Merge from master

cpp/ql/src/semmle/code/cpp/controlflow/BasicBlocks.qll

@@ -1,3 +1,8 @@
+/**
+ * Provides a library for reasoning about control flow at the granularity of basic blocks.
+ * This is usually much more efficient than reasoning directly at the level of `ControlFlowNode`s.
+ */
+
 import cpp
 private import internal.PrimitiveBasicBlocks
 private import internal.ConstantExprs
@@ -148,22 +153,37 @@ predicate bb_successor = bb_successor_cached/2;
 class BasicBlock extends ControlFlowNodeBase {
   BasicBlock() { basic_block_entry_node(this) }
 
+  /** Holds if this basic block contains `node`. */
   predicate contains(ControlFlowNode node) { basic_block_member(node, this, _) }
 
+  /** Gets the `ControlFlowNode` at position `pos` in this basic block. */
   ControlFlowNode getNode(int pos) { basic_block_member(result, this, pos) }
 
+  /** Gets a `ControlFlowNode` in this basic block. */
   ControlFlowNode getANode() { basic_block_member(result, this, _) }
 
+  /** Gets a `BasicBlock` that is a direct successor of this basic block. */
   BasicBlock getASuccessor() { bb_successor(this, result) }
 
+  /** Gets a `BasicBlock` that is a direct predecessor of this basic block. */
   BasicBlock getAPredecessor() { bb_successor(result, this) }
 
+  /**
+   * Gets a `BasicBlock` such that the control-flow edge `(this, result)` may be taken
+   * when the outgoing edge of this basic block is an expression that is true.
+   */
   BasicBlock getATrueSuccessor() { result.getStart() = this.getEnd().getATrueSuccessor() }
 
+  /**
+   * Gets a `BasicBlock` such that the control-flow edge `(this, result)` may be taken
+   * when the outgoing edge of this basic block is an expression that is false.
+   */
   BasicBlock getAFalseSuccessor() { result.getStart() = this.getEnd().getAFalseSuccessor() }
 
+  /** Gets the final `ControlFlowNode` of this basic block. */
   ControlFlowNode getEnd() { basic_block_member(result, this, bb_length(this) - 1) }
 
+  /** Gets the first `ControlFlowNode` of this basic block. */
   ControlFlowNode getStart() { result = this }
 
   /** Gets the number of `ControlFlowNode`s in this basic block. */
@@ -192,6 +212,7 @@ class BasicBlock extends ControlFlowNodeBase {
     this.getEnd().getLocation().hasLocationInfo(endf, _, _, endl, endc)
   }
 
+  /** Gets the function containing this basic block. */
   Function getEnclosingFunction() { result = this.getStart().getControlFlowScope() }
 
   /**

cpp/ql/src/semmle/code/cpp/controlflow/ControlFlowGraph.qll

@@ -1,3 +1,8 @@
+/**
+ * Provides a library for reasoning about control flow at the granularity of
+ * individual nodes in the control-flow graph.
+ */
+
 import cpp
 import BasicBlocks
 private import semmle.code.cpp.controlflow.internal.ConstantExprs
@@ -29,8 +34,10 @@ private import semmle.code.cpp.controlflow.internal.CFG
  * `Handler`. There are no edges from function calls to `Handler`s.
  */
 class ControlFlowNode extends Locatable, ControlFlowNodeBase {
+  /** Gets a direct successor of this control-flow node, if any. */
   ControlFlowNode getASuccessor() { successors_adapted(this, result) }
 
+  /** Gets a direct predecessor of this control-flow node, if any. */
   ControlFlowNode getAPredecessor() { this = result.getASuccessor() }
 
   /** Gets the function containing this control-flow node. */
@@ -71,6 +78,7 @@ class ControlFlowNode extends Locatable, ControlFlowNodeBase {
     result = getASuccessor()
   }
 
+  /** Gets the `BasicBlock` containing this control-flow node. */
   BasicBlock getBasicBlock() { result.getANode() = this }
 }
 
@@ -86,10 +94,18 @@ import ControlFlowGraphPublic
  */
 class ControlFlowNodeBase extends ElementBase, @cfgnode { }
 
+/**
+ * Holds when `n2` is a control-flow node such that the control-flow
+ * edge `(n1, n2)` may be taken when `n1` is an expression that is true.
+ */
 predicate truecond_base(ControlFlowNodeBase n1, ControlFlowNodeBase n2) {
   qlCFGTrueSuccessor(n1, n2)
 }
 
+/**
+ * Holds when `n2` is a control-flow node such that the control-flow
+ * edge `(n1, n2)` may be taken when `n1` is an expression that is false.
+ */
 predicate falsecond_base(ControlFlowNodeBase n1, ControlFlowNodeBase n2) {
   qlCFGFalseSuccessor(n1, n2)
 }

cpp/ql/src/semmle/code/cpp/controlflow/Dataflow.qll

@@ -15,14 +15,25 @@ import Dereferenced
 abstract class DataflowAnnotation extends string {
   DataflowAnnotation() { this = "pointer-null" or this = "pointer-valid" }
 
+  /** Holds if this annotation is the default annotation. */
   abstract predicate isDefault();
 
+  /** Holds if this annotation is generated when analyzing expression `e`. */
   abstract predicate generatedOn(Expr e);
 
+  /**
+   * Holds if this annotation is generated for the variable `v` when
+   * the control-flow edge `(src, dest)` is taken.
+   */
   abstract predicate generatedBy(LocalScopeVariable v, ControlFlowNode src, ControlFlowNode dest);
 
+  /**
+   * Holds if this annotation is removed for the variable `v` when
+   * the control-flow edge `(src, dest)` is taken.
+   */
   abstract predicate killedBy(LocalScopeVariable v, ControlFlowNode src, ControlFlowNode dest);
 
+  /** Holds if expression `e` is given this annotation. */
   predicate marks(Expr e) {
     this.generatedOn(e) and reachable(e)
     or
@@ -31,6 +42,7 @@ abstract class DataflowAnnotation extends string {
     exists(LocalScopeVariable v | this.marks(v, e) and e = v.getAnAccess())
   }
 
+  /** Holds if the variable `v` accessed in control-flow node `n` is given this annotation. */
   predicate marks(LocalScopeVariable v, ControlFlowNode n) {
     v.getAnAccess().getEnclosingFunction().getBlock() = n and
     this.isDefault()
@@ -57,6 +69,10 @@ abstract class DataflowAnnotation extends string {
     )
   }
 
+  /**
+   * Holds if the variable `v` preserves this annotation when the control-flow
+   * edge `(src, dest)` is taken.
+   */
   predicate preservedBy(LocalScopeVariable v, ControlFlowNode src, ControlFlowNode dest) {
     this.marks(v, src) and
     src.getASuccessor() = dest and
@@ -64,6 +80,10 @@ abstract class DataflowAnnotation extends string {
     not v.getAnAssignment() = src
   }
 
+  /**
+   * Holds if the variable `v` is assigned this annotation when `src` is an assignment
+   * expression that assigns to `v` and the control-flow edge `(src, dest)` is taken.
+   */
   predicate assignedBy(LocalScopeVariable v, ControlFlowNode src, ControlFlowNode dest) {
     this.marks(src.(AssignExpr).getRValue()) and
     src = v.getAnAssignment() and

cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -1,6 +1,7 @@
 import cpp
 import semmle.code.cpp.security.Security
 private import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.DataFlow2
 private import semmle.code.cpp.ir.dataflow.DataFlow3
 private import semmle.code.cpp.ir.IR

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -71,9 +71,7 @@ class Node extends TIRDataFlowNode {
    * `x.set(taint())` is a partial definition of `x`, and `transfer(&x, taint())` is
    * a partial definition of `&x`).
    */
-  Expr asPartialDefinition() {
-    result = this.(PartialDefinitionNode).getInstruction().getUnconvertedResultExpression()
-  }
+  Expr asPartialDefinition() { result = this.(PartialDefinitionNode).getDefinedExpr() }
 
   /**
    * DEPRECATED: See UninitializedNode.
@@ -162,11 +160,7 @@ class ExprNode extends InstructionNode {
  * as `x` in `f(x)` and implicit parameters such as `this` in `x.f()`
  */
 class ParameterNode extends InstructionNode {
-  ParameterNode() {
-    instr instanceof InitializeParameterInstruction
-    or
-    instr instanceof InitializeThisInstruction
-  }
+  override InitializeParameterInstruction instr;
 
   /**
    * Holds if this node is the parameter of `c` at the specified (zero-based)
@@ -180,7 +174,7 @@ class ParameterNode extends InstructionNode {
  * flow graph.
  */
 private class ExplicitParameterNode extends ParameterNode {
-  override InitializeParameterInstruction instr;
+  ExplicitParameterNode() { exists(instr.getParameter()) }
 
   override predicate isParameterOf(Function f, int i) { f.getParameter(i) = instr.getParameter() }
 
@@ -191,7 +185,7 @@ private class ExplicitParameterNode extends ParameterNode {
 }
 
 private class ThisParameterNode extends ParameterNode {
-  override InitializeThisInstruction instr;
+  ThisParameterNode() { instr.getIRVariable() instanceof IRThisVariable }
 
   override predicate isParameterOf(Function f, int i) {
     i = -1 and instr.getEnclosingFunction() = f
@@ -251,14 +245,17 @@ abstract class PostUpdateNode extends InstructionNode {
  * setY(&x); // a partial definition of the object `x`.
  * ```
  */
-abstract private class PartialDefinitionNode extends PostUpdateNode, TInstructionNode { }
+abstract private class PartialDefinitionNode extends PostUpdateNode, TInstructionNode {
+  abstract Expr getDefinedExpr();
+}
 
 private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
   override ChiInstruction instr;
+  FieldAddressInstruction field;
 
   ExplicitFieldStoreQualifierNode() {
     not instr.isResultConflated() and
-    exists(StoreInstruction store, FieldInstruction field |
+    exists(StoreInstruction store |
       instr.getPartial() = store and field = store.getDestinationAddress()
     )
   }
@@ -268,6 +265,10 @@ private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
   // DataFlowImplConsistency::Consistency. However, it's not clear what (if any) implications
   // this consistency failure has.
   override Node getPreUpdateNode() { result.asInstruction() = instr.getTotal() }
+
+  override Expr getDefinedExpr() {
+    result = field.getObjectAddress().getUnconvertedResultExpression()
+  }
 }
 
 /**
@@ -278,15 +279,18 @@ private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
  */
 private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode {
   override StoreInstruction instr;
+  FieldAddressInstruction field;
 
   ExplicitSingleFieldStoreQualifierNode() {
-    exists(FieldAddressInstruction field |
-      field = instr.getDestinationAddress() and
-      not exists(ChiInstruction chi | chi.getPartial() = instr)
-    )
+    field = instr.getDestinationAddress() and
+    not exists(ChiInstruction chi | chi.getPartial() = instr)
   }
 
   override Node getPreUpdateNode() { none() }
+
+  override Expr getDefinedExpr() {
+    result = field.getObjectAddress().getUnconvertedResultExpression()
+  }
 }
 
 /**
@@ -458,9 +462,9 @@ private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction
   // for now.
   iTo.getAnOperand().(ChiTotalOperand).getDef() = iFrom
   or
-  // The next two rules allow flow from partial definitions in setters to succeeding loads in the caller.
-  // First, we add flow from write side-effects to non-conflated chi instructions through their
-  // partial operands. Consider the following example:
+  // Add flow from write side-effects to non-conflated chi instructions through their
+  // partial operands. From there, a `readStep` will find subsequent reads of that field.
+  // Consider the following example:
   // ```
   // void setX(Point* p, int new_x) {
   //   p->x = new_x;
@@ -470,14 +474,9 @@ private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction
   // ```
   // Here, a `WriteSideEffectInstruction` will provide a new definition for `p->x` after the call to
   // `setX`, which will be melded into `p` through a chi instruction.
-  iTo.getAnOperand().(ChiPartialOperand).getDef() = iFrom.(WriteSideEffectInstruction) and
-  not iTo.isResultConflated()
-  or
-  // Next, we add flow from non-conflated chi instructions to loads (even when they are not precise).
-  // This ensures that loads of `p->x` gets data flow from the `WriteSideEffectInstruction` above.
-  exists(ChiInstruction chi | iFrom = chi |
-    not chi.isResultConflated() and
-    iTo.(LoadInstruction).getSourceValueOperand().getAnyDef() = chi
+  exists(ChiInstruction chi | chi = iTo |
+    chi.getPartialOperand().getDef() = iFrom.(WriteSideEffectInstruction) and
+    not chi.isResultConflated()
   )
   or
   // Flow from stores to structs with a single field to a load of that field.

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -223,6 +223,15 @@ class IREllipsisVariable extends IRTempVariable {
   final override string toString() { result = "#ellipsis" }
 }
 
+/**
+ * A temporary variable generated to hold the `this` pointer.
+ */
+class IRThisVariable extends IRTempVariable {
+  IRThisVariable() { tag = ThisTempVar() }
+
+  final override string toString() { result = "#this" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll

@@ -204,7 +204,7 @@ private predicate isArgumentForParameter(CallInstruction ci, Operand operand, In
       init.(InitializeParameterInstruction).getParameter() =
         f.getParameter(operand.(PositionalArgumentOperand).getIndex())
       or
-      init instanceof InitializeThisInstruction and
+      init.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable and
       init.getEnclosingFunction() = f and
       operand instanceof ThisArgumentOperand
     ) and

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll

@@ -5,7 +5,7 @@ private import AliasAnalysis
 
 private newtype TAllocation =
   TVariableAllocation(IRVariable var) or
-  TIndirectParameterAllocation(IRAutomaticUserVariable var) {
+  TIndirectParameterAllocation(IRAutomaticVariable var) {
     exists(InitializeIndirectionInstruction instr | instr.getIRVariable() = var)
   } or
   TDynamicAllocation(CallInstruction call) {
@@ -74,7 +74,7 @@ class VariableAllocation extends Allocation, TVariableAllocation {
 }
 
 class IndirectParameterAllocation extends Allocation, TIndirectParameterAllocation {
-  IRAutomaticUserVariable var;
+  IRAutomaticVariable var;
 
   IndirectParameterAllocation() { this = TIndirectParameterAllocation(var) }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -223,6 +223,15 @@ class IREllipsisVariable extends IRTempVariable {
   final override string toString() { result = "#ellipsis" }
 }
 
+/**
+ * A temporary variable generated to hold the `this` pointer.
+ */
+class IRThisVariable extends IRTempVariable {
+  IRThisVariable() { tag = ThisTempVar() }
+
+  final override string toString() { result = "#this" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -35,6 +35,11 @@ private module Cached {
     getTranslatedFunction(func).hasUserVariable(var, type)
   }
 
+  cached
+  predicate hasThisVariable(Function func, CppType type) {
+    type = getTypeForGLValue(getTranslatedFunction(func).getThisType())
+  }
+
   cached
   predicate hasTempVariable(Function func, Locatable ast, TempVariableTag tag, CppType type) {
     exists(TranslatedElement element |

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -2,7 +2,6 @@ private import cpp
 
 newtype TInstructionTag =
   OnlyInstructionTag() or // Single instruction (not including implicit Load)
-  InitializeThisTag() or
   InitializerVariableAddressTag() or
   InitializerLoadStringTag() or
   InitializerStoreTag() or
@@ -70,7 +69,9 @@ newtype TInstructionTag =
   VarArgsMoveNextTag() or
   VarArgsVAListStoreTag() or
   AsmTag() or
-  AsmInputTag(int elementIndex) { exists(AsmStmt asm | exists(asm.getChild(elementIndex))) }
+  AsmInputTag(int elementIndex) { exists(AsmStmt asm | exists(asm.getChild(elementIndex))) } or
+  ThisAddressTag() or
+  ThisLoadTag()
 
 class InstructionTag extends TInstructionTag {
   final string toString() { result = "Tag" }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -400,6 +400,9 @@ newtype TTranslatedElement =
   TTranslatedConstructorInitList(Function func) { translateFunction(func) } or
   // A destructor destruction list
   TTranslatedDestructorDestructionList(Function func) { translateFunction(func) } or
+  TTranslatedThisParameter(Function func) {
+    translateFunction(func) and func.isMember() and not func.isStatic()
+  } or
   // A function parameter
   TTranslatedParameter(Parameter param) {
     exists(Function func |

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -664,31 +664,40 @@ class TranslatedThisExpr extends TranslatedNonConstantExpr {
   final override TranslatedElement getChild(int id) { none() }
 
   final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
-    tag = OnlyInstructionTag() and
-    opcode instanceof Opcode::CopyValue and
+    tag = ThisAddressTag() and
+    opcode instanceof Opcode::VariableAddress and
+    resultType = getTypeForGLValue(any(UnknownType t))
+    or
+    tag = ThisLoadTag() and
+    opcode instanceof Opcode::Load and
     resultType = getResultType()
   }
 
-  final override Instruction getResult() { result = getInstruction(OnlyInstructionTag()) }
+  final override Instruction getResult() { result = getInstruction(ThisLoadTag()) }
 
-  final override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
+  final override Instruction getFirstInstruction() { result = getInstruction(ThisAddressTag()) }
 
   final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     kind instanceof GotoEdge and
-    tag = OnlyInstructionTag() and
+    tag = ThisAddressTag() and
+    result = getInstruction(ThisLoadTag())
+    or
+    kind instanceof GotoEdge and
+    tag = ThisLoadTag() and
     result = getParent().getChildSuccessor(this)
   }
 
   final override Instruction getChildSuccessor(TranslatedElement child) { none() }
 
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag = OnlyInstructionTag() and
-    operandTag instanceof UnaryOperandTag and
-    result = getInitializeThisInstruction()
+    tag = ThisLoadTag() and
+    operandTag instanceof AddressOperandTag and
+    result = getInstruction(ThisAddressTag())
   }
 
-  private Instruction getInitializeThisInstruction() {
-    result = getTranslatedFunction(expr.getEnclosingFunction()).getInitializeThisInstruction()
+  override IRVariable getInstructionVariable(InstructionTag tag) {
+    tag = ThisAddressTag() and
+    result = this.getEnclosingFunction().getThisVariable()
   }
 }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -73,15 +73,15 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
   final override Function getFunction() { result = func }
 
   final override TranslatedElement getChild(int id) {
-    id = -4 and result = getReadEffects()
+    id = -5 and result = getReadEffects()
     or
-    id = -3 and result = getConstructorInitList()
+    id = -4 and result = getConstructorInitList()
     or
-    id = -2 and result = getBody()
+    id = -3 and result = getBody()
     or
-    id = -1 and result = getDestructorDestructionList()
+    id = -2 and result = getDestructorDestructionList()
     or
-    id >= 0 and result = getParameter(id)
+    id >= -1 and result = getParameter(id)
   }
 
   final private TranslatedConstructorInitList getConstructorInitList() {
@@ -97,6 +97,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
   final private TranslatedReadEffects getReadEffects() { result = getTranslatedReadEffects(func) }
 
   final private TranslatedParameter getParameter(int index) {
+    result = getTranslatedThisParameter(func) and
+    index = -1
+    or
     result = getTranslatedParameter(func.getParameter(index))
     or
     index = getEllipsisParameterIndexForFunction(func) and
@@ -117,20 +120,13 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
       (
         tag = InitializeNonLocalTag() and
         if exists(getThisType())
-        then result = getInstruction(InitializeThisTag())
+        then result = getParameter(-1).getFirstInstruction()
         else
           if exists(getParameter(0))
           then result = getParameter(0).getFirstInstruction()
           else result = getBody().getFirstInstruction()
       )
       or
-      (
-        tag = InitializeThisTag() and
-        if exists(getParameter(0))
-        then result = getParameter(0).getFirstInstruction()
-        else result = getConstructorInitList().getFirstInstruction()
-      )
-      or
       tag = ReturnValueAddressTag() and
       result = getInstruction(ReturnTag())
       or
@@ -184,10 +180,6 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
       opcode instanceof Opcode::InitializeNonLocal and
       resultType = getUnknownType()
       or
-      tag = InitializeThisTag() and
-      opcode instanceof Opcode::InitializeThis and
-      resultType = getTypeForGLValue(getThisType())
-      or
       tag = ReturnValueAddressTag() and
       opcode instanceof Opcode::VariableAddress and
       resultType = getTypeForGLValue(getReturnType()) and
@@ -228,10 +220,8 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag = ReturnTag() and
     hasReturnValue() and
-    (
-      operandTag instanceof AddressOperandTag and
-      result = getInstruction(ReturnValueAddressTag())
-    )
+    operandTag instanceof AddressOperandTag and
+    result = getInstruction(ReturnValueAddressTag())
   }
 
   final override CppType getInstructionMemoryOperandType(
@@ -264,6 +254,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     tag = EllipsisTempVar() and
     func.isVarargs() and
     type = getEllipsisVariablePRValueType()
+    or
+    tag = ThisTempVar() and
+    type = getTypeForGLValue(getThisType())
   }
 
   /**
@@ -286,6 +279,11 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
    */
   final IREllipsisVariable getEllipsisVariable() { result.getEnclosingFunction() = func }
 
+  /**
+   * Gets the variable that represents the `this` pointer for this function, if any.
+   */
+  final IRThisVariable getThisVariable() { result = getIRTempVariable(func, ThisTempVar()) }
+
   /**
    * Holds if the function has a non-`void` return type.
    */
@@ -295,7 +293,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
    * Gets the single `InitializeThis` instruction for this function. Holds only
    * if the function is an instance member function, constructor, or destructor.
    */
-  final Instruction getInitializeThisInstruction() { result = getInstruction(InitializeThisTag()) }
+  final Instruction getInitializeThisInstruction() {
+    result = getTranslatedThisParameter(func).getInstruction(InitializerStoreTag())
+  }
 
   /**
    * Gets the type pointed to by the `this` pointer for this function (i.e. `*this`).
@@ -336,6 +336,11 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
   final Type getReturnType() { result = func.getType() }
 }
 
+/**
+ * Gets the `TranslatedThisParameter` for function `func`, if one exists.
+ */
+TranslatedThisParameter getTranslatedThisParameter(Function func) { result.getFunction() = func }
+
 /**
  * Gets the `TranslatedPositionalParameter` that represents parameter `param`.
  */
@@ -350,8 +355,9 @@ TranslatedEllipsisParameter getTranslatedEllipsisParameter(Function func) {
 
 /**
  * The IR translation of a parameter to a function. This can be either a user-declared parameter
- * (`TranslatedPositionParameter`) or the synthesized parameter used to represent a `...` in a
- * varargs function (`TranslatedEllipsisParameter`).
+ * (`TranslatedPositionParameter`), the synthesized parameter used to represent `this`, or the
+ * synthesized parameter used to represent a `...` in a varargs function
+ * (`TranslatedEllipsisParameter`).
  */
 abstract class TranslatedParameter extends TranslatedElement {
   final override TranslatedElement getChild(int id) { none() }
@@ -398,7 +404,7 @@ abstract class TranslatedParameter extends TranslatedElement {
     hasIndirection() and
     tag = InitializerIndirectStoreTag() and
     opcode instanceof Opcode::InitializeIndirection and
-    resultType = getUnknownType()
+    resultType = getInitializationResultType()
   }
 
   final override IRVariable getInstructionVariable(InstructionTag tag) {
@@ -435,9 +441,43 @@ abstract class TranslatedParameter extends TranslatedElement {
 
   abstract CppType getPRValueType();
 
+  abstract CppType getInitializationResultType();
+
   abstract IRAutomaticVariable getIRVariable();
 }
 
+/**
+ * The IR translation of the synthesized parameter used to represent the `...` in a varargs
+ * function.
+ */
+class TranslatedThisParameter extends TranslatedParameter, TTranslatedThisParameter {
+  Function func;
+
+  TranslatedThisParameter() { this = TTranslatedThisParameter(func) }
+
+  final override string toString() { result = "this" }
+
+  final override Locatable getAST() { result = func }
+
+  final override Function getFunction() { result = func }
+
+  final override predicate hasIndirection() { any() }
+
+  final override CppType getGLValueType() { result = getTypeForGLValue(any(UnknownType t)) }
+
+  final override CppType getPRValueType() {
+    result = getTypeForGLValue(getTranslatedFunction(func).getThisType())
+  }
+
+  final override CppType getInitializationResultType() {
+    result = getTypeForPRValue(getTranslatedFunction(func).getThisType())
+  }
+
+  final override IRThisVariable getIRVariable() {
+    result = getTranslatedFunction(func).getThisVariable()
+  }
+}
+
 /**
  * Represents the IR translation of a function parameter, including the
  * initialization of that parameter with the incoming argument.
@@ -468,6 +508,8 @@ class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedPara
 
   final override CppType getPRValueType() { result = getTypeForPRValue(getVariableType(param)) }
 
+  final override CppType getInitializationResultType() { result = getUnknownType() }
+
   final override IRAutomaticUserVariable getIRVariable() {
     result = getIRUserVariable(getFunction(), param)
   }
@@ -494,6 +536,8 @@ class TranslatedEllipsisParameter extends TranslatedParameter, TTranslatedEllips
 
   final override CppType getPRValueType() { result = getEllipsisVariablePRValueType() }
 
+  final override CppType getInitializationResultType() { result = getUnknownType() }
+
   final override IREllipsisVariable getIRVariable() {
     result = getTranslatedFunction(func).getEllipsisVariable()
   }

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll

@@ -223,6 +223,15 @@ class IREllipsisVariable extends IRTempVariable {
   final override string toString() { result = "#ellipsis" }
 }
 
+/**
+ * A temporary variable generated to hold the `this` pointer.
+ */
+class IRThisVariable extends IRTempVariable {
+  IRThisVariable() { tag = ThisTempVar() }
+
+  final override string toString() { result = "#this" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll

@@ -204,7 +204,7 @@ private predicate isArgumentForParameter(CallInstruction ci, Operand operand, In
       init.(InitializeParameterInstruction).getParameter() =
         f.getParameter(operand.(PositionalArgumentOperand).getIndex())
       or
-      init instanceof InitializeThisInstruction and
+      init.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable and
       init.getEnclosingFunction() = f and
       operand instanceof ThisArgumentOperand
     ) and

cpp/ql/src/semmle/code/cpp/ir/internal/TempVariableTag.qll

@@ -3,7 +3,8 @@ newtype TTempVariableTag =
   ReturnValueTempVar() or
   ThrowTempVar() or
   LambdaTempVar() or
-  EllipsisTempVar()
+  EllipsisTempVar() or
+  ThisTempVar()
 
 string getTempVariableTagId(TTempVariableTag tag) {
   tag = ConditionValueTempVar() and result = "CondVal"
@@ -15,4 +16,6 @@ string getTempVariableTagId(TTempVariableTag tag) {
   tag = LambdaTempVar() and result = "Lambda"
   or
   tag = EllipsisTempVar() and result = "Ellipsis"
+  or
+  tag = ThisTempVar() and result = "This"
 }

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/defaulttainttracking.cpp

@@ -115,5 +115,5 @@ void test_conflated_fields3() {
   XY xy;
   xy.x = 0;
   taint_y(&xy);
-  sink(xy.x); // not tainted [FALSE POSITIVE]
+  sink(xy.x); // not tainted
 }

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected

@@ -103,8 +103,6 @@
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:110:17:110:32 | (int)... |
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:110:17:110:32 | access to array |
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:111:12:111:18 | tainted |
-| defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:118:11:118:11 | x |
-| defaulttainttracking.cpp:110:17:110:22 | call to getenv | shared.h:6:15:6:23 | sinkparam |
 | dispatch.cpp:28:29:28:34 | call to getenv | dispatch.cpp:28:24:28:27 | call to atoi |
 | dispatch.cpp:28:29:28:34 | call to getenv | dispatch.cpp:28:29:28:34 | call to getenv |
 | dispatch.cpp:28:29:28:34 | call to getenv | dispatch.cpp:28:29:28:45 | (const char *)... |

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected

@@ -21,8 +21,6 @@
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:98:10:98:11 | p2 | IR only |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | shared.h:5:23:5:31 | sinkparam | IR only |
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:111:8:111:8 | y | AST only |
-| defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:118:11:118:11 | x | IR only |
-| defaulttainttracking.cpp:110:17:110:22 | call to getenv | shared.h:6:15:6:23 | sinkparam | IR only |
 | globals.cpp:13:15:13:20 | call to getenv | globals.cpp:13:5:13:11 | global1 | AST only |
 | globals.cpp:23:15:23:20 | call to getenv | globals.cpp:23:5:23:11 | global2 | AST only |
 | test_diff.cpp:104:12:104:15 | argv | test_diff.cpp:104:11:104:20 | (...) | IR only |

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -19,9 +19,7 @@ uniqueNodeLocation
 missingLocation
 | Nodes without location: 4 |
 uniqueNodeToString
-| lambdas.cpp:2:6:2:9 | (no string representation) | Node should have one toString but has 0. |
 missingToString
-| Nodes without toString: 1 |
 parameterCallable
 localFlowIsLocal
 compatibleTypesReflexive

cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected

@@ -40,7 +40,6 @@
 | test.cpp:347:17:347:22 | test.cpp:349:10:349:18 | AST only |
 | test.cpp:359:13:359:18 | test.cpp:365:10:365:14 | AST only |
 | test.cpp:373:13:373:18 | test.cpp:369:10:369:14 | AST only |
-| test.cpp:373:13:373:18 | test.cpp:375:10:375:14 | AST only |
 | test.cpp:399:7:399:9 | test.cpp:401:8:401:10 | AST only |
 | test.cpp:405:7:405:9 | test.cpp:408:8:408:10 | AST only |
 | test.cpp:416:7:416:11 | test.cpp:418:8:418:12 | AST only |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected

@@ -65,6 +65,7 @@
 | test.cpp:266:12:266:12 | x | test.cpp:265:22:265:27 | call to source |
 | test.cpp:289:14:289:14 | x | test.cpp:305:17:305:22 | call to source |
 | test.cpp:318:7:318:7 | x | test.cpp:314:4:314:9 | call to source |
+| test.cpp:375:10:375:14 | field | test.cpp:373:13:373:18 | call to source |
 | test.cpp:385:8:385:10 | tmp | test.cpp:382:48:382:54 | source1 |
 | test.cpp:392:8:392:10 | tmp | test.cpp:388:53:388:59 | source1 |
 | test.cpp:394:10:394:12 | tmp | test.cpp:388:53:388:59 | source1 |

cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected

@@ -0,0 +1,347 @@
+| A.cpp:25:13:25:13 | c | AST only |
+| A.cpp:27:28:27:28 | c | AST only |
+| A.cpp:31:20:31:20 | c | AST only |
+| A.cpp:40:5:40:6 | cc | AST only |
+| A.cpp:41:5:41:6 | ct | AST only |
+| A.cpp:42:10:42:12 | & ... | AST only |
+| A.cpp:43:10:43:12 | & ... | AST only |
+| A.cpp:48:20:48:20 | c | AST only |
+| A.cpp:49:10:49:10 | b | AST only |
+| A.cpp:49:13:49:13 | c | AST only |
+| A.cpp:55:5:55:5 | b | AST only |
+| A.cpp:56:10:56:10 | b | AST only |
+| A.cpp:56:13:56:15 | call to get | AST only |
+| A.cpp:57:28:57:30 | call to get | AST only |
+| A.cpp:64:17:64:18 | b1 | AST only |
+| A.cpp:65:10:65:11 | b1 | AST only |
+| A.cpp:65:14:65:14 | c | AST only |
+| A.cpp:66:10:66:11 | b2 | AST only |
+| A.cpp:66:14:66:14 | c | AST only |
+| A.cpp:73:21:73:22 | b1 | AST only |
+| A.cpp:74:10:74:11 | b1 | AST only |
+| A.cpp:74:14:74:14 | c | AST only |
+| A.cpp:75:10:75:11 | b2 | AST only |
+| A.cpp:75:14:75:14 | c | AST only |
+| A.cpp:81:17:81:18 | b1 | AST only |
+| A.cpp:81:21:81:21 | c | AST only |
+| A.cpp:90:7:90:8 | b2 | AST only |
+| A.cpp:90:15:90:15 | c | AST only |
+| A.cpp:100:9:100:9 | a | AST only |
+| A.cpp:101:8:101:9 | c1 | AST only |
+| A.cpp:107:12:107:13 | c1 | AST only |
+| A.cpp:107:16:107:16 | a | AST only |
+| A.cpp:120:12:120:13 | c1 | AST only |
+| A.cpp:120:16:120:16 | a | AST only |
+| A.cpp:126:5:126:5 | b | AST only |
+| A.cpp:131:8:131:8 | b | AST only |
+| A.cpp:132:10:132:10 | b | AST only |
+| A.cpp:132:13:132:13 | c | AST only |
+| A.cpp:142:10:142:10 | c | AST only |
+| A.cpp:143:13:143:13 | b | AST only |
+| A.cpp:151:18:151:18 | b | AST only |
+| A.cpp:152:10:152:10 | d | AST only |
+| A.cpp:152:13:152:13 | b | AST only |
+| A.cpp:153:10:153:10 | d | AST only |
+| A.cpp:153:13:153:13 | b | AST only |
+| A.cpp:153:16:153:16 | c | AST only |
+| A.cpp:154:10:154:10 | b | AST only |
+| A.cpp:154:13:154:13 | c | AST only |
+| A.cpp:160:29:160:29 | b | AST only |
+| A.cpp:161:38:161:39 | l1 | AST only |
+| A.cpp:162:38:162:39 | l2 | AST only |
+| A.cpp:163:10:163:11 | l3 | AST only |
+| A.cpp:163:14:163:17 | head | AST only |
+| A.cpp:164:10:164:11 | l3 | AST only |
+| A.cpp:164:14:164:17 | next | AST only |
+| A.cpp:164:20:164:23 | head | AST only |
+| A.cpp:165:10:165:11 | l3 | AST only |
+| A.cpp:165:14:165:17 | next | AST only |
+| A.cpp:165:20:165:23 | next | AST only |
+| A.cpp:165:26:165:29 | head | AST only |
+| A.cpp:166:10:166:11 | l3 | AST only |
+| A.cpp:166:14:166:17 | next | AST only |
+| A.cpp:166:20:166:23 | next | AST only |
+| A.cpp:166:26:166:29 | next | AST only |
+| A.cpp:166:32:166:35 | head | AST only |
+| A.cpp:169:12:169:12 | l | AST only |
+| A.cpp:169:15:169:18 | head | AST only |
+| A.cpp:183:7:183:10 | head | AST only |
+| A.cpp:184:13:184:16 | next | AST only |
+| B.cpp:7:25:7:25 | e | AST only |
+| B.cpp:8:25:8:26 | b1 | AST only |
+| B.cpp:9:10:9:11 | b2 | AST only |
+| B.cpp:9:14:9:17 | box1 | AST only |
+| B.cpp:9:20:9:24 | elem1 | AST only |
+| B.cpp:10:10:10:11 | b2 | AST only |
+| B.cpp:10:14:10:17 | box1 | AST only |
+| B.cpp:10:20:10:24 | elem2 | AST only |
+| B.cpp:16:37:16:37 | e | AST only |
+| B.cpp:17:25:17:26 | b1 | AST only |
+| B.cpp:18:10:18:11 | b2 | AST only |
+| B.cpp:18:14:18:17 | box1 | AST only |
+| B.cpp:18:20:18:24 | elem1 | AST only |
+| B.cpp:19:10:19:11 | b2 | AST only |
+| B.cpp:19:14:19:17 | box1 | AST only |
+| B.cpp:19:20:19:24 | elem2 | AST only |
+| B.cpp:35:13:35:17 | elem1 | AST only |
+| B.cpp:36:13:36:17 | elem2 | AST only |
+| B.cpp:46:13:46:16 | box1 | AST only |
+| C.cpp:19:5:19:5 | c | AST only |
+| C.cpp:24:11:24:12 | s3 | AST only |
+| D.cpp:9:21:9:24 | elem | AST only |
+| D.cpp:11:29:11:32 | elem | AST only |
+| D.cpp:16:21:16:23 | box | AST only |
+| D.cpp:18:29:18:31 | box | AST only |
+| D.cpp:22:10:22:11 | b2 | AST only |
+| D.cpp:22:14:22:20 | call to getBox1 | AST only |
+| D.cpp:22:25:22:31 | call to getElem | AST only |
+| D.cpp:30:5:30:5 | b | AST only |
+| D.cpp:30:8:30:10 | box | AST only |
+| D.cpp:30:13:30:16 | elem | AST only |
+| D.cpp:31:14:31:14 | b | AST only |
+| D.cpp:37:5:37:5 | b | AST only |
+| D.cpp:37:8:37:10 | box | AST only |
+| D.cpp:37:21:37:21 | e | AST only |
+| D.cpp:38:14:38:14 | b | AST only |
+| D.cpp:44:5:44:5 | b | AST only |
+| D.cpp:44:8:44:14 | call to getBox1 | AST only |
+| D.cpp:44:19:44:22 | elem | AST only |
+| D.cpp:45:14:45:14 | b | AST only |
+| D.cpp:51:5:51:5 | b | AST only |
+| D.cpp:51:8:51:14 | call to getBox1 | AST only |
+| D.cpp:51:27:51:27 | e | AST only |
+| D.cpp:52:14:52:14 | b | AST only |
+| D.cpp:57:5:57:12 | boxfield | AST only |
+| D.cpp:58:5:58:12 | boxfield | AST only |
+| D.cpp:58:5:58:12 | this | AST only |
+| D.cpp:58:15:58:17 | box | AST only |
+| D.cpp:58:20:58:23 | elem | AST only |
+| D.cpp:64:10:64:17 | boxfield | AST only |
+| D.cpp:64:10:64:17 | this | AST only |
+| D.cpp:64:20:64:22 | box | AST only |
+| D.cpp:64:25:64:28 | elem | AST only |
+| E.cpp:21:10:21:10 | p | AST only |
+| E.cpp:21:13:21:16 | data | AST only |
+| E.cpp:21:18:21:23 | buffer | AST only |
+| E.cpp:28:21:28:23 | raw | AST only |
+| E.cpp:29:21:29:21 | b | AST only |
+| E.cpp:29:24:29:29 | buffer | AST only |
+| E.cpp:30:21:30:21 | p | AST only |
+| E.cpp:30:23:30:26 | data | AST only |
+| E.cpp:30:28:30:33 | buffer | AST only |
+| E.cpp:31:10:31:12 | raw | AST only |
+| E.cpp:32:10:32:10 | b | AST only |
+| E.cpp:32:13:32:18 | buffer | AST only |
+| E.cpp:33:18:33:19 | & ... | AST only |
+| aliasing.cpp:9:6:9:7 | m1 | AST only |
+| aliasing.cpp:13:5:13:6 | m1 | AST only |
+| aliasing.cpp:17:5:17:6 | m1 | AST only |
+| aliasing.cpp:25:17:25:19 | & ... | AST only |
+| aliasing.cpp:26:19:26:20 | s2 | AST only |
+| aliasing.cpp:37:8:37:9 | m1 | AST only |
+| aliasing.cpp:42:6:42:7 | m1 | AST only |
+| aliasing.cpp:49:9:49:10 | m1 | AST only |
+| aliasing.cpp:54:6:54:7 | m1 | AST only |
+| aliasing.cpp:60:6:60:7 | m1 | AST only |
+| aliasing.cpp:72:5:72:6 | m1 | AST only |
+| aliasing.cpp:79:6:79:7 | m1 | AST only |
+| aliasing.cpp:86:5:86:6 | m1 | AST only |
+| aliasing.cpp:92:3:92:3 | w | AST only |
+| aliasing.cpp:92:7:92:8 | m1 | AST only |
+| by_reference.cpp:12:8:12:8 | a | AST only |
+| by_reference.cpp:16:11:16:11 | a | AST only |
+| by_reference.cpp:20:5:20:8 | this | AST only |
+| by_reference.cpp:20:23:20:27 | value | AST only |
+| by_reference.cpp:24:19:24:22 | this | AST only |
+| by_reference.cpp:24:25:24:29 | value | AST only |
+| by_reference.cpp:50:3:50:3 | s | AST only |
+| by_reference.cpp:50:17:50:26 | call to user_input | AST only |
+| by_reference.cpp:51:10:51:20 | call to getDirectly | AST only |
+| by_reference.cpp:56:3:56:3 | s | AST only |
+| by_reference.cpp:56:19:56:28 | call to user_input | AST only |
+| by_reference.cpp:57:10:57:22 | call to getIndirectly | AST only |
+| by_reference.cpp:62:3:62:3 | s | AST only |
+| by_reference.cpp:62:25:62:34 | call to user_input | AST only |
+| by_reference.cpp:63:10:63:28 | call to getThroughNonMember | AST only |
+| by_reference.cpp:68:17:68:18 | & ... | AST only |
+| by_reference.cpp:68:21:68:30 | call to user_input | AST only |
+| by_reference.cpp:69:8:69:20 | call to nonMemberGetA | AST only |
+| by_reference.cpp:84:10:84:10 | a | AST only |
+| by_reference.cpp:88:9:88:9 | a | AST only |
+| by_reference.cpp:102:21:102:39 | & ... | AST only |
+| by_reference.cpp:102:22:102:26 | outer | AST only |
+| by_reference.cpp:103:21:103:25 | outer | AST only |
+| by_reference.cpp:103:27:103:35 | inner_ptr | AST only |
+| by_reference.cpp:104:15:104:22 | & ... | AST only |
+| by_reference.cpp:104:16:104:20 | outer | AST only |
+| by_reference.cpp:106:21:106:41 | & ... | AST only |
+| by_reference.cpp:106:22:106:27 | pouter | AST only |
+| by_reference.cpp:107:21:107:26 | pouter | AST only |
+| by_reference.cpp:107:29:107:37 | inner_ptr | AST only |
+| by_reference.cpp:108:15:108:24 | & ... | AST only |
+| by_reference.cpp:108:16:108:21 | pouter | AST only |
+| by_reference.cpp:110:8:110:12 | outer | AST only |
+| by_reference.cpp:110:14:110:25 | inner_nested | AST only |
+| by_reference.cpp:110:27:110:27 | a | AST only |
+| by_reference.cpp:111:8:111:12 | outer | AST only |
+| by_reference.cpp:111:14:111:22 | inner_ptr | AST only |
+| by_reference.cpp:111:25:111:25 | a | AST only |
+| by_reference.cpp:112:8:112:12 | outer | AST only |
+| by_reference.cpp:112:14:112:14 | a | AST only |
+| by_reference.cpp:114:8:114:13 | pouter | AST only |
+| by_reference.cpp:114:16:114:27 | inner_nested | AST only |
+| by_reference.cpp:114:29:114:29 | a | AST only |
+| by_reference.cpp:115:8:115:13 | pouter | AST only |
+| by_reference.cpp:115:16:115:24 | inner_ptr | AST only |
+| by_reference.cpp:115:27:115:27 | a | AST only |
+| by_reference.cpp:116:8:116:13 | pouter | AST only |
+| by_reference.cpp:116:16:116:16 | a | AST only |
+| by_reference.cpp:122:21:122:25 | outer | AST only |
+| by_reference.cpp:122:27:122:38 | inner_nested | AST only |
+| by_reference.cpp:123:21:123:36 | * ... | AST only |
+| by_reference.cpp:123:22:123:26 | outer | AST only |
+| by_reference.cpp:124:15:124:19 | outer | AST only |
+| by_reference.cpp:124:21:124:21 | a | AST only |
+| by_reference.cpp:126:21:126:26 | pouter | AST only |
+| by_reference.cpp:126:29:126:40 | inner_nested | AST only |
+| by_reference.cpp:127:21:127:38 | * ... | AST only |
+| by_reference.cpp:127:22:127:27 | pouter | AST only |
+| by_reference.cpp:128:15:128:20 | pouter | AST only |
+| by_reference.cpp:128:23:128:23 | a | AST only |
+| by_reference.cpp:130:8:130:12 | outer | AST only |
+| by_reference.cpp:130:14:130:25 | inner_nested | AST only |
+| by_reference.cpp:130:27:130:27 | a | AST only |
+| by_reference.cpp:131:8:131:12 | outer | AST only |
+| by_reference.cpp:131:14:131:22 | inner_ptr | AST only |
+| by_reference.cpp:131:25:131:25 | a | AST only |
+| by_reference.cpp:132:8:132:12 | outer | AST only |
+| by_reference.cpp:132:14:132:14 | a | AST only |
+| by_reference.cpp:134:8:134:13 | pouter | AST only |
+| by_reference.cpp:134:16:134:27 | inner_nested | AST only |
+| by_reference.cpp:134:29:134:29 | a | AST only |
+| by_reference.cpp:135:8:135:13 | pouter | AST only |
+| by_reference.cpp:135:16:135:24 | inner_ptr | AST only |
+| by_reference.cpp:135:27:135:27 | a | AST only |
+| by_reference.cpp:136:8:136:13 | pouter | AST only |
+| by_reference.cpp:136:16:136:16 | a | AST only |
+| complex.cpp:11:22:11:23 | a_ | AST only |
+| complex.cpp:12:22:12:23 | b_ | AST only |
+| complex.cpp:51:8:51:8 | b | AST only |
+| complex.cpp:51:10:51:14 | inner | AST only |
+| complex.cpp:51:16:51:16 | f | AST only |
+| complex.cpp:52:8:52:8 | b | AST only |
+| complex.cpp:52:10:52:14 | inner | AST only |
+| complex.cpp:52:16:52:16 | f | AST only |
+| complex.cpp:62:3:62:4 | b1 | AST only |
+| complex.cpp:62:6:62:10 | inner | AST only |
+| complex.cpp:62:12:62:12 | f | AST only |
+| complex.cpp:63:3:63:4 | b2 | AST only |
+| complex.cpp:63:6:63:10 | inner | AST only |
+| complex.cpp:63:12:63:12 | f | AST only |
+| complex.cpp:64:3:64:4 | b3 | AST only |
+| complex.cpp:64:6:64:10 | inner | AST only |
+| complex.cpp:64:12:64:12 | f | AST only |
+| complex.cpp:65:3:65:4 | b3 | AST only |
+| complex.cpp:65:6:65:10 | inner | AST only |
+| complex.cpp:65:12:65:12 | f | AST only |
+| complex.cpp:68:7:68:8 | b1 | AST only |
+| complex.cpp:71:7:71:8 | b2 | AST only |
+| complex.cpp:74:7:74:8 | b3 | AST only |
+| complex.cpp:77:7:77:8 | b4 | AST only |
+| constructors.cpp:20:24:20:25 | a_ | AST only |
+| constructors.cpp:21:24:21:25 | b_ | AST only |
+| constructors.cpp:28:10:28:10 | f | AST only |
+| constructors.cpp:29:10:29:10 | f | AST only |
+| constructors.cpp:40:9:40:9 | f | AST only |
+| constructors.cpp:43:9:43:9 | g | AST only |
+| constructors.cpp:46:9:46:9 | h | AST only |
+| constructors.cpp:49:9:49:9 | i | AST only |
+| file://:0:0:0:0 | this | AST only |
+| file://:0:0:0:0 | this | AST only |
+| file://:0:0:0:0 | this | AST only |
+| file://:0:0:0:0 | this | AST only |
+| file://:0:0:0:0 | this | AST only |
+| file://:0:0:0:0 | this | AST only |
+| file://:0:0:0:0 | this | AST only |
+| file://:0:0:0:0 | this | AST only |
+| file://:0:0:0:0 | this | AST only |
+| file://:0:0:0:0 | this | AST only |
+| qualifiers.cpp:9:36:9:36 | a | AST only |
+| qualifiers.cpp:12:56:12:56 | a | AST only |
+| qualifiers.cpp:13:57:13:57 | a | AST only |
+| qualifiers.cpp:22:5:22:9 | outer | AST only |
+| qualifiers.cpp:22:11:22:18 | call to getInner | AST only |
+| qualifiers.cpp:22:23:22:23 | a | AST only |
+| qualifiers.cpp:23:10:23:14 | outer | AST only |
+| qualifiers.cpp:23:16:23:20 | inner | AST only |
+| qualifiers.cpp:23:23:23:23 | a | AST only |
+| qualifiers.cpp:27:5:27:9 | outer | AST only |
+| qualifiers.cpp:27:11:27:18 | call to getInner | AST only |
+| qualifiers.cpp:27:28:27:37 | call to user_input | AST only |
+| qualifiers.cpp:28:10:28:14 | outer | AST only |
+| qualifiers.cpp:28:16:28:20 | inner | AST only |
+| qualifiers.cpp:28:23:28:23 | a | AST only |
+| qualifiers.cpp:32:17:32:21 | outer | AST only |
+| qualifiers.cpp:32:23:32:30 | call to getInner | AST only |
+| qualifiers.cpp:32:35:32:44 | call to user_input | AST only |
+| qualifiers.cpp:33:10:33:14 | outer | AST only |
+| qualifiers.cpp:33:16:33:20 | inner | AST only |
+| qualifiers.cpp:33:23:33:23 | a | AST only |
+| qualifiers.cpp:37:19:37:35 | * ... | AST only |
+| qualifiers.cpp:37:20:37:24 | outer | AST only |
+| qualifiers.cpp:37:38:37:47 | call to user_input | AST only |
+| qualifiers.cpp:38:10:38:14 | outer | AST only |
+| qualifiers.cpp:38:16:38:20 | inner | AST only |
+| qualifiers.cpp:38:23:38:23 | a | AST only |
+| qualifiers.cpp:42:6:42:22 | * ... | AST only |
+| qualifiers.cpp:42:7:42:11 | outer | AST only |
+| qualifiers.cpp:42:25:42:25 | a | AST only |
+| qualifiers.cpp:43:10:43:14 | outer | AST only |
+| qualifiers.cpp:43:16:43:20 | inner | AST only |
+| qualifiers.cpp:43:23:43:23 | a | AST only |
+| qualifiers.cpp:47:6:47:11 | & ... | AST only |
+| qualifiers.cpp:47:15:47:22 | call to getInner | AST only |
+| qualifiers.cpp:47:27:47:27 | a | AST only |
+| qualifiers.cpp:48:10:48:14 | outer | AST only |
+| qualifiers.cpp:48:16:48:20 | inner | AST only |
+| qualifiers.cpp:48:23:48:23 | a | AST only |
+| simple.cpp:20:24:20:25 | a_ | AST only |
+| simple.cpp:21:24:21:25 | b_ | AST only |
+| simple.cpp:28:10:28:10 | f | AST only |
+| simple.cpp:29:10:29:10 | f | AST only |
+| simple.cpp:39:5:39:5 | f | AST only |
+| simple.cpp:40:5:40:5 | g | AST only |
+| simple.cpp:41:5:41:5 | h | AST only |
+| simple.cpp:42:5:42:5 | h | AST only |
+| simple.cpp:45:9:45:9 | f | AST only |
+| simple.cpp:48:9:48:9 | g | AST only |
+| simple.cpp:51:9:51:9 | h | AST only |
+| simple.cpp:54:9:54:9 | i | AST only |
+| simple.cpp:65:7:65:7 | i | AST only |
+| simple.cpp:83:9:83:10 | this | AST only |
+| simple.cpp:83:12:83:13 | f1 | AST only |
+| struct_init.c:15:8:15:9 | ab | AST only |
+| struct_init.c:15:12:15:12 | a | AST only |
+| struct_init.c:16:8:16:9 | ab | AST only |
+| struct_init.c:16:12:16:12 | b | AST only |
+| struct_init.c:22:8:22:9 | ab | AST only |
+| struct_init.c:22:11:22:11 | a | AST only |
+| struct_init.c:23:8:23:9 | ab | AST only |
+| struct_init.c:23:11:23:11 | b | AST only |
+| struct_init.c:24:10:24:12 | & ... | AST only |
+| struct_init.c:31:8:31:12 | outer | AST only |
+| struct_init.c:31:14:31:21 | nestedAB | AST only |
+| struct_init.c:31:23:31:23 | a | AST only |
+| struct_init.c:32:8:32:12 | outer | AST only |
+| struct_init.c:32:14:32:21 | nestedAB | AST only |
+| struct_init.c:32:23:32:23 | b | AST only |
+| struct_init.c:33:8:33:12 | outer | AST only |
+| struct_init.c:33:14:33:22 | pointerAB | AST only |
+| struct_init.c:33:25:33:25 | a | AST only |
+| struct_init.c:34:8:34:12 | outer | AST only |
+| struct_init.c:34:14:34:22 | pointerAB | AST only |
+| struct_init.c:34:25:34:25 | b | AST only |
+| struct_init.c:36:10:36:24 | & ... | AST only |
+| struct_init.c:36:11:36:15 | outer | AST only |
+| struct_init.c:46:10:46:14 | outer | AST only |
+| struct_init.c:46:16:46:24 | pointerAB | AST only |

cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.ql

@@ -0,0 +1,58 @@
+/**
+ * @kind problem
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.DataFlow::DataFlow as IR
+import semmle.code.cpp.dataflow.DataFlow::DataFlow as AST
+
+newtype TNode =
+  TASTNode(AST::Node n) or
+  TIRNode(IR::Node n)
+
+class Node extends TNode {
+  string toString() { none() }
+
+  IR::Node asIR() { none() }
+
+  AST::Node asAST() { none() }
+
+  Location getLocation() { none() }
+}
+
+class ASTNode extends Node, TASTNode {
+  AST::Node n;
+
+  ASTNode() { this = TASTNode(n) }
+
+  override string toString() { result = n.asPartialDefinition().toString() }
+
+  override AST::Node asAST() { result = n }
+
+  override Location getLocation() { result = n.getLocation() }
+}
+
+class IRNode extends Node, TIRNode {
+  IR::Node n;
+
+  IRNode() { this = TIRNode(n) }
+
+  override string toString() { result = n.asPartialDefinition().toString() }
+
+  override IR::Node asIR() { result = n }
+
+  override Location getLocation() { result = n.getLocation() }
+}
+
+from Node node, AST::Node astNode, IR::Node irNode, string msg
+where
+  node.asIR() = irNode and
+  exists(irNode.asPartialDefinition()) and
+  not exists(AST::Node otherNode | otherNode.asPartialDefinition() = irNode.asPartialDefinition()) and
+  msg = "IR only"
+  or
+  node.asAST() = astNode and
+  exists(astNode.asPartialDefinition()) and
+  not exists(IR::Node otherNode | otherNode.asPartialDefinition() = astNode.asPartialDefinition()) and
+  msg = "AST only"
+select node, msg

cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected

@@ -0,0 +1,43 @@
+| A.cpp:25:7:25:10 | this |
+| A.cpp:27:22:27:25 | this |
+| A.cpp:100:5:100:6 | c1 |
+| A.cpp:142:7:142:7 | b |
+| A.cpp:143:7:143:10 | this |
+| A.cpp:184:7:184:10 | this |
+| B.cpp:35:7:35:10 | this |
+| B.cpp:36:7:36:10 | this |
+| B.cpp:46:7:46:10 | this |
+| C.cpp:24:5:24:8 | this |
+| aliasing.cpp:9:3:9:3 | s |
+| aliasing.cpp:13:3:13:3 | s |
+| aliasing.cpp:17:3:17:3 | s |
+| aliasing.cpp:37:3:37:6 | ref1 |
+| aliasing.cpp:42:3:42:4 | s2 |
+| aliasing.cpp:49:3:49:7 | copy1 |
+| aliasing.cpp:54:3:54:4 | s2 |
+| aliasing.cpp:60:3:60:4 | s2 |
+| aliasing.cpp:72:3:72:3 | s |
+| aliasing.cpp:79:3:79:3 | s |
+| aliasing.cpp:86:3:86:3 | s |
+| aliasing.cpp:92:5:92:5 | s |
+| by_reference.cpp:12:5:12:5 | s |
+| by_reference.cpp:16:5:16:8 | this |
+| by_reference.cpp:84:3:84:7 | inner |
+| by_reference.cpp:88:3:88:7 | inner |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| qualifiers.cpp:9:30:9:33 | this |
+| qualifiers.cpp:12:49:12:53 | inner |
+| qualifiers.cpp:13:51:13:55 | inner |
+| simple.cpp:65:5:65:5 | a |
+| simple.cpp:83:9:83:10 | f2 |

cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.ql

@@ -0,0 +1,8 @@
+/**
+ * @kind problem
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.DataFlow::DataFlow
+
+select any(Node n).asPartialDefinition()

cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected

@@ -0,0 +1,390 @@
+| A.cpp:25:7:25:10 | this |
+| A.cpp:25:13:25:13 | c |
+| A.cpp:27:22:27:25 | this |
+| A.cpp:27:28:27:28 | c |
+| A.cpp:31:20:31:20 | c |
+| A.cpp:40:5:40:6 | cc |
+| A.cpp:41:5:41:6 | ct |
+| A.cpp:42:10:42:12 | & ... |
+| A.cpp:43:10:43:12 | & ... |
+| A.cpp:48:20:48:20 | c |
+| A.cpp:49:10:49:10 | b |
+| A.cpp:49:13:49:13 | c |
+| A.cpp:55:5:55:5 | b |
+| A.cpp:56:10:56:10 | b |
+| A.cpp:56:13:56:15 | call to get |
+| A.cpp:57:28:57:30 | call to get |
+| A.cpp:64:17:64:18 | b1 |
+| A.cpp:65:10:65:11 | b1 |
+| A.cpp:65:14:65:14 | c |
+| A.cpp:66:10:66:11 | b2 |
+| A.cpp:66:14:66:14 | c |
+| A.cpp:73:21:73:22 | b1 |
+| A.cpp:74:10:74:11 | b1 |
+| A.cpp:74:14:74:14 | c |
+| A.cpp:75:10:75:11 | b2 |
+| A.cpp:75:14:75:14 | c |
+| A.cpp:81:17:81:18 | b1 |
+| A.cpp:81:21:81:21 | c |
+| A.cpp:90:7:90:8 | b2 |
+| A.cpp:90:15:90:15 | c |
+| A.cpp:100:5:100:6 | c1 |
+| A.cpp:100:9:100:9 | a |
+| A.cpp:101:8:101:9 | c1 |
+| A.cpp:107:12:107:13 | c1 |
+| A.cpp:107:16:107:16 | a |
+| A.cpp:120:12:120:13 | c1 |
+| A.cpp:120:16:120:16 | a |
+| A.cpp:126:5:126:5 | b |
+| A.cpp:131:8:131:8 | b |
+| A.cpp:132:10:132:10 | b |
+| A.cpp:132:13:132:13 | c |
+| A.cpp:142:7:142:7 | b |
+| A.cpp:142:10:142:10 | c |
+| A.cpp:143:7:143:10 | this |
+| A.cpp:143:13:143:13 | b |
+| A.cpp:151:18:151:18 | b |
+| A.cpp:152:10:152:10 | d |
+| A.cpp:152:13:152:13 | b |
+| A.cpp:153:10:153:10 | d |
+| A.cpp:153:13:153:13 | b |
+| A.cpp:153:16:153:16 | c |
+| A.cpp:154:10:154:10 | b |
+| A.cpp:154:13:154:13 | c |
+| A.cpp:160:29:160:29 | b |
+| A.cpp:161:38:161:39 | l1 |
+| A.cpp:162:38:162:39 | l2 |
+| A.cpp:163:10:163:11 | l3 |
+| A.cpp:163:14:163:17 | head |
+| A.cpp:164:10:164:11 | l3 |
+| A.cpp:164:14:164:17 | next |
+| A.cpp:164:20:164:23 | head |
+| A.cpp:165:10:165:11 | l3 |
+| A.cpp:165:14:165:17 | next |
+| A.cpp:165:20:165:23 | next |
+| A.cpp:165:26:165:29 | head |
+| A.cpp:166:10:166:11 | l3 |
+| A.cpp:166:14:166:17 | next |
+| A.cpp:166:20:166:23 | next |
+| A.cpp:166:26:166:29 | next |
+| A.cpp:166:32:166:35 | head |
+| A.cpp:169:12:169:12 | l |
+| A.cpp:169:15:169:18 | head |
+| A.cpp:183:7:183:10 | head |
+| A.cpp:184:7:184:10 | this |
+| A.cpp:184:13:184:16 | next |
+| B.cpp:7:25:7:25 | e |
+| B.cpp:8:25:8:26 | b1 |
+| B.cpp:9:10:9:11 | b2 |
+| B.cpp:9:14:9:17 | box1 |
+| B.cpp:9:20:9:24 | elem1 |
+| B.cpp:10:10:10:11 | b2 |
+| B.cpp:10:14:10:17 | box1 |
+| B.cpp:10:20:10:24 | elem2 |
+| B.cpp:16:37:16:37 | e |
+| B.cpp:17:25:17:26 | b1 |
+| B.cpp:18:10:18:11 | b2 |
+| B.cpp:18:14:18:17 | box1 |
+| B.cpp:18:20:18:24 | elem1 |
+| B.cpp:19:10:19:11 | b2 |
+| B.cpp:19:14:19:17 | box1 |
+| B.cpp:19:20:19:24 | elem2 |
+| B.cpp:35:7:35:10 | this |
+| B.cpp:35:13:35:17 | elem1 |
+| B.cpp:36:7:36:10 | this |
+| B.cpp:36:13:36:17 | elem2 |
+| B.cpp:46:7:46:10 | this |
+| B.cpp:46:13:46:16 | box1 |
+| C.cpp:19:5:19:5 | c |
+| C.cpp:24:5:24:8 | this |
+| C.cpp:24:11:24:12 | s3 |
+| D.cpp:9:21:9:24 | elem |
+| D.cpp:11:29:11:32 | elem |
+| D.cpp:16:21:16:23 | box |
+| D.cpp:18:29:18:31 | box |
+| D.cpp:22:10:22:11 | b2 |
+| D.cpp:22:14:22:20 | call to getBox1 |
+| D.cpp:22:25:22:31 | call to getElem |
+| D.cpp:30:5:30:5 | b |
+| D.cpp:30:8:30:10 | box |
+| D.cpp:30:13:30:16 | elem |
+| D.cpp:31:14:31:14 | b |
+| D.cpp:37:5:37:5 | b |
+| D.cpp:37:8:37:10 | box |
+| D.cpp:37:21:37:21 | e |
+| D.cpp:38:14:38:14 | b |
+| D.cpp:44:5:44:5 | b |
+| D.cpp:44:8:44:14 | call to getBox1 |
+| D.cpp:44:19:44:22 | elem |
+| D.cpp:45:14:45:14 | b |
+| D.cpp:51:5:51:5 | b |
+| D.cpp:51:8:51:14 | call to getBox1 |
+| D.cpp:51:27:51:27 | e |
+| D.cpp:52:14:52:14 | b |
+| D.cpp:57:5:57:12 | boxfield |
+| D.cpp:58:5:58:12 | boxfield |
+| D.cpp:58:15:58:17 | box |
+| D.cpp:58:20:58:23 | elem |
+| D.cpp:64:10:64:17 | boxfield |
+| D.cpp:64:20:64:22 | box |
+| D.cpp:64:25:64:28 | elem |
+| E.cpp:21:10:21:10 | p |
+| E.cpp:21:13:21:16 | data |
+| E.cpp:21:18:21:23 | buffer |
+| E.cpp:28:21:28:23 | raw |
+| E.cpp:29:21:29:21 | b |
+| E.cpp:29:24:29:29 | buffer |
+| E.cpp:30:21:30:21 | p |
+| E.cpp:30:23:30:26 | data |
+| E.cpp:30:28:30:33 | buffer |
+| E.cpp:31:10:31:12 | raw |
+| E.cpp:32:10:32:10 | b |
+| E.cpp:32:13:32:18 | buffer |
+| E.cpp:33:18:33:19 | & ... |
+| aliasing.cpp:9:3:9:3 | s |
+| aliasing.cpp:9:6:9:7 | m1 |
+| aliasing.cpp:13:3:13:3 | s |
+| aliasing.cpp:13:5:13:6 | m1 |
+| aliasing.cpp:17:3:17:3 | s |
+| aliasing.cpp:17:5:17:6 | m1 |
+| aliasing.cpp:25:17:25:19 | & ... |
+| aliasing.cpp:26:19:26:20 | s2 |
+| aliasing.cpp:37:3:37:6 | ref1 |
+| aliasing.cpp:37:8:37:9 | m1 |
+| aliasing.cpp:42:3:42:4 | s2 |
+| aliasing.cpp:42:6:42:7 | m1 |
+| aliasing.cpp:49:3:49:7 | copy1 |
+| aliasing.cpp:49:9:49:10 | m1 |
+| aliasing.cpp:54:3:54:4 | s2 |
+| aliasing.cpp:54:6:54:7 | m1 |
+| aliasing.cpp:60:3:60:4 | s2 |
+| aliasing.cpp:60:6:60:7 | m1 |
+| aliasing.cpp:72:3:72:3 | s |
+| aliasing.cpp:72:5:72:6 | m1 |
+| aliasing.cpp:79:3:79:3 | s |
+| aliasing.cpp:79:6:79:7 | m1 |
+| aliasing.cpp:86:3:86:3 | s |
+| aliasing.cpp:86:5:86:6 | m1 |
+| aliasing.cpp:92:3:92:3 | w |
+| aliasing.cpp:92:5:92:5 | s |
+| aliasing.cpp:92:7:92:8 | m1 |
+| by_reference.cpp:12:5:12:5 | s |
+| by_reference.cpp:12:8:12:8 | a |
+| by_reference.cpp:16:5:16:8 | this |
+| by_reference.cpp:16:11:16:11 | a |
+| by_reference.cpp:20:5:20:8 | this |
+| by_reference.cpp:20:23:20:27 | value |
+| by_reference.cpp:24:19:24:22 | this |
+| by_reference.cpp:24:25:24:29 | value |
+| by_reference.cpp:50:3:50:3 | s |
+| by_reference.cpp:50:17:50:26 | call to user_input |
+| by_reference.cpp:51:10:51:20 | call to getDirectly |
+| by_reference.cpp:56:3:56:3 | s |
+| by_reference.cpp:56:19:56:28 | call to user_input |
+| by_reference.cpp:57:10:57:22 | call to getIndirectly |
+| by_reference.cpp:62:3:62:3 | s |
+| by_reference.cpp:62:25:62:34 | call to user_input |
+| by_reference.cpp:63:10:63:28 | call to getThroughNonMember |
+| by_reference.cpp:68:17:68:18 | & ... |
+| by_reference.cpp:68:21:68:30 | call to user_input |
+| by_reference.cpp:69:8:69:20 | call to nonMemberGetA |
+| by_reference.cpp:84:3:84:7 | inner |
+| by_reference.cpp:84:10:84:10 | a |
+| by_reference.cpp:88:3:88:7 | inner |
+| by_reference.cpp:88:9:88:9 | a |
+| by_reference.cpp:102:21:102:39 | & ... |
+| by_reference.cpp:102:22:102:26 | outer |
+| by_reference.cpp:103:21:103:25 | outer |
+| by_reference.cpp:103:27:103:35 | inner_ptr |
+| by_reference.cpp:104:15:104:22 | & ... |
+| by_reference.cpp:104:16:104:20 | outer |
+| by_reference.cpp:106:21:106:41 | & ... |
+| by_reference.cpp:106:22:106:27 | pouter |
+| by_reference.cpp:107:21:107:26 | pouter |
+| by_reference.cpp:107:29:107:37 | inner_ptr |
+| by_reference.cpp:108:15:108:24 | & ... |
+| by_reference.cpp:108:16:108:21 | pouter |
+| by_reference.cpp:110:8:110:12 | outer |
+| by_reference.cpp:110:14:110:25 | inner_nested |
+| by_reference.cpp:110:27:110:27 | a |
+| by_reference.cpp:111:8:111:12 | outer |
+| by_reference.cpp:111:14:111:22 | inner_ptr |
+| by_reference.cpp:111:25:111:25 | a |
+| by_reference.cpp:112:8:112:12 | outer |
+| by_reference.cpp:112:14:112:14 | a |
+| by_reference.cpp:114:8:114:13 | pouter |
+| by_reference.cpp:114:16:114:27 | inner_nested |
+| by_reference.cpp:114:29:114:29 | a |
+| by_reference.cpp:115:8:115:13 | pouter |
+| by_reference.cpp:115:16:115:24 | inner_ptr |
+| by_reference.cpp:115:27:115:27 | a |
+| by_reference.cpp:116:8:116:13 | pouter |
+| by_reference.cpp:116:16:116:16 | a |
+| by_reference.cpp:122:21:122:25 | outer |
+| by_reference.cpp:122:27:122:38 | inner_nested |
+| by_reference.cpp:123:21:123:36 | * ... |
+| by_reference.cpp:123:22:123:26 | outer |
+| by_reference.cpp:124:15:124:19 | outer |
+| by_reference.cpp:124:21:124:21 | a |
+| by_reference.cpp:126:21:126:26 | pouter |
+| by_reference.cpp:126:29:126:40 | inner_nested |
+| by_reference.cpp:127:21:127:38 | * ... |
+| by_reference.cpp:127:22:127:27 | pouter |
+| by_reference.cpp:128:15:128:20 | pouter |
+| by_reference.cpp:128:23:128:23 | a |
+| by_reference.cpp:130:8:130:12 | outer |
+| by_reference.cpp:130:14:130:25 | inner_nested |
+| by_reference.cpp:130:27:130:27 | a |
+| by_reference.cpp:131:8:131:12 | outer |
+| by_reference.cpp:131:14:131:22 | inner_ptr |
+| by_reference.cpp:131:25:131:25 | a |
+| by_reference.cpp:132:8:132:12 | outer |
+| by_reference.cpp:132:14:132:14 | a |
+| by_reference.cpp:134:8:134:13 | pouter |
+| by_reference.cpp:134:16:134:27 | inner_nested |
+| by_reference.cpp:134:29:134:29 | a |
+| by_reference.cpp:135:8:135:13 | pouter |
+| by_reference.cpp:135:16:135:24 | inner_ptr |
+| by_reference.cpp:135:27:135:27 | a |
+| by_reference.cpp:136:8:136:13 | pouter |
+| by_reference.cpp:136:16:136:16 | a |
+| complex.cpp:11:22:11:23 | a_ |
+| complex.cpp:12:22:12:23 | b_ |
+| complex.cpp:51:8:51:8 | b |
+| complex.cpp:51:10:51:14 | inner |
+| complex.cpp:51:16:51:16 | f |
+| complex.cpp:52:8:52:8 | b |
+| complex.cpp:52:10:52:14 | inner |
+| complex.cpp:52:16:52:16 | f |
+| complex.cpp:62:3:62:4 | b1 |
+| complex.cpp:62:6:62:10 | inner |
+| complex.cpp:62:12:62:12 | f |
+| complex.cpp:63:3:63:4 | b2 |
+| complex.cpp:63:6:63:10 | inner |
+| complex.cpp:63:12:63:12 | f |
+| complex.cpp:64:3:64:4 | b3 |
+| complex.cpp:64:6:64:10 | inner |
+| complex.cpp:64:12:64:12 | f |
+| complex.cpp:65:3:65:4 | b3 |
+| complex.cpp:65:6:65:10 | inner |
+| complex.cpp:65:12:65:12 | f |
+| complex.cpp:68:7:68:8 | b1 |
+| complex.cpp:71:7:71:8 | b2 |
+| complex.cpp:74:7:74:8 | b3 |
+| complex.cpp:77:7:77:8 | b4 |
+| constructors.cpp:20:24:20:25 | a_ |
+| constructors.cpp:21:24:21:25 | b_ |
+| constructors.cpp:28:10:28:10 | f |
+| constructors.cpp:29:10:29:10 | f |
+| constructors.cpp:40:9:40:9 | f |
+| constructors.cpp:43:9:43:9 | g |
+| constructors.cpp:46:9:46:9 | h |
+| constructors.cpp:49:9:49:9 | i |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| file://:0:0:0:0 | this |
+| qualifiers.cpp:9:30:9:33 | this |
+| qualifiers.cpp:9:36:9:36 | a |
+| qualifiers.cpp:12:49:12:53 | inner |
+| qualifiers.cpp:12:56:12:56 | a |
+| qualifiers.cpp:13:51:13:55 | inner |
+| qualifiers.cpp:13:57:13:57 | a |
+| qualifiers.cpp:22:5:22:9 | outer |
+| qualifiers.cpp:22:11:22:18 | call to getInner |
+| qualifiers.cpp:22:23:22:23 | a |
+| qualifiers.cpp:23:10:23:14 | outer |
+| qualifiers.cpp:23:16:23:20 | inner |
+| qualifiers.cpp:23:23:23:23 | a |
+| qualifiers.cpp:27:5:27:9 | outer |
+| qualifiers.cpp:27:11:27:18 | call to getInner |
+| qualifiers.cpp:27:28:27:37 | call to user_input |
+| qualifiers.cpp:28:10:28:14 | outer |
+| qualifiers.cpp:28:16:28:20 | inner |
+| qualifiers.cpp:28:23:28:23 | a |
+| qualifiers.cpp:32:17:32:21 | outer |
+| qualifiers.cpp:32:23:32:30 | call to getInner |
+| qualifiers.cpp:32:35:32:44 | call to user_input |
+| qualifiers.cpp:33:10:33:14 | outer |
+| qualifiers.cpp:33:16:33:20 | inner |
+| qualifiers.cpp:33:23:33:23 | a |
+| qualifiers.cpp:37:19:37:35 | * ... |
+| qualifiers.cpp:37:20:37:24 | outer |
+| qualifiers.cpp:37:38:37:47 | call to user_input |
+| qualifiers.cpp:38:10:38:14 | outer |
+| qualifiers.cpp:38:16:38:20 | inner |
+| qualifiers.cpp:38:23:38:23 | a |
+| qualifiers.cpp:42:6:42:22 | * ... |
+| qualifiers.cpp:42:7:42:11 | outer |
+| qualifiers.cpp:42:25:42:25 | a |
+| qualifiers.cpp:43:10:43:14 | outer |
+| qualifiers.cpp:43:16:43:20 | inner |
+| qualifiers.cpp:43:23:43:23 | a |
+| qualifiers.cpp:47:6:47:11 | & ... |
+| qualifiers.cpp:47:15:47:22 | call to getInner |
+| qualifiers.cpp:47:27:47:27 | a |
+| qualifiers.cpp:48:10:48:14 | outer |
+| qualifiers.cpp:48:16:48:20 | inner |
+| qualifiers.cpp:48:23:48:23 | a |
+| simple.cpp:20:24:20:25 | a_ |
+| simple.cpp:21:24:21:25 | b_ |
+| simple.cpp:28:10:28:10 | f |
+| simple.cpp:29:10:29:10 | f |
+| simple.cpp:39:5:39:5 | f |
+| simple.cpp:40:5:40:5 | g |
+| simple.cpp:41:5:41:5 | h |
+| simple.cpp:42:5:42:5 | h |
+| simple.cpp:45:9:45:9 | f |
+| simple.cpp:48:9:48:9 | g |
+| simple.cpp:51:9:51:9 | h |
+| simple.cpp:54:9:54:9 | i |
+| simple.cpp:65:5:65:5 | a |
+| simple.cpp:65:7:65:7 | i |
+| simple.cpp:83:9:83:10 | f2 |
+| simple.cpp:83:12:83:13 | f1 |
+| struct_init.c:15:8:15:9 | ab |
+| struct_init.c:15:12:15:12 | a |
+| struct_init.c:16:8:16:9 | ab |
+| struct_init.c:16:12:16:12 | b |
+| struct_init.c:22:8:22:9 | ab |
+| struct_init.c:22:11:22:11 | a |
+| struct_init.c:23:8:23:9 | ab |
+| struct_init.c:23:11:23:11 | b |
+| struct_init.c:24:10:24:12 | & ... |
+| struct_init.c:31:8:31:12 | outer |
+| struct_init.c:31:14:31:21 | nestedAB |
+| struct_init.c:31:23:31:23 | a |
+| struct_init.c:32:8:32:12 | outer |
+| struct_init.c:32:14:32:21 | nestedAB |
+| struct_init.c:32:23:32:23 | b |
+| struct_init.c:33:8:33:12 | outer |
+| struct_init.c:33:14:33:22 | pointerAB |
+| struct_init.c:33:25:33:25 | a |
+| struct_init.c:34:8:34:12 | outer |
+| struct_init.c:34:14:34:22 | pointerAB |
+| struct_init.c:34:25:34:25 | b |
+| struct_init.c:36:10:36:24 | & ... |
+| struct_init.c:36:11:36:15 | outer |
+| struct_init.c:46:10:46:14 | outer |
+| struct_init.c:46:16:46:24 | pointerAB |

cpp/ql/test/library-tests/dataflow/fields/partial-definition.ql

@@ -0,0 +1,8 @@
+/**
+ * @kind problem
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.DataFlow::DataFlow
+
+select any(Node n).asPartialDefinition()

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected

@@ -1009,29 +1009,35 @@ ssa.cpp:
 
 #  235| void Constructible::Constructible(int)
 #  235|   Block 0
-#  235|     v235_1(void)                 = EnterFunction          : 
-#  235|     m235_2(unknown)              = AliasedDefinition      : 
-#  235|     m235_3(unknown)              = InitializeNonLocal     : 
-#  235|     m235_4(unknown)              = Chi                    : total:m235_2, partial:m235_3
-#  235|     r235_5(glval<Constructible>) = InitializeThis         : 
-#  235|     r235_6(glval<int>)           = VariableAddress[x]     : 
-#  235|     m235_7(int)                  = InitializeParameter[x] : &:r235_6
-#  235|     v235_8(void)                 = NoOp                   : 
-#  235|     v235_9(void)                 = ReturnVoid             : 
-#  235|     v235_10(void)                = AliasedUse             : m235_3
-#  235|     v235_11(void)                = ExitFunction           : 
+#  235|     v235_1(void)                 = EnterFunction                : 
+#  235|     m235_2(unknown)              = AliasedDefinition            : 
+#  235|     m235_3(unknown)              = InitializeNonLocal           : 
+#  235|     m235_4(unknown)              = Chi                          : total:m235_2, partial:m235_3
+#  235|     r235_5(glval<unknown>)       = VariableAddress[#this]       : 
+#  235|     m235_6(glval<Constructible>) = InitializeParameter[#this]   : &:r235_5
+#  235|     r235_7(glval<Constructible>) = Load                         : &:r235_5, m235_6
+#  235|     m235_8(Constructible)        = InitializeIndirection[#this] : &:r235_7
+#  235|     r235_9(glval<int>)           = VariableAddress[x]           : 
+#  235|     m235_10(int)                 = InitializeParameter[x]       : &:r235_9
+#  235|     v235_11(void)                = NoOp                         : 
+#  235|     v235_12(void)                = ReturnVoid                   : 
+#  235|     v235_13(void)                = AliasedUse                   : m235_3
+#  235|     v235_14(void)                = ExitFunction                 : 
 
 #  236| void Constructible::g()
 #  236|   Block 0
-#  236|     v236_1(void)                 = EnterFunction      : 
-#  236|     m236_2(unknown)              = AliasedDefinition  : 
-#  236|     m236_3(unknown)              = InitializeNonLocal : 
-#  236|     m236_4(unknown)              = Chi                : total:m236_2, partial:m236_3
-#  236|     r236_5(glval<Constructible>) = InitializeThis     : 
-#  236|     v236_6(void)                 = NoOp               : 
-#  236|     v236_7(void)                 = ReturnVoid         : 
-#  236|     v236_8(void)                 = AliasedUse         : m236_3
-#  236|     v236_9(void)                 = ExitFunction       : 
+#  236|     v236_1(void)                 = EnterFunction                : 
+#  236|     m236_2(unknown)              = AliasedDefinition            : 
+#  236|     m236_3(unknown)              = InitializeNonLocal           : 
+#  236|     m236_4(unknown)              = Chi                          : total:m236_2, partial:m236_3
+#  236|     r236_5(glval<unknown>)       = VariableAddress[#this]       : 
+#  236|     m236_6(glval<Constructible>) = InitializeParameter[#this]   : &:r236_5
+#  236|     r236_7(glval<Constructible>) = Load                         : &:r236_5, m236_6
+#  236|     m236_8(Constructible)        = InitializeIndirection[#this] : &:r236_7
+#  236|     v236_9(void)                 = NoOp                         : 
+#  236|     v236_10(void)                = ReturnVoid                   : 
+#  236|     v236_11(void)                = AliasedUse                   : m236_3
+#  236|     v236_12(void)                = ExitFunction                 : 
 
 #  239| void ExplicitConstructorCalls()
 #  239|   Block 0
@@ -1290,46 +1296,55 @@ ssa.cpp:
 
 #  286| void A::A(int)
 #  286|   Block 0
-#  286|     v286_1(void)       = EnterFunction          : 
-#  286|     m286_2(unknown)    = AliasedDefinition      : 
-#  286|     m286_3(unknown)    = InitializeNonLocal     : 
-#  286|     m286_4(unknown)    = Chi                    : total:m286_2, partial:m286_3
-#  286|     r286_5(glval<A>)   = InitializeThis         : 
-#  286|     r286_6(glval<int>) = VariableAddress[x]     : 
-#  286|     m286_7(int)        = InitializeParameter[x] : &:r286_6
-#  286|     v286_8(void)       = NoOp                   : 
-#  286|     v286_9(void)       = ReturnVoid             : 
-#  286|     v286_10(void)      = AliasedUse             : m286_3
-#  286|     v286_11(void)      = ExitFunction           : 
+#  286|     v286_1(void)           = EnterFunction                : 
+#  286|     m286_2(unknown)        = AliasedDefinition            : 
+#  286|     m286_3(unknown)        = InitializeNonLocal           : 
+#  286|     m286_4(unknown)        = Chi                          : total:m286_2, partial:m286_3
+#  286|     r286_5(glval<unknown>) = VariableAddress[#this]       : 
+#  286|     m286_6(glval<A>)       = InitializeParameter[#this]   : &:r286_5
+#  286|     r286_7(glval<A>)       = Load                         : &:r286_5, m286_6
+#  286|     m286_8(A)              = InitializeIndirection[#this] : &:r286_7
+#  286|     r286_9(glval<int>)     = VariableAddress[x]           : 
+#  286|     m286_10(int)           = InitializeParameter[x]       : &:r286_9
+#  286|     v286_11(void)          = NoOp                         : 
+#  286|     v286_12(void)          = ReturnVoid                   : 
+#  286|     v286_13(void)          = AliasedUse                   : m286_3
+#  286|     v286_14(void)          = ExitFunction                 : 
 
 #  287| void A::A(A*)
 #  287|   Block 0
-#  287|     v287_1(void)       = EnterFunction              : 
-#  287|     m287_2(unknown)    = AliasedDefinition          : 
-#  287|     m287_3(unknown)    = InitializeNonLocal         : 
-#  287|     m287_4(unknown)    = Chi                        : total:m287_2, partial:m287_3
-#  287|     r287_5(glval<A>)   = InitializeThis             : 
-#  287|     r287_6(glval<A *>) = VariableAddress[p#0]       : 
-#  287|     m287_7(A *)        = InitializeParameter[p#0]   : &:r287_6
-#  287|     r287_8(A *)        = Load                       : &:r287_6, m287_7
-#  287|     m287_9(unknown)    = InitializeIndirection[p#0] : &:r287_8
-#  287|     v287_10(void)      = NoOp                       : 
-#  287|     v287_11(void)      = ReturnIndirection[p#0]     : &:r287_8, m287_9
-#  287|     v287_12(void)      = ReturnVoid                 : 
-#  287|     v287_13(void)      = AliasedUse                 : m287_3
-#  287|     v287_14(void)      = ExitFunction               : 
+#  287|     v287_1(void)           = EnterFunction                : 
+#  287|     m287_2(unknown)        = AliasedDefinition            : 
+#  287|     m287_3(unknown)        = InitializeNonLocal           : 
+#  287|     m287_4(unknown)        = Chi                          : total:m287_2, partial:m287_3
+#  287|     r287_5(glval<unknown>) = VariableAddress[#this]       : 
+#  287|     m287_6(glval<A>)       = InitializeParameter[#this]   : &:r287_5
+#  287|     r287_7(glval<A>)       = Load                         : &:r287_5, m287_6
+#  287|     m287_8(A)              = InitializeIndirection[#this] : &:r287_7
+#  287|     r287_9(glval<A *>)     = VariableAddress[p#0]         : 
+#  287|     m287_10(A *)           = InitializeParameter[p#0]     : &:r287_9
+#  287|     r287_11(A *)           = Load                         : &:r287_9, m287_10
+#  287|     m287_12(unknown)       = InitializeIndirection[p#0]   : &:r287_11
+#  287|     v287_13(void)          = NoOp                         : 
+#  287|     v287_14(void)          = ReturnIndirection[p#0]       : &:r287_11, m287_12
+#  287|     v287_15(void)          = ReturnVoid                   : 
+#  287|     v287_16(void)          = AliasedUse                   : m287_3
+#  287|     v287_17(void)          = ExitFunction                 : 
 
 #  288| void A::A()
 #  288|   Block 0
-#  288|     v288_1(void)     = EnterFunction      : 
-#  288|     m288_2(unknown)  = AliasedDefinition  : 
-#  288|     m288_3(unknown)  = InitializeNonLocal : 
-#  288|     m288_4(unknown)  = Chi                : total:m288_2, partial:m288_3
-#  288|     r288_5(glval<A>) = InitializeThis     : 
-#  288|     v288_6(void)     = NoOp               : 
-#  288|     v288_7(void)     = ReturnVoid         : 
-#  288|     v288_8(void)     = AliasedUse         : m288_3
-#  288|     v288_9(void)     = ExitFunction       : 
+#  288|     v288_1(void)           = EnterFunction                : 
+#  288|     m288_2(unknown)        = AliasedDefinition            : 
+#  288|     m288_3(unknown)        = InitializeNonLocal           : 
+#  288|     m288_4(unknown)        = Chi                          : total:m288_2, partial:m288_3
+#  288|     r288_5(glval<unknown>) = VariableAddress[#this]       : 
+#  288|     m288_6(glval<A>)       = InitializeParameter[#this]   : &:r288_5
+#  288|     r288_7(glval<A>)       = Load                         : &:r288_5, m288_6
+#  288|     m288_8(A)              = InitializeIndirection[#this] : &:r288_7
+#  288|     v288_9(void)           = NoOp                         : 
+#  288|     v288_10(void)          = ReturnVoid                   : 
+#  288|     v288_11(void)          = AliasedUse                   : m288_3
+#  288|     v288_12(void)          = ExitFunction                 : 
 
 #  291| Point* NewAliasing(int)
 #  291|   Block 0
@@ -1463,3 +1478,27 @@ ssa.cpp:
 #  301|     v301_14(void)          = ReturnValue                      : &:r301_13, m304_7
 #  301|     v301_15(void)          = AliasedUse                       : ~m303_11
 #  301|     v301_16(void)          = ExitFunction                     : 
+
+#  310| void ThisAliasTest::setX(int)
+#  310|   Block 0
+#  310|     v310_1(void)                 = EnterFunction                : 
+#  310|     m310_2(unknown)              = AliasedDefinition            : 
+#  310|     m310_3(unknown)              = InitializeNonLocal           : 
+#  310|     m310_4(unknown)              = Chi                          : total:m310_2, partial:m310_3
+#  310|     r310_5(glval<unknown>)       = VariableAddress[#this]       : 
+#  310|     m310_6(glval<ThisAliasTest>) = InitializeParameter[#this]   : &:r310_5
+#  310|     r310_7(glval<ThisAliasTest>) = Load                         : &:r310_5, m310_6
+#  310|     m310_8(ThisAliasTest)        = InitializeIndirection[#this] : &:r310_7
+#  310|     r310_9(glval<int>)           = VariableAddress[arg]         : 
+#  310|     m310_10(int)                 = InitializeParameter[arg]     : &:r310_9
+#  311|     r311_1(glval<int>)           = VariableAddress[arg]         : 
+#  311|     r311_2(int)                  = Load                         : &:r311_1, m310_10
+#  311|     r311_3(glval<unknown>)       = VariableAddress[#this]       : 
+#  311|     r311_4(ThisAliasTest *)      = Load                         : &:r311_3, m310_6
+#  311|     r311_5(glval<int>)           = FieldAddress[x]              : r311_4
+#  311|     m311_6(int)                  = Store                        : &:r311_5, r311_2
+#  311|     m311_7(unknown)              = Chi                          : total:m310_8, partial:m311_6
+#  312|     v312_1(void)                 = NoOp                         : 
+#  310|     v310_11(void)                = ReturnVoid                   : 
+#  310|     v310_12(void)                = AliasedUse                   : m310_3
+#  310|     v310_13(void)                = ExitFunction                 : 

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected

@@ -1002,29 +1002,35 @@ ssa.cpp:
 
 #  235| void Constructible::Constructible(int)
 #  235|   Block 0
-#  235|     v235_1(void)                 = EnterFunction          : 
-#  235|     m235_2(unknown)              = AliasedDefinition      : 
-#  235|     m235_3(unknown)              = InitializeNonLocal     : 
-#  235|     m235_4(unknown)              = Chi                    : total:m235_2, partial:m235_3
-#  235|     r235_5(glval<Constructible>) = InitializeThis         : 
-#  235|     r235_6(glval<int>)           = VariableAddress[x]     : 
-#  235|     m235_7(int)                  = InitializeParameter[x] : &:r235_6
-#  235|     v235_8(void)                 = NoOp                   : 
-#  235|     v235_9(void)                 = ReturnVoid             : 
-#  235|     v235_10(void)                = AliasedUse             : m235_3
-#  235|     v235_11(void)                = ExitFunction           : 
+#  235|     v235_1(void)                 = EnterFunction                : 
+#  235|     m235_2(unknown)              = AliasedDefinition            : 
+#  235|     m235_3(unknown)              = InitializeNonLocal           : 
+#  235|     m235_4(unknown)              = Chi                          : total:m235_2, partial:m235_3
+#  235|     r235_5(glval<unknown>)       = VariableAddress[#this]       : 
+#  235|     m235_6(glval<Constructible>) = InitializeParameter[#this]   : &:r235_5
+#  235|     r235_7(glval<Constructible>) = Load                         : &:r235_5, m235_6
+#  235|     m235_8(Constructible)        = InitializeIndirection[#this] : &:r235_7
+#  235|     r235_9(glval<int>)           = VariableAddress[x]           : 
+#  235|     m235_10(int)                 = InitializeParameter[x]       : &:r235_9
+#  235|     v235_11(void)                = NoOp                         : 
+#  235|     v235_12(void)                = ReturnVoid                   : 
+#  235|     v235_13(void)                = AliasedUse                   : m235_3
+#  235|     v235_14(void)                = ExitFunction                 : 
 
 #  236| void Constructible::g()
 #  236|   Block 0
-#  236|     v236_1(void)                 = EnterFunction      : 
-#  236|     m236_2(unknown)              = AliasedDefinition  : 
-#  236|     m236_3(unknown)              = InitializeNonLocal : 
-#  236|     m236_4(unknown)              = Chi                : total:m236_2, partial:m236_3
-#  236|     r236_5(glval<Constructible>) = InitializeThis     : 
-#  236|     v236_6(void)                 = NoOp               : 
-#  236|     v236_7(void)                 = ReturnVoid         : 
-#  236|     v236_8(void)                 = AliasedUse         : m236_3
-#  236|     v236_9(void)                 = ExitFunction       : 
+#  236|     v236_1(void)                 = EnterFunction                : 
+#  236|     m236_2(unknown)              = AliasedDefinition            : 
+#  236|     m236_3(unknown)              = InitializeNonLocal           : 
+#  236|     m236_4(unknown)              = Chi                          : total:m236_2, partial:m236_3
+#  236|     r236_5(glval<unknown>)       = VariableAddress[#this]       : 
+#  236|     m236_6(glval<Constructible>) = InitializeParameter[#this]   : &:r236_5
+#  236|     r236_7(glval<Constructible>) = Load                         : &:r236_5, m236_6
+#  236|     m236_8(Constructible)        = InitializeIndirection[#this] : &:r236_7
+#  236|     v236_9(void)                 = NoOp                         : 
+#  236|     v236_10(void)                = ReturnVoid                   : 
+#  236|     v236_11(void)                = AliasedUse                   : m236_3
+#  236|     v236_12(void)                = ExitFunction                 : 
 
 #  239| void ExplicitConstructorCalls()
 #  239|   Block 0
@@ -1278,46 +1284,55 @@ ssa.cpp:
 
 #  286| void A::A(int)
 #  286|   Block 0
-#  286|     v286_1(void)       = EnterFunction          : 
-#  286|     m286_2(unknown)    = AliasedDefinition      : 
-#  286|     m286_3(unknown)    = InitializeNonLocal     : 
-#  286|     m286_4(unknown)    = Chi                    : total:m286_2, partial:m286_3
-#  286|     r286_5(glval<A>)   = InitializeThis         : 
-#  286|     r286_6(glval<int>) = VariableAddress[x]     : 
-#  286|     m286_7(int)        = InitializeParameter[x] : &:r286_6
-#  286|     v286_8(void)       = NoOp                   : 
-#  286|     v286_9(void)       = ReturnVoid             : 
-#  286|     v286_10(void)      = AliasedUse             : m286_3
-#  286|     v286_11(void)      = ExitFunction           : 
+#  286|     v286_1(void)           = EnterFunction                : 
+#  286|     m286_2(unknown)        = AliasedDefinition            : 
+#  286|     m286_3(unknown)        = InitializeNonLocal           : 
+#  286|     m286_4(unknown)        = Chi                          : total:m286_2, partial:m286_3
+#  286|     r286_5(glval<unknown>) = VariableAddress[#this]       : 
+#  286|     m286_6(glval<A>)       = InitializeParameter[#this]   : &:r286_5
+#  286|     r286_7(glval<A>)       = Load                         : &:r286_5, m286_6
+#  286|     m286_8(A)              = InitializeIndirection[#this] : &:r286_7
+#  286|     r286_9(glval<int>)     = VariableAddress[x]           : 
+#  286|     m286_10(int)           = InitializeParameter[x]       : &:r286_9
+#  286|     v286_11(void)          = NoOp                         : 
+#  286|     v286_12(void)          = ReturnVoid                   : 
+#  286|     v286_13(void)          = AliasedUse                   : m286_3
+#  286|     v286_14(void)          = ExitFunction                 : 
 
 #  287| void A::A(A*)
 #  287|   Block 0
-#  287|     v287_1(void)       = EnterFunction              : 
-#  287|     m287_2(unknown)    = AliasedDefinition          : 
-#  287|     m287_3(unknown)    = InitializeNonLocal         : 
-#  287|     m287_4(unknown)    = Chi                        : total:m287_2, partial:m287_3
-#  287|     r287_5(glval<A>)   = InitializeThis             : 
-#  287|     r287_6(glval<A *>) = VariableAddress[p#0]       : 
-#  287|     m287_7(A *)        = InitializeParameter[p#0]   : &:r287_6
-#  287|     r287_8(A *)        = Load                       : &:r287_6, m287_7
-#  287|     m287_9(unknown)    = InitializeIndirection[p#0] : &:r287_8
-#  287|     v287_10(void)      = NoOp                       : 
-#  287|     v287_11(void)      = ReturnIndirection[p#0]     : &:r287_8, m287_9
-#  287|     v287_12(void)      = ReturnVoid                 : 
-#  287|     v287_13(void)      = AliasedUse                 : m287_3
-#  287|     v287_14(void)      = ExitFunction               : 
+#  287|     v287_1(void)           = EnterFunction                : 
+#  287|     m287_2(unknown)        = AliasedDefinition            : 
+#  287|     m287_3(unknown)        = InitializeNonLocal           : 
+#  287|     m287_4(unknown)        = Chi                          : total:m287_2, partial:m287_3
+#  287|     r287_5(glval<unknown>) = VariableAddress[#this]       : 
+#  287|     m287_6(glval<A>)       = InitializeParameter[#this]   : &:r287_5
+#  287|     r287_7(glval<A>)       = Load                         : &:r287_5, m287_6
+#  287|     m287_8(A)              = InitializeIndirection[#this] : &:r287_7
+#  287|     r287_9(glval<A *>)     = VariableAddress[p#0]         : 
+#  287|     m287_10(A *)           = InitializeParameter[p#0]     : &:r287_9
+#  287|     r287_11(A *)           = Load                         : &:r287_9, m287_10
+#  287|     m287_12(unknown)       = InitializeIndirection[p#0]   : &:r287_11
+#  287|     v287_13(void)          = NoOp                         : 
+#  287|     v287_14(void)          = ReturnIndirection[p#0]       : &:r287_11, m287_12
+#  287|     v287_15(void)          = ReturnVoid                   : 
+#  287|     v287_16(void)          = AliasedUse                   : m287_3
+#  287|     v287_17(void)          = ExitFunction                 : 
 
 #  288| void A::A()
 #  288|   Block 0
-#  288|     v288_1(void)     = EnterFunction      : 
-#  288|     m288_2(unknown)  = AliasedDefinition  : 
-#  288|     m288_3(unknown)  = InitializeNonLocal : 
-#  288|     m288_4(unknown)  = Chi                : total:m288_2, partial:m288_3
-#  288|     r288_5(glval<A>) = InitializeThis     : 
-#  288|     v288_6(void)     = NoOp               : 
-#  288|     v288_7(void)     = ReturnVoid         : 
-#  288|     v288_8(void)     = AliasedUse         : m288_3
-#  288|     v288_9(void)     = ExitFunction       : 
+#  288|     v288_1(void)           = EnterFunction                : 
+#  288|     m288_2(unknown)        = AliasedDefinition            : 
+#  288|     m288_3(unknown)        = InitializeNonLocal           : 
+#  288|     m288_4(unknown)        = Chi                          : total:m288_2, partial:m288_3
+#  288|     r288_5(glval<unknown>) = VariableAddress[#this]       : 
+#  288|     m288_6(glval<A>)       = InitializeParameter[#this]   : &:r288_5
+#  288|     r288_7(glval<A>)       = Load                         : &:r288_5, m288_6
+#  288|     m288_8(A)              = InitializeIndirection[#this] : &:r288_7
+#  288|     v288_9(void)           = NoOp                         : 
+#  288|     v288_10(void)          = ReturnVoid                   : 
+#  288|     v288_11(void)          = AliasedUse                   : m288_3
+#  288|     v288_12(void)          = ExitFunction                 : 
 
 #  291| Point* NewAliasing(int)
 #  291|   Block 0
@@ -1450,3 +1465,27 @@ ssa.cpp:
 #  301|     v301_13(void)          = ReturnValue                      : &:r301_12, m304_7
 #  301|     v301_14(void)          = AliasedUse                       : ~m303_8
 #  301|     v301_15(void)          = ExitFunction                     : 
+
+#  310| void ThisAliasTest::setX(int)
+#  310|   Block 0
+#  310|     v310_1(void)                 = EnterFunction                : 
+#  310|     m310_2(unknown)              = AliasedDefinition            : 
+#  310|     m310_3(unknown)              = InitializeNonLocal           : 
+#  310|     m310_4(unknown)              = Chi                          : total:m310_2, partial:m310_3
+#  310|     r310_5(glval<unknown>)       = VariableAddress[#this]       : 
+#  310|     m310_6(glval<ThisAliasTest>) = InitializeParameter[#this]   : &:r310_5
+#  310|     r310_7(glval<ThisAliasTest>) = Load                         : &:r310_5, m310_6
+#  310|     m310_8(ThisAliasTest)        = InitializeIndirection[#this] : &:r310_7
+#  310|     r310_9(glval<int>)           = VariableAddress[arg]         : 
+#  310|     m310_10(int)                 = InitializeParameter[arg]     : &:r310_9
+#  311|     r311_1(glval<int>)           = VariableAddress[arg]         : 
+#  311|     r311_2(int)                  = Load                         : &:r311_1, m310_10
+#  311|     r311_3(glval<unknown>)       = VariableAddress[#this]       : 
+#  311|     r311_4(ThisAliasTest *)      = Load                         : &:r311_3, m310_6
+#  311|     r311_5(glval<int>)           = FieldAddress[x]              : r311_4
+#  311|     m311_6(int)                  = Store                        : &:r311_5, r311_2
+#  311|     m311_7(unknown)              = Chi                          : total:m310_8, partial:m311_6
+#  312|     v312_1(void)                 = NoOp                         : 
+#  310|     v310_11(void)                = ReturnVoid                   : 
+#  310|     v310_12(void)                = AliasedUse                   : m310_3
+#  310|     v310_13(void)                = ExitFunction                 : 

cpp/ql/test/library-tests/ir/ssa/ssa.cpp

@@ -302,4 +302,12 @@ int main(int argc, char **argv) {
   unknownFunction(argc, argv);
   unknownFunction(argc, argv);
   return **argv; // Chi chain goes through side effects from unknownFunction
-}
+}
+
+class ThisAliasTest {
+  int x, y;
+  
+  void setX(int arg) {
+    this->x = arg;
+  }
+};

cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected

@@ -937,27 +937,33 @@ ssa.cpp:
 
 #  235| void Constructible::Constructible(int)
 #  235|   Block 0
-#  235|     v235_1(void)                 = EnterFunction          : 
-#  235|     mu235_2(unknown)             = AliasedDefinition      : 
-#  235|     mu235_3(unknown)             = InitializeNonLocal     : 
-#  235|     r235_4(glval<Constructible>) = InitializeThis         : 
-#  235|     r235_5(glval<int>)           = VariableAddress[x]     : 
-#  235|     m235_6(int)                  = InitializeParameter[x] : &:r235_5
-#  235|     v235_7(void)                 = NoOp                   : 
-#  235|     v235_8(void)                 = ReturnVoid             : 
-#  235|     v235_9(void)                 = AliasedUse             : ~m?
-#  235|     v235_10(void)                = ExitFunction           : 
+#  235|     v235_1(void)                 = EnterFunction                : 
+#  235|     mu235_2(unknown)             = AliasedDefinition            : 
+#  235|     mu235_3(unknown)             = InitializeNonLocal           : 
+#  235|     r235_4(glval<unknown>)       = VariableAddress[#this]       : 
+#  235|     m235_5(glval<Constructible>) = InitializeParameter[#this]   : &:r235_4
+#  235|     r235_6(glval<Constructible>) = Load                         : &:r235_4, m235_5
+#  235|     mu235_7(Constructible)       = InitializeIndirection[#this] : &:r235_6
+#  235|     r235_8(glval<int>)           = VariableAddress[x]           : 
+#  235|     m235_9(int)                  = InitializeParameter[x]       : &:r235_8
+#  235|     v235_10(void)                = NoOp                         : 
+#  235|     v235_11(void)                = ReturnVoid                   : 
+#  235|     v235_12(void)                = AliasedUse                   : ~m?
+#  235|     v235_13(void)                = ExitFunction                 : 
 
 #  236| void Constructible::g()
 #  236|   Block 0
-#  236|     v236_1(void)                 = EnterFunction      : 
-#  236|     mu236_2(unknown)             = AliasedDefinition  : 
-#  236|     mu236_3(unknown)             = InitializeNonLocal : 
-#  236|     r236_4(glval<Constructible>) = InitializeThis     : 
-#  236|     v236_5(void)                 = NoOp               : 
-#  236|     v236_6(void)                 = ReturnVoid         : 
-#  236|     v236_7(void)                 = AliasedUse         : ~m?
-#  236|     v236_8(void)                 = ExitFunction       : 
+#  236|     v236_1(void)                 = EnterFunction                : 
+#  236|     mu236_2(unknown)             = AliasedDefinition            : 
+#  236|     mu236_3(unknown)             = InitializeNonLocal           : 
+#  236|     r236_4(glval<unknown>)       = VariableAddress[#this]       : 
+#  236|     m236_5(glval<Constructible>) = InitializeParameter[#this]   : &:r236_4
+#  236|     r236_6(glval<Constructible>) = Load                         : &:r236_4, m236_5
+#  236|     mu236_7(Constructible)       = InitializeIndirection[#this] : &:r236_6
+#  236|     v236_8(void)                 = NoOp                         : 
+#  236|     v236_9(void)                 = ReturnVoid                   : 
+#  236|     v236_10(void)                = AliasedUse                   : ~m?
+#  236|     v236_11(void)                = ExitFunction                 : 
 
 #  239| void ExplicitConstructorCalls()
 #  239|   Block 0
@@ -1182,43 +1188,52 @@ ssa.cpp:
 
 #  286| void A::A(int)
 #  286|   Block 0
-#  286|     v286_1(void)       = EnterFunction          : 
-#  286|     mu286_2(unknown)   = AliasedDefinition      : 
-#  286|     mu286_3(unknown)   = InitializeNonLocal     : 
-#  286|     r286_4(glval<A>)   = InitializeThis         : 
-#  286|     r286_5(glval<int>) = VariableAddress[x]     : 
-#  286|     m286_6(int)        = InitializeParameter[x] : &:r286_5
-#  286|     v286_7(void)       = NoOp                   : 
-#  286|     v286_8(void)       = ReturnVoid             : 
-#  286|     v286_9(void)       = AliasedUse             : ~m?
-#  286|     v286_10(void)      = ExitFunction           : 
+#  286|     v286_1(void)           = EnterFunction                : 
+#  286|     mu286_2(unknown)       = AliasedDefinition            : 
+#  286|     mu286_3(unknown)       = InitializeNonLocal           : 
+#  286|     r286_4(glval<unknown>) = VariableAddress[#this]       : 
+#  286|     m286_5(glval<A>)       = InitializeParameter[#this]   : &:r286_4
+#  286|     r286_6(glval<A>)       = Load                         : &:r286_4, m286_5
+#  286|     mu286_7(A)             = InitializeIndirection[#this] : &:r286_6
+#  286|     r286_8(glval<int>)     = VariableAddress[x]           : 
+#  286|     m286_9(int)            = InitializeParameter[x]       : &:r286_8
+#  286|     v286_10(void)          = NoOp                         : 
+#  286|     v286_11(void)          = ReturnVoid                   : 
+#  286|     v286_12(void)          = AliasedUse                   : ~m?
+#  286|     v286_13(void)          = ExitFunction                 : 
 
 #  287| void A::A(A*)
 #  287|   Block 0
-#  287|     v287_1(void)       = EnterFunction              : 
-#  287|     mu287_2(unknown)   = AliasedDefinition          : 
-#  287|     mu287_3(unknown)   = InitializeNonLocal         : 
-#  287|     r287_4(glval<A>)   = InitializeThis             : 
-#  287|     r287_5(glval<A *>) = VariableAddress[p#0]       : 
-#  287|     m287_6(A *)        = InitializeParameter[p#0]   : &:r287_5
-#  287|     r287_7(A *)        = Load                       : &:r287_5, m287_6
-#  287|     mu287_8(unknown)   = InitializeIndirection[p#0] : &:r287_7
-#  287|     v287_9(void)       = NoOp                       : 
-#  287|     v287_10(void)      = ReturnIndirection[p#0]     : &:r287_7, ~m?
-#  287|     v287_11(void)      = ReturnVoid                 : 
-#  287|     v287_12(void)      = AliasedUse                 : ~m?
-#  287|     v287_13(void)      = ExitFunction               : 
+#  287|     v287_1(void)           = EnterFunction                : 
+#  287|     mu287_2(unknown)       = AliasedDefinition            : 
+#  287|     mu287_3(unknown)       = InitializeNonLocal           : 
+#  287|     r287_4(glval<unknown>) = VariableAddress[#this]       : 
+#  287|     m287_5(glval<A>)       = InitializeParameter[#this]   : &:r287_4
+#  287|     r287_6(glval<A>)       = Load                         : &:r287_4, m287_5
+#  287|     mu287_7(A)             = InitializeIndirection[#this] : &:r287_6
+#  287|     r287_8(glval<A *>)     = VariableAddress[p#0]         : 
+#  287|     m287_9(A *)            = InitializeParameter[p#0]     : &:r287_8
+#  287|     r287_10(A *)           = Load                         : &:r287_8, m287_9
+#  287|     mu287_11(unknown)      = InitializeIndirection[p#0]   : &:r287_10
+#  287|     v287_12(void)          = NoOp                         : 
+#  287|     v287_13(void)          = ReturnIndirection[p#0]       : &:r287_10, ~m?
+#  287|     v287_14(void)          = ReturnVoid                   : 
+#  287|     v287_15(void)          = AliasedUse                   : ~m?
+#  287|     v287_16(void)          = ExitFunction                 : 
 
 #  288| void A::A()
 #  288|   Block 0
-#  288|     v288_1(void)     = EnterFunction      : 
-#  288|     mu288_2(unknown) = AliasedDefinition  : 
-#  288|     mu288_3(unknown) = InitializeNonLocal : 
-#  288|     r288_4(glval<A>) = InitializeThis     : 
-#  288|     v288_5(void)     = NoOp               : 
-#  288|     v288_6(void)     = ReturnVoid         : 
-#  288|     v288_7(void)     = AliasedUse         : ~m?
-#  288|     v288_8(void)     = ExitFunction       : 
+#  288|     v288_1(void)           = EnterFunction                : 
+#  288|     mu288_2(unknown)       = AliasedDefinition            : 
+#  288|     mu288_3(unknown)       = InitializeNonLocal           : 
+#  288|     r288_4(glval<unknown>) = VariableAddress[#this]       : 
+#  288|     m288_5(glval<A>)       = InitializeParameter[#this]   : &:r288_4
+#  288|     r288_6(glval<A>)       = Load                         : &:r288_4, m288_5
+#  288|     mu288_7(A)             = InitializeIndirection[#this] : &:r288_6
+#  288|     v288_8(void)           = NoOp                         : 
+#  288|     v288_9(void)           = ReturnVoid                   : 
+#  288|     v288_10(void)          = AliasedUse                   : ~m?
+#  288|     v288_11(void)          = ExitFunction                 : 
 
 #  291| Point* NewAliasing(int)
 #  291|   Block 0
@@ -1333,3 +1348,25 @@ ssa.cpp:
 #  301|     v301_12(void)          = ReturnValue                      : &:r301_11, m304_7
 #  301|     v301_13(void)          = AliasedUse                       : ~m?
 #  301|     v301_14(void)          = ExitFunction                     : 
+
+#  310| void ThisAliasTest::setX(int)
+#  310|   Block 0
+#  310|     v310_1(void)                 = EnterFunction                : 
+#  310|     mu310_2(unknown)             = AliasedDefinition            : 
+#  310|     mu310_3(unknown)             = InitializeNonLocal           : 
+#  310|     r310_4(glval<unknown>)       = VariableAddress[#this]       : 
+#  310|     m310_5(glval<ThisAliasTest>) = InitializeParameter[#this]   : &:r310_4
+#  310|     r310_6(glval<ThisAliasTest>) = Load                         : &:r310_4, m310_5
+#  310|     mu310_7(ThisAliasTest)       = InitializeIndirection[#this] : &:r310_6
+#  310|     r310_8(glval<int>)           = VariableAddress[arg]         : 
+#  310|     m310_9(int)                  = InitializeParameter[arg]     : &:r310_8
+#  311|     r311_1(glval<int>)           = VariableAddress[arg]         : 
+#  311|     r311_2(int)                  = Load                         : &:r311_1, m310_9
+#  311|     r311_3(glval<unknown>)       = VariableAddress[#this]       : 
+#  311|     r311_4(ThisAliasTest *)      = Load                         : &:r311_3, m310_5
+#  311|     r311_5(glval<int>)           = FieldAddress[x]              : r311_4
+#  311|     mu311_6(int)                 = Store                        : &:r311_5, r311_2
+#  312|     v312_1(void)                 = NoOp                         : 
+#  310|     v310_10(void)                = ReturnVoid                   : 
+#  310|     v310_11(void)                = AliasedUse                   : ~m?
+#  310|     v310_12(void)                = ExitFunction                 : 

cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected

@@ -937,27 +937,33 @@ ssa.cpp:
 
 #  235| void Constructible::Constructible(int)
 #  235|   Block 0
-#  235|     v235_1(void)                 = EnterFunction          : 
-#  235|     mu235_2(unknown)             = AliasedDefinition      : 
-#  235|     mu235_3(unknown)             = InitializeNonLocal     : 
-#  235|     r235_4(glval<Constructible>) = InitializeThis         : 
-#  235|     r235_5(glval<int>)           = VariableAddress[x]     : 
-#  235|     m235_6(int)                  = InitializeParameter[x] : &:r235_5
-#  235|     v235_7(void)                 = NoOp                   : 
-#  235|     v235_8(void)                 = ReturnVoid             : 
-#  235|     v235_9(void)                 = AliasedUse             : ~m?
-#  235|     v235_10(void)                = ExitFunction           : 
+#  235|     v235_1(void)                 = EnterFunction                : 
+#  235|     mu235_2(unknown)             = AliasedDefinition            : 
+#  235|     mu235_3(unknown)             = InitializeNonLocal           : 
+#  235|     r235_4(glval<unknown>)       = VariableAddress[#this]       : 
+#  235|     m235_5(glval<Constructible>) = InitializeParameter[#this]   : &:r235_4
+#  235|     r235_6(glval<Constructible>) = Load                         : &:r235_4, m235_5
+#  235|     mu235_7(Constructible)       = InitializeIndirection[#this] : &:r235_6
+#  235|     r235_8(glval<int>)           = VariableAddress[x]           : 
+#  235|     m235_9(int)                  = InitializeParameter[x]       : &:r235_8
+#  235|     v235_10(void)                = NoOp                         : 
+#  235|     v235_11(void)                = ReturnVoid                   : 
+#  235|     v235_12(void)                = AliasedUse                   : ~m?
+#  235|     v235_13(void)                = ExitFunction                 : 
 
 #  236| void Constructible::g()
 #  236|   Block 0
-#  236|     v236_1(void)                 = EnterFunction      : 
-#  236|     mu236_2(unknown)             = AliasedDefinition  : 
-#  236|     mu236_3(unknown)             = InitializeNonLocal : 
-#  236|     r236_4(glval<Constructible>) = InitializeThis     : 
-#  236|     v236_5(void)                 = NoOp               : 
-#  236|     v236_6(void)                 = ReturnVoid         : 
-#  236|     v236_7(void)                 = AliasedUse         : ~m?
-#  236|     v236_8(void)                 = ExitFunction       : 
+#  236|     v236_1(void)                 = EnterFunction                : 
+#  236|     mu236_2(unknown)             = AliasedDefinition            : 
+#  236|     mu236_3(unknown)             = InitializeNonLocal           : 
+#  236|     r236_4(glval<unknown>)       = VariableAddress[#this]       : 
+#  236|     m236_5(glval<Constructible>) = InitializeParameter[#this]   : &:r236_4
+#  236|     r236_6(glval<Constructible>) = Load                         : &:r236_4, m236_5
+#  236|     mu236_7(Constructible)       = InitializeIndirection[#this] : &:r236_6
+#  236|     v236_8(void)                 = NoOp                         : 
+#  236|     v236_9(void)                 = ReturnVoid                   : 
+#  236|     v236_10(void)                = AliasedUse                   : ~m?
+#  236|     v236_11(void)                = ExitFunction                 : 
 
 #  239| void ExplicitConstructorCalls()
 #  239|   Block 0
@@ -1182,43 +1188,52 @@ ssa.cpp:
 
 #  286| void A::A(int)
 #  286|   Block 0
-#  286|     v286_1(void)       = EnterFunction          : 
-#  286|     mu286_2(unknown)   = AliasedDefinition      : 
-#  286|     mu286_3(unknown)   = InitializeNonLocal     : 
-#  286|     r286_4(glval<A>)   = InitializeThis         : 
-#  286|     r286_5(glval<int>) = VariableAddress[x]     : 
-#  286|     m286_6(int)        = InitializeParameter[x] : &:r286_5
-#  286|     v286_7(void)       = NoOp                   : 
-#  286|     v286_8(void)       = ReturnVoid             : 
-#  286|     v286_9(void)       = AliasedUse             : ~m?
-#  286|     v286_10(void)      = ExitFunction           : 
+#  286|     v286_1(void)           = EnterFunction                : 
+#  286|     mu286_2(unknown)       = AliasedDefinition            : 
+#  286|     mu286_3(unknown)       = InitializeNonLocal           : 
+#  286|     r286_4(glval<unknown>) = VariableAddress[#this]       : 
+#  286|     m286_5(glval<A>)       = InitializeParameter[#this]   : &:r286_4
+#  286|     r286_6(glval<A>)       = Load                         : &:r286_4, m286_5
+#  286|     mu286_7(A)             = InitializeIndirection[#this] : &:r286_6
+#  286|     r286_8(glval<int>)     = VariableAddress[x]           : 
+#  286|     m286_9(int)            = InitializeParameter[x]       : &:r286_8
+#  286|     v286_10(void)          = NoOp                         : 
+#  286|     v286_11(void)          = ReturnVoid                   : 
+#  286|     v286_12(void)          = AliasedUse                   : ~m?
+#  286|     v286_13(void)          = ExitFunction                 : 
 
 #  287| void A::A(A*)
 #  287|   Block 0
-#  287|     v287_1(void)       = EnterFunction              : 
-#  287|     mu287_2(unknown)   = AliasedDefinition          : 
-#  287|     mu287_3(unknown)   = InitializeNonLocal         : 
-#  287|     r287_4(glval<A>)   = InitializeThis             : 
-#  287|     r287_5(glval<A *>) = VariableAddress[p#0]       : 
-#  287|     m287_6(A *)        = InitializeParameter[p#0]   : &:r287_5
-#  287|     r287_7(A *)        = Load                       : &:r287_5, m287_6
-#  287|     mu287_8(unknown)   = InitializeIndirection[p#0] : &:r287_7
-#  287|     v287_9(void)       = NoOp                       : 
-#  287|     v287_10(void)      = ReturnIndirection[p#0]     : &:r287_7, ~m?
-#  287|     v287_11(void)      = ReturnVoid                 : 
-#  287|     v287_12(void)      = AliasedUse                 : ~m?
-#  287|     v287_13(void)      = ExitFunction               : 
+#  287|     v287_1(void)           = EnterFunction                : 
+#  287|     mu287_2(unknown)       = AliasedDefinition            : 
+#  287|     mu287_3(unknown)       = InitializeNonLocal           : 
+#  287|     r287_4(glval<unknown>) = VariableAddress[#this]       : 
+#  287|     m287_5(glval<A>)       = InitializeParameter[#this]   : &:r287_4
+#  287|     r287_6(glval<A>)       = Load                         : &:r287_4, m287_5
+#  287|     mu287_7(A)             = InitializeIndirection[#this] : &:r287_6
+#  287|     r287_8(glval<A *>)     = VariableAddress[p#0]         : 
+#  287|     m287_9(A *)            = InitializeParameter[p#0]     : &:r287_8
+#  287|     r287_10(A *)           = Load                         : &:r287_8, m287_9
+#  287|     mu287_11(unknown)      = InitializeIndirection[p#0]   : &:r287_10
+#  287|     v287_12(void)          = NoOp                         : 
+#  287|     v287_13(void)          = ReturnIndirection[p#0]       : &:r287_10, ~m?
+#  287|     v287_14(void)          = ReturnVoid                   : 
+#  287|     v287_15(void)          = AliasedUse                   : ~m?
+#  287|     v287_16(void)          = ExitFunction                 : 
 
 #  288| void A::A()
 #  288|   Block 0
-#  288|     v288_1(void)     = EnterFunction      : 
-#  288|     mu288_2(unknown) = AliasedDefinition  : 
-#  288|     mu288_3(unknown) = InitializeNonLocal : 
-#  288|     r288_4(glval<A>) = InitializeThis     : 
-#  288|     v288_5(void)     = NoOp               : 
-#  288|     v288_6(void)     = ReturnVoid         : 
-#  288|     v288_7(void)     = AliasedUse         : ~m?
-#  288|     v288_8(void)     = ExitFunction       : 
+#  288|     v288_1(void)           = EnterFunction                : 
+#  288|     mu288_2(unknown)       = AliasedDefinition            : 
+#  288|     mu288_3(unknown)       = InitializeNonLocal           : 
+#  288|     r288_4(glval<unknown>) = VariableAddress[#this]       : 
+#  288|     m288_5(glval<A>)       = InitializeParameter[#this]   : &:r288_4
+#  288|     r288_6(glval<A>)       = Load                         : &:r288_4, m288_5
+#  288|     mu288_7(A)             = InitializeIndirection[#this] : &:r288_6
+#  288|     v288_8(void)           = NoOp                         : 
+#  288|     v288_9(void)           = ReturnVoid                   : 
+#  288|     v288_10(void)          = AliasedUse                   : ~m?
+#  288|     v288_11(void)          = ExitFunction                 : 
 
 #  291| Point* NewAliasing(int)
 #  291|   Block 0
@@ -1333,3 +1348,25 @@ ssa.cpp:
 #  301|     v301_12(void)          = ReturnValue                      : &:r301_11, m304_7
 #  301|     v301_13(void)          = AliasedUse                       : ~m?
 #  301|     v301_14(void)          = ExitFunction                     : 
+
+#  310| void ThisAliasTest::setX(int)
+#  310|   Block 0
+#  310|     v310_1(void)                 = EnterFunction                : 
+#  310|     mu310_2(unknown)             = AliasedDefinition            : 
+#  310|     mu310_3(unknown)             = InitializeNonLocal           : 
+#  310|     r310_4(glval<unknown>)       = VariableAddress[#this]       : 
+#  310|     m310_5(glval<ThisAliasTest>) = InitializeParameter[#this]   : &:r310_4
+#  310|     r310_6(glval<ThisAliasTest>) = Load                         : &:r310_4, m310_5
+#  310|     mu310_7(ThisAliasTest)       = InitializeIndirection[#this] : &:r310_6
+#  310|     r310_8(glval<int>)           = VariableAddress[arg]         : 
+#  310|     m310_9(int)                  = InitializeParameter[arg]     : &:r310_8
+#  311|     r311_1(glval<int>)           = VariableAddress[arg]         : 
+#  311|     r311_2(int)                  = Load                         : &:r311_1, m310_9
+#  311|     r311_3(glval<unknown>)       = VariableAddress[#this]       : 
+#  311|     r311_4(ThisAliasTest *)      = Load                         : &:r311_3, m310_5
+#  311|     r311_5(glval<int>)           = FieldAddress[x]              : r311_4
+#  311|     mu311_6(int)                 = Store                        : &:r311_5, r311_2
+#  312|     v312_1(void)                 = NoOp                         : 
+#  310|     v310_10(void)                = ReturnVoid                   : 
+#  310|     v310_11(void)                = AliasedUse                   : ~m?
+#  310|     v310_12(void)                = ExitFunction                 : 

cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected

@@ -635,8 +635,6 @@ uniqueNodeToString
 | duff.c:3:14:3:14 | x | Node should have one toString but has 2. |
 | duff.c:4:13:4:13 | i | Node should have one toString but has 2. |
 | duff.c:4:13:4:13 | x | Node should have one toString but has 2. |
-| ir.cpp:888:6:888:16 | (no string representation) | Node should have one toString but has 0. |
-| misc.c:197:6:197:9 | (no string representation) | Node should have one toString but has 0. |
 | newexpr.cpp:3:9:3:9 | i | Node should have one toString but has 2. |
 | newexpr.cpp:3:9:3:9 | x | Node should have one toString but has 2. |
 | newexpr.cpp:3:16:3:16 | j | Node should have one toString but has 2. |
@@ -654,7 +652,6 @@ uniqueNodeToString
 | switchstmt.c:2:14:2:14 | i | Node should have one toString but has 2. |
 | switchstmt.c:2:14:2:14 | x | Node should have one toString but has 2. |
 missingToString
-| Nodes without toString: 2 |
 parameterCallable
 localFlowIsLocal
 compatibleTypesReflexive

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected

@@ -1,13 +1,4 @@
 edges
-| field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:13:3:13:18 | Chi |
-| field_conflation.c:12:22:12:34 | (const char *)... | field_conflation.c:13:3:13:18 | Chi |
-| field_conflation.c:13:3:13:18 | Chi | field_conflation.c:19:15:19:17 | taint_array output argument |
-| field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:10:20:13 | (unsigned long)... |
-| field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:13:20:13 | x |
-| field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:13:20:13 | x |
-| field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:13:20:13 | x |
-| field_conflation.c:20:13:20:13 | x | field_conflation.c:20:10:20:13 | (unsigned long)... |
-| field_conflation.c:20:13:20:13 | x | field_conflation.c:20:13:20:13 | x |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
@@ -89,15 +80,6 @@ edges
 | test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
 | test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
 nodes
-| field_conflation.c:12:22:12:27 | call to getenv | semmle.label | call to getenv |
-| field_conflation.c:12:22:12:34 | (const char *)... | semmle.label | (const char *)... |
-| field_conflation.c:13:3:13:18 | Chi | semmle.label | Chi |
-| field_conflation.c:19:15:19:17 | taint_array output argument | semmle.label | taint_array output argument |
-| field_conflation.c:20:10:20:13 | (unsigned long)... | semmle.label | (unsigned long)... |
-| field_conflation.c:20:10:20:13 | (unsigned long)... | semmle.label | (unsigned long)... |
-| field_conflation.c:20:13:20:13 | x | semmle.label | x |
-| field_conflation.c:20:13:20:13 | x | semmle.label | x |
-| field_conflation.c:20:13:20:13 | x | semmle.label | x |
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
 | test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
@@ -187,7 +169,6 @@ nodes
 | test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
 #select
-| field_conflation.c:20:3:20:8 | call to malloc | field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:20:13:20:13 | x | This allocation size is derived from $@ and might overflow | field_conflation.c:12:22:12:27 | call to getenv | user input (getenv) |
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:45:31:45:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/field_conflation.c

@@ -17,5 +17,5 @@ void test_conflated_fields3(void) {
   struct XY xy;
   xy.x = 4;
   taint_array(&xy);
-  malloc(xy.x); // not tainted [FALSE POSITIVE]
+  malloc(xy.x); // not tainted
 }