Add tests and query

Author: AndreiDiaconu1

csharp/ql/test/library-tests/ir/offbyone/OffByOneRA.expected

@@ -0,0 +1,7 @@
+| test.cs:10:17:10:21 | test1 | test.cs:17:41:17:51 | access to array element | This array access is ok, the index is at most the lenth of the array  + -1 |
+| test.cs:21:17:21:21 | test2 | test.cs:33:41:33:51 | access to array element | This array access might be out of bounds, as the index might be equal to the array length |
+| test.cs:37:17:37:21 | test3 | test.cs:50:41:50:51 | access to array element | This array access is ok, the index is at most the lenth of the array  + -1 |
+| test.cs:54:17:54:21 | test4 | test.cs:64:41:64:51 | access to array element | This array access might be out of bounds, as the index might be equal to the array length |
+| test.cs:68:17:68:21 | test5 | test.cs:74:22:74:27 | access to indexer | This array access might be out of bounds, as the index might be equal to the array length |
+| test.cs:78:17:78:21 | test6 | test.cs:87:41:87:55 | access to array element | This array access might be out of bounds, as the index might be equal to the array length |
+| test.cs:91:17:91:21 | test7 | test.cs:101:41:101:50 | access to array element | This array access might be out of bounds, as the index might be equal to the array length + 1 |

csharp/ql/test/library-tests/ir/offbyone/OffByOneRA.ql

@@ -0,0 +1,65 @@
+import csharp
+import semmle.code.csharp.ir.IR
+import semmle.code.csharp.ir.rangeanalysis.RangeAnalysis
+
+/**
+ * Holds if the index expression of `aa` is less than or equal to the array length plus `k`.
+ */
+predicate boundedArrayAccess(ElementAccess aa, int k) {
+  exists(Instruction index, Instruction usage, Bound b, int delta |
+    (
+      // indexer access
+      usage.(CallInstruction).getAST() = aa
+      or
+      // array access
+      usage.(PointerAddInstruction).getAST() = aa
+    ) and
+    usage.getAnOperand().getDef() = index and
+    boundedInstruction(index, b, delta, true, _)
+  |
+    exists(PropertyAccess pa |
+      k = delta and
+      b.getInstruction().getAST() = pa and
+      pa.getProperty().getName() = "Length" and
+      pa.(QualifiableExpr).getQualifier().(VariableAccess).getTarget() = aa
+            .getQualifier()
+            .(VariableAccess)
+            .getTarget()
+    )
+    or
+    exists(ArrayCreation ac |
+      ac.getParent().(LocalVariableDeclExpr).getVariable() = aa
+            .getQualifier()
+            .(VariableAccess)
+            .getTarget() and
+      b instanceof ZeroBound and
+      if exists(ac.getLengthArgument(0))
+      then k = delta - ac.getLengthArgument(0).getValue().toInt()
+      else
+        if exists(ac.getInitializer())
+        then k = delta - ac.getInitializer().getNumberOfElements()
+        else none()
+    )
+  )
+}
+
+/**
+ * Holds if the index expression is less than or equal to the array length plus `k`,
+ * but not necessarily less than or equal to the array length plus `k-1`.
+ */
+predicate bestArrayAccessBound(ElementAccess aa, int k) {
+  k = min(int k0 | boundedArrayAccess(aa, k0))
+}
+
+from ElementAccess aa, int k, string msg, string add
+where
+  bestArrayAccessBound(aa, k) and
+  (if k = 0 then add = "" else add = " + " + k) and
+  (
+    if k >= 0
+    then
+      msg = "This array access might be out of bounds, as the index might be equal to the array length"
+          + add
+    else msg = "This array access is ok, the index is at most the lenth of the array " + add
+  )
+select aa.getEnclosingCallable(), aa, msg

csharp/ql/test/library-tests/ir/offbyone/buildSnap.qlref

@@ -0,0 +1 @@
+Likely Bugs/Collections/ContainerLengthCmpOffByOne.ql

csharp/ql/test/library-tests/ir/offbyone/null.cs

@@ -0,0 +1,5 @@
+class Null {
+    public static void Main() {
+        object o = null;
+    }
+}

csharp/ql/test/library-tests/ir/offbyone/test.cs

@@ -0,0 +1,104 @@
+class ContainerLengthOffByOne
+{
+    public int[] arr;
+    public string str;
+
+    public static void fun(int elem)
+    {
+    }
+
+    public void test1() 
+    {
+        int len1 = this.arr.Length;
+        int len2 = len1 + 1;
+        // OK
+        for(int i = 0; i < len2 - 1; i++) 
+        {
+            ContainerLengthOffByOne.fun(this.arr[i]);
+        }
+    }
+
+    public void test2() {
+        int len1 = this.arr.Length;
+
+        int len2;
+        if (len1 % 2 == 0)
+            len2 = len1 + 1;
+        else
+            len2 = len1;
+        // Not OK, PHI node where the upper bound
+        // exceeds the size of the array.
+        for(int i = 0; i < len2; i++) 
+        {
+            ContainerLengthOffByOne.fun(this.arr[i]);
+        }
+    }
+
+    public void test3() {
+        int len1 = this.arr.Length;
+        int len2 = len1 - 1;
+
+        int len3;
+        if (len2 % 2 == 0)
+            len3 = len2 + 1;
+        else
+            len3 = len2;
+        // OK, PHI node has bounds that ensure
+        // we don't get an off by one error.
+        for(int i = 0; i < len3; i++) 
+        {
+            ContainerLengthOffByOne.fun(this.arr[i]);
+        }
+    }   
+
+    public void test4() {
+        int len1 = this.arr.Length;
+
+        int len2 = len1 + 1;
+        int len3 = len2 - 1;
+        int len4 = len3 + 2;
+        int len5 = len4 - 1;
+        // Not OK, len5 is off by one.
+        for(int i = 0; i < len5; i++) 
+        {
+            ContainerLengthOffByOne.fun(this.arr[i]);
+        }
+    }
+
+    public void test5()
+    {
+        int len = this.str.Length;
+        // Not OK; test for indexers
+        for (int i = 0; i <= len; i++)
+        {
+            char c = str[i];
+        }
+    }
+
+    public void test6()
+    {
+        int len = this.arr.Length - 2;
+        int len1 = len + 3;
+        int len2 = len1 - 1;
+        // Not OK, of by one
+        // The test shows that more complex expressions are treated correctly
+        for (int i = 0; i < len2; i++)
+        {
+            ContainerLengthOffByOne.fun(this.arr[i + 1]);
+        }
+    }
+
+    public void test7()
+    {
+        int[] arrInit = { 1, 2, 3 };
+        int len = (arrInit.Length * 2 + 2) / 2 * 2;
+        int len1 = len / 2 - 3 + 4;
+        // Not OK, len1 == this.arrInit + 1
+        // This test shows that array initializer's length
+        // are used in bounds
+        for (int i = 0; i < len1; i++) 
+        {
+            ContainerLengthOffByOne.fun(arrInit[i]);    
+        }
+    }
+}

csharp/ql/test/library-tests/ir/rangeanalysis/RangeAnalysis.expected

@@ -0,0 +1,18 @@
+| test.cs:19:12:19:12 | Store: access to parameter x | test.cs:15:24:15:24 | InitializeParameter: x | 0 | false | NoReason | file://:0:0:0:0 | :0:0:0:0 |
+| test.cs:19:12:19:12 | Store: access to parameter x | test.cs:15:31:15:31 | InitializeParameter: y | 0 | false | CompareLT: ... < ... | test.cs:16:9:16:13 | test.cs:16:9:16:13 |
+| test.cs:19:12:19:12 | Store: access to parameter x | test.cs:15:31:15:31 | InitializeParameter: y | 0 | false | NoReason | file://:0:0:0:0 | :0:0:0:0 |
+| test.cs:29:12:29:12 | Store: access to parameter x | test.cs:23:24:23:24 | InitializeParameter: x | -2 | false | NoReason | file://:0:0:0:0 | :0:0:0:0 |
+| test.cs:29:12:29:12 | Store: access to parameter x | test.cs:23:31:23:31 | InitializeParameter: y | -2 | false | CompareLT: ... < ... | test.cs:24:9:24:13 | test.cs:24:9:24:13 |
+| test.cs:36:12:36:12 | Load: access to local variable i | file://:0:0:0:0 | 0 | 0 | false | NoReason | file://:0:0:0:0 | :0:0:0:0 |
+| test.cs:36:12:36:12 | Load: access to local variable i | test.cs:33:25:33:25 | InitializeParameter: x | -1 | true | CompareLT: ... < ... | test.cs:35:20:35:24 | test.cs:35:20:35:24 |
+| test.cs:39:12:39:12 | Load: access to local variable i | file://:0:0:0:0 | 0 | 1 | false | CompareGT: ... > ... | test.cs:38:20:38:24 | test.cs:38:20:38:24 |
+| test.cs:39:12:39:12 | Load: access to local variable i | test.cs:33:25:33:25 | InitializeParameter: x | 0 | true | NoReason | file://:0:0:0:0 | :0:0:0:0 |
+| test.cs:39:12:39:12 | Load: access to local variable i | test.cs:35:20:35:20 | Phi: access to local variable i | 0 | true | CompareLT: ... < ... | test.cs:35:20:35:24 | test.cs:35:20:35:24 |
+| test.cs:42:12:42:12 | Load: access to local variable i | file://:0:0:0:0 | 0 | 0 | false | NoReason | file://:0:0:0:0 | :0:0:0:0 |
+| test.cs:42:12:42:12 | Load: access to local variable i | test.cs:33:25:33:25 | InitializeParameter: x | 1 | true | CompareLT: ... < ... | test.cs:41:20:41:28 | test.cs:41:20:41:28 |
+| test.cs:42:12:42:12 | Load: access to local variable i | test.cs:35:20:35:20 | Phi: access to local variable i | 1 | true | CompareLT: ... < ... | test.cs:41:20:41:28 | test.cs:41:20:41:28 |
+| test.cs:42:12:42:12 | Load: access to local variable i | test.cs:38:20:38:20 | Phi: access to local variable i | 0 | false | CompareGT: ... > ... | test.cs:38:20:38:24 | test.cs:38:20:38:24 |
+| test.cs:49:13:49:17 | Load: access to parameter begin | test.cs:47:33:47:37 | InitializeParameter: begin | 0 | false | NoReason | file://:0:0:0:0 | :0:0:0:0 |
+| test.cs:58:14:58:14 | Load: access to parameter x | test.cs:55:32:55:32 | InitializeParameter: y | -1 | true | CompareLT: ... < ... | test.cs:57:11:57:15 | test.cs:57:11:57:15 |
+| test.cs:58:14:58:14 | Load: access to parameter x | test.cs:55:39:55:39 | InitializeParameter: z | -2 | true | CompareLT: ... < ... | test.cs:57:11:57:15 | test.cs:57:11:57:15 |
+| test.cs:63:14:63:14 | Load: access to parameter x | test.cs:55:32:55:32 | InitializeParameter: y | -1 | true | CompareLT: ... < ... | test.cs:61:9:61:13 | test.cs:61:9:61:13 |

csharp/ql/test/library-tests/ir/rangeanalysis/RangeAnalysis.ql

@@ -0,0 +1,26 @@
+import semmle.code.csharp.ir.rangeanalysis.RangeAnalysis
+import semmle.code.csharp.ir.IR
+import semmle.code.csharp.ir.internal.IRGuards
+import semmle.code.csharp.ir.ValueNumbering
+
+query predicate instructionBounds(
+    Instruction i, Bound b, int delta, boolean upper, Reason reason, Location reasonLoc
+) {
+  (
+    i.getAUse() instanceof ArgumentOperand
+    or
+    exists(ReturnValueInstruction retInstr | retInstr.getReturnValueOperand() = i.getAUse())
+  ) and
+  (
+    upper = true and
+    delta = min(int d | boundedInstruction(i, b, d, upper, reason))
+    or
+    upper = false and
+    delta = max(int d | boundedInstruction(i, b, d, upper, reason))
+  ) and
+  not valueNumber(b.getInstruction()) = valueNumber(i) and
+  if reason instanceof CondReason
+  then reasonLoc = reason.(CondReason).getCond().getLocation()
+  else reasonLoc instanceof EmptyLocation
+}
+

csharp/ql/test/library-tests/ir/rangeanalysis/null.cs

@@ -0,0 +1,5 @@
+class Null {
+    public static void Main() {
+        object o = null;
+    }
+}

csharp/ql/test/library-tests/ir/rangeanalysis/test.cs

@@ -0,0 +1,78 @@
+class RangeAnalysis {
+  static void sink(int val) {
+  
+  }
+  
+  static unsafe void sinkp(int* p) {
+  
+  }
+  
+  static int source() {
+    return 0;
+  }
+  
+  // Guards, inference, critical edges
+  static int test1(int x, int y) {
+    if (x < y) {
+      x = y;
+    }
+    return x;
+  }
+  
+  // Bounds mergers at phi nodes
+  static int test2(int x, int y) {
+    if (x < y) {
+      x = y;
+    } else {
+      x = x-2;
+    }
+    return x;
+  }
+  
+  // for loops
+  static void test3(int x) {
+    int y = x;
+    for(int i = 0; i < x; i++) {
+      sink(i);
+    }
+    for(int i = y; i > 0; i--) {
+      sink(i);
+    }
+    for(int i = 0; i < y + 2; i++) {
+      sink(i);
+    }
+  }
+  
+  // pointer bounds
+  unsafe static void test4(int *begin, int *end) {
+    while (begin < end) {
+      sinkp(begin);
+      begin++;
+    }
+  }
+  
+  // bound propagation through conditionals
+  static void test5(int x, int y, int z) {
+    if (y < z) {
+      if (x < y) {
+        sink(x);
+      }
+    }
+    if (x < y) {
+      if (y < z) {
+        sink(x); // x < z is not inferred here
+      }
+    }
+  }
+
+    unsafe static void addone(int[] arr) 
+    {
+        int length = arr.Length;
+        fixed (int* b = arr) 
+        {
+            int *p = b;
+            for(int i = 0; i <= length; i++)
+                *p++ += 1;
+        }
+    }  
+}