
Functions in C and C++

You can use CodeQL to explore functions in C and C++ code.

Overview

The standard CodeQL library for C and C++ represents functions using the Function class (see CodeQL libraries for C and C++).

The example queries in this topic explore some of the most useful library predicates for querying functions.

Finding all static functions

Using the member predicate Function.isStatic() we can list all the static functions in a database:

    import cpp

    from Function f
    where f.isStatic()
    select f, "This is a static function."

This query is very general, so there are probably too many results to be interesting for most nontrivial projects.

Finding functions that are not called

It might be more interesting to find functions that are not called, using the standard CodeQL FunctionCall class from the abstract syntax tree category (see CodeQL libraries for C and C++). The FunctionCall class can be used to identify places where a function is actually used, and it is related to Function through the FunctionCall.getTarget() predicate.

    import cpp

    from Function f
    where not exists(FunctionCall fc | fc.getTarget() = f)
    select f, "This function is never called."

The new query finds functions that are not the target of any FunctionCall, in other words, functions that are never called. You may be surprised by how many results the query finds. However, if you examine the results, you can see that many of the functions it finds are used indirectly. To create a query that finds only unused functions, we need to refine the query and exclude other ways of using a function.

Excluding functions that are referenced with a function pointer

You can modify the query to remove functions where a function pointer is used to reference the function:

    import cpp

    from Function f
    where
      not exists(FunctionCall fc | fc.getTarget() = f) and
      not exists(FunctionAccess fa | fa.getTarget() = f)
    select f, "This function is never called, or referenced with a function pointer."

This query returns fewer results. However, if you examine the results, you can probably still find potential refinements.

For example, there is a more complicated standard query, Unused static function, that finds unused static functions.

You can explore the definition of an element in the standard libraries and see what predicates are available. Right-click the element to display the context menu, and click Go to Definition. The library file is opened in a new tab with the definition of the element highlighted.
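Combining the static-function query with the unused-function refinements above gives a query that reports with much more confidence, because a static function cannot be called from another translation unit. The following is an added example for this topic; it is not one of the page's queries and not the published Unused static function query. It uses only standard-library predicates (Function.hasDefinition(), MemberFunction and Element.isInMacroExpansion() in addition to those shown above); the choice to exclude static member functions and macro-generated functions is an assumption about what counts as noise, not something the page prescribes.

```ql
import cpp

// Added example: static, non-member functions with a body that are neither
// called directly nor referenced by address anywhere in the database.
from Function f
where
  // Static linkage: the function is only visible in its own translation unit,
  // so a missing use inside the database really is a missing use.
  f.isStatic() and
  // Static member functions are also "static" but can be called from anywhere;
  // exclude them (assumption: we only care about file-local functions).
  not f instanceof MemberFunction and
  // Only report functions that actually have a definition in the database.
  f.hasDefinition() and
  // Not the target of any direct call ...
  not exists(FunctionCall fc | fc.getTarget() = f) and
  // ... and not referenced through a function pointer (address taken).
  not exists(FunctionAccess fa | fa.getTarget() = f) and
  // Functions produced by macro expansion are frequently used by other
  // macro-generated code; skip them to reduce noise (assumption).
  not f.isInMacroExpansion()
select f, "Unused static function: never called and never referenced by address."
```

Each exclusion can be removed again to see which results it filtered out; that is usually the quickest way to judge whether a refinement is worth keeping on a particular code base.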

Finding a specific function

This query uses Function and FunctionCall to find calls to the function sprintf that have a variable format string, which is potentially a security hazard.

    import cpp

    from FunctionCall fc
    where
      fc.getTarget().getQualifiedName() = "sprintf" and
      not fc.getArgument(1) instanceof StringLiteral
    select fc, "sprintf called with variable format string."

This uses:

  • Declaration.getQualifiedName() to identify calls to the specific function sprintf.

  • FunctionCall.getArgument(1) to fetch the format string argument.

Note that we could have used Declaration.getName(), but Declaration.getQualifiedName() is a better choice because it includes the namespace. For example, getName() would return vector where getQualifiedName() would return std::vector.

The published version of this query is considerably more complicated, but if you look carefully you will find that its structure is the same. See Non-constant format string.
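The same structure (find the call, fetch its format argument, reject anything that is not a literal) generalises from sprintf to every printf-style function. The query below is an added example, not the page's query and not the published Non-constant format string query. It relies on the standard library's FormattingFunctionCall class (semmle.code.cpp.commons.Printf), whose getFormat() predicate knows which argument is the format string for each modelled function, so the hard-coded getArgument(1) disappears. The exception for const variables initialised with a literal is an extra refinement added here as an assumption about what is acceptably constant.

```ql
import cpp
import semmle.code.cpp.commons.Printf

// Added example: calls to any printf-family function whose format argument is
// not a string literal. FormattingFunctionCall.getFormat() returns the format
// argument for printf, fprintf, snprintf, syslog and the other functions the
// standard library models, whatever its position in the argument list.
from FormattingFunctionCall call, Expr fmt
where
  fmt = call.getFormat() and
  // The format is not written inline as a literal ...
  not fmt instanceof StringLiteral and
  // ... and is not a read of a const variable initialised with a literal,
  // which is just as safe as the literal itself (assumption added here).
  not exists(Variable v |
    fmt.(VariableAccess).getTarget() = v and
    v.isConst() and
    v.getInitializer().getExpr() instanceof StringLiteral
  )
select call,
  "The format string of this call to " + call.getTarget().getName() +
    " is not a constant string literal."
```

Compared with the sprintf query on this page, the result set grows to cover every formatting function at once, while the two filters keep the obviously safe cases out; if the results are still too noisy, the next refinement is to trace where the non-literal format value comes from.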

Further reading

