[CPP-434] When analyzing overflow, discard any explicit casts.

zlaski-semmle · zlaski-semmle · commit ad5aa182dfb0 · 2019-10-22T15:21:30.000-07:00
Use the simple range analysis library to detect which
          additions may in fact overflow.
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
@@ -12,22 +12,15 @@
  */
 
 import cpp
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-
-private predicate isSignedWithoutUnsignedCast(Expr e) {
-  e.getType().getUnspecifiedType().(IntegralType).isSigned()
-  /*
-   * and
-   *  not e.getExplicitlyConverted().getType().getUnspecifiedType().(IntegralType).isUnsigned()
-   */
-
-  }
+private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 
 from RelationalOperation ro, AddExpr add, VariableAccess va1, VariableAccess va2
 where
   ro.getAnOperand() = add and
   add.getAnOperand() = va1 and
   ro.getAnOperand() = va2 and
   globalValueNumber(va1) = globalValueNumber(va2) and
-  isSignedWithoutUnsignedCast(add)
+  add.getType().getUnspecifiedType().(IntegralType).isSigned() and
+  exprMightOverflowPositively(add)
 select ro, "Testing for signed overflow may produce undefined results."
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.cpp
@@ -32,7 +32,7 @@ bool shortShort1(unsigned short n1, unsigned short delta) {
     // clang 8.0.0 -O2: deleted
     // gcc 9.2 -O2: deleted
     // msvc 19.22 /O2: not deleted
-	return n1 + delta < n1; // BAD: will always be false
+	return n1 + delta < n1; // GOOD: always false, but will never overflow
 }
 
 bool shortShort2(unsigned short n1, unsigned short delta) {
@@ -96,28 +96,28 @@ int checkOverflow4(unsigned int ioff, C c) {
 
 int overflow12(int n) {
     // not deleted by gcc or clang
-	return (n + 32 <= (unsigned)n? -1: 1); // BAD
+	return (n + 32 <= (unsigned)n? -1: 1); // BAD: n + 32 can overflow
 }
 
 bool multipleCasts(char x) {
     // clang 9.0.0 -O2: deleted
     // gcc 9.2 -O2: deleted
     // msvc 19.22 /O2: deleted
-    return (int)(unsigned short)x + 2 < (int)(unsigned short)x; // BAD
+    return (int)(unsigned short)x + 2 < (int)(unsigned short)x; // GOOD: cannot overflow
 }
 
 bool multipleCasts2(char x) {
     // clang 9.0.0 -O2: not deleted
     // gcc 9.2 -O2: not deleted
     // msvc 19.22 /O2: not deleted
-    return (int)(unsigned short)(x + '1') < (int)(unsigned short)x; // BAD
+    return (int)(unsigned short)(x + '1') < (int)(unsigned short)x; // GOOD: cannot overflow
 }
 
 int does_it_overflow(int n1, unsigned short delta) {
-    return n1 + (unsigned)delta < n1; // GOOD
+    return n1 + (unsigned)delta < n1; // GOOD: everything converted to unsigned
 }
 
 int overflow12b(int n) {
     // not deleted by gcc or clang
-	return ((unsigned)(n + 32) <= (unsigned)n? -1: 1); // BAD
+	return ((unsigned)(n + 32) <= (unsigned)n? -1: 1); // BAD: n + 32 may overflow
 }
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.expected b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.expected
@@ -1,9 +1,4 @@
 | SignedOverflowCheck.cpp:8:12:8:22 | ... < ... | Testing for signed overflow may produce undefined results. |
 | SignedOverflowCheck.cpp:18:12:18:26 | ... < ... | Testing for signed overflow may produce undefined results. |
-| SignedOverflowCheck.cpp:35:9:35:23 | ... < ... | Testing for signed overflow may produce undefined results. |
-| SignedOverflowCheck.cpp:42:9:42:41 | ... < ... | Testing for signed overflow may produce undefined results. |
 | SignedOverflowCheck.cpp:99:10:99:30 | ... <= ... | Testing for signed overflow may produce undefined results. |
-| SignedOverflowCheck.cpp:106:12:106:62 | ... < ... | Testing for signed overflow may produce undefined results. |
-| SignedOverflowCheck.cpp:113:12:113:66 | ... < ... | Testing for signed overflow may produce undefined results. |
-| test.cpp:3:11:3:19 | ... < ... | Testing for signed overflow may produce undefined results. |
-| test.cpp:8:11:8:37 | ... < ... | Testing for signed overflow may produce undefined results. |
+| SignedOverflowCheck.cpp:122:10:122:42 | ... <= ... | Testing for signed overflow may produce undefined results. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/test.cpp
@@ -1,11 +1,11 @@
 // Test for BadAdditionOverflowCheck.
 bool checkOverflow1(unsigned short a, unsigned short b) {
-  return (a + b < a);  // BAD: a + b is automatically promoted to int.
+  return (a + b < a);  // BAD: comparison always false (due to promotion).
 }
 
 // Test for BadAdditionOverflowCheck.
 bool checkOverflow2(unsigned short a, unsigned short b) {
-  return ((unsigned short)(a + b) < a);  // BAD: a + b overflow undefined
+  return ((unsigned short)(a + b) < a);  // GOOD
 }
 
 // Test for PointlessSelfComparison.

Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,11 @@`
`1`	`1`	`// Test for BadAdditionOverflowCheck.`
`2`	`2`	`bool checkOverflow1(unsigned short a, unsigned short b) {`
`3`		`- return (a + b < a); // BAD: a + b is automatically promoted to int.`
	`3`	`+ return (a + b < a); // BAD: comparison always false (due to promotion).`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`// Test for BadAdditionOverflowCheck.`
`7`	`7`	`bool checkOverflow2(unsigned short a, unsigned short b) {`
`8`		`- return ((unsigned short)(a + b) < a); // BAD: a + b overflow undefined`
	`8`	`+ return ((unsigned short)(a + b) < a); // GOOD`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`// Test for PointlessSelfComparison.`