Merge remote-tracking branch 'upstream/master' into mergeback-2018-10-08

2026-04-30 03:05:15 +02:00 · 2018-10-08 11:48:56 +02:00
parent 989a82fd1e 799c034a5e
commit 49644bfb47
151 changed files with 5884 additions and 546 deletions
--- a/Bugs/Arithmetic/PointlessComparison.ql
+++ b/Bugs/Arithmetic/PointlessComparison.ql
@@ -22,13 +22,15 @@ import UnsignedGEZero
 // #define PRINTMSG(val,msg) { if (val >= PRINTLEVEL) printf(msg); }
 //
 // So to reduce the number of false positives, we do not report a result if
-// the comparison is in a macro expansion.
+// the comparison is in a macro expansion. Similarly for template
+// instantiations.
 from
  ComparisonOperation cmp, SmallSide ss,
  float left, float right, boolean value,
  string reason
 where
  not cmp.isInMacroExpansion() and
+  not cmp.isFromTemplateInstantiation(_) and
  reachablePointlessComparison(cmp, left, right, value, ss) and

  // a comparison between an enum and zero is always valid because whether
--- a/Bugs/Format/WrongTypeFormatArguments.ql
+++ b/Bugs/Format/WrongTypeFormatArguments.ql
@@ -25,7 +25,8 @@ private predicate formattingFunctionCallExpectedType(FormattingFunctionCall ffc,
      ffc.getTarget() = f and
      f.getFormatParameterIndex() = i and
      ffc.getArgument(i) = fl and
-      fl.getConversionType(pos) = expected
+      fl.getConversionType(pos) = expected and
+      count(fl.getConversionType(pos)) = 1
    )
 }

@@ -66,30 +67,15 @@ predicate formatOtherArgType(FormattingFunctionCall ffc, int pos, Type expected,
 class ExpectedType extends Type
 {
  ExpectedType() {
-    formatArgType(_, _, this, _, _) or
-    formatOtherArgType(_, _, this, _, _) or
-    exists(ExpectedType t |
-      this = t.(PointerType).getBaseType()
+  	exists(Type t |
+      (
+        formatArgType(_, _, t, _, _) or
+        formatOtherArgType(_, _, t, _, _)
+      ) and this = t.getUnspecifiedType()
    )
  }
 }

-/**
- * Gets an 'interesting' type that can be reached from `t` by removing
- * typedefs and specifiers.  Note that this does not always mean removing
- * all typedefs and specifiers as `Type.getUnspecifiedType()` would, for
- * example if the interesting type is itself a typedef.
- */
-ExpectedType getAnUnderlyingExpectedType(Type t) {
-  (
-    result = t
-  ) or (
-    result = getAnUnderlyingExpectedType(t.(TypedefType).getBaseType())
-  ) or (
-    result = getAnUnderlyingExpectedType(t.(SpecifiedType).getBaseType())
-  )
-}
-
 /**
 * Holds if it is safe to display a value of type `actual` when `printf`
 * expects a value of type `expected`.
@@ -100,59 +86,48 @@ ExpectedType getAnUnderlyingExpectedType(Type t) {
 * are converted to `double`.
 */
 predicate trivialConversion(ExpectedType expected, Type actual) {
-  formatArgType(_, _, expected, _, actual) and
-
-  exists(Type actualU |
-    actualU = actual.getUnspecifiedType() and
+  exists(Type exp, Type act |
+    formatArgType(_, _, exp, _, act) and
+    expected = exp.getUnspecifiedType() and
+    actual = act.getUnspecifiedType()
+  ) and (
    (
-      (
-        // allow a pointer type to be displayed with `%p`
-        expected instanceof VoidPointerType and actualU instanceof PointerType
-      ) or (
-        // allow a function pointer type to be displayed with `%p`
-        expected instanceof VoidPointerType and actualU instanceof FunctionPointerType and expected.getSize() = actual.getSize()
-      ) or (
-        // allow an `enum` type to be displayed with `%i`, `%c` etc
-        expected instanceof IntegralType and actualU instanceof Enum
-      ) or (
-        // allow any `char *` type to be displayed with `%s`
-        expected instanceof CharPointerType and actualU instanceof CharPointerType
-      ) or (
-        // allow `wchar_t *`, or any pointer to an integral type of the same size, to be displayed
-        // with `%ws`
-        expected.(PointerType).getBaseType().hasName("wchar_t") and
-        exists(Wchar_t t |
-          actual.getUnspecifiedType().(PointerType).getBaseType().(IntegralType).getSize() = t.getSize()
-        )
-      ) or (
-        // allow an `int` (or anything promoted to `int`) to be displayed with `%c`
-        expected instanceof CharType and actualU instanceof IntType
-      ) or (
-        // allow an `int` (or anything promoted to `int`) to be displayed with `%wc`
-        expected instanceof Wchar_t and actualU instanceof IntType
-      ) or (
-        expected instanceof UnsignedCharType and actualU instanceof IntType
-      ) or (
-        // allow the underlying type of a `size_t` (e.g. `unsigned long`) for
-        // `%zu`, since this is the type of a `sizeof` expression
-        expected instanceof Size_t and
-        actual.getUnspecifiedType() = expected.getUnspecifiedType()
-      ) or (
-        // allow the underlying type of a `ssize_t` (e.g. `long`) for `%zd`
-        expected instanceof Ssize_t and
-        actual.getUnspecifiedType() = expected.getUnspecifiedType()
-      ) or (
-        // allow any integral type of the same size 
-        // (this permits signedness changes)
-        expected.(IntegralType).getSize() = actualU.(IntegralType).getSize()
-      ) or (
-        // allow a pointer to any integral type of the same size
-        // (this permits signedness changes)
-        expected.(PointerType).getBaseType().(IntegralType).getSize() = actualU.(PointerType).getBaseType().(IntegralType).getSize()
-      ) or (
-        // allow expected, or a typedef or specified version of expected
-        expected = getAnUnderlyingExpectedType(actual)
+      // allow a pointer type to be displayed with `%p`
+      expected instanceof VoidPointerType and actual instanceof PointerType
+    ) or (
+      // allow a function pointer type to be displayed with `%p`
+      expected instanceof VoidPointerType and actual instanceof FunctionPointerType and expected.getSize() = actual.getSize()
+    ) or (
+      // allow an `enum` type to be displayed with `%i`, `%c` etc
+      expected instanceof IntegralType and actual instanceof Enum
+    ) or (
+      // allow any `char *` type to be displayed with `%s`
+      expected instanceof CharPointerType and actual instanceof CharPointerType
+    ) or (
+      // allow `wchar_t *`, or any pointer to an integral type of the same size, to be displayed
+      // with `%ws`
+      expected.(PointerType).getBaseType().hasName("wchar_t") and
+      exists(Wchar_t t |
+        actual.getUnspecifiedType().(PointerType).getBaseType().(IntegralType).getSize() = t.getSize()
      )
+    ) or (
+      // allow an `int` (or anything promoted to `int`) to be displayed with `%c`
+      expected instanceof CharType and actual instanceof IntType
+    ) or (
+      // allow an `int` (or anything promoted to `int`) to be displayed with `%wc`
+      expected instanceof Wchar_t and actual instanceof IntType
+    ) or (
+      expected instanceof UnsignedCharType and actual instanceof IntType
+    ) or (
+      // allow any integral type of the same size 
+      // (this permits signedness changes)
+      expected.(IntegralType).getSize() = actual.(IntegralType).getSize()
+    ) or (
+      // allow a pointer to any integral type of the same size
+      // (this permits signedness changes)
+      expected.(PointerType).getBaseType().(IntegralType).getSize() = actual.(PointerType).getBaseType().(IntegralType).getSize()
+    ) or (
+      expected = actual
    )
  )
 }
@@ -164,16 +139,16 @@ int sizeof_IntType() {
  exists(IntType it | result = it.getSize())
 }

-from FormattingFunctionCall ffc, int n, Expr arg, ExpectedType expected, Type actual
+from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where (
        (
          formatArgType(ffc, n, expected, arg, actual) and
-          not trivialConversion(expected, actual)
+          not trivialConversion(expected.getUnspecifiedType(), actual.getUnspecifiedType())
        )
        or
        (
          formatOtherArgType(ffc, n, expected, arg, actual) and
-          not actual.getUnderlyingType().(IntegralType).getSize() = sizeof_IntType()
+          not actual.getUnspecifiedType().(IntegralType).getSize() = sizeof_IntType()
        )
      )
      and not arg.isAffectedByMacro()
--- a/Management/SuspiciousCallToMemset.ql
+++ b/Management/SuspiciousCallToMemset.ql
@@ -41,11 +41,13 @@ Type stripType(Type t) {
  result = stripType(t.(ArrayType).getBaseType()) or
  result = stripType(t.(ReferenceType).getBaseType()) or
  result = stripType(t.(SpecifiedType).getBaseType()) or
+  result = stripType(t.(Decltype).getBaseType()) or
  (
    not t instanceof TypedefType and
    not t instanceof ArrayType and
    not t instanceof ReferenceType and
    not t instanceof SpecifiedType and
+    not t instanceof Decltype and
    result = t
  )
 }
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.cpp
@@ -0,0 +1,3 @@
+wchar_t* pSrc;
+
+pSrc = (wchar_t*)"a"; // casting a byte-string literal "a" to a wide-character string
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.qhelp
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+  <p>This rule indicates a potentially incorrect cast from an byte string (<code>char *</code>) to a wide-character string (<code>wchar_t *</code>).</p>
+  <p>This cast might yield strings that are not correctly terminated; including potential buffer overruns when using such strings with some dangerous APIs.</p>
+</overview>
+
+<recommendation>
+  <p>Do not explicitly cast byte strings to wide-character strings.</p>
+  <p>For string literals, prepend the literal string with the letter "L" to indicate that the string is a wide-character string (<code>wchar_t *</code>).</p>
+  <p>For converting a byte literal to a wide-character string literal, you would need to use the appropriate conversion function for the platform you are using. Please see the references section for options according to your platform.</p>
+</recommendation>
+
+<example>
+<p>In the following example, an byte string literal (<code>"a"</code>) is cast to a wide-character string.</p>
+<sample src="WcharCharConversion.cpp" />
+
+<p>To fix this issue, prepend the literal with the letter "L" (<code>L"a"</code>) to define it as a wide-character string.</p>
+</example>
+
+<references>
+  <li>
+    General resources:
+    <a href="https://en.cppreference.com/w/cpp/string/multibyte/mbstowcs">std::mbstowcs</a>
+  </li>
+  <li>
+    Microsoft specific resources:
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/Intl/security-considerations--international-features">Security Considerations: International Features</a>
+  </li>
+</references>
+
+</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
@@ -0,0 +1,29 @@
+/**
+ * @name Cast from char* to wchar_t*
+ * @description Casting a byte string to a wide-character string is likely 
+ *              to yield a string that is incorrectly terminated or aligned. 
+ *              This can lead to undefined behavior, including buffer overruns.
+ * @kind problem
+ * @id cpp/incorrect-string-type-conversion
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-704
+ *       external/microsoft/c/c6276
+ */
+import cpp
+
+class WideCharPointerType extends PointerType {
+  WideCharPointerType() { 
+    this.getBaseType() instanceof WideCharType 
+  }
+}
+
+from Expr e1, Cast e2
+where 
+  e2 = e1.getConversion() and
+  exists(WideCharPointerType w, CharPointerType c |
+    w = e2.getType().getUnspecifiedType().(PointerType) and
+    c = e1.getType().getUnspecifiedType().(PointerType)
+  )
+select e1, "Conversion from " + e1.getType().toString() + " to " +  e2.getType().toString() + ". Use of invalid string can lead to undefined behavior."
--- a/cpp/ql/src/jsf/4.13
+++ b/cpp/ql/src/jsf/4.13
@@ -3,7 +3,7 @@
 * @description All functions that are not void should return a value on every exit path.
 * @kind problem
 * @problem.severity error
- * @precision medium
+ * @precision high
 * @id cpp/missing-return
 * @tags reliability
 *       readability
--- a/cpp/ql/src/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/Printf.qll
@@ -220,6 +220,32 @@ class FormatLiteral extends Literal {
    getUse().getTarget().(FormattingFunction).isWideCharDefault()
  }

+  /**
+   * Gets the default character type expected for `%s` by this format literal.  Typically
+   * `char` or `wchar_t`.
+   */
+  Type getDefaultCharType() {
+    result = getUse().getTarget().(FormattingFunction).getDefaultCharType()
+  }
+
+  /**
+   * Gets the non-default character type expected for `%S` by this format literal.  Typically
+   * `wchar_t` or `char`.  On some snapshots there may be multiple results where we can't tell
+   * which is correct for a particular function.
+   */
+  Type getNonDefaultCharType() {
+    result = getUse().getTarget().(FormattingFunction).getNonDefaultCharType()
+  }
+
+  /**
+   * Gets the wide character type for this format literal.  This is usually `wchar_t`.  On some
+   * snapshots there may be multiple results where we can't tell which is correct for a
+   * particular function.
+   */
+  Type getWideCharType() {
+    result = getUse().getTarget().(FormattingFunction).getWideCharType()
+  }
+
  /**
   * Holds if this `FormatLiteral` is in a context that supports
   * Microsoft rules and extensions.
@@ -629,7 +655,6 @@ class FormatLiteral extends Literal {
    result = getConversionType2(n) or
    result = getConversionType3(n) or
    result = getConversionType4(n) or
-    result = getConversionType5(n) or
    result = getConversionType6(n) or
    result = getConversionType7(n) or
    result = getConversionType8(n) or
@@ -696,33 +721,35 @@ class FormatLiteral extends Literal {
  }

  /**
-   * Gets the 'effective' string type character, that is, 's' (meaning a char string) or
-   * 'S' (meaning a wide string).
-   *  - in the base case this is the same as the format type character.
-   *  - for a `wprintf` or similar function call, the meanings are reversed.
-   *  - the size prefixes 'l'/'w' (long) and 'h' (short) override the
-   *    type character to effectively 'S' or 's' respectively.
+   * Gets the string type required by the nth conversion specifier.
+   *  - in the base case this is the default for the formatting function
+   *    (e.g. `char` for `printf`, `wchar_t` for `wprintf`).
+   *  - the `%S` format character reverses wideness.
+   *  - the size prefixes 'l'/'w' and 'h' override the type character
+   *    to wide or single-byte characters respectively.
   */
-  private string getEffectiveStringConversionChar(int n) {
-    exists(string len, string conv | this.parseConvSpec(n, _, _, _, _, _, len, conv) and (conv = "s" or conv = "S") |
-      (len = "l" and result = "S") or
-      (len = "w" and result = "S") or
-      (len = "h" and result = "s") or
-      (len != "l" and len != "w" and len != "h" and (result = "s" or result = "S") and (if isWideCharDefault() then result != conv else result = conv))
-    )
-  }
-
  private Type getConversionType4(int n) {
-    exists(string cnv, CharType t | cnv = this.getEffectiveStringConversionChar(n) |
-      cnv="s" and t = result.(PointerType).getBaseType()
-      and not t.isExplicitlySigned()
-      and not t.isExplicitlyUnsigned()
-    )
-  }
-
-  private Type getConversionType5(int n) {
-    exists(string cnv | cnv = this.getEffectiveStringConversionChar(n) |
-      cnv="S" and result.(PointerType).getBaseType().hasName("wchar_t") 
+    exists(string len, string conv |
+      this.parseConvSpec(n, _, _, _, _, _, len, conv) and
+      (
+        (
+          (conv = "s" or conv = "S") and
+          len = "h" and
+          result.(PointerType).getBaseType() instanceof PlainCharType
+        ) or (
+          (conv = "s" or conv = "S") and
+          (len = "l" or len = "w") and
+          result.(PointerType).getBaseType() = getWideCharType()
+        ) or (
+          conv = "s" and
+          (len != "l" and len != "w" and len != "h") and
+          result.(PointerType).getBaseType() = getDefaultCharType()
+        ) or (
+          conv = "S" and
+          (len != "l" and len != "w" and len != "h") and
+          result.(PointerType).getBaseType() = getNonDefaultCharType()
+        )
+      )
    )
  }

--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
@@ -12,7 +12,8 @@ class Printf extends FormattingFunction {
      hasGlobalName("wprintf") or
      hasGlobalName("wprintf_s") or
      hasGlobalName("g_printf")
-    )
+    ) and
+    not exists(getDefinition().getFile().getRelativePath())
  }

  override int getFormatParameterIndex() { result=0 }
@@ -26,7 +27,15 @@ class Printf extends FormattingFunction {
 * The standard functions `fprintf`, `fwprintf` and their glib variants.
 */
 class Fprintf extends FormattingFunction {
-  Fprintf() { this instanceof TopLevelFunction and (hasGlobalName("fprintf") or hasGlobalName("fwprintf") or hasGlobalName("g_fprintf"))}
+  Fprintf() {
+    this instanceof TopLevelFunction and
+    (
+      hasGlobalName("fprintf") or
+      hasGlobalName("fwprintf") or
+      hasGlobalName("g_fprintf")
+    ) and
+    not exists(getDefinition().getFile().getRelativePath())
+  }

  override int getFormatParameterIndex() { result=1 }
  override predicate isWideCharDefault() { hasGlobalName("fwprintf") }
@@ -47,7 +56,8 @@ class Sprintf extends FormattingFunction {
      hasGlobalName("g_strdup_printf") or
      hasGlobalName("g_sprintf") or
      hasGlobalName("__builtin___sprintf_chk")
-    )
+    ) and
+    not exists(getDefinition().getFile().getRelativePath())
  }

  override predicate isWideCharDefault() {
@@ -100,7 +110,8 @@ class Snprintf extends FormattingFunction {
      or hasGlobalName("g_snprintf")
      or hasGlobalName("wnsprintf")
      or hasGlobalName("__builtin___snprintf_chk")
-    )
+    ) and
+    not exists(getDefinition().getFile().getRelativePath())
  }

  override int getFormatParameterIndex() {
@@ -133,10 +144,13 @@ class Snprintf extends FormattingFunction {
   * in the buffer.
   */
  predicate returnsFullFormatLength() {
-    hasGlobalName("snprintf") or
-    hasGlobalName("g_snprintf") or
-    hasGlobalName("__builtin___snprintf_chk") or
-    hasGlobalName("snprintf_s")
+    (
+      hasGlobalName("snprintf") or
+      hasGlobalName("g_snprintf") or
+      hasGlobalName("__builtin___snprintf_chk") or
+      hasGlobalName("snprintf_s")
+    ) and
+    not exists(getDefinition().getFile().getRelativePath())
  }

  override int getSizeParameterIndex() {
@@ -158,7 +172,8 @@ class StringCchPrintf extends FormattingFunction {
      or hasGlobalName("StringCbPrintfEx")
      or hasGlobalName("StringCbPrintf_l")
      or hasGlobalName("StringCbPrintf_lEx")
-    )
+    ) and
+    not exists(getDefinition().getFile().getRelativePath())
  }

  override int getFormatParameterIndex() {
@@ -187,7 +202,8 @@ class Syslog extends FormattingFunction {
  Syslog() {
    this instanceof TopLevelFunction and (
      hasGlobalName("syslog")
-    )
+    ) and
+    not exists(getDefinition().getFile().getRelativePath())
  }

  override int getFormatParameterIndex() { result=1 }
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
@@ -7,6 +7,38 @@
 */

 import semmle.code.cpp.Function
+
+private Type stripTopLevelSpecifiersOnly(Type t) {
+  (
+    result = stripTopLevelSpecifiersOnly(t.(SpecifiedType).getBaseType())
+  ) or (
+    result = t and
+    not t instanceof SpecifiedType
+  )
+}
+
+/**
+ * A type that is used as a format string by any formatting function.
+ */
+Type getAFormatterWideType() {
+  exists(FormattingFunction ff |
+    result = stripTopLevelSpecifiersOnly(ff.getDefaultCharType()) and
+    result.getSize() != 1
+  )
+}
+
+/**
+ * A type that is used as a format string by any formatting function, or `wchar_t` if
+ * there is none.
+ */
+private Type getAFormatterWideTypeOrDefault() {
+  result = getAFormatterWideType() or
+  (
+    not exists(getAFormatterWideType()) and
+    result instanceof Wchar_t
+  )
+}
+
 /**
 * A standard library function that uses a `printf`-like formatting string.
 */
@@ -20,6 +52,43 @@ abstract class FormattingFunction extends Function {
   */
  predicate isWideCharDefault() { none() }

+  /**
+   * Gets the default character type expected for `%s` by this function.  Typically
+   * `char` or `wchar_t`.
+   */
+  Type getDefaultCharType() {
+    result = stripTopLevelSpecifiersOnly(getParameter(getFormatParameterIndex()).getType().
+      getUnderlyingType().(PointerType).getBaseType())
+  }
+
+  /**
+   * Gets the non-default character type expected for `%S` by this function.  Typically
+   * `wchar_t` or `char`.  On some snapshots there may be multiple results where we can't tell
+   * which is correct for a particular function.
+   */
+  Type getNonDefaultCharType() {
+  	(
+  	  getDefaultCharType().getSize() = 1 and
+  	  result = getAFormatterWideTypeOrDefault()
+  	) or (
+  	  getDefaultCharType().getSize() > 1 and
+  	  result instanceof PlainCharType
+  	)
+  }
+
+  /**
+   * Gets the wide character type for this function.  This is usually `wchar_t`.  On some
+   * snapshots there may be multiple results where we can't tell which is correct for a
+   * particular function.
+   */
+  Type getWideCharType() {
+    (
+      result = getDefaultCharType() or
+      result = getNonDefaultCharType()
+    ) and
+    result.getSize() > 1
+  }
+
  /**
   * Gets the position at which the output parameter, if any, occurs.
   */
--- a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -44,6 +44,7 @@
 import cpp
 private import RangeAnalysisUtils
 import RangeSSA
+import SimpleRangeAnalysisCached

 /**
 * This fixed set of lower bounds is used when the lower bounds of an
@@ -406,27 +407,6 @@ deprecated predicate negative_overflow(Expr expr) {
  exprMightOverflowNegatively(expr)
 }

-/**
- * Holds if the expression might overflow negatively. This predicate
- * does not consider the possibility that the expression might overflow
- * due to a conversion.
- */
-cached
-predicate exprMightOverflowNegatively(Expr expr) {
-  getLowerBoundsImpl(expr) < exprMinVal(expr)
-}
-
-/**
- * Holds if the expression might overflow negatively. Conversions
- * are also taken into account. For example the expression
- * `(int16)(x+y)` might overflow due to the `(int16)` cast, rather than
- * due to the addition.
- */
-cached
-predicate convertedExprMightOverflowNegatively(Expr expr) {
-  exprMightOverflowNegatively(expr) or
-  convertedExprMightOverflowNegatively(expr.getConversion())
-}

 /**
 * Holds if the expression might overflow positively. This predicate
@@ -439,39 +419,6 @@ deprecated predicate positive_overflow(Expr expr) {
  exprMightOverflowPositively(expr)
 }

-/**
- * Holds if the expression might overflow positively. This predicate
- * does not consider the possibility that the expression might overflow
- * due to a conversion.
- */
-cached
-predicate exprMightOverflowPositively(Expr expr) {
-  getUpperBoundsImpl(expr) > exprMaxVal(expr)
-}
-
-/**
- * Holds if the expression might overflow positively. Conversions
- * are also taken into account. For example the expression
- * `(int16)(x+y)` might overflow due to the `(int16)` cast, rather than
- * due to the addition.
- */
-cached
-predicate convertedExprMightOverflowPositively(Expr expr) {
-  exprMightOverflowPositively(expr) or
-  convertedExprMightOverflowPositively(expr.getConversion())
-}
-
-/**
- * Holds if the expression might overflow (either positively or
- * negatively). The possibility that the expression might overflow
- * due to an implicit or explicit cast is also considered.
- */
-cached
-predicate convertedExprMightOverflow(Expr expr) {
-  convertedExprMightOverflowNegatively(expr) or
-  convertedExprMightOverflowPositively(expr)
-}
-
 /** Only to be called by `getTruncatedLowerBounds`. */
 private
 float getLowerBoundsImpl(Expr expr) {
@@ -921,28 +868,6 @@ float getDefUpperBoundsImpl(RangeSsaDefinition def, LocalScopeVariable v) {
  unanalyzableDefBounds(def, v, _, result)
 }

-/** Holds if the definition might overflow negatively. */
-cached
-predicate defMightOverflowNegatively(RangeSsaDefinition def, LocalScopeVariable v) {
-  getDefLowerBoundsImpl(def, v) < varMinVal(v)
-}
-
-/** Holds if the definition might overflow positively. */
-cached
-predicate defMightOverflowPositively(RangeSsaDefinition def, LocalScopeVariable v) {
-  getDefUpperBoundsImpl(def, v) > varMaxVal(v)
-}
-
-/**
- * Holds if the definition might overflow (either positively or
- * negatively).
- */
-cached
-predicate defMightOverflow(RangeSsaDefinition def, LocalScopeVariable v) {
-  defMightOverflowNegatively(def, v) or
-  defMightOverflowPositively(def, v)
-}
-
 /**
 * Get the lower bounds for a `RangeSsaDefinition`. Most of the work is
 * done by `getDefLowerBoundsImpl`, but this is where widening is applied
@@ -1133,63 +1058,142 @@ predicate exprTypeBounds(Expr expr, float boundValue, boolean isLowerBound) {
  (isLowerBound = false and boundValue = exprMaxVal(expr.getFullyConverted()))
 }

-/**
- * Gets the lower bound of the expression.
- *
- * Note: expressions in C/C++ are often implicitly or explicitly cast to a
- * different result type. Such casts can cause the value of the expression
- * to overflow or to be truncated. This predicate computes the lower bound
- * of the expression without including the effect of the casts. To compute
- * the lower bound of the expression after all the casts have been applied,
- * call `lowerBound` like this:
- *
- *    `lowerBound(expr.getFullyConverted())`
- */
-cached
-float lowerBound(Expr expr) {
-  // Combine the lower bounds returned by getTruncatedLowerBounds into a
-  // single minimum value.
-  result = min(float lb | lb = getTruncatedLowerBounds(expr) | lb)
-}
+private cached module SimpleRangeAnalysisCached {
+    /**
+   * Gets the lower bound of the expression.
+   *
+   * Note: expressions in C/C++ are often implicitly or explicitly cast to a
+   * different result type. Such casts can cause the value of the expression
+   * to overflow or to be truncated. This predicate computes the lower bound
+   * of the expression without including the effect of the casts. To compute
+   * the lower bound of the expression after all the casts have been applied,
+   * call `lowerBound` like this:
+   *
+   *    `lowerBound(expr.getFullyConverted())`
+   */
+  cached
+  float lowerBound(Expr expr) {
+    // Combine the lower bounds returned by getTruncatedLowerBounds into a
+    // single minimum value.
+    result = min(float lb | lb = getTruncatedLowerBounds(expr) | lb)
+  }
+  
+  /**
+   * Gets the upper bound of the expression.
+   *
+   * Note: expressions in C/C++ are often implicitly or explicitly cast to a
+   * different result type. Such casts can cause the value of the expression
+   * to overflow or to be truncated. This predicate computes the upper bound
+   * of the expression without including the effect of the casts. To compute
+   * the upper bound of the expression after all the casts have been applied,
+   * call `upperBound` like this:
+   *
+   *    `upperBound(expr.getFullyConverted())`
+   */
+  cached
+  float upperBound(Expr expr) {
+    // Combine the upper bounds returned by getTruncatedUpperBounds into a
+    // single maximum value.
+    result = max(float ub | ub = getTruncatedUpperBounds(expr) | ub)
+  }
+  
+  /**
+   * Holds if `expr` has a provably empty range. For example:
+   *
+   *   10 < expr and expr < 5
+   *
+   * The range of an expression can only be empty if it can never be
+   * executed. For example:
+   *
+   *   if (10 < x) {
+   *     if (x < 5) {
+   *       // Unreachable code
+   *       return x; // x has an empty range: 10 < x && x < 5
+   *     }
+   *   }
+   */
+  cached
+  predicate exprWithEmptyRange(Expr expr) {
+    analyzableExpr(expr) and
+    (not exists(lowerBound(expr)) or
+     not exists(upperBound(expr)) or
+     lowerBound(expr) > upperBound(expr))
+  }

-/**
- * Gets the upper bound of the expression.
- *
- * Note: expressions in C/C++ are often implicitly or explicitly cast to a
- * different result type. Such casts can cause the value of the expression
- * to overflow or to be truncated. This predicate computes the upper bound
- * of the expression without including the effect of the casts. To compute
- * the upper bound of the expression after all the casts have been applied,
- * call `upperBound` like this:
- *
- *    `upperBound(expr.getFullyConverted())`
- */
-cached
-float upperBound(Expr expr) {
-  // Combine the upper bounds returned by getTruncatedUpperBounds into a
-  // single maximum value.
-  result = max(float ub | ub = getTruncatedUpperBounds(expr) | ub)
-}
-
-/**
- * Holds if `expr` has a provably empty range. For example:
- *
- *   10 < expr and expr < 5
- *
- * The range of an expression can only be empty if it can never be
- * executed. For example:
- *
- *   if (10 < x) {
- *     if (x < 5) {
- *       // Unreachable code
- *       return x; // x has an empty range: 10 < x && x < 5
- *     }
- *   }
- */
-cached
-predicate exprWithEmptyRange(Expr expr) {
-  analyzableExpr(expr) and
-  (not exists(lowerBound(expr)) or
-   not exists(upperBound(expr)) or
-   lowerBound(expr) > upperBound(expr))
+  /** Holds if the definition might overflow negatively. */
+  cached
+  predicate defMightOverflowNegatively(RangeSsaDefinition def, LocalScopeVariable v) {
+    getDefLowerBoundsImpl(def, v) < varMinVal(v)
+  }
+  
+  /** Holds if the definition might overflow positively. */
+  cached
+  predicate defMightOverflowPositively(RangeSsaDefinition def, LocalScopeVariable v) {
+    getDefUpperBoundsImpl(def, v) > varMaxVal(v)
+  }
+  
+  /**
+   * Holds if the definition might overflow (either positively or
+   * negatively).
+   */
+  cached
+  predicate defMightOverflow(RangeSsaDefinition def, LocalScopeVariable v) {
+    defMightOverflowNegatively(def, v) or
+    defMightOverflowPositively(def, v)
+  }
+  
+  /**
+   * Holds if the expression might overflow negatively. This predicate
+   * does not consider the possibility that the expression might overflow
+   * due to a conversion.
+   */
+  cached
+  predicate exprMightOverflowNegatively(Expr expr) {
+    getLowerBoundsImpl(expr) < exprMinVal(expr)
+  }
+  
+  /**
+   * Holds if the expression might overflow negatively. Conversions
+   * are also taken into account. For example the expression
+   * `(int16)(x+y)` might overflow due to the `(int16)` cast, rather than
+   * due to the addition.
+   */
+  cached
+  predicate convertedExprMightOverflowNegatively(Expr expr) {
+    exprMightOverflowNegatively(expr) or
+    convertedExprMightOverflowNegatively(expr.getConversion())
+  }
+  
+    /**
+   * Holds if the expression might overflow positively. This predicate
+   * does not consider the possibility that the expression might overflow
+   * due to a conversion.
+   */
+  cached
+  predicate exprMightOverflowPositively(Expr expr) {
+    getUpperBoundsImpl(expr) > exprMaxVal(expr)
+  }
+  
+  /**
+   * Holds if the expression might overflow positively. Conversions
+   * are also taken into account. For example the expression
+   * `(int16)(x+y)` might overflow due to the `(int16)` cast, rather than
+   * due to the addition.
+   */
+  cached
+  predicate convertedExprMightOverflowPositively(Expr expr) {
+    exprMightOverflowPositively(expr) or
+    convertedExprMightOverflowPositively(expr.getConversion())
+  }
+  
+  /**
+   * Holds if the expression might overflow (either positively or
+   * negatively). The possibility that the expression might overflow
+   * due to an implicit or explicit cast is also considered.
+   */
+  cached
+  predicate convertedExprMightOverflow(Expr expr) {
+    convertedExprMightOverflowNegatively(expr) or
+    convertedExprMightOverflowPositively(expr)
+  }
 }
--- a/cpp/ql/src/semmle/code/cpp/valuenumbering/GlobalValueNumbering.qll
+++ b/cpp/ql/src/semmle/code/cpp/valuenumbering/GlobalValueNumbering.qll
@@ -312,7 +312,7 @@ private predicate analyzableLocalScopeVariable(VariableAccess access) {
  strictcount (SsaDefinition def, Variable v | def.getAUse(v) = access | v) = 1 and
  count (SsaDefinition def, Variable v
  | def.getAUse(v) = access
-  | def.getDefiningValue(v)) <= 1 and
+  | def.getDefiningValue(v).getFullyConverted()) <= 1 and
  not analyzableConst(access)
 }

--- a/Bugs/Arithmetic/PointlessComparison/PointlessComparison.expected
+++ b/Bugs/Arithmetic/PointlessComparison/PointlessComparison.expected
@@ -32,3 +32,4 @@
 | PointlessComparison.c:129:12:129:16 | ... > ... | Comparison is always false because a <= 3. |
 | PointlessComparison.c:197:7:197:11 | ... < ... | Comparison is always false because x >= 0. |
 | RegressionTests.cpp:57:7:57:22 | ... <= ... | Comparison is always true because * ... <= 4294967295. |
+| Templates.cpp:9:10:9:24 | ... <= ... | Comparison is always true because local <= 32767. |
--- a/Bugs/Arithmetic/PointlessComparison/Templates.cpp
+++ b/Bugs/Arithmetic/PointlessComparison/Templates.cpp
@@ -0,0 +1,17 @@
+template<typename T>
+bool sometimesPointless(T param) {
+  return param <= 0xFFFF; // GOOD (hypothetical instantiations are okay)
+}
+
+template<typename T>
+bool alwaysPointless(T param) {
+  short local = param;
+  return local <= 0xFFFF; // BAD (in all instantiations)
+}
+
+static int caller(int i) {
+  return
+      sometimesPointless<short>(i) ||
+      alwaysPointless<short>(i) ||
+      alwaysPointless<int>(i);
+}
--- a/Bugs/Format/WrongNumberOfFormatArguments/TooManyFormatArguments.expected
+++ b/Bugs/Format/WrongNumberOfFormatArguments/TooManyFormatArguments.expected
@@ -1,5 +1,4 @@
 | custom_printf.cpp:31:5:31:12 | call to myPrintf | Format expects 2 arguments but given 3 |
-| custom_printf.cpp:44:2:44:7 | call to printf | Format expects 0 arguments but given 2 |
 | macros.cpp:12:2:12:31 | call to printf | Format expects 2 arguments but given 3 |
 | macros.cpp:16:2:16:30 | call to printf | Format expects 2 arguments but given 3 |
 | test.c:7:2:7:7 | call to printf | Format expects 0 arguments but given 1 |
--- a/Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected
+++ b/Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.expected
@@ -1,5 +1,4 @@
 | custom_printf.cpp:29:5:29:12 | call to myPrintf | Format expects 2 arguments but given 1 |
-| custom_printf.cpp:45:2:45:7 | call to printf | Format expects 2 arguments but given 0 |
 | macros.cpp:14:2:14:37 | call to printf | Format expects 4 arguments but given 3 |
 | macros.cpp:21:2:21:36 | call to printf | Format expects 4 arguments but given 3 |
 | test.c:9:2:9:7 | call to printf | Format expects 1 arguments but given 0 |
--- a/Bugs/Format/WrongNumberOfFormatArguments/custom_printf.cpp
+++ b/Bugs/Format/WrongNumberOfFormatArguments/custom_printf.cpp
@@ -41,6 +41,6 @@ void test_custom_printf2()
 {
 	//     notTheFormat  format    ...
 	printf(0,            "%i %i",  100, 200); // GOOD
-	printf("",           "%i %i",  100, 200); // GOOD [FALSE POSITIVE]
-	printf("%i %i",      ""        );         // GOOD [FALSE POSITIVE]
+	printf("",           "%i %i",  100, 200); // GOOD
+	printf("%i %i",      ""        );         // GOOD
 }
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.expected
@@ -0,0 +1,10 @@
+| tests.cpp:18:15:18:22 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
+| tests.cpp:19:15:19:22 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
+| tests.cpp:25:17:25:23 | Hello | This argument should be of type 'wchar_t *' but is of type 'char *' |
+| tests.cpp:26:17:26:24 | Hello | This argument should be of type 'wchar_t *' but is of type 'char16_t *' |
+| tests.cpp:30:17:30:24 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
+| tests.cpp:31:17:31:24 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
+| tests.cpp:33:36:33:42 | Hello | This argument should be of type 'char16_t *' but is of type 'char *' |
+| tests.cpp:35:36:35:43 | Hello | This argument should be of type 'char16_t *' but is of type 'wchar_t *' |
+| tests.cpp:38:36:38:43 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
+| tests.cpp:39:36:39:43 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.qlref
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.qlref
@@ -0,0 +1 @@
+Likely Bugs/Format/WrongTypeFormatArguments.ql
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/formattingFunction.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/formattingFunction.expected
@@ -0,0 +1,3 @@
+| tests.cpp:8:5:8:10 | printf | char | char16_t, wchar_t | char16_t, wchar_t |
+| tests.cpp:9:5:9:11 | wprintf | wchar_t | char | wchar_t |
+| tests.cpp:10:5:10:12 | swprintf | char16_t | char | char16_t |
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/formattingFunction.ql
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/formattingFunction.ql
@@ -0,0 +1,8 @@
+import cpp
+
+from FormattingFunction f
+select
+  f,
+  concat(f.getDefaultCharType().toString(), ", "),
+  concat(f.getNonDefaultCharType().toString(), ", "),
+  concat(f.getWideCharType().toString(), ", ")
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp
@@ -0,0 +1,40 @@
+/*
+ * Test for custom definitions of *wprintf using different types than the
+ * platform wide character type.
+ */
+
+typedef unsigned int size_t;
+
+int printf(const char * format, ...);
+int wprintf(const wchar_t * format, ...); // on wchar_t
+int swprintf(char16_t * s, size_t n, const char16_t * format, ...); // on char16_t
+
+#define BUF_SIZE (4096)
+
+void tests() {
+	char16_t buffer[BUF_SIZE];
+
+	printf("%s", "Hello"); // GOOD
+	printf("%s", u"Hello"); // BAD: expecting char
+	printf("%s", L"Hello"); // BAD: expecting char
+
+	printf("%S", "Hello"); // BAD: expecting wchar_t or char16_t [NOT DETECTED]
+	printf("%S", u"Hello"); // GOOD
+	printf("%S", L"Hello"); // GOOD
+
+	wprintf(L"%s", "Hello"); // BAD: expecting wchar_t
+	wprintf(L"%s", u"Hello"); // BAD: expecting wchar_t
+	wprintf(L"%s", L"Hello"); // GOOD
+
+	wprintf(L"%S", "Hello"); // GOOD
+	wprintf(L"%S", u"Hello"); // BAD: expecting char
+	wprintf(L"%S", L"Hello"); // BAD: expecting char
+
+	swprintf(buffer, BUF_SIZE, u"%s", "Hello"); // BAD: expecting char16_t
+	swprintf(buffer, BUF_SIZE, u"%s", u"Hello"); // GOOD
+	swprintf(buffer, BUF_SIZE, u"%s", L"Hello"); // BAD: expecting char16_t
+
+	swprintf(buffer, BUF_SIZE, u"%S", "Hello"); // GOOD
+	swprintf(buffer, BUF_SIZE, u"%S", u"Hello"); // BAD: expecting char
+	swprintf(buffer, BUF_SIZE, u"%S", L"Hello"); // BAD: expecting char
+}
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.expected
@@ -0,0 +1,2 @@
+| tests_32.cpp:14:16:14:23 | void_ptr | This argument should be of type 'long' but is of type 'void *' |
+| tests_64.cpp:14:16:14:23 | void_ptr | This argument should be of type 'long' but is of type 'void *' |
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.qlref
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.qlref
@@ -0,0 +1 @@
+Likely Bugs/Format/WrongTypeFormatArguments.ql
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp
@@ -0,0 +1,17 @@
+// semmle-extractor-options: --edg --target --edg linux_i686
+/*
+ * Test for printf in a snapshot that contains multiple word/pointer sizes.
+ */
+
+int printf(const char * format, ...);
+
+void test_32()
+{
+	long l;
+	void *void_ptr;
+
+	printf("%li", l); // GOOD
+	printf("%li", void_ptr); // BAD
+	printf("%p", l); // BAD [NOT DETECTED]
+	printf("%p", void_ptr); // GOOD
+}
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp
@@ -0,0 +1,17 @@
+// semmle-extractor-options: --edg --target --edg linux_x86_64
+/*
+ * Test for printf in a snapshot that contains multiple word/pointer sizes.
+ */
+
+int printf(const char * format, ...);
+
+void test_64()
+{
+	long l;
+	void *void_ptr;
+
+	printf("%li", l); // GOOD
+	printf("%li", void_ptr); // BAD
+	printf("%p", l); // BAD [NOT DETECTED]
+	printf("%p", void_ptr); // GOOD
+}
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/WrongTypeFormatArguments.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/WrongTypeFormatArguments.expected
@@ -11,14 +11,6 @@
 | printf1.h:45:18:45:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:46:18:46:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:47:19:47:21 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
-| printf1.h:68:19:68:21 | sst | This argument should be of type 'size_t' but is of type 'long' |
-| printf1.h:70:19:70:20 | ul | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:71:19:71:20 | st | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:72:19:72:20 | ST | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:73:19:73:22 | c_st | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:74:19:74:22 | C_ST | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:75:19:75:28 | sizeof(<expr>) | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:83:23:83:35 | ... - ... | This argument should be of type 'size_t' but is of type 'long' |
 | real_world.h:61:21:61:22 | & ... | This argument should be of type 'int *' but is of type 'short *' |
 | real_world.h:62:22:62:23 | & ... | This argument should be of type 'short *' but is of type 'int *' |
 | real_world.h:63:22:63:24 | & ... | This argument should be of type 'short *' but is of type 'unsigned int *' |
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/printf1.h
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/printf1.h
@@ -65,14 +65,14 @@ void g()
    printf("%zu", c_st); // ok
    printf("%zu", C_ST); // ok
    printf("%zu", sizeof(ul)); // ok
-    printf("%zu", sst); // not ok [NOT DETECTED ON MICROSOFT]
+    printf("%zu", sst); // not ok [NOT DETECTED]

-    printf("%zd", ul); // not ok
-    printf("%zd", st); // not ok
-    printf("%zd", ST); // not ok
-    printf("%zd", c_st); // not ok
-    printf("%zd", C_ST); // not ok
-    printf("%zd", sizeof(ul)); // not ok
+    printf("%zd", ul); // not ok [NOT DETECTED]
+    printf("%zd", st); // not ok [NOT DETECTED]
+    printf("%zd", ST); // not ok [NOT DETECTED]
+    printf("%zd", c_st); // not ok [NOT DETECTED]
+    printf("%zd", C_ST); // not ok [NOT DETECTED]
+    printf("%zd", sizeof(ul)); // not ok [NOT DETECTED]
    printf("%zd", sst); // ok
    {
        char *ptr_a, *ptr_b;
@@ -80,8 +80,8 @@ void g()

        printf("%tu", ptr_a - ptr_b); // ok
        printf("%td", ptr_a - ptr_b); // ok
-        printf("%zu", ptr_a - ptr_b); // ok (dubious) [DETECTED ON LINUX ONLY]
-        printf("%zd", ptr_a - ptr_b); // ok (dubious) [DETECTED ON MICROSOFT ONLY]
+        printf("%zu", ptr_a - ptr_b); // ok (dubious)
+        printf("%zd", ptr_a - ptr_b); // ok (dubious)
    }
 }

@@ -92,3 +92,12 @@ void h(int i, struct some_type *j, int k)
 	// going on.
 	printf("%i %R %i", i, j, k); // GOOD (as far as we can tell)
 }
+
+typedef long ptrdiff_t;
+
+void fun1(unsigned char* a, unsigned char* b) {
+  ptrdiff_t pdt;
+
+  printf("%td\n", pdt); // GOOD
+  printf("%td\n", a-b); // GOOD
+}
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.expected
@@ -0,0 +1,2 @@
+| printf.cpp:45:29:45:35 | test | This argument should be of type 'char *' but is of type 'char16_t *' |
+| printf.cpp:52:29:52:35 | test | This argument should be of type 'char16_t *' but is of type 'wchar_t *' |
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.qlref
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.qlref
@@ -0,0 +1 @@
+Likely Bugs/Format/WrongTypeFormatArguments.ql
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/formattingFunction.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/formattingFunction.expected
@@ -0,0 +1,2 @@
+| printf.cpp:15:5:15:12 | swprintf | char16_t | char | char16_t |
+| printf.cpp:26:5:26:11 | sprintf | char | char16_t | char16_t |
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/formattingFunction.ql
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/formattingFunction.ql
@@ -0,0 +1,8 @@
+import cpp
+
+from FormattingFunction f
+select
+  f,
+  concat(f.getDefaultCharType().toString(), ", "),
+  concat(f.getNonDefaultCharType().toString(), ", "),
+  concat(f.getWideCharType().toString(), ", ")
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp
@@ -0,0 +1,53 @@
+/*
+ * Test for custom definitions of *wprintf using different types than the
+ * platform wide character type.
+ */
+
+#define WCHAR char16_t
+typedef void *va_list;
+#define va_start(va, other)
+#define va_end(args)
+
+int	vswprintf(WCHAR *dest, WCHAR *format, va_list args) {
+	return 0;
+}
+
+int swprintf(WCHAR *dest, WCHAR *format, ...) {
+	va_list args;
+	va_start(args, format);
+
+	int ret = vswprintf(dest, format, args);
+
+	va_end(args);
+
+	return ret;
+}
+
+int sprintf(char *dest, char *format, ...);
+
+// ---
+
+void test1() {
+	WCHAR string[20];
+
+	swprintf(string, u"test %s", u"test"); // GOOD
+}
+
+void test2() {
+	char string[20];
+
+	sprintf(string, "test %S", u"test"); // GOOD
+}
+
+void test3() {
+	char string[20];
+
+	sprintf(string, "test %s", u"test"); // BAD: `char16_t` string parameter read as `char` string
+}
+
+
+void test4() {
+	char string[20];
+
+	sprintf(string, "test %S", L"test"); // BAD: `wchar_t` string parameter read as `char16_t` string
+}
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.expected
@@ -11,14 +11,6 @@
 | printf1.h:45:18:45:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:46:18:46:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:47:19:47:21 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
-| printf1.h:68:19:68:21 | sst | This argument should be of type 'size_t' but is of type 'long' |
-| printf1.h:70:19:70:20 | ul | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:71:19:71:20 | st | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:72:19:72:20 | ST | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:73:19:73:22 | c_st | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:74:19:74:22 | C_ST | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:75:19:75:28 | sizeof(<expr>) | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
-| printf1.h:83:23:83:35 | ... - ... | This argument should be of type 'size_t' but is of type 'long' |
 | real_world.h:61:21:61:22 | & ... | This argument should be of type 'int *' but is of type 'short *' |
 | real_world.h:62:22:62:23 | & ... | This argument should be of type 'short *' but is of type 'int *' |
 | real_world.h:63:22:63:24 | & ... | This argument should be of type 'short *' but is of type 'unsigned int *' |
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/formattingFunction.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/formattingFunction.expected
@@ -0,0 +1,4 @@
+| common.h:12:12:12:17 | printf | char | wchar_t | wchar_t |
+| format.h:4:13:4:17 | error | char | wchar_t | wchar_t |
+| real_world.h:8:12:8:18 | fprintf | char | wchar_t | wchar_t |
+| real_world.h:33:6:33:12 | msg_out | char | wchar_t | wchar_t |
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/formattingFunction.ql
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/formattingFunction.ql
@@ -0,0 +1,8 @@
+import cpp
+
+from FormattingFunction f
+select
+  f,
+  concat(f.getDefaultCharType().toString(), ", "),
+  concat(f.getNonDefaultCharType().toString(), ", "),
+  concat(f.getWideCharType().toString(), ", ")
--- a/Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h
+++ b/Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h
@@ -65,14 +65,14 @@ void g()
    printf("%zu", c_st); // ok
    printf("%zu", C_ST); // ok
    printf("%zu", sizeof(ul)); // ok
-    printf("%zu", sst); // not ok [NOT DETECTED ON MICROSOFT]
+    printf("%zu", sst); // not ok [NOT DETECTED]

-    printf("%zd", ul); // not ok
-    printf("%zd", st); // not ok
-    printf("%zd", ST); // not ok
-    printf("%zd", c_st); // not ok
-    printf("%zd", C_ST); // not ok
-    printf("%zd", sizeof(ul)); // not ok
+    printf("%zd", ul); // not ok [NOT DETECTED]
+    printf("%zd", st); // not ok [NOT DETECTED]
+    printf("%zd", ST); // not ok [NOT DETECTED]
+    printf("%zd", c_st); // not ok [NOT DETECTED]
+    printf("%zd", C_ST); // not ok [NOT DETECTED]
+    printf("%zd", sizeof(ul)); // not ok [NOT DETECTED]
    printf("%zd", sst); // ok
    {
        char *ptr_a, *ptr_b;
@@ -80,8 +80,8 @@ void g()

        printf("%tu", ptr_a - ptr_b); // ok
        printf("%td", ptr_a - ptr_b); // ok
-        printf("%zu", ptr_a - ptr_b); // ok (dubious) [DETECTED ON LINUX ONLY]
-        printf("%zd", ptr_a - ptr_b); // ok (dubious) [DETECTED ON MICROSOFT ONLY]
+        printf("%zu", ptr_a - ptr_b); // ok (dubious)
+        printf("%zd", ptr_a - ptr_b); // ok (dubious)
    }
 }

@@ -92,3 +92,12 @@ void h(int i, struct some_type *j, int k)
 	// going on.
 	printf("%i %R %i", i, j, k); // GOOD (as far as we can tell)
 }
+
+typedef long ptrdiff_t;
+
+void fun1(unsigned char* a, unsigned char* b) {
+  ptrdiff_t pdt;
+
+  printf("%td\n", pdt); // GOOD
+  printf("%td\n", a-b); // GOOD
+}
--- a/Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.expected
@@ -11,7 +11,6 @@
 | printf1.h:45:18:45:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:46:18:46:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:47:19:47:21 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
-| printf1.h:70:19:70:20 | ul | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
 | printf1.h:71:19:71:20 | st | This argument should be of type 'ssize_t' but is of type 'unsigned long long' |
 | printf1.h:72:19:72:20 | ST | This argument should be of type 'ssize_t' but is of type 'unsigned long long' |
 | printf1.h:73:19:73:22 | c_st | This argument should be of type 'ssize_t' but is of type 'unsigned long long' |
--- a/Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h
+++ b/Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h
@@ -65,9 +65,9 @@ void g()
    printf("%zu", c_st); // ok
    printf("%zu", C_ST); // ok
    printf("%zu", sizeof(ul)); // ok
-    printf("%zu", sst); // not ok [NOT DETECTED ON MICROSOFT]
+    printf("%zu", sst); // not ok [NOT DETECTED]

-    printf("%zd", ul); // not ok
+    printf("%zd", ul); // not ok [NOT DETECTED]
    printf("%zd", st); // not ok
    printf("%zd", ST); // not ok
    printf("%zd", c_st); // not ok
@@ -80,8 +80,8 @@ void g()

        printf("%tu", ptr_a - ptr_b); // ok
        printf("%td", ptr_a - ptr_b); // ok
-        printf("%zu", ptr_a - ptr_b); // ok (dubious) [DETECTED ON LINUX ONLY]
-        printf("%zd", ptr_a - ptr_b); // ok (dubious) [DETECTED ON MICROSOFT ONLY]
+        printf("%zu", ptr_a - ptr_b); // ok (dubious)
+        printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE]
    }
 }

@@ -92,3 +92,12 @@ void h(int i, struct some_type *j, int k)
 	// going on.
 	printf("%i %R %i", i, j, k); // GOOD (as far as we can tell)
 }
+
+typedef long long ptrdiff_t;
+
+void fun1(unsigned char* a, unsigned char* b) {
+  ptrdiff_t pdt;
+
+  printf("%td\n", pdt); // GOOD
+  printf("%td\n", a-b); // GOOD
+}
--- a/Bugs/Format/WrongTypeFormatArguments/Microsoft/real_world.h
+++ b/Bugs/Format/WrongTypeFormatArguments/Microsoft/real_world.h
@@ -43,7 +43,7 @@ void someFunction()
 	WCHAR filename[MAX_LONGPATH];
 	int linenum;

-	msg_out("Source file: %S @ %d\n", filename, linenum); // GOOD
+	msg_out("Source file: %S @ %d\n", filename, linenum); // GOOD [FALSE POSITIVE]
 }

 // --------------------------------------------------------------
--- a/Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.expected
@@ -11,13 +11,13 @@
 | printf1.h:45:18:45:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:46:18:46:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
 | printf1.h:47:19:47:21 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
-| printf1.h:70:19:70:20 | ul | This argument should be of type 'ssize_t' but is of type 'unsigned long' |
 | printf1.h:71:19:71:20 | st | This argument should be of type 'ssize_t' but is of type 'unsigned long long' |
 | printf1.h:72:19:72:20 | ST | This argument should be of type 'ssize_t' but is of type 'unsigned long long' |
 | printf1.h:73:19:73:22 | c_st | This argument should be of type 'ssize_t' but is of type 'unsigned long long' |
 | printf1.h:74:19:74:22 | C_ST | This argument should be of type 'ssize_t' but is of type 'unsigned long long' |
 | printf1.h:75:19:75:28 | sizeof(<expr>) | This argument should be of type 'ssize_t' but is of type 'unsigned long long' |
 | printf1.h:84:23:84:35 | ... - ... | This argument should be of type 'ssize_t' but is of type 'long long' |
+| printf1.h:130:18:130:18 | 0 | This argument should be of type 'void *' but is of type 'int' |
 | real_world.h:61:21:61:22 | & ... | This argument should be of type 'int *' but is of type 'short *' |
 | real_world.h:62:22:62:23 | & ... | This argument should be of type 'short *' but is of type 'int *' |
 | real_world.h:63:22:63:24 | & ... | This argument should be of type 'short *' but is of type 'unsigned int *' |
--- a/Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h
+++ b/Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h
@@ -65,9 +65,9 @@ void g()
    printf("%zu", c_st); // ok
    printf("%zu", C_ST); // ok
    printf("%zu", sizeof(ul)); // ok
-    printf("%zu", sst); // not ok [NOT DETECTED ON MICROSOFT]
+    printf("%zu", sst); // not ok [NOT DETECTED]

-    printf("%zd", ul); // not ok
+    printf("%zd", ul); // not ok [NOT DETECTED]
    printf("%zd", st); // not ok
    printf("%zd", ST); // not ok
    printf("%zd", c_st); // not ok
@@ -80,8 +80,8 @@ void g()

        printf("%tu", ptr_a - ptr_b); // ok
        printf("%td", ptr_a - ptr_b); // ok
-        printf("%zu", ptr_a - ptr_b); // ok (dubious) [DETECTED ON LINUX ONLY]
-        printf("%zd", ptr_a - ptr_b); // ok (dubious) [DETECTED ON MICROSOFT ONLY]
+        printf("%zu", ptr_a - ptr_b); // ok (dubious)
+        printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE]
    }
 }

@@ -92,3 +92,40 @@ void h(int i, struct some_type *j, int k)
 	// going on.
 	printf("%i %R %i", i, j, k); // GOOD (as far as we can tell)
 }
+
+typedef long long ptrdiff_t;
+
+void fun1(unsigned char* a, unsigned char* b) {
+  ptrdiff_t pdt;
+
+  printf("%td\n", pdt); // GOOD
+  printf("%td\n", a-b); // GOOD
+}
+
+typedef wchar_t WCHAR_T; // WCHAR_T -> wchar_t -> int
+typedef int MYCHAR; // MYCHAR -> int (notably not via the wchar_t typedef)
+
+void fun2() {
+  wchar_t *myString1;
+  WCHAR_T *myString2;
+  int *myString3;
+  MYCHAR *myString4;
+
+  printf("%S", myString1); // GOOD
+  printf("%S", myString2); // GOOD
+  printf("%S", myString3); // GOOD
+  printf("%S", myString4); // GOOD
+}
+
+typedef void *VOIDPTR;
+typedef int (*FUNPTR)(int);
+
+void fun3(void *p1, VOIDPTR p2, FUNPTR p3, char *p4)
+{
+  printf("%p\n", p1); // GOOD
+  printf("%p\n", p2); // GOOD
+  printf("%p\n", p3); // GOOD
+  printf("%p\n", p4); // GOOD
+  printf("%p\n", p4 + 1); // GOOD
+  printf("%p\n", 0); // GOOD [FALSE POSITIVE]
+}
--- a/Management/SuspiciousCallToMemset/test.cpp
+++ b/Management/SuspiciousCallToMemset/test.cpp
@@ -171,3 +171,10 @@ void more_tests_2()
 	memset(iapa, 0, sizeof(iapa)); // GOOD
 	memset(iapa, 0, sizeof(intArrayPointer *)); // BAD
 }
+
+void more_tests_3()
+{
+	myStruct ms;
+	decltype(&ms) msPtr = &ms;
+	memset(msPtr, 0, sizeof(myStruct)); // GOOD
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.cpp
@@ -0,0 +1,34 @@
+#define NULL 0
+#define CONST               const
+typedef wchar_t WCHAR;    // wc,   16-bit UNICODE character
+typedef char CHAR;
+
+typedef WCHAR *LPWSTR;
+typedef CONST WCHAR *LPCWSTR;
+
+typedef CHAR *LPSTR;
+typedef CONST CHAR *LPCSTR;
+
+void fconstWChar(LPCWSTR p) {}
+void fWChar(LPWSTR p) {}
+
+void Test()
+{
+	char *lpChar = NULL;
+	wchar_t *lpWchar = NULL;
+	LPCSTR lpcstr = "b";
+
+	lpWchar = (LPWSTR)"a"; // BUG
+	lpWchar = (LPWSTR)lpcstr; // BUG
+
+	lpWchar = (wchar_t*)lpChar;	// BUG
+
+	fconstWChar((LPCWSTR)lpChar);	// BUG
+	fWChar((LPWSTR)lpChar);			// BUG
+
+	lpChar = (LPSTR)"a"; // Valid
+	lpWchar = (LPWSTR)L"a"; // Valid
+
+	fconstWChar((LPCWSTR)lpWchar);	// Valid
+	fWChar(lpWchar);				// Valid
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.expected
@@ -0,0 +1,5 @@
+| WcharCharConversion.cpp:21:20:21:22 | array to pointer conversion | Conversion from const char * to LPWSTR. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:22:20:22:25 | lpcstr | Conversion from LPCSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:24:22:24:27 | lpChar | Conversion from char * to wchar_t *. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:26:23:26:28 | lpChar | Conversion from char * to LPCWSTR. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:27:17:27:22 | lpChar | Conversion from char * to LPWSTR. Use of invalid string can lead to undefined behavior. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-704/WcharCharConversion.ql
				`@@ -0,0 +1 @@`
				`Likely Bugs/Format/WrongTypeFormatArguments.ql`
				`@@ -0,0 +1 @@`
				`Security/CWE/CWE-704/WcharCharConversion.ql`