Address feedback

Author: MichaelRFairhurst

c/misra/src/rules/RULE-18-10/PointersToVariablyModifiedArrayTypesUsed.ql

@@ -18,84 +18,11 @@ import cpp
 import codingstandards.c.misra
 import codingstandards.cpp.VariablyModifiedTypes
 
-/**
- * Check that the declaration entry, which may be a parameter or a variable
- * etc., seems to subsume the location of `inner`, including the declaration
- * type text.
- *
- * The location of the `DeclarationEntry` itself points to the _identifier_
- * that is declared. This range will not include the type of the declaration.
- *
- * For parameters, the `before` and `end` `Location` objects will be
- * constrained to the closest earlier element (parameter or function body),
- * these values can therefore be captured and inspected for debugging.
- *
- * For declarations which occur in statements, the `before` and `end`
- * `Location` objects will be both constrained to be equal, and equal to,
- * the `Location` of the containing `DeclStmt`.
- */
-predicate declarationSubsumes(
-  DeclarationEntry entry, Location inner, Location before, Location after
-) {
-  inner.getFile() = entry.getLocation().getFile() and
-  (
-    exists(ParameterDeclarationEntry param, FunctionDeclarationEntry func, int i |
-      param = entry and
-      func = param.getFunctionDeclarationEntry() and
-      func.getParameterDeclarationEntry(i) = param and
-      before = entry.getLocation() and
-      (
-        after = func.getParameterDeclarationEntry(i + 1).getLocation()
-        or
-        not exists(ParameterDeclarationEntry afterParam |
-          afterParam = func.getParameterDeclarationEntry(i + 1)
-        ) and
-        after = func.getBlock().getLocation()
-      )
-    ) and
-    before.isBefore(inner, _) and
-    inner.isBefore(after, _)
-    or
-    exists(DeclStmt s |
-      s.getADeclaration() = entry.getDeclaration() and
-      before = s.getLocation() and
-      after = before and
-      before.subsumes(inner)
-    )
-  )
-}
-
-/**
- * A declaration involving a pointer to a variably-modified type.
- */
-class InvalidDeclaration extends DeclarationEntry {
-  Expr sizeExpr;
-  CandidateVlaType vlaType;
-  // `before` and `after` are captured for debugging, see doc comment for
-  // `declarationSubsumes`.
-  Location before;
-  Location after;
-
-  InvalidDeclaration() {
-    sizeExpr = any(VlaDimensionStmt vla).getDimensionExpr() and
-    declarationSubsumes(this, sizeExpr.getLocation(), before, after) and
-    (
-      if this instanceof ParameterDeclarationEntry
-      then vlaType = this.getType().(VariablyModifiedTypeIfAdjusted).getInnerVlaType()
-      else vlaType = this.getType().(VariablyModifiedTypeIfUnadjusted).getInnerVlaType()
-    ) and
-    // Capture only pointers to VLA types, not raw VLA types.
-    not vlaType = this.getType()
-  }
-
-  Expr getSizeExpr() { result = sizeExpr }
-
-  CandidateVlaType getVlaType() { result = vlaType }
-}
-
-from InvalidDeclaration v, string declstr, string adjuststr, string relationstr
+from VmtDeclarationEntry v, string declstr, string adjuststr, string relationstr
 where
   not isExcluded(v, InvalidMemory3Package::pointersToVariablyModifiedArrayTypesUsedQuery()) and
+  // Capture only pointers to VLA types, not raw VLA types.
+  not v.getVlaType() = v.getType() and
   (
     if v instanceof ParameterDeclarationEntry
     then declstr = "Parameter "

c/misra/src/rules/RULE-18-8/VariableLengthArrayTypesUsed.ql

@@ -20,9 +20,11 @@ where
   not isExcluded(v, Declarations7Package::variableLengthArrayTypesUsedQuery()) and
   size = v.getVlaDimensionStmt(0).getDimensionExpr() and
   (
-    arrayType = v.getVariable().getType()
+    // Holds is if v is a variable declaration:
+    arrayType = v.getVariable().getType().stripTopLevelSpecifiers()
     or
-    arrayType = v.getType().getUnspecifiedType()
+    // Holds is if v is a typedef declaration:
+    arrayType = v.getType().stripTopLevelSpecifiers()
   ) and
   typeStr = arrayType.getBaseType().toString()
 select v, "Variable length array of element type '" + typeStr + "' with non-constant size $@.",

c/misra/src/rules/RULE-18-9/ArrayToPointerConversionOfTemporaryObject.ql

@@ -18,32 +18,20 @@ import codingstandards.c.misra
 import codingstandards.cpp.lifetimes.CLifetimes
 
 /**
- * Get the expression(s) whose value is "used" by this expression.
+ * Holds if the value of an expression is used or stored.
  *
  * For instance, `(x)` does not use any values, but `x + y` uses `x` and `y`.
  *
  * A pointer-to-array conversion does not need to be flagged if the result of
  * that conversion is not used or stored.
  */
-Expr usedValuesOf(Expr expr) {
-  result = expr.(BinaryOperation).getLeftOperand()
+predicate isUsedOrStored(Expr e) {
+  e = any(Operation o).getAnOperand()
   or
-  result = expr.(BinaryOperation).getRightOperand()
+  e = any(ConditionalExpr c).getCondition()
   or
-  result = expr.(UnaryOperation).getOperand()
+  e = any(Call c).getAnArgument()
   or
-  result = expr.(ConditionalExpr).getCondition()
-  or
-  result = expr.(Call).getAnArgument()
-}
-
-/**
- * Get the expression(s) whose value is stored by this declaration.
- *
- * A pointer-to-array conversion does not need to be flagged if the result of
- * that conversion is not used or stored.
- */
-predicate isStored(Expr e) {
   e = any(VariableDeclarationEntry d).getDeclaration().getInitializer().getExpr()
   or
   e = any(ClassAggregateLiteral l).getAFieldExpr(_)
@@ -77,10 +65,6 @@ where
   not isExcluded(conversion, InvalidMemory3Package::arrayToPointerConversionOfTemporaryObjectQuery()) and
   fa.getTemporary() = temporary and
   conversion.getExpr() = fa and
-  (
-    temporaryObjectFlowStep*(conversion.getExpr()) = usedValuesOf(any(Expr e))
-    or
-    isStored(temporaryObjectFlowStep*(conversion.getExpr()))
-  )
+  isUsedOrStored(temporaryObjectFlowStep*(conversion.getExpr()))
 select conversion, "Array to pointer conversion of array $@ from temporary object $@",
   fa.getTarget(), fa.getTarget().getName(), temporary, temporary.toString()

cpp/common/src/codingstandards/cpp/VariablyModifiedTypes.qll

@@ -1,5 +1,82 @@
 import cpp
 
+/**
+ * A declaration involving a variably-modified type.
+ */
+class VmtDeclarationEntry extends DeclarationEntry {
+  Expr sizeExpr;
+  CandidateVlaType vlaType;
+  // `before` and `after` are captured for debugging, see doc comment for
+  // `declarationSubsumes`.
+  Location before;
+  Location after;
+
+  VmtDeclarationEntry() {
+    // Most of this library looks for candidate VLA types, by looking for arrays
+    // without a size. These may or may not be VLA types. To confirm an a
+    // candidate type is really a VLA type, we check that the location of the
+    // declaration subsumes a `VlaDimensionStmt` which indicates a real VLA.
+    sizeExpr = any(VlaDimensionStmt vla).getDimensionExpr() and
+    declarationSubsumes(this, sizeExpr.getLocation(), before, after) and
+    (
+      if this instanceof ParameterDeclarationEntry
+      then vlaType = this.getType().(VariablyModifiedTypeIfAdjusted).getInnerVlaType()
+      else vlaType = this.getType().(VariablyModifiedTypeIfUnadjusted).getInnerVlaType()
+    )
+  }
+
+  Expr getSizeExpr() { result = sizeExpr }
+
+  CandidateVlaType getVlaType() { result = vlaType }
+}
+
+/**
+ * Check that the declaration entry, which may be a parameter or a variable
+ * etc., seems to subsume the location of `inner`, including the declaration
+ * type text.
+ *
+ * The location of the `DeclarationEntry` itself points to the _identifier_
+ * that is declared. This range will not include the type of the declaration.
+ *
+ * For parameters, the `before` and `end` `Location` objects will be
+ * constrained to the closest earlier element (parameter or function body),
+ * these values can therefore be captured and inspected for debugging.
+ *
+ * For declarations which occur in statements, the `before` and `end`
+ * `Location` objects will be both constrained to be equal, and equal to,
+ * the `Location` of the containing `DeclStmt`.
+ */
+private predicate declarationSubsumes(
+  DeclarationEntry entry, Location inner, Location before, Location after
+) {
+  inner.getFile() = entry.getLocation().getFile() and
+  (
+    exists(ParameterDeclarationEntry param, FunctionDeclarationEntry func, int i |
+      param = entry and
+      func = param.getFunctionDeclarationEntry() and
+      func.getParameterDeclarationEntry(i) = param and
+      before = entry.getLocation() and
+      (
+        after = func.getParameterDeclarationEntry(i + 1).getLocation()
+        or
+        not exists(ParameterDeclarationEntry afterParam |
+          afterParam = func.getParameterDeclarationEntry(i + 1)
+        ) and
+        after = func.getBlock().getLocation()
+      )
+    ) and
+    before.isBefore(inner, _) and
+    inner.isBefore(after, _)
+    or
+    exists(DeclStmt s |
+      s.getADeclaration() = entry.getDeclaration() and
+      before = s.getLocation() and
+      after = before and
+      before.subsumes(inner)
+    )
+  )
+}
+
 /**
  * A candidate to be a variably length array type (VLA).
  *
@@ -90,19 +167,13 @@ class NoAdjustmentVariablyModifiedType extends Type {
   NoAdjustmentVariablyModifiedType() {
     exists(Type innerType |
       (
-        innerType = this.(PointerType).getBaseType()
-        or
-        innerType = this.(ArrayType).getBaseType()
+        innerType = this.(DerivedType).getBaseType()
         or
         innerType = this.(RoutineType).getReturnType()
         or
-        innerType = this.(RoutineType).getAParameterType()
-        or
         innerType = this.(FunctionPointerType).getReturnType()
         or
         innerType = this.(TypedefType).getBaseType()
-        or
-        innerType = this.(SpecifiedType).getBaseType()
       ) and
       vlaType = innerType.(VariablyModifiedTypeIfUnadjusted).getInnerVlaType()
     )

cpp/common/src/codingstandards/cpp/lifetimes/CLifetimes.qll

@@ -25,7 +25,7 @@ class TemporaryLifetimeExpr extends Expr {
     getUnconverted().getUnspecifiedType() instanceof StructOrUnionTypeWithArrayField and
     not isCLValue(this)
     or
-    this.(ArrayExpr).getArrayBase() instanceof TemporaryLifetimeArrayAccess
+    this.getUnconverted().(ArrayExpr).getArrayBase() instanceof TemporaryLifetimeArrayAccess
   }
 }