C++: Add implicit destructors for named variables to the IR

[rdmarsh2]

No description provided.

[MathiasVP]

Some initial comments. So far I've only looked at some of the .expected files. I think I'll delay looking at too many of the .qll changes until the conflicts with main has been resolved.

I think some of the consistency issues I've noted here would also be revealed by running the cpp/ql/test/library-tests/ir/ tests

[MathiasVP]

I don't think this is correct. a, b and c are all static locals. So their destructors should not be called at the end of the scope. Ideally, we should have some kind of new IRFunction that calls these destructors at the end of main, but let's leave that aside for now.

As a start, I think we should simply not emit these destructors for now.

[rdmarsh2]

Oh, good point. I missed that those were static when I was looking over the results.

[rdmarsh2]

Force-pushed to fix a merge conflict with #15461 and remove some commits from #15318

[MathiasVP]

This looks great, Robert! The unaliased SSA failures are still a mystery to me, but other than excluding destructor of static locals this is looking really good 🎉

The DCA run you started also looks promising. I took the liberty of starting a run that also run the IR consistency queries to make sure we're not adding too many new inconsistencies. Hopefully, the new inconsistencies are simply because we're generating more IR 🤞

[rdmarsh2]

Assuming you're referring to the points_to test, I think what's happening there is that the destructor calls are leading to all the variables in that test escaping, which then means their MemoryLocations become part of AllAliasedMemory, so the results for them get filtered out.

[MathiasVP]

Assuming you're referring to the points_to test, I think what's happening there is that the destructor calls are leading to all the variables in that test escaping, which then means their MemoryLocations become part of AllAliasedMemory, so the results for them get filtered out.

That makes sense. It sounds like we now need a side-effect/alias model for the destructor of a smart pointer, then. How about we add something like the following: https://gist.github.com/MathiasVP/a681b702be4ab46d45a9adaf034352c9 ?

[MathiasVP]

Here's a FIXME that we haven't resolved yet. What's the status of this one?

[rdmarsh2]

That class only exists to handle an (old?) extractor bug. I don't think it can ever have a destructor attached, and neither can the init list it's part of, so I think it's fine for getALastChild to have no results.

[MathiasVP]

Sounds good. Should we delete the FIXME comment then? And maybe convert it to an internal issue?

[MathiasVP]

Also a question: Do we not need to do anything in this PR with the destruction of static locals now that we know that they aren't handled properly in the extractor?

[MathiasVP]

I think we're almost good to go! I'll run a final DCA on this since there's been quite a lot of changes since the last run. After that, I think we should eyeball the new results to make sure they're destructor-related, but then I think we can merge this 🎉

[MathiasVP]

Did you check this? Because I was kinda hoping that you would 😂 I think we should just start a fresh DCA run on this PR, and if nothing stands out here we should just delete the TODO comment.

[MathiasVP]

Sounds good. Should we delete the FIXME comment then? And maybe convert it to an internal issue?

[MathiasVP]

I think we're almost good to go! I'll run a final DCA on this since there's been quite a lot of changes since the last run. After that, I think we should eyeball the new results to make sure they're destructor-related, but then I think we can merge this 🎉

DCA came back:

• No performance problems 🎉 So I think we should just delete the TODO that crept into f791b0e
• I think we should look at a small subset of the query results and confirm that these are related to the introduction of destructors and not some new bug in IR construction

[geoffw0]

I think we should look at a small subset of the query results and confirm that these are related to the introduction of destructors and not some new bug in IR construction

I've just had a look at a couple of the Samate result changes in the above DCA run:

• new result for cpp/path-injection on dsp-testing__samate-c-cpp: C/testcases/CWE23_Relative_Path_Traversal/s01/CWE23_Relative_Path_Traversal__char_connect_socket_ifstream_83_bad.cpp:124:32:124:36
  • this is a result in a "bad" case and appears to be a correct result.
  • this involves a class with a constructor that calls recv (the source) and writes the result into a member variable data; then the destructor of the same classes accesses data (at the sink).
  • the test creates an object of this class in a local variable. Presumably we were missing the fact that the destructor was called at all prior to this PR. 🎉
• new result for cpp/tainted-format-string on dsp-testing__samate-c-cpp: C/testcases/CWE789_Uncontrolled_Mem_Alloc/s01/CWE789_Uncontrolled_Mem_Alloc__new_char_connect_socket_83_bad.cpp:118:24:118:38
  • this is a result in a "bad" case and appears to be a correct result.
  • very similar to the previous case; the sink is different. 👍

So these both look good, and I'm pretty confident all of the other Samate test changes are explained by the same pattern (they appear to be all for cases labelled '83', which means they'll follow the same constructor-destructor pattern).

There are a handful of results on other projects besides Samate - someone should review a few of these as well.

[rdmarsh2]

Looked into a couple of those today (had a horrible time getting them to evaluate without hitting some sort of cache...) and looks like they're false positives related to an issue with successors of return statements. Shoudl have a fix tomorrow.

[MathiasVP]

The new changes makes sense, and it looks like this removed a bunch of seemingly DCA results. I did verify that the use-after-free results that were removed were instances of the successor issue that you fixed in 2494b7d.

I think I spotted one bug in your fix commit. I tried to run this example after this fix:

struct String
{
  String();
  ~String();
};

void VoidFunc();

void IfReturnDestructors(bool b) {
  String s;
  return VoidFunc();
}

but now I'm getting a bunch of duplication and an unexplained loop: https://gist.github.com/MathiasVP/7afa7176a7a4bf4750c8579a04855ec4

[jketema]

@rdmarsh2 it seems your cli is somewhat out-of-date, as your latest changes to the PrintAST output revert some stuff that was fixed.

I would also be sensible to re-run DCA on this, given that things were fixed.

[MathiasVP]

One small nit, but otherwise I'm happy with this as soon as we have a happy DCA run! (Although, the .expected files obviously need to be modified as per Jeroen's comment)

[MathiasVP]

I think we're good to go! 2 remaining things:

• We need to add a change note. I suggest making a library change note of category minorAnalysis.
• We should probably start a DCA run to test the impact of the last IR fix (Edit: I took the liberty of starting this one myself. I hope that's okay!)

[rdmarsh2]

There's one new alert in the DCA that looks like a false positive... It's a use-after-free involving a delete in a loop, but there's an unconditional break following the free. I'm not sure if it's a pre-existing CFG issue that's now being exposed or a new CFG issue.

[MathiasVP]

There's one new alert in the DCA that looks like a false positive... It's a use-after-free involving a delete in a loop, but there's an unconditional break following the free. I'm not sure if it's a pre-existing CFG issue that's now being exposed or a new CFG issue.

I'm not too concerned about one new FP result amidst all the new TPs we're seeing on Samate (which Geoffrey looked at earlier). So if you investigated this one and concluded that it's a FP then I think this is good enough, and we should create an issue for why this happens as a follow-up.

[MathiasVP]

LGTM!