securitylab/CodeQL_Queries/cpp/Chrome/object_lifetime/obj_lifetime.qll at patch-1 · anticomputer/securitylab · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
import cpp
import pointers.managed_ptr

/**
 * Long live classes, e.g. Singleton, classes owned by BrowserLoop etc.
 */

class OwnedByBrowserContext extends Class {
  OwnedByBrowserContext() {
    this.getName() = "VideoDecodePerfHistory" or
    this.getName() = "ServiceInstanceGroupHolder" or
    this.getName() = "BrowserContextServiceManagerConnectionHolder" or
    this.getName() = "ContentServiceDelegateHolder" or
    this.getName() = "FileServiceHolder" or
    this.getName() = "PermissionControllerImpl" or
    this.getName() = "BrowsingDataRemoverImpl" or
    this.getName() = "StoragePartitionImplMap" or
    this.getName() = "DownloadManager" or
    this.getName() = "BrowsingDataRemover" or
    this.getName() = "PermissionController"
  }
}

class Singleton extends Type {
  Singleton() {
    this.hasName("MediaInternals") or
    hasName("NetworkConnectionTracker") or
    hasName("ChildProcessSecurityPolicyImpl") or
    hasName("MprisService") or
    hasName("PluginServiceFilter") or
    hasName("TickClock") or
    exists(Class c | c.getName().matches("Singleton<%") and
      this = c.getTemplateArgument(0)
    ) or
    exists(Variable v | v.isStatic() and
      v.getType().getName().matches("NoDestructor<%") and
      v.getType().(Class).getTemplateArgument(0) = this and
      not this.getName().matches("vector<%") and
      not this.getName().matches("atomic<%") and
      not this.getName().matches("set<%") and
      not this.getName().matches("basic_string<%") and
      not this.getName().matches("map<%") and
      not this.getName().matches("CallbackList<%") and
      not this.getName().matches("RepeatingCallback<%") and
      not this.getName().matches("OnceCallback<%") and
      not this.getName().matches("unique_ptr<%") and
      not this.getName().matches("scoped_refptr<%") and
      not this.getName().matches("WeakPtr<%") and
      not this.getName().matches("ThreadLocalPointer<%") and
      not this.getName().matches("ReceiverSetBase<%") and
      not this.getName().matches("SequenceLocalStorageSlot<%")
    )
  }
}

/**
 * Types that are owned by browser main loop. These types are usually long lived.
 */
class OwnedByBrowserMainLoop extends Class {
  OwnedByBrowserMainLoop() {
    exists(GeneralManagedField f | f.getManagedType() = this and
      f.getDeclaringType().hasName("BrowserMainLoop")
    ) or
    getName() = "UserInputMonitor" or
    getName() = "UserInputMonitorBase" or
    getName() = "BrowserGpuChannelHostFactory"
  }
}