cklin
diff --git a/‎cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions b/‎cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions
diff --git a/‎cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions b/‎cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
Lines changed: 3 additions & 0 deletions b/‎cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
Lines changed: 3 additions & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
Lines changed: 41 additions & 0 deletions b/‎cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
Lines changed: 41 additions & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
Lines changed: 18 additions & 0 deletions b/‎cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
Lines changed: 18 additions & 0 deletions
diff --git a/‎csharp/ql/lib/ext/System.IO.model.yml
Lines changed: 17 additions & 0 deletions b/‎csharp/ql/lib/ext/System.IO.model.yml
Lines changed: 17 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
Lines changed: 1 addition & 1 deletion b/‎csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
Lines changed: 1 addition & 1 deletion
diff --git a/‎csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlow.qll
Lines changed: 49 additions & 0 deletions
@@ -361,3 +361,52 @@ module MergePathGraph<
     }
   }
 }
+
+/**
+ * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+ */
+module MergePathGraph3<
+  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+{
+  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+  private module Merged =
+    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+  class PathNode instanceof Merged::PathNode {
+    /** Gets this as a projection on the first given `PathGraph`. */
+    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+    /** Gets this as a projection on the second given `PathGraph`. */
+    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+    /** Gets this as a projection on the third given `PathGraph`. */
+    PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = super.toString() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { result = super.getNode() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PathGraph = Merged::PathGraph;
+}
@@ -361,3 +361,52 @@ module MergePathGraph<
     }
   }
 }
+
+/**
+ * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+ */
+module MergePathGraph3<
+  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+{
+  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+  private module Merged =
+    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+  class PathNode instanceof Merged::PathNode {
+    /** Gets this as a projection on the first given `PathGraph`. */
+    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+    /** Gets this as a projection on the second given `PathGraph`. */
+    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+    /** Gets this as a projection on the third given `PathGraph`. */
+    PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = super.toString() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { result = super.getNode() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PathGraph = Merged::PathGraph;
+}
@@ -89,6 +89,9 @@
 | test_free.cpp:216:10:216:10 | a |
 | test_free.cpp:220:10:220:10 | a |
 | test_free.cpp:227:24:227:45 | memory_descriptor_list |
+| test_free.cpp:233:14:233:15 | * ... |
+| test_free.cpp:239:14:239:15 | * ... |
+| test_free.cpp:245:10:245:11 | * ... |
 | virtual.cpp:18:10:18:10 | a |
 | virtual.cpp:19:10:19:10 | c |
 | virtual.cpp:38:10:38:10 | b |
 
@@ -15,6 +15,20 @@ edges
 | test_free.cpp:101:10:101:10 | a | test_free.cpp:102:23:102:23 | a |
 | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a |
 | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a |
+| test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
+| test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
+| test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
+| test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b |
+| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b |
+| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
+| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
+| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
+| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
 nodes
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
@@ -39,6 +53,19 @@ nodes
 | test_free.cpp:152:27:152:27 | a | semmle.label | a |
 | test_free.cpp:152:27:152:27 | a | semmle.label | a |
 | test_free.cpp:153:5:153:5 | a | semmle.label | a |
+| test_free.cpp:233:14:233:15 | * ... | semmle.label | * ... |
+| test_free.cpp:233:14:233:15 | * ... | semmle.label | * ... |
+| test_free.cpp:236:9:236:10 | * ... | semmle.label | * ... |
+| test_free.cpp:236:9:236:10 | * ... | semmle.label | * ... |
+| test_free.cpp:239:14:239:15 | * ... | semmle.label | * ... |
+| test_free.cpp:239:14:239:15 | * ... | semmle.label | * ... |
+| test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
+| test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
+| test_free.cpp:241:10:241:10 | b | semmle.label | b |
+| test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
+| test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
+| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
+| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
 subpaths
 #select
 | test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
@@ -57,3 +84,17 @@ subpaths
 | test_free.cpp:102:23:102:23 | a | test_free.cpp:101:10:101:10 | a | test_free.cpp:102:23:102:23 | a | Memory may have been previously freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
 | test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
 | test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
+| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
+| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
+| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
+| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
+| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:241:10:241:10 | b | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:241:10:241:10 | b | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
+| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
+| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
+| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
+| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
@@ -227,3 +227,21 @@ void test_ms_free(void * memory_descriptor_list) {
     MmFreePagesFromMdl(memory_descriptor_list); //GOOD
     ExFreePool(memory_descriptor_list); // GOOD
 }
+
+void test_loop3(char ** a, char ** b) {
+    if (*a) {
+        free(*a);
+        a++;
+    }
+    use(*a); // GOOD [FALSE POSITIVE]
+
+    for (;*b; b++) {
+        free(*b);
+    }
+    use(*b); // GOOD [FALSE POSITIVE]
+}
+
+void test_deref(char **a) {
+    free(*a);
+    use(*a); // GOOD [FALSE POSITIVE]
+}
@@ -4,6 +4,23 @@ extensions:
       extensible: sourceModel
     data:
       - ["System.IO", "FileStream", False, "FileStream", "", "", "Argument[this]", "file", "manual"]
+      - ["System.IO", "FileStream", False, "FileStream", "", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String,System.Boolean)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String,System.Boolean,System.Text.Encoding)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String,System.Boolean,System.Text.Encoding,System.Int32)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String,System.Text.Encoding,System.IO.FileStreamOptions)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String,System.IO.FileStreamOptions)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "File", False, "Open", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "File", False, "OpenWrite", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "File", False, "Create", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "File", False, "CreateText", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "File", False, "AppendText", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "FileInfo", False, "Open", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "FileInfo", False, "OpenWrite", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "FileInfo", False, "Create", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "FileInfo", False, "CreateText", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "FileInfo", False, "AppendText", "", "", "ReturnValue", "file-write", "manual"]
   - addsTo:
       pack: codeql/csharp-all
       extensible: summaryModel
 
@@ -215,7 +215,7 @@ module ModelValidation {
     )
     or
     exists(string kind | sourceModel(_, _, _, _, _, _, _, kind, _) |
-      not kind = ["local", "remote", "file"] and
+      not kind = ["local", "remote", "file", "file-write"] and
       result = "Invalid kind \"" + kind + "\" in source model."
     )
   }
 
@@ -361,3 +361,52 @@ module MergePathGraph<
     }
   }
 }
+
+/**
+ * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+ */
+module MergePathGraph3<
+  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+{
+  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+  private module Merged =
+    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+  class PathNode instanceof Merged::PathNode {
+    /** Gets this as a projection on the first given `PathGraph`. */
+    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+    /** Gets this as a projection on the second given `PathGraph`. */
+    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+    /** Gets this as a projection on the third given `PathGraph`. */
+    PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = super.toString() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { result = super.getNode() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PathGraph = Merged::PathGraph;
+}
Original file line number	Diff line number	Diff line change
`@@ -215,7 +215,7 @@ module ModelValidation {`
`215`	`215`	`)`
`216`	`216`	`or`
`217`	`217`	`exists(string kind \| sourceModel(_, _, _, _, _, _, _, kind, _) \|`
`218`		`- not kind = ["local", "remote", "file"] and`
	`218`	`+ not kind = ["local", "remote", "file", "file-write"] and`
`219`	`219`	`result = "Invalid kind \"" + kind + "\" in source model."`
`220`	`220`	`)`
`221`	`221`	`}`