Skip to content

Implement Memory1 (RULE-8-7-1) #967

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jeongsoolee09 wants to merge 39 commits into
base: main
Choose a base branch
from
Open

Implement Memory1 (RULE-8-7-1) #967

jeongsoolee09 wants to merge 39 commits into from
+2,560 −9

Conversation

@jeongsoolee09
Copy link
Collaborator

@jeongsoolee09 jeongsoolee09 commented Nov 18, 2025
edited
Loading

Description

Implement Memory1 (RULE-8-7-1) and add rule package description files for the rest of the rules (Memory2-Memory6).

Change request type

  • Release or process automation (GitHub workflows, internal scripts)
  • Internal documentation
  • External documentation
  • Query files (.ql, .qll, .qls or unit tests)
  • External scripts (analysis report or other code shipped as part of a release)

Rules with added or modified queries

  • No rules added
  • Queries have been added for the following rules:
    • RULE-8-7-1
  • Queries have been modified for the following rules:
    • rule number here

Release change checklist

A change note (development_handbook.md#change-notes) is required for any pull request which modifies:

  • The structure or layout of the release artifacts.
  • The evaluation performance (memory, execution time) of an existing query.
  • The results of an existing query in any circumstance.

If you are only adding new rule queries, a change note is not required.

Author: Is a change note required?

  • Yes
  • No

🚨🚨🚨
Reviewer: Confirm that format of shared queries (not the .qll file, the
.ql file that imports it) is valid by running them within VS Code.

  • Confirmed

Reviewer: Confirm that either a change note is not required or the change note is required and has been added.

  • Confirmed

Query development review checklist

For PRs that add new queries or modify existing queries, the following checklist should be completed by both the author and reviewer:

Author

  • Have all the relevant rule package description files been checked in?
  • Have you verified that the metadata properties of each new query is set appropriately?
  • Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • Are the alert messages properly formatted and consistent with the style guide?
  • Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • Does the query have an appropriate level of in-query comments/documentation?
  • Have you considered/identified possible edge cases?
  • Does the query not reinvent features in the standard library?
  • Can the query be simplified further (not golfed!)

Reviewer

  • Have all the relevant rule package description files been checked in?
  • Have you verified that the metadata properties of each new query is set appropriately?
  • Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • Are the alert messages properly formatted and consistent with the style guide?
  • Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • Does the query have an appropriate level of in-query comments/documentation?
  • Have you considered/identified possible edge cases?
  • Does the query not reinvent features in the standard library?
  • Can the query be simplified further (not golfed!)

@jeongsoolee09 jeongsoolee09 self-assigned this Nov 18, 2025
@jeongsoolee09
Add Memory1 package files
a5d4127
@jeongsoolee09
Expose malloc, calloc and realloc
1a2cde8
@jeongsoolee09
Minor comments
c21e862
@jeongsoolee09
Checkpoint
c0b1e55
@jeongsoolee09
Split out source and sinks into their cases
9d3bab0
@jeongsoolee09
Checkpoint
a8a6db7
@jeongsoolee09
Merge branch 'main' into jeongsoolee09/MISRA-C++-2023-Memory
4464702
@jeongsoolee09
Checkpoint: Add DynamicAllocation case
e2c5870
@jeongsoolee09
First working draft
fe2a3c4
@jeongsoolee09
Refine into path-problem
5ea652b
@jeongsoolee09
Change TaintTracking to DataFlow
7b860d9
@jeongsoolee09
Finalize first working draft for stack / heap arrays
08b8bf7
@jeongsoolee09
Document code copy and clean up imports
062c62f
@jeongsoolee09
Add multidimensional arrays alloc'ed on stack
e264dfd
@jeongsoolee09
Add test.cpp and expected test results
4d2bc8b
@jeongsoolee09
Add exclusion for Memory1.qll
21500b8
@jeongsoolee09
Adjust precision of existing rule and add a supplementary rule
e9f39a2
@jeongsoolee09
Add supplementary query files
a62e2e1
@jeongsoolee09
Fix @kind from problem to path-problem
ca62995
@jeongsoolee09
Copy OutOfBounds.qll to cpp/common/src/codingstandards/cpp/
8abf097
@jeongsoolee09
Remove unused import codingstandards.cpp.Variable in OutOfBounds.qll
f5454de
@jeongsoolee09
Add PointerArgumentToCstringFunctionIsInvalid.ql and create testref f…
d82ed6e 
…or it
@jeongsoolee09
Copy test.c from ARR38-C and add strncpy
356bbf2
@jeongsoolee09
Add headers, Add defininitions to headers, remove cases without null …
4c4cf49 
…terminator, remove file pointer cases

1. Add headers, Adding missing headers: For obvious reasons.
2. Remove cases without null terminator: Both clang and g++ do not permit
   strings to be allocated that are declared to be shorter than the actual
   initializing expression. Since this is a C++ rule, we rule them out.
3. File pointer manipulation functions (e.g. fgets): Not required by the rule.
@jeongsoolee09
Remove testref and add qlref and expected
9ced913
@jeongsoolee09
Address case of strncat
1c5dc84
@jeongsoolee09
Remove unused predicate and update .expected
2f80208
@jeongsoolee09 jeongsoolee09 marked this pull request as ready for review January 30, 2026 20:35
Copilot AI reviewed Jan 30, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements MISRA C++ 2023 Rule 8-7-1 (Memory1 package) which validates pointer arithmetic to ensure pointers don't exceed array bounds. The PR updates the rules.csv to organize memory-related rules into separate packages (Memory1-Memory6) and adds two queries for detecting invalid pointer arithmetic.

Changes:

  • Implements two queries for RULE-8-7-1: PointerArithmeticFormsAnInvalidPointer (path-problem) and PointerArgumentToCstringFunctionIsInvalid (problem)
  • Adds a comprehensive OutOfBounds.qll module (1358 lines) for buffer overflow analysis
  • Updates rules.csv to assign memory-related rules to Memory1-Memory6 packages
  • Adds Memory1.json rule package description file and Memory1.qll exclusions file

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
rules.csv Updates package names from "Memory" to "Memory1" through "Memory6" for memory-related rules
rule_packages/cpp/Memory1.json Adds package description for Memory1 with metadata for both queries
cpp/misra/src/rules/RULE-8-7-1/PointerArithmeticFormsAnInvalidPointer.ql Implements path-problem query for detecting invalid pointer arithmetic
cpp/misra/src/rules/RULE-8-7-1/PointerArgumentToCstringFunctionIsInvalid.ql Implements problem query for invalid cstring function arguments
cpp/misra/test/rules/RULE-8-7-1/test.cpp Comprehensive test file with 519 lines covering various pointer arithmetic scenarios
cpp/misra/test/rules/RULE-8-7-1/*.expected Expected results files for both queries
cpp/misra/test/rules/RULE-8-7-1/*.qlref Query reference files
cpp/common/src/codingstandards/cpp/OutOfBounds.qll New module providing buffer overflow analysis infrastructure
cpp/common/src/codingstandards/cpp/exclusions/cpp/Memory1.qll Auto-generated exclusions file for Memory1 queries
cpp/common/src/codingstandards/cpp/exclusions/cpp/RuleMetadata.qll Updates to include Memory1 query metadata
cpp/common/test/includes/standard-library/*.h Adds missing C standard library function declarations
cpp/common/test/includes/standard-library/cstdlib Adds using declarations for malloc, calloc, realloc
Comments suppressed due to low confidence (1)

cpp/misra/src/rules/RULE-8-7-1/PointerArithmeticFormsAnInvalidPointer.ql:171

  • Similar to the PointerAddExpr case, this predicate uses getAnOperand() which could match either operand. For PointerSubExpr, you need to specifically get the right operand (the value being subtracted). The current implementation could incorrectly negate the pointer operand instead of the offset value.
    exists(PointerSubExpr pointerSubtraction | pointerSubtraction = this.asPointerArithmetic() |
      result = -pointerSubtraction.getAnOperand().getValue().toInt()
    )

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

cpp/misra/src/rules/RULE-8-7-1/PointerArgumentToCstringFunctionIsInvalid.ql
Comment on lines +18 to +24
import codingstandards.cpp.exclusions.c.RuleMetadata

from
OOB::BufferAccessLibraryFunctionCall fc, string message, Expr bufferArg, string bufferArgStr,
Expr sizeOrOtherBufferArg, string otherStr
where
not isExcluded(fc, OutOfBoundsPackage::libraryFunctionArgumentOutOfBoundsQuery()) and
Copy link

Copilot AI Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This query imports from codingstandards.cpp.exclusions.c.RuleMetadata but the OutOfBoundsPackage::libraryFunctionArgumentOutOfBoundsQuery is defined for C, not C++. This is a MISRA C++ rule (RULE-8-7-1), so it should either use the C++ exclusions system or verify that using the C exclusions is intentional. This could cause issues with the exclusion system not properly recognizing this as a C++ query.

Copilot uses AI. Check for mistakes.
cpp/misra/src/rules/RULE-8-7-1/PointerArithmeticFormsAnInvalidPointer.ql
}

/**
* The
Copy link

Copilot AI Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Incomplete documentation: The class documentation starts with "The" but is incomplete. Please complete the documentation explaining what this class represents, such as "A heap allocation function call that is cast to a specific pointer type."

Suggested change
* The
* A heap allocation function call that is cast to a specific pointer type.

Copilot uses AI. Check for mistakes.
cpp/misra/src/rules/RULE-8-7-1/PointerArithmeticFormsAnInvalidPointer.ql
Comment on lines +166 to +170
result = pointerAddition.getAnOperand().getValue().toInt() // TODO: only get the number being added
)
or
exists(PointerSubExpr pointerSubtraction | pointerSubtraction = this.asPointerArithmetic() |
result = -pointerSubtraction.getAnOperand().getValue().toInt()
Copy link

Copilot AI Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The getOffset predicate has a TODO comment indicating incomplete implementation. For PointerAddExpr, the current logic uses getAnOperand() which could match either the pointer or the integer operand. This should specifically get the right operand (the offset value) to avoid incorrect results. Consider using getRightOperand() or a similar specific accessor to ensure the correct operand is used.

Suggested change
result = pointerAddition.getAnOperand().getValue().toInt() // TODO: only get the number being added
)
or
exists(PointerSubExpr pointerSubtraction | pointerSubtraction = this.asPointerArithmetic() |
result = -pointerSubtraction.getAnOperand().getValue().toInt()
result = pointerAddition.getRightOperand().getValue().toInt()
)
or
exists(PointerSubExpr pointerSubtraction | pointerSubtraction = this.asPointerArithmetic() |
result = -pointerSubtraction.getRightOperand().getValue().toInt()

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@MichaelRFairhurst MichaelRFairhurst Awaiting requested review from MichaelRFairhurst

At least 1 approving review is required to merge this pull request.

Assignees

@jeongsoolee09 jeongsoolee09

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jeongsoolee09 @Claude @Codex