Merge pull request #1585 from rdmarsh2/rdmarsh/cpp/hasGlobalOrStdName

C++: add Declaration.hasGlobalOrStdName()

Author: Dave Bartolomeo

change-notes/1.23/analysis-cpp.md

@@ -53,6 +53,8 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
   clarity (e.g. `isOutReturnPointer()` to `isReturnValueDeref()`). The existing member predicates
   have been deprecated, and will be removed in a future release. Code that uses the old member
   predicates should be updated to use the corresponding new member predicate.
+* The predicates `Declaration.hasStdName()` and `Declaration.hasGlobalOrStdName`
+  have been added, simplifying handling of C++ standard library functions.
 * The control-flow graph is now computed in QL, not in the extractor. This can
   lead to regressions (or improvements) in how queries are optimized because
   optimization in QL relies on static size estimates, and the control-flow edge

cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql

@@ -13,7 +13,7 @@ import semmle.code.cpp.pointsto.PointsTo
 import Negativity
 
 predicate closeCall(FunctionCall fc, Variable v) {
-  fc.getTarget().hasGlobalName("close") and v.getAnAccess() = fc.getArgument(0)
+  fc.getTarget().hasGlobalOrStdName("close") and v.getAnAccess() = fc.getArgument(0)
   or
   exists(FunctionCall midcall, Function mid, int arg |
     fc.getArgument(arg) = v.getAnAccess() and

cpp/ql/src/Critical/DescriptorNeverClosed.ql

@@ -13,7 +13,7 @@ import semmle.code.cpp.pointsto.PointsTo
 
 predicate closed(Expr e) {
   exists(FunctionCall fc |
-    fc.getTarget().hasGlobalName("close") and
+    fc.getTarget().hasGlobalOrStdName("close") and
     fc.getArgument(0) = e
   )
 }

cpp/ql/src/Critical/MemoryMayNotBeFreed.ql

@@ -53,7 +53,7 @@ predicate allocCallOrIndirect(Expr e) {
  * can cause memory leaks.
  */
 predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode verified) {
-  reallocCall.getTarget().hasGlobalName("realloc") and
+  reallocCall.getTarget().hasGlobalOrStdName("realloc") and
   reallocCall.getArgument(0) = v.getAnAccess() and
   (
     exists(Variable newV, ControlFlowNode node |
@@ -79,7 +79,7 @@ predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode
 predicate freeCallOrIndirect(ControlFlowNode n, Variable v) {
   // direct free call
   freeCall(n, v.getAnAccess()) and
-  not n.(FunctionCall).getTarget().hasGlobalName("realloc")
+  not n.(FunctionCall).getTarget().hasGlobalOrStdName("realloc")
   or
   // verified realloc call
   verifiedRealloc(_, v, n)

cpp/ql/src/Critical/OverflowCalculated.ql

@@ -13,10 +13,7 @@
 import cpp
 
 class MallocCall extends FunctionCall {
-  MallocCall() {
-    this.getTarget().hasGlobalName("malloc") or
-    this.getTarget().hasQualifiedName("std", "malloc")
-  }
+  MallocCall() { this.getTarget().hasGlobalOrStdName("malloc") }
 
   Expr getAllocatedSize() {
     if this.getArgument(0) instanceof VariableAccess
@@ -36,12 +33,12 @@ predicate spaceProblem(FunctionCall append, string msg) {
     malloc.getAllocatedSize() = add and
     buffer.getAnAccess() = strlen.getStringExpr() and
     (
-      insert.getTarget().hasGlobalName("strcpy") or
-      insert.getTarget().hasGlobalName("strncpy")
+      insert.getTarget().hasGlobalOrStdName("strcpy") or
+      insert.getTarget().hasGlobalOrStdName("strncpy")
     ) and
     (
-      append.getTarget().hasGlobalName("strcat") or
-      append.getTarget().hasGlobalName("strncat")
+      append.getTarget().hasGlobalOrStdName("strcat") or
+      append.getTarget().hasGlobalOrStdName("strncat")
     ) and
     malloc.getASuccessor+() = insert and
     insert.getArgument(1) = buffer.getAnAccess() and

cpp/ql/src/Critical/OverflowDestination.ql

@@ -25,7 +25,7 @@ import semmle.code.cpp.security.TaintTracking
 predicate sourceSized(FunctionCall fc, Expr src) {
   exists(string name |
     (name = "strncpy" or name = "strncat" or name = "memcpy" or name = "memmove") and
-    fc.getTarget().hasGlobalName(name)
+    fc.getTarget().hasGlobalOrStdName(name)
   ) and
   exists(Expr dest, Expr size, Variable v |
     fc.getArgument(0) = dest and

cpp/ql/src/Critical/OverflowStatic.ql

@@ -60,19 +60,19 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
 predicate bufferAndSizeFunction(Function f, int buf, int size) {
   f.hasGlobalName("read") and buf = 1 and size = 2
   or
-  f.hasGlobalName("fgets") and buf = 0 and size = 1
+  f.hasGlobalOrStdName("fgets") and buf = 0 and size = 1
   or
-  f.hasGlobalName("strncpy") and buf = 0 and size = 2
+  f.hasGlobalOrStdName("strncpy") and buf = 0 and size = 2
   or
-  f.hasGlobalName("strncat") and buf = 0 and size = 2
+  f.hasGlobalOrStdName("strncat") and buf = 0 and size = 2
   or
-  f.hasGlobalName("memcpy") and buf = 0 and size = 2
+  f.hasGlobalOrStdName("memcpy") and buf = 0 and size = 2
   or
-  f.hasGlobalName("memmove") and buf = 0 and size = 2
+  f.hasGlobalOrStdName("memmove") and buf = 0 and size = 2
   or
-  f.hasGlobalName("snprintf") and buf = 0 and size = 1
+  f.hasGlobalOrStdName("snprintf") and buf = 0 and size = 1
   or
-  f.hasGlobalName("vsnprintf") and buf = 0 and size = 1
+  f.hasGlobalOrStdName("vsnprintf") and buf = 0 and size = 1
 }
 
 class CallWithBufferSize extends FunctionCall {

cpp/ql/src/Critical/SizeCheck.ql

@@ -17,12 +17,12 @@ import cpp
 class Allocation extends FunctionCall {
   Allocation() {
     exists(string name |
-      this.getTarget().hasGlobalName(name) and
+      this.getTarget().hasGlobalOrStdName(name) and
       (name = "malloc" or name = "calloc" or name = "realloc")
     )
   }
 
-  private string getName() { this.getTarget().hasGlobalName(result) }
+  private string getName() { this.getTarget().hasGlobalOrStdName(result) }
 
   int getSize() {
     this.getName() = "malloc" and

cpp/ql/src/Critical/SizeCheck2.ql

@@ -17,12 +17,12 @@ import cpp
 class Allocation extends FunctionCall {
   Allocation() {
     exists(string name |
-      this.getTarget().hasGlobalName(name) and
+      this.getTarget().hasGlobalOrStdName(name) and
       (name = "malloc" or name = "calloc" or name = "realloc")
     )
   }
 
-  private string getName() { this.getTarget().hasGlobalName(result) }
+  private string getName() { this.getTarget().hasGlobalOrStdName(result) }
 
   int getSize() {
     this.getName() = "malloc" and

cpp/ql/src/Critical/UseAfterFree.ql

@@ -16,7 +16,7 @@ import semmle.code.cpp.controlflow.LocalScopeVariableReachability
 predicate isFreeExpr(Expr e, LocalScopeVariable v) {
   exists(VariableAccess va | va.getTarget() = v |
     exists(FunctionCall fc | fc = e |
-      fc.getTarget().hasGlobalName("free") and
+      fc.getTarget().hasGlobalOrStdName("free") and
       va = fc.getArgument(0)
     )
     or