C++: Model operator new and operator new[].

2026-04-26 17:25:19 +02:00 · 2020-03-30 18:11:07 +01:00
parent ef68bd6bf4
commit 259f714d91
3 changed files with 59 additions and 8 deletions
--- a/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll
@@ -2,6 +2,7 @@ import semmle.code.cpp.Element
 private import semmle.code.cpp.Enclosing
 private import semmle.code.cpp.internal.ResolveClass
 private import semmle.code.cpp.internal.AddressConstantExpression
+private import semmle.code.cpp.models.implementations.Allocation

 /**
 * A C/C++ expression.
@@ -804,8 +805,10 @@ class NewOrNewArrayExpr extends Expr, @any_new_expr {
   * call the constructor of `T` but will not allocate memory.
   */
  Expr getPlacementPointer() {
-    isStandardPlacementNewAllocator(this.getAllocator()) and
-    result = this.getAllocatorCall().getArgument(1)
+    result =
+      this
+          .getAllocatorCall()
+          .getArgument(this.getAllocator().(OperatorNewAllocationFunction).getPlacementArgument())
  }
 }

@@ -1194,12 +1197,6 @@ private predicate convparents(Expr child, int idx, Element parent) {
  )
 }

-private predicate isStandardPlacementNewAllocator(Function operatorNew) {
-  operatorNew.getName().matches("operator new%") and
-  operatorNew.getNumberOfParameters() = 2 and
-  operatorNew.getParameter(1).getType() instanceof VoidPointerType
-}
-
 // Pulled out for performance. See QL-796.
 private predicate hasNoConversions(Expr e) { not e.hasConversion() }

--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Allocation.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Allocation.qll
@@ -215,6 +215,39 @@ class SizelessAllocationFunction extends AllocationFunction {
  }
 }

+/**
+ * An `operator new` or `operator new[]` function that may be associated with a `new` or
+ * `new[]` expression.  Note that `new` and `new[]` are not function calls, but these
+ * functions may also be called directly.
+ */
+class OperatorNewAllocationFunction extends AllocationFunction {
+  OperatorNewAllocationFunction() {
+    exists(string name |
+      hasGlobalOrStdName(name) and
+      (
+        // operator new(bytes, ...)
+        name = "operator new" or
+        // operator new[](bytes, ...)
+        name = "operator new[]"
+      )
+    )
+  }
+
+  override int getSizeArg() { result = 0 }
+
+  override predicate requiresDealloc() { not exists(getPlacementArgument()) }
+
+  /**
+   * Gets the position of the placement pointer if this is a placement
+   * `operator new` function.
+   */
+  int getPlacementArgument() {
+    getNumberOfParameters() = 2 and
+    getParameter(1).getType() instanceof VoidPointerType and
+    result = 1
+  }
+}
+
 /**
 * An allocation expression that is a function call, such as call to `malloc`.
 */
--- a/cpp/ql/test/library-tests/allocators/allocators.expected
+++ b/cpp/ql/test/library-tests/allocators/allocators.expected
@@ -47,15 +47,31 @@ deleteArrayExprs
 | allocators.cpp:82:3:82:49 | delete[] | PolymorphicBase | operator delete[](void *, unsigned long) -> void | 8 | 8 | sized  |
 | allocators.cpp:83:3:83:23 | delete[] | int | operator delete[](void *, unsigned long) -> void | 4 | 4 | sized  |
 allocationFunctions
+| allocators.cpp:7:7:7:18 | operator new | getSizeArg = 0, requiresDealloc |
+| allocators.cpp:8:7:8:20 | operator new[] | getSizeArg = 0, requiresDealloc |
+| allocators.cpp:9:7:9:18 | operator new | getSizeArg = 0, requiresDealloc |
+| allocators.cpp:10:7:10:20 | operator new[] | getSizeArg = 0, requiresDealloc |
+| allocators.cpp:121:7:121:18 | operator new | getSizeArg = 0 |
+| allocators.cpp:122:7:122:20 | operator new[] | getSizeArg = 0 |
+| allocators.cpp:123:7:123:18 | operator new | getSizeArg = 0, requiresDealloc |
+| allocators.cpp:124:7:124:20 | operator new[] | getSizeArg = 0, requiresDealloc |
+| file://:0:0:0:0 | operator new | getSizeArg = 0, requiresDealloc |
+| file://:0:0:0:0 | operator new | getSizeArg = 0, requiresDealloc |
+| file://:0:0:0:0 | operator new[] | getSizeArg = 0, requiresDealloc |
+| file://:0:0:0:0 | operator new[] | getSizeArg = 0, requiresDealloc |
 allocationExprs
 | allocators.cpp:49:3:49:9 | new | getSizeBytes = 4, requiresDealloc |
+| allocators.cpp:50:3:50:15 | call to operator new | getSizeExpr = <error expr>, getSizeMult = 1, requiresDealloc |
 | allocators.cpp:50:3:50:15 | new | getSizeBytes = 4, requiresDealloc |
 | allocators.cpp:51:3:51:11 | new | getSizeBytes = 4, requiresDealloc |
 | allocators.cpp:52:3:52:14 | new | getSizeBytes = 8, requiresDealloc |
+| allocators.cpp:53:3:53:27 | call to operator new | getSizeExpr = <error expr>, getSizeMult = 1, requiresDealloc |
 | allocators.cpp:53:3:53:27 | new | getSizeBytes = 8, requiresDealloc |
 | allocators.cpp:54:3:54:17 | new | getSizeBytes = 256, requiresDealloc |
+| allocators.cpp:55:3:55:25 | call to operator new | getSizeExpr = <error expr>, getSizeMult = 1, requiresDealloc |
 | allocators.cpp:55:3:55:25 | new | getSizeBytes = 256, requiresDealloc |
 | allocators.cpp:68:3:68:12 | new[] | getSizeExpr = n, getSizeMult = 4, requiresDealloc |
+| allocators.cpp:69:3:69:18 | call to operator new[] | getSizeExpr = <error expr>, getSizeMult = 1, requiresDealloc |
 | allocators.cpp:69:3:69:18 | new[] | getSizeExpr = n, getSizeMult = 4, requiresDealloc |
 | allocators.cpp:70:3:70:15 | new[] | getSizeExpr = n, getSizeMult = 8, requiresDealloc |
 | allocators.cpp:71:3:71:20 | new[] | getSizeExpr = n, getSizeMult = 256, requiresDealloc |
@@ -64,13 +80,18 @@ allocationExprs
 | allocators.cpp:108:3:108:19 | new[] | getSizeExpr = n, getSizeMult = 1, requiresDealloc |
 | allocators.cpp:109:3:109:35 | new | getSizeBytes = 128, requiresDealloc |
 | allocators.cpp:110:3:110:37 | new[] | getSizeBytes = 1280, requiresDealloc |
+| allocators.cpp:129:3:129:21 | call to operator new | getSizeExpr = <error expr>, getSizeMult = 1 |
 | allocators.cpp:129:3:129:21 | new | getSizeBytes = 4 |
+| allocators.cpp:132:3:132:17 | call to operator new[] | getSizeExpr = <error expr>, getSizeMult = 1 |
 | allocators.cpp:132:3:132:17 | new[] | getSizeBytes = 4 |
+| allocators.cpp:135:3:135:26 | call to operator new | getSizeExpr = <error expr>, getSizeMult = 1, requiresDealloc |
 | allocators.cpp:135:3:135:26 | new | getSizeBytes = 4, requiresDealloc |
+| allocators.cpp:136:3:136:26 | call to operator new[] | getSizeExpr = <error expr>, getSizeMult = 1, requiresDealloc |
 | allocators.cpp:136:3:136:26 | new[] | getSizeBytes = 8, requiresDealloc |
 | allocators.cpp:142:13:142:27 | new[] | getSizeExpr = x, getSizeMult = 10, requiresDealloc |
 | allocators.cpp:143:13:143:28 | new[] | getSizeBytes = 400, requiresDealloc |
 | allocators.cpp:144:13:144:31 | new[] | getSizeExpr = x, getSizeMult = 900, requiresDealloc |
+| allocators.cpp:149:8:149:19 | call to operator new | getSizeBytes = 4, getSizeExpr = sizeof(int), getSizeMult = 1, requiresDealloc |
 deallocationFunctions
 deallocationExprs
 | allocators.cpp:59:3:59:35 | delete | getFreedExpr = 0 |