C++: Fixed handling of false negative. Query now supports global variables

Author: MathiasVP

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql

@@ -132,7 +132,7 @@ class SubAnalyzableExpr extends AnalyzableExpr, SubExpr {
 }
 
 class VarAnalyzableExpr extends AnalyzableExpr, VariableAccess {
-  VarAnalyzableExpr() { not exists(this.getQualifier()) }
+  VarAnalyzableExpr() { this.getTarget() instanceof StackVariable }
 
   override float maxValue() {
     exists(SsaDefinition def, Variable v |

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c

@@ -117,4 +117,12 @@ void g2(struct A* a, short n) {
     unsigned long ulong1, ulong2;
     ulong1 = (a->s - 1) * ((*a).s + 1); // GOOD
     ulong2 = a->i * (*a).i; // BAD
+}
+
+int global_i;
+unsigned char global_uchar;
+void g3() {
+    unsigned long ulong1, ulong2;
+    ulong1 = global_i * global_i; // BAD
+    ulong2 = (global_uchar + 1) * 2; // GOOD
 }

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected

@@ -11,3 +11,4 @@
 | IntMultToLong.c:103:14:103:46 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |
 | IntMultToLong.c:108:14:108:78 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |
 | IntMultToLong.c:119:14:119:26 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |
+| IntMultToLong.c:126:14:126:32 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'unsigned long'. |