import cpp
import callbacks
/**
* Models various mechanisms in Chrome that are used for managing object lifetime.
*/
/**
 * A map-typed field whose key is a raw pointer and whose value is a managed
 * pointer (`ManagedPtr`) to the same underlying type.
 *
 * Heuristic: the managed value is usually what keeps the key's pointee alive,
 * so a raw-pointer key in such a map is usually not a dangling-pointer risk.
 * Only the types of the two map components are checked, not how the map is
 * used, so this is an allow-list heuristic rather than a proof of safety.
 */
class ManagedKeyValueField extends MapField {
  ManagedKeyValueField() {
    exists(MapType mapType, PointerType key, ManagedPtr value |
      mapType = this.getType() and
      key = mapType.getComponentTypeAt(0) and
      value = mapType.getComponentTypeAt(1) and
      // The key must point at exactly the type the managed value owns
      // (`stripType()` is expected to drop the pointer and any qualifiers or
      // typedefs — confirm against the cpp library if in doubt).
      value.getManagedType() = key.stripType()
    )
  }
}
/**
 * Holds if some destructor of the type that `f` points at (or of a class
 * deriving from it) can reach a cleanup of the raw pointer field `f`. This is
 * `destructorCleanup` with the destructor and the cleanup expression hidden;
 * see that predicate for the exact condition.
 */
predicate cleanupInDestructor(GeneralPointerField f) {
  destructorCleanup(f, _, _)
}
/**
 * Holds if executing destructor `d` can reach the cleanup expression `fa` of
 * the pointer field `f`.
 *
 * `d` must be a destructor of the type given by `f.getPointerType()` or of a
 * class deriving from it (`getABaseClass*()` includes the class itself), `fa`
 * must be one of `f.getACleanup()`, and the function enclosing `fa` must be in
 * the reflexive-transitive closure of `reach` from `d`. `reach` comes from
 * `callbacks` and is presumably a call-graph relation; the reflexive part
 * covers a cleanup written directly in the destructor body — confirm against
 * `callbacks.qll`.
 */
predicate destructorCleanup(GeneralPointerField f, Destructor d, Expr fa) {
  exists(Class owner |
    owner = d.getDeclaringType() and
    f.getPointerType() = owner.getABaseClass*()
  ) and
  fa = f.getACleanup() and
  reach*(d, fa.getEnclosingFunction())
}
/**
 * An instantiation of the `FrameServiceBase<...>` class template. In Chrome a
 * `FrameServiceBase` observes the lifetime of its `RenderFrameHostImpl`, so a
 * raw `rfh` pointer held by the wrapped service is usually not a dangling-pointer
 * risk. Matching is by name prefix only.
 */
class FrameServiceBase extends ClassTemplateInstantiation {
  FrameServiceBase() {
    exists(string name |
      name = this.getName() and
      name.matches("FrameServiceBase<%")
    )
  }

  /** Gets the service type, i.e. the first template argument. */
  Type getService() {
    result = this.getTemplateArgument(0)
  }
}
/**
 * Holds if `f` is the `render_frame_host_` field of a class that is used as the
 * service type of some `FrameServiceBase` instantiation, and is therefore
 * assumed to be protected by that lifetime observer. Only the field name and
 * the declaring type are checked; a differently named pointer to the same
 * frame host in such a class is not covered.
 */
predicate frameServiceBaseProtected(Field f) {
  f.getDeclaringType() = any(FrameServiceBase fsb).getService() and
  f.hasName("render_frame_host_")
}
/**
 * Holds if `e` is not inside a constructor of class `c`. This and the
 * following few predicates are useful to see if a managed pointer reset is
 * inside a constructor/destructor etc., which usually makes it ok.
 *
 * Only constructors declared by `c` itself count: `getDeclaringType()` is
 * compared with `c` directly, so a constructor of a derived class does not.
 * NOTE(review): an expression in a lambda body written inside the constructor
 * presumably has the lambda's own function as its enclosing function and so
 * satisfies this predicate — confirm if callers depend on that.
 */
predicate notInsideConstructor(Class c, Expr e) {
  not e.getEnclosingFunction().(Constructor).getDeclaringType() = c
}
/**
 * Holds if `e` is not inside a destructor of class `c`.
 *
 * Only the destructor declared by `c` itself counts (compared via
 * `getDeclaringType()`); a destructor of a derived class does not.
 * NOTE(review): as for `notInsideConstructor`, an expression inside a lambda
 * defined in the destructor presumably satisfies this predicate — confirm.
 */
predicate notInsideDestructor(Class c, Expr e) {
  not e.getEnclosingFunction().(Destructor).getDeclaringType() = c
}