Skip to content

CPP: Work on Lossy function result cast query#654

Merged
jbj merged 11 commits into
github:masterfrom
geoffw0:lossyresultcast
Jan 17, 2019
Merged

CPP: Work on Lossy function result cast query#654
jbj merged 11 commits into
github:masterfrom
geoffw0:lossyresultcast

Conversation

@geoffw0

@geoffw0 geoffw0 commented Dec 10, 2018

Copy link
Copy Markdown
Contributor

Added test, qhelp and tags to this query. Fixed some false positives. It appears to produce generally good results (despite the comment that was in the @description), so I've given it a medium precision - which will result on it being run on LGTM but not displayed by default. If this part turns out to be controversial I can reduce the precision to low or delete it.

@jbj - I'd like your opinion on the precision tag.
@Semmle/doc - please review and make suggestions on the new qhelp.

@geoffw0 geoffw0 added the C++ label Dec 10, 2018
@geoffw0 geoffw0 requested a review from a team as a code owner December 10, 2018 16:58

@jbj jbj left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have mixed feelings about this query. It's more or less a compiler warning, and we generally leave that type of query to compilers. It would make more sense if we could reduce FPs by taking a whole-program view.

On the other hand, I ran this query on a bunch of projects, and the results generally looked good. Unexpected rounding probably won't be a disaster for these projects, but almost all of them could use an explicit cast or rounding to at least show the reader that it's not an accident.

fName = "roundl" or
fName = "trunc" or
fName = "truncf" or
fName = "truncl"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My main worry is that this list is that this list isn't exhaustive. It doesn't include user-defined wrappers around rounding functions, for example. I also notice that pow(2, smallPositiveInteger) is a common FP.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't find any cases of user-defined wrappers 'in the wild', but I've added this functionality.

I've also add pow (and variants) as an exception, provided the first number (base) has a compile time value that is a whole number.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I ran the query again on a bunch of LGTM projects and found this FP, where __builtin_ceil is called. Apparently, GCC has builtin versions of some of these operations. AFAICT from the compiler docs, only the ceil and floor functions are available as builtins, but the mathop.h file also uses __builtin_lroundf and apparently gets away with it. Perhaps, to be on the safe side, we should just whitelist all these function names with a __builtin_ prefix as well.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for investigating. I've added an exception for __builtin_* as well.

@semmledocs-ac semmledocs-ac self-requested a review December 11, 2018 09:03
semmledocs-ac
semmledocs-ac previously approved these changes Dec 11, 2018

@semmledocs-ac semmledocs-ac left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Query help LGTM

@geoffw0

geoffw0 commented Jan 9, 2019

Copy link
Copy Markdown
Contributor Author

It's more or less a compiler warning, and we generally leave that type of query to compilers.

That's a fair criticism.

the results generally looked good.

That was my observation as well, hence my instinct to make it run but not displayed by default on LGTM. I'll remove the @precision tag if you're not entirely happy with that though.

@jbj

jbj commented Jan 10, 2019

Copy link
Copy Markdown
Contributor

Testing here: https://lgtm.com/query/351600969242589109/

@jbj jbj left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Otherwise LGTM

fName = "roundl" or
fName = "trunc" or
fName = "truncf" or
fName = "truncl"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I ran the query again on a bunch of LGTM projects and found this FP, where __builtin_ceil is called. Apparently, GCC has builtin versions of some of these operations. AFAICT from the compiler docs, only the ceil and floor functions are available as builtins, but the mathop.h file also uses __builtin_lroundf and apparently gets away with it. Perhaps, to be on the safe side, we should just whitelist all these function names with a __builtin_ prefix as well.

rs.getEnclosingFunction() = fc.getTarget() and
rs.getExpr().(VariableAccess).getTarget() = v and
whiteListWrapped(v.getAnAssignedValue())
)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The wrapper detection is failing to detect vim_round, and this causes a FP on vim. I suggest using DataFlow::localFlow.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good thinking, done.

@jbj jbj left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested at https://lgtm.com/query/7450163572923171309/. The tests hit a transient failure, and I've re-triggered them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants