From 4482669d7e61bf5ac6306792e9fbc4157cbd390c Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 15 Sep 2022 15:58:49 +0100
Subject: [PATCH] C++: Add a new 'InvalidPointerDeref' query to experimental.

---
 .../CWE/CWE-193/InvalidPointerDeref.cpp       |  26 +
 .../CWE/CWE-193/InvalidPointerDeref.qhelp     |  31 +
 .../CWE/CWE-193/InvalidPointerDeref.ql        | 316 +++++++++
 .../InvalidPointerDeref.expected              | 626 ++++++++++++++++++
 .../pointer-deref/InvalidPointerDeref.qlref   |   1 +
 .../CWE/CWE-193/pointer-deref/test.cpp        | 181 +++++
 6 files changed, 1181 insertions(+)
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.cpp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.qhelp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.qlref
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.cpp
new file mode 100644
index 00000000000..0ad0635ae40
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.cpp
@@ -0,0 +1,26 @@
+void *malloc(unsigned);
+unsigned get_size();
+void write_data(const unsigned char*, const unsigned char*);
+
+int main(int argc, char* argv[]) {
+  unsigned size = get_size();
+  
+  {
+    unsigned char *begin = (unsigned char*)malloc(size);
+    if(!begin) return -1;
+
+    unsigned char* end = begin + size;
+    write_data(begin, end);
+    *end = '\0'; // BAD: Out-of-bounds write
+  }
+
+  {
+    unsigned char *begin = (unsigned char*)malloc(size);
+    if(!begin) return -1;
+
+    unsigned char* end = begin + size;
+    write_data(begin, end);
+    *(end - 1) = '\0'; // GOOD: writing to the last byte
+  }
+
+}
\ No newline at end of file
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.qhelp
new file mode 100644
index 00000000000..4f590659112
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.qhelp
@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The program performs an out-of-bounds read or write operation. In addition to causing program instability, techniques exist which may allow an attacker to use this vulnerability to execute arbitrary code.</p>
+
+</overview>
+<recommendation>
+
+<p>Ensure that pointer dereferences are properly guarded to ensure that they cannot be used to read or write past the end of the allocation.</p>
+
+</recommendation>
+<example>
+<p>The first example allocates a buffer of size <code>size</code> and creates a local variable that stores the location that is one byte past the end of the allocation.
+This local variable is then dereferenced which results in an out-of-bounds write.
+The second example subtracts one from the <code>end</code> variable before dereferencing it. This subtraction ensures that the write correctly updates the final byte of the allocation.</p>
+<sample src="InvalidPointerDeref.cpp" />
+
+</example>
+<references>
+
+<li>CERT C Coding Standard:
+<a href="https://wiki.sei.cmu.edu/confluence/display/c/ARR30-C.+Do+not+form+or+use+out-of-bounds+pointers+or+array+subscripts">ARR30-C. Do not form or use out-of-bounds pointers or array subscripts</a>.</li>
+<li>
+OWASP:
+<a href="https://owasp.org/www-community/vulnerabilities/Buffer_Overflow">Buffer Overflow</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
new file mode 100644
index 00000000000..e6e8c948e62
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
@@ -0,0 +1,316 @@
+/**
+ * @name Invalid pointer dereference
+ * @description Dereferencing a pointer that points past it allocation is undefined behavior
+ *              and may lead to security vulnerabilities.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id cpp/invalid-pointer-deref
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-119
+ *       external/cwe/cwe-125
+ *       external/cwe/cwe-193
+ *       external/cwe/cwe-787
+ */
+
+import cpp
+import experimental.semmle.code.cpp.dataflow.ProductFlow
+import experimental.semmle.code.cpp.ir.dataflow.DataFlow3
+import experimental.semmle.code.cpp.semantic.analysis.RangeAnalysis
+import experimental.semmle.code.cpp.semantic.SemanticBound
+import experimental.semmle.code.cpp.semantic.SemanticExprSpecific
+import semmle.code.cpp.ir.IR
+
+pragma[nomagic]
+Instruction getABoundIn(SemBound b, IRFunction func) {
+  result = b.getExpr(0) and
+  result.getEnclosingIRFunction() = func
+}
+
+/**
+ * Holds if `i <= b + delta`.
+ */
+pragma[nomagic]
+predicate bounded(Instruction i, Instruction b, int delta) {
+  exists(SemBound bound, IRFunction func |
+    semBounded(getSemanticExpr(i), bound, delta, true, _) and
+    b = getABoundIn(bound, func) and
+    i.getEnclosingIRFunction() = func
+  )
+}
+
+/**
+ * Holds if the combination of `n` and `state` represents an appropriate
+ * source for the expression `e` suitable for use-use flow.
+ */
+private predicate hasSizeImpl(Expr e, DataFlow::Node n, string state) {
+  // The simple case: If the size is a variable access with no qualifier we can just use the
+  // dataflow node for that expression and no state.
+  exists(VariableAccess va |
+    va = e and
+    not va instanceof FieldAccess and
+    n.asConvertedExpr() = va.getFullyConverted() and
+    state = "0"
+  )
+  or
+  // If the size is a choice between two expressions we allow both to be nodes representing the size.
+  exists(ConditionalExpr cond | cond = e | hasSizeImpl([cond.getThen(), cond.getElse()], n, state))
+  or
+  // If the size is an expression plus a constant, we pick the dataflow node of the expression and
+  // remember the constant in the state.
+  exists(Expr const, Expr nonconst |
+    e.(AddExpr).hasOperands(const, nonconst) and
+    state = const.getValue() and
+    hasSizeImpl(nonconst, n, _)
+  )
+  or
+  exists(Expr const, Expr nonconst |
+    e.(SubExpr).hasOperands(const, nonconst) and
+    state = "-" + const.getValue() and
+    hasSizeImpl(nonconst, n, _)
+  )
+}
+
+/**
+ * Holds if `(n, state)` pair represents the source of flow for the size
+ * expression associated with `alloc`.
+ */
+predicate hasSize(AllocationExpr alloc, DataFlow::Node n, string state) {
+  hasSizeImpl(alloc.getSizeExpr(), n, state)
+}
+
+/**
+ * A product-flow configuration for flow from an (allocation, size) pair to a
+ * pointer-arithmetic operation that is non-strictly upper-bounded by `allocation + size`.
+ */
+class AllocToInvalidPointerConf extends ProductFlow::Configuration {
+  AllocToInvalidPointerConf() { this = "AllocToInvalidPointerConf" }
+
+  override predicate isSourcePair(
+    DataFlow::Node source1, string state1, DataFlow::Node source2, string state2
+  ) {
+    state1 = "" and
+    hasSize(source1.asConvertedExpr(), source2, state2)
+  }
+
+  override predicate isSinkPair(
+    DataFlow::Node sink1, DataFlow::FlowState state1, DataFlow::Node sink2,
+    DataFlow::FlowState state2
+  ) {
+    state1 = "" and
+    exists(int delta |
+      isSinkImpl(_, sink1, sink2, delta) and
+      state2 = delta.toString()
+    )
+  }
+}
+
+pragma[nomagic]
+predicate pointerAddInstructionHasOperands(
+  PointerAddInstruction pai, Instruction left, Instruction right
+) {
+  pai.getLeft() = left and
+  pai.getRight() = right
+}
+
+/**
+ * Holds if `pai` is non-strictly upper bounded by `b + delta` and `sink1` is the
+ * non-constant operand of the pointer-arithmetic operation.
+ */
+pragma[nomagic]
+predicate pointerAddInstructionHasBounds(
+  PointerAddInstruction pai, DataFlow::Node sink1, Instruction sink2, int delta
+) {
+  exists(Instruction right |
+    pointerAddInstructionHasOperands(pai, sink1.asInstruction(), right) and
+    bounded(right, sink2, delta)
+  )
+}
+
+/**
+ * Holds if `pai` is non-strictly upper bounded by `sink2 + delta` and `sink1` is the
+ * non-constant operand of the pointer-arithmetic operation.
+ */
+predicate isSinkImpl(
+  PointerAddInstruction pai, DataFlow::Node sink1, DataFlow::Node sink2, int delta
+) {
+  pointerAddInstructionHasBounds(pai, sink1, sink2.asInstruction(), delta)
+}
+
+/**
+ * Holds if `sink` is a sink for `InvalidPointerToDerefConf` and `i` is a `StoreInstruction` that
+ * writes to an address that non-strictly upper-bounds `sink`, or `i` is a `LoadInstruction` that
+ * reads from an address that non-strictly upper-bounds `sink`.
+ */
+predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string operation) {
+  exists(AddressOperand addr, int delta |
+    bounded(addr.getDef(), sink.asInstruction(), delta) and
+    delta >= 0 and
+    i.getAnOperand() = addr
+  |
+    i instanceof StoreInstruction and
+    operation = "write"
+    or
+    i instanceof LoadInstruction and
+    operation = "read"
+  )
+}
+
+/**
+ * A configuration to track flow from a pointer-arithmetic operation found
+ * by `AllocToInvalidPointerConf` to a dereference of the pointer.
+ */
+class InvalidPointerToDerefConf extends DataFlow3::Configuration {
+  InvalidPointerToDerefConf() { this = "InvalidPointerToDerefConf" }
+
+  override predicate isSource(DataFlow::Node source) { invalidPointerToDerefSource(_, source, _) }
+
+  override predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }
+}
+
+predicate invalidPointerToDerefSource(
+  PointerArithmeticInstruction pai, DataFlow::Node source, int delta
+) {
+  exists(ProductFlow::Configuration conf, DataFlow::PathNode p, DataFlow::Node sink1 |
+    p.getNode() = sink1 and
+    conf.hasFlowPath(_, _, p, _) and
+    isSinkImpl(pai, sink1, _, _) and
+    bounded(source.asInstruction(), pai, delta) and
+    delta >= 0
+  )
+}
+
+newtype TMergedPathNode =
+  // The path nodes computed by the first projection of `AllocToInvalidPointerConf`
+  TPathNode1(DataFlow::PathNode p) or
+  // The path nodes computed by `InvalidPointerToDerefConf`
+  TPathNode3(DataFlow3::PathNode p) or
+  // The read/write that uses the invalid pointer identified by `InvalidPointerToDerefConf`.
+  // This one is needed because the sink identified by `InvalidPointerToDerefConf` is the
+  // pointer, but we want to raise an alert at the dereference.
+  TPathNodeSink(Instruction i) {
+    exists(DataFlow::Node n |
+      any(InvalidPointerToDerefConf conf).hasFlow(_, n) and
+      isInvalidPointerDerefSink(n, i, _)
+    )
+  }
+
+class MergedPathNode extends TMergedPathNode {
+  string toString() { none() }
+
+  final DataFlow::PathNode asPathNode1() { this = TPathNode1(result) }
+
+  final DataFlow3::PathNode asPathNode3() { this = TPathNode3(result) }
+
+  final Instruction asSinkNode() { this = TPathNodeSink(result) }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    none()
+  }
+}
+
+class PathNode1 extends MergedPathNode, TPathNode1 {
+  override string toString() {
+    exists(DataFlow::PathNode p |
+      this = TPathNode1(p) and
+      result = p.toString()
+    )
+  }
+
+  override predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.asPathNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
+
+class PathNode3 extends MergedPathNode, TPathNode3 {
+  override string toString() {
+    exists(DataFlow3::PathNode p |
+      this = TPathNode3(p) and
+      result = p.toString()
+    )
+  }
+
+  override predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.asPathNode3().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
+
+class PathSinkNode extends MergedPathNode, TPathNodeSink {
+  override string toString() {
+    exists(Instruction i |
+      this = TPathNodeSink(i) and
+      result = i.toString()
+    )
+  }
+
+  override predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.asSinkNode()
+        .getLocation()
+        .hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
+
+query predicate edges(MergedPathNode node1, MergedPathNode node2) {
+  node1.asPathNode1().getASuccessor() = node2.asPathNode1()
+  or
+  joinOn1(_, node1.asPathNode1(), node2.asPathNode3())
+  or
+  node1.asPathNode3().getASuccessor() = node2.asPathNode3()
+  or
+  joinOn2(node1.asPathNode3(), node2.asSinkNode(), _)
+}
+
+/**
+ * Holds if `p1` is a sink of `AllocToInvalidPointerConf` and `p2` is a source
+ * of `InvalidPointerToDerefConf`, and they are connected through `pai`.
+ */
+predicate joinOn1(PointerArithmeticInstruction pai, DataFlow::PathNode p1, DataFlow3::PathNode p2) {
+  isSinkImpl(pai, p1.getNode(), _, _) and
+  invalidPointerToDerefSource(pai, p2.getNode(), _)
+}
+
+/**
+ * Holds if `p1` is a sink of `InvalidPointerToDerefConf` and `i` is the instruction
+ * that dereferences `p1`. The string `operation` describes whether the `i` is
+ * a `StoreInstruction` or `LoadInstruction`.
+ */
+predicate joinOn2(DataFlow3::PathNode p1, Instruction i, string operation) {
+  isInvalidPointerDerefSink(p1.getNode(), i, operation)
+}
+
+predicate hasFlowPath(
+  MergedPathNode source1, MergedPathNode sink, DataFlow3::PathNode source3,
+  PointerArithmeticInstruction pai, string operation
+) {
+  exists(
+    AllocToInvalidPointerConf conf1, InvalidPointerToDerefConf conf2, DataFlow3::PathNode sink3,
+    DataFlow::PathNode sink1
+  |
+    conf1.hasFlowPath(source1.asPathNode1(), _, sink1, _) and
+    joinOn1(pai, sink1, source3) and
+    conf2.hasFlowPath(source3, sink3) and
+    joinOn2(sink3, sink.asSinkNode(), operation)
+  )
+}
+
+from
+  MergedPathNode source, MergedPathNode sink, int k, string kstr, DataFlow3::PathNode source3,
+  PointerArithmeticInstruction pai, string operation, Expr offset, DataFlow::Node n
+where
+  hasFlowPath(source, sink, source3, pai, operation) and
+  invalidPointerToDerefSource(pai, source3.getNode(), k) and
+  offset = pai.getRight().getUnconvertedResultExpression() and
+  n = source.asPathNode1().getNode() and
+  if k = 0 then kstr = "" else kstr = " + " + k
+select sink, source, sink,
+  "This " + operation + " might be out of bounds, as the pointer might be equal to $@ + $@" + kstr +
+    ".", n, n.toString(), offset, offset.toString()
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
new file mode 100644
index 00000000000..430c56774f7
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -0,0 +1,626 @@
+edges
+| test.cpp:4:15:4:20 | call to malloc | test.cpp:5:15:5:15 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:15 | Load | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:8:16:8:20 | ... + ... |
+| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:5:15:5:15 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | Store |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:22 | ... + ... | test.cpp:12:16:12:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:5:15:5:22 | Store | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:5:15:5:22 | Store | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:6:15:6:15 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:7:16:7:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:5:15:5:22 | Store | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:5:15:5:22 | Store | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:8:16:8:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:9:16:9:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:10:16:10:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:11:16:11:16 | Load |
+| test.cpp:5:15:5:22 | Store | test.cpp:12:16:12:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:6:15:6:15 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:6:15:6:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:7:16:7:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:6:15:6:15 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:6:15:6:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:6:15:6:15 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:7:16:7:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:7:16:7:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:7:16:7:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:7:16:7:16 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:8:16:8:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:7:16:7:16 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:8:16:8:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:8:16:8:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:8:16:8:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:8:16:8:16 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:9:16:9:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:8:16:8:16 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:8:16:8:20 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:8:16:8:20 | ... + ... | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:9:16:9:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:9:16:9:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:9:16:9:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:9:16:9:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:9:16:9:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:9:16:9:16 | Load | test.cpp:10:16:10:16 | Load |
+| test.cpp:9:16:9:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:9:16:9:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:9:16:9:16 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:10:16:10:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:10:16:10:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:10:16:10:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:10:16:10:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:10:16:10:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:10:16:10:16 | Load | test.cpp:11:16:11:16 | Load |
+| test.cpp:10:16:10:16 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:11:16:11:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:11:16:11:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:11:16:11:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:11:16:11:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:11:16:11:16 | Load | test.cpp:12:16:12:16 | Load |
+| test.cpp:12:16:12:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:12:16:12:16 | Load | test.cpp:6:14:6:15 | Load: * ... |
+| test.cpp:12:16:12:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:12:16:12:16 | Load | test.cpp:8:14:8:21 | Load: * ... |
+| test.cpp:16:15:16:20 | call to malloc | test.cpp:17:15:17:15 | Load |
+| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:17:15:17:22 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
+| test.cpp:17:15:17:15 | Load | test.cpp:20:16:20:20 | ... + ... |
+| test.cpp:17:15:17:22 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
+| test.cpp:17:15:17:22 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
+| test.cpp:20:16:20:20 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
+| test.cpp:20:16:20:20 | ... + ... | test.cpp:20:14:20:21 | Load: * ... |
+| test.cpp:28:15:28:20 | call to malloc | test.cpp:29:15:29:15 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:15 | Load | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:32:16:32:20 | ... + ... |
+| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:29:15:29:15 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | Store |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:28 | ... + ... | test.cpp:36:16:36:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:29:15:29:28 | Store | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:29:15:29:28 | Store | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:30:15:30:15 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:31:16:31:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:29:15:29:28 | Store | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:29:15:29:28 | Store | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:32:16:32:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:33:16:33:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:34:16:34:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:35:16:35:16 | Load |
+| test.cpp:29:15:29:28 | Store | test.cpp:36:16:36:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:30:15:30:15 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:30:15:30:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:31:16:31:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:30:15:30:15 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:30:15:30:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:30:15:30:15 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:31:16:31:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:31:16:31:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:31:16:31:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:31:16:31:16 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:32:16:32:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:31:16:31:16 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:32:16:32:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:32:16:32:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:32:16:32:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:32:16:32:16 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:33:16:33:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:32:16:32:16 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:32:16:32:20 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:32:16:32:20 | ... + ... | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:33:16:33:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:33:16:33:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:33:16:33:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:33:16:33:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:33:16:33:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:33:16:33:16 | Load | test.cpp:34:16:34:16 | Load |
+| test.cpp:33:16:33:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:33:16:33:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:33:16:33:16 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:34:16:34:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:34:16:34:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:34:16:34:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:34:16:34:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:34:16:34:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:34:16:34:16 | Load | test.cpp:35:16:35:16 | Load |
+| test.cpp:34:16:34:16 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:35:16:35:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:35:16:35:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:35:16:35:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:35:16:35:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:35:16:35:16 | Load | test.cpp:36:16:36:16 | Load |
+| test.cpp:36:16:36:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:36:16:36:16 | Load | test.cpp:30:14:30:15 | Load: * ... |
+| test.cpp:36:16:36:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:36:16:36:16 | Load | test.cpp:32:14:32:21 | Load: * ... |
+| test.cpp:40:15:40:20 | call to malloc | test.cpp:41:15:41:15 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:15 | Load | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:44:16:44:20 | ... + ... |
+| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:41:15:41:15 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:41:15:41:28 | Store |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:28 | ... + ... | test.cpp:48:16:48:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:41:15:41:28 | Store | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:41:15:41:28 | Store | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:42:15:42:15 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:43:16:43:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:41:15:41:28 | Store | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:41:15:41:28 | Store | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:44:16:44:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:45:16:45:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:46:16:46:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:47:16:47:16 | Load |
+| test.cpp:41:15:41:28 | Store | test.cpp:48:16:48:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:42:15:42:15 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:42:15:42:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:43:16:43:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:42:15:42:15 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:42:15:42:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:42:15:42:15 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:43:16:43:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:43:16:43:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:43:16:43:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:43:16:43:16 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:44:16:44:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:43:16:43:16 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:44:16:44:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:44:16:44:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:44:16:44:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:44:16:44:16 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:45:16:45:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:44:16:44:16 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:44:16:44:20 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:44:16:44:20 | ... + ... | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:45:16:45:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:45:16:45:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:45:16:45:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:45:16:45:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:45:16:45:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:45:16:45:16 | Load | test.cpp:46:16:46:16 | Load |
+| test.cpp:45:16:45:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:45:16:45:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:45:16:45:16 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:46:16:46:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:46:16:46:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:46:16:46:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:46:16:46:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:46:16:46:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:46:16:46:16 | Load | test.cpp:47:16:47:16 | Load |
+| test.cpp:46:16:46:16 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:47:16:47:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:47:16:47:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:47:16:47:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:47:16:47:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:47:16:47:16 | Load | test.cpp:48:16:48:16 | Load |
+| test.cpp:48:16:48:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:48:16:48:16 | Load | test.cpp:42:14:42:15 | Load: * ... |
+| test.cpp:48:16:48:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:48:16:48:16 | Load | test.cpp:44:14:44:21 | Load: * ... |
+| test.cpp:51:7:51:14 | VariableAddress indirection | test.cpp:62:39:62:39 | Load |
+| test.cpp:51:7:51:14 | VariableAddress indirection | test.cpp:66:39:66:39 | Load |
+| test.cpp:51:7:51:14 | VariableAddress indirection | test.cpp:70:38:70:38 | Load |
+| test.cpp:51:33:51:35 | Load indirection | test.cpp:60:34:60:37 | mk_array output argument |
+| test.cpp:52:19:52:24 | call to malloc | test.cpp:51:7:51:14 | VariableAddress indirection |
+| test.cpp:52:19:52:24 | call to malloc | test.cpp:53:12:53:16 | Load |
+| test.cpp:53:5:53:23 | Store | test.cpp:51:33:51:35 | Load indirection |
+| test.cpp:53:12:53:16 | Load | test.cpp:53:5:53:23 | Store |
+| test.cpp:53:12:53:16 | Load | test.cpp:53:5:53:23 | Store |
+| test.cpp:53:12:53:16 | Load | test.cpp:53:12:53:23 | ... + ... |
+| test.cpp:53:12:53:16 | Load | test.cpp:53:12:53:23 | ... + ... |
+| test.cpp:53:12:53:23 | ... + ... | test.cpp:51:33:51:35 | Load indirection |
+| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:62:32:62:34 | Load |
+| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:66:32:66:34 | Load |
+| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:70:31:70:33 | Load |
+| test.cpp:62:32:62:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:62:32:62:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:66:32:66:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:66:32:66:34 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:70:31:70:33 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:70:31:70:33 | Load | test.cpp:67:9:67:14 | Store: ... = ... |
+| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:91:20:91:22 | arr indirection [begin] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:95:20:95:22 | arr indirection [begin] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:99:20:99:22 | arr indirection [begin] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [begin] | test.cpp:119:18:119:25 | call to mk_array [begin] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:91:36:91:38 | arr indirection [end] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:95:36:95:38 | arr indirection [end] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:99:35:99:37 | arr indirection [end] |
+| test.cpp:80:9:80:16 | VariableAddress indirection [end] | test.cpp:119:18:119:25 | call to mk_array [end] |
+| test.cpp:82:5:82:28 | Store | test.cpp:82:9:82:13 | arr indirection [post update] [begin] |
+| test.cpp:82:9:82:13 | arr indirection [post update] [begin] | test.cpp:80:9:80:16 | VariableAddress indirection [begin] |
+| test.cpp:82:9:82:13 | arr indirection [post update] [begin] | test.cpp:83:15:83:17 | arr indirection [begin] |
+| test.cpp:82:17:82:22 | call to malloc | test.cpp:82:5:82:28 | Store |
+| test.cpp:83:5:83:30 | Store | test.cpp:83:9:83:11 | arr indirection [post update] [end] |
+| test.cpp:83:9:83:11 | arr indirection [post update] [end] | test.cpp:80:9:80:16 | VariableAddress indirection [end] |
+| test.cpp:83:15:83:17 | arr indirection [begin] | test.cpp:83:19:83:23 | begin |
+| test.cpp:83:15:83:30 | ... + ... | test.cpp:83:5:83:30 | Store |
+| test.cpp:83:19:83:23 | Load | test.cpp:83:5:83:30 | Store |
+| test.cpp:83:19:83:23 | Load | test.cpp:83:5:83:30 | Store |
+| test.cpp:83:19:83:23 | Load | test.cpp:83:15:83:30 | ... + ... |
+| test.cpp:83:19:83:23 | Load | test.cpp:83:15:83:30 | ... + ... |
+| test.cpp:83:19:83:23 | begin | test.cpp:83:19:83:23 | Load |
+| test.cpp:91:20:91:22 | arr indirection [begin] | test.cpp:91:24:91:28 | begin |
+| test.cpp:91:20:91:22 | arr indirection [begin] | test.cpp:91:47:91:47 | Load |
+| test.cpp:91:24:91:28 | begin | test.cpp:91:47:91:47 | Load |
+| test.cpp:91:36:91:38 | arr indirection [end] | test.cpp:91:40:91:42 | end |
+| test.cpp:91:40:91:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:91:40:91:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:91:40:91:42 | end | test.cpp:91:40:91:42 | Load |
+| test.cpp:95:20:95:22 | arr indirection [begin] | test.cpp:95:24:95:28 | begin |
+| test.cpp:95:20:95:22 | arr indirection [begin] | test.cpp:95:47:95:47 | Load |
+| test.cpp:95:24:95:28 | begin | test.cpp:95:47:95:47 | Load |
+| test.cpp:95:36:95:38 | arr indirection [end] | test.cpp:95:40:95:42 | end |
+| test.cpp:95:40:95:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:95:40:95:42 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:95:40:95:42 | end | test.cpp:95:40:95:42 | Load |
+| test.cpp:99:20:99:22 | arr indirection [begin] | test.cpp:99:24:99:28 | begin |
+| test.cpp:99:20:99:22 | arr indirection [begin] | test.cpp:99:46:99:46 | Load |
+| test.cpp:99:24:99:28 | begin | test.cpp:99:46:99:46 | Load |
+| test.cpp:99:35:99:37 | arr indirection [end] | test.cpp:99:39:99:41 | end |
+| test.cpp:99:39:99:41 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:99:39:99:41 | Load | test.cpp:96:9:96:14 | Store: ... = ... |
+| test.cpp:99:39:99:41 | end | test.cpp:99:39:99:41 | Load |
+| test.cpp:104:27:104:29 | arr [begin] | test.cpp:105:20:105:22 | arr indirection [begin] |
+| test.cpp:104:27:104:29 | arr [begin] | test.cpp:109:20:109:22 | arr indirection [begin] |
+| test.cpp:104:27:104:29 | arr [begin] | test.cpp:113:20:113:22 | arr indirection [begin] |
+| test.cpp:104:27:104:29 | arr [end] | test.cpp:105:36:105:38 | arr indirection [end] |
+| test.cpp:104:27:104:29 | arr [end] | test.cpp:109:36:109:38 | arr indirection [end] |
+| test.cpp:104:27:104:29 | arr [end] | test.cpp:113:35:113:37 | arr indirection [end] |
+| test.cpp:105:20:105:22 | arr indirection [begin] | test.cpp:105:24:105:28 | begin |
+| test.cpp:105:20:105:22 | arr indirection [begin] | test.cpp:105:47:105:47 | Load |
+| test.cpp:105:24:105:28 | begin | test.cpp:105:47:105:47 | Load |
+| test.cpp:105:36:105:38 | arr indirection [end] | test.cpp:105:40:105:42 | end |
+| test.cpp:105:40:105:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:105:40:105:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:105:40:105:42 | end | test.cpp:105:40:105:42 | Load |
+| test.cpp:109:20:109:22 | arr indirection [begin] | test.cpp:109:24:109:28 | begin |
+| test.cpp:109:20:109:22 | arr indirection [begin] | test.cpp:109:47:109:47 | Load |
+| test.cpp:109:24:109:28 | begin | test.cpp:109:47:109:47 | Load |
+| test.cpp:109:36:109:38 | arr indirection [end] | test.cpp:109:40:109:42 | end |
+| test.cpp:109:40:109:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:109:40:109:42 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:109:40:109:42 | end | test.cpp:109:40:109:42 | Load |
+| test.cpp:113:20:113:22 | arr indirection [begin] | test.cpp:113:24:113:28 | begin |
+| test.cpp:113:20:113:22 | arr indirection [begin] | test.cpp:113:46:113:46 | Load |
+| test.cpp:113:24:113:28 | begin | test.cpp:113:46:113:46 | Load |
+| test.cpp:113:35:113:37 | arr indirection [end] | test.cpp:113:39:113:41 | end |
+| test.cpp:113:39:113:41 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:113:39:113:41 | Load | test.cpp:110:9:110:14 | Store: ... = ... |
+| test.cpp:113:39:113:41 | end | test.cpp:113:39:113:41 | Load |
+| test.cpp:119:18:119:25 | call to mk_array [begin] | test.cpp:104:27:104:29 | arr [begin] |
+| test.cpp:119:18:119:25 | call to mk_array [end] | test.cpp:104:27:104:29 | arr [end] |
+| test.cpp:124:15:124:20 | call to malloc | test.cpp:125:5:125:17 | Store |
+| test.cpp:124:15:124:20 | call to malloc | test.cpp:126:15:126:15 | Load |
+| test.cpp:125:5:125:17 | Store | test.cpp:125:9:125:13 | arr indirection [post update] [begin] |
+| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:129:11:129:13 | arr indirection [begin] |
+| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:133:11:133:13 | arr indirection [begin] |
+| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:137:11:137:13 | arr indirection [begin] |
+| test.cpp:129:11:129:13 | arr indirection [begin] | test.cpp:129:15:129:19 | begin |
+| test.cpp:129:15:129:19 | begin | test.cpp:129:15:129:19 | Load |
+| test.cpp:133:11:133:13 | arr indirection [begin] | test.cpp:133:15:133:19 | begin |
+| test.cpp:133:15:133:19 | begin | test.cpp:133:15:133:19 | Load |
+| test.cpp:137:11:137:13 | arr indirection [begin] | test.cpp:137:15:137:19 | begin |
+| test.cpp:137:15:137:19 | begin | test.cpp:137:15:137:19 | Load |
+| test.cpp:141:10:141:19 | VariableAddress indirection [begin] | test.cpp:150:20:150:29 | Call indirection [begin] |
+| test.cpp:141:10:141:19 | VariableAddress indirection [begin] | test.cpp:180:18:180:27 | call to mk_array_p indirection [begin] |
+| test.cpp:141:10:141:19 | VariableAddress indirection [end] | test.cpp:150:20:150:29 | Call indirection [end] |
+| test.cpp:141:10:141:19 | VariableAddress indirection [end] | test.cpp:180:18:180:27 | call to mk_array_p indirection [end] |
+| test.cpp:143:5:143:29 | Store | test.cpp:143:10:143:14 | Load indirection [post update] [begin] |
+| test.cpp:143:10:143:14 | Load indirection [post update] [begin] | test.cpp:141:10:141:19 | VariableAddress indirection [begin] |
+| test.cpp:143:10:143:14 | Load indirection [post update] [begin] | test.cpp:144:16:144:18 | Load indirection [begin] |
+| test.cpp:143:18:143:23 | call to malloc | test.cpp:143:5:143:29 | Store |
+| test.cpp:144:5:144:32 | Store | test.cpp:144:10:144:12 | Load indirection [post update] [end] |
+| test.cpp:144:10:144:12 | Load indirection [post update] [end] | test.cpp:141:10:141:19 | VariableAddress indirection [end] |
+| test.cpp:144:16:144:18 | Load indirection [begin] | test.cpp:144:21:144:25 | begin |
+| test.cpp:144:16:144:32 | ... + ... | test.cpp:144:5:144:32 | Store |
+| test.cpp:144:21:144:25 | Load | test.cpp:144:5:144:32 | Store |
+| test.cpp:144:21:144:25 | Load | test.cpp:144:5:144:32 | Store |
+| test.cpp:144:21:144:25 | Load | test.cpp:144:16:144:32 | ... + ... |
+| test.cpp:144:21:144:25 | Load | test.cpp:144:16:144:32 | ... + ... |
+| test.cpp:144:21:144:25 | begin | test.cpp:144:21:144:25 | Load |
+| test.cpp:150:20:150:29 | Call indirection [begin] | test.cpp:152:20:152:22 | Load indirection [begin] |
+| test.cpp:150:20:150:29 | Call indirection [begin] | test.cpp:156:20:156:22 | Load indirection [begin] |
+| test.cpp:150:20:150:29 | Call indirection [begin] | test.cpp:160:20:160:22 | Load indirection [begin] |
+| test.cpp:150:20:150:29 | Call indirection [end] | test.cpp:156:37:156:39 | Load indirection [end] |
+| test.cpp:152:20:152:22 | Load indirection [begin] | test.cpp:152:25:152:29 | begin |
+| test.cpp:152:20:152:22 | Load indirection [begin] | test.cpp:152:49:152:49 | Load |
+| test.cpp:152:25:152:29 | begin | test.cpp:152:49:152:49 | Load |
+| test.cpp:156:20:156:22 | Load indirection [begin] | test.cpp:156:25:156:29 | begin |
+| test.cpp:156:20:156:22 | Load indirection [begin] | test.cpp:156:49:156:49 | Load |
+| test.cpp:156:25:156:29 | begin | test.cpp:156:49:156:49 | Load |
+| test.cpp:156:37:156:39 | Load indirection [end] | test.cpp:156:42:156:44 | end |
+| test.cpp:156:42:156:44 | Load | test.cpp:157:9:157:14 | Store: ... = ... |
+| test.cpp:156:42:156:44 | Load | test.cpp:157:9:157:14 | Store: ... = ... |
+| test.cpp:156:42:156:44 | end | test.cpp:156:42:156:44 | Load |
+| test.cpp:160:20:160:22 | Load indirection [begin] | test.cpp:160:25:160:29 | begin |
+| test.cpp:160:20:160:22 | Load indirection [begin] | test.cpp:160:48:160:48 | Load |
+| test.cpp:160:25:160:29 | begin | test.cpp:160:48:160:48 | Load |
+| test.cpp:165:28:165:30 | arr indirection [begin] | test.cpp:166:20:166:22 | Load indirection [begin] |
+| test.cpp:165:28:165:30 | arr indirection [begin] | test.cpp:170:20:170:22 | Load indirection [begin] |
+| test.cpp:165:28:165:30 | arr indirection [begin] | test.cpp:174:20:174:22 | Load indirection [begin] |
+| test.cpp:165:28:165:30 | arr indirection [end] | test.cpp:166:37:166:39 | Load indirection [end] |
+| test.cpp:165:28:165:30 | arr indirection [end] | test.cpp:170:37:170:39 | Load indirection [end] |
+| test.cpp:165:28:165:30 | arr indirection [end] | test.cpp:174:36:174:38 | Load indirection [end] |
+| test.cpp:166:20:166:22 | Load indirection [begin] | test.cpp:166:25:166:29 | begin |
+| test.cpp:166:20:166:22 | Load indirection [begin] | test.cpp:166:49:166:49 | Load |
+| test.cpp:166:25:166:29 | begin | test.cpp:166:49:166:49 | Load |
+| test.cpp:166:37:166:39 | Load indirection [end] | test.cpp:166:42:166:44 | end |
+| test.cpp:166:42:166:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:166:42:166:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:166:42:166:44 | end | test.cpp:166:42:166:44 | Load |
+| test.cpp:170:20:170:22 | Load indirection [begin] | test.cpp:170:25:170:29 | begin |
+| test.cpp:170:20:170:22 | Load indirection [begin] | test.cpp:170:49:170:49 | Load |
+| test.cpp:170:25:170:29 | begin | test.cpp:170:49:170:49 | Load |
+| test.cpp:170:37:170:39 | Load indirection [end] | test.cpp:170:42:170:44 | end |
+| test.cpp:170:42:170:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:170:42:170:44 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:170:42:170:44 | end | test.cpp:170:42:170:44 | Load |
+| test.cpp:174:20:174:22 | Load indirection [begin] | test.cpp:174:25:174:29 | begin |
+| test.cpp:174:20:174:22 | Load indirection [begin] | test.cpp:174:48:174:48 | Load |
+| test.cpp:174:25:174:29 | begin | test.cpp:174:48:174:48 | Load |
+| test.cpp:174:36:174:38 | Load indirection [end] | test.cpp:174:41:174:43 | end |
+| test.cpp:174:41:174:43 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:174:41:174:43 | Load | test.cpp:171:9:171:14 | Store: ... = ... |
+| test.cpp:174:41:174:43 | end | test.cpp:174:41:174:43 | Load |
+| test.cpp:180:18:180:27 | call to mk_array_p indirection [begin] | test.cpp:165:28:165:30 | arr indirection [begin] |
+| test.cpp:180:18:180:27 | call to mk_array_p indirection [end] | test.cpp:165:28:165:30 | arr indirection [end] |
+#select
+| test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
+| test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
+| test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
+| test.cpp:20:14:20:21 | Load: * ... | test.cpp:16:15:16:20 | call to malloc | test.cpp:20:14:20:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:16:15:16:20 | call to malloc | call to malloc | test.cpp:17:19:17:22 | size | size |
+| test.cpp:30:14:30:15 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:30:14:30:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
+| test.cpp:32:14:32:21 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
+| test.cpp:32:14:32:21 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
+| test.cpp:42:14:42:15 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
+| test.cpp:44:14:44:21 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
+| test.cpp:44:14:44:21 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
+| test.cpp:67:9:67:14 | Store: ... = ... | test.cpp:52:19:52:24 | call to malloc | test.cpp:67:9:67:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:52:19:52:24 | call to malloc | call to malloc | test.cpp:53:20:53:23 | size | size |
+| test.cpp:96:9:96:14 | Store: ... = ... | test.cpp:82:17:82:22 | call to malloc | test.cpp:96:9:96:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:82:17:82:22 | call to malloc | call to malloc | test.cpp:83:27:83:30 | size | size |
+| test.cpp:110:9:110:14 | Store: ... = ... | test.cpp:82:17:82:22 | call to malloc | test.cpp:110:9:110:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:82:17:82:22 | call to malloc | call to malloc | test.cpp:83:27:83:30 | size | size |
+| test.cpp:157:9:157:14 | Store: ... = ... | test.cpp:143:18:143:23 | call to malloc | test.cpp:157:9:157:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:143:18:143:23 | call to malloc | call to malloc | test.cpp:144:29:144:32 | size | size |
+| test.cpp:171:9:171:14 | Store: ... = ... | test.cpp:143:18:143:23 | call to malloc | test.cpp:171:9:171:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:143:18:143:23 | call to malloc | call to malloc | test.cpp:144:29:144:32 | size | size |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.qlref
new file mode 100644
index 00000000000..76da29dc7a0
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
new file mode 100644
index 00000000000..6de69f124c8
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -0,0 +1,181 @@
+char *malloc(int size);
+
+void test1(int size) {
+    char* p = malloc(size);
+    char* q = p + size;
+    char a = *q; // BAD
+    char b = *(q - 1); // GOOD
+    char c = *(q + 1); // BAD
+    char d = *(q + size); // BAD [NOT DETECTED]
+    char e = *(q - size); // GOOD
+    char f = *(q + size + 1); // BAD [NOT DETECTED]
+    char g = *(q - size - 1); // GOOD
+}
+
+void test12(int size) {
+    char* p = malloc(size);
+    char* q = p + size - 1;
+    char a = *q; // GOOD
+    char b = *(q - 1); // GOOD
+    char c = *(q + 1); // BAD
+    char d = *(q + size); // BAD [NOT DETECTED]
+    char e = *(q - size); // GOOD
+    char f = *(q + size + 1); // BAD [NOT DETECTED]
+    char g = *(q - size - 1); // GOOD
+}
+
+void test9(int size) {
+    char* p = malloc(size + 1);
+    char* q = p + (size + 1);
+    char a = *q; // BAD
+    char b = *(q - 1); // GOOD
+    char c = *(q + 1); // BAD
+    char d = *(q + size); // BAD [NOT DETECTED]
+    char e = *(q - size); // GOOD
+    char f = *(q + size + 1); // BAD [NOT DETECTED]
+    char g = *(q - size - 1); // GOOD
+}
+
+void test10(int size) {
+    char* p = malloc(size - 1);
+    char* q = p + (size - 1);
+    char a = *q; // BAD
+    char b = *(q - 1); // GOOD
+    char c = *(q + 1); // BAD
+    char d = *(q + size); // BAD [NOT DETECTED]
+    char e = *(q - size); // GOOD
+    char f = *(q + size + 1); // BAD [NOT DETECTED]
+    char g = *(q - size - 1); // GOOD
+}
+
+char* mk_array(int size, char** end) {
+    char* begin = malloc(size);
+    *end = begin + size;
+
+    return begin;
+}
+
+void test11(int size) {
+    char* end;
+    char* begin = mk_array(size, &end);
+
+    for (char* p = begin; p != end; ++p) {
+        *p = 0; // GOOD
+    }
+
+    for (char* p = begin; p <= end; ++p) {
+        *p = 0; // BAD
+    }
+
+    for (char* p = begin; p < end; ++p) {
+        *p = 0; // GOOD
+    }
+}
+
+struct array_t {
+    char* begin;
+    char* end;
+};
+
+array_t mk_array(int size) {
+    array_t arr;
+    arr.begin = malloc(size);
+    arr.end = arr.begin + size;
+
+    return arr;
+}
+
+void test2(int size) {
+    array_t arr = mk_array(size);
+
+    for (char* p = arr.begin; p != arr.end; ++p) {
+        *p = 0; // GOOD
+    }
+
+    for (char* p = arr.begin; p <= arr.end; ++p) {
+        *p = 0; // BAD
+    }
+
+    for (char* p = arr.begin; p < arr.end; ++p) {
+        *p = 0; // GOOD
+    }
+}
+
+void test3_callee(array_t arr) {
+    for (char* p = arr.begin; p != arr.end; ++p) {
+        *p = 0; // GOOD
+    }
+
+    for (char* p = arr.begin; p <= arr.end; ++p) {
+        *p = 0; // BAD
+    }
+
+    for (char* p = arr.begin; p < arr.end; ++p) {
+        *p = 0; // GOOD
+    }
+}
+
+void test3(int size) {
+    test3_callee(mk_array(size));
+}
+
+void test4(int size) {
+    array_t arr;
+    char* p = malloc(size);
+    arr.begin = p;
+    arr.end = p + size;
+
+    for (int i = 0; i < arr.end - arr.begin; i++) {
+        *(arr.begin + i) = 0; // GOOD
+    }
+
+    for (int i = 0; i != arr.end - arr.begin; i++) {
+        *(arr.begin + i) = 0; // GOOD
+    }
+
+    for (int i = 0; i <= arr.end - arr.begin; i++) {
+        *(arr.begin + i) = 0; // BAD [NOT DETECTED]
+    }
+}
+
+array_t *mk_array_p(int size) {
+    array_t *arr = (array_t*) malloc(sizeof(array_t));
+    arr->begin = malloc(size);
+    arr->end = arr->begin + size;
+
+    return arr;
+}
+
+void test5(int size) {
+    array_t *arr = mk_array_p(size);
+
+    for (char* p = arr->begin; p != arr->end; ++p) {
+        *p = 0; // GOOD
+    }
+
+    for (char* p = arr->begin; p <= arr->end; ++p) {
+        *p = 0; // BAD
+    }
+
+    for (char* p = arr->begin; p < arr->end; ++p) {
+        *p = 0; // GOOD
+    }
+}
+
+void test6_callee(array_t *arr) {
+    for (char* p = arr->begin; p != arr->end; ++p) {
+        *p = 0; // GOOD
+    }
+
+    for (char* p = arr->begin; p <= arr->end; ++p) {
+        *p = 0; // BAD
+    }
+
+    for (char* p = arr->begin; p < arr->end; ++p) {
+        *p = 0; // GOOD
+    }
+}
+
+void test6(int size) {
+    test6_callee(mk_array_p(size));
+}