CPP: Fix false positives when a member variable is released via the target of a function pointer.

2026-04-28 10:15:14 +02:00 · 2018-12-12 10:27:50 +00:00
parent 370387a9ca
commit 2f3a874c7d
3 changed files with 6 additions and 2 deletions
--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -227,6 +227,11 @@ predicate leakedInSameMethod(Resource r, Expr acquire) {
        fc.getQualifier() = r.getAnAccess() or // e.g. `r->setOwner(this)`
        fc = acquire.getAChild*() // e.g. `r = new MyClass(this)`
      )
+    ) or exists(FunctionAccess fa, string kind |
+      // the address of a function that releases `r` is taken (and likely
+      // used to release `r` at some point).
+      r.acquisitionWithRequiredKind(acquire, kind) and
+      fa.getTarget() = r.getAReleaseExpr(kind).getEnclosingFunction()
    )
  )
 }