C++: adjust test so size flows from malloc to field

rdmarsh2 · rdmarsh2 · commit 32ab636c77dd · 2022-09-21T12:43:44.000-04:00
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
@@ -4,9 +4,9 @@ edges
 | test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:31:9:31:11 | arr indirection [p] |
 | test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:35:9:35:11 | arr indirection [p] |
 | test.cpp:19:9:19:16 | VariableAddress indirection [p] | test.cpp:50:18:50:25 | call to mk_array [p] |
-| test.cpp:22:5:22:24 | Store | test.cpp:22:9:22:9 | arr indirection [post update] [p] |
-| test.cpp:22:9:22:9 | arr indirection [post update] [p] | test.cpp:19:9:19:16 | VariableAddress indirection [p] |
-| test.cpp:22:13:22:18 | call to malloc | test.cpp:22:5:22:24 | Store |
+| test.cpp:21:5:21:24 | Store | test.cpp:21:9:21:9 | arr indirection [post update] [p] |
+| test.cpp:21:9:21:9 | arr indirection [post update] [p] | test.cpp:19:9:19:16 | VariableAddress indirection [p] |
+| test.cpp:21:13:21:18 | call to malloc | test.cpp:21:5:21:24 | Store |
 | test.cpp:31:9:31:11 | arr indirection [p] | test.cpp:31:13:31:13 | p |
 | test.cpp:31:13:31:13 | p | test.cpp:31:13:31:13 | Load |
 | test.cpp:35:9:35:11 | arr indirection [p] | test.cpp:35:13:35:13 | p |
@@ -18,19 +18,19 @@ edges
 | test.cpp:45:9:45:11 | arr indirection [p] | test.cpp:45:13:45:13 | p |
 | test.cpp:45:13:45:13 | p | test.cpp:45:13:45:13 | Load |
 | test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] |
-| test.cpp:56:5:56:24 | Store | test.cpp:56:9:56:9 | arr indirection [post update] [p] |
-| test.cpp:56:9:56:9 | arr indirection [post update] [p] | test.cpp:59:9:59:11 | arr indirection [p] |
-| test.cpp:56:9:56:9 | arr indirection [post update] [p] | test.cpp:63:9:63:11 | arr indirection [p] |
-| test.cpp:56:13:56:18 | call to malloc | test.cpp:56:5:56:24 | Store |
+| test.cpp:55:5:55:24 | Store | test.cpp:55:9:55:9 | arr indirection [post update] [p] |
+| test.cpp:55:9:55:9 | arr indirection [post update] [p] | test.cpp:59:9:59:11 | arr indirection [p] |
+| test.cpp:55:9:55:9 | arr indirection [post update] [p] | test.cpp:63:9:63:11 | arr indirection [p] |
+| test.cpp:55:13:55:18 | call to malloc | test.cpp:55:5:55:24 | Store |
 | test.cpp:59:9:59:11 | arr indirection [p] | test.cpp:59:13:59:13 | p |
 | test.cpp:59:13:59:13 | p | test.cpp:59:13:59:13 | Load |
 | test.cpp:63:9:63:11 | arr indirection [p] | test.cpp:63:13:63:13 | p |
 | test.cpp:63:13:63:13 | p | test.cpp:63:13:63:13 | Load |
 | test.cpp:67:10:67:19 | VariableAddress indirection [p] | test.cpp:76:20:76:29 | Call indirection [p] |
 | test.cpp:67:10:67:19 | VariableAddress indirection [p] | test.cpp:98:18:98:27 | call to mk_array_p indirection [p] |
-| test.cpp:70:5:70:25 | Store | test.cpp:70:10:70:10 | Load indirection [post update] [p] |
-| test.cpp:70:10:70:10 | Load indirection [post update] [p] | test.cpp:67:10:67:19 | VariableAddress indirection [p] |
-| test.cpp:70:14:70:19 | call to malloc | test.cpp:70:5:70:25 | Store |
+| test.cpp:69:5:69:25 | Store | test.cpp:69:10:69:10 | Load indirection [post update] [p] |
+| test.cpp:69:10:69:10 | Load indirection [post update] [p] | test.cpp:67:10:67:19 | VariableAddress indirection [p] |
+| test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | Store |
 | test.cpp:76:20:76:29 | Call indirection [p] | test.cpp:79:9:79:11 | Load indirection [p] |
 | test.cpp:76:20:76:29 | Call indirection [p] | test.cpp:83:9:83:11 | Load indirection [p] |
 | test.cpp:79:9:79:11 | Load indirection [p] | test.cpp:79:14:79:14 | p |
@@ -49,9 +49,9 @@ nodes
 | test.cpp:6:9:6:11 | Load | semmle.label | Load |
 | test.cpp:10:9:10:11 | Load | semmle.label | Load |
 | test.cpp:19:9:19:16 | VariableAddress indirection [p] | semmle.label | VariableAddress indirection [p] |
-| test.cpp:22:5:22:24 | Store | semmle.label | Store |
-| test.cpp:22:9:22:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
-| test.cpp:22:13:22:18 | call to malloc | semmle.label | call to malloc |
+| test.cpp:21:5:21:24 | Store | semmle.label | Store |
+| test.cpp:21:9:21:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
+| test.cpp:21:13:21:18 | call to malloc | semmle.label | call to malloc |
 | test.cpp:31:9:31:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:31:13:31:13 | Load | semmle.label | Load |
 | test.cpp:31:13:31:13 | p | semmle.label | p |
@@ -66,19 +66,19 @@ nodes
 | test.cpp:45:13:45:13 | Load | semmle.label | Load |
 | test.cpp:45:13:45:13 | p | semmle.label | p |
 | test.cpp:50:18:50:25 | call to mk_array [p] | semmle.label | call to mk_array [p] |
-| test.cpp:56:5:56:24 | Store | semmle.label | Store |
-| test.cpp:56:9:56:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
-| test.cpp:56:13:56:18 | call to malloc | semmle.label | call to malloc |
+| test.cpp:55:5:55:24 | Store | semmle.label | Store |
+| test.cpp:55:9:55:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
+| test.cpp:55:13:55:18 | call to malloc | semmle.label | call to malloc |
 | test.cpp:59:9:59:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:59:13:59:13 | Load | semmle.label | Load |
 | test.cpp:59:13:59:13 | p | semmle.label | p |
 | test.cpp:63:9:63:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:63:13:63:13 | Load | semmle.label | Load |
 | test.cpp:63:13:63:13 | p | semmle.label | p |
 | test.cpp:67:10:67:19 | VariableAddress indirection [p] | semmle.label | VariableAddress indirection [p] |
-| test.cpp:70:5:70:25 | Store | semmle.label | Store |
-| test.cpp:70:10:70:10 | Load indirection [post update] [p] | semmle.label | Load indirection [post update] [p] |
-| test.cpp:70:14:70:19 | call to malloc | semmle.label | call to malloc |
+| test.cpp:69:5:69:25 | Store | semmle.label | Store |
+| test.cpp:69:10:69:10 | Load indirection [post update] [p] | semmle.label | Load indirection [post update] [p] |
+| test.cpp:69:14:69:19 | call to malloc | semmle.label | call to malloc |
 | test.cpp:76:20:76:29 | Call indirection [p] | semmle.label | Call indirection [p] |
 | test.cpp:79:9:79:11 | Load indirection [p] | semmle.label | Load indirection [p] |
 | test.cpp:79:14:79:14 | Load | semmle.label | Load |
@@ -98,3 +98,15 @@ subpaths
 #select
 | test.cpp:10:9:10:11 | Load | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | Load | test.cpp:5:25:5:28 | Load |
 | test.cpp:10:9:10:11 | Load | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | Load | test.cpp:9:26:9:29 | Load |
+| test.cpp:35:13:35:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:21:13:21:18 | call to malloc | test.cpp:21:13:21:18 | call to malloc | test.cpp:30:29:30:32 | Load | test.cpp:30:29:30:32 | Load |
+| test.cpp:35:13:35:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:21:13:21:18 | call to malloc | test.cpp:21:13:21:18 | call to malloc | test.cpp:34:30:34:33 | Load | test.cpp:34:30:34:33 | Load |
+| test.cpp:45:13:45:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:21:13:21:18 | call to malloc | test.cpp:21:13:21:18 | call to malloc | test.cpp:40:29:40:32 | Load | test.cpp:40:29:40:32 | Load |
+| test.cpp:45:13:45:13 | Load | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:21:13:21:18 | call to malloc | test.cpp:21:13:21:18 | call to malloc | test.cpp:44:30:44:33 | Load | test.cpp:44:30:44:33 | Load |
+| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:55:13:55:18 | call to malloc | test.cpp:55:13:55:18 | call to malloc | test.cpp:56:5:56:19 | Store | test.cpp:56:5:56:19 | Store |
+| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:55:13:55:18 | call to malloc | test.cpp:55:13:55:18 | call to malloc | test.cpp:56:5:56:19 | Store | test.cpp:56:5:56:19 | Store |
+| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:55:13:55:18 | call to malloc | test.cpp:55:13:55:18 | call to malloc | test.cpp:56:16:56:19 | Load | test.cpp:56:16:56:19 | Load |
+| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:55:13:55:18 | call to malloc | test.cpp:55:13:55:18 | call to malloc | test.cpp:58:29:58:32 | Load | test.cpp:58:29:58:32 | Load |
+| test.cpp:63:13:63:13 | Load | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:55:13:55:18 | call to malloc | test.cpp:55:13:55:18 | call to malloc | test.cpp:62:30:62:33 | Load | test.cpp:62:30:62:33 | Load |
+| test.cpp:83:14:83:14 | Load | test.cpp:69:14:69:19 | call to malloc | test.cpp:83:14:83:14 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:69:14:69:19 | call to malloc | test.cpp:69:14:69:19 | call to malloc | test.cpp:82:31:82:34 | Load | test.cpp:82:31:82:34 | Load |
+| test.cpp:93:14:93:14 | Load | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:69:14:69:19 | call to malloc | test.cpp:69:14:69:19 | call to malloc | test.cpp:88:30:88:33 | Load | test.cpp:88:30:88:33 | Load |
+| test.cpp:93:14:93:14 | Load | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | Load | off-by one error allocated at $@ bounded by $@ | test.cpp:69:14:69:19 | call to malloc | test.cpp:69:14:69:19 | call to malloc | test.cpp:92:31:92:34 | Load | test.cpp:92:31:92:34 | Load |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp
@@ -18,8 +18,8 @@ typedef struct {
 
 array_t mk_array(int size) {
     array_t arr;
-    arr.size = size;
     arr.p = malloc(size);
+    arr.size = size;
 
     return arr;
 }
@@ -32,7 +32,7 @@ void test2(int size) {
     }
 
     for (int i = 0; i <= arr.size; i++) {
-        arr.p[i] = i; // BAD [NOT DETECTED]
+        arr.p[i] = i; // BAD
     }
 }
 
@@ -42,7 +42,7 @@ void test3_callee(array_t arr) {
     }
 
     for (int i = 0; i <= arr.size; i++) {
-        arr.p[i] = i; // BAD [NOT DETECTED]
+        arr.p[i] = i; // BAD
     }
 }
 
@@ -52,8 +52,8 @@ void test3(int size) {
 
 void test4(int size) {
     array_t arr;
-    arr.size = size;
     arr.p = malloc(size);
+    arr.size = size;
 
     for (int i = 0; i < arr.size; i++) {
         arr.p[i] = 0; // GOOD
@@ -66,8 +66,8 @@ void test4(int size) {
 
 array_t *mk_array_p(int size) {
     array_t *arr = (array_t*) malloc(sizeof(array_t));
-    arr->size = size;
     arr->p = malloc(size);
+    arr->size = size;
 
     return arr;
 }

Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,8 @@ typedef struct {`
`18`	`18`
`19`	`19`	`array_t mk_array(int size) {`
`20`	`20`	`array_t arr;`
`21`		`- arr.size = size;`
`22`	`21`	`arr.p = malloc(size);`
	`22`	`+ arr.size = size;`
`23`	`23`
`24`	`24`	`return arr;`
`25`	`25`	`}`
`@@ -32,7 +32,7 @@ void test2(int size) {`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`for (int i = 0; i <= arr.size; i++) {`
`35`		`- arr.p[i] = i; // BAD [NOT DETECTED]`
	`35`	`+ arr.p[i] = i; // BAD`
`36`	`36`	`}`
`37`	`37`	`}`
`38`	`38`
`@@ -42,7 +42,7 @@ void test3_callee(array_t arr) {`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`for (int i = 0; i <= arr.size; i++) {`
`45`		`- arr.p[i] = i; // BAD [NOT DETECTED]`
	`45`	`+ arr.p[i] = i; // BAD`
`46`	`46`	`}`
`47`	`47`	`}`
`48`	`48`
`@@ -52,8 +52,8 @@ void test3(int size) {`
`52`	`52`
`53`	`53`	`void test4(int size) {`
`54`	`54`	`array_t arr;`
`55`		`- arr.size = size;`
`56`	`55`	`arr.p = malloc(size);`
	`56`	`+ arr.size = size;`
`57`	`57`
`58`	`58`	`for (int i = 0; i < arr.size; i++) {`
`59`	`59`	`arr.p[i] = 0; // GOOD`
`@@ -66,8 +66,8 @@ void test4(int size) {`
`66`	`66`
`67`	`67`	`array_t *mk_array_p(int size) {`
`68`	`68`	`array_t arr = (array_t) malloc(sizeof(array_t));`
`69`		`- arr->size = size;`
`70`	`69`	`arr->p = malloc(size);`
	`70`	`+ arr->size = size;`
`71`	`71`
`72`	`72`	`return arr;`
`73`	`73`	`}`