C++: Remove the implicit assumption about the existence of a lower bound implying the existence of an upper bound (and vice veraa).

MathiasVP · MathiasVP · commit 3f0bfe1d752f · 2021-11-15T13:39:15.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
@@ -1069,22 +1069,25 @@ class FormatLiteral extends Literal {
             or
             // The second case uses range analysis to deduce a length that's shorter than the length
             // of the number -2^31.
-            exists(Expr arg, float lower |
+            exists(Expr arg, float lower, float upper |
               arg = this.getUse().getConversionArgument(n) and
-              lower = lowerBound(arg.getFullyConverted())
+              lower = lowerBound(arg.getFullyConverted()) and
+              upper = upperBound(arg.getFullyConverted())
             |
               cand =
                 max(int cand0 |
+                  // Include the sign bit in the length if it can be negative
                   (
-                    // Include the sign bit in the length of `lower` if it can be negative
                     if lower < 0
                     then cand0 = 1 + lengthInBase10(lower.abs())
                     else cand0 = lengthInBase10(lower)
                   )
                   or
-                  // We don't care about the sign of `upper`: if `upper` is negative, then we know
-                  // `lower` is also (possibly more) negative, and thus its length will be greater.
-                  cand0 = lengthInBase10(upperBound(arg.getFullyConverted()))
+                  (
+                    if upper < 0
+                    then cand0 = 1 + lengthInBase10(upper.abs())
+                    else cand0 = lengthInBase10(upper)
+                  )
                 )
             )
           )

Original file line number	Diff line number	Diff line change
`@@ -1069,22 +1069,25 @@ class FormatLiteral extends Literal {`
`1069`	`1069`	`or`
`1070`	`1070`	`// The second case uses range analysis to deduce a length that's shorter than the length`
`1071`	`1071`	`// of the number -2^31.`
`1072`		`- exists(Expr arg, float lower \|`
	`1072`	`+ exists(Expr arg, float lower, float upper \|`
`1073`	`1073`	`arg = this.getUse().getConversionArgument(n) and`
`1074`		`- lower = lowerBound(arg.getFullyConverted())`
	`1074`	`+ lower = lowerBound(arg.getFullyConverted()) and`
	`1075`	`+ upper = upperBound(arg.getFullyConverted())`
`1075`	`1076`	`\|`
`1076`	`1077`	`cand =`
`1077`	`1078`	`max(int cand0 \|`
	`1079`	`+ // Include the sign bit in the length if it can be negative`
`1078`	`1080`	`(`
`1079`		- // Include the sign bit in the length of `lower` if it can be negative
`1080`	`1081`	`if lower < 0`
`1081`	`1082`	`then cand0 = 1 + lengthInBase10(lower.abs())`
`1082`	`1083`	`else cand0 = lengthInBase10(lower)`
`1083`	`1084`	`)`
`1084`	`1085`	`or`
`1085`		- // We don't care about the sign of `upper`: if `upper` is negative, then we know
`1086`		- // `lower` is also (possibly more) negative, and thus its length will be greater.
`1087`		`- cand0 = lengthInBase10(upperBound(arg.getFullyConverted()))`
	`1086`	`+ (`
	`1087`	`+ if upper < 0`
	`1088`	`+ then cand0 = 1 + lengthInBase10(upper.abs())`
	`1089`	`+ else cand0 = lengthInBase10(upper)`
	`1090`	`+ )`
`1088`	`1091`	`)`
`1089`	`1092`	`)`
`1090`	`1093`	`)`