Merge pull request #1238 from geoffw0/newtests

CPP: New test cases

Author: jbj

cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/IncorrectConstructorDelegation.expected

@@ -0,0 +1,2 @@
+| test.cpp:7:3:7:24 | call to MyRect | The constructor MyRect may leave the instance uninitialized, as it tries to delegate to another constructor. |
+| test.cpp:16:3:16:24 | call to MyRect | The constructor MyRect may leave the instance uninitialized, as it tries to delegate to another constructor. |

cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/IncorrectConstructorDelegation.qlref

@@ -0,0 +1 @@
+Likely Bugs/OO/IncorrectConstructorDelegation.ql

cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/test.cpp

@@ -0,0 +1,32 @@
+
+class MyRect
+{
+public:
+	MyRect()
+	{
+		MyRect(100.0f, 100.0f); // BAD
+	}
+
+	MyRect(float _width, float _height) : width(_width), height(_height)
+	{
+	}
+
+	MyRect(float _width)
+	{
+		MyRect(_width, _width); // BAD
+	}
+
+	MyRect(int a) : MyRect(10.0f, 10.0f) // GOOD
+	{
+		MyRect other1(20.0f, 20.0f); // GOOD
+		MyRect other2 = MyRect(30.0f, 30.0f); // GOOD
+	}
+
+	MyRect(int a, int b)
+	{
+		*this = MyRect(40.0f, 40.0f); // GOOD
+	}
+
+private:
+	float width, height;
+};

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected

@@ -56,6 +56,11 @@
 | tests.cpp:519:3:519:8 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:510:16:510:21 | call to malloc | destination buffer |
 | tests.cpp:541:6:541:10 | call to fread | This 'fread' operation may access 101 bytes but the $@ is only 100 bytes. | tests.cpp:532:7:532:16 | charBuffer | destination buffer |
 | tests.cpp:546:6:546:10 | call to fread | This 'fread' operation may access 400 bytes but the $@ is only 100 bytes. | tests.cpp:532:7:532:16 | charBuffer | destination buffer |
+| tests.cpp:569:6:569:15 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
+| tests.cpp:577:7:577:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
+| tests.cpp:577:7:577:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:571:8:571:13 | buffer | array |
+| tests.cpp:579:6:579:12 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
+| tests.cpp:579:6:579:12 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:571:8:571:13 | buffer | array |
 | tests_restrict.c:12:2:12:7 | call to memcpy | This 'memcpy' operation accesses 2 bytes but the $@ is only 1 byte. | tests_restrict.c:7:6:7:13 | smallbuf | source buffer |
 | unions.cpp:26:2:26:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:21:10:21:11 | mu | destination buffer |
 | unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp

@@ -560,6 +560,32 @@ void test20()
 	}
 }
 
+void test21(bool cond)
+{
+	char buffer[100];
+	char *ptr;
+	int i;
+
+	if (buffer[-1] == 0) { return; } // BAD: accesses buffer[-1]
+
+	ptr = buffer;
+	if (cond)
+	{
+		ptr++;
+		if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[0]
+	} else {
+		if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1]
+	}
+	if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] or buffer[0]
+
+	ptr = buffer;
+	for (i = 0; i < 2; i++)
+	{
+		ptr++;
+	}
+	if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[1]
+}
+
 int main(int argc, char *argv[])
 {
 	long long arr17[19];
@@ -582,6 +608,7 @@ int main(int argc, char *argv[])
 	test18();
 	test19(argc == 0);
 	test20();
+	test21(argc == 0);
 
 	return 0;
 }

cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/test.cpp

@@ -555,6 +555,20 @@ void test28()
 	dostuff();
 }
 
+// placement new
+void* operator new(size_t, void* p);
+
+class MyClass29
+{
+};
+
+void test29()
+{
+	void *buf = malloc(sizeof(MyClass29)); // GOOD (freed)
+	MyClass29 *p1 = new (buf) MyClass29(); // GOOD (not really an allocation)
+	free(buf);
+}
+
 // run tests
 int main(int argc, char *argv[])
 {
@@ -585,4 +599,5 @@ int main(int argc, char *argv[])
 	test26();
 	test27();
 	test28();
+	test29();
 }

cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/AV Rule 186.expected

@@ -0,0 +1,2 @@
+| test.c:14:6:14:15 | not_called | AV Rule 186: There shall be no unreachable code. |
+| test.c:32:3:32:6 | ExprStmt | AV Rule 186: There shall be no unreachable code. |

cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/AV Rule 186.qlref

@@ -0,0 +1 @@
+jsf/4.24 Control Flow Structures/AV Rule 186.ql

cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/test.c

@@ -0,0 +1,38 @@
+
+int x = 0;
+
+void called1()
+{
+	x++;
+}
+
+void called2()
+{
+	x++;
+}
+
+void not_called()
+{
+	x++; // BAD: unreachable
+}
+
+int main(int argc, const char* argv[])
+{
+	void (*fun_ptr)() = &called2;
+
+	called1();
+	called2();
+
+	if (argc > 4)
+	{
+		x++;
+		while (1) {
+			x++;
+		}
+		x++; // BAD: unreachable
+	} else if (argc > 4) {
+		x++; // BAD: unreachable [NOT DETECTED]
+	} else if (argc > 5) {
+		x++; // BAD: unreachable [NOT DETECTED]
+	}
+}