Merge pull request #736 from geoffw0/macroinv2

CPP: Deprecate MacroInvocationExpr and MacroInvocationStmt

cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql

@@ -55,8 +55,11 @@ predicate stringArray(Variable arr, AggregateLiteral init) {
   // overwrite some of them with untrusted data.
 }
 
-predicate underscoreMacro(MacroInvocationExpr e) {
-  e.getMacroName() = "_"
+predicate underscoreMacro(Expr e) {
+  exists(MacroInvocation mi |
+    mi.getMacroName() = "_" and
+    mi.getExpr() = e
+  )
 }
 
 /**

cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -18,9 +18,9 @@ import semmle.code.cpp.security.TaintTracking
 
 predicate isRandValue(Expr e) {
   e.(FunctionCall).getTarget().getName() = "rand" or
-  exists(FunctionCall fc |
-    fc = e.(MacroInvocationExpr).getInvocation().getExpr().getAChild*()
-  | fc.getTarget().getName() = "rand"
+  exists(MacroInvocation mi |
+    e = mi.getExpr() and
+    e.getAChild*().(FunctionCall).getTarget().getName() = "rand"
   )
 }
 

cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql

@@ -18,19 +18,29 @@ import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
 
-predicate isMaxValue(MacroInvocationExpr mie) {
-  mie.getMacroName() = "CHAR_MAX" or
-  mie.getMacroName() = "LLONG_MAX" or
-  mie.getMacroName() = "INT_MAX" or
-  mie.getMacroName() = "SHRT_MAX" or
-  mie.getMacroName() = "UINT_MAX"
+predicate isMaxValue(Expr mie) {
+  exists(MacroInvocation mi |
+    mi.getExpr() = mie and
+    (
+      mi.getMacroName() = "CHAR_MAX" or
+      mi.getMacroName() = "LLONG_MAX" or
+      mi.getMacroName() = "INT_MAX" or
+      mi.getMacroName() = "SHRT_MAX" or
+      mi.getMacroName() = "UINT_MAX"
+    )
+  )
 }
 
-predicate isMinValue(MacroInvocationExpr mie) {
-  mie.getMacroName() = "CHAR_MIN" or
-  mie.getMacroName() = "LLONG_MIN" or
-  mie.getMacroName() = "INT_MIN" or
-  mie.getMacroName() = "SHRT_MIN"
+predicate isMinValue(Expr mie) {
+  exists(MacroInvocation mi |
+    mi.getExpr() = mie and
+    (
+      mi.getMacroName() = "CHAR_MIN" or
+      mi.getMacroName() = "LLONG_MIN" or
+      mi.getMacroName() = "INT_MIN" or
+      mi.getMacroName() = "SHRT_MIN"
+    )
+  )
 }
 
 class SecurityOptionsArith extends SecurityOptions {

cpp/ql/src/semmle/code/cpp/Macro.qll

@@ -261,8 +261,13 @@ class MacroInvocation extends MacroAccess {
 
 /**
  * A top-level expression generated by a macro invocation.
+ *
+ * DEPRECATED: Use `MacroInvocation.getExpr()` directly to get an
+ * expression generated at the top-level of a macro invocation.  Use
+ * `MacroInvocation.getAnAffectedElement()` to get any element generated
+ * by a macro invocation.
  */
-class MacroInvocationExpr extends Expr {
+deprecated class MacroInvocationExpr extends Expr {
   MacroInvocationExpr() {
     exists(MacroInvocation i | this = i.getExpr())
   }
@@ -282,8 +287,13 @@ class MacroInvocationExpr extends Expr {
 
 /**
  * A top-level statement generated by a macro invocation.
+ *
+ * DEPRECATED: Use `MacroInvocation.getStmt()` directly to get a
+ * statement generated at the top-level of a macro invocation.  Use
+ * `MacroInvocation.getAnAffectedElement()` to get any element generated
+ * by a macro invocation.
  */
-class MacroInvocationStmt extends Stmt {
+deprecated class MacroInvocationStmt extends Stmt {
   MacroInvocationStmt() {
     exists(MacroInvocation i | this = i.getStmt())
   }

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected

@@ -1 +1,11 @@
-| test.c:13:17:13:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:10:13:10:16 | call to rand | Uncontrolled value |
+| test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
+| test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
+| test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
+| test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:22 | call to rand | Uncontrolled value |
+| test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
+| test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
+| test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
+| test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
+| test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
+| test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
+| test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c

@@ -1,9 +1,17 @@
 // Semmle test case for rule ArithmeticUncontrolled.ql (Uncontrolled data in arithmetic expression).
 // Associated with CWE-190: Integer Overflow or Wraparound. http://cwe.mitre.org/data/definitions/190.html
 
-int rand();
+int rand(void);
 void trySlice(int start, int end);
 
+#define RAND() rand()
+#define RANDN(n) (rand() % n)
+#define RAND2() (rand() ^ rand())
+
+
+
+
+
 void randomTester() {
   int i;
   for (i = 0; i < 1000; i++) {
@@ -21,5 +29,74 @@ void randomTester() {
       trySlice(r, r+100);
     }
   }
-}
 
+  {
+    int r = RAND();
+    r += 100; // BAD: The return from RAND() is unbounded
+  }
+
+  {
+    int r = RANDN(100);
+    r += 100; // GOOD: The return from RANDN is bounded [FALSE POSITIVE]
+  }
+
+  {
+    int r = rand();
+    r += 100; // BAD
+  }
+  
+  {
+    int r = rand() / 10;
+    r += 100; // GOOD
+  }
+  
+  {
+    int r = rand();
+    r = r / 10;
+    r += 100; // GOOD [FALSE POSITIVE]
+  }
+  
+  {
+    int r = rand();
+    r /= 10;
+    r += 100; // GOOD
+  }
+  
+  {
+    int r = rand() & 0xFF;
+    r += 100; // GOOD [FALSE POSITIVE]
+  }
+
+  {
+    int r = rand() + 100; // BAD [NOT DETECTED]
+  }
+
+  {
+    int r = RAND2();
+
+    r = r - 100; // BAD
+  }
+
+  {
+    int r = (rand() ^ rand());
+
+    r = r - 100; // BAD [NOT DETECTED]
+  }
+
+  {
+    int r = RAND2() - 100; // BAD [NOT DETECTED]
+  }
+
+  {
+    int r = RAND();
+    int *ptr_r = &r;
+    *ptr_r -= 100; // BAD [NOT DETECTED]
+  }
+
+  {
+    int r = 0;
+    int *ptr_r = &r;
+    *ptr_r = RAND();
+    r -= 100; // BAD
+  }
+}

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp

@@ -0,0 +1,39 @@
+// Semmle test case for rule ArithmeticUncontrolled.ql (Uncontrolled data in arithmetic expression).
+// Associated with CWE-190: Integer Overflow or Wraparound. http://cwe.mitre.org/data/definitions/190.html
+
+int rand(void);
+
+int get_rand()
+{
+	return rand();
+}
+
+void get_rand2(int *dest)
+{
+	*dest = rand();
+}
+
+void get_rand3(int &dest)
+{
+	dest = rand();
+}
+
+void randomTester2()
+{
+	{
+		int r = get_rand();
+		r = r + 100; // BAD
+	}
+
+	{
+		int r;
+		get_rand2(&r);
+		r = r + 100; // BAD [NOT DETECTED]
+	}
+
+	{
+		int r;
+		get_rand3(r);
+		r = r + 100; // BAD
+	}
+}