Skip to content

C++: Map operand nodes that are only used once onto the related instruction node #12004

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jketema merged 2 commits into from
Feb 9, 2023
Merged

C++: Map operand nodes that are only used once onto the related instruction node #12004

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
20ce4cd
C++: Map operand nodes that are only used once onto the related instr…
jketema Jan 27, 2023
e4c211d
C++: Address review comments
jketema Feb 9, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 46 additions & 9 deletions cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,21 @@ private module Cached {
newtype TIRDataFlowNode0 =
TInstructionNode0(Instruction i) {
not Ssa::ignoreInstruction(i) and
not exists(Operand op |
not Ssa::ignoreOperand(op) and i = Ssa::getIRRepresentationOfOperand(op)
) and
// We exclude `void`-typed instructions because they cannot contain data.
// However, if the instruction is a glvalue, and their type is `void`, then the result
// type of the instruction is really `void*`, and thus we still want to have a dataflow
// node for it.
(not i.getResultType() instanceof VoidType or i.isGLValue())
} or
TOperandNode0(Operand op) { not Ssa::ignoreOperand(op) }
TMultipleUseOperandNode0(Operand op) {
not Ssa::ignoreOperand(op) and not exists(Ssa::getIRRepresentationOfOperand(op))
} or
TSingleUseOperandNode0(Operand op) {
not Ssa::ignoreOperand(op) and exists(Ssa::getIRRepresentationOfOperand(op))
}
}

private import Cached
Expand Down Expand Up @@ -66,11 +74,9 @@ class Node0Impl extends TIRDataFlowNode0 {
/**
* An instruction, viewed as a node in a data flow graph.
*/
class InstructionNode0 extends Node0Impl, TInstructionNode0 {
abstract class InstructionNode0 extends Node0Impl {
Instruction instr;

InstructionNode0() { this = TInstructionNode0(instr) }

/** Gets the instruction corresponding to this node. */
Instruction getInstruction() { result = instr }

Expand All @@ -85,18 +91,35 @@ class InstructionNode0 extends Node0Impl, TInstructionNode0 {
override string toStringImpl() {
// This predicate is overridden in subclasses. This default implementation
// does not use `Instruction.toString` because that's expensive to compute.
result = this.getInstruction().getOpcode().toString()
result = instr.getOpcode().toString()
}
}

/**
* An instruction without an operand that is used only once, viewed as a node in a data flow graph.
*/
private class InstructionInstructionNode0 extends InstructionNode0, TInstructionNode0 {
InstructionInstructionNode0() { this = TInstructionNode0(instr) }
}

/**
* An instruction with an operand that is used only once, viewed as a node in a data flow graph.
*/
private class SingleUseOperandInstructionNode0 extends InstructionNode0, TSingleUseOperandNode0 {
SingleUseOperandInstructionNode0() {
exists(Operand op |
this = TSingleUseOperandNode0(op) and
instr = Ssa::getIRRepresentationOfOperand(op)
)
}
}

/**
* An operand, viewed as a node in a data flow graph.
*/
class OperandNode0 extends Node0Impl, TOperandNode0 {
abstract class OperandNode0 extends Node0Impl {
Operand op;

OperandNode0() { this = TOperandNode0(op) }

/** Gets the operand corresponding to this node. */
Operand getOperand() { result = op }

Expand All @@ -108,7 +131,21 @@ class OperandNode0 extends Node0Impl, TOperandNode0 {

final override Location getLocationImpl() { result = op.getLocation() }

override string toStringImpl() { result = this.getOperand().toString() }
override string toStringImpl() { result = op.toString() }
}

/**
* An operand that is used multiple times, viewed as a node in a data flow graph.
*/
private class MultipleUseOperandNode0 extends OperandNode0, TMultipleUseOperandNode0 {
MultipleUseOperandNode0() { this = TMultipleUseOperandNode0(op) }
}

/**
* An operand that is used only once, viewed as a node in a data flow graph.
*/
private class SingleUseOperandNode0 extends OperandNode0, TSingleUseOperandNode0 {
SingleUseOperandNode0() { this = TSingleUseOperandNode0(op) }
}

/**
Expand Down
10 changes: 8 additions & 2 deletions cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -404,7 +404,7 @@ class OperandNode extends Node, Node0 {
OperandNode() { op = node.getOperand() }

/** Gets the operand corresponding to this node. */
Operand getOperand() { result = node.getOperand() }
Operand getOperand() { result = op }

override string toStringImpl() { result = op.getDef().getAst().toString() }
}
Expand Down Expand Up @@ -1439,7 +1439,13 @@ private module Cached {
simpleInstructionLocalFlowStep(nodeFrom.asOperand(), nodeTo.asInstruction())
or
// Instruction -> Operand flow
simpleOperandLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asOperand())
exists(Instruction iFrom, Operand opTo |
iFrom = nodeFrom.asInstruction() and opTo = nodeTo.asOperand()
|
simpleOperandLocalFlowStep(iFrom, opTo) and
// Omit when the instruction node also represents the operand.
not iFrom = Ssa::getIRRepresentationOfOperand(opTo)
)
or
// Phi node -> Node flow
Ssa::fromPhiNode(nodeFrom, nodeTo)
Expand Down
12 changes: 12 additions & 0 deletions cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -719,6 +719,18 @@ private module Cached {
)
}

/**
* Holds if the underlying IR has a suitable instruction to represent a value
* that would otherwise need to be represented by a dedicated `OperandNode` value.
*
* Such operands do not create new `OperandNode` values, but are
* instead associated with the instruction returned by this predicate.
*/
cached
Instruction getIRRepresentationOfOperand(Operand operand) {
operand = unique( | | result.getAUse())
Copy link
Contributor

@MathiasVP MathiasVP Jan 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just remembered that, while getAUse is probably not wrong to use here, we might actually be able to reduce the number of nodes even more if we replace result.getAUse() with getAUse(result) (which is a predicate that only finds the uses that are not ignored for dataflow purposes). This will likely result in more unique operands 🎉.

We don't need to do that in this PR (since this PR is already doing wonderful usability improvements as-is), and I think a similar fix could be applied in the indirection case (where I think I made the exact same mistake).

Copy link
Contributor Author

@jketema jketema Jan 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll try to do a follow-up PR.

Copy link
Contributor Author

@jketema jketema Feb 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interestingly enough trying this gives me consistency errors in the dataflow tests.

Copy link
Contributor

@MathiasVP MathiasVP Feb 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, that's weird. Which ones are failing?

Copy link
Contributor Author

@jketema jketema Feb 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dataflow tests:

 uniqueNodeToString
+| dispatch.cpp:15:8:15:8 | Middle | Node should have one toString but has 2. |
+| dispatch.cpp:15:8:15:8 | Middle indirection | Node should have one toString but has 2. |
+| dispatch.cpp:15:8:15:8 | Middle indirection | Node should have one toString but has 2. |
+| dispatch.cpp:15:8:15:8 | this | Node should have one toString but has 2. |
+| dispatch.cpp:15:8:15:8 | this indirection | Node should have one toString but has 2. |
+| dispatch.cpp:15:8:15:8 | this indirection | Node should have one toString but has 2. |
+| dispatch.cpp:21:8:21:8 | Bottom | Node should have one toString but has 2. |
+| dispatch.cpp:21:8:21:8 | Bottom indirection | Node should have one toString but has 2. |
+| dispatch.cpp:21:8:21:8 | Bottom indirection | Node should have one toString but has 2. |
+| dispatch.cpp:21:8:21:8 | this | Node should have one toString but has 2. |
+| dispatch.cpp:21:8:21:8 | this indirection | Node should have one toString but has 2. |
+| dispatch.cpp:21:8:21:8 | this indirection | Node should have one toString but has 2. |

Fields tests:

 uniqueNodeToString
+| A.cpp:9:9:9:9 | C1 | Node should have one toString but has 2. |
+| A.cpp:9:9:9:9 | C1 indirection | Node should have one toString but has 2. |
+| A.cpp:9:9:9:9 | C1 indirection | Node should have one toString but has 2. |
+| A.cpp:9:9:9:9 | this | Node should have one toString but has 2. |
+| A.cpp:9:9:9:9 | this indirection | Node should have one toString but has 2. |
+| A.cpp:9:9:9:9 | this indirection | Node should have one toString but has 2. |
+| A.cpp:14:9:14:9 | C2 | Node should have one toString but has 2. |
+| A.cpp:14:9:14:9 | C2 indirection | Node should have one toString but has 2. |
+| A.cpp:14:9:14:9 | C2 indirection | Node should have one toString but has 2. |
+| A.cpp:14:9:14:9 | this | Node should have one toString but has 2. |
+| A.cpp:14:9:14:9 | this indirection | Node should have one toString but has 2. |
+| A.cpp:14:9:14:9 | this indirection | Node should have one toString but has 2. |
+| C.cpp:22:3:22:3 | C | Node should have one toString but has 2. |
+| C.cpp:22:3:22:3 | C indirection | Node should have one toString but has 2. |
+| C.cpp:22:3:22:3 | C indirection | Node should have one toString but has 2. |
+| C.cpp:22:3:22:3 | this | Node should have one toString but has 2. |
+| C.cpp:22:3:22:3 | this indirection | Node should have one toString but has 2. |
+| C.cpp:22:3:22:3 | this indirection | Node should have one toString but has 2. |
+| C.cpp:22:9:22:22 | C indirection [post update] | Node should have one toString but has 2. |
+| C.cpp:22:9:22:22 | this indirection [post update] | Node should have one toString but has 2. |
+| complex.cpp:22:3:22:5 | Bar | Node should have one toString but has 2. |
+| complex.cpp:22:3:22:5 | Bar indirection | Node should have one toString but has 2. |
+| complex.cpp:22:3:22:5 | Bar indirection | Node should have one toString but has 2. |
+| complex.cpp:22:3:22:5 | this | Node should have one toString but has 2. |
+| complex.cpp:22:3:22:5 | this indirection | Node should have one toString but has 2. |
+| complex.cpp:22:3:22:5 | this indirection | Node should have one toString but has 2. |
+| complex.cpp:22:11:22:17 | Bar indirection [post update] | Node should have one toString but has 2. |
+| complex.cpp:22:11:22:17 | Bar indirection [post update] | Node should have one toString but has 2. |
+| complex.cpp:22:11:22:17 | this indirection [post update] | Node should have one toString but has 2. |
+| complex.cpp:22:11:22:17 | this indirection [post update] | Node should have one toString but has 2. |
+| complex.cpp:25:7:25:7 | Outer | Node should have one toString but has 2. |
+| complex.cpp:25:7:25:7 | Outer indirection | Node should have one toString but has 2. |
+| complex.cpp:25:7:25:7 | Outer indirection | Node should have one toString but has 2. |
+| complex.cpp:25:7:25:7 | Outer indirection [post update] | Node should have one toString but has 2. |
+| complex.cpp:25:7:25:7 | Outer indirection [post update] | Node should have one toString but has 2. |
+| complex.cpp:25:7:25:7 | this | Node should have one toString but has 2. |
+| complex.cpp:25:7:25:7 | this indirection | Node should have one toString but has 2. |
+| complex.cpp:25:7:25:7 | this indirection | Node should have one toString but has 2. |
+| complex.cpp:25:7:25:7 | this indirection [post update] | Node should have one toString but has 2. |
+| complex.cpp:25:7:25:7 | this indirection [post update] | Node should have one toString but has 2. |
+| conflated.cpp:45:3:45:12 | LinkedList | Node should have one toString but has 2. |
+| conflated.cpp:45:3:45:12 | LinkedList indirection | Node should have one toString but has 2. |
+| conflated.cpp:45:3:45:12 | LinkedList indirection | Node should have one toString but has 2. |
+| conflated.cpp:45:3:45:12 | this | Node should have one toString but has 2. |
+| conflated.cpp:45:3:45:12 | this indirection | Node should have one toString but has 2. |
+| conflated.cpp:45:3:45:12 | this indirection | Node should have one toString but has 2. |
+| conflated.cpp:45:34:45:43 | LinkedList indirection [post update] | Node should have one toString but has 2. |
+| conflated.cpp:45:34:45:43 | this indirection [post update] | Node should have one toString but has 2. |
 missingToString
 parameterCallable
 localFlowIsLocal
@@ -28,7 +76,9 @@
 | aliasing.cpp:77:11:77:11 | definition of w indirection | Node has multiple PostUpdateNodes. |
 | aliasing.cpp:84:11:84:11 | definition of w indirection | Node has multiple PostUpdateNodes. |
 | aliasing.cpp:91:11:91:11 | definition of w indirection | Node has multiple PostUpdateNodes. |
+| complex.cpp:22:3:22:5 | Bar indirection | Node has multiple PostUpdateNodes. |
 | complex.cpp:22:3:22:5 | this indirection | Node has multiple PostUpdateNodes. |
+| complex.cpp:25:7:25:7 | Outer indirection | Node has multiple PostUpdateNodes. |
 | complex.cpp:25:7:25:7 | this indirection | Node has multiple PostUpdateNodes. |
 | complex.cpp:42:10:42:14 | inner indirection | Node has multiple PostUpdateNodes. |
 | complex.cpp:43:10:43:14 | inner indirection | Node has multiple PostUpdateNodes. |

Copy link
Contributor Author

@jketema jketema Feb 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They all seem to be related to constructors.

Copy link
Contributor

@MathiasVP MathiasVP Feb 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Multiple toStrings does sound like something we'd be able to fix, though 😄. That's probably also the reason for the new localFlowIsLocal inconsistencies (since multiple toStrings probably means that a inconsistency is reported multiple times).

Multiple toStrings often happens because a node belongs to several QL classes that each define a toString. Based on this, I think the way forward would be to use getAQlClass to determine the overlapping node classes for some particular entity that belong to multiple classes that both define a toString. We can then figure out if we can merge those two classes in certain cases, or exclude the toString result when they overlap.

If this turns out to be too complicated, feel free to create an issue for it and leave it as future work.

Copy link
Contributor Author

@jketema jketema Feb 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Definitely seems fixable, and yeah need to determine what the overlapping classes are.

I'll think I create an issue for it in any case, as this in not the top priority item and not needed to get the feature branch merged. Will revisit once I've re-worked the feature branch to be opt-in.

}

/**
* Holds if the underlying IR has a suitable operand to represent a value
* that would otherwise need to be represented by a dedicated `RawIndirectOperand` value.
Expand Down
11 changes: 0 additions & 11 deletions ...ity/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,38 +1,30 @@
edges
| test1.c:7:26:7:29 | argv | test1.c:9:9:9:9 | i |
| test1.c:7:26:7:29 | argv | test1.c:11:9:11:9 | i |
| test1.c:7:26:7:29 | argv | test1.c:12:9:12:9 | i |
| test1.c:7:26:7:29 | argv | test1.c:13:9:13:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:9:9:9:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:9:9:9:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:11:9:11:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:11:9:11:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:12:9:12:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:12:9:12:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:13:9:13:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:13:9:13:9 | i |
| test1.c:9:9:9:9 | i | test1.c:16:16:16:16 | i |
| test1.c:11:9:11:9 | i | test1.c:32:16:32:16 | i |
| test1.c:12:9:12:9 | i | test1.c:40:16:40:16 | i |
| test1.c:13:9:13:9 | i | test1.c:48:16:48:16 | i |
| test1.c:16:16:16:16 | i | test1.c:18:16:18:16 | i |
| test1.c:32:16:32:16 | i | test1.c:33:11:33:11 | i |
| test1.c:40:16:40:16 | i | test1.c:41:11:41:11 | i |
| test1.c:48:16:48:16 | i | test1.c:53:15:53:15 | j |
nodes
| test1.c:7:26:7:29 | argv | semmle.label | argv |
| test1.c:7:26:7:29 | argv indirection | semmle.label | argv indirection |
| test1.c:7:26:7:29 | argv indirection | semmle.label | argv indirection |
| test1.c:9:9:9:9 | i | semmle.label | i |
| test1.c:11:9:11:9 | i | semmle.label | i |
| test1.c:12:9:12:9 | i | semmle.label | i |
| test1.c:13:9:13:9 | i | semmle.label | i |
| test1.c:16:16:16:16 | i | semmle.label | i |
| test1.c:18:16:18:16 | i | semmle.label | i |
| test1.c:32:16:32:16 | i | semmle.label | i |
| test1.c:33:11:33:11 | i | semmle.label | i |
| test1.c:40:16:40:16 | i | semmle.label | i |
| test1.c:41:11:41:11 | i | semmle.label | i |
| test1.c:48:16:48:16 | i | semmle.label | i |
| test1.c:53:15:53:15 | j | semmle.label | j |
subpaths
Expand All @@ -43,9 +35,6 @@ subpaths
| test1.c:33:11:33:11 | i | test1.c:7:26:7:29 | argv | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv | a command-line argument |
| test1.c:33:11:33:11 | i | test1.c:7:26:7:29 | argv indirection | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
| test1.c:33:11:33:11 | i | test1.c:7:26:7:29 | argv indirection | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
| test1.c:41:11:41:11 | i | test1.c:7:26:7:29 | argv | test1.c:41:11:41:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv | a command-line argument |
| test1.c:41:11:41:11 | i | test1.c:7:26:7:29 | argv indirection | test1.c:41:11:41:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
| test1.c:41:11:41:11 | i | test1.c:7:26:7:29 | argv indirection | test1.c:41:11:41:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
Comment on lines -46 to -48
Copy link
Contributor Author

@jketema jketema Jan 27, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically this is a regression. However, this is also an FN on main, so I'm not immediately worried by this. Especially since the query actually digs into InstructionNodes.

| test1.c:53:15:53:15 | j | test1.c:7:26:7:29 | argv | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv | a command-line argument |
| test1.c:53:15:53:15 | j | test1.c:7:26:7:29 | argv indirection | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
| test1.c:53:15:53:15 | j | test1.c:7:26:7:29 | argv indirection | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
23 changes: 0 additions & 23 deletions .../Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ edges
| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
Expand All @@ -12,15 +11,13 @@ edges
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:44:15:44:19 | copy2 |
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:11:22:11:25 | argv | globalVars.c:8:7:8:10 | copy |
| globalVars.c:11:22:11:25 | argv | globalVars.c:12:2:12:15 | ... = ... |
| globalVars.c:12:2:12:15 | ... = ... | globalVars.c:8:7:8:10 | copy |
Expand All @@ -29,26 +26,12 @@ edges
| globalVars.c:16:2:16:12 | ... = ... | globalVars.c:9:7:9:11 | copy2 |
| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy |
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy |
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy |
| globalVars.c:27:9:27:12 | copy | globalVars.c:30:15:30:18 | copy |
| globalVars.c:27:9:27:12 | copy | globalVars.c:30:15:30:18 | copy |
| globalVars.c:27:9:27:12 | copy | globalVars.c:35:11:35:14 | copy |
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
| globalVars.c:30:15:30:18 | copy | globalVars.c:35:11:35:14 | copy |
| globalVars.c:33:15:33:18 | copy | globalVars.c:35:11:35:14 | copy |
| globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val |
| globalVars.c:35:11:35:14 | copy | globalVars.c:35:11:35:14 | copy |
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 |
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 |
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 |
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:41:15:41:19 | copy2 |
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:41:15:41:19 | copy2 |
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
Expand All @@ -57,9 +40,6 @@ edges
| globalVars.c:44:15:44:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:44:15:44:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:44:15:44:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
subpaths
nodes
| globalVars.c:8:7:8:10 | copy | semmle.label | copy |
Expand All @@ -73,7 +53,6 @@ nodes
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
Expand All @@ -83,15 +62,13 @@ nodes
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
| globalVars.c:44:15:44:19 | copy2 | semmle.label | copy2 |
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
#select
| globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
| globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv |
Expand Down
6 changes: 0 additions & 6 deletions cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,8 @@
edges
| test.cpp:34:45:34:48 | 1024 | test.cpp:34:45:34:48 | 1024 |
| test.cpp:35:49:35:52 | 1024 | test.cpp:35:49:35:52 | 1024 |
| test.cpp:37:43:37:46 | 1024 | test.cpp:37:43:37:46 | 1024 |
nodes
| test.cpp:34:45:34:48 | 1024 | semmle.label | 1024 |
| test.cpp:34:45:34:48 | 1024 | semmle.label | 1024 |
| test.cpp:35:49:35:52 | 1024 | semmle.label | 1024 |
| test.cpp:35:49:35:52 | 1024 | semmle.label | 1024 |
| test.cpp:37:43:37:46 | 1024 | semmle.label | 1024 |
| test.cpp:37:43:37:46 | 1024 | semmle.label | 1024 |
subpaths
#select
| test.cpp:34:5:34:38 | call to EVP_PKEY_CTX_set_dsa_paramgen_bits | test.cpp:34:45:34:48 | 1024 | test.cpp:34:45:34:48 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:34:45:34:48 | 1024 | 1024 |
Expand Down