Fix false positives in RULE-6-9-2/A3-9-1 for auto-deduced types

castler · castler · commit 4ca4133aa98e · 2026-06-20T07:03:10.000+02:00
Variables declared with 'auto' or 'decltype(auto)' should not be flagged when the deduced type resolves through fixed-width typedefs (e.g. uint32_t) to a built-in integer type. The programmer never explicitly wrote a variable-width type name in these cases. This is analogous to the existing template instantiation exclusion (#540). Fixes: #1145
diff --git a/change_notes/2026-06-19-fix-fp-rule-6-9-2-auto-deduced.md b/change_notes/2026-06-19-fix-fp-rule-6-9-2-auto-deduced.md
@@ -0,0 +1,2 @@
+- `RULE-6-9-2`, `A3-9-1` - `VariableWidthIntegerTypesUsed.qll`:
+  - Fixed false positives for variables declared with `auto` or `decltype(auto)` where the deduced type resolves through fixed-width typedefs (e.g., `std::uint32_t`) to a built-in integer type. The programmer never wrote a variable-width type name in these cases.
diff --git a/cpp/common/src/codingstandards/cpp/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.qll b/cpp/common/src/codingstandards/cpp/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.qll
@@ -33,6 +33,10 @@ query predicate problems(Element e, string message) {
       // Fixed Width Types are recorded after stripping their typedef'd type,
       // thereby, causing false positives (#540).
       not v.isFromTemplateInstantiation(_) and
+      // Dont consider variables declared with `auto` or `decltype(auto)` because
+      // the deduced type may resolve through fixed-width typedefs (e.g. uint32_t)
+      // to a built-in type, even though the programmer never wrote that type name.
+      not v.declaredUsingAutoType() and
       //post-increment/post-decrement operators are required by the standard to have a dummy int parameter
       not v.(Parameter).getFunction() instanceof PostIncrementOperator and
       not v.(Parameter).getFunction() instanceof PostDecrementOperator and
diff --git a/cpp/common/test/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.expected b/cpp/common/test/rules/variablewidthintegertypesused/VariableWidthIntegerTypesUsed.expected
@@ -50,3 +50,5 @@
 | test.cpp:123:6:123:21 | test_long_return | Function 'test_long_return' has variable-width return type. |
 | test.cpp:126:15:126:39 | test_unsigned_long_return | Function 'test_unsigned_long_return' has variable-width return type. |
 | test.cpp:129:13:129:35 | test_signed_long_return | Function 'test_signed_long_return' has variable-width return type. |
+| test.cpp:160:5:160:11 | get_int | Function 'get_int' has variable-width return type. |
+| test.cpp:166:7:166:18 | explicit_int | Variable 'explicit_int' has variable-width type. |
diff --git a/cpp/common/test/rules/variablewidthintegertypesused/test.cpp b/cpp/common/test/rules/variablewidthintegertypesused/test.cpp
@@ -153,3 +153,15 @@ std::uint32_t test_uint32_t_return() { // COMPLIANT
 std::uint64_t test_uint64_t_return() { // COMPLIANT
   return 60;
 }
+
+// Regression test: auto-deduced types should not be flagged even when
+// the deduced type resolves through fixed-width typedefs to a built-in type.
+std::uint32_t get_uint32() { return 0; }
+int get_int() { return 0; }
+
+void test_auto_deduced_types() {
+  auto a1 = get_uint32(); // COMPLIANT - auto deduces through uint32_t
+  auto a2 = get_int();    // COMPLIANT - auto, programmer didn't write 'int'
+  const auto a3 = 42U;    // COMPLIANT - auto
+  int explicit_int = 0;   // NON_COMPLIANT - explicit variable-width type
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+- `RULE-6-9-2`, `A3-9-1` - `VariableWidthIntegerTypesUsed.qll`:
	`2`	+ - Fixed false positives for variables declared with `auto` or `decltype(auto)` where the deduced type resolves through fixed-width typedefs (e.g., `std::uint32_t`) to a built-in integer type. The programmer never wrote a variable-width type name in these cases.