Revert "Revert "C++: Work around extractor issue CPP-383""

**Revert the revert** of the workaround for CFG issues when a `FunctionCall` has a `getTarget` that does not exist. While we've fixed the main cause of the problem, it can apparently still happen in rare cases as a result of extractor crashes. This reverts commit ee5eaef5e4.
2025-12-20 18:56:32 +01:00 · 2021-04-16 16:44:58 +02:00
parent 3c8ea167c4
commit f8d45f04ed
1 changed files with 34 additions and 1 deletions
--- a/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
+++ b/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -104,9 +104,42 @@ private predicate loopConditionAlwaysUponEntry(ControlFlowNode loop, Expr condit
  )
 }

+/**
+ * This relation is the same as the `el instanceof Function`, only obfuscated
+ * so the optimizer will not understand that any `FunctionCall.getTarget()`
+ * should be in this relation.
+ */
+pragma[noinline]
+private predicate isFunction(Element el) {
+  el instanceof Function
+  or
+  el.(Expr).getParent() = el
+}
+
+/**
+ * Holds if `fc` is a `FunctionCall` with no return value for `getTarget`. This
+ * can happen due to extractor issue CPP-383.
+ */
+pragma[noopt]
+private predicate callHasNoTarget(@funbindexpr fc) {
+  exists(Function f |
+    funbind(fc, f) and
+    not isFunction(f)
+  )
+}
+
+// This base case is pulled out to work around QL-796
+private predicate potentiallyReturningFunctionCall_base(FunctionCall fc) {
+  fc.isVirtual()
+  or
+  callHasNoTarget(fc)
+}
+
 /** A function call that *may* return; if in doubt, we assume it may. */
 private predicate potentiallyReturningFunctionCall(FunctionCall fc) {
-  potentiallyReturningFunction(fc.getTarget()) or fc.isVirtual()
+  potentiallyReturningFunctionCall_base(fc)
+  or
+  potentiallyReturningFunction(fc.getTarget())
 }

 /** A function that *may* return; if in doubt, we assume it may. */