Provide getAllocatedElementType predicate for AllocationExprs.

This predicate tries to determine the type of the allocated elements of an allocation expression.

Author: criemen

cpp/ql/src/semmle/code/cpp/models/implementations/Allocation.qll

@@ -342,6 +342,11 @@ class CallAllocationExpr extends AllocationExpr, FunctionCall {
 
   override Expr getReallocPtr() { result = getArgument(target.getReallocPtrArg()) }
 
+  override Type getAllocatedElementType() {
+    result = this.getFullyConverted().getUnderlyingType().(PointerType).getBaseType() and
+    not result instanceof VoidType
+  }
+
   override predicate requiresDealloc() { target.requiresDealloc() }
 }
 
@@ -353,6 +358,8 @@ class NewAllocationExpr extends AllocationExpr, NewExpr {
 
   override int getSizeBytes() { result = getAllocatedType().getSize() }
 
+  override Type getAllocatedElementType() { result = getAllocatedType() }
+
   override predicate requiresDealloc() { not exists(getPlacementPointer()) }
 }
 
@@ -373,6 +380,8 @@ class NewArrayAllocationExpr extends AllocationExpr, NewArrayExpr {
     result = getAllocatedElementType().getSize()
   }
 
+  override Type getAllocatedElementType() { result = NewArrayExpr.super.getAllocatedElementType() }
+
   override int getSizeBytes() { result = getAllocatedType().getSize() }
 
   override predicate requiresDealloc() { not exists(getPlacementPointer()) }

cpp/ql/src/semmle/code/cpp/models/interfaces/Allocation.qll

@@ -72,6 +72,11 @@ abstract class AllocationExpr extends Expr {
    */
   Expr getReallocPtr() { none() }
 
+  /**
+   * Gets the type of the elements that are allocated, if it can be determined.
+   */
+  Type getAllocatedElementType() { none() }
+
   /**
    * Whether or not this allocation requires a corresponding deallocation of
    * some sort (most do, but `alloca` for example does not).  If it is unclear,

cpp/ql/test/library-tests/allocators/allocators.expected

@@ -61,35 +61,35 @@ allocationFunctions
 | file://:0:0:0:0 | operator new[] | getSizeArg = 0, requiresDealloc |
 | file://:0:0:0:0 | operator new[] | getSizeArg = 0, requiresDealloc |
 allocationExprs
-| allocators.cpp:49:3:49:9 | new | getSizeBytes = 4, requiresDealloc |
-| allocators.cpp:50:3:50:15 | new | getSizeBytes = 4, requiresDealloc |
-| allocators.cpp:51:3:51:11 | new | getSizeBytes = 4, requiresDealloc |
-| allocators.cpp:52:3:52:14 | new | getSizeBytes = 8, requiresDealloc |
-| allocators.cpp:53:3:53:27 | new | getSizeBytes = 8, requiresDealloc |
-| allocators.cpp:54:3:54:17 | new | getSizeBytes = 256, requiresDealloc |
-| allocators.cpp:55:3:55:25 | new | getSizeBytes = 256, requiresDealloc |
-| allocators.cpp:68:3:68:12 | new[] | getSizeExpr = n, getSizeMult = 4, requiresDealloc |
-| allocators.cpp:69:3:69:18 | new[] | getSizeExpr = n, getSizeMult = 4, requiresDealloc |
-| allocators.cpp:70:3:70:15 | new[] | getSizeExpr = n, getSizeMult = 8, requiresDealloc |
-| allocators.cpp:71:3:71:20 | new[] | getSizeExpr = n, getSizeMult = 256, requiresDealloc |
-| allocators.cpp:72:3:72:16 | new[] | getSizeBytes = 80, requiresDealloc |
-| allocators.cpp:107:3:107:18 | new | getSizeBytes = 1, requiresDealloc |
-| allocators.cpp:108:3:108:19 | new[] | getSizeExpr = n, getSizeMult = 1, requiresDealloc |
-| allocators.cpp:109:3:109:35 | new | getSizeBytes = 128, requiresDealloc |
-| allocators.cpp:110:3:110:37 | new[] | getSizeBytes = 1280, requiresDealloc |
-| allocators.cpp:129:3:129:21 | new | getSizeBytes = 4 |
-| allocators.cpp:132:3:132:17 | new[] | getSizeBytes = 4 |
-| allocators.cpp:135:3:135:26 | new | getSizeBytes = 4, requiresDealloc |
-| allocators.cpp:136:3:136:26 | new[] | getSizeBytes = 8, requiresDealloc |
-| allocators.cpp:142:13:142:27 | new[] | getSizeExpr = x, getSizeMult = 10, requiresDealloc |
-| allocators.cpp:143:13:143:28 | new[] | getSizeBytes = 400, requiresDealloc |
-| allocators.cpp:144:13:144:31 | new[] | getSizeExpr = x, getSizeMult = 900, requiresDealloc |
+| allocators.cpp:49:3:49:9 | new | getAllocatedElementType = int, getSizeBytes = 4, requiresDealloc |
+| allocators.cpp:50:3:50:15 | new | getAllocatedElementType = int, getSizeBytes = 4, requiresDealloc |
+| allocators.cpp:51:3:51:11 | new | getAllocatedElementType = int, getSizeBytes = 4, requiresDealloc |
+| allocators.cpp:52:3:52:14 | new | getAllocatedElementType = String, getSizeBytes = 8, requiresDealloc |
+| allocators.cpp:53:3:53:27 | new | getAllocatedElementType = String, getSizeBytes = 8, requiresDealloc |
+| allocators.cpp:54:3:54:17 | new | getAllocatedElementType = Overaligned, getSizeBytes = 256, requiresDealloc |
+| allocators.cpp:55:3:55:25 | new | getAllocatedElementType = Overaligned, getSizeBytes = 256, requiresDealloc |
+| allocators.cpp:68:3:68:12 | new[] | getAllocatedElementType = int, getSizeExpr = n, getSizeMult = 4, requiresDealloc |
+| allocators.cpp:69:3:69:18 | new[] | getAllocatedElementType = int, getSizeExpr = n, getSizeMult = 4, requiresDealloc |
+| allocators.cpp:70:3:70:15 | new[] | getAllocatedElementType = String, getSizeExpr = n, getSizeMult = 8, requiresDealloc |
+| allocators.cpp:71:3:71:20 | new[] | getAllocatedElementType = Overaligned, getSizeExpr = n, getSizeMult = 256, requiresDealloc |
+| allocators.cpp:72:3:72:16 | new[] | getAllocatedElementType = String, getSizeBytes = 80, requiresDealloc |
+| allocators.cpp:107:3:107:18 | new | getAllocatedElementType = FailedInit, getSizeBytes = 1, requiresDealloc |
+| allocators.cpp:108:3:108:19 | new[] | getAllocatedElementType = FailedInit, getSizeExpr = n, getSizeMult = 1, requiresDealloc |
+| allocators.cpp:109:3:109:35 | new | getAllocatedElementType = FailedInitOveraligned, getSizeBytes = 128, requiresDealloc |
+| allocators.cpp:110:3:110:37 | new[] | getAllocatedElementType = FailedInitOveraligned, getSizeBytes = 1280, requiresDealloc |
+| allocators.cpp:129:3:129:21 | new | getAllocatedElementType = int, getSizeBytes = 4 |
+| allocators.cpp:132:3:132:17 | new[] | getAllocatedElementType = int, getSizeBytes = 4 |
+| allocators.cpp:135:3:135:26 | new | getAllocatedElementType = int, getSizeBytes = 4, requiresDealloc |
+| allocators.cpp:136:3:136:26 | new[] | getAllocatedElementType = int, getSizeBytes = 8, requiresDealloc |
+| allocators.cpp:142:13:142:27 | new[] | getAllocatedElementType = char[10], getSizeExpr = x, getSizeMult = 10, requiresDealloc |
+| allocators.cpp:143:13:143:28 | new[] | getAllocatedElementType = char[20], getSizeBytes = 400, requiresDealloc |
+| allocators.cpp:144:13:144:31 | new[] | getAllocatedElementType = char[30][30], getSizeExpr = x, getSizeMult = 900, requiresDealloc |
 | allocators.cpp:149:8:149:19 | call to operator new | getSizeBytes = 4, getSizeExpr = sizeof(int), getSizeMult = 1, requiresDealloc |
-| allocators.cpp:157:50:157:55 | call to malloc | getSizeBytes = 5, getSizeExpr = 5, getSizeMult = 1, requiresDealloc |
+| allocators.cpp:157:50:157:55 | call to malloc | getAllocatedElementType = const volatile int, getSizeBytes = 5, getSizeExpr = 5, getSizeMult = 1, requiresDealloc |
 | allocators.cpp:158:26:158:31 | call to malloc | getSizeBytes = 20, getSizeExpr = 5, getSizeMult = 4, requiresDealloc |
-| allocators.cpp:159:31:159:36 | call to malloc | getSizeExpr = count, getSizeMult = 1, requiresDealloc |
-| allocators.cpp:160:16:160:21 | call to malloc | getSizeExpr = count, getSizeMult = 4, requiresDealloc |
-| allocators.cpp:161:34:161:39 | call to malloc | getSizeExpr = ... + ..., getSizeMult = 1, requiresDealloc |
+| allocators.cpp:159:31:159:36 | call to malloc | getAllocatedElementType = volatile long, getSizeExpr = count, getSizeMult = 1, requiresDealloc |
+| allocators.cpp:160:16:160:21 | call to malloc | getAllocatedElementType = volatile long, getSizeExpr = count, getSizeMult = 4, requiresDealloc |
+| allocators.cpp:161:34:161:39 | call to malloc | getAllocatedElementType = const char, getSizeExpr = ... + ..., getSizeMult = 1, requiresDealloc |
 | allocators.cpp:162:23:162:28 | call to malloc | getSizeExpr = count, getSizeMult = 8, requiresDealloc |
 | allocators.cpp:163:3:163:8 | call to malloc | getSizeBytes = 32, getSizeExpr = ... * ..., getSizeMult = 1, requiresDealloc |
 deallocationFunctions

cpp/ql/test/library-tests/allocators/allocators.ql

@@ -138,6 +138,8 @@ string describeAllocationExpr(AllocationExpr e) {
   or
   result = "getReallocPtr = " + e.getReallocPtr().toString()
   or
+  result = "getAllocatedElementType = " + e.getAllocatedElementType().toString()
+  or
   e.requiresDealloc() and
   result = "requiresDealloc"
 }