From 076bcc0179673cc264cfb15e43aee45563a79ae9 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 18 May 2026 15:31:45 +0100
Subject: [PATCH 1/2] C++: Remove use of 'FunctionWithWrappers' from
 'cpp/tainted-format-string'.

---
 .../CWE/CWE-134/UncontrolledFormatString.ql   | 38 ++++++-------------
 1 file changed, 12 insertions(+), 26 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
index bf6f014672fb..242434a10f07 100644
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -15,7 +15,7 @@
 
 import cpp
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.security.FunctionWithWrappers
+import semmle.code.cpp.security.PrintfLike
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.ir.IR
@@ -23,32 +23,18 @@ import Flow::PathGraph
 
 predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
 
-/**
- * Holds if `f` is a printf-like function or a (possibly nested) wrapper
- * that forwards a format-string parameter to one.
- *
- * Functions that *implement* printf-like behavior (e.g. a custom
- * `vsnprintf` variant) internally parse the caller-supplied format string
- * and build small, bounded, local format strings such as `"%d"` or `"%ld"`
- * for inner `sprintf` calls.  Taint that reaches those inner calls via the
- * parsed format specifier is not exploitable, so sinks inside such
- * functions should be excluded.
- */
-private predicate isPrintfImplementation(Function f) {
-  f instanceof PrintfLikeFunction
-  or
-  exists(PrintfLikeFunction printf | printf.wrapperFunction(f, _, _))
+predicate isSink(DataFlow::Node node, Function f) {
+  exists(Call c, int i |
+    c.getTarget() = f and
+    printfLikeFunction(f, i) and
+    c.getArgument(i) = node.asIndirectExpr()
+  )
 }
 
 module Config implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { isSource(node, _) }
 
-  predicate isSink(DataFlow::Node node) {
-    exists(PrintfLikeFunction printf |
-      printf.outermostWrapperFunctionCall([node.asExpr(), node.asIndirectExpr()], _)
-    ) and
-    not isPrintfImplementation([node.asExpr(), node.asIndirectExpr()].getEnclosingFunction())
-  }
+  predicate isSink(DataFlow::Node node) { isSink(node, _) }
 
   private predicate isArithmeticNonCharType(ArithmeticType type) {
     not type instanceof CharType and
@@ -69,14 +55,14 @@ module Config implements DataFlow::ConfigSig {
 module Flow = TaintTracking::Global<Config>;
 
 from
-  PrintfLikeFunction printf, string printfFunction, string sourceType, DataFlow::Node source,
-  DataFlow::Node sink, Flow::PathNode sourceNode, Flow::PathNode sinkNode
+  Function printf, string sourceType, DataFlow::Node source, DataFlow::Node sink,
+  Flow::PathNode sourceNode, Flow::PathNode sinkNode
 where
   source = sourceNode.getNode() and
   sink = sinkNode.getNode() and
   isSource(source, sourceType) and
-  printf.outermostWrapperFunctionCall([sink.asExpr(), sink.asIndirectExpr()], printfFunction) and
+  isSink(sink, printf) and
   Flow::flowPath(sourceNode, sinkNode)
 select sink, sourceNode, sinkNode,
   "The value of this argument may come from $@ and is being used as a formatting argument to " +
-    printfFunction + ".", source, sourceType
+    printf + ".", source, sourceType

From f87ba8de6330acdc8417c478f4acec0c6db2f4b5 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 18 May 2026 15:31:56 +0100
Subject: [PATCH 2/2] C++: Accept test changes.

---
 .../SAMATE/UncontrolledFormatString.expected  | 10 ++-
 .../CWE-134/semmle/argv/argvLocal.expected    | 62 +++++++------------
 .../CWE-134/semmle/funcs/funcsLocal.expected  | 16 ++---
 .../UncontrolledFormatString.expected         | 15 ++---
 .../CWE/CWE-134/semmle/ifs/ifs.expected       | 22 +++----
 5 files changed, 54 insertions(+), 71 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected
index 560ecc8bd775..8ae3d8ecde80 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected
@@ -1,7 +1,9 @@
 edges
+| char_connect_socket_w32_vsnprintf_01_bad.c:40:30:40:33 | *data | char_connect_socket_w32_vsnprintf_01_bad.c:47:32:47:35 | *data | provenance |  |
 | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:100:13:100:60 | ... = ... | provenance |  |
 | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | provenance |  |
 | char_connect_socket_w32_vsnprintf_01_bad.c:100:13:100:60 | ... = ... | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | provenance |  |
+| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | char_connect_socket_w32_vsnprintf_01_bad.c:40:30:40:33 | *data | provenance |  |
 | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:37:21:37:43 | ... = ... | provenance |  |
 | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:44:17:44:37 | ... = ... | provenance |  |
 | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | provenance |  |
@@ -10,6 +12,8 @@ edges
 | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | provenance |  |
 | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | provenance | TaintFunction |
 nodes
+| char_connect_socket_w32_vsnprintf_01_bad.c:40:30:40:33 | *data | semmle.label | *data |
+| char_connect_socket_w32_vsnprintf_01_bad.c:47:32:47:35 | *data | semmle.label | *data |
 | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | semmle.label | recv output argument |
 | char_connect_socket_w32_vsnprintf_01_bad.c:100:13:100:60 | ... = ... | semmle.label | ... = ... |
 | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | semmle.label | *data |
@@ -22,6 +26,6 @@ nodes
 | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | semmle.label | *data |
 subpaths
 #select
-| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | buffer read by recv |
-| char_console_fprintf_01_bad.c:49:21:49:24 | *data | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | string read by fgets |
-| char_environment_fprintf_01_bad.c:36:21:36:24 | *data | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | an environment variable |
+| char_connect_socket_w32_vsnprintf_01_bad.c:47:32:47:35 | *data | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:47:32:47:35 | *data | The value of this argument may come from $@ and is being used as a formatting argument to vsnprintf. | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | buffer read by recv |
+| char_console_fprintf_01_bad.c:49:21:49:24 | *data | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf. | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | string read by fgets |
+| char_environment_fprintf_01_bad.c:36:21:36:24 | *data | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf. | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | an environment variable |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
index 7b87c3ff440a..88b333008182 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
@@ -1,13 +1,13 @@
 edges
 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | provenance |  |
+| argvLocal.c:9:25:9:31 | *correct | argvLocal.c:10:9:10:15 | *correct | provenance |  |
+| argvLocal.c:9:25:9:31 | *correct | argvLocal.c:10:9:10:15 | *correct | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | provenance |  |
-| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:100:2:100:13 | *... = ... | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:105:14:105:17 | **argv | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | provenance | DataFlowFunction |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | provenance | DataFlowFunction |
-| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | provenance | DataFlowFunction |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:120:13:120:14 | *i3 | provenance | DataFlowFunction |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:126:2:126:19 | ... = ... | provenance |  |
 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:149:2:149:17 | *... = ... | provenance |  |
@@ -17,32 +17,29 @@ edges
 | argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:105:14:105:17 | **argv | provenance |  |
 | argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:116:9:116:10 | *i3 | provenance | DataFlowFunction |
 | argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:117:15:117:16 | *i3 | provenance | DataFlowFunction |
-| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:117:15:117:16 | *i3 | provenance | DataFlowFunction |
 | argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:120:13:120:14 | *i3 | provenance | DataFlowFunction |
 | argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:126:2:126:19 | ... = ... | provenance |  |
 | argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:149:2:149:17 | *... = ... | provenance |  |
 | argvLocal.c:100:2:100:13 | *... = ... | argvLocal.c:101:9:101:10 | *i1 | provenance |  |
 | argvLocal.c:100:2:100:13 | *... = ... | argvLocal.c:102:15:102:16 | *i1 | provenance |  |
-| argvLocal.c:100:2:100:13 | *... = ... | argvLocal.c:102:15:102:16 | *i1 | provenance |  |
 | argvLocal.c:100:2:100:13 | *... = ... | argvLocal.c:143:13:143:26 | *... , ... | provenance |  |
 | argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:9:25:9:31 | *correct | provenance |  |
 | argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:102:15:102:16 | printWrapper output argument | provenance |  |
 | argvLocal.c:102:15:102:16 | printWrapper output argument | argvLocal.c:143:13:143:26 | *... , ... | provenance |  |
 | argvLocal.c:105:14:105:17 | **argv | argvLocal.c:106:9:106:13 | *access to array | provenance |  |
 | argvLocal.c:105:14:105:17 | **argv | argvLocal.c:107:15:107:19 | *access to array | provenance |  |
-| argvLocal.c:105:14:105:17 | **argv | argvLocal.c:107:15:107:19 | *access to array | provenance |  |
 | argvLocal.c:105:14:105:17 | **argv | argvLocal.c:110:9:110:11 | ** ... | provenance |  |
 | argvLocal.c:105:14:105:17 | **argv | argvLocal.c:111:15:111:17 | ** ... | provenance |  |
 | argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:9:25:9:31 | *correct | provenance |  |
 | argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:107:15:107:19 | printWrapper output argument | provenance |  |
 | argvLocal.c:107:15:107:19 | printWrapper output argument | argvLocal.c:110:9:110:11 | ** ... | provenance |  |
 | argvLocal.c:107:15:107:19 | printWrapper output argument | argvLocal.c:111:15:111:17 | ** ... | provenance |  |
+| argvLocal.c:111:15:111:17 | ** ... | argvLocal.c:9:25:9:31 | *correct | provenance |  |
 | argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:9:25:9:31 | *correct | provenance |  |
 | argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:117:15:117:16 | printWrapper output argument | provenance |  |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:120:13:120:14 | *i3 | provenance |  |
 | argvLocal.c:120:13:120:14 | *i3 | argvLocal.c:121:9:121:10 | *i4 | provenance |  |
 | argvLocal.c:120:13:120:14 | *i3 | argvLocal.c:122:15:122:16 | *i4 | provenance |  |
-| argvLocal.c:120:13:120:14 | *i3 | argvLocal.c:122:15:122:16 | *i4 | provenance |  |
 | argvLocal.c:120:13:120:14 | *i3 | argvLocal.c:135:9:135:12 | *... ++ | provenance |  |
 | argvLocal.c:120:13:120:14 | *i3 | argvLocal.c:135:9:135:12 | *... ++ | provenance |  |
 | argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:9:25:9:31 | *correct | provenance |  |
@@ -51,17 +48,14 @@ edges
 | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | *... ++ | provenance |  |
 | argvLocal.c:126:2:126:19 | ... = ... | argvLocal.c:127:9:127:10 | *i5 | provenance |  |
 | argvLocal.c:126:2:126:19 | ... = ... | argvLocal.c:128:15:128:16 | *i5 | provenance |  |
-| argvLocal.c:126:2:126:19 | ... = ... | argvLocal.c:128:15:128:16 | *i5 | provenance |  |
 | argvLocal.c:126:2:126:19 | ... = ... | argvLocal.c:131:9:131:14 | *... + ... | provenance |  |
 | argvLocal.c:126:2:126:19 | ... = ... | argvLocal.c:132:15:132:20 | *... + ... | provenance |  |
-| argvLocal.c:126:2:126:19 | ... = ... | argvLocal.c:132:15:132:20 | *... + ... | provenance |  |
 | argvLocal.c:126:2:126:19 | ... = ... | argvLocal.c:139:9:139:26 | *... ? ... : ... | provenance |  |
 | argvLocal.c:126:2:126:19 | ... = ... | argvLocal.c:140:15:140:32 | *... ? ... : ... | provenance |  |
 | argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:9:25:9:31 | *correct | provenance |  |
 | argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:128:15:128:16 | printWrapper output argument | provenance |  |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | *... + ... | provenance |  |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | *... + ... | provenance |  |
-| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | *... + ... | provenance |  |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:139:9:139:26 | *... ? ... : ... | provenance |  |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:140:15:140:32 | *... ? ... : ... | provenance |  |
 | argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:9:25:9:31 | *correct | provenance |  |
@@ -69,48 +63,47 @@ edges
 | argvLocal.c:132:15:132:20 | printWrapper output argument | argvLocal.c:139:9:139:26 | *... ? ... : ... | provenance |  |
 | argvLocal.c:132:15:132:20 | printWrapper output argument | argvLocal.c:140:15:140:32 | *... ? ... : ... | provenance |  |
 | argvLocal.c:135:9:135:12 | *... ++ | argvLocal.c:136:15:136:18 | *-- ... | provenance |  |
+| argvLocal.c:136:15:136:18 | *-- ... | argvLocal.c:9:25:9:31 | *correct | provenance |  |
 | argvLocal.c:136:15:136:18 | *-- ... | argvLocal.c:136:15:136:18 | *-- ... | provenance |  |
+| argvLocal.c:140:15:140:32 | *... ? ... : ... | argvLocal.c:9:25:9:31 | *correct | provenance |  |
 | argvLocal.c:143:13:143:26 | *... , ... | argvLocal.c:144:9:144:10 | *i7 | provenance |  |
 | argvLocal.c:143:13:143:26 | *... , ... | argvLocal.c:145:15:145:16 | *i7 | provenance |  |
+| argvLocal.c:145:15:145:16 | *i7 | argvLocal.c:9:25:9:31 | *correct | provenance |  |
 | argvLocal.c:149:2:149:17 | *... = ... | argvLocal.c:150:9:150:10 | *i8 | provenance |  |
 | argvLocal.c:149:2:149:17 | *... = ... | argvLocal.c:151:15:151:16 | *i8 | provenance |  |
+| argvLocal.c:151:15:151:16 | *i8 | argvLocal.c:9:25:9:31 | *correct | provenance |  |
 nodes
 | argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct |
 | argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct |
+| argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct |
+| argvLocal.c:10:9:10:15 | *correct | semmle.label | *correct |
 | argvLocal.c:13:27:13:30 | **argv | semmle.label | **argv |
 | argvLocal.c:95:9:95:15 | *access to array | semmle.label | *access to array |
 | argvLocal.c:96:15:96:21 | *access to array | semmle.label | *access to array |
-| argvLocal.c:96:15:96:21 | *access to array | semmle.label | *access to array |
 | argvLocal.c:96:15:96:21 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:100:2:100:13 | *... = ... | semmle.label | *... = ... |
 | argvLocal.c:101:9:101:10 | *i1 | semmle.label | *i1 |
 | argvLocal.c:102:15:102:16 | *i1 | semmle.label | *i1 |
-| argvLocal.c:102:15:102:16 | *i1 | semmle.label | *i1 |
 | argvLocal.c:102:15:102:16 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:105:14:105:17 | **argv | semmle.label | **argv |
 | argvLocal.c:106:9:106:13 | *access to array | semmle.label | *access to array |
 | argvLocal.c:107:15:107:19 | *access to array | semmle.label | *access to array |
-| argvLocal.c:107:15:107:19 | *access to array | semmle.label | *access to array |
 | argvLocal.c:107:15:107:19 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:110:9:110:11 | ** ... | semmle.label | ** ... |
 | argvLocal.c:111:15:111:17 | ** ... | semmle.label | ** ... |
 | argvLocal.c:116:9:116:10 | *i3 | semmle.label | *i3 |
 | argvLocal.c:117:15:117:16 | *i3 | semmle.label | *i3 |
-| argvLocal.c:117:15:117:16 | *i3 | semmle.label | *i3 |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:120:13:120:14 | *i3 | semmle.label | *i3 |
 | argvLocal.c:121:9:121:10 | *i4 | semmle.label | *i4 |
 | argvLocal.c:122:15:122:16 | *i4 | semmle.label | *i4 |
-| argvLocal.c:122:15:122:16 | *i4 | semmle.label | *i4 |
 | argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:126:2:126:19 | ... = ... | semmle.label | ... = ... |
 | argvLocal.c:127:9:127:10 | *i5 | semmle.label | *i5 |
 | argvLocal.c:128:15:128:16 | *i5 | semmle.label | *i5 |
-| argvLocal.c:128:15:128:16 | *i5 | semmle.label | *i5 |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:131:9:131:14 | *... + ... | semmle.label | *... + ... |
 | argvLocal.c:132:15:132:20 | *... + ... | semmle.label | *... + ... |
-| argvLocal.c:132:15:132:20 | *... + ... | semmle.label | *... + ... |
 | argvLocal.c:132:15:132:20 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:135:9:135:12 | *... ++ | semmle.label | *... ++ |
 | argvLocal.c:135:9:135:12 | *... ++ | semmle.label | *... ++ |
@@ -133,27 +126,16 @@ subpaths
 | argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:128:15:128:16 | printWrapper output argument |
 | argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:132:15:132:20 | printWrapper output argument |
 #select
-| argvLocal.c:95:9:95:15 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:101:9:101:10 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:106:9:106:13 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:110:9:110:11 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:111:15:111:17 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:116:9:116:10 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:121:9:121:10 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:127:9:127:10 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:131:9:131:14 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:135:9:135:12 | *... ++ | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:136:15:136:18 | *-- ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:139:9:139:26 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:140:15:140:32 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:140:15:140:32 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:144:9:144:10 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:145:15:145:16 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:150:9:150:10 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
-| argvLocal.c:151:15:151:16 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:10:9:10:15 | *correct | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:10:9:10:15 | *correct | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:95:9:95:15 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:101:9:101:10 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:106:9:106:13 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:110:9:110:11 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:116:9:116:10 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:121:9:121:10 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:127:9:127:10 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:131:9:131:14 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:135:9:135:12 | *... ++ | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:139:9:139:26 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:144:9:144:10 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
+| argvLocal.c:150:9:150:10 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | argvLocal.c:13:27:13:30 | **argv | a command-line argument |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected
index 4447b215aedf..28e89f7da6f6 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected
@@ -33,11 +33,11 @@ nodes
 | funcsLocal.c:58:9:58:10 | *e1 | semmle.label | *e1 |
 subpaths
 #select
-| funcsLocal.c:17:9:17:10 | *i1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread |
-| funcsLocal.c:27:9:27:10 | *i3 | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:26:8:26:9 | fgets output argument | string read by fgets |
-| funcsLocal.c:32:9:32:10 | *i4 | funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:31:13:31:17 | *call to fgets | string read by fgets |
-| funcsLocal.c:37:9:37:10 | *i5 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:36:7:36:8 | gets output argument | string read by gets |
-| funcsLocal.c:42:9:42:10 | *i6 | funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:41:13:41:16 | *call to gets | string read by gets |
-| funcsLocal.c:47:9:47:11 | ** ... | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:46:7:46:9 | gets output argument | string read by gets |
-| funcsLocal.c:53:9:53:11 | ** ... | funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:52:8:52:11 | *call to gets | string read by gets |
-| funcsLocal.c:58:9:58:10 | *e1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread |
+| funcsLocal.c:17:9:17:10 | *i1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread |
+| funcsLocal.c:27:9:27:10 | *i3 | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | funcsLocal.c:26:8:26:9 | fgets output argument | string read by fgets |
+| funcsLocal.c:32:9:32:10 | *i4 | funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | funcsLocal.c:31:13:31:17 | *call to fgets | string read by fgets |
+| funcsLocal.c:37:9:37:10 | *i5 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | funcsLocal.c:36:7:36:8 | gets output argument | string read by gets |
+| funcsLocal.c:42:9:42:10 | *i6 | funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | funcsLocal.c:41:13:41:16 | *call to gets | string read by gets |
+| funcsLocal.c:47:9:47:11 | ** ... | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf. | funcsLocal.c:46:7:46:9 | gets output argument | string read by gets |
+| funcsLocal.c:53:9:53:11 | ** ... | funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf. | funcsLocal.c:52:8:52:11 | *call to gets | string read by gets |
+| funcsLocal.c:58:9:58:10 | *e1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected
index 7408d8360ef5..6cf3ad59e3de 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected
@@ -2,12 +2,10 @@ edges
 | globalVars.c:8:7:8:10 | **copy | globalVars.c:8:7:8:10 | **copy | provenance |  |
 | globalVars.c:8:7:8:10 | **copy | globalVars.c:27:9:27:12 | *copy | provenance |  |
 | globalVars.c:8:7:8:10 | **copy | globalVars.c:30:15:30:18 | *copy | provenance |  |
-| globalVars.c:8:7:8:10 | **copy | globalVars.c:30:15:30:18 | *copy | provenance |  |
 | globalVars.c:8:7:8:10 | **copy | globalVars.c:35:11:35:14 | *copy | provenance |  |
 | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:9:7:9:11 | **copy2 | provenance |  |
 | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:38:9:38:13 | *copy2 | provenance |  |
 | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:41:15:41:19 | *copy2 | provenance |  |
-| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:41:15:41:19 | *copy2 | provenance |  |
 | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:50:9:50:13 | *copy2 | provenance |  |
 | globalVars.c:11:22:11:25 | **argv | globalVars.c:12:2:12:15 | *... = ... | provenance |  |
 | globalVars.c:12:2:12:15 | *... = ... | globalVars.c:8:7:8:10 | **copy | provenance |  |
@@ -15,6 +13,7 @@ edges
 | globalVars.c:15:21:15:23 | *val | globalVars.c:16:2:16:12 | *... = ... | provenance |  |
 | globalVars.c:16:2:16:12 | *... = ... | globalVars.c:9:7:9:11 | **copy2 | provenance |  |
 | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | provenance |  |
+| globalVars.c:19:25:19:27 | *str | globalVars.c:20:9:20:11 | *str | provenance |  |
 | globalVars.c:23:27:23:30 | **argv | globalVars.c:24:11:24:14 | **argv | provenance |  |
 | globalVars.c:24:11:24:14 | **argv | globalVars.c:11:22:11:25 | **argv | provenance |  |
 | globalVars.c:30:15:30:18 | *copy | globalVars.c:19:25:19:27 | *str | provenance |  |
@@ -38,17 +37,16 @@ nodes
 | globalVars.c:16:2:16:12 | *... = ... | semmle.label | *... = ... |
 | globalVars.c:19:25:19:27 | *str | semmle.label | *str |
 | globalVars.c:19:25:19:27 | *str | semmle.label | *str |
+| globalVars.c:20:9:20:11 | *str | semmle.label | *str |
 | globalVars.c:23:27:23:30 | **argv | semmle.label | **argv |
 | globalVars.c:24:11:24:14 | **argv | semmle.label | **argv |
 | globalVars.c:27:9:27:12 | *copy | semmle.label | *copy |
 | globalVars.c:30:15:30:18 | *copy | semmle.label | *copy |
-| globalVars.c:30:15:30:18 | *copy | semmle.label | *copy |
 | globalVars.c:30:15:30:18 | printWrapper output argument | semmle.label | printWrapper output argument |
 | globalVars.c:35:11:35:14 | *copy | semmle.label | *copy |
 | globalVars.c:35:11:35:14 | setCopy2 output argument | semmle.label | setCopy2 output argument |
 | globalVars.c:38:9:38:13 | *copy2 | semmle.label | *copy2 |
 | globalVars.c:41:15:41:19 | *copy2 | semmle.label | *copy2 |
-| globalVars.c:41:15:41:19 | *copy2 | semmle.label | *copy2 |
 | globalVars.c:41:15:41:19 | printWrapper output argument | semmle.label | printWrapper output argument |
 | globalVars.c:50:9:50:13 | *copy2 | semmle.label | *copy2 |
 subpaths
@@ -56,8 +54,7 @@ subpaths
 | globalVars.c:35:11:35:14 | *copy | globalVars.c:15:21:15:23 | *val | globalVars.c:15:21:15:23 | *val | globalVars.c:35:11:35:14 | setCopy2 output argument |
 | globalVars.c:41:15:41:19 | *copy2 | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | globalVars.c:41:15:41:19 | printWrapper output argument |
 #select
-| globalVars.c:27:9:27:12 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:27:9:27:12 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument |
-| globalVars.c:30:15:30:18 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:30:15:30:18 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument |
-| globalVars.c:38:9:38:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:38:9:38:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument |
-| globalVars.c:41:15:41:19 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:41:15:41:19 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument |
-| globalVars.c:50:9:50:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:50:9:50:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument |
+| globalVars.c:20:9:20:11 | *str | globalVars.c:23:27:23:30 | **argv | globalVars.c:20:9:20:11 | *str | The value of this argument may come from $@ and is being used as a formatting argument to printf. | globalVars.c:23:27:23:30 | **argv | a command-line argument |
+| globalVars.c:27:9:27:12 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:27:9:27:12 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printf. | globalVars.c:23:27:23:30 | **argv | a command-line argument |
+| globalVars.c:38:9:38:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:38:9:38:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | globalVars.c:23:27:23:30 | **argv | a command-line argument |
+| globalVars.c:50:9:50:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:50:9:50:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | globalVars.c:23:27:23:30 | **argv | a command-line argument |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
index e8d852cbcd27..e21c9387e0ea 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
@@ -47,14 +47,14 @@ nodes
 | ifs.c:124:9:124:10 | *i9 | semmle.label | *i9 |
 subpaths
 #select
-| ifs.c:62:9:62:10 | *c7 | ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument |
-| ifs.c:69:9:69:10 | *c8 | ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument |
-| ifs.c:75:9:75:10 | *i1 | ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument |
-| ifs.c:81:9:81:10 | *i2 | ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument |
-| ifs.c:87:9:87:10 | *i3 | ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument |
-| ifs.c:93:9:93:10 | *i4 | ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument |
-| ifs.c:99:9:99:10 | *i5 | ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument |
-| ifs.c:106:9:106:10 | *i6 | ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument |
-| ifs.c:112:9:112:10 | *i7 | ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument |
-| ifs.c:118:9:118:10 | *i8 | ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument |
-| ifs.c:124:9:124:10 | *i9 | ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument |
+| ifs.c:62:9:62:10 | *c7 | ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | ifs.c:16:27:16:30 | **argv | a command-line argument |
+| ifs.c:69:9:69:10 | *c8 | ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | ifs.c:16:27:16:30 | **argv | a command-line argument |
+| ifs.c:75:9:75:10 | *i1 | ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | ifs.c:16:27:16:30 | **argv | a command-line argument |
+| ifs.c:81:9:81:10 | *i2 | ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | ifs.c:16:27:16:30 | **argv | a command-line argument |
+| ifs.c:87:9:87:10 | *i3 | ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | ifs.c:16:27:16:30 | **argv | a command-line argument |
+| ifs.c:93:9:93:10 | *i4 | ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | ifs.c:16:27:16:30 | **argv | a command-line argument |
+| ifs.c:99:9:99:10 | *i5 | ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | ifs.c:16:27:16:30 | **argv | a command-line argument |
+| ifs.c:106:9:106:10 | *i6 | ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | ifs.c:16:27:16:30 | **argv | a command-line argument |
+| ifs.c:112:9:112:10 | *i7 | ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | ifs.c:16:27:16:30 | **argv | a command-line argument |
+| ifs.c:118:9:118:10 | *i8 | ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | ifs.c:16:27:16:30 | **argv | a command-line argument |
+| ifs.c:124:9:124:10 | *i9 | ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf. | ifs.c:16:27:16:30 | **argv | a command-line argument |