Move flowPath to srcSinkLengthMap and add stack_only.cpp

jeongsoolee09 · jeongsoolee09 · commit 128695899861 · 2026-03-09T11:14:28.000-07:00
diff --git a/cpp/misra/src/rules/RULE-8-7-1/Experimental.ql b/cpp/misra/src/rules/RULE-8-7-1/Experimental.ql
@@ -284,14 +284,21 @@ class FatPointer extends TFatPointer {
 predicate srcSinkLengthMap(
   FatPointer start, FatPointer end, int srcOffset, int sinkOffset, int length
 ) {
-  srcOffset = start.getOffset() and
-  sinkOffset = end.getOffset() and
-  (
-    /* Base case: The object is allocated and a fat pointer created. */
-    length = start.getLength()
-    or
-    /* Recursive case: A fat pointer is derived from a fat pointer. */
-    srcSinkLengthMap(_, start, _, srcOffset, length)
+  exists(TrackArray::PathNode src, TrackArray::PathNode sink |
+    TrackArray::flowPath(src, sink) and
+    /* Reiterate the data flow configuration here. */
+    src.getNode() = start.getNode() and
+    sink.getNode().asExpr() = end.getBasePointer()
+  |
+    srcOffset = start.getOffset() and
+    sinkOffset = end.getOffset() and
+    (
+      /* Base case: The object is allocated and a fat pointer created. */
+      length = start.getLength()
+      or
+      /* Recursive case: A fat pointer is derived from a fat pointer. */
+      srcSinkLengthMap(_, start, _, srcOffset, length)
+    )
   )
 }
 
@@ -318,10 +325,6 @@ where
   not isExcluded(sink.getNode().asExpr(),
     Memory1Package::pointerArithmeticFormsAnInvalidPointerQuery()) and
   exists(FatPointer start, FatPointer end, int srcOffset, int sinkOffset, int length |
-    TrackArray::flowPath(src, sink) and
-    /* Reiterate the data flow configuration here. */
-    src.getNode() = start.getNode() and
-    sink.getNode().asExpr() = end.getBasePointer() and
     srcSinkLengthMap(start, end, srcOffset, sinkOffset, length) and
     (
       srcOffset + sinkOffset < 0 or // Underflow detection
diff --git a/cpp/misra/test/rules/RULE-8-7-1/stack_only.cpp b/cpp/misra/test/rules/RULE-8-7-1/stack_only.cpp
@@ -0,0 +1,41 @@
+#include <cstdlib>
+#include <cstring>
+#include <ctime>
+#include <cwchar>
+
+void stack_allocated_single_dimensional_pointer_arithmetic(int *array) {
+  /* 1. Pointer formed from performing arithmetic */
+  int *valid1 = array;     // COMPLIANT: pointer is within boundary
+  int *valid2 = array + 1; // COMPLIANT: pointer is within boundary
+  int *valid3 = array + 2; // COMPLIANT: pointer is within boundary
+  int *valid4 =
+      array + 3; // COMPLIANT: pointer points one beyond the last element
+  int *invalid1 =
+      array +
+      4; // NON_COMPLIANT: pointer points more than one beyond the last element
+  int *invalid2 = array - 1; // NON_COMPLIANT: pointer is outside boundary
+}
+
+void stack_allocated_single_dimensional_array_access(int *array) {
+  /* 2. Array Access (entails pointer arithmetic) */
+  int valid1 = array[0];   // COMPLIANT: pointer is within boundary
+  int valid2 = array[1];   // COMPLIANT: pointer is within boundary
+  int valid3 = array[2];   // COMPLIANT: pointer is within boundary
+  int valid4 = array[3];   // COMPLIANT: pointer points one beyond the last
+                           // element, but non-compliant to Rule 4.1.3
+  int invalid1 = array[4]; // NON_COMPLIANT: pointer points more than one beyond
+                           // the last element
+  int invalid2 = array[-1]; // NON_COMPLIANT: pointer is outside boundary
+}
+
+int main(int argc, char *argv[]) {
+  /* 1. Single-dimensional array initialized on the stack */
+  int stack_single_dimensional_array[3] = {0, 1, 2};
+
+  stack_allocated_single_dimensional_pointer_arithmetic(
+      stack_single_dimensional_array);
+  stack_allocated_single_dimensional_array_access(
+      stack_single_dimensional_array);
+
+  return 0;
+}
