From 19424020c372f284e7595e3ffbf93341533acf38 Mon Sep 17 00:00:00 2001
From: Calum Grant
Date: Wed, 4 Dec 2024 10:57:15 +0000
Subject: [PATCH 1/5] C++: Test for erroneous string types

---
 .../Buildless/WrongTypeFormatArguments.expected | 1 +
 .../Format/WrongTypeFormatArguments/Buildless/tests.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
index 745f2f790f79..8ff4f02d4d67 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
@@ -1 +1,2 @@
 | tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |
+| tests.c:11:18:11:20 | str | This format specifier for type 'char *' does not match the argument type ' *'. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c
index 81698c497c57..175d2f23182d 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c
@@ -3,9 +3,10 @@
 int printf(const char * format, ...);
 int fprintf();
 
-void f() {
+void f(UNKNOWN_CHAR * str) {
     printf("%s", 1); // BAD
     printf("%s", implicit_function()); // GOOD - we should ignore the type
     sprintf(0, "%s", ""); // GOOD
     fprintf(0, "%s", ""); // GOOD
+    printf("%s", str); // GOOD - erroneous type is ignored
 }

From 28c5187a3c6505593635b3262e69ca486d87a8d5 Mon Sep 17 00:00:00 2001
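Review bot: The GOOD case added at the end of `f` only behaves as intended because `UNKNOWN_CHAR` is never declared anywhere in tests.c, so buildless extraction appears to give `str` an erroneous pointer type; nothing in the hunk records that, and a later `typedef` or include would silently turn this into a genuine `char *` mismatch that the query should report. A comment on the signature would pin the intent, e.g. `void f(UNKNOWN_CHAR * str) { // UNKNOWN_CHAR is deliberately undeclared so str's type is erroneous`. The expected-output row added alongside shows the argument type rendered as `' *'`, which is the symptom the follow-up query change keys on. `f` is entirely inside the hunk.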
From: Calum Grant
Date: Wed, 4 Dec 2024 11:02:19 +0000
Subject: [PATCH 2/5] C++: Remove FPs in cpp/wrong-type-format-argument when string type is an error

---
 cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql | 4 ++++
 .../Buildless/WrongTypeFormatArguments.expected | 1 -
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
index 027f4caa8ae4..905c4307ad16 100644
--- a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+++ b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
@@ -171,6 +171,10 @@ where
   not arg.isAffectedByMacro() and
   not arg.isFromUninstantiatedTemplate(_) and
   not actual.getUnspecifiedType() instanceof ErroneousType and
+  not (
+    expected instanceof PointerType and
+    actual.getUnspecifiedType().(PointerType).getBaseType() instanceof ErroneousType
+  ) and
   not arg.(Call).mayBeFromImplicitlyDeclaredFunction()
 select arg,
   "This format specifier for type '" + expected.getName() + "' does not match the argument type '" +
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
index 8ff4f02d4d67..745f2f790f79 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
@@ -1,2 +1 @@
 | tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |
-| tests.c:11:18:11:20 | str | This format specifier for type 'char *' does not match the argument type ' *'. |

From 12b4c0a2dd26dfdf487026ca941b68b6005e4760 Mon Sep 17 00:00:00 2001
From: Calum Grant
Date: Thu, 5 Dec 2024 15:40:50 +0000
Subject: [PATCH 3/5] C++: Change note

---
 cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md

diff --git a/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md b/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md
new file mode 100644
index 000000000000..df9e13c07046
--- /dev/null
+++ b/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) query no longer produces results when a string type has an extraction error.

From 2cd4e1af9f387b6dbbe3b0a802104ae494aa70c6 Mon Sep 17 00:00:00 2001
From: Calum Grant
Date: Fri, 6 Dec 2024 09:55:05 +0000
Subject: [PATCH 4/5] C++: Use Expr.stripType()

---
 cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
index 905c4307ad16..272ef8369d0e 100644
--- a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+++ b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
@@ -170,11 +170,7 @@ where
   ) and
   not arg.isAffectedByMacro() and
   not arg.isFromUninstantiatedTemplate(_) and
-  not actual.getUnspecifiedType() instanceof ErroneousType and
-  not (
-    expected instanceof PointerType and
-    actual.getUnspecifiedType().(PointerType).getBaseType() instanceof ErroneousType
-  ) and
+  not actual.stripType() instanceof ErroneousType and
   not arg.(Call).mayBeFromImplicitlyDeclaredFunction()
 select arg,
   "This format specifier for type '" + expected.getName() + "' does not match the argument type '" +

From 5aa604b42ce687ff2e0aacf9a800acd6b5c1382a Mon Sep 17 00:00:00 2001
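Review bot: The replacement `not actual.stripType() instanceof ErroneousType` widens the exclusion well beyond the one-level `PointerType.getBaseType()` check it removes — as far as I can tell `stripType()` peels every pointer, reference and qualifier layer and resolves typedefs — yet the only test in this series is a single `UNKNOWN_CHAR * str` passed to `%s`. Adding cases for a double pointer, a typedef over the erroneous type, and a non-pointer specifier such as `%d` receiving an erroneous-typed argument would confirm that the updated change note ("when an argument type has an extraction error") matches what the query now does. Because this trades false positives for potential false negatives in a format-argument type check, a one-line comment above the conjunct would help future readers keep that trade-off in view, e.g. `// Types left erroneous by extraction are skipped rather than reported as mismatches.` The `where` clause starts before the hunk and the `select` continues after it.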
From: Calum Grant <42069085+calumgrant@users.noreply.github.com>
Date: Fri, 6 Dec 2024 15:34:57 +0000
Subject: [PATCH 5/5] Update cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md

Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
---
 cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md b/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md
index df9e13c07046..1bf77d55a618 100644
--- a/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md
+++ b/cpp/ql/src/change-notes/2024-12-05-wrong-type-format-args.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) query no longer produces results when a string type has an extraction error.
+* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) no longer produces results when an argument type has an extraction error.