CPP: Add use after free false positive example.

alexet · alexet · commit 9de6230bbf31 · 2023-09-20T18:34:47.000+01:00
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
@@ -26,6 +26,7 @@
 | test.cpp:128:15:128:16 | v4 |
 | test.cpp:185:10:185:12 | cpy |
 | test.cpp:199:10:199:12 | cpy |
+| test.cpp:205:7:205:11 | ... = ... |
 | test_free.cpp:11:10:11:10 | a |
 | test_free.cpp:14:10:14:10 | a |
 | test_free.cpp:16:10:16:10 | a |
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.expected
@@ -1 +1,2 @@
+| test.cpp:203:12:203:17 | call to malloc | This memory allocation may not be released at $@. | test.cpp:206:1:206:1 | return ... | this exit point |
 | test_free.cpp:36:22:36:35 | ... = ... | This memory allocation may not be released at $@. | test_free.cpp:38:1:38:1 | return ... | this exit point |
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
@@ -13,6 +13,7 @@ edges
 | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
 | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
 nodes
+| test.cpp:205:7:205:11 | ... = ... | semmle.label | ... = ... |
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
 | test_free.cpp:12:5:12:5 | a | semmle.label | a |
 | test_free.cpp:13:5:13:6 | * ... | semmle.label | * ... |
@@ -40,6 +41,7 @@ nodes
 | test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
 subpaths
 #select
+| test.cpp:205:7:205:11 | ... = ... | test.cpp:205:7:205:11 | ... = ... | test.cpp:205:7:205:11 | ... = ... | Memory may have been previously freed by $@. | test.cpp:205:2:205:5 | call to free | call to free |
 | test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
 | test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
 | test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp b/cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp
@@ -198,3 +198,9 @@ void test_strndupa_dealloc() {
 	char *cpy = strndupa(msg, 4);
     free(cpy); // BAD [NOT DETECTED]
 }
+
+void test_free_malloc() {
+	void *a = malloc(10);
+	void *b;
+	free(b = a);
+}

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
	`1`	`+\| test.cpp:203:12:203:17 \| call to malloc \| This memory allocation may not be released at $@. \| test.cpp:206:1:206:1 \| return ... \| this exit point \|`
`1`	`2`	`\| test_free.cpp:36:22:36:35 \| ... = ... \| This memory allocation may not be released at $@. \| test_free.cpp:38:1:38:1 \| return ... \| this exit point \|`