Checkpoint: Add DynamicAllocation case

Author: jeongsoolee09

cpp/misra/src/rules/RULE-8-7-1/PointerArithmeticFormsAnInvalidPointer.ql

@@ -33,9 +33,50 @@ class ArrayDeclaration extends VariableDeclarationEntry {
   Expr getInitExpr() { result = this.getVariable().getInitializer().getExpr() }
 }
 
+class HeapAllocationFunctionCall extends FunctionCall {
+  AllocationFunction heapAllocFunction;
+
+  HeapAllocationFunctionCall() { this.getTarget() = heapAllocFunction }
+
+  predicate isMallocCall() { heapAllocFunction.getName() = "malloc" }
+
+  predicate isCallocCall() { heapAllocFunction.getName() = "calloc" }
+
+  predicate isReallocCall() { heapAllocFunction.getName() = "realloc" }
+
+  abstract Expr getByteArgument();
+
+  int getByteLowerBound() { result = lowerBound(this.getByteArgument()) }
+}
+
+class MallocFunctionCall extends HeapAllocationFunctionCall {
+  MallocFunctionCall() { this.isMallocCall() }
+
+  override Expr getByteArgument() { result = this.getArgument(0) }
+}
+
+class CallocReallocFunctionCall extends HeapAllocationFunctionCall {
+  CallocReallocFunctionCall() { this.isCallocCall() or this.isReallocCall() }
+
+  override Expr getByteArgument() { result = this.getArgument(1) }
+}
+
+class NarrowedHeapAllocationFunctionCall extends Cast {
+  HeapAllocationFunctionCall alloc;
+
+  NarrowedHeapAllocationFunctionCall() { alloc = this.getExpr() }
+
+  int getMinNumElements() {
+    result =
+      alloc.getByteLowerBound() / this.getUnderlyingType().(PointerType).getBaseType().getSize()
+  }
+
+  HeapAllocationFunctionCall getAllocFunctionCall() { result = alloc }
+}
+
 newtype TArrayAllocation =
   TStackAllocation(ArrayDeclaration arrayDecl) or
-  TDynamicAllocation(AllocationFunction alloc)
+  TDynamicAllocation(NarrowedHeapAllocationFunctionCall narrowedAlloc)
 
 newtype TPointerFormation =
   TArrayExpr(ArrayExprBA arrayExpr) or
@@ -44,16 +85,20 @@ newtype TPointerFormation =
 class ArrayAllocation extends TArrayAllocation {
   ArrayDeclaration asStackAllocation() { this = TStackAllocation(result) }
 
-  AllocationFunction asDynamicAllocation() { this = TDynamicAllocation(result) }
+  NarrowedHeapAllocationFunctionCall asDynamicAllocation() { this = TDynamicAllocation(result) }
 
   string toString() {
     result = this.asStackAllocation().toString() or
     result = this.asDynamicAllocation().toString()
   }
 
+  /**
+   * Gets the number of the object that the array holds. This number is exact for a stack-allocated
+   * array, and the minimum estimated value for a heap-allocated one.
+   */
   int getLength() {
     result = this.asStackAllocation().getLength() or
-    none() // TODO: this.asDynamicAllocation()
+    result = this.asDynamicAllocation().getMinNumElements()
   }
 
   Location getLocation() {

cpp/misra/test/rules/RULE-8-7-1/test.cpp

@@ -43,29 +43,40 @@ void f2_realloc(int *array) {
   int valid1 = array[0];   // COMPLIANT: pointer is within boundary
   int valid2 = array[1];   // COMPLIANT: pointer is within boundary
   int valid3 = array[2];   // COMPLIANT: pointer points one beyond the last
-  int invalid1 = array[3];   // NON_COMPLIANT: pointer points one beyond the last
+  int invalid1 = array[3]; // NON_COMPLIANT: pointer points one beyond the last
                            // element, but non-compliant to Rule 4.1.3
   int invalid2 = array[4]; // NON_COMPLIANT: pointer points more than one beyond
                            // the last element
   int invalid3 = array[-1]; // NON_COMPLIANT: pointer is outside boundary
 }
 
-int main() {
+int main(int argc, char *argv[]) {
   /* 1. Array initialized on the stack */
   int array[3] = {0, 1, 2};
 
   f1(array);
   f2(array);
 
   /* 2. Array initialized on the heap */
-  int num_of_elements = 3;
+  int num_of_elements_malloc;
+  int num_of_elements_calloc;
+  int num_of_elements_realloc;
 
-  int* array_malloc = (int*)std::malloc(num_of_elements * sizeof(int));
-  int* array_calloc = (int*)std::calloc(num_of_elements, sizeof(int));
+  if (argc) {
+    num_of_elements_malloc = 1;
+    num_of_elements_calloc = 2;
+    num_of_elements_realloc = 3;
+  } else {
+    num_of_elements_malloc = 4;
+    num_of_elements_calloc = 5;
+    num_of_elements_realloc = 6;
+  }
 
-  int new_num_of_elements = 2;
+  int *array_malloc = (int *)std::malloc(num_of_elements_malloc * sizeof(int));
+  int *array_calloc = (int *)std::calloc(num_of_elements_calloc, sizeof(int));
 
-  int* array_realloc = (int*)std::realloc(array_malloc, new_num_of_elements * sizeof(int));
+  int *array_realloc =
+      (int *)std::realloc(array_malloc, num_of_elements_realloc * sizeof(int));
 
   f1(array_malloc);
   f2(array_malloc);