add analysis

Signed-off-by: Nikolaj Bjorner <nbjorner@microsoft.com>
2025-10-01 13:39:28 +00:00 · 2025-09-28 13:02:05 +03:00 · 2025-09-28 13:02:05 +03:00 · ae55b6fa1e
commit ae55b6fa1e
parent bda98d8da4
2 changed files with 128 additions and 0 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -0,0 +1,41 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    - cron: '0 0 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [cpp]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    - name: Run CodeQL Query
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: 'custom'
+        queries: ./codeql/custom-queries
--- a/codeql/custom_queries/FindUnderspecified.ql
+++ b/codeql/custom_queries/FindUnderspecified.ql
@ -0,0 +1,87 @@
+ /**
+
+  * Finds function calls with arguments that have unspecified evaluation order.
+
+  *
+
+  * @name Unspecified argument evaluation order
+
+  * @kind problem
+
+  * @problem.severity warning
+
+  * @id cpp/z3/unspecevalorder
+
+  */
+
+
+
+  import cpp
+
+
+
+  predicate isPureFunc(Function f) {
+
+    f.getName() = "m" or
+
+    not exists(Assignment a | a.getEnclosingFunction() = f) and
+
+    forall(FunctionCall g | g.getEnclosingFunction() = f | isPureFunc(g.getTarget()))
+
+  }
+
+
+
+  predicate sideEffectfulArgument(Expr a) {
+
+    exists(Function f | f = a.(FunctionCall).getTarget() |
+
+      not f instanceof ConstMemberFunction and
+
+      not isPureFunc(f)
+
+    )
+
+    or
+
+    exists(ArrayExpr b | b = a.(ArrayExpr) |
+
+      sideEffectfulArgument(b.getArrayBase()) or sideEffectfulArgument(b.getArrayOffset())
+
+    )
+
+    or
+
+    exists(Assignment b | b = a)
+
+    or
+
+    exists(BinaryOperation b | b = a | sideEffectfulArgument(b.getAnOperand()))
+
+    or
+
+    exists(UnaryOperation b | b = a | sideEffectfulArgument(b.getOperand()))
+
+  }
+
+
+
+  from FunctionCall f, Expr a, int i, Expr b, int j where
+
+    i < j and
+
+    f.getTarget().getName() != "operator&&" and
+
+    f.getTarget().getName() != "operator||" and
+
+    a = f.getArgument(i) and
+
+    b = f.getArgument(j) and
+
+    sideEffectfulArgument(a) and
+
+    sideEffectfulArgument(b)
+
+  select f, "potentially unspecified evaluation order of function arguments: $@ and $@", a,
+
+    i.toString(), b, j.toString()