Skip to content

Commit b5c66c5

Browse files
aschackmullaschackmull
committed
Java: Support double-recursive range analysis bounds for addition.
1 parent 6b26510 commit b5c66c5

File tree

1 file changed

+48
-26
lines changed

1 file changed

+48
-26
lines changed

java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll

Lines changed: 48 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -421,32 +421,6 @@ private predicate boundFlowStep(Expr e2, Expr e1, int delta, boolean upper) {
421421
delta = 0 and
422422
(upper = true or upper = false)
423423
or
424-
exists(Expr x |
425-
e2.(AddExpr).hasOperands(e1, x)
426-
or
427-
exists(AssignAddExpr add | add = e2 |
428-
add.getDest() = e1 and add.getRhs() = x
429-
or
430-
add.getDest() = x and add.getRhs() = e1
431-
)
432-
|
433-
// `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
434-
not x instanceof ConstantIntegerExpr and
435-
not e1 instanceof ConstantIntegerExpr and
436-
if strictlyPositiveIntegralExpr(x)
437-
then upper = false and delta = 1
438-
else
439-
if positive(x)
440-
then upper = false and delta = 0
441-
else
442-
if strictlyNegativeIntegralExpr(x)
443-
then upper = true and delta = -1
444-
else
445-
if negative(x)
446-
then upper = true and delta = 0
447-
else none()
448-
)
449-
or
450424
exists(Expr x |
451425
exists(SubExpr sub |
452426
e2 = sub and
@@ -896,6 +870,20 @@ private predicate bounded(
896870
or
897871
upper = false and delta = d1.minimum(d2)
898872
)
873+
or
874+
exists(
875+
Bound b1, Bound b2, int d1, int d2, boolean fbe1, boolean fbe2, int od1, int od2, Reason r1,
876+
Reason r2
877+
|
878+
boundedAddition(e, upper, b1, true, d1, fbe1, od1, r1) and
879+
boundedAddition(e, upper, b2, false, d2, fbe2, od2, r2) and
880+
delta = d1 + d2 and
881+
fromBackEdge = fbe1.booleanOr(fbe2)
882+
|
883+
b = b1 and origdelta = od1 and reason = r1 and b2 instanceof ZeroBound
884+
or
885+
b = b2 and origdelta = od2 and reason = r2 and b1 instanceof ZeroBound
886+
)
899887
}
900888

901889
private predicate boundedConditionalExpr(
@@ -904,3 +892,37 @@ private predicate boundedConditionalExpr(
904892
) {
905893
bounded(cond.getBranchExpr(branch), b, delta, upper, fromBackEdge, origdelta, reason)
906894
}
895+
896+
private predicate nonConstAdd(Expr add, Expr operand, boolean isLeft) {
897+
exists(Expr other |
898+
add.(AddExpr).getLeftOperand() = operand and
899+
add.(AddExpr).getRightOperand() = other and
900+
isLeft = true
901+
or
902+
add.(AddExpr).getLeftOperand() = other and
903+
add.(AddExpr).getRightOperand() = operand and
904+
isLeft = false
905+
or
906+
add.(AssignAddExpr).getDest() = operand and
907+
add.(AssignAddExpr).getRhs() = other and
908+
isLeft = true
909+
or
910+
add.(AssignAddExpr).getDest() = other and
911+
add.(AssignAddExpr).getRhs() = operand and
912+
isLeft = false
913+
|
914+
// `ConstantIntegerExpr` is covered by valueFlowStep
915+
not other instanceof ConstantIntegerExpr and
916+
not operand instanceof ConstantIntegerExpr
917+
)
918+
}
919+
920+
private predicate boundedAddition(
921+
Expr add, boolean upper, Bound b, boolean isLeft, int delta, boolean fromBackEdge, int origdelta,
922+
Reason reason
923+
) {
924+
exists(Expr op |
925+
nonConstAdd(add, op, isLeft) and
926+
bounded(op, b, delta, upper, fromBackEdge, origdelta, reason)
927+
)
928+
}

0 commit comments

Comments
 (0)