C++: Update documentation based on PR feedback.

MathiasVP · MathiasVP · commit 5270cf6c41c6 · 2023-07-21T11:09:01.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
@@ -12,11 +12,11 @@
  * ```
  * this file identifies the flow from `new int[size]` to `base + size`.
  *
- * This is done using the product-flow library. The configuration tracks flow from the pair `(allocation, size of allocation)`
- * to a pair `(a, b)` where there exists a pointer-arithmetic instruction `pai` such that:
- *  1. `a` is equal to the left-hand side of `pai`, and
- *  2. `b` is a dataflow node that represents an operand that _non-strictly_ upper bounds the right-hand side of `pai`.
- *     See `pointerAddInstructionHasBounds` for the implementation of this.
+ * This is done using the product-flow library. The configuration tracks flow from the pair
+ * `(allocation, size of allocation)` to a pair `(a, b)` where there exists a pointer-arithmetic instruction
+ * `pai = a + r` such that `b` is a dataflow node where `b <= r`. Because there will be a dataflow-path from
+ * `allocation` to `a` this means that the `pai` will compute a pointer that's some number of elements away
+ * from the end position in the allocation. See `pointerAddInstructionHasBounds` for the implementation of this.
  *
  * In the above example, the pair `(a, b)` is `(base, size)` from the expression `base + size` on line 2. However, it could
  * also be something more complex like `(base, size)` where `base` is from line 3 and `size` is from line 2, and the
