JS: fix bug in foldedComparisonEdge

asger-semmle · asger-semmle · commit d69e584cc2b9 · 2018-11-29T11:22:15.000Z
diff --git a/javascript/ql/src/semmle/javascript/RangeAnalysis.qll b/javascript/ql/src/semmle/javascript/RangeAnalysis.qll
@@ -464,8 +464,8 @@ module RangeAnalysis {
     exists (DataFlow::Node k, int ksign, Bias bias, int avalue, int kvalue |
       comparisonEdge(cfg, a, asign, k, ksign, bias, sharp) and
       avalue = a.asExpr().getIntValue() * asign and
-      kvalue = b.asExpr().getIntValue() * bsign and
-      (avalue < kvalue + bias or sharp = true and avalue = kvalue + bias) and
+      kvalue = k.asExpr().getIntValue() * ksign and
+      (avalue > kvalue + bias or sharp = true and avalue = kvalue + bias) and
       a = b and
       asign = bsign and
       c = -1)
diff --git a/javascript/ql/test/library-tests/RangeAnalysis/length.js b/javascript/ql/test/library-tests/RangeAnalysis/length.js
@@ -0,0 +1,3 @@
+function f(arr) {
+  if (arr.length > 2) {} // OK
+}
diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/UselessComparisonTest.expected b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/UselessComparisonTest.expected
@@ -1 +1,3 @@
-| example.js:8:7:8:13 | i < end | The condition 'i < end' is always false |
+| constant.js:2:7:2:11 | 1 > 2 | The condition '1 > 2' is always false. |
+| constant.js:3:7:3:11 | 1 > 0 | The condition '1 > 0' is always true. |
+| example.js:8:7:8:13 | i < end | The condition 'i < end' is always false. |
diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js
@@ -0,0 +1,4 @@
+function f() {
+  if (1 > 2) {} else {} // NOT OK - always false
+  if (1 > 0) {} else {} // NOT OK - always true
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+function f(arr) {`
	`2`	`+ if (arr.length > 2) {} // OK`
	`3`	`+}`