CodeQL library for C/C++
codeql/cpp-all 0.12.8-dev

Class SprintfBW

A call to a variant of sprintf.

Import path

import semmle.code.cpp.security.BufferWrite

Direct supertypes

Indirect supertypes

Fields

Predicates

getASource

Gets a data source of this operation (e.g. the source string, format string; not necessarily copied as-is).

getBufferType

Gets the (unspecified) type of the buffer this operation works with (for example char *).

getDest

Gets the destination buffer of this operation.

getMaxData

Gets an upper bound to the amount of data that’s being written (if one can be found).

getMaxData

Gets an upper bound to the amount of data that’s being written (if one can be found), specifying the reason for the estimation.

getMaxDataLimited

Gets an upper bound to the amount of data that’s being written (if one can be found), except that float to string conversions are assumed to be much smaller (8 bytes) than their true maximum length. This can be helpful in determining the cause of a buffer overflow issue.

getMaxDataLimited

Gets an upper bound to the amount of data that’s being written (if one can be found), specifying the reason for the estimation, except that float to string conversions are assumed to be much smaller (8 bytes) than their true maximum length. This can be helpful in determining the cause of a buffer overflow issue.

Inherited predicates

findRootCause

Gets the source of this element: either itself or a macro that expanded to this element.

from Element
fromSource

Holds if this element may be from source. This predicate holds for all elements, except for those in the dummy file, whose name is the empty string. The dummy file contains declarations that are built directly into the compiler.

from Element
getAChild

Gets a child of this expression.

from Expr
getAFalseSuccessor

Gets a node such that the control-flow edge (this, result) may be taken when this expression is false.

from ControlFlowNode
getAPredecessor

Gets a direct predecessor of this control-flow node, if any.

from ControlFlowNode
getAPrimaryQlClass

Gets the name of a primary CodeQL class to which this element belongs.

from FunctionCall
getASuccessor

Gets a direct successor of this control-flow node, if any.

from ControlFlowNode
getATemplateArgument

Gets a template argument for this call.

from FunctionCall
getATemplateArgumentKind

Gets a template argument value for this call.

from FunctionCall
getATrueSuccessor

Gets a node such that the control-flow edge (this, result) may be taken when this expression is true.

from ControlFlowNode
getActualType

Gets the type of this expression, after any implicit conversions and explicit casts, and after resolving typedefs.

from Expr
getAnArgument

Gets an argument for this call. To get the qualifier of this call, if any, use getQualifier().

from Call
getAnArgumentSubExpr

Gets a subexpression of the argument at position index. If the argument itself contains calls, such calls will be considered leaves in the expression tree. The qualifier of the call, if any, is not considered to be an argument.

from Call
getAnExplicitTemplateArgument

Gets an explicit template argument for this call.

from FunctionCall
getAnExplicitTemplateArgumentKind

Gets an explicit template argument value for this call.

from FunctionCall
getAnImplicitDestructorCall

Gets a compiler-generated destructor call that is performed after this expression.

from Expr
getArgument

Gets the nth argument for this call.

from Call
getBWDesc

Gets a description of this buffer write.

from BufferWrite
getBasicBlock

Gets the BasicBlock containing this control-flow node.

from ControlFlowNode
getCharSize

Gets the size of a single character of the type this operation works with, in bytes.

from BufferWrite
getChild

Gets the nth child of this expression.

from Expr
getControlFlowScope

Gets the function containing this control-flow node.

from Expr
getConversion

Gets the conversion associated with this expression, if any.

from Expr
getConversionString

Gets a string describing the conversion associated with this expression, or "" if there is none.

from Expr
getEnclosingBlock

Gets the nearest enclosing set of curly braces around this expression in the source, if any.

from Expr
getEnclosingDeclaration

Gets the enclosing variable or function of this expression.

from Expr
getEnclosingElement

Gets the closest Element enclosing this one.

from Element
getEnclosingFunction

Gets the enclosing function of this expression, if any.

from Expr
getEnclosingStmt

Gets the smallest statement containing this control-flow node.

from Expr
getEnclosingVariable

Gets the enclosing variable of this expression, if any.

from Expr
getExpectedParameterType

Gets the expected type of the nth parameter of the function called by this call.

from FunctionCall
getExpectedReturnType

Gets the expected return type of the function called by this call.

from FunctionCall
getExplicitLimit

Gets the explicit limit of bytes copied by this operation, if it exists and its value can be determined.

from BufferWrite
getExplicitTemplateArgument

Gets the nth explicit template argument for this call.

from FunctionCall
getExplicitTemplateArgumentKind

Gets the nth explicit template argument value for this call.

from FunctionCall
getExplicitlyConverted

Gets this expression with all of its explicit casts, but none of its implicit casts. More precisely this takes conversions up to the last explicit cast (there may be implicit conversions along the way), but does not include conversions after the last explicit cast.

from Expr
getFile

Gets the primary file where this element occurs.

from Element
getFullyConverted

Gets the fully converted form of this expression, including all type casts and other conversions.

from Expr
getImplicitDestructorCall

Gets the nth compiler-generated destructor call that is performed after this expression, in order of destruction.

from Expr
getImplicitlyConverted

Gets this expression with all of its initial implicit casts, but none of its explicit casts. More precisely, this takes all implicit conversions up to (but not including) the first explicit cast (if any).

from Expr
getLocation

Gets the location of this expression.

from Expr
getNameQualifier

Gets the name qualifier associated with this element. For example, the name qualifier of N::f() is N.

from NameQualifiableElement
getNumChild

Gets the number of direct children of this expression.

from Expr
getNumberOfArguments

Gets the number of arguments (actual parameters) of this call. The count does not include the qualifier of the call, if any.

from Call
getNumberOfExplicitTemplateArguments

Gets the number of explicit template arguments for this call.

from FunctionCall
getNumberOfTemplateArguments

Gets the number of template arguments for this call.

from FunctionCall
getParent

Gets the parent of this expression, if any.

from Expr
getParentScope

Gets the parent scope of this Element, if any. A scope is a Type (Class / Enum), a Namespace, a BlockStmt, a Function, or certain kinds of Statement.

from Element
getParentWithConversions

Gets the parent of this expression, if any, in an alternative syntax tree that has Conversions as part of the tree.

from Expr
getPrecedence

Gets the precedence of the main operator of this expression; higher precedence binds tighter.

from Call
getPrimaryQlClasses

Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.

from ElementBase
getQualifier

Gets the expression to the left of the function name or function pointer variable name.

from Call
getTarget

Gets the function called by this call.

from FunctionCall
getTargetType

Gets the RoutineType of the call target as visible at the call site. For constructor calls, this predicate instead gets the Class of the constructor being called.

from FunctionCall
getTemplateArgument

Gets the nth template argument for this call (indexed from 0).

from FunctionCall
getTemplateArgumentKind

Gets the nth template argument value for this call (indexed from 0).

from FunctionCall
getType

Gets the type of this expression, that is, the return type of the function being called.

from FunctionCall
getUnconverted

Gets the unique non-Conversion expression e for which this = e.getConversion*().

from Expr
getUnderlyingType

Gets the type of this expression after typedefs have been resolved.

from Expr
getUnspecifiedType

Gets the type of this expression after specifiers have been deeply stripped and typedefs have been resolved.

from Expr
getValue

Gets the value of this expression, if it is a constant.

from Expr
getValueCategoryString

Gets a string representation of the value category of the expression. This is intended only for debugging. The possible values are:

from Expr
getValueText

Gets the source text for the value of this expression, if it is a constant.

from Expr
hasChild

Holds if e is the nth child of this expression.

from Expr
hasConversion

Holds if this expression has a conversion.

from Expr
hasExplicitConversion

Holds if this expression has an explicit conversion.

from Expr
hasExplicitLimit

Holds if the operation has an explicit parameter that limits the amount of data written (e.g. strncpy does, whereas strcpy does not); this is not the same as exists(getExplicitLimit()) because the limit may exist though its value is unknown.

from BufferWrite
hasGlobalQualifiedName

Holds if this element has a globally qualified name. For example, ::x is globally qualified. It is used to refer to x in the global namespace.

from NameQualifiableElement
hasImplicitConversion

Holds if this expression has an implicit conversion.

from Expr
hasImplicitTemplateArguments

Holds if any template arguments for this call are implicit / deduced.

from FunctionCall
hasLValueToRValueConversion

Holds if this expression has undergone an lvalue-to-rvalue conversion to extract its value. For example: y = x; The VariableAccess for x is a prvalue, and hasLValueToRValueConversion() holds because the value of x was loaded from the location of x. The VariableAccess for y is an lvalue, and hasLValueToRValueConversion() does not hold because the value of y was not extracted.

from Expr
hasQualifier

Holds if this call has a qualifier.

from Call
hasSuperQualifiedName

Holds if this element has a __super-qualified name. For example: __super::get(). Note: __super is a non-standard C++ extension, only supported by some C++ compilers.

from NameQualifiableElement
hasTemplateArgumentList

Holds if a template argument list was provided for this call.

from FunctionCall
isAffectedByMacro

Holds if this element is affected in any way by a macro. All elements that are totally or partially generated by a macro are included, so this is a super-set of isInMacroExpansion.

from Element
isCompilerGenerated

Holds if this is an auxiliary expression generated by the compiler.

from Expr
isCondition

Holds if this node is the top-level expression of a conditional statement, meaning that this.getATrueSuccessor() or this.getAFalseSuccessor() will have a result.

from ControlFlowNode
isConstant

Holds if this expression has a value that can be determined at compile time.

from Expr
isFromTemplateInstantiation

Holds if this Element is a part of a template instantiation (but not the template itself).

from Element
isFromUninstantiatedTemplate

Holds if this Element is part of a template template (not if it is part of an instantiation of template). This means it is represented in the database purely as syntax and without guarantees on the presence or correctness of type-based operations such as implicit conversions.

from Element
isGLValueCategory

Holds if this expression is a glvalue. A glvalue is either an lvalue or an xvalue.

from Expr
isInMacroExpansion

Holds if this element comes from a macro expansion. Only elements that are entirely generated by a macro are included - for elements that partially come from a macro, see isAffectedByMacro.

from Element
isLValue

Holds if this expression is an lvalue, in the sense of having an address.

from Expr
isLValueCategory

Holds if this expression is an lvalue. An lvalue is an expression that represents a location, rather than a value. See [basic.lval] for more about lvalues.

from Expr
isOnlyFoundByADL

Holds if the target of this function call was found by argument-dependent lookup and wouldn’t have been found by any other means.

from FunctionCall
isPRValueCategory

Holds if this expression is a prvalue. A prvalue is an expression that represents a value, rather than a location. See [basic.lval] for more about prvalues.

from Expr
isParenthesised

Holds if this expression is parenthesised.

from Expr
isPure

Holds if this expression is side-effect free (conservative approximation). This predicate cannot be overridden; override mayBeImpure() instead.

from Expr
isRValueCategory

Holds if this expression is an rvalue. An rvalue is either a prvalue or an xvalue.

from Expr
isUnevaluated

Holds if this expression will not be evaluated because of its context, such as an expression inside a sizeof.

from Expr
isVirtual

Holds if this is a call to a virtual function.

from FunctionCall
isXValueCategory

Holds if this expression is an xvalue. An xvalue is a location whose lifetime is about to end (e.g. an rvalue reference returned from a function call). See [basic.lval] for more about xvalues.

from Expr
mayBeGloballyImpure

Holds if it is possible that the expression may be impure. If we are not sure, then it holds. Unlike mayBeImpure(), this predicate does not consider modifications to temporary local variables to be impure. If you call a function in which nothing may be globally impure then the function as a whole will have no side-effects, even if it mutates its own fresh stack variables.

from FunctionCall
mayBeImpure

Holds if it is possible that the expression may be impure. If we are not sure, then it holds.

from FunctionCall
passesByReference

Holds if this call passes the variable accessed by va by reference as the ith argument. The qualifier of a call to a member function is i = -1.

from Call
passesByReferenceNonConst

Holds if this call passes the variable accessed by va by reference to non-const data as the ith argument. The qualifier of a call to a member function is i = -1.

from Call
toString

Gets a textual representation of this function call.

from FunctionCall

Charpred