Removed integerOverflowOptimization checking and merged functionality into invalidTestForOverflow

Author: danmar

lib/checkcondition.cpp

@@ -39,6 +39,7 @@
 #include <utility>
 
 // CWE ids used
+static const struct CWE uncheckedErrorConditionCWE(391U);
 static const struct CWE CWE398(398U);   // Indicator of Poor Code Quality
 static const struct CWE CWE570(570U);   // Expression is Always False
 static const struct CWE CWE571(571U);   // Expression is Always True
@@ -1494,63 +1495,103 @@ void CheckCondition::alwaysTrueFalseError(const Token *tok, const ValueFlow::Val
 
 void CheckCondition::checkInvalidTestForOverflow()
 {
+    // Interesting blogs:
+    // https://www.airs.com/blog/archives/120
+    // https://kristerw.blogspot.com/2016/02/how-undefined-signed-overflow-enables.html
+    // https://research.checkpoint.com/2020/optout-compiler-undefined-behavior-optimizations/
+
+    // x + c < x       ->   false
+    // x + c <= x      ->   false
+    // x + c > x       ->   true
+    // x + c >= x      ->   true
+
+    // x + y < x       ->   y < 0
+
+
     if (!mSettings->isEnabled(Settings::WARNING))
         return;
 
-    const SymbolDatabase *symbolDatabase = mTokenizer->getSymbolDatabase();
-    for (const Scope * scope : symbolDatabase->functionScopes) {
+    for (const Token *tok = mTokenizer->tokens(); tok; tok = tok->next()) {
+        if (!Token::Match(tok, "<|<=|>=|>") || !tok->isBinaryOp())
+            continue;
 
-        for (const Token* tok = scope->bodyStart; tok != scope->bodyEnd; tok = tok->next()) {
-            if (!tok->isComparisonOp() || !tok->astOperand1() || !tok->astOperand2())
-                continue;
+        const Token *lhsTokens[2] = {tok->astOperand1(), tok->astOperand2()};
+        for (const Token *lhs: lhsTokens) {
+            std::string cmp = tok->str();
+            if (lhs == tok->astOperand2())
+                cmp[0] = (cmp[0] == '<') ? '>' : '<';
 
-            const Token *calcToken, *exprToken;
-            bool result;
-            if (Token::Match(tok, "<|>=") && tok->astOperand1()->str() == "+") {
-                calcToken = tok->astOperand1();
-                exprToken = tok->astOperand2();
-                result = (tok->str() == ">=");
-            } else if (Token::Match(tok, ">|<=") && tok->astOperand2()->str() == "+") {
-                calcToken = tok->astOperand2();
-                exprToken = tok->astOperand1();
-                result = (tok->str() == "<=");
-            } else
+            if (!Token::Match(lhs, "[+-]") || !lhs->isBinaryOp())
                 continue;
 
-            // Only warn for signed integer overflows and pointer overflows.
-            if (!(calcToken->valueType() && (calcToken->valueType()->pointer || calcToken->valueType()->sign == ValueType::Sign::SIGNED)))
-                continue;
-            if (!(exprToken->valueType() && (exprToken->valueType()->pointer || exprToken->valueType()->sign == ValueType::Sign::SIGNED)))
+            const bool isSignedInteger = lhs->valueType() && lhs->valueType()->isIntegral() && lhs->valueType()->sign == ValueType::Sign::SIGNED;
+            const bool isPointer = lhs->valueType() && lhs->valueType()->pointer > 0;
+            if (!isSignedInteger && !isPointer)
                 continue;
 
-            const Token *termToken;
-            if (isSameExpression(mTokenizer->isCPP(), true, exprToken, calcToken->astOperand1(), mSettings->library, true, false))
-                termToken = calcToken->astOperand2();
-            else if (isSameExpression(mTokenizer->isCPP(), true, exprToken, calcToken->astOperand2(), mSettings->library, true, false))
-                termToken = calcToken->astOperand1();
-            else
-                continue;
+            const Token *exprTokens[2] = {lhs->astOperand1(), lhs->astOperand2()};
+            for (const Token *expr: exprTokens) {
+                if (lhs->str() == "-" && expr == lhs->astOperand2())
+                    continue; // TODO?
 
-            if (!termToken)
-                continue;
+                if (expr->hasKnownIntValue())
+                    continue;
+
+                if (!isSameExpression(mTokenizer->isCPP(),
+                                      true,
+                                      expr,
+                                      lhs->astSibling(),
+                                      mSettings->library,
+                                      true,
+                                      false))
+                    continue;
+
+                const Token * const other = expr->astSibling();
+
+                // x [+-] c cmp x
+                if ((other->isNumber() && other->getKnownIntValue() > 0) ||
+                    (!other->isNumber() && other->valueType() && other->valueType()->isIntegral() && other->valueType()->sign == ValueType::Sign::UNSIGNED)) {
+                    bool result;
+                    if (lhs->str() == "+")
+                        result = (cmp == ">" || cmp == ">=");
+                    else
+                        result = (cmp == "<" || cmp == "<=");
+                    invalidTestForOverflow(tok, lhs->valueType(), result ? "true" : "false");
+                    continue;
+                }
 
-            // Only warn when termToken is always positive
-            if (termToken->valueType() && termToken->valueType()->sign == ValueType::Sign::UNSIGNED)
-                invalidTestForOverflow(tok, result);
-            else if (termToken->isNumber() && MathLib::isPositive(termToken->str()))
-                invalidTestForOverflow(tok, result);
+                // x + y cmp x
+                if (lhs->str() == "+" && other->varId() > 0) {
+                    const std::string result = other->str() + cmp + "0";
+                    invalidTestForOverflow(tok, lhs->valueType(), result);
+                    continue;
+                }
+
+                // x - y cmp x
+                if (lhs->str() == "-" && other->varId() > 0) {
+                    std::string cmp2 = cmp;
+                    cmp2[0] = (cmp[0] == '<') ? '>' : '<';
+                    const std::string result = other->str() + cmp2 + "0";
+                    invalidTestForOverflow(tok, lhs->valueType(), result);
+                    continue;
+                }
+            }
         }
     }
 }
 
-void CheckCondition::invalidTestForOverflow(const Token* tok, bool result)
+void CheckCondition::invalidTestForOverflow(const Token* tok, const ValueType *valueType, const std::string &replace)
 {
-    const std::string errmsg = "Invalid test for overflow '" +
-                               (tok ? tok->expressionString() : std::string("x + u < x")) +
-                               "'. Condition is always " +
-                               std::string(result ? "true" : "false") +
-                               " unless there is overflow, and overflow is undefined behaviour.";
-    reportError(tok, Severity::warning, "invalidTestForOverflow", errmsg, (result ? CWE571 : CWE570), false);
+    const std::string expr = (tok ? tok->expressionString() : std::string("x + c < x"));
+    const std::string overflow = (valueType && valueType->pointer) ? "pointer overflow" : "signed integer overflow";
+
+    std::string errmsg =
+        "Invalid test for overflow '" +  expr + "'; " + overflow + " is undefined behavior.";
+    if (replace == "false" || replace == "true")
+        errmsg += " Some mainstream compilers remove such overflow tests when optimising the code and assume it's always " + replace + ".";
+    else
+        errmsg += " Some mainstream compilers removes handling of overflows when optimising the code and change the code to '" + replace + "'.";
+    reportError(tok, Severity::warning, "invalidTestForOverflow", errmsg, uncheckedErrorConditionCWE, false);
 }
 
 

lib/checkcondition.h

@@ -35,6 +35,7 @@ class Settings;
 class Token;
 class Tokenizer;
 class ErrorLogger;
+class ValueType;
 
 /// @addtogroup Checks
 /// @{
@@ -155,7 +156,7 @@ class CPPCHECKLIB CheckCondition : public Check {
 
     void alwaysTrueFalseError(const Token *tok, const ValueFlow::Value *value);
 
-    void invalidTestForOverflow(const Token* tok, bool result);
+    void invalidTestForOverflow(const Token* tok, const ValueType *valueType, const std::string &replace);
     void pointerAdditionResultNotNullError(const Token *tok, const Token *calc);
 
     void duplicateConditionalAssignError(const Token *condTok, const Token* assignTok);
@@ -179,7 +180,7 @@ class CPPCHECKLIB CheckCondition : public Check {
         c.moduloAlwaysTrueFalseError(nullptr, "1");
         c.clarifyConditionError(nullptr, true, false);
         c.alwaysTrueFalseError(nullptr, nullptr);
-        c.invalidTestForOverflow(nullptr, false);
+        c.invalidTestForOverflow(nullptr, nullptr, "false");
         c.pointerAdditionResultNotNullError(nullptr, nullptr);
         c.duplicateConditionalAssignError(nullptr, nullptr);
     }
@@ -202,7 +203,7 @@ class CPPCHECKLIB CheckCondition : public Check {
                "- Mutual exclusion over || always evaluating to true\n"
                "- Comparisons of modulo results that are always true/false.\n"
                "- Known variable values => condition is always true/false\n"
-               "- Invalid test for overflow (for example 'ptr+u < ptr'). Condition is always false unless there is overflow, and overflow is undefined behaviour.\n";
+               "- Invalid test for overflow. Some mainstream compilers remove such overflow tests when optimising code.\n";
     }
 };
 /// @}

lib/checktype.cpp

@@ -223,97 +223,6 @@ void CheckType::integerOverflowError(const Token *tok, const ValueFlow::Value &v
                 value.isInconclusive());
 }
 
-//---------------------------------------------------------------------------------
-// Checking for code patterns that might be optimised differently by the compilers
-//---------------------------------------------------------------------------------
-
-void CheckType::checkIntegerOverflowOptimisations()
-{
-    // Interesting blogs:
-    // https://www.airs.com/blog/archives/120
-    // https://kristerw.blogspot.com/2016/02/how-undefined-signed-overflow-enables.html
-    // https://research.checkpoint.com/2020/optout-compiler-undefined-behavior-optimizations/
-
-    // x + c < x       ->   false
-    // x + c <= x      ->   false
-    // x + c > x       ->   true
-    // x + c >= x      ->   true
-
-    // x + y < x       ->   y < 0
-
-
-    if (!mSettings->isEnabled(Settings::PORTABILITY))
-        return;
-
-    for (const Token *tok = mTokenizer->tokens(); tok; tok = tok->next()) {
-        if (!Token::Match(tok, "<|<=|>=|>") || !tok->isBinaryOp())
-            continue;
-
-        const Token *lhsTokens[2] = {tok->astOperand1(), tok->astOperand2()};
-        for (const Token *lhs: lhsTokens) {
-            std::string cmp = tok->str();
-            if (lhs == tok->astOperand2())
-                cmp[0] = (cmp[0] == '<') ? '>' : '<';
-
-            if (!Token::Match(lhs, "[+-]") || !lhs->isBinaryOp() || !lhs->valueType() || !lhs->valueType()->isIntegral() || lhs->valueType()->sign != ValueType::Sign::SIGNED)
-                continue;
-
-            const Token *exprTokens[2] = {lhs->astOperand1(), lhs->astOperand2()};
-            for (const Token *expr: exprTokens) {
-                if (lhs->str() == "-" && expr == lhs->astOperand2())
-                    continue; // TODO?
-
-                if (expr->hasKnownIntValue())
-                    continue;
-
-                if (!isSameExpression(mTokenizer->isCPP(),
-                                      false,
-                                      expr,
-                                      lhs->astSibling(),
-                                      mSettings->library,
-                                      false,
-                                      false))
-                    continue;
-
-                const Token * const other = expr->astSibling();
-
-                // x [+-] c cmp x
-                if (other->isNumber() && other->getKnownIntValue() > 0) {
-                    bool result;
-                    if (lhs->str() == "+")
-                        result = (cmp == ">" || cmp == ">=");
-                    else
-                        result = (cmp == "<" || cmp == "<=");
-                    integerOverflowOptimisationError(tok, result ? "true" : "false");
-                }
-
-                // x + y cmp x
-                if (lhs->str() == "+" && other->varId() > 0) {
-                    const std::string result = other->str() + cmp + "0";
-                    integerOverflowOptimisationError(tok, result);
-                }
-
-                // x - y cmp x
-                if (lhs->str() == "-" && other->varId() > 0) {
-                    std::string cmp2 = cmp;
-                    cmp2[0] = (cmp[0] == '<') ? '>' : '<';
-                    const std::string result = other->str() + cmp2 + "0";
-                    integerOverflowOptimisationError(tok, result);
-                }
-            }
-        }
-    }
-}
-
-void CheckType::integerOverflowOptimisationError(const Token *tok, const std::string &replace)
-{
-    const std::string expr = tok ? tok->expressionString() : "x+c<x";
-    const std::string errmsg =
-        "There is a danger that '" + expr + "' will be optimised into '" + replace + "'. Signed integer overflow is undefined behavior.\n"
-        "There is a danger that '" + expr + "' will be optimised into '" + replace + "'. Your code could work differently depending on what compiler/flags/version/etc is used. Signed integer overflow is undefined behavior and assuming that it will never happen; the result of '" + expr + "' is always '" + replace + "'.";
-    reportError(tok, Severity::portability, "integerOverflowOptimization", errmsg, CWE190, false);
-}
-
 //---------------------------------------------------------------------------
 // Checking for sign conversion when operand can be negative
 //---------------------------------------------------------------------------

lib/checktype.h

@@ -54,7 +54,6 @@ class CPPCHECKLIB CheckType : public Check {
         CheckType checkType(tokenizer, settings, errorLogger);
         checkType.checkTooBigBitwiseShift();
         checkType.checkIntegerOverflow();
-        checkType.checkIntegerOverflowOptimisations();
         checkType.checkSignConversion();
         checkType.checkLongCast();
         checkType.checkFloatToIntegerOverflow();
@@ -66,9 +65,6 @@ class CPPCHECKLIB CheckType : public Check {
     /** @brief %Check for integer overflow */
     void checkIntegerOverflow();
 
-    /** @brief Check for overflow code patterns that will be optimized */
-    void checkIntegerOverflowOptimisations();
-
     /** @brief %Check for dangerous sign conversion */
     void checkSignConversion();
 
@@ -85,7 +81,6 @@ class CPPCHECKLIB CheckType : public Check {
     void tooBigBitwiseShiftError(const Token *tok, int lhsbits, const ValueFlow::Value &rhsbits);
     void tooBigSignedBitwiseShiftError(const Token *tok, int lhsbits, const ValueFlow::Value &rhsbits);
     void integerOverflowError(const Token *tok, const ValueFlow::Value &value);
-    void integerOverflowOptimisationError(const Token *tok, const std::string &replace);
     void signConversionError(const Token *tok, const ValueFlow::Value *negativeValue, const bool constvalue);
     void longCastAssignError(const Token *tok);
     void longCastReturnError(const Token *tok);
@@ -113,7 +108,6 @@ class CPPCHECKLIB CheckType : public Check {
         return "Type checks\n"
                "- bitwise shift by too many bits (only enabled when --platform is used)\n"
                "- signed integer overflow (only enabled when --platform is used)\n"
-               "- expression that can be optimised 'out' because signed integer overflow is undefined behavior.\n"
                "- dangerous sign conversion, when signed value can be negative\n"
                "- possible loss of information when assigning int result to long variable\n"
                "- possible loss of information when returning int result as long return value\n"