Added a FP test case and corrected the leap year logic to no longer flag this case.

bdrodes · bdrodes · commit 1f63bee67466 · 2026-02-03T09:38:47.000-05:00
diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
@@ -629,27 +629,36 @@ class LeapYearGuardCondition extends GuardCondition {
       // form: `(year % 4 == 0) && (year % 100 != 0 || year % 400 == 0)`
       // or : `!((year % 4 == 0) && (year % 100 != 0 || year % 400 == 0))`
       // Also accepting `((year & 3) == 0) && (year % 100 != 0 || year % 400 == 0)`
+      // and `(year % 4 == 0) && (year % 100 > 0 || year % 400 == 0)`
       this = andExpr and
       andExpr.hasOperands(div4Check, orExpr) and
       orExpr.hasOperands(div100Check, div400Check) and
       (
+        // year % 4 == 0
         exists(RemExpr e |
           div4Check.comparesEq(e, 0, true, gv) and
           e.getRightOperand().getValue().toInt() = 4 and
           yearSinkDiv4 = e.getLeftOperand()
         )
         or
+        // year & 3 == 0
         exists(BitwiseAndExpr e |
           div4Check.comparesEq(e, 0, true, gv) and
           e.getRightOperand().getValue().toInt() = 3 and
           yearSinkDiv4 = e.getLeftOperand()
         )
       ) and
       exists(RemExpr e |
-        div100Check.comparesEq(e, 0, false, gv) and
+        (
+          // year % 100 != 0 or year % 100 > 0
+          div100Check.comparesEq(e, 0, false, gv)
+          or
+          div100Check.comparesLt(e, 1, false, gv)
+        ) and
         e.getRightOperand().getValue().toInt() = 100 and
         yearSinkDiv100 = e.getLeftOperand()
       ) and
+      // year % 400 == 0
       exists(RemExpr e |
         div400Check.comparesEq(e, 0, true, gv) and
         e.getRightOperand().getValue().toInt() = 400 and
@@ -659,29 +668,41 @@ class LeapYearGuardCondition extends GuardCondition {
       // Inverted logic case:
       //  `year % 4 != 0 || (year % 100 == 0 && year % 400 != 0)`
       // or `year & 3 != 0 || (year % 100 == 0 && year % 400 != 0)`
+      // also accepting `year % 4 > 0 || (year % 100 == 0 && year % 400 > 0)`
       this = orExpr and
       orExpr.hasOperands(div4Check, andExpr) and
       andExpr.hasOperands(div100Check, div400Check) and
       (
+        // year % 4 != 0 or year % 4 > 0
         exists(RemExpr e |
-          div4Check.comparesEq(e, 0, false, gv) and
+          (
+            div4Check.comparesEq(e, 0, false, gv) or
+            div4Check.comparesLt(e, 1, false, gv)
+          ) and
           e.getRightOperand().getValue().toInt() = 4 and
           yearSinkDiv4 = e.getLeftOperand()
         )
         or
+        // year & 3 != 0
         exists(BitwiseAndExpr e |
           div4Check.comparesEq(e, 0, false, gv) and
           e.getRightOperand().getValue().toInt() = 3 and
           yearSinkDiv4 = e.getLeftOperand()
         )
       ) and
+      // year % 100 == 0
       exists(RemExpr e |
         div100Check.comparesEq(e, 0, true, gv) and
         e.getRightOperand().getValue().toInt() = 100 and
         yearSinkDiv100 = e.getLeftOperand()
       ) and
+      // year % 400 != 0 or year % 400 > 0
       exists(RemExpr e |
-        div400Check.comparesEq(e, 0, false, gv) and
+        (
+          div400Check.comparesEq(e, 0, false, gv)
+          or
+          div400Check.comparesLt(e, 1, false, gv)
+        ) and
         e.getRightOperand().getValue().toInt() = 400 and
         yearSinkDiv400 = e.getLeftOperand()
       )
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected
@@ -23,7 +23,7 @@
 | test.cpp:1505:2:1505:22 | ... += ... | test.cpp:1505:2:1505:22 | ... += ... | test.cpp:1505:2:1505:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
 | test.cpp:1584:2:1584:22 | ... += ... | test.cpp:1584:2:1584:22 | ... += ... | test.cpp:1584:2:1584:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
 | test.cpp:1596:2:1596:22 | ... += ... | test.cpp:1596:2:1596:22 | ... += ... | test.cpp:1596:2:1596:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
-| test.cpp:1609:2:1609:22 | ... += ... | test.cpp:1609:2:1609:22 | ... += ... | test.cpp:1609:2:1609:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1629:2:1629:22 | ... += ... | test.cpp:1629:2:1629:22 | ... += ... | test.cpp:1629:2:1629:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
 edges
 | test.cpp:813:21:813:40 | ... + ... | test.cpp:813:2:813:40 | ... = ... | provenance |  |
 | test.cpp:818:13:818:24 | ... + ... | test.cpp:818:2:818:24 | ... = ... | provenance |  |
@@ -158,8 +158,10 @@ nodes
 | test.cpp:1573:2:1573:22 | ... += ... | semmle.label | ... += ... |
 | test.cpp:1584:2:1584:22 | ... += ... | semmle.label | ... += ... |
 | test.cpp:1596:2:1596:22 | ... += ... | semmle.label | ... += ... |
-| test.cpp:1609:2:1609:22 | ... += ... | semmle.label | ... += ... |
-| test.cpp:1644:2:1644:22 | ... += ... | semmle.label | ... += ... |
-| test.cpp:1649:2:1649:22 | ... += ... | semmle.label | ... += ... |
-| test.cpp:1678:2:1678:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1608:2:1608:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1618:2:1618:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1629:2:1629:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1664:2:1664:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1669:2:1669:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1698:2:1698:22 | ... += ... | semmle.label | ... += ... |
 subpaths
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp
@@ -1604,6 +1604,26 @@ void odd_leap_year_check3(tm timeinfo){
 	}
 }
 
+void odd_leap_year_check4(tm timeinfo){
+	timeinfo.tm_year += 1; 
+	WORD year = timeinfo.tm_year + 1900;
+
+	if( (year % 4 == 0) && (year % 100 > 0 || (year % 400 == 0)))
+	{
+		// do something
+	}
+}
+
+void odd_leap_year_check5(tm timeinfo){
+	timeinfo.tm_year += 1; 
+	WORD year = timeinfo.tm_year + 1900;
+
+	if( (year % 4 > 0) || (year % 100 == 0 && (year % 400 > 0)))
+	{
+		// do something
+	}
+}
+
 
 void date_adjusted_through_mkgmtime(tm timeinfo){
 	timeinfo.tm_year += 1; // $ SPURIOUS: Alert[cpp/microsoft/public/leap-year/unchecked-after-arithmetic-year-modification]
