Merge branch 'main' into js/remote-property-injection-update

.github/workflows/build-ripunzip.yml

@@ -20,7 +20,7 @@ jobs:
         os: [ubuntu-22.04, macos-13, windows-2022]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           repository: google/ripunzip
           ref: ${{ inputs.ripunzip-version }}
@@ -28,7 +28,7 @@ jobs:
       # see https://github.com/sfackler/rust-openssl/issues/183
       - if: runner.os == 'Linux'
         name: checkout openssl
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: openssl/openssl
           path: openssl

.github/workflows/buildifier.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Check bazel formatting
         uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         with:

.github/workflows/check-implicit-this.yml

@@ -16,7 +16,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check that implicit this warnings is enabled for all packs
         shell: bash
         run: |

.github/workflows/check-overlay-annotations.yml

@@ -17,7 +17,7 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check overlay annotations
         run: python config/add-overlay-annotations.py --check java
 

.github/workflows/check-qldoc.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 2
 

.github/workflows/check-query-ids.yml

@@ -19,6 +19,6 @@ jobs:
     name: Check query IDs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check for duplicate query IDs
         run: python3 misc/scripts/check-query-ids.py

.github/workflows/codeql-analysis.yml

@@ -37,7 +37,7 @@ jobs:
         dotnet-version: 9.0.100
 
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/compile-queries.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest-xl
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
         with:

.github/workflows/cpp-swift-analysis.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/csharp-qltest.yml

@@ -39,7 +39,7 @@ jobs:
         os: [ubuntu-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Setup dotnet
         uses: actions/setup-dotnet@v4
         with:
@@ -55,7 +55,7 @@ jobs:
   stubgentest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./csharp/actions/create-extractor-pack
       - name: Run stub generator tests
         run: |

.github/workflows/csv-coverage-metrics.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database
@@ -51,7 +51,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -35,11 +35,11 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql) - MERGE
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: merge
       - name: Clone self (github/codeql) - BASE
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 2
           path: base

.github/workflows/csv-coverage-pr-comment.yml

@@ -24,7 +24,7 @@ jobs:
         GITHUB_CONTEXT: ${{ toJSON(github.event) }}
       run: echo "$GITHUB_CONTEXT"
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Set up Python 3.8
       uses: actions/setup-python@v4
       with:

.github/workflows/csv-coverage-timeseries.yml

@@ -12,11 +12,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: codeqlModels
           fetch-depth: 0

.github/workflows/csv-coverage-update.yml

@@ -21,7 +21,7 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: ql
           fetch-depth: 0

.github/workflows/csv-coverage.yml

@@ -16,11 +16,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: codeqlModels
           ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}

.github/workflows/fast-forward.yml

@@ -26,7 +26,7 @@ jobs:
           exit 1
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Git config
         shell: bash

.github/workflows/go-tests.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Run tests
         uses: ./go/actions/test
         with:

.github/workflows/kotlin-build.yml

@@ -20,7 +20,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - run: |
           bazel query //java/kotlin-extractor/...
           # only build the default version as a quick check that we can build from `codeql`

.github/workflows/mad_modelDiff.yml

@@ -28,12 +28,12 @@ jobs:
         slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
     steps:
       - name: Clone github/codeql from PR
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         if: github.event.pull_request
         with:
           path: codeql-pr
       - name: Clone github/codeql from main
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: codeql-main
           ref: main

.github/workflows/mad_regenerate-models.yml

@@ -30,11 +30,11 @@ jobs:
             ref: "placeholder"
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup CodeQL binaries
         uses: ./.github/actions/fetch-codeql
       - name: Clone repositories
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: repos/${{ matrix.ref }}
           ref: ${{ matrix.ref }}

.github/workflows/python-tooling.yml

@@ -21,7 +21,7 @@ jobs:
   check-python-tooling:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-python@v5
         with:
           python-version: '3.12'

.github/workflows/qhelp-pr-preview.yml

@@ -43,7 +43,7 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 2
           persist-credentials: false

.github/workflows/ql-for-ql-build.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       ### Build the queries ###
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Find codeql

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -25,7 +25,7 @@ jobs:
           - github/codeql
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Find codeql
         id: find-codeql
@@ -46,7 +46,7 @@ jobs:
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
@@ -75,7 +75,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/download-artifact@v4
         with:
           name: measurements

.github/workflows/ql-for-ql-tests.yml

@@ -24,7 +24,7 @@ jobs:
   qltest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Find codeql
         id: find-codeql
         uses: github/codeql-action/init@main
@@ -64,7 +64,7 @@ jobs:
     needs: [qltest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Install GNU tar
         if: runner.os == 'macOS'
         run: |

.github/workflows/query-list.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         path: codeql 
     - name: Set up Python 3.8

.github/workflows/ruby-build.yml

@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Install GNU tar
         if: runner.os == 'macOS'
         run: |
@@ -113,7 +113,7 @@ jobs:
     if: github.repository_owner == 'github'
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Cache compilation cache
@@ -146,7 +146,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build, compile-queries]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/download-artifact@v4
         with:
           name: ruby.dbscheme
@@ -209,7 +209,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     needs: [package]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
 

.github/workflows/ruby-dataset-measure.yml

@@ -30,14 +30,14 @@ jobs:
         repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: ./.github/actions/fetch-codeql
 
       - uses: ./ruby/actions/create-extractor-pack
 
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
@@ -62,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/download-artifact@v4
         with:
           path: stats

.github/workflows/ruby-qltest-rtjo.yml

@@ -25,7 +25,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/fetch-codeql
       - uses: ./ruby/actions/create-extractor-pack
       - name: Cache compilation cache

.github/workflows/ruby-qltest.yml

@@ -36,7 +36,7 @@ jobs:
   qlupgrade:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/fetch-codeql
       - name: Check DB upgrade scripts
         run: |
@@ -58,7 +58,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/fetch-codeql
       - uses: ./ruby/actions/create-extractor-pack
       - name: Cache compilation cache

.github/workflows/rust-analysis.yml

@@ -35,7 +35,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     - name: Query latest nightly CodeQL bundle
       shell: bash

.github/workflows/rust.yml

@@ -30,7 +30,7 @@ jobs:
         working-directory: rust/ast-generator
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Inject sources
         shell: bash
         run: |
@@ -53,7 +53,7 @@ jobs:
         working-directory: rust/extractor
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Format
         shell: bash
         run: |
@@ -69,7 +69,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Install CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Code generation

.github/workflows/swift.yml

@@ -36,7 +36,7 @@ jobs:
       fail-fast: false
     runs-on: ${{ matrix.runner }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Setup (Linux)
         if: runner.os == 'Linux'
         run: |
@@ -53,7 +53,7 @@ jobs:
   clang-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         name: Check that python code is properly formatted
         with:
@@ -61,7 +61,7 @@ jobs:
   codegen:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/fetch-codeql
       - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         name: Check that QL generated code was checked in
@@ -77,6 +77,6 @@ jobs:
   check-no-override:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check that no override is present in load.bzl
         run: bazel test ... --test_tag_filters=override --test_output=errors

.github/workflows/sync-files.yml

@@ -17,7 +17,7 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check synchronized files
         run: python config/sync-files.py
       - name: Check dbscheme fragments

.github/workflows/tree-sitter-extractor-test.yml

@@ -30,7 +30,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check formatting
         run: cargo fmt -- --check
       - name: Run tests
@@ -38,12 +38,12 @@ jobs:
   fmt:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check formatting
         run: cargo fmt --check
   clippy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Run clippy
         run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments

.github/workflows/validate-change-notes.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql

.github/workflows/zipmerge-test.yml

@@ -18,6 +18,6 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - run: |
           bazel test //misc/bazel/internal/zipmerge:test --test_output=all

actions/extractor/codeql-extractor.yml

@@ -6,6 +6,8 @@ column_kind: "utf16"
 unicode_newlines: true
 build_modes:
   - none
+default_queries:
+  - codeql/actions-queries
 file_coverage_languages: []
 github_api_languages: []
 scc_languages: []

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.16
+
+No user-facing changes.
+
 ## 0.4.15
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.16.md

@@ -0,0 +1,3 @@
+## 0.4.16
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.15
+lastReleaseVersion: 0.4.16

actions/ql/lib/codeql/Locations.qll

@@ -70,8 +70,8 @@ class Location extends TLocation, TBaseLocation {
 
   /**
    * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
+   * The location spans column `sc` of line `sl` to
+   * column `ec` of line `el` in file `p`.
    * For more information, see
    * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */

actions/ql/lib/codeql/actions/Ast.qll

@@ -261,7 +261,7 @@ class If extends AstNode instanceof IfImpl {
 }
 
 /**
- * An Environemnt node representing a deployment environment.
+ * An Environment node representing a deployment environment.
  */
 class Environment extends AstNode instanceof EnvironmentImpl {
   string getName() { result = super.getName() }

actions/ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -125,12 +125,11 @@ abstract class AstNodeImpl extends TAstNode {
    * Gets the enclosing Step.
    */
   StepImpl getEnclosingStep() {
-    if this instanceof StepImpl
-    then result = this
-    else
-      if this instanceof ScalarValueImpl
-      then result.getAChildNode*() = this.getParentNode()
-      else none()
+    this instanceof StepImpl and
+    result = this
+    or
+    this instanceof ScalarValueImpl and
+    result.getAChildNode*() = this.getParentNode()
   }
 
   /**
@@ -1416,9 +1415,8 @@ class ExternalJobImpl extends JobImpl, UsesImpl {
   override string getVersion() {
     exists(YamlString name |
       n.lookup("uses") = name and
-      if not name.getValue().matches("\\.%")
-      then result = name.getValue().regexpCapture(repoUsesParser(), 4)
-      else none()
+      not name.getValue().matches("\\.%") and
+      result = name.getValue().regexpCapture(repoUsesParser(), 4)
     )
   }
 }

actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll

@@ -286,7 +286,7 @@ private module Cached {
   /**
    * Holds if `cfn` is the `i`th node in basic block `bb`.
    *
-   * In other words, `i` is the shortest distance from a node `bb`
+   * In other words, `i` is the shortest distance from a node `bbStart`
    * that starts a basic block to `cfn` along the `intraBBSucc` relation.
    */
   cached

actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll

@@ -3,6 +3,8 @@ private import codeql.controlflow.Cfg as CfgShared
 private import codeql.Locations
 
 module Completion {
+  import codeql.controlflow.SuccessorType
+
   private newtype TCompletion =
     TSimpleCompletion() or
     TBooleanCompletion(boolean b) { b in [false, true] } or
@@ -25,7 +27,7 @@ module Completion {
 
     override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) }
 
-    override NormalSuccessor getAMatchingSuccessorType() { any() }
+    override DirectSuccessor getAMatchingSuccessorType() { any() }
   }
 
   class BooleanCompletion extends NormalCompletion, TBooleanCompletion {
@@ -49,34 +51,6 @@ module Completion {
 
     override ReturnSuccessor getAMatchingSuccessorType() { any() }
   }
-
-  cached
-  private newtype TSuccessorType =
-    TNormalSuccessor() or
-    TBooleanSuccessor(boolean b) { b in [false, true] } or
-    TReturnSuccessor()
-
-  class SuccessorType extends TSuccessorType {
-    string toString() { none() }
-  }
-
-  class NormalSuccessor extends SuccessorType, TNormalSuccessor {
-    override string toString() { result = "successor" }
-  }
-
-  class BooleanSuccessor extends SuccessorType, TBooleanSuccessor {
-    boolean value;
-
-    BooleanSuccessor() { this = TBooleanSuccessor(value) }
-
-    override string toString() { result = value.toString() }
-
-    boolean getValue() { result = value }
-  }
-
-  class ReturnSuccessor extends SuccessorType, TReturnSuccessor {
-    override string toString() { result = "return" }
-  }
 }
 
 module CfgScope {
@@ -127,14 +101,8 @@ private module Implementation implements CfgShared::InputSig<Location> {
     last(scope.(CompositeAction), e, c)
   }
 
-  predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor }
-
-  predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor }
-
   SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }
 
-  predicate isAbnormalExitType(SuccessorType t) { none() }
-
   int idOfAstNode(AstNode node) { none() }
 
   int idOfCfgScope(CfgScope scope) { none() }

actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll

@@ -63,10 +63,10 @@ predicate madSource(DataFlow::Node source, string kind, string fieldName) {
     (
       if fieldName.trim().matches("env.%")
       then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", ""))
-      else
-        if fieldName.trim().matches("output.%")
-        then source.asExpr() = uses
-        else none()
+      else (
+        fieldName.trim().matches("output.%") and
+        source.asExpr() = uses
+      )
     )
   )
 }

actions/ql/lib/codeql/actions/dataflow/FlowSources.qll

@@ -31,14 +31,14 @@ abstract class RemoteFlowSource extends SourceNode {
 class GitHubCtxSource extends RemoteFlowSource {
   string flag;
   string event;
-  GitHubExpression e;
 
   GitHubCtxSource() {
-    this.asExpr() = e and
-    // github.head_ref
-    e.getFieldName() = "head_ref" and
-    flag = "branch" and
-    (
+    exists(GitHubExpression e |
+      this.asExpr() = e and
+      // github.head_ref
+      e.getFieldName() = "head_ref" and
+      flag = "branch"
+    |
       event = e.getATriggerEvent().getName() and
       event = "pull_request_target"
       or
@@ -148,7 +148,6 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource {
 class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
   string cmd;
   string flag;
-  string access_path;
   Run run;
 
   // Examples
@@ -163,7 +162,7 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
     run.getScript().getACommand() = cmd and
     cmd.matches("jq%") and
     cmd.matches("%GITHUB_EVENT_PATH%") and
-    exists(string regexp |
+    exists(string regexp, string access_path |
       untrustedEventPropertiesDataModel(regexp, flag) and
       not flag = "json" and
       access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and

actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll

@@ -19,7 +19,6 @@ abstract class ArgumentInjectionSink extends DataFlow::Node {
  */
 class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
   string command;
-  string argument;
 
   ArgumentInjectionFromEnvVarSink() {
     exists(Run run, string var |
@@ -28,7 +27,7 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
         exists(run.getInScopeEnvVarExpr(var)) or
         var = "GITHUB_HEAD_REF"
       ) and
-      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument)
+      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, _)
     )
   }
 
@@ -44,13 +43,12 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
  */
 class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
   string command;
-  string argument;
 
   ArgumentInjectionFromCommandSink() {
     exists(CommandSource source, Run run |
       run = source.getEnclosingRun() and
       this.asExpr() = run.getScript() and
-      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument)
+      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, _)
     )
   }
 

actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -125,8 +125,6 @@ class LegitLabsDownloadArtifactActionStep extends UntrustedArtifactDownloadStep,
 }
 
 class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, UsesStep {
-  string script;
-
   ActionsGitHubScriptDownloadStep() {
     // eg:
     // - uses: actions/github-script@v6
@@ -149,12 +147,14 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
     //      var fs = require('fs');
     //      fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
     this.getCallee() = "actions/github-script" and
-    this.getArgument("script") = script and
-    script.matches("%listWorkflowRunArtifacts(%") and
-    script.matches("%downloadArtifact(%") and
-    script.matches("%writeFileSync(%") and
-    // Filter out artifacts that were created by pull-request.
-    not script.matches("%exclude_pull_requests: true%")
+    exists(string script |
+      this.getArgument("script") = script and
+      script.matches("%listWorkflowRunArtifacts(%") and
+      script.matches("%downloadArtifact(%") and
+      script.matches("%writeFileSync(%") and
+      // Filter out artifacts that were created by pull-request.
+      not script.matches("%exclude_pull_requests: true%")
+    )
   }
 
   override string getPath() {
@@ -171,10 +171,10 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
                 .getScript()
                 .getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
-    else
-      if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())
-      then result = "GITHUB_WORKSPACE/"
-      else none()
+    else (
+      this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) and
+      result = "GITHUB_WORKSPACE/"
+    )
   }
 }
 
@@ -207,12 +207,13 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
                 .getScript()
                 .getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
-    else
-      if
+    else (
+      (
         this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or
         this.getScript().getACommand().regexpMatch(unzipRegexp())
-      then result = "GITHUB_WORKSPACE/"
-      else none()
+      ) and
+      result = "GITHUB_WORKSPACE/"
+    )
   }
 }
 
@@ -259,15 +260,15 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
 
 class ArtifactPoisoningSink extends DataFlow::Node {
   UntrustedArtifactDownloadStep download;
-  PoisonableStep poisonable;
 
   ArtifactPoisoningSink() {
-    download.getAFollowingStep() = poisonable and
-    // excluding artifacts downloaded to the temporary directory
-    not download.getPath().regexpMatch("^/tmp.*") and
-    not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
-    not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*") and
-    (
+    exists(PoisonableStep poisonable |
+      download.getAFollowingStep() = poisonable and
+      // excluding artifacts downloaded to the temporary directory
+      not download.getPath().regexpMatch("^/tmp.*") and
+      not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
+      not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*")
+    |
       poisonable.(Run).getScript() = this.asExpr() and
       (
         // Check if the poisonable step is a local script execution step

actions/ql/lib/codeql/actions/security/ControlChecks.qll

@@ -159,11 +159,8 @@ abstract class CommentVsHeadDateCheck extends ControlCheck {
 
 /* Specific implementations of control checks */
 class LabelIfCheck extends LabelCheck instanceof If {
-  string condition;
-
   LabelIfCheck() {
-    condition = normalizeExpr(this.getCondition()) and
-    (
+    exists(string condition | condition = normalizeExpr(this.getCondition()) |
       // eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
       condition.regexpMatch(".*(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*")
       or

actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -55,12 +55,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {
  *          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
  */
 class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
-  CommandSource inCommand;
-  string injectedVar;
-  string command;
-
   EnvVarInjectionFromCommandSink() {
-    exists(Run run |
+    exists(Run run, CommandSource inCommand, string injectedVar, string command |
       this.asExpr() = inCommand.getEnclosingRun().getScript() and
       run = inCommand.getEnclosingRun() and
       run.getScript().getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar) and
@@ -86,12 +82,8 @@ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
  *      echo "FOO=$BODY" >> $GITHUB_ENV
  */
 class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink {
-  string inVar;
-  string injectedVar;
-  string command;
-
   EnvVarInjectionFromEnvVarSink() {
-    exists(Run run |
+    exists(Run run, string inVar, string injectedVar, string command |
       run.getScript() = this.asExpr() and
       exists(run.getInScopeEnvVarExpr(inVar)) and
       run.getScript().getAnEnvReachingGitHubEnvWrite(inVar, injectedVar) and

actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -99,18 +99,14 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink {
  *          echo $BODY
  */
 class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink {
-  string clobbering_var;
-  string clobbered_value;
-
   WorkflowCommandClobberingFromEnvVarSink() {
-    exists(Run run, string workflow_cmd_stmt, string clobbering_stmt |
+    exists(Run run, string workflow_cmd_stmt, string clobbering_stmt, string clobbering_var |
       run.getScript() = this.asExpr() and
       run.getScript().getAStmt() = clobbering_stmt and
       clobbering_stmt.regexpMatch("echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + ".*") and
       exists(run.getInScopeEnvVarExpr(clobbering_var)) and
       run.getScript().getAStmt() = workflow_cmd_stmt and
-      clobbered_value =
-        trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1))
+      exists(trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1)))
     )
   }
 }

actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll

@@ -1,10 +1,8 @@
 import actions
 
 class UnversionedImmutableAction extends UsesStep {
-  string immutable_action;
-
   UnversionedImmutableAction() {
-    isImmutableAction(this, immutable_action) and
+    isImmutableAction(this, _) and
     not isSemVer(this.getVersion())
   }
 }

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.16-dev
+version: 0.4.17-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.8
+
+No user-facing changes.
+
 ## 0.6.7
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.8.md

@@ -0,0 +1,3 @@
+## 0.6.8
+
+No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.7
+lastReleaseVersion: 0.6.8

actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql

@@ -37,8 +37,6 @@ where
     )
     or
     // upload artifact is not used in the same workflow
-    not exists(UsesStep upload |
-      download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload
-    )
+    not download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() instanceof UsesStep
   )
 select download, "Potential artifact poisoning"

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.8-dev
+version: 0.6.9-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/downgrades/c16b29b27f71247023321cc0d0360998b318837c/upgrade.properties

@@ -0,0 +1,4 @@
+description: Link PCH creations and uses
+compatibility: full
+pch_uses.rel: delete
+pch_creations.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,14 @@
+## 5.5.0
+
+### New Features
+
+* Added a new class `PchFile` representing precompiled header (PCH) files used during project compilation.
+
+### Minor Analysis Improvements
+
+* Added flow summaries for the `Microsoft::WRL::ComPtr` member functions.
+* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.
+
 ## 5.4.1
 
 ### Minor Analysis Improvements

cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.

cpp/ql/lib/change-notes/2025-09-02-vla.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type defined in terms of an other `VlaDeclStmt` via a `typedef`.

cpp/ql/lib/change-notes/released/5.5.0.md

@@ -0,0 +1,10 @@
+## 5.5.0
+
+### New Features
+
+* Added a new class `PchFile` representing precompiled header (PCH) files used during project compilation.
+
+### Minor Analysis Improvements
+
+* Added flow summaries for the `Microsoft::WRL::ComPtr` member functions.
+* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.1
+lastReleaseVersion: 5.5.0

cpp/ql/lib/cpp.qll

@@ -15,6 +15,7 @@
 
 import Customizations
 import semmle.code.cpp.File
+import semmle.code.cpp.PchFile
 import semmle.code.cpp.Linkage
 import semmle.code.cpp.Location
 import semmle.code.cpp.Compilation

cpp/ql/lib/ext/ComPtr.model.yml

@@ -0,0 +1,31 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["Microsoft::WRL", "ComPtr", True, "ComPtr<T>", "(T *)", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "ComPtr", "(const ComPtr &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "ComPtr", "(ComPtr &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "As", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "AsIID", "", "", "Argument[-1]", "Argument[*1]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "AsWeak", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "Attach", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr<T>", True, "CopyTo", "(T **)", "", "Argument[-1].Element[@]", "Argument[**@0]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "CopyTo<T>", "(T **)", "", "Argument[-1].Element[@]", "Argument[**@0]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "CopyTo", "(REFIID,void **)", "", "Argument[-1].Element[@]", "Argument[**@1]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "Detach", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "Get", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "GetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[**@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "ReleaseAndGetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[**@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "Swap", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "Swap", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "operator&", "", "", "Argument[-1]", "ReturnValue.Element", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "operator->", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr<T>", True, "operator=", "(T *)", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr<T>", True, "operator=", "(T *)", "", "Argument[*@0]", "ReturnValue[*].Element[@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "operator=<U>", "(U *)", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "operator=<U>", "(U *)", "", "Argument[*@0]", "ReturnValue[*].Element[@]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "operator=", "(const ComPtr &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "operator=", "(const ComPtr &)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "operator=", "(ComPtr &&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["Microsoft::WRL", "ComPtr", True, "operator=", "(ComPtr &&)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/ext/ComPtrRef.model.yml

@@ -0,0 +1,12 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["Microsoft::WRL::Details", "ComPtrRef", True, "ComPtrRef", "", "", "Argument[*0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["Microsoft::WRL::Details", "ComPtrRef", True, "GetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      # TODO: We cannot yet model https://learn.microsoft.com/en-us/cpp/cppcx/wrl/comptrref-class?view=msvc-170#operator-interfacetype-star-star
+      - ["Microsoft::WRL::Details", "ComPtrRef", True, "operator*", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      # TODO: We cannot yet model https://learn.microsoft.com/en-us/cpp/cppcx/wrl/comptrref-class?view=msvc-170#operator-t-star
+      - ["Microsoft::WRL::Details", "ComPtrRef", True, "operator void**", "", "", "Argument[-1].Element[@]", "ReturnValue[**@]", "value", "manual"]
+      - ["Microsoft::WRL::Details", "ComPtrRef", True, "ReleaseAndGetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[**@]", "value", "manual"]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 5.4.2-dev
+version: 5.5.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/PchFile.qll

@@ -0,0 +1,26 @@
+/**
+ * Provides the `PchFile` class representing precompiled header (PCH) files created and
+ * used during the build process.
+ */
+
+import semmle.code.cpp.File
+
+/**
+ * A precompiled header (PCH) file created during the build process.
+ */
+class PchFile extends @pch {
+  /**
+   *  Gets a textual representation of this element.
+   */
+  string toString() { result = "PCH for " + this.getHeaderFile() }
+
+  /**
+   * Gets the header file from which the PCH file was created.
+   */
+  File getHeaderFile() { pch_creations(this, _, result) }
+
+  /**
+   * Gets a source file that includes the PCH.
+   */
+  File getAUse() { pch_uses(this, _, result) }
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1880,9 +1880,7 @@ module IteratorFlow {
     }
   }
 
-  private module SsaInput implements SsaImpl::InputSig<Location> {
-    import Ssa::InputSigCommon
-
+  private module SsaInput implements SsaImpl::InputSig<Location, IRCfg::BasicBlock> {
     class SourceVariable = IteratorFlow::SourceVariable;
 
     /** A call to function that dereferences an iterator. */
@@ -1960,7 +1958,7 @@ module IteratorFlow {
      * Holds if `(bb, i)` contains a write to an iterator that may have been obtained
      * by calling `begin` (or related functions) on the variable `v`.
      */
-    predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
+    predicate variableWrite(IRCfg::BasicBlock bb, int i, SourceVariable v, boolean certain) {
       certain = false and
       exists(GetsIteratorCall beginCall, Instruction writeToDeref, IRBlock bbQual, int iQual |
         isIteratorStoreInstruction(beginCall, writeToDeref) and
@@ -1971,12 +1969,12 @@ module IteratorFlow {
     }
 
     /** Holds if `(bb, i)` reads the container variable `v`. */
-    predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
+    predicate variableRead(IRCfg::BasicBlock bb, int i, SourceVariable v, boolean certain) {
       Ssa::variableRead(bb, i, v, certain)
     }
   }
 
-  private module IteratorSsa = SsaImpl::Make<Location, SsaInput>;
+  private module IteratorSsa = SsaImpl::Make<Location, IRCfg, SsaInput>;
 
   private module DataFlowIntegrationInput implements IteratorSsa::DataFlowIntegrationInputSig {
     private import codeql.util.Void
@@ -1989,7 +1987,7 @@ module IteratorFlow {
         )
       }
 
-      predicate hasCfgNode(SsaInput::BasicBlock bb, int i) { bb.getInstruction(i) = this }
+      predicate hasCfgNode(IRCfg::BasicBlock bb, int i) { bb.getInstruction(i) = this }
     }
 
     predicate ssaDefHasSource(IteratorSsa::WriteDefinition def) { none() }
@@ -1999,20 +1997,16 @@ module IteratorFlow {
     class GuardValue = Void;
 
     class Guard extends Void {
-      predicate hasValueBranchEdge(
-        SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue val
-      ) {
+      predicate hasValueBranchEdge(IRCfg::BasicBlock bb1, IRCfg::BasicBlock bb2, GuardValue val) {
         none()
       }
 
-      predicate valueControlsBranchEdge(
-        SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue val
-      ) {
+      predicate valueControlsBranchEdge(IRCfg::BasicBlock bb1, IRCfg::BasicBlock bb2, GuardValue val) {
         none()
       }
     }
 
-    predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, GuardValue val) {
+    predicate guardDirectlyControlsBlock(Guard guard, IRCfg::BasicBlock bb, GuardValue val) {
       none()
     }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll

@@ -891,15 +891,14 @@ private predicate baseSourceVariableIsGlobal(
   )
 }
 
-private module SsaInput implements Ssa::InputSig<Location> {
-  import InputSigCommon
+private module SsaInput implements Ssa::InputSig<Location, IRCfg::BasicBlock> {
   import SourceVariables
 
   /**
    * Holds if the `i`'th write in block `bb` writes to the variable `v`.
    * `certain` is `true` if the write is guaranteed to overwrite the entire variable.
    */
-  predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
+  predicate variableWrite(IRCfg::BasicBlock bb, int i, SourceVariable v, boolean certain) {
     DataFlowImplCommon::forceCachingInSameStage() and
     (
       exists(DefImpl def | def.hasIndexInBlock(v, bb, i) |
@@ -917,7 +916,7 @@ private module SsaInput implements Ssa::InputSig<Location> {
    * Holds if the `i`'th read in block `bb` reads to the variable `v`.
    * `certain` is `true` if the read is guaranteed. For C++, this is always the case.
    */
-  predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
+  predicate variableRead(IRCfg::BasicBlock bb, int i, SourceVariable v, boolean certain) {
     exists(UseImpl use | use.hasIndexInBlock(bb, i, v) |
       if use.isCertain() then certain = true else certain = false
     )
@@ -965,7 +964,7 @@ class GlobalDef extends Definition {
   GlobalLikeVariable getVariable() { result = impl.getVariable() }
 }
 
-private module SsaImpl = Ssa::Make<Location, SsaInput>;
+private module SsaImpl = Ssa::Make<Location, IRCfg, SsaInput>;
 
 private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationInputSig {
   private import codeql.util.Boolean
@@ -978,7 +977,7 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
       )
     }
 
-    predicate hasCfgNode(SsaInput::BasicBlock bb, int i) { bb.getInstruction(i) = this }
+    predicate hasCfgNode(IRCfg::BasicBlock bb, int i) { bb.getInstruction(i) = this }
   }
 
   Expr getARead(SsaImpl::Definition def) {
@@ -1006,9 +1005,7 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
   class Guard instanceof IRGuards::IRGuardCondition {
     string toString() { result = super.toString() }
 
-    predicate hasValueBranchEdge(
-      SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue branch
-    ) {
+    predicate hasValueBranchEdge(IRCfg::BasicBlock bb1, IRCfg::BasicBlock bb2, GuardValue branch) {
       exists(EdgeKind kind |
         super.getBlock() = bb1 and
         kind = getConditionalEdge(branch) and
@@ -1017,13 +1014,13 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
     }
 
     predicate valueControlsBranchEdge(
-      SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue branch
+      IRCfg::BasicBlock bb1, IRCfg::BasicBlock bb2, GuardValue branch
     ) {
       this.hasValueBranchEdge(bb1, bb2, branch)
     }
   }
 
-  predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, GuardValue branch) {
+  predicate guardDirectlyControlsBlock(Guard guard, IRCfg::BasicBlock bb, GuardValue branch) {
     guard.(IRGuards::IRGuardCondition).controls(bb, branch)
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll

@@ -768,21 +768,3 @@ private module Cached {
 }
 
 import Cached
-
-/**
- * Inputs to the shared SSA library's parameterized module that is shared
- * between the SSA pruning stage, and the final SSA stage.
- */
-module InputSigCommon {
-  class BasicBlock extends IRBlock {
-    ControlFlowNode getNode(int i) { result = this.getInstruction(i) }
-
-    int length() { result = this.getInstructionCount() }
-  }
-
-  class ControlFlowNode = Instruction;
-
-  BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result.immediatelyDominates(bb) }
-
-  BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll

@@ -2,6 +2,7 @@
  * Provides classes that specify the conditions under which control flows along a given edge.
  */
 
+private import codeql.controlflow.SuccessorType
 private import internal.EdgeKindInternal
 
 private newtype TEdgeKind =
@@ -28,6 +29,21 @@ abstract private class EdgeKindImpl extends TEdgeKind {
 
 final class EdgeKind = EdgeKindImpl;
 
+private SuccessorType getAMatchingSpecificSuccessorType(EdgeKind k) {
+  result.(BooleanSuccessor).getValue() = true and k instanceof TrueEdge
+  or
+  result.(BooleanSuccessor).getValue() = false and k instanceof FalseEdge
+  or
+  result instanceof ExceptionSuccessor and k instanceof ExceptionEdge
+}
+
+SuccessorType getAMatchingSuccessorType(EdgeKind k) {
+  result = getAMatchingSpecificSuccessorType(k)
+  or
+  not exists(getAMatchingSpecificSuccessorType(k)) and
+  result instanceof DirectSuccessor
+}
+
 /**
  * A "goto" edge, representing the unconditional successor of an `Instruction`
  * or `IRBlock`.

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll

@@ -7,6 +7,7 @@ import Instruction
 private import internal.IRBlockImports as Imports
 import Imports::EdgeKind
 private import Cached
+private import codeql.controlflow.BasicBlock as BB
 
 /**
  * Holds if `block` is a block in `func` and `sortOverride`, `sortKey1`, and `sortKey2` are the
@@ -263,6 +264,54 @@ private predicate isEntryBlock(TIRBlock block) {
   block = MkIRBlock(any(EnterFunctionInstruction enter))
 }
 
+module IRCfg implements BB::CfgSig<Language::Location> {
+  private import codeql.controlflow.SuccessorType
+
+  class ControlFlowNode = Instruction;
+
+  final private class FinalIRBlock = IRBlock;
+
+  class BasicBlock extends FinalIRBlock {
+    ControlFlowNode getNode(int i) { result = this.getInstruction(i) }
+
+    ControlFlowNode getLastNode() { result = super.getLastInstruction() }
+
+    int length() { result = this.getInstructionCount() }
+
+    BasicBlock getASuccessor() { result = super.getASuccessor() }
+
+    BasicBlock getASuccessor(SuccessorType t) {
+      exists(EdgeKind k |
+        result = super.getSuccessor(k) and
+        t = getAMatchingSuccessorType(k)
+      )
+    }
+
+    predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }
+
+    predicate dominates(BasicBlock bb) { super.dominates(bb) }
+
+    BasicBlock getImmediateDominator() { result.immediatelyDominates(this) }
+
+    predicate inDominanceFrontier(BasicBlock df) { super.dominanceFrontier() = df }
+
+    predicate strictlyPostDominates(BasicBlock bb) { super.strictlyPostDominates(bb) }
+
+    predicate postDominates(BasicBlock bb) { super.postDominates(bb) }
+  }
+
+  class EntryBasicBlock extends BasicBlock {
+    EntryBasicBlock() { isEntryBlock(this) }
+  }
+
+  pragma[nomagic]
+  predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) {
+    bb1.getASuccessor() = bb2 and
+    bb1 = bb2.getImmediateDominator() and
+    forall(BasicBlock pred | pred = bb2.getAPredecessor() and pred != bb1 | bb2.dominates(pred))
+  }
+}
+
 cached
 private module Cached {
   cached

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll

@@ -7,6 +7,7 @@ import Instruction
 private import internal.IRBlockImports as Imports
 import Imports::EdgeKind
 private import Cached
+private import codeql.controlflow.BasicBlock as BB
 
 /**
  * Holds if `block` is a block in `func` and `sortOverride`, `sortKey1`, and `sortKey2` are the
@@ -263,6 +264,54 @@ private predicate isEntryBlock(TIRBlock block) {
   block = MkIRBlock(any(EnterFunctionInstruction enter))
 }
 
+module IRCfg implements BB::CfgSig<Language::Location> {
+  private import codeql.controlflow.SuccessorType
+
+  class ControlFlowNode = Instruction;
+
+  final private class FinalIRBlock = IRBlock;
+
+  class BasicBlock extends FinalIRBlock {
+    ControlFlowNode getNode(int i) { result = this.getInstruction(i) }
+
+    ControlFlowNode getLastNode() { result = super.getLastInstruction() }
+
+    int length() { result = this.getInstructionCount() }
+
+    BasicBlock getASuccessor() { result = super.getASuccessor() }
+
+    BasicBlock getASuccessor(SuccessorType t) {
+      exists(EdgeKind k |
+        result = super.getSuccessor(k) and
+        t = getAMatchingSuccessorType(k)
+      )
+    }
+
+    predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }
+
+    predicate dominates(BasicBlock bb) { super.dominates(bb) }
+
+    BasicBlock getImmediateDominator() { result.immediatelyDominates(this) }
+
+    predicate inDominanceFrontier(BasicBlock df) { super.dominanceFrontier() = df }
+
+    predicate strictlyPostDominates(BasicBlock bb) { super.strictlyPostDominates(bb) }
+
+    predicate postDominates(BasicBlock bb) { super.postDominates(bb) }
+  }
+
+  class EntryBasicBlock extends BasicBlock {
+    EntryBasicBlock() { isEntryBlock(this) }
+  }
+
+  pragma[nomagic]
+  predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) {
+    bb1.getASuccessor() = bb2 and
+    bb1 = bb2.getImmediateDominator() and
+    forall(BasicBlock pred | pred = bb2.getAPredecessor() and pred != bb1 | bb2.dominates(pred))
+  }
+}
+
 cached
 private module Cached {
   cached

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -97,7 +97,14 @@ newtype TInstructionTag =
     exists(Stmt s | exists(s.getImplicitDestructorCall(index)))
   } or
   CoAwaitBranchTag() or
-  BoolToIntConversionTag()
+  BoolToIntConversionTag() or
+  SizeofVlaBaseSizeTag() or
+  SizeofVlaConversionTag(int index) {
+    exists(VlaDeclStmt v | exists(v.getTransitiveVlaDimensionStmt(index)))
+  } or
+  SizeofVlaDimensionTag(int index) {
+    exists(VlaDeclStmt v | exists(v.getTransitiveVlaDimensionStmt(index)))
+  }
 
 class InstructionTag extends TInstructionTag {
   final string toString() { result = getInstructionTagId(this) }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -123,13 +123,16 @@ private predicate ignoreExprAndDescendants(Expr expr) {
   //  or
   ignoreExprAndDescendants(getRealParent(expr)) // recursive case
   or
-  // va_start doesn't evaluate its argument, so we don't need to translate it.
+  // va_start does not evaluate its argument, so we do not need to translate it.
   exists(BuiltInVarArgsStart vaStartExpr |
     vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
   )
   or
+  // sizeof does not evaluate its argument, so we do not need to translate it.
+  exists(SizeofExprOperator sizeofExpr | sizeofExpr.getExprOperand().getFullyConverted() = expr)
+  or
   // The children of C11 _Generic expressions are just surface syntax.
-  exists(C11GenericExpr generic | generic.getAChild() = expr)
+  exists(C11GenericExpr generic | generic.getAChild().getFullyConverted() = expr)
   or
   // Do not translate implicit destructor calls for unnamed temporary variables that are
   // conditionally constructed (until we have a mechanism for calling these only when the

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -187,7 +187,7 @@ Variable getEnclosingVariable(Expr e) {
 }
 
 /**
- * The IR translation of the "core"  part of an expression. This is the part of
+ * The IR translation of the "core" part of an expression. This is the part of
  * the expression that produces the result value of the expression, before any
  * lvalue-to-rvalue conversion on the result. Every expression has a single
  * `TranslatedCoreExpr`.
@@ -3884,7 +3884,7 @@ class TranslatedNewExpr extends TranslatedNewOrNewArrayExpr {
   final override Type getTargetType() { result = expr.getAllocatedType().getUnspecifiedType() }
 
   final override TranslatedInitialization getInitialization() {
-    result = getTranslatedInitialization(expr.getInitializer())
+    result = getTranslatedInitialization(expr.getInitializer().getFullyConverted())
   }
 }
 
@@ -4094,6 +4094,155 @@ class TranslatedStmtExpr extends TranslatedNonConstantExpr {
   TranslatedStmt getStmt() { result = getTranslatedStmt(expr.getStmt()) }
 }
 
+private VlaDeclStmt getVlaDeclStmt(Expr expr, int pointerDerefCount) {
+  expr.(VariableAccess).getTarget() = result.getVariable() and
+  pointerDerefCount = 0
+  or
+  not expr.(PointerDereferenceExpr).getOperand() instanceof AddressOfExpr and
+  result = getVlaDeclStmt(expr.(PointerDereferenceExpr).getOperand(), pointerDerefCount - 1)
+  or
+  // Skip sequences of the form `*&...`
+  result =
+    getVlaDeclStmt(expr.(PointerDereferenceExpr).getOperand().(AddressOfExpr).getOperand(),
+      pointerDerefCount)
+  or
+  result = getVlaDeclStmt(expr.(ArrayExpr).getArrayBase(), pointerDerefCount - 1)
+}
+
+/**
+ * The IR translation of `SizeofExprOperator` when its result is non-constant, i.e.,
+ * when the operand expression refers to a variable length array.
+ */
+class TranslatedSizeofExpr extends TranslatedNonConstantExpr {
+  override SizeofExprOperator expr;
+  VlaDeclStmt vlaDeclStmt;
+  int vlaDimensions;
+  int pointerDerefCount;
+
+  TranslatedSizeofExpr() {
+    vlaDeclStmt = getVlaDeclStmt(expr.getExprOperand(), pointerDerefCount) and
+    vlaDimensions = vlaDeclStmt.getTransitiveNumberOfVlaDimensionStmts() and
+    pointerDerefCount < vlaDimensions
+  }
+
+  final override Instruction getFirstInstruction(EdgeKind kind) {
+    result = this.getInstruction(SizeofVlaBaseSizeTag()) and
+    kind instanceof GotoEdge
+  }
+
+  override Instruction getALastInstructionInternal() {
+    result = this.getInstruction(SizeofVlaDimensionTag(vlaDimensions - 1))
+  }
+
+  final override TranslatedElement getChildInternal(int id) { none() }
+
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    opcode instanceof Opcode::Constant and
+    tag = SizeofVlaBaseSizeTag() and
+    resultType = this.getResultType()
+    or
+    exists(int n, Type dimType |
+      pointerDerefCount <= n and
+      n < vlaDimensions and
+      dimType = this.getDimensionExpr(n).getUnderlyingType() and
+      tag = SizeofVlaConversionTag(n)
+    |
+      (
+        expr.getUnderlyingType() = dimType and
+        opcode instanceof Opcode::CopyValue
+        or
+        not expr.getUnderlyingType() = dimType and
+        opcode instanceof Opcode::Convert
+      )
+    ) and
+    resultType = this.getResultType()
+    or
+    opcode instanceof Opcode::Mul and
+    exists(int n | pointerDerefCount <= n and n < vlaDimensions | tag = SizeofVlaDimensionTag(n)) and
+    resultType = this.getResultType()
+  }
+
+  final override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
+    tag = SizeofVlaBaseSizeTag() and
+    result = this.getInstruction(SizeofVlaConversionTag(pointerDerefCount)) and
+    kind instanceof GotoEdge
+    or
+    exists(int n | pointerDerefCount <= n and n < vlaDimensions |
+      tag = SizeofVlaConversionTag(n) and
+      result = this.getInstruction(SizeofVlaDimensionTag(n))
+    ) and
+    kind instanceof GotoEdge
+    or
+    exists(int n | pointerDerefCount <= n and n < vlaDimensions - 1 |
+      tag = SizeofVlaDimensionTag(n) and
+      result = this.getInstruction(SizeofVlaConversionTag(n + 1))
+    ) and
+    kind instanceof GotoEdge
+    or
+    tag = SizeofVlaDimensionTag(vlaDimensions - 1) and
+    result = this.getParent().getChildSuccessor(this, kind)
+  }
+
+  override string getInstructionConstantValue(InstructionTag tag) {
+    tag = SizeofVlaBaseSizeTag() and
+    result = this.getBaseType(vlaDeclStmt).getSize().toString()
+  }
+
+  private Type getBaseType(VlaDeclStmt v) {
+    not exists(v.getParentVlaDecl()) and
+    (
+      result =
+        this.getBaseType(v.getVariable().getUnderlyingType(), v.getNumberOfVlaDimensionStmts())
+      or
+      result = this.getBaseType(v.getType().getUnderlyingType(), v.getNumberOfVlaDimensionStmts())
+    )
+    or
+    result = this.getBaseType(v.getParentVlaDecl())
+  }
+
+  private Type getBaseType(Type type, int n) {
+    n = 0 and
+    result = type
+    or
+    result = this.getBaseType(type.(DerivedType).getBaseType(), n - 1)
+  }
+
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    exists(int n | pointerDerefCount <= n and n < vlaDimensions |
+      tag = SizeofVlaConversionTag(n) and
+      (
+        operandTag instanceof UnaryOperandTag and
+        result = getTranslatedExpr(this.getDimensionExpr(n)).getResult()
+      )
+    )
+    or
+    exists(int n | pointerDerefCount <= n and n < vlaDimensions |
+      tag = SizeofVlaDimensionTag(n) and
+      (
+        operandTag instanceof LeftOperandTag and
+        (
+          n - 1 >= pointerDerefCount and
+          result = this.getInstruction(SizeofVlaDimensionTag(n - 1))
+          or
+          n - 1 < pointerDerefCount and
+          result = this.getInstruction(SizeofVlaBaseSizeTag())
+        )
+        or
+        operandTag instanceof RightOperandTag and
+        result = this.getInstruction(SizeofVlaConversionTag(n))
+      )
+    )
+  }
+
+  private Expr getDimensionExpr(int n) {
+    result = vlaDeclStmt.getTransitiveVlaDimensionStmt(n).getDimensionExpr().getFullyConverted()
+  }
+
+  final override Instruction getResult() {
+    result = this.getInstruction(SizeofVlaDimensionTag(vlaDimensions - 1))
+  }
+}
+
 class TranslatedErrorExpr extends TranslatedSingleInstructionExpr {
   override ErrorExpr expr;
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll

@@ -7,6 +7,7 @@ import Instruction
 private import internal.IRBlockImports as Imports
 import Imports::EdgeKind
 private import Cached
+private import codeql.controlflow.BasicBlock as BB
 
 /**
  * Holds if `block` is a block in `func` and `sortOverride`, `sortKey1`, and `sortKey2` are the
@@ -263,6 +264,54 @@ private predicate isEntryBlock(TIRBlock block) {
   block = MkIRBlock(any(EnterFunctionInstruction enter))
 }
 
+module IRCfg implements BB::CfgSig<Language::Location> {
+  private import codeql.controlflow.SuccessorType
+
+  class ControlFlowNode = Instruction;
+
+  final private class FinalIRBlock = IRBlock;
+
+  class BasicBlock extends FinalIRBlock {
+    ControlFlowNode getNode(int i) { result = this.getInstruction(i) }
+
+    ControlFlowNode getLastNode() { result = super.getLastInstruction() }
+
+    int length() { result = this.getInstructionCount() }
+
+    BasicBlock getASuccessor() { result = super.getASuccessor() }
+
+    BasicBlock getASuccessor(SuccessorType t) {
+      exists(EdgeKind k |
+        result = super.getSuccessor(k) and
+        t = getAMatchingSuccessorType(k)
+      )
+    }
+
+    predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }
+
+    predicate dominates(BasicBlock bb) { super.dominates(bb) }
+
+    BasicBlock getImmediateDominator() { result.immediatelyDominates(this) }
+
+    predicate inDominanceFrontier(BasicBlock df) { super.dominanceFrontier() = df }
+
+    predicate strictlyPostDominates(BasicBlock bb) { super.strictlyPostDominates(bb) }
+
+    predicate postDominates(BasicBlock bb) { super.postDominates(bb) }
+  }
+
+  class EntryBasicBlock extends BasicBlock {
+    EntryBasicBlock() { isEntryBlock(this) }
+  }
+
+  pragma[nomagic]
+  predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) {
+    bb1.getASuccessor() = bb2 and
+    bb1 = bb2.getImmediateDominator() and
+    forall(BasicBlock pred | pred = bb2.getAPredecessor() and pred != bb1 | bb2.dominates(pred))
+  }
+}
+
 cached
 private module Cached {
   cached

cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll

@@ -2355,6 +2355,20 @@ class VlaDeclStmt extends Stmt, @stmt_vla_decl {
     )
   }
 
+  /**
+   * Gets the number of VLA dimension statements in this VLA declaration
+   * statement and transitively of the VLA declaration used to define its
+   * base type. if any.
+   */
+  int getTransitiveNumberOfVlaDimensionStmts() {
+    not exists(this.getParentVlaDecl()) and
+    result = this.getNumberOfVlaDimensionStmts()
+    or
+    result =
+      this.getNumberOfVlaDimensionStmts() +
+        this.getParentVlaDecl().getTransitiveNumberOfVlaDimensionStmts()
+  }
+
   /**
    * Gets the `i`th VLA dimension statement in this VLA
    * declaration statement.
@@ -2367,6 +2381,19 @@ class VlaDeclStmt extends Stmt, @stmt_vla_decl {
     )
   }
 
+  /**
+   * Gets the `i`th VLA dimension statement in this VLA declaration
+   * statement or transitively of the VLA declaration used to define
+   * its base type.
+   */
+  VlaDimensionStmt getTransitiveVlaDimensionStmt(int i) {
+    i < this.getNumberOfVlaDimensionStmts() and
+    result = this.getVlaDimensionStmt(i)
+    or
+    result =
+      this.getParentVlaDecl().getTransitiveVlaDimensionStmt(i - this.getNumberOfVlaDimensionStmts())
+  }
+
   /**
    * Gets the type that this VLA declaration statement relates to,
    * if any.
@@ -2378,4 +2405,31 @@ class VlaDeclStmt extends Stmt, @stmt_vla_decl {
    * if any.
    */
   Variable getVariable() { variable_vla(unresolveElement(result), underlyingElement(this)) }
+
+  /**
+   * Get the VLA declaration used to define the base type of
+   * this VLA declaration, if any.
+   */
+  VlaDeclStmt getParentVlaDecl() {
+    exists(Variable v, Type baseType |
+      v = this.getVariable() and
+      baseType = this.getBaseType(v.getType(), this.getNumberOfVlaDimensionStmts())
+    |
+      result.getType() = baseType
+    )
+    or
+    exists(Type t, Type baseType |
+      t = this.getType().(TypedefType).getBaseType() and
+      baseType = this.getBaseType(t, this.getNumberOfVlaDimensionStmts())
+    |
+      result.getType() = baseType
+    )
+  }
+
+  private Type getBaseType(Type type, int n) {
+    n = 0 and
+    result = type
+    or
+    result = this.getBaseType(type.(DerivedType).getBaseType(), n - 1)
+  }
 }

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -222,6 +222,19 @@ extractor_version(
     string frontend_version: string ref
 )
 
+pch_uses(
+    int pch: @pch ref,
+    int compilation: @compilation ref,
+    int id: @file ref
+)
+
+#keyset[pch, compilation]
+pch_creations(
+    int pch: @pch,
+    int compilation: @compilation ref,
+    int from: @file ref
+)
+
 /** An element for which line-count information is available. */
 @sourceline = @file | @function | @variable | @enumconstant | @xmllocatable;
 

cpp/ql/lib/upgrades/5340d6d5f428557632b1a50113e406430f29ef7d/upgrade.properties

@@ -0,0 +1,2 @@
+description: Link PCH creations and uses
+compatibility: backwards

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.4.7
+
+### Bug Fixes
+
+* Fixed an inconsistency across languages where most have a `Customizations.qll` file for adding customizations, but not all did.
+
 ## 1.4.6
 
 ### Minor Analysis Improvements

cpp/ql/src/change-notes/released/1.4.7.md

@@ -1,4 +1,5 @@
----
-category: fix
----
-* Fixed an inconsistency across languages where most have a `Customizations.qll` file for adding customizations, but not all did.
+## 1.4.7
+
+### Bug Fixes
+
+* Fixed an inconsistency across languages where most have a `Customizations.qll` file for adding customizations, but not all did.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.6
+lastReleaseVersion: 1.4.7

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.4.7-dev
+version: 1.4.8-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected

@@ -6,12 +6,14 @@
 | Dubious member name "operator LPWSTR" in summary model. |
 | Dubious member name "operator PCXSTR" in summary model. |
 | Dubious member name "operator PXSTR" in summary model. |
+| Dubious member name "operator void**" in summary model. |
 | Dubious member name "operator&" in summary model. |
 | Dubious member name "operator*" in summary model. |
 | Dubious member name "operator+" in summary model. |
 | Dubious member name "operator+=" in summary model. |
 | Dubious member name "operator->" in summary model. |
 | Dubious member name "operator=" in summary model. |
+| Dubious member name "operator=<U>" in summary model. |
 | Dubious member name "operator[]" in summary model. |
 | Dubious signature "(..(*)(..))" in summary model. |
 | Dubious signature "(..(*)(..),..(*)(..),..(*)(..),..(*)(..))" in summary model. |
@@ -503,6 +505,7 @@
 | Dubious signature "(CURLU *,CURLUPart,const char *,unsigned int)" in summary model. |
 | Dubious signature "(CURLU *,const char *)" in summary model. |
 | Dubious signature "(CURLU *,const char *,char **,OperationConfig *)" in summary model. |
+| Dubious signature "(ComPtr &&)" in summary model. |
 | Dubious signature "(CompoundDictionary *,const PreparedDictionary *)" in summary model. |
 | Dubious signature "(Curl_cfilter *)" in summary model. |
 | Dubious signature "(Curl_cfilter **,Curl_easy *)" in summary model. |
@@ -2130,6 +2133,7 @@
 | Dubious signature "(RAND_POOL *,unsigned char *)" in summary model. |
 | Dubious signature "(RAND_POOL *,unsigned int)" in summary model. |
 | Dubious signature "(RECORD_LAYER *,SSL_CONNECTION *)" in summary model. |
+| Dubious signature "(REFIID,void **)" in summary model. |
 | Dubious signature "(RIO_NOTIFIER *)" in summary model. |
 | Dubious signature "(RIPEMD160_CTX *,const unsigned char *)" in summary model. |
 | Dubious signature "(RIPEMD160_CTX *,const void *,size_t)" in summary model. |
@@ -2431,6 +2435,8 @@
 | Dubious signature "(Strent *)" in summary model. |
 | Dubious signature "(Strtab *,const char *,size_t)" in summary model. |
 | Dubious signature "(Strtab *,size_t *)" in summary model. |
+| Dubious signature "(T *)" in summary model. |
+| Dubious signature "(T **)" in summary model. |
 | Dubious signature "(TLS_FEATURE *)" in summary model. |
 | Dubious signature "(TLS_RL_RECORD *,const unsigned char *)" in summary model. |
 | Dubious signature "(TS_ACCURACY *)" in summary model. |
@@ -2493,6 +2499,7 @@
 | Dubious signature "(TS_VERIFY_CTX *,unsigned char *,long)" in summary model. |
 | Dubious signature "(TXT_DB *,OPENSSL_STRING *)" in summary model. |
 | Dubious signature "(TXT_DB *,int,..(*)(..),OPENSSL_LH_HASHFUNC,OPENSSL_LH_COMPFUNC)" in summary model. |
+| Dubious signature "(U *)" in summary model. |
 | Dubious signature "(UI *)" in summary model. |
 | Dubious signature "(UI *,UI_STRING *,const char *)" in summary model. |
 | Dubious signature "(UI *,UI_STRING *,const char *,int)" in summary model. |
@@ -3155,6 +3162,7 @@
 | Dubious signature "(const CT_POLICY_EVAL_CTX *)" in summary model. |
 | Dubious signature "(const CURLU *)" in summary model. |
 | Dubious signature "(const CURLU *,CURLUPart,char **,unsigned int)" in summary model. |
+| Dubious signature "(const ComPtr &)" in summary model. |
 | Dubious signature "(const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *)" in summary model. |
 | Dubious signature "(const Curl_easy *,const connectdata *,int)" in summary model. |
 | Dubious signature "(const DH *)" in summary model. |

cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp

@@ -1241,4 +1241,221 @@ namespace ATL {
     sink(static_cast<CStrBufT<char>::PCXSTR>(b)); // $ ir
     sink(static_cast<CStrBufT<char>::PXSTR>(b)); // $ ir
   }
+}
+
+namespace Microsoft {
+  namespace WRL {
+  template <typename T>
+  class ComPtr;
+
+  struct GUID;
+
+  typedef GUID IID;
+
+  typedef IID *REFIID;
+
+  class IUnknown;
+
+  class WeakRef;
+
+  namespace Details {
+    template <typename T>
+    class ComPtrRef {
+      public:
+      using InterfaceType = T;
+
+      ComPtrRef(T*);
+
+      InterfaceType* const * GetAddressOf() const;
+      InterfaceType** ReleaseAndGetAddressOf();
+
+      operator InterfaceType**();
+      operator T*();
+      operator void**() const;
+      InterfaceType* operator *();
+    };
+  }
+
+  template <typename T>
+  class ComPtr
+  {
+  public:
+    using InterfaceType = T;
+
+    ComPtr();
+    ComPtr(const ComPtr &);
+    ComPtr(ComPtr &&);
+
+    template <typename U>
+    ComPtr(U *);
+
+    ~ComPtr();
+
+    template <typename U>
+    HRESULT As(ComPtr<U> *p) const;
+
+    HRESULT AsWeak(WeakRef *);
+
+    void Attach(InterfaceType *);
+
+    HRESULT CopyTo(InterfaceType **);
+
+    HRESULT CopyTo(REFIID, void **) const;
+
+    template <typename U>
+    HRESULT CopyTo(U **) const;
+
+    T *Detach();
+
+    T *Get() const;
+
+    T *const *GetAddressOf() const;
+    T **GetAddressOf();
+
+    T **ReleaseAndGetAddressOf();
+
+    unsigned long Reset();
+
+    void Swap(ComPtr &&r);
+
+    void Swap(ComPtr &r);
+
+    Details::ComPtrRef<ComPtr<T>> operator&();
+    const Details::ComPtrRef<const ComPtr<T>> operator&() const;
+
+    InterfaceType* operator->() const; // return type simplified from Microsoft::WRL::Details::RemoveIUnknown<InterfaceType>*
+
+    ComPtr& operator=(T *);
+    template <typename U>
+    ComPtr& operator=(U *);
+    ComPtr& operator=(const ComPtr &);
+    template<class U>
+    ComPtr& operator=(const ComPtr<U>&);
+    ComPtr& operator=(ComPtr &&);
+    template<class U>
+    ComPtr& operator=(ComPtr<U>&&);
+    };
+
+  }
+}
+
+namespace std {
+  template<class T> T&& move(T& t) noexcept; // simplified signature
+}
+
+void test_constructor()
+{
+  Microsoft::WRL::ComPtr<int> p0;
+  sink(*p0.Get()); // clean
+
+  int x = source<int>();
+  Microsoft::WRL::ComPtr<int> p1(new int(x));
+  sink(*p1.Get()); // $ ir MISSING: ast
+  sink(*p1.Detach()); // $ ir MISSING: ast
+
+  Microsoft::WRL::ComPtr<int> p2(p1);
+  sink(*p2.Get()); // $ ir MISSING: ast
+
+  Microsoft::WRL::ComPtr<int> p3(std::move(p1));
+  sink(*p3.Get()); // $ ir MISSING: ast
+}
+
+void test_As()
+{
+  int x = source<int>();
+  Microsoft::WRL::ComPtr<int> p1(new int(x));
+  Microsoft::WRL::ComPtr<int>* p2;
+  p1.As(p2);
+  sink(*p2->Get()); // $ ir MISSING: ast
+}
+
+void test_CopyTo()
+{
+  int x = source<int>();
+  Microsoft::WRL::ComPtr<int> p1(new int(x));
+  int *raw = nullptr;
+  p1.CopyTo(&raw);
+  sink(*raw); // $ ir MISSING: ast
+
+  Microsoft::WRL::ComPtr<int> p2;
+  p1.CopyTo(nullptr, (void**)&raw);
+  sink(*raw); // $ ir MISSING: ast
+
+  Microsoft::WRL::ComPtr<int> p3(new int(x));
+
+  int* raw2 = nullptr;
+  p3.CopyTo<int>(&raw2);
+  sink(*raw2); // $ ir MISSING: ast
+}
+
+void test_Swap()
+{
+  int x = source<int>();
+  Microsoft::WRL::ComPtr<int> p1(new int(x));
+  Microsoft::WRL::ComPtr<int> p2;
+  p1.Swap(p2);
+  sink(*p2.Get()); // $ ir MISSING: ast
+  sink(*p1.Get()); // $ SPURIOUS: ir
+}
+
+void test_GetAddressOf()
+{
+  int x = source<int>();
+  Microsoft::WRL::ComPtr<int> p1(new int(x));
+  sink(**p1.GetAddressOf()); // $ ir MISSING: ast
+ 
+  const Microsoft::WRL::ComPtr<int> p2(new int(x));
+  sink(**p2.GetAddressOf()); // $ ir MISSING: ast
+
+  Microsoft::WRL::ComPtr<int> p3(new int(x));
+  int **pp = p3.ReleaseAndGetAddressOf();
+  sink(**pp); // $ ir MISSING: ast
+}
+
+struct S {
+  int x;
+};
+
+void test_address_of_deref_operators() {
+  int x = source<int>();
+  Microsoft::WRL::ComPtr<int> p1(new int(x));
+  Microsoft::WRL::Details::ComPtrRef<Microsoft::WRL::ComPtr<int>> pp = &p1;
+  Microsoft::WRL::ComPtr<int>* qq = *pp;
+  sink(*qq->Get()); // $ ir MISSING: ast
+  
+  const Microsoft::WRL::ComPtr<int> p2(new int(x));
+  Microsoft::WRL::Details::ComPtrRef<const Microsoft::WRL::ComPtr<int>> pp2 = &p2;
+  const Microsoft::WRL::ComPtr<int>* qq2 = *pp2;
+  sink(*qq2->Get()); // $ ir MISSING: ast
+
+  S s;
+  s.x = source<int>();
+  Microsoft::WRL::ComPtr<S> p3(&s);
+  sink(p3->x); // $ ir MISSING: ast
+}
+
+void test_assignments() {
+  Microsoft::WRL::ComPtr<int> p1;
+  p1 = new int(source<int>());
+  sink(*p1.Get()); // $ ir MISSING: ast
+
+  Microsoft::WRL::ComPtr<int> p2;
+  p2 = new long(source<long>());
+  sink(*p2.Get()); // $ ir MISSING: ast
+
+  Microsoft::WRL::ComPtr<int> p3;
+  p3 = p1;
+  sink(*p3.Get()); // $ ir MISSING: ast
+
+  Microsoft::WRL::ComPtr<long> p4;
+  p4 = p1;
+  sink(*p4.Get()); // $ ir MISSING: ast
+
+  Microsoft::WRL::ComPtr<int> p5;
+  p5 = std::move(p1);
+  sink(*p5.Get()); // $ ir MISSING: ast
+
+  Microsoft::WRL::ComPtr<long> p6;
+  p6 = std::move(p1);
+  sink(*p6.Get()); // $ ir MISSING: ast
 }

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -1278,6 +1278,223 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | atl.cpp:1240:22:1240:30 | call to CStrBufT | atl.cpp:1241:46:1241:46 | b |  |
 | atl.cpp:1240:22:1240:30 | call to CStrBufT | atl.cpp:1242:45:1242:45 | b |  |
 | atl.cpp:1241:46:1241:46 | ref arg b | atl.cpp:1242:45:1242:45 | b |  |
+| atl.cpp:1348:31:1348:32 | call to ComPtr | atl.cpp:1349:9:1349:10 | p0 |  |
+| atl.cpp:1348:31:1348:32 | call to ComPtr | atl.cpp:1361:1:1361:1 | p0 |  |
+| atl.cpp:1349:9:1349:10 | ref arg p0 | atl.cpp:1361:1:1361:1 | p0 |  |
+| atl.cpp:1349:12:1349:14 | call to Get | atl.cpp:1349:8:1349:16 | * ... | TAINT |
+| atl.cpp:1351:11:1351:21 | call to source | atl.cpp:1352:42:1352:42 | x |  |
+| atl.cpp:1352:34:1352:43 | new | atl.cpp:1352:34:1352:44 | call to ComPtr | TAINT |
+| atl.cpp:1352:34:1352:44 | call to ComPtr | atl.cpp:1353:9:1353:10 | p1 |  |
+| atl.cpp:1352:34:1352:44 | call to ComPtr | atl.cpp:1354:9:1354:10 | p1 |  |
+| atl.cpp:1352:34:1352:44 | call to ComPtr | atl.cpp:1356:34:1356:35 | p1 |  |
+| atl.cpp:1352:34:1352:44 | call to ComPtr | atl.cpp:1359:44:1359:45 | p1 |  |
+| atl.cpp:1352:34:1352:44 | call to ComPtr | atl.cpp:1361:1:1361:1 | p1 |  |
+| atl.cpp:1352:42:1352:42 | x | atl.cpp:1352:34:1352:43 | new |  |
+| atl.cpp:1353:9:1353:10 | ref arg p1 | atl.cpp:1354:9:1354:10 | p1 |  |
+| atl.cpp:1353:9:1353:10 | ref arg p1 | atl.cpp:1356:34:1356:35 | p1 |  |
+| atl.cpp:1353:9:1353:10 | ref arg p1 | atl.cpp:1359:44:1359:45 | p1 |  |
+| atl.cpp:1353:9:1353:10 | ref arg p1 | atl.cpp:1361:1:1361:1 | p1 |  |
+| atl.cpp:1353:12:1353:14 | call to Get | atl.cpp:1353:8:1353:16 | * ... | TAINT |
+| atl.cpp:1354:9:1354:10 | ref arg p1 | atl.cpp:1356:34:1356:35 | p1 |  |
+| atl.cpp:1354:9:1354:10 | ref arg p1 | atl.cpp:1359:44:1359:45 | p1 |  |
+| atl.cpp:1354:9:1354:10 | ref arg p1 | atl.cpp:1361:1:1361:1 | p1 |  |
+| atl.cpp:1354:12:1354:17 | call to Detach | atl.cpp:1354:8:1354:19 | * ... | TAINT |
+| atl.cpp:1356:34:1356:35 | p1 | atl.cpp:1356:34:1356:36 | call to ComPtr |  |
+| atl.cpp:1356:34:1356:36 | call to ComPtr | atl.cpp:1357:9:1357:10 | p2 |  |
+| atl.cpp:1356:34:1356:36 | call to ComPtr | atl.cpp:1361:1:1361:1 | p2 |  |
+| atl.cpp:1357:9:1357:10 | ref arg p2 | atl.cpp:1361:1:1361:1 | p2 |  |
+| atl.cpp:1357:12:1357:14 | call to Get | atl.cpp:1357:8:1357:16 | * ... | TAINT |
+| atl.cpp:1359:34:1359:42 | call to move | atl.cpp:1359:34:1359:47 | call to ComPtr | TAINT |
+| atl.cpp:1359:34:1359:42 | ref arg call to move | atl.cpp:1359:44:1359:45 | p1 [inner post update] |  |
+| atl.cpp:1359:34:1359:42 | ref arg call to move | atl.cpp:1361:1:1361:1 | p1 |  |
+| atl.cpp:1359:34:1359:47 | call to ComPtr | atl.cpp:1360:9:1360:10 | p3 |  |
+| atl.cpp:1359:34:1359:47 | call to ComPtr | atl.cpp:1361:1:1361:1 | p3 |  |
+| atl.cpp:1359:44:1359:45 | p1 | atl.cpp:1359:34:1359:42 | call to move | TAINT |
+| atl.cpp:1359:44:1359:45 | p1 | atl.cpp:1359:34:1359:47 | call to ComPtr |  |
+| atl.cpp:1360:9:1360:10 | ref arg p3 | atl.cpp:1361:1:1361:1 | p3 |  |
+| atl.cpp:1360:12:1360:14 | call to Get | atl.cpp:1360:8:1360:16 | * ... | TAINT |
+| atl.cpp:1365:11:1365:21 | call to source | atl.cpp:1366:42:1366:42 | x |  |
+| atl.cpp:1366:34:1366:43 | new | atl.cpp:1366:34:1366:44 | call to ComPtr | TAINT |
+| atl.cpp:1366:34:1366:44 | call to ComPtr | atl.cpp:1368:3:1368:4 | p1 |  |
+| atl.cpp:1366:34:1366:44 | call to ComPtr | atl.cpp:1370:1:1370:1 | p1 |  |
+| atl.cpp:1366:42:1366:42 | x | atl.cpp:1366:34:1366:43 | new |  |
+| atl.cpp:1367:32:1367:33 | p2 | atl.cpp:1368:9:1368:10 | p2 |  |
+| atl.cpp:1367:32:1367:33 | p2 | atl.cpp:1369:9:1369:10 | p2 |  |
+| atl.cpp:1368:9:1368:10 | ref arg p2 | atl.cpp:1369:9:1369:10 | p2 |  |
+| atl.cpp:1369:13:1369:15 | call to Get | atl.cpp:1369:8:1369:17 | * ... | TAINT |
+| atl.cpp:1374:11:1374:21 | call to source | atl.cpp:1375:42:1375:42 | x |  |
+| atl.cpp:1374:11:1374:21 | call to source | atl.cpp:1384:42:1384:42 | x |  |
+| atl.cpp:1375:34:1375:43 | new | atl.cpp:1375:34:1375:44 | call to ComPtr | TAINT |
+| atl.cpp:1375:34:1375:44 | call to ComPtr | atl.cpp:1377:3:1377:4 | p1 |  |
+| atl.cpp:1375:34:1375:44 | call to ComPtr | atl.cpp:1381:3:1381:4 | p1 |  |
+| atl.cpp:1375:34:1375:44 | call to ComPtr | atl.cpp:1389:1:1389:1 | p1 |  |
+| atl.cpp:1375:42:1375:42 | x | atl.cpp:1375:34:1375:43 | new |  |
+| atl.cpp:1376:14:1376:20 | 0 | atl.cpp:1377:14:1377:16 | raw |  |
+| atl.cpp:1376:14:1376:20 | 0 | atl.cpp:1378:9:1378:11 | raw |  |
+| atl.cpp:1376:14:1376:20 | 0 | atl.cpp:1381:31:1381:33 | raw |  |
+| atl.cpp:1376:14:1376:20 | 0 | atl.cpp:1382:9:1382:11 | raw |  |
+| atl.cpp:1377:3:1377:4 | ref arg p1 | atl.cpp:1381:3:1381:4 | p1 |  |
+| atl.cpp:1377:3:1377:4 | ref arg p1 | atl.cpp:1389:1:1389:1 | p1 |  |
+| atl.cpp:1377:13:1377:16 | ref arg & ... | atl.cpp:1377:14:1377:16 | raw [inner post update] |  |
+| atl.cpp:1377:13:1377:16 | ref arg & ... | atl.cpp:1378:9:1378:11 | raw |  |
+| atl.cpp:1377:13:1377:16 | ref arg & ... | atl.cpp:1381:31:1381:33 | raw |  |
+| atl.cpp:1377:13:1377:16 | ref arg & ... | atl.cpp:1382:9:1382:11 | raw |  |
+| atl.cpp:1377:14:1377:16 | raw | atl.cpp:1377:13:1377:16 | & ... |  |
+| atl.cpp:1378:9:1378:11 | raw | atl.cpp:1378:8:1378:11 | * ... | TAINT |
+| atl.cpp:1380:31:1380:32 | call to ComPtr | atl.cpp:1389:1:1389:1 | p2 |  |
+| atl.cpp:1381:30:1381:33 | ref arg & ... | atl.cpp:1381:31:1381:33 | raw [inner post update] |  |
+| atl.cpp:1381:30:1381:33 | ref arg & ... | atl.cpp:1382:9:1382:11 | raw |  |
+| atl.cpp:1381:31:1381:33 | raw | atl.cpp:1381:30:1381:33 | & ... |  |
+| atl.cpp:1382:9:1382:11 | raw | atl.cpp:1382:8:1382:11 | * ... | TAINT |
+| atl.cpp:1384:34:1384:43 | new | atl.cpp:1384:34:1384:44 | call to ComPtr | TAINT |
+| atl.cpp:1384:34:1384:44 | call to ComPtr | atl.cpp:1387:3:1387:4 | p3 |  |
+| atl.cpp:1384:34:1384:44 | call to ComPtr | atl.cpp:1389:1:1389:1 | p3 |  |
+| atl.cpp:1384:42:1384:42 | x | atl.cpp:1384:34:1384:43 | new |  |
+| atl.cpp:1386:15:1386:21 | 0 | atl.cpp:1387:19:1387:22 | raw2 |  |
+| atl.cpp:1386:15:1386:21 | 0 | atl.cpp:1388:9:1388:12 | raw2 |  |
+| atl.cpp:1387:18:1387:22 | ref arg & ... | atl.cpp:1387:19:1387:22 | raw2 [inner post update] |  |
+| atl.cpp:1387:18:1387:22 | ref arg & ... | atl.cpp:1388:9:1388:12 | raw2 |  |
+| atl.cpp:1387:19:1387:22 | raw2 | atl.cpp:1387:18:1387:22 | & ... |  |
+| atl.cpp:1388:9:1388:12 | raw2 | atl.cpp:1388:8:1388:12 | * ... | TAINT |
+| atl.cpp:1393:11:1393:21 | call to source | atl.cpp:1394:42:1394:42 | x |  |
+| atl.cpp:1394:34:1394:43 | new | atl.cpp:1394:34:1394:44 | call to ComPtr | TAINT |
+| atl.cpp:1394:34:1394:44 | call to ComPtr | atl.cpp:1396:3:1396:4 | p1 |  |
+| atl.cpp:1394:34:1394:44 | call to ComPtr | atl.cpp:1398:9:1398:10 | p1 |  |
+| atl.cpp:1394:34:1394:44 | call to ComPtr | atl.cpp:1399:1:1399:1 | p1 |  |
+| atl.cpp:1394:42:1394:42 | x | atl.cpp:1394:34:1394:43 | new |  |
+| atl.cpp:1395:31:1395:32 | call to ComPtr | atl.cpp:1396:11:1396:12 | p2 |  |
+| atl.cpp:1395:31:1395:32 | call to ComPtr | atl.cpp:1397:9:1397:10 | p2 |  |
+| atl.cpp:1395:31:1395:32 | call to ComPtr | atl.cpp:1399:1:1399:1 | p2 |  |
+| atl.cpp:1396:3:1396:4 | ref arg p1 | atl.cpp:1398:9:1398:10 | p1 |  |
+| atl.cpp:1396:3:1396:4 | ref arg p1 | atl.cpp:1399:1:1399:1 | p1 |  |
+| atl.cpp:1396:11:1396:12 | ref arg p2 | atl.cpp:1397:9:1397:10 | p2 |  |
+| atl.cpp:1396:11:1396:12 | ref arg p2 | atl.cpp:1399:1:1399:1 | p2 |  |
+| atl.cpp:1397:9:1397:10 | ref arg p2 | atl.cpp:1399:1:1399:1 | p2 |  |
+| atl.cpp:1397:12:1397:14 | call to Get | atl.cpp:1397:8:1397:16 | * ... | TAINT |
+| atl.cpp:1398:9:1398:10 | ref arg p1 | atl.cpp:1399:1:1399:1 | p1 |  |
+| atl.cpp:1398:12:1398:14 | call to Get | atl.cpp:1398:8:1398:16 | * ... | TAINT |
+| atl.cpp:1403:11:1403:21 | call to source | atl.cpp:1404:42:1404:42 | x |  |
+| atl.cpp:1403:11:1403:21 | call to source | atl.cpp:1407:48:1407:48 | x |  |
+| atl.cpp:1403:11:1403:21 | call to source | atl.cpp:1410:42:1410:42 | x |  |
+| atl.cpp:1404:34:1404:43 | new | atl.cpp:1404:34:1404:44 | call to ComPtr | TAINT |
+| atl.cpp:1404:34:1404:44 | call to ComPtr | atl.cpp:1405:10:1405:11 | p1 |  |
+| atl.cpp:1404:34:1404:44 | call to ComPtr | atl.cpp:1413:1:1413:1 | p1 |  |
+| atl.cpp:1404:42:1404:42 | x | atl.cpp:1404:34:1404:43 | new |  |
+| atl.cpp:1405:9:1405:26 | * ... | atl.cpp:1405:8:1405:26 | * ... | TAINT |
+| atl.cpp:1405:10:1405:11 | ref arg p1 | atl.cpp:1413:1:1413:1 | p1 |  |
+| atl.cpp:1405:13:1405:24 | call to GetAddressOf | atl.cpp:1405:9:1405:26 | * ... | TAINT |
+| atl.cpp:1407:40:1407:49 | new | atl.cpp:1407:40:1407:50 | call to ComPtr | TAINT |
+| atl.cpp:1407:40:1407:50 | call to ComPtr | atl.cpp:1408:10:1408:11 | p2 |  |
+| atl.cpp:1407:40:1407:50 | call to ComPtr | atl.cpp:1413:1:1413:1 | p2 |  |
+| atl.cpp:1407:48:1407:48 | x | atl.cpp:1407:40:1407:49 | new |  |
+| atl.cpp:1408:9:1408:26 | * ... | atl.cpp:1408:8:1408:26 | * ... | TAINT |
+| atl.cpp:1408:10:1408:11 | ref arg p2 | atl.cpp:1413:1:1413:1 | p2 |  |
+| atl.cpp:1408:13:1408:24 | call to GetAddressOf | atl.cpp:1408:9:1408:26 | * ... | TAINT |
+| atl.cpp:1410:34:1410:43 | new | atl.cpp:1410:34:1410:44 | call to ComPtr | TAINT |
+| atl.cpp:1410:34:1410:44 | call to ComPtr | atl.cpp:1411:14:1411:15 | p3 |  |
+| atl.cpp:1410:34:1410:44 | call to ComPtr | atl.cpp:1413:1:1413:1 | p3 |  |
+| atl.cpp:1410:42:1410:42 | x | atl.cpp:1410:34:1410:43 | new |  |
+| atl.cpp:1411:14:1411:15 | ref arg p3 | atl.cpp:1413:1:1413:1 | p3 |  |
+| atl.cpp:1411:17:1411:38 | call to ReleaseAndGetAddressOf | atl.cpp:1412:10:1412:11 | pp |  |
+| atl.cpp:1412:9:1412:11 | * ... | atl.cpp:1412:8:1412:11 | * ... | TAINT |
+| atl.cpp:1412:10:1412:11 | pp | atl.cpp:1412:9:1412:11 | * ... | TAINT |
+| atl.cpp:1420:11:1420:21 | call to source | atl.cpp:1421:42:1421:42 | x |  |
+| atl.cpp:1420:11:1420:21 | call to source | atl.cpp:1426:48:1426:48 | x |  |
+| atl.cpp:1421:34:1421:43 | new | atl.cpp:1421:34:1421:44 | call to ComPtr | TAINT |
+| atl.cpp:1421:34:1421:44 | call to ComPtr | atl.cpp:1422:73:1422:74 | p1 |  |
+| atl.cpp:1421:34:1421:44 | call to ComPtr | atl.cpp:1435:1:1435:1 | p1 |  |
+| atl.cpp:1421:42:1421:42 | x | atl.cpp:1421:34:1421:43 | new |  |
+| atl.cpp:1422:72:1422:72 | call to operator& | atl.cpp:1423:38:1423:39 | pp |  |
+| atl.cpp:1422:73:1422:74 | ref arg p1 | atl.cpp:1435:1:1435:1 | p1 |  |
+| atl.cpp:1423:37:1423:37 | call to operator* | atl.cpp:1424:9:1424:10 | qq |  |
+| atl.cpp:1424:13:1424:15 | call to Get | atl.cpp:1424:8:1424:17 | * ... | TAINT |
+| atl.cpp:1426:40:1426:49 | new | atl.cpp:1426:40:1426:50 | call to ComPtr | TAINT |
+| atl.cpp:1426:40:1426:50 | call to ComPtr | atl.cpp:1427:80:1427:81 | p2 |  |
+| atl.cpp:1426:40:1426:50 | call to ComPtr | atl.cpp:1435:1:1435:1 | p2 |  |
+| atl.cpp:1426:48:1426:48 | x | atl.cpp:1426:40:1426:49 | new |  |
+| atl.cpp:1427:79:1427:79 | call to operator& | atl.cpp:1428:45:1428:47 | pp2 |  |
+| atl.cpp:1428:44:1428:44 | call to operator* | atl.cpp:1429:9:1429:11 | qq2 |  |
+| atl.cpp:1429:14:1429:16 | call to Get | atl.cpp:1429:8:1429:18 | * ... | TAINT |
+| atl.cpp:1431:5:1431:5 | s | atl.cpp:1432:3:1432:3 | s |  |
+| atl.cpp:1431:5:1431:5 | s | atl.cpp:1433:33:1433:33 | s |  |
+| atl.cpp:1432:3:1432:3 | s [post update] | atl.cpp:1433:33:1433:33 | s |  |
+| atl.cpp:1432:3:1432:21 | ... = ... | atl.cpp:1432:5:1432:5 | x [post update] |  |
+| atl.cpp:1432:9:1432:19 | call to source | atl.cpp:1432:3:1432:21 | ... = ... |  |
+| atl.cpp:1433:32:1433:33 | & ... | atl.cpp:1433:32:1433:34 | call to ComPtr | TAINT |
+| atl.cpp:1433:32:1433:33 | ref arg & ... | atl.cpp:1433:33:1433:33 | s [inner post update] |  |
+| atl.cpp:1433:32:1433:34 | call to ComPtr | atl.cpp:1434:8:1434:9 | p3 |  |
+| atl.cpp:1433:32:1433:34 | call to ComPtr | atl.cpp:1435:1:1435:1 | p3 |  |
+| atl.cpp:1433:33:1433:33 | s | atl.cpp:1433:32:1433:33 | & ... |  |
+| atl.cpp:1434:8:1434:9 | ref arg p3 | atl.cpp:1435:1:1435:1 | p3 |  |
+| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1439:3:1439:4 | p1 |  |
+| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1440:9:1440:10 | p1 |  |
+| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1447:8:1447:9 | p1 |  |
+| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1451:8:1451:9 | p1 |  |
+| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1455:18:1455:19 | p1 |  |
+| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1459:18:1459:19 | p1 |  |
+| atl.cpp:1438:31:1438:32 | call to ComPtr | atl.cpp:1461:1:1461:1 | p1 |  |
+| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1440:9:1440:10 | p1 |  |
+| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1447:8:1447:9 | p1 |  |
+| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1451:8:1451:9 | p1 |  |
+| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1455:18:1455:19 | p1 |  |
+| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1459:18:1459:19 | p1 |  |
+| atl.cpp:1439:3:1439:4 | ref arg p1 | atl.cpp:1461:1:1461:1 | p1 |  |
+| atl.cpp:1439:16:1439:26 | call to source | atl.cpp:1439:8:1439:29 | new |  |
+| atl.cpp:1440:9:1440:10 | ref arg p1 | atl.cpp:1447:8:1447:9 | p1 |  |
+| atl.cpp:1440:9:1440:10 | ref arg p1 | atl.cpp:1451:8:1451:9 | p1 |  |
+| atl.cpp:1440:9:1440:10 | ref arg p1 | atl.cpp:1455:18:1455:19 | p1 |  |
+| atl.cpp:1440:9:1440:10 | ref arg p1 | atl.cpp:1459:18:1459:19 | p1 |  |
+| atl.cpp:1440:9:1440:10 | ref arg p1 | atl.cpp:1461:1:1461:1 | p1 |  |
+| atl.cpp:1440:12:1440:14 | call to Get | atl.cpp:1440:8:1440:16 | * ... | TAINT |
+| atl.cpp:1442:31:1442:32 | call to ComPtr | atl.cpp:1443:3:1443:4 | p2 |  |
+| atl.cpp:1442:31:1442:32 | call to ComPtr | atl.cpp:1444:9:1444:10 | p2 |  |
+| atl.cpp:1442:31:1442:32 | call to ComPtr | atl.cpp:1461:1:1461:1 | p2 |  |
+| atl.cpp:1443:3:1443:4 | ref arg p2 | atl.cpp:1444:9:1444:10 | p2 |  |
+| atl.cpp:1443:3:1443:4 | ref arg p2 | atl.cpp:1461:1:1461:1 | p2 |  |
+| atl.cpp:1443:17:1443:28 | call to source | atl.cpp:1443:8:1443:31 | new |  |
+| atl.cpp:1444:9:1444:10 | ref arg p2 | atl.cpp:1461:1:1461:1 | p2 |  |
+| atl.cpp:1444:12:1444:14 | call to Get | atl.cpp:1444:8:1444:16 | * ... | TAINT |
+| atl.cpp:1446:31:1446:32 | call to ComPtr | atl.cpp:1447:3:1447:4 | p3 |  |
+| atl.cpp:1446:31:1446:32 | call to ComPtr | atl.cpp:1448:9:1448:10 | p3 |  |
+| atl.cpp:1446:31:1446:32 | call to ComPtr | atl.cpp:1461:1:1461:1 | p3 |  |
+| atl.cpp:1447:3:1447:4 | ref arg p3 | atl.cpp:1448:9:1448:10 | p3 |  |
+| atl.cpp:1447:3:1447:4 | ref arg p3 | atl.cpp:1461:1:1461:1 | p3 |  |
+| atl.cpp:1447:8:1447:9 | p1 | atl.cpp:1447:3:1447:4 | ref arg p3 | TAINT |
+| atl.cpp:1447:8:1447:9 | p1 | atl.cpp:1447:6:1447:6 | call to operator= | TAINT |
+| atl.cpp:1448:9:1448:10 | ref arg p3 | atl.cpp:1461:1:1461:1 | p3 |  |
+| atl.cpp:1448:12:1448:14 | call to Get | atl.cpp:1448:8:1448:16 | * ... | TAINT |
+| atl.cpp:1450:32:1450:33 | call to ComPtr | atl.cpp:1451:3:1451:4 | p4 |  |
+| atl.cpp:1450:32:1450:33 | call to ComPtr | atl.cpp:1452:9:1452:10 | p4 |  |
+| atl.cpp:1450:32:1450:33 | call to ComPtr | atl.cpp:1461:1:1461:1 | p4 |  |
+| atl.cpp:1451:3:1451:4 | ref arg p4 | atl.cpp:1452:9:1452:10 | p4 |  |
+| atl.cpp:1451:3:1451:4 | ref arg p4 | atl.cpp:1461:1:1461:1 | p4 |  |
+| atl.cpp:1452:9:1452:10 | ref arg p4 | atl.cpp:1461:1:1461:1 | p4 |  |
+| atl.cpp:1452:12:1452:14 | call to Get | atl.cpp:1452:8:1452:16 | * ... | TAINT |
+| atl.cpp:1454:31:1454:32 | call to ComPtr | atl.cpp:1455:3:1455:4 | p5 |  |
+| atl.cpp:1454:31:1454:32 | call to ComPtr | atl.cpp:1456:9:1456:10 | p5 |  |
+| atl.cpp:1454:31:1454:32 | call to ComPtr | atl.cpp:1461:1:1461:1 | p5 |  |
+| atl.cpp:1455:3:1455:4 | ref arg p5 | atl.cpp:1456:9:1456:10 | p5 |  |
+| atl.cpp:1455:3:1455:4 | ref arg p5 | atl.cpp:1461:1:1461:1 | p5 |  |
+| atl.cpp:1455:8:1455:16 | call to move | atl.cpp:1455:3:1455:4 | ref arg p5 | TAINT |
+| atl.cpp:1455:8:1455:16 | call to move | atl.cpp:1455:6:1455:6 | call to operator= | TAINT |
+| atl.cpp:1455:8:1455:16 | ref arg call to move | atl.cpp:1455:18:1455:19 | p1 [inner post update] |  |
+| atl.cpp:1455:8:1455:16 | ref arg call to move | atl.cpp:1459:18:1459:19 | p1 |  |
+| atl.cpp:1455:8:1455:16 | ref arg call to move | atl.cpp:1461:1:1461:1 | p1 |  |
+| atl.cpp:1455:18:1455:19 | p1 | atl.cpp:1455:3:1455:4 | ref arg p5 | TAINT |
+| atl.cpp:1455:18:1455:19 | p1 | atl.cpp:1455:6:1455:6 | call to operator= | TAINT |
+| atl.cpp:1455:18:1455:19 | p1 | atl.cpp:1455:8:1455:16 | call to move | TAINT |
+| atl.cpp:1456:9:1456:10 | ref arg p5 | atl.cpp:1461:1:1461:1 | p5 |  |
+| atl.cpp:1456:12:1456:14 | call to Get | atl.cpp:1456:8:1456:16 | * ... | TAINT |
+| atl.cpp:1458:32:1458:33 | call to ComPtr | atl.cpp:1459:3:1459:4 | p6 |  |
+| atl.cpp:1458:32:1458:33 | call to ComPtr | atl.cpp:1460:9:1460:10 | p6 |  |
+| atl.cpp:1458:32:1458:33 | call to ComPtr | atl.cpp:1461:1:1461:1 | p6 |  |
+| atl.cpp:1459:3:1459:4 | ref arg p6 | atl.cpp:1460:9:1460:10 | p6 |  |
+| atl.cpp:1459:3:1459:4 | ref arg p6 | atl.cpp:1461:1:1461:1 | p6 |  |
+| atl.cpp:1459:8:1459:16 | ref arg call to move | atl.cpp:1459:18:1459:19 | p1 [inner post update] |  |
+| atl.cpp:1459:8:1459:16 | ref arg call to move | atl.cpp:1461:1:1461:1 | p1 |  |
+| atl.cpp:1459:18:1459:19 | p1 | atl.cpp:1459:8:1459:16 | call to move | TAINT |
+| atl.cpp:1460:9:1460:10 | ref arg p6 | atl.cpp:1461:1:1461:1 | p6 |  |
+| atl.cpp:1460:12:1460:14 | call to Get | atl.cpp:1460:8:1460:16 | * ... | TAINT |
 | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s |  |
 | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr |  |
 | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr |  |

cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected

@@ -5567,6 +5567,31 @@ signatureMatches
 | atl.cpp:1231:5:1231:12 | CStrBufT | (const char *,const char *,unsigned long) |  | __ngettext | 2 |
 | atl.cpp:1231:5:1231:12 | CStrBufT | (unsigned char *,int,unsigned long) |  | UTF8_putc | 1 |
 | atl.cpp:1231:5:1231:12 | CStrBufT | (unsigned char *,int,unsigned long) |  | UTF8_putc | 2 |
+| atl.cpp:1286:5:1286:10 | ComPtr | (const ComPtr &) | ComPtr | ComPtr | 0 |
+| atl.cpp:1286:5:1286:10 | ComPtr | (const ComPtr &) | ComPtr | operator= | 0 |
+| atl.cpp:1287:5:1287:10 | ComPtr | (ComPtr &&) | ComPtr | ComPtr | 0 |
+| atl.cpp:1287:5:1287:10 | ComPtr | (ComPtr &&) | ComPtr | operator= | 0 |
+| atl.cpp:1290:5:1290:10 | ComPtr | (T *) | ComPtr | ComPtr<T> | 0 |
+| atl.cpp:1290:5:1290:10 | ComPtr | (T *) | ComPtr | ComPtr<T> | 0 |
+| atl.cpp:1290:5:1290:10 | ComPtr | (U *) | ComPtr | operator=<U> | 0 |
+| atl.cpp:1290:5:1290:10 | ComPtr | (U *) | ComPtr | operator=<U> | 0 |
+| atl.cpp:1301:13:1301:18 | CopyTo | (T **) | ComPtr<T> | CopyTo | 0 |
+| atl.cpp:1303:13:1303:18 | CopyTo | (Curl_easy *,void **) |  | Curl_resolver_init | 1 |
+| atl.cpp:1303:13:1303:18 | CopyTo | (REFIID,void **) | ComPtr | CopyTo | 0 |
+| atl.cpp:1303:13:1303:18 | CopyTo | (REFIID,void **) | ComPtr | CopyTo | 1 |
+| atl.cpp:1303:13:1303:18 | CopyTo | (size_t,void **) |  | __libc_alloc_buffer_allocate | 1 |
+| atl.cpp:1306:13:1306:18 | CopyTo | (T **) | ComPtr | CopyTo<T> | 0 |
+| atl.cpp:1328:13:1328:21 | operator= | (T *) | ComPtr<T> | operator= | 0 |
+| atl.cpp:1330:13:1330:21 | operator= | (T *) | ComPtr | ComPtr<T> | 0 |
+| atl.cpp:1330:13:1330:21 | operator= | (U *) | ComPtr | operator=<U> | 0 |
+| atl.cpp:1331:13:1331:21 | operator= | (const ComPtr &) | ComPtr | ComPtr | 0 |
+| atl.cpp:1331:13:1331:21 | operator= | (const ComPtr &) | ComPtr | operator= | 0 |
+| atl.cpp:1333:13:1333:21 | operator= | (const ComPtr &) | ComPtr | ComPtr | 0 |
+| atl.cpp:1333:13:1333:21 | operator= | (const ComPtr &) | ComPtr | operator= | 0 |
+| atl.cpp:1334:13:1334:21 | operator= | (ComPtr &&) | ComPtr | ComPtr | 0 |
+| atl.cpp:1334:13:1334:21 | operator= | (ComPtr &&) | ComPtr | operator= | 0 |
+| atl.cpp:1336:13:1336:21 | operator= | (ComPtr &&) | ComPtr | ComPtr | 0 |
+| atl.cpp:1336:13:1336:21 | operator= | (ComPtr &&) | ComPtr | operator= | 0 |
 | bsd.cpp:12:5:12:10 | accept | (CURLM *,curl_socket_t,int *) |  | curl_multi_socket | 2 |
 | bsd.cpp:12:5:12:10 | accept | (Curl_easy *,ssize_t *,int *) |  | Curl_GetFTPResponse | 2 |
 | bsd.cpp:12:5:12:10 | accept | (EVP_CIPHER_CTX *,unsigned char *,int *) |  | EVP_CipherFinal | 2 |
@@ -9386,6 +9411,8 @@ signatureMatches
 | stl.h:333:42:333:47 | insert | (const_iterator,InputIt,InputIt) | vector | insert<InputIt> | 2 |
 | stl.h:333:42:333:47 | insert | (const_iterator,InputIt,InputIt) | vector | insert<InputIt> | 2 |
 | stl.h:335:37:335:43 | emplace | (format_string,Args &&) |  | format<Args> | 1 |
+| stl.h:351:12:351:21 | shared_ptr | (T *) | ComPtr<T> | operator= | 0 |
+| stl.h:369:12:369:21 | unique_ptr | (T *) | ComPtr<T> | operator= | 0 |
 | stl.h:396:3:396:3 | pair | (const deque &,const Allocator &) | deque<T,Allocator> | deque | 1 |
 | stl.h:396:3:396:3 | pair | (const deque &,const Allocator &) | deque<T,Allocator> | deque | 1 |
 | stl.h:396:3:396:3 | pair | (const deque &,const Allocator &) | deque<T,Allocator> | deque | 1 |
@@ -21750,6 +21777,8 @@ getSignatureParameterName
 | (CURLU *,const char *,char **,OperationConfig *) |  | ipfs_url_rewrite | 1 | const char * |
 | (CURLU *,const char *,char **,OperationConfig *) |  | ipfs_url_rewrite | 2 | char ** |
 | (CURLU *,const char *,char **,OperationConfig *) |  | ipfs_url_rewrite | 3 | OperationConfig * |
+| (ComPtr &&) | ComPtr | ComPtr | 0 | ComPtr && |
+| (ComPtr &&) | ComPtr | operator= | 0 | ComPtr && |
 | (CompoundDictionary *,const PreparedDictionary *) |  | AttachPreparedDictionary | 0 | CompoundDictionary * |
 | (CompoundDictionary *,const PreparedDictionary *) |  | AttachPreparedDictionary | 1 | const PreparedDictionary * |
 | (Curl_cfilter *) |  | Curl_conn_cf_is_ssl | 0 | Curl_cfilter * |
@@ -28580,6 +28609,8 @@ getSignatureParameterName
 | (RAND_POOL *,unsigned int) |  | ossl_rand_pool_bytes_needed | 1 | unsigned int |
 | (RECORD_LAYER *,SSL_CONNECTION *) |  | RECORD_LAYER_init | 0 | RECORD_LAYER * |
 | (RECORD_LAYER *,SSL_CONNECTION *) |  | RECORD_LAYER_init | 1 | SSL_CONNECTION * |
+| (REFIID,void **) | ComPtr | CopyTo | 0 | REFIID |
+| (REFIID,void **) | ComPtr | CopyTo | 1 | void ** |
 | (RIO_NOTIFIER *) |  | ossl_rio_notifier_cleanup | 0 | RIO_NOTIFIER * |
 | (RIPEMD160_CTX *,const unsigned char *) |  | RIPEMD160_Transform | 0 | RIPEMD160_CTX * |
 | (RIPEMD160_CTX *,const unsigned char *) |  | RIPEMD160_Transform | 1 | const unsigned char * |
@@ -30163,6 +30194,10 @@ getSignatureParameterName
 | (Strtab *,const char *,size_t) |  | strtabadd | 2 | size_t |
 | (Strtab *,size_t *) |  | strtabfinalize | 0 | Strtab * |
 | (Strtab *,size_t *) |  | strtabfinalize | 1 | size_t * |
+| (T *) | ComPtr | ComPtr<T> | 0 | func:0 * |
+| (T *) | ComPtr<T> | operator= | 0 | class:0 * |
+| (T **) | ComPtr | CopyTo<T> | 0 | func:0 ** |
+| (T **) | ComPtr<T> | CopyTo | 0 | class:0 ** |
 | (TLS_FEATURE *) |  | TLS_FEATURE_free | 0 | TLS_FEATURE * |
 | (TLS_RL_RECORD *,const unsigned char *) |  | ossl_tls_rl_record_set_seq_num | 0 | TLS_RL_RECORD * |
 | (TLS_RL_RECORD *,const unsigned char *) |  | ossl_tls_rl_record_set_seq_num | 1 | const unsigned char * |
@@ -30355,6 +30390,7 @@ getSignatureParameterName
 | (TXT_DB *,int,..(*)(..),OPENSSL_LH_HASHFUNC,OPENSSL_LH_COMPFUNC) |  | TXT_DB_create_index | 2 | ..(*)(..) |
 | (TXT_DB *,int,..(*)(..),OPENSSL_LH_HASHFUNC,OPENSSL_LH_COMPFUNC) |  | TXT_DB_create_index | 3 | OPENSSL_LH_HASHFUNC |
 | (TXT_DB *,int,..(*)(..),OPENSSL_LH_HASHFUNC,OPENSSL_LH_COMPFUNC) |  | TXT_DB_create_index | 4 | OPENSSL_LH_COMPFUNC |
+| (U *) | ComPtr | operator=<U> | 0 | func:0 * |
 | (UI *) |  | UI_get0_user_data | 0 | UI * |
 | (UI *) |  | UI_get_method | 0 | UI * |
 | (UI *,UI_STRING *,const char *) |  | UI_set_result | 0 | UI * |
@@ -33305,6 +33341,8 @@ getSignatureParameterName
 | (const CURLU *,CURLUPart,char **,unsigned int) |  | curl_url_get | 1 | CURLUPart |
 | (const CURLU *,CURLUPart,char **,unsigned int) |  | curl_url_get | 2 | char ** |
 | (const CURLU *,CURLUPart,char **,unsigned int) |  | curl_url_get | 3 | unsigned int |
+| (const ComPtr &) | ComPtr | ComPtr | 0 | const ComPtr & |
+| (const ComPtr &) | ComPtr | operator= | 0 | const ComPtr & |
 | (const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *) |  | BrotliBuildHistogramsWithContext | 0 | const Command * |
 | (const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *) |  | BrotliBuildHistogramsWithContext | 1 | const size_t |
 | (const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *) |  | BrotliBuildHistogramsWithContext | 2 | const BlockSplit * |
@@ -46404,6 +46442,27 @@ getParameterTypeName
 | atl.cpp:1231:5:1231:12 | CStrBufT | 1 | int |
 | atl.cpp:1231:5:1231:12 | CStrBufT | 2 | DWORD |
 | atl.cpp:1231:5:1231:12 | CStrBufT | 2 | unsigned long |
+| atl.cpp:1286:5:1286:10 | ComPtr | 0 | const ComPtr & |
+| atl.cpp:1287:5:1287:10 | ComPtr | 0 | ComPtr && |
+| atl.cpp:1290:5:1290:10 | ComPtr | 0 | func:0 * |
+| atl.cpp:1290:5:1290:10 | ComPtr | 0 | func:0 * |
+| atl.cpp:1295:13:1295:14 | As | 0 | ComPtr * |
+| atl.cpp:1301:13:1301:18 | CopyTo | 0 | Interfaceclass:0ype ** |
+| atl.cpp:1301:13:1301:18 | CopyTo | 0 | class:0 ** |
+| atl.cpp:1303:13:1303:18 | CopyTo | 0 | GUID * |
+| atl.cpp:1303:13:1303:18 | CopyTo | 0 | REFIID |
+| atl.cpp:1303:13:1303:18 | CopyTo | 1 | void ** |
+| atl.cpp:1306:13:1306:18 | CopyTo | 0 | func:0 ** |
+| atl.cpp:1321:10:1321:13 | Swap | 0 | ComPtr & |
+| atl.cpp:1328:13:1328:21 | operator= | 0 | class:0 * |
+| atl.cpp:1330:13:1330:21 | operator= | 0 | func:0 * |
+| atl.cpp:1331:13:1331:21 | operator= | 0 | const ComPtr & |
+| atl.cpp:1333:13:1333:21 | operator= | 0 | const ComPtr & |
+| atl.cpp:1334:13:1334:21 | operator= | 0 | ComPtr && |
+| atl.cpp:1336:13:1336:21 | operator= | 0 | ComPtr && |
+| atl.cpp:1343:25:1343:28 | move | 0 | func:0 & |
+| atl.cpp:1415:8:1415:8 | operator= | 0 | S && |
+| atl.cpp:1415:8:1415:8 | operator= | 0 | const S & |
 | bsd.cpp:6:8:6:8 | operator= | 0 | const sockaddr & |
 | bsd.cpp:6:8:6:8 | operator= | 0 | sockaddr && |
 | bsd.cpp:12:5:12:10 | accept | 0 | int |

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -24550,6 +24550,547 @@ ir.cpp:
 # 2771|                 Type = [LValueReferenceType] ThreeWay &
 # 2771|                 ValueCategory = prvalue
 # 2772|     getStmt(2): [ReturnStmt] return ...
+# 2774| [TopLevelFunction] void test_allocation_with_initializer()
+# 2774|   <params>: 
+# 2774|   getEntryPoint(): [BlockStmt] { ... }
+# 2775|     getStmt(0): [DeclStmt] declaration
+# 2775|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of p1
+# 2775|           Type = [IntPointerType] int *
+# 2775|         getVariable().getInitializer(): [Initializer] initializer for p1
+# 2775|           getExpr(): [NewExpr] new
+# 2775|               Type = [IntPointerType] int *
+# 2775|               ValueCategory = prvalue
+# 2775|             getInitializer(): [Literal] 42
+# 2775|                 Type = [IntType] int
+# 2775|                 Value = [Literal] 42
+# 2775|                 ValueCategory = prvalue
+# 2776|     getStmt(1): [DeclStmt] declaration
+# 2776|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of p2
+# 2776|           Type = [PointerType] long *
+# 2776|         getVariable().getInitializer(): [Initializer] initializer for p2
+# 2776|           getExpr(): [NewExpr] new
+# 2776|               Type = [PointerType] long *
+# 2776|               ValueCategory = prvalue
+# 2776|             getInitializer(): [Literal] 42
+# 2776|                 Type = [IntType] int
+# 2776|                 Value = [Literal] 42
+# 2776|                 ValueCategory = prvalue
+# 2776|             getInitializer().getFullyConverted(): [CStyleCast] (long)...
+# 2776|                 Conversion = [IntegralConversion] integral conversion
+# 2776|                 Type = [LongType] long
+# 2776|                 Value = [CStyleCast] 42
+# 2776|                 ValueCategory = prvalue
+# 2777|     getStmt(2): [ReturnStmt] return ...
+# 2779| [TopLevelFunction] void vla_sizeof_test(int, size_t, char)
+# 2779|   <params>: 
+# 2779|     getParameter(0): [Parameter] len1
+# 2779|         Type = [IntType] int
+# 2779|     getParameter(1): [Parameter] len2
+# 2779|         Type = [CTypedefType,Size_t] size_t
+# 2779|     getParameter(2): [Parameter] len3
+# 2779|         Type = [PlainCharType] char
+# 2779|   getEntryPoint(): [BlockStmt] { ... }
+# 2780|     getStmt(0): [DeclStmt] declaration
+# 2780|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp1
+# 2780|           Type = [ArrayType] char[]
+# 2780|     getStmt(1): [VlaDimensionStmt] VLA dimension size
+# 2780|       getDimensionExpr(): [VariableAccess] len1
+# 2780|           Type = [IntType] int
+# 2780|           ValueCategory = prvalue(load)
+# 2780|     getStmt(2): [VlaDeclStmt] VLA declaration
+# 2781|     getStmt(3): [DeclStmt] declaration
+# 2781|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of x
+# 2781|           Type = [CTypedefType,Size_t] size_t
+# 2781|         getVariable().getInitializer(): [Initializer] initializer for x
+# 2781|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2781|               Type = [LongType] unsigned long
+# 2781|               ValueCategory = prvalue
+# 2781|             getExprOperand(): [VariableAccess] tmp1
+# 2781|                 Type = [ArrayType] char[]
+# 2781|                 ValueCategory = lvalue
+# 2781|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2781|                 Type = [ArrayType] char[]
+# 2781|                 ValueCategory = lvalue
+# 2782|     getStmt(4): [DeclStmt] declaration
+# 2782|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp2
+# 2782|           Type = [ArrayType] int[][]
+# 2782|     getStmt(5): [VlaDimensionStmt] VLA dimension size
+# 2782|       getDimensionExpr(): [VariableAccess] len1
+# 2782|           Type = [IntType] int
+# 2782|           ValueCategory = prvalue(load)
+# 2782|     getStmt(6): [VlaDimensionStmt] VLA dimension size
+# 2782|       getDimensionExpr(): [VariableAccess] len2
+# 2782|           Type = [CTypedefType,Size_t] size_t
+# 2782|           ValueCategory = prvalue(load)
+# 2782|     getStmt(7): [VlaDeclStmt] VLA declaration
+# 2783|     getStmt(8): [DeclStmt] declaration
+# 2783|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of y
+# 2783|           Type = [CTypedefType,Size_t] size_t
+# 2783|         getVariable().getInitializer(): [Initializer] initializer for y
+# 2783|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2783|               Type = [LongType] unsigned long
+# 2783|               ValueCategory = prvalue
+# 2783|             getExprOperand(): [VariableAccess] tmp2
+# 2783|                 Type = [ArrayType] int[][]
+# 2783|                 ValueCategory = lvalue
+# 2783|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2783|                 Type = [ArrayType] int[][]
+# 2783|                 ValueCategory = lvalue
+# 2784|     getStmt(9): [DeclStmt] declaration
+# 2784|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of z
+# 2784|           Type = [CTypedefType,Size_t] size_t
+# 2784|         getVariable().getInitializer(): [Initializer] initializer for z
+# 2784|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2784|               Type = [LongType] unsigned long
+# 2784|               ValueCategory = prvalue
+# 2784|             getExprOperand(): [PointerDereferenceExpr] * ...
+# 2784|                 Type = [ArrayType] int[]
+# 2784|                 ValueCategory = lvalue
+# 2784|               getOperand(): [VariableAccess] tmp2
+# 2784|                   Type = [ArrayType] int[][]
+# 2784|                   ValueCategory = lvalue
+# 2784|               getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2784|                   Type = [PointerType] int(*)[]
+# 2784|                   ValueCategory = prvalue
+# 2784|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2784|                 Type = [ArrayType] int[]
+# 2784|                 ValueCategory = lvalue
+# 2785|     getStmt(10): [DeclStmt] declaration
+# 2785|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp3
+# 2785|           Type = [ArrayType] int[][][]
+# 2785|     getStmt(11): [VlaDimensionStmt] VLA dimension size
+# 2785|       getDimensionExpr(): [VariableAccess] len1
+# 2785|           Type = [IntType] int
+# 2785|           ValueCategory = prvalue(load)
+# 2785|     getStmt(12): [VlaDimensionStmt] VLA dimension size
+# 2785|       getDimensionExpr(): [VariableAccess] len2
+# 2785|           Type = [CTypedefType,Size_t] size_t
+# 2785|           ValueCategory = prvalue(load)
+# 2785|     getStmt(13): [VlaDimensionStmt] VLA dimension size
+# 2785|       getDimensionExpr(): [VariableAccess] len3
+# 2785|           Type = [PlainCharType] char
+# 2785|           ValueCategory = prvalue(load)
+# 2785|     getStmt(14): [VlaDeclStmt] VLA declaration
+# 2786|     getStmt(15): [DeclStmt] declaration
+# 2786|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of w
+# 2786|           Type = [CTypedefType,Size_t] size_t
+# 2786|         getVariable().getInitializer(): [Initializer] initializer for w
+# 2786|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2786|               Type = [LongType] unsigned long
+# 2786|               ValueCategory = prvalue
+# 2786|             getExprOperand(): [VariableAccess] tmp3
+# 2786|                 Type = [ArrayType] int[][][]
+# 2786|                 ValueCategory = lvalue
+# 2786|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2786|                 Type = [ArrayType] int[][][]
+# 2786|                 ValueCategory = lvalue
+# 2787|     getStmt(16): [DeclStmt] declaration
+# 2787|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of v
+# 2787|           Type = [CTypedefType,Size_t] size_t
+# 2787|         getVariable().getInitializer(): [Initializer] initializer for v
+# 2787|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2787|               Type = [LongType] unsigned long
+# 2787|               ValueCategory = prvalue
+# 2787|             getExprOperand(): [PointerDereferenceExpr] * ...
+# 2787|                 Type = [ArrayType] int[][]
+# 2787|                 ValueCategory = lvalue
+# 2787|               getOperand(): [VariableAccess] tmp3
+# 2787|                   Type = [ArrayType] int[][][]
+# 2787|                   ValueCategory = lvalue
+# 2787|               getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2787|                   Type = [PointerType] int(*)[][]
+# 2787|                   ValueCategory = prvalue
+# 2787|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2787|                 Type = [ArrayType] int[][]
+# 2787|                 ValueCategory = lvalue
+# 2788|     getStmt(17): [DeclStmt] declaration
+# 2788|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of u
+# 2788|           Type = [CTypedefType,Size_t] size_t
+# 2788|         getVariable().getInitializer(): [Initializer] initializer for u
+# 2788|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2788|               Type = [LongType] unsigned long
+# 2788|               ValueCategory = prvalue
+# 2788|             getExprOperand(): [PointerDereferenceExpr] * ...
+# 2788|                 Type = [ArrayType] int[]
+# 2788|                 ValueCategory = lvalue
+# 2788|               getOperand(): [PointerDereferenceExpr] * ...
+# 2788|                   Type = [ArrayType] int[][]
+# 2788|                   ValueCategory = lvalue
+# 2788|                 getOperand(): [VariableAccess] tmp3
+# 2788|                     Type = [ArrayType] int[][][]
+# 2788|                     ValueCategory = lvalue
+# 2788|                 getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2788|                     Type = [PointerType] int(*)[][]
+# 2788|                     ValueCategory = prvalue
+# 2788|               getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2788|                   Type = [PointerType] int(*)[]
+# 2788|                   ValueCategory = prvalue
+# 2788|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2788|                 Type = [ArrayType] int[]
+# 2788|                 ValueCategory = lvalue
+# 2789|     getStmt(18): [DeclStmt] declaration
+# 2789|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of t
+# 2789|           Type = [CTypedefType,Size_t] size_t
+# 2789|         getVariable().getInitializer(): [Initializer] initializer for t
+# 2789|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2789|               Type = [LongType] unsigned long
+# 2789|               Value = [SizeofExprOperator] 4
+# 2789|               ValueCategory = prvalue
+# 2789|             getExprOperand(): [PointerDereferenceExpr] * ...
+# 2789|                 Type = [IntType] int
+# 2789|                 ValueCategory = lvalue
+# 2789|               getOperand(): [PointerDereferenceExpr] * ...
+# 2789|                   Type = [ArrayType] int[]
+# 2789|                   ValueCategory = lvalue
+# 2789|                 getOperand(): [PointerDereferenceExpr] * ...
+# 2789|                     Type = [ArrayType] int[][]
+# 2789|                     ValueCategory = lvalue
+# 2789|                   getOperand(): [VariableAccess] tmp3
+# 2789|                       Type = [ArrayType] int[][][]
+# 2789|                       ValueCategory = lvalue
+# 2789|                   getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2789|                       Type = [PointerType] int(*)[][]
+# 2789|                       ValueCategory = prvalue
+# 2789|                 getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2789|                     Type = [PointerType] int(*)[]
+# 2789|                     ValueCategory = prvalue
+# 2789|               getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2789|                   Type = [IntPointerType] int *
+# 2789|                   ValueCategory = prvalue
+# 2789|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2789|                 Type = [IntType] int
+# 2789|                 ValueCategory = lvalue
+# 2790|     getStmt(19): [ReturnStmt] return ...
+# 2792| [TopLevelFunction] void vla_sizeof_test2(int, size_t, char)
+# 2792|   <params>: 
+# 2792|     getParameter(0): [Parameter] len1
+# 2792|         Type = [IntType] int
+# 2792|     getParameter(1): [Parameter] len2
+# 2792|         Type = [CTypedefType,Size_t] size_t
+# 2792|     getParameter(2): [Parameter] len3
+# 2792|         Type = [PlainCharType] char
+# 2792|   getEntryPoint(): [BlockStmt] { ... }
+# 2793|     getStmt(0): [DeclStmt] declaration
+# 2793|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp1
+# 2793|           Type = [ArrayType] int[][]
+# 2793|     getStmt(1): [VlaDimensionStmt] VLA dimension size
+# 2793|       getDimensionExpr(): [VariableAccess] len1
+# 2793|           Type = [IntType] int
+# 2793|           ValueCategory = prvalue(load)
+# 2793|     getStmt(2): [VlaDimensionStmt] VLA dimension size
+# 2793|       getDimensionExpr(): [VariableAccess] len2
+# 2793|           Type = [CTypedefType,Size_t] size_t
+# 2793|           ValueCategory = prvalue(load)
+# 2793|     getStmt(3): [VlaDeclStmt] VLA declaration
+# 2794|     getStmt(4): [DeclStmt] declaration
+# 2794|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of z
+# 2794|           Type = [CTypedefType,Size_t] size_t
+# 2794|         getVariable().getInitializer(): [Initializer] initializer for z
+# 2794|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2794|               Type = [LongType] unsigned long
+# 2794|               ValueCategory = prvalue
+# 2794|             getExprOperand(): [ArrayExpr] access to array
+# 2794|                 Type = [ArrayType] int[]
+# 2794|                 ValueCategory = lvalue
+# 2794|               getArrayBase(): [VariableAccess] tmp1
+# 2794|                   Type = [ArrayType] int[][]
+# 2794|                   ValueCategory = lvalue
+# 2794|               getArrayOffset(): [Literal] 1
+# 2794|                   Type = [IntType] int
+# 2794|                   Value = [Literal] 1
+# 2794|                   ValueCategory = prvalue
+# 2794|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2794|                   Type = [PointerType] int(*)[]
+# 2794|                   ValueCategory = prvalue
+# 2794|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2794|                 Type = [ArrayType] int[]
+# 2794|                 ValueCategory = lvalue
+# 2795|     getStmt(5): [DeclStmt] declaration
+# 2795|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp2
+# 2795|           Type = [ArrayType] int[][][]
+# 2795|     getStmt(6): [VlaDimensionStmt] VLA dimension size
+# 2795|       getDimensionExpr(): [VariableAccess] len1
+# 2795|           Type = [IntType] int
+# 2795|           ValueCategory = prvalue(load)
+# 2795|     getStmt(7): [VlaDimensionStmt] VLA dimension size
+# 2795|       getDimensionExpr(): [VariableAccess] len2
+# 2795|           Type = [CTypedefType,Size_t] size_t
+# 2795|           ValueCategory = prvalue(load)
+# 2795|     getStmt(8): [VlaDimensionStmt] VLA dimension size
+# 2795|       getDimensionExpr(): [VariableAccess] len3
+# 2795|           Type = [PlainCharType] char
+# 2795|           ValueCategory = prvalue(load)
+# 2795|     getStmt(9): [VlaDeclStmt] VLA declaration
+# 2796|     getStmt(10): [DeclStmt] declaration
+# 2796|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of v
+# 2796|           Type = [CTypedefType,Size_t] size_t
+# 2796|         getVariable().getInitializer(): [Initializer] initializer for v
+# 2796|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2796|               Type = [LongType] unsigned long
+# 2796|               ValueCategory = prvalue
+# 2796|             getExprOperand(): [ArrayExpr] access to array
+# 2796|                 Type = [ArrayType] int[][]
+# 2796|                 ValueCategory = lvalue
+# 2796|               getArrayBase(): [VariableAccess] tmp2
+# 2796|                   Type = [ArrayType] int[][][]
+# 2796|                   ValueCategory = lvalue
+# 2796|               getArrayOffset(): [Literal] 1
+# 2796|                   Type = [IntType] int
+# 2796|                   Value = [Literal] 1
+# 2796|                   ValueCategory = prvalue
+# 2796|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2796|                   Type = [PointerType] int(*)[][]
+# 2796|                   ValueCategory = prvalue
+# 2796|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2796|                 Type = [ArrayType] int[][]
+# 2796|                 ValueCategory = lvalue
+# 2797|     getStmt(11): [DeclStmt] declaration
+# 2797|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of u
+# 2797|           Type = [CTypedefType,Size_t] size_t
+# 2797|         getVariable().getInitializer(): [Initializer] initializer for u
+# 2797|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2797|               Type = [LongType] unsigned long
+# 2797|               ValueCategory = prvalue
+# 2797|             getExprOperand(): [ArrayExpr] access to array
+# 2797|                 Type = [ArrayType] int[]
+# 2797|                 ValueCategory = lvalue
+# 2797|               getArrayBase(): [ArrayExpr] access to array
+# 2797|                   Type = [ArrayType] int[][]
+# 2797|                   ValueCategory = lvalue
+# 2797|                 getArrayBase(): [VariableAccess] tmp2
+# 2797|                     Type = [ArrayType] int[][][]
+# 2797|                     ValueCategory = lvalue
+# 2797|                 getArrayOffset(): [Literal] 1
+# 2797|                     Type = [IntType] int
+# 2797|                     Value = [Literal] 1
+# 2797|                     ValueCategory = prvalue
+# 2797|                 getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2797|                     Type = [PointerType] int(*)[][]
+# 2797|                     ValueCategory = prvalue
+# 2797|               getArrayOffset(): [Literal] 2
+# 2797|                   Type = [IntType] int
+# 2797|                   Value = [Literal] 2
+# 2797|                   ValueCategory = prvalue
+# 2797|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2797|                   Type = [PointerType] int(*)[]
+# 2797|                   ValueCategory = prvalue
+# 2797|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2797|                 Type = [ArrayType] int[]
+# 2797|                 ValueCategory = lvalue
+# 2798|     getStmt(12): [DeclStmt] declaration
+# 2798|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of t
+# 2798|           Type = [CTypedefType,Size_t] size_t
+# 2798|         getVariable().getInitializer(): [Initializer] initializer for t
+# 2798|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2798|               Type = [LongType] unsigned long
+# 2798|               Value = [SizeofExprOperator] 4
+# 2798|               ValueCategory = prvalue
+# 2798|             getExprOperand(): [ArrayExpr] access to array
+# 2798|                 Type = [IntType] int
+# 2798|                 ValueCategory = lvalue
+# 2798|               getArrayBase(): [ArrayExpr] access to array
+# 2798|                   Type = [ArrayType] int[]
+# 2798|                   ValueCategory = lvalue
+# 2798|                 getArrayBase(): [ArrayExpr] access to array
+# 2798|                     Type = [ArrayType] int[][]
+# 2798|                     ValueCategory = lvalue
+# 2798|                   getArrayBase(): [VariableAccess] tmp2
+# 2798|                       Type = [ArrayType] int[][][]
+# 2798|                       ValueCategory = lvalue
+# 2798|                   getArrayOffset(): [Literal] 1
+# 2798|                       Type = [IntType] int
+# 2798|                       Value = [Literal] 1
+# 2798|                       ValueCategory = prvalue
+# 2798|                   getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2798|                       Type = [PointerType] int(*)[][]
+# 2798|                       ValueCategory = prvalue
+# 2798|                 getArrayOffset(): [Literal] 2
+# 2798|                     Type = [IntType] int
+# 2798|                     Value = [Literal] 2
+# 2798|                     ValueCategory = prvalue
+# 2798|                 getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2798|                     Type = [PointerType] int(*)[]
+# 2798|                     ValueCategory = prvalue
+# 2798|               getArrayOffset(): [Literal] 3
+# 2798|                   Type = [IntType] int
+# 2798|                   Value = [Literal] 3
+# 2798|                   ValueCategory = prvalue
+# 2798|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2798|                   Type = [IntPointerType] int *
+# 2798|                   ValueCategory = prvalue
+# 2798|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2798|                 Type = [IntType] int
+# 2798|                 ValueCategory = lvalue
+# 2799|     getStmt(13): [ReturnStmt] return ...
+# 2801| [TopLevelFunction] size_t vla_sizeof_test3(int, size_t, char, bool)
+# 2801|   <params>: 
+# 2801|     getParameter(0): [Parameter] len1
+# 2801|         Type = [IntType] int
+# 2801|     getParameter(1): [Parameter] len2
+# 2801|         Type = [CTypedefType,Size_t] size_t
+# 2801|     getParameter(2): [Parameter] len3
+# 2801|         Type = [PlainCharType] char
+# 2801|     getParameter(3): [Parameter] b
+# 2801|         Type = [BoolType] bool
+# 2801|   getEntryPoint(): [BlockStmt] { ... }
+# 2802|     getStmt(0): [DeclStmt] declaration
+# 2802|       getDeclarationEntry(0): [TypeDeclarationEntry] declaration of arr
+# 2802|           Type = [CTypedefType,LocalTypedefType] arr
+# 2802|     getStmt(1): [VlaDimensionStmt] VLA dimension size
+# 2802|       getDimensionExpr(): [VariableAccess] len1
+# 2802|           Type = [IntType] int
+# 2802|           ValueCategory = prvalue(load)
+# 2802|     getStmt(2): [VlaDimensionStmt] VLA dimension size
+# 2802|       getDimensionExpr(): [VariableAccess] len2
+# 2802|           Type = [CTypedefType,Size_t] size_t
+# 2802|           ValueCategory = prvalue(load)
+# 2802|     getStmt(3): [VlaDeclStmt] VLA declaration
+# 2803|     getStmt(4): [DeclStmt] declaration
+# 2803|       getDeclarationEntry(0): [TypeDeclarationEntry] declaration of arr2
+# 2803|           Type = [CTypedefType,LocalTypedefType] arr2
+# 2803|     getStmt(5): [VlaDeclStmt] VLA declaration
+# 2804|     getStmt(6): [DeclStmt] declaration
+# 2804|       getDeclarationEntry(0): [TypeDeclarationEntry] declaration of arr3
+# 2804|           Type = [CTypedefType,LocalTypedefType] arr3
+# 2804|     getStmt(7): [VlaDimensionStmt] VLA dimension size
+# 2804|       getDimensionExpr(): [VariableAccess] len3
+# 2804|           Type = [PlainCharType] char
+# 2804|           ValueCategory = prvalue(load)
+# 2804|     getStmt(8): [VlaDeclStmt] VLA declaration
+# 2806|     getStmt(9): [IfStmt] if (...) ... 
+# 2806|       getCondition(): [VariableAccess] b
+# 2806|           Type = [BoolType] bool
+# 2806|           ValueCategory = prvalue(load)
+# 2806|       getThen(): [BlockStmt] { ... }
+# 2807|         getStmt(0): [DeclStmt] declaration
+# 2807|           getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp
+# 2807|               Type = [CTypedefType,LocalTypedefType] arr3
+# 2807|         getStmt(1): [VlaDeclStmt] VLA declaration
+# 2808|         getStmt(2): [ReturnStmt] return ...
+# 2808|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2808|               Type = [LongType] unsigned long
+# 2808|               ValueCategory = prvalue
+# 2808|             getExprOperand(): [ArrayExpr] access to array
+# 2808|                 Type = [CTypedefType,LocalTypedefType] arr2
+# 2808|                 ValueCategory = lvalue
+# 2808|               getArrayBase(): [VariableAccess] tmp
+# 2808|                   Type = [CTypedefType,LocalTypedefType] arr3
+# 2808|                   ValueCategory = lvalue
+# 2808|               getArrayOffset(): [Literal] 1
+# 2808|                   Type = [IntType] int
+# 2808|                   Value = [Literal] 1
+# 2808|                   ValueCategory = prvalue
+# 2808|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2808|                   Type = [PointerType] arr2 *
+# 2808|                   ValueCategory = prvalue
+# 2808|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2808|                 Type = [CTypedefType,LocalTypedefType] arr2
+# 2808|                 ValueCategory = lvalue
+# 2811|     getStmt(10): [ReturnStmt] return ...
+# 2811|       getExpr(): [Literal] 0
+# 2811|           Type = [IntType] int
+# 2811|           Value = [Literal] 0
+# 2811|           ValueCategory = prvalue
+# 2811|       getExpr().getFullyConverted(): [CStyleCast] (size_t)...
+# 2811|           Conversion = [IntegralConversion] integral conversion
+# 2811|           Type = [CTypedefType,Size_t] size_t
+# 2811|           Value = [CStyleCast] 0
+# 2811|           ValueCategory = prvalue
+# 2814| [TopLevelFunction] void vla_sizeof_test4(int, size_t)
+# 2814|   <params>: 
+# 2814|     getParameter(0): [Parameter] len1
+# 2814|         Type = [IntType] int
+# 2814|     getParameter(1): [Parameter] len2
+# 2814|         Type = [CTypedefType,Size_t] size_t
+# 2814|   getEntryPoint(): [BlockStmt] { ... }
+# 2815|     getStmt(0): [DeclStmt] declaration
+# 2815|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp1
+# 2815|           Type = [ArrayType] int[][]
+# 2815|     getStmt(1): [VlaDimensionStmt] VLA dimension size
+# 2815|       getDimensionExpr(): [VariableAccess] len1
+# 2815|           Type = [IntType] int
+# 2815|           ValueCategory = prvalue(load)
+# 2815|     getStmt(2): [VlaDimensionStmt] VLA dimension size
+# 2815|       getDimensionExpr(): [VariableAccess] len2
+# 2815|           Type = [CTypedefType,Size_t] size_t
+# 2815|           ValueCategory = prvalue(load)
+# 2815|     getStmt(3): [VlaDeclStmt] VLA declaration
+# 2816|     getStmt(4): [DeclStmt] declaration
+# 2816|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of z
+# 2816|           Type = [CTypedefType,Size_t] size_t
+# 2816|         getVariable().getInitializer(): [Initializer] initializer for z
+# 2816|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2816|               Type = [LongType] unsigned long
+# 2816|               ValueCategory = prvalue
+# 2816|             getExprOperand(): [ArrayExpr] access to array
+# 2816|                 Type = [ArrayType] int[]
+# 2816|                 ValueCategory = lvalue
+# 2816|               getArrayBase(): [VariableAccess] tmp1
+# 2816|                   Type = [ArrayType] int[][]
+# 2816|                   ValueCategory = lvalue
+# 2816|               getArrayOffset(): [Literal] 1
+# 2816|                   Type = [IntType] int
+# 2816|                   Value = [Literal] 1
+# 2816|                   ValueCategory = prvalue
+# 2816|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2816|                   Type = [PointerType] int(*)[]
+# 2816|                   ValueCategory = prvalue
+# 2816|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2816|                 Type = [ArrayType] int[]
+# 2816|                 ValueCategory = lvalue
+# 2817|     getStmt(5): [ReturnStmt] return ...
+# 2819| [TopLevelFunction] void vla_sizeof_test5(int, size_t)
+# 2819|   <params>: 
+# 2819|     getParameter(0): [Parameter] len1
+# 2819|         Type = [IntType] int
+# 2819|     getParameter(1): [Parameter] len2
+# 2819|         Type = [CTypedefType,Size_t] size_t
+# 2819|   getEntryPoint(): [BlockStmt] { ... }
+# 2820|     getStmt(0): [DeclStmt] declaration
+# 2820|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp1
+# 2820|           Type = [ArrayType] int[][]
+# 2820|     getStmt(1): [VlaDimensionStmt] VLA dimension size
+# 2820|       getDimensionExpr(): [VariableAccess] len1
+# 2820|           Type = [IntType] int
+# 2820|           ValueCategory = prvalue(load)
+# 2820|     getStmt(2): [VlaDimensionStmt] VLA dimension size
+# 2820|       getDimensionExpr(): [VariableAccess] len2
+# 2820|           Type = [CTypedefType,Size_t] size_t
+# 2820|           ValueCategory = prvalue(load)
+# 2820|     getStmt(3): [VlaDeclStmt] VLA declaration
+# 2821|     getStmt(4): [DeclStmt] declaration
+# 2821|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of z
+# 2821|           Type = [CTypedefType,Size_t] size_t
+# 2821|         getVariable().getInitializer(): [Initializer] initializer for z
+# 2821|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2821|               Type = [LongType] unsigned long
+# 2821|               ValueCategory = prvalue
+# 2821|             getExprOperand(): [ArrayExpr] access to array
+# 2821|                 Type = [ArrayType] int[]
+# 2821|                 ValueCategory = lvalue
+# 2821|               getArrayBase(): [PointerDereferenceExpr] * ...
+# 2821|                   Type = [ArrayType] int[][]
+# 2821|                   ValueCategory = lvalue
+# 2821|                 getOperand(): [AddressOfExpr] & ...
+# 2821|                     Type = [PointerType] int(*)[][]
+# 2821|                     ValueCategory = prvalue
+# 2821|                   getOperand(): [VariableAccess] tmp1
+# 2821|                       Type = [ArrayType] int[][]
+# 2821|                       ValueCategory = lvalue
+# 2821|               getArrayOffset(): [Literal] 1
+# 2821|                   Type = [IntType] int
+# 2821|                   Value = [Literal] 1
+# 2821|                   ValueCategory = prvalue
+# 2821|               getArrayBase().getFullyConverted(): [ParenthesisExpr] (...)
+# 2821|                   Type = [PointerType] int(*)[]
+# 2821|                   ValueCategory = prvalue
+# 2821|                 getExpr(): [ArrayToPointerConversion] array to pointer conversion
+# 2821|                     Type = [PointerType] int(*)[]
+# 2821|                     ValueCategory = prvalue
+# 2821|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2821|                 Type = [ArrayType] int[]
+# 2821|                 ValueCategory = lvalue
+# 2822|     getStmt(5): [ReturnStmt] return ...
 ir23.cpp:
 #    1| [TopLevelFunction] bool consteval_1()
 #    1|   <params>: 

cpp/ql/test/library-tests/ir/ir/aliased_ir.expected

@@ -20395,6 +20395,282 @@ ir.cpp:
 # 2769|     v2769_14(void)                  = AliasedUse                      : ~m2771_8
 # 2769|     v2769_15(void)                  = ExitFunction                    : 
 
+# 2774| void test_allocation_with_initializer()
+# 2774|   Block 0
+# 2774|     v2774_1(void)           = EnterFunction                 : 
+# 2774|     m2774_2(unknown)        = AliasedDefinition             : 
+# 2774|     m2774_3(unknown)        = InitializeNonLocal            : 
+# 2774|     m2774_4(unknown)        = Chi                           : total:m2774_2, partial:m2774_3
+# 2775|     r2775_1(glval<int *>)   = VariableAddress[p1]           : 
+# 2775|     r2775_2(glval<unknown>) = FunctionAddress[operator new] : 
+# 2775|     r2775_3(unsigned long)  = Constant[4]                   : 
+# 2775|     r2775_4(void *)         = Call[operator new]            : func:r2775_2, 0:r2775_3
+# 2775|     m2775_5(unknown)        = ^CallSideEffect               : ~m2774_4
+# 2775|     m2775_6(unknown)        = Chi                           : total:m2774_4, partial:m2775_5
+# 2775|     m2775_7(unknown)        = ^InitializeDynamicAllocation  : &:r2775_4
+# 2775|     r2775_8(int *)          = Convert                       : r2775_4
+# 2775|     r2775_9(int)            = Constant[42]                  : 
+# 2775|     m2775_10(int)           = Store[?]                      : &:r2775_8, r2775_9
+# 2775|     m2775_11(unknown)       = Chi                           : total:m2775_7, partial:m2775_10
+# 2775|     m2775_12(int *)         = Store[p1]                     : &:r2775_1, r2775_8
+# 2776|     r2776_1(glval<long *>)  = VariableAddress[p2]           : 
+# 2776|     r2776_2(glval<unknown>) = FunctionAddress[operator new] : 
+# 2776|     r2776_3(unsigned long)  = Constant[8]                   : 
+# 2776|     r2776_4(void *)         = Call[operator new]            : func:r2776_2, 0:r2776_3
+# 2776|     m2776_5(unknown)        = ^CallSideEffect               : ~m2775_6
+# 2776|     m2776_6(unknown)        = Chi                           : total:m2775_6, partial:m2776_5
+# 2776|     m2776_7(unknown)        = ^InitializeDynamicAllocation  : &:r2776_4
+# 2776|     r2776_8(long *)         = Convert                       : r2776_4
+# 2776|     r2776_9(long)           = Constant[42]                  : 
+# 2776|     m2776_10(long)          = Store[?]                      : &:r2776_8, r2776_9
+# 2776|     m2776_11(unknown)       = Chi                           : total:m2776_7, partial:m2776_10
+# 2776|     m2776_12(long *)        = Store[p2]                     : &:r2776_1, r2776_8
+# 2777|     v2777_1(void)           = NoOp                          : 
+# 2774|     v2774_5(void)           = ReturnVoid                    : 
+# 2774|     v2774_6(void)           = AliasedUse                    : ~m2776_6
+# 2774|     v2774_7(void)           = ExitFunction                  : 
+
+# 2779| void vla_sizeof_test(int, size_t, char)
+# 2779|   Block 0
+# 2779|     v2779_1(void)                 = EnterFunction             : 
+# 2779|     m2779_2(unknown)              = AliasedDefinition         : 
+# 2779|     m2779_3(unknown)              = InitializeNonLocal        : 
+# 2779|     m2779_4(unknown)              = Chi                       : total:m2779_2, partial:m2779_3
+# 2779|     r2779_5(glval<int>)           = VariableAddress[len1]     : 
+# 2779|     m2779_6(int)                  = InitializeParameter[len1] : &:r2779_5
+# 2779|     r2779_7(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2779|     m2779_8(unsigned long)        = InitializeParameter[len2] : &:r2779_7
+# 2779|     r2779_9(glval<char>)          = VariableAddress[len3]     : 
+# 2779|     m2779_10(char)                = InitializeParameter[len3] : &:r2779_9
+# 2780|     r2780_1(glval<char[]>)        = VariableAddress[tmp1]     : 
+# 2780|     m2780_2(char[])               = Uninitialized[tmp1]       : &:r2780_1
+# 2780|     r2780_3(glval<int>)           = VariableAddress[len1]     : 
+# 2780|     r2780_4(int)                  = Load[len1]                : &:r2780_3, m2779_6
+# 2780|     v2780_5(void)                 = NoOp                      : 
+# 2781|     r2781_1(glval<unsigned long>) = VariableAddress[x]        : 
+# 2781|     r2781_2(unsigned long)        = Constant[1]               : 
+# 2781|     r2781_3(unsigned long)        = Convert                   : r2780_4
+# 2781|     r2781_4(unsigned long)        = Mul                       : r2781_2, r2781_3
+# 2781|     m2781_5(unsigned long)        = Store[x]                  : &:r2781_1, r2781_4
+# 2782|     r2782_1(glval<int[][]>)       = VariableAddress[tmp2]     : 
+# 2782|     m2782_2(int[][])              = Uninitialized[tmp2]       : &:r2782_1
+# 2782|     r2782_3(glval<int>)           = VariableAddress[len1]     : 
+# 2782|     r2782_4(int)                  = Load[len1]                : &:r2782_3, m2779_6
+# 2782|     r2782_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2782|     r2782_6(unsigned long)        = Load[len2]                : &:r2782_5, m2779_8
+# 2782|     v2782_7(void)                 = NoOp                      : 
+# 2783|     r2783_1(glval<unsigned long>) = VariableAddress[y]        : 
+# 2783|     r2783_2(unsigned long)        = Constant[4]               : 
+# 2783|     r2783_3(unsigned long)        = Convert                   : r2782_4
+# 2783|     r2783_4(unsigned long)        = Mul                       : r2783_2, r2783_3
+# 2783|     r2783_5(unsigned long)        = CopyValue                 : r2782_6
+# 2783|     r2783_6(unsigned long)        = Mul                       : r2783_4, r2783_5
+# 2783|     m2783_7(unsigned long)        = Store[y]                  : &:r2783_1, r2783_6
+# 2784|     r2784_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2784|     r2784_2(unsigned long)        = Constant[4]               : 
+# 2784|     r2784_3(unsigned long)        = CopyValue                 : r2782_6
+# 2784|     r2784_4(unsigned long)        = Mul                       : r2784_2, r2784_3
+# 2784|     m2784_5(unsigned long)        = Store[z]                  : &:r2784_1, r2784_4
+# 2785|     r2785_1(glval<int[][][]>)     = VariableAddress[tmp3]     : 
+# 2785|     m2785_2(int[][][])            = Uninitialized[tmp3]       : &:r2785_1
+# 2785|     r2785_3(glval<int>)           = VariableAddress[len1]     : 
+# 2785|     r2785_4(int)                  = Load[len1]                : &:r2785_3, m2779_6
+# 2785|     r2785_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2785|     r2785_6(unsigned long)        = Load[len2]                : &:r2785_5, m2779_8
+# 2785|     r2785_7(glval<char>)          = VariableAddress[len3]     : 
+# 2785|     r2785_8(char)                 = Load[len3]                : &:r2785_7, m2779_10
+# 2785|     v2785_9(void)                 = NoOp                      : 
+# 2786|     r2786_1(glval<unsigned long>) = VariableAddress[w]        : 
+# 2786|     r2786_2(unsigned long)        = Constant[4]               : 
+# 2786|     r2786_3(unsigned long)        = Convert                   : r2785_4
+# 2786|     r2786_4(unsigned long)        = Mul                       : r2786_2, r2786_3
+# 2786|     r2786_5(unsigned long)        = CopyValue                 : r2785_6
+# 2786|     r2786_6(unsigned long)        = Mul                       : r2786_4, r2786_5
+# 2786|     r2786_7(unsigned long)        = Convert                   : r2785_8
+# 2786|     r2786_8(unsigned long)        = Mul                       : r2786_6, r2786_7
+# 2786|     m2786_9(unsigned long)        = Store[w]                  : &:r2786_1, r2786_8
+# 2787|     r2787_1(glval<unsigned long>) = VariableAddress[v]        : 
+# 2787|     r2787_2(unsigned long)        = Constant[4]               : 
+# 2787|     r2787_3(unsigned long)        = CopyValue                 : r2785_6
+# 2787|     r2787_4(unsigned long)        = Mul                       : r2787_2, r2787_3
+# 2787|     r2787_5(unsigned long)        = Convert                   : r2785_8
+# 2787|     r2787_6(unsigned long)        = Mul                       : r2787_4, r2787_5
+# 2787|     m2787_7(unsigned long)        = Store[v]                  : &:r2787_1, r2787_6
+# 2788|     r2788_1(glval<unsigned long>) = VariableAddress[u]        : 
+# 2788|     r2788_2(unsigned long)        = Constant[4]               : 
+# 2788|     r2788_3(unsigned long)        = Convert                   : r2785_8
+# 2788|     r2788_4(unsigned long)        = Mul                       : r2788_2, r2788_3
+# 2788|     m2788_5(unsigned long)        = Store[u]                  : &:r2788_1, r2788_4
+# 2789|     r2789_1(glval<unsigned long>) = VariableAddress[t]        : 
+# 2789|     r2789_2(unsigned long)        = Constant[4]               : 
+# 2789|     m2789_3(unsigned long)        = Store[t]                  : &:r2789_1, r2789_2
+# 2790|     v2790_1(void)                 = NoOp                      : 
+# 2779|     v2779_11(void)                = ReturnVoid                : 
+# 2779|     v2779_12(void)                = AliasedUse                : m2779_3
+# 2779|     v2779_13(void)                = ExitFunction              : 
+
+# 2792| void vla_sizeof_test2(int, size_t, char)
+# 2792|   Block 0
+# 2792|     v2792_1(void)                 = EnterFunction             : 
+# 2792|     m2792_2(unknown)              = AliasedDefinition         : 
+# 2792|     m2792_3(unknown)              = InitializeNonLocal        : 
+# 2792|     m2792_4(unknown)              = Chi                       : total:m2792_2, partial:m2792_3
+# 2792|     r2792_5(glval<int>)           = VariableAddress[len1]     : 
+# 2792|     m2792_6(int)                  = InitializeParameter[len1] : &:r2792_5
+# 2792|     r2792_7(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2792|     m2792_8(unsigned long)        = InitializeParameter[len2] : &:r2792_7
+# 2792|     r2792_9(glval<char>)          = VariableAddress[len3]     : 
+# 2792|     m2792_10(char)                = InitializeParameter[len3] : &:r2792_9
+# 2793|     r2793_1(glval<int[][]>)       = VariableAddress[tmp1]     : 
+# 2793|     m2793_2(int[][])              = Uninitialized[tmp1]       : &:r2793_1
+# 2793|     r2793_3(glval<int>)           = VariableAddress[len1]     : 
+# 2793|     r2793_4(int)                  = Load[len1]                : &:r2793_3, m2792_6
+# 2793|     r2793_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2793|     r2793_6(unsigned long)        = Load[len2]                : &:r2793_5, m2792_8
+# 2793|     v2793_7(void)                 = NoOp                      : 
+# 2794|     r2794_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2794|     r2794_2(unsigned long)        = Constant[4]               : 
+# 2794|     r2794_3(unsigned long)        = CopyValue                 : r2793_6
+# 2794|     r2794_4(unsigned long)        = Mul                       : r2794_2, r2794_3
+# 2794|     m2794_5(unsigned long)        = Store[z]                  : &:r2794_1, r2794_4
+# 2795|     r2795_1(glval<int[][][]>)     = VariableAddress[tmp2]     : 
+# 2795|     m2795_2(int[][][])            = Uninitialized[tmp2]       : &:r2795_1
+# 2795|     r2795_3(glval<int>)           = VariableAddress[len1]     : 
+# 2795|     r2795_4(int)                  = Load[len1]                : &:r2795_3, m2792_6
+# 2795|     r2795_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2795|     r2795_6(unsigned long)        = Load[len2]                : &:r2795_5, m2792_8
+# 2795|     r2795_7(glval<char>)          = VariableAddress[len3]     : 
+# 2795|     r2795_8(char)                 = Load[len3]                : &:r2795_7, m2792_10
+# 2795|     v2795_9(void)                 = NoOp                      : 
+# 2796|     r2796_1(glval<unsigned long>) = VariableAddress[v]        : 
+# 2796|     r2796_2(unsigned long)        = Constant[4]               : 
+# 2796|     r2796_3(unsigned long)        = CopyValue                 : r2795_6
+# 2796|     r2796_4(unsigned long)        = Mul                       : r2796_2, r2796_3
+# 2796|     r2796_5(unsigned long)        = Convert                   : r2795_8
+# 2796|     r2796_6(unsigned long)        = Mul                       : r2796_4, r2796_5
+# 2796|     m2796_7(unsigned long)        = Store[v]                  : &:r2796_1, r2796_6
+# 2797|     r2797_1(glval<unsigned long>) = VariableAddress[u]        : 
+# 2797|     r2797_2(unsigned long)        = Constant[4]               : 
+# 2797|     r2797_3(unsigned long)        = Convert                   : r2795_8
+# 2797|     r2797_4(unsigned long)        = Mul                       : r2797_2, r2797_3
+# 2797|     m2797_5(unsigned long)        = Store[u]                  : &:r2797_1, r2797_4
+# 2798|     r2798_1(glval<unsigned long>) = VariableAddress[t]        : 
+# 2798|     r2798_2(unsigned long)        = Constant[4]               : 
+# 2798|     m2798_3(unsigned long)        = Store[t]                  : &:r2798_1, r2798_2
+# 2799|     v2799_1(void)                 = NoOp                      : 
+# 2792|     v2792_11(void)                = ReturnVoid                : 
+# 2792|     v2792_12(void)                = AliasedUse                : m2792_3
+# 2792|     v2792_13(void)                = ExitFunction              : 
+
+# 2801| size_t vla_sizeof_test3(int, size_t, char, bool)
+# 2801|   Block 0
+# 2801|     v2801_1(void)                 = EnterFunction             : 
+# 2801|     m2801_2(unknown)              = AliasedDefinition         : 
+# 2801|     m2801_3(unknown)              = InitializeNonLocal        : 
+# 2801|     m2801_4(unknown)              = Chi                       : total:m2801_2, partial:m2801_3
+# 2801|     r2801_5(glval<int>)           = VariableAddress[len1]     : 
+# 2801|     m2801_6(int)                  = InitializeParameter[len1] : &:r2801_5
+# 2801|     r2801_7(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2801|     m2801_8(unsigned long)        = InitializeParameter[len2] : &:r2801_7
+# 2801|     r2801_9(glval<char>)          = VariableAddress[len3]     : 
+# 2801|     m2801_10(char)                = InitializeParameter[len3] : &:r2801_9
+# 2801|     r2801_11(glval<bool>)         = VariableAddress[b]        : 
+# 2801|     m2801_12(bool)                = InitializeParameter[b]    : &:r2801_11
+# 2802|     r2802_1(glval<int>)           = VariableAddress[len1]     : 
+# 2802|     r2802_2(int)                  = Load[len1]                : &:r2802_1, m2801_6
+# 2802|     r2802_3(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2802|     r2802_4(unsigned long)        = Load[len2]                : &:r2802_3, m2801_8
+# 2802|     v2802_5(void)                 = NoOp                      : 
+# 2803|     v2803_1(void)                 = NoOp                      : 
+# 2804|     r2804_1(glval<char>)          = VariableAddress[len3]     : 
+# 2804|     r2804_2(char)                 = Load[len3]                : &:r2804_1, m2801_10
+# 2804|     v2804_3(void)                 = NoOp                      : 
+# 2806|     r2806_1(glval<bool>)          = VariableAddress[b]        : 
+# 2806|     r2806_2(bool)                 = Load[b]                   : &:r2806_1, m2801_12
+# 2806|     v2806_3(void)                 = ConditionalBranch         : r2806_2
+#-----|   False -> Block 3
+#-----|   True -> Block 2
+
+# 2801|   Block 1
+# 2801|     m2801_13(unsigned long)        = Phi                      : from 2:m2808_7, from 3:m2811_3
+# 2801|     r2801_14(glval<unsigned long>) = VariableAddress[#return] : 
+# 2801|     v2801_15(void)                 = ReturnValue              : &:r2801_14, m2801_13
+# 2801|     v2801_16(void)                 = AliasedUse               : m2801_3
+# 2801|     v2801_17(void)                 = ExitFunction             : 
+
+# 2807|   Block 2
+# 2807|     r2807_1(glval<long[][][]>)    = VariableAddress[tmp]     : 
+# 2807|     m2807_2(long[][][])           = Uninitialized[tmp]       : &:r2807_1
+# 2807|     v2807_3(void)                 = NoOp                     : 
+# 2808|     r2808_1(glval<unsigned long>) = VariableAddress[#return] : 
+# 2808|     r2808_2(unsigned long)        = Constant[8]              : 
+# 2808|     r2808_3(unsigned long)        = Convert                  : r2802_2
+# 2808|     r2808_4(unsigned long)        = Mul                      : r2808_2, r2808_3
+# 2808|     r2808_5(unsigned long)        = CopyValue                : r2802_4
+# 2808|     r2808_6(unsigned long)        = Mul                      : r2808_4, r2808_5
+# 2808|     m2808_7(unsigned long)        = Store[#return]           : &:r2808_1, r2808_6
+#-----|   Goto -> Block 1
+
+# 2811|   Block 3
+# 2811|     r2811_1(glval<unsigned long>) = VariableAddress[#return] : 
+# 2811|     r2811_2(unsigned long)        = Constant[0]              : 
+# 2811|     m2811_3(unsigned long)        = Store[#return]           : &:r2811_1, r2811_2
+#-----|   Goto -> Block 1
+
+# 2814| void vla_sizeof_test4(int, size_t)
+# 2814|   Block 0
+# 2814|     v2814_1(void)                 = EnterFunction             : 
+# 2814|     m2814_2(unknown)              = AliasedDefinition         : 
+# 2814|     m2814_3(unknown)              = InitializeNonLocal        : 
+# 2814|     m2814_4(unknown)              = Chi                       : total:m2814_2, partial:m2814_3
+# 2814|     r2814_5(glval<int>)           = VariableAddress[len1]     : 
+# 2814|     m2814_6(int)                  = InitializeParameter[len1] : &:r2814_5
+# 2814|     r2814_7(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2814|     m2814_8(unsigned long)        = InitializeParameter[len2] : &:r2814_7
+# 2815|     r2815_1(glval<int[][]>)       = VariableAddress[tmp1]     : 
+# 2815|     m2815_2(int[][])              = Uninitialized[tmp1]       : &:r2815_1
+# 2815|     r2815_3(glval<int>)           = VariableAddress[len1]     : 
+# 2815|     r2815_4(int)                  = Load[len1]                : &:r2815_3, m2814_6
+# 2815|     r2815_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2815|     r2815_6(unsigned long)        = Load[len2]                : &:r2815_5, m2814_8
+# 2815|     v2815_7(void)                 = NoOp                      : 
+# 2816|     r2816_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2816|     r2816_2(unsigned long)        = Constant[4]               : 
+# 2816|     r2816_3(unsigned long)        = CopyValue                 : r2815_6
+# 2816|     r2816_4(unsigned long)        = Mul                       : r2816_2, r2816_3
+# 2816|     m2816_5(unsigned long)        = Store[z]                  : &:r2816_1, r2816_4
+# 2817|     v2817_1(void)                 = NoOp                      : 
+# 2814|     v2814_9(void)                 = ReturnVoid                : 
+# 2814|     v2814_10(void)                = AliasedUse                : m2814_3
+# 2814|     v2814_11(void)                = ExitFunction              : 
+
+# 2819| void vla_sizeof_test5(int, size_t)
+# 2819|   Block 0
+# 2819|     v2819_1(void)                 = EnterFunction             : 
+# 2819|     m2819_2(unknown)              = AliasedDefinition         : 
+# 2819|     m2819_3(unknown)              = InitializeNonLocal        : 
+# 2819|     m2819_4(unknown)              = Chi                       : total:m2819_2, partial:m2819_3
+# 2819|     r2819_5(glval<int>)           = VariableAddress[len1]     : 
+# 2819|     m2819_6(int)                  = InitializeParameter[len1] : &:r2819_5
+# 2819|     r2819_7(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2819|     m2819_8(unsigned long)        = InitializeParameter[len2] : &:r2819_7
+# 2820|     r2820_1(glval<int[][]>)       = VariableAddress[tmp1]     : 
+# 2820|     m2820_2(int[][])              = Uninitialized[tmp1]       : &:r2820_1
+# 2820|     r2820_3(glval<int>)           = VariableAddress[len1]     : 
+# 2820|     r2820_4(int)                  = Load[len1]                : &:r2820_3, m2819_6
+# 2820|     r2820_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2820|     r2820_6(unsigned long)        = Load[len2]                : &:r2820_5, m2819_8
+# 2820|     v2820_7(void)                 = NoOp                      : 
+# 2821|     r2821_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2821|     r2821_2(unsigned long)        = Constant[4]               : 
+# 2821|     r2821_3(unsigned long)        = CopyValue                 : r2820_6
+# 2821|     r2821_4(unsigned long)        = Mul                       : r2821_2, r2821_3
+# 2821|     m2821_5(unsigned long)        = Store[z]                  : &:r2821_1, r2821_4
+# 2822|     v2822_1(void)                 = NoOp                      : 
+# 2819|     v2819_9(void)                 = ReturnVoid                : 
+# 2819|     v2819_10(void)                = AliasedUse                : m2819_3
+# 2819|     v2819_11(void)                = ExitFunction              : 
+
 ir23.cpp:
 #    1| bool consteval_1()
 #    1|   Block 0