
[Bug][C] Missing calls in ternary conditionals

Open mal-tee opened this issue 6 months ago • 3 comments

Describe the bug

Method calls in ternary conditional expressions are not generated correctly.

To Reproduce

```c
#include <stdio.h>
#include <stdbool.h>

void open_file_1() {
    printf("1");
}

void open_file_2() {
    printf("2");
}

int main(int argc, char **argv) {
    bool cond = true;
    /* the callee is selected at runtime by the ternary, then called */
    ((cond ? open_file_1 : open_file_2) ());
    return 0;
}
```

```scala
// in joern, after importCode():
cpg.call("open_file_1").l // empty
cpg.call("open_file_2").l // empty
```

Expected behavior

The calls should be found.

Desktop

Latest joern via docker/nightly (4.0.388)

mal-tee avatar Jul 11 '25 08:07 mal-tee

open_file_1 and _2 respectively are not calls here. They are method references pointing to their respective methods. You can see that with: cpg.call.nameExact("<operator>.pointerCall").ast.isMethodRef.l.

max-leuthaeuser avatar Jul 11 '25 08:07 max-leuthaeuser

Thank you for the fast response and clarification about the method references. I think there is still an issue with data flow in the ternary conditionals.

```c
#include <stdio.h>
#include <stdbool.h>

void open_file_1(char *arg) {
    printf(arg);
}

void open_file_2(char *arg) {
    printf(arg);
}

int main(int argc, char **argv) {
    bool cond = true;
    char *source = "source";
    /* `source` is passed to whichever function the ternary selects */
    ((cond ? open_file_1 : open_file_2) (source));
    return 0;
}
```

The query cpg.call("printf").argument.reachableByFlows(cpg.identifier("source")).p returns an empty result but should find the data flows.

van-dalf avatar Jul 11 '25 11:07 van-dalf

Yeah, because we currently do not link the call that's actually behind (cond ? open_file_1 : open_file_2) (source) (either open_file_1(source) or open_file_2(source)) to the corresponding method via the underlying method ref.

max-leuthaeuser avatar Jul 11 '25 13:07 max-leuthaeuser
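Until the frontend links a pointer call to the methods behind its method references, the resolution can be done by hand from the joern console. The following is an added example, not code from the issue or from the Joern project: it assumes the second snippet above has been loaded with importCode(), and it builds only on steps that appear in the thread (`<operator>.pointerCall`, `.ast.isMethodRef`, `reachableByFlows`) plus the standard `methodFullName`, `fullNameExact` and `parameter` steps. The names `resolvedPointerCallTargets` and `flowsIntoTargets` are the example's own.

```scala
// Added example (not from the issue or Joern itself).
// Assumes: joern console, second snippet imported via importCode().

// For every indirect call, collect the method references reachable in its
// callee expression and resolve them to the methods they point at. For
// `(cond ? open_file_1 : open_file_2)(source)` this yields both candidates.
def resolvedPointerCallTargets =
  cpg.call.nameExact("<operator>.pointerCall").map { pc =>
    val refNames = pc.ast.isMethodRef.methodFullName.l
    (pc, cpg.method.fullNameExact(refNames: _*).l)
  }

// Show each call site with its possible targets.
resolvedPointerCallTargets.foreach { case (pc, targets) =>
  println(s"${pc.code} (line ${pc.lineNumber.getOrElse(-1)}) -> " +
    targets.map(_.fullName).mkString(", "))
}

// Step 1: does `source` reach an argument of the pointer call itself?
// This part is tracked; it is the hop into the callee that the issue says is missing.
cpg.call.nameExact("<operator>.pointerCall")
  .argument
  .reachableByFlows(cpg.identifier("source"))
  .p

// Step 2: for each resolved candidate, continue the flow from its parameter
// to the printf call inside it. Joining step 1 and step 2 manually gives the
// end-to-end path the single reachableByFlows query cannot yet produce.
def flowsIntoTargets =
  resolvedPointerCallTargets.flatMap(_._2).map { m =>
    (m.fullName, cpg.call("printf").argument.reachableByFlows(m.parameter).l)
  }

flowsIntoTargets.foreach { case (name, flows) =>
  println(s"$name: ${flows.size} flow(s) from its parameter into printf")
}
```

Because the two hops are joined by hand, the result is an over-approximation: both open_file_1 and open_file_2 are reported as targets regardless of the value of `cond`, which is the expected behaviour for a static resolution of the method references.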