Fix bug in handling of subtractions.

criemen · criemen · commit 9d2533c8abd9 · 2020-04-29T13:07:15.000+02:00
diff --git a/cpp/ql/src/experimental/library/ArrayLengthAnalysis.qll b/cpp/ql/src/experimental/library/ArrayLengthAnalysis.qll
@@ -176,9 +176,8 @@ private predicate deconstructMallocSizeExpr(Expr sizeExpr, Expr lengthExpr, int
   or
   sizeExpr instanceof SubExpr and
   exists(Expr constantExpr |
-    lengthExpr = sizeExpr.(SubExpr).getAnOperand() and
-    constantExpr = sizeExpr.(SubExpr).getAnOperand() and
-    lengthExpr != constantExpr and
+    lengthExpr = sizeExpr.(SubExpr).getLeftOperand() and
+    constantExpr = sizeExpr.(SubExpr).getRightOperand() and
     delta = -constantExpr.getValue().toInt()
   )
 }
diff --git a/cpp/ql/test/experimental/library-tests/arraylengthanalysis/ArrayLengthAnalysisTest.expected b/cpp/ql/test/experimental/library-tests/arraylengthanalysis/ArrayLengthAnalysisTest.expected
@@ -22,3 +22,4 @@
 | test.cpp:80:8:80:8 | Load: a | VNLength(InitializeParameter: count) | 1 | OpOffset(Load: count) | 1 |
 | test.cpp:85:8:85:8 | Load: a | VNLength(InitializeParameter: count) | 1 | OpOffset(Add: ... + ...) | 0 |
 | test.cpp:87:8:87:8 | Load: a | VNLength(InitializeParameter: count) | 1 | OpOffset(Add: ... + ...) | 1 |
+| test.cpp:89:8:89:8 | Load: a | VNLength(Sub: ... - ...) | 0 | ZeroOffset | 0 |
diff --git a/cpp/ql/test/experimental/library-tests/arraylengthanalysis/test.cpp b/cpp/ql/test/experimental/library-tests/arraylengthanalysis/test.cpp
@@ -85,4 +85,6 @@ void test2(unsigned int count, bool b) {
   sink(a); // TODO, should be (count, 1, count, 1), but is (count, 1, count + 1, 0)
   a += 1;
   sink(a); // TODO, should be (count, 1, count, 2), but is (count, 1, count + 1, 1)
+  a = (int*) malloc(sizeof(int) * (1024 - count));
+  sink(a); // (1024-count, 0, Zero, 0)
 }

Original file line number	Diff line number	Diff line change
`@@ -176,9 +176,8 @@ private predicate deconstructMallocSizeExpr(Expr sizeExpr, Expr lengthExpr, int`
`176`	`176`	`or`
`177`	`177`	`sizeExpr instanceof SubExpr and`
`178`	`178`	`exists(Expr constantExpr \|`
`179`		`- lengthExpr = sizeExpr.(SubExpr).getAnOperand() and`
`180`		`- constantExpr = sizeExpr.(SubExpr).getAnOperand() and`
`181`		`- lengthExpr != constantExpr and`
	`179`	`+ lengthExpr = sizeExpr.(SubExpr).getLeftOperand() and`
	`180`	`+ constantExpr = sizeExpr.(SubExpr).getRightOperand() and`
`182`	`181`	`delta = -constantExpr.getValue().toInt()`
`183`	`182`	`)`
`184`	`183`	`}`
Original file line number	Diff line number	Diff line change
`@@ -85,4 +85,6 @@ void test2(unsigned int count, bool b) {`
`85`	`85`	`sink(a); // TODO, should be (count, 1, count, 1), but is (count, 1, count + 1, 0)`
`86`	`86`	`a += 1;`
`87`	`87`	`sink(a); // TODO, should be (count, 1, count, 2), but is (count, 1, count + 1, 1)`
	`88`	`+ a = (int) malloc(sizeof(int) (1024 - count));`
	`89`	`+ sink(a); // (1024-count, 0, Zero, 0)`
`88`	`90`	`}`