mirror of
https://github.com/github/codeql.git
synced 2026-05-26 09:01:22 +02:00
Compare commits
56 Commits
mbg/go/1.2
...
changedocs
| Author | SHA1 | Date | |
|---|---|---|---|
|
7cc545c8dc | ||
|
|
d99c96befa | ||
|
|
26c5e7b2d1 | ||
|
|
07fcd81e7e | ||
|
|
ffab199ea8 | ||
|
|
ae7bf6c97d | ||
|
|
1057bb443f | ||
|
|
ee6c255a7c | ||
|
|
e294c8e68f | ||
|
|
c082c256a2 | ||
|
|
660869e834 | ||
|
|
39a73303d1 | ||
|
|
4ebfafbec2 | ||
|
|
3490067316 | ||
|
|
d5bccd5373 | ||
|
|
092ce01d93 | ||
|
|
e7f059ae55 | ||
|
|
49a4f3a82f | ||
|
|
ea1870fbbd | ||
|
|
21a0109ca2 | ||
|
|
3e774476c6 | ||
|
|
f348b6cbf7 | ||
|
|
3d8c402b6f | ||
|
|
0db6379602 | ||
|
|
cf1f290b61 | ||
|
|
0f44cd3f62 | ||
|
|
e0013eec1b | ||
|
|
92910f961a | ||
|
|
7cb67a50be | ||
|
|
a832730a11 | ||
|
|
ab88b9b136 | ||
|
|
8fc3b00fb9 | ||
|
|
e7f788ae35 | ||
|
|
4e6d7fcb29 | ||
|
|
d8a2c08f12 | ||
|
|
59bb142e8b | ||
|
|
ec59492866 | ||
|
|
fa07f16bcc | ||
|
|
b3326babba | ||
|
|
c33568b602 | ||
|
|
437df5c2a5 | ||
|
|
a6e3b913d0 | ||
|
|
686f47af98 | ||
|
|
b6f1024114 | ||
|
|
ea6092ad3f | ||
|
|
28c333a327 | ||
|
|
55d325148d | ||
|
|
0724fd7ce2 | ||
|
|
ecb1428198 | ||
|
|
c4d37ebec7 | ||
|
|
17cd9624fb | ||
|
|
771992ca9f | ||
|
|
88cd77e459 | ||
|
|
0088ece3ea | ||
|
|
2d19d6f61e | ||
|
|
0126fbcb8f |
@@ -15,7 +15,7 @@ local_path_override(
|
||||
# see https://registry.bazel.build/ for a list of available packages
|
||||
|
||||
bazel_dep(name = "platforms", version = "0.0.10")
|
||||
bazel_dep(name = "rules_go", version = "0.49.0-codeql.1")
|
||||
bazel_dep(name = "rules_go", version = "0.49.0")
|
||||
bazel_dep(name = "rules_pkg", version = "0.10.1")
|
||||
bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
|
||||
bazel_dep(name = "rules_python", version = "0.32.2")
|
||||
@@ -153,7 +153,7 @@ use_repo(
|
||||
)
|
||||
|
||||
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
|
||||
go_sdk.download(version = "1.23.0")
|
||||
go_sdk.download(version = "1.22.2")
|
||||
|
||||
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
|
||||
go_deps.from_file(go_mod = "//go/extractor:go.mod")
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.4.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.4.0
|
||||
|
||||
### New Features
|
||||
|
||||
3
cpp/ql/lib/change-notes/released/1.4.1.md
Normal file
3
cpp/ql/lib/change-notes/released/1.4.1.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 1.4.1
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.4.0
|
||||
lastReleaseVersion: 1.4.1
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 1.4.1-dev
|
||||
version: 1.4.2-dev
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -1,3 +1,9 @@
|
||||
## 1.2.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `cpp/uncontrolled-allocation-size` ("Uncontrolled allocation size") query now considers arithmetic operations that might reduce the size of user input as a barrier. The query therefore produces fewer false positive results.
|
||||
|
||||
## 1.2.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
/**
|
||||
* This file provides the `bounded` predicate that is used in both `cpp/uncontrolled-arithmetic`
|
||||
* and `cpp/tainted-arithmetic`.
|
||||
* This file provides the `bounded` predicate that is used in `cpp/uncontrolled-arithmetic`,
|
||||
* `cpp/tainted-arithmetic` and `cpp/uncontrolled-allocation-size`.
|
||||
*/
|
||||
|
||||
private import cpp
|
||||
@@ -8,20 +8,18 @@ private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
|
||||
private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
|
||||
|
||||
/**
|
||||
* An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
|
||||
* or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
|
||||
* bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
|
||||
* An operand `operand` of a bitwise and expression `andExpr` (i.e., `andExpr` is either a
|
||||
* `BitwiseAndExpr` or an `AssignAndExpr`) is upper bounded by some number that is less than the
|
||||
* maximum integer allowed by the result type of `andExpr`.
|
||||
*/
|
||||
pragma[inline]
|
||||
private predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
|
||||
operand1 != operand2 and
|
||||
e = operand1 and
|
||||
upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
|
||||
private predicate boundedBitwiseAnd(Expr operand, Expr andExpr) {
|
||||
upperBound(operand.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `e` is an arithmetic expression that cannot overflow, or if `e` is an operand of an
|
||||
* operation that may greatly reduce the range of possible values.
|
||||
* Holds if `e` is an arithmetic expression that cannot overflow, or if `e` is an operation that
|
||||
* may greatly reduce the range of possible values.
|
||||
*/
|
||||
predicate bounded(Expr e) {
|
||||
// There can be two separate reasons for `convertedExprMightOverflow` not holding:
|
||||
@@ -35,25 +33,25 @@ predicate bounded(Expr e) {
|
||||
) and
|
||||
not convertedExprMightOverflow(e)
|
||||
or
|
||||
// Optimistically assume that a remainder expression always yields a much smaller value.
|
||||
e = any(RemExpr rem).getLeftOperand()
|
||||
// Optimistically assume that the following operations always yields a much smaller value.
|
||||
e instanceof RemExpr
|
||||
or
|
||||
e = any(AssignRemExpr rem).getLValue()
|
||||
e instanceof DivExpr
|
||||
or
|
||||
e instanceof RShiftExpr
|
||||
or
|
||||
exists(BitwiseAndExpr andExpr |
|
||||
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
|
||||
e = andExpr and boundedBitwiseAnd(andExpr.getAnOperand(), andExpr)
|
||||
)
|
||||
or
|
||||
exists(AssignAndExpr andExpr |
|
||||
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
|
||||
)
|
||||
or
|
||||
// Optimistically assume that a division always yields a much smaller value.
|
||||
e = any(DivExpr div).getLeftOperand()
|
||||
// For the assignment variant of the operations we place the barrier on the assigned lvalue.
|
||||
e = any(AssignRemExpr rem).getLValue()
|
||||
or
|
||||
e = any(AssignDivExpr div).getLValue()
|
||||
or
|
||||
e = any(RShiftExpr shift).getLeftOperand()
|
||||
or
|
||||
e = any(AssignRShiftExpr div).getLValue()
|
||||
or
|
||||
exists(AssignAndExpr andExpr |
|
||||
e = andExpr.getLValue() and boundedBitwiseAnd(andExpr.getRValue(), andExpr)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The `cpp/uncontrolled-allocation-size` ("Uncontrolled allocation size") query now considers arithmetic operations that might reduce the size of user input as a barrier. The query therefore produces fewer false positive results.
|
||||
## 1.2.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `cpp/uncontrolled-allocation-size` ("Uncontrolled allocation size") query now considers arithmetic operations that might reduce the size of user input as a barrier. The query therefore produces fewer false positive results.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.2.0
|
||||
lastReleaseVersion: 1.2.1
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 1.2.1-dev
|
||||
version: 1.2.2-dev
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -32,6 +32,8 @@ edges
|
||||
| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r | provenance | |
|
||||
| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r | provenance | |
|
||||
| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r | provenance | |
|
||||
| test.cpp:62:19:62:24 | call to rand | test.cpp:62:19:62:24 | call to rand | provenance | |
|
||||
| test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | provenance | |
|
||||
| test.cpp:86:10:86:13 | call to rand | test.cpp:86:10:86:13 | call to rand | provenance | |
|
||||
| test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | provenance | |
|
||||
| test.cpp:98:10:98:13 | call to rand | test.cpp:98:10:98:13 | call to rand | provenance | |
|
||||
@@ -105,6 +107,9 @@ nodes
|
||||
| test.cpp:31:7:31:7 | r | semmle.label | r |
|
||||
| test.cpp:36:13:36:13 | get_rand3 output argument | semmle.label | get_rand3 output argument |
|
||||
| test.cpp:37:7:37:7 | r | semmle.label | r |
|
||||
| test.cpp:62:19:62:24 | call to rand | semmle.label | call to rand |
|
||||
| test.cpp:62:19:62:24 | call to rand | semmle.label | call to rand |
|
||||
| test.cpp:65:9:65:9 | x | semmle.label | x |
|
||||
| test.cpp:86:10:86:13 | call to rand | semmle.label | call to rand |
|
||||
| test.cpp:86:10:86:13 | call to rand | semmle.label | call to rand |
|
||||
| test.cpp:90:10:90:10 | x | semmle.label | x |
|
||||
@@ -156,6 +161,7 @@ subpaths
|
||||
| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value |
|
||||
| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value |
|
||||
| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value |
|
||||
| test.cpp:65:9:65:9 | x | test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | This arithmetic expression depends on an $@, potentially causing an underflow. | test.cpp:62:19:62:22 | call to rand | uncontrolled value |
|
||||
| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | uncontrolled value |
|
||||
| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | uncontrolled value |
|
||||
| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value |
|
||||
|
||||
@@ -62,7 +62,7 @@ unsigned int test_remainder_subtract_unsigned()
|
||||
unsigned int x = rand();
|
||||
unsigned int y = x % 100; // y <= x
|
||||
|
||||
return x - y; // GOOD (as y <= x)
|
||||
return x - y; // GOOD (as y <= x) [FALSE POSITIVE]
|
||||
}
|
||||
|
||||
typedef unsigned long size_t;
|
||||
|
||||
@@ -13,26 +13,30 @@ edges
|
||||
| test.cpp:133:19:133:32 | *call to getenv | test.cpp:133:14:133:17 | call to atoi | provenance | TaintFunction |
|
||||
| test.cpp:148:15:148:18 | call to atol | test.cpp:152:11:152:28 | ... * ... | provenance | |
|
||||
| test.cpp:148:20:148:33 | *call to getenv | test.cpp:148:15:148:18 | call to atol | provenance | TaintFunction |
|
||||
| test.cpp:224:8:224:23 | *get_tainted_size | test.cpp:256:9:256:24 | call to get_tainted_size | provenance | |
|
||||
| test.cpp:226:9:226:42 | ... * ... | test.cpp:224:8:224:23 | *get_tainted_size | provenance | |
|
||||
| test.cpp:226:14:226:27 | *call to getenv | test.cpp:226:9:226:42 | ... * ... | provenance | TaintFunction |
|
||||
| test.cpp:245:21:245:21 | s | test.cpp:246:21:246:21 | s | provenance | |
|
||||
| test.cpp:252:19:252:52 | ... * ... | test.cpp:254:9:254:18 | local_size | provenance | |
|
||||
| test.cpp:252:19:252:52 | ... * ... | test.cpp:260:11:260:20 | local_size | provenance | |
|
||||
| test.cpp:252:19:252:52 | ... * ... | test.cpp:262:10:262:19 | local_size | provenance | |
|
||||
| test.cpp:252:24:252:37 | *call to getenv | test.cpp:252:19:252:52 | ... * ... | provenance | TaintFunction |
|
||||
| test.cpp:262:10:262:19 | local_size | test.cpp:245:21:245:21 | s | provenance | |
|
||||
| test.cpp:265:20:265:27 | *out_size | test.cpp:304:17:304:20 | get_size output argument | provenance | |
|
||||
| test.cpp:265:20:265:27 | *out_size | test.cpp:320:18:320:21 | get_size output argument | provenance | |
|
||||
| test.cpp:266:2:266:32 | ... = ... | test.cpp:265:20:265:27 | *out_size | provenance | |
|
||||
| test.cpp:266:18:266:31 | *call to getenv | test.cpp:266:2:266:32 | ... = ... | provenance | TaintFunction |
|
||||
| test.cpp:274:15:274:18 | call to atoi | test.cpp:278:11:278:29 | ... * ... | provenance | |
|
||||
| test.cpp:274:20:274:33 | *call to getenv | test.cpp:274:15:274:18 | call to atoi | provenance | TaintFunction |
|
||||
| test.cpp:304:17:304:20 | get_size output argument | test.cpp:306:11:306:28 | ... * ... | provenance | |
|
||||
| test.cpp:320:18:320:21 | get_size output argument | test.cpp:323:10:323:27 | ... * ... | provenance | |
|
||||
| test.cpp:368:13:368:16 | call to atoi | test.cpp:370:35:370:38 | size | provenance | |
|
||||
| test.cpp:368:13:368:16 | call to atoi | test.cpp:371:35:371:38 | size | provenance | |
|
||||
| test.cpp:368:18:368:31 | *call to getenv | test.cpp:368:13:368:16 | call to atoi | provenance | TaintFunction |
|
||||
| test.cpp:190:14:190:17 | call to atoi | test.cpp:194:11:194:28 | ... * ... | provenance | |
|
||||
| test.cpp:190:19:190:32 | *call to getenv | test.cpp:190:14:190:17 | call to atoi | provenance | TaintFunction |
|
||||
| test.cpp:205:14:205:17 | call to atoi | test.cpp:209:11:209:28 | ... * ... | provenance | |
|
||||
| test.cpp:205:19:205:32 | *call to getenv | test.cpp:205:14:205:17 | call to atoi | provenance | TaintFunction |
|
||||
| test.cpp:239:8:239:23 | *get_tainted_size | test.cpp:271:9:271:24 | call to get_tainted_size | provenance | |
|
||||
| test.cpp:241:9:241:42 | ... * ... | test.cpp:239:8:239:23 | *get_tainted_size | provenance | |
|
||||
| test.cpp:241:14:241:27 | *call to getenv | test.cpp:241:9:241:42 | ... * ... | provenance | TaintFunction |
|
||||
| test.cpp:260:21:260:21 | s | test.cpp:261:21:261:21 | s | provenance | |
|
||||
| test.cpp:267:19:267:52 | ... * ... | test.cpp:269:9:269:18 | local_size | provenance | |
|
||||
| test.cpp:267:19:267:52 | ... * ... | test.cpp:275:11:275:20 | local_size | provenance | |
|
||||
| test.cpp:267:19:267:52 | ... * ... | test.cpp:277:10:277:19 | local_size | provenance | |
|
||||
| test.cpp:267:24:267:37 | *call to getenv | test.cpp:267:19:267:52 | ... * ... | provenance | TaintFunction |
|
||||
| test.cpp:277:10:277:19 | local_size | test.cpp:260:21:260:21 | s | provenance | |
|
||||
| test.cpp:280:20:280:27 | *out_size | test.cpp:319:17:319:20 | get_size output argument | provenance | |
|
||||
| test.cpp:280:20:280:27 | *out_size | test.cpp:335:18:335:21 | get_size output argument | provenance | |
|
||||
| test.cpp:281:2:281:32 | ... = ... | test.cpp:280:20:280:27 | *out_size | provenance | |
|
||||
| test.cpp:281:18:281:31 | *call to getenv | test.cpp:281:2:281:32 | ... = ... | provenance | TaintFunction |
|
||||
| test.cpp:289:15:289:18 | call to atoi | test.cpp:293:11:293:29 | ... * ... | provenance | |
|
||||
| test.cpp:289:20:289:33 | *call to getenv | test.cpp:289:15:289:18 | call to atoi | provenance | TaintFunction |
|
||||
| test.cpp:319:17:319:20 | get_size output argument | test.cpp:321:11:321:28 | ... * ... | provenance | |
|
||||
| test.cpp:335:18:335:21 | get_size output argument | test.cpp:338:10:338:27 | ... * ... | provenance | |
|
||||
| test.cpp:383:13:383:16 | call to atoi | test.cpp:385:35:385:38 | size | provenance | |
|
||||
| test.cpp:383:13:383:16 | call to atoi | test.cpp:386:35:386:38 | size | provenance | |
|
||||
| test.cpp:383:18:383:31 | *call to getenv | test.cpp:383:13:383:16 | call to atoi | provenance | TaintFunction |
|
||||
nodes
|
||||
| test.cpp:39:27:39:30 | **argv | semmle.label | **argv |
|
||||
| test.cpp:40:16:40:19 | call to atoi | semmle.label | call to atoi |
|
||||
@@ -52,31 +56,37 @@ nodes
|
||||
| test.cpp:148:15:148:18 | call to atol | semmle.label | call to atol |
|
||||
| test.cpp:148:20:148:33 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:224:8:224:23 | *get_tainted_size | semmle.label | *get_tainted_size |
|
||||
| test.cpp:226:9:226:42 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:226:14:226:27 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:245:21:245:21 | s | semmle.label | s |
|
||||
| test.cpp:246:21:246:21 | s | semmle.label | s |
|
||||
| test.cpp:252:19:252:52 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:252:24:252:37 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:254:9:254:18 | local_size | semmle.label | local_size |
|
||||
| test.cpp:256:9:256:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
|
||||
| test.cpp:260:11:260:20 | local_size | semmle.label | local_size |
|
||||
| test.cpp:262:10:262:19 | local_size | semmle.label | local_size |
|
||||
| test.cpp:265:20:265:27 | *out_size | semmle.label | *out_size |
|
||||
| test.cpp:266:2:266:32 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:266:18:266:31 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:274:15:274:18 | call to atoi | semmle.label | call to atoi |
|
||||
| test.cpp:274:20:274:33 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:278:11:278:29 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:304:17:304:20 | get_size output argument | semmle.label | get_size output argument |
|
||||
| test.cpp:306:11:306:28 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:320:18:320:21 | get_size output argument | semmle.label | get_size output argument |
|
||||
| test.cpp:323:10:323:27 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:368:13:368:16 | call to atoi | semmle.label | call to atoi |
|
||||
| test.cpp:368:18:368:31 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:370:35:370:38 | size | semmle.label | size |
|
||||
| test.cpp:371:35:371:38 | size | semmle.label | size |
|
||||
| test.cpp:190:14:190:17 | call to atoi | semmle.label | call to atoi |
|
||||
| test.cpp:190:19:190:32 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:194:11:194:28 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:205:14:205:17 | call to atoi | semmle.label | call to atoi |
|
||||
| test.cpp:205:19:205:32 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:209:11:209:28 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:239:8:239:23 | *get_tainted_size | semmle.label | *get_tainted_size |
|
||||
| test.cpp:241:9:241:42 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:241:14:241:27 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:260:21:260:21 | s | semmle.label | s |
|
||||
| test.cpp:261:21:261:21 | s | semmle.label | s |
|
||||
| test.cpp:267:19:267:52 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:267:24:267:37 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:269:9:269:18 | local_size | semmle.label | local_size |
|
||||
| test.cpp:271:9:271:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
|
||||
| test.cpp:275:11:275:20 | local_size | semmle.label | local_size |
|
||||
| test.cpp:277:10:277:19 | local_size | semmle.label | local_size |
|
||||
| test.cpp:280:20:280:27 | *out_size | semmle.label | *out_size |
|
||||
| test.cpp:281:2:281:32 | ... = ... | semmle.label | ... = ... |
|
||||
| test.cpp:281:18:281:31 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:289:15:289:18 | call to atoi | semmle.label | call to atoi |
|
||||
| test.cpp:289:20:289:33 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:293:11:293:29 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:319:17:319:20 | get_size output argument | semmle.label | get_size output argument |
|
||||
| test.cpp:321:11:321:28 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:335:18:335:21 | get_size output argument | semmle.label | get_size output argument |
|
||||
| test.cpp:338:10:338:27 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:383:13:383:16 | call to atoi | semmle.label | call to atoi |
|
||||
| test.cpp:383:18:383:31 | *call to getenv | semmle.label | *call to getenv |
|
||||
| test.cpp:385:35:385:38 | size | semmle.label | size |
|
||||
| test.cpp:386:35:386:38 | size | semmle.label | size |
|
||||
subpaths
|
||||
#select
|
||||
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
|
||||
@@ -88,12 +98,14 @@ subpaths
|
||||
| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:124:18:124:31 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:133:19:133:32 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:148:20:148:33 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:246:14:246:19 | call to malloc | test.cpp:252:24:252:37 | *call to getenv | test.cpp:246:21:246:21 | s | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:252:24:252:37 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:254:2:254:7 | call to malloc | test.cpp:252:24:252:37 | *call to getenv | test.cpp:254:9:254:18 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:252:24:252:37 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:256:2:256:7 | call to malloc | test.cpp:226:14:226:27 | *call to getenv | test.cpp:256:9:256:24 | call to get_tainted_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:226:14:226:27 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:260:2:260:9 | call to my_alloc | test.cpp:252:24:252:37 | *call to getenv | test.cpp:260:11:260:20 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:252:24:252:37 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:278:4:278:9 | call to malloc | test.cpp:274:20:274:33 | *call to getenv | test.cpp:278:11:278:29 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:274:20:274:33 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:306:4:306:9 | call to malloc | test.cpp:266:18:266:31 | *call to getenv | test.cpp:306:11:306:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:266:18:266:31 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:323:3:323:8 | call to malloc | test.cpp:266:18:266:31 | *call to getenv | test.cpp:323:10:323:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:266:18:266:31 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:370:25:370:33 | call to MyMalloc1 | test.cpp:368:18:368:31 | *call to getenv | test.cpp:370:35:370:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:368:18:368:31 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:371:25:371:33 | call to MyMalloc2 | test.cpp:368:18:368:31 | *call to getenv | test.cpp:371:35:371:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:368:18:368:31 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:194:4:194:9 | call to malloc | test.cpp:190:19:190:32 | *call to getenv | test.cpp:194:11:194:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:190:19:190:32 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:209:4:209:9 | call to malloc | test.cpp:205:19:205:32 | *call to getenv | test.cpp:209:11:209:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:205:19:205:32 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:261:14:261:19 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:261:21:261:21 | s | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:269:2:269:7 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:269:9:269:18 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:271:2:271:7 | call to malloc | test.cpp:241:14:241:27 | *call to getenv | test.cpp:271:9:271:24 | call to get_tainted_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:241:14:241:27 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:275:2:275:9 | call to my_alloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:275:11:275:20 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:293:4:293:9 | call to malloc | test.cpp:289:20:289:33 | *call to getenv | test.cpp:293:11:293:29 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:289:20:289:33 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:321:4:321:9 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:321:11:321:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:338:3:338:8 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:338:10:338:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:385:25:385:33 | call to MyMalloc1 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:385:35:385:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) |
|
||||
| test.cpp:386:25:386:33 | call to MyMalloc2 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:386:35:386:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) |
|
||||
|
||||
@@ -191,7 +191,22 @@ void more_bounded_tests() {
|
||||
|
||||
if (size % 100)
|
||||
{
|
||||
malloc(size * sizeof(int)); // BAD [NOT DETECTED]
|
||||
malloc(size * sizeof(int)); // BAD
|
||||
}
|
||||
}
|
||||
|
||||
{
|
||||
int size = atoi(getenv("USER"));
|
||||
int size2 = size & 7; // Pick the first three bits of size
|
||||
malloc(size2 * sizeof(int)); // GOOD
|
||||
}
|
||||
|
||||
{
|
||||
int size = atoi(getenv("USER"));
|
||||
|
||||
if (size & 7)
|
||||
{
|
||||
malloc(size * sizeof(int)); // BAD
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -2,25 +2,25 @@
|
||||
| test.cpp:43:2:45:2 | for(...;...;...) ... | test.cpp:43:18:43:26 | ... < ... | | i | { ... } | i | ExprStmt |
|
||||
| test.cpp:74:2:77:2 | while (...) ... | test.cpp:74:9:74:17 | ... > ... | 1 | count | { ... } | count | ExprStmt |
|
||||
| test.cpp:84:2:88:2 | while (...) ... | test.cpp:84:9:84:17 | ... > ... | | count | { ... } | count | if (...) ... |
|
||||
| test.cpp:171:3:173:3 | while (...) ... | test.cpp:171:10:171:43 | ... != ... | 0 | | { ... } | 0 | return ... |
|
||||
| test.cpp:251:2:255:2 | while (...) ... | test.cpp:251:9:251:12 | loop | 1 | loop | { ... } | loop | return ... |
|
||||
| test.cpp:263:2:267:2 | while (...) ... | test.cpp:263:9:263:20 | ... && ... | 1 | 1 | { ... } | ... && ... | return ... |
|
||||
| test.cpp:275:2:279:2 | while (...) ... | test.cpp:275:9:275:13 | ! ... | 1 | stop | { ... } | stop | return ... |
|
||||
| test.cpp:287:2:291:2 | while (...) ... | test.cpp:287:9:287:20 | ... && ... | 1 | loop | { ... } | loop | return ... |
|
||||
| test.cpp:299:2:303:2 | while (...) ... | test.cpp:299:9:299:20 | ... && ... | 1 | loop | { ... } | ... && ..., loop | return ... |
|
||||
| test.cpp:311:2:315:2 | while (...) ... | test.cpp:311:9:311:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | return ... |
|
||||
| test.cpp:323:2:328:2 | while (...) ... | test.cpp:323:9:323:17 | ... ? ... : ... | | b, c | { ... } | c | return ... |
|
||||
| test.cpp:336:2:341:2 | while (...) ... | test.cpp:336:9:336:21 | ... \|\| ... | 1 | b, c | { ... } | c | return ... |
|
||||
| test.cpp:348:2:351:17 | do (...) ... | test.cpp:351:11:351:15 | 0 | | { ... } | { ... } | { ... } | return ... |
|
||||
| test.cpp:361:2:364:2 | while (...) ... | test.cpp:361:9:361:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | while (...) ... |
|
||||
| test.cpp:365:2:368:2 | while (...) ... | test.cpp:365:9:365:13 | ! ... | 1 | stop | { ... } | stop | while (...) ... |
|
||||
| test.cpp:369:2:373:2 | while (...) ... | test.cpp:369:9:369:21 | ... \|\| ... | 1 | b, c | { ... } | c | do (...) ... |
|
||||
| test.cpp:374:2:376:17 | do (...) ... | test.cpp:376:11:376:15 | 0 | | do (...) ... | { ... } | { ... } | return ... |
|
||||
| test.cpp:384:2:386:2 | while (...) ... | test.cpp:384:9:384:12 | 1 | 1 | 1 | { ... } | | return ... |
|
||||
| test.cpp:394:2:396:2 | while (...) ... | test.cpp:394:9:394:21 | ... , ... | | { ... } | { ... } | | |
|
||||
| test.cpp:404:3:408:3 | while (...) ... | test.cpp:404:10:404:13 | loop | 1 | loop | { ... } | | |
|
||||
| test.cpp:416:2:418:2 | for(...;...;...) ... | test.cpp:416:18:416:23 | ... < ... | 1 | i | { ... } | i | return ... |
|
||||
| test.cpp:424:2:425:2 | for(...;...;...) ... | test.cpp:424:18:424:23 | ... < ... | 1 | i | { ... } | i | return ... |
|
||||
| test.cpp:433:2:434:2 | for(...;...;...) ... | test.cpp:433:18:433:22 | 0 | 0 | | { ... } | 0 | return ... |
|
||||
| test.cpp:559:3:564:3 | while (...) ... | test.cpp:559:9:559:15 | call to getBool | | call to getBool | { ... } | call to getBool | ExprStmt |
|
||||
| test.cpp:574:3:579:3 | while (...) ... | test.cpp:574:10:574:16 | call to getBool | | call to getBool | { ... } | call to getBool | ExprStmt |
|
||||
| test.cpp:172:3:174:3 | while (...) ... | test.cpp:172:10:172:43 | ... != ... | | args | { ... } | args | return ... |
|
||||
| test.cpp:259:2:263:2 | while (...) ... | test.cpp:259:9:259:12 | loop | 1 | loop | { ... } | loop | return ... |
|
||||
| test.cpp:271:2:275:2 | while (...) ... | test.cpp:271:9:271:20 | ... && ... | 1 | 1 | { ... } | ... && ... | return ... |
|
||||
| test.cpp:283:2:287:2 | while (...) ... | test.cpp:283:9:283:13 | ! ... | 1 | stop | { ... } | stop | return ... |
|
||||
| test.cpp:295:2:299:2 | while (...) ... | test.cpp:295:9:295:20 | ... && ... | 1 | loop | { ... } | loop | return ... |
|
||||
| test.cpp:307:2:311:2 | while (...) ... | test.cpp:307:9:307:20 | ... && ... | 1 | loop | { ... } | ... && ..., loop | return ... |
|
||||
| test.cpp:319:2:323:2 | while (...) ... | test.cpp:319:9:319:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | return ... |
|
||||
| test.cpp:331:2:336:2 | while (...) ... | test.cpp:331:9:331:17 | ... ? ... : ... | | b, c | { ... } | c | return ... |
|
||||
| test.cpp:344:2:349:2 | while (...) ... | test.cpp:344:9:344:21 | ... \|\| ... | 1 | b, c | { ... } | c | return ... |
|
||||
| test.cpp:356:2:359:17 | do (...) ... | test.cpp:359:11:359:15 | 0 | | { ... } | { ... } | { ... } | return ... |
|
||||
| test.cpp:369:2:372:2 | while (...) ... | test.cpp:369:9:369:21 | ... \|\| ... | 1 | ... \|\| ... | { ... } | 0 | while (...) ... |
|
||||
| test.cpp:373:2:376:2 | while (...) ... | test.cpp:373:9:373:13 | ! ... | 1 | stop | { ... } | stop | while (...) ... |
|
||||
| test.cpp:377:2:381:2 | while (...) ... | test.cpp:377:9:377:21 | ... \|\| ... | 1 | b, c | { ... } | c | do (...) ... |
|
||||
| test.cpp:382:2:384:17 | do (...) ... | test.cpp:384:11:384:15 | 0 | | do (...) ... | { ... } | { ... } | return ... |
|
||||
| test.cpp:392:2:394:2 | while (...) ... | test.cpp:392:9:392:12 | 1 | 1 | 1 | { ... } | | return ... |
|
||||
| test.cpp:402:2:404:2 | while (...) ... | test.cpp:402:9:402:21 | ... , ... | | { ... } | { ... } | | |
|
||||
| test.cpp:412:3:416:3 | while (...) ... | test.cpp:412:10:412:13 | loop | 1 | loop | { ... } | | |
|
||||
| test.cpp:424:2:426:2 | for(...;...;...) ... | test.cpp:424:18:424:23 | ... < ... | 1 | i | { ... } | i | return ... |
|
||||
| test.cpp:432:2:433:2 | for(...;...;...) ... | test.cpp:432:18:432:23 | ... < ... | 1 | i | { ... } | i | return ... |
|
||||
| test.cpp:441:2:442:2 | for(...;...;...) ... | test.cpp:441:18:441:22 | 0 | 0 | | { ... } | 0 | return ... |
|
||||
| test.cpp:567:3:572:3 | while (...) ... | test.cpp:567:9:567:15 | call to getBool | | call to getBool | { ... } | call to getBool | ExprStmt |
|
||||
| test.cpp:582:3:587:3 | while (...) ... | test.cpp:582:10:582:16 | call to getBool | | call to getBool | { ... } | call to getBool | ExprStmt |
|
||||
|
||||
@@ -2,28 +2,28 @@ edges
|
||||
nodes
|
||||
| test.cpp:11:6:11:8 | definition of foo | semmle.label | definition of foo |
|
||||
| test.cpp:111:6:111:8 | definition of foo | semmle.label | definition of foo |
|
||||
| test.cpp:218:7:218:7 | definition of x | semmle.label | definition of x |
|
||||
| test.cpp:241:6:241:6 | definition of i | semmle.label | definition of i |
|
||||
| test.cpp:333:7:333:7 | definition of a | semmle.label | definition of a |
|
||||
| test.cpp:358:7:358:7 | definition of a | semmle.label | definition of a |
|
||||
| test.cpp:359:6:359:8 | definition of val | semmle.label | definition of val |
|
||||
| test.cpp:414:9:414:9 | definition of j | semmle.label | definition of j |
|
||||
| test.cpp:431:9:431:9 | definition of j | semmle.label | definition of j |
|
||||
| test.cpp:452:6:452:6 | definition of x | semmle.label | definition of x |
|
||||
| test.cpp:458:6:458:6 | definition of x | semmle.label | definition of x |
|
||||
| test.cpp:464:6:464:6 | definition of x | semmle.label | definition of x |
|
||||
| test.cpp:471:6:471:6 | definition of x | semmle.label | definition of x |
|
||||
| test.cpp:226:7:226:7 | definition of x | semmle.label | definition of x |
|
||||
| test.cpp:249:6:249:6 | definition of i | semmle.label | definition of i |
|
||||
| test.cpp:341:7:341:7 | definition of a | semmle.label | definition of a |
|
||||
| test.cpp:366:7:366:7 | definition of a | semmle.label | definition of a |
|
||||
| test.cpp:367:6:367:8 | definition of val | semmle.label | definition of val |
|
||||
| test.cpp:422:9:422:9 | definition of j | semmle.label | definition of j |
|
||||
| test.cpp:439:9:439:9 | definition of j | semmle.label | definition of j |
|
||||
| test.cpp:460:6:460:6 | definition of x | semmle.label | definition of x |
|
||||
| test.cpp:466:6:466:6 | definition of x | semmle.label | definition of x |
|
||||
| test.cpp:472:6:472:6 | definition of x | semmle.label | definition of x |
|
||||
| test.cpp:479:6:479:6 | definition of x | semmle.label | definition of x |
|
||||
#select
|
||||
| test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo |
|
||||
| test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo |
|
||||
| test.cpp:219:3:219:3 | x | test.cpp:218:7:218:7 | definition of x | test.cpp:218:7:218:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:218:7:218:7 | x | x |
|
||||
| test.cpp:243:13:243:13 | i | test.cpp:241:6:241:6 | definition of i | test.cpp:241:6:241:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:241:6:241:6 | i | i |
|
||||
| test.cpp:336:10:336:10 | a | test.cpp:333:7:333:7 | definition of a | test.cpp:333:7:333:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:333:7:333:7 | a | a |
|
||||
| test.cpp:369:10:369:10 | a | test.cpp:358:7:358:7 | definition of a | test.cpp:358:7:358:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:358:7:358:7 | a | a |
|
||||
| test.cpp:378:9:378:11 | val | test.cpp:359:6:359:8 | definition of val | test.cpp:359:6:359:8 | definition of val | The variable $@ may not be initialized at this access. | test.cpp:359:6:359:8 | val | val |
|
||||
| test.cpp:417:10:417:10 | j | test.cpp:414:9:414:9 | definition of j | test.cpp:414:9:414:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:414:9:414:9 | j | j |
|
||||
| test.cpp:436:9:436:9 | j | test.cpp:431:9:431:9 | definition of j | test.cpp:431:9:431:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:431:9:431:9 | j | j |
|
||||
| test.cpp:454:2:454:2 | x | test.cpp:452:6:452:6 | definition of x | test.cpp:452:6:452:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:452:6:452:6 | x | x |
|
||||
| test.cpp:460:7:460:7 | x | test.cpp:458:6:458:6 | definition of x | test.cpp:458:6:458:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:458:6:458:6 | x | x |
|
||||
| test.cpp:467:2:467:2 | x | test.cpp:464:6:464:6 | definition of x | test.cpp:464:6:464:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:464:6:464:6 | x | x |
|
||||
| test.cpp:474:7:474:7 | x | test.cpp:471:6:471:6 | definition of x | test.cpp:471:6:471:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:471:6:471:6 | x | x |
|
||||
| test.cpp:227:3:227:3 | x | test.cpp:226:7:226:7 | definition of x | test.cpp:226:7:226:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:226:7:226:7 | x | x |
|
||||
| test.cpp:251:13:251:13 | i | test.cpp:249:6:249:6 | definition of i | test.cpp:249:6:249:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:249:6:249:6 | i | i |
|
||||
| test.cpp:344:10:344:10 | a | test.cpp:341:7:341:7 | definition of a | test.cpp:341:7:341:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:341:7:341:7 | a | a |
|
||||
| test.cpp:377:10:377:10 | a | test.cpp:366:7:366:7 | definition of a | test.cpp:366:7:366:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:366:7:366:7 | a | a |
|
||||
| test.cpp:386:9:386:11 | val | test.cpp:367:6:367:8 | definition of val | test.cpp:367:6:367:8 | definition of val | The variable $@ may not be initialized at this access. | test.cpp:367:6:367:8 | val | val |
|
||||
| test.cpp:425:10:425:10 | j | test.cpp:422:9:422:9 | definition of j | test.cpp:422:9:422:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:422:9:422:9 | j | j |
|
||||
| test.cpp:444:9:444:9 | j | test.cpp:439:9:439:9 | definition of j | test.cpp:439:9:439:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:439:9:439:9 | j | j |
|
||||
| test.cpp:462:2:462:2 | x | test.cpp:460:6:460:6 | definition of x | test.cpp:460:6:460:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:460:6:460:6 | x | x |
|
||||
| test.cpp:468:7:468:7 | x | test.cpp:466:6:466:6 | definition of x | test.cpp:466:6:466:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:466:6:466:6 | x | x |
|
||||
| test.cpp:475:2:475:2 | x | test.cpp:472:6:472:6 | definition of x | test.cpp:472:6:472:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:472:6:472:6 | x | x |
|
||||
| test.cpp:482:7:482:7 | x | test.cpp:479:6:479:6 | definition of x | test.cpp:479:6:479:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:479:6:479:6 | x | x |
|
||||
|
||||
@@ -156,11 +156,12 @@ int absCorrect2(int i) {
|
||||
return j; // correct: j always initialized before use
|
||||
}
|
||||
|
||||
typedef __builtin_va_list va_list;
|
||||
#define va_start(v, l) __builtin_va_start(v,l)
|
||||
#define va_end(v) __builtin_va_end(v)
|
||||
#define va_arg(v, l) __builtin_va_arg(v,l)
|
||||
#define va_copy(d, s) __builtin_va_copy(d,s)
|
||||
|
||||
typedef void *va_list;
|
||||
#define va_start(ap, parmN)
|
||||
#define va_end(ap)
|
||||
#define va_arg(ap, type) ((type)0)
|
||||
#define NULL 0
|
||||
|
||||
// Variadic initialisation
|
||||
@@ -176,7 +177,7 @@ void init(int val, ...) {
|
||||
void test15() {
|
||||
int foo;
|
||||
init(42, &foo, NULL);
|
||||
use(foo); //GOOD -- initialised by `init`
|
||||
use(foo); // GOOD -- initialised by `init`
|
||||
}
|
||||
|
||||
// Variadic non-initialisation
|
||||
@@ -192,6 +193,13 @@ void test16() {
|
||||
use(foo); // BAD (NOT REPORTED)
|
||||
}
|
||||
|
||||
void test_va_copy(va_list va) {
|
||||
va_list va2;
|
||||
va_copy(va2, va); // GOOD -- this is an initialization
|
||||
use(va2);
|
||||
va_end(va2);
|
||||
}
|
||||
|
||||
bool test17(bool b) {
|
||||
int foo;
|
||||
int *p = nullptr;
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.7.23
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.22
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.23
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.22
|
||||
lastReleaseVersion: 1.7.23
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.7.23-dev
|
||||
version: 1.7.24-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.7.23
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.22
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.23
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.22
|
||||
lastReleaseVersion: 1.7.23
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.7.23-dev
|
||||
version: 1.7.24-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user