From 434973f8e6f8290c6a9507c0a52e17098726d971 Mon Sep 17 00:00:00 2001
From: Mrigank Pawagi
Date: Thu, 5 Jun 2025 09:48:37 +0000
Subject: [PATCH 1/3] Update GlobalUseBeforeInit.ql

---
 cpp/ql/src/Critical/GlobalUseBeforeInit.ql | 23 +++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
index e9a637bd7d73..0b504060c178 100644
--- a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
+++ b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
@@ -21,13 +21,23 @@ predicate initFunc(GlobalVariable v, Function f) {
 )
 }
 
+/** Holds if `v` has an initializer in function `f` that dominates `node`. **/
+predicate dominatingInitInFunc(GlobalVariable v, Function f, ControlFlowNode node) {
+ exists(VariableAccess initAccess |
+ v.getAnAccess() = initAccess and
+ initAccess.isUsedAsLValue() and
+ initAccess.getEnclosingFunction() = f and
+ dominates(initAccess, node)
+ )
+}
+
 predicate useFunc(GlobalVariable v, Function f) {
 exists(VariableAccess access |
 v.getAnAccess() = access and
 access.isRValue() and
- access.getEnclosingFunction() = f
- ) and
- not initFunc(v, f)
+ access.getEnclosingFunction() = f and
+ not dominatingInitInFunc(v, f, access)
+ )
 }
 
 predicate uninitialisedBefore(GlobalVariable v, Function f) {
@@ -38,12 +48,14 @@ predicate uninitialisedBefore(GlobalVariable v, Function f) {
 exists(Call call, Function g |
 uninitialisedBefore(v, g) and
 call.getEnclosingFunction() = g and
- (not functionInitialises(f, v) or locallyUninitialisedAt(v, call)) and
+ (not functionInitialises(g, v) or locallyUninitialisedAt(v, call)) and
 resolvedCall(call, f)
 )
 }
 
 predicate functionInitialises(Function f, GlobalVariable v) {
+ initFunc(v, f)
+ or
 exists(Call call |
 call.getEnclosingFunction() = f and
 initialisedBy(v, call)
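Review bot: In the new `useFunc` conjunct `not dominatingInitInFunc(v, f, access)`, nothing requires `initAccess` to differ from `node`, and `dominates` is reflexive as far as I recall from Dominance.qll, so an access of `v` that is both an rvalue and an lvalue (a compound assignment or increment, if `isRValue()` and `isUsedAsLValue()` can both hold for the same VariableAccess) would be excused by itself and the read-before-write in `v += 1` would not count as a use. Requiring an earlier write, `initAccess != node and dominates(initAccess, node)`, rules that out without affecting the other cases. The QLDoc would also benefit from stating what counts as an initializer and that the check is intra-procedural, e.g. `/** Holds if an lvalue access of v in f dominates node; any write to v counts, and only f's own control flow is considered. */`.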
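Review bot: `functionInitialises(g, v)` now holds for any function containing a write to `v`, regardless of where that write sits relative to the call, so for `void g() { f1(); b = 2; }` the `not functionInitialises(g, v)` disjunct on the changed line is false and reporting `f1` through `g` rests entirely on `locallyUninitialisedAt(v, call)`. If that predicate still begins by requiring `useFunc(v, call.getEnclosingFunction())` (its opening lines are outside this patch), a caller that writes `v` after the call but never reads it would stop propagating `uninitialisedBefore`, a false negative that the new test does not exercise. Adding such a caller to test.cpp, reached from main before `b` is written, would pin the intended behaviour either way. uninitialisedBefore's base case is outside the hunk.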
@@ -60,7 +72,8 @@ predicate locallyUninitialisedAt(GlobalVariable v, Call call) {
 exists(Call mid |
 locallyUninitialisedAt(v, mid) and
 not initialisedBy(v, mid) and
 callPair(mid, call)
 )
- )
+ ) and
+ not dominatingInitInFunc(v, call.getEnclosingFunction(), call)
 }
 
 predicate initialisedBy(GlobalVariable v, Call call) {

From 93c485fb139bd2dc0ec61e12638d45c3716aba67 Mon Sep 17 00:00:00 2001
From: Mrigank Pawagi
Date: Thu, 5 Jun 2025 13:26:38 +0000
Subject: [PATCH 2/3] apply proper formatting in comment

---
 cpp/ql/src/Critical/GlobalUseBeforeInit.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
index 0b504060c178..fcdd35e49940 100644
--- a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
+++ b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
@@ -21,7 +21,7 @@ predicate initFunc(GlobalVariable v, Function f) {
 )
 }
 
-/** Holds if `v` has an initializer in function `f` that dominates `node`. **/
+/** Holds if `v` has an initializer in function `f` that dominates `node`. */
 predicate dominatingInitInFunc(GlobalVariable v, Function f, ControlFlowNode node) {
 exists(VariableAccess initAccess |
 v.getAnAccess() = initAccess and

From 114b46824a021955a5f106121e2095121e1dc177 Mon Sep 17 00:00:00 2001
From: Mrigank Pawagi
Date: Thu, 5 Jun 2025 15:56:35 +0000
Subject: [PATCH 3/3] update test

---
 .../GlobalUseBeforeInit/GlobalUseBeforeInit.expected | 1 +
 .../query-tests/Critical/GlobalUseBeforeInit/test.cpp | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.expected b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.expected
index c7c2d1ffad49..315b303de9dc 100644
--- a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.expected
+++ b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.expected
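Review bot: The new conjunct `not dominatingInitInFunc(v, call.getEnclosingFunction(), call)` changes what locallyUninitialisedAt means, but the predicate's documentation, whose header is outside the hunk, is not touched by this patch and should say so. Suggested wording: `/** Holds if v may still be uninitialised when call is reached, following the chain of calls made so far in the enclosing function; a call dominated by a write to v in that function is excluded. */`. It is worth adding that this check and the existing `not initialisedBy(v, mid)` on the recursive path are complementary, one covering direct writes and the other initialisation through earlier calls, so neither is redundant.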
@@ -1 +1,2 @@
 | test.cpp:27:5:27:6 | f1 | The variable $@ is used in this function but may not be initialized when it is called. | test.cpp:14:5:14:5 | b | b |
+| test.cpp:38:5:38:8 | main | The variable $@ is used in this function but may not be initialized when it is called. | test.cpp:14:5:14:5 | b | b |
diff --git a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp
index fcecf6c5c44a..ea3f2ceacd9a 100644
--- a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp
+++ b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp
@@ -31,8 +31,14 @@ int f1()
 return 0;
 }
 
+void f2() {
+ my_printf("%d\n", b); // GOOD
+}
+
 int main() {
- int b = f1();
+ my_printf("%d\n", b); // BAD
+ b = f1();
+ f2();
 return 0;
 }
\ No newline at end of file
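Review bot: The new test only pins the straight-line case, where `f2` is GOOD because `b = f1();` dominates `f2();` and `main` is BAD because of the read placed before it; the situations in which the dominance check differs from the old per-function check are not exercised. Consider adding a conditional write, `if (c) b = 1; my_printf("%d\n", b); // BAD`, in a function reached from main before `b` is written, and a caller that writes after calling, `void g() { f1(); b = 2; }`, likewise reached before the write, with GlobalUseBeforeInit.expected updated to match. Replacing `int b = f1();` with `b = f1();` also removes a local `b` that shadowed the global; if that shadowing was deliberate coverage, keep it in a separate function.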