Address feedback

Author: MichaelRFairhurst

c/misra/src/codeql-suites/misra-c-audit.qls

@@ -0,0 +1,8 @@
+- description: MISRA C 2012 (Audit)
+- qlpack: codeql/misra-c-coding-standards
+- include:
+    kind:
+    - problem
+    - path-problem
+    tags contain:
+    - external/misra/c/audit

c/misra/src/rules/DIR-5-3/ThreadCreatedByThread.ql

@@ -19,27 +19,22 @@ import cpp
 import codingstandards.c.misra
 import codingstandards.cpp.Concurrency
 
-Function callers(Function f) { result = f.getACallToThisFunction().getEnclosingFunction() }
+class CThreadRoot extends Function {
+  CThreadCreateCall threadCreate;
 
-class ThreadReachableFunction extends Function {
-  /* The root threaded function from which this function is reachable */
-  Function threadRoot;
-
-  ThreadReachableFunction() {
-    exists(CThreadCreateCall tc |
-      tc.getFunction() = callers*(this) and
-      threadRoot = tc.getFunction()
-    )
+  CThreadRoot() {
+    threadCreate.getFunction() = this
   }
 
-  /* Get the root threaded function from which this function is reachable */
-  Function getThreadRoot() { result = threadRoot }
+  /* Get a function which is reachable from this function */
+  Function getAReachableFunction() { calls*(result) }
+
+  CThreadCreateCall getCThreadCreateCall() { result = threadCreate }
 }
 
-from CThreadCreateCall tc, ThreadReachableFunction enclosingFunction, Function threadRoot
+  from CThreadCreateCall tc, CThreadRoot threadRoot
 where
   not isExcluded(tc, Concurrency6Package::threadCreatedByThreadQuery()) and
-  enclosingFunction = tc.getEnclosingFunction() and
-  threadRoot = enclosingFunction.getThreadRoot()
-select tc, "Thread creation call reachable from threaded function '$@'.", threadRoot,
-  threadRoot.toString()
+  tc.getEnclosingFunction() = threadRoot.getAReachableFunction()
+select tc, "Thread creation call reachable from function '$@', which may also be $@.", threadRoot,
+  threadRoot.toString(), threadRoot.getCThreadCreateCall(), "started as a thread"

c/misra/src/rules/RULE-12-6/AtomicAggregateObjectDirectlyAccessed.ql

@@ -22,13 +22,13 @@ where
   (
     exists(FieldAccess fa |
       expr = fa and
-      fa.getQualifier().getUnderlyingType().hasSpecifier("atomic") and
+      fa.getQualifier().getType().hasSpecifier("atomic") and
       field = fa.getTarget()
     )
     or
     exists(PointerFieldAccess fa |
       expr = fa and
-      fa.getQualifier().getUnderlyingType().(PointerType).getBaseType().hasSpecifier("atomic") and
+      fa.getQualifier().getType().stripTopLevelSpecifiers().(PointerType).getBaseType().hasSpecifier("atomic") and
       field = fa.getTarget()
     )
   )

c/misra/src/rules/RULE-21-25/InvalidMemoryOrderArgument.ql

@@ -46,7 +46,7 @@ class MemoryOrderConstantExpr extends Expr {
   }
 
   /* Get the name of the `MemoryOrder` this expression is valued as. */
-  string getMemoryOrderString() { result = ord.toString() }
+  string getMemoryOrderString() { result = ord.getName() }
 }
 
 /**
@@ -56,26 +56,26 @@ class MemoryOrderedStdAtomicFunction extends Function {
   int orderParamIdx;
 
   MemoryOrderedStdAtomicFunction() {
-    exists(int baseParamIdx, int baseParams, string prefix, string suffix |
-      prefix = ["__", "__c11_"] and
-      suffix = ["", ".*", "_explicit"] and
+    exists(int baseParamIdx, int baseParams, string prefix, string regex, string basename |
+      regex = "__(c11_)?atomic_([a-z_]+)" and
+      prefix = getName().regexpCapture(regex, 1) and
+      basename = "atomic_" + getName().regexpCapture(regex, 2) + ["", "_explicit"] and
       (
-        getName().regexpMatch(prefix + ["atomic_thread_fence", "atomic_signal_fence"] + suffix) and
+        basename in ["atomic_thread_fence", "atomic_signal_fence"] and
         baseParamIdx = 0 and
         baseParams = 1
         or
-        getName()
-            .regexpMatch(prefix + ["atomic_load", "atomic_flag_clear", "atomic_flag_test_and_set"] +
-                suffix) and
+        basename in ["atomic_load", "atomic_flag_clear", "atomic_flag_test_and_set"] and
         baseParamIdx = 1 and
         baseParams = 2
         or
-        getName()
-            .regexpMatch(prefix + ["atomic_store", "atomic_fetch_.*", "atomic_exchange"] + suffix) and
+        basename in [
+            "atomic_store", "atomic_fetch_" + ["add", "sub", "or", "xor", "and"], "atomic_exchange"
+          ] and
         baseParamIdx = 2 and
         baseParams = 3
         or
-        getName().regexpMatch(prefix + "atomic_compare_exchange_.*" + suffix) and
+        basename in ["atomic_compare_exchange_" + ["strong", "weak"]] and
         baseParamIdx = [3, 4] and
         baseParams = 5
       ) and
@@ -84,8 +84,7 @@ class MemoryOrderedStdAtomicFunction extends Function {
         // __atomic_load(8, &repr->a, &desired, order)
         // or
         // __atomic_load_8(&repr->a, &desired, order)
-        prefix = "__" and
-        suffix = ".*" and
+        prefix = "" and
         exists(int extraParams |
           extraParams = getNumberOfParameters() - baseParams and
           extraParams >= 0 and
@@ -94,13 +93,7 @@ class MemoryOrderedStdAtomicFunction extends Function {
         or
         // Clang case, no inserted parameters:
         // __c11_atomic_load(object, order)
-        suffix = "" and
-        prefix = "__c11_" and
-        orderParamIdx = baseParamIdx
-        or
-        // Non-macro case, may occur in a subset of gcc/clang functions:
-        prefix = "" and
-        suffix = "_explicit" and
+        prefix = "c11_" and
         orderParamIdx = baseParamIdx
       )
     )
@@ -122,17 +115,6 @@ module MemoryOrderFlowConfig implements DataFlow::ConfigSig {
       node.asExpr() = literal and
       not literal.getValue().toInt() = any(AllowedMemoryOrder a).getValue().toInt()
     )
-    or
-    // Everything else: not a memory order constant or an integer valued literal, also exclude
-    // variables and functions, things that flow further back.
-    exists(Expr e |
-      node.asExpr() = e and
-      not e instanceof MemoryOrderConstantAccess and
-      not e instanceof Literal and
-      not e instanceof VariableAccess and
-      not e instanceof FunctionCall and
-      not DataFlow::localFlowStep(_, node)
-    )
   }
 
   predicate isSink(DataFlow::Node node) {
@@ -169,4 +151,4 @@ where
   not value = any(AllowedMemoryOrder e).getName() and
   function.getACallToThisFunction().getAnArgument() = argument
 select argument, source, sink, "Invalid memory order '$@' in call to function '$@'.", value, value,
-  function, function.toString()
+  function, function.getName()

c/misra/test/rules/RULE-12-6/AtomicAggregateObjectDirectlyAccessed.expected

@@ -2,3 +2,12 @@
 | test.c:44:18:44:18 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |
 | test.c:45:13:45:13 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |
 | test.c:46:18:46:18 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |
+| test.c:65:6:65:6 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |
+| test.c:71:9:71:9 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |
+| test.c:82:18:82:18 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |
+| test.c:83:3:83:31 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |
+| test.c:84:3:84:39 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |
+| test.c:85:3:85:19 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |
+| test.c:86:3:86:23 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |
+| test.c:87:3:87:19 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |
+| test.c:88:3:88:23 | x | Invalid access to member '$@' on atomic struct or union. | test.c:5:7:5:7 | x | x |

c/misra/test/rules/RULE-12-6/test.c

@@ -58,4 +58,32 @@ void f1() {
   *s1_atomic_ptr = (s1){0};                         // COMPLIANT
   s1_atomic_ptr = l2;                               // COMPLIANT
   s1_atomic_ptr->x;                                 // COMPLIANT
+
+  // Atomic specifier hidden behind a typedef, still atomic:
+  typedef _Atomic s1 atomic_s1;
+  atomic_s1 l3;
+  l3.x; // NON_COMPLIANT
+
+  // Worst case scenario: a typedef of a volatile const pointer to an atomic
+  // typedef type.
+  typedef atomic_s1 *volatile const atomic_s1_specified_ptr;
+  atomic_s1_specified_ptr l4;
+  (l4)->x; // NON_COMPLIANT
+}
+
+#define NOOP(x) (x)
+#define DOT_FIELD_ACCESS_X(v) (v).x
+#define POINTER_FIELD_ACCESS_X(v) (v)->x
+#define GET_X_ATOMIC_S1() atomic_s1.x
+#define GET_X_PTR_ATOMIC_S1() atomic_s1.x
+
+void f2() {
+  // Banned UB with user macros:
+  NOOP(atomic_s1.x);                     // NON-COMPLIANT
+  DOT_FIELD_ACCESS_X(atomic_s1);         // NON-COMPLIANT
+  POINTER_FIELD_ACCESS_X(ptr_atomic_s1); // NON-COMPLIANT
+  GET_X_ATOMIC_S1();                     // NON-COMPLIANT
+  GET_X_PTR_ATOMIC_S1();                 // NON-COMPLIANT
+  GET_X_ATOMIC_S1() = 0;                 // NON-COMPLIANT
+  GET_X_PTR_ATOMIC_S1() = 0;             // NON-COMPLIANT
 }

c/misra/test/rules/RULE-21-25/InvalidMemoryOrderArgument.expected

@@ -17,25 +17,35 @@ edges
 | test.c:4:5:4:6 | *g2 | test.c:68:23:68:24 | g2 | provenance |  |
 | test.c:4:5:4:6 | *g2 | test.c:71:23:71:24 | g2 | provenance |  |
 | test.c:4:10:4:29 | memory_order_relaxed | test.c:4:5:4:6 | *g2 | provenance |  |
+| test.c:4:10:4:29 | memory_order_relaxed | test.c:4:10:4:29 | memory_order_relaxed | provenance |  |
 | test.c:5:5:5:6 | *g3 | test.c:72:23:72:24 | g3 | provenance |  |
 | test.c:5:10:5:29 | memory_order_acquire | test.c:5:5:5:6 | *g3 | provenance |  |
+| test.c:5:10:5:29 | memory_order_acquire | test.c:5:10:5:29 | memory_order_acquire | provenance |  |
 | test.c:6:5:6:6 | *g4 | test.c:73:23:73:24 | g4 | provenance |  |
 | test.c:6:10:6:29 | memory_order_consume | test.c:6:5:6:6 | *g4 | provenance |  |
+| test.c:6:10:6:29 | memory_order_consume | test.c:6:10:6:29 | memory_order_consume | provenance |  |
 | test.c:7:5:7:6 | *g5 | test.c:74:23:74:24 | g5 | provenance |  |
 | test.c:7:10:7:29 | memory_order_acq_rel | test.c:7:5:7:6 | *g5 | provenance |  |
+| test.c:7:10:7:29 | memory_order_acq_rel | test.c:7:10:7:29 | memory_order_acq_rel | provenance |  |
 | test.c:8:5:8:6 | *g6 | test.c:75:23:75:24 | g6 | provenance |  |
 | test.c:8:10:8:29 | memory_order_release | test.c:8:5:8:6 | *g6 | provenance |  |
+| test.c:8:10:8:29 | memory_order_release | test.c:8:10:8:29 | memory_order_release | provenance |  |
 nodes
 | test.c:4:5:4:6 | *g2 | semmle.label | *g2 |
 | test.c:4:10:4:29 | memory_order_relaxed | semmle.label | memory_order_relaxed |
+| test.c:4:10:4:29 | memory_order_relaxed | semmle.label | memory_order_relaxed |
 | test.c:5:5:5:6 | *g3 | semmle.label | *g3 |
 | test.c:5:10:5:29 | memory_order_acquire | semmle.label | memory_order_acquire |
+| test.c:5:10:5:29 | memory_order_acquire | semmle.label | memory_order_acquire |
 | test.c:6:5:6:6 | *g4 | semmle.label | *g4 |
 | test.c:6:10:6:29 | memory_order_consume | semmle.label | memory_order_consume |
+| test.c:6:10:6:29 | memory_order_consume | semmle.label | memory_order_consume |
 | test.c:7:5:7:6 | *g5 | semmle.label | *g5 |
 | test.c:7:10:7:29 | memory_order_acq_rel | semmle.label | memory_order_acq_rel |
+| test.c:7:10:7:29 | memory_order_acq_rel | semmle.label | memory_order_acq_rel |
 | test.c:8:5:8:6 | *g6 | semmle.label | *g6 |
 | test.c:8:10:8:29 | memory_order_release | semmle.label | memory_order_release |
+| test.c:8:10:8:29 | memory_order_release | semmle.label | memory_order_release |
 | test.c:16:29:16:48 | memory_order_relaxed | semmle.label | memory_order_relaxed |
 | test.c:17:29:17:48 | memory_order_acquire | semmle.label | memory_order_acquire |
 | test.c:18:29:18:48 | memory_order_consume | semmle.label | memory_order_consume |
@@ -62,10 +72,8 @@ nodes
 | test.c:73:23:73:24 | g4 | semmle.label | g4 |
 | test.c:74:23:74:24 | g5 | semmle.label | g5 |
 | test.c:75:23:75:24 | g6 | semmle.label | g6 |
-| test.c:78:23:78:46 | ... * ... | semmle.label | ... * ... |
 | test.c:79:23:79:23 | 1 | semmle.label | 1 |
 | test.c:80:23:80:25 | 100 | semmle.label | 100 |
-| test.c:81:23:81:28 | ... + ... | semmle.label | ... + ... |
 subpaths
 #select
 | test.c:16:29:16:48 | memory_order_relaxed | test.c:16:29:16:48 | memory_order_relaxed | test.c:16:29:16:48 | memory_order_relaxed | Invalid memory order '$@' in call to function '$@'. | memory_order_relaxed | memory_order_relaxed | file://:0:0:0:0 | __c11_atomic_load | __c11_atomic_load |
@@ -96,4 +104,3 @@ subpaths
 | test.c:75:23:75:24 | g6 | test.c:8:10:8:29 | memory_order_release | test.c:75:23:75:24 | g6 | Invalid memory order '$@' in call to function '$@'. | memory_order_release | memory_order_release | file://:0:0:0:0 | __c11_atomic_thread_fence | __c11_atomic_thread_fence |
 | test.c:79:23:79:23 | 1 | test.c:79:23:79:23 | 1 | test.c:79:23:79:23 | 1 | Invalid memory order '$@' in call to function '$@'. | memory_order_consume | memory_order_consume | file://:0:0:0:0 | __c11_atomic_thread_fence | __c11_atomic_thread_fence |
 | test.c:80:23:80:25 | 100 | test.c:80:23:80:25 | 100 | test.c:80:23:80:25 | 100 | Invalid memory order '$@' in call to function '$@'. | 100 | 100 | file://:0:0:0:0 | __c11_atomic_thread_fence | __c11_atomic_thread_fence |
-| test.c:81:23:81:28 | ... + ... | test.c:81:23:81:28 | ... + ... | test.c:81:23:81:28 | ... + ... | Invalid memory order '$@' in call to function '$@'. | ... + ... | ... + ... | file://:0:0:0:0 | __c11_atomic_thread_fence | __c11_atomic_thread_fence |

c/misra/test/rules/RULE-21-25/test.c

@@ -78,7 +78,7 @@ void f(int p) {
   atomic_thread_fence(memory_order_seq_cst * 1); // COMPLIANT
   atomic_thread_fence(1);                        // NON-COMPLIANT
   atomic_thread_fence(100);                      // NON-COMPLIANT
-  atomic_thread_fence(g1 + 1);                   // NON-COMPLIANT
+  atomic_thread_fence(g1 + 1);                   // NON_COMPLIANT[FALSE_NEGATIVE]
 
   // No unsafe flow, currently accepted:
   atomic_thread_fence(p); // COMPLIANT