ARR38-C: Add missing GVN logic

Nikita Kraiouchkine · Nikita Kraiouchkine · commit b3523bed6f26 · 2023-04-07T01:57:21.000+02:00
diff --git a/c/cert/test/rules/ARR38-C/test.c b/c/cert/test/rules/ARR38-C/test.c
@@ -458,9 +458,10 @@ void test_read_file(const char *file_name) {
   fclose(f);
 }
 
-void test_equivalent_expressions(void *in, int x, int y) {
+void test_equivalent_expressions(void *in, int x, int y, int a, int b) {
   short *p = malloc(x * y * sizeof(short));
   memcpy(p, in, x * y * sizeof(short));     // COMPLIANT
   memcpy(p, in, x * y * sizeof(short) + 1); // NON_COMPLIANT
   memcpy(p, in, x * y * sizeof(short) - 1); // COMPLIANT
+  memcpy(p, in, a * b * sizeof(short) + 1); // COMPLIANT - unknown
 }
diff --git a/c/common/src/codingstandards/c/OutOfBounds.qll b/c/common/src/codingstandards/c/OutOfBounds.qll
@@ -1129,6 +1129,37 @@ module OOB {
     )
   }
 
+  /**
+   * Holds if `a` and `b` are function calls to the same target function and
+   * have identical arguments (determined by their global value number or `VariableAccess` targets).
+   */
+  bindingset[a, b]
+  private predicate areFunctionCallsSyntacticallySame(FunctionCall a, FunctionCall b) {
+    a.getTarget() = b.getTarget() and
+    (
+      exists(a.getAnArgument())
+      implies
+      not exists(int i, Expr argA, Expr argB |
+        i = [0 .. a.getTarget().getNumberOfParameters() - 1]
+      |
+        argA = a.getArgument(i) and
+        argB = b.getArgument(i) and
+        not globalValueNumber(argA) = globalValueNumber(argB) and
+        not argA.(VariableAccess).getTarget() = argB.(VariableAccess).getTarget()
+      )
+    )
+  }
+
+  /**
+   * Holds if `a` and `b` have the same global value number or are syntactically identical function calls
+   */
+  bindingset[a, b]
+  private predicate isGVNOrFunctionCallSame(Expr a, Expr b) {
+    globalValueNumber(a) = globalValueNumber(b)
+    or
+    areFunctionCallsSyntacticallySame(a, b)
+  }
+
   /**
    * Holds if the BufferAccess is accessed with a `base + accessOffset` on a buffer that was
    * allocated a size of the form `base + allocationOffset`.
@@ -1150,9 +1181,12 @@ module OOB {
       sourceSizeExpr = source.getSizeExprSource(sourceSizeExprBase, sourceSizeExprOffset) and
       bufferUseNonComputableSize(bufferArg, source) and
       not globalValueNumber(sourceSizeExpr) = globalValueNumber(bufferSizeArg) and
-      sizeArgOffset = getArithmeticOffsetValue(bufferSizeArg.getAChild*(), _) and
-      bufferArgOffset = getArithmeticOffsetValue(bufferArg, _) and
-      sourceSizeExprOffset + bufferArgOffset < sizeArgOffset
+      exists(Expr sizeArgBase |
+        sizeArgOffset = getArithmeticOffsetValue(bufferSizeArg.getAChild*(), sizeArgBase) and
+        isGVNOrFunctionCallSame(sizeArgBase, sourceSizeExprBase) and
+        bufferArgOffset = getArithmeticOffsetValue(bufferArg, _) and
+        sourceSizeExprOffset + bufferArgOffset < sizeArgOffset
+      )
     )
   }
 

Original file line number	Diff line number	Diff line change
`@@ -458,9 +458,10 @@ void test_read_file(const char *file_name) {`
`458`	`458`	`fclose(f);`
`459`	`459`	`}`
`460`	`460`
`461`		`-void test_equivalent_expressions(void *in, int x, int y) {`
	`461`	`+void test_equivalent_expressions(void *in, int x, int y, int a, int b) {`
`462`	`462`	`short p = malloc(x y * sizeof(short));`
`463`	`463`	`memcpy(p, in, x * y * sizeof(short)); // COMPLIANT`
`464`	`464`	`memcpy(p, in, x * y * sizeof(short) + 1); // NON_COMPLIANT`
`465`	`465`	`memcpy(p, in, x * y * sizeof(short) - 1); // COMPLIANT`
	`466`	`+ memcpy(p, in, a * b * sizeof(short) + 1); // COMPLIANT - unknown`
`466`	`467`	`}`