Merge branch 'master' into sideeffect

cpp/ql/src/semmle/code/cpp/Function.qll

@@ -133,10 +133,16 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    */
   Type getUnspecifiedType() { result = getType().getUnspecifiedType() }
 
-  /** Gets the nth parameter of this function. */
+  /**
+   * Gets the nth parameter of this function. There is no result for the
+   * implicit `this` parameter, and there is no `...` varargs pseudo-parameter.
+   */
   Parameter getParameter(int n) { params(unresolveElement(result), underlyingElement(this), n, _) }
 
-  /** Gets a parameter of this function. */
+  /**
+   * Gets a parameter of this function. There is no result for the implicit
+   * `this` parameter, and there is no `...` varargs pseudo-parameter.
+   */
   Parameter getAParameter() { params(unresolveElement(result), underlyingElement(this), _, _) }
 
   /**

cpp/ql/src/semmle/code/cpp/Variable.qll

@@ -397,16 +397,21 @@ class StaticStorageDurationVariable extends Variable {
  */
 private predicate runtimeExprInStaticInitializer(Expr e) {
   inStaticInitializer(e) and
-  if e instanceof AggregateLiteral
+  if e instanceof AggregateLiteral // in sync with the cast in `inStaticInitializer`
   then runtimeExprInStaticInitializer(e.getAChild())
   else not e.getFullyConverted().isConstant()
 }
 
-/** Holds if `e` is part of the initializer of a `StaticStorageDurationVariable`. */
+/**
+ * Holds if `e` is the initializer of a `StaticStorageDurationVariable`, either
+ * directly or below some top-level `AggregateLiteral`s.
+ */
 private predicate inStaticInitializer(Expr e) {
   exists(StaticStorageDurationVariable var | e = var.getInitializer().getExpr())
   or
-  inStaticInitializer(e.getParent())
+  // The cast to `AggregateLiteral` ensures we only compute what'll later be
+  // needed by `runtimeExprInStaticInitializer`.
+  inStaticInitializer(e.getParent().(AggregateLiteral))
 }
 
 /**

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -243,7 +243,7 @@ private module Cached {
      * - Types are checked using the `compatibleTypes()` relation.
      */
     cached
-    module Final {
+    private module Final {
       /**
        * Holds if `p` can flow to `node` in the same callable using only
        * value-preserving steps, not taking call contexts into account.

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll

@@ -0,0 +1,175 @@
+/**
+ * Provides consistency queries for checking invariants in the language-specific
+ * data-flow classes and predicates.
+ */
+
+private import DataFlowImplSpecific::Private
+private import DataFlowImplSpecific::Public
+private import tainttracking1.TaintTrackingParameter::Private
+private import tainttracking1.TaintTrackingParameter::Public
+
+module Consistency {
+  private class RelevantNode extends Node {
+    RelevantNode() {
+      this instanceof ArgumentNode or
+      this instanceof ParameterNode or
+      this instanceof ReturnNode or
+      this = getAnOutNode(_, _) or
+      simpleLocalFlowStep(this, _) or
+      simpleLocalFlowStep(_, this) or
+      jumpStep(this, _) or
+      jumpStep(_, this) or
+      storeStep(this, _, _) or
+      storeStep(_, _, this) or
+      readStep(this, _, _) or
+      readStep(_, _, this) or
+      defaultAdditionalTaintStep(this, _) or
+      defaultAdditionalTaintStep(_, this)
+    }
+  }
+
+  query predicate uniqueEnclosingCallable(Node n, string msg) {
+    exists(int c |
+      n instanceof RelevantNode and
+      c = count(n.getEnclosingCallable()) and
+      c != 1 and
+      msg = "Node should have one enclosing callable but has " + c + "."
+    )
+  }
+
+  query predicate uniqueTypeBound(Node n, string msg) {
+    exists(int c |
+      n instanceof RelevantNode and
+      c = count(n.getTypeBound()) and
+      c != 1 and
+      msg = "Node should have one type bound but has " + c + "."
+    )
+  }
+
+  query predicate uniqueTypeRepr(Node n, string msg) {
+    exists(int c |
+      n instanceof RelevantNode and
+      c = count(getErasedRepr(n.getTypeBound())) and
+      c != 1 and
+      msg = "Node should have one type representation but has " + c + "."
+    )
+  }
+
+  query predicate uniqueNodeLocation(Node n, string msg) {
+    exists(int c |
+      c =
+        count(string filepath, int startline, int startcolumn, int endline, int endcolumn |
+          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+        ) and
+      c != 1 and
+      msg = "Node should have one location but has " + c + "."
+    )
+  }
+
+  query predicate missingLocation(string msg) {
+    exists(int c |
+      c =
+        strictcount(Node n |
+          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
+            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+          )
+        ) and
+      msg = "Nodes without location: " + c
+    )
+  }
+
+  query predicate uniqueNodeToString(Node n, string msg) {
+    exists(int c |
+      c = count(n.toString()) and
+      c != 1 and
+      msg = "Node should have one toString but has " + c + "."
+    )
+  }
+
+  query predicate missingToString(string msg) {
+    exists(int c |
+      c = strictcount(Node n | not exists(n.toString())) and
+      msg = "Nodes without toString: " + c
+    )
+  }
+
+  query predicate parameterCallable(ParameterNode p, string msg) {
+    exists(DataFlowCallable c | p.isParameterOf(c, _) and c != p.getEnclosingCallable()) and
+    msg = "Callable mismatch for parameter."
+  }
+
+  query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
+    simpleLocalFlowStep(n1, n2) and
+    n1.getEnclosingCallable() != n2.getEnclosingCallable() and
+    msg = "Local flow step does not preserve enclosing callable."
+  }
+
+  private DataFlowType typeRepr() { result = getErasedRepr(any(Node n).getTypeBound()) }
+
+  query predicate compatibleTypesReflexive(DataFlowType t, string msg) {
+    t = typeRepr() and
+    not compatibleTypes(t, t) and
+    msg = "Type compatibility predicate is not reflexive."
+  }
+
+  query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
+    isUnreachableInCall(n, call) and
+    exists(DataFlowCallable c |
+      c = n.getEnclosingCallable() and
+      not viableCallable(call) = c
+    ) and
+    msg = "Call context for isUnreachableInCall is inconsistent with call graph."
+  }
+
+  query predicate localCallNodes(DataFlowCall call, Node n, string msg) {
+    (
+      n = getAnOutNode(call, _) and
+      msg = "OutNode and call does not share enclosing callable."
+      or
+      n.(ArgumentNode).argumentOf(call, _) and
+      msg = "ArgumentNode and call does not share enclosing callable."
+    ) and
+    n.getEnclosingCallable() != call.getEnclosingCallable()
+  }
+
+  query predicate postIsNotPre(PostUpdateNode n, string msg) {
+    n.getPreUpdateNode() = n and msg = "PostUpdateNode should not equal its pre-update node."
+  }
+
+  query predicate postHasUniquePre(PostUpdateNode n, string msg) {
+    exists(int c |
+      c = count(n.getPreUpdateNode()) and
+      c != 1 and
+      msg = "PostUpdateNode should have one pre-update node but has " + c + "."
+    )
+  }
+
+  query predicate uniquePostUpdate(Node n, string msg) {
+    1 < strictcount(PostUpdateNode post | post.getPreUpdateNode() = n) and
+    msg = "Node has multiple PostUpdateNodes."
+  }
+
+  query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
+    n.getEnclosingCallable() != n.getPreUpdateNode().getEnclosingCallable() and
+    msg = "PostUpdateNode does not share callable with its pre-update node."
+  }
+
+  private predicate hasPost(Node n) { exists(PostUpdateNode post | post.getPreUpdateNode() = n) }
+
+  query predicate reverseRead(Node n, string msg) {
+    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
+    msg = "Origin of readStep is missing a PostUpdateNode."
+  }
+
+  query predicate storeIsPostUpdate(Node n, string msg) {
+    storeStep(_, _, n) and
+    not n instanceof PostUpdateNode and
+    msg = "Store targets should be PostUpdateNodes."
+  }
+
+  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
+    not hasPost(n) and
+    not isImmutableOrUnobservable(n) and
+    msg = "ArgumentNode is missing PostUpdateNode."
+  }
+}

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -293,3 +293,12 @@ class DataFlowCall extends Expr {
 predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } // stub implementation
 
 int accessPathLimit() { result = 5 }
+
+/**
+ * Holds if `n` does not require a `PostUpdateNode` as it either cannot be
+ * modified or its modification cannot be observed, for example if it is a
+ * freshly created object that is not saved in a variable.
+ *
+ * This predicate is only used for consistency checks.
+ */
+predicate isImmutableOrUnobservable(Node n) { none() }

cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -1,3 +1,13 @@
+/**
+ * Provides an implementation of global (interprocedural) taint tracking.
+ * This file re-exports the local (intraprocedural) taint-tracking analysis
+ * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
+ * exposed through the `Configuration` class. For some languages, this file
+ * exists in several identical copies, allowing queries to use multiple
+ * `Configuration` classes that depend on each other without introducing
+ * mutual recursion among those configurations.
+ */
+
 import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private
 

cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -1,3 +1,13 @@
+/**
+ * Provides an implementation of global (interprocedural) taint tracking.
+ * This file re-exports the local (intraprocedural) taint-tracking analysis
+ * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
+ * exposed through the `Configuration` class. For some languages, this file
+ * exists in several identical copies, allowing queries to use multiple
+ * `Configuration` classes that depend on each other without introducing
+ * mutual recursion among those configurations.
+ */
+
 import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private
 

cpp/ql/src/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -8,6 +8,22 @@ abstract class BuiltInOperation extends Expr {
   override string getCanonicalQLClass() { result = "BuiltInOperation" }
 }
 
+/**
+ * A C/C++ built-in operation that is used to support functions with variable numbers of arguments.
+ * This includes `va_start`, `va_end`, `va_copy`, and `va_arg`.
+ */
+class VarArgsExpr extends BuiltInOperation {
+  VarArgsExpr() {
+    this instanceof BuiltInVarArgsStart
+    or
+    this instanceof BuiltInVarArgsEnd
+    or
+    this instanceof BuiltInVarArg
+    or
+    this instanceof BuiltInVarArgCopy
+  }
+}
+
 /**
  * A C/C++ `__builtin_va_start` built-in operation (used by some
  * implementations of `va_start`).
@@ -20,6 +36,16 @@ class BuiltInVarArgsStart extends BuiltInOperation, @vastartexpr {
   override string toString() { result = "__builtin_va_start" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArgsStart" }
+
+  /**
+   * Gets the `va_list` argument.
+   */
+  final Expr getVAList() { result = getChild(0) }
+
+  /**
+   * Gets the argument that specifies the last named parameter before the ellipsis.
+   */
+  final VariableAccess getLastNamedParameter() { result = getChild(1) }
 }
 
 /**
@@ -35,6 +61,11 @@ class BuiltInVarArgsEnd extends BuiltInOperation, @vaendexpr {
   override string toString() { result = "__builtin_va_end" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArgsEnd" }
+
+  /**
+   * Gets the `va_list` argument.
+   */
+  final Expr getVAList() { result = getChild(0) }
 }
 
 /**
@@ -48,6 +79,11 @@ class BuiltInVarArg extends BuiltInOperation, @vaargexpr {
   override string toString() { result = "__builtin_va_arg" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArg" }
+
+  /**
+   * Gets the `va_list` argument.
+   */
+  final Expr getVAList() { result = getChild(0) }
 }
 
 /**
@@ -63,6 +99,16 @@ class BuiltInVarArgCopy extends BuiltInOperation, @vacopyexpr {
   override string toString() { result = "__builtin_va_copy" }
 
   override string getCanonicalQLClass() { result = "BuiltInVarArgCopy" }
+
+  /**
+   * Gets the destination `va_list` argument.
+   */
+  final Expr getDestinationVAList() { result = getChild(0) }
+
+  /**
+   * Gets the the source `va_list` argument.
+   */
+  final Expr getSourceVAList() { result = getChild(1) }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/exprs/Call.qll

@@ -196,7 +196,7 @@ class FunctionCall extends Call, @funbindexpr {
    * constructor calls, this predicate instead gets the `Class` of the constructor
    * being called.
    */
-  private Type getTargetType() { result = Call.super.getType().stripType() }
+  Type getTargetType() { result = Call.super.getType().stripType() }
 
   /**
    * Gets the expected return type of the function called by this call.

cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -60,7 +60,14 @@ private DataFlow::Node getNodeForSource(Expr source) {
   (
     result = DataFlow::exprNode(source)
     or
-    result = DataFlow::definitionByReferenceNode(source)
+    // Some of the sources in `isUserInput` are intended to match the value of
+    // an expression, while others (those modeled below) are intended to match
+    // the taint that propagates out of an argument, like the `char *` argument
+    // to `gets`. It's impossible here to tell which is which, but the "access
+    // to argv" source is definitely not intended to match an output argument,
+    // and it causes false positives if we let it.
+    result = DataFlow::definitionByReferenceNode(source) and
+    not argv(source.(VariableAccess).getTarget())
   )
 }
 
@@ -183,7 +190,7 @@ private predicate instructionTaintStep(Instruction i1, Instruction i2) {
   i2.(UnaryInstruction).getUnary() = i1
   or
   i2.(ChiInstruction).getPartial() = i1 and
-  not isChiForAllAliasedMemory(i2)
+  not i2.isResultConflated()
   or
   exists(BinaryInstruction bin |
     bin = i2 and
@@ -276,19 +283,6 @@ private predicate modelTaintToParameter(Function f, int parameterIn, int paramet
   )
 }
 
-/**
- * Holds if `chi` is on the chain of chi-instructions for all aliased memory.
- * Taint should not pass through these instructions since they tend to mix up
- * unrelated objects.
- */
-private predicate isChiForAllAliasedMemory(Instruction instr) {
-  instr.(ChiInstruction).getTotal() instanceof AliasedDefinitionInstruction
-  or
-  isChiForAllAliasedMemory(instr.(ChiInstruction).getTotal())
-  or
-  isChiForAllAliasedMemory(instr.(PhiInstruction).getAnInputOperand().getAnyDef())
-}
-
 private predicate modelTaintToReturnValue(Function f, int parameterIn) {
   // Taint flow from parameter to return value
   exists(FunctionInput modelIn, FunctionOutput modelOut |

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -243,7 +243,7 @@ private module Cached {
      * - Types are checked using the `compatibleTypes()` relation.
      */
     cached
-    module Final {
+    private module Final {
       /**
        * Holds if `p` can flow to `node` in the same callable using only
        * value-preserving steps, not taking call contexts into account.

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -0,0 +1,175 @@
+/**
+ * Provides consistency queries for checking invariants in the language-specific
+ * data-flow classes and predicates.
+ */
+
+private import DataFlowImplSpecific::Private
+private import DataFlowImplSpecific::Public
+private import tainttracking1.TaintTrackingParameter::Private
+private import tainttracking1.TaintTrackingParameter::Public
+
+module Consistency {
+  private class RelevantNode extends Node {
+    RelevantNode() {
+      this instanceof ArgumentNode or
+      this instanceof ParameterNode or
+      this instanceof ReturnNode or
+      this = getAnOutNode(_, _) or
+      simpleLocalFlowStep(this, _) or
+      simpleLocalFlowStep(_, this) or
+      jumpStep(this, _) or
+      jumpStep(_, this) or
+      storeStep(this, _, _) or
+      storeStep(_, _, this) or
+      readStep(this, _, _) or
+      readStep(_, _, this) or
+      defaultAdditionalTaintStep(this, _) or
+      defaultAdditionalTaintStep(_, this)
+    }
+  }
+
+  query predicate uniqueEnclosingCallable(Node n, string msg) {
+    exists(int c |
+      n instanceof RelevantNode and
+      c = count(n.getEnclosingCallable()) and
+      c != 1 and
+      msg = "Node should have one enclosing callable but has " + c + "."
+    )
+  }
+
+  query predicate uniqueTypeBound(Node n, string msg) {
+    exists(int c |
+      n instanceof RelevantNode and
+      c = count(n.getTypeBound()) and
+      c != 1 and
+      msg = "Node should have one type bound but has " + c + "."
+    )
+  }
+
+  query predicate uniqueTypeRepr(Node n, string msg) {
+    exists(int c |
+      n instanceof RelevantNode and
+      c = count(getErasedRepr(n.getTypeBound())) and
+      c != 1 and
+      msg = "Node should have one type representation but has " + c + "."
+    )
+  }
+
+  query predicate uniqueNodeLocation(Node n, string msg) {
+    exists(int c |
+      c =
+        count(string filepath, int startline, int startcolumn, int endline, int endcolumn |
+          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+        ) and
+      c != 1 and
+      msg = "Node should have one location but has " + c + "."
+    )
+  }
+
+  query predicate missingLocation(string msg) {
+    exists(int c |
+      c =
+        strictcount(Node n |
+          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
+            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+          )
+        ) and
+      msg = "Nodes without location: " + c
+    )
+  }
+
+  query predicate uniqueNodeToString(Node n, string msg) {
+    exists(int c |
+      c = count(n.toString()) and
+      c != 1 and
+      msg = "Node should have one toString but has " + c + "."
+    )
+  }
+
+  query predicate missingToString(string msg) {
+    exists(int c |
+      c = strictcount(Node n | not exists(n.toString())) and
+      msg = "Nodes without toString: " + c
+    )
+  }
+
+  query predicate parameterCallable(ParameterNode p, string msg) {
+    exists(DataFlowCallable c | p.isParameterOf(c, _) and c != p.getEnclosingCallable()) and
+    msg = "Callable mismatch for parameter."
+  }
+
+  query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
+    simpleLocalFlowStep(n1, n2) and
+    n1.getEnclosingCallable() != n2.getEnclosingCallable() and
+    msg = "Local flow step does not preserve enclosing callable."
+  }
+
+  private DataFlowType typeRepr() { result = getErasedRepr(any(Node n).getTypeBound()) }
+
+  query predicate compatibleTypesReflexive(DataFlowType t, string msg) {
+    t = typeRepr() and
+    not compatibleTypes(t, t) and
+    msg = "Type compatibility predicate is not reflexive."
+  }
+
+  query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
+    isUnreachableInCall(n, call) and
+    exists(DataFlowCallable c |
+      c = n.getEnclosingCallable() and
+      not viableCallable(call) = c
+    ) and
+    msg = "Call context for isUnreachableInCall is inconsistent with call graph."
+  }
+
+  query predicate localCallNodes(DataFlowCall call, Node n, string msg) {
+    (
+      n = getAnOutNode(call, _) and
+      msg = "OutNode and call does not share enclosing callable."
+      or
+      n.(ArgumentNode).argumentOf(call, _) and
+      msg = "ArgumentNode and call does not share enclosing callable."
+    ) and
+    n.getEnclosingCallable() != call.getEnclosingCallable()
+  }
+
+  query predicate postIsNotPre(PostUpdateNode n, string msg) {
+    n.getPreUpdateNode() = n and msg = "PostUpdateNode should not equal its pre-update node."
+  }
+
+  query predicate postHasUniquePre(PostUpdateNode n, string msg) {
+    exists(int c |
+      c = count(n.getPreUpdateNode()) and
+      c != 1 and
+      msg = "PostUpdateNode should have one pre-update node but has " + c + "."
+    )
+  }
+
+  query predicate uniquePostUpdate(Node n, string msg) {
+    1 < strictcount(PostUpdateNode post | post.getPreUpdateNode() = n) and
+    msg = "Node has multiple PostUpdateNodes."
+  }
+
+  query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
+    n.getEnclosingCallable() != n.getPreUpdateNode().getEnclosingCallable() and
+    msg = "PostUpdateNode does not share callable with its pre-update node."
+  }
+
+  private predicate hasPost(Node n) { exists(PostUpdateNode post | post.getPreUpdateNode() = n) }
+
+  query predicate reverseRead(Node n, string msg) {
+    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
+    msg = "Origin of readStep is missing a PostUpdateNode."
+  }
+
+  query predicate storeIsPostUpdate(Node n, string msg) {
+    storeStep(_, _, n) and
+    not n instanceof PostUpdateNode and
+    msg = "Store targets should be PostUpdateNodes."
+  }
+
+  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
+    not hasPost(n) and
+    not isImmutableOrUnobservable(n) and
+    msg = "ArgumentNode is missing PostUpdateNode."
+  }
+}

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -202,3 +202,12 @@ class DataFlowCall extends CallInstruction {
 predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } // stub implementation
 
 int accessPathLimit() { result = 5 }
+
+/**
+ * Holds if `n` does not require a `PostUpdateNode` as it either cannot be
+ * modified or its modification cannot be observed, for example if it is a
+ * freshly created object that is not saved in a variable.
+ *
+ * This predicate is only used for consistency checks.
+ */
+predicate isImmutableOrUnobservable(Node n) { none() }

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -1,3 +1,13 @@
+/**
+ * Provides an implementation of global (interprocedural) taint tracking.
+ * This file re-exports the local (intraprocedural) taint-tracking analysis
+ * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
+ * exposed through the `Configuration` class. For some languages, this file
+ * exists in several identical copies, allowing queries to use multiple
+ * `Configuration` classes that depend on each other without introducing
+ * mutual recursion among those configurations.
+ */
+
 import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private
 

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -1,3 +1,13 @@
+/**
+ * Provides an implementation of global (interprocedural) taint tracking.
+ * This file re-exports the local (intraprocedural) taint-tracking analysis
+ * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
+ * exposed through the `Configuration` class. For some languages, this file
+ * exists in several identical copies, allowing queries to use multiple
+ * `Configuration` classes that depend on each other without introducing
+ * mutual recursion among those configurations.
+ */
+
 import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private
 

cpp/ql/src/semmle/code/cpp/ir/implementation/IRConfiguration.qll

@@ -16,6 +16,8 @@ class IRConfiguration extends TIRConfiguration {
    * Holds if IR should be created for function `func`. By default, holds for all functions.
    */
   predicate shouldCreateIRForFunction(Language::Function func) { any() }
+
+  predicate shouldEvaluateDebugStringsForFunction(Language::Function func) { any() }
 }
 
 private newtype TIREscapeAnalysisConfiguration = MkIREscapeAnalysisConfiguration()

cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -70,7 +70,7 @@ private newtype TOpcode =
   TVarArgsStart() or
   TVarArgsEnd() or
   TVarArg() or
-  TVarArgCopy() or
+  TNextVarArg() or
   TCallSideEffect() or
   TCallReadSideEffect() or
   TIndirectReadSideEffect() or
@@ -629,20 +629,20 @@ module Opcode {
     final override string toString() { result = "BuiltIn" }
   }
 
-  class VarArgsStart extends BuiltInOperationOpcode, TVarArgsStart {
+  class VarArgsStart extends UnaryOpcode, TVarArgsStart {
     final override string toString() { result = "VarArgsStart" }
   }
 
-  class VarArgsEnd extends BuiltInOperationOpcode, TVarArgsEnd {
+  class VarArgsEnd extends UnaryOpcode, TVarArgsEnd {
     final override string toString() { result = "VarArgsEnd" }
   }
 
-  class VarArg extends BuiltInOperationOpcode, TVarArg {
+  class VarArg extends UnaryOpcode, TVarArg {
     final override string toString() { result = "VarArg" }
   }
 
-  class VarArgCopy extends BuiltInOperationOpcode, TVarArgCopy {
-    final override string toString() { result = "VarArgCopy" }
+  class NextVarArg extends UnaryOpcode, TNextVarArg {
+    final override string toString() { result = "NextVarArg" }
   }
 
   class CallSideEffect extends WriteSideEffectOpcode, EscapedWriteOpcode, MayWriteOpcode,

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll

@@ -27,6 +27,9 @@ class IRBlockBase extends TIRBlock {
    * by debugging and printing code only.
    */
   int getDisplayIndex() {
+    exists(IRConfiguration::IRConfiguration config |
+      config.shouldEvaluateDebugStringsForFunction(this.getEnclosingFunction())
+    ) and
     this =
       rank[result + 1](IRBlock funcBlock |
         funcBlock.getEnclosingFunction() = getEnclosingFunction()

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll

@@ -5,6 +5,7 @@ import IRTypeSanity // module is in IRType.qll
 module InstructionSanity {
   private import internal.InstructionImports as Imports
   private import Imports::OperandTag
+  private import Imports::Overlap
   private import internal.IRInternal
 
   /**
@@ -272,4 +273,48 @@ module InstructionSanity {
     func = switchInstr.getEnclosingIRFunction() and
     funcText = Language::getIdentityString(func.getFunction())
   }
+
+  /**
+   * Holds if `instr` is on the chain of chi/phi instructions for all aliased
+   * memory.
+   */
+  private predicate isOnAliasedDefinitionChain(Instruction instr) {
+    instr instanceof AliasedDefinitionInstruction
+    or
+    isOnAliasedDefinitionChain(instr.(ChiInstruction).getTotal())
+    or
+    isOnAliasedDefinitionChain(instr.(PhiInstruction).getAnInputOperand().getAnyDef())
+  }
+
+  private predicate shouldBeConflated(Instruction instr) {
+    isOnAliasedDefinitionChain(instr)
+    or
+    instr instanceof UnmodeledDefinitionInstruction
+    or
+    instr.getOpcode() instanceof Opcode::InitializeNonLocal
+  }
+
+  query predicate notMarkedAsConflated(Instruction instr) {
+    shouldBeConflated(instr) and
+    not instr.isResultConflated()
+  }
+
+  query predicate wronglyMarkedAsConflated(Instruction instr) {
+    instr.isResultConflated() and
+    not shouldBeConflated(instr)
+  }
+
+  query predicate invalidOverlap(
+    MemoryOperand useOperand, string message, IRFunction func, string funcText
+  ) {
+    exists(Overlap overlap |
+      overlap = useOperand.getDefinitionOverlap() and
+      overlap instanceof MayPartiallyOverlap and
+      message =
+        "MemoryOperand '" + useOperand.toString() + "' has a `getDefinitionOverlap()` of '" +
+          overlap.toString() + "'." and
+      func = useOperand.getEnclosingIRFunction() and
+      funcText = Language::getIdentityString(func.getFunction())
+    )
+  }
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -213,6 +213,16 @@ class IRThrowVariable extends IRTempVariable {
   final override string getBaseString() { result = "#throw" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IREllipsisVariable extends IRTempVariable {
+  IREllipsisVariable() { tag = EllipsisTempVar() }
+
+  final override string toString() { result = "#ellipsis" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -15,6 +15,9 @@ private import Imports::OperandTag
  * `File` and line number. Used for assigning register names when printing IR.
  */
 private Instruction getAnInstructionAtLine(IRFunction irFunc, Language::File file, int line) {
+  exists(IRConfiguration::IRConfiguration config |
+    config.shouldEvaluateDebugStringsForFunction(irFunc.getFunction())
+  ) and
   exists(Language::Location location |
     irFunc = result.getEnclosingIRFunction() and
     location = result.getLocation() and
@@ -39,6 +42,12 @@ class Instruction extends Construction::TInstruction {
     result = getResultString() + " = " + getOperationString() + " " + getOperandsString()
   }
 
+  private predicate shouldGenerateDumpStrings() {
+    exists(IRConfiguration::IRConfiguration config |
+      config.shouldEvaluateDebugStringsForFunction(this.getEnclosingFunction())
+    )
+  }
+
   /**
    * Gets a string describing the operation of this instruction. This includes
    * the opcode and the immediate value, if any. For example:
@@ -46,6 +55,7 @@ class Instruction extends Construction::TInstruction {
    * VariableAddress[x]
    */
   final string getOperationString() {
+    shouldGenerateDumpStrings() and
     if exists(getImmediateString())
     then result = getOperationPrefix() + getOpcode().toString() + "[" + getImmediateString() + "]"
     else result = getOperationPrefix() + getOpcode().toString()
@@ -57,10 +67,12 @@ class Instruction extends Construction::TInstruction {
   string getImmediateString() { none() }
 
   private string getOperationPrefix() {
+    shouldGenerateDumpStrings() and
     if this instanceof SideEffectInstruction then result = "^" else result = ""
   }
 
   private string getResultPrefix() {
+    shouldGenerateDumpStrings() and
     if getResultIRType() instanceof IRVoidType
     then result = "v"
     else
@@ -74,6 +86,7 @@ class Instruction extends Construction::TInstruction {
    * used by debugging and printing code only.
    */
   int getDisplayIndexInBlock() {
+    shouldGenerateDumpStrings() and
     exists(IRBlock block |
       this = block.getInstruction(result)
       or
@@ -87,6 +100,7 @@ class Instruction extends Construction::TInstruction {
   }
 
   private int getLineRank() {
+    shouldGenerateDumpStrings() and
     this =
       rank[result](Instruction instr |
         instr =
@@ -105,6 +119,7 @@ class Instruction extends Construction::TInstruction {
    * Example: `r1_1`
    */
   string getResultId() {
+    shouldGenerateDumpStrings() and
     result = getResultPrefix() + getAST().getLocation().getStartLine() + "_" + getLineRank()
   }
 
@@ -116,6 +131,7 @@ class Instruction extends Construction::TInstruction {
    * Example: `r1_1(int*)`
    */
   final string getResultString() {
+    shouldGenerateDumpStrings() and
     result = getResultId() + "(" + getResultLanguageType().getDumpString() + ")"
   }
 
@@ -126,6 +142,7 @@ class Instruction extends Construction::TInstruction {
    * Example: `func:r3_4, this:r3_5`
    */
   string getOperandsString() {
+    shouldGenerateDumpStrings() and
     result =
       concat(Operand operand |
         operand = getAnOperand()
@@ -321,6 +338,17 @@ class Instruction extends Construction::TInstruction {
     Construction::hasModeledMemoryResult(this)
   }
 
+  /**
+   * Holds if this is an instruction with a memory result that represents a
+   * conflation of more than one memory allocation.
+   *
+   * This happens in practice when dereferencing a pointer that cannot be
+   * tracked back to a single local allocation. Such memory is instead modeled
+   * as originating on the `AliasedDefinitionInstruction` at the entry of the
+   * function.
+   */
+  final predicate isResultConflated() { Construction::hasConflatedMemoryResult(this) }
+
   /**
    * Gets the successor of this instruction along the control flow edge
    * specified by `kind`.

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll

@@ -384,6 +384,8 @@ class PositionalArgumentOperand extends ArgumentOperand {
 
 class SideEffectOperand extends TypedOperand {
   override SideEffectOperandTag tag;
+
+  override string toString() { result = "SideEffect" }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll

@@ -18,19 +18,19 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
   predicate shouldPrintFunction(Language::Function func) { any() }
 }
 
-private predicate shouldPrintFunction(Language::Function func) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
-}
-
 /**
- * Override of `IRConfiguration` to only create IR for the functions that are to be dumped.
+ * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
  */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldCreateIRForFunction(Language::Function func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
     shouldPrintFunction(func)
   }
 }
 
+private predicate shouldPrintFunction(Language::Function func) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
+}
+
 private string getAdditionalInstructionProperty(Instruction instr, string key) {
   exists(IRPropertyProvider provider | result = provider.getInstructionProperty(instr, key))
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -354,6 +354,7 @@ class AllAliasedMemory extends TAllAliasedMemory, MemoryLocation {
   final override predicate isMayAccess() { isMayAccess = true }
 }
 
+/** A virtual variable that groups all escaped memory within a function. */
 class AliasedVirtualVariable extends AllAliasedMemory, VirtualVariable {
   AliasedVirtualVariable() { not isMayAccess() }
 }
@@ -429,10 +430,18 @@ private Overlap getExtentOverlap(MemoryLocation def, MemoryLocation use) {
       use instanceof EntireAllocationMemoryLocation and
       result instanceof MustExactlyOverlap
       or
-      // EntireAllocationMemoryLocation totally overlaps any location within the same virtual
-      // variable.
       not use instanceof EntireAllocationMemoryLocation and
-      result instanceof MustTotallyOverlap
+      if def.getAllocation() = use.getAllocation()
+      then
+        // EntireAllocationMemoryLocation totally overlaps any location within
+        // the same allocation.
+        result instanceof MustTotallyOverlap
+      else (
+        // There is no overlap with a location that's known to belong to a
+        // different allocation, but all other locations may partially overlap.
+        not exists(use.getAllocation()) and
+        result instanceof MayPartiallyOverlap
+      )
     )
     or
     exists(VariableMemoryLocation defVariableLocation |

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRInternal.qll

@@ -1,2 +1,3 @@
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 import SSAConstruction as Construction
+import semmle.code.cpp.ir.implementation.IRConfiguration as IRConfiguration

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll

@@ -3,3 +3,4 @@ import semmle.code.cpp.ir.implementation.IRType as IRType
 import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind
 import semmle.code.cpp.ir.implementation.Opcode as Opcode
 import semmle.code.cpp.ir.implementation.internal.OperandTag as OperandTag
+import semmle.code.cpp.ir.internal.Overlap as Overlap

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -65,6 +65,29 @@ private module Cached {
     instruction instanceof ChiInstruction // Chis always have modeled results
   }
 
+  cached
+  predicate hasConflatedMemoryResult(Instruction instruction) {
+    instruction instanceof UnmodeledDefinitionInstruction
+    or
+    instruction instanceof AliasedDefinitionInstruction
+    or
+    instruction.getOpcode() instanceof Opcode::InitializeNonLocal
+    or
+    // Chi instructions track virtual variables, and therefore a chi instruction is
+    // conflated if it's associated with the aliased virtual variable.
+    exists(OldInstruction oldInstruction | instruction = Chi(oldInstruction) |
+      Alias::getResultMemoryLocation(oldInstruction).getVirtualVariable() instanceof
+        Alias::AliasedVirtualVariable
+    )
+    or
+    // Phi instructions track locations, and therefore a phi instruction is
+    // conflated if it's associated with a conflated location.
+    exists(Alias::MemoryLocation location |
+      instruction = Phi(_, location) and
+      not exists(location.getAllocation())
+    )
+  }
+
   cached
   Instruction getRegisterOperandDefinition(Instruction instruction, RegisterOperandTag tag) {
     exists(OldInstruction oldInstruction, OldIR::RegisterOperand oldOperand |
@@ -84,14 +107,15 @@ private module Cached {
     oldOperand instanceof OldIR::NonPhiMemoryOperand and
     exists(
       OldBlock useBlock, int useRank, Alias::MemoryLocation useLocation,
-      Alias::MemoryLocation defLocation, OldBlock defBlock, int defRank, int defOffset
+      Alias::MemoryLocation defLocation, OldBlock defBlock, int defRank, int defOffset,
+      Alias::MemoryLocation actualDefLocation
     |
       useLocation = Alias::getOperandMemoryLocation(oldOperand) and
       hasUseAtRank(useLocation, useBlock, useRank, oldInstruction) and
       definitionReachesUse(useLocation, defBlock, defRank, useBlock, useRank) and
       hasDefinitionAtRank(useLocation, defLocation, defBlock, defRank, defOffset) and
-      instr = getDefinitionOrChiInstruction(defBlock, defOffset, defLocation, _) and
-      overlap = Alias::getOverlap(defLocation, useLocation)
+      instr = getDefinitionOrChiInstruction(defBlock, defOffset, defLocation, actualDefLocation) and
+      overlap = Alias::getOverlap(actualDefLocation, useLocation)
     )
   }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll

@@ -27,6 +27,9 @@ class IRBlockBase extends TIRBlock {
    * by debugging and printing code only.
    */
   int getDisplayIndex() {
+    exists(IRConfiguration::IRConfiguration config |
+      config.shouldEvaluateDebugStringsForFunction(this.getEnclosingFunction())
+    ) and
     this =
       rank[result + 1](IRBlock funcBlock |
         funcBlock.getEnclosingFunction() = getEnclosingFunction()

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll

@@ -5,6 +5,7 @@ import IRTypeSanity // module is in IRType.qll
 module InstructionSanity {
   private import internal.InstructionImports as Imports
   private import Imports::OperandTag
+  private import Imports::Overlap
   private import internal.IRInternal
 
   /**
@@ -272,4 +273,48 @@ module InstructionSanity {
     func = switchInstr.getEnclosingIRFunction() and
     funcText = Language::getIdentityString(func.getFunction())
   }
+
+  /**
+   * Holds if `instr` is on the chain of chi/phi instructions for all aliased
+   * memory.
+   */
+  private predicate isOnAliasedDefinitionChain(Instruction instr) {
+    instr instanceof AliasedDefinitionInstruction
+    or
+    isOnAliasedDefinitionChain(instr.(ChiInstruction).getTotal())
+    or
+    isOnAliasedDefinitionChain(instr.(PhiInstruction).getAnInputOperand().getAnyDef())
+  }
+
+  private predicate shouldBeConflated(Instruction instr) {
+    isOnAliasedDefinitionChain(instr)
+    or
+    instr instanceof UnmodeledDefinitionInstruction
+    or
+    instr.getOpcode() instanceof Opcode::InitializeNonLocal
+  }
+
+  query predicate notMarkedAsConflated(Instruction instr) {
+    shouldBeConflated(instr) and
+    not instr.isResultConflated()
+  }
+
+  query predicate wronglyMarkedAsConflated(Instruction instr) {
+    instr.isResultConflated() and
+    not shouldBeConflated(instr)
+  }
+
+  query predicate invalidOverlap(
+    MemoryOperand useOperand, string message, IRFunction func, string funcText
+  ) {
+    exists(Overlap overlap |
+      overlap = useOperand.getDefinitionOverlap() and
+      overlap instanceof MayPartiallyOverlap and
+      message =
+        "MemoryOperand '" + useOperand.toString() + "' has a `getDefinitionOverlap()` of '" +
+          overlap.toString() + "'." and
+      func = useOperand.getEnclosingIRFunction() and
+      funcText = Language::getIdentityString(func.getFunction())
+    )
+  }
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -213,6 +213,16 @@ class IRThrowVariable extends IRTempVariable {
   final override string getBaseString() { result = "#throw" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IREllipsisVariable extends IRTempVariable {
+  IREllipsisVariable() { tag = EllipsisTempVar() }
+
+  final override string toString() { result = "#ellipsis" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -15,6 +15,9 @@ private import Imports::OperandTag
  * `File` and line number. Used for assigning register names when printing IR.
  */
 private Instruction getAnInstructionAtLine(IRFunction irFunc, Language::File file, int line) {
+  exists(IRConfiguration::IRConfiguration config |
+    config.shouldEvaluateDebugStringsForFunction(irFunc.getFunction())
+  ) and
   exists(Language::Location location |
     irFunc = result.getEnclosingIRFunction() and
     location = result.getLocation() and
@@ -39,6 +42,12 @@ class Instruction extends Construction::TInstruction {
     result = getResultString() + " = " + getOperationString() + " " + getOperandsString()
   }
 
+  private predicate shouldGenerateDumpStrings() {
+    exists(IRConfiguration::IRConfiguration config |
+      config.shouldEvaluateDebugStringsForFunction(this.getEnclosingFunction())
+    )
+  }
+
   /**
    * Gets a string describing the operation of this instruction. This includes
    * the opcode and the immediate value, if any. For example:
@@ -46,6 +55,7 @@ class Instruction extends Construction::TInstruction {
    * VariableAddress[x]
    */
   final string getOperationString() {
+    shouldGenerateDumpStrings() and
     if exists(getImmediateString())
     then result = getOperationPrefix() + getOpcode().toString() + "[" + getImmediateString() + "]"
     else result = getOperationPrefix() + getOpcode().toString()
@@ -57,10 +67,12 @@ class Instruction extends Construction::TInstruction {
   string getImmediateString() { none() }
 
   private string getOperationPrefix() {
+    shouldGenerateDumpStrings() and
     if this instanceof SideEffectInstruction then result = "^" else result = ""
   }
 
   private string getResultPrefix() {
+    shouldGenerateDumpStrings() and
     if getResultIRType() instanceof IRVoidType
     then result = "v"
     else
@@ -74,6 +86,7 @@ class Instruction extends Construction::TInstruction {
    * used by debugging and printing code only.
    */
   int getDisplayIndexInBlock() {
+    shouldGenerateDumpStrings() and
     exists(IRBlock block |
       this = block.getInstruction(result)
       or
@@ -87,6 +100,7 @@ class Instruction extends Construction::TInstruction {
   }
 
   private int getLineRank() {
+    shouldGenerateDumpStrings() and
     this =
       rank[result](Instruction instr |
         instr =
@@ -105,6 +119,7 @@ class Instruction extends Construction::TInstruction {
    * Example: `r1_1`
    */
   string getResultId() {
+    shouldGenerateDumpStrings() and
     result = getResultPrefix() + getAST().getLocation().getStartLine() + "_" + getLineRank()
   }
 
@@ -116,6 +131,7 @@ class Instruction extends Construction::TInstruction {
    * Example: `r1_1(int*)`
    */
   final string getResultString() {
+    shouldGenerateDumpStrings() and
     result = getResultId() + "(" + getResultLanguageType().getDumpString() + ")"
   }
 
@@ -126,6 +142,7 @@ class Instruction extends Construction::TInstruction {
    * Example: `func:r3_4, this:r3_5`
    */
   string getOperandsString() {
+    shouldGenerateDumpStrings() and
     result =
       concat(Operand operand |
         operand = getAnOperand()
@@ -321,6 +338,17 @@ class Instruction extends Construction::TInstruction {
     Construction::hasModeledMemoryResult(this)
   }
 
+  /**
+   * Holds if this is an instruction with a memory result that represents a
+   * conflation of more than one memory allocation.
+   *
+   * This happens in practice when dereferencing a pointer that cannot be
+   * tracked back to a single local allocation. Such memory is instead modeled
+   * as originating on the `AliasedDefinitionInstruction` at the entry of the
+   * function.
+   */
+  final predicate isResultConflated() { Construction::hasConflatedMemoryResult(this) }
+
   /**
    * Gets the successor of this instruction along the control flow edge
    * specified by `kind`.

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll

@@ -384,6 +384,8 @@ class PositionalArgumentOperand extends ArgumentOperand {
 
 class SideEffectOperand extends TypedOperand {
   override SideEffectOperandTag tag;
+
+  override string toString() { result = "SideEffect" }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll

@@ -18,19 +18,19 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
   predicate shouldPrintFunction(Language::Function func) { any() }
 }
 
-private predicate shouldPrintFunction(Language::Function func) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
-}
-
 /**
- * Override of `IRConfiguration` to only create IR for the functions that are to be dumped.
+ * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
  */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldCreateIRForFunction(Language::Function func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
     shouldPrintFunction(func)
   }
 }
 
+private predicate shouldPrintFunction(Language::Function func) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
+}
+
 private string getAdditionalInstructionProperty(Instruction instr, string key) {
   exists(IRPropertyProvider provider | result = provider.getInstructionProperty(instr, key))
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -61,6 +61,15 @@ private module Cached {
   cached
   predicate hasModeledMemoryResult(Instruction instruction) { none() }
 
+  cached
+  predicate hasConflatedMemoryResult(Instruction instruction) {
+    instruction instanceof UnmodeledDefinitionInstruction
+    or
+    instruction instanceof AliasedDefinitionInstruction
+    or
+    instruction.getOpcode() instanceof Opcode::InitializeNonLocal
+  }
+
   cached
   Expr getInstructionConvertedResultExpression(Instruction instruction) {
     exists(TranslatedExpr translatedExpr |

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRInternal.qll

@@ -1,2 +1,3 @@
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 import IRConstruction as Construction
+import semmle.code.cpp.ir.implementation.IRConfiguration as IRConfiguration

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll

@@ -3,3 +3,4 @@ import semmle.code.cpp.ir.implementation.IRType as IRType
 import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind
 import semmle.code.cpp.ir.implementation.Opcode as Opcode
 import semmle.code.cpp.ir.implementation.internal.OperandTag as OperandTag
+import semmle.code.cpp.ir.internal.Overlap as Overlap

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -64,6 +64,13 @@ newtype TInstructionTag =
   InitializerElementAddressTag() or
   InitializerElementDefaultValueTag() or
   InitializerElementDefaultValueStoreTag() or
+  VarArgsStartEllipsisAddressTag() or
+  VarArgsStartTag() or
+  VarArgsVAListLoadTag() or
+  VarArgsArgAddressTag() or
+  VarArgsArgLoadTag() or
+  VarArgsMoveNextTag() or
+  VarArgsVAListStoreTag() or
   AsmTag() or
   AsmInputTag(int elementIndex) { exists(AsmStmt asm | exists(asm.getChild(elementIndex))) }
 
@@ -188,6 +195,20 @@ string getInstructionTagId(TInstructionTag tag) {
   or
   tag = InitializerElementDefaultValueStoreTag() and result = "InitElemDefValStore"
   or
+  tag = VarArgsStartEllipsisAddressTag() and result = "VarArgsStartEllipsisAddr"
+  or
+  tag = VarArgsStartTag() and result = "VarArgsStart"
+  or
+  tag = VarArgsVAListLoadTag() and result = "VarArgsVAListLoad"
+  or
+  tag = VarArgsArgAddressTag() and result = "VarArgsArgAddr"
+  or
+  tag = VarArgsArgLoadTag() and result = "VaArgsArgLoad"
+  or
+  tag = VarArgsMoveNextTag() and result = "VarArgsMoveNext"
+  or
+  tag = VarArgsVAListStoreTag() and result = "VarArgsVAListStore"
+  or
   tag = AsmTag() and result = "Asm"
   or
   exists(int index | tag = AsmInputTag(index) and result = "AsmInputTag(" + index + ")")

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -83,6 +83,10 @@ private predicate ignoreExprAndDescendants(Expr expr) {
   exists(DeleteExpr deleteExpr | deleteExpr.getAllocatorCall() = expr)
   or
   exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getAllocatorCall() = expr)
+  or
+  exists(BuiltInVarArgsStart vaStartExpr |
+    vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
+  )
 }
 
 /**
@@ -402,6 +406,7 @@ newtype TTranslatedElement =
       translateFunction(func)
     )
   } or
+  TTranslatedEllipsisParameter(Function func) { translateFunction(func) and func.isVarargs() } or
   TTranslatedReadEffects(Function func) { translateFunction(func) } or
   // The read side effects in a function's return block
   TTranslatedReadEffect(Parameter param) {

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -2020,7 +2020,12 @@ class TranslatedBuiltInOperation extends TranslatedNonConstantExpr {
   override BuiltInOperation expr;
 
   TranslatedBuiltInOperation() {
-    not expr instanceof BuiltInOperationBuiltInAddressOf // Handled specially
+    // The following expressions are handled specially.
+    not expr instanceof BuiltInOperationBuiltInAddressOf and
+    not expr instanceof BuiltInVarArgsStart and
+    not expr instanceof BuiltInVarArg and
+    not expr instanceof BuiltInVarArgsEnd and
+    not expr instanceof BuiltInVarArgCopy
   }
 
   final override Instruction getResult() { result = getInstruction(OnlyInstructionTag()) }
@@ -2075,39 +2080,318 @@ class TranslatedBuiltInOperation extends TranslatedNonConstantExpr {
 }
 
 /**
- * The IR translation of a `BuiltInVarArgsStart` expression.
+ * Holds if the expression `expr` is one of the `va_list` operands to a `va_*` macro.
  */
-class TranslatedVarArgsStart extends TranslatedBuiltInOperation {
-  override BuiltInVarArgsStart expr;
-
-  final override Opcode getOpcode() { result instanceof Opcode::VarArgsStart }
+private predicate isVAListExpr(Expr expr) {
+  exists(VarArgsExpr parent, Expr originalExpr |
+    (
+      originalExpr = parent.(BuiltInVarArgsStart).getVAList()
+      or
+      originalExpr = parent.(BuiltInVarArgsEnd).getVAList()
+      or
+      originalExpr = parent.(BuiltInVarArg).getVAList()
+      or
+      originalExpr = parent.(BuiltInVarArgCopy).getSourceVAList()
+      or
+      originalExpr = parent.(BuiltInVarArgCopy).getDestinationVAList()
+    ) and
+    expr = originalExpr.getFullyConverted()
+  )
 }
 
 /**
- * The IR translation of a `BuiltInVarArgsEnd` expression.
+ * Gets the type of the `va_list` being accessed by `expr`, where `expr` is a `va_list` operand of a
+ * `va_*` macro.
+ *
+ * In the Unix ABI, `va_list` is declared as `typedef struct __va_list_tag va_list[1];`. When used
+ * as the type of a local variable, this gets an implicit array-to-pointer conversion, so that the
+ * actual argument to the `va_*` macro is a prvalue of type `__va_list_tag*`. When used as the type
+ * of a function parameter, the parameter's type decays to `__va_list_tag*`, so that the argument
+ * to the `va_*` macro is still a prvalue of type `__va_list_tag*`, with no implicit conversion
+ * necessary. In either case, we treat `__va_list_tag` as the representative type of the `va_list`.
+ *
+ * In the Windows ABI, `va_list` is declared as a pointer type (usually `char*`). Whether used as
+ * the type of a local variable or of a parameter, this means that the argument to the `va_*` macro
+ * is always an _lvalue_ of type `char*`. We treat `char*` as the representative type of the
+ * `va_list`.
  */
-class TranslatedVarArgsEnd extends TranslatedBuiltInOperation {
-  override BuiltInVarArgsEnd expr;
+private Type getVAListType(Expr expr) {
+  isVAListExpr(expr) and
+  if expr.isPRValueCategory()
+  then
+    // In the Unix ABI, this will be a prvalue of type `__va_list_tag*`. We want the `__va_list_tag`
+    // type.
+    result = expr.getType().getUnderlyingType().(PointerType).getBaseType()
+  else
+    // In the Windows ABI, this will be an lvalue of some pointer type. We want that pointer type.
+    result = expr.getType()
+}
 
-  final override Opcode getOpcode() { result instanceof Opcode::VarArgsEnd }
+/**
+ * The IR translation of a `BuiltInVarArgsStart` expression.
+ */
+class TranslatedVarArgsStart extends TranslatedNonConstantExpr {
+  override BuiltInVarArgsStart expr;
+
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    tag = VarArgsStartEllipsisAddressTag() and
+    opcode instanceof Opcode::VariableAddress and
+    resultType = getEllipsisVariableGLValueType()
+    or
+    tag = VarArgsStartTag() and
+    opcode instanceof Opcode::VarArgsStart and
+    resultType = getTypeForPRValue(getVAListType(expr.getVAList().getFullyConverted()))
+    or
+    tag = VarArgsVAListStoreTag() and
+    opcode instanceof Opcode::Store and
+    resultType = getTypeForPRValue(getVAListType(expr.getVAList().getFullyConverted()))
+  }
+
+  final override Instruction getFirstInstruction() {
+    result = getInstruction(VarArgsStartEllipsisAddressTag())
+  }
+
+  final override Instruction getResult() { none() }
+
+  final override TranslatedElement getChild(int id) { id = 0 and result = getVAList() }
+
+  private TranslatedExpr getVAList() {
+    result = getTranslatedExpr(expr.getVAList().getFullyConverted())
+  }
+
+  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    tag = VarArgsStartEllipsisAddressTag() and
+    kind instanceof GotoEdge and
+    result = getInstruction(VarArgsStartTag())
+    or
+    tag = VarArgsStartTag() and
+    kind instanceof GotoEdge and
+    result = getVAList().getFirstInstruction()
+    or
+    tag = VarArgsVAListStoreTag() and
+    kind instanceof GotoEdge and
+    result = getParent().getChildSuccessor(this)
+  }
+
+  final override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getVAList() and
+    result = getInstruction(VarArgsVAListStoreTag())
+  }
+
+  final override IRVariable getInstructionVariable(InstructionTag tag) {
+    tag = VarArgsStartEllipsisAddressTag() and
+    result = getEnclosingFunction().getEllipsisVariable()
+  }
+
+  final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = VarArgsStartTag() and
+    operandTag instanceof UnaryOperandTag and
+    result = getInstruction(VarArgsStartEllipsisAddressTag())
+    or
+    tag = VarArgsVAListStoreTag() and
+    (
+      operandTag instanceof AddressOperandTag and result = getVAList().getResult()
+      or
+      operandTag instanceof StoreValueOperandTag and result = getInstruction(VarArgsStartTag())
+    )
+  }
 }
 
 /**
  * The IR translation of a `BuiltInVarArg` expression.
  */
-class TranslatedVarArg extends TranslatedBuiltInOperation {
+class TranslatedVarArg extends TranslatedNonConstantExpr {
   override BuiltInVarArg expr;
 
-  final override Opcode getOpcode() { result instanceof Opcode::VarArg }
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    tag = VarArgsVAListLoadTag() and
+    opcode instanceof Opcode::Load and
+    resultType = getTypeForPRValue(getVAListType(expr.getVAList().getFullyConverted()))
+    or
+    tag = VarArgsArgAddressTag() and
+    opcode instanceof Opcode::VarArg and
+    resultType = getResultType()
+    or
+    tag = VarArgsMoveNextTag() and
+    opcode instanceof Opcode::NextVarArg and
+    resultType = getTypeForPRValue(getVAListType(expr.getVAList().getFullyConverted()))
+    or
+    tag = VarArgsVAListStoreTag() and
+    opcode instanceof Opcode::Store and
+    resultType = getTypeForPRValue(getVAListType(expr.getVAList().getFullyConverted()))
+  }
+
+  final override Instruction getFirstInstruction() { result = getVAList().getFirstInstruction() }
+
+  final override Instruction getResult() { result = getInstruction(VarArgsArgAddressTag()) }
+
+  final override TranslatedElement getChild(int id) { id = 0 and result = getVAList() }
+
+  private TranslatedExpr getVAList() {
+    result = getTranslatedExpr(expr.getVAList().getFullyConverted())
+  }
+
+  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    tag = VarArgsVAListLoadTag() and
+    kind instanceof GotoEdge and
+    result = getInstruction(VarArgsArgAddressTag())
+    or
+    tag = VarArgsArgAddressTag() and
+    kind instanceof GotoEdge and
+    result = getInstruction(VarArgsMoveNextTag())
+    or
+    tag = VarArgsMoveNextTag() and
+    kind instanceof GotoEdge and
+    result = getInstruction(VarArgsVAListStoreTag())
+    or
+    tag = VarArgsVAListStoreTag() and
+    kind instanceof GotoEdge and
+    result = getParent().getChildSuccessor(this)
+  }
+
+  final override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getVAList() and
+    result = getInstruction(VarArgsVAListLoadTag())
+  }
+
+  final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = VarArgsVAListLoadTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = getVAList().getResult()
+      or
+      operandTag instanceof LoadOperandTag and
+      result = getEnclosingFunction().getUnmodeledDefinitionInstruction()
+    )
+    or
+    tag = VarArgsArgAddressTag() and
+    operandTag instanceof UnaryOperandTag and
+    result = getInstruction(VarArgsVAListLoadTag())
+    or
+    tag = VarArgsMoveNextTag() and
+    operandTag instanceof UnaryOperandTag and
+    result = getInstruction(VarArgsVAListLoadTag())
+    or
+    tag = VarArgsVAListStoreTag() and
+    (
+      operandTag instanceof AddressOperandTag and result = getVAList().getResult()
+      or
+      operandTag instanceof StoreValueOperandTag and result = getInstruction(VarArgsMoveNextTag())
+    )
+  }
+}
+
+/**
+ * The IR translation of a `BuiltInVarArgsEnd` expression.
+ */
+class TranslatedVarArgsEnd extends TranslatedNonConstantExpr {
+  override BuiltInVarArgsEnd expr;
+
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    tag = OnlyInstructionTag() and
+    opcode instanceof Opcode::VarArgsEnd and
+    resultType = getVoidType()
+  }
+
+  final override Instruction getFirstInstruction() { result = getVAList().getFirstInstruction() }
+
+  final override Instruction getResult() { none() }
+
+  final override TranslatedElement getChild(int id) { id = 0 and result = getVAList() }
+
+  private TranslatedExpr getVAList() {
+    result = getTranslatedExpr(expr.getVAList().getFullyConverted())
+  }
+
+  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    tag = OnlyInstructionTag() and
+    kind instanceof GotoEdge and
+    result = getParent().getChildSuccessor(this)
+  }
+
+  final override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getVAList() and
+    result = getInstruction(OnlyInstructionTag())
+  }
+
+  final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = OnlyInstructionTag() and
+    operandTag instanceof UnaryOperandTag and
+    result = getVAList().getResult()
+  }
 }
 
 /**
  * The IR translation of a `BuiltInVarArgCopy` expression.
  */
-class TranslatedVarArgCopy extends TranslatedBuiltInOperation {
+class TranslatedVarArgCopy extends TranslatedNonConstantExpr {
   override BuiltInVarArgCopy expr;
 
-  final override Opcode getOpcode() { result instanceof Opcode::VarArgCopy }
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    tag = VarArgsVAListLoadTag() and
+    opcode instanceof Opcode::Load and
+    resultType = getTypeForPRValue(getVAListType(expr.getSourceVAList().getFullyConverted()))
+    or
+    tag = VarArgsVAListStoreTag() and
+    opcode instanceof Opcode::Store and
+    resultType = getTypeForPRValue(getVAListType(expr.getDestinationVAList().getFullyConverted()))
+  }
+
+  final override Instruction getFirstInstruction() {
+    result = getSourceVAList().getFirstInstruction()
+  }
+
+  final override Instruction getResult() { result = getInstruction(VarArgsVAListStoreTag()) }
+
+  final override TranslatedElement getChild(int id) {
+    id = 0 and result = getDestinationVAList()
+    or
+    id = 1 and result = getSourceVAList()
+  }
+
+  private TranslatedExpr getDestinationVAList() {
+    result = getTranslatedExpr(expr.getDestinationVAList().getFullyConverted())
+  }
+
+  private TranslatedExpr getSourceVAList() {
+    result = getTranslatedExpr(expr.getSourceVAList().getFullyConverted())
+  }
+
+  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    tag = VarArgsVAListLoadTag() and
+    kind instanceof GotoEdge and
+    result = getDestinationVAList().getFirstInstruction()
+    or
+    tag = VarArgsVAListStoreTag() and
+    kind instanceof GotoEdge and
+    result = getParent().getChildSuccessor(this)
+  }
+
+  final override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getSourceVAList() and
+    result = getInstruction(VarArgsVAListLoadTag())
+    or
+    child = getDestinationVAList() and
+    result = getInstruction(VarArgsVAListStoreTag())
+  }
+
+  final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = VarArgsVAListLoadTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = getSourceVAList().getResult()
+      or
+      operandTag instanceof LoadOperandTag and
+      result = getEnclosingFunction().getUnmodeledDefinitionInstruction()
+    )
+    or
+    tag = VarArgsVAListStoreTag() and
+    (
+      operandTag instanceof AddressOperandTag and result = getDestinationVAList().getResult()
+      or
+      operandTag instanceof StoreValueOperandTag and result = getInstruction(VarArgsVAListLoadTag())
+    )
+  }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -10,12 +10,45 @@ private import TranslatedElement
 private import TranslatedExpr
 private import TranslatedInitialization
 private import TranslatedStmt
+private import VarArgs
 
 /**
  * Gets the `TranslatedFunction` that represents function `func`.
  */
 TranslatedFunction getTranslatedFunction(Function func) { result.getAST() = func }
 
+/**
+ * Gets the size, in bytes, of the variable used to represent the `...` parameter in a varargs
+ * function. This is determined by finding the total size of all of the arguments passed to the
+ * `...` in each call in the program, and choosing the maximum of those, with a minimum of 8 bytes.
+ */
+private int getEllipsisVariableByteSize() {
+  result =
+    max(int variableSize |
+      variableSize =
+        max(Call call, int callSize |
+          callSize =
+            sum(int argIndex |
+              isEllipsisArgumentIndex(call, argIndex)
+            |
+              call.getArgument(argIndex).getType().getSize()
+            )
+        |
+          callSize
+        )
+      or
+      variableSize = 8
+    |
+      variableSize
+    )
+}
+
+CppType getEllipsisVariablePRValueType() {
+  result = getUnknownOpaqueType(getEllipsisVariableByteSize())
+}
+
+CppType getEllipsisVariableGLValueType() { result = getTypeForGLValue(any(UnknownType t)) }
+
 /**
  * Represents the IR translation of a function. This is the root elements for
  * all other elements associated with this function.
@@ -60,6 +93,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
 
   final private TranslatedParameter getParameter(int index) {
     result = getTranslatedParameter(func.getParameter(index))
+    or
+    index = getEllipsisParameterIndexForFunction(func) and
+    result = getTranslatedEllipsisParameter(func)
   }
 
   final override Instruction getFirstInstruction() { result = getInstruction(EnterFunctionTag()) }
@@ -113,7 +149,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
   final override Instruction getChildSuccessor(TranslatedElement child) {
     exists(int paramIndex |
       child = getParameter(paramIndex) and
-      if exists(func.getParameter(paramIndex + 1))
+      if
+        exists(func.getParameter(paramIndex + 1)) or
+        getEllipsisParameterIndexForFunction(func) = paramIndex + 1
       then result = getParameter(paramIndex + 1).getFirstInstruction()
       else result = getConstructorInitList().getFirstInstruction()
     )
@@ -237,10 +275,18 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     result = getReturnVariable()
   }
 
+  final override predicate needsUnknownOpaqueType(int byteSize) {
+    byteSize = getEllipsisVariableByteSize()
+  }
+
   final override predicate hasTempVariable(TempVariableTag tag, CppType type) {
     tag = ReturnValueTempVar() and
     hasReturnValue() and
     type = getTypeForPRValue(getReturnType())
+    or
+    tag = EllipsisTempVar() and
+    func.isVarargs() and
+    type = getEllipsisVariablePRValueType()
   }
 
   /**
@@ -258,6 +304,11 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
     result = getIRTempVariable(func, ReturnValueTempVar())
   }
 
+  /**
+   * Get the variable that represents the `...` parameter, if any.
+   */
+  final IREllipsisVariable getEllipsisVariable() { result.getEnclosingFunction() = func }
+
   /**
    * Holds if the function has a non-`void` return type.
    */
@@ -316,34 +367,29 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
 }
 
 /**
- * Gets the `TranslatedParameter` that represents parameter `param`.
+ * Gets the `TranslatedPositionalParameter` that represents parameter `param`.
  */
-TranslatedParameter getTranslatedParameter(Parameter param) { result.getAST() = param }
+TranslatedPositionalParameter getTranslatedParameter(Parameter param) { result.getAST() = param }
 
 /**
- * Represents the IR translation of a function parameter, including the
- * initialization of that parameter with the incoming argument.
+ * Gets the `TranslatedEllipsisParameter` for function `func`, if one exists.
  */
-class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
-  Parameter param;
+TranslatedEllipsisParameter getTranslatedEllipsisParameter(Function func) {
+  result.getFunction() = func
+}
 
-  TranslatedParameter() { this = TTranslatedParameter(param) }
-
-  final override string toString() { result = param.toString() }
-
-  final override Locatable getAST() { result = param }
-
-  final override Function getFunction() {
-    result = param.getFunction() or
-    result = param.getCatchBlock().getEnclosingFunction()
-  }
+/**
+ * The IR translation of a parameter to a function. This can be either a user-declared parameter
+ * (`TranslatedPositionParameter`) or the synthesized parameter used to represent a `...` in a
+ * varargs function (`TranslatedEllipsisParameter`).
+ */
+abstract class TranslatedParameter extends TranslatedElement {
+  final override TranslatedElement getChild(int id) { none() }
 
   final override Instruction getFirstInstruction() {
     result = getInstruction(InitializerVariableAddressTag())
   }
 
-  final override TranslatedElement getChild(int id) { none() }
-
   final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     kind instanceof GotoEdge and
     (
@@ -368,16 +414,16 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
   final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
     tag = InitializerVariableAddressTag() and
     opcode instanceof Opcode::VariableAddress and
-    resultType = getTypeForGLValue(getVariableType(param))
+    resultType = getGLValueType()
     or
     tag = InitializerStoreTag() and
     opcode instanceof Opcode::InitializeParameter and
-    resultType = getTypeForPRValue(getVariableType(param))
+    resultType = getPRValueType()
     or
     hasIndirection() and
     tag = InitializerIndirectAddressTag() and
     opcode instanceof Opcode::Load and
-    resultType = getTypeForPRValue(getVariableType(param))
+    resultType = getPRValueType()
     or
     hasIndirection() and
     tag = InitializerIndirectStoreTag() and
@@ -391,7 +437,7 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
       tag = InitializerVariableAddressTag() or
       tag = InitializerIndirectStoreTag()
     ) and
-    result = getIRUserVariable(getFunction(), param)
+    result = getIRVariable()
   }
 
   final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
@@ -416,13 +462,74 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter {
     result = getInstruction(InitializerIndirectAddressTag())
   }
 
-  predicate hasIndirection() {
+  abstract predicate hasIndirection();
+
+  abstract CppType getGLValueType();
+
+  abstract CppType getPRValueType();
+
+  abstract IRAutomaticVariable getIRVariable();
+}
+
+/**
+ * Represents the IR translation of a function parameter, including the
+ * initialization of that parameter with the incoming argument.
+ */
+class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedParameter {
+  Parameter param;
+
+  TranslatedPositionalParameter() { this = TTranslatedParameter(param) }
+
+  final override string toString() { result = param.toString() }
+
+  final override Locatable getAST() { result = param }
+
+  final override Function getFunction() {
+    result = param.getFunction() or
+    result = param.getCatchBlock().getEnclosingFunction()
+  }
+
+  final override predicate hasIndirection() {
     exists(Type t | t = param.getUnspecifiedType() |
       t instanceof ArrayType or
       t instanceof PointerType or
       t instanceof ReferenceType
     )
   }
+
+  final override CppType getGLValueType() { result = getTypeForGLValue(getVariableType(param)) }
+
+  final override CppType getPRValueType() { result = getTypeForPRValue(getVariableType(param)) }
+
+  final override IRAutomaticUserVariable getIRVariable() {
+    result = getIRUserVariable(getFunction(), param)
+  }
+}
+
+/**
+ * The IR translation of the synthesized parameter used to represent the `...` in a varargs
+ * function.
+ */
+class TranslatedEllipsisParameter extends TranslatedParameter, TTranslatedEllipsisParameter {
+  Function func;
+
+  TranslatedEllipsisParameter() { this = TTranslatedEllipsisParameter(func) }
+
+  final override string toString() { result = "..." }
+
+  final override Locatable getAST() { result = func }
+
+  final override Function getFunction() { result = func }
+
+  final override predicate hasIndirection() { any() }
+
+  final override CppType getGLValueType() { result = getEllipsisVariableGLValueType() }
+
+  final override CppType getPRValueType() { result = getEllipsisVariablePRValueType() }
+
+  final override IREllipsisVariable getIRVariable() {
+    result = getTranslatedFunction(func).getEllipsisVariable()
+  }
 }
 
 private TranslatedConstructorInitList getTranslatedConstructorInitList(Function func) {

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/VarArgs.qll

@@ -0,0 +1,62 @@
+/**
+ * Utilities for determining which parameters and arguments correspond to the `...` parameter for
+ * varargs functions.
+ */
+
+private import cpp
+
+/**
+ * Gets the index of the `...` parameter, if any. If present, the value will always be equal to
+ * `func.getNumberOfParameters()`.
+ */
+int getEllipsisParameterIndexForFunction(Function func) {
+  func.isVarargs() and result = func.getNumberOfParameters()
+}
+
+/**
+ * Gets the index of the `...` parameter, if any.
+ */
+int getEllipsisParameterIndexForRoutineType(RoutineType type) {
+  // Since the extractor doesn't record this information directly, we look for routine types whose
+  // last parameter type is `UnknownType`.
+  type.getParameterType(result) instanceof UnknownType and
+  result = strictcount(type.getAParameterType()) - 1
+}
+
+/**
+ * Gets the index of the `...` parameter, if any. This will be one greater than the index of the
+ * last declared positional parameter.
+ */
+int getEllipsisParameterIndex(Call call) {
+  exists(FunctionCall funcCall |
+    funcCall = call and
+    if funcCall.getTargetType() instanceof RoutineType
+    then result = getEllipsisParameterIndexForRoutineType(funcCall.getTargetType())
+    else result = getEllipsisParameterIndexForFunction(funcCall.getTarget())
+  )
+  or
+  exists(ExprCall exprCall |
+    exprCall = call and
+    result = getEllipsisParameterIndexForRoutineType(exprCall.getExpr().getType().stripType())
+  )
+}
+
+/**
+ * Gets the index of the parameter that will be initialized with the value of the argument
+ * specified by `argIndex`. For ordinary positional parameters, the argument and parameter indices
+ * will be equal. For a call to a varargs function, all arguments passed to the `...` will be
+ * mapped to the index returned by `getEllipsisParameterIndex()`.
+ */
+int getParameterIndexForArgument(Call call, int argIndex) {
+  exists(call.getArgument(argIndex)) and
+  if argIndex >= getEllipsisParameterIndex(call)
+  then result = getEllipsisParameterIndex(call)
+  else result = argIndex
+}
+
+/**
+ * Holds if the argument specified by `index` is an argument to the `...` of a varargs function.
+ */
+predicate isEllipsisArgumentIndex(Call call, int index) {
+  exists(call.getArgument(index)) and index >= getEllipsisParameterIndex(call)
+}

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll

@@ -27,6 +27,9 @@ class IRBlockBase extends TIRBlock {
    * by debugging and printing code only.
    */
   int getDisplayIndex() {
+    exists(IRConfiguration::IRConfiguration config |
+      config.shouldEvaluateDebugStringsForFunction(this.getEnclosingFunction())
+    ) and
     this =
       rank[result + 1](IRBlock funcBlock |
         funcBlock.getEnclosingFunction() = getEnclosingFunction()

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll

@@ -5,6 +5,7 @@ import IRTypeSanity // module is in IRType.qll
 module InstructionSanity {
   private import internal.InstructionImports as Imports
   private import Imports::OperandTag
+  private import Imports::Overlap
   private import internal.IRInternal
 
   /**
@@ -272,4 +273,48 @@ module InstructionSanity {
     func = switchInstr.getEnclosingIRFunction() and
     funcText = Language::getIdentityString(func.getFunction())
   }
+
+  /**
+   * Holds if `instr` is on the chain of chi/phi instructions for all aliased
+   * memory.
+   */
+  private predicate isOnAliasedDefinitionChain(Instruction instr) {
+    instr instanceof AliasedDefinitionInstruction
+    or
+    isOnAliasedDefinitionChain(instr.(ChiInstruction).getTotal())
+    or
+    isOnAliasedDefinitionChain(instr.(PhiInstruction).getAnInputOperand().getAnyDef())
+  }
+
+  private predicate shouldBeConflated(Instruction instr) {
+    isOnAliasedDefinitionChain(instr)
+    or
+    instr instanceof UnmodeledDefinitionInstruction
+    or
+    instr.getOpcode() instanceof Opcode::InitializeNonLocal
+  }
+
+  query predicate notMarkedAsConflated(Instruction instr) {
+    shouldBeConflated(instr) and
+    not instr.isResultConflated()
+  }
+
+  query predicate wronglyMarkedAsConflated(Instruction instr) {
+    instr.isResultConflated() and
+    not shouldBeConflated(instr)
+  }
+
+  query predicate invalidOverlap(
+    MemoryOperand useOperand, string message, IRFunction func, string funcText
+  ) {
+    exists(Overlap overlap |
+      overlap = useOperand.getDefinitionOverlap() and
+      overlap instanceof MayPartiallyOverlap and
+      message =
+        "MemoryOperand '" + useOperand.toString() + "' has a `getDefinitionOverlap()` of '" +
+          overlap.toString() + "'." and
+      func = useOperand.getEnclosingIRFunction() and
+      funcText = Language::getIdentityString(func.getFunction())
+    )
+  }
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll

@@ -213,6 +213,16 @@ class IRThrowVariable extends IRTempVariable {
   final override string getBaseString() { result = "#throw" }
 }
 
+/**
+ * A temporary variable generated to hold the contents of all arguments passed to the `...` of a
+ * function that accepts a variable number of arguments.
+ */
+class IREllipsisVariable extends IRTempVariable {
+  IREllipsisVariable() { tag = EllipsisTempVar() }
+
+  final override string toString() { result = "#ellipsis" }
+}
+
 /**
  * A variable generated to represent the contents of a string literal. This variable acts much like
  * a read-only global variable.

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -15,6 +15,9 @@ private import Imports::OperandTag
  * `File` and line number. Used for assigning register names when printing IR.
  */
 private Instruction getAnInstructionAtLine(IRFunction irFunc, Language::File file, int line) {
+  exists(IRConfiguration::IRConfiguration config |
+    config.shouldEvaluateDebugStringsForFunction(irFunc.getFunction())
+  ) and
   exists(Language::Location location |
     irFunc = result.getEnclosingIRFunction() and
     location = result.getLocation() and
@@ -39,6 +42,12 @@ class Instruction extends Construction::TInstruction {
     result = getResultString() + " = " + getOperationString() + " " + getOperandsString()
   }
 
+  private predicate shouldGenerateDumpStrings() {
+    exists(IRConfiguration::IRConfiguration config |
+      config.shouldEvaluateDebugStringsForFunction(this.getEnclosingFunction())
+    )
+  }
+
   /**
    * Gets a string describing the operation of this instruction. This includes
    * the opcode and the immediate value, if any. For example:
@@ -46,6 +55,7 @@ class Instruction extends Construction::TInstruction {
    * VariableAddress[x]
    */
   final string getOperationString() {
+    shouldGenerateDumpStrings() and
     if exists(getImmediateString())
     then result = getOperationPrefix() + getOpcode().toString() + "[" + getImmediateString() + "]"
     else result = getOperationPrefix() + getOpcode().toString()
@@ -57,10 +67,12 @@ class Instruction extends Construction::TInstruction {
   string getImmediateString() { none() }
 
   private string getOperationPrefix() {
+    shouldGenerateDumpStrings() and
     if this instanceof SideEffectInstruction then result = "^" else result = ""
   }
 
   private string getResultPrefix() {
+    shouldGenerateDumpStrings() and
     if getResultIRType() instanceof IRVoidType
     then result = "v"
     else
@@ -74,6 +86,7 @@ class Instruction extends Construction::TInstruction {
    * used by debugging and printing code only.
    */
   int getDisplayIndexInBlock() {
+    shouldGenerateDumpStrings() and
     exists(IRBlock block |
       this = block.getInstruction(result)
       or
@@ -87,6 +100,7 @@ class Instruction extends Construction::TInstruction {
   }
 
   private int getLineRank() {
+    shouldGenerateDumpStrings() and
     this =
       rank[result](Instruction instr |
         instr =
@@ -105,6 +119,7 @@ class Instruction extends Construction::TInstruction {
    * Example: `r1_1`
    */
   string getResultId() {
+    shouldGenerateDumpStrings() and
     result = getResultPrefix() + getAST().getLocation().getStartLine() + "_" + getLineRank()
   }
 
@@ -116,6 +131,7 @@ class Instruction extends Construction::TInstruction {
    * Example: `r1_1(int*)`
    */
   final string getResultString() {
+    shouldGenerateDumpStrings() and
     result = getResultId() + "(" + getResultLanguageType().getDumpString() + ")"
   }
 
@@ -126,6 +142,7 @@ class Instruction extends Construction::TInstruction {
    * Example: `func:r3_4, this:r3_5`
    */
   string getOperandsString() {
+    shouldGenerateDumpStrings() and
     result =
       concat(Operand operand |
         operand = getAnOperand()
@@ -321,6 +338,17 @@ class Instruction extends Construction::TInstruction {
     Construction::hasModeledMemoryResult(this)
   }
 
+  /**
+   * Holds if this is an instruction with a memory result that represents a
+   * conflation of more than one memory allocation.
+   *
+   * This happens in practice when dereferencing a pointer that cannot be
+   * tracked back to a single local allocation. Such memory is instead modeled
+   * as originating on the `AliasedDefinitionInstruction` at the entry of the
+   * function.
+   */
+  final predicate isResultConflated() { Construction::hasConflatedMemoryResult(this) }
+
   /**
    * Gets the successor of this instruction along the control flow edge
    * specified by `kind`.

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll

@@ -384,6 +384,8 @@ class PositionalArgumentOperand extends ArgumentOperand {
 
 class SideEffectOperand extends TypedOperand {
   override SideEffectOperandTag tag;
+
+  override string toString() { result = "SideEffect" }
 }
 
 /**

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll

@@ -18,19 +18,19 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
   predicate shouldPrintFunction(Language::Function func) { any() }
 }
 
-private predicate shouldPrintFunction(Language::Function func) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
-}
-
 /**
- * Override of `IRConfiguration` to only create IR for the functions that are to be dumped.
+ * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
  */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldCreateIRForFunction(Language::Function func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
     shouldPrintFunction(func)
   }
 }
 
+private predicate shouldPrintFunction(Language::Function func) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
+}
+
 private string getAdditionalInstructionProperty(Instruction instr, string key) {
   exists(IRPropertyProvider provider | result = provider.getInstructionProperty(instr, key))
 }

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRInternal.qll

@@ -1,2 +1,3 @@
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 import SSAConstruction as Construction
+import semmle.code.cpp.ir.implementation.IRConfiguration as IRConfiguration

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll

@@ -3,3 +3,4 @@ import semmle.code.cpp.ir.implementation.IRType as IRType
 import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind
 import semmle.code.cpp.ir.implementation.Opcode as Opcode
 import semmle.code.cpp.ir.implementation.internal.OperandTag as OperandTag
+import semmle.code.cpp.ir.internal.Overlap as Overlap

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -65,6 +65,29 @@ private module Cached {
     instruction instanceof ChiInstruction // Chis always have modeled results
   }
 
+  cached
+  predicate hasConflatedMemoryResult(Instruction instruction) {
+    instruction instanceof UnmodeledDefinitionInstruction
+    or
+    instruction instanceof AliasedDefinitionInstruction
+    or
+    instruction.getOpcode() instanceof Opcode::InitializeNonLocal
+    or
+    // Chi instructions track virtual variables, and therefore a chi instruction is
+    // conflated if it's associated with the aliased virtual variable.
+    exists(OldInstruction oldInstruction | instruction = Chi(oldInstruction) |
+      Alias::getResultMemoryLocation(oldInstruction).getVirtualVariable() instanceof
+        Alias::AliasedVirtualVariable
+    )
+    or
+    // Phi instructions track locations, and therefore a phi instruction is
+    // conflated if it's associated with a conflated location.
+    exists(Alias::MemoryLocation location |
+      instruction = Phi(_, location) and
+      not exists(location.getAllocation())
+    )
+  }
+
   cached
   Instruction getRegisterOperandDefinition(Instruction instruction, RegisterOperandTag tag) {
     exists(OldInstruction oldInstruction, OldIR::RegisterOperand oldOperand |
@@ -84,14 +107,15 @@ private module Cached {
     oldOperand instanceof OldIR::NonPhiMemoryOperand and
     exists(
       OldBlock useBlock, int useRank, Alias::MemoryLocation useLocation,
-      Alias::MemoryLocation defLocation, OldBlock defBlock, int defRank, int defOffset
+      Alias::MemoryLocation defLocation, OldBlock defBlock, int defRank, int defOffset,
+      Alias::MemoryLocation actualDefLocation
     |
       useLocation = Alias::getOperandMemoryLocation(oldOperand) and
       hasUseAtRank(useLocation, useBlock, useRank, oldInstruction) and
       definitionReachesUse(useLocation, defBlock, defRank, useBlock, useRank) and
       hasDefinitionAtRank(useLocation, defLocation, defBlock, defRank, defOffset) and
-      instr = getDefinitionOrChiInstruction(defBlock, defOffset, defLocation, _) and
-      overlap = Alias::getOverlap(defLocation, useLocation)
+      instr = getDefinitionOrChiInstruction(defBlock, defOffset, defLocation, actualDefLocation) and
+      overlap = Alias::getOverlap(actualDefLocation, useLocation)
     )
   }
 

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll

@@ -61,6 +61,11 @@ class MemoryLocation extends TMemoryLocation {
 
 class VirtualVariable extends MemoryLocation { }
 
+/** A virtual variable that groups all escaped memory within a function. */
+class AliasedVirtualVariable extends VirtualVariable {
+  AliasedVirtualVariable() { none() }
+}
+
 Overlap getOverlap(MemoryLocation def, MemoryLocation use) {
   def = use and result instanceof MustExactlyOverlap
   or

cpp/ql/src/semmle/code/cpp/ir/internal/TempVariableTag.qll

@@ -2,7 +2,8 @@ newtype TTempVariableTag =
   ConditionValueTempVar() or
   ReturnValueTempVar() or
   ThrowTempVar() or
-  LambdaTempVar()
+  LambdaTempVar() or
+  EllipsisTempVar()
 
 string getTempVariableTagId(TTempVariableTag tag) {
   tag = ConditionValueTempVar() and result = "CondVal"
@@ -12,4 +13,6 @@ string getTempVariableTagId(TTempVariableTag tag) {
   tag = ThrowTempVar() and result = "Throw"
   or
   tag = LambdaTempVar() and result = "Lambda"
+  or
+  tag = EllipsisTempVar() and result = "Ellipsis"
 }

cpp/ql/test/library-tests/arg_matching/arg_matching.expected

@@ -0,0 +1,34 @@
+| args.cpp:8:5:8:12 | call to global_1 | 0 | 0 |
+| args.cpp:9:5:9:12 | call to global_2 | 0 | 0 |
+| args.cpp:9:5:9:12 | call to global_2 | 1 | 1 |
+| args.cpp:10:5:10:19 | call to global_2_vararg | 0 | 0 |
+| args.cpp:10:5:10:19 | call to global_2_vararg | 1 | 1 |
+| args.cpp:11:5:11:19 | call to global_2_vararg | 0 | 0 |
+| args.cpp:11:5:11:19 | call to global_2_vararg | 1 | 1 |
+| args.cpp:11:5:11:19 | call to global_2_vararg | 2 | 2 |
+| args.cpp:12:5:12:19 | call to global_2_vararg | 0 | 0 |
+| args.cpp:12:5:12:19 | call to global_2_vararg | 1 | 1 |
+| args.cpp:12:5:12:19 | call to global_2_vararg | 2 | 2 |
+| args.cpp:12:5:12:19 | call to global_2_vararg | 3 | 2 |
+| args.cpp:22:5:22:12 | call to expression | 0 | 0 |
+| args.cpp:23:5:23:15 | call to expression | 0 | 0 |
+| args.cpp:23:5:23:15 | call to expression | 1 | 1 |
+| args.cpp:24:5:24:22 | call to expression | 0 | 0 |
+| args.cpp:24:5:24:22 | call to expression | 1 | 1 |
+| args.cpp:25:5:25:25 | call to expression | 0 | 0 |
+| args.cpp:25:5:25:25 | call to expression | 1 | 1 |
+| args.cpp:25:5:25:25 | call to expression | 2 | 2 |
+| args.cpp:26:5:26:28 | call to expression | 0 | 0 |
+| args.cpp:26:5:26:28 | call to expression | 1 | 1 |
+| args.cpp:26:5:26:28 | call to expression | 2 | 2 |
+| args.cpp:26:5:26:28 | call to expression | 3 | 2 |
+| args.cpp:37:10:37:11 | call to S | 0 | 0 |
+| args.cpp:38:19:38:23 | call to S | 0 | 0 |
+| args.cpp:38:19:38:23 | call to S | 1 | 1 |
+| args.cpp:39:19:39:26 | call to S | 0 | 0 |
+| args.cpp:39:19:39:26 | call to S | 1 | 1 |
+| args.cpp:39:19:39:26 | call to S | 2 | 2 |
+| args.cpp:40:19:40:29 | call to S | 0 | 0 |
+| args.cpp:40:19:40:29 | call to S | 1 | 1 |
+| args.cpp:40:19:40:29 | call to S | 2 | 2 |
+| args.cpp:40:19:40:29 | call to S | 3 | 2 |

cpp/ql/test/library-tests/arg_matching/arg_matching.ql

@@ -0,0 +1,6 @@
+import cpp
+import semmle.code.cpp.ir.implementation.raw.internal.VarArgs
+
+from Call call, int argIndex, int paramIndex
+where paramIndex = getParameterIndexForArgument(call, argIndex)
+select call, argIndex, paramIndex

cpp/ql/test/library-tests/arg_matching/args.cpp

@@ -0,0 +1,41 @@
+void global_0();
+void global_1(int a);
+void global_2(int a, float b);
+void global_2_vararg(int a, float b, ...);
+
+void call_globals(int a, float b, void* c, bool d) {
+    global_0();
+    global_1(a);
+    global_2(a, b);
+    global_2_vararg(a, b);
+    global_2_vararg(a, b, c);
+    global_2_vararg(a, b, c, d);
+}
+
+void (*pfn_0)();
+void (*pfn_1)(int a);
+void (*pfn_2)(int a, float b);
+void (*pfn_2_vararg)(int a, float b ...);
+
+void call_pfns(int a, float b, void* c, bool d) {
+    pfn_0();
+    pfn_1(a);
+    pfn_2(a, b);
+    pfn_2_vararg(a, b);
+    pfn_2_vararg(a, b, c);
+    pfn_2_vararg(a, b, c, d);
+}
+
+struct S {
+    S();
+    S(int a);
+    S(int a, float b, ...);
+};
+
+void call_constructors(int a, float b, void* c, bool d) {
+    S s0;
+    S s1(a);
+    S s2_vararg_0(a, b);
+    S s2_vararg_1(a, b, c);
+    S s2_vararg_2(a, b, c, d);
+}

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -0,0 +1,261 @@
+uniqueEnclosingCallable
+uniqueTypeBound
+uniqueTypeRepr
+uniqueNodeLocation
+| dispatch.cpp:60:18:60:29 | call to Bottom | Node should have one location but has 2. |
+| dispatch.cpp:61:18:61:29 | call to Middle | Node should have one location but has 2. |
+| dispatch.cpp:65:10:65:21 | call to Bottom | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to Bottom | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to Bottom | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to Middle | Node should have one location but has 2. |
+missingLocation
+uniqueNodeToString
+missingToString
+parameterCallable
+localFlowIsLocal
+compatibleTypesReflexive
+unreachableNodeCCtx
+localCallNodes
+postIsNotPre
+postHasUniquePre
+uniquePostUpdate
+postIsInSameCallable
+reverseRead
+storeIsPostUpdate
+argHasPostUpdate
+| BarrierGuard.cpp:6:15:6:20 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:7:10:7:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:9:10:9:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:14:16:14:21 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:15:10:15:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:17:10:17:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:22:15:22:20 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:23:10:23:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:25:10:25:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:30:15:30:20 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:31:10:31:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:33:10:33:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:38:16:38:21 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:41:8:41:13 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:50:18:50:18 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:51:13:51:13 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:52:25:52:25 | y | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:53:13:53:13 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:54:25:54:25 | y | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:55:13:55:13 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:61:19:61:19 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:62:14:62:14 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:63:26:63:26 | y | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:64:14:64:14 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:65:26:65:26 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:66:14:66:14 | x | ArgumentNode is missing PostUpdateNode. |
+| acrossLinkTargets.cpp:12:8:12:8 | x | ArgumentNode is missing PostUpdateNode. |
+| acrossLinkTargets.cpp:19:27:19:32 | call to source | ArgumentNode is missing PostUpdateNode. |
+| acrossLinkTargets.cpp:28:8:28:8 | x | ArgumentNode is missing PostUpdateNode. |
+| acrossLinkTargets.cpp:34:8:34:8 | x | ArgumentNode is missing PostUpdateNode. |
+| acrossLinkTargets.cpp:41:19:41:24 | call to source | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:18:8:18:19 | sourceArray1 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:20:8:20:22 | access to array | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:21:8:21:20 | * ... | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:24:22:24:23 | m1 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:25:27:25:28 | m1 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:26:27:26:34 | call to getFirst | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:29:27:29:28 | m1 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:30:27:30:34 | call to getFirst | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:31:27:31:28 | m2 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:32:22:32:23 | m1 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:37:10:37:11 | m2 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:41:18:41:19 | m2 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:45:17:45:18 | m2 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:47:8:47:30 | call to expression | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:51:8:51:17 | stackArray | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:11:38:11:38 | x | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:23:38:23:38 | x | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:31:16:31:24 | call to isSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:32:16:32:24 | call to isSource2 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:33:18:33:23 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:35:16:35:25 | call to notSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:36:16:36:25 | call to notSource2 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:37:19:37:24 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:39:15:39:23 | call to isSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:40:15:40:23 | call to isSource2 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:41:17:41:22 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:43:15:43:24 | call to notSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:44:15:44:24 | call to notSource2 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:45:18:45:23 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:55:22:55:30 | call to isSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:56:22:56:30 | call to isSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:58:28:58:36 | call to isSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:69:15:69:20 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:73:14:73:19 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:77:21:77:34 | call to allocateBottom | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:78:23:78:39 | * ... | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:81:13:81:18 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:89:28:89:33 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:90:25:90:30 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:96:8:96:8 | x | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:107:17:107:22 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:108:16:108:21 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:129:18:129:25 | call to isSource | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:130:17:130:24 | call to isSource | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:140:8:140:13 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:144:8:144:13 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:153:37:153:37 | f | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:154:37:154:37 | g | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:160:8:160:13 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:164:8:164:13 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:173:42:173:42 | f | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:174:42:174:42 | g | ArgumentNode is missing PostUpdateNode. |
+| globals.cpp:6:10:6:14 | local | ArgumentNode is missing PostUpdateNode. |
+| globals.cpp:12:10:12:24 | flowTestGlobal1 | ArgumentNode is missing PostUpdateNode. |
+| globals.cpp:19:10:19:24 | flowTestGlobal2 | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:14:3:14:6 | t | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:15:3:15:6 | u | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:18:7:18:7 | a | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:18:8:18:8 | call to operator() | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:21:3:21:6 | t | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:22:3:22:6 | u | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:25:2:25:2 | b | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:26:7:26:7 | v | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:29:3:29:6 | t | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:30:3:30:6 | u | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:32:2:32:2 | c | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:35:8:35:8 | a | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:36:8:36:8 | b | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:38:2:38:2 | d | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:38:4:38:4 | t | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:38:7:38:7 | u | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:41:8:41:8 | a | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:42:8:42:8 | b | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:45:2:45:2 | e | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:46:7:46:7 | w | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:16:12:16:14 | lhs | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:16:17:16:19 | rhs | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:16:17:16:19 | rhs | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:55:23:55:28 | call to source | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:56:10:56:11 | x1 | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:58:19:58:24 | call to source | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:59:10:59:11 | x2 | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:62:10:62:11 | x3 | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:65:10:65:11 | x4 | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:79:17:79:19 | rhs | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:122:23:122:28 | call to source | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:123:13:123:15 | val | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:125:19:125:24 | call to source | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:126:13:126:15 | val | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:129:13:129:15 | val | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:132:13:132:15 | val | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:7:8:7:9 | t1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:9:8:9:9 | t1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:10:8:10:9 | t2 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:13:10:13:11 | t2 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:15:8:15:9 | t2 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:21:8:21:9 | t1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:26:8:26:9 | t1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:30:8:30:8 | t | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:31:8:31:8 | c | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:35:10:35:15 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:35:20:35:20 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:36:10:36:10 | 1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:36:13:36:18 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:43:10:43:20 | ... ? ... : ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:46:10:46:10 | t | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:58:10:58:10 | t | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:71:8:71:9 | x4 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:76:8:76:9 | u1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:78:8:78:9 | u1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:81:8:81:9 | i1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:84:8:84:18 | ... ? ... : ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:86:8:86:9 | i1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:90:8:90:14 | source1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:92:8:92:14 | source1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:103:10:103:12 | ref | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:110:10:110:12 | ref | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:138:27:138:32 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:140:8:140:8 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:144:8:144:8 | s | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:149:33:149:33 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:150:8:150:8 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:151:33:151:38 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:152:8:152:8 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:157:8:157:8 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:162:34:162:34 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:163:8:163:8 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:164:34:164:39 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:165:8:165:8 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:178:8:178:8 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:194:29:194:34 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:197:10:197:10 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:202:10:202:16 | barrier | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:207:35:207:35 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:208:10:208:10 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:209:35:209:40 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:210:10:210:10 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:216:10:216:10 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:221:36:221:36 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:222:10:222:10 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:223:36:223:41 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:224:10:224:10 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:238:10:238:10 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:245:14:245:19 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:246:18:246:23 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:251:14:251:14 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:256:14:256:20 | barrier | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:260:12:260:12 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:265:22:265:27 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:266:12:266:12 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:267:22:267:27 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:268:12:268:12 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:273:21:273:21 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:278:21:278:27 | barrier | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:289:14:289:14 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:291:14:291:14 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:314:4:314:9 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:317:12:317:12 | p | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:318:7:318:7 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:319:12:319:12 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:320:7:320:7 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:337:10:337:18 | globalVar | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:339:10:339:18 | globalVar | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:343:10:343:18 | globalVar | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:349:10:349:18 | globalVar | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:363:10:363:14 | field | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:365:10:365:14 | field | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:369:10:369:14 | field | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:375:10:375:14 | field | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:384:16:384:23 | & ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:384:26:384:35 | sizeof(<expr>) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:385:8:385:10 | tmp | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:391:16:391:23 | & ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:391:26:391:35 | sizeof(<expr>) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:392:8:392:10 | tmp | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:394:10:394:12 | tmp | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:400:16:400:22 | & ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:400:25:400:34 | sizeof(<expr>) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:401:8:401:10 | tmp | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:407:16:407:22 | & ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:407:25:407:34 | sizeof(<expr>) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:408:8:408:10 | tmp | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:418:8:418:12 | local | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:424:8:424:12 | local | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:430:8:430:12 | local | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:431:8:431:13 | * ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:436:26:436:26 | 1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:437:8:437:12 | local | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:442:25:442:25 | 2 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:443:8:443:12 | local | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:444:8:444:13 | * ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:450:9:450:22 | (statement expression) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:451:9:451:21 | (statement expression) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:461:8:461:12 | local | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:13:8:13:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:21:8:21:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:29:8:29:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:39:8:39:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:49:8:49:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:57:8:57:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:66:8:66:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:78:8:78:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:86:8:86:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:93:8:93:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:105:8:105:8 | x | ArgumentNode is missing PostUpdateNode. |

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.ql

@@ -0,0 +1 @@
+import semmle.code.cpp.dataflow.internal.DataFlowImplConsistency::Consistency

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -0,0 +1,354 @@
+uniqueEnclosingCallable
+uniqueTypeBound
+uniqueTypeRepr
+uniqueNodeLocation
+| BarrierGuard.cpp:2:11:2:13 | p#0 | Node should have one location but has 6. |
+| acrossLinkTargets.cpp:2:11:2:13 | p#0 | Node should have one location but has 6. |
+| clang.cpp:4:11:4:13 | p#0 | Node should have one location but has 6. |
+| clang.cpp:4:27:4:35 | p#0 | Node should have one location but has 2. |
+| clang.cpp:4:51:4:53 | p#0 | Node should have one location but has 2. |
+| dispatch.cpp:2:11:2:13 | p#0 | Node should have one location but has 6. |
+| file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
+| file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
+| file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
+| file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
+| globals.cpp:2:11:2:13 | p#0 | Node should have one location but has 6. |
+| test.cpp:2:11:2:13 | p#0 | Node should have one location but has 6. |
+| test.cpp:2:27:2:35 | p#0 | Node should have one location but has 2. |
+| test.cpp:2:51:2:53 | p#0 | Node should have one location but has 2. |
+missingLocation
+| Nodes without location: 4 |
+uniqueNodeToString
+missingToString
+parameterCallable
+localFlowIsLocal
+compatibleTypesReflexive
+unreachableNodeCCtx
+localCallNodes
+postIsNotPre
+postHasUniquePre
+uniquePostUpdate
+postIsInSameCallable
+reverseRead
+storeIsPostUpdate
+argHasPostUpdate
+| BarrierGuard.cpp:6:15:6:20 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:7:10:7:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:9:10:9:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:14:16:14:21 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:15:10:15:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:17:10:17:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:22:15:22:20 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:23:10:23:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:25:10:25:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:30:15:30:20 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:31:10:31:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:33:10:33:15 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:38:16:38:21 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:41:8:41:13 | source | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:50:18:50:18 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:51:13:51:13 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:52:25:52:25 | y | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:53:13:53:13 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:54:25:54:25 | y | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:55:13:55:13 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:61:19:61:19 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:62:14:62:14 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:63:26:63:26 | y | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:64:14:64:14 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:65:26:65:26 | x | ArgumentNode is missing PostUpdateNode. |
+| BarrierGuard.cpp:66:14:66:14 | x | ArgumentNode is missing PostUpdateNode. |
+| acrossLinkTargets.cpp:12:8:12:8 | (int)... | ArgumentNode is missing PostUpdateNode. |
+| acrossLinkTargets.cpp:19:27:19:32 | call to source | ArgumentNode is missing PostUpdateNode. |
+| acrossLinkTargets.cpp:28:8:28:8 | (int)... | ArgumentNode is missing PostUpdateNode. |
+| acrossLinkTargets.cpp:34:8:34:8 | (int)... | ArgumentNode is missing PostUpdateNode. |
+| acrossLinkTargets.cpp:41:19:41:24 | call to source | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:18:8:18:19 | (const int *)... | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:20:8:20:22 | access to array | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:21:8:21:20 | * ... | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:22:8:22:20 | & ... | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:24:22:24:23 | m1 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:25:27:25:28 | m1 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:26:8:26:24 | sourceStruct1_ptr | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:26:27:26:34 | call to getFirst | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:29:27:29:28 | m1 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:30:8:30:24 | sourceStruct1_ptr | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:30:27:30:34 | call to getFirst | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:31:27:31:28 | m2 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:32:22:32:23 | m1 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:37:10:37:11 | m2 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:41:18:41:19 | m2 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:45:17:45:18 | m2 | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:47:8:47:30 | call to expression | ArgumentNode is missing PostUpdateNode. |
+| clang.cpp:51:8:51:17 | (const int *)... | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:11:38:11:38 | x | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:15:8:15:8 | ConvertToNonVirtualBase | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:21:8:21:8 | ConvertToNonVirtualBase | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:23:38:23:38 | x | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:31:8:31:13 | topPtr | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:31:16:31:24 | call to isSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:32:8:32:13 | topPtr | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:32:16:32:24 | call to isSource2 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:33:3:33:8 | topPtr | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:33:18:33:23 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:35:8:35:13 | topPtr | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:35:16:35:25 | call to notSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:36:8:36:13 | topPtr | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:36:16:36:25 | call to notSource2 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:37:3:37:8 | topPtr | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:37:19:37:24 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:39:8:39:13 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:39:15:39:23 | call to isSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:40:8:40:13 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:40:15:40:23 | call to isSource2 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:41:3:41:8 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:41:17:41:22 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:43:8:43:13 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:43:15:43:24 | call to notSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:44:8:44:13 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:44:15:44:24 | call to notSource2 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:45:3:45:8 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:45:18:45:23 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:55:8:55:19 | globalBottom | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:55:22:55:30 | call to isSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:56:8:56:19 | globalMiddle | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:56:22:56:30 | call to isSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:58:8:58:23 | call to readGlobalBottom | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:58:28:58:36 | call to isSource1 | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:60:18:60:29 | Constant | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:60:18:60:29 | new | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:61:18:61:29 | Constant | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:61:18:61:29 | new | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:65:10:65:21 | Constant | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:65:10:65:21 | new | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:69:3:69:5 | top | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:69:15:69:20 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:73:3:73:5 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:73:14:73:19 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:77:21:77:34 | call to allocateBottom | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:78:23:78:39 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:81:3:81:3 | x | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:81:13:81:18 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:89:3:89:10 | call to identity | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:89:12:89:17 | (Top *)... | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:89:28:89:33 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:90:3:90:10 | call to identity | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:90:12:90:14 | top | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:90:25:90:30 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:96:8:96:8 | x | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:107:17:107:22 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:108:16:108:21 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:129:10:129:15 | topPtr | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:129:18:129:25 | call to isSource | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:130:10:130:15 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:130:17:130:24 | call to isSource | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:140:8:140:13 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:144:8:144:13 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:153:37:153:37 | f | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:154:37:154:37 | g | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:160:8:160:13 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:164:8:164:13 | call to source | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:173:42:173:42 | f | ArgumentNode is missing PostUpdateNode. |
+| dispatch.cpp:174:42:174:42 | g | ArgumentNode is missing PostUpdateNode. |
+| example.c:26:18:26:24 | & ... | ArgumentNode is missing PostUpdateNode. |
+| example.c:28:14:28:25 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | t | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | t | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | u | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | u | ArgumentNode is missing PostUpdateNode. |
+| globals.cpp:6:10:6:14 | local | ArgumentNode is missing PostUpdateNode. |
+| globals.cpp:12:10:12:24 | flowTestGlobal1 | ArgumentNode is missing PostUpdateNode. |
+| globals.cpp:19:10:19:24 | flowTestGlobal2 | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:18:7:18:7 | (const lambda [] type at line 13, col. 11)... | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:18:8:18:8 | call to operator() | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:21:8:21:8 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:22:8:22:8 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:25:2:25:2 | (const lambda [] type at line 20, col. 11)... | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:26:7:26:7 | v | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:32:2:32:2 | (const lambda [] type at line 28, col. 11)... | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:35:8:35:8 | a | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:36:8:36:8 | b | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:38:2:38:2 | (const lambda [] type at line 34, col. 11)... | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:38:4:38:4 | t | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:38:7:38:7 | u | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:41:8:41:8 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:42:8:42:8 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:45:2:45:2 | (const lambda [] type at line 40, col. 11)... | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:45:4:45:4 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:45:7:45:7 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:45:10:45:10 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| lambdas.cpp:46:7:46:7 | w | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:16:12:16:14 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:16:17:16:19 | rhs | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:37:21:37:23 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:55:19:55:20 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:55:23:55:28 | call to source | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:56:10:56:11 | x1 | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:58:15:58:16 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:58:19:58:24 | call to source | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:59:10:59:11 | x2 | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:61:26:61:27 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:62:10:62:11 | x3 | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:64:15:64:16 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:65:10:65:11 | x4 | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:79:12:79:14 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:79:17:79:19 | rhs | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:102:21:102:23 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:122:19:122:20 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:122:23:122:28 | call to source | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:123:13:123:15 | val | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:125:15:125:16 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:125:19:125:24 | call to source | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:126:13:126:15 | val | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:128:26:128:27 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:129:13:129:15 | val | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:131:15:131:16 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| ref.cpp:132:13:132:15 | val | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:7:8:7:9 | t1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:9:8:9:9 | t1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:10:8:10:9 | t2 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:13:10:13:11 | t2 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:15:8:15:9 | t2 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:21:8:21:9 | t1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:26:8:26:9 | t1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:30:8:30:8 | t | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:31:8:31:8 | c | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:35:10:35:15 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:35:20:35:20 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:36:10:36:10 | 1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:36:13:36:18 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:43:10:43:20 | ... ? ... : ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:46:10:46:10 | t | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:58:10:58:10 | t | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:67:29:67:35 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:71:8:71:9 | x4 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:76:8:76:9 | u1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:78:8:78:9 | u1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:81:8:81:9 | i1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:84:8:84:18 | ... ? ... : ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:86:8:86:9 | i1 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:90:8:90:14 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:92:8:92:14 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:103:10:103:12 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:110:10:110:12 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:138:27:138:32 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:140:8:140:8 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:144:8:144:8 | s | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:149:33:149:33 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:150:8:150:8 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:151:33:151:38 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:152:8:152:8 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:157:8:157:8 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:162:34:162:34 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:163:8:163:8 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:164:34:164:39 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:165:8:165:8 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:178:8:178:8 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:194:29:194:34 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:197:10:197:10 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:202:10:202:16 | barrier | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:207:35:207:35 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:208:10:208:10 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:209:35:209:40 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:210:10:210:10 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:216:10:216:10 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:221:36:221:36 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:222:10:222:10 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:223:36:223:41 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:224:10:224:10 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:238:10:238:10 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:245:14:245:19 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:246:18:246:23 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:251:14:251:14 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:256:14:256:20 | barrier | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:260:12:260:12 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:265:22:265:27 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:266:12:266:12 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:267:22:267:27 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:268:12:268:12 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:273:21:273:21 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:278:21:278:27 | barrier | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:289:14:289:14 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:291:14:291:14 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:314:4:314:9 | call to source | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:317:12:317:12 | p | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:318:7:318:7 | x | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:319:12:319:12 | 0 | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:320:7:320:7 | y | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:337:10:337:18 | globalVar | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:339:10:339:18 | globalVar | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:343:10:343:18 | globalVar | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:349:10:349:18 | globalVar | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:363:10:363:14 | field | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:365:10:365:14 | field | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:369:10:369:14 | field | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:375:10:375:14 | field | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:384:10:384:13 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:384:16:384:23 | (const void *)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:384:26:384:35 | sizeof(<expr>) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:385:8:385:10 | tmp | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:391:10:391:13 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:391:16:391:23 | (const void *)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:391:26:391:35 | sizeof(<expr>) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:392:8:392:10 | tmp | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:394:10:394:12 | tmp | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:400:10:400:13 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:400:16:400:22 | (const void *)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:400:25:400:34 | sizeof(<expr>) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:401:8:401:10 | tmp | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:407:10:407:13 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:407:16:407:22 | (const void *)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:407:25:407:34 | sizeof(<expr>) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:408:8:408:10 | tmp | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:417:16:417:20 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:418:8:418:12 | local | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:423:20:423:25 | & ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:424:8:424:12 | local | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:429:20:429:24 | array to pointer conversion | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:430:8:430:12 | (const int *)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:431:8:431:13 | * ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:436:18:436:23 | & ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:436:26:436:26 | (size_t)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:437:8:437:12 | local | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:442:18:442:22 | array to pointer conversion | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:442:25:442:25 | (size_t)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:443:8:443:12 | (const int *)... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:444:8:444:13 | * ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:450:9:450:22 | (statement expression) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:451:9:451:21 | (statement expression) | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:461:8:461:12 | local | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:13:8:13:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:21:8:21:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:29:8:29:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:39:8:39:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:49:8:49:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:57:8:57:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:66:8:66:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:78:8:78:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:86:8:86:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:93:8:93:8 | x | ArgumentNode is missing PostUpdateNode. |
+| true_upon_entry.cpp:105:8:105:8 | x | ArgumentNode is missing PostUpdateNode. |

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.ql

@@ -0,0 +1 @@
+import semmle.code.cpp.ir.dataflow.internal.DataFlowImplConsistency::Consistency

cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected

@@ -0,0 +1,134 @@
+uniqueEnclosingCallable
+| C.cpp:37:24:37:33 | 0 | Node should have one enclosing callable but has 0. |
+| C.cpp:37:24:37:33 | new | Node should have one enclosing callable but has 0. |
+uniqueTypeBound
+| complex.cpp:22:11:22:17 | constructor init of field f [post-this] | Node should have one type bound but has 0. |
+| complex.cpp:22:11:22:17 | constructor init of field f [pre-this] | Node should have one type bound but has 0. |
+uniqueTypeRepr
+| complex.cpp:22:11:22:17 | constructor init of field f [post-this] | Node should have one type representation but has 0. |
+| complex.cpp:22:11:22:17 | constructor init of field f [pre-this] | Node should have one type representation but has 0. |
+uniqueNodeLocation
+| A.cpp:38:7:38:8 | call to C | Node should have one location but has 2. |
+| A.cpp:39:7:39:8 | call to C | Node should have one location but has 2. |
+| A.cpp:41:15:41:21 | call to C | Node should have one location but has 2. |
+| A.cpp:47:12:47:18 | call to C | Node should have one location but has 2. |
+| A.cpp:57:17:57:23 | call to C | Node should have one location but has 2. |
+| A.cpp:64:21:64:28 | call to C2 | Node should have one location but has 2. |
+| A.cpp:73:25:73:32 | call to C2 | Node should have one location but has 2. |
+| A.cpp:126:12:126:18 | call to C | Node should have one location but has 2. |
+| A.cpp:142:14:142:20 | call to C | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to C | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to C | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to C | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to C | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to C | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to C | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to C | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to C2 | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to C2 | Node should have one location but has 2. |
+missingLocation
+uniqueNodeToString
+missingToString
+parameterCallable
+localFlowIsLocal
+compatibleTypesReflexive
+unreachableNodeCCtx
+localCallNodes
+postIsNotPre
+postHasUniquePre
+uniquePostUpdate
+postIsInSameCallable
+reverseRead
+storeIsPostUpdate
+argHasPostUpdate
+| A.cpp:40:15:40:21 | 0 | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:41:15:41:21 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:55:12:55:19 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:56:13:56:15 | call to get | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:57:17:57:23 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:57:28:57:30 | call to get | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:64:21:64:28 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:73:25:73:32 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:126:12:126:18 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:151:21:151:21 | call to r | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:160:32:160:59 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:160:43:160:49 | 0 | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:160:52:160:58 | 0 | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:161:29:161:35 | 0 | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:162:29:162:35 | 0 | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:7:28:7:34 | 0 | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:16:28:16:34 | 0 | ArgumentNode is missing PostUpdateNode. |
+| C.cpp:29:10:29:11 | s1 | ArgumentNode is missing PostUpdateNode. |
+| C.cpp:30:10:30:11 | s2 | ArgumentNode is missing PostUpdateNode. |
+| C.cpp:31:10:31:11 | s3 | ArgumentNode is missing PostUpdateNode. |
+| C.cpp:32:10:32:11 | s4 | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:22:25:22:31 | call to getElem | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:29:24:29:40 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:29:33:29:39 | 0 | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:36:24:36:40 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:36:33:36:39 | 0 | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:43:24:43:40 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:43:33:43:39 | 0 | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:50:24:50:40 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:50:33:50:39 | 0 | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:57:25:57:41 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:57:34:57:40 | 0 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:27:14:27:15 | s3 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:29:11:29:12 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:30:11:30:12 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:31:11:31:12 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:38:11:38:12 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:43:13:43:14 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:50:11:50:12 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:55:14:55:15 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:62:14:62:15 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:73:12:73:13 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:80:12:80:13 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:87:12:87:13 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:93:12:93:13 | m1 | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:40:12:40:15 | this | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:44:26:44:29 | this | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:50:17:50:26 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:51:8:51:8 | s | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:51:10:51:20 | call to getDirectly | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:56:19:56:28 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:57:8:57:8 | s | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:57:10:57:22 | call to getIndirectly | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:62:25:62:34 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:63:8:63:8 | s | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:63:10:63:28 | call to getThroughNonMember | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:68:21:68:30 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:69:8:69:20 | call to nonMemberGetA | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:69:22:69:23 | & ... | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:22:13:22:13 | 0 | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:22:16:22:16 | 0 | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:44:12:44:12 | call to a | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:45:12:45:12 | call to b | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:55:13:55:22 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:56:13:56:22 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:57:13:57:22 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:58:13:58:22 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:28:12:28:12 | call to a | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:29:12:29:12 | call to b | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:34:11:34:20 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:34:25:34:25 | 0 | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:35:11:35:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:35:14:35:23 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:36:11:36:20 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:36:25:36:34 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:37:11:37:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:37:14:37:14 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:28:12:28:12 | call to a | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:29:12:29:12 | call to b | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:34:11:34:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:34:14:34:14 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:35:11:35:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:35:14:35:14 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:36:11:36:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:36:14:36:14 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:37:11:37:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:37:14:37:14 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:39:12:39:21 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:40:12:40:21 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:41:12:41:21 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:42:12:42:21 | call to user_input | ArgumentNode is missing PostUpdateNode. |

cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.ql

@@ -0,0 +1 @@
+import semmle.code.cpp.dataflow.internal.DataFlowImplConsistency::Consistency

cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected

@@ -0,0 +1,338 @@
+uniqueEnclosingCallable
+uniqueTypeBound
+uniqueTypeRepr
+uniqueNodeLocation
+| D.cpp:1:17:1:17 | o | Node should have one location but has 2. |
+| by_reference.cpp:1:17:1:17 | o | Node should have one location but has 2. |
+| file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
+| file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
+| file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
+| file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
+missingLocation
+| Nodes without location: 4 |
+uniqueNodeToString
+missingToString
+parameterCallable
+localFlowIsLocal
+compatibleTypesReflexive
+unreachableNodeCCtx
+localCallNodes
+postIsNotPre
+postHasUniquePre
+uniquePostUpdate
+postIsInSameCallable
+reverseRead
+storeIsPostUpdate
+argHasPostUpdate
+| A.cpp:9:9:9:9 | ConvertToNonVirtualBase | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:14:9:14:9 | ConvertToNonVirtualBase | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:31:14:31:21 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:31:14:31:21 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:31:20:31:20 | c | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:38:7:38:8 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:39:7:39:8 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:40:5:40:6 | cc | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:40:15:40:21 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:41:5:41:6 | ct | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:41:15:41:21 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:41:15:41:21 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:41:15:41:21 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:42:10:42:12 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:43:10:43:12 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:47:12:47:18 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:47:12:47:18 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:48:20:48:20 | c | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:49:10:49:13 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:54:12:54:18 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:54:12:54:18 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:55:5:55:5 | b | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:55:12:55:19 | (C *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:55:12:55:19 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:55:12:55:19 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:56:10:56:10 | b | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:56:10:56:17 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:57:10:57:32 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:57:11:57:24 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:57:11:57:24 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:57:17:57:23 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:57:17:57:23 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:62:13:62:19 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:62:13:62:19 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:64:17:64:18 | b1 | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:64:21:64:28 | (C *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:64:21:64:28 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:64:21:64:28 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:65:10:65:14 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:66:10:66:14 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:71:13:71:19 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:71:13:71:19 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:73:21:73:22 | b1 | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:73:25:73:32 | (C *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:73:25:73:32 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:73:25:73:32 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:74:10:74:14 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:75:10:75:14 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:81:17:81:18 | b1 | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:81:21:81:21 | c | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:89:15:89:21 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:89:15:89:21 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:90:7:90:8 | b2 | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:90:15:90:15 | c | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:98:12:98:18 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:99:14:99:21 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:99:14:99:21 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:101:8:101:9 | (C *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:107:12:107:16 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:116:12:116:19 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:116:12:116:19 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:120:12:120:16 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:126:5:126:5 | b | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:126:12:126:18 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:126:12:126:18 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:130:12:130:18 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:130:12:130:18 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:131:8:131:8 | b | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:132:10:132:13 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:142:14:142:20 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:142:14:142:20 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:143:25:143:31 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:143:25:143:31 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:150:12:150:18 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:150:12:150:18 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:151:12:151:24 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:151:12:151:24 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:151:18:151:18 | b | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:151:21:151:21 | call to r | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:152:10:152:13 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:153:10:153:16 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:154:10:154:13 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:159:12:159:18 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:159:12:159:18 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:160:18:160:60 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:160:18:160:60 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:160:29:160:29 | b | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:160:32:160:59 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:160:32:160:59 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:160:43:160:49 | (B *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:160:52:160:58 | (MyList *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:161:18:161:40 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:161:18:161:40 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:161:29:161:35 | (B *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:161:38:161:39 | l1 | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:162:18:162:40 | Constant | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:162:18:162:40 | new | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:162:29:162:35 | (B *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:162:38:162:39 | l2 | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:163:10:163:17 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:164:10:164:23 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:165:10:165:29 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:166:10:166:35 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| A.cpp:169:12:169:18 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:6:15:6:24 | Constant | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:7:16:7:35 | Constant | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:7:16:7:35 | new | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:7:25:7:25 | e | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:7:28:7:34 | (Elem *)... | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:8:16:8:27 | Constant | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:8:16:8:27 | new | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:8:25:8:26 | b1 | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:9:10:9:24 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:10:10:10:24 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:15:15:15:27 | Constant | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:16:16:16:38 | Constant | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:16:16:16:38 | new | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:16:28:16:34 | (Elem *)... | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:16:37:16:37 | e | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:17:16:17:27 | Constant | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:17:16:17:27 | new | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:17:25:17:26 | b1 | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:18:10:18:24 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| B.cpp:19:10:19:24 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| C.cpp:18:12:18:18 | Constant | ArgumentNode is missing PostUpdateNode. |
+| C.cpp:18:12:18:18 | new | ArgumentNode is missing PostUpdateNode. |
+| C.cpp:19:5:19:5 | c | ArgumentNode is missing PostUpdateNode. |
+| C.cpp:22:12:22:21 | Constant | ArgumentNode is missing PostUpdateNode. |
+| C.cpp:24:16:24:25 | Constant | ArgumentNode is missing PostUpdateNode. |
+| C.cpp:32:10:32:11 | (const void *)... | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:22:10:22:11 | b2 | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:22:10:22:33 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:22:14:22:20 | call to getBox1 | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:28:15:28:24 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:29:15:29:41 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:29:15:29:41 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:29:24:29:40 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:29:24:29:40 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:29:33:29:39 | (Elem *)... | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:31:14:31:14 | b | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:35:15:35:24 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:36:15:36:41 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:36:15:36:41 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:36:24:36:40 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:36:24:36:40 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:36:33:36:39 | (Elem *)... | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:37:8:37:10 | box | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:37:21:37:21 | e | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:38:14:38:14 | b | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:42:15:42:24 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:43:15:43:41 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:43:15:43:41 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:43:24:43:40 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:43:24:43:40 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:43:33:43:39 | (Elem *)... | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:44:5:44:5 | b | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:45:14:45:14 | b | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:49:15:49:24 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:50:15:50:41 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:50:15:50:41 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:50:24:50:40 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:50:24:50:40 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:50:33:50:39 | (Elem *)... | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:51:5:51:5 | b | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:51:8:51:14 | call to getBox1 | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:51:27:51:27 | e | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:52:14:52:14 | b | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:56:15:56:24 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:57:16:57:42 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:57:16:57:42 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:57:25:57:41 | Constant | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:57:25:57:41 | new | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:57:34:57:40 | (Elem *)... | ArgumentNode is missing PostUpdateNode. |
+| D.cpp:64:10:64:28 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| E.cpp:21:18:21:23 | buffer | ArgumentNode is missing PostUpdateNode. |
+| E.cpp:28:21:28:23 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| E.cpp:29:21:29:29 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| E.cpp:30:21:30:33 | (void *)... | ArgumentNode is missing PostUpdateNode. |
+| E.cpp:31:10:31:12 | raw | ArgumentNode is missing PostUpdateNode. |
+| E.cpp:32:13:32:18 | buffer | ArgumentNode is missing PostUpdateNode. |
+| E.cpp:33:18:33:19 | & ... | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:25:17:25:19 | & ... | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:26:19:26:20 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:27:14:27:15 | s3 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:29:11:29:12 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:30:11:30:12 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:31:11:31:12 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:38:11:38:12 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:43:13:43:14 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:50:11:50:12 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:55:14:55:15 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:62:14:62:15 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:73:12:73:13 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:80:12:80:13 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:87:12:87:13 | m1 | ArgumentNode is missing PostUpdateNode. |
+| aliasing.cpp:93:12:93:13 | m1 | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:20:5:20:8 | this | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:20:23:20:27 | value | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:24:19:24:22 | this | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:24:25:24:29 | value | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:40:12:40:15 | this | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:44:26:44:29 | this | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:50:3:50:3 | s | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:50:17:50:26 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:51:8:51:8 | (const S)... | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:51:10:51:20 | call to getDirectly | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:56:3:56:3 | s | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:56:19:56:28 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:57:8:57:8 | (const S)... | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:57:10:57:22 | call to getIndirectly | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:62:3:62:3 | s | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:62:25:62:34 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:63:8:63:8 | (const S)... | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:63:10:63:28 | call to getThroughNonMember | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:68:17:68:18 | & ... | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:68:21:68:30 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:69:8:69:20 | call to nonMemberGetA | ArgumentNode is missing PostUpdateNode. |
+| by_reference.cpp:69:22:69:23 | (const S *)... | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:22:11:22:17 | FieldAddress | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:22:13:22:13 | 0 | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:22:16:22:16 | 0 | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:44:10:44:10 | f | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:44:12:44:12 | call to a | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:45:10:45:10 | f | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:45:12:45:12 | call to b | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:50:7:50:8 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:51:7:51:8 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:52:7:52:8 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:53:7:53:8 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:55:6:55:6 | f | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:55:13:55:22 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:56:6:56:6 | f | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:56:13:56:22 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:57:6:57:6 | f | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:57:13:57:22 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:58:6:58:6 | f | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:58:13:58:22 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:61:7:61:8 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:64:7:64:8 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:67:7:67:8 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| complex.cpp:70:7:70:8 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:28:10:28:10 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:28:12:28:12 | call to a | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:29:10:29:10 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:29:12:29:12 | call to b | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:34:9:34:9 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:34:11:34:20 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:34:25:34:25 | 0 | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:35:9:35:9 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:35:11:35:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:35:14:35:23 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:36:9:36:9 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:36:11:36:20 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:36:25:36:34 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:37:9:37:9 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:37:11:37:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:37:14:37:14 | 0 | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:40:9:40:9 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:43:9:43:9 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:46:9:46:9 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| constructors.cpp:49:9:49:9 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | (const void *)... | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | (const void *)... | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | (const void *)... | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| file://:0:0:0:0 | this | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:28:10:28:10 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:28:12:28:12 | call to a | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:29:10:29:10 | (reference dereference) | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:29:12:29:12 | call to b | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:34:9:34:9 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:34:11:34:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:34:14:34:14 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:35:9:35:9 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:35:11:35:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:35:14:35:14 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:36:9:36:9 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:36:11:36:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:36:14:36:14 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:37:9:37:9 | VariableAddress | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:37:11:37:11 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:37:14:37:14 | 0 | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:39:5:39:5 | f | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:39:12:39:21 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:40:5:40:5 | g | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:40:12:40:21 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:41:5:41:5 | h | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:41:12:41:21 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:42:5:42:5 | h | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:42:12:42:21 | call to user_input | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:45:9:45:9 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:48:9:48:9 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:51:9:51:9 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| simple.cpp:54:9:54:9 | (reference to) | ArgumentNode is missing PostUpdateNode. |
+| struct_init.c:15:12:15:12 | a | ArgumentNode is missing PostUpdateNode. |
+| struct_init.c:16:12:16:12 | b | ArgumentNode is missing PostUpdateNode. |
+| struct_init.c:22:11:22:11 | a | ArgumentNode is missing PostUpdateNode. |
+| struct_init.c:23:11:23:11 | b | ArgumentNode is missing PostUpdateNode. |
+| struct_init.c:24:10:24:12 | & ... | ArgumentNode is missing PostUpdateNode. |
+| struct_init.c:31:23:31:23 | a | ArgumentNode is missing PostUpdateNode. |
+| struct_init.c:32:23:32:23 | b | ArgumentNode is missing PostUpdateNode. |
+| struct_init.c:33:25:33:25 | a | ArgumentNode is missing PostUpdateNode. |
+| struct_init.c:34:25:34:25 | b | ArgumentNode is missing PostUpdateNode. |
+| struct_init.c:36:10:36:24 | & ... | ArgumentNode is missing PostUpdateNode. |
+| struct_init.c:46:16:46:24 | pointerAB | ArgumentNode is missing PostUpdateNode. |

cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.ql

@@ -0,0 +1 @@
+import semmle.code.cpp.ir.dataflow.internal.DataFlowImplConsistency::Consistency

cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.expected

@@ -20,6 +20,9 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity_unsound.expected

@@ -20,6 +20,9 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -885,15 +885,24 @@ void FuncPtrConversions(int(*pfn)(int), void* p) {
   pfn = (int(*)(int))p;
 }
 
+void VAListUsage(int x, __builtin_va_list args) {
+  __builtin_va_list args2;
+  __builtin_va_copy(args2, args);
+  double d = __builtin_va_arg(args, double);
+  float f = __builtin_va_arg(args, int);
+  __builtin_va_end(args2);
+}
+
 void VarArgUsage(int x, ...) {
   __builtin_va_list args;
 
   __builtin_va_start(args, x);
   __builtin_va_list args2;
-  __builtin_va_start(args2, args);
+  __builtin_va_copy(args2, args);
   double d = __builtin_va_arg(args, double);
-  float f = __builtin_va_arg(args, float);
+  float f = __builtin_va_arg(args, int);
   __builtin_va_end(args);
+  VAListUsage(x, args2);
   __builtin_va_end(args2);
 }
 

cpp/ql/test/library-tests/ir/ir/raw_sanity.expected

@@ -20,6 +20,9 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected

@@ -20,6 +20,9 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity_unsound.expected

@@ -20,6 +20,9 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected

@@ -459,7 +459,7 @@ ssa.cpp:
 #  112|     m112_12(Point)       = Chi                    : total:m112_7, partial:m112_11
 #  113|     r113_1(glval<Point>) = VariableAddress[b]     : 
 #  113|     r113_2(glval<Point>) = VariableAddress[a]     : 
-#  113|     r113_3(Point)        = Load                   : &:r113_2, ~m112_12
+#  113|     r113_3(Point)        = Load                   : &:r113_2, m112_12
 #  113|     m113_4(Point)        = Store                  : &:r113_1, r113_3
 #  114|     v114_1(void)         = NoOp                   : 
 #  111|     v111_10(void)        = ReturnVoid             : 
@@ -824,41 +824,43 @@ ssa.cpp:
 #  184|     m184_7(unsigned int &)         = InitializeParameter[a]   : &:r184_6
 #  184|     r184_8(unsigned int &)         = Load                     : &:r184_6, m184_7
 #  184|     m184_9(unknown)                = InitializeIndirection[a] : &:r184_8
-#  184|     r184_10(glval<unsigned int &>) = VariableAddress[b]       : 
-#  184|     m184_11(unsigned int &)        = InitializeParameter[b]   : &:r184_10
-#  184|     r184_12(unsigned int &)        = Load                     : &:r184_10, m184_11
-#  184|     m184_13(unknown)               = InitializeIndirection[b] : &:r184_12
-#  184|     r184_14(glval<unsigned int &>) = VariableAddress[c]       : 
-#  184|     m184_15(unsigned int &)        = InitializeParameter[c]   : &:r184_14
-#  184|     r184_16(unsigned int &)        = Load                     : &:r184_14, m184_15
-#  184|     m184_17(unknown)               = InitializeIndirection[c] : &:r184_16
-#  184|     r184_18(glval<unsigned int &>) = VariableAddress[d]       : 
-#  184|     m184_19(unsigned int &)        = InitializeParameter[d]   : &:r184_18
-#  184|     r184_20(unsigned int &)        = Load                     : &:r184_18, m184_19
-#  184|     m184_21(unknown)               = InitializeIndirection[d] : &:r184_20
+#  184|     m184_10(unknown)               = Chi                      : total:m184_4, partial:m184_9
+#  184|     r184_11(glval<unsigned int &>) = VariableAddress[b]       : 
+#  184|     m184_12(unsigned int &)        = InitializeParameter[b]   : &:r184_11
+#  184|     r184_13(unsigned int &)        = Load                     : &:r184_11, m184_12
+#  184|     m184_14(unknown)               = InitializeIndirection[b] : &:r184_13
+#  184|     m184_15(unknown)               = Chi                      : total:m184_10, partial:m184_14
+#  184|     r184_16(glval<unsigned int &>) = VariableAddress[c]       : 
+#  184|     m184_17(unsigned int &)        = InitializeParameter[c]   : &:r184_16
+#  184|     r184_18(unsigned int &)        = Load                     : &:r184_16, m184_17
+#  184|     m184_19(unknown)               = InitializeIndirection[c] : &:r184_18
+#  184|     r184_20(glval<unsigned int &>) = VariableAddress[d]       : 
+#  184|     m184_21(unsigned int &)        = InitializeParameter[d]   : &:r184_20
+#  184|     r184_22(unsigned int &)        = Load                     : &:r184_20, m184_21
+#  184|     m184_23(unknown)               = InitializeIndirection[d] : &:r184_22
 #  189|     r189_1(glval<unsigned int &>)  = VariableAddress[a]       : 
 #  189|     r189_2(unsigned int &)         = Load                     : &:r189_1, m184_7
 #  189|     r189_3(glval<unsigned int>)    = CopyValue                : r189_2
 #  189|     r189_4(glval<unsigned int &>)  = VariableAddress[b]       : 
-#  189|     r189_5(unsigned int &)         = Load                     : &:r189_4, m184_11
+#  189|     r189_5(unsigned int &)         = Load                     : &:r189_4, m184_12
 #  189|     r189_6(glval<unsigned int>)    = CopyValue                : r189_5
 #  190|     r190_1(glval<unsigned int &>)  = VariableAddress[c]       : 
-#  190|     r190_2(unsigned int &)         = Load                     : &:r190_1, m184_15
-#  190|     r190_3(unsigned int)           = Load                     : &:r190_2, ~m184_17
+#  190|     r190_2(unsigned int &)         = Load                     : &:r190_1, m184_17
+#  190|     r190_3(unsigned int)           = Load                     : &:r190_2, ~m184_19
 #  190|     r190_4(glval<unsigned int &>)  = VariableAddress[d]       : 
-#  190|     r190_5(unsigned int &)         = Load                     : &:r190_4, m184_19
-#  190|     r190_6(unsigned int)           = Load                     : &:r190_5, ~m184_21
-#  186|     m186_1(unknown)                = InlineAsm                : ~m184_13, 0:r189_3, 1:r189_6, 2:r190_3, 3:r190_6
-#  186|     m186_2(unknown)                = Chi                      : total:m184_13, partial:m186_1
+#  190|     r190_5(unsigned int &)         = Load                     : &:r190_4, m184_21
+#  190|     r190_6(unsigned int)           = Load                     : &:r190_5, ~m184_23
+#  186|     m186_1(unknown)                = InlineAsm                : ~m184_15, 0:r189_3, 1:r189_6, 2:r190_3, 3:r190_6
+#  186|     m186_2(unknown)                = Chi                      : total:m184_15, partial:m186_1
 #  192|     v192_1(void)                   = NoOp                     : 
-#  184|     v184_22(void)                  = ReturnIndirection        : &:r184_8, ~m186_2
-#  184|     v184_23(void)                  = ReturnIndirection        : &:r184_12, ~m186_2
-#  184|     v184_24(void)                  = ReturnIndirection        : &:r184_16, m184_17
-#  184|     v184_25(void)                  = ReturnIndirection        : &:r184_20, m184_21
-#  184|     v184_26(void)                  = ReturnVoid               : 
-#  184|     v184_27(void)                  = UnmodeledUse             : mu*
-#  184|     v184_28(void)                  = AliasedUse               : ~m186_2
-#  184|     v184_29(void)                  = ExitFunction             : 
+#  184|     v184_24(void)                  = ReturnIndirection        : &:r184_8, ~m186_2
+#  184|     v184_25(void)                  = ReturnIndirection        : &:r184_13, ~m186_2
+#  184|     v184_26(void)                  = ReturnIndirection        : &:r184_18, m184_19
+#  184|     v184_27(void)                  = ReturnIndirection        : &:r184_22, m184_23
+#  184|     v184_28(void)                  = ReturnVoid               : 
+#  184|     v184_29(void)                  = UnmodeledUse             : mu*
+#  184|     v184_30(void)                  = AliasedUse               : ~m186_2
+#  184|     v184_31(void)                  = ExitFunction             : 
 
 #  198| int PureFunctions(char*, char*, int)
 #  198|   Block 0
@@ -1147,18 +1149,19 @@ ssa.cpp:
 #  247|     m247_7(char *)         = InitializeParameter[src]           : &:r247_6
 #  247|     r247_8(char *)         = Load                               : &:r247_6, m247_7
 #  247|     m247_9(unknown)        = InitializeIndirection[src]         : &:r247_8
-#  247|     r247_10(glval<int>)    = VariableAddress[size]              : 
-#  247|     m247_11(int)           = InitializeParameter[size]          : &:r247_10
+#  247|     m247_10(unknown)       = Chi                                : total:m247_4, partial:m247_9
+#  247|     r247_11(glval<int>)    = VariableAddress[size]              : 
+#  247|     m247_12(int)           = InitializeParameter[size]          : &:r247_11
 #  248|     r248_1(glval<char *>)  = VariableAddress[dst]               : 
 #  248|     r248_2(glval<unknown>) = FunctionAddress[operator new[]]    : 
 #  248|     r248_3(glval<int>)     = VariableAddress[size]              : 
-#  248|     r248_4(int)            = Load                               : &:r248_3, m247_11
+#  248|     r248_4(int)            = Load                               : &:r248_3, m247_12
 #  248|     r248_5(unsigned long)  = Convert                            : r248_4
 #  248|     r248_6(unsigned long)  = Constant[1]                        : 
 #  248|     r248_7(unsigned long)  = Mul                                : r248_5, r248_6
 #  248|     r248_8(void *)         = Call                               : func:r248_2, 0:r248_7
-#  248|     m248_9(unknown)        = ^CallSideEffect                    : ~m247_9
-#  248|     m248_10(unknown)       = Chi                                : total:m247_9, partial:m248_9
+#  248|     m248_9(unknown)        = ^CallSideEffect                    : ~m247_10
+#  248|     m248_10(unknown)       = Chi                                : total:m247_10, partial:m248_9
 #  248|     r248_11(char *)        = Convert                            : r248_8
 #  248|     m248_12(char *)        = Store                              : &:r248_1, r248_11
 #  249|     r249_1(char)           = Constant[97]                       : 
@@ -1175,7 +1178,7 @@ ssa.cpp:
 #  250|     r250_6(char *)         = Load                               : &:r250_5, m247_7
 #  250|     r250_7(void *)         = Convert                            : r250_6
 #  250|     r250_8(glval<int>)     = VariableAddress[size]              : 
-#  250|     r250_9(int)            = Load                               : &:r250_8, m247_11
+#  250|     r250_9(int)            = Load                               : &:r250_8, m247_12
 #  250|     r250_10(void *)        = Call                               : func:r250_1, 0:r250_4, 1:r250_7, 2:r250_9
 #  250|     v250_11(void)          = ^SizedBufferReadSideEffect[1]      : &:r250_7, r250_9, ~m249_6
 #  250|     m250_12(unknown)       = ^SizedBufferMustWriteSideEffect[0] : &:r250_4, r250_9
@@ -1184,12 +1187,12 @@ ssa.cpp:
 #  251|     r251_2(glval<char *>)  = VariableAddress[dst]               : 
 #  251|     r251_3(char *)         = Load                               : &:r251_2, m248_12
 #  251|     m251_4(char *)         = Store                              : &:r251_1, r251_3
-#  247|     v247_12(void)          = ReturnIndirection                  : &:r247_8, ~m250_13
-#  247|     r247_13(glval<char *>) = VariableAddress[#return]           : 
-#  247|     v247_14(void)          = ReturnValue                        : &:r247_13, m251_4
-#  247|     v247_15(void)          = UnmodeledUse                       : mu*
-#  247|     v247_16(void)          = AliasedUse                         : ~m250_13
-#  247|     v247_17(void)          = ExitFunction                       : 
+#  247|     v247_13(void)          = ReturnIndirection                  : &:r247_8, ~m250_13
+#  247|     r247_14(glval<char *>) = VariableAddress[#return]           : 
+#  247|     v247_15(void)          = ReturnValue                        : &:r247_14, m251_4
+#  247|     v247_16(void)          = UnmodeledUse                       : mu*
+#  247|     v247_17(void)          = AliasedUse                         : ~m250_13
+#  247|     v247_18(void)          = ExitFunction                       : 
 
 #  254| char StringLiteralAliasing2(bool)
 #  254|   Block 0
@@ -1250,35 +1253,95 @@ ssa.cpp:
 #  268|     m268_7(void *)         = InitializeParameter[s]             : &:r268_6
 #  268|     r268_8(void *)         = Load                               : &:r268_6, m268_7
 #  268|     m268_9(unknown)        = InitializeIndirection[s]           : &:r268_8
-#  268|     r268_10(glval<int>)    = VariableAddress[size]              : 
-#  268|     m268_11(int)           = InitializeParameter[size]          : &:r268_10
+#  268|     m268_10(unknown)       = Chi                                : total:m268_4, partial:m268_9
+#  268|     r268_11(glval<int>)    = VariableAddress[size]              : 
+#  268|     m268_12(int)           = InitializeParameter[size]          : &:r268_11
 #  269|     r269_1(glval<void *>)  = VariableAddress[buf]               : 
 #  269|     r269_2(glval<unknown>) = FunctionAddress[malloc]            : 
 #  269|     r269_3(glval<int>)     = VariableAddress[size]              : 
-#  269|     r269_4(int)            = Load                               : &:r269_3, m268_11
+#  269|     r269_4(int)            = Load                               : &:r269_3, m268_12
 #  269|     r269_5(void *)         = Call                               : func:r269_2, 0:r269_4
-#  269|     m269_6(unknown)        = ^CallSideEffect                    : ~m268_9
-#  269|     m269_7(unknown)        = Chi                                : total:m268_9, partial:m269_6
+#  269|     m269_6(unknown)        = ^CallSideEffect                    : ~m268_10
+#  269|     m269_7(unknown)        = Chi                                : total:m268_10, partial:m269_6
 #  269|     m269_8(unknown)        = ^InitializeDynamicAllocation       : &:r269_5
-#  269|     m269_9(void *)         = Store                              : &:r269_1, r269_5
+#  269|     m269_9(unknown)        = Chi                                : total:m269_7, partial:m269_8
+#  269|     m269_10(void *)        = Store                              : &:r269_1, r269_5
 #  270|     r270_1(glval<unknown>) = FunctionAddress[memcpy]            : 
 #  270|     r270_2(glval<void *>)  = VariableAddress[buf]               : 
-#  270|     r270_3(void *)         = Load                               : &:r270_2, m269_9
+#  270|     r270_3(void *)         = Load                               : &:r270_2, m269_10
 #  270|     r270_4(glval<void *>)  = VariableAddress[s]                 : 
 #  270|     r270_5(void *)         = Load                               : &:r270_4, m268_7
 #  270|     r270_6(glval<int>)     = VariableAddress[size]              : 
-#  270|     r270_7(int)            = Load                               : &:r270_6, m268_11
+#  270|     r270_7(int)            = Load                               : &:r270_6, m268_12
 #  270|     r270_8(void *)         = Call                               : func:r270_1, 0:r270_3, 1:r270_5, 2:r270_7
-#  270|     v270_9(void)           = ^SizedBufferReadSideEffect[1]      : &:r270_5, r270_7, ~m269_8
+#  270|     v270_9(void)           = ^SizedBufferReadSideEffect[1]      : &:r270_5, r270_7, ~m269_7
 #  270|     m270_10(unknown)       = ^SizedBufferMustWriteSideEffect[0] : &:r270_3, r270_7
-#  270|     m270_11(unknown)       = Chi                                : total:m269_8, partial:m270_10
+#  270|     m270_11(unknown)       = Chi                                : total:m269_9, partial:m270_10
 #  271|     r271_1(glval<void *>)  = VariableAddress[#return]           : 
 #  271|     r271_2(glval<void *>)  = VariableAddress[buf]               : 
-#  271|     r271_3(void *)         = Load                               : &:r271_2, m269_9
+#  271|     r271_3(void *)         = Load                               : &:r271_2, m269_10
 #  271|     m271_4(void *)         = Store                              : &:r271_1, r271_3
-#  268|     v268_12(void)          = ReturnIndirection                  : &:r268_8, ~m270_11
-#  268|     r268_13(glval<void *>) = VariableAddress[#return]           : 
-#  268|     v268_14(void)          = ReturnValue                        : &:r268_13, m271_4
-#  268|     v268_15(void)          = UnmodeledUse                       : mu*
-#  268|     v268_16(void)          = AliasedUse                         : ~m270_11
-#  268|     v268_17(void)          = ExitFunction                       : 
+#  268|     v268_13(void)          = ReturnIndirection                  : &:r268_8, ~m270_11
+#  268|     r268_14(glval<void *>) = VariableAddress[#return]           : 
+#  268|     v268_15(void)          = ReturnValue                        : &:r268_14, m271_4
+#  268|     v268_16(void)          = UnmodeledUse                       : mu*
+#  268|     v268_17(void)          = AliasedUse                         : ~m270_11
+#  268|     v268_18(void)          = ExitFunction                       : 
+
+#  275| void EscapedButNotConflated(bool, Point, int)
+#  275|   Block 0
+#  275|     v275_1(void)           = EnterFunction           : 
+#  275|     m275_2(unknown)        = AliasedDefinition       : 
+#  275|     m275_3(unknown)        = InitializeNonLocal      : 
+#  275|     m275_4(unknown)        = Chi                     : total:m275_2, partial:m275_3
+#  275|     mu275_5(unknown)       = UnmodeledDefinition     : 
+#  275|     r275_6(glval<bool>)    = VariableAddress[c]      : 
+#  275|     m275_7(bool)           = InitializeParameter[c]  : &:r275_6
+#  275|     r275_8(glval<Point>)   = VariableAddress[p]      : 
+#  275|     m275_9(Point)          = InitializeParameter[p]  : &:r275_8
+#  275|     r275_10(glval<int>)    = VariableAddress[x1]     : 
+#  275|     m275_11(int)           = InitializeParameter[x1] : &:r275_10
+#  276|     r276_1(glval<Point>)   = VariableAddress[a]      : 
+#  276|     m276_2(Point)          = Uninitialized[a]        : &:r276_1
+#  276|     m276_3(unknown)        = Chi                     : total:m275_4, partial:m276_2
+#  276|     r276_4(glval<int>)     = FieldAddress[x]         : r276_1
+#  276|     r276_5(int)            = Constant[0]             : 
+#  276|     m276_6(int)            = Store                   : &:r276_4, r276_5
+#  276|     m276_7(unknown)        = Chi                     : total:m276_3, partial:m276_6
+#  276|     r276_8(glval<int>)     = FieldAddress[y]         : r276_1
+#  276|     r276_9(int)            = Constant[0]             : 
+#  276|     m276_10(int)           = Store                   : &:r276_8, r276_9
+#  276|     m276_11(unknown)       = Chi                     : total:m276_7, partial:m276_10
+#  277|     r277_1(glval<Point>)   = VariableAddress[a]      : 
+#  277|     r277_2(Point *)        = CopyValue               : r277_1
+#  277|     r277_3(glval<Point *>) = VariableAddress[pp]     : 
+#  277|     m277_4(Point *)        = Store                   : &:r277_3, r277_2
+#  277|     m277_5(unknown)        = Chi                     : total:m276_11, partial:m277_4
+#  278|     r278_1(glval<bool>)    = VariableAddress[c]      : 
+#  278|     r278_2(bool)           = Load                    : &:r278_1, m275_7
+#  278|     v278_3(void)           = ConditionalBranch       : r278_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  279|   Block 1
+#  279|     r279_1(glval<int>)   = VariableAddress[x1] : 
+#  279|     r279_2(int)          = Load                : &:r279_1, m275_11
+#  279|     r279_3(glval<Point>) = VariableAddress[a]  : 
+#  279|     r279_4(glval<int>)   = FieldAddress[x]     : r279_3
+#  279|     m279_5(int)          = Store               : &:r279_4, r279_2
+#  279|     m279_6(unknown)      = Chi                 : total:m277_5, partial:m279_5
+#-----|   Goto -> Block 2
+
+#  281|   Block 2
+#  281|     m281_1(int)          = Phi                : from 0:m276_6, from 1:m279_5
+#  281|     m281_2(unknown)      = Phi                : from 0:~m277_5, from 1:~m279_6
+#  281|     r281_3(glval<int>)   = VariableAddress[x] : 
+#  281|     r281_4(glval<Point>) = VariableAddress[a] : 
+#  281|     r281_5(glval<int>)   = FieldAddress[x]    : r281_4
+#  281|     r281_6(int)          = Load               : &:r281_5, m281_1
+#  281|     m281_7(int)          = Store              : &:r281_3, r281_6
+#  282|     v282_1(void)         = NoOp               : 
+#  275|     v275_12(void)        = ReturnVoid         : 
+#  275|     v275_13(void)        = UnmodeledUse       : mu*
+#  275|     v275_14(void)        = AliasedUse         : ~m281_2
+#  275|     v275_15(void)        = ExitFunction       : 

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected

@@ -457,7 +457,7 @@ ssa.cpp:
 #  112|     m112_12(Point)       = Chi                    : total:m112_7, partial:m112_11
 #  113|     r113_1(glval<Point>) = VariableAddress[b]     : 
 #  113|     r113_2(glval<Point>) = VariableAddress[a]     : 
-#  113|     r113_3(Point)        = Load                   : &:r113_2, ~m112_12
+#  113|     r113_3(Point)        = Load                   : &:r113_2, m112_12
 #  113|     m113_4(Point)        = Store                  : &:r113_1, r113_3
 #  114|     v114_1(void)         = NoOp                   : 
 #  111|     v111_10(void)        = ReturnVoid             : 
@@ -490,7 +490,7 @@ ssa.cpp:
 #  117|     m117_12(Point)         = Chi                          : total:m117_7, partial:m117_11
 #  118|     r118_1(glval<Point>)   = VariableAddress[b]           : 
 #  118|     r118_2(glval<Point>)   = VariableAddress[a]           : 
-#  118|     r118_3(Point)          = Load                         : &:r118_2, ~m117_12
+#  118|     r118_3(Point)          = Load                         : &:r118_2, m117_12
 #  118|     m118_4(Point)          = Store                        : &:r118_1, r118_3
 #  119|     r119_1(glval<unknown>) = FunctionAddress[Escape]      : 
 #  119|     r119_2(glval<Point>)   = VariableAddress[a]           : 
@@ -941,7 +941,7 @@ ssa.cpp:
 #  209|     m209_12(int)           = Chi                                : total:m208_2, partial:m209_11
 #  210|     r210_1(glval<int>)     = VariableAddress[#return]           : 
 #  210|     r210_2(glval<int>)     = VariableAddress[y]                 : 
-#  210|     r210_3(int)            = Load                               : &:r210_2, ~m209_12
+#  210|     r210_3(int)            = Load                               : &:r210_2, m209_12
 #  210|     m210_4(int)            = Store                              : &:r210_1, r210_3
 #  207|     r207_8(glval<int>)     = VariableAddress[#return]           : 
 #  207|     v207_9(void)           = ReturnValue                        : &:r207_8, m210_4
@@ -1179,7 +1179,7 @@ ssa.cpp:
 #  251|     r251_2(glval<char *>)  = VariableAddress[dst]               : 
 #  251|     r251_3(char *)         = Load                               : &:r251_2, m248_12
 #  251|     m251_4(char *)         = Store                              : &:r251_1, r251_3
-#  247|     v247_12(void)          = ReturnIndirection                  : &:r247_8, ~m249_6
+#  247|     v247_12(void)          = ReturnIndirection                  : &:r247_8, m249_6
 #  247|     r247_13(glval<char *>) = VariableAddress[#return]           : 
 #  247|     v247_14(void)          = ReturnValue                        : &:r247_13, m251_4
 #  247|     v247_15(void)          = UnmodeledUse                       : mu*
@@ -1277,3 +1277,60 @@ ssa.cpp:
 #  268|     v268_15(void)          = UnmodeledUse                       : mu*
 #  268|     v268_16(void)          = AliasedUse                         : ~m269_7
 #  268|     v268_17(void)          = ExitFunction                       : 
+
+#  275| void EscapedButNotConflated(bool, Point, int)
+#  275|   Block 0
+#  275|     v275_1(void)           = EnterFunction           : 
+#  275|     m275_2(unknown)        = AliasedDefinition       : 
+#  275|     m275_3(unknown)        = InitializeNonLocal      : 
+#  275|     m275_4(unknown)        = Chi                     : total:m275_2, partial:m275_3
+#  275|     mu275_5(unknown)       = UnmodeledDefinition     : 
+#  275|     r275_6(glval<bool>)    = VariableAddress[c]      : 
+#  275|     m275_7(bool)           = InitializeParameter[c]  : &:r275_6
+#  275|     r275_8(glval<Point>)   = VariableAddress[p]      : 
+#  275|     m275_9(Point)          = InitializeParameter[p]  : &:r275_8
+#  275|     r275_10(glval<int>)    = VariableAddress[x1]     : 
+#  275|     m275_11(int)           = InitializeParameter[x1] : &:r275_10
+#  276|     r276_1(glval<Point>)   = VariableAddress[a]      : 
+#  276|     m276_2(Point)          = Uninitialized[a]        : &:r276_1
+#  276|     r276_3(glval<int>)     = FieldAddress[x]         : r276_1
+#  276|     r276_4(int)            = Constant[0]             : 
+#  276|     m276_5(int)            = Store                   : &:r276_3, r276_4
+#  276|     m276_6(Point)          = Chi                     : total:m276_2, partial:m276_5
+#  276|     r276_7(glval<int>)     = FieldAddress[y]         : r276_1
+#  276|     r276_8(int)            = Constant[0]             : 
+#  276|     m276_9(int)            = Store                   : &:r276_7, r276_8
+#  276|     m276_10(Point)         = Chi                     : total:m276_6, partial:m276_9
+#  277|     r277_1(glval<Point>)   = VariableAddress[a]      : 
+#  277|     r277_2(Point *)        = CopyValue               : r277_1
+#  277|     r277_3(glval<Point *>) = VariableAddress[pp]     : 
+#  277|     m277_4(Point *)        = Store                   : &:r277_3, r277_2
+#  277|     m277_5(unknown)        = Chi                     : total:m275_4, partial:m277_4
+#  278|     r278_1(glval<bool>)    = VariableAddress[c]      : 
+#  278|     r278_2(bool)           = Load                    : &:r278_1, m275_7
+#  278|     v278_3(void)           = ConditionalBranch       : r278_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  279|   Block 1
+#  279|     r279_1(glval<int>)   = VariableAddress[x1] : 
+#  279|     r279_2(int)          = Load                : &:r279_1, m275_11
+#  279|     r279_3(glval<Point>) = VariableAddress[a]  : 
+#  279|     r279_4(glval<int>)   = FieldAddress[x]     : r279_3
+#  279|     m279_5(int)          = Store               : &:r279_4, r279_2
+#  279|     m279_6(Point)        = Chi                 : total:m276_10, partial:m279_5
+#-----|   Goto -> Block 2
+
+#  281|   Block 2
+#  281|     m281_1(int)          = Phi                : from 0:m276_5, from 1:m279_5
+#  281|     m281_2(Point)        = Phi                : from 0:m276_10, from 1:m279_6
+#  281|     r281_3(glval<int>)   = VariableAddress[x] : 
+#  281|     r281_4(glval<Point>) = VariableAddress[a] : 
+#  281|     r281_5(glval<int>)   = FieldAddress[x]    : r281_4
+#  281|     r281_6(int)          = Load               : &:r281_5, m281_1
+#  281|     m281_7(int)          = Store              : &:r281_3, r281_6
+#  282|     v282_1(void)         = NoOp               : 
+#  275|     v275_12(void)        = ReturnVoid         : 
+#  275|     v275_13(void)        = UnmodeledUse       : mu*
+#  275|     v275_14(void)        = AliasedUse         : ~m277_5
+#  275|     v275_15(void)        = ExitFunction       : 

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity.expected

@@ -16,6 +16,9 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity_unsound.expected

@@ -16,6 +16,9 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/ir/ssa/ssa.cpp

@@ -269,4 +269,14 @@ void *MallocAliasing(void *s, int size) {
   void *buf = malloc(size);
   memcpy(buf, s, size);
   return buf;
-}
+}
+
+Point *pp;
+void EscapedButNotConflated(bool c, Point p, int x1) {
+  Point a = {};
+  pp = &a; // `a` escapes here and therefore belongs to the aliased vvar
+  if (c) {
+    a.x = x1;
+  }
+  int x = a.x; // The phi node here is not conflated
+}

cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected

@@ -1188,3 +1188,53 @@ ssa.cpp:
 #  268|     v268_14(void)          = UnmodeledUse                       : mu*
 #  268|     v268_15(void)          = AliasedUse                         : ~mu268_4
 #  268|     v268_16(void)          = ExitFunction                       : 
+
+#  275| void EscapedButNotConflated(bool, Point, int)
+#  275|   Block 0
+#  275|     v275_1(void)           = EnterFunction           : 
+#  275|     mu275_2(unknown)       = AliasedDefinition       : 
+#  275|     mu275_3(unknown)       = InitializeNonLocal      : 
+#  275|     mu275_4(unknown)       = UnmodeledDefinition     : 
+#  275|     r275_5(glval<bool>)    = VariableAddress[c]      : 
+#  275|     m275_6(bool)           = InitializeParameter[c]  : &:r275_5
+#  275|     r275_7(glval<Point>)   = VariableAddress[p]      : 
+#  275|     m275_8(Point)          = InitializeParameter[p]  : &:r275_7
+#  275|     r275_9(glval<int>)     = VariableAddress[x1]     : 
+#  275|     m275_10(int)           = InitializeParameter[x1] : &:r275_9
+#  276|     r276_1(glval<Point>)   = VariableAddress[a]      : 
+#  276|     mu276_2(Point)         = Uninitialized[a]        : &:r276_1
+#  276|     r276_3(glval<int>)     = FieldAddress[x]         : r276_1
+#  276|     r276_4(int)            = Constant[0]             : 
+#  276|     mu276_5(int)           = Store                   : &:r276_3, r276_4
+#  276|     r276_6(glval<int>)     = FieldAddress[y]         : r276_1
+#  276|     r276_7(int)            = Constant[0]             : 
+#  276|     mu276_8(int)           = Store                   : &:r276_6, r276_7
+#  277|     r277_1(glval<Point>)   = VariableAddress[a]      : 
+#  277|     r277_2(Point *)        = CopyValue               : r277_1
+#  277|     r277_3(glval<Point *>) = VariableAddress[pp]     : 
+#  277|     mu277_4(Point *)       = Store                   : &:r277_3, r277_2
+#  278|     r278_1(glval<bool>)    = VariableAddress[c]      : 
+#  278|     r278_2(bool)           = Load                    : &:r278_1, m275_6
+#  278|     v278_3(void)           = ConditionalBranch       : r278_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  279|   Block 1
+#  279|     r279_1(glval<int>)   = VariableAddress[x1] : 
+#  279|     r279_2(int)          = Load                : &:r279_1, m275_10
+#  279|     r279_3(glval<Point>) = VariableAddress[a]  : 
+#  279|     r279_4(glval<int>)   = FieldAddress[x]     : r279_3
+#  279|     mu279_5(int)         = Store               : &:r279_4, r279_2
+#-----|   Goto -> Block 2
+
+#  281|   Block 2
+#  281|     r281_1(glval<int>)   = VariableAddress[x] : 
+#  281|     r281_2(glval<Point>) = VariableAddress[a] : 
+#  281|     r281_3(glval<int>)   = FieldAddress[x]    : r281_2
+#  281|     r281_4(int)          = Load               : &:r281_3, ~mu275_4
+#  281|     m281_5(int)          = Store              : &:r281_1, r281_4
+#  282|     v282_1(void)         = NoOp               : 
+#  275|     v275_11(void)        = ReturnVoid         : 
+#  275|     v275_12(void)        = UnmodeledUse       : mu*
+#  275|     v275_13(void)        = AliasedUse         : ~mu275_4
+#  275|     v275_14(void)        = ExitFunction       : 

cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected

@@ -1188,3 +1188,53 @@ ssa.cpp:
 #  268|     v268_14(void)          = UnmodeledUse                       : mu*
 #  268|     v268_15(void)          = AliasedUse                         : ~mu268_4
 #  268|     v268_16(void)          = ExitFunction                       : 
+
+#  275| void EscapedButNotConflated(bool, Point, int)
+#  275|   Block 0
+#  275|     v275_1(void)           = EnterFunction           : 
+#  275|     mu275_2(unknown)       = AliasedDefinition       : 
+#  275|     mu275_3(unknown)       = InitializeNonLocal      : 
+#  275|     mu275_4(unknown)       = UnmodeledDefinition     : 
+#  275|     r275_5(glval<bool>)    = VariableAddress[c]      : 
+#  275|     m275_6(bool)           = InitializeParameter[c]  : &:r275_5
+#  275|     r275_7(glval<Point>)   = VariableAddress[p]      : 
+#  275|     m275_8(Point)          = InitializeParameter[p]  : &:r275_7
+#  275|     r275_9(glval<int>)     = VariableAddress[x1]     : 
+#  275|     m275_10(int)           = InitializeParameter[x1] : &:r275_9
+#  276|     r276_1(glval<Point>)   = VariableAddress[a]      : 
+#  276|     mu276_2(Point)         = Uninitialized[a]        : &:r276_1
+#  276|     r276_3(glval<int>)     = FieldAddress[x]         : r276_1
+#  276|     r276_4(int)            = Constant[0]             : 
+#  276|     mu276_5(int)           = Store                   : &:r276_3, r276_4
+#  276|     r276_6(glval<int>)     = FieldAddress[y]         : r276_1
+#  276|     r276_7(int)            = Constant[0]             : 
+#  276|     mu276_8(int)           = Store                   : &:r276_6, r276_7
+#  277|     r277_1(glval<Point>)   = VariableAddress[a]      : 
+#  277|     r277_2(Point *)        = CopyValue               : r277_1
+#  277|     r277_3(glval<Point *>) = VariableAddress[pp]     : 
+#  277|     mu277_4(Point *)       = Store                   : &:r277_3, r277_2
+#  278|     r278_1(glval<bool>)    = VariableAddress[c]      : 
+#  278|     r278_2(bool)           = Load                    : &:r278_1, m275_6
+#  278|     v278_3(void)           = ConditionalBranch       : r278_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  279|   Block 1
+#  279|     r279_1(glval<int>)   = VariableAddress[x1] : 
+#  279|     r279_2(int)          = Load                : &:r279_1, m275_10
+#  279|     r279_3(glval<Point>) = VariableAddress[a]  : 
+#  279|     r279_4(glval<int>)   = FieldAddress[x]     : r279_3
+#  279|     mu279_5(int)         = Store               : &:r279_4, r279_2
+#-----|   Goto -> Block 2
+
+#  281|   Block 2
+#  281|     r281_1(glval<int>)   = VariableAddress[x] : 
+#  281|     r281_2(glval<Point>) = VariableAddress[a] : 
+#  281|     r281_3(glval<int>)   = FieldAddress[x]    : r281_2
+#  281|     r281_4(int)          = Load               : &:r281_3, ~mu275_4
+#  281|     m281_5(int)          = Store              : &:r281_1, r281_4
+#  282|     v282_1(void)         = NoOp               : 
+#  275|     v275_11(void)        = ReturnVoid         : 
+#  275|     v275_12(void)        = UnmodeledUse       : mu*
+#  275|     v275_13(void)        = AliasedUse         : ~mu275_4
+#  275|     v275_14(void)        = ExitFunction       : 

cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity.expected

@@ -16,6 +16,9 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity_unsound.expected

@@ -16,6 +16,9 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/literals/literals/literals.expected

@@ -2,10 +2,10 @@
 | literals.c:3:13:3:16 | 1.0 |
 | literals.c:4:13:4:16 | 1.0 |
 | literals.c:5:13:5:16 | 1.0 |
-| literals.c:6:13:6:16 | (1.0,1.0i) |
-| literals.c:7:13:7:16 | (1.0,1.0i) |
-| literals.c:8:13:8:16 | (1.0,1.0i) |
-| literals.c:9:13:9:16 | (1.0,1.0i) |
+| literals.c:6:13:6:16 | (0.0,1.0i) |
+| literals.c:7:13:7:16 | (0.0,1.0i) |
+| literals.c:8:13:8:16 | (0.0,1.0i) |
+| literals.c:9:13:9:16 | (0.0,1.0i) |
 | literals.c:10:13:10:16 | 1.0 |
 | literals.c:11:13:11:16 | 1.0 |
 | literals.c:12:13:12:16 | 1.0 |

cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_sanity.expected

@@ -568,6 +568,9 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected

@@ -0,0 +1,286 @@
+uniqueEnclosingCallable
+| enum.c:2:6:2:6 | 1 | Node should have one enclosing callable but has 0. |
+| enum.c:2:6:2:10 | ... + ... | Node should have one enclosing callable but has 0. |
+| enum.c:2:10:2:10 | 1 | Node should have one enclosing callable but has 0. |
+| misc.c:11:17:11:17 | 1 | Node should have one enclosing callable but has 0. |
+| misc.c:11:17:11:21 | ... + ... | Node should have one enclosing callable but has 0. |
+| misc.c:11:21:11:21 | 2 | Node should have one enclosing callable but has 0. |
+| misc.c:210:24:210:24 | 0 | Node should have one enclosing callable but has 0. |
+| misc.c:210:24:210:28 | ... + ... | Node should have one enclosing callable but has 0. |
+| misc.c:210:28:210:28 | 1 | Node should have one enclosing callable but has 0. |
+uniqueTypeBound
+| bad_asts.cpp:19:10:19:10 | constructor init of field x [post-this] | Node should have one type bound but has 0. |
+| bad_asts.cpp:19:10:19:10 | constructor init of field x [pre-this] | Node should have one type bound but has 0. |
+| bad_asts.cpp:19:10:19:10 | constructor init of field y [post-this] | Node should have one type bound but has 0. |
+| bad_asts.cpp:19:10:19:10 | constructor init of field y [pre-this] | Node should have one type bound but has 0. |
+| cpp17.cpp:15:5:15:45 | call to unknown function | Node should have one type bound but has 0. |
+| ir.cpp:784:15:784:15 | constructor init of field middlevb2_s [post-this] | Node should have one type bound but has 0. |
+| ir.cpp:784:15:784:15 | constructor init of field middlevb2_s [pre-this] | Node should have one type bound but has 0. |
+| static_init_templates.cpp:240:7:240:7 | constructor init of field mcc [post-this] | Node should have one type bound but has 0. |
+| static_init_templates.cpp:240:7:240:7 | constructor init of field mcc [pre-this] | Node should have one type bound but has 0. |
+uniqueTypeRepr
+| bad_asts.cpp:19:10:19:10 | constructor init of field x [post-this] | Node should have one type representation but has 0. |
+| bad_asts.cpp:19:10:19:10 | constructor init of field x [pre-this] | Node should have one type representation but has 0. |
+| bad_asts.cpp:19:10:19:10 | constructor init of field y [post-this] | Node should have one type representation but has 0. |
+| bad_asts.cpp:19:10:19:10 | constructor init of field y [pre-this] | Node should have one type representation but has 0. |
+| cpp17.cpp:15:5:15:45 | call to unknown function | Node should have one type representation but has 0. |
+| ir.cpp:784:15:784:15 | constructor init of field middlevb2_s [post-this] | Node should have one type representation but has 0. |
+| ir.cpp:784:15:784:15 | constructor init of field middlevb2_s [pre-this] | Node should have one type representation but has 0. |
+| static_init_templates.cpp:240:7:240:7 | constructor init of field mcc [post-this] | Node should have one type representation but has 0. |
+| static_init_templates.cpp:240:7:240:7 | constructor init of field mcc [pre-this] | Node should have one type representation but has 0. |
+uniqueNodeLocation
+| break_labels.c:2:11:2:11 | i | Node should have one location but has 4. |
+| break_labels.c:2:11:2:11 | x | Node should have one location but has 4. |
+| cpp11.cpp:82:17:82:55 | call to Val | Node should have one location but has 2. |
+| cpp11.cpp:82:17:82:55 | call to Val | Node should have one location but has 2. |
+| duff.c:2:12:2:12 | i | Node should have one location but has 4. |
+| duff.c:2:12:2:12 | x | Node should have one location but has 4. |
+| file://:0:0:0:0 | call to PolymorphicBase | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to PolymorphicDerived | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to Val | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to Val | Node should have one location but has 2. |
+| file://:0:0:0:0 | call to exn1 | Node should have one location but has 2. |
+| file://:0:0:0:0 | p#2 | Node should have one location but has 0. |
+| file://:0:0:0:0 | p#2 | Node should have one location but has 0. |
+| ifelsestmt.c:37:17:37:17 | x | Node should have one location but has 2. |
+| ifelsestmt.c:37:24:37:24 | y | Node should have one location but has 2. |
+| ifstmt.c:27:17:27:17 | x | Node should have one location but has 2. |
+| ifstmt.c:27:24:27:24 | y | Node should have one location but has 2. |
+| ir.cpp:850:19:850:19 | call to PolymorphicBase | Node should have one location but has 2. |
+| ir.cpp:851:22:851:22 | call to PolymorphicDerived | Node should have one location but has 2. |
+| nodefaultswitchstmt.c:1:12:1:12 | i | Node should have one location but has 4. |
+| nodefaultswitchstmt.c:1:12:1:12 | x | Node should have one location but has 4. |
+| switchstmt.c:1:12:1:12 | i | Node should have one location but has 4. |
+| switchstmt.c:1:12:1:12 | x | Node should have one location but has 4. |
+| try_catch.cpp:13:5:13:16 | call to exn1 | Node should have one location but has 2. |
+missingLocation
+| Nodes without location: 2 |
+uniqueNodeToString
+| break_labels.c:2:11:2:11 | i | Node should have one toString but has 2. |
+| break_labels.c:2:11:2:11 | x | Node should have one toString but has 2. |
+| break_labels.c:4:9:4:9 | i | Node should have one toString but has 2. |
+| break_labels.c:4:9:4:9 | x | Node should have one toString but has 2. |
+| break_labels.c:6:16:6:16 | i | Node should have one toString but has 2. |
+| break_labels.c:6:16:6:16 | x | Node should have one toString but has 2. |
+| break_labels.c:7:17:7:17 | i | Node should have one toString but has 2. |
+| break_labels.c:7:17:7:17 | x | Node should have one toString but has 2. |
+| duff.c:2:12:2:12 | i | Node should have one toString but has 2. |
+| duff.c:2:12:2:12 | x | Node should have one toString but has 2. |
+| duff.c:3:14:3:14 | i | Node should have one toString but has 2. |
+| duff.c:3:14:3:14 | x | Node should have one toString but has 2. |
+| duff.c:4:13:4:13 | i | Node should have one toString but has 2. |
+| duff.c:4:13:4:13 | x | Node should have one toString but has 2. |
+| nodefaultswitchstmt.c:1:12:1:12 | i | Node should have one toString but has 2. |
+| nodefaultswitchstmt.c:1:12:1:12 | x | Node should have one toString but has 2. |
+| nodefaultswitchstmt.c:2:14:2:14 | i | Node should have one toString but has 2. |
+| nodefaultswitchstmt.c:2:14:2:14 | x | Node should have one toString but has 2. |
+| switchstmt.c:1:12:1:12 | i | Node should have one toString but has 2. |
+| switchstmt.c:1:12:1:12 | x | Node should have one toString but has 2. |
+| switchstmt.c:2:14:2:14 | i | Node should have one toString but has 2. |
+| switchstmt.c:2:14:2:14 | x | Node should have one toString but has 2. |
+missingToString
+parameterCallable
+localFlowIsLocal
+compatibleTypesReflexive
+unreachableNodeCCtx
+localCallNodes
+postIsNotPre
+postHasUniquePre
+uniquePostUpdate
+postIsInSameCallable
+reverseRead
+storeIsPostUpdate
+argHasPostUpdate
+| CPP-309.cpp:7:5:7:20 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| CPP-309.cpp:7:9:7:9 | 2 | ArgumentNode is missing PostUpdateNode. |
+| CPP-309.cpp:7:12:7:12 | 3 | ArgumentNode is missing PostUpdateNode. |
+| CPP-309.cpp:11:13:11:13 | 1 | ArgumentNode is missing PostUpdateNode. |
+| VacuousDestructorCall.cpp:10:18:10:18 | i | ArgumentNode is missing PostUpdateNode. |
+| abortingfunctions.cpp:45:13:45:13 | 0 | ArgumentNode is missing PostUpdateNode. |
+| abortingfunctions.cpp:45:16:45:16 | 0 | ArgumentNode is missing PostUpdateNode. |
+| allocators.cpp:16:14:16:36 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| allocators.cpp:16:18:16:19 | 11 | ArgumentNode is missing PostUpdateNode. |
+| allocators.cpp:16:22:16:23 | 22 | ArgumentNode is missing PostUpdateNode. |
+| allocators.cpp:16:30:16:31 | 33 | ArgumentNode is missing PostUpdateNode. |
+| allocators.cpp:16:34:16:35 | 44 | ArgumentNode is missing PostUpdateNode. |
+| bad_asts.cpp:16:25:16:25 | 1 | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:8:32:8:32 | 0 | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:8:35:8:37 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:8:40:8:40 | y | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:10:20:10:26 | ... != ... | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:20:33:20:35 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:21:33:21:35 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:21:38:21:38 | y | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:22:34:22:36 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:22:39:22:39 | y | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:28:31:28:38 | ... == ... | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:34:34:34:34 | x | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:39:25:39:27 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:39:30:39:30 | y | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:39:33:39:33 | 1 | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:43:26:43:28 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:43:37:43:37 | y | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:45:33:45:41 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:47:24:47:30 | Hello | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:47:33:47:35 | 101 | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:47:38:47:38 | 5 | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:51:41:51:43 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:51:46:51:46 | 0 | ArgumentNode is missing PostUpdateNode. |
+| builtin.c:54:41:54:41 | 0 | ArgumentNode is missing PostUpdateNode. |
+| builtin.cpp:14:40:14:44 | ... - ... | ArgumentNode is missing PostUpdateNode. |
+| builtin.cpp:15:31:15:35 | * ... | ArgumentNode is missing PostUpdateNode. |
+| condition_decls.cpp:16:20:16:20 | x | ArgumentNode is missing PostUpdateNode. |
+| condition_decls.cpp:26:24:26:24 | x | ArgumentNode is missing PostUpdateNode. |
+| condition_decls.cpp:41:23:41:23 | x | ArgumentNode is missing PostUpdateNode. |
+| condition_decls.cpp:48:23:48:24 | - ... | ArgumentNode is missing PostUpdateNode. |
+| condition_decls.cpp:48:35:48:36 | - ... | ArgumentNode is missing PostUpdateNode. |
+| condition_decls.cpp:48:53:48:53 | x | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:30:9:30:13 | call to C1 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:30:12:30:12 | 1 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:30:18:30:22 | call to C1 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:30:21:30:21 | 2 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:33:9:33:13 | call to C1 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:33:12:33:12 | 3 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:33:18:33:22 | call to C1 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:33:21:33:21 | 3 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:39:9:39:13 | call to C2 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:39:12:39:12 | 1 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:39:18:39:22 | call to C2 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:39:21:39:21 | 2 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:42:9:42:13 | call to C2 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:42:12:42:12 | 3 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:42:18:42:22 | call to C2 | ArgumentNode is missing PostUpdateNode. |
+| conditional_destructors.cpp:42:21:42:21 | 3 | ArgumentNode is missing PostUpdateNode. |
+| constructorinitializer.cpp:8:6:8:10 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| constructorinitializer.cpp:8:13:8:17 | ... - ... | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:28:21:28:21 | (__end) | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:77:5:77:17 | unaryFunction | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:77:19:77:21 | arg | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:77:19:77:21 | arg | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:77:19:77:21 | call to Val | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:82:11:82:14 | arg2 | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:82:11:82:14 | arg2 | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:82:11:82:14 | call to Val | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:82:17:82:55 | [...](...){...} | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:82:17:82:55 | [...](...){...} | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:82:30:82:52 | arg1 | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:82:45:82:48 | arg1 | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:82:45:82:48 | call to Val | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:82:51:82:51 | call to Val | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:82:51:82:51 | x | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:82:51:82:51 | x | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:88:12:88:22 | doSomething | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:88:25:88:30 | call to Val | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:88:29:88:29 | 1 | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:88:33:88:38 | call to Val | ArgumentNode is missing PostUpdateNode. |
+| cpp11.cpp:88:37:88:37 | 2 | ArgumentNode is missing PostUpdateNode. |
+| cpp17.cpp:15:5:15:45 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| cpp17.cpp:15:38:15:41 | args | ArgumentNode is missing PostUpdateNode. |
+| cpp17.cpp:15:38:15:41 | args | ArgumentNode is missing PostUpdateNode. |
+| cpp17.cpp:15:38:15:41 | p#2 | ArgumentNode is missing PostUpdateNode. |
+| cpp17.cpp:19:13:19:13 | 1 | ArgumentNode is missing PostUpdateNode. |
+| cpp17.cpp:19:16:19:16 | 2 | ArgumentNode is missing PostUpdateNode. |
+| destructors.cpp:52:14:52:16 | ref | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:377:16:377:16 | x | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:377:19:377:19 | y | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:381:32:381:32 | x | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:381:35:381:35 | y | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:552:16:552:16 | 5 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:585:20:585:26 | %d %s | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:585:29:585:29 | 1 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:585:32:585:39 | string | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:617:15:617:21 | hello | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:619:24:619:29 | test | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:623:5:623:5 | r | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:624:5:624:5 | p | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:625:5:625:5 | s | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:653:38:653:38 | 0 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:654:40:654:40 | 1 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:655:32:655:32 | 2 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:662:13:662:18 | test | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:700:7:700:7 | 5 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:709:14:709:14 | x | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:709:17:709:17 | y | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:721:41:721:47 | 0 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:721:50:721:52 | 111 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:731:32:731:46 | String object | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:736:18:736:18 | s | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:745:8:745:8 | base_s | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:754:8:754:8 | * ... | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:754:8:754:8 | middle_s | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:763:8:763:8 | * ... | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:763:8:763:8 | derived_s | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:808:7:808:7 | m | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:809:7:809:13 | call to Base | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:809:13:809:13 | m | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:810:7:810:26 | call to Base | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:810:25:810:25 | m | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:816:16:816:16 | b | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:817:28:817:28 | b | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:822:7:822:7 | d | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:823:7:823:13 | call to Base | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:823:13:823:13 | d | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:824:7:824:26 | call to Base | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:824:25:824:25 | d | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:830:17:830:17 | b | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:831:29:831:29 | b | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:868:10:868:11 |  | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:942:3:942:15 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:942:7:942:10 | 1.0 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:945:3:945:27 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:945:7:945:10 | 1.0 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:945:20:945:26 | hello | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:947:3:947:25 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:947:7:947:10 | 1.0 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:947:25:947:25 | 128 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:953:3:953:18 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:953:7:953:10 | 1.0 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:956:3:956:27 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:956:7:956:10 | 1.0 | ArgumentNode is missing PostUpdateNode. |
+| ir.cpp:956:28:956:28 | 128 | ArgumentNode is missing PostUpdateNode. |
+| membercallexpr_args.cpp:10:10:10:14 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| membercallexpr_args.cpp:10:17:10:21 | ... - ... | ArgumentNode is missing PostUpdateNode. |
+| misc.c:83:14:83:14 | i | ArgumentNode is missing PostUpdateNode. |
+| misc.c:83:17:83:17 | j | ArgumentNode is missing PostUpdateNode. |
+| misc.c:84:16:84:16 | i | ArgumentNode is missing PostUpdateNode. |
+| misc.c:84:19:84:19 | j | ArgumentNode is missing PostUpdateNode. |
+| misc.c:147:16:147:16 | i | ArgumentNode is missing PostUpdateNode. |
+| misc.c:147:19:147:19 | j | ArgumentNode is missing PostUpdateNode. |
+| misc.c:228:31:228:40 | global_int | ArgumentNode is missing PostUpdateNode. |
+| misc.c:229:32:229:41 | global_int | ArgumentNode is missing PostUpdateNode. |
+| misc.c:230:27:230:36 | global_int | ArgumentNode is missing PostUpdateNode. |
+| misc.c:231:29:231:38 | global_int | ArgumentNode is missing PostUpdateNode. |
+| ms_assume.cpp:13:21:13:35 | Hello, world! | ArgumentNode is missing PostUpdateNode. |
+| ms_assume.cpp:14:21:14:21 | 0 | ArgumentNode is missing PostUpdateNode. |
+| ms_assume.cpp:28:26:28:28 | 256 | ArgumentNode is missing PostUpdateNode. |
+| ms_try_mix.cpp:11:12:11:14 | 101 | ArgumentNode is missing PostUpdateNode. |
+| ms_try_mix.cpp:14:16:14:18 | 102 | ArgumentNode is missing PostUpdateNode. |
+| ms_try_mix.cpp:18:16:18:18 | 103 | ArgumentNode is missing PostUpdateNode. |
+| ms_try_mix.cpp:21:16:21:18 | 104 | ArgumentNode is missing PostUpdateNode. |
+| ms_try_mix.cpp:24:12:24:14 | 105 | ArgumentNode is missing PostUpdateNode. |
+| ms_try_mix.cpp:28:12:28:14 | 101 | ArgumentNode is missing PostUpdateNode. |
+| ms_try_mix.cpp:31:16:31:18 | 106 | ArgumentNode is missing PostUpdateNode. |
+| ms_try_mix.cpp:35:16:35:18 | 107 | ArgumentNode is missing PostUpdateNode. |
+| ms_try_mix.cpp:38:16:38:18 | 108 | ArgumentNode is missing PostUpdateNode. |
+| ms_try_mix.cpp:41:12:41:14 | 109 | ArgumentNode is missing PostUpdateNode. |
+| ms_try_mix.cpp:48:10:48:12 | 201 | ArgumentNode is missing PostUpdateNode. |
+| newexpr.cpp:8:8:8:12 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| newexpr.cpp:8:15:8:19 | ... - ... | ArgumentNode is missing PostUpdateNode. |
+| no_dynamic_init.cpp:5:12:5:35 | Goodbye cruel world.\n | ArgumentNode is missing PostUpdateNode. |
+| ops.cpp:19:15:19:22 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| ops.cpp:20:18:20:30 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| ops.cpp:21:18:21:34 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| ops.cpp:26:31:26:53 | <error expr> | ArgumentNode is missing PostUpdateNode. |
+| parameterinitializer.cpp:8:12:8:21 | Got %d\n | ArgumentNode is missing PostUpdateNode. |
+| parameterinitializer.cpp:8:24:8:24 | i | ArgumentNode is missing PostUpdateNode. |
+| parameterinitializer.cpp:19:7:19:7 | 3 | ArgumentNode is missing PostUpdateNode. |
+| parameterinitializer.cpp:21:7:21:7 | 4 | ArgumentNode is missing PostUpdateNode. |
+| pointer_to_member.cpp:23:46:23:50 | 0 | ArgumentNode is missing PostUpdateNode. |
+| pointer_to_member.cpp:24:42:24:45 | 1 | ArgumentNode is missing PostUpdateNode. |
+| staticlocals.cpp:27:27:27:29 | two | ArgumentNode is missing PostUpdateNode. |
+| staticlocals.cpp:28:27:28:27 | 2 | ArgumentNode is missing PostUpdateNode. |
+| staticmembercallexpr_args.cpp:10:9:10:13 | ... + ... | ArgumentNode is missing PostUpdateNode. |
+| staticmembercallexpr_args.cpp:10:16:10:20 | ... - ... | ArgumentNode is missing PostUpdateNode. |
+| stmt_expr.cpp:13:18:13:18 | 1 | ArgumentNode is missing PostUpdateNode. |
+| stmt_expr.cpp:30:20:30:20 | 3 | ArgumentNode is missing PostUpdateNode. |
+| vla.c:5:27:5:33 | access to array | ArgumentNode is missing PostUpdateNode. |

cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.ql

@@ -0,0 +1 @@
+import semmle.code.cpp.dataflow.internal.DataFlowImplConsistency::Consistency

cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.ql

@@ -0,0 +1 @@
+import semmle.code.cpp.ir.dataflow.internal.DataFlowImplConsistency::Consistency

cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected

@@ -631,6 +631,9 @@ useNotDominatedByDefinition
 | try_catch.cpp:21:13:21:24 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | try_catch.cpp:19:6:19:23 | IR: throw_from_nonstmt | void throw_from_nonstmt(int) |
 | vla.c:3:27:3:30 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | vla.c:3:5:3:8 | IR: main | int main(int, char**) |
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_sanity.expected

@@ -577,6 +577,9 @@ lostReachability
 backEdgeCountMismatch
 useNotDominatedByDefinition
 switchInstructionWithoutDefaultEdge
+notMarkedAsConflated
+wronglyMarkedAsConflated
+invalidOverlap
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType

cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/diff_ir_expr.expected

@@ -52,16 +52,12 @@
 | test.cpp:56:13:56:16 | (int)... | test.cpp:56:13:56:16 | (int)... | AST only |
 | test.cpp:56:13:56:16 | (int)... | test.cpp:56:31:56:34 | (int)... | AST only |
 | test.cpp:56:13:56:16 | (int)... | test.cpp:59:9:59:12 | (int)... | AST only |
-| test.cpp:56:13:56:16 | * ... | test.cpp:56:31:56:34 | * ... | AST only |
-| test.cpp:56:13:56:16 | * ... | test.cpp:59:9:59:12 | * ... | AST only |
 | test.cpp:56:21:56:24 | (int)... | test.cpp:53:10:53:13 | (int)... | AST only |
 | test.cpp:56:21:56:24 | (int)... | test.cpp:56:21:56:24 | (int)... | AST only |
 | test.cpp:56:30:56:43 | (...) | test.cpp:56:30:56:43 | (...) | AST only |
 | test.cpp:56:31:56:34 | (int)... | test.cpp:56:13:56:16 | (int)... | AST only |
 | test.cpp:56:31:56:34 | (int)... | test.cpp:56:31:56:34 | (int)... | AST only |
 | test.cpp:56:31:56:34 | (int)... | test.cpp:59:9:59:12 | (int)... | AST only |
-| test.cpp:56:31:56:34 | * ... | test.cpp:56:13:56:16 | * ... | AST only |
-| test.cpp:56:31:56:34 | * ... | test.cpp:59:9:59:12 | * ... | AST only |
 | test.cpp:56:39:56:42 | (int)... | test.cpp:44:9:44:9 | 0 | AST only |
 | test.cpp:56:39:56:42 | (int)... | test.cpp:51:25:51:25 | 0 | AST only |
 | test.cpp:56:39:56:42 | (int)... | test.cpp:53:18:53:21 | (int)... | AST only |
@@ -72,8 +68,6 @@
 | test.cpp:59:9:59:12 | (int)... | test.cpp:56:13:56:16 | (int)... | AST only |
 | test.cpp:59:9:59:12 | (int)... | test.cpp:56:31:56:34 | (int)... | AST only |
 | test.cpp:59:9:59:12 | (int)... | test.cpp:59:9:59:12 | (int)... | AST only |
-| test.cpp:59:9:59:12 | * ... | test.cpp:56:13:56:16 | * ... | AST only |
-| test.cpp:59:9:59:12 | * ... | test.cpp:56:31:56:34 | * ... | AST only |
 | test.cpp:59:17:59:20 | (int)... | test.cpp:44:9:44:9 | 0 | AST only |
 | test.cpp:59:17:59:20 | (int)... | test.cpp:51:25:51:25 | 0 | AST only |
 | test.cpp:59:17:59:20 | (int)... | test.cpp:53:18:53:21 | (int)... | AST only |
@@ -125,9 +119,7 @@
 | test.cpp:128:7:128:7 | x | test.cpp:126:15:126:15 | x | AST only |
 | test.cpp:128:11:128:11 | n | test.cpp:129:15:129:15 | x | IR only |
 | test.cpp:129:15:129:15 | x | test.cpp:128:11:128:11 | n | IR only |
-| test.cpp:136:21:136:21 | x | test.cpp:137:21:137:21 | x | AST only |
 | test.cpp:136:21:136:21 | x | test.cpp:139:13:139:13 | x | AST only |
-| test.cpp:137:21:137:21 | x | test.cpp:136:21:136:21 | x | AST only |
 | test.cpp:137:21:137:21 | x | test.cpp:139:13:139:13 | x | AST only |
 | test.cpp:139:3:139:24 | ... = ... | test.cpp:139:3:139:24 | ... = ... | AST only |
 | test.cpp:139:13:139:13 | x | test.cpp:136:21:136:21 | x | AST only |
@@ -137,6 +129,4 @@
 | test.cpp:147:3:147:18 | ... = ... | test.cpp:147:3:147:18 | ... = ... | AST only |
 | test.cpp:147:7:147:7 | y | test.cpp:145:15:145:15 | y | AST only |
 | test.cpp:149:15:149:15 | x | test.cpp:144:15:144:15 | x | IR only |
-| test.cpp:153:21:153:21 | x | test.cpp:154:21:154:21 | x | AST only |
-| test.cpp:154:21:154:21 | x | test.cpp:153:21:153:21 | x | AST only |
 | test.cpp:156:3:156:17 | ... = ... | test.cpp:156:3:156:17 | ... = ... | AST only |

cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ir_gvn.expected

@@ -355,7 +355,7 @@ test.cpp:
 #   46|     m46_4(int)                  = Store                     : &:r46_3, r46_2
 #   46|         valnum = m43_10, m45_10, m46_4, r43_8, r45_8, r46_2
 #   47|     v47_1(void)                 = NoOp                      : 
-#   39|     v39_14(void)                = ReturnIndirection         : &:r39_12, ~m44_6
+#   39|     v39_14(void)                = ReturnIndirection         : &:r39_12, m44_6
 #   39|     r39_15(glval<int>)          = VariableAddress[#return]  : 
 #   39|         valnum = unique
 #   39|     v39_16(void)                = ReturnValue               : &:r39_15
@@ -440,9 +440,9 @@ test.cpp:
 #   56|     r56_3(char *)            = Load                 : &:r56_2, m56_1
 #   56|         valnum = m56_1, r56_13, r56_20, r56_3, r59_2
 #   56|     r56_4(char)              = Load                 : &:r56_3, ~m49_4
-#   56|         valnum = unique
+#   56|         valnum = r56_14, r56_4, r59_3
 #   56|     r56_5(int)               = Convert              : r56_4
-#   56|         valnum = unique
+#   56|         valnum = r56_15, r56_5, r59_4
 #   56|     r56_6(glval<char *>)     = VariableAddress[str] : 
 #   56|         valnum = r49_6, r53_2, r56_6
 #   56|     r56_7(char *)            = Load                 : &:r56_6, m49_7
@@ -463,9 +463,9 @@ test.cpp:
 #   56|     r56_13(char *)        = Load                 : &:r56_12, m56_1
 #   56|         valnum = m56_1, r56_13, r56_20, r56_3, r59_2
 #   56|     r56_14(char)          = Load                 : &:r56_13, ~m49_4
-#   56|         valnum = unique
+#   56|         valnum = r56_14, r56_4, r59_3
 #   56|     r56_15(int)           = Convert              : r56_14
-#   56|         valnum = unique
+#   56|         valnum = r56_15, r56_5, r59_4
 #   56|     r56_16(int)           = Constant[0]          : 
 #   56|         valnum = r53_6, r56_16, r59_5
 #   56|     r56_17(bool)          = CompareNE            : r56_15, r56_16
@@ -493,9 +493,9 @@ test.cpp:
 #   59|     r59_2(char *)        = Load                 : &:r59_1, m56_1
 #   59|         valnum = m56_1, r56_13, r56_20, r56_3, r59_2
 #   59|     r59_3(char)          = Load                 : &:r59_2, ~m49_4
-#   59|         valnum = unique
+#   59|         valnum = r56_14, r56_4, r59_3
 #   59|     r59_4(int)           = Convert              : r59_3
-#   59|         valnum = unique
+#   59|         valnum = r56_15, r56_5, r59_4
 #   59|     r59_5(int)           = Constant[0]          : 
 #   59|         valnum = r53_6, r56_16, r59_5
 #   59|     r59_6(bool)          = CompareEQ            : r59_4, r59_5
@@ -925,7 +925,7 @@ test.cpp:
 #  129|     m129_6(int)         = Store                     : &:r129_1, r129_5
 #  129|         valnum = m124_11, m128_6, m129_6, r128_2, r129_5
 #  130|     v130_1(void)        = NoOp                      : 
-#  124|     v124_12(void)       = ReturnIndirection         : &:r124_8, ~m128_7
+#  124|     v124_12(void)       = ReturnIndirection         : &:r124_8, m128_7
 #  124|     v124_13(void)       = ReturnVoid                : 
 #  124|     v124_14(void)       = UnmodeledUse              : mu*
 #  124|     v124_15(void)       = AliasedUse                : m124_3
@@ -951,9 +951,9 @@ test.cpp:
 #  136|     r136_4(glval<int>) = FieldAddress[x]           : r136_3
 #  136|         valnum = r136_4, r137_4, r139_5
 #  136|     r136_5(int)        = Load                      : &:r136_4, ~m135_4
-#  136|         valnum = m136_6, r136_5
+#  136|         valnum = m136_6, m137_6, r136_5, r137_5
 #  136|     m136_6(int)        = Store                     : &:r136_1, r136_5
-#  136|         valnum = m136_6, r136_5
+#  136|         valnum = m136_6, m137_6, r136_5, r137_5
 #  137|     r137_1(glval<int>) = VariableAddress[c]        : 
 #  137|         valnum = unique
 #  137|     r137_2(glval<A *>) = VariableAddress[global_a] : 
@@ -963,9 +963,9 @@ test.cpp:
 #  137|     r137_4(glval<int>) = FieldAddress[x]           : r137_3
 #  137|         valnum = r136_4, r137_4, r139_5
 #  137|     r137_5(int)        = Load                      : &:r137_4, ~m135_4
-#  137|         valnum = m137_6, r137_5
+#  137|         valnum = m136_6, m137_6, r136_5, r137_5
 #  137|     m137_6(int)        = Store                     : &:r137_1, r137_5
-#  137|         valnum = m137_6, r137_5
+#  137|         valnum = m136_6, m137_6, r136_5, r137_5
 #  139|     r139_1(glval<int>) = VariableAddress[global_n] : 
 #  139|         valnum = unique
 #  139|     r139_2(int)        = Load                      : &:r139_1, ~m135_3
@@ -1068,7 +1068,7 @@ test.cpp:
 #  149|     m149_6(int)        = Store                     : &:r149_1, r149_5
 #  149|         valnum = m144_6, m149_6, r144_5, r149_5
 #  150|     v150_1(void)       = NoOp                      : 
-#  143|     v143_10(void)      = ReturnIndirection         : &:r143_8, ~m147_7
+#  143|     v143_10(void)      = ReturnIndirection         : &:r143_8, m147_7
 #  143|     v143_11(void)      = ReturnVoid                : 
 #  143|     v143_12(void)      = UnmodeledUse              : mu*
 #  143|     v143_13(void)      = AliasedUse                : m143_3
@@ -1098,9 +1098,9 @@ test.cpp:
 #  153|     r153_4(glval<int>) = FieldAddress[x]           : r153_3
 #  153|         valnum = r153_4, r154_4
 #  153|     r153_5(int)        = Load                      : &:r153_4, ~m152_4
-#  153|         valnum = m153_6, r153_5
+#  153|         valnum = m153_6, m154_6, r153_5, r154_5
 #  153|     m153_6(int)        = Store                     : &:r153_1, r153_5
-#  153|         valnum = m153_6, r153_5
+#  153|         valnum = m153_6, m154_6, r153_5, r154_5
 #  154|     r154_1(glval<int>) = VariableAddress[c]        : 
 #  154|         valnum = unique
 #  154|     r154_2(glval<A *>) = VariableAddress[global_a] : 
@@ -1110,9 +1110,9 @@ test.cpp:
 #  154|     r154_4(glval<int>) = FieldAddress[x]           : r154_3
 #  154|         valnum = r153_4, r154_4
 #  154|     r154_5(int)        = Load                      : &:r154_4, ~m152_4
-#  154|         valnum = m154_6, r154_5
+#  154|         valnum = m153_6, m154_6, r153_5, r154_5
 #  154|     m154_6(int)        = Store                     : &:r154_1, r154_5
-#  154|         valnum = m154_6, r154_5
+#  154|         valnum = m153_6, m154_6, r153_5, r154_5
 #  156|     r156_1(glval<int>) = VariableAddress[n]        : 
 #  156|         valnum = r152_6, r156_1
 #  156|     r156_2(int)        = Load                      : &:r156_1, m152_7

cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/StrncpyFlippedArgs.expected

@@ -15,3 +15,4 @@
 | test.cpp:63:3:63:9 | call to strncpy | Potentially unsafe call to strncpy; third argument should be size of destination. |
 | test.cpp:68:2:68:8 | call to strncpy | Potentially unsafe call to strncpy; third argument should be size of destination. |
 | test.cpp:79:3:79:9 | call to strncpy | Potentially unsafe call to strncpy; third argument should be size of destination. |
+| test.cpp:82:3:82:9 | call to strncpy | Potentially unsafe call to strncpy; third argument should be size of destination. |