Skip to content

Commit 23a9d07

Browse files
tamasvajktamasvajk
committed
Java: Fix range analysis false negative
1 parent c66473c commit 23a9d07

File tree

2 files changed

+23
-3
lines changed

2 files changed

+23
-3
lines changed

java/ql/src/semmle/code/java/dataflow/RangeAnalysis.qll

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -252,6 +252,15 @@ private Guard boundFlowCond(SsaVariable v, Expr e, int delta, boolean upper, boo
252252
or
253253
result = eqFlowCond(v, e, delta, true, testIsTrue) and
254254
(upper = true or upper = false)
255+
or
256+
// guard that tests whether `v2` is bounded by `e + delta + d1 - d2` and
257+
// exists a guard `guardEq` such that `v = v2 - d1 + d2`.
258+
exists(SsaVariable v2, Guard guardEq, boolean eqIsTrue, int d1, int d2 |
259+
guardEq = eqFlowCond(v, ssaRead(v2, d1), d2, true, eqIsTrue) and
260+
result = boundFlowCond(v2, e, delta + d1 - d2, upper, testIsTrue) and
261+
// guardEq needs to control guard
262+
guardEq.directlyControls(result.getBasicBlock(), eqIsTrue)
263+
)
255264
}
256265

257266
private newtype TReason =

java/ql/test/library-tests/dataflow/range-analysis/RangeAnalysis.expected

Lines changed: 14 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -27,11 +27,13 @@
2727
| A.java:8:25:8:25 | y | SSA init(y) | 0 | upper | NoReason |
2828
| A.java:8:29:8:31 | 300 | 0 | 300 | lower | NoReason |
2929
| A.java:8:29:8:31 | 300 | 0 | 300 | upper | NoReason |
30+
| A.java:9:16:9:16 | x | 0 | 299 | lower | ... > ... |
3031
| A.java:9:16:9:16 | x | 0 | 400 | upper | ... > ... |
3132
| A.java:9:16:9:16 | x | SSA init(x) | 0 | lower | NoReason |
3233
| A.java:9:16:9:16 | x | SSA init(x) | 0 | upper | NoReason |
3334
| A.java:9:16:9:16 | x | SSA init(y) | -2 | lower | ... == ... |
3435
| A.java:9:16:9:16 | x | SSA init(y) | -2 | upper | ... == ... |
36+
| A.java:9:16:9:20 | ... + ... | 0 | 300 | lower | ... > ... |
3537
| A.java:9:16:9:20 | ... + ... | SSA init(x) | 1 | lower | NoReason |
3638
| A.java:9:16:9:20 | ... + ... | SSA init(y) | -1 | lower | ... == ... |
3739
| A.java:9:20:9:20 | y | 0 | 301 | lower | ... > ... |
@@ -61,11 +63,13 @@
6163
| A.java:15:13:15:13 | y | SSA init(y) | 0 | upper | NoReason |
6264
| A.java:15:17:15:19 | 300 | 0 | 300 | lower | NoReason |
6365
| A.java:15:17:15:19 | 300 | 0 | 300 | upper | NoReason |
66+
| A.java:16:21:16:21 | x | 0 | 302 | lower | ... > ... |
6467
| A.java:16:21:16:21 | x | 0 | 400 | upper | ... > ... |
6568
| A.java:16:21:16:21 | x | SSA init(x) | 0 | lower | NoReason |
6669
| A.java:16:21:16:21 | x | SSA init(x) | 0 | upper | NoReason |
6770
| A.java:16:21:16:21 | x | SSA init(y) | 1 | lower | ... != ... |
6871
| A.java:16:21:16:21 | x | SSA init(y) | 1 | upper | ... != ... |
72+
| A.java:16:21:16:25 | ... + ... | 0 | 303 | lower | ... > ... |
6973
| A.java:16:21:16:25 | ... + ... | SSA init(x) | 1 | lower | NoReason |
7074
| A.java:16:21:16:25 | ... + ... | SSA init(y) | 2 | lower | ... != ... |
7175
| A.java:16:25:16:25 | y | 0 | 301 | lower | ... > ... |
@@ -141,17 +145,24 @@
141145
| A.java:34:50:34:50 | z | SSA init(z) | 0 | upper | NoReason |
142146
| A.java:34:55:34:57 | 350 | 0 | 350 | lower | NoReason |
143147
| A.java:34:55:34:57 | 350 | 0 | 350 | upper | NoReason |
144-
| A.java:35:16:35:16 | x | 0 | 400 | upper | ... > ... |
148+
| A.java:35:16:35:16 | x | 0 | 349 | lower | ... == ... |
149+
| A.java:35:16:35:16 | x | 0 | 349 | upper | ... == ... |
145150
| A.java:35:16:35:16 | x | SSA init(x) | 0 | lower | NoReason |
146151
| A.java:35:16:35:16 | x | SSA init(x) | 0 | upper | NoReason |
147152
| A.java:35:16:35:16 | x | SSA init(y) | 1 | lower | ... == ... |
148153
| A.java:35:16:35:16 | x | SSA init(y) | 1 | upper | ... == ... |
154+
| A.java:35:16:35:16 | x | SSA init(z) | -1 | lower | ... == ... |
155+
| A.java:35:16:35:16 | x | SSA init(z) | -1 | upper | ... == ... |
156+
| A.java:35:16:35:20 | ... + ... | 0 | 350 | lower | ... == ... |
149157
| A.java:35:16:35:20 | ... + ... | SSA init(x) | 1 | lower | NoReason |
150158
| A.java:35:16:35:20 | ... + ... | SSA init(y) | 2 | lower | ... == ... |
159+
| A.java:35:16:35:20 | ... + ... | SSA init(z) | 0 | lower | ... == ... |
160+
| A.java:35:16:35:24 | ... + ... | 0 | 351 | lower | ... == ... |
151161
| A.java:35:16:35:24 | ... + ... | SSA init(x) | 2 | lower | NoReason |
152162
| A.java:35:16:35:24 | ... + ... | SSA init(y) | 3 | lower | ... == ... |
153-
| A.java:35:20:35:20 | y | 0 | 301 | lower | ... > ... |
154-
| A.java:35:20:35:20 | y | 0 | 399 | upper | ... == ... |
163+
| A.java:35:16:35:24 | ... + ... | SSA init(z) | 1 | lower | ... == ... |
164+
| A.java:35:20:35:20 | y | 0 | 348 | lower | ... == ... |
165+
| A.java:35:20:35:20 | y | 0 | 348 | upper | ... == ... |
155166
| A.java:35:20:35:20 | y | SSA init(x) | -1 | lower | ... == ... |
156167
| A.java:35:20:35:20 | y | SSA init(x) | -1 | upper | ... == ... |
157168
| A.java:35:20:35:20 | y | SSA init(y) | 0 | lower | NoReason |

0 commit comments

Comments
 (0)