From a51ac7b4e750c8247cfce40f9655dd0776655499 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 11 Nov 2022 11:02:07 +0000 Subject: [PATCH 1/7] C++: Remove some unnecessary IPA values from 'IndirectInstruction' and 'IndirectOperand' when the semantically identical value already exists in the IR. --- .../ir/dataflow/internal/DataFlowPrivate.qll | 22 --- .../cpp/ir/dataflow/internal/DataFlowUtil.qll | 148 ++++++++++-------- .../cpp/ir/dataflow/internal/SsaInternals.qll | 18 ++- .../dataflow/internal/SsaInternalsCommon.qll | 32 ++++ 4 files changed, 130 insertions(+), 90 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll index ce9ba14ed026..365f8843e797 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll @@ -47,24 +47,6 @@ private class PrimaryArgumentNode extends ArgumentNode, OperandNode { override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { op = call.getArgumentOperand(pos.(DirectPosition).getIndex()) } - - override string toStringImpl() { result = argumentOperandToString(op) } -} - -private string argumentOperandToString(ArgumentOperand op) { - exists(Expr unconverted | - unconverted = op.getDef().getUnconvertedResultExpression() and - result = unconverted.toString() - ) - or - // Certain instructions don't map to an unconverted result expression. For these cases - // we fall back to a simpler naming scheme. This can happen in IR-generated constructors. - not exists(op.getDef().getUnconvertedResultExpression()) and - ( - result = "Argument " + op.(PositionalArgumentOperand).getIndex() - or - op instanceof ThisArgumentOperand and result = "Argument this" - ) } private class SideEffectArgumentNode extends ArgumentNode, SideEffectOperandNode { 
@@ -73,10 +55,6 @@ private class SideEffectArgumentNode extends ArgumentNode, SideEffectOperandNode pos.(IndirectionPosition).getArgumentIndex() = this.getArgumentIndex() and pos.(IndirectionPosition).getIndirectionIndex() = super.getIndirectionIndex() } - - override string toStringImpl() { - result = argumentOperandToString(this.getAddressOperand()) + " indirection" - } } /** A parameter position represented by an integer. */ diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll index 12caadc552f2..1298478faf26 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll @@ -26,9 +26,9 @@ private module Cached { * - `SsaPhiNode`, which represents phi nodes as computed by the shared SSA library. * - `IndirectArgumentOutNode`, which represents the value of an argument (and its indirections) after * it leaves a function call. - * - `IndirectOperand`, which represents the value of `operand` after loading the address a number + * - `RawIndirectOperand`, which represents the value of `operand` after loading the address a number * of times. - * - `IndirectInstruction`, which represents the value of `instr` after loading the address a number + * - `RawIndirectInstruction`, which represents the value of `instr` after loading the address a number * of times. */ cached 
@@ -52,11 +52,11 @@ private module Cached { Ssa::isModifiableByCall(operand) and indirectionIndex = [1 .. Ssa::countIndirectionsForCppType(operand.getLanguageType())] } or - TIndirectOperand(Operand op, int indirectionIndex) { - Ssa::hasIndirectOperand(op, indirectionIndex) + TRawIndirectOperand(Operand op, int indirectionIndex) { + Ssa::hasRawIndirectOperand(op, indirectionIndex) } or - TIndirectInstruction(Instruction instr, int indirectionIndex) { - Ssa::hasIndirectInstruction(instr, indirectionIndex) + TRawIndirectInstruction(Instruction instr, int indirectionIndex) { + Ssa::hasRawIndirectInstruction(instr, indirectionIndex) } } @@ -583,7 +583,7 @@ class IndirectArgumentOutNode extends Node, TIndirectArgumentOutNode, PartialDef pragma[nomagic] predicate indirectReturnOutNodeOperand0(CallInstruction call, Operand operand, int indirectionIndex) { - Ssa::hasIndirectInstruction(call, indirectionIndex) and + Ssa::hasRawIndirectInstruction(call, indirectionIndex) and operandForfullyConvertedCall(operand, call) } @@ -591,7 +591,7 @@ pragma[nomagic] predicate indirectReturnOutNodeInstruction0( CallInstruction call, Instruction instr, int indirectionIndex ) { - Ssa::hasIndirectInstruction(call, indirectionIndex) and + Ssa::hasRawIndirectInstruction(call, indirectionIndex) and instructionForfullyConvertedCall(instr, call) } @@ -637,11 +637,11 @@ private Type getTypeImpl(Type t, int indirectionIndex) { * A node that represents the indirect value of an operand in the IR * after `index` number of loads. */ -class IndirectOperand extends Node, TIndirectOperand { +private class RawIndirectOperand extends Node, TRawIndirectOperand { Operand operand; int indirectionIndex; - IndirectOperand() { this = TIndirectOperand(operand, indirectionIndex) } + RawIndirectOperand() { this = TRawIndirectOperand(operand, indirectionIndex) } /** Gets the underlying instruction. */ Operand getOperand() { result = operand } 
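Review bot: In `indirectReturnOutNodeOperand0` the call to `Ssa::hasRawIndirectInstruction(call, indirectionIndex)` is narrower than the `hasIndirectInstruction` it replaces, because the SsaInternals.qll hunk of this patch adds `not exists(getIRRepresentationOfIndirectInstruction(instr, indirectionIndex))` to it. For a call that is the source address of a `LoadInstruction`, the predicate would then stop holding, so the rename may not be behaviour-preserving here. The same applies to `indirectReturnOutNodeInstruction0` in the following hunk (`@@ -591,7 +591,7 @@`). If only raw nodes are intended, a comment on both predicates should say so; their callers are outside the hunks.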
@@ -665,6 +665,31 @@ class IndirectOperand extends Node, TIndirectOperand { } } +class IndirectOperand extends Node { + Operand operand; + int indirectionIndex; + + IndirectOperand() { + this.(RawIndirectOperand).getOperand() = operand and + this.(RawIndirectOperand).getIndirectionIndex() = indirectionIndex + or + this.(OperandNode).getOperand() = + Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex) + } + + Operand getOperand() { result = operand } + + int getIndirectionIndex() { result = indirectionIndex } + + predicate isIRRepresentationOf(Operand op, int index) { + this instanceof OperandNode and + ( + op = operand and + index = indirectionIndex + ) + } +} + /** * The value of an uninitialized local variable, viewed as a node in a data * flow graph. @@ -690,11 +715,11 @@ class UninitializedNode extends Node { * A node that represents the indirect value of an instruction in the IR * after `index` number of loads. */ -class IndirectInstruction extends Node, TIndirectInstruction { +private class RawIndirectInstruction extends Node, TRawIndirectInstruction { Instruction instr; int indirectionIndex; - IndirectInstruction() { this = TIndirectInstruction(instr, indirectionIndex) } + RawIndirectInstruction() { this = TRawIndirectInstruction(instr, indirectionIndex) } /** Gets the underlying instruction. */ Instruction getInstruction() { result = instr } 
@@ -718,6 +743,31 @@ class IndirectInstruction extends Node, TIndirectInstruction { } } +class IndirectInstruction extends Node { + Instruction instr; + int indirectionIndex; + + IndirectInstruction() { + this.(RawIndirectInstruction).getInstruction() = instr and + this.(RawIndirectInstruction).getIndirectionIndex() = indirectionIndex + or + this.(InstructionNode).getInstruction() = + Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex) + } + + Instruction getInstruction() { result = instr } + + int getIndirectionIndex() { result = indirectionIndex } + + predicate isIRRepresentationOf(Instruction i, int index) { + this instanceof InstructionNode and + ( + i = instr and + index = indirectionIndex + ) + } +} + private predicate isFullyConvertedArgument(Expr e) { e = any(Call call).getAnArgument().getFullyConverted() } 
@@ -732,32 +782,20 @@ private predicate convertedExprMustBeOperand(Expr e) { } /** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */ -predicate exprNodeShouldBeOperand(Node node, Expr e) { - e = node.asOperand().getDef().getConvertedResultExpression() and - convertedExprMustBeOperand(e) -} - -/** - * Holds if `load` is a `LoadInstruction` that is the result of evaluating `e` - * and `node` is an `IndirectOperandNode` that should map `node.asExpr()` to `e`. - * - * We map `e` to `node.asExpr()` when `node` semantically represents the - * same value as `load`. A subsequent flow step will flow `node` to - * the `LoadInstruction`. - */ -private predicate exprNodeShouldBeIndirectOperand(IndirectOperand node, Expr e, LoadInstruction load) { - node.getIndirectionIndex() = 1 and - e = load.getConvertedResultExpression() and - load.getSourceAddressOperand() = node.getOperand() and - not convertedExprMustBeOperand(e) +predicate exprNodeShouldBeOperand(OperandNode node, Expr e) { + exists(Operand operand | + node.getOperand() = operand and + e = operand.getDef().getConvertedResultExpression() + | + convertedExprMustBeOperand(e) + or + node.(IndirectOperand).isIRRepresentationOf(_, _) + ) } /** Holds if `node` should be an `IndirectOperand` that maps `node.asIndirectExpr()` to `e`. */ -private predicate indirectExprNodeShouldBeIndirectOperand(IndirectOperand node, Expr e) { - exists(Instruction instr | - instr = node.getOperand().getDef() and - not node instanceof ExprNode - | +private predicate indirectExprNodeShouldBeIndirectOperand(RawIndirectOperand node, Expr e) { + exists(Instruction instr | instr = node.getOperand().getDef() | e = instr.(VariableAddressInstruction).getAst().(Expr).getFullyConverted() or not instr instanceof VariableAddressInstruction and 
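Review bot: The QLDoc kept above `exprNodeShouldBeOperand` describes only the `convertedExprMustBeOperand(e)` case, but the new body also holds when `node.(IndirectOperand).isIRRepresentationOf(_, _)`. The comment should name that second case, since it decides which node becomes the `ExprNode` for a loaded value. The QLDoc on `indirectExprNodeShouldBeIndirectOperand` likewise still says the node should be an `IndirectOperand`, although the parameter type is now `RawIndirectOperand`. The body of `indirectExprNodeShouldBeIndirectOperand` continues outside the hunk.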
@@ -777,7 +815,6 @@ private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, predicate exprNodeShouldBeInstruction(Node node, Expr e) { e = node.asInstruction().getConvertedResultExpression() and not exprNodeShouldBeOperand(_, e) and - not exprNodeShouldBeIndirectOperand(_, e, _) and not exprNodeShouldBeIndirectOutNode(_, e) } @@ -821,23 +858,6 @@ private class OperandExprNode extends ExprNodeBase, OperandNode { final override Expr getExpr() { result = this.getConvertedExpr().getUnconverted() } - final override string toStringImpl() { - // Avoid generating multiple `toString` results for `ArgumentNode`s - // since they have a better `toString`. - result = this.(ArgumentNode).toStringImpl() - or - not this instanceof ArgumentNode and - result = this.getConvertedExpr().toString() - } -} - -private class IndirectOperandExprNode extends ExprNodeBase, IndirectOperand { - IndirectOperandExprNode() { exprNodeShouldBeIndirectOperand(this, _, _) } - - final override Expr getConvertedExpr() { exprNodeShouldBeIndirectOperand(this, result, _) } - - final override Expr getExpr() { result = this.getConvertedExpr().getUnconverted() } - final override string toStringImpl() { result = this.getConvertedExpr().toString() } } @@ -852,7 +872,7 @@ abstract private class IndirectExprNodeBase extends Node { abstract Expr getExpr(int indirectionIndex); } -private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase, IndirectOperand { +private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase, RawIndirectOperand { IndirectOperandIndirectExprNode() { indirectExprNodeShouldBeIndirectOperand(this, _) } final override Expr getConvertedExpr(int index) { 
@@ -866,7 +886,8 @@ private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase, Indi } } -private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase, IndirectInstruction { +private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase, + RawIndirectInstruction { IndirectInstructionIndirectExprNode() { indirectExprNodeShouldBeIndirectInstruction(this, _) } final override Expr getConvertedExpr(int index) { @@ -886,8 +907,6 @@ private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgument final override Expr getConvertedExpr() { exprNodeShouldBeIndirectOutNode(this, result) } final override Expr getExpr() { result = this.getConvertedExpr() } - - final override string toStringImpl() { result = this.getConvertedExpr().toString() } } /** @@ -1154,7 +1173,7 @@ Node uninitializedNode(LocalVariable v) { none() } */ predicate localFlowStep = simpleLocalFlowStep/2; -private predicate indirectionOperandFlow(IndirectOperand nodeFrom, Node nodeTo) { +private predicate indirectionOperandFlow(RawIndirectOperand nodeFrom, Node nodeTo) { // Reduce the indirection count by 1 if we're passing through a `LoadInstruction`. exists(int ind, LoadInstruction load | hasOperandAndIndex(nodeFrom, load.getSourceAddressOperand(), ind) and @@ -1191,7 +1210,7 @@ predicate hasInstructionAndIndex( indirectInstr.getIndirectionIndex() = indirectionIndex } -private predicate indirectionInstructionFlow(IndirectInstruction nodeFrom, IndirectOperand nodeTo) { +private predicate indirectionInstructionFlow(RawIndirectInstruction nodeFrom, IndirectOperand nodeTo) { // If there's flow from an instruction to an operand, then there's also flow from the // indirect instruction to the indirect operand. exists(Operand operand, Instruction instr, int indirectionIndex | 
@@ -1470,9 +1489,9 @@ private IRBlock getBasicBlock(Node node) { or node.(SsaPhiNode).getPhiNode().getBasicBlock() = result or - node.(IndirectOperand).getOperand().getUse().getBlock() = result + node.(RawIndirectOperand).getOperand().getUse().getBlock() = result or - node.(IndirectInstruction).getInstruction().getBlock() = result + node.(RawIndirectInstruction).getInstruction().getBlock() = result or result = getBasicBlock(node.(PostUpdateNode).getPreUpdateNode()) } @@ -1518,10 +1537,11 @@ signature predicate instructionGuardChecksSig(IRGuardCondition g, Instruction in module InstructionBarrierGuard { /** Gets a node that is safely guarded by the given guard check. */ ExprNode getABarrierNode() { - exists(IRGuardCondition g, ValueNumber value, boolean edge | + exists(IRGuardCondition g, ValueNumber value, boolean edge, Operand use | instructionGuardChecks(g, value.getAnInstruction(), edge) and - result.asInstruction() = value.getAnInstruction() and - g.controls(result.asInstruction().getBlock(), edge) + use = value.getAnInstruction().getAUse() and + result.asOperand() = use and + g.controls(use.getDef().getBlock(), edge) ) } } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll index e1ffd9af9a1d..77acc76223e4 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll 
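Review bot: In `InstructionBarrierGuard::getABarrierNode` the barrier node is now the operand `use`, yet the control check is `g.controls(use.getDef().getBlock(), edge)`, which tests the block of the defining instruction rather than the block where the use occurs. A use inside the guarded region of a value defined before the guard would then not be treated as a barrier; this appears to err toward extra alerts rather than missed ones, but it is not obvious from the code. If the position of the use is what matters, `g.controls(use.getUse().getBlock(), edge)` says so directly; otherwise add a comment explaining why the definition's block is the right one.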
@@ -86,21 +86,31 @@ private module SourceVariables { import SourceVariables -predicate hasIndirectOperand(Operand op, int indirectionIndex) { +/** + * Holds if the `(operand, indirectionIndex)` columns should be + * assigned an `RawIndirectOperand` value. + */ +predicate hasRawIndirectOperand(Operand op, int indirectionIndex) { exists(CppType type, int m | not ignoreOperand(op) and type = getLanguageType(op) and m = countIndirectionsForCppType(type) and - indirectionIndex = [1 .. m] + indirectionIndex = [1 .. m] and + not exists(getIRRepresentationOfIndirectOperand(op, indirectionIndex)) ) } -predicate hasIndirectInstruction(Instruction instr, int indirectionIndex) { +/** + * Holds if the `(instr, indirectionIndex)` columns should be + * assigned an `RawIndirectInstruction` value. + */ +predicate hasRawIndirectInstruction(Instruction instr, int indirectionIndex) { exists(CppType type, int m | not ignoreInstruction(instr) and type = getResultLanguageType(instr) and m = countIndirectionsForCppType(type) and - indirectionIndex = [1 .. m] + indirectionIndex = [1 .. m] and + not exists(getIRRepresentationOfIndirectInstruction(instr, indirectionIndex)) ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll index 2e0a20fcfdcc..a07796fc6e29 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll 
@@ -166,6 +166,38 @@ private module Cached { ) } + /** + * Holds if the underlying IR has a suitable operand to represent a value + * that would otherwise need to be represented by a dedicated `RawIndirectOperand` value. + * + * Such operands do not create new `RawIndirectOperand` values, but are + * instead associated with the operand returned by this predicate. + */ + cached + Operand getIRRepresentationOfIndirectOperand(Operand operand, int indirectionIndex) { + exists(LoadInstruction load | + operand = load.getSourceAddressOperand() and + result = unique( | | load.getAUse()) and + isUseImpl(operand, _, indirectionIndex - 1) + ) + } + + /** + * Holds if the underlying IR has a suitable instruction to represent a value + * that would otherwise need to be represented by a dedicated `RawIndirectInstruction` value. + * + * Such instruction do not create new `RawIndirectOperand` values, but are + * instead associated with the instruction returned by this predicate. + */ + cached + Instruction getIRRepresentationOfIndirectInstruction(Instruction instr, int indirectionIndex) { + exists(LoadInstruction load | + load.getSourceAddress() = instr and + isUseImpl(load.getSourceAddressOperand(), _, indirectionIndex - 1) and + result = instr + ) + } + /** * Holds if `operand` is a use of an SSA variable rooted at `base`, and the * path from `base` to `operand` passes through `ind` load-like instructions. From c999704d1e0594f7e3cdde4b0ad9a0b0b2d26aba Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 11 Nov 2022 11:04:09 +0000 Subject: [PATCH 2/7] C++: Now that we sometimes target an operand where we'd target an instruction before we should pick the operand as the 'sink' in the call-target resolution recursion. --- .../semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
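Review bot: `getIRRepresentationOfIndirectInstruction` ends with `result = instr`, so the address instruction is returned as its own representation, whereas `getIRRepresentationOfIndirectOperand` returns the unique use of the load's result. If the instruction variant is meant to name the value produced by the load, this presumably should be `result = load`; if returning the address is intended, the QLDoc should explain why, unless a later patch in the series changes it. The QLDoc sentence "Such instruction do not create new `RawIndirectOperand` values" also looks copied from the operand predicate and should read "Such instructions" and `RawIndirectInstruction`. Both predicates have a result, so their QLDoc would conventionally start with "Gets" rather than "Holds if".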
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll index 85cb4da6ef1a..7bc51e3e2fcb 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll @@ -143,7 +143,7 @@ private module VirtualDispatch { private class DataSensitiveExprCall extends DataSensitiveCall { DataSensitiveExprCall() { not exists(this.getStaticCallTarget()) } - override DataFlow::Node getDispatchValue() { result.asInstruction() = this.getCallTarget() } + override DataFlow::Node getDispatchValue() { result.asOperand() = this.getCallTargetOperand() } override Function resolve() { exists(FunctionInstruction fi | From 1a1f07868453c22480a4a6c5c55248b7b1dd1b60 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 11 Nov 2022 11:04:47 +0000 Subject: [PATCH 3/7] C++: Also pick the operand as the 'ExprNode' when the expression is the qualifier of a call (and not just when it's an argument of a call). --- .../semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll index 1298478faf26..08c630f1606c 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll @@ -769,7 +769,11 @@ class IndirectInstruction extends Node { } private predicate isFullyConvertedArgument(Expr e) { - e = any(Call call).getAnArgument().getFullyConverted() + exists(Call call | + e = call.getAnArgument().getFullyConverted() + or + e = call.getQualifier().getFullyConverted() + ) } private predicate isFullyConvertedCall(Expr e) { e = any(Call call).getFullyConverted() } From e0a6c1622853a9f749f2a46011bbb352c5599a5b Mon Sep 17 00:00:00 2001 
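Review bot: `isFullyConvertedArgument` now also holds for the qualifier of a call through `e = call.getQualifier().getFullyConverted()`, so its name no longer describes what it matches and it has no QLDoc to say so. A comment such as `/** Holds if e is a fully converted argument or qualifier of some call. */` above the predicate would keep callers from assuming it covers arguments only. The predicates that consume it are outside the hunk.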
From: Mathias Vorreiter Pedersen Date: Thu, 10 Nov 2022 19:57:39 +0000 Subject: [PATCH 4/7] C++: Add missing QLDoc. --- .../cpp/ir/dataflow/internal/DataFlowUtil.qll | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll index 08c630f1606c..512063c7ae9e 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll @@ -646,6 +646,7 @@ private class RawIndirectOperand extends Node, TRawIndirectOperand { /** Gets the underlying instruction. */ Operand getOperand() { result = operand } + /** Gets the underlying indirection index. */ int getIndirectionIndex() { result = indirectionIndex } override Function getFunction() { result = this.getOperand().getDef().getEnclosingFunction() } @@ -665,6 +666,15 @@ private class RawIndirectOperand extends Node, TRawIndirectOperand { } } +/** + * INTERNAL: Do not use. + * + * A node that represents the indirect value of an operand in the IR + * after `index` number of loads. + * + * Note: Unlike `RawIndirectOperand`, a value of type `IndirectOperand` may + * be an `OperandNode`. + */ class IndirectOperand extends Node { Operand operand; int indirectionIndex; @@ -677,10 +687,16 @@ class IndirectOperand extends Node { Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex) } + /** Gets the underlying operand. */ Operand getOperand() { result = operand } + /** Gets the underlying indirection index. */ int getIndirectionIndex() { result = indirectionIndex } + /** + * Holds if this `IndirectOperand` is represented directly in the IR instead of + * a `RawIndirectionOperand` with operand `op` and indirection index `index`. + */ predicate isIRRepresentationOf(Operand op, int index) { this instanceof OperandNode and ( 
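Review bot: The QLDoc added to `IndirectOperand.isIRRepresentationOf` refers to `RawIndirectionOperand`, while the class declared in this series is `RawIndirectOperand`. The same slip appears as `RawIndirectionInstruction` in the `IndirectInstruction` hunk (`@@ -755,10 +781,16 @@`), where the class is `RawIndirectInstruction`. The body of `isIRRepresentationOf` continues outside the hunk.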
@@ -724,6 +740,7 @@ private class RawIndirectInstruction extends Node, TRawIndirectInstruction { /** Gets the underlying instruction. */ Instruction getInstruction() { result = instr } + /** Gets the underlying indirection index. */ int getIndirectionIndex() { result = indirectionIndex } override Function getFunction() { result = this.getInstruction().getEnclosingFunction() } @@ -743,6 +760,15 @@ private class RawIndirectInstruction extends Node, TRawIndirectInstruction { } } +/** + * INTERNAL: Do not use. + * + * A node that represents the indirect value of an instruction in the IR + * after `index` number of loads. + * + * Note: Unlike `RawIndirectInstruction`, a value of type `IndirectInstruction` may + * be an `InstructionNode`. + */ class IndirectInstruction extends Node { Instruction instr; int indirectionIndex; @@ -755,10 +781,16 @@ class IndirectInstruction extends Node { Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex) } + /** Gets the underlying instruction. */ Instruction getInstruction() { result = instr } + /** Gets the underlying indirection index. */ int getIndirectionIndex() { result = indirectionIndex } + /** + * Holds if this `IndirectInstruction` is represented directly in the IR instead of + * a `RawIndirectionInstruction` with instruction `i` and indirection index `index`. + */ predicate isIRRepresentationOf(Instruction i, int index) { this instanceof InstructionNode and ( From f53476871515b4740a81ab84e1d45dee4dbe7589 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Thu, 10 Nov 2022 17:45:22 +0000 Subject: [PATCH 5/7] C++: Fix join orders. --- .../ir/dataflow/internal/DataFlowPrivate.qll | 22 ++++++++++++------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll index 365f8843e797..8072e3a7cc48 100644 
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll @@ -178,15 +178,21 @@ private predicate hasNonInitializeParameterDef(IRVariable v) { class ReturnIndirectionNode extends IndirectReturnNode, ReturnNode { override ReturnKind getKind() { - exists(int argumentIndex, ReturnIndirectionInstruction returnInd | - returnInd.hasIndex(argumentIndex) and - this.getAddressOperand() = returnInd.getSourceAddressOperand() and - result = TIndirectReturnKind(argumentIndex, this.getIndirectionIndex()) and - hasNonInitializeParameterDef(returnInd.getIRVariable()) + exists(Operand op, int i | + hasOperandAndIndex(this, pragma[only_bind_into](op), pragma[only_bind_into](i)) + | + exists(int argumentIndex, ReturnIndirectionInstruction returnInd | + op = returnInd.getSourceAddressOperand() and + returnInd.hasIndex(argumentIndex) and + hasNonInitializeParameterDef(returnInd.getIRVariable()) and + result = TIndirectReturnKind(argumentIndex, pragma[only_bind_into](i)) + ) + or + exists(ReturnValueInstruction return | + op = return.getReturnAddressOperand() and + result = TNormalReturnKind(i - 1) + ) ) - or - this.getAddressOperand() = any(ReturnValueInstruction r).getReturnAddressOperand() and - result = TNormalReturnKind(this.getIndirectionIndex() - 1) } } From 0c7f57e0c4a5594a9f8c2f3e9406038ce8d17f94 Mon Sep 17 00:00:00 2001 
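Review bot: The `pragma[only_bind_into]` annotations added to `ReturnIndirectionNode.getKind` carry no comment saying which join order they protect, and `i` is wrapped in the first branch (`TIndirectReturnKind(argumentIndex, pragma[only_bind_into](i))`) but not in the second (`TNormalReturnKind(i - 1)`). A one-line comment above the outer `exists`, stating that `op` and `i` are bound through `hasOperandAndIndex` before the return instructions are joined, would keep the pragmas from being removed as noise; the wording should reflect the join order that was actually observed. Whether `hasOperandAndIndex(this, op, i)` is equivalent to the previous `getAddressOperand()` and `getIndirectionIndex()` calls cannot be checked from this hunk.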
From: Mathias Vorreiter Pedersen Date: Fri, 11 Nov 2022 11:05:32 +0000 Subject: [PATCH 6/7] C++: Accept test changes. --- .../tests/PrivateCleartextWrite.expected | 9 + .../annotate_path_to_sink/test_diff.cpp | 2 +- .../dataflow/dataflow-tests/BarrierGuard.cpp | 12 +- .../dataflow-ir-consistency.expected | 2 +- .../dataflow/dataflow-tests/test.cpp | 2 +- .../fields/dataflow-ir-consistency.expected | 106 +++++----- .../dataflow/fields/ir-path-flow.expected | 186 +++++++++--------- .../dataflow-ir-consistency.expected | 23 +-- .../CWE-134/semmle/argv/argvLocal.expected | 3 + .../CWE-134/semmle/funcs/funcsLocal.expected | 18 +- .../UncontrolledFormatString.expected | 6 + ...olledFormatStringThroughGlobalVar.expected | 6 + .../CWE-190/SAMATE/ArithmeticTainted.expected | 3 + .../ArithmeticUncontrolled.expected | 13 -- .../TaintedAllocationSize.expected | 30 --- .../semmle/tests/CleartextFileWrite.expected | 9 + .../semmle/tests/ExposedSystemData.expected | 8 +- .../Security/CWE/CWE-611/XXE.expected | 68 ++++++- 18 files changed, 272 insertions(+), 234 deletions(-) diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected index 637460886290..88a296d82ea5 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected @@ -1,5 +1,7 @@ edges | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | +| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | +| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | | test.cpp:74:24:74:30 | medical | test.cpp:81:22:81:28 | medical | | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | 
@@ -7,6 +9,8 @@ edges | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | +| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | +| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | @@ -14,6 +18,8 @@ edges | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | nodes 
@@ -40,6 +46,7 @@ subpaths | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. | | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. | | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. | +| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. | | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | | test.cpp:78:24:78:27 | temp | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | | test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | 
@@ -49,6 +56,7 @@ subpaths | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | +| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | | test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | | test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | | test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | 
@@ -56,5 +64,6 @@ subpaths | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. | | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. | | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. | | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. | | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. | diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/test_diff.cpp b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/test_diff.cpp index 247564f63642..667eef4ac91e 100644 --- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/test_diff.cpp 
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/test_diff.cpp @@ -101,7 +101,7 @@ int main(int argc, char *argv[]) { calls_sink_with_argv(*p[i]); // $ ir-path=96:26 ir-path=98:18 MISSING:ast - sink(*(argv + 1)); // $ ast ir-path ir-sink=96:26 ir-sink=98:18 ir-sink=104:12 + sink(*(argv + 1)); // $ ast ir-path ir-sink BaseWithPureVirtual* b = new DerivedCallsSink; diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp index 2dfd59d96143..758c46d942c0 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp @@ -4,7 +4,7 @@ bool guarded(int); void bg_basic(int source) { if (guarded(source)) { - sink(source); // $ SPURIOUS: ir + sink(source); } else { sink(source); // $ ast,ir } @@ -14,13 +14,13 @@ void bg_not(int source) { if (!guarded(source)) { sink(source); // $ ast,ir } else { - sink(source); // $ SPURIOUS: ir + sink(source); } } void bg_and(int source, bool arbitrary) { if (guarded(source) && arbitrary) { - sink(source); // $ SPURIOUS: ir + sink(source); } else { sink(source); // $ ast,ir } @@ -38,7 +38,7 @@ void bg_return(int source) { if (!guarded(source)) { return; } - sink(source); // $ SPURIOUS: ir + sink(source); } struct XY { @@ -48,7 +48,7 @@ struct XY { void bg_stackstruct(XY s1, XY s2) { s1.x = source(); if (guarded(s1.x)) { - sink(s1.x); // $ SPURIOUS: ast,ir + sink(s1.x); // $ SPURIOUS: ast } else if (guarded(s1.y)) { sink(s1.x); // $ ast,ir } else if (guarded(s2.y)) { @@ -59,7 +59,7 @@ void bg_stackstruct(XY s1, XY s2) { void bg_structptr(XY *p1, XY *p2) { p1->x = source(); if (guarded(p1->x)) { - sink(p1->x); // $ SPURIOUS: ast,ir + sink(p1->x); // $ SPURIOUS: ast } else if (guarded(p1->y)) { sink(p1->x); // $ ast,ir } else if (guarded(p2->x)) { 
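Review bot: Nothing on the guarded `sink(source);` line in bg_basic (BarrierGuard.cpp) records that an empty result is the expected outcome once the `SPURIOUS: ir` tag is gone, and the same holds for the bare guarded sinks in bg_not, bg_and and bg_return. A plain trailing comment such as `sink(source); // clean: guarded(source) holds on this path` would keep the intent readable without adding an expectation tag. These cases are the regression check for a barrier guard silently ceasing to apply, while the commit message describes only a de-duplication of IR-equivalent nodes. It would help to state there why the IR result disappears at the guarded sinks in all six hunks, including bg_stackstruct and bg_structptr, which are now `SPURIOUS: ast` only. The closing lines of bg_basic and of the other functions fall outside the hunks.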
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected index 7880941abd87..5d587c227b7b 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected @@ -36,7 +36,7 @@ reverseRead | dispatch.cpp:168:3:168:4 | Unary | Origin of readStep is missing a PostUpdateNode. | | dispatch.cpp:173:37:173:38 | Unary | Origin of readStep is missing a PostUpdateNode. | | dispatch.cpp:174:37:174:38 | Unary | Origin of readStep is missing a PostUpdateNode. | -| test.cpp:481:21:481:21 | Unary | Origin of readStep is missing a PostUpdateNode. | +| test.cpp:481:21:481:21 | s | Origin of readStep is missing a PostUpdateNode. | argHasPostUpdate postWithInFlow | test.cpp:384:10:384:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp index 11c8b2a78f81..e2be2a87e1be 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp @@ -346,7 +346,7 @@ namespace FlowThroughGlobals { void taintAndCall() { globalVar = source(); calledAfterTaint(); - sink(globalVar); // $ ast ir ir=333:17 ir=347:17 + sink(globalVar); // $ ast ir=333:17 ir=347:17 } } diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected index 3ee4797f0eee..eb70b9affbee 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected 
@@ -37,52 +37,52 @@ uniquePostUpdate | struct_init.c:41:16:41:20 | VariableAddress indirection | Node has multiple PostUpdateNodes. | postIsInSameCallable reverseRead -| A.cpp:49:10:49:10 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:65:10:65:11 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:66:10:66:11 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:74:10:74:11 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:75:10:75:11 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:107:12:107:13 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:120:12:120:13 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:132:10:132:10 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:152:10:152:10 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:153:10:153:10 | Unary | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:49:10:49:10 | b | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:65:10:65:11 | b1 | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:66:10:66:11 | b2 | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:74:10:74:11 | b1 | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:75:10:75:11 | b2 | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:107:12:107:13 | c1 | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:120:12:120:13 | c1 | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:132:10:132:10 | b | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:152:10:152:10 | d | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:153:10:153:10 | d | Origin of readStep is missing a PostUpdateNode. | | A.cpp:153:13:153:13 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:154:10:154:10 | Unary | Origin of readStep is missing a PostUpdateNode. 
| -| A.cpp:163:10:163:11 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:164:10:164:11 | Unary | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:154:10:154:10 | b | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:163:10:163:11 | l3 | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:164:10:164:11 | l3 | Origin of readStep is missing a PostUpdateNode. | | A.cpp:164:14:164:17 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:165:10:165:11 | Unary | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:165:10:165:11 | l3 | Origin of readStep is missing a PostUpdateNode. | | A.cpp:165:14:165:17 | Unary | Origin of readStep is missing a PostUpdateNode. | | A.cpp:165:20:165:23 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:166:10:166:11 | Unary | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:166:10:166:11 | l3 | Origin of readStep is missing a PostUpdateNode. | | A.cpp:166:14:166:17 | Unary | Origin of readStep is missing a PostUpdateNode. | | A.cpp:166:20:166:23 | Unary | Origin of readStep is missing a PostUpdateNode. | | A.cpp:166:26:166:29 | Unary | Origin of readStep is missing a PostUpdateNode. | -| A.cpp:169:12:169:12 | Unary | Origin of readStep is missing a PostUpdateNode. | -| B.cpp:9:10:9:11 | Unary | Origin of readStep is missing a PostUpdateNode. | +| A.cpp:169:12:169:12 | l | Origin of readStep is missing a PostUpdateNode. | +| B.cpp:9:10:9:11 | b2 | Origin of readStep is missing a PostUpdateNode. | | B.cpp:9:14:9:17 | Unary | Origin of readStep is missing a PostUpdateNode. | -| B.cpp:10:10:10:11 | Unary | Origin of readStep is missing a PostUpdateNode. | +| B.cpp:10:10:10:11 | b2 | Origin of readStep is missing a PostUpdateNode. | | B.cpp:10:14:10:17 | Unary | Origin of readStep is missing a PostUpdateNode. | -| B.cpp:18:10:18:11 | Unary | Origin of readStep is missing a PostUpdateNode. 
| +| B.cpp:18:10:18:11 | b2 | Origin of readStep is missing a PostUpdateNode. | | B.cpp:18:14:18:17 | Unary | Origin of readStep is missing a PostUpdateNode. | -| B.cpp:19:10:19:11 | Unary | Origin of readStep is missing a PostUpdateNode. | +| B.cpp:19:10:19:11 | b2 | Origin of readStep is missing a PostUpdateNode. | | B.cpp:19:14:19:17 | Unary | Origin of readStep is missing a PostUpdateNode. | -| C.cpp:29:10:29:11 | Unary | Origin of readStep is missing a PostUpdateNode. | -| C.cpp:31:10:31:11 | Unary | Origin of readStep is missing a PostUpdateNode. | -| D.cpp:30:5:30:5 | Unary | Origin of readStep is missing a PostUpdateNode. | -| D.cpp:37:5:37:5 | Unary | Origin of readStep is missing a PostUpdateNode. | +| C.cpp:29:10:29:11 | this | Origin of readStep is missing a PostUpdateNode. | +| C.cpp:31:10:31:11 | this | Origin of readStep is missing a PostUpdateNode. | +| D.cpp:30:5:30:5 | b | Origin of readStep is missing a PostUpdateNode. | +| D.cpp:37:5:37:5 | b | Origin of readStep is missing a PostUpdateNode. | | D.cpp:58:5:58:12 | Unary | Origin of readStep is missing a PostUpdateNode. | -| D.cpp:58:5:58:12 | Unary | Origin of readStep is missing a PostUpdateNode. | -| D.cpp:64:10:64:17 | Unary | Origin of readStep is missing a PostUpdateNode. | +| D.cpp:58:5:58:12 | this | Origin of readStep is missing a PostUpdateNode. | | D.cpp:64:10:64:17 | Unary | Origin of readStep is missing a PostUpdateNode. | +| D.cpp:64:10:64:17 | this | Origin of readStep is missing a PostUpdateNode. | | D.cpp:64:20:64:22 | Unary | Origin of readStep is missing a PostUpdateNode. | -| E.cpp:21:10:21:10 | Unary | Origin of readStep is missing a PostUpdateNode. | +| E.cpp:21:10:21:10 | p | Origin of readStep is missing a PostUpdateNode. | | E.cpp:21:13:21:16 | Unary | Origin of readStep is missing a PostUpdateNode. | -| E.cpp:29:21:29:21 | Unary | Origin of readStep is missing a PostUpdateNode. | +| E.cpp:29:21:29:21 | b | Origin of readStep is missing a PostUpdateNode. 
| | E.cpp:30:21:30:21 | Unary | Origin of readStep is missing a PostUpdateNode. | | E.cpp:30:23:30:26 | Unary | Origin of readStep is missing a PostUpdateNode. | -| E.cpp:32:10:32:10 | Unary | Origin of readStep is missing a PostUpdateNode. | +| E.cpp:32:10:32:10 | b | Origin of readStep is missing a PostUpdateNode. | | aliasing.cpp:70:11:70:11 | Unary | Origin of readStep is missing a PostUpdateNode. | | aliasing.cpp:73:8:73:8 | Unary | Origin of readStep is missing a PostUpdateNode. | | aliasing.cpp:77:11:77:11 | Unary | Origin of readStep is missing a PostUpdateNode. | 
@@ -109,12 +109,12 @@ reverseRead | aliasing.cpp:194:16:194:17 | Unary | Origin of readStep is missing a PostUpdateNode. | | aliasing.cpp:194:19:194:19 | Unary | Origin of readStep is missing a PostUpdateNode. | | aliasing.cpp:196:8:196:11 | Unary | Origin of readStep is missing a PostUpdateNode. | -| aliasing.cpp:200:16:200:18 | Unary | Origin of readStep is missing a PostUpdateNode. | +| aliasing.cpp:200:16:200:18 | ps2 | Origin of readStep is missing a PostUpdateNode. | | aliasing.cpp:200:21:200:21 | Unary | Origin of readStep is missing a PostUpdateNode. | -| aliasing.cpp:201:8:201:10 | Unary | Origin of readStep is missing a PostUpdateNode. | -| aliasing.cpp:205:16:205:18 | Unary | Origin of readStep is missing a PostUpdateNode. | +| aliasing.cpp:201:8:201:10 | ps2 | Origin of readStep is missing a PostUpdateNode. | +| aliasing.cpp:205:16:205:18 | ps2 | Origin of readStep is missing a PostUpdateNode. | | aliasing.cpp:205:21:205:21 | Unary | Origin of readStep is missing a PostUpdateNode. | -| aliasing.cpp:206:8:206:10 | Unary | Origin of readStep is missing a PostUpdateNode. | +| aliasing.cpp:206:8:206:10 | ps2 | Origin of readStep is missing a PostUpdateNode. | | arrays.cpp:36:3:36:3 | Unary | Origin of readStep is missing a PostUpdateNode. | | arrays.cpp:36:5:36:10 | Unary | Origin of readStep is missing a PostUpdateNode. | | arrays.cpp:37:8:37:8 | Unary | Origin of readStep is missing a PostUpdateNode. | 
@@ -142,35 +142,35 @@ reverseRead | by_reference.cpp:102:22:102:26 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:103:21:103:25 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:104:16:104:20 | Unary | Origin of readStep is missing a PostUpdateNode. | -| by_reference.cpp:106:22:106:27 | Unary | Origin of readStep is missing a PostUpdateNode. | -| by_reference.cpp:107:21:107:26 | Unary | Origin of readStep is missing a PostUpdateNode. | -| by_reference.cpp:108:16:108:21 | Unary | Origin of readStep is missing a PostUpdateNode. | +| by_reference.cpp:106:22:106:27 | pouter | Origin of readStep is missing a PostUpdateNode. | +| by_reference.cpp:107:21:107:26 | pouter | Origin of readStep is missing a PostUpdateNode. | +| by_reference.cpp:108:16:108:21 | pouter | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:110:8:110:12 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:110:14:110:25 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:111:8:111:12 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:111:14:111:22 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:112:8:112:12 | Unary | Origin of readStep is missing a PostUpdateNode. | -| by_reference.cpp:114:8:114:13 | Unary | Origin of readStep is missing a PostUpdateNode. | +| by_reference.cpp:114:8:114:13 | pouter | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:114:16:114:27 | Unary | Origin of readStep is missing a PostUpdateNode. | -| by_reference.cpp:115:8:115:13 | Unary | Origin of readStep is missing a PostUpdateNode. | +| by_reference.cpp:115:8:115:13 | pouter | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:115:16:115:24 | Unary | Origin of readStep is missing a PostUpdateNode. | -| by_reference.cpp:116:8:116:13 | Unary | Origin of readStep is missing a PostUpdateNode. 
| +| by_reference.cpp:116:8:116:13 | pouter | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:122:21:122:25 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:123:22:123:26 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:124:15:124:19 | Unary | Origin of readStep is missing a PostUpdateNode. | -| by_reference.cpp:126:21:126:26 | Unary | Origin of readStep is missing a PostUpdateNode. | -| by_reference.cpp:127:22:127:27 | Unary | Origin of readStep is missing a PostUpdateNode. | -| by_reference.cpp:128:15:128:20 | Unary | Origin of readStep is missing a PostUpdateNode. | +| by_reference.cpp:126:21:126:26 | pouter | Origin of readStep is missing a PostUpdateNode. | +| by_reference.cpp:127:22:127:27 | pouter | Origin of readStep is missing a PostUpdateNode. | +| by_reference.cpp:128:15:128:20 | pouter | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:130:8:130:12 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:130:14:130:25 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:131:8:131:12 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:131:14:131:22 | Unary | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:132:8:132:12 | Unary | Origin of readStep is missing a PostUpdateNode. | -| by_reference.cpp:134:8:134:13 | Unary | Origin of readStep is missing a PostUpdateNode. | +| by_reference.cpp:134:8:134:13 | pouter | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:134:16:134:27 | Unary | Origin of readStep is missing a PostUpdateNode. | -| by_reference.cpp:135:8:135:13 | Unary | Origin of readStep is missing a PostUpdateNode. | +| by_reference.cpp:135:8:135:13 | pouter | Origin of readStep is missing a PostUpdateNode. | | by_reference.cpp:135:16:135:24 | Unary | Origin of readStep is missing a PostUpdateNode. 
| -| by_reference.cpp:136:8:136:13 | Unary | Origin of readStep is missing a PostUpdateNode. | +| by_reference.cpp:136:8:136:13 | pouter | Origin of readStep is missing a PostUpdateNode. | | complex.cpp:22:3:22:5 | Unary | Origin of readStep is missing a PostUpdateNode. | | complex.cpp:25:7:25:7 | Unary | Origin of readStep is missing a PostUpdateNode. | | complex.cpp:42:8:42:8 | Unary | Origin of readStep is missing a PostUpdateNode. | @@ -185,10 +185,10 @@ reverseRead | complex.cpp:55:6:55:10 | Unary | Origin of readStep is missing a PostUpdateNode. | | complex.cpp:56:3:56:4 | Unary | Origin of readStep is missing a PostUpdateNode. | | complex.cpp:56:6:56:10 | Unary | Origin of readStep is missing a PostUpdateNode. | -| conflated.cpp:54:3:54:4 | Unary | Origin of readStep is missing a PostUpdateNode. | -| conflated.cpp:55:8:55:9 | Unary | Origin of readStep is missing a PostUpdateNode. | -| conflated.cpp:60:3:60:4 | Unary | Origin of readStep is missing a PostUpdateNode. | -| conflated.cpp:61:8:61:9 | Unary | Origin of readStep is missing a PostUpdateNode. | +| conflated.cpp:54:3:54:4 | ll | Origin of readStep is missing a PostUpdateNode. | +| conflated.cpp:55:8:55:9 | ll | Origin of readStep is missing a PostUpdateNode. | +| conflated.cpp:60:3:60:4 | ll | Origin of readStep is missing a PostUpdateNode. | +| conflated.cpp:61:8:61:9 | ll | Origin of readStep is missing a PostUpdateNode. | | qualifiers.cpp:23:10:23:14 | Unary | Origin of readStep is missing a PostUpdateNode. | | qualifiers.cpp:23:16:23:20 | Unary | Origin of readStep is missing a PostUpdateNode. | | qualifiers.cpp:28:10:28:14 | Unary | Origin of readStep is missing a PostUpdateNode. | 
@@ -228,10 +228,10 @@ reverseRead | realistic.cpp:65:21:65:30 | Unary | Origin of readStep is missing a PostUpdateNode. | | realistic.cpp:65:32:65:34 | Unary | Origin of readStep is missing a PostUpdateNode. | | realistic.cpp:65:37:65:45 | Unary | Origin of readStep is missing a PostUpdateNode. | -| simple.cpp:79:16:79:17 | Unary | Origin of readStep is missing a PostUpdateNode. | -| simple.cpp:83:9:83:10 | Unary | Origin of readStep is missing a PostUpdateNode. | -| struct_init.c:15:8:15:9 | Unary | Origin of readStep is missing a PostUpdateNode. | -| struct_init.c:16:8:16:9 | Unary | Origin of readStep is missing a PostUpdateNode. | +| simple.cpp:79:16:79:17 | this | Origin of readStep is missing a PostUpdateNode. | +| simple.cpp:83:9:83:10 | this | Origin of readStep is missing a PostUpdateNode. | +| struct_init.c:15:8:15:9 | ab | Origin of readStep is missing a PostUpdateNode. | +| struct_init.c:16:8:16:9 | ab | Origin of readStep is missing a PostUpdateNode. | | struct_init.c:22:8:22:9 | Unary | Origin of readStep is missing a PostUpdateNode. | | struct_init.c:23:8:23:9 | Unary | Origin of readStep is missing a PostUpdateNode. | | struct_init.c:26:16:26:20 | Unary | Origin of readStep is missing a PostUpdateNode. | diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected index fe6c2e965d9f..e696d86d9698 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected 
@@ -5,8 +5,8 @@ edges | A.cpp:27:22:27:32 | Store | A.cpp:27:28:27:28 | this indirection [post update] [c] | | A.cpp:28:8:28:10 | this indirection [c] | A.cpp:28:23:28:26 | this indirection [c] | | A.cpp:28:23:28:26 | this indirection [c] | A.cpp:28:8:28:10 | VariableAddress indirection | -| A.cpp:28:23:28:26 | this indirection [c] | A.cpp:28:29:28:29 | c | -| A.cpp:28:29:28:29 | c | A.cpp:28:8:28:10 | VariableAddress indirection | +| A.cpp:28:23:28:26 | this indirection [c] | A.cpp:28:29:28:29 | FieldAddress indirection | +| A.cpp:28:29:28:29 | FieldAddress indirection | A.cpp:28:8:28:10 | VariableAddress indirection | | A.cpp:29:23:29:23 | c | A.cpp:31:20:31:20 | c | | A.cpp:31:14:31:21 | call to B [c] | A.cpp:29:15:29:18 | VariableAddress indirection [c] | | A.cpp:31:20:31:20 | c | A.cpp:23:10:23:10 | c | @@ -20,9 +20,9 @@ edges | A.cpp:48:20:48:20 | c | A.cpp:29:23:29:23 | c | | A.cpp:48:20:48:20 | c | A.cpp:48:12:48:18 | call to make indirection [c] | | A.cpp:49:10:49:10 | b indirection [c] | A.cpp:49:10:49:13 | c | -| A.cpp:49:10:49:10 | b indirection [c] | A.cpp:49:13:49:13 | c | -| A.cpp:49:10:49:10 | b indirection [c] | A.cpp:49:13:49:13 | c | -| A.cpp:49:13:49:13 | c | A.cpp:49:10:49:13 | c | +| A.cpp:49:10:49:10 | b indirection [c] | A.cpp:49:13:49:13 | FieldAddress indirection | +| A.cpp:49:13:49:13 | FieldAddress indirection | A.cpp:49:10:49:13 | c | +| A.cpp:49:13:49:13 | FieldAddress indirection | A.cpp:49:13:49:13 | c | | A.cpp:55:5:55:5 | set output argument [c] | A.cpp:56:10:56:10 | b indirection [c] | | A.cpp:55:12:55:19 | new | A.cpp:27:17:27:17 | c | | A.cpp:55:12:55:19 | new | A.cpp:55:5:55:5 | set output argument [c] | 
@@ -41,17 +41,17 @@ edges | A.cpp:64:21:64:28 | new | A.cpp:64:21:64:28 | new | | A.cpp:64:21:64:28 | new | A.cpp:85:26:85:26 | c | | A.cpp:66:10:66:11 | b2 indirection [c] | A.cpp:66:10:66:14 | c | -| A.cpp:66:10:66:11 | b2 indirection [c] | A.cpp:66:14:66:14 | c | -| A.cpp:66:10:66:11 | b2 indirection [c] | A.cpp:66:14:66:14 | c | -| A.cpp:66:14:66:14 | c | A.cpp:66:10:66:14 | c | +| A.cpp:66:10:66:11 | b2 indirection [c] | A.cpp:66:14:66:14 | FieldAddress indirection | +| A.cpp:66:14:66:14 | FieldAddress indirection | A.cpp:66:10:66:14 | c | +| A.cpp:66:14:66:14 | FieldAddress indirection | A.cpp:66:14:66:14 | c | | A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] | A.cpp:75:10:75:11 | b2 indirection [c] | | A.cpp:73:25:73:32 | new | A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] | | A.cpp:73:25:73:32 | new | A.cpp:73:25:73:32 | new | | A.cpp:73:25:73:32 | new | A.cpp:78:27:78:27 | c | | A.cpp:75:10:75:11 | b2 indirection [c] | A.cpp:75:10:75:14 | c | -| A.cpp:75:10:75:11 | b2 indirection [c] | A.cpp:75:14:75:14 | c | -| A.cpp:75:10:75:11 | b2 indirection [c] | A.cpp:75:14:75:14 | c | -| A.cpp:75:14:75:14 | c | A.cpp:75:10:75:14 | c | +| A.cpp:75:10:75:11 | b2 indirection [c] | A.cpp:75:14:75:14 | FieldAddress indirection | +| A.cpp:75:14:75:14 | FieldAddress indirection | A.cpp:75:10:75:14 | c | +| A.cpp:75:14:75:14 | FieldAddress indirection | A.cpp:75:14:75:14 | c | | A.cpp:78:27:78:27 | c | A.cpp:81:21:81:21 | c | | A.cpp:81:10:81:15 | call to setOnB indirection [c] | A.cpp:78:6:78:15 | VariableAddress indirection [c] | | A.cpp:81:21:81:21 | c | A.cpp:81:10:81:15 | call to setOnB indirection [c] | 
@@ -67,22 +67,22 @@ edges | A.cpp:103:14:103:14 | c indirection [a] | A.cpp:107:12:107:13 | c1 indirection [a] | | A.cpp:103:14:103:14 | c indirection [a] | A.cpp:120:12:120:13 | c1 indirection [a] | | A.cpp:107:12:107:13 | c1 indirection [a] | A.cpp:107:12:107:16 | a | -| A.cpp:107:12:107:13 | c1 indirection [a] | A.cpp:107:16:107:16 | a | -| A.cpp:107:12:107:13 | c1 indirection [a] | A.cpp:107:16:107:16 | a | -| A.cpp:107:16:107:16 | a | A.cpp:107:12:107:16 | a | +| A.cpp:107:12:107:13 | c1 indirection [a] | A.cpp:107:16:107:16 | FieldAddress indirection | +| A.cpp:107:16:107:16 | FieldAddress indirection | A.cpp:107:12:107:16 | a | +| A.cpp:107:16:107:16 | FieldAddress indirection | A.cpp:107:16:107:16 | a | | A.cpp:120:12:120:13 | c1 indirection [a] | A.cpp:120:12:120:16 | a | -| A.cpp:120:12:120:13 | c1 indirection [a] | A.cpp:120:16:120:16 | a | -| A.cpp:120:12:120:13 | c1 indirection [a] | A.cpp:120:16:120:16 | a | -| A.cpp:120:16:120:16 | a | A.cpp:120:12:120:16 | a | +| A.cpp:120:12:120:13 | c1 indirection [a] | A.cpp:120:16:120:16 | FieldAddress indirection | +| A.cpp:120:16:120:16 | FieldAddress indirection | A.cpp:120:12:120:16 | a | +| A.cpp:120:16:120:16 | FieldAddress indirection | A.cpp:120:16:120:16 | a | | A.cpp:126:5:126:5 | set output argument [c] | A.cpp:131:8:131:8 | f7 output argument [c] | | A.cpp:126:12:126:18 | new | A.cpp:27:17:27:17 | c | | A.cpp:126:12:126:18 | new | A.cpp:126:5:126:5 | set output argument [c] | | A.cpp:126:12:126:18 | new | A.cpp:126:12:126:18 | new | | A.cpp:131:8:131:8 | f7 output argument [c] | A.cpp:132:10:132:10 | b indirection [c] | | A.cpp:132:10:132:10 | b indirection [c] | A.cpp:132:10:132:13 | c | -| A.cpp:132:10:132:10 | b indirection [c] | A.cpp:132:13:132:13 | c | -| A.cpp:132:10:132:10 | b indirection [c] | A.cpp:132:13:132:13 | c | -| A.cpp:132:13:132:13 | c | A.cpp:132:10:132:13 | c | +| A.cpp:132:10:132:10 | b indirection [c] | A.cpp:132:13:132:13 | FieldAddress indirection | +| A.cpp:132:13:132:13 | 
FieldAddress indirection | A.cpp:132:10:132:13 | c | +| A.cpp:132:13:132:13 | FieldAddress indirection | A.cpp:132:13:132:13 | c | | A.cpp:140:13:140:13 | b | A.cpp:143:7:143:31 | Store | | A.cpp:142:7:142:20 | Store | A.cpp:142:10:142:10 | b indirection [post update] [c] | | A.cpp:142:10:142:10 | b indirection [post update] [c] | A.cpp:143:7:143:31 | Store indirection [c] | 
@@ -101,20 +101,20 @@ edges | A.cpp:151:18:151:18 | b | A.cpp:140:13:140:13 | b | | A.cpp:151:18:151:18 | b | A.cpp:151:12:151:24 | call to D [b] | | A.cpp:152:10:152:10 | d indirection [b] | A.cpp:152:10:152:13 | b | -| A.cpp:152:10:152:10 | d indirection [b] | A.cpp:152:13:152:13 | b | -| A.cpp:152:10:152:10 | d indirection [b] | A.cpp:152:13:152:13 | b | -| A.cpp:152:13:152:13 | b | A.cpp:152:10:152:13 | b | +| A.cpp:152:10:152:10 | d indirection [b] | A.cpp:152:13:152:13 | FieldAddress indirection | +| A.cpp:152:13:152:13 | FieldAddress indirection | A.cpp:152:10:152:13 | b | +| A.cpp:152:13:152:13 | FieldAddress indirection | A.cpp:152:13:152:13 | b | | A.cpp:153:10:153:10 | d indirection [b indirection, c] | A.cpp:153:13:153:13 | FieldAddress indirection [c] | | A.cpp:153:10:153:10 | d indirection [b indirection, c] | A.cpp:153:13:153:13 | b indirection [c] | | A.cpp:153:13:153:13 | FieldAddress indirection [c] | A.cpp:153:13:153:13 | b indirection [c] | | A.cpp:153:13:153:13 | b indirection [c] | A.cpp:153:10:153:16 | c | -| A.cpp:153:13:153:13 | b indirection [c] | A.cpp:153:16:153:16 | c | -| A.cpp:153:13:153:13 | b indirection [c] | A.cpp:153:16:153:16 | c | -| A.cpp:153:16:153:16 | c | A.cpp:153:10:153:16 | c | +| A.cpp:153:13:153:13 | b indirection [c] | A.cpp:153:16:153:16 | FieldAddress indirection | +| A.cpp:153:16:153:16 | FieldAddress indirection | A.cpp:153:10:153:16 | c | +| A.cpp:153:16:153:16 | FieldAddress indirection | A.cpp:153:16:153:16 | c | | A.cpp:154:10:154:10 | b indirection [c] | A.cpp:154:10:154:13 | c | -| A.cpp:154:10:154:10 | b indirection [c] | A.cpp:154:13:154:13 | c | -| A.cpp:154:10:154:10 | b indirection [c] | A.cpp:154:13:154:13 | c | -| A.cpp:154:13:154:13 | c | A.cpp:154:10:154:13 | c | +| A.cpp:154:10:154:10 | b indirection [c] | A.cpp:154:13:154:13 | FieldAddress indirection | +| A.cpp:154:13:154:13 | FieldAddress indirection | A.cpp:154:10:154:13 | c | +| A.cpp:154:13:154:13 | FieldAddress indirection | 
A.cpp:154:13:154:13 | c | | A.cpp:159:12:159:18 | new | A.cpp:160:29:160:29 | b | | A.cpp:160:18:160:60 | call to MyList [head] | A.cpp:161:38:161:39 | l1 indirection [head] | | A.cpp:160:29:160:29 | b | A.cpp:160:18:160:60 | call to MyList [head] | @@ -133,9 +133,9 @@ edges | A.cpp:165:14:165:17 | next indirection [next indirection, head] | A.cpp:165:20:165:23 | next indirection [head] | | A.cpp:165:20:165:23 | FieldAddress indirection [head] | A.cpp:165:20:165:23 | next indirection [head] | | A.cpp:165:20:165:23 | next indirection [head] | A.cpp:165:10:165:29 | head | -| A.cpp:165:20:165:23 | next indirection [head] | A.cpp:165:26:165:29 | head | -| A.cpp:165:20:165:23 | next indirection [head] | A.cpp:165:26:165:29 | head | -| A.cpp:165:26:165:29 | head | A.cpp:165:10:165:29 | head | +| A.cpp:165:20:165:23 | next indirection [head] | A.cpp:165:26:165:29 | FieldAddress indirection | +| A.cpp:165:26:165:29 | FieldAddress indirection | A.cpp:165:10:165:29 | head | +| A.cpp:165:26:165:29 | FieldAddress indirection | A.cpp:165:26:165:29 | head | | A.cpp:167:44:167:44 | l indirection [next indirection, head] | A.cpp:167:47:167:50 | FieldAddress indirection [head] | | A.cpp:167:44:167:44 | l indirection [next indirection, head] | A.cpp:167:47:167:50 | next indirection [head] | | A.cpp:167:44:167:44 | l indirection [next indirection, next indirection, head] | A.cpp:167:47:167:50 | FieldAddress indirection [next indirection, head] | 
@@ -145,9 +145,9 @@ edges | A.cpp:167:47:167:50 | next indirection [head] | A.cpp:169:12:169:12 | l indirection [head] | | A.cpp:167:47:167:50 | next indirection [next indirection, head] | A.cpp:167:44:167:44 | l indirection [next indirection, head] | | A.cpp:169:12:169:12 | l indirection [head] | A.cpp:169:12:169:18 | head | -| A.cpp:169:12:169:12 | l indirection [head] | A.cpp:169:15:169:18 | head | -| A.cpp:169:12:169:12 | l indirection [head] | A.cpp:169:15:169:18 | head | -| A.cpp:169:15:169:18 | head | A.cpp:169:12:169:18 | head | +| A.cpp:169:12:169:12 | l indirection [head] | A.cpp:169:15:169:18 | FieldAddress indirection | +| A.cpp:169:15:169:18 | FieldAddress indirection | A.cpp:169:12:169:18 | head | +| A.cpp:169:15:169:18 | FieldAddress indirection | A.cpp:169:15:169:18 | head | | A.cpp:181:15:181:21 | newHead | A.cpp:183:7:183:20 | Store | | A.cpp:181:32:181:35 | next indirection [head] | A.cpp:184:7:184:23 | Store indirection [head] | | A.cpp:181:32:181:35 | next indirection [next indirection, head] | A.cpp:184:7:184:23 | Store indirection [next indirection, head] | 
@@ -165,9 +165,9 @@ edges | B.cpp:9:10:9:11 | b2 indirection [box1 indirection, elem1] | B.cpp:9:14:9:17 | box1 indirection [elem1] | | B.cpp:9:14:9:17 | FieldAddress indirection [elem1] | B.cpp:9:14:9:17 | box1 indirection [elem1] | | B.cpp:9:14:9:17 | box1 indirection [elem1] | B.cpp:9:10:9:24 | elem1 | -| B.cpp:9:14:9:17 | box1 indirection [elem1] | B.cpp:9:20:9:24 | elem1 | -| B.cpp:9:14:9:17 | box1 indirection [elem1] | B.cpp:9:20:9:24 | elem1 | -| B.cpp:9:20:9:24 | elem1 | B.cpp:9:10:9:24 | elem1 | +| B.cpp:9:14:9:17 | box1 indirection [elem1] | B.cpp:9:20:9:24 | FieldAddress indirection | +| B.cpp:9:20:9:24 | FieldAddress indirection | B.cpp:9:10:9:24 | elem1 | +| B.cpp:9:20:9:24 | FieldAddress indirection | B.cpp:9:20:9:24 | elem1 | | B.cpp:15:15:15:27 | new | B.cpp:16:37:16:37 | e | | B.cpp:16:16:16:38 | call to Box1 [elem2] | B.cpp:17:25:17:26 | b1 indirection [elem2] | | B.cpp:16:37:16:37 | e | B.cpp:16:16:16:38 | call to Box1 [elem2] | @@ -179,9 +179,9 @@ edges | B.cpp:19:10:19:11 | b2 indirection [box1 indirection, elem2] | B.cpp:19:14:19:17 | box1 indirection [elem2] | | B.cpp:19:14:19:17 | FieldAddress indirection [elem2] | B.cpp:19:14:19:17 | box1 indirection [elem2] | | B.cpp:19:14:19:17 | box1 indirection [elem2] | B.cpp:19:10:19:24 | elem2 | -| B.cpp:19:14:19:17 | box1 indirection [elem2] | B.cpp:19:20:19:24 | elem2 | -| B.cpp:19:14:19:17 | box1 indirection [elem2] | B.cpp:19:20:19:24 | elem2 | -| B.cpp:19:20:19:24 | elem2 | B.cpp:19:10:19:24 | elem2 | +| B.cpp:19:14:19:17 | box1 indirection [elem2] | B.cpp:19:20:19:24 | FieldAddress indirection | +| B.cpp:19:20:19:24 | FieldAddress indirection | B.cpp:19:10:19:24 | elem2 | +| B.cpp:19:20:19:24 | FieldAddress indirection | B.cpp:19:20:19:24 | elem2 | | B.cpp:33:16:33:17 | e1 | B.cpp:35:7:35:22 | Store | | B.cpp:33:26:33:27 | e2 | B.cpp:36:7:36:22 | Store | | B.cpp:35:7:35:22 | Store | B.cpp:35:13:35:17 | this indirection [post update] [elem1] | 
@@ -209,9 +209,9 @@ edges | C.cpp:31:10:31:11 | this indirection [s3] | C.cpp:31:10:31:11 | FieldAddress indirection | | C.cpp:31:10:31:11 | this indirection [s3] | C.cpp:31:10:31:11 | s3 | | D.cpp:10:11:10:17 | this indirection [elem] | D.cpp:10:30:10:33 | this indirection [elem] | -| D.cpp:10:30:10:33 | elem | D.cpp:10:11:10:17 | VariableAddress indirection | +| D.cpp:10:30:10:33 | FieldAddress indirection | D.cpp:10:11:10:17 | VariableAddress indirection | | D.cpp:10:30:10:33 | this indirection [elem] | D.cpp:10:11:10:17 | VariableAddress indirection | -| D.cpp:10:30:10:33 | this indirection [elem] | D.cpp:10:30:10:33 | elem | +| D.cpp:10:30:10:33 | this indirection [elem] | D.cpp:10:30:10:33 | FieldAddress indirection | | D.cpp:11:24:11:24 | e | D.cpp:11:29:11:36 | Store | | D.cpp:11:29:11:36 | Store | D.cpp:11:29:11:32 | this indirection [post update] [elem] | | D.cpp:17:11:17:17 | this indirection [box indirection, elem] | D.cpp:17:30:17:32 | this indirection [box indirection, elem] | 
@@ -260,9 +260,9 @@ edges | D.cpp:64:10:64:17 | this indirection [boxfield indirection, box indirection, elem] | D.cpp:64:10:64:17 | boxfield indirection [box indirection, elem] | | D.cpp:64:20:64:22 | FieldAddress indirection [elem] | D.cpp:64:20:64:22 | box indirection [elem] | | D.cpp:64:20:64:22 | box indirection [elem] | D.cpp:64:10:64:28 | elem | -| D.cpp:64:20:64:22 | box indirection [elem] | D.cpp:64:25:64:28 | elem | -| D.cpp:64:20:64:22 | box indirection [elem] | D.cpp:64:25:64:28 | elem | -| D.cpp:64:25:64:28 | elem | D.cpp:64:10:64:28 | elem | +| D.cpp:64:20:64:22 | box indirection [elem] | D.cpp:64:25:64:28 | FieldAddress indirection | +| D.cpp:64:25:64:28 | FieldAddress indirection | D.cpp:64:10:64:28 | elem | +| D.cpp:64:25:64:28 | FieldAddress indirection | D.cpp:64:25:64:28 | elem | | E.cpp:19:27:19:27 | p indirection [data, buffer indirection] | E.cpp:21:10:21:10 | p indirection [data, buffer indirection] | | E.cpp:21:10:21:10 | p indirection [data, buffer indirection] | E.cpp:21:13:21:16 | data indirection [buffer indirection] | | E.cpp:21:13:21:16 | data indirection [buffer indirection] | E.cpp:21:18:21:23 | FieldAddress indirection | 
@@ -443,12 +443,12 @@ edges | by_reference.cpp:24:25:24:29 | value | by_reference.cpp:24:19:24:22 | nonMemberSetA output argument [a] | | by_reference.cpp:31:46:31:46 | s indirection [a] | by_reference.cpp:32:12:32:12 | s indirection [a] | | by_reference.cpp:32:12:32:12 | s indirection [a] | by_reference.cpp:31:16:31:28 | VariableAddress indirection | -| by_reference.cpp:32:12:32:12 | s indirection [a] | by_reference.cpp:32:15:32:15 | a | -| by_reference.cpp:32:15:32:15 | a | by_reference.cpp:31:16:31:28 | VariableAddress indirection | +| by_reference.cpp:32:12:32:12 | s indirection [a] | by_reference.cpp:32:15:32:15 | FieldAddress indirection | +| by_reference.cpp:32:15:32:15 | FieldAddress indirection | by_reference.cpp:31:16:31:28 | VariableAddress indirection | | by_reference.cpp:35:9:35:19 | this indirection [a] | by_reference.cpp:36:12:36:15 | this indirection [a] | | by_reference.cpp:36:12:36:15 | this indirection [a] | by_reference.cpp:35:9:35:19 | VariableAddress indirection | -| by_reference.cpp:36:12:36:15 | this indirection [a] | by_reference.cpp:36:18:36:18 | a | -| by_reference.cpp:36:18:36:18 | a | by_reference.cpp:35:9:35:19 | VariableAddress indirection | +| by_reference.cpp:36:12:36:15 | this indirection [a] | by_reference.cpp:36:18:36:18 | FieldAddress indirection | +| by_reference.cpp:36:18:36:18 | FieldAddress indirection | by_reference.cpp:35:9:35:19 | VariableAddress indirection | | by_reference.cpp:39:9:39:21 | this indirection [a] | by_reference.cpp:40:12:40:15 | this indirection [a] | | by_reference.cpp:40:12:40:15 | this indirection [a] | by_reference.cpp:35:9:35:19 | this indirection [a] | | by_reference.cpp:40:12:40:15 | this indirection [a] | by_reference.cpp:39:9:39:21 | VariableAddress indirection | 
@@ -570,13 +570,13 @@ edges | by_reference.cpp:136:8:136:13 | pouter indirection [a] | by_reference.cpp:136:16:136:16 | a | | by_reference.cpp:136:16:136:16 | FieldAddress indirection | by_reference.cpp:136:16:136:16 | a | | complex.cpp:9:7:9:7 | this indirection [a_] | complex.cpp:9:20:9:21 | this indirection [a_] | -| complex.cpp:9:20:9:21 | a_ | complex.cpp:9:7:9:7 | VariableAddress indirection | +| complex.cpp:9:20:9:21 | FieldAddress indirection | complex.cpp:9:7:9:7 | VariableAddress indirection | | complex.cpp:9:20:9:21 | this indirection [a_] | complex.cpp:9:7:9:7 | VariableAddress indirection | -| complex.cpp:9:20:9:21 | this indirection [a_] | complex.cpp:9:20:9:21 | a_ | +| complex.cpp:9:20:9:21 | this indirection [a_] | complex.cpp:9:20:9:21 | FieldAddress indirection | | complex.cpp:10:7:10:7 | this indirection [b_] | complex.cpp:10:20:10:21 | this indirection [b_] | -| complex.cpp:10:20:10:21 | b_ | complex.cpp:10:7:10:7 | VariableAddress indirection | +| complex.cpp:10:20:10:21 | FieldAddress indirection | complex.cpp:10:7:10:7 | VariableAddress indirection | | complex.cpp:10:20:10:21 | this indirection [b_] | complex.cpp:10:7:10:7 | VariableAddress indirection | -| complex.cpp:10:20:10:21 | this indirection [b_] | complex.cpp:10:20:10:21 | b_ | +| complex.cpp:10:20:10:21 | this indirection [b_] | complex.cpp:10:20:10:21 | FieldAddress indirection | | complex.cpp:11:17:11:17 | a | complex.cpp:11:22:11:27 | Store | | complex.cpp:11:22:11:27 | Store | complex.cpp:11:22:11:23 | this indirection [post update] [a_] | | complex.cpp:12:17:12:17 | b | complex.cpp:12:22:12:27 | Store | 
@@ -675,13 +675,13 @@ edges | conflated.cpp:61:12:61:15 | next indirection [y] | conflated.cpp:61:18:61:18 | y | | conflated.cpp:61:18:61:18 | FieldAddress indirection | conflated.cpp:61:18:61:18 | y | | constructors.cpp:18:9:18:9 | this indirection [a_] | constructors.cpp:18:22:18:23 | this indirection [a_] | -| constructors.cpp:18:22:18:23 | a_ | constructors.cpp:18:9:18:9 | VariableAddress indirection | +| constructors.cpp:18:22:18:23 | FieldAddress indirection | constructors.cpp:18:9:18:9 | VariableAddress indirection | | constructors.cpp:18:22:18:23 | this indirection [a_] | constructors.cpp:18:9:18:9 | VariableAddress indirection | -| constructors.cpp:18:22:18:23 | this indirection [a_] | constructors.cpp:18:22:18:23 | a_ | +| constructors.cpp:18:22:18:23 | this indirection [a_] | constructors.cpp:18:22:18:23 | FieldAddress indirection | | constructors.cpp:19:9:19:9 | this indirection [b_] | constructors.cpp:19:22:19:23 | this indirection [b_] | -| constructors.cpp:19:22:19:23 | b_ | constructors.cpp:19:9:19:9 | VariableAddress indirection | +| constructors.cpp:19:22:19:23 | FieldAddress indirection | constructors.cpp:19:9:19:9 | VariableAddress indirection | | constructors.cpp:19:22:19:23 | this indirection [b_] | constructors.cpp:19:9:19:9 | VariableAddress indirection | -| constructors.cpp:19:22:19:23 | this indirection [b_] | constructors.cpp:19:22:19:23 | b_ | +| constructors.cpp:19:22:19:23 | this indirection [b_] | constructors.cpp:19:22:19:23 | FieldAddress indirection | | constructors.cpp:23:13:23:13 | a | constructors.cpp:23:28:23:28 | Store | | constructors.cpp:23:20:23:20 | b | constructors.cpp:23:35:23:35 | Store | | constructors.cpp:23:28:23:28 | Store | constructors.cpp:23:25:23:29 | this indirection [post update] [a_] | 
@@ -787,17 +787,17 @@ edges | realistic.cpp:61:32:61:34 | FieldAddress indirection [userInput, bufferLen] | realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] | | realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] | realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] | | realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] | realistic.cpp:61:14:61:55 | bufferLen | -| realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] | realistic.cpp:61:47:61:55 | bufferLen | -| realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] | realistic.cpp:61:47:61:55 | bufferLen | -| realistic.cpp:61:47:61:55 | bufferLen | realistic.cpp:61:14:61:55 | bufferLen | +| realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] | realistic.cpp:61:47:61:55 | FieldAddress indirection | +| realistic.cpp:61:47:61:55 | FieldAddress indirection | realistic.cpp:61:14:61:55 | bufferLen | +| realistic.cpp:61:47:61:55 | FieldAddress indirection | realistic.cpp:61:47:61:55 | bufferLen | | simple.cpp:18:9:18:9 | this indirection [a_] | simple.cpp:18:22:18:23 | this indirection [a_] | -| simple.cpp:18:22:18:23 | a_ | simple.cpp:18:9:18:9 | VariableAddress indirection | +| simple.cpp:18:22:18:23 | FieldAddress indirection | simple.cpp:18:9:18:9 | VariableAddress indirection | | simple.cpp:18:22:18:23 | this indirection [a_] | simple.cpp:18:9:18:9 | VariableAddress indirection | -| simple.cpp:18:22:18:23 | this indirection [a_] | simple.cpp:18:22:18:23 | a_ | +| simple.cpp:18:22:18:23 | this indirection [a_] | simple.cpp:18:22:18:23 | FieldAddress indirection | | simple.cpp:19:9:19:9 | this indirection [b_] | simple.cpp:19:22:19:23 | this indirection [b_] | -| simple.cpp:19:22:19:23 | b_ | simple.cpp:19:9:19:9 | VariableAddress indirection | +| simple.cpp:19:22:19:23 | FieldAddress indirection | simple.cpp:19:9:19:9 | VariableAddress indirection | | simple.cpp:19:22:19:23 | this indirection [b_] | simple.cpp:19:9:19:9 | VariableAddress 
indirection | -| simple.cpp:19:22:19:23 | this indirection [b_] | simple.cpp:19:22:19:23 | b_ | +| simple.cpp:19:22:19:23 | this indirection [b_] | simple.cpp:19:22:19:23 | FieldAddress indirection | | simple.cpp:20:19:20:19 | a | simple.cpp:20:24:20:29 | Store | | simple.cpp:20:24:20:29 | Store | simple.cpp:20:24:20:25 | this indirection [post update] [a_] | | simple.cpp:21:19:21:19 | b | simple.cpp:21:24:21:29 | Store | @@ -832,9 +832,9 @@ edges | simple.cpp:67:13:67:13 | FieldAddress indirection | simple.cpp:67:13:67:13 | i | | simple.cpp:78:9:78:15 | this indirection [f2, f1] | simple.cpp:79:16:79:17 | this indirection [f2, f1] | | simple.cpp:79:16:79:17 | f2 indirection [f1] | simple.cpp:78:9:78:15 | VariableAddress indirection | -| simple.cpp:79:16:79:17 | f2 indirection [f1] | simple.cpp:79:19:79:20 | f1 | +| simple.cpp:79:16:79:17 | f2 indirection [f1] | simple.cpp:79:19:79:20 | FieldAddress indirection | | simple.cpp:79:16:79:17 | this indirection [f2, f1] | simple.cpp:79:16:79:17 | f2 indirection [f1] | -| simple.cpp:79:19:79:20 | f1 | simple.cpp:78:9:78:15 | VariableAddress indirection | +| simple.cpp:79:19:79:20 | FieldAddress indirection | simple.cpp:78:9:78:15 | VariableAddress indirection | | simple.cpp:83:9:83:10 | this indirection [post update] [f2, f1] | simple.cpp:84:14:84:20 | this indirection [f2, f1] | | simple.cpp:83:9:83:28 | Store | simple.cpp:83:12:83:13 | f2 indirection [post update] [f1] | | simple.cpp:83:12:83:13 | f2 indirection [post update] [f1] | simple.cpp:83:9:83:10 | this indirection [post update] [f2, f1] | 
@@ -901,7 +901,7 @@ nodes | A.cpp:28:8:28:10 | VariableAddress indirection | semmle.label | VariableAddress indirection | | A.cpp:28:8:28:10 | this indirection [c] | semmle.label | this indirection [c] | | A.cpp:28:23:28:26 | this indirection [c] | semmle.label | this indirection [c] | -| A.cpp:28:29:28:29 | c | semmle.label | c | +| A.cpp:28:29:28:29 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:29:15:29:18 | VariableAddress indirection [c] | semmle.label | VariableAddress indirection [c] | | A.cpp:29:23:29:23 | c | semmle.label | c | | A.cpp:31:14:31:21 | call to B [c] | semmle.label | call to B [c] | @@ -915,7 +915,7 @@ nodes | A.cpp:48:20:48:20 | c | semmle.label | c | | A.cpp:49:10:49:10 | b indirection [c] | semmle.label | b indirection [c] | | A.cpp:49:10:49:13 | c | semmle.label | c | -| A.cpp:49:13:49:13 | c | semmle.label | c | +| A.cpp:49:13:49:13 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:49:13:49:13 | c | semmle.label | c | | A.cpp:55:5:55:5 | set output argument [c] | semmle.label | set output argument [c] | | A.cpp:55:12:55:19 | new | semmle.label | new | 
@@ -932,14 +932,14 @@ nodes | A.cpp:64:21:64:28 | new | semmle.label | new | | A.cpp:66:10:66:11 | b2 indirection [c] | semmle.label | b2 indirection [c] | | A.cpp:66:10:66:14 | c | semmle.label | c | -| A.cpp:66:14:66:14 | c | semmle.label | c | +| A.cpp:66:14:66:14 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:66:14:66:14 | c | semmle.label | c | | A.cpp:73:10:73:19 | call to setOnBWrap indirection [c] | semmle.label | call to setOnBWrap indirection [c] | | A.cpp:73:25:73:32 | new | semmle.label | new | | A.cpp:73:25:73:32 | new | semmle.label | new | | A.cpp:75:10:75:11 | b2 indirection [c] | semmle.label | b2 indirection [c] | | A.cpp:75:10:75:14 | c | semmle.label | c | -| A.cpp:75:14:75:14 | c | semmle.label | c | +| A.cpp:75:14:75:14 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:75:14:75:14 | c | semmle.label | c | | A.cpp:78:6:78:15 | VariableAddress indirection [c] | semmle.label | VariableAddress indirection [c] | | A.cpp:78:27:78:27 | c | semmle.label | c | @@ -956,11 +956,11 @@ nodes | A.cpp:103:14:103:14 | c indirection [a] | semmle.label | c indirection [a] | | A.cpp:107:12:107:13 | c1 indirection [a] | semmle.label | c1 indirection [a] | | A.cpp:107:12:107:16 | a | semmle.label | a | -| A.cpp:107:16:107:16 | a | semmle.label | a | +| A.cpp:107:16:107:16 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:107:16:107:16 | a | semmle.label | a | | A.cpp:120:12:120:13 | c1 indirection [a] | semmle.label | c1 indirection [a] | | A.cpp:120:12:120:16 | a | semmle.label | a | -| A.cpp:120:16:120:16 | a | semmle.label | a | +| A.cpp:120:16:120:16 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:120:16:120:16 | a | semmle.label | a | | A.cpp:126:5:126:5 | set output argument [c] | semmle.label | set output argument [c] | | A.cpp:126:12:126:18 | new | semmle.label | new | 
@@ -968,7 +968,7 @@ nodes | A.cpp:131:8:131:8 | f7 output argument [c] | semmle.label | f7 output argument [c] | | A.cpp:132:10:132:10 | b indirection [c] | semmle.label | b indirection [c] | | A.cpp:132:10:132:13 | c | semmle.label | c | -| A.cpp:132:13:132:13 | c | semmle.label | c | +| A.cpp:132:13:132:13 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:132:13:132:13 | c | semmle.label | c | | A.cpp:140:13:140:13 | b | semmle.label | b | | A.cpp:142:7:142:20 | Store | semmle.label | Store | @@ -988,17 +988,17 @@ nodes | A.cpp:151:18:151:18 | b | semmle.label | b | | A.cpp:152:10:152:10 | d indirection [b] | semmle.label | d indirection [b] | | A.cpp:152:10:152:13 | b | semmle.label | b | -| A.cpp:152:13:152:13 | b | semmle.label | b | +| A.cpp:152:13:152:13 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:152:13:152:13 | b | semmle.label | b | | A.cpp:153:10:153:10 | d indirection [b indirection, c] | semmle.label | d indirection [b indirection, c] | | A.cpp:153:10:153:16 | c | semmle.label | c | | A.cpp:153:13:153:13 | FieldAddress indirection [c] | semmle.label | FieldAddress indirection [c] | | A.cpp:153:13:153:13 | b indirection [c] | semmle.label | b indirection [c] | -| A.cpp:153:16:153:16 | c | semmle.label | c | +| A.cpp:153:16:153:16 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:153:16:153:16 | c | semmle.label | c | | A.cpp:154:10:154:10 | b indirection [c] | semmle.label | b indirection [c] | | A.cpp:154:10:154:13 | c | semmle.label | c | -| A.cpp:154:13:154:13 | c | semmle.label | c | +| A.cpp:154:13:154:13 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:154:13:154:13 | c | semmle.label | c | | A.cpp:159:12:159:18 | new | semmle.label | new | | A.cpp:160:18:160:60 | call to MyList [head] | semmle.label | call to MyList [head] | 
@@ -1013,7 +1013,7 @@ nodes | A.cpp:165:14:165:17 | next indirection [next indirection, head] | semmle.label | next indirection [next indirection, head] | | A.cpp:165:20:165:23 | FieldAddress indirection [head] | semmle.label | FieldAddress indirection [head] | | A.cpp:165:20:165:23 | next indirection [head] | semmle.label | next indirection [head] | -| A.cpp:165:26:165:29 | head | semmle.label | head | +| A.cpp:165:26:165:29 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:165:26:165:29 | head | semmle.label | head | | A.cpp:167:44:167:44 | l indirection [next indirection, head] | semmle.label | l indirection [next indirection, head] | | A.cpp:167:44:167:44 | l indirection [next indirection, next indirection, head] | semmle.label | l indirection [next indirection, next indirection, head] | @@ -1023,7 +1023,7 @@ nodes | A.cpp:167:47:167:50 | next indirection [next indirection, head] | semmle.label | next indirection [next indirection, head] | | A.cpp:169:12:169:12 | l indirection [head] | semmle.label | l indirection [head] | | A.cpp:169:12:169:18 | head | semmle.label | head | -| A.cpp:169:15:169:18 | head | semmle.label | head | +| A.cpp:169:15:169:18 | FieldAddress indirection | semmle.label | FieldAddress indirection | | A.cpp:169:15:169:18 | head | semmle.label | head | | A.cpp:181:15:181:21 | newHead | semmle.label | newHead | | A.cpp:181:32:181:35 | next indirection [head] | semmle.label | next indirection [head] | 
@@ -1043,7 +1043,7 @@ nodes | B.cpp:9:10:9:24 | elem1 | semmle.label | elem1 | | B.cpp:9:14:9:17 | FieldAddress indirection [elem1] | semmle.label | FieldAddress indirection [elem1] | | B.cpp:9:14:9:17 | box1 indirection [elem1] | semmle.label | box1 indirection [elem1] | -| B.cpp:9:20:9:24 | elem1 | semmle.label | elem1 | +| B.cpp:9:20:9:24 | FieldAddress indirection | semmle.label | FieldAddress indirection | | B.cpp:9:20:9:24 | elem1 | semmle.label | elem1 | | B.cpp:15:15:15:27 | new | semmle.label | new | | B.cpp:16:16:16:38 | call to Box1 [elem2] | semmle.label | call to Box1 [elem2] | @@ -1054,7 +1054,7 @@ nodes | B.cpp:19:10:19:24 | elem2 | semmle.label | elem2 | | B.cpp:19:14:19:17 | FieldAddress indirection [elem2] | semmle.label | FieldAddress indirection [elem2] | | B.cpp:19:14:19:17 | box1 indirection [elem2] | semmle.label | box1 indirection [elem2] | -| B.cpp:19:20:19:24 | elem2 | semmle.label | elem2 | +| B.cpp:19:20:19:24 | FieldAddress indirection | semmle.label | FieldAddress indirection | | B.cpp:19:20:19:24 | elem2 | semmle.label | elem2 | | B.cpp:33:16:33:17 | e1 | semmle.label | e1 | | B.cpp:33:26:33:27 | e2 | semmle.label | e2 | @@ -1088,7 +1088,7 @@ nodes | C.cpp:31:10:31:11 | this indirection [s3] | semmle.label | this indirection [s3] | | D.cpp:10:11:10:17 | VariableAddress indirection | semmle.label | VariableAddress indirection | | D.cpp:10:11:10:17 | this indirection [elem] | semmle.label | this indirection [elem] | -| D.cpp:10:30:10:33 | elem | semmle.label | elem | +| D.cpp:10:30:10:33 | FieldAddress indirection | semmle.label | FieldAddress indirection | | D.cpp:10:30:10:33 | this indirection [elem] | semmle.label | this indirection [elem] | | D.cpp:11:24:11:24 | e | semmle.label | e | | D.cpp:11:29:11:32 | this indirection [post update] [elem] | semmle.label | this indirection [post update] [elem] | 
@@ -1135,7 +1135,7 @@ nodes | D.cpp:64:10:64:28 | elem | semmle.label | elem | | D.cpp:64:20:64:22 | FieldAddress indirection [elem] | semmle.label | FieldAddress indirection [elem] | | D.cpp:64:20:64:22 | box indirection [elem] | semmle.label | box indirection [elem] | -| D.cpp:64:25:64:28 | elem | semmle.label | elem | +| D.cpp:64:25:64:28 | FieldAddress indirection | semmle.label | FieldAddress indirection | | D.cpp:64:25:64:28 | elem | semmle.label | elem | | E.cpp:19:27:19:27 | p indirection [data, buffer indirection] | semmle.label | p indirection [data, buffer indirection] | | E.cpp:21:10:21:10 | p indirection [data, buffer indirection] | semmle.label | p indirection [data, buffer indirection] | @@ -1309,11 +1309,11 @@ nodes | by_reference.cpp:31:16:31:28 | VariableAddress indirection | semmle.label | VariableAddress indirection | | by_reference.cpp:31:46:31:46 | s indirection [a] | semmle.label | s indirection [a] | | by_reference.cpp:32:12:32:12 | s indirection [a] | semmle.label | s indirection [a] | -| by_reference.cpp:32:15:32:15 | a | semmle.label | a | +| by_reference.cpp:32:15:32:15 | FieldAddress indirection | semmle.label | FieldAddress indirection | | by_reference.cpp:35:9:35:19 | VariableAddress indirection | semmle.label | VariableAddress indirection | | by_reference.cpp:35:9:35:19 | this indirection [a] | semmle.label | this indirection [a] | | by_reference.cpp:36:12:36:15 | this indirection [a] | semmle.label | this indirection [a] | -| by_reference.cpp:36:18:36:18 | a | semmle.label | a | +| by_reference.cpp:36:18:36:18 | FieldAddress indirection | semmle.label | FieldAddress indirection | | by_reference.cpp:39:9:39:21 | VariableAddress indirection | semmle.label | VariableAddress indirection | | by_reference.cpp:39:9:39:21 | this indirection [a] | semmle.label | this indirection [a] | | by_reference.cpp:40:12:40:15 | this indirection [a] | semmle.label | this indirection [a] | 
@@ -1420,11 +1420,11 @@ nodes | by_reference.cpp:136:16:136:16 | a | semmle.label | a | | complex.cpp:9:7:9:7 | VariableAddress indirection | semmle.label | VariableAddress indirection | | complex.cpp:9:7:9:7 | this indirection [a_] | semmle.label | this indirection [a_] | -| complex.cpp:9:20:9:21 | a_ | semmle.label | a_ | +| complex.cpp:9:20:9:21 | FieldAddress indirection | semmle.label | FieldAddress indirection | | complex.cpp:9:20:9:21 | this indirection [a_] | semmle.label | this indirection [a_] | | complex.cpp:10:7:10:7 | VariableAddress indirection | semmle.label | VariableAddress indirection | | complex.cpp:10:7:10:7 | this indirection [b_] | semmle.label | this indirection [b_] | -| complex.cpp:10:20:10:21 | b_ | semmle.label | b_ | +| complex.cpp:10:20:10:21 | FieldAddress indirection | semmle.label | FieldAddress indirection | | complex.cpp:10:20:10:21 | this indirection [b_] | semmle.label | this indirection [b_] | | complex.cpp:11:17:11:17 | a | semmle.label | a | | complex.cpp:11:22:11:23 | this indirection [post update] [a_] | semmle.label | this indirection [post update] [a_] | 
@@ -1513,11 +1513,11 @@ nodes | conflated.cpp:61:18:61:18 | y | semmle.label | y | | constructors.cpp:18:9:18:9 | VariableAddress indirection | semmle.label | VariableAddress indirection | | constructors.cpp:18:9:18:9 | this indirection [a_] | semmle.label | this indirection [a_] | -| constructors.cpp:18:22:18:23 | a_ | semmle.label | a_ | +| constructors.cpp:18:22:18:23 | FieldAddress indirection | semmle.label | FieldAddress indirection | | constructors.cpp:18:22:18:23 | this indirection [a_] | semmle.label | this indirection [a_] | | constructors.cpp:19:9:19:9 | VariableAddress indirection | semmle.label | VariableAddress indirection | | constructors.cpp:19:9:19:9 | this indirection [b_] | semmle.label | this indirection [b_] | -| constructors.cpp:19:22:19:23 | b_ | semmle.label | b_ | +| constructors.cpp:19:22:19:23 | FieldAddress indirection | semmle.label | FieldAddress indirection | | constructors.cpp:19:22:19:23 | this indirection [b_] | semmle.label | this indirection [b_] | | constructors.cpp:23:13:23:13 | a | semmle.label | a | | constructors.cpp:23:20:23:20 | b | semmle.label | b | 
@@ -1616,15 +1616,15 @@ nodes | realistic.cpp:61:32:61:34 | FieldAddress indirection [userInput, bufferLen] | semmle.label | FieldAddress indirection [userInput, bufferLen] | | realistic.cpp:61:32:61:34 | baz indirection [userInput, bufferLen] | semmle.label | baz indirection [userInput, bufferLen] | | realistic.cpp:61:37:61:45 | userInput indirection [bufferLen] | semmle.label | userInput indirection [bufferLen] | -| realistic.cpp:61:47:61:55 | bufferLen | semmle.label | bufferLen | +| realistic.cpp:61:47:61:55 | FieldAddress indirection | semmle.label | FieldAddress indirection | | realistic.cpp:61:47:61:55 | bufferLen | semmle.label | bufferLen | | simple.cpp:18:9:18:9 | VariableAddress indirection | semmle.label | VariableAddress indirection | | simple.cpp:18:9:18:9 | this indirection [a_] | semmle.label | this indirection [a_] | -| simple.cpp:18:22:18:23 | a_ | semmle.label | a_ | +| simple.cpp:18:22:18:23 | FieldAddress indirection | semmle.label | FieldAddress indirection | | simple.cpp:18:22:18:23 | this indirection [a_] | semmle.label | this indirection [a_] | | simple.cpp:19:9:19:9 | VariableAddress indirection | semmle.label | VariableAddress indirection | | simple.cpp:19:9:19:9 | this indirection [b_] | semmle.label | this indirection [b_] | -| simple.cpp:19:22:19:23 | b_ | semmle.label | b_ | +| simple.cpp:19:22:19:23 | FieldAddress indirection | semmle.label | FieldAddress indirection | | simple.cpp:19:22:19:23 | this indirection [b_] | semmle.label | this indirection [b_] | | simple.cpp:20:19:20:19 | a | semmle.label | a | | simple.cpp:20:24:20:25 | this indirection [post update] [a_] | semmle.label | this indirection [post update] [a_] | 
@@ -1660,7 +1660,7 @@ nodes | simple.cpp:78:9:78:15 | this indirection [f2, f1] | semmle.label | this indirection [f2, f1] | | simple.cpp:79:16:79:17 | f2 indirection [f1] | semmle.label | f2 indirection [f1] | | simple.cpp:79:16:79:17 | this indirection [f2, f1] | semmle.label | this indirection [f2, f1] | -| simple.cpp:79:19:79:20 | f1 | semmle.label | f1 | +| simple.cpp:79:19:79:20 | FieldAddress indirection | semmle.label | FieldAddress indirection | | simple.cpp:83:9:83:10 | this indirection [post update] [f2, f1] | semmle.label | this indirection [post update] [f2, f1] | | simple.cpp:83:9:83:28 | Store | semmle.label | Store | | simple.cpp:83:12:83:13 | f2 indirection [post update] [f1] | semmle.label | f2 indirection [post update] [f1] | diff --git a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected index b2fa79c36e51..8ec70301ca91 100644 --- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected +++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected @@ -117,7 +117,6 @@ uniqueNodeLocation | file://:0:0:0:0 | VariableAddress indirection | Node should have one location but has 0. | | file://:0:0:0:0 | VariableAddress indirection | Node should have one location but has 0. | | file://:0:0:0:0 | VariableAddress indirection | Node should have one location but has 0. | -| file://:0:0:0:0 | VariableAddress indirection | Node should have one location but has 0. | | forstmt.cpp:1:6:1:7 | AliasedDefinition | Node should have one location but has 2. | | forstmt.cpp:1:6:1:7 | InitializeNonLocal | Node should have one location but has 2. | | forstmt.cpp:8:6:8:7 | AliasedDefinition | Node should have one location but has 2. | 
@@ -268,24 +267,22 @@ uniqueNodeLocation | whilestmt.c:39:6:39:11 | AliasedDefinition | Node should have one location but has 4. | | whilestmt.c:39:6:39:11 | InitializeNonLocal | Node should have one location but has 4. | missingLocation -| Nodes without location: 38 | +| Nodes without location: 37 | uniqueNodeToString | break_labels.c:2:11:2:11 | i | Node should have one toString but has 2. | | break_labels.c:2:11:2:11 | i | Node should have one toString but has 2. | | break_labels.c:2:11:2:11 | x | Node should have one toString but has 2. | | break_labels.c:2:11:2:11 | x | Node should have one toString but has 2. | | break_labels.c:4:9:4:9 | i | Node should have one toString but has 2. | -| break_labels.c:4:9:4:9 | i indirection | Node should have one toString but has 2. | | break_labels.c:4:9:4:9 | x | Node should have one toString but has 2. | -| break_labels.c:4:9:4:9 | x indirection | Node should have one toString but has 2. | | break_labels.c:6:16:6:16 | i | Node should have one toString but has 2. | -| break_labels.c:6:16:6:16 | i indirection | Node should have one toString but has 2. | | break_labels.c:6:16:6:16 | x | Node should have one toString but has 2. | -| break_labels.c:6:16:6:16 | x indirection | Node should have one toString but has 2. | | break_labels.c:7:17:7:17 | i | Node should have one toString but has 2. | | break_labels.c:7:17:7:17 | i indirection | Node should have one toString but has 2. | +| break_labels.c:7:17:7:17 | i indirection | Node should have one toString but has 2. | | break_labels.c:7:17:7:17 | x | Node should have one toString but has 2. | | break_labels.c:7:17:7:17 | x indirection | Node should have one toString but has 2. | +| break_labels.c:7:17:7:17 | x indirection | Node should have one toString but has 2. | | constructorinitializer.cpp:3:9:3:9 | i | Node should have one toString but has 2. | | constructorinitializer.cpp:3:9:3:9 | x | Node should have one toString but has 2. 
| | constructorinitializer.cpp:3:16:3:16 | j | Node should have one toString but has 2. | @@ -295,13 +292,9 @@ uniqueNodeToString | duff.c:2:12:2:12 | x | Node should have one toString but has 2. | | duff.c:2:12:2:12 | x | Node should have one toString but has 2. | | duff.c:3:14:3:14 | i | Node should have one toString but has 2. | -| duff.c:3:14:3:14 | i indirection | Node should have one toString but has 2. | | duff.c:3:14:3:14 | x | Node should have one toString but has 2. | -| duff.c:3:14:3:14 | x indirection | Node should have one toString but has 2. | | duff.c:4:13:4:13 | i | Node should have one toString but has 2. | -| duff.c:4:13:4:13 | i indirection | Node should have one toString but has 2. | | duff.c:4:13:4:13 | x | Node should have one toString but has 2. | -| duff.c:4:13:4:13 | x indirection | Node should have one toString but has 2. | | newexpr.cpp:3:9:3:9 | i | Node should have one toString but has 2. | | newexpr.cpp:3:9:3:9 | x | Node should have one toString but has 2. | | newexpr.cpp:3:16:3:16 | j | Node should have one toString but has 2. | 
@@ -311,17 +304,13 @@ uniqueNodeToString | nodefaultswitchstmt.c:1:12:1:12 | x | Node should have one toString but has 2. | | nodefaultswitchstmt.c:1:12:1:12 | x | Node should have one toString but has 2. | | nodefaultswitchstmt.c:2:14:2:14 | i | Node should have one toString but has 2. | -| nodefaultswitchstmt.c:2:14:2:14 | i indirection | Node should have one toString but has 2. | | nodefaultswitchstmt.c:2:14:2:14 | x | Node should have one toString but has 2. | -| nodefaultswitchstmt.c:2:14:2:14 | x indirection | Node should have one toString but has 2. | | switchstmt.c:1:12:1:12 | i | Node should have one toString but has 2. | | switchstmt.c:1:12:1:12 | i | Node should have one toString but has 2. | | switchstmt.c:1:12:1:12 | x | Node should have one toString but has 2. | | switchstmt.c:1:12:1:12 | x | Node should have one toString but has 2. | | switchstmt.c:2:14:2:14 | i | Node should have one toString but has 2. | -| switchstmt.c:2:14:2:14 | i indirection | Node should have one toString but has 2. | | switchstmt.c:2:14:2:14 | x | Node should have one toString but has 2. | -| switchstmt.c:2:14:2:14 | x indirection | Node should have one toString but has 2. | missingToString parameterCallable localFlowIsLocal 
@@ -360,13 +349,13 @@ reverseRead | ir.cpp:658:5:658:5 | Unary | Origin of readStep is missing a PostUpdateNode. | | ir.cpp:658:5:658:5 | Unary | Origin of readStep is missing a PostUpdateNode. | | ir.cpp:745:8:745:8 | Unary | Origin of readStep is missing a PostUpdateNode. | -| ir.cpp:745:8:745:8 | Unary | Origin of readStep is missing a PostUpdateNode. | +| ir.cpp:745:8:745:8 | this | Origin of readStep is missing a PostUpdateNode. | | ir.cpp:748:3:748:6 | Unary | Origin of readStep is missing a PostUpdateNode. | | ir.cpp:750:3:750:7 | Unary | Origin of readStep is missing a PostUpdateNode. | -| ir.cpp:754:8:754:8 | Unary | Origin of readStep is missing a PostUpdateNode. | +| ir.cpp:754:8:754:8 | this | Origin of readStep is missing a PostUpdateNode. | | ir.cpp:757:3:757:8 | Unary | Origin of readStep is missing a PostUpdateNode. | | ir.cpp:759:3:759:9 | Unary | Origin of readStep is missing a PostUpdateNode. | -| ir.cpp:763:8:763:8 | Unary | Origin of readStep is missing a PostUpdateNode. | +| ir.cpp:763:8:763:8 | this | Origin of readStep is missing a PostUpdateNode. | | ir.cpp:766:3:766:9 | Unary | Origin of readStep is missing a PostUpdateNode. | | ir.cpp:768:3:768:10 | Unary | Origin of readStep is missing a PostUpdateNode. | | ir.cpp:775:3:775:11 | Unary | Origin of readStep is missing a PostUpdateNode. | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected index 4bc38902ce96..35fc171319e9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected 
@@ -43,6 +43,8 @@ edges | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | +| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | +| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | @@ -164,6 +166,7 @@ nodes | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array | | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | +| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | | argvLocal.c:115:13:115:16 | argv | semmle.label | argv | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected index 8fa26cba4024..1e64734233d6 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected 
@@ -63,23 +63,23 @@ edges | funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... | | funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... | | funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... | -| funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:10:47:11 | * ... | -| funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:10:47:11 | * ... | +| funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... | +| funcsLocal.c:46:7:46:9 | * ... | funcsLocal.c:47:9:47:11 | * ... | +| funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... | | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... | | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | * ... | -| funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:10:47:11 | * ... | | funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... | | funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... | | funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... | | funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... | -| funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:10:53:11 | * ... | -| funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:10:53:11 | * ... | +| funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... | +| funcsLocal.c:52:8:52:11 | call to gets | funcsLocal.c:53:9:53:11 | * ... | | funcsLocal.c:52:13:52:15 | gets output argument | funcsLocal.c:53:9:53:11 | * ... | | funcsLocal.c:52:13:52:15 | gets output argument | funcsLocal.c:53:9:53:11 | * ... | -| funcsLocal.c:52:13:52:15 | gets output argument | funcsLocal.c:53:10:53:11 | * ... | +| funcsLocal.c:52:13:52:15 | gets output argument | funcsLocal.c:53:9:53:11 | * ... | +| funcsLocal.c:52:13:52:15 | i81 | funcsLocal.c:53:9:53:11 | * ... | | funcsLocal.c:52:13:52:15 | i81 | funcsLocal.c:53:9:53:11 | * ... 
| | funcsLocal.c:52:13:52:15 | i81 | funcsLocal.c:53:9:53:11 | * ... | -| funcsLocal.c:52:13:52:15 | i81 | funcsLocal.c:53:10:53:11 | * ... | subpaths nodes | funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument | @@ -119,14 +119,14 @@ nodes | funcsLocal.c:46:7:46:9 | gets output argument | semmle.label | gets output argument | | funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... | | funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... | -| funcsLocal.c:47:10:47:11 | * ... | semmle.label | * ... | +| funcsLocal.c:47:9:47:11 | * ... | semmle.label | * ... | | funcsLocal.c:52:8:52:11 | call to gets | semmle.label | call to gets | | funcsLocal.c:52:8:52:11 | call to gets | semmle.label | call to gets | | funcsLocal.c:52:13:52:15 | gets output argument | semmle.label | gets output argument | | funcsLocal.c:52:13:52:15 | i81 | semmle.label | i81 | | funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... | | funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... | -| funcsLocal.c:53:10:53:11 | * ... | semmle.label | * ... | +| funcsLocal.c:53:9:53:11 | * ... | semmle.label | * ... | | funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 | | funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 | | funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected index 3309fa95a977..33241f07c5f2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected 
@@ -13,16 +13,19 @@ edges | globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv | | globalVars.c:27:9:27:12 | Load | globalVars.c:27:9:27:12 | copy | | globalVars.c:27:9:27:12 | Load | globalVars.c:27:9:27:12 | copy | +| globalVars.c:27:9:27:12 | Load | globalVars.c:27:9:27:12 | copy | | globalVars.c:30:15:30:18 | Load | globalVars.c:30:15:30:18 | copy | | globalVars.c:30:15:30:18 | Load | globalVars.c:30:15:30:18 | copy | | globalVars.c:35:11:35:14 | Load | globalVars.c:35:11:35:14 | copy | | globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val | | globalVars.c:38:9:38:13 | Load | globalVars.c:38:9:38:13 | copy2 | | globalVars.c:38:9:38:13 | Load | globalVars.c:38:9:38:13 | copy2 | +| globalVars.c:38:9:38:13 | Load | globalVars.c:38:9:38:13 | copy2 | | globalVars.c:41:15:41:19 | Load | globalVars.c:41:15:41:19 | copy2 | | globalVars.c:41:15:41:19 | Load | globalVars.c:41:15:41:19 | copy2 | | globalVars.c:50:9:50:13 | Load | globalVars.c:50:9:50:13 | copy2 | | globalVars.c:50:9:50:13 | Load | globalVars.c:50:9:50:13 | copy2 | +| globalVars.c:50:9:50:13 | Load | globalVars.c:50:9:50:13 | copy2 | subpaths nodes | globalVars.c:8:7:8:10 | copy | semmle.label | copy | @@ -36,6 +39,7 @@ nodes | globalVars.c:27:9:27:12 | Load | semmle.label | Load | | globalVars.c:27:9:27:12 | copy | semmle.label | copy | | globalVars.c:27:9:27:12 | copy | semmle.label | copy | +| globalVars.c:27:9:27:12 | copy | semmle.label | copy | | globalVars.c:30:15:30:18 | Load | semmle.label | Load | | globalVars.c:30:15:30:18 | copy | semmle.label | copy | | globalVars.c:30:15:30:18 | copy | semmle.label | copy | 
@@ -44,12 +48,14 @@ nodes | globalVars.c:38:9:38:13 | Load | semmle.label | Load | | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 | | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 | +| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 | | globalVars.c:41:15:41:19 | Load | semmle.label | Load | | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 | | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 | | globalVars.c:50:9:50:13 | Load | semmle.label | Load | | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 | | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 | +| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 | #select | globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv | | globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected index 3309fa95a977..33241f07c5f2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected 
@@ -13,16 +13,19 @@ edges | globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv | | globalVars.c:27:9:27:12 | Load | globalVars.c:27:9:27:12 | copy | | globalVars.c:27:9:27:12 | Load | globalVars.c:27:9:27:12 | copy | +| globalVars.c:27:9:27:12 | Load | globalVars.c:27:9:27:12 | copy | | globalVars.c:30:15:30:18 | Load | globalVars.c:30:15:30:18 | copy | | globalVars.c:30:15:30:18 | Load | globalVars.c:30:15:30:18 | copy | | globalVars.c:35:11:35:14 | Load | globalVars.c:35:11:35:14 | copy | | globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val | | globalVars.c:38:9:38:13 | Load | globalVars.c:38:9:38:13 | copy2 | | globalVars.c:38:9:38:13 | Load | globalVars.c:38:9:38:13 | copy2 | +| globalVars.c:38:9:38:13 | Load | globalVars.c:38:9:38:13 | copy2 | | globalVars.c:41:15:41:19 | Load | globalVars.c:41:15:41:19 | copy2 | | globalVars.c:41:15:41:19 | Load | globalVars.c:41:15:41:19 | copy2 | | globalVars.c:50:9:50:13 | Load | globalVars.c:50:9:50:13 | copy2 | | globalVars.c:50:9:50:13 | Load | globalVars.c:50:9:50:13 | copy2 | +| globalVars.c:50:9:50:13 | Load | globalVars.c:50:9:50:13 | copy2 | subpaths nodes | globalVars.c:8:7:8:10 | copy | semmle.label | copy | @@ -36,6 +39,7 @@ nodes | globalVars.c:27:9:27:12 | Load | semmle.label | Load | | globalVars.c:27:9:27:12 | copy | semmle.label | copy | | globalVars.c:27:9:27:12 | copy | semmle.label | copy | +| globalVars.c:27:9:27:12 | copy | semmle.label | copy | | globalVars.c:30:15:30:18 | Load | semmle.label | Load | | globalVars.c:30:15:30:18 | copy | semmle.label | copy | | globalVars.c:30:15:30:18 | copy | semmle.label | copy | 
@@ -44,12 +48,14 @@ nodes | globalVars.c:38:9:38:13 | Load | semmle.label | Load | | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 | | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 | +| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 | | globalVars.c:41:15:41:19 | Load | semmle.label | Load | | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 | | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 | | globalVars.c:50:9:50:13 | Load | semmle.label | Load | | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 | | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 | +| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 | #select | globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv | | globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected index b86b85a91ebc..e5c424909608 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected 
@@ -1,11 +1,14 @@ edges | examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data | | examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data | +| examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data | +| examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data | | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | subpaths nodes | examples.cpp:63:26:63:30 | & ... | semmle.label | & ... | +| examples.cpp:63:26:63:30 | & ... | semmle.label | & ... | | examples.cpp:63:26:63:30 | fscanf output argument | semmle.label | fscanf output argument | | examples.cpp:66:11:66:14 | data | semmle.label | data | | examples.cpp:66:11:66:14 | data | semmle.label | data | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected index 9277c8f774e9..3fff65b9995e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected 
@@ -19,12 +19,6 @@ edges | test.cpp:18:9:18:12 | call to rand | test.cpp:16:21:16:24 | Load indirection | | test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r | | test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r | -| test.cpp:71:23:71:31 | buf_start indirection | test.cpp:75:9:75:11 | len | -| test.cpp:71:40:71:46 | buf_end indirection | test.cpp:75:9:75:11 | len | -| test.cpp:80:50:80:53 | call to rand | test.cpp:81:14:81:16 | buf indirection | -| test.cpp:80:50:80:53 | call to rand | test.cpp:81:19:81:30 | ... + ... indirection | -| test.cpp:81:14:81:16 | buf indirection | test.cpp:71:23:71:31 | buf_start indirection | -| test.cpp:81:19:81:30 | ... + ... indirection | test.cpp:71:40:71:46 | buf_end indirection | | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | @@ -71,12 +65,6 @@ nodes | test.cpp:31:7:31:7 | r | semmle.label | r | | test.cpp:36:13:36:13 | get_rand3 output argument | semmle.label | get_rand3 output argument | | test.cpp:37:7:37:7 | r | semmle.label | r | -| test.cpp:71:23:71:31 | buf_start indirection | semmle.label | buf_start indirection | -| test.cpp:71:40:71:46 | buf_end indirection | semmle.label | buf_end indirection | -| test.cpp:75:9:75:11 | len | semmle.label | len | -| test.cpp:80:50:80:53 | call to rand | semmle.label | call to rand | -| test.cpp:81:14:81:16 | buf indirection | semmle.label | buf indirection | -| test.cpp:81:19:81:30 | ... + ... indirection | semmle.label | ... + ... indirection | | test.cpp:86:10:86:13 | call to rand | semmle.label | call to rand | | test.cpp:90:10:90:10 | x | semmle.label | x | | test.cpp:98:10:98:13 | call to rand | semmle.label | call to rand | 
@@ -115,7 +103,6 @@ subpaths | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value | | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value | | test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value | -| test.cpp:75:9:75:11 | len | test.cpp:80:50:80:53 | call to rand | test.cpp:75:9:75:11 | len | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:80:50:80:53 | call to rand | uncontrolled value | | test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | uncontrolled value | | test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | uncontrolled value | | test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected index b2966bbf44cb..277ad0b3e29a 100644 
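Review bot: The `#select` row for `test.cpp:75:9:75:11 | len` (source `test.cpp:80:50:80:53 | call to rand`) is dropped from ArithmeticUncontrolled.expected in this hunk, and the two earlier hunks of the file drop its `buf indirection` / `buf_start indirection` edges and nodes, so a previously reported overflow flow is no longer found. The TaintedAllocationSize.expected hunks that follow lose alerts the same way: `test.cpp:80:9:80:29 | new[]` from `fread output argument`, and both `test.cpp:334:2:334:7 | call to malloc` rows from `getenv`. The commit subject describes removing values that are semantically identical to ones already in the IR, which should leave query results unchanged; these removals look like lost flows through pointer-argument indirections rather than deduplication. Please confirm against the test sources (not part of this patch view) whether these rows were expected results, and if the loss is known and temporary, record that in the commit message so the regression is tracked.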
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected @@ -5,18 +5,6 @@ edges | test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size | | test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size | | test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... | -| test.cpp:76:25:76:29 | start | test.cpp:80:18:80:28 | ... - ... | -| test.cpp:76:25:76:29 | start indirection | test.cpp:80:18:80:28 | ... - ... | -| test.cpp:76:38:76:40 | end | test.cpp:80:18:80:28 | ... - ... | -| test.cpp:76:38:76:40 | end indirection | test.cpp:80:18:80:28 | ... - ... | -| test.cpp:98:18:98:23 | fread output argument | test.cpp:102:17:102:22 | buffer | -| test.cpp:98:18:98:23 | fread output argument | test.cpp:102:17:102:22 | buffer indirection | -| test.cpp:98:18:98:23 | fread output argument | test.cpp:102:25:102:39 | ... + ... | -| test.cpp:98:18:98:23 | fread output argument | test.cpp:102:25:102:39 | ... + ... indirection | -| test.cpp:102:17:102:22 | buffer | test.cpp:76:25:76:29 | start | -| test.cpp:102:17:102:22 | buffer indirection | test.cpp:76:25:76:29 | start indirection | -| test.cpp:102:25:102:39 | ... + ... | test.cpp:76:38:76:40 | end | -| test.cpp:102:25:102:39 | ... + ... indirection | test.cpp:76:38:76:40 | end indirection | | test.cpp:124:18:124:23 | call to getenv | test.cpp:125:29:125:32 | size | | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... | | test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:125:29:125:32 | size | 
@@ -54,8 +42,6 @@ edges | test.cpp:259:20:259:33 | call to getenv indirection | test.cpp:263:11:263:29 | ... * ... | | test.cpp:289:17:289:20 | get_size output argument | test.cpp:291:11:291:28 | ... * ... | | test.cpp:305:18:305:21 | get_size output argument | test.cpp:308:10:308:27 | ... * ... | -| test.cpp:331:15:331:20 | Call | test.cpp:334:9:334:14 | offset | -| test.cpp:331:15:331:20 | call to getenv indirection | test.cpp:334:9:334:14 | offset | nodes | test.cpp:40:21:40:24 | argv | semmle.label | argv | | test.cpp:43:38:43:44 | tainted | semmle.label | tainted | @@ -64,16 +50,6 @@ nodes | test.cpp:49:32:49:35 | size | semmle.label | size | | test.cpp:50:26:50:29 | size | semmle.label | size | | test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... | -| test.cpp:76:25:76:29 | start | semmle.label | start | -| test.cpp:76:25:76:29 | start indirection | semmle.label | start indirection | -| test.cpp:76:38:76:40 | end | semmle.label | end | -| test.cpp:76:38:76:40 | end indirection | semmle.label | end indirection | -| test.cpp:80:18:80:28 | ... - ... | semmle.label | ... - ... | -| test.cpp:98:18:98:23 | fread output argument | semmle.label | fread output argument | -| test.cpp:102:17:102:22 | buffer | semmle.label | buffer | -| test.cpp:102:17:102:22 | buffer indirection | semmle.label | buffer indirection | -| test.cpp:102:25:102:39 | ... + ... | semmle.label | ... + ... | -| test.cpp:102:25:102:39 | ... + ... indirection | semmle.label | ... + ... indirection | | test.cpp:124:18:124:23 | call to getenv | semmle.label | call to getenv | | test.cpp:124:18:124:31 | call to getenv indirection | semmle.label | call to getenv indirection | | test.cpp:125:29:125:32 | size | semmle.label | size | 
@@ -118,9 +94,6 @@ nodes | test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... | | test.cpp:305:18:305:21 | get_size output argument | semmle.label | get_size output argument | | test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... | -| test.cpp:331:15:331:20 | Call | semmle.label | Call | -| test.cpp:331:15:331:20 | call to getenv indirection | semmle.label | call to getenv indirection | -| test.cpp:334:9:334:14 | offset | semmle.label | offset | subpaths #select | test.cpp:43:31:43:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv | user input (a command-line argument) | 
@@ -129,7 +102,6 @@ subpaths | test.cpp:49:25:49:30 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv | user input (a command-line argument) | | test.cpp:50:17:50:30 | new[] | test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv | user input (a command-line argument) | | test.cpp:53:21:53:27 | call to realloc | test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv | user input (a command-line argument) | -| test.cpp:80:9:80:29 | new[] | test.cpp:98:18:98:23 | fread output argument | test.cpp:80:18:80:28 | ... - ... | This allocation size is derived from $@ and might overflow. | test.cpp:98:18:98:23 | fread output argument | user input (String read by fread) | | test.cpp:127:17:127:22 | call to malloc | test.cpp:124:18:124:23 | call to getenv | test.cpp:127:24:127:49 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:23 | call to getenv | user input (an environment variable) | | test.cpp:127:17:127:22 | call to malloc | test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:127:24:127:49 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:31 | call to getenv indirection | user input (an environment variable) | | test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:23 | call to getenv | user input (an environment variable) | 
@@ -158,5 +130,3 @@ subpaths | test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:31 | call to getenv indirection | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:31 | call to getenv indirection | user input (an environment variable) | | test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:23 | call to getenv | user input (an environment variable) | | test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:31 | call to getenv indirection | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:31 | call to getenv indirection | user input (an environment variable) | -| test.cpp:334:2:334:7 | call to malloc | test.cpp:331:15:331:20 | Call | test.cpp:334:9:334:14 | offset | This allocation size is derived from $@ and might overflow. | test.cpp:331:15:331:20 | Call | user input (an environment variable) | -| test.cpp:334:2:334:7 | call to malloc | test.cpp:331:15:331:20 | call to getenv indirection | test.cpp:334:9:334:14 | offset | This allocation size is derived from $@ and might overflow. | test.cpp:331:15:331:20 | call to getenv indirection | user input (an environment variable) | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected index 955bfe909b0d..c45a15523241 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected 
@@ -6,6 +6,10 @@ edges | test2.cpp:72:17:72:24 | password | test2.cpp:76:30:76:32 | buf | | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | buffer | | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | +| test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | +| test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | +| test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | +| test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | @@ -15,6 +19,8 @@ edges | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | +| test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | +| test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | nodes 
@@ -65,6 +71,8 @@ subpaths | test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. | | test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. | | test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. | +| test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. | +| test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | | test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | | test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | | test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | 
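Review bot: The `#select` section of CleartextFileWrite.expected gains a fourth byte-identical row for the `fputs` sink at `test.cpp:45:3:45:7` and one more identical row for `operator<<` at `test.cpp:70:35:70:35`; the next hunk adds another for `write` at `test.cpp:73:37:73:41`. When every column matches, the rows come from distinct dataflow nodes that share a location and a label, and each extra row is a duplicate alert for the same cleartext password write. Since the commit sets out to remove redundant nodes, it is worth checking why the count went up here. Presumably an operand node and an instruction node for the same expression now both qualify as source or sink, but that cannot be confirmed from the expected output alone.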
@@ -75,5 +83,6 @@ subpaths | test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. | | test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. | | test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. | +| test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. | | test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. | | test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected index 87d22d75e71b..86cc2bdc6c6c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected 
@@ -15,9 +15,9 @@ edges | tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr] | tests2.cpp:111:14:111:15 | c1 indirection [ptr] | | tests2.cpp:109:12:109:17 | call to getenv | tests2.cpp:109:3:109:36 | Store | | tests2.cpp:111:14:111:15 | c1 indirection [ptr] | tests2.cpp:111:14:111:19 | ptr | -| tests2.cpp:111:14:111:15 | c1 indirection [ptr] | tests2.cpp:111:17:111:19 | ptr | -| tests2.cpp:111:14:111:15 | c1 indirection [ptr] | tests2.cpp:111:17:111:19 | ptr | -| tests2.cpp:111:17:111:19 | ptr | tests2.cpp:111:14:111:19 | ptr | +| tests2.cpp:111:14:111:15 | c1 indirection [ptr] | tests2.cpp:111:17:111:19 | FieldAddress indirection | +| tests2.cpp:111:17:111:19 | FieldAddress indirection | tests2.cpp:111:14:111:19 | ptr | +| tests2.cpp:111:17:111:19 | FieldAddress indirection | tests2.cpp:111:17:111:19 | ptr | | tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:39:19:39:22 | path | | tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:39:19:39:22 | path | | tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:43:20:43:23 | path | @@ -59,7 +59,7 @@ nodes | tests2.cpp:109:12:109:17 | call to getenv | semmle.label | call to getenv | | tests2.cpp:111:14:111:15 | c1 indirection [ptr] | semmle.label | c1 indirection [ptr] | | tests2.cpp:111:14:111:19 | ptr | semmle.label | ptr | -| tests2.cpp:111:17:111:19 | ptr | semmle.label | ptr | +| tests2.cpp:111:17:111:19 | FieldAddress indirection | semmle.label | FieldAddress indirection | | tests2.cpp:111:17:111:19 | ptr | semmle.label | ptr | | tests_sockets.cpp:26:15:26:20 | call to getenv | semmle.label | call to getenv | | tests_sockets.cpp:39:19:39:22 | path | semmle.label | path | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected index 34f1b826015e..0c3725b115de 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected 
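Review bot: The path node at `tests2.cpp:111:17:111:19` is now labelled `FieldAddress indirection` where it used to read `ptr`, in both the `edges` hunk and the `nodes` hunk of ExposedSystemData.expected. `semmle.label` is the text shown for each step of an alert path, and `FieldAddress` is an IR opcode name rather than anything in the source, so the step no longer tells a reader which expression carries the `getenv` data. This may be a side effect of the `toStringImpl` overrides removed earlier in this patch. Consider giving the node a label based on the source expression, so the step reads `ptr indirection`, like the `c1 indirection` label next to it.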
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected 
@@ -1,19 +1,58 @@ edges | tests3.cpp:23:21:23:53 | call to createXMLReader | tests3.cpp:25:2:25:2 | p | +| tests3.cpp:35:16:35:20 | p_3_3 | tests3.cpp:38:2:38:6 | Load | +| tests3.cpp:35:24:35:56 | Store | tests3.cpp:35:16:35:20 | p_3_3 | +| tests3.cpp:35:24:35:56 | call to createXMLReader | tests3.cpp:35:24:35:56 | Store | +| tests3.cpp:38:2:38:6 | Load | tests3.cpp:38:2:38:6 | p_3_3 | +| tests3.cpp:41:16:41:20 | p_3_4 | tests3.cpp:45:2:45:6 | Load | +| tests3.cpp:41:24:41:56 | Store | tests3.cpp:41:16:41:20 | p_3_4 | +| tests3.cpp:41:24:41:56 | call to createXMLReader | tests3.cpp:41:24:41:56 | Store | +| tests3.cpp:45:2:45:6 | Load | tests3.cpp:45:2:45:6 | p_3_4 | +| tests3.cpp:48:16:48:20 | p_3_5 | tests3.cpp:56:2:56:6 | Load | +| tests3.cpp:48:24:48:56 | Store | tests3.cpp:48:16:48:20 | p_3_5 | +| tests3.cpp:48:24:48:56 | call to createXMLReader | tests3.cpp:48:24:48:56 | Store | +| tests3.cpp:56:2:56:6 | Load | tests3.cpp:56:2:56:6 | p_3_5 | | tests3.cpp:60:21:60:53 | call to createXMLReader | tests3.cpp:63:2:63:2 | p | | tests3.cpp:67:21:67:53 | call to createXMLReader | tests3.cpp:70:2:70:2 | p | | tests5.cpp:27:25:27:38 | call to createLSParser | tests5.cpp:29:2:29:2 | p | | tests5.cpp:40:25:40:38 | call to createLSParser | tests5.cpp:43:2:43:2 | p | | tests5.cpp:55:25:55:38 | call to createLSParser | tests5.cpp:59:2:59:2 | p | +| tests5.cpp:63:14:63:17 | g_p1 | tests5.cpp:76:2:76:5 | Load | +| tests5.cpp:63:21:63:24 | g_p2 | tests5.cpp:77:2:77:5 | Load | +| tests5.cpp:67:2:67:32 | Store | tests5.cpp:63:14:63:17 | g_p1 | +| tests5.cpp:67:17:67:30 | call to createLSParser | tests5.cpp:67:2:67:32 | Store | +| tests5.cpp:70:2:70:32 | Store | tests5.cpp:63:21:63:24 | g_p2 | +| tests5.cpp:70:17:70:30 | call to createLSParser | tests5.cpp:70:2:70:32 | Store | +| tests5.cpp:76:2:76:5 | Load | tests5.cpp:76:2:76:5 | g_p1 | +| tests5.cpp:77:2:77:5 | Load | tests5.cpp:77:2:77:5 | g_p2 | | tests5.cpp:81:25:81:38 | call to createLSParser | tests5.cpp:83:2:83:2 | p | 
-| tests5.cpp:81:25:81:38 | call to createLSParser | tests5.cpp:83:2:83:2 | p | -| tests5.cpp:83:2:83:2 | p | tests5.cpp:85:2:85:2 | p | -| tests5.cpp:85:2:85:2 | p | tests5.cpp:86:2:86:2 | p | -| tests5.cpp:86:2:86:2 | p | tests5.cpp:88:2:88:2 | p | +| tests5.cpp:81:25:81:38 | call to createLSParser | tests5.cpp:85:2:85:2 | Load | +| tests5.cpp:81:25:81:38 | call to createLSParser | tests5.cpp:85:2:85:2 | p indirection | +| tests5.cpp:85:2:85:2 | Load | tests5.cpp:85:2:85:2 | p | +| tests5.cpp:85:2:85:2 | p | tests5.cpp:88:2:88:2 | Load | +| tests5.cpp:85:2:85:2 | p | tests5.cpp:88:2:88:2 | p indirection | +| tests5.cpp:85:2:85:2 | p indirection | tests5.cpp:85:2:85:2 | p | +| tests5.cpp:88:2:88:2 | Load | tests5.cpp:88:2:88:2 | p | | tests5.cpp:88:2:88:2 | p | tests5.cpp:89:2:89:2 | p | +| tests5.cpp:88:2:88:2 | p indirection | tests5.cpp:88:2:88:2 | p | nodes | tests3.cpp:23:21:23:53 | call to createXMLReader | semmle.label | call to createXMLReader | | tests3.cpp:25:2:25:2 | p | semmle.label | p | +| tests3.cpp:35:16:35:20 | p_3_3 | semmle.label | p_3_3 | +| tests3.cpp:35:24:35:56 | Store | semmle.label | Store | +| tests3.cpp:35:24:35:56 | call to createXMLReader | semmle.label | call to createXMLReader | +| tests3.cpp:38:2:38:6 | Load | semmle.label | Load | +| tests3.cpp:38:2:38:6 | p_3_3 | semmle.label | p_3_3 | +| tests3.cpp:41:16:41:20 | p_3_4 | semmle.label | p_3_4 | +| tests3.cpp:41:24:41:56 | Store | semmle.label | Store | +| tests3.cpp:41:24:41:56 | call to createXMLReader | semmle.label | call to createXMLReader | +| tests3.cpp:45:2:45:6 | Load | semmle.label | Load | +| tests3.cpp:45:2:45:6 | p_3_4 | semmle.label | p_3_4 | +| tests3.cpp:48:16:48:20 | p_3_5 | semmle.label | p_3_5 | +| tests3.cpp:48:24:48:56 | Store | semmle.label | Store | +| tests3.cpp:48:24:48:56 | call to createXMLReader | semmle.label | call to createXMLReader | +| tests3.cpp:56:2:56:6 | Load | semmle.label | Load | +| tests3.cpp:56:2:56:6 | p_3_5 | semmle.label | p_3_5 | | 
tests3.cpp:60:21:60:53 | call to createXMLReader | semmle.label | call to createXMLReader | | tests3.cpp:63:2:63:2 | p | semmle.label | p | | tests3.cpp:67:21:67:53 | call to createXMLReader | semmle.label | call to createXMLReader | 
@@ -29,16 +68,31 @@ nodes | tests5.cpp:43:2:43:2 | p | semmle.label | p | | tests5.cpp:55:25:55:38 | call to createLSParser | semmle.label | call to createLSParser | | tests5.cpp:59:2:59:2 | p | semmle.label | p | +| tests5.cpp:63:14:63:17 | g_p1 | semmle.label | g_p1 | +| tests5.cpp:63:21:63:24 | g_p2 | semmle.label | g_p2 | +| tests5.cpp:67:2:67:32 | Store | semmle.label | Store | +| tests5.cpp:67:17:67:30 | call to createLSParser | semmle.label | call to createLSParser | +| tests5.cpp:70:2:70:32 | Store | semmle.label | Store | +| tests5.cpp:70:17:70:30 | call to createLSParser | semmle.label | call to createLSParser | +| tests5.cpp:76:2:76:5 | Load | semmle.label | Load | +| tests5.cpp:76:2:76:5 | g_p1 | semmle.label | g_p1 | +| tests5.cpp:77:2:77:5 | Load | semmle.label | Load | +| tests5.cpp:77:2:77:5 | g_p2 | semmle.label | g_p2 | | tests5.cpp:81:25:81:38 | call to createLSParser | semmle.label | call to createLSParser | | tests5.cpp:83:2:83:2 | p | semmle.label | p | -| tests5.cpp:83:2:83:2 | p | semmle.label | p | +| tests5.cpp:85:2:85:2 | Load | semmle.label | Load | | tests5.cpp:85:2:85:2 | p | semmle.label | p | -| tests5.cpp:86:2:86:2 | p | semmle.label | p | +| tests5.cpp:85:2:85:2 | p indirection | semmle.label | p indirection | +| tests5.cpp:88:2:88:2 | Load | semmle.label | Load | | tests5.cpp:88:2:88:2 | p | semmle.label | p | +| tests5.cpp:88:2:88:2 | p indirection | semmle.label | p indirection | | tests5.cpp:89:2:89:2 | p | semmle.label | p | subpaths #select | tests3.cpp:25:2:25:2 | p | tests3.cpp:23:21:23:53 | call to createXMLReader | tests3.cpp:25:2:25:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | call to createXMLReader | XML parser | +| tests3.cpp:38:2:38:6 | p_3_3 | tests3.cpp:35:24:35:56 | call to createXMLReader | tests3.cpp:38:2:38:6 | p_3_3 | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests3.cpp:35:24:35:56 | call to createXMLReader | XML parser | +| tests3.cpp:45:2:45:6 | p_3_4 | tests3.cpp:41:24:41:56 | call to createXMLReader | tests3.cpp:45:2:45:6 | p_3_4 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:41:24:41:56 | call to createXMLReader | XML parser | +| tests3.cpp:56:2:56:6 | p_3_5 | tests3.cpp:48:24:48:56 | call to createXMLReader | tests3.cpp:56:2:56:6 | p_3_5 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:48:24:48:56 | call to createXMLReader | XML parser | | tests3.cpp:63:2:63:2 | p | tests3.cpp:60:21:60:53 | call to createXMLReader | tests3.cpp:63:2:63:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:60:21:60:53 | call to createXMLReader | XML parser | | tests3.cpp:70:2:70:2 | p | tests3.cpp:67:21:67:53 | call to createXMLReader | tests3.cpp:70:2:70:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:67:21:67:53 | call to createXMLReader | XML parser | | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | XML parser | 
@@ -49,5 +103,7 @@ subpaths | tests5.cpp:29:2:29:2 | p | tests5.cpp:27:25:27:38 | call to createLSParser | tests5.cpp:29:2:29:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:27:25:27:38 | call to createLSParser | XML parser | | tests5.cpp:43:2:43:2 | p | tests5.cpp:40:25:40:38 | call to createLSParser | tests5.cpp:43:2:43:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:40:25:40:38 | call to createLSParser | XML parser | | tests5.cpp:59:2:59:2 | p | tests5.cpp:55:25:55:38 | call to createLSParser | tests5.cpp:59:2:59:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:55:25:55:38 | call to createLSParser | XML parser | +| tests5.cpp:76:2:76:5 | g_p1 | tests5.cpp:67:17:67:30 | call to createLSParser | tests5.cpp:76:2:76:5 | g_p1 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:67:17:67:30 | call to createLSParser | XML parser | +| tests5.cpp:77:2:77:5 | g_p2 | tests5.cpp:70:17:70:30 | call to createLSParser | tests5.cpp:77:2:77:5 | g_p2 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | call to createLSParser | XML parser | | tests5.cpp:83:2:83:2 | p | tests5.cpp:81:25:81:38 | call to createLSParser | tests5.cpp:83:2:83:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser | XML parser | | tests5.cpp:89:2:89:2 | p | tests5.cpp:81:25:81:38 | call to createLSParser | tests5.cpp:89:2:89:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser | XML parser | From b8fab9ae794b6e797050424655293ca460fda83a Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Tue, 15 Nov 2022 16:07:07 +0000 Subject: [PATCH 7/7] C++: Respond to review comments. --- .../ir/dataflow/internal/DataFlowPrivate.qll | 80 ++++++++++++++++++ .../cpp/ir/dataflow/internal/DataFlowUtil.qll | 84 +------------------ .../cpp/ir/dataflow/internal/SsaInternals.qll | 4 +- 3 files changed, 84 insertions(+), 84 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll index 8072e3a7cc48..6464e4af9c4d 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll 
@@ -6,6 +6,86 @@ private import DataFlowImplConsistency private import semmle.code.cpp.ir.internal.IRCppLanguage private import SsaInternals as Ssa +/** + * INTERNAL: Do not use. + * + * A node that represents the indirect value of an operand in the IR + * after `index` number of loads. + * + * Note: Unlike `RawIndirectOperand`, a value of type `IndirectOperand` may + * be an `OperandNode`. + */ +class IndirectOperand extends Node { + Operand operand; + int indirectionIndex; + + IndirectOperand() { + this.(RawIndirectOperand).getOperand() = operand and + this.(RawIndirectOperand).getIndirectionIndex() = indirectionIndex + or + this.(OperandNode).getOperand() = + Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex) + } + + /** Gets the underlying operand. */ + Operand getOperand() { result = operand } + + /** Gets the underlying indirection index. */ + int getIndirectionIndex() { result = indirectionIndex } + + /** + * Holds if this `IndirectOperand` is represented directly in the IR instead of + * a `RawIndirectionOperand` with operand `op` and indirection index `index`. + */ + predicate isIRRepresentationOf(Operand op, int index) { + this instanceof OperandNode and + ( + op = operand and + index = indirectionIndex + ) + } +} + +/** + * INTERNAL: Do not use. + * + * A node that represents the indirect value of an instruction in the IR + * after `index` number of loads. + * + * Note: Unlike `RawIndirectInstruction`, a value of type `IndirectInstruction` may + * be an `InstructionNode`. + */ +class IndirectInstruction extends Node { + Instruction instr; + int indirectionIndex; + + IndirectInstruction() { + this.(RawIndirectInstruction).getInstruction() = instr and + this.(RawIndirectInstruction).getIndirectionIndex() = indirectionIndex + or + this.(InstructionNode).getInstruction() = + Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex) + } + + /** Gets the underlying instruction. 
*/ + Instruction getInstruction() { result = instr } + + /** Gets the underlying indirection index. */ + int getIndirectionIndex() { result = indirectionIndex } + + /** + * Holds if this `IndirectInstruction` is represented directly in the IR instead of + * a `RawIndirectionInstruction` with instruction `i` and indirection index `index`. + */ + predicate isIRRepresentationOf(Instruction i, int index) { + this instanceof InstructionNode and + ( + i = instr and + index = indirectionIndex + ) + } +} + /** Gets the callable in which this node occurs. */ DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll index d857ea2fa45f..46ed0c28f248 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll @@ -637,7 +637,7 @@ private Type getTypeImpl(Type t, int indirectionIndex) { * A node that represents the indirect value of an operand in the IR * after `index` number of loads. */ -private class RawIndirectOperand extends Node, TRawIndirectOperand { +class RawIndirectOperand extends Node, TRawIndirectOperand { Operand operand; int indirectionIndex; 
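Review bot: The QLDoc on both `isIRRepresentationOf` predicates names classes that do not appear anywhere in the visible diff, `RawIndirectionOperand` and `RawIndirectionInstruction`; the classes are `RawIndirectOperand` and `RawIndirectInstruction`. The wording was carried over unchanged from the blocks removed from DataFlowUtil.qll, so the move is a good moment to correct it to ``* a `RawIndirectOperand` with operand `op` and indirection index `index`.`` and ``* a `RawIndirectInstruction` with instruction `i` and indirection index `index`.``. The class-level comments also say "after `index` number of loads" while the field is called `indirectionIndex`; naming the field there would make the two read consistently.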
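Review bot: Dropping `private` from `RawIndirectOperand` here, and from `RawIndirectInstruction` in the `@@ -731,7 +691,7 @@` hunk, exposes both classes to every file that imports DataFlowUtil.qll, presumably so that the characteristic predicates moved to DataFlowPrivate.qll can still refer to them. The wrappers `IndirectOperand` and `IndirectInstruction` are marked `INTERNAL: Do not use.`, but the opening of the raw classes' doc comments lies outside these hunks. Please confirm that they start with the same marker and add `* INTERNAL: Do not use.` if they do not, so that queries do not start depending on the raw node types. Both class bodies continue outside the hunks.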
@@ -666,46 +666,6 @@ private class RawIndirectOperand extends Node, TRawIndirectOperand { } } -/** - * INTERNAL: Do not use. - * - * A node that represents the indirect value of an operand in the IR - * after `index` number of loads. - * - * Note: Unlike `RawIndirectOperand`, a value of type `IndirectOperand` may - * be an `OperandNode`. - */ -class IndirectOperand extends Node { - Operand operand; - int indirectionIndex; - - IndirectOperand() { - this.(RawIndirectOperand).getOperand() = operand and - this.(RawIndirectOperand).getIndirectionIndex() = indirectionIndex - or - this.(OperandNode).getOperand() = - Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex) - } - - /** Gets the underlying operand. */ - Operand getOperand() { result = operand } - - /** Gets the underlying indirection index. */ - int getIndirectionIndex() { result = indirectionIndex } - - /** - * Holds if this `IndirectOperand` is represented directly in the IR instead of - * a `RawIndirectionOperand` with operand `op` and indirection index `index`. - */ - predicate isIRRepresentationOf(Operand op, int index) { - this instanceof OperandNode and - ( - op = operand and - index = indirectionIndex - ) - } -} - /** * The value of an uninitialized local variable, viewed as a node in a data * flow graph. @@ -731,7 +691,7 @@ class UninitializedNode extends Node { * A node that represents the indirect value of an instruction in the IR * after `index` number of loads. */ -private class RawIndirectInstruction extends Node, TRawIndirectInstruction { +class RawIndirectInstruction extends Node, TRawIndirectInstruction { Instruction instr; int indirectionIndex; 
@@ -760,46 +720,6 @@ private class RawIndirectInstruction extends Node, TRawIndirectInstruction { } } -/** - * INTERNAL: Do not use. - * - * A node that represents the indirect value of an instruction in the IR - * after `index` number of loads. - * - * Note: Unlike `RawIndirectInstruction`, a value of type `IndirectInstruction` may - * be an `InstructionNode`. - */ -class IndirectInstruction extends Node { - Instruction instr; - int indirectionIndex; - - IndirectInstruction() { - this.(RawIndirectInstruction).getInstruction() = instr and - this.(RawIndirectInstruction).getIndirectionIndex() = indirectionIndex - or - this.(InstructionNode).getInstruction() = - Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex) - } - - /** Gets the underlying instruction. */ - Instruction getInstruction() { result = instr } - - /** Gets the underlying indirection index. */ - int getIndirectionIndex() { result = indirectionIndex } - - /** - * Holds if this `IndirectInstruction` is represented directly in the IR instead of - * a `RawIndirectionInstruction` with instruction `i` and indirection index `index`. - */ - predicate isIRRepresentationOf(Instruction i, int index) { - this instanceof InstructionNode and - ( - i = instr and - index = indirectionIndex - ) - } -} - private predicate isFullyConvertedArgument(Expr e) { exists(Call call | e = call.getAnArgument().getFullyConverted() diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll index 77acc76223e4..f23f57a1230d 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll 
@@ -88,7 +88,7 @@ import SourceVariables /** * Holds if the `(operand, indirectionIndex)` columns should be - * assigned an `RawIndirectOperand` value. + * assigned a `RawIndirectOperand` value. */ predicate hasRawIndirectOperand(Operand op, int indirectionIndex) { exists(CppType type, int m | @@ -102,7 +102,7 @@ predicate hasRawIndirectOperand(Operand op, int indirectionIndex) { /** * Holds if the `(instr, indirectionIndex)` columns should be - * assigned an `RawIndirectInstruction` value. + * assigned a `RawIndirectInstruction` value. */ predicate hasRawIndirectInstruction(Instruction instr, int indirectionIndex) { exists(CppType type, int m |