From 43a231f0a50d659f4cc146a15adc4fbd47a8a5d4 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 29 Oct 2020 09:26:51 +0100
Subject: [PATCH 1/4] C++: Store steps now go from operands to instructions, and read steps now go from instructions and operands.

There are a couple of read steps that still target instructions because I couldn't decide on an operand to target.
---
 .../ir/dataflow/internal/DataFlowPrivate.qll | 45 ++++++++++---------
 1 file changed, 23 insertions(+), 22 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
index e780c5c7eb36..87194355c878 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -228,7 +228,7 @@ private class ArrayContent extends Content, TArrayContent {
 private predicate fieldStoreStepNoChi(Node node1, FieldContent f, PostUpdateNode node2) {
   exists(StoreInstruction store, Class c |
     store = node2.asInstruction() and
-    store.getSourceValue() = node1.asInstruction() and
+    store.getSourceValueOperand() = node1.asOperand() and
     getWrittenField(store, f.(FieldContent).getAField(), c) and
     f.hasOffset(c, _, _)
   )
@@ -251,10 +251,10 @@ private predicate getWrittenField(Instruction instr, Field f, Class c) {
 }
 
 private predicate fieldStoreStepChi(Node node1, FieldContent f, PostUpdateNode node2) {
-  exists(StoreInstruction store, ChiInstruction chi |
-    node1.asInstruction() = store and
+  exists(StoreValueOperand operand, ChiInstruction chi |
+    node1.asOperand() = operand and
     node2.asInstruction() = chi and
-    chi.getPartial() = store and
+    chi.getPartial() = operand.getUse() and
     exists(Class c |
       c = chi.getResultType() and
       exists(int startBit, int endBit |
@@ -262,7 +262,7 @@ private predicate fieldStoreStepChi(Node node1, FieldContent f, PostUpdateNode n
         f.hasOffset(c, startBit, endBit)
       )
       or
-      getWrittenField(store, f.getAField(), c) and
+      getWrittenField(operand.getUse(), f.getAField(), c) and
       f.hasOffset(c, _, _)
     )
   )
@@ -270,8 +270,9 @@ private predicate fieldStoreStepChi(Node node1, FieldContent f, PostUpdateNode n
 
 private predicate arrayStoreStepChi(Node node1, ArrayContent a, PostUpdateNode node2) {
   a = TArrayContent() and
-  exists(StoreInstruction store |
-    node1.asInstruction() = store and
+  exists(StoreValueOperand operand, StoreInstruction store |
+    store.getSourceValueOperand() = operand and
+    node1.asOperand() = operand and
     (
       // `x[i] = taint()`
       // This matches the characteristic predicate in `ArrayStoreNode`.
@@ -304,7 +305,7 @@ predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
 private predicate fieldStoreStepAfterArraySuppression(
   Node node1, FieldContent f, PostUpdateNode node2
 ) {
-  exists(BufferMayWriteSideEffectInstruction write, ChiInstruction chi, Class c |
+  exists(WriteSideEffectInstruction write, ChiInstruction chi, Class c |
     not chi.isResultConflated() and
     node1.asInstruction() = chi and
     node2.asInstruction() = chi and
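Review bot: Replacing `BufferMayWriteSideEffectInstruction` with `WriteSideEffectInstruction` in the `exists` of `fieldStoreStepAfterArraySuppression` widens the match to every write side-effect kind, which goes beyond the operand/instruction refactor the subject describes and is explained nowhere in the hunk; the same widening is made in `suppressArrayRead` and `exactReadStep` further down. If the wider class is intended, a comment above the `exists` such as `// Any write side effect that only partially defines the variable (hence the Chi) is a candidate here, not just buffer writes.` would record why; otherwise the previous subclass should be kept. Whether the `not chi.isResultConflated()` conjunct alone keeps the must-write variants from adding spurious steps is not visible from here. The body of `fieldStoreStepAfterArraySuppression` continues past the hunk.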
@@ -332,17 +333,17 @@ private predicate getLoadedField(LoadInstruction load, Field f, Class c) {
  * `node2`.
  */
 private predicate fieldReadStep(Node node1, FieldContent f, Node node2) {
-  exists(LoadInstruction load |
-    node2.asInstruction() = load and
-    node1.asInstruction() = load.getSourceValueOperand().getAnyDef() and
+  exists(LoadOperand operand |
+    node2.asOperand() = operand and
+    node1.asInstruction() = operand.getAnyDef() and
     exists(Class c |
-      c = load.getSourceValueOperand().getAnyDef().getResultType() and
+      c = operand.getAnyDef().getResultType() and
       exists(int startBit, int endBit |
-        load.getSourceValueOperand().getUsedInterval(unbindInt(startBit), unbindInt(endBit)) and
+        operand.getUsedInterval(unbindInt(startBit), unbindInt(endBit)) and
         f.hasOffset(c, startBit, endBit)
       )
       or
-      getLoadedField(load, f.getAField(), c) and
+      getLoadedField(operand.getUse(), f.getAField(), c) and
       f.hasOffset(c, _, _)
     )
   )
@@ -363,7 +364,7 @@ private predicate fieldReadStep(Node node1, FieldContent f, Node node2) {
  */
 predicate suppressArrayRead(Node node1, ArrayContent a, Node node2) {
   a = TArrayContent() and
-  exists(BufferMayWriteSideEffectInstruction write, ChiInstruction chi |
+  exists(WriteSideEffectInstruction write, ChiInstruction chi |
     node1.asInstruction() = write and
     node2.asInstruction() = chi and
     chi.getPartial() = write and
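Review bot: In `fieldReadStep` the new `LoadOperand operand` is no longer tied to a `LoadInstruction`: the `getUsedInterval` branch constrains only the operand, so if `LoadOperand` is also the source-value operand of other instructions (as far as I recall the IR uses it for return-value and throw-value operands too), those uses now become field read steps where the old `exists(LoadInstruction load | ...)` excluded them; only the `getLoadedField(operand.getUse(), ...)` branch is narrowed, and only by its parameter type. `arrayReadStep` in the next hunk range pins the use with an explicit `operand.getUse().(LoadInstruction)` cast; the equivalent here is one conjunct after `node2.asOperand() = operand and`, namely `operand.getUse() instanceof LoadInstruction and`. If the wider set is deliberate (the description says some read steps still target instructions), a comment saying so above the `exists` would keep the next reader from re-deriving this.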
@@ -393,11 +394,11 @@ private Instruction skipCopyValueInstructions(Instruction instr) {
 private predicate arrayReadStep(Node node1, ArrayContent a, Node node2) {
   a = TArrayContent() and
   // Explicit dereferences such as `*p` or `p[i]` where `p` is a pointer or array.
-  exists(LoadInstruction load, Instruction address |
-    load.getSourceValueOperand().isDefinitionInexact() and
-    node1.asInstruction() = load.getSourceValueOperand().getAnyDef() and
-    load = node2.asInstruction() and
-    address = skipCopyValueInstructions(load.getSourceAddress()) and
+  exists(LoadOperand operand, Instruction address |
+    operand.isDefinitionInexact() and
+    node1.asInstruction() = operand.getAnyDef() and
+    operand = node2.asOperand() and
+    address = skipCopyValueInstructions(operand.getUse().(LoadInstruction).getSourceAddress()) and
     (
       address instanceof LoadInstruction or
       address instanceof ArrayToPointerConvertInstruction or
@@ -423,13 +424,13 @@ private predicate arrayReadStep(Node node1, ArrayContent a, Node node2) {
  */
 private predicate exactReadStep(Node node1, ArrayContent a, Node node2) {
   a = TArrayContent() and
-  exists(BufferMayWriteSideEffectInstruction write, ChiInstruction chi |
+  exists(WriteSideEffectInstruction write, ChiInstruction chi |
     not chi.isResultConflated() and
     chi.getPartial() = write and
     node1.asInstruction() = write and
     node2.asInstruction() = chi and
     // To distinquish this case from the `arrayReadStep` case we require that the entire variable was
-    // overwritten by the `BufferMayWriteSideEffectInstruction` (i.e., there is a load that reads the
+    // overwritten by the `WriteSideEffectInstruction` (i.e., there is a load that reads the
     // entire variable).
     exists(LoadInstruction load | load.getSourceValue() = chi)
   )

From 835d3fc2b72562447593de0d04f1ef475273f4d8 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen Date: Thu, 29 Oct 2020 09:27:03 +0100 Subject: [PATCH 2/4] C++: Accept tests --- .../dataflow/fields/ir-path-flow.expected | 68 +++++-------------- 1 file changed, 17 insertions(+), 51 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected index 61770c0aca35..a4ae4915055d 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected @@ -4,9 +4,8 @@ edges | A.cpp:55:12:55:19 | new | A.cpp:55:5:55:5 | set output argument [c] | | A.cpp:57:11:57:24 | B output argument [c] | A.cpp:57:28:57:30 | call to get | | A.cpp:57:17:57:23 | new | A.cpp:57:11:57:24 | B output argument [c] | -| A.cpp:98:12:98:18 | new | A.cpp:100:5:100:13 | Store | +| A.cpp:98:12:98:18 | new | A.cpp:100:5:100:13 | Chi [a] | | A.cpp:100:5:100:13 | Chi [a] | A.cpp:103:14:103:14 | *c [a] | -| A.cpp:100:5:100:13 | Store | A.cpp:100:5:100:13 | Chi [a] | | A.cpp:103:14:103:14 | *c [a] | A.cpp:107:16:107:16 | a | | A.cpp:126:5:126:5 | Chi [c] | A.cpp:131:8:131:8 | f7 output argument [c] | | A.cpp:126:5:126:5 | set output argument [c] | A.cpp:126:5:126:5 | Chi [c] | 
@@ -14,11 +13,9 @@ edges | A.cpp:131:8:131:8 | Chi [c] | A.cpp:132:13:132:13 | c | | A.cpp:131:8:131:8 | f7 output argument [c] | A.cpp:131:8:131:8 | Chi [c] | | A.cpp:142:7:142:20 | Chi [c] | A.cpp:151:18:151:18 | D output argument [c] | -| A.cpp:142:7:142:20 | Store | A.cpp:142:7:142:20 | Chi [c] | -| A.cpp:142:14:142:20 | new | A.cpp:142:7:142:20 | Store | +| A.cpp:142:14:142:20 | new | A.cpp:142:7:142:20 | Chi [c] | | A.cpp:143:7:143:31 | Chi [b] | A.cpp:151:12:151:24 | D output argument [b] | -| A.cpp:143:7:143:31 | Store | A.cpp:143:7:143:31 | Chi [b] | -| A.cpp:143:25:143:31 | new | A.cpp:143:7:143:31 | Store | +| A.cpp:143:25:143:31 | new | A.cpp:143:7:143:31 | Chi [b] | | A.cpp:150:12:150:18 | new | A.cpp:151:12:151:24 | D output argument [b] | | A.cpp:151:12:151:24 | Chi [b] | A.cpp:152:13:152:13 | b | | A.cpp:151:12:151:24 | D output argument [b] | A.cpp:151:12:151:24 | Chi [b] | 
@@ -27,20 +24,16 @@ edges | C.cpp:18:12:18:18 | C output argument [s1] | C.cpp:27:8:27:11 | *#this [s1] | | C.cpp:18:12:18:18 | C output argument [s3] | C.cpp:27:8:27:11 | *#this [s3] | | C.cpp:22:12:22:21 | Chi [s1] | C.cpp:24:5:24:25 | Chi [s1] | -| C.cpp:22:12:22:21 | Store | C.cpp:22:12:22:21 | Chi [s1] | -| C.cpp:22:12:22:21 | new | C.cpp:22:12:22:21 | Store | +| C.cpp:22:12:22:21 | new | C.cpp:22:12:22:21 | Chi [s1] | | C.cpp:24:5:24:25 | Chi [s1] | C.cpp:18:12:18:18 | C output argument [s1] | | C.cpp:24:5:24:25 | Chi [s3] | C.cpp:18:12:18:18 | C output argument [s3] | -| C.cpp:24:5:24:25 | Store | C.cpp:24:5:24:25 | Chi [s3] | -| C.cpp:24:16:24:25 | new | C.cpp:24:5:24:25 | Store | +| C.cpp:24:16:24:25 | new | C.cpp:24:5:24:25 | Chi [s3] | | C.cpp:27:8:27:11 | *#this [s1] | C.cpp:29:10:29:11 | s1 | | C.cpp:27:8:27:11 | *#this [s3] | C.cpp:31:10:31:11 | s3 | | aliasing.cpp:9:3:9:22 | Chi [m1] | aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] | -| aliasing.cpp:9:3:9:22 | Store | aliasing.cpp:9:3:9:22 | Chi [m1] | -| aliasing.cpp:9:11:9:20 | call to user_input | aliasing.cpp:9:3:9:22 | Store | +| aliasing.cpp:9:11:9:20 | call to user_input | aliasing.cpp:9:3:9:22 | Chi [m1] | | aliasing.cpp:13:3:13:21 | Chi [m1] | aliasing.cpp:26:19:26:20 | referenceSetter output argument [m1] | -| aliasing.cpp:13:3:13:21 | Store | aliasing.cpp:13:3:13:21 | Chi [m1] | -| aliasing.cpp:13:10:13:19 | call to user_input | aliasing.cpp:13:3:13:21 | Store | +| aliasing.cpp:13:10:13:19 | call to user_input | aliasing.cpp:13:3:13:21 | Chi [m1] | | aliasing.cpp:25:17:25:19 | Chi [m1] | aliasing.cpp:29:11:29:12 | m1 | | aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] | aliasing.cpp:25:17:25:19 | Chi [m1] | | aliasing.cpp:26:19:26:20 | Chi [m1] | aliasing.cpp:30:11:30:12 | m1 | 
@@ -48,15 +41,13 @@ edges | aliasing.cpp:37:13:37:22 | call to user_input | aliasing.cpp:38:11:38:12 | m1 | | aliasing.cpp:42:11:42:20 | call to user_input | aliasing.cpp:43:13:43:14 | m1 | | aliasing.cpp:60:3:60:22 | Chi [m1] | aliasing.cpp:61:13:61:14 | Store [m1] | -| aliasing.cpp:60:3:60:22 | Store | aliasing.cpp:60:3:60:22 | Chi [m1] | -| aliasing.cpp:60:11:60:20 | call to user_input | aliasing.cpp:60:3:60:22 | Store | +| aliasing.cpp:60:11:60:20 | call to user_input | aliasing.cpp:60:3:60:22 | Chi [m1] | | aliasing.cpp:61:13:61:14 | Store [m1] | aliasing.cpp:62:14:62:15 | m1 | | aliasing.cpp:79:11:79:20 | call to user_input | aliasing.cpp:80:12:80:13 | m1 | | aliasing.cpp:86:10:86:19 | call to user_input | aliasing.cpp:87:12:87:13 | m1 | | aliasing.cpp:92:12:92:21 | call to user_input | aliasing.cpp:93:12:93:13 | m1 | | aliasing.cpp:98:3:98:21 | Chi [m1] | aliasing.cpp:100:14:100:14 | Store [m1] | -| aliasing.cpp:98:3:98:21 | Store | aliasing.cpp:98:3:98:21 | Chi [m1] | -| aliasing.cpp:98:10:98:19 | call to user_input | aliasing.cpp:98:3:98:21 | Store | +| aliasing.cpp:98:10:98:19 | call to user_input | aliasing.cpp:98:3:98:21 | Chi [m1] | | aliasing.cpp:100:14:100:14 | Store [m1] | aliasing.cpp:102:8:102:10 | * ... | | aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [array content] | | aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:126:15:126:20 | taint_a_ptr output argument [array content] | 
@@ -67,8 +58,7 @@ edges | aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:175:15:175:22 | taint_a_ptr output argument [array content] | | aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:187:15:187:22 | taint_a_ptr output argument [array content] | | aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:200:15:200:24 | taint_a_ptr output argument [array content] | -| aliasing.cpp:106:3:106:20 | Store | aliasing.cpp:106:3:106:20 | Chi [array content] | -| aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:106:3:106:20 | Store | +| aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:106:3:106:20 | Chi [array content] | | aliasing.cpp:121:15:121:16 | Chi [array content] | aliasing.cpp:122:8:122:12 | access to array | | aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [array content] | aliasing.cpp:121:15:121:16 | Chi [array content] | | aliasing.cpp:126:15:126:20 | Chi [array content] | aliasing.cpp:127:8:127:16 | * ... | 
@@ -106,20 +96,16 @@ edges | by_reference.cpp:68:21:68:30 | call to user_input | by_reference.cpp:68:17:68:18 | nonMemberSetA output argument [a] | | by_reference.cpp:84:3:84:25 | Chi [a] | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | | by_reference.cpp:84:3:84:25 | Chi [a] | by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] | -| by_reference.cpp:84:3:84:25 | Store | by_reference.cpp:84:3:84:25 | Chi [a] | -| by_reference.cpp:84:14:84:23 | call to user_input | by_reference.cpp:84:3:84:25 | Store | +| by_reference.cpp:84:14:84:23 | call to user_input | by_reference.cpp:84:3:84:25 | Chi [a] | | by_reference.cpp:88:3:88:24 | Chi [a] | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | | by_reference.cpp:88:3:88:24 | Chi [a] | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] | -| by_reference.cpp:88:3:88:24 | Store | by_reference.cpp:88:3:88:24 | Chi [a] | -| by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:88:3:88:24 | Store | +| by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:88:3:88:24 | Chi [a] | | by_reference.cpp:92:3:92:20 | Chi [array content] | by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] | | by_reference.cpp:92:3:92:20 | Chi [array content] | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] | -| by_reference.cpp:92:3:92:20 | Store | by_reference.cpp:92:3:92:20 | Chi [array content] | -| by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:92:3:92:20 | Store | +| by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:92:3:92:20 | Chi [array content] | | by_reference.cpp:96:3:96:19 | Chi [array content] | by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] | | by_reference.cpp:96:3:96:19 | Chi [array content] | by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] | -| by_reference.cpp:96:3:96:19 
| Store | by_reference.cpp:96:3:96:19 | Chi [array content] | -| by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:96:3:96:19 | Store | +| by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:96:3:96:19 | Chi [array content] | | by_reference.cpp:102:21:102:39 | Chi [a] | by_reference.cpp:110:27:110:27 | a | | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | by_reference.cpp:102:21:102:39 | Chi [a] | | by_reference.cpp:104:15:104:22 | Chi | by_reference.cpp:104:15:104:22 | Chi [a] | 
@@ -184,19 +170,16 @@ edges | simple.cpp:65:11:65:20 | call to user_input | simple.cpp:65:5:65:22 | Store [i] | | simple.cpp:66:12:66:12 | Store [i] | simple.cpp:67:13:67:13 | i | | simple.cpp:83:9:83:28 | Chi [f1] | simple.cpp:84:14:84:20 | call to getf2f1 | -| simple.cpp:83:9:83:28 | Store | simple.cpp:83:9:83:28 | Chi [f1] | -| simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:9:83:28 | Store | +| simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:9:83:28 | Chi [f1] | | simple.cpp:92:5:92:22 | Store [i] | simple.cpp:93:20:93:20 | Store [i] | | simple.cpp:92:11:92:20 | call to user_input | simple.cpp:92:5:92:22 | Store [i] | | simple.cpp:93:20:93:20 | Store [i] | simple.cpp:94:13:94:13 | i | | struct_init.c:14:24:14:25 | *ab [a] | struct_init.c:15:12:15:12 | a | | struct_init.c:20:20:20:29 | Chi [a] | struct_init.c:14:24:14:25 | *ab [a] | -| struct_init.c:20:20:20:29 | Store | struct_init.c:20:20:20:29 | Chi [a] | -| struct_init.c:20:20:20:29 | call to user_input | struct_init.c:20:20:20:29 | Store | +| struct_init.c:20:20:20:29 | call to user_input | struct_init.c:20:20:20:29 | Chi [a] | | struct_init.c:20:20:20:29 | call to user_input | struct_init.c:22:11:22:11 | a | | struct_init.c:27:7:27:16 | Chi [a] | struct_init.c:14:24:14:25 | *ab [a] | -| struct_init.c:27:7:27:16 | Store | struct_init.c:27:7:27:16 | Chi [a] | -| struct_init.c:27:7:27:16 | call to user_input | struct_init.c:27:7:27:16 | Store | +| struct_init.c:27:7:27:16 | call to user_input | struct_init.c:27:7:27:16 | Chi [a] | | struct_init.c:27:7:27:16 | call to user_input | struct_init.c:31:23:31:23 | a | nodes | A.cpp:55:5:55:5 | set output argument [c] | semmle.label | set output argument [c] | 
@@ -208,7 +191,6 @@ nodes | A.cpp:57:28:57:30 | call to get | semmle.label | call to get | | A.cpp:98:12:98:18 | new | semmle.label | new | | A.cpp:100:5:100:13 | Chi [a] | semmle.label | Chi [a] | -| A.cpp:100:5:100:13 | Store | semmle.label | Store | | A.cpp:103:14:103:14 | *c [a] | semmle.label | *c [a] | | A.cpp:107:16:107:16 | a | semmle.label | a | | A.cpp:126:5:126:5 | Chi [c] | semmle.label | Chi [c] | @@ -218,10 +200,8 @@ nodes | A.cpp:131:8:131:8 | f7 output argument [c] | semmle.label | f7 output argument [c] | | A.cpp:132:13:132:13 | c | semmle.label | c | | A.cpp:142:7:142:20 | Chi [c] | semmle.label | Chi [c] | -| A.cpp:142:7:142:20 | Store | semmle.label | Store | | A.cpp:142:14:142:20 | new | semmle.label | new | | A.cpp:143:7:143:31 | Chi [b] | semmle.label | Chi [b] | -| A.cpp:143:7:143:31 | Store | semmle.label | Store | | A.cpp:143:25:143:31 | new | semmle.label | new | | A.cpp:150:12:150:18 | new | semmle.label | new | | A.cpp:151:12:151:24 | Chi [b] | semmle.label | Chi [b] | 
@@ -233,21 +213,17 @@ nodes | C.cpp:18:12:18:18 | C output argument [s1] | semmle.label | C output argument [s1] | | C.cpp:18:12:18:18 | C output argument [s3] | semmle.label | C output argument [s3] | | C.cpp:22:12:22:21 | Chi [s1] | semmle.label | Chi [s1] | -| C.cpp:22:12:22:21 | Store | semmle.label | Store | | C.cpp:22:12:22:21 | new | semmle.label | new | | C.cpp:24:5:24:25 | Chi [s1] | semmle.label | Chi [s1] | | C.cpp:24:5:24:25 | Chi [s3] | semmle.label | Chi [s3] | -| C.cpp:24:5:24:25 | Store | semmle.label | Store | | C.cpp:24:16:24:25 | new | semmle.label | new | | C.cpp:27:8:27:11 | *#this [s1] | semmle.label | *#this [s1] | | C.cpp:27:8:27:11 | *#this [s3] | semmle.label | *#this [s3] | | C.cpp:29:10:29:11 | s1 | semmle.label | s1 | | C.cpp:31:10:31:11 | s3 | semmle.label | s3 | | aliasing.cpp:9:3:9:22 | Chi [m1] | semmle.label | Chi [m1] | -| aliasing.cpp:9:3:9:22 | Store | semmle.label | Store | | aliasing.cpp:9:11:9:20 | call to user_input | semmle.label | call to user_input | | aliasing.cpp:13:3:13:21 | Chi [m1] | semmle.label | Chi [m1] | -| aliasing.cpp:13:3:13:21 | Store | semmle.label | Store | | aliasing.cpp:13:10:13:19 | call to user_input | semmle.label | call to user_input | | aliasing.cpp:25:17:25:19 | Chi [m1] | semmle.label | Chi [m1] | | aliasing.cpp:25:17:25:19 | pointerSetter output argument [m1] | semmle.label | pointerSetter output argument [m1] | @@ -260,7 +236,6 @@ nodes | aliasing.cpp:42:11:42:20 | call to user_input | semmle.label | call to user_input | | aliasing.cpp:43:13:43:14 | m1 | semmle.label | m1 | | aliasing.cpp:60:3:60:22 | Chi [m1] | semmle.label | Chi [m1] | -| aliasing.cpp:60:3:60:22 | Store | semmle.label | Store | | aliasing.cpp:60:11:60:20 | call to user_input | semmle.label | call to user_input | | aliasing.cpp:61:13:61:14 | Store [m1] | semmle.label | Store [m1] | | aliasing.cpp:62:14:62:15 | m1 | semmle.label | m1 | 
@@ -271,12 +246,10 @@ nodes | aliasing.cpp:92:12:92:21 | call to user_input | semmle.label | call to user_input | | aliasing.cpp:93:12:93:13 | m1 | semmle.label | m1 | | aliasing.cpp:98:3:98:21 | Chi [m1] | semmle.label | Chi [m1] | -| aliasing.cpp:98:3:98:21 | Store | semmle.label | Store | | aliasing.cpp:98:10:98:19 | call to user_input | semmle.label | call to user_input | | aliasing.cpp:100:14:100:14 | Store [m1] | semmle.label | Store [m1] | | aliasing.cpp:102:8:102:10 | * ... | semmle.label | * ... | | aliasing.cpp:106:3:106:20 | Chi [array content] | semmle.label | Chi [array content] | -| aliasing.cpp:106:3:106:20 | Store | semmle.label | Store | | aliasing.cpp:106:9:106:18 | call to user_input | semmle.label | call to user_input | | aliasing.cpp:121:15:121:16 | Chi [array content] | semmle.label | Chi [array content] | | aliasing.cpp:121:15:121:16 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] | 
@@ -330,16 +303,12 @@ nodes | by_reference.cpp:68:21:68:30 | call to user_input | semmle.label | call to user_input | | by_reference.cpp:69:8:69:20 | call to nonMemberGetA | semmle.label | call to nonMemberGetA | | by_reference.cpp:84:3:84:25 | Chi [a] | semmle.label | Chi [a] | -| by_reference.cpp:84:3:84:25 | Store | semmle.label | Store | | by_reference.cpp:84:14:84:23 | call to user_input | semmle.label | call to user_input | | by_reference.cpp:88:3:88:24 | Chi [a] | semmle.label | Chi [a] | -| by_reference.cpp:88:3:88:24 | Store | semmle.label | Store | | by_reference.cpp:88:13:88:22 | call to user_input | semmle.label | call to user_input | | by_reference.cpp:92:3:92:20 | Chi [array content] | semmle.label | Chi [array content] | -| by_reference.cpp:92:3:92:20 | Store | semmle.label | Store | | by_reference.cpp:92:9:92:18 | call to user_input | semmle.label | call to user_input | | by_reference.cpp:96:3:96:19 | Chi [array content] | semmle.label | Chi [array content] | -| by_reference.cpp:96:3:96:19 | Store | semmle.label | Store | | by_reference.cpp:96:8:96:17 | call to user_input | semmle.label | call to user_input | | by_reference.cpp:102:21:102:39 | Chi [a] | semmle.label | Chi [a] | | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | semmle.label | taint_inner_a_ptr output argument [a] | @@ -415,7 +384,6 @@ nodes | simple.cpp:66:12:66:12 | Store [i] | semmle.label | Store [i] | | simple.cpp:67:13:67:13 | i | semmle.label | i | | simple.cpp:83:9:83:28 | Chi [f1] | semmle.label | Chi [f1] | -| simple.cpp:83:9:83:28 | Store | semmle.label | Store | | simple.cpp:83:17:83:26 | call to user_input | semmle.label | call to user_input | | simple.cpp:84:14:84:20 | call to getf2f1 | semmle.label | call to getf2f1 | | simple.cpp:92:5:92:22 | Store [i] | semmle.label | Store [i] | 
@@ -425,11 +393,9 @@ nodes | struct_init.c:14:24:14:25 | *ab [a] | semmle.label | *ab [a] | | struct_init.c:15:12:15:12 | a | semmle.label | a | | struct_init.c:20:20:20:29 | Chi [a] | semmle.label | Chi [a] | -| struct_init.c:20:20:20:29 | Store | semmle.label | Store | | struct_init.c:20:20:20:29 | call to user_input | semmle.label | call to user_input | | struct_init.c:22:11:22:11 | a | semmle.label | a | | struct_init.c:27:7:27:16 | Chi [a] | semmle.label | Chi [a] | -| struct_init.c:27:7:27:16 | Store | semmle.label | Store | | struct_init.c:27:7:27:16 | call to user_input | semmle.label | call to user_input | | struct_init.c:31:23:31:23 | a | semmle.label | a | #select From f3f9a044e0be346617d258086a25bfca00f2e798 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Thu, 29 Oct 2020 13:55:45 +0100 Subject: [PATCH 3/4] C++: Accept more tests. --- .../CWE-120/semmle/tests/UnboundedWrite.expected | 8 -------- .../CWE/CWE-134/semmle/argv/argvLocal.expected | 12 ------------ .../TaintedAllocationSize.expected | 7 +++---- .../uncontrolled/ArithmeticUncontrolled.expected | 14 ++++++-------- 4 files changed, 9 insertions(+), 32 deletions(-) diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected index 365f9ed0aa97..291c1cb3a716 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected 
@@ -5,10 +5,6 @@ edges | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | -| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | -| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | -| tests.c:28:22:28:28 | access to array | tests.c:28:22:28:28 | (const char *)... | -| tests.c:28:22:28:28 | access to array | tests.c:28:22:28:28 | access to array | | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | @@ -19,10 +15,6 @@ edges | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | -| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | -| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | -| tests.c:34:10:34:16 | access to array | tests.c:34:10:34:16 | (const char *)... | -| tests.c:34:10:34:16 | access to array | tests.c:34:10:34:16 | access to array | nodes | tests.c:28:22:28:25 | argv | semmle.label | argv | | tests.c:28:22:28:25 | argv | semmle.label | argv | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected index ac52436676c5..9e73ca54e981 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected 
@@ -5,10 +5,6 @@ edges | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | -| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | -| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | -| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:15 | (const char *)... | -| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:15 | access to array | | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | @@ -39,8 +35,6 @@ edges | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | 
@@ -51,16 +45,10 @@ edges | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | -| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | -| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:106:9:106:13 | (const char *)... | -| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:106:9:106:13 | access to array | -| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:110:9:110:11 | (const char *)... | -| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected index a60e361fc1e6..5d508644dd38 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected 
@@ -59,9 +59,8 @@ edges | test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size | | test.cpp:241:2:241:32 | Chi [array content] | test.cpp:279:17:279:20 | get_size output argument [array content] | | test.cpp:241:2:241:32 | Chi [array content] | test.cpp:295:18:295:21 | get_size output argument [array content] | -| test.cpp:241:2:241:32 | Store | test.cpp:241:2:241:32 | Chi [array content] | -| test.cpp:241:18:241:23 | call to getenv | test.cpp:241:2:241:32 | Store | -| test.cpp:241:18:241:31 | (const char *)... | test.cpp:241:2:241:32 | Store | +| test.cpp:241:18:241:23 | call to getenv | test.cpp:241:2:241:32 | Chi [array content] | +| test.cpp:241:18:241:31 | (const char *)... | test.cpp:241:2:241:32 | Chi [array content] | | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | | test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... | @@ -144,7 +143,7 @@ nodes | test.cpp:235:2:235:9 | Argument 0 | semmle.label | Argument 0 | | test.cpp:237:2:237:8 | Argument 0 | semmle.label | Argument 0 | | test.cpp:241:2:241:32 | Chi [array content] | semmle.label | Chi [array content] | -| test.cpp:241:2:241:32 | Store | semmle.label | Store | +| test.cpp:241:2:241:32 | StoreValue | semmle.label | StoreValue | | test.cpp:241:18:241:23 | call to getenv | semmle.label | call to getenv | | test.cpp:241:18:241:31 | (const char *)... | semmle.label | (const char *)... | | test.cpp:249:20:249:25 | call to getenv | semmle.label | call to getenv | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected index 6a8976532654..97a237a06234 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected @@ -43,13 +43,11 @@ edges | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store | | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store | | test.cpp:13:2:13:15 | Chi [array content] | test.cpp:30:13:30:14 | get_rand2 output argument [array content] | -| test.cpp:13:2:13:15 | Store | test.cpp:13:2:13:15 | Chi [array content] | -| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Store | -| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Store | +| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [array content] | +| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [array content] | | test.cpp:18:2:18:14 | Chi [array content] | test.cpp:36:13:36:13 | get_rand3 output argument [array content] | -| test.cpp:18:2:18:14 | Store | test.cpp:18:2:18:14 | Chi [array content] | -| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Store | -| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Store | +| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [array content] | +| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [array content] | | test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r | | test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r | | test.cpp:30:13:30:14 | Chi | test.cpp:31:7:31:7 | r | 
@@ -111,11 +109,11 @@ nodes
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:13:2:13:15 | Chi [array content] | semmle.label | Chi [array content] |
-| test.cpp:13:2:13:15 | Store | semmle.label | Store |
+| test.cpp:13:2:13:15 | StoreValue | semmle.label | StoreValue |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
 | test.cpp:18:2:18:14 | Chi [array content] | semmle.label | Chi [array content] |
-| test.cpp:18:2:18:14 | Store | semmle.label | Store |
+| test.cpp:18:2:18:14 | StoreValue | semmle.label | StoreValue |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |

From 177f94368eb07dabde908fb42a0a6a70c8252e7c Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 29 Oct 2020 16:30:35 +0100
Subject: [PATCH 4/4] C++: Respond to review comments and accept test changes.

---
 .../ir/dataflow/internal/DataFlowPrivate.qll | 29 ++++++++++---------
 .../cpp/ir/dataflow/internal/DataFlowUtil.qll | 8 ++---
 .../fields/dataflow-ir-consistency.expected | 8 +++++
 .../dataflow/fields/ir-path-flow.expected | 22 ++++++++++++++
 .../fields/partial-definition-diff.expected | 6 ----
 .../fields/partial-definition-ir.expected | 6 ++++
 .../dataflow-ir-consistency.expected | 14 +++++++++
 .../TaintedAllocationSize.expected | 2 +-
 .../ArithmeticUncontrolled.expected | 4 +--
 9 files changed, 72 insertions(+), 27 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
index 87194355c878..6e87460f8418 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -251,10 +251,10 @@ private predicate getWrittenField(Instruction instr, Field f, Class c) {
 }
 
 private predicate fieldStoreStepChi(Node node1, FieldContent f, PostUpdateNode node2) {
- exists(StoreValueOperand operand, ChiInstruction chi |
+ exists(ChiPartialOperand operand, ChiInstruction chi |
+ chi.getPartialOperand() = operand and
 node1.asOperand() = operand and
 node2.asInstruction() = chi and
- chi.getPartial() = operand.getUse() and
 exists(Class c |
 c = chi.getResultType() and
 exists(int startBit, int endBit |
@@ -262,7 +262,7 @@ private predicate fieldStoreStepChi(Node node1, FieldContent f, PostUpdateNode n
 f.hasOffset(c, startBit, endBit)
 )
 or
- getWrittenField(operand.getUse(), f.getAField(), c) and
+ getWrittenField(operand.getDef(), f.getAField(), c) and
 f.hasOffset(c, _, _)
 )
 )
@@ -270,9 +270,13 @@ private predicate fieldStoreStepChi(Node node1, FieldContent f, PostUpdateNode n
 
 private predicate arrayStoreStepChi(Node node1, ArrayContent a, PostUpdateNode node2) {
 a = TArrayContent() and
- exists(StoreValueOperand operand, StoreInstruction store |
- store.getSourceValueOperand() = operand and
+ exists(ChiPartialOperand operand, ChiInstruction chi, StoreInstruction store |
+ chi.getPartialOperand() = operand and
+ store = operand.getDef() and
 node1.asOperand() = operand and
+ // This `ChiInstruction` will always have a non-conflated result because both `ArrayStoreNode`
+ // and `PointerStoreNode` require it in their characteristic predicates.
+ node2.asInstruction() = chi and
 (
 // `x[i] = taint()`
 // This matches the characteristic predicate in `ArrayStoreNode`.
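Review bot: `fieldStoreStepChi` still has no QLDoc, and after this hunk its contract is less obvious from the signature: `node1` is now the chi's partial operand rather than a store instruction, and the `getWrittenField(operand.getDef(), …)` conjunct in the next hunk (`@@ -262`) relies on `getDef()` being the instruction that produced the partial value. As far as the visible conjuncts go, a comment such as `/** Holds if node1 is the partial operand of the ChiInstruction node2 and the instruction defining that operand writes field f of the class that is the chi's result type. */` would document it; please confirm the wording against the `hasOffset` branch, whose `exists(int startBit, int endBit | …` body continues past the hunk.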
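Review bot: The non-conflated result of `chi` in `arrayStoreStepChi` is asserted only by the moved comment, not by the predicate: `chi` is now bound directly via `chi.getPartialOperand() = operand`, so nothing here rejects a conflated chi if the characteristic predicates of `ArrayStoreNode`/`PointerStoreNode` that the comment cites are ever changed. Adding `not chi.isResultConflated() and` next to `node2.asInstruction() = chi and` makes the guarantee local and cheap, and matches the explicit `not instr.isResultConflated()` check that `WriteSideEffectFieldStoreQualifierNode` makes in the `DataFlowUtil.qll` hunk of this same patch. The predicate body continues into the next hunk (`@@ -281`), where the old instruction-based `getPartial() = store` conjunct is removed.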
@@ -281,10 +285,7 @@ private predicate arrayStoreStepChi(Node node1, ArrayContent a, PostUpdateNode n
 // `*p = taint()`
 // This matches the characteristic predicate in `PointerStoreNode`.
 store.getDestinationAddress().(CopyValueInstruction).getUnary() instanceof LoadInstruction
- ) and
- // This `ChiInstruction` will always have a non-conflated result because both `ArrayStoreNode`
- // and `PointerStoreNode` require it in their characteristic predicates.
- node2.asInstruction().(ChiInstruction).getPartial() = store
+ )
 )
 }
 
@@ -385,10 +386,10 @@ private Instruction skipOneCopyValueInstructionRec(CopyValueInstruction copy) {
 result = skipOneCopyValueInstructionRec(copy.getUnary())
 }
 
-private Instruction skipCopyValueInstructions(Instruction instr) {
- not result instanceof CopyValueInstruction and result = instr
+private Instruction skipCopyValueInstructions(Operand op) {
+ not result instanceof CopyValueInstruction and result = op.getDef()
 or
- result = skipOneCopyValueInstructionRec(instr)
+ result = skipOneCopyValueInstructionRec(op.getDef())
 }
 
 private predicate arrayReadStep(Node node1, ArrayContent a, Node node2) {
@@ -398,7 +399,7 @@ private predicate arrayReadStep(Node node1, ArrayContent a, Node node2) {
 operand.isDefinitionInexact() and
 node1.asInstruction() = operand.getAnyDef() and
 operand = node2.asOperand() and
- address = skipCopyValueInstructions(operand.getUse().(LoadInstruction).getSourceAddress()) and
+ address = skipCopyValueInstructions(operand.getAddressOperand()) and
 (
 address instanceof LoadInstruction or
 address instanceof ArrayToPointerConvertInstruction or
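Review bot: `skipCopyValueInstructions` changes its parameter from `Instruction` to `Operand` with no QLDoc saying what it resolves, and both disjuncts now evaluate `op.getDef()` independently. A short doc would make the helper self-explaining, e.g. `/** Gets the definition of op, skipping over any CopyValueInstructions in between (see skipOneCopyValueInstructionRec). */`; the "skipping over" part is inferred from the recursive `skipOneCopyValueInstructionRec(copy.getUnary())` call shown as context and should be confirmed against that predicate, whose body lies above the hunk.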
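Review bot: The replaced conjunct in `arrayReadStep` drops an implicit restriction: `operand.getUse().(LoadInstruction).getSourceAddress()` only held when the operand's use was a `LoadInstruction`, whereas `operand.getAddressOperand()` is not specific to loads, so if the declared type of `operand` (above the hunk) is broader than a load operand the read step may now fire for other memory uses as well. If that widening is intended, a one-line comment stating it would help future readers; if not, restore the restriction with `operand.getUse() instanceof LoadInstruction and` before the `address = …` line. `arrayReadStep` starts before and ends after this hunk.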
@@ -419,7 +420,7 @@ private predicate arrayReadStep(Node node1, ArrayContent a, Node node2) {
 * use(x);
 * ```
 * the load on `x` in `use(x)` will exactly overlap with its definition (in this case the definition
- * is a `BufferMayWriteSideEffect`). This predicate pops the `ArrayContent` (pushed by the store in `f`)
+ * is a `WriteSideEffect`). This predicate pops the `ArrayContent` (pushed by the store in `f`)
 * from the access path.
 */
 private predicate exactReadStep(Node node1, ArrayContent a, Node node2) {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index 1270b8d67da5..445152552bd9 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -396,16 +396,16 @@ private FieldAddressInstruction getFieldInstruction(Instruction instr) {
 
 /**
 * The target of a `fieldStoreStepAfterArraySuppression` store step, which is used to convert
- * an `ArrayContent` to a `FieldContent` when the `BufferMayWriteSideEffect` instruction stores
+ * an `ArrayContent` to a `FieldContent` when the `WriteSideEffect` instruction stores
 * into a field. See the QLDoc for `suppressArrayRead` for an example of where such a conversion
 * is inserted.
 */
-private class BufferMayWriteSideEffectFieldStoreQualifierNode extends PartialDefinitionNode {
+private class WriteSideEffectFieldStoreQualifierNode extends PartialDefinitionNode {
 override ChiInstruction instr;
- BufferMayWriteSideEffectInstruction write;
+ WriteSideEffectInstruction write;
 FieldAddressInstruction field;
 
- BufferMayWriteSideEffectFieldStoreQualifierNode() {
+ WriteSideEffectFieldStoreQualifierNode() {
 not instr.isResultConflated() and
 instr.getPartial() = write and
 field = getFieldInstruction(write.getDestinationAddress())
diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
index a596cb187abc..b09317c2c1b4 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
@@ -121,6 +121,14 @@ postWithInFlow
 | complex.cpp:12:22:12:27 | Chi | PostUpdateNode should not be the target of local flow. |
 | complex.cpp:14:26:14:26 | Chi | PostUpdateNode should not be the target of local flow. |
 | complex.cpp:14:33:14:33 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:22:11:22:17 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:25:7:25:7 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:42:16:42:16 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:43:16:43:16 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:53:12:53:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:54:12:54:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:55:12:55:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| complex.cpp:56:12:56:12 | Chi | PostUpdateNode should not be the target of local flow. |
 | constructors.cpp:20:24:20:29 | Chi | PostUpdateNode should not be the target of local flow. |
 | constructors.cpp:21:24:21:29 | Chi | PostUpdateNode should not be the target of local flow. |
 | constructors.cpp:23:28:23:28 | Chi | PostUpdateNode should not be the target of local flow. |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
index a4ae4915055d..c8b70a74b3ab 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected 
@@ -127,18 +127,34 @@ edges
 | by_reference.cpp:128:15:128:23 | Chi [a] | by_reference.cpp:136:16:136:16 | a |
 | by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] | by_reference.cpp:128:15:128:23 | Chi |
 | complex.cpp:40:17:40:17 | *b [a_] | complex.cpp:42:18:42:18 | call to a |
+| complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:42:16:42:16 | Chi [b_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:42:16:42:16 | a output argument [b_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:43:18:43:18 | call to b |
+| complex.cpp:42:16:42:16 | Chi [b_] | complex.cpp:43:18:43:18 | call to b |
+| complex.cpp:42:16:42:16 | a output argument [b_] | complex.cpp:42:16:42:16 | Chi [b_] |
 | complex.cpp:42:16:42:16 | a output argument [b_] | complex.cpp:43:18:43:18 | call to b |
+| complex.cpp:53:12:53:12 | Chi [a_] | complex.cpp:40:17:40:17 | *b [a_] |
 | complex.cpp:53:12:53:12 | setA output argument [a_] | complex.cpp:40:17:40:17 | *b [a_] |
+| complex.cpp:53:12:53:12 | setA output argument [a_] | complex.cpp:53:12:53:12 | Chi [a_] |
 | complex.cpp:53:19:53:28 | call to user_input | complex.cpp:53:12:53:12 | setA output argument [a_] |
+| complex.cpp:54:12:54:12 | Chi [b_] | complex.cpp:40:17:40:17 | *b [b_] |
 | complex.cpp:54:12:54:12 | setB output argument [b_] | complex.cpp:40:17:40:17 | *b [b_] |
+| complex.cpp:54:12:54:12 | setB output argument [b_] | complex.cpp:54:12:54:12 | Chi [b_] |
 | complex.cpp:54:19:54:28 | call to user_input | complex.cpp:54:12:54:12 | setB output argument [b_] |
+| complex.cpp:55:12:55:12 | Chi [a_] | complex.cpp:40:17:40:17 | *b [a_] |
+| complex.cpp:55:12:55:12 | Chi [a_] | complex.cpp:56:12:56:12 | Chi [a_] |
+| complex.cpp:55:12:55:12 | Chi [a_] | complex.cpp:56:12:56:12 | setB output argument [a_] |
 | complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:40:17:40:17 | *b [a_] |
+| complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:55:12:55:12 | Chi [a_] |
+| complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:56:12:56:12 | Chi [a_] |
 | complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:56:12:56:12 | setB output argument [a_] |
 | complex.cpp:55:19:55:28 | call to user_input | complex.cpp:55:12:55:12 | setA output argument [a_] |
+| complex.cpp:56:12:56:12 | Chi [a_] | complex.cpp:40:17:40:17 | *b [a_] |
+| complex.cpp:56:12:56:12 | Chi [b_] | complex.cpp:40:17:40:17 | *b [b_] |
 | complex.cpp:56:12:56:12 | setB output argument [a_] | complex.cpp:40:17:40:17 | *b [a_] |
+| complex.cpp:56:12:56:12 | setB output argument [a_] | complex.cpp:56:12:56:12 | Chi [a_] |
 | complex.cpp:56:12:56:12 | setB output argument [b_] | complex.cpp:40:17:40:17 | *b [b_] |
+| complex.cpp:56:12:56:12 | setB output argument [b_] | complex.cpp:56:12:56:12 | Chi [b_] |
 | complex.cpp:56:19:56:28 | call to user_input | complex.cpp:56:12:56:12 | setB output argument [b_] |
 | constructors.cpp:26:15:26:15 | *f [a_] | constructors.cpp:28:12:28:12 | call to a |
 | constructors.cpp:26:15:26:15 | *f [b_] | constructors.cpp:28:10:28:10 | a output argument [b_] |
@@ -340,15 +356,21 @@ nodes
 | by_reference.cpp:136:16:136:16 | a | semmle.label | a |
 | complex.cpp:40:17:40:17 | *b [a_] | semmle.label | *b [a_] |
 | complex.cpp:40:17:40:17 | *b [b_] | semmle.label | *b [b_] |
+| complex.cpp:42:16:42:16 | Chi [b_] | semmle.label | Chi [b_] |
 | complex.cpp:42:16:42:16 | a output argument [b_] | semmle.label | a output argument [b_] |
 | complex.cpp:42:18:42:18 | call to a | semmle.label | call to a |
 | complex.cpp:43:18:43:18 | call to b | semmle.label | call to b |
+| complex.cpp:53:12:53:12 | Chi [a_] | semmle.label | Chi [a_] |
 | complex.cpp:53:12:53:12 | setA output argument [a_] | semmle.label | setA output argument [a_] |
 | complex.cpp:53:19:53:28 | call to user_input | semmle.label | call to user_input |
+| complex.cpp:54:12:54:12 | Chi [b_] | semmle.label | Chi [b_] |
 | complex.cpp:54:12:54:12 | setB output argument [b_] | semmle.label | setB output argument [b_] |
 | complex.cpp:54:19:54:28 | call to user_input | semmle.label | call to user_input |
+| complex.cpp:55:12:55:12 | Chi [a_] | semmle.label | Chi [a_] |
 | complex.cpp:55:12:55:12 | setA output argument [a_] | semmle.label | setA output argument [a_] |
 | complex.cpp:55:19:55:28 | call to user_input | semmle.label | call to user_input |
+| complex.cpp:56:12:56:12 | Chi [a_] | semmle.label | Chi [a_] |
+| complex.cpp:56:12:56:12 | Chi [b_] | semmle.label | Chi [b_] |
 | complex.cpp:56:12:56:12 | setB output argument [a_] | semmle.label | setB output argument [a_] |
 | complex.cpp:56:12:56:12 | setB output argument [b_] | semmle.label | setB output argument [b_] |
 | complex.cpp:56:19:56:28 | call to user_input | semmle.label | call to user_input |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
index 51b43e6be1c6..bba86417ca57 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
@@ -294,22 +294,16 @@
 | complex.cpp:11:22:11:23 | a_ | AST only |
 | complex.cpp:12:22:12:23 | b_ | AST only |
 | complex.cpp:42:8:42:8 | b | AST only |
-| complex.cpp:42:10:42:14 | inner | AST only |
 | complex.cpp:42:16:42:16 | f | AST only |
 | complex.cpp:43:8:43:8 | b | AST only |
-| complex.cpp:43:10:43:14 | inner | AST only |
 | complex.cpp:43:16:43:16 | f | AST only |
 | complex.cpp:53:3:53:4 | b1 | AST only |
-| complex.cpp:53:6:53:10 | inner | AST only |
 | complex.cpp:53:12:53:12 | f | AST only |
 | complex.cpp:54:3:54:4 | b2 | AST only |
-| complex.cpp:54:6:54:10 | inner | AST only |
 | complex.cpp:54:12:54:12 | f | AST only |
 | complex.cpp:55:3:55:4 | b3 | AST only |
-| complex.cpp:55:6:55:10 | inner | AST only |
 | complex.cpp:55:12:55:12 | f | AST only |
 | complex.cpp:56:3:56:4 | b3 | AST only |
-| complex.cpp:56:6:56:10 | inner | AST only |
 | complex.cpp:56:12:56:12 | f | AST only |
 | complex.cpp:59:7:59:8 | b1 | AST only |
 | complex.cpp:62:7:62:8 | b2 | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected
index a66dd2869551..8d12b2a7e054 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected
@@ -51,6 +51,12 @@
 | by_reference.cpp:128:15:128:20 | pouter |
 | complex.cpp:11:22:11:23 | this |
 | complex.cpp:12:22:12:23 | this |
+| complex.cpp:42:10:42:14 | inner |
+| complex.cpp:43:10:43:14 | inner |
+| complex.cpp:53:6:53:10 | inner |
+| complex.cpp:54:6:54:10 | inner |
+| complex.cpp:55:6:55:10 | inner |
+| complex.cpp:56:6:56:10 | inner |
 | constructors.cpp:20:24:20:25 | this |
 | constructors.cpp:21:24:21:25 | this |
 | qualifiers.cpp:9:30:9:33 | this |
diff --git a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
index 20f8815f2be7..8eee62064656 100644
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
@@ -1491,6 +1491,7 @@ postWithInFlow
 | conditional_destructors.cpp:18:13:18:19 | Chi | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:65:19:65:45 | Store | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:82:17:82:55 | Chi | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:82:17:82:55 | Chi | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:82:45:82:48 | Chi | PostUpdateNode should not be the target of local flow. |
 | defdestructordeleteexpr.cpp:4:9:4:15 | Chi | PostUpdateNode should not be the target of local flow. |
 | deleteexpr.cpp:7:9:7:15 | Chi | PostUpdateNode should not be the target of local flow. |
@@ -1541,6 +1542,18 @@ postWithInFlow
 | ir.cpp:659:9:659:14 | Chi | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:660:13:660:13 | Chi | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:661:9:661:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:662:9:662:19 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:663:5:663:5 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:745:8:745:8 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:745:8:745:8 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:748:10:748:10 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:754:8:754:8 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:757:12:757:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:763:8:763:8 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:766:13:766:13 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:775:15:775:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:784:15:784:15 | Chi | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:793:15:793:15 | Chi | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:943:3:943:11 | Chi | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:947:3:947:25 | Chi | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:962:17:962:47 | Chi | PostUpdateNode should not be the target of local flow. |
@@ -1561,3 +1574,4 @@ postWithInFlow
 | range_analysis.c:102:5:102:15 | Chi | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:3:2:3:8 | Chi | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:21:2:21:12 | Chi | PostUpdateNode should not be the target of local flow. |
+| static_init_templates.cpp:240:7:240:7 | Chi | PostUpdateNode should not be the target of local flow. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
index 5d508644dd38..9876b9695ad6 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -143,7 +143,7 @@ nodes
 | test.cpp:235:2:235:9 | Argument 0 | semmle.label | Argument 0 |
 | test.cpp:237:2:237:8 | Argument 0 | semmle.label | Argument 0 |
 | test.cpp:241:2:241:32 | Chi [array content] | semmle.label | Chi [array content] |
-| test.cpp:241:2:241:32 | StoreValue | semmle.label | StoreValue |
+| test.cpp:241:2:241:32 | ChiPartial | semmle.label | ChiPartial |
 | test.cpp:241:18:241:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:241:18:241:31 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:249:20:249:25 | call to getenv | semmle.label | call to getenv |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
index 97a237a06234..ca8dd38fc3be 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -109,11 +109,11 @@ nodes
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:13:2:13:15 | Chi [array content] | semmle.label | Chi [array content] |
-| test.cpp:13:2:13:15 | StoreValue | semmle.label | StoreValue |
+| test.cpp:13:2:13:15 | ChiPartial | semmle.label | ChiPartial |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
 | test.cpp:18:2:18:14 | Chi [array content] | semmle.label | Chi [array content] |
-| test.cpp:18:2:18:14 | StoreValue | semmle.label | StoreValue |
+| test.cpp:18:2:18:14 | ChiPartial | semmle.label | ChiPartial |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |