PRE31-C: Implement query

Implements a heuristic query to find cases where arguments are provided
to unsafe macros which have side-effects.

Author: lcartey

c/cert/src/rules/PRE31-C/SideEffectsInArgumentsToUnsafeMacros.md

@@ -0,0 +1,16 @@
+# PRE31-C: Avoid side effects in arguments to unsafe macros
+
+This query implements the CERT-C rule PRE31-C:
+
+> Avoid side effects in arguments to unsafe macros
+## CERT
+
+** REPLACE THIS BY RUNNING THE SCRIPT `scripts/help/cert-help-extraction.py` **
+
+## Implementation notes
+
+None
+
+## References
+
+* CERT-C: [PRE31-C: Avoid side effects in arguments to unsafe macros](https://wiki.sei.cmu.edu/confluence/display/c)

c/cert/src/rules/PRE31-C/SideEffectsInArgumentsToUnsafeMacros.ql

@@ -0,0 +1,74 @@
+/**
+ * @id c/cert/side-effects-in-arguments-to-unsafe-macros
+ * @name PRE31-C: Avoid side effects in arguments to unsafe macros
+ * @description Macro arguments can be expanded multiple times which can cause side-effects to be
+ *              evaluated multiple times.
+ * @kind problem
+ * @precision low
+ * @problem.severity error
+ * @tags external/cert/id/pre31-c
+ *       correctness
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import codingstandards.cpp.Macro
+import codingstandards.cpp.SideEffect
+import codingstandards.cpp.StructuralEquivalence
+import codingstandards.cpp.sideeffect.DefaultEffects
+import codingstandards.cpp.sideeffect.Customizations
+
+class FunctionCallEffect extends GlobalSideEffect::Range {
+  FunctionCallEffect() {
+    exists(Function f |
+      f = this.(FunctionCall).getTarget() and
+      // Not a side-effecting function
+      not f.(BuiltInFunction).getName() = "__builtin_expect" and
+      // Not side-effecting functions
+      not exists(string name |
+        name =
+          [
+            "acos", "asin", "atan", "atan2", "ceil", "cos", "cosh", "exp", "fabs", "floor", "fmod",
+            "frexp", "ldexp", "log", "log10", "modf", "pow", "sin", "sinh", "sqrt", "tan", "tanh",
+            "cbrt", "erf", "erfc", "exp2", "expm1", "fdim", "fma", "fmax", "fmin", "hypot", "ilogb",
+            "lgamma", "llrint", "llround", "log1p", "log2", "logb", "lrint", "lround", "nan",
+            "nearbyint", "nextafter", "nexttoward", "remainder", "remquo", "rint", "round",
+            "scalbln", "scalbn", "tgamma", "trunc"
+          ] and
+        f.hasGlobalOrStdName([name, name + "f", name + "l"])
+      )
+    )
+  }
+}
+
+class CrementEffect extends LocalSideEffect::Range {
+  CrementEffect() { this instanceof CrementOperation }
+}
+
+from
+  FunctionLikeMacro flm, MacroInvocation mi, Expr e, SideEffect sideEffect, int i, string arg,
+  string sideEffectDesc
+where
+  not isExcluded(e, SideEffects4Package::sideEffectsInArgumentsToUnsafeMacrosQuery()) and
+  sideEffect = getASideEffect(e) and
+  flm.getAnInvocation() = mi and
+  not exists(mi.getParentInvocation()) and
+  mi.getAnExpandedElement() = e and
+  // Only consider arguments that are expanded multiple times, and do not consider "stringified" arguments
+  count(int index | index = flm.getAParameterUse(i) and not flm.getBody().charAt(index) = "#") > 1 and
+  arg = mi.getExpandedArgument(i) and
+  (
+    sideEffect instanceof CrementEffect and
+    exists(arg.indexOf(sideEffect.(CrementOperation).getOperator())) and
+    sideEffectDesc = "the use of the " + sideEffect.(CrementOperation).getOperator() + " operator"
+    or
+    sideEffect instanceof FunctionCallEffect and
+    exists(arg.indexOf(sideEffect.(FunctionCall).getTarget().getName() + "(")) and
+    sideEffectDesc =
+      "a call to the function '" + sideEffect.(FunctionCall).getTarget().getName() + "'"
+  )
+select sideEffect,
+  "Argument " + mi.getUnexpandedArgument(i) + " to unsafe macro '" + flm.getName() +
+    "' is expanded to '" + arg + "' multiple times and includes " + sideEffectDesc +
+    " as a side-effect."

c/cert/test/rules/PRE31-C/SideEffectsInArgumentsToUnsafeMacros.expected

@@ -0,0 +1,10 @@
+| test.c:9:10:9:12 | ... ++ | Argument i++ to unsafe macro 'unsafe' is expanded to 'i++' multiple times and includes the use of the ++ operator as a side-effect. |
+| test.c:9:10:9:12 | ... ++ | Argument i++ to unsafe macro 'unsafe' is expanded to 'i++' multiple times and includes the use of the ++ operator as a side-effect. |
+| test.c:11:10:11:12 | ... -- | Argument i-- to unsafe macro 'unsafe' is expanded to 'i--' multiple times and includes the use of the -- operator as a side-effect. |
+| test.c:11:10:11:12 | ... -- | Argument i-- to unsafe macro 'unsafe' is expanded to 'i--' multiple times and includes the use of the -- operator as a side-effect. |
+| test.c:26:10:26:15 | call to addOne | Argument addOne(10) to unsafe macro 'unsafe' is expanded to 'addOne(10)' multiple times and includes a call to the function 'addOne' as a side-effect. |
+| test.c:26:10:26:15 | call to addOne | Argument addOne(10) to unsafe macro 'unsafe' is expanded to 'addOne(10)' multiple times and includes a call to the function 'addOne' as a side-effect. |
+| test.c:27:10:27:17 | call to external | Argument external() to unsafe macro 'unsafe' is expanded to 'external()' multiple times and includes a call to the function 'external' as a side-effect. |
+| test.c:27:10:27:17 | call to external | Argument external() to unsafe macro 'unsafe' is expanded to 'external()' multiple times and includes a call to the function 'external' as a side-effect. |
+| test.c:28:10:28:15 | call to writeX | Argument writeX(10) to unsafe macro 'unsafe' is expanded to 'writeX(10)' multiple times and includes a call to the function 'writeX' as a side-effect. |
+| test.c:28:10:28:15 | call to writeX | Argument writeX(10) to unsafe macro 'unsafe' is expanded to 'writeX(10)' multiple times and includes a call to the function 'writeX' as a side-effect. |

c/cert/test/rules/PRE31-C/SideEffectsInArgumentsToUnsafeMacros.qlref

@@ -0,0 +1 @@
+rules/PRE31-C/SideEffectsInArgumentsToUnsafeMacros.ql

c/cert/test/rules/PRE31-C/test.c

@@ -0,0 +1,29 @@
+#include <stdio.h>
+
+#define safe(x) ((x) + 1)
+#define unsafe(x) (x) * (x)
+
+void test_crement() {
+  int i = 0;
+  safe(i++);   // COMPLIANT
+  unsafe(i++); // NON_COMPLIANT
+  safe(i--);   // COMPLIANT
+  unsafe(i--); // NON_COMPLIANT
+}
+
+int addOne(int x) { return x + 1; }
+int writeX(int x) {
+  printf("%d", x);
+  return x;
+}
+
+int external();
+
+void test_call() {
+  safe(addOne(10));   // COMPLIANT
+  safe(external());   // COMPLIANT
+  safe(writeX(10));   // COMPLIANT
+  unsafe(addOne(10)); // COMPLIANT
+  unsafe(external()); // NON_COMPLIANT
+  unsafe(writeX(10)); // NON_COMPLIANT
+}

cpp/common/src/codingstandards/cpp/Macro.qll

@@ -15,7 +15,8 @@ class FunctionLikeMacro extends Macro {
 
   int getAParameterUse(int index) {
     exists(string parameter | parameter = getParameter(index) |
-      result = this.getBody().indexOf(parameter)
+      // Find identifier tokens in the program that match the parameter name
+      exists(this.getBody().regexpFind("\\#?\\b" + parameter + "\\b", _, result))
     )
   }
 }

cpp/common/src/codingstandards/cpp/exclusions/c/RuleMetadata.qll

@@ -50,6 +50,7 @@ import Preprocessor5
 import Preprocessor6
 import SideEffects1
 import SideEffects2
+import SideEffects4
 import SignalHandlers
 import StandardLibraryFunctionTypes
 import Statements1
@@ -113,6 +114,7 @@ newtype TCQuery =
   TPreprocessor6PackageQuery(Preprocessor6Query q) or
   TSideEffects1PackageQuery(SideEffects1Query q) or
   TSideEffects2PackageQuery(SideEffects2Query q) or
+  TSideEffects4PackageQuery(SideEffects4Query q) or
   TSignalHandlersPackageQuery(SignalHandlersQuery q) or
   TStandardLibraryFunctionTypesPackageQuery(StandardLibraryFunctionTypesQuery q) or
   TStatements1PackageQuery(Statements1Query q) or
@@ -176,6 +178,7 @@ predicate isQueryMetadata(Query query, string queryId, string ruleId, string cat
   isPreprocessor6QueryMetadata(query, queryId, ruleId, category) or
   isSideEffects1QueryMetadata(query, queryId, ruleId, category) or
   isSideEffects2QueryMetadata(query, queryId, ruleId, category) or
+  isSideEffects4QueryMetadata(query, queryId, ruleId, category) or
   isSignalHandlersQueryMetadata(query, queryId, ruleId, category) or
   isStandardLibraryFunctionTypesQueryMetadata(query, queryId, ruleId, category) or
   isStatements1QueryMetadata(query, queryId, ruleId, category) or

cpp/common/src/codingstandards/cpp/exclusions/c/SideEffects4.qll

@@ -0,0 +1,26 @@
+//** THIS FILE IS AUTOGENERATED, DO NOT MODIFY DIRECTLY.  **/
+import cpp
+import RuleMetadata
+import codingstandards.cpp.exclusions.RuleMetadata
+
+newtype SideEffects4Query = TSideEffectsInArgumentsToUnsafeMacrosQuery()
+
+predicate isSideEffects4QueryMetadata(Query query, string queryId, string ruleId, string category) {
+  query =
+    // `Query` instance for the `sideEffectsInArgumentsToUnsafeMacros` query
+    SideEffects4Package::sideEffectsInArgumentsToUnsafeMacrosQuery() and
+  queryId =
+    // `@id` for the `sideEffectsInArgumentsToUnsafeMacros` query
+    "c/cert/side-effects-in-arguments-to-unsafe-macros" and
+  ruleId = "PRE31-C" and
+  category = "rule"
+}
+
+module SideEffects4Package {
+  Query sideEffectsInArgumentsToUnsafeMacrosQuery() {
+    //autogenerate `Query` type
+    result =
+      // `Query` type for `sideEffectsInArgumentsToUnsafeMacros` query
+      TQueryC(TSideEffects4PackageQuery(TSideEffectsInArgumentsToUnsafeMacrosQuery()))
+  }
+}

rule_packages/c/SideEffects4.json

@@ -0,0 +1,23 @@
+{
+  "CERT-C": {
+    "PRE31-C": {
+      "properties": {
+        "obligation": "rule"
+      },
+      "queries": [
+        {
+          "description": "Macro arguments can be expanded multiple times which can cause side-effects to be evaluated multiple times.",
+          "kind": "problem",
+          "name": "Avoid side effects in arguments to unsafe macros",
+          "precision": "low",
+          "severity": "error",
+          "short_name": "SideEffectsInArgumentsToUnsafeMacros",
+          "tags": [
+            "correctness"
+          ]
+        }
+      ],
+      "title": "Avoid side effects in arguments to unsafe macros"
+    }
+  }
+}

rules.csv

@@ -586,7 +586,7 @@ c,CERT-C,POS52-C,OutOfScope,Rule,,,Do not perform operations that can block whil
 c,CERT-C,POS53-C,OutOfScope,Rule,,,Do not use more than one mutex for concurrent waiting operations on a condition variable,,,,
 c,CERT-C,POS54-C,OutOfScope,Rule,,,Detect and handle POSIX library errors,,,,
 c,CERT-C,PRE30-C,No,Rule,,,Do not create a universal character name through concatenation,,,Medium,
-c,CERT-C,PRE31-C,Yes,Rule,,,Avoid side effects in arguments to unsafe macros,RULE-13-2,SideEffects,Medium,
+c,CERT-C,PRE31-C,Yes,Rule,,,Avoid side effects in arguments to unsafe macros,RULE-13-2,SideEffects4,Medium,
 c,CERT-C,PRE32-C,Yes,Rule,,,Do not use preprocessor directives in invocations of function-like macros,,Preprocessor5,Hard,
 c,CERT-C,SIG30-C,Yes,Rule,,,Call only asynchronous-safe functions within signal handlers,,SignalHandlers,Medium,
 c,CERT-C,SIG31-C,Yes,Rule,,,Do not access shared objects in signal handlers,,SignalHandlers,Medium,