Fixes in cpp/global-use-before-init

[mrigankpawagi]

This PR introduces two fixes in the cpp/global-use-before-init query, which currently has two very basic inaccuracies.

Write after read

Consider the following example.

int x;

int main() {
    int woof = x;
    x = 42;
}

The query does not raise an alert on this because main does not satisfy useFunc (which holds if the function never writes to, but reads from, the global variable). The fix to useFunc modifies this condition to include functions which have a read that may not be preceded by a write inside the function.

Write before function call

Consider the following example.

int x;

void foo() {
    int meow = x;
}

int main() {
    x = 0;
    foo();
}

The query raises an alert if in the recursive step of uninitializedBefore, f never writes to v. However, what we really want is that g never writes to v (and if it does, locallyUninitialisedAt handles the case). Further, it is not clear why functionInitialises does not consider initFunc to be one of the ways for a function to initialize a variable, although it is considered by initialises. This is addressed by the fixes in uninitializedBefore and functionInitialises. This also required a corresponding change in locallyUninitialisedAt.

I am aware that some more enhancements can be made, but I am not sure how open the maintainers are to modifications in this query. I would be happy to discuss more in the comments.

[Copilot]

Pull Request Overview

This PR refines the global‐use‐before‐init query by distinguishing in‐function initializations that dominate a use, and by correcting which function is checked for prior writes in the recursive uninitialised‐before logic.

• Introduce dominatingInitInFunc to detect lvalue writes that dominate a given node.
• Update useFunc, uninitialisedBefore, functionInitialises, and locallyUninitialisedAt to use the new predicate and fix the function scope in recursive checks.

Comments suppressed due to low confidence (2)

cpp/ql/src/Critical/GlobalUseBeforeInit.ql:25

• Add tests covering scenarios where a global variable is written in the same function both before and after a read, to validate that dominatingInitInFunc correctly distinguishes dominating writes from non-dominating ones.

predicate dominatingInitInFunc(GlobalVariable v, Function f, ControlFlowNode node) {

cpp/ql/src/Critical/GlobalUseBeforeInit.ql:39

• [nitpick] Consider adding a code comment here to explain that this check filters out any reads dominated by a prior write in the same function, making the intent clearer for future maintainers.

    not dominatingInitInFunc(v, f, access)

[jketema]

Hi @mrigankpawagi,

Thanks for your contribution. We are always open to fixes to our queries. I would like to mention that we generally do not run this query, because it has performance issues due to its use of the points-to library. This also explains why some of the issues you're observing have been present for so long.

As part of this contribution, could you add some relevant tests to cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit? Your code snippets from above seem like a good start.

I see your changes currently do not satisfy our formatting guidelines. The easiest way to fix this is by loading the query file in VScode with the CodeQL extension installed, and asking VScode to format the file.

[mrigankpawagi]

Thanks for your response, @jketema! I have addressed your comments.