Merge pull request #4098 from jbj/SimpleRangeAnalysis-mul-constant

C++: Support multiplication by constants in range analysis

Author: MathiasVP

change-notes/1.26/analysis-cpp.md

@@ -21,4 +21,4 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 
 * The models library now models many more taint flows through `std::string`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
-  `e1 * e2` when `e1` and `e2` are unsigned.
+  `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.

cpp/ql/src/semmle/code/cpp/exprs/Expr.qll

@@ -539,6 +539,17 @@ class BinaryOperation extends Operation, @bin_op_expr {
   /** Gets the right operand of this binary operation. */
   Expr getRightOperand() { this.hasChild(result, 1) }
 
+  /**
+   * Holds if `e1` and `e2` (in either order) are the two operands of this
+   * binary operation.
+   */
+  predicate hasOperands(Expr e1, Expr e2) {
+    exists(int i | i in [0, 1] |
+      this.hasChild(e1, i) and
+      this.hasChild(e2, 1 - i)
+    )
+  }
+
   override string toString() { result = "... " + this.getOperator() + " ..." }
 
   override predicate mayBeImpure() {