Improve 18-1, void* casts and FPs where lowerBound appears incorrect

Author: MichaelRFairhurst

change_notes/2025-1-04-misra-c-technical-corrigenda-2.md

@@ -4,8 +4,9 @@
    - Disallow `+` and `-` operations with an essentially char type and other types larger than int type.
    - Note, this change affects the essential type of such expressions, which may affect other essential types rules.
  - `RULE-18-1`, `M5-0-16` - `PointerAndDerivedPointerMustAddressSameArray.ql`, `PointerAndDerivedPointerAccessDifferentArray.ql`:
-   - Treat casts to byte pointers as pointers to arrays of the size of the pointed-to type
+   - Treat casts to byte pointers as pointers to arrays of the size of the pointed-to type.
    - Fix typo in report message, "passed" replaced with "past."
+   - Suppress results where range analysis appears potentially unreliable.
  - `RULE-21-10`, `RULE-25-5-3`, `ENV34-C` - `CallToSetlocaleInvalidatesOldPointers.ql`, `CallToSetlocaleInvalidatesOldPointersMisra.ql`, `DoNotStorePointersReturnedByEnvFunctions.ql`:
    - Report usage of returned pointers from `asctime`, `ctime`, during a call to either of the former.
    - Report usage of returned pointers from `gmtime`, `localtime`, during a call to either of the former.

cpp/common/src/codingstandards/cpp/rules/donotusepointerarithmetictoaddressdifferentarrays/DoNotUsePointerArithmeticToAddressDifferentArrays.qll

@@ -9,6 +9,7 @@ import codingstandards.cpp.Customizations
 import codingstandards.cpp.Exclusions
 import semmle.code.cpp.dataflow.new.DataFlow
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 import codeql.util.Boolean
 
 abstract class DoNotUsePointerArithmeticToAddressDifferentArraysSharedQuery extends Query { }
@@ -68,11 +69,13 @@ int elementSize(Type type, Boolean deref) {
  * length depends on `elementSize()` of the original pointed-to type.
  */
 class CastedToBytePointer extends ArrayLikeAccess, Conversion {
+  /** The sizeof() the pointed-to type */
   int size;
 
   CastedToBytePointer() {
     getType().(PointerType).getBaseType().getSize() = 1 and
-    size = elementSize(getExpr().getType(), true)
+    size = elementSize(getExpr().getType(), true) and
+    size > 1
   }
 
   override Element getElement() { result = this }
@@ -138,7 +141,7 @@ module ArrayToArrayExprFlow = DataFlow::Global<ArrayToArrayExprConfig>;
 
 /** Holds if the address taken expression `addressOf` takes the address of an array element at `index` of `array`. */
 predicate pointerOperandCreation(AddressOfExpr addressOf, ArrayLikeAccess array, int index) {
-  exists(ArrayExpr ae |
+  exists(ArrayExpr ae, Expr arrayOffset |
     (
       ArrayToArrayExprFlow::flow(array.getNode(), DataFlow::exprNode(ae.getArrayBase())) and
       array instanceof ArrayVariableAccess
@@ -149,7 +152,10 @@ predicate pointerOperandCreation(AddressOfExpr addressOf, ArrayLikeAccess array,
       // flow() may hold for `ArrayVariableAccess` in the above, even though they aren't sources
       array instanceof CastedToBytePointer
     ) and
-    index = lowerBound(ae.getArrayOffset().getFullyConverted()) and
+    arrayOffset = ae.getArrayOffset().getFullyConverted() and
+    index = lowerBound(arrayOffset) and
+    // This case typically indicates range analysis has gone wrong:
+    not index = exprMaxVal(arrayOffset) and
     addressOf.getOperand() = ae
   )
 }

cpp/common/test/rules/donotusepointerarithmetictoaddressdifferentarrays/test.cpp

@@ -39,4 +39,10 @@ void f1() {
   long *p21 = (long *)&l1;
   void *p22 = &p21[0];   // COMPLIANT
   void *p23 = &p21[100]; // NON_COMPLIANT[FALSE_NEGATIVE]
+
+  // Void pointers have size zero and can't be analyzed.
+  void *p24 = 0;
+  unsigned char* p25 = (unsigned char*)p24;
+  void *p26 = &p25[100]; // COMPLIANT
+
 }