Merge pull request #750 from github/michaelrfairhurst/implement-package-invalid-memory3

Implement InvalidMemory3, Rule 18-8 amendment.

Author: lcartey

amendments.csv

@@ -15,7 +15,7 @@ c,MISRA-C-2012,Amendment4,RULE-11-3,Yes,Expand,No,Easy
 c,MISRA-C-2012,Amendment4,RULE-11-8,Yes,Expand,No,Easy
 c,MISRA-C-2012,Amendment4,RULE-13-2,Yes,Expand,No,Very Hard
 c,MISRA-C-2012,Amendment4,RULE-18-6,Yes,Expand,No,Medium
-c,MISRA-C-2012,Amendment4,RULE-18-8,Yes,Split,No,Easy
+c,MISRA-C-2012,Amendment4,RULE-18-8,Yes,Split,Yes,Easy
 c,MISRA-C-2012,Corrigendum2,RULE-2-2,Yes,Clarification,No,Import
 c,MISRA-C-2012,Corrigendum2,RULE-2-7,Yes,Clarification,No,Import
 c,MISRA-C-2012,Corrigendum2,RULE-3-1,Yes,Refine,No,Easy

c/cert/src/rules/EXP35-C/DoNotModifyObjectsWithTemporaryLifetime.ql

@@ -13,18 +13,7 @@
 
 import cpp
 import codingstandards.c.cert
-
-/**
- * A struct or union type that contains an array type
- */
-class StructOrUnionTypeWithArrayField extends Struct {
-  StructOrUnionTypeWithArrayField() {
-    this.getAField().getUnspecifiedType() instanceof ArrayType
-    or
-    // nested struct or union containing an array type
-    this.getAField().getUnspecifiedType().(Struct) instanceof StructOrUnionTypeWithArrayField
-  }
-}
+import codingstandards.cpp.lifetimes.CLifetimes
 
 // Note: Undefined behavior is possible regardless of whether the accessed field from the returned
 // struct is an array or a scalar (i.e. arithmetic and pointer types) member, according to the standard.

c/misra/src/rules/RULE-18-10/PointersToVariablyModifiedArrayTypesUsed.ql

@@ -0,0 +1,51 @@
+/**
+ * @id c/misra/pointers-to-variably-modified-array-types-used
+ * @name RULE-18-10: Pointers to variably-modified array types shall not be used
+ * @description Pointers to variably-modified array types shall not be used, as these pointer types
+ *              are frequently incompatible with other fixed or variably sized arrays, resulting in
+ *              undefined behavior.
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags external/misra/id/rule-18-10
+ *       external/misra/c/2012/amendment4
+ *       correctness
+ *       security
+ *       external/misra/obligation/mandatory
+ */
+
+import cpp
+import codingstandards.c.misra
+import codingstandards.cpp.VariablyModifiedTypes
+
+from VmtDeclarationEntry v, string declstr, string adjuststr, string relationstr
+where
+  not isExcluded(v, InvalidMemory3Package::pointersToVariablyModifiedArrayTypesUsedQuery()) and
+  // Capture only pointers to VLA types, not raw VLA types.
+  not v.getVlaType() = v.getType() and
+  (
+    if v instanceof ParameterDeclarationEntry
+    then declstr = "Parameter "
+    else
+      if v instanceof VariableDeclarationEntry
+      then declstr = "Variable "
+      else declstr = "Declaration "
+  ) and
+  (
+    if
+      v instanceof ParameterDeclarationEntry and
+      v.getType() instanceof ParameterAdjustedVariablyModifiedType
+    then adjuststr = "adjusted to"
+    else adjuststr = "declared with"
+  ) and
+  (
+    if v.getType().(PointerType).getBaseType() instanceof CandidateVlaType
+    then relationstr = "pointer to"
+    else relationstr = "with inner"
+  ) and
+  // Remove results that appear to be unreliable, potentially from a macro.
+  not v.appearsDuplicated()
+select v,
+  declstr + v.getName() + " is " + adjuststr + " variably-modified type, " + relationstr +
+    " variable length array of non constant size $@ and element type '" +
+    v.getVlaType().getVariableBaseType() + "'", v.getSizeExpr(), v.getSizeExpr().toString()

c/misra/src/rules/RULE-18-8/VariableLengthArrayTypesUsed.ql

@@ -16,33 +16,53 @@ import cpp
 import codingstandards.c.misra
 
 /**
- * A variable length array (VLA)
- * ie an array where the size
- * is not an integer constant expression
+ * Typedefs may be declared as VLAs, eg, `typedef int vla[x];`. This query finds types that refer to
+ * such typedef types, for instance `vla foo;` or adding a dimension via `vla bar[10];`.
+ *
+ * Consts and other specifiers may be added, but `vla *ptr;` is not a VLA any more, and is excluded.
  */
-class VariableLengthArray extends VariableDeclarationEntry {
-  VariableLengthArray() {
-    //VLAs will not have: static/extern specifiers (compilation error)
-    not this.hasSpecifier("static") and
-    not this.hasSpecifier("extern") and
-    //VLAs are not allowed to be initialized
-    not this.getDeclaration().hasInitializer() and
-    exists(ArrayType a |
-      //a.hasArraySize() does not catch multidimensional VLAs like a[1][]
-      a.toString().matches("%[]%") and
-      this.getUnspecifiedType() = a and
-      //variable length array is one declared in block or function prototype
-      (
-        this.getDeclaration().getParentScope() instanceof Function or
-        this.getDeclaration().getParentScope() instanceof BlockStmt
-      )
+class VlaTypedefType extends Type {
+  VlaDeclStmt vlaDecl;
+  ArrayType arrayType;
+
+  VlaTypedefType() {
+    // Holds for direct references to the typedef type:
+    this = vlaDecl.getType() and
+    vlaDecl.getType() instanceof TypedefType and
+    arrayType = vlaDecl.getType().stripTopLevelSpecifiers()
+    or
+    // Handle arrays of VLA typedefs, and carefully handle specified VLA typedef types, as
+    // `stripTopLevelSpecifiers` resolves past the VLA typedef type.
+    exists(DerivedType dt, VlaTypedefType vlaType |
+      (dt instanceof ArrayType or dt instanceof SpecifiedType) and
+      this = dt and
+      vlaType = dt.getBaseType() and
+      vlaDecl = vlaType.getVlaDeclStmt() and
+      arrayType = vlaType.getArrayType()
     )
   }
+
+  VlaDeclStmt getVlaDeclStmt() { result = vlaDecl }
+
+  ArrayType getArrayType() { result = arrayType }
 }
 
-from VariableLengthArray v
+from Variable v, Expr size, ArrayType arrayType, VlaDeclStmt vlaDecl, string typeStr
 where
   not isExcluded(v, Declarations7Package::variableLengthArrayTypesUsedQuery()) and
-  //an exception, argv in : int main(int argc, char *argv[])
-  not v.getDeclaration().getParentScope().(Function).hasName("main")
-select v, "Variable length array declared."
+  size = vlaDecl.getVlaDimensionStmt(0).getDimensionExpr() and
+  (
+    // Holds is if v is a variable declaration:
+    v = vlaDecl.getVariable() and
+    arrayType = v.getType().stripTopLevelSpecifiers()
+    or
+    // Holds is if v is a typedef declaration:
+    exists(VlaTypedefType typedef |
+      v.getType() = typedef and
+      arrayType = typedef.getArrayType() and
+      vlaDecl = typedef.getVlaDeclStmt()
+    )
+  ) and
+  typeStr = arrayType.getBaseType().toString()
+select v, "Variable length array of element type '" + typeStr + "' with non-constant size $@.",
+  size, size.toString()

c/misra/src/rules/RULE-18-9/ArrayToPointerConversionOfTemporaryObject.ql

@@ -0,0 +1,70 @@
+/**
+ * @id c/misra/array-to-pointer-conversion-of-temporary-object
+ * @name RULE-18-9: An object with temporary lifetime shall not undergo array to pointer conversion
+ * @description Modifying or accessing elements of an array with temporary lifetime that has been
+ *              converted to a pointer will result in undefined behavior.
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags external/misra/id/rule-18-9
+ *       external/misra/c/2012/amendment3
+ *       correctness
+ *       security
+ *       external/misra/obligation/required
+ */
+
+import cpp
+import codingstandards.c.misra
+import codingstandards.cpp.lifetimes.CLifetimes
+
+/**
+ * Holds if the value of an expression is used or stored.
+ *
+ * For instance, `(x)` does not use any values, but `x + y` uses `x` and `y`.
+ *
+ * A pointer-to-array conversion does not need to be flagged if the result of
+ * that conversion is not used or stored.
+ */
+predicate isUsedOrStored(Expr e) {
+  e = any(Operation o).getAnOperand()
+  or
+  e = any(ConditionalExpr c).getCondition()
+  or
+  e = any(Call c).getAnArgument()
+  or
+  e = any(VariableDeclarationEntry d).getDeclaration().getInitializer().getExpr()
+  or
+  e = any(ClassAggregateLiteral l).getAFieldExpr(_)
+}
+
+/**
+ * Find expressions that defer their value directly to an inner expression
+ * value.
+ *
+ * When an array is on the rhs of a comma expr, or in the then/else branch of a
+ * ternary expr, and the result us used as a pointer, then the ArrayToPointer
+ * conversion is marked inside comma expr/ternary expr, on the operands. These
+ * conversions are only non-compliant if they flow into an operation or store.
+ *
+ * Full flow analysis with localFlowStep should not be necessary, and may cast a
+ * wider net than needed for some queries, potentially resulting in false
+ * positives.
+ */
+Expr temporaryObjectFlowStep(Expr e) {
+  e = result.(CommaExpr).getRightOperand()
+  or
+  e = result.(ConditionalExpr).getThen()
+  or
+  e = result.(ConditionalExpr).getElse()
+}
+
+from
+  TemporaryLifetimeArrayAccess fa, TemporaryLifetimeExpr temporary,
+  ArrayToPointerConversion conversion
+where
+  not isExcluded(conversion, InvalidMemory3Package::arrayToPointerConversionOfTemporaryObjectQuery()) and
+  fa.getTemporary() = temporary and
+  conversion.getExpr() = fa and
+  isUsedOrStored(temporaryObjectFlowStep*(conversion.getExpr()))
+select conversion, "Array to pointer conversion of array $@ from temporary object $@.",
+  fa.getTarget(), fa.getTarget().getName(), temporary, temporary.toString()

c/misra/src/rules/RULE-18-9/ModifiableLValueSubscriptedWithTemporaryLifetime.ql

@@ -0,0 +1,59 @@
+/**
+ * @id c/misra/modifiable-l-value-subscripted-with-temporary-lifetime
+ * @name RULE-18-9: Usage of the subscript operator on an object with temporary lifetime shall not return a modifiable value
+ * @description Modifying elements of an array with temporary lifetime will result in undefined
+ *              behavior.
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags external/misra/id/rule-18-9
+ *       external/misra/c/2012/amendment3
+ *       correctness
+ *       security
+ *       external/misra/obligation/required
+ */
+
+import cpp
+import codingstandards.c.misra
+import codingstandards.cpp.lifetimes.CLifetimes
+
+class TemporaryLifetimeArrayExpr extends ArrayExpr {
+  TemporaryLifetimeArrayAccess member;
+  Type elementType;
+
+  TemporaryLifetimeArrayExpr() {
+    member = getArrayBase() and
+    elementType = member.getType().(ArrayType).getBaseType()
+    or
+    exists(TemporaryLifetimeArrayExpr inner |
+      inner = getArrayBase() and
+      member = inner.getMember() and
+      elementType = inner.getElementType().(ArrayType).getBaseType()
+    )
+  }
+
+  TemporaryLifetimeArrayAccess getMember() { result = member }
+
+  Type getElementType() { result = elementType }
+}
+
+predicate usedAsModifiableLvalue(Expr expr) {
+  exists(Assignment parent | parent.getLValue() = expr)
+  or
+  exists(CrementOperation parent | parent.getOperand() = expr)
+  or
+  exists(AddressOfExpr parent | parent.getOperand() = expr)
+  or
+  exists(FieldAccess parent | parent.getQualifier() = expr and usedAsModifiableLvalue(parent))
+}
+
+from TemporaryLifetimeArrayExpr expr, TemporaryLifetimeArrayAccess member
+where
+  not isExcluded(expr,
+    InvalidMemory3Package::modifiableLValueSubscriptedWithTemporaryLifetimeQuery()) and
+  member = expr.getMember() and
+  not expr.isUnevaluated() and
+  usedAsModifiableLvalue(expr)
+select expr,
+  "Modifiable lvalue produced by subscripting array member $@ of temporary lifetime object $@ ",
+  member, member.getTarget().getName(), member.getTemporary(), member.getTemporary().toString()

c/misra/test/rules/RULE-18-10/PointersToVariablyModifiedArrayTypesUsed.expected

@@ -0,0 +1,17 @@
+| test.c:17:11:17:12 | definition of p5 | Parameter p5 is declared with variably-modified type, pointer to variable length array of non constant size $@ and element type 'int' | test.c:17:15:17:16 | p0 | p0 |
+| test.c:18:11:18:12 | definition of p6 | Parameter p6 is declared with variably-modified type, with inner variable length array of non constant size $@ and element type 'int' | test.c:18:18:18:19 | p0 | p0 |
+| test.c:19:11:19:12 | definition of p7 | Parameter p7 is declared with variably-modified type, pointer to variable length array of non constant size $@ and element type 'int[2]' | test.c:19:15:19:16 | p0 | p0 |
+| test.c:20:11:20:12 | definition of p8 | Parameter p8 is declared with variably-modified type, pointer to variable length array of non constant size $@ and element type 'int[]' | test.c:20:15:20:16 | p0 | p0 |
+| test.c:20:11:20:12 | definition of p8 | Parameter p8 is declared with variably-modified type, pointer to variable length array of non constant size $@ and element type 'int[]' | test.c:20:19:20:20 | p0 | p0 |
+| test.c:24:12:24:13 | definition of p9 | Parameter p9 is declared with variably-modified type, pointer to variable length array of non constant size $@ and element type 'int *' | test.c:24:16:24:17 | p0 | p0 |
+| test.c:25:13:25:15 | definition of p10 | Parameter p10 is declared with variably-modified type, with inner variable length array of non constant size $@ and element type 'int *' | test.c:25:18:25:19 | p0 | p0 |
+| test.c:28:12:28:14 | definition of p11 | Parameter p11 is adjusted to variably-modified type, with inner variable length array of non constant size $@ and element type 'int' | test.c:28:21:28:22 | p0 | p0 |
+| test.c:32:17:32:19 | definition of p13 | Parameter p13 is declared with variably-modified type, pointer to variable length array of non constant size $@ and element type 'const int' | test.c:32:22:32:23 | p0 | p0 |
+| test.c:33:17:33:19 | definition of p14 | Parameter p14 is declared with variably-modified type, with inner variable length array of non constant size $@ and element type 'int' | test.c:33:22:33:23 | p0 | p0 |
+| test.c:40:12:40:14 | definition of p17 | Parameter p17 is declared with variably-modified type, with inner variable length array of non constant size $@ and element type 'int' | test.c:40:24:40:25 | p0 | p0 |
+| test.c:41:14:41:16 | definition of p18 | Parameter p18 is declared with variably-modified type, with inner variable length array of non constant size $@ and element type 'int' | test.c:41:27:41:28 | p0 | p0 |
+| test.c:68:9:68:11 | definition of p27 | Parameter p27 is adjusted to variably-modified type, with inner variable length array of non constant size $@ and element type 'int' | test.c:68:13:68:14 | p0 | p0 |
+| test.c:68:9:68:11 | definition of p27 | Parameter p27 is adjusted to variably-modified type, with inner variable length array of non constant size $@ and element type 'int' | test.c:68:17:68:18 | p0 | p0 |
+| test.c:74:8:74:9 | definition of l3 | Variable l3 is declared with variably-modified type, pointer to variable length array of non constant size $@ and element type 'int' | test.c:74:12:74:13 | p0 | p0 |
+| test.c:79:15:79:16 | definition of l4 | Variable l4 is declared with variably-modified type, pointer to variable length array of non constant size $@ and element type 'int' | test.c:79:19:79:20 | p0 | p0 |
+| test.c:84:16:84:18 | declaration of td3 | Declaration td3 is declared with variably-modified type, with inner variable length array of non constant size $@ and element type 'int' | test.c:84:21:84:22 | p0 | p0 |

c/misra/test/rules/RULE-18-10/PointersToVariablyModifiedArrayTypesUsed.qlref

@@ -0,0 +1 @@
+rules/RULE-18-10/PointersToVariablyModifiedArrayTypesUsed.ql