Merge pull request #20400 from MathiasVP/cleanup-incorrect-scanf-query

C++: Cleanup `ScanfChecks.qll`

cpp/ql/src/Critical/ScanfChecks.qll

@@ -4,13 +4,9 @@ private import semmle.code.cpp.controlflow.IRGuards
 private import semmle.code.cpp.ir.ValueNumbering
 
 private predicate exprInBooleanContext(Expr e) {
-  exists(IRGuardCondition gc |
+  exists(IRGuardCondition gc, Instruction i |
-    exists(Instruction i |
+    i.getUnconvertedResultExpression() = e and
-      i.getUnconvertedResultExpression() = e and
+    gc.comparesEq(valueNumber(i).getAUse(), 0, _, _)
-      gc.comparesEq(valueNumber(i).getAUse(), 0, _, _)
-    )
-    or
-    gc.getUnconvertedResultExpression() = e
   )
 }
 
@@ -36,20 +32,18 @@ private string getEofValue() {
  * Holds if the value of `call` has been checked to not equal `EOF`.
  */
 private predicate checkedForEof(ScanfFunctionCall call) {
-  exists(IRGuardCondition gc |
+  exists(IRGuardCondition gc, CallInstruction i | i.getUnconvertedResultExpression() = call |
-    exists(CallInstruction i | i.getUnconvertedResultExpression() = call |
+    exists(int val | gc.comparesEq(valueNumber(i).getAUse(), val, _, _) |
-      exists(int val | gc.comparesEq(valueNumber(i).getAUse(), val, _, _) |
+      // call == EOF
-        // call == EOF
+      val = getEofValue().toInt()
-        val = getEofValue().toInt()
-        or
-        // call == [any positive number]
-        val > 0
-      )
       or
-      exists(int val | gc.comparesLt(valueNumber(i).getAUse(), val, true, _) |
+      // call == [any positive number]
-        // call < [any non-negative number] (EOF is guaranteed to be negative)
+      val > 0
-        val >= 0
+    )
-      )
+    or
+    exists(int val | gc.comparesLt(valueNumber(i).getAUse(), val, true, _) |
+      // call < [any non-negative number] (EOF is guaranteed to be negative)
+      val >= 0
     )
   )
 }