference-expression-compared-zero
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags security
|
* @tags security
|
||||||
* correctness
|
* correctness
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* vulnerable to spoofing attacks.
|
* vulnerable to spoofing attacks.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/user-controlled-bypass
|
* @id cpp/user-controlled-bypass
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* to an attacker.
|
* to an attacker.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/cleartext-storage-buffer
|
* @id cpp/cleartext-storage-buffer
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* an attacker to compromise security.
|
* an attacker to compromise security.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/weak-cryptographic-algorithm
|
* @id cpp/weak-cryptographic-algorithm
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* attackers to retrieve portions of memory.
|
* attackers to retrieve portions of memory.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision very-high
|
* @precision very-high
|
||||||
* @id cpp/openssl-heartbleed
|
* @id cpp/openssl-heartbleed
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* the two operations.
|
* the two operations.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/toctou-race-condition
|
* @id cpp/toctou-race-condition
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* @id cpp/unsafe-create-process-call
|
* @id cpp/unsafe-create-process-call
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @msrc.severity important
|
* @msrc.severity important
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/incorrect-string-type-conversion
|
* @id cpp/incorrect-string-type-conversion
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision high
|
* @precision high
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-704
|
* external/cwe/cwe-704
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description Creating a file that is world-writable can allow an attacker to write to the file.
|
* @description Creating a file that is world-writable can allow an attacker to write to the file.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/world-writable-file-creation
|
* @id cpp/world-writable-file-creation
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -7,6 +7,7 @@
|
|||||||
* @id cpp/unsafe-dacl-security-descriptor
|
* @id cpp/unsafe-dacl-security-descriptor
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-732
|
* external/cwe/cwe-732
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/infinite-loop-with-unsatisfiable-exit-condition
|
* @id cpp/infinite-loop-with-unsatisfiable-exit-condition
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-835
|
* external/cwe/cwe-835
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/redundant-null-check-param
|
* @id cpp/redundant-null-check-param
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
|
* @problem.security-severity high
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-476
|
* external/cwe/cwe-476
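Review bot: `@problem.security-severity high` is added to `cpp/redundant-null-check-param` while its `@problem.severity` stays `recommendation`, and the same pairing appears further down for `cpp/drop-linux-privileges-outoforder` (`recommendation` together with `critical`). The two scales are not required to agree, but a recommendation-level alert that is simultaneously rated critical is likely to confuse triage. Either `@problem.severity` should be raised for these two queries, or the reason for keeping the scales apart should be recorded in the commit message so the next person touching the metadata does not "fix" it.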
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/late-check-of-function-argument
|
* @id cpp/late-check-of-function-argument
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
* security
|
* security
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description Use of one of the scanf functions without a specified length.
|
* @description Use of one of the scanf functions without a specified length.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity critical
|
||||||
* @id cpp/memory-unsafe-function-scan
|
* @id cpp/memory-unsafe-function-scan
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description Using a multiplication result that may overflow in the size of an allocation may lead to buffer overflows when the allocated memory is used.
|
* @description Using a multiplication result that may overflow in the size of an allocation may lead to buffer overflows when the allocated memory is used.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision low
|
* @precision low
|
||||||
* @tags security
|
* @tags security
|
||||||
* correctness
|
* correctness
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* from these methods is not checked.
|
* from these methods is not checked.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
|
* @problem.security-severity critical
|
||||||
* @id cpp/drop-linux-privileges-outoforder
|
* @id cpp/drop-linux-privileges-outoforder
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-273
|
* external/cwe/cwe-273
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/memory-leak-on-failed-call-to-realloc
|
* @id cpp/memory-leak-on-failed-call-to-realloc
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
* security
|
* security
|
||||||
|
|||||||
@@ -0,0 +1,4 @@
|
|||||||
|
if(len>0 & memset(buf,0,len)) return 1; // BAD: `memset` will be called regardless of the value of the `len` variable. moreover, one cannot be sure that it will happen after verification
|
||||||
|
...
|
||||||
|
if(len>0 && memset(buf,0,len)) return 1; // GOOD: `memset` will be called after the `len` variable has been checked.
|
||||||
|
...
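Review bot: The BAD line `if(len>0 & memset(buf,0,len)) return 1;` is not valid C, because `&` requires integer operands and `memset` returns `void *`, so only the GOOD form with `&&` compiles and the sample cannot be used as a test input. Using a call that returns `int` on both lines (a constructed helper such as `checkBuf(buf,len)` would do) keeps the example compilable while still showing the unsequenced, unconditionally evaluated `&` operand. The trailing comment could also state the consequence more precisely: `// BAD: both operands of & are always evaluated, in unspecified order, so the call runs even when len <= 0`.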
|
||||||
@@ -0,0 +1,28 @@
|
|||||||
|
<!DOCTYPE qhelp PUBLIC
|
||||||
|
"-//Semmle//qhelp//EN"
|
||||||
|
"qhelp.dtd">
|
||||||
|
<qhelp>
|
||||||
|
<overview>
|
||||||
|
<p>Using bitwise operations can be a mistake in some situations. For example, if parameters are evaluated in an expression and the function should be called only upon certain test results. These bitwise operations look suspicious and require developer attention.</p>
|
||||||
|
|
||||||
|
|
||||||
|
</overview>
|
||||||
|
<recommendation>
|
||||||
|
|
||||||
|
<p>We recommend that you evaluate the correctness of using the specified bit operations.</p>
|
||||||
|
|
||||||
|
</recommendation>
|
||||||
|
<example>
|
||||||
|
<p>The following example demonstrates the erroneous and fixed use of bit and logical operations.</p>
|
||||||
|
<sample src="InsufficientControlFlowManagementWhenUsingBitOperations.c" />
|
||||||
|
|
||||||
|
</example>
|
||||||
|
<references>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
CWE Common Weakness Enumeration:
|
||||||
|
<a href="https://cwe.mitre.org/data/definitions/691.html"> CWE-691: Insufficient Control Flow Management</a>.
|
||||||
|
</li>
|
||||||
|
|
||||||
|
</references>
|
||||||
|
</qhelp>
|
||||||
@@ -0,0 +1,78 @@
|
|||||||
|
/**
|
||||||
|
* @name Errors When Using Bit Operations
|
||||||
|
* @description Unlike the binary operations `||` and `&&`, there is no sequence point after evaluating an
|
||||||
|
* operand of a bitwise operation like `|` or `&`. If left-to-right evaluation is expected this may be confusing.
|
||||||
|
* @kind problem
|
||||||
|
* @id cpp/errors-when-using-bit-operations
|
||||||
|
* @problem.severity warning
|
||||||
|
* @precision medium
|
||||||
|
* @tags correctness
|
||||||
|
* security
|
||||||
|
* external/cwe/cwe-691
|
||||||
|
*/
|
||||||
|
|
||||||
|
import cpp
|
||||||
|
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Dangerous uses of bit operations.
|
||||||
|
* For example: `if(intA>0 & intA<10 & charBuf&myFunc(charBuf[intA]))`.
|
||||||
|
* In this case, the function will be called in any case, and even the sequence of the call is not guaranteed.
|
||||||
|
*/
|
||||||
|
class DangerousBitOperations extends BinaryBitwiseOperation {
|
||||||
|
FunctionCall bfc;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The assignment indicates the conscious use of the bit operator.
|
||||||
|
* Use in comparison, conversion, or return value indicates conscious use of the bit operator.
|
||||||
|
* The use of shifts and bitwise operations on any element of an expression indicates a conscious use of the bitwise operator.
|
||||||
|
*/
|
||||||
|
DangerousBitOperations() {
|
||||||
|
bfc = this.getRightOperand() and
|
||||||
|
not this.getParent*() instanceof Assignment and
|
||||||
|
not this.getParent*() instanceof Initializer and
|
||||||
|
not this.getParent*() instanceof ReturnStmt and
|
||||||
|
not this.getParent*() instanceof EqualityOperation and
|
||||||
|
not this.getParent*() instanceof UnaryLogicalOperation and
|
||||||
|
not this.getParent*() instanceof BinaryLogicalOperation and
|
||||||
|
not this.getAChild*() instanceof BitwiseXorExpr and
|
||||||
|
not this.getAChild*() instanceof LShiftExpr and
|
||||||
|
not this.getAChild*() instanceof RShiftExpr
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Holds when part of a bit expression is used in a logical operation. */
|
||||||
|
predicate useInLogicalOperations() {
|
||||||
|
exists(BinaryLogicalOperation blop, Expr exp |
|
||||||
|
blop.getAChild*() = exp and
|
||||||
|
exp.(FunctionCall).getTarget() = bfc.getTarget() and
|
||||||
|
not exp.getParent() instanceof ComparisonOperation and
|
||||||
|
not exp.getParent() instanceof BinaryBitwiseOperation
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Holds when part of a bit expression is used as part of another supply. For example, as an argument to another function. */
|
||||||
|
predicate useInOtherCalls() {
|
||||||
|
bfc.hasQualifier() or
|
||||||
|
bfc.getTarget() instanceof Operator or
|
||||||
|
exists(FunctionCall fc | fc.getAnArgument().getAChild*() = this) or
|
||||||
|
bfc.getTarget() instanceof BuiltInFunction
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Holds when the bit expression contains both arguments and a function call. */
|
||||||
|
predicate dangerousArgumentChecking() {
|
||||||
|
not this.getLeftOperand() instanceof Call and
|
||||||
|
globalValueNumber(this.getLeftOperand().getAChild*()) = globalValueNumber(bfc.getAnArgument())
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Holds when function calls are present in the bit expression. */
|
||||||
|
predicate functionCallsInBitsExpression() {
|
||||||
|
this.getLeftOperand().getAChild*() instanceof FunctionCall
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
from DangerousBitOperations dbo
|
||||||
|
where
|
||||||
|
not dbo.useInOtherCalls() and
|
||||||
|
dbo.useInLogicalOperations() and
|
||||||
|
(not dbo.functionCallsInBitsExpression() or dbo.dangerousArgumentChecking())
|
||||||
|
select dbo, "This bitwise operation appears in a context where a Boolean operation is expected."
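Review bot: `useInLogicalOperations()` never relates `blop` to `this`: it holds whenever any call to the same target as `bfc` appears under any `&&`/`||` anywhere in the database, so a single boolean-context use of a function makes every `&`/`|` expression calling it a candidate. If that whole-program heuristic is intended, the doc comment should say so, e.g. `/** Holds if some call to the function called by `bfc`, anywhere in the program, occurs inside a logical operation and is not itself an operand of a comparison or bitwise operation. */`; if not, the `exists` needs something like `blop.getAChild*() = this`. While the rest of this compare adds `@problem.security-severity` to existing `security`-tagged queries, this new query (and the `cpp/operator-precedence-logic-error-when-use-bool-type` one below) defines none, so the two will be the odd ones out once the metadata is consumed. `functionCallsInBitsExpression` would read better as `functionCallsInBitExpression`, matching the `Bit` spelling used in the `@name`.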
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
if(len=funcReadData()==0) return 1; // BAD: variable `len` will not equal the value returned by function `funcReadData()`
|
||||||
|
...
|
||||||
|
if((len=funcReadData())==0) return 1; // GOOD: variable `len` equal the value returned by function `funcReadData()`
|
||||||
|
...
|
||||||
|
bool a=true;
|
||||||
|
a++;// BAD: variable `a` does not change its meaning
|
||||||
|
bool b;
|
||||||
|
b=-a;// BAD: variable `b` equal `true`
|
||||||
|
...
|
||||||
|
a=false;// GOOD: variable `a` equal `false`
|
||||||
|
b=!a;// GOOD: variable `b` equal `false`
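Review bot: The comment on `a++;` (`// BAD: variable a does not change its meaning`) does not say what actually goes wrong, whereas the accompanying qhelp states the concrete effect; `// BAD: incrementing a bool always yields true` would match it. Likewise `b=-a;// BAD: variable b equal true` is clearer as `// BAD: -a is -1, which converts back to true, so the minus has no effect`. The snippet uses `bool` in a `.c` file, so it presumably relies on `<stdbool.h>`; fine if the sample is meant to be illustrative only.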
|
||||||
@@ -0,0 +1,28 @@
|
|||||||
|
<!DOCTYPE qhelp PUBLIC
|
||||||
|
"-//Semmle//qhelp//EN"
|
||||||
|
"qhelp.dtd">
|
||||||
|
<qhelp>
|
||||||
|
<overview>
|
||||||
|
<p>Finding places of confusing use of boolean type. For example, a unary minus does not work before a boolean type and an increment always gives true.</p>
|
||||||
|
|
||||||
|
|
||||||
|
</overview>
|
||||||
|
<recommendation>
|
||||||
|
|
||||||
|
<p>we recommend making the code simpler.</p>
|
||||||
|
|
||||||
|
</recommendation>
|
||||||
|
<example>
|
||||||
|
<p>The following example demonstrates erroneous and fixed methods for using a boolean data type.</p>
|
||||||
|
<sample src="OperatorPrecedenceLogicErrorWhenUseBoolType.c" />
|
||||||
|
|
||||||
|
</example>
|
||||||
|
<references>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
CERT C Coding Standard:
|
||||||
|
<a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP00-C.+Use+parentheses+for+precedence+of+operation">EXP00-C. Use parentheses for precedence of operation</a>.
|
||||||
|
</li>
|
||||||
|
|
||||||
|
</references>
|
||||||
|
</qhelp>
|
||||||
@@ -0,0 +1,54 @@
|
|||||||
|
/**
|
||||||
|
* @name Operator Precedence Logic Error When Use Bool Type
|
||||||
|
* @description --Finding places of confusing use of boolean type.
|
||||||
|
* --For example, a unary minus does not work before a boolean type and an increment always gives true.
|
||||||
|
* @kind problem
|
||||||
|
* @id cpp/operator-precedence-logic-error-when-use-bool-type
|
||||||
|
* @problem.severity warning
|
||||||
|
* @precision medium
|
||||||
|
* @tags correctness
|
||||||
|
* security
|
||||||
|
* external/cwe/cwe-783
|
||||||
|
* external/cwe/cwe-480
|
||||||
|
*/
|
||||||
|
|
||||||
|
import cpp
|
||||||
|
import semmle.code.cpp.valuenumbering.HashCons
|
||||||
|
|
||||||
|
/** Holds if `exp` increments a boolean value. */
|
||||||
|
predicate incrementBoolType(IncrementOperation exp) {
|
||||||
|
exp.getOperand().getType() instanceof BoolType
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Holds if `exp` applies the unary minus operator to a boolean type. */
|
||||||
|
predicate revertSignBoolType(UnaryMinusExpr exp) {
|
||||||
|
exp.getAnOperand().getType() instanceof BoolType and
|
||||||
|
exp.getFullyConverted().getType() instanceof BoolType
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Holds, if this is an expression, uses comparison and assignment outside of execution precedence. */
|
||||||
|
predicate assignBoolType(Expr exp) {
|
||||||
|
exists(ComparisonOperation co |
|
||||||
|
exp.(AssignExpr).getRValue() = co and
|
||||||
|
exp.isCondition() and
|
||||||
|
not co.isParenthesised() and
|
||||||
|
not exp.(AssignExpr).getLValue().getType() instanceof BoolType and
|
||||||
|
not exists(Expr exbl |
|
||||||
|
hashCons(exbl.(AssignExpr).getLValue()) = hashCons(exp.(AssignExpr).getLValue()) and
|
||||||
|
not exbl.isCondition() and
|
||||||
|
exbl.(AssignExpr).getRValue().getType() instanceof BoolType and
|
||||||
|
exbl.(AssignExpr).getLValue().getType() = exp.(AssignExpr).getLValue().getType()
|
||||||
|
) and
|
||||||
|
co.getLeftOperand() instanceof FunctionCall and
|
||||||
|
not co.getRightOperand().getType() instanceof BoolType and
|
||||||
|
not co.getRightOperand().getValue() = "0" and
|
||||||
|
not co.getRightOperand().getValue() = "1"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
from Expr exp
|
||||||
|
where
|
||||||
|
incrementBoolType(exp) or
|
||||||
|
revertSignBoolType(exp) or
|
||||||
|
assignBoolType(exp)
|
||||||
|
select exp, "this expression needs attention"
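Review bot: `assignBoolType` excludes comparisons against `0` and `1` (`not co.getRightOperand().getValue() = "0"` and the `"1"` counterpart), so an expression shaped like `if(len=funcReadData()==0)` — the BAD case in the sample that the new qhelp appears to reference — would not be reported; either the exclusion or the sample needs to change, or the doc comment should explain why `== 0` is deliberately out of scope. The `@description` lines still carry `--` list markers (`--Finding places...`, `--For example...`) that will show up verbatim in the query help; drop them. The alert message `this expression needs attention` does not tell the user which of the three patterns fired; a message per predicate, or at least `Confusing use of a boolean value: increment, unary minus, or unparenthesised assignment of a comparison result.`, would be more actionable. The doc comment on `assignBoolType` is hard to parse; `/** Holds if `exp` is an assignment used as a condition whose right-hand side is an unparenthesised comparison, so the assigned value is the comparison result rather than the compared value. */` states what the predicate checks.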
|
||||||
@@ -3,7 +3,7 @@
|
|||||||
* @description The expression `buffer [strlen (buffer)] = 0` is potentially dangerous, if the variable `buffer` does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
|
* @description The expression `buffer [strlen (buffer)] = 0` is potentially dangerous, if the variable `buffer` does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
|
||||||
* If terminal zero is present, then the specified expression is meaningless.
|
* If terminal zero is present, then the specified expression is meaningless.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/access-memory-location-after-end-buffer
|
* @id cpp/access-memory-location-after-end-buffer-strlen
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
* @name Access Of Memory Location After The End Of A Buffer Using Strncat
|
* @name Access Of Memory Location After The End Of A Buffer Using Strncat
|
||||||
* @description Calls of the form `strncat(dest, source, sizeof (dest) - strlen (dest))` set the third argument to one more than possible. So when `dest` is full, the expression `sizeof(dest) - strlen (dest)` will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the `dest` buffer.
|
* @description Calls of the form `strncat(dest, source, sizeof (dest) - strlen (dest))` set the third argument to one more than possible. So when `dest` is full, the expression `sizeof(dest) - strlen (dest)` will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the `dest` buffer.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/access-memory-location-after-end-buffer
|
* @id cpp/access-memory-location-after-end-buffer-strncat
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description All resources acquired by a class should be released by its destructor. Avoid the use of the 'open / close' pattern, since C++ constructors and destructors provide a safer way to handle resource acquisition and release. Best practice in C++ is to use the 'RAII' technique: constructors allocate resources and destructors free them.
|
* @description All resources acquired by a class should be released by its destructor. Avoid the use of the 'open / close' pattern, since C++ constructors and destructors provide a safer way to handle resource acquisition and release. Best practice in C++ is to use the 'RAII' technique: constructors allocate resources and destructors free them.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/resource-not-released-in-destructor
|
* @id cpp/resource-not-released-in-destructor
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
* may result in unexpected sign extension or overflow.
|
* may result in unexpected sign extension or overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision low
|
* @precision low
|
||||||
* @id cpp/signed-bit-field
|
* @id cpp/signed-bit-field
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
|
|||||||
@@ -15,6 +15,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
private import cpp
|
private import cpp
|
||||||
|
private import semmle.code.cpp.models.interfaces.PointerWrapper
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if `f` is an instantiation of the `std::move` or `std::forward`
|
* Holds if `f` is an instantiation of the `std::move` or `std::forward`
|
||||||
@@ -94,6 +95,12 @@ private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
|
|||||||
|
|
||||||
private predicate lvalueToReferenceStep(Expr lvalueIn, Expr referenceOut) {
|
private predicate lvalueToReferenceStep(Expr lvalueIn, Expr referenceOut) {
|
||||||
lvalueIn.getConversion() = referenceOut.(ReferenceToExpr)
|
lvalueIn.getConversion() = referenceOut.(ReferenceToExpr)
|
||||||
|
or
|
||||||
|
exists(PointerWrapper wrapper, Call call | call = referenceOut |
|
||||||
|
referenceOut.getUnspecifiedType() instanceof ReferenceType and
|
||||||
|
call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
|
||||||
|
lvalueIn = call.getQualifier().getFullyConverted()
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate referenceToLvalueStep(Expr referenceIn, Expr lvalueOut) {
|
private predicate referenceToLvalueStep(Expr referenceIn, Expr lvalueOut) {
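Review bot: The new `or` branch in `lvalueToReferenceStep` has no comment, unlike the parallel additions in `referenceToPointerStep` and `pointerToUpdate`, so a reader has to infer from `getAnUnwrapperFunction()` why a call's qualifier becomes the lvalue. Something like `// A call to an unwrapper function of a pointer wrapper returns a reference (presumably to the wrapped object); treat the wrapper, i.e. the qualifier, as the lvalue being converted.` above the `exists` would do. Note that `call.getQualifier()` must exist for the branch to hold, so unwrapper calls without a qualifier are silently not covered; fine if every unwrapper is a member function, but worth confirming against `PointerWrapper`.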
|
||||||
@@ -106,6 +113,13 @@ private predicate referenceToPointerStep(Expr referenceIn, Expr pointerOut) {
|
|||||||
stdAddressOf(call.getTarget()) and
|
stdAddressOf(call.getTarget()) and
|
||||||
referenceIn = call.getArgument(0).getFullyConverted()
|
referenceIn = call.getArgument(0).getFullyConverted()
|
||||||
)
|
)
|
||||||
|
or
|
||||||
|
exists(CopyConstructor copy, Call call | call = pointerOut |
|
||||||
|
copy.getDeclaringType() instanceof PointerWrapper and
|
||||||
|
call.getTarget() = copy and
|
||||||
|
// The 0'th argument is the value being copied.
|
||||||
|
referenceIn = call.getArgument(0).getFullyConverted()
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate referenceToReferenceStep(Expr referenceIn, Expr referenceOut) {
|
private predicate referenceToReferenceStep(Expr referenceIn, Expr referenceOut) {
|
||||||
@@ -190,6 +204,19 @@ private predicate pointerToUpdate(Expr pointer, Expr outer, ControlFlowNode node
|
|||||||
// See the `lvalueToUpdate` case for an explanation of this conjunct.
|
// See the `lvalueToUpdate` case for an explanation of this conjunct.
|
||||||
call.getType().isDeeplyConstBelow()
|
call.getType().isDeeplyConstBelow()
|
||||||
)
|
)
|
||||||
|
or
|
||||||
|
// Pointer wrappers behave as raw pointers for dataflow purposes.
|
||||||
|
outer = call.getAnArgument().getFullyConverted() and
|
||||||
|
exists(PointerWrapper wrapper | wrapper = outer.getType().stripTopLevelSpecifiers() |
|
||||||
|
not wrapper.pointsToConst()
|
||||||
|
)
|
||||||
|
or
|
||||||
|
outer = call.getQualifier().getFullyConverted() and
|
||||||
|
outer.getUnspecifiedType() instanceof PointerWrapper and
|
||||||
|
not (
|
||||||
|
call.getTarget().hasSpecifier("const") and
|
||||||
|
call.getType().isDeeplyConstBelow()
|
||||||
|
)
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
exists(PointerFieldAccess fa |
|
exists(PointerFieldAccess fa |
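Review bot: The two new disjuncts normalise the wrapper type differently — the argument case uses `outer.getType().stripTopLevelSpecifiers()`, the qualifier case `outer.getUnspecifiedType()` — so, unless `stripTopLevelSpecifiers()` also resolves typedefs (not visible here), an argument whose static type is a typedef of a `PointerWrapper` would match only the second form. Using `getUnspecifiedType()` in both (`exists(PointerWrapper wrapper | wrapper = outer.getUnspecifiedType() | not wrapper.pointsToConst())`) keeps them consistent with each other and with the `rt.getBaseType().getUnspecifiedType()` check in the `referenceToUpdate` hunk. The qualifier branch also lacks the comment the argument branch has; `// A member call on a wrapper may write through the wrapped pointer, unless the method is const and its result is deeply const.` would document the `not (...)` test, and the new `or` in `referenceToUpdate` is missing the same explanation. The enclosing `exists(Call call | ...)` begins before this hunk.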
|
||||||
@@ -218,7 +245,9 @@ private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode
|
|||||||
not stdIdentityFunction(call.getTarget()) and
|
not stdIdentityFunction(call.getTarget()) and
|
||||||
not stdAddressOf(call.getTarget()) and
|
not stdAddressOf(call.getTarget()) and
|
||||||
exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() |
|
exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() |
|
||||||
not rt.getBaseType().isConst()
|
not rt.getBaseType().isConst() or
|
||||||
|
rt.getBaseType().getUnspecifiedType() =
|
||||||
|
any(PointerWrapper wrapper | not wrapper.pointsToConst())
|
||||||
)
|
)
|
||||||
) and
|
) and
|
||||||
reference = outer
|
reference = outer
|
||||||
|
|||||||
@@ -2133,11 +2133,8 @@ private module Stage4 {
|
|||||||
|
|
||||||
bindingset[node, cc, config]
|
bindingset[node, cc, config]
|
||||||
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
||||||
exists(Cc cc0 |
|
localFlowEntry(node, config) and
|
||||||
cc = pragma[only_bind_into](cc0) and
|
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
|
||||||
localFlowEntry(node, config) and
|
|
||||||
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate localStep(
|
private predicate localStep(
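Review bot: The `pragma[only_bind_out](cc)` kept in `getLocalCc` and newly added in the `pathStep` hunk below carries no comment saying what it prevents, and binding pragmas without a rationale are exactly what the next maintainer removes as noise. A one-liner next to each, such as `// cc is already bound here; only_bind_out keeps the optimizer from trying to bind it through this call`, would record the intent, and if that reading of the pragma is wrong the comment should state the real reason instead. The same two hunks are repeated in the four later copies of this file on this page and should carry the same comment.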
|
||||||
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
|
|||||||
conf = mid.getConfiguration() and
|
conf = mid.getConfiguration() and
|
||||||
cc = mid.getCallContext() and
|
cc = mid.getCallContext() and
|
||||||
sc = mid.getSummaryCtx() and
|
sc = mid.getSummaryCtx() and
|
||||||
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
|
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
|
||||||
ap0 = mid.getAp()
|
ap0 = mid.getAp()
|
||||||
|
|
|
|
||||||
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
||||||
|
|||||||
@@ -2133,11 +2133,8 @@ private module Stage4 {
|
|||||||
|
|
||||||
bindingset[node, cc, config]
|
bindingset[node, cc, config]
|
||||||
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
||||||
exists(Cc cc0 |
|
localFlowEntry(node, config) and
|
||||||
cc = pragma[only_bind_into](cc0) and
|
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
|
||||||
localFlowEntry(node, config) and
|
|
||||||
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate localStep(
|
private predicate localStep(
|
||||||
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
|
|||||||
conf = mid.getConfiguration() and
|
conf = mid.getConfiguration() and
|
||||||
cc = mid.getCallContext() and
|
cc = mid.getCallContext() and
|
||||||
sc = mid.getSummaryCtx() and
|
sc = mid.getSummaryCtx() and
|
||||||
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
|
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
|
||||||
ap0 = mid.getAp()
|
ap0 = mid.getAp()
|
||||||
|
|
|
|
||||||
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
||||||
|
|||||||
@@ -2133,11 +2133,8 @@ private module Stage4 {
|
|||||||
|
|
||||||
bindingset[node, cc, config]
|
bindingset[node, cc, config]
|
||||||
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
||||||
exists(Cc cc0 |
|
localFlowEntry(node, config) and
|
||||||
cc = pragma[only_bind_into](cc0) and
|
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
|
||||||
localFlowEntry(node, config) and
|
|
||||||
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate localStep(
|
private predicate localStep(
|
||||||
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
|
|||||||
conf = mid.getConfiguration() and
|
conf = mid.getConfiguration() and
|
||||||
cc = mid.getCallContext() and
|
cc = mid.getCallContext() and
|
||||||
sc = mid.getSummaryCtx() and
|
sc = mid.getSummaryCtx() and
|
||||||
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
|
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
|
||||||
ap0 = mid.getAp()
|
ap0 = mid.getAp()
|
||||||
|
|
|
|
||||||
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
||||||
|
|||||||
@@ -2133,11 +2133,8 @@ private module Stage4 {
|
|||||||
|
|
||||||
bindingset[node, cc, config]
|
bindingset[node, cc, config]
|
||||||
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
||||||
exists(Cc cc0 |
|
localFlowEntry(node, config) and
|
||||||
cc = pragma[only_bind_into](cc0) and
|
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
|
||||||
localFlowEntry(node, config) and
|
|
||||||
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate localStep(
|
private predicate localStep(
|
||||||
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
|
|||||||
conf = mid.getConfiguration() and
|
conf = mid.getConfiguration() and
|
||||||
cc = mid.getCallContext() and
|
cc = mid.getCallContext() and
|
||||||
sc = mid.getSummaryCtx() and
|
sc = mid.getSummaryCtx() and
|
||||||
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
|
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
|
||||||
ap0 = mid.getAp()
|
ap0 = mid.getAp()
|
||||||
|
|
|
|
||||||
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
||||||
|
|||||||
@@ -2133,11 +2133,8 @@ private module Stage4 {
|
|||||||
|
|
||||||
bindingset[node, cc, config]
|
bindingset[node, cc, config]
|
||||||
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
||||||
exists(Cc cc0 |
|
localFlowEntry(node, config) and
|
||||||
cc = pragma[only_bind_into](cc0) and
|
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
|
||||||
localFlowEntry(node, config) and
|
|
||||||
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate localStep(
|
private predicate localStep(
|
||||||
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
|
|||||||
conf = mid.getConfiguration() and
|
conf = mid.getConfiguration() and
|
||||||
cc = mid.getCallContext() and
|
cc = mid.getCallContext() and
|
||||||
sc = mid.getSummaryCtx() and
|
sc = mid.getSummaryCtx() and
|
||||||
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
|
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
|
||||||
ap0 = mid.getAp()
|
ap0 = mid.getAp()
|
||||||
|
|
|
|
||||||
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
||||||
|
|||||||
@@ -46,7 +46,7 @@ class Node extends TNode {
|
|||||||
/**
|
/**
|
||||||
* INTERNAL: Do not use. Alternative name for `getFunction`.
|
* INTERNAL: Do not use. Alternative name for `getFunction`.
|
||||||
*/
|
*/
|
||||||
final Function getEnclosingCallable() { result = unique(Function f | f = this.getFunction() | f) }
|
final Function getEnclosingCallable() { result = this.getFunction() }
|
||||||
|
|
||||||
/** Gets the type of this node. */
|
/** Gets the type of this node. */
|
||||||
Type getType() { none() } // overridden in subclasses
|
Type getType() { none() } // overridden in subclasses
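Review bot: Dropping the `unique(...)` wrapper changes `getEnclosingCallable()` from having no result to having several when `getFunction()` yields more than one `Function` for a node; whether `getFunction()` (outside this hunk) is single-valued for every node kind is not visible here and should be confirmed, because a multi-valued callable would, for example, make `getNodeEnclosingCallable(node1) = getNodeEnclosingCallable(node2)` in the `FieldFlow` hunk below hold whenever any pair of candidates matches. If single-valuedness is guaranteed, a short note on the method (`// getFunction() has exactly one result per node, so no unique() guard is needed`) would stop the guard from being re-added.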
|
||||||
@@ -324,7 +324,7 @@ private class VariablePartialDefinitionNode extends PartialDefinitionNode {
|
|||||||
* A synthetic data flow node used for flow into a collection when an iterator
|
* A synthetic data flow node used for flow into a collection when an iterator
|
||||||
* write occurs in a callee.
|
* write occurs in a callee.
|
||||||
*/
|
*/
|
||||||
class IteratorPartialDefinitionNode extends PartialDefinitionNode {
|
private class IteratorPartialDefinitionNode extends PartialDefinitionNode {
|
||||||
override IteratorPartialDefinition pd;
|
override IteratorPartialDefinition pd;
|
||||||
|
|
||||||
override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
|
override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
|
||||||
@@ -715,6 +715,7 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private module FieldFlow {
|
private module FieldFlow {
|
||||||
|
private import DataFlowImplCommon
|
||||||
private import DataFlowImplLocal
|
private import DataFlowImplLocal
|
||||||
private import DataFlowPrivate
|
private import DataFlowPrivate
|
||||||
|
|
||||||
@@ -747,7 +748,7 @@ private module FieldFlow {
|
|||||||
exists(FieldConfiguration cfg | cfg.hasFlow(node1, node2)) and
|
exists(FieldConfiguration cfg | cfg.hasFlow(node1, node2)) and
|
||||||
// This configuration should not be able to cross function boundaries, but
|
// This configuration should not be able to cross function boundaries, but
|
||||||
// we double-check here just to be sure.
|
// we double-check here just to be sure.
|
||||||
node1.getEnclosingCallable() = node2.getEnclosingCallable()
|
getNodeEnclosingCallable(node1) = getNodeEnclosingCallable(node2)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -7,6 +7,7 @@ private import semmle.code.cpp.controlflow.SSA
|
|||||||
private import semmle.code.cpp.dataflow.internal.SubBasicBlocks
|
private import semmle.code.cpp.dataflow.internal.SubBasicBlocks
|
||||||
private import semmle.code.cpp.dataflow.internal.AddressFlow
|
private import semmle.code.cpp.dataflow.internal.AddressFlow
|
||||||
private import semmle.code.cpp.models.implementations.Iterator
|
private import semmle.code.cpp.models.implementations.Iterator
|
||||||
|
private import semmle.code.cpp.models.interfaces.PointerWrapper
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A conceptual variable that is assigned only once, like an SSA variable. This
|
* A conceptual variable that is assigned only once, like an SSA variable. This
|
||||||
@@ -158,18 +159,14 @@ private module PartialDefinitions {
|
|||||||
Expr innerDefinedExpr;
|
Expr innerDefinedExpr;
|
||||||
|
|
||||||
IteratorPartialDefinition() {
|
IteratorPartialDefinition() {
|
||||||
exists(Expr convertedInner |
|
innerDefinedExpr = getInnerDefinedExpr(this, node) and
|
||||||
not this instanceof Conversion and
|
(
|
||||||
valueToUpdate(convertedInner, this.getFullyConverted(), node) and
|
innerDefinedExpr.(Call).getQualifier() = getAnIteratorAccess(collection)
|
||||||
innerDefinedExpr = convertedInner.getUnconverted() and
|
or
|
||||||
(
|
innerDefinedExpr.(Call).getQualifier() = collection.getAnAccess() and
|
||||||
innerDefinedExpr.(Call).getQualifier() = getAnIteratorAccess(collection)
|
collection instanceof IteratorParameter
|
||||||
or
|
) and
|
||||||
innerDefinedExpr.(Call).getQualifier() = collection.getAnAccess() and
|
innerDefinedExpr.(Call).getTarget() instanceof IteratorPointerDereferenceMemberOperator
|
||||||
collection instanceof IteratorParameter
|
|
||||||
) and
|
|
||||||
innerDefinedExpr.(Call).getTarget() instanceof IteratorPointerDereferenceMemberOperator
|
|
||||||
)
|
|
||||||
or
|
or
|
||||||
// iterators passed by value without a copy constructor
|
// iterators passed by value without a copy constructor
|
||||||
exists(Call call |
|
exists(Call call |
|
||||||
@@ -207,16 +204,18 @@ private module PartialDefinitions {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Expr getInnerDefinedExpr(Expr e, ControlFlowNode node) {
|
||||||
|
not e instanceof Conversion and
|
||||||
|
exists(Expr convertedInner |
|
||||||
|
valueToUpdate(convertedInner, e.getFullyConverted(), node) and
|
||||||
|
result = convertedInner.getUnconverted()
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
class VariablePartialDefinition extends PartialDefinition {
|
class VariablePartialDefinition extends PartialDefinition {
|
||||||
Expr innerDefinedExpr;
|
Expr innerDefinedExpr;
|
||||||
|
|
||||||
VariablePartialDefinition() {
|
VariablePartialDefinition() { innerDefinedExpr = getInnerDefinedExpr(this, node) }
|
||||||
not this instanceof Conversion and
|
|
||||||
exists(Expr convertedInner |
|
|
||||||
valueToUpdate(convertedInner, this.getFullyConverted(), node) and
|
|
||||||
innerDefinedExpr = convertedInner.getUnconverted()
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
deprecated override predicate partiallyDefines(Variable v) {
|
deprecated override predicate partiallyDefines(Variable v) {
|
||||||
innerDefinedExpr = v.getAnAccess()
|
innerDefinedExpr = v.getAnAccess()
|
||||||
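Review bot: The new private predicate `getInnerDefinedExpr(Expr e, ControlFlowNode node)` at the top of this hunk has no QLDoc, although the two constructors that now delegate to it (`VariablePartialDefinition` here and `IteratorPartialDefinition` in the previous hunk) no longer show the `Conversion` exclusion inline. Suggest `/** Gets the unconverted form of an expression that is updated via `e.getFullyConverted()` at `node` (see `valueToUpdate`); `e` itself must not be a `Conversion`. */` above the predicate.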
@@ -296,7 +295,8 @@ module FlowVar_internal {
|
|||||||
// treating them as immutable, but for data flow it gives better results in
|
// treating them as immutable, but for data flow it gives better results in
|
||||||
// practice to make the variable synonymous with its contents.
|
// practice to make the variable synonymous with its contents.
|
||||||
not v.getUnspecifiedType() instanceof ReferenceType and
|
not v.getUnspecifiedType() instanceof ReferenceType and
|
||||||
not v instanceof IteratorParameter
|
not v instanceof IteratorParameter and
|
||||||
|
not v instanceof PointerWrapperParameter
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -644,10 +644,19 @@ module FlowVar_internal {
|
|||||||
predicate parameterIsNonConstReference(Parameter p) {
|
predicate parameterIsNonConstReference(Parameter p) {
|
||||||
exists(ReferenceType refType |
|
exists(ReferenceType refType |
|
||||||
refType = p.getUnderlyingType() and
|
refType = p.getUnderlyingType() and
|
||||||
not refType.getBaseType().isConst()
|
(
|
||||||
|
not refType.getBaseType().isConst()
|
||||||
|
or
|
||||||
|
// A field of a parameter of type `const std::shared_ptr<A>& p` can still be changed even though
|
||||||
|
// the base type of the reference is `const`.
|
||||||
|
refType.getBaseType().getUnspecifiedType() =
|
||||||
|
any(PointerWrapper wrapper | not wrapper.pointsToConst())
|
||||||
|
)
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
p instanceof IteratorParameter
|
p instanceof IteratorParameter
|
||||||
|
or
|
||||||
|
p instanceof PointerWrapperParameter
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
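Review bot: `parameterIsNonConstReference` now also holds for a `PointerWrapperParameter` and for a `const` reference whose base type is a non-const `PointerWrapper`, neither of which is a non-const reference, so the predicate name and presumably its QLDoc (which sits above this hunk) no longer describe what it computes. A doc sentence such as `Holds if `p` is a non-const reference parameter, or a parameter whose pointee can be modified through an iterator or pointer wrapper (for example `const std::shared_ptr<A>&`).` would close the gap; renaming is optional since `IteratorParameter` already stretched the name before this change.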
@@ -836,6 +845,10 @@ module FlowVar_internal {
|
|||||||
IteratorParameter() { this.getUnspecifiedType() instanceof Iterator }
|
IteratorParameter() { this.getUnspecifiedType() instanceof Iterator }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
class PointerWrapperParameter extends Parameter {
|
||||||
|
PointerWrapperParameter() { this.getUnspecifiedType() instanceof PointerWrapper }
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if `v` is initialized to have value `assignedExpr`.
|
* Holds if `v` is initialized to have value `assignedExpr`.
|
||||||
*/
|
*/
|
||||||
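Review bot: `class PointerWrapperParameter extends Parameter` is added without a QLDoc comment, although it is referenced from `parameterIsNonConstReference` and the `ReferenceType` exclusion elsewhere in this commit. A one-liner is enough, e.g. `/** A parameter whose unspecified type is a `PointerWrapper` (for example a smart pointer). */`.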
|
|||||||
@@ -11,6 +11,7 @@
|
|||||||
private import semmle.code.cpp.models.interfaces.DataFlow
|
private import semmle.code.cpp.models.interfaces.DataFlow
|
||||||
private import semmle.code.cpp.models.interfaces.Taint
|
private import semmle.code.cpp.models.interfaces.Taint
|
||||||
private import semmle.code.cpp.models.interfaces.Iterator
|
private import semmle.code.cpp.models.interfaces.Iterator
|
||||||
|
private import semmle.code.cpp.models.interfaces.PointerWrapper
|
||||||
|
|
||||||
private module DataFlow {
|
private module DataFlow {
|
||||||
import semmle.code.cpp.dataflow.internal.DataFlowUtil
|
import semmle.code.cpp.dataflow.internal.DataFlowUtil
|
||||||
@@ -141,7 +142,10 @@ private predicate noFlowFromChildExpr(Expr e) {
|
|||||||
or
|
or
|
||||||
e instanceof LogicalOrExpr
|
e instanceof LogicalOrExpr
|
||||||
or
|
or
|
||||||
e instanceof Call
|
// Allow taint from `operator*` on smart pointers.
|
||||||
|
exists(Call call | e = call |
|
||||||
|
not call.getTarget() = any(PointerWrapper wrapper).getAnUnwrapperFunction()
|
||||||
|
)
|
||||||
or
|
or
|
||||||
e instanceof SizeofOperator
|
e instanceof SizeofOperator
|
||||||
or
|
or
|
||||||
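Review bot: The comment `// Allow taint from `operator*` on smart pointers.` is narrower than the condition it explains: the exclusion is `not call.getTarget() = any(PointerWrapper wrapper).getAnUnwrapperFunction()`, so every function `getAnUnwrapperFunction()` models (presumably more than `operator*`) is let through. Suggest `// Allow taint through a pointer wrapper's unwrapper functions (e.g. `operator*` on a smart pointer).` A `Call` with no resolved target still satisfies the negated equality, so such calls stay blocked exactly as before the change.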
|
|||||||
@@ -314,6 +314,7 @@ class OverloadedPointerDereferenceFunction extends Function {
|
|||||||
* T1 operator*(const T2 &);
|
* T1 operator*(const T2 &);
|
||||||
* T1 a; T2 b;
|
* T1 a; T2 b;
|
||||||
* a = *b;
|
* a = *b;
|
||||||
|
* ```
|
||||||
*/
|
*/
|
||||||
class OverloadedPointerDereferenceExpr extends FunctionCall {
|
class OverloadedPointerDereferenceExpr extends FunctionCall {
|
||||||
OverloadedPointerDereferenceExpr() {
|
OverloadedPointerDereferenceExpr() {
|
||||||
|
|||||||
@@ -2133,11 +2133,8 @@ private module Stage4 {
|
|||||||
|
|
||||||
bindingset[node, cc, config]
|
bindingset[node, cc, config]
|
||||||
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
||||||
exists(Cc cc0 |
|
localFlowEntry(node, config) and
|
||||||
cc = pragma[only_bind_into](cc0) and
|
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
|
||||||
localFlowEntry(node, config) and
|
|
||||||
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate localStep(
|
private predicate localStep(
|
||||||
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
|
|||||||
conf = mid.getConfiguration() and
|
conf = mid.getConfiguration() and
|
||||||
cc = mid.getCallContext() and
|
cc = mid.getCallContext() and
|
||||||
sc = mid.getSummaryCtx() and
|
sc = mid.getSummaryCtx() and
|
||||||
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
|
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
|
||||||
ap0 = mid.getAp()
|
ap0 = mid.getAp()
|
||||||
|
|
|
|
||||||
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
||||||
|
|||||||
@@ -2133,11 +2133,8 @@ private module Stage4 {
|
|||||||
|
|
||||||
bindingset[node, cc, config]
|
bindingset[node, cc, config]
|
||||||
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
||||||
exists(Cc cc0 |
|
localFlowEntry(node, config) and
|
||||||
cc = pragma[only_bind_into](cc0) and
|
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
|
||||||
localFlowEntry(node, config) and
|
|
||||||
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate localStep(
|
private predicate localStep(
|
||||||
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
|
|||||||
conf = mid.getConfiguration() and
|
conf = mid.getConfiguration() and
|
||||||
cc = mid.getCallContext() and
|
cc = mid.getCallContext() and
|
||||||
sc = mid.getSummaryCtx() and
|
sc = mid.getSummaryCtx() and
|
||||||
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
|
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
|
||||||
ap0 = mid.getAp()
|
ap0 = mid.getAp()
|
||||||
|
|
|
|
||||||
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
||||||
|
|||||||
@@ -2133,11 +2133,8 @@ private module Stage4 {
|
|||||||
|
|
||||||
bindingset[node, cc, config]
|
bindingset[node, cc, config]
|
||||||
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
||||||
exists(Cc cc0 |
|
localFlowEntry(node, config) and
|
||||||
cc = pragma[only_bind_into](cc0) and
|
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
|
||||||
localFlowEntry(node, config) and
|
|
||||||
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate localStep(
|
private predicate localStep(
|
||||||
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
|
|||||||
conf = mid.getConfiguration() and
|
conf = mid.getConfiguration() and
|
||||||
cc = mid.getCallContext() and
|
cc = mid.getCallContext() and
|
||||||
sc = mid.getSummaryCtx() and
|
sc = mid.getSummaryCtx() and
|
||||||
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
|
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
|
||||||
ap0 = mid.getAp()
|
ap0 = mid.getAp()
|
||||||
|
|
|
|
||||||
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
||||||
|
|||||||
@@ -2133,11 +2133,8 @@ private module Stage4 {
|
|||||||
|
|
||||||
bindingset[node, cc, config]
|
bindingset[node, cc, config]
|
||||||
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
|
||||||
exists(Cc cc0 |
|
localFlowEntry(node, config) and
|
||||||
cc = pragma[only_bind_into](cc0) and
|
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
|
||||||
localFlowEntry(node, config) and
|
|
||||||
result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate localStep(
|
private predicate localStep(
|
||||||
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
|
|||||||
conf = mid.getConfiguration() and
|
conf = mid.getConfiguration() and
|
||||||
cc = mid.getCallContext() and
|
cc = mid.getCallContext() and
|
||||||
sc = mid.getSummaryCtx() and
|
sc = mid.getSummaryCtx() and
|
||||||
localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
|
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
|
||||||
ap0 = mid.getAp()
|
ap0 = mid.getAp()
|
||||||
|
|
|
|
||||||
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
localFlowBigStep(midnode, node, true, _, conf, localCC) and
|
||||||
|
|||||||
@@ -362,15 +362,22 @@ private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to.
|
* Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to.
|
||||||
* For instance, an update to a field of a struct containing only one field. For these cases we
|
* For instance, an update to a field of a struct containing only one field. Even if the store does
|
||||||
* attach the PostUpdateNode to the store instruction. There's no obvious pre update node for this case
|
* have a chi instruction, a subsequent use of the result of the store may be linked directly to the
|
||||||
* (as the entire memory is updated), so `getPreUpdateNode` is implemented as `none()`.
|
* result of the store as an inexact definition if the store totally overlaps the use. For these
|
||||||
|
* cases we attach the PostUpdateNode to the store instruction. There's no obvious pre update node
|
||||||
|
* for this case (as the entire memory is updated), so `getPreUpdateNode` is implemented as
|
||||||
|
* `none()`.
|
||||||
*/
|
*/
|
||||||
private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode {
|
private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode {
|
||||||
override StoreInstruction instr;
|
override StoreInstruction instr;
|
||||||
|
|
||||||
ExplicitSingleFieldStoreQualifierNode() {
|
ExplicitSingleFieldStoreQualifierNode() {
|
||||||
not exists(ChiInstruction chi | chi.getPartial() = instr) and
|
(
|
||||||
|
instr.getAUse().isDefinitionInexact()
|
||||||
|
or
|
||||||
|
not exists(ChiInstruction chi | chi.getPartial() = instr)
|
||||||
|
) and
|
||||||
// Without this condition any store would create a `PostUpdateNode`.
|
// Without this condition any store would create a `PostUpdateNode`.
|
||||||
instr.getDestinationAddress() instanceof FieldAddressInstruction
|
instr.getDestinationAddress() instanceof FieldAddressInstruction
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -6,34 +6,7 @@ private import semmle.code.cpp.ir.ValueNumbering
|
|||||||
private import semmle.code.cpp.ir.IR
|
private import semmle.code.cpp.ir.IR
|
||||||
private import semmle.code.cpp.ir.dataflow.DataFlow
|
private import semmle.code.cpp.ir.dataflow.DataFlow
|
||||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
||||||
|
private import PrintIRUtilities
|
||||||
/**
|
|
||||||
* Gets a short ID for an IR dataflow node.
|
|
||||||
* - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
|
|
||||||
* - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
|
|
||||||
* instruction and a dot (e.g. `m128.left`).
|
|
||||||
* - For `Variable`s, this is the qualified name of the variable.
|
|
||||||
*/
|
|
||||||
private string nodeId(DataFlow::Node node, int order1, int order2) {
|
|
||||||
exists(Instruction instruction | instruction = node.asInstruction() |
|
|
||||||
result = instruction.getResultId() and
|
|
||||||
order1 = instruction.getBlock().getDisplayIndex() and
|
|
||||||
order2 = instruction.getDisplayIndexInBlock()
|
|
||||||
)
|
|
||||||
or
|
|
||||||
exists(Operand operand, Instruction instruction |
|
|
||||||
operand = node.asOperand() and
|
|
||||||
instruction = operand.getUse()
|
|
||||||
|
|
|
||||||
result = instruction.getResultId() + "." + operand.getDumpId() and
|
|
||||||
order1 = instruction.getBlock().getDisplayIndex() and
|
|
||||||
order2 = instruction.getDisplayIndexInBlock()
|
|
||||||
)
|
|
||||||
or
|
|
||||||
result = "var(" + node.asVariable().getQualifiedName() + ")" and
|
|
||||||
order1 = 1000000 and
|
|
||||||
order2 = 0
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the local dataflow from other nodes in the same function to this node.
|
* Gets the local dataflow from other nodes in the same function to this node.
|
||||||
|
|||||||
@@ -0,0 +1,33 @@
|
|||||||
|
/**
|
||||||
|
* Print the dataflow local store steps in IR dumps.
|
||||||
|
*/
|
||||||
|
|
||||||
|
private import cpp
|
||||||
|
// The `ValueNumbering` library has to be imported right after `cpp` to ensure
|
||||||
|
// that the cached IR gets the same checksum here as it does in queries that use
|
||||||
|
// `ValueNumbering` without `DataFlow`.
|
||||||
|
private import semmle.code.cpp.ir.ValueNumbering
|
||||||
|
private import semmle.code.cpp.ir.IR
|
||||||
|
private import semmle.code.cpp.ir.dataflow.DataFlow
|
||||||
|
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
||||||
|
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
|
||||||
|
private import PrintIRUtilities
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Property provider for local IR dataflow store steps.
|
||||||
|
*/
|
||||||
|
class LocalFlowPropertyProvider extends IRPropertyProvider {
|
||||||
|
override string getInstructionProperty(Instruction instruction, string key) {
|
||||||
|
exists(DataFlow::Node objectNode, Content content |
|
||||||
|
key = "content[" + content.toString() + "]" and
|
||||||
|
instruction = objectNode.asInstruction() and
|
||||||
|
result =
|
||||||
|
strictconcat(string element, DataFlow::Node fieldNode |
|
||||||
|
storeStep(fieldNode, content, objectNode) and
|
||||||
|
element = nodeId(fieldNode, _, _)
|
||||||
|
|
|
||||||
|
element, ", "
|
||||||
|
)
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
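Review bot: The two order columns of `nodeId` are discarded with `_, _` in `element = nodeId(fieldNode, _, _)`, so `strictconcat` sorts the ids as strings (`m128` before `m13`) instead of in IR order, which the copy of `nodeId` removed in the previous hunk derives from block and in-block display index. If IR order is wanted in the dump, bind the columns and sort on them: `strictconcat(string element, DataFlow::Node fieldNode, int order1, int order2 | ... element = nodeId(fieldNode, order1, order2) | element, ", " order by order1, order2)`. Output is deterministic either way, so this is a readability point for the dump rather than a correctness issue.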