IMplement EXP40-C

Author: mbaluda

c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.md

@@ -5,7 +5,6 @@ This query implements the CERT-C rule EXP40-C:
 > Do not modify constant objects
 
 
-
 ## Description
 
 The C Standard, 6.7.3, paragraph 6 \[[IS](https://wiki.sei.cmu.edu/confluence/display/c/AA.+Bibliography#AA.Bibliography-ISO-IEC9899-2011)[O/IEC 9899:2011](https://wiki.sei.cmu.edu/confluence/display/c/AA.+Bibliography#AA.Bibliography-ISO-IEC9899-2011)\], states
@@ -89,7 +88,7 @@ Search for [vulnerabilities](https://wiki.sei.cmu.edu/confluence/display/c/BB.+D
 
 ## Implementation notes
 
-None
+The implementation does not consider pointer aliasing via multiple indirection.
 
 ## References
 

c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.ql

@@ -1,18 +1,61 @@
 /**
  * @id c/cert/do-not-modify-constant-objects
  * @name EXP40-C: Do not modify constant objects
- * @description 
- * @kind problem
- * @precision very-high
+ * @description Do not modify constant objects. This may result in undefined behavior.
+ * @kind path-problem
+ * @precision high
  * @problem.severity error
  * @tags external/cert/id/exp40-c
+ *       correctness
  *       external/cert/obligation/rule
  */
 
 import cpp
 import codingstandards.c.cert
+import semmle.code.cpp.dataflow.DataFlow
+import DataFlow::PathGraph
+import codingstandards.cpp.SideEffect
 
-from
+class ConstRemovingCast extends Cast {
+  ConstRemovingCast() {
+    this.getExpr().getType().(DerivedType).getBaseType*().isConst() and
+    not this.getType().(DerivedType).getBaseType*().isConst()
+  }
+}
+
+class MaybeReturnsStringLiteralFunctionCall extends FunctionCall {
+  MaybeReturnsStringLiteralFunctionCall() {
+    getTarget().getName() in [
+        "strpbrk", "strchr", "strrchr", "strstr", "wcspbrk", "wcschr", "wcsrchr", "wcsstr",
+        "memchr", "wmemchr"
+      ]
+  }
+}
+
+class MyDataFlowConfCast extends DataFlow::Configuration {
+  MyDataFlowConfCast() { this = "MyDataFlowConfCast" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr().getFullyConverted() instanceof ConstRemovingCast
+    or
+    source.asExpr().getFullyConverted() = any(MaybeReturnsStringLiteralFunctionCall c)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(Assignment a).getLValue().(PointerDereferenceExpr).getOperand()
+  }
+}
+
+from MyDataFlowConfCast conf, DataFlow::PathNode src, DataFlow::PathNode sink
 where
-  not isExcluded(x, Contracts6Package::doNotModifyConstantObjectsQuery()) and
-select
+  conf.hasFlowPath(src, sink)
+  or
+  sink.getNode()
+      .asExpr()
+      .(VariableEffect)
+      .getTarget()
+      .getType()
+      .(DerivedType)
+      .getBaseType*()
+      .isConst()
+select sink, src, sink, "Const variable assigned with non const-value."

c/cert/test/rules/EXP40-C/DoNotModifyConstantObjects.expected

@@ -1 +1,29 @@
-No expected results have yet been specified
+edges
+| test.c:5:8:5:9 | & ... | test.c:6:4:6:5 | aa |
+| test.c:26:15:26:15 | a | test.c:27:4:27:4 | a |
+| test.c:34:13:34:14 | & ... | test.c:39:7:39:8 | p1 |
+| test.c:39:7:39:8 | p1 | test.c:26:15:26:15 | a |
+| test.c:40:7:40:9 | * ... | test.c:26:15:26:15 | a |
+| test.c:59:7:59:8 | & ... | test.c:60:4:60:4 | p |
+| test.c:79:11:79:16 | call to strchr | test.c:81:6:81:12 | ... ++ |
+nodes
+| test.c:5:8:5:9 | & ... | semmle.label | & ... |
+| test.c:6:4:6:5 | aa | semmle.label | aa |
+| test.c:26:15:26:15 | a | semmle.label | a |
+| test.c:27:4:27:4 | a | semmle.label | a |
+| test.c:34:13:34:14 | & ... | semmle.label | & ... |
+| test.c:39:7:39:8 | p1 | semmle.label | p1 |
+| test.c:40:7:40:9 | * ... | semmle.label | * ... |
+| test.c:59:7:59:8 | & ... | semmle.label | & ... |
+| test.c:60:4:60:4 | p | semmle.label | p |
+| test.c:74:12:74:12 | s | semmle.label | s |
+| test.c:79:11:79:16 | call to strchr | semmle.label | call to strchr |
+| test.c:81:6:81:12 | ... ++ | semmle.label | ... ++ |
+subpaths
+#select
+| test.c:6:4:6:5 | aa | test.c:5:8:5:9 | & ... | test.c:6:4:6:5 | aa | Const variable assigned with non const-value. |
+| test.c:27:4:27:4 | a | test.c:34:13:34:14 | & ... | test.c:27:4:27:4 | a | Const variable assigned with non const-value. |
+| test.c:27:4:27:4 | a | test.c:40:7:40:9 | * ... | test.c:27:4:27:4 | a | Const variable assigned with non const-value. |
+| test.c:60:4:60:4 | p | test.c:59:7:59:8 | & ... | test.c:60:4:60:4 | p | Const variable assigned with non const-value. |
+| test.c:74:12:74:12 | s | test.c:74:12:74:12 | s | test.c:74:12:74:12 | s | Const variable assigned with non const-value. |
+| test.c:81:6:81:12 | ... ++ | test.c:79:11:79:16 | call to strchr | test.c:81:6:81:12 | ... ++ | Const variable assigned with non const-value. |

c/cert/test/rules/EXP40-C/test.c

@@ -2,8 +2,8 @@ void f1() {
   const int a = 3;
   int *aa;
 
-  aa = &a; // NON_COMPLIANT
-  *aa = 100;
+  aa = &a;
+  *aa = 100; // NON_COMPLIANT
 }
 
 void f1a() {
@@ -31,13 +31,13 @@ void f4b(int *a) {}
 
 void f4() {
   const int a = 100;
-  int *p1 = &a; // NON_COMPLIANT
+  int *p1 = &a; // COMPLIANT
   const int **p2;
 
-  *p2 = &a; // NON_COMPLIANT
+  *p2 = &a; // COMPLIANT
 
-  f4a(p1);  // NON_COMPLIANT
-  f4a(*p2); // NON_COMPLIANT
+  f4a(p1);  // COMPLIANT
+  f4a(*p2); // COMPLIANT
 }
 
 void f5() {
@@ -49,4 +49,37 @@ void f5() {
 
   f4b(p1);
   f4b(*p2);
+}
+
+#include <string.h>
+
+void f6a() {
+  char *p;
+  const char c = 'A';
+  p = &c;
+  *p = 0; // NON_COMPLIANT
+}
+
+void f6b() {
+  const char **cpp;
+  char *p;
+  const char c = 'A';
+  cpp = &p;
+  *cpp = &c;
+  *p = 0; // NON_COMPLIANT[FALSE_NEGATIVE]
+}
+
+const char s[] = "foo"; // source
+void f7() {
+  *(char *)s = '\0'; // NON_COMPLIANT
+}
+
+const char *f8(const char *pathname) {
+  char *slash;
+  slash = strchr(pathname, '/');
+  if (slash) {
+    *slash++ = '\0'; // NON_COMPLIANT
+    return slash;
+  }
+  return pathname;
 }

c/misra/src/rules/RULE-17-5/ArrayFunctionArgumentNumberOfElements.ql

@@ -1,12 +1,13 @@
 /**
  * @id c/misra/array-function-argument-number-of-elements
- * @name RULE-17-5: The function argument corresponding to a parameter declared to have an array type shall have an
- * @description The function argument corresponding to a parameter declared to have an array type
- *              shall have an appropriate number of elements
+ * @name RULE-17-5: An array founction argument shall have an appropriate number of elements
+ * @description The function argument corresponding to an array parameter shall have an appropriate
+ *              number of elements
  * @kind problem
  * @precision high
  * @problem.severity error
  * @tags external/misra/id/rule-17-5
+ *       correctness
  *       external/misra/obligation/advisory
  */
 

c/misra/src/rules/RULE-17-7/ValueReturnedByAFunctionNotUsed.ql

@@ -1,11 +1,13 @@
 /**
  * @id c/misra/value-returned-by-a-function-not-used
- * @name RULE-17-7: The value returned by a function having non-void return type shall be used
- * @description
+ * @name RULE-17-7: Return values should be used or cast to void
+ * @description The value returned by a function having non-void return type shall be used or cast
+ *              to void
  * @kind problem
  * @precision very-high
  * @problem.severity error
  * @tags external/misra/id/rule-17-7
+ *       correctness
  *       external/misra/obligation/required
  */
 

cpp/common/src/codingstandards/cpp/exclusions/c/Contracts6.qll

@@ -19,15 +19,6 @@ predicate isContracts6QueryMetadata(Query query, string queryId, string ruleId,
   ruleId = "EXP40-C" and
   category = "rule"
   or
-  query =
-    // `Query` instance for the `rightHandOperandOfAShiftOperatorRange` query
-    Contracts6Package::rightHandOperandOfAShiftOperatorRangeQuery() and
-  queryId =
-    // `@id` for the `rightHandOperandOfAShiftOperatorRange` query
-    "c/misra/right-hand-operand-of-a-shift-operator-range" and
-  ruleId = "RULE-12-2" and
-  category = "required"
-  or
   query =
     // `Query` instance for the `arrayFunctionArgumentNumberOfElements` query
     Contracts6Package::arrayFunctionArgumentNumberOfElementsQuery() and

rule_packages/c/Contracts6.json

@@ -6,36 +6,22 @@
       },
       "queries": [
         {
-          "description": "",
-          "kind": "problem",
+          "description": "Do not modify constant objects. This may result in undefined behavior.",
+          "kind": "path-problem",
           "name": "Do not modify constant objects",
-          "precision": "very-high",
+          "precision": "high",
           "severity": "error",
           "short_name": "DoNotModifyConstantObjects",
-          "tags": []
+          "tags": ["correctness"],
+          "implementation_scope": {
+            "description": "The implementation does not consider pointer aliasing via multiple indirection."
+          }
         }
       ],
       "title": "Do not modify constant objects"
     }
   },
   "MISRA-C-2012": {
-    "RULE-12-2": {
-      "properties": {
-        "obligation": "required"
-      },
-      "queries": [
-        {
-          "description": "The right hand operand of a shift operator shall lie in the range zero to one less than the width in bits of the essential type of the left hand operand",
-          "kind": "problem",
-          "name": "The right hand operand of a shift operator shall lie in the range zero to one less than the width in",
-          "precision": "high",
-          "severity": "error",
-          "short_name": "RightHandOperandOfAShiftOperatorRange",
-          "tags": []
-        }
-      ],
-      "title": "The right hand operand of a shift operator shall lie in the range zero to one less than the width in bits of the essential type of the left hand operand"
-    },
     "RULE-17-5": {
       "properties": {
         "obligation": "advisory"
@@ -48,7 +34,10 @@
           "precision": "high",
           "severity": "error",
           "short_name": "ArrayFunctionArgumentNumberOfElements",
-          "tags": []
+          "tags": ["correctness"],
+          "implementation_scope": {
+            "description": "The rule is enforced in the context of a single function."
+          }
         }
       ],
       "title": "The function argument corresponding to a parameter declared to have an array type shall have an appropriate number of elements"
@@ -65,7 +54,10 @@
           "precision": "very-high",
           "severity": "error",
           "short_name": "ValueReturnedByAFunctionNotUsed",
-          "tags": []
+          "tags": ["correctness"],
+          "implementation_scope": {
+            "description": "The rule is enforced in the context of a single function."
+          }
         }
       ],
       "title": "The value returned by a function having non-void return type shall be used"

rules.csv

@@ -523,7 +523,7 @@ c,CERT-C,EXP35-C,Yes,Rule,,,Do not modify objects with temporary lifetime,,Inval
 c,CERT-C,EXP36-C,Yes,Rule,,,Do not cast pointers into more strictly aligned pointer types,,Pointers3,Medium,
 c,CERT-C,EXP37-C,Yes,Rule,,,Call functions with the correct number and type of arguments,,Expressions,Easy,
 c,CERT-C,EXP39-C,Yes,Rule,,,Do not access a variable through a pointer of an incompatible type,,Pointers3,Medium,
-c,CERT-C,EXP40-C,Yes,Rule,,,Do not modify constant objects,,Contracts6,Medium,
+c,CERT-C,EXP40-C,Yes,Rule,,,Do not modify constant objects,,Contracts6,Hard,
 c,CERT-C,EXP42-C,Yes,Rule,,,Do not compare padding data,,Memory,Medium,
 c,CERT-C,EXP43-C,Yes,Rule,,,Avoid undefined behavior when using restrict-qualified pointers,,Pointers3,Medium,
 c,CERT-C,EXP44-C,Yes,Rule,,,"Do not rely on side effects in operands to sizeof, _Alignof, or _Generic",M5-3-4,SideEffects1,Medium,
@@ -683,7 +683,7 @@ c,MISRA-C-2012,RULE-11-7,Yes,Required,,,A cast shall not be performed between po
 c,MISRA-C-2012,RULE-11-8,Yes,Required,,,A cast shall not remove any const or volatile qualification from the type pointed to by a pointer,,Pointers1,Easy,
 c,MISRA-C-2012,RULE-11-9,Yes,Required,,,The macro NULL shall be the only permitted form of integer null pointer constant,,Pointers1,Easy,
 c,MISRA-C-2012,RULE-12-1,Yes,Advisory,,,The precedence of operators within expressions should be made explicit,,SideEffects1,Medium,
-c,MISRA-C-2012,RULE-12-2,Yes,Required,,,The right hand operand of a shift operator shall lie in the range zero to one less than the width in bits of the essential type of the left hand operand,,Contracts6,Hard,
+c,MISRA-C-2012,RULE-12-2,Yes,Required,,,The right hand operand of a shift operator shall lie in the range zero to one less than the width in bits of the essential type of the left hand operand,,Contracts,Medium,
 c,MISRA-C-2012,RULE-12-3,Yes,Advisory,,,The comma operator should not be used,M5-18-1,Banned,Import,
 c,MISRA-C-2012,RULE-12-4,Yes,Advisory,,,Evaluation of constant expressions should not lead to unsigned integer wrap-around,INT30-C,Types,Easy,
 c,MISRA-C-2012,RULE-12-5,Yes,Mandatory,,,The sizeof operator shall not have an operand which is a function parameter declared as �array of type�,,Types,Medium,
@@ -717,7 +717,7 @@ c,MISRA-C-2012,RULE-17-3,Yes,Mandatory,,,A function shall not be declared implic
 c,MISRA-C-2012,RULE-17-4,Yes,Mandatory,,,All exit paths from a function with non-void return type shall have an explicit return statement with an expression,MSC52-CPP,Statements,Medium,
 c,MISRA-C-2012,RULE-17-5,Yes,Advisory,,,The function argument corresponding to a parameter declared to have an array type shall have an appropriate number of elements,,Contracts6,Hard,
 c,MISRA-C-2012,RULE-17-6,No,Mandatory,,,The declaration of an array parameter shall not contain the static keyword between the [ ],,,,
-c,MISRA-C-2012,RULE-17-7,Yes,Required,,,The value returned by a function having non-void return type shall be used,A0-1-2,Contracts6,Import,
+c,MISRA-C-2012,RULE-17-7,Yes,Required,,,The value returned by a function having non-void return type shall be used,A0-1-2,Contracts6,Easy,
 c,MISRA-C-2012,RULE-17-8,Yes,Advisory,,,A function parameter should not be modified,,SideEffects2,Medium,
 c,MISRA-C-2012,RULE-18-1,Yes,Required,,,A pointer resulting from arithmetic on a pointer operand shall address an element of the same array as that pointer operand,M5-0-16,Pointers1,Import,
 c,MISRA-C-2012,RULE-18-2,Yes,Required,,,Subtraction between pointers shall only be applied to pointers that address elements of the same array,M5-0-17,Pointers1,Import,