diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql index 6659b8206599..c1f7e735636e 100644 --- a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql +++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql @@ -312,11 +312,13 @@ Instruction getASuccessor(Instruction instr) { */ pragma[inline] predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string operation, int delta) { - exists(AddressOperand addr, Instruction s | + exists(AddressOperand addr, Instruction s, IRBlock b | s = sink.asInstruction() and - bounded1(addr.getDef(), s, delta) and + boundedImpl(addr.getDef(), s, delta) and delta >= 0 and - i.getAnOperand() = addr + i.getAnOperand() = addr and + b = i.getBlock() and + not b = InvalidPointerToDerefBarrier::getABarrierBlock(delta) | i instanceof StoreInstruction and operation = "write" @@ -326,6 +328,60 @@ predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string o ) } +module InvalidPointerToDerefBarrier { + private module BarrierConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + // The sources is the same as in the sources for `InvalidPointerToDerefConfig`. + invalidPointerToDerefSource(_, source, _) + } + + additional predicate isSink( + DataFlow::Node left, DataFlow::Node right, IRGuardCondition g, int state, boolean testIsTrue + ) { + // The sink is any "large" side of a relational comparison. + g.comparesLt(left.asOperand(), right.asOperand(), state, true, testIsTrue) + } + + predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) } + } + + private import DataFlow::Global + + private int getInvalidPointerToDerefSourceDelta(DataFlow::Node node) { + exists(DataFlow::Node source | + flow(source, node) and + invalidPointerToDerefSource(_, source, result) + ) + } + + private predicate operandGuardChecks( + IRGuardCondition g, Operand left, Operand right, int state, boolean edge + ) { + exists(DataFlow::Node nLeft, DataFlow::Node nRight, int state0 | + nRight.asOperand() = right and + nLeft.asOperand() = left and + BarrierConfig::isSink(nLeft, nRight, g, state0, edge) and + state = getInvalidPointerToDerefSourceDelta(nRight) and + state0 <= state + ) + } + + Instruction getABarrierInstruction(int state) { + exists(IRGuardCondition g, ValueNumber value, Operand use, boolean edge | + use = value.getAUse() and + operandGuardChecks(pragma[only_bind_into](g), pragma[only_bind_into](use), _, state, + pragma[only_bind_into](edge)) and + result = value.getAnInstruction() and + g.controls(result.getBlock(), edge) + ) + } + + DataFlow::Node getABarrierNode() { result.asOperand() = getABarrierInstruction(_).getAUse() } + + pragma[nomagic] + IRBlock getABarrierBlock(int state) { result.getAnInstruction() = getABarrierInstruction(state) } +} + /** * A configuration to track flow from a pointer-arithmetic operation found * by `AllocToInvalidPointerConfig` to a dereference of the pointer. @@ -338,6 +394,8 @@ module InvalidPointerToDerefConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node = any(DataFlow::SsaPhiNode phi | not phi.isPhiRead()).getAnInput(true) + or + node = InvalidPointerToDerefBarrier::getABarrierNode() } } @@ -382,7 +440,7 @@ newtype TMergedPathNode = // pointer, but we want to raise an alert at the dereference. TPathNodeSink(Instruction i) { exists(DataFlow::Node n | - InvalidPointerToDerefFlow::flowTo(n) and + InvalidPointerToDerefFlow::flowTo(pragma[only_bind_into](n)) and isInvalidPointerDerefSink(n, i, _, _) and i = getASuccessor(n.asInstruction()) ) diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected index c0fd4fb29ddd..b1ecd38c3c3b 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected @@ -720,14 +720,6 @@ edges | test.cpp:359:16:359:27 | end_plus_one | test.cpp:359:14:359:32 | Load: * ... | | test.cpp:359:16:359:31 | ... + ... | test.cpp:359:14:359:32 | Load: * ... | | test.cpp:363:14:363:27 | new[] | test.cpp:365:15:365:15 | p | -| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... | -| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... | -| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p | -| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p | -| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p | -| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p | -| test.cpp:371:7:371:7 | p | test.cpp:372:15:372:16 | Load: * ... | -| test.cpp:372:16:372:16 | p | test.cpp:372:15:372:16 | Load: * ... | | test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:16 | xs | | test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... | | test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... | @@ -752,53 +744,284 @@ edges | test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end | | test.cpp:384:14:384:16 | end | test.cpp:384:13:384:16 | Load: * ... | | test.cpp:388:14:388:27 | new[] | test.cpp:389:16:389:17 | xs | -| test.cpp:388:14:388:27 | new[] | test.cpp:392:5:392:6 | xs | -| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ | -| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ | -| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ | -| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ | -| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs | -| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... | -| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... | -| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:6 | xs | -| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... | -| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... | -| test.cpp:395:5:395:6 | xs | test.cpp:395:5:395:13 | Store: ... = ... | -| test.cpp:406:3:406:25 | ... = ... | test.cpp:406:7:406:8 | val indirection [post update] [xs] | -| test.cpp:406:7:406:8 | val indirection [post update] [xs] | test.cpp:407:3:407:5 | val indirection [xs] | -| test.cpp:406:12:406:25 | new[] | test.cpp:406:3:406:25 | ... = ... | -| test.cpp:407:3:407:5 | val indirection [xs] | test.cpp:407:7:407:8 | xs indirection | -| test.cpp:407:7:407:8 | xs indirection | test.cpp:407:7:407:8 | xs | -| test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:8 | xs | -| test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:6 | xs | -| test.cpp:439:14:439:27 | new[] | test.cpp:444:5:444:6 | xs | -| test.cpp:450:14:450:27 | new[] | test.cpp:455:5:455:6 | xs | -| test.cpp:455:5:455:6 | xs | test.cpp:455:5:455:15 | access to array | -| test.cpp:455:5:455:15 | access to array | test.cpp:455:5:455:19 | Store: ... = ... | -| test.cpp:461:14:461:27 | new[] | test.cpp:466:5:466:6 | xs | -| test.cpp:466:5:466:6 | xs | test.cpp:466:5:466:15 | access to array | -| test.cpp:466:5:466:15 | access to array | test.cpp:466:5:466:19 | Store: ... = ... | -| test.cpp:472:14:472:27 | new[] | test.cpp:477:5:477:6 | xs | -| test.cpp:483:14:483:27 | new[] | test.cpp:488:5:488:6 | xs | -| test.cpp:494:14:494:31 | new[] | test.cpp:499:5:499:6 | xs | -| test.cpp:505:14:505:31 | new[] | test.cpp:510:5:510:6 | xs | -| test.cpp:516:14:516:31 | new[] | test.cpp:521:5:521:6 | xs | -| test.cpp:527:14:527:31 | new[] | test.cpp:532:5:532:6 | xs | -| test.cpp:538:14:538:31 | new[] | test.cpp:543:5:543:6 | xs | -| test.cpp:549:14:549:31 | new[] | test.cpp:554:5:554:6 | xs | -| test.cpp:554:5:554:6 | xs | test.cpp:554:5:554:15 | access to array | -| test.cpp:554:5:554:15 | access to array | test.cpp:554:5:554:19 | Store: ... = ... | +| test.cpp:388:14:388:27 | new[] | test.cpp:392:3:392:4 | xs | +| test.cpp:399:14:399:27 | new[] | test.cpp:400:16:400:17 | xs | +| test.cpp:399:14:399:27 | new[] | test.cpp:402:5:402:6 | xs | +| test.cpp:410:14:410:27 | new[] | test.cpp:411:16:411:17 | xs | +| test.cpp:410:14:410:27 | new[] | test.cpp:413:5:413:6 | xs | +| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... | +| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... | +| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end | +| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end | +| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end | +| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end | +| test.cpp:411:15:411:23 | & ... | test.cpp:414:14:414:16 | end | +| test.cpp:411:15:411:23 | & ... | test.cpp:414:14:414:16 | end | +| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... | +| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... | +| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... | +| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... | +| test.cpp:411:16:411:17 | xs | test.cpp:411:16:411:23 | access to array | +| test.cpp:411:16:411:17 | xs | test.cpp:411:16:411:23 | access to array | +| test.cpp:411:16:411:17 | xs | test.cpp:412:12:412:14 | end | +| test.cpp:411:16:411:17 | xs | test.cpp:412:12:412:14 | end | +| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ | +| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ | +| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ | +| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ | +| test.cpp:411:16:411:17 | xs | test.cpp:414:9:414:10 | xs | +| test.cpp:411:16:411:17 | xs | test.cpp:414:14:414:16 | end | +| test.cpp:411:16:411:17 | xs | test.cpp:415:7:415:11 | access to array | +| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... | +| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... | +| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... | +| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... | +| test.cpp:411:16:411:23 | access to array | test.cpp:412:12:412:14 | end | +| test.cpp:411:16:411:23 | access to array | test.cpp:412:12:412:14 | end | +| test.cpp:411:16:411:23 | access to array | test.cpp:414:14:414:16 | end | +| test.cpp:411:16:411:23 | access to array | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:411:16:411:23 | access to array | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:412:12:412:14 | end | test.cpp:414:14:414:16 | end | +| test.cpp:412:12:412:14 | end | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:412:12:412:14 | end | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:413:5:413:8 | ... ++ | test.cpp:413:5:413:8 | ... ++ | +| test.cpp:413:5:413:8 | ... ++ | test.cpp:413:5:413:8 | ... ++ | +| test.cpp:413:5:413:8 | ... ++ | test.cpp:414:9:414:10 | xs | +| test.cpp:413:5:413:8 | ... ++ | test.cpp:414:9:414:10 | xs | +| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:414:9:414:10 | xs | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:414:14:414:16 | end | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:415:7:415:11 | access to array | test.cpp:415:7:415:15 | Store: ... = ... | +| test.cpp:421:14:421:27 | new[] | test.cpp:422:16:422:17 | xs | +| test.cpp:421:14:421:27 | new[] | test.cpp:424:5:424:6 | xs | +| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... | +| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... | +| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end | +| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end | +| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end | +| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end | +| test.cpp:422:15:422:23 | & ... | test.cpp:425:18:425:20 | end | +| test.cpp:422:15:422:23 | & ... | test.cpp:425:18:425:20 | end | +| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... | +| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... | +| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... | +| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... | +| test.cpp:422:16:422:17 | xs | test.cpp:422:16:422:23 | access to array | +| test.cpp:422:16:422:17 | xs | test.cpp:422:16:422:23 | access to array | +| test.cpp:422:16:422:17 | xs | test.cpp:423:12:423:14 | end | +| test.cpp:422:16:422:17 | xs | test.cpp:423:12:423:14 | end | +| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ | +| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ | +| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ | +| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ | +| test.cpp:422:16:422:17 | xs | test.cpp:425:9:425:10 | xs | +| test.cpp:422:16:422:17 | xs | test.cpp:425:9:425:10 | xs | +| test.cpp:422:16:422:17 | xs | test.cpp:425:18:425:20 | end | +| test.cpp:422:16:422:17 | xs | test.cpp:426:7:426:8 | xs | +| test.cpp:422:16:422:17 | xs | test.cpp:426:7:426:11 | access to array | +| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... | +| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... | +| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... | +| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... | +| test.cpp:422:16:422:23 | access to array | test.cpp:423:12:423:14 | end | +| test.cpp:422:16:422:23 | access to array | test.cpp:423:12:423:14 | end | +| test.cpp:422:16:422:23 | access to array | test.cpp:425:18:425:20 | end | +| test.cpp:422:16:422:23 | access to array | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:422:16:422:23 | access to array | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:423:12:423:14 | end | test.cpp:425:18:425:20 | end | +| test.cpp:423:12:423:14 | end | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:423:12:423:14 | end | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:424:5:424:8 | ... ++ | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:424:5:424:8 | ... ++ | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:8 | xs | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:8 | xs | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:425:9:425:10 | xs | test.cpp:426:7:426:8 | xs | +| test.cpp:425:9:425:10 | xs | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:425:9:425:10 | xs | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:425:18:425:20 | end | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:426:7:426:8 | xs | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:426:7:426:11 | access to array | test.cpp:426:7:426:15 | Store: ... = ... | +| test.cpp:432:14:432:27 | new[] | test.cpp:433:16:433:17 | xs | +| test.cpp:432:14:432:27 | new[] | test.cpp:436:5:436:6 | xs | +| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... | +| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... | +| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end | +| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end | +| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end | +| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end | +| test.cpp:433:15:433:23 | & ... | test.cpp:435:5:435:7 | end | +| test.cpp:433:15:433:23 | & ... | test.cpp:435:5:435:7 | end | +| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... | +| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... | +| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... | +| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... | +| test.cpp:433:16:433:17 | xs | test.cpp:433:16:433:23 | access to array | +| test.cpp:433:16:433:17 | xs | test.cpp:433:16:433:23 | access to array | +| test.cpp:433:16:433:17 | xs | test.cpp:434:12:434:14 | end | +| test.cpp:433:16:433:17 | xs | test.cpp:434:12:434:14 | end | +| test.cpp:433:16:433:17 | xs | test.cpp:435:5:435:7 | end | +| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ | +| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ | +| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ | +| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ | +| test.cpp:433:16:433:17 | xs | test.cpp:437:9:437:10 | xs | +| test.cpp:433:16:433:17 | xs | test.cpp:438:7:438:11 | access to array | +| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... | +| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... | +| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... | +| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... | +| test.cpp:433:16:433:23 | access to array | test.cpp:434:12:434:14 | end | +| test.cpp:433:16:433:23 | access to array | test.cpp:434:12:434:14 | end | +| test.cpp:433:16:433:23 | access to array | test.cpp:435:5:435:7 | end | +| test.cpp:433:16:433:23 | access to array | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:433:16:433:23 | access to array | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:434:12:434:14 | end | test.cpp:435:5:435:7 | end | +| test.cpp:434:12:434:14 | end | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:434:12:434:14 | end | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:435:5:435:7 | end | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:436:5:436:8 | ... ++ | test.cpp:436:5:436:8 | ... ++ | +| test.cpp:436:5:436:8 | ... ++ | test.cpp:436:5:436:8 | ... ++ | +| test.cpp:436:5:436:8 | ... ++ | test.cpp:437:9:437:10 | xs | +| test.cpp:436:5:436:8 | ... ++ | test.cpp:437:9:437:10 | xs | +| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:437:9:437:10 | xs | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:438:7:438:11 | access to array | test.cpp:438:7:438:15 | Store: ... = ... | +| test.cpp:444:14:444:27 | new[] | test.cpp:445:16:445:17 | xs | +| test.cpp:444:14:444:27 | new[] | test.cpp:448:5:448:6 | xs | +| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... | +| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... | +| test.cpp:445:15:445:23 | & ... | test.cpp:446:3:446:5 | end | +| test.cpp:445:15:445:23 | & ... | test.cpp:446:3:446:5 | end | +| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... | +| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... | +| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... | +| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... | +| test.cpp:445:16:445:17 | xs | test.cpp:445:16:445:23 | access to array | +| test.cpp:445:16:445:17 | xs | test.cpp:445:16:445:23 | access to array | +| test.cpp:445:16:445:17 | xs | test.cpp:446:3:446:5 | end | +| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ | +| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ | +| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ | +| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ | +| test.cpp:445:16:445:17 | xs | test.cpp:449:9:449:10 | xs | +| test.cpp:445:16:445:17 | xs | test.cpp:450:7:450:11 | access to array | +| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... | +| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... | +| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... | +| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... | +| test.cpp:445:16:445:23 | access to array | test.cpp:446:3:446:5 | end | +| test.cpp:445:16:445:23 | access to array | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:445:16:445:23 | access to array | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:446:3:446:5 | end | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:448:5:448:8 | ... ++ | test.cpp:448:5:448:8 | ... ++ | +| test.cpp:448:5:448:8 | ... ++ | test.cpp:448:5:448:8 | ... ++ | +| test.cpp:448:5:448:8 | ... ++ | test.cpp:449:9:449:10 | xs | +| test.cpp:448:5:448:8 | ... ++ | test.cpp:449:9:449:10 | xs | +| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:449:9:449:10 | xs | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:450:7:450:11 | access to array | test.cpp:450:7:450:15 | Store: ... = ... | +| test.cpp:456:14:456:31 | new[] | test.cpp:457:16:457:17 | xs | +| test.cpp:456:14:456:31 | new[] | test.cpp:460:5:460:6 | xs | +| test.cpp:468:14:468:27 | new[] | test.cpp:469:16:469:17 | xs | +| test.cpp:468:14:468:27 | new[] | test.cpp:472:5:472:6 | xs | +| test.cpp:480:14:480:27 | new[] | test.cpp:481:16:481:17 | xs | +| test.cpp:480:14:480:27 | new[] | test.cpp:484:5:484:6 | xs | +| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... | +| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... | +| test.cpp:481:15:481:23 | & ... | test.cpp:482:3:482:5 | end | +| test.cpp:481:15:481:23 | & ... | test.cpp:482:3:482:5 | end | +| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... | +| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... | +| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... | +| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... | +| test.cpp:481:16:481:17 | xs | test.cpp:481:16:481:23 | access to array | +| test.cpp:481:16:481:17 | xs | test.cpp:481:16:481:23 | access to array | +| test.cpp:481:16:481:17 | xs | test.cpp:482:3:482:5 | end | +| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ | +| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ | +| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ | +| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ | +| test.cpp:481:16:481:17 | xs | test.cpp:485:9:485:10 | xs | +| test.cpp:481:16:481:17 | xs | test.cpp:486:7:486:11 | access to array | +| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... | +| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... | +| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... | +| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... | +| test.cpp:481:16:481:23 | access to array | test.cpp:482:3:482:5 | end | +| test.cpp:481:16:481:23 | access to array | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:481:16:481:23 | access to array | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:482:3:482:5 | end | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:484:5:484:8 | ... ++ | test.cpp:484:5:484:8 | ... ++ | +| test.cpp:484:5:484:8 | ... ++ | test.cpp:484:5:484:8 | ... ++ | +| test.cpp:484:5:484:8 | ... ++ | test.cpp:485:9:485:10 | xs | +| test.cpp:484:5:484:8 | ... ++ | test.cpp:485:9:485:10 | xs | +| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:485:9:485:10 | xs | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:486:7:486:11 | access to array | test.cpp:486:7:486:15 | Store: ... = ... | +| test.cpp:499:3:499:25 | ... = ... | test.cpp:499:7:499:8 | val indirection [post update] [xs] | +| test.cpp:499:7:499:8 | val indirection [post update] [xs] | test.cpp:500:3:500:5 | val indirection [xs] | +| test.cpp:499:12:499:25 | new[] | test.cpp:499:3:499:25 | ... = ... | +| test.cpp:500:3:500:5 | val indirection [xs] | test.cpp:500:7:500:8 | xs indirection | +| test.cpp:500:7:500:8 | xs indirection | test.cpp:500:7:500:8 | xs | +| test.cpp:510:16:510:33 | new[] | test.cpp:512:7:512:8 | xs | +| test.cpp:520:14:520:27 | new[] | test.cpp:526:5:526:6 | xs | +| test.cpp:532:14:532:27 | new[] | test.cpp:537:5:537:6 | xs | +| test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:6 | xs | +| test.cpp:548:5:548:6 | xs | test.cpp:548:5:548:15 | access to array | +| test.cpp:548:5:548:15 | access to array | test.cpp:548:5:548:19 | Store: ... = ... | +| test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:6 | xs | +| test.cpp:559:5:559:6 | xs | test.cpp:559:5:559:15 | access to array | +| test.cpp:559:5:559:15 | access to array | test.cpp:559:5:559:19 | Store: ... = ... | +| test.cpp:565:14:565:27 | new[] | test.cpp:570:5:570:6 | xs | +| test.cpp:576:14:576:27 | new[] | test.cpp:581:5:581:6 | xs | +| test.cpp:587:14:587:31 | new[] | test.cpp:592:5:592:6 | xs | +| test.cpp:598:14:598:31 | new[] | test.cpp:603:5:603:6 | xs | +| test.cpp:609:14:609:31 | new[] | test.cpp:614:5:614:6 | xs | +| test.cpp:620:14:620:31 | new[] | test.cpp:625:5:625:6 | xs | +| test.cpp:631:14:631:31 | new[] | test.cpp:636:5:636:6 | xs | +| test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:6 | xs | +| test.cpp:647:5:647:6 | xs | test.cpp:647:5:647:15 | access to array | +| test.cpp:647:5:647:15 | access to array | test.cpp:647:5:647:19 | Store: ... = ... | nodes | test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc | | test.cpp:5:15:5:15 | p | semmle.label | p | @@ -1125,11 +1348,6 @@ nodes | test.cpp:359:16:359:31 | ... + ... | semmle.label | ... + ... | | test.cpp:363:14:363:27 | new[] | semmle.label | new[] | | test.cpp:365:15:365:15 | p | semmle.label | p | -| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... | -| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... | -| test.cpp:371:7:371:7 | p | semmle.label | p | -| test.cpp:372:15:372:16 | Load: * ... | semmle.label | Load: * ... | -| test.cpp:372:16:372:16 | p | semmle.label | p | | test.cpp:377:14:377:27 | new[] | semmle.label | new[] | | test.cpp:378:15:378:16 | xs | semmle.label | xs | | test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... | @@ -1143,53 +1361,147 @@ nodes | test.cpp:384:14:384:16 | end | semmle.label | end | | test.cpp:388:14:388:27 | new[] | semmle.label | new[] | | test.cpp:389:16:389:17 | xs | semmle.label | xs | -| test.cpp:392:5:392:6 | xs | semmle.label | xs | -| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ | -| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ | -| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ | -| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ | -| test.cpp:393:9:393:10 | xs | semmle.label | xs | -| test.cpp:393:9:393:10 | xs | semmle.label | xs | -| test.cpp:395:5:395:6 | xs | semmle.label | xs | -| test.cpp:395:5:395:13 | Store: ... = ... | semmle.label | Store: ... = ... | -| test.cpp:406:3:406:25 | ... = ... | semmle.label | ... = ... | -| test.cpp:406:7:406:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] | -| test.cpp:406:12:406:25 | new[] | semmle.label | new[] | -| test.cpp:407:3:407:5 | val indirection [xs] | semmle.label | val indirection [xs] | -| test.cpp:407:7:407:8 | xs | semmle.label | xs | -| test.cpp:407:7:407:8 | xs indirection | semmle.label | xs indirection | -| test.cpp:417:16:417:33 | new[] | semmle.label | new[] | -| test.cpp:419:7:419:8 | xs | semmle.label | xs | -| test.cpp:427:14:427:27 | new[] | semmle.label | new[] | -| test.cpp:433:5:433:6 | xs | semmle.label | xs | -| test.cpp:439:14:439:27 | new[] | semmle.label | new[] | -| test.cpp:444:5:444:6 | xs | semmle.label | xs | -| test.cpp:450:14:450:27 | new[] | semmle.label | new[] | -| test.cpp:455:5:455:6 | xs | semmle.label | xs | -| test.cpp:455:5:455:15 | access to array | semmle.label | access to array | -| test.cpp:455:5:455:19 | Store: ... = ... | semmle.label | Store: ... = ... | -| test.cpp:461:14:461:27 | new[] | semmle.label | new[] | -| test.cpp:466:5:466:6 | xs | semmle.label | xs | -| test.cpp:466:5:466:15 | access to array | semmle.label | access to array | -| test.cpp:466:5:466:19 | Store: ... = ... | semmle.label | Store: ... = ... | -| test.cpp:472:14:472:27 | new[] | semmle.label | new[] | -| test.cpp:477:5:477:6 | xs | semmle.label | xs | -| test.cpp:483:14:483:27 | new[] | semmle.label | new[] | -| test.cpp:488:5:488:6 | xs | semmle.label | xs | -| test.cpp:494:14:494:31 | new[] | semmle.label | new[] | -| test.cpp:499:5:499:6 | xs | semmle.label | xs | -| test.cpp:505:14:505:31 | new[] | semmle.label | new[] | -| test.cpp:510:5:510:6 | xs | semmle.label | xs | -| test.cpp:516:14:516:31 | new[] | semmle.label | new[] | -| test.cpp:521:5:521:6 | xs | semmle.label | xs | -| test.cpp:527:14:527:31 | new[] | semmle.label | new[] | -| test.cpp:532:5:532:6 | xs | semmle.label | xs | -| test.cpp:538:14:538:31 | new[] | semmle.label | new[] | -| test.cpp:543:5:543:6 | xs | semmle.label | xs | -| test.cpp:549:14:549:31 | new[] | semmle.label | new[] | -| test.cpp:554:5:554:6 | xs | semmle.label | xs | -| test.cpp:554:5:554:15 | access to array | semmle.label | access to array | -| test.cpp:554:5:554:19 | Store: ... = ... | semmle.label | Store: ... = ... | +| test.cpp:392:3:392:4 | xs | semmle.label | xs | +| test.cpp:399:14:399:27 | new[] | semmle.label | new[] | +| test.cpp:400:16:400:17 | xs | semmle.label | xs | +| test.cpp:402:5:402:6 | xs | semmle.label | xs | +| test.cpp:410:14:410:27 | new[] | semmle.label | new[] | +| test.cpp:411:15:411:23 | & ... | semmle.label | & ... | +| test.cpp:411:15:411:23 | & ... | semmle.label | & ... | +| test.cpp:411:15:411:23 | & ... | semmle.label | & ... | +| test.cpp:411:15:411:23 | & ... | semmle.label | & ... | +| test.cpp:411:16:411:17 | xs | semmle.label | xs | +| test.cpp:411:16:411:23 | access to array | semmle.label | access to array | +| test.cpp:411:16:411:23 | access to array | semmle.label | access to array | +| test.cpp:412:12:412:14 | end | semmle.label | end | +| test.cpp:412:12:412:14 | end | semmle.label | end | +| test.cpp:413:5:413:6 | xs | semmle.label | xs | +| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:414:9:414:10 | xs | semmle.label | xs | +| test.cpp:414:14:414:16 | end | semmle.label | end | +| test.cpp:415:7:415:11 | access to array | semmle.label | access to array | +| test.cpp:415:7:415:15 | Store: ... = ... | semmle.label | Store: ... = ... | +| test.cpp:421:14:421:27 | new[] | semmle.label | new[] | +| test.cpp:422:15:422:23 | & ... | semmle.label | & ... | +| test.cpp:422:15:422:23 | & ... | semmle.label | & ... | +| test.cpp:422:15:422:23 | & ... | semmle.label | & ... | +| test.cpp:422:15:422:23 | & ... | semmle.label | & ... | +| test.cpp:422:16:422:17 | xs | semmle.label | xs | +| test.cpp:422:16:422:23 | access to array | semmle.label | access to array | +| test.cpp:422:16:422:23 | access to array | semmle.label | access to array | +| test.cpp:423:12:423:14 | end | semmle.label | end | +| test.cpp:423:12:423:14 | end | semmle.label | end | +| test.cpp:424:5:424:6 | xs | semmle.label | xs | +| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:425:9:425:10 | xs | semmle.label | xs | +| test.cpp:425:9:425:10 | xs | semmle.label | xs | +| test.cpp:425:18:425:20 | end | semmle.label | end | +| test.cpp:426:7:426:8 | xs | semmle.label | xs | +| test.cpp:426:7:426:11 | access to array | semmle.label | access to array | +| test.cpp:426:7:426:15 | Store: ... = ... | semmle.label | Store: ... = ... | +| test.cpp:432:14:432:27 | new[] | semmle.label | new[] | +| test.cpp:433:15:433:23 | & ... | semmle.label | & ... | +| test.cpp:433:15:433:23 | & ... | semmle.label | & ... | +| test.cpp:433:15:433:23 | & ... | semmle.label | & ... | +| test.cpp:433:15:433:23 | & ... | semmle.label | & ... | +| test.cpp:433:16:433:17 | xs | semmle.label | xs | +| test.cpp:433:16:433:23 | access to array | semmle.label | access to array | +| test.cpp:433:16:433:23 | access to array | semmle.label | access to array | +| test.cpp:434:12:434:14 | end | semmle.label | end | +| test.cpp:434:12:434:14 | end | semmle.label | end | +| test.cpp:435:5:435:7 | end | semmle.label | end | +| test.cpp:436:5:436:6 | xs | semmle.label | xs | +| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:437:9:437:10 | xs | semmle.label | xs | +| test.cpp:438:7:438:11 | access to array | semmle.label | access to array | +| test.cpp:438:7:438:15 | Store: ... = ... | semmle.label | Store: ... = ... | +| test.cpp:444:14:444:27 | new[] | semmle.label | new[] | +| test.cpp:445:15:445:23 | & ... | semmle.label | & ... | +| test.cpp:445:15:445:23 | & ... | semmle.label | & ... | +| test.cpp:445:15:445:23 | & ... | semmle.label | & ... | +| test.cpp:445:15:445:23 | & ... | semmle.label | & ... | +| test.cpp:445:16:445:17 | xs | semmle.label | xs | +| test.cpp:445:16:445:23 | access to array | semmle.label | access to array | +| test.cpp:445:16:445:23 | access to array | semmle.label | access to array | +| test.cpp:446:3:446:5 | end | semmle.label | end | +| test.cpp:448:5:448:6 | xs | semmle.label | xs | +| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:449:9:449:10 | xs | semmle.label | xs | +| test.cpp:450:7:450:11 | access to array | semmle.label | access to array | +| test.cpp:450:7:450:15 | Store: ... = ... | semmle.label | Store: ... = ... | +| test.cpp:456:14:456:31 | new[] | semmle.label | new[] | +| test.cpp:457:16:457:17 | xs | semmle.label | xs | +| test.cpp:460:5:460:6 | xs | semmle.label | xs | +| test.cpp:468:14:468:27 | new[] | semmle.label | new[] | +| test.cpp:469:16:469:17 | xs | semmle.label | xs | +| test.cpp:472:5:472:6 | xs | semmle.label | xs | +| test.cpp:480:14:480:27 | new[] | semmle.label | new[] | +| test.cpp:481:15:481:23 | & ... | semmle.label | & ... | +| test.cpp:481:15:481:23 | & ... | semmle.label | & ... | +| test.cpp:481:15:481:23 | & ... | semmle.label | & ... | +| test.cpp:481:15:481:23 | & ... | semmle.label | & ... | +| test.cpp:481:16:481:17 | xs | semmle.label | xs | +| test.cpp:481:16:481:23 | access to array | semmle.label | access to array | +| test.cpp:481:16:481:23 | access to array | semmle.label | access to array | +| test.cpp:482:3:482:5 | end | semmle.label | end | +| test.cpp:484:5:484:6 | xs | semmle.label | xs | +| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ | +| test.cpp:485:9:485:10 | xs | semmle.label | xs | +| test.cpp:486:7:486:11 | access to array | semmle.label | access to array | +| test.cpp:486:7:486:15 | Store: ... = ... | semmle.label | Store: ... = ... | +| test.cpp:499:3:499:25 | ... = ... | semmle.label | ... = ... | +| test.cpp:499:7:499:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] | +| test.cpp:499:12:499:25 | new[] | semmle.label | new[] | +| test.cpp:500:3:500:5 | val indirection [xs] | semmle.label | val indirection [xs] | +| test.cpp:500:7:500:8 | xs | semmle.label | xs | +| test.cpp:500:7:500:8 | xs indirection | semmle.label | xs indirection | +| test.cpp:510:16:510:33 | new[] | semmle.label | new[] | +| test.cpp:512:7:512:8 | xs | semmle.label | xs | +| test.cpp:520:14:520:27 | new[] | semmle.label | new[] | +| test.cpp:526:5:526:6 | xs | semmle.label | xs | +| test.cpp:532:14:532:27 | new[] | semmle.label | new[] | +| test.cpp:537:5:537:6 | xs | semmle.label | xs | +| test.cpp:543:14:543:27 | new[] | semmle.label | new[] | +| test.cpp:548:5:548:6 | xs | semmle.label | xs | +| test.cpp:548:5:548:15 | access to array | semmle.label | access to array | +| test.cpp:548:5:548:19 | Store: ... = ... | semmle.label | Store: ... = ... | +| test.cpp:554:14:554:27 | new[] | semmle.label | new[] | +| test.cpp:559:5:559:6 | xs | semmle.label | xs | +| test.cpp:559:5:559:15 | access to array | semmle.label | access to array | +| test.cpp:559:5:559:19 | Store: ... = ... | semmle.label | Store: ... = ... | +| test.cpp:565:14:565:27 | new[] | semmle.label | new[] | +| test.cpp:570:5:570:6 | xs | semmle.label | xs | +| test.cpp:576:14:576:27 | new[] | semmle.label | new[] | +| test.cpp:581:5:581:6 | xs | semmle.label | xs | +| test.cpp:587:14:587:31 | new[] | semmle.label | new[] | +| test.cpp:592:5:592:6 | xs | semmle.label | xs | +| test.cpp:598:14:598:31 | new[] | semmle.label | new[] | +| test.cpp:603:5:603:6 | xs | semmle.label | xs | +| test.cpp:609:14:609:31 | new[] | semmle.label | new[] | +| test.cpp:614:5:614:6 | xs | semmle.label | xs | +| test.cpp:620:14:620:31 | new[] | semmle.label | new[] | +| test.cpp:625:5:625:6 | xs | semmle.label | xs | +| test.cpp:631:14:631:31 | new[] | semmle.label | new[] | +| test.cpp:636:5:636:6 | xs | semmle.label | xs | +| test.cpp:642:14:642:31 | new[] | semmle.label | new[] | +| test.cpp:647:5:647:6 | xs | semmle.label | xs | +| test.cpp:647:5:647:15 | access to array | semmle.label | access to array | +| test.cpp:647:5:647:19 | Store: ... = ... | semmle.label | Store: ... = ... | subpaths #select | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size | @@ -1214,9 +1526,12 @@ subpaths | test.cpp:308:5:308:29 | Store: ... = ... | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:29 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:304:15:304:26 | new[] | new[] | test.cpp:308:8:308:10 | ... + ... | ... + ... | | test.cpp:358:14:358:26 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size | | test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size | -| test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size | | test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size | -| test.cpp:395:5:395:13 | Store: ... = ... | test.cpp:388:14:388:27 | new[] | test.cpp:395:5:395:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:388:14:388:27 | new[] | new[] | test.cpp:389:19:389:22 | size | size | -| test.cpp:455:5:455:19 | Store: ... = ... | test.cpp:450:14:450:27 | new[] | test.cpp:455:5:455:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:450:14:450:27 | new[] | new[] | test.cpp:455:8:455:14 | src_pos | src_pos | -| test.cpp:466:5:466:19 | Store: ... = ... | test.cpp:461:14:461:27 | new[] | test.cpp:466:5:466:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:461:14:461:27 | new[] | new[] | test.cpp:466:8:466:14 | src_pos | src_pos | -| test.cpp:554:5:554:19 | Store: ... = ... | test.cpp:549:14:549:31 | new[] | test.cpp:554:5:554:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:549:14:549:31 | new[] | new[] | test.cpp:554:8:554:14 | src_pos | src_pos | +| test.cpp:415:7:415:15 | Store: ... = ... | test.cpp:410:14:410:27 | new[] | test.cpp:415:7:415:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:410:14:410:27 | new[] | new[] | test.cpp:411:19:411:22 | size | size | +| test.cpp:426:7:426:15 | Store: ... = ... | test.cpp:421:14:421:27 | new[] | test.cpp:426:7:426:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:421:14:421:27 | new[] | new[] | test.cpp:422:19:422:22 | size | size | +| test.cpp:438:7:438:15 | Store: ... = ... | test.cpp:432:14:432:27 | new[] | test.cpp:438:7:438:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:432:14:432:27 | new[] | new[] | test.cpp:433:19:433:22 | size | size | +| test.cpp:450:7:450:15 | Store: ... = ... | test.cpp:444:14:444:27 | new[] | test.cpp:450:7:450:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:444:14:444:27 | new[] | new[] | test.cpp:445:19:445:22 | size | size | +| test.cpp:486:7:486:15 | Store: ... = ... | test.cpp:480:14:480:27 | new[] | test.cpp:486:7:486:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@ + 498. | test.cpp:480:14:480:27 | new[] | new[] | test.cpp:481:19:481:22 | size | size | +| test.cpp:548:5:548:19 | Store: ... = ... | test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:543:14:543:27 | new[] | new[] | test.cpp:548:8:548:14 | src_pos | src_pos | +| test.cpp:559:5:559:19 | Store: ... = ... | test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:554:14:554:27 | new[] | new[] | test.cpp:559:8:559:14 | src_pos | src_pos | +| test.cpp:647:5:647:19 | Store: ... = ... | test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:642:14:642:31 | new[] | new[] | test.cpp:647:8:647:14 | src_pos | src_pos | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp index 95af0938286a..bdd3863544fe 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp @@ -387,12 +387,105 @@ void test27(unsigned size, bool b) { void test28(unsigned size) { char *xs = new char[size]; char *end = &xs[size]; - if (xs >= end) - return; + if (xs >= end) + return; + xs++; + if (xs >= end) + return; + xs[0] = 0; // GOOD +} + +void test28_simple(unsigned size) { + char *xs = new char[size]; + char *end = &xs[size]; + if (xs < end) { xs++; - if (xs >= end) - return; - xs[0] = 0; // GOOD [FALSE POSITIVE] + if (xs < end) { + xs[0] = 0; // GOOD + } + } +} + +void test28_simple2(unsigned size) { + char *xs = new char[size]; + char *end = &xs[size]; + if (xs < end) { + xs++; + if (xs < end + 1) { + xs[0] = 0; // BAD + } + } +} + +void test28_simple3(unsigned size) { + char *xs = new char[size]; + char *end = &xs[size]; + if (xs < end) { + xs++; + if (xs - 1 < end) { + xs[0] = 0; // BAD + } + } +} + +void test28_simple4(unsigned size) { + char *xs = new char[size]; + char *end = &xs[size]; + if (xs < end) { + end++; + xs++; + if (xs < end) { + xs[0] = 0; // BAD + } + } +} + +void test28_simple5(unsigned size) { + char *xs = new char[size]; + char *end = &xs[size]; + end++; + if (xs < end) { + xs++; + if (xs < end) { + xs[0] = 0; // BAD + } + } +} + +void test28_simple6(unsigned size) { + char *xs = new char[size + 1]; + char *end = &xs[size]; + end++; + if (xs < end) { + xs++; + if (xs < end) { + xs[0] = 0; // GOOD + } + } +} + +void test28_simple7(unsigned size) { + char *xs = new char[size]; + char *end = &xs[size]; + end++; + if (xs < end) { + xs++; + if (xs < end - 1) { + xs[0] = 0; // GOOD + } + } +} + +void test28_simple8(unsigned size) { + char *xs = new char[size]; + char *end = &xs[size]; + end += 500; + if (xs < end) { + xs++; + if (xs < end - 1) { + xs[0] = 0; // BAD + } + } } struct test29_struct { @@ -429,7 +522,7 @@ void test31(unsigned size, unsigned src_pos) src_pos = size; } unsigned dst_pos = src_pos; - if(dst_pos < size - 3) { + if (dst_pos < size - 3) { xs[dst_pos++] = 0; // GOOD } } @@ -440,7 +533,7 @@ void test31_simple1(unsigned size, unsigned src_pos) if (src_pos > size) { src_pos = size; } - if(src_pos < size) { + if (src_pos < size) { xs[src_pos] = 0; // GOOD } } @@ -451,7 +544,7 @@ void test31_simple2(unsigned size, unsigned src_pos) if (src_pos > size) { src_pos = size; } - if(src_pos < size + 1) { + if (src_pos < size + 1) { xs[src_pos] = 0; // BAD } } @@ -462,7 +555,7 @@ void test31_simple3(unsigned size, unsigned src_pos) if (src_pos > size) { src_pos = size; } - if(src_pos - 1 < size) { + if (src_pos - 1 < size) { xs[src_pos] = 0; // BAD } } @@ -473,7 +566,7 @@ void test31_simple4(unsigned size, unsigned src_pos) if (src_pos > size) { src_pos = size; } - if(src_pos < size - 1) { + if (src_pos < size - 1) { xs[src_pos] = 0; // GOOD } } @@ -484,7 +577,7 @@ void test31_simple5(unsigned size, unsigned src_pos) if (src_pos > size) { src_pos = size; } - if(src_pos + 1 < size) { + if (src_pos + 1 < size) { xs[src_pos] = 0; // GOOD } } @@ -495,7 +588,7 @@ void test31_simple1_plus1(unsigned size, unsigned src_pos) if (src_pos > size) { src_pos = size; } - if(src_pos < size) { + if (src_pos < size) { xs[src_pos] = 0; // GOOD } } @@ -506,7 +599,7 @@ void test31_simple2_plus1(unsigned size, unsigned src_pos) if (src_pos > size) { src_pos = size; } - if(src_pos < size + 1) { + if (src_pos < size + 1) { xs[src_pos] = 0; // GOOD } } @@ -517,7 +610,7 @@ void test31_simple3_plus1(unsigned size, unsigned src_pos) if (src_pos > size) { src_pos = size; } - if(src_pos - 1 < size) { + if (src_pos - 1 < size) { xs[src_pos] = 0; // GOOD } } @@ -528,7 +621,7 @@ void test31_simple4_plus1(unsigned size, unsigned src_pos) if (src_pos > size) { src_pos = size; } - if(src_pos < size - 1) { + if (src_pos < size - 1) { xs[src_pos] = 0; // GOOD } } @@ -539,7 +632,7 @@ void test31_simple5_plus1(unsigned size, unsigned src_pos) if (src_pos > size) { src_pos = size; } - if(src_pos + 1 < size) { + if (src_pos + 1 < size) { xs[src_pos] = 0; // GOOD } } @@ -550,7 +643,7 @@ void test31_simple1_sub1(unsigned size, unsigned src_pos) if (src_pos > size) { src_pos = size; } - if(src_pos < size) { + if (src_pos < size) { xs[src_pos] = 0; // BAD } }