C++: Improve bounds from inequalities on integers

paldepind · paldepind · commit c4f9212db26a · 2025-10-05T11:57:58.000+02:00
diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -1397,6 +1397,20 @@ predicate nonNanGuardedVariable(Expr guard, VariableAccess v, boolean branch) {
   nanExcludingComparison(guard, branch)
 }
 
+/**
+ * Adjusts a lower bound to its meaning for integral types.
+ *
+ * Examples:
+ * `>= 3.0` becomes `3.0`
+ * ` > 3.0` becomes `4.0`
+ * `>= 3.5` becomes `4.0`
+ * ` > 3.5` becomes `4.0`
+ */
+bindingset[strictness, lb]
+private float adjustLowerBoundIntegral(RelationStrictness strictness, float lb) {
+  if strictness = Nonstrict() and lb.floor() = lb then result = lb else result = safeFloor(lb) + 1
+}
+
 /**
  * If the guard is a comparison of the form `p*v + q <CMP> r`, then this
  * predicate uses the bounds information for `r` to compute a lower bound
@@ -1408,15 +1422,27 @@ private predicate lowerBoundFromGuard(Expr guard, VariableAccess v, float lb, bo
   |
     if nonNanGuardedVariable(guard, v, branch)
     then
-      if
-        strictness = Nonstrict() or
-        not getVariableRangeType(v.getTarget()) instanceof IntegralType
-      then lb = childLB
-      else lb = childLB + 1
+      if getVariableRangeType(v.getTarget()) instanceof IntegralType
+      then lb = adjustLowerBoundIntegral(strictness, childLB)
+      else lb = childLB
     else lb = varMinVal(v.getTarget())
   )
 }
 
+/**
+ * Adjusts an upper bound to its meaning for integral types.
+ *
+ * Examples:
+ * `<= 3.0` becomes `3.0`
+ * ` < 3.0` becomes `2.0`
+ * `<= 3.5` becomes `3.0`
+ * ` < 3.5` becomes `3.0`
+ */
+bindingset[strictness, ub]
+private float adjustUpperBoundIntegral(RelationStrictness strictness, float ub) {
+  if strictness = Strict() and ub.floor() = ub then result = ub - 1 else result = safeFloor(ub)
+}
+
 /**
  * If the guard is a comparison of the form `p*v + q <CMP> r`, then this
  * predicate uses the bounds information for `r` to compute a upper bound
@@ -1428,11 +1454,9 @@ private predicate upperBoundFromGuard(Expr guard, VariableAccess v, float ub, bo
   |
     if nonNanGuardedVariable(guard, v, branch)
     then
-      if
-        strictness = Nonstrict() or
-        not getVariableRangeType(v.getTarget()) instanceof IntegralType
-      then ub = childUB
-      else ub = childUB - 1
+      if getVariableRangeType(v.getTarget()) instanceof IntegralType
+      then ub = adjustUpperBoundIntegral(strictness, childUB)
+      else ub = childUB
     else ub = varMaxVal(v.getTarget())
   )
 }
@@ -1472,7 +1496,7 @@ private predicate boundFromGuard(
  * lower or upper bound for `v`.
  */
 private predicate linearBoundFromGuard(
-  ComparisonOperation guard, VariableAccess v, float p, float q, float boundValue,
+  ComparisonOperation guard, VariableAccess v, float p, float q, float r,
   boolean isLowerBound, // Is this a lower or an upper bound?
   RelationStrictness strictness, boolean branch // Which control-flow branch is this bound valid on?
 ) {
@@ -1487,11 +1511,11 @@ private predicate linearBoundFromGuard(
   |
     isLowerBound = directionIsGreater(dir) and
     strictness = st and
-    getBounds(rhs, boundValue, isLowerBound)
+    getBounds(rhs, r, isLowerBound)
     or
     isLowerBound = directionIsLesser(dir) and
     strictness = Nonstrict() and
-    exprTypeBounds(rhs, boundValue, isLowerBound)
+    exprTypeBounds(rhs, r, isLowerBound)
   )
   or
   // For x == RHS, we create the following bounds:
@@ -1502,7 +1526,7 @@ private predicate linearBoundFromGuard(
   exists(Expr lhs, Expr rhs |
     linearAccess(lhs, v, p, q) and
     eqOpWithSwapAndNegate(guard, lhs, rhs, true, branch) and
-    getBounds(rhs, boundValue, isLowerBound) and
+    getBounds(rhs, r, isLowerBound) and
     strictness = Nonstrict()
   )
   // x != RHS and !x are handled elsewhere
diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected
@@ -351,19 +351,19 @@
 | test.c:330:14:330:14 | r | -2147483648 |
 | test.c:333:10:333:14 | total | -2147483648 |
 | test.c:338:27:338:27 | e | 0 |
-| test.c:338:40:338:40 | e | 0.5 |
+| test.c:338:40:338:40 | e | 0 |
 | test.c:339:25:339:25 | e | 0 |
 | test.c:339:39:339:39 | e | 0 |
 | test.c:340:27:340:27 | e | 0 |
-| test.c:340:40:340:40 | e | 0.333333 |
+| test.c:340:40:340:40 | e | 0 |
 | test.c:341:27:341:27 | e | 0 |
-| test.c:341:40:341:40 | e | 0.5 |
+| test.c:341:40:341:40 | e | 0 |
 | test.c:342:27:342:27 | e | 0 |
-| test.c:342:41:342:41 | e | 8.5 |
-| test.c:344:10:344:12 | bi1 | 0.5 |
+| test.c:342:41:342:41 | e | 8 |
+| test.c:344:10:344:12 | bi1 | 0 |
 | test.c:344:16:344:18 | bi2 | 0 |
-| test.c:344:22:344:24 | bi3 | 0.333333 |
-| test.c:344:28:344:30 | bi4 | 0.5 |
+| test.c:344:22:344:24 | bi3 | 0 |
+| test.c:344:28:344:30 | bi4 | 0 |
 | test.c:344:34:344:36 | bi5 | 2 |
 | test.c:349:7:349:7 | x | -2147483648 |
 | test.c:353:10:353:10 | i | 0 |
diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/ternaryLower.expected b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/ternaryLower.expected
@@ -1,9 +1,9 @@
 | test.c:154:10:154:40 | ... ? ... : ... | -1.0 | 1.0 | -1.0 |
-| test.c:338:22:338:44 | ... ? ... : ... | 0.5 | 0.5 | 2.0 |
+| test.c:338:22:338:44 | ... ? ... : ... | 0.0 | 0.0 | 2.0 |
 | test.c:339:20:339:43 | ... ? ... : ... | 0.0 | 0.0 | 2.0 |
-| test.c:340:22:340:44 | ... ? ... : ... | 0.33333333333333337 | 0.33333333333333337 | 2.0 |
-| test.c:341:22:341:44 | ... ? ... : ... | 0.5 | 0.5 | 2.0 |
-| test.c:342:22:342:45 | ... ? ... : ... | 2.0 | 8.5 | 2.0 |
+| test.c:340:22:340:44 | ... ? ... : ... | 0.0 | 0.0 | 2.0 |
+| test.c:341:22:341:44 | ... ? ... : ... | 0.0 | 0.0 | 2.0 |
+| test.c:342:22:342:45 | ... ? ... : ... | 2.0 | 8.0 | 2.0 |
 | test.c:368:8:368:23 | ... ? ... : ... | 0.0 | 0.0 | 10.0 |
 | test.c:369:8:369:24 | ... ? ... : ... | 0.0 | 10.0 | 0.0 |
 | test.c:377:10:377:15 | ... ? ... : ... | 0.0 | 0.0 | 5.0 |
diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/ternaryUpper.expected b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/ternaryUpper.expected
@@ -1,7 +1,7 @@
 | test.c:154:10:154:40 | ... ? ... : ... | 2.147483647E9 | 2.147483647E9 | -1.0 |
 | test.c:338:22:338:44 | ... ? ... : ... | 2.147483647E9 | 2.147483647E9 | 2.0 |
 | test.c:339:20:339:43 | ... ? ... : ... | 2.147483647E9 | 2.147483647E9 | 2.0 |
-| test.c:340:22:340:44 | ... ? ... : ... | 1.4316557643333333E9 | 1.4316557643333333E9 | 2.0 |
+| test.c:340:22:340:44 | ... ? ... : ... | 1.431655764E9 | 1.431655764E9 | 2.0 |
 | test.c:341:22:341:44 | ... ? ... : ... | 2.147483647E9 | 2.147483647E9 | 2.0 |
 | test.c:342:22:342:45 | ... ? ... : ... | 2.147483647E9 | 2.147483647E9 | 2.0 |
 | test.c:368:8:368:23 | ... ? ... : ... | 99.0 | 99.0 | 10.0 |
diff --git a/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected b/cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected
@@ -355,14 +355,14 @@
 | test.c:339:25:339:25 | e | 4294967295 |
 | test.c:339:39:339:39 | e | 2147483647 |
 | test.c:340:27:340:27 | e | 4294967295 |
-| test.c:340:40:340:40 | e | 1431655764.333333 |
+| test.c:340:40:340:40 | e | 1431655764 |
 | test.c:341:27:341:27 | e | 4294967295 |
 | test.c:341:40:341:40 | e | 2147483647 |
 | test.c:342:27:342:27 | e | 4294967295 |
 | test.c:342:41:342:41 | e | 2147483647 |
 | test.c:344:10:344:12 | bi1 | 2147483647 |
 | test.c:344:16:344:18 | bi2 | 2147483647 |
-| test.c:344:22:344:24 | bi3 | 1431655764.333333 |
+| test.c:344:22:344:24 | bi3 | 1431655764 |
 | test.c:344:28:344:30 | bi4 | 2147483647 |
 | test.c:344:34:344:36 | bi5 | 2147483647 |
 | test.c:349:7:349:7 | x | 2147483647 |
