Widening/dedupe fixes, plus math lib support

Author: MichaelRFairhurst

c/misra/src/rules/DIR-4-15/PossibleMisuseOfUndetectedInfinity.ql

@@ -51,9 +51,6 @@ module InvalidInfinityUsage implements DataFlow::ConfigSig {
       e.getType() instanceof IntegralType and
       e = node.asConvertedExpr()
     )
-    or
-    // Sinks are places where Infinity produce a finite value
-    isSink(node)
   }
 
   /**
@@ -81,7 +78,9 @@ module InvalidInfinityUsage implements DataFlow::ConfigSig {
       or
       // Unanalyzable expressions are not checked against range analysis, which assumes a finite
       // range.
-      not RestrictedRangeAnalysis::analyzableExpr(node.asExpr())
+      not RestrictedRangeAnalysis::canBoundExpr(node.asExpr())
+      or
+      node.asExpr().(VariableAccess).getTarget() instanceof Parameter
     )
   }
 }
@@ -124,6 +123,7 @@ from
 where
   elem = MacroUnwrapper<Expr>::unwrapElement(sink.getNode().asExpr()) and
   not InvalidInfinityFlow::PathGraph::edges(_, source, _, _) and
+  not InvalidInfinityFlow::PathGraph::edges(sink, _, _, _) and
   not isExcluded(elem, FloatingTypes2Package::possibleMisuseOfUndetectedInfinityQuery()) and
   not sourceExpr.isFromTemplateInstantiation(_) and
   not usage.asExpr().isFromTemplateInstantiation(_) and

c/misra/src/rules/DIR-4-15/PossibleMisuseOfUndetectedNaN.ql

@@ -23,8 +23,73 @@ import semmle.code.cpp.dataflow.new.DataFlow
 import semmle.code.cpp.dataflow.new.TaintTracking
 import semmle.code.cpp.controlflow.Dominance
 
+bindingset[name]
+Function getMathVariants(string name) { result.hasGlobalOrStdName([name, name + "f", name + "l"]) }
+
+predicate hasDomainError(FunctionCall fc, string description) {
+  exists(Function functionWithDomainError | fc.getTarget() = functionWithDomainError |
+    functionWithDomainError = [getMathVariants(["acos", "asin", "atanh"])] and
+    not (
+      RestrictedRangeAnalysis::upperBound(fc.getArgument(0)) <= 1.0 and
+      RestrictedRangeAnalysis::lowerBound(fc.getArgument(0)) >= -1.0
+    ) and
+    description =
+      "the argument has a range " + RestrictedRangeAnalysis::lowerBound(fc.getArgument(0)) + "..." +
+        RestrictedRangeAnalysis::upperBound(fc.getArgument(0)) + " which is outside the domain of this function (-1.0...1.0)"
+    or
+    functionWithDomainError = getMathVariants(["atan2", "pow"]) and
+    (
+      exprMayEqualZero(fc.getArgument(0)) and
+      exprMayEqualZero(fc.getArgument(1)) and
+      description = "both arguments are equal to zero"
+    )
+    or
+    functionWithDomainError = getMathVariants("pow") and
+    (
+      RestrictedRangeAnalysis::upperBound(fc.getArgument(0)) < 0.0 and
+      RestrictedRangeAnalysis::upperBound(fc.getArgument(1)) < 0.0 and
+      description = "both arguments are less than zero"
+    )
+    or
+    functionWithDomainError = getMathVariants("acosh") and
+    RestrictedRangeAnalysis::upperBound(fc.getArgument(0)) < 1.0 and
+    description = "argument is less than 1"
+    or
+    //pole error is the same as domain for logb and tgamma (but not ilogb - no pole error exists)
+    functionWithDomainError = getMathVariants(["ilogb", "logb", "tgamma"]) and
+    exprMayEqualZero(fc.getArgument(0)) and
+    description = "argument is equal to zero"
+    or
+    functionWithDomainError = getMathVariants(["log", "log10", "log2", "sqrt"]) and
+    RestrictedRangeAnalysis::upperBound(fc.getArgument(0)) < 0.0 and
+    description = "argument is negative"
+    or
+    functionWithDomainError = getMathVariants("log1p") and
+    RestrictedRangeAnalysis::upperBound(fc.getArgument(0)) < -1.0 and
+    description = "argument is less than 1"
+    or
+    functionWithDomainError = getMathVariants("fmod") and
+    exprMayEqualZero(fc.getArgument(1)) and
+    description = "y is 0"
+  )
+}
+
+abstract class PotentiallyNaNExpr extends Expr {
+  abstract string getReason();
+}
+
+class DomainErrorFunctionCall extends FunctionCall, PotentiallyNaNExpr {
+  string reason;
+
+  DomainErrorFunctionCall() {
+    hasDomainError(this, reason)
+  }
+
+  override string getReason() { result = reason }
+}
+
 // IEEE 754-1985 Section 7.1 invalid operations
-class InvalidOperationExpr extends BinaryOperation {
+class InvalidOperationExpr extends BinaryOperation, PotentiallyNaNExpr {
   string reason;
 
   InvalidOperationExpr() {
@@ -85,7 +150,7 @@ class InvalidOperationExpr extends BinaryOperation {
     )
   }
 
-  string getReason() { result = reason }
+  override string getReason() { result = reason }
 }
 
 module InvalidNaNUsage implements DataFlow::ConfigSig {
@@ -104,7 +169,7 @@ module InvalidNaNUsage implements DataFlow::ConfigSig {
    * An expression which may produce a NaN output.
    */
   additional predicate potentialSource(DataFlow::Node node) {
-    node.asExpr() instanceof InvalidOperationExpr
+    node.asExpr() instanceof PotentiallyNaNExpr
   }
 
   predicate isBarrierOut(DataFlow::Node node) {
@@ -173,13 +238,14 @@ from
   InvalidNaNUsage usage, Expr sourceExpr, string sourceString, Element extra, string extraString
 where
   not InvalidNaNFlow::PathGraph::edges(_, source, _, _) and
+  not InvalidNaNFlow::PathGraph::edges(sink, _, _, _) and
   not sourceExpr.isFromTemplateInstantiation(_) and
   not usage.asExpr().isFromTemplateInstantiation(_) and
   elem = MacroUnwrapper<Expr>::unwrapElement(sink.getNode().asExpr()) and
   usage = sink.getNode() and
   sourceExpr = source.getNode().asExpr() and
     sourceString =
-      " (" + source.getNode().asExpr().(InvalidOperationExpr).getReason() + ")" and
+      " (" + source.getNode().asExpr().(PotentiallyNaNExpr).getReason() + ")" and
   InvalidNaNFlow::flow(source.getNode(), usage) and
   (
     if not sourceExpr.getEnclosingFunction() = usage.asExpr().getEnclosingFunction()

c/misra/test/rules/DIR-4-15/PossibleMisuseOfUndetectedInfinity.expected

@@ -21,6 +21,21 @@ edges
 | test.c:77:15:77:21 | ... / ... | test.c:114:16:114:23 | l12 | provenance |  |
 | test.c:77:15:77:21 | ... / ... | test.c:117:23:117:30 | l12 | provenance |  |
 | test.c:77:15:77:21 | ... / ... | test.c:120:20:120:27 | l12 | provenance |  |
+| test.c:175:22:175:22 | p | test.c:175:27:175:32 | p | provenance |  |
+| test.c:183:34:183:34 | p | test.c:185:13:185:18 | p | provenance |  |
+| test.c:189:32:189:32 | p | test.c:189:47:189:59 | ... + ... | provenance | Config |
+| test.c:189:47:189:59 | ... + ... | test.c:175:22:175:22 | p | provenance |  |
+| test.c:189:47:189:59 | ... + ... | test.c:175:22:175:22 | p | provenance |  |
+| test.c:189:51:189:59 | ... / ... | test.c:189:47:189:59 | ... + ... | provenance | Config |
+| test.c:193:13:194:15 | ... / ... | test.c:175:22:175:22 | p | provenance |  |
+| test.c:200:25:200:33 | ... / ... | test.c:183:34:183:34 | p | provenance |  |
+| test.c:204:19:204:27 | ... / ... | test.c:204:19:204:27 | ... / ... | provenance |  |
+| test.c:204:19:204:27 | ... / ... | test.c:206:21:206:31 | ... + ... | provenance | Config |
+| test.c:206:21:206:31 | ... + ... | test.c:206:21:206:31 | ... + ... | provenance |  |
+| test.c:206:21:206:31 | ... + ... | test.c:208:13:208:21 | middleInf | provenance |  |
+| test.c:206:21:206:31 | ... + ... | test.c:210:23:210:31 | middleInf | provenance |  |
+| test.c:208:13:208:21 | middleInf | test.c:175:22:175:22 | p | provenance |  |
+| test.c:210:23:210:31 | middleInf | test.c:189:32:189:32 | p | provenance |  |
 nodes
 | test.c:8:14:8:20 | ... / ... | semmle.label | ... / ... |
 | test.c:8:14:8:20 | ... / ... | semmle.label | ... / ... |
@@ -51,29 +66,48 @@ nodes
 | test.c:114:16:114:23 | l12 | semmle.label | l12 |
 | test.c:117:23:117:30 | l12 | semmle.label | l12 |
 | test.c:120:20:120:27 | l12 | semmle.label | l12 |
+| test.c:163:3:164:16 | ... / ... | semmle.label | ... / ... |
+| test.c:175:22:175:22 | p | semmle.label | p |
+| test.c:175:27:175:32 | p | semmle.label | p |
+| test.c:183:34:183:34 | p | semmle.label | p |
+| test.c:185:13:185:18 | p | semmle.label | p |
+| test.c:189:32:189:32 | p | semmle.label | p |
+| test.c:189:47:189:59 | ... + ... | semmle.label | ... + ... |
+| test.c:189:47:189:59 | ... + ... | semmle.label | ... + ... |
+| test.c:189:51:189:59 | ... / ... | semmle.label | ... / ... |
+| test.c:193:13:194:15 | ... / ... | semmle.label | ... / ... |
+| test.c:200:25:200:33 | ... / ... | semmle.label | ... / ... |
+| test.c:204:19:204:27 | ... / ... | semmle.label | ... / ... |
+| test.c:204:19:204:27 | ... / ... | semmle.label | ... / ... |
+| test.c:206:21:206:31 | ... + ... | semmle.label | ... + ... |
+| test.c:206:21:206:31 | ... + ... | semmle.label | ... + ... |
+| test.c:208:13:208:21 | middleInf | semmle.label | middleInf |
+| test.c:210:23:210:31 | middleInf | semmle.label | middleInf |
 subpaths
 #select
-| test.c:12:8:12:9 | l2 | test.c:8:14:8:20 | ... / ... | test.c:12:8:12:9 | l2 | Invalid usage of possible $@. | test.c:8:14:8:20 | ... / ... | infinity |
-| test.c:13:8:13:9 | l3 | test.c:8:14:8:20 | ... / ... | test.c:13:8:13:9 | l3 | Invalid usage of possible $@. | test.c:8:14:8:20 | ... / ... | infinity |
-| test.c:13:8:13:9 | l3 | test.c:9:14:9:16 | - ... | test.c:13:8:13:9 | l3 | Invalid usage of possible $@. | test.c:9:14:9:16 | - ... | infinity |
-| test.c:18:8:18:9 | l2 | test.c:8:14:8:20 | ... / ... | test.c:18:3:18:9 | l2 | Invalid usage of possible $@. | test.c:8:14:8:20 | ... / ... | infinity |
-| test.c:19:8:19:9 | l3 | test.c:8:14:8:20 | ... / ... | test.c:19:3:19:9 | l3 | Invalid usage of possible $@. | test.c:8:14:8:20 | ... / ... | infinity |
-| test.c:19:8:19:9 | l3 | test.c:9:14:9:16 | - ... | test.c:19:3:19:9 | l3 | Invalid usage of possible $@. | test.c:9:14:9:16 | - ... | infinity |
-| test.c:27:19:27:20 | l2 | test.c:8:14:8:20 | ... / ... | test.c:27:19:27:20 | l2 | Invalid usage of possible $@. | test.c:8:14:8:20 | ... / ... | infinity |
-| test.c:28:19:28:20 | l3 | test.c:8:14:8:20 | ... / ... | test.c:28:19:28:20 | l3 | Invalid usage of possible $@. | test.c:8:14:8:20 | ... / ... | infinity |
-| test.c:28:19:28:20 | l3 | test.c:9:14:9:16 | - ... | test.c:28:19:28:20 | l3 | Invalid usage of possible $@. | test.c:9:14:9:16 | - ... | infinity |
-| test.c:38:8:38:9 | l7 | test.c:31:14:32:15 | ... / ... | test.c:38:3:38:9 | l7 | Invalid usage of possible $@. | test.c:31:14:32:15 | ... / ... | infinity |
-| test.c:61:11:61:17 | ... / ... | test.c:61:5:61:18 | ... / ... | test.c:61:5:61:18 | ... / ... | Invalid usage of possible $@. | test.c:61:5:61:18 | ... / ... | infinity |
-| test.c:66:11:66:19 | ... / ... | test.c:66:5:66:20 | ... / ... | test.c:66:5:66:20 | ... / ... | Invalid usage of possible $@. | test.c:66:5:66:20 | ... / ... | infinity |
-| test.c:72:20:72:28 | ... / ... | test.c:72:14:72:29 | ... / ... | test.c:72:14:72:29 | ... / ... | Invalid usage of possible $@. | test.c:72:14:72:29 | ... / ... | infinity |
-| test.c:75:24:75:32 | ... / ... | test.c:75:18:75:33 | ... / ... | test.c:75:18:75:33 | ... / ... | Invalid usage of possible $@. | test.c:75:18:75:33 | ... / ... | infinity |
-| test.c:79:10:79:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:79:5:79:12 | l12 | Invalid usage of possible $@. | test.c:77:15:77:21 | ... / ... | infinity |
-| test.c:87:10:87:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:87:5:87:12 | l12 | Invalid usage of possible $@. | test.c:77:15:77:21 | ... / ... | infinity |
-| test.c:91:10:91:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:91:5:91:12 | l12 | Invalid usage of possible $@. | test.c:77:15:77:21 | ... / ... | infinity |
-| test.c:93:10:93:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:93:5:93:12 | l12 | Invalid usage of possible $@. | test.c:77:15:77:21 | ... / ... | infinity |
-| test.c:99:10:99:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:99:5:99:12 | l12 | Invalid usage of possible $@. | test.c:77:15:77:21 | ... / ... | infinity |
-| test.c:105:10:105:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:105:5:105:12 | l12 | Invalid usage of possible $@. | test.c:77:15:77:21 | ... / ... | infinity |
-| test.c:111:10:111:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:111:5:111:12 | l12 | Invalid usage of possible $@. | test.c:77:15:77:21 | ... / ... | infinity |
-| test.c:114:21:114:23 | l12 | test.c:77:15:77:21 | ... / ... | test.c:114:16:114:23 | l12 | Invalid usage of possible $@. | test.c:77:15:77:21 | ... / ... | infinity |
-| test.c:117:28:117:30 | l12 | test.c:77:15:77:21 | ... / ... | test.c:117:23:117:30 | l12 | Invalid usage of possible $@. | test.c:77:15:77:21 | ... / ... | infinity |
-| test.c:120:25:120:27 | l12 | test.c:77:15:77:21 | ... / ... | test.c:120:20:120:27 | l12 | Invalid usage of possible $@. | test.c:77:15:77:21 | ... / ... | infinity |
+| test.c:12:8:12:9 | l2 | test.c:8:14:8:20 | ... / ... | test.c:12:8:12:9 | l2 | Division operation may silently underflow and produce zero, as the divisor $@. | test.c:8:14:8:20 | ... / ... | may be an infinite float value from division by zero |
+| test.c:13:8:13:9 | l3 | test.c:8:14:8:20 | ... / ... | test.c:13:8:13:9 | l3 | Division operation may silently underflow and produce zero, as the divisor $@. | test.c:8:14:8:20 | ... / ... | may be an infinite float value from division by zero |
+| test.c:18:8:18:9 | l2 | test.c:8:14:8:20 | ... / ... | test.c:18:3:18:9 | l2 | $@ casted to integer. | test.c:8:14:8:20 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:19:8:19:9 | l3 | test.c:8:14:8:20 | ... / ... | test.c:19:3:19:9 | l3 | $@ casted to integer. | test.c:8:14:8:20 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:27:19:27:20 | l2 | test.c:8:14:8:20 | ... / ... | test.c:27:19:27:20 | l2 | Division operation may silently underflow and produce zero, as the divisor $@. | test.c:8:14:8:20 | ... / ... | may be an infinite float value from division by zero |
+| test.c:28:19:28:20 | l3 | test.c:8:14:8:20 | ... / ... | test.c:28:19:28:20 | l3 | Division operation may silently underflow and produce zero, as the divisor $@. | test.c:8:14:8:20 | ... / ... | may be an infinite float value from division by zero |
+| test.c:38:8:38:9 | l7 | test.c:31:14:32:15 | ... / ... | test.c:38:3:38:9 | l7 | $@ casted to integer. | test.c:31:14:32:15 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:61:11:61:17 | ... / ... | test.c:61:5:61:18 | ... / ... | test.c:61:5:61:18 | ... / ... | $@ casted to integer. | test.c:61:11:61:17 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:66:11:66:19 | ... / ... | test.c:66:5:66:20 | ... / ... | test.c:66:5:66:20 | ... / ... | $@ casted to integer. | test.c:66:11:66:19 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:72:20:72:28 | ... / ... | test.c:72:14:72:29 | ... / ... | test.c:72:14:72:29 | ... / ... | $@ casted to integer. | test.c:72:20:72:28 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:75:24:75:32 | ... / ... | test.c:75:18:75:33 | ... / ... | test.c:75:18:75:33 | ... / ... | $@ casted to integer. | test.c:75:24:75:32 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:79:10:79:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:79:5:79:12 | l12 | $@ casted to integer. | test.c:77:15:77:21 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:87:10:87:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:87:5:87:12 | l12 | $@ casted to integer. | test.c:77:15:77:21 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:91:10:91:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:91:5:91:12 | l12 | $@ casted to integer. | test.c:77:15:77:21 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:93:10:93:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:93:5:93:12 | l12 | $@ casted to integer. | test.c:77:15:77:21 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:99:10:99:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:99:5:99:12 | l12 | $@ casted to integer. | test.c:77:15:77:21 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:105:10:105:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:105:5:105:12 | l12 | $@ casted to integer. | test.c:77:15:77:21 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:111:10:111:12 | l12 | test.c:77:15:77:21 | ... / ... | test.c:111:5:111:12 | l12 | $@ casted to integer. | test.c:77:15:77:21 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:114:21:114:23 | l12 | test.c:77:15:77:21 | ... / ... | test.c:114:16:114:23 | l12 | $@ casted to integer. | test.c:77:15:77:21 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:117:28:117:30 | l12 | test.c:77:15:77:21 | ... / ... | test.c:117:23:117:30 | l12 | $@ casted to integer. | test.c:77:15:77:21 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:120:25:120:27 | l12 | test.c:77:15:77:21 | ... / ... | test.c:120:20:120:27 | l12 | $@ casted to integer. | test.c:77:15:77:21 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:163:9:164:15 | ... / ... | test.c:163:3:164:16 | ... / ... | test.c:163:3:164:16 | ... / ... | $@ casted to integer. | test.c:163:9:164:15 | ... / ... | Possibly infinite float value from division by zero |
+| test.c:175:32:175:32 | p | test.c:189:51:189:59 | ... / ... | test.c:175:27:175:32 | p | $@ casted to integer. | test.c:189:6:189:24 | addInfThenCastToInt | Possibly infinite float value computed in function addInfThenCastToInt |
+| test.c:175:32:175:32 | p | test.c:193:13:194:15 | ... / ... | test.c:175:27:175:32 | p | $@ casted to integer. | test.c:192:6:192:7 | f2 | Possibly infinite float value computed in function f2 |
+| test.c:175:32:175:32 | p | test.c:204:19:204:27 | ... / ... | test.c:175:27:175:32 | p | $@ casted to integer. | test.c:192:6:192:7 | f2 | Possibly infinite float value computed in function f2 |
+| test.c:185:18:185:18 | p | test.c:200:25:200:33 | ... / ... | test.c:185:13:185:18 | p | $@ casted to integer. | test.c:192:6:192:7 | f2 | Possibly infinite float value computed in function f2 |