C++: Improve bitwise and range analysis

Author: gsingh93

cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/BinaryOrAssignOperation.qll

@@ -0,0 +1,31 @@
+private import cpp
+
+Expr getLOp(Operation o) {
+  result = o.(BinaryOperation).getLeftOperand() or
+  result = o.(Assignment).getLValue()
+}
+
+Expr getROp(Operation o) {
+  result = o.(BinaryOperation).getRightOperand() or
+  result = o.(Assignment).getRValue()
+}
+
+private newtype TBinaryOrAssignOperation =
+  BinaryOp(BinaryOperation op) or
+  AssignOp(AssignOperation op)
+
+class BinaryOrAssignOperation extends TBinaryOrAssignOperation {
+  BinaryOperation asBinaryOp() { this = BinaryOp(result) }
+
+  AssignOperation asAssignOp() { this = AssignOp(result) }
+
+  Expr getLeftOperand() { result = getLOp(asBinaryOp()) or result = getLOp(asAssignOp()) }
+
+  Expr getRightOperand() { result = getROp(asBinaryOp()) or result = getROp(asAssignOp()) }
+
+  Expr getAnOperand() { result = getLeftOperand() or result = getRightOperand() }
+
+  Operation getOperation() { result = asBinaryOp() or result = asAssignOp() }
+
+  string toString() { result = asBinaryOp().toString() or result = asAssignOp().toString() }
+}

cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/ExtendedRangeAnalysis.qll

@@ -2,3 +2,4 @@ import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 //
 // Import each extension we want to enable
 import extensions.SubtractSelf
+import extensions.ConstantBitwiseAndExprRange

cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantBitwiseAndExprRange.qll

@@ -0,0 +1,112 @@
+private import cpp
+private import experimental.semmle.code.cpp.models.interfaces.SimpleRangeAnalysisExpr
+private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
+private import experimental.semmle.code.cpp.rangeanalysis.BinaryOrAssignOperation
+
+/**
+ * The current implementation for `BitwiseAndExpr` only handles cases where both operands are
+ * either unsigned or non-negative constants. This class not only covers these cases, but also
+ * adds support for `&` expressions between a signed integer with a non-negative range and a
+ * non-negative constant. It also adds support for `&=` for the same set of cases as `&`.
+ */
+private class ConstantBitwiseAndExprRange extends SimpleRangeAnalysisExpr {
+  BinaryOrAssignConstantBitwiseAndExpr e;
+
+  ConstantBitwiseAndExprRange() { this = e.getOperation() }
+
+  BinaryOrAssignConstantBitwiseAndExpr getExpr() { result = e }
+
+  Expr getLeftOperand() { result = e.getLeftOperand() }
+
+  Expr getRightOperand() { result = e.getRightOperand() }
+
+  override float getLowerBounds() { result = e.getLowerBounds() }
+
+  override float getUpperBounds() { result = e.getUpperBounds() }
+
+  override predicate dependsOnChild(Expr child) { child = e.getAnOperand() }
+}
+
+private class ConstantBitwiseAndExprOp extends Expr {
+  BinaryOrAssignConstantBitwiseAndExpr b;
+  float lowerBound;
+  float upperBound;
+
+  ConstantBitwiseAndExprOp() {
+    this = b.getAnOperand() and
+    lowerBound = getFullyConvertedLowerBounds(this) and
+    upperBound = getFullyConvertedUpperBounds(this) and
+    lowerBound <= upperBound
+  }
+
+  float getLowerBound() { result = lowerBound }
+
+  float getUpperBound() { result = upperBound }
+
+  predicate hasNegativeRange() { getLowerBound() < 0 or getUpperBound() < 0 }
+}
+
+/**
+ * Holds if `e` is a constant or if it is a variable with a constant value
+ */
+float evaluateConstantExpr(Expr e) {
+  result = e.getValue().toFloat()
+  or
+  exists(SsaDefinition defn, StackVariable sv |
+    defn.getAUse(sv) = e and
+    result = defn.getDefiningValue(sv).getValue().toFloat()
+  )
+}
+
+private class BinaryOrAssignConstantBitwiseAndExpr extends BinaryOrAssignOperation {
+  BinaryOrAssignConstantBitwiseAndExpr() {
+    (
+      getOperation() instanceof BitwiseAndExpr
+      or
+      getOperation() instanceof AssignAndExpr
+    ) and
+    // Make sure all operands and the result type are integral
+    getOperation().getUnspecifiedType() instanceof IntegralType and
+    getLeftOperand().getUnspecifiedType() instanceof IntegralType and
+    getRightOperand().getUnspecifiedType() instanceof IntegralType and
+    // No operands can be negative constants
+    not (evaluateConstantExpr(getLeftOperand()) < 0 or evaluateConstantExpr(getRightOperand()) < 0) and
+    // At least one operand must be a non-negative constant
+    (evaluateConstantExpr(getLeftOperand()) >= 0 or evaluateConstantExpr(getRightOperand()) >= 0)
+  }
+
+  float getLowerBounds() {
+    // If both operands have non-negative ranges, the lower bound is zero. If an operand can have
+    // negative values, the lower bound is unconstrained.
+    exists(ConstantBitwiseAndExprOp l, ConstantBitwiseAndExprOp r |
+      l = getLeftOperand() and
+      r = getRightOperand() and
+      (
+        (l.hasNegativeRange() or r.hasNegativeRange()) and
+        result = exprMinVal(getOperation())
+        or
+        // This technically results in two lowerBounds when an operand range is negative, but
+        // that's fine since `exprMinVal(x) <= 0`. We can't use an if statement here without
+        // non-monotonic recursion issues
+        result = 0
+      )
+    )
+  }
+
+  float getUpperBounds() {
+    // If an operand can have negative values, the upper bound is unconstrained.
+    // Otherwise, the upper bound is the maximum of the upper bounds of the operands
+    exists(ConstantBitwiseAndExprOp l, ConstantBitwiseAndExprOp r |
+      l = getLeftOperand() and
+      r = getRightOperand() and
+      (
+        (l.hasNegativeRange() or r.hasNegativeRange()) and
+        result = exprMaxVal(getOperation())
+        or
+        // This technically results in two upperBounds when an operand range is negative, but
+        // that's fine since `exprMaxVal(b) >= result`
+        result = r.getUpperBound().minimum(l.getUpperBound())
+      )
+    )
+  }
+}

cpp/ql/test/experimental/library-tests/rangeanalysis/bitwiseand/bitwiseand.expected

@@ -1,7 +1,7 @@
-| bitwiseand.cpp:7:3:7:8 | ... &= ... | 0.0 | 255.0 |
-| bitwiseand.cpp:15:3:15:7 | ... & ... | -2.147483648E9 | 2.147483647E9 |
-| bitwiseand.cpp:16:3:16:7 | ... & ... | -2.147483648E9 | 2.147483647E9 |
-| bitwiseand.cpp:17:3:17:20 | ... & ... | -2.147483648E9 | 2.147483647E9 |
+| bitwiseand.cpp:7:3:7:8 | ... &= ... | 0.0 | 7.0 |
+| bitwiseand.cpp:15:3:15:7 | ... & ... | 0.0 | 0.0 |
+| bitwiseand.cpp:16:3:16:7 | ... & ... | 0.0 | 7.0 |
+| bitwiseand.cpp:17:3:17:20 | ... & ... | 0.0 | 7.0 |
 | bitwiseand.cpp:21:3:21:16 | ... & ... | 0.0 | 255.0 |
 | bitwiseand.cpp:28:5:28:9 | ... & ... | -2.147483648E9 | 2.147483647E9 |
 | bitwiseand.cpp:32:5:32:9 | ... & ... | 0.0 | 100.0 |