PointerToAVirtualBaseClass: Handle reference types and type defs

Author: lcartey

change_notes/2025-08-15-m5-2-2-virtual-base.md

@@ -0,0 +1,3 @@
+ - `M5-2-2` - `PointerToAVirtualBaseClassCastToAPointer.ql`:
+   - Report casts where the from or to types are typedefs to virtual base classes or derived classes.
+   - Report casts to a reference type which is a derived type.

cpp/common/src/codingstandards/cpp/rules/pointertoavirtualbaseclasscasttoapointer/PointerToAVirtualBaseClassCastToAPointer.qll

@@ -16,11 +16,19 @@ query predicate problems(Cast cast, string message) {
   exists(VirtualBaseClass castFrom, Class castTo |
     not isExcluded(cast, getQuery()) and
     not cast instanceof DynamicCast and
-    castFrom = cast.getExpr().getType().(PointerType).getBaseType() and
-    cast.getType().(PointerType).getBaseType() = castTo and
     castTo = castFrom.getADerivedClass+() and
     message =
       "A pointer to virtual base class " + castFrom.getName() +
         " is not cast to a pointer of derived class " + castTo.getName() + " using a dynamic_cast."
+  |
+    // Pointer cast
+    castFrom = cast.getExpr().getType().stripTopLevelSpecifiers().(PointerType).getBaseType() and
+    cast.getType().stripTopLevelSpecifiers().(PointerType).getBaseType() = castTo
+    or
+    // Reference type cast
+    castFrom = cast.getExpr().getType().stripTopLevelSpecifiers() and
+    // Not actually represented as a reference type in our model - instead as the
+    // type itself
+    cast.getType().stripTopLevelSpecifiers() = castTo
   )
 }

cpp/common/test/rules/pointertoavirtualbaseclasscasttoapointer/PointerToAVirtualBaseClassCastToAPointer.expected

@@ -0,0 +1,3 @@
+| test.cpp:36:12:36:37 | reinterpret_cast<C2 *>... | A pointer to virtual base class C1 is not cast to a pointer of derived class C2 using a dynamic_cast. |
+| test.cpp:42:12:42:38 | reinterpret_cast<C2>... | A pointer to virtual base class C1 is not cast to a pointer of derived class C2 using a dynamic_cast. |
+| test.cpp:48:17:48:48 | reinterpret_cast<Derived>... | A pointer to virtual base class C1 is not cast to a pointer of derived class C2 using a dynamic_cast. |

cpp/common/test/rules/pointertoavirtualbaseclasscasttoapointer/test.cpp

@@ -2,17 +2,74 @@ class C1 {
 public:
   virtual ~C1() {}
 };
+
 class C2 : public virtual C1 {
 public:
   C2() {}
   ~C2() {}
 };
 
-void f1() {
+typedef C1 Base;
+typedef C2 Derived;
+
+void test_dynamic_cast_pointer_compliant() {
   C2 l1;
   C1 *p1 = &l1;
+  C2 *p2 = dynamic_cast<C2 *>(p1); // COMPLIANT
+}
 
-  // C2 *p2 = static_cast<C2 *>(p1);   // NON_COMPLIANT, prohibited by compiler
-  C2 *p3 = dynamic_cast<C2 *>(p1);  // COMPLIANT
+void test_dynamic_cast_reference_compliant() {
+  C2 l1;
+  C1 *p1 = &l1;
   C2 &l2 = dynamic_cast<C2 &>(*p1); // COMPLIANT
 }
+
+void test_dynamic_cast_reference_compliant_typedefs() {
+  Derived l1;
+  Base *p1 = &l1;
+  Derived &l2 = dynamic_cast<Derived &>(*p1); // COMPLIANT
+}
+
+void test_reinterpret_cast_pointer_non_compliant() {
+  C2 l1;
+  C1 *p1 = &l1;
+  C2 *p2 = reinterpret_cast<C2 *>(p1); // NON_COMPLIANT
+}
+
+void test_reinterpret_cast_reference_non_compliant() {
+  C2 l1;
+  C1 *p1 = &l1;
+  C2 &l2 = reinterpret_cast<C2 &>(*p1); // NON_COMPLIANT
+}
+
+void test_reinterpret_cast_typedefs_non_compliant() {
+  Derived l1;
+  Base *p1 = &l1;
+  Derived &l2 = reinterpret_cast<Derived &>(*p1); // NON_COMPLIANT
+}
+
+void test_c_style_cast_pointer_non_compliant() {
+  C2 l1;
+  C1 *p1 = &l1;
+  // C2 *p2 = (C2 *)p1; // NON_COMPLIANT - prohibited by the compiler
+}
+
+void test_c_style_cast_reference_non_compliant() {
+  C2 l1;
+  C1 *p1 = &l1;
+  // C2 &l2 = (C2 &)*p1; // NON_COMPLIANT - prohibited by the compiler
+}
+
+void test_static_cast_pointer_non_compliant() {
+  C2 l1;
+  C1 *p1 = &l1;
+  // C2 *p2 = static_cast<C2 *>(p1); // NON_COMPLIANT - prohibited by the
+  // compiler
+}
+
+void test_static_cast_reference_non_compliant() {
+  C2 l1;
+  C1 *p1 = &l1;
+  // C2 &l2 = static_cast<C2 &>(*p1); // NON_COMPLIANT - prohibited by the
+  // compiler
+}