Address review: update QLDoc comment and fix expected test output

MarkLee131 · MarkLee131 · commit e6adfbca77ee · 2026-03-29T11:53:06.000+08:00
- Clarify that arithmeticUsedInBoundsCheck applies to if-condition
  comparisons, not all comparisons
- Update expected test line numbers to reflect added test calls
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticCommon.qll b/java/ql/lib/semmle/code/java/security/ArithmeticCommon.qll
@@ -138,9 +138,9 @@ predicate overflowIrrelevant(Expr exp) {
 
 /**
  * Holds if `exp` is an arithmetic expression used directly as an operand of a
- * comparison, indicating it is part of a bounds check rather than a vulnerable
- * computation. For example, in `if (off + len > array.length)`, the addition
- * is the bounds check itself.
+ * comparison in an `if`-condition, indicating it is part of a bounds check
+ * rather than a vulnerable computation. For example, in
+ * `if (off + len > array.length)`, the addition is the bounds check itself.
  */
 private predicate arithmeticUsedInBoundsCheck(ArithExpr exp) {
   exists(ComparisonExpr comp |
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.expected b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.expected
@@ -4,10 +4,10 @@
 | ArithmeticTainted.java:50:17:50:24 | ... + ... | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:50:17:50:20 | data | This arithmetic expression depends on a $@, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
 | ArithmeticTainted.java:71:17:71:27 | ... + ... | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:71:17:71:23 | herring | This arithmetic expression depends on a $@, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
 | ArithmeticTainted.java:95:37:95:46 | ... + ... | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:95:37:95:40 | data | This arithmetic expression depends on a $@, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
-| ArithmeticTainted.java:127:3:127:8 | ...++ | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:127:3:127:6 | data | This arithmetic expression depends on a $@, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
-| ArithmeticTainted.java:131:3:131:8 | ++... | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:131:5:131:8 | data | This arithmetic expression depends on a $@, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
-| ArithmeticTainted.java:135:3:135:8 | ...-- | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:135:3:135:6 | data | This arithmetic expression depends on a $@, potentially causing an underflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
-| ArithmeticTainted.java:139:3:139:8 | --... | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:139:5:139:8 | data | This arithmetic expression depends on a $@, potentially causing an underflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
+| ArithmeticTainted.java:129:3:129:8 | ...++ | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:129:3:129:6 | data | This arithmetic expression depends on a $@, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
+| ArithmeticTainted.java:133:3:133:8 | ++... | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:133:5:133:8 | data | This arithmetic expression depends on a $@, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
+| ArithmeticTainted.java:137:3:137:8 | ...-- | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:137:3:137:6 | data | This arithmetic expression depends on a $@, potentially causing an underflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
+| ArithmeticTainted.java:141:3:141:8 | --... | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:141:5:141:8 | data | This arithmetic expression depends on a $@, potentially causing an underflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
 edges
 | ArithmeticTainted.java:17:24:17:64 | new InputStreamReader(...) : InputStreamReader | ArithmeticTainted.java:18:40:18:56 | readerInputStream : InputStreamReader | provenance |  |
 | ArithmeticTainted.java:17:24:17:64 | new InputStreamReader(...) : InputStreamReader | ArithmeticTainted.java:18:40:18:56 | readerInputStream : InputStreamReader | provenance |  |
@@ -38,14 +38,14 @@ edges
 | ArithmeticTainted.java:66:18:66:24 | tainted : Holder [dat] : Number | ArithmeticTainted.java:66:18:66:34 | getData(...) : Number | provenance |  |
 | ArithmeticTainted.java:66:18:66:24 | tainted : Holder [dat] : Number | Holder.java:16:13:16:19 | parameter this : Holder [dat] : Number | provenance |  |
 | ArithmeticTainted.java:66:18:66:34 | getData(...) : Number | ArithmeticTainted.java:71:17:71:23 | herring | provenance |  |
-| ArithmeticTainted.java:118:9:118:12 | data : Number | ArithmeticTainted.java:125:26:125:33 | data : Number | provenance |  |
-| ArithmeticTainted.java:119:10:119:13 | data : Number | ArithmeticTainted.java:129:27:129:34 | data : Number | provenance |  |
-| ArithmeticTainted.java:120:10:120:13 | data : Number | ArithmeticTainted.java:133:27:133:34 | data : Number | provenance |  |
-| ArithmeticTainted.java:121:10:121:13 | data : Number | ArithmeticTainted.java:137:27:137:34 | data : Number | provenance |  |
-| ArithmeticTainted.java:125:26:125:33 | data : Number | ArithmeticTainted.java:127:3:127:6 | data | provenance |  |
-| ArithmeticTainted.java:129:27:129:34 | data : Number | ArithmeticTainted.java:131:5:131:8 | data | provenance |  |
-| ArithmeticTainted.java:133:27:133:34 | data : Number | ArithmeticTainted.java:135:3:135:6 | data | provenance |  |
-| ArithmeticTainted.java:137:27:137:34 | data : Number | ArithmeticTainted.java:139:5:139:8 | data | provenance |  |
+| ArithmeticTainted.java:118:9:118:12 | data : Number | ArithmeticTainted.java:127:26:127:33 | data : Number | provenance |  |
+| ArithmeticTainted.java:119:10:119:13 | data : Number | ArithmeticTainted.java:131:27:131:34 | data : Number | provenance |  |
+| ArithmeticTainted.java:120:10:120:13 | data : Number | ArithmeticTainted.java:135:27:135:34 | data : Number | provenance |  |
+| ArithmeticTainted.java:121:10:121:13 | data : Number | ArithmeticTainted.java:139:27:139:34 | data : Number | provenance |  |
+| ArithmeticTainted.java:127:26:127:33 | data : Number | ArithmeticTainted.java:129:3:129:6 | data | provenance |  |
+| ArithmeticTainted.java:131:27:131:34 | data : Number | ArithmeticTainted.java:133:5:133:8 | data | provenance |  |
+| ArithmeticTainted.java:135:27:135:34 | data : Number | ArithmeticTainted.java:137:3:137:6 | data | provenance |  |
+| ArithmeticTainted.java:139:27:139:34 | data : Number | ArithmeticTainted.java:141:5:141:8 | data | provenance |  |
 | Holder.java:12:22:12:26 | d : Number | Holder.java:13:9:13:9 | d : Number | provenance |  |
 | Holder.java:13:3:13:5 | this <.field> [post update] : Holder [dat] : Number | Holder.java:12:14:12:20 | parameter this [Return] : Holder [dat] : Number | provenance |  |
 | Holder.java:13:9:13:9 | d : Number | Holder.java:13:3:13:5 | this <.field> [post update] : Holder [dat] : Number | provenance |  |
@@ -86,14 +86,14 @@ nodes
 | ArithmeticTainted.java:119:10:119:13 | data : Number | semmle.label | data : Number |
 | ArithmeticTainted.java:120:10:120:13 | data : Number | semmle.label | data : Number |
 | ArithmeticTainted.java:121:10:121:13 | data : Number | semmle.label | data : Number |
-| ArithmeticTainted.java:125:26:125:33 | data : Number | semmle.label | data : Number |
-| ArithmeticTainted.java:127:3:127:6 | data | semmle.label | data |
-| ArithmeticTainted.java:129:27:129:34 | data : Number | semmle.label | data : Number |
-| ArithmeticTainted.java:131:5:131:8 | data | semmle.label | data |
-| ArithmeticTainted.java:133:27:133:34 | data : Number | semmle.label | data : Number |
-| ArithmeticTainted.java:135:3:135:6 | data | semmle.label | data |
-| ArithmeticTainted.java:137:27:137:34 | data : Number | semmle.label | data : Number |
-| ArithmeticTainted.java:139:5:139:8 | data | semmle.label | data |
+| ArithmeticTainted.java:127:26:127:33 | data : Number | semmle.label | data : Number |
+| ArithmeticTainted.java:129:3:129:6 | data | semmle.label | data |
+| ArithmeticTainted.java:131:27:131:34 | data : Number | semmle.label | data : Number |
+| ArithmeticTainted.java:133:5:133:8 | data | semmle.label | data |
+| ArithmeticTainted.java:135:27:135:34 | data : Number | semmle.label | data : Number |
+| ArithmeticTainted.java:137:3:137:6 | data | semmle.label | data |
+| ArithmeticTainted.java:139:27:139:34 | data : Number | semmle.label | data : Number |
+| ArithmeticTainted.java:141:5:141:8 | data | semmle.label | data |
 | Holder.java:12:14:12:20 | parameter this [Return] : Holder [dat] : Number | semmle.label | parameter this [Return] : Holder [dat] : Number |
 | Holder.java:12:22:12:26 | d : Number | semmle.label | d : Number |
 | Holder.java:13:3:13:5 | this <.field> [post update] : Holder [dat] : Number | semmle.label | this <.field> [post update] : Holder [dat] : Number |
