C++: Add inline expectations tests for the invalid-pointer-to-dereference stage of the query.

MathiasVP · MathiasVP · commit 4762e883fc40 · 2023-07-18T18:15:24.000+01:00
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerToDereference.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerToDereference.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerToDereference.ql b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerToDereference.ql
@@ -0,0 +1,81 @@
+import cpp
+import semmle.code.cpp.security.InvalidPointerDereference.InvalidPointerToDereference
+import TestUtilities.InlineExpectationsTest
+import semmle.code.cpp.ir.IR
+import semmle.code.cpp.dataflow.new.DataFlow
+
+string case3(DataFlow::Node derefSource, DataFlow::Node derefSink, DataFlow::Node operation) {
+  operationIsOffBy(_, _, derefSource, derefSink, _, operation, _) and
+  not exists(case2(_, _, operation)) and
+  not exists(case1(_, _, operation)) and
+  exists(int derefSourceLine, int derefSinkLine, int operationLine |
+    derefSourceLine = derefSource.getLocation().getStartLine() and
+    derefSinkLine = derefSink.getLocation().getStartLine() and
+    operationLine = operation.getLocation().getStartLine() and
+    derefSourceLine != derefSinkLine and
+    derefSinkLine != operationLine and
+    result = "L" + derefSourceLine + "->L" + derefSinkLine + "->L" + operationLine
+  )
+}
+
+string case2(DataFlow::Node derefSource, DataFlow::Node derefSink, DataFlow::Node operation) {
+  operationIsOffBy(_, _, derefSource, derefSink, _, operation, _) and
+  not exists(case1(_, _, operation)) and
+  exists(int derefSourceLine, int derefSinkLine, int operationLine |
+    derefSourceLine = derefSource.getLocation().getStartLine() and
+    derefSinkLine = derefSink.getLocation().getStartLine() and
+    operationLine = operation.getLocation().getStartLine() and
+    derefSourceLine = derefSinkLine and
+    derefSinkLine != operationLine and
+    result = "L" + derefSourceLine + "->L" + operationLine
+  )
+}
+
+string case1(DataFlow::Node derefSource, DataFlow::Node derefSink, DataFlow::Node operation) {
+  operationIsOffBy(_, _, derefSource, derefSink, _, operation, _) and
+  exists(int derefSourceLine, int derefSinkLine, int operationLine |
+    derefSourceLine = derefSource.getLocation().getStartLine() and
+    derefSinkLine = derefSink.getLocation().getStartLine() and
+    operationLine = operation.getLocation().getStartLine() and
+    derefSourceLine = derefSinkLine and
+    derefSinkLine = operationLine and
+    result = "L" + derefSourceLine
+  )
+}
+
+module InvalidPointerToDereferenceTest implements TestSig {
+  string getARelevantTag() { result = "deref" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(
+      PointerArithmeticInstruction pai, DataFlow::Node derefSource, DataFlow::Node derefSink,
+      DataFlow::Node operation, int delta, string value1, string value2
+    |
+      operationIsOffBy(_, pai, derefSource, derefSink, _, operation, delta) and
+      location = operation.getLocation() and
+      element = operation.toString() and
+      tag = "deref" and
+      value = value1 + value2
+    |
+      (
+        value1 = case3(derefSource, derefSink, operation)
+        or
+        value1 = case2(derefSource, derefSink, operation)
+        or
+        value1 = case1(derefSource, derefSink, operation)
+      ) and
+      (
+        delta > 0 and
+        value2 = "+" + delta
+        or
+        delta = 0 and
+        value2 = ""
+        or
+        delta < 0 and
+        value2 = "-" + (-delta)
+      )
+    )
+  }
+}
+
+import MakeTest<InvalidPointerToDereferenceTest>
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -3,9 +3,9 @@ char *malloc(int size);
 void test1(int size) {
     char* p = malloc(size);
     char* q = p + size; // $ alloc=L4
-    char a = *q; // BAD
+    char a = *q; // $ deref=L6 // BAD
     char b = *(q - 1); // GOOD
-    char c = *(q + 1); // BAD
+    char c = *(q + 1); // $ deref=L8+1 // BAD
     char d = *(q + size); // BAD [NOT DETECTED]
     char e = *(q - size); // GOOD
     char f = *(q + size + 1); // BAD [NOT DETECTED]
@@ -17,7 +17,7 @@ void test2(int size) {
     char* q = p + size - 1; // $ alloc=L16
     char a = *q; // GOOD
     char b = *(q - 1); // GOOD
-    char c = *(q + 1); // BAD
+    char c = *(q + 1); // $ deref=L20 // BAD
     char d = *(q + size); // BAD [NOT DETECTED]
     char e = *(q - size); // GOOD
     char f = *(q + size + 1); // BAD [NOT DETECTED]
@@ -27,9 +27,9 @@ void test2(int size) {
 void test3(int size) {
     char* p = malloc(size + 1);
     char* q = p + (size + 1); // $ alloc=L28+1
-    char a = *q; // BAD
+    char a = *q; // $ deref=L30 // BAD
     char b = *(q - 1); // GOOD
-    char c = *(q + 1); // BAD
+    char c = *(q + 1); // $ deref=L32+1 // BAD
     char d = *(q + size); // BAD [NOT DETECTED]
     char e = *(q - size); // GOOD
     char f = *(q + size + 1); // BAD [NOT DETECTED]
@@ -39,9 +39,9 @@ void test3(int size) {
 void test4(int size) {
     char* p = malloc(size - 1);
     char* q = p + (size - 1); // $ alloc=L40-1
-    char a = *q; // BAD
+    char a = *q; // $ deref=L42 // BAD
     char b = *(q - 1); // GOOD
-    char c = *(q + 1); // BAD
+    char c = *(q + 1); // $ deref=L44+1 // BAD
     char d = *(q + size); // BAD [NOT DETECTED]
     char e = *(q - size); // GOOD
     char f = *(q + size + 1); // BAD [NOT DETECTED]
@@ -64,7 +64,7 @@ void test5(int size) {
     }
 
     for (char* p = begin; p <= end; ++p) {
-        *p = 0; // BAD
+        *p = 0; // $ deref=L53->L62->L67 deref=L53->L66->L67 // BAD
     }
 
     for (char* p = begin; p < end; ++p) {
@@ -93,7 +93,7 @@ void test6(int size) {
     }
 
     for (char* p = arr.begin; p <= arr.end; ++p) {
-        *p = 0; // BAD
+        *p = 0; // $ deref=L83->L91->L96 deref=L83->L95->L96 // BAD
     }
 
     for (char* p = arr.begin; p < arr.end; ++p) {
@@ -107,7 +107,7 @@ void test7_callee(array_t arr) {
     }
 
     for (char* p = arr.begin; p <= arr.end; ++p) {
-        *p = 0; // BAD
+        *p = 0; // $ deref=L83->L105->L110 deref=L83->L109->L110 // BAD
     }
 
     for (char* p = arr.begin; p < arr.end; ++p) {
@@ -154,7 +154,7 @@ void test9(int size) {
     }
 
     for (char* p = arr->begin; p <= arr->end; ++p) {
-        *p = 0; // BAD
+        *p = 0; // $ deref=L144->L156->L157 // BAD
     }
 
     for (char* p = arr->begin; p < arr->end; ++p) {
@@ -168,7 +168,7 @@ void test10_callee(array_t *arr) {
     }
 
     for (char* p = arr->begin; p <= arr->end; ++p) {
-        *p = 0; // BAD
+        *p = 0; // $ deref=L144->L166->L171 deref=L144->L170->L171 // BAD
     }
 
     for (char* p = arr->begin; p < arr->end; ++p) {
@@ -198,7 +198,7 @@ void test12(unsigned len, unsigned index) {
         return;
     }
     
-    p[index] = '\0'; // BAD
+    p[index] = '\0'; // $ deref=L201 // BAD
 }
 
 void test13(unsigned len, unsigned index) {
@@ -210,7 +210,7 @@ void test13(unsigned len, unsigned index) {
         return;
     }
     
-    *q = '\0'; // BAD
+    *q = '\0'; // $ deref=L213 // BAD
 }
 
 bool unknown();
@@ -229,14 +229,14 @@ void test15(unsigned index) {
     return;
   }
   int* newname = new int[size];
-  newname[index] = 0; // $ alloc=L231 // GOOD [FALSE POSITIVE]
+  newname[index] = 0; // $ alloc=L231 deref=L232 // GOOD [FALSE POSITIVE]
 }
 
 void test16(unsigned index) {
   unsigned size = index + 13;
   if(size >= index) {
     int* newname = new int[size];
-    newname[index] = 0; // $ alloc=L238 // GOOD [FALSE POSITIVE]
+    newname[index] = 0; // $ alloc=L238 deref=L239 // GOOD [FALSE POSITIVE]
   }
 }
 
@@ -251,7 +251,7 @@ void test17(unsigned *p, unsigned x, unsigned k) {
         // The following access is okay because:
         // n = 3*p[0] + k >= p[0] + k >= p[1] + k > p[1] = i
         // (where p[0] denotes the original value for p[0])
-        p[i] = x; // $ alloc=L248 // GOOD [FALSE POSITIVE]
+        p[i] = x; // $ alloc=L248 deref=L254 // GOOD [FALSE POSITIVE]
     }
 }
 
@@ -261,7 +261,7 @@ void test17(unsigned len)
   int *end = xs + len; // $ alloc=L260
   for (int *x = xs; x <= end; x++)
   {
-    int i = *x; // BAD
+    int i = *x; // $ deref=L264 // BAD
   }
 }
 
@@ -271,7 +271,7 @@ void test18(unsigned len)
   int *end = xs + len; // $ alloc=L270
   for (int *x = xs; x <= end; x++)
   {
-    *x = 0; // BAD
+    *x = 0; // $ deref=L274 // BAD
   }
 }
 
@@ -305,7 +305,7 @@ void test21() {
 
   for (int i = 0; i < n; i += 2) {
     xs[i] = test21_get(i); // GOOD
-    xs[i+1] = test21_get(i+1); // $ alloc=L304 alloc=L304-1 // GOOD [FALSE POSITIVE]
+    xs[i+1] = test21_get(i+1); // $ alloc=L304 alloc=L304-1 deref=L308 // GOOD [FALSE POSITIVE]
   }
 }
 
@@ -355,8 +355,8 @@ void test25(unsigned size) {
   char *xs = new char[size];
   char *end = xs + size; // $ alloc=L355
   char *end_plus_one = end + 1;
-  int val1 = *end_plus_one; // BAD
-  int val2 = *(end_plus_one + 1); // BAD
+  int val1 = *end_plus_one; // $ deref=L358+1 // BAD
+  int val2 = *(end_plus_one + 1); // $ deref=L359+2 // BAD
 }
 
 void test26(unsigned size) {
@@ -381,7 +381,7 @@ void test27(unsigned size, bool b) {
     end++;
   }
 
-  int val = *end; // BAD
+  int val = *end; // $ deref=L384+1 // BAD
 }
 
 void test28(unsigned size) {
@@ -412,7 +412,7 @@ void test28_simple2(unsigned size) {
   if (xs < end) {
     xs++;
     if (xs < end + 1) {
-      xs[0] = 0;  // BAD
+      xs[0] = 0; // $ deref=L415 // BAD
     }
   }
 }
@@ -423,7 +423,7 @@ void test28_simple3(unsigned size) {
   if (xs < end) {
     xs++;
     if (xs - 1 < end) {
-      xs[0] = 0;  // BAD
+      xs[0] = 0; // $ deref=L426 // BAD
     }
   }
 }
@@ -435,7 +435,7 @@ void test28_simple4(unsigned size) {
     end++;
     xs++;
     if (xs < end) {
-      xs[0] = 0;  // BAD
+      xs[0] = 0; // $ deref=L438 // BAD
     }
   }
 }
@@ -447,7 +447,7 @@ void test28_simple5(unsigned size) {
   if (xs < end) {
     xs++;
     if (xs < end) {
-      xs[0] = 0;  // BAD
+      xs[0] = 0; // $ deref=L450 // BAD
     }
   }
 }
@@ -483,7 +483,7 @@ void test28_simple8(unsigned size) {
   if (xs < end) {
     xs++;
     if (xs < end - 1) {
-      xs[0] = 0;  // BAD
+      xs[0] = 0; // $ deref=L486+498 // BAD
     }
   }
 }
@@ -545,7 +545,7 @@ void test31_simple2(unsigned size, unsigned src_pos)
     src_pos = size;
   }
   if (src_pos < size + 1) {
-    xs[src_pos] = 0; // $ alloc=L543 // BAD
+    xs[src_pos] = 0; // $ alloc=L543 deref=L548 // BAD
   }
 }
 
@@ -556,7 +556,7 @@ void test31_simple3(unsigned size, unsigned src_pos)
     src_pos = size;
   }
   if (src_pos - 1 < size) {
-    xs[src_pos] = 0; // $ alloc=L554 // BAD
+    xs[src_pos] = 0; // $ alloc=L554 deref=L559 // BAD
   }
 }
 
@@ -644,7 +644,7 @@ void test31_simple1_sub1(unsigned size, unsigned src_pos)
     src_pos = size;
   }
   if (src_pos < size) {
-    xs[src_pos] = 0; // $ alloc=L642-1 // BAD
+    xs[src_pos] = 0; // $ alloc=L642-1 deref=L647 // BAD
   }
 }
 
@@ -659,7 +659,7 @@ void test32(unsigned size) {
   xs++;
   if (xs >= end)
     return;
-  xs[0] = 0; // GOOD [FALSE POSITIVE]
+  xs[0] = 0; // $ deref=L656->L662+1 deref=L657->L662+1 GOOD [FALSE POSITIVE]
 }
 
 void test33(unsigned size, unsigned src_pos)
@@ -672,7 +672,7 @@ void test33(unsigned size, unsigned src_pos)
   while (dst_pos < size - 1) {
     dst_pos++;
     if (true)
-      xs[dst_pos++] = 0; // $ alloc=L667+1 // GOOD [FALSE POSITIVE]
+      xs[dst_pos++] = 0; // $ alloc=L667+1 deref=L675 // GOOD [FALSE POSITIVE]
   }
 }
 
@@ -688,5 +688,5 @@ void test_missing_call_context_1(unsigned size) {
 void test_missing_call_context_2(unsigned size) {
   int* p = new int[size];
   int* end_minus_one = pointer_arithmetic(p, size - 1);
-  *end_minus_one = '0'; // GOOD
+  *end_minus_one = '0'; // $ deref=L680->L690->L691 // GOOD
 }

Original file line number	Diff line number	Diff line change
`@@ -3,9 +3,9 @@ char *malloc(int size);`
`3`	`3`	`void test1(int size) {`
`4`	`4`	`char* p = malloc(size);`
`5`	`5`	`char* q = p + size; // $ alloc=L4`
`6`		`- char a = *q; // BAD`
	`6`	`+ char a = *q; // $ deref=L6 // BAD`
`7`	`7`	`char b = *(q - 1); // GOOD`
`8`		`- char c = *(q + 1); // BAD`
	`8`	`+ char c = *(q + 1); // $ deref=L8+1 // BAD`
`9`	`9`	`char d = *(q + size); // BAD [NOT DETECTED]`
`10`	`10`	`char e = *(q - size); // GOOD`
`11`	`11`	`char f = *(q + size + 1); // BAD [NOT DETECTED]`
`@@ -17,7 +17,7 @@ void test2(int size) {`
`17`	`17`	`char* q = p + size - 1; // $ alloc=L16`
`18`	`18`	`char a = *q; // GOOD`
`19`	`19`	`char b = *(q - 1); // GOOD`
`20`		`- char c = *(q + 1); // BAD`
	`20`	`+ char c = *(q + 1); // $ deref=L20 // BAD`
`21`	`21`	`char d = *(q + size); // BAD [NOT DETECTED]`
`22`	`22`	`char e = *(q - size); // GOOD`
`23`	`23`	`char f = *(q + size + 1); // BAD [NOT DETECTED]`
`@@ -27,9 +27,9 @@ void test2(int size) {`
`27`	`27`	`void test3(int size) {`
`28`	`28`	`char* p = malloc(size + 1);`
`29`	`29`	`char* q = p + (size + 1); // $ alloc=L28+1`
`30`		`- char a = *q; // BAD`
	`30`	`+ char a = *q; // $ deref=L30 // BAD`
`31`	`31`	`char b = *(q - 1); // GOOD`
`32`		`- char c = *(q + 1); // BAD`
	`32`	`+ char c = *(q + 1); // $ deref=L32+1 // BAD`
`33`	`33`	`char d = *(q + size); // BAD [NOT DETECTED]`
`34`	`34`	`char e = *(q - size); // GOOD`
`35`	`35`	`char f = *(q + size + 1); // BAD [NOT DETECTED]`
`@@ -39,9 +39,9 @@ void test3(int size) {`
`39`	`39`	`void test4(int size) {`
`40`	`40`	`char* p = malloc(size - 1);`
`41`	`41`	`char* q = p + (size - 1); // $ alloc=L40-1`
`42`		`- char a = *q; // BAD`
	`42`	`+ char a = *q; // $ deref=L42 // BAD`
`43`	`43`	`char b = *(q - 1); // GOOD`
`44`		`- char c = *(q + 1); // BAD`
	`44`	`+ char c = *(q + 1); // $ deref=L44+1 // BAD`
`45`	`45`	`char d = *(q + size); // BAD [NOT DETECTED]`
`46`	`46`	`char e = *(q - size); // GOOD`
`47`	`47`	`char f = *(q + size + 1); // BAD [NOT DETECTED]`
`@@ -64,7 +64,7 @@ void test5(int size) {`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`for (char* p = begin; p <= end; ++p) {`
`67`		`- *p = 0; // BAD`
	`67`	`+ *p = 0; // $ deref=L53->L62->L67 deref=L53->L66->L67 // BAD`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`for (char* p = begin; p < end; ++p) {`
`@@ -93,7 +93,7 @@ void test6(int size) {`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`for (char* p = arr.begin; p <= arr.end; ++p) {`
`96`		`- *p = 0; // BAD`
	`96`	`+ *p = 0; // $ deref=L83->L91->L96 deref=L83->L95->L96 // BAD`
`97`	`97`	`}`
`98`	`98`
`99`	`99`	`for (char* p = arr.begin; p < arr.end; ++p) {`
`@@ -107,7 +107,7 @@ void test7_callee(array_t arr) {`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`for (char* p = arr.begin; p <= arr.end; ++p) {`
`110`		`- *p = 0; // BAD`
	`110`	`+ *p = 0; // $ deref=L83->L105->L110 deref=L83->L109->L110 // BAD`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`for (char* p = arr.begin; p < arr.end; ++p) {`
`@@ -154,7 +154,7 @@ void test9(int size) {`
`154`	`154`	`}`
`155`	`155`
`156`	`156`	`for (char* p = arr->begin; p <= arr->end; ++p) {`
`157`		`- *p = 0; // BAD`
	`157`	`+ *p = 0; // $ deref=L144->L156->L157 // BAD`
`158`	`158`	`}`
`159`	`159`
`160`	`160`	`for (char* p = arr->begin; p < arr->end; ++p) {`
`@@ -168,7 +168,7 @@ void test10_callee(array_t *arr) {`
`168`	`168`	`}`
`169`	`169`
`170`	`170`	`for (char* p = arr->begin; p <= arr->end; ++p) {`
`171`		`- *p = 0; // BAD`
	`171`	`+ *p = 0; // $ deref=L144->L166->L171 deref=L144->L170->L171 // BAD`
`172`	`172`	`}`
`173`	`173`
`174`	`174`	`for (char* p = arr->begin; p < arr->end; ++p) {`
`@@ -198,7 +198,7 @@ void test12(unsigned len, unsigned index) {`
`198`	`198`	`return;`
`199`	`199`	`}`
`200`	`200`
`201`		`- p[index] = '\0'; // BAD`
	`201`	`+ p[index] = '\0'; // $ deref=L201 // BAD`
`202`	`202`	`}`
`203`	`203`
`204`	`204`	`void test13(unsigned len, unsigned index) {`
`@@ -210,7 +210,7 @@ void test13(unsigned len, unsigned index) {`
`210`	`210`	`return;`
`211`	`211`	`}`
`212`	`212`
`213`		`- *q = '\0'; // BAD`
	`213`	`+ *q = '\0'; // $ deref=L213 // BAD`
`214`	`214`	`}`
`215`	`215`
`216`	`216`	`bool unknown();`
`@@ -229,14 +229,14 @@ void test15(unsigned index) {`
`229`	`229`	`return;`
`230`	`230`	`}`
`231`	`231`	`int* newname = new int[size];`
`232`		`- newname[index] = 0; // $ alloc=L231 // GOOD [FALSE POSITIVE]`
	`232`	`+ newname[index] = 0; // $ alloc=L231 deref=L232 // GOOD [FALSE POSITIVE]`
`233`	`233`	`}`
`234`	`234`
`235`	`235`	`void test16(unsigned index) {`
`236`	`236`	`unsigned size = index + 13;`
`237`	`237`	`if(size >= index) {`
`238`	`238`	`int* newname = new int[size];`
`239`		`- newname[index] = 0; // $ alloc=L238 // GOOD [FALSE POSITIVE]`
	`239`	`+ newname[index] = 0; // $ alloc=L238 deref=L239 // GOOD [FALSE POSITIVE]`
`240`	`240`	`}`
`241`	`241`	`}`
`242`	`242`
`@@ -251,7 +251,7 @@ void test17(unsigned *p, unsigned x, unsigned k) {`
`251`	`251`	`// The following access is okay because:`
`252`	`252`	`// n = 3*p[0] + k >= p[0] + k >= p[1] + k > p[1] = i`
`253`	`253`	`// (where p[0] denotes the original value for p[0])`
`254`		`- p[i] = x; // $ alloc=L248 // GOOD [FALSE POSITIVE]`
	`254`	`+ p[i] = x; // $ alloc=L248 deref=L254 // GOOD [FALSE POSITIVE]`
`255`	`255`	`}`
`256`	`256`	`}`
`257`	`257`
`@@ -261,7 +261,7 @@ void test17(unsigned len)`
`261`	`261`	`int *end = xs + len; // $ alloc=L260`
`262`	`262`	`for (int *x = xs; x <= end; x++)`
`263`	`263`	`{`
`264`		`- int i = *x; // BAD`
	`264`	`+ int i = *x; // $ deref=L264 // BAD`
`265`	`265`	`}`
`266`	`266`	`}`
`267`	`267`
`@@ -271,7 +271,7 @@ void test18(unsigned len)`
`271`	`271`	`int *end = xs + len; // $ alloc=L270`
`272`	`272`	`for (int *x = xs; x <= end; x++)`
`273`	`273`	`{`
`274`		`- *x = 0; // BAD`
	`274`	`+ *x = 0; // $ deref=L274 // BAD`
`275`	`275`	`}`
`276`	`276`	`}`
`277`	`277`
`@@ -305,7 +305,7 @@ void test21() {`
`305`	`305`
`306`	`306`	`for (int i = 0; i < n; i += 2) {`
`307`	`307`	`xs[i] = test21_get(i); // GOOD`
`308`		`- xs[i+1] = test21_get(i+1); // $ alloc=L304 alloc=L304-1 // GOOD [FALSE POSITIVE]`
	`308`	`+ xs[i+1] = test21_get(i+1); // $ alloc=L304 alloc=L304-1 deref=L308 // GOOD [FALSE POSITIVE]`
`309`	`309`	`}`
`310`	`310`	`}`
`311`	`311`
`@@ -355,8 +355,8 @@ void test25(unsigned size) {`
`355`	`355`	`char *xs = new char[size];`
`356`	`356`	`char *end = xs + size; // $ alloc=L355`
`357`	`357`	`char *end_plus_one = end + 1;`
`358`		`- int val1 = *end_plus_one; // BAD`
`359`		`- int val2 = *(end_plus_one + 1); // BAD`
	`358`	`+ int val1 = *end_plus_one; // $ deref=L358+1 // BAD`
	`359`	`+ int val2 = *(end_plus_one + 1); // $ deref=L359+2 // BAD`
`360`	`360`	`}`
`361`	`361`
`362`	`362`	`void test26(unsigned size) {`
`@@ -381,7 +381,7 @@ void test27(unsigned size, bool b) {`
`381`	`381`	`end++;`
`382`	`382`	`}`
`383`	`383`
`384`		`- int val = *end; // BAD`
	`384`	`+ int val = *end; // $ deref=L384+1 // BAD`
`385`	`385`	`}`
`386`	`386`
`387`	`387`	`void test28(unsigned size) {`
`@@ -412,7 +412,7 @@ void test28_simple2(unsigned size) {`
`412`	`412`	`if (xs < end) {`
`413`	`413`	`xs++;`
`414`	`414`	`if (xs < end + 1) {`
`415`		`- xs[0] = 0; // BAD`
	`415`	`+ xs[0] = 0; // $ deref=L415 // BAD`
`416`	`416`	`}`
`417`	`417`	`}`
`418`	`418`	`}`
`@@ -423,7 +423,7 @@ void test28_simple3(unsigned size) {`
`423`	`423`	`if (xs < end) {`
`424`	`424`	`xs++;`
`425`	`425`	`if (xs - 1 < end) {`
`426`		`- xs[0] = 0; // BAD`
	`426`	`+ xs[0] = 0; // $ deref=L426 // BAD`
`427`	`427`	`}`
`428`	`428`	`}`
`429`	`429`	`}`
`@@ -435,7 +435,7 @@ void test28_simple4(unsigned size) {`
`435`	`435`	`end++;`
`436`	`436`	`xs++;`
`437`	`437`	`if (xs < end) {`
`438`		`- xs[0] = 0; // BAD`
	`438`	`+ xs[0] = 0; // $ deref=L438 // BAD`
`439`	`439`	`}`
`440`	`440`	`}`
`441`	`441`	`}`
`@@ -447,7 +447,7 @@ void test28_simple5(unsigned size) {`
`447`	`447`	`if (xs < end) {`
`448`	`448`	`xs++;`
`449`	`449`	`if (xs < end) {`
`450`		`- xs[0] = 0; // BAD`
	`450`	`+ xs[0] = 0; // $ deref=L450 // BAD`
`451`	`451`	`}`
`452`	`452`	`}`
`453`	`453`	`}`
`@@ -483,7 +483,7 @@ void test28_simple8(unsigned size) {`
`483`	`483`	`if (xs < end) {`
`484`	`484`	`xs++;`
`485`	`485`	`if (xs < end - 1) {`
`486`		`- xs[0] = 0; // BAD`
	`486`	`+ xs[0] = 0; // $ deref=L486+498 // BAD`
`487`	`487`	`}`
`488`	`488`	`}`
`489`	`489`	`}`
`@@ -545,7 +545,7 @@ void test31_simple2(unsigned size, unsigned src_pos)`
`545`	`545`	`src_pos = size;`
`546`	`546`	`}`
`547`	`547`	`if (src_pos < size + 1) {`
`548`		`- xs[src_pos] = 0; // $ alloc=L543 // BAD`
	`548`	`+ xs[src_pos] = 0; // $ alloc=L543 deref=L548 // BAD`
`549`	`549`	`}`
`550`	`550`	`}`
`551`	`551`
`@@ -556,7 +556,7 @@ void test31_simple3(unsigned size, unsigned src_pos)`
`556`	`556`	`src_pos = size;`
`557`	`557`	`}`
`558`	`558`	`if (src_pos - 1 < size) {`
`559`		`- xs[src_pos] = 0; // $ alloc=L554 // BAD`
	`559`	`+ xs[src_pos] = 0; // $ alloc=L554 deref=L559 // BAD`
`560`	`560`	`}`
`561`	`561`	`}`
`562`	`562`
`@@ -644,7 +644,7 @@ void test31_simple1_sub1(unsigned size, unsigned src_pos)`
`644`	`644`	`src_pos = size;`
`645`	`645`	`}`
`646`	`646`	`if (src_pos < size) {`
`647`		`- xs[src_pos] = 0; // $ alloc=L642-1 // BAD`
	`647`	`+ xs[src_pos] = 0; // $ alloc=L642-1 deref=L647 // BAD`
`648`	`648`	`}`
`649`	`649`	`}`
`650`	`650`
`@@ -659,7 +659,7 @@ void test32(unsigned size) {`
`659`	`659`	`xs++;`
`660`	`660`	`if (xs >= end)`
`661`	`661`	`return;`
`662`		`- xs[0] = 0; // GOOD [FALSE POSITIVE]`
	`662`	`+ xs[0] = 0; // $ deref=L656->L662+1 deref=L657->L662+1 GOOD [FALSE POSITIVE]`
`663`	`663`	`}`
`664`	`664`
`665`	`665`	`void test33(unsigned size, unsigned src_pos)`
`@@ -672,7 +672,7 @@ void test33(unsigned size, unsigned src_pos)`
`672`	`672`	`while (dst_pos < size - 1) {`
`673`	`673`	`dst_pos++;`
`674`	`674`	`if (true)`
`675`		`- xs[dst_pos++] = 0; // $ alloc=L667+1 // GOOD [FALSE POSITIVE]`
	`675`	`+ xs[dst_pos++] = 0; // $ alloc=L667+1 deref=L675 // GOOD [FALSE POSITIVE]`
`676`	`676`	`}`
`677`	`677`	`}`
`678`	`678`
`@@ -688,5 +688,5 @@ void test_missing_call_context_1(unsigned size) {`
`688`	`688`	`void test_missing_call_context_2(unsigned size) {`
`689`	`689`	`int* p = new int[size];`
`690`	`690`	`int* end_minus_one = pointer_arithmetic(p, size - 1);`
`691`		`- *end_minus_one = '0'; // GOOD`
	`691`	`+ *end_minus_one = '0'; // $ deref=L680->L690->L691 // GOOD`
`692`	`692`	`}`