Merge pull request #18309 from github/calumgrant/bmn/return-stack-allocated-memory

C++: Fix FPs to cpp/return-stack-allocated-memory

Author: calumgrant

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -92,6 +92,8 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
     or
     node2.(PointerOffsetInstruction).getLeftOperand() = node1
   }
+
+  override predicate isBarrier(Instruction n) { n.getResultType() instanceof ErroneousType }
 }
 
 from

cpp/ql/src/change-notes/2024-12-18-return-stack-allocated-memory.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Returning stack-allocated memory" query (`cpp/return-stack-allocated-memory`) no longer produces results if there is an extraction error in the returned expression.

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp

@@ -248,4 +248,5 @@ char* test_strdupa(const char* s) {
 void* test_strndupa(const char* s, size_t size) {
 	char* s2 = strndupa(s, size);
 	return s2; // BAD
-}
+}
+

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test_errors.cpp

@@ -0,0 +1,16 @@
+// semmle-extractor-options: --expect_errors
+
+UNKNOWN_TYPE test_error_value() {
+	UNKNOWN_TYPE x;
+	return x; // GOOD: Error return type
+}
+
+void* test_error_pointer() {
+	UNKNOWN_TYPE x;
+	return &x; // BAD [FALSE NEGATIVE]
+}
+
+int* test_error_pointer_member() {
+	UNKNOWN_TYPE x;
+	return &x.y; // BAD [FALSE NEGATIVE]
+}