Implement InvalidMemory1 queries

Modify packages and implement EXP33-C, EXP34-C, and MEM30-C

Author: Nikita Kraiouchkine

.vscode/tasks.json

@@ -222,6 +222,8 @@
                 "Includes",
                 "Initialization",
                 "IntegerConversion",
+                "InvalidMemory1",
+                "InvalidMemory2",
                 "Invariants",
                 "Iterators",
                 "Lambdas",
@@ -230,6 +232,8 @@
                 "Literals",
                 "Loops",
                 "Macros",
+                "Memory1",
+                "Memory2",
                 "Misc",
                 "MoveForward",
                 "Naming",

c/cert/src/rules/EXP33-C/DoNotReadUninitializedMemory.md

@@ -0,0 +1,23 @@
+/**
+ * @id c/cert/do-not-read-uninitialized-memory
+ * @name EXP33-C: Do not read uninitialized memory
+ * @description Using the value of an object with automatic storage duration while it is
+ *              indeterminate is undefined behavior.
+ * @kind problem
+ * @precision medium
+ * @problem.severity error
+ * @tags external/cert/id/exp33-c
+ *       correctness
+ *       security
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import codingstandards.cpp.rules.readofuninitializedmemory.ReadOfUninitializedMemory
+
+class DoNotReadUninitializedMemoryQuery extends ReadOfUninitializedMemorySharedQuery {
+  DoNotReadUninitializedMemoryQuery() {
+    this = InvalidMemory1Package::doNotReadUninitializedMemoryQuery()
+  }
+}

c/cert/src/rules/EXP33-C/DoNotReadUninitializedMemory.ql

@@ -0,0 +1,21 @@
+/**
+ * @id c/cert/do-not-dereference-null-pointers
+ * @name EXP34-C: Do not dereference null pointers
+ * @description Dereferencing a null pointer leads to undefined behavior.
+ * @kind problem
+ * @precision medium
+ * @problem.severity error
+ * @tags external/cert/id/exp34-c
+ *       correctness
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import codingstandards.cpp.rules.dereferenceofnullpointer.DereferenceOfNullPointer
+
+class DoNotDereferenceNullPointersQuery extends DereferenceOfNullPointerSharedQuery {
+  DoNotDereferenceNullPointersQuery() {
+    this = InvalidMemory1Package::doNotDereferenceNullPointersQuery()
+  }
+}

c/cert/src/rules/EXP34-C/DoNotDereferenceNullPointers.md

@@ -0,0 +1,63 @@
+/**
+ * @id c/cert/do-not-access-freed-memory
+ * @name MEM30-C: Do not access freed memory
+ * @description Accessing memory that has been deallocated is undefined behavior.
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags external/cert/id/mem30-c
+ *       correctness
+ *       security
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import codingstandards.cpp.Allocations
+import semmle.code.cpp.controlflow.StackVariableReachability
+
+/** `e` is an expression that frees the memory pointed to by `v`. */
+predicate isFreeExpr(Expr e, StackVariable v) {
+  exists(VariableAccess va | va.getTarget() = v and freeExprOrIndirect(e, va, _))
+}
+
+/** `e` is an expression that (may) dereference `v`. */
+predicate isDerefExpr(Expr e, StackVariable v) {
+  v.getAnAccess() = e and dereferenced(e)
+  or
+  isDerefByCallExpr(_, _, e, v)
+}
+
+/**
+ * `va` is passed by value as (part of) the `i`th argument in
+ * call `c`. The target function is either a library function
+ * or a source code function that dereferences the relevant
+ * parameter.
+ */
+predicate isDerefByCallExpr(Call c, int i, VariableAccess va, StackVariable v) {
+  v.getAnAccess() = va and
+  va = c.getAnArgumentSubExpr(i) and
+  not c.passesByReference(i, va) and
+  (c.getTarget().hasEntryPoint() implies isDerefExpr(_, c.getTarget().getParameter(i)))
+}
+
+class UseAfterFreeReachability extends StackVariableReachability {
+  UseAfterFreeReachability() { this = "UseAfterFree" }
+
+  override predicate isSource(ControlFlowNode node, StackVariable v) { isFreeExpr(node, v) }
+
+  override predicate isSink(ControlFlowNode node, StackVariable v) { isDerefExpr(node, v) }
+
+  override predicate isBarrier(ControlFlowNode node, StackVariable v) {
+    definitionBarrier(v, node) or
+    isFreeExpr(node, v)
+  }
+}
+
+from UseAfterFreeReachability r, StackVariable v, Expr free, Expr e
+where
+  not isExcluded(e, InvalidMemory1Package::doNotAccessFreedMemoryQuery()) and
+  r.reaches(free, v, e)
+select e,
+  "Memory pointed to by '" + v.getName().toString() +
+    "' accessed but may have been previously freed $@.", free, "here"

c/cert/src/rules/EXP34-C/DoNotDereferenceNullPointers.ql

@@ -0,0 +1 @@
+c/common/test/rules/readofuninitializedmemory/ReadOfUninitializedMemory.ql

c/cert/src/rules/MEM30-C/DoNotAccessFreedMemory.md

@@ -0,0 +1 @@
+c/common/test/rules/dereferenceofnullpointer/DereferenceOfNullPointer.ql

c/cert/src/rules/MEM30-C/DoNotAccessFreedMemory.ql

@@ -0,0 +1,2 @@
+| test.c:11:47:11:47 | p | Memory pointed to by 'p' accessed but may have been previously freed $@. | test.c:12:5:12:8 | call to free | here |
+| test.c:25:10:25:12 | buf | Memory pointed to by 'buf' accessed but may have been previously freed $@. | test.c:24:3:24:6 | call to free | here |