hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Only unary and binary arithmetic operations and left shifts are now

Browse Source 
reported as overflowing when we cannot analyze them.
This commit is contained in:
Mathias Vorreiter Pedersen
2021-04-23 11:06:48 +02:00
parent ed64ed3d8d
commit e6077127be
1 changed files with 20 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
View File

@@ -1617,6 +1617,18 @@ private module SimpleRangeAnalysisCached {
defMightOverflowPositively(def, v)
}
/**
* Holds if `e` is an expression where the concept of overflow makes sense.
* This predicate is used to filter out some of the unanalyzable expressions
* from `exprMightOverflowPositively` and `exprMightOverflowNegatively`.
*/
pragma[inline]
private predicate exprThatCanOverflow(Expr e) {
e instanceof UnaryArithmeticOperation or
e instanceof BinaryArithmeticOperation or
e instanceof LShiftExpr
}
/**
* Holds if the expression might overflow negatively. This predicate
* does not consider the possibility that the expression might overflow
@@ -1631,8 +1643,10 @@ private module SimpleRangeAnalysisCached {
// detecting whether it might overflow.
getLowerBoundsImpl(expr.(PostfixDecrExpr)) = exprMinVal(expr)
or
// Expressions we cannot analyze could potentially overflow
not analyzableExpr(expr)
// We can't conclude that any unanalyzable expression might overflow. This
// is because there are many expressions that the range analysis doesn't
// handle, but where the concept of overflow doesn't make sense.
exprThatCanOverflow(expr) and not analyzableExpr(expr)
}
/**
@@ -1661,8 +1675,10 @@ private module SimpleRangeAnalysisCached {
// detecting whether it might overflow.
getUpperBoundsImpl(expr.(PostfixIncrExpr)) = exprMaxVal(expr)
or
// Expressions we cannot analyze could potentially overflow
not analyzableExpr(expr)
// We can't conclude that any unanalyzable expression might overflow. This
// is because there are many expressions that the range analysis doesn't
// handle, but where the concept of overflow doesn't make sense.
exprThatCanOverflow(expr) and not analyzableExpr(expr)
}
/**