
Commit 6d91d55

committed
C++: Use the AllocationExpr model.
1 parent 17ff342 commit 6d91d55


2 files changed

+10
-40
lines changed


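--- a/cpp/ql/src/Critical/SizeCheck.ql
+++ b/cpp/ql/src/Critical/SizeCheck.ql
@@ -13,25 +13,9 @@
 */
 
 import cpp
+import semmle.code.cpp.models.Models
 
-class Allocation extends FunctionCall {
-Allocation() { this.getTarget().hasGlobalOrStdName(["malloc", "calloc", "realloc"]) }
-
-private string getName() { this.getTarget().hasGlobalOrStdName(result) }
-
-int getSize() {
-this.getName() = "malloc" and
-this.getArgument(0).getValue().toInt() = result
-or
-this.getName() = "realloc" and
-this.getArgument(1).getValue().toInt() = result
-or
-this.getName() = "calloc" and
-result = this.getArgument(0).getValue().toInt() * this.getArgument(1).getValue().toInt()
-}
-}
-
-predicate baseType(Allocation alloc, Type base) {
+predicate baseType(AllocationExpr alloc, Type base) {
 exists(PointerType pointer |
 pointer.getBaseType() = base and
 (
@@ -49,11 +33,12 @@ predicate decideOnSize(Type t, int size) {
 size = min(t.getSize())
 }
 
-from Allocation alloc, Type base, int basesize, int allocated
+from AllocationExpr alloc, Type base, int basesize, int allocated
 where
 baseType(alloc, base) and
-allocated = alloc.getSize() and
+allocated = alloc.getSizeBytes() and
 decideOnSize(base, basesize) and
+alloc.(FunctionCall).getTarget() instanceof AllocationFunction and // exclude `new` and similar
 basesize > allocated
 select alloc,
 "Type '" + base.getName() + "' is " + basesize.toString() + " bytes, but only " +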
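--- a/cpp/ql/src/Critical/SizeCheck2.ql
+++ b/cpp/ql/src/Critical/SizeCheck2.ql
@@ -13,25 +13,9 @@
 */
 
 import cpp
+import semmle.code.cpp.models.Models
 
-class Allocation extends FunctionCall {
-Allocation() { this.getTarget().hasGlobalOrStdName(["malloc", "calloc", "realloc"]) }
-
-private string getName() { this.getTarget().hasGlobalOrStdName(result) }
-
-int getSize() {
-this.getName() = "malloc" and
-this.getArgument(0).getValue().toInt() = result
-or
-this.getName() = "realloc" and
-this.getArgument(1).getValue().toInt() = result
-or
-this.getName() = "calloc" and
-result = this.getArgument(0).getValue().toInt() * this.getArgument(1).getValue().toInt()
-}
-}
-
-predicate baseType(Allocation alloc, Type base) {
+predicate baseType(AllocationExpr alloc, Type base) {
 exists(PointerType pointer |
 pointer.getBaseType() = base and
 (
@@ -49,11 +33,12 @@ predicate decideOnSize(Type t, int size) {
 size = min(t.getSize())
 }
 
-from Allocation alloc, Type base, int basesize, int allocated
+from AllocationExpr alloc, Type base, int basesize, int allocated
 where
 baseType(alloc, base) and
-allocated = alloc.getSize() and
+allocated = alloc.getSizeBytes() and
 decideOnSize(base, basesize) and
+alloc.(FunctionCall).getTarget() instanceof AllocationFunction and // exclude `new` and similar
 // If the codebase has more than one type with the same name, check if any matches
 not exists(int size | base.getSize() = size |
 size = 0 or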