C++: new query for dead code after goto or break

Author: Robert Marsh

cpp/ql/src/Critical/DeadCodeGoto.cpp

@@ -0,0 +1,3 @@
+goto err;
+free(pointer);
+err: return -1;

cpp/ql/src/Critical/DeadCodeGoto.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>
+Code following a goto or break statement will not be executed, unless there is a label or switch
+case. When the code is necessary, this leads to logical errors or resource leaks. If the code is
+unnecessary, it may confuse readers.
+</p>
+</overview>
+<recommendation>
+<p>
+If the unreachable code is necessary, move the goto or break statement to after the code.
+Otherwise, delete the unreachable code.
+</p>
+
+</recommendation>
+<example><sample src="DeadCodeGoto.cpp" />
+</example>
+<references>
+<li>
+  The CERT C Secure Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/MSC12-C.+Detect+and+remove+code+that+has+no+effect+or+is+never+executed">MSC12-C. Detect and remove code that has no effect or is never executed</a>
+</li>
+</references>
+</qhelp>

cpp/ql/src/Critical/DeadCodeGoto.ql

@@ -0,0 +1,31 @@
+/**
+ * @name Dead code due to goto or break statement
+ * @description A goto or break statement is followed by unreachable code. 
+ * @kind problem
+ * @problem.severity warning
+ * @id cpp/dead-code-goto
+ * @tags maintainability
+ *       external/cwe/cwe-561
+ */
+
+import cpp
+
+Stmt getNextRealStmt(Block b, int i) {
+  result = b.getStmt(i + 1) and
+  not result instanceof EmptyStmt
+  or
+  b.getStmt(i + 1) instanceof EmptyStmt and
+  result = getNextRealStmt(b, i + 1)
+}
+
+from JumpStmt js, Block b, int i, Stmt s
+where b.getStmt(i) = js
+  and s = getNextRealStmt(b, i)
+  // the next statement isn't jumped to
+  and not s instanceof LabelStmt
+  and not s instanceof SwitchCase
+  // the next statement isn't breaking out of a switch
+  and not s.(BreakStmt).getBreakable() instanceof SwitchStmt
+  // the jump isn't a goto into the body of the next statement
+  and not exists (LabelStmt ls | s.(Loop).getStmt().getAChild*() = ls | ls.getName() = js.(GotoStmt).getName())
+select js, "This statement makes $@ dead.", s, s.toString()

cpp/ql/test/query-tests/Critical/DeadCodeGoto/DeadCodeGoto.expected

@@ -0,0 +1,3 @@
+| test.cpp:2:2:2:12 | goto ... | This statement makes $@ dead. | test.cpp:3:2:3:5 | ExprStmt | ExprStmt |
+| test.cpp:9:3:9:8 | break; | This statement makes $@ dead. | test.cpp:10:3:10:6 | ExprStmt | ExprStmt |
+| test.cpp:37:3:37:8 | break; | This statement makes $@ dead. | test.cpp:38:3:38:11 | return ... | return ... |

cpp/ql/test/query-tests/Critical/DeadCodeGoto/DeadCodeGoto.qlref

@@ -0,0 +1 @@
+Critical/DeadCodeGoto.ql

cpp/ql/test/query-tests/Critical/DeadCodeGoto/test.cpp

@@ -0,0 +1,52 @@
+int test1(int x) {
+	goto label; // BAD
+	x++;
+	label: return x;
+}
+
+int test2(int x) {
+	do {
+		break; // BAD
+		x++;
+	} while(false);
+	return x;
+}
+
+int test3(int x) {
+	goto label; // GOOD
+	label: x++;
+	return x;
+}
+
+int test4(int x) {
+	goto label; // GOOD
+	do {
+		label: x++;
+	} while(false);
+	return x;
+}
+
+int test5(int x, int y) {
+	switch(y) {
+	case 0:
+		break; // GOOD
+	case 1:
+		goto label; // GOOD
+		break;
+	case 2:
+		break; // BAD
+		return x;
+	case 3:
+		return x;
+		break; // GOOD
+	case 4:
+		goto label; // GOOD
+	case 5:
+		goto label;; // GOOD
+	default:
+		x++;
+	}
+	label:
+	return x;
+}
+