CPP: Fix false positives when member variable is released via an ExprCall.

geoffw0 · geoffw0 · commit 370387a9cad8 · 2018-12-12T11:38:44.000Z
diff --git a/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql b/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql
@@ -167,6 +167,13 @@ predicate unreleasedResource(Resource r, Expr acquire, File f, int acquireLine)
     and f = acquire.getFile()
     and acquireLine = acquire.getLocation().getStartLine()
 
+    and not exists(ExprCall exprCall |
+      // expression call (function pointer or lambda) with `r` as an
+      // argument, which could release it.
+      exprCall.getAnArgument() = r.getAnAccess() and
+      r.inDestructor(exprCall)
+    )
+
     // check that any destructor for this class has a block; if it doesn't,
     // we must be missing information.
     and forall(Class c, Destructor d |
diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.expected b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.expected
@@ -10,9 +10,7 @@
 | DeleteThis.cpp:60:3:60:24 | ... = ... | Resource ptr14 is acquired by class MyClass3 but not released anywhere in this class. |
 | DeleteThis.cpp:127:3:127:20 | ... = ... | Resource d is acquired by class MyClass9 but not released anywhere in this class. |
 | ExternalOwners.cpp:49:3:49:20 | ... = ... | Resource a is acquired by class MyScreen but not released anywhere in this class. |
-| Lambda.cpp:7:3:7:21 | ... = ... | Resource r1 is acquired by class testLambda but not released anywhere in this class. |
 | Lambda.cpp:24:3:24:21 | ... = ... | Resource r4 is acquired by class testLambda but not released anywhere in this class. |
-| Lambda.cpp:26:3:26:21 | ... = ... | Resource r5 is acquired by class testLambda but not released anywhere in this class. |
 | Lambda.cpp:29:3:29:21 | ... = ... | Resource r6 is acquired by class testLambda but not released in the destructor. It is released from deleter_for_r6 on line 40, so this function may need to be called from the destructor. |
 | ListDelete.cpp:21:3:21:21 | ... = ... | Resource first is acquired by class MyThingColection but not released anywhere in this class. |
 | NoDestructor.cpp:23:3:23:20 | ... = ... | Resource n is acquired by class MyClass5 but not released anywhere in this class. |
diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp
@@ -4,7 +4,7 @@ class testLambda
 public:
 	testLambda()
 	{
-		r1 = new char[4096]; // GOOD [FALSE POSITIVE]
+		r1 = new char[4096]; // GOOD
 		deleter1 = [](char *r) {
 			delete [] r;
 		};
@@ -23,7 +23,7 @@ class testLambda
 
 		r4 = new char[4096]; // BAD
 
-		r5 = new char[4096]; // GOOD [FALSE POSITIVE]
+		r5 = new char[4096]; // GOOD
 		deleter5 = &deleter_for_r5;
 
 		r6 = new char[4096]; // GOOD [FALSE POSITIVE]
