Bad overflow check broken into three steps

When demoing this, I found it more convenient to split the query into
three steps so there are also some false positives to look at along the
way.

Author: jbj

ql_demos/cpp/ChakraCore-bad-overflow-check/steps/01_overflow_checks.ql

@@ -0,0 +1,14 @@
+import cpp
+
+/** Matches `var < var + ???`. */
+predicate overflowCheck(LocalScopeVariable var, AddExpr add) {
+  exists(RelationalOperation compare |
+    compare.getAnOperand() = var.getAnAccess() and
+    compare.getAnOperand() = add and
+    add.getAnOperand() = var.getAnAccess()
+  )
+}
+
+from LocalScopeVariable var, AddExpr add
+where overflowCheck(var, add)
+select add, "Overflow check on variable of type " + var.getUnderlyingType()

ql_demos/cpp/ChakraCore-bad-overflow-check/steps/02_var_size.ql

@@ -0,0 +1,15 @@
+import cpp
+
+/** Matches `var < var + ???`. */
+predicate overflowCheck(LocalScopeVariable var, AddExpr add) {
+  exists(RelationalOperation compare |
+    compare.getAnOperand() = var.getAnAccess() and
+    compare.getAnOperand() = add and
+    add.getAnOperand() = var.getAnAccess()
+  )
+}
+
+from LocalScopeVariable var, AddExpr add
+where overflowCheck(var, add)
+  and var.getType().getSize() < 4
+select add, "Overflow check on variable of type " + var.getUnderlyingType()

ql_demos/cpp/ChakraCore-bad-overflow-check/steps/03_bad_overflow_check.ql

@@ -0,0 +1,16 @@
+import cpp
+
+/** Matches `var < var + ???`. */
+predicate overflowCheck(LocalScopeVariable var, AddExpr add) {
+  exists(RelationalOperation compare |
+    compare.getAnOperand() = var.getAnAccess() and
+    compare.getAnOperand() = add and
+    add.getAnOperand() = var.getAnAccess()
+  )
+}
+
+from LocalScopeVariable var, AddExpr add
+where overflowCheck(var, add)
+  and var.getType().getSize() < 4
+  and not add.getConversion+().getType().getSize() < 4
+select add, "Bad overflow check on variable of type " + var.getUnderlyingType()