JS: be conservative in presence of NaN comments

asger-semmle · asger-semmle · commit 43df9538bf7d · 2018-11-29T11:22:14.000Z
diff --git a/javascript/ql/src/semmle/javascript/RangeAnalysis.qll b/javascript/ql/src/semmle/javascript/RangeAnalysis.qll
@@ -69,7 +69,7 @@ import javascript
  *
  * CAVEATS:
  *
- * - We assume !(x <= y) means x > y, ignoring NaN.
+ * - We assume !(x <= y) means x > y, ignoring NaN, unless a nearby comment or identifier mentions NaN.
  *
  * - We assume integer arithmetic is exact, ignoring values above 2^53.
  *
@@ -257,6 +257,24 @@ module RangeAnalysis {
     )
   }
 
+  /**
+   * Holds if the given container has a comment or identifier mentioning `NaN`.
+   */
+  predicate hasNaNIndicator(StmtContainer container) {
+    exists (Comment comment |
+      comment.getText().regexpMatch("(?s).*N[aA]N.*") and
+      comment.getFile() = container.getFile() and
+      (
+        comment.getLocation().getStartLine() >= container.getLocation().getStartLine() and
+        comment.getLocation().getEndLine() <= container.getLocation().getEndLine()
+        or
+        comment.getNextToken() = container.getFirstToken()
+      ))
+    or
+    exists (Identifier id | id.getName() = "NaN" or id.getName() = "isNaN" |
+      id.getContainer() = container)
+  }
+
   /**
    * Holds if `guard` asserts that the outcome of `A <op> B + bias` is true, where `<op>` is a comparison operator.
    */
@@ -266,6 +284,7 @@ module RangeAnalysis {
       (
         guard.getOutcome() = true and operator = compare.getOperator()
         or
+        not hasNaNIndicator(guard.getContainer()) and
         guard.getOutcome() = false and operator = negateOperator(compare.getOperator())
       )
     )
diff --git a/javascript/ql/test/library-tests/RangeAnalysis/tst.js b/javascript/ql/test/library-tests/RangeAnalysis/tst.js
@@ -50,3 +50,15 @@ function h(x, y) {
     if (x > y) {}  // NOT OK - always true
   }
 }
+
+function nan(x) {
+  // This is a NaN comment.
+  if (x - 1 < x) {} // OK
+}
+
+/**
+ * This is a NAN comment.
+ */
+function nan2(x) {
+  if (x - 1 < x) {} // OK
+}

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ import javascript`
`69`	`69`	`*`
`70`	`70`	`* CAVEATS:`
`71`	`71`	`*`
`72`		`- * - We assume !(x <= y) means x > y, ignoring NaN.`
	`72`	`+ * - We assume !(x <= y) means x > y, ignoring NaN, unless a nearby comment or identifier mentions NaN.`
`73`	`73`	`*`
`74`	`74`	`* - We assume integer arithmetic is exact, ignoring values above 2^53.`
`75`	`75`	`*`
`@@ -257,6 +257,24 @@ module RangeAnalysis {`
`257`	`257`	`)`
`258`	`258`	`}`
`259`	`259`
	`260`	`+ /**`
	`261`	+ * Holds if the given container has a comment or identifier mentioning `NaN`.
	`262`	`+ */`
	`263`	`+ predicate hasNaNIndicator(StmtContainer container) {`
	`264`	`+ exists (Comment comment \|`
	`265`	`+ comment.getText().regexpMatch("(?s).N[aA]N.") and`
	`266`	`+ comment.getFile() = container.getFile() and`
	`267`	`+ (`
	`268`	`+ comment.getLocation().getStartLine() >= container.getLocation().getStartLine() and`
	`269`	`+ comment.getLocation().getEndLine() <= container.getLocation().getEndLine()`
	`270`	`+ or`
	`271`	`+ comment.getNextToken() = container.getFirstToken()`
	`272`	`+ ))`
	`273`	`+ or`
	`274`	`+ exists (Identifier id \| id.getName() = "NaN" or id.getName() = "isNaN" \|`
	`275`	`+ id.getContainer() = container)`
	`276`	`+ }`
	`277`	`+`
`260`	`278`	`/**`
`261`	`279`	* Holds if `guard` asserts that the outcome of `A <op> B + bias` is true, where `<op>` is a comparison operator.
`262`	`280`	`*/`
`@@ -266,6 +284,7 @@ module RangeAnalysis {`
`266`	`284`	`(`
`267`	`285`	`guard.getOutcome() = true and operator = compare.getOperator()`
`268`	`286`	`or`
	`287`	`+ not hasNaNIndicator(guard.getContainer()) and`
`269`	`288`	`guard.getOutcome() = false and operator = negateOperator(compare.getOperator())`
`270`	`289`	`)`
`271`	`290`	`)`