Our recently developed type confusion detection tool reports a type_confusion error in the "xercesc/dom/imple/DOMCasts.hpp"
xercesc/dom/imple/DOMCasts.hpp, line 146
static inline DOMNodeImpl *castToNodeImpl(const DOMNode *p)
DOMElementImpl *pE = (DOMElementImpl *)p;
p is pointing to the object allocated as DOMTextImpl, and it is casted into DOMElementImpl. However, since DOMElementImpl is not a subobject of DOMTextImpl, it is violating C++ standard rules 5.2.9/11 (down casting is undefined if the object that the pointer to be casted points to is not a suboject of down casting type) and causes undefined behaviors.
There are similar type-confusion cases as below links.
- (libstdc++) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
- (Firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=1074280
I attached a actual type confusion report and object relationship information.