C++: Implement clearsContent for IR dataflow

2026-04-21 06:55:31 +02:00 · 2023-06-26 12:11:03 +02:00
parent e6ca5dff87
commit 458522a656
14 changed files with 944 additions and 55 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -651,13 +651,16 @@ predicate jumpStep(Node n1, Node n2) {
 * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
 * Thus, `node2` references an object with a field `f` that contains the
 * value of `node1`.
+ *
+ * The boolean `certain` is true if the destination address does not involve
+ * any pointer arithmetic, and false otherwise.
 */
-predicate storeStep(Node node1, Content c, PostFieldUpdateNode node2) {
+predicate storeStepImpl(Node node1, Content c, PostFieldUpdateNode node2, boolean certain) {
  exists(int indirectionIndex1, int numberOfLoads, StoreInstruction store |
    nodeHasInstruction(node1, store, pragma[only_bind_into](indirectionIndex1)) and
    node2.getIndirectionIndex() = 1 and
    numberOfLoadsFromOperand(node2.getFieldAddress(), store.getDestinationAddressOperand(),
-      numberOfLoads)
+      numberOfLoads, certain)
  |
    exists(FieldContent fc | fc = c |
      fc.getField() = node2.getUpdatedField() and
@@ -671,21 +674,34 @@ predicate storeStep(Node node1, Content c, PostFieldUpdateNode node2) {
  )
 }

+/**
+ * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
+ * Thus, `node2` references an object with a field `f` that contains the
+ * value of `node1`.
+ */
+predicate storeStep(Node node1, Content c, PostFieldUpdateNode node2) {
+  storeStepImpl(node1, c, node2, _)
+}
+
 /**
 * Holds if `operandFrom` flows to `operandTo` using a sequence of conversion-like
 * operations and exactly `n` `LoadInstruction` operations.
 */
-private predicate numberOfLoadsFromOperandRec(Operand operandFrom, Operand operandTo, int ind) {
+private predicate numberOfLoadsFromOperandRec(
+  Operand operandFrom, Operand operandTo, int ind, boolean certain
+) {
  exists(Instruction load | Ssa::isDereference(load, operandFrom) |
-    operandTo = operandFrom and ind = 0
+    operandTo = operandFrom and ind = 0 and certain = true
    or
-    numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1)
+    numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1, certain)
  )
  or
-  exists(Operand op, Instruction instr |
+  exists(Operand op, Instruction instr, boolean isPointerArith, boolean certain0 |
    instr = op.getDef() and
-    conversionFlow(operandFrom, instr, _, _) and
-    numberOfLoadsFromOperand(op, operandTo, ind)
+    conversionFlow(operandFrom, instr, isPointerArith, _) and
+    numberOfLoadsFromOperand(op, operandTo, ind, certain0)
+  |
+    if isPointerArith = true then certain = false else certain = certain0
  )
 }

@@ -693,13 +709,16 @@ private predicate numberOfLoadsFromOperandRec(Operand operandFrom, Operand opera
 * Holds if `operandFrom` flows to `operandTo` using a sequence of conversion-like
 * operations and exactly `n` `LoadInstruction` operations.
 */
-private predicate numberOfLoadsFromOperand(Operand operandFrom, Operand operandTo, int n) {
-  numberOfLoadsFromOperandRec(operandFrom, operandTo, n)
+private predicate numberOfLoadsFromOperand(
+  Operand operandFrom, Operand operandTo, int n, boolean certain
+) {
+  numberOfLoadsFromOperandRec(operandFrom, operandTo, n, certain)
  or
  not Ssa::isDereference(_, operandFrom) and
  not conversionFlow(operandFrom, _, _, _) and
  operandFrom = operandTo and
-  n = 0
+  n = 0 and
+  certain = true
 }

 // Needed to join on both an operand and an index at the same time.
@@ -729,7 +748,7 @@ predicate readStep(Node node1, Content c, Node node2) {
    // The `1` here matches the `node2.getIndirectionIndex() = 1` conjunct
    // in `storeStep`.
    nodeHasOperand(node1, fa1.getObjectAddressOperand(), 1) and
-    numberOfLoadsFromOperand(fa1, operand, numberOfLoads)
+    numberOfLoadsFromOperand(fa1, operand, numberOfLoads, _)
  |
    exists(FieldContent fc | fc = c |
      fc.getField() = fa1.getField() and
@@ -747,7 +766,32 @@ predicate readStep(Node node1, Content c, Node node2) {
 * Holds if values stored inside content `c` are cleared at node `n`.
 */
 predicate clearsContent(Node n, Content c) {
-  none() // stub implementation
+  n =
+    any(PostUpdateNode pun, Content d | d.impliesClearOf(c) and storeStepImpl(_, d, pun, true) | pun)
+        .getPreUpdateNode() and
+  (
+    // The crement operations and pointer addition and subtraction self-assign. We do not
+    // want to clear the contents if it is indirectly pointed at by any of these operations,
+    // as part of the contents might still be accessible afterwards. If there is no such
+    // indirection clearing the contents is safe.
+    not exists(Operand op, Cpp::Operation p |
+      n.(IndirectOperand).hasOperandAndIndirectionIndex(op, _) and
+      (
+        p instanceof Cpp::AssignPointerAddExpr or
+        p instanceof Cpp::AssignPointerSubExpr or
+        p instanceof Cpp::CrementOperation
+      )
+    |
+      p.getAnOperand() = op.getUse().getAst()
+    )
+    or
+    not exists(PostUpdateNode pun, Content d |
+      d.impliesClearOf(c) and
+      storeStepImpl(_, d, pun, true) and
+      c.getIndirectionIndex() > d.getIndirectionIndex() and
+      pun.getPreUpdateNode() = n
+    )
+  )
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -1832,6 +1832,26 @@ class Content extends TContent {
  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
    path = "" and sl = 0 and sc = 0 and el = 0 and ec = 0
  }
+
+  /**
+   * INTERNAL: Do not use.
+   *
+   * Holds if a write to this `Content` implies that `c` is
+   * also cleared.
+   *
+   * For example, a write to a field `f` implies that any content of
+   * the form `*f` is also cleared.
+   */
+  abstract predicate impliesClearOf(Content c);
+
+  abstract int getIndirectionIndex();
+}
+
+predicate foo(FieldContent f) {
+  exists(int i, Field ff |
+    i = f.getIndirectionIndex() and
+    ff = f.getField()
+  )
 }

 /** A reference through a non-union instance field. */
@@ -1850,9 +1870,19 @@ class FieldContent extends Content, TFieldContent {
  Field getField() { result = f }

  pragma[inline]
-  int getIndirectionIndex() {
+  override int getIndirectionIndex() {
    pragma[only_bind_into](result) = pragma[only_bind_out](indirectionIndex)
  }
+
+  override predicate impliesClearOf(Content c) {
+    exists(FieldContent fc |
+      fc = c and
+      fc.getField() = f and
+      // If `this` is `f` then `c` is cleared if it's of the
+      // form `*f`, `**f`, etc.
+      fc.getIndirectionIndex() >= indirectionIndex
+    )
+  }
 }

 /** A reference through an instance field of a union. */
@@ -1877,9 +1907,21 @@ class UnionContent extends Content, TUnionContent {

  /** Gets the indirection index of this `UnionContent`. */
  pragma[inline]
-  int getIndirectionIndex() {
+  override int getIndirectionIndex() {
    pragma[only_bind_into](result) = pragma[only_bind_out](indirectionIndex)
  }
+
+  override predicate impliesClearOf(Content c) {
+    exists(UnionContent uc |
+      uc = c and
+      uc.getUnion() = u and
+      // If `this` is `u` then `c` is cleared if it's of the
+      // form `*u`, `**u`, etc. (and we ignore `bytes` because
+      // we know the entire union is overwritten because it's a
+      // union).
+      uc.getIndirectionIndex() >= indirectionIndex
+    )
+  }
 }

 /**
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
@@ -4,8 +4,9 @@ edges
 | test.cpp:19:9:19:16 | mk_array indirection [p] | test.cpp:28:19:28:26 | call to mk_array [p] |
 | test.cpp:19:9:19:16 | mk_array indirection [p] | test.cpp:50:18:50:25 | call to mk_array [p] |
 | test.cpp:21:5:21:24 | ... = ... | test.cpp:21:9:21:9 | arr indirection [post update] [p] |
-| test.cpp:21:9:21:9 | arr indirection [post update] [p] | test.cpp:19:9:19:16 | mk_array indirection [p] |
+| test.cpp:21:9:21:9 | arr indirection [post update] [p] | test.cpp:22:5:22:7 | arr indirection [p] |
 | test.cpp:21:13:21:18 | call to malloc | test.cpp:21:5:21:24 | ... = ... |
+| test.cpp:22:5:22:7 | arr indirection [p] | test.cpp:19:9:19:16 | mk_array indirection [p] |
 | test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:31:9:31:11 | arr indirection [p] |
 | test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:35:9:35:11 | arr indirection [p] |
 | test.cpp:31:9:31:11 | arr indirection [p] | test.cpp:31:13:31:13 | p indirection |
@@ -20,9 +21,10 @@ edges
 | test.cpp:45:13:45:13 | p indirection | test.cpp:45:13:45:13 | p |
 | test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] |
 | test.cpp:55:5:55:24 | ... = ... | test.cpp:55:9:55:9 | arr indirection [post update] [p] |
-| test.cpp:55:9:55:9 | arr indirection [post update] [p] | test.cpp:59:9:59:11 | arr indirection [p] |
-| test.cpp:55:9:55:9 | arr indirection [post update] [p] | test.cpp:63:9:63:11 | arr indirection [p] |
+| test.cpp:55:9:55:9 | arr indirection [post update] [p] | test.cpp:56:5:56:7 | arr indirection [p] |
 | test.cpp:55:13:55:18 | call to malloc | test.cpp:55:5:55:24 | ... = ... |
+| test.cpp:56:5:56:7 | arr indirection [p] | test.cpp:59:9:59:11 | arr indirection [p] |
+| test.cpp:56:5:56:7 | arr indirection [p] | test.cpp:63:9:63:11 | arr indirection [p] |
 | test.cpp:59:9:59:11 | arr indirection [p] | test.cpp:59:13:59:13 | p indirection |
 | test.cpp:59:13:59:13 | p indirection | test.cpp:59:13:59:13 | p |
 | test.cpp:63:9:63:11 | arr indirection [p] | test.cpp:63:13:63:13 | p indirection |
@@ -30,8 +32,9 @@ edges
 | test.cpp:67:10:67:19 | mk_array_p indirection [p] | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] |
 | test.cpp:67:10:67:19 | mk_array_p indirection [p] | test.cpp:98:18:98:27 | call to mk_array_p indirection [p] |
 | test.cpp:69:5:69:25 | ... = ... | test.cpp:69:10:69:10 | arr indirection [post update] [p] |
-| test.cpp:69:10:69:10 | arr indirection [post update] [p] | test.cpp:67:10:67:19 | mk_array_p indirection [p] |
+| test.cpp:69:10:69:10 | arr indirection [post update] [p] | test.cpp:70:5:70:7 | arr indirection [p] |
 | test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | ... = ... |
+| test.cpp:70:5:70:7 | arr indirection [p] | test.cpp:67:10:67:19 | mk_array_p indirection [p] |
 | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | test.cpp:79:9:79:11 | arr indirection [p] |
 | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | test.cpp:83:9:83:11 | arr indirection [p] |
 | test.cpp:79:9:79:11 | arr indirection [p] | test.cpp:79:14:79:14 | p indirection |
@@ -53,6 +56,7 @@ nodes
 | test.cpp:21:5:21:24 | ... = ... | semmle.label | ... = ... |
 | test.cpp:21:9:21:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
 | test.cpp:21:13:21:18 | call to malloc | semmle.label | call to malloc |
+| test.cpp:22:5:22:7 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:28:19:28:26 | call to mk_array [p] | semmle.label | call to mk_array [p] |
 | test.cpp:31:9:31:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:31:13:31:13 | p | semmle.label | p |
@@ -71,6 +75,7 @@ nodes
 | test.cpp:55:5:55:24 | ... = ... | semmle.label | ... = ... |
 | test.cpp:55:9:55:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
 | test.cpp:55:13:55:18 | call to malloc | semmle.label | call to malloc |
+| test.cpp:56:5:56:7 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:59:9:59:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:59:13:59:13 | p | semmle.label | p |
 | test.cpp:59:13:59:13 | p indirection | semmle.label | p indirection |
@@ -81,6 +86,7 @@ nodes
 | test.cpp:69:5:69:25 | ... = ... | semmle.label | ... = ... |
 | test.cpp:69:10:69:10 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
 | test.cpp:69:14:69:19 | call to malloc | semmle.label | call to malloc |
+| test.cpp:70:5:70:7 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | semmle.label | call to mk_array_p indirection [p] |
 | test.cpp:79:9:79:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:79:14:79:14 | p | semmle.label | p |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -380,9 +380,10 @@ edges
 | test.cpp:80:9:80:16 | mk_array indirection [end] | test.cpp:89:19:89:26 | call to mk_array [end] |
 | test.cpp:80:9:80:16 | mk_array indirection [end] | test.cpp:119:18:119:25 | call to mk_array [end] |
 | test.cpp:82:5:82:28 | ... = ... | test.cpp:82:9:82:13 | arr indirection [post update] [begin] |
-| test.cpp:82:9:82:13 | arr indirection [post update] [begin] | test.cpp:80:9:80:16 | mk_array indirection [begin] |
+| test.cpp:82:9:82:13 | arr indirection [post update] [begin] | test.cpp:83:5:83:7 | arr indirection [begin] |
 | test.cpp:82:9:82:13 | arr indirection [post update] [begin] | test.cpp:83:15:83:17 | arr indirection [begin] |
 | test.cpp:82:17:82:22 | call to malloc | test.cpp:82:5:82:28 | ... = ... |
+| test.cpp:83:5:83:7 | arr indirection [begin] | test.cpp:80:9:80:16 | mk_array indirection [begin] |
 | test.cpp:83:5:83:30 | ... = ... | test.cpp:83:9:83:11 | arr indirection [post update] [end] |
 | test.cpp:83:9:83:11 | arr indirection [post update] [end] | test.cpp:80:9:80:16 | mk_array indirection [end] |
 | test.cpp:83:15:83:17 | arr indirection [begin] | test.cpp:83:19:83:23 | begin indirection |
@@ -455,9 +456,10 @@ edges
 | test.cpp:124:15:124:20 | call to malloc | test.cpp:125:5:125:17 | ... = ... |
 | test.cpp:124:15:124:20 | call to malloc | test.cpp:126:15:126:15 | p |
 | test.cpp:125:5:125:17 | ... = ... | test.cpp:125:9:125:13 | arr indirection [post update] [begin] |
-| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:129:11:129:13 | arr indirection [begin] |
-| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:133:11:133:13 | arr indirection [begin] |
-| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:137:11:137:13 | arr indirection [begin] |
+| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | test.cpp:126:5:126:7 | arr indirection [begin] |
+| test.cpp:126:5:126:7 | arr indirection [begin] | test.cpp:129:11:129:13 | arr indirection [begin] |
+| test.cpp:126:5:126:7 | arr indirection [begin] | test.cpp:133:11:133:13 | arr indirection [begin] |
+| test.cpp:126:5:126:7 | arr indirection [begin] | test.cpp:137:11:137:13 | arr indirection [begin] |
 | test.cpp:129:11:129:13 | arr indirection [begin] | test.cpp:129:15:129:19 | begin indirection |
 | test.cpp:129:15:129:19 | begin indirection | test.cpp:129:15:129:19 | begin |
 | test.cpp:133:11:133:13 | arr indirection [begin] | test.cpp:133:15:133:19 | begin indirection |
@@ -469,9 +471,10 @@ edges
 | test.cpp:141:10:141:19 | mk_array_p indirection [end] | test.cpp:150:20:150:29 | call to mk_array_p indirection [end] |
 | test.cpp:141:10:141:19 | mk_array_p indirection [end] | test.cpp:180:19:180:28 | call to mk_array_p indirection [end] |
 | test.cpp:143:5:143:29 | ... = ... | test.cpp:143:10:143:14 | arr indirection [post update] [begin] |
-| test.cpp:143:10:143:14 | arr indirection [post update] [begin] | test.cpp:141:10:141:19 | mk_array_p indirection [begin] |
+| test.cpp:143:10:143:14 | arr indirection [post update] [begin] | test.cpp:144:5:144:7 | arr indirection [begin] |
 | test.cpp:143:10:143:14 | arr indirection [post update] [begin] | test.cpp:144:16:144:18 | arr indirection [begin] |
 | test.cpp:143:18:143:23 | call to malloc | test.cpp:143:5:143:29 | ... = ... |
+| test.cpp:144:5:144:7 | arr indirection [begin] | test.cpp:141:10:141:19 | mk_array_p indirection [begin] |
 | test.cpp:144:5:144:32 | ... = ... | test.cpp:144:10:144:12 | arr indirection [post update] [end] |
 | test.cpp:144:10:144:12 | arr indirection [post update] [end] | test.cpp:141:10:141:19 | mk_array_p indirection [end] |
 | test.cpp:144:16:144:18 | arr indirection [begin] | test.cpp:144:21:144:25 | begin indirection |
@@ -772,15 +775,10 @@ edges
 | test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
 | test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
 | test.cpp:395:5:395:6 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
-| test.cpp:404:3:404:25 | ... = ... | test.cpp:404:7:404:8 | val indirection [post update] [xs] |
-| test.cpp:404:7:404:8 | val indirection [post update] [xs] | test.cpp:407:3:407:5 | val indirection [xs] |
-| test.cpp:404:12:404:25 | new[] | test.cpp:404:3:404:25 | ... = ... |
 | test.cpp:406:3:406:25 | ... = ... | test.cpp:406:7:406:8 | val indirection [post update] [xs] |
 | test.cpp:406:7:406:8 | val indirection [post update] [xs] | test.cpp:407:3:407:5 | val indirection [xs] |
 | test.cpp:406:12:406:25 | new[] | test.cpp:406:3:406:25 | ... = ... |
 | test.cpp:407:3:407:5 | val indirection [xs] | test.cpp:407:7:407:8 | xs indirection |
-| test.cpp:407:3:407:18 | access to array | test.cpp:407:3:407:22 | Store: ... = ... |
-| test.cpp:407:7:407:8 | xs | test.cpp:407:3:407:18 | access to array |
 | test.cpp:407:7:407:8 | xs indirection | test.cpp:407:7:407:8 | xs |
 | test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:8 | xs |
 | test.cpp:419:7:419:8 | xs | test.cpp:419:7:419:11 | access to array |
@@ -880,6 +878,7 @@ nodes
 | test.cpp:82:5:82:28 | ... = ... | semmle.label | ... = ... |
 | test.cpp:82:9:82:13 | arr indirection [post update] [begin] | semmle.label | arr indirection [post update] [begin] |
 | test.cpp:82:17:82:22 | call to malloc | semmle.label | call to malloc |
+| test.cpp:83:5:83:7 | arr indirection [begin] | semmle.label | arr indirection [begin] |
 | test.cpp:83:5:83:30 | ... = ... | semmle.label | ... = ... |
 | test.cpp:83:9:83:11 | arr indirection [post update] [end] | semmle.label | arr indirection [post update] [end] |
 | test.cpp:83:15:83:17 | arr indirection [begin] | semmle.label | arr indirection [begin] |
@@ -939,6 +938,7 @@ nodes
 | test.cpp:124:15:124:20 | call to malloc | semmle.label | call to malloc |
 | test.cpp:125:5:125:17 | ... = ... | semmle.label | ... = ... |
 | test.cpp:125:9:125:13 | arr indirection [post update] [begin] | semmle.label | arr indirection [post update] [begin] |
+| test.cpp:126:5:126:7 | arr indirection [begin] | semmle.label | arr indirection [begin] |
 | test.cpp:126:15:126:15 | p | semmle.label | p |
 | test.cpp:129:11:129:13 | arr indirection [begin] | semmle.label | arr indirection [begin] |
 | test.cpp:129:15:129:19 | begin | semmle.label | begin |
@@ -954,6 +954,7 @@ nodes
 | test.cpp:143:5:143:29 | ... = ... | semmle.label | ... = ... |
 | test.cpp:143:10:143:14 | arr indirection [post update] [begin] | semmle.label | arr indirection [post update] [begin] |
 | test.cpp:143:18:143:23 | call to malloc | semmle.label | call to malloc |
+| test.cpp:144:5:144:7 | arr indirection [begin] | semmle.label | arr indirection [begin] |
 | test.cpp:144:5:144:32 | ... = ... | semmle.label | ... = ... |
 | test.cpp:144:10:144:12 | arr indirection [post update] [end] | semmle.label | arr indirection [post update] [end] |
 | test.cpp:144:16:144:18 | arr indirection [begin] | semmle.label | arr indirection [begin] |
@@ -1138,15 +1139,10 @@ nodes
 | test.cpp:393:9:393:10 | xs | semmle.label | xs |
 | test.cpp:395:5:395:6 | xs | semmle.label | xs |
 | test.cpp:395:5:395:13 | Store: ... = ... | semmle.label | Store: ... = ... |
-| test.cpp:404:3:404:25 | ... = ... | semmle.label | ... = ... |
-| test.cpp:404:7:404:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
-| test.cpp:404:12:404:25 | new[] | semmle.label | new[] |
 | test.cpp:406:3:406:25 | ... = ... | semmle.label | ... = ... |
 | test.cpp:406:7:406:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
 | test.cpp:406:12:406:25 | new[] | semmle.label | new[] |
 | test.cpp:407:3:407:5 | val indirection [xs] | semmle.label | val indirection [xs] |
-| test.cpp:407:3:407:18 | access to array | semmle.label | access to array |
-| test.cpp:407:3:407:22 | Store: ... = ... | semmle.label | Store: ... = ... |
 | test.cpp:407:7:407:8 | xs | semmle.label | xs |
 | test.cpp:407:7:407:8 | xs indirection | semmle.label | xs indirection |
 | test.cpp:417:16:417:33 | new[] | semmle.label | new[] |
@@ -1184,6 +1180,5 @@ subpaths
 | test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size |
 | test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
 | test.cpp:395:5:395:13 | Store: ... = ... | test.cpp:388:14:388:27 | new[] | test.cpp:395:5:395:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:388:14:388:27 | new[] | new[] | test.cpp:389:19:389:22 | size | size |
-| test.cpp:407:3:407:22 | Store: ... = ... | test.cpp:404:12:404:25 | new[] | test.cpp:407:3:407:22 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:404:12:404:25 | new[] | new[] | test.cpp:407:10:407:17 | ... - ... | ... - ... |
 | test.cpp:419:7:419:15 | Store: ... = ... | test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:417:16:417:33 | new[] | new[] | test.cpp:419:10:419:10 | i | i |
 | test.cpp:433:5:433:21 | Store: ... = ... | test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:427:14:427:27 | new[] | new[] | test.cpp:433:8:433:16 | ... ++ | ... ++ |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -404,7 +404,7 @@ void test29(unsigned size) {
  val.xs = new char[size];
  size++;
  val.xs = new char[size];
-  val.xs[size - 1] = 0; // GOOD [FALSE POSITIVE]
+  val.xs[size - 1] = 0; // GOOD
 }

 void test30(int *size)
--- a/cpp/ql/test/library-tests/dataflow/fields/clearning.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/clearning.cpp
@@ -0,0 +1,182 @@
+// We want a source of user input that can be both a pointer and a non-pointer. So we
+// hack the testing a bit by providing an overload that takes a boolean to distinguish
+// between the two while still satisfying the test requirement that the function must
+// be named `user_input`.
+int user_input();
+int* user_input(bool);
+void sink(...);
+void argument_source(int*);
+
+struct S {
+	int** x;
+};
+
+void test()
+{
+	{
+		S s;
+		**s.x = user_input();
+		*s.x = 0;
+		sink(**s.x); // $ clean, as *s.x was overwritten and that contains the tainted **s.x
+	}
+
+	{
+		S s;
+		**s.x = user_input();
+		**s.x = 0;
+		sink(**s.x); // $ clean, as **s.x was overwritten and tainted
+	}
+
+	{
+		S s;
+		*s.x = user_input(true);
+		**s.x = 0;
+		sink(*s.x); // $ ir // not clean, as **s.x was overwritten and is neither equal nor contains the tainted *s.x
+	}
+
+	{
+		S s;
+		*s.x = user_input(true);
+		s.x = 0;
+		sink(*s.x); // clean, as s.x was overwritten and contains the tainted *s.x
+	}
+
+	{
+		S s;
+		**s.x = user_input();
+		s.x = 0;
+		sink(*s.x); // clean, as s.x was overwritten and contains the tainted **s.x
+	}
+
+	{
+		S s;
+		*s.x = user_input(true);
+		s.x++;
+		sink(s.x); // $ SPURIOUS: ir ast // Cannot tell the difference with the whole array being tainted
+	}
+
+	{
+		S s;
+		**s.x = user_input();
+		s.x++;
+		sink(s.x); // $ SPURIOUS: ir // Cannot tell the difference with the whole array being tainted
+	}
+}
+
+struct S2
+{
+	int* val;
+};
+
+void test_uncertain_write_is_not_clear()
+{
+	S2 s;
+	argument_source(s.val);
+	s.val[10] = 0;
+	sink(*s.val); // $ ir MISSING: ast // not clean, as all elements of s.val are tainted and only one is overwitten
+}
+
+void test_indirection_should_not_be_cleared_with_write_1() {
+	S2 s;
+	argument_source(s.val); // *s.val is tainted
+	s.val[0] = 0;
+    s.val = s.val + 1;
+	sink(*s.val); // $ ir MISSING: ast // not clean, as all elements of s.val are tainted, only one if overwritten, and the updated pointer still points to tainted elements
+}
+
+void test_indirection_should_not_be_cleared_with_write_2() {
+	S2 s;
+	argument_source(s.val); // *s.val is tainted
+	*s.val++ = 0;
+	sink(*s.val); // $ ir MISSING: ast // not clean, as all elements of s.val are tainted, only one if overwritten, and the updated pointer still points to tainted elements
+}
+
+void test_indirection_should_not_be_cleared_without_write_1() {
+	S2 s;
+	argument_source(s.val); // *s.val is tainted
+	s.val = s.val + 1;
+	sink(*s.val); // $ ir MISSING: ast // not clean, as all elements of s.val are tainted and the updated pointer still points to tainted elements
+}
+
+void test_indirection_should_not_be_cleared_without_write_2() {
+	S2 s;
+	argument_source(s.val); // *s.val is tainted
+	s.val++;
+	sink(*s.val); // $ ir MISSING: ast // not clean, as all elements of s.val are tainted and the updated pointer still points to tainted elements
+}
+
+void test_indirection_should_not_be_cleared_without_write_3() {
+	S2 s;
+	argument_source(s.val); // *s.val is tainted
+	++s.val;
+	sink(*s.val); // $ ir MISSING: ast // not clean as the pointer is only moved to the next tainted element
+}
+
+void test_indirection_should_not_be_cleared_without_write_4() {
+	S2 s;
+	argument_source(s.val); // *s.val is tainted
+	s.val += 1;
+	sink(*s.val); // $ ir MISSING: ast // not clean as the pointer is only moved to the next tainted element
+}
+
+void test_direct_should_be_cleared() {
+	S2 s;
+	s.val = user_input(true); // s.val is tainted
+	s.val += 1;
+	sink(s.val); // $ SPURIOUS: ast // clean, as s.val was overwritten and tainted
+}
+
+void test_direct_should_be_cleared_post() {
+	S2 s;
+	s.val = user_input(true); // s.val is tainted
+	s.val++;
+	sink(s.val); // $ SPURIOUS: ast // clean, as s.val was overwritten and tainted
+}
+
+void test_direct_should_be_cleared_pre() {
+	S2 s;
+	s.val = user_input(true); // s.val is tainted
+	++s.val;
+	sink(s.val); // $ SPURIOUS: ast // // clean, as s.x was overwritten and tainted
+}
+
+struct S3
+{
+	int val;
+};
+
+void test_direct() {
+	{
+		S3 s;
+		s.val = user_input();
+		sink(s.val); // $ ir ast
+	}
+
+	{
+		S3 s;
+		s.val = user_input();
+		s.val = 0;
+		sink(s.val); // $ SPURIOUS: ast // clean
+	}
+
+	{
+		S3 s;
+		s.val = user_input();
+		s.val++;
+		sink(s.val); // $ SPURIOUS: ast // clean
+	}
+
+	{
+		S3 s;
+		s.val = user_input();
+		s.val += 1;
+		sink(s.val); // $ SPURIOUS: ast // clean
+	}
+
+	{
+		S3 s;
+		s.val = user_input();
+		s.val = s.val + 1;
+		sink(s.val); // $ SPURIOUS: ast // clean
+	}
+}
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
@@ -43,6 +43,9 @@ argHasPostUpdate
 | arrays.cpp:10:8:10:15 | * ... | ArgumentNode is missing PostUpdateNode. |
 | arrays.cpp:16:8:16:13 | access to array | ArgumentNode is missing PostUpdateNode. |
 | arrays.cpp:17:8:17:13 | access to array | ArgumentNode is missing PostUpdateNode. |
+| clearning.cpp:34:8:34:11 | * ... | ArgumentNode is missing PostUpdateNode. |
+| clearning.cpp:41:8:41:11 | * ... | ArgumentNode is missing PostUpdateNode. |
+| clearning.cpp:48:8:48:11 | * ... | ArgumentNode is missing PostUpdateNode. |
 postWithInFlow
 | A.cpp:25:13:25:13 | c [post update] | PostUpdateNode should not be the target of local flow. |
 | A.cpp:27:28:27:28 | c [post update] | PostUpdateNode should not be the target of local flow. |
@@ -123,6 +126,32 @@ postWithInFlow
 | by_reference.cpp:108:24:108:24 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
 | by_reference.cpp:123:28:123:36 | inner_ptr [inner post update] | PostUpdateNode should not be the target of local flow. |
 | by_reference.cpp:127:30:127:38 | inner_ptr [inner post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:19:3:19:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:19:6:19:6 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:32:3:32:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:32:6:32:6 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:39:3:39:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:39:6:39:6 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:40:5:40:5 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:47:5:47:5 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:53:3:53:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:53:6:53:6 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:75:2:75:10 | access to array [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:75:4:75:6 | val [inner post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:82:2:82:9 | access to array [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:82:4:82:6 | val [inner post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:83:7:83:9 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:97:4:97:6 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:124:4:124:6 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:131:4:131:6 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:138:4:138:6 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:151:5:151:7 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:157:5:157:7 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:158:5:158:7 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:164:5:164:7 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:171:5:171:7 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:178:5:178:7 | val [post update] | PostUpdateNode should not be the target of local flow. |
+| clearning.cpp:179:5:179:7 | val [post update] | PostUpdateNode should not be the target of local flow. |
 | complex.cpp:11:22:11:23 | a_ [post update] | PostUpdateNode should not be the target of local flow. |
 | complex.cpp:12:22:12:23 | b_ [post update] | PostUpdateNode should not be the target of local flow. |
 | conflated.cpp:10:3:10:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
@@ -19,6 +19,17 @@ uniquePostUpdate
 | aliasing.cpp:77:11:77:11 | definition of w indirection | Node has multiple PostUpdateNodes. |
 | aliasing.cpp:84:11:84:11 | definition of w indirection | Node has multiple PostUpdateNodes. |
 | aliasing.cpp:91:11:91:11 | definition of w indirection | Node has multiple PostUpdateNodes. |
+| clearning.cpp:54:3:54:3 | s indirection | Node has multiple PostUpdateNodes. |
+| clearning.cpp:61:3:61:3 | s indirection | Node has multiple PostUpdateNodes. |
+| clearning.cpp:90:3:90:3 | s indirection | Node has multiple PostUpdateNodes. |
+| clearning.cpp:104:2:104:2 | s indirection | Node has multiple PostUpdateNodes. |
+| clearning.cpp:111:4:111:4 | s indirection | Node has multiple PostUpdateNodes. |
+| clearning.cpp:118:2:118:2 | s indirection | Node has multiple PostUpdateNodes. |
+| clearning.cpp:125:2:125:2 | s indirection | Node has multiple PostUpdateNodes. |
+| clearning.cpp:132:2:132:2 | s indirection | Node has multiple PostUpdateNodes. |
+| clearning.cpp:139:4:139:4 | s indirection | Node has multiple PostUpdateNodes. |
+| clearning.cpp:165:3:165:3 | s indirection | Node has multiple PostUpdateNodes. |
+| clearning.cpp:172:3:172:3 | s indirection | Node has multiple PostUpdateNodes. |
 | complex.cpp:22:3:22:5 | this indirection | Node has multiple PostUpdateNodes. |
 | complex.cpp:25:7:25:7 | this indirection | Node has multiple PostUpdateNodes. |
 | complex.cpp:42:10:42:14 | inner indirection | Node has multiple PostUpdateNodes. |
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -572,6 +572,136 @@ edges
 | by_reference.cpp:136:8:136:13 | pouter indirection [a] | by_reference.cpp:136:16:136:16 | a |
 | by_reference.cpp:136:8:136:13 | pouter indirection [a] | by_reference.cpp:136:16:136:16 | a indirection |
 | by_reference.cpp:136:16:136:16 | a indirection | by_reference.cpp:136:16:136:16 | a |
+| clearning.cpp:32:3:32:25 | ... = ... | clearning.cpp:32:6:32:6 | s indirection [post update] [x indirection] |
+| clearning.cpp:32:6:32:6 | s indirection [post update] [x indirection] | clearning.cpp:33:5:33:5 | s indirection [x indirection] |
+| clearning.cpp:32:10:32:19 | call to user_input | clearning.cpp:32:3:32:25 | ... = ... |
+| clearning.cpp:33:5:33:5 | s indirection [x indirection] | clearning.cpp:34:9:34:9 | s indirection [x indirection] |
+| clearning.cpp:34:9:34:9 | s indirection [x indirection] | clearning.cpp:34:8:34:11 | * ... |
+| clearning.cpp:34:9:34:9 | s indirection [x indirection] | clearning.cpp:34:11:34:11 | x indirection |
+| clearning.cpp:34:9:34:9 | s indirection [x indirection] | clearning.cpp:34:11:34:11 | x indirection |
+| clearning.cpp:34:11:34:11 | x indirection | clearning.cpp:34:8:34:11 | * ... |
+| clearning.cpp:34:11:34:11 | x indirection | clearning.cpp:34:8:34:11 | * ... |
+| clearning.cpp:53:3:53:25 | ... = ... | clearning.cpp:53:6:53:6 | s indirection [post update] [x indirection] |
+| clearning.cpp:53:6:53:6 | s indirection [post update] [x indirection] | clearning.cpp:54:3:54:3 | s indirection [x indirection] |
+| clearning.cpp:53:10:53:19 | call to user_input | clearning.cpp:53:3:53:25 | ... = ... |
+| clearning.cpp:54:3:54:3 | s indirection [x indirection] | clearning.cpp:54:3:54:7 | ... ++ indirection |
+| clearning.cpp:54:3:54:3 | s indirection [x indirection] | clearning.cpp:54:5:54:5 | x indirection |
+| clearning.cpp:54:3:54:3 | s indirection [x indirection] | clearning.cpp:55:8:55:8 | s indirection [x indirection] |
+| clearning.cpp:54:3:54:7 | ... ++ indirection | clearning.cpp:54:3:54:7 | ... ++ indirection |
+| clearning.cpp:54:3:54:7 | ... ++ indirection | clearning.cpp:54:5:54:5 | s indirection [post update] [x indirection] |
+| clearning.cpp:54:5:54:5 | s indirection [post update] [x indirection] | clearning.cpp:55:8:55:8 | s indirection [x indirection] |
+| clearning.cpp:54:5:54:5 | x indirection | clearning.cpp:54:3:54:7 | ... ++ indirection |
+| clearning.cpp:55:8:55:8 | s indirection [x indirection] | clearning.cpp:55:10:55:10 | x indirection |
+| clearning.cpp:55:8:55:8 | s indirection [x indirection] | clearning.cpp:55:10:55:10 | x indirection |
+| clearning.cpp:55:10:55:10 | x indirection | clearning.cpp:55:10:55:10 | x indirection |
+| clearning.cpp:60:3:60:22 | ... = ... | clearning.cpp:60:7:60:7 | s indirection [post update] [x indirection] |
+| clearning.cpp:60:7:60:7 | s indirection [post update] [x indirection] | clearning.cpp:61:3:61:3 | s indirection [x indirection] |
+| clearning.cpp:60:11:60:20 | call to user_input | clearning.cpp:60:3:60:22 | ... = ... |
+| clearning.cpp:61:3:61:3 | s indirection [x indirection] | clearning.cpp:61:3:61:7 | ... ++ indirection |
+| clearning.cpp:61:3:61:3 | s indirection [x indirection] | clearning.cpp:61:5:61:5 | x indirection |
+| clearning.cpp:61:3:61:3 | s indirection [x indirection] | clearning.cpp:62:8:62:8 | s indirection [x indirection] |
+| clearning.cpp:61:3:61:7 | ... ++ indirection | clearning.cpp:61:3:61:7 | ... ++ indirection |
+| clearning.cpp:61:3:61:7 | ... ++ indirection | clearning.cpp:61:5:61:5 | s indirection [post update] [x indirection] |
+| clearning.cpp:61:5:61:5 | s indirection [post update] [x indirection] | clearning.cpp:62:8:62:8 | s indirection [x indirection] |
+| clearning.cpp:61:5:61:5 | x indirection | clearning.cpp:61:3:61:7 | ... ++ indirection |
+| clearning.cpp:62:8:62:8 | s indirection [x indirection] | clearning.cpp:62:10:62:10 | x indirection |
+| clearning.cpp:62:8:62:8 | s indirection [x indirection] | clearning.cpp:62:10:62:10 | x indirection |
+| clearning.cpp:62:10:62:10 | x indirection | clearning.cpp:62:10:62:10 | x indirection |
+| clearning.cpp:74:20:74:22 | argument_source output argument | clearning.cpp:74:20:74:22 | s indirection [post update] [val indirection] |
+| clearning.cpp:74:20:74:22 | s indirection [post update] [val indirection] | clearning.cpp:76:8:76:8 | s indirection [val indirection] |
+| clearning.cpp:76:8:76:8 | s indirection [val indirection] | clearning.cpp:76:7:76:12 | * ... |
+| clearning.cpp:76:8:76:8 | s indirection [val indirection] | clearning.cpp:76:10:76:12 | val indirection |
+| clearning.cpp:76:8:76:8 | s indirection [val indirection] | clearning.cpp:76:10:76:12 | val indirection |
+| clearning.cpp:76:10:76:12 | val indirection | clearning.cpp:76:7:76:12 | * ... |
+| clearning.cpp:76:10:76:12 | val indirection | clearning.cpp:76:7:76:12 | * ... |
+| clearning.cpp:81:20:81:22 | argument_source output argument | clearning.cpp:81:20:81:22 | s indirection [post update] [val indirection] |
+| clearning.cpp:81:20:81:22 | s indirection [post update] [val indirection] | clearning.cpp:83:13:83:13 | s indirection [val indirection] |
+| clearning.cpp:83:5:83:21 | ... = ... indirection | clearning.cpp:83:7:83:9 | s indirection [post update] [val indirection] |
+| clearning.cpp:83:7:83:9 | s indirection [post update] [val indirection] | clearning.cpp:84:8:84:8 | s indirection [val indirection] |
+| clearning.cpp:83:13:83:13 | s indirection [val indirection] | clearning.cpp:83:13:83:21 | ... + ... indirection |
+| clearning.cpp:83:13:83:13 | s indirection [val indirection] | clearning.cpp:83:15:83:17 | val indirection |
+| clearning.cpp:83:13:83:21 | ... + ... indirection | clearning.cpp:83:5:83:21 | ... = ... indirection |
+| clearning.cpp:83:15:83:17 | val indirection | clearning.cpp:83:5:83:21 | ... = ... indirection |
+| clearning.cpp:84:8:84:8 | s indirection [val indirection] | clearning.cpp:84:7:84:12 | * ... |
+| clearning.cpp:84:8:84:8 | s indirection [val indirection] | clearning.cpp:84:10:84:12 | val indirection |
+| clearning.cpp:84:8:84:8 | s indirection [val indirection] | clearning.cpp:84:10:84:12 | val indirection |
+| clearning.cpp:84:10:84:12 | val indirection | clearning.cpp:84:7:84:12 | * ... |
+| clearning.cpp:84:10:84:12 | val indirection | clearning.cpp:84:7:84:12 | * ... |
+| clearning.cpp:89:20:89:22 | argument_source output argument | clearning.cpp:89:20:89:22 | s indirection [post update] [val indirection] |
+| clearning.cpp:89:20:89:22 | s indirection [post update] [val indirection] | clearning.cpp:90:3:90:3 | s indirection [val indirection] |
+| clearning.cpp:90:3:90:3 | s indirection [val indirection] | clearning.cpp:90:3:90:9 | ... ++ indirection |
+| clearning.cpp:90:3:90:3 | s indirection [val indirection] | clearning.cpp:90:5:90:7 | val indirection |
+| clearning.cpp:90:3:90:3 | s indirection [val indirection] | clearning.cpp:91:8:91:8 | s indirection [val indirection] |
+| clearning.cpp:90:3:90:9 | ... ++ indirection | clearning.cpp:90:3:90:9 | ... ++ indirection |
+| clearning.cpp:90:3:90:9 | ... ++ indirection | clearning.cpp:90:5:90:7 | s indirection [post update] [val indirection] |
+| clearning.cpp:90:5:90:7 | s indirection [post update] [val indirection] | clearning.cpp:91:8:91:8 | s indirection [val indirection] |
+| clearning.cpp:90:5:90:7 | val indirection | clearning.cpp:90:3:90:9 | ... ++ indirection |
+| clearning.cpp:91:8:91:8 | s indirection [val indirection] | clearning.cpp:91:7:91:12 | * ... |
+| clearning.cpp:91:8:91:8 | s indirection [val indirection] | clearning.cpp:91:10:91:12 | val indirection |
+| clearning.cpp:91:8:91:8 | s indirection [val indirection] | clearning.cpp:91:10:91:12 | val indirection |
+| clearning.cpp:91:10:91:12 | val indirection | clearning.cpp:91:7:91:12 | * ... |
+| clearning.cpp:91:10:91:12 | val indirection | clearning.cpp:91:7:91:12 | * ... |
+| clearning.cpp:96:20:96:22 | argument_source output argument | clearning.cpp:96:20:96:22 | s indirection [post update] [val indirection] |
+| clearning.cpp:96:20:96:22 | s indirection [post update] [val indirection] | clearning.cpp:97:10:97:10 | s indirection [val indirection] |
+| clearning.cpp:97:2:97:18 | ... = ... indirection | clearning.cpp:97:4:97:6 | s indirection [post update] [val indirection] |
+| clearning.cpp:97:4:97:6 | s indirection [post update] [val indirection] | clearning.cpp:98:8:98:8 | s indirection [val indirection] |
+| clearning.cpp:97:10:97:10 | s indirection [val indirection] | clearning.cpp:97:10:97:18 | ... + ... indirection |
+| clearning.cpp:97:10:97:10 | s indirection [val indirection] | clearning.cpp:97:12:97:14 | val indirection |
+| clearning.cpp:97:10:97:18 | ... + ... indirection | clearning.cpp:97:2:97:18 | ... = ... indirection |
+| clearning.cpp:97:12:97:14 | val indirection | clearning.cpp:97:2:97:18 | ... = ... indirection |
+| clearning.cpp:98:8:98:8 | s indirection [val indirection] | clearning.cpp:98:7:98:12 | * ... |
+| clearning.cpp:98:8:98:8 | s indirection [val indirection] | clearning.cpp:98:10:98:12 | val indirection |
+| clearning.cpp:98:8:98:8 | s indirection [val indirection] | clearning.cpp:98:10:98:12 | val indirection |
+| clearning.cpp:98:10:98:12 | val indirection | clearning.cpp:98:7:98:12 | * ... |
+| clearning.cpp:98:10:98:12 | val indirection | clearning.cpp:98:7:98:12 | * ... |
+| clearning.cpp:103:20:103:22 | argument_source output argument | clearning.cpp:103:20:103:22 | s indirection [post update] [val indirection] |
+| clearning.cpp:103:20:103:22 | s indirection [post update] [val indirection] | clearning.cpp:104:2:104:2 | s indirection [val indirection] |
+| clearning.cpp:104:2:104:2 | s indirection [val indirection] | clearning.cpp:104:2:104:8 | ... ++ indirection |
+| clearning.cpp:104:2:104:2 | s indirection [val indirection] | clearning.cpp:104:4:104:6 | val indirection |
+| clearning.cpp:104:2:104:2 | s indirection [val indirection] | clearning.cpp:105:8:105:8 | s indirection [val indirection] |
+| clearning.cpp:104:2:104:8 | ... ++ indirection | clearning.cpp:104:2:104:8 | ... ++ indirection |
+| clearning.cpp:104:2:104:8 | ... ++ indirection | clearning.cpp:104:4:104:6 | s indirection [post update] [val indirection] |
+| clearning.cpp:104:4:104:6 | s indirection [post update] [val indirection] | clearning.cpp:105:8:105:8 | s indirection [val indirection] |
+| clearning.cpp:104:4:104:6 | val indirection | clearning.cpp:104:2:104:8 | ... ++ indirection |
+| clearning.cpp:105:8:105:8 | s indirection [val indirection] | clearning.cpp:105:7:105:12 | * ... |
+| clearning.cpp:105:8:105:8 | s indirection [val indirection] | clearning.cpp:105:10:105:12 | val indirection |
+| clearning.cpp:105:8:105:8 | s indirection [val indirection] | clearning.cpp:105:10:105:12 | val indirection |
+| clearning.cpp:105:10:105:12 | val indirection | clearning.cpp:105:7:105:12 | * ... |
+| clearning.cpp:105:10:105:12 | val indirection | clearning.cpp:105:7:105:12 | * ... |
+| clearning.cpp:110:20:110:22 | argument_source output argument | clearning.cpp:110:20:110:22 | s indirection [post update] [val indirection] |
+| clearning.cpp:110:20:110:22 | s indirection [post update] [val indirection] | clearning.cpp:111:4:111:4 | s indirection [val indirection] |
+| clearning.cpp:111:2:111:8 | ++ ... indirection | clearning.cpp:111:2:111:8 | ++ ... indirection |
+| clearning.cpp:111:2:111:8 | ++ ... indirection | clearning.cpp:111:6:111:8 | s indirection [post update] [val indirection] |
+| clearning.cpp:111:4:111:4 | s indirection [val indirection] | clearning.cpp:111:2:111:8 | ++ ... indirection |
+| clearning.cpp:111:4:111:4 | s indirection [val indirection] | clearning.cpp:111:6:111:8 | val indirection |
+| clearning.cpp:111:4:111:4 | s indirection [val indirection] | clearning.cpp:112:8:112:8 | s indirection [val indirection] |
+| clearning.cpp:111:6:111:8 | s indirection [post update] [val indirection] | clearning.cpp:112:8:112:8 | s indirection [val indirection] |
+| clearning.cpp:111:6:111:8 | val indirection | clearning.cpp:111:2:111:8 | ++ ... indirection |
+| clearning.cpp:112:8:112:8 | s indirection [val indirection] | clearning.cpp:112:7:112:12 | * ... |
+| clearning.cpp:112:8:112:8 | s indirection [val indirection] | clearning.cpp:112:10:112:12 | val indirection |
+| clearning.cpp:112:8:112:8 | s indirection [val indirection] | clearning.cpp:112:10:112:12 | val indirection |
+| clearning.cpp:112:10:112:12 | val indirection | clearning.cpp:112:7:112:12 | * ... |
+| clearning.cpp:112:10:112:12 | val indirection | clearning.cpp:112:7:112:12 | * ... |
+| clearning.cpp:117:20:117:22 | argument_source output argument | clearning.cpp:117:20:117:22 | s indirection [post update] [val indirection] |
+| clearning.cpp:117:20:117:22 | s indirection [post update] [val indirection] | clearning.cpp:118:2:118:2 | s indirection [val indirection] |
+| clearning.cpp:118:2:118:2 | s indirection [val indirection] | clearning.cpp:118:2:118:11 | ... += ... indirection |
+| clearning.cpp:118:2:118:2 | s indirection [val indirection] | clearning.cpp:118:4:118:6 | val indirection |
+| clearning.cpp:118:2:118:2 | s indirection [val indirection] | clearning.cpp:119:8:119:8 | s indirection [val indirection] |
+| clearning.cpp:118:2:118:11 | ... += ... indirection | clearning.cpp:118:2:118:11 | ... += ... indirection |
+| clearning.cpp:118:2:118:11 | ... += ... indirection | clearning.cpp:118:4:118:6 | s indirection [post update] [val indirection] |
+| clearning.cpp:118:4:118:6 | s indirection [post update] [val indirection] | clearning.cpp:119:8:119:8 | s indirection [val indirection] |
+| clearning.cpp:118:4:118:6 | val indirection | clearning.cpp:118:2:118:11 | ... += ... indirection |
+| clearning.cpp:119:8:119:8 | s indirection [val indirection] | clearning.cpp:119:7:119:12 | * ... |
+| clearning.cpp:119:8:119:8 | s indirection [val indirection] | clearning.cpp:119:10:119:12 | val indirection |
+| clearning.cpp:119:8:119:8 | s indirection [val indirection] | clearning.cpp:119:10:119:12 | val indirection |
+| clearning.cpp:119:10:119:12 | val indirection | clearning.cpp:119:7:119:12 | * ... |
+| clearning.cpp:119:10:119:12 | val indirection | clearning.cpp:119:7:119:12 | * ... |
+| clearning.cpp:151:3:151:22 | ... = ... | clearning.cpp:151:5:151:7 | s indirection [post update] [val] |
+| clearning.cpp:151:5:151:7 | s indirection [post update] [val] | clearning.cpp:152:8:152:8 | s indirection [val] |
+| clearning.cpp:151:11:151:20 | call to user_input | clearning.cpp:151:3:151:22 | ... = ... |
+| clearning.cpp:152:8:152:8 | s indirection [val] | clearning.cpp:152:10:152:12 | val |
+| clearning.cpp:152:8:152:8 | s indirection [val] | clearning.cpp:152:10:152:12 | val indirection |
+| clearning.cpp:152:10:152:12 | val indirection | clearning.cpp:152:10:152:12 | val |
 | complex.cpp:9:7:9:7 | this indirection [a_] | complex.cpp:9:20:9:21 | this indirection [a_] |
 | complex.cpp:9:20:9:21 | a_ | complex.cpp:9:7:9:7 | a indirection |
 | complex.cpp:9:20:9:21 | a_ indirection | complex.cpp:9:7:9:7 | a indirection |
@@ -861,19 +991,20 @@ edges
 | struct_init.c:15:8:15:9 | ab indirection [a] | struct_init.c:15:12:15:12 | a |
 | struct_init.c:15:8:15:9 | ab indirection [a] | struct_init.c:15:12:15:12 | a indirection |
 | struct_init.c:15:12:15:12 | a indirection | struct_init.c:15:12:15:12 | a |
-| struct_init.c:20:17:20:36 | definition of ab indirection [post update] [a] | struct_init.c:22:8:22:9 | ab indirection [a] |
-| struct_init.c:20:17:20:36 | definition of ab indirection [post update] [a] | struct_init.c:24:10:24:12 | & ... indirection [a] |
-| struct_init.c:20:17:20:36 | definition of ab indirection [post update] [a] | struct_init.c:28:5:28:7 | & ... indirection [a] |
+| struct_init.c:20:13:20:14 | definition of ab indirection [a] | struct_init.c:22:8:22:9 | ab indirection [a] |
+| struct_init.c:20:13:20:14 | definition of ab indirection [a] | struct_init.c:24:10:24:12 | & ... indirection [a] |
+| struct_init.c:20:13:20:14 | definition of ab indirection [a] | struct_init.c:28:5:28:7 | & ... indirection [a] |
+| struct_init.c:20:17:20:36 | definition of ab indirection [post update] [a] | struct_init.c:20:13:20:14 | definition of ab indirection [a] |
 | struct_init.c:20:20:20:29 | call to user_input | struct_init.c:20:17:20:36 | definition of ab indirection [post update] [a] |
 | struct_init.c:20:20:20:29 | call to user_input | struct_init.c:20:20:20:29 | call to user_input |
 | struct_init.c:22:8:22:9 | ab indirection [a] | struct_init.c:22:11:22:11 | a |
 | struct_init.c:22:8:22:9 | ab indirection [a] | struct_init.c:22:11:22:11 | a indirection |
 | struct_init.c:22:11:22:11 | a indirection | struct_init.c:22:11:22:11 | a |
 | struct_init.c:24:10:24:12 | & ... indirection [a] | struct_init.c:14:24:14:25 | ab indirection [a] |
-| struct_init.c:26:23:29:3 | definition of outer indirection [post update] [nestedAB, a] | struct_init.c:31:8:31:12 | outer indirection [nestedAB, a] |
-| struct_init.c:26:23:29:3 | definition of outer indirection [post update] [nestedAB, a] | struct_init.c:31:8:31:12 | outer indirection [nestedAB, a] |
-| struct_init.c:26:23:29:3 | definition of outer indirection [post update] [nestedAB, a] | struct_init.c:36:11:36:15 | outer indirection [nestedAB, a] |
-| struct_init.c:26:23:29:3 | definition of outer indirection [post update] [nestedAB, a] | struct_init.c:36:11:36:15 | outer indirection [nestedAB, a] |
+| struct_init.c:26:16:26:20 | definition of outer indirection [nestedAB, a] | struct_init.c:31:8:31:12 | outer indirection [nestedAB, a] |
+| struct_init.c:26:16:26:20 | definition of outer indirection [nestedAB, a] | struct_init.c:36:11:36:15 | outer indirection [nestedAB, a] |
+| struct_init.c:26:23:29:3 | definition of outer indirection [post update] [nestedAB, a] | struct_init.c:26:16:26:20 | definition of outer indirection [nestedAB, a] |
+| struct_init.c:26:23:29:3 | definition of outer indirection [post update] [nestedAB, a] | struct_init.c:26:16:26:20 | definition of outer indirection [nestedAB, a] |
 | struct_init.c:26:23:29:3 | definition of outer indirection [post update] [pointerAB indirection, a] | struct_init.c:33:8:33:12 | outer indirection [pointerAB indirection, a] |
 | struct_init.c:27:5:27:23 | {...} indirection [post update] [a] | struct_init.c:26:23:29:3 | definition of outer indirection [post update] [nestedAB, a] |
 | struct_init.c:27:5:27:23 | {...} indirection [post update] [a] | struct_init.c:26:23:29:3 | definition of outer indirection [post update] [nestedAB, a] |
@@ -892,7 +1023,8 @@ edges
 | struct_init.c:33:25:33:25 | a indirection | struct_init.c:33:25:33:25 | a |
 | struct_init.c:36:10:36:24 | & ... indirection [a] | struct_init.c:14:24:14:25 | ab indirection [a] |
 | struct_init.c:36:11:36:15 | outer indirection [nestedAB, a] | struct_init.c:36:10:36:24 | & ... indirection [a] |
-| struct_init.c:40:17:40:36 | definition of ab indirection [post update] [a] | struct_init.c:43:5:43:7 | & ... indirection [a] |
+| struct_init.c:40:13:40:14 | definition of ab indirection [a] | struct_init.c:43:5:43:7 | & ... indirection [a] |
+| struct_init.c:40:17:40:36 | definition of ab indirection [post update] [a] | struct_init.c:40:13:40:14 | definition of ab indirection [a] |
 | struct_init.c:40:20:40:29 | call to user_input | struct_init.c:40:17:40:36 | definition of ab indirection [post update] [a] |
 | struct_init.c:40:20:40:29 | call to user_input | struct_init.c:40:20:40:29 | call to user_input |
 | struct_init.c:41:23:44:3 | definition of outer indirection [post update] [pointerAB indirection, a] | struct_init.c:46:10:46:14 | outer indirection [pointerAB indirection, a] |
@@ -1433,6 +1565,114 @@ nodes
 | by_reference.cpp:136:8:136:13 | pouter indirection [a] | semmle.label | pouter indirection [a] |
 | by_reference.cpp:136:16:136:16 | a | semmle.label | a |
 | by_reference.cpp:136:16:136:16 | a indirection | semmle.label | a indirection |
+| clearning.cpp:32:3:32:25 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:32:6:32:6 | s indirection [post update] [x indirection] | semmle.label | s indirection [post update] [x indirection] |
+| clearning.cpp:32:10:32:19 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:33:5:33:5 | s indirection [x indirection] | semmle.label | s indirection [x indirection] |
+| clearning.cpp:34:8:34:11 | * ... | semmle.label | * ... |
+| clearning.cpp:34:9:34:9 | s indirection [x indirection] | semmle.label | s indirection [x indirection] |
+| clearning.cpp:34:11:34:11 | x indirection | semmle.label | x indirection |
+| clearning.cpp:34:11:34:11 | x indirection | semmle.label | x indirection |
+| clearning.cpp:53:3:53:25 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:53:6:53:6 | s indirection [post update] [x indirection] | semmle.label | s indirection [post update] [x indirection] |
+| clearning.cpp:53:10:53:19 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:54:3:54:3 | s indirection [x indirection] | semmle.label | s indirection [x indirection] |
+| clearning.cpp:54:3:54:7 | ... ++ indirection | semmle.label | ... ++ indirection |
+| clearning.cpp:54:3:54:7 | ... ++ indirection | semmle.label | ... ++ indirection |
+| clearning.cpp:54:5:54:5 | s indirection [post update] [x indirection] | semmle.label | s indirection [post update] [x indirection] |
+| clearning.cpp:54:5:54:5 | x indirection | semmle.label | x indirection |
+| clearning.cpp:55:8:55:8 | s indirection [x indirection] | semmle.label | s indirection [x indirection] |
+| clearning.cpp:55:10:55:10 | x indirection | semmle.label | x indirection |
+| clearning.cpp:55:10:55:10 | x indirection | semmle.label | x indirection |
+| clearning.cpp:60:3:60:22 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:60:7:60:7 | s indirection [post update] [x indirection] | semmle.label | s indirection [post update] [x indirection] |
+| clearning.cpp:60:11:60:20 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:61:3:61:3 | s indirection [x indirection] | semmle.label | s indirection [x indirection] |
+| clearning.cpp:61:3:61:7 | ... ++ indirection | semmle.label | ... ++ indirection |
+| clearning.cpp:61:3:61:7 | ... ++ indirection | semmle.label | ... ++ indirection |
+| clearning.cpp:61:5:61:5 | s indirection [post update] [x indirection] | semmle.label | s indirection [post update] [x indirection] |
+| clearning.cpp:61:5:61:5 | x indirection | semmle.label | x indirection |
+| clearning.cpp:62:8:62:8 | s indirection [x indirection] | semmle.label | s indirection [x indirection] |
+| clearning.cpp:62:10:62:10 | x indirection | semmle.label | x indirection |
+| clearning.cpp:62:10:62:10 | x indirection | semmle.label | x indirection |
+| clearning.cpp:74:20:74:22 | argument_source output argument | semmle.label | argument_source output argument |
+| clearning.cpp:74:20:74:22 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:76:7:76:12 | * ... | semmle.label | * ... |
+| clearning.cpp:76:8:76:8 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:76:10:76:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:76:10:76:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:81:20:81:22 | argument_source output argument | semmle.label | argument_source output argument |
+| clearning.cpp:81:20:81:22 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:83:5:83:21 | ... = ... indirection | semmle.label | ... = ... indirection |
+| clearning.cpp:83:7:83:9 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:83:13:83:13 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:83:13:83:21 | ... + ... indirection | semmle.label | ... + ... indirection |
+| clearning.cpp:83:15:83:17 | val indirection | semmle.label | val indirection |
+| clearning.cpp:84:7:84:12 | * ... | semmle.label | * ... |
+| clearning.cpp:84:8:84:8 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:84:10:84:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:84:10:84:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:89:20:89:22 | argument_source output argument | semmle.label | argument_source output argument |
+| clearning.cpp:89:20:89:22 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:90:3:90:3 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:90:3:90:9 | ... ++ indirection | semmle.label | ... ++ indirection |
+| clearning.cpp:90:3:90:9 | ... ++ indirection | semmle.label | ... ++ indirection |
+| clearning.cpp:90:5:90:7 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:90:5:90:7 | val indirection | semmle.label | val indirection |
+| clearning.cpp:91:7:91:12 | * ... | semmle.label | * ... |
+| clearning.cpp:91:8:91:8 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:91:10:91:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:91:10:91:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:96:20:96:22 | argument_source output argument | semmle.label | argument_source output argument |
+| clearning.cpp:96:20:96:22 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:97:2:97:18 | ... = ... indirection | semmle.label | ... = ... indirection |
+| clearning.cpp:97:4:97:6 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:97:10:97:10 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:97:10:97:18 | ... + ... indirection | semmle.label | ... + ... indirection |
+| clearning.cpp:97:12:97:14 | val indirection | semmle.label | val indirection |
+| clearning.cpp:98:7:98:12 | * ... | semmle.label | * ... |
+| clearning.cpp:98:8:98:8 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:98:10:98:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:98:10:98:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:103:20:103:22 | argument_source output argument | semmle.label | argument_source output argument |
+| clearning.cpp:103:20:103:22 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:104:2:104:2 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:104:2:104:8 | ... ++ indirection | semmle.label | ... ++ indirection |
+| clearning.cpp:104:2:104:8 | ... ++ indirection | semmle.label | ... ++ indirection |
+| clearning.cpp:104:4:104:6 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:104:4:104:6 | val indirection | semmle.label | val indirection |
+| clearning.cpp:105:7:105:12 | * ... | semmle.label | * ... |
+| clearning.cpp:105:8:105:8 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:105:10:105:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:105:10:105:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:110:20:110:22 | argument_source output argument | semmle.label | argument_source output argument |
+| clearning.cpp:110:20:110:22 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:111:2:111:8 | ++ ... indirection | semmle.label | ++ ... indirection |
+| clearning.cpp:111:2:111:8 | ++ ... indirection | semmle.label | ++ ... indirection |
+| clearning.cpp:111:4:111:4 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:111:6:111:8 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:111:6:111:8 | val indirection | semmle.label | val indirection |
+| clearning.cpp:112:7:112:12 | * ... | semmle.label | * ... |
+| clearning.cpp:112:8:112:8 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:112:10:112:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:112:10:112:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:117:20:117:22 | argument_source output argument | semmle.label | argument_source output argument |
+| clearning.cpp:117:20:117:22 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:118:2:118:2 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:118:2:118:11 | ... += ... indirection | semmle.label | ... += ... indirection |
+| clearning.cpp:118:2:118:11 | ... += ... indirection | semmle.label | ... += ... indirection |
+| clearning.cpp:118:4:118:6 | s indirection [post update] [val indirection] | semmle.label | s indirection [post update] [val indirection] |
+| clearning.cpp:118:4:118:6 | val indirection | semmle.label | val indirection |
+| clearning.cpp:119:7:119:12 | * ... | semmle.label | * ... |
+| clearning.cpp:119:8:119:8 | s indirection [val indirection] | semmle.label | s indirection [val indirection] |
+| clearning.cpp:119:10:119:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:119:10:119:12 | val indirection | semmle.label | val indirection |
+| clearning.cpp:151:3:151:22 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:151:5:151:7 | s indirection [post update] [val] | semmle.label | s indirection [post update] [val] |
+| clearning.cpp:151:11:151:20 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:152:8:152:8 | s indirection [val] | semmle.label | s indirection [val] |
+| clearning.cpp:152:10:152:12 | val | semmle.label | val |
+| clearning.cpp:152:10:152:12 | val indirection | semmle.label | val indirection |
 | complex.cpp:9:7:9:7 | a indirection | semmle.label | a indirection |
 | complex.cpp:9:7:9:7 | this indirection [a_] | semmle.label | this indirection [a_] |
 | complex.cpp:9:20:9:21 | a_ | semmle.label | a_ |
@@ -1699,6 +1939,7 @@ nodes
 | struct_init.c:15:8:15:9 | ab indirection [a] | semmle.label | ab indirection [a] |
 | struct_init.c:15:12:15:12 | a | semmle.label | a |
 | struct_init.c:15:12:15:12 | a indirection | semmle.label | a indirection |
+| struct_init.c:20:13:20:14 | definition of ab indirection [a] | semmle.label | definition of ab indirection [a] |
 | struct_init.c:20:17:20:36 | definition of ab indirection [post update] [a] | semmle.label | definition of ab indirection [post update] [a] |
 | struct_init.c:20:20:20:29 | call to user_input | semmle.label | call to user_input |
 | struct_init.c:20:20:20:29 | call to user_input | semmle.label | call to user_input |
@@ -1706,6 +1947,7 @@ nodes
 | struct_init.c:22:11:22:11 | a | semmle.label | a |
 | struct_init.c:22:11:22:11 | a indirection | semmle.label | a indirection |
 | struct_init.c:24:10:24:12 | & ... indirection [a] | semmle.label | & ... indirection [a] |
+| struct_init.c:26:16:26:20 | definition of outer indirection [nestedAB, a] | semmle.label | definition of outer indirection [nestedAB, a] |
 | struct_init.c:26:23:29:3 | definition of outer indirection [post update] [nestedAB, a] | semmle.label | definition of outer indirection [post update] [nestedAB, a] |
 | struct_init.c:26:23:29:3 | definition of outer indirection [post update] [nestedAB, a] | semmle.label | definition of outer indirection [post update] [nestedAB, a] |
 | struct_init.c:26:23:29:3 | definition of outer indirection [post update] [pointerAB indirection, a] | semmle.label | definition of outer indirection [post update] [pointerAB indirection, a] |
@@ -1724,6 +1966,7 @@ nodes
 | struct_init.c:33:25:33:25 | a indirection | semmle.label | a indirection |
 | struct_init.c:36:10:36:24 | & ... indirection [a] | semmle.label | & ... indirection [a] |
 | struct_init.c:36:11:36:15 | outer indirection [nestedAB, a] | semmle.label | outer indirection [nestedAB, a] |
+| struct_init.c:40:13:40:14 | definition of ab indirection [a] | semmle.label | definition of ab indirection [a] |
 | struct_init.c:40:17:40:36 | definition of ab indirection [post update] [a] | semmle.label | definition of ab indirection [post update] [a] |
 | struct_init.c:40:20:40:29 | call to user_input | semmle.label | call to user_input |
 | struct_init.c:40:20:40:29 | call to user_input | semmle.label | call to user_input |
@@ -1883,6 +2126,17 @@ subpaths
 | by_reference.cpp:134:29:134:29 | a | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:134:29:134:29 | a | a flows from $@ | by_reference.cpp:88:13:88:22 | call to user_input | call to user_input |
 | by_reference.cpp:135:27:135:27 | a | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:135:27:135:27 | a | a flows from $@ | by_reference.cpp:88:13:88:22 | call to user_input | call to user_input |
 | by_reference.cpp:136:16:136:16 | a | by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:136:16:136:16 | a | a flows from $@ | by_reference.cpp:96:8:96:17 | call to user_input | call to user_input |
+| clearning.cpp:34:8:34:11 | * ... | clearning.cpp:32:10:32:19 | call to user_input | clearning.cpp:34:8:34:11 | * ... | * ... flows from $@ | clearning.cpp:32:10:32:19 | call to user_input | call to user_input |
+| clearning.cpp:55:10:55:10 | x indirection | clearning.cpp:53:10:53:19 | call to user_input | clearning.cpp:55:10:55:10 | x indirection | x indirection flows from $@ | clearning.cpp:53:10:53:19 | call to user_input | call to user_input |
+| clearning.cpp:62:10:62:10 | x indirection | clearning.cpp:60:11:60:20 | call to user_input | clearning.cpp:62:10:62:10 | x indirection | x indirection flows from $@ | clearning.cpp:60:11:60:20 | call to user_input | call to user_input |
+| clearning.cpp:76:7:76:12 | * ... | clearning.cpp:74:20:74:22 | argument_source output argument | clearning.cpp:76:7:76:12 | * ... | * ... flows from $@ | clearning.cpp:74:20:74:22 | argument_source output argument | argument_source output argument |
+| clearning.cpp:84:7:84:12 | * ... | clearning.cpp:81:20:81:22 | argument_source output argument | clearning.cpp:84:7:84:12 | * ... | * ... flows from $@ | clearning.cpp:81:20:81:22 | argument_source output argument | argument_source output argument |
+| clearning.cpp:91:7:91:12 | * ... | clearning.cpp:89:20:89:22 | argument_source output argument | clearning.cpp:91:7:91:12 | * ... | * ... flows from $@ | clearning.cpp:89:20:89:22 | argument_source output argument | argument_source output argument |
+| clearning.cpp:98:7:98:12 | * ... | clearning.cpp:96:20:96:22 | argument_source output argument | clearning.cpp:98:7:98:12 | * ... | * ... flows from $@ | clearning.cpp:96:20:96:22 | argument_source output argument | argument_source output argument |
+| clearning.cpp:105:7:105:12 | * ... | clearning.cpp:103:20:103:22 | argument_source output argument | clearning.cpp:105:7:105:12 | * ... | * ... flows from $@ | clearning.cpp:103:20:103:22 | argument_source output argument | argument_source output argument |
+| clearning.cpp:112:7:112:12 | * ... | clearning.cpp:110:20:110:22 | argument_source output argument | clearning.cpp:112:7:112:12 | * ... | * ... flows from $@ | clearning.cpp:110:20:110:22 | argument_source output argument | argument_source output argument |
+| clearning.cpp:119:7:119:12 | * ... | clearning.cpp:117:20:117:22 | argument_source output argument | clearning.cpp:119:7:119:12 | * ... | * ... flows from $@ | clearning.cpp:117:20:117:22 | argument_source output argument | argument_source output argument |
+| clearning.cpp:152:10:152:12 | val | clearning.cpp:151:11:151:20 | call to user_input | clearning.cpp:152:10:152:12 | val | val flows from $@ | clearning.cpp:151:11:151:20 | call to user_input | call to user_input |
 | complex.cpp:42:18:42:18 | call to a | complex.cpp:53:19:53:28 | call to user_input | complex.cpp:42:18:42:18 | call to a | call to a flows from $@ | complex.cpp:53:19:53:28 | call to user_input | call to user_input |
 | complex.cpp:42:18:42:18 | call to a | complex.cpp:55:19:55:28 | call to user_input | complex.cpp:42:18:42:18 | call to a | call to a flows from $@ | complex.cpp:55:19:55:28 | call to user_input | call to user_input |
 | complex.cpp:43:18:43:18 | call to b | complex.cpp:54:19:54:28 | call to user_input | complex.cpp:43:18:43:18 | call to b | call to b flows from $@ | complex.cpp:54:19:54:28 | call to user_input | call to user_input |
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
@@ -167,6 +167,66 @@
 | by_reference.cpp:88:9:88:9 | a | AST only |
 | by_reference.cpp:92:3:92:5 | * ... | AST only |
 | by_reference.cpp:96:3:96:4 | pa | AST only |
+| clearning.cpp:18:7:18:7 | s | IR only |
+| clearning.cpp:19:3:19:6 | * ... | AST only |
+| clearning.cpp:20:12:20:12 | s | IR only |
+| clearning.cpp:25:7:25:7 | s | IR only |
+| clearning.cpp:26:7:26:7 | s | IR only |
+| clearning.cpp:27:12:27:12 | s | IR only |
+| clearning.cpp:32:3:32:6 | * ... | AST only |
+| clearning.cpp:33:7:33:7 | s | IR only |
+| clearning.cpp:34:8:34:11 | * ... | IR only |
+| clearning.cpp:34:11:34:11 | s | IR only |
+| clearning.cpp:39:3:39:6 | * ... | AST only |
+| clearning.cpp:40:5:40:5 | x | AST only |
+| clearning.cpp:41:8:41:11 | * ... | IR only |
+| clearning.cpp:41:11:41:11 | s | IR only |
+| clearning.cpp:46:7:46:7 | s | IR only |
+| clearning.cpp:47:5:47:5 | x | AST only |
+| clearning.cpp:48:8:48:11 | * ... | IR only |
+| clearning.cpp:48:11:48:11 | s | IR only |
+| clearning.cpp:53:3:53:6 | * ... | AST only |
+| clearning.cpp:54:5:54:5 | x | AST only |
+| clearning.cpp:60:7:60:7 | s | IR only |
+| clearning.cpp:61:5:61:5 | x | AST only |
+| clearning.cpp:75:2:75:10 | access to array | AST only |
+| clearning.cpp:76:10:76:12 | s | IR only |
+| clearning.cpp:82:2:82:9 | access to array | AST only |
+| clearning.cpp:83:7:83:9 | val | AST only |
+| clearning.cpp:83:15:83:17 | s | IR only |
+| clearning.cpp:84:10:84:12 | s | IR only |
+| clearning.cpp:90:5:90:7 | val | AST only |
+| clearning.cpp:91:10:91:12 | s | IR only |
+| clearning.cpp:97:4:97:6 | val | AST only |
+| clearning.cpp:97:12:97:14 | s | IR only |
+| clearning.cpp:98:10:98:12 | s | IR only |
+| clearning.cpp:104:4:104:6 | val | AST only |
+| clearning.cpp:105:10:105:12 | s | IR only |
+| clearning.cpp:111:6:111:8 | val | AST only |
+| clearning.cpp:112:10:112:12 | s | IR only |
+| clearning.cpp:118:4:118:6 | val | AST only |
+| clearning.cpp:119:10:119:12 | s | IR only |
+| clearning.cpp:124:4:124:6 | val | AST only |
+| clearning.cpp:125:4:125:6 | val | AST only |
+| clearning.cpp:131:4:131:6 | val | AST only |
+| clearning.cpp:132:4:132:6 | val | AST only |
+| clearning.cpp:138:4:138:6 | val | AST only |
+| clearning.cpp:139:6:139:8 | val | AST only |
+| clearning.cpp:151:5:151:7 | val | AST only |
+| clearning.cpp:152:10:152:12 | s | IR only |
+| clearning.cpp:157:5:157:7 | val | AST only |
+| clearning.cpp:158:5:158:7 | val | AST only |
+| clearning.cpp:159:10:159:12 | s | IR only |
+| clearning.cpp:164:5:164:7 | val | AST only |
+| clearning.cpp:165:5:165:7 | val | AST only |
+| clearning.cpp:166:10:166:12 | s | IR only |
+| clearning.cpp:171:5:171:7 | val | AST only |
+| clearning.cpp:172:5:172:7 | val | AST only |
+| clearning.cpp:173:10:173:12 | s | IR only |
+| clearning.cpp:178:5:178:7 | val | AST only |
+| clearning.cpp:179:5:179:7 | val | AST only |
+| clearning.cpp:179:13:179:15 | s | IR only |
+| clearning.cpp:180:10:180:12 | s | IR only |
 | complex.cpp:9:20:9:21 | this | IR only |
 | complex.cpp:10:20:10:21 | this | IR only |
 | complex.cpp:11:22:11:23 | a_ | AST only |
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected
@@ -408,6 +408,90 @@
 | by_reference.cpp:135:27:135:27 | a |
 | by_reference.cpp:136:8:136:13 | pouter |
 | by_reference.cpp:136:16:136:16 | a |
+| clearning.cpp:18:5:18:5 | s |
+| clearning.cpp:19:4:19:4 | s |
+| clearning.cpp:20:10:20:10 | s |
+| clearning.cpp:25:5:25:5 | s |
+| clearning.cpp:26:5:26:5 | s |
+| clearning.cpp:27:10:27:10 | s |
+| clearning.cpp:32:4:32:4 | s |
+| clearning.cpp:33:5:33:5 | s |
+| clearning.cpp:34:8:34:11 | * ... |
+| clearning.cpp:34:9:34:9 | s |
+| clearning.cpp:39:4:39:4 | s |
+| clearning.cpp:40:3:40:3 | s |
+| clearning.cpp:41:8:41:11 | * ... |
+| clearning.cpp:41:9:41:9 | s |
+| clearning.cpp:46:5:46:5 | s |
+| clearning.cpp:47:3:47:3 | s |
+| clearning.cpp:48:8:48:11 | * ... |
+| clearning.cpp:48:9:48:9 | s |
+| clearning.cpp:53:4:53:4 | s |
+| clearning.cpp:54:3:54:3 | s |
+| clearning.cpp:55:8:55:8 | s |
+| clearning.cpp:55:10:55:10 | x |
+| clearning.cpp:60:5:60:5 | s |
+| clearning.cpp:61:3:61:3 | s |
+| clearning.cpp:62:8:62:8 | s |
+| clearning.cpp:62:10:62:10 | x |
+| clearning.cpp:74:18:74:18 | s |
+| clearning.cpp:74:20:74:22 | val |
+| clearning.cpp:75:2:75:2 | s |
+| clearning.cpp:76:8:76:8 | s |
+| clearning.cpp:81:18:81:18 | s |
+| clearning.cpp:81:20:81:22 | val |
+| clearning.cpp:82:2:82:2 | s |
+| clearning.cpp:83:5:83:5 | s |
+| clearning.cpp:83:13:83:13 | s |
+| clearning.cpp:84:8:84:8 | s |
+| clearning.cpp:89:18:89:18 | s |
+| clearning.cpp:89:20:89:22 | val |
+| clearning.cpp:90:3:90:3 | s |
+| clearning.cpp:91:8:91:8 | s |
+| clearning.cpp:96:18:96:18 | s |
+| clearning.cpp:96:20:96:22 | val |
+| clearning.cpp:97:2:97:2 | s |
+| clearning.cpp:97:10:97:10 | s |
+| clearning.cpp:98:8:98:8 | s |
+| clearning.cpp:103:18:103:18 | s |
+| clearning.cpp:103:20:103:22 | val |
+| clearning.cpp:104:2:104:2 | s |
+| clearning.cpp:105:8:105:8 | s |
+| clearning.cpp:110:18:110:18 | s |
+| clearning.cpp:110:20:110:22 | val |
+| clearning.cpp:111:4:111:4 | s |
+| clearning.cpp:112:8:112:8 | s |
+| clearning.cpp:117:18:117:18 | s |
+| clearning.cpp:117:20:117:22 | val |
+| clearning.cpp:118:2:118:2 | s |
+| clearning.cpp:119:8:119:8 | s |
+| clearning.cpp:124:2:124:2 | s |
+| clearning.cpp:125:2:125:2 | s |
+| clearning.cpp:126:7:126:7 | s |
+| clearning.cpp:126:9:126:11 | val |
+| clearning.cpp:131:2:131:2 | s |
+| clearning.cpp:132:2:132:2 | s |
+| clearning.cpp:133:7:133:7 | s |
+| clearning.cpp:133:9:133:11 | val |
+| clearning.cpp:138:2:138:2 | s |
+| clearning.cpp:139:4:139:4 | s |
+| clearning.cpp:140:7:140:7 | s |
+| clearning.cpp:140:9:140:11 | val |
+| clearning.cpp:151:3:151:3 | s |
+| clearning.cpp:152:8:152:8 | s |
+| clearning.cpp:157:3:157:3 | s |
+| clearning.cpp:158:3:158:3 | s |
+| clearning.cpp:159:8:159:8 | s |
+| clearning.cpp:164:3:164:3 | s |
+| clearning.cpp:165:3:165:3 | s |
+| clearning.cpp:166:8:166:8 | s |
+| clearning.cpp:171:3:171:3 | s |
+| clearning.cpp:172:3:172:3 | s |
+| clearning.cpp:173:8:173:8 | s |
+| clearning.cpp:178:3:178:3 | s |
+| clearning.cpp:179:3:179:3 | s |
+| clearning.cpp:179:11:179:11 | s |
+| clearning.cpp:180:8:180:8 | s |
 | complex.cpp:9:20:9:21 | this |
 | complex.cpp:10:20:10:21 | this |
 | complex.cpp:11:22:11:23 | this |
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected
@@ -348,6 +348,92 @@
 | by_reference.cpp:135:27:135:27 | a |
 | by_reference.cpp:136:8:136:13 | pouter |
 | by_reference.cpp:136:16:136:16 | a |
+| clearning.cpp:19:3:19:6 | * ... |
+| clearning.cpp:19:4:19:4 | s |
+| clearning.cpp:32:3:32:6 | * ... |
+| clearning.cpp:32:4:32:4 | s |
+| clearning.cpp:39:3:39:6 | * ... |
+| clearning.cpp:39:4:39:4 | s |
+| clearning.cpp:40:3:40:3 | s |
+| clearning.cpp:40:5:40:5 | x |
+| clearning.cpp:47:3:47:3 | s |
+| clearning.cpp:47:5:47:5 | x |
+| clearning.cpp:53:3:53:6 | * ... |
+| clearning.cpp:53:4:53:4 | s |
+| clearning.cpp:54:3:54:3 | s |
+| clearning.cpp:54:5:54:5 | x |
+| clearning.cpp:55:8:55:8 | s |
+| clearning.cpp:55:10:55:10 | x |
+| clearning.cpp:61:3:61:3 | s |
+| clearning.cpp:61:5:61:5 | x |
+| clearning.cpp:62:8:62:8 | s |
+| clearning.cpp:62:10:62:10 | x |
+| clearning.cpp:74:18:74:18 | s |
+| clearning.cpp:74:20:74:22 | val |
+| clearning.cpp:75:2:75:2 | s |
+| clearning.cpp:75:2:75:10 | access to array |
+| clearning.cpp:81:18:81:18 | s |
+| clearning.cpp:81:20:81:22 | val |
+| clearning.cpp:82:2:82:2 | s |
+| clearning.cpp:82:2:82:9 | access to array |
+| clearning.cpp:83:5:83:5 | s |
+| clearning.cpp:83:7:83:9 | val |
+| clearning.cpp:89:18:89:18 | s |
+| clearning.cpp:89:20:89:22 | val |
+| clearning.cpp:90:3:90:3 | s |
+| clearning.cpp:90:5:90:7 | val |
+| clearning.cpp:96:18:96:18 | s |
+| clearning.cpp:96:20:96:22 | val |
+| clearning.cpp:97:2:97:2 | s |
+| clearning.cpp:97:4:97:6 | val |
+| clearning.cpp:103:18:103:18 | s |
+| clearning.cpp:103:20:103:22 | val |
+| clearning.cpp:104:2:104:2 | s |
+| clearning.cpp:104:4:104:6 | val |
+| clearning.cpp:110:18:110:18 | s |
+| clearning.cpp:110:20:110:22 | val |
+| clearning.cpp:111:4:111:4 | s |
+| clearning.cpp:111:6:111:8 | val |
+| clearning.cpp:117:18:117:18 | s |
+| clearning.cpp:117:20:117:22 | val |
+| clearning.cpp:118:2:118:2 | s |
+| clearning.cpp:118:4:118:6 | val |
+| clearning.cpp:124:2:124:2 | s |
+| clearning.cpp:124:4:124:6 | val |
+| clearning.cpp:125:2:125:2 | s |
+| clearning.cpp:125:4:125:6 | val |
+| clearning.cpp:126:7:126:7 | s |
+| clearning.cpp:126:9:126:11 | val |
+| clearning.cpp:131:2:131:2 | s |
+| clearning.cpp:131:4:131:6 | val |
+| clearning.cpp:132:2:132:2 | s |
+| clearning.cpp:132:4:132:6 | val |
+| clearning.cpp:133:7:133:7 | s |
+| clearning.cpp:133:9:133:11 | val |
+| clearning.cpp:138:2:138:2 | s |
+| clearning.cpp:138:4:138:6 | val |
+| clearning.cpp:139:4:139:4 | s |
+| clearning.cpp:139:6:139:8 | val |
+| clearning.cpp:140:7:140:7 | s |
+| clearning.cpp:140:9:140:11 | val |
+| clearning.cpp:151:3:151:3 | s |
+| clearning.cpp:151:5:151:7 | val |
+| clearning.cpp:157:3:157:3 | s |
+| clearning.cpp:157:5:157:7 | val |
+| clearning.cpp:158:3:158:3 | s |
+| clearning.cpp:158:5:158:7 | val |
+| clearning.cpp:164:3:164:3 | s |
+| clearning.cpp:164:5:164:7 | val |
+| clearning.cpp:165:3:165:3 | s |
+| clearning.cpp:165:5:165:7 | val |
+| clearning.cpp:171:3:171:3 | s |
+| clearning.cpp:171:5:171:7 | val |
+| clearning.cpp:172:3:172:3 | s |
+| clearning.cpp:172:5:172:7 | val |
+| clearning.cpp:178:3:178:3 | s |
+| clearning.cpp:178:5:178:7 | val |
+| clearning.cpp:179:3:179:3 | s |
+| clearning.cpp:179:5:179:7 | val |
 | complex.cpp:11:22:11:23 | a_ |
 | complex.cpp:11:22:11:23 | this |
 | complex.cpp:12:22:12:23 | b_ |
--- a/cpp/ql/test/library-tests/dataflow/fields/path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/path-flow.expected
@@ -448,6 +448,42 @@ edges
 | by_reference.cpp:135:8:135:13 | pouter [inner_ptr, a] | by_reference.cpp:135:16:135:24 | inner_ptr [a] |
 | by_reference.cpp:135:16:135:24 | inner_ptr [a] | by_reference.cpp:135:27:135:27 | a |
 | by_reference.cpp:136:8:136:13 | pouter [a] | by_reference.cpp:136:16:136:16 | a |
+| clearning.cpp:53:4:53:4 | s [post update] [x] | clearning.cpp:55:8:55:8 | s [x] |
+| clearning.cpp:53:6:53:6 | x [inner post update] | clearning.cpp:53:4:53:4 | s [post update] [x] |
+| clearning.cpp:53:10:53:19 | call to user_input | clearning.cpp:53:6:53:6 | x [inner post update] |
+| clearning.cpp:55:8:55:8 | s [x] | clearning.cpp:55:10:55:10 | x |
+| clearning.cpp:124:2:124:2 | s [post update] [val] | clearning.cpp:126:7:126:7 | s [val] |
+| clearning.cpp:124:2:124:25 | ... = ... | clearning.cpp:124:2:124:2 | s [post update] [val] |
+| clearning.cpp:124:10:124:19 | call to user_input | clearning.cpp:124:2:124:25 | ... = ... |
+| clearning.cpp:126:7:126:7 | s [val] | clearning.cpp:126:9:126:11 | val |
+| clearning.cpp:131:2:131:2 | s [post update] [val] | clearning.cpp:133:7:133:7 | s [val] |
+| clearning.cpp:131:2:131:25 | ... = ... | clearning.cpp:131:2:131:2 | s [post update] [val] |
+| clearning.cpp:131:10:131:19 | call to user_input | clearning.cpp:131:2:131:25 | ... = ... |
+| clearning.cpp:133:7:133:7 | s [val] | clearning.cpp:133:9:133:11 | val |
+| clearning.cpp:138:2:138:2 | s [post update] [val] | clearning.cpp:140:7:140:7 | s [val] |
+| clearning.cpp:138:2:138:25 | ... = ... | clearning.cpp:138:2:138:2 | s [post update] [val] |
+| clearning.cpp:138:10:138:19 | call to user_input | clearning.cpp:138:2:138:25 | ... = ... |
+| clearning.cpp:140:7:140:7 | s [val] | clearning.cpp:140:9:140:11 | val |
+| clearning.cpp:151:3:151:3 | s [post update] [val] | clearning.cpp:152:8:152:8 | s [val] |
+| clearning.cpp:151:3:151:22 | ... = ... | clearning.cpp:151:3:151:3 | s [post update] [val] |
+| clearning.cpp:151:11:151:20 | call to user_input | clearning.cpp:151:3:151:22 | ... = ... |
+| clearning.cpp:152:8:152:8 | s [val] | clearning.cpp:152:10:152:12 | val |
+| clearning.cpp:157:3:157:3 | s [post update] [val] | clearning.cpp:159:8:159:8 | s [val] |
+| clearning.cpp:157:3:157:22 | ... = ... | clearning.cpp:157:3:157:3 | s [post update] [val] |
+| clearning.cpp:157:11:157:20 | call to user_input | clearning.cpp:157:3:157:22 | ... = ... |
+| clearning.cpp:159:8:159:8 | s [val] | clearning.cpp:159:10:159:12 | val |
+| clearning.cpp:164:3:164:3 | s [post update] [val] | clearning.cpp:166:8:166:8 | s [val] |
+| clearning.cpp:164:3:164:22 | ... = ... | clearning.cpp:164:3:164:3 | s [post update] [val] |
+| clearning.cpp:164:11:164:20 | call to user_input | clearning.cpp:164:3:164:22 | ... = ... |
+| clearning.cpp:166:8:166:8 | s [val] | clearning.cpp:166:10:166:12 | val |
+| clearning.cpp:171:3:171:3 | s [post update] [val] | clearning.cpp:173:8:173:8 | s [val] |
+| clearning.cpp:171:3:171:22 | ... = ... | clearning.cpp:171:3:171:3 | s [post update] [val] |
+| clearning.cpp:171:11:171:20 | call to user_input | clearning.cpp:171:3:171:22 | ... = ... |
+| clearning.cpp:173:8:173:8 | s [val] | clearning.cpp:173:10:173:12 | val |
+| clearning.cpp:178:3:178:3 | s [post update] [val] | clearning.cpp:180:8:180:8 | s [val] |
+| clearning.cpp:178:3:178:22 | ... = ... | clearning.cpp:178:3:178:3 | s [post update] [val] |
+| clearning.cpp:178:11:178:20 | call to user_input | clearning.cpp:178:3:178:22 | ... = ... |
+| clearning.cpp:180:8:180:8 | s [val] | clearning.cpp:180:10:180:12 | val |
 | complex.cpp:9:7:9:7 | this [a_] | complex.cpp:9:20:9:21 | this [a_] |
 | complex.cpp:9:20:9:21 | this [a_] | complex.cpp:9:20:9:21 | a_ |
 | complex.cpp:10:7:10:7 | this [b_] | complex.cpp:10:20:10:21 | this [b_] |
@@ -1155,6 +1191,51 @@ nodes
 | by_reference.cpp:135:27:135:27 | a | semmle.label | a |
 | by_reference.cpp:136:8:136:13 | pouter [a] | semmle.label | pouter [a] |
 | by_reference.cpp:136:16:136:16 | a | semmle.label | a |
+| clearning.cpp:53:4:53:4 | s [post update] [x] | semmle.label | s [post update] [x] |
+| clearning.cpp:53:6:53:6 | x [inner post update] | semmle.label | x [inner post update] |
+| clearning.cpp:53:10:53:19 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:55:8:55:8 | s [x] | semmle.label | s [x] |
+| clearning.cpp:55:10:55:10 | x | semmle.label | x |
+| clearning.cpp:124:2:124:2 | s [post update] [val] | semmle.label | s [post update] [val] |
+| clearning.cpp:124:2:124:25 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:124:10:124:19 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:126:7:126:7 | s [val] | semmle.label | s [val] |
+| clearning.cpp:126:9:126:11 | val | semmle.label | val |
+| clearning.cpp:131:2:131:2 | s [post update] [val] | semmle.label | s [post update] [val] |
+| clearning.cpp:131:2:131:25 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:131:10:131:19 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:133:7:133:7 | s [val] | semmle.label | s [val] |
+| clearning.cpp:133:9:133:11 | val | semmle.label | val |
+| clearning.cpp:138:2:138:2 | s [post update] [val] | semmle.label | s [post update] [val] |
+| clearning.cpp:138:2:138:25 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:138:10:138:19 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:140:7:140:7 | s [val] | semmle.label | s [val] |
+| clearning.cpp:140:9:140:11 | val | semmle.label | val |
+| clearning.cpp:151:3:151:3 | s [post update] [val] | semmle.label | s [post update] [val] |
+| clearning.cpp:151:3:151:22 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:151:11:151:20 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:152:8:152:8 | s [val] | semmle.label | s [val] |
+| clearning.cpp:152:10:152:12 | val | semmle.label | val |
+| clearning.cpp:157:3:157:3 | s [post update] [val] | semmle.label | s [post update] [val] |
+| clearning.cpp:157:3:157:22 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:157:11:157:20 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:159:8:159:8 | s [val] | semmle.label | s [val] |
+| clearning.cpp:159:10:159:12 | val | semmle.label | val |
+| clearning.cpp:164:3:164:3 | s [post update] [val] | semmle.label | s [post update] [val] |
+| clearning.cpp:164:3:164:22 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:164:11:164:20 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:166:8:166:8 | s [val] | semmle.label | s [val] |
+| clearning.cpp:166:10:166:12 | val | semmle.label | val |
+| clearning.cpp:171:3:171:3 | s [post update] [val] | semmle.label | s [post update] [val] |
+| clearning.cpp:171:3:171:22 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:171:11:171:20 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:173:8:173:8 | s [val] | semmle.label | s [val] |
+| clearning.cpp:173:10:173:12 | val | semmle.label | val |
+| clearning.cpp:178:3:178:3 | s [post update] [val] | semmle.label | s [post update] [val] |
+| clearning.cpp:178:3:178:22 | ... = ... | semmle.label | ... = ... |
+| clearning.cpp:178:11:178:20 | call to user_input | semmle.label | call to user_input |
+| clearning.cpp:180:8:180:8 | s [val] | semmle.label | s [val] |
+| clearning.cpp:180:10:180:12 | val | semmle.label | val |
 | complex.cpp:9:7:9:7 | this [a_] | semmle.label | this [a_] |
 | complex.cpp:9:20:9:21 | a_ | semmle.label | a_ |
 | complex.cpp:9:20:9:21 | this [a_] | semmle.label | this [a_] |
@@ -1551,6 +1632,15 @@ subpaths
 | by_reference.cpp:134:29:134:29 | a | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:134:29:134:29 | a | a flows from $@ | by_reference.cpp:88:13:88:22 | call to user_input | call to user_input |
 | by_reference.cpp:135:27:135:27 | a | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:135:27:135:27 | a | a flows from $@ | by_reference.cpp:88:13:88:22 | call to user_input | call to user_input |
 | by_reference.cpp:136:16:136:16 | a | by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:136:16:136:16 | a | a flows from $@ | by_reference.cpp:96:8:96:17 | call to user_input | call to user_input |
+| clearning.cpp:55:10:55:10 | x | clearning.cpp:53:10:53:19 | call to user_input | clearning.cpp:55:10:55:10 | x | x flows from $@ | clearning.cpp:53:10:53:19 | call to user_input | call to user_input |
+| clearning.cpp:126:9:126:11 | val | clearning.cpp:124:10:124:19 | call to user_input | clearning.cpp:126:9:126:11 | val | val flows from $@ | clearning.cpp:124:10:124:19 | call to user_input | call to user_input |
+| clearning.cpp:133:9:133:11 | val | clearning.cpp:131:10:131:19 | call to user_input | clearning.cpp:133:9:133:11 | val | val flows from $@ | clearning.cpp:131:10:131:19 | call to user_input | call to user_input |
+| clearning.cpp:140:9:140:11 | val | clearning.cpp:138:10:138:19 | call to user_input | clearning.cpp:140:9:140:11 | val | val flows from $@ | clearning.cpp:138:10:138:19 | call to user_input | call to user_input |
+| clearning.cpp:152:10:152:12 | val | clearning.cpp:151:11:151:20 | call to user_input | clearning.cpp:152:10:152:12 | val | val flows from $@ | clearning.cpp:151:11:151:20 | call to user_input | call to user_input |
+| clearning.cpp:159:10:159:12 | val | clearning.cpp:157:11:157:20 | call to user_input | clearning.cpp:159:10:159:12 | val | val flows from $@ | clearning.cpp:157:11:157:20 | call to user_input | call to user_input |
+| clearning.cpp:166:10:166:12 | val | clearning.cpp:164:11:164:20 | call to user_input | clearning.cpp:166:10:166:12 | val | val flows from $@ | clearning.cpp:164:11:164:20 | call to user_input | call to user_input |
+| clearning.cpp:173:10:173:12 | val | clearning.cpp:171:11:171:20 | call to user_input | clearning.cpp:173:10:173:12 | val | val flows from $@ | clearning.cpp:171:11:171:20 | call to user_input | call to user_input |
+| clearning.cpp:180:10:180:12 | val | clearning.cpp:178:11:178:20 | call to user_input | clearning.cpp:180:10:180:12 | val | val flows from $@ | clearning.cpp:178:11:178:20 | call to user_input | call to user_input |
 | complex.cpp:42:18:42:18 | call to a | complex.cpp:53:19:53:28 | call to user_input | complex.cpp:42:18:42:18 | call to a | call to a flows from $@ | complex.cpp:53:19:53:28 | call to user_input | call to user_input |
 | complex.cpp:42:18:42:18 | call to a | complex.cpp:55:19:55:28 | call to user_input | complex.cpp:42:18:42:18 | call to a | call to a flows from $@ | complex.cpp:55:19:55:28 | call to user_input | call to user_input |
 | complex.cpp:43:18:43:18 | call to b | complex.cpp:54:19:54:28 | call to user_input | complex.cpp:43:18:43:18 | call to b | call to b flows from $@ | complex.cpp:54:19:54:28 | call to user_input | call to user_input |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
@@ -1,8 +1,9 @@
 edges
 | test.cpp:16:11:16:21 | mk_string_t indirection [string] | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] |
 | test.cpp:18:5:18:30 | ... = ... | test.cpp:18:10:18:15 | str indirection [post update] [string] |
-| test.cpp:18:10:18:15 | str indirection [post update] [string] | test.cpp:16:11:16:21 | mk_string_t indirection [string] |
+| test.cpp:18:10:18:15 | str indirection [post update] [string] | test.cpp:19:5:19:7 | str indirection [string] |
 | test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | ... = ... |
+| test.cpp:19:5:19:7 | str indirection [string] | test.cpp:16:11:16:21 | mk_string_t indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:42:13:42:15 | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:72:17:72:19 | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:80:17:80:19 | str indirection [string] |
@@ -17,8 +18,9 @@ edges
 | test.cpp:80:22:80:27 | string indirection | test.cpp:80:22:80:27 | string |
 | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] |
 | test.cpp:90:5:90:34 | ... = ... | test.cpp:90:10:90:15 | str indirection [post update] [string] |
-| test.cpp:90:10:90:15 | str indirection [post update] [string] | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] |
+| test.cpp:90:10:90:15 | str indirection [post update] [string] | test.cpp:91:5:91:7 | str indirection [string] |
 | test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | ... = ... |
+| test.cpp:91:5:91:7 | str indirection [string] | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:99:13:99:15 | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:129:17:129:19 | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:137:17:137:19 | str indirection [string] |
@@ -32,16 +34,17 @@ edges
 | test.cpp:137:17:137:19 | str indirection [string] | test.cpp:137:22:137:27 | string indirection |
 | test.cpp:137:22:137:27 | string indirection | test.cpp:137:22:137:27 | string |
 | test.cpp:147:5:147:34 | ... = ... | test.cpp:147:10:147:15 | str indirection [post update] [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:152:13:152:15 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:154:13:154:15 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:156:13:156:15 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:175:17:175:19 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:187:17:187:19 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:195:17:195:19 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:199:17:199:19 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:203:17:203:19 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:207:17:207:19 | str indirection [string] |
+| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:148:5:148:7 | str indirection [string] |
 | test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | ... = ... |
+| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:152:13:152:15 | str indirection [string] |
+| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:154:13:154:15 | str indirection [string] |
+| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:156:13:156:15 | str indirection [string] |
+| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:175:17:175:19 | str indirection [string] |
+| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:187:17:187:19 | str indirection [string] |
+| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:195:17:195:19 | str indirection [string] |
+| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:199:17:199:19 | str indirection [string] |
+| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:203:17:203:19 | str indirection [string] |
+| test.cpp:148:5:148:7 | str indirection [string] | test.cpp:207:17:207:19 | str indirection [string] |
 | test.cpp:152:13:152:15 | str indirection [string] | test.cpp:152:18:152:23 | string |
 | test.cpp:152:13:152:15 | str indirection [string] | test.cpp:152:18:152:23 | string indirection |
 | test.cpp:152:18:152:23 | string indirection | test.cpp:152:18:152:23 | string |
@@ -91,6 +94,7 @@ nodes
 | test.cpp:18:5:18:30 | ... = ... | semmle.label | ... = ... |
 | test.cpp:18:10:18:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
 | test.cpp:18:19:18:24 | call to malloc | semmle.label | call to malloc |
+| test.cpp:19:5:19:7 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | semmle.label | call to mk_string_t indirection [string] |
 | test.cpp:42:13:42:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:42:18:42:23 | string | semmle.label | string |
@@ -105,6 +109,7 @@ nodes
 | test.cpp:90:5:90:34 | ... = ... | semmle.label | ... = ... |
 | test.cpp:90:10:90:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
 | test.cpp:90:19:90:24 | call to malloc | semmle.label | call to malloc |
+| test.cpp:91:5:91:7 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | semmle.label | call to mk_string_t_plus_one indirection [string] |
 | test.cpp:99:13:99:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:99:18:99:23 | string | semmle.label | string |
@@ -118,6 +123,7 @@ nodes
 | test.cpp:147:5:147:34 | ... = ... | semmle.label | ... = ... |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
 | test.cpp:147:19:147:24 | call to malloc | semmle.label | call to malloc |
+| test.cpp:148:5:148:7 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:152:13:152:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:152:18:152:23 | string | semmle.label | string |
 | test.cpp:152:18:152:23 | string indirection | semmle.label | string indirection |