Convert RULE-21-14 to the new dataflow library

jketema · jketema · commit dc76e3c0388f · 2025-07-11T17:02:04.000+02:00
Observe that the special case for global variables is no longer
needed, as these are properly handled in the new dataflow library.
diff --git a/c/misra/src/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.ql b/c/misra/src/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.ql
@@ -16,13 +16,13 @@
 import cpp
 import codingstandards.c.misra
 import codingstandards.c.misra.EssentialTypes
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.dataflow.new.TaintTracking
 import NullTerminatedStringToMemcmpFlow::PathGraph
 
 // Data flow from a StringLiteral or from an array of characters, to a memcmp call
 module NullTerminatedStringToMemcmpConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof StringLiteral
+    source.asIndirectExpr(1) instanceof StringLiteral
     or
     exists(Variable v, ArrayAggregateLiteral aal |
       aal = v.getInitializer().getExpr() and
@@ -31,26 +31,14 @@ module NullTerminatedStringToMemcmpConfig implements DataFlow::ConfigSig {
       // Includes a null terminator somewhere in the array initializer
       aal.getAnElementExpr(_).getValue().toInt() = 0
     |
-      // For local variables, use the array aggregate literal as the source
       aal = source.asExpr()
-      or
-      // ArrayAggregateLiterals used as initializers for global variables are not viable sources
-      // for global data flow, so we instead report variable accesses as sources, where the variable
-      // is constant or is not assigned in the program
-      v instanceof GlobalVariable and
-      source.asExpr() = v.getAnAccess() and
-      (
-        v.isConst()
-        or
-        not exists(Expr e | e = v.getAnAssignedValue() and not e = aal)
-      )
     )
   }
 
   predicate isSink(DataFlow::Node sink) {
     exists(FunctionCall memcmp |
       memcmp.getTarget().hasGlobalOrStdName("memcmp") and
-      sink.asExpr() = memcmp.getArgument([0, 1])
+      sink.asIndirectExpr() = memcmp.getArgument([0, 1])
     )
   }
 }
@@ -67,8 +55,8 @@ from
 where
   not isExcluded(memcmp, EssentialTypesPackage::memcmpUsedToCompareNullTerminatedStringsQuery()) and
   memcmp.getTarget().hasGlobalOrStdName("memcmp") and
-  arg1.getNode().asExpr() = memcmp.getArgument(0) and
-  arg2.getNode().asExpr() = memcmp.getArgument(1) and
+  arg1.getNode().asIndirectExpr(1) = memcmp.getArgument(0) and
+  arg2.getNode().asIndirectExpr(1) = memcmp.getArgument(1) and
   // There is a path from a null-terminated string to each argument
   NullTerminatedStringToMemcmpFlow::flowPath(source1, arg1) and
   NullTerminatedStringToMemcmpFlow::flowPath(source2, arg2) and
diff --git a/c/misra/test/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.expected b/c/misra/test/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.expected
@@ -1,38 +1,62 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (MemcmpUsedToCompareNullTerminatedStrings.ql:23,54-62)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (MemcmpUsedToCompareNullTerminatedStrings.ql:24,22-30)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (MemcmpUsedToCompareNullTerminatedStrings.ql:50,20-28)
-WARNING: module 'TaintTracking' has been deprecated and may be removed in future (MemcmpUsedToCompareNullTerminatedStrings.ql:58,43-56)
 edges
-| test.c:12:13:12:15 | a | test.c:14:10:14:10 | a | provenance |  |
-| test.c:12:13:12:15 | a | test.c:23:13:23:13 | a | provenance |  |
-| test.c:12:13:12:15 | a | test.c:24:10:24:10 | a | provenance |  |
-| test.c:13:13:13:15 | b | test.c:14:13:14:13 | b | provenance |  |
-| test.c:18:15:18:28 | {...} | test.c:21:10:21:10 | e | provenance |  |
-| test.c:19:15:19:28 | {...} | test.c:21:13:21:13 | f | provenance |  |
+| test.c:6:6:6:6 | *c | test.c:6:15:6:17 | 97 | provenance |  |
+| test.c:6:6:6:6 | *c | test.c:16:10:16:10 | *c | provenance |  |
+| test.c:6:6:6:6 | *c | test.c:26:13:26:13 | *c | provenance |  |
+| test.c:6:6:6:6 | *c | test.c:27:10:27:10 | *c | provenance |  |
+| test.c:6:14:6:26 | {...} | test.c:6:6:6:6 | *c | provenance |  |
+| test.c:6:15:6:17 | 97 | test.c:6:20:6:22 | 98 | provenance |  |
+| test.c:6:20:6:22 | 98 | test.c:6:25:6:25 | {...} | provenance |  |
+| test.c:6:25:6:25 | {...} | test.c:6:14:6:26 | {...} | provenance |  |
+| test.c:7:6:7:6 | *d | test.c:7:15:7:17 | 97 | provenance |  |
+| test.c:7:6:7:6 | *d | test.c:16:13:16:13 | *d | provenance |  |
+| test.c:7:14:7:26 | {...} | test.c:7:6:7:6 | *d | provenance |  |
+| test.c:7:15:7:17 | 97 | test.c:7:20:7:22 | 98 | provenance |  |
+| test.c:7:20:7:22 | 98 | test.c:7:25:7:25 | {...} | provenance |  |
+| test.c:7:25:7:25 | {...} | test.c:7:14:7:26 | {...} | provenance |  |
+| test.c:12:13:12:15 | *a | test.c:14:10:14:10 | *a | provenance | DataFlowFunction |
+| test.c:12:13:12:15 | *a | test.c:23:13:23:13 | *a | provenance | DataFlowFunction |
+| test.c:12:13:12:15 | *a | test.c:24:10:24:10 | *a | provenance | DataFlowFunction |
+| test.c:13:13:13:15 | *b | test.c:14:13:14:13 | *b | provenance | DataFlowFunction |
+| test.c:18:15:18:28 | {...} | test.c:21:10:21:10 | *e | provenance |  |
+| test.c:18:27:18:27 | {...} | test.c:18:15:18:28 | {...} | provenance |  |
+| test.c:19:15:19:28 | {...} | test.c:21:13:21:13 | *f | provenance |  |
+| test.c:19:27:19:27 | {...} | test.c:19:15:19:28 | {...} | provenance |  |
 nodes
-| test.c:10:10:10:12 | a | semmle.label | a |
-| test.c:10:15:10:17 | b | semmle.label | b |
-| test.c:12:13:12:15 | a | semmle.label | a |
-| test.c:13:13:13:15 | b | semmle.label | b |
-| test.c:14:10:14:10 | a | semmle.label | a |
-| test.c:14:13:14:13 | b | semmle.label | b |
-| test.c:16:10:16:10 | c | semmle.label | c |
-| test.c:16:13:16:13 | d | semmle.label | d |
+| test.c:6:6:6:6 | *c | semmle.label | *c |
+| test.c:6:14:6:26 | {...} | semmle.label | {...} |
+| test.c:6:15:6:17 | 97 | semmle.label | 97 |
+| test.c:6:20:6:22 | 98 | semmle.label | 98 |
+| test.c:6:25:6:25 | {...} | semmle.label | {...} |
+| test.c:7:6:7:6 | *d | semmle.label | *d |
+| test.c:7:14:7:26 | {...} | semmle.label | {...} |
+| test.c:7:15:7:17 | 97 | semmle.label | 97 |
+| test.c:7:20:7:22 | 98 | semmle.label | 98 |
+| test.c:7:25:7:25 | {...} | semmle.label | {...} |
+| test.c:10:10:10:12 | *a | semmle.label | *a |
+| test.c:10:15:10:17 | *b | semmle.label | *b |
+| test.c:12:13:12:15 | *a | semmle.label | *a |
+| test.c:13:13:13:15 | *b | semmle.label | *b |
+| test.c:14:10:14:10 | *a | semmle.label | *a |
+| test.c:14:13:14:13 | *b | semmle.label | *b |
+| test.c:16:10:16:10 | *c | semmle.label | *c |
+| test.c:16:13:16:13 | *d | semmle.label | *d |
 | test.c:18:15:18:28 | {...} | semmle.label | {...} |
+| test.c:18:27:18:27 | {...} | semmle.label | {...} |
 | test.c:19:15:19:28 | {...} | semmle.label | {...} |
-| test.c:21:10:21:10 | e | semmle.label | e |
-| test.c:21:13:21:13 | f | semmle.label | f |
-| test.c:23:13:23:13 | a | semmle.label | a |
-| test.c:24:10:24:10 | a | semmle.label | a |
-| test.c:26:13:26:13 | c | semmle.label | c |
-| test.c:27:10:27:10 | c | semmle.label | c |
+| test.c:19:27:19:27 | {...} | semmle.label | {...} |
+| test.c:21:10:21:10 | *e | semmle.label | *e |
+| test.c:21:13:21:13 | *f | semmle.label | *f |
+| test.c:23:13:23:13 | *a | semmle.label | *a |
+| test.c:24:10:24:10 | *a | semmle.label | *a |
+| test.c:26:13:26:13 | *c | semmle.label | *c |
+| test.c:27:10:27:10 | *c | semmle.label | *c |
 subpaths
 #select
-| test.c:10:3:10:8 | call to memcmp | test.c:10:10:10:12 | a | test.c:10:10:10:12 | a | memcmp used to compare $@ with $@. | test.c:10:10:10:12 | a | null-terminated string | test.c:10:15:10:17 | b | null-terminated string |
-| test.c:10:3:10:8 | call to memcmp | test.c:10:15:10:17 | b | test.c:10:15:10:17 | b | memcmp used to compare $@ with $@. | test.c:10:10:10:12 | a | null-terminated string | test.c:10:15:10:17 | b | null-terminated string |
-| test.c:14:3:14:8 | call to memcmp | test.c:12:13:12:15 | a | test.c:14:10:14:10 | a | memcmp used to compare $@ with $@. | test.c:12:13:12:15 | a | null-terminated string | test.c:13:13:13:15 | b | null-terminated string |
-| test.c:14:3:14:8 | call to memcmp | test.c:13:13:13:15 | b | test.c:14:13:14:13 | b | memcmp used to compare $@ with $@. | test.c:12:13:12:15 | a | null-terminated string | test.c:13:13:13:15 | b | null-terminated string |
-| test.c:16:3:16:8 | call to memcmp | test.c:16:10:16:10 | c | test.c:16:10:16:10 | c | memcmp used to compare $@ with $@. | test.c:16:10:16:10 | c | null-terminated string | test.c:16:13:16:13 | d | null-terminated string |
-| test.c:16:3:16:8 | call to memcmp | test.c:16:13:16:13 | d | test.c:16:13:16:13 | d | memcmp used to compare $@ with $@. | test.c:16:10:16:10 | c | null-terminated string | test.c:16:13:16:13 | d | null-terminated string |
-| test.c:21:3:21:8 | call to memcmp | test.c:18:15:18:28 | {...} | test.c:21:10:21:10 | e | memcmp used to compare $@ with $@. | test.c:18:15:18:28 | {...} | null-terminated string | test.c:19:15:19:28 | {...} | null-terminated string |
-| test.c:21:3:21:8 | call to memcmp | test.c:19:15:19:28 | {...} | test.c:21:13:21:13 | f | memcmp used to compare $@ with $@. | test.c:18:15:18:28 | {...} | null-terminated string | test.c:19:15:19:28 | {...} | null-terminated string |
+| test.c:10:3:10:8 | call to memcmp | test.c:10:10:10:12 | *a | test.c:10:10:10:12 | *a | memcmp used to compare $@ with $@. | test.c:10:10:10:12 | *a | null-terminated string | test.c:10:15:10:17 | *b | null-terminated string |
+| test.c:10:3:10:8 | call to memcmp | test.c:10:15:10:17 | *b | test.c:10:15:10:17 | *b | memcmp used to compare $@ with $@. | test.c:10:10:10:12 | *a | null-terminated string | test.c:10:15:10:17 | *b | null-terminated string |
+| test.c:14:3:14:8 | call to memcmp | test.c:12:13:12:15 | *a | test.c:14:10:14:10 | *a | memcmp used to compare $@ with $@. | test.c:12:13:12:15 | *a | null-terminated string | test.c:13:13:13:15 | *b | null-terminated string |
+| test.c:14:3:14:8 | call to memcmp | test.c:13:13:13:15 | *b | test.c:14:13:14:13 | *b | memcmp used to compare $@ with $@. | test.c:12:13:12:15 | *a | null-terminated string | test.c:13:13:13:15 | *b | null-terminated string |
+| test.c:16:3:16:8 | call to memcmp | test.c:6:25:6:25 | {...} | test.c:16:10:16:10 | *c | memcmp used to compare $@ with $@. | test.c:6:25:6:25 | {...} | null-terminated string | test.c:7:25:7:25 | {...} | null-terminated string |
+| test.c:16:3:16:8 | call to memcmp | test.c:7:25:7:25 | {...} | test.c:16:13:16:13 | *d | memcmp used to compare $@ with $@. | test.c:6:25:6:25 | {...} | null-terminated string | test.c:7:25:7:25 | {...} | null-terminated string |
+| test.c:21:3:21:8 | call to memcmp | test.c:18:27:18:27 | {...} | test.c:21:10:21:10 | *e | memcmp used to compare $@ with $@. | test.c:18:27:18:27 | {...} | null-terminated string | test.c:19:27:19:27 | {...} | null-terminated string |
+| test.c:21:3:21:8 | call to memcmp | test.c:19:27:19:27 | {...} | test.c:21:13:21:13 | *f | memcmp used to compare $@ with $@. | test.c:18:27:18:27 | {...} | null-terminated string | test.c:19:27:19:27 | {...} | null-terminated string |
