IntegerOverflow: Expand supported operations

 * Support unary operations (unary plus/minus)
 * Support arithmetic assign operations

Author: lcartey

c/cert/src/rules/INT30-C/UnsignedIntegerOperationsWrapAround.ql

@@ -19,17 +19,19 @@ import codingstandards.cpp.Overflow
 import semmle.code.cpp.controlflow.Guards
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
-/* TODO: review the table to restrict to only those operations that actually overflow */
-from InterestingBinaryOverflowingExpr bop
+from InterestingOverflowingOperation op
 where
-  not isExcluded(bop, IntegerOverflowPackage::unsignedIntegerOperationsWrapAroundQuery()) and
-  bop.getType().getUnderlyingType().(IntegralType).isUnsigned() and
+  not isExcluded(op, IntegerOverflowPackage::unsignedIntegerOperationsWrapAroundQuery()) and
+  op.getType().getUnderlyingType().(IntegralType).isUnsigned() and
   // Not within a guard condition
-  not exists(GuardCondition gc | gc.getAChild*() = bop) and
+  not exists(GuardCondition gc | gc.getAChild*() = op) and
   // Not guarded by a check, where the check is not an invalid overflow check
-  not bop.getAGuardingGVN() = globalValueNumber(bop.getAChild*()) and
+  not op.getAGuardingGVN() = globalValueNumber(op.getAChild*()) and
   // Is not checked after the operation
-  not bop.hasValidPostCheck()
-select bop,
-  "Binary expression ..." + bop.getOperator() + "... of type " + bop.getType().getUnderlyingType() +
-    " may wrap."
+  not op.hasValidPostCheck() and
+  // Permitted by exception 3
+  not op instanceof LShiftExpr and
+  // Permitted by exception 2 - zero case is handled in separate query
+  not op instanceof DivExpr
+select op,
+  "Operation " + op.getOperator() + " of type " + op.getType().getUnderlyingType() + " may wrap."

c/cert/src/rules/INT32-C/SignedIntegerOverflow.ql

@@ -18,15 +18,14 @@ import codingstandards.cpp.Overflow
 import semmle.code.cpp.controlflow.Guards
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
-/* TODO: review the table to restrict to only those operations that actually overflow */
-from InterestingBinaryOverflowingExpr bop
+from InterestingOverflowingOperation op
 where
-  not isExcluded(bop, IntegerOverflowPackage::signedIntegerOverflowQuery()) and
-  bop.getType().getUnderlyingType().(IntegralType).isSigned() and
+  not isExcluded(op, IntegerOverflowPackage::signedIntegerOverflowQuery()) and
+  op.getType().getUnderlyingType().(IntegralType).isSigned() and
   // Not checked before the operation
-  not bop.hasValidPreCheck() and
+  not op.hasValidPreCheck() and
   // Not guarded by a check, where the check is not an invalid overflow check
-  not bop.getAGuardingGVN() = globalValueNumber(bop.getAChild*())
-select bop,
-  "Binary expression ..." + bop.getOperator() + "... of type " + bop.getType().getUnderlyingType() +
+  not op.getAGuardingGVN() = globalValueNumber(op.getAChild*())
+select op,
+  "Operation " + op.getOperator() + " of type " + op.getType().getUnderlyingType() +
     " may overflow or underflow."

c/cert/test/rules/INT30-C/UnsignedIntegerOperationsWrapAround.expected

@@ -1,2 +1,4 @@
-| test.c:4:3:4:9 | ... + ... | Binary expression ...+... of type unsigned int may wrap. |
-| test.c:48:3:48:9 | ... - ... | Binary expression ...-... of type unsigned int may wrap. |
+| test.c:4:3:4:9 | ... + ... | Operation + of type unsigned int may wrap. |
+| test.c:5:3:5:10 | ... += ... | Operation += of type unsigned int may wrap. |
+| test.c:58:3:58:9 | ... - ... | Operation - of type unsigned int may wrap. |
+| test.c:59:3:59:10 | ... -= ... | Operation -= of type unsigned int may wrap. |

c/cert/test/rules/INT30-C/test.c

@@ -1,22 +1,25 @@
 #include <limits.h>
 
 void test_add_simple(unsigned int i1, unsigned int i2) {
-  i1 + i2; // NON_COMPLIANT - not bounds checked
+  i1 + i2;  // NON_COMPLIANT - not bounds checked
+  i1 += i2; // NON_COMPLIANT - not bounds checked
 }
 
 void test_add_precheck(unsigned int i1, unsigned int i2) {
   if (UINT_MAX - i1 < i2) {
     // handle error
   } else {
-    i1 + i2; // COMPLIANT - bounds checked
+    i1 + i2;  // COMPLIANT - bounds checked
+    i1 += i2; // COMPLIANT - bounds checked
   }
 }
 
 void test_add_precheck_2(unsigned int i1, unsigned int i2) {
   if (i1 + i2 < i1) {
     // handle error
   } else {
-    i1 + i2; // COMPLIANT - bounds checked
+    i1 + i2;  // COMPLIANT - bounds checked
+    i1 += i2; // COMPLIANT - bounds checked
   }
 }
 
@@ -25,16 +28,23 @@ void test_add_postcheck(unsigned int i1, unsigned int i2) {
   if (i3 < i1) {
     // handle error
   }
+  i1 += i2; // COMPLIANT - checked for overflow afterwards
+  if (i1 < i2) {
+    // handle error
+  }
 }
 
 void test_ex2(unsigned int i1, unsigned int i2) {
   unsigned int ci1 = 2;
   unsigned int ci2 = 3;
   ci1 + ci2;     // COMPLIANT, compile time constants
   i1 + 0;        // COMPLIANT
+  i1 += 0;       // COMPLIANT
   i1 - 0;        // COMPLIANT
+  i1 -= 0;       // COMPLIANT
   UINT_MAX - i1; // COMPLIANT - cannot be smaller than 0
   i1 * 1;        // COMPLIANT
+  i1 *= 1;       // COMPLIANT
   if (0 <= i1 && i1 < 32) {
     UINT_MAX >> i1; // COMPLIANT
   }
@@ -45,14 +55,16 @@ void test_ex3(unsigned int i1, unsigned int i2) {
 }
 
 void test_sub_simple(unsigned int i1, unsigned int i2) {
-  i1 - i2; // NON_COMPLIANT - not bounds checked
+  i1 - i2;  // NON_COMPLIANT - not bounds checked
+  i1 -= i2; // NON_COMPLIANT - not bounds checked
 }
 
 void test_sub_precheck(unsigned int i1, unsigned int i2) {
   if (i1 < i2) {
     // handle error
   } else {
-    i1 - i2; // COMPLIANT - bounds checked
+    i1 - i2;  // COMPLIANT - bounds checked
+    i1 -= i2; // COMPLIANT - bounds checked
   }
 }
 
@@ -61,4 +73,8 @@ void test_sub_postcheck(unsigned int i1, unsigned int i2) {
   if (i3 > i1) {
     // handle error
   }
+  i1 -= i2; // COMPLIANT - checked for wrap afterwards
+  if (i1 > i2) {
+    // handle error
+  }
 }

c/cert/test/rules/INT32-C/SignedIntegerOverflow.expected

@@ -1,7 +1,16 @@
-| test.c:6:3:6:9 | ... + ... | Binary expression ...+... of type int may overflow or underflow. |
-| test.c:20:7:20:13 | ... + ... | Binary expression ...+... of type int may overflow or underflow. |
-| test.c:23:5:23:11 | ... + ... | Binary expression ...+... of type int may overflow or underflow. |
-| test.c:28:19:28:25 | ... + ... | Binary expression ...+... of type int may overflow or underflow. |
-| test.c:36:3:36:9 | ... - ... | Binary expression ...-... of type int may overflow or underflow. |
-| test.c:49:19:49:25 | ... - ... | Binary expression ...-... of type int may overflow or underflow. |
-| test.c:56:3:56:8 | ... * ... | Binary expression ...*... of type int may overflow or underflow. |
+| test.c:6:3:6:9 | ... + ... | Operation + of type int may overflow or underflow. |
+| test.c:7:3:7:10 | ... += ... | Operation += of type signed int may overflow or underflow. |
+| test.c:22:7:22:13 | ... + ... | Operation + of type int may overflow or underflow. |
+| test.c:25:5:25:11 | ... + ... | Operation + of type int may overflow or underflow. |
+| test.c:26:5:26:12 | ... += ... | Operation += of type signed int may overflow or underflow. |
+| test.c:31:19:31:25 | ... + ... | Operation + of type int may overflow or underflow. |
+| test.c:36:3:36:10 | ... += ... | Operation += of type signed int may overflow or underflow. |
+| test.c:43:3:43:9 | ... - ... | Operation - of type int may overflow or underflow. |
+| test.c:44:3:44:10 | ... -= ... | Operation -= of type signed int may overflow or underflow. |
+| test.c:58:19:58:25 | ... - ... | Operation - of type int may overflow or underflow. |
+| test.c:62:3:62:10 | ... -= ... | Operation -= of type signed int may overflow or underflow. |
+| test.c:69:3:69:8 | ... * ... | Operation * of type int may overflow or underflow. |
+| test.c:70:3:70:10 | ... *= ... | Operation *= of type signed int may overflow or underflow. |
+| test.c:153:3:153:10 | ... << ... | Operation << of type signed int may overflow or underflow. |
+| test.c:154:3:154:11 | ... <<= ... | Operation <<= of type signed int may overflow or underflow. |
+| test.c:173:3:173:5 | - ... | Operation - of type signed int may overflow or underflow. |

c/cert/test/rules/INT32-C/test.c

@@ -3,7 +3,8 @@
 #include <stdint.h>
 
 void test_add_simple(signed int i1, signed int i2) {
-  i1 + i2; // NON_COMPLIANT - not bounds checked
+  i1 + i2;  // NON_COMPLIANT - not bounds checked
+  i1 += i2; // NON_COMPLIANT - not bounds checked
 }
 
 void test_add_precheck(signed int i1, signed int i2) {
@@ -12,15 +13,17 @@ void test_add_precheck(signed int i1, signed int i2) {
       ((i2 < 0) && (i1 < (INT_MIN - i2)))) {
     // handle error
   } else {
-    i1 + i2; // COMPLIANT - bounds appropriately checked
+    i1 + i2;  // COMPLIANT - bounds appropriately checked
+    i1 += i2; // COMPLIANT - bounds appropriately checked
   }
 }
 
 void test_add_precheck_2(signed int i1, signed int i2) {
   if (i1 + i2 < i1) { // NON_COMPLIANT - bad overflow check - undefined behavior
     // handle error
   } else {
-    i1 + i2; // NON_COMPLIANT
+    i1 + i2;  // NON_COMPLIANT
+    i1 += i2; // NON_COMPLIANT
   }
 }
 
@@ -30,18 +33,24 @@ void test_add_postcheck(signed int i1, signed int i2) {
   if (i3 < i1) {
     // handle error
   }
+  i1 += i2; // NON_COMPLIANT
+  if (i1 < i2) {
+    // handle error
+  }
 }
 
 void test_sub_simple(signed int i1, signed int i2) {
-  i1 - i2; // NON_COMPLIANT - not bounds checked
+  i1 - i2;  // NON_COMPLIANT - not bounds checked
+  i1 -= i2; // NON_COMPLIANT - not bounds checked
 }
 
 void test_sub_precheck(signed int i1, signed int i2) {
   // Style recomended by CERT
   if ((i2 > 0 && i1 < INT_MIN + i2) || (i2 < 0 && i1 > INT_MAX + i2)) {
     // handle error
   } else {
-    i1 - i2; // COMPLIANT - bounds checked
+    i1 - i2;  // COMPLIANT - bounds checked
+    i1 -= i2; // COMPLIANT - bounds checked
   }
 }
 
@@ -50,10 +59,15 @@ void test_sub_postcheck(signed int i1, signed int i2) {
   if (i3 > i1) {
     // handle error
   }
+  i1 -= i2; // NON_COMPLIANT - underflow is undefined behavior.
+  if (i1 > i2) {
+    // handle error
+  }
 }
 
 void test_mul_simple(signed int i1, signed int i2) {
-  i1 *i2; // NON_COMPLIANT
+  i1 *i2;   // NON_COMPLIANT
+  i1 *= i2; // NON_COMPLIANT
 }
 
 void test_mul_precheck(signed int i1, signed int i2) {
@@ -66,6 +80,7 @@ void test_mul_precheck(signed int i1, signed int i2) {
   } else {
     i1 *i2; // COMPLIANT - checked
     result = (signed int)tmp;
+    i1 *= i2; // COMPLIANT - checked
   }
 }
 
@@ -94,43 +109,49 @@ void test_mul_precheck_2(signed int i1, signed int i2) {
       }
     }
   }
-  i1 *i2; // COMPLIANT
+  i1 *i2;   // COMPLIANT
+  i1 *= i2; // COMPLIANT
 }
 
 void test_simple_div(signed int i1, signed int i2) {
   if (i2 == 0) {
     // handle error
   } else {
-    i1 / i2; // NON_COMPLIANT
+    i1 / i2;  // NON_COMPLIANT
+    i1 /= i2; // NON_COMPLIANT
   }
 }
 
 void test_div_precheck(signed int i1, signed int i2) {
   if ((i2 == 0) || ((i1 == LONG_MIN) && (i2 == -1))) {
     /* Handle error */
   } else {
-    i1 / i2; // COMPLIANT
+    i1 / i2;  // COMPLIANT
+    i1 /= i2; // COMPLIANT
   }
 }
 
 void test_simple_rem(signed int i1, signed int i2) {
   if (i2 == 0) {
     // handle error
   } else {
-    i1 % i2; // NON_COMPLIANT
+    i1 % i2;  // NON_COMPLIANT
+    i1 %= i2; // NON_COMPLIANT
   }
 }
 
 void test_rem_precheck(signed int i1, signed int i2) {
   if ((i2 == 0) || ((i1 == LONG_MIN) && (i2 == -1))) {
     /* Handle error */
   } else {
-    i1 % i2; // COMPLIANT
+    i1 % i2;  // COMPLIANT
+    i1 %= i2; // COMPLIANT
   }
 }
 
 void test_simple_left_shift(signed int i1, signed int i2) {
-  i1 << i2; // NON_COMPLIANT
+  i1 << i2;  // NON_COMPLIANT
+  i1 <<= i2; // NON_COMPLIANT
 }
 
 /* Returns the number of set bits */
@@ -143,7 +164,8 @@ void test_left_shift_precheck(signed int i1, signed int i2) {
       (i1 > (INT_MAX >> i2))) {
     // handle error
   } else {
-    i1 << i2; // COMPLIANT
+    i1 << i2;  // COMPLIANT
+    i1 <<= i2; // COMPLIANT
   }
 }
 

cpp/autosar/src/rules/A4-7-1/IntegerExpressionLeadToDataLoss.ql

@@ -19,13 +19,15 @@ import codingstandards.cpp.Overflow
 import semmle.code.cpp.controlflow.Guards
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
-from InterestingBinaryOverflowingExpr e
+from InterestingOverflowingOperation e
 where
   not isExcluded(e, IntegerConversionPackage::integerExpressionLeadToDataLossQuery()) and
   // Not within a guard condition
   not exists(GuardCondition gc | gc.getAChild*() = e) and
   // Not guarded by a check, where the check is not an invalid overflow check
   not e.getAGuardingGVN() = globalValueNumber(e.getAChild*()) and
   // Covered by `IntMultToLong.ql` instead
-  not e instanceof MulExpr
+  not e instanceof MulExpr and
+  // Not covered by this query - overflow/underflow in division is rare
+  not e instanceof DivExpr
 select e, "Binary expression ..." + e.getOperator() + "... may overflow."