github
diff --git a/‎change-notes/1.23/analysis-cpp.md‎
Lines changed: 3 additions & 0 deletions b/‎change-notes/1.23/analysis-cpp.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Arithmetic/PointlessSelfComparison.ql‎
Lines changed: 1 addition & 0 deletions b/‎cpp/ql/src/Likely Bugs/Arithmetic/PointlessSelfComparison.ql‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-bad1.cpp‎
Lines changed: 3 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-bad1.cpp‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-bad2.cpp‎
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-bad2.cpp‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-good1.cpp‎
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-good1.cpp‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-good2.cpp‎
Lines changed: 3 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-good2.cpp‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.qhelp‎
Lines changed: 115 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.qhelp‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql‎
Lines changed: 31 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Protocols/boostorg/TlsSettingsMisconfiguration.ql‎
Lines changed: 27 additions & 52 deletions b/‎cpp/ql/src/Likely Bugs/Protocols/boostorg/TlsSettingsMisconfiguration.ql‎
Lines changed: 27 additions & 52 deletions
diff --git a/‎cpp/ql/src/Microsoft/SAL.qll‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/Microsoft/SAL.qll‎
Lines changed: 1 addition & 1 deletion
@@ -9,6 +9,7 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
 | Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | reliability, japanese-era | This query is a combination of two old queries that were identical in purpose but separate as an implementation detail.  This new query replaces Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) and Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`). |
+| Signed overflow check (`cpp/signed-overflow-check`) | correctness, reliability | Finds overflow checks that rely on signed integer addition to overflow, which has undefined behavior. Example: `a + b < a`. |
 
 ## Changes to existing queries
 
@@ -23,6 +24,8 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
 | Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. |
 | Unclear comparison precedence (`cpp/comparison-precedence`) | Fewer false positive results | False positives involving template classes and functions have been fixed. |
 | Comparison of narrow type with wide type in loop condition (`cpp/comparison-with-wider-type`) | Higher precision | The precision of this query has been increased to "high" as the alerts from this query have proved to be valuable on real-world projects. With this precision, results are now displayed by default in LGTM. |
+| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. |
+| Wrong type of arguments to formatting function (`cpp/wrong-type-format-argument`) | More correct results and fewer false positive results | This query now understands explicitly specified argument numbers in format strings, such as the `1$` in `%1$s`. |
 
 ## Changes to libraries
 
 
@@ -19,6 +19,7 @@ where
   pointlessSelfComparison(cmp) and
   not nanTest(cmp) and
   not overflowTest(cmp) and
+  not cmp.isFromTemplateInstantiation(_) and
   not exists(MacroInvocation mi |
     // cmp is in mi
     mi.getAnExpandedElement() = cmp and
 
@@ -0,0 +1,3 @@
+bool foo(int n1, unsigned short delta) {
+    return n1 + delta < n1; // BAD
+}
@@ -0,0 +1,4 @@
+bool bar(unsigned short n1, unsigned short delta) {
+    // NB: Comparison is always false
+    return n1 + delta < n1; // GOOD (but misleading)
+}
@@ -0,0 +1,4 @@
+#include <limits.h>
+bool foo(int n1, unsigned short delta) {
+    return n1 > INT_MAX - delta; // GOOD
+}
@@ -0,0 +1,3 @@
+bool bar(unsigned short n1, unsigned short delta) {
+    return (unsigned short)(n1 + delta) < n1; // GOOD
+}
@@ -0,0 +1,115 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+When checking for integer overflow, you may often write tests like
+<code>a + b &lt; a</code>.  This works fine if <code>a</code> or
+<code>b</code> are unsigned integers, since any overflow in the addition
+will cause the value to simply "wrap around."  However, using
+<i>signed</i> integers is problematic because signed overflow has undefined
+behavior according to the C and C++ standards.  If the addition overflows
+and has an undefined result, the comparison will likewise be undefined;
+it may produce an unintended result, or may be deleted entirely by an
+optimizing compiler.
+</p>
+</overview>
+<recommendation>
+<p>
+Solutions to this problem can be thought of as falling into one of two
+categories: (1) rewrite the signed expression so that overflow cannot occur
+but the signedness remains, or (2) rewrite (or cast) the signed expression
+into unsigned form.
+</p>
+
+<p>
+Below we list examples of expressions where signed overflow may
+occur, along with proposed solutions.  The list should not be
+considered exhaustive.
+</p>
+
+<p>
+Given <code>unsigned short i, delta</code> and <code>i + delta &lt; i</code>, 
+it is possible to rewrite it as <code>(unsigned short)(i + delta)&nbsp;&lt;&nbsp;i</code>.
+Note that <code>i + delta</code>does not actually overflow, due to <code>int</code> promotion
+</p>
+
+<p>
+Given <code>unsigned short i, delta</code> and <code>i + delta &lt; i</code>,
+it is also possible to rewrite it as <code>USHORT_MAX - delta</code>. It must be true
+that <code>delta &gt; 0</code> and the <code>limits.h</code> or <code>climits</code>
+header has been included.
+</p>
+
+<p>
+Given <code>int i, delta</code> and <code>i + delta &lt; i</code>,
+it is possible to rewrite it as <code>INT_MAX - delta</code>. It must be true
+that <code>delta &gt; 0</code> and the <code>limits.h</code> or <code>climits</code>
+header has been included.
+</p>
+
+<p>
+Given <code>int i, delta</code> and <code>i + delta &lt; i</code>,
+it is also possible to rewrite it as <code>(unsigned)i + delta &lt; i</code>.
+Note that program semantics are affected by this change.
+</p>
+
+<p>
+Given <code>int i, delta</code> and <code>i + delta &lt; i</code>,
+it is also possible to rewrite it as <code>unsigned int i, delta</code> and
+<code>i + delta &lt; i</code>.  Note that program semantics are 
+affected by this change.
+</p>
+</recommendation>
+
+<example>
+<p>
+In the following example, even though <code>delta</code> has been declared
+<code>unsigned short</code>, C/C++ type promotion rules require that its
+type is promoted to the larger type used in the addition and comparison,
+namely a <code>signed int</code>.  Addition is performed on 
+signed integers, and may have undefined behavior if an overflow occurs.
+As a result, the entire (comparison) expression may also have an undefined
+result.
+</p>
+<sample src="SignedOverflowCheck-bad1.cpp" />
+<p>
+The following example builds upon the previous one.  Instead of
+performing an addition (which could overflow), we have re-framed the
+solution so that a subtraction is used instead.  Since <code>delta</code>
+is promoted to a <code>signed int</code> and <code>INT_MAX</code> denotes
+the largest possible positive value for an <code>signed int</code>,
+the expression <code>INT_MAX - delta</code> can never be less than zero
+or more than <code>INT_MAX</code>.  Hence, any overflow and underflow
+are avoided.
+</p>
+<sample src="SignedOverflowCheck-good1.cpp" />
+<p>
+In the following example, even though both <code>n</code> and <code>delta</code>
+have been declared <code>unsigned short</code>, both are promoted to 
+<code>signed int</code> prior to addition.  Because we started out with the
+narrower <code>short</code> type, the addition is guaranteed not to overflow
+and is therefore defined.  But the fact that <code>n1 + delta</code> never 
+overflows means that the condition <code>n1 + delta &lt; n1</code> will never
+hold true, which likely is not what the programmer intended. (see also the
+<code>cpp/bad-addition-overflow-check</code> query).
+</p>
+<sample src="SignedOverflowCheck-bad2.cpp" />
+<p>
+The next example provides a solution to the previous one.  Even though
+<code>i + delta</code> does not overflow, casting it to an
+<code>unsigned short</code> truncates the addition modulo 2^16,
+so that <code>unsigned short</code> "wrap around" may now be observed.
+Furthermore, since the left-hand side is now of type <code>unsigned short</code>,
+the right-hand side does not need to be promoted to a <code>signed int</code>.
+</p>
+
+<sample src="SignedOverflowCheck-good2.cpp" />
+</example>
+<references>
+<li><a href="http://c-faq.com/expr/preservingrules.html">comp.lang.c FAQ list · Question 3.19 (Preserving rules)</a></li>
+<li><a href="https://wiki.sei.cmu.edu/confluence/display/c/INT31-C.+Ensure+that+integer+conversions+do+not+result+in+lost+or+misinterpreted+data">INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data</a></li>
+<li>W. Dietz, P. Li, J. Regehr, V. Adve. <a href="https://www.cs.utah.edu/~regehr/papers/overflow12.pdf">Understanding Integer Overflow in C/C++</a></li>
+</references>
+</qhelp>
@@ -0,0 +1,31 @@
+/**
+ * @name Undefined result of signed test for overflow
+ * @description Testing for overflow by adding a value to a variable
+ *              to see if it "wraps around" works only for
+ *              unsigned integer values.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id cpp/signed-overflow-check
+ * @tags reliability
+ *       security
+ */
+
+import cpp
+private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+
+from RelationalOperation ro, AddExpr add, Expr expr1, Expr expr2
+where
+  ro.getAnOperand() = add and
+  add.getAnOperand() = expr1 and
+  ro.getAnOperand() = expr2 and
+  globalValueNumber(expr1) = globalValueNumber(expr2) and
+  add.getUnspecifiedType().(IntegralType).isSigned() and
+  not exists(MacroInvocation mi | mi.getAnAffectedElement() = add) and
+  exprMightOverflowPositively(add) and
+  exists(Compilation c | c.getAFileCompiled() = ro.getFile() |
+    not c.getAnArgument() = "-fwrapv" and
+    not c.getAnArgument() = "-fno-strict-overflow"
+  )
+select ro, "Testing for signed overflow may produce undefined results."
@@ -13,76 +13,52 @@ import semmle.code.cpp.security.boostorg.asio.protocols
 class ExistsAnyFlowConfig extends DataFlow::Configuration {
   ExistsAnyFlowConfig() { this = "ExistsAnyFlowConfig" }
 
-  override predicate isSource(DataFlow::Node source) { any() }
+  override predicate isSource(DataFlow::Node source) {
+    exists(BoostorgAsio::SslContextClass c | c.getAContructorCall() = source.asExpr())
+  }
 
-  override predicate isSink(DataFlow::Node sink) { any() }
+  override predicate isSink(DataFlow::Node sink) {
+    exists(BoostorgAsio::SslSetOptionsFunction f, FunctionCall fcSetOptions |
+      f.getACallToThisFunction() = fcSetOptions and
+      fcSetOptions.getQualifier() = sink.asExpr()
+    )
+  }
 }
 
 bindingset[flag]
 predicate isOptionSet(ConstructorCall cc, int flag, FunctionCall fcSetOptions) {
-  exists(
-    BoostorgAsio::SslContextFlowsToSetOptionConfig config, ExistsAnyFlowConfig testConfig,
-    Expr optionsSink
-  |
-    config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
-    exists(VariableAccess contextSetOptions |
-      testConfig.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
-      exists(BoostorgAsio::SslSetOptionsFunction f | f.getACallToThisFunction() = fcSetOptions |
-        contextSetOptions = fcSetOptions.getQualifier() and
-        forall(
-          Expr optionArgument, BoostorgAsio::SslOptionConfig optionArgConfig,
-          Expr optionArgumentSource
-        |
-          optionArgument = fcSetOptions.getArgument(0) and
-          optionArgConfig
-              .hasFlow(DataFlow::exprNode(optionArgumentSource), DataFlow::exprNode(optionArgument))
-        |
-          optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
-        )
+  exists(ExistsAnyFlowConfig anyFlowConfig, VariableAccess contextSetOptions |
+    anyFlowConfig.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
+    exists(BoostorgAsio::SslSetOptionsFunction f | f.getACallToThisFunction() = fcSetOptions |
+      contextSetOptions = fcSetOptions.getQualifier() and
+      forall(
+        Expr optionArgument, BoostorgAsio::SslOptionConfig optionArgConfig,
+        Expr optionArgumentSource
+      |
+        optionArgument = fcSetOptions.getArgument(0) and
+        optionArgConfig
+            .hasFlow(DataFlow::exprNode(optionArgumentSource), DataFlow::exprNode(optionArgument))
+      |
+        optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
       )
     )
   )
 }
 
 bindingset[flag]
 predicate isOptionNotSet(ConstructorCall cc, int flag) {
-  not exists(
-    BoostorgAsio::SslContextFlowsToSetOptionConfig config, ExistsAnyFlowConfig testConfig,
-    Expr optionsSink
-  |
-    config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
-    exists(VariableAccess contextSetOptions |
-      testConfig.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
-      exists(FunctionCall fcSetOptions, BoostorgAsio::SslSetOptionsFunction f |
-        f.getACallToThisFunction() = fcSetOptions
-      |
-        contextSetOptions = fcSetOptions.getQualifier() and
-        forall(
-          Expr optionArgument, BoostorgAsio::SslOptionConfig optionArgConfig,
-          Expr optionArgumentSource
-        |
-          optionArgument = fcSetOptions.getArgument(0) and
-          optionArgConfig
-              .hasFlow(DataFlow::exprNode(optionArgumentSource), DataFlow::exprNode(optionArgument))
-        |
-          optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
-        )
-      )
-    )
-  )
+  not exists(FunctionCall fcSetOptions | isOptionSet(cc, flag, fcSetOptions))
 }
 
 from
-  BoostorgAsio::SslContextCallTlsProtocolConfig configConstructor,
-  BoostorgAsio::SslContextFlowsToSetOptionConfig config, Expr protocolSource, Expr protocolSink,
-  ConstructorCall cc, Expr e, string msg
+  BoostorgAsio::SslContextCallTlsProtocolConfig configConstructor, Expr protocolSource,
+  Expr protocolSink, ConstructorCall cc, Expr e, string msg
 where
   configConstructor.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink)) and
   cc.getArgument(0) = protocolSink and
   (
     BoostorgAsio::isExprSslV23BoostProtocol(protocolSource) and
-    not exists(Expr optionsSink |
-      config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
+    not (
       isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoSsl3(), _) and
       isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1(), _) and
       isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_1(), _) and
@@ -91,8 +67,7 @@ where
     or
     BoostorgAsio::isExprTlsBoostProtocol(protocolSource) and
     not BoostorgAsio::isExprSslV23BoostProtocol(protocolSource) and
-    not exists(Expr optionsSink |
-      config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
+    not (
       isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1(), _) and
       isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_1(), _) and
       isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_2())
 
@@ -126,7 +126,7 @@ class SALParameter extends Parameter {
 }
 
 /**
- * A SAL element, i.e. a SAL annotation or a declaration entry
+ * A SAL element, that is, a SAL annotation or a declaration entry
  * that may have SAL annotations.
  */
 library class SALElement extends Element {
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+bool foo(int n1, unsigned short delta) {`
	`2`	`+ return n1 + delta < n1; // BAD`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+bool bar(unsigned short n1, unsigned short delta) {`
	`2`	`+ return (unsigned short)(n1 + delta) < n1; // GOOD`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ class SALParameter extends Parameter {`
`126`	`126`	`}`
`127`	`127`
`128`	`128`	`/**`
`129`		`- * A SAL element, i.e. a SAL annotation or a declaration entry`
	`129`	`+ * A SAL element, that is, a SAL annotation or a declaration entry`
`130`	`130`	`* that may have SAL annotations.`
`131`	`131`	`*/`
`132`	`132`	`library class SALElement extends Element {`