
LGTM.com - false positive for move and copy assignment operators not returning *this (C++) #7035

Open
oknenavin opened this issue Nov 2, 2021 · 2 comments
Labels
acknowledged GitHub staff acknowledges this issue C++ false-positive not security This issue does not relate to a security query

Comments

@oknenavin

The error is reported for these operators when *this is returned indirectly via a function call. For example:

https://lgtm.com/projects/g/oknenavin/cxon/snapshot/9103621a01a81595999681a97870d8930d56aa58/files/src/cxon/lang/cbor/node/node.hxx?sort=name&dir=ASC&mode=heatmap#xc6e83398218bd018:1

we have:

return value::move_assign<T>(*this, std::forward<basic_node>(o));

where value::move_assign returns its first argument, which is *this.
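To make the pattern in the report concrete, the following is an added example (not cxon's code; `value::move_assign`, `basic_node` and the helper bodies are stand-ins modelled on the description above). Both assignment operators return `*this` only indirectly, through a helper that hands back its first argument, and `assignment_returns_this()` checks the property the query is meant to enforce: the reference yielded by an assignment expression is the assigned-to object itself, which is what makes chained assignment `a = b = c` work.

```cpp
#include <cassert>
#include <cstdio>
#include <string>
#include <utility>

// Hypothetical helpers in the style of the value::move_assign mentioned in the
// issue (assumed names and bodies, not the project's own): they write `src`
// into `self` and return `self` by reference, so the caller can return that.
namespace value {
    template <typename Self, typename Src>
    Self& move_assign(Self& self, Src&& src) {
        self.payload = std::move(src.payload);
        return self;   // always the first argument, i.e. *this at the call site
    }
    template <typename Self, typename Src>
    Self& copy_assign(Self& self, const Src& src) {
        self.payload = src.payload;
        return self;
    }
}

struct basic_node {
    std::string payload;

    basic_node() = default;
    explicit basic_node(std::string p) : payload(std::move(p)) {}
    basic_node(const basic_node&) = default;
    basic_node(basic_node&&) = default;

    // Neither operator contains a literal `return *this;`; the reference they
    // return is the helper's first argument, which is *this on every path.
    basic_node& operator=(const basic_node& o) {
        return value::copy_assign(*this, o);
    }
    basic_node& operator=(basic_node&& o) {
        return value::move_assign(*this, std::move(o));
    }
};

// Runtime check of the property a "return *this" query exists to enforce:
// copy, move and chained assignment must all evaluate to the assigned-to object.
bool assignment_returns_this() {
    basic_node a("a"), b("b"), c("c");
    basic_node& r1 = (a = b);                          // copy assignment
    basic_node& r2 = (a = std::move(c));               // move assignment
    basic_node& r3 = (a = b = basic_node("chained"));  // chaining relies on it
    return &r1 == &a && &r2 == &a && &r3 == &a
        && a.payload == "chained" && b.payload == "chained";
}

int main() {
    bool ok = assignment_returns_this();
    std::printf("assignment returns *this: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

A static checker that only looks for a syntactic `return *this;` in the operator body will flag this class even though the identity property holds; confirming it requires following the returned reference through the helper, which is the gap the report describes.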

@adityasharad adityasharad added C++ not security This issue does not relate to a security query labels Nov 2, 2021
@adityasharad
Collaborator

Thanks for the report! At a brief glance I agree this looks like a false positive. The code you link to implements operator= using a templated move_assign function, which appears to return *this in all code paths, but the analysis used by this particular query has not taken that fact into account.

I have passed your suggestion on to the CodeQL C/C++ analysis team. Our current focus is on improving our security analysis. Because your report does not relate to a security query, we will put this on our backlog and prioritize it if we get enough reports of the same underlying issue in other projects. (If you think that your report is related to our security analysis, please clarify that in a comment.) We'll let you know here as soon as it's fixed.

In the meantime, GitHub Code Scanning and lgtm.com have facilities for suppressing individual alerts or disabling a query: please feel free to use those features as appropriate in your codebase, particularly if these alerts are proving noisy.

@adityasharad adityasharad added the acknowledged GitHub staff acknowledges this issue label Nov 2, 2021
@oknenavin
Author

Thanks a lot for the quick response! Well, gaps in code analysis are always a security risk, no? ;)
Thanks again - I'll check how to suppress these gracefully as I don't want to cheat the system. :)
