@@ -24,7 +24,8 @@ predicate mayCallFunction(Expr call, Function f) {
2424
2525predicate allocCallOrIndirect(Expr e) {
2626 // direct alloc call
27- isAllocationExpr(e) and
27+ e.(AllocationExpr).requiresDealloc() and
28+ not exists(e.(NewOrNewArrayExpr).getPlacementPointer()) and
2829 // We are only interested in alloc calls that are
2930 // actually freed somehow, as MemoryNeverFreed
3031 // will catch those that aren't.
@@ -53,8 +54,7 @@ predicate allocCallOrIndirect(Expr e) {
5354 * can cause memory leaks.
5455 */
5556predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode verified) {
56- reallocCall.getTarget().hasGlobalOrStdName("realloc") and
57- reallocCall.getArgument(0) = v.getAnAccess() and
57+ reallocCall.(AllocationExpr).getReallocPtr() = v.getAnAccess() and
5858 (
5959 exists(Variable newV, ControlFlowNode node |
6060 // a realloc followed by a null check at 'node' (return the non-null
@@ -71,23 +71,19 @@ predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode
7171 or
7272 // a realloc(ptr, 0), which always succeeds and frees
7373 // (return the realloc itself)
74- reallocCall.getArgument(1 ).getValue() = "0" and
74+ reallocCall.(AllocationExpr).getReallocPtr( ).getValue() = "0" and
7575 verified = reallocCall
7676 )
7777}
7878
7979predicate freeCallOrIndirect(ControlFlowNode n, Variable v) {
8080 // direct free call
81- freeCall(n, v.getAnAccess() ) and
82- not n.(FunctionCall).getTarget().hasGlobalOrStdName("realloc" )
81+ n.(DeallocationExpr).getFreedExpr() = v.getAnAccess() and
82+ not exists( n.(AllocationExpr).getReallocPtr() )
8383 or
8484 // verified realloc call
8585 verifiedRealloc(_, v, n)
8686 or
87- n.(DeleteExpr).getExpr() = v.getAnAccess()
88- or
89- n.(DeleteArrayExpr).getExpr() = v.getAnAccess()
90- or
9187 exists(FunctionCall midcall, Function mid, int arg |
9288 // indirect free call
9389 n.(Call).getArgument(arg) = v.getAnAccess() and
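Review bot: In `verifiedRealloc`, the rewritten `realloc(ptr, 0)` branch tests the pointer instead of the size: the removed line compared `getArgument(1)` with "0", while the new one uses `getReallocPtr().getValue() = "0"`, the same expression the head of the predicate binds to `v.getAnAccess()`. As written, the branch can only hold when the variable access itself has the constant value 0, so a zero-size realloc is presumably no longer treated as a free and would be reported as a possible leak. If `AllocationExpr.getSizeExpr()` models realloc's size argument here, the line should read `reallocCall.(AllocationExpr).getSizeExpr().getValue() = "0" and`. A query test containing `realloc(p, 0)` would pin the intended behaviour. The middle of the predicate lies between the two hunks and is not visible here.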