Java: Account for additional constants in ArrayIndexOutOfBounds query.

aschackmull · aschackmull · commit 2d6d8aaa74ba · 2023-02-03T16:16:39.000+01:00
diff --git a/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql b/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql
@@ -44,6 +44,15 @@ predicate boundedArrayAccess(ArrayAccess aa, int k) {
       )
     )
   )
+  or
+  exists(Field arr, Expr index, int delta, int arrlen |
+    aa.getIndexExpr() = index and
+    aa.getArray() = arr.getAnAccess() and
+    bounded(index, any(ZeroBound z), delta, true, _) and
+    arr.isFinal() and
+    arr.getInitializer().(ArrayCreationExpr).getFirstDimensionSize() = arrlen and
+    k = delta - arrlen
+  )
 }
 
 /**
diff --git a/java/ql/test/query-tests/RangeAnalysis/A.java b/java/ql/test/query-tests/RangeAnalysis/A.java
@@ -204,4 +204,11 @@ static int m16() {
       A.arr1[RandomUtils.nextInt(0, arr1.length + 1)] + // BAD: random int may be out of range
       A.arr1[RandomUtils.nextInt(0, arr1.length)]; // GOOD: random int must be in range
   }
+
+  int m17() {
+    return this.arr2[(new Random()).nextInt(arr2.length + 1)] +  // BAD: random int may be out of range
+      this.arr2[(new Random()).nextInt(arr2.length)] + // GOOD: random int must be in range
+      this.arr2[RandomUtils.nextInt(0, arr2.length + 1)] + // BAD: random int may be out of range
+      this.arr2[RandomUtils.nextInt(0, arr2.length)]; // GOOD: random int must be in range
+  }
 }
diff --git a/java/ql/test/query-tests/RangeAnalysis/ArrayIndexOutOfBounds.expected b/java/ql/test/query-tests/RangeAnalysis/ArrayIndexOutOfBounds.expected
@@ -14,3 +14,5 @@
 | A.java:195:9:195:13 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
 | A.java:202:12:202:58 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
 | A.java:204:7:204:53 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
+| A.java:209:12:209:61 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
+| A.java:211:7:211:56 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,15 @@ predicate boundedArrayAccess(ArrayAccess aa, int k) {`
`44`	`44`	`)`
`45`	`45`	`)`
`46`	`46`	`)`
	`47`	`+ or`
	`48`	`+ exists(Field arr, Expr index, int delta, int arrlen \|`
	`49`	`+ aa.getIndexExpr() = index and`
	`50`	`+ aa.getArray() = arr.getAnAccess() and`
	`51`	`+ bounded(index, any(ZeroBound z), delta, true, _) and`
	`52`	`+ arr.isFinal() and`
	`53`	`+ arr.getInitializer().(ArrayCreationExpr).getFirstDimensionSize() = arrlen and`
	`54`	`+ k = delta - arrlen`
	`55`	`+ )`
`47`	`56`	`}`
`48`	`57`
`49`	`58`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -204,4 +204,11 @@ static int m16() {`
`204`	`204`	`A.arr1[RandomUtils.nextInt(0, arr1.length + 1)] + // BAD: random int may be out of range`
`205`	`205`	`A.arr1[RandomUtils.nextInt(0, arr1.length)]; // GOOD: random int must be in range`
`206`	`206`	`}`
	`207`	`+`
	`208`	`+ int m17() {`
	`209`	`+ return this.arr2[(new Random()).nextInt(arr2.length + 1)] + // BAD: random int may be out of range`
	`210`	`+ this.arr2[(new Random()).nextInt(arr2.length)] + // GOOD: random int must be in range`
	`211`	`+ this.arr2[RandomUtils.nextInt(0, arr2.length + 1)] + // BAD: random int may be out of range`
	`212`	`+ this.arr2[RandomUtils.nextInt(0, arr2.length)]; // GOOD: random int must be in range`
	`213`	`+ }`
`207`	`214`	`}`