Query and tests for sum without domain

calumgrant · calumgrant · commit 6cf575df78f0 · 2023-02-23T12:19:25.000Z
diff --git a/ql/ql/src/codeql_ql/ast/Ast.qll b/ql/ql/src/codeql_ql/ast/Ast.qll
@@ -1808,7 +1808,7 @@ class FullAggregate extends TFullAggregate, Aggregate {
 
   /**
    * Gets the kind of aggregate.
-   * E.g. for `min(int i | foo(i))` the result is "foo".
+   * E.g. for `min(int i | foo(i))` the result is "min".
    */
   override string getKind() { result = kind }
 
diff --git a/ql/ql/src/queries/bugs/SumWithoutDomain.ql b/ql/ql/src/queries/bugs/SumWithoutDomain.ql
@@ -0,0 +1,16 @@
+/**
+ * @name Sum is missing a domain
+ * @description An aggregate like 'sum' should work over a domain, otherwise duplicate values will not be counted.
+ * @kind problem
+ * @problem.severity error
+ * @id ql/sum-missing-domain
+ * @tags correctness
+ * @precision medium
+ */
+
+import ql
+
+from ExprAggregate agg
+where agg.getKind() = ["sum", "strictsum"]
+select agg,
+  "This " + agg.getKind() + " does not have a domain argument, so may produce surprising results."
diff --git a/ql/ql/test/queries/bugs/SumWithoutDomain/SumWithoutDomain.qlref b/ql/ql/test/queries/bugs/SumWithoutDomain/SumWithoutDomain.qlref
@@ -0,0 +1 @@
+queries/bugs/SumWithoutDomain.ql
diff --git a/ql/ql/test/queries/bugs/SumWithoutDomain/Test.qll b/ql/ql/test/queries/bugs/SumWithoutDomain/Test.qll
@@ -0,0 +1,7 @@
+// Result is 3 and not 4
+int foo() {
+  result = sum([1, 1, 2]) // <- Alert here
+}
+
+// Ok - false negative
+predicate bar() { sum(int x | x = [1, 1, 2] | x) = 3 }
