C++: Model function calls throwing exceptions.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -3,6 +3,7 @@ private import semmle.code.cpp.ir.implementation.Opcode
 private import semmle.code.cpp.ir.implementation.internal.OperandTag
 private import semmle.code.cpp.ir.internal.CppType
 private import semmle.code.cpp.models.interfaces.SideEffect
+private import semmle.code.cpp.models.interfaces.Throwing
 private import InstructionTag
 private import SideEffects
 private import TranslatedElement
@@ -76,7 +77,14 @@ abstract class TranslatedCall extends TranslatedExpr {
         any(UnreachedInstruction instr |
           this.getEnclosingFunction().getFunction() = instr.getEnclosingFunction()
         )
-    else result = this.getParent().getChildSuccessor(this, kind)
+    else (
+      not this.mustThrowException() and
+      result = this.getParent().getChildSuccessor(this, kind)
+      or
+      this.mayThrowException() and
+      kind instanceof ExceptionEdge and
+      result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge))
+    )
   }
 
   override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
@@ -102,6 +110,16 @@ abstract class TranslatedCall extends TranslatedExpr {
 
   final override Instruction getResult() { result = this.getInstruction(CallTag()) }
 
+  /**
+   * Holds if the evaluation of this call may throw an exception.
+   */
+  abstract predicate mayThrowException();
+
+  /**
+   * Holds if the evaluation of this call always throws an exception.
+   */
+  abstract predicate mustThrowException();
+
   /**
    * Gets the result type of the call.
    */
@@ -295,6 +313,15 @@ class TranslatedExprCall extends TranslatedCallExpr {
   override TranslatedExpr getCallTarget() {
     result = getTranslatedExpr(expr.getExpr().getFullyConverted())
   }
+
+  final override predicate mayThrowException() {
+    // We assume that a call to a function pointer will not throw an exception.
+    // This is not sound in general, but this will greatly reduce the number of
+    // exceptional edges.
+    none()
+  }
+
+  final override predicate mustThrowException() { none() }
 }
 
 /**
@@ -316,6 +343,14 @@ class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
     exists(this.getQualifier()) and
     not exists(MemberFunction func | expr.getTarget() = func and func.isStatic())
   }
+
+  final override predicate mayThrowException() {
+    expr.getTarget().(ThrowingFunction).mayThrowException(_)
+  }
+
+  final override predicate mustThrowException() {
+    expr.getTarget().(ThrowingFunction).mayThrowException(true)
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -2063,6 +2063,15 @@ class TranslatedAllocatorCall extends TTranslatedAllocatorCall, TranslatedDirect
       else
         result = getTranslatedExpr(expr.getAllocatorCall().getArgument(index).getFullyConverted())
   }
+
+  final override predicate mayThrowException() {
+    // We assume that a call to `new` or `new[]` will never throw. This is not
+    // sound in general, but this will greatly reduce the number of exceptional
+    // edges.
+    none()
+  }
+
+  final override predicate mustThrowException() { none() }
 }
 
 TranslatedAllocatorCall getTranslatedAllocatorCall(NewOrNewArrayExpr newExpr) {
@@ -2123,6 +2132,15 @@ class TranslatedDeleteOrDeleteArrayExpr extends TranslatedNonConstantExpr, Trans
     index = 0 and
     result = getTranslatedExpr(expr.getExpr().getFullyConverted())
   }
+
+  final override predicate mayThrowException() {
+    // We assume that a call to `delete` or `delete[]` will never throw. This is not
+    // sound in general, but this will greatly reduce the number of exceptional
+    // edges.
+    none()
+  }
+
+  final override predicate mustThrowException() { none() }
 }
 
 TranslatedDeleteOrDeleteArrayExpr getTranslatedDeleteOrDeleteArray(DeleteOrDeleteArrayExpr newExpr) {

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -39,3 +39,4 @@ private import implementations.ODBC
 private import implementations.SqLite3
 private import implementations.PostgreSql
 private import implementations.System
+private import implementations.StructuredExceptionHandling

cpp/ql/lib/semmle/code/cpp/models/implementations/StructuredExceptionHandling.qll

@@ -0,0 +1,9 @@
+import semmle.code.cpp.models.interfaces.Throwing
+
+class WindowsDriverFunction extends ThrowingFunction {
+  WindowsDriverFunction() {
+    this.hasGlobalName(["RaiseException", "ExRaiseAccessViolation", "ExRaiseDatatypeMisalignment"])
+  }
+
+  final override predicate mayThrowException(boolean unconditional) { unconditional = true }
+}

cpp/ql/lib/semmle/code/cpp/models/interfaces/Throwing.qll

@@ -0,0 +1,22 @@
+/**
+ * Provides an abstract class for modeling whether a function may throw an
+ * exception.
+ * To use this QL library, create a QL class extending `ThrowingFunction` with
+ * a characteristic predicate that selects the function or set of functions you
+ * are modeling the exceptional flow of.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.Models
+import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
+
+/**
+ * A class that models the exceptional behavior of a function.
+ */
+abstract class ThrowingFunction extends Function {
+  /**
+   * Holds if this function may throw an exception during evaluation.
+   * If `unconditional` is `true` the function always throws an exception.
+   */
+  abstract predicate mayThrowException(boolean unconditional);
+}