Merge branch 'brodes/seh_flow_phase1_throwing_models' into brodes/seh_flow_phase2_splitting_seh_edges

bdrodes · bdrodes · commit cc43bb19694c · 2024-12-04T13:28:21.000-05:00
diff --git a/cpp/ql/lib/change-notes/2024-11-18-throwing-functions.md b/cpp/ql/lib/change-notes/2024-11-18-throwing-functions.md
@@ -1,4 +1,4 @@
 ---
 category: deprecated
 ---
-* The `NonThrowing` class (`semmle.code.cpp.models.interfaces.NonThrowing`) has been deprecated. Please use the `NonThrowing` class from `semmle.code.cpp.models.interfaces.Throwing` instead.
+* The `NonThrowing` class (`semmle.code.cpp.models.interfaces.NonThrowing`) has been deprecated. Please use the `NonCppThrowingFunction` class instead.
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -364,10 +364,14 @@ class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
 
   final override predicate mayThrowException() {
     expr.getTarget().(ThrowingFunction).mayThrowException(_)
+    or
+    expr.getTarget() instanceof AlwaysSehThrowingFunction
   }
 
   final override predicate mustThrowException() {
     expr.getTarget().(ThrowingFunction).mayThrowException(true)
+    or
+    expr.getTarget() instanceof AlwaysSehThrowingFunction
   }
 }
 
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll
@@ -9,14 +9,14 @@ import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 import semmle.code.cpp.models.interfaces.Taint
-import semmle.code.cpp.models.interfaces.Throwing
+import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard functions `memcpy`, `memmove` and `bcopy`; and the gcc variant
  * `__builtin___memcpy_chk`.
  */
 private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction,
-  AliasFunction, NonThrowingFunction
+  AliasFunction, NonCppThrowingFunction
 {
   MemcpyFunction() {
     // memcpy(dest, src, num)
@@ -106,8 +106,6 @@ private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffect
     not this.hasGlobalName(["bcopy", mempcpy(), "memccpy"]) and
     index = this.getParamDest()
   }
-
-  override TCxxException getExceptionType() { any() }
 }
 
 private string mempcpy() { result = ["mempcpy", "wmempcpy"] }
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll
@@ -8,10 +8,10 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
-import semmle.code.cpp.models.interfaces.Throwing
+import semmle.code.cpp.models.interfaces.NonThrowing
 
 private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, AliasFunction,
-  SideEffectFunction, NonThrowingFunction
+  SideEffectFunction, NonCppThrowingFunction
 {
   MemsetFunctionModel() {
     this.hasGlobalOrStdOrBslName("memset")
@@ -74,8 +74,6 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias
     i = 0 and
     if this.hasGlobalName(bzero()) then result = 1 else result = 2
   }
-
-  override TCxxException getExceptionType() { any() }
 }
 
 private string bzero() { result = ["bzero", "explicit_bzero"] }
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/NoexceptFunction.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/NoexceptFunction.qll
@@ -1,13 +1,11 @@
-import semmle.code.cpp.models.interfaces.Throwing
+import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * A function that is annotated with a `noexcept` specifier (or the equivalent
  * `throw()` specifier) guaranteeing that the function can not throw exceptions.
  *
  * Note: The `throw` specifier was deprecated in C++11 and removed in C++17.
  */
-class NoexceptFunction extends NonThrowingFunction {
+class NoexceptFunction extends NonCppThrowingFunction {
   NoexceptFunction() { this.isNoExcept() or this.isNoThrow() }
-
-  override TCxxException getExceptionType() { any() }
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll
@@ -8,12 +8,12 @@
 import semmle.code.cpp.models.interfaces.FormattingFunction
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
-import semmle.code.cpp.models.interfaces.Throwing
+import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard functions `printf`, `wprintf` and their glib variants.
  */
-private class Printf extends FormattingFunction, AliasFunction, NonThrowingFunction {
+private class Printf extends FormattingFunction, AliasFunction, NonCppThrowingFunction {
   Printf() {
     this instanceof TopLevelFunction and
     (
@@ -32,14 +32,12 @@ private class Printf extends FormattingFunction, AliasFunction, NonThrowingFunct
   override predicate parameterEscapesOnlyViaReturn(int n) { none() }
 
   override predicate parameterIsAlwaysReturned(int n) { none() }
-
-  override TCxxException getExceptionType() { any() }
 }
 
 /**
  * The standard functions `fprintf`, `fwprintf` and their glib variants.
  */
-private class Fprintf extends FormattingFunction, NonThrowingFunction {
+private class Fprintf extends FormattingFunction, NonCppThrowingFunction {
   Fprintf() {
     this instanceof TopLevelFunction and
     (
@@ -52,14 +50,12 @@ private class Fprintf extends FormattingFunction, NonThrowingFunction {
   override int getFormatParameterIndex() { result = 1 }
 
   override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = true }
-
-  override TCxxException getExceptionType() { any() }
 }
 
 /**
  * The standard function `sprintf` and its Microsoft and glib variants.
  */
-private class Sprintf extends FormattingFunction, NonThrowingFunction {
+private class Sprintf extends FormattingFunction, NonCppThrowingFunction {
   Sprintf() {
     this instanceof TopLevelFunction and
     (
@@ -97,14 +93,14 @@ private class Sprintf extends FormattingFunction, NonThrowingFunction {
     then result = 4
     else result = super.getFirstFormatArgumentIndex()
   }
-
-  override TCxxException getExceptionType() { any() }
 }
 
 /**
  * Implements `Snprintf`.
  */
-private class SnprintfImpl extends Snprintf, AliasFunction, SideEffectFunction, NonThrowingFunction {
+private class SnprintfImpl extends Snprintf, AliasFunction, SideEffectFunction,
+  NonCppThrowingFunction
+{
   SnprintfImpl() {
     this instanceof TopLevelFunction and
     (
@@ -171,8 +167,6 @@ private class SnprintfImpl extends Snprintf, AliasFunction, SideEffectFunction,
     // We don't know how many parameters are passed to the function since it's varargs, but they also have read side effects.
     i = this.getFormatParameterIndex() and buffer = true
   }
-
-  override TCxxException getExceptionType() { any() }
 }
 
 /**
@@ -213,7 +207,7 @@ private class StringCchPrintf extends FormattingFunction {
 /**
  * The standard function `syslog`.
  */
-private class Syslog extends FormattingFunction, NonThrowingFunction {
+private class Syslog extends FormattingFunction, NonCppThrowingFunction {
   Syslog() {
     this instanceof TopLevelFunction and
     this.hasGlobalName("syslog") and
@@ -223,6 +217,4 @@ private class Syslog extends FormattingFunction, NonThrowingFunction {
   override int getFormatParameterIndex() { result = 1 }
 
   override predicate isOutputGlobal() { any() }
-
-  override TCxxException getExceptionType() { any() }
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
@@ -7,15 +7,15 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.SideEffect
-import semmle.code.cpp.models.interfaces.Throwing
+import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard function `strcat` and its wide, sized, and Microsoft variants.
  *
  * Does not include `strlcat`, which is covered by `StrlcatFunction`
  */
 class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction,
-  NonThrowingFunction
+  NonCppThrowingFunction
 {
   StrcatFunction() {
     this.hasGlobalOrStdOrBslName([
@@ -94,8 +94,6 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
     (i = 0 or i = 1) and
     buffer = true
   }
-
-  override TCxxException getExceptionType() { any() }
 }
 
 /**
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
@@ -7,13 +7,13 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.SideEffect
-import semmle.code.cpp.models.interfaces.Throwing
+import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard function `strcpy` and its wide, sized, and Microsoft variants.
  */
 class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, SideEffectFunction,
-  NonThrowingFunction
+  NonCppThrowingFunction
 {
   StrcpyFunction() {
     this.hasGlobalOrStdOrBslName([
@@ -145,6 +145,4 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
     i = this.getParamDest() and
     result = this.getParamSize()
   }
-
-  override TCxxException getExceptionType() { any() }
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/StructuredExceptionHandling.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/StructuredExceptionHandling.qll
@@ -1,11 +1,7 @@
 import semmle.code.cpp.models.interfaces.Throwing
 
-class WindowsDriverExceptionAnnotation extends ThrowingFunction {
+class WindowsDriverExceptionAnnotation extends AlwaysSehThrowingFunction {
   WindowsDriverExceptionAnnotation() {
     this.hasGlobalName(["RaiseException", "ExRaiseAccessViolation", "ExRaiseDatatypeMisalignment"])
   }
-
-  override predicate mayThrowException(boolean unconditional) { unconditional = true }
-
-  override TSehException getExceptionType() { any() }
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/models/interfaces/NonThrowing.qll b/cpp/ql/lib/semmle/code/cpp/models/interfaces/NonThrowing.qll
@@ -5,9 +5,16 @@
 import semmle.code.cpp.Function
 import semmle.code.cpp.models.Models
 
+/**
+ * A function that is guaranteed to never throw a C++ exception
+ *
+ * The function may still raise a structured exception handling (SEH) exception.
+ */
+abstract class NonCppThrowingFunction extends Function { }
+
 /**
  * A function that is guaranteed to never throw.
  *
- * DEPRECATED: use `NonThrowingFunction` in `semmle.code.cpp.models.Models.Interfaces.Throwing` instead.
+ * DEPRECATED: use `NonCppThrowingFunction` instead.
  */
-abstract deprecated class NonThrowingFunction extends Function { }
+deprecated class NonThrowingFunction = NonCppThrowingFunction;
diff --git a/cpp/ql/lib/semmle/code/cpp/models/interfaces/Throwing.qll b/cpp/ql/lib/semmle/code/cpp/models/interfaces/Throwing.qll
@@ -11,65 +11,17 @@ import semmle.code.cpp.models.Models
 import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
 
 /**
- * Represents a type of exception,
- * either Structured Exception Handling (SEH) or C++ exceptions.
+ * A function that is known to raise an exception.
  */
-newtype TException =
-  /** Structured Exception Handling (SEH) exception */
-  TSehException() or
-  /** C++ exception */
-  TCxxException()
-
-/**
- * Functions with information about how an exception is thrown or if one is thrown at all.
- * If throwing details conflict for the same function, IR is assumed
- * to use the most restricted interpretation, meaning taking options
- * that stipulate no exception is raised, before the exception is always raised,
- * before conditional exceptions.
- *
- * Annotations must specify if the exception is from SEH (structured exception handling)
- * or ordinary c++ exceptions.
- */
-abstract private class ExceptionAnnotation extends Function {
-  /**
-   * Returns the type of exception this annotation is for,
-   * either a CPP exception or a STructured Exception Handling (SEH) exception.
-   */
-  abstract TException getExceptionType();
-
+abstract class ThrowingFunction extends Function {
   /**
-   * Holds if the exception type of this annotation is for a Structured Exception Handling (SEH) exception.
+   * Holds if this function may throw an exception during evaluation.
+   * If `unconditional` is `true` the function always throws an exception.
    */
-  final predicate isSeh() { this.getExceptionType() = TSehException() }
-
-  /**
-   * Holds if the exception type of this annotation is for a CPP exception.
-   */
-  final predicate isCxx() { this.getExceptionType() = TCxxException() }
+  abstract predicate mayThrowException(boolean unconditional);
 }
 
 /**
- * A Function that is known to not throw an exception.
+ * A function that unconditionally raises a structured exception handling (SEH) exception.
  */
-abstract class NonThrowingFunction extends ExceptionAnnotation { }
-
-/**
- * A function this is known to raise an exception.
- */
-abstract class ThrowingFunction extends ExceptionAnnotation {
-  ThrowingFunction() { any() }
-
-  /**
-   * Holds if this function may raise an exception during evaluation.
-   * If `unconditional` is `false` the function may raise, and if `true` the function
-   * will always raise an exception.
-   * Do not specify `none()` if no exception is raised, instead use the
-   * `NonThrowingFunction` class instead.
-   */
-  abstract predicate mayThrowException(boolean unconditional);
-
-  /**
-   * Holds if this function will always raise an exception if called
-   */
-  final predicate alwaysThrowsException() { this.mayThrowException(true) }
-}
+abstract class AlwaysSehThrowingFunction extends Function { }
diff --git a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -45,7 +45,7 @@ predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
  * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
  */
 predicate functionMayThrow(Function f) {
-  not f instanceof NonThrowingFunction and
+  not f instanceof NonCppThrowingFunction and
   (not exists(f.getBlock()) or stmtMayThrow(f.getBlock()))
 }
 

Original file line number	Diff line number	Diff line change
`@@ -364,10 +364,14 @@ class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {`
`364`	`364`
`365`	`365`	`final override predicate mayThrowException() {`
`366`	`366`	`expr.getTarget().(ThrowingFunction).mayThrowException(_)`
	`367`	`+ or`
	`368`	`+ expr.getTarget() instanceof AlwaysSehThrowingFunction`
`367`	`369`	`}`
`368`	`370`
`369`	`371`	`final override predicate mustThrowException() {`
`370`	`372`	`expr.getTarget().(ThrowingFunction).mayThrowException(true)`
	`373`	`+ or`
	`374`	`+ expr.getTarget() instanceof AlwaysSehThrowingFunction`
`371`	`375`	`}`
`372`	`376`	`}`
`373`	`377`
Original file line number	Diff line number	Diff line change
`@@ -8,10 +8,10 @@ import semmle.code.cpp.models.interfaces.ArrayFunction`
`8`	`8`	`import semmle.code.cpp.models.interfaces.DataFlow`
`9`	`9`	`import semmle.code.cpp.models.interfaces.Alias`
`10`	`10`	`import semmle.code.cpp.models.interfaces.SideEffect`
`11`		`-import semmle.code.cpp.models.interfaces.Throwing`
	`11`	`+import semmle.code.cpp.models.interfaces.NonThrowing`
`12`	`12`
`13`	`13`	`private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, AliasFunction,`
`14`		`- SideEffectFunction, NonThrowingFunction`
	`14`	`+ SideEffectFunction, NonCppThrowingFunction`
`15`	`15`	`{`
`16`	`16`	`MemsetFunctionModel() {`
`17`	`17`	`this.hasGlobalOrStdOrBslName("memset")`
`@@ -74,8 +74,6 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias`
`74`	`74`	`i = 0 and`
`75`	`75`	`if this.hasGlobalName(bzero()) then result = 1 else result = 2`
`76`	`76`	`}`
`77`		`-`
`78`		`- override TCxxException getExceptionType() { any() }`
`79`	`77`	`}`
`80`	`78`
`81`	`79`	`private string bzero() { result = ["bzero", "explicit_bzero"] }`
Original file line number	Diff line number	Diff line change
`@@ -7,15 +7,15 @@ import semmle.code.cpp.models.interfaces.ArrayFunction`
`7`	`7`	`import semmle.code.cpp.models.interfaces.DataFlow`
`8`	`8`	`import semmle.code.cpp.models.interfaces.Taint`
`9`	`9`	`import semmle.code.cpp.models.interfaces.SideEffect`
`10`		`-import semmle.code.cpp.models.interfaces.Throwing`
	`10`	`+import semmle.code.cpp.models.interfaces.NonThrowing`
`11`	`11`
`12`	`12`	`/**`
`13`	`13`	* The standard function `strcat` and its wide, sized, and Microsoft variants.
`14`	`14`	`*`
`15`	`15`	* Does not include `strlcat`, which is covered by `StrlcatFunction`
`16`	`16`	`*/`
`17`	`17`	`class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction,`
`18`		`- NonThrowingFunction`
	`18`	`+ NonCppThrowingFunction`
`19`	`19`	`{`
`20`	`20`	`StrcatFunction() {`
`21`	`21`	`this.hasGlobalOrStdOrBslName([`
`@@ -94,8 +94,6 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid`
`94`	`94`	`(i = 0 or i = 1) and`
`95`	`95`	`buffer = true`
`96`	`96`	`}`
`97`		`-`
`98`		`- override TCxxException getExceptionType() { any() }`
`99`	`97`	`}`
`100`	`98`
`101`	`99`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,7 @@`
`1`	`1`	`import semmle.code.cpp.models.interfaces.Throwing`
`2`	`2`
`3`		`-class WindowsDriverExceptionAnnotation extends ThrowingFunction {`
	`3`	`+class WindowsDriverExceptionAnnotation extends AlwaysSehThrowingFunction {`
`4`	`4`	`WindowsDriverExceptionAnnotation() {`
`5`	`5`	`this.hasGlobalName(["RaiseException", "ExRaiseAccessViolation", "ExRaiseDatatypeMisalignment"])`
`6`	`6`	`}`
`7`		`-`
`8`		`- override predicate mayThrowException(boolean unconditional) { unconditional = true }`
`9`		`-`
`10`		`- override TSehException getExceptionType() { any() }`
`11`	`7`	`}`