CPP: Add test demonstrating use-after-free false negatives.

alexet · alexet · commit 26b03637070a · 2023-10-23T17:01:52.000+01:00
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
@@ -97,6 +97,10 @@
 | test_free.cpp:260:9:260:9 | p |
 | test_free.cpp:263:12:263:12 | p |
 | test_free.cpp:269:7:269:11 | ... = ... |
+| test_free.cpp:277:11:277:13 | buf |
+| test_free.cpp:282:10:282:12 | buf |
+| test_free.cpp:288:8:288:10 | buf |
+| test_free.cpp:293:8:293:10 | buf |
 | virtual.cpp:18:10:18:10 | a |
 | virtual.cpp:19:10:19:10 | c |
 | virtual.cpp:38:10:38:10 | b |
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
@@ -12,6 +12,10 @@ edges
 | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
 | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
 | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
+| test_free.cpp:293:8:293:10 | buf | test_free.cpp:294:3:294:13 | ... = ... |
+| test_free.cpp:294:3:294:13 | ... = ... | test_free.cpp:294:5:294:7 | s indirection [post update] [buf] |
+| test_free.cpp:294:5:294:7 | s indirection [post update] [buf] | test_free.cpp:295:12:295:12 | s indirection [buf] |
+| test_free.cpp:295:12:295:12 | s indirection [buf] | test_free.cpp:295:14:295:16 | buf |
 nodes
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
 | test_free.cpp:12:5:12:5 | a | semmle.label | a |
@@ -38,6 +42,11 @@ nodes
 | test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
 | test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
 | test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
+| test_free.cpp:293:8:293:10 | buf | semmle.label | buf |
+| test_free.cpp:294:3:294:13 | ... = ... | semmle.label | ... = ... |
+| test_free.cpp:294:5:294:7 | s indirection [post update] [buf] | semmle.label | s indirection [post update] [buf] |
+| test_free.cpp:295:12:295:12 | s indirection [buf] | semmle.label | s indirection [buf] |
+| test_free.cpp:295:14:295:16 | buf | semmle.label | buf |
 subpaths
 #select
 | test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
@@ -53,3 +62,4 @@ subpaths
 | test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
 | test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
 | test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
+| test_free.cpp:295:14:295:16 | buf | test_free.cpp:293:8:293:10 | buf | test_free.cpp:295:14:295:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:293:3:293:6 | call to free | call to free |
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp b/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
@@ -267,4 +267,30 @@ void test_free_assign() {
 	void *a = malloc(10); 
 	void *b;
 	free(b = a); // GOOD 
+}
+
+struct MyStruct {
+  char* buf;
+};
+
+void test_free_struct(MyStruct* s) {
+  free(s->buf);
+  char c = s->buf[0]; // BAD [FALSE NEGATIVE]
+}
+
+void test_free_struct2(MyStruct s) {
+  free(s.buf);
+  char c = s.buf[0]; // BAD [FALSE NEGATIVE]
+}
+
+void test_free_struct3(MyStruct s) {
+  char* buf = s.buf;
+  free(buf);
+  char c = s.buf[0]; // BAD [FALSE NEGATIVE]
+}
+
+void test_free_struct4(char* buf, MyStruct s) {
+  free(buf);
+  s.buf = buf;
+  char c = s.buf[0]; // BAD
 }
