C++: Implement Function::hasErrors()

calumgrant · calumgrant · commit 4b5aa1497ba8 · 2024-10-01T11:00:44.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/Function.qll b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -500,6 +500,14 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * Gets the nearest enclosing AccessHolder.
    */
   override AccessHolder getEnclosingAccessHolder() { result = this.getDeclaringType() }
+
+  /**
+   * Holds if this function has extraction errors that create an `ErrorExpr`.
+   */
+  predicate hasErrors() {
+    // Exclude allocator call arguments because they are are always extracted as `ErrorExpr`.
+    exists(ErrorExpr e | e.getEnclosingFunction() = this and not e.isFirstAllocatorCallArgument())
+  }
 }
 
 pragma[noinline]
diff --git a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -744,6 +744,13 @@ class ErrorExpr extends Expr, @errorexpr {
   override string toString() { result = "<error expr>" }
 
   override string getAPrimaryQlClass() { result = "ErrorExpr" }
+
+  /**
+   * Holds if this error expression is the first argument to a `new` allocation call.
+   */
+  predicate isFirstAllocatorCallArgument() { 
+    this = any(NewOrNewArrayExpr new).getAllocatorCall().getArgument(0)
+  }
 }
 
 /**
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql b/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
@@ -89,5 +89,6 @@ from
 where
   conf.hasFlowPath(source, sink) and
   isSinkImpl(sink.getInstruction(), va) and
-  v = va.getTarget()
+  v = va.getTarget() and
+  not v.getFunction().hasErrors()
 select va, source, sink, "The variable $@ may not be initialized at this access.", v, v.getName()
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected
@@ -16,7 +16,6 @@ nodes
 | test.cpp:472:6:472:6 | definition of x | semmle.label | definition of x |
 | test.cpp:479:6:479:6 | definition of x | semmle.label | definition of x |
 #select
-| errors.cpp:6:10:6:10 | x | errors.cpp:4:7:4:7 | definition of x | errors.cpp:4:7:4:7 | definition of x | The variable $@ may not be initialized at this access. | errors.cpp:4:7:4:7 | x | x |
 | errors.cpp:14:18:14:18 | x | errors.cpp:13:7:13:7 | definition of x | errors.cpp:13:7:13:7 | definition of x | The variable $@ may not be initialized at this access. | errors.cpp:13:7:13:7 | x | x |
 | test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo |
 | test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo |
