github
diff --git a/‎cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql‎
Lines changed: 3 additions & 3 deletions b/‎cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql‎
Lines changed: 6 additions & 1 deletion b/‎cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected‎
Lines changed: 6 additions & 6 deletions b/‎cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.expected‎
Lines changed: 2 additions & 0 deletions b/‎cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.expected‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c‎
Lines changed: 25 additions & 0 deletions b/‎cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/Assignable.qll‎
Lines changed: 2 additions & 1 deletion b/‎csharp/ql/src/semmle/code/csharp/Assignable.qll‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎csharp/ql/src/semmle/code/csharp/commons/ConsistencyChecks.qll‎
Lines changed: 4 additions & 1 deletion b/‎csharp/ql/src/semmle/code/csharp/commons/ConsistencyChecks.qll‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll‎
Lines changed: 4 additions & 3 deletions b/‎csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll‎
Lines changed: 10 additions & 9 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll‎
Lines changed: 10 additions & 9 deletions
@@ -16,6 +16,6 @@ import DataFlow::PathGraph
 
 from WriteConfig b, DataFlow::PathNode source, DataFlow::PathNode sink
 where b.hasFlowPath(source, sink)
-select sink.getNode(),
-  "This write into the external location '" + sink + "' may contain unencrypted data from $@",
-  source, "this source."
+select sink.getNode(), source, sink,
+  "This write into the external location '" + sink.getNode() +
+    "' may contain unencrypted data from $@", source, "this source."
@@ -12,6 +12,7 @@
  */
 
 import cpp
+import semmle.code.cpp.controlflow.Guards
 
 /**
  * A function call that potentially does not return (such as `exit`).
@@ -48,7 +49,11 @@ class ReallocCallLeak extends FunctionCall {
    * example a call to `exit()`.
    */
   predicate mayHandleByTermination() {
-    this.(ControlFlowNode).getASuccessor*() instanceof CallMayNotReturn
+    exists(GuardCondition guard, CallMayNotReturn exit |
+      this.(ControlFlowNode).getASuccessor*() = guard and
+      guard.getAChild*() = v.getAnAccess() and
+      guard.controls(exit.getBasicBlock(), _)
+    )
   }
 }
 
 
@@ -13,9 +13,9 @@ nodes
 | test.cpp:96:37:96:46 | theZipcode | semmle.label | theZipcode |
 | test.cpp:99:42:99:51 | theZipcode | semmle.label | theZipcode |
 #select
-| test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:57:9:57:18 | theZipcode | this source. |
-| test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@ | test.cpp:74:24:74:30 | medical | this source. |
-| test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@ | test.cpp:77:16:77:22 | medical | this source. |
-| test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@ | test.cpp:81:22:81:28 | medical | this source. |
-| test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:96:37:96:46 | theZipcode | this source. |
-| test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:99:42:99:51 | theZipcode | this source. |
+| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:57:9:57:18 | theZipcode | this source. |
+| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@ | test.cpp:74:24:74:30 | medical | this source. |
+| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@ | test.cpp:77:16:77:22 | medical | this source. |
+| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@ | test.cpp:81:22:81:28 | medical | this source. |
+| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:96:37:96:46 | theZipcode | this source. |
+| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:99:42:99:51 | theZipcode | this source. |
@@ -4,3 +4,5 @@
 | test.c:186:29:186:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
 | test.c:282:29:282:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
 | test.c:299:26:299:32 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
+| test.c:328:29:328:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
+| test.c:342:29:342:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
@@ -319,3 +319,28 @@ unsigned char *noBadResize_4_1(unsigned char *buffer, size_t currentSize, size_t
 
 	return buffer;
 }
+
+unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t newSize, int cond)
+{
+	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
+	if (currentSize < newSize)
+	{
+		buffer = (unsigned char *)realloc(buffer, newSize);
+	}
+	if (cond)
+	{
+		abort(); // irrelevant
+	}
+	return buffer;
+}
+
+unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t newSize, int cond)
+{
+	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
+	if (currentSize < newSize)
+	{
+		buffer = (unsigned char *)realloc(buffer, newSize);
+		assert(cond); // irrelevant
+	}
+	return buffer;
+}
@@ -3,6 +3,7 @@
  */
 
 import csharp
+private import semmle.code.csharp.dataflow.internal.SsaImpl as SsaImpl
 
 /**
  * An assignable, that is, an element that can be assigned to. Either a
@@ -83,7 +84,7 @@ class AssignableRead extends AssignableAccess {
 
   pragma[noinline]
   private ControlFlow::Node getAnAdjacentReadSameVar() {
-    Ssa::Internal::adjacentReadPairSameVar(_, this.getAControlFlowNode(), result)
+    SsaImpl::adjacentReadPairSameVar(_, this.getAControlFlowNode(), result)
   }
 
   /**
 
@@ -46,7 +46,10 @@ module SsaChecks {
   }
 
   predicate notDominatedByDef(AssignableRead read, string m) {
-    exists(Definition def, BasicBlock bb, ControlFlow::Node rnode, ControlFlow::Node dnode, int i |
+    exists(
+      Definition def, ControlFlow::BasicBlock bb, ControlFlow::Node rnode, ControlFlow::Node dnode,
+      int i
+    |
       def.getAReadAtNode(rnode) = read
     |
       def.definesAt(_, bb, i) and
 
@@ -1723,6 +1723,7 @@ module Internal {
   cached
   private module Cached {
     private import semmle.code.csharp.Caching
+    private import semmle.code.csharp.dataflow.internal.SsaImpl as SsaImpl
 
     /**
      * Holds if basic block `bb` only is reached when guard `g` has abstract value `v`.
@@ -1775,9 +1776,9 @@ module Internal {
     private predicate adjacentReadPairSameVarUniquePredecessor(
       Ssa::Definition def, ControlFlow::Node cfn1, ControlFlow::Node cfn2
     ) {
-      Ssa::Internal::adjacentReadPairSameVar(def, cfn1, cfn2) and
+      SsaImpl::adjacentReadPairSameVar(def, cfn1, cfn2) and
       not exists(ControlFlow::Node other |
-        Ssa::Internal::adjacentReadPairSameVar(def, other, cfn2) and
+        SsaImpl::adjacentReadPairSameVar(def, other, cfn2) and
         other != cfn1 and
         other != cfn2
       )
@@ -1831,7 +1832,7 @@ module Internal {
     private predicate firstReadUniquePredecessor(Ssa::ExplicitDefinition def, ControlFlow::Node cfn) {
       exists(def.getAFirstReadAtNode(cfn)) and
       not exists(ControlFlow::Node other |
-        Ssa::Internal::adjacentReadPairSameVar(def, other, cfn) and
+        SsaImpl::adjacentReadPairSameVar(def, other, cfn) and
         other != cfn
       )
     }
 
@@ -23,6 +23,7 @@ private import internal.CallableReturns
 private import semmle.code.csharp.commons.Assertions
 private import semmle.code.csharp.controlflow.Guards as G
 private import semmle.code.csharp.controlflow.Guards::AbstractValues
+private import semmle.code.csharp.dataflow.internal.SsaImpl as SsaImpl
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.Test
 
@@ -177,7 +178,7 @@ private predicate defMaybeNull(Ssa::Definition def, string msg, Element reason)
     exists(G::DereferenceableExpr de | de = def.getARead() |
       reason = de.getANullCheck(_, true) and
       msg = "as suggested by $@ null check" and
-      not de = any(Ssa::PseudoDefinition pdef).getARead() and
+      not de = any(Ssa::PhiNode phi).getARead() and
       strictcount(Element e | e = any(Ssa::Definition def0 | de = def0.getARead()).getElement()) = 1 and
       // Don't use a check as reason if there is a `null` assignment
       // or argument
@@ -205,7 +206,7 @@ private predicate defMaybeNull(Ssa::Definition def, string msg, Element reason)
     // A variable of nullable type may be null
     exists(Dereference d | dereferenceAt(_, _, def, d) |
       d.hasNullableType() and
-      not def instanceof Ssa::PseudoDefinition and
+      not def instanceof Ssa::PhiNode and
       reason = def.getSourceVariable().getAssignable() and
       msg = "because it has a nullable type"
     )
@@ -236,13 +237,13 @@ private predicate defNullImpliesStep(
   Ssa::Definition def1, BasicBlock bb1, Ssa::Definition def2, BasicBlock bb2
 ) {
   exists(Ssa::SourceVariable v | defNullImpliesStep0(v, def1, bb1, bb2) |
-    def2.(Ssa::PseudoDefinition).getAnInput() = def1 and
+    def2.(Ssa::PhiNode).getAnInput() = def1 and
     bb2 = def2.getBasicBlock()
     or
     def2 = def1 and
-    not exists(Ssa::PseudoDefinition def |
-      def.getSourceVariable() = v and
-      bb2 = def.getBasicBlock()
+    not exists(Ssa::PhiNode phi |
+      phi.getSourceVariable() = v and
+      bb2 = phi.getBasicBlock()
     )
   ) and
   not exists(SuccessorTypes::ConditionalSuccessor s, NullValue nv |
@@ -426,14 +427,14 @@ module PathGraph {
 }
 
 private Ssa::Definition getAPseudoInput(Ssa::Definition def) {
-  result = def.(Ssa::PseudoDefinition).getAnInput()
+  result = def.(Ssa::PhiNode).getAnInput()
 }
 
 // `def.getAnUltimateDefinition()` includes inputs into uncertain
 // definitions, but we only want inputs into pseudo nodes
 private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) {
   result = getAPseudoInput*(def) and
-  not result instanceof Ssa::PseudoDefinition
+  not result instanceof Ssa::PhiNode
 }
 
 /**
@@ -446,7 +447,7 @@ private predicate defReaches(Ssa::Definition def, ControlFlow::Node cfn, boolean
   (always = true or always = false)
   or
   exists(ControlFlow::Node mid | defReaches(def, mid, always) |
-    Ssa::Internal::adjacentReadPairSameVar(_, mid, cfn) and
+    SsaImpl::adjacentReadPairSameVar(_, mid, cfn) and
     not mid =
       any(Dereference d |
         if always = true
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,10 @@ module SsaChecks {`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`predicate notDominatedByDef(AssignableRead read, string m) {`
`49`		`- exists(Definition def, BasicBlock bb, ControlFlow::Node rnode, ControlFlow::Node dnode, int i \|`
	`49`	`+ exists(`
	`50`	`+ Definition def, ControlFlow::BasicBlock bb, ControlFlow::Node rnode, ControlFlow::Node dnode,`
	`51`	`+ int i`
	`52`	`+ \|`
`50`	`53`	`def.getAReadAtNode(rnode) = read`
`51`	`54`	`\|`
`52`	`55`	`def.definesAt(_, bb, i) and`