C++: Relax commented-out code heuristic for }

I looked through a few hundred results from this query on lgtm.com and found that most of the FPs had to do with comment lines ending in `}`. This change should fix most of them, at the cost of very few false negatives. On Wireshark, this query goes from 7,425 results to 6,686 results before filtering for generated code. Almost all the lost results were FP, except a handful of results involving initializer lists.
2026-04-29 02:35:15 +02:00 · 2019-01-17 09:37:04 +01:00
parent 92b48bf6af
commit 9c42b5fab7
2 changed files with 12 additions and 3 deletions
--- a/cpp/ql/src/Documentation/CommentedOutCode.qll
+++ b/cpp/ql/src/Documentation/CommentedOutCode.qll
@@ -20,6 +20,18 @@ private predicate looksLikeCode(string line) {
    exists(string trimmed |
           trimmed = line.regexpReplaceAll("(?i)(^\\s+|&#?[a-z0-9]{1,31};|\\s+$)", "") |
           trimmed.regexpMatch(".*[{};]")
+           and (
+              // If this line looks like code because it ends with a closing
+              // brace that's preceded by something other than whitespace ...
+              trimmed.regexpMatch(".*.\\}")
+              implies
+              // ... then there has to be ") {" (with some variation of
+              // whitespace) on the line, suggesting it's a statement like `if`
+              // or a function declaration. Otherwise it's likely to be a
+              // benign use of braces such as a JSON example or explanatory
+              // pseudocode.
+              trimmed.regexpMatch(".*\\)\\s*\\{.*")
+           )
           and not trimmed.regexpMatch("(>.*|.*[\\\\@][{}].*|(optional|repeated) .*;|.*(\\{\\{\\{|\\}\\}\\}).*|\\{[-0-9a-zA-Z]+\\})"))
 }