
Add C `Contracts` package

Open lcartey opened this issue 1 year ago • 0 comments

Description

I recently reviewed a number of unimplemented MISRA C and CERT C rules related to the contracts which we had marked as either "compiler supported" or "covered by other rules", and identified some cases which

  • MSC40-C - Do not violate constraints - there is a requirement that the compiler produce a diagnostic when the constraints are violated. However, the CERT rule lists a specific case which is known to not be reported by compilers. I have therefore added a new query to cover this case.
  • DIR-4-7 - If a function returns error information, then that error information shall be tested - as a directive we are not required to fully cover this rule. However, we already had a query for M0-3-2 that identifies cases where C standard library functions are called and where possible error states are not checked. I have shared this implementation.
  • DIR-4-11 - The validity of values passed to library functions shall be checked - similar to DIR-4-7, we already have a query which identifies domain, range and pole errors with calls to functions in math.h. I have also shared this implementation.

Change request type

  • [ ] Release or process automation (GitHub workflows, internal scripts)
  • [ ] Internal documentation
  • [ ] External documentation
  • [x] Query files (.ql, .qll, .qls or unit tests)
  • [ ] External scripts (analysis report or other code shipped as part of a release)

Rules with added or modified queries

  • [ ] No rules added
  • [x] Queries have been added for the following rules:
    • MSC40-C
    • DIR-4-7
    • DIR-4-11
  • [x] Queries have been modified for the following rules:
    • M0-3-2

Release change checklist

A change note (development_handbook.md#change-notes) is required for any pull request which modifies:

  • The structure or layout of the release artifacts.
  • The evaluation performance (memory, execution time) of an existing query.
  • The results of an existing query in any circumstance.

If you are only adding new rule queries, a change note is not required.

Author: Is a change note required?

  • [x] Yes
  • [ ] No

🚨🚨🚨 Reviewer: Confirm that format of shared queries (not the .qll file, the .ql file that imports it) is valid by running them within VS Code.

  • [ ] Confirmed

Reviewer: Confirm that either a change note is not required or the change note is required and has been added.

  • [ ] Confirmed

Query development review checklist

For PRs that add new queries or modify existing queries, the following checklist should be completed by both the author and reviewer:

Author

  • [x] Have all the relevant rule package description files been checked in?
  • [x] Have you verified that the metadata properties of each new query are set appropriately?
  • [x] Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • [x] Are the alert messages properly formatted and consistent with the style guide?
  • [x] Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • [x] Does the query have an appropriate level of in-query comments/documentation?
  • [x] Have you considered/identified possible edge cases?
  • [x] Does the query not reinvent features in the standard library?
  • [x] Can the query be simplified further (not golfed!)?

Reviewer

  • [ ] Have all the relevant rule package description files been checked in?
  • [ ] Have you verified that the metadata properties of each new query are set appropriately?
  • [ ] Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • [ ] Are the alert messages properly formatted and consistent with the style guide?
  • [ ] Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • [ ] Does the query have an appropriate level of in-query comments/documentation?
  • [ ] Have you considered/identified possible edge cases?
  • [ ] Does the query not reinvent features in the standard library?
  • [ ] Can the query be simplified further (not golfed!)?

lcartey · Jan 30 '24 10:01
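The two shared queries described above (DIR-4-7, error information from a C standard library call must be tested; DIR-4-11, values passed to library functions must be valid) are easiest to understand from the kind of COMPLIANT / NON_COMPLIANT pair the PR checklist asks unit tests to contain. The following C file is an added illustration written for this page, not code from the codeql-coding-standards repository or its test suite. It uses strtol() and the <ctype.h> classification functions rather than math.h, so it builds against the C library alone; the domain check before a math.h call (for example rejecting a negative argument before sqrt()) follows the same pattern as the <ctype.h> case. The function names, the parse_status enum and the sample input are this example's own.

```c
/* Added example: caller-side checks of the kind DIR-4-7 and DIR-4-11 ask for.
 * Not from the codeql-coding-standards repository; names are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

enum parse_status {
    PARSE_OK = 0,
    PARSE_EMPTY = -1,     /* no digits were consumed */
    PARSE_TRAILING = -2,  /* digits followed by other characters */
    PARSE_RANGE = -3      /* overflow (ERANGE) or outside 0..65535 */
};

/* NON_COMPLIANT (DIR-4-7): none of the error information strtol() offers is
 * tested. "abc" silently becomes 0 and an overlong number becomes LONG_MAX. */
long parse_port_unchecked(const char *s) {
    return strtol(s, NULL, 10);
}

/* COMPLIANT (DIR-4-7): every error channel of strtol() is examined: endptr for
 * "nothing consumed" and for trailing junk, errno for ERANGE, and finally the
 * application's own range (TCP ports are 0..65535). */
enum parse_status parse_port_checked(const char *s, int *port) {
    char *end = NULL;
    errno = 0;                        /* errno must be cleared before the call */
    long v = strtol(s, &end, 10);
    if (end == s) return PARSE_EMPTY;
    if (errno == ERANGE) return PARSE_RANGE;
    if (*end != '\0') return PARSE_TRAILING;
    if (v < 0 || v > 65535) return PARSE_RANGE;
    *port = (int)v;
    return PARSE_OK;
}

/* NON_COMPLIANT (DIR-4-11): isdigit() is only defined for arguments that are
 * representable as unsigned char or equal to EOF. A plain char is signed on
 * many platforms, so a byte >= 0x80 passes a negative value: undefined behaviour. */
int count_digits_unchecked(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (isdigit(*s)) n++;
    }
    return n;
}

/* COMPLIANT (DIR-4-11): the argument is brought into the function's domain
 * before the call by converting through unsigned char. */
int count_digits_checked(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (isdigit((unsigned char)*s)) n++;
    }
    return n;
}

/* Constructed sample: "a1b2" followed by two non-ASCII bytes (0xC3 0xA9).
 * Returns the digit count via the compliant function (2). */
int sample_digit_count(void) {
    static const char sample[] = { 'a', '1', 'b', '2', (char)0xC3, (char)0xA9, '\0' };
    return count_digits_checked(sample);
}

int main(void) {
    const char *inputs[] = { "80", "", "80x", "70000", "-1", "99999999999999999999999" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int port = -1;
        enum parse_status st = parse_port_checked(inputs[i], &port);
        printf("checked   \"%s\" -> status %d port %d\n", inputs[i], (int)st, port);
        printf("unchecked \"%s\" -> %ld\n", inputs[i], parse_port_unchecked(inputs[i]));
    }
    printf("digits in sample: %d\n", sample_digit_count());
    return 0;
}
```

The unchecked parser is the shape of call site the shared M0-3-2 implementation flags: the return value is used but the error state (errno, endptr) is never examined, so a malformed string is indistinguishable from port 0. The isdigit() pair shows why DIR-4-11 is about the argument's domain rather than its type: the same int-typed argument is valid or undefined depending on a cast the compiler will not insist on.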