Exclude if (f) f() from EXP-16-C

MichaelRFairhurst · MichaelRFairhurst · commit e655ed85787c · 2025-06-19T14:56:50.000-07:00
diff --git a/c/cert/src/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.ql b/c/cert/src/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.ql
@@ -17,33 +17,11 @@
  */
 
 import cpp
+import semmle.code.cpp.controlflow.IRGuards
 import codingstandards.c.cert
 import codingstandards.cpp.types.FunctionType
-import semmle.code.cpp.controlflow.IRGuards
-
-class FunctionExpr extends Expr {
-  Element function;
-  string funcName;
-
-  FunctionExpr() {
-    function = this.(FunctionAccess).getTarget() and
-    funcName = "Function " + function.(Function).getName()
-    or
-    this.(VariableAccess).getUnderlyingType() instanceof FunctionType and
-    function = this and
-    funcName = "Function pointer variable " + this.(VariableAccess).getTarget().getName()
-    or
-    this.getUnderlyingType() instanceof FunctionType and
-    not this instanceof FunctionAccess and
-    not this instanceof VariableAccess and
-    function = this and
-    funcName = "Expression with function pointer type"
-  }
-
-  Element getFunction() { result = function }
-
-  string getFuncName() { result = funcName }
-}
+import codingstandards.cpp.exprs.FunctionExprs
+import codingstandards.cpp.exprs.Guards
 
 abstract class EffectivelyComparison extends Element {
   abstract string getExplanation();
@@ -85,6 +63,7 @@ where
   not isExcluded(comparison,
     Expressions2Package::doNotCompareFunctionPointersToConstantValuesQuery()) and
   funcExpr = comparison.getFunctionExpr() and
+  not exists(NullFunctionCallGuard nullGuard | nullGuard.getFunctionExpr() = funcExpr) and
   function = funcExpr.getFunction() and
-  funcName = funcExpr.getFuncName()
+  funcName = funcExpr.describe()
 select comparison, comparison.getExplanation(), function, funcName
diff --git a/c/cert/test/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.expected b/c/cert/test/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.expected
@@ -1,16 +1,20 @@
-| test.c:17:7:17:13 | ... == ... | $@ compared to constant value. | test.c:3:5:3:6 | f1 | Function f1 |
-| test.c:20:7:20:12 | ... > ... | $@ compared to constant value. | test.c:3:5:3:6 | f1 | Function f1 |
-| test.c:29:7:29:13 | ... == ... | $@ compared to constant value. | test.c:29:7:29:8 | g1 | Function pointer variable g1 |
-| test.c:32:7:32:16 | ... == ... | $@ compared to constant value. | test.c:32:7:32:8 | g2 | Function pointer variable g2 |
-| test.c:35:7:35:15 | ... != ... | $@ compared to constant value. | test.c:35:7:35:8 | g1 | Function pointer variable g1 |
-| test.c:38:7:38:8 | f1 | $@ undergoes implicit constant comparison. | test.c:3:5:3:6 | f1 | Function f1 |
-| test.c:41:7:41:8 | g1 | $@ undergoes implicit constant comparison. | test.c:41:7:41:8 | g1 | Function pointer variable g1 |
-| test.c:68:7:68:27 | ... == ... | $@ compared to constant value. | test.c:3:5:3:6 | f1 | Function f1 |
-| test.c:71:7:71:18 | ... == ... | $@ compared to constant value. | test.c:3:5:3:6 | f1 | Function f1 |
-| test.c:74:7:76:14 | ... == ... | $@ compared to constant value. | test.c:3:5:3:6 | f1 | Function f1 |
-| test.c:83:3:83:9 | ... == ... | $@ compared to constant value. | test.c:83:3:83:4 | l1 | Function pointer variable l1 |
-| test.c:84:3:84:12 | ... == ... | $@ compared to constant value. | test.c:84:3:84:4 | l1 | Function pointer variable l1 |
-| test.c:91:3:91:4 | g1 | $@ undergoes implicit constant comparison. | test.c:91:3:91:4 | g1 | Function pointer variable g1 |
-| test.c:96:7:96:18 | ... == ... | $@ compared to constant value. | test.c:96:9:96:10 | fp | Function pointer variable fp |
-| test.c:102:7:102:22 | ... == ... | $@ compared to constant value. | test.c:14:11:14:21 | get_handler | Function get_handler |
+| test.c:17:7:17:13 | ... == ... | $@ compared to constant value. | test.c:3:5:3:6 | f1 | Address of function f1 |
+| test.c:20:7:20:12 | ... > ... | $@ compared to constant value. | test.c:3:5:3:6 | f1 | Address of function f1 |
+| test.c:29:7:29:13 | ... == ... | $@ compared to constant value. | test.c:4:8:4:9 | g1 | Function pointer variable g1 |
+| test.c:32:7:32:16 | ... == ... | $@ compared to constant value. | test.c:5:7:5:8 | g2 | Function pointer variable g2 |
+| test.c:35:7:35:15 | ... != ... | $@ compared to constant value. | test.c:4:8:4:9 | g1 | Function pointer variable g1 |
+| test.c:38:7:38:8 | f1 | $@ undergoes implicit constant comparison. | test.c:3:5:3:6 | f1 | Address of function f1 |
+| test.c:41:7:41:8 | g1 | $@ undergoes implicit constant comparison. | test.c:4:8:4:9 | g1 | Function pointer variable g1 |
+| test.c:68:7:68:27 | ... == ... | $@ compared to constant value. | test.c:3:5:3:6 | f1 | Address of function f1 |
+| test.c:71:7:71:18 | ... == ... | $@ compared to constant value. | test.c:3:5:3:6 | f1 | Address of function f1 |
+| test.c:74:7:76:14 | ... == ... | $@ compared to constant value. | test.c:3:5:3:6 | f1 | Address of function f1 |
+| test.c:83:3:83:9 | ... == ... | $@ compared to constant value. | test.c:82:10:82:11 | l1 | Function pointer variable l1 |
+| test.c:84:3:84:12 | ... == ... | $@ compared to constant value. | test.c:82:10:82:11 | l1 | Function pointer variable l1 |
+| test.c:91:3:91:4 | g1 | $@ undergoes implicit constant comparison. | test.c:4:8:4:9 | g1 | Function pointer variable g1 |
+| test.c:96:7:96:18 | ... == ... | $@ compared to constant value. | test.c:9:9:9:10 | fp | Function pointer variable fp |
+| test.c:102:7:102:22 | ... == ... | $@ compared to constant value. | test.c:14:11:14:21 | get_handler | Address of function get_handler |
 | test.c:105:7:105:24 | ... == ... | $@ compared to constant value. | test.c:105:7:105:17 | call to get_handler | Expression with function pointer type |
+| test.c:121:7:121:13 | ... != ... | $@ compared to constant value. | test.c:3:5:3:6 | f1 | Address of function f1 |
+| test.c:133:7:133:13 | ... != ... | $@ compared to constant value. | test.c:4:8:4:9 | g1 | Function pointer variable g1 |
+| test.c:139:7:139:13 | ... == ... | $@ compared to constant value. | test.c:4:8:4:9 | g1 | Function pointer variable g1 |
+| test.c:149:8:149:9 | g1 | $@ undergoes implicit constant comparison. | test.c:4:8:4:9 | g1 | Function pointer variable g1 |
diff --git a/c/cert/test/rules/EXP16-C/test.c b/c/cert/test/rules/EXP16-C/test.c
@@ -94,7 +94,7 @@ void f6(void) {
 void f7(void) {
   struct S s;
   if (s.fp == NULL) // NON-COMPLIANT
-    return;
+    f1();
 
   if (s.fp() == NULL) // COMPLIANT
     return;
@@ -110,4 +110,44 @@ void f7(void) {
 
   if (get_handler()() == 0) // COMPLIANT
     return;
+}
+
+void f8(void) {
+  // Test instances of where the function pointer check is used to guard calls
+  // to that function.
+
+  // Technically, this function may perhaps be set to NULL by the linker. But
+  // it is not a variable that should need to be null-checked at runtime.
+  if (f1 != 0) // NON-COMPLIANT
+  {
+    f1();
+  }
+
+  // Check guards a call, so it is compliant.
+  if (g1 != 0) // COMPLIANT
+  {
+    g1();
+  }
+
+  // Incorrect check, not compliant.
+  if (g1 != 0) // NON-COMPLIANT
+  {
+    f1();
+  }
+
+  // Incorrect check, not compliant.
+  if (g1 == 0) // NON-COMPLIANT
+  {
+    g1();
+  }
+
+  if (g1) // COMPLIANT
+  {
+    g1();
+  }
+
+  if (!g1) // NON-COMPLIANT
+  {
+    g1();
+  }
 }
diff --git a/cpp/common/src/codingstandards/cpp/exprs/FunctionExprs.qll b/cpp/common/src/codingstandards/cpp/exprs/FunctionExprs.qll
@@ -0,0 +1,59 @@
+import cpp
+import codingstandards.cpp.types.FunctionType
+
+/**
+ * A class representing an expression that has a function pointer type. This can be a function
+ * access, a variable access, or any expression that has a function pointer type.
+ */
+abstract class FunctionExpr extends Expr {
+  /** Any element that could represent the function, for example, a variable or an expression. */
+  abstract Element getFunction();
+
+  /** A name or string that describes the function. */
+  abstract string describe();
+
+  /** Get calls of this function */
+  abstract Call getACall();
+}
+
+/**
+ * A function access is an an expression of function type where we know the function.
+ */
+class SimpleFunctionAccess extends FunctionExpr, FunctionAccess {
+  override Element getFunction() { result = this.getTarget() }
+
+  override string describe() { result = "Address of function " + this.getTarget().getName() }
+
+  override FunctionCall getACall() { result.getTarget() = this.getTarget() }
+}
+
+/**
+ * An access of a variable that has a function pointer type is also a function expression, for which
+ * we can track certain properties of the function.
+ */
+class FunctionVariableAccess extends FunctionExpr, VariableAccess {
+  FunctionVariableAccess() { this.getUnderlyingType() instanceof FunctionType }
+
+  override Element getFunction() { result = this.getTarget() }
+
+  override string describe() { result = "Function pointer variable " + this.getTarget().getName() }
+
+  override ExprCall getACall() { result.getExpr().(VariableAccess).getTarget() = this.getTarget() }
+}
+
+/**
+ * A function typed expression that is not a function access or a variable access.
+ */
+class FunctionTypedExpr extends FunctionExpr {
+  FunctionTypedExpr() {
+    this.getUnderlyingType() instanceof FunctionType and
+    not this instanceof FunctionAccess and
+    not this instanceof VariableAccess
+  }
+
+  override Element getFunction() { result = this }
+
+  override string describe() { result = "Expression with function pointer type" }
+
+  override ExprCall getACall() { result.getExpr() = this }
+}
diff --git a/cpp/common/src/codingstandards/cpp/exprs/Guards.qll b/cpp/common/src/codingstandards/cpp/exprs/Guards.qll
@@ -0,0 +1,34 @@
+import cpp
+import codeql.util.Boolean
+import semmle.code.cpp.controlflow.Guards
+import codingstandards.cpp.exprs.FunctionExprs
+
+/**
+ * A guard of the form: `if (funcPtr) funcPtr();`, e.g., a null check on a function before calling
+ * that function.
+ *
+ * Note this does not consider the above to be a null function call guard if `funcPtr` is a
+ * function name, as that could only be null via unusual linkage steps, and is not expected to be
+ * an intentional null check.
+ */
+class NullFunctionCallGuard extends GuardCondition {
+  FunctionExpr expr;
+
+  NullFunctionCallGuard() {
+    exists(BasicBlock block, Call guardedCall |
+      (
+        // Handles 'if (funcPtr != NULL)`:
+        this.ensuresEq(expr, 0, block, false)
+        or
+        // Handles `if (funcPtr)` in C where no implicit conversion to bool exists:
+        expr = this and
+        expr.getFunction() instanceof Variable and
+        this.controls(block, true)
+      ) and
+      guardedCall = expr.getACall() and
+      block.contains(guardedCall)
+    )
+  }
+
+  FunctionExpr getFunctionExpr() { result = expr }
+}
