Merge pull request #1141 from geoffw0/newfreebug

jbj · web-flow · commit db8db8669bad · 2019-03-21T17:22:00.000+01:00
CPP: Fix a bug in NewFree.qll
diff --git a/change-notes/1.21/analysis-cpp.md b/change-notes/1.21/analysis-cpp.md
@@ -0,0 +1,16 @@
+# Improvements to C/C++ analysis
+
+## General improvements
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`) | Fewer false positive results | Fixed an issue where functions were being identified as allocation functions inappropriately.  Also affects `cpp/new-array-delete-mismatch` and `cpp/new-delete-array-mismatch`. |
+
+## Changes to QL libraries
diff --git a/cpp/ql/src/Critical/NewDelete.qll b/cpp/ql/src/Critical/NewDelete.qll
@@ -3,6 +3,7 @@
  */
 import cpp
 import semmle.code.cpp.controlflow.SSA
+import semmle.code.cpp.dataflow.DataFlow
 
 /**
  * Holds if `alloc` is a use of `malloc` or `new`.  `kind` is
@@ -46,7 +47,10 @@ predicate allocExprOrIndirect(Expr alloc, string kind) {
     alloc.(FunctionCall).getTarget() = rtn.getEnclosingFunction() and
     (
       allocExprOrIndirect(rtn.getExpr(), kind) or
-      allocReaches0(rtn.getExpr(), _, kind)
+      exists(Expr e |
+        allocExprOrIndirect(e, kind) and
+        DataFlow::localFlow(DataFlow::exprNode(e), DataFlow::exprNode(rtn.getExpr()))
+      )
     )
   )
 }
diff --git a/cpp/ql/test/query-tests/Critical/NewFree/test.cpp b/cpp/ql/test/query-tests/Critical/NewFree/test.cpp
@@ -371,3 +371,56 @@ void test12(bool cond)
 		free(z); // GOOD
 	}
 }
+
+// ---
+
+class MyBuffer13
+{
+public:
+	MyBuffer13(int size)
+	{
+		buffer = (char *)malloc(size * sizeof(char));
+	}
+
+	~MyBuffer13()
+	{
+		free(buffer); // GOOD
+	}
+
+	char *getBuffer() // note: this should not be considered an allocation function
+	{
+		return buffer;
+	}
+
+private:
+	char *buffer;
+};
+
+class MyPointer13
+{
+public:
+	MyPointer13(char *_pointer) : pointer(_pointer)
+	{
+	}
+
+	MyPointer13(MyBuffer13 &buffer) : pointer(buffer.getBuffer())
+	{
+	}
+
+	char *getPointer() // note: this should not be considered an allocation function
+	{
+		return pointer;
+	}
+
+private:
+	char *pointer;
+};
+
+void test13()
+{
+	MyBuffer13 myBuffer(100);
+	MyPointer13 myPointer2(myBuffer);
+	MyPointer13 myPointer3(new char[100]);
+
+	delete myPointer3.getPointer(); // GOOD
+}

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`*/`
`4`	`4`	`import cpp`
`5`	`5`	`import semmle.code.cpp.controlflow.SSA`
	`6`	`+import semmle.code.cpp.dataflow.DataFlow`
`6`	`7`
`7`	`8`	`/**`
`8`	`9`	* Holds if `alloc` is a use of `malloc` or `new`. `kind` is
`@@ -46,7 +47,10 @@ predicate allocExprOrIndirect(Expr alloc, string kind) {`
`46`	`47`	`alloc.(FunctionCall).getTarget() = rtn.getEnclosingFunction() and`
`47`	`48`	`(`
`48`	`49`	`allocExprOrIndirect(rtn.getExpr(), kind) or`
`49`		`- allocReaches0(rtn.getExpr(), _, kind)`
	`50`	`+ exists(Expr e \|`
	`51`	`+ allocExprOrIndirect(e, kind) and`
	`52`	`+ DataFlow::localFlow(DataFlow::exprNode(e), DataFlow::exprNode(rtn.getExpr()))`
	`53`	`+ )`
`50`	`54`	`)`
`51`	`55`	`)`
`52`	`56`	`}`