C++: Also compute type bounds for accesses of an enum type.

2026-02-23 10:23:41 +01:00 · 2026-02-11 17:01:41 +00:00
parent b14ece72be
commit a4dd4f91d4
3 changed files with 160 additions and 39 deletions
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll
@@ -404,7 +404,7 @@ predicate cmpWithLinearBound(
 * For example, if `t` is a signed 32-bit type then holds if `lb` is
 * `-2^31` and `ub` is `2^31 - 1`.
 */
-private predicate typeBounds(ArithmeticType t, float lb, float ub) {
+private predicate typeBounds0(ArithmeticType t, float lb, float ub) {
  exists(IntegralType integralType, float limit |
    integralType = t and limit = 2.pow(8 * integralType.getSize())
  |
@@ -423,6 +423,42 @@ private predicate typeBounds(ArithmeticType t, float lb, float ub) {
  t instanceof FloatingPointType and lb = -(1.0 / 0.0) and ub = 1.0 / 0.0
 }

+/**
+ * Gets the underlying type for an enumeration `e`.
+ *
+ * If the enumeration does not have an explicit type we approximate it using
+ * the following rules:
+ * - The result type is always `signed`, and
+ * - if the largest value fits in an `int` the result is `int`. Otherwise, the
+ * result is `long`.
+ */
+private IntegralType getUnderlyingTypeForEnum(Enum e) {
+  result = e.getExplicitUnderlyingType()
+  or
+  not e.hasExplicitUnderlyingType() and
+  result.isSigned() and
+  exists(IntType intType |
+    if max(e.getAnEnumConstant().getValue().toFloat()) >= 2.pow(8 * intType.getSize() - 1)
+    then result instanceof LongType
+    else result = intType
+  )
+}
+
+/**
+ * Holds if `lb` and `ub` are the lower and upper bounds of the unspecified
+ * type `t`.
+ *
+ * For example, if `t` is a signed 32-bit type then holds if `lb` is
+ * `-2^31` and `ub` is `2^31 - 1`.
+ *
+ * Unlike `typeBounds0`, this predicate also handles `Enum` types.
+ */
+private predicate typeBounds(Type t, float lb, float ub) {
+  typeBounds0(t, lb, ub)
+  or
+  typeBounds0(getUnderlyingTypeForEnum(t), lb, ub)
+}
+
 private Type stripReference(Type t) {
  if t instanceof ReferenceType then result = t.(ReferenceType).getBaseType() else result = t
 }
--- a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/missing_bounds.cpp
+++ b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/missing_bounds.cpp
@@ -1,34 +1,34 @@
 enum MY_ENUM {
-    A = 0x1, // $ nonFunctionalNrOfBounds
-    B = 0x2, // $ nonFunctionalNrOfBounds
-    C = 0x4, // $ nonFunctionalNrOfBounds
-    D = 0x8, // $ nonFunctionalNrOfBounds
-    E = 0x10, // $ nonFunctionalNrOfBounds
-    F = 0x20, // $ nonFunctionalNrOfBounds
-    G = 0x40, // $ nonFunctionalNrOfBounds
-    H = 0x80, // $ nonFunctionalNrOfBounds
-    I = 0x100, // $ nonFunctionalNrOfBounds
-    J = 0x200, // $ nonFunctionalNrOfBounds
-    L = 0x400, // $ nonFunctionalNrOfBounds
-    M = 0x800, // $ nonFunctionalNrOfBounds
-    N = 0x1000, // $ nonFunctionalNrOfBounds
-    O = 0x2000, // $ nonFunctionalNrOfBounds
-    P = 0x4000, // $ nonFunctionalNrOfBounds
-    Q = 0x8000, // $ nonFunctionalNrOfBounds
-    R = 0x10000, // $ nonFunctionalNrOfBounds
-    S = 0x20000, // $ nonFunctionalNrOfBounds
-    T = 0x40000, // $ nonFunctionalNrOfBounds
-    U = 0x80000, // $ nonFunctionalNrOfBounds
-    V = 0x100000, // $ nonFunctionalNrOfBounds
-    W = 0x200000, // $ nonFunctionalNrOfBounds
-    X = 0x400000, // $ nonFunctionalNrOfBounds
-    Y = 0x800000, // $ nonFunctionalNrOfBounds
-    Z = 0x1000000, // $ nonFunctionalNrOfBounds
-    AA = 0x2000000, // $ nonFunctionalNrOfBounds
-    AB = 0x4000000, // $ nonFunctionalNrOfBounds
-    AC = 0x8000000, // $ nonFunctionalNrOfBounds
-    AD = 0x10000000, // $ nonFunctionalNrOfBounds
-    AE = 0x20000000 // $ nonFunctionalNrOfBounds
+    A = 0x1,
+    B = 0x2,
+    C = 0x4,
+    D = 0x8,
+    E = 0x10,
+    F = 0x20,
+    G = 0x40,
+    H = 0x80,
+    I = 0x100,
+    J = 0x200,
+    L = 0x400,
+    M = 0x800,
+    N = 0x1000,
+    O = 0x2000,
+    P = 0x4000,
+    Q = 0x8000,
+    R = 0x10000,
+    S = 0x20000,
+    T = 0x40000,
+    U = 0x80000,
+    V = 0x100000,
+    W = 0x200000,
+    X = 0x400000,
+    Y = 0x800000,
+    Z = 0x1000000,
+    AA = 0x2000000,
+    AB = 0x4000000,
+    AC = 0x8000000,
+    AD = 0x10000000,
+    AE = 0x20000000
 };

 typedef unsigned int MY_ENUM_FLAGS;
@@ -37,13 +37,13 @@ MY_ENUM_FLAGS check_and_subs(MY_ENUM_FLAGS x)
 {

    #define CHECK_AND_SUB(flag) if ((x & flag) == flag) { x -= flag; }
-    CHECK_AND_SUB(A); // $ nonFunctionalNrOfBounds
-    CHECK_AND_SUB(B); // $ nonFunctionalNrOfBounds
-    CHECK_AND_SUB(C); // $ nonFunctionalNrOfBounds
-    CHECK_AND_SUB(D); // $ nonFunctionalNrOfBounds
-    CHECK_AND_SUB(E); // $ nonFunctionalNrOfBounds
-    CHECK_AND_SUB(F); // $ nonFunctionalNrOfBounds
-    CHECK_AND_SUB(G); // $ nonFunctionalNrOfBounds
+    CHECK_AND_SUB(A);
+    CHECK_AND_SUB(B);
+    CHECK_AND_SUB(C);
+    CHECK_AND_SUB(D);
+    CHECK_AND_SUB(E);
+    CHECK_AND_SUB(F);
+    CHECK_AND_SUB(G);
    // CHECK_AND_SUB(H);
    // CHECK_AND_SUB(I);
    // CHECK_AND_SUB(J);
@@ -69,5 +69,5 @@ MY_ENUM_FLAGS check_and_subs(MY_ENUM_FLAGS x)
    // CHECK_AND_SUB(AE);
    #undef CHECK_AND_SUB
    
-    return x; // $ nonFunctionalNrOfBounds
+    return x;
 }
--- a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected
+++ b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected
@@ -37,36 +37,121 @@ estimateNrOfBounds
 | minmax.c:26:37:26:37 | x | 1.0 |
 | minmax.c:26:40:26:40 | y | 1.0 |
 | minmax.c:26:43:26:43 | z | 2.0 |
+| missing_bounds.cpp:2:9:2:11 | 1 | 1.0 |
+| missing_bounds.cpp:3:9:3:11 | 2 | 1.0 |
+| missing_bounds.cpp:4:9:4:11 | 4 | 1.0 |
+| missing_bounds.cpp:5:9:5:11 | 8 | 1.0 |
+| missing_bounds.cpp:6:9:6:12 | 16 | 1.0 |
+| missing_bounds.cpp:7:9:7:12 | 32 | 1.0 |
+| missing_bounds.cpp:8:9:8:12 | 64 | 1.0 |
+| missing_bounds.cpp:9:9:9:12 | 128 | 1.0 |
+| missing_bounds.cpp:10:9:10:13 | 256 | 1.0 |
+| missing_bounds.cpp:11:9:11:13 | 512 | 1.0 |
+| missing_bounds.cpp:12:9:12:13 | 1024 | 1.0 |
+| missing_bounds.cpp:13:9:13:13 | 2048 | 1.0 |
+| missing_bounds.cpp:14:9:14:14 | 4096 | 1.0 |
+| missing_bounds.cpp:15:9:15:14 | 8192 | 1.0 |
+| missing_bounds.cpp:16:9:16:14 | 16384 | 1.0 |
+| missing_bounds.cpp:17:9:17:14 | 32768 | 1.0 |
+| missing_bounds.cpp:18:9:18:15 | 65536 | 1.0 |
+| missing_bounds.cpp:19:9:19:15 | 131072 | 1.0 |
+| missing_bounds.cpp:20:9:20:15 | 262144 | 1.0 |
+| missing_bounds.cpp:21:9:21:15 | 524288 | 1.0 |
+| missing_bounds.cpp:22:9:22:16 | 1048576 | 1.0 |
+| missing_bounds.cpp:23:9:23:16 | 2097152 | 1.0 |
+| missing_bounds.cpp:24:9:24:16 | 4194304 | 1.0 |
+| missing_bounds.cpp:25:9:25:16 | 8388608 | 1.0 |
+| missing_bounds.cpp:26:9:26:17 | 16777216 | 1.0 |
+| missing_bounds.cpp:27:10:27:18 | 33554432 | 1.0 |
+| missing_bounds.cpp:28:10:28:18 | 67108864 | 1.0 |
+| missing_bounds.cpp:29:10:29:18 | 134217728 | 1.0 |
+| missing_bounds.cpp:30:10:30:19 | 268435456 | 1.0 |
+| missing_bounds.cpp:31:10:31:19 | 536870912 | 1.0 |
+| missing_bounds.cpp:40:5:40:19 | ... & ... | 1.0 |
+| missing_bounds.cpp:40:5:40:19 | ... -= ... | 1.0 |
 | missing_bounds.cpp:40:5:40:19 | ... == ... | 1.0 |
+| missing_bounds.cpp:40:5:40:20 | (...) | 1.0 |
 | missing_bounds.cpp:40:5:40:20 | x | 1.0 |
 | missing_bounds.cpp:40:5:40:20 | x | 1.0 |
 | missing_bounds.cpp:40:19:40:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:40:19:40:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:40:19:40:19 | (unsigned int)... | 1.0 |
+| missing_bounds.cpp:40:19:40:19 | A | 1.0 |
+| missing_bounds.cpp:40:19:40:19 | A | 1.0 |
+| missing_bounds.cpp:40:19:40:19 | A | 1.0 |
+| missing_bounds.cpp:41:5:41:19 | ... & ... | 2.0 |
+| missing_bounds.cpp:41:5:41:19 | ... -= ... | 2.0 |
 | missing_bounds.cpp:41:5:41:19 | ... == ... | 1.0 |
+| missing_bounds.cpp:41:5:41:20 | (...) | 2.0 |
+| missing_bounds.cpp:41:5:41:20 | x | 2.0 |
+| missing_bounds.cpp:41:5:41:20 | x | 2.0 |
 | missing_bounds.cpp:41:19:41:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:41:19:41:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:41:19:41:19 | (unsigned int)... | 1.0 |
+| missing_bounds.cpp:41:19:41:19 | B | 1.0 |
+| missing_bounds.cpp:41:19:41:19 | B | 1.0 |
+| missing_bounds.cpp:41:19:41:19 | B | 1.0 |
+| missing_bounds.cpp:42:5:42:19 | ... & ... | 4.0 |
+| missing_bounds.cpp:42:5:42:19 | ... -= ... | 4.0 |
 | missing_bounds.cpp:42:5:42:19 | ... == ... | 1.0 |
+| missing_bounds.cpp:42:5:42:20 | (...) | 4.0 |
+| missing_bounds.cpp:42:5:42:20 | x | 4.0 |
+| missing_bounds.cpp:42:5:42:20 | x | 4.0 |
 | missing_bounds.cpp:42:19:42:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:42:19:42:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:42:19:42:19 | (unsigned int)... | 1.0 |
+| missing_bounds.cpp:42:19:42:19 | C | 1.0 |
+| missing_bounds.cpp:42:19:42:19 | C | 1.0 |
+| missing_bounds.cpp:42:19:42:19 | C | 1.0 |
+| missing_bounds.cpp:43:5:43:19 | ... & ... | 8.0 |
+| missing_bounds.cpp:43:5:43:19 | ... -= ... | 8.0 |
 | missing_bounds.cpp:43:5:43:19 | ... == ... | 1.0 |
+| missing_bounds.cpp:43:5:43:20 | (...) | 8.0 |
+| missing_bounds.cpp:43:5:43:20 | x | 8.0 |
+| missing_bounds.cpp:43:5:43:20 | x | 8.0 |
 | missing_bounds.cpp:43:19:43:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:43:19:43:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:43:19:43:19 | (unsigned int)... | 1.0 |
+| missing_bounds.cpp:43:19:43:19 | D | 1.0 |
+| missing_bounds.cpp:43:19:43:19 | D | 1.0 |
+| missing_bounds.cpp:43:19:43:19 | D | 1.0 |
+| missing_bounds.cpp:44:5:44:19 | ... & ... | 16.0 |
+| missing_bounds.cpp:44:5:44:19 | ... -= ... | 16.0 |
 | missing_bounds.cpp:44:5:44:19 | ... == ... | 1.0 |
+| missing_bounds.cpp:44:5:44:20 | (...) | 16.0 |
+| missing_bounds.cpp:44:5:44:20 | x | 16.0 |
+| missing_bounds.cpp:44:5:44:20 | x | 16.0 |
 | missing_bounds.cpp:44:19:44:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:44:19:44:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:44:19:44:19 | (unsigned int)... | 1.0 |
+| missing_bounds.cpp:44:19:44:19 | E | 1.0 |
+| missing_bounds.cpp:44:19:44:19 | E | 1.0 |
+| missing_bounds.cpp:44:19:44:19 | E | 1.0 |
+| missing_bounds.cpp:45:5:45:19 | ... & ... | 32.0 |
+| missing_bounds.cpp:45:5:45:19 | ... -= ... | 32.0 |
 | missing_bounds.cpp:45:5:45:19 | ... == ... | 1.0 |
+| missing_bounds.cpp:45:5:45:20 | (...) | 32.0 |
+| missing_bounds.cpp:45:5:45:20 | x | 32.0 |
+| missing_bounds.cpp:45:5:45:20 | x | 32.0 |
 | missing_bounds.cpp:45:19:45:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:45:19:45:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:45:19:45:19 | (unsigned int)... | 1.0 |
+| missing_bounds.cpp:45:19:45:19 | F | 1.0 |
+| missing_bounds.cpp:45:19:45:19 | F | 1.0 |
+| missing_bounds.cpp:45:19:45:19 | F | 1.0 |
+| missing_bounds.cpp:46:5:46:19 | ... & ... | 64.0 |
+| missing_bounds.cpp:46:5:46:19 | ... -= ... | 64.0 |
 | missing_bounds.cpp:46:5:46:19 | ... == ... | 1.0 |
+| missing_bounds.cpp:46:5:46:20 | (...) | 64.0 |
+| missing_bounds.cpp:46:5:46:20 | x | 64.0 |
+| missing_bounds.cpp:46:5:46:20 | x | 64.0 |
 | missing_bounds.cpp:46:19:46:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:46:19:46:19 | (unsigned int)... | 1.0 |
 | missing_bounds.cpp:46:19:46:19 | (unsigned int)... | 1.0 |
+| missing_bounds.cpp:46:19:46:19 | G | 1.0 |
+| missing_bounds.cpp:46:19:46:19 | G | 1.0 |
+| missing_bounds.cpp:46:19:46:19 | G | 1.0 |
+| missing_bounds.cpp:72:12:72:12 | x | 128.0 |
 | test.c:6:14:6:15 | 0 | 1.0 |
 | test.c:8:5:8:9 | count | 1.0 |
 | test.c:8:5:8:19 | ... = ... | 13.0 |