Merge branch 'main' into rdmarsh2/ir-global-vars

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -208,11 +208,16 @@ postWithInFlow
 | lambdas.cpp:13:7:13:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:13:10:17:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:13:10:17:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:13:11:13:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:13:11:13:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:16:3:16:11 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:7:20:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:10:24:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:10:24:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:10:24:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:3 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -220,6 +225,8 @@ postWithInFlow
 | lambdas.cpp:28:7:28:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:28:11:28:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:28:11:28:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:34:7:34:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:34:13:34:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:40:7:40:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -27,7 +27,8 @@
 | arrayassignment.cpp:29:8:29:13 | call to source | arrayassignment.cpp:29:2:29:15 | ... = ... |  |
 | arrayassignment.cpp:29:8:29:13 | call to source | arrayassignment.cpp:33:7:33:9 | r_x |  |
 | arrayassignment.cpp:32:8:32:10 | p_x | arrayassignment.cpp:32:7:32:10 | * ... | TAINT |
-| arrayassignment.cpp:37:7:37:7 | Unknown literal | arrayassignment.cpp:37:7:37:7 | constructor init of field i | TAINT |
+| arrayassignment.cpp:37:7:37:7 | i | arrayassignment.cpp:37:7:37:7 | constructor init of field i | TAINT |
+| arrayassignment.cpp:37:7:37:7 | i | arrayassignment.cpp:37:7:37:7 | i |  |
 | arrayassignment.cpp:37:7:37:7 | this | arrayassignment.cpp:37:7:37:7 | constructor init of field i [pre-this] |  |
 | arrayassignment.cpp:40:2:40:6 | this | arrayassignment.cpp:40:12:40:15 | constructor init of field i [pre-this] |  |
 | arrayassignment.cpp:40:12:40:15 | 0 | arrayassignment.cpp:40:12:40:15 | constructor init of field i | TAINT |
@@ -284,6 +285,7 @@
 | copyableclass_declonly.cpp:67:13:67:18 | call to source | copyableclass_declonly.cpp:67:13:67:20 | call to MyCopyableClassDeclOnly | TAINT |
 | copyableclass_declonly.cpp:67:13:67:20 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:67:8:67:9 | ref arg s3 | TAINT |
 | copyableclass_declonly.cpp:67:13:67:20 | call to MyCopyableClassDeclOnly | copyableclass_declonly.cpp:67:11:67:11 | call to operator= | TAINT |
+| file://:0:0:0:0 | (unnamed parameter 0) | arrayassignment.cpp:37:7:37:7 | (unnamed parameter 0) |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
@@ -299,6 +301,27 @@
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:75:8:75:8 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:75:8:75:8 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | structlikeclass.cpp:5:7:5:7 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | structlikeclass.cpp:5:7:5:7 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | taint.cpp:228:11:228:11 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | taint.cpp:228:11:228:11 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | taint.cpp:235:11:235:11 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | taint.cpp:235:11:235:11 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | taint.cpp:235:11:235:11 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | taint.cpp:243:11:243:11 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | taint.cpp:243:11:243:11 | (unnamed parameter 0) |  |
 | format.cpp:16:21:16:21 | s | format.cpp:16:21:16:21 | s |  |
 | format.cpp:16:21:16:21 | s | format.cpp:22:22:22:22 | s |  |
 | format.cpp:16:31:16:31 | n | format.cpp:22:25:22:25 | n |  |
@@ -3554,8 +3577,10 @@
 | standalone_iterators.cpp:120:2:120:3 | it | standalone_iterators.cpp:120:5:120:5 | call to operator+= | TAINT |
 | standalone_iterators.cpp:120:2:120:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it |  |
 | standalone_iterators.cpp:120:8:120:13 | call to source | standalone_iterators.cpp:120:2:120:3 | ref arg it | TAINT |
-| stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
-| stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
+| stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | constructor init of field container | TAINT |
+| stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | constructor init of field container | TAINT |
+| stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | container |  |
+| stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | container |  |
 | stl.h:75:8:75:8 | this | stl.h:75:8:75:8 | constructor init of field container [pre-this] |  |
 | stl.h:75:8:75:8 | this | stl.h:75:8:75:8 | constructor init of field container [pre-this] |  |
 | stl.h:95:69:95:69 | x | stl.h:95:69:95:69 | x |  |
@@ -3573,16 +3598,6 @@
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
 | stl.h:292:53:292:63 | 0 | stl.h:292:46:292:64 | (no string representation) | TAINT |
-| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
-| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
-| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
-| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
-| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
-| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
-| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
-| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
-| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
-| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
 | stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
 | stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
 | stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
@@ -3593,6 +3608,26 @@
 | stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
 | stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
 | stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | first |  |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | first |  |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | first |  |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | first |  |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | first |  |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | second |  |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | second |  |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | second |  |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | second |  |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | second |  |
 | stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
 | stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
 | stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
@@ -5354,10 +5389,12 @@
 | stringstream.cpp:266:54:266:58 | ref arg call to flush | stringstream.cpp:266:35:266:39 | ref arg call to write | TAINT |
 | stringstream.cpp:266:68:266:72 | xyz | stringstream.cpp:266:54:266:58 | ref arg call to flush | TAINT |
 | stringstream.cpp:266:68:266:72 | xyz | stringstream.cpp:266:62:266:66 | call to write | TAINT |
-| structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
-| structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
 | structlikeclass.cpp:5:7:5:7 | this | structlikeclass.cpp:5:7:5:7 | constructor init of field v [pre-this] |  |
 | structlikeclass.cpp:5:7:5:7 | this | structlikeclass.cpp:5:7:5:7 | constructor init of field v [pre-this] |  |
+| structlikeclass.cpp:5:7:5:7 | v | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
+| structlikeclass.cpp:5:7:5:7 | v | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
+| structlikeclass.cpp:5:7:5:7 | v | structlikeclass.cpp:5:7:5:7 | v |  |
+| structlikeclass.cpp:5:7:5:7 | v | structlikeclass.cpp:5:7:5:7 | v |  |
 | structlikeclass.cpp:8:2:8:16 | this | structlikeclass.cpp:8:28:8:32 | constructor init of field v [pre-this] |  |
 | structlikeclass.cpp:8:22:8:23 | _v | structlikeclass.cpp:8:30:8:31 | _v |  |
 | structlikeclass.cpp:8:30:8:31 | _v | structlikeclass.cpp:8:28:8:32 | constructor init of field v | TAINT |
@@ -5973,24 +6010,29 @@
 | taint.cpp:226:9:226:10 | 0 | taint.cpp:261:7:261:7 | w |  |
 | taint.cpp:228:10:232:2 | [...](...){...} | taint.cpp:233:7:233:7 | a |  |
 | taint.cpp:228:10:232:2 | {...} | taint.cpp:228:10:232:2 | [...](...){...} |  |
-| taint.cpp:228:11:228:11 | Unknown literal | taint.cpp:228:11:228:11 | constructor init of field t | TAINT |
-| taint.cpp:228:11:228:11 | Unknown literal | taint.cpp:228:11:228:11 | constructor init of field u | TAINT |
 | taint.cpp:228:11:228:11 | constructor init of field t [post-this] | taint.cpp:228:11:228:11 | constructor init of field u [pre-this] |  |
 | taint.cpp:228:11:228:11 | constructor init of field t [pre-this] | taint.cpp:228:11:228:11 | constructor init of field u [pre-this] |  |
+| taint.cpp:228:11:228:11 | t | taint.cpp:228:11:228:11 | constructor init of field t | TAINT |
+| taint.cpp:228:11:228:11 | t | taint.cpp:228:11:228:11 | t |  |
 | taint.cpp:228:11:228:11 | this | taint.cpp:228:11:228:11 | constructor init of field t [pre-this] |  |
+| taint.cpp:228:11:228:11 | u | taint.cpp:228:11:228:11 | constructor init of field u | TAINT |
+| taint.cpp:228:11:228:11 | u | taint.cpp:228:11:228:11 | u |  |
 | taint.cpp:228:17:228:17 | this | taint.cpp:229:3:229:6 | this |  |
 | taint.cpp:229:3:229:6 | this | taint.cpp:230:3:230:6 | this |  |
 | taint.cpp:230:3:230:6 | this | file://:0:0:0:0 | this |  |
 | taint.cpp:235:10:239:2 | [...](...){...} | taint.cpp:240:2:240:2 | b |  |
 | taint.cpp:235:10:239:2 | {...} | taint.cpp:235:10:239:2 | [...](...){...} |  |
-| taint.cpp:235:11:235:11 | Unknown literal | taint.cpp:235:11:235:11 | constructor init of field t | TAINT |
-| taint.cpp:235:11:235:11 | Unknown literal | taint.cpp:235:11:235:11 | constructor init of field u | TAINT |
-| taint.cpp:235:11:235:11 | Unknown literal | taint.cpp:235:11:235:11 | constructor init of field v | TAINT |
 | taint.cpp:235:11:235:11 | constructor init of field t [post-this] | taint.cpp:235:11:235:11 | constructor init of field u [pre-this] |  |
 | taint.cpp:235:11:235:11 | constructor init of field t [pre-this] | taint.cpp:235:11:235:11 | constructor init of field u [pre-this] |  |
 | taint.cpp:235:11:235:11 | constructor init of field u [post-this] | taint.cpp:235:11:235:11 | constructor init of field v [pre-this] |  |
 | taint.cpp:235:11:235:11 | constructor init of field u [pre-this] | taint.cpp:235:11:235:11 | constructor init of field v [pre-this] |  |
+| taint.cpp:235:11:235:11 | t | taint.cpp:235:11:235:11 | constructor init of field t | TAINT |
+| taint.cpp:235:11:235:11 | t | taint.cpp:235:11:235:11 | t |  |
 | taint.cpp:235:11:235:11 | this | taint.cpp:235:11:235:11 | constructor init of field t [pre-this] |  |
+| taint.cpp:235:11:235:11 | u | taint.cpp:235:11:235:11 | constructor init of field u | TAINT |
+| taint.cpp:235:11:235:11 | u | taint.cpp:235:11:235:11 | u |  |
+| taint.cpp:235:11:235:11 | v | taint.cpp:235:11:235:11 | constructor init of field v | TAINT |
+| taint.cpp:235:11:235:11 | v | taint.cpp:235:11:235:11 | v |  |
 | taint.cpp:235:15:235:15 | this | taint.cpp:236:3:236:6 | this |  |
 | taint.cpp:236:3:236:6 | this | taint.cpp:237:3:237:6 | this |  |
 | taint.cpp:237:3:237:6 | this | taint.cpp:238:3:238:14 | this |  |
@@ -5998,11 +6040,13 @@
 | taint.cpp:238:7:238:12 | call to source | taint.cpp:238:3:238:14 | ... = ... |  |
 | taint.cpp:243:10:246:2 | [...](...){...} | taint.cpp:247:2:247:2 | c |  |
 | taint.cpp:243:10:246:2 | {...} | taint.cpp:243:10:246:2 | [...](...){...} |  |
-| taint.cpp:243:11:243:11 | Unknown literal | taint.cpp:243:11:243:11 | constructor init of field t | TAINT |
-| taint.cpp:243:11:243:11 | Unknown literal | taint.cpp:243:11:243:11 | constructor init of field u | TAINT |
 | taint.cpp:243:11:243:11 | constructor init of field t [post-this] | taint.cpp:243:11:243:11 | constructor init of field u [pre-this] |  |
 | taint.cpp:243:11:243:11 | constructor init of field t [pre-this] | taint.cpp:243:11:243:11 | constructor init of field u [pre-this] |  |
+| taint.cpp:243:11:243:11 | t | taint.cpp:243:11:243:11 | constructor init of field t | TAINT |
+| taint.cpp:243:11:243:11 | t | taint.cpp:243:11:243:11 | t |  |
 | taint.cpp:243:11:243:11 | this | taint.cpp:243:11:243:11 | constructor init of field t [pre-this] |  |
+| taint.cpp:243:11:243:11 | u | taint.cpp:243:11:243:11 | constructor init of field u | TAINT |
+| taint.cpp:243:11:243:11 | u | taint.cpp:243:11:243:11 | u |  |
 | taint.cpp:243:15:243:15 | this | taint.cpp:244:3:244:6 | this |  |
 | taint.cpp:244:3:244:6 | this | taint.cpp:245:3:245:6 | this |  |
 | taint.cpp:249:11:252:2 | [...](...){...} | taint.cpp:253:2:253:2 | d |  |

cpp/ql/test/library-tests/defuse/isAddressOfAccess.expected

@@ -12,8 +12,12 @@
 | addressOf.cpp:40:15:40:15 | i | non-const address |
 | addressOf.cpp:42:19:42:22 | iref | non-const address |
 | addressOf.cpp:47:12:47:31 | captured | non-const address |
+| addressOf.cpp:47:13:47:13 | (unnamed parameter 0) |  |
+| addressOf.cpp:47:13:47:13 | captured |  |
 | addressOf.cpp:47:19:47:28 | captured |  |
 | addressOf.cpp:48:3:48:4 | f1 | const address |
+| addressOf.cpp:49:13:49:13 | (unnamed parameter 0) |  |
+| addressOf.cpp:49:13:49:13 | captured |  |
 | addressOf.cpp:49:15:49:22 | captured | non-const address |
 | addressOf.cpp:49:27:49:36 | captured |  |
 | addressOf.cpp:50:3:50:4 | f2 | const address |
@@ -245,6 +249,10 @@
 | test.cpp:173:19:173:19 | x | const address |
 | test.cpp:174:20:174:20 | x | const address |
 | test.cpp:175:7:175:7 | x |  |
+| test.cpp:178:8:178:8 | (unnamed parameter 0) |  |
+| test.cpp:178:8:178:8 | (unnamed parameter 0) |  |
+| test.cpp:178:8:178:8 | nested |  |
+| test.cpp:178:8:178:8 | x_ |  |
 | test.cpp:183:38:183:41 | yptr |  |
 | test.cpp:183:48:183:48 | z |  |
 | test.cpp:184:28:184:35 | static_y | non-const address |

cpp/ql/test/library-tests/defuse/parameterUsePair.expected

@@ -8,6 +8,10 @@
 | addressOf.cpp:61:33:61:35 | ref | addressOf.cpp:63:24:63:26 | ref |
 | addressOf.cpp:70:29:70:31 | obj | addressOf.cpp:71:32:71:34 | obj |
 | addressOf.cpp:70:29:70:31 | obj | addressOf.cpp:71:32:71:34 | obj |
+| file://:0:0:0:0 | (unnamed parameter 0) | addressOf.cpp:47:13:47:13 | (unnamed parameter 0) |
+| file://:0:0:0:0 | (unnamed parameter 0) | addressOf.cpp:49:13:49:13 | (unnamed parameter 0) |
+| file://:0:0:0:0 | (unnamed parameter 0) | test.cpp:178:8:178:8 | (unnamed parameter 0) |
+| file://:0:0:0:0 | (unnamed parameter 0) | test.cpp:178:8:178:8 | (unnamed parameter 0) |
 | indirect_use.cpp:19:31:19:32 | ip | indirect_use.cpp:20:14:20:15 | ip |
 | indirect_use.cpp:24:31:24:32 | ip | indirect_use.cpp:25:14:25:15 | ip |
 | indirect_use.cpp:30:28:30:30 | ppp | indirect_use.cpp:31:19:31:21 | ppp |

cpp/ql/test/library-tests/defuse/useOfVar.expected

@@ -26,6 +26,10 @@
 | addressOf.cpp:70:29:70:31 | obj | addressOf.cpp:71:32:71:34 | obj |
 | addressOf.cpp:76:7:76:7 | x | addressOf.cpp:77:27:77:27 | x |
 | addressOf.cpp:76:7:76:7 | x | addressOf.cpp:77:48:77:48 | x |
+| file://:0:0:0:0 | (unnamed parameter 0) | addressOf.cpp:47:13:47:13 | (unnamed parameter 0) |
+| file://:0:0:0:0 | (unnamed parameter 0) | addressOf.cpp:49:13:49:13 | (unnamed parameter 0) |
+| file://:0:0:0:0 | (unnamed parameter 0) | test.cpp:178:8:178:8 | (unnamed parameter 0) |
+| file://:0:0:0:0 | (unnamed parameter 0) | test.cpp:178:8:178:8 | (unnamed parameter 0) |
 | indirect_use.cpp:19:31:19:32 | ip | indirect_use.cpp:20:14:20:15 | ip |
 | indirect_use.cpp:20:10:20:10 | p | indirect_use.cpp:21:17:21:17 | p |
 | indirect_use.cpp:24:31:24:32 | ip | indirect_use.cpp:25:14:25:15 | ip |

cpp/ql/test/library-tests/defuse/useOfVarActual.expected

@@ -12,6 +12,10 @@
 | addressOf.cpp:61:23:61:25 | ptr | addressOf.cpp:63:19:63:21 | ptr |
 | addressOf.cpp:70:29:70:31 | obj | addressOf.cpp:71:32:71:34 | obj |
 | addressOf.cpp:76:7:76:7 | x | addressOf.cpp:77:48:77:48 | x |
+| file://:0:0:0:0 | (unnamed parameter 0) | addressOf.cpp:47:13:47:13 | (unnamed parameter 0) |
+| file://:0:0:0:0 | (unnamed parameter 0) | addressOf.cpp:49:13:49:13 | (unnamed parameter 0) |
+| file://:0:0:0:0 | (unnamed parameter 0) | test.cpp:178:8:178:8 | (unnamed parameter 0) |
+| file://:0:0:0:0 | (unnamed parameter 0) | test.cpp:178:8:178:8 | (unnamed parameter 0) |
 | indirect_use.cpp:19:31:19:32 | ip | indirect_use.cpp:20:14:20:15 | ip |
 | indirect_use.cpp:20:10:20:10 | p | indirect_use.cpp:21:17:21:17 | p |
 | indirect_use.cpp:24:31:24:32 | ip | indirect_use.cpp:25:14:25:15 | ip |

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -13035,6 +13035,23 @@ ir.cpp:
 # 1689|   getEntryPoint(): [BlockStmt] { ... }
 # 1689|     getStmt(0): [EmptyStmt] ;
 # 1689|     getStmt(1): [ReturnStmt] return ...
+# 1693| [TopLevelFunction] int goto_on_same_line()
+# 1693|   <params>: 
+# 1693|   getEntryPoint(): [BlockStmt] { ... }
+# 1694|     getStmt(0): [DeclStmt] declaration
+# 1694|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of x
+# 1694|           Type = [IntType] int
+# 1694|         getVariable().getInitializer(): [Initializer] initializer for x
+# 1694|           getExpr(): [Literal] 42
+# 1694|               Type = [IntType] int
+# 1694|               Value = [Literal] 42
+# 1694|               ValueCategory = prvalue
+# 1695|     getStmt(1): [GotoStmt] goto ...
+# 1695|     getStmt(2): [LabelStmt] label ...:
+# 1696|     getStmt(3): [ReturnStmt] return ...
+# 1696|       getExpr(): [VariableAccess] x
+# 1696|           Type = [IntType] int
+# 1696|           ValueCategory = prvalue(load)
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   <params>: 

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected

@@ -6,6 +6,9 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| bad_asts.cpp:19:10:19:10 | FieldAddress: constructor init of field x | Instruction 'FieldAddress: constructor init of field x' has no successors in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field i | Instruction 'FieldAddress: constructor init of field i' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1539:8:1539:8 | FieldAddress: constructor init of field i | Instruction 'FieldAddress: constructor init of field i' has no successors in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
 | ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
 | ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors

cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected

@@ -6,6 +6,9 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| bad_asts.cpp:19:10:19:10 | FieldAddress: constructor init of field x | Instruction 'FieldAddress: constructor init of field x' has no successors in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field i | Instruction 'FieldAddress: constructor init of field i' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1539:8:1539:8 | FieldAddress: constructor init of field i | Instruction 'FieldAddress: constructor init of field i' has no successors in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
 | ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
 | ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -1690,10 +1690,15 @@ void captured_lambda(int x, int &y, int &&z)
     };
 }
 
+int goto_on_same_line() {
+  int x = 42;
+  goto next; next:
+  return x;
+}
+
 int global_1;
 
 int global_2 = 1;
 
 const int global_3 = 2;
-
 // semmle-extractor-options: -std=c++17 --clang

cpp/ql/test/library-tests/ir/ir/operand_locations.expected

@@ -41,6 +41,13 @@
 | bad_asts.cpp:16:7:16:23 | ChiTotal | total:m14_4 |
 | bad_asts.cpp:16:7:16:23 | SideEffect | ~m14_4 |
 | bad_asts.cpp:16:25:16:25 | Arg(0) | 0:r16_3 |
+| bad_asts.cpp:19:10:19:10 | Address | &:r19_5 |
+| bad_asts.cpp:19:10:19:10 | Address | &:r19_5 |
+| bad_asts.cpp:19:10:19:10 | Address | &:r19_7 |
+| bad_asts.cpp:19:10:19:10 | ChiPartial | partial:m19_3 |
+| bad_asts.cpp:19:10:19:10 | ChiTotal | total:m19_2 |
+| bad_asts.cpp:19:10:19:10 | Load | m19_6 |
+| bad_asts.cpp:19:10:19:10 | Unary | m19_6 |
 | bad_asts.cpp:22:5:22:9 | Address | &:r22_5 |
 | bad_asts.cpp:22:5:22:9 | Address | &:r22_5 |
 | bad_asts.cpp:22:5:22:9 | Address | &:r22_7 |
@@ -633,6 +640,12 @@
 | file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_2 |
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
@@ -643,6 +656,9 @@
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_5 |
 | file://:0:0:0:0 | Address | &:r0_5 |
 | file://:0:0:0:0 | Address | &:r0_5 |
@@ -692,6 +708,9 @@
 | file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m0_2 |
+| file://:0:0:0:0 | Load | m0_2 |
+| file://:0:0:0:0 | Load | m0_2 |
+| file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m745_6 |
 | file://:0:0:0:0 | Load | m754_6 |
 | file://:0:0:0:0 | Load | m763_6 |
@@ -6779,13 +6798,20 @@
 | ir.cpp:1482:8:1482:8 | SideEffect | m1482_8 |
 | ir.cpp:1486:8:1486:8 | Address | &:r1486_5 |
 | ir.cpp:1486:8:1486:8 | Address | &:r1486_5 |
+| ir.cpp:1486:8:1486:8 | Address | &:r1486_5 |
+| ir.cpp:1486:8:1486:8 | Address | &:r1486_5 |
+| ir.cpp:1486:8:1486:8 | Address | &:r1486_7 |
 | ir.cpp:1486:8:1486:8 | Address | &:r1486_7 |
 | ir.cpp:1486:8:1486:8 | Address | &:r1486_7 |
 | ir.cpp:1486:8:1486:8 | ChiPartial | partial:m1486_3 |
+| ir.cpp:1486:8:1486:8 | ChiPartial | partial:m1486_3 |
 | ir.cpp:1486:8:1486:8 | ChiTotal | total:m1486_2 |
+| ir.cpp:1486:8:1486:8 | ChiTotal | total:m1486_2 |
+| ir.cpp:1486:8:1486:8 | Load | m1486_6 |
 | ir.cpp:1486:8:1486:8 | Load | m1486_6 |
 | ir.cpp:1486:8:1486:8 | SideEffect | m1486_3 |
 | ir.cpp:1486:8:1486:8 | SideEffect | m1486_8 |
+| ir.cpp:1486:8:1486:8 | Unary | m1486_6 |
 | ir.cpp:1499:6:1499:35 | ChiPartial | partial:m1499_3 |
 | ir.cpp:1499:6:1499:35 | ChiTotal | total:m1499_2 |
 | ir.cpp:1499:6:1499:35 | SideEffect | ~m1525_7 |
@@ -6958,13 +6984,20 @@
 | ir.cpp:1528:17:1528:17 | StoreValue | r1528_4 |
 | ir.cpp:1539:8:1539:8 | Address | &:r1539_5 |
 | ir.cpp:1539:8:1539:8 | Address | &:r1539_5 |
+| ir.cpp:1539:8:1539:8 | Address | &:r1539_5 |
+| ir.cpp:1539:8:1539:8 | Address | &:r1539_5 |
+| ir.cpp:1539:8:1539:8 | Address | &:r1539_7 |
 | ir.cpp:1539:8:1539:8 | Address | &:r1539_7 |
 | ir.cpp:1539:8:1539:8 | Address | &:r1539_7 |
 | ir.cpp:1539:8:1539:8 | ChiPartial | partial:m1539_3 |
+| ir.cpp:1539:8:1539:8 | ChiPartial | partial:m1539_3 |
 | ir.cpp:1539:8:1539:8 | ChiTotal | total:m1539_2 |
+| ir.cpp:1539:8:1539:8 | ChiTotal | total:m1539_2 |
+| ir.cpp:1539:8:1539:8 | Load | m1539_6 |
 | ir.cpp:1539:8:1539:8 | Load | m1539_6 |
 | ir.cpp:1539:8:1539:8 | SideEffect | m1539_3 |
 | ir.cpp:1539:8:1539:8 | SideEffect | m1539_8 |
+| ir.cpp:1539:8:1539:8 | Unary | m1539_6 |
 | ir.cpp:1567:60:1567:95 | Address | &:r1567_5 |
 | ir.cpp:1567:60:1567:95 | Address | &:r1567_5 |
 | ir.cpp:1567:60:1567:95 | Address | &:r1567_7 |
@@ -7537,16 +7570,27 @@
 | ir.cpp:1689:50:1689:50 | Load | m1689_6 |
 | ir.cpp:1689:50:1689:50 | SideEffect | m1689_3 |
 | ir.cpp:1689:50:1689:50 | SideEffect | m1689_8 |
-| ir.cpp:1695:5:1695:12 | Address | &:r1695_3 |
-| ir.cpp:1695:5:1695:12 | SideEffect | ~m1695_6 |
-| ir.cpp:1695:16:1695:16 | ChiPartial | partial:m1695_5 |
-| ir.cpp:1695:16:1695:16 | ChiTotal | total:m1695_2 |
-| ir.cpp:1695:16:1695:16 | StoreValue | r1695_4 |
-| ir.cpp:1697:11:1697:18 | Address | &:r1697_3 |
-| ir.cpp:1697:11:1697:18 | SideEffect | ~m1697_6 |
-| ir.cpp:1697:22:1697:22 | ChiPartial | partial:m1697_5 |
-| ir.cpp:1697:22:1697:22 | ChiTotal | total:m1697_2 |
-| ir.cpp:1697:22:1697:22 | StoreValue | r1697_4 |
+| ir.cpp:1693:5:1693:21 | Address | &:r1693_5 |
+| ir.cpp:1693:5:1693:21 | ChiPartial | partial:m1693_3 |
+| ir.cpp:1693:5:1693:21 | ChiTotal | total:m1693_2 |
+| ir.cpp:1693:5:1693:21 | Load | m1696_4 |
+| ir.cpp:1693:5:1693:21 | SideEffect | m1693_3 |
+| ir.cpp:1694:7:1694:7 | Address | &:r1694_1 |
+| ir.cpp:1694:10:1694:12 | StoreValue | r1694_2 |
+| ir.cpp:1696:3:1696:11 | Address | &:r1696_1 |
+| ir.cpp:1696:10:1696:10 | Address | &:r1696_2 |
+| ir.cpp:1696:10:1696:10 | Load | m1694_3 |
+| ir.cpp:1696:10:1696:10 | StoreValue | r1696_3 |
+| ir.cpp:1701:5:1701:12 | Address | &:r1701_3 |
+| ir.cpp:1701:5:1701:12 | SideEffect | ~m1701_6 |
+| ir.cpp:1701:16:1701:16 | ChiPartial | partial:m1701_5 |
+| ir.cpp:1701:16:1701:16 | ChiTotal | total:m1701_2 |
+| ir.cpp:1701:16:1701:16 | StoreValue | r1701_4 |
+| ir.cpp:1703:11:1703:18 | Address | &:r1703_3 |
+| ir.cpp:1703:11:1703:18 | SideEffect | ~m1703_6 |
+| ir.cpp:1703:22:1703:22 | ChiPartial | partial:m1703_5 |
+| ir.cpp:1703:22:1703:22 | ChiTotal | total:m1703_2 |
+| ir.cpp:1703:22:1703:22 | StoreValue | r1703_4 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |

cpp/ql/test/library-tests/ir/ir/raw_consistency.expected

@@ -1,4 +1,17 @@
 missingOperand
+| bad_asts.cpp:19:10:19:10 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| bad_asts.cpp:19:10:19:10 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| ir.cpp:1486:8:1486:8 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1539:8:1539:8 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
+| ir.cpp:1539:8:1539:8 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
+| ir.cpp:1539:8:1539:8 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
 | ir.cpp:1688:24:1690:5 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
 | ir.cpp:1688:24:1690:5 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
 | ir.cpp:1689:28:1689:54 | Store: Unknown literal | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
@@ -11,6 +24,19 @@ duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
 | ../../../include/memory.h:68:25:68:33 | CopyValue: (reference to) | Instruction 'CopyValue: (reference to)' has no successors in function '$@'. | ../../../include/memory.h:67:5:67:5 | void std::unique_ptr<int, std::default_delete<int>>::~unique_ptr() | void std::unique_ptr<int, std::default_delete<int>>::~unique_ptr() |
+| bad_asts.cpp:19:10:19:10 | FieldAddress: constructor init of field x | Instruction 'FieldAddress: constructor init of field x' has no successors in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| bad_asts.cpp:19:10:19:10 | FieldAddress: constructor init of field y | Instruction 'FieldAddress: constructor init of field y' has no successors in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field b | Instruction 'FieldAddress: constructor init of field b' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field d | Instruction 'FieldAddress: constructor init of field d' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field i | Instruction 'FieldAddress: constructor init of field i' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field m | Instruction 'FieldAddress: constructor init of field m' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field p | Instruction 'FieldAddress: constructor init of field p' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field r | Instruction 'FieldAddress: constructor init of field r' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field r_alt | Instruction 'FieldAddress: constructor init of field r_alt' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field xs | Instruction 'FieldAddress: constructor init of field xs' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1539:8:1539:8 | FieldAddress: constructor init of field d | Instruction 'FieldAddress: constructor init of field d' has no successors in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
+| ir.cpp:1539:8:1539:8 | FieldAddress: constructor init of field i | Instruction 'FieldAddress: constructor init of field i' has no successors in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
+| ir.cpp:1539:8:1539:8 | FieldAddress: constructor init of field r | Instruction 'FieldAddress: constructor init of field r' has no successors in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
 | ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
 | ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
 | ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
@@ -25,7 +51,36 @@ containsLoopOfForwardEdges
 lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
+| bad_asts.cpp:19:10:19:10 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| bad_asts.cpp:19:10:19:10 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| bad_asts.cpp:19:10:19:10 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| bad_asts.cpp:19:10:19:10 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| file://:0:0:0:0 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| file://:0:0:0:0 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| file://:0:0:0:0 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
+| ir.cpp:1486:8:1486:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
 | ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
+| ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1539:8:1539:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
+| ir.cpp:1539:8:1539:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
+| ir.cpp:1539:8:1539:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
+| ir.cpp:1539:8:1539:8 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
+| ir.cpp:1539:8:1539:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
+| ir.cpp:1539:8:1539:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
 | ir.cpp:1683:34:1683:34 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
 | ir.cpp:1683:43:1683:43 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
 | ir.cpp:1688:10:1688:21 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -49,6 +49,34 @@ bad_asts.cpp:
 #   14|     v14_5(void)           = AliasedUse                      : ~m?
 #   14|     v14_6(void)           = ExitFunction                    : 
 
+#   19| void Bad::Point::Point(Bad::Point const&)
+#   19|   Block 0
+#   19|     v19_1(void)           = EnterFunction                                : 
+#   19|     mu19_2(unknown)       = AliasedDefinition                            : 
+#   19|     mu19_3(unknown)       = InitializeNonLocal                           : 
+#   19|     r19_4(glval<unknown>) = VariableAddress[#this]                       : 
+#   19|     mu19_5(glval<Point>)  = InitializeParameter[#this]                   : &:r19_4
+#   19|     r19_6(glval<Point>)   = Load[#this]                                  : &:r19_4, ~m?
+#   19|     mu19_7(Point)         = InitializeIndirection[#this]                 : &:r19_6
+#-----|     r0_1(glval<Point &>)  = VariableAddress[(unnamed parameter 0)]       : 
+#-----|     mu0_2(Point &)        = InitializeParameter[(unnamed parameter 0)]   : &:r0_1
+#-----|     r0_3(Point &)         = Load[(unnamed parameter 0)]                  : &:r0_1, ~m?
+#-----|     mu0_4(unknown)        = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
+#   19|     r19_8(glval<int>)     = FieldAddress[x]                              : mu19_5
+
+#   19|   Block 1
+#   19|     mu19_9(int)        = Store[?]        : &:r19_8
+#   19|     r19_10(glval<int>) = FieldAddress[y] : mu19_5
+
+#   19|   Block 2
+#   19|     mu19_11(int) = Store[?]                                 : &:r19_10
+#   19|     v19_12(void) = NoOp                                     : 
+#   19|     v19_13(void) = ReturnIndirection[#this]                 : &:r19_6, ~m?
+#-----|     v0_5(void)   = ReturnIndirection[(unnamed parameter 0)] : &:r0_3, ~m?
+#   19|     v19_14(void) = ReturnVoid                               : 
+#   19|     v19_15(void) = AliasedUse                               : ~m?
+#   19|     v19_16(void) = ExitFunction                             : 
+
 #   22| void Bad::Point::Point()
 #   22|   Block 0
 #   22|     v22_1(void)           = EnterFunction                : 
@@ -8046,6 +8074,58 @@ ir.cpp:
 # 1486|     v1486_16(void) = AliasedUse               : ~m?
 # 1486|     v1486_17(void) = ExitFunction             : 
 
+# 1486| void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&)
+# 1486|   Block 0
+# 1486|     v1486_1(void)                                      = EnterFunction                                : 
+# 1486|     mu1486_2(unknown)                                  = AliasedDefinition                            : 
+# 1486|     mu1486_3(unknown)                                  = InitializeNonLocal                           : 
+# 1486|     r1486_4(glval<unknown>)                            = VariableAddress[#this]                       : 
+# 1486|     mu1486_5(glval<StructuredBindingDataMemberStruct>) = InitializeParameter[#this]                   : &:r1486_4
+# 1486|     r1486_6(glval<StructuredBindingDataMemberStruct>)  = Load[#this]                                  : &:r1486_4, ~m?
+# 1486|     mu1486_7(StructuredBindingDataMemberStruct)        = InitializeIndirection[#this]                 : &:r1486_6
+#-----|     r0_1(glval<StructuredBindingDataMemberStruct &>)   = VariableAddress[(unnamed parameter 0)]       : 
+#-----|     mu0_2(StructuredBindingDataMemberStruct &)         = InitializeParameter[(unnamed parameter 0)]   : &:r0_1
+#-----|     r0_3(StructuredBindingDataMemberStruct &)          = Load[(unnamed parameter 0)]                  : &:r0_1, ~m?
+#-----|     mu0_4(unknown)                                     = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
+# 1486|     r1486_8(glval<int>)                                = FieldAddress[i]                              : mu1486_5
+
+# 1486|   Block 1
+# 1486|     mu1486_9(int)           = Store[?]        : &:r1486_8
+# 1486|     r1486_10(glval<double>) = FieldAddress[d] : mu1486_5
+
+# 1486|   Block 2
+# 1486|     mu1486_11(double)             = Store[?]        : &:r1486_10
+# 1486|     r1486_12(glval<unsigned int>) = FieldAddress[b] : mu1486_5
+
+# 1486|   Block 3
+# 1486|     mu1486_13(unsigned int) = Store[?]        : &:r1486_12
+# 1486|     r1486_14(glval<int &>)  = FieldAddress[r] : mu1486_5
+
+# 1486|   Block 4
+# 1486|     mu1486_15(int &)       = Store[?]        : &:r1486_14
+# 1486|     r1486_16(glval<int *>) = FieldAddress[p] : mu1486_5
+
+# 1486|   Block 5
+# 1486|     mu1486_17(int *)        = Store[?]         : &:r1486_16
+# 1486|     r1486_18(glval<int[2]>) = FieldAddress[xs] : mu1486_5
+
+# 1486|   Block 6
+# 1486|     mu1486_19(int[2])      = Store[?]            : &:r1486_18
+# 1486|     r1486_20(glval<int &>) = FieldAddress[r_alt] : mu1486_5
+
+# 1486|   Block 7
+# 1486|     mu1486_21(int &)                                         = Store[?]        : &:r1486_20
+# 1486|     r1486_22(glval<StructuredBindingDataMemberMemberStruct>) = FieldAddress[m] : mu1486_5
+
+# 1486|   Block 8
+# 1486|     mu1486_23(StructuredBindingDataMemberMemberStruct) = Store[?]                                 : &:r1486_22
+# 1486|     v1486_24(void)                                     = NoOp                                     : 
+# 1486|     v1486_25(void)                                     = ReturnIndirection[#this]                 : &:r1486_6, ~m?
+#-----|     v0_5(void)                                         = ReturnIndirection[(unnamed parameter 0)] : &:r0_3, ~m?
+# 1486|     v1486_26(void)                                     = ReturnVoid                               : 
+# 1486|     v1486_27(void)                                     = AliasedUse                               : ~m?
+# 1486|     v1486_28(void)                                     = ExitFunction                             : 
+
 # 1499| void data_member_structured_binding()
 # 1499|   Block 0
 # 1499|     v1499_1(void)                                              = EnterFunction                                      : 
@@ -8226,6 +8306,38 @@ ir.cpp:
 # 1539|     v1539_11(void)                                = AliasedUse                   : ~m?
 # 1539|     v1539_12(void)                                = ExitFunction                 : 
 
+# 1539| void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&)
+# 1539|   Block 0
+# 1539|     v1539_1(void)                                 = EnterFunction                                : 
+# 1539|     mu1539_2(unknown)                             = AliasedDefinition                            : 
+# 1539|     mu1539_3(unknown)                             = InitializeNonLocal                           : 
+# 1539|     r1539_4(glval<unknown>)                       = VariableAddress[#this]                       : 
+# 1539|     mu1539_5(glval<StructuredBindingTupleRefGet>) = InitializeParameter[#this]                   : &:r1539_4
+# 1539|     r1539_6(glval<StructuredBindingTupleRefGet>)  = Load[#this]                                  : &:r1539_4, ~m?
+# 1539|     mu1539_7(StructuredBindingTupleRefGet)        = InitializeIndirection[#this]                 : &:r1539_6
+#-----|     r0_1(glval<StructuredBindingTupleRefGet &>)   = VariableAddress[(unnamed parameter 0)]       : 
+#-----|     mu0_2(StructuredBindingTupleRefGet &)         = InitializeParameter[(unnamed parameter 0)]   : &:r0_1
+#-----|     r0_3(StructuredBindingTupleRefGet &)          = Load[(unnamed parameter 0)]                  : &:r0_1, ~m?
+#-----|     mu0_4(unknown)                                = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
+# 1539|     r1539_8(glval<int>)                           = FieldAddress[i]                              : mu1539_5
+
+# 1539|   Block 1
+# 1539|     mu1539_9(int)           = Store[?]        : &:r1539_8
+# 1539|     r1539_10(glval<double>) = FieldAddress[d] : mu1539_5
+
+# 1539|   Block 2
+# 1539|     mu1539_11(double)      = Store[?]        : &:r1539_10
+# 1539|     r1539_12(glval<int &>) = FieldAddress[r] : mu1539_5
+
+# 1539|   Block 3
+# 1539|     mu1539_13(int &) = Store[?]                                 : &:r1539_12
+# 1539|     v1539_14(void)   = NoOp                                     : 
+# 1539|     v1539_15(void)   = ReturnIndirection[#this]                 : &:r1539_6, ~m?
+#-----|     v0_5(void)       = ReturnIndirection[(unnamed parameter 0)] : &:r0_3, ~m?
+# 1539|     v1539_16(void)   = ReturnVoid                               : 
+# 1539|     v1539_17(void)   = AliasedUse                               : ~m?
+# 1539|     v1539_18(void)   = ExitFunction                             : 
+
 # 1567| std::tuple_element<int 0, StructuredBindingTupleRefGet>::type& StructuredBindingTupleRefGet::get<int 0>()
 # 1567|   Block 0
 # 1567|     v1567_1(void)                                 = EnterFunction                : 
@@ -8859,29 +8971,48 @@ ir.cpp:
 # 1689|     v1689_12(void)                             = AliasedUse                   : ~m?
 # 1689|     v1689_13(void)                             = ExitFunction                 : 
 
-# 1693| int global_1
+# 1693| int goto_on_same_line()
+# 1693|   Block 0
+# 1693|     v1693_1(void)       = EnterFunction            : 
+# 1693|     mu1693_2(unknown)   = AliasedDefinition        : 
+# 1693|     mu1693_3(unknown)   = InitializeNonLocal       : 
+# 1694|     r1694_1(glval<int>) = VariableAddress[x]       : 
+# 1694|     r1694_2(int)        = Constant[42]             : 
+# 1694|     mu1694_3(int)       = Store[x]                 : &:r1694_1, r1694_2
+# 1695|     v1695_1(void)       = NoOp                     : 
+# 1695|     v1695_2(void)       = NoOp                     : 
+# 1696|     r1696_1(glval<int>) = VariableAddress[#return] : 
+# 1696|     r1696_2(glval<int>) = VariableAddress[x]       : 
+# 1696|     r1696_3(int)        = Load[x]                  : &:r1696_2, ~m?
+# 1696|     mu1696_4(int)       = Store[#return]           : &:r1696_1, r1696_3
+# 1693|     r1693_4(glval<int>) = VariableAddress[#return] : 
+# 1693|     v1693_5(void)       = ReturnValue              : &:r1693_4, ~m?
+# 1693|     v1693_6(void)       = AliasedUse               : ~m?
+# 1693|     v1693_7(void)       = ExitFunction             : 
 
-# 1695| int global_2
-# 1695|   Block 0
-# 1695|     v1695_1(void)       = EnterFunction     : 
-# 1695|     mu1695_2(unknown)   = AliasedDefinition : 
-# 1695|     r1695_3(glval<int>) = VariableAddress   : 
-# 1695|     r1695_4(int)        = Constant[1]       : 
-# 1695|     mu1695_5(int)       = Store[?]          : &:r1695_3, r1695_4
-# 1695|     v1695_6(void)       = ReturnVoid        : 
-# 1695|     v1695_7(void)       = AliasedUse        : ~m?
-# 1695|     v1695_8(void)       = ExitFunction      : 
+# 1699| int global_1
 
-# 1697| int const global_3
-# 1697|   Block 0
-# 1697|     v1697_1(void)       = EnterFunction     : 
-# 1697|     mu1697_2(unknown)   = AliasedDefinition : 
-# 1697|     r1697_3(glval<int>) = VariableAddress   : 
-# 1697|     r1697_4(int)        = Constant[2]       : 
-# 1697|     mu1697_5(int)       = Store[?]          : &:r1697_3, r1697_4
-# 1697|     v1697_6(void)       = ReturnVoid        : 
-# 1697|     v1697_7(void)       = AliasedUse        : ~m?
-# 1697|     v1697_8(void)       = ExitFunction      : 
+# 1701| int global_2
+# 1701|   Block 0
+# 1701|     v1701_1(void)       = EnterFunction     : 
+# 1701|     mu1701_2(unknown)   = AliasedDefinition : 
+# 1701|     r1701_3(glval<int>) = VariableAddress   : 
+# 1701|     r1701_4(int)        = Constant[1]       : 
+# 1701|     mu1701_5(int)       = Store[?]          : &:r1701_3, r1701_4
+# 1701|     v1701_6(void)       = ReturnVoid        : 
+# 1701|     v1701_7(void)       = AliasedUse        : ~m?
+# 1701|     v1701_8(void)       = ExitFunction      : 
+
+# 1703| int const global_3
+# 1703|   Block 0
+# 1703|     v1703_1(void)       = EnterFunction     : 
+# 1703|     mu1703_2(unknown)   = AliasedDefinition : 
+# 1703|     r1703_3(glval<int>) = VariableAddress   : 
+# 1703|     r1703_4(int)        = Constant[2]       : 
+# 1703|     mu1703_5(int)       = Store[?]          : &:r1703_3, r1703_4
+# 1703|     v1703_6(void)       = ReturnVoid        : 
+# 1703|     v1703_7(void)       = AliasedUse        : ~m?
+# 1703|     v1703_8(void)       = ExitFunction      : 
 
 perf-regression.cpp:
 #    6| void Big::Big()

cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency.expected

@@ -6,6 +6,9 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| bad_asts.cpp:19:10:19:10 | FieldAddress: constructor init of field x | Instruction 'FieldAddress: constructor init of field x' has no successors in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field i | Instruction 'FieldAddress: constructor init of field i' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1539:8:1539:8 | FieldAddress: constructor init of field i | Instruction 'FieldAddress: constructor init of field i' has no successors in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
 | ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
 | ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors

cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.expected

@@ -6,6 +6,9 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| bad_asts.cpp:19:10:19:10 | FieldAddress: constructor init of field x | Instruction 'FieldAddress: constructor init of field x' has no successors in function '$@'. | bad_asts.cpp:19:10:19:10 | void Bad::Point::Point(Bad::Point const&) | void Bad::Point::Point(Bad::Point const&) |
+| ir.cpp:1486:8:1486:8 | FieldAddress: constructor init of field i | Instruction 'FieldAddress: constructor init of field i' has no successors in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct(StructuredBindingDataMemberStruct const&) |
+| ir.cpp:1539:8:1539:8 | FieldAddress: constructor init of field i | Instruction 'FieldAddress: constructor init of field i' has no successors in function '$@'. | ir.cpp:1539:8:1539:8 | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) | void StructuredBindingTupleRefGet::StructuredBindingTupleRefGet(StructuredBindingTupleRefGet const&) |
 | ir.cpp:1688:24:1690:5 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1683:6:1683:20 | void captured_lambda(int, int&, int&&) | void captured_lambda(int, int&, int&&) |
 | ir.cpp:1689:28:1689:54 | FieldAddress: {...} | Instruction 'FieldAddress: {...}' has no successors in function '$@'. | ir.cpp:1688:46:1688:46 | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const | void (void captured_lambda(int, int&, int&&))::(lambda [] type at line 1688, col. 25)::operator()() const |
 ambiguousSuccessors

cpp/ql/test/library-tests/lambdas/captures/elements.expected

@@ -125,8 +125,8 @@
 | captures.cpp:22:19:22:19 | (unnamed constructor) |
 | captures.cpp:22:19:22:19 | (unnamed constructor) |
 | captures.cpp:22:19:22:19 | (unnamed constructor) |
-| captures.cpp:22:19:22:19 | Unknown literal |
-| captures.cpp:22:19:22:19 | Unknown literal |
+| captures.cpp:22:19:22:19 | (unnamed parameter 0) |
+| captures.cpp:22:19:22:19 | (unnamed parameter 0) |
 | captures.cpp:22:19:22:19 | constructor init of field x |
 | captures.cpp:22:19:22:19 | constructor init of field y |
 | captures.cpp:22:19:22:19 | declaration of (unnamed constructor) |
@@ -135,6 +135,8 @@
 | captures.cpp:22:19:22:19 | definition of operator= |
 | captures.cpp:22:19:22:19 | operator= |
 | captures.cpp:22:19:22:19 | return ... |
+| captures.cpp:22:19:22:19 | x |
+| captures.cpp:22:19:22:19 | y |
 | captures.cpp:22:19:22:19 | { ... } |
 | captures.cpp:22:23:22:23 | definition of x |
 | captures.cpp:22:23:22:23 | x |
@@ -185,12 +187,13 @@
 | end_pos.cpp:9:15:9:15 | (unnamed constructor) |
 | end_pos.cpp:9:15:9:15 | (unnamed constructor) |
 | end_pos.cpp:9:15:9:15 | (unnamed constructor) |
-| end_pos.cpp:9:15:9:15 | Unknown literal |
+| end_pos.cpp:9:15:9:15 | (unnamed parameter 0) |
 | end_pos.cpp:9:15:9:15 | constructor init of field ii |
 | end_pos.cpp:9:15:9:15 | declaration of (unnamed constructor) |
 | end_pos.cpp:9:15:9:15 | definition of (unnamed constructor) |
 | end_pos.cpp:9:15:9:15 | definition of (unnamed constructor) |
 | end_pos.cpp:9:15:9:15 | definition of operator= |
+| end_pos.cpp:9:15:9:15 | ii |
 | end_pos.cpp:9:15:9:15 | operator= |
 | end_pos.cpp:9:15:9:15 | return ... |
 | end_pos.cpp:9:15:9:15 | { ... } |

cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected

@@ -1498,6 +1498,8 @@ postWithInFlow
 | bad_asts.cpp:15:10:15:12 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | bad_asts.cpp:16:5:16:5 | s [post update] | PostUpdateNode should not be the target of local flow. |
 | bad_asts.cpp:16:5:16:5 | s [post update] | PostUpdateNode should not be the target of local flow. |
+| bad_asts.cpp:19:10:19:10 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| bad_asts.cpp:19:10:19:10 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | bad_asts.cpp:27:11:27:11 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | break_labels.c:3:9:3:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | break_labels.c:5:9:5:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -1626,11 +1628,15 @@ postWithInFlow
 | cpp11.cpp:60:15:60:16 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:65:10:65:16 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:65:19:65:45 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:65:20:65:20 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:65:35:65:43 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:77:19:77:21 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:77:19:77:21 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:82:11:82:14 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:82:11:82:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:82:17:82:17 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:82:17:82:17 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:82:17:82:17 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:82:17:82:55 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:82:17:82:55 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:82:17:82:55 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected

@@ -3,7 +3,6 @@ edges
 | tests.cpp:33:34:33:39 | call to getenv | tests.cpp:38:39:38:49 | environment indirection |
 | tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:26:15:26:23 | ReturnValue |
 | tests.cpp:38:39:38:49 | environment indirection | tests.cpp:38:25:38:36 | strncat output argument |
-| tests.cpp:38:39:38:49 | environment indirection | tests.cpp:38:25:38:36 | strncat output argument |
 | tests.cpp:51:12:51:20 | call to badSource | tests.cpp:53:16:53:19 | data indirection |
 nodes
 | tests.cpp:26:15:26:23 | ReturnValue | semmle.label | ReturnValue |

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

@@ -2,64 +2,55 @@ edges
 | test.cpp:16:20:16:23 | argv | test.cpp:22:45:22:52 | userName indirection |
 | test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | command1 indirection |
 | test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
-| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
 | test.cpp:47:21:47:26 | call to getenv | test.cpp:50:35:50:43 | envCflags indirection |
 | test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | command indirection |
 | test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:11:50:17 | sprintf output argument |
-| test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:11:50:17 | sprintf output argument |
 | test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | filename indirection |
 | test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | command indirection |
 | test.cpp:64:20:64:27 | filename indirection | test.cpp:64:11:64:17 | strncat output argument |
-| test.cpp:64:20:64:27 | filename indirection | test.cpp:64:11:64:17 | strncat output argument |
 | test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | filename indirection |
 | test.cpp:84:11:84:17 | strncat output argument | test.cpp:85:32:85:38 | command indirection |
 | test.cpp:84:20:84:27 | filename indirection | test.cpp:84:11:84:17 | strncat output argument |
-| test.cpp:84:20:84:27 | filename indirection | test.cpp:84:11:84:17 | strncat output argument |
 | test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | filename indirection |
 | test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | path indirection |
 | test.cpp:93:17:93:24 | filename indirection | test.cpp:93:11:93:14 | strncat output argument |
-| test.cpp:93:17:93:24 | filename indirection | test.cpp:93:11:93:14 | strncat output argument |
 | test.cpp:106:20:106:25 | call to getenv | test.cpp:107:33:107:36 | path indirection |
 | test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | call to c_str indirection |
 | test.cpp:107:33:107:36 | path indirection | test.cpp:107:31:107:31 | call to operator+ |
-| test.cpp:107:33:107:36 | path indirection | test.cpp:107:31:107:31 | call to operator+ |
 | test.cpp:113:20:113:25 | call to getenv | test.cpp:114:19:114:22 | path indirection |
 | test.cpp:114:17:114:17 | Call | test.cpp:114:25:114:29 | call to c_str indirection |
 | test.cpp:114:19:114:22 | path indirection | test.cpp:114:17:114:17 | Call |
-| test.cpp:114:19:114:22 | path indirection | test.cpp:114:17:114:17 | Call |
 | test.cpp:119:20:119:25 | call to getenv | test.cpp:120:19:120:22 | path indirection |
 | test.cpp:120:17:120:17 | Call | test.cpp:120:10:120:30 | call to data indirection |
 | test.cpp:120:19:120:22 | path indirection | test.cpp:120:17:120:17 | Call |
-| test.cpp:120:19:120:22 | path indirection | test.cpp:120:17:120:17 | Call |
 | test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | str indirection |
 | test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | command indirection |
 | test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
-| test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
 | test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | filename indirection |
 | test.cpp:174:9:174:16 | fread output argument | test.cpp:178:22:178:26 | flags indirection |
 | test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | filename indirection |
 | test.cpp:177:13:177:17 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
 | test.cpp:177:20:177:27 | filename indirection | test.cpp:177:13:177:17 | strncat output argument |
-| test.cpp:177:20:177:27 | filename indirection | test.cpp:177:13:177:17 | strncat output argument |
 | test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
 | test.cpp:178:22:178:26 | flags indirection | test.cpp:178:13:178:19 | strncat output argument |
-| test.cpp:178:22:178:26 | flags indirection | test.cpp:178:13:178:19 | strncat output argument |
 | test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
 | test.cpp:180:22:180:29 | filename indirection | test.cpp:180:13:180:19 | strncat output argument |
-| test.cpp:180:22:180:29 | filename indirection | test.cpp:180:13:180:19 | strncat output argument |
 | test.cpp:186:47:186:54 | *filename | test.cpp:187:18:187:25 | filename indirection |
 | test.cpp:186:47:186:54 | *filename | test.cpp:188:20:188:24 | flags indirection |
 | test.cpp:186:47:186:54 | filename | test.cpp:187:18:187:25 | filename indirection |
 | test.cpp:186:47:186:54 | filename | test.cpp:188:20:188:24 | flags indirection |
 | test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
 | test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
 | test.cpp:187:18:187:25 | filename indirection | test.cpp:187:11:187:15 | strncat output argument |
 | test.cpp:187:18:187:25 | filename indirection | test.cpp:187:11:187:15 | strncat output argument |
 | test.cpp:188:11:188:17 | command [post update] | test.cpp:188:11:188:17 | command [post update] |
-| test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
-| test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
-| test.cpp:188:11:188:17 | command [post update] | test.cpp:205:10:205:16 | command [post update] |
-| test.cpp:188:11:188:17 | command [post update] | test.cpp:205:10:205:16 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
 | test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
 | test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
 | test.cpp:188:20:188:24 | flags indirection | test.cpp:188:11:188:17 | strncat output argument |
@@ -67,9 +58,21 @@ edges
 | test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | filename |
 | test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | filename indirection |
 | test.cpp:196:10:196:16 | command [post update] | test.cpp:198:32:198:38 | command indirection |
+| test.cpp:196:10:196:16 | command [post update] | test.cpp:198:32:198:38 | command indirection |
 | test.cpp:196:26:196:33 | filename | test.cpp:186:47:186:54 | filename |
+| test.cpp:196:26:196:33 | filename | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:196:26:196:33 | filename | test.cpp:196:10:196:16 | command [post update] |
 | test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | *filename |
-| test.cpp:205:10:205:16 | command [post update] | test.cpp:207:32:207:38 | command indirection |
+| test.cpp:196:26:196:33 | filename indirection | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:196:26:196:33 | filename indirection | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | filename indirection |
+| test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | filename indirection |
+| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | command indirection |
+| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | command indirection |
+| test.cpp:220:19:220:26 | filename indirection | test.cpp:220:10:220:16 | strncat output argument |
+| test.cpp:220:19:220:26 | filename indirection | test.cpp:220:10:220:16 | strncat output argument |
+| test.cpp:220:19:220:26 | filename indirection | test.cpp:220:10:220:16 | strncat output argument |
+| test.cpp:220:19:220:26 | filename indirection | test.cpp:220:10:220:16 | strncat output argument |
 nodes
 | test.cpp:16:20:16:23 | argv | semmle.label | argv |
 | test.cpp:22:13:22:20 | sprintf output argument | semmle.label | sprintf output argument |
@@ -115,22 +118,48 @@ nodes
 | test.cpp:180:13:180:19 | strncat output argument | semmle.label | strncat output argument |
 | test.cpp:180:22:180:29 | filename indirection | semmle.label | filename indirection |
 | test.cpp:183:32:183:38 | command indirection | semmle.label | command indirection |
+| test.cpp:183:32:183:38 | command indirection | semmle.label | command indirection |
+| test.cpp:183:32:183:38 | command indirection | semmle.label | command indirection |
 | test.cpp:186:47:186:54 | *filename | semmle.label | *filename |
 | test.cpp:186:47:186:54 | filename | semmle.label | filename |
 | test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:187:18:187:25 | filename indirection | semmle.label | filename indirection |
 | test.cpp:187:18:187:25 | filename indirection | semmle.label | filename indirection |
 | test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
 | test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
 | test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
 | test.cpp:188:20:188:24 | flags indirection | semmle.label | flags indirection |
+| test.cpp:188:20:188:24 | flags indirection | semmle.label | flags indirection |
 | test.cpp:194:9:194:16 | fread output argument | semmle.label | fread output argument |
 | test.cpp:196:10:196:16 | command [post update] | semmle.label | command [post update] |
+| test.cpp:196:10:196:16 | command [post update] | semmle.label | command [post update] |
 | test.cpp:196:26:196:33 | filename | semmle.label | filename |
 | test.cpp:196:26:196:33 | filename indirection | semmle.label | filename indirection |
 | test.cpp:198:32:198:38 | command indirection | semmle.label | command indirection |
-| test.cpp:205:10:205:16 | command [post update] | semmle.label | command [post update] |
-| test.cpp:207:32:207:38 | command indirection | semmle.label | command indirection |
+| test.cpp:198:32:198:38 | command indirection | semmle.label | command indirection |
+| test.cpp:218:9:218:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:220:19:220:26 | filename indirection | semmle.label | filename indirection |
+| test.cpp:220:19:220:26 | filename indirection | semmle.label | filename indirection |
+| test.cpp:222:32:222:38 | command indirection | semmle.label | command indirection |
 subpaths
+| test.cpp:196:26:196:33 | filename | test.cpp:186:47:186:54 | filename | test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:196:26:196:33 | filename | test.cpp:186:47:186:54 | filename | test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:196:26:196:33 | filename | test.cpp:186:47:186:54 | filename | test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:196:26:196:33 | filename | test.cpp:186:47:186:54 | filename | test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | *filename | test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | *filename | test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | *filename | test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
+| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | *filename | test.cpp:188:11:188:17 | command [post update] | test.cpp:196:10:196:16 | command [post update] |
 #select
 | test.cpp:23:12:23:19 | command1 | test.cpp:16:20:16:23 | argv | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:16:20:16:23 | argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
 | test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | call to getenv | test.cpp:51:10:51:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:47:21:47:26 | call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
@@ -146,5 +175,5 @@ subpaths
 | test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:180:13:180:19 | strncat output argument | strncat output argument |
 | test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
 | test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
-| test.cpp:207:32:207:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:207:32:207:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
-| test.cpp:207:32:207:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:207:32:207:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
+| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:218:9:218:16 | fread output argument | user input (String read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
+| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:218:9:218:16 | fread output argument | user input (String read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp

@@ -199,7 +199,7 @@ void test17(FILE *f) {
 }
 
 void test18() {
-  // GOOD [FALSE POSITIVE]
+  // GOOD
   char command[1000] = "ls ", flags[1000] = "-l", filename[1000] = ".";
 
   concat(command, flags, filename);
@@ -207,4 +207,19 @@ void test18() {
   execl("/bin/sh", "sh", "-c", command);
 }
 
+#define CONCAT(COMMAND, FILENAME)   \
+  strncat(COMMAND, FILENAME, 1000); \
+  strncat(COMMAND, " ", 1000);      \
+  strncat(COMMAND, FILENAME, 1000);
+
+void test19(FILE *f) {
+  // BAD: the user string is injected directly into a command
+  char command[1000] = "mv ", filename[1000];
+  fread(filename, 1, 1000, f);
+
+  CONCAT(command, filename)
+
+  execl("/bin/sh", "sh", "-c", command);
+}
+
 // open question: do we want to report certain sources even when they're the start of the string?

cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected

@@ -0,0 +1,8 @@
+edges
+| tests.c:57:21:57:28 | password | tests.c:70:70:70:77 | array to pointer conversion |
+nodes
+| tests.c:57:21:57:28 | password | semmle.label | password |
+| tests.c:70:70:70:77 | array to pointer conversion | semmle.label | array to pointer conversion |
+subpaths
+#select
+| tests.c:70:70:70:77 | array to pointer conversion | tests.c:57:21:57:28 | password | tests.c:70:70:70:77 | array to pointer conversion | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password | password |

cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-497/PotentiallyExposedSystemData.ql

cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/tests.c

@@ -67,6 +67,6 @@ void CWE535_Info_Exposure_Shell_Error__w32_char_01_bad()
             printLine("Unable to login.");
         }
         /* FLAW: Write sensitive data to stderr */
-        fprintf(stderr, "User attempted access with password: %s\n", password); // [NOT DETECTED]
+        fprintf(stderr, "User attempted access with password: %s\n", password);
     }
 }

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected

@@ -2,15 +2,26 @@ edges
 | tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:26 | (const char *)... |
 | tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:26 | (const char *)... |
 | tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:30 | (const char *)... |
-| tests2.cpp:76:18:76:38 | call to mysql_get_client_info | tests2.cpp:79:14:79:19 | (const char *)... |
-| tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info |
-| tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info |
-| tests2.cpp:89:42:89:45 | str1 | tests2.cpp:91:14:91:17 | str1 |
-| tests2.cpp:99:8:99:15 | call to getpwuid | tests2.cpp:100:14:100:15 | pw |
-| tests2.cpp:107:3:107:4 | c1 [post update] [ptr] | tests2.cpp:109:14:109:15 | c1 [read] [ptr] |
-| tests2.cpp:107:6:107:8 | ptr [post update] | tests2.cpp:107:3:107:4 | c1 [post update] [ptr] |
-| tests2.cpp:107:12:107:17 | call to getenv | tests2.cpp:107:6:107:8 | ptr [post update] |
-| tests2.cpp:109:14:109:15 | c1 [read] [ptr] | tests2.cpp:109:14:109:19 | (const char *)... |
+| tests2.cpp:66:13:66:18 | call to getenv | tests2.cpp:66:13:66:34 | (const char *)... |
+| tests2.cpp:78:18:78:38 | call to mysql_get_client_info | tests2.cpp:81:14:81:19 | (const char *)... |
+| tests2.cpp:80:14:80:34 | call to mysql_get_client_info | tests2.cpp:80:14:80:34 | call to mysql_get_client_info |
+| tests2.cpp:80:14:80:34 | call to mysql_get_client_info | tests2.cpp:80:14:80:34 | call to mysql_get_client_info |
+| tests2.cpp:91:42:91:45 | str1 | tests2.cpp:93:14:93:17 | str1 |
+| tests2.cpp:101:8:101:15 | call to getpwuid | tests2.cpp:102:14:102:15 | pw |
+| tests2.cpp:109:3:109:4 | c1 [post update] [ptr] | tests2.cpp:111:14:111:15 | c1 [read] [ptr] |
+| tests2.cpp:109:6:109:8 | ptr [post update] | tests2.cpp:109:3:109:4 | c1 [post update] [ptr] |
+| tests2.cpp:109:12:109:17 | call to getenv | tests2.cpp:109:6:109:8 | ptr [post update] |
+| tests2.cpp:111:14:111:15 | c1 [read] [ptr] | tests2.cpp:111:14:111:19 | (const char *)... |
+| tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:39:19:39:22 | (const void *)... |
+| tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:39:19:39:22 | path |
+| tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:43:20:43:23 | (const void *)... |
+| tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:43:20:43:23 | path |
+| tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:76:19:76:22 | (const void *)... |
+| tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:76:19:76:22 | path |
+| tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:80:20:80:23 | (const void *)... |
+| tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:80:20:80:23 | path |
+| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | (const void *)... |
+| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf |
 nodes
 | tests2.cpp:63:13:63:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:63:13:63:18 | call to getenv | semmle.label | call to getenv |
@@ -21,27 +32,49 @@ nodes
 | tests2.cpp:65:13:65:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:65:13:65:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:65:13:65:30 | (const char *)... | semmle.label | (const char *)... |
-| tests2.cpp:76:18:76:38 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
-| tests2.cpp:78:14:78:34 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
-| tests2.cpp:78:14:78:34 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
-| tests2.cpp:79:14:79:19 | (const char *)... | semmle.label | (const char *)... |
-| tests2.cpp:89:42:89:45 | str1 | semmle.label | str1 |
-| tests2.cpp:91:14:91:17 | str1 | semmle.label | str1 |
-| tests2.cpp:99:8:99:15 | call to getpwuid | semmle.label | call to getpwuid |
-| tests2.cpp:100:14:100:15 | pw | semmle.label | pw |
-| tests2.cpp:107:3:107:4 | c1 [post update] [ptr] | semmle.label | c1 [post update] [ptr] |
-| tests2.cpp:107:6:107:8 | ptr [post update] | semmle.label | ptr [post update] |
-| tests2.cpp:107:12:107:17 | call to getenv | semmle.label | call to getenv |
-| tests2.cpp:109:14:109:15 | c1 [read] [ptr] | semmle.label | c1 [read] [ptr] |
-| tests2.cpp:109:14:109:19 | (const char *)... | semmle.label | (const char *)... |
+| tests2.cpp:66:13:66:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:66:13:66:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:66:13:66:34 | (const char *)... | semmle.label | (const char *)... |
+| tests2.cpp:78:18:78:38 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
+| tests2.cpp:80:14:80:34 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
+| tests2.cpp:80:14:80:34 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
+| tests2.cpp:81:14:81:19 | (const char *)... | semmle.label | (const char *)... |
+| tests2.cpp:91:42:91:45 | str1 | semmle.label | str1 |
+| tests2.cpp:93:14:93:17 | str1 | semmle.label | str1 |
+| tests2.cpp:101:8:101:15 | call to getpwuid | semmle.label | call to getpwuid |
+| tests2.cpp:102:14:102:15 | pw | semmle.label | pw |
+| tests2.cpp:109:3:109:4 | c1 [post update] [ptr] | semmle.label | c1 [post update] [ptr] |
+| tests2.cpp:109:6:109:8 | ptr [post update] | semmle.label | ptr [post update] |
+| tests2.cpp:109:12:109:17 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:111:14:111:15 | c1 [read] [ptr] | semmle.label | c1 [read] [ptr] |
+| tests2.cpp:111:14:111:19 | (const char *)... | semmle.label | (const char *)... |
+| tests_sockets.cpp:26:15:26:20 | call to getenv | semmle.label | call to getenv |
+| tests_sockets.cpp:39:19:39:22 | (const void *)... | semmle.label | (const void *)... |
+| tests_sockets.cpp:39:19:39:22 | path | semmle.label | path |
+| tests_sockets.cpp:43:20:43:23 | (const void *)... | semmle.label | (const void *)... |
+| tests_sockets.cpp:43:20:43:23 | path | semmle.label | path |
+| tests_sockets.cpp:63:15:63:20 | call to getenv | semmle.label | call to getenv |
+| tests_sockets.cpp:76:19:76:22 | (const void *)... | semmle.label | (const void *)... |
+| tests_sockets.cpp:76:19:76:22 | path | semmle.label | path |
+| tests_sockets.cpp:80:20:80:23 | (const void *)... | semmle.label | (const void *)... |
+| tests_sockets.cpp:80:20:80:23 | path | semmle.label | path |
+| tests_sysconf.cpp:36:21:36:27 | confstr output argument | semmle.label | confstr output argument |
+| tests_sysconf.cpp:39:19:39:25 | (const void *)... | semmle.label | (const void *)... |
+| tests_sysconf.cpp:39:19:39:25 | pathbuf | semmle.label | pathbuf |
 subpaths
 #select
 | tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv | call to getenv |
 | tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv | call to getenv |
 | tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv | call to getenv |
-| tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | call to mysql_get_client_info |
-| tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | call to mysql_get_client_info |
-| tests2.cpp:79:14:79:19 | (const char *)... | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | tests2.cpp:79:14:79:19 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | call to mysql_get_client_info |
-| tests2.cpp:91:14:91:17 | str1 | tests2.cpp:89:42:89:45 | str1 | tests2.cpp:91:14:91:17 | str1 | This operation exposes system data from $@. | tests2.cpp:89:42:89:45 | str1 | str1 |
-| tests2.cpp:100:14:100:15 | pw | tests2.cpp:99:8:99:15 | call to getpwuid | tests2.cpp:100:14:100:15 | pw | This operation exposes system data from $@. | tests2.cpp:99:8:99:15 | call to getpwuid | call to getpwuid |
-| tests2.cpp:109:14:109:19 | (const char *)... | tests2.cpp:107:12:107:17 | call to getenv | tests2.cpp:109:14:109:19 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:107:12:107:17 | call to getenv | call to getenv |
+| tests2.cpp:66:13:66:18 | call to getenv | tests2.cpp:66:13:66:18 | call to getenv | tests2.cpp:66:13:66:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:66:13:66:18 | call to getenv | call to getenv |
+| tests2.cpp:80:14:80:34 | call to mysql_get_client_info | tests2.cpp:80:14:80:34 | call to mysql_get_client_info | tests2.cpp:80:14:80:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | call to mysql_get_client_info | call to mysql_get_client_info |
+| tests2.cpp:80:14:80:34 | call to mysql_get_client_info | tests2.cpp:80:14:80:34 | call to mysql_get_client_info | tests2.cpp:80:14:80:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | call to mysql_get_client_info | call to mysql_get_client_info |
+| tests2.cpp:81:14:81:19 | (const char *)... | tests2.cpp:78:18:78:38 | call to mysql_get_client_info | tests2.cpp:81:14:81:19 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | call to mysql_get_client_info | call to mysql_get_client_info |
+| tests2.cpp:93:14:93:17 | str1 | tests2.cpp:91:42:91:45 | str1 | tests2.cpp:93:14:93:17 | str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | str1 | str1 |
+| tests2.cpp:102:14:102:15 | pw | tests2.cpp:101:8:101:15 | call to getpwuid | tests2.cpp:102:14:102:15 | pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | call to getpwuid | call to getpwuid |
+| tests2.cpp:111:14:111:19 | (const char *)... | tests2.cpp:109:12:109:17 | call to getenv | tests2.cpp:111:14:111:19 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | call to getenv | call to getenv |
+| tests_sockets.cpp:39:19:39:22 | path | tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:39:19:39:22 | path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv | call to getenv |
+| tests_sockets.cpp:43:20:43:23 | path | tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:43:20:43:23 | path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv | call to getenv |
+| tests_sockets.cpp:76:19:76:22 | path | tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:76:19:76:22 | path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv | call to getenv |
+| tests_sockets.cpp:80:20:80:23 | path | tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:80:20:80:23 | path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv | call to getenv |
+| tests_sysconf.cpp:39:19:39:25 | pathbuf | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected

@@ -0,0 +1,109 @@
+edges
+| tests.cpp:48:15:48:20 | call to getenv | tests.cpp:48:15:48:36 | (const char *)... |
+| tests.cpp:49:15:49:20 | call to getenv | tests.cpp:49:15:49:36 | (const char *)... |
+| tests.cpp:50:15:50:20 | call to getenv | tests.cpp:50:15:50:36 | (const char *)... |
+| tests.cpp:57:18:57:23 | call to getenv | tests.cpp:57:18:57:39 | (const char_type *)... |
+| tests.cpp:58:41:58:46 | call to getenv | tests.cpp:58:41:58:62 | (const char_type *)... |
+| tests.cpp:59:43:59:48 | call to getenv | tests.cpp:59:43:59:64 | (const char *)... |
+| tests.cpp:86:29:86:31 | *msg | tests.cpp:88:15:88:17 | msg |
+| tests.cpp:86:29:86:31 | msg | tests.cpp:88:15:88:17 | msg |
+| tests.cpp:97:13:97:18 | call to getenv | tests.cpp:97:13:97:34 | (const char *)... |
+| tests.cpp:97:13:97:18 | call to getenv | tests.cpp:97:13:97:34 | call to getenv |
+| tests.cpp:97:13:97:18 | call to getenv | tests.cpp:97:13:97:34 | call to getenv indirection |
+| tests.cpp:97:13:97:34 | call to getenv | tests.cpp:86:29:86:31 | msg |
+| tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:86:29:86:31 | *msg |
+| tests.cpp:107:30:107:32 | *msg | tests.cpp:111:15:111:17 | tmp |
+| tests.cpp:107:30:107:32 | msg | tests.cpp:111:15:111:17 | tmp |
+| tests.cpp:114:30:114:32 | *msg | tests.cpp:119:7:119:12 | (const char *)... |
+| tests.cpp:114:30:114:32 | msg | tests.cpp:119:7:119:12 | (const char *)... |
+| tests.cpp:122:30:122:32 | *msg | tests.cpp:124:15:124:17 | msg |
+| tests.cpp:122:30:122:32 | msg | tests.cpp:124:15:124:17 | msg |
+| tests.cpp:131:14:131:19 | call to getenv | tests.cpp:131:14:131:35 | call to getenv |
+| tests.cpp:131:14:131:19 | call to getenv | tests.cpp:131:14:131:35 | call to getenv indirection |
+| tests.cpp:131:14:131:35 | call to getenv | tests.cpp:107:30:107:32 | msg |
+| tests.cpp:131:14:131:35 | call to getenv indirection | tests.cpp:107:30:107:32 | *msg |
+| tests.cpp:132:14:132:19 | call to getenv | tests.cpp:132:14:132:35 | call to getenv |
+| tests.cpp:132:14:132:19 | call to getenv | tests.cpp:132:14:132:35 | call to getenv indirection |
+| tests.cpp:132:14:132:35 | call to getenv | tests.cpp:114:30:114:32 | msg |
+| tests.cpp:132:14:132:35 | call to getenv indirection | tests.cpp:114:30:114:32 | *msg |
+| tests.cpp:133:14:133:19 | call to getenv | tests.cpp:133:14:133:35 | (const char *)... |
+| tests.cpp:133:14:133:19 | call to getenv | tests.cpp:133:14:133:35 | call to getenv |
+| tests.cpp:133:14:133:19 | call to getenv | tests.cpp:133:14:133:35 | call to getenv indirection |
+| tests.cpp:133:14:133:35 | call to getenv | tests.cpp:122:30:122:32 | msg |
+| tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:122:30:122:32 | *msg |
+| tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:18:29:18:31 | pwd |
+| tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:19:26:19:28 | pwd |
+nodes
+| tests.cpp:48:15:48:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:48:15:48:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:48:15:48:36 | (const char *)... | semmle.label | (const char *)... |
+| tests.cpp:49:15:49:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:49:15:49:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:49:15:49:36 | (const char *)... | semmle.label | (const char *)... |
+| tests.cpp:50:15:50:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:50:15:50:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:50:15:50:36 | (const char *)... | semmle.label | (const char *)... |
+| tests.cpp:57:18:57:23 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:57:18:57:23 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:57:18:57:39 | (const char_type *)... | semmle.label | (const char_type *)... |
+| tests.cpp:58:41:58:46 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:58:41:58:46 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:58:41:58:62 | (const char_type *)... | semmle.label | (const char_type *)... |
+| tests.cpp:59:43:59:48 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:59:43:59:48 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:59:43:59:64 | (const char *)... | semmle.label | (const char *)... |
+| tests.cpp:86:29:86:31 | *msg | semmle.label | *msg |
+| tests.cpp:86:29:86:31 | msg | semmle.label | msg |
+| tests.cpp:88:15:88:17 | msg | semmle.label | msg |
+| tests.cpp:97:13:97:18 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:97:13:97:18 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:97:13:97:34 | (const char *)... | semmle.label | (const char *)... |
+| tests.cpp:97:13:97:34 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:97:13:97:34 | call to getenv indirection | semmle.label | call to getenv indirection |
+| tests.cpp:107:30:107:32 | *msg | semmle.label | *msg |
+| tests.cpp:107:30:107:32 | msg | semmle.label | msg |
+| tests.cpp:111:15:111:17 | tmp | semmle.label | tmp |
+| tests.cpp:114:30:114:32 | *msg | semmle.label | *msg |
+| tests.cpp:114:30:114:32 | msg | semmle.label | msg |
+| tests.cpp:119:7:119:12 | (const char *)... | semmle.label | (const char *)... |
+| tests.cpp:122:30:122:32 | *msg | semmle.label | *msg |
+| tests.cpp:122:30:122:32 | msg | semmle.label | msg |
+| tests.cpp:124:15:124:17 | msg | semmle.label | msg |
+| tests.cpp:131:14:131:19 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:131:14:131:35 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:131:14:131:35 | call to getenv indirection | semmle.label | call to getenv indirection |
+| tests.cpp:132:14:132:19 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:132:14:132:35 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:132:14:132:35 | call to getenv indirection | semmle.label | call to getenv indirection |
+| tests.cpp:133:14:133:19 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:133:14:133:19 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:133:14:133:35 | (const char *)... | semmle.label | (const char *)... |
+| tests.cpp:133:14:133:35 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:133:14:133:35 | call to getenv indirection | semmle.label | call to getenv indirection |
+| tests_passwd.cpp:16:8:16:15 | call to getpwnam | semmle.label | call to getpwnam |
+| tests_passwd.cpp:18:29:18:31 | pwd | semmle.label | pwd |
+| tests_passwd.cpp:19:26:19:28 | pwd | semmle.label | pwd |
+subpaths
+#select
+| tests.cpp:48:15:48:20 | call to getenv | tests.cpp:48:15:48:20 | call to getenv | tests.cpp:48:15:48:20 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:20 | call to getenv | call to getenv |
+| tests.cpp:48:15:48:36 | (const char *)... | tests.cpp:48:15:48:20 | call to getenv | tests.cpp:48:15:48:36 | (const char *)... | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:20 | call to getenv | call to getenv |
+| tests.cpp:49:15:49:20 | call to getenv | tests.cpp:49:15:49:20 | call to getenv | tests.cpp:49:15:49:20 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:20 | call to getenv | call to getenv |
+| tests.cpp:49:15:49:36 | (const char *)... | tests.cpp:49:15:49:20 | call to getenv | tests.cpp:49:15:49:36 | (const char *)... | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:20 | call to getenv | call to getenv |
+| tests.cpp:50:15:50:20 | call to getenv | tests.cpp:50:15:50:20 | call to getenv | tests.cpp:50:15:50:20 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:20 | call to getenv | call to getenv |
+| tests.cpp:50:15:50:36 | (const char *)... | tests.cpp:50:15:50:20 | call to getenv | tests.cpp:50:15:50:36 | (const char *)... | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:20 | call to getenv | call to getenv |
+| tests.cpp:57:18:57:23 | call to getenv | tests.cpp:57:18:57:23 | call to getenv | tests.cpp:57:18:57:23 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:23 | call to getenv | call to getenv |
+| tests.cpp:57:18:57:39 | (const char_type *)... | tests.cpp:57:18:57:23 | call to getenv | tests.cpp:57:18:57:39 | (const char_type *)... | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:23 | call to getenv | call to getenv |
+| tests.cpp:58:41:58:46 | call to getenv | tests.cpp:58:41:58:46 | call to getenv | tests.cpp:58:41:58:46 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:46 | call to getenv | call to getenv |
+| tests.cpp:58:41:58:62 | (const char_type *)... | tests.cpp:58:41:58:46 | call to getenv | tests.cpp:58:41:58:62 | (const char_type *)... | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:46 | call to getenv | call to getenv |
+| tests.cpp:59:43:59:48 | call to getenv | tests.cpp:59:43:59:48 | call to getenv | tests.cpp:59:43:59:48 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv | call to getenv |
+| tests.cpp:59:43:59:64 | (const char *)... | tests.cpp:59:43:59:48 | call to getenv | tests.cpp:59:43:59:64 | (const char *)... | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv | call to getenv |
+| tests.cpp:88:15:88:17 | msg | tests.cpp:97:13:97:18 | call to getenv | tests.cpp:88:15:88:17 | msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv | call to getenv |
+| tests.cpp:97:13:97:18 | call to getenv | tests.cpp:97:13:97:18 | call to getenv | tests.cpp:97:13:97:18 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv | call to getenv |
+| tests.cpp:97:13:97:34 | (const char *)... | tests.cpp:97:13:97:18 | call to getenv | tests.cpp:97:13:97:34 | (const char *)... | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv | call to getenv |
+| tests.cpp:111:15:111:17 | tmp | tests.cpp:131:14:131:19 | call to getenv | tests.cpp:111:15:111:17 | tmp | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:19 | call to getenv | call to getenv |
+| tests.cpp:119:7:119:12 | (const char *)... | tests.cpp:132:14:132:19 | call to getenv | tests.cpp:119:7:119:12 | (const char *)... | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:19 | call to getenv | call to getenv |
+| tests.cpp:124:15:124:17 | msg | tests.cpp:133:14:133:19 | call to getenv | tests.cpp:124:15:124:17 | msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv | call to getenv |
+| tests.cpp:133:14:133:19 | call to getenv | tests.cpp:133:14:133:19 | call to getenv | tests.cpp:133:14:133:19 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv | call to getenv |
+| tests.cpp:133:14:133:35 | (const char *)... | tests.cpp:133:14:133:19 | call to getenv | tests.cpp:133:14:133:35 | (const char *)... | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv | call to getenv |
+| tests_passwd.cpp:18:29:18:31 | pwd | tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:18:29:18:31 | pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam | call to getpwnam |
+| tests_passwd.cpp:19:26:19:28 | pwd | tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:19:26:19:28 | pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam | call to getpwnam |

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-497/PotentiallyExposedSystemData.ql

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests.cpp

@@ -0,0 +1,134 @@
+// test cases for rule CWE-497
+
+// library functions etc
+
+#include "tests.h"
+
+
+typedef struct {} FILE;
+FILE *stdout;
+
+int puts(const char *s);
+int printf(const char *format, ...);
+int sprintf(char *s, const char *format, ...);
+int snprintf(char *s, size_t n, const char *format, ...);
+size_t strlen(const char *s);
+char *getenv(const char *name);
+
+extern std::ostream someotherostream;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#define NULL (0)
+
+// test cases
+
+void test1()
+{
+	std::ostream cout_copy = std::cout;
+
+	std::cout << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable
+	std::cerr << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable
+	std::clog << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable
+	someotherostream << getenv("SECRET_TOKEN"); // GOOD: not output
+	cout_copy << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable [NOT DETECTED]
+
+	std::cout << getenv("USERPROFILE"); // BAD: outputs PATH environment variable [NOT DETECTED]
+	std::cout << getenv("PATH"); // BAD: outputs PATH environment variable [NOT DETECTED]
+
+	std::cout.write(getenv("SECRET_TOKEN"), strlen(getenv("SECRET_TOKEN"))); // BAD: outputs SECRET_TOKEN environment variable
+	(std::cout << "SECRET_TOKEN = ").write(getenv("SECRET_TOKEN"), strlen(getenv("SECRET_TOKEN"))); // BAD: outputs SECRET_TOKEN environment variable
+	std::cout.write("SECRET_TOKEN = ", 7) << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable
+}
+
+char *global_token = getenv("SECRET_TOKEN");
+char *global_other = "Hello, world!";
+
+void test2(bool cond)
+{
+	char *maybe;
+
+	maybe = cond ? global_token : global_other;
+	
+	printf("token = '%s'\n", global_token); // BAD: outputs SECRET_TOKEN environment variable [NOT DETECTED]
+	printf("other = '%s'\n", global_other);
+	printf("maybe = '%s'\n", maybe); // BAD: may output SECRET_TOKEN environment variable [NOT DETECTED]
+}
+
+void test3()
+{
+	char *path_string = getenv("PATH");
+	char buf[4096];
+
+	// ...
+	snprintf(buf, 4096, "invalid path '%s'\n", path_string);
+	puts(buf); // BAD: outputs PATH environment variable [NOT DETECTED]
+}
+
+void myOutputFn(const char *msg)
+{
+	printf("%s", msg);
+}
+
+void myOtherFn(const char *msg)
+{
+}
+
+void test4()
+{
+	myOutputFn(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable
+	myOtherFn(getenv("SECRET_TOKEN")); // GOOD: does not output anything.
+}
+
+void myOutputFn2(const char *msg)
+{
+	msg = "";
+	printf("%s", msg);
+}
+
+void myOutputFn3(const char *msg)
+{
+	const char *tmp = msg;
+
+	printf("%s", tmp);
+}
+
+void myOutputFn4(const char *msg)
+{
+	char buffer[4096];
+
+	sprintf(buffer, "log: %s\n", msg);
+	puts(buffer);
+}
+
+void myOutputFn5(const char *msg)
+{
+	printf("%s", msg);
+	msg = "";
+}
+
+void test5()
+{
+	myOutputFn2(getenv("SECRET_TOKEN")); // GOOD: myOutputFn2 doesn't actually output the parameter
+	myOutputFn3(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable
+	myOutputFn4(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable
+	myOutputFn5(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable
+}

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests.h

@@ -0,0 +1,25 @@
+
+typedef unsigned long size_t;
+
+namespace std
+{
+	typedef size_t streamsize;
+
+	template<class charT> struct char_traits;
+
+	template <class charT, class traits = char_traits<charT> >
+	class basic_ostream /*: virtual public basic_ios<charT,traits> - not needed for this test */ {
+	public:
+		typedef charT char_type;
+		basic_ostream<charT,traits>& write(const char_type* s, streamsize n);
+
+		basic_ostream<charT, traits>& operator<<(int n);
+	};
+	template<class charT, class traits> basic_ostream<charT,traits>& operator<<(basic_ostream<charT,traits>&, const charT*);
+
+	typedef basic_ostream<char> ostream;
+
+	extern ostream cout;
+	extern ostream cerr;
+	extern ostream clog;
+}

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp

@@ -2,24 +2,24 @@
 
 // library functions etc
 
+#include "tests.h"
+
 char *getenv(const char *name);
 char *strcpy(char *s1, const char *s2);
 
-namespace std
-{
-	template<class charT> struct char_traits;
 
-	template <class charT, class traits = char_traits<charT> >
-	class basic_ostream /*: virtual public basic_ios<charT,traits> - not needed for this test */ {
-	public: 
-	};
 
-	template<class charT, class traits> basic_ostream<charT,traits>& operator<<(basic_ostream<charT,traits>&, const charT*);
 
-	typedef basic_ostream<char> ostream;
 
-	extern ostream cout;
-}
+
+
+
+
+
+
+
+
+
 
 int socket(int p1, int p2, int p3);
 void send(int sock, const char *buffer, int p3, int p4);
@@ -63,10 +63,12 @@ void test1()
 	send(sock, getenv("HOME"), val(), val()); // BAD
 	send(sock, getenv("PATH"), val(), val()); // BAD
 	send(sock, getenv("USERNAME"), val(), val()); // BAD
+	send(sock, getenv("APP_PASSWORD"), val(), val()); // BAD
 	send(sock, getenv("HARMLESS"), val(), val()); // GOOD: harmless information
 	send(sock, "HOME", val(), val()); // GOOD: not system data
 	send(sock, "PATH", val(), val()); // GOOD: not system data
 	send(sock, "USERNAME", val(), val()); // GOOD: not system data
+	send(sock, "APP_PASSWORD", val(), val()); // GOOD: not system data
 	send(sock, "HARMLESS", val(), val()); // GOOD: not system data
 
 	// tests for `mysql_get_client_info`, including via a global

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_passwd.cpp

@@ -0,0 +1,21 @@
+
+int printf(const char *format, ...);
+
+struct passwd {
+	char *pw_passwd;
+	char *pw_dir;
+	// ...
+};
+
+struct passwd *getpwnam(const char *name);
+
+void test6(char *username)
+{
+	passwd *pwd;
+
+	pwd = getpwnam(username);
+
+	printf("pw_passwd = %s\n", pwd->pw_passwd); // BAD
+	printf("pw_dir = %s\n", pwd->pw_dir); // BAD
+	printf("sizeof(passwd) = %i\n", sizeof(passwd)); // GOOD
+}

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_sockets.cpp

@@ -0,0 +1,84 @@
+
+typedef unsigned long size_t;
+
+size_t strlen(const char *s);
+char *getenv(const char *name);
+
+#define	AF_INET (2)
+#define SOCK_STREAM (1)
+
+struct sockaddr {
+	int sa_family;
+
+	// ...
+};
+
+int socket(int domain, int type, int protocol);
+int connect(int socket, const struct sockaddr *address, size_t address_len);
+size_t send(int socket, const void *buffer, size_t length, int flags);
+int write(int handle, const void *buffer, size_t length);
+
+void test_sockets1()
+{
+	int sockfd;
+	sockaddr addr_remote;
+	char *msg = "Hello, world!";
+	char *path = getenv("PATH");
+
+	// create socket
+	sockfd = socket(AF_INET, SOCK_STREAM, 0);
+	if (sockfd < 0) return;
+
+	// connect socket to a remote address
+	addr_remote.sa_family = AF_INET;
+	// ...
+	if (connect(sockfd, &addr_remote, sizeof(addr_remote)) != 0) return;
+
+	// send something using 'send'
+	if (send(sockfd, msg, strlen(msg) + 1, 0) < 0) return; // GOOD
+	if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // BAD
+	
+	// send something using 'write'
+	if (write(sockfd, msg, strlen(msg) + 1) < 0) return; // GOOD
+	if (write(sockfd, path, strlen(path) + 1) < 0) return; // BAD
+
+	// clean up
+	// ...
+}
+
+int mksocket()
+{
+	int fd;
+	
+	fd = socket(AF_INET, SOCK_STREAM, 0);
+	
+	return fd;
+}
+
+void test_sockets2()
+{
+	int sockfd;
+	sockaddr addr_remote;
+	char *msg = "Hello, world!";
+	char *path = getenv("PATH");
+
+	// create socket
+	sockfd = mksocket();
+	if (sockfd < 0) return;
+
+	// connect socket to a remote address
+	addr_remote.sa_family = AF_INET;
+	// ...
+	if (connect(sockfd, &addr_remote, sizeof(addr_remote)) != 0) return;
+
+	// send something using 'send'
+	if (send(sockfd, msg, strlen(msg) + 1, 0) < 0) return; // GOOD
+	if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // BAD
+	
+	// send something using 'write'
+	if (write(sockfd, msg, strlen(msg) + 1) < 0) return; // GOOD
+	if (write(sockfd, path, strlen(path) + 1) < 0) return; // BAD
+
+	// clean up
+	// ...
+}

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_sysconf.cpp

@@ -0,0 +1,41 @@
+
+typedef unsigned long size_t;
+typedef signed long ssize_t;
+void *malloc(size_t size);
+#define NULL (0)
+
+int printf(const char *format, ...);
+size_t strlen(const char *s);
+
+int get_fd();
+int write(int handle, const void *buffer, size_t length);
+
+long sysconf(int name);
+#define _SC_CHILD_MAX (2)
+
+size_t confstr(int name, char *buffer, size_t length);
+#define _CS_PATH (1)
+
+void test_sc_1()
+{
+	int value = sysconf(_SC_CHILD_MAX);
+
+	printf("_SC_CHILD_MAX = %i\n", _SC_CHILD_MAX); // GOOD
+	printf("_SC_CHILD_MAX = %i\n", value); // BAD [NOT DETECTED]
+}
+
+void test_sc_2()
+{
+	char *pathbuf;
+	size_t n;
+
+	n = confstr(_CS_PATH, NULL, (size_t)0);
+	pathbuf = (char *)malloc(n);
+	if (pathbuf != NULL)
+	{
+		confstr(_CS_PATH, pathbuf, n);
+
+		printf("path: %s", pathbuf); // BAD [NOT DETECTED]
+		write(get_fd(), pathbuf, strlen(pathbuf)); // BAD
+	}
+}