CodeQL library for C/C++
codeql/cpp-all 2.0.2-dev (changelog, source)
Search

Class StrcatFunction

The standard function strcat and its wide, sized, and Microsoft variants.

Does not include strlcat, which is covered by StrlcatFunction

Import path

import semmle.code.cpp.models.implementations.Strcat

Direct supertypes

Indirect supertypes

Predicates

getParamDest

Gets the index of the parameter that is the destination to be appended to.

getParamSize

Gets the index of the parameter that is the size of the copy (in characters).

getParamSrc

Gets the index of the parameter that is the source of the copy.

hasArrayInput

Holds if parameter bufParam is used as an input buffer.

hasArrayOutput

Holds if parameter bufParam is used as an output buffer.

hasArrayWithNullTerminator

Holds if parameter bufParam is a null-terminated buffer and the null-terminator will not be written past.

hasArrayWithUnknownSize

Holds if parameter bufParam points to a buffer with no fixed size and no size parameter, which is not null-terminated or which is null-terminated but for which the null value may be written past. For example, the first parameters of sprintf and strcat.

hasDataFlow

Holds if data can be copied from the argument, qualifier, or buffer represented by input to the return value or buffer represented by output

hasOnlySpecificReadSideEffects

Holds if the function never reads from memory that was defined before entry to the function. This memory could be from global variables, or from other memory that was reachable from a pointer that was passed into the function. Input side-effects, and reads from memory that cannot be visible to the caller (for example a buffer inside an I/O library) are not modeled here.

hasOnlySpecificWriteSideEffects

Holds if the function never writes to memory that remains allocated after the function returns. This memory could be from global variables, or from other memory that was reachable from a pointer that was passed into the function. Output side-effects, and writes to memory that cannot be visible to the caller (for example a buffer inside an I/O library) are not modeled here.

hasSpecificReadSideEffect

Holds if the value pointed to by the parameter at index i is read from. buffer is true if the read may be at an offset.

hasSpecificWriteSideEffect

Holds if the value pointed to by the parameter at index i is written to. buffer is true if the write may be at an offset. mustWrite is true if the write is unconditional.

hasTaintFlow

Holds if data passed into the argument, qualifier, or buffer represented by input influences the return value or buffer represented by output

Inherited predicates

accesses

Holds if this function accesses a function or variable or enumerator a.

from Function
accesses

Holds if this function accesses a function or variable or enumerator a in the Access expression l.

from Function
calls

Holds if this function calls the function f.

from Function
calls

Holds if this function calls the function f in the FunctionCall expression l.

from Function
canAccessClass

Holds if a base class base of derived is accessible at this (N4140 11.2/4). When this holds, and derived has only one base subobject of type base, code in this can implicitly convert a pointer to derived into a pointer to base. Conversely, if such a conversion is possible then this predicate holds.

from AccessHolder
canAccessMember

Holds if a non-static member member is accessible at this when named in a class derived that is derived from or equal to the declaring class of member (N4140 11.2/5 and 11.4).

from AccessHolder
couldAccessMember

Holds if a hypothetical non-static member of memberClass with access specifier memberAccess is accessible at this when named in a class derived that is derived from or equal to memberClass (N4140 11.2/5 and 11.4).

from AccessHolder
findRootCause

Gets the source of this element: either itself or a macro that expanded to this element.

from Element
fromSource

Holds if this element may be from source. This predicate holds for all elements, except for those in the dummy file, whose name is the empty string. The dummy file contains declarations that are built directly into the compiler.

from Element
getACallToThisFunction

Gets a call to this function.

from Function
getADeclaration

Gets a child declaration of this function.

from Function
getADeclarationEntry

Gets a declaration entry corresponding to this declaration. The relationship between Declaration and DeclarationEntry is explained in Declaration.qll.

from Function
getADeclarationLocation

Gets the location of a FunctionDeclarationEntry corresponding to this declaration.

from Function
getAFalseSuccessor

Gets a node such that the control-flow edge (this, result) may be taken when this expression is false.

from ControlFlowNode
getAFile

Gets a file where this element occurs.

from Declaration
getALinkTarget

Gets a link target which compiled or referenced this function.

from Function
getAParameter

Gets a parameter of this function. There is no result for the implicit this parameter, and there is no ... varargs pseudo-parameter.

from Function
getAPredecessor

Gets a direct predecessor of this control-flow node, if any.

from ControlFlowNode
getAPrimaryQlClass

Gets the name of a primary CodeQL class to which this element belongs.

from ElementBase
getASpecifier

Gets a specifier of this function.

from Function
getASuccessor

Gets a direct successor of this control-flow node, if any.

from ControlFlowNode
getATemplateArgument

Gets a template argument used to instantiate this declaration from a template. When called on a template, this will return a template parameter type for both typed and non-typed parameters.

from Declaration
getATemplateArgumentKind

Gets a template argument used to instantiate this declaration from a template. When called on a template, this will return a non-typed template parameter value.

from Declaration
getAThrownType

Gets a type that is specified to be thrown by the function.

from Function
getATrueSuccessor

Gets a node such that the control-flow edge (this, result) may be taken when this expression is true.

from ControlFlowNode
getAWrittenVariable

Gets a variable that is written-to in this function.

from Function
getAnAccess

Gets an access of this function.

from Function
getAnAttribute

Gets an attribute of this function.

from Function
getAnOverload

Gets a function that overloads this one.

from Function
getBasicBlock

Gets the BasicBlock containing this control-flow node.

from ControlFlowNode
getBlock

Gets the block that is the function body.

from Function
getClassAndName

Gets the class of which this function, called memberName, is a member.

from Function
getControlFlowScope

Implements ControlFlowNode.getControlFlowScope. The Function is used to represent the exit node of the control flow graph, so it is its own scope.

from Function
getDeclaringType

Gets the class where this member is declared, if it is a member. For templates, both the template itself and all instantiations of the template are considered to have the same declaring class.

from Declaration
getDefinition

Gets the declaration entry corresponding to this declaration that is a definition, if any.

from Function
getDefinitionLocation

Gets the location of the definition, if any.

from Function
getDescription

Gets a description of this Declaration for display purposes.

from Declaration
getEffectiveNumberOfParameters

Gets the number of parameters of this function, including any implicit this parameter but not including any ... varargs pseudo-parameter.

from Function
getEnclosingAccessHolder

Gets the nearest enclosing AccessHolder.

from Function
getEnclosingElement

Gets the closest Element enclosing this one.

from Element
getEnclosingStmt

Implements ControlFlowNode.getEnclosingStmt. The Function is used to represent the exit node of the control flow graph, so it has no enclosing statement.

from Function
getEntryPoint

Gets the first node in this function’s control flow graph.

from Function
getExplicitExpr

Gets the constant expression that determines whether the function is explicit.

from Function
getFile

Gets the primary file where this element occurs.

from Element
getLocation

Gets the preferred location of this declaration. (The location of the definition, if possible.)

from Function
getMetrics

Gets the metric class. MetricFunction has methods for computing various metrics, such as “number of lines of code” and “number of function calls”.

from Function
getName

Gets the name of this declaration.

from Function
getNamespace

Gets the innermost namespace which contains this declaration.

from Declaration
getNumberOfParameters

Gets the number of parameters of this function, not including any implicit this parameter or any ... varargs pseudo-parameter.

from Function
getNumberOfTemplateArguments

Gets the number of template arguments for this declaration.

from Declaration
getParameter

Gets the nth parameter of this function. There is no result for the implicit this parameter, and there is no ... varargs pseudo-parameter.

from Function
getParameterSizeIndex

Gets the index of the parameter that indicates the size of the buffer pointed to by the parameter at index i.

from SideEffectFunction
getParameterString

Gets a string representing the parameters of this function.

from Function
getParentScope

Gets the parent scope of this Element, if any. A scope is a Type (Class / Enum), a Namespace, a BlockStmt, a Function, or certain kinds of Statement.

from Element
getPrimaryQlClasses

Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.

from ElementBase
getQualifiedName

Gets the name of the declaration, fully qualified with its namespace and declaring type.

from Declaration
getTemplateArgument

Gets the ith template argument used to instantiate this declaration from a template.

from Declaration
getTemplateArgumentKind

Gets the ith template argument value used to instantiate this declaration from a template. When called on a template, this will return the ith template parameter value if it exists.

from Declaration
getThrownType

Gets the ith type specified to be thrown by the function.

from Function
getType

Gets the return type of this function.

from Function
getUnspecifiedType

Gets the return type of this function after specifiers have been deeply stripped and typedefs have been resolved.

from Function
hasArrayWithFixedSize

Holds if parameter bufParam should always point to a buffer with exactly elemCount elements.

from ArrayFunction
hasArrayWithVariableSize

Holds if parameter bufParam should always point to a buffer with the number of elements indicated by countParam.

from ArrayFunction
hasCLinkage

Holds if this function has C linkage, as specified by one of its declaration entries. For example: extern "C" void foo();.

from Function
hasDeclaringType

Holds if this declaration is a member of a class/struct/union.

from Declaration
hasDefinition

Holds if the declaration has a definition.

from Declaration
hasEntryPoint

Holds if this function has an entry point.

from Function
hasErrors

Holds if this function has extraction errors that create an ErrorExpr.

from Function
hasExceptionSpecification

Holds if the function has an exception specification.

from Function
hasGlobalName

Holds if this declaration has the given name in the global namespace.

from Declaration
hasGlobalOrStdName

Holds if this declaration has the given name in the global namespace or the std namespace.

from Declaration
hasGlobalOrStdOrBslName

Holds if this declaration has the given name in the global namespace, the std namespace or the bsl namespace. We treat std and bsl as the same in some of our models.

from Declaration
hasName

Holds if this declaration has the given name.

from Declaration
hasQualifiedName

Holds if this declaration has a fully-qualified name with a name-space component of namespaceQualifier, no declaring type, and a base name of baseName.

from Declaration
hasQualifiedName

Holds if this declaration has a fully-qualified name with a name-space component of namespaceQualifier, a declaring type of typeQualifier, and a base name of baseName. Template parameters and arguments are stripped from all components. Missing components are "".

from Declaration
hasSpecifier

Holds if this declaration has a specifier with the given name.

from Declaration
hasTrailingReturnType

Holds if this function has a trailing return type.

from Function
inMemberOrFriendOf

Holds if this can access private members of class c.

from AccessHolder
isAffectedByMacro

Holds if this element is affected in any way by a macro. All elements that are totally or partially generated by a macro are included, so this is a super-set of isInMacroExpansion.

from Element
isCompilerGenerated

Holds if this function is generated by the compiler.

from Function
isCondition

Holds if this node is the top-level expression of a conditional statement, meaning that this.getATrueSuccessor() or this.getAFalseSuccessor() will have a result.

from ControlFlowNode
isConsteval

Holds if this function is declared to be consteval.

from Function
isConstexpr

Holds if this function is constexpr. Normally, this holds if and only if isDeclaredConstexpr() holds, but in some circumstances they differ. For example, with int f(int i) { return 6; } template <typename T> constexpr int g(T x) { return f(x); } g<int> is declared constexpr, but is not constexpr.

from Function
isConstructedFrom

Holds if this function is constructed from f as a result of template instantiation. If so, it originates either from a template function or from a function nested in a template class.

from Function
isDeclaredConstexpr

Holds if this function is declared to be constexpr.

from Function
isDeclaredVirtual

Holds if this function is declared with the virtual specifier.

from Function
isDefaulted

Holds if this function is explicitly defaulted with the = default specifier.

from Function
isDeleted

Holds if this function is deleted. This may be because it was explicitly deleted with an = delete definition, or because the compiler was unable to auto-generate a definition for it.

from Function
isExplicit

Holds if this function is declared to be explicit.

from Function
isFinal

Holds if this function is declared with the final specifier.

from Function
isFromTemplateInstantiation

Holds if this Element is a part of a template instantiation (but not the template itself).

from Element
isFromUninstantiatedTemplate

Holds if this Element is part of a template template (not if it is part of an instantiation of template). This means it is represented in the database purely as syntax and without guarantees on the presence or correctness of type-based operations such as implicit conversions.

from Element
isInMacroExpansion

Holds if this element comes from a macro expansion. Only elements that are entirely generated by a macro are included - for elements that partially come from a macro, see isAffectedByMacro.

from Element
isInline

Holds if this function is inline.

from Function
isMember

Holds if this declaration is a member of a class/struct/union.

from Declaration
isMultiplyDefined

Holds if this function is defined in several files. This is illegal in C (though possible in some C++ compilers), and likely indicates that several functions that are not linked together have been compiled. An example would be a project with many ‘main’ functions.

from Function
isNaked

Holds if this function is declared with __attribute__((naked)) or __declspec(naked).

from Function
isNoExcept

Holds if this function has a noexcept exception specification.

from Function
isNoThrow

Holds if this function has a throw() exception specification.

from Function
isOverride

Holds if this function is declared with the override specifier.

from Function
isPartialWrite

Holds if the write to output does not overwrite the entire value that was there before, or does not do so reliably. For example the destination argument of strcat is modified but not overwritten.

from PartialFlowFunction
isPrototyped

Holds if this function has a prototyped interface.

from Function
isSideEffectFree

Holds if this function is side-effect free (conservative approximation).

from Function
isSpecialization

Holds if this Function is a Template specialization.

from Function
isStatic

Holds if this declaration is static.

from Declaration
isTopLevel

Holds if this declaration is a top-level declaration.

from Declaration
isVarargs

Holds if this function is a varargs function.

from Function
isVirtual

Holds if this function is virtual.

from Function
mayHaveSideEffects

Holds if this function may have side-effects; if in doubt, we assume it may.

from Function
toString

Gets a textual representation of this element.

from Declaration

Charpred