Import EXP51-CPP into rule 4-1-3 as it is UB

Author: MichaelRFairhurst

change_notes/2026-03-13-share-array-delete-type-mismatch-query.md

@@ -0,0 +1,3 @@
+ - `EXP51-CPP` - `DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.ql`:
+   - Refactored query logic into a shared library (`DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeShared.qll`) to enable reuse by MISRA C++ `RULE-4-1-3`. The query logic is unchanged and no visible changes to results or performance are expected.
+   - The query now uses a `query predicate problems` instead of a `from/where/select`. In path-problem BQRS output, the results section header changes from `#select` to `problems`. Alert results and their content are otherwise identical.

cpp/cert/src/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.ql

@@ -18,29 +18,18 @@
 
 import cpp
 import codingstandards.cpp.cert
-import semmle.code.cpp.dataflow.DataFlow
-import AllocationToDeleteFlow::PathGraph
+import codingstandards.cpp.rules.donotdeleteanarraythroughapointeroftheincorrecttypeshared.DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeShared
 
-module AllocationToDeleteConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof NewArrayExpr }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(DeleteArrayExpr dae | dae.getExpr() = sink.asExpr())
+module DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeConfig implements
+  DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeSharedConfigSig
+{
+  Query getQuery() {
+    result = FreedPackage::doNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeQuery()
   }
 }
 
-module AllocationToDeleteFlow = DataFlow::Global<AllocationToDeleteConfig>;
+module Shared =
+  DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeShared<DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeConfig>;
 
-from
-  AllocationToDeleteFlow::PathNode source, AllocationToDeleteFlow::PathNode sink,
-  NewArrayExpr newArray, DeleteArrayExpr deleteArray
-where
-  not isExcluded(deleteArray.getExpr(),
-    FreedPackage::doNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeQuery()) and
-  AllocationToDeleteFlow::flowPath(source, sink) and
-  newArray = source.getNode().asExpr() and
-  deleteArray.getExpr() = sink.getNode().asExpr() and
-  not newArray.getType().getUnspecifiedType() = deleteArray.getExpr().getType().getUnspecifiedType()
-select sink, source, sink,
-  "Array of type " + newArray.getType() + " is deleted through a pointer of type " +
-    deleteArray.getExpr().getType() + "."
+import Shared::PathGraph
+import Shared

cpp/cert/test/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.expected

@@ -0,0 +1 @@
+cpp/common/test/rules/donotdeleteanarraythroughapointeroftheincorrecttypeshared/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeShared.ql

cpp/cert/test/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.qlref

@@ -8,7 +8,8 @@ newtype UndefinedQuery =
   TCriticalUnspecifiedBehaviorQuery() or
   TUndefinedBehaviorAuditQuery() or
   TCriticalUnspecifiedBehaviorAuditQuery() or
-  TPossibleDataRaceBetweenThreadsQuery()
+  TPossibleDataRaceBetweenThreadsQuery() or
+  TArrayDeletedThroughPointerOfIncorrectTypeQuery()
 
 predicate isUndefinedQueryMetadata(Query query, string queryId, string ruleId, string category) {
   query =
@@ -55,6 +56,15 @@ predicate isUndefinedQueryMetadata(Query query, string queryId, string ruleId, s
     "cpp/misra/possible-data-race-between-threads" and
   ruleId = "RULE-4-1-3" and
   category = "required"
+  or
+  query =
+    // `Query` instance for the `arrayDeletedThroughPointerOfIncorrectType` query
+    UndefinedPackage::arrayDeletedThroughPointerOfIncorrectTypeQuery() and
+  queryId =
+    // `@id` for the `arrayDeletedThroughPointerOfIncorrectType` query
+    "cpp/misra/array-deleted-through-pointer-of-incorrect-type" and
+  ruleId = "RULE-4-1-3" and
+  category = "required"
 }
 
 module UndefinedPackage {
@@ -92,4 +102,11 @@ module UndefinedPackage {
       // `Query` type for `possibleDataRaceBetweenThreads` query
       TQueryCPP(TUndefinedPackageQuery(TPossibleDataRaceBetweenThreadsQuery()))
   }
+
+  Query arrayDeletedThroughPointerOfIncorrectTypeQuery() {
+    //autogenerate `Query` type
+    result =
+      // `Query` type for `arrayDeletedThroughPointerOfIncorrectType` query
+      TQueryCPP(TUndefinedPackageQuery(TArrayDeletedThroughPointerOfIncorrectTypeQuery()))
+  }
 }

cpp/cert/test/rules/EXP51-CPP/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectType.testref

@@ -0,0 +1,48 @@
+/**
+ * Provides a configurable module DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeShared
+ * with a `problems` predicate for the following issue:
+ * Deleting an array through a pointer of an incorrect type leads to undefined behavior.
+ */
+
+import cpp
+import codingstandards.cpp.Customizations
+import codingstandards.cpp.Exclusions
+import semmle.code.cpp.dataflow.DataFlow
+
+signature module DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeSharedConfigSig {
+  Query getQuery();
+}
+
+module DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeShared<
+  DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeSharedConfigSig Config>
+{
+  private module AllocationToDeleteConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source.asExpr() instanceof NewArrayExpr }
+
+    predicate isSink(DataFlow::Node sink) {
+      exists(DeleteArrayExpr dae | dae.getExpr() = sink.asExpr())
+    }
+  }
+
+  module AllocationToDeleteFlow = DataFlow::Global<AllocationToDeleteConfig>;
+
+  module PathGraph = AllocationToDeleteFlow::PathGraph;
+
+  query predicate problems(
+    Expr deleteExpr, AllocationToDeleteFlow::PathNode source, AllocationToDeleteFlow::PathNode sink,
+    string message
+  ) {
+    exists(NewArrayExpr newArray, DeleteArrayExpr deleteArray |
+      not isExcluded(deleteArray.getExpr(), Config::getQuery()) and
+      AllocationToDeleteFlow::flowPath(source, sink) and
+      newArray = source.getNode().asExpr() and
+      deleteArray.getExpr() = sink.getNode().asExpr() and
+      not newArray.getType().getUnspecifiedType() =
+        deleteArray.getExpr().getType().getUnspecifiedType() and
+      deleteExpr = sink.getNode().asExpr() and
+      message =
+        "Array of type " + newArray.getType() + " is deleted through a pointer of type " +
+          deleteArray.getExpr().getType() + "."
+    )
+  }
+}

cpp/common/src/codingstandards/cpp/exclusions/cpp/Undefined.qll

@@ -0,0 +1,11 @@
+problems
+| test.cpp:9:12:9:13 | l1 | test.cpp:6:19:6:37 | new[] | test.cpp:9:12:9:13 | l1 | Array of type DerivedClass * is deleted through a pointer of type BaseClass *. |
+edges
+| test.cpp:6:19:6:37 | new[] | test.cpp:9:12:9:13 | l1 | provenance |  |
+| test.cpp:7:22:7:40 | new[] | test.cpp:10:12:10:13 | l2 | provenance |  |
+nodes
+| test.cpp:6:19:6:37 | new[] | semmle.label | new[] |
+| test.cpp:7:22:7:40 | new[] | semmle.label | new[] |
+| test.cpp:9:12:9:13 | l1 | semmle.label | l1 |
+| test.cpp:10:12:10:13 | l2 | semmle.label | l2 |
+subpaths

cpp/common/src/codingstandards/cpp/rules/donotdeleteanarraythroughapointeroftheincorrecttypeshared/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeShared.qll

@@ -0,0 +1,11 @@
+// GENERATED FILE - DO NOT MODIFY
+import codingstandards.cpp.rules.donotdeleteanarraythroughapointeroftheincorrecttypeshared.DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeShared
+
+module TestFileConfig implements DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeSharedConfigSig {
+  Query getQuery() { result instanceof TestQuery }
+}
+
+module Shared = DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeShared<TestFileConfig>;
+
+import Shared::PathGraph
+import Shared

cpp/common/test/rules/donotdeleteanarraythroughapointeroftheincorrecttypeshared/DoNotDeleteAnArrayThroughAPointerOfTheIncorrectTypeShared.expected

@@ -8,4 +8,4 @@ void test() {
 
   delete[] l1; // NON_COMPLIANT - pointer to base class
   delete[] l2; // COMPLIANT - pointer to derived class
-}
+}