C++: Clean up false-positives

C++: Change note
2026-04-27 17:55:19 +02:00 · 2024-10-14 17:10:55 +01:00
parent fe85e007b3
commit 853128c9c3
6 changed files with 16 additions and 13 deletions
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll
@@ -50,6 +50,8 @@ private class Fprintf extends FormattingFunction, NonThrowingFunction {
  override int getFormatParameterIndex() { result = 1 }

  override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = true }
+
+  override int getFirstFormatArgumentIndex() { result = 2 }
 }

 /**
@@ -91,7 +93,7 @@ private class Sprintf extends FormattingFunction, NonThrowingFunction {
  override int getFirstFormatArgumentIndex() {
    if this.hasName("__builtin___sprintf_chk")
    then result = 4
-    else result = this.getNumberOfParameters()
+    else result = this.getNumberOfExplicitParameters()
  }
 }

--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll
@@ -143,7 +143,7 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
   * from implicit function declarations. If there is some inconsistency in the number
   * of parameters, then don't return anything.
   */
-  private int getNumberOfExplicitParameters() {
+  int getNumberOfExplicitParameters() {
    forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
      result = fde.getNumberOfParameters()
    )
--- a/Bugs/Format/WrongTypeFormatArguments.ql
+++ b/Bugs/Format/WrongTypeFormatArguments.ql
@@ -170,7 +170,8 @@ where
  ) and
  not arg.isAffectedByMacro() and
  not arg.isFromUninstantiatedTemplate(_) and
-  not actual.getUnspecifiedType() instanceof ErroneousType
+  not actual.getUnspecifiedType() instanceof ErroneousType and
+  not arg.(Call).getTarget().getADeclarationEntry().isImplicit()
 select arg,
  "This format specifier for type '" + expected.getName() + "' does not match the argument type '" +
    actual.getUnspecifiedType().getName() + "'."
--- a/cpp/ql/src/change-notes/2024-10-15-wrong-type-format-argument.md
+++ b/cpp/ql/src/change-notes/2024-10-15-wrong-type-format-argument.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed false positives in the `cpp/wrong-type-format-argument` ("Wrong type of arguments to formatting function") query if there are extraction errors in the function.
--- a/Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
@@ -1,4 +1 @@
-| tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |
-| tests.c:8:18:8:34 | call to implicit_function | This format specifier for type 'char *' does not match the argument type 'int'. |
-| tests.c:9:13:9:13 | 0 | This format specifier for type 'char *' does not match the argument type 'int'. |
-| tests.c:10:13:10:13 | 0 | This format specifier for type 'char *' does not match the argument type 'int'. |
+| tests.c:6:18:6:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |
--- a/Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c
+++ b/Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c
@@ -1,11 +1,10 @@
 // semmle-extractor-options: --expect_errors

 int printf(const char * format, ...);
-int fprintf();

-int f() {
-    printf("%s", 1); // BAD - TP
-    printf("%s", implicit_function()); // BAD (FP) - we should not infer the return type
-    sprintf(0, "%s", ""); // BAD (FP)
-    fprintf(0, "%s", ""); // BAD (FP)
+void f() {
+    printf("%s", 1); // BAD
+    printf("%s", implicit_function()); // GOOD - we should ignore the type
+    sprintf(0, "%s", ""); // GOOD
+    fprintf(0, "%s", ""); // GOOD
 }