diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll index 2423a3a71a0..03dbc56dc99 100644 --- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll +++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll @@ -404,7 +404,7 @@ predicate cmpWithLinearBound( * For example, if `t` is a signed 32-bit type then holds if `lb` is * `-2^31` and `ub` is `2^31 - 1`. */ -private predicate typeBounds(ArithmeticType t, float lb, float ub) { +private predicate typeBounds0(ArithmeticType t, float lb, float ub) { exists(IntegralType integralType, float limit | integralType = t and limit = 2.pow(8 * integralType.getSize()) | @@ -423,6 +423,42 @@ private predicate typeBounds(ArithmeticType t, float lb, float ub) { t instanceof FloatingPointType and lb = -(1.0 / 0.0) and ub = 1.0 / 0.0 } +/** + * Gets the underlying type for an enumeration `e`. + * + * If the enumeration does not have an explicit type we approximate it using + * the following rules: + * - The result type is always `signed`, and + * - if the largest value fits in an `int` the result is `int`. Otherwise, the + * result is `long`. + */ +private IntegralType getUnderlyingTypeForEnum(Enum e) { + result = e.getExplicitUnderlyingType() + or + not e.hasExplicitUnderlyingType() and + result.isSigned() and + exists(IntType intType | + if max(e.getAnEnumConstant().getValue().toFloat()) >= 2.pow(8 * intType.getSize() - 1) + then result instanceof LongType + else result = intType + ) +} + +/** + * Holds if `lb` and `ub` are the lower and upper bounds of the unspecified + * type `t`. + * + * For example, if `t` is a signed 32-bit type then holds if `lb` is + * `-2^31` and `ub` is `2^31 - 1`. + * + * Unlike `typeBounds0`, this predicate also handles `Enum` types. + */ +private predicate typeBounds(Type t, float lb, float ub) { + typeBounds0(t, lb, ub) + or + typeBounds0(getUnderlyingTypeForEnum(t), lb, ub) +} + private Type stripReference(Type t) { if t instanceof ReferenceType then result = t.(ReferenceType).getBaseType() else result = t } diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/missing_bounds.cpp b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/missing_bounds.cpp index cdb332e9387..a6f642e8870 100644 --- a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/missing_bounds.cpp +++ b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/missing_bounds.cpp @@ -1,34 +1,34 @@ enum MY_ENUM { - A = 0x1, // $ nonFunctionalNrOfBounds - B = 0x2, // $ nonFunctionalNrOfBounds - C = 0x4, // $ nonFunctionalNrOfBounds - D = 0x8, // $ nonFunctionalNrOfBounds - E = 0x10, // $ nonFunctionalNrOfBounds - F = 0x20, // $ nonFunctionalNrOfBounds - G = 0x40, // $ nonFunctionalNrOfBounds - H = 0x80, // $ nonFunctionalNrOfBounds - I = 0x100, // $ nonFunctionalNrOfBounds - J = 0x200, // $ nonFunctionalNrOfBounds - L = 0x400, // $ nonFunctionalNrOfBounds - M = 0x800, // $ nonFunctionalNrOfBounds - N = 0x1000, // $ nonFunctionalNrOfBounds - O = 0x2000, // $ nonFunctionalNrOfBounds - P = 0x4000, // $ nonFunctionalNrOfBounds - Q = 0x8000, // $ nonFunctionalNrOfBounds - R = 0x10000, // $ nonFunctionalNrOfBounds - S = 0x20000, // $ nonFunctionalNrOfBounds - T = 0x40000, // $ nonFunctionalNrOfBounds - U = 0x80000, // $ nonFunctionalNrOfBounds - V = 0x100000, // $ nonFunctionalNrOfBounds - W = 0x200000, // $ nonFunctionalNrOfBounds - X = 0x400000, // $ nonFunctionalNrOfBounds - Y = 0x800000, // $ nonFunctionalNrOfBounds - Z = 0x1000000, // $ nonFunctionalNrOfBounds - AA = 0x2000000, // $ nonFunctionalNrOfBounds - AB = 0x4000000, // $ nonFunctionalNrOfBounds - AC = 0x8000000, // $ nonFunctionalNrOfBounds - AD = 0x10000000, // $ nonFunctionalNrOfBounds - AE = 0x20000000 // $ nonFunctionalNrOfBounds + A = 0x1, + B = 0x2, + C = 0x4, + D = 0x8, + E = 0x10, + F = 0x20, + G = 0x40, + H = 0x80, + I = 0x100, + J = 0x200, + L = 0x400, + M = 0x800, + N = 0x1000, + O = 0x2000, + P = 0x4000, + Q = 0x8000, + R = 0x10000, + S = 0x20000, + T = 0x40000, + U = 0x80000, + V = 0x100000, + W = 0x200000, + X = 0x400000, + Y = 0x800000, + Z = 0x1000000, + AA = 0x2000000, + AB = 0x4000000, + AC = 0x8000000, + AD = 0x10000000, + AE = 0x20000000 }; typedef unsigned int MY_ENUM_FLAGS; @@ -37,13 +37,13 @@ MY_ENUM_FLAGS check_and_subs(MY_ENUM_FLAGS x) { #define CHECK_AND_SUB(flag) if ((x & flag) == flag) { x -= flag; } - CHECK_AND_SUB(A); // $ nonFunctionalNrOfBounds - CHECK_AND_SUB(B); // $ nonFunctionalNrOfBounds - CHECK_AND_SUB(C); // $ nonFunctionalNrOfBounds - CHECK_AND_SUB(D); // $ nonFunctionalNrOfBounds - CHECK_AND_SUB(E); // $ nonFunctionalNrOfBounds - CHECK_AND_SUB(F); // $ nonFunctionalNrOfBounds - CHECK_AND_SUB(G); // $ nonFunctionalNrOfBounds + CHECK_AND_SUB(A); + CHECK_AND_SUB(B); + CHECK_AND_SUB(C); + CHECK_AND_SUB(D); + CHECK_AND_SUB(E); + CHECK_AND_SUB(F); + CHECK_AND_SUB(G); // CHECK_AND_SUB(H); // CHECK_AND_SUB(I); // CHECK_AND_SUB(J); @@ -69,5 +69,5 @@ MY_ENUM_FLAGS check_and_subs(MY_ENUM_FLAGS x) // CHECK_AND_SUB(AE); #undef CHECK_AND_SUB - return x; // $ nonFunctionalNrOfBounds + return x; } \ No newline at end of file diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected index 98189dd2d07..08b2995845a 100644 --- a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected +++ b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected @@ -37,36 +37,121 @@ estimateNrOfBounds | minmax.c:26:37:26:37 | x | 1.0 | | minmax.c:26:40:26:40 | y | 1.0 | | minmax.c:26:43:26:43 | z | 2.0 | +| missing_bounds.cpp:2:9:2:11 | 1 | 1.0 | +| missing_bounds.cpp:3:9:3:11 | 2 | 1.0 | +| missing_bounds.cpp:4:9:4:11 | 4 | 1.0 | +| missing_bounds.cpp:5:9:5:11 | 8 | 1.0 | +| missing_bounds.cpp:6:9:6:12 | 16 | 1.0 | +| missing_bounds.cpp:7:9:7:12 | 32 | 1.0 | +| missing_bounds.cpp:8:9:8:12 | 64 | 1.0 | +| missing_bounds.cpp:9:9:9:12 | 128 | 1.0 | +| missing_bounds.cpp:10:9:10:13 | 256 | 1.0 | +| missing_bounds.cpp:11:9:11:13 | 512 | 1.0 | +| missing_bounds.cpp:12:9:12:13 | 1024 | 1.0 | +| missing_bounds.cpp:13:9:13:13 | 2048 | 1.0 | +| missing_bounds.cpp:14:9:14:14 | 4096 | 1.0 | +| missing_bounds.cpp:15:9:15:14 | 8192 | 1.0 | +| missing_bounds.cpp:16:9:16:14 | 16384 | 1.0 | +| missing_bounds.cpp:17:9:17:14 | 32768 | 1.0 | +| missing_bounds.cpp:18:9:18:15 | 65536 | 1.0 | +| missing_bounds.cpp:19:9:19:15 | 131072 | 1.0 | +| missing_bounds.cpp:20:9:20:15 | 262144 | 1.0 | +| missing_bounds.cpp:21:9:21:15 | 524288 | 1.0 | +| missing_bounds.cpp:22:9:22:16 | 1048576 | 1.0 | +| missing_bounds.cpp:23:9:23:16 | 2097152 | 1.0 | +| missing_bounds.cpp:24:9:24:16 | 4194304 | 1.0 | +| missing_bounds.cpp:25:9:25:16 | 8388608 | 1.0 | +| missing_bounds.cpp:26:9:26:17 | 16777216 | 1.0 | +| missing_bounds.cpp:27:10:27:18 | 33554432 | 1.0 | +| missing_bounds.cpp:28:10:28:18 | 67108864 | 1.0 | +| missing_bounds.cpp:29:10:29:18 | 134217728 | 1.0 | +| missing_bounds.cpp:30:10:30:19 | 268435456 | 1.0 | +| missing_bounds.cpp:31:10:31:19 | 536870912 | 1.0 | +| missing_bounds.cpp:40:5:40:19 | ... & ... | 1.0 | +| missing_bounds.cpp:40:5:40:19 | ... -= ... | 1.0 | | missing_bounds.cpp:40:5:40:19 | ... == ... | 1.0 | +| missing_bounds.cpp:40:5:40:20 | (...) | 1.0 | | missing_bounds.cpp:40:5:40:20 | x | 1.0 | | missing_bounds.cpp:40:5:40:20 | x | 1.0 | | missing_bounds.cpp:40:19:40:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:40:19:40:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:40:19:40:19 | (unsigned int)... | 1.0 | +| missing_bounds.cpp:40:19:40:19 | A | 1.0 | +| missing_bounds.cpp:40:19:40:19 | A | 1.0 | +| missing_bounds.cpp:40:19:40:19 | A | 1.0 | +| missing_bounds.cpp:41:5:41:19 | ... & ... | 2.0 | +| missing_bounds.cpp:41:5:41:19 | ... -= ... | 2.0 | | missing_bounds.cpp:41:5:41:19 | ... == ... | 1.0 | +| missing_bounds.cpp:41:5:41:20 | (...) | 2.0 | +| missing_bounds.cpp:41:5:41:20 | x | 2.0 | +| missing_bounds.cpp:41:5:41:20 | x | 2.0 | | missing_bounds.cpp:41:19:41:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:41:19:41:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:41:19:41:19 | (unsigned int)... | 1.0 | +| missing_bounds.cpp:41:19:41:19 | B | 1.0 | +| missing_bounds.cpp:41:19:41:19 | B | 1.0 | +| missing_bounds.cpp:41:19:41:19 | B | 1.0 | +| missing_bounds.cpp:42:5:42:19 | ... & ... | 4.0 | +| missing_bounds.cpp:42:5:42:19 | ... -= ... | 4.0 | | missing_bounds.cpp:42:5:42:19 | ... == ... | 1.0 | +| missing_bounds.cpp:42:5:42:20 | (...) | 4.0 | +| missing_bounds.cpp:42:5:42:20 | x | 4.0 | +| missing_bounds.cpp:42:5:42:20 | x | 4.0 | | missing_bounds.cpp:42:19:42:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:42:19:42:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:42:19:42:19 | (unsigned int)... | 1.0 | +| missing_bounds.cpp:42:19:42:19 | C | 1.0 | +| missing_bounds.cpp:42:19:42:19 | C | 1.0 | +| missing_bounds.cpp:42:19:42:19 | C | 1.0 | +| missing_bounds.cpp:43:5:43:19 | ... & ... | 8.0 | +| missing_bounds.cpp:43:5:43:19 | ... -= ... | 8.0 | | missing_bounds.cpp:43:5:43:19 | ... == ... | 1.0 | +| missing_bounds.cpp:43:5:43:20 | (...) | 8.0 | +| missing_bounds.cpp:43:5:43:20 | x | 8.0 | +| missing_bounds.cpp:43:5:43:20 | x | 8.0 | | missing_bounds.cpp:43:19:43:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:43:19:43:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:43:19:43:19 | (unsigned int)... | 1.0 | +| missing_bounds.cpp:43:19:43:19 | D | 1.0 | +| missing_bounds.cpp:43:19:43:19 | D | 1.0 | +| missing_bounds.cpp:43:19:43:19 | D | 1.0 | +| missing_bounds.cpp:44:5:44:19 | ... & ... | 16.0 | +| missing_bounds.cpp:44:5:44:19 | ... -= ... | 16.0 | | missing_bounds.cpp:44:5:44:19 | ... == ... | 1.0 | +| missing_bounds.cpp:44:5:44:20 | (...) | 16.0 | +| missing_bounds.cpp:44:5:44:20 | x | 16.0 | +| missing_bounds.cpp:44:5:44:20 | x | 16.0 | | missing_bounds.cpp:44:19:44:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:44:19:44:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:44:19:44:19 | (unsigned int)... | 1.0 | +| missing_bounds.cpp:44:19:44:19 | E | 1.0 | +| missing_bounds.cpp:44:19:44:19 | E | 1.0 | +| missing_bounds.cpp:44:19:44:19 | E | 1.0 | +| missing_bounds.cpp:45:5:45:19 | ... & ... | 32.0 | +| missing_bounds.cpp:45:5:45:19 | ... -= ... | 32.0 | | missing_bounds.cpp:45:5:45:19 | ... == ... | 1.0 | +| missing_bounds.cpp:45:5:45:20 | (...) | 32.0 | +| missing_bounds.cpp:45:5:45:20 | x | 32.0 | +| missing_bounds.cpp:45:5:45:20 | x | 32.0 | | missing_bounds.cpp:45:19:45:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:45:19:45:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:45:19:45:19 | (unsigned int)... | 1.0 | +| missing_bounds.cpp:45:19:45:19 | F | 1.0 | +| missing_bounds.cpp:45:19:45:19 | F | 1.0 | +| missing_bounds.cpp:45:19:45:19 | F | 1.0 | +| missing_bounds.cpp:46:5:46:19 | ... & ... | 64.0 | +| missing_bounds.cpp:46:5:46:19 | ... -= ... | 64.0 | | missing_bounds.cpp:46:5:46:19 | ... == ... | 1.0 | +| missing_bounds.cpp:46:5:46:20 | (...) | 64.0 | +| missing_bounds.cpp:46:5:46:20 | x | 64.0 | +| missing_bounds.cpp:46:5:46:20 | x | 64.0 | | missing_bounds.cpp:46:19:46:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:46:19:46:19 | (unsigned int)... | 1.0 | | missing_bounds.cpp:46:19:46:19 | (unsigned int)... | 1.0 | +| missing_bounds.cpp:46:19:46:19 | G | 1.0 | +| missing_bounds.cpp:46:19:46:19 | G | 1.0 | +| missing_bounds.cpp:46:19:46:19 | G | 1.0 | +| missing_bounds.cpp:72:12:72:12 | x | 128.0 | | test.c:6:14:6:15 | 0 | 1.0 | | test.c:8:5:8:9 | count | 1.0 | | test.c:8:5:8:19 | ... = ... | 13.0 |