https://github.com/xophmeister/codeql-playground
codeql playground static-analysis
- Host: GitHub
- URL: https://github.com/xophmeister/codeql-playground
- Owner: Xophmeister
- Created: 2024-07-31T10:50:13.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-08-01T12:42:20.000Z (over 1 year ago)
- Last Synced: 2025-05-16T15:50:29.926Z (8 months ago)
- Topics: codeql, playground, static-analysis
- Language: Makefile
- Homepage:
- Size: 3.91 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# CodeQL Playground
Let's write some [dodgy C code](/ub.c) to see what
[CodeQL](https://codeql.github.com), with the default C/C++ queries, can
catch.
## Results
CodeQL didn't catch anything :disappointed:
### Comparison
GCC's static analysis does a much better job:
```console
$ gcc -fanalyzer ub.c
ub.c: In function ‘main’:
ub.c:10:5: warning: dereference of NULL ‘buffer’ [CWE-476] [-Wanalyzer-null-dereference]
10 | printf("%d\n", *buffer);
| ^~~~~~~~~~~~~~~~~~~~~~~
‘main’: events 1-5
|
| 6 | int* buffer = (int*)malloc(size * sizeof(int));
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) allocated here
| 7 |
| 8 | if (buffer == NULL) {
| | ~
| | |
| | (2) assuming ‘buffer’ is NULL
| | (3) following ‘true’ branch (when ‘buffer’ is NULL)...
| 9 | /* Null-pointer dereference */
| 10 | printf("%d\n", *buffer);
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (4) ...to here
| | (5) dereference of NULL ‘buffer’
|
ub.c:10:5: warning: use of uninitialized value ‘*buffer’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
10 | printf("%d\n", *buffer);
| ^~~~~~~~~~~~~~~~~~~~~~~
‘main’: events 1-4
|
| 6 | int* buffer = (int*)malloc(size * sizeof(int));
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) region created on heap here
| 7 |
| 8 | if (buffer == NULL) {
| | ~
| | |
| | (2) following ‘true’ branch (when ‘buffer’ is NULL)...
| 9 | /* Null-pointer dereference */
| 10 | printf("%d\n", *buffer);
| | ~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (3) ...to here
| | (4) use of uninitialized value ‘*buffer’ here
|
ub.c:22:5: warning: double-‘free’ of ‘buffer’ [CWE-415] [-Wanalyzer-double-free]
22 | free(buffer);
| ^~~~~~~~~~~~
‘main’: events 1-12
|
| 6 | int* buffer = (int*)malloc(size * sizeof(int));
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) allocated here
| 7 |
| 8 | if (buffer == NULL) {
| | ~
| | |
| | (2) assuming ‘buffer’ is non-NULL
| | (3) following ‘false’ branch (when ‘buffer’ is non-NULL)...
|......
| 16 | for (size_t i = 0; i <= size; ++i) {
| | ~ ~~~~~~~~~
| | | |
| | | (5) following ‘true’ branch (when ‘i <= size’)...
| | (4) ...to here
| 17 | *(buffer + i) = (int)i;
| | ~
| | |
| | (6) ...to here
|......
| 21 | for (size_t j = 0; j < 2; ++j) {
| | ~~~~~
| | |
| | (7) following ‘true’ branch (when ‘j <= 1’)...
| | (10) following ‘true’ branch (when ‘j <= 1’)...
| 22 | free(buffer);
| | ~~~~~~~~~~~~
| | |
| | (8) ...to here
| | (9) first ‘free’ here
| | (11) ...to here
| | (12) second ‘free’ here; first ‘free’ was at (9)
|
```
Clang's `scan-build` can also detect the null dereference:
```
ub.c:10:20: warning: Dereference of null pointer (loaded from variable 'buffer') [core.NullDereference]
printf("%d\n", *buffer);
^~~~~~~
1 warning generated.
```
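The defects GCC's analyzer walks through above, as an added example that is not code from the repository: `dodgy()` is reconstructed from the lines of `ub.c` the diagnostics quote (the rest of that file is not shown on this page, so its surrounding shape is an assumption), and `safe_sum()` is a hardened counterpart that fixes each flagged defect.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* dodgy() is reconstructed from the lines the -fanalyzer output quotes
 * (ub.c itself is not reproduced on this page, so the surrounding code is
 * an assumption). It is kept only to line the defects up against the
 * warnings and is never called. */
void dodgy(size_t size) {
    int *buffer = (int *)malloc(size * sizeof(int));
    if (buffer == NULL) {
        printf("%d\n", *buffer);            /* CWE-476: dereferences NULL on the failure path */
    }
    for (size_t i = 0; i <= size; ++i) {    /* off-by-one: writes buffer[size], past the end */
        *(buffer + i) = (int)i;
    }
    for (size_t j = 0; j < 2; ++j) {
        free(buffer);                       /* CWE-415: second iteration frees it again */
    }
}

/* safe_sum() is the hardened counterpart: fills the buffer in bounds, reads
 * only initialised elements, frees exactly once. Returns 0 + 1 + ... +
 * (size - 1), or -1 when the allocation cannot be made. */
long safe_sum(size_t size) {
    if (size == 0) {
        return 0;                           /* nothing to allocate or sum */
    }
    if (size > SIZE_MAX / sizeof(int)) {
        return -1;                          /* size * sizeof(int) would wrap around */
    }
    int *buffer = malloc(size * sizeof(int));
    if (buffer == NULL) {
        return -1;                          /* handle the failure instead of using the pointer */
    }
    for (size_t i = 0; i < size; ++i) {     /* strict < keeps every write in bounds */
        buffer[i] = (int)i;
    }
    long sum = 0;
    for (size_t i = 0; i < size; ++i) {
        sum += buffer[i];                   /* every element was written above (no CWE-457) */
    }
    free(buffer);                           /* exactly one free on every path that allocated */
    return sum;
}
int main(void) {
    printf("%ld\n", safe_sum(4));           /* prints 6 */
    return 0;
}
```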