C++: Implement Function::hasErrors()

2026-04-24 16:25:15 +02:00 · 2024-10-01 11:00:44 +01:00
parent 60abea17e6
commit 4b5aa1497b
4 changed files with 17 additions and 2 deletions
--- a/cpp/ql/lib/semmle/code/cpp/Function.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -500,6 +500,14 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   * Gets the nearest enclosing AccessHolder.
   */
  override AccessHolder getEnclosingAccessHolder() { result = this.getDeclaringType() }
+
+  /**
+   * Holds if this function has extraction errors that create an `ErrorExpr`.
+   */
+  predicate hasErrors() {
+    // Exclude allocator call arguments because they are are always extracted as `ErrorExpr`.
+    exists(ErrorExpr e | e.getEnclosingFunction() = this and not e.isFirstAllocatorCallArgument())
+  }
 }

 pragma[noinline]
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -744,6 +744,13 @@ class ErrorExpr extends Expr, @errorexpr {
  override string toString() { result = "<error expr>" }

  override string getAPrimaryQlClass() { result = "ErrorExpr" }
+
+  /**
+   * Holds if this error expression is the first argument to a `new` allocation call.
+   */
+  predicate isFirstAllocatorCallArgument() { 
+    this = any(NewOrNewArrayExpr new).getAllocatorCall().getArgument(0)
+  }
 }

 /**
--- a/Management/UninitializedLocal.ql
+++ b/Management/UninitializedLocal.ql
@@ -89,5 +89,6 @@ from
 where
  conf.hasFlowPath(source, sink) and
  isSinkImpl(sink.getInstruction(), va) and
-  v = va.getTarget()
+  v = va.getTarget() and
+  not v.getFunction().hasErrors()
 select va, source, sink, "The variable $@ may not be initialized at this access.", v, v.getName()
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected
@@ -16,7 +16,6 @@ nodes
 | test.cpp:472:6:472:6 | definition of x | semmle.label | definition of x |
 | test.cpp:479:6:479:6 | definition of x | semmle.label | definition of x |
 #select
-| errors.cpp:6:10:6:10 | x | errors.cpp:4:7:4:7 | definition of x | errors.cpp:4:7:4:7 | definition of x | The variable $@ may not be initialized at this access. | errors.cpp:4:7:4:7 | x | x |
 | errors.cpp:14:18:14:18 | x | errors.cpp:13:7:13:7 | definition of x | errors.cpp:13:7:13:7 | definition of x | The variable $@ may not be initialized at this access. | errors.cpp:13:7:13:7 | x | x |
 | test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo |
 | test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo |