Merge pull request #2085 from aschackmull/java/overflow-check-fp

Java: Add another overflow check pattern to UselessComparisonTest.
2026-04-30 19:26:02 +02:00 · 2019-10-18 11:01:24 -04:00
parent 0ad802bad0 582a91f1e9
commit afcde14403
3 changed files with 47 additions and 15 deletions
--- a/Bugs/Comparison/UselessComparisonTest.ql
+++ b/Bugs/Comparison/UselessComparisonTest.ql
@@ -134,37 +134,48 @@ Expr overFlowCand() {
  result.(LocalVariableDeclExpr).getInit() = overFlowCand()
 }

-/** Gets an expression that equals `v` plus a positive value. */
-Expr increaseOfVar(SsaVariable v) {
+predicate positiveOrNegative(Expr e) { positive(e) or negative(e) }
+
+/** Gets an expression that equals `v` plus a positive or negative value. */
+Expr increaseOrDecreaseOfVar(SsaVariable v) {
  exists(AssignAddExpr add |
    result = add and
-    positive(add.getDest()) and
+    positiveOrNegative(add.getDest()) and
    add.getRhs() = v.getAUse()
  )
  or
  exists(AddExpr add, Expr e |
    result = add and
    add.hasOperands(v.getAUse(), e) and
-    positive(e)
+    positiveOrNegative(e)
  )
  or
-  exists(SsaExplicitUpdate x | result = x.getAUse() and x.getDefiningExpr() = increaseOfVar(v))
+  exists(SubExpr sub |
+    result = sub and
+    sub.getLeftOperand() = v.getAUse() and
+    positiveOrNegative(sub.getRightOperand())
+  )
  or
-  result.(ParExpr).getExpr() = increaseOfVar(v)
+  exists(SsaExplicitUpdate x |
+    result = x.getAUse() and x.getDefiningExpr() = increaseOrDecreaseOfVar(v)
+  )
  or
-  result.(AssignExpr).getRhs() = increaseOfVar(v)
+  result.(ParExpr).getExpr() = increaseOrDecreaseOfVar(v)
  or
-  result.(LocalVariableDeclExpr).getInit() = increaseOfVar(v)
+  result.(AssignExpr).getRhs() = increaseOrDecreaseOfVar(v)
+  or
+  result.(LocalVariableDeclExpr).getInit() = increaseOrDecreaseOfVar(v)
 }

 predicate overFlowTest(ComparisonExpr comp) {
-  exists(SsaVariable v |
-    comp.getLesserOperand() = increaseOfVar(v) and
-    comp.getGreaterOperand() = v.getAUse()
-  )
-  or
-  comp.getLesserOperand() = overFlowCand() and
-  comp.getGreaterOperand().(IntegerLiteral).getIntValue() = 0
+  (
+    exists(SsaVariable v | comp.hasOperands(increaseOrDecreaseOfVar(v), v.getAUse()))
+    or
+    comp.getLesserOperand() = overFlowCand() and
+    comp.getGreaterOperand().(IntegerLiteral).getIntValue() = 0
+  ) and
+  // exclude loop conditions as they are unlikely to be overflow tests
+  not comp.getEnclosingStmt() instanceof LoopStmt
 }

 predicate concurrentModificationTest(BinaryExpr test) {
--- a/java/ql/test/query-tests/UselessComparisonTest/A.java
+++ b/java/ql/test/query-tests/UselessComparisonTest/A.java
@@ -121,6 +121,26 @@ public class A {
    }
  }

+  static final long VAL = 100L;
+
+  long overflowAwareIncrease(long x) {
+    if (x + VAL > x) {
+      return x + VAL;
+    } else {
+      overflow();
+      return Long.MAX_VALUE;
+    }
+  }
+
+  long overflowAwareDecrease(long x) {
+    if (x - VAL < x) {
+      return x - VAL;
+    } else {
+      overflow();
+      return Long.MIN_VALUE;
+    }
+  }
+
  void overflow() { }

  void unreachableCode() {