Merge remote-tracking branch 'origin/main' into michaelrfairhurst/implement-concurrency9-package

Author: MichaelRFairhurst

c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql

@@ -13,7 +13,7 @@
 
 import cpp
 import codingstandards.c.cert
-import codingstandards.cpp.Pointers
+import codingstandards.cpp.types.Pointers
 import semmle.code.cpp.dataflow.TaintTracking
 import ScaledIntegerPointerArithmeticFlow::PathGraph
 

c/cert/src/rules/DCL40-C/IncompatibleFunctionDeclarations.ql

@@ -16,7 +16,7 @@
 
 import cpp
 import codingstandards.c.cert
-import codingstandards.cpp.Compatible
+import codingstandards.cpp.types.Compatible
 import ExternalIdentifiers
 
 from ExternalIdentifiers d, FunctionDeclarationEntry f1, FunctionDeclarationEntry f2
@@ -29,12 +29,10 @@ where
   f1.getName() = f2.getName() and
   (
     //return type check
-    not typesCompatible(f1.getType(), f2.getType())
+    not FunctionDeclarationTypeEquivalence<TypesCompatibleConfig>::equalReturnTypes(f1, f2)
     or
     //parameter type check
-    parameterTypesIncompatible(f1, f2)
-    or
-    not f1.getNumberOfParameters() = f2.getNumberOfParameters()
+    not FunctionDeclarationTypeEquivalence<TypesCompatibleConfig>::equalParameterTypes(f1, f2)
   ) and
   // Apply ordering on start line, trying to avoid the optimiser applying this join too early
   // in the pipeline

c/common/src/codingstandards/c/Generic.qll

@@ -0,0 +1,150 @@
+import cpp
+import codingstandards.cpp.Macro
+import codingstandards.cpp.MatchingParenthesis
+
+string genericRegexp() { result = "\\b_Generic\\s*\\(\\s*(.+),.*" }
+
+bindingset[input]
+string deparenthesize(string input) {
+  input = "(" + result + ")" and
+  result = input.substring(1, input.length() - 1)
+}
+
+class GenericMacro extends Macro {
+  string ctrlExpr;
+
+  GenericMacro() { ctrlExpr = getBody().regexpCapture(genericRegexp(), 1).trim() }
+
+  string getAParameter() { result = this.(FunctionLikeMacro).getAParameter() }
+
+  string getControllingExprString() {
+    if exists(string s | s = deparenthesize(ctrlExpr))
+    then result = deparenthesize(ctrlExpr).trim()
+    else result = ctrlExpr
+  }
+
+  /**
+   * Whether the controlling expression of the `_Generic` expr in this macro's controlling
+   * expression refers to one of this macro's parameters.
+   */
+  predicate hasControllingExprFromMacroParameter() {
+    getControllingExprString().matches(getAParameter())
+  }
+}
+
+class GenericMacroString extends string {
+  GenericMacroString() { this = any(Macro m).getBody() and this.matches("%_Generic%") }
+}
+
+import MatchingParenthesis<GenericMacroString>
+
+class ParsedGenericMacro extends Macro {
+  ParsedRoot macroBody;
+  Parsed genericBody;
+  string beforeGenericBody;
+  string afterGenericBody;
+
+  ParsedGenericMacro() {
+    macroBody.getInputString() = this.getBody() and
+    exists(ParsedText genericText |
+      genericText.getText().matches("%_Generic%") and
+      genericBody = genericText.getParent().getChild(genericText.getChildIdx() + 1) and
+      genericBody.getRoot() = macroBody
+    ) and
+    beforeGenericBody =
+      textFrom(macroBody.getStartToken(), genericBody.getStartToken().getPrevious()) and
+    (
+      if exists(genericBody.getEndToken().getNext())
+      then afterGenericBody = textFrom(genericBody.getEndToken().getNext(), macroBody.getEndToken())
+      else afterGenericBody = ""
+    )
+  }
+
+  string getAParameter() { result = this.(FunctionLikeMacro).getAParameter() }
+
+  int getAParsedGenericCommaSeparatorOffset() {
+    exists(ParsedText text |
+      text.getParent() = genericBody and
+      result = text.getStartToken().getStartPos() + text.getText().indexOf(",")
+    )
+  }
+
+  int getAParsedGenericColonSeparatorOffset() {
+    exists(ParsedText text |
+      text.getParent() = genericBody and
+      result = text.getStartToken().getStartPos() + text.getText().indexOf(":")
+    )
+  }
+
+  int getParsedGenericCommaSeparatorOffset(int i) {
+    result = rank[i](int index | index = getAParsedGenericCommaSeparatorOffset())
+  }
+
+  bindingset[start, end]
+  int getParsedGenericColon(int start, int end) {
+    result =
+      min(int offset |
+        offset = getAParsedGenericColonSeparatorOffset() and
+        offset >= start and
+        offset <= end
+      )
+  }
+
+  predicate hasParsedFullSelectionRange(int idx, int start, int end) {
+    idx = 1 and
+    start = genericBody.getStartToken().getEndPos() and
+    end = getParsedGenericCommaSeparatorOffset(idx)
+    or
+    not exists(getParsedGenericCommaSeparatorOffset(idx)) and
+    start = getParsedGenericCommaSeparatorOffset(idx - 1) and
+    end = genericBody.getEndToken().getStartPos()
+    or
+    start = getParsedGenericCommaSeparatorOffset(idx - 1) and
+    end = getParsedGenericCommaSeparatorOffset(idx)
+  }
+
+  string getSelectionString(int idx) {
+    exists(int start, int rawStart, int end |
+      hasParsedFullSelectionRange(idx, rawStart, end) and
+      (
+        if exists(getParsedGenericColon(rawStart, end))
+        then start = getParsedGenericColon(rawStart, end)
+        else start = rawStart
+      ) and
+      result = genericBody.getInputString().substring(start, end)
+    )
+  }
+
+  string getControllingExprString() { result = getSelectionString(1).trim() }
+
+  bindingset[str, word]
+  private int countWordInString(string word, string str) {
+    result =
+      max(int occurrence |
+        exists(str.regexpFind("\\b" + word + "\\b", occurrence, _)) or occurrence = -1
+      |
+        occurrence + 1
+      )
+  }
+
+  int expansionsOutsideExpr(string parameter) {
+    parameter = getAParameter() and
+    result =
+      countWordInString(parameter, beforeGenericBody) +
+        countWordInString(parameter, afterGenericBody)
+  }
+
+  int expansionsInsideSelection(string parameter, int idx) {
+    parameter = getAParameter() and
+    result = countWordInString(parameter, getSelectionString(idx))
+  }
+
+  int expansionsInsideControllingExpr(string parameter) {
+    result = expansionsInsideSelection(parameter, 1)
+  }
+
+  int expansionsInsideAssociation(string parameter, int idx) {
+    not idx = 0 and
+    result = expansionsInsideSelection(parameter, idx + 1)
+  }
+}

c/common/src/codingstandards/c/OutOfBounds.qll

@@ -5,7 +5,7 @@
  */
 
 import cpp
-import codingstandards.cpp.Pointers
+import codingstandards.cpp.types.Pointers
 import codingstandards.c.Variable
 import codingstandards.cpp.Allocations
 import codingstandards.cpp.Overflow

c/common/src/codingstandards/c/UndefinedBehavior.qll

@@ -1,5 +1,5 @@
 import cpp
-import codingstandards.cpp.Pointers
+import codingstandards.cpp.types.Pointers
 import codingstandards.cpp.UndefinedBehavior
 
 /**

c/misra/src/codingstandards/c/misra/EssentialTypes.qll

@@ -164,14 +164,14 @@ EssentialTypeCategory getEssentialTypeCategory(Type type) {
  */
 pragma[nomagic]
 Type getEssentialType(Expr e) {
-  if e.hasExplicitConversion()
-  then
-    if e.getConversion() instanceof ParenthesisExpr
-    then
-      if e.getConversion().(ParenthesisExpr).hasExplicitConversion()
-      then result = e.getConversion().(ParenthesisExpr).getConversion().getType()
-      else result = e.getConversion().(ParenthesisExpr).getExpr().(EssentialExpr).getEssentialType()
-    else result = e.getConversion().getType()
+  if e.hasConversion()
+  then result = getEssentialTypeOfConversion(e.getFullyConverted())
+  else result = e.(EssentialExpr).getEssentialType()
+}
+
+Type getEssentialTypeOfConversion(Expr e) {
+  if e.(Conversion).isImplicit() or e instanceof ParenthesisExpr or e instanceof C11GenericExpr
+  then result = getEssentialTypeOfConversion(e.(Conversion).getExpr())
   else result = e.(EssentialExpr).getEssentialType()
 }
 
@@ -455,7 +455,7 @@ class EssentialLiteral extends EssentialExpr, Literal {
             if underlyingStandardType.(IntType).isSigned()
             then result = stlr(this)
             else result = utlr(this)
-          else result = underlyingStandardType
+          else result = getStandardType()
         )
     )
   }

c/misra/src/rules/DIR-4-15/PossibleMisuseOfUndetectedInfinity.ql

@@ -0,0 +1,142 @@
+/**
+ * @id c/misra/possible-misuse-of-undetected-infinity
+ * @name DIR-4-15: Evaluation of floating-point expressions shall not lead to the undetected generation of infinities
+ * @description Evaluation of floating-point expressions shall not lead to the undetected generation
+ *              of infinities.
+ * @kind path-problem
+ * @precision medium
+ * @problem.severity warning
+ * @tags external/misra/id/dir-4-15
+ *       correctness
+ *       external/misra/c/2012/amendment3
+ *       external/misra/obligation/required
+ */
+
+import cpp
+import codeql.util.Boolean
+import codingstandards.c.misra
+import codingstandards.cpp.RestrictedRangeAnalysis
+import codingstandards.cpp.FloatingPoint
+import codingstandards.cpp.AlertReporting
+import semmle.code.cpp.controlflow.Guards
+import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.dataflow.new.TaintTracking
+import semmle.code.cpp.controlflow.Dominance
+
+module InvalidInfinityUsage implements DataFlow::ConfigSig {
+  /**
+   * An operation which does not have Infinity as an input, but may produce Infinity, according
+   * to the `RestrictedRangeAnalysis` module.
+   */
+  predicate isSource(DataFlow::Node node) {
+    potentialSource(node) and
+    not exists(DataFlow::Node prior |
+      isAdditionalFlowStep(prior, node) and
+      potentialSource(prior)
+    )
+  }
+
+  /**
+   * An operation which may produce Infinity acconding to the `RestrictedRangeAnalysis` module.
+   */
+  additional predicate potentialSource(DataFlow::Node node) {
+    node.asExpr() instanceof Operation and
+    exprMayEqualInfinity(node.asExpr(), _)
+  }
+
+  predicate isBarrierOut(DataFlow::Node node) {
+    guardedNotFPClass(node.asExpr(), TInfinite())
+    or
+    exists(Expr e |
+      e.getType() instanceof IntegralType and
+      e = node.asConvertedExpr()
+    )
+  }
+
+  /**
+   * An additional flow step to handle operations which propagate Infinity.
+   *
+   * This double checks that an Infinity may propagate by checking the `RestrictedRangeAnalysis`
+   * value estimate. This is conservative, since `RestrictedRangeAnalysis` is performed locally
+   * in scope with unanalyzable values in a finite range. However, this conservative approach
+   * leverages analysis of guards and other local conditions to avoid false positives.
+   */
+  predicate isAdditionalFlowStep(DataFlow::Node source, DataFlow::Node sink) {
+    exists(Operation o |
+      o.getAnOperand() = source.asExpr() and
+      o = sink.asExpr() and
+      potentialSource(sink)
+    )
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    node instanceof InvalidInfinityUsage and
+    (
+      // Require that range analysis finds this value potentially infinite, to avoid false positives
+      // in the presence of guards. This may induce false negatives.
+      exprMayEqualInfinity(node.asExpr(), _)
+      or
+      // Unanalyzable expressions are not checked against range analysis, which assumes a finite
+      // range.
+      not RestrictedRangeAnalysis::canBoundExpr(node.asExpr())
+      or
+      node.asExpr().(VariableAccess).getTarget() instanceof Parameter
+    )
+  }
+}
+
+class InvalidInfinityUsage extends DataFlow::Node {
+  string description;
+
+  InvalidInfinityUsage() {
+    // Case 2: NaNs and infinities shall not be cast to integers
+    exists(Conversion c |
+      asExpr() = c.getUnconverted() and
+      c.getExpr().getType() instanceof FloatingPointType and
+      c.getType() instanceof IntegralType and
+      description = "cast to integer."
+    )
+    or
+    // Case 3: Infinities shall not underflow or otherwise produce finite values
+    exists(BinaryOperation op |
+      asExpr() = op.getRightOperand() and
+      op.getOperator() = "/" and
+      description = "divisor, which would silently underflow and produce zero."
+    )
+  }
+
+  string getDescription() { result = description }
+}
+
+module InvalidInfinityFlow = DataFlow::Global<InvalidInfinityUsage>;
+
+import InvalidInfinityFlow::PathGraph
+
+from
+  Element elem, InvalidInfinityFlow::PathNode source, InvalidInfinityFlow::PathNode sink,
+  InvalidInfinityUsage usage, Expr sourceExpr, string sourceString, Function function,
+  string computedInFunction
+where
+  elem = MacroUnwrapper<Expr>::unwrapElement(sink.getNode().asExpr()) and
+  not InvalidInfinityFlow::PathGraph::edges(_, source, _, _) and
+  not InvalidInfinityFlow::PathGraph::edges(sink, _, _, _) and
+  not isExcluded(elem, FloatingTypes2Package::possibleMisuseOfUndetectedInfinityQuery()) and
+  not sourceExpr.isFromTemplateInstantiation(_) and
+  not usage.asExpr().isFromTemplateInstantiation(_) and
+  usage = sink.getNode() and
+  sourceExpr = source.getNode().asExpr() and
+  function = sourceExpr.getEnclosingFunction() and
+  InvalidInfinityFlow::flow(source.getNode(), usage) and
+  (
+    if not sourceExpr.getEnclosingFunction() = usage.asExpr().getEnclosingFunction()
+    then computedInFunction = "computed in function $@ "
+    else computedInFunction = ""
+  ) and
+  (
+    if sourceExpr instanceof DivExpr
+    then sourceString = "from division by zero"
+    else sourceString = sourceExpr.toString()
+  )
+select elem, source, sink,
+  "Possibly infinite float value $@ " + computedInFunction + "flows to " + usage.getDescription(),
+  sourceExpr, sourceString, function, function.getName()