diff --git a/cpp/ql/lib/semmle/code/cpp/Function.qll b/cpp/ql/lib/semmle/code/cpp/Function.qll index 10b156e3fb64..b5ea5b3cbc73 100644 --- a/cpp/ql/lib/semmle/code/cpp/Function.qll +++ b/cpp/ql/lib/semmle/code/cpp/Function.qll @@ -524,6 +524,14 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function { not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0)) ) } + + /** + * Holds if this function has ambiguous return type (this occurs sometimes in + * Build Mode None). + */ + predicate hasAmbiguousReturnType() { + count(this.getType()) != 1 + } } pragma[noinline] diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql index a54ac9020c8c..6747d177c80e 100644 --- a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql +++ b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql @@ -218,7 +218,9 @@ where // only report if we cannot prove that the result of the // multiplication will be less (resp. greater) than the // maximum (resp. minimum) number we can compute. - overflows(me, t1) + overflows(me, t1) and + // exclude cases where the expression type may not have been extracted accurately + not me.getParent().(Call).getTarget().hasAmbiguousReturnType() select me, "Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '" + me.getFullyConverted().getType().toString() + "'." diff --git a/cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md b/cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md new file mode 100644 index 000000000000..a0efd8a87852 --- /dev/null +++ b/cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in Build Mode Node databases. diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c new file mode 100644 index 000000000000..3d01a28fae0a --- /dev/null +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c @@ -0,0 +1,28 @@ +// semmle-extractor-options: --expect_errors + +void test_float_double1(float f, double d) { + float r1 = f * f; // GOOD + float r2 = f * d; // GOOD + double r3 = f * f; // BAD + double r4 = f * d; // GOOD + + float f1 = fabsf(f * f); // GOOD + float f2 = fabsf(f * d); // GOOD + double f3 = fabs(f * f); // BAD [NOT DETECTED] + double f4 = fabs(f * d); // GOOD +} + +double fabs(double f); +float fabsf(float f); + +void test_float_double2(float f, double d) { + float r1 = f * f; // GOOD + float r2 = f * d; // GOOD + double r3 = f * f; // BAD + double r4 = f * d; // GOOD + + float f1 = fabsf(f * f); // GOOD + float f2 = fabsf(f * d); // GOOD + double f3 = fabs(f * f); // BAD [NOT DETECTED] + double f4 = fabs(f * d); // GOOD +} diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected index 2806aaa809fe..05b2b7e1ea3c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected @@ -1,3 +1,5 @@ +| Buildless.c:6:17:6:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. | +| Buildless.c:21:17:21:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. | | IntMultToLong.c:4:10:4:14 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. | | IntMultToLong.c:7:16:7:20 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. | | IntMultToLong.c:18:19:18:23 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |