Merge pull request #14588 from aschackmull/shared/rangeanalysis

C++/Java: Share core range analysis
2026-04-25 00:35:20 +02:00 · 2023-10-26 16:32:46 +01:00
parent 867a39083e 6882504397
commit 30ecb4b0c8
22 changed files with 1006 additions and 1132 deletions
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -8,6 +8,7 @@ upgrades: upgrades
 dependencies:
  codeql/dataflow: ${workspace}
  codeql/mad: ${workspace}
+  codeql/rangeanalysis: ${workspace}
  codeql/regex: ${workspace}
  codeql/tutorial: ${workspace}
  codeql/typetracking: ${workspace}
--- a/java/ql/lib/semmle/code/java/Type.qll
+++ b/java/ql/lib/semmle/code/java/Type.qll
@@ -1090,6 +1090,24 @@ class PrimitiveType extends Type, @primitive {
  override string getAPrimaryQlClass() { result = "PrimitiveType" }
 }

+private int getByteSize(PrimitiveType t) {
+  t.hasName("boolean") and result = 1
+  or
+  t.hasName("byte") and result = 1
+  or
+  t.hasName("char") and result = 2
+  or
+  t.hasName("short") and result = 2
+  or
+  t.hasName("int") and result = 4
+  or
+  t.hasName("float") and result = 4
+  or
+  t.hasName("long") and result = 8
+  or
+  t.hasName("double") and result = 8
+}
+
 /** The type of the `null` literal. */
 class NullType extends Type, @primitive {
  NullType() { this.hasName("<nulltype>") }
@@ -1282,6 +1300,12 @@ class IntegralType extends Type {
      name = ["byte", "char", "short", "int", "long"]
    )
  }
+
+  /** Gets the size in bytes of this numeric type. */
+  final int getByteSize() {
+    result = getByteSize(this) or
+    result = getByteSize(this.(BoxedType).getPrimitiveType())
+  }
 }

 /** A boolean type, which may be either a primitive or a boxed type. */
--- a/java/ql/lib/semmle/code/java/dataflow/Bound.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/Bound.qll
@@ -25,16 +25,8 @@ abstract class Bound extends TBound {
  /** Gets an expression that equals this bound. */
  Expr getExpr() { result = this.getExpr(0) }

-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `sc` of line `sl` to
-   * column `ec` of line `el` in file `path`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    path = "" and sl = 0 and sc = 0 and el = 0 and ec = 0
-  }
+  /** Gets the location of this bound. */
+  abstract Location getLocation();
 }

 /**
@@ -45,6 +37,8 @@ class ZeroBound extends Bound, TBoundZero {
  override string toString() { result = "0" }

  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
+
+  override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) }
 }

 /**
@@ -58,9 +52,7 @@ class SsaBound extends Bound, TBoundSsa {

  override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 }

-  override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    this.getSsa().getLocation().hasLocationInfo(path, sl, sc, el, ec)
-  }
+  override Location getLocation() { result = this.getSsa().getLocation() }
 }

 /**
@@ -72,7 +64,5 @@ class ExprBound extends Bound, TBoundExpr {

  override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 }

-  override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    this.getExpr().getLocation().hasLocationInfo(path, sl, sc, el, ec)
-  }
+  override Location getLocation() { result = this.getExpr().getLocation() }
 }
--- a/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll
--- a/java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll
@@ -145,6 +145,9 @@ class ConstantStringExpr extends Expr {
  string getStringValue() { constantStringExpr(this, result) }
 }

+bindingset[f]
+private predicate okInt(float f) { -2.pow(31) <= f and f <= 2.pow(31) - 1 }
+
 /**
 * Gets an expression that equals `v - d`.
 */
@@ -153,14 +156,16 @@ Expr ssaRead(SsaVariable v, int delta) {
  or
  exists(int d1, ConstantIntegerExpr c |
    result.(AddExpr).hasOperands(ssaRead(v, d1), c) and
-    delta = d1 - c.getIntValue()
+    delta = d1 - c.getIntValue() and
+    okInt(d1.(float) - c.getIntValue().(float))
  )
  or
  exists(SubExpr sub, int d1, ConstantIntegerExpr c |
    result = sub and
    sub.getLeftOperand() = ssaRead(v, d1) and
    sub.getRightOperand() = c and
-    delta = d1 + c.getIntValue()
+    delta = d1 + c.getIntValue() and
+    okInt(d1.(float) + c.getIntValue().(float))
  )
  or
  v.(SsaExplicitUpdate).getDefiningExpr().(PreIncExpr) = result and delta = 0
--- a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll
@@ -10,6 +10,8 @@ class SsaVariable = Ssa::SsaVariable;

 class Expr = J::Expr;

+class Location = J::Location;
+
 class IntegralType = J::IntegralType;

 class ConstantIntegerExpr = RU::ConstantIntegerExpr;