review fixes

Author: jsinglet

c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql

@@ -44,48 +44,32 @@ class TssCreateToTssDeleteDataFlowConfiguration extends DataFlow::Configuration
   }
 }
 
-class TssCreateToFreeDataFlowConfiguration extends DataFlow::Configuration {
-  TssCreateToFreeDataFlowConfiguration() { this = "TssCreateToFreeDataFlowConfiguration" }
-
-  override predicate isSource(DataFlow::Node node) {
-    exists(TSSCreateFunctionCall tsc, Expr e |
-      // the only requirement of the source is that at some point
-      // it refers to the key of a create statement
-      e.getParent*() = tsc.getKey() and
-      (e = node.asDefiningArgument() or e = node.asExpr())
-    )
-  }
-
-  override predicate isSink(DataFlow::Node node) {
-    exists(TSSGetFunctionCall tsg, FreeFunctionCall ffc, Expr e |
-      // the only requirement of a sink is that at some point
-      // it references the key of a delete call.
-      e.getParent*() = tsg.getKey() and
-      (e = node.asDefiningArgument() or e = node.asExpr()) and
-      ffc.getArgument(0) = tsg
-    )
-  }
-}
-
-from TSSCreateFunctionCall tcc
+from TSSCreateFunctionCall tcfc
 where
-  not isExcluded(tcc, Concurrency4Package::cleanUpThreadSpecificStorageQuery()) and
-  if tcc.hasDeallocator()
-  then
-    // if they specify a deallocator the memory must be freed with a call to
-    // tss_delete(key), which implies that there is dataflow from the create call
-    // to the delete call
-    not exists(TssCreateToTssDeleteDataFlowConfiguration config |
-      config.hasFlow(DataFlow::definitionByReferenceNodeFromArgument(tcc.getKey()), _)
+  not isExcluded(tcfc, Concurrency4Package::cleanUpThreadSpecificStorageQuery()) and
+  // all calls to `tss_create` must be bookended by calls to tss_delete
+  // even if a thread is not created.
+  not exists(TssCreateToTssDeleteDataFlowConfiguration config |
+    config.hasFlow(DataFlow::definitionByReferenceNodeFromArgument(tcfc.getKey()), _)
+    or
+    config.hasFlow(DataFlow::exprNode(tcfc.getKey()), _)
+  )
+  or
+  // if a thread is created, we must check additional items
+  exists(C11ThreadCreateCall tcc |
+    tcfc.getASuccessor*() = tcc and
+    if tcfc.hasDeallocator()
+    then
+      // if they specify a deallocator, they must wait for this thread to finish, otherwise
+      // automatic calls to the deallocator will not work.
+      not exists(ThreadWait tw | tcc.getASuccessor*() = tw)
       or
-      config.hasFlow(DataFlow::exprNode(tcc.getKey()), _)
-    )
-  else
-    // otherwise, they are required to call some kind of free on the result of
-    // a key which has dataflow of the form tss_create -> tss_get -> free.
-    not exists(TssCreateToFreeDataFlowConfiguration config |
-      config.hasFlow(DataFlow::definitionByReferenceNodeFromArgument(tcc.getKey()), _)
-      or
-      config.hasFlow(DataFlow::exprNode(tcc.getKey()), _)
-    )
-select tcc
+      // freeing memory twice can lead to errors; because of this we report cases
+      // where a deallocator is specified but free is called explicitly.
+      getAThreadSpecificStorageDeallocationCall(tcc, _)
+    else
+      // otherwise, we require that the thread that gets called calls a free like
+      // function with the argument of a `tss_get` call.
+      not getAThreadSpecificStorageDeallocationCall(tcc, _)
+  )
+select tcfc, "Resources used by thread specific storage may not be cleaned up."

c/cert/src/rules/CON34-C/AppropriateThreadObjectStorageDurations.ql

@@ -17,10 +17,7 @@ import codingstandards.c.cert
 import codingstandards.cpp.Concurrency
 import semmle.code.cpp.dataflow.TaintTracking
 import semmle.code.cpp.dataflow.DataFlow
-
-class MallocFunctionCall extends FunctionCall {
-  MallocFunctionCall() { getTarget().getName() = "malloc" }
-}
+import semmle.code.cpp.commons.Alloc
 
 from C11ThreadCreateCall tcc, StackVariable sv, Expr arg, Expr acc
 where
@@ -29,11 +26,11 @@ where
   sv.getAnAccess() = acc and
   // a stack variable that is given as an argument to a thread
   TaintTracking::localTaint(DataFlow::exprNode(acc), DataFlow::exprNode(arg)) and
-  // it's either not static
-  not sv.isStatic() and
   // or isn't one of the allowed usage patterns
-  not exists(MallocFunctionCall mfc |
-    sv.getAnAssignedValue() = mfc and acc.getAPredecessor*() = mfc
+  not exists(Expr mfc |
+    isAllocationExpr(mfc) and
+    sv.getAnAssignedValue() = mfc and
+    acc.getAPredecessor*() = mfc
   ) and
   not exists(TSSGetFunctionCall tsg, TSSSetFunctionCall tss, DataFlow::Node src |
     sv.getAnAssignedValue() = tsg and

c/cert/test/rules/CON30-C/CleanUpThreadSpecificStorage.expected

@@ -1,12 +1,11 @@
-| main.c:27:3:27:12 | call to tss_create |
-| main.c:33:3:33:12 | call to tss_create |
-| main.c:40:3:40:12 | call to tss_create |
-| main.c:62:3:62:12 | call to tss_create |
-| main.c:66:3:66:12 | call to tss_create |
-| main.c:70:3:70:12 | call to tss_create |
-| main.c:74:3:74:12 | call to tss_create |
-| main.c:78:3:78:12 | call to tss_create |
-| main.c:82:3:82:12 | call to tss_create |
-| main.c:86:3:86:12 | call to tss_create |
-| main.c:91:3:91:12 | call to tss_create |
-| main.c:96:3:96:12 | call to tss_create |
+| main.c:27:3:27:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. |
+| main.c:49:3:49:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. |
+| main.c:71:3:71:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. |
+| main.c:87:3:87:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. |
+| main.c:95:3:95:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. |
+| main.c:135:3:135:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. |
+| main.c:139:3:139:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. |
+| main.c:143:3:143:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. |
+| main.c:147:3:147:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. |
+| main.c:151:3:151:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. |
+| main.c:155:3:155:12 | call to tss_create | Resources used by thread specific storage may not be cleaned up. |

c/cert/test/rules/CON30-C/main.c

@@ -4,95 +4,153 @@
 
 static tss_t k;
 
-void do_free(void *d) { free(d); }
+void t1(void *data) {}
+void t2(void *data) { free(tss_get(k)); }
+void t3(void *data) {
+  void *p = tss_get(k);
+  free(p);
+}
 
+void do_free(void *d) { free(d); }
 void maybe_free(void *d) {}
 
 void m1() {
+  thrd_t id;
   tss_create(&k, free); // COMPLIANT
+  thrd_create(&id, t1, NULL);
+  thrd_join(id, NULL);
+  tss_delete(k);
+}
+
+void m1a() {
+  thrd_t id;
+  tss_create(&k, free); // NON_COMPLIANT - Doesn't wait for thread to cleanup
+                        // resources; if tss_delete is called prior to thread
+                        // termination the destructor won't be called.
+  thrd_create(&id, t1, NULL);
+  tss_delete(k);
+}
+
+void m1b() {
+  tss_create(&k, free); // COMPLIANT - No threads created.
   tss_delete(k);
 }
 
 void m2() {
+  thrd_t id;
   tss_create(&k, do_free); // COMPLIANT
+  thrd_create(&id, t1, NULL);
+  thrd_join(id, NULL);
+  tss_delete(k);
+}
+
+void m2a() {
+  thrd_t id;
+  tss_create(&k, do_free); // NON_COMPLIANT - Doesn't wait for thread to cleanup
+                           // resources; if tss_delete is called prior to thread
+                           // termination the destructor won't be called.
+  thrd_create(&id, t1, NULL);
+  tss_delete(k);
+}
+
+void m2b() {
+  tss_create(&k, do_free); // COMPLIANT - No threads created.
   tss_delete(k);
 }
 
 void m3() {
+  thrd_t id;
   tss_create(&k, maybe_free); // COMPLIANT
+  thrd_create(&id, t1, NULL);
+  thrd_join(id, NULL);
   tss_delete(k);
 }
 
-void m1a() {
-  tss_create(&k, free); // NON_COMPLIANT - The memory is deallocated, but the
-                        // usage pattern is non-standard and may lead to errors.
-  free(tss_get(k));
+void m3a() {
+  thrd_t id;
+  tss_create(&k,
+             maybe_free); // NON_COMPLIANT - Doesn't wait for thread to cleanup
+                          // resources; if tss_delete is called prior to thread
+                          // termination the destructor won't be called.
+  thrd_create(&id, t1, NULL);
+  tss_delete(k);
 }
 
-void m2a() {
-  tss_create(&k,
-             do_free); // NON_COMPLIANT - The memory is deallocated, but the
-                       // usage pattern is non-standard and may lead to errors.
-  free(tss_get(k));
+void m3b() {
+  tss_create(&k, maybe_free); // COMPLIANT - No threads created.
+  tss_delete(k);
 }
 
-void m3a() {
-  tss_create(
-      &k, maybe_free); // NON_COMPLIANT - The memory is deallocated, but the
-                       // usage pattern is non-standard and may lead to errors.
-  free(tss_get(k));
+void m4() {
+  thrd_t id;
+
+  tss_create(&k, free); // NON_COMPLIANT - The memory is deallocated, but the
+                        // usage pattern is non-standard and may lead to errors.
+  thrd_create(&id, t2, NULL);
+  thrd_join(id, NULL);
+  tss_delete(k);
 }
 
-void m1b() {
-  tss_create(&k, NULL); // COMPLIANT
-  free(tss_get(k));
+void m5() {
+  tss_create(&k, NULL); // NON_COMPLIANT - `tss_delete` should be called.
 }
 
-void m2b() {
+void m5a() {
+  thrd_t id;
+
   tss_create(&k, NULL); // COMPLIANT
-  free(tss_get(k));
+  thrd_create(&id, t2, NULL);
+  thrd_join(id, NULL);
+  tss_delete(k);
 }
 
-void m3b() {
+void m5aa() {
+  thrd_t id;
+
   tss_create(&k, NULL); // COMPLIANT
-  free(tss_get(k));
+  thrd_create(&id, t3, NULL);
+  thrd_join(id, NULL);
+  tss_delete(k);
 }
 
-void m4() {
-  tss_create(&k, free); // NON_COMPLIANT
-}
+void m5b() {
+  thrd_t id;
 
-void m5() {
-  tss_create(&k, do_free); // NON_COMPLIANT
+  tss_create(&k, NULL); // COMPLIANT - Cleanup can happen before OR after
+                        // `tss_delete` is called; so there is no need to wait.
+  thrd_create(&id, t2, NULL);
+  tss_delete(k);
 }
 
-void m6() {
-  tss_create(&k, maybe_free); // NON_COMPLIANT
+void m5bb() {
+  thrd_t id;
+
+  tss_create(&k, NULL); // COMPLIANT - Cleanup can happen before OR after
+                        // `tss_delete` is called; so there is no need to wait.
+  thrd_create(&id, t3, NULL);
+  tss_delete(k);
 }
 
-void m4a() {
-  tss_create(&k, NULL); // NON_COMPLIANT
+void m6() {
+  tss_create(&k, free); // NON_COMPLIANT
 }
 
-void m5a() {
-  tss_create(&k, NULL); // NON_COMPLIANT
+void m7() {
+  tss_create(&k, do_free); // NON_COMPLIANT
 }
 
-void m6a() {
-  tss_create(&k, NULL); // NON_COMPLIANT
+void m8() {
+  tss_create(&k, maybe_free); // NON_COMPLIANT
 }
 
-void m4b() {
+void m9() {
   tss_create(&k, NULL); // NON_COMPLIANT
-  tss_delete(k);
 }
 
-void m5b() {
+void m10() {
   tss_create(&k, NULL); // NON_COMPLIANT
-  tss_delete(k);
 }
 
-void m6b() {
+void m11() {
   tss_create(&k, NULL); // NON_COMPLIANT
-  tss_delete(k);
 }

c/cert/test/rules/CON34-C/main.c

@@ -42,7 +42,7 @@ void m3() {
 
 void m4() {
   thrd_t id;
-  int *value = (int *)malloc(sizeof(int));
+  int *value = (int *)realloc(NULL, sizeof(int)); 
 
   thrd_create(&id, t1, value); // COMPLIANT
 

cpp/common/src/codingstandards/cpp/Concurrency.qll

@@ -851,3 +851,14 @@ class TSSCreateFunctionCall extends ThreadSpecificStorageFunctionCall {
 class TSSDeleteFunctionCall extends ThreadSpecificStorageFunctionCall {
   TSSDeleteFunctionCall() { getTarget().getName() = "tss_delete" }
 }
+
+/**
+ * Gets a call to `DeallocationExpr` that deallocates memory owned by thread specific
+ * storage.
+ */
+predicate getAThreadSpecificStorageDeallocationCall(C11ThreadCreateCall tcc, DeallocationExpr dexp) {
+  exists(TSSGetFunctionCall tsg |
+    tcc.getFunction().getEntryPoint().getASuccessor*() = tsg and
+    DataFlow::localFlow(DataFlow::exprNode(tsg), DataFlow::exprNode(dexp.getFreedExpr()))
+  )
+}

rule_packages/c/Concurrency4.json

@@ -52,7 +52,7 @@
           "severity": "error",
           "short_name": "ThreadObjectStorageDurationsNotInitialized",
           "tags": [
-            "external/autosar/audit",
+            "external/cert/audit",
             "correctness",
             "concurrency"            
           ]