Merge pull request #20325 from michaelnebel/cpp/ql4ql

C++: Fix some Ql4Ql violations.

cpp/ql/lib/Options.qll

@@ -35,7 +35,7 @@ class CustomOptions extends Options {
   override predicate returnsNull(Call call) { Options.super.returnsNull(call) }
 
   /**
-   * Holds if a call to this function will never return.
+   * Holds if a call to the function `f` will never return.
    *
    * By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
    * `longjmp`, `error`, `__builtin_unreachable` and any function with a

cpp/ql/lib/change-notes/2025-09-03-rename-api.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The predicate `getAContructorCall` in the class `SslContextClass` has been deprecated. Use `getAConstructorCall` instead.

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll

@@ -298,10 +298,11 @@ private predicate boundFlowStep(Instruction i, NonPhiOperand op, int delta, bool
       else
         if strictlyNegative(x)
         then upper = true and delta = -1
-        else
-          if negative(x)
-          then upper = true and delta = 0
-          else none()
+        else (
+          negative(x) and
+          upper = true and
+          delta = 0
+        )
   )
   or
   exists(Operand x |
@@ -321,10 +322,11 @@ private predicate boundFlowStep(Instruction i, NonPhiOperand op, int delta, bool
       else
         if strictlyNegative(x)
         then upper = false and delta = 1
-        else
-          if negative(x)
-          then upper = false and delta = 0
-          else none()
+        else (
+          negative(x) and
+          upper = false and
+          delta = 0
+        )
   )
   or
   i.(RemInstruction).getRightOperand() = op and positive(op) and delta = -1 and upper = true

cpp/ql/lib/semmle/code/cpp/Concept.qll

@@ -198,7 +198,7 @@ class ConceptIdExpr extends Expr, @concept_id {
   final Locatable getATemplateArgumentKind() { result = this.getTemplateArgumentKind(_) }
 
   /**
-   * Gets the `i`th template argument passed to the concept.
+   * Gets template argument at index `index` passed to the concept, if any.
    *
    * For example, if:
    * ```cpp
@@ -219,7 +219,7 @@ class ConceptIdExpr extends Expr, @concept_id {
   }
 
   /**
-   * Gets the kind of the `i`th template argument value passed to the concept.
+   * Gets the kind of the template argument value at index `index` passed to the concept, if any.
    *
    * For example, if:
    * ```cpp

cpp/ql/lib/semmle/code/cpp/Declaration.qll

@@ -223,8 +223,8 @@ class Declaration extends Locatable, @declaration {
   final Locatable getATemplateArgumentKind() { result = this.getTemplateArgumentKind(_) }
 
   /**
-   * Gets the `i`th template argument used to instantiate this declaration from a
-   * template.
+   * Gets the template argument at index `index` used to instantiate this declaration from a
+   * template, if any.
    *
    * For example:
    *
@@ -245,9 +245,9 @@ class Declaration extends Locatable, @declaration {
   }
 
   /**
-   * Gets the `i`th template argument value used to instantiate this declaration
-   * from a template. When called on a template, this will return the `i`th template
-   * parameter value if it exists.
+   * Gets the template argument value at index `index` used to instantiate this declaration
+   * from a template. When called on a template, this will return the template
+   * parameter value at index `index` if it exists.
    *
    * For example:
    *

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -877,7 +877,7 @@ class FormatLiteral extends Literal instanceof StringLiteral {
   }
 
   /**
-   * Gets the char type required by the nth conversion specifier.
+   * Gets the char type required by the `n`th conversion specifier.
    *  - in the base case this is the default for the formatting function
    *    (e.g. `char` for `printf`, `char` or `wchar_t` for `wprintf`).
    *  - the `%C` format character reverses wideness.
@@ -922,7 +922,7 @@ class FormatLiteral extends Literal instanceof StringLiteral {
   }
 
   /**
-   * Gets the string type required by the nth conversion specifier.
+   * Gets the string type required by the `n`th conversion specifier.
    *  - in the base case this is the default for the formatting function
    *    (e.g. `char *` for `printf`, `char *` or `wchar_t *` for `wprintf`).
    *  - the `%S` format character reverses wideness on some platforms.

cpp/ql/lib/semmle/code/cpp/controlflow/Dominance.qll

@@ -101,7 +101,7 @@ predicate postDominates(ControlFlowNode postDominator, ControlFlowNode node) {
  */
 
 /**
- * Holds if `dominator` is an immediate dominator of `node` in the control-flow
+ * Holds if `dom` is an immediate dominator of `node` in the control-flow
  * graph of basic blocks.
  */
 predicate bbIDominates(BasicBlock dom, BasicBlock node) =
@@ -117,7 +117,7 @@ private predicate bb_predecessor(BasicBlock succ, BasicBlock pred) { bb_successo
 private predicate bb_exit(ExitBasicBlock exit) { any() }
 
 /**
- * Holds if `postDominator` is an immediate post-dominator of `node` in the control-flow
+ * Holds if `pDom` is an immediate post-dominator of `node` in the control-flow
  * graph of basic blocks.
  */
 predicate bbIPostDominates(BasicBlock pDom, BasicBlock node) =

cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll

@@ -1042,8 +1042,8 @@ private predicate subEdgeIncludingDestructors(Pos p1, Node n1, Node n2, Pos p2)
  * - `MicrosoftTryFinallyStmt`: On the edge following the `__finally` block for
  *   the case where an exception was thrown and needs to be propagated.
  */
-DestructorCall getSynthesisedDestructorCallAfterNode(Node n, int i) {
-  synthetic_destructor_call(n, i, result)
+DestructorCall getSynthesisedDestructorCallAfterNode(Node node, int index) {
+  synthetic_destructor_call(node, index, result)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -834,8 +834,10 @@ class ContentSet instanceof Content {
    * For more information, see
    * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    super.hasLocationInfo(path, sl, sc, el, ec)
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -2273,8 +2273,10 @@ class ContentSet instanceof Content {
    * For more information, see
    * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    super.hasLocationInfo(path, sl, sc, el, ec)
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -50,7 +50,7 @@ CppType getEllipsisVariablePRValueType() {
 CppType getEllipsisVariableGLValueType() { result = getTypeForGLValue(any(UnknownType t)) }
 
 /**
- * Holds if the function returns a value, as opposed to returning `void`.
+ * Holds if the function `func` returns a value, as opposed to returning `void`.
  */
 predicate hasReturnValue(Function func) { not func.getUnspecifiedType() instanceof VoidType }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -601,7 +601,7 @@ class TranslatedReturnVoidStmt extends TranslatedReturnStmt {
  * The IR translation of an implicit `return` statement generated by the extractor to handle control
  * flow that reaches the end of a non-`void`-returning function body. Such control flow
  * produces undefined behavior in C++ but not in C. However even in C using the return value is
- * undefined behaviour. We make it return uninitialized memory to get as much flow as possible.
+ * undefined behavior. We make it return uninitialized memory to get as much flow as possible.
  */
 class TranslatedNoValueReturnStmt extends TranslatedReturnStmt, TranslatedVariableInitialization {
   TranslatedNoValueReturnStmt() {

cpp/ql/lib/semmle/code/cpp/ir/internal/IRUtilities.qll

@@ -49,7 +49,8 @@ Type getVariableType(Variable v) {
 }
 
 /**
- * Holds if the database contains a `case` label with the specified minimum and maximum value.
+ * Holds if the database contains a `switchCase` label with the specified minimum `minValue`
+ * and maximum `maxValue` value.
  */
 predicate hasCaseEdge(SwitchCase switchCase, string minValue, string maxValue) {
   minValue = switchCase.getExpr().getFullyConverted().getValue() and

cpp/ql/lib/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll

@@ -371,7 +371,7 @@ class FunctionOutput extends TFunctionOutput {
   /**
    * Holds if this is the output value pointed to by a pointer parameter to a function, or the
    * output value referred to by a reference parameter to a function, where the parameter has
-   * index `index`.
+   * index `i`.
    *
    * Example:
    * ```
@@ -389,7 +389,7 @@ class FunctionOutput extends TFunctionOutput {
   /**
    * Holds if this is the output value pointed to by a pointer parameter (through `ind` number
    * of indirections) to a function, or the output value referred to by a reference parameter to
-   * a function, where the parameter has index `index`.
+   * a function, where the parameter has index `i`.
    *
    * Example:
    * ```

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll

@@ -307,13 +307,12 @@ class SemStoreExpr extends SemUnaryExpr {
 }
 
 class SemConditionalExpr extends SemKnownExpr {
-  SemExpr condition;
   SemExpr trueResult;
   SemExpr falseResult;
 
   SemConditionalExpr() {
     opcode instanceof Opcode::Conditional and
-    Specific::conditionalExpr(this, type, condition, trueResult, falseResult)
+    Specific::conditionalExpr(this, type, any(SemExpr condition), trueResult, falseResult)
   }
 
   final SemExpr getBranchExpr(boolean branch) {

cpp/ql/lib/semmle/code/cpp/security/FileWrite.qll

@@ -21,7 +21,9 @@ class FileWrite extends Expr {
   Expr getDest() { fileWrite(this, _, result) }
 
   /**
-   * Gets the conversion character for this write, if it exists and is known. For example in the following code the write of `value1` has conversion character `"s"`, whereas the write of `value2` has no conversion specifier.
+   * Gets the conversion character from `source` for this write, if it exists and is known.
+   * For example in the following code the write of `value1` has conversion character `"s"`, whereas
+   * the write of `value2` has no conversion specifier.
    * ```
    * fprintf(file, "%s", value1);
    * stream << value2;

cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll

@@ -191,11 +191,19 @@ module BoostorgAsio {
   class SslContextClass extends Class {
     SslContextClass() { this.getQualifiedName() = "boost::asio::ssl::context" }
 
-    ConstructorCall getAContructorCall() {
+    /**
+     * Gets a constructor call, if any.
+     */
+    ConstructorCall getAConstructorCall() {
       this.getAConstructor().getACallToThisFunction() = result and
       not result.getLocation().getFile().toString().matches("%/boost/asio/%") and
       result.fromSource()
     }
+
+    /**
+     * DEPRECATED: Use `getAConstructorCall` instead.
+     */
+    deprecated ConstructorCall getAContructorCall() { result = this.getAConstructorCall() }
   }
 
   /**
@@ -368,7 +376,7 @@ module BoostorgAsio {
      */
     default predicate isSink(DataFlow::Node sink) {
       exists(ConstructorCall cc, SslContextClass c, Expr e | e = sink.asExpr() |
-        c.getAContructorCall() = cc and
+        c.getAConstructorCall() = cc and
         cc.getArgument(0) = e
       )
     }
@@ -468,7 +476,7 @@ module BoostorgAsio {
     predicate isSource(DataFlow::Node source) {
       exists(SslContextClass c, ConstructorCall cc |
         cc = source.asExpr() and
-        c.getAContructorCall() = cc
+        c.getAConstructorCall() = cc
       )
     }