Merge pull request github#6315 from MathiasVP/fix-off-by-one-in-rem-expr-range-analysis

rdmarsh2 · web-flow · commit e0ff1d949b9c · 2021-07-16T15:22:03.000-07:00
C++: Fix off–by-one in range analysis for `RemExpr`.
diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -863,16 +863,16 @@ private float getLowerBoundsImpl(Expr expr) {
       result = 0
       or
       // If either input could be negative then the output could be
-      // negative. If so, the lower bound of `x%y` is `-abs(y)`, which is
-      // equal to `min(-y,y)`.
+      // negative. If so, the lower bound of `x%y` is `-abs(y) + 1`, which is
+      // equal to `min(-y + 1,y - 1)`.
       exists(float childLB |
         childLB = getFullyConvertedLowerBounds(remExpr.getAnOperand()) and
         not childLB >= 0
       |
-        result = getFullyConvertedLowerBounds(remExpr.getRightOperand())
+        result = getFullyConvertedLowerBounds(remExpr.getRightOperand()) - 1
         or
         exists(float rhsUB | rhsUB = getFullyConvertedUpperBounds(remExpr.getRightOperand()) |
-          result = -rhsUB
+          result = -rhsUB + 1
         )
       )
     )
@@ -1058,16 +1058,16 @@ private float getUpperBoundsImpl(Expr expr) {
       expr = remExpr and
       rhsUB = getFullyConvertedUpperBounds(remExpr.getRightOperand())
     |
-      result = rhsUB
+      result = rhsUB - 1
       or
       // If the right hand side could be negative then we need to take its
       // absolute value. Since `abs(x) = max(-x,x)` this is equivalent to
       // adding `-rhsLB` to the set of upper bounds.
       exists(float rhsLB |
-        rhsLB = getFullyConvertedLowerBounds(remExpr.getAnOperand()) and
+        rhsLB = getFullyConvertedLowerBounds(remExpr.getRightOperand()) and
         not rhsLB >= 0
       |
-        result = -rhsLB
+        result = -rhsLB + 1
       )
     )
     or
diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected
@@ -592,6 +592,8 @@
 | test.c:654:9:654:9 | i | -2147483648 |
 | test.c:658:7:658:7 | u | 0 |
 | test.c:659:9:659:9 | u | 0 |
+| test.c:664:12:664:12 | s | -2147483648 |
+| test.c:665:7:665:8 | s2 | -4 |
 | test.cpp:10:7:10:7 | b | -2147483648 |
 | test.cpp:11:5:11:5 | x | -2147483648 |
 | test.cpp:13:10:13:10 | x | -2147483648 |
diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c
@@ -659,3 +659,8 @@ void guard_bound_out_of_range(void) {
     out(u); // unreachable [BUG: is 0 .. +max]
   }
 }
+
+void test_mod(int s) {
+  int s2 = s % 5;
+  out(s2); // -4 .. 4
+}
diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected
@@ -592,6 +592,8 @@
 | test.c:654:9:654:9 | i | 2147483647 |
 | test.c:658:7:658:7 | u | 0 |
 | test.c:659:9:659:9 | u | 4294967295 |
+| test.c:664:12:664:12 | s | 2147483647 |
+| test.c:665:7:665:8 | s2 | 4 |
 | test.cpp:10:7:10:7 | b | 2147483647 |
 | test.cpp:11:5:11:5 | x | 2147483647 |
 | test.cpp:13:10:13:10 | x | 2147483647 |

Original file line number	Diff line number	Diff line change
`@@ -863,16 +863,16 @@ private float getLowerBoundsImpl(Expr expr) {`
`863`	`863`	`result = 0`
`864`	`864`	`or`
`865`	`865`	`// If either input could be negative then the output could be`
`866`		- // negative. If so, the lower bound of `x%y` is `-abs(y)`, which is
`867`		- // equal to `min(-y,y)`.
	`866`	+ // negative. If so, the lower bound of `x%y` is `-abs(y) + 1`, which is
	`867`	+ // equal to `min(-y + 1,y - 1)`.
`868`	`868`	`exists(float childLB \|`
`869`	`869`	`childLB = getFullyConvertedLowerBounds(remExpr.getAnOperand()) and`
`870`	`870`	`not childLB >= 0`
`871`	`871`	`\|`
`872`		`- result = getFullyConvertedLowerBounds(remExpr.getRightOperand())`
	`872`	`+ result = getFullyConvertedLowerBounds(remExpr.getRightOperand()) - 1`
`873`	`873`	`or`
`874`	`874`	`exists(float rhsUB \| rhsUB = getFullyConvertedUpperBounds(remExpr.getRightOperand()) \|`
`875`		`- result = -rhsUB`
	`875`	`+ result = -rhsUB + 1`
`876`	`876`	`)`
`877`	`877`	`)`
`878`	`878`	`)`
`@@ -1058,16 +1058,16 @@ private float getUpperBoundsImpl(Expr expr) {`
`1058`	`1058`	`expr = remExpr and`
`1059`	`1059`	`rhsUB = getFullyConvertedUpperBounds(remExpr.getRightOperand())`
`1060`	`1060`	`\|`
`1061`		`- result = rhsUB`
	`1061`	`+ result = rhsUB - 1`
`1062`	`1062`	`or`
`1063`	`1063`	`// If the right hand side could be negative then we need to take its`
`1064`	`1064`	// absolute value. Since `abs(x) = max(-x,x)` this is equivalent to
`1065`	`1065`	// adding `-rhsLB` to the set of upper bounds.
`1066`	`1066`	`exists(float rhsLB \|`
`1067`		`- rhsLB = getFullyConvertedLowerBounds(remExpr.getAnOperand()) and`
	`1067`	`+ rhsLB = getFullyConvertedLowerBounds(remExpr.getRightOperand()) and`
`1068`	`1068`	`not rhsLB >= 0`
`1069`	`1069`	`\|`
`1070`		`- result = -rhsLB`
	`1070`	`+ result = -rhsLB + 1`
`1071`	`1071`	`)`
`1072`	`1072`	`)`
`1073`	`1073`	`or`
Original file line number	Diff line number	Diff line change
`@@ -659,3 +659,8 @@ void guard_bound_out_of_range(void) {`
`659`	`659`	`out(u); // unreachable [BUG: is 0 .. +max]`
`660`	`660`	`}`
`661`	`661`	`}`
	`662`	`+`
	`663`	`+void test_mod(int s) {`
	`664`	`+ int s2 = s % 5;`
	`665`	`+ out(s2); // -4 .. 4`
	`666`	`+}`