Merge pull request #18394 from paldepind/rust-format

Rust: Value flow and taint flow through formatting strings
2026-04-22 23:35:14 +02:00 · 2025-01-06 13:55:04 +01:00
parent 01a7a5323b c55b256d47
commit 7248fb70c3
38 changed files with 358 additions and 99 deletions
--- a/rust/ql/.generated.list
+++ b/rust/ql/.generated.list
@@ -1,4 +1,4 @@
-lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll c25526db135a85c2a2aa4e3f2fe051a2d9d76e4225e98fbcd777e7bc6cde0844 c8acc325e4c8dbb9582bf8c97ed96d7070fc88e721041b56d7105a175aa233d4
+lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll 8067b2d0a930b90b430c0b6d47709f924305492317a7baed92011c37176dbc21 25e598a69493a9d21b2f5dc676c73578287f3659601a1fe19f7afd0c4bba2cc0
 lib/codeql/rust/elements/Abi.qll 4c973d28b6d628f5959d1f1cc793704572fd0acaae9a97dfce82ff9d73f73476 250f68350180af080f904cd34cb2af481c5c688dc93edf7365fd0ae99855e893
 lib/codeql/rust/elements/Addressable.qll 13011bfd2e1556694c3d440cc34af8527da4df49ad92b62f2939d3699ff2cea5 ddb25935f7553a1a384b1abe2e4b4fa90ab50b952dadec32fd867afcb054f4be
 lib/codeql/rust/elements/ArgList.qll 661f5100f5d3ef8351452d9058b663a2a5c720eea8cf11bedd628969741486a2 28e424aac01a90fb58cd6f9f83c7e4cf379eea39e636bc0ba07efc818be71c71
@@ -57,8 +57,8 @@ lib/codeql/rust/elements/FieldList.qll bd243adc4696c60f636055a1c2da28039fe202847
 lib/codeql/rust/elements/FnPtrTypeRepr.qll 25a88a8445b4abfaf7c95fcef03db5328aa81e35cebe56516bdda01380f0a69e 0a77d08b6b2d63e7a037f366b6dffd5006e975a8af2424af60a4f9ad74d441ba
 lib/codeql/rust/elements/ForExpr.qll 0cc8bfe10b8baf62a1ff65c8463cfb17ab64b41c30c9e1edb962a227df2036d9 b1be73294e6da0f49fd32177ad0b05fecf26081d5ce424f288be99a4bd59cc84
 lib/codeql/rust/elements/ForTypeRepr.qll dc4e00cd23606df93d753f2ca6862b55a10c722a7e952bb2e11b494738d2a3d2 ca169d2faca3baab3720086f7b2de5c26f55faf2dbab958298377ad65f73949b
-lib/codeql/rust/elements/Format.qll 51222fa2d2e85d496ab093d74d3bc606ede3ce48f926106e059dc8478e657203 b4da6be38413c86f2e9d82004624abab16e23ef238197a5c85246009cce276d5
-lib/codeql/rust/elements/FormatArgsArg.qll 5bc9b4cd1bac7131165836e93838c45452a08ea6011741cbddace3cbf9c69440 f825140e98dc9800d5c045402186793c7b21511448e2f6bf6402d1e06305219c
+lib/codeql/rust/elements/Format.qll 1b186730710e7e29ea47594998f0b359ad308927f84841adae0c0cb35fc8aeda d6f7bfdda60a529fb9e9a1975628d5bd11aa28a45e295c7526692ac662fd19f8
+lib/codeql/rust/elements/FormatArgsArg.qll a2c23cd512d44dd60b7d65eba52cc3adf6e2fbbcd0588be375daa16002cd7741 d9c5fe183fb228375223d83f857b7a9ee686f1d3e341bcf323d7c6f39652f88b
 lib/codeql/rust/elements/FormatArgsExpr.qll 8127cbe4082f7acc3d8a05298c2c9bea302519b8a6cd2d158a83c516d18fc487 88cf9b3bedd69a1150968f9a465c904bbb6805da0e0b90cfd1fc0dab1f6d9319
 lib/codeql/rust/elements/FormatArgument.qll f6fe17ee1481c353dd42edae8b5fa79aeb99dff25b4842ec9a6f267b1837d1e3 5aed19c2daf2383b89ad7fd527375641cff26ddee7afddb89bc0d18d520f4034
 lib/codeql/rust/elements/FormatTemplateVariableAccess.qll ff3218a1dda30c232d0ecd9d1c60bbb9f3973456ef0bee1d1a12ad14b1e082b5 e4316291c939800d8b34d477d92be9404a30d52b7eee37302aef3d3205cf4ae0
@@ -277,7 +277,7 @@ lib/codeql/rust/elements/internal/ForExprConstructor.qll d79b88dac19256300b758ba
 lib/codeql/rust/elements/internal/ForTypeReprConstructor.qll eae141dbe9256ab0eb812a926ebf226075d150f6506dfecb56c85eb169cdc76b 721c2272193a6f9504fb780d40e316a93247ebfb1f302bb0a0222af689300245
 lib/codeql/rust/elements/internal/ForTypeReprImpl.qll 5595a576085f032f056c0c5c4e78076b60520df420396fbc785eb912a88fa2b2 e8ee94d7722ece3483872411f60a7b01f1c2578823b0263236f25eedd2c2a6ac
 lib/codeql/rust/elements/internal/FormatArgsArgConstructor.qll 8bd9b4e035ef8adeb3ac510dd68043934c0140facb933be1f240096d01cdfa11 74e9d3bbd8882ae59a7e88935d468e0a90a6529a4e2af6a3d83e93944470f0ee
-lib/codeql/rust/elements/internal/FormatArgsArgImpl.qll 601f7715e9a65bcfa7cea1979fa30d694b5bea29650d799d7dd3080b8eea58e9 ecb0800cdb8c0f93277982dad295ac6a5332e42eff4fb5c8ff19f903b9857003
+lib/codeql/rust/elements/internal/FormatArgsArgImpl.qll 6a8f55e51e141e4875ed03a7cc65eea49daa349de370b957e1e8c6bc4478425c 7efab8981ccbe75a4843315404674793dda66dde02ba432edbca25c7d355778a
 lib/codeql/rust/elements/internal/FormatArgsExprConstructor.qll ce29ff5a839b885b1ab7a02d6a381ae474ab1be3e6ee7dcfd7595bdf28e4b558 63bf957426871905a51ea319662a59e38104c197a1024360aca364dc145b11e8
 lib/codeql/rust/elements/internal/FunctionConstructor.qll b50aea579938d03745dfbd8b5fa8498f7f83b967369f63d6875510e09ab7f5d2 19cca32aeaecaf9debc27329e8c39ecec69464bb1d89d7b09908a1d73a8d92a2
 lib/codeql/rust/elements/internal/GenericArgImpl.qll 6b1b804c357425c223f926e560a688e81506f5a35b95485cecf704e88cc009ee cc1ccf6a23dadc397e82664f3911d4b385d4c8ca80b1ee16d5275d9c936148dd
@@ -521,8 +521,8 @@ lib/codeql/rust/elements/internal/generated/FieldList.qll 43c13c6e3c9ba75a7a4cb8
 lib/codeql/rust/elements/internal/generated/FnPtrTypeRepr.qll d490ab9f2e3654d9abde18a06e534abd99ca62f518ca08670b696a97e9d5c592 01500319820f66cb4bbda6fe7c26270f76ea934efff4bb3cbf88e9b1e07e8be2
 lib/codeql/rust/elements/internal/generated/ForExpr.qll 6c1838d952be65acaa9744736e73d9bfdcf58d7b392394223bf6fbfdcc172906 44237a248a5aa326a2544e84bc77f536f118f57a98c51562b71ddc81edfcccb8
 lib/codeql/rust/elements/internal/generated/ForTypeRepr.qll 3027879795a6be5bfb370b8c2231b579f9df8afde54345416c6ce2c64bd3dfec f871d73b36f079f473915db298951020e5a05bb5e8e4d570822063afb4807559
-lib/codeql/rust/elements/internal/generated/Format.qll df7ef61e6ba61fa0eb093f8e6b3e7a0329104e03f659c9507db9535b8b4ea759 ef8ddd98405fc84938ad8cd5f87d2858e01d06a6bb00566a785a984b60a79dc6
-lib/codeql/rust/elements/internal/generated/FormatArgsArg.qll e07a1ae310f590003f1b88fada7dcf4847c99adb9d4c838d1c88e66e1da85c5f 0ef7342451fe2cb06e765fb4b33bb8c4a9b927f5edbc8feb5c6ba3655697f447
+lib/codeql/rust/elements/internal/generated/Format.qll b1c2ce8dc4ee3cee9f637a007aa3d282e2001c754207604c8c4412ed94a20b4b 880e43fdaadae50e8b0e87ccaab93122d48cdbf73c612cbbd748ccacb91ea5a7
+lib/codeql/rust/elements/internal/generated/FormatArgsArg.qll c762a4af8609472e285dd1b1aec8251421aec49f8d0e5ce9df2cc5e2722326f8 c8c226b94b32447634b445c62bd9af7e11b93a706f8fa35d2de4fda3ce951926
 lib/codeql/rust/elements/internal/generated/FormatArgsExpr.qll 8aed8715a27d3af3de56ded4610c6792a25216b1544eb7e57c8b0b37c14bd9c1 590a2b0063d2ecd00bbbd1ce29603c8fd69972e34e6daddf309c915ce4ec1375
 lib/codeql/rust/elements/internal/generated/FormatArgument.qll cd05153276e63e689c95d5537fbc7d892615f62e110323759ef02e23a7587407 be2a4531b498f01625effa4c631d51ee8857698b00cfb829074120a0f2696d57
 lib/codeql/rust/elements/internal/generated/FormatTemplateVariableAccess.qll a6175214fad445df9234b3ee9bf5147da75baf82473fb8d384b455e3add0dac1 a928db0ff126b2e54a18f5c488232abd1bd6c5eda24591d3c3bb80c6ee71c770
@@ -594,7 +594,7 @@ lib/codeql/rust/elements/internal/generated/PtrTypeRepr.qll 51d1e9e683fc79dddbff
 lib/codeql/rust/elements/internal/generated/PureSynthConstructors.qll e5b8e69519012bbaae29dcb82d53f7f7ecce368c0358ec27ef6180b228a0057f e5b8e69519012bbaae29dcb82d53f7f7ecce368c0358ec27ef6180b228a0057f
 lib/codeql/rust/elements/internal/generated/RangeExpr.qll 23cca03bf43535f33b22a38894f70d669787be4e4f5b8fe5c8f7b964d30e9027 18624cef6c6b679eeace2a98737e472432e0ead354cca02192b4d45330f047c9
 lib/codeql/rust/elements/internal/generated/RangePat.qll 80826a6a6868a803aa2372e31c52a03e1811a3f1f2abdb469f91ca0bfdd9ecb6 34ee1e208c1690cba505dff2c588837c0cd91e185e2a87d1fe673191962276a9
-lib/codeql/rust/elements/internal/generated/Raw.qll aac2ca733fa3ee544307443f4ab78ec8dc6d635d8047ec706ed46d2101321d35 aec95fb3b33a96aed2ee7a46d0d8cacef13389f0f107ce2736b4d39502d512d5
+lib/codeql/rust/elements/internal/generated/Raw.qll db71278eea846cffd8748f1650493822d95108609a5c055bfaed7af4f42011c1 fabbf440a40ff5b1e9da26a95d20db89fbe7d33717bbc4f02ef518fc9dfd1e54
 lib/codeql/rust/elements/internal/generated/RecordExpr.qll 2131b2cb336caa76170082e69776011bf02576bbfdd34ba68ca84af24209250a 39a2e3ec32352b594c43cc1295e0e8b3f9808173322d3d73cb7d48ef969d5565
 lib/codeql/rust/elements/internal/generated/RecordExprField.qll 7e9f8663d3b74ebbc9603b10c9912f082febba6bd73d344b100bbd3edf837802 fbe6b578e7fd5d5a6f21bbb8c388957ab7210a6a249ec71510a50fb35b319ea1
 lib/codeql/rust/elements/internal/generated/RecordExprFieldList.qll 179a97211fe7aa6265085d4d54115cdbc0e1cd7c9b2135591e8f36d6432f13d3 dd44bbbc1e83a1ed3a587afb729d7debf7aeb7b63245de181726af13090e50c0
--- a/rust/ql/lib/codeql/rust/controlflow/CfgNodes.qll
+++ b/rust/ql/lib/codeql/rust/controlflow/CfgNodes.qll
@@ -173,6 +173,53 @@ final class MethodCallExprCfgNode extends CallExprBaseCfgNode, Nodes::MethodCall
 */
 final class CallExprCfgNode extends CallExprBaseCfgNode, Nodes::CallExprCfgNode { }

+/**
+ * A FormatArgsExpr. For example:
+ * ```rust
+ * format_args!("no args");
+ * format_args!("{} foo {:?}", 1, 2);
+ * format_args!("{b} foo {a:?}", a=1, b=2);
+ * let (x, y) = (1, 42);
+ * format_args!("{x}, {y}");
+ * ```
+ */
+final class FormatArgsExprCfgNode extends Nodes::FormatArgsExprCfgNode {
+  private FormatArgsExprChildMapping node;
+
+  FormatArgsExprCfgNode() { node = this.getAstNode() }
+
+  /** Gets the `i`th argument of this format arguments expression (0-based). */
+  ExprCfgNode getArgumentExpr(int i) {
+    any(ChildMapping mapping).hasCfgChild(node, node.getArg(i).getExpr(), this, result)
+  }
+
+  /** Gets a format argument of the `i`th format of this format arguments expression (0-based). */
+  FormatTemplateVariableAccessCfgNode getFormatTemplateVariableAccess(int i) {
+    exists(FormatTemplateVariableAccess v |
+      v.getArgument() = node.getFormat(i).getArgument() and
+      result.getFormatTemplateVariableAccess() = v and
+      any(ChildMapping mapping).hasCfgChild(node, v, this, result)
+    )
+  }
+}
+
+/**
+ * A MacroCall. For example:
+ * ```rust
+ * todo!()
+ * ```
+ */
+final class MacroCallCfgNode extends Nodes::MacroCallCfgNode {
+  private MacroCallChildMapping node;
+
+  MacroCallCfgNode() { node = this.getAstNode() }
+
+  /** Gets the CFG node for the expansion of this macro call, if it exists. */
+  CfgNode getExpandedNode() {
+    any(ChildMapping mapping).hasCfgChild(node, node.getExpanded(), this, result)
+  }
+}
+
 /**
 * A record expression. For example:
 * ```rust
--- a/rust/ql/lib/codeql/rust/controlflow/internal/CfgNodes.qll
+++ b/rust/ql/lib/codeql/rust/controlflow/internal/CfgNodes.qll
@@ -74,6 +74,10 @@ class RecordPatChildMapping extends ParentAstNode, RecordPat {
  }
 }

+class MacroCallChildMapping extends ParentAstNode, MacroCall {
+  override predicate relevantChild(AstNode child) { child = this.getExpanded() }
+}
+
 class FormatArgsExprChildMapping extends ParentAstNode, CfgImpl::ExprTrees::FormatArgsExprTree {
  override predicate relevantChild(AstNode child) { child = this.getChildNode(_) }
 }
--- a/rust/ql/lib/codeql/rust/controlflow/internal/ControlFlowGraphImpl.qll
+++ b/rust/ql/lib/codeql/rust/controlflow/internal/ControlFlowGraphImpl.qll
@@ -131,24 +131,8 @@ class LetStmtTree extends PreOrderTree, LetStmt {
  }
 }

-class MacroCallTree extends ControlFlowTree, MacroCall {
-  override predicate first(AstNode first) {
-    first(this.getExpanded(), first)
-    or
-    not exists(this.getExpanded()) and first = this
-  }
-
-  override predicate last(AstNode last, Completion c) {
-    last(this.getExpanded(), last, c)
-    or
-    not exists(this.getExpanded()) and
-    last = this and
-    completionIsValidFor(c, last)
-  }
-
-  override predicate succ(AstNode pred, AstNode succ, Completion c) { none() }
-
-  override predicate propagatesAbnormal(AstNode child) { child = this.getExpanded() }
+class MacroCallTree extends StandardPostOrderTree, MacroCall {
+  override AstNode getChildNode(int i) { i = 0 and result = this.getExpanded() }
 }

 class MacroStmtsTree extends StandardPreOrderTree, MacroStmts {
--- a/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll
+++ b/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll
@@ -1021,10 +1021,57 @@ module MakeCfgNodes<LocationSig Loc, InputSig<Loc> Input> {
      predicate hasPat() { exists(this.getPat()) }
    }

+    final private class ParentFormatArgsArg extends ParentAstNode, FormatArgsArg {
+      override predicate relevantChild(AstNode child) {
+        none()
+        or
+        child = this.getExpr()
+      }
+    }
+
+    /**
+     * A FormatArgsArg. For example the `"world"` in:
+     * ```rust
+     * format_args!("Hello, {}!", "world")
+     * ```
+     */
+    final class FormatArgsArgCfgNode extends CfgNodeFinal {
+      private FormatArgsArg node;
+
+      FormatArgsArgCfgNode() { node = this.getAstNode() }
+
+      /** Gets the underlying `FormatArgsArg`. */
+      FormatArgsArg getFormatArgsArg() { result = node }
+
+      /**
+       * Gets the expression of this format arguments argument, if it exists.
+       */
+      ExprCfgNode getExpr() {
+        any(ChildMapping mapping).hasCfgChild(node, node.getExpr(), this, result)
+      }
+
+      /**
+       * Holds if `getExpr()` exists.
+       */
+      predicate hasExpr() { exists(this.getExpr()) }
+
+      /**
+       * Gets the name of this format arguments argument, if it exists.
+       */
+      Name getName() { result = node.getName() }
+
+      /**
+       * Holds if `getName()` exists.
+       */
+      predicate hasName() { exists(this.getName()) }
+    }
+
    final private class ParentFormatArgsExpr extends ParentAstNode, FormatArgsExpr {
      override predicate relevantChild(AstNode child) {
        none()
        or
+        child = this.getArg(_)
+        or
        child = this.getTemplate()
      }
    }
@@ -1050,12 +1097,14 @@ module MakeCfgNodes<LocationSig Loc, InputSig<Loc> Input> {
      /**
       * Gets the `index`th argument of this format arguments expression (0-based).
       */
-      FormatArgsArg getArg(int index) { result = node.getArg(index) }
+      FormatArgsArgCfgNode getArg(int index) {
+        any(ChildMapping mapping).hasCfgChild(node, node.getArg(index), this, result)
+      }

      /**
       * Gets any of the arguments of this format arguments expression.
       */
-      FormatArgsArg getAnArg() { result = this.getArg(_) }
+      FormatArgsArgCfgNode getAnArg() { result = this.getArg(_) }

      /**
       * Gets the number of arguments of this format arguments expression.
@@ -3404,6 +3453,29 @@ module MakeCfgNodes<LocationSig Loc, InputSig<Loc> Input> {
          cfgNode
        )
      or
+      pred = "getExpr" and
+      parent =
+        any(Nodes::FormatArgsArgCfgNode cfgNode, FormatArgsArg astNode |
+          astNode = cfgNode.getFormatArgsArg() and
+          child = getDesugared(astNode.getExpr()) and
+          i = -1 and
+          hasCfgNode(child) and
+          not child = cfgNode.getExpr().getAstNode()
+        |
+          cfgNode
+        )
+      or
+      pred = "getArg" and
+      parent =
+        any(Nodes::FormatArgsExprCfgNode cfgNode, FormatArgsExpr astNode |
+          astNode = cfgNode.getFormatArgsExpr() and
+          child = getDesugared(astNode.getArg(i)) and
+          hasCfgNode(child) and
+          not child = cfgNode.getArg(i).getAstNode()
+        |
+          cfgNode
+        )
+      or
      pred = "getTemplate" and
      parent =
        any(Nodes::FormatArgsExprCfgNode cfgNode, FormatArgsExpr astNode |
--- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -522,6 +522,7 @@ private ExprCfgNode getALastEvalNode(ExprCfgNode e) {
  result = e.(BreakExprCfgNode).getExpr() or
  result = e.(BlockExprCfgNode).getTailExpr() or
  result = e.(MatchExprCfgNode).getArmExpr(_) or
+  result = e.(MacroExprCfgNode).getMacroCall().(MacroCallCfgNode).getExpandedNode() or
  result.(BreakExprCfgNode).getTarget() = e
 }

--- a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
@@ -46,6 +46,10 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
        RustDataFlow::readStep(pred, cs, succ) and
        cs.getContent() instanceof ArrayElementContent
      )
+      or
+      exists(FormatArgsExprCfgNode format | succ.asExpr() = format |
+        pred.asExpr() = [format.getArgumentExpr(_), format.getFormatTemplateVariableAccess(_)]
+      )
    )
    or
    FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),
--- a/rust/ql/lib/codeql/rust/elements/Format.qll
+++ b/rust/ql/lib/codeql/rust/elements/Format.qll
@@ -13,5 +13,9 @@ import codeql.rust.elements.Locatable
 * ```rust
 * println!("Hello {}", "world");
 * ```
+ * or the `{value:#width$.precision$}` in:
+ * ```rust
+ * println!("Value {value:#width$.precision$}");
+ * ```
 */
 final class Format = Impl::Format;
--- a/rust/ql/lib/codeql/rust/elements/FormatArgsArg.qll
+++ b/rust/ql/lib/codeql/rust/elements/FormatArgsArg.qll
@@ -9,9 +9,9 @@ import codeql.rust.elements.Expr
 import codeql.rust.elements.Name

 /**
- * A FormatArgsArg. For example:
+ * A FormatArgsArg. For example the `"world"` in:
 * ```rust
- * todo!()
+ * format_args!("Hello, {}!", "world")
 * ```
 */
 final class FormatArgsArg = Impl::FormatArgsArg;
--- a/rust/ql/lib/codeql/rust/elements/internal/FormatArgsArgImpl.qll
+++ b/rust/ql/lib/codeql/rust/elements/internal/FormatArgsArgImpl.qll
@@ -13,9 +13,9 @@ private import codeql.rust.elements.internal.generated.FormatArgsArg
 */
 module Impl {
  /**
-   * A FormatArgsArg. For example:
+   * A FormatArgsArg. For example the `"world"` in:
   * ```rust
-   * todo!()
+   * format_args!("Hello, {}!", "world")
   * ```
   */
  class FormatArgsArg extends Generated::FormatArgsArg { }
--- a/rust/ql/lib/codeql/rust/elements/internal/FormatImpl.qll
+++ b/rust/ql/lib/codeql/rust/elements/internal/FormatImpl.qll
@@ -23,6 +23,10 @@ module Impl {
   * ```rust
   * println!("Hello {}", "world");
   * ```
+   * or the `{value:#width$.precision$}` in:
+   * ```rust
+   * println!("Value {value:#width$.precision$}");
+   * ```
   */
  class Format extends Generated::Format {
    private Raw::FormatArgsExpr parent;
--- a/rust/ql/lib/codeql/rust/elements/internal/generated/Format.qll
+++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Format.qll
@@ -20,6 +20,10 @@ module Generated {
   * ```rust
   * println!("Hello {}", "world");
   * ```
+   * or the `{value:#width$.precision$}` in:
+   * ```rust
+   * println!("Value {value:#width$.precision$}");
+   * ```
   * INTERNAL: Do not reference the `Generated::Format` class directly.
   * Use the subclass `Format`, where the following predicates are available.
   */
--- a/rust/ql/lib/codeql/rust/elements/internal/generated/FormatArgsArg.qll
+++ b/rust/ql/lib/codeql/rust/elements/internal/generated/FormatArgsArg.qll
@@ -16,9 +16,9 @@ import codeql.rust.elements.Name
 */
 module Generated {
  /**
-   * A FormatArgsArg. For example:
+   * A FormatArgsArg. For example the `"world"` in:
   * ```rust
-   * todo!()
+   * format_args!("Hello, {}!", "world")
   * ```
   * INTERNAL: Do not reference the `Generated::FormatArgsArg` class directly.
   * Use the subclass `FormatArgsArg`, where the following predicates are available.
--- a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll
+++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll
@@ -305,9 +305,9 @@ module Raw {

  /**
   * INTERNAL: Do not use.
-   * A FormatArgsArg. For example:
+   * A FormatArgsArg. For example the `"world"` in:
   * ```rust
-   * todo!()
+   * format_args!("Hello, {}!", "world")
   * ```
   */
  class FormatArgsArg extends @format_args_arg, AstNode {
--- a/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
@@ -13,3 +13,7 @@ extensions:
      - ["lang:core", "<crate::result::Result>::unwrap_or", "Argument[0]", "ReturnValue", "value", "manual"]
      # String
      - ["lang:alloc", "<crate::string::String>::as_str", "Argument[self]", "ReturnValue", "taint", "manual"]
+      # Hint
+      - ["lang:core", "crate::hint::must_use", "Argument[0]", "ReturnValue", "value", "manual"]
+      # Fmt
+      - ["lang:alloc", "crate::fmt::format", "Argument[0]", "ReturnValue", "taint", "manual"]
--- a/rust/ql/test/extractor-tests/generated/.generated_tests.list
+++ b/rust/ql/test/extractor-tests/generated/.generated_tests.list
@@ -32,8 +32,8 @@ FieldExpr/gen_field_expr.rs 9a70500d592e0a071b03d974a55558b3bc0df531ff11bce5898f
 FnPtrTypeRepr/gen_fn_ptr_type_repr.rs 46af312570a9caec11e14ba05190e95e750c32565559f1622a132f7145320253 46af312570a9caec11e14ba05190e95e750c32565559f1622a132f7145320253
 ForExpr/gen_for_expr.rs 67decf3073e1a9363d9df05a5a64a6059349e50b81356f480f7aeb352189136d 67decf3073e1a9363d9df05a5a64a6059349e50b81356f480f7aeb352189136d
 ForTypeRepr/gen_for_type_repr.rs 5108a5d63ce440305b92dd87387c22a0a57abfd19d88e03e1984e1537779f4a4 5108a5d63ce440305b92dd87387c22a0a57abfd19d88e03e1984e1537779f4a4
-FormatArgsExpr/gen_format.rs bd009cb152c35e2aacd147b5520a42be31e66e9a8715ec1d0fd57b8e97c743ed bd009cb152c35e2aacd147b5520a42be31e66e9a8715ec1d0fd57b8e97c743ed
-FormatArgsExpr/gen_format_args_arg.rs c466f2fc2c0f9592061a159a217a87551d67f1ccb0e4d8f7f56a463a2aa4a73a c466f2fc2c0f9592061a159a217a87551d67f1ccb0e4d8f7f56a463a2aa4a73a
+FormatArgsExpr/gen_format.rs 38adb675e5d635a08fb5353982a03a484b34e92042a15ae3b57f0ff40479b59f 38adb675e5d635a08fb5353982a03a484b34e92042a15ae3b57f0ff40479b59f
+FormatArgsExpr/gen_format_args_arg.rs 53ffd6abe4cd899c57d1973b31df0edc1d5eaa5835b19172ec4cda15bb3db28f 53ffd6abe4cd899c57d1973b31df0edc1d5eaa5835b19172ec4cda15bb3db28f
 FormatArgsExpr/gen_format_args_expr.rs 72c806ed163e9dcce2d0c5c8664d409b2aa635c1022c91959f9e8ae084f05bf2 72c806ed163e9dcce2d0c5c8664d409b2aa635c1022c91959f9e8ae084f05bf2
 FormatArgsExpr/gen_format_argument.rs 350d370e6f1db03d756384a3dbdb294697d241ff7c28d159cf57748abe99cfe9 350d370e6f1db03d756384a3dbdb294697d241ff7c28d159cf57748abe99cfe9
 Function/gen_function.rs ba6ecb9e0d89183295eb02f3c20ebbf5c209f89bd0172c73a3b4a6dacbf3a54c ba6ecb9e0d89183295eb02f3c20ebbf5c209f89bd0172c73a3b4a6dacbf3a54c
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/Format.expected
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/Format.expected
@@ -1,4 +1,6 @@
 | gen_format.rs:5:21:5:22 | {} | getParent: | gen_format.rs:5:14:5:32 | FormatArgsExpr | getIndex: | 1 | hasArgument: | no |
+| gen_format.rs:7:21:7:46 | {value:#width$.precision$} | getParent: | gen_format.rs:7:14:7:47 | FormatArgsExpr | getIndex: | 1 | hasArgument: | yes |
+| gen_format_args_arg.rs:5:26:5:27 | {} | getParent: | gen_format_args_arg.rs:5:17:5:39 | FormatArgsExpr | getIndex: | 1 | hasArgument: | no |
 | gen_format_args_expr.rs:6:19:6:20 | {} | getParent: | gen_format_args_expr.rs:6:17:6:37 | FormatArgsExpr | getIndex: | 1 | hasArgument: | no |
 | gen_format_args_expr.rs:6:26:6:29 | {:?} | getParent: | gen_format_args_expr.rs:6:17:6:37 | FormatArgsExpr | getIndex: | 3 | hasArgument: | no |
 | gen_format_args_expr.rs:7:19:7:21 | {b} | getParent: | gen_format_args_expr.rs:7:17:7:43 | FormatArgsExpr | getIndex: | 1 | hasArgument: | yes |
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsArg.expected
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsArg.expected
@@ -1,4 +1,5 @@
 | gen_format.rs:5:26:5:32 | FormatArgsArg | hasExpr: | yes | hasName: | no |
+| gen_format_args_arg.rs:5:32:5:38 | FormatArgsArg | hasExpr: | yes | hasName: | no |
 | gen_format_args_expr.rs:6:33:6:33 | FormatArgsArg | hasExpr: | yes | hasName: | no |
 | gen_format_args_expr.rs:6:36:6:36 | FormatArgsArg | hasExpr: | yes | hasName: | no |
 | gen_format_args_expr.rs:7:35:7:37 | FormatArgsArg | hasExpr: | yes | hasName: | yes |
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsArg_getExpr.expected
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsArg_getExpr.expected
@@ -1,4 +1,5 @@
 | gen_format.rs:5:26:5:32 | FormatArgsArg | gen_format.rs:5:26:5:32 | "world" |
+| gen_format_args_arg.rs:5:32:5:38 | FormatArgsArg | gen_format_args_arg.rs:5:32:5:38 | "world" |
 | gen_format_args_expr.rs:6:33:6:33 | FormatArgsArg | gen_format_args_expr.rs:6:33:6:33 | 1 |
 | gen_format_args_expr.rs:6:36:6:36 | FormatArgsArg | gen_format_args_expr.rs:6:36:6:36 | 2 |
 | gen_format_args_expr.rs:7:35:7:37 | FormatArgsArg | gen_format_args_expr.rs:7:37:7:37 | 1 |
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr.expected
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr.expected
@@ -1,4 +1,6 @@
 | gen_format.rs:5:14:5:32 | FormatArgsExpr | getNumberOfArgs: | 1 | getNumberOfAttrs: | 0 | hasTemplate: | yes | getNumberOfFormats: | 1 |
+| gen_format.rs:7:14:7:47 | FormatArgsExpr | getNumberOfArgs: | 0 | getNumberOfAttrs: | 0 | hasTemplate: | yes | getNumberOfFormats: | 1 |
+| gen_format_args_arg.rs:5:17:5:39 | FormatArgsExpr | getNumberOfArgs: | 1 | getNumberOfAttrs: | 0 | hasTemplate: | yes | getNumberOfFormats: | 1 |
 | gen_format_args_expr.rs:5:17:5:27 | FormatArgsExpr | getNumberOfArgs: | 0 | getNumberOfAttrs: | 0 | hasTemplate: | yes | getNumberOfFormats: | 0 |
 | gen_format_args_expr.rs:6:17:6:37 | FormatArgsExpr | getNumberOfArgs: | 2 | getNumberOfAttrs: | 0 | hasTemplate: | yes | getNumberOfFormats: | 2 |
 | gen_format_args_expr.rs:7:17:7:43 | FormatArgsExpr | getNumberOfArgs: | 2 | getNumberOfAttrs: | 0 | hasTemplate: | yes | getNumberOfFormats: | 2 |
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr_getArg.expected
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr_getArg.expected
@@ -1,4 +1,5 @@
 | gen_format.rs:5:14:5:32 | FormatArgsExpr | 0 | gen_format.rs:5:26:5:32 | FormatArgsArg |
+| gen_format_args_arg.rs:5:17:5:39 | FormatArgsExpr | 0 | gen_format_args_arg.rs:5:32:5:38 | FormatArgsArg |
 | gen_format_args_expr.rs:6:17:6:37 | FormatArgsExpr | 0 | gen_format_args_expr.rs:6:33:6:33 | FormatArgsArg |
 | gen_format_args_expr.rs:6:17:6:37 | FormatArgsExpr | 1 | gen_format_args_expr.rs:6:36:6:36 | FormatArgsArg |
 | gen_format_args_expr.rs:7:17:7:43 | FormatArgsExpr | 0 | gen_format_args_expr.rs:7:35:7:37 | FormatArgsArg |
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr_getFormat.expected
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr_getFormat.expected
@@ -1,4 +1,6 @@
 | gen_format.rs:5:14:5:32 | FormatArgsExpr | 0 | gen_format.rs:5:21:5:22 | {} |
+| gen_format.rs:7:14:7:47 | FormatArgsExpr | 0 | gen_format.rs:7:21:7:46 | {value:#width$.precision$} |
+| gen_format_args_arg.rs:5:17:5:39 | FormatArgsExpr | 0 | gen_format_args_arg.rs:5:26:5:27 | {} |
 | gen_format_args_expr.rs:6:17:6:37 | FormatArgsExpr | 0 | gen_format_args_expr.rs:6:19:6:20 | {} |
 | gen_format_args_expr.rs:6:17:6:37 | FormatArgsExpr | 1 | gen_format_args_expr.rs:6:26:6:29 | {:?} |
 | gen_format_args_expr.rs:7:17:7:43 | FormatArgsExpr | 0 | gen_format_args_expr.rs:7:19:7:21 | {b} |
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr_getTemplate.expected
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgsExpr_getTemplate.expected
@@ -1,4 +1,6 @@
 | gen_format.rs:5:14:5:32 | FormatArgsExpr | gen_format.rs:5:14:5:23 | "Hello {}\\n" |
+| gen_format.rs:7:14:7:47 | FormatArgsExpr | gen_format.rs:7:14:7:47 | "Value {value:#width$.precisio... |
+| gen_format_args_arg.rs:5:17:5:39 | FormatArgsExpr | gen_format_args_arg.rs:5:18:5:29 | "Hello, {}!" |
 | gen_format_args_expr.rs:5:17:5:27 | FormatArgsExpr | gen_format_args_expr.rs:5:18:5:26 | "no args" |
 | gen_format_args_expr.rs:6:17:6:37 | FormatArgsExpr | gen_format_args_expr.rs:6:18:6:30 | "{} foo {:?}" |
 | gen_format_args_expr.rs:7:17:7:43 | FormatArgsExpr | gen_format_args_expr.rs:7:18:7:32 | "{b} foo {a:?}" |
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgument.expected
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgument.expected
@@ -1,3 +1,6 @@
+| gen_format.rs:7:22:7:26 | value | getParent: | gen_format.rs:7:21:7:46 | {value:#width$.precision$} | hasVariable: | yes |
+| gen_format.rs:7:29:7:33 | width | getParent: | gen_format.rs:7:21:7:46 | {value:#width$.precision$} | hasVariable: | yes |
+| gen_format.rs:7:36:7:44 | precision | getParent: | gen_format.rs:7:21:7:46 | {value:#width$.precision$} | hasVariable: | yes |
 | gen_format_args_expr.rs:7:20:7:20 | b | getParent: | gen_format_args_expr.rs:7:19:7:21 | {b} | hasVariable: | no |
 | gen_format_args_expr.rs:7:28:7:28 | a | getParent: | gen_format_args_expr.rs:7:27:7:31 | {a:?} | hasVariable: | no |
 | gen_format_args_expr.rs:9:20:9:20 | x | getParent: | gen_format_args_expr.rs:9:19:9:21 | {x} | hasVariable: | yes |
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgument_getVariable.expected
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatArgument_getVariable.expected
@@ -1,3 +1,6 @@
+| gen_format.rs:7:22:7:26 | value | gen_format.rs:7:22:7:26 | value |
+| gen_format.rs:7:29:7:33 | width | gen_format.rs:7:29:7:33 | width |
+| gen_format.rs:7:36:7:44 | precision | gen_format.rs:7:36:7:44 | precision |
 | gen_format_args_expr.rs:9:20:9:20 | x | gen_format_args_expr.rs:9:20:9:20 | x |
 | gen_format_args_expr.rs:9:25:9:25 | y | gen_format_args_expr.rs:9:25:9:25 | y |
 | gen_format_argument.rs:5:22:5:26 | value | gen_format_argument.rs:5:22:5:26 | value |
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.expected
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/FormatTemplateVariableAccess.expected
@@ -1,3 +1,6 @@
+| gen_format.rs:7:22:7:26 | value |
+| gen_format.rs:7:29:7:33 | width |
+| gen_format.rs:7:36:7:44 | precision |
 | gen_format_args_expr.rs:9:20:9:20 | x |
 | gen_format_args_expr.rs:9:25:9:25 | y |
 | gen_format_argument.rs:5:22:5:26 | value |
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/Format_getArgument.expected
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/Format_getArgument.expected
@@ -1,3 +1,6 @@
+| gen_format.rs:7:21:7:46 | {value:#width$.precision$} | gen_format.rs:7:22:7:26 | value |
+| gen_format.rs:7:21:7:46 | {value:#width$.precision$} | gen_format.rs:7:29:7:33 | width |
+| gen_format.rs:7:21:7:46 | {value:#width$.precision$} | gen_format.rs:7:36:7:44 | precision |
 | gen_format_args_expr.rs:7:19:7:21 | {b} | gen_format_args_expr.rs:7:20:7:20 | b |
 | gen_format_args_expr.rs:7:27:7:31 | {a:?} | gen_format_args_expr.rs:7:28:7:28 | a |
 | gen_format_args_expr.rs:9:19:9:21 | {x} | gen_format_args_expr.rs:9:20:9:20 | x |
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/gen_format.rs
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/gen_format.rs
@@ -3,4 +3,6 @@
 fn test_format() -> () {
    // A format element in a formatting template. For example the `{}` in:
    println!("Hello {}", "world");
+    // or the `{value:#width$.precision$}` in:
+    println!("Value {value:#width$.precision$}");
 }
--- a/rust/ql/test/extractor-tests/generated/FormatArgsExpr/gen_format_args_arg.rs
+++ b/rust/ql/test/extractor-tests/generated/FormatArgsExpr/gen_format_args_arg.rs
@@ -1,6 +1,6 @@
 // generated by codegen, do not edit

 fn test_format_args_arg() -> () {
-    // A FormatArgsArg. For example:
-    todo!()
+    // A FormatArgsArg. For example the `"world"` in:
+    format_args!("Hello, {}!", "world")
 }
--- a/rust/ql/test/library-tests/controlflow/Cfg.expected
+++ b/rust/ql/test/library-tests/controlflow/Cfg.expected
@@ -752,15 +752,18 @@ edges
 | test.rs:344:23:344:23 | a | test.rs:344:13:344:19 | Some(...) |  |
 | test.rs:344:32:344:54 | ...::panic_fmt | test.rs:344:39:344:53 | "Expected some" |  |
 | test.rs:344:32:344:54 | MacroExpr | test.rs:344:30:344:56 | { ... } |  |
+| test.rs:344:32:344:54 | panic!... | test.rs:344:32:344:54 | MacroExpr |  |
 | test.rs:344:39:344:53 | "Expected some" | test.rs:344:39:344:53 | FormatArgsExpr |  |
+| test.rs:344:39:344:53 | ...::const_format_args!... | test.rs:344:39:344:53 | MacroExpr |  |
+| test.rs:344:39:344:53 | ...::panic_2021!... | test.rs:344:39:344:53 | MacroExpr |  |
 | test.rs:344:39:344:53 | ...::panic_fmt(...) | test.rs:344:39:344:53 | { ... } |  |
 | test.rs:344:39:344:53 | ExprStmt | test.rs:344:32:344:54 | ...::panic_fmt |  |
-| test.rs:344:39:344:53 | FormatArgsExpr | test.rs:344:39:344:53 | MacroExpr |  |
-| test.rs:344:39:344:53 | MacroExpr | test.rs:344:32:344:54 | MacroExpr |  |
+| test.rs:344:39:344:53 | FormatArgsExpr | test.rs:344:39:344:53 | ...::const_format_args!... |  |
+| test.rs:344:39:344:53 | MacroExpr | test.rs:344:32:344:54 | panic!... |  |
 | test.rs:344:39:344:53 | MacroExpr | test.rs:344:39:344:53 | ...::panic_fmt(...) |  |
 | test.rs:344:39:344:53 | MacroStmts | test.rs:344:39:344:53 | ExprStmt |  |
 | test.rs:344:39:344:53 | MacroStmts | test.rs:344:39:344:53 | MacroStmts |  |
-| test.rs:344:39:344:53 | { ... } | test.rs:344:39:344:53 | MacroExpr |  |
+| test.rs:344:39:344:53 | { ... } | test.rs:344:39:344:53 | ...::panic_2021!... |  |
 | test.rs:345:9:345:9 | n | test.rs:343:46:346:5 | { ... } |  |
 | test.rs:348:5:354:5 | enter fn test_let_with_return | test.rs:348:29:348:29 | m |  |
 | test.rs:348:5:354:5 | exit fn test_let_with_return (normal) | test.rs:348:5:354:5 | exit fn test_let_with_return |  |
@@ -835,14 +838,16 @@ edges
 | test.rs:392:26:394:5 | { ... } | test.rs:392:5:394:5 | exit fn say_hello (normal) |  |
 | test.rs:393:9:393:33 | ...::_print | test.rs:393:18:393:32 | "hello, world!\\n" |  |
 | test.rs:393:9:393:33 | MacroExpr | test.rs:392:26:394:5 | { ... } |  |
+| test.rs:393:9:393:33 | println!... | test.rs:393:9:393:33 | MacroExpr |  |
 | test.rs:393:9:393:34 | ExprStmt | test.rs:393:18:393:32 | MacroStmts |  |
 | test.rs:393:18:393:32 | "hello, world!\\n" | test.rs:393:18:393:32 | FormatArgsExpr |  |
 | test.rs:393:18:393:32 | ...::_print(...) | test.rs:393:18:393:32 | { ... } |  |
+| test.rs:393:18:393:32 | ...::format_args_nl!... | test.rs:393:18:393:32 | MacroExpr |  |
 | test.rs:393:18:393:32 | ExprStmt | test.rs:393:9:393:33 | ...::_print |  |
-| test.rs:393:18:393:32 | FormatArgsExpr | test.rs:393:18:393:32 | MacroExpr |  |
+| test.rs:393:18:393:32 | FormatArgsExpr | test.rs:393:18:393:32 | ...::format_args_nl!... |  |
 | test.rs:393:18:393:32 | MacroExpr | test.rs:393:18:393:32 | ...::_print(...) |  |
 | test.rs:393:18:393:32 | MacroStmts | test.rs:393:18:393:32 | ExprStmt |  |
-| test.rs:393:18:393:32 | { ... } | test.rs:393:9:393:33 | MacroExpr |  |
+| test.rs:393:18:393:32 | { ... } | test.rs:393:9:393:33 | println!... |  |
 | test.rs:396:5:415:5 | enter fn async_block | test.rs:396:26:396:26 | b |  |
 | test.rs:396:5:415:5 | exit fn async_block (normal) | test.rs:396:5:415:5 | exit fn async_block |  |
 | test.rs:396:26:396:26 | b | test.rs:396:26:396:32 | ...: bool | match |
@@ -855,14 +860,16 @@ edges
 | test.rs:397:26:399:9 | { ... } | test.rs:397:13:397:22 | say_godbye |  |
 | test.rs:398:13:398:41 | ...::_print | test.rs:398:22:398:40 | "godbye, everyone!\\n" |  |
 | test.rs:398:13:398:41 | MacroExpr | test.rs:397:26:399:9 | exit { ... } (normal) |  |
+| test.rs:398:13:398:41 | println!... | test.rs:398:13:398:41 | MacroExpr |  |
 | test.rs:398:13:398:42 | ExprStmt | test.rs:398:22:398:40 | MacroStmts |  |
 | test.rs:398:22:398:40 | "godbye, everyone!\\n" | test.rs:398:22:398:40 | FormatArgsExpr |  |
 | test.rs:398:22:398:40 | ...::_print(...) | test.rs:398:22:398:40 | { ... } |  |
+| test.rs:398:22:398:40 | ...::format_args_nl!... | test.rs:398:22:398:40 | MacroExpr |  |
 | test.rs:398:22:398:40 | ExprStmt | test.rs:398:13:398:41 | ...::_print |  |
-| test.rs:398:22:398:40 | FormatArgsExpr | test.rs:398:22:398:40 | MacroExpr |  |
+| test.rs:398:22:398:40 | FormatArgsExpr | test.rs:398:22:398:40 | ...::format_args_nl!... |  |
 | test.rs:398:22:398:40 | MacroExpr | test.rs:398:22:398:40 | ...::_print(...) |  |
 | test.rs:398:22:398:40 | MacroStmts | test.rs:398:22:398:40 | ExprStmt |  |
-| test.rs:398:22:398:40 | { ... } | test.rs:398:13:398:41 | MacroExpr |  |
+| test.rs:398:22:398:40 | { ... } | test.rs:398:13:398:41 | println!... |  |
 | test.rs:400:9:402:10 | let ... = ... | test.rs:400:31:402:9 | { ... } |  |
 | test.rs:400:13:400:27 | say_how_are_you | test.rs:403:9:403:28 | let ... = ... | match |
 | test.rs:400:31:402:9 | enter { ... } | test.rs:401:13:401:37 | ExprStmt |  |
@@ -870,14 +877,16 @@ edges
 | test.rs:400:31:402:9 | { ... } | test.rs:400:13:400:27 | say_how_are_you |  |
 | test.rs:401:13:401:36 | ...::_print | test.rs:401:22:401:35 | "how are you?\\n" |  |
 | test.rs:401:13:401:36 | MacroExpr | test.rs:400:31:402:9 | exit { ... } (normal) |  |
+| test.rs:401:13:401:36 | println!... | test.rs:401:13:401:36 | MacroExpr |  |
 | test.rs:401:13:401:37 | ExprStmt | test.rs:401:22:401:35 | MacroStmts |  |
 | test.rs:401:22:401:35 | "how are you?\\n" | test.rs:401:22:401:35 | FormatArgsExpr |  |
 | test.rs:401:22:401:35 | ...::_print(...) | test.rs:401:22:401:35 | { ... } |  |
+| test.rs:401:22:401:35 | ...::format_args_nl!... | test.rs:401:22:401:35 | MacroExpr |  |
 | test.rs:401:22:401:35 | ExprStmt | test.rs:401:13:401:36 | ...::_print |  |
-| test.rs:401:22:401:35 | FormatArgsExpr | test.rs:401:22:401:35 | MacroExpr |  |
+| test.rs:401:22:401:35 | FormatArgsExpr | test.rs:401:22:401:35 | ...::format_args_nl!... |  |
 | test.rs:401:22:401:35 | MacroExpr | test.rs:401:22:401:35 | ...::_print(...) |  |
 | test.rs:401:22:401:35 | MacroStmts | test.rs:401:22:401:35 | ExprStmt |  |
-| test.rs:401:22:401:35 | { ... } | test.rs:401:13:401:36 | MacroExpr |  |
+| test.rs:401:22:401:35 | { ... } | test.rs:401:13:401:36 | println!... |  |
 | test.rs:403:9:403:28 | let ... = ... | test.rs:403:20:403:27 | { ... } |  |
 | test.rs:403:13:403:16 | noop | test.rs:404:9:404:26 | ExprStmt | match |
 | test.rs:403:20:403:27 | { ... } | test.rs:403:13:403:16 | noop |  |
@@ -927,6 +936,7 @@ edges
 | test.rs:427:41:435:5 | { ... } | test.rs:427:5:435:5 | exit fn const_block_assert (normal) |  |
 | test.rs:430:9:432:9 | ExprStmt | test.rs:431:13:431:50 | ExprStmt |  |
 | test.rs:430:9:432:9 | { ... } | test.rs:434:9:434:10 | 42 |  |
+| test.rs:431:13:431:49 | ...::panic_2021!... | test.rs:431:13:431:49 | MacroExpr |  |
 | test.rs:431:13:431:49 | ...::panic_explicit | test.rs:431:13:431:49 | ...::panic_explicit(...) |  |
 | test.rs:431:13:431:49 | ...::panic_explicit(...) | test.rs:431:13:431:49 | { ... } |  |
 | test.rs:431:13:431:49 | ExprStmt | test.rs:431:13:431:49 | MacroStmts |  |
@@ -934,12 +944,13 @@ edges
 | test.rs:431:13:431:49 | MacroExpr | test.rs:430:9:432:9 | { ... } |  |
 | test.rs:431:13:431:49 | MacroExpr | test.rs:431:13:431:49 | { ... } |  |
 | test.rs:431:13:431:49 | MacroStmts | test.rs:431:13:431:49 | fn panic_cold_explicit |  |
+| test.rs:431:13:431:49 | assert!... | test.rs:431:13:431:49 | MacroExpr |  |
 | test.rs:431:13:431:49 | enter fn panic_cold_explicit | test.rs:431:13:431:49 | ...::panic_explicit |  |
 | test.rs:431:13:431:49 | exit fn panic_cold_explicit (normal) | test.rs:431:13:431:49 | exit fn panic_cold_explicit |  |
 | test.rs:431:13:431:49 | fn panic_cold_explicit | test.rs:431:13:431:49 | ExprStmt |  |
 | test.rs:431:13:431:49 | panic_cold_explicit | test.rs:431:13:431:49 | panic_cold_explicit(...) |  |
 | test.rs:431:13:431:49 | panic_cold_explicit(...) | test.rs:431:13:431:49 | { ... } |  |
-| test.rs:431:13:431:49 | { ... } | test.rs:431:13:431:49 | MacroExpr |  |
+| test.rs:431:13:431:49 | { ... } | test.rs:431:13:431:49 | ...::panic_2021!... |  |
 | test.rs:431:13:431:49 | { ... } | test.rs:431:13:431:49 | exit fn panic_cold_explicit (normal) |  |
 | test.rs:431:13:431:49 | { ... } | test.rs:431:21:431:48 | if ... {...} |  |
 | test.rs:431:13:431:50 | ExprStmt | test.rs:431:21:431:48 | MacroStmts |  |
@@ -951,7 +962,7 @@ edges
 | test.rs:431:21:431:48 | [boolean(false)] ! ... | test.rs:431:21:431:48 | if ... {...} | false |
 | test.rs:431:21:431:48 | [boolean(true)] ! ... | test.rs:431:13:431:49 | ExprStmt | true |
 | test.rs:431:21:431:48 | if ... {...} | test.rs:431:21:431:48 | { ... } |  |
-| test.rs:431:21:431:48 | { ... } | test.rs:431:13:431:49 | MacroExpr |  |
+| test.rs:431:21:431:48 | { ... } | test.rs:431:13:431:49 | assert!... |  |
 | test.rs:431:48:431:48 | 0 | test.rs:431:21:431:48 | ... > ... |  |
 | test.rs:434:9:434:10 | 42 | test.rs:427:41:435:5 | { ... } |  |
 | test.rs:437:5:446:5 | enter fn const_block_panic | test.rs:438:9:438:30 | Const |  |
--- a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
+++ b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
@@ -6,6 +6,7 @@ localStep
 | main.rs:7:9:7:9 | [SSA] s | main.rs:8:20:8:20 | s |
 | main.rs:7:9:7:9 | s | main.rs:7:9:7:9 | [SSA] s |
 | main.rs:7:9:7:14 | ...: i64 | main.rs:7:9:7:9 | s |
+| main.rs:8:14:8:20 | FormatArgsExpr | main.rs:8:14:8:20 | MacroExpr |
 | main.rs:19:9:19:9 | [SSA] s | main.rs:20:10:20:10 | s |
 | main.rs:19:9:19:9 | s | main.rs:19:9:19:9 | [SSA] s |
 | main.rs:19:13:19:21 | source(...) | main.rs:19:9:19:9 | s |
@@ -456,7 +457,12 @@ localStep
 | main.rs:396:15:396:62 | name.unwrap_or_else(...) | main.rs:396:11:396:11 | n |
 | main.rs:396:35:396:61 | [SSA] <captured entry> default_name | main.rs:396:38:396:49 | default_name |
 | main.rs:398:7:398:14 | [SSA] [input] SSA phi read(default_name) | main.rs:394:7:394:18 | [SSA] SSA phi read(default_name) |
-| main.rs:425:13:425:33 | result_questionmark(...) | main.rs:425:9:425:9 | _ |
+| main.rs:410:9:410:9 | [SSA] s | main.rs:411:10:411:10 | s |
+| main.rs:410:9:410:9 | s | main.rs:410:9:410:9 | [SSA] s |
+| main.rs:410:13:410:27 | MacroExpr | main.rs:410:9:410:9 | s |
+| main.rs:410:25:410:26 | source(...) | main.rs:410:13:410:27 | MacroExpr |
+| main.rs:436:13:436:33 | result_questionmark(...) | main.rs:436:9:436:9 | _ |
+| main.rs:448:36:448:41 | ...::new(...) | main.rs:448:36:448:41 | MacroExpr |
 storeStep
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text |
 | main.rs:94:14:94:22 | source(...) | tuple.0 | main.rs:94:13:94:26 | TupleExpr |
@@ -529,7 +535,7 @@ storeStep
 | main.rs:381:30:381:30 | 3 | array[] | main.rs:381:23:381:31 | [...] |
 | main.rs:384:18:384:27 | source(...) | array[] | main.rs:384:5:384:11 | [post] mut_arr |
 | main.rs:396:35:396:61 | default_name | captured default_name | main.rs:396:35:396:61 | \|...\| ... |
-| main.rs:407:27:407:27 | 0 | Some | main.rs:407:22:407:28 | Some(...) |
+| main.rs:418:27:418:27 | 0 | Some | main.rs:418:22:418:28 | Some(...) |
 readStep
 | file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::option::Option>::unwrap | Some | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::unwrap |
 | file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::option::Option>::unwrap_or | Some | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::unwrap_or |
--- a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected
+++ b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected
@@ -152,6 +152,8 @@ edges
 | main.rs:385:13:385:19 | mut_arr [array[]] | main.rs:385:13:385:22 | mut_arr[1] | provenance |  |
 | main.rs:385:13:385:22 | mut_arr[1] | main.rs:385:9:385:9 | d | provenance |  |
 | main.rs:387:10:387:16 | mut_arr [array[]] | main.rs:387:10:387:19 | mut_arr[0] | provenance |  |
+| main.rs:410:9:410:9 | s | main.rs:411:10:411:10 | s | provenance |  |
+| main.rs:410:25:410:26 | source(...) | main.rs:410:9:410:9 | s | provenance |  |
 nodes
 | main.rs:15:10:15:18 | source(...) | semmle.label | source(...) |
 | main.rs:19:9:19:9 | s | semmle.label | s |
@@ -330,6 +332,9 @@ nodes
 | main.rs:386:10:386:10 | d | semmle.label | d |
 | main.rs:387:10:387:16 | mut_arr [array[]] | semmle.label | mut_arr [array[]] |
 | main.rs:387:10:387:19 | mut_arr[0] | semmle.label | mut_arr[0] |
+| main.rs:410:9:410:9 | s | semmle.label | s |
+| main.rs:410:25:410:26 | source(...) | semmle.label | source(...) |
+| main.rs:411:10:411:10 | s | semmle.label | s |
 subpaths
 testFailures
 #select
@@ -368,3 +373,4 @@ testFailures
 | main.rs:375:18:375:18 | c | main.rs:370:23:370:32 | source(...) | main.rs:375:18:375:18 | c | $@ | main.rs:370:23:370:32 | source(...) | source(...) |
 | main.rs:386:10:386:10 | d | main.rs:384:18:384:27 | source(...) | main.rs:386:10:386:10 | d | $@ | main.rs:384:18:384:27 | source(...) | source(...) |
 | main.rs:387:10:387:19 | mut_arr[0] | main.rs:384:18:384:27 | source(...) | main.rs:387:10:387:19 | mut_arr[0] | $@ | main.rs:384:18:384:27 | source(...) | source(...) |
+| main.rs:411:10:411:10 | s | main.rs:410:25:410:26 | source(...) | main.rs:411:10:411:10 | s | $@ | main.rs:410:25:410:26 | source(...) | source(...) |
--- a/rust/ql/test/library-tests/dataflow/local/main.rs
+++ b/rust/ql/test/library-tests/dataflow/local/main.rs
@@ -400,6 +400,17 @@ pub fn captured_variable_and_continue(names: Vec<(bool, Option<String>)>) {
  }
 }

+macro_rules! get_source {
+    ($e:expr) => {
+        source($e)
+    };
+}
+
+fn macro_invocation() {
+    let s = get_source!(37);
+    sink(s); // $ hasValueFlow=37
+}
+
 fn main() {
    direct();
    variable_usage();
@@ -435,4 +446,5 @@ fn main() {
    array_slice_pattern();
    array_assignment();
    captured_variable_and_continue(vec![]);
+    macro_invocation();
 }
--- a/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected
+++ b/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected
@@ -1,35 +1,69 @@
 models
 | 1 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; taint |
+| 2 | Summary: lang:alloc; crate::fmt::format; Argument[0]; ReturnValue; taint |
 edges
-| main.rs:20:9:20:9 | s | main.rs:21:19:21:25 | s[...] | provenance |  |
-| main.rs:20:13:20:22 | source(...) | main.rs:20:9:20:9 | s | provenance |  |
-| main.rs:21:9:21:14 | sliced [&ref] | main.rs:22:16:22:21 | sliced | provenance |  |
-| main.rs:21:18:21:25 | &... [&ref] | main.rs:21:9:21:14 | sliced [&ref] | provenance |  |
-| main.rs:21:19:21:25 | s[...] | main.rs:21:18:21:25 | &... [&ref] | provenance |  |
-| main.rs:26:9:26:10 | s1 | main.rs:29:9:29:10 | s4 | provenance |  |
-| main.rs:26:14:26:23 | source(...) | main.rs:26:9:26:10 | s1 | provenance |  |
-| main.rs:29:9:29:10 | s4 | main.rs:32:10:32:11 | s4 | provenance |  |
-| main.rs:57:9:57:9 | s | main.rs:58:16:58:16 | s | provenance |  |
-| main.rs:57:13:57:22 | source(...) | main.rs:57:9:57:9 | s | provenance |  |
-| main.rs:58:16:58:16 | s | main.rs:58:16:58:25 | s.as_str(...) | provenance | MaD:1 |
+| main.rs:26:9:26:9 | s | main.rs:27:19:27:25 | s[...] | provenance |  |
+| main.rs:26:13:26:22 | source(...) | main.rs:26:9:26:9 | s | provenance |  |
+| main.rs:27:9:27:14 | sliced [&ref] | main.rs:28:16:28:21 | sliced | provenance |  |
+| main.rs:27:18:27:25 | &... [&ref] | main.rs:27:9:27:14 | sliced [&ref] | provenance |  |
+| main.rs:27:19:27:25 | s[...] | main.rs:27:18:27:25 | &... [&ref] | provenance |  |
+| main.rs:32:9:32:10 | s1 | main.rs:35:9:35:10 | s4 | provenance |  |
+| main.rs:32:14:32:23 | source(...) | main.rs:32:9:32:10 | s1 | provenance |  |
+| main.rs:35:9:35:10 | s4 | main.rs:38:10:38:11 | s4 | provenance |  |
+| main.rs:63:9:63:9 | s | main.rs:64:16:64:16 | s | provenance |  |
+| main.rs:63:13:63:22 | source(...) | main.rs:63:9:63:9 | s | provenance |  |
+| main.rs:64:16:64:16 | s | main.rs:64:16:64:25 | s.as_str(...) | provenance | MaD:1 |
+| main.rs:68:9:68:9 | s | main.rs:70:34:70:61 | MacroExpr | provenance |  |
+| main.rs:68:9:68:9 | s | main.rs:73:34:73:59 | MacroExpr | provenance |  |
+| main.rs:68:13:68:22 | source(...) | main.rs:68:9:68:9 | s | provenance |  |
+| main.rs:70:9:70:18 | formatted1 | main.rs:71:10:71:19 | formatted1 | provenance |  |
+| main.rs:70:22:70:62 | ...::format(...) | main.rs:70:9:70:18 | formatted1 | provenance |  |
+| main.rs:70:34:70:61 | MacroExpr | main.rs:70:22:70:62 | ...::format(...) | provenance | MaD:2 |
+| main.rs:73:9:73:18 | formatted2 | main.rs:74:10:74:19 | formatted2 | provenance |  |
+| main.rs:73:22:73:60 | ...::format(...) | main.rs:73:9:73:18 | formatted2 | provenance |  |
+| main.rs:73:34:73:59 | MacroExpr | main.rs:73:22:73:60 | ...::format(...) | provenance | MaD:2 |
+| main.rs:76:9:76:13 | width | main.rs:77:34:77:74 | MacroExpr | provenance |  |
+| main.rs:76:17:76:32 | source_usize(...) | main.rs:76:9:76:13 | width | provenance |  |
+| main.rs:77:9:77:18 | formatted3 | main.rs:78:10:78:19 | formatted3 | provenance |  |
+| main.rs:77:22:77:75 | ...::format(...) | main.rs:77:9:77:18 | formatted3 | provenance |  |
+| main.rs:77:34:77:74 | MacroExpr | main.rs:77:22:77:75 | ...::format(...) | provenance | MaD:2 |
 nodes
-| main.rs:20:9:20:9 | s | semmle.label | s |
-| main.rs:20:13:20:22 | source(...) | semmle.label | source(...) |
-| main.rs:21:9:21:14 | sliced [&ref] | semmle.label | sliced [&ref] |
-| main.rs:21:18:21:25 | &... [&ref] | semmle.label | &... [&ref] |
-| main.rs:21:19:21:25 | s[...] | semmle.label | s[...] |
-| main.rs:22:16:22:21 | sliced | semmle.label | sliced |
-| main.rs:26:9:26:10 | s1 | semmle.label | s1 |
-| main.rs:26:14:26:23 | source(...) | semmle.label | source(...) |
-| main.rs:29:9:29:10 | s4 | semmle.label | s4 |
-| main.rs:32:10:32:11 | s4 | semmle.label | s4 |
-| main.rs:57:9:57:9 | s | semmle.label | s |
-| main.rs:57:13:57:22 | source(...) | semmle.label | source(...) |
-| main.rs:58:16:58:16 | s | semmle.label | s |
-| main.rs:58:16:58:25 | s.as_str(...) | semmle.label | s.as_str(...) |
+| main.rs:26:9:26:9 | s | semmle.label | s |
+| main.rs:26:13:26:22 | source(...) | semmle.label | source(...) |
+| main.rs:27:9:27:14 | sliced [&ref] | semmle.label | sliced [&ref] |
+| main.rs:27:18:27:25 | &... [&ref] | semmle.label | &... [&ref] |
+| main.rs:27:19:27:25 | s[...] | semmle.label | s[...] |
+| main.rs:28:16:28:21 | sliced | semmle.label | sliced |
+| main.rs:32:9:32:10 | s1 | semmle.label | s1 |
+| main.rs:32:14:32:23 | source(...) | semmle.label | source(...) |
+| main.rs:35:9:35:10 | s4 | semmle.label | s4 |
+| main.rs:38:10:38:11 | s4 | semmle.label | s4 |
+| main.rs:63:9:63:9 | s | semmle.label | s |
+| main.rs:63:13:63:22 | source(...) | semmle.label | source(...) |
+| main.rs:64:16:64:16 | s | semmle.label | s |
+| main.rs:64:16:64:25 | s.as_str(...) | semmle.label | s.as_str(...) |
+| main.rs:68:9:68:9 | s | semmle.label | s |
+| main.rs:68:13:68:22 | source(...) | semmle.label | source(...) |
+| main.rs:70:9:70:18 | formatted1 | semmle.label | formatted1 |
+| main.rs:70:22:70:62 | ...::format(...) | semmle.label | ...::format(...) |
+| main.rs:70:34:70:61 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:71:10:71:19 | formatted1 | semmle.label | formatted1 |
+| main.rs:73:9:73:18 | formatted2 | semmle.label | formatted2 |
+| main.rs:73:22:73:60 | ...::format(...) | semmle.label | ...::format(...) |
+| main.rs:73:34:73:59 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:74:10:74:19 | formatted2 | semmle.label | formatted2 |
+| main.rs:76:9:76:13 | width | semmle.label | width |
+| main.rs:76:17:76:32 | source_usize(...) | semmle.label | source_usize(...) |
+| main.rs:77:9:77:18 | formatted3 | semmle.label | formatted3 |
+| main.rs:77:22:77:75 | ...::format(...) | semmle.label | ...::format(...) |
+| main.rs:77:34:77:74 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:78:10:78:19 | formatted3 | semmle.label | formatted3 |
 subpaths
 testFailures
 #select
-| main.rs:22:16:22:21 | sliced | main.rs:20:13:20:22 | source(...) | main.rs:22:16:22:21 | sliced | $@ | main.rs:20:13:20:22 | source(...) | source(...) |
-| main.rs:32:10:32:11 | s4 | main.rs:26:14:26:23 | source(...) | main.rs:32:10:32:11 | s4 | $@ | main.rs:26:14:26:23 | source(...) | source(...) |
-| main.rs:58:16:58:25 | s.as_str(...) | main.rs:57:13:57:22 | source(...) | main.rs:58:16:58:25 | s.as_str(...) | $@ | main.rs:57:13:57:22 | source(...) | source(...) |
+| main.rs:28:16:28:21 | sliced | main.rs:26:13:26:22 | source(...) | main.rs:28:16:28:21 | sliced | $@ | main.rs:26:13:26:22 | source(...) | source(...) |
+| main.rs:38:10:38:11 | s4 | main.rs:32:14:32:23 | source(...) | main.rs:38:10:38:11 | s4 | $@ | main.rs:32:14:32:23 | source(...) | source(...) |
+| main.rs:64:16:64:25 | s.as_str(...) | main.rs:63:13:63:22 | source(...) | main.rs:64:16:64:25 | s.as_str(...) | $@ | main.rs:63:13:63:22 | source(...) | source(...) |
+| main.rs:71:10:71:19 | formatted1 | main.rs:68:13:68:22 | source(...) | main.rs:71:10:71:19 | formatted1 | $@ | main.rs:68:13:68:22 | source(...) | source(...) |
+| main.rs:74:10:74:19 | formatted2 | main.rs:68:13:68:22 | source(...) | main.rs:74:10:74:19 | formatted2 | $@ | main.rs:68:13:68:22 | source(...) | source(...) |
+| main.rs:78:10:78:19 | formatted3 | main.rs:76:17:76:32 | source_usize(...) | main.rs:78:10:78:19 | formatted3 | $@ | main.rs:76:17:76:32 | source_usize(...) | source_usize(...) |
--- a/rust/ql/test/library-tests/dataflow/strings/main.rs
+++ b/rust/ql/test/library-tests/dataflow/strings/main.rs
@@ -1,9 +1,15 @@
+use std::fmt;
+
 // Taint tests for strings

 fn source(i: i64) -> String {
    format!("{}", i)
 }

+fn source_usize(i: usize) -> usize {
+    i
+}
+
 fn source_slice(_i: i64) -> &'static str {
    "source"
 }
@@ -18,7 +24,7 @@ fn sink(s: String) {

 fn string_slice() {
    let s = source(35);
-    let sliced = &s[1..3];
+    let sliced = &s[1..2];
    sink_slice(sliced); // $ hasTaintFlow=35
 }

@@ -58,16 +64,28 @@ fn as_str() {
    sink_slice(s.as_str()); // $ hasTaintFlow=67
 }

-fn string_format() {
+fn format_args_built_in() {
+    let s = source(88);
+
+    let formatted1 = fmt::format(format_args!("Hello {}!", s));
+    sink(formatted1); // $ hasTaintFlow=88
+
+    let formatted2 = fmt::format(format_args!("Hello {s}!"));
+    sink(formatted2); // $ hasTaintFlow=88
+
+    let width = source_usize(10);
+    let formatted3 = fmt::format(format_args!("Hello {:width$}!", "World"));
+    sink(formatted3); // $ hasTaintFlow=10
+}
+
+fn format_macro() {
    let s1 = source(34);
    let s2 = "2";
    let s3 = "3";

-    let s4 = format!("{s1} and {s3}");
-    let s5 = format!("{s2} and {s3}");
-
-    sink_slice(&s4); // $ MISSING: hasTaintFlow=34
-    sink_slice(&s5);
+    sink(format!("{}", s1)); // $ MISSING: hasTaintFlow=34
+    sink(format!("{s1} and {s3}")); // $ MISSING: hasTaintFlow=34
+    sink(format!("{s2} and {s3}"));
 }

 fn main() {
@@ -77,5 +95,6 @@ fn main() {
    string_from();
    as_str();
    string_to_string();
-    string_format();
+    format_args_built_in();
+    format_macro();
 }
--- a/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected
+++ b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected
@@ -1,13 +1,19 @@
+| file://:0:0:0:0 | [summary param] 0 in lang:alloc::_::crate::fmt::format | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::crate::fmt::format | MaD:9 |
 | file://:0:0:0:0 | [summary param] self in lang:alloc::_::<crate::string::String>::as_str | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::as_str | MaD:7 |
 | file://:0:0:0:0 | [summary param] self in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | MaD:0 |
 | main.rs:4:5:4:8 | 1000 | main.rs:4:5:4:12 | ... + ... |  |
 | main.rs:4:12:4:12 | i | main.rs:4:5:4:12 | ... + ... |  |
+| main.rs:8:20:8:20 | s | main.rs:8:14:8:20 | FormatArgsExpr |  |
 | main.rs:13:10:13:10 | a | main.rs:13:10:13:14 | ... + ... |  |
 | main.rs:13:14:13:14 | 1 | main.rs:13:10:13:14 | ... + ... |  |
 | main.rs:18:11:18:11 | a | main.rs:18:10:18:11 | - ... |  |
 | main.rs:23:13:23:13 | a | main.rs:23:13:23:19 | a as u8 |  |
 | main.rs:24:10:24:10 | b | main.rs:24:10:24:17 | b as i64 |  |
+| main.rs:29:23:29:23 | i | main.rs:29:17:29:23 | FormatArgsExpr |  |
+| main.rs:33:24:33:24 | s | main.rs:33:18:33:24 | FormatArgsExpr |  |
 | main.rs:38:23:38:23 | s | main.rs:38:23:38:29 | s[...] |  |
+| main.rs:49:24:49:24 | i | main.rs:49:18:49:24 | FormatArgsExpr |  |
 | main.rs:54:14:54:16 | arr | main.rs:54:14:54:19 | arr[1] |  |
 | main.rs:64:24:64:24 | s | main.rs:64:24:64:27 | s[1] |  |
+| main.rs:64:24:64:27 | s[1] | main.rs:64:18:64:27 | FormatArgsExpr |  |
 | main.rs:69:9:69:12 | arr2 | main.rs:69:9:69:15 | arr2[1] |  |
--- a/rust/ql/test/library-tests/variables/Cfg.expected
+++ b/rust/ql/test/library-tests/variables/Cfg.expected
@@ -6,14 +6,16 @@ edges
 | variables.rs:3:23:5:1 | { ... } | variables.rs:3:1:5:1 | exit fn print_str (normal) |  |
 | variables.rs:4:5:4:21 | ...::_print | variables.rs:4:14:4:17 | "{}\\n" |  |
 | variables.rs:4:5:4:21 | MacroExpr | variables.rs:3:23:5:1 | { ... } |  |
+| variables.rs:4:5:4:21 | println!... | variables.rs:4:5:4:21 | MacroExpr |  |
 | variables.rs:4:5:4:22 | ExprStmt | variables.rs:4:14:4:20 | MacroStmts |  |
 | variables.rs:4:14:4:17 | "{}\\n" | variables.rs:4:20:4:20 | s |  |
 | variables.rs:4:14:4:20 | ...::_print(...) | variables.rs:4:14:4:20 | { ... } |  |
+| variables.rs:4:14:4:20 | ...::format_args_nl!... | variables.rs:4:14:4:20 | MacroExpr |  |
 | variables.rs:4:14:4:20 | ExprStmt | variables.rs:4:5:4:21 | ...::_print |  |
-| variables.rs:4:14:4:20 | FormatArgsExpr | variables.rs:4:14:4:20 | MacroExpr |  |
+| variables.rs:4:14:4:20 | FormatArgsExpr | variables.rs:4:14:4:20 | ...::format_args_nl!... |  |
 | variables.rs:4:14:4:20 | MacroExpr | variables.rs:4:14:4:20 | ...::_print(...) |  |
 | variables.rs:4:14:4:20 | MacroStmts | variables.rs:4:14:4:20 | ExprStmt |  |
-| variables.rs:4:14:4:20 | { ... } | variables.rs:4:5:4:21 | MacroExpr |  |
+| variables.rs:4:14:4:20 | { ... } | variables.rs:4:5:4:21 | println!... |  |
 | variables.rs:4:20:4:20 | s | variables.rs:4:14:4:20 | FormatArgsExpr |  |
 | variables.rs:7:1:9:1 | enter fn print_i64 | variables.rs:7:14:7:14 | i |  |
 | variables.rs:7:1:9:1 | exit fn print_i64 (normal) | variables.rs:7:1:9:1 | exit fn print_i64 |  |
@@ -22,14 +24,16 @@ edges
 | variables.rs:7:22:9:1 | { ... } | variables.rs:7:1:9:1 | exit fn print_i64 (normal) |  |
 | variables.rs:8:5:8:21 | ...::_print | variables.rs:8:14:8:17 | "{}\\n" |  |
 | variables.rs:8:5:8:21 | MacroExpr | variables.rs:7:22:9:1 | { ... } |  |
+| variables.rs:8:5:8:21 | println!... | variables.rs:8:5:8:21 | MacroExpr |  |
 | variables.rs:8:5:8:22 | ExprStmt | variables.rs:8:14:8:20 | MacroStmts |  |
 | variables.rs:8:14:8:17 | "{}\\n" | variables.rs:8:20:8:20 | i |  |
 | variables.rs:8:14:8:20 | ...::_print(...) | variables.rs:8:14:8:20 | { ... } |  |
+| variables.rs:8:14:8:20 | ...::format_args_nl!... | variables.rs:8:14:8:20 | MacroExpr |  |
 | variables.rs:8:14:8:20 | ExprStmt | variables.rs:8:5:8:21 | ...::_print |  |
-| variables.rs:8:14:8:20 | FormatArgsExpr | variables.rs:8:14:8:20 | MacroExpr |  |
+| variables.rs:8:14:8:20 | FormatArgsExpr | variables.rs:8:14:8:20 | ...::format_args_nl!... |  |
 | variables.rs:8:14:8:20 | MacroExpr | variables.rs:8:14:8:20 | ...::_print(...) |  |
 | variables.rs:8:14:8:20 | MacroStmts | variables.rs:8:14:8:20 | ExprStmt |  |
-| variables.rs:8:14:8:20 | { ... } | variables.rs:8:5:8:21 | MacroExpr |  |
+| variables.rs:8:14:8:20 | { ... } | variables.rs:8:5:8:21 | println!... |  |
 | variables.rs:8:20:8:20 | i | variables.rs:8:14:8:20 | FormatArgsExpr |  |
 | variables.rs:11:1:13:1 | enter fn print_i64_ref | variables.rs:11:18:11:18 | i |  |
 | variables.rs:11:1:13:1 | exit fn print_i64_ref (normal) | variables.rs:11:1:13:1 | exit fn print_i64_ref |  |
@@ -218,9 +222,10 @@ edges
 | variables.rs:94:39:94:42 | "x5" | variables.rs:94:34:94:43 | Some(...) |  |
 | variables.rs:96:13:96:19 | "not yet implemented" | variables.rs:96:13:96:19 | ...::panic(...) |  |
 | variables.rs:96:13:96:19 | ...::panic | variables.rs:96:13:96:19 | "not yet implemented" |  |
-| variables.rs:96:13:96:19 | ...::panic(...) | variables.rs:96:13:96:19 | MacroExpr |  |
+| variables.rs:96:13:96:19 | ...::panic(...) | variables.rs:96:13:96:19 | todo!... |  |
 | variables.rs:96:13:96:19 | MacroExpr | variables.rs:95:14:97:9 | { ... } |  |
 | variables.rs:96:13:96:19 | MacroStmts | variables.rs:96:13:96:19 | ...::panic |  |
+| variables.rs:96:13:96:19 | todo!... | variables.rs:96:13:96:19 | MacroExpr |  |
 | variables.rs:98:5:98:13 | print_str | variables.rs:98:15:98:16 | x5 |  |
 | variables.rs:98:5:98:17 | print_str(...) | variables.rs:93:19:99:1 | { ... } |  |
 | variables.rs:98:5:98:18 | ExprStmt | variables.rs:98:5:98:13 | print_str |  |
@@ -383,13 +388,15 @@ edges
 | variables.rs:175:43:177:9 | { ... } | variables.rs:171:5:180:5 | match msg { ... } |  |
 | variables.rs:176:13:176:52 | ...::_print | variables.rs:176:22:176:51 | "Found an id in another range\\... |  |
 | variables.rs:176:13:176:52 | MacroExpr | variables.rs:175:43:177:9 | { ... } |  |
+| variables.rs:176:13:176:52 | println!... | variables.rs:176:13:176:52 | MacroExpr |  |
 | variables.rs:176:22:176:51 | "Found an id in another range\\... | variables.rs:176:22:176:51 | FormatArgsExpr |  |
 | variables.rs:176:22:176:51 | ...::_print(...) | variables.rs:176:22:176:51 | { ... } |  |
+| variables.rs:176:22:176:51 | ...::format_args_nl!... | variables.rs:176:22:176:51 | MacroExpr |  |
 | variables.rs:176:22:176:51 | ExprStmt | variables.rs:176:13:176:52 | ...::_print |  |
-| variables.rs:176:22:176:51 | FormatArgsExpr | variables.rs:176:22:176:51 | MacroExpr |  |
+| variables.rs:176:22:176:51 | FormatArgsExpr | variables.rs:176:22:176:51 | ...::format_args_nl!... |  |
 | variables.rs:176:22:176:51 | MacroExpr | variables.rs:176:22:176:51 | ...::_print(...) |  |
 | variables.rs:176:22:176:51 | MacroStmts | variables.rs:176:22:176:51 | ExprStmt |  |
-| variables.rs:176:22:176:51 | { ... } | variables.rs:176:13:176:52 | MacroExpr |  |
+| variables.rs:176:22:176:51 | { ... } | variables.rs:176:13:176:52 | println!... |  |
 | variables.rs:178:9:178:29 | ...::Hello {...} | variables.rs:178:26:178:27 | id | match |
 | variables.rs:178:26:178:27 | id | variables.rs:179:13:179:21 | print_i64 | match |
 | variables.rs:179:13:179:21 | print_i64 | variables.rs:179:23:179:24 | id |  |
@@ -1237,11 +1244,12 @@ edges
 | variables.rs:554:5:555:26 | let ... = ... | variables.rs:555:23:555:24 | let ... = 37 |  |
 | variables.rs:554:9:554:22 | var_from_macro | variables.rs:556:5:556:30 | ExprStmt | match |
 | variables.rs:555:9:555:25 | MacroExpr | variables.rs:554:9:554:22 | var_from_macro |  |
+| variables.rs:555:9:555:25 | let_in_macro!... | variables.rs:555:9:555:25 | MacroExpr |  |
 | variables.rs:555:9:555:25 | var_in_macro | variables.rs:555:9:555:25 | var_in_macro | match |
 | variables.rs:555:9:555:25 | var_in_macro | variables.rs:555:23:555:24 | { ... } |  |
 | variables.rs:555:23:555:24 | 37 | variables.rs:555:9:555:25 | var_in_macro |  |
 | variables.rs:555:23:555:24 | let ... = 37 | variables.rs:555:23:555:24 | 37 |  |
-| variables.rs:555:23:555:24 | { ... } | variables.rs:555:9:555:25 | MacroExpr |  |
+| variables.rs:555:23:555:24 | { ... } | variables.rs:555:9:555:25 | let_in_macro!... |  |
 | variables.rs:556:5:556:13 | print_i64 | variables.rs:556:15:556:28 | var_from_macro |  |
 | variables.rs:556:5:556:29 | print_i64(...) | variables.rs:553:23:557:1 | { ... } |  |
 | variables.rs:556:5:556:30 | ExprStmt | variables.rs:556:5:556:13 | print_i64 |  |
--- a/rust/schema/annotations.py
+++ b/rust/schema/annotations.py
@@ -1067,13 +1067,13 @@ class _:
    """


-@annotate(FormatArgsArg)
+@annotate(FormatArgsArg, cfg = True)
@qltest.test_with(FormatArgsExpr)
 class _:
    """
-    A FormatArgsArg. For example:
+    A FormatArgsArg. For example the `"world"` in:
    ```rust
-    todo!()
+    format_args!("Hello, {}!", "world")
    ```
    """

@@ -1871,6 +1871,10 @@ class Format(Locatable):
    ```rust
    println!("Hello {}", "world");
    ```
+    or the `{value:#width$.precision$}` in:
+    ```rust
+    println!("Value {value:#width$.precision$}");
+    ```
    """
    parent: FormatArgsExpr
    index: int