Merge branch 'main' into js-use-shared-cryptography

2026-05-01 19:55:15 +02:00 · 2023-02-03 15:18:30 +00:00
parent 6c35feaa98 b8bd98e476
commit 7768026e70
858 changed files with 237441 additions and 19245 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,19 +1,12 @@
 version: 2
 updates:
  - package-ecosystem: "cargo"
-    directory: "ruby/node-types"
+    directory: "ruby"
    schedule:
      interval: "daily"
+
  - package-ecosystem: "cargo"
-    directory: "ruby/generator"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "cargo"
-    directory: "ruby/extractor"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "cargo"
-    directory: "ruby/autobuilder"
+    directory: "ql"
    schedule:
      interval: "daily"

--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,9 +28,9 @@ jobs:

    steps:
    - name: Setup dotnet
-      uses: actions/setup-dotnet@v2
+      uses: actions/setup-dotnet@v3
      with:
-        dotnet-version: 6.0.202
+        dotnet-version: 7.0.102

    - name: Checkout repository
      uses: actions/checkout@v3
--- a/.github/workflows/csharp-qltest.yml
+++ b/.github/workflows/csharp-qltest.yml
@@ -77,10 +77,10 @@ jobs:
      - name: Setup dotnet
        uses: actions/setup-dotnet@v3
        with:
-          dotnet-version: 6.0.202
+          dotnet-version: 7.0.102
      - name: Extractor unit tests
        run: |
-          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/extractor/Semmle.Util.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/extractor/Semmle.Extraction.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Util.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Extraction.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -27,7 +27,7 @@ jobs:
        uses: ./.github/actions/find-latest-bundle
      - name: Find codeql
        id: find-codeql
-        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
+        uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
        with:
          languages: javascript # does not matter
          tools: ${{ steps.find-latest-bundle.outputs.url }}
@@ -139,7 +139,7 @@ jobs:
        env:
          CONF: ./ql-for-ql-config.yml
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
+        uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
        with:
          languages: ql
          db-location: ${{ runner.temp }}/db
@@ -152,7 +152,7 @@ jobs:
          PACK: ${{ runner.temp }}/pack

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@45955cb1830b640e2c1603ad72ad542a49d47b96
+        uses: github/codeql-action/analyze@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
        with:
          category: "ql-for-ql"
      - name: Copy sarif file to CWD
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
@@ -25,7 +25,7 @@ jobs:

      - name: Find codeql
        id: find-codeql
-        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
+        uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
        with:
          languages: javascript # does not matter
      - uses: ./.github/actions/os-version
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -6,11 +6,13 @@ on:
    paths:
      - "ql/**"
      - codeql-workspace.yml
+      - .github/workflows/ql-for-ql-tests.yml
  pull_request:
    branches: [main]
    paths:
      - "ql/**"
      - codeql-workspace.yml
+      - .github/workflows/ql-for-ql-tests.yml

 env:
  CARGO_TERM_COLOR: always
@@ -22,7 +24,7 @@ jobs:
      - uses: actions/checkout@v3
      - name: Find codeql
        id: find-codeql
-        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
+        uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
        with:
          languages: javascript # does not matter
      - uses: ./.github/actions/os-version
@@ -65,7 +67,7 @@ jobs:
          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
      - name: Find codeql
        id: find-codeql
-        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        uses: github/codeql-action/init@beae46e6b1da530ed5e9fc6a756f92433ca47ae1
        with:
          languages: javascript # does not matter
      - uses: ./.github/actions/os-version
--- a/README.md
+++ b/README.md
@@ -10,6 +10,8 @@ There is [extensive documentation](https://codeql.github.com/docs/) on getting s

 We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/main/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.

+For information on contributing to CodeQL documentation, see the "[contributing guide](docs/codeql/CONTRIBUTING.md)" for docs.
+
 ## License

 The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -34,9 +34,9 @@
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplForRegExp.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForRegExp.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll"
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj
@@ -2,7 +2,7 @@

  <PropertyGroup>
    <OutputType>Exe</OutputType>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
    <Nullable>enable</Nullable>
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
    <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
    <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
    <ApplicationIcon />
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 0.5.2
+
+No user-facing changes.
+
+## 0.5.1
+
+No user-facing changes.
+
 ## 0.5.0

 ### Breaking Changes
--- a/cpp/ql/lib/change-notes/released/0.5.1.md
+++ b/cpp/ql/lib/change-notes/released/0.5.1.md
@@ -0,0 +1,3 @@
+## 0.5.1
+
+No user-facing changes.
--- a/cpp/ql/lib/change-notes/released/0.5.2.md
+++ b/cpp/ql/lib/change-notes/released/0.5.2.md
@@ -0,0 +1,3 @@
+## 0.5.2
+
+No user-facing changes.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.0
+lastReleaseVersion: 0.5.2
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantShiftExprRange.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantShiftExprRange.qll
@@ -0,0 +1,263 @@
+private import cpp
+private import experimental.semmle.code.cpp.models.interfaces.SimpleRangeAnalysisExpr
+private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
+
+float evaluateConstantExpr(Expr e) {
+  result = e.getValue().toFloat()
+  or
+  // This handles when a constant value is put into a variable
+  // and the variable is used later
+  exists(SsaDefinition defn, StackVariable sv |
+    defn.getAUse(sv) = e and
+    result = defn.getDefiningValue(sv).getValue().toFloat()
+  )
+}
+
+// If the constant right operand is negative or is greater than or equal to the number of
+// bits in the left operands type, then the result is undefined (except on the IA-32
+// architecture where the shift value is masked with 0b00011111, but we can't
+// assume the architecture).
+bindingset[val]
+private predicate isValidShiftExprShift(float val, Expr l) {
+  val >= 0 and
+  // We use getFullyConverted because the spec says to use the *promoted* left operand
+  val < (l.getFullyConverted().getUnderlyingType().getSize() * 8)
+}
+
+bindingset[val, shift, max_val]
+private predicate canLShiftOverflow(int val, int shift, int max_val) {
+  // val << shift = val * 2^shift > max_val => val > max_val/2^shift = max_val >> b
+  val > max_val.bitShiftRight(shift)
+}
+
+/**
+ * A range analysis expression consisting of the `>>` or `>>=` operator when at least
+ * one operand is a constant (and if the right operand is a constant, it must be "valid"
+ * (see `isValidShiftExprShift`)). When handling any undefined behavior, it leaves the
+ * values unconstrained. From the C++ standard: "The behavior is undefined if the right
+ * operand is negative, or greater than or equal to the length in bits of the promoted
+ * left operand. The value of E1 >> E2 is E1 right-shifted E2 bit positions. If E1 has an
+ * unsigned type or if E1 has a signed type and a non-negative value, the value of the
+ * result is the integral part of the quotient of E1/2^E2. If E1 has a signed type and a
+ * negative value, the resulting value is implementation-defined."
+ */
+class ConstantRShiftExprRange extends SimpleRangeAnalysisExpr {
+  /**
+   * Holds for `a >> b` or `a >>= b` in one of the following two cases:
+   * 1. `a` is a constant and `b` is not
+   * 2. `b` is constant
+   *
+   * We don't handle the case where `a` and `b` are both non-constant values.
+   */
+  ConstantRShiftExprRange() {
+    getUnspecifiedType() instanceof IntegralType and
+    exists(Expr l, Expr r |
+      l = this.(RShiftExpr).getLeftOperand() and
+      r = this.(RShiftExpr).getRightOperand()
+      or
+      l = this.(AssignRShiftExpr).getLValue() and
+      r = this.(AssignRShiftExpr).getRValue()
+    |
+      l.getUnspecifiedType() instanceof IntegralType and
+      r.getUnspecifiedType() instanceof IntegralType and
+      (
+        // If the left operand is a constant, verify that the right operand is not a constant
+        exists(evaluateConstantExpr(l)) and not exists(evaluateConstantExpr(r))
+        or
+        // If the right operand is a constant, check if it is a valid shift expression
+        exists(float constROp |
+          constROp = evaluateConstantExpr(r) and isValidShiftExprShift(constROp, l)
+        )
+      )
+    )
+  }
+
+  Expr getLeftOperand() {
+    result = this.(RShiftExpr).getLeftOperand() or
+    result = this.(AssignRShiftExpr).getLValue()
+  }
+
+  Expr getRightOperand() {
+    result = this.(RShiftExpr).getRightOperand() or
+    result = this.(AssignRShiftExpr).getRValue()
+  }
+
+  override float getLowerBounds() {
+    exists(int lLower, int lUpper, int rLower, int rUpper |
+      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower <= lUpper and
+      rLower <= rUpper
+    |
+      if
+        lLower < 0
+        or
+        not (
+          isValidShiftExprShift(rLower, getLeftOperand()) and
+          isValidShiftExprShift(rUpper, getLeftOperand())
+        )
+      then
+        // We don't want to deal with shifting negative numbers at the moment,
+        // and a negative shift is implementation defined, so we set the result
+        // to the minimum value
+        result = exprMinVal(this)
+      else
+        // We can get the smallest value by shifting the smallest bound by the largest bound
+        result = lLower.bitShiftRight(rUpper)
+    )
+  }
+
+  override float getUpperBounds() {
+    exists(int lLower, int lUpper, int rLower, int rUpper |
+      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower <= lUpper and
+      rLower <= rUpper
+    |
+      if
+        lLower < 0
+        or
+        not (
+          isValidShiftExprShift(rLower, getLeftOperand()) and
+          isValidShiftExprShift(rUpper, getLeftOperand())
+        )
+      then
+        // We don't want to deal with shifting negative numbers at the moment,
+        // and a negative shift is implementation defined, so we set the result
+        // to the maximum value
+        result = exprMaxVal(this)
+      else
+        // We can get the largest value by shifting the largest bound by the smallest bound
+        result = lUpper.bitShiftRight(rLower)
+    )
+  }
+
+  override predicate dependsOnChild(Expr child) {
+    child = getLeftOperand() or child = getRightOperand()
+  }
+}
+
+/**
+ * A range analysis expression consisting of the `<<` or `<<=` operator when at least
+ * one operand is a constant (and if the right operand is a constant, it must be "valid"
+ * (see `isValidShiftExprShift`)). When handling any undefined behavior, it leaves the
+ * values unconstrained. From the C++ standard: "The behavior is undefined if the right
+ * operand is negative, or greater than or equal to the length in bits of the promoted left operand.
+ * The value of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are zero-filled. If E1
+ * has an unsigned type, the value of the result is E1 x 2 E2, reduced modulo one more than the
+ * maximum value representable in the result type. Otherwise, if E1 has a signed type and
+ * non-negative value, and E1 x 2 E2 is representable in the corresponding unsigned type of the
+ * result type, then that value, converted to the result type, is the resulting value; otherwise,
+ * the behavior is undefined."
+ */
+class ConstantLShiftExprRange extends SimpleRangeAnalysisExpr {
+  /**
+   * Holds for `a << b` or `a <<= b` in one of the following two cases:
+   * 1. `a` is a constant and `b` is not
+   * 2. `b` is constant
+   *
+   * We don't handle the case where `a` and `b` are both non-constant values.
+   */
+  ConstantLShiftExprRange() {
+    getUnspecifiedType() instanceof IntegralType and
+    exists(Expr l, Expr r |
+      l = this.(LShiftExpr).getLeftOperand() and
+      r = this.(LShiftExpr).getRightOperand()
+      or
+      l = this.(AssignLShiftExpr).getLValue() and
+      r = this.(AssignLShiftExpr).getRValue()
+    |
+      l.getUnspecifiedType() instanceof IntegralType and
+      r.getUnspecifiedType() instanceof IntegralType and
+      (
+        // If the left operand is a constant, verify that the right operand is not a constant
+        exists(evaluateConstantExpr(l)) and not exists(evaluateConstantExpr(r))
+        or
+        // If the right operand is a constant, check if it is a valid shift expression
+        exists(float constROp |
+          constROp = evaluateConstantExpr(r) and isValidShiftExprShift(constROp, l)
+        )
+      )
+    )
+  }
+
+  Expr getLeftOperand() {
+    result = this.(LShiftExpr).getLeftOperand() or
+    result = this.(AssignLShiftExpr).getLValue()
+  }
+
+  Expr getRightOperand() {
+    result = this.(LShiftExpr).getRightOperand() or
+    result = this.(AssignLShiftExpr).getRValue()
+  }
+
+  override float getLowerBounds() {
+    exists(int lLower, int lUpper, int rLower, int rUpper |
+      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower <= lUpper and
+      rLower <= rUpper
+    |
+      if
+        lLower < 0
+        or
+        not (
+          isValidShiftExprShift(rLower, getLeftOperand()) and
+          isValidShiftExprShift(rUpper, getLeftOperand())
+        )
+      then
+        // We don't want to deal with shifting negative numbers at the moment,
+        // and a negative shift is undefined, so we set to the minimum value
+        result = exprMinVal(this)
+      else
+        // If we have `0b01010000 << [0, 2]`, the max value for 8 bits is 0b10100000
+        // (a shift of 1) but doing a shift by the upper bound would give 0b01000000.
+        // So if the left shift operation causes an overflow, we just assume the max value
+        // If necessary, we may be able to improve this bound in the future
+        if canLShiftOverflow(lUpper, rUpper, exprMaxVal(this))
+        then result = exprMinVal(this)
+        else result = lLower.bitShiftLeft(rLower)
+    )
+  }
+
+  override float getUpperBounds() {
+    exists(int lLower, int lUpper, int rLower, int rUpper |
+      lLower = getFullyConvertedLowerBounds(getLeftOperand()) and
+      lUpper = getFullyConvertedUpperBounds(getLeftOperand()) and
+      rLower = getFullyConvertedLowerBounds(getRightOperand()) and
+      rUpper = getFullyConvertedUpperBounds(getRightOperand()) and
+      lLower <= lUpper and
+      rLower <= rUpper
+    |
+      if
+        lLower < 0
+        or
+        not (
+          isValidShiftExprShift(rLower, getLeftOperand()) and
+          isValidShiftExprShift(rUpper, getLeftOperand())
+        )
+      then
+        // We don't want to deal with shifting negative numbers at the moment,
+        // and a negative shift is undefined, so we set it to the maximum value
+        result = exprMaxVal(this)
+      else
+        // If we have `0b01010000 << [0, 2]`, the max value for 8 bits is 0b10100000
+        // (a shift of 1) but doing a shift by the upper bound would give 0b01000000.
+        // So if the left shift operation causes an overflow, we just assume the max value
+        // If necessary, we may be able to improve this bound in the future
+        if canLShiftOverflow(lUpper, rUpper, exprMaxVal(this))
+        then result = exprMaxVal(this)
+        else result = lUpper.bitShiftLeft(rUpper)
+    )
+  }
+
+  override predicate dependsOnChild(Expr child) {
+    child = getLeftOperand() or child = getRightOperand()
+  }
+}
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.5.1-dev
+version: 0.5.3-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -1487,6 +1487,10 @@ private module MkStage<StageSig PrevStage> {
      PrevStage::readStepCand(node1, _, _, config)
    }

+    bindingset[ap, c]
+    pragma[inline_late]
+    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
+
    pragma[nomagic]
    private predicate fwdFlowRead(
      Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
@@ -1494,7 +1498,7 @@ private module MkStage<StageSig PrevStage> {
    ) {
      fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
      PrevStage::readStepCand(node1, c, node2, config) and
-      getHeadContent(ap) = c
+      hasHeadContent(ap, c)
    }

    pragma[nomagic]
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -169,19 +169,11 @@ predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 */
 predicate modeledTaintStep(Operand nodeIn, Instruction nodeOut) {
  exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut |
-    (
-      nodeIn = callInput(call, modelIn)
-      or
-      exists(int n |
-        modelIn.isParameterDerefOrQualifierObject(n) and
-        if n = -1
-        then nodeIn = callInput(call, any(InQualifierObject inQualifier))
-        else nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
-      )
-    ) and
-    nodeOut = callOutput(call, modelOut) and
    call.getStaticCallTarget() = func and
    func.hasTaintFlow(modelIn, modelOut)
+  |
+    nodeIn = callInput(call, modelIn) and
+    nodeOut = callOutput(call, modelOut)
  )
  or
  // Taint flow from one argument to another and data flow from an argument to a
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
@@ -412,6 +412,9 @@ class CallTargetOperand extends RegisterOperand {
 */
 class ArgumentOperand extends RegisterOperand {
  override ArgumentOperandTag tag;
+
+  /** Gets the `CallInstruction` for which this is an argument. */
+  CallInstruction getCall() { result.getAnArgumentOperand() = this }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
@@ -412,6 +412,9 @@ class CallTargetOperand extends RegisterOperand {
 */
 class ArgumentOperand extends RegisterOperand {
  override ArgumentOperandTag tag;
+
+  /** Gets the `CallInstruction` for which this is an argument. */
+  CallInstruction getCall() { result.getAnArgumentOperand() = this }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
@@ -412,6 +412,9 @@ class CallTargetOperand extends RegisterOperand {
 */
 class ArgumentOperand extends RegisterOperand {
  override ArgumentOperandTag tag;
+
+  /** Gets the `CallInstruction` for which this is an argument. */
+  CallInstruction getCall() { result.getAnArgumentOperand() = this }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll
@@ -107,130 +107,34 @@ private FunctionInput getIteratorArgumentInput(Operator op, int index) {
  )
 }

-/**
- * A non-member prefix `operator*` function for an iterator type.
- */
-private class IteratorPointerDereferenceOperator extends Operator, TaintFunction,
-  IteratorReferenceFunction {
-  FunctionInput iteratorInput;
-
-  IteratorPointerDereferenceOperator() {
-    this.hasName("operator*") and
-    iteratorInput = getIteratorArgumentInput(this, 0)
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
-    output.isReturnValue()
-    or
-    input.isReturnValueDeref() and
-    output.isParameterDeref(0)
-  }
-}
-
 /**
 * A non-member `operator++` or `operator--` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and versions, use `IteratorCrementOperator`.
 */
-private class IteratorCrementOperator extends Operator, DataFlowFunction {
-  FunctionInput iteratorInput;
-
-  IteratorCrementOperator() {
+class IteratorCrementNonMemberOperator extends Operator {
+  IteratorCrementNonMemberOperator() {
    this.hasName(["operator++", "operator--"]) and
-    iteratorInput = getIteratorArgumentInput(this, 0)
-  }
-
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
-    output.isReturnValue()
-    or
-    input.isParameterDeref(0) and output.isReturnValueDeref()
-  }
-}
-
-/**
- * A non-member `operator+` function for an iterator type.
- */
-private class IteratorAddOperator extends Operator, TaintFunction {
-  FunctionInput iteratorInput;
-
-  IteratorAddOperator() {
-    this.hasName("operator+") and
-    iteratorInput = getIteratorArgumentInput(this, [0, 1])
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
-    output.isReturnValue()
-  }
-}
-
-/**
- * A non-member `operator-` function that takes a pointer difference type as its second argument.
- */
-private class IteratorSubOperator extends Operator, TaintFunction {
-  FunctionInput iteratorInput;
-
-  IteratorSubOperator() {
-    this.hasName("operator-") and
-    iteratorInput = getIteratorArgumentInput(this, 0) and
-    this.getParameter(1).getUnspecifiedType() instanceof IntegralType // not an iterator difference
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input = iteratorInput and
-    output.isReturnValue()
-  }
-}
-
-/**
- * A non-member `operator+=` or `operator-=` function for an iterator type.
- */
-class IteratorAssignArithmeticOperator extends Operator {
-  IteratorAssignArithmeticOperator() {
-    this.hasName(["operator+=", "operator-="]) and
    exists(getIteratorArgumentInput(this, 0))
  }
 }

-private class IteratorAssignArithmeticOperatorModel extends IteratorAssignArithmeticOperator,
-  DataFlowFunction, TaintFunction {
+private class IteratorCrementNonMemberOperatorModel extends IteratorCrementNonMemberOperator,
+  DataFlowFunction {
  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameter(0) and
+    input = getIteratorArgumentInput(this, 0) and
    output.isReturnValue()
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    or
    input.isParameterDeref(0) and output.isReturnValueDeref()
-    or
-    // reverse flow from returned reference to the object referenced by the first parameter
-    input.isReturnValueDeref() and
-    output.isParameterDeref(0)
-    or
-    input.isParameterDeref(1) and
-    output.isParameterDeref(0)
-  }
-}
-
-/**
- * A prefix `operator*` member function for an iterator type.
- */
-class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction,
-  IteratorReferenceFunction {
-  IteratorPointerDereferenceMemberOperator() {
-    this.getClassAndName("operator*") instanceof Iterator
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValue()
-    or
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
  }
 }

 /**
 * An `operator++` or `operator--` member function for an iterator type.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorCrementOperator`.
 */
 class IteratorCrementMemberOperator extends MemberFunction {
  IteratorCrementMemberOperator() {
@@ -258,25 +162,49 @@ private class IteratorCrementMemberOperatorModel extends IteratorCrementMemberOp
 }

 /**
- * A member `operator->` function for an iterator type.
+ * A (member or non-member) `operator++` or `operator--` function for an iterator type.
 */
-private class IteratorFieldMemberOperator extends Operator, TaintFunction {
-  IteratorFieldMemberOperator() { this.getClassAndName("operator->") instanceof Iterator }
+class IteratorCrementOperator extends Function {
+  IteratorCrementOperator() {
+    this instanceof IteratorCrementNonMemberOperator or
+    this instanceof IteratorCrementMemberOperator
+  }
+}

+/**
+ * A non-member `operator+` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorBinaryAddOperator`.
+ */
+class IteratorAddNonMemberOperator extends Operator {
+  IteratorAddNonMemberOperator() {
+    this.hasName("operator+") and
+    exists(getIteratorArgumentInput(this, [0, 1]))
+  }
+}
+
+private class IteratorAddNonMemberOperatorModel extends IteratorAddNonMemberOperator, TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
+    input = getIteratorArgumentInput(this, [0, 1]) and
    output.isReturnValue()
  }
 }

 /**
 * An `operator+` or `operator-` member function of an iterator class.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorBinaryAddOperator`.
 */
-private class IteratorBinaryArithmeticMemberOperator extends MemberFunction, TaintFunction {
+class IteratorBinaryArithmeticMemberOperator extends MemberFunction {
  IteratorBinaryArithmeticMemberOperator() {
    this.getClassAndName(["operator+", "operator-"]) instanceof Iterator
  }
+}

+private class IteratorBinaryArithmeticMemberOperatorModel extends IteratorBinaryArithmeticMemberOperator,
+  TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    input.isQualifierObject() and
    output.isReturnValue()
@@ -284,14 +212,84 @@ private class IteratorBinaryArithmeticMemberOperator extends MemberFunction, Tai
 }

 /**
- * An `operator+=` or `operator-=` member function of an iterator class.
+ * A (member or non-member) `operator+` or `operator-` function for an iterator type.
 */
-private class IteratorAssignArithmeticMemberOperator extends MemberFunction, DataFlowFunction,
-  TaintFunction {
+class IteratorBinaryArithmeticOperator extends Function {
+  IteratorBinaryArithmeticOperator() {
+    this instanceof IteratorAddNonMemberOperator or
+    this instanceof IteratorSubNonMemberOperator or
+    this instanceof IteratorBinaryArithmeticMemberOperator
+  }
+}
+
+/**
+ * A non-member `operator-` function that takes a pointer difference type as its second argument.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorBinaryArithmeticOperator` (which also
+ * includes `operator+` versions).
+ */
+class IteratorSubNonMemberOperator extends Operator {
+  IteratorSubNonMemberOperator() {
+    this.hasName("operator-") and
+    exists(getIteratorArgumentInput(this, 0)) and
+    this.getParameter(1).getUnspecifiedType() instanceof IntegralType // not an iterator difference
+  }
+}
+
+private class IteratorSubOperatorModel extends IteratorSubNonMemberOperator, TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input = getIteratorArgumentInput(this, 0) and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * A non-member `operator+=` or `operator-=` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorAssignArithmeticOperator`.
+ */
+class IteratorAssignArithmeticNonMemberOperator extends Operator {
+  IteratorAssignArithmeticNonMemberOperator() {
+    this.hasName(["operator+=", "operator-="]) and
+    exists(getIteratorArgumentInput(this, 0))
+  }
+}
+
+private class IteratorAssignArithmeticNonMemberOperatorModel extends IteratorAssignArithmeticNonMemberOperator,
+  DataFlowFunction, TaintFunction {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameter(0) and
+    output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref(0) and output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the object referenced by the first parameter
+    input.isReturnValueDeref() and
+    output.isParameterDeref(0)
+    or
+    (input.isParameter(1) or input.isParameterDeref(1)) and
+    output.isParameterDeref(0)
+  }
+}
+
+/**
+ * An `operator+=` or `operator-=` member function of an iterator class.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorAssignArithmeticOperator`.
+ */
+class IteratorAssignArithmeticMemberOperator extends MemberFunction {
  IteratorAssignArithmeticMemberOperator() {
    this.getClassAndName(["operator+=", "operator-="]) instanceof Iterator
  }
+}

+private class IteratorAssignArithmeticMemberOperatorModel extends IteratorAssignArithmeticMemberOperator,
+  DataFlowFunction, TaintFunction {
  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
    input.isQualifierAddress() and
    output.isReturnValue()
@@ -305,11 +303,88 @@ private class IteratorAssignArithmeticMemberOperator extends MemberFunction, Dat
    input.isReturnValueDeref() and
    output.isQualifierObject()
    or
-    input.isParameterDeref(0) and
+    (input.isParameter(0) or input.isParameterDeref(0)) and
    output.isQualifierObject()
  }
 }

+/**
+ * A (member or non-member) `operator+=` or `operator-=` function for an iterator type.
+ */
+class IteratorAssignArithmeticOperator extends Function {
+  IteratorAssignArithmeticOperator() {
+    this instanceof IteratorAssignArithmeticNonMemberOperator or
+    this instanceof IteratorAssignArithmeticMemberOperator
+  }
+}
+
+/**
+ * A prefix `operator*` member function for an iterator type.
+ *
+ * Note that this class _only_ matches member functions. To find both
+ * non-member and member versions, use `IteratorPointerDereferenceOperator`.
+ */
+class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction,
+  IteratorReferenceFunction {
+  IteratorPointerDereferenceMemberOperator() {
+    this.getClassAndName("operator*") instanceof Iterator
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+    or
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * A non-member prefix `operator*` function for an iterator type.
+ *
+ * Note that this class _only_ matches non-member functions. To find both
+ * non-member and member versions, use `IteratorPointerDereferenceOperator`.
+ */
+class IteratorPointerDereferenceNonMemberOperator extends Operator, IteratorReferenceFunction {
+  IteratorPointerDereferenceNonMemberOperator() {
+    this.hasName("operator*") and
+    exists(getIteratorArgumentInput(this, 0))
+  }
+}
+
+private class IteratorPointerDereferenceNonMemberOperatorModel extends IteratorPointerDereferenceNonMemberOperator,
+  TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input = getIteratorArgumentInput(this, 0) and
+    output.isReturnValue()
+    or
+    input.isReturnValueDeref() and
+    output.isParameterDeref(0)
+  }
+}
+
+/**
+ * A (member or non-member) prefix `operator*` function for an iterator type.
+ */
+class IteratorPointerDereferenceOperator extends Function {
+  IteratorPointerDereferenceOperator() {
+    this instanceof IteratorPointerDereferenceNonMemberOperator or
+    this instanceof IteratorPointerDereferenceMemberOperator
+  }
+}
+
+/**
+ * A member `operator->` function for an iterator type.
+ */
+private class IteratorFieldMemberOperator extends Operator, TaintFunction {
+  IteratorFieldMemberOperator() { this.getClassAndName("operator->") instanceof Iterator }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
 /**
 * An `operator[]` member function of an iterator class.
 */
@@ -326,17 +401,24 @@ private class IteratorArrayMemberOperator extends MemberFunction, TaintFunction,
 /**
 * An `operator=` member function of an iterator class that is not a copy or move assignment
 * operator.
- *
- * The `hasTaintFlow` override provides flow through output iterators that return themselves with
- * `operator*` and use their own `operator=` to assign to the container.
 */
-private class IteratorAssignmentMemberOperator extends MemberFunction, TaintFunction {
+class IteratorAssignmentMemberOperator extends MemberFunction {
  IteratorAssignmentMemberOperator() {
    this.getClassAndName("operator=") instanceof Iterator and
    not this instanceof CopyAssignmentOperator and
    not this instanceof MoveAssignmentOperator
  }
+}

+/**
+ * An `operator=` member function of an iterator class that is not a copy or move assignment
+ * operator.
+ *
+ * The `hasTaintFlow` override provides flow through output iterators that return themselves with
+ * `operator*` and use their own `operator=` to assign to the container.
+ */
+private class IteratorAssignmentMemberOperatorModel extends IteratorAssignmentMemberOperator,
+  TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    input.isParameterDeref(0) and
    output.isQualifierObject()
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdSet.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdSet.qll
@@ -27,7 +27,12 @@ private class StdSetConstructor extends Constructor, TaintFunction {

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // taint flow from any parameter of an iterator type to the qualifier
-    input.isParameterDeref(this.getAnIteratorParameterIndex()) and
+    (
+      // AST dataflow doesn't have indirection for iterators.
+      // Once we deprecate AST dataflow we can delete this first disjunct.
+      input.isParameter(this.getAnIteratorParameterIndex()) or
+      input.isParameterDeref(this.getAnIteratorParameterIndex())
+    ) and
    (
      output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
      or
@@ -45,7 +50,12 @@ private class StdSetInsert extends TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from last parameter to qualifier and return value
    // (where the return value is a pair, this should really flow just to the first part of it)
-    input.isParameterDeref(this.getNumberOfParameters() - 1) and
+    (
+      // AST dataflow doesn't have indirection for iterators.
+      // Once we deprecate AST dataflow we can delete this first disjunct.
+      input.isParameter(this.getNumberOfParameters() - 1) or
+      input.isParameterDeref(this.getNumberOfParameters() - 1)
+    ) and
    (
      output.isQualifierObject() or
      output.isReturnValue()
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
@@ -38,8 +38,7 @@ private class StdBasicStringIterator extends Iterator, Type {
 */
 abstract private class StdStringTaintFunction extends TaintFunction {
  /**
-   * Gets the index of a parameter to this function that is a string (or
-   * character).
+   * Gets the index of a parameter to this function that is a string.
   */
  final int getAStringParameterIndex() {
    exists(Type paramType | paramType = this.getParameter(result).getUnspecifiedType() |
@@ -50,7 +49,14 @@ abstract private class StdStringTaintFunction extends TaintFunction {
      paramType instanceof ReferenceType and
      not paramType.(ReferenceType).getBaseType() =
        this.getDeclaringType().getTemplateArgument(2).(Type).getUnspecifiedType()
-      or
+    )
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is a character.
+   */
+  final int getACharParameterIndex() {
+    exists(Type paramType | paramType = this.getParameter(result).getUnspecifiedType() |
      // i.e. `std::basic_string::CharT`
      paramType = this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType()
    )
@@ -79,6 +85,7 @@ private class StdStringConstructor extends Constructor, StdStringTaintFunction {
    // taint flow from any parameter of the value type to the returned object
    (
      input.isParameterDeref(this.getAStringParameterIndex()) or
+      input.isParameter(this.getACharParameterIndex()) or
      input.isParameter(this.getAnIteratorParameterIndex())
    ) and
    (
@@ -128,7 +135,7 @@ private class StdStringPush extends StdStringTaintFunction {

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from parameter to qualifier
-    input.isParameterDeref(0) and
+    input.isParameter(0) and
    output.isQualifierObject()
  }
 }
@@ -180,6 +187,7 @@ private class StdStringAppend extends StdStringTaintFunction {
    (
      input.isQualifierObject() or
      input.isParameterDeref(this.getAStringParameterIndex()) or
+      input.isParameter(this.getACharParameterIndex()) or
      input.isParameter(this.getAnIteratorParameterIndex())
    ) and
    (
@@ -210,6 +218,7 @@ private class StdStringInsert extends StdStringTaintFunction {
    (
      input.isQualifierObject() or
      input.isParameterDeref(this.getAStringParameterIndex()) or
+      input.isParameter(this.getACharParameterIndex()) or
      input.isParameter(this.getAnIteratorParameterIndex())
    ) and
    (
@@ -236,6 +245,7 @@ private class StdStringAssign extends StdStringTaintFunction {
    // flow from parameter to string itself (qualifier) and return value
    (
      input.isParameterDeref(this.getAStringParameterIndex()) or
+      input.isParameter(this.getACharParameterIndex()) or
      input.isParameter(this.getAnIteratorParameterIndex())
    ) and
    (
--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll
@@ -158,11 +158,10 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    exists(int arg |
-      (
-        arg = getFormatParameterIndex() or
-        arg >= getFirstFormatArgumentIndex()
-      ) and
-      input.isParameterDeref(arg) and
+      arg = getFormatParameterIndex() or
+      arg >= getFirstFormatArgumentIndex()
+    |
+      (input.isParameterDeref(arg) or input.isParameter(arg)) and
      output.isParameterDeref(getOutputParameterIndex(_))
    )
  }
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 0.5.2
+
+No user-facing changes.
+
+## 0.5.1
+
+### Minor Analysis Improvements
+
+* The `cpp/no-space-for-terminator` and `cpp/uncontrolled-allocation-size` queries have been enhanced with heuristic detection of allocations. These queries now find more results.
+
 ## 0.5.0

 ### Minor Analysis Improvements
--- a/cpp/ql/src/Critical/MissingCheckScanf.ql
+++ b/cpp/ql/src/Critical/MissingCheckScanf.ql
@@ -100,7 +100,7 @@ private predicate fwdFlow(Instruction instr, ValueNumber vn) {
 */
 pragma[nomagic]
 predicate revFlow(Instruction instr, ValueNumber vn) {
-  fwdFlow(instr, vn) and
+  fwdFlow(instr, pragma[only_bind_out](vn)) and
  (
    isSink(instr, _, vn)
    or
@@ -126,7 +126,7 @@ class Node extends MkNode {

  final string toString() { result = instr.toString() }

-  final Node getASuccessor() { result = MkNode(instr.getASuccessor(), vn) }
+  final Node getASuccessor() { result = MkNode(pragma[only_bind_out](instr.getASuccessor()), vn) }

  final Location getLocation() { result = instr.getLocation() }
 }
@@ -167,7 +167,7 @@ predicate hasFlow(
 ) {
  exists(ValueNumber vn |
    isSource(call, index, source, vn, _) and
-    hasFlow(getNode(source, vn), getNode(sink, vn)) and
+    hasFlow(getNode(source, pragma[only_bind_into](vn)), getNode(sink, pragma[only_bind_into](vn))) and
    isSink(sink, access, vn)
  )
 }
--- a/cpp/ql/src/change-notes/2023-01-05-heuristic-allocations.md
+++ b/cpp/ql/src/change-notes/2023-01-05-heuristic-allocations.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 0.5.1
+
+### Minor Analysis Improvements
+
 * The `cpp/no-space-for-terminator` and `cpp/uncontrolled-allocation-size` queries have been enhanced with heuristic detection of allocations. These queries now find more results.
--- a/cpp/ql/src/change-notes/released/0.5.2.md
+++ b/cpp/ql/src/change-notes/released/0.5.2.md
@@ -0,0 +1,3 @@
+## 0.5.2
+
+No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.0
+lastReleaseVersion: 0.5.2
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.5.1-dev
+version: 0.5.3-dev
 groups: 
  - cpp
  - queries
--- a/cpp/ql/test/experimental/library-tests/rangeanalysis/bitshift/BitShiftRange.expected
+++ b/cpp/ql/test/experimental/library-tests/rangeanalysis/bitshift/BitShiftRange.expected
@@ -0,0 +1,44 @@
+| bitshift.cpp:23:3:23:9 | ... <<= ... | 0.0 | 255.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int |
+| bitshift.cpp:25:5:25:11 | ... <<= ... | 0.0 | 240.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int |
+| bitshift.cpp:29:3:29:8 | ... << ... | 0.0 | 1020.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:32:3:32:9 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:35:3:35:9 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:38:3:38:22 | ... << ... | 0.0 | 32640.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:39:3:39:22 | ... << ... | 0.0 | 32640.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:40:3:40:22 | ... << ... | 0.0 | 32640.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:43:3:43:19 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:46:3:46:22 | ... << ... | 128.0 | 128.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:49:3:49:8 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:52:5:52:10 | ... << ... | 1.0 | 128.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:57:3:57:8 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:58:3:58:9 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:59:3:59:9 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:60:3:60:22 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:61:3:61:19 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:64:3:64:19 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:67:3:67:8 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:70:5:70:10 | ... << ... | 1.0 | 128.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:75:5:75:10 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:76:5:76:10 | ... << ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:90:3:90:9 | ... >>= ... | 0.0 | 63.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int |
+| bitshift.cpp:92:5:92:11 | ... >>= ... | 0.0 | 15.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int |
+| bitshift.cpp:96:3:96:8 | ... >> ... | 0.0 | 63.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:99:3:99:9 | ... >> ... | 0.0 | 0.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:103:3:103:9 | ... >> ... | 0.0 | 0.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:106:3:106:22 | ... >> ... | 0.0 | 63.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:107:3:107:22 | ... >> ... | 0.0 | 63.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:108:3:108:22 | ... >> ... | 0.0 | 63.0 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:111:3:111:19 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:114:3:114:24 | ... >> ... | 32.0 | 32.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:117:3:117:10 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:120:5:120:12 | ... >> ... | 32.0 | 128.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:126:3:126:8 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:127:3:127:9 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:128:3:128:9 | ... >> ... | -1.0 | 0.0 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:129:3:129:22 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:130:3:130:19 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:133:3:133:21 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:136:3:136:10 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:139:5:139:12 | ... >> ... | 32.0 | 128.0 | file://:0:0:0:0 | int | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:144:5:144:10 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | signed char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
+| bitshift.cpp:145:5:145:10 | ... >> ... | -2.147483648E9 | 2.147483647E9 | file://:0:0:0:0 | signed char | file://:0:0:0:0 | unsigned char | file://:0:0:0:0 | int | file://:0:0:0:0 | int |
--- a/cpp/ql/test/experimental/library-tests/rangeanalysis/bitshift/BitShiftRange.ql
+++ b/cpp/ql/test/experimental/library-tests/rangeanalysis/bitshift/BitShiftRange.ql
@@ -0,0 +1,24 @@
+import cpp
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import experimental.semmle.code.cpp.rangeanalysis.extensions.ConstantShiftExprRange
+
+Expr getLOp(Operation o) {
+  result = o.(BinaryOperation).getLeftOperand() or
+  result = o.(Assignment).getLValue()
+}
+
+Expr getROp(Operation o) {
+  result = o.(BinaryOperation).getRightOperand() or
+  result = o.(Assignment).getRValue()
+}
+
+from Operation o
+where
+  (
+    o instanceof BinaryBitwiseOperation
+    or
+    o instanceof AssignBitwiseOperation
+  )
+select o, lowerBound(o), upperBound(o), getLOp(o).getUnderlyingType(),
+  getROp(o).getUnderlyingType(), getLOp(o).getFullyConverted().getUnderlyingType(),
+  getROp(o).getFullyConverted().getUnderlyingType()
--- a/cpp/ql/test/experimental/library-tests/rangeanalysis/bitshift/bitshift.cpp
+++ b/cpp/ql/test/experimental/library-tests/rangeanalysis/bitshift/bitshift.cpp
@@ -0,0 +1,147 @@
+typedef signed char int8_t;
+typedef short int16_t;
+typedef int int32_t;
+typedef long int64_t;
+
+typedef unsigned char uint8_t;
+typedef unsigned short uint16_t;
+typedef unsigned int uint32_t;
+typedef unsigned long uint64_t;
+
+extern uint8_t value_known_at_runtime8();
+
+void testLShiftOperator() {
+  uint8_t unsigned_const1 = 7;
+  uint8_t unsigned_const2(7);
+  uint8_t unsigned_const3{7};
+  int8_t signed_const = -7;
+  uint8_t x = value_known_at_runtime8();
+  int8_t y = (int8_t)value_known_at_runtime8();
+  uint8_t z = value_known_at_runtime8();
+
+  // An assign left shift operator. Note that no promotion occurs here
+  z <<= 2;  // [0, 255]
+  if (z <= 60) {
+    z <<= 2;  // [0, 240]
+  }
+
+  // A normal shift
+  x << 2;  // [0, 1020]
+
+  // Possible to exceed the maximum size
+  x << 25;  // [-2147483648, 2147483648]
+
+  // Undefined behavior
+  x << 34;  // [-2147483648, 2147483648]
+
+  // A normal shift by a constant in a variable
+  x << unsigned_const1;  // [0, 32640]
+  x << unsigned_const2;  // [0, 32640]
+  x << unsigned_const3;  // [0, 32640]
+
+  // Negative shifts are undefined
+  x << signed_const;  // [-2147483648, 2147483648]
+
+  // Now the left operand is a constant
+  1 << unsigned_const1;  // [128, 128]
+
+  // x could be large enough to cause undefined behavior
+  1 << x;  // [-2147483648, 2147483647]
+  if (x < 8) {
+    // x is now constrained so the shift is defined
+    1 << x;  // [1, 128]
+  }
+
+  // We don't support shifting negative values (and some of these are undefined
+  // anyway)
+  y << 2;                // [-2147483648, 2147483647]
+  y << 25;               // [-2147483648, 2147483648]
+  y << 34;               // [-2147483648, 2147483648]
+  y << unsigned_const1;  // [-2147483648, 2147483647]
+  y << signed_const;     // [-2147483648, 2147483648]
+
+  // Negative shifts are undefined
+  1 << signed_const;  // [-2147483648, 2147483648]
+
+  // We don't handle cases where the shift range could be negative
+  1 << y;  // [-2147483648, 2147483648]
+  if (y >= 0 && y < 8) {
+    // The shift range is now positive
+    1 << y;  // [1, 128]
+  }
+
+  if (x > 0 and x < 2 and y > 0 and x < 2) {
+    // We don't support shifts where neither operand is a constant at the moment
+    x << y;  // [-2147483648, 2147483648]
+    y << x;  // [-2147483648, 2147483648]
+  }
+}
+
+void testRShiftOperator() {
+  uint8_t unsigned_const1 = 2;
+  uint8_t unsigned_const2(2);
+  uint8_t unsigned_const3{2};
+  int8_t signed_const = -2;
+  uint8_t x = value_known_at_runtime8();
+  int8_t y = (int8_t)value_known_at_runtime8();
+  uint8_t z = value_known_at_runtime8();
+
+  // An assign right shift operator. Note that no promotion occurs here
+  z >>= 2;  // [0, 63]
+  if (z <= 60) {
+    z >>= 2;  // [0, 15]
+  }
+
+  // A normal shift
+  x >> 2;  // [0, 63]
+
+  // Possible to exceed the maximum size
+  x >> 25;  // [0, 0]
+
+  // Undefined behavior, but this case is handled by the SimpleRangeAnalysis
+  // library and sets the the bounds to [0, 0], which is fine
+  x >> 34;  // [0, 0]
+
+  // A normal shift by a constant in a variable
+  x >> unsigned_const1;  // [0, 63]
+  x >> unsigned_const2;  // [0, 63]
+  x >> unsigned_const3;  // [0, 63]
+
+  // Negative shifts are undefined
+  x >> signed_const;  // [-2147483648, 2147483648]
+
+  // Now the left operand is a constant
+  128 >> unsigned_const1;  // [32, 32]
+
+  // x could be large enough to cause undefined behavior
+  128 >> x;  // [-2147483648, 2147483647]
+  if (x < 3) {
+    // x is now constrained so the shift is defined
+    128 >> x;  // [32, 128]
+  }
+
+  // We don't support shifting negative values, but the SimpleRangeAnalysis
+  // library handles the first three cases even though they're implementation
+  // defined or undefined behavior (TODO: Check ideone)
+  y >> 2;   // [-2147483648, 2147483647] (Default is [-32, 31])
+  y >> 25;  // -2147483648, 2147483647] (Default is [-1, 0])
+  y >> 34;  // [-1, 0] (My code doesn't touch this, so default code is used)
+  y >> unsigned_const1;  // [-2147483648, 2147483647]
+  y >> signed_const;     // [-2147483648, 2147483648]
+
+  // Negative shifts are undefined
+  128 >> signed_const;  // [-2147483648, 2147483648]
+
+  // We don't handle cases where the shift range could be negative
+  128 >> y;  // [-2147483648, 2147483648]
+  if (y >= 0 && y < 3) {
+    // The shift range is now positive
+    128 >> y;  // [32, 128]
+  }
+
+  if (x > 0 and x < 2 and y > 0 and x < 2) {
+    // We don't support shifts where neither operand is a constant at the moment
+    x >> y;  // [-2147483648, 2147483648]
+    y >> x;  // [-2147483648, 2147483648]
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
@@ -92,6 +92,12 @@ postWithInFlow
 | test.cpp:499:3:499:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:499:4:499:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:505:35:505:35 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:511:5:511:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:511:6:511:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:516:5:516:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:516:6:516:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:522:25:522:25 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:526:25:526:25 | y [inner post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
@@ -591,6 +591,18 @@ postWithInFlow
 | test.cpp:505:34:505:35 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:505:34:505:35 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:505:35:505:35 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:511:5:511:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:511:6:511:6 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:511:6:511:6 | p [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:516:5:516:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:516:6:516:6 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:516:6:516:6 | p [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:522:24:522:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:522:24:522:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:522:25:522:25 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:526:24:526:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:526:24:526:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:526:25:526:25 | y [post update] | PostUpdateNode should not be the target of local flow. |
 | true_upon_entry.cpp:9:7:9:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | true_upon_entry.cpp:10:12:10:12 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | true_upon_entry.cpp:10:27:10:27 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -505,3 +505,24 @@ void viaOutparamMissingReturn() {
  intOutparamSourceMissingReturn(&x);
  sink(x); // $ ast,ir
 }
+
+void sink_then_source_1(int* p) {
+    sink(*p); // clean
+    *p = source();
+}
+
+void sink_then_source_2(int* p, int y) {
+    sink(y); // $ SPURIOUS: ast
+    *p = source();
+}
+
+void test_sink_then_source() {
+  {
+    int x;
+    sink_then_source_1(&x);
+  }
+  {
+    int y;
+    sink_then_source_2(&y, y);
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
@@ -34,3 +34,6 @@
 | test.cpp:441:7:441:11 | local | test.cpp:442:18:442:22 | local |
 | test.cpp:441:7:441:11 | local | test.cpp:443:8:443:12 | local |
 | test.cpp:441:7:441:11 | local | test.cpp:444:9:444:13 | local |
+| test.cpp:521:9:521:9 | x | test.cpp:522:25:522:25 | x |
+| test.cpp:525:9:525:9 | y | test.cpp:526:25:526:25 | y |
+| test.cpp:525:9:525:9 | y | test.cpp:526:28:526:28 | y |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3482,106 +3482,106 @@
 | smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:9:137:9 | call to operator* | TAINT |
 | smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 |  |
 | smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] |  |
-| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 |  |
-| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 |  |
-| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 |  |
-| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:42:14:42:20 | source1 |  |
-| standalone_iterators.cpp:40:11:40:17 | source1 | standalone_iterators.cpp:40:10:40:10 | call to operator* | TAINT |
-| standalone_iterators.cpp:41:12:41:18 | ref arg source1 | standalone_iterators.cpp:39:45:39:51 | source1 |  |
-| standalone_iterators.cpp:41:12:41:18 | ref arg source1 | standalone_iterators.cpp:42:14:42:20 | source1 |  |
-| standalone_iterators.cpp:41:12:41:18 | source1 | standalone_iterators.cpp:41:19:41:19 | call to operator++ |  |
-| standalone_iterators.cpp:41:19:41:19 | call to operator++ | standalone_iterators.cpp:41:10:41:10 | call to operator* | TAINT |
-| standalone_iterators.cpp:42:12:42:12 | call to operator++ | standalone_iterators.cpp:42:10:42:10 | call to operator* | TAINT |
-| standalone_iterators.cpp:42:14:42:20 | ref arg source1 | standalone_iterators.cpp:39:45:39:51 | source1 |  |
-| standalone_iterators.cpp:42:14:42:20 | source1 | standalone_iterators.cpp:42:12:42:12 | call to operator++ |  |
-| standalone_iterators.cpp:45:39:45:45 | source1 | standalone_iterators.cpp:45:39:45:45 | source1 |  |
-| standalone_iterators.cpp:45:39:45:45 | source1 | standalone_iterators.cpp:46:11:46:17 | source1 |  |
-| standalone_iterators.cpp:45:39:45:45 | source1 | standalone_iterators.cpp:47:12:47:18 | source1 |  |
-| standalone_iterators.cpp:45:39:45:45 | source1 | standalone_iterators.cpp:48:14:48:20 | source1 |  |
-| standalone_iterators.cpp:46:11:46:17 | source1 | standalone_iterators.cpp:46:10:46:10 | call to operator* | TAINT |
-| standalone_iterators.cpp:47:12:47:18 | ref arg source1 | standalone_iterators.cpp:45:39:45:45 | source1 |  |
-| standalone_iterators.cpp:47:12:47:18 | ref arg source1 | standalone_iterators.cpp:48:14:48:20 | source1 |  |
-| standalone_iterators.cpp:47:12:47:18 | source1 | standalone_iterators.cpp:47:19:47:19 | call to operator++ |  |
-| standalone_iterators.cpp:47:19:47:19 | call to operator++ | standalone_iterators.cpp:47:10:47:10 | call to operator* | TAINT |
-| standalone_iterators.cpp:48:12:48:12 | call to operator++ | standalone_iterators.cpp:48:10:48:10 | call to operator* | TAINT |
-| standalone_iterators.cpp:48:14:48:20 | ref arg source1 | standalone_iterators.cpp:45:39:45:45 | source1 |  |
-| standalone_iterators.cpp:48:14:48:20 | source1 | standalone_iterators.cpp:48:12:48:12 | call to operator++ |  |
-| standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:52:11:52:17 | source1 |  |
-| standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:53:12:53:18 | source1 |  |
-| standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:54:14:54:20 | source1 |  |
-| standalone_iterators.cpp:53:12:53:18 | ref arg source1 | standalone_iterators.cpp:54:14:54:20 | source1 |  |
-| standalone_iterators.cpp:83:15:83:16 | call to container | standalone_iterators.cpp:85:35:85:36 | c1 |  |
-| standalone_iterators.cpp:83:15:83:16 | call to container | standalone_iterators.cpp:87:10:87:11 | c1 |  |
-| standalone_iterators.cpp:83:19:83:20 | call to container | standalone_iterators.cpp:89:35:89:36 | c2 |  |
-| standalone_iterators.cpp:83:19:83:20 | call to container | standalone_iterators.cpp:91:10:91:11 | c2 |  |
-| standalone_iterators.cpp:85:35:85:36 | c1 | standalone_iterators.cpp:85:38:85:42 | call to begin | TAINT |
-| standalone_iterators.cpp:85:35:85:36 | ref arg c1 | standalone_iterators.cpp:87:10:87:11 | c1 |  |
-| standalone_iterators.cpp:85:38:85:42 | call to begin | standalone_iterators.cpp:86:6:86:7 | i1 |  |
-| standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | TAINT |
-| standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:87:10:87:11 | c1 |  |
-| standalone_iterators.cpp:86:6:86:7 | i1 | standalone_iterators.cpp:86:8:86:8 | call to operator-- |  |
-| standalone_iterators.cpp:86:8:86:8 | call to operator-- | standalone_iterators.cpp:86:5:86:5 | call to operator* | TAINT |
-| standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | standalone_iterators.cpp:86:6:86:7 | ref arg i1 |  |
-| standalone_iterators.cpp:86:13:86:18 | call to source | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | TAINT |
-| standalone_iterators.cpp:89:35:89:36 | c2 | standalone_iterators.cpp:89:38:89:42 | call to begin | TAINT |
-| standalone_iterators.cpp:89:35:89:36 | ref arg c2 | standalone_iterators.cpp:91:10:91:11 | c2 |  |
-| standalone_iterators.cpp:89:38:89:42 | call to begin | standalone_iterators.cpp:90:6:90:7 | i2 |  |
-| standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | TAINT |
-| standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:91:10:91:11 | c2 |  |
-| standalone_iterators.cpp:90:6:90:7 | i2 | standalone_iterators.cpp:90:8:90:8 | call to operator-- |  |
-| standalone_iterators.cpp:90:8:90:8 | call to operator-- | standalone_iterators.cpp:90:5:90:5 | call to operator* | TAINT |
-| standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:6:90:7 | ref arg i2 |  |
-| standalone_iterators.cpp:90:13:90:13 | 0 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | TAINT |
-| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:101:6:101:7 | c1 |  |
-| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:102:6:102:7 | c1 |  |
-| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:106:6:106:7 | c1 |  |
-| standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:109:7:109:8 | c1 |  |
-| standalone_iterators.cpp:101:6:101:7 | c1 | standalone_iterators.cpp:101:9:101:13 | call to begin | TAINT |
-| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:102:6:102:7 | c1 |  |
-| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:106:6:106:7 | c1 |  |
-| standalone_iterators.cpp:101:6:101:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 |  |
-| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:101:2:101:15 | ... = ... |  |
-| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:103:3:103:3 | a |  |
-| standalone_iterators.cpp:101:9:101:13 | call to begin | standalone_iterators.cpp:104:7:104:7 | a |  |
-| standalone_iterators.cpp:102:6:102:7 | c1 | standalone_iterators.cpp:102:9:102:13 | call to begin | TAINT |
-| standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:106:6:106:7 | c1 |  |
-| standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 |  |
-| standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:102:2:102:15 | ... = ... |  |
-| standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:107:7:107:7 | b |  |
-| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | ref arg a | TAINT |
-| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:106:6:106:7 | c1 |  |
-| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:109:7:109:8 | c1 |  |
-| standalone_iterators.cpp:103:3:103:3 | a | standalone_iterators.cpp:103:2:103:2 | call to operator* | TAINT |
-| standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:104:7:104:7 | a |  |
-| standalone_iterators.cpp:103:7:103:12 | call to source | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | TAINT |
-| standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:106:6:106:7 | c1 |  |
-| standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:109:7:109:8 | c1 |  |
-| standalone_iterators.cpp:106:6:106:7 | c1 | standalone_iterators.cpp:106:9:106:13 | call to begin | TAINT |
-| standalone_iterators.cpp:106:6:106:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 |  |
-| standalone_iterators.cpp:106:9:106:13 | call to begin | standalone_iterators.cpp:106:2:106:15 | ... = ... |  |
-| standalone_iterators.cpp:106:9:106:13 | call to begin | standalone_iterators.cpp:108:7:108:7 | c |  |
-| standalone_iterators.cpp:107:7:107:7 | b [post update] | standalone_iterators.cpp:109:7:109:8 | c1 |  |
-| standalone_iterators.cpp:108:7:108:7 | c [post update] | standalone_iterators.cpp:109:7:109:8 | c1 |  |
-| standalone_iterators.cpp:113:15:113:16 | call to container | standalone_iterators.cpp:116:7:116:8 | c1 |  |
-| standalone_iterators.cpp:113:15:113:16 | call to container | standalone_iterators.cpp:122:7:122:8 | c1 |  |
-| standalone_iterators.cpp:116:7:116:8 | c1 | standalone_iterators.cpp:116:10:116:14 | call to begin | TAINT |
-| standalone_iterators.cpp:116:7:116:8 | ref arg c1 | standalone_iterators.cpp:122:7:122:8 | c1 |  |
-| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:116:2:116:16 | ... = ... |  |
-| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:117:7:117:8 | it |  |
-| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:118:2:118:3 | it |  |
-| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:119:7:119:8 | it |  |
-| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:120:2:120:3 | it |  |
-| standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:121:7:121:8 | it |  |
-| standalone_iterators.cpp:117:7:117:8 | it [post update] | standalone_iterators.cpp:122:7:122:8 | c1 |  |
-| standalone_iterators.cpp:118:2:118:3 | it | standalone_iterators.cpp:118:5:118:5 | call to operator+= | TAINT |
-| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:119:7:119:8 | it |  |
-| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:120:2:120:3 | it |  |
-| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it |  |
-| standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:122:7:122:8 | c1 |  |
-| standalone_iterators.cpp:118:8:118:8 | 1 | standalone_iterators.cpp:118:2:118:3 | ref arg it | TAINT |
-| standalone_iterators.cpp:120:2:120:3 | it | standalone_iterators.cpp:120:5:120:5 | call to operator+= | TAINT |
-| standalone_iterators.cpp:120:2:120:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it |  |
-| standalone_iterators.cpp:120:8:120:13 | call to source | standalone_iterators.cpp:120:2:120:3 | ref arg it | TAINT |
+| standalone_iterators.cpp:43:45:43:51 | source1 | standalone_iterators.cpp:43:45:43:51 | source1 |  |
+| standalone_iterators.cpp:43:45:43:51 | source1 | standalone_iterators.cpp:44:11:44:17 | source1 |  |
+| standalone_iterators.cpp:43:45:43:51 | source1 | standalone_iterators.cpp:45:12:45:18 | source1 |  |
+| standalone_iterators.cpp:43:45:43:51 | source1 | standalone_iterators.cpp:46:14:46:20 | source1 |  |
+| standalone_iterators.cpp:44:11:44:17 | source1 | standalone_iterators.cpp:44:10:44:10 | call to operator* | TAINT |
+| standalone_iterators.cpp:45:12:45:18 | ref arg source1 | standalone_iterators.cpp:43:45:43:51 | source1 |  |
+| standalone_iterators.cpp:45:12:45:18 | ref arg source1 | standalone_iterators.cpp:46:14:46:20 | source1 |  |
+| standalone_iterators.cpp:45:12:45:18 | source1 | standalone_iterators.cpp:45:19:45:19 | call to operator++ |  |
+| standalone_iterators.cpp:45:19:45:19 | call to operator++ | standalone_iterators.cpp:45:10:45:10 | call to operator* | TAINT |
+| standalone_iterators.cpp:46:12:46:12 | call to operator++ | standalone_iterators.cpp:46:10:46:10 | call to operator* | TAINT |
+| standalone_iterators.cpp:46:14:46:20 | ref arg source1 | standalone_iterators.cpp:43:45:43:51 | source1 |  |
+| standalone_iterators.cpp:46:14:46:20 | source1 | standalone_iterators.cpp:46:12:46:12 | call to operator++ |  |
+| standalone_iterators.cpp:49:39:49:45 | source1 | standalone_iterators.cpp:49:39:49:45 | source1 |  |
+| standalone_iterators.cpp:49:39:49:45 | source1 | standalone_iterators.cpp:50:11:50:17 | source1 |  |
+| standalone_iterators.cpp:49:39:49:45 | source1 | standalone_iterators.cpp:51:12:51:18 | source1 |  |
+| standalone_iterators.cpp:49:39:49:45 | source1 | standalone_iterators.cpp:52:14:52:20 | source1 |  |
+| standalone_iterators.cpp:50:11:50:17 | source1 | standalone_iterators.cpp:50:10:50:10 | call to operator* | TAINT |
+| standalone_iterators.cpp:51:12:51:18 | ref arg source1 | standalone_iterators.cpp:49:39:49:45 | source1 |  |
+| standalone_iterators.cpp:51:12:51:18 | ref arg source1 | standalone_iterators.cpp:52:14:52:20 | source1 |  |
+| standalone_iterators.cpp:51:12:51:18 | source1 | standalone_iterators.cpp:51:19:51:19 | call to operator++ |  |
+| standalone_iterators.cpp:51:19:51:19 | call to operator++ | standalone_iterators.cpp:51:10:51:10 | call to operator* | TAINT |
+| standalone_iterators.cpp:52:12:52:12 | call to operator++ | standalone_iterators.cpp:52:10:52:10 | call to operator* | TAINT |
+| standalone_iterators.cpp:52:14:52:20 | ref arg source1 | standalone_iterators.cpp:49:39:49:45 | source1 |  |
+| standalone_iterators.cpp:52:14:52:20 | source1 | standalone_iterators.cpp:52:12:52:12 | call to operator++ |  |
+| standalone_iterators.cpp:55:37:55:43 | source1 | standalone_iterators.cpp:56:11:56:17 | source1 |  |
+| standalone_iterators.cpp:55:37:55:43 | source1 | standalone_iterators.cpp:57:12:57:18 | source1 |  |
+| standalone_iterators.cpp:55:37:55:43 | source1 | standalone_iterators.cpp:58:14:58:20 | source1 |  |
+| standalone_iterators.cpp:57:12:57:18 | ref arg source1 | standalone_iterators.cpp:58:14:58:20 | source1 |  |
+| standalone_iterators.cpp:91:15:91:16 | call to container | standalone_iterators.cpp:93:35:93:36 | c1 |  |
+| standalone_iterators.cpp:91:15:91:16 | call to container | standalone_iterators.cpp:95:10:95:11 | c1 |  |
+| standalone_iterators.cpp:91:19:91:20 | call to container | standalone_iterators.cpp:97:35:97:36 | c2 |  |
+| standalone_iterators.cpp:91:19:91:20 | call to container | standalone_iterators.cpp:99:10:99:11 | c2 |  |
+| standalone_iterators.cpp:93:35:93:36 | c1 | standalone_iterators.cpp:93:38:93:42 | call to begin | TAINT |
+| standalone_iterators.cpp:93:35:93:36 | ref arg c1 | standalone_iterators.cpp:95:10:95:11 | c1 |  |
+| standalone_iterators.cpp:93:38:93:42 | call to begin | standalone_iterators.cpp:94:6:94:7 | i1 |  |
+| standalone_iterators.cpp:94:5:94:5 | ref arg call to operator* | standalone_iterators.cpp:94:8:94:8 | ref arg call to operator-- | TAINT |
+| standalone_iterators.cpp:94:5:94:5 | ref arg call to operator* | standalone_iterators.cpp:95:10:95:11 | c1 |  |
+| standalone_iterators.cpp:94:6:94:7 | i1 | standalone_iterators.cpp:94:8:94:8 | call to operator-- |  |
+| standalone_iterators.cpp:94:8:94:8 | call to operator-- | standalone_iterators.cpp:94:5:94:5 | call to operator* | TAINT |
+| standalone_iterators.cpp:94:8:94:8 | ref arg call to operator-- | standalone_iterators.cpp:94:6:94:7 | ref arg i1 |  |
+| standalone_iterators.cpp:94:13:94:18 | call to source | standalone_iterators.cpp:94:5:94:5 | ref arg call to operator* | TAINT |
+| standalone_iterators.cpp:97:35:97:36 | c2 | standalone_iterators.cpp:97:38:97:42 | call to begin | TAINT |
+| standalone_iterators.cpp:97:35:97:36 | ref arg c2 | standalone_iterators.cpp:99:10:99:11 | c2 |  |
+| standalone_iterators.cpp:97:38:97:42 | call to begin | standalone_iterators.cpp:98:6:98:7 | i2 |  |
+| standalone_iterators.cpp:98:5:98:5 | ref arg call to operator* | standalone_iterators.cpp:98:8:98:8 | ref arg call to operator-- | TAINT |
+| standalone_iterators.cpp:98:5:98:5 | ref arg call to operator* | standalone_iterators.cpp:99:10:99:11 | c2 |  |
+| standalone_iterators.cpp:98:6:98:7 | i2 | standalone_iterators.cpp:98:8:98:8 | call to operator-- |  |
+| standalone_iterators.cpp:98:8:98:8 | call to operator-- | standalone_iterators.cpp:98:5:98:5 | call to operator* | TAINT |
+| standalone_iterators.cpp:98:8:98:8 | ref arg call to operator-- | standalone_iterators.cpp:98:6:98:7 | ref arg i2 |  |
+| standalone_iterators.cpp:98:13:98:13 | 0 | standalone_iterators.cpp:98:5:98:5 | ref arg call to operator* | TAINT |
+| standalone_iterators.cpp:106:15:106:16 | call to container | standalone_iterators.cpp:109:6:109:7 | c1 |  |
+| standalone_iterators.cpp:106:15:106:16 | call to container | standalone_iterators.cpp:110:6:110:7 | c1 |  |
+| standalone_iterators.cpp:106:15:106:16 | call to container | standalone_iterators.cpp:114:6:114:7 | c1 |  |
+| standalone_iterators.cpp:106:15:106:16 | call to container | standalone_iterators.cpp:117:7:117:8 | c1 |  |
+| standalone_iterators.cpp:109:6:109:7 | c1 | standalone_iterators.cpp:109:9:109:13 | call to begin | TAINT |
+| standalone_iterators.cpp:109:6:109:7 | ref arg c1 | standalone_iterators.cpp:110:6:110:7 | c1 |  |
+| standalone_iterators.cpp:109:6:109:7 | ref arg c1 | standalone_iterators.cpp:114:6:114:7 | c1 |  |
+| standalone_iterators.cpp:109:6:109:7 | ref arg c1 | standalone_iterators.cpp:117:7:117:8 | c1 |  |
+| standalone_iterators.cpp:109:9:109:13 | call to begin | standalone_iterators.cpp:109:2:109:15 | ... = ... |  |
+| standalone_iterators.cpp:109:9:109:13 | call to begin | standalone_iterators.cpp:111:3:111:3 | a |  |
+| standalone_iterators.cpp:109:9:109:13 | call to begin | standalone_iterators.cpp:112:7:112:7 | a |  |
+| standalone_iterators.cpp:110:6:110:7 | c1 | standalone_iterators.cpp:110:9:110:13 | call to begin | TAINT |
+| standalone_iterators.cpp:110:6:110:7 | ref arg c1 | standalone_iterators.cpp:114:6:114:7 | c1 |  |
+| standalone_iterators.cpp:110:6:110:7 | ref arg c1 | standalone_iterators.cpp:117:7:117:8 | c1 |  |
+| standalone_iterators.cpp:110:9:110:13 | call to begin | standalone_iterators.cpp:110:2:110:15 | ... = ... |  |
+| standalone_iterators.cpp:110:9:110:13 | call to begin | standalone_iterators.cpp:115:7:115:7 | b |  |
+| standalone_iterators.cpp:111:2:111:2 | ref arg call to operator* | standalone_iterators.cpp:111:3:111:3 | ref arg a | TAINT |
+| standalone_iterators.cpp:111:2:111:2 | ref arg call to operator* | standalone_iterators.cpp:114:6:114:7 | c1 |  |
+| standalone_iterators.cpp:111:2:111:2 | ref arg call to operator* | standalone_iterators.cpp:117:7:117:8 | c1 |  |
+| standalone_iterators.cpp:111:3:111:3 | a | standalone_iterators.cpp:111:2:111:2 | call to operator* | TAINT |
+| standalone_iterators.cpp:111:3:111:3 | ref arg a | standalone_iterators.cpp:112:7:112:7 | a |  |
+| standalone_iterators.cpp:111:7:111:12 | call to source | standalone_iterators.cpp:111:2:111:2 | ref arg call to operator* | TAINT |
+| standalone_iterators.cpp:112:7:112:7 | a [post update] | standalone_iterators.cpp:114:6:114:7 | c1 |  |
+| standalone_iterators.cpp:112:7:112:7 | a [post update] | standalone_iterators.cpp:117:7:117:8 | c1 |  |
+| standalone_iterators.cpp:114:6:114:7 | c1 | standalone_iterators.cpp:114:9:114:13 | call to begin | TAINT |
+| standalone_iterators.cpp:114:6:114:7 | ref arg c1 | standalone_iterators.cpp:117:7:117:8 | c1 |  |
+| standalone_iterators.cpp:114:9:114:13 | call to begin | standalone_iterators.cpp:114:2:114:15 | ... = ... |  |
+| standalone_iterators.cpp:114:9:114:13 | call to begin | standalone_iterators.cpp:116:7:116:7 | c |  |
+| standalone_iterators.cpp:115:7:115:7 | b [post update] | standalone_iterators.cpp:117:7:117:8 | c1 |  |
+| standalone_iterators.cpp:116:7:116:7 | c [post update] | standalone_iterators.cpp:117:7:117:8 | c1 |  |
+| standalone_iterators.cpp:121:15:121:16 | call to container | standalone_iterators.cpp:124:7:124:8 | c1 |  |
+| standalone_iterators.cpp:121:15:121:16 | call to container | standalone_iterators.cpp:130:7:130:8 | c1 |  |
+| standalone_iterators.cpp:124:7:124:8 | c1 | standalone_iterators.cpp:124:10:124:14 | call to begin | TAINT |
+| standalone_iterators.cpp:124:7:124:8 | ref arg c1 | standalone_iterators.cpp:130:7:130:8 | c1 |  |
+| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:124:2:124:16 | ... = ... |  |
+| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:125:7:125:8 | it |  |
+| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:126:2:126:3 | it |  |
+| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:127:7:127:8 | it |  |
+| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:128:2:128:3 | it |  |
+| standalone_iterators.cpp:124:10:124:14 | call to begin | standalone_iterators.cpp:129:7:129:8 | it |  |
+| standalone_iterators.cpp:125:7:125:8 | it [post update] | standalone_iterators.cpp:130:7:130:8 | c1 |  |
+| standalone_iterators.cpp:126:2:126:3 | it | standalone_iterators.cpp:126:5:126:5 | call to operator+= | TAINT |
+| standalone_iterators.cpp:126:2:126:3 | ref arg it | standalone_iterators.cpp:127:7:127:8 | it |  |
+| standalone_iterators.cpp:126:2:126:3 | ref arg it | standalone_iterators.cpp:128:2:128:3 | it |  |
+| standalone_iterators.cpp:126:2:126:3 | ref arg it | standalone_iterators.cpp:129:7:129:8 | it |  |
+| standalone_iterators.cpp:126:2:126:3 | ref arg it | standalone_iterators.cpp:130:7:130:8 | c1 |  |
+| standalone_iterators.cpp:126:8:126:8 | 1 | standalone_iterators.cpp:126:2:126:3 | ref arg it | TAINT |
+| standalone_iterators.cpp:128:2:128:3 | it | standalone_iterators.cpp:128:5:128:5 | call to operator+= | TAINT |
+| standalone_iterators.cpp:128:2:128:3 | ref arg it | standalone_iterators.cpp:129:7:129:8 | it |  |
+| standalone_iterators.cpp:128:8:128:13 | call to source | standalone_iterators.cpp:128:2:128:3 | ref arg it | TAINT |
 | stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | constructor init of field container | TAINT |
 | stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | constructor init of field container | TAINT |
 | stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | container |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
@@ -27,6 +27,10 @@ public:
 template<>
 struct std::iterator_traits<int_iterator_by_trait> {
    typedef input_iterator_tag iterator_category;
+    typedef int value_type;
+    typedef size_t difference_type;
+    typedef int* pointer;
+    typedef int& reference;
 };

 class non_iterator {
@@ -69,6 +73,10 @@ public:
 template<>
 struct std::iterator_traits<insert_iterator_by_trait> {
    typedef output_iterator_tag iterator_category;
+    typedef int value_type;
+    typedef size_t difference_type;
+    typedef int* pointer;
+    typedef int& reference;
 };

 class container {
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c
@@ -168,4 +168,34 @@ int main(int argc, char **argv) {
 	int i10 = (int) argv[1];
 	printf((char *) i10);
 	printWrapper((char *) i10);
+
+	// BAD: b value comes from argv
+	{
+		char b[64];
+		char *bp = &b[0];
+		char *t;
+		if (0) {
+			t = 0;
+		} else {
+			t = bp;
+		}
+		memcpy(t, argv[1] + 1, 1);
+		printf(bp);
+		printWrapper(bp);
+	}
+
+	// BAD: b value comes from argv
+	{
+		char b[64];
+		char *bp = &b[0];
+		char *t;
+		if (1) {
+			t = ++bp;
+		} else {
+			t = 0;
+		}
+		memcpy(t, argv[1] + 1, 1);
+		printf(bp);
+		printWrapper(bp);
+	}
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
@@ -260,6 +260,30 @@ edges
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | (const char *)... |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | (const char *)... |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | bp |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | bp |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | bp indirection |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | bp indirection |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp indirection |
+| argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp indirection |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | (const char *)... |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | (const char *)... |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | bp |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | bp |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | bp indirection |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | bp indirection |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp indirection |
+| argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp indirection |
 subpaths
 | argvLocal.c:102:15:102:16 | i1 indirection | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | ReturnIndirection | argvLocal.c:102:15:102:16 | printWrapper output argument |
 | argvLocal.c:107:15:107:19 | access to array indirection | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | ReturnIndirection | argvLocal.c:107:15:107:19 | printWrapper output argument |
@@ -396,6 +420,22 @@ nodes
 | argvLocal.c:170:15:170:26 | i10 indirection | semmle.label | i10 indirection |
 | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
 | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
+| argvLocal.c:182:13:182:16 | argv | semmle.label | argv |
+| argvLocal.c:182:13:182:16 | argv | semmle.label | argv |
+| argvLocal.c:183:10:183:11 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:183:10:183:11 | bp | semmle.label | bp |
+| argvLocal.c:183:10:183:11 | bp indirection | semmle.label | bp indirection |
+| argvLocal.c:184:16:184:17 | bp | semmle.label | bp |
+| argvLocal.c:184:16:184:17 | bp | semmle.label | bp |
+| argvLocal.c:184:16:184:17 | bp indirection | semmle.label | bp indirection |
+| argvLocal.c:197:13:197:16 | argv | semmle.label | argv |
+| argvLocal.c:197:13:197:16 | argv | semmle.label | argv |
+| argvLocal.c:198:10:198:11 | (const char *)... | semmle.label | (const char *)... |
+| argvLocal.c:198:10:198:11 | bp | semmle.label | bp |
+| argvLocal.c:198:10:198:11 | bp indirection | semmle.label | bp indirection |
+| argvLocal.c:199:16:199:17 | bp | semmle.label | bp |
+| argvLocal.c:199:16:199:17 | bp | semmle.label | bp |
+| argvLocal.c:199:16:199:17 | bp indirection | semmle.label | bp indirection |
 #select
 | argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:95:9:95:12 | argv | argv |
 | argvLocal.c:96:15:96:21 | access to array | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:96:15:96:18 | argv | argv |
@@ -425,3 +465,7 @@ nodes
 | argvLocal.c:165:15:165:17 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:163:22:163:25 | argv | argv |
 | argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:168:18:168:21 | argv | argv |
 | argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:168:18:168:21 | argv | argv |
+| argvLocal.c:183:10:183:11 | bp | argvLocal.c:182:13:182:16 | argv | argvLocal.c:183:10:183:11 | bp | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:182:13:182:16 | argv | argv |
+| argvLocal.c:184:16:184:17 | bp | argvLocal.c:182:13:182:16 | argv | argvLocal.c:184:16:184:17 | bp | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:182:13:182:16 | argv | argv |
+| argvLocal.c:198:10:198:11 | bp | argvLocal.c:197:13:197:16 | argv | argvLocal.c:198:10:198:11 | bp | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:197:13:197:16 | argv | argv |
+| argvLocal.c:199:16:199:17 | bp | argvLocal.c:197:13:197:16 | argv | argvLocal.c:199:16:199:17 | bp | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:197:13:197:16 | argv | argv |
--- a/csharp/actions/create-extractor-pack/action.yml
+++ b/csharp/actions/create-extractor-pack/action.yml
@@ -6,7 +6,7 @@ runs:
    - name: Setup dotnet
      uses: actions/setup-dotnet@v3
      with:
-        dotnet-version: 6.0.202
+        dotnet-version: 7.0.102
    - name: Build Extractor
      shell: bash
      run: scripts/create-extractor-pack.sh
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/Semmle.Autobuild.CSharp.Tests.csproj
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/Semmle.Autobuild.CSharp.Tests.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
-		<TargetFramework>net6.0</TargetFramework>
+		<TargetFramework>net7.0</TargetFramework>
 		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
 		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
 		<Nullable>enable</Nullable>
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp/Semmle.Autobuild.CSharp.csproj
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp/Semmle.Autobuild.CSharp.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
-		<TargetFramework>net6.0</TargetFramework>
+		<TargetFramework>net7.0</TargetFramework>
 		<AssemblyName>Semmle.Autobuild.CSharp</AssemblyName>
 		<RootNamespace>Semmle.Autobuild.CSharp</RootNamespace>
 		<ApplicationIcon/>
--- a/csharp/autobuilder/Semmle.Autobuild.Shared/Semmle.Autobuild.Shared.csproj
+++ b/csharp/autobuilder/Semmle.Autobuild.Shared/Semmle.Autobuild.Shared.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
-		<TargetFramework>net6.0</TargetFramework>
+		<TargetFramework>net7.0</TargetFramework>
 		<AssemblyName>Semmle.Autobuild.Shared</AssemblyName>
 		<RootNamespace>Semmle.Autobuild.Shared</RootNamespace>
 		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
--- a/csharp/downgrades/81a394bedda3d4747e36496c7be4d958424636d6/expressions.ql
+++ b/csharp/downgrades/81a394bedda3d4747e36496c7be4d958424636d6/expressions.ql
@@ -0,0 +1,13 @@
+class Expression extends @expr {
+  string toString() { none() }
+}
+
+class TypeOrRef extends @type_or_ref {
+  string toString() { none() }
+}
+
+from Expression e, int k, int kind, TypeOrRef t
+where
+  expressions(e, k, t) and
+  if k = 135 then kind = 106 else kind = k
+select e, kind, t
--- a/csharp/downgrades/81a394bedda3d4747e36496c7be4d958424636d6/old.dbscheme
+++ b/csharp/downgrades/81a394bedda3d4747e36496c7be4d958424636d6/old.dbscheme
--- a/csharp/downgrades/81a394bedda3d4747e36496c7be4d958424636d6/semmlecode.csharp.dbscheme
+++ b/csharp/downgrades/81a394bedda3d4747e36496c7be4d958424636d6/semmlecode.csharp.dbscheme
--- a/csharp/downgrades/81a394bedda3d4747e36496c7be4d958424636d6/upgrade.properties
+++ b/csharp/downgrades/81a394bedda3d4747e36496c7be4d958424636d6/upgrade.properties
@@ -0,0 +1,3 @@
+description: Remove UTF-8 expression kind.
+compatibility: backwards
+expressions.rel: run expressions.qlo
--- a/csharp/downgrades/97da4e8c5750e07c4f7c8a366b21060e05ecd5ed/cil_type_annotation.ql
+++ b/csharp/downgrades/97da4e8c5750e07c4f7c8a366b21060e05ecd5ed/cil_type_annotation.ql
@@ -0,0 +1,11 @@
+class AnnotatedElement extends @cil_has_type_annotation {
+  string toString() { none() }
+}
+
+class Field extends @cil_field {
+  string toString() { none() }
+}
+
+from AnnotatedElement element, int annotation
+where cil_type_annotation(element, annotation) and not element instanceof Field
+select element, annotation
--- a/csharp/downgrades/97da4e8c5750e07c4f7c8a366b21060e05ecd5ed/old.dbscheme
+++ b/csharp/downgrades/97da4e8c5750e07c4f7c8a366b21060e05ecd5ed/old.dbscheme
--- a/csharp/downgrades/97da4e8c5750e07c4f7c8a366b21060e05ecd5ed/semmlecode.csharp.dbscheme
+++ b/csharp/downgrades/97da4e8c5750e07c4f7c8a366b21060e05ecd5ed/semmlecode.csharp.dbscheme
--- a/csharp/downgrades/97da4e8c5750e07c4f7c8a366b21060e05ecd5ed/type_annotation.ql
+++ b/csharp/downgrades/97da4e8c5750e07c4f7c8a366b21060e05ecd5ed/type_annotation.ql
@@ -0,0 +1,11 @@
+class AnnotatedElement extends @has_type_annotation {
+  string toString() { none() }
+}
+
+class Field extends @field {
+  string toString() { none() }
+}
+
+from AnnotatedElement element, int annotation
+where type_annotation(element, annotation) and not element instanceof Field
+select element, annotation
--- a/csharp/downgrades/97da4e8c5750e07c4f7c8a366b21060e05ecd5ed/upgrade.properties
+++ b/csharp/downgrades/97da4e8c5750e07c4f7c8a366b21060e05ecd5ed/upgrade.properties
@@ -0,0 +1,4 @@
+description: Remove CIL fields as entities that can have type annotations and remove field type annotations.
+compatibility: backwards
+cil_type_annotation.rel: run cil_type_annotation.qlo
+type_annotation.rel: run type_annotation.qlo
--- a/csharp/extractor/Semmle.Extraction.CIL.Driver/Semmle.Extraction.CIL.Driver.csproj
+++ b/csharp/extractor/Semmle.Extraction.CIL.Driver/Semmle.Extraction.CIL.Driver.csproj
@@ -2,7 +2,7 @@

  <PropertyGroup>
    <OutputType>Exe</OutputType>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
    <AssemblyName>Semmle.Extraction.CIL.Driver</AssemblyName>
    <RootNamespace>Semmle.Extraction.CIL.Driver</RootNamespace>
    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
@@ -1,7 +1,4 @@
-using System;
-using System.Collections.Generic;
-using Microsoft.CodeAnalysis;
-using System.IO;
+using System.Collections.Generic;

 namespace Semmle.Extraction.CIL.Entities
 {
@@ -38,6 +35,11 @@ namespace Semmle.Extraction.CIL.Entities
                    t = mt.Unmodified;
                    yield return Tuples.cil_custom_modifiers(this, mt.Modifier, mt.IsRequired);
                }
+                if (t is ByRefType brt)
+                {
+                    t = brt.ElementType;
+                    yield return Tuples.cil_type_annotation(this, TypeAnnotation.Ref);
+                }
                yield return Tuples.cil_field(this, DeclaringType, Name, t);
            }
        }
--- a/csharp/extractor/Semmle.Extraction.CIL/Semmle.Extraction.CIL.csproj
+++ b/csharp/extractor/Semmle.Extraction.CIL/Semmle.Extraction.CIL.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
    <AssemblyName>Semmle.Extraction.CIL</AssemblyName>
    <RootNamespace>Semmle.Extraction.CIL</RootNamespace>
    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
--- a/csharp/extractor/Semmle.Extraction.CSharp.Driver/Semmle.Extraction.CSharp.Driver.csproj
+++ b/csharp/extractor/Semmle.Extraction.CSharp.Driver/Semmle.Extraction.CSharp.Driver.csproj
@@ -2,7 +2,7 @@

  <PropertyGroup>
    <OutputType>Exe</OutputType>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
    <AssemblyName>Semmle.Extraction.CSharp.Driver</AssemblyName>
    <RootNamespace>Semmle.Extraction.CSharp.Driver</RootNamespace>
    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
--- a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Semmle.Extraction.CSharp.Standalone.csproj
+++ b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Semmle.Extraction.CSharp.Standalone.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
 		<OutputType>Exe</OutputType>
-		<TargetFramework>net6.0</TargetFramework>
+		<TargetFramework>net7.0</TargetFramework>
 		<AssemblyName>Semmle.Extraction.CSharp.Standalone</AssemblyName>
 		<RootNamespace>Semmle.Extraction.CSharp.Standalone</RootNamespace>
 		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionNodeInfo.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/ExpressionNodeInfo.cs
@@ -2,7 +2,6 @@ using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Semmle.Extraction.CSharp.Populators;
-using Semmle.Extraction.Entities;
 using Semmle.Extraction.Kinds;

 namespace Semmle.Extraction.CSharp.Entities
@@ -107,6 +106,11 @@ namespace Semmle.Extraction.CSharp.Entities
                    return Expression.ValueAsString(val);
                }

+                if (TryGetStringValueFromUtf8Literal(out var s))
+                {
+                    return s;
+                }
+
                return null;
            }
        }
@@ -181,6 +185,17 @@ namespace Semmle.Extraction.CSharp.Entities
            return isTrue || isFalse;
        }

+        private bool TryGetStringValueFromUtf8Literal(out string? value)
+        {
+            value = null;
+            if (Node.IsKind(SyntaxKind.Utf8StringLiteralExpression) && Node is LiteralExpressionSyntax literal)
+            {
+                value = literal.Token.ValueText;
+                return true;
+            }
+            return false;
+        }
+
        public bool IsBoolLiteral()
        {
            return TryGetBoolValueFromLiteral(out var _);
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Factory.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Factory.cs
@@ -47,6 +47,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                    case SyntaxKind.FalseLiteralExpression:
                    case SyntaxKind.TrueLiteralExpression:
                    case SyntaxKind.StringLiteralExpression:
+                    case SyntaxKind.Utf8StringLiteralExpression:
                    case SyntaxKind.NullLiteralExpression:
                    case SyntaxKind.NumericLiteralExpression:
                    case SyntaxKind.CharacterLiteralExpression:
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs
@@ -27,7 +27,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                    case SyntaxKind.InterpolatedStringText:
                        // Create a string literal
                        var interpolatedText = (InterpolatedStringTextSyntax)c;
-                        new Expression(new ExpressionInfo(Context, Type, Context.CreateLocation(c.GetLocation()), ExprKind.STRING_LITERAL, this, child++, false, interpolatedText.TextToken.Text));
+                        new Expression(new ExpressionInfo(Context, Type, Context.CreateLocation(c.GetLocation()), ExprKind.UTF16_STRING_LITERAL, this, child++, false, interpolatedText.TextToken.ValueText));
                        break;
                    default:
                        throw new InternalError(c, $"Unhandled interpolation kind {c.Kind()}");
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Literal.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Literal.cs
@@ -20,6 +20,8 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
            {
                case SyntaxKind.DefaultLiteralExpression:
                    return ExprKind.DEFAULT;
+                case SyntaxKind.Utf8StringLiteralExpression:
+                    return ExprKind.UTF8_STRING_LITERAL;
                case SyntaxKind.NullLiteralExpression:
                    info.SetType(null);  // Don't use converted type.
                    return ExprKind.NULL_LITERAL;
@@ -63,7 +65,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                    return ExprKind.FLOAT_LITERAL;

                case SpecialType.System_String:
-                    return ExprKind.STRING_LITERAL;
+                    return ExprKind.UTF16_STRING_LITERAL;

                case SpecialType.System_UInt16:
                case SpecialType.System_UInt32:
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
@@ -30,6 +30,7 @@ namespace Semmle.Extraction.CSharp.Entities
            PopulateAttributes();
            ContainingType!.PopulateGenerics();
            PopulateNullability(trapFile, Symbol.GetAnnotatedType());
+            PopulateRefKind(trapFile, Symbol.RefKind);

            var unboundFieldKey = Field.Create(Context, Symbol.OriginalDefinition);
            trapFile.fields(this, (Symbol.IsConst ? 2 : 1), Symbol.Name, ContainingType, Type.TypeRef, unboundFieldKey);
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs
@@ -25,19 +25,14 @@ namespace Semmle.Extraction.CSharp.Entities

        public static string AccessibilityModifier(Accessibility access)
        {
-            switch (access)
+            return access switch
            {
-                case Accessibility.Private:
-                    return "private";
-                case Accessibility.Protected:
-                    return "protected";
-                case Accessibility.Public:
-                    return "public";
-                case Accessibility.Internal:
-                    return "internal";
-                default:
-                    throw new InternalError("Unavailable modifier combination");
-            }
+                Accessibility.Private => Modifiers.Private,
+                Accessibility.Protected => Modifiers.Protected,
+                Accessibility.Public => Modifiers.Public,
+                Accessibility.Internal => Modifiers.Internal,
+                _ => throw new InternalError("Unavailable modifier combination"),
+            };
        }

        public static void HasAccessibility(Context cx, TextWriter trapFile, IEntity type, Accessibility access)
@@ -48,17 +43,17 @@ namespace Semmle.Extraction.CSharp.Entities
                case Accessibility.Public:
                case Accessibility.Protected:
                case Accessibility.Internal:
-                    HasModifier(cx, trapFile, type, Modifier.AccessibilityModifier(access));
+                    HasModifier(cx, trapFile, type, AccessibilityModifier(access));
                    break;
                case Accessibility.NotApplicable:
                    break;
                case Accessibility.ProtectedOrInternal:
-                    HasModifier(cx, trapFile, type, "protected");
-                    HasModifier(cx, trapFile, type, "internal");
+                    HasModifier(cx, trapFile, type, Modifiers.Protected);
+                    HasModifier(cx, trapFile, type, Modifiers.Internal);
                    break;
                case Accessibility.ProtectedAndInternal:
-                    HasModifier(cx, trapFile, type, "protected");
-                    HasModifier(cx, trapFile, type, "private");
+                    HasModifier(cx, trapFile, type, Modifiers.Protected);
+                    HasModifier(cx, trapFile, type, Modifiers.Private);
                    break;
                default:
                    throw new InternalError($"Unhandled Microsoft.CodeAnalysis.Accessibility value: {access}");
@@ -70,6 +65,27 @@ namespace Semmle.Extraction.CSharp.Entities
            trapFile.has_modifiers(target, Modifier.Create(cx, modifier));
        }

+        private static void ExtractNamedTypeModifiers(Context cx, TextWriter trapFile, IEntity key, ISymbol symbol)
+        {
+            if (symbol.Kind != SymbolKind.NamedType)
+                return;
+
+            if (symbol is not INamedTypeSymbol nt)
+                throw new InternalError(symbol, "Symbol kind is inconsistent with its type");
+
+            if (nt.IsRecord)
+                HasModifier(cx, trapFile, key, Modifiers.Record);
+
+            if (nt.TypeKind == TypeKind.Struct)
+            {
+                if (nt.IsReadOnly)
+                    HasModifier(cx, trapFile, key, Modifiers.Readonly);
+
+                if (nt.IsRefLikeType)
+                    HasModifier(cx, trapFile, key, Modifiers.Ref);
+            }
+        }
+
        public static void ExtractModifiers(Context cx, TextWriter trapFile, IEntity key, ISymbol symbol)
        {
            HasAccessibility(cx, trapFile, key, symbol.DeclaredAccessibility);
@@ -77,51 +93,35 @@ namespace Semmle.Extraction.CSharp.Entities
                trapFile.has_modifiers(key, Modifier.Create(cx, Accessibility.Public));

            if (symbol.IsAbstract && (symbol.Kind != SymbolKind.NamedType || ((INamedTypeSymbol)symbol).TypeKind != TypeKind.Interface))
-                HasModifier(cx, trapFile, key, "abstract");
+                HasModifier(cx, trapFile, key, Modifiers.Abstract);

            if (symbol.IsSealed)
-                HasModifier(cx, trapFile, key, "sealed");
+                HasModifier(cx, trapFile, key, Modifiers.Sealed);

            var fromSource = symbol.DeclaringSyntaxReferences.Length > 0;

            if (symbol.IsStatic && !(symbol.Kind == SymbolKind.Field && ((IFieldSymbol)symbol).IsConst && !fromSource))
-                HasModifier(cx, trapFile, key, "static");
+                HasModifier(cx, trapFile, key, Modifiers.Static);

            if (symbol.IsVirtual)
-                HasModifier(cx, trapFile, key, "virtual");
+                HasModifier(cx, trapFile, key, Modifiers.Virtual);

            if (symbol.Kind == SymbolKind.Field && ((IFieldSymbol)symbol).IsReadOnly)
-                HasModifier(cx, trapFile, key, "readonly");
+                HasModifier(cx, trapFile, key, Modifiers.Readonly);

            if (symbol.IsOverride)
-                HasModifier(cx, trapFile, key, "override");
+                HasModifier(cx, trapFile, key, Modifiers.Override);

            if (symbol.Kind == SymbolKind.Method && ((IMethodSymbol)symbol).IsAsync)
-                HasModifier(cx, trapFile, key, "async");
+                HasModifier(cx, trapFile, key, Modifiers.Async);

            if (symbol.IsExtern)
-                HasModifier(cx, trapFile, key, "extern");
+                HasModifier(cx, trapFile, key, Modifiers.Extern);

            foreach (var modifier in symbol.GetSourceLevelModifiers())
                HasModifier(cx, trapFile, key, modifier);

-            if (symbol.Kind == SymbolKind.NamedType)
-            {
-                var nt = symbol as INamedTypeSymbol;
-                if (nt is null)
-                    throw new InternalError(symbol, "Symbol kind is inconsistent with its type");
-
-                if (nt.IsRecord)
-                    HasModifier(cx, trapFile, key, "record");
-
-                if (nt.TypeKind == TypeKind.Struct)
-                {
-                    if (nt.IsReadOnly)
-                        HasModifier(cx, trapFile, key, "readonly");
-                    if (nt.IsRefLikeType)
-                        HasModifier(cx, trapFile, key, "ref");
-                }
-            }
+            ExtractNamedTypeModifiers(cx, trapFile, key, symbol);
        }

        public static Modifier Create(Context cx, string modifier)
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifiers.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifiers.cs
@@ -0,0 +1,20 @@
+internal static class Modifiers
+{
+    public const string Abstract = "abstract";
+    public const string Async = "async";
+    public const string Const = "const";
+    public const string Extern = "extern";
+    public const string Internal = "internal";
+    public const string New = "new";
+    public const string Override = "override";
+    public const string Partial = "partial";
+    public const string Private = "private";
+    public const string Protected = "protected";
+    public const string Public = "public";
+    public const string Readonly = "readonly";
+    public const string Record = "record";
+    public const string Ref = "ref";
+    public const string Sealed = "sealed";
+    public const string Static = "static";
+    public const string Virtual = "virtual";
+}
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/UsingDirective.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/UsingDirective.cs
@@ -23,7 +23,7 @@ namespace Semmle.Extraction.CSharp.Entities
        {
            var info = Context.GetModel(node).GetSymbolInfo(node.Name);

-            if (node.StaticKeyword.Kind() == SyntaxKind.None)
+            if (node.StaticKeyword.IsKind(SyntaxKind.None))
            {
                // A normal using
                if (info.Symbol is INamespaceSymbol namespaceSymbol)
@@ -47,7 +47,7 @@ namespace Semmle.Extraction.CSharp.Entities
                trapFile.using_directive_location(this, Context.CreateLocation(ReportingLocation));
            }

-            if (node.GlobalKeyword.Kind() == SyntaxKind.GlobalKeyword)
+            if (node.GlobalKeyword.IsKind(SyntaxKind.GlobalKeyword))
            {
                trapFile.using_global(this);
            }
--- a/csharp/extractor/Semmle.Extraction.CSharp/Kinds/ExprKind.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Kinds/ExprKind.cs
@@ -15,7 +15,7 @@ namespace Semmle.Extraction.Kinds
        ULONG_LITERAL = 7,
        FLOAT_LITERAL = 8,
        DOUBLE_LITERAL = 9,
-        STRING_LITERAL = 10,
+        UTF16_STRING_LITERAL = 10,
        NULL_LITERAL = 11,
        THIS_ACCESS = 12,
        BASE_ACCESS = 13,
@@ -129,6 +129,7 @@ namespace Semmle.Extraction.Kinds
        SLICE_PATTERN = 132,
        URSHIFT = 133,
        ASSIGN_URSHIFT = 134,
+        UTF8_STRING_LITERAL = 135,
        DEFINE_SYMBOL = 999,
    }
 }
--- a/csharp/extractor/Semmle.Extraction.CSharp/Semmle.Extraction.CSharp.csproj
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Semmle.Extraction.CSharp.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
-		<TargetFramework>net6.0</TargetFramework>
+		<TargetFramework>net7.0</TargetFramework>
 		<AssemblyName>Semmle.Extraction.CSharp</AssemblyName>
 		<RootNamespace>Semmle.Extraction.CSharp</RootNamespace>
 		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
--- a/csharp/extractor/Semmle.Extraction.Tests/Semmle.Extraction.Tests.csproj
+++ b/csharp/extractor/Semmle.Extraction.Tests/Semmle.Extraction.Tests.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
-		<TargetFramework>net6.0</TargetFramework>
+		<TargetFramework>net7.0</TargetFramework>
 		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
 		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
 		<Nullable>enable</Nullable>
--- a/csharp/extractor/Semmle.Extraction/Semmle.Extraction.csproj
+++ b/csharp/extractor/Semmle.Extraction/Semmle.Extraction.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
-		<TargetFramework>net6.0</TargetFramework>
+		<TargetFramework>net7.0</TargetFramework>
 		<AssemblyName>Semmle.Extraction</AssemblyName>
 		<RootNamespace>Semmle.Extraction</RootNamespace>
 		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
--- a/csharp/extractor/Semmle.Util.Tests/Semmle.Util.Tests.csproj
+++ b/csharp/extractor/Semmle.Util.Tests/Semmle.Util.Tests.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
-		<TargetFramework>net6.0</TargetFramework>
+		<TargetFramework>net7.0</TargetFramework>
 		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
 		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
 		<Nullable>enable</Nullable>
--- a/csharp/extractor/Semmle.Util/Semmle.Util.csproj
+++ b/csharp/extractor/Semmle.Util/Semmle.Util.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
    <AssemblyName>Semmle.Util</AssemblyName>
    <RootNamespace>Semmle.Util</RootNamespace>
    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 1.4.2
+
+No user-facing changes.
+
+## 1.4.1
+
+No user-facing changes.
+
 ## 1.4.0

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.4.1.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.4.1.md
@@ -0,0 +1,3 @@
+## 1.4.1
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.4.2.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.4.2.md
@@ -0,0 +1,3 @@
+## 1.4.2
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.0
+lastReleaseVersion: 1.4.2
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.4.1-dev
+version: 1.4.3-dev
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 1.4.2
+
+No user-facing changes.
+
+## 1.4.1
+
+No user-facing changes.
+
 ## 1.4.0

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.4.1.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.4.1.md
@@ -0,0 +1,3 @@
+## 1.4.1
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.4.2.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.4.2.md
@@ -0,0 +1,3 @@
+## 1.4.2
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.0
+lastReleaseVersion: 1.4.2
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.4.1-dev
+version: 1.4.3-dev
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/integration-tests/all-platforms/dotnet_build/dotnet_build.csproj
+++ b/csharp/ql/integration-tests/all-platforms/dotnet_build/dotnet_build.csproj
@@ -2,7 +2,7 @@

  <PropertyGroup>
    <OutputType>Exe</OutputType>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
--- a/csharp/ql/integration-tests/all-platforms/dotnet_pack/dotnet_pack.csproj
+++ b/csharp/ql/integration-tests/all-platforms/dotnet_pack/dotnet_pack.csproj
@@ -2,7 +2,7 @@

  <PropertyGroup>
    <OutputType>Exe</OutputType>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
--- a/csharp/ql/integration-tests/all-platforms/dotnet_publish/dotnet_publish.csproj
+++ b/csharp/ql/integration-tests/all-platforms/dotnet_publish/dotnet_publish.csproj
@@ -2,7 +2,7 @@

  <PropertyGroup>
    <OutputType>Exe</OutputType>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
--- a/csharp/ql/integration-tests/all-platforms/dotnet_publish/test.py
+++ b/csharp/ql/integration-tests/all-platforms/dotnet_publish/test.py
@@ -1,8 +1,9 @@
 import os
 from create_database_utils import *

-run_codeql_database_create(['dotnet publish'], test_db="default-db", db=None, lang="csharp")
+artifacts = 'bin/Temp'
+run_codeql_database_create([f"dotnet publish -o {artifacts}"], test_db="default-db", db=None, lang="csharp")

 ## Check that the publish folder is created.
-if not os.path.isdir("bin/Debug/net6.0/publish/"):
+if not os.path.isdir(artifacts):
    raise Exception("The publish artifact folder was not created.") 
--- a/Show More
+++ b/Show More