Merge pull request github#3050 from geoffw0/mismatching_placement_new

C++: Fix mismatching new/free FP in template code.

Author: jbj

change-notes/1.24/analysis-cpp.md

@@ -18,6 +18,7 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
 | No space for zero terminator (`cpp/no-space-for-terminator`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
 | Memory is never freed (`cpp/memory-never-freed`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
 | Memory may not be freed (`cpp/memory-may-not-be-freed`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
+| Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`) | Fewer false positive results | Fixed false positive results in template code. |
 | Missing return statement (`cpp/missing-return`) | Fewer false positive results | Functions containing `asm` statements are no longer highlighted by this query. |
 | No space for zero terminator (`cpp/no-space-for-terminator`) | More correct results | String arguments to formatting functions are now (usually) expected to be null terminated strings. |
 | Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) |  | This query is no longer run on LGTM. |

cpp/ql/src/Critical/NewDelete.qll

@@ -12,6 +12,7 @@ import semmle.code.cpp.dataflow.DataFlow
  */
 predicate allocExpr(Expr alloc, string kind) {
   isAllocationExpr(alloc) and
+  not alloc.isFromUninstantiatedTemplate(_) and
   (
     alloc instanceof FunctionCall and
     kind = "malloc"

cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.expected

@@ -1,3 +1,5 @@
+| test2.cpp:19:3:19:6 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:18:12:18:18 | new | new |
+| test2.cpp:26:3:26:6 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test2.cpp:25:7:25:13 | new | new |
 | test.cpp:36:2:36:17 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:27:18:27:23 | call to malloc | malloc |
 | test.cpp:41:2:41:5 | call to free | There is a new/free mismatch between this free and the corresponding $@. | test.cpp:26:7:26:17 | new | new |
 | test.cpp:68:3:68:11 | delete | There is a malloc/delete mismatch between this delete and the corresponding $@. | test.cpp:64:28:64:33 | call to malloc | malloc |

cpp/ql/test/query-tests/Critical/NewFree/test2.cpp

@@ -0,0 +1,36 @@
+// semmle-extractor-options: -std=gnu++14
+
+typedef unsigned long size_t;
+
+void *malloc(size_t size);
+void free(void *ptr);
+
+void* operator new(size_t _Size, void *_Where);
+
+// ---
+
+template<typename T>
+class MyTest2Class
+{
+public:
+	MyTest2Class()
+	{
+		int *a = new int;
+		free(a); // BAD
+
+		int *ptr_b = (int *)malloc(sizeof(int));
+		int *b = new(ptr_b) int;
+		free(b); // GOOD
+
+		c = new int;
+		free(c); // BAD
+
+		int *ptr_d = (int *)malloc(sizeof(int));
+		d = new(ptr_d) int;
+		free(d); // GOOD
+	}
+
+	int *c, *d;
+};
+
+MyTest2Class<int> mt2c_i;