C++: Adds another redundant null check rule #3921
Conversation
Thank you for the contribution. I look forward to seeing what results it has on a larger set of projects.
Please go through the steps in CONTRIBUTING.md -- in particular the steps where the query is moved to experimental and auto-formatted.
| ) and | ||
| //Simple test if the first access in this code path is dereferenced | ||
| not dereferenced(checked) and | ||
| blockDominates(checked.getEnclosingBlock(), unchecked.getEnclosingBlock()) |
There was a problem hiding this comment.
| blockDominates(checked.getEnclosingBlock(), unchecked.getEnclosingBlock()) | |
| bbDominates(checked.getBasicBlock(), unchecked.getBasicBlock()) |
I'm guessing you're interested in BasicBlock (from the control-flow graph) rather than Block (from the tree of statements). A Block is a { ...; ...; } statement.
If so, you can delete the location-based blockDominates predicate.
There was a problem hiding this comment.
In facts, it seems the basic block logic leads to false positives with condition like if (X && ptr == NULL)
There was a problem hiding this comment.
We'll have to investigate that if we ever want to promote this query out of experimental, but we can leave it as is for now.
| @@ -0,0 +1,11 @@ | |||
| void test(char *arg1, int *arg2) { | |||
| if (arg1[0] == 'A') { | |||
| if (arg2 != NULL) { | |||
There was a problem hiding this comment.
| if (arg2 != NULL) { | |
| if (arg2 != NULL) { // redundant |
|
I'll be on holiday for the rest of July, so I'm assigning this PR over to @rdmarsh2. |
Is there an easy way to test on all my Github repos ? How can I get the ql file to be auto-formatted without Visual Code ? |
If your projects are on LGTM and favourited you should be select multiple projects at the LGTM query console. Does this link take you to an LGTM console set to run on 12 projects? |
Yes :-D thank you very much for this pointer |
|
So, running on my 12 projects found one more alert in ndpi There is indeed a NULL check here I am not sure why |
The definition of |
So, this is another true alert as far as I can tell :-) |
|
Editorial check of the qhelp: |
The query now complies with everything in https://github.com/github/codeql/blob/master/CONTRIBUTING.md except the auto-formatting requirement:
The queries and libraries must be autoformatted, for example using the "Format Document" command in CodeQL for Visual Studio Code.
|
Thanks @jbj Did I get it right now ? |
|
I've started the CI tests and will merge if they're clean. |
CVE ID(s)
List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.
Report
A potential NULL dereference (or redundant NULL check) may happen if a pointer is checked once against NULL in a function but not every time.
This is a new rule similar to RedundantNullCheckSimple, in addition to finding the NULL dereference from CVE-2020-10957 also finds the redundant null checks from :
This follows #3576 cc @jbj
I used
Critical/MissingNullTest.qlas a start for finding the dereference (which does not use the Intermediate Representation)Performance seems much better now, on a project like dovecot where I could find 2 redundant/missing null checks with this rule.