Merge pull request #21313 from MathiasVP/range-analysis-lower-bound-and-measure-enums

C++: Measure bounds for `Enum` constants and reduce `getBoundsLimit`

Author: jketema

cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll

@@ -404,7 +404,7 @@ predicate cmpWithLinearBound(
  * For example, if `t` is a signed 32-bit type then holds if `lb` is
  * `-2^31` and `ub` is `2^31 - 1`.
  */
-private predicate typeBounds(ArithmeticType t, float lb, float ub) {
+private predicate typeBounds0(ArithmeticType t, float lb, float ub) {
   exists(IntegralType integralType, float limit |
     integralType = t and limit = 2.pow(8 * integralType.getSize())
   |
@@ -423,6 +423,42 @@ private predicate typeBounds(ArithmeticType t, float lb, float ub) {
   t instanceof FloatingPointType and lb = -(1.0 / 0.0) and ub = 1.0 / 0.0
 }
 
+/**
+ * Gets the underlying type for an enumeration `e`.
+ *
+ * If the enumeration does not have an explicit type we approximate it using
+ * the following rules:
+ * - The result type is always `signed`, and
+ * - if the largest value fits in an `int` the result is `int`. Otherwise, the
+ * result is `long`.
+ */
+private IntegralType getUnderlyingTypeForEnum(Enum e) {
+  result = e.getExplicitUnderlyingType()
+  or
+  not e.hasExplicitUnderlyingType() and
+  result.isSigned() and
+  exists(IntType intType |
+    if max(e.getAnEnumConstant().getValue().toFloat()) >= 2.pow(8 * intType.getSize() - 1)
+    then result instanceof LongType
+    else result = intType
+  )
+}
+
+/**
+ * Holds if `lb` and `ub` are the lower and upper bounds of the unspecified
+ * type `t`.
+ *
+ * For example, if `t` is a signed 32-bit type then holds if `lb` is
+ * `-2^31` and `ub` is `2^31 - 1`.
+ *
+ * Unlike `typeBounds0`, this predicate also handles `Enum` types.
+ */
+private predicate typeBounds(Type t, float lb, float ub) {
+  typeBounds0(t, lb, ub)
+  or
+  typeBounds0(getUnderlyingTypeForEnum(t), lb, ub)
+}
+
 private Type stripReference(Type t) {
   if t instanceof ReferenceType then result = t.(ReferenceType).getBaseType() else result = t
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -512,8 +512,8 @@ private module BoundsEstimate {
    */
   float getBoundsLimit() {
     // This limit is arbitrary, but low enough that it prevents timeouts on
-    // specific observed customer databases (and the in the tests).
-    result = 2.0.pow(40)
+    // specific observed customer databases (and in the tests).
+    result = 2.0.pow(29)
   }
 
   /** Gets the maximum number of bounds possible for `t` when widening is used. */

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected

@@ -1025,6 +1025,7 @@
 | test.c:970:12:970:12 | y | 256 |
 | test.c:971:9:971:9 | x | 2147483647 |
 | test.c:972:9:972:9 | y | 256 |
+| test.c:985:7:985:7 | e | -2147483648 |
 | test.cpp:10:7:10:7 | b | -2147483648 |
 | test.cpp:11:5:11:5 | x | -2147483648 |
 | test.cpp:13:10:13:10 | x | -2147483648 |
@@ -1093,3 +1094,64 @@
 | test.cpp:122:4:122:4 | n | 0 |
 | test.cpp:122:8:122:8 | n | 0 |
 | test.cpp:122:12:122:12 | n | 1 |
+| test_nr_of_bounds.cpp:40:5:40:20 | x | 0 |
+| test_nr_of_bounds.cpp:40:5:40:20 | x | 0 |
+| test_nr_of_bounds.cpp:41:5:41:20 | x | 0 |
+| test_nr_of_bounds.cpp:41:5:41:20 | x | 0 |
+| test_nr_of_bounds.cpp:42:5:42:20 | x | 0 |
+| test_nr_of_bounds.cpp:42:5:42:20 | x | 0 |
+| test_nr_of_bounds.cpp:43:5:43:20 | x | 0 |
+| test_nr_of_bounds.cpp:43:5:43:20 | x | 0 |
+| test_nr_of_bounds.cpp:44:5:44:20 | x | 0 |
+| test_nr_of_bounds.cpp:44:5:44:20 | x | 0 |
+| test_nr_of_bounds.cpp:45:5:45:20 | x | 0 |
+| test_nr_of_bounds.cpp:45:5:45:20 | x | 0 |
+| test_nr_of_bounds.cpp:46:5:46:20 | x | 0 |
+| test_nr_of_bounds.cpp:46:5:46:20 | x | 0 |
+| test_nr_of_bounds.cpp:47:5:47:20 | x | 0 |
+| test_nr_of_bounds.cpp:47:5:47:20 | x | 0 |
+| test_nr_of_bounds.cpp:48:5:48:20 | x | 0 |
+| test_nr_of_bounds.cpp:48:5:48:20 | x | 0 |
+| test_nr_of_bounds.cpp:49:5:49:20 | x | 0 |
+| test_nr_of_bounds.cpp:49:5:49:20 | x | 0 |
+| test_nr_of_bounds.cpp:50:5:50:20 | x | 0 |
+| test_nr_of_bounds.cpp:50:5:50:20 | x | 0 |
+| test_nr_of_bounds.cpp:51:5:51:20 | x | 0 |
+| test_nr_of_bounds.cpp:51:5:51:20 | x | 0 |
+| test_nr_of_bounds.cpp:52:5:52:20 | x | 0 |
+| test_nr_of_bounds.cpp:52:5:52:20 | x | 0 |
+| test_nr_of_bounds.cpp:53:5:53:20 | x | 0 |
+| test_nr_of_bounds.cpp:53:5:53:20 | x | 0 |
+| test_nr_of_bounds.cpp:54:5:54:20 | x | 0 |
+| test_nr_of_bounds.cpp:54:5:54:20 | x | 0 |
+| test_nr_of_bounds.cpp:55:5:55:20 | x | 0 |
+| test_nr_of_bounds.cpp:55:5:55:20 | x | 0 |
+| test_nr_of_bounds.cpp:56:5:56:20 | x | 0 |
+| test_nr_of_bounds.cpp:56:5:56:20 | x | 0 |
+| test_nr_of_bounds.cpp:57:5:57:20 | x | 0 |
+| test_nr_of_bounds.cpp:57:5:57:20 | x | 0 |
+| test_nr_of_bounds.cpp:58:5:58:20 | x | 0 |
+| test_nr_of_bounds.cpp:58:5:58:20 | x | 0 |
+| test_nr_of_bounds.cpp:59:5:59:20 | x | 0 |
+| test_nr_of_bounds.cpp:59:5:59:20 | x | 0 |
+| test_nr_of_bounds.cpp:60:5:60:20 | x | 0 |
+| test_nr_of_bounds.cpp:60:5:60:20 | x | 0 |
+| test_nr_of_bounds.cpp:61:5:61:20 | x | 0 |
+| test_nr_of_bounds.cpp:61:5:61:20 | x | 0 |
+| test_nr_of_bounds.cpp:62:5:62:20 | x | 0 |
+| test_nr_of_bounds.cpp:62:5:62:20 | x | 0 |
+| test_nr_of_bounds.cpp:63:5:63:20 | x | 0 |
+| test_nr_of_bounds.cpp:63:5:63:20 | x | 0 |
+| test_nr_of_bounds.cpp:64:5:64:20 | x | 0 |
+| test_nr_of_bounds.cpp:64:5:64:20 | x | 0 |
+| test_nr_of_bounds.cpp:65:5:65:21 | x | 0 |
+| test_nr_of_bounds.cpp:65:5:65:21 | x | 0 |
+| test_nr_of_bounds.cpp:66:5:66:21 | x | 0 |
+| test_nr_of_bounds.cpp:66:5:66:21 | x | 0 |
+| test_nr_of_bounds.cpp:67:5:67:21 | x | 0 |
+| test_nr_of_bounds.cpp:67:5:67:21 | x | 0 |
+| test_nr_of_bounds.cpp:68:5:68:21 | x | 0 |
+| test_nr_of_bounds.cpp:68:5:68:21 | x | 0 |
+| test_nr_of_bounds.cpp:69:5:69:21 | x | 0 |
+| test_nr_of_bounds.cpp:69:5:69:21 | x | 0 |
+| test_nr_of_bounds.cpp:72:12:72:12 | x | 0 |