Reject macros inside (u)INT<size>_C macros (eg, 1NT8_C(true)) and remove exception

MichaelRFairhurst · MichaelRFairhurst · commit 3708edfbefdc · 2024-10-04T23:29:16.000-07:00
Added exception to handle INT63_MIN as an addition expression, but that
exception is actually quite dangerous and should be removed.
diff --git a/c/misra/src/rules/RULE-7-5/InvalidIntegerConstantMacroArgument.ql b/c/misra/src/rules/RULE-7-5/InvalidIntegerConstantMacroArgument.ql
@@ -16,27 +16,19 @@ import codingstandards.cpp.IntegerConstantMacro
 import codingstandards.cpp.Literals
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 
-/**
- * The max negative 64 bit signed integer is one less than the negative of the
- * max positive signed 64 bit integer. The only way to create a "negative"
- * literal is to use unary- negation of a positive literal. Therefore, clang
- * (and likely other compilers) rejects `INT64_C(-92233...808)` but accepts
- * `INT64_C(-92233...807 - 1)`. Therefore, in this case allow non-literal
- * expressions.
- */
-predicate specialMaxNegative64Exception(IntegerConstantMacro macro, Expr expr) {
-  macro.getSize() = 64 and
-  macro.isSigned() and
-  // Set a cutoff with precision, fix once BigInt library is available.
-  upperBound(expr) < macro.minValue() * 0.999999999 and
-  upperBound(expr) > macro.minValue() * 1.000000001
+predicate containsMacroInvocation(MacroInvocation outer, MacroInvocation inner) {
+  outer.getExpr() = inner.getExpr() and
+  exists(outer.getUnexpandedArgument(0).indexOf(inner.getMacroName()))
 }
 
 from MacroInvocation invoke, IntegerConstantMacro macro
 where
   not isExcluded(invoke, Types2Package::invalidIntegerConstantMacroArgumentQuery()) and
   invoke.getMacro() = macro and
-  not invoke.getExpr() instanceof PossiblyNegativeLiteral and
-  not specialMaxNegative64Exception(macro, invoke.getExpr())
+  (
+    not invoke.getExpr() instanceof PossiblyNegativeLiteral
+    or
+    containsMacroInvocation(invoke, _)
+  )
 select invoke.getExpr(),
   "Argument to integer constant macro " + macro.getName() + " must be an integer literal."
diff --git a/c/misra/test/rules/RULE-7-5/InvalidIntegerConstantMacroArgument.expected b/c/misra/test/rules/RULE-7-5/InvalidIntegerConstantMacroArgument.expected
@@ -1,5 +1,8 @@
 | test.c:48:13:48:17 | ... + ... | Argument to integer constant macro UINT8_C must be an integer literal. |
 | test.c:49:13:49:18 | access to array | Argument to integer constant macro UINT8_C must be an integer literal. |
 | test.c:50:13:50:19 | access to array | Argument to integer constant macro UINT8_C must be an integer literal. |
-| test.c:167:13:167:37 | ... - ... | Argument to integer constant macro INT64_C must be an integer literal. |
-| test.c:168:13:168:47 | ... - ... | Argument to integer constant macro INT64_C must be an integer literal. |
+| test.c:51:5:51:22 | 255 | Argument to integer constant macro UINT8_C must be an integer literal. |
+| test.c:52:5:52:17 | 1 | Argument to integer constant macro UINT8_C must be an integer literal. |
+| test.c:53:5:53:18 | 0 | Argument to integer constant macro UINT8_C must be an integer literal. |
+| test.c:54:5:54:17 | 0 | Argument to integer constant macro UINT8_C must be an integer literal. |
+| test.c:55:5:55:20 | 0 | Argument to integer constant macro UINT8_C must be an integer literal. |
diff --git a/c/misra/test/rules/RULE-7-5/test.c b/c/misra/test/rules/RULE-7-5/test.c
@@ -48,11 +48,11 @@ uint_least8_t g1[] = {
     UINT8_C(0 + 0),     // NON-COMPLIANT
     UINT8_C("a"[0]),    // NON-COMPLIANT
     UINT8_C(0 ["a"]),   // NON-COMPLIANT
-    UINT8_C(UINT8_MAX), // COMPLIANT
-    UINT8_C(true),      // NON-COMPLIANT[False Negative]
-    UINT8_C(false),     // NON-COMPLIANT[False Negative]
-    UINT8_C(NULL),      // NON-COMPLIANT[False Negative]
-    UINT8_C(NULLPTR),   // NON-COMPLIANT[False Negative]
+    UINT8_C(UINT8_MAX), // NON-COMPLIANT
+    UINT8_C(true),      // NON-COMPLIANT
+    UINT8_C(false),     // NON-COMPLIANT
+    UINT8_C(NULL),      // NON-COMPLIANT
+    UINT8_C(NULLPTR),   // NON-COMPLIANT
 };
 
 int_least8_t g2[] = {
@@ -158,20 +158,17 @@ int_least64_t g8[] = {
     INT64_C(9223372036854775807), // COMPLIANT
     // INT64_C(9223372036854775808) is a compile-time error
 
-    // -9223372036854775808 allowed, but cannot be created via unary- without
-    // compile time errors.
-    INT64_C(-9223372036854775807),     // COMPLIANT
-    INT64_C(-9223372036854775807 - 1), // COMPLIANT
-    // -9223372036854775809 is not allowed, and cannot be created via unary-
-    // without compile time errors.
-    INT64_C(-9223372036854775807 - 2),           // NON-COMPLIANT
-    INT64_C(-9223372036854775807 - 20000000000), // NON-COMPLIANT
+    INT64_C(-9223372036854775807), // COMPLIANT
+    // -9223372036854775808 is correctly sized, but not a valid decimal literal
+    // value.
+    // -9223372036854775809 is not correctly sized, and not a valid decimal
+    // literal value.
 
     INT64_C(0x7FFFFFFFFFFFFFFF),  // COMPLIANT
     INT64_C(0x8000000000000000),  // NON-COMPLIANT[FALSE NEGATIVE]
     INT64_C(-0x8000000000000000), // COMPLIANT
     INT64_C(-0x8000000000000001), // NON-COMPLIANT[FALSE NEGATIVE]
-    INT64_C(-0x8001000000000000), // NON-COMPLIANT
+    INT64_C(-0x8001000000000000), // NON-COMPLIANT[FALSE NEGATIVE]
 };
 
 // Other edge cases:
