diff --git a/cpp/ql/src/semmle/code/cpp/commons/Alloc.qll b/cpp/ql/src/semmle/code/cpp/commons/Alloc.qll
index 1ada25532ae..b6b38de3e25 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/Alloc.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/Alloc.qll
@@ -1,5 +1,6 @@
 import cpp
 import semmle.code.cpp.models.interfaces.Allocation
+import semmle.code.cpp.models.interfaces.Deallocation
 /**
 * A library routine that allocates memory.
diff --git a/cpp/ql/src/semmle/code/cpp/models/Models.qll b/cpp/ql/src/semmle/code/cpp/models/Models.qll
index 4263ba724e6..162b2f2f0c8 100644
--- a/cpp/ql/src/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -1,4 +1,5 @@
 private import implementations.Allocation
+private import implementations.Deallocation
 private import implementations.IdentityFunction
 private import implementations.Inet
 private import implementations.Memcpy
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Allocation.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Allocation.qll
index 887cbaec85c..6b5ebc38311 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Allocation.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Allocation.qll
@@ -209,119 +209,3 @@ class NewArrayAllocationExpr extends AllocationExpr, NewArrayExpr {
 result = getAllocatedType().getSize()
 }
 }
-
-/**
- * A deallocation function such as `free`.
- */
-class StandardDeallocationFunction extends DeallocationFunction {
- int freedArg;
-
- StandardDeallocationFunction() {
- exists(string name |
- hasGlobalName(name) and
- (
- name = "free" and freedArg = 0
- or
- name = "realloc" and freedArg = 0
- )
- or
- hasGlobalOrStdName(name) and
- (
- name = "ExFreePoolWithTag" and freedArg = 0
- or
- name = "ExFreeToLookasideListEx" and freedArg = 1
- or
- name = "ExFreeToPagedLookasideList" and freedArg = 1
- or
- name = "ExFreeToNPagedLookasideList" and freedArg = 1
- or
- name = "ExDeleteTimer" and freedArg = 0
- or
- name = "IoFreeMdl" and freedArg = 0
- or
- name = "IoFreeWorkItem" and freedArg = 0
- or
- name = "IoFreeErrorLogEntry" and freedArg = 0
- or
- name = "MmFreeContiguousMemory" and freedArg = 0
- or
- name = "MmFreeContiguousMemorySpecifyCache" and freedArg = 0
- or
- name = "MmFreeNonCachedMemory" and freedArg = 0
- or
- name = "MmFreeMappingAddress" and freedArg = 0
- or
- name = "MmFreePagesFromMdl" and freedArg = 0
- or
- name = "MmUnmapReservedMapping" and freedArg = 0
- or
- name = "MmUnmapLockedPages" and freedArg = 0
- or
- name = "LocalFree" and freedArg = 0
- or
- name = "GlobalFree" and freedArg = 0
- or
- name = "HeapFree" and freedArg = 2
- or
- name = "VirtualFree" and freedArg = 0
- or
- name = "CoTaskMemFree" and freedArg = 0
- or
- name = "SysFreeString" and freedArg = 0
- or
- name = "LocalReAlloc" and freedArg = 0
- or
- name = "GlobalReAlloc" and freedArg = 0
- or
- name = "HeapReAlloc" and freedArg = 2
- or
- name = "CoTaskMemRealloc" and freedArg = 0
- )
- )
- }
-
- override int getFreedArg() {
- result = freedArg
- }
-}
-
-/**
- * An deallocation expression that is a function call, such as call to `free`.
- */
-class CallDeallocationExpr extends DeallocationExpr, FunctionCall {
- DeallocationFunction target;
-
- CallDeallocationExpr() {
- target = getTarget()
- }
-
- override Expr getFreedExpr() {
- result = getArgument(target.getFreedArg())
- }
-}
-
-/**
- * An deallocation expression that is a `delete` expression.
- */
-class DeleteDeallocationExpr extends DeallocationExpr, DeleteExpr {
- DeleteDeallocationExpr() {
- this instanceof DeleteExpr
- }
-
- override Expr getFreedExpr() {
- result = getExpr()
- }
-}
-
-/**
- * An deallocation expression that is a `delete []` expression.
- */
-class DeleteArrayDeallocationExpr extends DeallocationExpr, DeleteArrayExpr {
- DeleteArrayDeallocationExpr() {
- this instanceof DeleteArrayExpr
- }
-
- override Expr getFreedExpr() {
- result = getExpr()
- }
-}
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Deallocation.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Deallocation.qll
new file mode 100644
index 00000000000..a9c3a80487d
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Deallocation.qll
@@ -0,0 +1,117 @@
+import semmle.code.cpp.models.interfaces.Allocation
+
+/**
+ * A deallocation function such as `free`.
+ */
+class StandardDeallocationFunction extends DeallocationFunction {
+ int freedArg;
+
+ StandardDeallocationFunction() {
+ exists(string name |
+ hasGlobalName(name) and
+ (
+ name = "free" and freedArg = 0
+ or
+ name = "realloc" and freedArg = 0
+ )
+ or
+ hasGlobalOrStdName(name) and
+ (
+ name = "ExFreePoolWithTag" and freedArg = 0
+ or
+ name = "ExFreeToLookasideListEx" and freedArg = 1
+ or
+ name = "ExFreeToPagedLookasideList" and freedArg = 1
+ or
+ name = "ExFreeToNPagedLookasideList" and freedArg = 1
+ or
+ name = "ExDeleteTimer" and freedArg = 0
+ or
+ name = "IoFreeMdl" and freedArg = 0
+ or
+ name = "IoFreeWorkItem" and freedArg = 0
+ or
+ name = "IoFreeErrorLogEntry" and freedArg = 0
+ or
+ name = "MmFreeContiguousMemory" and freedArg = 0
+ or
+ name = "MmFreeContiguousMemorySpecifyCache" and freedArg = 0
+ or
+ name = "MmFreeNonCachedMemory" and freedArg = 0
+ or
+ name = "MmFreeMappingAddress" and freedArg = 0
+ or
+ name = "MmFreePagesFromMdl" and freedArg = 0
+ or
+ name = "MmUnmapReservedMapping" and freedArg = 0
+ or
+ name = "MmUnmapLockedPages" and freedArg = 0
+ or
+ name = "LocalFree" and freedArg = 0
+ or
+ name = "GlobalFree" and freedArg = 0
+ or
+ name = "HeapFree" and freedArg = 2
+ or
+ name = "VirtualFree" and freedArg = 0
+ or
+ name = "CoTaskMemFree" and freedArg = 0
+ or
+ name = "SysFreeString" and freedArg = 0
+ or
+ name = "LocalReAlloc" and freedArg = 0
+ or
+ name = "GlobalReAlloc" and freedArg = 0
+ or
+ name = "HeapReAlloc" and freedArg = 2
+ or
+ name = "CoTaskMemRealloc" and freedArg = 0
+ )
+ )
+ }
+
+ override int getFreedArg() {
+ result = freedArg
+ }
+}
+
+/**
+ * An deallocation expression that is a function call, such as call to `free`.
+ */
+class CallDeallocationExpr extends DeallocationExpr, FunctionCall {
+ DeallocationFunction target;
+
+ CallDeallocationExpr() {
+ target = getTarget()
+ }
+
+ override Expr getFreedExpr() {
+ result = getArgument(target.getFreedArg())
+ }
+}
+
+/**
+ * An deallocation expression that is a `delete` expression.
+ */
+class DeleteDeallocationExpr extends DeallocationExpr, DeleteExpr {
+ DeleteDeallocationExpr() {
+ this instanceof DeleteExpr
+ }
+
+ override Expr getFreedExpr() {
+ result = getExpr()
+ }
+}
+
+/**
+ * An deallocation expression that is a `delete []` expression.
+ */
+class DeleteArrayDeallocationExpr extends DeallocationExpr, DeleteArrayExpr {
+ DeleteArrayDeallocationExpr() {
+ this instanceof DeleteArrayExpr
+ }
+
+ override Expr getFreedExpr() {
+ result = getExpr()
+ }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/Allocation.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/Allocation.qll
index 31cd2c1aa35..33950853b49 100644
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/Allocation.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/Allocation.qll
@@ -1,9 +1,9 @@
 /**
 * Provides an abstract class for modelling functions and expressions that
- * allocate or deallocate memory, such as the standard `malloc` function. To
- * use this QL library, create one or more QL classes extending classes here
- * with a characteristic predicate that selects the functions or expressions
- * you are trying to model. Within that class, override the predicates provided
+ * allocate memory, such as the standard `malloc` function. To use this QL
+ * library, create one or more QL classes extending a class here with a
+ * characteristic predicate that selects the functions or expressions you are
+ * trying to model. Within that class, override the predicates provided
 * by the abstract class to match the specifics of those functions or
 * expressions. Finally, add a private import statement to `Models.qll`.
 */
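Review bot: The only import in the new `implementations/Deallocation.qll` is `semmle.code.cpp.models.interfaces.Allocation`, yet every class in the file extends `DeallocationFunction` or `DeallocationExpr`, which this same commit removes from that module and moves into `interfaces/Deallocation.qll`. Unless those names still reach this file through an import path not visible here (the `Models.qll` hunk adds only a `private import`, which QL does not re-export), the file will fail to compile, and the `commons/Alloc.qll` hunk shows the author already needed the explicit import there; the first line should read `import semmle.code.cpp.models.interfaces.Deallocation`. Two smaller points carried over with the move: the characteristic predicates `this instanceof DeleteExpr` and `this instanceof DeleteArrayExpr` are already implied by each class's `extends` clause and can be dropped, and the three class comments that begin `An deallocation expression` should read `A deallocation expression` (with `such as a call to `free``). Since this is the model that use-after-free and double-free queries rely on to recognise frees, it is worth confirming a query over `DeallocationExpr` still compiles after the split rather than relying on the CI build alone.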
@@ -64,23 +64,3 @@ abstract class AllocationExpr extends Expr {
 */
 Expr getReallocPtr() { none() }
 }
-
-/**
- * A deallocation function such as `free`.
- */
-abstract class DeallocationFunction extends Function {
- /**
- * Gets the index of the argument that is freed by this function.
- */
- int getFreedArg() { none() }
-}
-
-/**
- * An deallocation expression such as call to `free` or a `delete` expression.
- */
-abstract class DeallocationExpr extends Expr {
- /**
- * Gets the expression that is freed by this function.
- */
- Expr getFreedExpr() { none() }
-}
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/Deallocation.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/Deallocation.qll
new file mode 100644
index 00000000000..9223592ef67
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/Deallocation.qll
@@ -0,0 +1,32 @@
+/**
+ * Provides an abstract class for modelling functions and expressions that
+ * deallocate memory, such as the standard `free` function. To use this QL
+ * library, create one or more QL classes extending a class here with a
+ * characteristic predicate that selects the functions or expressions you are
+ * trying to model. Within that class, override the predicates provided
+ * by the abstract class to match the specifics of those functions or
+ * expressions. Finally, add a private import statement to `Models.qll`.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.Models
+
+/**
+ * A deallocation function such as `free`.
+ */
+abstract class DeallocationFunction extends Function {
+ /**
+ * Gets the index of the argument that is freed by this function.
+ */
+ int getFreedArg() { none() }
+}
+
+/**
+ * An deallocation expression such as call to `free` or a `delete` expression.
+ */
+abstract class DeallocationExpr extends Expr {
+ /**
+ * Gets the expression that is freed by this function.
+ */
+ Expr getFreedExpr() { none() }
+}
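Review bot: The Javadoc carried into the new `interfaces/Deallocation.qll` describes the wrong receiver in `DeallocationExpr`: `getFreedExpr` says `Gets the expression that is freed by this function.` although the class is an expression, not a function; `Gets the expression that is freed by this deallocation expression.` is accurate, and the class comment above it should open `A deallocation expression such as a call to `free`` rather than `An deallocation expression such as call to`. The file header says `Provides an abstract class` while the module declares two (`DeallocationFunction` and `DeallocationExpr`), so `Provides abstract classes` would match the contents. The header's instruction to add a private import to `Models.qll` covers registering a new model, but as the `commons/Alloc.qll` hunk shows, code that merely uses `DeallocationFunction`/`DeallocationExpr` must import this module itself, since a private import is not re-exported; a sentence stating that would save the next modeller the same compile error.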