From d23a3f821e6a9f8e6fe320cb6cdd7b04403b47f0 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 5 Mar 2026 15:20:48 +0000
Subject: [PATCH 1/7] C++: Add a test case for WrongTypeFormatArguments involving code that's included twice.
---
 .../WrongTypeFormatArguments.expected | 6 +++++
 .../Buildless/first.cpp | 8 ++++++
 .../Buildless/include_twice.h | 25 +++++++++++++++++++
 .../Buildless/second.cpp | 8 ++++++
 4 files changed, 47 insertions(+)
 create mode 100644 cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp
 create mode 100644 cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h
 create mode 100644 cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
index 745f2f790f79..e22d4c4a02c2 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
@@ -1 +1,7 @@
+| include_twice.h:10:18:10:18 | s | This format specifier for type 'int' does not match the argument type 'unsigned long'. |
+| include_twice.h:13:18:13:18 | s | This format specifier for type 'unsigned int' does not match the argument type 'unsigned long'. |
+| include_twice.h:21:18:21:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. |
+| include_twice.h:21:18:21:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. |
+| include_twice.h:24:18:24:39 | ... - ... | This format specifier for type 'unsigned int' does not match the argument type 'long'. |
+| include_twice.h:24:18:24:39 | ... - ... | This format specifier for type 'unsigned int' does not match the argument type 'long'. |
 | tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp
new file mode 100644
index 000000000000..389d609c04ac
--- /dev/null
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp
@@ -0,0 +1,8 @@
+// semmle-extractor-options: --expect_errors
+
+int printf(const char * format, ...);
+
+// defines type size_t plausibly
+typedef unsigned long size_t;
+
+#include "include_twice.h"
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h
new file mode 100644
index 000000000000..1288f172d52b
--- /dev/null
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h
@@ -0,0 +1,25 @@
+// semmle-extractor-options: --expect_errors
+
+void test_size_t() {
+ size_t s = 0;
+
+ printf("%zd", s); // GOOD
+ printf("%zi", s); // GOOD
+ printf("%zu", s); // GOOD
+ printf("%zx", s); // GOOD
+ printf("%d", s); // BAD
+ printf("%ld", s); // BAD [NOT DETECTED]
+ printf("%lld", s); // BAD [NOT DETECTED]
+ printf("%u", s); // BAD
+
+ char buffer[1024];
+
+ printf("%zd", &buffer[1023] - buffer); // GOOD
+ printf("%zi", &buffer[1023] - buffer); // GOOD
+ printf("%zu", &buffer[1023] - buffer); // GOOD
+ printf("%zx", &buffer[1023] - buffer); // GOOD
+ printf("%d", &buffer[1023] - buffer); // BAD
+ printf("%ld", &buffer[1023] - buffer); // BAD [NOT DETECTED]
+ printf("%lld", &buffer[1023] - buffer); // BAD [NOT DETECTED]
+ printf("%u", &buffer[1023] - buffer); // BAD
+}
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
new file mode 100644
index 000000000000..5c815ff98e07
--- /dev/null
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
@@ -0,0 +1,8 @@
+// semmle-extractor-options: --expect_errors
+
+int printf(const char * format, ...);
+
+// defines type `myFunctionPointerType`
+typedef int (*myFunctionPointerType) ();
+
+#include "include_twice.h"
From 7f6fd34d4687e0d3f3770496f3a6658c6ac73b09 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 6 Mar 2026 10:13:11 +0000
Subject: [PATCH 2/7] C++: Expose a type resolution issue.
---
 .../Buildless/WrongTypeFormatArguments.expected | 6 ++++++
 .../WrongTypeFormatArguments/Buildless/include_twice.h | 8 ++++----
 .../Format/WrongTypeFormatArguments/Buildless/second.cpp | 4 ++--
 3 files changed, 12 insertions(+), 6 deletions(-)
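Review bot: The pointer-difference cases in `test_size_t()` in include_twice.h have no `%td` line, which is the length modifier C defines for `ptrdiff_t`, the type of `&buffer[1023] - buffer`; all four `z` variants are labelled GOOD even though `%zu` and `%zx` are unsigned conversions. Consider adding `printf("%td", &buffer[1023] - buffer); // GOOD` so the test pins the exact-match case next to the tolerated ones. The same block is moved unchanged into second.cpp by patch 3/7, so the addition would apply there as well.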
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
index e22d4c4a02c2..abc8c7294501 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
@@ -1,4 +1,10 @@
+| include_twice.h:8:19:8:19 | s | This format specifier for type 'size_t' does not match the argument type '..(*)(..)'. |
+| include_twice.h:9:19:9:19 | s | This format specifier for type 'size_t' does not match the argument type '..(*)(..)'. |
+| include_twice.h:10:18:10:18 | s | This format specifier for type 'int' does not match the argument type '..(*)(..)'. |
 | include_twice.h:10:18:10:18 | s | This format specifier for type 'int' does not match the argument type 'unsigned long'. |
+| include_twice.h:11:19:11:19 | s | This format specifier for type 'long' does not match the argument type '..(*)(..)'. |
+| include_twice.h:12:20:12:20 | s | This format specifier for type 'long long' does not match the argument type '..(*)(..)'. |
+| include_twice.h:13:18:13:18 | s | This format specifier for type 'unsigned int' does not match the argument type '..(*)(..)'. |
 | include_twice.h:13:18:13:18 | s | This format specifier for type 'unsigned int' does not match the argument type 'unsigned long'. |
 | include_twice.h:21:18:21:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. |
 | include_twice.h:21:18:21:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h index 1288f172d52b..d531ada4a553 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h @@ -5,11 +5,11 @@ void test_size_t() { printf("%zd", s); // GOOD printf("%zi", s); // GOOD - printf("%zu", s); // GOOD - printf("%zx", s); // GOOD + printf("%zu", s); // GOOD [FALSE POSITIVE] + printf("%zx", s); // GOOD [FALSE POSITIVE] printf("%d", s); // BAD - printf("%ld", s); // BAD [NOT DETECTED] - printf("%lld", s); // BAD [NOT DETECTED] + printf("%ld", s); // BAD + printf("%lld", s); // BAD printf("%u", s); // BAD char buffer[1024]; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp index 5c815ff98e07..0c2b5ea69b15 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp @@ -2,7 +2,7 @@ int printf(const char * format, ...); -// defines type `myFunctionPointerType` -typedef int (*myFunctionPointerType) (); +// defines type `myFunctionPointerType`, referencing `size_t` +typedef size_t (*myFunctionPointerType) (); #include "include_twice.h" From da99d3660d409775ea1d61646b630c831bc4f2cd Mon Sep 17 00:00:00 2001 
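Review bot: The `%ld` and `%lld` lines in include_twice.h lose their `[NOT DETECTED]` marker here, but the new expected rows for lines 11 and 12 give the argument type as `'..(*)(..)'`, so the alerts fire for the wrong reason rather than because `size_t` was recognised. A plain `// BAD` reads as if detection now works as intended; a comment such as `// BAD (reported, but with the wrong argument type)` on those two lines, and on `%d` / `%u`, which gain a second row of the same kind, would keep the annotations accurate. `test_size_t()` starts above this hunk and continues below it.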
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 6 Mar 2026 11:53:43 +0000 Subject: [PATCH 3/7] C++: Turns out we can simplify. --- .../WrongTypeFormatArguments.expected | 20 ++++++--------- .../Buildless/first.cpp | 5 ---- .../Buildless/include_twice.h | 25 ------------------- .../Buildless/second.cpp | 24 +++++++++++++++++- 4 files changed, 31 insertions(+), 43 deletions(-) delete mode 100644 cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected index abc8c7294501..ff2db0dfcf09 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected 
@@ -1,13 +1,9 @@ -| include_twice.h:8:19:8:19 | s | This format specifier for type 'size_t' does not match the argument type '..(*)(..)'. | -| include_twice.h:9:19:9:19 | s | This format specifier for type 'size_t' does not match the argument type '..(*)(..)'. | -| include_twice.h:10:18:10:18 | s | This format specifier for type 'int' does not match the argument type '..(*)(..)'. | -| include_twice.h:10:18:10:18 | s | This format specifier for type 'int' does not match the argument type 'unsigned long'. | -| include_twice.h:11:19:11:19 | s | This format specifier for type 'long' does not match the argument type '..(*)(..)'. | -| include_twice.h:12:20:12:20 | s | This format specifier for type 'long long' does not match the argument type '..(*)(..)'. | -| include_twice.h:13:18:13:18 | s | This format specifier for type 'unsigned int' does not match the argument type '..(*)(..)'. | -| include_twice.h:13:18:13:18 | s | This format specifier for type 'unsigned int' does not match the argument type 'unsigned long'. | -| include_twice.h:21:18:21:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. | -| include_twice.h:21:18:21:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. | -| include_twice.h:24:18:24:39 | ... - ... | This format specifier for type 'unsigned int' does not match the argument type 'long'. | -| include_twice.h:24:18:24:39 | ... - ... | This format specifier for type 'unsigned int' does not match the argument type 'long'. | +| second.cpp:13:19:13:19 | s | This format specifier for type 'size_t' does not match the argument type '..(*)(..)'. | +| second.cpp:14:19:14:19 | s | This format specifier for type 'size_t' does not match the argument type '..(*)(..)'. | +| second.cpp:15:18:15:18 | s | This format specifier for type 'int' does not match the argument type '..(*)(..)'. 
| +| second.cpp:16:19:16:19 | s | This format specifier for type 'long' does not match the argument type '..(*)(..)'. | +| second.cpp:17:20:17:20 | s | This format specifier for type 'long long' does not match the argument type '..(*)(..)'. | +| second.cpp:18:18:18:18 | s | This format specifier for type 'unsigned int' does not match the argument type '..(*)(..)'. | +| second.cpp:26:18:26:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. | +| second.cpp:29:18:29:39 | ... - ... | This format specifier for type 'unsigned int' does not match the argument type 'long'. | | tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp index 389d609c04ac..8973ace78c76 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp @@ -1,8 +1,3 @@ -// semmle-extractor-options: --expect_errors - -int printf(const char * format, ...); // defines type size_t plausibly typedef unsigned long size_t; - -#include "include_twice.h" diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h deleted file mode 100644 index d531ada4a553..000000000000 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/include_twice.h +++ /dev/null 
@@ -1,25 +0,0 @@
-// semmle-extractor-options: --expect_errors
-
-void test_size_t() {
- size_t s = 0;
-
- printf("%zd", s); // GOOD
- printf("%zi", s); // GOOD
- printf("%zu", s); // GOOD [FALSE POSITIVE]
- printf("%zx", s); // GOOD [FALSE POSITIVE]
- printf("%d", s); // BAD
- printf("%ld", s); // BAD
- printf("%lld", s); // BAD
- printf("%u", s); // BAD
-
- char buffer[1024];
-
- printf("%zd", &buffer[1023] - buffer); // GOOD
- printf("%zi", &buffer[1023] - buffer); // GOOD
- printf("%zu", &buffer[1023] - buffer); // GOOD
- printf("%zx", &buffer[1023] - buffer); // GOOD
- printf("%d", &buffer[1023] - buffer); // BAD
- printf("%ld", &buffer[1023] - buffer); // BAD [NOT DETECTED]
- printf("%lld", &buffer[1023] - buffer); // BAD [NOT DETECTED]
- printf("%u", &buffer[1023] - buffer); // BAD
-}
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
index 0c2b5ea69b15..34a7d24f132e 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
@@ -5,4 +5,26 @@ int printf(const char * format, ...); // defines type `myFunctionPointerType`, referencing `size_t` typedef size_t (*myFunctionPointerType) (); -#include "include_twice.h" +void test_size_t() { + size_t s = 0; + + printf("%zd", s); // GOOD + printf("%zi", s); // GOOD + printf("%zu", s); // GOOD [FALSE POSITIVE] + printf("%zx", s); // GOOD [FALSE POSITIVE] + printf("%d", s); // BAD + printf("%ld", s); // BAD + printf("%lld", s); // BAD + printf("%u", s); // BAD + + char buffer[1024]; + + printf("%zd", &buffer[1023] - buffer); // GOOD + printf("%zi", &buffer[1023] - buffer); // GOOD + printf("%zu", &buffer[1023] - buffer); // GOOD + printf("%zx", &buffer[1023] - buffer); // GOOD + printf("%d", &buffer[1023] - buffer); // BAD + printf("%ld", &buffer[1023] - buffer); // BAD [NOT DETECTED] + printf("%lld", &buffer[1023] - buffer); // BAD [NOT DETECTED] + printf("%u", &buffer[1023] - buffer); // BAD +} From 3c4a386f3f115ff9a961d5538dc785262edd87d0 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 16 Mar 2026 16:08:35 +0000 Subject: [PATCH 4/7] C++: Clarify two cases in the test. --- .../Format/WrongTypeFormatArguments/Buildless/second.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp index 34a7d24f132e..c009b0513a96 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp 
@@ -10,8 +10,8 @@ void test_size_t() { printf("%zd", s); // GOOD printf("%zi", s); // GOOD - printf("%zu", s); // GOOD [FALSE POSITIVE] - printf("%zx", s); // GOOD [FALSE POSITIVE] + printf("%zu", s); // GOOD (we generally permits signedness changes) [FALSE POSITIVE] + printf("%zx", s); // GOOD (we generally permits signedness changes) [FALSE POSITIVE] printf("%d", s); // BAD printf("%ld", s); // BAD printf("%lld", s); // BAD From eeb09ae3899711babbbe3192311bc7f03aad7fa4 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 16 Mar 2026 16:12:30 +0000 Subject: [PATCH 5/7] C++: Fix typo. --- .../Format/WrongTypeFormatArguments/Buildless/second.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp index c009b0513a96..e6ff2a36e07e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp @@ -10,8 +10,8 @@ void test_size_t() { printf("%zd", s); // GOOD printf("%zi", s); // GOOD - printf("%zu", s); // GOOD (we generally permits signedness changes) [FALSE POSITIVE] - printf("%zx", s); // GOOD (we generally permits signedness changes) [FALSE POSITIVE] + printf("%zu", s); // GOOD (we generally permit signedness changes) [FALSE POSITIVE] + printf("%zx", s); // GOOD (we generally permit signedness changes) [FALSE POSITIVE] printf("%d", s); // BAD printf("%ld", s); // BAD printf("%lld", s); // BAD From a57f803b37aee8e3dcdc64434b455db4cb14edf4 Mon Sep 17 00:00:00 2001 
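Review bot: The parenthetical `(we generally permit signedness changes)` is attached to the `%zu` and `%zx` lines, where the conversion is unsigned and `s` is a `size_t`, so no signedness change is involved; it appears to belong on the `%zd` and `%zi` lines above, which print an unsigned argument with a signed conversion. Suggested: `printf("%zd", s); // GOOD (we generally permit signedness changes)` and the same for `%zi`, leaving `%zu` / `%zx` as `// GOOD [FALSE POSITIVE]`. Patches 5/7 and 6/7 carry the comment forward on the same two lines. `test_size_t()` begins and ends outside this hunk.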
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 16 Mar 2026 16:48:54 +0000 Subject: [PATCH 6/7] C++: Address false positive results. --- .../Likely Bugs/Format/WrongTypeFormatArguments.ql | 2 ++ .../Buildless/WrongTypeFormatArguments.expected | 6 ------ .../WrongTypeFormatArguments/Buildless/second.cpp | 12 ++++++------ 3 files changed, 8 insertions(+), 12 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql index 33fe3a0b7a15..7f0a4833cb59 100644 --- a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql +++ b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql @@ -168,9 +168,11 @@ where formatOtherArgType(ffc, n, expected, arg, actual) and not actual.getUnspecifiedType().(IntegralType).getSize() = sizeof_IntType() ) and + // Exclude some cases where we're less confident the result is correct / clear / valuable not arg.isAffectedByMacro() and not arg.isFromUninstantiatedTemplate(_) and not actual.stripType() instanceof ErroneousType and + not arg.getType().stripType().(RoutineType).getReturnType() instanceof ErroneousType and not arg.(Call).mayBeFromImplicitlyDeclaredFunction() and // Make sure that the format function definition is consistent count(ffc.getTarget().getFormatParameterIndex()) = 1 diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected index ff2db0dfcf09..8eefcc95a24f 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected 
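Review bot: The added condition `not arg.getType().stripType().(RoutineType).getReturnType() instanceof ErroneousType` inspects only the return type, so a function-pointer typedef whose parameter types fail to resolve would presumably still produce the misleading `'..(*)(..)'` results; the test exercises only the return-type form, `typedef size_t (*myFunctionPointerType) ();`. The new comment `// Exclude some cases ...` also sits above four older conditions and does not say what this particular line guards against. A comment directly above it, such as `// argument type resolved to a routine type with an unresolved return type (seen in build-mode: none)`, would record the intent. The `where` clause starts before and ends after this hunk.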
@@ -1,9 +1,3 @@
-| second.cpp:13:19:13:19 | s | This format specifier for type 'size_t' does not match the argument type '..(*)(..)'. |
-| second.cpp:14:19:14:19 | s | This format specifier for type 'size_t' does not match the argument type '..(*)(..)'. |
-| second.cpp:15:18:15:18 | s | This format specifier for type 'int' does not match the argument type '..(*)(..)'. |
-| second.cpp:16:19:16:19 | s | This format specifier for type 'long' does not match the argument type '..(*)(..)'. |
-| second.cpp:17:20:17:20 | s | This format specifier for type 'long long' does not match the argument type '..(*)(..)'. |
-| second.cpp:18:18:18:18 | s | This format specifier for type 'unsigned int' does not match the argument type '..(*)(..)'. |
 | second.cpp:26:18:26:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. |
 | second.cpp:29:18:29:39 | ... - ... | This format specifier for type 'unsigned int' does not match the argument type 'long'. |
 | tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
index e6ff2a36e07e..9ebbc4dd6e0a 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
@@ -10,12 +10,12 @@ void test_size_t() { printf("%zd", s); // GOOD printf("%zi", s); // GOOD - printf("%zu", s); // GOOD (we generally permit signedness changes) [FALSE POSITIVE] - printf("%zx", s); // GOOD (we generally permit signedness changes) [FALSE POSITIVE] - printf("%d", s); // BAD - printf("%ld", s); // BAD - printf("%lld", s); // BAD - printf("%u", s); // BAD + printf("%zu", s); // GOOD (we generally permit signedness changes) + printf("%zx", s); // GOOD (we generally permit signedness changes) + printf("%d", s); // BAD [NOT DETECTED] + printf("%ld", s); // BAD [NOT DETECTED] + printf("%lld", s); // BAD [NOT DETECTED] + printf("%u", s); // BAD [NOT DETECTED] char buffer[1024]; From 9cb1c89a02952b8d0935ab2d4c30a9f7abf76bde Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 16 Mar 2026 19:11:27 +0000 Subject: [PATCH 7/7] C++: Change note. --- .../src/change-notes/2026-03-16-wrong-type-format-argument.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md diff --git a/cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md b/cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md new file mode 100644 index 000000000000..84aef7791fcf --- /dev/null +++ b/cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
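Review bot: Four genuine mismatches on `s` (`%d`, `%ld`, `%lld`, `%u`) move to `[NOT DETECTED]` in the second.cpp hunk, and nothing next to them records why, while the change note describes only the false-positive fix. A size or type mismatch passed to `printf` is the defect this query exists to report, so the lost coverage is worth stating beside the cases. If the cause is that the type of `s` is not resolved in this database, write it as `printf("%d", s); // BAD [NOT DETECTED] (type of s is not resolved here)`, in the explanatory style already used on the `%zu` / `%zx` lines. `test_size_t()` begins and ends outside the hunk.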