C++: Accept test changes for the new use-after-query.

2026-05-01 03:35:13 +02:00 · 2023-04-11 14:39:25 +01:00
parent 725004a6fe
commit 3c88590df2
6 changed files with 184 additions and 38 deletions
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
@@ -26,6 +26,69 @@
 | test.cpp:128:15:128:16 | v4 |
 | test.cpp:185:10:185:12 | cpy |
 | test.cpp:199:10:199:12 | cpy |
+| test_free.cpp:11:10:11:10 | a |
+| test_free.cpp:14:10:14:10 | a |
+| test_free.cpp:16:10:16:10 | a |
+| test_free.cpp:18:18:18:18 | a |
+| test_free.cpp:23:10:23:10 | a |
+| test_free.cpp:25:10:25:10 | a |
+| test_free.cpp:26:10:26:10 | b |
+| test_free.cpp:30:10:30:10 | a |
+| test_free.cpp:31:27:31:27 | a |
+| test_free.cpp:35:10:35:10 | a |
+| test_free.cpp:37:27:37:27 | a |
+| test_free.cpp:42:27:42:27 | a |
+| test_free.cpp:44:27:44:27 | a |
+| test_free.cpp:46:10:46:10 | a |
+| test_free.cpp:50:27:50:27 | a |
+| test_free.cpp:51:10:51:10 | a |
+| test_free.cpp:55:27:55:27 | a |
+| test_free.cpp:57:10:57:10 | a |
+| test_free.cpp:61:10:61:10 | a |
+| test_free.cpp:63:10:63:10 | b |
+| test_free.cpp:69:10:69:10 | a |
+| test_free.cpp:72:14:72:14 | a |
+| test_free.cpp:83:12:83:12 | a |
+| test_free.cpp:85:12:85:12 | a |
+| test_free.cpp:90:10:90:10 | a |
+| test_free.cpp:95:10:95:10 | a |
+| test_free.cpp:101:10:101:10 | a |
+| test_free.cpp:102:23:102:23 | a |
+| test_free.cpp:103:10:103:10 | a |
+| test_free.cpp:104:10:104:10 | b |
+| test_free.cpp:107:23:107:23 | a |
+| test_free.cpp:112:14:112:14 | a |
+| test_free.cpp:114:10:114:10 | b |
+| test_free.cpp:118:23:118:23 | a |
+| test_free.cpp:119:17:119:17 | b |
+| test_free.cpp:121:14:121:14 | a |
+| test_free.cpp:126:10:126:11 | * ... |
+| test_free.cpp:128:10:128:11 | * ... |
+| test_free.cpp:129:10:129:11 | * ... |
+| test_free.cpp:131:10:131:13 | access to array |
+| test_free.cpp:132:10:132:13 | access to array |
+| test_free.cpp:143:27:143:30 | data |
+| test_free.cpp:145:14:145:22 | * ... |
+| test_free.cpp:148:10:148:17 | list_ptr |
+| test_free.cpp:152:27:152:27 | a |
+| test_free.cpp:154:10:154:10 | a |
+| test_free.cpp:159:14:159:15 | * ... |
+| test_free.cpp:162:10:162:10 | a |
+| test_free.cpp:167:23:167:23 | a |
+| test_free.cpp:173:10:173:10 | a |
+| test_free.cpp:181:10:181:10 | a |
+| test_free.cpp:183:10:183:10 | a |
+| test_free.cpp:185:10:185:10 | a |
+| test_free.cpp:188:10:188:10 | a |
+| test_free.cpp:193:20:193:20 | a |
+| test_free.cpp:199:20:199:20 | a |
+| test_free.cpp:205:10:205:10 | a |
+| test_free.cpp:207:10:207:10 | a |
+| test_free.cpp:209:10:209:10 | a |
+| test_free.cpp:213:10:213:10 | a |
+| test_free.cpp:216:10:216:10 | a |
+| test_free.cpp:220:10:220:10 | a |
+| test_free.cpp:227:24:227:45 | memory_descriptor_list |
 | virtual.cpp:18:10:18:10 | a |
 | virtual.cpp:19:10:19:10 | c |
 | virtual.cpp:38:10:38:10 | b |
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.expected
@@ -0,0 +1 @@
+| test_free.cpp:36:22:36:35 | ... = ... | This memory allocation may not be released at $@. | test_free.cpp:38:1:38:1 | return ... | this exit point |
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.expected
@@ -11,3 +11,4 @@
 | test.cpp:156:3:156:26 | new | This memory is never freed. |
 | test.cpp:157:3:157:26 | new[] | This memory is never freed. |
 | test.cpp:169:14:169:19 | call to strdup | This memory is never freed. |
+| test_free.cpp:167:15:167:21 | call to realloc | This memory is never freed. |
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
@@ -9,8 +9,8 @@ int asprintf(char ** strp, const char * fmt, ...);

 void* test_double_free1(int *a) {
    free(a); // GOOD
-    a[5] = 5;
-    *a = 5;
+    a[5] = 5; // BAD
+    *a = 5; // BAD
    free(a); // BAD
    a = (int*) malloc(8);
    free(a); // GOOD
@@ -40,9 +40,9 @@ void test_dominance2(void *a) {
 void test_post_dominance1(int *a)
 {
    if (condition()) free(a); // GOOD
-    if (condition()) a[2] = 5;
+    if (condition()) a[2] = 5; // GOOD
    if (condition()) free(a); // GOOD
-    a[2] = 5;
+    a[2] = 5; // BAD
    free(a); // BAD
 }

@@ -61,14 +61,14 @@ void test_use_after_free6(int *a, int *b) {
    free(a);
    a=b;
    free(b);
-    if (condition()) a[0] = 5;
+    if (condition()) a[0] = 5; // BAD [NOT DETECTED]
 }

 void test_use_after_free7(int *a) {
    a[0] = 42;
    free(a);

-    if (a[3]) {
+    if (a[3]) { // BAD
        free(a); // BAD
    }
 }
@@ -81,20 +81,20 @@ public:
 void test_new1() {
    A *a = new A();
    delete(a);
-    a->f();
+    a->f(); // BAD [NOT DETECTED]
    delete(a); // BAD [NOT DETECTED]
 }

 void test_dereference1(A *a) {
-    a->f();
+    a->f(); // GOOD
    free(a);
-    a->f();
+    a->f(); // BAD
 }

 void* use_after_free(void *a) {
    free(a);
-    use(a);
-    return a;
+    use(a); // BAD
+    return a; // BAD
 }

 void test_realloc1(void *a) {
@@ -139,23 +139,23 @@ struct list {

 void test_loop1(struct list ** list_ptr) {
    struct list *next;
-    while (*list_ptr) {
+    while (*list_ptr) { // GOOD
        free((*list_ptr)->data); // GOOD
-        next = (*list_ptr)->next;
+        next = (*list_ptr)->next; // GOOD
        free(*list_ptr); // GOOD
-        *list_ptr = next;
+        *list_ptr = next; // GOOD
    }
    free(list_ptr); // GOOD
 }

 void test_use_after_free8(struct list * a) {
    if (condition()) free(a);
-    a->data = malloc(10);
+    a->data = malloc(10); // BAD
    free(a); // BAD
 }

 void test_loop2(char ** a) {
-    while (*a) {
+    while (*a) { // GOOD
        free(*a); // GOOD
        a++;
    }
@@ -171,7 +171,7 @@ void* test_realloc4() {

 void test_sizeof(int *a) {
    free(a);
-    int x = sizeof(a[0]);
+    int x = sizeof(a[0]); // GOOD
 }

 void call_by_reference(char * &a);
@@ -179,9 +179,9 @@ int custom_alloc_func(char ** a);

 void test_reassign(char *a) {
    free(a); // GOOD
-    asprintf(&a, "Hello world");
+    asprintf(&a, "Hello world"); // GOOD
    free(a); //GOOD
-    call_by_reference(a);
+    call_by_reference(a); // GOOD
    free(a); // GOOD
    int v;
    if (v = custom_alloc_func(&a)) return;
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree.expected
@@ -1,9 +1,74 @@
-| test.cpp:36:6:36:9 | data | Memory pointed to by 'data' may have $@. | test.cpp:35:2:35:5 | call to free | been previously freed |
-| test.cpp:70:7:70:10 | data | Memory pointed to by 'data' may have $@. | test.cpp:67:2:67:5 | call to free | been previously freed |
-| test.cpp:107:6:107:9 | data | Memory pointed to by 'data' may have $@. | test.cpp:105:2:105:5 | call to free | been previously freed |
-| test.cpp:117:6:117:9 | data | Memory pointed to by 'data' may have $@. | test.cpp:115:2:115:5 | call to free | been previously freed |
-| test.cpp:150:2:150:2 | c | Memory pointed to by 'c' may have $@. | test.cpp:149:2:149:10 | delete | been previously freed |
-| test.cpp:151:4:151:4 | c | Memory pointed to by 'c' may have $@. | test.cpp:149:2:149:10 | delete | been previously freed |
-| test.cpp:170:6:170:9 | data | Memory pointed to by 'data' may have $@. | test.cpp:165:2:165:5 | call to free | been previously freed |
-| test.cpp:193:6:193:9 | data | Memory pointed to by 'data' may have $@. | test.cpp:191:3:191:6 | call to free | been previously freed |
-| test.cpp:201:6:201:6 | x | Memory pointed to by 'x' may have $@. | test.cpp:200:2:200:9 | delete | been previously freed |
+edges
+| test.cpp:39:7:39:10 | data | test.cpp:41:6:41:9 | data |
+| test.cpp:39:7:39:10 | data | test.cpp:41:6:41:9 | data |
+| test.cpp:75:7:75:10 | data | test.cpp:79:7:79:10 | data |
+| test.cpp:75:7:75:10 | data | test.cpp:79:7:79:10 | data |
+| test.cpp:106:7:106:10 | data | test.cpp:108:6:108:9 | data |
+| test.cpp:106:7:106:10 | data | test.cpp:108:6:108:9 | data |
+| test.cpp:116:7:116:10 | data | test.cpp:119:6:119:9 | data |
+| test.cpp:116:7:116:10 | data | test.cpp:119:6:119:9 | data |
+| test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data |
+| test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data |
+| test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data |
+| test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data |
+| test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data |
+| test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data |
+| test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data |
+| test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data |
+| test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data |
+| test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data |
+| test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data |
+| test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data |
+nodes
+| test.cpp:39:7:39:10 | data | semmle.label | data |
+| test.cpp:39:7:39:10 | data | semmle.label | data |
+| test.cpp:41:6:41:9 | data | semmle.label | data |
+| test.cpp:75:7:75:10 | data | semmle.label | data |
+| test.cpp:75:7:75:10 | data | semmle.label | data |
+| test.cpp:79:7:79:10 | data | semmle.label | data |
+| test.cpp:106:7:106:10 | data | semmle.label | data |
+| test.cpp:106:7:106:10 | data | semmle.label | data |
+| test.cpp:108:6:108:9 | data | semmle.label | data |
+| test.cpp:116:7:116:10 | data | semmle.label | data |
+| test.cpp:116:7:116:10 | data | semmle.label | data |
+| test.cpp:119:6:119:9 | data | semmle.label | data |
+| test.cpp:127:7:127:10 | data | semmle.label | data |
+| test.cpp:127:7:127:10 | data | semmle.label | data |
+| test.cpp:130:6:130:9 | data | semmle.label | data |
+| test.cpp:138:7:138:10 | data | semmle.label | data |
+| test.cpp:138:7:138:10 | data | semmle.label | data |
+| test.cpp:141:6:141:9 | data | semmle.label | data |
+| test.cpp:181:7:181:10 | data | semmle.label | data |
+| test.cpp:181:7:181:10 | data | semmle.label | data |
+| test.cpp:186:6:186:9 | data | semmle.label | data |
+| test.cpp:192:7:192:10 | data | semmle.label | data |
+| test.cpp:192:7:192:10 | data | semmle.label | data |
+| test.cpp:197:6:197:9 | data | semmle.label | data |
+| test.cpp:203:7:203:10 | data | semmle.label | data |
+| test.cpp:203:7:203:10 | data | semmle.label | data |
+| test.cpp:207:8:207:11 | data | semmle.label | data |
+| test.cpp:207:8:207:11 | data | semmle.label | data |
+| test.cpp:209:6:209:9 | data | semmle.label | data |
+| test.cpp:209:6:209:9 | data | semmle.label | data |
+subpaths
+#select
+| test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | data | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free |
+| test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | data | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free |
+| test.cpp:79:7:79:10 | data | test.cpp:75:7:75:10 | data | test.cpp:79:7:79:10 | data | Memory may have been previously freed by $@. | test.cpp:75:2:75:5 | call to free | call to free |
+| test.cpp:79:7:79:10 | data | test.cpp:75:7:75:10 | data | test.cpp:79:7:79:10 | data | Memory may have been previously freed by $@. | test.cpp:75:2:75:5 | call to free | call to free |
+| test.cpp:108:6:108:9 | data | test.cpp:106:7:106:10 | data | test.cpp:108:6:108:9 | data | Memory may have been previously freed by $@. | test.cpp:106:2:106:5 | call to free | call to free |
+| test.cpp:108:6:108:9 | data | test.cpp:106:7:106:10 | data | test.cpp:108:6:108:9 | data | Memory may have been previously freed by $@. | test.cpp:106:2:106:5 | call to free | call to free |
+| test.cpp:119:6:119:9 | data | test.cpp:116:7:116:10 | data | test.cpp:119:6:119:9 | data | Memory may have been previously freed by $@. | test.cpp:116:2:116:5 | call to free | call to free |
+| test.cpp:119:6:119:9 | data | test.cpp:116:7:116:10 | data | test.cpp:119:6:119:9 | data | Memory may have been previously freed by $@. | test.cpp:116:2:116:5 | call to free | call to free |
+| test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free |
+| test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free |
+| test.cpp:141:6:141:9 | data | test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data | Memory may have been previously freed by $@. | test.cpp:138:2:138:5 | call to free | call to free |
+| test.cpp:141:6:141:9 | data | test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data | Memory may have been previously freed by $@. | test.cpp:138:2:138:5 | call to free | call to free |
+| test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. | test.cpp:181:2:181:5 | call to free | call to free |
+| test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. | test.cpp:181:2:181:5 | call to free | call to free |
+| test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. | test.cpp:192:2:192:5 | call to free | call to free |
+| test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. | test.cpp:192:2:192:5 | call to free | call to free |
+| test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free |
+| test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free |
+| test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free |
+| test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/test.cpp
@@ -6,14 +6,18 @@ typedef unsigned long size_t;
 void *malloc(size_t size);
 void free(void *ptr);

-void useExternal(char* data);
+void useExternal(...);

-void use(char* data)
+void use_if_nonzero(char* data)
 {
 	if (data)
 		useExternal(data);
 }

+void use(char* data) {
+	useExternal(*data);
+}
+
 [[noreturn]]
 void noReturn();

@@ -31,8 +35,9 @@ void test1()
 {
 	char* data;
 	data = (char *)malloc(100*sizeof(char));
-	use(data); // GOOD
+	use_if_nonzero(data); // GOOD
 	free(data);
+	use_if_nonzero(data); // BAD [NOT DETECTED]
 	use(data); // BAD
 }

@@ -42,9 +47,11 @@ void test2()
 	data = (char *)malloc(100*sizeof(char));
 	free(data);
 	myMalloc(&data);
+	use_if_nonzero(data); // GOOD
 	use(data); // GOOD
 	free(data);
 	myMalloc2(data);
+	use_if_nonzero(data); // GOOD
 	use(data); // GOOD
 }

@@ -56,6 +63,7 @@ void test3()
 	data = NULL;
 	if (data)
 	{
+		use_if_nonzero(data); // GOOD
 		use(data); // GOOD
 	}
 }
@@ -67,6 +75,7 @@ void test4()
 	free(data);
 	if (data)
 	{
+		use_if_nonzero(data); // BAD [NOT DETECTED]
 		use(data); // BAD
 	}
 }
@@ -85,7 +94,8 @@ char* returnsFreedData(int i)
 void test5()
 {
 	char* data = returnsFreedData(1);
-	use(data); // BAD (NOT REPORTED)
+	use_if_nonzero(data); // BAD [NOT DETECTED]
+	use(data); // BAD [NOT DETECTED]
 }

 void test6()
@@ -94,7 +104,8 @@ void test6()
 	data = (char *)malloc(100*sizeof(char));
 	data2 = data;
 	free(data);
-	use(data2); // BAD (NOT REPORTED)
+	use_if_nonzero(data2); // BAD [NOT DETECTED]
+	use(data); // BAD
 }

 void test7()
@@ -104,6 +115,7 @@ void test7()
 	data2 = data;
 	free(data);
 	data2 = NULL;
+	use_if_nonzero(data); // BAD [NOT DETECTED]
 	use(data); // BAD
 }

@@ -114,6 +126,7 @@ void test8()
 	data = data2;
 	free(data);
 	data2 = NULL;
+	use_if_nonzero(data); // BAD [NOT DETECTED]
 	use(data); // BAD
 }

@@ -124,13 +137,15 @@ void test9()
 	char *data, *data2;
 	free(data);
 	noReturnWrapper();
-	use(data); // GOOD
+	use_if_nonzero(data); // GOOD
+	use(data); // GOOD [FALSE POSITIVE]
 }

 void test10()
 {
 	for (char *data; true; data = NULL)
 	{
+		use_if_nonzero(data); // GOOD
 		use(data); // GOOD
 		free(data);
 	}
@@ -140,7 +155,7 @@ class myClass
 {
 public:
 	myClass() { }
-	
+
 	void myMethod() { }
 };

@@ -156,7 +171,8 @@ template<class T> T test()
 	T* x;
 	use(x); // GOOD
 	delete x;
-	use(x); // BAD
+	use_if_nonzero(x); // BAD [NOT DETECTED]
+	use(x); // BAD [NOT DETECTED]
 }

 void test12(int count)
@@ -178,7 +194,7 @@ void test13()
 	{
 		data = NULL;
 	}
-	use(data); // GOOD
+	use(data); // GOOD [FALSE POSITIVE]
 }

 void test14()
@@ -198,7 +214,7 @@ template<class T> T test15()
 	T* x;
 	use(x); // GOOD
 	delete x;
-	use(x); // BAD
+	use(x); // BAD [NOT DETECTED]
 }
 void test15runner(void)
 {
				`@@ -0,0 +1 @@`
				`\| test_free.cpp:36:22:36:35 \| ... = ... \| This memory allocation may not be released at $@. \| test_free.cpp:38:1:38:1 \| return ... \| this exit point \|`