[inferbo] Do not raise integer overflow when multiplying 1

Summary: We assume multiplication of 1 is safe. It happens sometimes by multiplying `sizeof(char)`. Reviewed By: mbouaziz Differential Revision: D10444680 fbshipit-source-id: 2f33be280
6 years ago · 5d9f11c68e
parent cd1981a567
commit 5d9f11c68e
5 changed files with 54 additions and 31 deletions
--- a/infer/src/bufferoverrun/bufferOverrunProofObligations.ml
+++ b/infer/src/bufferoverrun/bufferOverrunProofObligations.ml
@ -360,7 +360,13 @@ module BinaryOperationCondition = struct

  let pp_description = pp

+  let is_mult_one binop lhs rhs =
+    equal_binop binop Mult && (ItvPure.is_one lhs || ItvPure.is_one rhs)
+
+
  let check {binop; typ; integer_widths; lhs; rhs} =
+    if is_mult_one binop lhs rhs then {report_issue_type= None; propagate= false}
+    else
      let v =
        match binop with
        | Plus ->
--- a/infer/src/bufferoverrun/itv.ml
+++ b/infer/src/bufferoverrun/itv.ml
@ -568,6 +568,8 @@ module ItvPure = struct

  let is_zero : t -> bool = fun (l, u) -> Bound.is_zero l && Bound.is_zero u

+  let is_one : t -> bool = fun (l, u) -> Bound.eq l Bound.one && Bound.eq u Bound.one
+
  let is_true : t -> bool = fun (l, u) -> Bound.le Bound.one l || Bound.le u Bound.mone

  let is_false : t -> bool = is_zero
--- a/infer/src/bufferoverrun/itv.mli
+++ b/infer/src/bufferoverrun/itv.mli
@ -98,6 +98,8 @@ module ItvPure : sig

  val is_top : t -> bool

+  val is_one : t -> bool
+
  val ( <= ) : lhs:t -> rhs:t -> bool

  val have_similar_bounds : t -> t -> bool
--- a/infer/tests/codetoanalyze/c/bufferoverrun/arith.c
+++ b/infer/tests/codetoanalyze/c/bufferoverrun/arith.c
@ -178,3 +178,15 @@ void use_uint64_max_Bad_FN() {
  uint64_t y = UINT64_MAX - 15;
  arr[x - y] = 0;
 }
+
+uint64_t unknown_uint();
+
+void muliply_one_Good() {
+  uint64_t x = unknown_uint();
+  uint64_t y = x * 1;
+}
+
+void muliply_two_Bad() {
+  uint64_t x = unknown_uint();
+  uint64_t y = x * 2;
+}
--- a/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
+++ b/infer/tests/codetoanalyze/c/bufferoverrun/issues.exp
@ -7,6 +7,7 @@ codetoanalyze/c/bufferoverrun/arith.c, integer_overflow_by_subtraction_Bad, 4, I
 codetoanalyze/c/bufferoverrun/arith.c, integer_overflow_by_subtraction_Bad, 5, CONDITION_ALWAYS_FALSE, no_bucket, WARNING, []
 codetoanalyze/c/bufferoverrun/arith.c, modulo_signed_Bad, 2, BUFFER_OVERRUN_L3, no_bucket, ERROR, [ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [-4, 4] Size: 5]
 codetoanalyze/c/bufferoverrun/arith.c, modulo_signed_neg_Bad, 2, BUFFER_OVERRUN_L3, no_bucket, ERROR, [ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [-4, 4] Size: 5]
+codetoanalyze/c/bufferoverrun/arith.c, muliply_two_Bad, 2, INTEGER_OVERFLOW_U5, no_bucket, ERROR, [Unknown value from: unknown_uint,Assignment,Binop: ([-oo, +oo] * 2):unsigned64]
 codetoanalyze/c/bufferoverrun/arith.c, plus_linear_min2_Good_FP, 2, BUFFER_OVERRUN_L2, no_bucket, ERROR, [ArrayDeclaration,Call,Assignment,Return,ArrayAccess: Offset: [0, 14] Size: 10]
 codetoanalyze/c/bufferoverrun/arith.c, plus_linear_min3_Good_FP, 2, BUFFER_OVERRUN_L2, no_bucket, ERROR, [ArrayDeclaration,Call,Assignment,Return,ArrayAccess: Offset: [0, 25] Size: 20]
 codetoanalyze/c/bufferoverrun/arith.c, plus_linear_min_Bad, 2, BUFFER_OVERRUN_L2, no_bucket, ERROR, [ArrayDeclaration,Call,Assignment,Return,ArrayAccess: Offset: [0, 19] Size: 19]