C++: Fix FPs due to data flow Conversion handling

jbj · jbj · commit 6b1cd1700938 · 2019-03-16T20:50:27.000+01:00
Since we cannot track data flow from a fully-converted expression but
only the unconverted expression, we should check whether the address
initially escapes into the unconverted expression, not the
fully-converted one.

This fixes most of the false positives observed on lgtm.com.
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql b/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
@@ -41,7 +41,7 @@ where
     // the address escapes into some expression `pointerToLocal`, which flows
     // in a non-trivial way (one or more steps) to a returned expression.
     exists(Expr pointerToLocal |
-      variableAddressEscapesTree(va, pointerToLocal.getFullyConverted()) and
+      variableAddressEscapesTree(va, pointerToLocal) and
       conservativeDataFlowStep+(
         DataFlow::exprNode(pointerToLocal),
         DataFlow::exprNode(r.getExpr())
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected
@@ -6,5 +6,3 @@
 | test.cpp:112:2:112:12 | return ... | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr |
 | test.cpp:119:2:119:19 | return ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr |
 | test.cpp:149:3:149:22 | return ... | May return stack-allocated memory from $@. | test.cpp:149:11:149:21 | threadLocal | threadLocal |
-| test.cpp:155:3:155:18 | return ... | May return stack-allocated memory from $@. | test.cpp:154:19:154:26 | localInt | localInt |
-| test.cpp:165:3:165:19 | return ... | May return stack-allocated memory from $@. | test.cpp:164:21:164:28 | localBuf | localBuf |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp
@@ -152,7 +152,7 @@ int *returnThreadLocal() {
 int returnDereferenced() {
   int localInt = 2;
   int &localRef = localInt;
-  return localRef; // GOOD [FALSE POSITIVE]
+  return localRef; // GOOD
 }
 
 typedef unsigned long size_t;
@@ -162,5 +162,5 @@ char *returnAfterCopy() {
   char localBuf[] = "Data";
   static char staticBuf[sizeof(localBuf)];
   memcpy(staticBuf, localBuf, sizeof(staticBuf));
-  return staticBuf; // GOOD [FALSE POSITIVE]
+  return staticBuf; // GOOD
 }

Original file line number	Diff line number	Diff line change
`@@ -152,7 +152,7 @@ int *returnThreadLocal() {`
`152`	`152`	`int returnDereferenced() {`
`153`	`153`	`int localInt = 2;`
`154`	`154`	`int &localRef = localInt;`
`155`		`- return localRef; // GOOD [FALSE POSITIVE]`
	`155`	`+ return localRef; // GOOD`
`156`	`156`	`}`
`157`	`157`
`158`	`158`	`typedef unsigned long size_t;`
`@@ -162,5 +162,5 @@ char *returnAfterCopy() {`
`162`	`162`	`char localBuf[] = "Data";`
`163`	`163`	`static char staticBuf[sizeof(localBuf)];`
`164`	`164`	`memcpy(staticBuf, localBuf, sizeof(staticBuf));`
`165`		`- return staticBuf; // GOOD [FALSE POSITIVE]`
	`165`	`+ return staticBuf; // GOOD`
`166`	`166`	`}`