Implement Expressions package

Author: Nikita Kraiouchkine

c/cert/src/rules/EXP37-C/CallPOSIXOpenWithCorrectArgumentCount.md

@@ -0,0 +1,16 @@
+# EXP37-C: Pass the correct number of arguments to the POSIX open function.
+
+This query implements the CERT-C rule EXP37-C:
+
+> Call functions with the correct number and type of arguments
+## CERT
+
+** REPLACE THIS BY RUNNING THE SCRIPT `scripts/help/cert-help-extraction.py` **
+
+## Implementation notes
+
+None
+
+## References
+
+* CERT-C: [EXP37-C: Call functions with the correct number and type of arguments](https://wiki.sei.cmu.edu/confluence/display/c)

c/cert/src/rules/EXP37-C/CallPOSIXOpenWithCorrectArgumentCount.ql

@@ -0,0 +1,70 @@
+/**
+ * @id c/cert/call-posix-open-with-correct-argument-count
+ * @name EXP37-C: Pass the correct number of arguments to the POSIX open function.
+ * @description A third argument should be passed to the POSIX function open() when and only when
+ *              creating a new file.
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags external/cert/id/exp37-c
+ *       correctness
+ *       security
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import semmle.code.cpp.commons.unix.Constants
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+
+int o_creat_val() {
+  result = any(MacroInvocation ma | ma.getMacroName() = "O_CREAT" | ma.getExpr().getValue().toInt())
+  or
+  result = o_creat()
+}
+
+/**
+ * A function call to POSIX open()
+ */
+class POSIXOpenFunctionCall extends FunctionCall {
+  POSIXOpenFunctionCall() { this.getTarget().getQualifiedName() = "open" }
+
+  /**
+   * Holds if reasonable bounds exist for the value of the 'flags' argument of the call.
+   * This predicate will never hold for cases such as wrapper functions
+   * which pass a parameter to the open() 'flags' argument.
+   */
+  predicate hasFlagsArgBounds() { lowerBound(this.getArgument(1)) >= 0 }
+
+  /**
+   * Holds if the 'flags' argument contains the O_CREAT flag.
+   * Because this predicate uses the SimpleRangeAnalysis library, it only
+   * analyzes the bounds of 'flag' arguments which can be deduced locally.
+   */
+  predicate isOpenCreateCall() {
+    hasFlagsArgBounds() and
+    upperBound(this.getArgument(1)).toString().toInt().bitAnd(o_creat_val()) != 0
+  }
+}
+
+from POSIXOpenFunctionCall call, string message
+where
+  not isExcluded(call, ExpressionsPackage::callPOSIXOpenWithCorrectArgumentCountQuery()) and
+  // include only analyzable flag arguments which have values that can be determined locally
+  call.hasFlagsArgBounds() and
+  // differentiate between two variants:
+  // 1) a call to open() with the O_CREAT flag set, which should pass three arguments
+  // 2) a call to open without the O_CREAT flag set, which should pass two arguments
+  if call.isOpenCreateCall()
+  then (
+    call.getNumberOfArguments() != 3 and
+    message =
+      "Call to " + call.getTarget().getName() +
+        " with O_CREAT flag does not pass exactly three arguments."
+  ) else (
+    call.getNumberOfArguments() != 2 and
+    message =
+      "Call to " + call.getTarget().getName() +
+        " without O_CREAT flag does not pass exactly two arguments."
+  )
+select call, message

c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.md

@@ -0,0 +1,16 @@
+# EXP37-C: Do not call a function pointer which points to a function of an incompatible type
+
+This query implements the CERT-C rule EXP37-C:
+
+> Call functions with the correct number and type of arguments
+## CERT
+
+** REPLACE THIS BY RUNNING THE SCRIPT `scripts/help/cert-help-extraction.py` **
+
+## Implementation notes
+
+None
+
+## References
+
+* CERT-C: [EXP37-C: Call functions with the correct number and type of arguments](https://wiki.sei.cmu.edu/confluence/display/c)

c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql

@@ -0,0 +1,54 @@
+/**
+ * @id c/cert/do-not-call-function-pointer-with-incompatible-type
+ * @name EXP37-C: Do not call a function pointer which points to a function of an incompatible type
+ * @description Calling a function pointer with a type incompatible with the function it points to
+ *              is undefined.
+ * @kind path-problem
+ * @precision high
+ * @problem.severity error
+ * @tags external/cert/id/exp37-c
+ *       correctness
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import semmle.code.cpp.dataflow.DataFlow
+import DataFlow::PathGraph
+
+class SuspectFunctionPointerCastExpr extends Expr {
+  SuspectFunctionPointerCastExpr() {
+    exists(CStyleCast cast, Type old, Type new |
+      this = cast.getUnconverted() and
+      old = cast.getUnconverted().getUnderlyingType() and
+      new = cast.getFullyConverted().getUnderlyingType() and
+      old != new and
+      old instanceof FunctionPointerType and
+      new instanceof FunctionPointerType
+    )
+  }
+}
+
+class SuspectFunctionPointerToCallConfig extends DataFlow::Configuration {
+  SuspectFunctionPointerToCallConfig() { this = "SuspectFunctionPointerToCallConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    src.asExpr() instanceof SuspectFunctionPointerCastExpr
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(VariableCall call | sink.asExpr() = call.getExpr().(VariableAccess))
+  }
+}
+
+from
+  SuspectFunctionPointerToCallConfig config, DataFlow::PathNode src, DataFlow::PathNode sink,
+  Access access
+where
+  not isExcluded(src.getNode().asExpr(),
+    ExpressionsPackage::doNotCallFunctionPointerWithIncompatibleTypeQuery()) and
+  access = src.getNode().asExpr() and
+  config.hasFlowPath(src, sink)
+select src, src, sink,
+  "Incompatible function $@ assigned to function pointer is eventually called through the pointer.",
+  access.getTarget(), access.getTarget().getName()

c/cert/src/rules/EXP37-C/DoNotCallFunctionsWithIncompatibleArguments.md

@@ -0,0 +1,16 @@
+# EXP37-C: Do not pass arguments with an incompatible count or type to a function.
+
+This query implements the CERT-C rule EXP37-C:
+
+> Call functions with the correct number and type of arguments
+## CERT
+
+** REPLACE THIS BY RUNNING THE SCRIPT `scripts/help/cert-help-extraction.py` **
+
+## Implementation notes
+
+None
+
+## References
+
+* CERT-C: [EXP37-C: Call functions with the correct number and type of arguments](https://wiki.sei.cmu.edu/confluence/display/c)

c/cert/src/rules/EXP37-C/DoNotCallFunctionsWithIncompatibleArguments.ql

@@ -0,0 +1,114 @@
+/**
+ * @id c/cert/do-not-call-functions-with-incompatible-arguments
+ * @name EXP37-C: Do not pass arguments with an incompatible count or type to a function.
+ * @description The arguments passed to a function must be compatible with the function's
+ *              parameters.
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags external/cert/id/exp37-c
+ *       correctness
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+
+pragma[inline]
+private predicate arithTypesMatch(Type arg, Type parm) {
+  arg = parm
+  or
+  arg.getSize() = parm.getSize() and
+  (
+    arg instanceof IntegralOrEnumType and
+    parm instanceof IntegralOrEnumType
+    or
+    arg instanceof FloatingPointType and
+    parm instanceof FloatingPointType
+  )
+}
+
+pragma[inline]
+private predicate nestedPointerArgTypeMayBeUsed(Type arg, Type parm) {
+  // arithmetic types
+  arithTypesMatch(arg, parm)
+  or
+  // conversion to/from pointers to void is allowed
+  arg instanceof VoidType
+  or
+  parm instanceof VoidType
+}
+
+pragma[inline]
+private predicate pointerArgTypeMayBeUsed(Type arg, Type parm) {
+  nestedPointerArgTypeMayBeUsed(arg, parm)
+  or
+  // nested pointers
+  nestedPointerArgTypeMayBeUsed(arg.(PointerType).getBaseType().getUnspecifiedType(),
+    parm.(PointerType).getBaseType().getUnspecifiedType())
+  or
+  nestedPointerArgTypeMayBeUsed(arg.(ArrayType).getBaseType().getUnspecifiedType(),
+    parm.(PointerType).getBaseType().getUnspecifiedType())
+}
+
+pragma[inline]
+private predicate argTypeMayBeUsed(Type arg, Type parm) {
+  // arithmetic types
+  arithTypesMatch(arg, parm)
+  or
+  // pointers to compatible types
+  pointerArgTypeMayBeUsed(arg.(PointerType).getBaseType().getUnspecifiedType(),
+    parm.(PointerType).getBaseType().getUnspecifiedType())
+  or
+  pointerArgTypeMayBeUsed(arg.(ArrayType).getBaseType().getUnspecifiedType(),
+    parm.(PointerType).getBaseType().getUnspecifiedType())
+  or
+  // C11 arrays
+  pointerArgTypeMayBeUsed(arg.(PointerType).getBaseType().getUnspecifiedType(),
+    parm.(ArrayType).getBaseType().getUnspecifiedType())
+  or
+  pointerArgTypeMayBeUsed(arg.(ArrayType).getBaseType().getUnspecifiedType(),
+    parm.(ArrayType).getBaseType().getUnspecifiedType())
+}
+
+// This predicate holds whenever expression `arg` may be used to initialize
+// function parameter `parm` without need for run-time conversion.
+pragma[inline]
+private predicate argMayBeUsed(Expr arg, Parameter parm) {
+  argTypeMayBeUsed(arg.getFullyConverted().getUnspecifiedType(), parm.getUnspecifiedType())
+}
+
+// True if function was ()-declared, but not (void)-declared or K&R-defined
+private predicate hasZeroParamDecl(Function f) {
+  exists(FunctionDeclarationEntry fde | fde = f.getADeclarationEntry() |
+    not fde.hasVoidParamList() and fde.getNumberOfParameters() = 0 and not fde.isDefinition()
+  )
+}
+
+// True if this file (or header) was compiled as a C file
+private predicate isCompiledAsC(File f) {
+  f.compiledAsC()
+  or
+  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+}
+
+predicate mistypedFunctionArguments(FunctionCall fc, Function f, Parameter p) {
+  f = fc.getTarget() and
+  p = f.getAParameter() and
+  hasZeroParamDecl(f) and
+  isCompiledAsC(f.getFile()) and
+  not f.isVarargs() and
+  not f instanceof BuiltInFunction and
+  p.getIndex() < fc.getNumberOfArguments() and
+  // Parameter p and its corresponding call argument must have mismatched types
+  not argMayBeUsed(fc.getArgument(p.getIndex()), p)
+}
+
+// The implementation of this query was taken from the following standard library query:
+// codeql/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
+from FunctionCall fc, Function f, Parameter p
+where
+  not isExcluded(fc, ExpressionsPackage::doNotCallFunctionsWithIncompatibleArgumentsQuery()) and
+  mistypedFunctionArguments(fc, f, p)
+select fc, "Argument $@ in call to $@ is incompatible with parameter $@.",
+  fc.getArgument(p.getIndex()) as arg, arg.toString(), f, f.toString(), p, p.getTypedName()

c/cert/src/rules/EXP46-C/DoNotUseABitwiseOperatorWithABooleanLikeOperand.md

@@ -0,0 +1,16 @@
+# EXP46-C: Do not use a bitwise operator with a Boolean-like operand
+
+This query implements the CERT-C rule EXP46-C:
+
+> Do not use a bitwise operator with a Boolean-like operand
+## CERT
+
+** REPLACE THIS BY RUNNING THE SCRIPT `scripts/help/cert-help-extraction.py` **
+
+## Implementation notes
+
+None
+
+## References
+
+* CERT-C: [EXP46-C: Do not use a bitwise operator with a Boolean-like operand](https://wiki.sei.cmu.edu/confluence/display/c)

c/cert/src/rules/EXP46-C/DoNotUseABitwiseOperatorWithABooleanLikeOperand.ql

@@ -0,0 +1,41 @@
+/**
+ * @id c/cert/do-not-use-a-bitwise-operator-with-a-boolean-like-operand
+ * @name EXP46-C: Do not use a bitwise operator with a Boolean-like operand
+ * @description
+ * @kind problem
+ * @precision very-high
+ * @problem.severity error
+ * @tags external/cert/id/exp46-c
+ *       maintainability
+ *       readability
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+
+predicate isBitwiseOperationPotentiallyAmbiguous(BinaryBitwiseOperation op) {
+  op instanceof BitwiseAndExpr or
+  op instanceof BitwiseOrExpr or
+  op instanceof BitwiseXorExpr
+}
+
+predicate isDisallowedBitwiseOperationOperand(Expr e) {
+  not e.isParenthesised() and
+  (
+    e.getFullyConverted().getUnderlyingType() instanceof BoolType or
+    e instanceof RelationalOperation or
+    e instanceof EqualityOperation
+  )
+}
+
+from Expr operand, Operation operation
+where
+  not isExcluded(operation,
+    ExpressionsPackage::doNotUseABitwiseOperatorWithABooleanLikeOperandQuery()) and
+  isBitwiseOperationPotentiallyAmbiguous(operation) and
+  operand = operation.getAnOperand() and
+  isDisallowedBitwiseOperationOperand(operand)
+select operation,
+  "Bitwise operator " + operation.getOperator() +
+    " performs potentially unintended operation on $@.", operand, "boolean operand"

c/cert/test/rules/EXP37-C/CallPOSIXOpenWithCorrectArgumentCount.expected

@@ -0,0 +1,6 @@
+| test.c:18:3:18:6 | call to open | Call to open without O_CREAT flag does not pass exactly two arguments. |
+| test.c:19:3:19:6 | call to open | Call to open with O_CREAT flag does not pass exactly three arguments. |
+| test.c:23:3:23:6 | call to open | Call to open without O_CREAT flag does not pass exactly two arguments. |
+| test.c:26:3:26:6 | call to open | Call to open with O_CREAT flag does not pass exactly three arguments. |
+| test.c:34:3:34:6 | call to open | Call to open without O_CREAT flag does not pass exactly two arguments. |
+| test.c:35:3:35:6 | call to open | Call to open with O_CREAT flag does not pass exactly three arguments. |

c/cert/test/rules/EXP37-C/CallPOSIXOpenWithCorrectArgumentCount.qlref

@@ -0,0 +1 @@
+rules/EXP37-C/CallPOSIXOpenWithCorrectArgumentCount.ql