C/C++ : memory may not be freed on loop #9053
Conversation
There was a problem hiding this comment.
This is a promising idea for a query, thank you for your contribution!
I think we should clean up the QL a bit - I've made some initial suggestions. In general adding \\ comments to blocks of code explaining what they do would help make the QL more readable and maintainable.
cpp/ql/src/experimental/Critical/MemoryMayNotBeFreedOnLoop.qhelp
Outdated
Show resolved
Hide resolved
cpp/ql/src/experimental/Critical/MemoryMayNotBeFreedOnLoop.qhelp
Outdated
Show resolved
Hide resolved
| e.(ConstructorFieldInit).getExpr() = v.getAnAccess() | ||
| } | ||
|
|
||
| predicate allocCallOrIndirect(Expr e) { |
There was a problem hiding this comment.
Again it may be worth calling out the predicates that are copies, as ideally at some point we would want to clean this up to have a single version of each in a .qll library somewhere.
| from StackVariable v, Expr def, JumpStmt b, BlockStmt bs, IfStmt is | ||
| where | ||
| allocationDefinition(v, def) and | ||
| (b instanceof BreakStmt or b instanceof ContinueStmt) and |
There was a problem hiding this comment.
Do you think we'd get good results if we included ReturnStmt as well?
| (bs.getChild(y) = is or bs.getChild(y).(IfStmt).getAChild*() = is) and | ||
| sameLoop(bs, is) and | ||
| (is.getAChild() = b or is.getThen().getAChild() = b) and | ||
| not is.getCondition().getAChild*() = v.getAnAccess() and |
There was a problem hiding this comment.
I think this line is redundant, given the line below.
| ) and | ||
| exists(int y | y in [i .. bs.getNumStmt() - 1] | | ||
| (bs.getChild(y) = is or bs.getChild(y).(IfStmt).getAChild*() = is) and | ||
| sameLoop(bs, is) and |
There was a problem hiding this comment.
Is checking sameLoop here redundant (given the previous line bs.getChild(y) = is or...)?
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
I've run the tests on this PR, and it looks like you need to autoformat the QL file. Let me know if you don't know how to do this. I also started an LGTM run to see what kinds of real world results we get from this query: https://lgtm.com/query/7023328987326235286/ . It looks like there are some good results, but sometimes a very large number of locations are reported. |
| is.getAChild() = b or | ||
| is.getThen().getAChild() = b or | ||
| is.getAChild() = rt or | ||
| is.getThen().getAChild() = rt |
Check warning
Code scanning / CodeQL
Var only used in one side of disjunct.
There was a problem hiding this comment.
Hi @Yonah125, please could you let us know if you intend to do any more work on this PR? I'm OK with merging this into experimental as it is - but there are some unaddressed comments, in particular the real world results that reference very large numbers of locations. I think this query would also benefit greatly from a good test (in cpp/ql/test/experimental).
cpp/ql/src/experimental/Critical/MemoryMayNotBeFreedOnLoop.qhelp
Outdated
Show resolved
Hide resolved
Yes I think you're right. Its looks promising but a little unfinished to me. But for merging into experimental that's OK, it can potentially be built upon in future. I've started the checks, will merge if they pass. |
| sameLoop(bs, is) and | ||
| ( | ||
| is.getAChild() = b or | ||
| is.getThen().getAChild() = b or |
There was a problem hiding this comment.
| is.getThen().getAChild() = b or | |
| is.getThen().getAChild() = b |
There was a problem hiding this comment.
Friendly ping @Yonah125 could you do these changes ?
This query finds memory that might no be freed in a loop.
For exemple :
A resultat was found in netcdf-c : Unidata/netcdf-c#2339
Supervised by @catenacyber