C++: Range analysis: support casts from/to typedef

Author: jbj

cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll

@@ -205,10 +205,12 @@ predicate linearAccessImpl(Expr expr, VariableAccess v, float p, float q) {
     expr = unaryPlusExpr)
   or
   // (larger_type)(p*v+q) == p*v + q
-  exists (Cast cast
+  exists (Cast cast, ArithmeticType sourceType, ArithmeticType targetType
   | linearAccess(cast.getExpr(), v, p, q) and
-    typeLowerBound(cast.getType()) <= typeLowerBound(cast.getExpr().getType()) and
-    typeUpperBound(cast.getType()) >= typeUpperBound(cast.getExpr().getType()) and
+    sourceType = cast.getExpr().getType().getUnspecifiedType() and
+    targetType = cast.getType().getUnspecifiedType() and
+    typeLowerBound(targetType) <= typeLowerBound(sourceType) and
+    typeUpperBound(targetType) >= typeUpperBound(sourceType) and
     expr = cast)
   or
   // (p*v+q) == p*v + q
@@ -282,14 +284,14 @@ predicate cmpWithLinearBound(
 }
 
 /**
- * Holds if `lb` and `ub` are the lower and upper bounds of type `t`
- * respectively.
+ * Holds if `lb` and `ub` are the lower and upper bounds of the unspecified
+ * type `t`.
  *
  * For example, if `t` is a signed 32-bit type then holds if `lb` is
  * `-2^31` and `ub` is `2^31 - 1`.
  */
 private
-predicate typeBounds(Type t, float lb, float ub) {
+predicate typeBounds(ArithmeticType t, float lb, float ub) {
   exists (IntegralType integralType, float limit
   | integralType = t and limit = 2.pow(8 * integralType.getSize())
   | if integralType instanceof BoolType
@@ -303,22 +305,22 @@ predicate typeBounds(Type t, float lb, float ub) {
 }
 
 /**
- * Gets the lower bound for type `t`.
+ * Gets the lower bound for the unspecified type `t`.
  *
  * For example, if `t` is a signed 32-bit type then the result is
  * `-2^31`.
  */
-float typeLowerBound(Type t) {
+float typeLowerBound(ArithmeticType t) {
   typeBounds(t, result, _)
 }
 
 /**
- * Gets the upper bound for type `t`.
+ * Gets the upper bound for the unspecified type `t`.
  *
  * For example, if `t` is a signed 32-bit type then the result is
  * `2^31 - 1`.
  */
-float typeUpperBound(Type t) {
+float typeUpperBound(ArithmeticType t) {
   typeBounds(t, _, result)
 }
 

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c

@@ -270,7 +270,7 @@ typedef unsigned char u8;
 
 int widening_cast1(u8 c) {
   if (c == 0) {
-    if ((int)c > 0) { // BAD [NOT DETECTED]
+    if ((int)c > 0) { // BAD
       return 1;
     }
   }
@@ -280,7 +280,7 @@ int widening_cast1(u8 c) {
 int widening_cast2(u8 c) {
   if (c <= 10)
     return -1;
-  else if ((c >= 11) /* BAD [NOT DETECTED] */ && (c <= 47))
+  else if ((c >= 11) /* BAD */ && (c <= 47))
     return 0;
   else
     return 1;

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.expected

@@ -33,5 +33,7 @@
 | PointlessComparison.c:197:7:197:11 | ... < ... | Comparison is always false because x >= 0. |
 | PointlessComparison.c:210:6:210:10 | ... < ... | Comparison is always false because e >= 0. |
 | PointlessComparison.c:264:12:264:22 | ... >= ... | Comparison is always true because dbl >= 0 and -0 >= - .... |
+| PointlessComparison.c:273:9:273:18 | ... > ... | Comparison is always false because c <= 0. |
+| PointlessComparison.c:283:13:283:19 | ... >= ... | Comparison is always true because c >= 11. |
 | RegressionTests.cpp:57:7:57:22 | ... <= ... | Comparison is always true because * ... <= 4294967295. |
 | Templates.cpp:9:10:9:24 | ... <= ... | Comparison is always true because local <= 32767. |