package io.joern.scanners.c;

import io.joern.console.CodeExamples;
import io.joern.console.Query;
import io.joern.console.Query$;
import io.joern.console.QueryBundle;
import io.joern.console.TraversalWithStrRep;
import io.joern.console.q;
import io.joern.dataflowengineoss.language.nodemethods.ExtendedCfgNodeMethods$;
import io.joern.dataflowengineoss.queryengine.EngineContext;
import io.joern.scanners.Crew$;
import io.joern.scanners.QueryTags$;
import io.shiftleft.codepropertygraph.Cpg;
import io.shiftleft.codepropertygraph.generated.nodes.AbstractNode;
import io.shiftleft.codepropertygraph.generated.nodes.Call;
import io.shiftleft.codepropertygraph.generated.nodes.CfgNode;
import io.shiftleft.codepropertygraph.generated.nodes.Expression;
import io.shiftleft.codepropertygraph.generated.nodes.Identifier;
import io.shiftleft.codepropertygraph.generated.nodes.Local;
import io.shiftleft.codepropertygraph.generated.nodes.Method;
import io.shiftleft.codepropertygraph.generated.nodes.MethodParameterIn;
import io.shiftleft.codepropertygraph.generated.traversal.CallTraversalExtGen$;
import io.shiftleft.codepropertygraph.generated.traversal.ExpressionTraversalExtGen$;
import io.shiftleft.codepropertygraph.generated.traversal.IdentifierTraversalExtGen$;
import io.shiftleft.codepropertygraph.generated.traversal.MethodParameterInTraversalExtGen$;
import io.shiftleft.codepropertygraph.generated.traversal.MethodTraversalExtGen$;
import io.shiftleft.semanticcpg.language.ICallResolver;
import io.shiftleft.semanticcpg.language.NoResolve$;
import io.shiftleft.semanticcpg.language.callgraphextension.MethodTraversal$;
import io.shiftleft.semanticcpg.language.nodemethods.AstNodeMethods$;
import io.shiftleft.semanticcpg.language.nodemethods.CallMethods$;
import io.shiftleft.semanticcpg.language.nodemethods.CfgNodeMethods$;
import io.shiftleft.semanticcpg.language.operatorextension.OpAstNode$;
import io.shiftleft.semanticcpg.language.package$;
import io.shiftleft.semanticcpg.language.types.expressions.CallTraversal$;
import io.shiftleft.semanticcpg.language.types.expressions.IdentifierTraversal$;
import io.shiftleft.semanticcpg.language.types.expressions.generalizations.AstNodeTraversal$;
import io.shiftleft.semanticcpg.language.types.expressions.generalizations.CfgNodeTraversal$;
import io.shiftleft.semanticcpg.language.types.expressions.generalizations.ExpressionTraversal$;
import overflowdb.traversal.Traversal;
import scala.MatchError;
import scala.Predef$;
import scala.Tuple2;
import scala.collection.IterableOps;
import scala.collection.StringOps$;
import scala.collection.immutable.List;
import scala.collection.immutable.Set;
import scala.runtime.BoxesRunTime;
import scala.runtime.ScalaRunTime$;

/* compiled from: UseAfterFree.scala */
/* loaded from: input_file:io/joern/scanners/c/UseAfterFree$.class */
public final class UseAfterFree$ implements QueryBundle {
    public static final UseAfterFree$ MODULE$ = new UseAfterFree$();
    private static final ICallResolver resolver = NoResolve$.MODULE$;

    public ICallResolver resolver() {
        return resolver;
    }

    @q
    public Query freeFieldNoReassign(EngineContext engineContext) {
        return Query$.MODULE$.make("free-field-no-reassign", Crew$.MODULE$.fabs(), "A field of a parameter is free'd and not reassigned on all paths", StringOps$.MODULE$.stripMargin$extension(Predef$.MODULE$.augmentString("\n          | The function is able to modify a field of a structure passed in by\n          | the caller. It frees this field and does not guarantee that on\n          | all paths to the exit, the field is reassigned. If any\n          | caller now accesses the field, then it accesses memory that is no\n          | longer allocated. We also check that the function does not free\n          | or clear the entire structure, as in that case, it is unlikely that the\n          | passed in structure will be used again.\n          |")), 5.0d, new TraversalWithStrRep(cpg -> {
            return (Traversal) CallTraversal$.MODULE$.argument$extension(package$.MODULE$.toCall(MethodTraversal$.MODULE$.callIn$extension(package$.MODULE$.toMethodForCallGraph(package$.MODULE$.toNodeTypeStarters(cpg).method("free"), Predef$.MODULE$.$conforms()), MODULE$.resolver()).where(traversal -> {
                return (Traversal) AstNodeTraversal$.MODULE$.isCallTo$extension(package$.MODULE$.toAstNode(CallTraversal$.MODULE$.argument$extension(package$.MODULE$.toCall(traversal, Predef$.MODULE$.$conforms()), Predef$.MODULE$.int2Integer(1)), Predef$.MODULE$.$conforms()), "<operator>.*[fF]ieldAccess.*").filter(call -> {
                    return BoxesRunTime.boxToBoolean($anonfun$freeFieldNoReassign$3(call));
                });
            }).whereNot(traversal2 -> {
                return (Traversal) CallTraversal$.MODULE$.argument$extension(package$.MODULE$.toCall(AstNodeTraversal$.MODULE$.isCall$extension(package$.MODULE$.toAstNode(CallTraversal$.MODULE$.argument$extension(package$.MODULE$.toCall(traversal2, Predef$.MODULE$.$conforms()), Predef$.MODULE$.int2Integer(1)), Predef$.MODULE$.$conforms())), Predef$.MODULE$.$conforms()), Predef$.MODULE$.int2Integer(1)).filter(expression -> {
                    return BoxesRunTime.boxToBoolean($anonfun$freeFieldNoReassign$5(expression));
                });
            }).l(), iterableOnce -> {
                return overflowdb.traversal.package$.MODULE$.iterableToTraversal(iterableOnce);
            }), Predef$.MODULE$.int2Integer(1)).filter(expression -> {
                return BoxesRunTime.boxToBoolean($anonfun$freeFieldNoReassign$7(engineContext, expression));
            });
        }, "cpg =>\n        val freeOfStructField = cpg\n          .method(\"free\")\n          .callIn\n          .where(\n            _.argument(1)\n              .isCallTo(\"<operator>.*[fF]ieldAccess.*\")\n              .filter(x => x.method.parameter.name.toSet.contains(x.argument(1).code))\n          )\n          .whereNot(_.argument(1).isCall.argument(1).filter { struct =>\n            struct.method.ast.isCall\n              .name(\".*free$\", \"memset\", \"bzero\")\n              .argument(1)\n              .codeExact(struct.code)\n              .nonEmpty\n          })\n          .l\n\n        freeOfStructField.argument(1).filter { arg =>\n          arg.method.methodReturn.reachableBy(arg).nonEmpty\n        }"), (List) scala.package$.MODULE$.List().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{QueryTags$.MODULE$.uaf(), QueryTags$.MODULE$.m4default()})), new CodeExamples((List) scala.package$.MODULE$.List().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{StringOps$.MODULE$.stripMargin$extension(Predef$.MODULE$.augmentString("\n            |\n            |void free_field_reassigned(a_struct_type *a_struct) {\n            |  free(a_struct->ptr);\n            |  if (something) {\n            |    return;\n            |  }\n            |  a_struct->ptr = foo;\n            |}\n            |\n            |"))})), (List) scala.package$.MODULE$.List().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{StringOps$.MODULE$.stripMargin$extension(Predef$.MODULE$.augmentString("\n            |\n            |void not_free_field_reassigned(a_struct_type *a_struct) {\n            |  free(a_struct->ptr);\n            |  if (something) {\n            |    a_struct->ptr = NULL;\n            |    return;\n            |  }\n            |  a_struct->ptr = foo;\n            |}\n            |\n            |"))}))));
    }

    @q
    public Query freeReturnedValue() {
        return Query$.MODULE$.make("free-returned-value", Crew$.MODULE$.malte(), "A value that is returned through a parameter is free'd in a path", StringOps$.MODULE$.stripMargin$extension(Predef$.MODULE$.augmentString("\n          |The function sets a field of a function parameter to a value of a local\n          |variable.\n          |This variable is then freed in some paths. Unless the value set in the\n          |function |parameter is overridden later on, the caller has access to the\n          |free'd memory, which is undefined behavior.\n          |\n          |Finds bugs like CVE-2019-18902.\n          |")), 5.0d, new TraversalWithStrRep(cpg -> {
            return (Traversal) ((IterableOps) freeAssigned$1(cpg).filter(tuple2 -> {
                return BoxesRunTime.boxToBoolean($anonfun$freeReturnedValue$6(tuple2));
            })).flatMap(tuple22 -> {
                return package$.MODULE$.toTraversal((AbstractNode) tuple22._1());
            });
        }, "cpg =>\n        def outParams =\n          cpg.parameter\n            .typeFullName(\".+\\\\*\")\n            .whereNot(\n              _.referencingIdentifiers\n                .argumentIndex(1)\n                .inCall\n                .nameExact(Operators.assignment, Operators.addressOf)\n            )\n\n        def assignedValues =\n          outParams.referencingIdentifiers\n            .argumentIndex(1)\n            .inCall\n            .nameExact(Operators.indirectFieldAccess, Operators.indirection, Operators.indirectIndexAccess)\n            .argumentIndex(1)\n            .inCall\n            .nameExact(Operators.assignment)\n            .argument(2)\n            .isIdentifier\n\n        def freeAssigned =\n          assignedValues.map(id =>\n            (\n              id,\n              id.refsTo\n                .flatMap {\n                  case p: MethodParameterIn => p.referencingIdentifiers\n                  case v: Local             => v.referencingIdentifiers\n                }\n                .inCall\n                .name(\"(.*_)?free\")\n            )\n          )\n\n        freeAssigned\n          .filter { case (id, freeCall) =>\n            freeCall.dominatedBy.exists(_ == id)\n          }\n          .flatMap(_._1)"), (List) scala.package$.MODULE$.List().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{QueryTags$.MODULE$.uaf()})), new CodeExamples((List) scala.package$.MODULE$.List().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{StringOps$.MODULE$.stripMargin$extension(Predef$.MODULE$.augmentString("\n            |\n            |void bad(a_struct_type *a_struct) {\n            |  void *x = NULL;\n            |  a_struct->foo = x;\n            |  free(x);\n            |}\n            |\n            |"))})), (List) scala.package$.MODULE$.List().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{StringOps$.MODULE$.stripMargin$extension(Predef$.MODULE$.augmentString("\n            |\n            |void good1(a_struct_type *a_struct) {\n            |  void *x = NULL, *y = NULL;\n            |  a_struct->foo = x;\n            |  free(y);\n            |}\n            |\n            |void good2(a_struct_type *a_struct) {\n            |  void *x = NULL;\n            |  free(a_struct->foo);\n            |  a_struct->foo = x;\n            |}\n            |\n            |void bad_not_covered(a_struct_type *a_struct) {\n            |  void *x = NULL;\n            |  a_struct->foo = x;\n            |  free(a_struct->foo);\n            |}\n            |\n            |"))}))));
    }

    @q
    public Query freePostDominatesUsage() {
        return Query$.MODULE$.make("free-follows-value-reuse", Crew$.MODULE$.malte(), "A value that is free'd is reused without reassignment.", StringOps$.MODULE$.stripMargin$extension(Predef$.MODULE$.augmentString("\n        |A value is used after being free'd in a path that leads to it\n        |without reassignment.\n        |\n        |Modeled after CVE-2019-18903.\n        |")), 5.0d, new TraversalWithStrRep(cpg -> {
            return (Traversal) MethodTraversal$.MODULE$.callIn$extension(package$.MODULE$.toMethodForCallGraph(MethodTraversalExtGen$.MODULE$.name$extension(package$.MODULE$.toMethodTraversalExtGen(package$.MODULE$.toNodeTypeStarters(cpg).method()), "(.*_)?free").filter(method -> {
                return BoxesRunTime.boxToBoolean($anonfun$freePostDominatesUsage$2(method));
            }), Predef$.MODULE$.$conforms()), MODULE$.resolver()).where(traversal -> {
                return AstNodeTraversal$.MODULE$.isIdentifier$extension(package$.MODULE$.toAstNode(CallTraversal$.MODULE$.argument$extension(package$.MODULE$.toCall(traversal, Predef$.MODULE$.$conforms()), Predef$.MODULE$.int2Integer(1)), Predef$.MODULE$.$conforms()));
            }).flatMap(call -> {
                String code = CallMethods$.MODULE$.argument$extension(package$.MODULE$.toCallMethods(call), 1).code();
                Set setImmutable = CfgNodeMethods$.MODULE$.postDominatedBy$extension(package$.MODULE$.toCfgNodeMethods(call)).toSetImmutable();
                return IdentifierTraversalExtGen$.MODULE$.codeExact$extension(package$.MODULE$.toIdentifierTraversalExtGen(AstNodeTraversal$.MODULE$.isIdentifier$extension(package$.MODULE$.toAstNode(setImmutable.removedAll((Traversal) IdentifierTraversalExtGen$.MODULE$.codeExact$extension(package$.MODULE$.toIdentifierTraversalExtGen(AstNodeTraversal$.MODULE$.isIdentifier$extension(package$.MODULE$.toAstNode(setImmutable, iterableOnce -> {
                    return overflowdb.traversal.package$.MODULE$.iterableToTraversal(iterableOnce);
                })).where(traversal2 -> {
                    return OpAstNode$.MODULE$.inAssignment$extension(package$.MODULE$.toOpAstNodeTrav(traversal2));
                })), code).flatMap(identifier -> {
                    return (Traversal) package$.MODULE$.toTraversal(identifier).$plus$plus(CfgNodeMethods$.MODULE$.postDominatedBy$extension(package$.MODULE$.toCfgNodeMethods(identifier)));
                })), iterableOnce2 -> {
                    return overflowdb.traversal.package$.MODULE$.iterableToTraversal(iterableOnce2);
                }))), code);
            });
        }, "cpg =>\n        cpg.method\n          .name(\"(.*_)?free\")\n          .filter(_.parameter.size == 1)\n          .callIn\n          .where(_.argument(1).isIdentifier)\n          .flatMap(f => {\n            val freedIdentifierCode = f.argument(1).code\n            val postDom = f.postDominatedBy.toSetImmutable\n\n            val assignedPostDom = postDom.isIdentifier\n              .where(_.inAssignment)\n              .codeExact(freedIdentifierCode)\n              .flatMap(id => id ++ id.postDominatedBy)\n\n            postDom\n              .removedAll(assignedPostDom)\n              .isIdentifier\n              .codeExact(freedIdentifierCode)\n          })"), (List) scala.package$.MODULE$.List().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{QueryTags$.MODULE$.uaf()})), new CodeExamples((List) scala.package$.MODULE$.List().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{StringOps$.MODULE$.stripMargin$extension(Predef$.MODULE$.augmentString("\n          |\n          |void *bad() {\n          |  void *x = NULL;\n          |  if (cond)\n          |    free(x);\n          |  return x;\n          |}\n          |\n          |void *false_positive() {\n          |  void *x = NULL;\n          |  free(x);\n          |  if (cond)\n          |    x = NULL;\n          |  else\n          |    x = NULL;\n          |  return x;\n          |}\n          |\n          |"))})), (List) scala.package$.MODULE$.List().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{StringOps$.MODULE$.stripMargin$extension(Predef$.MODULE$.augmentString("\n          |\n          |void *false_negative() {\n          |  void *x = NULL;\n          |  if (cond) {\n          |    free(x);\n          |    if (cond2)\n          |      return x; // not post-dominated by free call\n          |    x = NULL;\n          |  }\n          |  return x;\n          |}\n          |\n          |void *good() {\n          |  void *x = NULL;\n          |  if (cond)\n          |    free(x);\n          |  x = NULL;\n          |  return x;\n          |}\n          |\n          |"))}))));
    }

    public static final /* synthetic */ boolean $anonfun$freeFieldNoReassign$3(Call call) {
        return MethodParameterInTraversalExtGen$.MODULE$.name$extension(package$.MODULE$.toMethodParameterInTraversalExtGen(CfgNodeMethods$.MODULE$.method$extension(package$.MODULE$.toCfgNodeMethods(call)).parameter())).toSet().contains(CallMethods$.MODULE$.argument$extension(package$.MODULE$.toCallMethods(call), 1).code());
    }

    public static final /* synthetic */ boolean $anonfun$freeFieldNoReassign$5(Expression expression) {
        return ExpressionTraversalExtGen$.MODULE$.codeExact$extension(package$.MODULE$.toExpressionTraversalExtGen(CallTraversal$.MODULE$.argument$extension(package$.MODULE$.toCall(CallTraversalExtGen$.MODULE$.name$extension(package$.MODULE$.toCallTraversalExtGen(AstNodeTraversal$.MODULE$.isCall$extension(package$.MODULE$.toAstNode(AstNodeMethods$.MODULE$.ast$extension(package$.MODULE$.cfgNodeToAsNode(CfgNodeMethods$.MODULE$.method$extension(package$.MODULE$.toCfgNodeMethods(expression)))), Predef$.MODULE$.$conforms()))), ScalaRunTime$.MODULE$.wrapRefArray(new String[]{".*free$", "memset", "bzero"})), Predef$.MODULE$.$conforms()), Predef$.MODULE$.int2Integer(1))), expression.code()).nonEmpty();
    }

    public static final /* synthetic */ boolean $anonfun$freeFieldNoReassign$7(EngineContext engineContext, Expression expression) {
        return ExtendedCfgNodeMethods$.MODULE$.reachableBy$extension(io.joern.dataflowengineoss.language.package$.MODULE$.cfgNodeToMethodsQp(CfgNodeMethods$.MODULE$.method$extension(package$.MODULE$.toCfgNodeMethods(expression)).methodReturn()), ScalaRunTime$.MODULE$.wrapRefArray(new Traversal[]{package$.MODULE$.toTraversal(expression)}), engineContext).nonEmpty();
    }

    private static final Traversal outParams$1(Cpg cpg) {
        return MethodParameterInTraversalExtGen$.MODULE$.typeFullName$extension(package$.MODULE$.toMethodParameterInTraversalExtGen(package$.MODULE$.toNodeTypeStarters(cpg).parameter()), ".+\\*").whereNot(traversal -> {
            return CallTraversalExtGen$.MODULE$.nameExact$extension(package$.MODULE$.toCallTraversalExtGen(ExpressionTraversal$.MODULE$.inCall$extension(package$.MODULE$.toExpression(IdentifierTraversalExtGen$.MODULE$.argumentIndex$extension(package$.MODULE$.toIdentifierTraversalExtGen(MethodParameterInTraversalExtGen$.MODULE$.referencingIdentifiers$extension(package$.MODULE$.toMethodParameterInTraversalExtGen(traversal))), 1), Predef$.MODULE$.$conforms()))), ScalaRunTime$.MODULE$.wrapRefArray(new String[]{"<operator>.assignment", "<operator>.addressOf"}));
        });
    }

    private static final Traversal assignedValues$1(Cpg cpg) {
        return AstNodeTraversal$.MODULE$.isIdentifier$extension(package$.MODULE$.toAstNode(CallTraversal$.MODULE$.argument$extension(package$.MODULE$.toCall(CallTraversalExtGen$.MODULE$.nameExact$extension(package$.MODULE$.toCallTraversalExtGen(ExpressionTraversal$.MODULE$.inCall$extension(package$.MODULE$.toExpression(CallTraversalExtGen$.MODULE$.argumentIndex$extension(package$.MODULE$.toCallTraversalExtGen(CallTraversalExtGen$.MODULE$.nameExact$extension(package$.MODULE$.toCallTraversalExtGen(ExpressionTraversal$.MODULE$.inCall$extension(package$.MODULE$.toExpression(IdentifierTraversalExtGen$.MODULE$.argumentIndex$extension(package$.MODULE$.toIdentifierTraversalExtGen(MethodParameterInTraversalExtGen$.MODULE$.referencingIdentifiers$extension(package$.MODULE$.toMethodParameterInTraversalExtGen(outParams$1(cpg)))), 1), Predef$.MODULE$.$conforms()))), ScalaRunTime$.MODULE$.wrapRefArray(new String[]{"<operator>.indirectFieldAccess", "<operator>.indirection", "<operator>.indirectIndexAccess"}))), 1), Predef$.MODULE$.$conforms()))), "<operator>.assignment"), Predef$.MODULE$.$conforms()), Predef$.MODULE$.int2Integer(2)), Predef$.MODULE$.$conforms()));
    }

    private static final Traversal freeAssigned$1(Cpg cpg) {
        return (Traversal) assignedValues$1(cpg).map(identifier -> {
            return new Tuple2(identifier, CallTraversalExtGen$.MODULE$.name$extension(package$.MODULE$.toCallTraversalExtGen(ExpressionTraversal$.MODULE$.inCall$extension(package$.MODULE$.toExpression(IdentifierTraversal$.MODULE$.refsTo$extension(package$.MODULE$.toIdentifier(identifier, identifier -> {
                return package$.MODULE$.toTraversal(identifier);
            })).flatMap(declaration -> {
                Traversal referencingIdentifiers;
                if (declaration instanceof MethodParameterIn) {
                    referencingIdentifiers = ((MethodParameterIn) declaration).referencingIdentifiers();
                } else {
                    if (!(declaration instanceof Local)) {
                        throw new MatchError(declaration);
                    }
                    referencingIdentifiers = ((Local) declaration).referencingIdentifiers();
                }
                return referencingIdentifiers;
            }), Predef$.MODULE$.$conforms()))), "(.*_)?free"));
        });
    }

    public static final /* synthetic */ boolean $anonfun$freeReturnedValue$7(Identifier identifier, CfgNode cfgNode) {
        return cfgNode != null ? cfgNode.equals(identifier) : identifier == null;
    }

    public static final /* synthetic */ boolean $anonfun$freeReturnedValue$6(Tuple2 tuple2) {
        if (tuple2 == null) {
            throw new MatchError(tuple2);
        }
        Identifier identifier = (Identifier) tuple2._1();
        return CfgNodeTraversal$.MODULE$.dominatedBy$extension(package$.MODULE$.toCfgNode((Traversal) tuple2._2(), Predef$.MODULE$.$conforms())).exists(cfgNode -> {
            return BoxesRunTime.boxToBoolean($anonfun$freeReturnedValue$7(identifier, cfgNode));
        });
    }

    public static final /* synthetic */ boolean $anonfun$freePostDominatesUsage$2(Method method) {
        return method.parameter().size() == 1;
    }

    private UseAfterFree$() {
    }
}
