Guards: Add support for wrappers that may throw exceptions.

Author: aschackmull

java/ql/lib/semmle/code/java/controlflow/Guards.qll

@@ -146,6 +146,10 @@ private module GuardsInput implements SharedGuards::InputSig<Location> {
 
   class ControlFlowNode = J::ControlFlowNode;
 
+  class NormalExitNode = ControlFlow::NormalExitNode;
+
+  class ExceptionalExitNode = ControlFlow::ExceptionalExitNode;
+
   class BasicBlock = J::BasicBlock;
 
   predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) { J::dominatingEdge(bb1, bb2) }

java/ql/test/library-tests/guards/Guards.java

@@ -202,4 +202,14 @@ void testWrappers(String s, Integer i) {
         break;
     }
   }
+
+  static void ensureNotNull(Object o) throws Exception {
+    if (o == null) throw new Exception();
+  }
+
+  void testExceptionWrapper(String s) throws Exception {
+    chk(); // nothing guards here
+    ensureNotNull(s);
+    chk(); // $ guarded='ensureNotNull(...):no exception' guarded='s:not null'
+  }
 }

java/ql/test/library-tests/guards/GuardsInline.expected

@@ -112,3 +112,5 @@
 | Guards.java:201:9:201:13 | chk(...) | 'testEnumWrapper(...):FAILURE' |
 | Guards.java:201:9:201:13 | chk(...) | 'testEnumWrapper(...):match FAILURE' |
 | Guards.java:201:9:201:13 | chk(...) | g(1):false |
+| Guards.java:213:5:213:9 | chk(...) | 'ensureNotNull(...):no exception' |
+| Guards.java:213:5:213:9 | chk(...) | 's:not null' |

shared/controlflow/codeql/controlflow/Guards.qll

@@ -79,6 +79,12 @@ signature module InputSig<LocationSig Location> {
     Location getLocation();
   }
 
+  /** A control flow node indicating normal termination of a callable. */
+  class NormalExitNode extends ControlFlowNode;
+
+  /** A control flow node indicating exceptional termination of a callable. */
+  class ExceptionalExitNode extends ControlFlowNode;
+
   /**
    * A basic block, that is, a maximal straight-line sequence of control flow nodes
    * without branches or joins.
@@ -520,6 +526,12 @@ module Make<LocationSig Location, InputSig<Location> Input> {
     )
   }
 
+  private predicate normalExitBlock(BasicBlock bb) { bb.getNode(_) instanceof NormalExitNode }
+
+  private predicate exceptionalExitBlock(BasicBlock bb) {
+    bb.getNode(_) instanceof ExceptionalExitNode
+  }
+
   signature module LogicInputSig {
     class SsaDefinition {
       /** Gets the basic block to which this SSA definition belongs. */
@@ -1047,6 +1059,16 @@ module Make<LocationSig Location, InputSig<Location> Input> {
         )
       }
 
+      private predicate guardDirectlyControlsExit(
+        Guard guard, GuardValue val, GuardValue exceptionVal
+      ) {
+        exists(BasicBlock bb | guard.directlyValueControls(bb, val) |
+          normalExitBlock(bb) and exceptionVal = TException(false)
+          or
+          exceptionalExitBlock(bb) and exceptionVal = TException(true)
+        )
+      }
+
       /**
        * Gets a non-overridable method that performs a check on the `ppos`th
        * parameter. A return value equal to `retval` allows us to conclude
@@ -1064,6 +1086,12 @@ module Make<LocationSig Location, InputSig<Location> Input> {
         |
           validReturnInCustomGuard(ret, ppos, retval, val)
         )
+        or
+        exists(SsaDefinition param, Guard g0, GuardValue v0 |
+          parameterDefinition(result.getParameter(ppos), param) and
+          guardDirectlyControlsExit(g0, v0, retval) and
+          BranchImplies::ssaControls(param, val, g0, v0)
+        )
       }
 
       /**