CPP: Improve WrongTypeFormatArguments logic when there is more than one possible expected argument type.

geoffw0 · geoffw0 · commit a749b5b6d1ea · 2019-05-01T11:12:06.000+01:00
diff --git a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
@@ -25,8 +25,7 @@ private predicate formattingFunctionCallExpectedType(FormattingFunctionCall ffc,
       ffc.getTarget() = f and
       f.getFormatParameterIndex() = i and
       ffc.getArgument(i) = fl and
-      fl.getConversionType(pos) = expected and
-      count(fl.getConversionType(pos)) = 1
+      fl.getConversionType(pos) = expected
     )
 }
 
@@ -143,7 +142,10 @@ from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where (
         (
           formatArgType(ffc, n, expected, arg, actual) and
-          not trivialConversion(expected.getUnspecifiedType(), actual.getUnspecifiedType())
+          not exists(Type anyExpected |
+            formatArgType(ffc, n, anyExpected, arg, actual) and
+            trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
+          )
         )
         or
         (
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.expected
@@ -1,5 +1,7 @@
 | tests.cpp:18:15:18:22 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
 | tests.cpp:19:15:19:22 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
+| tests.cpp:21:15:21:21 | Hello | This argument should be of type 'char16_t *' but is of type 'char *' |
+| tests.cpp:21:15:21:21 | Hello | This argument should be of type 'wchar_t *' but is of type 'char *' |
 | tests.cpp:26:17:26:24 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
 | tests.cpp:27:17:27:24 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
 | tests.cpp:29:17:29:23 | Hello | This argument should be of type 'wchar_t *' but is of type 'char *' |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp
@@ -18,7 +18,7 @@ void tests() {
 	printf("%s", u"Hello"); // BAD: expecting char
 	printf("%s", L"Hello"); // BAD: expecting char
 
-	printf("%S", "Hello"); // BAD: expecting wchar_t or char16_t [NOT DETECTED]
+	printf("%S", "Hello"); // BAD: expecting wchar_t or char16_t
 	printf("%S", u"Hello"); // GOOD
 	printf("%S", L"Hello"); // GOOD
 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.expected
@@ -1,2 +1,4 @@
 | tests_32.cpp:14:16:14:23 | void_ptr | This argument should be of type 'long' but is of type 'void *' |
+| tests_32.cpp:15:15:15:15 | l | This argument should be of type 'void *' but is of type 'long' |
 | tests_64.cpp:14:16:14:23 | void_ptr | This argument should be of type 'long' but is of type 'void *' |
+| tests_64.cpp:15:15:15:15 | l | This argument should be of type 'void *' but is of type 'long' |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp
@@ -12,6 +12,6 @@ void test_32()
 
 	printf("%li", l); // GOOD
 	printf("%li", void_ptr); // BAD
-	printf("%p", l); // BAD [NOT DETECTED]
+	printf("%p", l); // BAD
 	printf("%p", void_ptr); // GOOD
 }
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp
@@ -12,6 +12,6 @@ void test_64()
 
 	printf("%li", l); // GOOD
 	printf("%li", void_ptr); // BAD
-	printf("%p", l); // BAD [NOT DETECTED]
+	printf("%p", l); // BAD
 	printf("%p", void_ptr); // GOOD
 }
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.expected
@@ -32,3 +32,4 @@
 | real_world.h:63:22:63:24 | & ... | This argument should be of type 'short *' but is of type 'unsigned int *' |
 | real_world.h:64:22:64:24 | & ... | This argument should be of type 'short *' but is of type 'signed int *' |
 | wide_string.h:25:18:25:20 | c | This argument should be of type 'char' but is of type 'char *' |
+| wide_string.h:29:19:29:22 | c | This argument should be of type 'wchar_t' but is of type 'unsigned short *' |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/wide_string.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/wide_string.h
@@ -26,5 +26,5 @@ void test_wchar4(char c, const char cc, wchar_t wc, const wchar_t wcc) {
     printf("%wc", wc);             // GOOD
     printf("%wc", wcc);            // GOOD
     printf("%wc", L'c');           // GOOD
-    printf("%wc", L"c");           // BAD [NOT DETECTED]
+    printf("%wc", L"c");           // BAD
 }

Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,7 @@ private predicate formattingFunctionCallExpectedType(FormattingFunctionCall ffc,`
`25`	`25`	`ffc.getTarget() = f and`
`26`	`26`	`f.getFormatParameterIndex() = i and`
`27`	`27`	`ffc.getArgument(i) = fl and`
`28`		`- fl.getConversionType(pos) = expected and`
`29`		`- count(fl.getConversionType(pos)) = 1`
	`28`	`+ fl.getConversionType(pos) = expected`
`30`	`29`	`)`
`31`	`30`	`}`
`32`	`31`
`@@ -143,7 +142,10 @@ from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual`
`143`	`142`	`where (`
`144`	`143`	`(`
`145`	`144`	`formatArgType(ffc, n, expected, arg, actual) and`
`146`		`- not trivialConversion(expected.getUnspecifiedType(), actual.getUnspecifiedType())`
	`145`	`+ not exists(Type anyExpected \|`
	`146`	`+ formatArgType(ffc, n, anyExpected, arg, actual) and`
	`147`	`+ trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())`
	`148`	`+ )`
`147`	`149`	`)`
`148`	`150`	`or`
`149`	`151`	`(`
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,6 @@ void test_32()`
`12`	`12`
`13`	`13`	`printf("%li", l); // GOOD`
`14`	`14`	`printf("%li", void_ptr); // BAD`
`15`		`- printf("%p", l); // BAD [NOT DETECTED]`
	`15`	`+ printf("%p", l); // BAD`
`16`	`16`	`printf("%p", void_ptr); // GOOD`
`17`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,6 @@ void test_64()`
`12`	`12`
`13`	`13`	`printf("%li", l); // GOOD`
`14`	`14`	`printf("%li", void_ptr); // BAD`
`15`		`- printf("%p", l); // BAD [NOT DETECTED]`
	`15`	`+ printf("%p", l); // BAD`
`16`	`16`	`printf("%p", void_ptr); // GOOD`
`17`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,5 +26,5 @@ void test_wchar4(char c, const char cc, wchar_t wc, const wchar_t wcc) {`
`26`	`26`	`printf("%wc", wc); // GOOD`
`27`	`27`	`printf("%wc", wcc); // GOOD`
`28`	`28`	`printf("%wc", L'c'); // GOOD`
`29`		`- printf("%wc", L"c"); // BAD [NOT DETECTED]`
	`29`	`+ printf("%wc", L"c"); // BAD`
`30`	`30`	`}`