C++: Promote cpp/incorrect-allocation-error-handling out of experimental.

Author: MathiasVP

cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp renamed to cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp

@@ -0,0 +1,31 @@
+  <!DOCTYPE qhelp PUBLIC
+    "-//Semmle//qhelp//EN"
+    "qhelp.dtd">
+  <qhelp>
+  <overview>
+  <p>Different overloads of the <code>new</code> operator handle allocation failures in different ways.
+  If <code>new T</code> fails for some type <code>T</code>, it throws a <code>std::bad_alloc</code> exception,
+  but <code>new(std::nothrow) T</code> returns a null pointer. If the programmer does not use the corresponding
+  method of error handling, allocation failure may go unhandled and could cause the program to behave in
+  unexpected ways.</p>
+
+  </overview>
+  <recommendation>
+
+  <p>Make sure that exceptions are handled appropriately if <code>new T</code> is used. On the other hand,
+  make sure to handle the possibility of null pointers if <code>new(std::nothrow) T</code> is used.</p>
+
+  </recommendation>
+  <example>
+  <sample src="IncorrectAllocationErrorHandling.cpp" />
+
+  </example>
+  <references>
+
+  <li>
+    CERT C++ Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM52-CPP.+Detect+and+handle+memory+allocation+errors">MEM52-CPP. Detect and handle memory allocation errors</a>.
+  </li>
+
+  </references>
+  </qhelp>

cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp

@@ -0,0 +1,224 @@
+  /**
+   * @name Incorrect allocation-error handling
+   * @description `operator new` throws an exception on allocation failures, while `operator new(std::nothrow)` returns a null pointer. Mixing up these two failure conditions can result in unexpected behavior.
+   * @kind problem
+   * @id cpp/incorrect-allocation-error-handling
+   * @problem.severity warning
+   * @precision medium
+   * @tags correctness
+   *       security
+   *       external/cwe/cwe-570
+   */
+
+  import cpp
+  import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+  import semmle.code.cpp.controlflow.Guards
+
+  /**
+   * A C++ `delete` or `delete[]` expression.
+   */
+  class DeleteOrDeleteArrayExpr extends Expr {
+    DeleteOrDeleteArrayExpr() { this instanceof DeleteExpr or this instanceof DeleteArrayExpr }
+
+    DeallocationFunction getDeallocator() {
+      result = [this.(DeleteExpr).getDeallocator(), this.(DeleteArrayExpr).getDeallocator()]
+    }
+
+    Destructor getDestructor() {
+      result = [this.(DeleteExpr).getDestructor(), this.(DeleteArrayExpr).getDestructor()]
+    }
+  }
+
+  /** Gets the `Constructor` invoked when `newExpr` allocates memory. */
+  Constructor getConstructorForAllocation(NewOrNewArrayExpr newExpr) {
+    result.getACallToThisFunction() = newExpr.getInitializer()
+  }
+
+  /** Gets the `Destructor` invoked when `deleteExpr` deallocates memory. */
+  Destructor getDestructorForDeallocation(DeleteOrDeleteArrayExpr deleteExpr) {
+    result = deleteExpr.getDestructor()
+  }
+
+  /** Holds if the evaluation of `newExpr` may throw an exception. */
+  predicate newMayThrow(NewOrNewArrayExpr newExpr) {
+    functionMayThrow(newExpr.getAllocator()) or
+    functionMayThrow(getConstructorForAllocation(newExpr))
+  }
+
+  /** Holds if the evaluation of `deleteExpr` may throw an exception. */
+  predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
+    functionMayThrow(deleteExpr.getDeallocator()) or
+    functionMayThrow(getDestructorForDeallocation(deleteExpr))
+  }
+
+  /**
+   * Holds if the function may throw an exception when called. That is, if the body of the function looks
+   * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
+   */
+  predicate functionMayThrow(Function f) {
+    (not exists(f.getBlock()) or stmtMayThrow(f.getBlock())) and
+    not f.isNoExcept() and
+    not f.isNoThrow()
+  }
+
+  /** Holds if the evaluation of `stmt` may throw an exception. */
+  predicate stmtMayThrow(Stmt stmt) {
+    stmtMayThrow(stmt.(BlockStmt).getAStmt())
+    or
+    convertedExprMayThrow(stmt.(ExprStmt).getExpr())
+    or
+    convertedExprMayThrow(stmt.(DeclStmt).getADeclaration().(Variable).getInitializer().getExpr())
+    or
+    exists(IfStmt ifStmt | ifStmt = stmt |
+      convertedExprMayThrow(ifStmt.getCondition()) or
+      stmtMayThrow([ifStmt.getThen(), ifStmt.getElse()])
+    )
+    or
+    exists(ConstexprIfStmt constIfStmt | constIfStmt = stmt |
+      stmtMayThrow([constIfStmt.getThen(), constIfStmt.getElse()])
+    )
+    or
+    exists(Loop loop | loop = stmt |
+      convertedExprMayThrow(loop.getCondition()) or
+      stmtMayThrow(loop.getStmt())
+    )
+    or
+    // The case for `Loop` already checked the condition and the statement.
+    convertedExprMayThrow(stmt.(RangeBasedForStmt).getUpdate())
+    or
+    // The case for `Loop` already checked the condition and the statement.
+    exists(ForStmt forStmt | forStmt = stmt |
+      stmtMayThrow(forStmt.getInitialization())
+      or
+      convertedExprMayThrow(forStmt.getUpdate())
+    )
+    or
+    exists(SwitchStmt switchStmt | switchStmt = stmt |
+      convertedExprMayThrow(switchStmt.getExpr()) or
+      stmtMayThrow(switchStmt.getStmt())
+    )
+    or
+    // NOTE: We don't include `TryStmt` as those exceptions are not "observable" outside the function.
+    stmtMayThrow(stmt.(Handler).getBlock())
+    or
+    convertedExprMayThrow(stmt.(CoReturnStmt).getExpr())
+    or
+    convertedExprMayThrow(stmt.(ReturnStmt).getExpr())
+  }
+
+  /** Holds if the evaluation of `e` (including conversions) may throw an exception. */
+  predicate convertedExprMayThrow(Expr e) {
+    exprMayThrow(e)
+    or
+    convertedExprMayThrow(e.getConversion())
+  }
+
+  /** Holds if the evaluation of `e` may throw an exception. */
+  predicate exprMayThrow(Expr e) {
+    e instanceof DynamicCast
+    or
+    e instanceof TypeidOperator
+    or
+    e instanceof ThrowExpr
+    or
+    newMayThrow(e)
+    or
+    deleteMayThrow(e)
+    or
+    convertedExprMayThrow(e.(UnaryOperation).getOperand())
+    or
+    exists(BinaryOperation binOp | binOp = e |
+      convertedExprMayThrow([binOp.getLeftOperand(), binOp.getRightOperand()])
+    )
+    or
+    exists(Assignment assign | assign = e |
+      convertedExprMayThrow([assign.getLValue(), assign.getRValue()])
+    )
+    or
+    exists(CommaExpr comma | comma = e |
+      convertedExprMayThrow([comma.getLeftOperand(), comma.getRightOperand()])
+    )
+    or
+    exists(StmtExpr stmtExpr | stmtExpr = e |
+      convertedExprMayThrow(stmtExpr.getResultExpr()) or
+      stmtMayThrow(stmtExpr.getStmt())
+    )
+    or
+    convertedExprMayThrow(e.(Conversion).getExpr())
+    or
+    exists(FunctionCall fc | fc = e |
+      not exists(fc.getTarget()) or
+      functionMayThrow(fc.getTarget()) or
+      convertedExprMayThrow(fc.getAnArgument())
+    )
+  }
+
+  /** An allocator that might throw an exception. */
+  class ThrowingAllocator extends Function {
+    ThrowingAllocator() {
+      exists(NewOrNewArrayExpr newExpr |
+        newExpr.getAllocator() = this and
+        functionMayThrow(this)
+      )
+    }
+  }
+
+  /** The `std::bad_alloc` exception and its `bsl` variant. */
+  class BadAllocType extends Class {
+    BadAllocType() { this.hasGlobalOrStdOrBslName("bad_alloc") }
+  }
+
+  /**
+   * A catch block that catches a `std::bad_alloc` (or any of its superclasses), or a catch
+   * block that catches every exception (i.e., `catch(...)`).
+   */
+  class BadAllocCatchBlock extends CatchBlock {
+    BadAllocCatchBlock() {
+      this.getParameter().getUnspecifiedType().stripType() =
+        any(BadAllocType badAlloc).getABaseClass*()
+      or
+      not exists(this.getParameter())
+    }
+  }
+
+  /**
+   * Holds if `newExpr` is embedded in a `try` statement with a catch block `catchBlock` that
+   * catches a `std::bad_alloc` exception, but nothing in the `try` block (including the `newExpr`)
+   * will throw that exception.
+   */
+  predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchBlock) {
+    exists(TryStmt try |
+      not stmtMayThrow(try.getStmt()) and
+      try.getACatchClause() = catchBlock and
+      newExpr.getEnclosingBlock().getEnclosingBlock*() = try.getStmt()
+    )
+  }
+
+  /**
+   * Holds if `newExpr` is handles allocation failures by throwing an exception, yet
+   * the guard condition `guard` compares the result of `newExpr` to a null value.
+   */
+  predicate nullCheckInThrowingNew(NewOrNewArrayExpr newExpr, GuardCondition guard) {
+    newExpr.getAllocator() instanceof ThrowingAllocator and
+    (
+      // Handles null comparisons.
+      guard.ensuresEq(globalValueNumber(newExpr).getAnExpr(), any(NullValue null), _, _, _)
+      or
+      // Handles `if(ptr)` and `if(!ptr)` cases.
+      guard = globalValueNumber(newExpr).getAnExpr()
+    )
+  }
+
+  from NewOrNewArrayExpr newExpr, Element element, string msg, string elementString
+  where
+    not newExpr.isFromUninstantiatedTemplate(_) and
+    (
+      noThrowInTryBlock(newExpr, element) and
+      msg = "This allocation cannot throw. $@ is unnecessary." and
+      elementString = "This catch block"
+      or
+      nullCheckInThrowingNew(newExpr, element) and
+      msg = "This allocation cannot return null. $@ is unnecessary." and
+      elementString = "This check"
+    )
+  select newExpr, msg, element, elementString