Incorrect integer conversion

[owen-mc]

Promoting this query (formerly called "Incorrect numeric conversion" because it also dealt with floats) from experimental status. There are three things I am aware I still need to do:

1. Run dist-compare on lgtm to check performance. It takes a long time on cockroachdb because there are a lot of sources and sinks. (Didn't do - decided to do 4 instead.)
2. Add tests for the library code that has been added
3. Deal with build constraints specifying 32-bit or 64-bit architectures, which could lead to false positives. Note that file names ending in the name of an architecture act as implicit build constraints as well.
4. Run on lgtm and check results. (Actually decided to do 1 after all.)

Note that we only look for upper bounds checks as sanitizers. It isn't possible to track upper and lower bounds checks with the taint tracking framework. This means we may miss some results, but it is probably quite rare to remember to check the upper bound and not the lower bound. (And with an unsigned integer you don't need a lower bound check.)

[owen-mc]

Thanks @intrigus-lgtm , lots of good points. I have addressed most of them with a new commit. I'm not sure what to do about the problem that 2^63 - 1 isn't exactly representable in a 32-bit float.

[owen-mc]

qhelp preview https://jenkins.internal.semmle.com/job/Pull-Request-Check/job/QHelp-Preview/3098/ (though it doesn't work for me)

[max-schaefer]

Looks great overall, thanks for tackling this! I have a few comments here and there.

[max-schaefer]

I'd suggest putting backticks around the names of the functions.

[shati-patel]

➕

Could you also add a comma after "strconv.ParseInt"? We try to consistently use Oxford commas.

[max-schaefer]

This is a little hard to follow. Would it perhaps make sense to split out the treatment of 0 into separate disjuncts?

Suggested change

	sourceBitSize in [0, 16, 32, 64] and
	sinkBitSize in [0, 8, 16, 32] and
	not (sourceBitSize = 0 and sinkBitSize = 0) and
	exists(int source, int sink |
	(if sourceBitSize = 0 then source = 64 else source = sourceBitSize) and
	if sinkBitSize = 0 then sink = 32 else sink = sinkBitSize
	|
	source > sink
	)
	sourceBitSize in [16, 32, 64] and
	sinkBitSize in [8, 16, 32] and
	sourceBitSize > sinkBitSize
	or
	sourceBitSize = 0 and
	sinkBitSize in [8, 16, 32]
	or
	sourceBitSize = 64 and
	sinkBitSize = 0

[max-schaefer]

If you put "ConversionWithoutBoundsCheckConfig" first, you can get rid of the toString()s, which reads slightly nicer, I think.

[max-schaefer]

I think I'd prefer this to be called getBitSizeDescription or even describeBitSize, just to emphasise that this isn't simply the toString() of getTargetBitSize().

[max-schaefer]

Suggested change

	if exists(StrConv::IntSize intSize | this.getArgument(2).(DataFlow::ReadNode).reads(intSize))
	if this.getArgument(2) = any(IntSize is).getARead()

[max-schaefer]

Suggested change

	class AtoiCall extends DataFlow::CallNode, ParserCall::Range {
	class AtoiCall extends ParserCall::Range {

(ParserCall::Range already extends DataFlow::CallNode)

[max-schaefer]

Couldn't you just use getTarget().getQualifiedName()? Then you wouldn't even need a separate predicate for it.

[max-schaefer]

I wonder whether it wouldn't be neater to describe this at the level of functions instead of function calls. So you'd have

module NumberParser {
  class Range extends Function {
    abstract FunctionInput getTargetBitSize();
    abstract predicate isTargetSigned();
  }
}

The various functions from StrConv above then extend this Range class. You'd have to move the logic for checking whether a bit size is architecture-dependent into the query, but that seems to be the right place for it anyway.

[owen-mc]

That does seem neater. How would getTargetBitSize() work for Atoi, which doesn't have a parameter corresponding to the bit size? Implement it as none() and then treat that case specially when calculating the bit size? Or return an algebraic data type which has branches for int and FunctionInput?

[max-schaefer]

I'd say implement as none() and have clients do what's appropriate for their context.

[shati-patel]

qhelp preview https://jenkins.internal.semmle.com/job/Pull-Request-Check/job/QHelp-Preview/3098/ (though it doesn't work for me)

Also doesn't work for me for some reason, but the query help looks good (from looking at the source) 😊

[shati-patel]

➕

Could you also add a comma after "strconv.ParseInt"? We try to consistently use Oxford commas.

[max-schaefer]

Is the "where 0 represents" bit intentional? I can't immediately see how that would apply in this case.

[owen-mc]

I mean if the value of the FunctionInput is 0 then that means the bit size of int and uint.

[smowton]

Suggestions only, looks good

[smowton]

No kidding ;)

[owen-mc]

Apparently the compiler considers boolean to be an unbounded type for historical reasons...

[smowton]

I guess sourceIsSigned = (ip.getResultType(0) instanceof SignedIntegerType) doesn't work?

[owen-mc]

Sadly not. "Expected an expression but found a term instead".

[smowton]

This if might be worth a brief explanatory comment

[smowton]

Comment on why we assume 32 for arch-specific?

[smowton]

Might be overkill, but perhaps get-result should be a member here, rather than assuming in the query that getResult(0) is always the place to find the output?

[owen-mc]

I think it's overkill. We can always change in future it if we want to add an integer parsing function that returns the output in a different place.

[smowton]

Possible false-positive to consider: masking before/after the shift, e.g. parsed & 0xff00 >> 8? I don't know if these are likely in reality, perhaps worth a leaf through lgtm

[owen-mc]

Good point. 17 repos on lgtm have the pattern byte(parsed & 0xff00 >> 8) and 83 have the pattern byte(parsed >> 8 & 0xff) (though not all necessarily relate to this query). I've made the query catch the former and added tests for it - I wouldn't expect it to impact performance noticeably. We already caught the latter but I've added tests for it too.

[max-schaefer]

This if condition is a little too complex for my taste. As you know, the compiler transforms if A then B else C into (A and B) or (not A and C), and if A is complex then not A can have unexpectedly bad performance.

In general, I would suggest pulling out parts of the condition into a surrounding exists wherever possible. In this specific case, the following rewrite may make sense:

exists(DataFlow::Node rawBitSize | rawBitSize = ip.getTargetBitSizeInput().getNode(c) |
  if rawBitSize = any(StrConv::IntSize intSize).getARead() then
    bitSize = 0
  else
    bitSize = rawBitSize.getIntValue()
)

You might also consider pulling out the any(StrConv::IntSize intSize).getARead() bit into a separate predicate to make the intention even clearer.

[owen-mc]

I've pushed a commit dealing with build constraints. We now run the tests in this folder again with GOARCH=386 and check we get the same results. Currently I've just hard-coded the path to this folder, but if we want to reuse the same functionality for other folders in future then we can set up something nicer. All the tests in files with architecture-specific build constraints have to produce no results, so that we get the same results no matter which architecture we are testing, but I have checked that they really are being run.

[max-schaefer]

Nice! Thanks for tackling that final piece of the puzzle. As usual I have a few nitpicks. I know that you've been hammering away at this for a while, but it seems to me like there are a few generally useful bits of functionality in here that are worth pulling out.

Also, we'll probably need a performance evaluation of this after all, just to make sure the reasoning about build constraints is handled well.

[max-schaefer]

Suggested change

	if file.hasConstrainedIntBitSize(32)
	then result = 32
	else
	if file.hasConstrainedIntBitSize(64)
	then result = 64
	else result = 0
	file.hasConstrainedIntBitSize(result)
	or
	not file.hasConstrainedIntBitSize(_) and
	result = 0

[max-schaefer]

How about simplifying the name slightly to constrainsBitSize and similarly explicitlyConstrainsBitSize and implicitlyConstrainsBitSize below?

[max-schaefer]

(In particular I don't think the "Architecture" part included in the name of those two other predicates adds much.)

[max-schaefer]

Alternatively, perhaps expose a more general predicate that determines whether a file is only built on a particular architecture, and then derive the bit-size information from that.

We might even want

class Architecture extends string {
  int bitSize;

  Architecture() {
    this = "386" and bitSize = 32 or
    ...
  }

  int getBitSize() { result = bitSize }
}

[owen-mc]

I like the idea of the architecture class. Which file do you think it should go in? Files.qll? Its own file?

[max-schaefer]

I can't immediately think of a good place to put it, so I think its own file is fine.

[max-schaefer]

I think it might be worth explicitly stating that bitSize is either 32 or 64 here.

[max-schaefer]

I think the logic for pulling out individual build constraints deserves to be moved into BuildConstraintComment, it looks independently useful.

[max-schaefer]

I don't think you need bc anymore.

[max-schaefer]

I think it might be slightly more readable to pull arch out into an exists

Suggested change

	this
	.getStem()
	.regexpMatch(".*_" + any(Architecture arch | arch.getBitSize() = bitSize) + "(_test)?")
	exists(Architecture arch | arch.getBitSize() = bitsize |
	this.getStem().regexpMatch("(?i).*_\\Q" + arch + "\\E(_test)?")
	)

I've added (?i) to do a case-insensitive match (I'm guessing that's required for non-case preserving file systems), and \\Q and \\E to quote any regex metacharacters in arch (I don't think there can be any at the moment, but better safe than sorry).

[max-schaefer]

Some final minor nitpicks, but overall this looks very good now! I'll do a quick dist-compare as a sanity check.

[max-schaefer]

Two suggestions about the select:

• Since the message mentions the conversion, we should probably select sink.getNode() rather than source.getNode().
• To provide a reference to source, we can turn the relevant part of the alert message into a link:

      " from $@ to a lower (...)", source, call.getTarget().getQualifiedName()

[max-schaefer]

Benchmarking suggests that performance is acceptable for a data-flow query. (It's a little on the slow side on large databases, but the evaluation log doesn't show anything that looks like an easy win.)