Refine into path-problem

jeongsoolee09 · jeongsoolee09 · commit 5ea652b101b0 · 2026-01-20T19:05:34.000-05:00
diff --git a/cpp/misra/src/rules/RULE-8-7-1/PointerArithmeticFormsAnInvalidPointer.ql b/cpp/misra/src/rules/RULE-8-7-1/PointerArithmeticFormsAnInvalidPointer.ql
@@ -3,7 +3,7 @@
  * @name RULE-8-7-1: Pointer arithmetic shall not form an invalid pointer.
  * @description Pointers obtained as result of performing arithmetic should point to an initialized
  *              object, or an element right next to the last element of an array.
- * @kind problem
+ * @kind path-problem
  * @precision very-high
  * @problem.severity error
  * @tags external/misra/id/rule-8-7-1
@@ -14,7 +14,7 @@
 
 import cpp
 import codingstandards.cpp.misra
-import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.dataflow.new.TaintTracking
 import semmle.code.cpp.security.BufferAccess
 
 class ArrayDeclaration extends VariableDeclarationEntry {
@@ -135,14 +135,11 @@ class PointerFormation extends TPointerFormation {
   }
 
   Expr asExpr() {
-    result = this.asArrayExpr() or
+    result = this.asArrayExpr() or // This needs to be array base, as we are only dealing with pointers here.
     result = this.asPointerArithmetic()
   }
 
-  DataFlow::Node getNode() {
-    result.asExpr() = this.asExpr() or
-    result.asIndirectExpr() = this.asExpr()
-  }
+  DataFlow::Node getNode() { result.asExpr() = this.asExpr() }
 
   Location getLocation() {
     result = this.asArrayExpr().getLocation() or
@@ -160,40 +157,31 @@ module TrackArrayConfig implements DataFlow::ConfigSig {
   }
 }
 
-import semmle.code.cpp.dataflow.new.TaintTracking
 module TrackArray = TaintTracking::Global<TrackArrayConfig>;
 
-private predicate arrayDeclarationAndAccess(
-  DataFlow::Node arrayDeclarationNode, DataFlow::Node pointerFormationNode
-) {
-  TrackArray::flow(arrayDeclarationNode, pointerFormationNode)
-}
-
 private predicate arrayIndexExceedsOutOfBounds(
   DataFlow::Node arrayDeclarationNode, DataFlow::Node pointerFormationNode
 ) {
   /* 1. Ensure the array access is reachable from the array declaration. */
-  arrayDeclarationAndAccess(arrayDeclarationNode, pointerFormationNode) and
+  TrackArray::flow(arrayDeclarationNode, pointerFormationNode) and
+  /* 2. Cases where a pointer formation becomes illegal. */
   exists(ArrayAllocation arrayAllocation, PointerFormation pointerFormation |
-    arrayDeclarationNode.asExpr() = arrayAllocation.asStackAllocation().getInitExpr() and
+    arrayDeclarationNode = arrayAllocation.getNode() and
     pointerFormationNode = pointerFormation.getNode()
   |
-    /* 2. Cases where a pointer formation becomes illegal. */
-    (
-      /* 2-1. An offset cannot be negative. */
-      pointerFormation.getOffset() < 0
-      or
-      /* 2-2. The offset should be at most (number of elements) + 1 = (the declared length). */
-      arrayAllocation.getLength() < pointerFormation.getOffset()
-    )
+    /* 2-1. An offset cannot be negative. */
+    pointerFormation.getOffset() < 0
+    or
+    /* 2-2. The offset should be at most (number of elements) + 1 = (the declared length). */
+    arrayAllocation.getLength() < pointerFormation.getOffset()
   )
 }
 
-from PointerFormation pointerFormation
+import TrackArray::PathGraph
+
+from TrackArray::PathNode source, TrackArray::PathNode sink
 where
-  not isExcluded(pointerFormation.asExpr(),
+  not isExcluded(sink.getNode().asExpr(),
     Memory1Package::pointerArithmeticFormsAnInvalidPointerQuery()) and
-  exists(DataFlow::Node pointerFormationNode | pointerFormationNode = pointerFormation.getNode() |
-    arrayIndexExceedsOutOfBounds(_, pointerFormationNode)
-  )
-select pointerFormation, "TODO"
+  arrayIndexExceedsOutOfBounds(source.getNode(), sink.getNode())
+select sink, source, sink, "TODO"
diff --git a/cpp/misra/test/rules/RULE-8-7-1/test.cpp b/cpp/misra/test/rules/RULE-8-7-1/test.cpp
@@ -1,6 +1,6 @@
 #include <cstdlib>
 
-void f1(int *array) {
+void stack_allocation_pointer_arithmetic(int *array) {
   /* 1. Pointer formed from performing arithmetic */
   int *valid1 = array;     // COMPLIANT: pointer is within boundary
   int *valid2 = array + 1; // COMPLIANT: pointer is within boundary
@@ -13,7 +13,7 @@ void f1(int *array) {
   int *invalid2 = array - 1; // NON_COMPLIANT: pointer is outside boundary
 }
 
-void f2(int *array) {
+void stack_allocation_array_access(int *array) {
   /* 2. Array Access (entails pointer arithmetic) */
   int valid1 = array[0];   // COMPLIANT: pointer is within boundary
   int valid2 = array[1];   // COMPLIANT: pointer is within boundary
@@ -25,37 +25,103 @@ void f2(int *array) {
   int invalid2 = array[-1]; // NON_COMPLIANT: pointer is outside boundary
 }
 
-void f1_realloc(int *array) {
+void malloc_pointer_arithmetic(int *array) { // [1, 4]
   /* 1. Pointer formed from performing arithmetic */
-  int *valid1 = array;     // COMPLIANT: pointer is within boundary
-  int *valid2 = array + 1; // COMPLIANT: pointer is within boundary
-  int *valid3 = array + 2; // COMPLIANT: pointer is within boundary
-  int *valid4 =
-      array + 3; // COMPLIANT: pointer points one beyond the last element
-  int *invalid1 =
-      array +
-      4; // NON_COMPLIANT: pointer points more than one beyond the last element
+  int *valid1 = array; // COMPLIANT: pointer is within boundary (lower bound: 1)
+  int *valid2 = array + 1; // COMPLIANT: pointer points more than one beyond the
+                           // last element (lower bound: 1)
+  int *valid3 = array + 2; // NON_COMPLIANT: pointer points more than one beyond
+                           // the last element (lower bound: 1)
+  int *valid4 = array + 3; // NON_COMPLIANT: pointer points more than one beyond
+                           // the last element (lower bound: 1)
+  int *invalid1 = array + 4; // NON_COMPLIANT: pointer points more than one
+                             // beyond the last element (lower bound: 1)
+  int *invalid2 = array + 5; // NON_COMPLIANT: pointer points more than one
+                             // beyond the last element (lower bound: 1)
+  int *invalid3 = array - 1; // NON_COMPLIANT: pointer is outside boundary
+}
+
+void malloc_array_access(int *array) { // [1, 4]
+  /* 2. Array Access (entails pointer arithmetic) */
+  int valid1 =
+      array[0]; // COMPLIANT: pointer is within boundary (lower bound: 1)
+  int valid2 = array[1]; // COMPLIANT: pointer points more than one beyond the
+                         // last element, but non-compliant to Rule 4.1.3 (lower
+                         // bound: 1)
+  int valid3 = array[2]; // NON_COMPLIANT: pointer points more than one beyond
+                         // the last element (lower bound: 1)
+  int valid4 = array[3]; // NON_COMPLIANT: pointer points more than one beyond
+                         // the last element (lower bound: 1)
+  int invalid1 = array[4]; // NON_COMPLIANT: pointer points more than one beyond
+                           // the last element (lower bound: 1)
+  int invalid2 = array[-1]; // NON_COMPLIANT: pointer is outside boundary
+}
+
+void calloc_pointer_arithmetic(int *array) { // [2, 5]
+  /* 1. Pointer formed from performing arithmetic */
+  int *valid1 = array; // COMPLIANT: pointer is within boundary (lower bound: 2)
+  int *valid2 =
+      array + 1; // COMPLIANT: pointer is within boundary (lower bound: 2)
+  int *valid3 = array + 2; // COMPLIANT: pointer points more than one beyond the
+                           // last element, but non-compliant to Rule 4.1.3
+                           // (lower bound: 2)
+  int *valid4 = array + 3; // NON_COMPLIANT: pointer points more than one beyond
+                           // the last element (lower bound: 2)
+  int *invalid1 = array + 4; // NON_COMPLIANT: pointer points more than one
+                             // beyond the last element (lower bound: 2)
   int *invalid2 = array - 1; // NON_COMPLIANT: pointer is outside boundary
 }
 
-void f2_realloc(int *array) {
+void calloc_array_access(int *array) { // [2, 5]
   /* 2. Array Access (entails pointer arithmetic) */
   int valid1 = array[0];   // COMPLIANT: pointer is within boundary
   int valid2 = array[1];   // COMPLIANT: pointer is within boundary
-  int valid3 = array[2];   // COMPLIANT: pointer points one beyond the last
-  int invalid1 = array[3]; // NON_COMPLIANT: pointer points one beyond the last
-                           // element, but non-compliant to Rule 4.1.3
-  int invalid2 = array[4]; // NON_COMPLIANT: pointer points more than one beyond
-                           // the last element
-  int invalid3 = array[-1]; // NON_COMPLIANT: pointer is outside boundary
+  int valid3 = array[2];   // COMPLIANT: pointer points more than one beyond the
+                           // last element, but non-compliant to Rule 4.1.3
+                           // (lower bound: 2)
+  int valid4 = array[3];   // NON_COMPLIANT: pointer points more than one beyond
+                           // the last element (lower bound: 2)
+  int invalid1 = array[4]; // NON_COMPLIANT: pointer points more than one
+                           // beyond the last element (lower bound: 2)
+  int invalid2 = array[-1]; // NON_COMPLIANT: pointer is outside boundary
+}
+
+void realloc_pointer_arithmetic(int *array) { // [3, 6]
+  /* 1. Pointer formed from performing arithmetic */
+  int *valid1 = array; // COMPLIANT: pointer is within boundary (lower bound: 3)
+  int *valid2 =
+      array + 1; // COMPLIANT: pointer is within boundary (lower bound: 3)
+  int *valid3 =
+      array + 2; // COMPLIANT: pointer is within boundary (lower bound: 3)
+  int *valid4 = array + 3;   // COMPLIANT: pointer points one beyond the last
+                             // element (lower bound: 3)
+  int *invalid1 = array + 4; // NON_COMPLIANT: pointer points more than one
+                             // beyond the last element (lower bound: 3)
+  int *invalid2 = array - 1; // NON_COMPLIANT: pointer is outside boundary
+}
+
+void realloc_array_access(int *array) { // [3, 6]
+  /* 2. Array Access (entails pointer arithmetic) */
+  int valid1 =
+      array[0]; // COMPLIANT: pointer is within boundary (lower bound: 3)
+  int valid2 =
+      array[1]; // COMPLIANT: pointer is within boundary (lower bound: 3)
+  int valid3 =
+      array[2]; // COMPLIANT: pointer is within boundary (lower bound: 3)
+  int valid4 =
+      array[3]; // COMPLIANT: pointer points one beyond the last
+                // element, but non-compliant to Rule 4.1.3 (lower bound: 3)
+  int invalid1 = array[4]; // NON_COMPLIANT: pointer points more than one beyond
+                           // the last element (lower bound: 3)
+  int invalid2 = array[-1]; // NON_COMPLIANT: pointer is outside boundary
 }
 
 int main(int argc, char *argv[]) {
   /* 1. Array initialized on the stack */
   int array[3] = {0, 1, 2};
 
-  f1(array);
-  f2(array);
+  stack_allocation_pointer_arithmetic(array);
+  stack_allocation_array_access(array);
 
   /* 2. Array initialized on the heap */
   int num_of_elements_malloc;
@@ -78,14 +144,14 @@ int main(int argc, char *argv[]) {
   int *array_realloc =
       (int *)realloc(array_malloc, num_of_elements_realloc * sizeof(int));
 
-  f1(array_malloc);
-  f2(array_malloc);
+  malloc_pointer_arithmetic(array_malloc);
+  malloc_array_access(array_malloc);
 
-  f1(array_calloc);
-  f2(array_calloc);
+  calloc_pointer_arithmetic(array_calloc);
+  calloc_array_access(array_calloc);
 
-  f1_realloc(array_realloc);
-  f2_realloc(array_realloc);
+  realloc_pointer_arithmetic(array_realloc);
+  realloc_array_access(array_realloc);
 
   return 0;
 }
