[CPP-434] Improvements to Qhelp; hashCons-ify query.

Ziemowit Laski
2019-10-08 14:07:20 -07:00
parent 872054a89a
commit afa34b5054
2 changed files with 14 additions and 14 deletions


@@ -5,7 +5,7 @@
<overview>
<p>
Testing for <code>signed</code> integer overflow by adding a
value to a variable and then comparing the result to said variable
value to a variable and then comparing the result to that variable
is not defined by the C or C++ standards. The comparison may
produce an unintended result, or may be deleted by the compiler
entirely.
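Review bot: the "said variable" to "that variable" change is fine, but the sentence in this hunk still says that the *test* "is not defined by the C or C++ standards"; what the standards leave undefined is the signed overflow that the addition may produce, and the unreliable or removed comparison is the consequence. Suggest: "Testing for `signed` integer overflow by adding a value to a variable and then comparing the result to that variable relies on signed overflow, which the C and C++ standards leave undefined." The next sentence ("The comparison may produce an unintended result, or may be deleted by the compiler entirely.") then follows naturally.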
@@ -27,7 +27,7 @@ evaluated using <code>signed values</code> and its value is therefore undefined.
<sample src="SignedOverflowCheck-bad.cpp" />
<p>
In the next example, a value of type <code>signed int</code> is
getting added to a value ot type <code>unsigned int</code>. Because
added to a value of type <code>unsigned int</code>. Because
the types are of the same size, C/C++ promotion rules dictate that
<code>unsigned int</code> is chosen as the overall type of the addition
operation. The entire expression is evaluated using <code>unsigned</code>
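Review bot: beyond the "ot" to "of" typo fix, the unchanged context in this hunk attributes the choice of `unsigned int` to "C/C++ promotion rules" and to the types being "of the same size". The rule that selects the common type of a binary `+` is the usual arithmetic conversions, and it is driven by integer conversion rank rather than byte size (the integer promotions are the separate, earlier step that widens operands narrower than `int`). Suggest: "Because the two types have the same rank, the usual arithmetic conversions dictate that `<code>unsigned int</code>` is chosen as the type of the addition." Minor: the context shown in the hunk header wraps `signed values` in `<code>`, while only `signed` is a keyword; `<code>signed</code> values` would match the first hunk's style.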
@@ -36,7 +36,7 @@ values, which is allowed and defined behavior per the C/C++ standard.
<sample src="SignedOverflowCheck-good.cpp" />
</example>
<references>
<li><a href="http://c-faq.com/expr/preservingrules.html">Preserving Rules</a></li>
<li><a href="https://www.securecoding.cert.org/confluence/plugins/servlet/mobile#content/view/20086942">Understand integer conversion rules</a></li>
<li><a href="http://c-faq.com/expr/preservingrules.html">comp.lang.c FAQ list · Question 3.19 (Preserving rules)</a></li>
<li><a href="https://wiki.sei.cmu.edu/confluence/display/c/INT31-C.+Ensure+that+integer+conversions+do+not+result+in+lost+or+misinterpreted+data">INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data</a></li>
</references>
</qhelp>
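Review bot: the second `<li>` replacement changes what is cited, not just the URL: the old anchor text "Understand integer conversion rules" is the title of CERT INT02-C, while the new link goes to INT31-C, whose subject is lossy or misinterpreted conversions. If the intent was only to move off the dead securecoding.cert.org mobile URL, point the entry at INT02-C on wiki.sei.cmu.edu instead. Since the query is about signed overflow rather than conversions, CERT INT32-C ("Ensure that operations on signed integers do not result in overflow") is the rule most directly relevant to this query and is worth adding as a third reference. The retitled c-faq entry is fine.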

@@ -12,19 +12,19 @@
*/
import cpp
import semmle.code.cpp.valuenumbering.HashCons
private predicate sameAccess(VariableAccess va1, VariableAccess va2) {
hashCons(va1) = hashCons(va2)
}
from RelationalOperation ro, AddExpr add, VariableAccess va1, VariableAccess va2
where
ro.getAnOperand() = add and
add.getAnOperand() = va1 and
ro.getAnOperand() = va2 and
va1.getTarget() = va2.getTarget() and
(not exists(va1.getQualifier()) or va1.getQualifier() = va2.getQualifier()) and
/*
* if the addition (`add`) has been promoted to a signed type,
* then the other operand (`va2`) must have been likewise promoted and so
* have a signed comparison
*/
add.getExplicitlyConverted().getType().(IntegralType).isSigned()
select ro, "Testing for signed overflow may produce undefined results."
sameAccess(va1, va2) and
add.getExplicitlyConverted().getType().(IntegralType).isSigned() and
va2.getExplicitlyConverted().getType().(IntegralType).isSigned()
select va1, va1.getQualifier().getAQlClass(), va2, va2.getQualifier().getAQlClass(), ro,
"Testing for signed overflow may produce undefined results."
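Review bot: the new `select` at the end of the hunk looks like leftover debugging output and will also silently drop results. `va1.getQualifier().getAQlClass()` and `va2.getQualifier().getAQlClass()` have no value when the access has no qualifier (a plain local or global, as in `x + y < x`), and a select column with no value removes the whole row, so exactly the simplest cases the qhelp describes would stop being reported. A problem query also expects an element followed by a message string, which the removed `select ro, "Testing for signed overflow may produce undefined results."` provided; restore that form and keep `ro` as the reported element. Two smaller points: the comment block ("if the addition (`add`) has been promoted to a signed type ...") now sits above `sameAccess(va1, va2)` rather than directly above the two `isSigned()` conjuncts it explains, so move it down and mention the new `va2` check; and `sameAccess` deserves a QLDoc line stating that it compares `hashCons` values, which is why a qualified access such as `p->x` now only matches a structurally identical `p->x` and the old `getTarget()`/`getQualifier()` conjuncts could be dropped.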