Merge pull request #1255 from geoffw0/wrongtypeformatmore

CPP: WrongTypeFormatArguments.ql Improvements

Author: jbj

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -25,8 +25,7 @@ private predicate formattingFunctionCallExpectedType(FormattingFunctionCall ffc,
       ffc.getTarget() = f and
       f.getFormatParameterIndex() = i and
       ffc.getArgument(i) = fl and
-      fl.getConversionType(pos) = expected and
-      count(fl.getConversionType(pos)) = 1
+      fl.getConversionType(pos) = expected
     )
 }
 
@@ -143,7 +142,10 @@ from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where (
         (
           formatArgType(ffc, n, expected, arg, actual) and
-          not trivialConversion(expected.getUnspecifiedType(), actual.getUnspecifiedType())
+          not exists(Type anyExpected |
+            formatArgType(ffc, n, anyExpected, arg, actual) and
+            trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
+          )
         )
         or
         (

cpp/ql/src/semmle/code/cpp/commons/Printf.qll

@@ -578,7 +578,7 @@ class FormatLiteral extends Literal {
       or ((len="z" or len="Z")
                   and (result = this.getSize_t() or result = this.getSsize_t()))
       or (len="t" and result = this.getPtrdiff_t())
-      or (len="I" and result instanceof IntType)
+      or (len="I" and (result = this.getSize_t() or result = this.getPtrdiff_t()))
       or (len="I32" and exists(MicrosoftInt32Type t |
         t.getUnsigned() = result.(IntegralType).getUnsigned() 
       ))
@@ -604,7 +604,7 @@ class FormatLiteral extends Literal {
       or ((len="z" or len="Z")
                   and (result = this.getSize_t() or result = this.getSsize_t()))
       or (len="t" and result = this.getPtrdiff_t())
-      or (len="I" and result instanceof IntType)
+      or (len="I" and (result = this.getSize_t() or result = this.getPtrdiff_t()))
       or (len="I32" and exists(MicrosoftInt32Type t |
         t.getUnsigned() = result.(IntegralType).getUnsigned()
       ))

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.expected

@@ -1,5 +1,7 @@
 | tests.cpp:18:15:18:22 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
 | tests.cpp:19:15:19:22 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
+| tests.cpp:21:15:21:21 | Hello | This argument should be of type 'char16_t *' but is of type 'char *' |
+| tests.cpp:21:15:21:21 | Hello | This argument should be of type 'wchar_t *' but is of type 'char *' |
 | tests.cpp:26:17:26:24 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
 | tests.cpp:27:17:27:24 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
 | tests.cpp:29:17:29:23 | Hello | This argument should be of type 'wchar_t *' but is of type 'char *' |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp

@@ -18,7 +18,7 @@ void tests() {
 	printf("%s", u"Hello"); // BAD: expecting char
 	printf("%s", L"Hello"); // BAD: expecting char
 
-	printf("%S", "Hello"); // BAD: expecting wchar_t or char16_t [NOT DETECTED]
+	printf("%S", "Hello"); // BAD: expecting wchar_t or char16_t
 	printf("%S", u"Hello"); // GOOD
 	printf("%S", L"Hello"); // GOOD
 

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.expected

@@ -1,2 +1,4 @@
 | tests_32.cpp:14:16:14:23 | void_ptr | This argument should be of type 'long' but is of type 'void *' |
+| tests_32.cpp:15:15:15:15 | l | This argument should be of type 'void *' but is of type 'long' |
 | tests_64.cpp:14:16:14:23 | void_ptr | This argument should be of type 'long' but is of type 'void *' |
+| tests_64.cpp:15:15:15:15 | l | This argument should be of type 'void *' but is of type 'long' |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp

@@ -12,6 +12,6 @@ void test_32()
 
 	printf("%li", l); // GOOD
 	printf("%li", void_ptr); // BAD
-	printf("%p", l); // BAD [NOT DETECTED]
+	printf("%p", l); // BAD
 	printf("%p", void_ptr); // GOOD
 }

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp

@@ -12,6 +12,6 @@ void test_64()
 
 	printf("%li", l); // GOOD
 	printf("%li", void_ptr); // BAD
-	printf("%p", l); // BAD [NOT DETECTED]
+	printf("%p", l); // BAD
 	printf("%p", void_ptr); // GOOD
 }

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/WrongTypeFormatArguments.expected

@@ -1,6 +1,7 @@
 | format.h:16:59:16:61 | str | This argument should be of type 'int' but is of type 'char *' |
 | format.h:16:64:16:64 | i | This argument should be of type 'double' but is of type 'int' |
 | format.h:16:67:16:67 | d | This argument should be of type 'char *' but is of type 'double' |
+| linux_c.c:11:15:11:18 | str3 | This argument should be of type 'char *' but is of type 'short *' |
 | pri_macros.h:15:35:15:40 | my_u64 | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:12:27:12:27 | i | This argument should be of type 'double' but is of type 'int' |
 | printf1.h:18:18:18:18 | i | This argument should be of type 'void *' but is of type 'int' |
@@ -12,6 +13,8 @@
 | printf1.h:46:18:46:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:113:17:113:17 | d | This argument should be of type 'long double' but is of type 'double' |
 | printf1.h:114:18:114:18 | d | This argument should be of type 'long double' but is of type 'double' |
+| printf1.h:147:19:147:19 | i | This argument should be of type 'long long' but is of type 'int' |
+| printf1.h:148:19:148:20 | ui | This argument should be of type 'unsigned long long' but is of type 'unsigned int' |
 | real_world.h:61:21:61:22 | & ... | This argument should be of type 'int *' but is of type 'short *' |
 | real_world.h:62:22:62:23 | & ... | This argument should be of type 'short *' but is of type 'int *' |
 | real_world.h:63:22:63:24 | & ... | This argument should be of type 'short *' but is of type 'unsigned int *' |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux_c.c

@@ -0,0 +1,12 @@
+/** standard printf functions */
+
+int printf(const char *format, ...);
+
+/** test program */
+
+void restrict_cases(char * restrict str1, const char * restrict str2, short * restrict str3)
+{
+	printf("%s", str1); // GOOD
+	printf("%s", str2); // GOOD
+	printf("%s", str3); // BAD
+}

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/options

@@ -1 +1 @@
-semmle-extractor-options: --edg --signed_chars
+semmle-extractor-options: --clang --edg --signed_chars