[CPP-340] When warning about mismatched parameters, follow what C

zlaski-semmle · zlaski-semmle · commit cb5bbd219764 · 2019-03-29T20:19:45.000-07:00
compilers do.  Various integral and floating-point types
          are treated as mutually implicitly convertible.  Remaining
          warnings deal with misuse of pointer and array types.
diff --git a/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/MistypedFunctionArguments.c b/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/MistypedFunctionArguments.c
@@ -1,8 +1,7 @@
-void no_argument();
-
 void three_arguments(int x, int y, int z);
 
 void calls() {
-	three_arguments(1, 2, 3); // GOOD
-	three_arguments(1.0f, 2, 3.0f); // BAD: arguments 1 and 3 do not match parameters
+	int three = 3;
+	three_arguments(1, 2, three); // GOOD
+	three_arguments(1, 2, &three); // BAD
 }
diff --git a/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/MistypedFunctionArguments.o b/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/MistypedFunctionArguments.o
diff --git a/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/MistypedFunctionArguments.ql b/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/MistypedFunctionArguments.ql
@@ -14,89 +14,55 @@
 
 import cpp
 
-predicate argTypeMayBePromoted(Type arg, Type parm) {
+pragma[inline]
+predicate argTypeMayBeImplicitlyConverted(Type arg, Type parm) {
   arg = parm
   or
-  // floating-point and integral promotions
-  arg instanceof FloatType and parm instanceof DoubleType
-  or
-  arg instanceof FloatType and parm instanceof LongDoubleType
-  or
-  arg instanceof DoubleType and parm instanceof LongDoubleType
-  or
-  arg instanceof CharType and parm instanceof IntType
-  or
-  arg instanceof CharType and parm instanceof IntType
-  or
-  arg instanceof CharType and parm instanceof LongType
-  or
-  arg instanceof CharType and parm instanceof LongLongType
-  or
-  arg instanceof ShortType and parm instanceof IntType
-  or
-  arg instanceof ShortType and parm instanceof LongType
-  or
-  arg instanceof ShortType and parm instanceof LongLongType
-  or
-  arg instanceof IntType and parm instanceof LongType
-  or
-  arg instanceof IntType and parm instanceof LongLongType
+  // integral and floating-point types are implicitly convertible in C
+  arg instanceof ArithmeticType and parm instanceof ArithmeticType
   or
-  arg instanceof LongType and parm instanceof LongLongType
+  // integral values may be used to initialize pointers (but NOT array addresses)
+  arg instanceof IntegralType and parm instanceof PointerType
   or
-  arg instanceof Enum and parm instanceof IntType
+  // pointers-to-void may be used for arbitrary pointers
+  arg instanceof VoidPointerType and parm instanceof PointerType
   or
-  arg instanceof Enum and parm instanceof LongType
+  arg instanceof PointerType and parm instanceof VoidPointerType
   or
-  arg instanceof Enum and parm instanceof LongLongType
+  arg instanceof ArrayType and parm instanceof VoidPointerType
   or
-  // enums are usually sized as ints
-  arg instanceof IntType and parm instanceof Enum
+  arg instanceof VoidPointerType and parm instanceof ArrayType
   or
-  // pointer types
+  // pointers to same types
   arg.(PointerType).getBaseType().getUnspecifiedType() = parm
-        .getUnspecifiedType()
         .(PointerType)
         .getBaseType()
         .getUnspecifiedType()
   or
-  // void * parameters accept arbitrary pointer arguments
-  arg instanceof PointerType and
-  parm.(PointerType).getBaseType().getUnspecifiedType() instanceof VoidType
-  or
-  // handle reference types
-  argTypeMayBePromoted(arg.(ReferenceType).getBaseType().getUnspecifiedType(), parm)
-  or
-  argTypeMayBePromoted(arg, parm.(ReferenceType).getBaseType().getUnspecifiedType())
+  arg.(ArrayType).getBaseType().getUnspecifiedType() = parm
+        .(PointerType)
+        .getBaseType()
+        .getUnspecifiedType()
   or
-  // array-to-pointer decay
-  argTypeMayBePromoted(arg.(ArrayType).getBaseType().getUnspecifiedType(),
-    parm.(PointerType).getBaseType().getUnspecifiedType())
+  arg.(PointerType).getBaseType().getUnspecifiedType() = parm
+        .(ArrayType)
+        .getBaseType()
+        .getUnspecifiedType()
   or
-  // pointer-to-array promotion (C99)
-  argTypeMayBePromoted(arg.(PointerType).getBaseType().getUnspecifiedType(),
-    parm.(ArrayType).getBaseType().getUnspecifiedType())
+  arg.(ArrayType).getBaseType().getUnspecifiedType() = parm
+        .(ArrayType)
+        .getBaseType()
+        .getUnspecifiedType()
 }
 
 // This predicate doesn't necessarily have to exist, but if it does exist
 // then it must be inline to make sure we don't enumerate all pairs of
 // compatible types.
 // Its body could also just be hand-inlined where it's used.
 pragma[inline]
-predicate argMayBePromoted(Expr arg, Parameter parm) {
-  argTypeMayBePromoted(arg.getExplicitlyConverted().getType().getUnspecifiedType(),
+predicate argMayBeImplicitlyConverted(Expr arg, Parameter parm) {
+  argTypeMayBeImplicitlyConverted(arg.getFullyConverted().getType().getUnspecifiedType(),
     parm.getType().getUnspecifiedType())
-  or
-  // The value 0 is often passed in to indicate NULL, or to initialize an arbitrary integer type.
-  // we will allow all literal values for simplicity.  Pointer parameters are sometime passed
-  // special-case literals such as -1, -2, etc.
-  arg.(Literal).getType() instanceof IntegralType and
-  (
-    parm.getType().getUnspecifiedType() instanceof PointerType
-    or
-    parm.getType().getUnspecifiedType() instanceof IntegralType and
-    arg.(Literal).getType().getSize() <= parm.getType().getUnspecifiedType().getSize()
-  )
 }
 
 from FunctionCall fc, Function f, Parameter p
@@ -110,8 +76,7 @@ where
     fde.getNumberOfParameters() = 0
   ) and
   // Parameter p and its corresponding call argument must have mismatched types
-  not argMayBePromoted(fc.getArgument(p.getIndex()), p)
+  not argMayBeImplicitlyConverted(fc.getArgument(p.getIndex()), p)
 select fc, "Calling $@: argument $@ of type $@ is incompatible with parameter $@.", f, f.toString(),
-  fc.getArgument(p.getIndex()), fc.getArgument(p.getIndex()).toString(),
-  fc.getArgument(p.getIndex()).getType(), fc.getArgument(p.getIndex()).getType().toString(), p,
-  p.getTypedName()
+  fc.getArgument(p.getIndex()) as arg, arg.toString(), arg.getFullyConverted().getType() as type,
+  type.toString(), p, p.getTypedName()
diff --git a/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/MistypedFunctionArguments.s b/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/MistypedFunctionArguments.s
@@ -0,0 +1 @@
+	.file	"MistypedFunctionArguments.c"
diff --git a/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/TooFewArguments.ql b/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/TooFewArguments.ql
@@ -7,7 +7,7 @@
  * @kind problem
  * @problem.severity error
  * @precision very-high
- * @id cpp/too-few-arguments
+ * @id cpp/futile-params
  * @tags correctness
  *       maintainability
  *       security
diff --git a/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/TooManyArguments.c b/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/TooManyArguments.c
@@ -1,9 +1,10 @@
-
-void one_argument(int x);
+void one_argument();
 
 void calls() {
 	
 	one_argument(1); // GOOD: `one_argument` will accept and use the argument
 	
 	one_argument(1, 2); // BAD: `one_argument` will use the first argument but ignore the second
 }
+
+void one_argument(int x);
diff --git a/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/TooManyArguments.qhelp b/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/TooManyArguments.qhelp
@@ -25,6 +25,6 @@
 </example>
 
 <references>
-<li>SEI CERT C++ Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL20-C.+Explicitly+specify+void+when+a+function+accepts+no+arguments"> DCL20-C. Explicitly specify void when a function accepts no arguments </a></li>
+<li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL20-C.+Explicitly+specify+void+when+a+function+accepts+no+arguments"> DCL20-C. Explicitly specify void when a function accepts no arguments </a></li>
 </references>
 </qhelp>
diff --git a/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/tests.c b/cpp/ql/src/Likely Bugs/UnderspecifiedFunctions/tests.c
@@ -0,0 +1,33 @@
+//void three_arguments();
+void three_arguments(int x, char y, int *z);
+void pointer_arguments(float *x, void *y, int **z);
+void array_argument(int arr[6]);
+void array_argument2(char arr[6]);
+int var;
+void *pv;
+double  d = 3732.70e13L;
+extern unsigned long long *ull;
+
+extern void *a[3];
+
+void calls() {
+	three_arguments(*ull, 2, &var); // BAD: arguments 1 and 3 do not match parameters
+	three_arguments(&ull, 2, &var); // BAD: arguments 1 and 3 do not match parameters
+	three_arguments(&var, 2, &var); // BAD: arguments 1 and 3 do not match parameters
+	three_arguments(var, 2, 3.0f); // BAD: arguments 1 and 3 do not match parameters
+
+	pointer_arguments(20, 0, 0);   // BAD
+	pointer_arguments(pv, &var, &pv);  // GOOD
+	pointer_arguments(&pv, &var, pv);  // BAD
+	pointer_arguments(&var, a, &pv);  // BAD
+	pointer_arguments(&var, &pv, a);  // BAD
+
+	array_argument(&var);
+	array_argument(pv);
+	array_argument(10);
+	array_argument("Hello");
+
+	array_argument2("Hello");
+
+}
+
diff --git a/cpp/ql/test/query-tests/Likely Bugs/UnderspecifiedFunctions/MistypedFunctionArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/UnderspecifiedFunctions/MistypedFunctionArguments.expected
@@ -1,4 +1,7 @@
-| test.c:23:3:23:29 | call to declared_empty_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:32:6:32:32 | declared_empty_defined_with | declared_empty_defined_with | test.c:23:31:23:32 | & ... | & ... | file://:0:0:0:0 | int * | int * | test.c:32:38:32:38 | x | int x |
-| test.c:24:3:24:29 | call to declared_empty_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:32:6:32:32 | declared_empty_defined_with | declared_empty_defined_with | test.c:24:31:24:34 | 3.0 | 3.0 | file://:0:0:0:0 | float | float | test.c:32:38:32:38 | x | int x |
-| test.c:26:3:26:27 | call to not_declared_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:35:6:35:30 | not_declared_defined_with | not_declared_defined_with | test.c:26:29:26:31 | 1.0 | 1.0 | file://:0:0:0:0 | double | double | test.c:35:36:35:36 | x | int x |
-| test.c:27:3:27:27 | call to not_declared_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:35:6:35:30 | not_declared_defined_with | not_declared_defined_with | test.c:27:29:27:31 | 4 | 4 | file://:0:0:0:0 | long long | long long | test.c:35:36:35:36 | x | int x |
+| test.c:25:3:25:19 | call to not_yet_declared2 | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:24:3:24:3 | not_yet_declared2 | not_yet_declared2 | test.c:25:21:25:22 | ca | ca | file://:0:0:0:0 | int * | int * | test.c:45:24:45:26 | p#0 | int p#0 |
+| test.c:25:3:25:19 | call to not_yet_declared2 | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:45:6:45:22 | not_yet_declared2 | not_yet_declared2 | test.c:25:21:25:22 | ca | ca | file://:0:0:0:0 | int * | int * | test.c:45:24:45:26 | p#0 | int p#0 |
+| test.c:32:3:32:29 | call to declared_empty_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:46:6:46:32 | declared_empty_defined_with | declared_empty_defined_with | test.c:32:31:32:32 | & ... | & ... | file://:0:0:0:0 | int * | int * | test.c:46:38:46:38 | x | int x |
+| test.c:39:3:39:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:5:6:5:27 | declared_with_pointers | declared_with_pointers | test.c:39:26:39:31 | 3500000000000000.0 | 3500000000000000.0 | file://:0:0:0:0 | double | double | test.c:61:34:61:34 | x | int * x |
+| test.c:39:3:39:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:61:6:61:27 | declared_with_pointers | declared_with_pointers | test.c:39:26:39:31 | 3500000000000000.0 | 3500000000000000.0 | file://:0:0:0:0 | double | double | test.c:61:34:61:34 | x | int * x |
+| test.c:41:3:41:21 | call to declared_with_array | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:6:6:6:24 | declared_with_array | declared_with_array | test.c:41:23:41:24 | & ... | & ... | file://:0:0:0:0 | int * | int * | test.c:62:31:62:31 | a | char[6] a |
+| test.c:41:3:41:21 | call to declared_with_array | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:62:6:62:24 | declared_with_array | declared_with_array | test.c:41:23:41:24 | & ... | & ... | file://:0:0:0:0 | int * | int * | test.c:62:31:62:31 | a | char[6] a |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/UnderspecifiedFunctions/TooFewArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/UnderspecifiedFunctions/TooFewArguments.expected
@@ -1,3 +1,4 @@
-| test.c:17:3:17:19 | call to not_yet_declared2 | This call has fewer arguments than required by $@. | test.c:16:3:16:3 | not_yet_declared2 | not_yet_declared2 |
-| test.c:17:3:17:19 | call to not_yet_declared2 | This call has fewer arguments than required by $@. | test.c:31:6:31:22 | not_yet_declared2 | not_yet_declared2 |
-| test.c:19:3:19:29 | call to declared_empty_defined_with | This call has fewer arguments than required by $@. | test.c:32:6:32:32 | declared_empty_defined_with | declared_empty_defined_with |
+| test.c:26:3:26:19 | call to not_yet_declared2 | This call has fewer arguments than required by $@. | test.c:24:3:24:3 | not_yet_declared2 | not_yet_declared2 |
+| test.c:26:3:26:19 | call to not_yet_declared2 | This call has fewer arguments than required by $@. | test.c:45:6:45:22 | not_yet_declared2 | not_yet_declared2 |
+| test.c:28:3:28:29 | call to declared_empty_defined_with | This call has fewer arguments than required by $@. | test.c:46:6:46:32 | declared_empty_defined_with | declared_empty_defined_with |
+| test.c:56:10:56:20 | call to dereference | This call has fewer arguments than required by $@. | test.c:59:5:59:15 | dereference | dereference |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/UnderspecifiedFunctions/TooManyArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/UnderspecifiedFunctions/TooManyArguments.expected
@@ -1,5 +1,5 @@
-| test.c:8:3:8:16 | call to declared_empty | This call has more arguments than required by $@. | test.c:1:6:1:19 | declared_empty | declared_empty |
-| test.c:13:3:13:12 | call to undeclared | This call has more arguments than required by $@. | test.c:12:3:12:3 | undeclared | undeclared |
-| test.c:15:3:15:19 | call to not_yet_declared1 | This call has more arguments than required by $@. | test.c:15:3:15:3 | not_yet_declared1 | not_yet_declared1 |
-| test.c:15:3:15:19 | call to not_yet_declared1 | This call has more arguments than required by $@. | test.c:30:6:30:22 | not_yet_declared1 | not_yet_declared1 |
-| test.c:24:3:24:29 | call to declared_empty_defined_with | This call has more arguments than required by $@. | test.c:32:6:32:32 | declared_empty_defined_with | declared_empty_defined_with |
+| test.c:16:3:16:16 | call to declared_empty | This call has more arguments than required by $@. | test.c:1:6:1:19 | declared_empty | declared_empty |
+| test.c:21:3:21:12 | call to undeclared | This call has more arguments than required by $@. | test.c:20:3:20:3 | undeclared | undeclared |
+| test.c:23:3:23:19 | call to not_yet_declared1 | This call has more arguments than required by $@. | test.c:23:3:23:3 | not_yet_declared1 | not_yet_declared1 |
+| test.c:23:3:23:19 | call to not_yet_declared1 | This call has more arguments than required by $@. | test.c:44:6:44:22 | not_yet_declared1 | not_yet_declared1 |
+| test.c:33:3:33:29 | call to declared_empty_defined_with | This call has more arguments than required by $@. | test.c:46:6:46:32 | declared_empty_defined_with | declared_empty_defined_with |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/UnderspecifiedFunctions/test.c b/cpp/ql/test/query-tests/Likely Bugs/UnderspecifiedFunctions/test.c
@@ -2,6 +2,14 @@ void declared_empty();
 void declared_void(void);
 void declared_with(int);
 void declared_empty_defined_with();
+void declared_with_pointers();
+void declared_with_array();
+
+struct _s { int a, b; } s;
+
+int ca[4] = { 1, 2, 3, 4 };
+
+void *pv;
 
 void test() {
   declared_empty(); // GOOD
@@ -14,17 +22,23 @@ void test() {
   
   not_yet_declared1(1); // BAD
   not_yet_declared2(1); // GOOD
+  not_yet_declared2(ca); // BAD
   not_yet_declared2(); // BAD
 
   declared_empty_defined_with(); // BAD
   declared_empty_defined_with(1); // GOOD
 
   int x;
-  declared_empty_defined_with(&x); // GOOD (type mismatch)
-  declared_empty_defined_with(3.0f, &x); // BAD (type mismatch)
+  declared_empty_defined_with(&x); // BAD
+  declared_empty_defined_with(3.0f, &x); // BAD
 
-  not_declared_defined_with(1.0, 0, 2U); // GOOD (type mismatch)
-  not_declared_defined_with(4LL, 0, 2); // GOOD (type mismatch)
+  not_declared_defined_with(1.0, 0, 2U); // GOOD
+  not_declared_defined_with(4LL, 0, 2.5e9); // GOOD
+
+  declared_with_pointers(pv, ca); // GOOD
+  declared_with_pointers(3.5e15, 0); // BAD
+  declared_with_array("Hello"); // GOOD
+  declared_with_array(&x); // BAD
 }
 
 void not_yet_declared1();
@@ -35,3 +49,15 @@ void declared_empty_defined_with(int x) {
 void not_declared_defined_with(int x, int y, int z) {
   return;
 }
+
+int dereference();
+
+int caller(void) {
+  return dereference(); // BAD
+}
+
+int dereference(int *x) { return *x; }
+
+void declared_with_pointers(int *x, void *y);
+void declared_with_array(char a [6]);
+
