Why is CodeQL C++ unable to find the asserted Expression in assert() if NDEBUG is defined ?

[Sixelayo]

For debugging purposes and trying to understand how CodeQL worked, I have a simple cpp file from which I create 2 Code QL databases (the only difference being the #define NDEBUG commented out in one).

#include <iostream>

#define NDEBUG
#include <cassert>

int main(){
    int* a = nullptr;
    assert(a != nullptr); 

    std::cout << "program didn't stopped" << std::endl;
}

On which I run 2 requests

This request return a result for both databases :

import cpp
import semmle.code.cpp.commons.Assertions

from Assertion assert
select assert

This request only return a result when NDEBUG is not defined

import cpp
import semmle.code.cpp.commons.Assertions

from Assertion assert
select assert, assert.getAsserted()

I didn't understand at first and after some searching I found that In assert.h the assert macro is defined as such :

#ifdef NDEBUG

    #define assert(expression) ((void)0)

So now seing this I don't even understand how CodeQL is able to know there's a assertion if NDEBUG is defined. That means CodeQL HAS to look at source code before preprocessor invocation. And if so, why doesn't it also grab the Expression inside ? Another thing that I find weird is that Assertion does NOT inherit from ControlFlowNode (which I guess make sens because a macro could theorically expand to a complex code branching ?) but that doesn't change the fact that I want to know the position of the assert() and dominance relation relative to other control flow element such as VariableAccess. And the "Location" (position in file) is completely irrelevant to that extent.

[jketema]

Hi @ayosten,

Thanks for your question.

So now seing this I don't even understand how CodeQL is able to know there's a assertion if NDEBUG is defined. That means CodeQL HAS to look at source code before preprocessor invocation.

Not quite. We simply record the macro invocations that affect the code/expression that ends up in your database.

And if so, why doesn't it also grab the Expression inside ?

Because the expression in not in the database when the code is compile with NDEBUG, instead there will be a ((void)0) in the database at the location of the assert. The ((void)0) statement will be the one to which the macro invocation is attached, or the be more precise: ((void)0) is generated by the assert macro invocation.

Another thing that I find weird is that Assertion does NOT inherit from ControlFlowNode (which I guess make sens because a macro could theorically expand to a complex code branching ?)

This is because macro invocations, which is what all Assertions currently are, fall outside of the AST given that they might not nicely map on statements/expressions, as you already observed.

What you likely want to do is something along the lines of:

import cpp
import semmle.code.cpp.commons.Assertions

from LibcAssert a
select a, a.getAGeneratedElement().(Stmt)

where a.getAGeneratedElement().(Stmt) is a control flow node.

[Sixelayo]

Thanks a lot for your replie ! It really helped me understanding how CodeQL works.