CodeQL library for C/C++
codeql/cpp-all 2.0.1-dev (changelog, source)

Predicate stackPointerFlowsToUse

A stack address flows to use. The simplest case is when use is the expression &var, but assignments are also handled. For example:

x = &var;
y = x;
...y...   // use of &var

useType is the type of data which we believe was allocated on the stack. It is particularly important when dealing with pointers. Consider this example:

int x[10];
int *y = new int[10];
... = &x[1];
... = &y[1];

In this example, x and y are both stack variables. But &x[1] is a pointer to the stack and &y[1] is a pointer to the heap. The difference is that the type of x is int[10], but the type of y is int*. This information is stored in useType.

source is the origin of the stack address. It is only used to improve the quality of the error messages.

isLocal is true if the stack address came from the current function. It is false if the stack address arrived via a function parameter. This information is only used to improve the quality of the error messages.

Import path

import semmle.code.cpp.dataflow.StackAddress
predicate stackPointerFlowsToUse(Expr use, Type useType, Expr source, boolean isLocal)
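As an added example of how this predicate is used from a query (this is illustrative code written for this page, not the query the library itself ships), the following CodeQL query flags return statements whose returned expression carries a stack address. The query metadata, the helper describeOrigin, and the restriction to functions with a pointer return type are choices made for this example; the only library API relied on is stackPointerFlowsToUse together with the standard cpp classes ReturnStmt, Function, Type and PointerType.

```ql
/**
 * @name Returning a pointer to stack-allocated memory
 * @description Illustrative query (added example): reports return statements
 *              whose returned expression carries a stack address, so the
 *              caller may end up dereferencing a dangling pointer.
 * @kind problem
 * @problem.severity warning
 * @id example/return-stack-address
 */

import cpp
import semmle.code.cpp.dataflow.StackAddress

/**
 * Human-readable origin of the stack address, derived from the `isLocal`
 * flag of `stackPointerFlowsToUse`. Helper defined for this example.
 */
string describeOrigin(boolean isLocal) {
  isLocal = true and result = "a local variable of this function"
  or
  isLocal = false and result = "a stack address that arrived through a parameter"
}

from ReturnStmt ret, Expr use, Type useType, Expr source, boolean isLocal
where
  use = ret.getExpr() and
  // `use` evaluates to a stack address. `useType` is the type of the object
  // believed to live on the stack: for `&x[1]` with `int x[10]` it is `int[10]`,
  // whereas `&y[1]` with `int *y = new int[10]` is not a stack address at all
  // and is therefore never reported.
  stackPointerFlowsToUse(use, useType, source, isLocal) and
  // The address escapes the frame only when the caller receives a pointer, so
  // restrict to functions whose declared return type is a pointer type.
  ret.getEnclosingFunction().getType().getUnspecifiedType() instanceof PointerType
select ret,
  "This return statement may return the address of stack-allocated memory (of type " +
    useType.toString() + ") originating from $@, which is " + describeOrigin(isLocal) + ".",
  source, source.toString()
```

The source and isLocal columns are used exactly as the page describes: they do not change which results are found, only the wording of the alert, where $@ is replaced by a link to the originating expression. Dropping the isLocal = false cases from the select (or turning them into a separate, lower-severity query) is a reasonable refinement, since a stack address passed in by the caller may legitimately be returned to that same caller.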