Merge branch 'main' into revert-import-change

Author: RasmusWL

cpp/ql/test/library-tests/dataflow/smart-pointers-taint/memory.h

@@ -0,0 +1,127 @@
+
+namespace std {
+  namespace detail {
+    template<typename T>
+    class compressed_pair_element {
+      T element;
+
+    public:
+      compressed_pair_element() = default;
+      compressed_pair_element(const T& t) : element(t) {}
+      
+      T& get() { return element; }
+
+      const T& get() const { return element; }
+    };
+
+    template<typename T, typename U>
+    struct compressed_pair : private compressed_pair_element<T>, private compressed_pair_element<U> {
+      compressed_pair() = default;
+      compressed_pair(T& t) : compressed_pair_element<T>(t), compressed_pair_element<U>() {}
+      compressed_pair(const compressed_pair&) = delete;
+      compressed_pair(compressed_pair<T, U>&&) noexcept = default;
+
+      T& first() { return static_cast<compressed_pair_element<T>&>(*this).get(); }
+      U& second() { return static_cast<compressed_pair_element<U>&>(*this).get(); }
+
+      const T& first() const { return static_cast<const compressed_pair_element<T>&>(*this).get(); }
+      const U& second() const { return static_cast<const compressed_pair_element<U>&>(*this).get(); }
+    };
+  }
+
+  template<class T>
+  struct default_delete {
+    void operator()(T* ptr) const { delete ptr; }
+  };
+
+  template<class T>
+  struct default_delete<T[]> {
+    template<class U>
+    void operator()(U* ptr) const { delete[] ptr; }
+  };
+
+  template<class T, class Deleter = default_delete<T> >
+  class unique_ptr {
+  private:
+    detail::compressed_pair<T*, Deleter> data;
+  public:
+    constexpr unique_ptr() noexcept {}
+    explicit unique_ptr(T* ptr) noexcept : data(ptr) {}
+    unique_ptr(const unique_ptr& ptr) = delete;
+    unique_ptr(unique_ptr&& ptr) noexcept = default;
+
+    unique_ptr& operator=(unique_ptr&& ptr) noexcept = default;
+
+    T& operator*() const { return *get(); }
+    T* operator->() const noexcept { return get(); }
+
+    T* get() const noexcept { return data.first(); }
+
+    ~unique_ptr() {
+      Deleter& d = data.second();
+      d(data.first());
+    }
+  };
+  
+  template<typename T, class... Args> unique_ptr<T> make_unique(Args&&... args) {
+    return unique_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
+  }
+
+  class ctrl_block {
+    unsigned uses;
+
+  public:
+    ctrl_block() : uses(1) {}
+
+    void inc() { ++uses; }
+    bool dec() { return --uses == 0; }
+
+    virtual void destroy() = 0;
+    virtual ~ctrl_block() {}
+  };
+
+  template<typename T, class Deleter = default_delete<T> >
+  struct ctrl_block_impl: public ctrl_block {
+    T* ptr;
+    Deleter d;
+
+    ctrl_block_impl(T* ptr, Deleter d) : ptr(ptr), d(d) {}
+    virtual void destroy() override { d(ptr); }
+  };
+
+  template<class T>
+  class shared_ptr {
+  private:
+    ctrl_block* ctrl;
+    T* ptr;
+
+    void dec() {
+      if(ctrl->dec()) {
+        ctrl->destroy();
+        delete ctrl;
+      }
+    }
+
+    void inc() {
+      ctrl->inc();
+    }
+
+  public:
+    constexpr shared_ptr() noexcept = default;
+    shared_ptr(T* ptr) : ctrl(new ctrl_block_impl<T>(ptr, default_delete<T>())) {}
+    shared_ptr(const shared_ptr& s) noexcept : ptr(s.ptr), ctrl(s.ctrl) {
+      inc();
+    }
+    shared_ptr(shared_ptr&& s) noexcept = default;
+
+    T* operator->() const { return ptr; }
+
+    T& operator*() const { return *ptr; }
+
+    ~shared_ptr() { dec(); }
+  };
+
+  template<typename T, class... Args> shared_ptr<T> make_shared(Args&&... args) {
+    return shared_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
+  }
+}

python/ql/test/library-tests/DuplicateCode/DuplicateStatements.expected renamed to cpp/ql/test/library-tests/dataflow/smart-pointers-taint/taint.expected

@@ -0,0 +1,39 @@
+import TestUtilities.dataflow.FlowTestCommon
+
+module ASTTest {
+  private import semmle.code.cpp.dataflow.TaintTracking
+
+  class ASTSmartPointerTaintConfig extends TaintTracking::Configuration {
+    ASTSmartPointerTaintConfig() { this = "ASTSmartPointerTaintConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      source.asExpr().(FunctionCall).getTarget().getName() = "source"
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(FunctionCall call |
+        call.getTarget().getName() = "sink" and
+        sink.asExpr() = call.getAnArgument()
+      )
+    }
+  }
+}
+
+module IRTest {
+  private import semmle.code.cpp.ir.dataflow.TaintTracking
+
+  class IRSmartPointerTaintConfig extends TaintTracking::Configuration {
+    IRSmartPointerTaintConfig() { this = "IRSmartPointerTaintConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      source.asExpr().(FunctionCall).getTarget().getName() = "source"
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(FunctionCall call |
+        call.getTarget().getName() = "sink" and
+        sink.asExpr() = call.getAnArgument()
+      )
+    }
+  }
+}

cpp/ql/test/library-tests/dataflow/smart-pointers-taint/taint.ql

@@ -0,0 +1,46 @@
+#include "memory.h"
+
+int source();
+void sink(int);
+
+void test_unique_ptr_int() {
+	std::unique_ptr<int> p1(new int(source()));
+	std::unique_ptr<int> p2 = std::make_unique<int>(source());
+	
+	sink(*p1); // $ MISSING: ast,ir
+	sink(*p2); // $ ast ir=8:50
+}
+
+struct A {
+	int x, y;
+
+	A(int x, int y) : x(x), y(y) {}
+};
+
+void test_unique_ptr_struct() {
+	std::unique_ptr<A> p1(new A{source(), 0});
+	std::unique_ptr<A> p2 = std::make_unique<A>(source(), 0);
+	
+	sink(p1->x); // $ MISSING: ast,ir
+	sink(p1->y);
+	sink(p2->x); // $ MISSING: ast,ir
+	sink(p2->y);
+}
+
+void test_shared_ptr_int() {
+	std::shared_ptr<int> p1(new int(source()));
+	std::shared_ptr<int> p2 = std::make_shared<int>(source());
+	
+	sink(*p1); // $ ast
+	sink(*p2); // $ ast ir=32:50 
+}
+
+void test_shared_ptr_struct() {
+	std::shared_ptr<A> p1(new A{source(), 0});
+	std::shared_ptr<A> p2 = std::make_shared<A>(source(), 0);
+	
+	sink(p1->x); // $ MISSING: ast,ir
+	sink(p1->y);
+	sink(p2->x); // $ MISSING: ast,ir
+	sink(p2->y);
+}

cpp/ql/test/library-tests/dataflow/smart-pointers-taint/test.cpp

@@ -10,3 +10,4 @@
 | test.cpp:89:18:89:23 | call to malloc | This memory is never freed |
 | test.cpp:156:3:156:26 | new | This memory is never freed |
 | test.cpp:157:3:157:26 | new[] | This memory is never freed |
+| test.cpp:167:14:167:19 | call to strdup | This memory is never freed |

cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.expected

@@ -156,3 +156,15 @@ int overloadedNew() {
   new(std::nothrow) int(3); // BAD
   new(std::nothrow) int[2]; // BAD
 }
+
+// --- strdup ---
+
+char *strdup(const char *s1);
+void output_msg(const char *msg);
+
+void test_strdup() {
+	char msg[] = "OctoCat";
+	char *cpy = strdup(msg); // BAD
+
+	output_msg(cpy);
+}

cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp

@@ -7,3 +7,4 @@
 | test.cpp:303:11:303:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
 | test.cpp:313:11:313:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
 | test.cpp:442:8:442:17 | call to mutex_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
+| test.cpp:482:2:482:19 | call to pthread_mutex_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |

cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/UnreleasedLock.expected

@@ -445,3 +445,46 @@ bool test_mutex(data_t *data)
 
 	return true;
 }
+
+// ---
+
+struct pthread_mutex
+{
+	// ...
+};
+
+void pthread_mutex_lock(pthread_mutex *m);
+void pthread_mutex_unlock(pthread_mutex *m);
+
+class MyClass
+{
+public:
+	pthread_mutex lock;
+};
+
+bool maybe();
+
+int test_MyClass_good(MyClass *obj)
+{
+	pthread_mutex_lock(&obj->lock);
+	
+	if (maybe()) {
+		pthread_mutex_unlock(&obj->lock);
+		return -1; // GOOD
+	}
+
+	pthread_mutex_unlock(&obj->lock); // GOOD
+	return 0;
+}
+
+int test_MyClass_bad(MyClass *obj)
+{
+	pthread_mutex_lock(&obj->lock);
+
+	if (maybe()) {
+		return -1; // BAD
+	}
+
+	pthread_mutex_unlock(&obj->lock); // GOOD
+	return 0;
+}

cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/test.cpp

@@ -18,9 +18,10 @@
 | NoDestructor.cpp:23:3:23:20 | ... = ... | Resource n is acquired by class MyClass5 but not released anywhere in this class. |
 | PlacementNew.cpp:36:3:36:36 | ... = ... | Resource p1 is acquired by class MyTestForPlacementNew but not released anywhere in this class. |
 | SelfRegistering.cpp:25:3:25:24 | ... = ... | Resource side is acquired by class MyOwner but not released anywhere in this class. |
-| Variants.cpp:25:3:25:13 | ... = ... | Resource f is acquired by class MyClass4 but not released anywhere in this class. |
-| Variants.cpp:65:3:65:17 | ... = ... | Resource a is acquired by class MyClass6 but not released anywhere in this class. |
-| Variants.cpp:66:3:66:36 | ... = ... | Resource b is acquired by class MyClass6 but not released anywhere in this class. |
-| Variants.cpp:67:3:67:41 | ... = ... | Resource c is acquired by class MyClass6 but not released anywhere in this class. |
+| Variants.cpp:26:3:26:13 | ... = ... | Resource f is acquired by class MyClass4 but not released anywhere in this class. |
+| Variants.cpp:69:3:69:17 | ... = ... | Resource a is acquired by class MyClass6 but not released anywhere in this class. |
+| Variants.cpp:70:3:70:36 | ... = ... | Resource b is acquired by class MyClass6 but not released anywhere in this class. |
+| Variants.cpp:71:3:71:41 | ... = ... | Resource c is acquired by class MyClass6 but not released anywhere in this class. |
+| Variants.cpp:72:3:72:22 | ... = ... | Resource d is acquired by class MyClass6 but not released anywhere in this class. |
 | Wrapped.cpp:46:3:46:22 | ... = ... | Resource ptr2 is acquired by class Wrapped2 but not released anywhere in this class. |
 | Wrapped.cpp:59:3:59:22 | ... = ... | Resource ptr4 is acquired by class Wrapped2 but not released anywhere in this class. |

cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.expected

@@ -5,6 +5,7 @@ void *malloc(size_t size);
 void *calloc(size_t nmemb, size_t size);
 void *realloc(void *ptr, size_t size);
 void free(void* ptr);
+char *strdup(const char *s1);
 
 int *ID(int *x) 
 {
@@ -45,16 +46,19 @@ class MyClass5
 		a = new int[10]; // GOOD
 		b = (int *)calloc(10, sizeof(int)); // GOOD
 		c = (int *)realloc(0, 10 * sizeof(int)); // GOOD
+		d = strdup("string");
 	}
 
 	~MyClass5()
 	{
 		delete [] a;
 		free(b);
 		free(c);
+		free(d);
 	}
 
 	int *a, *b, *c;
+	char *d;
 };
 
 class MyClass6
@@ -65,13 +69,15 @@ class MyClass6
 		a = new int[10]; // BAD
 		b = (int *)calloc(10, sizeof(int)); // BAD
 		c = (int *)realloc(0, 10 * sizeof(int)); // BAD
+		d = strdup("string"); // BAD
 	}
 
 	~MyClass6()
 	{
 	}
 
 	int *a, *b, *c;
+	char *d;
 };
 
 class MyClass7