coder-chenzhi
diff --git a/‎cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
Lines changed: 102 additions & 16 deletions b/‎cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
Lines changed: 102 additions & 16 deletions
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
Lines changed: 15 additions & 0 deletions b/‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
Lines changed: 15 additions & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/ComparisonWithWiderType.qlref renamed to ‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.qlref b/‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/ComparisonWithWiderType.qlref renamed to ‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.qlref
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c
Lines changed: 147 additions & 0 deletions b/‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c
Lines changed: 147 additions & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/test2.c renamed to ‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test2.c b/‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/test2.c renamed to ‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test2.c
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/ComparisonWithWiderType.expected
Lines changed: 0 additions & 4 deletions b/‎cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/wider_type/ComparisonWithWiderType.expected
Lines changed: 0 additions & 4 deletions
@@ -118,36 +118,79 @@ private string getValue(Expr e) {
     )
 }
 
+/**
+ * A bitwise `&` expression in which both operands are unsigned, or are effectively
+ * unsigned due to being a non-negative constant.
+ */
+private class UnsignedBitwiseAndExpr extends BitwiseAndExpr {
+  UnsignedBitwiseAndExpr() {
+    (
+      getLeftOperand().getFullyConverted().getType().getUnderlyingType().(IntegralType).isUnsigned() or
+      getLeftOperand().getFullyConverted().getValue().toInt() >= 0
+    ) and
+    (
+      getRightOperand()
+          .getFullyConverted()
+          .getType()
+          .getUnderlyingType()
+          .(IntegralType)
+          .isUnsigned() or
+      getRightOperand().getFullyConverted().getValue().toInt() >= 0
+    )
+  }
+}
+
 /** Set of expressions which we know how to analyze. */
 private predicate analyzableExpr(Expr e) {
   // The type of the expression must be arithmetic. We reuse the logic in
   // `exprMinVal` to check this.
   exists(exprMinVal(e)) and
   (
-    exists(getValue(e).toFloat()) or
-    e instanceof UnaryPlusExpr or
-    e instanceof UnaryMinusExpr or
-    e instanceof MinExpr or
-    e instanceof MaxExpr or
-    e instanceof ConditionalExpr or
-    e instanceof AddExpr or
-    e instanceof SubExpr or
-    e instanceof AssignExpr or
-    e instanceof AssignAddExpr or
-    e instanceof AssignSubExpr or
-    e instanceof CrementOperation or
-    e instanceof RemExpr or
-    e instanceof CommaExpr or
-    e instanceof StmtExpr or
+    exists(getValue(e).toFloat())
+    or
+    e instanceof UnaryPlusExpr
+    or
+    e instanceof UnaryMinusExpr
+    or
+    e instanceof MinExpr
+    or
+    e instanceof MaxExpr
+    or
+    e instanceof ConditionalExpr
+    or
+    e instanceof AddExpr
+    or
+    e instanceof SubExpr
+    or
+    e instanceof AssignExpr
+    or
+    e instanceof AssignAddExpr
+    or
+    e instanceof AssignSubExpr
+    or
+    e instanceof CrementOperation
+    or
+    e instanceof RemExpr
+    or
+    e instanceof CommaExpr
+    or
+    e instanceof StmtExpr
+    or
     // A conversion is analyzable, provided that its child has an arithmetic
     // type. (Sometimes the child is a reference type, and so does not get
     // any bounds.) Rather than checking whether the type of the child is
     // arithmetic, we reuse the logic that is already encoded in
     // `exprMinVal`.
-    exists(exprMinVal(e.(Conversion).getExpr())) or
+    exists(exprMinVal(e.(Conversion).getExpr()))
+    or
     // Also allow variable accesses, provided that they have SSA
     // information.
     exists(RangeSsaDefinition def, StackVariable v | e = def.getAUse(v))
+    or
+    e instanceof UnsignedBitwiseAndExpr
+    or
+    // `>>` by a constant
+    exists(e.(RShiftExpr).getRightOperand().getValue())
   )
 }
 
@@ -245,6 +288,19 @@ private predicate exprDependsOnDef(Expr e, RangeSsaDefinition srcDef, StackVaria
   or
   exists(Conversion convExpr | e = convExpr | exprDependsOnDef(convExpr.getExpr(), srcDef, srcVar))
   or
+  // unsigned `&`
+  exists(UnsignedBitwiseAndExpr andExpr |
+    andExpr = e and
+    exprDependsOnDef(andExpr.getAnOperand(), srcDef, srcVar)
+  )
+  or
+  // `>>` by a constant
+  exists(RShiftExpr rs |
+    rs = e and
+    exists(rs.getRightOperand().getValue()) and
+    exprDependsOnDef(rs.getLeftOperand(), srcDef, srcVar)
+  )
+  or
   e = srcDef.getAUse(srcVar)
 }
 
@@ -641,6 +697,20 @@ private float getLowerBoundsImpl(Expr expr) {
   exists(RangeSsaDefinition def, StackVariable v | expr = def.getAUse(v) |
     result = getDefLowerBounds(def, v)
   )
+  or
+  // unsigned `&` (tighter bounds may exist)
+  exists(UnsignedBitwiseAndExpr andExpr |
+    andExpr = expr and
+    result = 0.0
+  )
+  or
+  // `>>` by a constant
+  exists(RShiftExpr rsExpr, float left, int right |
+    rsExpr = expr and
+    left = getFullyConvertedLowerBounds(rsExpr.getLeftOperand()) and
+    right = rsExpr.getRightOperand().getValue().toInt() and
+    result = left / 2.pow(right)
+  )
 }
 
 /** Only to be called by `getTruncatedUpperBounds`. */
@@ -794,6 +864,22 @@ private float getUpperBoundsImpl(Expr expr) {
   exists(RangeSsaDefinition def, StackVariable v | expr = def.getAUse(v) |
     result = getDefUpperBounds(def, v)
   )
+  or
+  // unsigned `&` (tighter bounds may exist)
+  exists(UnsignedBitwiseAndExpr andExpr, float left, float right |
+    andExpr = expr and
+    left = getFullyConvertedUpperBounds(andExpr.getLeftOperand()) and
+    right = getFullyConvertedUpperBounds(andExpr.getRightOperand()) and
+    result = left.minimum(right)
+  )
+  or
+  // `>>` by a constant
+  exists(RShiftExpr rsExpr, float left, int right |
+    rsExpr = expr and
+    left = getFullyConvertedUpperBounds(rsExpr.getLeftOperand()) and
+    right = rsExpr.getRightOperand().getValue().toInt() and
+    result = left / 2.pow(right)
+  )
 }
 
 /**
 
@@ -0,0 +1,15 @@
+| test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
+| test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
+| test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |
+| test.c:65:14:65:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:64:8:64:8 | s | s | test.c:63:17:63:17 | x | x |
+| test.c:87:14:87:18 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:84:15:84:15 | x | x |
+| test.c:91:14:91:23 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test.c:83:16:83:16 | c | c | test.c:91:18:91:23 | 65280 | 65280 |
+| test.c:93:14:93:25 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test.c:83:16:83:16 | c | c | test.c:93:18:93:25 | 16711680 | 16711680 |
+| test.c:95:14:95:27 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:95:18:95:27 | 4278190080 | 4278190080 |
+| test.c:99:14:99:29 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:99:19:99:28 | ... & ... | ... & ... |
+| test.c:101:14:101:31 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:101:19:101:30 | ... & ... | ... & ... |
+| test.c:103:14:103:33 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:103:19:103:32 | ... & ... | ... & ... |
+| test.c:105:14:105:25 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:105:19:105:24 | ... >> ... | ... >> ... |
+| test.c:107:14:107:26 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:107:19:107:25 | ... >> ... | ... >> ... |
+| test.c:128:15:128:21 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:121:16:121:17 | uc | uc | test.c:123:19:123:20 | sz | sz |
+| test.c:139:15:139:21 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:121:16:121:17 | uc | uc | test.c:123:19:123:20 | sz | sz |
@@ -0,0 +1,147 @@
+
+void test1 (int x) {
+	char c;
+	for (c = 0; c < x; c++) {} //BAD
+}
+
+void test2 (int x) {
+	char c;
+	for (c = 0; x > c; c++) {} // BAD
+}
+
+void test3 (int x) {
+	short s;
+	for (s = 0; s < x; s++) {} //BAD
+}
+
+void runner() { // get range analysis to give large values to x in tests
+	test1(65536);
+	test2(65536);
+	test3(655360);
+	test7((unsigned long long)1<<48);
+	test8(65536);
+	test9(65536);
+	test10(65536);
+
+}
+
+void test4 () {
+	short s1;
+	short s2 = 200;
+	for (s1 = 0;  s1 < s2; s1++) {}
+}
+
+void test5 () {
+	short s1;
+	int x = 65536;
+	s1 < x;
+}
+
+void test6() {
+	short  s1;
+	for (s1 = 0; s1 < 0x0000ffff; s1++) {}
+}
+
+void test7(long long l) {
+	int i;
+	for (i = 0; i < l; i++) {}
+}
+
+void test8(int x) {
+	short s;
+	for (s = 256; s < x; x--) {}
+}
+
+
+void test9(int x) {
+	short s;
+	for (s = 256; s < x; ) {
+		x--;
+	}
+}
+
+void test10(int x) {
+	short s;
+	for (s = 0; s < x; ) { // BAD
+		do
+		{
+			s++;
+		} while (0);
+	}
+}
+
+extern const int const256;
+
+void test11() {
+	short s;
+	for(s = 0; s < const256; ++s) {}
+}
+
+unsigned int get_a_uint();
+
+void test12() {
+	unsigned char c;
+	unsigned int x;
+
+	x = get_a_uint();
+	for (c = 0; c < x; c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < 0xFF; c++) {} // GOOD
+	x = get_a_uint();
+	for (c = 0; c < 0xFF00; c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < 0xFF0000; c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < 0xFF000000; c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x & 0xFF); c++) {} // GOOD
+	x = get_a_uint();
+	for (c = 0; c < (x & 0xFF00); c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x & 0xFF0000); c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x & 0xFF000000); c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x >> 8); c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x >> 16); c++) {} // BAD
+	x = get_a_uint();
+	for (c = 0; c < (x >> 24); c++) {} // GOOD (assuming 32-bit ints)
+	x = get_a_uint();
+	for (c = 0; c < ((x & 0xFF00) >> 8); c++) {} // GOOD
+	x = get_a_uint();
+	for (c = 0; c < ((x & 0xFF0000) >> 16); c++) {} // GOOD
+	x = get_a_uint();
+	for (c = 0; c < ((x & 0xFF000000) >> 24); c++) {} // GOOD
+}
+
+int get_an_int();
+
+void test13() {
+	unsigned char uc;
+	int sx, sy;
+	unsigned ux, uy, sz;
+
+	ux = get_a_uint();
+	uy = get_a_uint();
+	sz = ux & uy;
+	for (uc = 0; uc < sz; uc++) {} // BAD
+
+	ux = get_a_uint();
+	uy = get_a_uint();
+	if (ux > 128) {ux = 128;}
+	sz = ux & uy;
+	for (uc = 0; uc < sz; uc++) {} // GOOD
+
+	sx = get_an_int();
+	sy = get_an_int();
+	sz = (unsigned)sx & (unsigned)sy;
+	for (uc = 0; uc < sz; uc++) {} // BAD
+
+	sx = get_an_int();
+	sy = get_an_int();
+	if (sx < 0) {sx = 0;}
+	if (sx > 128) {sx = 128;}
+	sz = (unsigned)sx & (unsigned)sy;
+	for (uc = 0; uc < sz; uc++) {} // GOOD
+}