C++: Fix missing result and accept test changes.

MathiasVP · MathiasVP · commit 23a7cd943f23 · 2023-04-13T10:50:46.000+01:00
diff --git a/cpp/ql/src/Critical/UseAfterFree.ql b/cpp/ql/src/Critical/UseAfterFree.ql
@@ -39,6 +39,8 @@ predicate isUse0(DataFlow::Node n, Expr e) {
     or
     e = any(ArrayExpr ae).getArrayBase()
     or
+    e = any(Call call).getQualifier()
+    or
     // Assume any function without a body will dereference the pointer
     exists(int i, Call call, Function f |
       n.asExpr() = call.getArgument(i) and
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
@@ -9,6 +9,8 @@ edges
 | test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a |
 | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a |
 | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a |
+| test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a |
+| test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a |
 | test_free.cpp:95:10:95:10 | a | test_free.cpp:96:9:96:9 | a |
 | test_free.cpp:101:10:101:10 | a | test_free.cpp:102:23:102:23 | a |
 | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a |
@@ -28,6 +30,9 @@ nodes
 | test_free.cpp:69:10:69:10 | a | semmle.label | a |
 | test_free.cpp:69:10:69:10 | a | semmle.label | a |
 | test_free.cpp:71:9:71:9 | a | semmle.label | a |
+| test_free.cpp:90:10:90:10 | a | semmle.label | a |
+| test_free.cpp:90:10:90:10 | a | semmle.label | a |
+| test_free.cpp:91:5:91:5 | a | semmle.label | a |
 | test_free.cpp:95:10:95:10 | a | semmle.label | a |
 | test_free.cpp:96:9:96:9 | a | semmle.label | a |
 | test_free.cpp:101:10:101:10 | a | semmle.label | a |
@@ -49,6 +54,8 @@ subpaths
 | test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
 | test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
 | test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
+| test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free |
+| test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free |
 | test_free.cpp:96:9:96:9 | a | test_free.cpp:95:10:95:10 | a | test_free.cpp:96:9:96:9 | a | Memory may have been previously freed by $@. | test_free.cpp:95:5:95:8 | call to free | call to free |
 | test_free.cpp:102:23:102:23 | a | test_free.cpp:101:10:101:10 | a | test_free.cpp:102:23:102:23 | a | Memory may have been previously freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
 | test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp b/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
@@ -88,7 +88,7 @@ void test_new1() {
 void test_dereference1(A *a) {
     a->f(); // GOOD
     free(a);
-    a->f(); // BAD [NOT DETECTED]
+    a->f(); // BAD
 }
 
 void* use_after_free(void *a) {

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ void test_new1() {`
`88`	`88`	`void test_dereference1(A *a) {`
`89`	`89`	`a->f(); // GOOD`
`90`	`90`	`free(a);`
`91`		`- a->f(); // BAD [NOT DETECTED]`
	`91`	`+ a->f(); // BAD`
`92`	`92`	`}`
`93`	`93`
`94`	`94`	`void* use_after_free(void *a) {`