C++: Add tests for experimental cpp/guarded-free query #17960

Merged
merged 3 commits into from
Nov 12, 2024
@@ -0,0 +1,10 @@
| test.cpp:5:7:5:7 | x | unnecessary NULL check before call to $@ | test.cpp:6:5:6:8 | call to free | free |
| test.cpp:23:7:23:7 | x | unnecessary NULL check before call to $@ | test.cpp:26:5:26:8 | call to free | free |
| test.cpp:31:7:31:8 | ! ... | unnecessary NULL check before call to $@ | test.cpp:35:3:35:6 | call to free | free |
| test.cpp:31:7:31:24 | ... \|\| ... | unnecessary NULL check before call to $@ | test.cpp:35:3:35:6 | call to free | free |
| test.cpp:31:8:31:8 | x | unnecessary NULL check before call to $@ | test.cpp:35:3:35:6 | call to free | free |
| test.cpp:94:12:94:12 | x | unnecessary NULL check before call to $@ | test.cpp:94:3:94:13 | call to free | free |
| test.cpp:98:7:98:8 | ! ... | unnecessary NULL check before call to $@ | test.cpp:101:3:101:6 | call to free | free |
| test.cpp:98:8:98:8 | x | unnecessary NULL check before call to $@ | test.cpp:101:3:101:6 | call to free | free |
| test.cpp:106:7:106:18 | ... != ... | unnecessary NULL check before call to $@ | test.cpp:107:5:107:8 | call to free | free |
| test.cpp:113:7:113:18 | ... != ... | unnecessary NULL check before call to $@ | test.cpp:114:17:114:20 | call to free | free |
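Review bot: the .expected has no row for test.cpp lines 10, 42 and 49, yet the `if` in test1, test5 and test6 is annotated `// BAD` with no `[NOT DETECTED]` qualifier, unlike test7 on line 55. If the query really does not report those three, mark them `// BAD [NOT DETECTED]` so the annotations and the expected output agree; otherwise the expected file is missing rows.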
@@ -0,0 +1 @@
experimental/Best Practices/GuardedFree.ql
@@ -0,0 +1,115 @@
extern "C" void free(void *ptr);
extern "C" int strcmp(const char *s1, const char *s2);

void test0(int *x) {
if (x) // BAD
free(x);
}

void test1(int *x) {
if (x) { // BAD
free(x);
}
}

void test2(int *x) {
if (x) { // GOOD: x is being accessed in the body of the if
*x = 42;
free(x);
}
}

void test3(int *x, bool b) {
if (x) { // GOOD [FALSE POSITIVE]: x is being accessed in the body of the if
if (b)
*x = 42;
free(x);
}
}

bool test4(char *x, char *y) {
if (!x || strcmp(x, y)) { // GOOD [FALSE POSITIVE]: x is being accessed in the guard and return value depends on x
free(x);
return true;
}
free(x);
return false;
}

void test5(char *x) {
if (x)
*x = 42;
if (x) { // BAD
free(x);
}
}

void test6(char *x) {
*x = 42;
if (x) { // BAD
free(x);
}
}

void test7(char *x) {
if (x || x) { // BAD [NOT DETECTED]
free(x);
}
}

bool test8(char *x) {
if (x) { // GOOD: return value depends on x
free(x);
return true;
}
return false;
}

#ifdef FOO
#define my_free(x) free(x - 1)
#else
#define my_free(x) free(x)
#endif

void test9(char *x) {
if (x) { // GOOD: macro may make free behave unexpectedly when compiled differently
my_free(x);
}
}

void test10(char *x) {
if (x) { // GOOD: #ifdef may make free behave unexpectedly when compiled differently
#ifdef FOO
free(x - 1);
#else
free(x);
#endif
}
}

#define TRY_FREE(x) \
if (x) free(x);

void test11(char *x) {
TRY_FREE(x) // BAD
}

bool test12(char *x) {
if (!x) // GOOD [FALSE POSITIVE]: return value depends on x
return false;

free(x);
return true;
}

void test13(char *x) {
if (x != nullptr) // BAD
free(x);
}

void inspect(char *x);

void test14(char *x) {
if (x != nullptr) // GOOD [FALSE POSITIVE]: x might be accessed in the first operand of the comma operator
inspect(x), free(x);
Contributor

@paldepind paldepind Nov 12, 2024

Is the comma operator what's causing the issue? Or does this also fail with { inspect(x); free(x); }? If it does then maybe just use semicolons? If not, would it make sense to add a comment to clarify that?

Contributor Author

@jketema jketema Nov 12, 2024

The problem is that inspect may assume that x is non-null, so if we remove the if, which is what the query is about, the thing would start crashing. Note that this derives from code I saw in the wild. Replacing it by { inspect(x); free(x); } would not give an FP.

Contributor

Then what about changing the comment to:

// GOOD [FALSE POSITIVE]: x might be accessed in the first operand of the comma operator

Or something else to make it clear that , is part of the problem/what is being tested?

Contributor Author

Done.

}
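Review bot: test8 (line 61) and test12 (line 98) carry the same justification, "return value depends on x", but one is plain GOOD and the other GOOD [FALSE POSITIVE]; the comment on test12 should say what differs, presumably the early-return shape where free(x) sits after the guard rather than inside it, so a reader knows which pattern the false positive is exercising.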