java: inline range test

[yoff]

This adds inline expectation test for the java range analysis.
Feel free to suggest better tests or better syntax.

Pull Request checklist

All query authors

• A change note is added if necessary. See the documentation in this repository.
• All new queries have appropriate .qhelp. See the documentation in this repository.
• QL tests are added if necessary. See Testing custom queries in the GitHub documentation.
• New and changed queries have correct query metadata. See the documentation in this repository.

Internal query authors only

• Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to .ql, .qll, or .qhelp files. See the documentation (internal access required).
• Changes are validated at scale (internal access required).
• Adding a new query? Consider also adding the query to autofix.

[aschackmull]

Same.

[yoff]

Yes, I will get that done.

[aschackmull]

Same.

[yoff]

👍

[aschackmull]

One of the key features of the range analysis library is the ability to report bounds in terms of SSA variables or interesting expressions such as arr.length. I think it would be nice to add some cases of inline expectations for those bounds as well. Given that they're plentiful, they should only be reported relative to indicated bound expression positions. E.g.

static void bound(int b) { }

static void tst(int[] arr) {
  bound(arr.length);
  for (int i = 0; i < arr.length; i++) {
    arr[i]++; // $ bound="i <= arr.length - 1"
  }
}

But feel free to take or leave this suggestion, depending on how much effort you want to put in, as it's also fine to just merge what's already here in the PR.

[yoff]

One of the key features of the range analysis library is the ability to report bounds in terms of SSA variables or interesting expressions such as arr.length. I think it would be nice to add some cases of inline expectations for those bounds as well. Given that they're plentiful, they should only be reported relative to indicated bound expression positions. E.g.

I think that is a nice idea. The current set of tests is based on my hunt for opportunities to improve range analysis results by rewriting the CFG. But the current PR should rather just present a useful set of tests for range analysis, so I will give this a go :-)

[yoff]

But the current PR should rather just present a useful set of tests for range analysis

This can probably still be improved quite a bit. But now there is at least support for annotating non-integer bounds.

[aschackmull]

That's not MISSING - such a bound would be wrong if b is negative or zero, and thus the range analysis won't infer it.

[yoff]

Ah, nice. So if I add a guard for b being positive, it might appear. Having both versions would be a good illustration of this.

[yoff]

I could not get the bound to appear, so now there are just a bunch of negative tests..

[aschackmull]

This constraint looks very weird. Perhaps something like this would suffice?

Suggested change

	(DataFlow::localFlow(DataFlow::exprNode(boundExpr), DataFlow::exprNode(e)) implies delta != 0)
	not e = b.getExpr()

[yoff]

I tried that first, but it let through some trivial things. However, it works now...I think I am not used to ensuring the test file compiles all the time... 😅

[aschackmull]

Suggested change

	annotatedBound(e, b, boundExpr, delta, upper) and
	annotatedBound(e, _, boundExpr, delta, upper) and

[aschackmull]

We should not add data flow to the mix.

Suggested change

private import semmle.code.java.dataflow.DataFlow

[aschackmull]

Btw. this is actually a case that potentially could be improved by some sort of "loop executes at least once" analysis.

[aschackmull]

LGTM now.