[CPP-434] Rename everything to SignedOverflowCheck. Add .qlhelp. Deal with addition only, not subtraction.

zlaski-semmle · zlaski-semmle · commit 8c6caf2b4e79 · 2019-10-08T14:12:35.000-07:00
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-bad.cpp b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-bad.cpp
@@ -0,0 +1,3 @@
+bool foo(int n1, unsigned short delta) {
+    return n1 + delta < n1; // BAD
+}
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-good.cpp b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-good.cpp
@@ -0,0 +1,3 @@
+bool bar(int n1, unsigned int delta) {
+    return n1 + delta < n1; // GOOD
+}
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.qhelp b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.qhelp
@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Testing for <code>signed</code> integer overflow by adding a
+value to a variable and then comparing the result to said variable
+is not defined by the C or C++ standards.  The comparison may
+produce an unintended result, or may be deleted by the compiler
+entirely.
+</p>
+</overview>
+<recommendation>
+<p>
+Make sure that the comparison in question uses <i>unsigned</i> values.
+</p>
+</recommendation>
+<example>
+<p>
+In the following example, even though <code>delta</code> has been declared
+<code>unsigned short</code>, C/C++ type promotion rules require that its
+type is promoted to the larger type used in the addition and comparison,
+namely a <code>signed int</code>.  As a result, the entire expression is
+evaluated using <code>signed values</code> and its value is therefore undefined.
+</p>
+<sample src="SignedOverflowCheck-bad.cpp" />
+<p>
+In the next example, a value of type <code>signed int</code> is
+getting added to a value ot type <code>unsigned int</code>.  Because
+the types are of the same size, C/C++ promotion rules dictate that
+<code>unsigned int</code> is chosen as the overall type of the addition
+operation. The entire expression is evaluated using <code>unsigned</code>
+values, which is allowed and defined behavior per the C/C++ standard.
+</p>
+<sample src="SignedOverflowCheck-good.cpp" />
+</example>
+<references>
+<li><a href="http://c-faq.com/expr/preservingrules.html">Preserving Rules</a></li>
+<li><a href="https://www.securecoding.cert.org/confluence/plugins/servlet/mobile#content/view/20086942">Understand integer conversion rules</a></li>
+</references>
+</qhelp>
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
@@ -1,11 +1,8 @@
 /**
  * @name Undefined result of signed test for overflow
- * @description Testing for signed integer overflow by adding a value to
- *              a variable (or subtracting a value from a variable) and
- *              then comparing the result to said variable is not defined
- *              by the C or C++ standards.  The comparison may produce an
- *              unintended result, or may be deleted by the compiler
- *              entirely.
+ * @description Testing for oveflow by adding a value to a variable
+ *              to see if it "wraps around" works only for
+ *              `unsigned` integer values.
  * @kind problem
  * @problem.severity warning
  * @precision medium
@@ -19,14 +16,14 @@ import cpp
 from RelationalOperation ro, BinaryArithmeticOperation bao, VariableAccess va1, VariableAccess va2
 where
   ro.getAnOperand() = bao and
-  (bao instanceof AddExpr or bao instanceof SubExpr) and
+  bao instanceof AddExpr and
   bao.getAnOperand() = va1 and
   ro.getAnOperand() = va2 and
   va1.getTarget() = va2.getTarget() and
   /*
    * if the addition/subtraction (`bao`) has been promoted to a signed type,
-   * then the other operand (`va2`) must also be signed and we have a signed
-   * comparison
+   * then the other operand (`va2`) must have been likewise promoted and so
+   * have a signed comparison
    */
 
   bao.getFullyConverted().getType().(IntegralType).isSigned()
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedComparisons/SignedComparisons.expected b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedComparisons/SignedComparisons.expected
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedComparisons/SignedComparisons.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedComparisons/SignedComparisons.qlref
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.cpp
@@ -7,9 +7,6 @@ bool cannotHoldAnother8(int n1) {
     // msvc 19.22 /O2: not deleted
     return n1 + 8 < n1; // BAD
 }
-bool canHoldPreceding16(int n1) {
-	return n1 - 16 < n1;
-}
 
 /* 2. Signed comparison with a narrower unsigned type.  The narrower
       type gets promoted to the (signed) larger type, and so the
@@ -20,9 +17,6 @@ bool cannotHoldAnotherUShort(int n1, unsigned short delta) {
     // msvc 19.22 /O2: not deleted
     return n1 + delta < n1; // BAD
 }
-bool canHoldPrecedingUShort(int n1, unsigned short delta) {
-	return n1 - delta < n1;
-}
 
 /* 3. Signed comparison with a non-narrower unsigned type.  The
       signed type gets promoted to (a possibly wider) unsigned type,
@@ -33,6 +27,3 @@ bool cannotHoldAnotherUInt(int n1, unsigned int delta) {
     // msvc 19.22 /O2: not deleted
     return n1 + delta < n1; // GOOD
 }
-bool canHoldPrecedingUInt(int n1, unsigned int delta) {
-	return n1 - delta < n1;
-}
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.expected b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.expected
@@ -0,0 +1,2 @@
+| SignedOverflowCheck.cpp:8:12:8:22 | ... < ... | Testing for signed overflow/underflow may produce undefined results. |
+| SignedOverflowCheck.cpp:18:12:18:26 | ... < ... | Testing for signed overflow/underflow may produce undefined results. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.qlref
@@ -0,0 +1 @@
+Likely Bugs/Arithmetic/SignedOverflowCheck.ql

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+bool foo(int n1, unsigned short delta) {`
	`2`	`+ return n1 + delta < n1; // BAD`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+bool bar(int n1, unsigned int delta) {`
	`2`	`+ return n1 + delta < n1; // GOOD`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| SignedOverflowCheck.cpp:8:12:8:22 \| ... < ... \| Testing for signed overflow/underflow may produce undefined results. \|`
	`2`	`+\| SignedOverflowCheck.cpp:18:12:18:26 \| ... < ... \| Testing for signed overflow/underflow may produce undefined results. \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Likely Bugs/Arithmetic/SignedOverflowCheck.ql`