IntegerOverflow: Implement INT32-C

Adds a query to detect signed integer operation overflow/underflow.
Initially this only supports add and subtract operations, and detects
CERT recommended patterns of avoiding overflow/underflow.

Author: lcartey

c/cert/src/rules/INT32-C/SignedIntegerOverflow.md

@@ -0,0 +1,18 @@
+# INT32-C: Ensure that operations on signed integers do not result in overflow
+
+This query implements the CERT-C rule INT32-C:
+
+> Ensure that operations on signed integers do not result in overflow
+
+
+## CERT
+
+** REPLACE THIS BY RUNNING THE SCRIPT `scripts/help/cert-help-extraction.py` **
+
+## Implementation notes
+
+None
+
+## References
+
+* CERT-C: [INT32-C: Ensure that operations on signed integers do not result in overflow](https://wiki.sei.cmu.edu/confluence/display/c)

c/cert/src/rules/INT32-C/SignedIntegerOverflow.ql

@@ -0,0 +1,33 @@
+/**
+ * @id c/cert/signed-integer-overflow
+ * @name INT32-C: Ensure that operations on signed integers do not result in overflow
+ * @description
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags external/cert/id/int32-c
+ *       correctness
+ *       security
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import codingstandards.cpp.Overflow
+import semmle.code.cpp.controlflow.Guards
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/* TODO: review the table to restrict to only those operations that actually overflow */
+from InterestingBinaryOverflowingExpr bop
+where
+  not isExcluded(bop, IntegerOverflowPackage::signedIntegerOverflowQuery()) and
+  bop.getType().getUnderlyingType().(IntegralType).isSigned() and
+  // Not within a guard condition
+  not exists(GuardCondition gc | gc.getAChild*() = bop) and
+  // Not checked before the operation
+  not bop.hasValidPreCheck() and
+  // Not guarded by a check, where the check is not an invalid overflow check
+  not bop.getAGuardingGVN() = globalValueNumber(bop.getAChild*())
+select bop,
+  "Binary expression ..." + bop.getOperator() + "... of type " + bop.getType().getUnderlyingType() +
+    " may overflow or underflow."

c/cert/test/rules/INT32-C/SignedIntegerOverflow.expected

@@ -0,0 +1,5 @@
+| test.c:6:3:6:9 | ... + ... | Binary expression ...+... of type int may overflow or underflow. |
+| test.c:23:5:23:11 | ... + ... | Binary expression ...+... of type int may overflow or underflow. |
+| test.c:28:19:28:25 | ... + ... | Binary expression ...+... of type int may overflow or underflow. |
+| test.c:36:3:36:9 | ... - ... | Binary expression ...-... of type int may overflow or underflow. |
+| test.c:49:19:49:25 | ... - ... | Binary expression ...-... of type int may overflow or underflow. |

c/cert/test/rules/INT32-C/SignedIntegerOverflow.qlref

@@ -0,0 +1 @@
+rules/INT32-C/SignedIntegerOverflow.ql

c/cert/test/rules/INT32-C/test.c

@@ -0,0 +1,160 @@
+#include <limits.h>
+#include <stddef.h>
+#include <stdint.h>
+
+void test_add_simple(signed int i1, signed int i2) {
+  i1 + i2; // NON_COMPLIANT - not bounds checked
+}
+
+void test_add_precheck(signed int i1, signed int i2) {
+  // Style recommended by CERT
+  if (((i2 > 0) && (i1 > (INT_MAX - i2))) ||
+      ((i2 < 0) && (i1 < (INT_MIN - i2)))) {
+    // handle error
+  } else {
+    i1 + i2; // COMPLIANT - bounds appropriately checked
+  }
+}
+
+void test_add_precheck_2(signed int i1, signed int i2) {
+  if (i1 + i2 < i1) { // Bad overflow check - undefined behavior
+    // handle error
+  } else {
+    i1 + i2; // NON_COMPLIANT
+  }
+}
+
+void test_add_postcheck(signed int i1, signed int i2) {
+  signed int i3 = i1 + i2; // NON_COMPLIANT - signed overflow is undefined
+                           // behavior, so checking afterwards is not sufficient
+  if (i3 < i1) {
+    // handle error
+  }
+}
+
+void test_sub_simple(signed int i1, signed int i2) {
+  i1 - i2; // NON_COMPLIANT - not bounds checked
+}
+
+void test_sub_precheck(signed int i1, signed int i2) {
+  // Style recomended by CERT
+  if ((i2 > 0 && i1 < INT_MIN + i2) || (i2 < 0 && i1 > INT_MAX + i2)) {
+    // handle error
+  } else {
+    i1 - i2; // COMPLIANT - bounds checked
+  }
+}
+
+void test_sub_postcheck(signed int i1, signed int i2) {
+  signed int i3 = i1 - i2; // NON_COMPLIANT - underflow is undefined behavior.
+  if (i3 > i1) {
+    // handle error
+  }
+}
+
+void test_mul_simple(signed int i1, signed int i2) {
+  i1 *i2; // NON_COMPLIANT
+}
+
+void test_mul_precheck(signed int i1, signed int i2) {
+  signed long long tmp =
+      (signed long long)i1 * (signed long long)i2; // COMPLIANT
+  signed int result;
+
+  if (tmp > INT_MAX || tmp < INT_MIN) {
+    // handle error
+  } else {
+    i1 *i2; // COMPLIANT - checked
+    result = (signed int)tmp;
+  }
+}
+
+void test_mul_precheck_2(signed int i1, signed int i2) {
+  if (i1 > 0) {
+    if (i2 > 0) {
+      if (i1 > (INT_MAX / i2)) {
+        return; // handle error
+      }
+    } else {
+      if (i2 < (INT_MIN / i1)) {
+        // handle error
+        return; // handle error
+      }
+    }
+  } else {
+    if (i2 > 0) {
+      if (i1 < (INT_MIN / i2)) {
+        // handle error
+        return; // handle error
+      }
+    } else {
+      if ((i1 != 0) && (i2 < (INT_MAX / i1))) {
+        // handle error
+        return; // handle error
+      }
+    }
+  }
+  i1 *i2; // COMPLIANT
+}
+
+void test_simple_div(signed int i1, signed int i2) {
+  if (i2 == 0) {
+    // handle error
+  } else {
+    i1 / i2; // NON_COMPLIANT
+  }
+}
+
+void test_div_precheck(signed int i1, signed int i2) {
+  if ((i2 == 0) || ((i1 == LONG_MIN) && (i2 == -1))) {
+    /* Handle error */
+  } else {
+    i1 / i2; // COMPLIANT
+  }
+}
+
+void test_simple_rem(signed int i1, signed int i2) {
+  if (i2 == 0) {
+    // handle error
+  } else {
+    i1 % i2; // NON_COMPLIANT
+  }
+}
+
+void test_rem_precheck(signed int i1, signed int i2) {
+  if ((i2 == 0) || ((i1 == LONG_MIN) && (i2 == -1))) {
+    /* Handle error */
+  } else {
+    i1 % i2; // COMPLIANT
+  }
+}
+
+void test_simple_left_shift(signed int i1, signed int i2) {
+  i1 << i2; // NON_COMPLIANT
+}
+
+/* Returns the number of set bits */
+size_t popcount(uintmax_t num);
+
+#define PRECISION(umax_value) popcount(umax_value)
+
+void test_left_shift_precheck(signed int i1, signed int i2) {
+  if ((i1 < 0) || (i2 < 0) || (i2 >= PRECISION(UINT_MAX)) ||
+      (i1 > (INT_MAX >> i2))) {
+    // handle error
+  } else {
+    i1 << i2; // COMPLIANT
+  }
+}
+
+void test_simple_negate(signed int i1) {
+  -i1; // NON_COMPLIANT
+}
+
+void test_negate_precheck(signed int i1) {
+  if (i1 == INT_MIN) {
+    // handle error
+  } else {
+    -i1; // COMPLIANT
+  }
+}

cpp/common/src/codingstandards/cpp/Overflow.qll

@@ -42,6 +42,105 @@ class InterestingBinaryOverflowingExpr extends BinaryArithmeticOperation {
     )
   }
 
+  /**
+   * Holds if there is a correct validity check after this expression which may overflow.
+   */
+  predicate hasValidPreCheck() {
+    exists(GVN i1, GVN i2 |
+      i1 = globalValueNumber(this.getLeftOperand()) and
+      i2 = globalValueNumber(this.getRightOperand())
+      or
+      i2 = globalValueNumber(this.getLeftOperand()) and
+      i1 = globalValueNumber(this.getRightOperand())
+    |
+      // The CERT rule for signed integer overflow has a very specific pattern it recommends
+      // for checking for overflow. We try to match the pattern here.
+      //   ((i2 > 0 && i1 > (INT_MAX - i2)) || (i2 < 0 && i1 < (INT_MIN - i2)))
+      this instanceof AddExpr and
+      exists(LogicalOrExpr orExpr |
+        // GuardCondition doesn't work in this case, so just confirm that this check dominates the overflow
+        bbDominates(orExpr.getBasicBlock(), this.getBasicBlock()) and
+        exists(LogicalAndExpr andExpr |
+          andExpr = orExpr.getAnOperand() and
+          exists(StrictRelationalOperation gt |
+            gt = andExpr.getAnOperand() and
+            gt.getLesserOperand().getValue() = "0" and
+            globalValueNumber(gt.getGreaterOperand()) = i2
+          ) and
+          exists(StrictRelationalOperation gt |
+            gt = andExpr.getAnOperand() and
+            gt.getLesserOperand() =
+              any(SubExpr se |
+                se.getLeftOperand().getValue().toFloat() = typeUpperBound(getType()) and
+                globalValueNumber(se.getRightOperand()) = i2
+              ) and
+            globalValueNumber(gt.getGreaterOperand()) = i1
+          )
+        ) and
+        exists(LogicalAndExpr andExpr |
+          andExpr = orExpr.getAnOperand() and
+          exists(StrictRelationalOperation gt |
+            gt = andExpr.getAnOperand() and
+            gt.getGreaterOperand().getValue() = "0" and
+            globalValueNumber(gt.getLesserOperand()) = i2
+          ) and
+          exists(StrictRelationalOperation gt |
+            gt = andExpr.getAnOperand() and
+            gt.getGreaterOperand() =
+              any(SubExpr se |
+                se.getLeftOperand().getValue().toFloat() = typeLowerBound(getType()) and
+                globalValueNumber(se.getRightOperand()) = i2
+              ) and
+            globalValueNumber(gt.getLesserOperand()) = i1
+          )
+        )
+      )
+      or
+      // The CERT rule for signed integer overflow has a very specific pattern it recommends
+      // for checking for underflow. We try to match the pattern here.
+      //   ((i2 > 0 && i1 > (INT_MIN + i2)) || (i2 < 0 && i1 < (INT_MAX + i2)))
+      this instanceof SubExpr and
+      exists(LogicalOrExpr orExpr |
+        // GuardCondition doesn't work in this case, so just confirm that this check dominates the overflow
+        bbDominates(orExpr.getBasicBlock(), this.getBasicBlock()) and
+        exists(LogicalAndExpr andExpr |
+          andExpr = orExpr.getAnOperand() and
+          exists(StrictRelationalOperation gt |
+            gt = andExpr.getAnOperand() and
+            gt.getLesserOperand().getValue() = "0" and
+            globalValueNumber(gt.getGreaterOperand()) = i2
+          ) and
+          exists(StrictRelationalOperation gt |
+            gt = andExpr.getAnOperand() and
+            gt.getGreaterOperand() =
+              any(AddExpr se |
+                se.getLeftOperand().getValue().toFloat() = typeLowerBound(getType()) and
+                globalValueNumber(se.getRightOperand()) = i2
+              ) and
+            globalValueNumber(gt.getLesserOperand()) = i1
+          )
+        ) and
+        exists(LogicalAndExpr andExpr |
+          andExpr = orExpr.getAnOperand() and
+          exists(StrictRelationalOperation gt |
+            gt = andExpr.getAnOperand() and
+            gt.getGreaterOperand().getValue() = "0" and
+            globalValueNumber(gt.getLesserOperand()) = i2
+          ) and
+          exists(StrictRelationalOperation gt |
+            gt = andExpr.getAnOperand() and
+            gt.getLesserOperand() =
+              any(AddExpr se |
+                se.getLeftOperand().getValue().toFloat() = typeUpperBound(getType()) and
+                globalValueNumber(se.getRightOperand()) = i2
+              ) and
+            globalValueNumber(gt.getGreaterOperand()) = i1
+          )
+        )
+      )
+    )
+  }
+
   /**
    * Holds if there is a correct validity check after this expression which may overflow.
    *
@@ -90,3 +189,7 @@ class InterestingBinaryOverflowingExpr extends BinaryArithmeticOperation {
     )
   }
 }
+
+private class StrictRelationalOperation extends RelationalOperation {
+  StrictRelationalOperation() { this.getOperator() = [">", "<"] }
+}