Fix EXP37-C false-negative, refactor, and update test

Nikita Kraiouchkine · Nikita Kraiouchkine · commit 097e687c6d7a · 2022-08-16T12:20:22.000+02:00
diff --git a/c/cert/src/rules/EXP37-C/DoNotCallFunctionsWithIncompatibleArguments.ql b/c/cert/src/rules/EXP37-C/DoNotCallFunctionsWithIncompatibleArguments.ql
@@ -13,102 +13,15 @@
 
 import cpp
 import codingstandards.c.cert
+import codingstandards.cpp.MistypedFunctionArguments
 
-pragma[inline]
-private predicate arithTypesMatch(Type arg, Type parm) {
-  arg = parm
-  or
-  arg.getSize() = parm.getSize() and
-  (
-    arg instanceof IntegralOrEnumType and
-    parm instanceof IntegralOrEnumType
-    or
-    arg instanceof FloatingPointType and
-    parm instanceof FloatingPointType
-  )
-}
-
-pragma[inline]
-private predicate nestedPointerArgTypeMayBeUsed(Type arg, Type parm) {
-  // arithmetic types
-  arithTypesMatch(arg, parm)
-  or
-  // conversion to/from pointers to void is allowed
-  arg instanceof VoidType
-  or
-  parm instanceof VoidType
-}
-
-pragma[inline]
-private predicate pointerArgTypeMayBeUsed(Type arg, Type parm) {
-  nestedPointerArgTypeMayBeUsed(arg, parm)
-  or
-  // nested pointers
-  nestedPointerArgTypeMayBeUsed(arg.(PointerType).getBaseType().getUnspecifiedType(),
-    parm.(PointerType).getBaseType().getUnspecifiedType())
-  or
-  nestedPointerArgTypeMayBeUsed(arg.(ArrayType).getBaseType().getUnspecifiedType(),
-    parm.(PointerType).getBaseType().getUnspecifiedType())
-}
-
-pragma[inline]
-private predicate argTypeMayBeUsed(Type arg, Type parm) {
-  // arithmetic types
-  arithTypesMatch(arg, parm)
-  or
-  // pointers to compatible types
-  pointerArgTypeMayBeUsed(arg.(PointerType).getBaseType().getUnspecifiedType(),
-    parm.(PointerType).getBaseType().getUnspecifiedType())
-  or
-  pointerArgTypeMayBeUsed(arg.(ArrayType).getBaseType().getUnspecifiedType(),
-    parm.(PointerType).getBaseType().getUnspecifiedType())
-  or
-  // C11 arrays
-  pointerArgTypeMayBeUsed(arg.(PointerType).getBaseType().getUnspecifiedType(),
-    parm.(ArrayType).getBaseType().getUnspecifiedType())
-  or
-  pointerArgTypeMayBeUsed(arg.(ArrayType).getBaseType().getUnspecifiedType(),
-    parm.(ArrayType).getBaseType().getUnspecifiedType())
-}
-
-// This predicate holds whenever expression `arg` may be used to initialize
-// function parameter `parm` without need for run-time conversion.
-pragma[inline]
-private predicate argMayBeUsed(Expr arg, Parameter parm) {
-  argTypeMayBeUsed(arg.getFullyConverted().getUnspecifiedType(), parm.getUnspecifiedType())
-}
-
-// True if function was ()-declared, but not (void)-declared or K&R-defined
-private predicate hasZeroParamDecl(Function f) {
-  exists(FunctionDeclarationEntry fde | fde = f.getADeclarationEntry() |
-    not fde.hasVoidParamList() and fde.getNumberOfParameters() = 0 and not fde.isDefinition()
-  )
-}
-
-// True if this file (or header) was compiled as a C file
-private predicate isCompiledAsC(File f) {
-  f.compiledAsC()
-  or
-  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
-}
-
-predicate mistypedFunctionArguments(FunctionCall fc, Function f, Parameter p) {
-  f = fc.getTarget() and
-  p = f.getAParameter() and
-  hasZeroParamDecl(f) and
-  isCompiledAsC(f.getFile()) and
-  not f.isVarargs() and
-  not f instanceof BuiltInFunction and
-  p.getIndex() < fc.getNumberOfArguments() and
-  // Parameter p and its corresponding call argument must have mismatched types
-  not argMayBeUsed(fc.getArgument(p.getIndex()), p)
-}
-
-// The implementation of this query was taken from the following standard library query:
-// codeql/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
 from FunctionCall fc, Function f, Parameter p
 where
   not isExcluded(fc, ExpressionsPackage::doNotCallFunctionsWithIncompatibleArgumentsQuery()) and
-  mistypedFunctionArguments(fc, f, p)
+  (
+    mistypedFunctionArguments(fc, f, p)
+    or
+    complexArgumentPassedToRealParameter(fc, f, p)
+  )
 select fc, "Argument $@ in call to $@ is incompatible with parameter $@.",
   fc.getArgument(p.getIndex()) as arg, arg.toString(), f, f.toString(), p, p.getTypedName()
diff --git a/c/cert/test/rules/EXP37-C/DoNotCallFunctionsWithIncompatibleArguments.expected b/c/cert/test/rules/EXP37-C/DoNotCallFunctionsWithIncompatibleArguments.expected
@@ -1,2 +1,3 @@
+| test.c:83:12:83:16 | call to atan2 | Argument $@ in call to $@ is incompatible with parameter $@. | test.c:83:18:83:18 | c | c | file:///Users/kraiouchkine/codeql-coding-standards/c/common/test/includes/standard-library/math.h:155:13:155:17 | atan2 | atan2 | file:///Users/kraiouchkine/codeql-coding-standards/c/common/test/includes/standard-library/math.h:155:19:155:24 | (unnamed parameter 0) | double (unnamed parameter 0) |
 | test.c:93:3:93:12 | call to test_func1 | Argument $@ in call to $@ is incompatible with parameter $@. | test.c:93:14:93:15 | p1 | p1 | test2.c:1:6:1:15 | test_func1 | test_func1 | test2.c:1:23:1:24 | p1 | short p1 |
 | test.c:94:3:94:12 | call to test_func1 | Argument $@ in call to $@ is incompatible with parameter $@. | test.c:94:14:94:15 | p2 | p2 | test2.c:1:6:1:15 | test_func1 | test_func1 | test2.c:1:23:1:24 | p1 | short p1 |
diff --git a/c/cert/test/rules/EXP37-C/test.c b/c/cert/test/rules/EXP37-C/test.c
@@ -94,6 +94,6 @@ void test_incompatible_arguments(int p1, short p2) {
   test_func1(p2);                   // NON_COMPLIANT
   ((int (*)(short))test_func1)(p2); // COMPLIANT
   test_func2(0);                    // COMPLIANT
-  test_func3(0);                    // NON_COMPLIANT
+  test_func3(0);                    // NON_COMPLIANT[FALSE_NEGATIVE]
   test_func3(0, 1);                 // NON_COMPLIANT[FALSE_NEGATIVE]
 }
diff --git a/cpp/common/src/codingstandards/cpp/MistypedFunctionArguments.qll b/cpp/common/src/codingstandards/cpp/MistypedFunctionArguments.qll
@@ -0,0 +1,114 @@
+/**
+ * Provides the implementation of the MistypedFunctionArguments query. The
+ * query is implemented as a library, so that we can avoid producing
+ * duplicate results in other similar queries.
+ *
+ * The implementation of this library is based on the following file from the standard library:
+ * codeql/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qll
+ */
+
+import cpp
+
+pragma[inline]
+private predicate arithTypesMatch(Type arg, Type parm) {
+  arg = parm
+  or
+  arg.getSize() = parm.getSize() and
+  (
+    arg instanceof IntegralOrEnumType and
+    parm instanceof IntegralOrEnumType
+    or
+    arg instanceof FloatingPointType and
+    parm instanceof FloatingPointType
+  )
+}
+
+pragma[inline]
+private predicate nestedPointerArgTypeMayBeUsed(Type arg, Type parm) {
+  // arithmetic types
+  arithTypesMatch(arg, parm)
+  or
+  // conversion to/from pointers to void is allowed
+  arg instanceof VoidType
+  or
+  parm instanceof VoidType
+}
+
+pragma[inline]
+private predicate pointerArgTypeMayBeUsed(Type arg, Type parm) {
+  nestedPointerArgTypeMayBeUsed(arg, parm)
+  or
+  // nested pointers
+  nestedPointerArgTypeMayBeUsed(arg.(PointerType).getBaseType().getUnspecifiedType(),
+    parm.(PointerType).getBaseType().getUnspecifiedType())
+  or
+  nestedPointerArgTypeMayBeUsed(arg.(ArrayType).getBaseType().getUnspecifiedType(),
+    parm.(PointerType).getBaseType().getUnspecifiedType())
+}
+
+pragma[inline]
+private predicate argTypeMayBeUsed(Type arg, Type parm) {
+  // arithmetic types
+  arithTypesMatch(arg, parm)
+  or
+  // pointers to compatible types
+  pointerArgTypeMayBeUsed(arg.(PointerType).getBaseType().getUnspecifiedType(),
+    parm.(PointerType).getBaseType().getUnspecifiedType())
+  or
+  pointerArgTypeMayBeUsed(arg.(ArrayType).getBaseType().getUnspecifiedType(),
+    parm.(PointerType).getBaseType().getUnspecifiedType())
+  or
+  // C11 arrays
+  pointerArgTypeMayBeUsed(arg.(PointerType).getBaseType().getUnspecifiedType(),
+    parm.(ArrayType).getBaseType().getUnspecifiedType())
+  or
+  pointerArgTypeMayBeUsed(arg.(ArrayType).getBaseType().getUnspecifiedType(),
+    parm.(ArrayType).getBaseType().getUnspecifiedType())
+}
+
+// This predicate holds whenever expression `arg` may be used to initialize
+// function parameter `parm` without need for run-time conversion.
+pragma[inline]
+private predicate argMayBeUsed(Expr arg, Parameter parm) {
+  argTypeMayBeUsed(arg.getFullyConverted().getUnspecifiedType(), parm.getUnspecifiedType())
+}
+
+// True if function was ()-declared, but not (void)-declared or K&R-defined
+private predicate hasZeroParamDecl(Function f) {
+  exists(FunctionDeclarationEntry fde | fde = f.getADeclarationEntry() |
+    not fde.hasVoidParamList() and fde.getNumberOfParameters() = 0 and not fde.isDefinition()
+  )
+}
+
+// True if this file (or header) was compiled as a C file
+private predicate isCompiledAsC(File f) {
+  f.compiledAsC()
+  or
+  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+}
+
+private predicate isTypeInComplexDomain(FloatingPointType type) {
+  type.getUnderlyingType().(FloatingPointType).getDomain() instanceof ComplexDomain
+}
+
+predicate mistypedFunctionArguments(FunctionCall fc, Function f, Parameter p) {
+  f = fc.getTarget() and
+  p = f.getAParameter() and
+  hasZeroParamDecl(f) and
+  isCompiledAsC(f.getFile()) and
+  not f.isVarargs() and
+  not f instanceof BuiltInFunction and
+  p.getIndex() < fc.getNumberOfArguments() and
+  // Parameter p and its corresponding call argument must have mismatched types
+  not argMayBeUsed(fc.getArgument(p.getIndex()), p)
+}
+
+predicate complexArgumentPassedToRealParameter(FunctionCall fc, Function f, Parameter p) {
+  f = fc.getTarget() and
+  p = f.getAParameter() and
+  // Some implementations implicitly convert complex floating point values by
+  // extracting the real part of the complex number (in-place or via a creal() call).
+  // This predicate includes those results unless the value is explicitly converted.
+  not isTypeInComplexDomain(p.getType()) and
+  isTypeInComplexDomain(fc.getArgument(p.getIndex()).getExplicitlyConverted().getType())
+}

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
	`1`	`+\| test.c:83:12:83:16 \| call to atan2 \| Argument $@ in call to $@ is incompatible with parameter $@. \| test.c:83:18:83:18 \| c \| c \| file:///Users/kraiouchkine/codeql-coding-standards/c/common/test/includes/standard-library/math.h:155:13:155:17 \| atan2 \| atan2 \| file:///Users/kraiouchkine/codeql-coding-standards/c/common/test/includes/standard-library/math.h:155:19:155:24 \| (unnamed parameter 0) \| double (unnamed parameter 0) \|`
`1`	`2`	`\| test.c:93:3:93:12 \| call to test_func1 \| Argument $@ in call to $@ is incompatible with parameter $@. \| test.c:93:14:93:15 \| p1 \| p1 \| test2.c:1:6:1:15 \| test_func1 \| test_func1 \| test2.c:1:23:1:24 \| p1 \| short p1 \|`
`2`	`3`	`\| test.c:94:3:94:12 \| call to test_func1 \| Argument $@ in call to $@ is incompatible with parameter $@. \| test.c:94:14:94:15 \| p2 \| p2 \| test2.c:1:6:1:15 \| test_func1 \| test_func1 \| test2.c:1:23:1:24 \| p1 \| short p1 \|`
Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,6 @@ void test_incompatible_arguments(int p1, short p2) {`
`94`	`94`	`test_func1(p2); // NON_COMPLIANT`
`95`	`95`	`((int (*)(short))test_func1)(p2); // COMPLIANT`
`96`	`96`	`test_func2(0); // COMPLIANT`
`97`		`- test_func3(0); // NON_COMPLIANT`
	`97`	`+ test_func3(0); // NON_COMPLIANT[FALSE_NEGATIVE]`
`98`	`98`	`test_func3(0, 1); // NON_COMPLIANT[FALSE_NEGATIVE]`
`99`	`99`	`}`