hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 12:45:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

[CPP-434] Switch to global value numbering (GVN). Improve qlhelp doc.

Browse Source
This commit is contained in:
Ziemowit Laski
2019-10-08 16:33:05 -07:00
parent afa34b5054
commit bd87d7bc76
4 changed files with 18 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-bad2.cpp Normal file
View File

@@ -0,0 +1,3 @@
bool bar(unsigned short n1, unsigned short delta) {
return n1 + delta < n1; // BAD
}

2
cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck-good.cpp
View File

@@ -1,3 +1,3 @@
bool bar(int n1, unsigned int delta) {
bool baz(int n1, unsigned int delta) {
return n1 + delta < n1; // GOOD
}

11
cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.qhelp
View File

@@ -22,10 +22,19 @@ In the following example, even though <code>delta</code> has been declared
<code>unsigned short</code>, C/C++ type promotion rules require that its
type is promoted to the larger type used in the addition and comparison,
namely a <code>signed int</code>. As a result, the entire expression is
evaluated using <code>signed values</code> and its value is therefore undefined.
evaluated using <code>signed</code> values and its value is therefore undefined.
</p>
<sample src="SignedOverflowCheck-bad.cpp" />
<p>
In the following example, even though both <code>n</code> and <code>delta</code>
have been declared <code>unsigned short</code>, C/C++ type promotion rules
require that both parameters be promoted to the next bigger <code>signed</code>
integer type (in this case <code>signed int</code>) before being added together
so as to avoid overflows or underflows. As a result, the entire expression is
evaluated using <code>signed</code> values and its value is therefore undefined.
</p>
<sample src="SignedOverflowCheck-bad2.cpp" />
<p>
In the next example, a value of type <code>signed int</code> is
added to a value of type <code>unsigned int</code>. Because
the types are of the same size, C/C++ promotion rules dictate that

9
cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
View File

@@ -5,17 +5,17 @@
* `unsigned` integer values.
* @kind problem
* @problem.severity warning
* @precision medium
* @precision high
* @id cpp/signed-overflow-check
* @tags reliability
* security
*/
import cpp
import semmle.code.cpp.valuenumbering.HashCons
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
private predicate sameAccess(VariableAccess va1, VariableAccess va2) {
hashCons(va1) = hashCons(va2)
globalValueNumber(va1) = globalValueNumber(va2)
}
from RelationalOperation ro, AddExpr add, VariableAccess va1, VariableAccess va2
@@ -26,5 +26,4 @@ where
sameAccess(va1, va2) and
add.getExplicitlyConverted().getType().(IntegralType).isSigned() and
va2.getExplicitlyConverted().getType().(IntegralType).isSigned()
select va1, va1.getQualifier().getAQlClass(), va2, va2.getQualifier().getAQlClass(), ro,
"Testing for signed overflow may produce undefined results."
select ro, "Testing for signed overflow may produce undefined results."