cklin
diff --git a/‎cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll
Lines changed: 19 additions & 12 deletions b/‎cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll
Lines changed: 19 additions & 12 deletions
diff --git a/‎cpp/ql/test/library-tests/ir/range-analysis/Overflow.ql
Lines changed: 25 additions & 0 deletions b/‎cpp/ql/test/library-tests/ir/range-analysis/Overflow.ql
Lines changed: 25 additions & 0 deletions
@@ -941,6 +941,17 @@ module RangeStage<
       semExprDoesntOverflow(upper.booleanNot(), e)
       or
       not potentiallyOverflowingExpr(upper.booleanNot(), e)
+      or
+      initialBounded(e, any(SemZeroBound z), _, upper.booleanNot(), _, _, _)
+      or
+      exists(D::Delta otherDelta |
+        initialBounded(e, _, otherDelta, upper.booleanNot(), _, _, _) and
+        (
+          upper = true and D::toFloat(otherDelta) >= 0
+          or
+          upper = false and D::toFloat(otherDelta) <= 0
+        )
+      )
     )
   }
 
@@ -952,16 +963,14 @@ module RangeStage<
     (
       positively = true and
       (
-        not semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TPos()
-        or
-        not semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TPos()
+        semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TPos() and
+        semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TPos()
       )
       or
       positively = false and
       (
-        not semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TNeg()
-        or
-        not semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TNeg()
+        semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TNeg() and
+        semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TNeg()
       )
     )
     or
@@ -972,16 +981,14 @@ module RangeStage<
     (
       positively = true and
       (
-        not semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TPos()
-        or
-        not semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TNeg()
+        semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TPos() and
+        semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TNeg()
       )
       or
       positively = false and
       (
-        not semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TNeg()
-        or
-        not semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TPos()
+        semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TNeg() and
+        semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TPos()
       )
     )
     or
 
@@ -0,0 +1,25 @@
+import cpp
+import experimental.semmle.code.cpp.semantic.analysis.SimpleRangeAnalysis
+import TestUtilities.InlineExpectationsTest
+
+class RangeAnalysisTest extends InlineExpectationsTest {
+  RangeAnalysisTest() { this = "RangeAnalysisTest" }
+
+  override string getARelevantTag() { result = "overflow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(Expr e |
+      /*call.getArgument(0) = e and
+      call.getTarget().hasName("range") and*/
+      tag = "overflow" and
+      element = e.toString() and
+      location = e.getLocation() and
+      value =
+        strictconcat(string s |
+          s = "+" and exprMightOverflowPositively(e)
+          or
+          s = "-" and exprMightOverflowNegatively(e)
+        )
+    )
+  }
+}
Original file line number	Diff line number	Diff line change
`@@ -941,6 +941,17 @@ module RangeStage<`
`941`	`941`	`semExprDoesntOverflow(upper.booleanNot(), e)`
`942`	`942`	`or`
`943`	`943`	`not potentiallyOverflowingExpr(upper.booleanNot(), e)`
	`944`	`+ or`
	`945`	`+ initialBounded(e, any(SemZeroBound z), _, upper.booleanNot(), _, _, _)`
	`946`	`+ or`
	`947`	`+ exists(D::Delta otherDelta \|`
	`948`	`+ initialBounded(e, _, otherDelta, upper.booleanNot(), _, _, _) and`
	`949`	`+ (`
	`950`	`+ upper = true and D::toFloat(otherDelta) >= 0`
	`951`	`+ or`
	`952`	`+ upper = false and D::toFloat(otherDelta) <= 0`
	`953`	`+ )`
	`954`	`+ )`
`944`	`955`	`)`
`945`	`956`	`}`
`946`	`957`
`@@ -952,16 +963,14 @@ module RangeStage<`
`952`	`963`	`(`
`953`	`964`	`positively = true and`
`954`	`965`	`(`
`955`		`- not semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TPos()`
`956`		`- or`
`957`		`- not semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TPos()`
	`966`	`+ semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TPos() and`
	`967`	`+ semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TPos()`
`958`	`968`	`)`
`959`	`969`	`or`
`960`	`970`	`positively = false and`
`961`	`971`	`(`
`962`		`- not semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TNeg()`
`963`		`- or`
`964`		`- not semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TNeg()`
	`972`	`+ semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TNeg() and`
	`973`	`+ semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TNeg()`
`965`	`974`	`)`
`966`	`975`	`)`
`967`	`976`	`or`
`@@ -972,16 +981,14 @@ module RangeStage<`
`972`	`981`	`(`
`973`	`982`	`positively = true and`
`974`	`983`	`(`
`975`		`- not semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TPos()`
`976`		`- or`
`977`		`- not semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TNeg()`
	`984`	`+ semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TPos() and`
	`985`	`+ semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TNeg()`
`978`	`986`	`)`
`979`	`987`	`or`
`980`	`988`	`positively = false and`
`981`	`989`	`(`
`982`		`- not semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TNeg()`
`983`		`- or`
`984`		`- not semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TPos()`
	`990`	`+ semExprSign(expr.(SemBinaryExpr).getLeftOperand()) = TNeg() and`
	`991`	`+ semExprSign(expr.(SemBinaryExpr).getRightOperand()) = TPos()`
`985`	`992`	`)`
`986`	`993`	`)`
`987`	`994`	`or`