Address feedback

Author: MichaelRFairhurst

c/misra/src/rules/RULE-21-26/TimedlockOnInappropriateMutexType.ql

@@ -71,4 +71,6 @@ where
   not isExcluded(sink.getNode().asExpr(),
     Concurrency7Package::timedlockOnInappropriateMutexTypeQuery()) and
   Flow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Call to mtx_timedlock with mutex not of type 'mtx_timed'."
+select sink.getNode(), source, sink,
+  "Call to mtx_timedlock with mutex which is $@ without flag 'mtx_timed'.",
+  source.getNode(), "initialized"

c/misra/src/rules/RULE-9-7/UninitializedAtomicObject.ql

@@ -14,6 +14,7 @@
 
 import cpp
 import codingstandards.c.misra
+import codingstandards.cpp.StdFunctionOrMacro
 import semmle.code.cpp.controlflow.Dominance
 
 class ThreadSpawningFunction extends Function {
@@ -29,18 +30,14 @@ class ThreadSpawningFunction extends Function {
   }
 }
 
-class AtomicInitAddressOfExpr extends FunctionCall {
-  Expr addressedExpr;
+private string atomicInit() { result = "atomic_init" }
 
+class AtomicInitAddressOfExpr extends AddressOfExpr {
   AtomicInitAddressOfExpr() {
-    exists(AddressOfExpr addrOf |
-      getArgument(0) = addrOf and
-      addrOf.getOperand() = addressedExpr and
-      getTarget().getName() = "__c11_atomic_init"
+    exists(StdFunctionOrMacro<C11FunctionWrapperMacro, atomicInit/0>::Call c |
+      this = c.getArgument(0)
     )
   }
-
-  Expr getAddressedExpr() { result = addressedExpr }
 }
 
 ControlFlowNode getARequiredInitializationPoint(LocalScopeVariable v) {
@@ -66,9 +63,15 @@ where
   not exists(v.getInitializer()) and
   exists(ControlFlowNode missingInitPoint |
     missingInitPoint = getARequiredInitializationPoint(v) and
+    // Check for `atomic_init(&v)`
     not exists(AtomicInitAddressOfExpr initialization |
-      initialization.getAddressedExpr().(VariableAccess).getTarget() = v and
+      initialization.getOperand().(VariableAccess).getTarget() = v and
       dominates(initialization, missingInitPoint)
+    ) and
+    // Check for `unknown_func(&v)` which may call `atomic_init` on `v`.
+    not exists(FunctionCall fc |
+      fc.getAnArgument().(AddressOfExpr).getOperand().(VariableAccess).getTarget() = v and
+      dominates(fc, missingInitPoint)
     )
   )
 select decl,

c/misra/test/rules/RULE-21-26/TimedlockOnInappropriateMutexType.expected

@@ -35,11 +35,11 @@ nodes
 | test.c:44:15:44:16 | *l3 [m] | semmle.label | *l3 [m] |
 subpaths
 #select
-| test.c:10:43:10:43 | *m | test.c:13:12:13:14 | mtx_init output argument | test.c:10:43:10:43 | *m | Call to mtx_timedlock with mutex not of type 'mtx_timed'. |
-| test.c:10:43:10:43 | *m | test.c:17:12:17:14 | mtx_init output argument | test.c:10:43:10:43 | *m | Call to mtx_timedlock with mutex not of type 'mtx_timed'. |
-| test.c:10:43:10:43 | *m | test.c:30:12:30:14 | mtx_init output argument | test.c:10:43:10:43 | *m | Call to mtx_timedlock with mutex not of type 'mtx_timed'. |
-| test.c:10:43:10:43 | *m | test.c:42:12:42:16 | mtx_init output argument | test.c:10:43:10:43 | *m | Call to mtx_timedlock with mutex not of type 'mtx_timed'. |
-| test.c:14:17:14:19 | *& ... | test.c:13:12:13:14 | mtx_init output argument | test.c:14:17:14:19 | *& ... | Call to mtx_timedlock with mutex not of type 'mtx_timed'. |
-| test.c:18:17:18:19 | *& ... | test.c:17:12:17:14 | mtx_init output argument | test.c:18:17:18:19 | *& ... | Call to mtx_timedlock with mutex not of type 'mtx_timed'. |
-| test.c:31:17:31:19 | *& ... | test.c:30:12:30:14 | mtx_init output argument | test.c:31:17:31:19 | *& ... | Call to mtx_timedlock with mutex not of type 'mtx_timed'. |
-| test.c:43:17:43:21 | *& ... | test.c:42:12:42:16 | mtx_init output argument | test.c:43:17:43:21 | *& ... | Call to mtx_timedlock with mutex not of type 'mtx_timed'. |
+| test.c:10:43:10:43 | *m | test.c:13:12:13:14 | mtx_init output argument | test.c:10:43:10:43 | *m | Call to mtx_timedlock with mutex which is $@ without flag 'mtx_timed'. | test.c:13:12:13:14 | mtx_init output argument | initialized |
+| test.c:10:43:10:43 | *m | test.c:17:12:17:14 | mtx_init output argument | test.c:10:43:10:43 | *m | Call to mtx_timedlock with mutex which is $@ without flag 'mtx_timed'. | test.c:17:12:17:14 | mtx_init output argument | initialized |
+| test.c:10:43:10:43 | *m | test.c:30:12:30:14 | mtx_init output argument | test.c:10:43:10:43 | *m | Call to mtx_timedlock with mutex which is $@ without flag 'mtx_timed'. | test.c:30:12:30:14 | mtx_init output argument | initialized |
+| test.c:10:43:10:43 | *m | test.c:42:12:42:16 | mtx_init output argument | test.c:10:43:10:43 | *m | Call to mtx_timedlock with mutex which is $@ without flag 'mtx_timed'. | test.c:42:12:42:16 | mtx_init output argument | initialized |
+| test.c:14:17:14:19 | *& ... | test.c:13:12:13:14 | mtx_init output argument | test.c:14:17:14:19 | *& ... | Call to mtx_timedlock with mutex which is $@ without flag 'mtx_timed'. | test.c:13:12:13:14 | mtx_init output argument | initialized |
+| test.c:18:17:18:19 | *& ... | test.c:17:12:17:14 | mtx_init output argument | test.c:18:17:18:19 | *& ... | Call to mtx_timedlock with mutex which is $@ without flag 'mtx_timed'. | test.c:17:12:17:14 | mtx_init output argument | initialized |
+| test.c:31:17:31:19 | *& ... | test.c:30:12:30:14 | mtx_init output argument | test.c:31:17:31:19 | *& ... | Call to mtx_timedlock with mutex which is $@ without flag 'mtx_timed'. | test.c:30:12:30:14 | mtx_init output argument | initialized |
+| test.c:43:17:43:21 | *& ... | test.c:42:12:42:16 | mtx_init output argument | test.c:43:17:43:21 | *& ... | Call to mtx_timedlock with mutex which is $@ without flag 'mtx_timed'. | test.c:42:12:42:16 | mtx_init output argument | initialized |

c/misra/test/rules/RULE-9-7/UninitializedAtomicObject.expected

@@ -1,3 +1,4 @@
-| test.c:22:15:22:16 | definition of l3 | Atomic object 'l3' has no initializer or corresponding use of 'atomic_init()'. |
-| test.c:25:15:25:16 | definition of l4 | Atomic object 'l4' has no initializer or corresponding use of 'atomic_init()'. |
-| test.c:29:15:29:16 | definition of l5 | Atomic object 'l5' has no initializer or corresponding use of 'atomic_init()'. |
+| test.c:24:15:24:16 | definition of l3 | Atomic object 'l3' has no initializer or corresponding use of 'atomic_init()'. |
+| test.c:27:15:27:16 | definition of l4 | Atomic object 'l4' has no initializer or corresponding use of 'atomic_init()'. |
+| test.c:31:15:31:16 | definition of l5 | Atomic object 'l5' has no initializer or corresponding use of 'atomic_init()'. |
+| test.c:41:15:41:16 | definition of l7 | Atomic object 'l7' has no initializer or corresponding use of 'atomic_init()'. |

c/misra/test/rules/RULE-9-7/test.c

@@ -11,6 +11,8 @@ void f_starts_thread() {
   thrd_create(&t, f_thread, 0);
 }
 
+void f_may_initialize_argument(void *p1) {}
+
 void main() {
   _Atomic int l1 = 1; // COMPLIANT
   f_starts_thread();
@@ -31,4 +33,14 @@ void main() {
     atomic_init(&l5, 0);
   }
   f_starts_thread();
+
+  _Atomic int l6; // COMPLIANT
+  f_may_initialize_argument(&l6);
+  f_starts_thread();
+
+  _Atomic int l7; // NON_COMPLIANT
+  if (g1 == 0) {
+    f_may_initialize_argument(&l7);
+  }
+  f_starts_thread();
 }

cpp/common/src/codingstandards/cpp/StdFunctionOrMacro.qll

@@ -0,0 +1,111 @@
+/**
+ * This module intends to reduce the difficulty of handling the pattern where implementations
+ * implement a function as a macro: the class `StdFunctionOrMacro<...>::Call` matches both std
+ * function calls as well as std function macro expansions.
+ *
+ * For instance, `atomic_init` may be implemented as a function, but is also implemented as
+ * `#DEFINE atomic_init(x) __c11_atomic_init(x)` on some platforms. This module aids in finding
+ * calls to any standard function which may be a macro, and has predefined behavior for
+ * handling `__c11_*` macros.
+ *
+ * Since a macro can be defined to expand to any expression, we cannot know generally which
+ * expanded expressions in `f(x, y)` correspond to arguments `x` or `y`. To handle this, the
+ * following inference options are available:
+ *  - `NoMacroExpansionInference`: Assume any expression in the macro expansion could correspond to
+ *    any macro argument.
+ *  - `C11FunctionWrapperMacro`: Check if the macro expands to a function call prefixed with
+ *    `__c11_` and if so, return the corresponding argument. Otherwise, fall back to
+ *    `NoMacroExpansionInference`.
+ *  - `InferMacroExpansionArguments`: Implement your own logic for inferring the argument.
+ *
+ * To use this module, pick one of the above inference strategies, and then create a predicate for
+ * the name you wish to match. For instance:
+ *
+ * ```codeql
+ *   private string atomicInit() { result = "atomic_init" }
+ *
+ *   from StdFunctionOrMacro<C11FunctionWrapperMacro, atomicInit/0>::Call c
+ *   select c.getArgument(0)
+ * ```
+ */
+
+import cpp as cpp
+
+/** Specify the name of your function as a predicate */
+signature string getName();
+
+/** Signature module to implement custom argument resolution behavior in expanded macros */
+signature module InferMacroExpansionArguments {
+  bindingset[mi, argumentIdx]
+  cpp::Expr inferArgument(cpp::MacroInvocation mi, int argumentIdx);
+}
+
+/** Assume all subexpressions of an expanded macro may be the result of any ith argument */
+module NoMacroExpansionInference implements InferMacroExpansionArguments {
+  bindingset[mi, argumentIdx]
+  cpp::Expr inferArgument(cpp::MacroInvocation mi, int argumentIdx) {
+    result.getParent*() = mi.getExpr()
+  }
+}
+
+/** Assume macro `f(x, y, ...)` expands to `__c11_f(x, y, ...)`. */
+module C11FunctionWrapperMacro implements InferMacroExpansionArguments {
+  bindingset[mi, argumentIdx]
+  cpp::Expr inferArgument(cpp::MacroInvocation mi, int argumentIdx) {
+    if mi.getExpr().(cpp::FunctionCall).getTarget().hasName("__c11_" + mi.getMacroName())
+    then result = mi.getExpr().(cpp::FunctionCall).getArgument(argumentIdx)
+    else result = NoMacroExpansionInference::inferArgument(mi, argumentIdx)
+  }
+}
+
+/**
+ * A module to find calls to standard functions, or expansions of macros with the same name.
+ *
+ * To use this module, specify a name predicate and an inference strategy for correlating macro
+ * expansions to macro arguments.
+ *
+ * For example:
+ *
+ * ```codeql
+ *   private string atomicInit() { result = "atomic_init" }
+ *   from StdFunctionOrMacro<C11FunctionWrapperMacro, atomicInit/0>::Call c
+ *   select c.getArgument(0)
+ * ```
+ */
+module StdFunctionOrMacro<InferMacroExpansionArguments InferExpansion, getName/0 getStdName> {
+  final private class Expr = cpp::Expr;
+
+  final private class FunctionCall = cpp::FunctionCall;
+
+  final private class MacroInvocation = cpp::MacroInvocation;
+
+  private newtype TStdCall =
+    TStdFunctionCall(FunctionCall fc) { fc.getTarget().hasName(getStdName()) } or
+    TStdMacroInvocation(MacroInvocation mi) { mi.getMacro().hasName(getStdName()) }
+
+  /**
+   * A call to a standard function or an expansion of a macro with the same name.
+   */
+  class Call extends TStdCall {
+    bindingset[this, argumentIdx]
+    Expr getArgument(int argumentIdx) {
+      exists(FunctionCall fc |
+        this = TStdFunctionCall(fc) and
+        result = fc.getArgument(argumentIdx)
+      )
+      or
+      exists(MacroInvocation mi |
+        this = TStdMacroInvocation(mi) and
+        result = InferExpansion::inferArgument(mi, argumentIdx)
+      )
+    }
+
+    string toString() {
+      this = TStdFunctionCall(_) and
+      result = "Standard function call"
+      or
+      this = TStdMacroInvocation(_) and
+      result = "Invocation of a standard function implemented as a macro"
+    }
+  }
+}

rule_packages/c/Concurrency7.json

@@ -15,7 +15,11 @@
           "tags": [
             "concurrency",
             "external/misra/c/2012/amendment4"
-          ]
+          ],
+          "implementation_scope": {
+            "description": "This query tracks which functions may start threads, either indirectly or directly (\"thread spawning functions\"), and checks for local atomic variables that are not passed by address into `atomic_init` or other function calls, before such a thread spawning function is called.",
+            "items": []
+          }
         }
       ],
       "title": "Atomic objects shall be appropriately initialized before being accessed"