Skip to content

CPP: Handle 'realloc' better in MemoryMayNotBeFreed.ql#114

Merged
jbj merged 2 commits into
github:rc/1.18from
geoffw0:samate-realloc
Sep 5, 2018
Merged

CPP: Handle 'realloc' better in MemoryMayNotBeFreed.ql#114
jbj merged 2 commits into
github:rc/1.18from
geoffw0:samate-realloc

Conversation

@geoffw0
Copy link
Copy Markdown
Contributor

@geoffw0 geoffw0 commented Aug 29, 2018

The MemoryMayNotBeFreed.ql query normally considers a realloc to be both an alloc, and a free of the old pointer. A subtlety is that if realloc fails and returns NULL it does not free the old pointer. To account for this the query considers the free of the old pointer to occur only if and when the return value is checked:

ptr_b = realloc(ptr_a, new_size);
if (ptr_b == 0)
{
  // handle failure (perhaps with an explicit free(ptr_a))
} else {
  // the realloc is considered to free ptr_a here
}

This works well up until we assign to the same variable:

ptr_a = realloc(ptr_a, new_size);
if (ptr_a == 0)
{
  // handle failure (which might be a bit awkward since we've just overwritten ptr_a)
} else {
  // the realloc is considered to free ptr_a here
}

Because now we get confused by the old vs new ptr_a and think the new allocation is being freed.

The ideal solution is probably to upgrade this query to use something like DataFlow rather than LocalScopeVariableReachability (I've created a JIRA ticket for this).

However, we need a quick fix because it's causing a regression on version 1.3 of the samate test-suite compared to the results we had on version 1.2. The workaround is not to consider this particular pattern on realloc as to be a free at all.

@geoffw0 geoffw0 added the C++ label Aug 29, 2018
jbj
jbj previously approved these changes Aug 30, 2018
View reviewed changes
@jbj jbj added the depends on internal PR This PR should only be merged in sync with an internal Semmle PR label Aug 30, 2018
@geoffw0 geoffw0 force-pushed the samate-realloc branch 3 times, most recently from 3a220f5 to f44d708 Compare August 30, 2018 14:08
@jbj jbj added this to the 1.18 milestone Sep 4, 2018
@jbj jbj changed the base branch from master to rc/1.18 September 4, 2018 09:06
@jbj
Copy link
Copy Markdown
Contributor

jbj commented Sep 4, 2018

@geoffw0 this is for 1.18, right? I've put the 1.18 milestone on it, and I've retargeted the PR to the rc/1.18 branch.

@jbj
Copy link
Copy Markdown
Contributor

jbj commented Sep 4, 2018

I think my retargeting of the PR and my triggering of Language-Tests/CPP got a bit racy and that Jenkins is now testing rc/1.18 of our internal repo with a submodule that's based on this PR merged into this repo's master. But that should be close enough that I'll accept the results.

@geoffw0
Copy link
Copy Markdown
Contributor Author

geoffw0 commented Sep 4, 2018

@geoffw0 this is for 1.18, right?

I had been hoping so, yes.

@jbj
Copy link
Copy Markdown
Contributor

jbj commented Sep 4, 2018

The test failed because (I think) this repo's master is broken (contains d4f9b5e). I'll try to confirm on some other PRs that this repo's rc/1.18 is okay.

@jbj
Copy link
Copy Markdown
Contributor

jbj commented Sep 5, 2018

The only test failures now are the ones that will be fixed by the internal PR, so I'm merging both now.

@jbj jbj merged commit 1bcae97 into github:rc/1.18 Sep 5, 2018
@jbj jbj mentioned this pull request Sep 6, 2018
Merged
aibaars added a commit that referenced this pull request Oct 14, 2021
@aibaars
Merge pull request #114 from github/aibaars/fix-scopes
bc55fa8 
Correct the scope of class/method names etc.
smowton pushed a commit to smowton/codeql that referenced this pull request Dec 6, 2021
@igfoo
Merge pull request github#114 from github/smowton/cleanup/merge-short…
c71b317 
…names-and-usetype

Merge shortName recursion into useType
erik-krogh pushed a commit to erik-krogh/ql that referenced this pull request Dec 15, 2021
@tausbn
Merge pull request github#114 from github/erik-krogh/consistency
fed640b 
fix the signature of regexpCapture and regexpFind
erik-krogh pushed a commit to erik-krogh/ql that referenced this pull request Dec 15, 2021
@tausbn
QL: Merge pull request github#114 from github/erik-krogh/consistency
2352cf7 
fix the signature of regexpCapture and regexpFind
MathiasVP added a commit to MathiasVP/ql that referenced this pull request Aug 10, 2025
@MathiasVP
Merge pull request github#114 from microsoft/powershell-flow-into-this
7e66dc3 
PS: Support flow through `this`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jbj jbj jbj approved these changes

Assignees

No one assigned

Labels

C++ depends on internal PR This PR should only be merged in sync with an internal Semmle PR documentation

Projects

None yet

Milestone

1.18

Development

Successfully merging this pull request may close these issues.

3 participants

@geoffw0 @jbj @felicitymay