Merge branch 'main' into wild-crest-ql

MODULE.bazel

@@ -21,7 +21,7 @@ bazel_dep(name = "rules_java", version = "9.6.1")
 bazel_dep(name = "rules_pkg", version = "1.2.0")
 bazel_dep(name = "rules_nodejs", version = "6.7.3")
 bazel_dep(name = "rules_python", version = "1.9.0")
-bazel_dep(name = "rules_shell", version = "0.6.1")
+bazel_dep(name = "rules_shell", version = "0.7.1")
 bazel_dep(name = "bazel_skylib", version = "1.9.0")
 bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")

cpp/ql/lib/change-notes/2026-03-24-field-init.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.

cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.

cpp/ql/lib/ext/ZMQ.model.yml

@@ -0,0 +1,22 @@
+# ZeroMQ networking library models
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "zmq_recv", "", "", "Argument[*1]", "remote", "manual"]
+      - ["", "", False, "zmq_recvmsg", "", "", "Argument[*1]", "remote", "manual"]
+      - ["", "", False, "zmq_msg_recv", "", "", "Argument[*0]", "remote", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
+      - ["", "", False, "zmq_send", "", "", "Argument[*1]", "remote-sink", "manual"]
+      - ["", "", False, "zmq_sendmsg", "", "", "Argument[*1]", "remote-sink", "manual"]
+      - ["", "", False, "zmq_msg_send", "", "", "Argument[*0]", "remote-sink", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "zmq_msg_init_data", "", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "zmq_msg_data", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]

cpp/ql/lib/ext/getc.model.yml

@@ -0,0 +1,19 @@
+# Models for getc and similar character-reading functions
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "getc", "", "", "ReturnValue", "remote", "manual"]
+      - ["", "", False, "getwc", "", "", "ReturnValue", "remote", "manual"]
+      - ["", "", False, "_getc_nolock", "", "", "ReturnValue", "remote", "manual"]
+      - ["", "", False, "_getwc_nolock", "", "", "ReturnValue", "remote", "manual"]
+      - ["", "", False, "getch", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getch", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getwch", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getch_nolock", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getwch_nolock", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "getchar", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "getwchar", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getchar_nolock", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getwchar_nolock", "", "", "ReturnValue", "local", "manual"]

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -1,9 +1,10 @@
 /**
  * INTERNAL use only. This is an experimental API subject to change without notice.
  *
- * Provides classes and predicates for dealing with flow models specified in CSV format.
+ * Provides classes and predicates for dealing with flow models specified
+ * in data extension files.
  *
- * The CSV specification has the following columns:
+ * The extensible relations have the following columns:
  * - Sources:
  *   `namespace; type; subtypes; name; signature; ext; output; kind`
  * - Sinks:
@@ -104,117 +105,9 @@ private import internal.FlowSummaryImpl::Private
 private import internal.FlowSummaryImpl::Private::External
 private import internal.ExternalFlowExtensions::Extensions as Extensions
 private import codeql.mad.ModelValidation as SharedModelVal
-private import codeql.util.Unit
 private import codeql.mad.static.ModelsAsData as SharedMaD
 
-/**
- * A unit class for adding additional source model rows.
- *
- * Extend this class to add additional source definitions.
- */
-class SourceModelCsv extends Unit {
-  /** Holds if `row` specifies a source definition. */
-  abstract predicate row(string row);
-}
-
-/**
- * A unit class for adding additional sink model rows.
- *
- * Extend this class to add additional sink definitions.
- */
-class SinkModelCsv extends Unit {
-  /** Holds if `row` specifies a sink definition. */
-  abstract predicate row(string row);
-}
-
-/**
- * A unit class for adding additional summary model rows.
- *
- * Extend this class to add additional flow summary definitions.
- */
-class SummaryModelCsv extends Unit {
-  /** Holds if `row` specifies a summary definition. */
-  abstract predicate row(string row);
-}
-
-/** Holds if `row` is a source model. */
-predicate sourceModel(string row) { any(SourceModelCsv s).row(row) }
-
-/** Holds if `row` is a sink model. */
-predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
-
-/** Holds if `row` is a summary model. */
-predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
-
 private module MadInput implements SharedMaD::InputSig {
-  /** Holds if a source model exists for the given parameters. */
-  predicate additionalSourceModel(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string output, string kind, string provenance, string model
-  ) {
-    exists(string row |
-      sourceModel(row) and
-      row.splitAt(";", 0) = namespace and
-      row.splitAt(";", 1) = type and
-      row.splitAt(";", 2) = subtypes.toString() and
-      subtypes = [true, false] and
-      row.splitAt(";", 3) = name and
-      row.splitAt(";", 4) = signature and
-      row.splitAt(";", 5) = ext and
-      row.splitAt(";", 6) = output and
-      row.splitAt(";", 7) = kind
-    ) and
-    provenance = "manual" and
-    model = ""
-  }
-
-  /** Holds if a sink model exists for the given parameters. */
-  predicate additionalSinkModel(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string input, string kind, string provenance, string model
-  ) {
-    exists(string row |
-      sinkModel(row) and
-      row.splitAt(";", 0) = namespace and
-      row.splitAt(";", 1) = type and
-      row.splitAt(";", 2) = subtypes.toString() and
-      subtypes = [true, false] and
-      row.splitAt(";", 3) = name and
-      row.splitAt(";", 4) = signature and
-      row.splitAt(";", 5) = ext and
-      row.splitAt(";", 6) = input and
-      row.splitAt(";", 7) = kind
-    ) and
-    provenance = "manual" and
-    model = ""
-  }
-
-  /**
-   * Holds if a summary model exists for the given parameters.
-   *
-   * This predicate does not expand `@` to `*`s.
-   */
-  predicate additionalSummaryModel(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string input, string output, string kind, string provenance, string model
-  ) {
-    exists(string row |
-      summaryModel(row) and
-      row.splitAt(";", 0) = namespace and
-      row.splitAt(";", 1) = type and
-      row.splitAt(";", 2) = subtypes.toString() and
-      subtypes = [true, false] and
-      row.splitAt(";", 3) = name and
-      row.splitAt(";", 4) = signature and
-      row.splitAt(";", 5) = ext and
-      row.splitAt(";", 6) = input and
-      row.splitAt(";", 7) = output and
-      row.splitAt(";", 8) = kind
-    ) and
-    provenance = "manual" and
-    model = ""
-  }
-
   string namespaceSegmentSeparator() { result = "::" }
 }
 
@@ -250,8 +143,8 @@ predicate summaryModel(
   )
 }
 
-/** Provides a query predicate to check the CSV data for validation errors. */
-module CsvValidation {
+/** Provides a query predicate to check the data for validation errors. */
+module ModelValidation {
   private string getInvalidModelInput() {
     exists(string pred, AccessPath input, string part |
       sinkModel(_, _, _, _, _, _, input, _, _, _) and pred = "sink"
@@ -294,40 +187,6 @@ module CsvValidation {
 
   private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
 
-  private string getInvalidModelSubtype() {
-    exists(string pred, string row |
-      sourceModel(row) and pred = "source"
-      or
-      sinkModel(row) and pred = "sink"
-      or
-      summaryModel(row) and pred = "summary"
-    |
-      exists(string b |
-        b = row.splitAt(";", 2) and
-        not b = ["true", "false"] and
-        result = "Invalid boolean \"" + b + "\" in " + pred + " model."
-      )
-    )
-  }
-
-  private string getInvalidModelColumnCount() {
-    exists(string pred, string row, int expect |
-      sourceModel(row) and expect = 8 and pred = "source"
-      or
-      sinkModel(row) and expect = 8 and pred = "sink"
-      or
-      summaryModel(row) and expect = 9 and pred = "summary"
-    |
-      exists(int cols |
-        cols = 1 + max(int n | exists(row.splitAt(";", n))) and
-        cols != expect and
-        result =
-          "Wrong number of columns in " + pred + " model row, expected " + expect + ", got " + cols +
-            "."
-      )
-    )
-  }
-
   private string getInvalidModelSignature() {
     exists(string pred, string namespace, string type, string name, string signature, string ext |
       sourceModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "source"
@@ -366,13 +225,12 @@ module CsvValidation {
     )
   }
 
-  /** Holds if some row in a CSV-based flow model appears to contain typos. */
+  /** Holds if some row in a MaD flow model appears to contain typos. */
   query predicate invalidModelRow(string msg) {
     msg =
       [
         getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
-        getInvalidModelSubtype(), getInvalidModelColumnCount(), KindVal::getInvalidModelKind(),
-        getIncorrectConstructorSummaryOutput()
+        KindVal::getInvalidModelKind(), getIncorrectConstructorSummaryOutput()
       ]
   }
 }
@@ -1026,7 +884,7 @@ private module Cached {
   }
 
   /**
-   * Holds if `node` is specified as a source with the given kind in a CSV flow
+   * Holds if `node` is specified as a source with the given kind in a MaD flow
    * model.
    */
   cached
@@ -1037,7 +895,7 @@ private module Cached {
   }
 
   /**
-   * Holds if `node` is specified as a sink with the given kind in a CSV flow
+   * Holds if `node` is specified as a sink with the given kind in a MaD flow
    * model.
    */
   cached

cpp/ql/lib/semmle/code/cpp/exprs/Call.qll

@@ -585,12 +585,15 @@ class ConstructorDelegationInit extends ConstructorBaseInit, @ctordelegatinginit
 
 /**
  * An initialization of a member variable performed as part of a
- * constructor's explicit initializer list or implicit actions.
+ * constructor's initializer list or by default initialization.
+ *
  * In the example below, member variable `b` is being initialized by
- * constructor parameter `a`:
+ * constructor parameter `a`, and `c` is initialized by default
+ * initialization:
  * ```
  * struct S {
  *   int b;
+ *   int c = 3;
  *   S(int a): b(a) {}
  * } s(2);
  * ```
@@ -616,6 +619,28 @@ class ConstructorFieldInit extends ConstructorInit, @ctorfieldinit {
   override predicate mayBeGloballyImpure() { this.getExpr().mayBeGloballyImpure() }
 }
 
+/**
+ * An initialization of a member variable performed as part of a
+ * constructor's explicit initializer list.
+ */
+class ConstructorDirectFieldInit extends ConstructorFieldInit {
+  ConstructorDirectFieldInit() { exists(this.getChild(0)) }
+
+  override string getAPrimaryQlClass() { result = "ConstructorDirectFieldInit" }
+}
+
+/**
+ * An initialization of a member variable performed by default
+ * initialization.
+ */
+class ConstructorDefaultFieldInit extends ConstructorFieldInit {
+  ConstructorDefaultFieldInit() {
+    not exists(this.getChild(0)) and exists(this.getTarget().getInitializer())
+  }
+
+  override string getAPrimaryQlClass() { result = "ConstructorDefaultFieldInit" }
+}
+
 /**
  * A call to a destructor of a base class or field as part of a destructor's
  * compiler-generated actions.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -238,7 +238,12 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
 
   private import TypeTracking<Location, TtInput>::TypeTrack<qualifierSource/1>::Graph<qualifierOfVirtualCall/1>
 
-  private predicate edgePlus(PathNode n1, PathNode n2) = fastTC(edges/2)(n1, n2)
+  private predicate isSource(PathNode n) { n.isSource() }
+
+  private predicate isSink(PathNode n) { n.isSink() }
+
+  private predicate edgePlus(PathNode n1, PathNode n2) =
+    doublyBoundedFastTC(edges/2, isSource/1, isSink/1)(n1, n2)
 
   /**
    * Gets the most specific implementation of `mf` that may be called when the
@@ -255,6 +260,15 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
     )
   }
 
+  pragma[nomagic]
+  private MemberFunction mostSpecificForSource(PathNode p1, MemberFunction mf) {
+    p1.isSource() and
+    exists(Class derived |
+      qualifierSourceImpl(p1.getNode(), derived) and
+      result = mostSpecific(mf, derived)
+    )
+  }
+
   /**
    * Gets a possible pair of end-points `(p1, p2)` where:
    * - `p1` is a derived-to-base conversion that converts from some
@@ -264,16 +278,16 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
    * - `callable` is the most specific implementation that may be called when
    * the qualifier has type `derived`.
    */
+  bindingset[p1, p2]
+  pragma[inline_late]
   private predicate pairCand(
     PathNode p1, PathNode p2, DataFlowPrivate::DataFlowCallable callable,
     DataFlowPrivate::DataFlowCall call
   ) {
-    exists(Class derived, MemberFunction mf |
-      qualifierSourceImpl(p1.getNode(), derived) and
+    p2.isSink() and
+    exists(MemberFunction mf |
       qualifierOfVirtualCallImpl(p2.getNode(), call.asCallInstruction(), mf) and
-      p1.isSource() and
-      p2.isSink() and
-      callable.asSourceCallable() = mostSpecific(mf, derived)
+      callable.asSourceCallable() = mostSpecificForSource(p1, mf)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll

@@ -878,7 +878,11 @@ module Public {
 
     /** Gets the parameter through which this value is assigned. */
     Parameter getParameter() {
-      result = this.getCallInstruction().getStaticCallTarget().getParameter(this.getArgumentIndex())
+      result =
+        this.getCallInstruction()
+            .getStaticCallTarget()
+            .(Function)
+            .getParameter(this.getArgumentIndex())
     }
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll

@@ -175,7 +175,8 @@ private class PointerWrapperTypeIndirection extends Indirection instanceof Point
   override predicate isAdditionalDereference(Instruction deref, Operand address) {
     exists(CallInstruction call |
       operandForFullyConvertedCall(getAUse(deref), call) and
-      this = call.getStaticCallTarget().getClassAndName(["operator*", "operator->", "get"]) and
+      this =
+        call.getStaticCallTarget().(Function).getClassAndName(["operator*", "operator->", "get"]) and
       address = call.getThisArgumentOperand()
     )
   }
@@ -194,7 +195,7 @@ private module IteratorIndirections {
 
     override predicate isAdditionalWrite(Node0Impl value, Operand address, boolean certain) {
       exists(CallInstruction call | call.getArgumentOperand(0) = value.asOperand() |
-        this = call.getStaticCallTarget().getClassAndName("operator=") and
+        this = call.getStaticCallTarget().(Function).getClassAndName("operator=") and
         address = call.getThisArgumentOperand() and
         certain = false
       )

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -495,7 +495,7 @@ class FieldInstruction extends Instruction {
  * `FunctionAddress` instruction.
  */
 class FunctionInstruction extends Instruction {
-  Language::Function funcSymbol;
+  Language::Declaration funcSymbol;
 
   FunctionInstruction() { funcSymbol = Raw::getInstructionFunction(this) }
 
@@ -504,7 +504,7 @@ class FunctionInstruction extends Instruction {
   /**
    * Gets the function that this instruction references.
    */
-  final Language::Function getFunctionSymbol() { result = funcSymbol }
+  final Language::Declaration getFunctionSymbol() { result = funcSymbol }
 }
 
 /**
@@ -1678,7 +1678,7 @@ class CallInstruction extends Instruction {
   /**
    * Gets the `Function` that the call targets, if this is statically known.
    */
-  final Language::Function getStaticCallTarget() {
+  final Language::Declaration getStaticCallTarget() {
     result = this.getCallTarget().(FunctionAddressInstruction).getFunctionSymbol()
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -495,7 +495,7 @@ class FieldInstruction extends Instruction {
  * `FunctionAddress` instruction.
  */
 class FunctionInstruction extends Instruction {
-  Language::Function funcSymbol;
+  Language::Declaration funcSymbol;
 
   FunctionInstruction() { funcSymbol = Raw::getInstructionFunction(this) }
 
@@ -504,7 +504,7 @@ class FunctionInstruction extends Instruction {
   /**
    * Gets the function that this instruction references.
    */
-  final Language::Function getFunctionSymbol() { result = funcSymbol }
+  final Language::Declaration getFunctionSymbol() { result = funcSymbol }
 }
 
 /**
@@ -1678,7 +1678,7 @@ class CallInstruction extends Instruction {
   /**
    * Gets the `Function` that the call targets, if this is statically known.
    */
-  final Language::Function getStaticCallTarget() {
+  final Language::Declaration getStaticCallTarget() {
     result = this.getCallTarget().(FunctionAddressInstruction).getFunctionSymbol()
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -15,6 +15,7 @@ private import TranslatedCall
 private import TranslatedStmt
 private import TranslatedFunction
 private import TranslatedGlobalVar
+private import TranslatedNonStaticDataMember
 private import TranslatedInitialization
 
 TranslatedElement getInstructionTranslatedElement(Instruction instruction) {
@@ -45,6 +46,9 @@ module Raw {
       or
       not var.isFromUninstantiatedTemplate(_) and
       var instanceof StaticInitializedStaticLocalVariable
+      or
+      not var.isFromUninstantiatedTemplate(_) and
+      var instanceof Field
     ) and
     var.hasInitializer() and
     (
@@ -64,6 +68,8 @@ module Raw {
     getTranslatedFunction(decl).hasUserVariable(var, type)
     or
     getTranslatedVarInit(decl).hasUserVariable(var, type)
+    or
+    getTranslatedFieldInit(decl).hasUserVariable(var, type)
   }
 
   cached
@@ -110,7 +116,7 @@ module Raw {
   }
 
   cached
-  Function getInstructionFunction(Instruction instruction) {
+  Declaration getInstructionFunction(Instruction instruction) {
     result =
       getInstructionTranslatedElement(instruction)
           .getInstructionFunction(getInstructionTag(instruction))

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -130,27 +130,31 @@ private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buff
 }
 
 /**
- * A `Call` or `NewOrNewArrayExpr` or `DeleteOrDeleteArrayExpr`.
+ * An expression that can have call side effects.
  *
- * All kinds of expression invoke a function as part of their evaluation. This class provides a
- * way to treat both kinds of function similarly, and to get the invoked `Function`.
+ * All kinds of expressions invoke a function as part of their evaluation. This class provides a
+ * way to treat those expressions similarly, and to get the invoked `Declaration`.
  */
-class CallOrAllocationExpr extends Expr {
-  CallOrAllocationExpr() {
+class ExprWithCallSideEffects extends Expr {
+  ExprWithCallSideEffects() {
     this instanceof Call
     or
     this instanceof NewOrNewArrayExpr
     or
     this instanceof DeleteOrDeleteArrayExpr
+    or
+    this instanceof ConstructorDefaultFieldInit
   }
 
-  /** Gets the `Function` invoked by this expression, if known. */
-  final Function getTarget() {
+  /** Gets the `Declaration` invoked by this expression, if known. */
+  final Declaration getTarget() {
     result = this.(Call).getTarget()
     or
     result = this.(NewOrNewArrayExpr).getAllocator()
     or
     result = this.(DeleteOrDeleteArrayExpr).getDeallocator()
+    or
+    result = this.(ConstructorDefaultFieldInit).getTarget()
   }
 }
 
@@ -158,7 +162,7 @@ class CallOrAllocationExpr extends Expr {
  * Returns the side effect opcode, if any, that represents any side effects not specifically modeled
  * by an argument side effect.
  */
-Opcode getCallSideEffectOpcode(CallOrAllocationExpr expr) {
+Opcode getCallSideEffectOpcode(ExprWithCallSideEffects expr) {
   not exists(expr.getTarget().(SideEffectFunction)) and result instanceof Opcode::CallSideEffect
   or
   exists(SideEffectFunction sideEffectFunction |
@@ -175,7 +179,7 @@ Opcode getCallSideEffectOpcode(CallOrAllocationExpr expr) {
 /**
  * Returns a side effect opcode for parameter index `i` of the specified call.
  *
- * This predicate will return at most two results: one read side effect, and one write side effect.
+ * This predicate will yield at most two results: one read side effect, and one write side effect.
  */
 Opcode getASideEffectOpcode(Call call, ParameterIndex i) {
   exists(boolean buffer |
@@ -228,3 +232,14 @@ Opcode getASideEffectOpcode(Call call, ParameterIndex i) {
     )
   )
 }
+
+/**
+ * Returns a side effect opcode for a default field initialization.
+ *
+ * This predicate will yield two results: one read side effect, and one write side effect.
+ */
+Opcode getDefaultFieldInitSideEffectOpcode() {
+  result instanceof Opcode::IndirectReadSideEffect
+  or
+  result instanceof Opcode::IndirectMayWriteSideEffect
+}

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -10,6 +10,7 @@ private import SideEffects
 private import TranslatedElement
 private import TranslatedExpr
 private import TranslatedFunction
+private import TranslatedInitialization
 private import DefaultOptions as DefaultOptions
 
 /**
@@ -348,7 +349,7 @@ class TranslatedExprCall extends TranslatedCallExpr {
 class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
   override FunctionCall expr;
 
-  override Function getInstructionFunction(InstructionTag tag) {
+  override Declaration getInstructionFunction(InstructionTag tag) {
     tag = CallTargetTag() and result = expr.getTarget()
   }
 
@@ -429,6 +430,9 @@ class TranslatedCallSideEffects extends TranslatedSideEffects, TTranslatedCallSi
     or
     expr instanceof DeleteOrDeleteArrayExpr and
     result = getTranslatedDeleteOrDeleteArray(expr).getInstruction(CallTag())
+    or
+    expr instanceof ConstructorDefaultFieldInit and
+    result = getTranslatedConstructorFieldInitialization(expr).getInstruction(CallTag())
   }
 }
 
@@ -504,11 +508,25 @@ abstract class TranslatedSideEffect extends TranslatedElement {
   abstract predicate sideEffectInstruction(Opcode opcode, CppType type);
 }
 
+private class CallOrDefaultFieldInit extends Expr {
+  CallOrDefaultFieldInit() {
+    this instanceof Call
+    or
+    this instanceof ConstructorDefaultFieldInit
+  }
+
+  Declaration getTarget() {
+    result = this.(Call).getTarget()
+    or
+    result = this.(ConstructorDefaultFieldInit).getTarget()
+  }
+}
+
 /**
  * The IR translation of a single argument side effect for a call.
  */
 abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
-  Call call;
+  CallOrDefaultFieldInit callOrInit;
   int index;
   SideEffectOpcode sideEffectOpcode;
 
@@ -524,7 +542,7 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
     result = "(read side effect for " + this.getArgString() + ")"
   }
 
-  override Call getPrimaryExpr() { result = call }
+  override Expr getPrimaryExpr() { result = callOrInit }
 
   override predicate sortOrder(int group, int indexInGroup) {
     indexInGroup = index and
@@ -586,9 +604,10 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
     tag instanceof OnlyInstructionTag and
     operandTag instanceof BufferSizeOperandTag and
     result =
-      getTranslatedExpr(call.getArgument(call.getTarget()
-              .(SideEffectFunction)
-              .getParameterSizeIndex(index)).getFullyConverted()).getResult()
+      getTranslatedExpr(callOrInit
+            .(Call)
+            .getArgument(callOrInit.getTarget().(SideEffectFunction).getParameterSizeIndex(index))
+            .getFullyConverted()).getResult()
   }
 
   /** Holds if this side effect is a write side effect, rather than a read side effect. */
@@ -616,7 +635,7 @@ class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect,
   Expr arg;
 
   TranslatedArgumentExprSideEffect() {
-    this = TTranslatedArgumentExprSideEffect(call, arg, index, sideEffectOpcode)
+    this = TTranslatedArgumentExprSideEffect(callOrInit, arg, index, sideEffectOpcode)
   }
 
   final override Locatable getAst() { result = arg }
@@ -640,28 +659,31 @@ class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect,
  * The IR translation of an argument side effect for `*this` on a call, where there is no `Expr`
  * object that represents the `this` argument.
  *
- * The applies only to constructor calls, as the AST has exploit qualifier `Expr`s for all other
- * calls to non-static member functions.
+ * This applies to constructor calls and default field initializations, as the AST has explicit
+ * qualifier `Expr`s for all other calls to non-static member functions.
  */
-class TranslatedStructorQualifierSideEffect extends TranslatedArgumentSideEffect,
-  TTranslatedStructorQualifierSideEffect
+class TranslatedImplicitThisQualifierSideEffect extends TranslatedArgumentSideEffect,
+  TTranslatedImplicitThisQualifierSideEffect
 {
-  TranslatedStructorQualifierSideEffect() {
-    this = TTranslatedStructorQualifierSideEffect(call, sideEffectOpcode) and
+  TranslatedImplicitThisQualifierSideEffect() {
+    this = TTranslatedImplicitThisQualifierSideEffect(callOrInit, sideEffectOpcode) and
     index = -1
   }
 
-  final override Locatable getAst() { result = call }
+  final override Locatable getAst() { result = callOrInit }
 
-  final override Type getIndirectionType() { result = call.getTarget().getDeclaringType() }
+  final override Type getIndirectionType() { result = callOrInit.getTarget().getDeclaringType() }
 
   final override string getArgString() { result = "this" }
 
   final override Instruction getArgInstruction() {
     exists(TranslatedStructorCall structorCall |
-      structorCall.getExpr() = call and
+      structorCall.getExpr() = callOrInit and
       result = structorCall.getQualifierResult()
     )
+    or
+    callOrInit instanceof ConstructorDefaultFieldInit and
+    result = getTranslatedFunction(callOrInit.getEnclosingFunction()).getLoadThisInstruction()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll

@@ -36,7 +36,8 @@ abstract class TranslatedCondition extends TranslatedElement {
   final override Declaration getFunction() {
     result = getEnclosingFunction(expr) or
     result = getEnclosingVariable(expr).(GlobalOrNamespaceVariable) or
-    result = getEnclosingVariable(expr).(StaticInitializedStaticLocalVariable)
+    result = getEnclosingVariable(expr).(StaticInitializedStaticLocalVariable) or
+    result = getEnclosingVariable(expr).(Field)
   }
 
   final Type getResultType() { result = expr.getUnspecifiedType() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll

@@ -34,8 +34,11 @@ abstract class TranslatedDeclarationEntry extends TranslatedElement, TTranslated
       or
       result = entry.getDeclaration().(GlobalOrNamespaceVariable)
       or
+      result = entry.getDeclaration().(Field)
+      or
       not entry.getDeclaration() instanceof StaticInitializedStaticLocalVariable and
       not entry.getDeclaration() instanceof GlobalOrNamespaceVariable and
+      not entry.getDeclaration() instanceof Field and
       result = stmt.getEnclosingFunction()
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -767,7 +767,7 @@ newtype TTranslatedElement =
       expr = initList.getFieldExpr(field, position).getFullyConverted()
     )
     or
-    exists(ConstructorFieldInit init |
+    exists(ConstructorDirectFieldInit init |
       not ignoreExpr(init) and
       ast = init and
       field = init.getTarget() and
@@ -775,6 +775,14 @@ newtype TTranslatedElement =
       position = -1
     )
   } or
+  // The initialization of a field via a default member initializer.
+  TTranslatedDefaultFieldInitialization(Expr ast, Field field) {
+    exists(ConstructorDefaultFieldInit init |
+      not ignoreExpr(init) and
+      ast = init and
+      field = init.getTarget()
+    )
+  } or
   // The value initialization of a field due to an omitted member of an
   // initializer list.
   TTranslatedFieldValueInitialization(Expr ast, Field field) {
@@ -871,7 +879,7 @@ newtype TTranslatedElement =
   // The declaration/initialization part of a `ConditionDeclExpr`
   TTranslatedConditionDecl(ConditionDeclExpr expr) { not ignoreExpr(expr) } or
   // The side effects of a `Call`
-  TTranslatedCallSideEffects(CallOrAllocationExpr expr) {
+  TTranslatedCallSideEffects(ExprWithCallSideEffects expr) {
     not ignoreExpr(expr) and
     not ignoreSideEffects(expr)
   } or
@@ -910,15 +918,23 @@ newtype TTranslatedElement =
   } or
   // Constructor calls lack a qualifier (`this`) expression, so we need to handle the side effects
   // on `*this` without an `Expr`.
-  TTranslatedStructorQualifierSideEffect(Call call, SideEffectOpcode opcode) {
+  TTranslatedImplicitThisQualifierSideEffect(ExprWithCallSideEffects call, SideEffectOpcode opcode) {
     not ignoreExpr(call) and
     not ignoreSideEffects(call) and
-    call instanceof ConstructorCall and
-    opcode = getASideEffectOpcode(call, -1)
+    (
+      call instanceof ConstructorCall and
+      opcode = getASideEffectOpcode(call, -1)
+      or
+      call instanceof ConstructorFieldInit and
+      opcode = getDefaultFieldInitSideEffectOpcode()
+    )
   } or
   // The side effect that initializes newly-allocated memory.
   TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) } or
-  TTranslatedStaticStorageDurationVarInit(Variable var) { Raw::varHasIRFunc(var) } or
+  TTranslatedStaticStorageDurationVarInit(Variable var) {
+    Raw::varHasIRFunc(var) and not var instanceof Field
+  } or
+  TTranslatedNonStaticDataMemberVarInit(Field var) { Raw::varHasIRFunc(var) } or
   TTranslatedAssertionOperand(MacroInvocation mi, int index) { hasAssertionOperand(mi, index) }
 
 /**
@@ -1179,7 +1195,7 @@ abstract class TranslatedElement extends TTranslatedElement {
    * If the instruction specified by `tag` is a `FunctionInstruction`, gets the
    * `Function` for that instruction.
    */
-  Function getInstructionFunction(InstructionTag tag) { none() }
+  Declaration getInstructionFunction(InstructionTag tag) { none() }
 
   /**
    * If the instruction specified by `tag` is a `VariableInstruction`, gets the
@@ -1297,5 +1313,7 @@ abstract class TranslatedRootElement extends TranslatedElement {
     this instanceof TTranslatedFunction
     or
     this instanceof TTranslatedStaticStorageDurationVarInit
+    or
+    this instanceof TTranslatedNonStaticDataMemberVarInit
   }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -14,6 +14,7 @@ private import TranslatedFunction
 private import TranslatedInitialization
 private import TranslatedStmt
 private import TranslatedGlobalVar
+private import TranslatedNonStaticDataMember
 private import IRConstruction
 import TranslatedCall
 
@@ -138,6 +139,8 @@ abstract class TranslatedExpr extends TranslatedElement {
     result = getTranslatedFunction(getEnclosingFunction(expr))
     or
     result = getTranslatedVarInit(getEnclosingVariable(expr))
+    or
+    result = getTranslatedFieldInit(getEnclosingVariable(expr))
   }
 }
 
@@ -153,7 +156,10 @@ Declaration getEnclosingDeclaration0(Expr e) {
     i.getExpr().getFullyConverted() = e and
     v = i.getDeclaration()
   |
-    if v instanceof StaticInitializedStaticLocalVariable or v instanceof GlobalOrNamespaceVariable
+    if
+      v instanceof StaticInitializedStaticLocalVariable or
+      v instanceof GlobalOrNamespaceVariable or
+      v instanceof Field
     then result = v
     else result = e.getEnclosingDeclaration()
   )
@@ -173,7 +179,10 @@ Variable getEnclosingVariable0(Expr e) {
     i.getExpr().getFullyConverted() = e and
     v = i.getDeclaration()
   |
-    if v instanceof StaticInitializedStaticLocalVariable or v instanceof GlobalOrNamespaceVariable
+    if
+      v instanceof StaticInitializedStaticLocalVariable or
+      v instanceof GlobalOrNamespaceVariable or
+      v instanceof Field
     then result = v
     else result = e.getEnclosingVariable()
   )
@@ -826,6 +835,46 @@ class TranslatedPostfixCrementOperation extends TranslatedCrementOperation {
   override Instruction getResult() { result = this.getLoadedOperand().getResult() }
 }
 
+class TranslatedParamAccessForType extends TranslatedNonConstantExpr {
+  override ParamAccessForType expr;
+
+  TranslatedParamAccessForType() {
+    // Currently only needed for this parameter accesses.
+    expr.isThisAccess()
+  }
+
+  final override Instruction getFirstInstruction(EdgeKind kind) {
+    result = this.getInstruction(OnlyInstructionTag()) and
+    kind instanceof GotoEdge
+  }
+
+  override Instruction getALastInstructionInternal() {
+    result = this.getInstruction(OnlyInstructionTag())
+  }
+
+  final override TranslatedElement getChildInternal(int id) { none() }
+
+  override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
+    tag = OnlyInstructionTag() and
+    result = this.getParent().getChildSuccessor(this, kind)
+  }
+
+  override Instruction getResult() { result = this.getInstruction(OnlyInstructionTag()) }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    tag = OnlyInstructionTag() and
+    opcode instanceof Opcode::CopyValue and
+    resultType = getTypeForPRValue(expr.getType())
+  }
+
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = OnlyInstructionTag() and
+    operandTag instanceof UnaryOperandTag and
+    result =
+      this.getEnclosingFunction().(TranslatedNonStaticDataMemberVarInit).getLoadThisInstruction()
+  }
+}
+
 /**
  * IR translation of an array access expression (e.g. `a[i]`). The array being accessed will either
  * be a prvalue of pointer type (possibly due to an implicit array-to-pointer conversion), or a
@@ -1215,7 +1264,7 @@ class TranslatedFunctionAccess extends TranslatedNonConstantExpr {
     resultType = this.getResultType()
   }
 
-  override Function getInstructionFunction(InstructionTag tag) {
+  override Declaration getInstructionFunction(InstructionTag tag) {
     tag = OnlyInstructionTag() and
     result = expr.getTarget()
   }
@@ -2498,7 +2547,7 @@ class TranslatedAllocatorCall extends TTranslatedAllocatorCall, TranslatedDirect
     any()
   }
 
-  override Function getInstructionFunction(InstructionTag tag) {
+  override Declaration getInstructionFunction(InstructionTag tag) {
     tag = CallTargetTag() and result = expr.getAllocator()
   }
 
@@ -2581,7 +2630,7 @@ class TranslatedDeleteOrDeleteArrayExpr extends TranslatedNonConstantExpr, Trans
     result = this.getFirstArgumentOrCallInstruction(kind)
   }
 
-  override Function getInstructionFunction(InstructionTag tag) {
+  override Declaration getInstructionFunction(InstructionTag tag) {
     tag = CallTargetTag() and result = expr.getDeallocator()
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -148,7 +148,8 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn
   final override Declaration getFunction() {
     result = getEnclosingFunction(expr) or
     result = getEnclosingVariable(expr).(GlobalOrNamespaceVariable) or
-    result = getEnclosingVariable(expr).(StaticInitializedStaticLocalVariable)
+    result = getEnclosingVariable(expr).(StaticInitializedStaticLocalVariable) or
+    result = getEnclosingVariable(expr).(Field)
   }
 
   final override Locatable getAst() { result = expr }
@@ -514,8 +515,8 @@ TranslatedFieldInitialization getTranslatedConstructorFieldInitialization(Constr
 }
 
 /**
- * Represents the IR translation of the initialization of a field from an
- * element of an initializer list.
+ * The IR translation of the initialization of a field from an element of
+ * an initializer list.
  */
 abstract class TranslatedFieldInitialization extends TranslatedElement {
   Expr ast;
@@ -528,13 +529,11 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
   final override Declaration getFunction() {
     result = getEnclosingFunction(ast) or
     result = getEnclosingVariable(ast).(GlobalOrNamespaceVariable) or
-    result = getEnclosingVariable(ast).(StaticInitializedStaticLocalVariable)
+    result = getEnclosingVariable(ast).(StaticInitializedStaticLocalVariable) or
+    result = getEnclosingVariable(ast).(Field)
   }
 
-  final override Instruction getFirstInstruction(EdgeKind kind) {
-    result = this.getInstruction(this.getFieldAddressTag()) and
-    kind instanceof GotoEdge
-  }
+  final Field getField() { result = field }
 
   /**
    * Gets the zero-based index describing the order in which this field is to be
@@ -542,6 +541,20 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
    */
   final int getOrder() { result = field.getInitializationOrder() }
 
+  /** Gets the position in the initializer list, or `-1` if the initialization is implicit. */
+  int getPosition() { result = -1 }
+}
+
+/**
+ * The IR translation of the initialization of a field from an element of an initializer
+ * list where default initialization is not used.
+ */
+abstract class TranslatedNonDefaultFieldInitialization extends TranslatedFieldInitialization {
+  final override Instruction getFirstInstruction(EdgeKind kind) {
+    result = this.getInstruction(this.getFieldAddressTag()) and
+    kind instanceof GotoEdge
+  }
+
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
     tag = this.getFieldAddressTag() and
     opcode instanceof Opcode::FieldAddress and
@@ -559,18 +572,13 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
   }
 
   final InstructionTag getFieldAddressTag() { result = InitializerFieldAddressTag() }
-
-  final Field getField() { result = field }
-
-  /** Gets the position in the initializer list, or `-1` if the initialization is implicit. */
-  int getPosition() { result = -1 }
 }
 
 /**
- * Represents the IR translation of the initialization of a field from an
- * explicit element in an initializer list.
+ * The IR translation of the initialization of a field from an explicit element in
+ * an initializer list.
  */
-class TranslatedExplicitFieldInitialization extends TranslatedFieldInitialization,
+class TranslatedExplicitFieldInitialization extends TranslatedNonDefaultFieldInitialization,
   InitializationContext, TTranslatedExplicitFieldInitialization
 {
   Expr expr;
@@ -610,15 +618,81 @@ class TranslatedExplicitFieldInitialization extends TranslatedFieldInitializatio
   override int getPosition() { result = position }
 }
 
+/**
+ * The IR translation of the initialization of a field from an element of an initializer
+ * list where default initialization is used.
+ */
+class TranslatedDefaultFieldInitialization extends TranslatedFieldInitialization,
+  TTranslatedDefaultFieldInitialization
+{
+  TranslatedDefaultFieldInitialization() {
+    this = TTranslatedDefaultFieldInitialization(ast, field)
+  }
+
+  final override Instruction getFirstInstruction(EdgeKind kind) {
+    result = this.getInstruction(CallTargetTag()) and
+    kind instanceof GotoEdge
+  }
+
+  override Instruction getALastInstructionInternal() {
+    result = this.getSideEffects().getALastInstruction()
+  }
+
+  override TranslatedElement getLastChild() { result = this.getSideEffects() }
+
+  override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
+    tag = CallTargetTag() and
+    result = this.getInstruction(CallTag())
+    or
+    tag = CallTag() and
+    result = this.getSideEffects().getFirstInstruction(kind)
+  }
+
+  override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
+    child = this.getSideEffects() and
+    result = this.getParent().getChildSuccessor(this, kind)
+  }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    tag = CallTargetTag() and
+    opcode instanceof Opcode::FunctionAddress and
+    resultType = getFunctionGLValueType()
+    or
+    tag = CallTag() and
+    opcode instanceof Opcode::Call and
+    resultType = getVoidType()
+  }
+
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = CallTag() and
+    (
+      operandTag instanceof CallTargetOperandTag and
+      result = this.getInstruction(CallTargetTag())
+      or
+      operandTag instanceof ThisArgumentOperandTag and
+      result = getTranslatedFunction(this.getFunction()).getLoadThisInstruction()
+    )
+  }
+
+  override Declaration getInstructionFunction(InstructionTag tag) {
+    tag = CallTargetTag() and
+    result = field
+  }
+
+  override TranslatedElement getChild(int id) { id = 0 and result = this.getSideEffects() }
+
+  final TranslatedSideEffects getSideEffects() { result.getExpr() = ast }
+}
+
 private string getZeroValue(Type type) {
   if type instanceof FloatingPointType then result = "0.0" else result = "0"
 }
 
 /**
- * Represents the IR translation of the initialization of a field without a
- * corresponding element in the initializer list.
+ * The IR translation of the initialization of a field without a corresponding
+ * element in the initializer list.
  */
-class TranslatedFieldValueInitialization extends TranslatedFieldInitialization,
+class TranslatedFieldValueInitialization extends TranslatedNonDefaultFieldInitialization,
   TTranslatedFieldValueInitialization
 {
   TranslatedFieldValueInitialization() { this = TTranslatedFieldValueInitialization(ast, field) }
@@ -628,7 +702,7 @@ class TranslatedFieldValueInitialization extends TranslatedFieldInitialization,
   }
 
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
-    TranslatedFieldInitialization.super.hasInstruction(opcode, tag, resultType)
+    TranslatedNonDefaultFieldInitialization.super.hasInstruction(opcode, tag, resultType)
     or
     tag = this.getFieldDefaultValueTag() and
     opcode instanceof Opcode::Constant and
@@ -659,7 +733,8 @@ class TranslatedFieldValueInitialization extends TranslatedFieldInitialization,
   }
 
   override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    result = TranslatedFieldInitialization.super.getInstructionRegisterOperand(tag, operandTag)
+    result =
+      TranslatedNonDefaultFieldInitialization.super.getInstructionRegisterOperand(tag, operandTag)
     or
     tag = this.getFieldDefaultValueStoreTag() and
     (
@@ -683,8 +758,8 @@ class TranslatedFieldValueInitialization extends TranslatedFieldInitialization,
 }
 
 /**
- * Represents the IR translation of the initialization of an array element from
- * an element of an initializer list.
+ * The IR translation of the initialization of an array element from an element
+ * of an initializer list.
  */
 abstract class TranslatedElementInitialization extends TranslatedElement {
   ArrayOrVectorAggregateLiteral initList;
@@ -701,6 +776,8 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
     result = getEnclosingVariable(initList).(GlobalOrNamespaceVariable)
     or
     result = getEnclosingVariable(initList).(StaticInitializedStaticLocalVariable)
+    or
+    result = getEnclosingVariable(initList).(Field)
   }
 
   final override Instruction getFirstInstruction(EdgeKind kind) {
@@ -759,8 +836,8 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
 }
 
 /**
- * Represents the IR translation of the initialization of an array element from
- * an explicit element in an initializer list.
+ * The IR translation of the initialization of an array element from an explicit
+ * element in an initializer list.
  */
 class TranslatedExplicitElementInitialization extends TranslatedElementInitialization,
   TTranslatedExplicitElementInitialization, InitializationContext
@@ -808,8 +885,8 @@ class TranslatedExplicitElementInitialization extends TranslatedElementInitializ
 }
 
 /**
- * Represents the IR translation of the initialization of a range of array
- * elements without corresponding elements in the initializer list.
+ * The IR translation of the initialization of a range of array elements without
+ * corresponding elements in the initializer list.
  */
 class TranslatedElementValueInitialization extends TranslatedElementInitialization,
   TTranslatedElementValueInitialization

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedNonStaticDataMember.qll

@@ -0,0 +1,217 @@
+import semmle.code.cpp.ir.implementation.raw.internal.TranslatedElement
+private import TranslatedExpr
+private import cpp
+private import semmle.code.cpp.ir.implementation.internal.OperandTag
+private import semmle.code.cpp.ir.internal.TempVariableTag
+private import semmle.code.cpp.ir.internal.CppType
+private import TranslatedInitialization
+private import InstructionTag
+private import semmle.code.cpp.ir.internal.IRUtilities
+
+class TranslatedNonStaticDataMemberVarInit extends TranslatedRootElement,
+  TTranslatedNonStaticDataMemberVarInit, InitializationContext
+{
+  Field field;
+  Class cls;
+
+  TranslatedNonStaticDataMemberVarInit() {
+    this = TTranslatedNonStaticDataMemberVarInit(field) and
+    cls.getAMember() = field
+  }
+
+  override string toString() { result = cls.toString() + "::" + field.toString() }
+
+  final override Field getAst() { result = field }
+
+  final override Declaration getFunction() { result = field }
+
+  override Instruction getFirstInstruction(EdgeKind kind) {
+    result = this.getInstruction(EnterFunctionTag()) and
+    kind instanceof GotoEdge
+  }
+
+  override Instruction getALastInstructionInternal() {
+    result = this.getInstruction(ExitFunctionTag())
+  }
+
+  override TranslatedElement getChild(int n) {
+    n = 1 and
+    result = getTranslatedInitialization(field.getInitializer().getExpr().getFullyConverted())
+  }
+
+  override predicate hasInstruction(Opcode op, InstructionTag tag, CppType type) {
+    op instanceof Opcode::EnterFunction and
+    tag = EnterFunctionTag() and
+    type = getVoidType()
+    or
+    op instanceof Opcode::AliasedDefinition and
+    tag = AliasedDefinitionTag() and
+    type = getUnknownType()
+    or
+    op instanceof Opcode::InitializeNonLocal and
+    tag = InitializeNonLocalTag() and
+    type = getUnknownType()
+    or
+    tag = ThisAddressTag() and
+    op instanceof Opcode::VariableAddress and
+    type = getTypeForGLValue(any(UnknownType t))
+    or
+    tag = InitializerStoreTag() and
+    op instanceof Opcode::InitializeParameter and
+    type = this.getThisType()
+    or
+    tag = ThisLoadTag() and
+    op instanceof Opcode::Load and
+    type = this.getThisType()
+    or
+    tag = InitializerIndirectStoreTag() and
+    op instanceof Opcode::InitializeIndirection and
+    type = getTypeForPRValue(cls)
+    or
+    op instanceof Opcode::FieldAddress and
+    tag = InitializerFieldAddressTag() and
+    type = getTypeForGLValue(field.getType())
+    or
+    op instanceof Opcode::ReturnVoid and
+    tag = ReturnTag() and
+    type = getVoidType()
+    or
+    op instanceof Opcode::AliasedUse and
+    tag = AliasedUseTag() and
+    type = getVoidType()
+    or
+    op instanceof Opcode::ExitFunction and
+    tag = ExitFunctionTag() and
+    type = getVoidType()
+  }
+
+  override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
+    kind instanceof GotoEdge and
+    (
+      tag = EnterFunctionTag() and
+      result = this.getInstruction(AliasedDefinitionTag())
+      or
+      tag = AliasedDefinitionTag() and
+      result = this.getInstruction(InitializeNonLocalTag())
+      or
+      tag = InitializeNonLocalTag() and
+      result = this.getInstruction(ThisAddressTag())
+      or
+      tag = ThisAddressTag() and
+      result = this.getInstruction(InitializerStoreTag())
+      or
+      tag = InitializerStoreTag() and
+      result = this.getInstruction(ThisLoadTag())
+      or
+      tag = ThisLoadTag() and
+      result = this.getInstruction(InitializerIndirectStoreTag())
+      or
+      tag = InitializerIndirectStoreTag() and
+      result = this.getInstruction(InitializerFieldAddressTag())
+    )
+    or
+    tag = InitializerFieldAddressTag() and
+    result = this.getChild(1).getFirstInstruction(kind)
+    or
+    kind instanceof GotoEdge and
+    (
+      tag = ReturnTag() and
+      result = this.getInstruction(AliasedUseTag())
+      or
+      tag = AliasedUseTag() and
+      result = this.getInstruction(ExitFunctionTag())
+    )
+  }
+
+  override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
+    child = this.getChild(1) and
+    result = this.getInstruction(ReturnTag()) and
+    kind instanceof GotoEdge
+  }
+
+  final override CppType getInstructionMemoryOperandType(
+    InstructionTag tag, TypedOperandTag operandTag
+  ) {
+    tag = AliasedUseTag() and
+    operandTag instanceof SideEffectOperandTag and
+    result = getUnknownType()
+  }
+
+  override IRVariable getInstructionVariable(InstructionTag tag) {
+    (
+      tag = ThisAddressTag() or
+      tag = InitializerStoreTag() or
+      tag = InitializerIndirectStoreTag()
+    ) and
+    result = getIRTempVariable(field, ThisTempVar())
+  }
+
+  override Field getInstructionField(InstructionTag tag) {
+    tag = InitializerFieldAddressTag() and
+    result = field
+  }
+
+  override predicate hasTempVariable(TempVariableTag tag, CppType type) {
+    tag = ThisTempVar() and
+    type = this.getThisType()
+  }
+
+  /**
+   * Holds if this variable defines or accesses variable `var` with type `type`. This includes all
+   * parameters and local variables, plus any global variables or static data members that are
+   * directly accessed by the function.
+   */
+  final predicate hasUserVariable(Variable varUsed, CppType type) {
+    (
+      (
+        varUsed instanceof GlobalOrNamespaceVariable
+        or
+        varUsed instanceof StaticLocalVariable
+        or
+        varUsed instanceof MemberVariable and not varUsed instanceof Field
+      ) and
+      exists(VariableAccess access |
+        access.getTarget() = varUsed and
+        getEnclosingVariable(access) = field
+      )
+      or
+      field = varUsed
+      or
+      varUsed.(LocalScopeVariable).getEnclosingElement*() = field
+      or
+      varUsed.(Parameter).getCatchBlock().getEnclosingElement*() = field
+    ) and
+    type = getTypeForPRValue(getVariableType(varUsed))
+  }
+
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    (
+      tag = InitializerStoreTag()
+      or
+      tag = ThisLoadTag()
+    ) and
+    operandTag instanceof AddressOperandTag and
+    result = this.getInstruction(ThisAddressTag())
+    or
+    (
+      tag = InitializerIndirectStoreTag() and
+      operandTag instanceof AddressOperandTag
+      or
+      tag = InitializerFieldAddressTag() and
+      operandTag instanceof UnaryOperandTag
+    ) and
+    result = this.getInstruction(ThisLoadTag())
+  }
+
+  override Instruction getTargetAddress() {
+    result = this.getInstruction(InitializerFieldAddressTag())
+  }
+
+  override Type getTargetType() { result = field.getUnspecifiedType() }
+
+  final Instruction getLoadThisInstruction() { result = this.getInstruction(ThisLoadTag()) }
+
+  private CppType getThisType() { result = getTypeForGLValue(cls) }
+}
+
+TranslatedNonStaticDataMemberVarInit getTranslatedFieldInit(Field field) { result.getAst() = field }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -495,7 +495,7 @@ class FieldInstruction extends Instruction {
  * `FunctionAddress` instruction.
  */
 class FunctionInstruction extends Instruction {
-  Language::Function funcSymbol;
+  Language::Declaration funcSymbol;
 
   FunctionInstruction() { funcSymbol = Raw::getInstructionFunction(this) }
 
@@ -504,7 +504,7 @@ class FunctionInstruction extends Instruction {
   /**
    * Gets the function that this instruction references.
    */
-  final Language::Function getFunctionSymbol() { result = funcSymbol }
+  final Language::Declaration getFunctionSymbol() { result = funcSymbol }
 }
 
 /**
@@ -1678,7 +1678,7 @@ class CallInstruction extends Instruction {
   /**
    * Gets the `Function` that the call targets, if this is statically known.
    */
-  final Language::Function getStaticCallTarget() {
+  final Language::Declaration getStaticCallTarget() {
     result = this.getCallTarget().(FunctionAddressInstruction).getFunctionSymbol()
   }
 

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -48,7 +48,6 @@ private import implementations.SqLite3
 private import implementations.PostgreSql
 private import implementations.System
 private import implementations.StructuredExceptionHandling
-private import implementations.ZMQ
 private import implementations.Win32CommandExecution
 private import implementations.CA2AEX
 private import implementations.CComBSTR

cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll

@@ -112,21 +112,3 @@ private class GetsFunction extends DataFlowFunction, ArrayFunction, AliasFunctio
 
   override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
 }
-
-/**
- * A model for `getc` and similar functions that are flow sources.
- */
-private class GetcSource extends SourceModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        ";;false;getc;;;ReturnValue;remote", ";;false;getwc;;;ReturnValue;remote",
-        ";;false;_getc_nolock;;;ReturnValue;remote", ";;false;_getwc_nolock;;;ReturnValue;remote",
-        ";;false;getch;;;ReturnValue;local", ";;false;_getch;;;ReturnValue;local",
-        ";;false;_getwch;;;ReturnValue;local", ";;false;_getch_nolock;;;ReturnValue;local",
-        ";;false;_getwch_nolock;;;ReturnValue;local", ";;false;getchar;;;ReturnValue;local",
-        ";;false;getwchar;;;ReturnValue;local", ";;false;_getchar_nolock;;;ReturnValue;local",
-        ";;false;_getwchar_nolock;;;ReturnValue;local",
-      ]
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/ZMQ.qll

@@ -1,45 +0,0 @@
-/**
- * Provides implementation classes modeling the ZeroMQ networking library.
- */
-
-import semmle.code.cpp.models.interfaces.FlowSource
-
-/**
- * Remote flow sources.
- */
-private class ZmqSource extends SourceModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        ";;false;zmq_recv;;;Argument[*1];remote", ";;false;zmq_recvmsg;;;Argument[*1];remote",
-        ";;false;zmq_msg_recv;;;Argument[*0];remote",
-      ]
-  }
-}
-
-/**
- * Remote flow sinks.
- */
-private class ZmqSinks extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        ";;false;zmq_send;;;Argument[*1];remote-sink",
-        ";;false;zmq_sendmsg;;;Argument[*1];remote-sink",
-        ";;false;zmq_msg_send;;;Argument[*0];remote-sink",
-      ]
-  }
-}
-
-/**
- * Flow steps.
- */
-private class ZmqSummaries extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        ";;false;zmq_msg_init_data;;;Argument[*1];Argument[*0];taint",
-        ";;false;zmq_msg_data;;;Argument[*0];ReturnValue[*];taint",
-      ]
-  }
-}

cpp/ql/test/library-tests/ctorinits/ctors.expected

@@ -1,17 +1,17 @@
-| ctorinits.cpp:5:3:5:10 | NoisyInt | 0 | ConstructorFieldInit | ctorinits.cpp:5:29:5:42 | constructor init of field m_value | 1 | 0 |
-| ctorinits.cpp:13:3:13:11 | NoisyPair | 0 | ConstructorFieldInit | ctorinits.cpp:14:7:14:16 | constructor init of field m_fst | 1 | 0 |
-| ctorinits.cpp:13:3:13:11 | NoisyPair | 1 | ConstructorFieldInit | ctorinits.cpp:15:7:15:16 | constructor init of field m_snd | 1 | 0 |
+| ctorinits.cpp:5:3:5:10 | NoisyInt | 0 | ConstructorDirectFieldInit | ctorinits.cpp:5:29:5:42 | constructor init of field m_value | 1 | 0 |
+| ctorinits.cpp:13:3:13:11 | NoisyPair | 0 | ConstructorDirectFieldInit | ctorinits.cpp:14:7:14:16 | constructor init of field m_fst | 1 | 0 |
+| ctorinits.cpp:13:3:13:11 | NoisyPair | 1 | ConstructorDirectFieldInit | ctorinits.cpp:15:7:15:16 | constructor init of field m_snd | 1 | 0 |
 | ctorinits.cpp:16:3:16:11 | NoisyPair | 0 | ConstructorDelegationInit | ctorinits.cpp:16:17:16:31 | call to NoisyPair | 2 | 2 |
 | ctorinits.cpp:21:8:21:8 | NoisyTriple | 0 | ConstructorDirectInit | ctorinits.cpp:21:8:21:8 | call to NoisyPair | 0 | 0 |
-| ctorinits.cpp:21:8:21:8 | NoisyTriple | 1 | ConstructorFieldInit | ctorinits.cpp:21:8:21:8 | constructor init of field m_third | 1 | 0 |
-| ctorinits.cpp:28:2:28:9 | ArrayInt | 0 | ConstructorFieldInit | ctorinits.cpp:28:13:28:13 | constructor init of field m_array | 1 | 0 |
-| ctorinits.cpp:42:2:42:16 | ArrayMemberInit | 0 | ConstructorFieldInit | ctorinits.cpp:42:22:42:32 | constructor init of field xs | 1 | 4 |
+| ctorinits.cpp:21:8:21:8 | NoisyTriple | 1 | ConstructorDirectFieldInit | ctorinits.cpp:21:8:21:8 | constructor init of field m_third | 1 | 0 |
+| ctorinits.cpp:28:2:28:9 | ArrayInt | 0 | ConstructorDirectFieldInit | ctorinits.cpp:28:13:28:13 | constructor init of field m_array | 1 | 0 |
+| ctorinits.cpp:42:2:42:16 | ArrayMemberInit | 0 | ConstructorDirectFieldInit | ctorinits.cpp:42:22:42:32 | constructor init of field xs | 1 | 4 |
 | ctorinits.cpp:65:3:65:15 | MultipleBases | 0 | ConstructorDirectInit | ctorinits.cpp:69:5:69:8 | call to A | 1 | 1 |
 | ctorinits.cpp:65:3:65:15 | MultipleBases | 1 | ConstructorDirectInit | ctorinits.cpp:67:5:67:8 | call to B | 1 | 1 |
 | ctorinits.cpp:65:3:65:15 | MultipleBases | 2 | ConstructorDirectInit | ctorinits.cpp:70:5:70:8 | call to C | 1 | 1 |
-| ctorinits.cpp:65:3:65:15 | MultipleBases | 3 | ConstructorFieldInit | ctorinits.cpp:68:5:68:8 | constructor init of field x | 1 | 1 |
-| ctorinits.cpp:65:3:65:15 | MultipleBases | 4 | ConstructorFieldInit | ctorinits.cpp:71:5:71:8 | constructor init of field y | 1 | 1 |
-| ctorinits.cpp:65:3:65:15 | MultipleBases | 5 | ConstructorFieldInit | ctorinits.cpp:66:5:66:8 | constructor init of field z | 1 | 1 |
+| ctorinits.cpp:65:3:65:15 | MultipleBases | 3 | ConstructorDirectFieldInit | ctorinits.cpp:68:5:68:8 | constructor init of field x | 1 | 1 |
+| ctorinits.cpp:65:3:65:15 | MultipleBases | 4 | ConstructorDirectFieldInit | ctorinits.cpp:71:5:71:8 | constructor init of field y | 1 | 1 |
+| ctorinits.cpp:65:3:65:15 | MultipleBases | 5 | ConstructorDirectFieldInit | ctorinits.cpp:66:5:66:8 | constructor init of field z | 1 | 1 |
 | ctorinits.cpp:81:8:81:8 | VD | 0 | ConstructorVirtualInit | ctorinits.cpp:81:8:81:8 | call to VB | 0 | 0 |
 | ctorinits.cpp:85:3:85:22 | VirtualAndNonVirtual | 0 | ConstructorVirtualInit | ctorinits.cpp:85:26:85:26 | call to VB | 0 | 0 |
 | ctorinits.cpp:85:3:85:22 | VirtualAndNonVirtual | 1 | ConstructorDirectInit | ctorinits.cpp:85:26:85:26 | call to VD | 0 | 0 |

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -10,11 +10,13 @@ uniqueEnclosingCallable
 | test.cpp:1158:18:1158:42 | ... , ... | Node should have one enclosing callable but has 0. |
 | test.cpp:1158:23:1158:31 | recursion | Node should have one enclosing callable but has 0. |
 | test.cpp:1158:35:1158:40 | call to source | Node should have one enclosing callable but has 0. |
+| test.cpp:1318:13:1318:18 | call to source | Node should have one enclosing callable but has 0. |
 uniqueCallEnclosingCallable
 | test.cpp:864:47:864:54 | call to source | Call should have one enclosing callable but has 0. |
 | test.cpp:872:46:872:51 | call to source | Call should have one enclosing callable but has 0. |
 | test.cpp:1158:18:1158:21 | call to sink | Call should have one enclosing callable but has 0. |
 | test.cpp:1158:35:1158:40 | call to source | Call should have one enclosing callable but has 0. |
+| test.cpp:1318:13:1318:18 | call to source | Call should have one enclosing callable but has 0. |
 uniqueType
 uniqueNodeLocation
 missingLocation

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -170,6 +170,7 @@ astFlow
 | test.cpp:1308:7:1308:12 | call to source | test.cpp:1309:14:1309:16 | ... ++ |
 | test.cpp:1312:7:1312:12 | call to source | test.cpp:1313:8:1313:24 | ... ? ... : ... |
 | test.cpp:1312:7:1312:12 | call to source | test.cpp:1314:8:1314:8 | x |
+| test.cpp:1329:11:1329:16 | call to source | test.cpp:1330:10:1330:10 | i |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
 | true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x |
@@ -390,6 +391,7 @@ irFlow
 | test.cpp:1308:7:1308:12 | call to source | test.cpp:1309:8:1309:16 | ... ++ |
 | test.cpp:1312:7:1312:12 | call to source | test.cpp:1313:8:1313:24 | ... ? ... : ... |
 | test.cpp:1312:7:1312:12 | call to source | test.cpp:1314:8:1314:8 | x |
+| test.cpp:1329:11:1329:16 | call to source | test.cpp:1330:10:1330:10 | i |
 | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -1312,4 +1312,20 @@ void crement_test2(bool b, int y) {
   x = source();
   sink(b ? (long)x++ : 0); // $ ir ast
   sink(x); // $ ir ast
-}
+}
+
+struct nsdmi {
+    int i = source();
+
+    nsdmi() {}
+
+    nsdmi(int i) : i(i) {}
+};
+
+void nsdmi_test() {
+  nsdmi x;
+  sink(x.i); // $ MISSING: ir ast
+
+  nsdmi y(source());
+  sink(y.i); // $ ir ast
+}

cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected

@@ -36,6 +36,12 @@ irTypeBugs
 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] read: Argument[this].Element[*] in operator-> |
 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] to write: ReturnValue[**] in operator-> |
 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] to write: ReturnValue[*] in operator-> |
+| test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | field |
+| test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | field |
+| test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | test.cpp:356:7:356:11 | field |
+| test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | i |
+| test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | i |
+| test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | test.cpp:1318:9:1318:9 | i |
 incorrectBaseType
 | clang.cpp:22:8:22:20 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
 | clang.cpp:23:17:23:29 | *& ... | Expected 'Node.getType()' to be int, but it was int * |

cpp/ql/test/library-tests/dataflow/external-models/validatemodels.ql

@@ -1,2 +1,2 @@
 import cpp
-import semmle.code.cpp.dataflow.ExternalFlow::CsvValidation
+import semmle.code.cpp.dataflow.ExternalFlow::ModelValidation

cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.ql

@@ -1,20 +0,0 @@
-import testModels
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
-
-string describe(DataFlow::Node n) {
-  n instanceof ParameterNode and result = "ParameterNode"
-  or
-  n instanceof PostUpdateNode and result = "PostUpdateNode"
-  or
-  n instanceof ArgumentNode and result = "ArgumentNode"
-  or
-  n instanceof ReturnNode and result = "ReturnNode"
-  or
-  n instanceof OutNode and result = "OutNode"
-}
-
-from FlowSummaryNode n
-select n, concat(describe(n), ", "), concat(n.getSummarizedCallable().toString(), ", "),
-  concat(n.getEnclosingCallable().toString(), ", ")

cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.expected

@@ -1,267 +0,0 @@
-summaryCalls
-| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturn in madCallArg0ReturnToReturn |
-| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturnFirst in madCallArg0ReturnToReturnFirst |
-| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0WithValue in madCallArg0WithValue |
-summarizedCallables
-| tests.cpp:144:5:144:19 | madArg0ToReturn |
-| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
-| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
-| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
-| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
-| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
-| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
-| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
-| tests.cpp:153:5:153:18 | madArgsComplex |
-| tests.cpp:154:5:154:14 | madArgsAny |
-| tests.cpp:155:5:155:28 | madAndImplementedComplex |
-| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
-| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
-| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
-| tests.cpp:163:13:163:32 | madArg0ToReturnField |
-| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
-| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
-| tests.cpp:284:7:284:19 | madArg0ToSelf |
-| tests.cpp:285:6:285:20 | madSelfToReturn |
-| tests.cpp:287:7:287:20 | madArg0ToField |
-| tests.cpp:288:6:288:21 | madFieldToReturn |
-| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
-| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
-| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
-| tests.cpp:436:6:436:25 | madCallArg0WithValue |
-| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
-| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
-| tests.cpp:471:5:471:17 | receive_array |
-sourceCallables
-| tests.cpp:3:5:3:10 | source |
-| tests.cpp:4:6:4:14 | sourcePtr |
-| tests.cpp:5:6:5:19 | sourceIndirect |
-| tests.cpp:6:6:6:9 | sink |
-| tests.cpp:6:15:6:17 | val |
-| tests.cpp:7:6:7:9 | sink |
-| tests.cpp:7:16:7:18 | ptr |
-| tests.cpp:11:5:11:18 | localMadSource |
-| tests.cpp:12:5:12:19 | remoteMadSource |
-| tests.cpp:13:5:13:14 | notASource |
-| tests.cpp:14:5:14:22 | localMadSourceVoid |
-| tests.cpp:15:5:15:25 | localMadSourceHasBody |
-| tests.cpp:16:6:16:28 | remoteMadSourceIndirect |
-| tests.cpp:17:7:17:35 | remoteMadSourceDoubleIndirect |
-| tests.cpp:18:6:18:32 | remoteMadSourceIndirectArg0 |
-| tests.cpp:18:39:18:39 | x |
-| tests.cpp:18:47:18:47 | y |
-| tests.cpp:19:6:19:32 | remoteMadSourceIndirectArg1 |
-| tests.cpp:19:39:19:39 | x |
-| tests.cpp:19:47:19:47 | y |
-| tests.cpp:20:5:20:22 | remoteMadSourceVar |
-| tests.cpp:21:6:21:31 | remoteMadSourceVarIndirect |
-| tests.cpp:24:6:24:28 | namespaceLocalMadSource |
-| tests.cpp:25:6:25:31 | namespaceLocalMadSourceVar |
-| tests.cpp:28:7:28:30 | namespace2LocalMadSource |
-| tests.cpp:31:6:31:19 | localMadSource |
-| tests.cpp:33:5:33:27 | namespaceLocalMadSource |
-| tests.cpp:35:6:35:17 | test_sources |
-| tests.cpp:50:6:50:6 | v |
-| tests.cpp:51:7:51:16 | v_indirect |
-| tests.cpp:52:6:52:13 | v_direct |
-| tests.cpp:63:6:63:6 | a |
-| tests.cpp:63:9:63:9 | b |
-| tests.cpp:63:12:63:12 | c |
-| tests.cpp:63:15:63:15 | d |
-| tests.cpp:75:6:75:6 | e |
-| tests.cpp:85:6:85:26 | remoteMadSourceParam0 |
-| tests.cpp:85:32:85:32 | x |
-| tests.cpp:92:6:92:16 | madSinkArg0 |
-| tests.cpp:92:22:92:22 | x |
-| tests.cpp:93:6:93:13 | notASink |
-| tests.cpp:93:19:93:19 | x |
-| tests.cpp:94:6:94:16 | madSinkArg1 |
-| tests.cpp:94:22:94:22 | x |
-| tests.cpp:94:29:94:29 | y |
-| tests.cpp:95:6:95:17 | madSinkArg01 |
-| tests.cpp:95:23:95:23 | x |
-| tests.cpp:95:30:95:30 | y |
-| tests.cpp:95:37:95:37 | z |
-| tests.cpp:96:6:96:17 | madSinkArg02 |
-| tests.cpp:96:23:96:23 | x |
-| tests.cpp:96:30:96:30 | y |
-| tests.cpp:96:37:96:37 | z |
-| tests.cpp:97:6:97:24 | madSinkIndirectArg0 |
-| tests.cpp:97:31:97:31 | x |
-| tests.cpp:98:6:98:30 | madSinkDoubleIndirectArg0 |
-| tests.cpp:98:38:98:38 | x |
-| tests.cpp:99:5:99:14 | madSinkVar |
-| tests.cpp:100:6:100:23 | madSinkVarIndirect |
-| tests.cpp:102:6:102:15 | test_sinks |
-| tests.cpp:116:6:116:6 | a |
-| tests.cpp:117:7:117:11 | a_ptr |
-| tests.cpp:132:6:132:18 | madSinkParam0 |
-| tests.cpp:132:24:132:24 | x |
-| tests.cpp:138:8:138:8 | operator= |
-| tests.cpp:138:8:138:8 | operator= |
-| tests.cpp:138:8:138:18 | MyContainer |
-| tests.cpp:139:6:139:10 | value |
-| tests.cpp:140:6:140:11 | value2 |
-| tests.cpp:141:7:141:9 | ptr |
-| tests.cpp:144:5:144:19 | madArg0ToReturn |
-| tests.cpp:144:25:144:25 | x |
-| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
-| tests.cpp:145:34:145:34 | x |
-| tests.cpp:146:5:146:15 | notASummary |
-| tests.cpp:146:21:146:21 | x |
-| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
-| tests.cpp:147:34:147:34 | x |
-| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
-| tests.cpp:148:34:148:34 | x |
-| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
-| tests.cpp:149:41:149:41 | x |
-| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
-| tests.cpp:150:37:150:37 | x |
-| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
-| tests.cpp:151:32:151:32 | x |
-| tests.cpp:151:40:151:40 | y |
-| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
-| tests.cpp:152:47:152:47 | x |
-| tests.cpp:152:55:152:55 | y |
-| tests.cpp:153:5:153:18 | madArgsComplex |
-| tests.cpp:153:25:153:25 | a |
-| tests.cpp:153:33:153:33 | b |
-| tests.cpp:153:40:153:40 | c |
-| tests.cpp:153:47:153:47 | d |
-| tests.cpp:154:5:154:14 | madArgsAny |
-| tests.cpp:154:20:154:20 | a |
-| tests.cpp:154:28:154:28 | b |
-| tests.cpp:155:5:155:28 | madAndImplementedComplex |
-| tests.cpp:155:34:155:34 | a |
-| tests.cpp:155:41:155:41 | b |
-| tests.cpp:155:48:155:48 | c |
-| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
-| tests.cpp:160:38:160:39 | mc |
-| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
-| tests.cpp:161:47:161:48 | mc |
-| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
-| tests.cpp:162:46:162:47 | mc |
-| tests.cpp:163:13:163:32 | madArg0ToReturnField |
-| tests.cpp:163:38:163:38 | x |
-| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
-| tests.cpp:164:47:164:47 | x |
-| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
-| tests.cpp:165:46:165:46 | x |
-| tests.cpp:167:13:167:30 | madFieldToFieldVar |
-| tests.cpp:168:13:168:38 | madFieldToIndirectFieldVar |
-| tests.cpp:169:14:169:39 | madIndirectFieldToFieldVar |
-| tests.cpp:171:6:171:19 | test_summaries |
-| tests.cpp:174:6:174:6 | a |
-| tests.cpp:174:9:174:9 | b |
-| tests.cpp:174:12:174:12 | c |
-| tests.cpp:174:15:174:15 | d |
-| tests.cpp:174:18:174:18 | e |
-| tests.cpp:175:7:175:11 | a_ptr |
-| tests.cpp:218:14:218:16 | mc1 |
-| tests.cpp:218:19:218:21 | mc2 |
-| tests.cpp:237:15:237:18 | rtn1 |
-| tests.cpp:240:14:240:17 | rtn2 |
-| tests.cpp:241:7:241:14 | rtn2_ptr |
-| tests.cpp:267:7:267:7 | operator= |
-| tests.cpp:267:7:267:7 | operator= |
-| tests.cpp:267:7:267:13 | MyClass |
-| tests.cpp:270:6:270:26 | memberRemoteMadSource |
-| tests.cpp:271:7:271:39 | memberRemoteMadSourceIndirectArg0 |
-| tests.cpp:271:46:271:46 | x |
-| tests.cpp:272:6:272:29 | memberRemoteMadSourceVar |
-| tests.cpp:273:7:273:21 | qualifierSource |
-| tests.cpp:274:7:274:26 | qualifierFieldSource |
-| tests.cpp:277:7:277:23 | memberMadSinkArg0 |
-| tests.cpp:277:29:277:29 | x |
-| tests.cpp:278:6:278:21 | memberMadSinkVar |
-| tests.cpp:279:7:279:19 | qualifierSink |
-| tests.cpp:280:7:280:23 | qualifierArg0Sink |
-| tests.cpp:280:29:280:29 | x |
-| tests.cpp:281:7:281:24 | qualifierFieldSink |
-| tests.cpp:284:7:284:19 | madArg0ToSelf |
-| tests.cpp:284:25:284:25 | x |
-| tests.cpp:285:6:285:20 | madSelfToReturn |
-| tests.cpp:286:6:286:16 | notASummary |
-| tests.cpp:287:7:287:20 | madArg0ToField |
-| tests.cpp:287:26:287:26 | x |
-| tests.cpp:288:6:288:21 | madFieldToReturn |
-| tests.cpp:290:6:290:8 | val |
-| tests.cpp:293:7:293:7 | MyDerivedClass |
-| tests.cpp:293:7:293:7 | operator= |
-| tests.cpp:293:7:293:7 | operator= |
-| tests.cpp:293:7:293:20 | MyDerivedClass |
-| tests.cpp:295:6:295:28 | subtypeRemoteMadSource1 |
-| tests.cpp:296:6:296:21 | subtypeNonSource |
-| tests.cpp:297:6:297:28 | subtypeRemoteMadSource2 |
-| tests.cpp:300:9:300:15 | source2 |
-| tests.cpp:301:6:301:9 | sink |
-| tests.cpp:301:19:301:20 | mc |
-| tests.cpp:304:8:304:8 | operator= |
-| tests.cpp:304:8:304:8 | operator= |
-| tests.cpp:304:8:304:14 | MyClass |
-| tests.cpp:307:8:307:33 | namespaceMemberMadSinkArg0 |
-| tests.cpp:307:39:307:39 | x |
-| tests.cpp:308:15:308:46 | namespaceStaticMemberMadSinkArg0 |
-| tests.cpp:308:52:308:52 | x |
-| tests.cpp:309:7:309:31 | namespaceMemberMadSinkVar |
-| tests.cpp:310:14:310:44 | namespaceStaticMemberMadSinkVar |
-| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
-| tests.cpp:317:22:317:28 | source3 |
-| tests.cpp:319:6:319:23 | test_class_members |
-| tests.cpp:320:10:320:11 | mc |
-| tests.cpp:320:14:320:16 | mc2 |
-| tests.cpp:320:19:320:21 | mc3 |
-| tests.cpp:320:24:320:26 | mc4 |
-| tests.cpp:320:29:320:31 | mc5 |
-| tests.cpp:320:34:320:36 | mc6 |
-| tests.cpp:320:39:320:41 | mc7 |
-| tests.cpp:320:44:320:46 | mc8 |
-| tests.cpp:320:49:320:51 | mc9 |
-| tests.cpp:320:54:320:57 | mc10 |
-| tests.cpp:320:60:320:63 | mc11 |
-| tests.cpp:321:11:321:13 | ptr |
-| tests.cpp:321:17:321:23 | mc4_ptr |
-| tests.cpp:322:17:322:19 | mdc |
-| tests.cpp:323:23:323:25 | mnc |
-| tests.cpp:323:28:323:31 | mnc2 |
-| tests.cpp:324:24:324:31 | mnc2_ptr |
-| tests.cpp:330:6:330:6 | a |
-| tests.cpp:429:8:429:8 | operator= |
-| tests.cpp:429:8:429:8 | operator= |
-| tests.cpp:429:8:429:14 | intPair |
-| tests.cpp:430:6:430:10 | first |
-| tests.cpp:431:6:431:11 | second |
-| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
-| tests.cpp:434:37:434:43 | fun_ptr |
-| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
-| tests.cpp:435:46:435:52 | fun_ptr |
-| tests.cpp:436:6:436:25 | madCallArg0WithValue |
-| tests.cpp:436:34:436:40 | fun_ptr |
-| tests.cpp:436:53:436:57 | value |
-| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
-| tests.cpp:437:45:437:51 | fun_ptr |
-| tests.cpp:437:64:437:68 | value |
-| tests.cpp:439:5:439:14 | getTainted |
-| tests.cpp:440:6:440:13 | useValue |
-| tests.cpp:440:19:440:19 | x |
-| tests.cpp:441:6:441:17 | dontUseValue |
-| tests.cpp:441:23:441:23 | x |
-| tests.cpp:443:6:443:27 | test_function_pointers |
-| tests.cpp:456:19:456:19 | X |
-| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<X> |
-| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<int> |
-| tests.cpp:458:12:458:15 | Type |
-| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
-| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
-| tests.cpp:459:45:459:45 | x |
-| tests.cpp:459:45:459:45 | x |
-| tests.cpp:462:6:462:37 | test_parameter_ref_to_return_ref |
-| tests.cpp:463:6:463:6 | x |
-| tests.cpp:464:36:464:36 | s |
-| tests.cpp:465:6:465:6 | y |
-| tests.cpp:469:7:469:9 | INT |
-| tests.cpp:471:5:471:17 | receive_array |
-| tests.cpp:471:23:471:23 | a |
-| tests.cpp:473:6:473:23 | test_receive_array |
-| tests.cpp:474:6:474:6 | x |
-| tests.cpp:475:6:475:10 | array |
-| tests.cpp:476:6:476:6 | y |

cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.ql

@@ -1,9 +0,0 @@
-import testModels
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-
-query predicate summaryCalls(SummaryCall c) { any() }
-
-query predicate summarizedCallables(SummarizedCallable c) { any() }
-
-query predicate sourceCallables(SourceCallable c) { c.getLocation().getFile().toString() != "" }

cpp/ql/test/library-tests/dataflow/models-as-data/consistency.expected

@@ -1,29 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall
-lambdaCallEnclosingCallableMismatch
-speculativeStepAlreadyHasModel

cpp/ql/test/library-tests/dataflow/models-as-data/consistency.ql

@@ -1,2 +0,0 @@
-import testModels
-import semmle.code.cpp.ir.dataflow.internal.DataFlowImplConsistency::Consistency

cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.ql

@@ -1,18 +0,0 @@
-import utils.test.InlineExpectationsTest
-import testModels
-
-module InterpretElementTest implements TestSig {
-  string getARelevantTag() { result = "interpretElement" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(Element e |
-      e = interpretElement(_, _, _, _, _, _) and
-      location = e.getLocation() and
-      element = e.toString() and
-      tag = "interpretElement" and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<InterpretElementTest>

cpp/ql/test/library-tests/dataflow/models-as-data/taint.ql

@@ -1,32 +0,0 @@
-import utils.test.dataflow.FlowTestCommon
-import testModels
-
-module IRTest {
-  private import semmle.code.cpp.ir.IR
-  private import semmle.code.cpp.ir.dataflow.TaintTracking
-
-  /** Common data flow configuration to be used by tests. */
-  module TestAllocationConfig implements DataFlow::ConfigSig {
-    predicate isSource(DataFlow::Node source) {
-      source instanceof FlowSource
-      or
-      source.asExpr().(FunctionCall).getTarget().getName() =
-        ["source", "source2", "source3", "sourcePtr"]
-      or
-      source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "sourceIndirect"
-    }
-
-    predicate isSink(DataFlow::Node sink) {
-      sinkNode(sink, "test-sink")
-      or
-      exists(FunctionCall call |
-        call.getTarget().getName() = "sink" and
-        sink.asExpr() = call.getAnArgument()
-      )
-    }
-  }
-
-  module IRFlow = TaintTracking::Global<TestAllocationConfig>;
-}
-
-import MakeTest<IRFlowTest<IRTest::IRFlow>>

cpp/ql/test/library-tests/dataflow/models-as-data/testModels.expected

@@ -1,3 +1,301 @@
+uniqueEnclosingCallable
+uniqueCallEnclosingCallable
+uniqueType
+uniqueNodeLocation
+missingLocation
+uniqueNodeToString
+parameterCallable
+localFlowIsLocal
+readStepIsLocal
+storeStepIsLocal
+compatibleTypesReflexive
+unreachableNodeCCtx
+localCallNodes
+postIsNotPre
+postHasUniquePre
+uniquePostUpdate
+postIsInSameCallable
+reverseRead
+argHasPostUpdate
+postWithInFlow
+viableImplInCallContextTooLarge
+uniqueParameterNodeAtPosition
+uniqueParameterNodePosition
+uniqueContentApprox
+identityLocalStep
+missingArgumentCall
+multipleArgumentCall
+lambdaCallEnclosingCallableMismatch
+speculativeStepAlreadyHasModel
+testFailures
+summaryCalls
+| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturn in madCallArg0ReturnToReturn |
+| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturnFirst in madCallArg0ReturnToReturnFirst |
+| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0WithValue in madCallArg0WithValue |
+summarizedCallables
+| tests.cpp:144:5:144:19 | madArg0ToReturn |
+| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
+| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
+| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
+| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
+| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
+| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
+| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
+| tests.cpp:153:5:153:18 | madArgsComplex |
+| tests.cpp:154:5:154:14 | madArgsAny |
+| tests.cpp:155:5:155:28 | madAndImplementedComplex |
+| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
+| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
+| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
+| tests.cpp:163:13:163:32 | madArg0ToReturnField |
+| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
+| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
+| tests.cpp:284:7:284:19 | madArg0ToSelf |
+| tests.cpp:285:6:285:20 | madSelfToReturn |
+| tests.cpp:287:7:287:20 | madArg0ToField |
+| tests.cpp:288:6:288:21 | madFieldToReturn |
+| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
+| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
+| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
+| tests.cpp:436:6:436:25 | madCallArg0WithValue |
+| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
+| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
+| tests.cpp:471:5:471:17 | receive_array |
+sourceCallables
+| tests.cpp:3:5:3:10 | source |
+| tests.cpp:4:6:4:14 | sourcePtr |
+| tests.cpp:5:6:5:19 | sourceIndirect |
+| tests.cpp:6:6:6:9 | sink |
+| tests.cpp:6:15:6:17 | val |
+| tests.cpp:7:6:7:9 | sink |
+| tests.cpp:7:16:7:18 | ptr |
+| tests.cpp:11:5:11:18 | localMadSource |
+| tests.cpp:12:5:12:19 | remoteMadSource |
+| tests.cpp:13:5:13:14 | notASource |
+| tests.cpp:14:5:14:22 | localMadSourceVoid |
+| tests.cpp:15:5:15:25 | localMadSourceHasBody |
+| tests.cpp:16:6:16:28 | remoteMadSourceIndirect |
+| tests.cpp:17:7:17:35 | remoteMadSourceDoubleIndirect |
+| tests.cpp:18:6:18:32 | remoteMadSourceIndirectArg0 |
+| tests.cpp:18:39:18:39 | x |
+| tests.cpp:18:47:18:47 | y |
+| tests.cpp:19:6:19:32 | remoteMadSourceIndirectArg1 |
+| tests.cpp:19:39:19:39 | x |
+| tests.cpp:19:47:19:47 | y |
+| tests.cpp:20:5:20:22 | remoteMadSourceVar |
+| tests.cpp:21:6:21:31 | remoteMadSourceVarIndirect |
+| tests.cpp:24:6:24:28 | namespaceLocalMadSource |
+| tests.cpp:25:6:25:31 | namespaceLocalMadSourceVar |
+| tests.cpp:28:7:28:30 | namespace2LocalMadSource |
+| tests.cpp:31:6:31:19 | localMadSource |
+| tests.cpp:33:5:33:27 | namespaceLocalMadSource |
+| tests.cpp:35:6:35:17 | test_sources |
+| tests.cpp:50:6:50:6 | v |
+| tests.cpp:51:7:51:16 | v_indirect |
+| tests.cpp:52:6:52:13 | v_direct |
+| tests.cpp:63:6:63:6 | a |
+| tests.cpp:63:9:63:9 | b |
+| tests.cpp:63:12:63:12 | c |
+| tests.cpp:63:15:63:15 | d |
+| tests.cpp:75:6:75:6 | e |
+| tests.cpp:85:6:85:26 | remoteMadSourceParam0 |
+| tests.cpp:85:32:85:32 | x |
+| tests.cpp:92:6:92:16 | madSinkArg0 |
+| tests.cpp:92:22:92:22 | x |
+| tests.cpp:93:6:93:13 | notASink |
+| tests.cpp:93:19:93:19 | x |
+| tests.cpp:94:6:94:16 | madSinkArg1 |
+| tests.cpp:94:22:94:22 | x |
+| tests.cpp:94:29:94:29 | y |
+| tests.cpp:95:6:95:17 | madSinkArg01 |
+| tests.cpp:95:23:95:23 | x |
+| tests.cpp:95:30:95:30 | y |
+| tests.cpp:95:37:95:37 | z |
+| tests.cpp:96:6:96:17 | madSinkArg02 |
+| tests.cpp:96:23:96:23 | x |
+| tests.cpp:96:30:96:30 | y |
+| tests.cpp:96:37:96:37 | z |
+| tests.cpp:97:6:97:24 | madSinkIndirectArg0 |
+| tests.cpp:97:31:97:31 | x |
+| tests.cpp:98:6:98:30 | madSinkDoubleIndirectArg0 |
+| tests.cpp:98:38:98:38 | x |
+| tests.cpp:99:5:99:14 | madSinkVar |
+| tests.cpp:100:6:100:23 | madSinkVarIndirect |
+| tests.cpp:102:6:102:15 | test_sinks |
+| tests.cpp:116:6:116:6 | a |
+| tests.cpp:117:7:117:11 | a_ptr |
+| tests.cpp:132:6:132:18 | madSinkParam0 |
+| tests.cpp:132:24:132:24 | x |
+| tests.cpp:138:8:138:8 | operator= |
+| tests.cpp:138:8:138:8 | operator= |
+| tests.cpp:138:8:138:18 | MyContainer |
+| tests.cpp:139:6:139:10 | value |
+| tests.cpp:140:6:140:11 | value2 |
+| tests.cpp:141:7:141:9 | ptr |
+| tests.cpp:144:5:144:19 | madArg0ToReturn |
+| tests.cpp:144:25:144:25 | x |
+| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
+| tests.cpp:145:34:145:34 | x |
+| tests.cpp:146:5:146:15 | notASummary |
+| tests.cpp:146:21:146:21 | x |
+| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
+| tests.cpp:147:34:147:34 | x |
+| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
+| tests.cpp:148:34:148:34 | x |
+| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
+| tests.cpp:149:41:149:41 | x |
+| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
+| tests.cpp:150:37:150:37 | x |
+| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
+| tests.cpp:151:32:151:32 | x |
+| tests.cpp:151:40:151:40 | y |
+| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
+| tests.cpp:152:47:152:47 | x |
+| tests.cpp:152:55:152:55 | y |
+| tests.cpp:153:5:153:18 | madArgsComplex |
+| tests.cpp:153:25:153:25 | a |
+| tests.cpp:153:33:153:33 | b |
+| tests.cpp:153:40:153:40 | c |
+| tests.cpp:153:47:153:47 | d |
+| tests.cpp:154:5:154:14 | madArgsAny |
+| tests.cpp:154:20:154:20 | a |
+| tests.cpp:154:28:154:28 | b |
+| tests.cpp:155:5:155:28 | madAndImplementedComplex |
+| tests.cpp:155:34:155:34 | a |
+| tests.cpp:155:41:155:41 | b |
+| tests.cpp:155:48:155:48 | c |
+| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
+| tests.cpp:160:38:160:39 | mc |
+| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
+| tests.cpp:161:47:161:48 | mc |
+| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
+| tests.cpp:162:46:162:47 | mc |
+| tests.cpp:163:13:163:32 | madArg0ToReturnField |
+| tests.cpp:163:38:163:38 | x |
+| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
+| tests.cpp:164:47:164:47 | x |
+| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
+| tests.cpp:165:46:165:46 | x |
+| tests.cpp:167:13:167:30 | madFieldToFieldVar |
+| tests.cpp:168:13:168:38 | madFieldToIndirectFieldVar |
+| tests.cpp:169:14:169:39 | madIndirectFieldToFieldVar |
+| tests.cpp:171:6:171:19 | test_summaries |
+| tests.cpp:174:6:174:6 | a |
+| tests.cpp:174:9:174:9 | b |
+| tests.cpp:174:12:174:12 | c |
+| tests.cpp:174:15:174:15 | d |
+| tests.cpp:174:18:174:18 | e |
+| tests.cpp:175:7:175:11 | a_ptr |
+| tests.cpp:218:14:218:16 | mc1 |
+| tests.cpp:218:19:218:21 | mc2 |
+| tests.cpp:237:15:237:18 | rtn1 |
+| tests.cpp:240:14:240:17 | rtn2 |
+| tests.cpp:241:7:241:14 | rtn2_ptr |
+| tests.cpp:267:7:267:7 | operator= |
+| tests.cpp:267:7:267:7 | operator= |
+| tests.cpp:267:7:267:13 | MyClass |
+| tests.cpp:270:6:270:26 | memberRemoteMadSource |
+| tests.cpp:271:7:271:39 | memberRemoteMadSourceIndirectArg0 |
+| tests.cpp:271:46:271:46 | x |
+| tests.cpp:272:6:272:29 | memberRemoteMadSourceVar |
+| tests.cpp:273:7:273:21 | qualifierSource |
+| tests.cpp:274:7:274:26 | qualifierFieldSource |
+| tests.cpp:277:7:277:23 | memberMadSinkArg0 |
+| tests.cpp:277:29:277:29 | x |
+| tests.cpp:278:6:278:21 | memberMadSinkVar |
+| tests.cpp:279:7:279:19 | qualifierSink |
+| tests.cpp:280:7:280:23 | qualifierArg0Sink |
+| tests.cpp:280:29:280:29 | x |
+| tests.cpp:281:7:281:24 | qualifierFieldSink |
+| tests.cpp:284:7:284:19 | madArg0ToSelf |
+| tests.cpp:284:25:284:25 | x |
+| tests.cpp:285:6:285:20 | madSelfToReturn |
+| tests.cpp:286:6:286:16 | notASummary |
+| tests.cpp:287:7:287:20 | madArg0ToField |
+| tests.cpp:287:26:287:26 | x |
+| tests.cpp:288:6:288:21 | madFieldToReturn |
+| tests.cpp:290:6:290:8 | val |
+| tests.cpp:293:7:293:7 | MyDerivedClass |
+| tests.cpp:293:7:293:7 | operator= |
+| tests.cpp:293:7:293:7 | operator= |
+| tests.cpp:293:7:293:20 | MyDerivedClass |
+| tests.cpp:295:6:295:28 | subtypeRemoteMadSource1 |
+| tests.cpp:296:6:296:21 | subtypeNonSource |
+| tests.cpp:297:6:297:28 | subtypeRemoteMadSource2 |
+| tests.cpp:300:9:300:15 | source2 |
+| tests.cpp:301:6:301:9 | sink |
+| tests.cpp:301:19:301:20 | mc |
+| tests.cpp:304:8:304:8 | operator= |
+| tests.cpp:304:8:304:8 | operator= |
+| tests.cpp:304:8:304:14 | MyClass |
+| tests.cpp:307:8:307:33 | namespaceMemberMadSinkArg0 |
+| tests.cpp:307:39:307:39 | x |
+| tests.cpp:308:15:308:46 | namespaceStaticMemberMadSinkArg0 |
+| tests.cpp:308:52:308:52 | x |
+| tests.cpp:309:7:309:31 | namespaceMemberMadSinkVar |
+| tests.cpp:310:14:310:44 | namespaceStaticMemberMadSinkVar |
+| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
+| tests.cpp:317:22:317:28 | source3 |
+| tests.cpp:319:6:319:23 | test_class_members |
+| tests.cpp:320:10:320:11 | mc |
+| tests.cpp:320:14:320:16 | mc2 |
+| tests.cpp:320:19:320:21 | mc3 |
+| tests.cpp:320:24:320:26 | mc4 |
+| tests.cpp:320:29:320:31 | mc5 |
+| tests.cpp:320:34:320:36 | mc6 |
+| tests.cpp:320:39:320:41 | mc7 |
+| tests.cpp:320:44:320:46 | mc8 |
+| tests.cpp:320:49:320:51 | mc9 |
+| tests.cpp:320:54:320:57 | mc10 |
+| tests.cpp:320:60:320:63 | mc11 |
+| tests.cpp:321:11:321:13 | ptr |
+| tests.cpp:321:17:321:23 | mc4_ptr |
+| tests.cpp:322:17:322:19 | mdc |
+| tests.cpp:323:23:323:25 | mnc |
+| tests.cpp:323:28:323:31 | mnc2 |
+| tests.cpp:324:24:324:31 | mnc2_ptr |
+| tests.cpp:330:6:330:6 | a |
+| tests.cpp:429:8:429:8 | operator= |
+| tests.cpp:429:8:429:8 | operator= |
+| tests.cpp:429:8:429:14 | intPair |
+| tests.cpp:430:6:430:10 | first |
+| tests.cpp:431:6:431:11 | second |
+| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
+| tests.cpp:434:37:434:43 | fun_ptr |
+| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
+| tests.cpp:435:46:435:52 | fun_ptr |
+| tests.cpp:436:6:436:25 | madCallArg0WithValue |
+| tests.cpp:436:34:436:40 | fun_ptr |
+| tests.cpp:436:53:436:57 | value |
+| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
+| tests.cpp:437:45:437:51 | fun_ptr |
+| tests.cpp:437:64:437:68 | value |
+| tests.cpp:439:5:439:14 | getTainted |
+| tests.cpp:440:6:440:13 | useValue |
+| tests.cpp:440:19:440:19 | x |
+| tests.cpp:441:6:441:17 | dontUseValue |
+| tests.cpp:441:23:441:23 | x |
+| tests.cpp:443:6:443:27 | test_function_pointers |
+| tests.cpp:456:19:456:19 | X |
+| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<X> |
+| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<int> |
+| tests.cpp:458:12:458:15 | Type |
+| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
+| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
+| tests.cpp:459:45:459:45 | x |
+| tests.cpp:459:45:459:45 | x |
+| tests.cpp:462:6:462:37 | test_parameter_ref_to_return_ref |
+| tests.cpp:463:6:463:6 | x |
+| tests.cpp:464:36:464:36 | s |
+| tests.cpp:465:6:465:6 | y |
+| tests.cpp:469:7:469:9 | INT |
+| tests.cpp:471:5:471:17 | receive_array |
+| tests.cpp:471:23:471:23 | a |
+| tests.cpp:473:6:473:23 | test_receive_array |
+| tests.cpp:474:6:474:6 | x |
+| tests.cpp:475:6:475:10 | array |
+| tests.cpp:476:6:476:6 | y |
+flowSummaryNode
 | tests.cpp:144:5:144:19 | [summary param] 0 in madArg0ToReturn | ParameterNode | madArg0ToReturn | madArg0ToReturn |
 | tests.cpp:144:5:144:19 | [summary] to write: ReturnValue in madArg0ToReturn | ReturnNode | madArg0ToReturn | madArg0ToReturn |
 | tests.cpp:145:6:145:28 | [summary param] 0 in madArg0ToReturnIndirect | ParameterNode | madArg0ToReturnIndirect | madArg0ToReturnIndirect |

cpp/ql/test/library-tests/dataflow/models-as-data/testModels.ext.yml

@@ -0,0 +1,84 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "localMadSource", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "remoteMadSource", "", "", "ReturnValue", "remote", "manual"]
+      - ["", "", False, "localMadSourceVoid", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "localMadSourceHasBody", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "remoteMadSourceIndirect", "", "", "ReturnValue[*]", "remote", "manual"]
+      - ["", "", False, "remoteMadSourceDoubleIndirect", "", "", "ReturnValue[**]", "remote", "manual"]
+      - ["", "", False, "remoteMadSourceIndirectArg0", "", "", "Argument[*0]", "remote", "manual"]
+      - ["", "", False, "remoteMadSourceIndirectArg1", "", "", "Argument[*1]", "remote", "manual"]
+      - ["", "", False, "remoteMadSourceVar", "", "", "", "remote", "manual"]
+      - ["", "", False, "remoteMadSourceVarIndirect", "", "", "*", "remote", "manual"] # we can't express this source/sink correctly at present, "*" is not a valid access path
+      - ["", "", False, "remoteMadSourceParam0", "", "", "Parameter[0]", "remote", "manual"]
+      - ["MyNamespace", "", False, "namespaceLocalMadSource", "", "", "ReturnValue", "local", "manual"]
+      - ["MyNamespace", "", False, "namespaceLocalMadSourceVar", "", "", "", "local", "manual"]
+      - ["MyNamespace::MyNamespace2", "", False, "namespace2LocalMadSource", "", "", "ReturnValue", "local", "manual"]
+      - ["", "MyClass", True, "memberRemoteMadSource", "", "", "ReturnValue", "remote", "manual"]
+      - ["", "MyClass", True, "memberRemoteMadSourceIndirectArg0", "", "", "Argument[*0]", "remote", "manual"]
+      - ["", "MyClass", True, "memberRemoteMadSourceVar", "", "", "", "remote", "manual"]
+      - ["", "MyClass", True, "subtypeRemoteMadSource1", "", "", "ReturnValue", "remote", "manual"]
+      - ["", "MyClass", False, "subtypeNonSource", "", "", "ReturnValue", "remote", "manual"] # the tests define this in MyDerivedClass, so it should *not* be recongized as a source
+      - ["", "MyClass", True, "qualifierSource", "", "", "Argument[-1]", "remote", "manual"]
+      - ["", "MyClass", True, "qualifierFieldSource", "", "", "Argument[-1].val", "remote", "manual"]
+      - ["", "MyDerivedClass", False, "subtypeRemoteMadSource2", "", "", "ReturnValue", "remote", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
+      - ["", "", False, "madSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
+      - ["", "", False, "madSinkArg1", "", "", "Argument[1]", "test-sink", "manual"]
+      - ["", "", False, "madSinkArg01", "", "", "Argument[0..1]", "test-sink", "manual"]
+      - ["", "", False, "madSinkArg02", "", "", "Argument[0,2]", "test-sink", "manual"]
+      - ["", "", False, "madSinkIndirectArg0", "", "", "Argument[*0]", "test-sink", "manual"]
+      - ["", "", False, "madSinkDoubleIndirectArg0", "", "", "Argument[**0]", "test-sink", "manual"]
+      - ["", "", False, "madSinkVar", "", "", "", "test-sink", "manual"]
+      - ["", "", False, "madSinkVarIndirect", "", "", "*", "test-sink", "manual"] # we can't express this source/sink correctly at present, "*" is not a valid access path
+      - ["", "", False, "madSinkParam0", "", "", "Parameter[0]", "test-sink", "manual"]
+      - ["", "MyClass", True, "memberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
+      - ["", "MyClass", True, "memberMadSinkVar", "", "", "", "test-sink", "manual"]
+      - ["", "MyClass", True, "qualifierSink", "", "", "Argument[-1]", "test-sink", "manual"]
+      - ["", "MyClass", True, "qualifierArg0Sink", "", "", "Argument[-1..0]", "test-sink", "manual"]
+      - ["", "MyClass", True, "qualifierFieldSink", "", "", "Argument[-1].val", "test-sink", "manual"]
+      - ["MyNamespace", "MyClass", True, "namespaceMemberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
+      - ["MyNamespace", "MyClass", True, "namespaceStaticMemberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
+      - ["MyNamespace", "MyClass", True, "namespaceMemberMadSinkVar", "", "", "", "test-sink", "manual"]
+      - ["MyNamespace", "MyClass", True, "namespaceStaticMemberMadSinkVar", "", "", "", "test-sink", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "madArg0ToReturn", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "madArg0ToReturnIndirect", "", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "", False, "madArg0ToReturnValueFlow", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["", "", False, "madArg0IndirectToReturn", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "madArg0DoubleIndirectToReturn", "", "", "Argument[**0]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "madArg0NotIndirectToReturn", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "madArg0ToArg1Indirect", "", "", "Argument[0]", "Argument[*1]", "taint", "manual"]
+      - ["", "", False, "madArg0IndirectToArg1Indirect", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
+      - ["", "", False, "madArgsComplex", "", "", "Argument[*0..1,2]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "madAndImplementedComplex", "", "", "Argument[2]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "madArgsAny", "", "", "Argument", "ReturnValue", "taint", "manual"] # we can't express this source/sink correctly at present, "Argument" is not a valid input
+      - ["", "", False, "madArg0FieldToReturn", "", "", "Argument[0].Field[value]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "madArg0IndirectFieldToReturn", "", "", "Argument[*0].Field[value]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "madArg0FieldIndirectToReturn", "", "", "Argument[0].Field[*ptr]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "madArg0ToReturnField", "", "", "Argument[0]", "ReturnValue.Field[value]", "taint", "manual"]
+      - ["", "", False, "madArg0ToReturnIndirectField", "", "", "Argument[0]", "ReturnValue[*].Field[value]", "taint", "manual"]
+      - ["", "", False, "madArg0ToReturnFieldIndirect", "", "", "Argument[0]", "ReturnValue.Field[*ptr]", "taint", "manual"]
+      - ["", "", False, "madFieldToFieldVar", "", "", "Field[value]", "Field[value2]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[value2]" is not a valid output
+      - ["", "", False, "madFieldToIndirectFieldVar", "", "", "Field[value]", "Field[*ptr]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[*ptr]" is not a valid output
+      - ["", "", False, "madIndirectFieldToFieldVar", "", "", "Field[value]", "Field[value2]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[value2]" is not a valid output
+      - ["", "MyClass", True, "madArg0ToSelf", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["", "MyClass", True, "madSelfToReturn", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["", "MyClass", True, "madArg0ToField", "", "", "Argument[0]", "Argument[-1].Field[val]", "taint", "manual"]
+      - ["", "MyClass", True, "madFieldToReturn", "", "", "Argument[-1].Field[val]", "ReturnValue", "taint", "manual"]
+      - ["MyNamespace", "MyClass", True, "namespaceMadSelfToReturn", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["", "", False, "madCallArg0ReturnToReturn", "", "", "Argument[0].ReturnValue", "ReturnValue", "value", "manual"]
+      - ["", "", False, "madCallArg0ReturnToReturnFirst", "", "", "Argument[0].ReturnValue", "ReturnValue.Field[first]", "value", "manual"]
+      - ["", "", False, "madCallArg0WithValue", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
+      - ["", "", False, "madCallReturnValueIgnoreFunction", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["", "StructWithTypedefInParameter<T>", True, "parameter_ref_to_return_ref", "(const T &)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["", "", False, "receive_array", "(int[20])", "", "Argument[*0]", "ReturnValue", "taint", "manual"]

cpp/ql/test/library-tests/dataflow/models-as-data/testModels.ql

@@ -0,0 +1,74 @@
+import semmle.code.cpp.ir.dataflow.internal.DataFlowImplConsistency::Consistency
+import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
+import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+import semmle.code.cpp.security.FlowSources
+import utils.test.dataflow.FlowTestCommon
+
+module InterpretElementTest implements TestSig {
+  string getARelevantTag() { result = "interpretElement" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(Element e |
+      e = interpretElement(_, _, _, _, _, _) and
+      location = e.getLocation() and
+      element = e.toString() and
+      tag = "interpretElement" and
+      value = ""
+    )
+  }
+}
+
+query predicate summaryCalls(SummaryCall c) { any() }
+
+query predicate summarizedCallables(SummarizedCallable c) { any() }
+
+query predicate sourceCallables(SourceCallable c) { c.getLocation().getFile().toString() != "" }
+
+module IRTest {
+  private import semmle.code.cpp.ir.IR
+  private import semmle.code.cpp.ir.dataflow.TaintTracking
+
+  /** Common data flow configuration to be used by tests. */
+  module TestAllocationConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
+      source instanceof FlowSource
+      or
+      source.asExpr().(FunctionCall).getTarget().getName() =
+        ["source", "source2", "source3", "sourcePtr"]
+      or
+      source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "sourceIndirect"
+    }
+
+    predicate isSink(DataFlow::Node sink) {
+      sinkNode(sink, "test-sink")
+      or
+      exists(FunctionCall call |
+        call.getTarget().getName() = "sink" and
+        sink.asExpr() = call.getAnArgument()
+      )
+    }
+  }
+
+  module IRFlow = TaintTracking::Global<TestAllocationConfig>;
+}
+
+import MakeTest<MergeTests<IRFlowTest<IRTest::IRFlow>, InterpretElementTest>>
+
+string describe(DataFlow::Node n) {
+  n instanceof ParameterNode and result = "ParameterNode"
+  or
+  n instanceof PostUpdateNode and result = "PostUpdateNode"
+  or
+  n instanceof ArgumentNode and result = "ArgumentNode"
+  or
+  n instanceof ReturnNode and result = "ReturnNode"
+  or
+  n instanceof OutNode and result = "OutNode"
+}
+
+query predicate flowSummaryNode(FlowSummaryNode n, string str1, string str2, string str3) {
+  str1 = concat(describe(n), ", ") and
+  str2 = concat(n.getSummarizedCallable().toString(), ", ") and
+  str3 = concat(n.getEnclosingCallable().toString(), ", ")
+}

cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll

@@ -1,105 +0,0 @@
-import semmle.code.cpp.security.FlowSources
-
-/**
- * Models-as-data source models for this test.
- */
-private class TestSources extends SourceModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        ";;false;localMadSource;;;ReturnValue;local",
-        ";;false;remoteMadSource;;;ReturnValue;remote",
-        ";;false;localMadSourceVoid;;;ReturnValue;local",
-        ";;false;localMadSourceHasBody;;;ReturnValue;local",
-        ";;false;remoteMadSourceIndirect;;;ReturnValue[*];remote",
-        ";;false;remoteMadSourceDoubleIndirect;;;ReturnValue[**];remote",
-        ";;false;remoteMadSourceIndirectArg0;;;Argument[*0];remote",
-        ";;false;remoteMadSourceIndirectArg1;;;Argument[*1];remote",
-        ";;false;remoteMadSourceVar;;;;remote",
-        ";;false;remoteMadSourceVarIndirect;;;*;remote", // not correctly expressed
-        ";;false;remoteMadSourceParam0;;;Parameter[0];remote",
-        "MyNamespace;;false;namespaceLocalMadSource;;;ReturnValue;local",
-        "MyNamespace;;false;namespaceLocalMadSourceVar;;;;local",
-        "MyNamespace::MyNamespace2;;false;namespace2LocalMadSource;;;ReturnValue;local",
-        ";MyClass;true;memberRemoteMadSource;;;ReturnValue;remote",
-        ";MyClass;true;memberRemoteMadSourceIndirectArg0;;;Argument[*0];remote",
-        ";MyClass;true;memberRemoteMadSourceVar;;;;remote",
-        ";MyClass;true;subtypeRemoteMadSource1;;;ReturnValue;remote",
-        ";MyClass;false;subtypeNonSource;;;ReturnValue;remote", // the tests define this in MyDerivedClass, so it should *not* be recongized as a source
-        ";MyClass;true;qualifierSource;;;Argument[-1];remote",
-        ";MyClass;true;qualifierFieldSource;;;Argument[-1].val;remote",
-        ";MyDerivedClass;false;subtypeRemoteMadSource2;;;ReturnValue;remote",
-      ]
-  }
-}
-
-/**
- * Models-as-data sink models for this test.
- */
-private class TestSinks extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        ";;false;madSinkArg0;;;Argument[0];test-sink",
-        ";;false;madSinkArg1;;;Argument[1];test-sink",
-        ";;false;madSinkArg01;;;Argument[0..1];test-sink",
-        ";;false;madSinkArg02;;;Argument[0,2];test-sink",
-        ";;false;madSinkIndirectArg0;;;Argument[*0];test-sink",
-        ";;false;madSinkDoubleIndirectArg0;;;Argument[**0];test-sink",
-        ";;false;madSinkVar;;;;test-sink",
-        ";;false;madSinkVarIndirect;;;*;test-sink", // not correctly expressed
-        ";;false;madSinkParam0;;;Parameter[0];test-sink",
-        ";MyClass;true;memberMadSinkArg0;;;Argument[0];test-sink",
-        ";MyClass;true;memberMadSinkVar;;;;test-sink",
-        ";MyClass;true;qualifierSink;;;Argument[-1];test-sink",
-        ";MyClass;true;qualifierArg0Sink;;;Argument[-1..0];test-sink",
-        ";MyClass;true;qualifierFieldSink;;;Argument[-1].val;test-sink",
-        "MyNamespace;MyClass;true;namespaceMemberMadSinkArg0;;;Argument[0];test-sink",
-        "MyNamespace;MyClass;true;namespaceStaticMemberMadSinkArg0;;;Argument[0];test-sink",
-        "MyNamespace;MyClass;true;namespaceMemberMadSinkVar;;;;test-sink",
-        "MyNamespace;MyClass;true;namespaceStaticMemberMadSinkVar;;;;test-sink",
-      ]
-  }
-}
-
-/**
- * Models-as-data summary models for this test.
- */
-private class TestSummaries extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        ";;false;madArg0ToReturn;;;Argument[0];ReturnValue;taint",
-        ";;false;madArg0ToReturnIndirect;;;Argument[0];ReturnValue[*];taint",
-        ";;false;madArg0ToReturnValueFlow;;;Argument[0];ReturnValue;value",
-        ";;false;madArg0IndirectToReturn;;;Argument[*0];ReturnValue;taint",
-        ";;false;madArg0DoubleIndirectToReturn;;;Argument[**0];ReturnValue;taint",
-        ";;false;madArg0NotIndirectToReturn;;;Argument[0];ReturnValue;taint",
-        ";;false;madArg0ToArg1Indirect;;;Argument[0];Argument[*1];taint",
-        ";;false;madArg0IndirectToArg1Indirect;;;Argument[*0];Argument[*1];taint",
-        ";;false;madArgsComplex;;;Argument[*0..1,2];ReturnValue;taint",
-        ";;false;madAndImplementedComplex;;;Argument[2];ReturnValue;taint",
-        ";;false;madArgsAny;;;Argument;ReturnValue;taint", // (syntax not supported)
-        ";;false;madArg0FieldToReturn;;;Argument[0].Field[value];ReturnValue;taint",
-        ";;false;madArg0IndirectFieldToReturn;;;Argument[*0].Field[value];ReturnValue;taint",
-        ";;false;madArg0FieldIndirectToReturn;;;Argument[0].Field[*ptr];ReturnValue;taint",
-        ";;false;madArg0ToReturnField;;;Argument[0];ReturnValue.Field[value];taint",
-        ";;false;madArg0ToReturnIndirectField;;;Argument[0];ReturnValue[*].Field[value];taint",
-        ";;false;madArg0ToReturnFieldIndirect;;;Argument[0];ReturnValue.Field[*ptr];taint",
-        ";;false;madFieldToFieldVar;;;Field[value];Field[value2];taint",
-        ";;false;madFieldToIndirectFieldVar;;;Field[value];Field[*ptr];taint",
-        ";;false;madIndirectFieldToFieldVar;;;;Field[value];Field[value2];taint", // not correctly expressed
-        ";MyClass;true;madArg0ToSelf;;;Argument[0];Argument[-1];taint",
-        ";MyClass;true;madSelfToReturn;;;Argument[-1];ReturnValue;taint",
-        ";MyClass;true;madArg0ToField;;;Argument[0];Argument[-1].Field[val];taint",
-        ";MyClass;true;madFieldToReturn;;;Argument[-1].Field[val];ReturnValue;taint",
-        "MyNamespace;MyClass;true;namespaceMadSelfToReturn;;;Argument[-1];ReturnValue;taint",
-        ";;false;madCallArg0ReturnToReturn;;;Argument[0].ReturnValue;ReturnValue;value",
-        ";;false;madCallArg0ReturnToReturnFirst;;;Argument[0].ReturnValue;ReturnValue.Field[first];value",
-        ";;false;madCallArg0WithValue;;;Argument[1];Argument[0].Parameter[0];value",
-        ";;false;madCallReturnValueIgnoreFunction;;;Argument[1];ReturnValue;value",
-        ";StructWithTypedefInParameter<T>;true;parameter_ref_to_return_ref;(const T &);;Argument[*0];ReturnValue[*];value",
-        ";;false;receive_array;(int[20]);;Argument[*0];ReturnValue;taint"
-      ]
-  }
-}

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -277,7 +277,7 @@ bad_asts.cpp:
 #-----|     getParameter(0): [Parameter] (unnamed parameter 0)
 #-----|         Type = [LValueReferenceType] const Point &
 #   19|   <initializations>: 
-#   19|     getInitializer(0): [ConstructorFieldInit] constructor init of field x
+#   19|     getInitializer(0): [ConstructorDirectFieldInit] constructor init of field x
 #   19|         Type = [IntType] int
 #   19|         ValueCategory = prvalue
 #   19|       getExpr(): [ReferenceFieldAccess] x
@@ -289,7 +289,7 @@ bad_asts.cpp:
 #   19|         getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 #   19|             Type = [SpecifiedType] const Point
 #   19|             ValueCategory = lvalue
-#   19|     getInitializer(1): [ConstructorFieldInit] constructor init of field y
+#   19|     getInitializer(1): [ConstructorDirectFieldInit] constructor init of field y
 #   19|         Type = [IntType] int
 #   19|         ValueCategory = prvalue
 #   19|       getExpr(): [ReferenceFieldAccess] y
@@ -8986,20 +8986,20 @@ ir.cpp:
 #  658| [Constructor] void C::C()
 #  658|   <params>: 
 #  658|   <initializations>: 
-#  659|     getInitializer(0): [ConstructorFieldInit] constructor init of field m_a
+#  659|     getInitializer(0): [ConstructorDirectFieldInit] constructor init of field m_a
 #  659|         Type = [IntType] int
 #  659|         ValueCategory = prvalue
 #  659|       getExpr(): [Literal] 1
 #  659|           Type = [IntType] int
 #  659|           Value = [Literal] 1
 #  659|           ValueCategory = prvalue
-#  663|     getInitializer(1): [ConstructorFieldInit] constructor init of field m_b
+#  663|     getInitializer(1): [ConstructorDirectFieldInit] constructor init of field m_b
 #  663|         Type = [Struct] String
 #  663|         ValueCategory = prvalue
 #  663|       getExpr(): [ConstructorCall] call to String
 #  663|           Type = [VoidType] void
 #  663|           ValueCategory = prvalue
-#  660|     getInitializer(2): [ConstructorFieldInit] constructor init of field m_c
+#  660|     getInitializer(2): [ConstructorDirectFieldInit] constructor init of field m_c
 #  660|         Type = [PlainCharType] char
 #  660|         ValueCategory = prvalue
 #  660|       getExpr(): [Literal] 3
@@ -9011,14 +9011,14 @@ ir.cpp:
 #  660|           Type = [PlainCharType] char
 #  660|           Value = [CStyleCast] 3
 #  660|           ValueCategory = prvalue
-#  661|     getInitializer(3): [ConstructorFieldInit] constructor init of field m_e
+#  661|     getInitializer(3): [ConstructorDirectFieldInit] constructor init of field m_e
 #  661|         Type = [VoidPointerType] void *
 #  661|         ValueCategory = prvalue
 #  661|       getExpr(): [Literal] 0
 #  661|           Type = [VoidPointerType] void *
 #  661|           Value = [Literal] 0
 #  661|           ValueCategory = prvalue
-#  662|     getInitializer(4): [ConstructorFieldInit] constructor init of field m_f
+#  662|     getInitializer(4): [ConstructorDirectFieldInit] constructor init of field m_f
 #  662|         Type = [Struct] String
 #  662|         ValueCategory = prvalue
 #  662|       getExpr(): [ConstructorCall] call to String
@@ -9474,7 +9474,7 @@ ir.cpp:
 #-----|     getParameter(0): [Parameter] (unnamed parameter 0)
 #-----|         Type = [LValueReferenceType] const Base &
 #  745|   <initializations>: 
-#  745|     getInitializer(0): [ConstructorFieldInit] constructor init of field base_s
+#  745|     getInitializer(0): [ConstructorDirectFieldInit] constructor init of field base_s
 #  745|         Type = [Struct] String
 #  745|         ValueCategory = prvalue
 #  745|       getExpr(): [ConstructorCall] call to String
@@ -9485,7 +9485,7 @@ ir.cpp:
 #  748| [Constructor] void Base::Base()
 #  748|   <params>: 
 #  748|   <initializations>: 
-#  748|     getInitializer(0): [ConstructorFieldInit] constructor init of field base_s
+#  748|     getInitializer(0): [ConstructorDirectFieldInit] constructor init of field base_s
 #  748|         Type = [Struct] String
 #  748|         ValueCategory = prvalue
 #  748|       getExpr(): [ConstructorCall] call to String
@@ -9593,7 +9593,7 @@ ir.cpp:
 #  757|     getInitializer(0): [ConstructorDirectInit] call to Base
 #  757|         Type = [VoidType] void
 #  757|         ValueCategory = prvalue
-#  757|     getInitializer(1): [ConstructorFieldInit] constructor init of field middle_s
+#  757|     getInitializer(1): [ConstructorDirectFieldInit] constructor init of field middle_s
 #  757|         Type = [Struct] String
 #  757|         ValueCategory = prvalue
 #  757|       getExpr(): [ConstructorCall] call to String
@@ -9704,7 +9704,7 @@ ir.cpp:
 #  766|     getInitializer(0): [ConstructorDirectInit] call to Middle
 #  766|         Type = [VoidType] void
 #  766|         ValueCategory = prvalue
-#  766|     getInitializer(1): [ConstructorFieldInit] constructor init of field derived_s
+#  766|     getInitializer(1): [ConstructorDirectFieldInit] constructor init of field derived_s
 #  766|         Type = [Struct] String
 #  766|         ValueCategory = prvalue
 #  766|       getExpr(): [ConstructorCall] call to String
@@ -9743,7 +9743,7 @@ ir.cpp:
 #  775|     getInitializer(0): [ConstructorVirtualInit] call to Base
 #  775|         Type = [VoidType] void
 #  775|         ValueCategory = prvalue
-#  775|     getInitializer(1): [ConstructorFieldInit] constructor init of field middlevb1_s
+#  775|     getInitializer(1): [ConstructorDirectFieldInit] constructor init of field middlevb1_s
 #  775|         Type = [Struct] String
 #  775|         ValueCategory = prvalue
 #  775|       getExpr(): [ConstructorCall] call to String
@@ -9782,7 +9782,7 @@ ir.cpp:
 #  784|     getInitializer(0): [ConstructorVirtualInit] call to Base
 #  784|         Type = [VoidType] void
 #  784|         ValueCategory = prvalue
-#  784|     getInitializer(1): [ConstructorFieldInit] constructor init of field middlevb2_s
+#  784|     getInitializer(1): [ConstructorDirectFieldInit] constructor init of field middlevb2_s
 #  784|         Type = [Struct] String
 #  784|         ValueCategory = prvalue
 #  784|       getExpr(): [ConstructorCall] call to String
@@ -9827,7 +9827,7 @@ ir.cpp:
 #  793|     getInitializer(2): [ConstructorDirectInit] call to MiddleVB2
 #  793|         Type = [VoidType] void
 #  793|         ValueCategory = prvalue
-#  793|     getInitializer(3): [ConstructorFieldInit] constructor init of field derivedvb_s
+#  793|     getInitializer(3): [ConstructorDirectFieldInit] constructor init of field derivedvb_s
 #  793|         Type = [Struct] String
 #  793|         ValueCategory = prvalue
 #  793|       getExpr(): [ConstructorCall] call to String
@@ -15190,7 +15190,7 @@ ir.cpp:
 # 1508|     getInitializer(0): [ConstructorInit] constructor init
 # 1508|         Type = [Struct] Inheritance_Test_B
 # 1508|         ValueCategory = prvalue
-# 1508|     getInitializer(1): [ConstructorFieldInit] constructor init of field x
+# 1508|     getInitializer(1): [ConstructorDirectFieldInit] constructor init of field x
 # 1508|         Type = [IntType] int
 # 1508|         ValueCategory = prvalue
 # 1508|       getExpr(): [Literal] 42
@@ -15414,7 +15414,7 @@ ir.cpp:
 # 1533| [Constructor] void StructuredBindingDataMemberMemberStruct::StructuredBindingDataMemberMemberStruct()
 # 1533|   <params>: 
 # 1533|   <initializations>: 
-# 1533|     getInitializer(0): [ConstructorFieldInit] constructor init of field x
+# 1533|     getInitializer(0): [ConstructorDefaultFieldInit] constructor init of field x
 # 1533|         Type = [IntType] int
 # 1533|         ValueCategory = prvalue
 # 1533|   getEntryPoint(): [BlockStmt] { ... }
@@ -15434,25 +15434,25 @@ ir.cpp:
 # 1537| [Constructor] void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct()
 # 1537|   <params>: 
 # 1537|   <initializations>: 
-# 1537|     getInitializer(0): [ConstructorFieldInit] constructor init of field i
+# 1537|     getInitializer(0): [ConstructorDefaultFieldInit] constructor init of field i
 # 1537|         Type = [IntType] int
 # 1537|         ValueCategory = prvalue
-# 1537|     getInitializer(1): [ConstructorFieldInit] constructor init of field d
+# 1537|     getInitializer(1): [ConstructorDefaultFieldInit] constructor init of field d
 # 1537|         Type = [DoubleType] double
 # 1537|         ValueCategory = prvalue
-# 1537|     getInitializer(2): [ConstructorFieldInit] constructor init of field r
+# 1537|     getInitializer(2): [ConstructorDefaultFieldInit] constructor init of field r
 # 1537|         Type = [LValueReferenceType] int &
 # 1537|         ValueCategory = prvalue
-# 1537|     getInitializer(3): [ConstructorFieldInit] constructor init of field p
+# 1537|     getInitializer(3): [ConstructorDefaultFieldInit] constructor init of field p
 # 1537|         Type = [IntPointerType] int *
 # 1537|         ValueCategory = prvalue
-# 1537|     getInitializer(4): [ConstructorFieldInit] constructor init of field xs
+# 1537|     getInitializer(4): [ConstructorDefaultFieldInit] constructor init of field xs
 # 1537|         Type = [CTypedefType,NestedTypedefType] ArrayType
 # 1537|         ValueCategory = prvalue
-# 1537|     getInitializer(5): [ConstructorFieldInit] constructor init of field r_alt
+# 1537|     getInitializer(5): [ConstructorDefaultFieldInit] constructor init of field r_alt
 # 1537|         Type = [CTypedefType,NestedTypedefType] RefType
 # 1537|         ValueCategory = prvalue
-# 1537|     getInitializer(6): [ConstructorFieldInit] constructor init of field m
+# 1537|     getInitializer(6): [ConstructorDirectFieldInit] constructor init of field m
 # 1537|         Type = [Struct] StructuredBindingDataMemberMemberStruct
 # 1537|         ValueCategory = prvalue
 # 1537|       getExpr(): [ConstructorCall] call to StructuredBindingDataMemberMemberStruct
@@ -15465,7 +15465,7 @@ ir.cpp:
 #-----|     getParameter(0): [Parameter] (unnamed parameter 0)
 #-----|         Type = [LValueReferenceType] const StructuredBindingDataMemberStruct &
 # 1537|   <initializations>: 
-# 1537|     getInitializer(0): [ConstructorFieldInit] constructor init of field i
+# 1537|     getInitializer(0): [ConstructorDirectFieldInit] constructor init of field i
 # 1537|         Type = [IntType] int
 # 1537|         ValueCategory = prvalue
 # 1537|       getExpr(): [ReferenceFieldAccess] i
@@ -15477,7 +15477,7 @@ ir.cpp:
 # 1537|         getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 # 1537|             Type = [SpecifiedType] const StructuredBindingDataMemberStruct
 # 1537|             ValueCategory = lvalue
-# 1537|     getInitializer(1): [ConstructorFieldInit] constructor init of field d
+# 1537|     getInitializer(1): [ConstructorDirectFieldInit] constructor init of field d
 # 1537|         Type = [DoubleType] double
 # 1537|         ValueCategory = prvalue
 # 1537|       getExpr(): [ReferenceFieldAccess] d
@@ -15489,7 +15489,7 @@ ir.cpp:
 # 1537|         getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 # 1537|             Type = [SpecifiedType] const StructuredBindingDataMemberStruct
 # 1537|             ValueCategory = lvalue
-# 1537|     getInitializer(2): [ConstructorFieldInit] constructor init of field b
+# 1537|     getInitializer(2): [ConstructorDirectFieldInit] constructor init of field b
 # 1537|         Type = [IntType] unsigned int
 # 1537|         ValueCategory = prvalue
 # 1537|       getExpr(): [ReferenceFieldAccess] b
@@ -15501,7 +15501,7 @@ ir.cpp:
 # 1537|         getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 # 1537|             Type = [SpecifiedType] const StructuredBindingDataMemberStruct
 # 1537|             ValueCategory = lvalue
-# 1537|     getInitializer(3): [ConstructorFieldInit] constructor init of field r
+# 1537|     getInitializer(3): [ConstructorDirectFieldInit] constructor init of field r
 # 1537|         Type = [LValueReferenceType] int &
 # 1537|         ValueCategory = prvalue
 # 1537|       getExpr(): [ReferenceFieldAccess] r
@@ -15513,7 +15513,7 @@ ir.cpp:
 # 1537|         getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 # 1537|             Type = [SpecifiedType] const StructuredBindingDataMemberStruct
 # 1537|             ValueCategory = lvalue
-# 1537|     getInitializer(4): [ConstructorFieldInit] constructor init of field p
+# 1537|     getInitializer(4): [ConstructorDirectFieldInit] constructor init of field p
 # 1537|         Type = [IntPointerType] int *
 # 1537|         ValueCategory = prvalue
 # 1537|       getExpr(): [ReferenceFieldAccess] p
@@ -15525,7 +15525,7 @@ ir.cpp:
 # 1537|         getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 # 1537|             Type = [SpecifiedType] const StructuredBindingDataMemberStruct
 # 1537|             ValueCategory = lvalue
-# 1537|     getInitializer(5): [ConstructorFieldInit] constructor init of field xs
+# 1537|     getInitializer(5): [ConstructorDirectFieldInit] constructor init of field xs
 # 1537|         Type = [CTypedefType,NestedTypedefType] ArrayType
 # 1537|         ValueCategory = prvalue
 # 1537|       getExpr(): [ReferenceFieldAccess] xs
@@ -15537,7 +15537,7 @@ ir.cpp:
 # 1537|         getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 # 1537|             Type = [SpecifiedType] const StructuredBindingDataMemberStruct
 # 1537|             ValueCategory = lvalue
-# 1537|     getInitializer(6): [ConstructorFieldInit] constructor init of field r_alt
+# 1537|     getInitializer(6): [ConstructorDirectFieldInit] constructor init of field r_alt
 # 1537|         Type = [CTypedefType,NestedTypedefType] RefType
 # 1537|         ValueCategory = prvalue
 # 1537|       getExpr(): [ReferenceFieldAccess] r_alt
@@ -15549,7 +15549,7 @@ ir.cpp:
 # 1537|         getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 # 1537|             Type = [SpecifiedType] const StructuredBindingDataMemberStruct
 # 1537|             ValueCategory = lvalue
-# 1537|     getInitializer(7): [ConstructorFieldInit] constructor init of field m
+# 1537|     getInitializer(7): [ConstructorDirectFieldInit] constructor init of field m
 # 1537|         Type = [Struct] StructuredBindingDataMemberMemberStruct
 # 1537|         ValueCategory = prvalue
 # 1537|       getExpr(): [ReferenceFieldAccess] m
@@ -15918,13 +15918,13 @@ ir.cpp:
 # 1590| [Constructor] void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet()
 # 1590|   <params>: 
 # 1590|   <initializations>: 
-# 1590|     getInitializer(0): [ConstructorFieldInit] constructor init of field i
+# 1590|     getInitializer(0): [ConstructorDefaultFieldInit] constructor init of field i
 # 1590|         Type = [IntType] int
 # 1590|         ValueCategory = prvalue
-# 1590|     getInitializer(1): [ConstructorFieldInit] constructor init of field d
+# 1590|     getInitializer(1): [ConstructorDefaultFieldInit] constructor init of field d
 # 1590|         Type = [DoubleType] double
 # 1590|         ValueCategory = prvalue
-# 1590|     getInitializer(2): [ConstructorFieldInit] constructor init of field r
+# 1590|     getInitializer(2): [ConstructorDefaultFieldInit] constructor init of field r
 # 1590|         Type = [LValueReferenceType] int &
 # 1590|         ValueCategory = prvalue
 # 1590|   getEntryPoint(): [BlockStmt] { ... }
@@ -15934,7 +15934,7 @@ ir.cpp:
 #-----|     getParameter(0): [Parameter] (unnamed parameter 0)
 #-----|         Type = [LValueReferenceType] const StructuredBindingTupleRefGet &
 # 1590|   <initializations>: 
-# 1590|     getInitializer(0): [ConstructorFieldInit] constructor init of field i
+# 1590|     getInitializer(0): [ConstructorDirectFieldInit] constructor init of field i
 # 1590|         Type = [IntType] int
 # 1590|         ValueCategory = prvalue
 # 1590|       getExpr(): [ReferenceFieldAccess] i
@@ -15946,7 +15946,7 @@ ir.cpp:
 # 1590|         getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 # 1590|             Type = [SpecifiedType] const StructuredBindingTupleRefGet
 # 1590|             ValueCategory = lvalue
-# 1590|     getInitializer(1): [ConstructorFieldInit] constructor init of field d
+# 1590|     getInitializer(1): [ConstructorDirectFieldInit] constructor init of field d
 # 1590|         Type = [DoubleType] double
 # 1590|         ValueCategory = prvalue
 # 1590|       getExpr(): [ReferenceFieldAccess] d
@@ -15958,7 +15958,7 @@ ir.cpp:
 # 1590|         getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 # 1590|             Type = [SpecifiedType] const StructuredBindingTupleRefGet
 # 1590|             ValueCategory = lvalue
-# 1590|     getInitializer(2): [ConstructorFieldInit] constructor init of field r
+# 1590|     getInitializer(2): [ConstructorDirectFieldInit] constructor init of field r
 # 1590|         Type = [LValueReferenceType] int &
 # 1590|         ValueCategory = prvalue
 # 1590|       getExpr(): [ReferenceFieldAccess] r
@@ -16327,10 +16327,10 @@ ir.cpp:
 # 1657| [Constructor] void StructuredBindingTupleNoRefGet::StructuredBindingTupleNoRefGet()
 # 1657|   <params>: 
 # 1657|   <initializations>: 
-# 1657|     getInitializer(0): [ConstructorFieldInit] constructor init of field i
+# 1657|     getInitializer(0): [ConstructorDefaultFieldInit] constructor init of field i
 # 1657|         Type = [IntType] int
 # 1657|         ValueCategory = prvalue
-# 1657|     getInitializer(1): [ConstructorFieldInit] constructor init of field r
+# 1657|     getInitializer(1): [ConstructorDefaultFieldInit] constructor init of field r
 # 1657|         Type = [LValueReferenceType] int &
 # 1657|         ValueCategory = prvalue
 # 1657|   getEntryPoint(): [BlockStmt] { ... }
@@ -19817,7 +19817,7 @@ ir.cpp:
 #-----|     getParameter(0): [Parameter] (unnamed parameter 0)
 #-----|         Type = [LValueReferenceType] const ClassWithDestructor &
 # 2188|   <initializations>: 
-# 2188|     getInitializer(0): [ConstructorFieldInit] constructor init of field x
+# 2188|     getInitializer(0): [ConstructorDirectFieldInit] constructor init of field x
 # 2188|         Type = [CharPointerType] char *
 # 2188|         ValueCategory = prvalue
 # 2188|       getExpr(): [ReferenceFieldAccess] x
@@ -25642,6 +25642,168 @@ ir.cpp:
 # 2884|                   Type = [VoidType] void
 # 2884|                   ValueCategory = prvalue
 # 2886|     getStmt(6): [ReturnStmt] return ...
+# 2889| [CopyAssignmentOperator] StructInit& StructInit::operator=(StructInit const&)
+# 2889|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const StructInit &
+# 2889| [MoveAssignmentOperator] StructInit& StructInit::operator=(StructInit&&)
+# 2889|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] StructInit &&
+# 2889| [CopyConstructor] void StructInit::StructInit(StructInit const&)
+# 2889|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const StructInit &
+# 2889| [MoveConstructor] void StructInit::StructInit(StructInit&&)
+# 2889|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] StructInit &&
+# 2897| [Constructor] void StructInit::StructInit(int)
+# 2897|   <params>: 
+# 2897|     getParameter(0): [Parameter] j
+# 2897|         Type = [IntType] int
+# 2897|   <initializations>: 
+# 2897|     getInitializer(0): [ConstructorDefaultFieldInit] constructor init of field i
+# 2897|         Type = [IntType] int
+# 2897|         ValueCategory = prvalue
+# 2897|     getInitializer(1): [ConstructorDirectFieldInit] constructor init of field j
+# 2897|         Type = [IntType] int
+# 2897|         ValueCategory = prvalue
+# 2897|       getExpr(): [VariableAccess] j
+# 2897|           Type = [IntType] int
+# 2897|           ValueCategory = prvalue(load)
+# 2897|     getInitializer(2): [ConstructorDefaultFieldInit] constructor init of field k
+# 2897|         Type = [IntType] int
+# 2897|         ValueCategory = prvalue
+# 2897|     getInitializer(3): [ConstructorDefaultFieldInit] constructor init of field l
+# 2897|         Type = [IntType] int
+# 2897|         ValueCategory = prvalue
+# 2897|     getInitializer(4): [ConstructorDefaultFieldInit] constructor init of field m
+# 2897|         Type = [IntType] int
+# 2897|         ValueCategory = prvalue
+# 2897|     getInitializer(5): [ConstructorDirectFieldInit] constructor init of field n
+# 2897|         Type = [IntType] int
+# 2897|         ValueCategory = prvalue
+# 2897|       getExpr(): [FunctionCall] call to get_val
+# 2897|           Type = [IntType] int
+# 2897|           ValueCategory = prvalue
+# 2897|         getQualifier(): [ThisExpr] this
+# 2897|             Type = [PointerType] StructInit *
+# 2897|             ValueCategory = prvalue(load)
+# 2897|   getEntryPoint(): [BlockStmt] { ... }
+# 2897|     getStmt(0): [ReturnStmt] return ...
+# 2899| [Constructor] void StructInit::StructInit()
+# 2899|   <params>: 
+# 2899|   <initializations>: 
+# 2899|     getInitializer(0): [ConstructorDirectFieldInit] constructor init of field i
+# 2899|         Type = [IntType] int
+# 2899|         ValueCategory = prvalue
+# 2899|       getExpr(): [Literal] 41
+# 2899|           Type = [IntType] int
+# 2899|           Value = [Literal] 41
+# 2899|           ValueCategory = prvalue
+# 2899|     getInitializer(1): [ConstructorDefaultFieldInit] constructor init of field j
+# 2899|         Type = [IntType] int
+# 2899|         ValueCategory = prvalue
+# 2899|     getInitializer(2): [ConstructorDirectFieldInit] constructor init of field k
+# 2899|         Type = [IntType] int
+# 2899|         ValueCategory = prvalue
+# 2899|       getExpr(): [Literal] 41
+# 2899|           Type = [IntType] int
+# 2899|           Value = [Literal] 41
+# 2899|           ValueCategory = prvalue
+# 2899|     getInitializer(3): [ConstructorDefaultFieldInit] constructor init of field l
+# 2899|         Type = [IntType] int
+# 2899|         ValueCategory = prvalue
+# 2899|     getInitializer(4): [ConstructorDefaultFieldInit] constructor init of field m
+# 2899|         Type = [IntType] int
+# 2899|         ValueCategory = prvalue
+# 2899|     getInitializer(5): [ConstructorDefaultFieldInit] constructor init of field n
+# 2899|         Type = [IntType] int
+# 2899|         ValueCategory = prvalue
+# 2899|   getEntryPoint(): [BlockStmt] { ... }
+# 2899|     getStmt(0): [ReturnStmt] return ...
+# 2901| [MemberFunction] int StructInit::get_val()
+# 2901|   <params>: 
+# 2901|   getEntryPoint(): [BlockStmt] { ... }
+# 2901|     getStmt(0): [ReturnStmt] return ...
+# 2901|       getExpr(): [ImplicitThisFieldAccess,PointerFieldAccess] k
+# 2901|           Type = [IntType] int
+# 2901|           ValueCategory = prvalue(load)
+# 2901|         getQualifier(): [ThisExpr] this
+# 2901|             Type = [PointerType] StructInit *
+# 2901|             ValueCategory = prvalue(load)
+# 2905| [Constructor] void StructInitFromTemplate<int>::StructInitFromTemplate()
+# 2905|   <params>: 
+# 2905|   <initializations>: 
+# 2905|     getInitializer(0): [ConstructorDefaultFieldInit] constructor init of field t
+# 2905|         Type = [IntType] int
+# 2905|         ValueCategory = prvalue
+# 2905|   getEntryPoint(): [BlockStmt] { ... }
+# 2905|     getStmt(0): [ReturnStmt] return ...
+# 2909| [GlobalVariable] StructInitFromTemplate<int> StructInitFromTemplateVar
+#-----|   getInitializer(): [Initializer] initializer for StructInitFromTemplateVar
+#-----|     getExpr(): [ConstructorCall] call to StructInitFromTemplate
+#-----|         Type = [VoidType] void
+#-----|         ValueCategory = prvalue
+#-----|     getExpr().getFullyConverted(): [TemporaryObjectExpr] temporary object
+#-----|         Type = [ClassTemplateInstantiation,Struct] StructInitFromTemplate<int>
+#-----|         ValueCategory = prvalue(load)
+# 2912| [GlobalVariable,VariableTemplateInstantiation] double VariableTemplate<double>
+# 2912|   getInitializer(): [Initializer] initializer for VariableTemplate
+# 2912|     getExpr(): [Literal] 42
+# 2912|         Type = [IntType] int
+# 2912|         Value = [Literal] 42
+# 2912|         ValueCategory = prvalue
+# 2912|     getExpr().getFullyConverted(): [CStyleCast] (double)...
+# 2912|         Conversion = [IntegralToFloatingPointConversion] integral to floating point conversion
+# 2912|         Type = [DoubleType] double
+# 2912|         Value = [CStyleCast] 42.0
+# 2912|         ValueCategory = prvalue
+# 2915| [TemplateFunction,TopLevelFunction] T VariableTemplateFunc<T>(T)
+# 2915|   <params>: 
+# 2915|     getParameter(0): [Parameter] x
+# 2915|         Type = [TypeTemplateParameter] T
+# 2915|   getEntryPoint(): [BlockStmt] { ... }
+# 2916|     getStmt(0): [ReturnStmt] return ...
+# 2916|       getExpr(): [AddExpr] ... + ...
+# 2916|           Type = [UnknownType] unknown
+# 2916|           ValueCategory = prvalue
+# 2916|         getLeftOperand(): [VariableAccess] VariableTemplate
+# 2916|             Type = [UnknownType] unknown
+# 2916|             ValueCategory = lvalue
+# 2916|         getRightOperand(): [VariableAccess] x
+# 2916|             Type = [TypeTemplateParameter] T
+# 2916|             ValueCategory = lvalue
+# 2915| [FunctionTemplateInstantiation,TopLevelFunction] double VariableTemplateFunc<double>(double)
+# 2915|   <params>: 
+# 2915|     getParameter(0): [Parameter] x
+# 2915|         Type = [DoubleType] double
+# 2915|   getEntryPoint(): [BlockStmt] { ... }
+# 2916|     getStmt(0): [ReturnStmt] return ...
+# 2916|       getExpr(): [AddExpr] ... + ...
+# 2916|           Type = [DoubleType] double
+# 2916|           ValueCategory = prvalue
+# 2916|         getLeftOperand(): [VariableAccess] VariableTemplate
+# 2916|             Type = [DoubleType] double
+# 2916|             Value = [VariableAccess] 42.0
+# 2916|             ValueCategory = prvalue(load)
+# 2916|         getRightOperand(): [VariableAccess] x
+# 2916|             Type = [DoubleType] double
+# 2916|             ValueCategory = prvalue(load)
+# 2919| [GlobalVariable] int VariableTemplateFuncUse
+# 2919|   getInitializer(): [Initializer] initializer for VariableTemplateFuncUse
+# 2919|     getExpr(): [FunctionCall] call to VariableTemplateFunc
+# 2919|         Type = [DoubleType] double
+# 2919|         ValueCategory = prvalue
+# 2919|       getArgument(0): [Literal] 2.299999999999999822
+# 2919|           Type = [DoubleType] double
+# 2919|           Value = [Literal] 2.299999999999999822
+# 2919|           ValueCategory = prvalue
+# 2919|     getExpr().getFullyConverted(): [CStyleCast] (int)...
+# 2919|         Conversion = [FloatingPointToIntegralConversion] floating point to integral conversion
+# 2919|         Type = [IntType] int
+# 2919|         ValueCategory = prvalue
 ir23.cpp:
 #    1| [TopLevelFunction] bool consteval_1()
 #    1|   <params>: 
@@ -50386,7 +50548,7 @@ perf-regression.cpp:
 #    6| [Constructor] void Big::Big()
 #    6|   <params>: 
 #    6|   <initializations>: 
-#    6|     getInitializer(0): [ConstructorFieldInit] constructor init of field buffer
+#    6|     getInitializer(0): [ConstructorDirectFieldInit] constructor init of field buffer
 #    6|         Type = [ArrayType] char[1073741824]
 #    6|         ValueCategory = prvalue
 #    6|       getExpr(): [ArrayAggregateLiteral] {...}

cpp/ql/test/library-tests/ir/ir/PrintConfig.qll

@@ -20,5 +20,7 @@ predicate shouldDumpDeclaration(Declaration decl) {
     decl.(GlobalOrNamespaceVariable).hasInitializer()
     or
     decl.(StaticLocalVariable).hasInitializer()
+    or
+    decl.(Field).hasInitializer()
   )
 }

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -2886,4 +2886,36 @@ namespace {
     }
 }
 
+struct StructInit {
+    int i = 42;
+    int j = 42;
+    int k = 42;
+    int l = k;
+    int m = get_val();
+    int n = 42;
+
+    StructInit(int j) : j(j), n(get_val()) {}
+
+    StructInit() : i(41), k(41) {}
+
+    int get_val() { return k; }
+};
+
+template<typename T>
+struct StructInitFromTemplate {
+    T t = T();
+};
+
+StructInitFromTemplate<int> StructInitFromTemplateVar;
+
+template<class T>
+constexpr T VariableTemplate = T(42);
+ 
+template<class T>
+T VariableTemplateFunc(T x) {
+    return VariableTemplate<T> + x;
+}
+
+int VariableTemplateFuncUse = VariableTemplateFunc(2.3);
+
 // semmle-extractor-options: -std=c++20 --clang

cpp/ql/test/library-tests/ir/ir/raw_consistency.expected

@@ -20,7 +20,6 @@ multipleIRTypes
 lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
-| ir.cpp:1537:8:1537:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1537:8:1537:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
 switchInstructionWithoutDefaultEdge
 notMarkedAsConflated
 wronglyMarkedAsConflated

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -11339,44 +11339,89 @@ ir.cpp:
 
 # 1533| void StructuredBindingDataMemberMemberStruct::StructuredBindingDataMemberMemberStruct()
 # 1533|   Block 0
-# 1533|     v1533_1(void)                                            = EnterFunction                : 
-# 1533|     mu1533_2(unknown)                                        = AliasedDefinition            : 
-# 1533|     mu1533_3(unknown)                                        = InitializeNonLocal           : 
-# 1533|     r1533_4(glval<unknown>)                                  = VariableAddress[#this]       : 
-# 1533|     mu1533_5(glval<StructuredBindingDataMemberMemberStruct>) = InitializeParameter[#this]   : &:r1533_4
-# 1533|     r1533_6(glval<StructuredBindingDataMemberMemberStruct>)  = Load[#this]                  : &:r1533_4, ~m?
-# 1533|     mu1533_7(StructuredBindingDataMemberMemberStruct)        = InitializeIndirection[#this] : &:r1533_6
-# 1533|     v1533_8(void)                                            = NoOp                         : 
-# 1533|     v1533_9(void)                                            = ReturnIndirection[#this]     : &:r1533_6, ~m?
-# 1533|     v1533_10(void)                                           = ReturnVoid                   : 
-# 1533|     v1533_11(void)                                           = AliasedUse                   : ~m?
-# 1533|     v1533_12(void)                                           = ExitFunction                 : 
+# 1533|     v1533_1(void)                                            = EnterFunction                   : 
+# 1533|     mu1533_2(unknown)                                        = AliasedDefinition               : 
+# 1533|     mu1533_3(unknown)                                        = InitializeNonLocal              : 
+# 1533|     r1533_4(glval<unknown>)                                  = VariableAddress[#this]          : 
+# 1533|     mu1533_5(glval<StructuredBindingDataMemberMemberStruct>) = InitializeParameter[#this]      : &:r1533_4
+# 1533|     r1533_6(glval<StructuredBindingDataMemberMemberStruct>)  = Load[#this]                     : &:r1533_4, ~m?
+# 1533|     mu1533_7(StructuredBindingDataMemberMemberStruct)        = InitializeIndirection[#this]    : &:r1533_6
+# 1533|     r1533_8(glval<unknown>)                                  = FunctionAddress[x]              : 
+# 1533|     v1533_9(void)                                            = Call[x]                         : func:r1533_8, this:r1533_6
+# 1533|     mu1533_10(unknown)                                       = ^CallSideEffect                 : ~m?
+# 1533|     v1533_11(void)                                           = ^IndirectReadSideEffect[-1]     : &:r1533_6, ~m?
+# 1533|     mu1533_12(StructuredBindingDataMemberMemberStruct)       = ^IndirectMayWriteSideEffect[-1] : &:r1533_6
+# 1533|     v1533_13(void)                                           = NoOp                            : 
+# 1533|     v1533_14(void)                                           = ReturnIndirection[#this]        : &:r1533_6, ~m?
+# 1533|     v1533_15(void)                                           = ReturnVoid                      : 
+# 1533|     v1533_16(void)                                           = AliasedUse                      : ~m?
+# 1533|     v1533_17(void)                                           = ExitFunction                    : 
+
+# 1534| int StructuredBindingDataMemberMemberStruct::x
+# 1534|   Block 0
+# 1534|     v1534_1(void)                                            = EnterFunction                : 
+# 1534|     mu1534_2(unknown)                                        = AliasedDefinition            : 
+# 1534|     mu1534_3(unknown)                                        = InitializeNonLocal           : 
+# 1534|     r1534_4(glval<unknown>)                                  = VariableAddress[#this]       : 
+# 1534|     mu1534_5(glval<StructuredBindingDataMemberMemberStruct>) = InitializeParameter[#this]   : &:r1534_4
+# 1534|     r1534_6(glval<StructuredBindingDataMemberMemberStruct>)  = Load[#this]                  : &:r1534_4, ~m?
+# 1534|     mu1534_7(StructuredBindingDataMemberMemberStruct)        = InitializeIndirection[#this] : &:r1534_6
+# 1534|     r1534_8(glval<int>)                                      = FieldAddress[x]              : r1534_6
+# 1534|     r1534_9(int)                                             = Constant[5]                  : 
+# 1534|     mu1534_10(int)                                           = Store[?]                     : &:r1534_8, r1534_9
+# 1534|     v1534_11(void)                                           = ReturnVoid                   : 
+# 1534|     v1534_12(void)                                           = AliasedUse                   : ~m?
+# 1534|     v1534_13(void)                                           = ExitFunction                 : 
 
 # 1537| void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct()
 # 1537|   Block 0
-# 1537|     v1537_1(void)                                      = EnterFunction                : 
-# 1537|     mu1537_2(unknown)                                  = AliasedDefinition            : 
-# 1537|     mu1537_3(unknown)                                  = InitializeNonLocal           : 
-# 1537|     r1537_4(glval<unknown>)                            = VariableAddress[#this]       : 
-# 1537|     mu1537_5(glval<StructuredBindingDataMemberStruct>) = InitializeParameter[#this]   : &:r1537_4
-# 1537|     r1537_6(glval<StructuredBindingDataMemberStruct>)  = Load[#this]                  : &:r1537_4, ~m?
-# 1537|     mu1537_7(StructuredBindingDataMemberStruct)        = InitializeIndirection[#this] : &:r1537_6
-#-----|   Goto -> Block 2
-
-# 1537|   Block 1
-# 1537|     r1537_8(glval<StructuredBindingDataMemberMemberStruct>) = FieldAddress[m]                                          : r1537_6
-# 1537|     r1537_9(glval<unknown>)                                 = FunctionAddress[StructuredBindingDataMemberMemberStruct] : 
-# 1537|     v1537_10(void)                                          = Call[StructuredBindingDataMemberMemberStruct]            : func:r1537_9, this:r1537_8
-# 1537|     mu1537_11(unknown)                                      = ^CallSideEffect                                          : ~m?
-# 1537|     mu1537_12(StructuredBindingDataMemberMemberStruct)      = ^IndirectMayWriteSideEffect[-1]                          : &:r1537_8
-#-----|   Goto -> Block 2
-
-# 1537|   Block 2
-# 1537|     v1537_13(void) = NoOp                     : 
-# 1537|     v1537_14(void) = ReturnIndirection[#this] : &:r1537_6, ~m?
-# 1537|     v1537_15(void) = ReturnVoid               : 
-# 1537|     v1537_16(void) = AliasedUse               : ~m?
-# 1537|     v1537_17(void) = ExitFunction             : 
+# 1537|     v1537_1(void)                                            = EnterFunction                                            : 
+# 1537|     mu1537_2(unknown)                                        = AliasedDefinition                                        : 
+# 1537|     mu1537_3(unknown)                                        = InitializeNonLocal                                       : 
+# 1537|     r1537_4(glval<unknown>)                                  = VariableAddress[#this]                                   : 
+# 1537|     mu1537_5(glval<StructuredBindingDataMemberStruct>)       = InitializeParameter[#this]                               : &:r1537_4
+# 1537|     r1537_6(glval<StructuredBindingDataMemberStruct>)        = Load[#this]                                              : &:r1537_4, ~m?
+# 1537|     mu1537_7(StructuredBindingDataMemberStruct)              = InitializeIndirection[#this]                             : &:r1537_6
+# 1537|     r1537_8(glval<unknown>)                                  = FunctionAddress[i]                                       : 
+# 1537|     v1537_9(void)                                            = Call[i]                                                  : func:r1537_8, this:r1537_6
+# 1537|     mu1537_10(unknown)                                       = ^CallSideEffect                                          : ~m?
+# 1537|     v1537_11(void)                                           = ^IndirectReadSideEffect[-1]                              : &:r1537_6, ~m?
+# 1537|     mu1537_12(StructuredBindingDataMemberStruct)             = ^IndirectMayWriteSideEffect[-1]                          : &:r1537_6
+# 1537|     r1537_13(glval<unknown>)                                 = FunctionAddress[d]                                       : 
+# 1537|     v1537_14(void)                                           = Call[d]                                                  : func:r1537_13, this:r1537_6
+# 1537|     mu1537_15(unknown)                                       = ^CallSideEffect                                          : ~m?
+# 1537|     v1537_16(void)                                           = ^IndirectReadSideEffect[-1]                              : &:r1537_6, ~m?
+# 1537|     mu1537_17(StructuredBindingDataMemberStruct)             = ^IndirectMayWriteSideEffect[-1]                          : &:r1537_6
+# 1537|     r1537_18(glval<unknown>)                                 = FunctionAddress[r]                                       : 
+# 1537|     v1537_19(void)                                           = Call[r]                                                  : func:r1537_18, this:r1537_6
+# 1537|     mu1537_20(unknown)                                       = ^CallSideEffect                                          : ~m?
+# 1537|     v1537_21(void)                                           = ^IndirectReadSideEffect[-1]                              : &:r1537_6, ~m?
+# 1537|     mu1537_22(StructuredBindingDataMemberStruct)             = ^IndirectMayWriteSideEffect[-1]                          : &:r1537_6
+# 1537|     r1537_23(glval<unknown>)                                 = FunctionAddress[p]                                       : 
+# 1537|     v1537_24(void)                                           = Call[p]                                                  : func:r1537_23, this:r1537_6
+# 1537|     mu1537_25(unknown)                                       = ^CallSideEffect                                          : ~m?
+# 1537|     v1537_26(void)                                           = ^IndirectReadSideEffect[-1]                              : &:r1537_6, ~m?
+# 1537|     mu1537_27(StructuredBindingDataMemberStruct)             = ^IndirectMayWriteSideEffect[-1]                          : &:r1537_6
+# 1537|     r1537_28(glval<unknown>)                                 = FunctionAddress[xs]                                      : 
+# 1537|     v1537_29(void)                                           = Call[xs]                                                 : func:r1537_28, this:r1537_6
+# 1537|     mu1537_30(unknown)                                       = ^CallSideEffect                                          : ~m?
+# 1537|     v1537_31(void)                                           = ^IndirectReadSideEffect[-1]                              : &:r1537_6, ~m?
+# 1537|     mu1537_32(StructuredBindingDataMemberStruct)             = ^IndirectMayWriteSideEffect[-1]                          : &:r1537_6
+# 1537|     r1537_33(glval<unknown>)                                 = FunctionAddress[r_alt]                                   : 
+# 1537|     v1537_34(void)                                           = Call[r_alt]                                              : func:r1537_33, this:r1537_6
+# 1537|     mu1537_35(unknown)                                       = ^CallSideEffect                                          : ~m?
+# 1537|     v1537_36(void)                                           = ^IndirectReadSideEffect[-1]                              : &:r1537_6, ~m?
+# 1537|     mu1537_37(StructuredBindingDataMemberStruct)             = ^IndirectMayWriteSideEffect[-1]                          : &:r1537_6
+# 1537|     r1537_38(glval<StructuredBindingDataMemberMemberStruct>) = FieldAddress[m]                                          : r1537_6
+# 1537|     r1537_39(glval<unknown>)                                 = FunctionAddress[StructuredBindingDataMemberMemberStruct] : 
+# 1537|     v1537_40(void)                                           = Call[StructuredBindingDataMemberMemberStruct]            : func:r1537_39, this:r1537_38
+# 1537|     mu1537_41(unknown)                                       = ^CallSideEffect                                          : ~m?
+# 1537|     mu1537_42(StructuredBindingDataMemberMemberStruct)       = ^IndirectMayWriteSideEffect[-1]                          : &:r1537_38
+# 1537|     v1537_43(void)                                           = NoOp                                                     : 
+# 1537|     v1537_44(void)                                           = ReturnIndirection[#this]                                 : &:r1537_6, ~m?
+# 1537|     v1537_45(void)                                           = ReturnVoid                                               : 
+# 1537|     v1537_46(void)                                           = AliasedUse                                               : ~m?
+# 1537|     v1537_47(void)                                           = ExitFunction                                             : 
 
 # 1537| void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&)
 # 1537|   Block 0
@@ -11454,6 +11499,114 @@ ir.cpp:
 # 1537|     v1537_67(void)                                           = AliasedUse                                   : ~m?
 # 1537|     v1537_68(void)                                           = ExitFunction                                 : 
 
+# 1540| int StructuredBindingDataMemberStruct::i
+# 1540|   Block 0
+# 1540|     v1540_1(void)                                      = EnterFunction                : 
+# 1540|     mu1540_2(unknown)                                  = AliasedDefinition            : 
+# 1540|     mu1540_3(unknown)                                  = InitializeNonLocal           : 
+# 1540|     r1540_4(glval<unknown>)                            = VariableAddress[#this]       : 
+# 1540|     mu1540_5(glval<StructuredBindingDataMemberStruct>) = InitializeParameter[#this]   : &:r1540_4
+# 1540|     r1540_6(glval<StructuredBindingDataMemberStruct>)  = Load[#this]                  : &:r1540_4, ~m?
+# 1540|     mu1540_7(StructuredBindingDataMemberStruct)        = InitializeIndirection[#this] : &:r1540_6
+# 1540|     r1540_8(glval<int>)                                = FieldAddress[i]              : r1540_6
+# 1540|     r1540_9(int)                                       = Constant[1]                  : 
+# 1540|     mu1540_10(int)                                     = Store[?]                     : &:r1540_8, r1540_9
+# 1540|     v1540_11(void)                                     = ReturnVoid                   : 
+# 1540|     v1540_12(void)                                     = AliasedUse                   : ~m?
+# 1540|     v1540_13(void)                                     = ExitFunction                 : 
+
+# 1541| double StructuredBindingDataMemberStruct::d
+# 1541|   Block 0
+# 1541|     v1541_1(void)                                      = EnterFunction                : 
+# 1541|     mu1541_2(unknown)                                  = AliasedDefinition            : 
+# 1541|     mu1541_3(unknown)                                  = InitializeNonLocal           : 
+# 1541|     r1541_4(glval<unknown>)                            = VariableAddress[#this]       : 
+# 1541|     mu1541_5(glval<StructuredBindingDataMemberStruct>) = InitializeParameter[#this]   : &:r1541_4
+# 1541|     r1541_6(glval<StructuredBindingDataMemberStruct>)  = Load[#this]                  : &:r1541_4, ~m?
+# 1541|     mu1541_7(StructuredBindingDataMemberStruct)        = InitializeIndirection[#this] : &:r1541_6
+# 1541|     r1541_8(glval<double>)                             = FieldAddress[d]              : r1541_6
+# 1541|     r1541_9(double)                                    = Constant[2.0]                : 
+# 1541|     mu1541_10(double)                                  = Store[?]                     : &:r1541_8, r1541_9
+# 1541|     v1541_11(void)                                     = ReturnVoid                   : 
+# 1541|     v1541_12(void)                                     = AliasedUse                   : ~m?
+# 1541|     v1541_13(void)                                     = ExitFunction                 : 
+
+# 1543| int& StructuredBindingDataMemberStruct::r
+# 1543|   Block 0
+# 1543|     v1543_1(void)                                      = EnterFunction                : 
+# 1543|     mu1543_2(unknown)                                  = AliasedDefinition            : 
+# 1543|     mu1543_3(unknown)                                  = InitializeNonLocal           : 
+# 1543|     r1543_4(glval<unknown>)                            = VariableAddress[#this]       : 
+# 1543|     mu1543_5(glval<StructuredBindingDataMemberStruct>) = InitializeParameter[#this]   : &:r1543_4
+# 1543|     r1543_6(glval<StructuredBindingDataMemberStruct>)  = Load[#this]                  : &:r1543_4, ~m?
+# 1543|     mu1543_7(StructuredBindingDataMemberStruct)        = InitializeIndirection[#this] : &:r1543_6
+# 1543|     r1543_8(glval<int &>)                              = FieldAddress[r]              : r1543_6
+# 1543|     r1543_9(StructuredBindingDataMemberStruct *)       = CopyValue                    : r1543_6
+# 1543|     r1543_10(glval<int>)                               = FieldAddress[i]              : r1543_9
+#-----|     r0_1(int &)                                        = CopyValue                    : r1543_10
+#-----|     mu0_2(int &)                                       = Store[?]                     : &:r1543_8, r0_1
+# 1543|     v1543_11(void)                                     = ReturnVoid                   : 
+# 1543|     v1543_12(void)                                     = AliasedUse                   : ~m?
+# 1543|     v1543_13(void)                                     = ExitFunction                 : 
+
+# 1544| int* StructuredBindingDataMemberStruct::p
+# 1544|   Block 0
+# 1544|     v1544_1(void)                                      = EnterFunction                : 
+# 1544|     mu1544_2(unknown)                                  = AliasedDefinition            : 
+# 1544|     mu1544_3(unknown)                                  = InitializeNonLocal           : 
+# 1544|     r1544_4(glval<unknown>)                            = VariableAddress[#this]       : 
+# 1544|     mu1544_5(glval<StructuredBindingDataMemberStruct>) = InitializeParameter[#this]   : &:r1544_4
+# 1544|     r1544_6(glval<StructuredBindingDataMemberStruct>)  = Load[#this]                  : &:r1544_4, ~m?
+# 1544|     mu1544_7(StructuredBindingDataMemberStruct)        = InitializeIndirection[#this] : &:r1544_6
+# 1544|     r1544_8(glval<int *>)                              = FieldAddress[p]              : r1544_6
+# 1544|     r1544_9(StructuredBindingDataMemberStruct *)       = CopyValue                    : r1544_6
+# 1544|     r1544_10(glval<int>)                               = FieldAddress[i]              : r1544_9
+# 1544|     r1544_11(int *)                                    = CopyValue                    : r1544_10
+# 1544|     mu1544_12(int *)                                   = Store[?]                     : &:r1544_8, r1544_11
+# 1544|     v1544_13(void)                                     = ReturnVoid                   : 
+# 1544|     v1544_14(void)                                     = AliasedUse                   : ~m?
+# 1544|     v1544_15(void)                                     = ExitFunction                 : 
+
+# 1545| StructuredBindingDataMemberStruct::ArrayType StructuredBindingDataMemberStruct::xs
+# 1545|   Block 0
+# 1545|     v1545_1(void)                                      = EnterFunction                : 
+# 1545|     mu1545_2(unknown)                                  = AliasedDefinition            : 
+# 1545|     mu1545_3(unknown)                                  = InitializeNonLocal           : 
+# 1545|     r1545_4(glval<unknown>)                            = VariableAddress[#this]       : 
+# 1545|     mu1545_5(glval<StructuredBindingDataMemberStruct>) = InitializeParameter[#this]   : &:r1545_4
+# 1545|     r1545_6(glval<StructuredBindingDataMemberStruct>)  = Load[#this]                  : &:r1545_4, ~m?
+# 1545|     mu1545_7(StructuredBindingDataMemberStruct)        = InitializeIndirection[#this] : &:r1545_6
+# 1545|     r1545_8(glval<int[2]>)                             = FieldAddress[xs]             : r1545_6
+# 1545|     r1545_9(int)                                       = Constant[0]                  : 
+# 1545|     r1545_10(glval<int>)                               = PointerAdd[4]                : r1545_8, r1545_9
+# 1545|     r1545_11(int)                                      = Constant[1]                  : 
+# 1545|     mu1545_12(int)                                     = Store[?]                     : &:r1545_10, r1545_11
+# 1545|     r1545_13(int)                                      = Constant[1]                  : 
+# 1545|     r1545_14(glval<int>)                               = PointerAdd[4]                : r1545_8, r1545_13
+# 1545|     r1545_15(int)                                      = Constant[2]                  : 
+# 1545|     mu1545_16(int)                                     = Store[?]                     : &:r1545_14, r1545_15
+# 1545|     v1545_17(void)                                     = ReturnVoid                   : 
+# 1545|     v1545_18(void)                                     = AliasedUse                   : ~m?
+# 1545|     v1545_19(void)                                     = ExitFunction                 : 
+
+# 1546| StructuredBindingDataMemberStruct::RefType StructuredBindingDataMemberStruct::r_alt
+# 1546|   Block 0
+# 1546|     v1546_1(void)                                      = EnterFunction                : 
+# 1546|     mu1546_2(unknown)                                  = AliasedDefinition            : 
+# 1546|     mu1546_3(unknown)                                  = InitializeNonLocal           : 
+# 1546|     r1546_4(glval<unknown>)                            = VariableAddress[#this]       : 
+# 1546|     mu1546_5(glval<StructuredBindingDataMemberStruct>) = InitializeParameter[#this]   : &:r1546_4
+# 1546|     r1546_6(glval<StructuredBindingDataMemberStruct>)  = Load[#this]                  : &:r1546_4, ~m?
+# 1546|     mu1546_7(StructuredBindingDataMemberStruct)        = InitializeIndirection[#this] : &:r1546_6
+# 1546|     r1546_8(glval<int &>)                              = FieldAddress[r_alt]          : r1546_6
+# 1546|     r1546_9(StructuredBindingDataMemberStruct *)       = CopyValue                    : r1546_6
+# 1546|     r1546_10(glval<int>)                               = FieldAddress[i]              : r1546_9
+#-----|     r0_1(int &)                                        = CopyValue                    : r1546_10
+#-----|     mu0_2(int &)                                       = Store[?]                     : &:r1546_8, r0_1
+# 1546|     v1546_11(void)                                     = ReturnVoid                   : 
+# 1546|     v1546_12(void)                                     = AliasedUse                   : ~m?
+# 1546|     v1546_13(void)                                     = ExitFunction                 : 
+
 # 1550| void data_member_structured_binding()
 # 1550|   Block 0
 # 1550|     v1550_1(void)                                              = EnterFunction                                      : 
@@ -11621,18 +11774,33 @@ ir.cpp:
 
 # 1590| void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet()
 # 1590|   Block 0
-# 1590|     v1590_1(void)                                 = EnterFunction                : 
-# 1590|     mu1590_2(unknown)                             = AliasedDefinition            : 
-# 1590|     mu1590_3(unknown)                             = InitializeNonLocal           : 
-# 1590|     r1590_4(glval<unknown>)                       = VariableAddress[#this]       : 
-# 1590|     mu1590_5(glval<StructuredBindingTupleRefGet>) = InitializeParameter[#this]   : &:r1590_4
-# 1590|     r1590_6(glval<StructuredBindingTupleRefGet>)  = Load[#this]                  : &:r1590_4, ~m?
-# 1590|     mu1590_7(StructuredBindingTupleRefGet)        = InitializeIndirection[#this] : &:r1590_6
-# 1590|     v1590_8(void)                                 = NoOp                         : 
-# 1590|     v1590_9(void)                                 = ReturnIndirection[#this]     : &:r1590_6, ~m?
-# 1590|     v1590_10(void)                                = ReturnVoid                   : 
-# 1590|     v1590_11(void)                                = AliasedUse                   : ~m?
-# 1590|     v1590_12(void)                                = ExitFunction                 : 
+# 1590|     v1590_1(void)                                 = EnterFunction                   : 
+# 1590|     mu1590_2(unknown)                             = AliasedDefinition               : 
+# 1590|     mu1590_3(unknown)                             = InitializeNonLocal              : 
+# 1590|     r1590_4(glval<unknown>)                       = VariableAddress[#this]          : 
+# 1590|     mu1590_5(glval<StructuredBindingTupleRefGet>) = InitializeParameter[#this]      : &:r1590_4
+# 1590|     r1590_6(glval<StructuredBindingTupleRefGet>)  = Load[#this]                     : &:r1590_4, ~m?
+# 1590|     mu1590_7(StructuredBindingTupleRefGet)        = InitializeIndirection[#this]    : &:r1590_6
+# 1590|     r1590_8(glval<unknown>)                       = FunctionAddress[i]              : 
+# 1590|     v1590_9(void)                                 = Call[i]                         : func:r1590_8, this:r1590_6
+# 1590|     mu1590_10(unknown)                            = ^CallSideEffect                 : ~m?
+# 1590|     v1590_11(void)                                = ^IndirectReadSideEffect[-1]     : &:r1590_6, ~m?
+# 1590|     mu1590_12(StructuredBindingTupleRefGet)       = ^IndirectMayWriteSideEffect[-1] : &:r1590_6
+# 1590|     r1590_13(glval<unknown>)                      = FunctionAddress[d]              : 
+# 1590|     v1590_14(void)                                = Call[d]                         : func:r1590_13, this:r1590_6
+# 1590|     mu1590_15(unknown)                            = ^CallSideEffect                 : ~m?
+# 1590|     v1590_16(void)                                = ^IndirectReadSideEffect[-1]     : &:r1590_6, ~m?
+# 1590|     mu1590_17(StructuredBindingTupleRefGet)       = ^IndirectMayWriteSideEffect[-1] : &:r1590_6
+# 1590|     r1590_18(glval<unknown>)                      = FunctionAddress[r]              : 
+# 1590|     v1590_19(void)                                = Call[r]                         : func:r1590_18, this:r1590_6
+# 1590|     mu1590_20(unknown)                            = ^CallSideEffect                 : ~m?
+# 1590|     v1590_21(void)                                = ^IndirectReadSideEffect[-1]     : &:r1590_6, ~m?
+# 1590|     mu1590_22(StructuredBindingTupleRefGet)       = ^IndirectMayWriteSideEffect[-1] : &:r1590_6
+# 1590|     v1590_23(void)                                = NoOp                            : 
+# 1590|     v1590_24(void)                                = ReturnIndirection[#this]        : &:r1590_6, ~m?
+# 1590|     v1590_25(void)                                = ReturnVoid                      : 
+# 1590|     v1590_26(void)                                = AliasedUse                      : ~m?
+# 1590|     v1590_27(void)                                = ExitFunction                    : 
 
 # 1590| void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&)
 # 1590|   Block 0
@@ -11675,6 +11843,56 @@ ir.cpp:
 # 1590|     v1590_32(void)                                  = AliasedUse                                   : ~m?
 # 1590|     v1590_33(void)                                  = ExitFunction                                 : 
 
+# 1591| int StructuredBindingTupleRefGet::i
+# 1591|   Block 0
+# 1591|     v1591_1(void)                                 = EnterFunction                : 
+# 1591|     mu1591_2(unknown)                             = AliasedDefinition            : 
+# 1591|     mu1591_3(unknown)                             = InitializeNonLocal           : 
+# 1591|     r1591_4(glval<unknown>)                       = VariableAddress[#this]       : 
+# 1591|     mu1591_5(glval<StructuredBindingTupleRefGet>) = InitializeParameter[#this]   : &:r1591_4
+# 1591|     r1591_6(glval<StructuredBindingTupleRefGet>)  = Load[#this]                  : &:r1591_4, ~m?
+# 1591|     mu1591_7(StructuredBindingTupleRefGet)        = InitializeIndirection[#this] : &:r1591_6
+# 1591|     r1591_8(glval<int>)                           = FieldAddress[i]              : r1591_6
+# 1591|     r1591_9(int)                                  = Constant[1]                  : 
+# 1591|     mu1591_10(int)                                = Store[?]                     : &:r1591_8, r1591_9
+# 1591|     v1591_11(void)                                = ReturnVoid                   : 
+# 1591|     v1591_12(void)                                = AliasedUse                   : ~m?
+# 1591|     v1591_13(void)                                = ExitFunction                 : 
+
+# 1592| double StructuredBindingTupleRefGet::d
+# 1592|   Block 0
+# 1592|     v1592_1(void)                                 = EnterFunction                  : 
+# 1592|     mu1592_2(unknown)                             = AliasedDefinition              : 
+# 1592|     mu1592_3(unknown)                             = InitializeNonLocal             : 
+# 1592|     r1592_4(glval<unknown>)                       = VariableAddress[#this]         : 
+# 1592|     mu1592_5(glval<StructuredBindingTupleRefGet>) = InitializeParameter[#this]     : &:r1592_4
+# 1592|     r1592_6(glval<StructuredBindingTupleRefGet>)  = Load[#this]                    : &:r1592_4, ~m?
+# 1592|     mu1592_7(StructuredBindingTupleRefGet)        = InitializeIndirection[#this]   : &:r1592_6
+# 1592|     r1592_8(glval<double>)                        = FieldAddress[d]                : r1592_6
+# 1592|     r1592_9(double)                               = Constant[2.200000000000000178] : 
+# 1592|     mu1592_10(double)                             = Store[?]                       : &:r1592_8, r1592_9
+# 1592|     v1592_11(void)                                = ReturnVoid                     : 
+# 1592|     v1592_12(void)                                = AliasedUse                     : ~m?
+# 1592|     v1592_13(void)                                = ExitFunction                   : 
+
+# 1593| int& StructuredBindingTupleRefGet::r
+# 1593|   Block 0
+# 1593|     v1593_1(void)                                 = EnterFunction                : 
+# 1593|     mu1593_2(unknown)                             = AliasedDefinition            : 
+# 1593|     mu1593_3(unknown)                             = InitializeNonLocal           : 
+# 1593|     r1593_4(glval<unknown>)                       = VariableAddress[#this]       : 
+# 1593|     mu1593_5(glval<StructuredBindingTupleRefGet>) = InitializeParameter[#this]   : &:r1593_4
+# 1593|     r1593_6(glval<StructuredBindingTupleRefGet>)  = Load[#this]                  : &:r1593_4, ~m?
+# 1593|     mu1593_7(StructuredBindingTupleRefGet)        = InitializeIndirection[#this] : &:r1593_6
+# 1593|     r1593_8(glval<int &>)                         = FieldAddress[r]              : r1593_6
+# 1593|     r1593_9(StructuredBindingTupleRefGet *)       = CopyValue                    : r1593_6
+# 1593|     r1593_10(glval<int>)                          = FieldAddress[i]              : r1593_9
+#-----|     r0_1(int &)                                   = CopyValue                    : r1593_10
+#-----|     mu0_2(int &)                                  = Store[?]                     : &:r1593_8, r0_1
+# 1593|     v1593_11(void)                                = ReturnVoid                   : 
+# 1593|     v1593_12(void)                                = AliasedUse                   : ~m?
+# 1593|     v1593_13(void)                                = ExitFunction                 : 
+
 # 1618| std::tuple_element<int 0, StructuredBindingTupleRefGet>::type& StructuredBindingTupleRefGet::get<int 0>()
 # 1618|   Block 0
 # 1618|     v1618_1(void)                                 = EnterFunction                : 
@@ -11890,18 +12108,62 @@ ir.cpp:
 
 # 1657| void StructuredBindingTupleNoRefGet::StructuredBindingTupleNoRefGet()
 # 1657|   Block 0
-# 1657|     v1657_1(void)                                   = EnterFunction                : 
-# 1657|     mu1657_2(unknown)                               = AliasedDefinition            : 
-# 1657|     mu1657_3(unknown)                               = InitializeNonLocal           : 
-# 1657|     r1657_4(glval<unknown>)                         = VariableAddress[#this]       : 
-# 1657|     mu1657_5(glval<StructuredBindingTupleNoRefGet>) = InitializeParameter[#this]   : &:r1657_4
-# 1657|     r1657_6(glval<StructuredBindingTupleNoRefGet>)  = Load[#this]                  : &:r1657_4, ~m?
-# 1657|     mu1657_7(StructuredBindingTupleNoRefGet)        = InitializeIndirection[#this] : &:r1657_6
-# 1657|     v1657_8(void)                                   = NoOp                         : 
-# 1657|     v1657_9(void)                                   = ReturnIndirection[#this]     : &:r1657_6, ~m?
-# 1657|     v1657_10(void)                                  = ReturnVoid                   : 
-# 1657|     v1657_11(void)                                  = AliasedUse                   : ~m?
-# 1657|     v1657_12(void)                                  = ExitFunction                 : 
+# 1657|     v1657_1(void)                                   = EnterFunction                   : 
+# 1657|     mu1657_2(unknown)                               = AliasedDefinition               : 
+# 1657|     mu1657_3(unknown)                               = InitializeNonLocal              : 
+# 1657|     r1657_4(glval<unknown>)                         = VariableAddress[#this]          : 
+# 1657|     mu1657_5(glval<StructuredBindingTupleNoRefGet>) = InitializeParameter[#this]      : &:r1657_4
+# 1657|     r1657_6(glval<StructuredBindingTupleNoRefGet>)  = Load[#this]                     : &:r1657_4, ~m?
+# 1657|     mu1657_7(StructuredBindingTupleNoRefGet)        = InitializeIndirection[#this]    : &:r1657_6
+# 1657|     r1657_8(glval<unknown>)                         = FunctionAddress[i]              : 
+# 1657|     v1657_9(void)                                   = Call[i]                         : func:r1657_8, this:r1657_6
+# 1657|     mu1657_10(unknown)                              = ^CallSideEffect                 : ~m?
+# 1657|     v1657_11(void)                                  = ^IndirectReadSideEffect[-1]     : &:r1657_6, ~m?
+# 1657|     mu1657_12(StructuredBindingTupleNoRefGet)       = ^IndirectMayWriteSideEffect[-1] : &:r1657_6
+# 1657|     r1657_13(glval<unknown>)                        = FunctionAddress[r]              : 
+# 1657|     v1657_14(void)                                  = Call[r]                         : func:r1657_13, this:r1657_6
+# 1657|     mu1657_15(unknown)                              = ^CallSideEffect                 : ~m?
+# 1657|     v1657_16(void)                                  = ^IndirectReadSideEffect[-1]     : &:r1657_6, ~m?
+# 1657|     mu1657_17(StructuredBindingTupleNoRefGet)       = ^IndirectMayWriteSideEffect[-1] : &:r1657_6
+# 1657|     v1657_18(void)                                  = NoOp                            : 
+# 1657|     v1657_19(void)                                  = ReturnIndirection[#this]        : &:r1657_6, ~m?
+# 1657|     v1657_20(void)                                  = ReturnVoid                      : 
+# 1657|     v1657_21(void)                                  = AliasedUse                      : ~m?
+# 1657|     v1657_22(void)                                  = ExitFunction                    : 
+
+# 1658| int StructuredBindingTupleNoRefGet::i
+# 1658|   Block 0
+# 1658|     v1658_1(void)                                   = EnterFunction                : 
+# 1658|     mu1658_2(unknown)                               = AliasedDefinition            : 
+# 1658|     mu1658_3(unknown)                               = InitializeNonLocal           : 
+# 1658|     r1658_4(glval<unknown>)                         = VariableAddress[#this]       : 
+# 1658|     mu1658_5(glval<StructuredBindingTupleNoRefGet>) = InitializeParameter[#this]   : &:r1658_4
+# 1658|     r1658_6(glval<StructuredBindingTupleNoRefGet>)  = Load[#this]                  : &:r1658_4, ~m?
+# 1658|     mu1658_7(StructuredBindingTupleNoRefGet)        = InitializeIndirection[#this] : &:r1658_6
+# 1658|     r1658_8(glval<int>)                             = FieldAddress[i]              : r1658_6
+# 1658|     r1658_9(int)                                    = Constant[1]                  : 
+# 1658|     mu1658_10(int)                                  = Store[?]                     : &:r1658_8, r1658_9
+# 1658|     v1658_11(void)                                  = ReturnVoid                   : 
+# 1658|     v1658_12(void)                                  = AliasedUse                   : ~m?
+# 1658|     v1658_13(void)                                  = ExitFunction                 : 
+
+# 1659| int& StructuredBindingTupleNoRefGet::r
+# 1659|   Block 0
+# 1659|     v1659_1(void)                                   = EnterFunction                : 
+# 1659|     mu1659_2(unknown)                               = AliasedDefinition            : 
+# 1659|     mu1659_3(unknown)                               = InitializeNonLocal           : 
+# 1659|     r1659_4(glval<unknown>)                         = VariableAddress[#this]       : 
+# 1659|     mu1659_5(glval<StructuredBindingTupleNoRefGet>) = InitializeParameter[#this]   : &:r1659_4
+# 1659|     r1659_6(glval<StructuredBindingTupleNoRefGet>)  = Load[#this]                  : &:r1659_4, ~m?
+# 1659|     mu1659_7(StructuredBindingTupleNoRefGet)        = InitializeIndirection[#this] : &:r1659_6
+# 1659|     r1659_8(glval<int &>)                           = FieldAddress[r]              : r1659_6
+# 1659|     r1659_9(StructuredBindingTupleNoRefGet *)       = CopyValue                    : r1659_6
+# 1659|     r1659_10(glval<int>)                            = FieldAddress[i]              : r1659_9
+#-----|     r0_1(int &)                                     = CopyValue                    : r1659_10
+#-----|     mu0_2(int &)                                    = Store[?]                     : &:r1659_8, r0_1
+# 1659|     v1659_11(void)                                  = ReturnVoid                   : 
+# 1659|     v1659_12(void)                                  = AliasedUse                   : ~m?
+# 1659|     v1659_13(void)                                  = ExitFunction                 : 
 
 # 1684| std::tuple_element<int 0, StructuredBindingTupleNoRefGet>::type StructuredBindingTupleNoRefGet::get<int 0>()
 # 1684|   Block 0
@@ -19200,6 +19462,321 @@ ir.cpp:
 # 2867|     v2867_13(void)      = ReturnVoid                    : 
 #-----|   Goto -> Block 1
 
+# 2890| int StructInit::i
+# 2890|   Block 0
+# 2890|     v2890_1(void)               = EnterFunction                : 
+# 2890|     mu2890_2(unknown)           = AliasedDefinition            : 
+# 2890|     mu2890_3(unknown)           = InitializeNonLocal           : 
+# 2890|     r2890_4(glval<unknown>)     = VariableAddress[#this]       : 
+# 2890|     mu2890_5(glval<StructInit>) = InitializeParameter[#this]   : &:r2890_4
+# 2890|     r2890_6(glval<StructInit>)  = Load[#this]                  : &:r2890_4, ~m?
+# 2890|     mu2890_7(StructInit)        = InitializeIndirection[#this] : &:r2890_6
+# 2890|     r2890_8(glval<int>)         = FieldAddress[i]              : r2890_6
+# 2890|     r2890_9(int)                = Constant[42]                 : 
+# 2890|     mu2890_10(int)              = Store[?]                     : &:r2890_8, r2890_9
+# 2890|     v2890_11(void)              = ReturnVoid                   : 
+# 2890|     v2890_12(void)              = AliasedUse                   : ~m?
+# 2890|     v2890_13(void)              = ExitFunction                 : 
+
+# 2891| int StructInit::j
+# 2891|   Block 0
+# 2891|     v2891_1(void)               = EnterFunction                : 
+# 2891|     mu2891_2(unknown)           = AliasedDefinition            : 
+# 2891|     mu2891_3(unknown)           = InitializeNonLocal           : 
+# 2891|     r2891_4(glval<unknown>)     = VariableAddress[#this]       : 
+# 2891|     mu2891_5(glval<StructInit>) = InitializeParameter[#this]   : &:r2891_4
+# 2891|     r2891_6(glval<StructInit>)  = Load[#this]                  : &:r2891_4, ~m?
+# 2891|     mu2891_7(StructInit)        = InitializeIndirection[#this] : &:r2891_6
+# 2891|     r2891_8(glval<int>)         = FieldAddress[j]              : r2891_6
+# 2891|     r2891_9(int)                = Constant[42]                 : 
+# 2891|     mu2891_10(int)              = Store[?]                     : &:r2891_8, r2891_9
+# 2891|     v2891_11(void)              = ReturnVoid                   : 
+# 2891|     v2891_12(void)              = AliasedUse                   : ~m?
+# 2891|     v2891_13(void)              = ExitFunction                 : 
+
+# 2892| int StructInit::k
+# 2892|   Block 0
+# 2892|     v2892_1(void)               = EnterFunction                : 
+# 2892|     mu2892_2(unknown)           = AliasedDefinition            : 
+# 2892|     mu2892_3(unknown)           = InitializeNonLocal           : 
+# 2892|     r2892_4(glval<unknown>)     = VariableAddress[#this]       : 
+# 2892|     mu2892_5(glval<StructInit>) = InitializeParameter[#this]   : &:r2892_4
+# 2892|     r2892_6(glval<StructInit>)  = Load[#this]                  : &:r2892_4, ~m?
+# 2892|     mu2892_7(StructInit)        = InitializeIndirection[#this] : &:r2892_6
+# 2892|     r2892_8(glval<int>)         = FieldAddress[k]              : r2892_6
+# 2892|     r2892_9(int)                = Constant[42]                 : 
+# 2892|     mu2892_10(int)              = Store[?]                     : &:r2892_8, r2892_9
+# 2892|     v2892_11(void)              = ReturnVoid                   : 
+# 2892|     v2892_12(void)              = AliasedUse                   : ~m?
+# 2892|     v2892_13(void)              = ExitFunction                 : 
+
+# 2893| int StructInit::l
+# 2893|   Block 0
+# 2893|     v2893_1(void)               = EnterFunction                : 
+# 2893|     mu2893_2(unknown)           = AliasedDefinition            : 
+# 2893|     mu2893_3(unknown)           = InitializeNonLocal           : 
+# 2893|     r2893_4(glval<unknown>)     = VariableAddress[#this]       : 
+# 2893|     mu2893_5(glval<StructInit>) = InitializeParameter[#this]   : &:r2893_4
+# 2893|     r2893_6(glval<StructInit>)  = Load[#this]                  : &:r2893_4, ~m?
+# 2893|     mu2893_7(StructInit)        = InitializeIndirection[#this] : &:r2893_6
+# 2893|     r2893_8(glval<int>)         = FieldAddress[l]              : r2893_6
+# 2893|     r2893_9(StructInit *)       = CopyValue                    : r2893_6
+# 2893|     r2893_10(glval<int>)        = FieldAddress[k]              : r2893_9
+# 2893|     r2893_11(int)               = Load[?]                      : &:r2893_10, ~m?
+# 2893|     mu2893_12(int)              = Store[?]                     : &:r2893_8, r2893_11
+# 2893|     v2893_13(void)              = ReturnVoid                   : 
+# 2893|     v2893_14(void)              = AliasedUse                   : ~m?
+# 2893|     v2893_15(void)              = ExitFunction                 : 
+
+# 2894| int StructInit::m
+# 2894|   Block 0
+# 2894|     v2894_1(void)               = EnterFunction                   : 
+# 2894|     mu2894_2(unknown)           = AliasedDefinition               : 
+# 2894|     mu2894_3(unknown)           = InitializeNonLocal              : 
+# 2894|     r2894_4(glval<unknown>)     = VariableAddress[#this]          : 
+# 2894|     mu2894_5(glval<StructInit>) = InitializeParameter[#this]      : &:r2894_4
+# 2894|     r2894_6(glval<StructInit>)  = Load[#this]                     : &:r2894_4, ~m?
+# 2894|     mu2894_7(StructInit)        = InitializeIndirection[#this]    : &:r2894_6
+# 2894|     r2894_8(glval<int>)         = FieldAddress[m]                 : r2894_6
+# 2894|     r2894_9(StructInit *)       = CopyValue                       : r2894_6
+# 2894|     r2894_10(glval<unknown>)    = FunctionAddress[get_val]        : 
+# 2894|     r2894_11(int)               = Call[get_val]                   : func:r2894_10, this:r2894_9
+# 2894|     mu2894_12(unknown)          = ^CallSideEffect                 : ~m?
+# 2894|     v2894_13(void)              = ^IndirectReadSideEffect[-1]     : &:r2894_9, ~m?
+# 2894|     mu2894_14(StructInit)       = ^IndirectMayWriteSideEffect[-1] : &:r2894_9
+# 2894|     mu2894_15(int)              = Store[?]                        : &:r2894_8, r2894_11
+# 2894|     v2894_16(void)              = ReturnVoid                      : 
+# 2894|     v2894_17(void)              = AliasedUse                      : ~m?
+# 2894|     v2894_18(void)              = ExitFunction                    : 
+
+# 2895| int StructInit::n
+# 2895|   Block 0
+# 2895|     v2895_1(void)               = EnterFunction                : 
+# 2895|     mu2895_2(unknown)           = AliasedDefinition            : 
+# 2895|     mu2895_3(unknown)           = InitializeNonLocal           : 
+# 2895|     r2895_4(glval<unknown>)     = VariableAddress[#this]       : 
+# 2895|     mu2895_5(glval<StructInit>) = InitializeParameter[#this]   : &:r2895_4
+# 2895|     r2895_6(glval<StructInit>)  = Load[#this]                  : &:r2895_4, ~m?
+# 2895|     mu2895_7(StructInit)        = InitializeIndirection[#this] : &:r2895_6
+# 2895|     r2895_8(glval<int>)         = FieldAddress[n]              : r2895_6
+# 2895|     r2895_9(int)                = Constant[42]                 : 
+# 2895|     mu2895_10(int)              = Store[?]                     : &:r2895_8, r2895_9
+# 2895|     v2895_11(void)              = ReturnVoid                   : 
+# 2895|     v2895_12(void)              = AliasedUse                   : ~m?
+# 2895|     v2895_13(void)              = ExitFunction                 : 
+
+# 2897| void StructInit::StructInit(int)
+# 2897|   Block 0
+# 2897|     v2897_1(void)               = EnterFunction                   : 
+# 2897|     mu2897_2(unknown)           = AliasedDefinition               : 
+# 2897|     mu2897_3(unknown)           = InitializeNonLocal              : 
+# 2897|     r2897_4(glval<unknown>)     = VariableAddress[#this]          : 
+# 2897|     mu2897_5(glval<StructInit>) = InitializeParameter[#this]      : &:r2897_4
+# 2897|     r2897_6(glval<StructInit>)  = Load[#this]                     : &:r2897_4, ~m?
+# 2897|     mu2897_7(StructInit)        = InitializeIndirection[#this]    : &:r2897_6
+# 2897|     r2897_8(glval<int>)         = VariableAddress[j]              : 
+# 2897|     mu2897_9(int)               = InitializeParameter[j]          : &:r2897_8
+# 2897|     r2897_10(glval<unknown>)    = FunctionAddress[i]              : 
+# 2897|     v2897_11(void)              = Call[i]                         : func:r2897_10, this:r2897_6
+# 2897|     mu2897_12(unknown)          = ^CallSideEffect                 : ~m?
+# 2897|     v2897_13(void)              = ^IndirectReadSideEffect[-1]     : &:r2897_6, ~m?
+# 2897|     mu2897_14(StructInit)       = ^IndirectMayWriteSideEffect[-1] : &:r2897_6
+# 2897|     r2897_15(glval<int>)        = FieldAddress[j]                 : r2897_6
+# 2897|     r2897_16(glval<int>)        = VariableAddress[j]              : 
+# 2897|     r2897_17(int)               = Load[j]                         : &:r2897_16, ~m?
+# 2897|     mu2897_18(int)              = Store[?]                        : &:r2897_15, r2897_17
+# 2897|     r2897_19(glval<unknown>)    = FunctionAddress[k]              : 
+# 2897|     v2897_20(void)              = Call[k]                         : func:r2897_19, this:r2897_6
+# 2897|     mu2897_21(unknown)          = ^CallSideEffect                 : ~m?
+# 2897|     v2897_22(void)              = ^IndirectReadSideEffect[-1]     : &:r2897_6, ~m?
+# 2897|     mu2897_23(StructInit)       = ^IndirectMayWriteSideEffect[-1] : &:r2897_6
+# 2897|     r2897_24(glval<unknown>)    = FunctionAddress[l]              : 
+# 2897|     v2897_25(void)              = Call[l]                         : func:r2897_24, this:r2897_6
+# 2897|     mu2897_26(unknown)          = ^CallSideEffect                 : ~m?
+# 2897|     v2897_27(void)              = ^IndirectReadSideEffect[-1]     : &:r2897_6, ~m?
+# 2897|     mu2897_28(StructInit)       = ^IndirectMayWriteSideEffect[-1] : &:r2897_6
+# 2897|     r2897_29(glval<unknown>)    = FunctionAddress[m]              : 
+# 2897|     v2897_30(void)              = Call[m]                         : func:r2897_29, this:r2897_6
+# 2897|     mu2897_31(unknown)          = ^CallSideEffect                 : ~m?
+# 2897|     v2897_32(void)              = ^IndirectReadSideEffect[-1]     : &:r2897_6, ~m?
+# 2897|     mu2897_33(StructInit)       = ^IndirectMayWriteSideEffect[-1] : &:r2897_6
+# 2897|     r2897_34(glval<int>)        = FieldAddress[n]                 : r2897_6
+# 2897|     r2897_35(glval<unknown>)    = VariableAddress[#this]          : 
+# 2897|     r2897_36(StructInit *)      = Load[#this]                     : &:r2897_35, ~m?
+# 2897|     r2897_37(glval<unknown>)    = FunctionAddress[get_val]        : 
+# 2897|     r2897_38(int)               = Call[get_val]                   : func:r2897_37, this:r2897_36
+# 2897|     mu2897_39(unknown)          = ^CallSideEffect                 : ~m?
+# 2897|     v2897_40(void)              = ^IndirectReadSideEffect[-1]     : &:r2897_36, ~m?
+# 2897|     mu2897_41(StructInit)       = ^IndirectMayWriteSideEffect[-1] : &:r2897_36
+# 2897|     mu2897_42(int)              = Store[?]                        : &:r2897_34, r2897_38
+# 2897|     v2897_43(void)              = NoOp                            : 
+# 2897|     v2897_44(void)              = ReturnIndirection[#this]        : &:r2897_6, ~m?
+# 2897|     v2897_45(void)              = ReturnVoid                      : 
+# 2897|     v2897_46(void)              = AliasedUse                      : ~m?
+# 2897|     v2897_47(void)              = ExitFunction                    : 
+
+# 2899| void StructInit::StructInit()
+# 2899|   Block 0
+# 2899|     v2899_1(void)               = EnterFunction                   : 
+# 2899|     mu2899_2(unknown)           = AliasedDefinition               : 
+# 2899|     mu2899_3(unknown)           = InitializeNonLocal              : 
+# 2899|     r2899_4(glval<unknown>)     = VariableAddress[#this]          : 
+# 2899|     mu2899_5(glval<StructInit>) = InitializeParameter[#this]      : &:r2899_4
+# 2899|     r2899_6(glval<StructInit>)  = Load[#this]                     : &:r2899_4, ~m?
+# 2899|     mu2899_7(StructInit)        = InitializeIndirection[#this]    : &:r2899_6
+# 2899|     r2899_8(glval<int>)         = FieldAddress[i]                 : r2899_6
+# 2899|     r2899_9(int)                = Constant[41]                    : 
+# 2899|     mu2899_10(int)              = Store[?]                        : &:r2899_8, r2899_9
+# 2899|     r2899_11(glval<unknown>)    = FunctionAddress[j]              : 
+# 2899|     v2899_12(void)              = Call[j]                         : func:r2899_11, this:r2899_6
+# 2899|     mu2899_13(unknown)          = ^CallSideEffect                 : ~m?
+# 2899|     v2899_14(void)              = ^IndirectReadSideEffect[-1]     : &:r2899_6, ~m?
+# 2899|     mu2899_15(StructInit)       = ^IndirectMayWriteSideEffect[-1] : &:r2899_6
+# 2899|     r2899_16(glval<int>)        = FieldAddress[k]                 : r2899_6
+# 2899|     r2899_17(int)               = Constant[41]                    : 
+# 2899|     mu2899_18(int)              = Store[?]                        : &:r2899_16, r2899_17
+# 2899|     r2899_19(glval<unknown>)    = FunctionAddress[l]              : 
+# 2899|     v2899_20(void)              = Call[l]                         : func:r2899_19, this:r2899_6
+# 2899|     mu2899_21(unknown)          = ^CallSideEffect                 : ~m?
+# 2899|     v2899_22(void)              = ^IndirectReadSideEffect[-1]     : &:r2899_6, ~m?
+# 2899|     mu2899_23(StructInit)       = ^IndirectMayWriteSideEffect[-1] : &:r2899_6
+# 2899|     r2899_24(glval<unknown>)    = FunctionAddress[m]              : 
+# 2899|     v2899_25(void)              = Call[m]                         : func:r2899_24, this:r2899_6
+# 2899|     mu2899_26(unknown)          = ^CallSideEffect                 : ~m?
+# 2899|     v2899_27(void)              = ^IndirectReadSideEffect[-1]     : &:r2899_6, ~m?
+# 2899|     mu2899_28(StructInit)       = ^IndirectMayWriteSideEffect[-1] : &:r2899_6
+# 2899|     r2899_29(glval<unknown>)    = FunctionAddress[n]              : 
+# 2899|     v2899_30(void)              = Call[n]                         : func:r2899_29, this:r2899_6
+# 2899|     mu2899_31(unknown)          = ^CallSideEffect                 : ~m?
+# 2899|     v2899_32(void)              = ^IndirectReadSideEffect[-1]     : &:r2899_6, ~m?
+# 2899|     mu2899_33(StructInit)       = ^IndirectMayWriteSideEffect[-1] : &:r2899_6
+# 2899|     v2899_34(void)              = NoOp                            : 
+# 2899|     v2899_35(void)              = ReturnIndirection[#this]        : &:r2899_6, ~m?
+# 2899|     v2899_36(void)              = ReturnVoid                      : 
+# 2899|     v2899_37(void)              = AliasedUse                      : ~m?
+# 2899|     v2899_38(void)              = ExitFunction                    : 
+
+# 2901| int StructInit::get_val()
+# 2901|   Block 0
+# 2901|     v2901_1(void)               = EnterFunction                : 
+# 2901|     mu2901_2(unknown)           = AliasedDefinition            : 
+# 2901|     mu2901_3(unknown)           = InitializeNonLocal           : 
+# 2901|     r2901_4(glval<unknown>)     = VariableAddress[#this]       : 
+# 2901|     mu2901_5(glval<StructInit>) = InitializeParameter[#this]   : &:r2901_4
+# 2901|     r2901_6(glval<StructInit>)  = Load[#this]                  : &:r2901_4, ~m?
+# 2901|     mu2901_7(StructInit)        = InitializeIndirection[#this] : &:r2901_6
+# 2901|     r2901_8(glval<int>)         = VariableAddress[#return]     : 
+# 2901|     r2901_9(glval<unknown>)     = VariableAddress[#this]       : 
+# 2901|     r2901_10(StructInit *)      = Load[#this]                  : &:r2901_9, ~m?
+# 2901|     r2901_11(glval<int>)        = FieldAddress[k]              : r2901_10
+# 2901|     r2901_12(int)               = Load[?]                      : &:r2901_11, ~m?
+# 2901|     mu2901_13(int)              = Store[#return]               : &:r2901_8, r2901_12
+# 2901|     v2901_14(void)              = ReturnIndirection[#this]     : &:r2901_6, ~m?
+# 2901|     r2901_15(glval<int>)        = VariableAddress[#return]     : 
+# 2901|     v2901_16(void)              = ReturnValue                  : &:r2901_15, ~m?
+# 2901|     v2901_17(void)              = AliasedUse                   : ~m?
+# 2901|     v2901_18(void)              = ExitFunction                 : 
+
+# 2905| void StructInitFromTemplate<int>::StructInitFromTemplate()
+# 2905|   Block 0
+# 2905|     v2905_1(void)                                = EnterFunction                   : 
+# 2905|     mu2905_2(unknown)                            = AliasedDefinition               : 
+# 2905|     mu2905_3(unknown)                            = InitializeNonLocal              : 
+# 2905|     r2905_4(glval<unknown>)                      = VariableAddress[#this]          : 
+# 2905|     mu2905_5(glval<StructInitFromTemplate<int>>) = InitializeParameter[#this]      : &:r2905_4
+# 2905|     r2905_6(glval<StructInitFromTemplate<int>>)  = Load[#this]                     : &:r2905_4, ~m?
+# 2905|     mu2905_7(StructInitFromTemplate<int>)        = InitializeIndirection[#this]    : &:r2905_6
+# 2905|     r2905_8(glval<unknown>)                      = FunctionAddress[t]              : 
+# 2905|     v2905_9(void)                                = Call[t]                         : func:r2905_8, this:r2905_6
+# 2905|     mu2905_10(unknown)                           = ^CallSideEffect                 : ~m?
+# 2905|     v2905_11(void)                               = ^IndirectReadSideEffect[-1]     : &:r2905_6, ~m?
+# 2905|     mu2905_12(StructInitFromTemplate<int>)       = ^IndirectMayWriteSideEffect[-1] : &:r2905_6
+# 2905|     v2905_13(void)                               = NoOp                            : 
+# 2905|     v2905_14(void)                               = ReturnIndirection[#this]        : &:r2905_6, ~m?
+# 2905|     v2905_15(void)                               = ReturnVoid                      : 
+# 2905|     v2905_16(void)                               = AliasedUse                      : ~m?
+# 2905|     v2905_17(void)                               = ExitFunction                    : 
+
+# 2906| int StructInitFromTemplate<int>::t
+# 2906|   Block 0
+# 2906|     v2906_1(void)                                = EnterFunction                 : 
+# 2906|     mu2906_2(unknown)                            = AliasedDefinition             : 
+# 2906|     mu2906_3(unknown)                            = InitializeNonLocal            : 
+# 2906|     r2906_4(glval<unknown>)                      = VariableAddress[#this]        : 
+# 2906|     mu2906_5(glval<StructInitFromTemplate<int>>) = InitializeParameter[#this]    : &:r2906_4
+# 2906|     r2906_6(glval<StructInitFromTemplate<int>>)  = Load[#this]                   : &:r2906_4, ~m?
+# 2906|     mu2906_7(StructInitFromTemplate<int>)        = InitializeIndirection[#this]  : &:r2906_6
+# 2906|     r2906_8(glval<int>)                          = FieldAddress[t]               : r2906_6
+# 2906|     r2906_9(glval<int>)                          = VariableAddress[#temp2906:11] : 
+# 2906|     r2906_10(int)                                = Constant[0]                   : 
+# 2906|     mu2906_11(int)                               = Store[#temp2906:11]           : &:r2906_9, r2906_10
+# 2906|     r2906_12(int)                                = Load[#temp2906:11]            : &:r2906_9, ~m?
+# 2906|     mu2906_13(int)                               = Store[?]                      : &:r2906_8, r2906_12
+# 2906|     v2906_14(void)                               = ReturnVoid                    : 
+# 2906|     v2906_15(void)                               = AliasedUse                    : ~m?
+# 2906|     v2906_16(void)                               = ExitFunction                  : 
+
+# 2909| StructInitFromTemplate<int> StructInitFromTemplateVar
+# 2909|   Block 0
+# 2909|     v2909_1(void)                               = EnterFunction                              : 
+# 2909|     mu2909_2(unknown)                           = AliasedDefinition                          : 
+# 2909|     r2909_3(glval<StructInitFromTemplate<int>>) = VariableAddress[StructInitFromTemplateVar] : 
+#-----|     r0_1(glval<StructInitFromTemplate<int>>)    = VariableAddress[#temp0:0]                  : 
+#-----|     mu0_2(StructInitFromTemplate<int>)          = Uninitialized[#temp0:0]                    : &:r0_1
+#-----|     r0_3(glval<unknown>)                        = FunctionAddress[StructInitFromTemplate]    : 
+#-----|     v0_4(void)                                  = Call[StructInitFromTemplate]               : func:r0_3, this:r0_1
+#-----|     mu0_5(unknown)                              = ^CallSideEffect                            : ~m?
+#-----|     mu0_6(StructInitFromTemplate<int>)          = ^IndirectMayWriteSideEffect[-1]            : &:r0_1
+#-----|     r0_7(StructInitFromTemplate<int>)           = Load[#temp0:0]                             : &:r0_1, ~m?
+#-----|     mu0_8(StructInitFromTemplate<int>)          = Store[StructInitFromTemplateVar]           : &:r2909_3, r0_7
+# 2909|     v2909_4(void)                               = ReturnVoid                                 : 
+# 2909|     v2909_5(void)                               = AliasedUse                                 : ~m?
+# 2909|     v2909_6(void)                               = ExitFunction                               : 
+
+# 2912| double VariableTemplate<double>
+# 2912|   Block 0
+# 2912|     v2912_1(void)          = EnterFunction                     : 
+# 2912|     mu2912_2(unknown)      = AliasedDefinition                 : 
+# 2912|     r2912_3(glval<double>) = VariableAddress[VariableTemplate] : 
+# 2912|     r2912_4(double)        = Constant[42.0]                    : 
+# 2912|     mu2912_5(double)       = Store[VariableTemplate]           : &:r2912_3, r2912_4
+# 2912|     v2912_6(void)          = ReturnVoid                        : 
+# 2912|     v2912_7(void)          = AliasedUse                        : ~m?
+# 2912|     v2912_8(void)          = ExitFunction                      : 
+
+# 2915| double VariableTemplateFunc<double>(double)
+# 2915|   Block 0
+# 2915|     v2915_1(void)          = EnterFunction            : 
+# 2915|     mu2915_2(unknown)      = AliasedDefinition        : 
+# 2915|     mu2915_3(unknown)      = InitializeNonLocal       : 
+# 2915|     r2915_4(glval<double>) = VariableAddress[x]       : 
+# 2915|     mu2915_5(double)       = InitializeParameter[x]   : &:r2915_4
+# 2916|     r2916_1(glval<double>) = VariableAddress[#return] : 
+# 2916|     r2916_2(double)        = Constant[42.0]           : 
+# 2916|     r2916_3(glval<double>) = VariableAddress[x]       : 
+# 2916|     r2916_4(double)        = Load[x]                  : &:r2916_3, ~m?
+# 2916|     r2916_5(double)        = Add                      : r2916_2, r2916_4
+# 2916|     mu2916_6(double)       = Store[#return]           : &:r2916_1, r2916_5
+# 2915|     r2915_6(glval<double>) = VariableAddress[#return] : 
+# 2915|     v2915_7(void)          = ReturnValue              : &:r2915_6, ~m?
+# 2915|     v2915_8(void)          = AliasedUse               : ~m?
+# 2915|     v2915_9(void)          = ExitFunction             : 
+
+# 2919| int VariableTemplateFuncUse
+# 2919|   Block 0
+# 2919|     v2919_1(void)           = EnterFunction                            : 
+# 2919|     mu2919_2(unknown)       = AliasedDefinition                        : 
+# 2919|     r2919_3(glval<int>)     = VariableAddress[VariableTemplateFuncUse] : 
+# 2919|     r2919_4(glval<unknown>) = FunctionAddress[VariableTemplateFunc]    : 
+# 2919|     r2919_5(double)         = Constant[2.299999999999999822]           : 
+# 2919|     r2919_6(double)         = Call[VariableTemplateFunc]               : func:r2919_4, 0:r2919_5
+# 2919|     mu2919_7(unknown)       = ^CallSideEffect                          : ~m?
+# 2919|     r2919_8(int)            = Convert                                  : r2919_6
+# 2919|     mu2919_9(int)           = Store[VariableTemplateFuncUse]           : &:r2919_3, r2919_8
+# 2919|     v2919_10(void)          = ReturnVoid                               : 
+# 2919|     v2919_11(void)          = AliasedUse                               : ~m?
+# 2919|     v2919_12(void)          = ExitFunction                             : 
+
 ir23.cpp:
 #    1| bool consteval_1()
 #    1|   Block 0

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected

@@ -1,3 +1,24 @@
+#select
+| tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | *call to getenv | *call to getenv |
+| tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | *call to getenv | *call to getenv |
+| tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:30 | *call to getenv | *call to getenv |
+| tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:66:13:66:34 | *call to getenv | *call to getenv |
+| tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | *call to mysql_get_client_info |
+| tests2.cpp:81:14:81:19 | *buffer | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | *call to mysql_get_client_info |
+| tests2.cpp:82:14:82:20 | *global1 | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:82:14:82:20 | *global1 | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | *call to mysql_get_client_info |
+| tests2.cpp:93:14:93:17 | *str1 | tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | *str1 | *str1 |
+| tests2.cpp:102:14:102:15 | *pw | tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | *call to getpwuid | *call to getpwuid |
+| tests2.cpp:111:14:111:19 | *ptr | tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:111:14:111:19 | *ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | *call to getenv | *call to getenv |
+| tests2.cpp:138:23:138:34 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
+| tests2.cpp:144:33:144:40 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:144:33:144:40 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
+| tests2.cpp:147:20:147:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:147:20:147:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
+| tests2.cpp:155:32:155:39 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:155:32:155:39 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
+| tests2.cpp:158:20:158:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:158:20:158:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
+| tests_sockets.cpp:39:19:39:22 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
+| tests_sockets.cpp:43:20:43:23 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
+| tests_sockets.cpp:76:19:76:22 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
+| tests_sockets.cpp:80:20:80:23 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
+| tests_sysconf.cpp:39:19:39:25 | *pathbuf | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
 edges
 | tests2.cpp:50:13:50:19 | **global1 | tests2.cpp:82:14:82:20 | *global1 | provenance |  |
 | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:50:13:50:19 | **global1 | provenance |  |
@@ -12,16 +33,16 @@ edges
 | tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:14:111:19 | *ptr | provenance |  |
 | tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:17:111:19 | *ptr | provenance |  |
 | tests2.cpp:111:17:111:19 | *ptr | tests2.cpp:111:14:111:19 | *ptr | provenance |  |
-| tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | provenance |  |
-| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:138:23:138:34 | *message_data | provenance |  |
+| tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | provenance | MaD:4 |
+| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:138:23:138:34 | *message_data | provenance | Sink:MaD:2 |
 | tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:143:34:143:45 | *message_data | provenance |  |
 | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:134:2:134:30 | *... = ... | provenance |  |
-| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:144:33:144:40 | *& ... | provenance |  |
-| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:147:20:147:27 | *& ... | provenance |  |
-| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:155:32:155:39 | *& ... | provenance |  |
-| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:158:20:158:27 | *& ... | provenance |  |
+| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:144:33:144:40 | *& ... | provenance | Sink:MaD:3 |
+| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:147:20:147:27 | *& ... | provenance | Sink:MaD:1 |
+| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:155:32:155:39 | *& ... | provenance | Sink:MaD:3 |
+| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:158:20:158:27 | *& ... | provenance | Sink:MaD:1 |
 | tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | provenance |  |
-| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | provenance |  |
+| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | provenance | MaD:4 |
 | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:26:15:26:20 | *call to getenv | provenance |  |
 | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | provenance |  |
 | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | provenance |  |
@@ -29,6 +50,11 @@ edges
 | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | provenance |  |
 | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | provenance |  |
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | provenance |  |
+models
+| 1 | Sink: ; ; false; zmq_msg_send; ; ; Argument[*0]; remote-sink; manual |
+| 2 | Sink: ; ; false; zmq_send; ; ; Argument[*1]; remote-sink; manual |
+| 3 | Sink: ; ; false; zmq_sendmsg; ; ; Argument[*1]; remote-sink; manual |
+| 4 | Summary: ; ; false; zmq_msg_init_data; ; ; Argument[*1]; Argument[*0]; taint; manual |
 nodes
 | tests2.cpp:50:13:50:19 | **global1 | semmle.label | **global1 |
 | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | semmle.label | *call to mysql_get_client_info |
@@ -75,24 +101,3 @@ nodes
 | tests_sysconf.cpp:39:19:39:25 | *pathbuf | semmle.label | *pathbuf |
 subpaths
 | tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument |
-#select
-| tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | *call to getenv | *call to getenv |
-| tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | *call to getenv | *call to getenv |
-| tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:30 | *call to getenv | *call to getenv |
-| tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:66:13:66:34 | *call to getenv | *call to getenv |
-| tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | *call to mysql_get_client_info |
-| tests2.cpp:81:14:81:19 | *buffer | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | *call to mysql_get_client_info |
-| tests2.cpp:82:14:82:20 | *global1 | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:82:14:82:20 | *global1 | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | *call to mysql_get_client_info |
-| tests2.cpp:93:14:93:17 | *str1 | tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | *str1 | *str1 |
-| tests2.cpp:102:14:102:15 | *pw | tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | *call to getpwuid | *call to getpwuid |
-| tests2.cpp:111:14:111:19 | *ptr | tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:111:14:111:19 | *ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | *call to getenv | *call to getenv |
-| tests2.cpp:138:23:138:34 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
-| tests2.cpp:144:33:144:40 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:144:33:144:40 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
-| tests2.cpp:147:20:147:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:147:20:147:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
-| tests2.cpp:155:32:155:39 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:155:32:155:39 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
-| tests2.cpp:158:20:158:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:158:20:158:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
-| tests_sockets.cpp:39:19:39:22 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
-| tests_sockets.cpp:43:20:43:23 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
-| tests_sockets.cpp:76:19:76:22 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
-| tests_sockets.cpp:80:20:80:23 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
-| tests_sysconf.cpp:39:19:39:25 | *pathbuf | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.qlref

@@ -1 +1,4 @@
-Security/CWE/CWE-497/ExposedSystemData.ql
+query: Security/CWE/CWE-497/ExposedSystemData.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp

@@ -47,7 +47,7 @@ int val();
 
 // --- test cases ---
 
-const char *global1 = mysql_get_client_info();
+const char *global1 = mysql_get_client_info(); // $ Source
 const char *global2 = "abc";
 
 void test7()
@@ -55,15 +55,15 @@ void test7()
 	int sock = socket(val(), val(), val());
 
 	// tests for a strict implementation of CWE-497
-	std::cout << getenv("HOME"); // BAD: outputs HOME environment variable [NOT DETECTED]
-	std::cout << "PATH = " << getenv("PATH") << "."; // BAD: outputs PATH environment variable [NOT DETECTED]
+	std::cout << getenv("HOME");  // $ MISSING: Alert // outputs HOME environment variable
+	std::cout << "PATH = " << getenv("PATH") << "."; // $ MISSING: Alert // outputs PATH environment variable
 	std::cout << "PATHPATHPATH"; // GOOD: not system data
 
 	// tests for a more pragmatic implementation of CWE-497
-	send(sock, getenv("HOME"), val(), val()); // BAD
-	send(sock, getenv("PATH"), val(), val()); // BAD
-	send(sock, getenv("USERNAME"), val(), val()); // BAD
-	send(sock, getenv("APP_PASSWORD"), val(), val()); // BAD
+	send(sock, getenv("HOME"), val(), val()); // $ Alert
+	send(sock, getenv("PATH"), val(), val()); // $ Alert
+	send(sock, getenv("USERNAME"), val(), val()); // $ Alert
+	send(sock, getenv("APP_PASSWORD"), val(), val()); // $ Alert
 	send(sock, getenv("HARMLESS"), val(), val()); // GOOD: harmless information
 	send(sock, "HOME", val(), val()); // GOOD: not system data
 	send(sock, "PATH", val(), val()); // GOOD: not system data
@@ -75,11 +75,11 @@ void test7()
 	{
 		char buffer[256];
 
-		strcpy(buffer, mysql_get_client_info());
+		strcpy(buffer, mysql_get_client_info()); // $ Source
 
-		send(sock, mysql_get_client_info(), val(), val()); // BAD
-		send(sock, buffer, val(), val()); // BAD
-		send(sock, global1, val(), val()); // BAD
+		send(sock, mysql_get_client_info(), val(), val()); // $ Alert
+		send(sock, buffer, val(), val()); // $ Alert
+		send(sock, global1, val(), val()); // $ Alert
 		send(sock, global2, val(), val()); // GOOD: not system data
 	}
 
@@ -88,9 +88,9 @@ void test7()
 		const char *str1 = "123456";
 		const char *str2 = "abcdef";
 
-		mysql_real_connect(sock, val(), val(), str1, val(), val(), val(), val());
+		mysql_real_connect(sock, val(), val(), str1, val(), val(), val(), val()); // $ Source
 
-		send(sock, str1, val(), val()); // BAD
+		send(sock, str1, val(), val()); // $ Alert
 		send(sock, str2, val(), val()); // GOOD: not system data
 	}
 
@@ -98,17 +98,17 @@ void test7()
 	{
 		passwd *pw;
 
-		pw = getpwuid(val());
-		send(sock, pw->pw_passwd, val(), val()); // BAD
+		pw = getpwuid(val()); // $ Source
+		send(sock, pw->pw_passwd, val(), val()); // $ Alert
 	}
 
 	// tests for containers
 	{
 		container c1, c2;
 
-		c1.ptr = getenv("MY_SECRET_TOKEN");
+		c1.ptr = getenv("MY_SECRET_TOKEN"); // $ Source
 		c2.ptr = "";
-		send(sock, c1.ptr, val(), val()); // BAD
+		send(sock, c1.ptr, val(), val()); // $ Alert
 		send(sock, c2.ptr, val(), val()); // GOOD: not system data
 	}
 }
@@ -131,20 +131,20 @@ void test_zmq(void *remoteSocket)
 	size_t message_len;
 
 	// prepare data
-	message_data = getenv("HOME");
+	message_data = getenv("HOME"); // $ Source
 	message_len = strlen(message_data) + 1;
 
 	// send as data
-	if (zmq_send(socket, message_data, message_len, 0) >= 0) { // BAD: outputs HOME environment variable
+	if (zmq_send(socket, message_data, message_len, 0) >= 0) { // $ Alert: outputs HOME environment variable
 		// ...
 	}
 
 	// send as message
 	if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
-		if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable
+		if (zmq_sendmsg(remoteSocket, &message, message_len)) { // $ Alert: outputs HOME environment variable
 			// ...
 		}
-		if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
+		if (zmq_msg_send(&message, remoteSocket, message_len)) { // $ Alert: outputs HOME environment variable
 			// ...
 		}
 	}
@@ -152,10 +152,10 @@ void test_zmq(void *remoteSocket)
 	// send as message (alternative path)
 	if (zmq_msg_init_size(&message, message_len) == 0) {
 		memcpy(zmq_msg_data(&message), message_data, message_len);
-		if (zmq_sendmsg(remoteSocket,&message, message_len)) { // BAD: outputs HOME environment variable
+		if (zmq_sendmsg(remoteSocket,&message, message_len)) { // $ Alert: outputs HOME environment variable
 			// ...
 		}
-		if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
+		if (zmq_msg_send(&message, remoteSocket, message_len)) { // $ Alert: outputs HOME environment variable
 			// ...
 		}
 	}

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_sockets.cpp

@@ -23,7 +23,7 @@ void test_sockets1()
 	int sockfd;
 	sockaddr addr_remote;
 	char *msg = "Hello, world!";
-	char *path = getenv("PATH");
+	char *path = getenv("PATH"); // $ Source
 
 	// create socket
 	sockfd = socket(AF_INET, SOCK_STREAM, 0);
@@ -36,11 +36,11 @@ void test_sockets1()
 
 	// send something using 'send'
 	if (send(sockfd, msg, strlen(msg) + 1, 0) < 0) return; // GOOD
-	if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // BAD
-	
+	if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // $ Alert
+
 	// send something using 'write'
 	if (write(sockfd, msg, strlen(msg) + 1) < 0) return; // GOOD
-	if (write(sockfd, path, strlen(path) + 1) < 0) return; // BAD
+	if (write(sockfd, path, strlen(path) + 1) < 0) return; // $ Alert
 
 	// clean up
 	// ...
@@ -49,9 +49,9 @@ void test_sockets1()
 int mksocket()
 {
 	int fd;
-	
+
 	fd = socket(AF_INET, SOCK_STREAM, 0);
-	
+
 	return fd;
 }
 
@@ -60,7 +60,7 @@ void test_sockets2()
 	int sockfd;
 	sockaddr addr_remote;
 	char *msg = "Hello, world!";
-	char *path = getenv("PATH");
+	char *path = getenv("PATH"); // $ Source
 
 	// create socket
 	sockfd = mksocket();
@@ -73,11 +73,11 @@ void test_sockets2()
 
 	// send something using 'send'
 	if (send(sockfd, msg, strlen(msg) + 1, 0) < 0) return; // GOOD
-	if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // BAD
-	
+	if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // $ Alert
+
 	// send something using 'write'
 	if (write(sockfd, msg, strlen(msg) + 1) < 0) return; // GOOD
-	if (write(sockfd, path, strlen(path) + 1) < 0) return; // BAD
+	if (write(sockfd, path, strlen(path) + 1) < 0) return; // $ Alert
 
 	// clean up
 	// ...

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_sysconf.cpp

@@ -21,7 +21,7 @@ void test_sc_1()
 	int value = sysconf(_SC_CHILD_MAX);
 
 	printf("_SC_CHILD_MAX = %i\n", _SC_CHILD_MAX); // GOOD
-	printf("_SC_CHILD_MAX = %i\n", value); // BAD [NOT DETECTED]
+	printf("_SC_CHILD_MAX = %i\n", value); // $ MISSING: Alert
 }
 
 void test_sc_2()
@@ -33,9 +33,9 @@ void test_sc_2()
 	pathbuf = (char *)malloc(n);
 	if (pathbuf != NULL)
 	{
-		confstr(_CS_PATH, pathbuf, n);
+		confstr(_CS_PATH, pathbuf, n); // $ Source
 
-		printf("path: %s", pathbuf); // BAD [NOT DETECTED]
-		write(get_fd(), pathbuf, strlen(pathbuf)); // BAD
+		printf("path: %s", pathbuf); // $ MISSING: Alert
+		write(get_fd(), pathbuf, strlen(pathbuf)); // $ Alert
 	}
 }

csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/assignments.ql

@@ -0,0 +1,177 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location {
+  string toString() { none() }
+}
+
+newtype TAddedElement =
+  TAssignment(CompoundAssignmentExpr e) or
+  TLhs(CompoundAssignmentExpr e) or
+  TRhs(CompoundAssignmentExpr e)
+
+module Fresh = QlBuiltins::NewEntity<TAddedElement>;
+
+class TNewExpr = @expr or Fresh::EntityId;
+
+class NewExpr extends TNewExpr {
+  string toString() { none() }
+}
+
+class TNewControlFlowElement = @control_flow_element or Fresh::EntityId;
+
+class NewControlFlowElement extends TNewControlFlowElement {
+  string toString() { none() }
+}
+
+class TypeOrRef extends @type_or_ref {
+  string toString() { none() }
+}
+
+class Callable extends @callable {
+  string toString() { none() }
+}
+
+class Accessible extends @accessible {
+  string toString() { none() }
+}
+
+predicate assignmentKind(int kind) {
+  // | 63 = @simple_assign_expr
+  // | 80 = @add_event_expr
+  // | 81 = @remove_event_expr
+  // | 83 = @local_var_decl_expr
+  kind = [63, 80, 81, 83]
+}
+
+predicate compoundAssignmentKind(int kind) {
+  // | 64 = @assign_add_expr
+  // | 65 = @assign_sub_expr
+  // | 66 = @assign_mul_expr
+  // | 67 = @assign_div_expr
+  // | 68 = @assign_rem_expr
+  // | 69 = @assign_and_expr
+  // | 70 = @assign_xor_expr
+  // | 71 = @assign_or_expr
+  // | 72 = @assign_lshift_expr
+  // | 73 = @assign_rshift_expr
+  // | 119 = @assign_coalesce_expr
+  // | 134 = @assign_urshift_expr
+  kind = [64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 119, 134]
+}
+
+int getOperatorKindFromAssignmentKind(int kind) {
+  kind = 64 and result = 44 // @assign_add_expr -> @add_expr
+  or
+  kind = 65 and result = 45 // @assign_sub_expr -> @sub_expr
+  or
+  kind = 66 and result = 41 // @assign_mul_expr -> @mul_expr
+  or
+  kind = 67 and result = 42 // @assign_div_expr -> @div_expr
+  or
+  kind = 68 and result = 43 // @assign_rem_expr -> @rem_expr
+  or
+  kind = 69 and result = 54 // @assign_and_expr -> @bit_and_expr
+  or
+  kind = 70 and result = 55 // @assign_xor_expr -> @bit_xor_expr
+  or
+  kind = 71 and result = 56 // @assign_or_expr -> @bit_or_expr
+  or
+  kind = 72 and result = 46 // @assign_lshift_expr -> @lshift_expr
+  or
+  kind = 73 and result = 47 // @assign_rshift_expr -> @rshift_expr
+  or
+  kind = 119 and result = 61 // @assign_coalesce_expr -> @coalesce_expr
+  or
+  kind = 134 and result = 133 // @assign_urshift_expr -> @urshift_expr
+}
+
+predicate isAssignment(Expr ass) {
+  exists(int kind | assignmentKind(kind) | expressions(ass, kind, _))
+}
+
+class CompoundAssignmentExpr extends Expr {
+  CompoundAssignmentExpr() {
+    exists(int kind | compoundAssignmentKind(kind) | expressions(this, kind, _))
+  }
+}
+
+query predicate new_expressions(NewExpr e, int kind, TypeOrRef t) {
+  expressions(e, kind, t)
+  or
+  // Introduce expanded expression nodes.
+  exists(CompoundAssignmentExpr compound, int kind0, Expr e1, int kind1 |
+    expressions(compound, kind0, t) and
+    expressions(e1, kind1, _) and
+    expr_parent(e1, 0, compound)
+  |
+    Fresh::map(TAssignment(compound)) = e and kind = 63
+    or
+    Fresh::map(TLhs(compound)) = e and kind = kind1
+    or
+    Fresh::map(TRhs(compound)) = e and kind = getOperatorKindFromAssignmentKind(kind0)
+  )
+}
+
+query predicate new_expr_parent(NewExpr e, int child, NewControlFlowElement parent) {
+  if isAssignment(parent)
+  then
+    // Swap children for assignments, local variable declarations and add/remove event.
+    child = 0 and expr_parent(e, 1, parent)
+    or
+    child = 1 and expr_parent(e, 0, parent)
+  else (
+    exists(CompoundAssignmentExpr compound |
+      Fresh::map(TAssignment(compound)) = e and child = 2 and parent = compound
+      or
+      Fresh::map(TLhs(compound)) = e and child = 1 and parent = Fresh::map(TAssignment(compound))
+      or
+      Fresh::map(TRhs(compound)) = e and child = 0 and parent = Fresh::map(TAssignment(compound))
+      or
+      expr_parent(e, child, compound) and parent = Fresh::map(TRhs(compound))
+    )
+    or
+    // Copy the expr_parent relation except for compound assignment edges.
+    expr_parent(e, child, parent) and not parent instanceof CompoundAssignmentExpr
+  )
+}
+
+query predicate new_expr_location(NewExpr e, Location loc) {
+  expr_location(e, loc)
+  or
+  exists(CompoundAssignmentExpr compound |
+    Fresh::map(TAssignment(compound)) = e and expr_location(compound, loc)
+    or
+    Fresh::map(TLhs(compound)) = e and
+    exists(Expr child | expr_location(child, loc) and expr_parent(child, 0, compound))
+    or
+    Fresh::map(TRhs(compound)) = e and expr_location(compound, loc)
+  )
+}
+
+query predicate new_expr_call(NewExpr e, Callable c) {
+  expr_call(e, c) and not e instanceof CompoundAssignmentExpr
+  or
+  exists(CompoundAssignmentExpr compound |
+    Fresh::map(TRhs(compound)) = e and expr_call(compound, c)
+  )
+}
+
+query predicate new_dynamic_member_name(NewExpr e, string name) {
+  dynamic_member_name(e, name) and not e instanceof CompoundAssignmentExpr
+  or
+  exists(CompoundAssignmentExpr compound |
+    Fresh::map(TRhs(compound)) = e and dynamic_member_name(compound, name)
+  )
+}
+
+query predicate new_expr_access(NewExpr e, Accessible a) {
+  expr_access(e, a)
+  or
+  exists(CompoundAssignmentExpr compound, Expr access |
+    expr_parent(access, 0, compound) and
+    expr_access(access, a) and
+    Fresh::map(TLhs(compound)) = e
+  )
+}

csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/upgrade.properties

@@ -0,0 +1,8 @@
+description: Remove operation kinds for operations, introduce expanded assignments and rotate assignment child expressions.
+compatibility: partial
+expr_parent.rel: run assignments.ql new_expr_parent
+expressions.rel: run assignments.ql new_expressions
+expr_location.rel: run assignments.ql new_expr_location
+expr_call.rel: run assignments.ql new_expr_call
+dynamic_member_name.rel: run assignments.ql new_dynamic_member_name
+expr_access.rel: run assignments.ql new_expr_access

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Assignment.cs

@@ -22,26 +22,12 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            var operatorKind = OperatorKind;
-            if (operatorKind.HasValue)
-            {
-                // Convert assignment such as `a += b` into `a = a + b`.
-                var simpleAssignExpr = new Expression(new ExpressionInfo(Context, Type, Location, ExprKind.SIMPLE_ASSIGN, this, 2, isCompilerGenerated: true, null));
-                Create(Context, Syntax.Left, simpleAssignExpr, 1);
-                var opexpr = new Expression(new ExpressionInfo(Context, Type, Location, operatorKind.Value, simpleAssignExpr, 0, isCompilerGenerated: true, null));
-                Create(Context, Syntax.Left, opexpr, 0, isCompilerGenerated: true);
-                Create(Context, Syntax.Right, opexpr, 1);
-                opexpr.OperatorCall(trapFile, Syntax);
-            }
-            else
-            {
-                Create(Context, Syntax.Left, this, 1);
-                Create(Context, Syntax.Right, this, 0);
+            Create(Context, Syntax.Left, this, 0);
+            Create(Context, Syntax.Right, this, 1);
 
-                if (Kind == ExprKind.ADD_EVENT || Kind == ExprKind.REMOVE_EVENT)
-                {
-                    OperatorCall(trapFile, Syntax);
-                }
+            if (Kind != ExprKind.SIMPLE_ASSIGN && Kind != ExprKind.ASSIGN_COALESCE)
+            {
+                OperatorCall(trapFile, Syntax);
             }
         }
 
@@ -108,56 +94,5 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
             return kind;
         }
-
-        /// <summary>
-        /// Gets the kind of this assignment operator (<code>null</code> if the
-        /// assignment is not an assignment operator). For example, the operator
-        /// kind of `*=` is `*`.
-        /// </summary>
-        private ExprKind? OperatorKind
-        {
-            get
-            {
-                var kind = Kind;
-                if (kind == ExprKind.REMOVE_EVENT || kind == ExprKind.ADD_EVENT || kind == ExprKind.SIMPLE_ASSIGN)
-                    return null;
-
-                if (CallType.AdjustKind(kind) == ExprKind.OPERATOR_INVOCATION)
-                    return ExprKind.OPERATOR_INVOCATION;
-
-                switch (kind)
-                {
-                    case ExprKind.ASSIGN_ADD:
-                        return ExprKind.ADD;
-                    case ExprKind.ASSIGN_AND:
-                        return ExprKind.BIT_AND;
-                    case ExprKind.ASSIGN_DIV:
-                        return ExprKind.DIV;
-                    case ExprKind.ASSIGN_LSHIFT:
-                        return ExprKind.LSHIFT;
-                    case ExprKind.ASSIGN_MUL:
-                        return ExprKind.MUL;
-                    case ExprKind.ASSIGN_OR:
-                        return ExprKind.BIT_OR;
-                    case ExprKind.ASSIGN_REM:
-                        return ExprKind.REM;
-                    case ExprKind.ASSIGN_RSHIFT:
-                        return ExprKind.RSHIFT;
-                    case ExprKind.ASSIGN_URSHIFT:
-                        return ExprKind.URSHIFT;
-                    case ExprKind.ASSIGN_SUB:
-                        return ExprKind.SUB;
-                    case ExprKind.ASSIGN_XOR:
-                        return ExprKind.BIT_XOR;
-                    case ExprKind.ASSIGN_COALESCE:
-                        return ExprKind.NULL_COALESCING;
-                    default:
-                        Context.ModelError(Syntax, $"Couldn't unfold assignment of type {kind}");
-                        return ExprKind.UNKNOWN;
-                }
-            }
-        }
-
-        public new CallType CallType => GetCallType(Context, Syntax);
     }
 }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs

@@ -83,8 +83,22 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 {
                     var assignmentInfo = new ExpressionNodeInfo(Context, init, this, child++).SetKind(ExprKind.SIMPLE_ASSIGN);
                     var assignmentEntity = new Expression(assignmentInfo);
+                    var target = Context.GetSymbolInfo(assignment.Left);
+
+                    // If the target is null, then assume that this is an array initializer (of the form `[...] = ...`)
+                    var access = target.Symbol is null ?
+                        new Expression(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 0).SetKind(ExprKind.ARRAY_ACCESS)) :
+                        Access.Create(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 0), target.Symbol, false, Context.CreateEntity(target.Symbol));
+
+                    if (assignment.Left is ImplicitElementAccessSyntax iea)
+                    {
+                        // An array/indexer initializer of the form `[...] = ...`
+                        access.PopulateArguments(trapFile, iea.ArgumentList.Arguments, 0);
+                    }
+
                     var typeInfoRight = Context.GetTypeInfo(assignment.Right);
                     if (typeInfoRight.Type is null)
+                    {
                         // The type may be null for nested initializers such as
                         // ```csharp
                         // new ClassWithArrayField() { As = { [0] = a } }
@@ -92,21 +106,8 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         // In this case we take the type from the assignment
                         // `As = { [0] = a }` instead
                         typeInfoRight = assignmentInfo.TypeInfo;
-                    CreateFromNode(new ExpressionNodeInfo(Context, assignment.Right, assignmentEntity, 0, typeInfoRight));
-
-                    var target = Context.GetSymbolInfo(assignment.Left);
-
-                    // If the target is null, then assume that this is an array initializer (of the form `[...] = ...`)
-
-                    var access = target.Symbol is null ?
-                        new Expression(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 1).SetKind(ExprKind.ARRAY_ACCESS)) :
-                        Access.Create(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 1), target.Symbol, false, Context.CreateEntity(target.Symbol));
-
-                    if (assignment.Left is ImplicitElementAccessSyntax iea)
-                    {
-                        // An array/indexer initializer of the form `[...] = ...`
-                        access.PopulateArguments(trapFile, iea.ArgumentList.Arguments, 0);
                     }
+                    CreateFromNode(new ExpressionNodeInfo(Context, assignment.Right, assignmentEntity, 1, typeInfoRight));
                 }
                 else
                 {

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs

@@ -41,11 +41,11 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 var loc = Context.CreateLocation(init.GetLocation());
 
                 var assignment = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.SIMPLE_ASSIGN, objectInitializer, child++, isCompilerGenerated: false, null));
-                Create(Context, init.Expression, assignment, 0);
                 Property.Create(Context, property);
-
-                var access = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.PROPERTY_ACCESS, assignment, 1, isCompilerGenerated: false, null));
+                var access = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.PROPERTY_ACCESS, assignment, 0, isCompilerGenerated: false, null));
                 trapFile.expr_access(access, propEntity);
+
+                Create(Context, init.Expression, assignment, 1);
             }
         }
     }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Query.cs

@@ -94,12 +94,12 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     child
                     );
 
-                Expression.Create(cx, Expr, decl, 0);
-
                 var nameLoc = cx.CreateLocation(name.GetLocation());
-                var access = new Expression(new ExpressionInfo(cx, type, nameLoc, ExprKind.LOCAL_VARIABLE_ACCESS, decl, 1, isCompilerGenerated: false, null));
+                var access = new Expression(new ExpressionInfo(cx, type, nameLoc, ExprKind.LOCAL_VARIABLE_ACCESS, decl, 0, isCompilerGenerated: false, null));
                 cx.TrapWriter.Writer.expr_access(access, LocalVariable.Create(cx, variableSymbol));
 
+                Expression.Create(cx, Expr, decl, 1);
+
                 return decl;
             }
 

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/VariableDeclaration.cs

@@ -176,11 +176,11 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
                 if (d.Initializer is not null)
                 {
-                    Create(cx, d.Initializer.Value, ret, 0);
-
                     // Create an access
-                    var access = new Expression(new ExpressionInfo(cx, type, localVar.Location, ExprKind.LOCAL_VARIABLE_ACCESS, ret, 1, isCompilerGenerated: false, null));
+                    var access = new Expression(new ExpressionInfo(cx, type, localVar.Location, ExprKind.LOCAL_VARIABLE_ACCESS, ret, 0, isCompilerGenerated: false, null));
                     cx.TrapWriter.Writer.expr_access(access, localVar);
+
+                    Create(cx, d.Initializer.Value, ret, 1);
                 }
 
                 if (d.Parent is VariableDeclarationSyntax decl)

csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs

@@ -116,9 +116,9 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             var type = Symbol.GetAnnotatedType();
             var simpleAssignExpr = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.SIMPLE_ASSIGN, this, child++, isCompilerGenerated: true, constValue));
-            Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer, simpleAssignExpr, 0));
-            var access = new Expression(new ExpressionInfo(Context, type, Location, ExprKind.FIELD_ACCESS, simpleAssignExpr, 1, isCompilerGenerated: true, constValue));
+            var access = new Expression(new ExpressionInfo(Context, type, Location, ExprKind.FIELD_ACCESS, simpleAssignExpr, 0, isCompilerGenerated: true, constValue));
             trapFile.expr_access(access, this);
+            Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer, simpleAssignExpr, 1));
             return access;
         }
 

csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs

@@ -94,9 +94,9 @@ namespace Semmle.Extraction.CSharp.Entities
                         var loc = Context.CreateLocation(initializer!.GetLocation());
                         var annotatedType = AnnotatedTypeSymbol.CreateNotAnnotated(Symbol.Type);
                         var simpleAssignExpr = new Expression(new ExpressionInfo(Context, annotatedType, loc, ExprKind.SIMPLE_ASSIGN, this, child++, isCompilerGenerated: true, null));
-                        Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer.Value, simpleAssignExpr, 0));
-                        var access = new Expression(new ExpressionInfo(Context, annotatedType, Location, ExprKind.PROPERTY_ACCESS, simpleAssignExpr, 1, isCompilerGenerated: true, null));
+                        var access = new Expression(new ExpressionInfo(Context, annotatedType, Location, ExprKind.PROPERTY_ACCESS, simpleAssignExpr, 0, isCompilerGenerated: true, null));
                         trapFile.expr_access(access, this);
+                        Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer.Value, simpleAssignExpr, 1));
                         if (!Symbol.IsStatic)
                         {
                             This.CreateImplicit(Context, Symbol.ContainingType, Location, access, -1);

csharp/ql/campaigns/Solorigate/src/ModifiedFnvFunctionDetection.ql

@@ -16,16 +16,9 @@ import experimental.code.csharp.Cryptography.NonCryptographicHashes
 from Variable v, Literal l, LoopStmt loop, Expr additional_xor
 where
   maybeUsedInFnvFunction(v, _, _, loop) and
-  (
-    exists(BitwiseXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
-      loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
-      xor2.getAnOperand() = v.getAnAccess()
-    )
-    or
-    exists(AssignXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
-      loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
-      xor2.getAnOperand() = v.getAnAccess()
-    )
+  exists(BitwiseXorOperation xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
+    loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
+    xor2.getAnOperand() = v.getAnAccess()
   )
 select l, "This literal is used in an $@ after an FNV-like hash calculation with variable $@.",
   additional_xor, "additional xor", v, v.toString()

csharp/ql/integration-tests/all-platforms/autobuild/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/autobuild_slnx/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/binlog/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/binlog_multiple/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/blazor/Files.expected

@@ -14,12 +14,12 @@
 | BlazorTest/obj/Debug/net10.0/EmbeddedAttribute.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/EmbeddedAttribute.cs |
 | BlazorTest/obj/Debug/net10.0/ValidatableTypeAttribute.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/ValidatableTypeAttribute.cs |
 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_App_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_App_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_MainLayout_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_MainLayout_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_NavMenu_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_NavMenu_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyInput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyInput_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyOutput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyOutput_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_Error_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_Error_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Routes_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Routes_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components__Imports_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components__Imports_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/App_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/App_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/MainLayout_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/MainLayout_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/NavMenu_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/NavMenu_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyInput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyInput_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyOutput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyOutput_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/Error_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/Error_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Routes_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Routes_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/_Imports_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/_Imports_razor.g.cs |

csharp/ql/integration-tests/all-platforms/blazor/XSS.expected

@@ -3,8 +3,8 @@
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | User-provided value |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | User-provided value |
 edges
-| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
+| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
 models
 | 1 | Sink: Microsoft.AspNetCore.Components; MarkupString; false; MarkupString; (System.String); ; Argument[0]; html-injection; manual |
 | 2 | Source: Microsoft.AspNetCore.Components; SupplyParameterFromQueryAttribute; false; ; ; Attribute.Getter; ReturnValue; remote; manual |
@@ -14,5 +14,5 @@ nodes
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | semmle.label | access to property UrlParam |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | semmle.label | access to property QueryParam |
 | BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | semmle.label | access to property QueryParam : String |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
 subpaths

csharp/ql/integration-tests/all-platforms/blazor/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/Files.expected

@@ -8,13 +8,13 @@
 | BlazorTest/Components/Routes.razor |
 | BlazorTest/Components/_Imports.razor |
 | BlazorTest/Program.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_App_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_MainLayout_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_NavMenu_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyInput_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyOutput_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_Error_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Routes_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components__Imports_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/App_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/MainLayout_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/NavMenu_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyInput_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyOutput_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/Error_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Routes_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/_Imports_razor.g.cs |
 | test-db/working/implicitUsings/GlobalUsings.g.cs |

csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.expected

@@ -3,8 +3,8 @@
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | User-provided value |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | User-provided value |
 edges
-| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
-| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
+| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
+| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
 models
 | 1 | Sink: Microsoft.AspNetCore.Components; MarkupString; false; MarkupString; (System.String); ; Argument[0]; html-injection; manual |
 | 2 | Source: Microsoft.AspNetCore.Components; SupplyParameterFromQueryAttribute; false; ; ; Attribute.Getter; ReturnValue; remote; manual |
@@ -14,5 +14,5 @@ nodes
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | semmle.label | access to property UrlParam |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | semmle.label | access to property QueryParam |
 | BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | semmle.label | access to property QueryParam : String |
-| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
+| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
 subpaths

csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/conditional_compilation/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/cshtml/Files.expected

@@ -5,4 +5,4 @@
 | obj/Debug/net10.0/cshtml.GlobalUsings.g.cs:0:0:0:0 | obj/Debug/net10.0/cshtml.GlobalUsings.g.cs |
 | obj/Debug/net10.0/cshtml.RazorAssemblyInfo.cs:0:0:0:0 | obj/Debug/net10.0/cshtml.RazorAssemblyInfo.cs |
 | obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs:0:0:0:0 | obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs |
-| obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs:0:0:0:0 | obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs |
+| obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs:0:0:0:0 | obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs |

csharp/ql/integration-tests/all-platforms/cshtml/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/cshtml_standalone/Files.expected

@@ -1,4 +1,4 @@
 | Program.cs |
 | Views/Home/Index.cshtml |
 | test-db/working/implicitUsings/GlobalUsings.g.cs |
-| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs |
+| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs |

csharp/ql/integration-tests/all-platforms/cshtml_standalone/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/cshtml_standalone_disabled/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/cshtml_standalone_net6/Files.expected

@@ -1,4 +1,4 @@
 | Program.cs |
 | Views/Home/Index.cshtml |
 | test-db/working/implicitUsings/GlobalUsings.g.cs |
-| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/[...]/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs |
+| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/[...]/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs |

csharp/ql/integration-tests/all-platforms/cshtml_standalone_net6/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "6.0.418"
+        "version": "10.0.201"
     }
-}
+}

csharp/ql/integration-tests/all-platforms/diag_dotnet_incompatible/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/diag_missing_project_files/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/diag_missing_xamarin_sdk/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/diag_recursive_generics/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/dotnet_10/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/dotnet_build/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/dotnet_no_args_inject/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/dotnet_pack/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/dotnet_publish/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/dotnet_run/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/source_generator/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }

csharp/ql/integration-tests/all-platforms/standalone/global.json

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
     }
 }