C++: Fix some Ql4Ql violations.

cpp/ql/src/Best Practices/Magic Constants/MagicConstants.qll

@@ -164,12 +164,17 @@ predicate valueOccurrenceCount(string value, int n) {
   n > 20
 }
 
-predicate occurenceCount(Literal lit, string value, int n) {
+predicate occurrenceCount(Literal lit, string value, int n) {
   valueOccurrenceCount(value, n) and
   value = lit.getValue() and
   nonTrivialValue(_, lit)
 }
 
+/**
+ * DEPRECATED: Use `occurrenceCount` instead.
+ */
+deprecated predicate occurenceCount = occurrenceCount/3;
+
 /*
  * Literals repeated frequently
  */
@@ -178,7 +183,7 @@ predicate check(Literal lit, string value, int n, File f) {
   // Check that the literal is nontrivial
   not trivial(lit) and
   // Check that it is repeated a number of times
-  occurenceCount(lit, value, n) and
+  occurrenceCount(lit, value, n) and
   n > 20 and
   f = lit.getFile() and
   // Exclude generated files

cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll

@@ -128,11 +128,18 @@ abstract class LeapYearFieldAccess extends YearFieldAccess {
   /**
    * Holds if the top-level binary operation includes an addition or subtraction operator with an operand specified by `valueToCheck`.
    */
-  predicate additionalAdditionOrSubstractionCheckForLeapYear(int valueToCheck) {
+  predicate additionalAdditionOrSubtractionCheckForLeapYear(int valueToCheck) {
     additionalLogicalCheck(this, "+", valueToCheck) or
     additionalLogicalCheck(this, "-", valueToCheck)
   }
 
+  /**
+   * DEPRECATED: Use `additionalAdditionOrSubtractionCheckForLeapYear` instead.
+   */
+  deprecated predicate additionalAdditionOrSubstractionCheckForLeapYear(int valueToCheck) {
+    this.additionalAdditionOrSubtractionCheckForLeapYear(valueToCheck)
+  }
+
   /**
    * Holds if this object is used on a modulus 4 operation, which would likely indicate the start of a leap year check.
    */
@@ -180,13 +187,13 @@ class StructTmLeapYearFieldAccess extends LeapYearFieldAccess {
     this.additionalModulusCheckForLeapYear(100) and
     // tm_year represents years since 1900
     (
-      this.additionalAdditionOrSubstractionCheckForLeapYear(1900)
+      this.additionalAdditionOrSubtractionCheckForLeapYear(1900)
       or
       // some systems may use 2000 for 2-digit year conversions
-      this.additionalAdditionOrSubstractionCheckForLeapYear(2000)
+      this.additionalAdditionOrSubtractionCheckForLeapYear(2000)
       or
       // converting from/to Unix epoch
-      this.additionalAdditionOrSubstractionCheckForLeapYear(1970)
+      this.additionalAdditionOrSubtractionCheckForLeapYear(1970)
     )
   }
 }

cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql

@@ -14,7 +14,7 @@ import cpp
 import semmle.code.cpp.security.boostorg.asio.protocols
 
 predicate isSourceImpl(DataFlow::Node source, ConstructorCall cc) {
-  exists(BoostorgAsio::SslContextClass c | c.getAContructorCall() = cc and cc = source.asExpr())
+  exists(BoostorgAsio::SslContextClass c | c.getAConstructorCall() = cc and cc = source.asExpr())
 }
 
 predicate isSinkImpl(DataFlow::Node sink, FunctionCall fcSetOptions) {

cpp/ql/src/Metrics/Internal/CallableExtents.ql

@@ -15,8 +15,8 @@ import cpp
 class RangeFunction extends Function {
   /**
    * Holds if this function is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
+   * The location spans column `sc` of line `sl` to
+   * column `ec` of line `el` in file `path`.
    * For more information, see
    * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */

cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql

@@ -25,10 +25,10 @@ import semmle.code.cpp.controlflow.IRGuards as IRGuards
 predicate outOfBoundsExpr(Expr expr, string kind) {
   if convertedExprMightOverflowPositively(expr)
   then kind = "overflow"
-  else
-    if convertedExprMightOverflowNegatively(expr)
-    then kind = "overflow negatively"
-    else none()
+  else (
+    convertedExprMightOverflowNegatively(expr) and
+    kind = "overflow negatively"
+  )
 }
 
 predicate isSource(FS::FlowSource source, string sourceType) { sourceType = source.getSourceType() }

cpp/ql/src/Security/CWE/CWE-457/UninitializedVariables.qll

@@ -31,27 +31,28 @@ private predicate hasConditionalInitialization(
 class ConditionallyInitializedVariable extends LocalVariable {
   ConditionalInitializationCall call;
   ConditionalInitializationFunction f;
-  VariableAccess initAccess;
   Evidence e;
 
   ConditionallyInitializedVariable() {
     // Find a call that conditionally initializes this variable
-    hasConditionalInitialization(f, call, this, initAccess, e) and
-    // Ignore cases where the variable is assigned prior to the call
-    not reaches(this.getAnAssignedValue(), initAccess) and
-    // Ignore cases where the variable is assigned field-wise prior to the call.
-    not exists(FieldAccess fa |
-      exists(Assignment a |
-        fa = getAFieldAccess(this) and
-        a.getLValue() = fa
+    exists(VariableAccess initAccess |
+      hasConditionalInitialization(f, call, this, initAccess, e) and
+      // Ignore cases where the variable is assigned prior to the call
+      not reaches(this.getAnAssignedValue(), initAccess) and
+      // Ignore cases where the variable is assigned field-wise prior to the call.
+      not exists(FieldAccess fa |
+        exists(Assignment a |
+          fa = getAFieldAccess(this) and
+          a.getLValue() = fa
+        )
+      |
+        reaches(fa, initAccess)
+      ) and
+      // Ignore cases where the variable is assigned by a prior call to an initialization function
+      not exists(Call c |
+        this.getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
+        reaches(c, initAccess)
       )
-    |
-      reaches(fa, initAccess)
-    ) and
-    // Ignore cases where the variable is assigned by a prior call to an initialization function
-    not exists(Call c |
-      this.getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
-      reaches(c, initAccess)
     ) and
     /*
      * Static local variables with constant initializers do not have the initializer expr as part of

cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql

@@ -41,7 +41,7 @@ predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
 }
 
 /**
- * Holds if the function may throw an exception when called. That is, if the body of the function looks
+ * Holds if the function `f` may throw an exception when called. That is, if the body of the function looks
  * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
  */
 predicate functionMayThrow(Function f) {

cpp/ql/src/definitions.ql

@@ -13,6 +13,6 @@ where
   def = definitionOf(e, kind) and
   // We need to exclude definitions for elements inside template instantiations,
   // as these often lead to multiple links to definitions from the same source location.
-  // LGTM does not support this behaviour.
+  // LGTM does not support this behavior.
   not e.isFromTemplateInstantiation(_)
 select e, def, kind

cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.ql

@@ -47,7 +47,7 @@ where
   // for a function parameter
   unchecked.getTarget() = param and
   // this function parameter is not overwritten
-  count(param.getAnAssignment()) = 0 and
+  not exists(param.getAnAssignment()) and
   check.getTarget() = param and
   // which is once checked
   candidateResultChecked(check, eqop) and

cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql

@@ -19,16 +19,17 @@ import cpp
  * Errors when using a variable declaration inside a loop.
  */
 class DangerousWhileLoop extends WhileStmt {
-  Expr exp;
   Declaration dl;
 
   DangerousWhileLoop() {
     this = dl.getParentScope().(BlockStmt).getParent*() and
-    exp = this.getCondition().getAChild*() and
-    not exp instanceof PointerFieldAccess and
-    not exp instanceof ValueFieldAccess and
-    exp.(VariableAccess).getTarget().getName() = dl.getName() and
-    not exp.getParent*() instanceof FunctionCall
+    exists(Expr exp |
+      exp = this.getCondition().getAChild*() and
+      not exp instanceof PointerFieldAccess and
+      not exp instanceof ValueFieldAccess and
+      exp.(VariableAccess).getTarget().getName() = dl.getName() and
+      not exp.getParent*() instanceof FunctionCall
+    )
   }
 
   Declaration getDeclaration() { result = dl }

cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql

@@ -46,7 +46,7 @@ predicate exprMayBeString(Expr exp) {
   )
 }
 
-/** Holds if expression is constant or operator call `sizeof`. */
+/** Holds if expression `exp` is constant or operator call `sizeof`. */
 predicate argConstOrSizeof(Expr exp) {
   exp.getValue().toInt() > 1 or
   exp.(SizeofTypeOperator).getTypeOperand().getSize() > 1

cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql

@@ -15,7 +15,7 @@
 import cpp
 import semmle.code.cpp.commons.Exclusions
 
-/** Holds if a `fc` function call is available before or after a `chdir` function call. */
+/** Holds if a `fcp` function call is available before or after a `chdir` function call. */
 predicate inExistsChdir(FunctionCall fcp) {
   exists(FunctionCall fctmp |
     (
@@ -29,7 +29,7 @@ predicate inExistsChdir(FunctionCall fcp) {
   )
 }
 
-/** Holds if a `fc` function call is available before or after a function call containing a `chdir` call. */
+/** Holds if a `fcp` function call is available before or after a function call containing a `chdir` call. */
 predicate outExistsChdir(FunctionCall fcp) {
   exists(FunctionCall fctmp |
     exists(FunctionCall fctmp2 |

cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql

@@ -266,7 +266,7 @@ class LifetimePointerType extends LifetimeIndirectionType {
 class FullExpr extends Expr {
   FullExpr() {
     // A full-expression is not a subexpression
-    not exists(Expr p | this.getParent() = p)
+    not this.getParent() instanceof Expr
     or
     // A sub-expression that is an unevaluated operand
     this.isUnevaluated()

cpp/ql/src/external/DefectFilter.qll

@@ -5,8 +5,8 @@ import cpp
 /**
  * Holds if `id` in the opaque identifier of a result reported by query `queryPath`,
  * such that `message` is the associated message and the location of the result spans
- * column `startcolumn` of line `startline` to column `endcolumn` of line `endline`
- * in file `filepath`.
+ * column `startcol` of line `startline` to column `endcol` of line `endline`
+ * in file `file`.
  *
  * For more information, see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
  */

cpp/ql/src/external/MetricFilter.qll

@@ -5,8 +5,8 @@ import cpp
 /**
  * Holds if `id` in the opaque identifier of a result reported by query `queryPath`,
  * such that `value` is the reported metric value and the location of the result spans
- * column `startcolumn` of line `startline` to column `endcolumn` of line `endline`
- * in file `filepath`.
+ * column `startcol` of line `startline` to column `endcol` of line `endline`
+ * in file `file`.
  *
  * For more information, see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
  */

cpp/ql/src/jsf/4.10 Classes/AV Rule 96.ql

@@ -28,7 +28,7 @@ where
   exists(FunctionCall c, int i, Function f |
     c.getArgument(i) = e and
     c.getTarget() = f and
-    exists(Parameter p | f.getParameter(i) = p) and // varargs
+    exists(f.getParameter(i)) and // varargs
     baseElement(e.getType(), cl) and // only interested in arrays with classes
     not compatible(f.getParameter(i).getUnspecifiedType(), e.getUnspecifiedType())
   )