CPP: Widen varMaybeStackAllocated.

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -22,16 +22,7 @@ predicate exprMaybeStackAllocated(Expr e) {
 // is initialized to/assigned a possibly stack allocated expression
 predicate varMaybeStackAllocated(LocalVariable lv) {
   not lv.isStatic() and
-  (
-    lv.getType().getUnderlyingType() instanceof ArrayType
-    or
-    exprMaybeStackAllocated(lv.getInitializer().getExpr())
-    or
-    exists(AssignExpr a |
-      a.getLValue().(VariableAccess).getTarget() = lv and
-      exprMaybeStackAllocated(a.getRValue())
-    )
-  )
+  not lv.getType() instanceof ReferenceType
 }
 
 // an expression possibly points to the stack if it takes the address of

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnCstrOfLocalStdString.expected

@@ -1 +1,4 @@
+| test.cpp:12:2:12:12 | return ... | May return stack-allocated memory. |
+| test.cpp:20:2:20:12 | return ... | May return stack-allocated memory. |
+| test.cpp:73:2:73:12 | return ... | May return stack-allocated memory. |
 | test.cpp:93:2:93:12 | return ... | May return stack-allocated memory. |

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp

@@ -9,7 +9,7 @@ MyClass *test1()
 {
 	MyClass mc;
 
-	return &mc; // BAD [NOT DETECTED]
+	return &mc; // BAD
 }
 
 MyClass *test2()
@@ -17,7 +17,7 @@ MyClass *test2()
 	MyClass mc;
 	MyClass *ptr = &mc;
 
-	return ptr; // BAD [NOT DETECTED]
+	return ptr; // BAD
 }
 
 MyClass *test3()
@@ -70,7 +70,7 @@ MyClass *test10()
 		ptr = &mc;
 	}
 
-	return ptr; // BAD [NOT DETECTED]
+	return ptr; // BAD
 }
 
 MyClass *test11(MyClass *param)