C++: fix SimpleRangeAnalysis for equivclass SemExpr

2025-12-23 12:16:33 +01:00 · 2023-03-30 12:06:47 -04:00
parent 4b4fc97221
commit 868b2385d1
1 changed files with 18 additions and 2 deletions
--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SimpleRangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SimpleRangeAnalysis.qll
@@ -95,7 +95,15 @@ predicate defMightOverflow(RangeSsaDefinition def, StackVariable v) {
 * does not consider the possibility that the expression might overflow
 * due to a conversion.
 */
-predicate exprMightOverflowNegatively(Expr expr) { lowerBound(expr) < exprMinVal(expr) }
+predicate exprMightOverflowNegatively(Expr expr) {
  lowerBound(expr) < exprMinVal(expr)
  or
  exists(SemanticExprConfig::Expr semExpr |
    semExpr.getUnconverted().getAst() = expr and
    ConstantStage::potentiallyOverflowingExpr(false, semExpr) and
    not ConstantStage::initialBounded(semExpr, _, _, false, _, _, _)
  )
 }
 /**
 * Holds if the expression might overflow negatively. Conversions
@@ -113,7 +121,15 @@ predicate convertedExprMightOverflowNegatively(Expr expr) {
 * does not consider the possibility that the expression might overflow
 * due to a conversion.
 */
-predicate exprMightOverflowPositively(Expr expr) { upperBound(expr) > exprMaxVal(expr) }
+predicate exprMightOverflowPositively(Expr expr) {
  upperBound(expr) > exprMaxVal(expr)
  or
  exists(SemanticExprConfig::Expr semExpr |
    semExpr.getUnconverted().getAst() = expr and
    ConstantStage::potentiallyOverflowingExpr(true, semExpr) and
    not ConstantStage::initialBounded(semExpr, _, _, true, _, _, _)
  )
 }
 /**
 * Holds if the expression might overflow positively. Conversions