Merge remote-tracking branch 'origin/michaelrfairhurst/update-dataflow-nodes-MISRA-C++-2023-Memory-Experimental' into jeongsoolee09/MISRA-C++-2023-Memory-Experimental

Author: jeongsoolee09

cpp/misra/src/rules/RULE-8-7-1/Experimental.ql

@@ -14,6 +14,7 @@
 
 import cpp
 import codingstandards.cpp.misra
+import semmle.code.cpp.ir.IR
 import semmle.code.cpp.dataflow.new.DataFlow
 import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 import semmle.code.cpp.security.BufferAccess
@@ -216,7 +217,9 @@ class PointerFormation extends TPointerFormation {
   /**
    * Gets the data-flow node associated with this pointer formation.
    */
-  DataFlow::Node getNode() { result.asExpr() = this.asExpr() }
+  DataFlow::Node getNode() {
+    result.asInstruction().(PointerAddInstruction).getAst() = this.asExpr()
+  }
 
   Location getLocation() {
     result = this.asArrayExpr().getLocation() or
@@ -279,6 +282,16 @@ class FatPointer extends TFatPointer {
     result = this.asAllocated().asExpr() or
     result = this.asIndexAdjusted().getBase()
   }
+
+  DataFlow::Node getBasePointerNode() {
+    exists(PointerAddInstruction ptrAdd |
+      result.asInstruction() = ptrAdd.getAnOperand().getDef() and
+      (
+        result.asInstruction().getAst() = this.asIndexAdjusted().getBase() or
+        result.asInstruction().getAst() = this.asAllocated().asExpr()
+      )
+    )
+  }
 }
 
 predicate srcSinkLengthMap(
@@ -288,7 +301,7 @@ predicate srcSinkLengthMap(
     TrackArray::flowPath(src, sink) and
     /* Reiterate the data flow configuration here. */
     src.getNode() = start.getNode() and
-    sink.getNode().asExpr() = end.getBasePointer()
+    sink.getNode() = end.getBasePointerNode()
   |
     srcOffset = start.getOffset() and
     sinkOffset = end.getOffset() and
@@ -312,7 +325,7 @@ module TrackArrayConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node node) {
-    exists(FatPointer fatPointer | node.asExpr() = fatPointer.getBasePointer())
+    exists(FatPointer fatPointer | node = fatPointer.getBasePointerNode())
   }
 }
 

cpp/misra/test/rules/RULE-8-7-1/pointer_only.cpp

@@ -252,3 +252,44 @@ int main(int argc, char *argv[]) {
 
   return 0;
 }
+
+void malloc_2d_test() {
+  int **array = (int **)malloc(2 * sizeof(int *));
+  array[0] = (int *)malloc(3 * sizeof(int));
+  array[1] = (int *)malloc(3 * sizeof(int));
+
+  int valid11 = array[0][0];  // COMPLIANT: pointer is within boundary
+  int valid12 = array[0][1];  // COMPLIANT: pointer is within boundary
+  int valid13 = array[0][2];  // COMPLIANT: pointer points one beyond the last
+                              // element, but non-compliant to Rule 4.1.3
+  int invalid1 = array[0][4]; // NON_COMPLIANT: pointer points more than one
+                              // beyond the last element
+
+  int valid21 = array[1][0];  // COMPLIANT: pointer is within boundary
+  int valid22 = array[1][1];  // COMPLIANT: pointer is within boundary
+  int valid23 = array[1][2];  // COMPLIANT: pointer points one beyond the last
+                              // element, but non-compliant to Rule 4.1.3
+  int invalid2 = array[1][4]; // NON_COMPLIANT: pointer points more than one
+                              // beyond the last element
+
+  int valid31 = array[2][0];  // COMPLIANT: pointer points one beyond the last
+                              // element, but non-compliant to Rule 4.1.3
+  int invalid3 = array[3][0]; // NON_COMPLIANT: pointer points more than one
+                              // beyond the last element
+
+  array + 1;    // COMPLIANT
+  array + 2;    // COMPLIANT
+  array + 3;    // NON_COMPLIANT
+  array[0] + 1; // COMPLIANT
+  array[0] + 2; // COMPLIANT
+  array[0] + 3; // COMPLIANT
+  array[0] + 4; // NON_COMPLIANT
+
+  (array + 1)[0] +
+      3; // COMPLIANT: pointer points to one beyond the last element
+  (array + 1)[0] +
+      4; // NON_COMPLIANT: pointer points more than one beyond the last element
+  array[0][2] + 1; // COMPLIANT
+  array[0][3] + 1; // COMPLIANT
+  array[0][4] + 1; // NON_COMPLIANT
+}