C++: Support C23 typeof and typeof_unqual

jketema · jketema · commit 5bb48a29d02c · 2025-04-11T14:57:22.000+02:00
diff --git a/cpp/ql/lib/semmle/code/cpp/Print.qll b/cpp/ql/lib/semmle/code/cpp/Print.qll
@@ -176,6 +176,18 @@ private class DecltypeDumpType extends DumpType, Decltype {
   }
 }
 
+private class TypeofExprDumpType extends DumpType, TypeofExprType {
+  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
+
+  override string getDeclaratorPrefix() {
+    result = this.getBaseType().(DumpType).getDeclaratorPrefix()
+  }
+
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
+}
+
 private class PointerIshDumpType extends DerivedDumpType {
   PointerIshDumpType() {
     this instanceof PointerType or
diff --git a/cpp/ql/lib/semmle/code/cpp/Type.qll b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -92,8 +92,9 @@ class Type extends Locatable, @type {
   /**
    * Gets this type after typedefs have been resolved.
    *
-   * The result of this predicate will be the type itself, except in the case of a TypedefType or a Decltype,
-   * in which case the result will be type which results from (possibly recursively) resolving typedefs.
+   * The result of this predicate will be the type itself, except in the case of a TypedefType, a Decltype,
+   * or a TypeofExprType, in which case the result will be type which results from (possibly recursively)
+   * resolving typedefs.
    */
   pragma[nomagic]
   Type getUnderlyingType() { result = this }
@@ -1118,17 +1119,19 @@ class DerivedType extends Type, @derivedtype {
  * ```
  */
 class Decltype extends Type, @decltype {
+  Decltype() { decltypes(underlyingElement(this), _, 0, _, _) }
+
   override string getAPrimaryQlClass() { result = "Decltype" }
 
   /**
    * The expression whose type is being obtained by this decltype.
    */
-  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _) }
+  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _, _) }
 
   /**
    * The type immediately yielded by this decltype.
    */
-  Type getBaseType() { decltypes(underlyingElement(this), _, unresolveElement(result), _) }
+  Type getBaseType() { decltypes(underlyingElement(this), _, _, unresolveElement(result), _) }
 
   /**
    * Whether an extra pair of parentheses around the expression would change the semantics of this decltype.
@@ -1142,7 +1145,7 @@ class Decltype extends Type, @decltype {
    * ```
    * Please consult the C++11 standard for more details.
    */
-  predicate parenthesesWouldChangeMeaning() { decltypes(underlyingElement(this), _, _, true) }
+  predicate parenthesesWouldChangeMeaning() { decltypes(underlyingElement(this), _, _, _, true) }
 
   override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
 
@@ -1183,6 +1186,127 @@ class Decltype extends Type, @decltype {
   }
 }
 
+/**
+ * An instance of the C23 `typeof` operator taking an expression as its argument.
+ * For example:
+ * ```
+ * int a;
+ * typeof(a) b;
+ * ```
+ */
+class TypeofExprType extends Type, @decltype {
+  TypeofExprType() { decltypes(underlyingElement(this), _, 1, _, _) }
+
+  override string getAPrimaryQlClass() { result = "TypeofExprType" }
+
+  /**
+   * The expression whose type is being obtained by this typeof.
+   */
+  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _, _) }
+
+  /**
+   * The type immediately yielded by this typeof.
+   */
+  Type getBaseType() { decltypes(underlyingElement(this), _, _, unresolveElement(result), _) }
+
+  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
+
+  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
+
+  override Type stripType() { result = this.getBaseType().stripType() }
+
+  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
+
+  override Location getLocation() { result = this.getExpr().getLocation() }
+
+  override string toString() { result = "typeof(...)" }
+
+  override string getName() { none() }
+
+  override int getSize() { result = this.getBaseType().getSize() }
+
+  override int getAlignment() { result = this.getBaseType().getAlignment() }
+
+  override int getPointerIndirectionLevel() {
+    result = this.getBaseType().getPointerIndirectionLevel()
+  }
+
+  override string explain() {
+    result = "typeof resulting in {" + this.getBaseType().explain() + "}"
+  }
+
+  override predicate involvesReference() { this.getBaseType().involvesReference() }
+
+  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
+
+  override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() }
+
+  override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConstBelow() }
+
+  override Specifier internal_getAnAdditionalSpecifier() {
+    result = this.getBaseType().getASpecifier()
+  }
+}
+
+/**
+ * A type obtained by applying a type transforming intrinsic or the C23 `typeof`
+ * operator to a type.
+ * For example:
+ * ```
+ * __make_unsigned(int) x;
+ * typeof_unqual(const int) y;
+ * ```
+ */
+class TransformedType extends Type, @type_operator {
+  override string getAPrimaryQlClass() { result = "TransformedType" }
+
+  /**
+   * The type immediately yielded by this transformation.
+   */
+  Type getBaseType() { type_operators(underlyingElement(this), _, _, unresolveElement(result)) }
+
+  /**
+   * The type transformed.
+   */
+  Type getTransformedType() {
+    type_operators(underlyingElement(this), unresolveElement(result), _, _)
+  }
+
+  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
+
+  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
+
+  override Type stripType() { result = this.getBaseType().stripType() }
+
+  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
+
+  override string getName() { none() }
+
+  override int getSize() { result = this.getBaseType().getSize() }
+
+  override int getAlignment() { result = this.getBaseType().getAlignment() }
+
+  override int getPointerIndirectionLevel() {
+    result = this.getBaseType().getPointerIndirectionLevel()
+  }
+
+  override string explain() {
+    result = "type transformation resulting in {" + this.getBaseType().explain() + "}"
+  }
+
+  override predicate involvesReference() { this.getBaseType().involvesReference() }
+
+  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
+
+  override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() }
+
+  override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConstBelow() }
+
+  override Specifier internal_getAnAdditionalSpecifier() {
+    result = this.getBaseType().getASpecifier()
+  }
+}
+
 /**
  * A C/C++ pointer type. See 4.9.1.
  * ```
diff --git a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -310,6 +310,8 @@ class Expr extends StmtParent, @expr {
     or
     exists(Decltype d | d.getExpr() = this.getParentWithConversions*())
     or
+    exists(TypeofExprType t | t.getExpr() = this.getParentWithConversions*())
+    or
     exists(ConstexprIfStmt constIf |
       constIf.getControllingExpr() = this.getParentWithConversions*()
     )
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
@@ -16,6 +16,10 @@ private predicate isDeeplyConst(Type t) {
   or
   isDeeplyConst(t.(Decltype).getBaseType())
   or
+  isDeeplyConst(t.(TypeofExprType).getBaseType())
+  or
+  isDeeplyConst(t.(TransformedType).getBaseType())
+  or
   isDeeplyConst(t.(ReferenceType).getBaseType())
   or
   exists(SpecifiedType specType | specType = t |
@@ -36,6 +40,10 @@ private predicate isDeeplyConstBelow(Type t) {
   or
   isDeeplyConstBelow(t.(Decltype).getBaseType())
   or
+  isDeeplyConstBelow(t.(TypeofExprType).getBaseType())
+  or
+  isDeeplyConstBelow(t.(TransformedType).getBaseType())
+  or
   isDeeplyConst(t.(PointerType).getBaseType())
   or
   isDeeplyConst(t.(ReferenceType).getBaseType())
diff --git a/cpp/ql/lib/semmlecode.cpp.dbscheme b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -743,15 +743,17 @@ typedefbase(
 );
 
 /**
- * An instance of the C++11 `decltype` operator.  For example:
+ * An instance of the C++11 `decltype` operator or C23 `typeof`/`typeof_unqual`
+ * operator taking an expression as its argument.  For example:
  * ```
  * int a;
  * decltype(1+a) b;
+ * typeof(1+a) c;
  * ```
  * Here `expr` is `1+a`.
  *
  * Sometimes an additional pair of parentheses around the expression
- * would change the semantics of this decltype, e.g.
+ * changes the semantics of the decltype, e.g.
  * ```
  * struct A { double x; };
  * const A* a = new A();
@@ -761,14 +763,55 @@ typedefbase(
  * (Please consult the C++11 standard for more details).
  * `parentheses_would_change_meaning` is `true` iff that is the case.
  */
+
+/*
+case @decltype.kind of
+|  0 = @decltype
+|  1 = @typeof // The frontend does not differentiate between typeof and typeof_unqual
+;
+*/
+
 #keyset[id, expr]
 decltypes(
     int id: @decltype,
     int expr: @expr ref,
+    int kind: int ref,
     int base_type: @type ref,
     boolean parentheses_would_change_meaning: boolean ref
 );
 
+/*
+case @type_operator.kind of
+|  0 = @typeof // The frontend does not differentiate between typeof and typeof_unqual
+|  1 = @underlying_type
+|  2 = @bases
+|  3 = @direct_bases
+|  4 = @add_lvalue_reference
+|  5 = @add_pointer
+|  6 = @add_rvalue_reference
+|  7 = @decay
+|  8 = @make_signed
+|  9 = @make_unsigned
+| 10 = @remove_all_extents
+| 11 = @remove_const
+| 12 = @remove_cv
+| 13 = @remove_cvref
+| 14 = @remove_extent
+| 15 = @remove_pointer
+| 16 = @remove_reference_t
+| 17 = @remove_restrict
+| 18 = @remove_volatile
+| 19 = @remove_reference
+;
+*/
+
+type_operators(
+    unique int id: @type_operator,
+    int arg_type: @type ref,
+    int kind: int ref,
+    int base_type: @type ref
+)
+
 /*
 case @usertype.kind of
 |  0 = @unknown_usertype
@@ -1103,10 +1146,10 @@ stmtattributes(
 @type = @builtintype
       | @derivedtype
       | @usertype
-      /* TODO | @fixedpointtype */
       | @routinetype
       | @ptrtomember
-      | @decltype;
+      | @decltype
+      | @type_operator;
 
 unspecifiedtype(
     unique int type_id: @type ref,
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql
@@ -47,11 +47,17 @@ Type stripType(Type t) {
   or
   result = stripType(t.(Decltype).getBaseType())
   or
+  result = stripType(t.(TypeofExprType).getBaseType())
+  or
+  result = stripType(t.(TransformedType).getBaseType())
+  or
   not t instanceof TypedefType and
   not t instanceof ArrayType and
   not t instanceof ReferenceType and
   not t instanceof SpecifiedType and
   not t instanceof Decltype and
+  not t instanceof TypeofExprType and
+  not t instanceof TransformedType and
   result = t
 }
 

Original file line number	Diff line number	Diff line change
`@@ -310,6 +310,8 @@ class Expr extends StmtParent, @expr {`
`310`	`310`	`or`
`311`	`311`	`exists(Decltype d \| d.getExpr() = this.getParentWithConversions*())`
`312`	`312`	`or`
	`313`	`+ exists(TypeofExprType t \| t.getExpr() = this.getParentWithConversions*())`
	`314`	`+ or`
`313`	`315`	`exists(ConstexprIfStmt constIf \|`
`314`	`316`	`constIf.getControllingExpr() = this.getParentWithConversions*()`
`315`	`317`	`)`