Merge pull request #20523 from smowton/smowton/fix/mistyped-exp-fp

Go: mistyped-exponentiation: notice constants with likely-bitmask values

go/ql/src/InconsistentCode/MistypedExponentiation.ql

@@ -13,12 +13,16 @@
 
 import go
 
+private Expr getConstantInitialiser(Expr e) {
+  exists(DeclaredConstant c | e = c.getAReference() | result = c.getInit())
+}
+
 /** Holds if `e` is not 0 and is either an octal or hexadecimal literal, or the number one. */
 predicate maybeXorBitPattern(Expr e) {
   // 0 makes no sense as an xor bit pattern
   not e.getNumericValue() = 0 and
   // include octal and hex literals
-  e.(IntLit).getText().matches("0%")
+  [e, getConstantInitialiser(e)].(IntLit).getText().matches("0%")
   or
   e.getNumericValue() = 1
 }

go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/main.go

@@ -22,6 +22,13 @@ func main() {
 
 	mask := (((1 << 10) - 1) ^ 7) // OK
 
+	const (
+		c1 = 0x1234
+		c2 = 0x5678
+	)
+
+	fmt.Println(c1 ^ c2) // OK
+
 	// This is not ok, but isn't detected because the multiplication binds tighter
 	// than the xor operator and so the query doesn't see a constant on the left
 	// hand side of ^.