C++: Switch the source of use-after-free and double-free to be post-update nodes.

Author: MathiasVP

cpp/ql/src/Critical/DoubleFree.ql

@@ -16,7 +16,10 @@ import semmle.code.cpp.dataflow.new.DataFlow
 import FlowAfterFree
 import DoubleFree::PathGraph
 
-predicate isFree(DataFlow::Node n, Expr e) { isFree(n, e, _) }
+predicate isFree(DataFlow::Node n, Expr e) {
+  n.asExpr() = e and
+  isFree(_, e, _)
+}
 
 /**
  * `dealloc1` is a deallocation expression and `e` is an expression such

cpp/ql/src/Critical/FlowAfterFree.qll

@@ -101,7 +101,7 @@ predicate isFree(DataFlow::Node n, Expr e, DeallocationExpr dealloc) {
   exists(Expr conv |
     e = conv.getUnconverted() and
     conv = dealloc.getFreedExpr().getFullyConverted() and
-    conv = n.asConvertedExpr()
+    conv = n.(DataFlow::PostUpdateNode).getPreUpdateNode().asConvertedExpr()
   ) and
   // Ignore realloc functions
   not exists(dealloc.(FunctionCall).getTarget().(AllocationFunction).getReallocPtrArg())

cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected

@@ -1,52 +1,56 @@
 edges
-| test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a |
-| test_free.cpp:30:10:30:10 | a | test_free.cpp:31:27:31:27 | a |
-| test_free.cpp:35:10:35:10 | a | test_free.cpp:37:27:37:27 | a |
-| test_free.cpp:42:27:42:27 | a | test_free.cpp:46:10:46:10 | a |
-| test_free.cpp:44:27:44:27 | a | test_free.cpp:46:10:46:10 | a |
-| test_free.cpp:50:27:50:27 | a | test_free.cpp:51:10:51:10 | a |
-| test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a |
-| test_free.cpp:83:12:83:12 | a | test_free.cpp:85:12:85:12 | a |
-| test_free.cpp:101:10:101:10 | a | test_free.cpp:103:10:103:10 | a |
-| test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | * ... |
-| test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a |
-| test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
+| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a |
+| test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a |
+| test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a |
+| test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a |
+| test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a |
+| test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a |
+| test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a |
+| test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a |
+| test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a |
+| test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... |
+| test_free.cpp:131:10:131:13 | pointer to free output argument | test_free.cpp:132:10:132:13 | access to array |
+| test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a |
+| test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a |
 nodes
-| test_free.cpp:11:10:11:10 | a | semmle.label | a |
+| test_free.cpp:11:10:11:10 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:14:10:14:10 | a | semmle.label | a |
-| test_free.cpp:30:10:30:10 | a | semmle.label | a |
+| test_free.cpp:30:10:30:10 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:31:27:31:27 | a | semmle.label | a |
-| test_free.cpp:35:10:35:10 | a | semmle.label | a |
+| test_free.cpp:35:10:35:10 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:37:27:37:27 | a | semmle.label | a |
-| test_free.cpp:42:27:42:27 | a | semmle.label | a |
-| test_free.cpp:44:27:44:27 | a | semmle.label | a |
+| test_free.cpp:42:27:42:27 | pointer to free output argument | semmle.label | pointer to free output argument |
+| test_free.cpp:44:27:44:27 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:46:10:46:10 | a | semmle.label | a |
 | test_free.cpp:46:10:46:10 | a | semmle.label | a |
-| test_free.cpp:50:27:50:27 | a | semmle.label | a |
+| test_free.cpp:50:27:50:27 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:51:10:51:10 | a | semmle.label | a |
-| test_free.cpp:69:10:69:10 | a | semmle.label | a |
+| test_free.cpp:69:10:69:10 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:72:14:72:14 | a | semmle.label | a |
-| test_free.cpp:83:12:83:12 | a | semmle.label | a |
+| test_free.cpp:83:12:83:12 | pointer to operator delete output argument | semmle.label | pointer to operator delete output argument |
 | test_free.cpp:85:12:85:12 | a | semmle.label | a |
-| test_free.cpp:101:10:101:10 | a | semmle.label | a |
+| test_free.cpp:101:10:101:10 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:103:10:103:10 | a | semmle.label | a |
-| test_free.cpp:128:10:128:11 | * ... | semmle.label | * ... |
+| test_free.cpp:128:10:128:11 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:129:10:129:11 | * ... | semmle.label | * ... |
-| test_free.cpp:152:27:152:27 | a | semmle.label | a |
+| test_free.cpp:131:10:131:13 | pointer to free output argument | semmle.label | pointer to free output argument |
+| test_free.cpp:132:10:132:13 | access to array | semmle.label | access to array |
+| test_free.cpp:152:27:152:27 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:154:10:154:10 | a | semmle.label | a |
-| test_free.cpp:207:10:207:10 | a | semmle.label | a |
+| test_free.cpp:207:10:207:10 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:209:10:209:10 | a | semmle.label | a |
 subpaths
 #select
-| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
-| test_free.cpp:31:27:31:27 | a | test_free.cpp:30:10:30:10 | a | test_free.cpp:31:27:31:27 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:30:5:30:8 | call to free | call to free |
-| test_free.cpp:37:27:37:27 | a | test_free.cpp:35:10:35:10 | a | test_free.cpp:37:27:37:27 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:35:5:35:8 | call to free | call to free |
-| test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |
-| test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | a | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
-| test_free.cpp:51:10:51:10 | a | test_free.cpp:50:27:50:27 | a | test_free.cpp:51:10:51:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:50:22:50:25 | call to free | call to free |
-| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
-| test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | a | test_free.cpp:85:12:85:12 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:83:5:83:13 | delete | delete |
-| test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | a | test_free.cpp:103:10:103:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
-| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
-| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
-| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
+| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
+| test_free.cpp:31:27:31:27 | a | test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:30:5:30:8 | call to free | call to free |
+| test_free.cpp:37:27:37:27 | a | test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:35:5:35:8 | call to free | call to free |
+| test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |
+| test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
+| test_free.cpp:51:10:51:10 | a | test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:50:22:50:25 | call to free | call to free |
+| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
+| test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:83:5:83:13 | delete | delete |
+| test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
+| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
+| test_free.cpp:132:10:132:13 | access to array | test_free.cpp:131:10:131:13 | pointer to free output argument | test_free.cpp:132:10:132:13 | access to array | Memory pointed to by 'access to array' may already have been freed by $@. | test_free.cpp:131:5:131:8 | call to free | call to free |
+| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
+| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |