Finalize INT34-C

jeongsoolee09 · jeongsoolee09 · commit 907e1588b060 · 2023-03-23T17:41:59.000-07:00
diff --git a/c/cert/src/rules/INT34-C/ExprShiftedbyNegativeOrGreaterPrecisionOperand.ql b/c/cert/src/rules/INT34-C/ExprShiftedbyNegativeOrGreaterPrecisionOperand.ql
@@ -13,6 +13,7 @@
 import cpp
 import codingstandards.c.cert
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.ir.internal.ASTValueNumbering
 import semmle.code.cpp.controlflow.Guards
 
 /*
@@ -34,6 +35,21 @@ class PrecisionMacro extends Macro {
   PrecisionMacro() { this.getName().toLowerCase().matches("precision") }
 }
 
+class LiteralZero extends Literal {
+  LiteralZero() { this.getValue() = "0" }
+}
+
+class BitShiftExpr extends BinaryBitwiseOperation {
+  BitShiftExpr() {
+    this instanceof LShiftExpr or
+    this instanceof RShiftExpr
+  }
+
+  override string toString() {
+    if this instanceof LShiftExpr then result = "left-shift" else result = "right-shift"
+  }
+}
+
 int getPrecision(BuiltInType type) {
   type.(CharType).isExplicitlyUnsigned() and result = type.(CharType).getSize() * 8
   or
@@ -66,80 +82,53 @@ int getPrecision(BuiltInType type) {
   result = type.(LongLongType).getSize() * 8 - 1
 }
 
-predicate isForbiddenLShiftExpr(LShiftExpr binbitop, string message) {
+predicate isForbiddenShiftExpr(BitShiftExpr shift, string message) {
   (
     (
-      getPrecision(binbitop.getLeftOperand().getUnderlyingType()) <=
-        upperBound(binbitop.getRightOperand()) and
+      getPrecision(shift.getLeftOperand().getUnderlyingType()) <=
+        upperBound(shift.getRightOperand()) and
       message =
-        "The operand " + binbitop.getLeftOperand() + " is left-shifted by an expression " +
-          binbitop.getRightOperand() + " which is greater than or equal to in precision."
+        "The operand " + shift.getLeftOperand() + " is " + shift + "ed by an expression " +
+          shift.getRightOperand() + " which is greater than or equal to in precision."
       or
-      lowerBound(binbitop.getRightOperand()) < 0 and
+      lowerBound(shift.getRightOperand()) < 0 and
       message =
-        "The operand " + binbitop.getLeftOperand() + " is left-shifted by a negative expression " +
-          binbitop.getRightOperand() + "."
-    )
-    or
-    /* Check a guard condition protecting the shift statement: heuristic (not an iff query) */
-    exists(GuardCondition gc, BasicBlock block, Expr precisionCall |
-      block = binbitop.getBasicBlock() and
-      (
-        precisionCall.(FunctionCall).getTarget() instanceof PopCount
-        or
-        precisionCall = any(PrecisionMacro pm).getAnInvocation().getExpr()
-      )
-    |
-      /*
-       * Shift statement is at a basic block where
-       * `shift_rhs < PRECISION(...)` is ensured
-       */
-
-      not gc.ensuresLt(binbitop.getRightOperand(), precisionCall, 0, block, true)
+        "The operand " + shift.getLeftOperand() + " is " + shift + "ed by a negative expression " +
+          shift.getRightOperand() + "."
     ) and
-    message = "TODO"
-  )
-}
+    /*
+     * Shift statement is not at a basic block where
+     * `shift_rhs < PRECISION(...)` is ensured
+     */
 
-predicate isForbiddenRShiftExpr(RShiftExpr binbitop, string message) {
-  (
-    (
-      getPrecision(binbitop.getLeftOperand().getUnderlyingType()) <=
-        upperBound(binbitop.getRightOperand()) and
-      message =
-        "The operand " + binbitop.getLeftOperand() + " is right-shifted by an expression " +
-          binbitop.getRightOperand() + " which is greater than or equal to in precision."
-      or
-      lowerBound(binbitop.getRightOperand()) < 0 and
-      message =
-        "The operand " + binbitop.getLeftOperand() + " is right-shifted by a negative expression " +
-          binbitop.getRightOperand() + "."
-    )
-    or
-    /* Check a guard condition protecting the shift statement: heuristic (not an iff query) */
-    exists(GuardCondition gc, BasicBlock block, Expr precisionCall |
-      block = binbitop.getBasicBlock() and
+    not exists(GuardCondition gc, BasicBlock block, Expr precisionCall, Expr lTLhs |
+      block = shift.getBasicBlock() and
       (
         precisionCall.(FunctionCall).getTarget() instanceof PopCount
         or
         precisionCall = any(PrecisionMacro pm).getAnInvocation().getExpr()
       )
     |
-      /*
-       * Shift statement is at a basic block where
-       * `shift_rhs < PRECISION(...)` is ensured
-       */
-
-      not gc.ensuresLt(binbitop.getRightOperand(), precisionCall, 0, block, true)
+      globalValueNumber(lTLhs) = globalValueNumber(shift.getRightOperand()) and
+      gc.ensuresLt(lTLhs, precisionCall, 0, block, true)
     ) and
-    message = "TODO"
+    /*
+     * Shift statement is not at a basic block where
+     * `shift_rhs < 0` is ensured
+     */
+
+    not exists(GuardCondition gc, BasicBlock block, Expr literalZero, Expr lTLhs |
+      block = shift.getBasicBlock() and
+      literalZero instanceof LiteralZero
+    |
+      globalValueNumber(lTLhs) = globalValueNumber(shift.getRightOperand()) and
+      gc.ensuresLt(lTLhs, literalZero, 0, block, true)
+    )
   )
 }
 
 from BinaryBitwiseOperation badShift, string message
 where
   not isExcluded(badShift, TypesPackage::exprShiftedbyNegativeOrGreaterPrecisionOperandQuery()) and
-  isForbiddenLShiftExpr(badShift, message)
-  or
-  isForbiddenRShiftExpr(badShift, message)
+  isForbiddenShiftExpr(badShift, message)
 select badShift, message
