Merge pull request github#6537 from andersfugmann/implicit_downcast_involving_references

jbj · web-flow · commit abdf993e4792 · 2021-08-25T09:45:32.000+02:00
Implicit downcast involving references
diff --git a/cpp/change-notes/2021-08-24-implicit-downcast-from-bitfield.md b/cpp/change-notes/2021-08-24-implicit-downcast-from-bitfield.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query `cpp/implicit-bitfield-downcast` now accounts for C++ reference types, which leads to more true positive results.
diff --git a/cpp/ql/src/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql b/cpp/ql/src/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql
@@ -13,10 +13,15 @@
 
 import cpp
 
-from BitField fi, VariableAccess va
+from BitField fi, VariableAccess va, Type fct
 where
-  fi.getNumBits() > va.getFullyConverted().getType().getSize() * 8 and
-  va.getExplicitlyConverted().getType().getSize() > va.getFullyConverted().getType().getSize() and
+  (
+    if va.getFullyConverted().getType() instanceof ReferenceType
+    then fct = va.getFullyConverted().getType().(ReferenceType).getBaseType()
+    else fct = va.getFullyConverted().getType()
+  ) and
+  fi.getNumBits() > fct.getSize() * 8 and
+  va.getExplicitlyConverted().getType().getSize() > fct.getSize() and
   va.getTarget() = fi and
-  not va.getActualType() instanceof BoolType
+  not fct.getUnspecifiedType() instanceof BoolType
 select va, "Implicit downcast of bitfield $@", fi, fi.toString()
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.expected b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.expected
@@ -1 +1,2 @@
 | test.cpp:10:11:10:11 | x | Implicit downcast of bitfield $@ | test.cpp:2:6:2:6 | x | x |
+| test.cpp:26:25:26:25 | x | Implicit downcast of bitfield $@ | test.cpp:2:6:2:6 | x | x |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp
@@ -3,21 +3,41 @@ typedef struct {
 } my_struct;
 
 int getX1(my_struct m) {
-	return m.x;
+	return m.x; // GOOD
 }
 
 short getX2(my_struct m) {
-	return m.x;
+	return m.x; // BAD
 }
 
 short getX3(my_struct m) {
-	return (short) m.x;
+	return (short) m.x; // GOOD
 }
 
 bool getX4(my_struct m) {
-	return m.x;
+	return m.x; // GOOD
 }
 
 short getX5(my_struct m) {
-	return (char) m.x;
+	return (char) m.x; // GOOD
+}
+
+const char& getx6(my_struct& m) {
+	const char& result = m.x; // BAD
+	return result;
+}
+
+const short& getx7(my_struct& m) {
+	const short& result = (short) m.x; // GOOD
+	return result;
+}
+
+const int& getx8(my_struct& m) {
+	const int& result = m.x; // GOOD
+	return result;
+}
+
+const bool& getx9(my_struct& m) {
+	const bool& result = m.x; // GOOD
+	return result;
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* The query `cpp/implicit-bitfield-downcast` now accounts for C++ reference types, which leads to more true positive results.
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`\| test.cpp:10:11:10:11 \| x \| Implicit downcast of bitfield $@ \| test.cpp:2:6:2:6 \| x \| x \|`
	`2`	`+\| test.cpp:26:25:26:25 \| x \| Implicit downcast of bitfield $@ \| test.cpp:2:6:2:6 \| x \| x \|`