Affected rules
- RULE-11-6-2
- RULE-9-1
- A8-5-0
- EXP33-C
- EXP53-CPP
Description
This query makes use of approximations that under-represent uninitialized variables and over-represent definition locations. The intent is to report only cases where the result is more certain; however, an audit version of the query could be constructed that improves case detection and catches some FPs and FNs that are currently not detected.
Work has been done on this effort in this branch.
The improved query has the following benefits:
- reuses more of the existing modelling
- models allocated objects in a way that also reuses more of the out-of-the-box library
- increases the number of cases handled that involve subobjects (both potential field analysis and array analysis)
The current improved query still needs more effort on:
- it still uses some approximations around field initialization (see the comment below for one such improvement, which is still a heuristic)
- determining whether array subobject cases should be included or not (see the comment below as well for a potential adjustment that aligns the omission more closely with the current version of the query)
Example
One FP case within the unit test that will be improved is:
```cpp
int *p1 = new int;
*p1 = 0; // COMPLIANT[FALSE_POSITIVE] -- this is not found because this is not an
         // lvalue access
use(p1); // COMPLIANT[FALSE_POSITIVE] -- the pointee of p1 has been
         // initialized
```
These cases will no longer be reported with the improved version of the query.
One FN case within the unit test that will be improved is:
```cpp
S s1;
S s2 = {1};
auto i1 = s1.m1; // NON_COMPLIANT[FALSE_NEGATIVE] - rule currently is not
                 // field sensitive
```
This case will be found with the improved version of the query.
The examples given were run with the optional additions listed in the comment below.
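To make the subobject cases above concrete, the following is an added, runnable C++ example (not code from the issue or from the repository's unit tests). It assumes a hypothetical definition of `S` with two `int` members, since the issue does not show the struct, and it exercises only well-defined reads so it can be compiled and run; the reads that a field- and array-sensitive query must still flag are kept as comments because executing them would be undefined behaviour.

```cpp
#include <cstddef>

// Hypothetical struct S mirroring the issue's unit test; the page does not show
// its definition, so two int members are assumed here.
struct S {
  int m1;
  int m2;
};

// Aggregate partially brace-initialized: m1 is set explicitly to 1 and m2 is
// value-initialized to 0 by the language rules, so every field is defined and a
// field-sensitive query must not report reads of either member.
int partial_aggregate_init_second_member() {
  S s2 = {1};
  return s2.m2;  // 0
}

// Pointee initialized through a non-lvalue write before the read. The current
// query does not recognise "*p1 = 0" as a definition of the pointee because it is
// not an lvalue access of p1 itself, which is the FP the issue describes; the
// read of *p1 after the store is well defined.
int pointee_initialized_via_deref() {
  int *p1 = new int;   // pointee indeterminate at this point
  *p1 = 0;             // pointee is now defined
  int v = *p1;
  delete p1;
  return v;            // 0
}

// Array subobject: only the first element is written explicitly; the remaining
// elements are zero-initialized by the aggregate rules, so a read of a[3] is
// defined and must not be reported by an array-sensitive query.
int array_partial_init_last() {
  int a[4] = {7};
  return a[3];  // 0
}

// Reads that remain uninitialized and that a field/array-sensitive query should
// report (kept as comments: evaluating them is undefined behaviour):
//   S s1;              int x = s1.m1;   // the FN from the issue: no field written
//   int b[4];          int y = b[2];    // array element never written
//   int *q = new int;  int z = *q;      // pointee never written
```

Each function returns the value of the subobject that is defined despite only part of the enclosing object being written explicitly; a query that tracks definitions per field, per array element and per pointee can treat these reads as compliant while still reporting the commented-out reads.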