C++: Fix SimpleRangeAnalysis for AssignOperation

The range analysis wasn't producing useful bounds for `AssignOperation`s
(`+=`, `-=`) unless their RHS involved a variable. This is because a
shortcut was made in the `analyzableDef` predicate, which used to
specify that an analyzable definition was one for which we'd specified
the dependencies. But we can't distinguish between having _no
dependencies_ and having _no specification of the dependencies_.

The fix is to be more explicit about which definitions are analyzable.
To avoid too much repetition I'm still calling out to `analyzableExpr`
in the new code.

Author: jbj

cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -391,9 +391,17 @@ private predicate assignmentDef(RangeSsaDefinition def, StackVariable v, Expr ex
   )
 }
 
-/** See comment above sourceDef. */
+/** See comment above assignmentDef. */
 private predicate analyzableDef(RangeSsaDefinition def, StackVariable v) {
-  assignmentDef(def, v, _) or defDependsOnDef(def, v, _, _)
+  assignmentDef(def, v, _)
+  or
+  analyzableExpr(def.(AssignOperation)) and
+  v = def.getAVariable()
+  or
+  analyzableExpr(def.(CrementOperation)) and
+  v = def.getAVariable()
+  or
+  phiDependsOnDef(def, v, _, _)
 }
 
 /**

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected

@@ -427,19 +427,19 @@
 | test.c:408:7:408:7 | i | 10 |
 | test.c:410:3:410:3 | i | -2147483648 |
 | test.c:411:3:411:3 | i | 10 |
-| test.c:412:7:412:7 | i | -2147483648 |
+| test.c:412:7:412:7 | i | 20 |
 | test.c:414:3:414:3 | i | -2147483648 |
 | test.c:415:3:415:3 | i | 40 |
-| test.c:416:7:416:7 | i | -2147483648 |
+| test.c:416:7:416:7 | i | 30 |
 | test.c:418:3:418:3 | i | -2147483648 |
 | test.c:418:7:418:7 | j | -2147483648 |
 | test.c:419:7:419:7 | i | 40 |
 | test.c:421:3:421:3 | i | -2147483648 |
 | test.c:421:8:421:8 | j | 40 |
 | test.c:422:7:422:7 | i | 50 |
 | test.c:424:3:424:3 | i | -2147483648 |
-| test.c:424:13:424:13 | j | -2147483648 |
-| test.c:425:7:425:7 | i | -2147483648 |
+| test.c:424:13:424:13 | j | 50 |
+| test.c:425:7:425:7 | i | 60 |
 | test.c:432:12:432:12 | a | 0 |
 | test.c:432:17:432:17 | a | 3 |
 | test.c:432:33:432:33 | b | 0 |

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c

@@ -422,7 +422,7 @@ void test17() {
   out(i); // 50
 
   i = 20 + (j -= 10);
-  out(i); // 60 [BUG: the analysis thinks it's 2^-31 .. 2^31-1]
+  out(i); // 60
 }
 
 // Tests for unsigned multiplication.

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected

@@ -427,19 +427,19 @@
 | test.c:408:7:408:7 | i | 10 |
 | test.c:410:3:410:3 | i | 2147483647 |
 | test.c:411:3:411:3 | i | 10 |
-| test.c:412:7:412:7 | i | 2147483647 |
+| test.c:412:7:412:7 | i | 20 |
 | test.c:414:3:414:3 | i | 2147483647 |
 | test.c:415:3:415:3 | i | 40 |
-| test.c:416:7:416:7 | i | 2147483647 |
+| test.c:416:7:416:7 | i | 30 |
 | test.c:418:3:418:3 | i | 2147483647 |
 | test.c:418:7:418:7 | j | 2147483647 |
 | test.c:419:7:419:7 | i | 40 |
 | test.c:421:3:421:3 | i | 2147483647 |
 | test.c:421:8:421:8 | j | 40 |
 | test.c:422:7:422:7 | i | 50 |
 | test.c:424:3:424:3 | i | 2147483647 |
-| test.c:424:13:424:13 | j | 2147483647 |
-| test.c:425:7:425:7 | i | 2147483647 |
+| test.c:424:13:424:13 | j | 50 |
+| test.c:425:7:425:7 | i | 60 |
 | test.c:432:12:432:12 | a | 4294967295 |
 | test.c:432:17:432:17 | a | 4294967295 |
 | test.c:432:33:432:33 | b | 4294967295 |