
Commit 9ab2a28

Merge branch 'main' into log-injection-mad
2 parents a148c7c + df1e8e2 commit 9ab2a28


42 files changed

+942
-298
lines changed


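--- a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll
@@ -171,11 +171,9 @@ private predicate invalidPointerToDerefSource(
 // `deltaDerefSourceAndPai` is the constant difference between the pointer-arithmetic instruction
 // and the instruction computing the address for which we will search for a dereference.
 AllocToInvalidPointer::pointerAddInstructionHasBounds(allocSource, pai, _, rhsSizeDelta) and
-// pai <= derefSource + deltaDerefSourceAndPai and deltaDerefSourceAndPai <= 0 is equivalent to
-// derefSource >= pai + deltaDerefSourceAndPai and deltaDerefSourceAndPai >= 0
-bounded1(pai, derefSource.asInstruction(), deltaDerefSourceAndPai) and
-deltaDerefSourceAndPai <= 0 and
-// TODO: This condition will go away once #13725 is merged, and then we can make `Barrier2`
+bounded2(derefSource.asInstruction(), pai, deltaDerefSourceAndPai) and
+deltaDerefSourceAndPai >= 0 and
+// TODO: This condition will go away once #13725 is merged, and then we can make `SizeBarrier`
 // private to `AllocationToInvalidPointer.qll`.
 not derefSource.getBasicBlock() =
 AllocToInvalidPointer::SizeBarrier::getABarrierBlock(rhsSizeDelta)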
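Review bot: The removed comment explained why the old `bounded1(pai, derefSource, delta) and delta <= 0` conjunct expressed `derefSource >= pai`, but nothing in the new code says what `bounded2(derefSource.asInstruction(), pai, deltaDerefSourceAndPai) and deltaDerefSourceAndPai >= 0` is meant to express; read against the `bounded2` doc in this commit (`i <= b + delta`) it is the opposite direction, an upper bound `derefSource <= pai + delta` rather than a lower one. If that loosening is intended — the test file in this commit now marks `test32` and `test34` as `[FALSE POSITIVE]`, which looks like a consequence — a comment at these two lines should say so, e.g. `// derefSource <= pai + deltaDerefSourceAndPai with deltaDerefSourceAndPai >= 0: the dereferenced address may lie up to delta elements past the pointer-arithmetic result`. Otherwise the `<=`/`>=` flip deserves a second look before the TODO referencing #13725 is resolved. The enclosing predicate `invalidPointerToDerefSource` begins before this hunk.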

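--- a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/RangeAnalysisUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/RangeAnalysisUtil.qll
@@ -35,5 +35,14 @@ bindingset[i]
 pragma[inline_late]
 predicate bounded1(Instruction i, Instruction b, int delta) { boundedImpl(i, b, delta) }
 
+/**
+ * Holds if `i <= b + delta`.
+ *
+ * This predicate enforces a join-order that ensures that `b` has already been bound.
+ */
+bindingset[b]
+pragma[inline_late]
+predicate bounded2(Instruction i, Instruction b, int delta) { boundedImpl(i, b, delta) }
+
 /** Holds if `i <= b + delta`. */
 predicate bounded = boundedImpl/3;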
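Review bot: `bounded2` is a copy of `bounded1` with only the `bindingset` changed, yet its doc comment never mentions `bounded1` or says which argument each variant expects to be bound, so a caller choosing between them has to compare the pragmas above each declaration. The docstring should state the difference directly, e.g. `* Use this variant when `b` is already bound; use `bounded1` when `i` is bound instead. Both are `inline_late` wrappers over `boundedImpl`.`, and the same sentence belongs on `bounded1`, whose doc is outside this hunk. Names that carry the bound argument (a suffix naming `i` or `b`) would express this without a bare digit, though that rename is wider than this change.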

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected

Lines changed: 78 additions & 0 deletions
@@ -132,53 +132,102 @@ edges
132132
| test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:29 | ... = ... |
133133
| test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:23 | ... + ... |
134134
| test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:23 | ... + ... |
135+
| test.cpp:355:14:355:27 | new[] | test.cpp:357:24:357:30 | ... + ... |
136+
| test.cpp:355:14:355:27 | new[] | test.cpp:357:24:357:30 | ... + ... |
135137
| test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | * ... |
136138
| test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | * ... |
137139
| test.cpp:356:15:356:23 | ... + ... | test.cpp:356:15:356:23 | ... + ... |
138140
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... |
139141
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... |
140142
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... |
141143
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... |
144+
| test.cpp:357:24:357:30 | ... + ... | test.cpp:357:24:357:30 | ... + ... |
145+
| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | * ... |
146+
| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | * ... |
147+
| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | * ... |
148+
| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | * ... |
142149
| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:23 | ... + ... |
143150
| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:23 | ... + ... |
151+
| test.cpp:377:14:377:27 | new[] | test.cpp:381:5:381:9 | ... ++ |
152+
| test.cpp:377:14:377:27 | new[] | test.cpp:381:5:381:9 | ... ++ |
144153
| test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | * ... |
145154
| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... |
146155
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... |
147156
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... |
157+
| test.cpp:381:5:381:9 | ... ++ | test.cpp:381:5:381:9 | ... ++ |
158+
| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:13:384:16 | * ... |
148159
| test.cpp:410:14:410:27 | new[] | test.cpp:411:15:411:23 | & ... |
149160
| test.cpp:410:14:410:27 | new[] | test.cpp:411:15:411:23 | & ... |
161+
| test.cpp:410:14:410:27 | new[] | test.cpp:413:5:413:8 | ... ++ |
162+
| test.cpp:410:14:410:27 | new[] | test.cpp:413:5:413:8 | ... ++ |
150163
| test.cpp:410:14:410:27 | new[] | test.cpp:415:7:415:15 | ... = ... |
151164
| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... |
152165
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... |
153166
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... |
167+
| test.cpp:413:5:413:8 | ... ++ | test.cpp:413:5:413:8 | ... ++ |
168+
| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | ... = ... |
169+
| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | ... = ... |
154170
| test.cpp:421:14:421:27 | new[] | test.cpp:422:15:422:23 | & ... |
155171
| test.cpp:421:14:421:27 | new[] | test.cpp:422:15:422:23 | & ... |
172+
| test.cpp:421:14:421:27 | new[] | test.cpp:424:5:424:8 | ... ++ |
173+
| test.cpp:421:14:421:27 | new[] | test.cpp:424:5:424:8 | ... ++ |
156174
| test.cpp:421:14:421:27 | new[] | test.cpp:426:7:426:15 | ... = ... |
157175
| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... |
158176
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... |
159177
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... |
178+
| test.cpp:424:5:424:8 | ... ++ | test.cpp:424:5:424:8 | ... ++ |
179+
| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | ... = ... |
180+
| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | ... = ... |
160181
| test.cpp:432:14:432:27 | new[] | test.cpp:433:15:433:23 | & ... |
161182
| test.cpp:432:14:432:27 | new[] | test.cpp:433:15:433:23 | & ... |
183+
| test.cpp:432:14:432:27 | new[] | test.cpp:436:5:436:8 | ... ++ |
184+
| test.cpp:432:14:432:27 | new[] | test.cpp:436:5:436:8 | ... ++ |
162185
| test.cpp:432:14:432:27 | new[] | test.cpp:438:7:438:15 | ... = ... |
163186
| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... |
164187
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... |
165188
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... |
189+
| test.cpp:436:5:436:8 | ... ++ | test.cpp:436:5:436:8 | ... ++ |
190+
| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | ... = ... |
191+
| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | ... = ... |
166192
| test.cpp:444:14:444:27 | new[] | test.cpp:445:15:445:23 | & ... |
167193
| test.cpp:444:14:444:27 | new[] | test.cpp:445:15:445:23 | & ... |
194+
| test.cpp:444:14:444:27 | new[] | test.cpp:448:5:448:8 | ... ++ |
195+
| test.cpp:444:14:444:27 | new[] | test.cpp:448:5:448:8 | ... ++ |
168196
| test.cpp:444:14:444:27 | new[] | test.cpp:450:7:450:15 | ... = ... |
169197
| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... |
170198
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... |
171199
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... |
200+
| test.cpp:448:5:448:8 | ... ++ | test.cpp:448:5:448:8 | ... ++ |
201+
| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | ... = ... |
202+
| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | ... = ... |
172203
| test.cpp:480:14:480:27 | new[] | test.cpp:481:15:481:23 | & ... |
173204
| test.cpp:480:14:480:27 | new[] | test.cpp:481:15:481:23 | & ... |
205+
| test.cpp:480:14:480:27 | new[] | test.cpp:484:5:484:8 | ... ++ |
206+
| test.cpp:480:14:480:27 | new[] | test.cpp:484:5:484:8 | ... ++ |
174207
| test.cpp:480:14:480:27 | new[] | test.cpp:486:7:486:15 | ... = ... |
175208
| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... |
176209
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... |
177210
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... |
211+
| test.cpp:484:5:484:8 | ... ++ | test.cpp:484:5:484:8 | ... ++ |
212+
| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | ... = ... |
213+
| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | ... = ... |
178214
| test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | ... = ... |
179215
| test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | ... = ... |
180216
| test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | ... = ... |
217+
| test.cpp:652:14:652:27 | new[] | test.cpp:656:3:656:6 | ... ++ |
218+
| test.cpp:652:14:652:27 | new[] | test.cpp:656:3:656:6 | ... ++ |
219+
| test.cpp:652:14:652:27 | new[] | test.cpp:662:3:662:11 | ... = ... |
220+
| test.cpp:656:3:656:6 | ... ++ | test.cpp:656:3:656:6 | ... ++ |
221+
| test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | ... = ... |
222+
| test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | ... = ... |
181223
| test.cpp:667:14:667:31 | new[] | test.cpp:675:7:675:23 | ... = ... |
224+
| test.cpp:695:13:695:26 | new[] | test.cpp:698:5:698:10 | ... += ... |
225+
| test.cpp:698:5:698:10 | ... += ... | test.cpp:701:15:701:16 | * ... |
226+
| test.cpp:705:18:705:18 | q | test.cpp:705:18:705:18 | q |
227+
| test.cpp:705:18:705:18 | q | test.cpp:706:12:706:13 | * ... |
228+
| test.cpp:705:18:705:18 | q | test.cpp:706:12:706:13 | * ... |
229+
| test.cpp:711:13:711:26 | new[] | test.cpp:714:11:714:11 | q |
230+
| test.cpp:714:11:714:11 | q | test.cpp:705:18:705:18 | q |
182231
nodes
183232
| test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
184233
| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
@@ -276,40 +325,66 @@ nodes
276325
| test.cpp:355:14:355:27 | new[] | semmle.label | new[] |
277326
| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
278327
| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
328+
| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
329+
| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
279330
| test.cpp:358:14:358:26 | * ... | semmle.label | * ... |
280331
| test.cpp:359:14:359:32 | * ... | semmle.label | * ... |
281332
| test.cpp:377:14:377:27 | new[] | semmle.label | new[] |
282333
| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
283334
| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
335+
| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
336+
| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
284337
| test.cpp:384:13:384:16 | * ... | semmle.label | * ... |
285338
| test.cpp:410:14:410:27 | new[] | semmle.label | new[] |
286339
| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
287340
| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
341+
| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
342+
| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
288343
| test.cpp:415:7:415:15 | ... = ... | semmle.label | ... = ... |
289344
| test.cpp:421:14:421:27 | new[] | semmle.label | new[] |
290345
| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
291346
| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
347+
| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
348+
| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
292349
| test.cpp:426:7:426:15 | ... = ... | semmle.label | ... = ... |
293350
| test.cpp:432:14:432:27 | new[] | semmle.label | new[] |
294351
| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
295352
| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
353+
| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
354+
| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
296355
| test.cpp:438:7:438:15 | ... = ... | semmle.label | ... = ... |
297356
| test.cpp:444:14:444:27 | new[] | semmle.label | new[] |
298357
| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
299358
| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
359+
| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
360+
| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
300361
| test.cpp:450:7:450:15 | ... = ... | semmle.label | ... = ... |
301362
| test.cpp:480:14:480:27 | new[] | semmle.label | new[] |
302363
| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
303364
| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
365+
| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
366+
| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
304367
| test.cpp:486:7:486:15 | ... = ... | semmle.label | ... = ... |
305368
| test.cpp:543:14:543:27 | new[] | semmle.label | new[] |
306369
| test.cpp:548:5:548:19 | ... = ... | semmle.label | ... = ... |
307370
| test.cpp:554:14:554:27 | new[] | semmle.label | new[] |
308371
| test.cpp:559:5:559:19 | ... = ... | semmle.label | ... = ... |
309372
| test.cpp:642:14:642:31 | new[] | semmle.label | new[] |
310373
| test.cpp:647:5:647:19 | ... = ... | semmle.label | ... = ... |
374+
| test.cpp:652:14:652:27 | new[] | semmle.label | new[] |
375+
| test.cpp:656:3:656:6 | ... ++ | semmle.label | ... ++ |
376+
| test.cpp:656:3:656:6 | ... ++ | semmle.label | ... ++ |
377+
| test.cpp:662:3:662:11 | ... = ... | semmle.label | ... = ... |
311378
| test.cpp:667:14:667:31 | new[] | semmle.label | new[] |
312379
| test.cpp:675:7:675:23 | ... = ... | semmle.label | ... = ... |
380+
| test.cpp:695:13:695:26 | new[] | semmle.label | new[] |
381+
| test.cpp:698:5:698:10 | ... += ... | semmle.label | ... += ... |
382+
| test.cpp:701:15:701:16 | * ... | semmle.label | * ... |
383+
| test.cpp:705:18:705:18 | q | semmle.label | q |
384+
| test.cpp:705:18:705:18 | q | semmle.label | q |
385+
| test.cpp:706:12:706:13 | * ... | semmle.label | * ... |
386+
| test.cpp:711:13:711:26 | new[] | semmle.label | new[] |
387+
| test.cpp:714:11:714:11 | q | semmle.label | q |
313388
subpaths
314389
#select
315390
| test.cpp:6:14:6:15 | * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -343,4 +418,7 @@ subpaths
343418
| test.cpp:548:5:548:19 | ... = ... | test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:543:14:543:27 | new[] | new[] | test.cpp:548:8:548:14 | src_pos | src_pos |
344419
| test.cpp:559:5:559:19 | ... = ... | test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:554:14:554:27 | new[] | new[] | test.cpp:559:8:559:14 | src_pos | src_pos |
345420
| test.cpp:647:5:647:19 | ... = ... | test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:642:14:642:31 | new[] | new[] | test.cpp:647:8:647:14 | src_pos | src_pos |
421+
| test.cpp:662:3:662:11 | ... = ... | test.cpp:652:14:652:27 | new[] | test.cpp:662:3:662:11 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:652:14:652:27 | new[] | new[] | test.cpp:653:19:653:22 | size | size |
346422
| test.cpp:675:7:675:23 | ... = ... | test.cpp:667:14:667:31 | new[] | test.cpp:675:7:675:23 | ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:667:14:667:31 | new[] | new[] | test.cpp:675:10:675:18 | ... ++ | ... ++ |
423+
| test.cpp:701:15:701:16 | * ... | test.cpp:695:13:695:26 | new[] | test.cpp:701:15:701:16 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:695:13:695:26 | new[] | new[] | test.cpp:696:19:696:22 | size | size |
424+
| test.cpp:706:12:706:13 | * ... | test.cpp:711:13:711:26 | new[] | test.cpp:706:12:706:13 | * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:711:13:711:26 | new[] | new[] | test.cpp:712:19:712:22 | size | size |

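--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -17,7 +17,7 @@ void test2(int size) {
 char* q = p + size - 1; // $ alloc=L16
 char a = *q; // GOOD
 char b = *(q - 1); // GOOD
-char c = *(q + 1); // $ deref=L17->L20 // BAD
+char c = *(q + 1); // $ deref=L20 // BAD
 char d = *(q + size); // BAD [NOT DETECTED]
 char e = *(q - size); // GOOD
 char f = *(q + size + 1); // BAD [NOT DETECTED]
@@ -198,7 +198,7 @@ void test12(unsigned len, unsigned index) {
 return;
 }
 
-p[index] = '\0'; // $ deref=L195->L201 deref=L197->L201 // BAD
+p[index] = '\0'; // $ deref=L201 // BAD
 }
 
 void test13(unsigned len, unsigned index) {
@@ -210,7 +210,7 @@ void test13(unsigned len, unsigned index) {
 return;
 }
 
-*q = '\0'; // $ deref=L206->L213 deref=L209->L213 // BAD
+*q = '\0'; // $ deref=L213 // BAD
 }
 
 bool unknown();
@@ -261,7 +261,7 @@ void test17(unsigned len)
 int *end = xs + len; // $ alloc=L260
 for (int *x = xs; x <= end; x++)
 {
-int i = *x; // $ deref=L261->L264 deref=L262->L264 // BAD
+int i = *x; // $ deref=L264 // BAD
 }
 }
 
@@ -271,7 +271,7 @@ void test18(unsigned len)
 int *end = xs + len; // $ alloc=L270
 for (int *x = xs; x <= end; x++)
 {
-*x = 0; // $ deref=L271->L274 deref=L272->L274 // BAD
+*x = 0; // $ deref=L274 // BAD
 }
 }
 
@@ -355,8 +355,8 @@ void test25(unsigned size) {
 char *xs = new char[size];
 char *end = xs + size; // $ alloc=L355
 char *end_plus_one = end + 1;
-int val1 = *end_plus_one; // $ deref=L356->L358+1 deref=L357->L358+1 // BAD
-int val2 = *(end_plus_one + 1); // $ deref=L356->L359+2 deref=L357->L359+2 // BAD
+int val1 = *end_plus_one; // $ deref=L358+1 // BAD
+int val2 = *(end_plus_one + 1); // $ deref=L359+2 // BAD
 }
 
 void test26(unsigned size) {
@@ -381,7 +381,7 @@ void test27(unsigned size, bool b) {
 end++;
 }
 
-int val = *end; // $ deref=L378->L384+1 deref=L381->L384+1 // BAD
+int val = *end; // $ deref=L384+1 // BAD
 }
 
 void test28(unsigned size) {
@@ -412,7 +412,7 @@ void test28_simple2(unsigned size) {
 if (xs < end) {
 xs++;
 if (xs < end + 1) {
-xs[0] = 0; // $ deref=L411->L415 deref=L412->L415 deref=L414->L415 // BAD
+xs[0] = 0; // $ deref=L415 // BAD
 }
 }
 }
@@ -423,7 +423,7 @@ void test28_simple3(unsigned size) {
 if (xs < end) {
 xs++;
 if (xs - 1 < end) {
-xs[0] = 0; // $ deref=L422->L426 deref=L423->L426 deref=L425->L426 // BAD
+xs[0] = 0; // $ deref=L426 // BAD
 }
 }
 }
@@ -435,7 +435,7 @@ void test28_simple4(unsigned size) {
 end++;
 xs++;
 if (xs < end) {
-xs[0] = 0; // $ deref=L433->L438 deref=L434->L438 deref=L435->L438 // BAD
+xs[0] = 0; // $ deref=L438 // BAD
 }
 }
 }
@@ -447,7 +447,7 @@ void test28_simple5(unsigned size) {
 if (xs < end) {
 xs++;
 if (xs < end) {
-xs[0] = 0; // $ deref=L445->L450 deref=L446->L450 // BAD
+xs[0] = 0; // $ deref=L450 // BAD
 }
 }
 }
@@ -483,7 +483,7 @@ void test28_simple8(unsigned size) {
 if (xs < end) {
 xs++;
 if (xs < end - 1) {
-xs[0] = 0; // $ deref=L481->L486+498 deref=L482->L486+498 // BAD
+xs[0] = 0; // $ deref=L486+498 // BAD
 }
 }
 }
@@ -659,7 +659,7 @@ void test32(unsigned size) {
 xs++;
 if (xs >= end)
 return;
-xs[0] = 0; // $ GOOD
+xs[0] = 0; // $ deref=L656->L662+1 deref=L657->L662+1 GOOD [FALSE POSITIVE]
 }
 
 void test33(unsigned size, unsigned src_pos)
@@ -698,12 +698,12 @@ void test34(unsigned size) {
 p += 1;
 }
 if (p + 1 < end) {
-int val = *p; // GOOD
+int val = *p; // $ deref=L698->L700->L701 // GOOD [FALSE POSITIVE]
 }
 }
 
 void deref(char* q) {
-char x = *q; // $ MISSING: deref=L712->L706 deref=L713->L706
+char x = *q; // $ deref=L714->L705->L706 // BAD
 }
 
 void test35(unsigned long size, char* q)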
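Review bot: The two new `[FALSE POSITIVE]` annotations are written inconsistently: line 662 in `test32` is `// $ deref=L656->L662+1 deref=L657->L662+1 GOOD [FALSE POSITIVE]` with no `//` before `GOOD`, while line 701 in `test34` uses `// $ deref=L698->L700->L701 // GOOD [FALSE POSITIVE]`, the separator every other `$` annotation in this file uses before its verdict. Whether or not the expectations parser ignores a bare `GOOD` token, it reads as a stray tag; line 662 should become `xs[0] = 0; // $ deref=L656->L662+1 deref=L657->L662+1 // GOOD [FALSE POSITIVE]`. Neither annotation records why the result is spurious, and a short trailing note — for `test32`, that the `if (xs >= end) return;` guard two lines above already excludes the out-of-bounds case — would save the next reader from re-deriving it from the range analysis. `test32`, `test34` and `test35` all extend beyond the hunks shown here.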
