C#: Update range utils and signanalysis.

michaelnebel · michaelnebel · commit f29fb52cd5db · 2026-03-13T15:47:03.000+01:00
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll
@@ -33,7 +33,9 @@ private module Impl {
   /** Holds if SSA definition `def` equals `e + delta`. */
   predicate ssaUpdateStep(ExplicitDefinition def, ExprNode e, int delta) {
     exists(ControlFlow::Node cfn | cfn = def.getControlFlowNode() |
-      e = cfn.(ExprNode::Assignment).getRValue() and delta = 0
+      e = cfn.(ExprNode::Assignment).getRValue() and
+      delta = 0 and
+      not cfn instanceof ExprNode::AssignOperation
       or
       e = cfn.(ExprNode::PostIncrExpr).getOperand() and delta = 1
       or
@@ -66,12 +68,24 @@ private module Impl {
       x.getIntValue() = delta
     )
     or
+    exists(ConstantIntegerExpr x |
+      e2.(ExprNode::AssignAddExpr).getLeftOperand() = e1 and
+      e2.(ExprNode::AssignAddExpr).getRightOperand() = x and
+      x.getIntValue() = delta
+    )
+    or
     exists(ConstantIntegerExpr x |
       e2.(ExprNode::SubExpr).getLeftOperand() = e1 and
       e2.(ExprNode::SubExpr).getRightOperand() = x and
       x.getIntValue() = -delta
     )
     or
+    exists(ConstantIntegerExpr x |
+      e2.(ExprNode::AssignSubExpr).getLeftOperand() = e1 and
+      e2.(ExprNode::AssignSubExpr).getRightOperand() = x and
+      x.getIntValue() = -delta
+    )
+    or
     // Conditional expressions with only one branch can happen either
     // because of pruning or because of Boolean splitting. In such cases
     // the conditional expression has the same value as the branch.
@@ -230,6 +244,11 @@ module ExprNode {
     override CS::AssignExpr e;
   }
 
+  /** A compound assignment operation. */
+  class AssignOperation extends Assignment, BinaryOperation {
+    override CS::AssignOperation e;
+  }
+
   /** A unary operation. */
   class UnaryOperation extends ExprNode {
     override CS::UnaryOperation e;
@@ -397,6 +416,90 @@ module ExprNode {
     override TUnsignedRightShiftOp getOp() { any() }
   }
 
+  /** A compound addition assignment operation. */
+  class AssignAddExpr extends AssignOperation {
+    override CS::AssignAddExpr e;
+
+    override TAddOp getOp() { any() }
+  }
+
+  /** A compound subtraction assignment operation. */
+  class AssignSubExpr extends AssignOperation {
+    override CS::AssignSubExpr e;
+
+    override TSubOp getOp() { any() }
+  }
+
+  /** A compound multiplication assignment operation. */
+  class AssignMulExpr extends AssignOperation {
+    override CS::AssignMulExpr e;
+
+    override TMulOp getOp() { any() }
+  }
+
+  /** A compound division assignment operation. */
+  class AssignDivExpr extends AssignOperation {
+    override CS::AssignDivExpr e;
+
+    override TDivOp getOp() { any() }
+  }
+
+  /** A compound remainder assignment operation. */
+  class AssignRemExpr extends AssignOperation {
+    override CS::AssignRemExpr e;
+
+    override TRemOp getOp() { any() }
+  }
+
+  /** A compound bitwise assignment operation. */
+  class AssignBitwiseOperation extends AssignOperation {
+    override CS::AssignBitwiseOperation e;
+
+    override TBinarySignOperation getOp() { none() }
+  }
+
+  /** A compound bitwise-and assignment operation. */
+  class AssignAndExpr extends AssignOperation {
+    override CS::AssignAndExpr e;
+
+    override TBitAndOp getOp() { any() }
+  }
+
+  /** A compound bitwise-or assignment operation. */
+  class AssignOrExpr extends AssignOperation {
+    override CS::AssignOrExpr e;
+
+    override TBitOrOp getOp() { any() }
+  }
+
+  /** A compound bitwise-xor assignment operation. */
+  class AssignXorExpr extends AssignOperation {
+    override CS::AssignXorExpr e;
+
+    override TBitXorOp getOp() { any() }
+  }
+
+  /** A compound left-shift assignment operation. */
+  class AssignLeftShiftExpr extends AssignOperation {
+    override CS::AssignLeftShiftExpr e;
+
+    override TLeftShiftOp getOp() { any() }
+  }
+
+  /** A compound right-shift assignment operation. */
+  class AssignRightShiftExpr extends AssignOperation {
+    override CS::AssignRightShiftExpr e;
+
+    override TRightShiftOp getOp() { any() }
+  }
+
+  /** A compound unsigned right-shift assignment operation. */
+  class AssignUnsignedRightShiftExpr extends AssignOperation {
+    override CS::AssignUnsighedRightShiftExpr e;
+
+    override TUnsignedRightShiftOp getOp() { any() }
+  }
+
   /** A conditional expression. */
   class ConditionalExpr extends ExprNode {
     override CS::ConditionalExpr e;
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll
@@ -130,6 +130,11 @@ private module Impl {
       adef = def.getADefinition() and
       hasChild(adef.getExpr(), adef.getSource(), def.getControlFlowNode(), result)
     )
+    or
+    exists(AssignableDefinitions::AssignOperationDefinition adef |
+      adef = def.getADefinition() and
+      result.getExpr() = adef.getSource()
+    )
   }
 
   /** Holds if `def` can have any sign. */

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,11 @@ private module Impl {`
`130`	`130`	`adef = def.getADefinition() and`
`131`	`131`	`hasChild(adef.getExpr(), adef.getSource(), def.getControlFlowNode(), result)`
`132`	`132`	`)`
	`133`	`+ or`
	`134`	`+ exists(AssignableDefinitions::AssignOperationDefinition adef \|`
	`135`	`+ adef = def.getADefinition() and`
	`136`	`+ result.getExpr() = adef.getSource()`
	`137`	`+ )`
`133`	`138`	`}`
`134`	`139`
`135`	`140`	/** Holds if `def` can have any sign. */