C++: Clean up false-positives

C++: Change note

Author: calumgrant

cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll

@@ -50,6 +50,8 @@ private class Fprintf extends FormattingFunction, NonThrowingFunction {
   override int getFormatParameterIndex() { result = 1 }
 
   override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = true }
+
+  override int getFirstFormatArgumentIndex() { result = 2 }
 }
 
 /**
@@ -91,7 +93,7 @@ private class Sprintf extends FormattingFunction, NonThrowingFunction {
   override int getFirstFormatArgumentIndex() {
     if this.hasName("__builtin___sprintf_chk")
     then result = 4
-    else result = this.getNumberOfParameters()
+    else result = this.getNumberOfExplicitParameters()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll

@@ -143,7 +143,7 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
    * from implicit function declarations. If there is some inconsistency in the number
    * of parameters, then don't return anything.
    */
-  private int getNumberOfExplicitParameters() {
+  int getNumberOfExplicitParameters() {
     forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
       result = fde.getNumberOfParameters()
     )

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -170,7 +170,8 @@ where
   ) and
   not arg.isAffectedByMacro() and
   not arg.isFromUninstantiatedTemplate(_) and
-  not actual.getUnspecifiedType() instanceof ErroneousType
+  not actual.getUnspecifiedType() instanceof ErroneousType and
+  not arg.(Call).getTarget().getADeclarationEntry().isImplicit()
 select arg,
   "This format specifier for type '" + expected.getName() + "' does not match the argument type '" +
     actual.getUnspecifiedType().getName() + "'."

cpp/ql/src/change-notes/2024-10-15-wrong-type-format-argument.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed false positives in the `cpp/wrong-type-format-argument` ("Wrong type of arguments to formatting function") query if there are extraction errors in the function.

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected

@@ -1,4 +1 @@
-| tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |
-| tests.c:8:18:8:34 | call to implicit_function | This format specifier for type 'char *' does not match the argument type 'int'. |
-| tests.c:9:13:9:13 | 0 | This format specifier for type 'char *' does not match the argument type 'int'. |
-| tests.c:10:13:10:13 | 0 | This format specifier for type 'char *' does not match the argument type 'int'. |
+| tests.c:6:18:6:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c

@@ -1,11 +1,10 @@
 // semmle-extractor-options: --expect_errors
 
 int printf(const char * format, ...);
-int fprintf();
 
-int f() {
-    printf("%s", 1); // BAD - TP
-    printf("%s", implicit_function()); // BAD (FP) - we should not infer the return type
-    sprintf(0, "%s", ""); // BAD (FP)
-    fprintf(0, "%s", ""); // BAD (FP)
+void f() {
+    printf("%s", 1); // BAD
+    printf("%s", implicit_function()); // GOOD - we should ignore the type
+    sprintf(0, "%s", ""); // GOOD
+    fprintf(0, "%s", ""); // GOOD
 }