Merge pull request #6537 from andersfugmann/implicit_downcast_involving_references

Implicit downcast involving references
2026-04-30 03:05:15 +02:00 · 2021-08-25 09:45:32 +02:00
parent 8f73c6968a 67a267d971
commit abdf993e47
4 changed files with 37 additions and 9 deletions
--- a/cpp/change-notes/2021-08-24-implicit-downcast-from-bitfield.md
+++ b/cpp/change-notes/2021-08-24-implicit-downcast-from-bitfield.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query `cpp/implicit-bitfield-downcast` now accounts for C++ reference types, which leads to more true positive results.
--- a/Bugs/Conversion/ImplicitDowncastFromBitfield.ql
+++ b/Bugs/Conversion/ImplicitDowncastFromBitfield.ql
@@ -13,10 +13,15 @@

 import cpp

-from BitField fi, VariableAccess va
+from BitField fi, VariableAccess va, Type fct
 where
-  fi.getNumBits() > va.getFullyConverted().getType().getSize() * 8 and
-  va.getExplicitlyConverted().getType().getSize() > va.getFullyConverted().getType().getSize() and
+  (
+    if va.getFullyConverted().getType() instanceof ReferenceType
+    then fct = va.getFullyConverted().getType().(ReferenceType).getBaseType()
+    else fct = va.getFullyConverted().getType()
+  ) and
+  fi.getNumBits() > fct.getSize() * 8 and
+  va.getExplicitlyConverted().getType().getSize() > fct.getSize() and
  va.getTarget() = fi and
-  not va.getActualType() instanceof BoolType
+  not fct.getUnspecifiedType() instanceof BoolType
 select va, "Implicit downcast of bitfield $@", fi, fi.toString()
--- a/Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.expected
+++ b/Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.expected
@@ -1 +1,2 @@
 | test.cpp:10:11:10:11 | x | Implicit downcast of bitfield $@ | test.cpp:2:6:2:6 | x | x |
+| test.cpp:26:25:26:25 | x | Implicit downcast of bitfield $@ | test.cpp:2:6:2:6 | x | x |
--- a/Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp
+++ b/Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp
@@ -3,21 +3,41 @@ typedef struct {
 } my_struct;

 int getX1(my_struct m) {
-	return m.x;
+	return m.x; // GOOD
 }

 short getX2(my_struct m) {
-	return m.x;
+	return m.x; // BAD
 }

 short getX3(my_struct m) {
-	return (short) m.x;
+	return (short) m.x; // GOOD
 }

 bool getX4(my_struct m) {
-	return m.x;
+	return m.x; // GOOD
 }

 short getX5(my_struct m) {
-	return (char) m.x;
+	return (char) m.x; // GOOD
+}
+
+const char& getx6(my_struct& m) {
+	const char& result = m.x; // BAD
+	return result;
+}
+
+const short& getx7(my_struct& m) {
+	const short& result = (short) m.x; // GOOD
+	return result;
+}
+
+const int& getx8(my_struct& m) {
+	const int& result = m.x; // GOOD
+	return result;
+}
+
+const bool& getx9(my_struct& m) {
+	const bool& result = m.x; // GOOD
+	return result;
 }