Update EXP39-C test and implement query

Author: Nikita Kraiouchkine

c/cert/src/rules/EXP39-C/DoNotAccessVariableViaPointerOfIncompatibleType.md

@@ -0,0 +1,18 @@
+# EXP39-C: Do not access a variable through a pointer of an incompatible type
+
+This query implements the CERT-C rule EXP39-C:
+
+> Do not access a variable through a pointer of an incompatible type
+
+
+## CERT
+
+** REPLACE THIS BY RUNNING THE SCRIPT `scripts/help/cert-help-extraction.py` **
+
+## Implementation notes
+
+None
+
+## References
+
+* CERT-C: [EXP39-C: Do not access a variable through a pointer of an incompatible type](https://wiki.sei.cmu.edu/confluence/display/c)

c/cert/src/rules/EXP39-C/DoNotAccessVariableViaPointerOfIncompatibleType.ql

@@ -0,0 +1,203 @@
+/**
+ * @id c/cert/do-not-access-variable-via-pointer-of-incompatible-type
+ * @name EXP39-C: Do not access a variable through a pointer of an incompatible type
+ * @description Modifying underlying pointer data through a pointer of an incompatible type can lead
+ *              to unpredictable results.
+ * @kind path-problem
+ * @precision very-high
+ * @problem.severity error
+ * @tags external/cert/id/exp39-c
+ *       correctness
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.controlflow.Dominance
+import DataFlow::PathGraph
+
+/**
+ * The standard function `memset` and its assorted variants
+ */
+class MemsetFunction extends Function {
+  MemsetFunction() {
+    this.hasGlobalOrStdOrBslName("memset")
+    or
+    this.hasGlobalOrStdName("wmemset")
+    or
+    this.hasGlobalName(["__builtin_memset", "__builtin___memset_chk", "__builtin_memset_chk"])
+  }
+}
+
+class IndirectCastAnalysisUnconvertedCastExpr extends Expr {
+  IndirectCastAnalysisUnconvertedCastExpr() { this = any(Cast c).getUnconverted() }
+}
+
+class IndirectCastAnalysisDereferenceSink extends Expr {
+  IndirectCastAnalysisDereferenceSink() { dereferenced(this) }
+}
+
+class ReallocationFunction extends AllocationFunction {
+  ReallocationFunction() { exists(this.getReallocPtrArg()) }
+}
+
+/**
+ * A data-flow state for a pointer which has not been reallocated.
+ */
+class IndirectCastDefaultFlowState extends DataFlow::FlowState {
+  IndirectCastDefaultFlowState() { this = "IndirectCastDefaultFlowState" }
+}
+
+/**
+ * A data-flow state for a pointer which has been reallocated but
+ * has not yet been zeroed with a memset call.
+ */
+class IndirectCastReallocatedFlowState extends DataFlow::FlowState {
+  IndirectCastReallocatedFlowState() { this = "IndirectCastReallocatedFlowState" }
+}
+
+/**
+ * A data-flow configuration to track the flow from cast expressions to either
+ * other cast expressions or to dereferences of pointers reallocated with a call
+ * to `realloc` but not cleared via a function call to `memset`.
+ */
+class IndirectCastConfiguration extends DataFlow::Configuration {
+  IndirectCastConfiguration() { this = "CastToIncompatibleTypeConfiguration" }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
+    state instanceof IndirectCastDefaultFlowState and
+    source.asExpr() instanceof IndirectCastAnalysisUnconvertedCastExpr
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
+    sink.asExpr() instanceof IndirectCastAnalysisUnconvertedCastExpr and
+    state instanceof IndirectCastDefaultFlowState
+    or
+    sink.asExpr() instanceof IndirectCastAnalysisDereferenceSink and
+    state instanceof IndirectCastReallocatedFlowState and
+    // The memset call won't always have an edge to subsequent dereferences.
+    //
+    // Therefore, check that:
+    // 1) The memset call dominates the dereference.
+    // 2) The realloc call dominates the memset call.
+    // 3) There is no subsequent memset that also dominates the dereference.
+    //
+    // Currently, there is no relation between the pointer passed to memset
+    // and the pointer dereferenced. This unimplemented check might produce
+    // false-negatives when the memset call is unrelated to the reallocated memory.
+    not exists(FunctionCall memset, FunctionCall realloc, Expr ptr |
+      memset.getTarget() instanceof MemsetFunction and
+      realloc.getTarget() instanceof ReallocationFunction and
+      ptr = sink.asExpr() and
+      dominates(memset, ptr) and
+      not dominates(memset,
+        any(FunctionCall other |
+          other.getTarget() instanceof MemsetFunction and
+          other != memset and
+          dominates(other, ptr)
+        |
+          other
+        )) and
+      dominates(realloc, memset)
+    )
+  }
+
+  override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
+    state instanceof IndirectCastReallocatedFlowState and
+    exists(FunctionCall fc |
+      fc.getTarget() instanceof MemsetFunction and
+      fc.getArgument(0) = node.asExpr()
+    )
+  }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
+    DataFlow::FlowState state2
+  ) {
+    // track pointer flow through realloc calls and update state to `IndirectCastReallocatedFlowState`
+    state1 instanceof IndirectCastDefaultFlowState and
+    state2 instanceof IndirectCastReallocatedFlowState and
+    exists(FunctionCall fc |
+      fc.getTarget() instanceof ReallocationFunction and
+      node1.asExpr() = fc.getArgument(fc.getTarget().(ReallocationFunction).getReallocPtrArg()) and
+      node2.asExpr() = fc
+    )
+    or
+    // track pointer flow through memset calls and reset state to `IndirectCastDefaultFlowState`
+    state1 instanceof IndirectCastReallocatedFlowState and
+    state2 instanceof IndirectCastDefaultFlowState and
+    exists(FunctionCall fc |
+      fc.getTarget() instanceof MemsetFunction and
+      node1.asExpr() = fc.getArgument(0) and
+      node2.asExpr() = fc
+    )
+  }
+}
+
+pragma[inline]
+predicate areTypesSameExceptForConstSpecifiers(Type a, Type b) {
+  a.stripType() = b.stripType() and
+  a.getSize() = b.getSize() and
+  forall(Specifier s | s = a.getASpecifier() and not s.hasName("const") |
+    b.hasSpecifier(s.getName())
+  )
+}
+
+pragma[inline]
+Type compatibleTypes(Type type) {
+  not (
+    type.isVolatile() and not result.isVolatile()
+    or
+    type.isConst() and not result.isConst()
+  ) and
+  (
+    (
+      result instanceof UnsignedCharType or
+      [result.stripTopLevelSpecifiers(), type.stripTopLevelSpecifiers()] instanceof VoidType
+    )
+    or
+    not result instanceof UnsignedCharType and
+    not result instanceof VoidType and
+    (
+      type.stripType() instanceof Struct and
+      type.getUnspecifiedType() = result.getUnspecifiedType() and
+      not type.getName() = "struct <unnamed>" and
+      not result.getName() = "struct <unnamed>"
+      or
+      not type.stripType() instanceof Struct and
+      (
+        areTypesSameExceptForConstSpecifiers(type, result)
+        or
+        result.getSize() = type.getSize() and
+        (
+          type instanceof Enum and result instanceof IntegralOrEnumType
+          or
+          not type instanceof PlainCharType and
+          (
+            result.(IntegralType).isSigned() and type.(IntegralType).isSigned()
+            or
+            result.(IntegralType).isUnsigned() and type.(IntegralType).isUnsigned()
+          )
+          or
+          result.(FloatingPointType).getDomain() = type.(FloatingPointType).getDomain()
+        )
+        or
+        type instanceof Enum and result instanceof IntegralOrEnumType
+      )
+    )
+  )
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, Cast cast, Type fromType, Type toType
+where
+  not isExcluded(cast, Pointers3Package::doNotAccessVariableViaPointerOfIncompatibleTypeQuery()) and
+  cast.getFile().compiledAsC() and
+  any(IndirectCastConfiguration config).hasFlowPath(source, sink) and
+  // include only sinks which are not a compatible type to the associated source
+  source.getNode().asExpr() = cast.getUnconverted() and
+  fromType = cast.getUnconverted().getType().(PointerType).getBaseType() and
+  toType = sink.getNode().asExpr().getActualType().(PointerType).getBaseType() and
+  not toType = compatibleTypes(fromType)
+select sink.getNode().asExpr().getUnconverted(), source, sink,
+  "Cast from " + fromType + " to " + toType + " results in an incompatible pointer base type."

c/cert/test/rules/EXP39-C/DoNotAccessVariableViaPointerOfIncompatibleType.expected

@@ -0,0 +1,60 @@
+edges
+| test.c:49:8:49:9 | s3 | test.c:50:8:50:9 | s1 |
+| test.c:60:16:60:18 | E1A | test.c:61:16:61:17 | e1 |
+| test.c:60:16:60:18 | E1A | test.c:65:10:65:12 | & ... |
+| test.c:68:22:68:22 | v | test.c:68:41:68:41 | v |
+| test.c:72:13:72:15 | & ... | test.c:68:22:68:22 | v |
+| test.c:74:13:74:15 | & ... | test.c:68:22:68:22 | v |
+| test.c:97:32:97:37 | call to malloc | test.c:98:40:98:41 | s2 |
+| test.c:97:32:97:37 | call to malloc | test.c:98:40:98:41 | s2 |
+| test.c:98:32:98:38 | call to realloc | test.c:99:3:99:4 | s3 |
+| test.c:98:32:98:38 | call to realloc | test.c:100:10:100:11 | s3 |
+| test.c:98:40:98:41 | s2 | test.c:98:32:98:38 | call to realloc |
+nodes
+| test.c:6:19:6:20 | & ... | semmle.label | & ... |
+| test.c:11:10:11:11 | & ... | semmle.label | & ... |
+| test.c:13:17:13:19 | & ... | semmle.label | & ... |
+| test.c:15:17:15:19 | & ... | semmle.label | & ... |
+| test.c:19:18:19:20 | & ... | semmle.label | & ... |
+| test.c:20:20:20:22 | & ... | semmle.label | & ... |
+| test.c:21:11:21:13 | & ... | semmle.label | & ... |
+| test.c:26:17:26:19 | & ... | semmle.label | & ... |
+| test.c:27:10:27:12 | & ... | semmle.label | & ... |
+| test.c:28:13:28:15 | & ... | semmle.label | & ... |
+| test.c:29:19:29:21 | & ... | semmle.label | & ... |
+| test.c:30:16:30:18 | & ... | semmle.label | & ... |
+| test.c:47:8:47:9 | s2 | semmle.label | s2 |
+| test.c:49:8:49:9 | s3 | semmle.label | s3 |
+| test.c:49:8:49:9 | s3 | semmle.label | s3 |
+| test.c:50:8:50:9 | s1 | semmle.label | s1 |
+| test.c:60:16:60:18 | E1A | semmle.label | E1A |
+| test.c:60:16:60:18 | E1A | semmle.label | E1A |
+| test.c:61:16:61:17 | e1 | semmle.label | e1 |
+| test.c:65:10:65:12 | & ... | semmle.label | & ... |
+| test.c:68:22:68:22 | v | semmle.label | v |
+| test.c:68:41:68:41 | v | semmle.label | v |
+| test.c:72:13:72:15 | & ... | semmle.label | & ... |
+| test.c:72:13:72:15 | & ... | semmle.label | & ... |
+| test.c:74:13:74:15 | & ... | semmle.label | & ... |
+| test.c:74:13:74:15 | & ... | semmle.label | & ... |
+| test.c:97:32:97:37 | call to malloc | semmle.label | call to malloc |
+| test.c:97:32:97:37 | call to malloc | semmle.label | call to malloc |
+| test.c:98:32:98:38 | call to realloc | semmle.label | call to realloc |
+| test.c:98:32:98:38 | call to realloc | semmle.label | call to realloc |
+| test.c:98:32:98:38 | call to realloc | semmle.label | call to realloc |
+| test.c:98:40:98:41 | s2 | semmle.label | s2 |
+| test.c:98:40:98:41 | s2 | semmle.label | s2 |
+| test.c:99:3:99:4 | s3 | semmle.label | s3 |
+| test.c:100:10:100:11 | s3 | semmle.label | s3 |
+subpaths
+#select
+| test.c:6:19:6:20 | & ... | test.c:6:19:6:20 | & ... | test.c:6:19:6:20 | & ... | Cast from float to int results in an incompatible pointer base type. |
+| test.c:11:10:11:11 | & ... | test.c:11:10:11:11 | & ... | test.c:11:10:11:11 | & ... | Cast from short[2] to int results in an incompatible pointer base type. |
+| test.c:13:17:13:19 | & ... | test.c:13:17:13:19 | & ... | test.c:13:17:13:19 | & ... | Cast from short[2] to short[4] results in an incompatible pointer base type. |
+| test.c:19:18:19:20 | & ... | test.c:19:18:19:20 | & ... | test.c:19:18:19:20 | & ... | Cast from char to signed char results in an incompatible pointer base type. |
+| test.c:29:19:29:21 | & ... | test.c:29:19:29:21 | & ... | test.c:29:19:29:21 | & ... | Cast from int to unsigned int results in an incompatible pointer base type. |
+| test.c:47:8:47:9 | s2 | test.c:47:8:47:9 | s2 | test.c:47:8:47:9 | s2 | Cast from struct <unnamed> to struct <unnamed> results in an incompatible pointer base type. |
+| test.c:49:8:49:9 | s3 | test.c:49:8:49:9 | s3 | test.c:49:8:49:9 | s3 | Cast from S1 to struct <unnamed> results in an incompatible pointer base type. |
+| test.c:50:8:50:9 | s1 | test.c:50:8:50:9 | s1 | test.c:50:8:50:9 | s1 | Cast from struct <unnamed> to S1 results in an incompatible pointer base type. |
+| test.c:68:41:68:41 | v | test.c:72:13:72:15 | & ... | test.c:68:41:68:41 | v | Cast from float to int results in an incompatible pointer base type. |
+| test.c:99:3:99:4 | s3 | test.c:98:40:98:41 | s2 | test.c:99:3:99:4 | s3 | Cast from S2 to S3 results in an incompatible pointer base type. |

c/cert/test/rules/EXP39-C/DoNotAccessVariableViaPointerOfIncompatibleType.qlref

@@ -0,0 +1 @@
+rules/EXP39-C/DoNotAccessVariableViaPointerOfIncompatibleType.ql

c/cert/test/rules/EXP39-C/test.c

@@ -1,3 +1,6 @@
+#include <stdlib.h>
+#include <string.h>
+
 void test_incompatible_arithmetic() {
   float f = 0.0f;
   int *p = (int *)&f; // NON_COMPLIANT - arithmetic types are not compatible
@@ -14,8 +17,8 @@ void test_incompatible_arithmetic() {
   // char may be signed or unsigned, and so is not compatible with either
   char c1;
   (signed char *)&c1;   // NON_COMPLIANT
-  (unsigned char *)&c1; // NON_COMPLIANT
-  (char *)&c1;          // NON_COMPLIANT
+  (unsigned char *)&c1; // COMPLIANT - the underlying byte representation is always compatible
+  (char *)&c1;          // COMPLIANT - same type
 
   // int is defined as signed, so is compatible with all the signed versions
   // (long, short etc. are similar)
@@ -24,7 +27,7 @@ void test_incompatible_arithmetic() {
   (int *)&i1;          // COMPLIANT
   (signed *)&i1;       // COMPLIANT
   (unsigned int *)&i1; // NON_COMPLIANT
-  (const int *)&i1;    // NON_COMPLIANT
+  (const int *)&i1;    // COMPLIANT - adding a const specifier is permitted
 }
 
 struct {