Shared/Java: Improve range analysis for phi exits out of loops and accept test changes.

MathiasVP · MathiasVP · commit 915fcf99aad1 · 2026-01-09T12:22:19.000Z
diff --git a/java/ql/test/library-tests/dataflow/range-analysis/RangeAnalysis.expected b/java/ql/test/library-tests/dataflow/range-analysis/RangeAnalysis.expected
@@ -236,6 +236,7 @@
 | A.java:44:13:44:13 | 0 | 0 | 0 | upper | NoReason |
 | A.java:45:12:45:12 | i | 0 | 0 | lower | NoReason |
 | A.java:45:12:45:12 | i | SSA def(i) | 0 | lower | NoReason |
+| A.java:45:12:45:12 | i | SSA param(size) | 0 | upper | ... < ... |
 | A.java:45:12:45:12 | i | SSA phi(i) | 0 | lower | NoReason |
 | A.java:45:12:45:12 | i | SSA phi(i) | 0 | upper | NoReason |
 | A.java:45:16:45:19 | size | SSA param(size) | 0 | lower | NoReason |
@@ -253,6 +254,7 @@
 | A.java:48:12:48:12 | i | 0 | 0 | lower | NoReason |
 | A.java:48:12:48:12 | i | SSA def(i) | 0 | lower | NoReason |
 | A.java:48:12:48:12 | i | SSA param(size) | 0 | lower | ... < ... |
+| A.java:48:12:48:12 | i | SSA param(size) | 0 | upper | ... < ... |
 | A.java:48:12:48:12 | i | SSA phi(i) | 0 | lower | NoReason |
 | A.java:48:12:48:12 | i | SSA phi(i) | 0 | upper | NoReason |
 | A.java:52:9:52:13 | i | 0 | 0 | lower | NoReason |
diff --git a/shared/rangeanalysis/codeql/rangeanalysis/RangeAnalysis.qll b/shared/rangeanalysis/codeql/rangeanalysis/RangeAnalysis.qll
@@ -1011,6 +1011,27 @@ module RangeStage<
     boundedPhiInp(phi, _, b, delta, upper, fromBackEdge, origdelta, reason)
   }
 
+  /**
+   * Holds if `inp <= delta` where `inp` is the input to `phi` along the edge
+   * with rank `rix`.
+   *
+   * Equivalent to `boundedPhiInp(phi, rix, any(SemZeroBound zb), delta, true, _, _, _)`.
+   */
+  private predicate zeroUpperBoundedPhiInp1(Sem::SsaPhiNode phi, int rix, D::Delta delta) {
+    boundedPhiInp1(phi, any(SemZeroBound zb), true, rix, delta)
+  }
+
+  /**
+   * Holds if `inp <= b + delta` for some input, `inp`, to `phi` and `b >= 0`.
+   */
+  private predicate upperBoundedPhiCand(
+    Sem::SsaPhiNode phi, SemSsaBound b, D::Delta delta, boolean fromBackEdge, D::Delta origdelta,
+    SemReason reason
+  ) {
+    boundedPhiCand(phi, true, b, delta, fromBackEdge, origdelta, reason) and
+    typeBound(Sem::getSsaType(b.getVariable()), any(float f | f >= 0), _)
+  }
+
   /**
    * Holds if the candidate bound `b + delta` for `phi` is valid for the phi input
    * along the edge with rank `rix`.
@@ -1031,6 +1052,12 @@ module RangeStage<
       or
       selfBoundedPhiInp(phi, rix, upper)
     )
+    or
+    upperBoundedPhiCand(phi, b, delta, fromBackEdge, origdelta, reason) and
+    exists(D::Delta d1 | zeroUpperBoundedPhiInp1(phi, rix, d1) |
+      upper = true and
+      D::toFloat(d1) <= D::toFloat(delta)
+    )
   }
 
   /**
