Swift: Understand overflow binary arithmetic operations.

geoffw0 · geoffw0 · commit 1206b73d8772 · 2023-03-02T12:11:15.000Z
diff --git a/swift/ql/lib/codeql/swift/elements/expr/ArithmeticOperation.qll b/swift/ql/lib/codeql/swift/elements/expr/ArithmeticOperation.qll
@@ -45,30 +45,33 @@ class BinaryArithmeticOperation extends BinaryExpr {
  * An add expression.
  * ```
  * a + b
+ * a &+ b
  * ```
  */
 class AddExpr extends BinaryExpr {
-  AddExpr() { this.getStaticTarget().getName() = "+(_:_:)" }
+  AddExpr() { this.getStaticTarget().getName() = ["+(_:_:)", "&+(_:_:)"] }
 }
 
 /**
  * A subtract expression.
  * ```
  * a - b
+ * a &- b
  * ```
  */
 class SubExpr extends BinaryExpr {
-  SubExpr() { this.getStaticTarget().getName() = "-(_:_:)" }
+  SubExpr() { this.getStaticTarget().getName() = ["-(_:_:)", "&-(_:_:)"] }
 }
 
 /**
  * A multiply expression.
  * ```
  * a * b
+ * a &* b
  * ```
  */
 class MulExpr extends BinaryExpr {
-  MulExpr() { this.getStaticTarget().getName() = "*(_:_:)" }
+  MulExpr() { this.getStaticTarget().getName() = ["*(_:_:)", "&*(_:_:)"] }
 }
 
 /**
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
@@ -19,6 +19,18 @@
 | simple.swift:21:13:21:20 | call to source() | simple.swift:21:13:21:24 | ... .%(_:_:) ... |
 | simple.swift:21:24:21:24 | 100 | simple.swift:21:13:21:24 | ... .%(_:_:) ... |
 | simple.swift:23:14:23:21 | call to source() | simple.swift:23:13:23:21 | call to -(_:) |
+| simple.swift:27:13:27:13 | 1 | simple.swift:27:13:27:25 | ... .&+(_:_:) ... |
+| simple.swift:27:18:27:25 | call to source() | simple.swift:27:13:27:25 | ... .&+(_:_:) ... |
+| simple.swift:28:13:28:20 | call to source() | simple.swift:28:13:28:25 | ... .&+(_:_:) ... |
+| simple.swift:28:25:28:25 | 1 | simple.swift:28:13:28:25 | ... .&+(_:_:) ... |
+| simple.swift:29:13:29:13 | 1 | simple.swift:29:13:29:25 | ... .&-(_:_:) ... |
+| simple.swift:29:18:29:25 | call to source() | simple.swift:29:13:29:25 | ... .&-(_:_:) ... |
+| simple.swift:30:13:30:20 | call to source() | simple.swift:30:13:30:25 | ... .&-(_:_:) ... |
+| simple.swift:30:25:30:25 | 1 | simple.swift:30:13:30:25 | ... .&-(_:_:) ... |
+| simple.swift:31:13:31:13 | 2 | simple.swift:31:13:31:25 | ... .&*(_:_:) ... |
+| simple.swift:31:18:31:25 | call to source() | simple.swift:31:13:31:25 | ... .&*(_:_:) ... |
+| simple.swift:32:13:32:20 | call to source() | simple.swift:32:13:32:25 | ... .&*(_:_:) ... |
+| simple.swift:32:25:32:25 | 2 | simple.swift:32:13:32:25 | ... .&*(_:_:) ... |
 | simple.swift:36:7:36:7 | SSA def(a) | simple.swift:37:13:37:13 | a |
 | simple.swift:36:11:36:11 | 0 | simple.swift:36:7:36:7 | SSA def(a) |
 | simple.swift:37:13:37:13 | [post] a | simple.swift:38:3:38:3 | a |
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected
@@ -10,6 +10,12 @@ edges
 | simple.swift:20:19:20:26 | call to source() :  | simple.swift:20:13:20:26 | ... .%(_:_:) ... |
 | simple.swift:21:13:21:20 | call to source() :  | simple.swift:21:13:21:24 | ... .%(_:_:) ... |
 | simple.swift:23:14:23:21 | call to source() :  | simple.swift:23:13:23:21 | call to -(_:) |
+| simple.swift:27:18:27:25 | call to source() :  | simple.swift:27:13:27:25 | ... .&+(_:_:) ... |
+| simple.swift:28:13:28:20 | call to source() :  | simple.swift:28:13:28:25 | ... .&+(_:_:) ... |
+| simple.swift:29:18:29:25 | call to source() :  | simple.swift:29:13:29:25 | ... .&-(_:_:) ... |
+| simple.swift:30:13:30:20 | call to source() :  | simple.swift:30:13:30:25 | ... .&-(_:_:) ... |
+| simple.swift:31:18:31:25 | call to source() :  | simple.swift:31:13:31:25 | ... .&*(_:_:) ... |
+| simple.swift:32:13:32:20 | call to source() :  | simple.swift:32:13:32:25 | ... .&*(_:_:) ... |
 | simple.swift:40:8:40:15 | call to source() :  | simple.swift:41:13:41:13 | a |
 | simple.swift:40:8:40:15 | call to source() :  | simple.swift:43:13:43:13 | a |
 | simple.swift:48:8:48:15 | call to source() :  | simple.swift:49:13:49:13 | b |
@@ -48,6 +54,18 @@ nodes
 | simple.swift:21:13:21:24 | ... .%(_:_:) ... | semmle.label | ... .%(_:_:) ... |
 | simple.swift:23:13:23:21 | call to -(_:) | semmle.label | call to -(_:) |
 | simple.swift:23:14:23:21 | call to source() :  | semmle.label | call to source() :  |
+| simple.swift:27:13:27:25 | ... .&+(_:_:) ... | semmle.label | ... .&+(_:_:) ... |
+| simple.swift:27:18:27:25 | call to source() :  | semmle.label | call to source() :  |
+| simple.swift:28:13:28:20 | call to source() :  | semmle.label | call to source() :  |
+| simple.swift:28:13:28:25 | ... .&+(_:_:) ... | semmle.label | ... .&+(_:_:) ... |
+| simple.swift:29:13:29:25 | ... .&-(_:_:) ... | semmle.label | ... .&-(_:_:) ... |
+| simple.swift:29:18:29:25 | call to source() :  | semmle.label | call to source() :  |
+| simple.swift:30:13:30:20 | call to source() :  | semmle.label | call to source() :  |
+| simple.swift:30:13:30:25 | ... .&-(_:_:) ... | semmle.label | ... .&-(_:_:) ... |
+| simple.swift:31:13:31:25 | ... .&*(_:_:) ... | semmle.label | ... .&*(_:_:) ... |
+| simple.swift:31:18:31:25 | call to source() :  | semmle.label | call to source() :  |
+| simple.swift:32:13:32:20 | call to source() :  | semmle.label | call to source() :  |
+| simple.swift:32:13:32:25 | ... .&*(_:_:) ... | semmle.label | ... .&*(_:_:) ... |
 | simple.swift:40:8:40:15 | call to source() :  | semmle.label | call to source() :  |
 | simple.swift:41:13:41:13 | a | semmle.label | a |
 | simple.swift:43:13:43:13 | a | semmle.label | a |
@@ -86,6 +104,12 @@ subpaths
 | simple.swift:20:13:20:26 | ... .%(_:_:) ... | simple.swift:20:19:20:26 | call to source() :  | simple.swift:20:13:20:26 | ... .%(_:_:) ... | result |
 | simple.swift:21:13:21:24 | ... .%(_:_:) ... | simple.swift:21:13:21:20 | call to source() :  | simple.swift:21:13:21:24 | ... .%(_:_:) ... | result |
 | simple.swift:23:13:23:21 | call to -(_:) | simple.swift:23:14:23:21 | call to source() :  | simple.swift:23:13:23:21 | call to -(_:) | result |
+| simple.swift:27:13:27:25 | ... .&+(_:_:) ... | simple.swift:27:18:27:25 | call to source() :  | simple.swift:27:13:27:25 | ... .&+(_:_:) ... | result |
+| simple.swift:28:13:28:25 | ... .&+(_:_:) ... | simple.swift:28:13:28:20 | call to source() :  | simple.swift:28:13:28:25 | ... .&+(_:_:) ... | result |
+| simple.swift:29:13:29:25 | ... .&-(_:_:) ... | simple.swift:29:18:29:25 | call to source() :  | simple.swift:29:13:29:25 | ... .&-(_:_:) ... | result |
+| simple.swift:30:13:30:25 | ... .&-(_:_:) ... | simple.swift:30:13:30:20 | call to source() :  | simple.swift:30:13:30:25 | ... .&-(_:_:) ... | result |
+| simple.swift:31:13:31:25 | ... .&*(_:_:) ... | simple.swift:31:18:31:25 | call to source() :  | simple.swift:31:13:31:25 | ... .&*(_:_:) ... | result |
+| simple.swift:32:13:32:25 | ... .&*(_:_:) ... | simple.swift:32:13:32:20 | call to source() :  | simple.swift:32:13:32:25 | ... .&*(_:_:) ... | result |
 | simple.swift:41:13:41:13 | a | simple.swift:40:8:40:15 | call to source() :  | simple.swift:41:13:41:13 | a | result |
 | simple.swift:43:13:43:13 | a | simple.swift:40:8:40:15 | call to source() :  | simple.swift:43:13:43:13 | a | result |
 | simple.swift:49:13:49:13 | b | simple.swift:48:8:48:15 | call to source() :  | simple.swift:49:13:49:13 | b | result |
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/simple.swift b/swift/ql/test/library-tests/dataflow/taint/core/simple.swift
@@ -24,12 +24,12 @@ func taintThroughArithmetic() {
 
   // overflow operators
 
-  sink(arg: 1 &+ source()) // $ MISSING: tainted=
-  sink(arg: source() &+ 1) // $ MISSING: tainted=
-  sink(arg: 1 &- source()) // $ MISSING: tainted=
-  sink(arg: source() &- 1) // $ MISSING: tainted=
-  sink(arg: 2 &* source()) // $ MISSING: tainted=
-  sink(arg: source() &* 2) // $ MISSING: tainted=
+  sink(arg: 1 &+ source()) // $ tainted=27
+  sink(arg: source() &+ 1) // $ tainted=28
+  sink(arg: 1 &- source()) // $ tainted=29
+  sink(arg: source() &- 1) // $ tainted=30
+  sink(arg: 2 &* source()) // $ tainted=31
+  sink(arg: source() &* 2) // $ tainted=32
 }
 
 func taintThroughAssignmentArithmetic() {
diff --git a/swift/ql/test/library-tests/elements/expr/arithmeticoperation/arithmeticoperation.expected b/swift/ql/test/library-tests/elements/expr/arithmeticoperation/arithmeticoperation.expected
@@ -5,3 +5,6 @@
 | arithmeticoperation.swift:10:6:10:10 | ... .%(_:_:) ... | BinaryArithmeticOperation, RemExpr |
 | arithmeticoperation.swift:11:6:11:7 | call to -(_:) | UnaryArithmeticOperation, UnaryMinusExpr |
 | arithmeticoperation.swift:12:6:12:7 | call to +(_:) | UnaryArithmeticOperation, UnaryPlusExpr |
+| arithmeticoperation.swift:15:8:15:13 | ... .&+(_:_:) ... | AddExpr, BinaryArithmeticOperation |
+| arithmeticoperation.swift:16:8:16:13 | ... .&-(_:_:) ... | BinaryArithmeticOperation, SubExpr |
+| arithmeticoperation.swift:17:8:17:13 | ... .&*(_:_:) ... | BinaryArithmeticOperation, MulExpr |
diff --git a/swift/ql/test/library-tests/elements/expr/arithmeticoperation/arithmeticoperation.swift b/swift/ql/test/library-tests/elements/expr/arithmeticoperation/arithmeticoperation.swift
@@ -12,7 +12,7 @@ func test(c: Bool, x: Int, y: Int, z: Int) {
 	v = +x;
 
    // arithmetic operations with overflow
-   v = x &+ y; // NOT DETECTED
-   v = x &- y; // NOT DETECTED
-   v = x &* y; // NOT DETECTED
+   v = x &+ y;
+   v = x &- y;
+   v = x &* y;
 }
