github/codeql-coding-standardsPublic

NotificationsYou must be signed in to change notification settings
Fork70
Star171

Commit67ab0aa

committed

Modernize dataflow configurations

1 parentd74222a commit67ab0aaCopy full SHA for 67ab0aa

File tree

21 files changed

+209

-203

lines changed

cpp/autosar/src/rules
- A18-1-4
  - PointerToAnElementOfAnArrayPassedToASmartPointer.ql
- A5-0-4
  - PointerArithmeticUsedWithPointersToNonFinalClasses.ql
c
- cert/src/rules
  - ARR37-C
    - DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql
  - ARR39-C
    - DoNotAddOrSubtractAScaledIntegerToAPointer.ql
  - CON30-C
    - CleanUpThreadSpecificStorage.ql
  - EXP36-C
    - DoNotCastPointerToMoreStrictlyAlignedPointerType.ql
  - EXP37-C
    - DoNotCallFunctionPointerWithIncompatibleType.ql
  - EXP39-C
    - DoNotAccessVariableViaPointerOfIncompatibleType.ql
  - EXP40-C
    - DoNotModifyConstantObjects.ql
  - EXP43-C
    - DoNotPassAliasedPointerToRestrictQualifiedParam.ql
    - RestrictPointerReferencesOverlappingObject.ql
  - FIO44-C
    - OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql
  - MEM36-C
    - DoNotModifyAlignmentOfMemoryWithRealloc.ql
  - MSC33-C
    - DoNotPassInvalidDataToTheAsctimeFunction.ql
  - MSC39-C
    - DoNotCallVaArgOnAVaListThatHasAnIndeterminateValue.ql
  - STR30-C
    - DoNotAttemptToModifyStringLiterals.ql
- common/src/codingstandards/c
  - OutOfBounds.qll
- misra/src/rules
  - RULE-17-5
    - ArrayFunctionArgumentNumberOfElements.ql
  - RULE-21-14
    - MemcmpUsedToCompareNullTerminatedStrings.ql
  - RULE-22-4
    - AttemptToWriteToAReadOnlyStream.ql
  - RULE-22-7
    - EofShallBeComparedWithUnmodifiedReturnValues.ql

21 files changed

+209

-203

lines changed

`‎c/cert/src/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql‎`

Lines changed: 12 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,16 +14,14 @@`
`14`	`14`	`import cpp`
`15`	`15`	`import codingstandards.c.cert`
`16`	`16`	`import codingstandards.cpp.dataflow.DataFlow`
`17`		`-importDataFlow::PathGraph`
	`17`	`+importNonArrayPointerToArrayIndexingExprFlow::PathGraph`
`18`	`18`
`19`	`19`	`/**`
`20`	`20`	* A data-flow configuration that tracks flow from an `AddressOfExpr` of a variable
`21`	`21`	* of `PointerType` that is not also an `ArrayType` to a `PointerArithmeticOrArrayExpr`
`22`	`22`	`*/`
`23`		`-classNonArrayPointerToArrayIndexingExprConfigextends DataFlow::Configuration{`
`24`		`-NonArrayPointerToArrayIndexingExprConfig(){this="ArrayToArrayIndexConfig"}`
`25`		`-`
`26`		`-overridepredicateisSource(DataFlow::Nodesource){`
	`23`	`+module NonArrayPointerToArrayIndexingExprConfigimplements DataFlow::ConfigSig{`
	`24`	`+predicateisSource(DataFlow::Nodesource){`
`27`	`25`	`exists(AddressOfExprao,Typet\|`
`28`	`26`	`source.asExpr()=aoand`
`29`	`27`	`notao.getOperand()instanceofArrayExprand`
`@@ -35,15 +33,15 @@ class NonArrayPointerToArrayIndexingExprConfig extends DataFlow::Configuration {`
`35`	`33`	`)`
`36`	`34`	`}`
`37`	`35`
`38`		`-overridepredicateisSink(DataFlow::Nodesink){`
	`36`	`+predicateisSink(DataFlow::Nodesink){`
`39`	`37`	`exists(PointerArithmeticOrArrayExprae\|`
`40`	`38`	`sink.asExpr()=ae.getPointerOperand()and`
`41`	`39`	`notsink.asExpr()instanceofLiteraland`
`42`	`40`	`notae.isNonPointerOperandZero()`
`43`	`41`	`)`
`44`	`42`	`}`
`45`	`43`
`46`		`-overridepredicateisBarrierOut(DataFlow::Nodenode){`
	`44`	`+predicateisBarrierOut(DataFlow::Nodenode){`
`47`	`45`	`// the default interprocedural data-flow model flows through any field or array assignment`
`48`	`46`	`// expressions to the qualifier (array base, pointer dereferenced, or qualifier) instead of the`
`49`	`47`	`// individual element or field that the assignment modifies. this default behaviour causes`
`@@ -63,6 +61,9 @@ class NonArrayPointerToArrayIndexingExprConfig extends DataFlow::Configuration {`
`63`	`61`	`}`
`64`	`62`	`}`
`65`	`63`
	`64`	`+module NonArrayPointerToArrayIndexingExprFlow=`
	`65`	`+ DataFlow::Global<NonArrayPointerToArrayIndexingExprConfig>;`
	`66`	`+`
`66`	`67`	`classPointerArithmeticOrArrayExprextendsExpr{`
`67`	`68`	`Exproperand;`
`68`	`69`
`@@ -101,9 +102,11 @@ class PointerArithmeticOrArrayExpr extends Expr {`
`101`	`102`	`predicateisNonPointerOperandZero(){operand.(Literal).getValue().toInt()=0}`
`102`	`103`	`}`
`103`	`104`
`104`		`-from DataFlow::PathNodesource, DataFlow::PathNodesink`
	`105`	`+from`
	`106`	`+ NonArrayPointerToArrayIndexingExprFlow::PathNodesource,`
	`107`	`+ NonArrayPointerToArrayIndexingExprFlow::PathNodesink`
`105`	`108`	`where`
`106`	`109`	`notisExcluded(sink.getNode().asExpr(),`
`107`	`110`	`InvalidMemory2Package::doNotUsePointerArithmeticOnNonArrayObjectPointersQuery())and`
`108`		`-any(NonArrayPointerToArrayIndexingExprConfigcfg).hasFlowPath(source,sink)`
	`111`	`+NonArrayPointerToArrayIndexingExprFlow::flowPath(source,sink)`
`109`	`112`	`selectsink,source,sink,"Pointer arithmetic on non-array object pointer."`

`‎c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql‎`

Lines changed: 10 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ import cpp`
`15`	`15`	`import codingstandards.c.cert`
`16`	`16`	`import codingstandards.c.Pointers`
`17`	`17`	`import codingstandards.cpp.dataflow.TaintTracking`
`18`		`-importDataFlow::PathGraph`
	`18`	`+importScaledIntegerPointerArithmeticFlow::PathGraph`
`19`	`19`
`20`	`20`	`/**`
`21`	`21`	* An expression which invokes the `offsetof` macro or `__builtin_offsetof` operation.
`@@ -69,12 +69,10 @@ class ScaledIntegerExpr extends Expr {`
`69`	`69`	* A data-flow configuration modeling data-flow from a `ScaledIntegerExpr` to a
`70`	`70`	* `PointerArithmeticExpr` where the pointer does not point to a 1-byte type.
`71`	`71`	`*/`
`72`		`-classScaledIntegerPointerArithmeticConfigextends DataFlow::Configuration{`
`73`		`-ScaledIntegerPointerArithmeticConfig(){this="ScaledIntegerPointerArithmeticConfig"}`
	`72`	`+module ScaledIntegerPointerArithmeticConfigimplements DataFlow::ConfigSig{`
	`73`	`+predicateisSource(DataFlow::Nodesrc){src.asExpr()instanceofScaledIntegerExpr}`
`74`	`74`
`75`		`-overridepredicateisSource(DataFlow::Nodesrc){src.asExpr()instanceofScaledIntegerExpr}`
`76`		`-`
`77`		`-overridepredicateisSink(DataFlow::Nodesink){`
	`75`	`+predicateisSink(DataFlow::Nodesink){`
`78`	`76`	`exists(PointerArithmeticExprpa\|`
`79`	`77`	`// exclude pointers to 1-byte types as they do not scale`
`80`	`78`	`pa.getPointer().getFullyConverted().getType().(DerivedType).getBaseType().getSize()!=1and`
`@@ -83,9 +81,13 @@ class ScaledIntegerPointerArithmeticConfig extends DataFlow::Configuration {`
`83`	`81`	`}`
`84`	`82`	`}`
`85`	`83`
`86`		`-fromScaledIntegerPointerArithmeticConfigconfig, DataFlow::PathNodesrc, DataFlow::PathNodesink`
	`84`	`+module ScaledIntegerPointerArithmeticFlow= DataFlow::Global<ScaledIntegerPointerArithmeticConfig>;`
	`85`	`+`
	`86`	`+from`
	`87`	`+ ScaledIntegerPointerArithmeticFlow::PathNodesrc,`
	`88`	`+ ScaledIntegerPointerArithmeticFlow::PathNodesink`
`87`	`89`	`where`
`88`	`90`	`notisExcluded(sink.getNode().asExpr(),`
`89`	`91`	`Pointers2Package::doNotAddOrSubtractAScaledIntegerToAPointerQuery())and`
`90`		`-config.hasFlowPath(src,sink)`
	`92`	`+ScaledIntegerPointerArithmeticFlow::flowPath(src,sink)`
`91`	`93`	`selectsink,src,sink,"Scaled integer used in pointer arithmetic."`

`‎c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql‎`

Lines changed: 8 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,10 +18,8 @@ import codingstandards.cpp.Concurrency`
`18`	`18`	`import codingstandards.cpp.dataflow.TaintTracking`
`19`	`19`	`import codingstandards.cpp.dataflow.DataFlow`
`20`	`20`
`21`		`-classTssCreateToTssDeleteDataFlowConfigurationextends DataFlow::Configuration{`
`22`		`-TssCreateToTssDeleteDataFlowConfiguration(){this="TssCreateToTssDeleteDataFlowConfiguration"}`
`23`		`-`
`24`		`-overridepredicateisSource(DataFlow::Nodenode){`
	`21`	`+module TssCreateToTssDeleteConfigimplements DataFlow::ConfigSig{`
	`22`	`+predicateisSource(DataFlow::Nodenode){`
`25`	`23`	`exists(TSSCreateFunctionCalltsc,Expre\|`
`26`	`24`	`// the only requirement of the source is that at some point`
`27`	`25`	`// it refers to the key of a create statement`
`@@ -30,7 +28,7 @@ class TssCreateToTssDeleteDataFlowConfiguration extends DataFlow::Configuration`
`30`	`28`	`)`
`31`	`29`	`}`
`32`	`30`
`33`		`-overridepredicateisSink(DataFlow::Nodenode){`
	`31`	`+predicateisSink(DataFlow::Nodenode){`
`34`	`32`	`exists(TSSDeleteFunctionCalltsd,Expre\|`
`35`	`33`	`// the only requirement of a sink is that at some point`
`36`	`34`	`// it references the key of a delete call.`
`@@ -40,15 +38,17 @@ class TssCreateToTssDeleteDataFlowConfiguration extends DataFlow::Configuration`
`40`	`38`	`}`
`41`	`39`	`}`
`42`	`40`
	`41`	`+module TssCreateToTssDeleteFlow= DataFlow::Global<TssCreateToTssDeleteConfig>;`
	`42`	`+`
`43`	`43`	`fromTSSCreateFunctionCalltcfc`
`44`	`44`	`where`
`45`	`45`	`notisExcluded(tcfc, Concurrency4Package::cleanUpThreadSpecificStorageQuery())and`
`46`	`46`	// all calls to `tss_create` must be bookended by calls to tss_delete
`47`	`47`	`// even if a thread is not created.`
`48`		`-notexists(TssCreateToTssDeleteDataFlowConfigurationconfig\|`
`49`		`-config.hasFlow(DataFlow::definitionByReferenceNodeFromArgument(tcfc.getKey()), _)`
	`48`	`+not(`
	`49`	`+TssCreateToTssDeleteFlow::flow(DataFlow::definitionByReferenceNodeFromArgument(tcfc.getKey()), _)`
`50`	`50`	`or`
`51`		`-config.hasFlow(DataFlow::exprNode(tcfc.getKey()), _)`
	`51`	`+TssCreateToTssDeleteFlow::flow(DataFlow::exprNode(tcfc.getKey()), _)`
`52`	`52`	`)`
`53`	`53`	`or`
`54`	`54`	`// if a thread is created, we must check additional items`

`‎c/cert/src/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.ql‎`

Lines changed: 18 additions & 22 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ import codingstandards.cpp.Alignment`
`17`	`17`	`import codingstandards.cpp.dataflow.DataFlow`
`18`	`18`	`import codingstandards.cpp.dataflow.DataFlow2`
`19`	`19`	`import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`
`20`		`-importDataFlow::PathGraph`
	`20`	`+importExprWithAlignmentToCStyleCastFlow::PathGraph`
`21`	`21`
`22`	`22`	`/**`
`23`	`23`	`* An expression with a type that has defined alignment requirements`
`@@ -96,8 +96,7 @@ class UnconvertedCastFromNonVoidPointerExpr extends Expr {`
`96`	`96`	`*/`
`97`	`97`	`classDefaultAlignedPointerExprextendsUnconvertedCastFromNonVoidPointerExpr,ExprWithAlignment{`
`98`	`98`	`DefaultAlignedPointerExpr(){`
`99`		`-notany(AllocationOrAddressOfExprToUnconvertedCastFromNonVoidPointerExprConfigconfig)`
`100`		`- .hasFlowTo(DataFlow::exprNode(this))`
	`99`	`+not AllocationOrAddressOfExprToUnconvertedCastFromNonVoidPointerExprFlow::flowTo(DataFlow::exprNode(this))`
`101`	`100`	`}`
`102`	`101`
`103`	`102`	`overrideintgetAlignment(){result=this.getType().(PointerType).getBaseType().getAlignment()}`
`@@ -118,43 +117,37 @@ class DefaultAlignedPointerExpr extends UnconvertedCastFromNonVoidPointerExpr, E`
`118`	`117`	* to exclude an `DefaultAlignedPointerAccessExpr` as a source if a preceding source
`119`	`118`	`* defined by this configuration provides more accurate alignment information.`
`120`	`119`	`*/`
`121`		`-classAllocationOrAddressOfExprToUnconvertedCastFromNonVoidPointerExprConfigextends DataFlow2::Configuration`
	`120`	`+module AllocationOrAddressOfExprToUnconvertedCastFromNonVoidPointerExprConfigimplements`
	`121`	`+ DataFlow::ConfigSig`
`122`	`122`	`{`
`123`		`-AllocationOrAddressOfExprToUnconvertedCastFromNonVoidPointerExprConfig(){`
`124`		`-this="AllocationOrAddressOfExprToUnconvertedCastFromNonVoidPointerExprConfig"`
`125`		`-}`
`126`		`-`
`127`		`-overridepredicateisSource(DataFlow::Nodesource){`
	`123`	`+predicateisSource(DataFlow::Nodesource){`
`128`	`124`	`source.asExpr()instanceofAddressOfAlignedVariableExpror`
`129`	`125`	`source.asExpr()instanceofDefinedAlignmentAllocationExpr`
`130`	`126`	`}`
`131`	`127`
`132`		`-overridepredicateisSink(DataFlow::Nodesink){`
	`128`	`+predicateisSink(DataFlow::Nodesink){`
`133`	`129`	`sink.asExpr()instanceofUnconvertedCastFromNonVoidPointerExpr`
`134`	`130`	`}`
`135`	`131`	`}`
`136`	`132`
	`133`	`+module AllocationOrAddressOfExprToUnconvertedCastFromNonVoidPointerExprFlow=`
	`134`	`+ DataFlow::Global<AllocationOrAddressOfExprToUnconvertedCastFromNonVoidPointerExprConfig>;`
	`135`	`+`
`137`	`136`	`/**`
`138`	`137`	* A data-flow configuration for analysing the flow of `ExprWithAlignment` pointer expressions
`139`	`138`	`* to casts which perform pointer type conversions and potentially create pointer alignment issues.`
`140`	`139`	`*/`
`141`		`-classExprWithAlignmentToCStyleCastConfigurationextends DataFlow::Configuration{`
`142`		`-ExprWithAlignmentToCStyleCastConfiguration(){`
`143`		`-this="ExprWithAlignmentToCStyleCastConfiguration"`
`144`		`-}`
	`140`	`+module ExprWithAlignmentToCStyleCastConfigimplements DataFlow::ConfigSig{`
	`141`	`+predicateisSource(DataFlow::Nodesource){source.asExpr()instanceofExprWithAlignment}`
`145`	`142`
`146`		`-overridepredicateisSource(DataFlow::Nodesource){`
`147`		`-source.asExpr()instanceofExprWithAlignment`
`148`		`-}`
`149`		`-`
`150`		`-overridepredicateisSink(DataFlow::Nodesink){`
	`143`	`+predicateisSink(DataFlow::Nodesink){`
`151`	`144`	`exists(CStyleCastcast\|`
`152`	`145`	`cast.getUnderlyingType()instanceofPointerTypeand`
`153`	`146`	`cast.getUnconverted()=sink.asExpr()`
`154`	`147`	`)`
`155`	`148`	`}`
`156`	`149`
`157`		`-overridepredicateisBarrierOut(DataFlow::Nodenode){`
	`150`	`+predicateisBarrierOut(DataFlow::Nodenode){`
`158`	`151`	`// the default interprocedural data-flow model flows through any array assignment expressions`
`159`	`152`	`// to the qualifier (array base or pointer dereferenced) instead of the individual element`
`160`	`153`	`// that the assignment modifies. this default behaviour causes false positives for any future`
`@@ -169,12 +162,15 @@ class ExprWithAlignmentToCStyleCastConfiguration extends DataFlow::Configuration`
`169`	`162`	`}`
`170`	`163`	`}`
`171`	`164`
	`165`	`+module ExprWithAlignmentToCStyleCastFlow= DataFlow::Global<ExprWithAlignmentToCStyleCastConfig>;`
	`166`	`+`
`172`	`167`	`from`
`173`		`- DataFlow::PathNodesource, DataFlow::PathNodesink,ExprWithAlignmentexpr,CStyleCastcast,`
	`168`	`+ ExprWithAlignmentToCStyleCastFlow::PathNodesource,`
	`169`	`+ ExprWithAlignmentToCStyleCastFlow::PathNodesink,ExprWithAlignmentexpr,CStyleCastcast,`
`174`	`170`	`TypetoBaseType,intalignmentFrom,intalignmentTo`
`175`	`171`	`where`
`176`	`172`	`notisExcluded(cast, Pointers3Package::doNotCastPointerToMoreStrictlyAlignedPointerTypeQuery())and`
`177`		`-any(ExprWithAlignmentToCStyleCastConfigurationconfig).hasFlowPath(source,sink)and`
	`173`	`+ExprWithAlignmentToCStyleCastFlow::flowPath(source,sink)and`
`178`	`174`	`source.getNode().asExpr()=exprand`
`179`	`175`	`sink.getNode().asExpr()=cast.getUnconverted()and`
`180`	`176`	`toBaseType=cast.getActualType().(PointerType).getBaseType()and`

`‎c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql‎`

Lines changed: 8 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@`
`14`	`14`	`import cpp`
`15`	`15`	`import codingstandards.c.cert`
`16`	`16`	`import codingstandards.cpp.dataflow.DataFlow`
`17`		`-importDataFlow::PathGraph`
	`17`	`+importSuspectFunctionPointerToCallFlow::PathGraph`
`18`	`18`
`19`	`19`	`/**`
`20`	`20`	* An expression of type `FunctionPointer` which is the unconverted expression of a cast
`@@ -37,26 +37,26 @@ class SuspiciousFunctionPointerCastExpr extends Expr {`
`37`	`37`	* Data-flow configuration for flow from a `SuspiciousFunctionPointerCastExpr`
`38`	`38`	`* to a call of the function pointer resulting from the function pointer cast`
`39`	`39`	`*/`
`40`		`-classSuspectFunctionPointerToCallConfigextends DataFlow::Configuration{`
`41`		`-SuspectFunctionPointerToCallConfig(){this="SuspectFunctionPointerToCallConfig"}`
`42`		`-`
`43`		`-overridepredicateisSource(DataFlow::Nodesrc){`
	`40`	`+module SuspectFunctionPointerToCallConfigimplements DataFlow::ConfigSig{`
	`41`	`+predicateisSource(DataFlow::Nodesrc){`
`44`	`42`	`src.asExpr()instanceofSuspiciousFunctionPointerCastExpr`
`45`	`43`	`}`
`46`	`44`
`47`		`-overridepredicateisSink(DataFlow::Nodesink){`
	`45`	`+predicateisSink(DataFlow::Nodesink){`
`48`	`46`	`exists(VariableCallcall\|sink.asExpr()=call.getExpr().(VariableAccess))`
`49`	`47`	`}`
`50`	`48`	`}`
`51`	`49`
	`50`	`+module SuspectFunctionPointerToCallFlow= DataFlow::Global<SuspectFunctionPointerToCallConfig>;`
	`51`	`+`
`52`	`52`	`from`
`53`		`-SuspectFunctionPointerToCallConfigconfig, DataFlow::PathNodesrc,DataFlow::PathNodesink,`
	`53`	`+SuspectFunctionPointerToCallFlow::PathNodesrc,SuspectFunctionPointerToCallFlow::PathNodesink,`
`54`	`54`	`Accessaccess`
`55`	`55`	`where`
`56`	`56`	`notisExcluded(src.getNode().asExpr(),`
`57`	`57`	`ExpressionsPackage::doNotCallFunctionPointerWithIncompatibleTypeQuery())and`
`58`	`58`	`access=src.getNode().asExpr()and`
`59`		`-config.hasFlowPath(src,sink)`
	`59`	`+SuspectFunctionPointerToCallFlow::flowPath(src,sink)`
`60`	`60`	`selectsrc,src,sink,`
`61`	`61`	`"Incompatible function $@ assigned to function pointer is eventually called through the pointer.",`
`62`	`62`	`access.getTarget(),access.getTarget().getName()`

`‎c/cert/src/rules/EXP39-C/DoNotAccessVariableViaPointerOfIncompatibleType.ql‎`

Lines changed: 14 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ import cpp`
`15`	`15`	`import codingstandards.c.cert`
`16`	`16`	`import codingstandards.cpp.dataflow.DataFlow`
`17`	`17`	`import semmle.code.cpp.controlflow.Dominance`
`18`		`-importDataFlow::PathGraph`
	`18`	`+importIndirectCastFlow::PathGraph`
`19`	`19`
`20`	`20`	`/**`
`21`	`21`	* The standard function `memset` and its assorted variants
`@@ -62,15 +62,15 @@ class IndirectCastReallocatedFlowState extends DataFlow::FlowState {`
`62`	`62`	`* other cast expressions or to dereferences of pointers reallocated with a call`
`63`	`63`	* to `realloc` but not cleared via a function call to `memset`.
`64`	`64`	`*/`
`65`		`-classIndirectCastConfigurationextends DataFlow::Configuration{`
`66`		`-IndirectCastConfiguration(){this="CastToIncompatibleTypeConfiguration"}`
	`65`	`+module IndirectCastConfigimplements DataFlow::StateConfigSig{`
	`66`	`+classFlowState= DataFlow::FlowState;`
`67`	`67`
`68`		`-overridepredicateisSource(DataFlow::Nodesource,DataFlow::FlowStatestate){`
	`68`	`+predicateisSource(DataFlow::Nodesource,FlowStatestate){`
`69`	`69`	`stateinstanceofIndirectCastDefaultFlowStateand`
`70`	`70`	`source.asExpr()instanceofIndirectCastAnalysisUnconvertedCastExpr`
`71`	`71`	`}`
`72`	`72`
`73`		`-overridepredicateisSink(DataFlow::Nodesink,DataFlow::FlowStatestate){`
	`73`	`+predicateisSink(DataFlow::Nodesink,FlowStatestate){`
`74`	`74`	`sink.asExpr()instanceofIndirectCastAnalysisUnconvertedCastExprand`
`75`	`75`	`stateinstanceofIndirectCastDefaultFlowState`
`76`	`76`	`or`
`@@ -103,17 +103,16 @@ class IndirectCastConfiguration extends DataFlow::Configuration {`
`103`	`103`	`)`
`104`	`104`	`}`
`105`	`105`
`106`		`-overridepredicateisBarrier(DataFlow::Nodenode,DataFlow::FlowStatestate){`
	`106`	`+predicateisBarrier(DataFlow::Nodenode,FlowStatestate){`
`107`	`107`	`stateinstanceofIndirectCastReallocatedFlowStateand`
`108`	`108`	`exists(FunctionCallfc\|`
`109`	`109`	`fc.getTarget()instanceofMemsetFunctionand`
`110`	`110`	`fc.getArgument(0)=node.asExpr()`
`111`	`111`	`)`
`112`	`112`	`}`
`113`	`113`
`114`		`-overridepredicateisAdditionalFlowStep(`
`115`		`- DataFlow::Nodenode1, DataFlow::FlowStatestate1, DataFlow::Nodenode2,`
`116`		`- DataFlow::FlowStatestate2`
	`114`	`+predicateisAdditionalFlowStep(`
	`115`	`+ DataFlow::Nodenode1,FlowStatestate1, DataFlow::Nodenode2,FlowStatestate2`
`117`	`116`	`){`
`118`	`117`	// track pointer flow through realloc calls and update state to `IndirectCastReallocatedFlowState`
`119`	`118`	`state1instanceofIndirectCastDefaultFlowStateand`
`@@ -135,6 +134,8 @@ class IndirectCastConfiguration extends DataFlow::Configuration {`
`135`	`134`	`}`
`136`	`135`	`}`
`137`	`136`
	`137`	`+module IndirectCastFlow= DataFlow::GlobalWithState<IndirectCastConfig>;`
	`138`	`+`
`138`	`139`	`pragma[inline]`
`139`	`140`	`predicateareTypesSameExceptForConstSpecifiers(Typea,Typeb){`
`140`	`141`	`a.stripType()=b.stripType()and`
`@@ -190,12 +191,14 @@ Type compatibleTypes(Type type) {`
`190`	`191`	`)`
`191`	`192`	`}`
`192`	`193`
`193`		`-from DataFlow::PathNodesource, DataFlow::PathNodesink,Castcast,TypefromType,TypetoType`
	`194`	`+from`
	`195`	`+ IndirectCastFlow::PathNodesource, IndirectCastFlow::PathNodesink,Castcast,TypefromType,`
	`196`	`+TypetoType`
`194`	`197`	`where`
`195`	`198`	`notisExcluded(sink.getNode().asExpr(),`
`196`	`199`	`Pointers3Package::doNotAccessVariableViaPointerOfIncompatibleTypeQuery())and`
`197`	`200`	`cast.getFile().compiledAsC()and`
`198`		`-any(IndirectCastConfigurationconfig).hasFlowPath(source,sink)and`
	`201`	`+IndirectCastFlow::flowPath(source,sink)and`
`199`	`202`	`// include only sinks which are not a compatible type to the associated source`
`200`	`203`	`source.getNode().asExpr()=cast.getUnconverted()and`
`201`	`204`	`fromType=cast.getUnconverted().getType().(PointerType).getBaseType()and`

`‎c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.ql‎`

Lines changed: 8 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@`
`13`	`13`	`import cpp`
`14`	`14`	`import codingstandards.c.cert`
`15`	`15`	`import codingstandards.cpp.dataflow.DataFlow`
`16`		`-importDataFlow::PathGraph`
	`16`	`+importCastFlow::PathGraph`
`17`	`17`	`import codingstandards.cpp.SideEffect`
`18`	`18`
`19`	`19`	`classConstRemovingCastextendsCast{`
`@@ -32,23 +32,23 @@ class MaybeReturnsStringLiteralFunctionCall extends FunctionCall {`
`32`	`32`	`}`
`33`	`33`	`}`
`34`	`34`
`35`		`-classMyDataFlowConfCastextends DataFlow::Configuration{`
`36`		`-MyDataFlowConfCast(){this="MyDataFlowConfCast"}`
`37`		`-`
`38`		`-overridepredicateisSource(DataFlow::Nodesource){`
	`35`	`+module CastConfigimplements DataFlow::ConfigSig{`
	`36`	`+predicateisSource(DataFlow::Nodesource){`
`39`	`37`	`source.asExpr().getFullyConverted()instanceofConstRemovingCast`
`40`	`38`	`or`
`41`	`39`	`source.asExpr().getFullyConverted()=any(MaybeReturnsStringLiteralFunctionCallc)`
`42`	`40`	`}`
`43`	`41`
`44`		`-overridepredicateisSink(DataFlow::Nodesink){`
	`42`	`+predicateisSink(DataFlow::Nodesink){`
`45`	`43`	`sink.asExpr()=any(Assignmenta).getLValue().(PointerDereferenceExpr).getOperand()`
`46`	`44`	`}`
`47`	`45`	`}`
`48`	`46`
`49`		`-fromMyDataFlowConfCastconf, DataFlow::PathNodesrc, DataFlow::PathNodesink`
	`47`	`+module CastFlow= DataFlow::Global<CastConfig>;`
	`48`	`+`
	`49`	`+from CastFlow::PathNodesrc, CastFlow::PathNodesink`
`50`	`50`	`where`
`51`		`-conf.hasFlowPath(src,sink)`
	`51`	`+CastFlow::flowPath(src,sink)`
`52`	`52`	`or`
`53`	`53`	`sink.getNode()`
`54`	`54`	`.asExpr()`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit67ab0aa

File tree

21 files changed

21 files changed

`‎c/cert/src/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql‎`

`‎c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql‎`

`‎c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql‎`

`‎c/cert/src/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.ql‎`

`‎c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql‎`

`‎c/cert/src/rules/EXP39-C/DoNotAccessVariableViaPointerOfIncompatibleType.ql‎`

`‎c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.ql‎`

0 commit comments