CPP: Add use after free false positive example.

Alex Eyers-Taylor
2023-09-20 18:31:09 +01:00
parent 07dbad509c
commit 9de6230bbf
4 changed files with 10 additions and 0 deletions


@@ -26,6 +26,7 @@
| test.cpp:128:15:128:16 | v4 |
| test.cpp:185:10:185:12 | cpy |
| test.cpp:199:10:199:12 | cpy |
| test.cpp:205:7:205:11 | ... = ... |
| test_free.cpp:11:10:11:10 | a |
| test_free.cpp:14:10:14:10 | a |
| test_free.cpp:16:10:16:10 | a |


@@ -1 +1,2 @@
| test.cpp:203:12:203:17 | call to malloc | This memory allocation may not be released at $@. | test.cpp:206:1:206:1 | return ... | this exit point |
| test_free.cpp:36:22:36:35 | ... = ... | This memory allocation may not be released at $@. | test_free.cpp:38:1:38:1 | return ... | this exit point |


@@ -13,6 +13,7 @@ edges
| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
nodes
| test.cpp:205:7:205:11 | ... = ... | semmle.label | ... = ... |
| test_free.cpp:11:10:11:10 | a | semmle.label | a |
| test_free.cpp:12:5:12:5 | a | semmle.label | a |
| test_free.cpp:13:5:13:6 | * ... | semmle.label | * ... |
@@ -40,6 +41,7 @@ nodes
| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
subpaths
#select
| test.cpp:205:7:205:11 | ... = ... | test.cpp:205:7:205:11 | ... = ... | test.cpp:205:7:205:11 | ... = ... | Memory may have been previously freed by $@. | test.cpp:205:2:205:5 | call to free | call to free |
| test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
| test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
| test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |


@@ -198,3 +198,9 @@ void test_strndupa_dealloc() {
char *cpy = strndupa(msg, 4);
free(cpy); // BAD [NOT DETECTED]
}
void test_free_malloc() {
void *a = malloc(10);
void *b;
free(b = a);
}
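Review bot: `free(b = a);` in test_free_malloc carries no inline expectation comment, unlike `free(cpy); // BAD [NOT DETECTED]` in the test just above it, so the test source itself does not say that the alerts recorded for it are unwanted. The buffer is allocated once and released once through the assignment expression, so both the "Memory may have been previously freed" result at 205:7 and the "may not be released" result for the malloc at 203:12 in the updated expected output appear to be false positives. I would annotate both lines, for example `free(b = a); // GOOD [FALSE POSITIVE]` and `void *a = malloc(10); // GOOD [FALSE POSITIVE]`. That way a later query fix reads as an intended expectation change, and anyone triaging these queries' results can see that the assignment-as-argument pattern is a known source of noise.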