C++: Fixed false negative

MathiasVP · MathiasVP · commit db08076fedd5 · 2020-01-07T22:20:04.000+01:00
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
@@ -132,6 +132,8 @@ class SubAnalyzableExpr extends AnalyzableExpr, SubExpr {
 }
 
 class VarAnalyzableExpr extends AnalyzableExpr, VariableAccess {
+  VarAnalyzableExpr() { not exists(this.getQualifier()) }
+
   override float maxValue() {
     exists(SsaDefinition def, Variable v |
       def.getAUse(v) = this and
@@ -140,7 +142,7 @@ class VarAnalyzableExpr extends AnalyzableExpr, VariableAccess {
       // variable the largest possible value it can hold
       if exists(def.getDefiningValue(v))
       then result = def.getDefiningValue(v).(AnalyzableExpr).maxValue()
-      else result = exprMaxVal(this)
+      else result = upperBound(this)
     )
   }
 
@@ -149,7 +151,7 @@ class VarAnalyzableExpr extends AnalyzableExpr, VariableAccess {
       def.getAUse(v) = this and
       if exists(def.getDefiningValue(v))
       then result = def.getDefiningValue(v).(AnalyzableExpr).minValue()
-      else result = exprMinVal(this)
+      else result = lowerBound(this)
     )
   }
 }
@@ -206,9 +208,9 @@ where
     ) and
     e.(Literal).getType().getSize() = t2.getSize()
   ) and
-  // only report if cannot prove that the result of the
+  // only report if we cannot prove that the result of the
   // multiplication will be less (resp. greater) than the
-  // maximum (resp. minimum) number we can store.
+  // maximum (resp. minimum) number we can compute.
   overflows(me, t1)
 select me,
   "Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '"
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected
@@ -10,3 +10,4 @@
 | IntMultToLong.c:99:14:99:35 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |
 | IntMultToLong.c:103:14:103:46 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |
 | IntMultToLong.c:108:14:108:78 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |
+| IntMultToLong.c:119:14:119:26 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |

Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,8 @@ class SubAnalyzableExpr extends AnalyzableExpr, SubExpr {`
`132`	`132`	`}`
`133`	`133`
`134`	`134`	`class VarAnalyzableExpr extends AnalyzableExpr, VariableAccess {`
	`135`	`+ VarAnalyzableExpr() { not exists(this.getQualifier()) }`
	`136`	`+`
`135`	`137`	`override float maxValue() {`
`136`	`138`	`exists(SsaDefinition def, Variable v \|`
`137`	`139`	`def.getAUse(v) = this and`
`@@ -140,7 +142,7 @@ class VarAnalyzableExpr extends AnalyzableExpr, VariableAccess {`
`140`	`142`	`// variable the largest possible value it can hold`
`141`	`143`	`if exists(def.getDefiningValue(v))`
`142`	`144`	`then result = def.getDefiningValue(v).(AnalyzableExpr).maxValue()`
`143`		`- else result = exprMaxVal(this)`
	`145`	`+ else result = upperBound(this)`
`144`	`146`	`)`
`145`	`147`	`}`
`146`	`148`
`@@ -149,7 +151,7 @@ class VarAnalyzableExpr extends AnalyzableExpr, VariableAccess {`
`149`	`151`	`def.getAUse(v) = this and`
`150`	`152`	`if exists(def.getDefiningValue(v))`
`151`	`153`	`then result = def.getDefiningValue(v).(AnalyzableExpr).minValue()`
`152`		`- else result = exprMinVal(this)`
	`154`	`+ else result = lowerBound(this)`
`153`	`155`	`)`
`154`	`156`	`}`
`155`	`157`	`}`
`@@ -206,9 +208,9 @@ where`
`206`	`208`	`) and`
`207`	`209`	`e.(Literal).getType().getSize() = t2.getSize()`
`208`	`210`	`) and`
`209`		`- // only report if cannot prove that the result of the`
	`211`	`+ // only report if we cannot prove that the result of the`
`210`	`212`	`// multiplication will be less (resp. greater) than the`
`211`		`- // maximum (resp. minimum) number we can store.`
	`213`	`+ // maximum (resp. minimum) number we can compute.`
`212`	`214`	`overflows(me, t1)`
`213`	`215`	`select me,`
`214`	`216`	`"Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '"`