EXP43-C: Refine data-flow and add context to output

Author: Nikita Kraiouchkine

c/cert/src/rules/EXP43-C/DoNotPassAliasedPointerToRestrictQualifiedParam.ql

@@ -49,8 +49,8 @@ class CallToFunctionWithRestrictParameters extends FunctionCall {
             .getIndex())
   }
 
-  Expr getAPtrArg() {
-    result = this.getAnArgument() and
+  Expr getAPtrArg(int index) {
+    result = this.getArgument(index) and
     pointerValue(result)
   }
 
@@ -69,9 +69,13 @@ class CallToFunctionWithRestrictParameters extends FunctionCall {
  * A `PointsToExpr` that is an argument of a pointer-type in a `CallToFunctionWithRestrictParameters`
  */
 class CallToFunctionWithRestrictParametersArgExpr extends Expr {
+  int paramIndex;
+
   CallToFunctionWithRestrictParametersArgExpr() {
-    this = any(CallToFunctionWithRestrictParameters call).getAPtrArg()
+    this = any(CallToFunctionWithRestrictParameters call).getAPtrArg(paramIndex)
   }
+
+  int getParamIndex() { result = paramIndex }
 }
 
 int getStatedValue(Expr e) {
@@ -101,28 +105,41 @@ class PointerValueToRestrictArgConfig extends DataFlow::Configuration {
 
   override predicate isSink(DataFlow::Node sink) {
     exists(CallToFunctionWithRestrictParameters call |
-      sink.asExpr() = call.getAPtrArg().getAChild*()
+      sink.asExpr() = call.getAPtrArg(_).getAChild*()
     )
   }
+
+  override predicate isBarrierIn(DataFlow::Node node) {
+    exists(AddressOfExpr a | node.asExpr() = a.getOperand().getAChild*())
+  }
 }
 
 from
   CallToFunctionWithRestrictParameters call, CallToFunctionWithRestrictParametersArgExpr arg1,
-  CallToFunctionWithRestrictParametersArgExpr arg2, int argOffset1, int argOffset2
+  CallToFunctionWithRestrictParametersArgExpr arg2, int argOffset1, int argOffset2, Expr source1,
+  Expr source2, string sourceMessage1, string sourceMessage2
 where
   not isExcluded(call, Pointers3Package::doNotPassAliasedPointerToRestrictQualifiedParamQuery()) and
   arg1 = call.getARestrictPtrArg() and
-  arg2 = call.getAPtrArg() and
-  arg1 != arg2 and
-  exists(PointerValueToRestrictArgConfig config, Expr source1, Expr source2 |
+  arg2 = call.getAPtrArg(_) and
+  // enforce ordering to remove permutations if multiple restrict-qualified args exist
+  (not arg2 = call.getARestrictPtrArg() or arg2.getParamIndex() > arg1.getParamIndex()) and
+  // check if two pointers address the same object
+  exists(PointerValueToRestrictArgConfig config |
     config.hasFlow(DataFlow::exprNode(source1), DataFlow::exprNode(arg1.getAChild*())) and
     (
       // one pointer value flows to both args
-      config.hasFlow(DataFlow::exprNode(source1), DataFlow::exprNode(arg2.getAChild*()))
+      config.hasFlow(DataFlow::exprNode(source1), DataFlow::exprNode(arg2.getAChild*())) and
+      sourceMessage1 = "$@" and
+      sourceMessage2 = "source" and
+      source1 = source2
       or
       // there are two separate values that flow from an AddressOfExpr of the same target
       getAddressOfExprTargetBase(source1) = getAddressOfExprTargetBase(source2) and
-      config.hasFlow(DataFlow::exprNode(source2), DataFlow::exprNode(arg2.getAChild*()))
+      config.hasFlow(DataFlow::exprNode(source2), DataFlow::exprNode(arg2.getAChild*())) and
+      sourceMessage1 = "a pair of address-of expressions ($@, $@)" and
+      sourceMessage2 = "addressof1" and
+      not source1 = source2
     )
   ) and
   // get the offset of the pointer arithmetic operand (or '0' if there is none)
@@ -146,5 +163,6 @@ where
     not exists(call.getAPossibleSizeArg())
   )
 select call,
-  "Call to '" + call.getTarget().getName() +
-    "' passes an aliased pointer to a restrict-qualified parameter."
+  "Call to '" + call.getTarget().getName() + "' passes an $@ to a $@ (pointer value derived from " +
+    sourceMessage1 + ".", arg2, "aliased pointer", arg1, "restrict-qualified parameter", source1,
+  sourceMessage2, source2, "addressof2"

c/cert/src/rules/EXP43-C/RestrictPointerReferencesOverlappingObject.ql

@@ -28,6 +28,11 @@ class AssignmentOrInitializationToRestrictPtrValueExpr extends Expr {
   }
 
   Variable getVariable() { result = v }
+
+  predicate isTargetRestrictQualifiedAndInSameScope() {
+    this.(VariableAccess).getTarget().getType().hasSpecifier("restrict") and
+    this.(VariableAccess).getTarget().getParentScope() = this.getVariable().getParentScope()
+  }
 }
 
 /**
@@ -46,30 +51,41 @@ class AssignedValueToRestrictPtrValueConfiguration extends DataFlow::Configurati
   override predicate isSink(DataFlow::Node sink) {
     sink.asExpr() instanceof AssignmentOrInitializationToRestrictPtrValueExpr
   }
+
+  override predicate isBarrierIn(DataFlow::Node node) {
+    isSource(node)
+  }
 }
 
 from
-  AssignedValueToRestrictPtrValueConfiguration config, DataFlow::Node sourceValue,
-  AssignmentOrInitializationToRestrictPtrValueExpr expr,
-  AssignmentOrInitializationToRestrictPtrValueExpr pre_expr
+  AssignedValueToRestrictPtrValueConfiguration config,
+  AssignmentOrInitializationToRestrictPtrValueExpr expr, DataFlow::Node sourceValue,
+  string sourceMessage
 where
   not isExcluded(expr, Pointers3Package::restrictPointerReferencesOverlappingObjectQuery()) and
   (
+    // Two restrict-qualified pointers in the same scope assigned to each other
+    expr.isTargetRestrictQualifiedAndInSameScope() and
+    sourceValue.asExpr() = expr and
+    sourceMessage = "the object pointed to by " + expr.(VariableAccess).getTarget().getName()
+    or
     // If the same expressions flows to two unique `AssignmentOrInitializationToRestrictPtrValueExpr`
     // in the same block, then the two variables point to the same (overlapping) object
-    expr.getEnclosingBlock() = pre_expr.getEnclosingBlock() and
-    (
-      config.hasFlow(sourceValue, DataFlow::exprNode(pre_expr)) and
-      config.hasFlow(sourceValue, DataFlow::exprNode(expr))
-      or
-      // Expressions referring to the address of the same variable can also result in aliasing
-      getAddressOfExprTargetBase(expr) = getAddressOfExprTargetBase(pre_expr)
-    ) and
-    strictlyDominates(pragma[only_bind_out](pre_expr), pragma[only_bind_out](expr))
-    or
-    // Two restrict-qualified pointers in the same scope assigned to each other
-    expr.(VariableAccess).getTarget().getType().hasSpecifier("restrict") and
-    expr.(VariableAccess).getTarget().getParentScope() = expr.getVariable().getParentScope()
+    not expr.isTargetRestrictQualifiedAndInSameScope() and
+    exists(AssignmentOrInitializationToRestrictPtrValueExpr pre_expr |
+      expr.getEnclosingBlock() = pre_expr.getEnclosingBlock() and
+      (
+        config.hasFlow(sourceValue, DataFlow::exprNode(pre_expr)) and
+        config.hasFlow(sourceValue, DataFlow::exprNode(expr)) and
+        sourceMessage = "the same source value"
+        or
+        // Expressions referring to the address of the same variable can also result in aliasing
+        getAddressOfExprTargetBase(expr) = getAddressOfExprTargetBase(pre_expr) and
+        sourceValue.asExpr() = pre_expr and
+        sourceMessage = getAddressOfExprTargetBase(expr).getName() + " via address-of"
+      ) and
+      strictlyDominates(pragma[only_bind_out](pre_expr), pragma[only_bind_out](expr))
+    )
   )
-select expr, "Assignment to restrict-qualified pointer $@ results in pointer aliasing.",
-  expr.getVariable(), expr.getVariable().getName()
+select expr, "Assignment to restrict-qualified pointer $@ results in pointers aliasing $@.",
+  expr.getVariable(), expr.getVariable().getName(), sourceValue, sourceMessage

c/cert/test/rules/EXP43-C/DoNotPassAliasedPointerToRestrictQualifiedParam.expected

@@ -1,5 +1,6 @@
-| test.c:59:3:59:6 | call to copy | Call to 'copy' passes an aliased pointer to a restrict-qualified parameter. |
-| test.c:64:3:64:6 | call to copy | Call to 'copy' passes an aliased pointer to a restrict-qualified parameter. |
-| test.c:70:3:70:8 | call to strcpy | Call to 'strcpy' passes an aliased pointer to a restrict-qualified parameter. |
-| test.c:77:3:77:8 | call to memcpy | Call to 'memcpy' passes an aliased pointer to a restrict-qualified parameter. |
-| test.c:90:3:90:7 | call to scanf | Call to 'scanf' passes an aliased pointer to a restrict-qualified parameter. |
+| test.c:59:3:59:6 | call to copy | Call to 'copy' passes an $@ to a $@ (pointer value derived from a pair of address-of expressions ($@, $@). | test.c:59:13:59:15 | & ... | aliased pointer | test.c:59:8:59:10 | & ... | restrict-qualified parameter | test.c:59:8:59:10 | & ... | addressof1 | test.c:59:13:59:15 | & ... | addressof2 |
+| test.c:65:3:65:6 | call to copy | Call to 'copy' passes an $@ to a $@ (pointer value derived from a pair of address-of expressions ($@, $@). | test.c:65:15:65:19 | & ... | aliased pointer | test.c:65:8:65:12 | & ... | restrict-qualified parameter | test.c:65:8:65:12 | & ... | addressof1 | test.c:65:15:65:19 | & ... | addressof2 |
+| test.c:67:3:67:6 | call to copy | Call to 'copy' passes an $@ to a $@ (pointer value derived from a pair of address-of expressions ($@, $@). | test.c:67:15:67:16 | px | aliased pointer | test.c:67:8:67:12 | & ... | restrict-qualified parameter | test.c:67:8:67:12 | & ... | addressof1 | test.c:63:13:63:17 | & ... | addressof2 |
+| test.c:73:3:73:8 | call to strcpy | Call to 'strcpy' passes an $@ to a $@ (pointer value derived from a pair of address-of expressions ($@, $@). | test.c:73:15:73:21 | ... + ... | aliased pointer | test.c:73:10:73:12 | & ... | restrict-qualified parameter | test.c:73:10:73:12 | & ... | addressof1 | test.c:73:15:73:17 | & ... | addressof2 |
+| test.c:80:3:80:8 | call to memcpy | Call to 'memcpy' passes an $@ to a $@ (pointer value derived from a pair of address-of expressions ($@, $@). | test.c:80:15:80:21 | ... + ... | aliased pointer | test.c:80:10:80:12 | & ... | restrict-qualified parameter | test.c:80:10:80:12 | & ... | addressof1 | test.c:80:15:80:17 | & ... | addressof2 |
+| test.c:93:3:93:7 | call to scanf | Call to 'scanf' passes an $@ to a $@ (pointer value derived from a pair of address-of expressions ($@, $@). | test.c:93:14:93:20 | ... + ... | aliased pointer | test.c:93:9:93:11 | & ... | restrict-qualified parameter | test.c:93:9:93:11 | & ... | addressof1 | test.c:93:14:93:16 | & ... | addressof2 |

c/cert/test/rules/EXP43-C/RestrictPointerReferencesOverlappingObject.expected

@@ -1,8 +1,9 @@
-| test.c:18:22:18:23 | i2 | Assignment to restrict-qualified pointer $@ results in pointer aliasing. | test.c:18:17:18:18 | i3 | i3 |
-| test.c:19:8:19:9 | g2 | Assignment to restrict-qualified pointer $@ results in pointer aliasing. | test.c:5:15:5:16 | g1 | g1 |
-| test.c:20:8:20:9 | i2 | Assignment to restrict-qualified pointer $@ results in pointer aliasing. | test.c:16:17:16:18 | i1 | i1 |
-| test.c:27:10:27:11 | g1 | Assignment to restrict-qualified pointer $@ results in pointer aliasing. | test.c:23:19:23:20 | i5 | i5 |
-| test.c:28:10:28:11 | g1 | Assignment to restrict-qualified pointer $@ results in pointer aliasing. | test.c:22:19:22:20 | i4 | i4 |
-| test.c:39:22:39:26 | & ... | Assignment to restrict-qualified pointer $@ results in pointer aliasing. | test.c:39:17:39:18 | px | px |
-| test.c:45:10:45:14 | & ... | Assignment to restrict-qualified pointer $@ results in pointer aliasing. | test.c:42:19:42:20 | pz | pz |
-| test.c:46:10:46:14 | & ... | Assignment to restrict-qualified pointer $@ results in pointer aliasing. | test.c:41:19:41:20 | py | py |
+| test.c:18:22:18:23 | i2 | Assignment to restrict-qualified pointer $@ results in pointers aliasing $@. | test.c:18:17:18:18 | i3 | i3 | test.c:18:22:18:23 | i2 | the object pointed to by i2 |
+| test.c:19:8:19:9 | g2 | Assignment to restrict-qualified pointer $@ results in pointers aliasing $@. | test.c:5:15:5:16 | g1 | g1 | test.c:19:8:19:9 | g2 | the object pointed to by g2 |
+| test.c:20:8:20:9 | i2 | Assignment to restrict-qualified pointer $@ results in pointers aliasing $@. | test.c:16:17:16:18 | i1 | i1 | test.c:20:8:20:9 | i2 | the object pointed to by i2 |
+| test.c:27:10:27:11 | g1 | Assignment to restrict-qualified pointer $@ results in pointers aliasing $@. | test.c:23:19:23:20 | i5 | i5 | test.c:19:8:19:9 | g2 | the same source value |
+| test.c:28:10:28:11 | g1 | Assignment to restrict-qualified pointer $@ results in pointers aliasing $@. | test.c:22:19:22:20 | i4 | i4 | test.c:19:8:19:9 | g2 | the same source value |
+| test.c:39:22:39:26 | & ... | Assignment to restrict-qualified pointer $@ results in pointers aliasing $@. | test.c:39:17:39:18 | px | px | test.c:38:28:38:30 | & ... | v1 via address-of |
+| test.c:45:10:45:14 | & ... | Assignment to restrict-qualified pointer $@ results in pointers aliasing $@. | test.c:42:19:42:20 | pz | pz | test.c:43:10:43:14 | & ... | v1 via address-of |
+| test.c:46:10:46:14 | & ... | Assignment to restrict-qualified pointer $@ results in pointers aliasing $@. | test.c:41:19:41:20 | py | py | test.c:43:10:43:14 | & ... | v1 via address-of |
+| test.c:46:10:46:14 | & ... | Assignment to restrict-qualified pointer $@ results in pointers aliasing $@. | test.c:41:19:41:20 | py | py | test.c:45:10:45:14 | & ... | v1 via address-of |

c/cert/test/rules/EXP43-C/test.c

@@ -60,8 +60,11 @@ void test_restrict_params() {
   copy(&i1, &i2, 1); // COMPLIANT
 
   int x[10];
-  copy(&x[0], &x[1], 1); // COMPLIANT - non overlapping
-  copy(&x[0], &x[1], 2); // NON_COMPLIANT - overlapping
+  int *px = &x[0];
+  copy(&x[0], &x[1], 1);       // COMPLIANT - non overlapping
+  copy(&x[0], &x[1], 2);       // NON_COMPLIANT - overlapping
+  copy(&x[0], (int *)x[0], 1); // COMPLIANT - non overlapping
+  copy(&x[0], px, 1);          // NON_COMPLIANT - overlapping
 }
 
 void test_strcpy() {

c/common/src/codingstandards/c/Variable.qll

@@ -47,6 +47,7 @@ class FlexibleArrayMemberCandidate extends MemberVariable {
 Variable getAddressOfExprTargetBase(AddressOfExpr expr) {
   result = expr.getOperand().(ValueFieldAccess).getQualifier().(VariableAccess).getTarget()
   or
+  not expr.getOperand() instanceof ValueFieldAccess and
   result = expr.getOperand().(VariableAccess).getTarget()
   or
   result = expr.getOperand().(ArrayExpr).getArrayBase().(VariableAccess).getTarget()