Address FPs on subojects

rvermeulen · rvermeulen · commit e51019dcb7c9 · 2024-02-14T17:02:50.000-08:00
Members of a struct can be initialized indirectly in various ways.
We account for those when counting uses.
diff --git a/cpp/autosar/src/rules/M0-1-4/SingleUsePODVariable.qll b/cpp/autosar/src/rules/M0-1-4/SingleUsePODVariable.qll
@@ -10,6 +10,44 @@ private string getConstExprValue(Variable v) {
   v.isConstexpr()
 }
 
+/**
+ * Gets the number of uses of variable `v` in an opaque assignment, where an opaqua assignment for example a cast from one type to the other and `v` is assumed to be a member of the resulting type.
+ * e.g.,
+ * struct foo {
+ *  int bar;
+ * }
+ *
+ * struct foo * v = (struct foo*)buffer;
+ */
+Expr getIndirectSubObjectAssignedValue(MemberVariable subobject) {
+  // struct foo * ptr = (struct foo*)buffer;
+  exists(Struct someStruct, Variable instanceOfSomeStruct | someStruct.getAMember() = subobject |
+    instanceOfSomeStruct.getType().(PointerType).getBaseType() = someStruct and
+    exists(Cast assignedValue |
+      // Exclude cases like struct foo * v = nullptr;
+      not assignedValue.isImplicit() and
+      // `v` is a subobject of another type that reinterprets another object. We count that as a use of `v`.
+      assignedValue.getExpr() = instanceOfSomeStruct.getAnAssignedValue() and
+      result = assignedValue
+    )
+    or
+    // struct foo; read(..., (char *)&foo);
+    instanceOfSomeStruct.getType() = someStruct and
+    exists(Call externalInitializerCall, Cast castToCharPointer, int n |
+      externalInitializerCall.getArgument(n).(AddressOfExpr).getOperand() =
+        instanceOfSomeStruct.getAnAccess() and
+      externalInitializerCall.getArgument(n) = castToCharPointer.getExpr() and
+      castToCharPointer.getType().(PointerType).getBaseType().getUnspecifiedType() instanceof
+        CharType and
+      result = externalInitializerCall
+    )
+    or
+    // the object this subject is part of is initialized and we assumes this initializes the subobject.
+    instanceOfSomeStruct.getType() = someStruct and
+    result = instanceOfSomeStruct.getInitializer().getExpr()
+  )
+}
+
 /** Gets a "use" count according to rule M0-1-4. */
 int getUseCount(Variable v) {
   // We enforce that it's a POD type variable, so if it has an initializer it is explicit
@@ -23,7 +61,7 @@ int getUseCount(Variable v) {
       // of the variable
       count(ClassTemplateInstantiation cti |
         cti.getTemplateArgument(_).(Expr).getValue() = getConstExprValue(v)
-      )
+      ) + count(getIndirectSubObjectAssignedValue(v))
 }
 
 Expr getAUserInitializedValue(Variable v) {
diff --git a/cpp/autosar/test/rules/M0-1-4/test_member.cpp b/cpp/autosar/test/rules/M0-1-4/test_member.cpp
@@ -93,4 +93,41 @@ void test_array_initialized_members() {
 
   l1[0].m1;
 }
+
+void test_indirect_assigned_members(void *opaque) {
+  struct s1 {
+    int m1; // COMPLIANT
+  };
+
+  struct s1 *p = (struct s1 *)opaque;
+  p->m1;
+
+  struct s2 {
+    int m1; // COMPLIANT
+  };
+
+  char buffer[sizeof(struct s2) + 8] = {0};
+  struct s2 *l2 = (struct s2 *)&buffer[8];
+  l2->m1;
+}
+
+void test_external_assigned_members(void (*fp)(unsigned char *)) {
+
+  struct s1 {
+    int m1; // COMPLIANT
+  };
+
+  struct s1 l1;
+  fp((unsigned char *)&l1);
+  l1.m1;
+
+  struct s2 {
+    int m1; // COMPLIANT
+  };
+
+  struct s2 (*copy_init)();
+  struct s2 l2 = copy_init();
+  l2.m1;
+}
+
 } // namespace test
