Improvements to C28127 port (#93)

* codeql port of code analysis rule C28127 * update query. add to unit test for query * fix query * fix query * fix query * Query improved. Update supporting files * detect all issues in unit tests but detect false positives in internal driver tests * less false positives * query now passes unit tests and internal testing false positives are greatly reduced * add expected sarif * improve query to also check parameters match for given function pointer and function's expected function pointer argument. Disregard explicit casts * update version. update results sarif and diff * update qlhelp file * update diff * fix comments in driver_snippet.c. remove unused part of query
microsoft · Dec 1, 2023 · 77fee14 · 77fee14
1 parent e8d637b
commit 77fee14
Show file tree

Hide file tree

Showing 5 changed files with 773 additions and 185 deletions.
diff --git a/src/drivers/general/queries/RoutineFunctionTypeNotExpected/RoutineFunctionTypeNotExpected.ql b/src/drivers/general/queries/RoutineFunctionTypeNotExpected/RoutineFunctionTypeNotExpected.ql
@@ -17,22 +17,24 @@
  * @tags correctness
  *       wddst
  * @scope domainspecific
- * @query-version v1
+ * @query-version v2
  */
 
 import cpp
+import semmle.code.cpp.exprs.Cast
 
 from FunctionCall fc, Parameter p, int n
 where
+  fc.getArgument(n).getUnspecifiedType() instanceof FunctionPointerType and
   p.getFunction() = fc.getTarget() and
   p.getUnspecifiedType() instanceof FunctionPointerType and
   p.getIndex() = n and
-  fc.getArgument(n).getUnspecifiedType() instanceof FunctionPointerType and
-  fc.getArgument(n).getUnspecifiedType().(FunctionPointerType).getReturnType().getUnspecifiedType() !=
-    p.getUnspecifiedType().(FunctionPointerType).getReturnType().getUnspecifiedType() 
-
+
+  fc.getArgument(n).hasImplicitConversion()
+    and not fc.getArgument(n).hasExplicitConversion()
 select fc,
-  "Function " + fc + " may use a function pointer (" + fc.getArgument(n) +
-    ") with an unexpected return type: " +
-    fc.getArgument(n).getUnspecifiedType().(FunctionPointerType).getReturnType() + " expected: " +
-    p.getUnspecifiedType().(FunctionPointerType).getReturnType()
+   "Function $@ may use a function pointer $@ for parameter $@ with an unexpected return type or parameter type. Expected formal parameter is: $@ ("
+  + p.getFunction().getNumberOfParameters() + " parameters). Actual argument: $@ (" + fc.getTarget().getNumberOfParameters() + " arguments).",
+  fc, fc.toString(), fc.getArgument(n), fc.getArgument(n).toString(),p,p.getName(), 
+  p, p.getUnspecifiedType().(FunctionPointerType).explain(),
+  fc.getArgument(n),fc.getArgument(n).getUnspecifiedType().(FunctionPointerType).explain()
diff --git a/...vers/general/queries/RoutineFunctionTypeNotExpected/RoutineFunctionTypeNotExpected.qlhelp b/...vers/general/queries/RoutineFunctionTypeNotExpected/RoutineFunctionTypeNotExpected.qlhelp
@@ -2,7 +2,7 @@
 <qhelp>
 	<overview>
 		<p>
-			The return type of a function pointer used in a function call should match the declaration of the calling function
+			The driver is passing or assigning a function (pointer) of an unexpected type (that is, function signature)
 		</p>
 	</overview>
 	<recommendation>