Guards: Add support for wrappers that may throw exceptions.

aschackmull · aschackmull · commit 8b58c2c32fc1 · 2025-07-25T09:43:11.000+02:00
diff --git a/java/ql/lib/semmle/code/java/controlflow/Guards.qll b/java/ql/lib/semmle/code/java/controlflow/Guards.qll
@@ -146,6 +146,8 @@ private module GuardsInput implements SharedGuards::InputSig<Location> {
 
   class ControlFlowNode = J::ControlFlowNode;
 
+  class NormalExitNode = ControlFlow::NormalExitNode;
+
   class BasicBlock = J::BasicBlock;
 
   predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) { J::dominatingEdge(bb1, bb2) }
diff --git a/java/ql/test/library-tests/guards/Guards.java b/java/ql/test/library-tests/guards/Guards.java
@@ -202,4 +202,14 @@ void testWrappers(String s, Integer i) {
         break;
     }
   }
+
+  static void ensureNotNull(Object o) throws Exception {
+    if (o == null) throw new Exception();
+  }
+
+  void testExceptionWrapper(String s) throws Exception {
+    chk(); // nothing guards here
+    ensureNotNull(s);
+    chk(); // $ guarded='ensureNotNull(...):no exception' guarded='s:not null'
+  }
 }
diff --git a/java/ql/test/library-tests/guards/GuardsInline.expected b/java/ql/test/library-tests/guards/GuardsInline.expected
@@ -112,3 +112,5 @@
 | Guards.java:201:9:201:13 | chk(...) | 'testEnumWrapper(...):FAILURE' |
 | Guards.java:201:9:201:13 | chk(...) | 'testEnumWrapper(...):match FAILURE' |
 | Guards.java:201:9:201:13 | chk(...) | g(1):false |
+| Guards.java:213:5:213:9 | chk(...) | 'ensureNotNull(...):no exception' |
+| Guards.java:213:5:213:9 | chk(...) | 's:not null' |
diff --git a/shared/controlflow/codeql/controlflow/Guards.qll b/shared/controlflow/codeql/controlflow/Guards.qll
@@ -79,6 +79,9 @@ signature module InputSig<LocationSig Location> {
     Location getLocation();
   }
 
+  /** A control flow node indicating normal termination of a callable. */
+  class NormalExitNode extends ControlFlowNode;
+
   /**
    * A basic block, that is, a maximal straight-line sequence of control flow nodes
    * without branches or joins.
@@ -520,6 +523,8 @@ module Make<LocationSig Location, InputSig<Location> Input> {
     )
   }
 
+  private predicate normalExitBlock(BasicBlock bb) { bb.getNode(_) instanceof NormalExitNode }
+
   signature module LogicInputSig {
     class SsaDefinition {
       /** Gets the basic block to which this SSA definition belongs. */
@@ -1047,6 +1052,13 @@ module Make<LocationSig Location, InputSig<Location> Input> {
         )
       }
 
+      private predicate guardDirectlyControlsExit(Guard guard, GuardValue val) {
+        exists(BasicBlock bb |
+          guard.directlyValueControls(bb, val) and
+          normalExitBlock(bb)
+        )
+      }
+
       /**
        * Gets a non-overridable method that performs a check on the `ppos`th
        * parameter. A return value equal to `retval` allows us to conclude
@@ -1064,6 +1076,13 @@ module Make<LocationSig Location, InputSig<Location> Input> {
         |
           validReturnInCustomGuard(ret, ppos, retval, val)
         )
+        or
+        exists(SsaDefinition param, Guard g0, GuardValue v0 |
+          parameterDefinition(result.getParameter(ppos), param) and
+          guardDirectlyControlsExit(g0, v0) and
+          retval = TException(false) and
+          BranchImplies::ssaControls(param, val, g0, v0)
+        )
       }
 
       /**

Original file line number	Diff line number	Diff line change
`@@ -202,4 +202,14 @@ void testWrappers(String s, Integer i) {`
`202`	`202`	`break;`
`203`	`203`	`}`
`204`	`204`	`}`
	`205`	`+`
	`206`	`+ static void ensureNotNull(Object o) throws Exception {`
	`207`	`+ if (o == null) throw new Exception();`
	`208`	`+ }`
	`209`	`+`
	`210`	`+ void testExceptionWrapper(String s) throws Exception {`
	`211`	`+ chk(); // nothing guards here`
	`212`	`+ ensureNotNull(s);`
	`213`	`+ chk(); // $ guarded='ensureNotNull(...):no exception' guarded='s:not null'`
	`214`	`+ }`
`205`	`215`	`}`
Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,9 @@ signature module InputSig<LocationSig Location> {`
`79`	`79`	`Location getLocation();`
`80`	`80`	`}`
`81`	`81`
	`82`	`+ /** A control flow node indicating normal termination of a callable. */`
	`83`	`+ class NormalExitNode extends ControlFlowNode;`
	`84`	`+`
`82`	`85`	`/**`
`83`	`86`	`* A basic block, that is, a maximal straight-line sequence of control flow nodes`
`84`	`87`	`* without branches or joins.`
`@@ -520,6 +523,8 @@ module Make<LocationSig Location, InputSig<Location> Input> {`
`520`	`523`	`)`
`521`	`524`	`}`
`522`	`525`
	`526`	`+ private predicate normalExitBlock(BasicBlock bb) { bb.getNode(_) instanceof NormalExitNode }`
	`527`	`+`
`523`	`528`	`signature module LogicInputSig {`
`524`	`529`	`class SsaDefinition {`
`525`	`530`	`/** Gets the basic block to which this SSA definition belongs. */`
`@@ -1047,6 +1052,13 @@ module Make<LocationSig Location, InputSig<Location> Input> {`
`1047`	`1052`	`)`
`1048`	`1053`	`}`
`1049`	`1054`
	`1055`	`+ private predicate guardDirectlyControlsExit(Guard guard, GuardValue val) {`
	`1056`	`+ exists(BasicBlock bb \|`
	`1057`	`+ guard.directlyValueControls(bb, val) and`
	`1058`	`+ normalExitBlock(bb)`
	`1059`	`+ )`
	`1060`	`+ }`
	`1061`	`+`
`1050`	`1062`	`/**`
`1051`	`1063`	* Gets a non-overridable method that performs a check on the `ppos`th
`1052`	`1064`	* parameter. A return value equal to `retval` allows us to conclude
`@@ -1064,6 +1076,13 @@ module Make<LocationSig Location, InputSig<Location> Input> {`
`1064`	`1076`	`\|`
`1065`	`1077`	`validReturnInCustomGuard(ret, ppos, retval, val)`
`1066`	`1078`	`)`
	`1079`	`+ or`
	`1080`	`+ exists(SsaDefinition param, Guard g0, GuardValue v0 \|`
	`1081`	`+ parameterDefinition(result.getParameter(ppos), param) and`
	`1082`	`+ guardDirectlyControlsExit(g0, v0) and`
	`1083`	`+ retval = TException(false) and`
	`1084`	`+ BranchImplies::ssaControls(param, val, g0, v0)`
	`1085`	`+ )`
`1067`	`1086`	`}`
`1068`	`1087`
`1069`	`1088`	`/**`