Convert RangeAnalysis to trivial parameterized mod

2025-12-24 04:36:35 +01:00 · 2022-12-13 11:45:08 -05:00
parent 664fdc3b2a
commit edbe95837f
1 changed files with 689 additions and 682 deletions
--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll
@@ -70,6 +70,68 @@ private import ModulusAnalysis
 private import experimental.semmle.code.cpp.semantic.Semantic
 private import ConstantAnalysis

+
+/**
+ * An expression that does conversion, boxing, or unboxing
+ */
+private class ConvertOrBoxExpr extends SemUnaryExpr {
+  ConvertOrBoxExpr() {
+    this instanceof SemConvertExpr
+    or
+    this instanceof SemBoxExpr
+    or
+    this instanceof SemUnboxExpr
+  }
+}
+
+/**
+ * A cast that can be ignored for the purpose of range analysis.
+ */
+private class SafeCastExpr extends ConvertOrBoxExpr {
+  SafeCastExpr() {
+    conversionCannotOverflow(getTrackedType(pragma[only_bind_into](getOperand())),
+      getTrackedType(this))
+  }
+}
+
+/**
+ * Holds if `typ` is a small integral type with the given lower and upper bounds.
+ */
+private predicate typeBound(SemIntegerType typ, int lowerbound, int upperbound) {
+  exists(int bitSize | bitSize = typ.getByteSize() * 8 |
+    bitSize < 32 and
+    (
+      if typ.isSigned()
+      then (
+        upperbound = 1.bitShiftLeft(bitSize - 1) - 1 and
+        lowerbound = -upperbound - 1
+      ) else (
+        lowerbound = 0 and
+        upperbound = 1.bitShiftLeft(bitSize) - 1
+      )
+    )
+  )
+}
+
+/**
+ * A cast to a small integral type that may overflow or underflow.
+ */
+private class NarrowingCastExpr extends ConvertOrBoxExpr {
+  NarrowingCastExpr() {
+    not this instanceof SafeCastExpr and
+    typeBound(getTrackedType(this), _, _)
+  }
+
+  /** Gets the lower bound of the resulting type. */
+  int getLowerBound() { typeBound(getTrackedType(this), result, _) }
+
+  /** Gets the upper bound of the resulting type. */
+  int getUpperBound() { typeBound(getTrackedType(this), _, result) }
+}
+
+signature module RangeSig { }
+
+module RangeStage<RangeSig RangeParam> {
  cached
  private module RangeAnalysisCache {
    cached
@@ -123,7 +185,9 @@ private predicate boundCondition(
  ) {
    comp.getLesserOperand() = semSsaRead(v, delta) and e = comp.getGreaterOperand() and upper = true
    or
-  comp.getGreaterOperand() = semSsaRead(v, delta) and e = comp.getLesserOperand() and upper = false
+    comp.getGreaterOperand() = semSsaRead(v, delta) and
+    e = comp.getLesserOperand() and
+    upper = false
    or
    exists(SemSubExpr sub, SemConstantIntegerExpr c, int d |
      // (v - d) - e < c
@@ -327,64 +391,6 @@ private predicate unequalFlowStepIntegralSsa(
    )
  }

-/**
- * An expression that does conversion, boxing, or unboxing
- */
-private class ConvertOrBoxExpr extends SemUnaryExpr {
-  ConvertOrBoxExpr() {
-    this instanceof SemConvertExpr
-    or
-    this instanceof SemBoxExpr
-    or
-    this instanceof SemUnboxExpr
-  }
-}
-
-/**
- * A cast that can be ignored for the purpose of range analysis.
- */
-private class SafeCastExpr extends ConvertOrBoxExpr {
-  SafeCastExpr() {
-    conversionCannotOverflow(getTrackedType(pragma[only_bind_into](getOperand())),
-      getTrackedType(this))
-  }
-}
-
-/**
- * Holds if `typ` is a small integral type with the given lower and upper bounds.
- */
-private predicate typeBound(SemIntegerType typ, int lowerbound, int upperbound) {
-  exists(int bitSize | bitSize = typ.getByteSize() * 8 |
-    bitSize < 32 and
-    (
-      if typ.isSigned()
-      then (
-        upperbound = 1.bitShiftLeft(bitSize - 1) - 1 and
-        lowerbound = -upperbound - 1
-      ) else (
-        lowerbound = 0 and
-        upperbound = 1.bitShiftLeft(bitSize) - 1
-      )
-    )
-  )
-}
-
-/**
- * A cast to a small integral type that may overflow or underflow.
- */
-private class NarrowingCastExpr extends ConvertOrBoxExpr {
-  NarrowingCastExpr() {
-    not this instanceof SafeCastExpr and
-    typeBound(getTrackedType(this), _, _)
-  }
-
-  /** Gets the lower bound of the resulting type. */
-  int getLowerBound() { typeBound(getTrackedType(this), result, _) }
-
-  /** Gets the upper bound of the resulting type. */
-  int getUpperBound() { typeBound(getTrackedType(this), _, result) }
-}
-
  /** Holds if `e >= 1` as determined by sign analysis. */
  private predicate strictlyPositiveIntegralExpr(SemExpr e) {
    semStrictlyPositive(e) and getTrackedType(e) instanceof SemIntegerType
@@ -587,8 +593,8 @@ private int weakenDelta(boolean upper, int delta) {
   * - `upper = false` : `inp >= b + delta`
   */
  private predicate boundedPhiInp(
-  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, SemBound b, int delta,
-  boolean upper, boolean fromBackEdge, int origdelta, SemReason reason
+    SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, SemBound b,
+    int delta, boolean upper, boolean fromBackEdge, int origdelta, SemReason reason
  ) {
    edge.phiInput(phi, inp) and
    exists(int d, boolean fromBackEdge0 |
@@ -731,8 +737,8 @@ private predicate safeNarrowingCast(NarrowingCastExpr cast, boolean upper) {

  pragma[noinline]
  private predicate boundedCastExpr(
-  NarrowingCastExpr cast, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
-  SemReason reason
+    NarrowingCastExpr cast, SemBound b, int delta, boolean upper, boolean fromBackEdge,
+    int origdelta, SemReason reason
  ) {
    bounded(cast.getOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
  }
@@ -830,3 +836,4 @@ private predicate boundedConditionalExpr(
  ) {
    bounded(cond.getBranchExpr(branch), b, delta, upper, fromBackEdge, origdelta, reason)
  }
+}