Implement rule 28-6-1, only move non-const lvalues

c/cert/src/codeql-pack.lock.yml

@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  advanced-security/qtil:
+    version: 0.0.3
   codeql/cpp-all:
     version: 4.0.3
   codeql/dataflow:

c/cert/src/rules/INT36-C/ConvertingAPointerToIntegerOrIntegerToPointer.ql

@@ -17,6 +17,7 @@
 
 import cpp
 import codingstandards.c.cert
+import codingstandards.cpp.types.Resolve
 
 class LiteralZero extends Literal {
   LiteralZero() { this.getValue() = "0" }
@@ -37,21 +38,30 @@ class StdIntIntPtrType extends Type {
   }
 }
 
+class ResolvesToStdIntIntPtrType = ResolvesTo<StdIntIntPtrType>::IgnoringSpecifiers;
+
+class ResolvesToVoidPointerType = ResolvesTo<VoidPointerType>::IgnoringSpecifiers;
+
 /**
  * Casting a pointer value to integer, excluding literal 0.
  * Includes implicit conversions made during declarations or assignments.
  */
 predicate conversionBetweenPointerAndInteger(Cast cast, string message) {
   /* Ensure that `int` has different size than that of pointers */
-  exists(IntType intType, PointerType ptrType | intType.getSize() < ptrType.getSize() |
-    cast.getExpr().getUnderlyingType() = intType and
-    cast.getUnderlyingType() = ptrType and
+  exists(
+    ResolvesTo<IntType>::IgnoringSpecifiers intType,
+    ResolvesTo<PointerType>::IgnoringSpecifiers ptrType
+  |
+    intType.getSize() < ptrType.getSize()
+  |
+    cast.getExpr().getType() = intType and
+    cast.getType() = ptrType and
     if cast.isCompilerGenerated()
     then message = "Integer expression " + cast.getExpr() + " is implicitly cast to a pointer type."
     else message = "Integer expression " + cast.getExpr() + " is cast to a pointer type."
     or
-    cast.getExpr().getUnderlyingType() = ptrType and
-    cast.getUnderlyingType() = intType and
+    cast.getExpr().getType() = ptrType and
+    cast.getType() = intType and
     if cast.isCompilerGenerated()
     then
       message = "Pointer expression " + cast.getExpr() + " is implicitly cast to an integer type."
@@ -61,11 +71,11 @@ predicate conversionBetweenPointerAndInteger(Cast cast, string message) {
   not cast.getExpr() instanceof LiteralZero and
   /* Compliant exception 2: variable's declared type is (u)intptr_t */
   not (
-    cast.getType() instanceof StdIntIntPtrType and
-    cast.getExpr().getType() instanceof VoidPointerType
+    cast.getType() instanceof ResolvesToStdIntIntPtrType and
+    cast.getExpr().getType() instanceof ResolvesToVoidPointerType
     or
-    cast.getType() instanceof VoidPointerType and
-    cast.getExpr().getType() instanceof StdIntIntPtrType
+    cast.getType() instanceof ResolvesToVoidPointerType and
+    cast.getExpr().getType() instanceof ResolvesToStdIntIntPtrType
   )
 }
 

c/cert/test/codeql-pack.lock.yml

@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  advanced-security/qtil:
+    version: 0.0.3
   codeql/cpp-all:
     version: 4.0.3
   codeql/dataflow:

c/common/src/codeql-pack.lock.yml

@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  advanced-security/qtil:
+    version: 0.0.3
   codeql/cpp-all:
     version: 4.0.3
   codeql/dataflow:

c/common/test/codeql-pack.lock.yml

@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  advanced-security/qtil:
+    version: 0.0.3
   codeql/cpp-all:
     version: 4.0.3
   codeql/dataflow:

c/misra/src/codeql-pack.lock.yml

@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  advanced-security/qtil:
+    version: 0.0.3
   codeql/cpp-all:
     version: 4.0.3
   codeql/dataflow:

c/misra/src/rules/RULE-22-12/NonstandardUseOfThreadingObject.ql

@@ -16,9 +16,11 @@
 import cpp
 import codingstandards.c.misra
 import codingstandards.cpp.Concurrency
-import codingstandards.cpp.Type
+import codingstandards.cpp.types.Resolve
 
-predicate isThreadingObject(Type t) { t instanceof PossiblySpecified<C11ThreadingObjectType>::Type }
+predicate isThreadingObject(Type t) {
+  t instanceof ResolvesTo<C11ThreadingObjectType>::IgnoringSpecifiers
+}
 
 predicate validUseOfStdThreadObject(Expr e) {
   e.getParent() instanceof AddressOfExpr

c/misra/src/rules/RULE-22-13/ThreadingObjectWithInvalidStorageDuration.ql

@@ -17,15 +17,15 @@ import cpp
 import codingstandards.c.misra
 import codingstandards.c.Objects
 import codingstandards.cpp.Concurrency
-import codingstandards.cpp.Type
+import codingstandards.cpp.types.Resolve
 
 from ObjectIdentity obj, StorageDuration storageDuration, Type type
 where
   not isExcluded(obj, Concurrency8Package::threadingObjectWithInvalidStorageDurationQuery()) and
   storageDuration = obj.getStorageDuration() and
   not storageDuration.isStatic() and
   type = obj.getASubObjectType() and
-  type instanceof PossiblySpecified<C11ThreadingObjectType>::Type
+  type instanceof ResolvesTo<C11ThreadingObjectType>::IgnoringSpecifiers
 select obj,
   "Object of type '" + obj.getType().getName() + "' has invalid storage duration type '" +
     storageDuration.getStorageTypeName() + "'."

c/misra/src/rules/RULE-22-14/MutexNotInitializedBeforeUse.ql

@@ -17,7 +17,7 @@ import cpp
 import codingstandards.c.misra
 import codingstandards.c.Objects
 import codingstandards.cpp.Concurrency
-import codingstandards.cpp.Type
+import codingstandards.cpp.types.Resolve
 import codingstandards.c.initialization.GlobalInitializationAnalysis
 
 module MutexInitializationConfig implements GlobalInitializationAnalysisConfigSig {
@@ -68,8 +68,8 @@ where
   ) and
   (
     if
-      obj.getType() instanceof PossiblySpecified<C11MutexType>::Type or
-      obj.getType() instanceof PossiblySpecified<C11ConditionType>::Type
+      obj.getType() instanceof ResolvesTo<C11MutexType>::IgnoringSpecifiers or
+      obj.getType() instanceof ResolvesTo<C11ConditionType>::IgnoringSpecifiers
     then description = typeString
     else description = typeString + " in object"
   )

c/misra/test/codeql-pack.lock.yml

@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  advanced-security/qtil:
+    version: 0.0.3
   codeql/cpp-all:
     version: 4.0.3
   codeql/dataflow:

change_notes/2025-12-03-type-resolution-tracking-changes.md

@@ -0,0 +1,6 @@
+ - `INT36-C` - `ConvertingAPointerToIntegerOrIntegerToPointer.ql`:
+  - Integrated new type resolution modules to fully handle typedefs and ignore cv-qualifiers during type comparisons, such as in detecting int types, pointer types, (u)intptr_t types, and void pointer types.
+ - `RULE-22-12`, `RULE-22-13`, `RULE-22-14` - `NonstandardUseOfThreadingObject.ql`, `ThreadingObjectWithInvalidStorageDuration.ql`, `MutexNotInitializedBeforeUse.ql`:
+  - Integrated new type resolution modules to handle typedefs when identifying threading object types.
+ - `RULE-9-5-1` - `LegacyForStatementsShouldBeSimple.ql`:
+  - Refactor to integrate new type resolution, no change in functionality expected.

cpp/autosar/src/codeql-pack.lock.yml

@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  advanced-security/qtil:
+    version: 0.0.3
   codeql/cpp-all:
     version: 4.0.3
   codeql/dataflow:

cpp/autosar/test/codeql-pack.lock.yml

@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  advanced-security/qtil:
+    version: 0.0.3
   codeql/cpp-all:
     version: 4.0.3
   codeql/dataflow:

cpp/cert/src/codeql-pack.lock.yml

@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  advanced-security/qtil:
+    version: 0.0.3
   codeql/cpp-all:
     version: 4.0.3
   codeql/dataflow:

cpp/cert/test/codeql-pack.lock.yml

@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  advanced-security/qtil:
+    version: 0.0.3
   codeql/cpp-all:
     version: 4.0.3
   codeql/dataflow:

cpp/common/src/codeql-pack.lock.yml

@@ -1,6 +1,8 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  advanced-security/qtil:
+    version: 0.0.3
   codeql/cpp-all:
     version: 4.0.3
   codeql/dataflow:

cpp/common/src/codingstandards/cpp/ast/ValueCategory.qll

@@ -0,0 +1,60 @@
+import cpp
+
+/**
+ * Get an expression's value category as a ValueCategory object.
+ *
+ * Note that the standard cpp library exposes `is{_}ValueCategory` predicates, but they do not
+ * correctly work with conversions. This function is intended to give the correct answer in the
+ * presence of conversions such as lvalue-to-rvalue conversion.
+ */
+ValueCategory getValueCategory(Expr e) {
+  not exists(e.getConversion()) and
+  result = getDirectValueCategory(e)
+  or
+  if e.getConversion() instanceof ReferenceToExpr
+  then result = getDirectValueCategory(e)
+  else result = getDirectValueCategory(e.getConversion())
+}
+
+private ValueCategory getDirectValueCategory(Expr e) {
+  if e.isLValueCategory()
+  then result = LValue(e.getValueCategoryString())
+  else
+    if e.isPRValueCategory()
+    then result = PRValue(e.getValueCategoryString())
+    else
+      if e.isXValueCategory()
+      then result = XValue(e.getValueCategoryString())
+      else none()
+}
+
+newtype TValueCategory =
+  LValue(string descr) {
+    exists(Expr e | e.isLValueCategory() and descr = e.getValueCategoryString())
+  } or
+  PRValue(string descr) {
+    exists(Expr e | e.isPRValueCategory() and descr = e.getValueCategoryString())
+  } or
+  XValue(string descr) {
+    exists(Expr e | e.isXValueCategory() and descr = e.getValueCategoryString())
+  }
+
+class ValueCategory extends TValueCategory {
+  string description;
+
+  ValueCategory() {
+    this = LValue(description) or this = PRValue(description) or this = XValue(description)
+  }
+
+  predicate isLValue() { this instanceof LValue }
+
+  predicate isPRValue() { this instanceof PRValue }
+
+  predicate isXValue() { this instanceof XValue }
+
+  predicate isRValue() { this instanceof PRValue or this instanceof XValue }
+
+  predicate isGlvalue() { this instanceof LValue or this instanceof XValue }
+
+  string toString() { result = description }
+}

cpp/common/src/codingstandards/cpp/exclusions/cpp/Preconditions5.qll

@@ -0,0 +1,26 @@
+//** THIS FILE IS AUTOGENERATED, DO NOT MODIFY DIRECTLY.  **/
+import cpp
+import RuleMetadata
+import codingstandards.cpp.exclusions.RuleMetadata
+
+newtype Preconditions5Query = TStdMoveWithNonConstLvalueQuery()
+
+predicate isPreconditions5QueryMetadata(Query query, string queryId, string ruleId, string category) {
+  query =
+    // `Query` instance for the `stdMoveWithNonConstLvalue` query
+    Preconditions5Package::stdMoveWithNonConstLvalueQuery() and
+  queryId =
+    // `@id` for the `stdMoveWithNonConstLvalue` query
+    "cpp/misra/std-move-with-non-const-lvalue" and
+  ruleId = "RULE-28-6-1" and
+  category = "required"
+}
+
+module Preconditions5Package {
+  Query stdMoveWithNonConstLvalueQuery() {
+    //autogenerate `Query` type
+    result =
+      // `Query` type for `stdMoveWithNonConstLvalue` query
+      TQueryCPP(TPreconditions5PackageQuery(TStdMoveWithNonConstLvalueQuery()))
+  }
+}

cpp/common/src/codingstandards/cpp/exclusions/cpp/RuleMetadata.qll

@@ -44,6 +44,7 @@ import Operators
 import OrderOfEvaluation
 import OutOfBounds
 import Pointers
+import Preconditions5
 import Representation
 import Scope
 import SideEffects1
@@ -103,6 +104,7 @@ newtype TCPPQuery =
   TOrderOfEvaluationPackageQuery(OrderOfEvaluationQuery q) or
   TOutOfBoundsPackageQuery(OutOfBoundsQuery q) or
   TPointersPackageQuery(PointersQuery q) or
+  TPreconditions5PackageQuery(Preconditions5Query q) or
   TRepresentationPackageQuery(RepresentationQuery q) or
   TScopePackageQuery(ScopeQuery q) or
   TSideEffects1PackageQuery(SideEffects1Query q) or
@@ -162,6 +164,7 @@ predicate isQueryMetadata(Query query, string queryId, string ruleId, string cat
   isOrderOfEvaluationQueryMetadata(query, queryId, ruleId, category) or
   isOutOfBoundsQueryMetadata(query, queryId, ruleId, category) or
   isPointersQueryMetadata(query, queryId, ruleId, category) or
+  isPreconditions5QueryMetadata(query, queryId, ruleId, category) or
   isRepresentationQueryMetadata(query, queryId, ruleId, category) or
   isScopeQueryMetadata(query, queryId, ruleId, category) or
   isSideEffects1QueryMetadata(query, queryId, ruleId, category) or