Java: Account for additional constants in ArrayIndexOutOfBounds query.

java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql

@@ -44,6 +44,15 @@ predicate boundedArrayAccess(ArrayAccess aa, int k) {
       )
     )
   )
+  or
+  exists(Field arr, Expr index, int delta, int arrlen |
+    aa.getIndexExpr() = index and
+    aa.getArray() = arr.getAnAccess() and
+    bounded(index, any(ZeroBound z), delta, true, _) and
+    arr.isFinal() and
+    arr.getInitializer().(ArrayCreationExpr).getFirstDimensionSize() = arrlen and
+    k = delta - arrlen
+  )
 }
 
 /**

java/ql/test/query-tests/RangeAnalysis/A.java

@@ -204,4 +204,11 @@ static int m16() {
       A.arr1[RandomUtils.nextInt(0, arr1.length + 1)] + // BAD: random int may be out of range
       A.arr1[RandomUtils.nextInt(0, arr1.length)]; // GOOD: random int must be in range
   }
+
+  int m17() {
+    return this.arr2[(new Random()).nextInt(arr2.length + 1)] +  // BAD: random int may be out of range
+      this.arr2[(new Random()).nextInt(arr2.length)] + // GOOD: random int must be in range
+      this.arr2[RandomUtils.nextInt(0, arr2.length + 1)] + // BAD: random int may be out of range
+      this.arr2[RandomUtils.nextInt(0, arr2.length)]; // GOOD: random int must be in range
+  }
 }

java/ql/test/query-tests/RangeAnalysis/ArrayIndexOutOfBounds.expected

@@ -14,3 +14,5 @@
 | A.java:195:9:195:13 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
 | A.java:202:12:202:58 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
 | A.java:204:7:204:53 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
+| A.java:209:12:209:61 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
+| A.java:211:7:211:56 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |