Skip to content

Narrowly focused implementation of RULE 15-0-1 #1121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MichaelRFairhurst wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Narrowly focused implementation of RULE 15-0-1 #1121

Show file tree
Hide file tree
Changes from 14 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
a31cf70
First round tests
MichaelRFairhurst Apr 29, 2026
ba6c2ca
First implementation
MichaelRFairhurst Apr 29, 2026
a31aac3
All tests passing for main query
MichaelRFairhurst Apr 29, 2026
057e33b
Implement audit query
MichaelRFairhurst Apr 29, 2026
3584a15
Add some cases
jeongsoolee09 Apr 29, 2026
d37827a
Use correct audit tag
MichaelRFairhurst Apr 29, 2026
5000f27
Just omit functions by hand that's supposed to not be declared
jeongsoolee09 Apr 29, 2026
184da86
Merge branch 'michaelrfairhurst/classes-3-take-2-rule-15-0-1' of gith…
jeongsoolee09 Apr 29, 2026
e63c088
Fix RuleMetadata.qll (package from a different rule/branch)
MichaelRFairhurst Apr 30, 2026
658571a
clang format
MichaelRFairhurst Apr 30, 2026
6e9dde1
Change the label of a case and break it down
jeongsoolee09 Apr 30, 2026
d04d4df
Merge branch 'michaelrfairhurst/classes-3-take-2-rule-15-0-1' of gith…
jeongsoolee09 Apr 30, 2026
96e2ed0
Some formatting, make copy-enabled class no longer copy-assignable
MichaelRFairhurst Apr 30, 2026
ce43802
Handle suppressed move operations
MichaelRFairhurst Apr 30, 2026
a1c1a9e
Updates to expected file
MichaelRFairhurst Apr 30, 2026
2813136
Address feedback
MichaelRFairhurst Apr 30, 2026
51985b9
Give code examples for when copy operations masquerade as moves.
MichaelRFairhurst Apr 30, 2026
61a4dd9
Review feedback
MichaelRFairhurst May 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions cpp/common/src/codingstandards/cpp/exclusions/cpp/Classes3.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
//** THIS FILE IS AUTOGENERATED, DO NOT MODIFY DIRECTLY. **/
import cpp
import RuleMetadata
import codingstandards.cpp.exclusions.RuleMetadata

newtype Classes3Query =
TImproperlyProvidedSpecialMemberFunctionsQuery() or
TImproperlyProvidedSpecialMemberFunctionsAuditQuery()

predicate isClasses3QueryMetadata(Query query, string queryId, string ruleId, string category) {
query =
// `Query` instance for the `improperlyProvidedSpecialMemberFunctions` query
Classes3Package::improperlyProvidedSpecialMemberFunctionsQuery() and
queryId =
// `@id` for the `improperlyProvidedSpecialMemberFunctions` query
"cpp/misra/improperly-provided-special-member-functions" and
ruleId = "RULE-15-0-1" and
category = "required"
or
query =
// `Query` instance for the `improperlyProvidedSpecialMemberFunctionsAudit` query
Classes3Package::improperlyProvidedSpecialMemberFunctionsAuditQuery() and
queryId =
// `@id` for the `improperlyProvidedSpecialMemberFunctionsAudit` query
"cpp/misra/improperly-provided-special-member-functions-audit" and
ruleId = "RULE-15-0-1" and
category = "required"
}

module Classes3Package {
Query improperlyProvidedSpecialMemberFunctionsQuery() {
//autogenerate `Query` type
result =
// `Query` type for `improperlyProvidedSpecialMemberFunctions` query
TQueryCPP(TClasses3PackageQuery(TImproperlyProvidedSpecialMemberFunctionsQuery()))
}

Query improperlyProvidedSpecialMemberFunctionsAuditQuery() {
//autogenerate `Query` type
result =
// `Query` type for `improperlyProvidedSpecialMemberFunctionsAudit` query
TQueryCPP(TClasses3PackageQuery(TImproperlyProvidedSpecialMemberFunctionsAuditQuery()))
}
}
3 changes: 3 additions & 0 deletions cpp/common/src/codingstandards/cpp/exclusions/cpp/RuleMetadata.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import BannedSyntax
import BannedTypes
import Classes
import Classes2
import Classes3
import Classes4
import Comments
import Concurrency
Expand Down Expand Up @@ -126,6 +127,7 @@ newtype TCPPQuery =
TBannedTypesPackageQuery(BannedTypesQuery q) or
TClassesPackageQuery(ClassesQuery q) or
TClasses2PackageQuery(Classes2Query q) or
TClasses3PackageQuery(Classes3Query q) or
TClasses4PackageQuery(Classes4Query q) or
TCommentsPackageQuery(CommentsQuery q) or
TConcurrencyPackageQuery(ConcurrencyQuery q) or
Expand Down Expand Up @@ -234,6 +236,7 @@ predicate isQueryMetadata(Query query, string queryId, string ruleId, string cat
isBannedTypesQueryMetadata(query, queryId, ruleId, category) or
isClassesQueryMetadata(query, queryId, ruleId, category) or
isClasses2QueryMetadata(query, queryId, ruleId, category) or
isClasses3QueryMetadata(query, queryId, ruleId, category) or
isClasses4QueryMetadata(query, queryId, ruleId, category) or
isCommentsQueryMetadata(query, queryId, ruleId, category) or
isConcurrencyQueryMetadata(query, queryId, ruleId, category) or
Expand Down
112 changes: 112 additions & 0 deletions cpp/misra/src/rules/RULE-15-0-1/AnalyzableClass.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,112 @@
import cpp

Comment thread
MichaelRFairhurst marked this conversation as resolved.
private predicate isUsable(MemberFunction f) {
not f.isDeleted() and
f.isPublic()
}

private predicate isMemberCustomized(MemberFunction f) {
exists(f.getDefinition()) and
not f.isDefaulted() and
not f.isDeleted() and
not f.isCompilerGenerated()
}

private predicate isUserDeclared(MemberFunction f) { not f.isCompilerGenerated() }

/**
* Holds if the implicit move constructor or move assignment operator of the class `c` will not be
* declared.
*
* See [class.copy]/8 and [class.copy]
Copy link
Copy Markdown
Collaborator

@jeongsoolee09 jeongsoolee09 Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* See [class.copy]/8 and [class.copy]
* See [class.copy.ctor]/8 and [class.copy]

Copy link
Copy Markdown
Collaborator Author

@MichaelRFairhurst MichaelRFairhurst May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 61a4dd9!

*/
private predicate implicitMoveIsSuppressed(Class c) {
isUserDeclared(c.getAConstructor().(CopyConstructor))
or
isUserDeclared(c.getAConstructor().(CopyAssignmentOperator))
Comment thread
MichaelRFairhurst marked this conversation as resolved.
Outdated
or
isUserDeclared(c.getDestructor())
Copy link
Copy Markdown
Collaborator

@jeongsoolee09 jeongsoolee09 Apr 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be missing a branch.

Suggested change
isUserDeclared(c.getDestructor())
isUserDeclared(c.getDestructor())
or
isUserDeclared(c.getAMemberFunction().(MoveAssignmentOperator))

}

Constructor getMoveConstructor(Class c) {
if
not exists(MoveConstructor mc | mc = c.getAConstructor() and isUserDeclared(mc)) and
implicitMoveIsSuppressed(c)
then result = c.getAConstructor().(CopyConstructor)
else result = c.getAConstructor().(MoveConstructor)
}

Operator getMoveAssign(Class c) {
if
not exists(MoveAssignmentOperator mc | mc = c.getAMemberFunction() and isUserDeclared(mc)) and
implicitMoveIsSuppressed(c)
then result = c.getAMemberFunction().(CopyAssignmentOperator)
else result = c.getAMemberFunction().(MoveAssignmentOperator)
}
Comment thread
jeongsoolee09 marked this conversation as resolved.
Outdated

newtype TSpecialMember =
TMoveConstructor() or
TMoveAssignmentOperator() or
TCopyConstructor() or
TCopyAssignmentOperator() or
TDestructor()

class AnalyzableClass extends Class {
CopyConstructor copyCtor;
// The move constructor may be suppressed, and the copy constructor may be used during moves.
Comment thread
MichaelRFairhurst marked this conversation as resolved.
Constructor moveCtor;
CopyAssignmentOperator copyAssign;
// The move assignment operator may be suppressed, and the copy assignment operator may be used during moves.
Operator moveAssign;
Destructor dtor;

AnalyzableClass() {
copyCtor = this.getAConstructor() and
moveCtor = getMoveConstructor(this) and
copyAssign = this.getAMemberFunction() and
moveAssign = getMoveAssign(this) and
dtor = this.getDestructor()
}

predicate exposes(TSpecialMember m) {
m instanceof TMoveConstructor and moveConstructible()
or
m instanceof TMoveAssignmentOperator and moveAssignable()
or
m instanceof TCopyConstructor and copyConstructible()
or
m instanceof TCopyAssignmentOperator and copyAssignable()
or
m instanceof TDestructor and destructible()
}

predicate moveConstructible() { isUsable(moveCtor) }

predicate copyConstructible() { isUsable(copyCtor) }

predicate moveAssignable() { isUsable(moveAssign) }

predicate copyAssignable() { isUsable(copyAssign) }

predicate destructible() { isUsable(dtor) }

predicate isCustomized(TSpecialMember s) {
s instanceof TMoveConstructor and
isMemberCustomized(moveCtor) and
declaresMoveConstructor()
or
s instanceof TMoveAssignmentOperator and
isMemberCustomized(moveAssign) and
declaresMoveAssignmentOperator()
or
s instanceof TCopyConstructor and isMemberCustomized(copyCtor)
or
s instanceof TCopyAssignmentOperator and isMemberCustomized(copyAssign)
or
s instanceof TDestructor and isMemberCustomized(dtor)
}

predicate declaresMoveConstructor() { not moveCtor = copyCtor }

predicate declaresMoveAssignmentOperator() { not moveAssign = copyAssign }
}
150 changes: 150 additions & 0 deletions cpp/misra/src/rules/RULE-15-0-1/ImproperlyProvidedSpecialMemberFunctions.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,150 @@
/**
* @id cpp/misra/improperly-provided-special-member-functions
* @name RULE-15-0-1: Special member functions shall be provided appropriately
* @description Incorrect provision of special member functions can lead to unexpected or undefined
* behavior when objects of the class are copied, moved, or destroyed.
* @kind problem
* @precision medium
* @problem.severity warning
* @tags external/misra/id/rule-15-0-1
* scope/single-translation-unit
* correctness
* maintainability
* external/misra/enforcement/decidable
* external/misra/obligation/required
*/

import cpp
import codingstandards.cpp.misra
import AnalyzableClass

predicate isCopyEnabled(AnalyzableClass c) {
c.moveConstructible() and
not c.moveAssignable() and
c.copyConstructible() and
not c.copyAssignable()
or
c.moveConstructible() and
c.moveAssignable() and
c.copyConstructible() and
c.copyAssignable()
}

predicate isMoveOnly(AnalyzableClass c) {
c.moveConstructible() and
not c.moveAssignable() and
not c.copyConstructible() and
not c.copyAssignable()
or
c.moveConstructible() and
c.moveAssignable() and
not c.copyConstructible() and
not c.copyAssignable()
}

predicate isUnmovable(AnalyzableClass c) {
not c.moveConstructible() and
not c.moveAssignable() and
not c.copyConstructible() and
not c.copyAssignable()
}

predicate isValidCategory(AnalyzableClass c) {
isCopyEnabled(c) or
isMoveOnly(c) or
isUnmovable(c)
}

string specialMemberName(TSpecialMember f) {
f = TCopyConstructor() and result = "copy constructor"
or
f = TMoveConstructor() and result = "move constructor"
or
f = TCopyAssignmentOperator() and result = "copy assignment operator"
or
f = TMoveAssignmentOperator() and result = "move assignment operator"
}

predicate violatesCustomizedMoveOrCopyRequirements(AnalyzableClass c, string reason) {
not c.isCustomized(TDestructor()) and
exists(string concatenated |
concatenated =
strictconcat(TSpecialMember f |
not f = TDestructor() and
c.isCustomized(f)
|
specialMemberName(f), ", "
) and
reason = "has customized " + concatenated + ", but does not customize the destructor."
)
}

private predicate undeclaredMoveException(AnalyzableClass c) {
// A copy-enabled class may have an undeclared move constructor.
isCopyEnabled(c) and
not c.moveAssignable() and
Copy link
Copy Markdown
Collaborator

@jeongsoolee09 jeongsoolee09 Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this condition needed?

Copy link
Copy Markdown
Collaborator Author

@MichaelRFairhurst MichaelRFairhurst Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This (and the next comment) are attempting to check if the class is copy-assignable vs copy-enabled.

If a class is copyEnabled, we can check for the existence of either assignment operator to distinguish copy-enabled from copy-assignable, because a copy-assignable class will have both and a copy-enabled class will have neither.

It took me too long to remember that that's why I wrote it. I'll write a helper predicate that makes this clearer.

Copy link
Copy Markdown
Collaborator Author

@MichaelRFairhurst MichaelRFairhurst May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I see.

Yes, you're right. I forgot that copy-assignable was specifically declared to mean a class where std::is_copy_assignable_v<T> is true -- I thought it referred specifically to the assignable row of copy-enabled. (Which is only partly true).

Fixed in 61a4dd9!

not c.declaresMoveConstructor()
or
// A copy-assignable class may leave both move operations undeclared.
isCopyEnabled(c) and
c.moveAssignable() and
Copy link
Copy Markdown
Collaborator

@jeongsoolee09 jeongsoolee09 Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be c.copyAssignable() instead?

Copy link
Copy Markdown
Collaborator Author

@MichaelRFairhurst MichaelRFairhurst May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 61a4dd9!

not c.declaresMoveConstructor() and
not c.declaresMoveAssignmentOperator()
}

predicate violatesCustomizedDestructorRequirements(AnalyzableClass c, string reason) {
c.isCustomized(TDestructor()) and
(
c.moveConstructible() and
not c.isCustomized(TMoveConstructor()) and
not undeclaredMoveException(c) and
reason = "has customized the destructor, but does not customize the move constructor."
or
c.moveAssignable() and
not undeclaredMoveException(c) and
not c.isCustomized(TMoveAssignmentOperator()) and
reason = "has customized the destructor, but does not customize the move assignment operator."
or
c.copyConstructible() and
not c.isCustomized(TCopyConstructor()) and
reason = "has customized the destructor, but does not customize the copy constructor."
or
c.copyAssignable() and
not c.isCustomized(TCopyAssignmentOperator()) and
reason = "has customized the destructor, but does not customize the copy assignment operator."
)
}
Comment on lines +82 to +115
Copy link
Copy Markdown
Collaborator

@jeongsoolee09 jeongsoolee09 Apr 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was a bit hard for me to follow the logic of this requirement check. Since these come in the form of

isCopyEnabled(class) -> {some_condition}

wouldn't it be simpler to check it using by taking the negation of the above?

isCopyEnabled(class) and ~{some_condition}

For example, the last requirement translates to

c.copyAssignable() implies (
  c.isCustomized(TCopyAssignmentOperator()) and
  (
    c.isCustomized(TMoveConstructor()) and c.isCustomized(TMoveAssignmentOperator()) or
    not isUserDeclared(getMoveConstructor(c)) and not isUserDeclared(getMoveAssign(c))
  )
)

So the check becomes:

c.copyAssignable() and not (
  c.isCustomized(TCopyAssignmentOperator()) and
  (
    c.isCustomized(TMoveConstructor()) and c.isCustomized(TMoveAssignmentOperator()) or
    not isUserDeclared(getMoveConstructor(c)) and not isUserDeclared(getMoveAssign(c))
  )
)

Rewriting above gives an arguably more readable version:

c.copyAssignable() and (
  /* 1. The copy assignment operator is not customized. */
  not c.isCustomized(TCopyAssignmentOperator()) or
  (
    /* 2. Any one (or both) of the move operations is not customized. */
    not c.isCustomized(TMoveConstructor() or not c.isCustomized(TMoveAssignmentOperator()) and
    /* 3. Any one (or both) of the move operations are user-declared. */
    (isUserDeclared(getMoveConstructor(c)) or isUserDeclared(getMoveAssign(c)))
  )
)

Copy link
Copy Markdown
Collaborator Author

@MichaelRFairhurst MichaelRFairhurst Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I'm understanding correctly, I think this is simpler.

The bullet points 2 and 3 can essentially be rephrased as:

  • in the presence of a customized destructor
  • if it's copy constructible the copy constructor must be customized, and
  • if it's copy assignable the copy assignment operator must be customized, and
  • if it's move constructible, the move constructor must be customized, and
  • if it's move assignable, the the move assignment operator must be customized

The only exceptions are:

  • copy enabled, not copy-assignable classes may leave the move constructor undeclared
  • copy assignable classes may leave both move ctor & assign undeclared

This matches my implementation above.

We can prove each item:

if it's copy constructible, the copy constructor must be customized

If it is copy constructible, it can only be copy enabled or copy assignable. Copy enabled classes must have a customized copy constructor, and copy assignable classes must have a customized copy constructor.

Erg, all copy constructible classes must have a customized copy constructor.

Inversely, if it must have a customized copy constructor, it must be either copy constructible or copy assignable -- the other three categories have no restrictions on the copy constructor.

if it's copy assignable, the copy assignment operator must be customized

This one is a direct quote: "if it is copy-assignable it shall also have a customized copy assignment operator." No other categories place any requirements on the copy assignment operator.

if it's move constructible, the move constructor must be customized

If it's move constructible, it can belong to any category except unmovable. If it is move-only or move-assignable, it must have a customized move constructor (bullet 2).

If it is copy-enabled, it may be undeclared (exception 1) or customized. If it is copy-assignable, both move operation may be undeclared (exception 2) or the the move constructor must be customized along with the copy constructor

Ergo, all move constructible classes must fulfill either exception 1 or exception 2 or have a customized move constructor.

Inversely, the unmovable category places no requirements on the move constructor.

if it's move assignable, the move assignment operator must be customized

if its move assignable, it may be move-only. Move only and assignable classes must have a customized move assignment operator.

If it is copy-enabled, the move assignment operator may be undeclared if the move constructor is (exception 2). Otherwise, it has to be customized.

Ergo, all move assignable classes must fulfill exception 2 or have a customized move assignment operator.

Inversely, a class may be:

  • unmovable, in which case there are no requirements on the move assignment operator, or
  • move-only but not move assignable, in which case there are no requirements on the move assignment operator, or
  • copy-enabled but not assignable, in which case there are no requirements on the move assignment operator.

brief pause

...To me, this is just much simpler overall. Not only is easier to remember that "x-operatable requires x operation is customized."

But it also makes pragmatic sense. A customized destructor indicates that you're managing a resource. Copying and moving a class requires care, during both construction and during assignment.

class Owner {
  Resource *resource;
  Owner() : resource(get_a_resource()) {}
  ~Owner() {
    release(resource);
  }
}

In the above code, the default copy operations will copy the handle, and the resource will be freed twice (once by the original, once by the copy). The default move operations will move the handle, which will typically have copy semantics.

It isn't enough to customize just the move constructor, or just the move assignment operator. Every available operation must be either customized or deleted....with one exception! If you leave the move operations undeclared, then moving will call your copy operations, so its ok to leave move operations undeclared and instead customize your copy operations.

Copy link
Copy Markdown
Collaborator Author

@MichaelRFairhurst MichaelRFairhurst May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you're proposing something closer to this, right?

This is more verbose, but its absolutely possible to make the case that it has better error messages. It is also a pretty clear 1:1 mapping to the misra spec.

predicate violatesCustomizedDestructorRequirements(AnalyzableClass c, string reason) {
  c.isCustomized(TDestructor()) and
  (
    isMoveOnly(c) and
    (
      not c.isCustomized(TMoveConstructor()) and
      reason =
        "is move-only with a customized the destructor, but does not customize the move constructor."
      or
      c.moveAssignable() and
      not c.isCustomized(TMoveAssignmentOperator()) and
      reason =
        "is move-only and move-assignable with a customized the destructor, but does not customize the move assignment operator."
    )
    or
    isCopyEnabled(c) and
    (
      not c.isCustomized(TCopyConstructor()) and
      reason =
        "is copy-enabled with a customized the destructor, but does not customize the copy constructor."
      or
      not c.copyAssignable() and
      c.declaresMoveConstructor() and
      not c.isCustomized(TMoveConstructor()) and
      reason =
        "is copy-enabled with a customized the destructor, but declares a move constructor and does not customize it."
    )
    or
    c.copyAssignable() and
    (
      /* 1. The copy assignment operator is not customized. */
      not c.isCustomized(TCopyAssignmentOperator()) and
      reason =
        "is copy-assignable with a customized destructor but doesn't have a customized copy assignment operator"
      or
      /* 2. Only one of the move operations is customized. */
      c.declaresMoveConstructor() and
      not c.declaresMoveAssignmentOperator() and
      reason =
        "is copy assignable with a customized destructor, but declaring a move constructor implies that the move assignment operator should also be declared"
      or
      not c.declaresMoveConstructor() and
      c.declaresMoveAssignmentOperator() and
      reason =
        "is copy assignable with a customized destructor, but declaring a move assignment operator implies that the move constructor should also be declared"
      or
      /* 3. A move operation is declared but not customized. */
      c.declaresMoveConstructor() and
      not c.isCustomized(TMoveConstructor()) and
      reason =
        "has a customized destructor and declares a move constructor but does not customize it"
      or
      c.declaresMoveAssignmentOperator() and
      not c.isCustomized(TMoveAssignmentOperator()) and
      reason =
        "has a customized destructor and declares a move assignment operator but does not customize it"
    )
  )
}

The above version passes our current tests (just with different alert messages).

We shouldn't keep the old version unless we can clarify it. I don't know if its enough, but we could add a comment like this:

// If you follow the logic of each case in the rule specification, you'll find that all classes in a valid
// category that have a customized destructor, must customize every "x-operation" when the
// class is "x-operatable."
//
// This is logic makes perfect sense. A customized destructor indicates the class manages a
// resource, and such classes must customize every supported operation to prevent unwanted
// sharing, such as double frees.
//
// The only exception is that copy-enabled classes may sometimes omit move declarations. This
// also makes sense: when these operations aren't declared, the corresponding copy operation
// will be used instead.

Hopefully this comment:

  • explains that this is intentionally formulated differently than the rule text
  • explains the value of this formulation over the spec's formulation
  • makes it easier for a reader verify that the code does what it intends to do
  • makes the code easier to maintain

Copy link
Copy Markdown
Collaborator Author

@MichaelRFairhurst MichaelRFairhurst May 1, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, one last thought, and I don't really know which method this supports.

The original/current version will report errors for cases that are not one of the valid categories (not unmovable, or move-only, or copy-enabled), while the rewrite I posted above will not.

Usually this is a bad thing. We don't want to give two alerts when we could give one.

In this case, you could argue the reverse, that a class with a customized destructor and an otherwise defaulted operation should always get a warning. If a user intentionally writes a class that doesn't fit one of the categories (unmovable, move-only, copy-enabled), they might ignore that alert, and then they'll never get a warning that they forgot to customize their move assignment constructor.

Interesting to consider. Maybe not an issue in practice. On qlx, these two versions give the exact same results.


predicate isPublicBase(AnalyzableClass c) {
exists(ClassDerivation d |
d.getBaseClass() = c and
d.hasSpecifier("public")
)
}

predicate satisfiesInheritanceRequirements(AnalyzableClass c) {
not isPublicBase(c)
or
isUnmovable(c) and
c.getDestructor().isPublic() and
c.getDestructor().isVirtual()
or
c.getDestructor().isProtected() and
not c.getDestructor().isVirtual()
}

from AnalyzableClass c, string message
where
not isExcluded(c, Classes3Package::improperlyProvidedSpecialMemberFunctionsQuery()) and
(
not isValidCategory(c) and
message = "does not fall into a valid category (isUnmovable, move-only, or copy-enabled)."
or
violatesCustomizedMoveOrCopyRequirements(c, message)
or
violatesCustomizedDestructorRequirements(c, message)
or
not satisfiesInheritanceRequirements(c) and
message = "violates inheritance requirements for special member functions."
)
select c, "Class '" + c.getName() + "' " + message
49 changes: 49 additions & 0 deletions cpp/misra/src/rules/RULE-15-0-1/ImproperlyProvidedSpecialMemberFunctionsAudit.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
/**
* @id cpp/misra/improperly-provided-special-member-functions-audit
* @name RULE-15-0-1: Special member functions shall be provided appropriately, Audit
* @description Audit: incorrect provision of special member functions can lead to unexpected or
* undefined behavior when objects of the class are copied, moved, or destroyed.
* @kind problem
* @precision low
* @problem.severity warning
* @tags external/misra/id/rule-15-0-1
* scope/single-translation-unit
* correctness
* external/misra/audit
* maintainability
* external/misra/enforcement/decidable
* external/misra/obligation/required
*/

import cpp
import codingstandards.cpp.misra
import AnalyzableClass

string missingKind(Class c) {
not c.getAConstructor() instanceof MoveConstructor and
result = "move constructor"
or
not c.getAMemberFunction() instanceof MoveAssignmentOperator and
result = "move assignment operator"
or
not c.getAConstructor() instanceof CopyConstructor and
result = "copy constructor"
or
not c.getAMemberFunction() instanceof CopyAssignmentOperator and
result = "copy assignment operator"
or
not c.getAMemberFunction() instanceof Destructor and
result = "destructor"
}

string missingKinds(Class c) { result = concat(missingKind(c), " and ") }
Comment thread
MichaelRFairhurst marked this conversation as resolved.

from Class c, string kinds
where
not isExcluded(c, Classes3Package::improperlyProvidedSpecialMemberFunctionsAuditQuery()) and
not c instanceof AnalyzableClass and
not c.isPod() and
kinds = missingKinds(c)
select c,
"Class '" + c.getName() + "' is not analyzable because the " + kinds +
" are not present in the CodeQL database."
Comment thread
MichaelRFairhurst marked this conversation as resolved.
Outdated
Loading
Loading