Merge pull request #2750 from Cornelius-Riemenschneider/cpp-range-analysis-casts

C++: Support implicit casts better in range analysis
2025-12-22 11:46:32 +01:00 · 2020-02-05 13:59:09 -07:00
parent 81b1bd4177 eafd7b6045
commit c53f80175f
3 changed files with 33 additions and 1 deletions
--- a/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
@@ -187,6 +187,13 @@ private predicate boundFlowStepSsa(
    guard.controls(op2.getUse().getBlock(), testIsTrue) and
    reason = TCondReason(guard)
  )
+  or
+  exists(IRGuardCondition guard, boolean testIsTrue, SafeCastInstruction cast |
+    valueNumberOfOperand(op2) = valueNumber(cast.getUnary()) and
+    guard = boundFlowCond(valueNumber(cast), op1, delta, upper, testIsTrue) and
+    guard.controls(op2.getUse().getBlock(), testIsTrue) and
+    reason = TCondReason(guard)
+  )
 }

 /**
@@ -259,7 +266,7 @@ private predicate safeCast(IntegralType fromtyp, IntegralType totyp) {

 private class SafeCastInstruction extends ConvertInstruction {
  SafeCastInstruction() {
-    safeCast(getResultType(), getUnary().getResultType())
+    safeCast(getUnary().getResultType(), getResultType())
    or
    getResultType() instanceof PointerType and
    getUnary().getResultType() instanceof PointerType
--- a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected
+++ b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected
@@ -59,3 +59,6 @@
 | test.cpp:183:10:183:10 | Load: i | test.cpp:175:23:175:23 | InitializeParameter: x | -1 | true | CompareLT: ... < ... | test.cpp:182:9:182:13 | test.cpp:182:9:182:13 |
 | test.cpp:185:10:185:10 | Load: i | test.cpp:175:23:175:23 | InitializeParameter: x | 0 | true | CompareLT: ... < ... | test.cpp:176:7:176:11 | test.cpp:176:7:176:11 |
 | test.cpp:187:10:187:10 | Store: i | test.cpp:175:23:175:23 | InitializeParameter: x | 0 | false | CompareLT: ... < ... | test.cpp:182:9:182:13 | test.cpp:182:9:182:13 |
+| test.cpp:199:10:199:10 | Load: i | test.cpp:197:25:197:25 | InitializeParameter: l | -1 | true | CompareLT: ... < ... | test.cpp:198:7:198:11 | test.cpp:198:7:198:11 |
+| test.cpp:202:11:202:11 | Load: i | test.cpp:197:25:197:25 | InitializeParameter: l | -3 | true | CompareLT: ... < ... | test.cpp:201:7:201:15 | test.cpp:201:7:201:15 |
+| test.cpp:208:10:208:10 | Load: x | test.cpp:206:24:206:24 | InitializeParameter: y | -3 | true | CompareLT: ... < ... | test.cpp:207:7:207:15 | test.cpp:207:7:207:15 |
--- a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/test.cpp
+++ b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/test.cpp
@@ -186,3 +186,25 @@ int test15(int i, int x) {
  }
  return i;
 }
+
+// safe integer type conversion
+int test16(int i) {
+  long l;
+  l = i;
+}
+
+// implicit integer casts
+void test17(int i, long l) {
+  if (i < l) {
+    sink(i);
+  }
+  if (i < l - 2) {
+    sink (i);
+  }
+}
+
+void test18(int x, int y) {
+  if (x < y - 2) {
+    sink(x);
+  }
+}