CPP: Fix over-enthusiastic dataflow in allocExprOrIndirect.

Author: geoffw0

cpp/ql/src/Critical/NewDelete.qll

@@ -46,7 +46,11 @@ predicate allocExprOrIndirect(Expr alloc, string kind) {
     alloc.(FunctionCall).getTarget() = rtn.getEnclosingFunction() and
     (
       allocExprOrIndirect(rtn.getExpr(), kind) or
-      allocReaches0(rtn.getExpr(), _, kind)
+      exists(SsaDefinition def, LocalScopeVariable v |
+        // alloc via SSA
+        allocExprOrIndirect(def.getAnUltimateDefiningValue(v), kind) and
+        rtn.getExpr() = def.getAUse(v)
+      )
     )
   )
 }

cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.expected

@@ -6,10 +6,8 @@
 | test.cpp:91:3:91:11 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:88:28:88:36 | call to my_malloc | malloc |
 | test.cpp:99:3:99:11 | call to my_delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:96:28:96:33 | call to malloc | malloc |
 | test.cpp:138:2:138:9 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:135:12:135:22 | call to my_malloc_2 | malloc |
-| test.cpp:155:2:155:9 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:152:12:152:22 | call to my_malloc_3 | malloc |
 | test.cpp:232:2:232:9 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:226:7:226:12 | call to malloc | malloc |
 | test.cpp:233:2:233:12 | delete[] | There is a malloc/delete mismatch between this delete[] and the corresponding $@. | test.cpp:226:7:226:12 | call to malloc | malloc |
 | test.cpp:235:2:235:5 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test.cpp:227:7:227:13 | new | new |
 | test.cpp:239:2:239:5 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test.cpp:228:7:228:17 | new[] | new[] |
 | test.cpp:272:3:272:6 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test.cpp:265:7:265:13 | new | new |
-| test.cpp:425:2:425:31 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:425:20:425:29 | call to getPointer | malloc |

cpp/ql/test/query-tests/Critical/NewFree/test.cpp

@@ -152,7 +152,7 @@ void test3()
 	void *b = my_malloc_3(10);
 
 	free(a); // GOOD
-	delete b; // BAD: malloc -> delete
+	delete b; // BAD: malloc -> delete [NOT DETECTED]
 }
 
 void test4(bool do_array_delete)
@@ -422,5 +422,5 @@ void test13()
 	MyPointer13 myPointer2(myBuffer);
 	MyPointer13 myPointer3(new char[100]);
 
-	delete myPointer2.getPointer(); // GOOD [FALSE POSITIVE]
+	delete myPointer2.getPointer(); // GOOD
 }