Add support for address of arbitrary lvalue exprs

jeongsoolee09 · jeongsoolee09 · commit 44ef2668d99f · 2026-04-21T15:41:50.000-04:00
diff --git a/cpp/misra/src/rules/RULE-8-7-1/PointerArithmeticFormsAnInvalidPointer.ql b/cpp/misra/src/rules/RULE-8-7-1/PointerArithmeticFormsAnInvalidPointer.ql
@@ -119,11 +119,8 @@ class NarrowedHeapAllocationFunctionCall extends Cast {
 
 newtype TArrayAllocation =
   TStackAllocation(ArrayDeclaration arrayDecl) or
-  TDynamicAllocation(NarrowedHeapAllocationFunctionCall narrowedAlloc)
-
-newtype TPointerFormation =
-  TArrayExpr(ArrayExprBA arrayExpr) or
-  TPointerArithmetic(PointerArithmeticOperation pointerArithmetic)
+  TDynamicAllocation(NarrowedHeapAllocationFunctionCall narrowedAlloc) or
+  TAddressOfLvalue(AddressOfExpr addressExpr)
 
 /**
  * Any kind of allocation of an array, either allocated on the stack or the heap.
@@ -133,9 +130,12 @@ class ArrayAllocation extends TArrayAllocation {
 
   NarrowedHeapAllocationFunctionCall asDynamicAllocation() { this = TDynamicAllocation(result) }
 
+  AddressOfExpr asAddressOfExpr() { this = TAddressOfLvalue(result) }
+
   string toString() {
     result = this.asStackAllocation().toString() or
-    result = this.asDynamicAllocation().toString()
+    result = this.asDynamicAllocation().toString() or
+    result = this.asAddressOfExpr().toString()
   }
 
   /**
@@ -149,26 +149,31 @@ class ArrayAllocation extends TArrayAllocation {
       result = this.asStackAllocation().getLength(inode.getIndirection())
     )
     or
-    result = this.asStackAllocation().getLength() and
-    node.asUninitialized() = this.asStackAllocation().getVariable()
+    node.asUninitialized() = this.asStackAllocation().getVariable() and
+    result = this.asStackAllocation().getLength()
     or
-    result = this.asDynamicAllocation().getMinNumElements() and
-    node.asConvertedExpr() = this.asDynamicAllocation()
+    node.asConvertedExpr() = this.asDynamicAllocation() and
+    result = this.asDynamicAllocation().getMinNumElements()
+    or
+    result = 1 and
+    node.asExpr() = this.asAddressOfExpr()
   }
 
   Location getLocation() {
     result = this.asStackAllocation().getLocation() or
-    result = this.asDynamicAllocation().getLocation()
+    result = this.asDynamicAllocation().getLocation() or
+    result = this.asAddressOfExpr().getLocation()
   }
 
   /**
    * Gets the node associated with this allocation.
    */
-  DataFlow::Node getNode() { exists(getLength(result)) }
+  DataFlow::Node getNode() { exists(this.getLength(result)) }
 
   Expr asExpr() {
     result = this.asStackAllocation().getVariable().getAnAccess() or
-    result = this.asDynamicAllocation()
+    result = this.asDynamicAllocation() or
+    result = this.asAddressOfExpr()
   }
 }
 
@@ -199,6 +204,10 @@ class IndirectUninitializedNode extends Node {
   int getIndirection() { result = indirection }
 }
 
+newtype TPointerFormation =
+  TArrayExpr(ArrayExprBA arrayExpr) or
+  TPointerArithmetic(PointerArithmeticOperation pointerArithmetic)
+
 /**
  * Any kind of pointer formation that derives from a base pointer, either as an arithmetic operation
  * on pointers, or an array access expression.
@@ -343,11 +352,11 @@ class FatPointer extends TFatPointer {
  * ``` C++
  * int buf[10];
  * int *p = buf;
- * int *p2 = p - 5;   // offshoots to left, totalOffset = -5
+ * int *p2 = p - 5;   // offshoots to left,  totalOffset = -5
  * int *p3 = p2 + 16; // offshoots to right, totalOffset = 11
- * int *p4 = p3 - 2;  // adjusts to left, totalOffset = 9
- * int *p5 = p4 - 5;  // adjusts to left, totalOffset = 4
- * int *p6 = p5 - 5;  // offshoots to left, totalOffset = -1
+ * int *p4 = p3 - 2;  // adjusts   to left,  totalOffset = 9
+ * int *p5 = p4 - 5;  // adjusts   to left,  totalOffset = 4
+ * int *p6 = p5 - 5;  // offshoots to left,  totalOffset = -1
  * ```
  *
  * Then, this table is roughly populated with (we use PathNode src, sink instead of FatPointer
diff --git a/cpp/misra/test/rules/RULE-8-7-1/test.cpp b/cpp/misra/test/rules/RULE-8-7-1/test.cpp
@@ -212,6 +212,22 @@ void stack_allocated_multi_dimensional_pointer_arithmetic(int array[2][3]) {
                        // one beyond the last element (equivalent to the above)
 }
 
+void test_address_of_expr(int *ptr) {
+  int valid11 = ptr[0]; // COMPLIANT: pointer points one beyond the last element
+  int *valid12 =
+      ptr + 0; // COMPLIANT: pointer points one beyond the last element
+
+  int valid21 = ptr[1]; // COMPLIANT: pointer points one beyond the last
+                        // element, but non-compliant to Rule 4.1.3
+  int *valid22 =
+      ptr + 1; // COMPLIANT: pointer points one beyond the last element
+
+  int invalid31 = ptr[2]; // NON_COMPLIANT: pointer points more than one beyond
+                          // the last element
+  int *invalid32 = ptr + 2; // NON_COMPLIANT: pointer points more than one
+                            // beyond the last element
+}
+
 /**
  * Test code that was copied from that of ARR38-C, at revision `d82ed6ee`.
  */
@@ -524,13 +540,17 @@ int main(int argc, char *argv[]) {
   int stack_multi_dimensional_array[2][3] = {{1, 2, 3}, {4, 5, 6}};
 
   /* 4. Multi-dimensional array initialized on the heap */
-  int(*heap_multi_dimensional_array)[3] = (int(*)[3])malloc(sizeof(int[2][3]));
+  int (*heap_multi_dimensional_array)[3] =
+      (int (*)[3])malloc(sizeof(int[2][3]));
 
   stack_allocated_multi_dimensional_array_access(stack_multi_dimensional_array);
   stack_allocated_multi_dimensional_pointer_arithmetic(
       stack_multi_dimensional_array);
   stack_allocated_multi_dimensional_array_access2(
       stack_multi_dimensional_array);
 
+  int lvalue_example = 1;
+  test_address_of_expr(&lvalue_example);
+
   return 0;
 }
