C++: Update documentation.

MathiasVP · MathiasVP · commit 375f0ea8b66a · 2023-10-30T15:57:30.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll
@@ -23,9 +23,7 @@
  * configuration (see `InvalidPointerToDerefConfig`).
  *
  * The dataflow traversal defines the set of sources as any dataflow node `n` such that there exists a pointer-arithmetic
- * instruction `pai` found by `AllocationToInvalidPointer.qll` and a `n.asInstruction() >= pai + deltaDerefSourceAndPai`.
- * Here, `deltaDerefSourceAndPai` is the constant difference between the source we track for finding a dereference and the
- * pointer-arithmetic instruction.
+ * instruction `pai` found by `AllocationToInvalidPointer.qll` and a `n.asInstruction() = pai`.
  *
  * The set of sinks is defined as any dataflow node `n` such that `addr <= n.asInstruction() + deltaDerefSinkAndDerefAddress`
  * for some address operand `addr` and constant difference `deltaDerefSinkAndDerefAddress`. Since an address operand is
@@ -37,9 +35,8 @@
  * `deltaDerefSinkAndDerefAddress >= 0`. The load attached to `*p` is the "operation". To ensure that the path makes
  * intuitive sense, we only pick operations that are control-flow reachable from the dereference sink.
  *
- * To compute how many elements the dereference is beyond the end position of the allocation, we sum the two deltas
- * `deltaDerefSourceAndPai` and `deltaDerefSinkAndDerefAddress`. This is done in the `operationIsOffBy` predicate
- * (which is the only predicate exposed by this file).
+ * We use the `deltaDerefSinkAndDerefAddress` to compute how many elements the dereference is beyond the end position of
+ * the allocation. This is done in the `operationIsOffBy` predicate (which is the only predicate exposed by this file).
  *
  * Handling false positives:
  *

Original file line number	Diff line number	Diff line change
`@@ -23,9 +23,7 @@`
`23`	`23`	* configuration (see `InvalidPointerToDerefConfig`).
`24`	`24`	`*`
`25`	`25`	* The dataflow traversal defines the set of sources as any dataflow node `n` such that there exists a pointer-arithmetic
`26`		- * instruction `pai` found by `AllocationToInvalidPointer.qll` and a `n.asInstruction() >= pai + deltaDerefSourceAndPai`.
`27`		- * Here, `deltaDerefSourceAndPai` is the constant difference between the source we track for finding a dereference and the
`28`		`- * pointer-arithmetic instruction.`
	`26`	+ * instruction `pai` found by `AllocationToInvalidPointer.qll` and a `n.asInstruction() = pai`.
`29`	`27`	`*`
`30`	`28`	* The set of sinks is defined as any dataflow node `n` such that `addr <= n.asInstruction() + deltaDerefSinkAndDerefAddress`
`31`	`29`	* for some address operand `addr` and constant difference `deltaDerefSinkAndDerefAddress`. Since an address operand is
`@@ -37,9 +35,8 @@`
`37`	`35`	* `deltaDerefSinkAndDerefAddress >= 0`. The load attached to `*p` is the "operation". To ensure that the path makes
`38`	`36`	`* intuitive sense, we only pick operations that are control-flow reachable from the dereference sink.`
`39`	`37`	`*`
`40`		`- * To compute how many elements the dereference is beyond the end position of the allocation, we sum the two deltas`
`41`		- * `deltaDerefSourceAndPai` and `deltaDerefSinkAndDerefAddress`. This is done in the `operationIsOffBy` predicate
`42`		`- * (which is the only predicate exposed by this file).`
	`38`	+ * We use the `deltaDerefSinkAndDerefAddress` to compute how many elements the dereference is beyond the end position of
	`39`	+ * the allocation. This is done in the `operationIsOffBy` predicate (which is the only predicate exposed by this file).
`43`	`40`	`*`
`44`	`41`	`* Handling false positives:`
`45`	`42`	`*`