CPP: Widen allocReachedVariable slightly.

cpp/ql/src/Critical/NewDelete.qll

@@ -52,19 +52,18 @@ predicate allocExprOrIndirect(Expr alloc, string kind) {
 }
 
 /**
- * Holds if `v` is a non-local variable which is assigned with
- * memory allocation `alloc` only (it may also be assigned with
- * NULL).  `kind` is a string describing the type of that allocation.
+ * Holds if `v` is a non-local variable which is assigned only with allocations of
+ * type `kind` (it may also be assigned with NULL).
  */
 private predicate allocReachesVariable(Variable v, Expr alloc, string kind) {
+  not v instanceof LocalScopeVariable and
   exists(Expr mid |
-    allocReaches(mid, alloc, kind) and
     v.getAnAssignedValue() = mid and
-    not v instanceof LocalScopeVariable and
-    count(Expr e |
-      v.getAnAssignedValue() = e and
-      not e.getValue().toInt() = 0
-    ) = 1
+    allocReaches(mid, alloc, kind)
+  ) and forall(Expr mid |
+    v.getAnAssignedValue() = mid |
+    allocReaches(mid, _, kind) or
+    mid.getValue().toInt() = 0 // NULL
   )
 }
 

cpp/ql/test/query-tests/Critical/NewFree/NewArrayDeleteMismatch.expected

@@ -3,3 +3,5 @@
 | test.cpp:240:2:240:9 | delete | This memory may have been allocated with '$@', not 'new'. | test.cpp:228:7:228:17 | new[] | new[] |
 | test.cpp:295:2:295:11 | delete | This memory may have been allocated with '$@', not 'new'. | test.cpp:290:8:290:28 | new[] | new[] |
 | test.cpp:310:3:310:13 | delete | This memory may have been allocated with '$@', not 'new'. | test.cpp:304:18:304:29 | new[] | new[] |
+| test.cpp:335:3:335:13 | delete | This memory may have been allocated with '$@', not 'new'. | test.cpp:321:10:321:21 | new[] | new[] |
+| test.cpp:335:3:335:13 | delete | This memory may have been allocated with '$@', not 'new'. | test.cpp:329:11:329:24 | new[] | new[] |

cpp/ql/test/query-tests/Critical/NewFree/test.cpp

@@ -332,7 +332,7 @@ public:
 
 	~Test11()
 	{
-		delete data; // BAD: new[] -> delete [NOT DETECTED]
+		delete data; // BAD: new[] -> delete
 	}
 
 	char *data;