hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 08:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Use range analysis in IntMultToLong.

Browse Source
This commit is contained in:
Anders Schack-Mulligen
2019-04-03 14:26:12 +02:00
parent 2f84aac7df
commit dec31a3dd6
2 changed files with 23 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
java/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
View File

@@ -18,15 +18,26 @@
import java
import semmle.code.java.dataflow.RangeUtils
import semmle.code.java.dataflow.RangeAnalysis
import semmle.code.java.Conversions
/** An multiplication that does not overflow. */
/** Gets an upper bound on the absolute value of `e`. */
float exprBound(Expr e) {
result = e.(ConstantIntegerExpr).getIntValue().(float).abs()
or
exists(float lower, float upper |
bounded(e, any(ZeroBound zb), lower, false, _) and
bounded(e, any(ZeroBound zb), upper, true, _) and
result = upper.abs().maximum(lower.abs())
)
}
/** A multiplication that does not overflow. */
predicate small(MulExpr e) {
exists(NumType t, float lhs, float rhs, float res | t = e.getType() |
lhs = e.getLeftOperand().getProperExpr().(ConstantIntegerExpr).getIntValue() and
rhs = e.getRightOperand().getProperExpr().(ConstantIntegerExpr).getIntValue() and
lhs = exprBound(e.getLeftOperand().getProperExpr()) and
rhs = exprBound(e.getRightOperand().getProperExpr()) and
lhs * rhs = res and
t.getOrdPrimitiveType().getMinValue() <= res and
res <= t.getOrdPrimitiveType().getMaxValue()
)
}