C++: Fix off-by-one in range analysis for 'RemExpr'.

MathiasVP · MathiasVP · commit 39d9395bc3d5 · 2021-07-16T16:35:19.000+02:00
diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -863,16 +863,16 @@ private float getLowerBoundsImpl(Expr expr) {
       result = 0
       or
       // If either input could be negative then the output could be
-      // negative. If so, the lower bound of `x%y` is `-abs(y)`, which is
-      // equal to `min(-y,y)`.
+      // negative. If so, the lower bound of `x%y` is `-abs(y) + 1`, which is
+      // equal to `min(-y + 1,y - 1)`.
       exists(float childLB |
         childLB = getFullyConvertedLowerBounds(remExpr.getAnOperand()) and
         not childLB >= 0
       |
-        result = getFullyConvertedLowerBounds(remExpr.getRightOperand())
+        result = getFullyConvertedLowerBounds(remExpr.getRightOperand()) - 1
         or
         exists(float rhsUB | rhsUB = getFullyConvertedUpperBounds(remExpr.getRightOperand()) |
-          result = -rhsUB
+          result = -rhsUB + 1
         )
       )
     )
@@ -1058,7 +1058,7 @@ private float getUpperBoundsImpl(Expr expr) {
       expr = remExpr and
       rhsUB = getFullyConvertedUpperBounds(remExpr.getRightOperand())
     |
-      result = rhsUB
+      result = rhsUB - 1
       or
       // If the right hand side could be negative then we need to take its
       // absolute value. Since `abs(x) = max(-x,x)` this is equivalent to
@@ -1067,7 +1067,7 @@ private float getUpperBoundsImpl(Expr expr) {
         rhsLB = getFullyConvertedLowerBounds(remExpr.getRightOperand()) and
         not rhsLB >= 0
       |
-        result = -rhsLB
+        result = -rhsLB + 1
       )
     )
     or
diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected
@@ -593,7 +593,7 @@
 | test.c:658:7:658:7 | u | 0 |
 | test.c:659:9:659:9 | u | 0 |
 | test.c:664:12:664:12 | s | -2147483648 |
-| test.c:665:7:665:8 | s2 | -5 |
+| test.c:665:7:665:8 | s2 | -4 |
 | test.cpp:10:7:10:7 | b | -2147483648 |
 | test.cpp:11:5:11:5 | x | -2147483648 |
 | test.cpp:13:10:13:10 | x | -2147483648 |
diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c
@@ -662,5 +662,5 @@ void guard_bound_out_of_range(void) {
 
 void test_mod(int s) {
   int s2 = s % 5;
-  out(s2); // -4 .. 4 [BUG: is -5 .. 5]
+  out(s2); // -4 .. 4
 }
diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected
@@ -593,7 +593,7 @@
 | test.c:658:7:658:7 | u | 0 |
 | test.c:659:9:659:9 | u | 4294967295 |
 | test.c:664:12:664:12 | s | 2147483647 |
-| test.c:665:7:665:8 | s2 | 5 |
+| test.c:665:7:665:8 | s2 | 4 |
 | test.cpp:10:7:10:7 | b | 2147483647 |
 | test.cpp:11:5:11:5 | x | 2147483647 |
 | test.cpp:13:10:13:10 | x | 2147483647 |

Original file line number	Diff line number	Diff line change
`@@ -863,16 +863,16 @@ private float getLowerBoundsImpl(Expr expr) {`
`863`	`863`	`result = 0`
`864`	`864`	`or`
`865`	`865`	`// If either input could be negative then the output could be`
`866`		- // negative. If so, the lower bound of `x%y` is `-abs(y)`, which is
`867`		- // equal to `min(-y,y)`.
	`866`	+ // negative. If so, the lower bound of `x%y` is `-abs(y) + 1`, which is
	`867`	+ // equal to `min(-y + 1,y - 1)`.
`868`	`868`	`exists(float childLB \|`
`869`	`869`	`childLB = getFullyConvertedLowerBounds(remExpr.getAnOperand()) and`
`870`	`870`	`not childLB >= 0`
`871`	`871`	`\|`
`872`		`- result = getFullyConvertedLowerBounds(remExpr.getRightOperand())`
	`872`	`+ result = getFullyConvertedLowerBounds(remExpr.getRightOperand()) - 1`
`873`	`873`	`or`
`874`	`874`	`exists(float rhsUB \| rhsUB = getFullyConvertedUpperBounds(remExpr.getRightOperand()) \|`
`875`		`- result = -rhsUB`
	`875`	`+ result = -rhsUB + 1`
`876`	`876`	`)`
`877`	`877`	`)`
`878`	`878`	`)`
`@@ -1058,7 +1058,7 @@ private float getUpperBoundsImpl(Expr expr) {`
`1058`	`1058`	`expr = remExpr and`
`1059`	`1059`	`rhsUB = getFullyConvertedUpperBounds(remExpr.getRightOperand())`
`1060`	`1060`	`\|`
`1061`		`- result = rhsUB`
	`1061`	`+ result = rhsUB - 1`
`1062`	`1062`	`or`
`1063`	`1063`	`// If the right hand side could be negative then we need to take its`
`1064`	`1064`	// absolute value. Since `abs(x) = max(-x,x)` this is equivalent to
`@@ -1067,7 +1067,7 @@ private float getUpperBoundsImpl(Expr expr) {`
`1067`	`1067`	`rhsLB = getFullyConvertedLowerBounds(remExpr.getRightOperand()) and`
`1068`	`1068`	`not rhsLB >= 0`
`1069`	`1069`	`\|`
`1070`		`- result = -rhsLB`
	`1070`	`+ result = -rhsLB + 1`
`1071`	`1071`	`)`
`1072`	`1072`	`)`
`1073`	`1073`	`or`
Original file line number	Diff line number	Diff line change
`@@ -662,5 +662,5 @@ void guard_bound_out_of_range(void) {`
`662`	`662`
`663`	`663`	`void test_mod(int s) {`
`664`	`664`	`int s2 = s % 5;`
`665`		`- out(s2); // -4 .. 4 [BUG: is -5 .. 5]`
	`665`	`+ out(s2); // -4 .. 4`
`666`	`666`	`}`