Home
>
Documentation
>
Warnings
>
V1105. Suspicious string modification u…


V1105. Suspicious string modification using the 'operator+='. The right operand is implicitly converted to a character type.

The analyzer has detected a suspicious code fragment: a string variable of the 'std::basic_string' type is modified using the '+=' operator. At the same time, the right operand is an expression of arithmetic type. Due to implicit modifications that occur before the operator is called, the result may be unexpected.

Look at the example:

void foo()
{
  std::string str;
  str += 1000;     // N1
  str += ' ';
  str += 4.5;      // N2
  str += ' ';
  str += 400.52;   // N3
}

A developer wanted to build a string containing three numbers. However, the execution of this code results in the following:

  • In the line N1, there is an implicit conversion from the 'int' to 'char' type. The result of this conversion depends on the signedness of the 'char' type and the version of the C++ standard. For example, there is an option to convert the '1000' constant to the '-24' value, which matches a character from the extended ASCII table.
  • In the line N2, there is an implicit conversion from the 'double' to 'char' type. At first, the fractional part of the '4.5' number is discarded. Since the resulting value of '4' fits in the range of values of the 'char' type, the conversion results in a character with the ASCII code 4, which is a non-printable character.
  • The line N3 contains undefined behavior. After discarding the fractional part of '400.52', the result doesn't fit in the range of values of the 'char' type (even if it's unsigned).

Note: despite the fact that both values, 1000 and 400.52, don't fit in 'char', the consequences of their conversion will be different. In the case of 1000 we are dealing with a narrow conversion. This code compiles but can be incorrect. While converting a floating-point number (400.52) to the 'char' type is undefined behavior according to the language standard.

In all such cases, it's necessary to use the appropriate functions for explicit conversion. For example, use the 'std::to_string' function to convert numbers to strings:

void foo()
{
  std::string str;
  str += std::to_string(1000);
  str += ' ';
  str += std::to_string(4.5);
  str += ' ';
  str += std::to_string(400.52);
}

If a developer intends to add a character to a string using its numerical representation, the readability of such code definitely decreases. It's better to rewrite such code using a character literal containing either the required character or an escape sequence:

void foo()
{
  std::string str;

  // first option
  str += '*';

  // second option
  str += '\x2A';
}

The analyzer issues the following messages:

  • the warning of High level, when the right operand is of real type;
  • the warning of Medium level, when the right operand of integer type is discarded as a result of implicit conversion;
  • the warning of Low level, when the right operand of the integer type, due to implicit conversion, remains with the same value and fits in the range of [0 ... 127] (characters from the non-expanded ASCII table).