Brodes/seh flow overhaul2

cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll

@@ -8,7 +8,7 @@
   TGotoEdge() or // Single successor (including fall-through)
   TTrueEdge() or // 'true' edge of conditional branch
   TFalseEdge() or // 'false' edge of conditional branch
-  TExceptionEdge() or // Thrown exception
+  TExceptionEdge(boolean isSEH){isSEH in [true, false]} or // Thrown exception, true for SEH exceptions, false otherwise
   TDefaultEdge() or // 'default' label of switch
   TCaseEdge(string minValue, string maxValue) {
     // Case label of switch
@@ -54,7 +54,18 @@
  * instruction's evaluation throws an exception.
  */
 class ExceptionEdge extends EdgeKind, TExceptionEdge {
-  final override string toString() { result = "Exception" }
+  boolean isSEH; //true for Structured Exception Handling, false for C++ exceptions
+
+  ExceptionEdge() { this = TExceptionEdge(isSEH) }
+
+  /**
+   * Holds if the exception is a Structured Exception Handling (SEH) exception.
+   */
+  final predicate isSEH() { isSEH = true }
+
+  final override string toString() { 
+    result = "Exception"
+   }
 }
 
 /**
@@ -123,7 +134,7 @@
   /**
    * Gets the single instance of the `ExceptionEdge` class.
    */
-  ExceptionEdge exceptionEdge() { result = TExceptionEdge() }
+  ExceptionEdge exceptionEdge() { result = TExceptionEdge(_) }
 
   /**
    * Gets the single instance of the `DefaultEdge` class.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -83,14 +83,38 @@
         any(UnreachedInstruction instr |
           this.getEnclosingFunction().getFunction() = instr.getEnclosingFunction()
         )
-    else (
-      not this.mustThrowException() and
-      result = this.getParent().getChildSuccessor(this, kind)
-      or
-      this.mayThrowException() and
-      kind instanceof ExceptionEdge and
-      result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge))
-    )
+    else
+      exists(boolean isSEH |
+        isSEH = true and kind.(ExceptionEdge).isSEH()
+        or
+        isSEH = false and not kind.(ExceptionEdge).isSEH()
+      |
+        // Call throw behavior is resolved from most restricted to least restricted in order
+        // if there are conflicting throwing specificaitons for a function.
+        // Enumerating all scenarios to be explicit.
+        (
+          // If the call is known to never throw, regardless of other defined throwing behavior,
+          // do not generate any exception edges, only an ordinary successor
+          if this.(TranslatedCallExpr).neverRaiseException(isSEH)
+          then result = this.getParent().getChildSuccessor(this, kind)
+          else
+            // If the call is known to always throw, regardless of other defined throwing behavior,
+            // only generate an exception edge.
+            if this.(TranslatedCallExpr).alwaysRaiseException(isSEH)
+            then result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge), isSEH)
+            else
+              if this.(TranslatedCallExpr).mayRaiseException(isSEH)
+              then (
+                // if the call is known to conditionally throw, generate both an exception edge and an
+                // ordinary successor
+                result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge), isSEH)
+                or
+                result = this.getParent().getChildSuccessor(this, kind)
+              ) else
+                // fallthrough case, no exceptions, just get the ordinary successor
+                result = this.getParent().getChildSuccessor(this, kind)
+        )
+      )
   }
 
   override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
@@ -117,14 +141,28 @@
   final override Instruction getResult() { result = this.getInstruction(CallTag()) }
 
   /**
-   * Holds if the evaluation of this call may throw an exception.
+   * The call target is known to always raise an exception.
+   * Note that `alwaysRaiseException`, `mayRaiseException`,
+   * and `neverRaiseException` may conflict (e.g., all hold for a given target).
+   * Conflicting results are resolved during IR generation.
+   */
+  abstract predicate alwaysRaiseException(boolean isSEH);
+
+  /**
+   * The call target is known to conditionally raise an exception.
+   * Note that `alwaysRaiseException`, `mayRaiseException`,
+   * and `neverRaiseException` may conflict (e.g., all hold for a given target).
+   * Conflicting results are resolved during IR generation.
    */
-  abstract predicate mayThrowException();
+  abstract predicate mayRaiseException(boolean isSEH);
 
   /**
-   * Holds if the evaluation of this call always throws an exception.
+   * The call target is known to never raise an exception.
+   * Note that `alwaysRaiseException`, `mayRaiseException`,
+   * and `neverRaiseException` may conflict (e.g., all hold for a given target).
+   * Conflicting results are resolved during IR generation.
    */
-  abstract predicate mustThrowException();
+  abstract predicate neverRaiseException(boolean isSEH);
 
   /**
    * Gets the result type of the call.
@@ -320,6 +358,34 @@
   final override int getNumberOfArguments() { result = expr.getNumberOfArguments() }
 
   final override predicate isNoReturn() { any(Options opt).exits(expr.getTarget()) }
+
+  override Function getInstructionFunction(InstructionTag tag) {
+    tag = CallTargetTag() and result = expr.getTarget()
+  }
+
+  override predicate alwaysRaiseException(boolean isSEH) {
+    exists(ThrowingFunction f | f = expr.getTarget() |
+      f.alwaysRaisesException() and f.isSEH() and isSEH = true
+      or
+      f.alwaysRaisesException() and f.isCxx() and isSEH = false
+    )
+  }
+
+  override predicate mayRaiseException(boolean isSEH) {
+    exists(ThrowingFunction f | f = expr.getTarget() |
+      f.mayRaiseException() and f.isSEH() and isSEH = true
+      or
+      f.mayRaiseException() and f.isCxx() and isSEH = false
+    )
+  }
+
+  override predicate neverRaiseException(boolean isSEH) {
+    exists(NonThrowingFunction f | f = expr.getTarget() |
+      f.isSEH() and isSEH = true
+      or
+      f.isCxx() and isSEH = false
+    )
+  }
 }
 
 /**
@@ -332,14 +398,44 @@
     result = getTranslatedExpr(expr.getExpr().getFullyConverted())
   }
 
-  final override predicate mayThrowException() {
-    // We assume that a call to a function pointer will not throw an exception.
+  override predicate alwaysRaiseException(boolean isSEH) {
+    // We assume that a call to a function pointer will not throw a CXX exception.
     // This is not sound in general, but this will greatly reduce the number of
     // exceptional edges.
-    none()
+    // For SEH exceptions, use the defined ThrowingFunction behavior and
+    // if no throwing function is found, assume a conditional SEH exception
+    // see `mayRaiseException`
+    exists(ThrowingFunction f | f = expr.getTarget() |
+      f.alwaysRaisesException() and f.isSEH() and isSEH = true
+    )
+  }
+
+  override predicate mayRaiseException(boolean isSEH) {
+    // We assume that a call to a function pointer will not throw a CXX exception.
+    // This is not sound in general, but this will greatly reduce the number of
+    // exceptional edges.
+    // For SEH exceptions, use the defined ThrowingFunction behavior.
+    // ASSUMPTION: if no ThrowingFunction is found for the given call, assume a conditional SEH exception
+    // on the call.
+    exists(ThrowingFunction f | f = expr.getTarget() |
+      f.mayRaiseException() and f.isSEH() and isSEH = true
+    )
+    or
+    not exists(ThrowingFunction f | f = expr.getTarget() and f.isSEH()) and
+    isSEH = true
   }
 
-  final override predicate mustThrowException() { none() }
+  override predicate neverRaiseException(boolean isSEH) {
+    // We assume that a call to a function pointer will not throw a CXX exception.
+    // This is not sound in general, but this will greatly reduce the number of
+    // exceptional edges.
+    // For SEH exceptions, use the defined ThrowingFunction behavior and
+    // if no throwing function is found, assume a conditional SEH exception
+    // see `mayRaiseException`
+    exists(NonThrowingFunction f | f = expr.getTarget() |
+      f.isSEH() and isSEH = true
+    )
+  }
 }
 
 /**
@@ -348,10 +444,6 @@
 class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
   override FunctionCall expr;
 
-  override Function getInstructionFunction(InstructionTag tag) {
-    tag = CallTargetTag() and result = expr.getTarget()
-  }
-
   override Instruction getQualifierResult() {
     this.hasQualifier() and
     result = this.getQualifier().getResult()
@@ -361,14 +453,6 @@
     exists(this.getQualifier()) and
     not exists(MemberFunction func | expr.getTarget() = func and func.isStatic())
   }
-
-  final override predicate mayThrowException() {
-    expr.getTarget().(ThrowingFunction).mayThrowException(_)
-  }
-
-  final override predicate mustThrowException() {
-    expr.getTarget().(ThrowingFunction).mayThrowException(true)
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll

@@ -165,8 +165,14 @@ class TranslatedStaticLocalVariableDeclarationEntry extends TranslatedDeclaratio
     result = this.getInstruction(DynamicInitializationFlagLoadTag())
     or
     tag = DynamicInitializationFlagLoadTag() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(DynamicInitializationConditionalBranchTag())
+    (
+      kind instanceof GotoEdge and
+      result = this.getInstruction(DynamicInitializationConditionalBranchTag())
+      or
+      // All load instructions may throw an SEH exception
+      kind.(ExceptionEdge).isSEH() and
+      result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge e), true)
+    )
     or
     tag = DynamicInitializationConditionalBranchTag() and
     (
@@ -182,7 +188,12 @@ class TranslatedStaticLocalVariableDeclarationEntry extends TranslatedDeclaratio
     result = this.getInstruction(DynamicInitializationFlagStoreTag())
     or
     tag = DynamicInitializationFlagStoreTag() and
-    result = this.getParent().getChildSuccessor(this, kind)
+    (
+      result = this.getParent().getChildSuccessor(this, kind)
+      or
+      // All store instructions may throw an SEH exception
+      result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge e), true) and kind.(ExceptionEdge).isSEH()
+    )
   }
 
   final override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -1104,9 +1104,13 @@
    * within this element. This will generally return first `catch` block of the
    * nearest enclosing `try`, or the `Unwind` instruction for the function if
    * there is no enclosing `try`. The successor edge kind is specified by `kind`.
+   * 
+   * `isSEH` is true if the exception is a structured exception, false if otherwise.
+   * The boolean value can be extracted from `ExceptionEdge` from the exception 
+   * edge triggering the call to this function.
    */
-  Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
-    result = this.getParent().getExceptionSuccessorInstruction(kind)
+  Instruction getExceptionSuccessorInstruction(EdgeKind kind, boolean isSEH) {
+    result = this.getParent().getExceptionSuccessorInstruction(kind, isSEH)
   }
 
   /**