Merge pull request #5737 from dbartol/dbartol/smart-pointers/work

C++: IR Alias Analysis for smart pointers
2026-04-29 02:35:15 +02:00 · 2021-04-27 21:40:14 +02:00
parent 37377644c9 3b04bedee0
commit 0f141edbc3
21 changed files with 1152 additions and 292 deletions
--- a/cpp/ql/test/include/memory.h
+++ b/cpp/ql/test/include/memory.h
@@ -0,0 +1,139 @@
+#if !defined(CODEQL_MEMORY_H)
+#define CODEQL_MEMORY_H
+
+namespace std {
+  namespace detail {
+    template<typename T>
+    class compressed_pair_element {
+      T element;
+
+    public:
+      compressed_pair_element() = default;
+      compressed_pair_element(const T& t) : element(t) {}
+      
+      T& get() { return element; }
+
+      const T& get() const { return element; }
+    };
+
+    template<typename T, typename U>
+    struct compressed_pair : private compressed_pair_element<T>, private compressed_pair_element<U> {
+      compressed_pair() = default;
+      compressed_pair(T& t) : compressed_pair_element<T>(t), compressed_pair_element<U>() {}
+      compressed_pair(const compressed_pair&) = delete;
+      compressed_pair(compressed_pair<T, U>&&) noexcept = default;
+
+      T& first() { return static_cast<compressed_pair_element<T>&>(*this).get(); }
+      U& second() { return static_cast<compressed_pair_element<U>&>(*this).get(); }
+
+      const T& first() const { return static_cast<const compressed_pair_element<T>&>(*this).get(); }
+      const U& second() const { return static_cast<const compressed_pair_element<U>&>(*this).get(); }
+    };
+  }
+
+  template<class T>
+  struct default_delete {
+    void operator()(T* ptr) const { delete ptr; }
+  };
+
+  template<class T>
+  struct default_delete<T[]> {
+    template<class U>
+    void operator()(U* ptr) const { delete[] ptr; }
+  };
+
+  template<class T, class Deleter = default_delete<T> >
+  class unique_ptr {
+  private:
+    detail::compressed_pair<T*, Deleter> data;
+  public:
+    constexpr unique_ptr() noexcept {}
+    explicit unique_ptr(T* ptr) noexcept : data(ptr) {}
+    unique_ptr(const unique_ptr& ptr) = delete;
+    unique_ptr(unique_ptr&& ptr) noexcept = default;
+
+    unique_ptr& operator=(unique_ptr&& ptr) noexcept = default;
+
+    T& operator*() const { return *get(); }
+    T* operator->() const noexcept { return get(); }
+
+    T* get() const noexcept { return data.first(); }
+    T* release() noexcept { 
+        Deleter& d = data.second();
+        d(data.first());
+        data.first() = nullptr;
+    }
+
+    ~unique_ptr() {
+      Deleter& d = data.second();
+      d(data.first());
+    }
+  };
+  
+  template<typename T, class... Args> unique_ptr<T> make_unique(Args&&... args) {
+    return unique_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
+  }
+
+  class ctrl_block {
+    unsigned uses;
+
+  public:
+    ctrl_block() : uses(1) {}
+
+    void inc() { ++uses; }
+    bool dec() { return --uses == 0; }
+
+    virtual void destroy() = 0;
+    virtual ~ctrl_block() {}
+  };
+
+  template<typename T, class Deleter = default_delete<T> >
+  struct ctrl_block_impl: public ctrl_block {
+    T* ptr;
+    Deleter d;
+
+    ctrl_block_impl(T* ptr, Deleter d) : ptr(ptr), d(d) {}
+    virtual void destroy() override { d(ptr); }
+  };
+
+  template<class T>
+  class shared_ptr {
+  private:
+    ctrl_block* ctrl;
+    T* ptr;
+
+    void dec() {
+      if(ctrl->dec()) {
+        ctrl->destroy();
+        delete ctrl;
+      }
+    }
+
+    void inc() {
+      ctrl->inc();
+    }
+
+  public:
+    constexpr shared_ptr() noexcept = default;
+    shared_ptr(T* ptr) : ctrl(new ctrl_block_impl<T>(ptr, default_delete<T>())) {}
+    shared_ptr(const shared_ptr& s) noexcept : ptr(s.ptr), ctrl(s.ctrl) {
+      inc();
+    }
+    shared_ptr(shared_ptr&& s) noexcept = default;
+    shared_ptr(unique_ptr<T>&& s) : shared_ptr(s.release()) {
+    }
+    T* operator->() const { return ptr; }
+
+    T& operator*() const { return *ptr; }
+
+    T* get() const noexcept { return ptr; }
+
+    ~shared_ptr() { dec(); }
+  };
+
+  template<typename T, class... Args> shared_ptr<T> make_shared(Args&&... args) {
+    return shared_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
+  }
+}
+
+#endif
--- a/cpp/ql/test/include/type_traits.h
+++ b/cpp/ql/test/include/type_traits.h
@@ -0,0 +1,21 @@
+#if !defined(CODEQL_TYPE_TRAITS_H)
+#define CODEQL_TYPE_TRAITS_H
+
+namespace std {
+    template<typename T>
+    struct remove_reference {
+        typedef T type;
+    };
+
+    template<typename T>
+    struct remove_reference<T&> {
+        typedef T type;
+    };
+
+    template<typename T>
+    struct remove_reference<T&&> {
+        typedef T type;
+    };
+}
+
+#endif
--- a/cpp/ql/test/include/utility.h
+++ b/cpp/ql/test/include/utility.h
@@ -0,0 +1,13 @@
+#if !defined(CODEQL_UTILITY_H)
+#define CODEQL_UTILITY_H
+
+#include "type_traits.h"
+
+namespace std {
+    template<typename T>
+    typename remove_reference<T>::type&& move(T&& src) {
+        return static_cast<typename remove_reference<T>::type&&>(src);
+    }
+}
+
+#endif
--- a/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/test.cpp
@@ -7,7 +7,7 @@ void test_unique_ptr_int() {
 	std::unique_ptr<int> p1(new int(source()));
 	std::unique_ptr<int> p2 = std::make_unique<int>(source());
 	
-	sink(*p1); // $ MISSING: ast,ir
+	sink(*p1); // $ ir MISSING: ast
 	sink(*p2); // $ ast ir=8:50
 }

@@ -21,7 +21,7 @@ void test_unique_ptr_struct() {
 	std::unique_ptr<A> p1(new A{source(), 0});
 	std::unique_ptr<A> p2 = std::make_unique<A>(source(), 0);
 	
-	sink(p1->x); // $ MISSING: ast,ir
+	sink(p1->x); // $ ir MISSING: ast
 	sink(p1->y);
 	sink(p2->x); // $ MISSING: ast,ir
 	sink(p2->y);
@@ -31,7 +31,7 @@ void test_shared_ptr_int() {
 	std::shared_ptr<int> p1(new int(source()));
 	std::shared_ptr<int> p2 = std::make_shared<int>(source());
 	
-	sink(*p1); // $ ast
+	sink(*p1); // $ ast ir
 	sink(*p2); // $ ast ir=32:50 
 }

@@ -39,7 +39,7 @@ void test_shared_ptr_struct() {
 	std::shared_ptr<A> p1(new A{source(), 0});
 	std::shared_ptr<A> p2 = std::make_shared<A>(source(), 0);
 	
-	sink(p1->x); // $ MISSING: ast,ir
+	sink(p1->x); // $ ir MISSING: ast
 	sink(p1->y);
 	sink(p2->x); // $ MISSING: ast,ir
 	sink(p2->y);
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3228,6 +3228,7 @@
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:18:11:18:11 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:18:11:18:11 | p [inner post update] |  |
+| smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:18:11:18:11 | ref arg p | TAINT |
 | smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:18:11:18:11 | p | smart_pointer.cpp:18:10:18:10 | call to operator* | TAINT |
 | smart_pointer.cpp:18:11:18:11 | ref arg p | smart_pointer.cpp:18:11:18:11 | p [inner post update] |  |
@@ -3240,6 +3241,7 @@
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:30:11:30:11 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:30:11:30:11 | p [inner post update] |  |
+| smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:30:11:30:11 | ref arg p | TAINT |
 | smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:30:11:30:11 | p | smart_pointer.cpp:30:10:30:10 | call to operator* | TAINT |
 | smart_pointer.cpp:30:11:30:11 | ref arg p | smart_pointer.cpp:30:11:30:11 | p [inner post update] |  |
@@ -3248,6 +3250,7 @@
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:37:6:37:6 | p [inner post update] |  |
+| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:37:6:37:6 | ref arg p | TAINT |
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:5:37:17 | ... = ... | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] |  |
@@ -3262,6 +3265,7 @@
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:45:6:45:6 | p [inner post update] |  |
+| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:45:6:45:6 | ref arg p | TAINT |
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:5:45:17 | ... = ... | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] |  |
@@ -3291,6 +3295,7 @@
 | smart_pointer.cpp:70:37:70:39 | ptr | smart_pointer.cpp:71:4:71:6 | ptr |  |
 | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:70:37:70:39 | ptr |  |
 | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:71:4:71:6 | ptr [inner post update] |  |
+| smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:71:4:71:6 | ref arg ptr | TAINT |
 | smart_pointer.cpp:71:3:71:17 | ... = ... | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] |  |
 | smart_pointer.cpp:71:4:71:6 | ptr | smart_pointer.cpp:71:3:71:3 | call to operator* |  |
 | smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:70:37:70:39 | ptr |  |
@@ -3371,6 +3376,7 @@
 | smart_pointer.cpp:120:48:120:50 | ptr | smart_pointer.cpp:121:4:121:6 | ptr |  |
 | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:120:48:120:50 | ptr |  |
 | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] |  |
+| smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:121:4:121:6 | ref arg ptr | TAINT |
 | smart_pointer.cpp:121:3:121:17 | ... = ... | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] |  |
 | smart_pointer.cpp:121:4:121:6 | ptr | smart_pointer.cpp:121:3:121:3 | call to operator* |  |
 | smart_pointer.cpp:121:4:121:6 | ref arg ptr | smart_pointer.cpp:120:48:120:50 | ptr |  |
@@ -3394,9 +3400,11 @@
 | smart_pointer.cpp:126:10:126:10 | call to operator-> [post update] | smart_pointer.cpp:126:8:126:9 | ref arg p1 | TAINT |
 | smart_pointer.cpp:126:12:126:12 | q | smart_pointer.cpp:126:13:126:13 | call to operator-> |  |
 | smart_pointer.cpp:128:13:128:13 | call to operator* | smart_pointer.cpp:128:13:128:15 | call to shared_ptr | TAINT |
+| smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] | smart_pointer.cpp:128:14:128:15 | ref arg p2 | TAINT |
 | smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:124:90:124:91 | p2 |  |
 | smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] |  |
 | smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:128:14:128:15 | p2 [inner post update] |  |
+| smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:128:14:128:15 | ref arg p2 | TAINT |
 | smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | p2 |  |
 | smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:124:90:124:91 | p2 |  |
 | smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] |  |
@@ -3409,6 +3417,7 @@
 | smart_pointer.cpp:129:9:129:9 | call to operator* | smart_pointer.cpp:129:8:129:8 | call to operator* | TAINT |
 | smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:124:90:124:91 | p2 |  |
 | smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | p2 [inner post update] |  |
+| smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | ref arg p2 | TAINT |
 | smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:8:129:8 | call to operator* |  |
 | smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:9:129:9 | call to operator* | TAINT |
 | smart_pointer.cpp:129:10:129:11 | ref arg p2 | smart_pointer.cpp:124:90:124:91 | p2 |  |
@@ -3429,6 +3438,7 @@
 | smart_pointer.cpp:134:12:134:12 | q | smart_pointer.cpp:134:13:134:13 | call to operator-> |  |
 | smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 |  |
 | smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:136:18:136:19 | p2 [inner post update] |  |
+| smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:136:18:136:19 | ref arg p2 | TAINT |
 | smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | p2 |  |
 | smart_pointer.cpp:136:18:136:19 | p2 | smart_pointer.cpp:136:17:136:17 | call to operator* | TAINT |
 | smart_pointer.cpp:136:18:136:19 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 |  |
@@ -3437,6 +3447,7 @@
 | smart_pointer.cpp:137:9:137:9 | call to operator* | smart_pointer.cpp:137:8:137:8 | call to operator* | TAINT |
 | smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 |  |
 | smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] |  |
+| smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | ref arg p2 | TAINT |
 | smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:8:137:8 | call to operator* |  |
 | smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:9:137:9 | call to operator* | TAINT |
 | smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 |  |
@@ -3532,13 +3543,13 @@
 | standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:120:2:120:3 | it |  |
 | standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:121:7:121:8 | it |  |
 | standalone_iterators.cpp:117:7:117:8 | it [post update] | standalone_iterators.cpp:122:7:122:8 | c1 |  |
-| standalone_iterators.cpp:118:2:118:3 | it | standalone_iterators.cpp:118:5:118:5 | call to operator+= |  |
+| standalone_iterators.cpp:118:2:118:3 | it | standalone_iterators.cpp:118:5:118:5 | call to operator+= | TAINT |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:119:7:119:8 | it |  |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:120:2:120:3 | it |  |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it |  |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:122:7:122:8 | c1 |  |
 | standalone_iterators.cpp:118:8:118:8 | 1 | standalone_iterators.cpp:118:2:118:3 | ref arg it | TAINT |
-| standalone_iterators.cpp:120:2:120:3 | it | standalone_iterators.cpp:120:5:120:5 | call to operator+= |  |
+| standalone_iterators.cpp:120:2:120:3 | it | standalone_iterators.cpp:120:5:120:5 | call to operator+= | TAINT |
 | standalone_iterators.cpp:120:2:120:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it |  |
 | standalone_iterators.cpp:120:8:120:13 | call to source | standalone_iterators.cpp:120:2:120:3 | ref arg it | TAINT |
 | stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
@@ -3655,12 +3666,12 @@
 | stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
 | stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
 | stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
 | stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
 | stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
 | stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
@@ -3673,12 +3684,12 @@
 | stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
 | stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
 | stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
 | string.cpp:25:12:25:17 | call to source | string.cpp:29:7:29:7 | a |  |
 | string.cpp:26:16:26:20 | 123 | string.cpp:26:16:26:21 | call to basic_string | TAINT |
 | string.cpp:26:16:26:21 | call to basic_string | string.cpp:30:7:30:7 | b |  |
@@ -4231,13 +4242,13 @@
 | string.cpp:407:9:407:10 | i6 | string.cpp:407:8:407:8 | call to operator* | TAINT |
 | string.cpp:408:8:408:9 | i2 | string.cpp:408:3:408:9 | ... = ... |  |
 | string.cpp:408:8:408:9 | i2 | string.cpp:409:10:409:11 | i7 |  |
-| string.cpp:409:10:409:11 | i7 | string.cpp:409:12:409:12 | call to operator+= |  |
+| string.cpp:409:10:409:11 | i7 | string.cpp:409:12:409:12 | call to operator+= | TAINT |
 | string.cpp:409:12:409:12 | call to operator+= | string.cpp:409:8:409:8 | call to operator* | TAINT |
 | string.cpp:409:12:409:12 | ref arg call to operator+= | string.cpp:409:10:409:11 | ref arg i7 | TAINT |
 | string.cpp:409:14:409:14 | 1 | string.cpp:409:10:409:11 | ref arg i7 | TAINT |
 | string.cpp:410:8:410:9 | i2 | string.cpp:410:3:410:9 | ... = ... |  |
 | string.cpp:410:8:410:9 | i2 | string.cpp:411:10:411:11 | i8 |  |
-| string.cpp:411:10:411:11 | i8 | string.cpp:411:12:411:12 | call to operator-= |  |
+| string.cpp:411:10:411:11 | i8 | string.cpp:411:12:411:12 | call to operator-= | TAINT |
 | string.cpp:411:12:411:12 | call to operator-= | string.cpp:411:8:411:8 | call to operator* | TAINT |
 | string.cpp:411:12:411:12 | ref arg call to operator-= | string.cpp:411:10:411:11 | ref arg i8 | TAINT |
 | string.cpp:411:14:411:14 | 1 | string.cpp:411:10:411:11 | ref arg i8 | TAINT |
@@ -4652,7 +4663,7 @@
 | stringstream.cpp:33:7:33:9 | ref arg ss3 | stringstream.cpp:39:7:39:9 | ss3 |  |
 | stringstream.cpp:33:7:33:9 | ref arg ss3 | stringstream.cpp:44:7:44:9 | ss3 |  |
 | stringstream.cpp:33:7:33:9 | ss3 | stringstream.cpp:33:11:33:11 | call to operator<< |  |
-| stringstream.cpp:33:11:33:11 | call to operator<< | stringstream.cpp:33:20:33:20 | call to operator<< |  |
+| stringstream.cpp:33:11:33:11 | call to operator<< | stringstream.cpp:33:20:33:20 | call to operator<< | TAINT |
 | stringstream.cpp:33:11:33:11 | ref arg call to operator<< | stringstream.cpp:33:7:33:9 | ref arg ss3 | TAINT |
 | stringstream.cpp:33:14:33:18 | 123 | stringstream.cpp:33:7:33:9 | ref arg ss3 | TAINT |
 | stringstream.cpp:33:14:33:18 | 123 | stringstream.cpp:33:11:33:11 | call to operator<< | TAINT |
@@ -4661,7 +4672,7 @@
 | stringstream.cpp:34:7:34:9 | ref arg ss4 | stringstream.cpp:40:7:40:9 | ss4 |  |
 | stringstream.cpp:34:7:34:9 | ref arg ss4 | stringstream.cpp:45:7:45:9 | ss4 |  |
 | stringstream.cpp:34:7:34:9 | ss4 | stringstream.cpp:34:11:34:11 | call to operator<< |  |
-| stringstream.cpp:34:11:34:11 | call to operator<< | stringstream.cpp:34:23:34:23 | call to operator<< |  |
+| stringstream.cpp:34:11:34:11 | call to operator<< | stringstream.cpp:34:23:34:23 | call to operator<< | TAINT |
 | stringstream.cpp:34:11:34:11 | ref arg call to operator<< | stringstream.cpp:34:7:34:9 | ref arg ss4 | TAINT |
 | stringstream.cpp:34:14:34:19 | call to source | stringstream.cpp:34:7:34:9 | ref arg ss4 | TAINT |
 | stringstream.cpp:34:14:34:19 | call to source | stringstream.cpp:34:11:34:11 | call to operator<< | TAINT |
@@ -4942,7 +4953,7 @@
 | stringstream.cpp:147:7:147:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
 | stringstream.cpp:147:7:147:9 | ss2 | stringstream.cpp:147:11:147:11 | call to operator>> |  |
 | stringstream.cpp:147:7:147:9 | ss2 | stringstream.cpp:147:14:147:15 | ref arg s3 | TAINT |
-| stringstream.cpp:147:11:147:11 | call to operator>> | stringstream.cpp:147:17:147:17 | call to operator>> |  |
+| stringstream.cpp:147:11:147:11 | call to operator>> | stringstream.cpp:147:17:147:17 | call to operator>> | TAINT |
 | stringstream.cpp:147:11:147:11 | call to operator>> | stringstream.cpp:147:20:147:21 | ref arg s4 | TAINT |
 | stringstream.cpp:147:11:147:11 | ref arg call to operator>> | stringstream.cpp:147:7:147:9 | ref arg ss2 | TAINT |
 | stringstream.cpp:147:14:147:15 | ref arg s3 | stringstream.cpp:150:7:150:8 | s3 |  |
@@ -4974,7 +4985,7 @@
 | stringstream.cpp:155:7:155:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
 | stringstream.cpp:155:7:155:9 | ss2 | stringstream.cpp:155:11:155:11 | call to operator>> |  |
 | stringstream.cpp:155:7:155:9 | ss2 | stringstream.cpp:155:14:155:15 | ref arg b3 | TAINT |
-| stringstream.cpp:155:11:155:11 | call to operator>> | stringstream.cpp:155:17:155:17 | call to operator>> |  |
+| stringstream.cpp:155:11:155:11 | call to operator>> | stringstream.cpp:155:17:155:17 | call to operator>> | TAINT |
 | stringstream.cpp:155:11:155:11 | call to operator>> | stringstream.cpp:155:20:155:21 | ref arg b4 | TAINT |
 | stringstream.cpp:155:11:155:11 | ref arg call to operator>> | stringstream.cpp:155:7:155:9 | ref arg ss2 | TAINT |
 | stringstream.cpp:155:14:155:15 | ref arg b3 | stringstream.cpp:158:7:158:8 | b3 |  |
@@ -5296,7 +5307,7 @@
 | stringstream.cpp:245:15:245:17 | ss1 | stringstream.cpp:245:7:245:13 | call to getline |  |
 | stringstream.cpp:245:15:245:17 | ss1 | stringstream.cpp:245:20:245:21 | ref arg s6 | TAINT |
 | stringstream.cpp:245:20:245:21 | ref arg s6 | stringstream.cpp:248:7:248:8 | s6 |  |
-| stringstream.cpp:250:15:250:21 | call to getline | stringstream.cpp:250:7:250:13 | call to getline |  |
+| stringstream.cpp:250:15:250:21 | call to getline | stringstream.cpp:250:7:250:13 | call to getline | TAINT |
 | stringstream.cpp:250:15:250:21 | call to getline | stringstream.cpp:250:33:250:34 | ref arg s8 | TAINT |
 | stringstream.cpp:250:15:250:21 | ref arg call to getline | stringstream.cpp:250:23:250:25 | ref arg ss2 | TAINT |
 | stringstream.cpp:250:23:250:25 | ss2 | stringstream.cpp:250:15:250:21 | call to getline |  |
@@ -5500,7 +5511,7 @@
 | swap1.cpp:100:9:100:17 | ref arg call to move | swap1.cpp:103:10:103:10 | x |  |
 | swap1.cpp:100:19:100:19 | x | swap1.cpp:100:5:100:5 | ref arg y | TAINT |
 | swap1.cpp:100:19:100:19 | x | swap1.cpp:100:7:100:7 | call to operator= | TAINT |
-| swap1.cpp:100:19:100:19 | x | swap1.cpp:100:9:100:17 | call to move |  |
+| swap1.cpp:100:19:100:19 | x | swap1.cpp:100:9:100:17 | call to move | TAINT |
 | swap1.cpp:108:23:108:31 | move_from | swap1.cpp:109:5:109:13 | move_from |  |
 | swap1.cpp:108:23:108:31 | move_from | swap1.cpp:111:10:111:18 | move_from |  |
 | swap1.cpp:108:23:108:31 | move_from | swap1.cpp:113:41:113:49 | move_from |  |
@@ -5513,7 +5524,7 @@
 | swap1.cpp:113:31:113:39 | call to move | swap1.cpp:113:31:113:51 | call to Class | TAINT |
 | swap1.cpp:113:31:113:39 | ref arg call to move | swap1.cpp:113:41:113:49 | move_from [inner post update] |  |
 | swap1.cpp:113:31:113:51 | call to Class | swap1.cpp:115:10:115:16 | move_to |  |
-| swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:39 | call to move |  |
+| swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:39 | call to move | TAINT |
 | swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:51 | call to Class |  |
 | swap1.cpp:120:23:120:23 | x | swap1.cpp:122:5:122:5 | x |  |
 | swap1.cpp:120:23:120:23 | x | swap1.cpp:124:10:124:10 | x |  |
@@ -5547,7 +5558,7 @@
 | swap1.cpp:142:5:142:5 | ref arg y | swap1.cpp:144:10:144:10 | y |  |
 | swap1.cpp:142:19:142:27 | ref arg call to move | swap1.cpp:142:29:142:29 | x [inner post update] |  |
 | swap1.cpp:142:19:142:27 | ref arg call to move | swap1.cpp:145:10:145:10 | x |  |
-| swap1.cpp:142:29:142:29 | x | swap1.cpp:142:19:142:27 | call to move |  |
+| swap1.cpp:142:29:142:29 | x | swap1.cpp:142:19:142:27 | call to move | TAINT |
 | swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t |  |
 | swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t |  |
 | swap2.cpp:14:17:14:17 | t | swap2.cpp:14:56:14:56 | t |  |
@@ -5679,7 +5690,7 @@
 | swap2.cpp:100:9:100:17 | ref arg call to move | swap2.cpp:103:10:103:10 | x |  |
 | swap2.cpp:100:19:100:19 | x | swap2.cpp:100:5:100:5 | ref arg y | TAINT |
 | swap2.cpp:100:19:100:19 | x | swap2.cpp:100:7:100:7 | call to operator= | TAINT |
-| swap2.cpp:100:19:100:19 | x | swap2.cpp:100:9:100:17 | call to move |  |
+| swap2.cpp:100:19:100:19 | x | swap2.cpp:100:9:100:17 | call to move | TAINT |
 | swap2.cpp:108:23:108:31 | move_from | swap2.cpp:109:5:109:13 | move_from |  |
 | swap2.cpp:108:23:108:31 | move_from | swap2.cpp:111:10:111:18 | move_from |  |
 | swap2.cpp:108:23:108:31 | move_from | swap2.cpp:113:41:113:49 | move_from |  |
@@ -5692,7 +5703,7 @@
 | swap2.cpp:113:31:113:39 | call to move | swap2.cpp:113:31:113:51 | call to Class | TAINT |
 | swap2.cpp:113:31:113:39 | ref arg call to move | swap2.cpp:113:41:113:49 | move_from [inner post update] |  |
 | swap2.cpp:113:31:113:51 | call to Class | swap2.cpp:115:10:115:16 | move_to |  |
-| swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:39 | call to move |  |
+| swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:39 | call to move | TAINT |
 | swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:51 | call to Class |  |
 | swap2.cpp:120:23:120:23 | x | swap2.cpp:122:5:122:5 | x |  |
 | swap2.cpp:120:23:120:23 | x | swap2.cpp:124:10:124:10 | x |  |
@@ -5726,7 +5737,7 @@
 | swap2.cpp:142:5:142:5 | ref arg y | swap2.cpp:144:10:144:10 | y |  |
 | swap2.cpp:142:19:142:27 | ref arg call to move | swap2.cpp:142:29:142:29 | x [inner post update] |  |
 | swap2.cpp:142:19:142:27 | ref arg call to move | swap2.cpp:145:10:145:10 | x |  |
-| swap2.cpp:142:29:142:29 | x | swap2.cpp:142:19:142:27 | call to move |  |
+| swap2.cpp:142:29:142:29 | x | swap2.cpp:142:19:142:27 | call to move | TAINT |
 | taint.cpp:4:27:4:33 | source1 | taint.cpp:6:13:6:19 | source1 |  |
 | taint.cpp:4:40:4:45 | clean1 | taint.cpp:5:8:5:13 | clean1 |  |
 | taint.cpp:4:40:4:45 | clean1 | taint.cpp:6:3:6:8 | clean1 |  |
@@ -7950,7 +7961,7 @@
 | vector.cpp:527:9:527:10 | ref arg it | vector.cpp:529:9:529:10 | it |  |
 | vector.cpp:527:9:527:10 | ref arg it | vector.cpp:530:3:530:4 | it |  |
 | vector.cpp:527:9:527:10 | ref arg it | vector.cpp:531:9:531:10 | it |  |
-| vector.cpp:528:3:528:4 | it | vector.cpp:528:6:528:6 | call to operator+= |  |
+| vector.cpp:528:3:528:4 | it | vector.cpp:528:6:528:6 | call to operator+= | TAINT |
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:529:9:529:10 | it |  |
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:530:3:530:4 | it |  |
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:531:9:531:10 | it |  |
@@ -7958,7 +7969,7 @@
 | vector.cpp:529:9:529:10 | it | vector.cpp:529:8:529:8 | call to operator* | TAINT |
 | vector.cpp:529:9:529:10 | ref arg it | vector.cpp:530:3:530:4 | it |  |
 | vector.cpp:529:9:529:10 | ref arg it | vector.cpp:531:9:531:10 | it |  |
-| vector.cpp:530:3:530:4 | it | vector.cpp:530:6:530:6 | call to operator+= |  |
+| vector.cpp:530:3:530:4 | it | vector.cpp:530:6:530:6 | call to operator+= | TAINT |
 | vector.cpp:530:3:530:4 | ref arg it | vector.cpp:531:9:531:10 | it |  |
 | vector.cpp:530:9:530:14 | call to source | vector.cpp:530:3:530:4 | ref arg it | TAINT |
 | vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -9,7 +9,7 @@ template<typename T> void sink(std::unique_ptr<T>&);

 void test_make_shared() {
    std::shared_ptr<int> p = std::make_shared<int>(source());
-    sink(*p); // $ ast MISSING: ir
+    sink(*p); // $ ast,ir
    sink(p); // $ ast,ir
 }

@@ -21,7 +21,7 @@ void test_make_shared_array() {

 void test_make_unique() {
    std::unique_ptr<int> p = std::make_unique<int>(source());
-    sink(*p); // $ ast MISSING: ir
+    sink(*p); // $ ast,ir
    sink(p); // $ ast,ir
 }

@@ -101,7 +101,7 @@ void taint_x(A* pa) {
 void reverse_taint_smart_pointer() {
  std::unique_ptr<A> p = std::unique_ptr<A>(new A);
  taint_x(p.get());
-  sink(p->x); // $ ast MISSING: ir
+  sink(p->x); // $ ast,ir
 }

 struct C {
--- a/cpp/ql/test/library-tests/ir/points_to/points_to.ql
+++ b/cpp/ql/test/library-tests/ir/points_to/points_to.ql
@@ -5,7 +5,16 @@ private import semmle.code.cpp.ir.internal.IntegerConstant as Ints
 private predicate ignoreAllocation(string name) {
  name = "i" or
  name = "p" or
-  name = "q"
+  name = "q" or
+  name = "s" or
+  name = "t" or
+  name = "?{AllAliased}"
+}
+
+private predicate ignoreFile(File file) {
+  // Ignore standard headers.
+  file.getBaseName() = ["memory.h", "type_traits.h", "utility.h"] or
+  not file.fromSource()
 }

 module Raw {
@@ -29,7 +38,8 @@ module Raw {
        not ignoreAllocation(memLocation.getAllocation().getAllocationString()) and
        value = memLocation.toString() and
        element = instr.toString() and
-        location = instr.getLocation()
+        location = instr.getLocation() and
+        not ignoreFile(location.getFile())
      )
    }
  }
@@ -52,13 +62,14 @@ module UnaliasedSSA {
    override predicate hasActualResult(Location location, string element, string tag, string value) {
      exists(Instruction instr, MemoryLocation memLocation |
        memLocation = getAMemoryAccess(instr) and
-        not memLocation instanceof AliasedVirtualVariable and
+        not memLocation.getVirtualVariable() instanceof AliasedVirtualVariable and
        not memLocation instanceof AllNonLocalMemory and
        tag = "ussa" and
        not ignoreAllocation(memLocation.getAllocation().getAllocationString()) and
        value = memLocation.toString() and
        element = instr.toString() and
-        location = instr.getLocation()
+        location = instr.getLocation() and
+        not ignoreFile(location.getFile())
      )
    }
  }
--- a/cpp/ql/test/library-tests/ir/points_to/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/ir/points_to/smart_pointer.cpp
@@ -0,0 +1,33 @@
+#include "../../../include/memory.h"
+#include "../../../include/utility.h"
+
+using std::shared_ptr;
+using std::unique_ptr;
+
+struct S {
+    int x;
+};
+
+void unique_ptr_init(S s) {
+    unique_ptr<S> p(new S); //$ussa=dynamic{1}
+    int i = (*p).x; //$ussa=dynamic{1}[0..4)<int>
+    *p = s;  //$ussa=dynamic{1}[0..4)<S>
+    unique_ptr<S> q = std::move(p);
+    *(q.get()) = s;  //$ussa=dynamic{1}[0..4)<S>
+    shared_ptr<S> t(std::move(q));
+    t->x = 5; //$ussa=dynamic{1}[0..4)<int>
+    *t = s; //$ussa=dynamic{1}[0..4)<S>
+    *(t.get()) = s; //$ussa=dynamic{1}[0..4)<S>
+}
+
+void shared_ptr_init(S s) {
+    shared_ptr<S> p(new S); //$ussa=dynamic{1}
+    int i = (*p).x; //$ussa=dynamic{1}[0..4)<int>
+    *p = s;  //$ussa=dynamic{1}[0..4)<S>
+    shared_ptr<S> q = std::move(p);
+    *(q.get()) = s;  //$ussa=dynamic{1}[0..4)<S>
+    shared_ptr<S> t(q);
+    t->x = 5; //$ussa=dynamic{1}[0..4)<int>
+    *t = s; //$ussa=dynamic{1}[0..4)<S>
+    *(t.get()) = s; //$ussa=dynamic{1}[0..4)<S>
+}