Merge pull request #4252 from jbj/normalize-bounds

C++: SimpleRangeAnalysis: Always normalize bounds after a computation

Author: MathiasVP

cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -570,7 +570,7 @@ private float getTruncatedLowerBounds(Expr expr) {
     else (
       // Some of the bounds computed by getLowerBoundsImpl might
       // overflow, so we replace invalid bounds with exprMinVal.
-      exists(float newLB | newLB = getLowerBoundsImpl(expr) |
+      exists(float newLB | newLB = normalizeFloatUp(getLowerBoundsImpl(expr)) |
         if exprMinVal(expr) <= newLB and newLB <= exprMaxVal(expr)
         then result = newLB
         else result = exprMinVal(expr)
@@ -617,7 +617,7 @@ private float getTruncatedUpperBounds(Expr expr) {
       // Some of the bounds computed by `getUpperBoundsImpl`
       // might overflow, so we replace invalid bounds with
       // `exprMaxVal`.
-      exists(float newUB | newUB = getUpperBoundsImpl(expr) |
+      exists(float newUB | newUB = normalizeFloatUp(getUpperBoundsImpl(expr)) |
         if exprMinVal(expr) <= newUB and newUB <= exprMaxVal(expr)
         then result = newUB
         else result = exprMaxVal(expr)

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected

@@ -136,7 +136,7 @@
 | test.c:183:14:183:14 | a | -7 |
 | test.c:184:5:184:9 | total | -45 |
 | test.c:184:14:184:14 | b | -7 |
-| test.c:184:16:184:16 | c | -0 |
+| test.c:184:16:184:16 | c | 0 |
 | test.c:186:13:186:13 | a | -2147483648 |
 | test.c:186:18:186:18 | a | -7 |
 | test.c:187:14:187:14 | a | -7 |

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected

@@ -115,7 +115,7 @@
 | test.c:168:14:168:14 | a | 11 |
 | test.c:169:5:169:9 | total | 8 |
 | test.c:169:14:169:14 | b | 11 |
-| test.c:169:16:169:16 | c | -0 |
+| test.c:169:16:169:16 | c | 0 |
 | test.c:171:13:171:13 | a | 2147483647 |
 | test.c:171:18:171:18 | a | 2147483647 |
 | test.c:172:14:172:14 | a | 11 |

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.expected

@@ -31,7 +31,7 @@
 | PointlessComparison.c:126:12:126:18 | ... >= ... | Comparison is always true because a >= 20. |
 | PointlessComparison.c:129:12:129:16 | ... > ... | Comparison is always false because a <= 3. |
 | PointlessComparison.c:197:7:197:11 | ... < ... | Comparison is always false because x >= 0. |
-| PointlessComparison.c:264:12:264:22 | ... >= ... | Comparison is always true because dbl >= 0 and -0 >= - .... |
+| PointlessComparison.c:264:12:264:22 | ... >= ... | Comparison is always true because dbl >= 0 and 0 >= - .... |
 | PointlessComparison.c:273:9:273:18 | ... > ... | Comparison is always false because c <= 0. |
 | PointlessComparison.c:283:13:283:19 | ... >= ... | Comparison is always true because c >= 11. |
 | PointlessComparison.c:294:9:294:16 | ... >= ... | Comparison is always false because ui1 <= 0. |

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/RegressionTests.cpp

@@ -79,4 +79,40 @@ int containsIfDef(int x) {
 #endif
 
   return result >= 0;
-}
+}
+
+void negativeZero1(int val) {
+  if (val >= 0)
+  {
+    val = -val;
+  }
+  if (val == 0) // GOOD [NO LONGER REPORTED]
+    ;
+}
+
+void negativeZero2(int val) {
+  if (val >= 0)
+  {
+    val = 0 - val;
+  }
+  if (val == 0) // GOOD
+    ;
+}
+
+void negativeZero3(int val) {
+  if (val >= 0)
+  {
+    val *= -1;
+  }
+  if (val == 0) // GOOD [NO LONGER REPORTED]
+    ;
+}
+
+void negativeZero4(int val) {
+  if (val >= 0)
+  {
+    val = val * -1;
+  }
+  if (val == 0) // GOOD [NO LONGER REPORTED]
+    ;
+}