Squash a few sign analysis diffs due to range analysis fixes

Author: Dave Bartolomeo

java/ql/lib/semmle/code/java/semantic/analysis/SignAnalysisCommon.qll

@@ -204,25 +204,68 @@ private class BinarySignExpr extends FlowSignExpr {
   }
 }
 
+/**
+ * A `Convert`, `Box`, or `Unbox` expression.
+ */
+private class SemCastExpr extends SemUnaryExpr {
+  SemCastExpr() {
+    this instanceof SemConvertExpr
+    or
+    this instanceof SemBoxExpr
+    or
+    this instanceof SemUnboxExpr
+  }
+}
+
 /** A unary expression whose sign is computed from the sign of its operand. */
 private class UnarySignExpr extends FlowSignExpr {
   SemUnaryExpr unary;
 
-  UnarySignExpr() { unary = this }
+  UnarySignExpr() { unary = this and not this instanceof SemCastExpr }
 
   override Sign getSignRestriction() {
     result = semExprSign(unary.getOperand()).applyUnaryOp(unary.getOpcode())
   }
 }
 
 /**
- * A `Convert` expression, whose sign is computed based on sign of its operand and the source and
- * destination types.
+ * A `Convert`, `Box`, or `Unbox` expression, whose sign is computed based on
+ * the sign of its operand and the source and destination types.
  */
-private class ConvertSignExpr extends UnarySignExpr {
-  override SemConvertExpr unary;
+abstract private class CastSignExpr extends FlowSignExpr {
+  SemUnaryExpr cast;
+
+  CastSignExpr() { cast = this and cast instanceof SemCastExpr }
+
+  override Sign getSignRestriction() { result = semExprSign(cast.getOperand()) }
+}
 
-  override Sign getSignRestriction() { result = semExprSign(unary.getOperand()) }
+/**
+ * A `Convert` expression.
+ */
+private class ConvertSignExpr extends CastSignExpr {
+  override SemConvertExpr cast;
+}
+
+/**
+ * A `Box` expression.
+ */
+private class BoxSignExpr extends CastSignExpr {
+  override SemBoxExpr cast;
+}
+
+/**
+ * An `Unbox` expression.
+ */
+private class UnboxSignExpr extends CastSignExpr {
+  override SemUnboxExpr cast;
+
+  UnboxSignExpr() {
+    exists(SemType fromType | fromType = getTrackedType(cast.getOperand()) |
+      // Only numeric source types are handled here.
+      fromType instanceof SemNumericType
+    )
+  }
 }
 
 private predicate unknownSign(SemExpr e) { e instanceof UnknownSignExpr }

java/ql/lib/semmle/code/java/semantic/analysis/SignAnalysisSpecific.qll

@@ -148,10 +148,16 @@ private class ChooseSignExpr extends CustomSignExpr {
 private class CastSignExpr extends CustomSignExpr {
   CastExpr cast;
 
-  CastSignExpr() { cast = getJavaExpr(this) }
+  CastSignExpr() {
+    // The core already handles numeric conversions, boxing, and unboxing.
+    // We need to handle any casts between reference types that we want to track
+    // here.
+    cast = getJavaExpr(this) and
+    cast.getType() instanceof RefType and
+    cast.getExpr().getType() instanceof RefType
+  }
 
   override Sign getSignRestriction() {
-    // REVIEW: Should only apply to trackable operations
     result = semExprSign(getSemanticExpr(cast.getExpr()))
     or
     semAnySign(result) and not cast.getExpr().getType() instanceof NumericOrCharType
@@ -175,7 +181,9 @@ predicate ignoreTypeRestrictions(SemExpr e) {
  */
 predicate trackUnknownNonNumericExpr(SemExpr e) {
   // REVIEW: Only needed to match original Java results.
-  e = getEnhancedForInitExpr(_) or getJavaExpr(e) instanceof VarAccess
+  e = getEnhancedForInitExpr(_) or
+  getJavaExpr(e) instanceof VarAccess or
+  getJavaExpr(e) instanceof CastExpr
 }
 
 /**