Merge pull request #821 from geoffw0/query-tags-case

CPP: Improve ArrayArgSizeMismatch.ql

Author: jbj

change-notes/1.20/analysis-cpp.md

@@ -10,11 +10,13 @@
 |-----------------------------|-----------|--------------------------------------------------------------------|
 | Use of string copy function in a condition (`cpp/string-copy-return-value-as-boolean`) | correctness | This query identifies calls to string copy functions used in conditions, where it's likely that a different function was intended to be called. |
 | Lossy function result cast (`cpp/lossy-function-result-cast`) | correctness | Finds function calls whose result type is a floating point type, which are implicitly cast to an integral type.  Newly available but not displayed by default on LGTM. |
+| Array argument size mismatch (`cpp/array-arg-size-mismatch`) | reliability | Finds function calls where the size of an array being passed is smaller than the array size of the declared parameter.  Newly displayed on LGTM. |
 
 ## Changes to existing queries
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
+| Array argument size mismatch (`cpp/array-arg-size-mismatch`) | Fewer false positives | An exception has been added to this query for variable sized arrays. |
 | Suspicious add with sizeof (`cpp/suspicious-add-sizeof`) | Fewer false positives | Pointer arithmetic on `char * const` expressions (and other variations of `char *`) are now correctly excluded from the results. |
 | Suspicious pointer scaling (`cpp/suspicious-pointer-scaling`) | Fewer false positives | False positives involving types that are not uniquely named in the snapshot have been fixed. |
 | Call to memory access function may overflow buffer (`cpp/overflow-buffer`) | More correct results | Calls to `fread` are now examined by this query. |

cpp/ql/src/Likely Bugs/Conversion/ArrayArgSizeMismatch.ql

@@ -5,9 +5,11 @@
  * @kind problem
  * @id cpp/array-arg-size-mismatch
  * @problem.severity warning
+ * @precision high
  * @tags reliability
  */
 import cpp
+import semmle.code.cpp.commons.Buffer
 
 from Function f, FunctionCall c, int i, ArrayType argType, ArrayType paramType, int a, int b
 where f = c.getTarget() and
@@ -17,6 +19,7 @@ where f = c.getTarget() and
         b = paramType.getArraySize() and
         argType.getBaseType().getSize() = paramType.getBaseType().getSize() and
         a < b and
+        not memberMayBeVarSize(_, c.getArgument(i).(VariableAccess).getTarget()) and
         // filter out results for inconsistent declarations
         strictcount(f.getParameter(i).getType().getSize()) = 1
 select c.getArgument(i), "Array of size " + a +

cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.expected

@@ -0,0 +1 @@
+| test.cpp:24:4:24:7 | arr3 | Array of size 3 passed to $@ which expects an array of size 4. | test.cpp:8:6:8:6 | g | g |

cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.qlref

@@ -0,0 +1 @@
+Likely Bugs/Conversion/ArrayArgSizeMismatch.ql

cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/test.cpp

@@ -0,0 +1,49 @@
+
+typedef unsigned long size_t;
+void *malloc(size_t size);
+
+#define NUM (4)
+
+void f(int *vs);
+void g(int vs[4]);
+void h(float fs[NUM]);
+
+struct myStruct
+{
+	unsigned int num;
+	float data[0];
+};
+
+void test(float f3[3], float f4[4], float f5[5], float *fp)
+{
+	int arr3[3], arr4[4], arr5[5];
+
+	f(arr3); // GOOD
+	f(arr4); // GOOD
+	f(arr5); // GOOD
+	g(arr3); // BAD
+	g(arr4); // GOOD
+	g(arr5); // GOOD
+
+	h(f3); // BAD [NOT DETECTED]
+	h(f4); // GOOD
+	h(f5); // GOOD
+	h(fp); // GOOD
+
+	{
+		// variable size struct
+		myStruct *ms;
+
+		ms = (myStruct *)malloc(sizeof(myStruct) + (4 * sizeof(float)));
+		ms->num  = 4;
+		ms->data[0] = ms->data[1] = ms->data[2] = ms->data[3] = 0;
+		h(ms->data); // GOOD
+	}
+	
+	{
+		// char array
+		char ca[4 * sizeof(int)];
+		
+		g((int *)ca); // GOOD
+	}
+};