Implement IntegerOverflow package
#263
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Enable re-use of existing query by extracting out "InterestingBinaryOverflowingExpr" to a separate library.
Adds a query for finding unsigned integer wraparound, based on the `InterestingBinaryOverflowingExpr` class.
Adds a query to find div/rem by zero errors.
Implement Rule 12.4 by sharing a query with M5-19-1 for finding constant integer expressions that wrap around.
Constant binary expressions which are immediately casted to a signed type should not be excluded from this rule, because the "wrap" will still occur.
For the "constantintegerexpressionswraparound" query, exclude results in macros from third-party libraries which do not have any arguments, as they are (a) not controlled by the user (b) likely intended or false positives (such as UULONG_MAX).
Only applicable to unsigned operations
Adds a query to detect signed integer operation overflow/underflow. Initially this only supports add and subtract operations, and detects CERT recommended patterns of avoiding overflow/underflow.
Add support for `MulExpr`s to the overflow library.
Signed integer overflow and underflow is undefined behavior, and so, unlike unsigned wraparound, it's not valid to do so even in a guard condition.
Adds a query to detect conversions which could potentially lead to data loss. This covers both explicit/implicit casts, and also calls to functions which internal convert values.
Conversions to bool should be permitted because they are not "lossy".
Add query to find incorrect precision checks.
|
🤖 Beep Boop! Matrix Testing for this PR has been initiated. Please check back later for results. |
|
🤖 Beep Boop! qcc/cpp/AARCH64LE Matrix Testing for this PR won't happen because it is outside of license window! |
|
🤖 Beep Boop! qcc/c/AARCH64LE Matrix Testing for this PR won't happen because it is outside of license window! |
|
🤖 Beep Boop! gcc/cpp/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! clang/cpp/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! clang/c/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! gcc/c/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! Matrix Testing for this PR has been completed. If no reports were posted it means this PR does not contain things that need matrix testing! |
nicolaswill
requested changes
Mar 25, 2023
There was a problem hiding this comment.
The changes LGTM, but they also changed the behaviour of A4-7-1:
void test_addition_loop_bound(unsigned int base, unsigned int size) {
if (size > 0) {
int n = size - 1;
for (int i = 0; i < n; i++) {
base + i; // COMPLIANT - `i` is bounded
}
}
}A previous false-negative (not in that snippet) as well as the for loop in the snippet above and the statement within it are now included as results. The base + i result looks like a true positive to me: base is not bounded, so wrapping could occur. I believe that the for loop's condition prevents i from ever overflowing, so that result is a false-positive. Agreed?
I think there should also be short change note documenting the changes affecting A4-7-1.
Due to widening in loops, SimpleRangeAnalysis is overly cautious about crement operations in loop updates. This commit makes some small adjustments to identify "safe" crement operations that cannot overflow due to the bounding by the loop counters.
Add support for + and - guards related to checking operands relative to each other.
|
🤖 Beep Boop! Matrix Testing for this PR has been initiated. Please check back later for results. |
|
🤖 Beep Boop! qcc/cpp/AARCH64LE Matrix Testing for this PR won't happen because it is outside of license window! |
|
🤖 Beep Boop! qcc/c/AARCH64LE Matrix Testing for this PR won't happen because it is outside of license window! |
|
|
🤖 Beep Boop! gcc/cpp/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! clang/cpp/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! Matrix Testing for this PR has been initiated. Please check back later for results. |
|
🤖 Beep Boop! gcc/c/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! clang/c/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! Matrix Testing for this PR has been completed. If no reports were posted it means this PR does not contain things that need matrix testing! |
|
🤖 Beep Boop! qcc/cpp/AARCH64LE Matrix Testing for this PR won't happen because it is outside of license window! |
|
🤖 Beep Boop! qcc/c/AARCH64LE Matrix Testing for this PR won't happen because it is outside of license window! |
|
🤖 Beep Boop! clang/cpp/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! gcc/cpp/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! clang/c/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! gcc/c/X86_64 Matrix Testing for this PR has been completed. See below for the results! |
|
🤖 Beep Boop! Matrix Testing for this PR has been completed. If no reports were posted it means this PR does not contain things that need matrix testing! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR implements the
IntegerOverflowpackage. It mostly reuses concepts and code from previous work on C++ overflow queries, although notably it splits up the queryIntegerExpressionLeadToDataLoss.qlinto separate queries for (a) unsigned integer wrap (b) signed integer overflow/underflow, and adds a separate query for lossy integer conversions. We do this by adding a newOverflow.qlllibrary. Other notable changes include some limited support for multiplication, and greater detection of pre and post checks as specified by CERT-C.I have one further set of changes to make, which is to expand the
Overflow.qllto cover unary negation and div/rem. Other than that this is ready to go.Change request type
.ql,.qll,.qlsor unit tests)Rules with added or modified queries
INT30-CINT31-CINT32-CINT33-CINT35-CRule 12.4Release change checklist
A change note (development_handbook.md#change-notes) is required for any pull request which modifies:
If you are only adding new rule queries, a change note is not required.
Author: Is a change note required?
🚨🚨🚨
Reviewer: Confirm that format of shared queries (not the .qll file, the
.ql file that imports it) is valid by running them within VS Code.
Reviewer: Confirm that either a change note is not required or the change note is required and has been added.
Query development review checklist
For PRs that add new queries or modify existing queries, the following checklist should be completed by both the author and reviewer:
Author
As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
Reviewer
As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.