QL: add a new ql/could-be-cast query

Author: erik-krogh

ql/ql/src/codeql_ql/style/CouldBeCastQuery.qll

@@ -0,0 +1,53 @@
+import ql
+
+/**
+ * Holds if `aggr` is of one of the following forms:
+ * `exists(var | range)` or `any(var | range)` or `any(var | | range)` or `any(type x | .. | x)`
+ */
+private predicate castAggregate(AstNode aggr, Formula range, VarDecl var, string kind) {
+  kind = "exists" and
+  exists(Exists ex | aggr = ex |
+    ex.getRange() = range and
+    not exists(ex.getFormula()) and
+    count(ex.getArgument(_)) = 1 and
+    ex.getArgument(0) = var
+  )
+  or
+  kind = "any" and
+  exists(Any anyy | aggr = anyy |
+    not exists(anyy.getRange()) and
+    anyy.getExpr(0) = range and
+    count(anyy.getExpr(_)) = 1 and
+    count(anyy.getArgument(_)) = 1 and
+    anyy.getArgument(0) = var
+  )
+  or
+  kind = "any" and
+  exists(Any anyy | aggr = anyy |
+    range = anyy.getRange() and
+    count(anyy.getArgument(_)) = 1 and
+    anyy.getArgument(0) = var and
+    not exists(anyy.getExpr(0))
+  )
+  or
+  kind = "any" and
+  exists(Any anyy | aggr = anyy |
+    range = anyy.getRange() and
+    count(anyy.getExpr(_)) = 1 and
+    count(anyy.getArgument(_)) = 1 and
+    anyy.getExpr(_).(VarAccess).getDeclaration() = var and
+    anyy.getArgument(0) = var
+  )
+}
+
+/** Holds if `aggr` is an aggregate that could be replaced with an instanceof expression or an inline cast. */
+predicate aggregateCouldBeCast(
+  AstNode aggr, ComparisonFormula comp, string kind, VarDecl var, AstNode operand
+) {
+  castAggregate(aggr, comp, var, kind) and
+  comp.getOperator() = "=" and
+  count(VarAccess access | access.getDeclaration() = var and access.getParent() != aggr) = 1 and
+  comp.getAnOperand().(VarAccess).getDeclaration() = var and
+  operand = comp.getAnOperand() and
+  not operand.(VarAccess).getDeclaration() = var
+}

ql/ql/src/queries/style/CouldBeCast.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Expression can be replaced with a cast
+ * @description An exists/any that is only used to cast a value to a type
+ *              can be replaced with a cast.
+ * @kind problem
+ * @problem.severity warning
+ * @id ql/could-be-cast
+ * @precision very-high
+ */
+
+import ql
+import codeql_ql.style.CouldBeCastQuery
+
+from AstNode aggr, VarDecl var, string msg
+where
+  exists(string kind | aggregateCouldBeCast(aggr, _, kind, var, _) |
+    kind = "exists" and
+    msg = "The assignment to $@ in the exists(..) can replaced with an instanceof expression."
+    or
+    kind = "any" and
+    msg = "The assignment to $@ in this any(..) can be replaced with an inline cast."
+  )
+select aggr, msg, var, var.getName()

ql/ql/test/queries/style/CouldBeCast/CouldBeCast.expected

@@ -0,0 +1,3 @@
+| Foo.qll:3:3:3:24 | Exists | The assignment to $@ in the exists(..) can replaced with an instanceof expression. | Foo.qll:3:10:3:15 | j | j |
+| Foo.qll:7:3:7:21 | Any | The assignment to $@ in this any(..) can be replaced with an inline cast. | Foo.qll:7:7:7:12 | j | j |
+| Foo.qll:9:3:9:25 | Any | The assignment to $@ in this any(..) can be replaced with an inline cast. | Foo.qll:9:7:9:12 | j | j |

ql/ql/test/queries/style/CouldBeCast/CouldBeCast.qlref

@@ -0,0 +1 @@
+queries/style/CouldBeCast.ql

ql/ql/test/queries/style/CouldBeCast/Foo.qll

@@ -0,0 +1,19 @@
+bindingset[i]
+predicate foo(int i) {
+  exists(Even j | j = i) // NOT OK
+  or
+  exists(Even j | j = i | j % 4 = 0) // OK
+  or
+  any(Even j | j = i) = 2 // NOT OK
+  or
+  any(Even j | j = i | j) = 2 // NOT OK
+  or
+  any(Even j | j = i | j * 2) = 4 // OK
+  or
+  any(Even j | j = i and j % 4 = 0 | j) = 4 // OK
+}
+
+class Even extends int {
+  bindingset[this]
+  Even() { this % 2 = 0 }
+}