trailofbits
diff --git a/‎cpp/ql/examples/addressof.ql‎
Lines changed: 15 additions & 0 deletions b/‎cpp/ql/examples/addressof.ql‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎cpp/ql/examples/arrayaccess.ql‎
Lines changed: 16 additions & 0 deletions b/‎cpp/ql/examples/arrayaccess.ql‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎cpp/ql/examples/castexpr.ql‎
Lines changed: 15 additions & 0 deletions b/‎cpp/ql/examples/castexpr.ql‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎cpp/ql/examples/catch_exception.ql‎
Lines changed: 14 additions & 0 deletions b/‎cpp/ql/examples/catch_exception.ql‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎cpp/ql/examples/constructor_call.ql‎
Lines changed: 15 additions & 0 deletions b/‎cpp/ql/examples/constructor_call.ql‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎cpp/ql/examples/derives_from_class.ql‎
Lines changed: 19 additions & 0 deletions b/‎cpp/ql/examples/derives_from_class.ql‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎cpp/ql/examples/emptyblock.ql‎
Lines changed: 13 additions & 0 deletions b/‎cpp/ql/examples/emptyblock.ql‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎cpp/ql/examples/emptythen.ql‎
Lines changed: 16 additions & 0 deletions b/‎cpp/ql/examples/emptythen.ql‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎cpp/ql/examples/eq_true.ql‎
Lines changed: 17 additions & 0 deletions b/‎cpp/ql/examples/eq_true.ql‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎cpp/ql/examples/field_access.ql‎
Lines changed: 15 additions & 0 deletions b/‎cpp/ql/examples/field_access.ql‎
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
+/**
+ * @name Address of reference variable
+ * @description Finds address-of expressions (`&`) that take the address
+ *              of a reference variable
+ * @tags addressof
+ *       reference
+ */
+
+import cpp
+
+from AddressOfExpr addr, VariableAccess access
+where
+  access = addr.getOperand() and
+  access.getTarget().getType() instanceof ReferenceType
+select addr
@@ -0,0 +1,16 @@
+/**
+ * @name Array access
+ * @description Finds array access expressions with an index expression
+ *              consisting of a postfix increment (`++`) expression.
+ * @tags array
+ *       access
+ *       index
+ *       postfix
+ *       increment
+ */
+
+import cpp
+
+from ArrayExpr a
+where a.getArrayOffset() instanceof PostfixIncrExpr
+select a
@@ -0,0 +1,15 @@
+/**
+ * @name Cast expressions
+ * @description Finds casts from a floating point type to an integer type
+ * @tags cast
+ *       integer
+ *       float
+ *       type
+ */
+
+import cpp
+
+from Cast c
+where c.getExpr().getType() instanceof FloatingPointType
+  and c.getType() instanceof IntegralType
+select c
@@ -0,0 +1,14 @@
+/**
+ * @name Catch exception
+ * @description Finds places where we catch exceptions of type `parse_error`
+ * @tags catch
+ *       try
+ *       exception
+ */
+ 
+import cpp
+
+from CatchBlock catch
+// `stripType` converts `const parse_error &` to `parse_error`.
+where catch.getParameter().getType().stripType().hasName("parse_error")
+select catch
@@ -0,0 +1,15 @@
+/**
+ * @name Call to constructor
+ * @description Finds places where we call `new MyClass(...)`
+ * @tags call
+ *       constructor
+ *       new
+ */
+ 
+import cpp
+
+from NewExpr new, Constructor c
+where
+  c = new.getInitializer().(ConstructorCall).getTarget() and
+  c.getName() = "MyClass"
+select new
@@ -0,0 +1,19 @@
+/**
+ * @name Class derives from
+ * @description Finds classes that derive from `std::exception`
+ * @tags base
+ *       class
+ *       derive
+ *       inherit
+ *       override
+ *       subtype
+ *       supertype
+ */
+ 
+import cpp
+
+from Class type
+where
+  type.getABaseClass+().hasName("exception") and
+  type.getNamespace().getName() = "std"
+select type
@@ -0,0 +1,13 @@
+/**
+ * @name Empty blocks
+ * @description Finds empty block statements
+ * @tags empty
+ *       block
+ *       statement
+ */
+
+import cpp
+
+from Block blk
+where blk.getNumStmt() = 0
+select blk
@@ -0,0 +1,16 @@
+/**
+ * @name If statements with empty then branch
+ * @description Finds `if` statements where the `then` branch is
+ *              an empty block statement
+ * @tags if
+ *       then
+ *       empty
+ *       conditional
+ *       branch
+ */
+
+import cpp
+
+from IfStmt i
+where i.getThen().(Block).getNumStmt() = 0
+select i
@@ -0,0 +1,17 @@
+/**
+ * @name Equality test on boolean
+ * @description Finds tests like `==true`, `!=true`
+ * @tags equal
+ *       comparison
+ *       test
+ *       boolean
+ */
+ 
+import cpp
+
+from EqualityOperation eq, Expr trueExpr
+where
+  trueExpr = eq.getAnOperand() and
+  trueExpr.getType() instanceof BoolType and
+  trueExpr.getValue().toInt() = 1
+select eq
@@ -0,0 +1,15 @@
+/**
+ * @name Access of field
+ * @description Finds reads of `aDate` (defined on class `Order`)
+ * @tags access
+ *       field
+ *       read
+ */
+ 
+import cpp
+
+from Field f, FieldAccess access
+where f.hasName("aDate")
+  and f.getDeclaringType().hasName("Order")
+  and f = access.getTarget()
+select access