C++: Add barriers to cpp/uncontrolled-allocation-size

[MathiasVP]

(Part of https://github.com/github/codeql-c-team/issues/272.)

This PR adds two barriers to cpp/uncontrolled-allocation-size:

• The first barrier (added in 5031b73) blocks flow out of arithmetic operations that we can prove won't overflow. This removes false positives in a couple of LGTM projects. When I compare 5031b73 to main we get:

Project	Alerts with main	Alerts with 5031b73
openssl/openssl	8	7
gpac/gpac	2	0
libretro/RetroArch	2	1
axiomatic-systems/Bento4	1	0
systemd/systemd	11	9
rizinorg/cutter	33	25
radareorg/radare2	29	22
haiku/haiku	14	12
kernel.org/pub/scm/network/iproute2/iproute2-next	3	1
Chia-Network/chiapos	1	0
ArtifexSoftware/ghostpdl	3	1

• The second barrier (added in 2d0a561) blocks flow out of PointerDiffExpr. This is quite a common cause of false positives for this query. When I compare 5031b73 to 2d0a561) we get:

Project	Alerts with 5031b73	Alerts with 2d0a561
vim/vim	1	0
openssl/openssl	7	0
git/git	1	0
lxc/lxc	1	0
alibaba/AliSQL	1	0
apache/trafficserver	2	1
stellar/stellar-core	3	0
systemd/systemd	9	6
nmap/nmap	1	0
cfengine/core	2	1
rizinorg/cutter	25	24
haiku/haiku	12	10
horms/openvswitch	1	0
trini/u-boot	1	0
FreeRADIUS/freeradius-server	1	0
ArtifexSoftware/ghostpdl	1	0

This change doesn't seem to affect SAMATE.

[rdmarsh2]

Could we add a test with a long to keep testing size > 0 with an actual overflow?

[MathiasVP]

Good point. I've done this in 31091c6. Sorry about the horrible diff from that commit. All it's doing is move a few lines and add the correct BAD result to the .expected file.

[geoffw0]

LGTM.

[geoffw0]

Seems reasonable. If the subtraction result is not well-defined, that should probably be handled by another query (which may or may-not already exist) rather than blaming a later malloc.

[MathiasVP]

Indeed. 👍 I've opened up https://github.com/github/codeql-c-team/issues/525 for this exact query idea.