
Commit e607712

committed
C++: Only unary and binary arithmetic operations and left shifts are now
reported as overflowing when we cannot analyze them.
1 parent ed64ed3 commit e607712

1 file changed

+20
-4
lines changed

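--- a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -1617,6 +1617,18 @@ private module SimpleRangeAnalysisCached {
 defMightOverflowPositively(def, v)
 }
 
+/**
+* Holds if `e` is an expression where the concept of overflow makes sense.
+* This predicate is used to filter out some of the unanalyzable expressions
+* from `exprMightOverflowPositively` and `exprMightOverflowNegatively`.
+*/
+pragma[inline]
+private predicate exprThatCanOverflow(Expr e) {
+e instanceof UnaryArithmeticOperation or
+e instanceof BinaryArithmeticOperation or
+e instanceof LShiftExpr
+}
+
 /**
 * Holds if the expression might overflow negatively. This predicate
 * does not consider the possibility that the expression might overflow
@@ -1631,8 +1643,10 @@ private module SimpleRangeAnalysisCached {
 // detecting whether it might overflow.
 getLowerBoundsImpl(expr.(PostfixDecrExpr)) = exprMinVal(expr)
 or
-// Expressions we cannot analyze could potentially overflow
-not analyzableExpr(expr)
+// We can't conclude that any unanalyzable expression might overflow. This
+// is because there are many expressions that the range analysis doesn't
+// handle, but where the concept of overflow doesn't make sense.
+exprThatCanOverflow(expr) and not analyzableExpr(expr)
 }
 
 /**
@@ -1661,8 +1675,10 @@ private module SimpleRangeAnalysisCached {
 // detecting whether it might overflow.
 getUpperBoundsImpl(expr.(PostfixIncrExpr)) = exprMaxVal(expr)
 or
-// Expressions we cannot analyze could potentially overflow
-not analyzableExpr(expr)
+// We can't conclude that any unanalyzable expression might overflow. This
+// is because there are many expressions that the range analysis doesn't
+// handle, but where the concept of overflow doesn't make sense.
+exprThatCanOverflow(expr) and not analyzableExpr(expr)
 }
 
 /**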
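Review bot: The new `exprThatCanOverflow` allow-list (new lines 1626-1630) omits the compound-assignment forms of the same operations, so an unanalyzable `x += y` or `x <<= n` is now treated as never overflowing by `exprMightOverflowNegatively` and `exprMightOverflowPositively`, which turns a previous over-report into a silent false negative for the overflow queries built on these predicates. If expression-level reporting of compound assignments is intended, the list should also cover them: `e instanceof AssignArithmeticOperation or` and `e instanceof AssignLShiftExpr`; if it is intentionally left to the `defMightOverflow*` path shown at new line 1617, the doc comment should say so, e.g. `* Compound assignments (`+=`, `<<=`) are deliberately excluded here; they are handled via defMightOverflowPositively/Negatively.`. The same filter is applied in the second and third hunks, so any change to the list affects both callers at once. The enclosing module `SimpleRangeAnalysisCached` starts and ends outside these hunks.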
