C++: Add some use-after-free FPs.

Author: MathiasVP

cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected

@@ -89,6 +89,9 @@
 | test_free.cpp:216:10:216:10 | a |
 | test_free.cpp:220:10:220:10 | a |
 | test_free.cpp:227:24:227:45 | memory_descriptor_list |
+| test_free.cpp:233:14:233:15 | * ... |
+| test_free.cpp:239:14:239:15 | * ... |
+| test_free.cpp:245:10:245:11 | * ... |
 | virtual.cpp:18:10:18:10 | a |
 | virtual.cpp:19:10:19:10 | c |
 | virtual.cpp:38:10:38:10 | b |

cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected

@@ -15,6 +15,20 @@ edges
 | test_free.cpp:101:10:101:10 | a | test_free.cpp:102:23:102:23 | a |
 | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a |
 | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a |
+| test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
+| test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
+| test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
+| test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b |
+| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
+| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
+| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
+| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
 nodes
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
@@ -39,6 +53,19 @@ nodes
 | test_free.cpp:152:27:152:27 | a | semmle.label | a |
 | test_free.cpp:152:27:152:27 | a | semmle.label | a |
 | test_free.cpp:153:5:153:5 | a | semmle.label | a |
+| test_free.cpp:233:14:233:15 | * ... | semmle.label | * ... |
+| test_free.cpp:233:14:233:15 | * ... | semmle.label | * ... |
+| test_free.cpp:236:9:236:10 | * ... | semmle.label | * ... |
+| test_free.cpp:236:9:236:10 | * ... | semmle.label | * ... |
+| test_free.cpp:239:14:239:15 | * ... | semmle.label | * ... |
+| test_free.cpp:239:14:239:15 | * ... | semmle.label | * ... |
+| test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
+| test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
+| test_free.cpp:241:10:241:10 | b | semmle.label | b |
+| test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
+| test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
+| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
+| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
 subpaths
 #select
 | test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
@@ -57,3 +84,17 @@ subpaths
 | test_free.cpp:102:23:102:23 | a | test_free.cpp:101:10:101:10 | a | test_free.cpp:102:23:102:23 | a | Memory may have been previously freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
 | test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
 | test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
+| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
+| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
+| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
+| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
+| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:241:10:241:10 | b | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:241:10:241:10 | b | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
+| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
+| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
+| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |

cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp

@@ -227,3 +227,21 @@ void test_ms_free(void * memory_descriptor_list) {
     MmFreePagesFromMdl(memory_descriptor_list); //GOOD
     ExFreePool(memory_descriptor_list); // GOOD
 }
+
+void test_loop3(char ** a, char ** b) {
+    if (*a) {
+        free(*a);
+        a++;
+    }
+    use(*a); // GOOD [FALSE POSITIVE]
+
+    for (;*b; b++) {
+        free(*b);
+    }
+    use(*b); // GOOD [FALSE POSITIVE]
+}
+
+void test_deref(char **a) {
+    free(*a);
+    use(*a); // GOOD [FALSE POSITIVE]
+}