C++: Replace GVN with some other libraries.

geoffw0 · geoffw0 · commit 3b437fe6cf1e · 2021-04-09T15:21:42.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -12,10 +12,10 @@
 
 import cpp
 import semmle.code.cpp.commons.Exclusions
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 import semmle.code.cpp.controlflow.Guards
+import semmle.code.cpp.dataflow.DataFlow
 
 /**
  *  Holds if `sub` is guarded by a condition which ensures that
@@ -37,15 +37,27 @@ predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
   e = sub.getLeftOperand()
   or
   exists(Expr other |
-    // GVN equality
+    // use-use
     exprIsSubLeftOrLess(sub, other) and
-    globalValueNumber(e) = globalValueNumber(other)
+    (
+      useUsePair(_, other, e) or
+      useUsePair(_, e, other)
+    )
+  )
+  or
+  exists(Expr other |
+    // dataflow
+    exprIsSubLeftOrLess(sub, other) and
+    (
+      DataFlow::localFlowStep(DataFlow::exprNode(e), DataFlow::exprNode(other)) or
+      DataFlow::localFlowStep(DataFlow::exprNode(other), DataFlow::exprNode(e))
+    )
   )
   or
   exists(Expr other |
     // guard constraining `sub`
     exprIsSubLeftOrLess(sub, other) and
-    isGuarded(sub, other, e) // left >= right
+    isGuarded(sub, other, e) // other >= e
   )
   or
   exists(Expr other, float p, float q |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -1,20 +1,13 @@
 | test.cpp:6:5:6:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:10:8:10:24 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:15:9:15:25 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:32:12:32:20 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:39:12:39:20 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:47:5:47:13 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:55:5:55:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:62:5:62:13 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:69:5:69:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:75:8:75:16 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:101:6:101:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:128:6:128:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:137:6:137:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:146:7:146:15 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:152:7:152:15 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:182:6:182:14 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:195:6:195:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:208:6:208:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:252:10:252:18 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:266:10:266:24 | ... > ... | Unsigned subtraction can never be negative. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
@@ -12,7 +12,7 @@ void test(unsigned x, unsigned y, bool unknown) {
 	}
 
 	if(total <= limit) {
-		while(limit - total > 0) { // GOOD [FALSE POSITIVE]
+		while(limit - total > 0) { // GOOD
 			total += getAnInt();
 			if(total > limit) break;
 		}
@@ -29,30 +29,30 @@ void test(unsigned x, unsigned y, bool unknown) {
 	} else {
 		y = x;
 	}
-	bool b1 = x - y > 0; // GOOD [FALSE POSITIVE]
+	bool b1 = x - y > 0; // GOOD
 
 	x = getAnInt();
 	y = getAnInt();
 	if(y > x) {
 		y = x - 1;
 	}
-	bool b2 = x - y > 0; // GOOD [FALSE POSITIVE]
+	bool b2 = x - y > 0; // GOOD
 
 	int N = getAnInt();
 	y = x;
 	while(cond()) {
 		if(unknown) { y--; }
 	}
 	
-	if(x - y > 0) { } // GOOD [FALSE POSITIVE]
+	if(x - y > 0) { } // GOOD
 
 	x = y;
 	while(cond()) {
 		if(unknown) break;
 		y--;
 	}
 
-	if(x - y > 0) { } // GOOD [FALSE POSITIVE]
+	if(x - y > 0) { } // GOOD
 
 	y = 0;
 	for(int i = 0; i < x; ++i) {
@@ -66,7 +66,7 @@ void test(unsigned x, unsigned y, bool unknown) {
 		if(unknown) { x++; }
 	}
 
-	if(x - y > 0) { } // GOOD [FALSE POSITIVE]
+	if(x - y > 0) { } // GOOD
 
 	int n = getAnInt();
 	if (n > x - y) { n = x - y; }
@@ -192,7 +192,7 @@ void test10() {
 		a = b;
 	}
 
-	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+	if (a - b > 0) { // GOOD (as a >= b)
 		// ...
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ void test(unsigned x, unsigned y, bool unknown) {`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`if(total <= limit) {`
`15`		`- while(limit - total > 0) { // GOOD [FALSE POSITIVE]`
	`15`	`+ while(limit - total > 0) { // GOOD`
`16`	`16`	`total += getAnInt();`
`17`	`17`	`if(total > limit) break;`
`18`	`18`	`}`
`@@ -29,30 +29,30 @@ void test(unsigned x, unsigned y, bool unknown) {`
`29`	`29`	`} else {`
`30`	`30`	`y = x;`
`31`	`31`	`}`
`32`		`- bool b1 = x - y > 0; // GOOD [FALSE POSITIVE]`
	`32`	`+ bool b1 = x - y > 0; // GOOD`
`33`	`33`
`34`	`34`	`x = getAnInt();`
`35`	`35`	`y = getAnInt();`
`36`	`36`	`if(y > x) {`
`37`	`37`	`y = x - 1;`
`38`	`38`	`}`
`39`		`- bool b2 = x - y > 0; // GOOD [FALSE POSITIVE]`
	`39`	`+ bool b2 = x - y > 0; // GOOD`
`40`	`40`
`41`	`41`	`int N = getAnInt();`
`42`	`42`	`y = x;`
`43`	`43`	`while(cond()) {`
`44`	`44`	`if(unknown) { y--; }`
`45`	`45`	`}`
`46`	`46`
`47`		`- if(x - y > 0) { } // GOOD [FALSE POSITIVE]`
	`47`	`+ if(x - y > 0) { } // GOOD`
`48`	`48`
`49`	`49`	`x = y;`
`50`	`50`	`while(cond()) {`
`51`	`51`	`if(unknown) break;`
`52`	`52`	`y--;`
`53`	`53`	`}`
`54`	`54`
`55`		`- if(x - y > 0) { } // GOOD [FALSE POSITIVE]`
	`55`	`+ if(x - y > 0) { } // GOOD`
`56`	`56`
`57`	`57`	`y = 0;`
`58`	`58`	`for(int i = 0; i < x; ++i) {`
`@@ -66,7 +66,7 @@ void test(unsigned x, unsigned y, bool unknown) {`
`66`	`66`	`if(unknown) { x++; }`
`67`	`67`	`}`
`68`	`68`
`69`		`- if(x - y > 0) { } // GOOD [FALSE POSITIVE]`
	`69`	`+ if(x - y > 0) { } // GOOD`
`70`	`70`
`71`	`71`	`int n = getAnInt();`
`72`	`72`	`if (n > x - y) { n = x - y; }`
`@@ -192,7 +192,7 @@ void test10() {`
`192`	`192`	`a = b;`
`193`	`193`	`}`
`194`	`194`
`195`		`- if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]`
	`195`	`+ if (a - b > 0) { // GOOD (as a >= b)`
`196`	`196`	`// ...`
`197`	`197`	`}`
`198`	`198`	`}`