Merge pull request #10994 from rdmarsh2/rdmarsh2/return-cstr-repair

C++: repair the ReturnCstr query
2026-04-30 03:05:15 +02:00 · 2022-10-27 14:25:22 -04:00
parent e43422a090 24cb36a1e2
commit b7e42e805b
5 changed files with 112 additions and 90 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -738,11 +738,20 @@ private predicate exprNodeShouldBeIndirectOperand(IndirectOperand node, Expr e,
  not convertedExprMustBeOperand(e)
 }

+private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e) {
+  exists(CallInstruction call |
+    call.getStaticCallTarget() instanceof Constructor and
+    e = call.getConvertedResultExpression() and
+    call.getThisArgumentOperand() = node.getAddressOperand()
+  )
+}
+
 /** Holds if `node` should be an instruction node that maps `node.asExpr()` to `e`. */
 predicate exprNodeShouldBeInstruction(Node node, Expr e) {
  e = node.asInstruction().getConvertedResultExpression() and
  not exprNodeShouldBeOperand(_, e) and
-  not exprNodeShouldBeIndirectOperand(_, e, _)
+  not exprNodeShouldBeIndirectOperand(_, e, _) and
+  not exprNodeShouldBeIndirectOutNode(_, e)
 }

 private class ExprNodeBase extends Node {
@@ -792,6 +801,16 @@ private class IndirectOperandExprNode extends ExprNodeBase, IndirectOperand {
  final override string toStringImpl() { result = this.getConvertedExpr().toString() }
 }

+private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgumentOutNode {
+  IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _) }
+
+  final override Expr getConvertedExpr() { exprNodeShouldBeIndirectOutNode(this, result) }
+
+  final override Expr getExpr() { result = this.getConvertedExpr() }
+
+  final override string toStringImpl() { result = this.getConvertedExpr().toString() }
+}
+
 /**
 * An expression, viewed as a node in a data flow graph.
 */
--- a/Management/ReturnCstrOfLocalStdString.ql
+++ b/Management/ReturnCstrOfLocalStdString.ql
@@ -36,20 +36,20 @@ class StdString extends Class {
 * Holds if `e` is a direct or indirect reference to a locally
 * allocated `std::string`.
 */
-predicate refToStdString(Expr e, ConstructorCall source) {
+predicate refToStdString(DataFlow::Node node, ConstructorCall source) {
  exists(StdString stdstring |
    stdstring.getAMemberFunction() = source.getTarget() and
    not exists(LocalVariable v |
      source = v.getInitializer().getExpr() and
      v.isStatic()
    ) and
-    e = source
+    node.asExpr() = source
  )
  or
  // Indirect use.
-  exists(Expr prev |
+  exists(DataFlow::Node prev |
    refToStdString(prev, source) and
-    DataFlow::localFlowStep(DataFlow::exprNode(prev), DataFlow::exprNode(e))
+    DataFlow::localFlowStep(prev, node)
  )
 }

@@ -74,29 +74,30 @@ predicate flowFunction(Function fcn, int argIndex) {
 * Holds if `e` is a direct or indirect reference to the result of calling
 * `c_str` on a locally allocated `std::string`.
 */
-predicate refToCStr(Expr e, ConstructorCall source) {
-  exists(MemberFunction f, FunctionCall call |
+predicate refToCStr(DataFlow::Node node, ConstructorCall source) {
+  exists(MemberFunction f, FunctionCall call, DataFlow::Node qualifier |
    f.getName() = "c_str" and
-    call = e and
+    call = node.asExpr() and
    call.getTarget() = f and
-    refToStdString(call.getQualifier(), source)
+    qualifier.asIndirectArgument() = call.getQualifier() and
+    refToStdString(qualifier, source)
  )
  or
  // Indirect use.
-  exists(Expr prev |
+  exists(DataFlow::Node prev |
    refToCStr(prev, source) and
-    DataFlow::localFlowStep(DataFlow::exprNode(prev), DataFlow::exprNode(e))
+    DataFlow::localFlowStep(prev, node)
  )
  or
  // Some functions, such as `JNIEnv::NewStringUTF()` (from Java's JNI)
  // embed return a structure containing a reference to the C-style string.
  exists(Function f, int argIndex |
    flowFunction(f, argIndex) and
-    f = e.(Call).getTarget() and
-    refToCStr(e.(Call).getArgument(argIndex), source)
+    f = node.asExpr().(Call).getTarget() and
+    refToCStr(DataFlow::exprNode(node.asExpr().(Call).getArgument(argIndex)), source)
  )
 }

 from ReturnStmt r, ConstructorCall source
-where refToCStr(r.getExpr(), source)
+where refToCStr(DataFlow::exprNode(r.getExpr()), source)
 select r, "Return value may contain a dangling pointer to $@.", source, "this local std::string"
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -8,9 +8,9 @@ edges
 | A.cpp:28:23:28:26 | Load indirection [c] | A.cpp:28:29:28:29 | c |
 | A.cpp:28:29:28:29 | c | A.cpp:28:8:28:10 | VariableAddress indirection |
 | A.cpp:29:23:29:23 | c | A.cpp:31:20:31:20 | c |
-| A.cpp:31:14:31:21 | B output argument [c] | A.cpp:29:15:29:18 | VariableAddress indirection [c] |
+| A.cpp:31:14:31:21 | call to B [c] | A.cpp:29:15:29:18 | VariableAddress indirection [c] |
 | A.cpp:31:20:31:20 | c | A.cpp:23:10:23:10 | c |
-| A.cpp:31:20:31:20 | c | A.cpp:31:14:31:21 | B output argument [c] |
+| A.cpp:31:20:31:20 | c | A.cpp:31:14:31:21 | call to B [c] |
 | A.cpp:47:12:47:18 | new | A.cpp:48:20:48:20 | c |
 | A.cpp:48:12:48:18 | Call indirection [c] | A.cpp:49:10:49:10 | Load indirection [c] |
 | A.cpp:48:20:48:20 | c | A.cpp:29:23:29:23 | c |
@@ -25,12 +25,12 @@ edges
 | A.cpp:55:12:55:19 | new | A.cpp:55:12:55:19 | new |
 | A.cpp:56:10:56:10 | b indirection [c] | A.cpp:28:8:28:10 | this indirection [c] |
 | A.cpp:56:10:56:10 | b indirection [c] | A.cpp:56:10:56:17 | call to get |
-| A.cpp:57:11:57:24 | B output argument [c] | A.cpp:57:11:57:24 | new indirection [c] |
+| A.cpp:57:11:57:24 | call to B [c] | A.cpp:57:11:57:24 | new indirection [c] |
 | A.cpp:57:11:57:24 | new indirection [c] | A.cpp:28:8:28:10 | this indirection [c] |
 | A.cpp:57:11:57:24 | new indirection [c] | A.cpp:57:10:57:32 | call to get |
 | A.cpp:57:11:57:24 | new indirection [c] | A.cpp:57:11:57:24 | new indirection [c] |
 | A.cpp:57:17:57:23 | new | A.cpp:23:10:23:10 | c |
-| A.cpp:57:17:57:23 | new | A.cpp:57:11:57:24 | B output argument [c] |
+| A.cpp:57:17:57:23 | new | A.cpp:57:11:57:24 | call to B [c] |
 | A.cpp:57:17:57:23 | new | A.cpp:57:17:57:23 | new |
 | A.cpp:64:10:64:15 | Call indirection [c] | A.cpp:66:10:66:11 | Load indirection [c] |
 | A.cpp:64:21:64:28 | new | A.cpp:64:10:64:15 | Call indirection [c] |
@@ -87,15 +87,15 @@ edges
 | A.cpp:143:7:143:31 | Store | A.cpp:143:13:143:13 | Load indirection [post update] [b] |
 | A.cpp:143:7:143:31 | Store | A.cpp:143:13:143:13 | Load indirection [post update] [b] |
 | A.cpp:143:7:143:31 | Store indirection [c] | A.cpp:143:13:143:13 | Load indirection [post update] [b indirection, c] |
-| A.cpp:143:13:143:13 | Load indirection [post update] [b indirection, c] | A.cpp:151:12:151:24 | D output argument [b indirection, c] |
-| A.cpp:143:13:143:13 | Load indirection [post update] [b] | A.cpp:151:12:151:24 | D output argument [b] |
+| A.cpp:143:13:143:13 | Load indirection [post update] [b indirection, c] | A.cpp:151:12:151:24 | call to D [b indirection, c] |
+| A.cpp:143:13:143:13 | Load indirection [post update] [b] | A.cpp:151:12:151:24 | call to D [b] |
 | A.cpp:143:25:143:31 | new | A.cpp:143:7:143:31 | Store |
 | A.cpp:150:12:150:18 | new | A.cpp:151:18:151:18 | b |
-| A.cpp:151:12:151:24 | D output argument [b indirection, c] | A.cpp:153:10:153:10 | Load indirection [b indirection, c] |
-| A.cpp:151:12:151:24 | D output argument [b] | A.cpp:152:10:152:10 | Load indirection [b] |
+| A.cpp:151:12:151:24 | call to D [b indirection, c] | A.cpp:153:10:153:10 | Load indirection [b indirection, c] |
+| A.cpp:151:12:151:24 | call to D [b] | A.cpp:152:10:152:10 | Load indirection [b] |
 | A.cpp:151:18:151:18 | D output argument [c] | A.cpp:154:10:154:10 | Load indirection [c] |
 | A.cpp:151:18:151:18 | b | A.cpp:140:13:140:13 | b |
-| A.cpp:151:18:151:18 | b | A.cpp:151:12:151:24 | D output argument [b] |
+| A.cpp:151:18:151:18 | b | A.cpp:151:12:151:24 | call to D [b] |
 | A.cpp:152:10:152:10 | Load indirection [b] | A.cpp:152:10:152:13 | b |
 | A.cpp:152:10:152:10 | Load indirection [b] | A.cpp:152:13:152:13 | b |
 | A.cpp:152:10:152:10 | Load indirection [b] | A.cpp:152:13:152:13 | b |
@@ -112,15 +112,15 @@ edges
 | A.cpp:154:10:154:10 | Load indirection [c] | A.cpp:154:13:154:13 | c |
 | A.cpp:154:13:154:13 | c | A.cpp:154:10:154:13 | c |
 | A.cpp:159:12:159:18 | new | A.cpp:160:29:160:29 | b |
-| A.cpp:160:18:160:60 | MyList output argument [head] | A.cpp:161:38:161:39 | l1 indirection [head] |
-| A.cpp:160:29:160:29 | b | A.cpp:160:18:160:60 | MyList output argument [head] |
+| A.cpp:160:18:160:60 | call to MyList [head] | A.cpp:161:38:161:39 | l1 indirection [head] |
+| A.cpp:160:29:160:29 | b | A.cpp:160:18:160:60 | call to MyList [head] |
 | A.cpp:160:29:160:29 | b | A.cpp:181:15:181:21 | newHead |
-| A.cpp:161:18:161:40 | MyList output argument [next indirection, head] | A.cpp:162:38:162:39 | l2 indirection [next indirection, head] |
-| A.cpp:161:38:161:39 | l1 indirection [head] | A.cpp:161:18:161:40 | MyList output argument [next indirection, head] |
+| A.cpp:161:18:161:40 | call to MyList [next indirection, head] | A.cpp:162:38:162:39 | l2 indirection [next indirection, head] |
+| A.cpp:161:38:161:39 | l1 indirection [head] | A.cpp:161:18:161:40 | call to MyList [next indirection, head] |
 | A.cpp:161:38:161:39 | l1 indirection [head] | A.cpp:181:32:181:35 | next indirection [head] |
-| A.cpp:162:18:162:40 | MyList output argument [next indirection, next indirection, head] | A.cpp:165:10:165:11 | Load indirection [next indirection, next indirection, head] |
-| A.cpp:162:18:162:40 | MyList output argument [next indirection, next indirection, head] | A.cpp:167:44:167:44 | Load indirection [next indirection, next indirection, head] |
-| A.cpp:162:38:162:39 | l2 indirection [next indirection, head] | A.cpp:162:18:162:40 | MyList output argument [next indirection, next indirection, head] |
+| A.cpp:162:18:162:40 | call to MyList [next indirection, next indirection, head] | A.cpp:165:10:165:11 | Load indirection [next indirection, next indirection, head] |
+| A.cpp:162:18:162:40 | call to MyList [next indirection, next indirection, head] | A.cpp:167:44:167:44 | Load indirection [next indirection, next indirection, head] |
+| A.cpp:162:38:162:39 | l2 indirection [next indirection, head] | A.cpp:162:18:162:40 | call to MyList [next indirection, next indirection, head] |
 | A.cpp:162:38:162:39 | l2 indirection [next indirection, head] | A.cpp:181:32:181:35 | next indirection [next indirection, head] |
 | A.cpp:165:10:165:11 | Load indirection [next indirection, next indirection, head] | A.cpp:165:14:165:17 | FieldAddress indirection [next indirection, head] |
 | A.cpp:165:10:165:11 | Load indirection [next indirection, next indirection, head] | A.cpp:165:14:165:17 | Load indirection [next indirection, head] |
@@ -151,11 +151,11 @@ edges
 | A.cpp:184:7:184:23 | Store indirection [head] | A.cpp:184:13:184:16 | Load indirection [post update] [next indirection, head] |
 | A.cpp:184:7:184:23 | Store indirection [next indirection, head] | A.cpp:184:13:184:16 | Load indirection [post update] [next indirection, next indirection, head] |
 | B.cpp:6:15:6:24 | new | B.cpp:7:25:7:25 | e |
-| B.cpp:7:16:7:35 | Box1 output argument [elem1] | B.cpp:8:25:8:26 | b1 indirection [elem1] |
-| B.cpp:7:25:7:25 | e | B.cpp:7:16:7:35 | Box1 output argument [elem1] |
+| B.cpp:7:16:7:35 | call to Box1 [elem1] | B.cpp:8:25:8:26 | b1 indirection [elem1] |
+| B.cpp:7:25:7:25 | e | B.cpp:7:16:7:35 | call to Box1 [elem1] |
 | B.cpp:7:25:7:25 | e | B.cpp:33:16:33:17 | e1 |
-| B.cpp:8:16:8:27 | Box2 output argument [box1 indirection, elem1] | B.cpp:9:10:9:11 | Load indirection [box1 indirection, elem1] |
-| B.cpp:8:25:8:26 | b1 indirection [elem1] | B.cpp:8:16:8:27 | Box2 output argument [box1 indirection, elem1] |
+| B.cpp:8:16:8:27 | call to Box2 [box1 indirection, elem1] | B.cpp:9:10:9:11 | Load indirection [box1 indirection, elem1] |
+| B.cpp:8:25:8:26 | b1 indirection [elem1] | B.cpp:8:16:8:27 | call to Box2 [box1 indirection, elem1] |
 | B.cpp:8:25:8:26 | b1 indirection [elem1] | B.cpp:44:16:44:17 | b1 indirection [elem1] |
 | B.cpp:9:10:9:11 | Load indirection [box1 indirection, elem1] | B.cpp:9:14:9:17 | FieldAddress indirection [elem1] |
 | B.cpp:9:10:9:11 | Load indirection [box1 indirection, elem1] | B.cpp:9:14:9:17 | Load indirection [elem1] |
@@ -165,11 +165,11 @@ edges
 | B.cpp:9:14:9:17 | Load indirection [elem1] | B.cpp:9:20:9:24 | elem1 |
 | B.cpp:9:20:9:24 | elem1 | B.cpp:9:10:9:24 | elem1 |
 | B.cpp:15:15:15:27 | new | B.cpp:16:37:16:37 | e |
-| B.cpp:16:16:16:38 | Box1 output argument [elem2] | B.cpp:17:25:17:26 | b1 indirection [elem2] |
-| B.cpp:16:37:16:37 | e | B.cpp:16:16:16:38 | Box1 output argument [elem2] |
+| B.cpp:16:16:16:38 | call to Box1 [elem2] | B.cpp:17:25:17:26 | b1 indirection [elem2] |
+| B.cpp:16:37:16:37 | e | B.cpp:16:16:16:38 | call to Box1 [elem2] |
 | B.cpp:16:37:16:37 | e | B.cpp:33:26:33:27 | e2 |
-| B.cpp:17:16:17:27 | Box2 output argument [box1 indirection, elem2] | B.cpp:19:10:19:11 | Load indirection [box1 indirection, elem2] |
-| B.cpp:17:25:17:26 | b1 indirection [elem2] | B.cpp:17:16:17:27 | Box2 output argument [box1 indirection, elem2] |
+| B.cpp:17:16:17:27 | call to Box2 [box1 indirection, elem2] | B.cpp:19:10:19:11 | Load indirection [box1 indirection, elem2] |
+| B.cpp:17:25:17:26 | b1 indirection [elem2] | B.cpp:17:16:17:27 | call to Box2 [box1 indirection, elem2] |
 | B.cpp:17:25:17:26 | b1 indirection [elem2] | B.cpp:44:16:44:17 | b1 indirection [elem2] |
 | B.cpp:19:10:19:11 | Load indirection [box1 indirection, elem2] | B.cpp:19:14:19:17 | FieldAddress indirection [elem2] |
 | B.cpp:19:10:19:11 | Load indirection [box1 indirection, elem2] | B.cpp:19:14:19:17 | Load indirection [elem2] |
@@ -186,15 +186,15 @@ edges
 | B.cpp:44:16:44:17 | b1 indirection [elem2] | B.cpp:46:7:46:21 | Store indirection [elem2] |
 | B.cpp:46:7:46:21 | Store indirection [elem1] | B.cpp:46:13:46:16 | Load indirection [post update] [box1 indirection, elem1] |
 | B.cpp:46:7:46:21 | Store indirection [elem2] | B.cpp:46:13:46:16 | Load indirection [post update] [box1 indirection, elem2] |
-| C.cpp:18:12:18:18 | C output argument [s1] | C.cpp:19:5:19:5 | c indirection [s1] |
-| C.cpp:18:12:18:18 | C output argument [s3] | C.cpp:19:5:19:5 | c indirection [s3] |
+| C.cpp:18:12:18:18 | call to C [s1] | C.cpp:19:5:19:5 | c indirection [s1] |
+| C.cpp:18:12:18:18 | call to C [s3] | C.cpp:19:5:19:5 | c indirection [s3] |
 | C.cpp:19:5:19:5 | c indirection [s1] | C.cpp:27:8:27:11 | this indirection [s1] |
 | C.cpp:19:5:19:5 | c indirection [s3] | C.cpp:27:8:27:11 | this indirection [s3] |
-| C.cpp:22:9:22:22 | this indirection [post update] [s1] | C.cpp:18:12:18:18 | C output argument [s1] |
+| C.cpp:22:9:22:22 | this indirection [post update] [s1] | C.cpp:18:12:18:18 | call to C [s1] |
 | C.cpp:22:12:22:21 | Store | C.cpp:22:9:22:22 | this indirection [post update] [s1] |
 | C.cpp:22:12:22:21 | new | C.cpp:22:12:22:21 | Store |
 | C.cpp:24:5:24:25 | Store | C.cpp:24:11:24:12 | Load indirection [post update] [s3] |
-| C.cpp:24:11:24:12 | Load indirection [post update] [s3] | C.cpp:18:12:18:18 | C output argument [s3] |
+| C.cpp:24:11:24:12 | Load indirection [post update] [s3] | C.cpp:18:12:18:18 | call to C [s3] |
 | C.cpp:24:16:24:25 | new | C.cpp:24:5:24:25 | Store |
 | C.cpp:27:8:27:11 | this indirection [s1] | C.cpp:29:10:29:11 | Load indirection [s1] |
 | C.cpp:27:8:27:11 | this indirection [s3] | C.cpp:31:10:31:11 | Load indirection [s3] |
@@ -669,18 +669,18 @@ edges
 | constructors.cpp:28:10:28:10 | f indirection [a_] | constructors.cpp:28:12:28:12 | call to a |
 | constructors.cpp:29:10:29:10 | f indirection [b_] | constructors.cpp:19:9:19:9 | this indirection [b_] |
 | constructors.cpp:29:10:29:10 | f indirection [b_] | constructors.cpp:29:12:29:12 | call to b |
-| constructors.cpp:34:9:34:9 | Foo output argument [a_] | constructors.cpp:40:9:40:9 | f indirection [a_] |
+| constructors.cpp:34:9:34:9 | call to Foo [a_] | constructors.cpp:40:9:40:9 | f indirection [a_] |
 | constructors.cpp:34:11:34:20 | call to user_input | constructors.cpp:23:13:23:13 | a |
-| constructors.cpp:34:11:34:20 | call to user_input | constructors.cpp:34:9:34:9 | Foo output argument [a_] |
-| constructors.cpp:35:9:35:9 | Foo output argument [b_] | constructors.cpp:43:9:43:9 | g indirection [b_] |
+| constructors.cpp:34:11:34:20 | call to user_input | constructors.cpp:34:9:34:9 | call to Foo [a_] |
+| constructors.cpp:35:9:35:9 | call to Foo [b_] | constructors.cpp:43:9:43:9 | g indirection [b_] |
 | constructors.cpp:35:14:35:23 | call to user_input | constructors.cpp:23:20:23:20 | b |
-| constructors.cpp:35:14:35:23 | call to user_input | constructors.cpp:35:9:35:9 | Foo output argument [b_] |
-| constructors.cpp:36:9:36:9 | Foo output argument [a_] | constructors.cpp:46:9:46:9 | h indirection [a_] |
-| constructors.cpp:36:9:36:9 | Foo output argument [b_] | constructors.cpp:46:9:46:9 | h indirection [b_] |
+| constructors.cpp:35:14:35:23 | call to user_input | constructors.cpp:35:9:35:9 | call to Foo [b_] |
+| constructors.cpp:36:9:36:9 | call to Foo [a_] | constructors.cpp:46:9:46:9 | h indirection [a_] |
+| constructors.cpp:36:9:36:9 | call to Foo [b_] | constructors.cpp:46:9:46:9 | h indirection [b_] |
 | constructors.cpp:36:11:36:20 | call to user_input | constructors.cpp:23:13:23:13 | a |
-| constructors.cpp:36:11:36:20 | call to user_input | constructors.cpp:36:9:36:9 | Foo output argument [a_] |
+| constructors.cpp:36:11:36:20 | call to user_input | constructors.cpp:36:9:36:9 | call to Foo [a_] |
 | constructors.cpp:36:25:36:34 | call to user_input | constructors.cpp:23:20:23:20 | b |
-| constructors.cpp:36:25:36:34 | call to user_input | constructors.cpp:36:9:36:9 | Foo output argument [b_] |
+| constructors.cpp:36:25:36:34 | call to user_input | constructors.cpp:36:9:36:9 | call to Foo [b_] |
 | constructors.cpp:40:9:40:9 | f indirection [a_] | constructors.cpp:26:15:26:15 | f indirection [a_] |
 | constructors.cpp:43:9:43:9 | g indirection [b_] | constructors.cpp:26:15:26:15 | f indirection [b_] |
 | constructors.cpp:46:9:46:9 | h indirection [a_] | constructors.cpp:26:15:26:15 | f indirection [a_] |
@@ -881,7 +881,7 @@ nodes
 | A.cpp:28:29:28:29 | c | semmle.label | c |
 | A.cpp:29:15:29:18 | VariableAddress indirection [c] | semmle.label | VariableAddress indirection [c] |
 | A.cpp:29:23:29:23 | c | semmle.label | c |
-| A.cpp:31:14:31:21 | B output argument [c] | semmle.label | B output argument [c] |
+| A.cpp:31:14:31:21 | call to B [c] | semmle.label | call to B [c] |
 | A.cpp:31:20:31:20 | c | semmle.label | c |
 | A.cpp:47:12:47:18 | new | semmle.label | new |
 | A.cpp:48:12:48:18 | Call indirection [c] | semmle.label | Call indirection [c] |
@@ -896,7 +896,7 @@ nodes
 | A.cpp:56:10:56:10 | b indirection [c] | semmle.label | b indirection [c] |
 | A.cpp:56:10:56:17 | call to get | semmle.label | call to get |
 | A.cpp:57:10:57:32 | call to get | semmle.label | call to get |
-| A.cpp:57:11:57:24 | B output argument [c] | semmle.label | B output argument [c] |
+| A.cpp:57:11:57:24 | call to B [c] | semmle.label | call to B [c] |
 | A.cpp:57:11:57:24 | new indirection [c] | semmle.label | new indirection [c] |
 | A.cpp:57:17:57:23 | new | semmle.label | new |
 | A.cpp:57:17:57:23 | new | semmle.label | new |
@@ -955,8 +955,8 @@ nodes
 | A.cpp:143:13:143:13 | Load indirection [post update] [b] | semmle.label | Load indirection [post update] [b] |
 | A.cpp:143:25:143:31 | new | semmle.label | new |
 | A.cpp:150:12:150:18 | new | semmle.label | new |
-| A.cpp:151:12:151:24 | D output argument [b indirection, c] | semmle.label | D output argument [b indirection, c] |
-| A.cpp:151:12:151:24 | D output argument [b] | semmle.label | D output argument [b] |
+| A.cpp:151:12:151:24 | call to D [b indirection, c] | semmle.label | call to D [b indirection, c] |
+| A.cpp:151:12:151:24 | call to D [b] | semmle.label | call to D [b] |
 | A.cpp:151:18:151:18 | D output argument [c] | semmle.label | D output argument [c] |
 | A.cpp:151:18:151:18 | b | semmle.label | b |
 | A.cpp:152:10:152:10 | Load indirection [b] | semmle.label | Load indirection [b] |
@@ -974,11 +974,11 @@ nodes
 | A.cpp:154:13:154:13 | c | semmle.label | c |
 | A.cpp:154:13:154:13 | c | semmle.label | c |
 | A.cpp:159:12:159:18 | new | semmle.label | new |
-| A.cpp:160:18:160:60 | MyList output argument [head] | semmle.label | MyList output argument [head] |
+| A.cpp:160:18:160:60 | call to MyList [head] | semmle.label | call to MyList [head] |
 | A.cpp:160:29:160:29 | b | semmle.label | b |
-| A.cpp:161:18:161:40 | MyList output argument [next indirection, head] | semmle.label | MyList output argument [next indirection, head] |
+| A.cpp:161:18:161:40 | call to MyList [next indirection, head] | semmle.label | call to MyList [next indirection, head] |
 | A.cpp:161:38:161:39 | l1 indirection [head] | semmle.label | l1 indirection [head] |
-| A.cpp:162:18:162:40 | MyList output argument [next indirection, next indirection, head] | semmle.label | MyList output argument [next indirection, next indirection, head] |
+| A.cpp:162:18:162:40 | call to MyList [next indirection, next indirection, head] | semmle.label | call to MyList [next indirection, next indirection, head] |
 | A.cpp:162:38:162:39 | l2 indirection [next indirection, head] | semmle.label | l2 indirection [next indirection, head] |
 | A.cpp:165:10:165:11 | Load indirection [next indirection, next indirection, head] | semmle.label | Load indirection [next indirection, next indirection, head] |
 | A.cpp:165:10:165:29 | head | semmle.label | head |
@@ -1008,9 +1008,9 @@ nodes
 | A.cpp:184:13:184:16 | Load indirection [post update] [next indirection, head] | semmle.label | Load indirection [post update] [next indirection, head] |
 | A.cpp:184:13:184:16 | Load indirection [post update] [next indirection, next indirection, head] | semmle.label | Load indirection [post update] [next indirection, next indirection, head] |
 | B.cpp:6:15:6:24 | new | semmle.label | new |
-| B.cpp:7:16:7:35 | Box1 output argument [elem1] | semmle.label | Box1 output argument [elem1] |
+| B.cpp:7:16:7:35 | call to Box1 [elem1] | semmle.label | call to Box1 [elem1] |
 | B.cpp:7:25:7:25 | e | semmle.label | e |
-| B.cpp:8:16:8:27 | Box2 output argument [box1 indirection, elem1] | semmle.label | Box2 output argument [box1 indirection, elem1] |
+| B.cpp:8:16:8:27 | call to Box2 [box1 indirection, elem1] | semmle.label | call to Box2 [box1 indirection, elem1] |
 | B.cpp:8:25:8:26 | b1 indirection [elem1] | semmle.label | b1 indirection [elem1] |
 | B.cpp:9:10:9:11 | Load indirection [box1 indirection, elem1] | semmle.label | Load indirection [box1 indirection, elem1] |
 | B.cpp:9:10:9:24 | elem1 | semmle.label | elem1 |
@@ -1019,9 +1019,9 @@ nodes
 | B.cpp:9:20:9:24 | elem1 | semmle.label | elem1 |
 | B.cpp:9:20:9:24 | elem1 | semmle.label | elem1 |
 | B.cpp:15:15:15:27 | new | semmle.label | new |
-| B.cpp:16:16:16:38 | Box1 output argument [elem2] | semmle.label | Box1 output argument [elem2] |
+| B.cpp:16:16:16:38 | call to Box1 [elem2] | semmle.label | call to Box1 [elem2] |
 | B.cpp:16:37:16:37 | e | semmle.label | e |
-| B.cpp:17:16:17:27 | Box2 output argument [box1 indirection, elem2] | semmle.label | Box2 output argument [box1 indirection, elem2] |
+| B.cpp:17:16:17:27 | call to Box2 [box1 indirection, elem2] | semmle.label | call to Box2 [box1 indirection, elem2] |
 | B.cpp:17:25:17:26 | b1 indirection [elem2] | semmle.label | b1 indirection [elem2] |
 | B.cpp:19:10:19:11 | Load indirection [box1 indirection, elem2] | semmle.label | Load indirection [box1 indirection, elem2] |
 | B.cpp:19:10:19:24 | elem2 | semmle.label | elem2 |
@@ -1041,8 +1041,8 @@ nodes
 | B.cpp:46:7:46:21 | Store indirection [elem2] | semmle.label | Store indirection [elem2] |
 | B.cpp:46:13:46:16 | Load indirection [post update] [box1 indirection, elem1] | semmle.label | Load indirection [post update] [box1 indirection, elem1] |
 | B.cpp:46:13:46:16 | Load indirection [post update] [box1 indirection, elem2] | semmle.label | Load indirection [post update] [box1 indirection, elem2] |
-| C.cpp:18:12:18:18 | C output argument [s1] | semmle.label | C output argument [s1] |
-| C.cpp:18:12:18:18 | C output argument [s3] | semmle.label | C output argument [s3] |
+| C.cpp:18:12:18:18 | call to C [s1] | semmle.label | call to C [s1] |
+| C.cpp:18:12:18:18 | call to C [s3] | semmle.label | call to C [s3] |
 | C.cpp:19:5:19:5 | c indirection [s1] | semmle.label | c indirection [s1] |
 | C.cpp:19:5:19:5 | c indirection [s3] | semmle.label | c indirection [s3] |
 | C.cpp:22:9:22:22 | this indirection [post update] [s1] | semmle.label | this indirection [post update] [s1] |
@@ -1483,12 +1483,12 @@ nodes
 | constructors.cpp:28:12:28:12 | call to a | semmle.label | call to a |
 | constructors.cpp:29:10:29:10 | f indirection [b_] | semmle.label | f indirection [b_] |
 | constructors.cpp:29:12:29:12 | call to b | semmle.label | call to b |
-| constructors.cpp:34:9:34:9 | Foo output argument [a_] | semmle.label | Foo output argument [a_] |
+| constructors.cpp:34:9:34:9 | call to Foo [a_] | semmle.label | call to Foo [a_] |
 | constructors.cpp:34:11:34:20 | call to user_input | semmle.label | call to user_input |
-| constructors.cpp:35:9:35:9 | Foo output argument [b_] | semmle.label | Foo output argument [b_] |
+| constructors.cpp:35:9:35:9 | call to Foo [b_] | semmle.label | call to Foo [b_] |
 | constructors.cpp:35:14:35:23 | call to user_input | semmle.label | call to user_input |
-| constructors.cpp:36:9:36:9 | Foo output argument [a_] | semmle.label | Foo output argument [a_] |
-| constructors.cpp:36:9:36:9 | Foo output argument [b_] | semmle.label | Foo output argument [b_] |
+| constructors.cpp:36:9:36:9 | call to Foo [a_] | semmle.label | call to Foo [a_] |
+| constructors.cpp:36:9:36:9 | call to Foo [b_] | semmle.label | call to Foo [b_] |
 | constructors.cpp:36:11:36:20 | call to user_input | semmle.label | call to user_input |
 | constructors.cpp:36:25:36:34 | call to user_input | semmle.label | call to user_input |
 | constructors.cpp:40:9:40:9 | f indirection [a_] | semmle.label | f indirection [a_] |
@@ -1663,25 +1663,25 @@ nodes
 | struct_init.c:46:16:46:24 | FieldAddress indirection [a] | semmle.label | FieldAddress indirection [a] |
 | struct_init.c:46:16:46:24 | pointerAB indirection [a] | semmle.label | pointerAB indirection [a] |
 subpaths
-| A.cpp:31:20:31:20 | c | A.cpp:23:10:23:10 | c | A.cpp:25:13:25:13 | Load indirection [post update] [c] | A.cpp:31:14:31:21 | B output argument [c] |
+| A.cpp:31:20:31:20 | c | A.cpp:23:10:23:10 | c | A.cpp:25:13:25:13 | Load indirection [post update] [c] | A.cpp:31:14:31:21 | call to B [c] |
 | A.cpp:48:20:48:20 | c | A.cpp:29:23:29:23 | c | A.cpp:29:15:29:18 | VariableAddress indirection [c] | A.cpp:48:12:48:18 | Call indirection [c] |
 | A.cpp:55:12:55:19 | new | A.cpp:27:17:27:17 | c | A.cpp:27:28:27:28 | Load indirection [post update] [c] | A.cpp:55:5:55:5 | set output argument [c] |
 | A.cpp:56:10:56:10 | b indirection [c] | A.cpp:28:8:28:10 | this indirection [c] | A.cpp:28:8:28:10 | VariableAddress indirection | A.cpp:56:10:56:17 | call to get |
 | A.cpp:57:11:57:24 | new indirection [c] | A.cpp:28:8:28:10 | this indirection [c] | A.cpp:28:8:28:10 | VariableAddress indirection | A.cpp:57:10:57:32 | call to get |
-| A.cpp:57:17:57:23 | new | A.cpp:23:10:23:10 | c | A.cpp:25:13:25:13 | Load indirection [post update] [c] | A.cpp:57:11:57:24 | B output argument [c] |
+| A.cpp:57:17:57:23 | new | A.cpp:23:10:23:10 | c | A.cpp:25:13:25:13 | Load indirection [post update] [c] | A.cpp:57:11:57:24 | call to B [c] |
 | A.cpp:64:21:64:28 | new | A.cpp:85:26:85:26 | c | A.cpp:85:9:85:14 | VariableAddress indirection [c] | A.cpp:64:10:64:15 | Call indirection [c] |
 | A.cpp:73:25:73:32 | new | A.cpp:78:27:78:27 | c | A.cpp:78:6:78:15 | VariableAddress indirection [c] | A.cpp:73:10:73:19 | Call indirection [c] |
 | A.cpp:81:21:81:21 | c | A.cpp:85:26:85:26 | c | A.cpp:85:9:85:14 | VariableAddress indirection [c] | A.cpp:81:10:81:15 | Call indirection [c] |
 | A.cpp:90:15:90:15 | c | A.cpp:27:17:27:17 | c | A.cpp:27:28:27:28 | Load indirection [post update] [c] | A.cpp:90:7:90:8 | set output argument [c] |
 | A.cpp:126:12:126:18 | new | A.cpp:27:17:27:17 | c | A.cpp:27:28:27:28 | Load indirection [post update] [c] | A.cpp:126:5:126:5 | set output argument [c] |
-| A.cpp:151:18:151:18 | b | A.cpp:140:13:140:13 | b | A.cpp:143:13:143:13 | Load indirection [post update] [b] | A.cpp:151:12:151:24 | D output argument [b] |
-| A.cpp:160:29:160:29 | b | A.cpp:181:15:181:21 | newHead | A.cpp:183:7:183:10 | Load indirection [post update] [head] | A.cpp:160:18:160:60 | MyList output argument [head] |
-| A.cpp:161:38:161:39 | l1 indirection [head] | A.cpp:181:32:181:35 | next indirection [head] | A.cpp:184:13:184:16 | Load indirection [post update] [next indirection, head] | A.cpp:161:18:161:40 | MyList output argument [next indirection, head] |
-| A.cpp:162:38:162:39 | l2 indirection [next indirection, head] | A.cpp:181:32:181:35 | next indirection [next indirection, head] | A.cpp:184:13:184:16 | Load indirection [post update] [next indirection, next indirection, head] | A.cpp:162:18:162:40 | MyList output argument [next indirection, next indirection, head] |
-| B.cpp:7:25:7:25 | e | B.cpp:33:16:33:17 | e1 | B.cpp:35:13:35:17 | Load indirection [post update] [elem1] | B.cpp:7:16:7:35 | Box1 output argument [elem1] |
-| B.cpp:8:25:8:26 | b1 indirection [elem1] | B.cpp:44:16:44:17 | b1 indirection [elem1] | B.cpp:46:13:46:16 | Load indirection [post update] [box1 indirection, elem1] | B.cpp:8:16:8:27 | Box2 output argument [box1 indirection, elem1] |
-| B.cpp:16:37:16:37 | e | B.cpp:33:26:33:27 | e2 | B.cpp:36:13:36:17 | Load indirection [post update] [elem2] | B.cpp:16:16:16:38 | Box1 output argument [elem2] |
-| B.cpp:17:25:17:26 | b1 indirection [elem2] | B.cpp:44:16:44:17 | b1 indirection [elem2] | B.cpp:46:13:46:16 | Load indirection [post update] [box1 indirection, elem2] | B.cpp:17:16:17:27 | Box2 output argument [box1 indirection, elem2] |
+| A.cpp:151:18:151:18 | b | A.cpp:140:13:140:13 | b | A.cpp:143:13:143:13 | Load indirection [post update] [b] | A.cpp:151:12:151:24 | call to D [b] |
+| A.cpp:160:29:160:29 | b | A.cpp:181:15:181:21 | newHead | A.cpp:183:7:183:10 | Load indirection [post update] [head] | A.cpp:160:18:160:60 | call to MyList [head] |
+| A.cpp:161:38:161:39 | l1 indirection [head] | A.cpp:181:32:181:35 | next indirection [head] | A.cpp:184:13:184:16 | Load indirection [post update] [next indirection, head] | A.cpp:161:18:161:40 | call to MyList [next indirection, head] |
+| A.cpp:162:38:162:39 | l2 indirection [next indirection, head] | A.cpp:181:32:181:35 | next indirection [next indirection, head] | A.cpp:184:13:184:16 | Load indirection [post update] [next indirection, next indirection, head] | A.cpp:162:18:162:40 | call to MyList [next indirection, next indirection, head] |
+| B.cpp:7:25:7:25 | e | B.cpp:33:16:33:17 | e1 | B.cpp:35:13:35:17 | Load indirection [post update] [elem1] | B.cpp:7:16:7:35 | call to Box1 [elem1] |
+| B.cpp:8:25:8:26 | b1 indirection [elem1] | B.cpp:44:16:44:17 | b1 indirection [elem1] | B.cpp:46:13:46:16 | Load indirection [post update] [box1 indirection, elem1] | B.cpp:8:16:8:27 | call to Box2 [box1 indirection, elem1] |
+| B.cpp:16:37:16:37 | e | B.cpp:33:26:33:27 | e2 | B.cpp:36:13:36:17 | Load indirection [post update] [elem2] | B.cpp:16:16:16:38 | call to Box1 [elem2] |
+| B.cpp:17:25:17:26 | b1 indirection [elem2] | B.cpp:44:16:44:17 | b1 indirection [elem2] | B.cpp:46:13:46:16 | Load indirection [post update] [box1 indirection, elem2] | B.cpp:17:16:17:27 | call to Box2 [box1 indirection, elem2] |
 | D.cpp:22:10:22:11 | b2 indirection [box indirection, elem] | D.cpp:17:11:17:17 | this indirection [box indirection, elem] | D.cpp:17:11:17:17 | VariableAddress indirection [elem] | D.cpp:22:14:22:20 | call to getBox1 indirection [elem] |
 | D.cpp:22:14:22:20 | call to getBox1 indirection [elem] | D.cpp:10:11:10:17 | this indirection [elem] | D.cpp:10:11:10:17 | VariableAddress indirection | D.cpp:22:10:22:33 | call to getElem |
 | D.cpp:37:21:37:21 | e | D.cpp:11:24:11:24 | e | D.cpp:11:29:11:32 | Load indirection [post update] [elem] | D.cpp:37:8:37:10 | setElem output argument [elem] |
@@ -1704,10 +1704,10 @@ subpaths
 | complex.cpp:56:19:56:28 | call to user_input | complex.cpp:12:17:12:17 | b | complex.cpp:12:22:12:23 | Load indirection [post update] [b_] | complex.cpp:56:12:56:12 | setB output argument [b_] |
 | constructors.cpp:28:10:28:10 | f indirection [a_] | constructors.cpp:18:9:18:9 | this indirection [a_] | constructors.cpp:18:9:18:9 | VariableAddress indirection | constructors.cpp:28:12:28:12 | call to a |
 | constructors.cpp:29:10:29:10 | f indirection [b_] | constructors.cpp:19:9:19:9 | this indirection [b_] | constructors.cpp:19:9:19:9 | VariableAddress indirection | constructors.cpp:29:12:29:12 | call to b |
-| constructors.cpp:34:11:34:20 | call to user_input | constructors.cpp:23:13:23:13 | a | constructors.cpp:23:25:23:29 | this indirection [post update] [a_] | constructors.cpp:34:9:34:9 | Foo output argument [a_] |
-| constructors.cpp:35:14:35:23 | call to user_input | constructors.cpp:23:20:23:20 | b | constructors.cpp:23:32:23:36 | this indirection [post update] [b_] | constructors.cpp:35:9:35:9 | Foo output argument [b_] |
-| constructors.cpp:36:11:36:20 | call to user_input | constructors.cpp:23:13:23:13 | a | constructors.cpp:23:25:23:29 | this indirection [post update] [a_] | constructors.cpp:36:9:36:9 | Foo output argument [a_] |
-| constructors.cpp:36:25:36:34 | call to user_input | constructors.cpp:23:20:23:20 | b | constructors.cpp:23:32:23:36 | this indirection [post update] [b_] | constructors.cpp:36:9:36:9 | Foo output argument [b_] |
+| constructors.cpp:34:11:34:20 | call to user_input | constructors.cpp:23:13:23:13 | a | constructors.cpp:23:25:23:29 | this indirection [post update] [a_] | constructors.cpp:34:9:34:9 | call to Foo [a_] |
+| constructors.cpp:35:14:35:23 | call to user_input | constructors.cpp:23:20:23:20 | b | constructors.cpp:23:32:23:36 | this indirection [post update] [b_] | constructors.cpp:35:9:35:9 | call to Foo [b_] |
+| constructors.cpp:36:11:36:20 | call to user_input | constructors.cpp:23:13:23:13 | a | constructors.cpp:23:25:23:29 | this indirection [post update] [a_] | constructors.cpp:36:9:36:9 | call to Foo [a_] |
+| constructors.cpp:36:25:36:34 | call to user_input | constructors.cpp:23:20:23:20 | b | constructors.cpp:23:32:23:36 | this indirection [post update] [b_] | constructors.cpp:36:9:36:9 | call to Foo [b_] |
 | qualifiers.cpp:27:28:27:37 | call to user_input | qualifiers.cpp:9:21:9:25 | value | qualifiers.cpp:9:36:9:36 | Load indirection [post update] [a] | qualifiers.cpp:27:11:27:18 | setA output argument [a] |
 | qualifiers.cpp:32:35:32:44 | call to user_input | qualifiers.cpp:12:40:12:44 | value | qualifiers.cpp:12:56:12:56 | Load indirection [post update] [a] | qualifiers.cpp:32:23:32:30 | pointerSetA output argument [a] |
 | qualifiers.cpp:37:38:37:47 | call to user_input | qualifiers.cpp:13:42:13:46 | value | qualifiers.cpp:13:57:13:57 | (reference dereference) indirection [post update] [a] | qualifiers.cpp:37:19:37:35 | referenceSetA output argument [a] |
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
@@ -653,13 +653,13 @@ reverseRead
 | static_init_templates.cpp:240:7:240:7 | Unary | Origin of readStep is missing a PostUpdateNode. |
 argHasPostUpdate
 postWithInFlow
-| cpp11.cpp:77:19:77:21 | Val output argument | PostUpdateNode should not be the target of local flow. |
-| cpp11.cpp:82:11:82:14 | Val output argument | PostUpdateNode should not be the target of local flow. |
-| cpp11.cpp:82:45:82:48 | Val output argument | PostUpdateNode should not be the target of local flow. |
-| cpp11.cpp:82:51:82:51 | Val output argument | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:809:7:809:13 | Base output argument | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:810:7:810:26 | Base output argument | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:823:7:823:13 | Base output argument | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:824:7:824:26 | Base output argument | PostUpdateNode should not be the target of local flow. |
-| try_catch.cpp:7:8:7:8 | exception output argument | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:77:19:77:21 | call to Val | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:82:11:82:14 | call to Val | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:82:45:82:48 | call to Val | PostUpdateNode should not be the target of local flow. |
+| cpp11.cpp:82:51:82:51 | call to Val | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:809:7:809:13 | call to Base | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:810:7:810:26 | call to Base | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:823:7:823:13 | call to Base | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:824:7:824:26 | call to Base | PostUpdateNode should not be the target of local flow. |
+| try_catch.cpp:7:8:7:8 | call to exception | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
--- a/Management/ReturnCstrOfLocalStdString/ReturnCstrOfLocalStdString.expected
+++ b/Management/ReturnCstrOfLocalStdString/ReturnCstrOfLocalStdString.expected
@@ -1 +1,3 @@
+| test.cpp:24:3:24:26 | return ... | Return value may contain a dangling pointer to $@. | test.cpp:23:24:23:37 | call to basic_string | this local std::string |
 | test.cpp:32:3:32:44 | return ... | Return value may contain a dangling pointer to $@. | test.cpp:32:10:32:35 | call to basic_string | this local std::string |
+| test.cpp:45:3:45:42 | return ... | Return value may contain a dangling pointer to $@. | test.cpp:44:22:44:35 | call to basic_string | this local std::string |