[CPP-434] Improvements to Qhelp; hashCons-ify query.

zlaski-semmle · zlaski-semmle · commit afa34b5054a1 · 2019-10-08T14:12:35.000-07:00
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.qhelp b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.qhelp
@@ -5,7 +5,7 @@
 <overview>
 <p>
 Testing for <code>signed</code> integer overflow by adding a
-value to a variable and then comparing the result to said variable
+value to a variable and then comparing the result to that variable
 is not defined by the C or C++ standards.  The comparison may
 produce an unintended result, or may be deleted by the compiler
 entirely.
@@ -27,7 +27,7 @@ evaluated using <code>signed values</code> and its value is therefore undefined.
 <sample src="SignedOverflowCheck-bad.cpp" />
 <p>
 In the next example, a value of type <code>signed int</code> is
-getting added to a value ot type <code>unsigned int</code>.  Because
+added to a value of type <code>unsigned int</code>.  Because
 the types are of the same size, C/C++ promotion rules dictate that
 <code>unsigned int</code> is chosen as the overall type of the addition
 operation. The entire expression is evaluated using <code>unsigned</code>
@@ -36,7 +36,7 @@ values, which is allowed and defined behavior per the C/C++ standard.
 <sample src="SignedOverflowCheck-good.cpp" />
 </example>
 <references>
-<li><a href="http://c-faq.com/expr/preservingrules.html">Preserving Rules</a></li>
-<li><a href="https://www.securecoding.cert.org/confluence/plugins/servlet/mobile#content/view/20086942">Understand integer conversion rules</a></li>
+<li><a href="http://c-faq.com/expr/preservingrules.html">comp.lang.c FAQ list · Question 3.19 (Preserving rules)</a></li>
+<li><a href="https://wiki.sei.cmu.edu/confluence/display/c/INT31-C.+Ensure+that+integer+conversions+do+not+result+in+lost+or+misinterpreted+data">INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data</a></li>
 </references>
 </qhelp>
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
@@ -12,19 +12,19 @@
  */
 
 import cpp
+import semmle.code.cpp.valuenumbering.HashCons
+
+private predicate sameAccess(VariableAccess va1, VariableAccess va2) {
+  hashCons(va1) = hashCons(va2)
+}
 
 from RelationalOperation ro, AddExpr add, VariableAccess va1, VariableAccess va2
 where
   ro.getAnOperand() = add and
   add.getAnOperand() = va1 and
   ro.getAnOperand() = va2 and
-  va1.getTarget() = va2.getTarget() and
-  (not exists(va1.getQualifier()) or va1.getQualifier() = va2.getQualifier()) and 
-  /*
-   * if the addition (`add`) has been promoted to a signed type,
-   * then the other operand (`va2`) must have been likewise promoted and so
-   * have a signed comparison
-   */
-
-  add.getExplicitlyConverted().getType().(IntegralType).isSigned()
-select ro, "Testing for signed overflow may produce undefined results."
+  sameAccess(va1, va2) and
+  add.getExplicitlyConverted().getType().(IntegralType).isSigned() and
+  va2.getExplicitlyConverted().getType().(IntegralType).isSigned()
+select va1, va1.getQualifier().getAQlClass(), va2, va2.getQualifier().getAQlClass(), ro,
+  "Testing for signed overflow may produce undefined results."
