[CPP-434] Much improved query (producing only true positives on a run of 75 projects).

cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql

@@ -14,16 +14,12 @@
 import cpp
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
-private predicate sameAccess(VariableAccess va1, VariableAccess va2) {
-  globalValueNumber(va1) = globalValueNumber(va2)
-}
-
 from RelationalOperation ro, AddExpr add, VariableAccess va1, VariableAccess va2
 where
   ro.getAnOperand() = add and
   add.getAnOperand() = va1 and
   ro.getAnOperand() = va2 and
-  sameAccess(va1, va2) and
-  add.getExplicitlyConverted().getType().(IntegralType).isSigned() and
-  va2.getExplicitlyConverted().getType().(IntegralType).isSigned()
+  globalValueNumber(va1) = globalValueNumber(va2) and
+  add.getFullyConverted().getType().getUnspecifiedType().(IntegralType).isSigned() and
+  not add.getExplicitlyConverted().getType().getUnspecifiedType().(IntegralType).isUnsigned()
 select ro, "Testing for signed overflow may produce undefined results."

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.cpp

@@ -32,7 +32,7 @@ bool shortShort1(unsigned short n1, unsigned short delta) {
     // clang 8.0.0 -O2: deleted
     // gcc 9.2 -O2: deleted
     // msvc 19.22 /O2: not deleted
-	return n1 + delta < n1; // BAD [NOT DETECTED]
+	return n1 + delta < n1; // BAD
 }
 
 bool shortShort2(unsigned short n1, unsigned short delta) {

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/SignedOverflowCheck/SignedOverflowCheck.expected

@@ -1,2 +1,3 @@
 | SignedOverflowCheck.cpp:8:12:8:22 | ... < ... | Testing for signed overflow may produce undefined results. |
 | SignedOverflowCheck.cpp:18:12:18:26 | ... < ... | Testing for signed overflow may produce undefined results. |
+| SignedOverflowCheck.cpp:35:9:35:23 | ... < ... | Testing for signed overflow may produce undefined results. |