C++: Fix obtaining the base type of a VLA

jketema · jketema · commit c54128eec961 · 2025-09-01T16:46:59.000+02:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -4185,8 +4185,18 @@ class TranslatedSizeofExpr extends TranslatedNonConstantExpr {
 
   override string getInstructionConstantValue(InstructionTag tag) {
     tag = SizeofVlaDimensionTag(-1) and
-    result =
-      getBaseType(vlaDeclStmt.getVariable().getUnderlyingType(), vlaDimensions).getSize().toString()
+    result = this.getVlaBaseType(vlaDeclStmt).getSize().toString()
+  }
+
+  private Type getVlaBaseType(VlaDeclStmt v) {
+    not exists(getParentVlaDecl(v)) and
+    (
+      result = getBaseType(v.getVariable().getUnderlyingType(), v.getNumberOfVlaDimensionStmts())
+      or
+      result = getBaseType(v.getType().getUnderlyingType(), v.getNumberOfVlaDimensionStmts())
+    )
+    or
+    result = this.getVlaBaseType(getParentVlaDecl(v))
   }
 
   override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected b/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
@@ -20589,7 +20589,7 @@ ir.cpp:
 # 2807|     m2807_2(long[][][])           = Uninitialized[tmp]       : &:r2807_1
 # 2807|     v2807_3(void)                 = NoOp                     : 
 # 2808|     r2808_1(glval<unsigned long>) = VariableAddress[#return] : 
-# 2808|     r2808_2(unsigned long)        = Constant                 : 
+# 2808|     r2808_2(unsigned long)        = Constant[8]              : 
 # 2808|     r2808_3(unsigned long)        = Mul                      : r2808_2, r2802_2
 # 2808|     r2808_4(unsigned long)        = Mul                      : r2808_3, r2802_4
 # 2808|     m2808_5(unsigned long)        = Store[#return]           : &:r2808_1, r2808_4
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -18732,7 +18732,7 @@ ir.cpp:
 # 2807|     mu2807_2(long[][][])          = Uninitialized[tmp]       : &:r2807_1
 # 2807|     v2807_3(void)                 = NoOp                     : 
 # 2808|     r2808_1(glval<unsigned long>) = VariableAddress[#return] : 
-# 2808|     r2808_2(unsigned long)        = Constant                 : 
+# 2808|     r2808_2(unsigned long)        = Constant[8]              : 
 # 2808|     r2808_3(unsigned long)        = Mul                      : r2808_2, r2802_2
 # 2808|     r2808_4(unsigned long)        = Mul                      : r2808_3, r2802_4
 # 2808|     mu2808_5(unsigned long)       = Store[#return]           : &:r2808_1, r2808_4
