Restrict ARR30-C to reduce FPs and fix performance

Nikita Kraiouchkine · Nikita Kraiouchkine · commit a8c7dc36e0ec · 2023-04-07T03:51:26.000+02:00
diff --git a/c/cert/src/rules/ARR30-C/DoNotFormOutOfBoundsPointersOrArraySubscripts.ql b/c/cert/src/rules/ARR30-C/DoNotFormOutOfBoundsPointersOrArraySubscripts.ql
@@ -21,6 +21,15 @@
    string message
  where
    not isExcluded(ba, OutOfBoundsPackage::doNotFormOutOfBoundsPointersOrArraySubscriptsQuery()) and
+   // exclude loops
+   not exists(Loop loop | loop.getStmt().getChildStmt*() = ba.getEnclosingStmt()) and
+   // exclude size arguments that are of type ssize_t
+   not sizeArg.getAChild*().(VariableAccess).getTarget().getType() instanceof Ssize_t and
+   // exclude size arguments that are assigned the result of a function call e.g. ftell
+   not sizeArg.getAChild*().(VariableAccess).getTarget().getAnAssignedValue() instanceof FunctionCall and
+   // exclude field or array accesses for the size arguments
+   not sizeArg.getAChild*() instanceof FieldAccess and
+   not sizeArg.getAChild*() instanceof ArrayExpr and
    (
      exists(int sizeArgValue, int bufferArgSize |
       OOB::isSizeArgGreaterThanBufferSize(bufferArg, sizeArg, bufferSource, bufferArgSize, sizeArgValue, ba) and
@@ -33,7 +42,7 @@
        OOB::isSizeArgNotCheckedLessThanFixedBufferSize(bufferArg, sizeArg, bufferSource,
          bufferArgSize, ba, sizeArgUpperBound, sizeMult) and
        message =
-         "Buffer accesses may access up to offset " + sizeArgUpperBound + "*" + sizeMult +
+         "Buffer may access up to offset " + sizeArgUpperBound + "*" + sizeMult +
            " which is greater than the fixed size " + bufferArgSize + " of the $@."
      )
      or
diff --git a/c/cert/test/rules/ARR30-C/DoNotFormOutOfBoundsPointersOrArraySubscripts.expected b/c/cert/test/rules/ARR30-C/DoNotFormOutOfBoundsPointersOrArraySubscripts.expected
@@ -2,7 +2,7 @@
 | test.c:16:3:16:13 | ... + ... | Buffer access may be to a negative index in the buffer. | test.c:16:3:16:5 | arr | buffer |
 | test.c:21:5:21:15 | ... + ... | Buffer access may be to a negative index in the buffer. | test.c:21:5:21:7 | arr | buffer |
 | test.c:41:17:41:30 | ... + ... | Buffer access may be to a negative index in the buffer. | test.c:41:17:41:22 | buffer | buffer |
-| test.c:45:17:45:30 | ... + ... | Buffer accesses may access up to offset 101*1 which is greater than the fixed size 100 of the $@. | test.c:45:17:45:22 | buffer | buffer |
+| test.c:45:17:45:30 | ... + ... | Buffer may access up to offset 101*1 which is greater than the fixed size 100 of the $@. | test.c:45:17:45:22 | buffer | buffer |
 | test.c:55:5:55:13 | ... - ... | Buffer access may be to a negative index in the buffer. | test.c:55:5:55:9 | ptr16 | buffer |
 | test.c:57:5:57:14 | ... + ... | Buffer accesses offset 22 which is greater than the fixed size 20 of the $@. | test.c:57:5:57:9 | ptr16 | buffer |
 | test.c:58:5:58:14 | ... - ... | Buffer access may be to a negative index in the buffer. | test.c:58:5:58:9 | ptr16 | buffer |
diff --git a/c/common/src/codingstandards/c/OutOfBounds.qll b/c/common/src/codingstandards/c/OutOfBounds.qll
@@ -606,6 +606,7 @@ module OOB {
     SimpleStringLibraryFunctionCall() { this.getTarget() instanceof SimpleStringLibraryFunction }
   }
 
+  bindingset[dest]
   private Expr getSourceConstantExpr(Expr dest) {
     exists(result.getValue().toInt()) and
     DataFlow::localExprFlow(result, dest)
@@ -639,6 +640,7 @@ module OOB {
    * malloc(sz);
    * ```
    */
+  bindingset[e]
   private int getMinStatedValue(Expr e) {
     result = upperBound(e).minimum(min(getSourceConstantExpr(e).getValue().toInt()))
   }
@@ -647,6 +649,7 @@ module OOB {
    * A class for reasoning about the offset of a variable from the original value flowing to it
    * as a result of arithmetic or pointer arithmetic expressions.
    */
+  bindingset[expr]
   private int getArithmeticOffsetValue(Expr expr, Expr base) {
     result = getMinStatedValue(expr.(PointerArithmeticExpr).getOperand()) and
     base = expr.(PointerArithmeticExpr).getPointer()
@@ -1264,16 +1267,16 @@ module OOB {
       ) and
       (
         // Not a size expression for which we can compute a specific size
-        // and with a lower bound that is less than zero, taking into account offsets
         not sizeExprComputableSize(sizeArg, _, _) and
+        // and with a lower bound that is less than zero, taking into account offsets
         lowerBound(sizeArg) + getArithmeticOffsetValue(bufferArg, _) < 0
         or
         // A size expression for which we can compute a specific size and that size is less than zero
         sizeExprComputableSize(sizeArg, _, _) and
         (
           if isSizeArgPointerSubExprRightOperand(sizeArg)
-          then -getMinStatedValue(sizeArg) + getArithmeticOffsetValue(bufferArg, _) < 0
-          else getMinStatedValue(sizeArg) + getArithmeticOffsetValue(bufferArg, _) < 0
+          then -sizeArg.getValue().toInt() + getArithmeticOffsetValue(bufferArg, _) < 0
+          else sizeArg.getValue().toInt() + getArithmeticOffsetValue(bufferArg, _) < 0
         )
       )
     )
diff --git a/rule_packages/c/OutOfBounds.json b/rule_packages/c/OutOfBounds.json
@@ -9,7 +9,7 @@
           "description": "Forming or using an out-of-bounds pointer is undefined behavior and can result in invalid memory accesses.",
           "kind": "problem",
           "name": "Do not form or use out-of-bounds pointers or array subscripts",
-          "precision": "high",
+          "precision": "medium",
           "severity": "error",
           "short_name": "DoNotFormOutOfBoundsPointersOrArraySubscripts",
           "tags": [
