CPP: Fix false positives when a member variable is released via the target of a function pointer.

geoffw0 · geoffw0 · commit 2f3a874c7d00 · 2018-12-12T11:38:44.000Z
diff --git a/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql b/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql
@@ -227,6 +227,11 @@ predicate leakedInSameMethod(Resource r, Expr acquire) {
         fc.getQualifier() = r.getAnAccess() or // e.g. `r->setOwner(this)`
         fc = acquire.getAChild*() // e.g. `r = new MyClass(this)`
       )
+    ) or exists(FunctionAccess fa, string kind |
+      // the address of a function that releases `r` is taken (and likely
+      // used to release `r` at some point).
+      r.acquisitionWithRequiredKind(acquire, kind) and
+      fa.getTarget() = r.getAReleaseExpr(kind).getEnclosingFunction()
     )
   )
 }
diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.expected b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.expected
@@ -11,7 +11,6 @@
 | DeleteThis.cpp:127:3:127:20 | ... = ... | Resource d is acquired by class MyClass9 but not released anywhere in this class. |
 | ExternalOwners.cpp:49:3:49:20 | ... = ... | Resource a is acquired by class MyScreen but not released anywhere in this class. |
 | Lambda.cpp:24:3:24:21 | ... = ... | Resource r4 is acquired by class testLambda but not released anywhere in this class. |
-| Lambda.cpp:29:3:29:21 | ... = ... | Resource r6 is acquired by class testLambda but not released in the destructor. It is released from deleter_for_r6 on line 40, so this function may need to be called from the destructor. |
 | ListDelete.cpp:21:3:21:21 | ... = ... | Resource first is acquired by class MyThingColection but not released anywhere in this class. |
 | NoDestructor.cpp:23:3:23:20 | ... = ... | Resource n is acquired by class MyClass5 but not released anywhere in this class. |
 | PlacementNew.cpp:36:3:36:36 | ... = ... | Resource p1 is acquired by class MyTestForPlacementNew but not released anywhere in this class. |
diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp
@@ -26,7 +26,7 @@ class testLambda
 		r5 = new char[4096]; // GOOD
 		deleter5 = &deleter_for_r5;
 
-		r6 = new char[4096]; // GOOD [FALSE POSITIVE]
+		r6 = new char[4096]; // GOOD
 		deleter6 = &testLambda::deleter_for_r6;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -227,6 +227,11 @@ predicate leakedInSameMethod(Resource r, Expr acquire) {`
`227`	`227`	fc.getQualifier() = r.getAnAccess() or // e.g. `r->setOwner(this)`
`228`	`228`	fc = acquire.getAChild*() // e.g. `r = new MyClass(this)`
`229`	`229`	`)`
	`230`	`+ ) or exists(FunctionAccess fa, string kind \|`
	`231`	+ // the address of a function that releases `r` is taken (and likely
	`232`	+ // used to release `r` at some point).
	`233`	`+ r.acquisitionWithRequiredKind(acquire, kind) and`
	`234`	`+ fa.getTarget() = r.getAReleaseExpr(kind).getEnclosingFunction()`
`230`	`235`	`)`
`231`	`236`	`)`
`232`	`237`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ class testLambda`
`26`	`26`	`r5 = new char[4096]; // GOOD`
`27`	`27`	`deleter5 = &deleter_for_r5;`
`28`	`28`
`29`		`- r6 = new char[4096]; // GOOD [FALSE POSITIVE]`
	`29`	`+ r6 = new char[4096]; // GOOD`
`30`	`30`	`deleter6 = &testLambda::deleter_for_r6;`
`31`	`31`	`}`
`32`	`32`