Merge pull request #372 from aschackmull/java/rangeanalysis-array-phinodes

semmle-qlci · web-flow · commit 7b84f5b1fd21 · 2018-10-29T13:02:58.000Z
Approved by yh-semmle
diff --git a/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql b/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql
@@ -13,6 +13,7 @@
 
 import java
 import semmle.code.java.dataflow.SSA
+import semmle.code.java.dataflow.RangeUtils
 import semmle.code.java.dataflow.RangeAnalysis
 
 /**
@@ -31,9 +32,7 @@ predicate boundedArrayAccess(ArrayAccess aa, int k) {
       k = delta
     )
     or
-    exists(ArrayCreationExpr arraycreation |
-      arraycreation = arr.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource()
-    |
+    exists(ArrayCreationExpr arraycreation | arraycreation = getArrayDef(arr) |
       k = delta and
       arraycreation.getDimension(0) = b.getExpr()
       or
diff --git a/java/ql/src/semmle/code/java/dataflow/RangeAnalysis.qll b/java/ql/src/semmle/code/java/dataflow/RangeAnalysis.qll
@@ -583,18 +583,6 @@ private predicate unequalSsa(SsaVariable v, SsaReadPosition pos, Bound b, int de
   )
 }
 
-/**
- * Holds if `inp` is an input to `phi` along a back edge.
- */
-private predicate backEdge(SsaPhiNode phi, SsaVariable inp, SsaReadPositionPhiInputEdge edge) {
-  edge.phiInput(phi, inp) and
-  // Conservatively assume that every edge is a back edge if we don't have dominance information.
-  (
-    phi.getBasicBlock().bbDominates(edge.getOrigBlock()) or
-    not hasDominanceInformation(edge.getOrigBlock())
-  )
-}
-
 /** Weakens a delta to lie in the range `[-1..1]`. */
 bindingset[delta, upper]
 private int weakenDelta(boolean upper, int delta) {
diff --git a/java/ql/src/semmle/code/java/dataflow/RangeUtils.qll b/java/ql/src/semmle/code/java/dataflow/RangeUtils.qll
@@ -6,6 +6,65 @@ import java
 private import SSA
 private import semmle.code.java.controlflow.internal.GuardsLogic
 
+/**
+ * Holds if `v` is an input to `phi` that is not along a back edge, and the
+ * only other input to `phi` is a `null` value.
+ *
+ * Note that the declared type of `phi` is `SsaVariable` instead of
+ * `SsaPhiNode` in order for the reflexive case of `nonNullSsaFwdStep*(..)` to
+ * have non-`SsaPhiNode` results.
+ */
+private predicate nonNullSsaFwdStep(SsaVariable v, SsaVariable phi) {
+  exists(SsaExplicitUpdate vnull, SsaPhiNode phi0 | phi0 = phi |
+    2 = strictcount(phi0.getAPhiInput()) and
+    vnull = phi0.getAPhiInput() and
+    v = phi0.getAPhiInput() and
+    not backEdge(phi0, v, _) and
+    vnull != v and
+    vnull.getDefiningExpr().(VariableAssign).getSource() instanceof NullLiteral
+  )
+}
+
+private predicate nonNullDefStep(Expr e1, Expr e2) {
+  e2.(ParExpr).getExpr() = e1
+  or
+  exists(ConditionalExpr cond | cond = e2 |
+    cond.getTrueExpr() = e1 and cond.getFalseExpr() instanceof NullLiteral
+    or
+    cond.getFalseExpr() = e1 and cond.getTrueExpr() instanceof NullLiteral
+  )
+}
+
+/**
+ * Gets the definition of `v` provided that `v` is a non-null array with an
+ * explicit `ArrayCreationExpr` definition and that the definition does not go
+ * through a back edge.
+ */
+ArrayCreationExpr getArrayDef(SsaVariable v) {
+  exists(Expr src |
+    v.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() = src and
+    nonNullDefStep*(result, src)
+  )
+  or
+  exists(SsaVariable mid |
+    result = getArrayDef(mid) and
+    nonNullSsaFwdStep(mid, v)
+  )
+}
+
+/**
+ * Holds if `arrlen` is a read of an array `length` field on an array that, if
+ * it is non-null, is defined by `def` and that the definition can reach
+ * `arrlen` without going through a back edge.
+ */
+private predicate arrayLengthDef(FieldRead arrlen, ArrayCreationExpr def) {
+  exists(SsaVariable arr |
+    arrlen.getField() instanceof ArrayLengthField and
+    arrlen.getQualifier() = arr.getAUse() and
+    def = getArrayDef(arr)
+  )
+}
+
 /** An expression that always has the same integer value. */
 pragma[nomagic]
 private predicate constantIntegerExpr(Expr e, int val) {
@@ -17,11 +76,17 @@ private predicate constantIntegerExpr(Expr e, int val) {
     constantIntegerExpr(src, val)
   )
   or
-  exists(SsaExplicitUpdate v, FieldRead arrlen |
-    e = arrlen and
+  exists(ArrayCreationExpr a |
+    arrayLengthDef(e, a) and
+    a.getFirstDimensionSize() = val
+  )
+  or
+  exists(Field a, FieldRead arrlen |
+    a.isFinal() and
+    a.getInitializer().(ArrayCreationExpr).getFirstDimensionSize() = val and
     arrlen.getField() instanceof ArrayLengthField and
-    arrlen.getQualifier() = v.getAUse() and
-    v.getDefiningExpr().(VariableAssign).getSource().(ArrayCreationExpr).getFirstDimensionSize() = val
+    arrlen.getQualifier() = a.getAnAccess() and
+    e = arrlen
   )
 }
 
@@ -122,6 +187,18 @@ class SsaReadPositionPhiInputEdge extends SsaReadPosition, TSsaReadPositionPhiIn
   override string toString() { result = "edge" }
 }
 
+/**
+ * Holds if `inp` is an input to `phi` along a back edge.
+ */
+predicate backEdge(SsaPhiNode phi, SsaVariable inp, SsaReadPositionPhiInputEdge edge) {
+  edge.phiInput(phi, inp) and
+  // Conservatively assume that every edge is a back edge if we don't have dominance information.
+  (
+    phi.getBasicBlock().bbDominates(edge.getOrigBlock()) or
+    not hasDominanceInformation(edge.getOrigBlock())
+  )
+}
+
 /**
  * Holds if `guard` directly controls the position `controlled` with the
  * value `testIsTrue`.
@@ -201,11 +278,9 @@ predicate valueFlowStep(Expr e2, Expr e1, int delta) {
   or
   e2.(PreDecExpr).getExpr() = e1 and delta = -1
   or
-  exists(SsaExplicitUpdate v, FieldRead arrlen |
-    e2 = arrlen and
-    arrlen.getField() instanceof ArrayLengthField and
-    arrlen.getQualifier() = v.getAUse() and
-    v.getDefiningExpr().(VariableAssign).getSource().(ArrayCreationExpr).getDimension(0) = e1 and
+  exists(ArrayCreationExpr a |
+    arrayLengthDef(e2, a) and
+    a.getDimension(0) = e1 and
     delta = 0
   )
   or
diff --git a/java/ql/test/query-tests/RangeAnalysis/A.java b/java/ql/test/query-tests/RangeAnalysis/A.java
@@ -34,7 +34,7 @@ void m3(int[] a) {
     }
     for (int i = 0; i < arr1.length; ) {
       sum += arr1[i++]; // OK
-      sum += arr1[i++]; // OK - FP
+      sum += arr1[i++]; // OK
       i += 2;
     }
     for (int i = 0; i < arr2.length; ) {
@@ -162,4 +162,17 @@ void m12() {
       sum += b[i] + b[i + 1]; // OK
     }
   }
+
+  void m13(int n) {
+    int[] a = null;
+    if (n > 0) {
+      a = n > 0 ? new int[3 * n] : null;
+    }
+    int sum;
+    if (a != null) {
+      for (int i = 0; i < a.length; i += 3) {
+        sum += a[i + 2]; // OK
+      }
+    }
+  }
 }
diff --git a/java/ql/test/query-tests/RangeAnalysis/ArrayIndexOutOfBounds.expected b/java/ql/test/query-tests/RangeAnalysis/ArrayIndexOutOfBounds.expected
@@ -1,6 +1,5 @@
 | A.java:16:14:16:17 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
 | A.java:23:21:23:28 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
-| A.java:37:14:37:22 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
 | A.java:42:14:42:22 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
 | A.java:46:14:46:22 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
 | A.java:55:14:55:19 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ void m3(int[] a) {`
`34`	`34`	`}`
`35`	`35`	`for (int i = 0; i < arr1.length; ) {`
`36`	`36`	`sum += arr1[i++]; // OK`
`37`		`- sum += arr1[i++]; // OK - FP`
	`37`	`+ sum += arr1[i++]; // OK`
`38`	`38`	`i += 2;`
`39`	`39`	`}`
`40`	`40`	`for (int i = 0; i < arr2.length; ) {`
`@@ -162,4 +162,17 @@ void m12() {`
`162`	`162`	`sum += b[i] + b[i + 1]; // OK`
`163`	`163`	`}`
`164`	`164`	`}`
	`165`	`+`
	`166`	`+ void m13(int n) {`
	`167`	`+ int[] a = null;`
	`168`	`+ if (n > 0) {`
	`169`	`+ a = n > 0 ? new int[3 * n] : null;`
	`170`	`+ }`
	`171`	`+ int sum;`
	`172`	`+ if (a != null) {`
	`173`	`+ for (int i = 0; i < a.length; i += 3) {`
	`174`	`+ sum += a[i + 2]; // OK`
	`175`	`+ }`
	`176`	`+ }`
	`177`	`+ }`
`165`	`178`	`}`