C++: Use SEH exception edges for functions that unconditionally throw those

2026-04-21 15:05:56 +02:00 · 2024-12-10 15:01:07 +01:00
parent 0038d0f17c
commit 6f41d3c4e3
5 changed files with 31 additions and 33 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -84,11 +84,10 @@ abstract class TranslatedCall extends TranslatedExpr {
          this.getEnclosingFunction().getFunction() = instr.getEnclosingFunction()
        )
    else (
-      not this.mustThrowException() and
+      not this.mustThrowException(_) and
      result = this.getParent().getChildSuccessor(this, kind)
      or
-      this.mayThrowException() and
-      kind instanceof CppExceptionEdge and
+      this.mayThrowException(kind) and
      result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge))
    )
  }
@@ -117,14 +116,14 @@ abstract class TranslatedCall extends TranslatedExpr {
  final override Instruction getResult() { result = this.getInstruction(CallTag()) }

  /**
-   * Holds if the evaluation of this call may throw an exception.
+   * Holds if the evaluation of this call may throw an exception of the kind represented by the `ExceptionEdge`.
   */
-  abstract predicate mayThrowException();
+  abstract predicate mayThrowException(ExceptionEdge e);

  /**
-   * Holds if the evaluation of this call always throws an exception.
+   * Holds if the evaluation of this call always throws an exception of the kind represented by the `ExceptionEdge`.
   */
-  abstract predicate mustThrowException();
+  abstract predicate mustThrowException(ExceptionEdge e);

  /**
   * Gets the result type of the call.
@@ -332,14 +331,14 @@ class TranslatedExprCall extends TranslatedCallExpr {
    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
  }

-  final override predicate mayThrowException() {
+  final override predicate mayThrowException(ExceptionEdge e) {
    // We assume that a call to a function pointer will not throw an exception.
    // This is not sound in general, but this will greatly reduce the number of
    // exceptional edges.
    none()
  }

-  final override predicate mustThrowException() { none() }
+  final override predicate mustThrowException(ExceptionEdge e) { none() }
 }

 /**
@@ -362,12 +361,11 @@ class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
    not exists(MemberFunction func | expr.getTarget() = func and func.isStatic())
  }

-  final override predicate mayThrowException() {
-    expr.getTarget() instanceof AlwaysSehThrowingFunction
-  }
+  final override predicate mayThrowException(ExceptionEdge e) { this.mustThrowException(e) }

-  final override predicate mustThrowException() {
-    expr.getTarget() instanceof AlwaysSehThrowingFunction
+  final override predicate mustThrowException(ExceptionEdge e) {
+    expr.getTarget() instanceof AlwaysSehThrowingFunction and
+    e instanceof SehExceptionEdge
  }
 }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -2483,14 +2483,14 @@ class TranslatedAllocatorCall extends TTranslatedAllocatorCall, TranslatedDirect
        result = getTranslatedExpr(expr.getAllocatorCall().getArgument(index).getFullyConverted())
  }

-  final override predicate mayThrowException() {
+  final override predicate mayThrowException(ExceptionEdge e) {
    // We assume that a call to `new` or `new[]` will never throw. This is not
    // sound in general, but this will greatly reduce the number of exceptional
    // edges.
    none()
  }

-  final override predicate mustThrowException() { none() }
+  final override predicate mustThrowException(ExceptionEdge e) { none() }
 }

 TranslatedAllocatorCall getTranslatedAllocatorCall(NewOrNewArrayExpr newExpr) {
@@ -2556,14 +2556,14 @@ class TranslatedDeleteOrDeleteArrayExpr extends TranslatedNonConstantExpr, Trans
    result = getTranslatedExpr(expr.getExprWithReuse().getFullyConverted())
  }

-  final override predicate mayThrowException() {
+  final override predicate mayThrowException(ExceptionEdge e) {
    // We assume that a call to `delete` or `delete[]` will never throw. This is not
    // sound in general, but this will greatly reduce the number of exceptional
    // edges.
    none()
  }

-  final override predicate mustThrowException() { none() }
+  final override predicate mustThrowException(ExceptionEdge e) { none() }
 }

 TranslatedDeleteOrDeleteArrayExpr getTranslatedDeleteOrDeleteArray(DeleteOrDeleteArrayExpr newExpr) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -214,7 +214,7 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
        exists(ThrowExpr throw | throw.getEnclosingFunction() = func)
        or
        exists(FunctionCall call | call.getEnclosingFunction() = func |
-          getTranslatedExpr(call).(TranslatedCallExpr).mayThrowException()
+          getTranslatedExpr(call).(TranslatedCallExpr).mayThrowException(_)
        )
      )
      or