
Commit 872054a

committed
[CPP-434] Narrow down query.
1 parent 341dc12 commit 872054a

3 files changed

Lines changed: 60 additions & 7 deletions


Lines changed: 7 additions & 7 deletions
@@ -1,6 +1,6 @@
11
/**
22
* @name Undefined result of signed test for overflow
3-
* @description Testing for oveflow by adding a value to a variable
3+
* @description Testing for overflow by adding a value to a variable
44
* to see if it "wraps around" works only for
55
* `unsigned` integer values.
66
* @kind problem
@@ -13,18 +13,18 @@
1313

1414
import cpp
1515

16-
from RelationalOperation ro, BinaryArithmeticOperation bao, VariableAccess va1, VariableAccess va2
16+
from RelationalOperation ro, AddExpr add, VariableAccess va1, VariableAccess va2
1717
where
18-
ro.getAnOperand() = bao and
19-
bao instanceof AddExpr and
20-
bao.getAnOperand() = va1 and
18+
ro.getAnOperand() = add and
19+
add.getAnOperand() = va1 and
2120
ro.getAnOperand() = va2 and
2221
va1.getTarget() = va2.getTarget() and
22+
(not exists(va1.getQualifier()) or va1.getQualifier() = va2.getQualifier()) and
2323
/*
24-
* if the addition (`bao`) has been promoted to a signed type,
24+
* if the addition (`add`) has been promoted to a signed type,
2525
* then the other operand (`va2`) must have been likewise promoted and so
2626
* have a signed comparison
2727
*/
2828

29-
bao.getFullyConverted().getType().(IntegralType).isSigned()
29+
add.getExplicitlyConverted().getType().(IntegralType).isSigned()
3030
select ro, "Testing for signed overflow may produce undefined results."
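Review bot: The added qualifier test `(not exists(va1.getQualifier()) or va1.getQualifier() = va2.getQualifier())` compares expression nodes. As far as I can tell, the two occurrences of `so` in `so->xPos + d < so->xPos` are distinct nodes, so the second disjunct would never hold and every access through a qualifier drops out of the results. That is a false negative on same-object checks, which are the pattern a compiler may delete, leaving the code without its overflow guard. For simple qualifiers, comparing targets instead, `va1.getQualifier().(VariableAccess).getTarget() = va2.getQualifier().(VariableAccess).getTarget()`, would keep the narrowing without losing those cases. The test file in this commit has no case with the same qualifier on both sides (for example `return np->n1 + delta < np->n1; // BAD`), so the expected output cannot show the gap.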

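--- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.cpp
+++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.cpp
@@ -27,3 +27,55 @@ bool cannotHoldAnotherUInt(int n1, unsigned int delta) {
 // msvc 19.22 /O2: not deleted
 return n1 + delta < n1; // GOOD
 }
+
+bool shortShort1(unsigned short n1, unsigned short delta) {
+// clang 8.0.0 -O2: deleted
+// gcc 9.2 -O2: deleted
+// msvc 19.22 /O2: not deleted
+return n1 + delta < n1; // BAD
+}
+
+bool shortShort2(unsigned short n1, unsigned short delta) {
+// clang 8.0.0 -O2: not deleted
+// gcc 9.2 -O2: not deleted
+// msvc 19.22 /O2: not deleted
+return (unsigned short)(n1 + delta) < n1; // GOOD
+}
+
+/* Distinguish `varname` from `ptr->varname` and `obj.varname` */
+struct N {
+unsigned short n1;
+} n, *np;
+
+bool shortStruct1(unsigned short n1, unsigned short delta) {
+return np->n1 + delta < n1; // GOOD
+}
+
+bool shortStruct1a(unsigned short n1, unsigned short delta) {
+return n1 + delta < n.n1; // GOOD
+}
+
+bool shortStruct2(unsigned short n1, unsigned short delta) {
+return (unsigned short)(n1 + delta) < n.n1; // GOOD
+}
+
+struct se {
+short xPos;
+short yPos;
+short xSize;
+short ySize;
+};
+
+extern se *getSo(void);
+
+bool func1(se *so) {
+se *o = getSo();
+if (so->xPos + so->xSize < o->xPos // GOOD
+|| so->xPos > o->xPos + o->xSize) { // GOOD
+// clang 8.0.0 -O2: not deleted
+// gcc 9.2 -O2: not deleted
+// msvc 19.22 /O2: not deleted
+return false;
+}
+return true;
+}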
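Review bot: The `// BAD` on `shortShort1` (new line 35) does not say why the test fails, and the reason differs from the signed cases earlier in the file. Both `unsigned short` operands are promoted to `int`, so where `int` is wider than `short` the sum cannot wrap and the comparison is always false rather than undefined, which is presumably why clang and gcc delete it. A comment such as `// BAD: operands promote to int; the sum never wraps, so this is always false` would make that explicit for readers who rely on this idiom as a guard. `shortStruct1`, `shortStruct1a` and `shortStruct2` also lack the per-compiler annotations that the other cases carry.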
Lines changed: 1 addition & 0 deletions
@@ -1,2 +1,3 @@
11
| SignedOverflowCheck.cpp:8:12:8:22 | ... < ... | Testing for signed overflow may produce undefined results. |
22
| SignedOverflowCheck.cpp:18:12:18:26 | ... < ... | Testing for signed overflow may produce undefined results. |
3+
| SignedOverflowCheck.cpp:35:9:35:23 | ... < ... | Testing for signed overflow may produce undefined results. |
