Adding basic SEH edge support. SEH exceptions are only considered for calls. Load and store SEH handling will be addressed in a separate PR.

Author: bdrodes

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -4,6 +4,7 @@ private import semmle.code.cpp.ir.implementation.internal.OperandTag
 private import semmle.code.cpp.ir.internal.CppType
 private import semmle.code.cpp.models.interfaces.SideEffect
 private import semmle.code.cpp.models.interfaces.Throwing
+private import semmle.code.cpp.models.interfaces.NonThrowing
 private import InstructionTag
 private import SideEffects
 private import TranslatedElement
@@ -84,12 +85,14 @@ abstract class TranslatedCall extends TranslatedExpr {
           this.getEnclosingFunction().getFunction() = instr.getEnclosingFunction()
         )
     else (
-      not this.mustThrowException() and
+      not this.mustThrowException(_) and
       result = this.getParent().getChildSuccessor(this, kind)
       or
-      this.mayThrowException() and
-      kind instanceof CppExceptionEdge and
-      result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge))
+      exists(ExceptionEdge e | this.hasExceptionBehavior(e) |
+        this.mayThrowException(e) and
+        kind = e and
+        result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge), kind)
+      )
     )
   }
 
@@ -118,13 +121,42 @@ abstract class TranslatedCall extends TranslatedExpr {
 
   /**
    * Holds if the evaluation of this call may throw an exception.
+   * The edge `e` determines what type of exception is being considered,
+   * `CppExceptionEdge` or `SehExceptionEdge`.
    */
-  abstract predicate mayThrowException();
+  abstract predicate mayThrowException(ExceptionEdge e);
 
   /**
    * Holds if the evaluation of this call always throws an exception.
+   * The edge `e` determines what type of exception is being considered,
+   * `CppExceptionEdge` or `SehExceptionEdge`.
+   */
+  abstract predicate mustThrowException(ExceptionEdge e);
+
+  /**
+   * Holds when the call target is known to never raise an exception.
+   * The edge `e` determines what type of exception is being considered,
+   * `CppExceptionEdge` or `SehExceptionEdge`.
+   *
+   * Note that `alwaysRaiseException`, `mayRaiseException`,
+   * and `neverRaiseException` may conflict (e.g., all hold for a given target).
+   * Conflicting results are resolved during IR generation.
+   */
+  abstract predicate neverThrowException(ExceptionEdge e);
+
+  /**
+   * Holds if the call has any exception behavior defined for exception edge type `e`,
+   * i.e., if the function is known to throw or never throw an exception.
+   * This handles cases where a function has no annotation to specify
+   * if a function throws or doesn't throw.
    */
-  abstract predicate mustThrowException();
+  final predicate hasExceptionBehavior(ExceptionEdge e) {
+    this.mayThrowException(e)
+    or
+    this.mustThrowException(e)
+    or
+    this.neverThrowException(e)
+  }
 
   /**
    * Gets the result type of the call.
@@ -320,6 +352,32 @@ abstract class TranslatedCallExpr extends TranslatedNonConstantExpr, TranslatedC
   final override int getNumberOfArguments() { result = expr.getNumberOfArguments() }
 
   final override predicate isNoReturn() { any(Options opt).exits(expr.getTarget()) }
+
+  override predicate mustThrowException(ExceptionEdge e) {
+    // Functions that always raise exceptions only occur with Seh exceptions
+    // Use the `AlwaysSehThrowingFunction` instance unless the function is known to never throw
+    not this.neverThrowException(e) and
+    expr.getTarget() instanceof AlwaysSehThrowingFunction and
+    e instanceof SehExceptionEdge
+  }
+
+  override predicate mayThrowException(ExceptionEdge e) {
+    // by default, all functions may throw exceptions of any kind
+    // unless explicitly annotated to never throw
+    not this.neverThrowException(e) and
+    // for now assuming all calls may throw for Seh only
+    e instanceof SehExceptionEdge
+  }
+
+  override predicate neverThrowException(ExceptionEdge e) {
+    // currently, only functions can only explicitly stipulate they
+    // never through a C++ exception
+    // NOTE: we cannot simply check if not exists may and must throw.
+    // since an annotation exists to override any other behavior
+    // i.e., `NonCppThrowingFunction`.
+    e instanceof CppExceptionEdge and
+    expr.getTarget() instanceof NonCppThrowingFunction
+  }
 }
 
 /**
@@ -332,14 +390,16 @@ class TranslatedExprCall extends TranslatedCallExpr {
     result = getTranslatedExpr(expr.getExpr().getFullyConverted())
   }
 
-  final override predicate mayThrowException() {
+  final override predicate mayThrowException(ExceptionEdge e) { none() }
+
+  final override predicate mustThrowException(ExceptionEdge e) { none() }
+
+  final override predicate neverThrowException(ExceptionEdge e) {
     // We assume that a call to a function pointer will not throw an exception.
     // This is not sound in general, but this will greatly reduce the number of
     // exceptional edges.
-    none()
+    any()
   }
-
-  final override predicate mustThrowException() { none() }
 }
 
 /**
@@ -361,18 +421,6 @@ class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
     exists(this.getQualifier()) and
     not exists(MemberFunction func | expr.getTarget() = func and func.isStatic())
   }
-
-  final override predicate mayThrowException() {
-    expr.getTarget().(ThrowingFunction).mayThrowException(_)
-    or
-    expr.getTarget() instanceof AlwaysSehThrowingFunction
-  }
-
-  final override predicate mustThrowException() {
-    expr.getTarget().(ThrowingFunction).mayThrowException(true)
-    or
-    expr.getTarget() instanceof AlwaysSehThrowingFunction
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -1107,8 +1107,8 @@ abstract class TranslatedElement extends TTranslatedElement {
    * nearest enclosing `try`, or the `Unwind` instruction for the function if
    * there is no enclosing `try`. The successor edge kind is specified by `kind`.
    */
-  Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
-    result = this.getParent().getExceptionSuccessorInstruction(kind)
+  Instruction getExceptionSuccessorInstruction(EdgeKind kind, ExceptionEdge exception) {
+    result = this.getParent().getExceptionSuccessorInstruction(kind, exception)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -15,6 +15,7 @@ private import TranslatedInitialization
 private import TranslatedStmt
 private import TranslatedGlobalVar
 private import IRConstruction
+private import EdgeKind
 import TranslatedCall
 
 /**
@@ -2375,14 +2376,16 @@ class TranslatedAllocatorCall extends TTranslatedAllocatorCall, TranslatedDirect
         result = getTranslatedExpr(expr.getAllocatorCall().getArgument(index).getFullyConverted())
   }
 
-  final override predicate mayThrowException() {
+  final override predicate mayThrowException(ExceptionEdge e) { none() }
+
+  final override predicate mustThrowException(ExceptionEdge e) { none() }
+
+  final override predicate neverThrowException(ExceptionEdge e) {
     // We assume that a call to `new` or `new[]` will never throw. This is not
     // sound in general, but this will greatly reduce the number of exceptional
     // edges.
-    none()
+    any()
   }
-
-  final override predicate mustThrowException() { none() }
 }
 
 TranslatedAllocatorCall getTranslatedAllocatorCall(NewOrNewArrayExpr newExpr) {
@@ -2448,14 +2451,16 @@ class TranslatedDeleteOrDeleteArrayExpr extends TranslatedNonConstantExpr, Trans
     result = getTranslatedExpr(expr.getExprWithReuse().getFullyConverted())
   }
 
-  final override predicate mayThrowException() {
+  final override predicate mayThrowException(ExceptionEdge e) { none() }
+
+  final override predicate mustThrowException(ExceptionEdge e) { none() }
+
+  final override predicate neverThrowException(ExceptionEdge e) {
     // We assume that a call to `delete` or `delete[]` will never throw. This is not
     // sound in general, but this will greatly reduce the number of exceptional
     // edges.
-    none()
+    any()
   }
-
-  final override predicate mustThrowException() { none() }
 }
 
 TranslatedDeleteOrDeleteArrayExpr getTranslatedDeleteOrDeleteArray(DeleteOrDeleteArrayExpr newExpr) {
@@ -3040,7 +3045,7 @@ class TranslatedDestructorsAfterThrow extends TranslatedElement, TTranslatedDest
       // And otherwise, exit this element with an exceptional edge
       not exists(this.getChild(id + 1)) and
       kind instanceof CppExceptionEdge and
-      result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge))
+      result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge), kind)
     )
   }
 
@@ -3079,7 +3084,7 @@ abstract class TranslatedThrowExpr extends TranslatedNonConstantExpr {
       or
       not exists(this.getDestructors()) and
       kind instanceof CppExceptionEdge and
-      result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge))
+      result = this.getParent().getExceptionSuccessorInstruction(any(GotoEdge edge), kind)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -209,12 +209,14 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
       (
         // Only generate the `Unwind` instruction if there is any exception
         // handling present in the function.
-        exists(TryOrMicrosoftTryStmt try | try.getEnclosingFunction() = func)
+        // Do not unwind for MicrosoftTryStmt (SEH), as an optimization (SEH exception
+        // will occur at any store/load, so unwind would appear everywhere as a result)
+        exists(TryStmt try | try.getEnclosingFunction() = func)
         or
         exists(ThrowExpr throw | throw.getEnclosingFunction() = func)
         or
-        exists(FunctionCall call | call.getEnclosingFunction() = func |
-          getTranslatedExpr(call).(TranslatedCallExpr).mayThrowException()
+        exists(FunctionCall call, CppExceptionEdge exception | call.getEnclosingFunction() = func |
+          getTranslatedExpr(call).(TranslatedCallExpr).mayThrowException(exception)
         )
       )
       or
@@ -228,7 +230,10 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
     )
   }
 
-  final override Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
+  final override Instruction getExceptionSuccessorInstruction(EdgeKind kind, ExceptionEdge exception) {
+    // only unwind for C++ exceptions since SEH exceptions are too verbose
+    // and would generate unwind for all functions.
+    exception instanceof CppExceptionEdge and
     result = this.getInstruction(UnwindTag()) and
     kind instanceof GotoEdge
   }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -10,6 +10,7 @@ private import TranslatedElement
 private import TranslatedExpr
 private import TranslatedFunction
 private import TranslatedInitialization
+private import EdgeKind
 
 TranslatedStmt getTranslatedStmt(Stmt stmt) { result.getAst() = stmt }
 
@@ -151,7 +152,7 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
       // TODO: This is not really correct. The semantics of `EXCEPTION_CONTINUE_EXECUTION` is that
       // we should continue execution at the point where the exception occurred. But we don't have
       // any instruction to model this behavior.
-      result = this.getExceptionSuccessorInstruction(any(GotoEdge edge))
+      result = this.getExceptionSuccessorInstruction(any(GotoEdge edge), sehExceptionEdge())
       or
       kind instanceof FalseEdge and
       result = this.getInstruction(TryExceptGenerateZero())
@@ -171,7 +172,7 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
     tag = TryExceptCompareZeroBranch() and
     (
       kind instanceof TrueEdge and
-      result = this.getExceptionSuccessorInstruction(any(GotoEdge edge))
+      result = this.getExceptionSuccessorInstruction(any(GotoEdge edge), sehExceptionEdge())
       or
       kind instanceof FalseEdge and
       result = this.getInstruction(TryExceptGenerateOne())
@@ -226,10 +227,10 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
 
   final override Function getFunction() { result = tryExcept.getEnclosingFunction() }
 
-  override Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
+  override Instruction getExceptionSuccessorInstruction(EdgeKind kind, ExceptionEdge exception) {
     // A throw from within a `__except` block flows to the handler for the parent of
     // the `__try`.
-    result = this.getParent().getParent().getExceptionSuccessorInstruction(kind)
+    result = this.getParent().getParent().getExceptionSuccessorInstruction(kind, exception)
   }
 }
 
@@ -282,10 +283,10 @@ class TranslatedMicrosoftTryFinallyHandler extends TranslatedElement,
     result = getTranslatedStmt(tryFinally.getFinally())
   }
 
-  override Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
+  override Instruction getExceptionSuccessorInstruction(EdgeKind kind, ExceptionEdge exception) {
     // A throw from within a `__finally` block flows to the handler for the parent of
     // the `__try`.
-    result = this.getParent().getParent().getExceptionSuccessorInstruction(kind)
+    result = this.getParent().getParent().getExceptionSuccessorInstruction(kind, exception)
   }
 }
 
@@ -734,14 +735,32 @@ class TranslatedTryStmt extends TranslatedStmt {
     // of the `try`, because the exception successor of the `try` itself is
     // the first catch clause.
     handler = this.getHandler(stmt.getNumberOfCatchClauses() - 1) and
-    result = this.getParent().getExceptionSuccessorInstruction(kind)
+    exists(ExceptionEdge exception |
+      stmt instanceof MicrosoftTryStmt and exception instanceof SehExceptionEdge
+      or
+      stmt instanceof TryStmt and exception instanceof CppExceptionEdge
+    |
+      result = this.getParent().getExceptionSuccessorInstruction(kind, exception)
+    )
   }
 
-  final override Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
-    result = this.getHandler(0).getFirstInstruction(kind)
-    or
-    not exists(this.getHandler(_)) and
-    result = this.getFinally().getFirstInstruction(kind)
+  final override Instruction getExceptionSuccessorInstruction(EdgeKind kind, ExceptionEdge exception) {
+    // Seh exceptions are only handled for Seh try statements and
+    // C++ exceptions for C++ try statements.
+    // I.e., we are assuming there isn't a mix and match between Seh and C++ exceptions.
+    // They are either all Seh or all C++ within a single try block depending on the
+    // try type (TryStmt vs MicrosoftTryStmt).
+    (
+      stmt instanceof TryStmt and exception instanceof CppExceptionEdge
+      or
+      stmt instanceof MicrosoftTryStmt and exception instanceof SehExceptionEdge
+    ) and
+    (
+      result = this.getHandler(0).getFirstInstruction(kind)
+      or
+      not exists(this.getHandler(_)) and
+      result = this.getFinally().getFirstInstruction(kind)
+    )
   }
 
   private TranslatedElement getHandler(int index) { result = stmt.getTranslatedHandler(index) }
@@ -821,10 +840,10 @@ abstract class TranslatedHandler extends TranslatedStmt {
     child = this.getBlock() and result = this.getParent().getChildSuccessor(this, kind)
   }
 
-  override Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
+  override Instruction getExceptionSuccessorInstruction(EdgeKind kind, ExceptionEdge exception) {
     // A throw from within a `catch` block flows to the handler for the parent of
     // the `try`.
-    result = this.getParent().getParent().getExceptionSuccessorInstruction(kind)
+    result = this.getParent().getParent().getExceptionSuccessorInstruction(kind, exception)
   }
 
   TranslatedStmt getBlock() { result = getTranslatedStmt(stmt.getBlock()) }

cpp/ql/lib/semmle/code/cpp/models/interfaces/Throwing.qll

@@ -12,8 +12,14 @@ import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
 
 /**
  * A function that is known to raise an exception.
+ *
+ * DEPRECATED: This was originally used to differentiate Seh and C++ exception use.
+ * `AlwaysSehThrowingFunction` should be used instead for Seh exceptions that are
+ * known to always throw and
+ * `NonCppThrowingFunction` in `semmle.code.cpp.models.interfaces.NonThrowing`
+ * should be used for C++ exceptions that are known to never throw.
  */
-abstract class ThrowingFunction extends Function {
+abstract deprecated class ThrowingFunction extends Function {
   /**
    * Holds if this function may throw an exception during evaluation.
    * If `unconditional` is `true` the function always throws an exception.