A few MISRA-related checks (#588)

* A few UB and lint checks.

* Distinguish signed-int from int (for bitfields).

* Updating tests and OS test exclusions.

* Minor conversion refactor.

* More signed-int fixes.

* Cast ptr to int: Impl behavior intead of lint.

* Update test expected output.

* Update test expected output.

* More expected-output fixes.

* Update tests.

* Remove duplicate test.

* j055e.c.ref: Update test expected output.

* Update test expected output.

Author: chathhorn

examples/c/error-codes/Error_Codes.csv

@@ -220,6 +220,7 @@ CV-CTI3,The width of a bit field shall be an integer constant expression.,6.7.2.
 CV-CTI5,Structs containing a flexible array member must not be array elements.,6.7.2.1:2,Constraint Violation,
 IMPL-CCV2,Conversion to signed integer outside the range that can be represented.,"6.3.1.3:3, J.3.5:1 item 4",Implementation Defined Behavior,
 IMPL-CCV13,Conversion from an integer to non-null pointer.,"6.3.2.3:5",Implementation Defined Behavior,
+IMPL-CCVE4,Casting a pointer to an integer.,"6.3.2.3:6",Implementation Defined Behavior,
 IMPL-CEB8,The left operand in a bitwise right-shift is negative.,"6.5.7:5, J.3.5:1 item 5",Implementation Defined Behavior,
 IMPL-CEMX4,Modulus operator with a pointer value as an argument.,"6.3.2.3:6, J.3.7:1 item 1",Implementation Defined Behavior,
 IMPL-CTI4,"Bit-field with type other than signed int, unsigned int, or _Bool.","6.7.2.1:5, J.3.9:1 item 2",Implementation Defined Behavior,
@@ -230,6 +231,7 @@ IMPLUB-CEMX5,Division by an implementation-defined or unspecified value.,"6.5.5:
 IMPLUB-CEMX6,Modulus by an implementation-defined or unspecified value.,"6.5.5:5, J.2:1 item 45",Implementation-dependent undefined Behavior,
 UB-PTHREAD99,Unimplemented pthread function.,POSIX 2008,Implementation Defined Behavior,
 L-PTHREAD9,Terminating a thread while holding lock on mutexes.,,Possible unintended behavior,X
+L-RESTRICT1,Use of the restrict qualifier (a possible source of undefined behavior).,,Possible unintended behavior,X
 L-STDLIBE1,Called free() on a null pointer.,,Possible unintended behavior,X
 L-STDLIBE2,"Malloc overflows memory bound, returning null pointer.",,Possible unintended behavior,X
 L-STDLIBE3,"Realloc overflows memory bound, returning null pointer.",,Possible unintended behavior,X
@@ -240,6 +242,7 @@ L-CEIE2,File opened but never closed.,,Possible unintended behavior,X
 L-CER7,Dereferencing a native pointer.,,Possible unintended behavior,X
 L-CCVE1,Unsigned integer overflow.,,Possible unintended behavior,X
 L-CCVE2,Conversion to unsigned integer outside the range that can be represented.,,Possible unintended behavior,X
+L-CCVE3,Casting away qualifiers.,,Possible unintended behavior,X
 L-CMRE1,Reading a struct or union with uninitialized parts.,,Possible unintended behavior,X
 L-EFNCE1,"Stack might overflow specified bound on some compilers or ABIs.",,Possible unintended behavior,X
 L-EFNC3,"Recursive call to the function .",,Possible unintended behavior,X

examples/c/error-codes/implementation-defined/IMPL-CCVE4-bad.c

@@ -0,0 +1,7 @@
+#include <stdint.h>
+
+int main() {
+      int p = 0;
+
+      (uintptr_t) &p;
+}

examples/c/error-codes/implementation-defined/IMPL-CCVE4-bad.output

@@ -0,0 +1,7 @@
+Casting a pointer to an integer:
+      > in main at IMPL-CCVE4-bad.c:6:7
+
+    Implementation defined behavior (IMPL-CCVE4):
+        see C11 section 6.3.2.3:6 http://rvdoc.org/C11/6.3.2.3
+        see MISRA-C section 8.11:4 http://rvdoc.org/MISRA-C/8.11
+

examples/c/error-codes/implementation-defined/IMPL-CCVE4-good.c

@@ -0,0 +1,7 @@
+#include <stdint.h>
+
+int main() {
+      int p = 0;
+
+      (uintptr_t) p;
+}

examples/c/error-codes/implementation-defined/IMPL-CEMX4-bad.output

@@ -1,3 +1,10 @@
+Casting a pointer to an integer:
+      > in main at IMPL-CEMX4-bad.c:5:7
+
+    Implementation defined behavior (IMPL-CCVE4):
+        see C11 section 6.3.2.3:6 http://rvdoc.org/C11/6.3.2.3
+        see MISRA-C section 8.11:4 http://rvdoc.org/MISRA-C/8.11
+
 Modulus operator with a pointer value as an argument:
       > in main at IMPL-CEMX4-bad.c:5:7
 

examples/c/error-codes/lint/L-CCVE3-bad.c

@@ -0,0 +1,4 @@
+int main() {
+      const int * p = (void *) 0;
+      (int *) p;
+}

examples/c/error-codes/lint/L-CCVE3-bad.output

@@ -0,0 +1,7 @@
+Casting away qualifiers:
+      > in main at L-CCVE3-bad.c:3:7
+
+    Possible unintended behavior (L-CCVE3):
+        see CERT-C section EXP05-C http://rvdoc.org/CERT-C/EXP05-C
+        see MISRA-C section 8.11:8 http://rvdoc.org/MISRA-C/8.11
+

examples/c/error-codes/lint/L-CCVE3-good.c

@@ -0,0 +1,4 @@
+int main() {
+      const int * p = (void *)0;
+      (const int *) p;
+}

examples/c/error-codes/lint/L-RESTRICT1-bad-static.c

@@ -0,0 +1,3 @@
+int main() {
+      int * restrict p;
+}

examples/c/error-codes/lint/L-RESTRICT1-bad-static.output

@@ -0,0 +1,5 @@
+L-RESTRICT1-bad-static.c:2:7: warning: Use of the restrict qualifier (a possible source of undefined behavior).
+
+    Possible unintended behavior (L-RESTRICT1):
+        see MISRA-C section 8.8:14 http://rvdoc.org/MISRA-C/8.8
+

examples/c/error-codes/lint/L-RESTRICT1-bad.output

@@ -0,0 +1,3 @@
+int main() {
+      int * p;
+}

examples/c/error-codes/lint/L-RESTRICT1-good.c

@@ -8,7 +8,7 @@ CHECK_RESULT_COMPILE = if [ $$? -eq 0 ] ; then echo "passed $<"; mv $@.tmp.out $
 CHECK_RESULT_RUN = if [ $$? -eq 0 ] ; then echo "passed $<"; mv $@.tmp $@; else echo "failed $<"; cat $@.tmp; exit 1; fi
 
 KCC = kcc
-KCCFLAGS = -frecover-all-errors -fno-native-compilation -fno-diagnostics-color
+KCCFLAGS = -frecover-all-errors -fno-native-compilation -fno-diagnostics-color -Wno-implementation-defined
 CFLAGS = -fno-diagnostics-color -std=c11
 
 .PHONY: clean comparison

examples/c/error-codes/undefined/Makefile

@@ -1,5 +1,5 @@
 #include <stddef.h>
 int main(void) {
-      struct s { int m : 5; };
+      struct s { signed int m : 5; };
       return offsetof(struct s, m);
 }

examples/c/error-codes/undefined/UB-TEOFF1-bad-static.c

@@ -1,6 +1,6 @@
 struct s {
-      int a : 8;
-      int b : 0;
+      signed int a : 8;
+      signed int b : 0;
 };
 
 struct s x[1] = {{0, 0}};

examples/c/error-codes/violates-constraint/nonfatal/CV-CDT5-bad-static.c

@@ -34,6 +34,7 @@ module C-ALIGNMENT
      rule byteAlignofType'(t(_, _, _:SimpleSignedCharType)) => cfg:alignofSignedChar
      rule byteAlignofType'(t(_, _, short-int)) => cfg:alignofShortInt
      rule byteAlignofType'(t(_, _, int)) => cfg:alignofInt
+     rule byteAlignofType'(t(_, _, signed-int)) => cfg:alignofInt
      rule byteAlignofType'(t(_, _, long-int)) => cfg:alignofLongInt
      rule byteAlignofType'(t(_, _, long-long-int)) => cfg:alignofLongLongInt
      rule byteAlignofType'(t(_, _, oversized-int)) => cfg:alignofOversizedInt

semantics/c/language/common/alignment.k

@@ -280,7 +280,8 @@ module C-CONVERSION
      need not be in the range of values of any integer type.
      }*/
      rule cast(integerUType #as T'::UType, tv(V::CValue, ut(... st: pointerType(_)) #as T::UType))
-          => checkUse(tv(cfg:pointerToInt(V, T'), castTypes(T', T)))
+          => implPointerToInt()
+          ~> checkUse(tv(cfg:pointerToInt(V, T'), castTypes(T', T)))
           requires notBool isBoolUType(T')
                andBool (byteSizeofType(T) <=Int byteSizeofType(T')
                     orBool (V ==K NullPointer))
@@ -293,6 +294,9 @@ module C-CONVERSION
                andBool byteSizeofType(T) >Int byteSizeofType(T')
           [structural]
 
+     rule (.K => IMPL("CCVE4", "Casting a pointer to an integer."))
+          ~> implPointerToInt()
+
      syntax Bool ::= isAbsolute(CValue) [function]
      rule isAbsolute(_) => false [owise]
 
@@ -328,18 +332,34 @@ module C-CONVERSION
      }*/
      rule cast(ut(Mods'::Set, pointerType(T'::Type)), tv(Loc:SymLoc, ut(Mods::Set, pointerType(T::Type))))
           => adjustPointerBounds(tv(Loc, castTypes(ut(Mods', pointerType(T')), ut(Mods, pointerType(T)))))
-          requires Loc =/=K NullPointer andBool (notBool isCompleteType(T')
-               orBool type(pointerType(T')) ==Type type(pointerType(T))
-               orBool getAlignas(T') <=Int getAlign(Loc)
-               orBool (isFunctionType(T) andBool isFunctionType(T')))
+          requires Loc =/=K NullPointer
+               andBool getAlignas(T') <=Int getAlign(Loc)
+               andBool notBool (isFunctionType(T) andBool notBool isFunctionType(T'))
+               andBool getQualifiers(T) <=Quals getQualifiers(T')
      //TODO(dwightguth): handle pointer alignment
      rule (.K => UNDEF("CCV11",
                "Conversion to a pointer type with a stricter alignment requirement (possibly undefined)."))
           ~> cast(ut(_, pointerType(T'::Type)), tv(Loc:SymLoc, ut(_, pointerType(T::Type))))
-          requires isCompleteType(T')
-               andBool type(pointerType(T')) =/=Type type(pointerType(T))
+          requires T' =/=Type T
+               andBool notBool (isFunctionType(T) andBool notBool isFunctionType(T'))
                andBool getAlignas(T') >Int getAlign(Loc)
           [structural]
+     rule (.K => UNDEF("CCV14",
+               "Conversion of a function pointer to object pointer type."))
+          ~> cast(ut(_, pointerType(T'::Type)), tv(Loc:SymLoc, ut(_, pointerType(T::Type))))
+          requires isFunctionType(T) andBool notBool isFunctionType(T')
+          [structural]
+     rule (.K => lintCastingAwayQuals())
+          ~> cast(ut(_, pointerType(T'::Type)), tv(Loc:SymLoc, ut(_, pointerType(T::Type => addQualifiers(getQualifiers(T'), stripQualifiers(T))))))
+          requires getQualifiers(T) >Quals getQualifiers(T')
+          [structural]
+
+     syntax Error ::= lintCastingAwayQuals()
+                    | implPointerToInt()
+     rule lintCastingAwayQuals() => .K
+          requires notBool hasLint
+     rule implPointerToInt() => .K
+          requires notBool hasLint
 
      syntax UType ::= castTypes(UType, UType) [function]
      rule castTypes(ut(_, T'::SimpleUType), ut(Mods::Set, _)) => ut(Mods, T')

semantics/c/language/common/conversion.k

@@ -81,6 +81,7 @@ module C-COMMON-PROMOTION
      rule rank(ut(_, short-int)) => 2
      rule rank(ut(_, unsigned-short-int)) => 2
      rule rank(ut(_, int)) => 3
+     rule rank(ut(_, signed-int)) => 3
      rule rank(ut(_, unsigned-int)) => 3
      rule rank(ut(_, long-int)) => 4
      rule rank(ut(_, unsigned-long-int)) => 4
@@ -121,6 +122,7 @@ module C-COMMON-PROMOTION
      // things more convenient if it's total.
      rule isPromoted(ut(_, enumType(_))) => true
      rule isPromoted(ut(_, int)) => true
+     rule isPromoted(ut(_, signed-int)) => true
      rule isPromoted(ut(_, unsigned-int)) => true
      rule isPromoted(ut(_, long-int)) => true
      rule isPromoted(ut(_, unsigned-long-int)) => true
@@ -141,7 +143,7 @@ module C-COMMON-PROMOTION
 
      rule promote(ut(Mods::Set, bitfieldType(T::SimpleType, Len::Int)))
           => utype(int)
-          requires ((T ==K bool) orBool (T ==K int) orBool (T ==K unsigned-int))
+          requires ((T ==K bool) orBool isSimpleIntType(T) orBool (T ==K unsigned-int))
                andBool min(utype(int))
                     <=Int min(utype(bitfieldType(T, Len)))
                andBool max(utype(int))
@@ -157,7 +159,7 @@ module C-COMMON-PROMOTION
 
      rule promote(ut(Mods::Set, bitfieldType(T::SimpleType, Len::Int)))
           => utype(unsigned-int)
-          requires (T ==K bool orBool T ==K int orBool T ==K unsigned-int)
+          requires (T ==K bool orBool isSimpleIntType(T) orBool T ==K unsigned-int)
                andBool notBool (
                     min(utype(int))
                          <=Int min(utype(bitfieldType(T, Len)))

semantics/c/language/common/promotion.k

@@ -122,10 +122,11 @@ module C-TYPING-SYNTAX
      // Basic types
      syntax SimpleBitfieldType ::= bitfieldType(SimpleType, Int)
 
-     syntax SimpleSignedType ::= "short-int" | SimpleSignedIntType
+     syntax SimpleSignedType ::= "short-int" | SimpleIntType
                                | "long-int" | "long-long-int" | "oversized-int"
      syntax SimpleFloatType ::= "float" | "double" | "long-double" | "oversized-float"
-     syntax SimpleSignedIntType ::= "int"
+     syntax SimpleIntType ::= "int" | SimpleSignedIntType
+     syntax SimpleSignedIntType ::= "signed-int"
      syntax SimpleUnsignedType ::= SimpleBoolType | "unsigned-short-int"
                                  | SimpleUnsignedIntType | "unsigned-long-int"
                                  | "unsigned-long-long-int"
@@ -220,7 +221,7 @@ module C-TYPING-SYNTAX
      rule aggregateOrUnionUType => ut(?_, arrayUType(?_, ?_) #Or incompleteArrayUType(?_) #Or flexibleArrayUType(?_) #Or unspecifiedArrayUType(?_) #Or variableLengthArrayUType(?_, ?_) #Or structType(?_) #Or unionType(?_)) [macro]
      rule pointerOrArrayUType => ut(?_, arrayUType(?_, ?_) #Or incompleteArrayUType(?_) #Or flexibleArrayUType(?_) #Or unspecifiedArrayUType(?_) #Or variableLengthArrayUType(?_, ?_) #Or pointerType(?_)) [macro]
      rule integerUType => unsignedIntegerUType #Or signedIntegerUType #Or ut(?_, enumType(?_)) [macro]
-     rule signedIntegerUType => ut(?_, short-int #Or int #Or long-int #Or long-long-int #Or oversized-int #Or signedCharType #Or bitfieldType(short-int #Or int #Or long-int #Or long-long-int #Or oversized-int #Or signedCharType, ?_)) [macro]
+     rule signedIntegerUType => ut(?_, short-int #Or int #Or signed-int #Or long-int #Or long-long-int #Or oversized-int #Or signedCharType #Or bitfieldType(short-int #Or int #Or signed-int #Or long-int #Or long-long-int #Or oversized-int #Or signedCharType, ?_)) [macro]
      rule unsignedIntegerUType => ut(?_, bool #Or unsigned-short-int #Or unsigned-int #Or unsigned-long-int #Or unsigned-long-long-int #Or unsigned-oversized-int #Or unsignedCharType #Or bitfieldType(bool #Or unsigned-short-int #Or unsigned-int #Or unsigned-long-int #Or unsigned-long-long-int #Or unsigned-oversized-int #Or unsignedCharType, ?_)) [macro]
      rule charUType => ut(?_, signedCharType #Or unsignedCharType) [macro]
      rule arithmeticUType => integerUType #Or ut(?_, float #Or double #Or long-double #Or oversized-float) [macro]
@@ -230,7 +231,7 @@ module C-TYPING-SYNTAX
      rule aggregateOrUnionType => t(?_, ?_, arrayType(?_, ?_) #Or incompleteArrayType(?_) #Or flexibleArrayType(?_) #Or unspecifiedArrayType(?_) #Or variableLengthArrayType(?_, ?_) #Or structType(?_) #Or unionType(?_)) [macro]
      rule pointerOrArrayType => t(?_, ?_, arrayType(?_, ?_) #Or incompleteArrayType(?_) #Or flexibleArrayType(?_) #Or unspecifiedArrayType(?_) #Or variableLengthArrayType(?_, ?_) #Or pointerType(?_)) [macro]
      rule integerType => unsignedIntegerType #Or signedIntegerType #Or t(?_, ?_, enumType(?_)) [macro]
-     rule signedIntegerType => t(?_, ?_, short-int #Or int #Or long-int #Or long-long-int #Or oversized-int #Or signedCharType #Or bitfieldType(short-int #Or int #Or long-int #Or long-long-int #Or oversized-int #Or signedCharType, ?_)) [macro]
+     rule signedIntegerType => t(?_, ?_, short-int #Or int #Or signed-int #Or long-int #Or long-long-int #Or oversized-int #Or signedCharType #Or bitfieldType(short-int #Or int #Or signed-int #Or long-int #Or long-long-int #Or oversized-int #Or signedCharType, ?_)) [macro]
      rule unsignedIntegerType => t(?_, ?_, bool #Or unsigned-short-int #Or unsigned-int #Or unsigned-long-int #Or unsigned-long-long-int #Or unsigned-oversized-int #Or unsignedCharType #Or bitfieldType(bool #Or unsigned-short-int #Or unsigned-int #Or unsigned-long-int #Or unsigned-long-long-int #Or unsigned-oversized-int #Or unsignedCharType, ?_)) [macro]
      rule charType => t(?_, ?_, signedCharType #Or unsignedCharType) [macro]
      rule arithmeticType => integerType #Or t(?_, ?_, float #Or double #Or long-double #Or oversized-float) [macro]

semantics/c/language/common/typing.k

@@ -78,6 +78,7 @@ module C-TYPING-COMMON
      rule Qs::Quals -Qual _ => Qs [owise]
 
      rule quals(Qs::Set) <=Quals quals(Qs'::Set) => Qs <=Set Qs'
+     rule quals(Qs::Set) >Quals quals(Qs'::Set) => notBool (Qs <=Set Qs')
 
      rule quals(Qs::Set) +Quals quals(Qs'::Set) => quals(Qs Qs')
 
@@ -133,6 +134,7 @@ module C-TYPING-COMMON
      rule numBytesArithmetic(_:SimpleSignedCharType) => cfg:sizeofSignedChar
      rule numBytesArithmetic(short-int) => cfg:sizeofShortInt
      rule numBytesArithmetic(int) => cfg:sizeofInt
+     rule numBytesArithmetic(signed-int) => cfg:sizeofInt
      rule numBytesArithmetic(long-int) => cfg:sizeofLongInt
      rule numBytesArithmetic(long-long-int) => cfg:sizeofLongLongInt
      rule numBytesArithmetic(oversized-int) => cfg:sizeofOversizedInt
@@ -233,6 +235,7 @@ module C-TYPING-COMMON
      rule showTypeSpecifier(signed-char) => "signed char"
      rule showTypeSpecifier(short-int) => "short"
      rule showTypeSpecifier(int) => "int"
+     rule showTypeSpecifier(signed-int) => "signed int"
      rule showTypeSpecifier(long-int) => "long"
      rule showTypeSpecifier(long-long-int) => "long long"
      rule showTypeSpecifier(oversized-int) => "__kcc_oversized_int"

semantics/c/language/common/typing/common.k

@@ -60,8 +60,16 @@ module C-TYPING-COMPATIBILITY
 
      syntax Bool ::= #areCompat(Type, Type, Set) [function]
      rule #areCompat(
-               t(Qs::Quals, Mods::Set, T:SimpleBasicType),
-               t(Qs, Mods'::Set, T), _)
+               t(Qs::Quals, _, T:SimpleBasicType),
+               t(Qs       , _, T), _)
+          => true
+     rule #areCompat(
+               t(Qs::Quals, _, signed-int),
+               t(Qs       , _, int), _)
+          => true
+     rule #areCompat(
+               t(Qs::Quals, _, int),
+               t(Qs       , _, signed-int), _)
           => true
 
      // TODO(chathhorn): should be a setting.

semantics/c/language/common/typing/compatibility.k

@@ -49,6 +49,7 @@ module C-TYPING-MISC
      rule flipSignedness(_:SimpleSignedCharType) => unsigned-char
      rule flipSignedness(short-int) => unsigned-short-int
      rule flipSignedness(int) => unsigned-int
+     rule flipSignedness(signed-int) => unsigned-int
      rule flipSignedness(long-int) => unsigned-long-int
      rule flipSignedness(long-long-int) => unsigned-long-long-int
      rule flipSignedness(oversized-int) => unsigned-oversized-int

semantics/c/language/common/typing/misc.k

@@ -107,7 +107,7 @@ module C-TYPING-PREDICATES
      rule isReadFrom(_) => false [owise]
 
      rule isTruthValue(tv(V::CValue, ut(_, T::SimpleUType)))
-          => T ==K int andBool (V ==K 0 orBool V ==K 1)
+          => isSimpleIntType(T) andBool (V ==K 0 orBool V ==K 1)
 
      rule isFlexibleType(dynamicType(T::Type)) => isFlexibleType(T)
      rule isFlexibleType(t(... st: structType(_)) #as T::Type) => isFlexibleStruct(getFields(T))

semantics/c/language/common/typing/predicates.k

@@ -119,11 +119,11 @@ module C-FUNCTION-DEF
           [structural]
      rule (.K => UNDEF("FD5", "Function main must return an int.") )
           ~> checkMainDef(t(_, _, functionType(ut(_, T::SimpleUType), _)))
-          requires T =/=K int
+          requires notBool isSimpleIntType(T)
           [structural]
      rule (.K => UNDEF("FD6", "If main has parameters, the type of the first parameter must be equivalent to int.") )
           ~> checkMainDef(t(_, _, functionType(_, ListItem(t(_, _, T::SimpleType)) _)))
-          requires T =/=K int andBool T =/=K void
+          requires notBool isSimpleIntType(T) andBool T =/=K void
           [structural]
      rule (.K => UNDEF("FD7", "If main has parameters, the type of the second parameter must be equivalent to char**.") )
           ~> checkMainDef(t(_, _, functionType(_, ListItem(_) ListItem(T:Type))))

semantics/c/language/translation/function-def.k

@@ -16,9 +16,7 @@ module C-LITERAL
      rule simplifyForHex(S:String) => simplifyForHex(butFirstChar(S))
           requires (firstChar(S) ==String "0")
                andBool (lengthString(S) >Int 1)
-     rule simplifyForHex(S:String) => S
-          requires (firstChar(S) =/=String "0")
-               orBool (lengthString(S) ==Int 1)
+     rule simplifyForHex(S:String) => S [owise]
 
      syntax IntConstant ::= hexOrOctalConstant(Int)
      rule HexConstant(S:String)