Merge tag 'codeql-cli/latest'

Compatible with the latest released version of the CodeQL CLI
2025-12-23 20:26:32 +01:00 · 2023-09-12 16:13:57 +00:00
parent cd16271a56 1a575ef297
commit bc2bb19491
325 changed files with 7529 additions and 3089 deletions
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -55,15 +55,6 @@
    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
    "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
  ],
  "DataFlow Java/C++/C#/Python/Ruby/Swift Consistency checks": [
    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll",
    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll"
  ],
  "DataFlow Java/C#/Go/Ruby/Python/Swift Flow Summaries": [
    "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj
@@ -11,12 +11,12 @@
  <ItemGroup>
    <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
    <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
-    <PackageReference Include="xunit" Version="2.5.0" />
+    <PackageReference Include="xunit" Version="2.4.2" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.0">
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
      <PrivateAssets>all</PrivateAssets>
      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
    </PackageReference>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
  </ItemGroup>
  <ItemGroup>
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
@@ -17,7 +17,7 @@
  </ItemGroup>
  <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="17.7.2" />
+    <PackageReference Include="Microsoft.Build" Version="17.3.2" />
  </ItemGroup>
  <ItemGroup>
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,18 @@
 ## 0.9.2
 ### Deprecated APIs
 * `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
 ### New Features
 * Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
 ### Minor Analysis Improvements
 * `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
 * Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
 ## 0.9.1
 No user-facing changes.
--- a/cpp/ql/lib/change-notes/2023-08-24-no-taint-argv-indirections.md
+++ b/cpp/ql/lib/change-notes/2023-08-24-no-taint-argv-indirections.md
@@ -1,4 +0,0 @@
 ---
 category: minorAnalysis
 ---
 * Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
--- a/cpp/ql/lib/change-notes/2023-08-25-delete-or-delete-array.md
+++ b/cpp/ql/lib/change-notes/2023-08-25-delete-or-delete-array.md
@@ -1,4 +0,0 @@
 ---
 category: feature
 ---
 * Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
--- a/cpp/ql/lib/change-notes/2023-08-25-getAllocatorCall-deprecated.md
+++ b/cpp/ql/lib/change-notes/2023-08-25-getAllocatorCall-deprecated.md
@@ -1,4 +0,0 @@
 ---
 category: deprecated
 ---
 * `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
--- a/cpp/ql/lib/change-notes/released/0.9.2.md
+++ b/cpp/ql/lib/change-notes/released/0.9.2.md
@@ -0,0 +1,14 @@
 ## 0.9.2
 ### Deprecated APIs
 * `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
 ### New Features
 * Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
 ### Minor Analysis Improvements
 * `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
 * Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.1
+lastReleaseVersion: 0.9.2
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.9.2-dev
+version: 0.9.2
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
@@ -3,297 +3,25 @@
 * data-flow classes and predicates.
 */
-private import DataFlowImplSpecific::Private
+private import cpp
-private import DataFlowImplSpecific::Public
+private import DataFlowImplSpecific
-private import tainttracking1.TaintTrackingParameter::Private
+private import TaintTrackingImplSpecific
-private import tainttracking1.TaintTrackingParameter::Public
+private import codeql.dataflow.internal.DataFlowImplConsistency
-module Consistency {
+private module Input implements InputSig<CppOldDataFlow> {
-  private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
+  predicate argHasPostUpdateExclude(Private::ArgumentNode n) {
-
+    // Is the null pointer (or something that's not really a pointer)
-  /** A class for configuring the consistency queries. */
+    exists(n.asExpr().getValue())
  class ConsistencyConfiguration extends TConsistencyConfiguration {
    string toString() { none() }
    /** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
    predicate uniqueEnclosingCallableExclude(Node n) { none() }
    /** Holds if `call` should be excluded from the consistency test `uniqueCallEnclosingCallable`. */
    predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) { none() }
    /** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
    predicate uniqueNodeLocationExclude(Node n) { none() }
    /** Holds if `n` should be excluded from the consistency test `missingLocation`. */
    predicate missingLocationExclude(Node n) { none() }
    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
    predicate postWithInFlowExclude(Node n) { none() }
    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
    /** Holds if `n` should be excluded from the consistency test `reverseRead`. */
    predicate reverseReadExclude(Node n) { none() }
    /** Holds if `n` should be excluded from the consistency test `postHasUniquePre`. */
    predicate postHasUniquePreExclude(PostUpdateNode n) { none() }
    /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
    predicate uniquePostUpdateExclude(Node n) { none() }
    /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
    predicate viableImplInCallContextTooLargeExclude(
      DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
    ) {
      none()
    }
    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
      none()
    }
    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
      none()
    }
    /** Holds if `n` should be excluded from the consistency test `identityLocalStep`. */
    predicate identityLocalStepExclude(Node n) { none() }
  }
  private class RelevantNode extends Node {
    RelevantNode() {
      this instanceof ArgumentNode or
      this instanceof ParameterNode or
      this instanceof ReturnNode or
      this = getAnOutNode(_, _) or
      simpleLocalFlowStep(this, _) or
      simpleLocalFlowStep(_, this) or
      jumpStep(this, _) or
      jumpStep(_, this) or
      storeStep(this, _, _) or
      storeStep(_, _, this) or
      readStep(this, _, _) or
      readStep(_, _, this) or
      defaultAdditionalTaintStep(this, _) or
      defaultAdditionalTaintStep(_, this)
    }
  }
  query predicate uniqueEnclosingCallable(Node n, string msg) {
    exists(int c |
      n instanceof RelevantNode and
      c = count(nodeGetEnclosingCallable(n)) and
      c != 1 and
      not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
      msg = "Node should have one enclosing callable but has " + c + "."
    )
  }
  query predicate uniqueCallEnclosingCallable(DataFlowCall call, string msg) {
    exists(int c |
      c = count(call.getEnclosingCallable()) and
      c != 1 and
      not any(ConsistencyConfiguration conf).uniqueCallEnclosingCallableExclude(call) and
      msg = "Call should have one enclosing callable but has " + c + "."
    )
  }
  query predicate uniqueType(Node n, string msg) {
    exists(int c |
      n instanceof RelevantNode and
      c = count(getNodeType(n)) and
      c != 1 and
      msg = "Node should have one type but has " + c + "."
    )
  }
  query predicate uniqueNodeLocation(Node n, string msg) {
    exists(int c |
      c =
        count(string filepath, int startline, int startcolumn, int endline, int endcolumn |
          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
        ) and
      c != 1 and
      not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
      msg = "Node should have one location but has " + c + "."
    )
  }
  query predicate missingLocation(string msg) {
    exists(int c |
      c =
        strictcount(Node n |
          not n.hasLocationInfo(_, _, _, _, _) and
          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
        ) and
      msg = "Nodes without location: " + c
    )
  }
  query predicate uniqueNodeToString(Node n, string msg) {
    exists(int c |
      c = count(n.toString()) and
      c != 1 and
      msg = "Node should have one toString but has " + c + "."
    )
  }
  query predicate missingToString(string msg) {
    exists(int c |
      c = strictcount(Node n | not exists(n.toString())) and
      msg = "Nodes without toString: " + c
    )
  }
  query predicate parameterCallable(ParameterNode p, string msg) {
    exists(DataFlowCallable c | isParameterNode(p, c, _) and c != nodeGetEnclosingCallable(p)) and
    msg = "Callable mismatch for parameter."
  }
  query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
    simpleLocalFlowStep(n1, n2) and
    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
    msg = "Local flow step does not preserve enclosing callable."
  }
  query predicate readStepIsLocal(Node n1, Node n2, string msg) {
    readStep(n1, _, n2) and
    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
    msg = "Read step does not preserve enclosing callable."
  }
  query predicate storeStepIsLocal(Node n1, Node n2, string msg) {
    storeStep(n1, _, n2) and
    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
    msg = "Store step does not preserve enclosing callable."
  }
  private DataFlowType typeRepr() { result = getNodeType(_) }
  query predicate compatibleTypesReflexive(DataFlowType t, string msg) {
    t = typeRepr() and
    not compatibleTypes(t, t) and
    msg = "Type compatibility predicate is not reflexive."
  }
  query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
    isUnreachableInCall(n, call) and
    exists(DataFlowCallable c |
      c = nodeGetEnclosingCallable(n) and
      not viableCallable(call) = c
    ) and
    msg = "Call context for isUnreachableInCall is inconsistent with call graph."
  }
  query predicate localCallNodes(DataFlowCall call, Node n, string msg) {
    (
      n = getAnOutNode(call, _) and
      msg = "OutNode and call does not share enclosing callable."
    or
-      n.(ArgumentNode).argumentOf(call, _) and
+    // Isn't a pointer or is a pointer to const
-      msg = "ArgumentNode and call does not share enclosing callable."
+    forall(DerivedType dt | dt = n.asExpr().getActualType() |
-    ) and
+      dt.getBaseType().isConst()
    nodeGetEnclosingCallable(n) != call.getEnclosingCallable()
  }
  // This predicate helps the compiler forget that in some languages
  // it is impossible for a result of `getPreUpdateNode` to be an
  // instance of `PostUpdateNode`.
  private Node getPre(PostUpdateNode n) {
    result = n.getPreUpdateNode()
      or
-    none()
+      dt.getBaseType() instanceof RoutineType
  }
  query predicate postIsNotPre(PostUpdateNode n, string msg) {
    getPre(n) = n and
    msg = "PostUpdateNode should not equal its pre-update node."
  }
  query predicate postHasUniquePre(PostUpdateNode n, string msg) {
    not any(ConsistencyConfiguration conf).postHasUniquePreExclude(n) and
    exists(int c |
      c = count(n.getPreUpdateNode()) and
      c != 1 and
      msg = "PostUpdateNode should have one pre-update node but has " + c + "."
    )
-  }
+    // The above list of cases isn't exhaustive, but it narrows down the
-
+    // consistency alerts enough that most of them are interesting.
  query predicate uniquePostUpdate(Node n, string msg) {
    not any(ConsistencyConfiguration conf).uniquePostUpdateExclude(n) and
    1 < strictcount(PostUpdateNode post | post.getPreUpdateNode() = n) and
    msg = "Node has multiple PostUpdateNodes."
  }
  query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
    nodeGetEnclosingCallable(n) != nodeGetEnclosingCallable(n.getPreUpdateNode()) and
    msg = "PostUpdateNode does not share callable with its pre-update node."
  }
  private predicate hasPost(Node n) { exists(PostUpdateNode post | post.getPreUpdateNode() = n) }
  query predicate reverseRead(Node n, string msg) {
    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
    not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
    msg = "Origin of readStep is missing a PostUpdateNode."
  }
  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
    not hasPost(n) and
    not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
    msg = "ArgumentNode is missing PostUpdateNode."
  }
  // This predicate helps the compiler forget that in some languages
  // it is impossible for a `PostUpdateNode` to be the target of
  // `simpleLocalFlowStep`.
  private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
  query predicate postWithInFlow(Node n, string msg) {
    isPostUpdateNode(n) and
    not clearsContent(n, _) and
    simpleLocalFlowStep(_, n) and
    not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
    msg = "PostUpdateNode should not be the target of local flow."
  }
  query predicate viableImplInCallContextTooLarge(
    DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
  ) {
    callable = viableImplInCallContext(call, ctx) and
    not callable = viableCallable(call) and
    not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
  }
  query predicate uniqueParameterNodeAtPosition(
    DataFlowCallable c, ParameterPosition pos, Node p, string msg
  ) {
    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
    isParameterNode(p, c, pos) and
    not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
    msg = "Parameters with overlapping positions."
  }
  query predicate uniqueParameterNodePosition(
    DataFlowCallable c, ParameterPosition pos, Node p, string msg
  ) {
    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
    isParameterNode(p, c, pos) and
    not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
    msg = "Parameter node with multiple positions."
  }
  query predicate uniqueContentApprox(Content c, string msg) {
    not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
    msg = "Non-unique content approximation."
  }
  query predicate identityLocalStep(Node n, string msg) {
    simpleLocalFlowStep(n, n) and
    not any(ConsistencyConfiguration c).identityLocalStepExclude(n) and
    msg = "Node steps to itself"
  }
 }
 module Consistency = MakeConsistency<CppOldDataFlow, CppOldTaintTracking, Input>;
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -2,7 +2,6 @@ private import cpp
 private import DataFlowUtil
 private import DataFlowDispatch
 private import FlowVar
 private import DataFlowImplConsistency
 private import codeql.util.Unit
 /** Gets the callable in which this node occurs. */
@@ -297,22 +296,6 @@ class ContentApprox = Unit;
 pragma[inline]
 ContentApprox getContentApprox(Content c) { any() }
 private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
  override predicate argHasPostUpdateExclude(ArgumentNode n) {
    // Is the null pointer (or something that's not really a pointer)
    exists(n.asExpr().getValue())
    or
    // Isn't a pointer or is a pointer to const
    forall(DerivedType dt | dt = n.asExpr().getActualType() |
      dt.getBaseType().isConst()
      or
      dt.getBaseType() instanceof RoutineType
    )
    // The above list of cases isn't exhaustive, but it narrows down the
    // consistency alerts enough that most of them are interesting.
  }
 }
 /**
 * Gets an additional term that is added to the `join` and `branch` computations to reflect
 * an additional forward or backwards branching factor that is not taken into account
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
@@ -3,297 +3,17 @@
 * data-flow classes and predicates.
 */
-private import DataFlowImplSpecific::Private
+private import cpp
-private import DataFlowImplSpecific::Public
+private import DataFlowImplSpecific
-private import tainttracking1.TaintTrackingParameter::Private
+private import TaintTrackingImplSpecific
-private import tainttracking1.TaintTrackingParameter::Public
+private import codeql.dataflow.internal.DataFlowImplConsistency
-module Consistency {
+private module Input implements InputSig<CppDataFlow> {
-  private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
+  predicate argHasPostUpdateExclude(Private::ArgumentNode n) {
-
+    // The rules for whether an IR argument gets a post-update node are too
-  /** A class for configuring the consistency queries. */
+    // complex to model here.
-  class ConsistencyConfiguration extends TConsistencyConfiguration {
+    any()
    string toString() { none() }
    /** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
    predicate uniqueEnclosingCallableExclude(Node n) { none() }
    /** Holds if `call` should be excluded from the consistency test `uniqueCallEnclosingCallable`. */
    predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) { none() }
    /** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
    predicate uniqueNodeLocationExclude(Node n) { none() }
    /** Holds if `n` should be excluded from the consistency test `missingLocation`. */
    predicate missingLocationExclude(Node n) { none() }
    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
    predicate postWithInFlowExclude(Node n) { none() }
    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
    /** Holds if `n` should be excluded from the consistency test `reverseRead`. */
    predicate reverseReadExclude(Node n) { none() }
    /** Holds if `n` should be excluded from the consistency test `postHasUniquePre`. */
    predicate postHasUniquePreExclude(PostUpdateNode n) { none() }
    /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
    predicate uniquePostUpdateExclude(Node n) { none() }
    /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
    predicate viableImplInCallContextTooLargeExclude(
      DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
    ) {
      none()
    }
    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
      none()
    }
    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
      none()
    }
    /** Holds if `n` should be excluded from the consistency test `identityLocalStep`. */
    predicate identityLocalStepExclude(Node n) { none() }
  }
  private class RelevantNode extends Node {
    RelevantNode() {
      this instanceof ArgumentNode or
      this instanceof ParameterNode or
      this instanceof ReturnNode or
      this = getAnOutNode(_, _) or
      simpleLocalFlowStep(this, _) or
      simpleLocalFlowStep(_, this) or
      jumpStep(this, _) or
      jumpStep(_, this) or
      storeStep(this, _, _) or
      storeStep(_, _, this) or
      readStep(this, _, _) or
      readStep(_, _, this) or
      defaultAdditionalTaintStep(this, _) or
      defaultAdditionalTaintStep(_, this)
  }
 }
-  query predicate uniqueEnclosingCallable(Node n, string msg) {
+module Consistency = MakeConsistency<CppDataFlow, CppTaintTracking, Input>;
    exists(int c |
      n instanceof RelevantNode and
      c = count(nodeGetEnclosingCallable(n)) and
      c != 1 and
      not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
      msg = "Node should have one enclosing callable but has " + c + "."
    )
  }
  query predicate uniqueCallEnclosingCallable(DataFlowCall call, string msg) {
    exists(int c |
      c = count(call.getEnclosingCallable()) and
      c != 1 and
      not any(ConsistencyConfiguration conf).uniqueCallEnclosingCallableExclude(call) and
      msg = "Call should have one enclosing callable but has " + c + "."
    )
  }
  query predicate uniqueType(Node n, string msg) {
    exists(int c |
      n instanceof RelevantNode and
      c = count(getNodeType(n)) and
      c != 1 and
      msg = "Node should have one type but has " + c + "."
    )
  }
  query predicate uniqueNodeLocation(Node n, string msg) {
    exists(int c |
      c =
        count(string filepath, int startline, int startcolumn, int endline, int endcolumn |
          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
        ) and
      c != 1 and
      not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
      msg = "Node should have one location but has " + c + "."
    )
  }
  query predicate missingLocation(string msg) {
    exists(int c |
      c =
        strictcount(Node n |
          not n.hasLocationInfo(_, _, _, _, _) and
          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
        ) and
      msg = "Nodes without location: " + c
    )
  }
  query predicate uniqueNodeToString(Node n, string msg) {
    exists(int c |
      c = count(n.toString()) and
      c != 1 and
      msg = "Node should have one toString but has " + c + "."
    )
  }
  query predicate missingToString(string msg) {
    exists(int c |
      c = strictcount(Node n | not exists(n.toString())) and
      msg = "Nodes without toString: " + c
    )
  }
  query predicate parameterCallable(ParameterNode p, string msg) {
    exists(DataFlowCallable c | isParameterNode(p, c, _) and c != nodeGetEnclosingCallable(p)) and
    msg = "Callable mismatch for parameter."
  }
  query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
    simpleLocalFlowStep(n1, n2) and
    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
    msg = "Local flow step does not preserve enclosing callable."
  }
  query predicate readStepIsLocal(Node n1, Node n2, string msg) {
    readStep(n1, _, n2) and
    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
    msg = "Read step does not preserve enclosing callable."
  }
  query predicate storeStepIsLocal(Node n1, Node n2, string msg) {
    storeStep(n1, _, n2) and
    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
    msg = "Store step does not preserve enclosing callable."
  }
  private DataFlowType typeRepr() { result = getNodeType(_) }
  query predicate compatibleTypesReflexive(DataFlowType t, string msg) {
    t = typeRepr() and
    not compatibleTypes(t, t) and
    msg = "Type compatibility predicate is not reflexive."
  }
  query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
    isUnreachableInCall(n, call) and
    exists(DataFlowCallable c |
      c = nodeGetEnclosingCallable(n) and
      not viableCallable(call) = c
    ) and
    msg = "Call context for isUnreachableInCall is inconsistent with call graph."
  }
  query predicate localCallNodes(DataFlowCall call, Node n, string msg) {
    (
      n = getAnOutNode(call, _) and
      msg = "OutNode and call does not share enclosing callable."
      or
      n.(ArgumentNode).argumentOf(call, _) and
      msg = "ArgumentNode and call does not share enclosing callable."
    ) and
    nodeGetEnclosingCallable(n) != call.getEnclosingCallable()
  }
  // This predicate helps the compiler forget that in some languages
  // it is impossible for a result of `getPreUpdateNode` to be an
  // instance of `PostUpdateNode`.
  private Node getPre(PostUpdateNode n) {
    result = n.getPreUpdateNode()
    or
    none()
  }
  query predicate postIsNotPre(PostUpdateNode n, string msg) {
    getPre(n) = n and
    msg = "PostUpdateNode should not equal its pre-update node."
  }
  query predicate postHasUniquePre(PostUpdateNode n, string msg) {
    not any(ConsistencyConfiguration conf).postHasUniquePreExclude(n) and
    exists(int c |
      c = count(n.getPreUpdateNode()) and
      c != 1 and
      msg = "PostUpdateNode should have one pre-update node but has " + c + "."
    )
  }
  query predicate uniquePostUpdate(Node n, string msg) {
    not any(ConsistencyConfiguration conf).uniquePostUpdateExclude(n) and
    1 < strictcount(PostUpdateNode post | post.getPreUpdateNode() = n) and
    msg = "Node has multiple PostUpdateNodes."
  }
  query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
    nodeGetEnclosingCallable(n) != nodeGetEnclosingCallable(n.getPreUpdateNode()) and
    msg = "PostUpdateNode does not share callable with its pre-update node."
  }
  private predicate hasPost(Node n) { exists(PostUpdateNode post | post.getPreUpdateNode() = n) }
  query predicate reverseRead(Node n, string msg) {
    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
    not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
    msg = "Origin of readStep is missing a PostUpdateNode."
  }
  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
    not hasPost(n) and
    not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
    msg = "ArgumentNode is missing PostUpdateNode."
  }
  // This predicate helps the compiler forget that in some languages
  // it is impossible for a `PostUpdateNode` to be the target of
  // `simpleLocalFlowStep`.
  private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
  query predicate postWithInFlow(Node n, string msg) {
    isPostUpdateNode(n) and
    not clearsContent(n, _) and
    simpleLocalFlowStep(_, n) and
    not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
    msg = "PostUpdateNode should not be the target of local flow."
  }
  query predicate viableImplInCallContextTooLarge(
    DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
  ) {
    callable = viableImplInCallContext(call, ctx) and
    not callable = viableCallable(call) and
    not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
  }
  query predicate uniqueParameterNodeAtPosition(
    DataFlowCallable c, ParameterPosition pos, Node p, string msg
  ) {
    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
    isParameterNode(p, c, pos) and
    not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
    msg = "Parameters with overlapping positions."
  }
  query predicate uniqueParameterNodePosition(
    DataFlowCallable c, ParameterPosition pos, Node p, string msg
  ) {
    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
    isParameterNode(p, c, pos) and
    not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
    msg = "Parameter node with multiple positions."
  }
  query predicate uniqueContentApprox(Content c, string msg) {
    not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
    msg = "Non-unique content approximation."
  }
  query predicate identityLocalStep(Node n, string msg) {
    simpleLocalFlowStep(n, n) and
    not any(ConsistencyConfiguration c).identityLocalStepExclude(n) and
    msg = "Node steps to itself"
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -2,7 +2,6 @@ private import cpp as Cpp
 private import DataFlowUtil
 private import semmle.code.cpp.ir.IR
 private import DataFlowDispatch
 private import DataFlowImplConsistency
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
@@ -220,9 +219,10 @@ private module IndirectOperands {
    int indirectionIndex;
    IndirectOperandFromIRRepr() {
-      exists(Operand repr |
+      exists(Operand repr, int indirectionIndexRepr |
-        repr = Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex) and
+        Ssa::hasIRRepresentationOfIndirectOperand(operand, indirectionIndex, repr,
-        nodeHasOperand(this, repr, indirectionIndex - 1)
+          indirectionIndexRepr) and
        nodeHasOperand(this, repr, indirectionIndexRepr)
      )
    }
@@ -262,9 +262,10 @@ private module IndirectInstructions {
    int indirectionIndex;
    IndirectInstructionFromIRRepr() {
-      exists(Instruction repr |
+      exists(Instruction repr, int indirectionIndexRepr |
-        repr = Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex) and
+        Ssa::hasIRRepresentationOfIndirectInstruction(instr, indirectionIndex, repr,
-        nodeHasInstruction(this, repr, indirectionIndex - 1)
+          indirectionIndexRepr) and
        nodeHasInstruction(this, repr, indirectionIndexRepr)
      )
    }
@@ -690,7 +691,7 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { storeStepImpl(node1,
 private predicate numberOfLoadsFromOperandRec(
  Operand operandFrom, Operand operandTo, int ind, boolean certain
 ) {
-  exists(Instruction load | Ssa::isDereference(load, operandFrom) |
+  exists(Instruction load | Ssa::isDereference(load, operandFrom, _) |
    operandTo = operandFrom and ind = 0 and certain = true
    or
    numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1, certain)
@@ -714,7 +715,7 @@ private predicate numberOfLoadsFromOperand(
 ) {
  numberOfLoadsFromOperandRec(operandFrom, operandTo, n, certain)
  or
-  not Ssa::isDereference(_, operandFrom) and
+  not Ssa::isDereference(_, operandFrom, _) and
  not conversionFlow(operandFrom, _, _, _) and
  operandFrom = operandTo and
  n = 0 and
@@ -1011,14 +1012,6 @@ ContentApprox getContentApprox(Content c) {
  )
 }
 private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
  override predicate argHasPostUpdateExclude(ArgumentNode n) {
    // The rules for whether an IR argument gets a post-update node are too
    // complex to model here.
    any()
  }
 }
 /**
 * A local flow relation that includes both local steps, read steps and
 * argument-to-return flow through summarized functions.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -74,7 +74,7 @@ predicate hasRawIndirectOperand(Operand op, int indirectionIndex) {
    type = getLanguageType(op) and
    m = countIndirectionsForCppType(type) and
    indirectionIndex = [1 .. m] and
-    not exists(getIRRepresentationOfIndirectOperand(op, indirectionIndex))
+    not hasIRRepresentationOfIndirectOperand(op, indirectionIndex, _, _)
  )
 }
@@ -88,7 +88,7 @@ predicate hasRawIndirectInstruction(Instruction instr, int indirectionIndex) {
    type = getResultLanguageType(instr) and
    m = countIndirectionsForCppType(type) and
    indirectionIndex = [1 .. m] and
-    not exists(getIRRepresentationOfIndirectInstruction(instr, indirectionIndex))
+    not hasIRRepresentationOfIndirectInstruction(instr, indirectionIndex, _, _)
  )
 }
@@ -108,7 +108,7 @@ private newtype TDefOrUseImpl =
  } or
  TUseImpl(BaseSourceVariableInstruction base, Operand operand, int indirectionIndex) {
    isUse(_, operand, base, _, indirectionIndex) and
-    not isDef(_, _, operand, _, _, _)
+    not isDef(true, _, operand, _, _, _)
  } or
  TGlobalUse(GlobalLikeVariable v, IRFunction f, int indirectionIndex) {
    // Represents a final "use" of a global variable to ensure that
@@ -610,7 +610,7 @@ private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
      hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
      hasOperandAndIndex(nTo, op2, indirectionIndex - 1) and
      instr = op2.getDef() and
-      isDereference(instr, op1)
+      isDereference(instr, op1, _)
    )
  )
 }
@@ -638,12 +638,24 @@ private predicate adjustForPointerArith(PostUpdateNode pun, UseOrPhi use) {
  )
 }
-private predicate ssaFlowImpl(SsaDefOrUse defOrUse, Node nodeFrom, Node nodeTo, boolean uncertain) {
+/**
-  exists(UseOrPhi use |
+ * Holds if `nodeFrom` flows to `nodeTo` because there is `def-use` or
 * `use-use` flow from `defOrUse` to `use`.
 *
 * `uncertain` is `true` if the `defOrUse` is an uncertain definition.
 */
 private predicate localSsaFlow(
  SsaDefOrUse defOrUse, Node nodeFrom, UseOrPhi use, Node nodeTo, boolean uncertain
 ) {
  nodeToDefOrUse(nodeFrom, defOrUse, uncertain) and
  adjacentDefRead(defOrUse, use) and
  useToNode(use, nodeTo) and
  nodeFrom != nodeTo
 }
 private predicate ssaFlowImpl(SsaDefOrUse defOrUse, Node nodeFrom, Node nodeTo, boolean uncertain) {
  exists(UseOrPhi use |
    localSsaFlow(defOrUse, nodeFrom, use, nodeTo, uncertain)
    or
    // Initial global variable value to a first use
    nodeFrom.(InitialGlobalValue).getGlobalDef() = defOrUse and
@@ -684,19 +696,99 @@ predicate ssaFlow(Node nodeFrom, Node nodeTo) {
  )
 }
-private predicate isArgumentOfCallable(DataFlowCall call, ArgumentNode arg) {
+private predicate isArgumentOfCallableInstruction(DataFlowCall call, Instruction instr) {
-  arg.argumentOf(call, _)
+  isArgumentOfCallableOperand(call, unique( | | getAUse(instr)))
 }
-/** Holds if there is def-use or use-use flow from `pun` to `nodeTo`. */
+private predicate isArgumentOfCallableOperand(DataFlowCall call, Operand operand) {
-predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
+  operand.(ArgumentOperand).getCall() = call
-  exists(UseOrPhi use, Node preUpdate |
+  or
-    adjustForPointerArith(pun, use) and
+  exists(FieldAddressInstruction fai |
-    useToNode(use, nodeTo) and
+    fai.getObjectAddressOperand() = operand and
-    preUpdate = pun.getPreUpdateNode() and
+    isArgumentOfCallableInstruction(call, fai)
    not exists(DataFlowCall call |
      isArgumentOfCallable(call, preUpdate) and isArgumentOfCallable(call, nodeTo)
  )
  or
  exists(Instruction deref |
    isArgumentOfCallableInstruction(call, deref) and
    isDereference(deref, operand, _)
  )
  or
  exists(Instruction instr |
    isArgumentOfCallableInstruction(call, instr) and
    conversionFlow(operand, instr, _, _)
  )
 }
 private predicate isArgumentOfCallable(DataFlowCall call, Node n) {
  isArgumentOfCallableOperand(call, n.asOperand())
  or
  exists(Operand op |
    n.(IndirectOperand).hasOperandAndIndirectionIndex(op, _) and
    isArgumentOfCallableOperand(call, op)
  )
  or
  exists(Instruction instr |
    n.(IndirectInstruction).hasInstructionAndIndirectionIndex(instr, _) and
    isArgumentOfCallableInstruction(call, instr)
  )
 }
 /**
 * Holds if there is use-use flow from `pun`'s pre-update node to `n`.
 */
 private predicate postUpdateNodeToFirstUse(PostUpdateNode pun, Node n) {
  exists(UseOrPhi use |
    adjustForPointerArith(pun, use) and
    useToNode(use, n)
  )
 }
 private predicate stepUntilNotInCall(DataFlowCall call, Node n1, Node n2) {
  isArgumentOfCallable(call, n1) and
  exists(Node mid | localSsaFlow(_, n1, _, mid, _) |
    isArgumentOfCallable(call, mid) and
    stepUntilNotInCall(call, mid, n2)
    or
    not isArgumentOfCallable(call, mid) and
    mid = n2
  )
 }
 bindingset[n1, n2]
 pragma[inline_late]
 private predicate isArgumentOfSameCall(DataFlowCall call, Node n1, Node n2) {
  isArgumentOfCallable(call, n1) and isArgumentOfCallable(call, n2)
 }
 /**
 * Holds if there is def-use or use-use flow from `pun` to `nodeTo`.
 *
 * Note: This is more complex than it sounds. Consider a call such as:
 * ```cpp
 * write_first_argument(x, x);
 * sink(x);
 * ```
 * Assume flow comes out of the first argument to `write_first_argument`. We
 * don't want flow to go to the `x` that's also an argument to
 * `write_first_argument` (because we just flowed out of that function, and we
 * don't want to flow back into it again).
 *
 * We do, however, want flow from the output argument to `x` on the next line, and
 * similarly we want flow from the second argument of `write_first_argument` to `x`
 * on the next line.
 */
 predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
  exists(Node preUpdate, Node mid |
    preUpdate = pun.getPreUpdateNode() and
    postUpdateNodeToFirstUse(pun, mid)
  |
    exists(DataFlowCall call |
      isArgumentOfSameCall(call, preUpdate, mid) and
      stepUntilNotInCall(call, mid, nodeTo)
    )
    or
    not isArgumentOfSameCall(_, preUpdate, mid) and
    nodeTo = mid
  )
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -320,10 +320,20 @@ private module IteratorIndirections {
  }
 }
-predicate isDereference(Instruction deref, Operand address) {
+/**
-  any(Indirection ind).isAdditionalDereference(deref, address)
+ * Holds if `deref` is the result of loading the value at the address
 * represented by `address`.
 *
 * If `additional = true` then the dereference comes from an `Indirection`
 * class (such as a call to an iterator's `operator*`), and if
 * `additional = false` the dereference is a `LoadInstruction`.
 */
 predicate isDereference(Instruction deref, Operand address, boolean additional) {
  any(Indirection ind).isAdditionalDereference(deref, address) and
  additional = true
  or
-  deref.(LoadInstruction).getSourceAddressOperand() = address
+  deref.(LoadInstruction).getSourceAddressOperand() = address and
  additional = false
 }
 predicate isWrite(Node0Impl value, Operand address, boolean certain) {
@@ -545,7 +555,7 @@ private module Cached {
      isDef(_, value, iteratorDerefAddress, iteratorBase, numberOfLoads + 2, 0) and
      isUse(_, iteratorAddress, iteratorBase, numberOfLoads + 1, 0) and
      iteratorBase.getResultType() instanceof Interfaces::Iterator and
-      isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse()) and
+      isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse(), _) and
      memory = read.getSideEffectOperand().getAnyDef()
    )
  }
@@ -781,11 +791,14 @@ private module Cached {
   * instead associated with the operand returned by this predicate.
   */
  cached
-  Operand getIRRepresentationOfIndirectOperand(Operand operand, int indirectionIndex) {
+  predicate hasIRRepresentationOfIndirectOperand(
    Operand operand, int indirectionIndex, Operand operandRepr, int indirectionIndexRepr
  ) {
    indirectionIndex = [1 .. countIndirectionsForCppType(getLanguageType(operand))] and
    exists(Instruction load |
-      isDereference(load, operand) and
+      isDereference(load, operand, false) and
-      result = unique( | | getAUse(load)) and
+      operandRepr = unique( | | getAUse(load)) and
-      isUseImpl(operand, _, indirectionIndex - 1)
+      indirectionIndexRepr = indirectionIndex - 1
    )
  }
@@ -797,12 +810,15 @@ private module Cached {
   * instead associated with the instruction returned by this predicate.
   */
  cached
-  Instruction getIRRepresentationOfIndirectInstruction(Instruction instr, int indirectionIndex) {
+  predicate hasIRRepresentationOfIndirectInstruction(
    Instruction instr, int indirectionIndex, Instruction instrRepr, int indirectionIndexRepr
  ) {
    indirectionIndex = [1 .. countIndirectionsForCppType(getResultLanguageType(instr))] and
    exists(Instruction load, Operand address |
      address.getDef() = instr and
-      isDereference(load, address) and
+      isDereference(load, address, false) and
-      isUseImpl(address, _, indirectionIndex - 1) and
+      instrRepr = load and
-      result = load
+      indirectionIndexRepr = indirectionIndex - 1
    )
  }
@@ -823,7 +839,7 @@ private module Cached {
    or
    exists(int ind0 |
      exists(Operand address |
-        isDereference(operand.getDef(), address) and
+        isDereference(operand.getDef(), address, _) and
        isUseImpl(address, base, ind0)
      )
      or
@@ -893,7 +909,7 @@ private module Cached {
    )
    or
    exists(Operand address, boolean certain0 |
-      isDereference(operand.getDef(), address) and
+      isDereference(operand.getDef(), address, _) and
      isDefImpl(address, base, ind - 1, certain0)
    |
      if isCertainAddress(operand) then certain = certain0 else certain = false
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -57,7 +57,7 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
  )
  or
  // Taint flow from an address to its dereference.
-  Ssa::isDereference(instrTo, opFrom)
+  Ssa::isDereference(instrTo, opFrom, _)
  or
  // Unary instructions tend to preserve enough information in practice that we
  // want taint to flow through.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll
@@ -55,6 +55,7 @@ private newtype TOpcode =
  TVariableAddress() or
  TFieldAddress() or
  TFunctionAddress() or
  TVirtualDeleteFunctionAddress() or
  TElementsAddress() or
  TConstant() or
  TStringConstant() or
@@ -887,6 +888,15 @@ module Opcode {
    final override string toString() { result = "FunctionAddress" }
  }
  /**
   * The `Opcode` for a `VirtualDeleteFunctionAddress`.
   *
   * See the `VirtualDeleteFunctionAddressInstruction` documentation for more details.
   */
  class VirtualDeleteFunctionAddress extends Opcode, TVirtualDeleteFunctionAddress {
    final override string toString() { result = "VirtualDeleteFunctionAddress" }
  }
  /**
   * The `Opcode` for a `ConstantInstruction`.
   *
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -576,6 +576,22 @@ class FunctionAddressInstruction extends FunctionInstruction {
  FunctionAddressInstruction() { this.getOpcode() instanceof Opcode::FunctionAddress }
 }
 /**
 * An instruction that returns the address of a "virtual" delete function.
 *
 * This function, which does not actually exist in the source code, is used to
 * delete objects of a class with a virtual destructor. In that case the deacllocation
 * function is selected at runtime based on the dynamic type of the object. So this
 * function dynamically dispatches to the correct deallocation function.
 * It also should pass in the required extra arguments to the deallocation function
 * which may differ dynamically depending on the type of the object.
 */
 class VirtualDeleteFunctionAddressInstruction extends Instruction {
  VirtualDeleteFunctionAddressInstruction() {
    this.getOpcode() instanceof Opcode::VirtualDeleteFunctionAddress
  }
 }
 /**
 * An instruction that initializes a parameter of the enclosing function with the value of the
 * corresponding argument passed by the caller.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -576,6 +576,22 @@ class FunctionAddressInstruction extends FunctionInstruction {
  FunctionAddressInstruction() { this.getOpcode() instanceof Opcode::FunctionAddress }
 }
 /**
 * An instruction that returns the address of a "virtual" delete function.
 *
 * This function, which does not actually exist in the source code, is used to
 * delete objects of a class with a virtual destructor. In that case the deacllocation
 * function is selected at runtime based on the dynamic type of the object. So this
 * function dynamically dispatches to the correct deallocation function.
 * It also should pass in the required extra arguments to the deallocation function
 * which may differ dynamically depending on the type of the object.
 */
 class VirtualDeleteFunctionAddressInstruction extends Instruction {
  VirtualDeleteFunctionAddressInstruction() {
    this.getOpcode() instanceof Opcode::VirtualDeleteFunctionAddress
  }
 }
 /**
 * An instruction that initializes a parameter of the enclosing function with the value of the
 * corresponding argument passed by the caller.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
@@ -120,9 +120,9 @@ private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buff
 }
 /**
- * A `Call` or `NewOrNewArrayExpr`.
+ * A `Call` or `NewOrNewArrayExpr` or `DeleteOrDeleteArrayExpr`.
 *
- * Both kinds of expression invoke a function as part of their evaluation. This class provides a
+ * All kinds of expression invoke a function as part of their evaluation. This class provides a
 * way to treat both kinds of function similarly, and to get the invoked `Function`.
 */
 class CallOrAllocationExpr extends Expr {
@@ -130,6 +130,8 @@ class CallOrAllocationExpr extends Expr {
    this instanceof Call
    or
    this instanceof NewOrNewArrayExpr
    or
    this instanceof DeleteOrDeleteArrayExpr
  }
  /** Gets the `Function` invoked by this expression, if known. */
@@ -137,6 +139,8 @@ class CallOrAllocationExpr extends Expr {
    result = this.(Call).getTarget()
    or
    result = this.(NewOrNewArrayExpr).getAllocator()
    or
    result = this.(DeleteOrDeleteArrayExpr).getDeallocator()
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -350,6 +350,9 @@ class TranslatedCallSideEffects extends TranslatedSideEffects, TTranslatedCallSi
    or
    expr instanceof NewOrNewArrayExpr and
    result = getTranslatedAllocatorCall(expr).getInstruction(CallTag())
    or
    expr instanceof DeleteOrDeleteArrayExpr and
    result = getTranslatedDeleteOrDeleteArray(expr).getInstruction(CallTag())
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -77,17 +77,17 @@ private predicate ignoreExprAndDescendants(Expr expr) {
    newExpr.getInitializer().getFullyConverted() = expr
  )
  or
  exists(DeleteOrDeleteArrayExpr deleteExpr |
    // Ignore the deallocator call, because we always synthesize it.
    deleteExpr.getDeallocatorCall() = expr
  )
  or
  // Do not translate input/output variables in GNU asm statements
  //  getRealParent(expr) instanceof AsmStmt
  //  or
  ignoreExprAndDescendants(getRealParent(expr)) // recursive case
  or
-  // We do not yet translate destructors properly, so for now we ignore any
+  // va_start doesn't evaluate its argument, so we don't need to translate it.
  // custom deallocator call, if present.
  exists(DeleteExpr deleteExpr | deleteExpr.getDeallocatorCall() = expr)
  or
  exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getDeallocatorCall() = expr)
  or
  exists(BuiltInVarArgsStart vaStartExpr |
    vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
  )
@@ -104,6 +104,12 @@ private predicate ignoreExprOnly(Expr expr) {
    newExpr.getAllocatorCall() = expr
  )
  or
  exists(DeleteOrDeleteArrayExpr deleteExpr |
    // Ignore the destructor call as we don't model it yet. Don't ignore
    // its arguments, though, as they are the arguments to the deallocator.
    deleteExpr.getDestructorCall() = expr
  )
  or
  // The extractor deliberately emits an `ErrorExpr` as the first argument to
  // the allocator call, if any, of a `NewOrNewArrayExpr`. That `ErrorExpr`
  // should not be translated.
@@ -111,13 +117,6 @@ private predicate ignoreExprOnly(Expr expr) {
  or
  not translateFunction(getEnclosingFunction(expr)) and
  not Raw::varHasIRFunc(getEnclosingVariable(expr))
  or
  // We do not yet translate destructors properly, so for now we ignore the
  // destructor call. We do, however, translate the expression being
  // destructed, and that expression can be a child of the destructor call.
  exists(DeleteExpr deleteExpr | deleteExpr.getDestructorCall() = expr)
  or
  exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getDestructorCall() = expr)
 }
 /**
@@ -416,7 +415,9 @@ predicate hasTranslatedLoad(Expr expr) {
  not ignoreExpr(expr) and
  not isNativeCondition(expr) and
  not isFlexibleCondition(expr) and
-  not ignoreLoad(expr)
+  not ignoreLoad(expr) and
  // don't insert a load since we'll just substitute the constant value.
  not isIRConstant(expr)
 }
 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -2017,6 +2017,66 @@ TranslatedAllocatorCall getTranslatedAllocatorCall(NewOrNewArrayExpr newExpr) {
  result.getAst() = newExpr
 }
 /**
 * The IR translation of a `delete` or `delete[]`
 * expression.
 */
 class TranslatedDeleteOrDeleteArrayExpr extends TranslatedNonConstantExpr, TranslatedCall {
  override DeleteOrDeleteArrayExpr expr;
  final override Instruction getFirstCallTargetInstruction() {
    result = this.getInstruction(CallTargetTag())
  }
  final override Instruction getCallTargetResult() { result = this.getInstruction(CallTargetTag()) }
  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
    TranslatedCall.super.hasInstruction(opcode, tag, resultType)
    or
    tag = CallTargetTag() and
    resultType = getFunctionGLValueType() and
    if exists(expr.getDeallocator())
    then opcode instanceof Opcode::FunctionAddress
    else opcode instanceof Opcode::VirtualDeleteFunctionAddress
  }
  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
    result = TranslatedCall.super.getInstructionSuccessor(tag, kind)
    or
    tag = CallTargetTag() and
    kind instanceof GotoEdge and
    result = this.getFirstArgumentOrCallInstruction()
  }
  override Function getInstructionFunction(InstructionTag tag) {
    tag = CallTargetTag() and result = expr.getDeallocator()
  }
  final override Type getCallResultType() { result = expr.getType() }
  final override TranslatedExpr getQualifier() { none() }
  final override predicate hasArguments() {
    // All deallocator calls have at least one argument.
    any()
  }
  final override int getNumberOfArguments() {
    // We ignore the other arguments for now as we would have to synthesize them.
    result = 1
  }
  final override TranslatedExpr getArgument(int index) {
    // The only argument we define is the pointer to be deallocated.
    index = 0 and
    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
  }
 }
 TranslatedDeleteOrDeleteArrayExpr getTranslatedDeleteOrDeleteArray(DeleteOrDeleteArrayExpr newExpr) {
  result.getAst() = newExpr
 }
 /**
 * Abstract class implemented by any `TranslatedElement` that has a child
 * expression that is a call to a constructor or destructor, in order to
@@ -2954,78 +3014,6 @@ class TranslatedNewArrayExpr extends TranslatedNewOrNewArrayExpr {
  }
 }
 /**
 * A placeholder for the translation of a `delete[]` expression.
 *
 * Proper translation is not yet implemented, but this stub implementation
 * ensures that code following a `delete[]` is not unreachable.
 */
 class TranslatedDeleteArrayExprPlaceHolder extends TranslatedSingleInstructionExpr {
  override DeleteArrayExpr expr;
  final override Instruction getFirstInstruction() {
    result = this.getOperand().getFirstInstruction()
  }
  final override TranslatedElement getChild(int id) { id = 0 and result = this.getOperand() }
  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
    tag = OnlyInstructionTag() and
    result = this.getParent().getChildSuccessor(this) and
    kind instanceof GotoEdge
  }
  final override Instruction getChildSuccessor(TranslatedElement child) {
    child = this.getOperand() and result = this.getInstruction(OnlyInstructionTag())
  }
  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
    none()
  }
  final override Opcode getOpcode() { result instanceof Opcode::NoOp }
  private TranslatedExpr getOperand() {
    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
  }
 }
 /**
 * A placeholder for the translation of a `delete` expression.
 *
 * Proper translation is not yet implemented, but this stub implementation
 * ensures that code following a `delete` is not unreachable.
 */
 class TranslatedDeleteExprPlaceHolder extends TranslatedSingleInstructionExpr {
  override DeleteExpr expr;
  final override Instruction getFirstInstruction() {
    result = this.getOperand().getFirstInstruction()
  }
  final override TranslatedElement getChild(int id) { id = 0 and result = this.getOperand() }
  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
    tag = OnlyInstructionTag() and
    result = this.getParent().getChildSuccessor(this) and
    kind instanceof GotoEdge
  }
  final override Instruction getChildSuccessor(TranslatedElement child) {
    child = this.getOperand() and result = this.getInstruction(OnlyInstructionTag())
  }
  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
    none()
  }
  final override Opcode getOpcode() { result instanceof Opcode::NoOp }
  private TranslatedExpr getOperand() {
    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
  }
 }
 /**
 * The IR translation of a `ConditionDeclExpr`, which represents the value of the declared variable
 * after conversion to `bool` in code such as:
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -576,6 +576,22 @@ class FunctionAddressInstruction extends FunctionInstruction {
  FunctionAddressInstruction() { this.getOpcode() instanceof Opcode::FunctionAddress }
 }
 /**
 * An instruction that returns the address of a "virtual" delete function.
 *
 * This function, which does not actually exist in the source code, is used to
 * delete objects of a class with a virtual destructor. In that case the deacllocation
 * function is selected at runtime based on the dynamic type of the object. So this
 * function dynamically dispatches to the correct deallocation function.
 * It also should pass in the required extra arguments to the deallocation function
 * which may differ dynamically depending on the type of the object.
 */
 class VirtualDeleteFunctionAddressInstruction extends Instruction {
  VirtualDeleteFunctionAddressInstruction() {
    this.getOpcode() instanceof Opcode::VirtualDeleteFunctionAddress
  }
 }
 /**
 * An instruction that initializes a parameter of the enclosing function with the value of the
 * corresponding argument passed by the caller.
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,15 @@
 ## 0.7.4
 ### New Queries
 * Added a new query, `cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
 ### Minor Analysis Improvements
 * The "Comparison where assignment was intended" query (`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions.
 * Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result.
 * The `cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.
 ## 0.7.3
 No user-facing changes.
--- a/cpp/ql/src/change-notes/2023-08-21-invalid-pointer-deref.md
+++ b/cpp/ql/src/change-notes/2023-08-21-invalid-pointer-deref.md
@@ -1,4 +0,0 @@
 ---
 category: newQuery
 ---
 * Added a new query, `cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
--- a/cpp/ql/src/change-notes/2023-08-24-no-taint-argv-indirections.md
+++ b/cpp/ql/src/change-notes/2023-08-24-no-taint-argv-indirections.md
@@ -1,4 +0,0 @@
 ---
 category: minorAnalysis
 ---
 * Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result.
--- a/cpp/ql/src/change-notes/2023-08-24-remove-non-constant-assign-sources.md
+++ b/cpp/ql/src/change-notes/2023-08-24-remove-non-constant-assign-sources.md
@@ -1,4 +0,0 @@
 ---
 category: minorAnalysis
 ---
 * The `cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.
--- a/cpp/ql/src/change-notes/2023-08-25-compare-where-assign-meant.md
+++ b/cpp/ql/src/change-notes/2023-08-25-compare-where-assign-meant.md
@@ -1,4 +0,0 @@
 ---
 category: minorAnalysis
 ---
 * The "Comparison where assignment was intended" query (`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions.
--- a/cpp/ql/src/change-notes/released/0.7.4.md
+++ b/cpp/ql/src/change-notes/released/0.7.4.md
@@ -0,0 +1,11 @@
 ## 0.7.4
 ### New Queries
 * Added a new query, `cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
 ### Minor Analysis Improvements
 * The "Comparison where assignment was intended" query (`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions.
 * Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result.
 * The `cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.3
+lastReleaseVersion: 0.7.4
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.7.4-dev
+version: 0.7.4
 groups: 
  - cpp
  - queries
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
@@ -9,44 +9,35 @@ edges
 | test.cpp:22:5:22:7 | arr indirection [p] | test.cpp:19:9:19:16 | mk_array indirection [p] |
 | test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:31:9:31:11 | arr indirection [p] |
 | test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:35:9:35:11 | arr indirection [p] |
-| test.cpp:31:9:31:11 | arr indirection [p] | test.cpp:31:13:31:13 | p indirection |
+| test.cpp:31:9:31:11 | arr indirection [p] | test.cpp:31:13:31:13 | p |
-| test.cpp:31:13:31:13 | p indirection | test.cpp:31:13:31:13 | p |
+| test.cpp:35:9:35:11 | arr indirection [p] | test.cpp:35:13:35:13 | p |
 | test.cpp:35:9:35:11 | arr indirection [p] | test.cpp:35:13:35:13 | p indirection |
 | test.cpp:35:13:35:13 | p indirection | test.cpp:35:13:35:13 | p |
 | test.cpp:39:27:39:29 | arr [p] | test.cpp:41:9:41:11 | arr indirection [p] |
 | test.cpp:39:27:39:29 | arr [p] | test.cpp:45:9:45:11 | arr indirection [p] |
-| test.cpp:41:9:41:11 | arr indirection [p] | test.cpp:41:13:41:13 | p indirection |
+| test.cpp:41:9:41:11 | arr indirection [p] | test.cpp:41:13:41:13 | p |
-| test.cpp:41:13:41:13 | p indirection | test.cpp:41:13:41:13 | p |
+| test.cpp:45:9:45:11 | arr indirection [p] | test.cpp:45:13:45:13 | p |
 | test.cpp:45:9:45:11 | arr indirection [p] | test.cpp:45:13:45:13 | p indirection |
 | test.cpp:45:13:45:13 | p indirection | test.cpp:45:13:45:13 | p |
 | test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] |
 | test.cpp:55:5:55:24 | ... = ... | test.cpp:55:9:55:9 | arr indirection [post update] [p] |
 | test.cpp:55:9:55:9 | arr indirection [post update] [p] | test.cpp:56:5:56:7 | arr indirection [p] |
 | test.cpp:55:13:55:18 | call to malloc | test.cpp:55:5:55:24 | ... = ... |
 | test.cpp:56:5:56:7 | arr indirection [p] | test.cpp:59:9:59:11 | arr indirection [p] |
 | test.cpp:56:5:56:7 | arr indirection [p] | test.cpp:63:9:63:11 | arr indirection [p] |
-| test.cpp:59:9:59:11 | arr indirection [p] | test.cpp:59:13:59:13 | p indirection |
+| test.cpp:59:9:59:11 | arr indirection [p] | test.cpp:59:13:59:13 | p |
-| test.cpp:59:13:59:13 | p indirection | test.cpp:59:13:59:13 | p |
+| test.cpp:63:9:63:11 | arr indirection [p] | test.cpp:63:13:63:13 | p |
 | test.cpp:63:9:63:11 | arr indirection [p] | test.cpp:63:13:63:13 | p indirection |
 | test.cpp:63:13:63:13 | p indirection | test.cpp:63:13:63:13 | p |
 | test.cpp:67:10:67:19 | mk_array_p indirection [p] | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] |
 | test.cpp:67:10:67:19 | mk_array_p indirection [p] | test.cpp:98:18:98:27 | call to mk_array_p indirection [p] |
 | test.cpp:69:5:69:25 | ... = ... | test.cpp:69:10:69:10 | arr indirection [post update] [p] |
 | test.cpp:69:10:69:10 | arr indirection [post update] [p] | test.cpp:70:5:70:7 | arr indirection [p] |
 | test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | ... = ... |
 | test.cpp:70:5:70:7 | arr indirection [p] | test.cpp:67:10:67:19 | mk_array_p indirection [p] |
 | test.cpp:70:5:70:7 | arr indirection [p] | test.cpp:70:5:70:7 | arr indirection [p] |
 | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | test.cpp:79:9:79:11 | arr indirection [p] |
 | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | test.cpp:83:9:83:11 | arr indirection [p] |
-| test.cpp:79:9:79:11 | arr indirection [p] | test.cpp:79:14:79:14 | p indirection |
+| test.cpp:79:9:79:11 | arr indirection [p] | test.cpp:79:14:79:14 | p |
-| test.cpp:79:14:79:14 | p indirection | test.cpp:79:14:79:14 | p |
+| test.cpp:83:9:83:11 | arr indirection [p] | test.cpp:83:14:83:14 | p |
 | test.cpp:83:9:83:11 | arr indirection [p] | test.cpp:83:14:83:14 | p indirection |
 | test.cpp:83:14:83:14 | p indirection | test.cpp:83:14:83:14 | p |
 | test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:89:9:89:11 | arr indirection [p] |
 | test.cpp:87:28:87:30 | arr indirection [p] | test.cpp:93:9:93:11 | arr indirection [p] |
-| test.cpp:89:9:89:11 | arr indirection [p] | test.cpp:89:14:89:14 | p indirection |
+| test.cpp:89:9:89:11 | arr indirection [p] | test.cpp:89:14:89:14 | p |
-| test.cpp:89:14:89:14 | p indirection | test.cpp:89:14:89:14 | p |
+| test.cpp:93:9:93:11 | arr indirection [p] | test.cpp:93:14:93:14 | p |
 | test.cpp:93:9:93:11 | arr indirection [p] | test.cpp:93:14:93:14 | p indirection |
 | test.cpp:93:14:93:14 | p indirection | test.cpp:93:14:93:14 | p |
 | test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | test.cpp:87:28:87:30 | arr indirection [p] |
 nodes
 | test.cpp:4:17:4:22 | call to malloc | semmle.label | call to malloc |
@@ -60,17 +51,13 @@ nodes
 | test.cpp:28:19:28:26 | call to mk_array [p] | semmle.label | call to mk_array [p] |
 | test.cpp:31:9:31:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:31:13:31:13 | p | semmle.label | p |
 | test.cpp:31:13:31:13 | p indirection | semmle.label | p indirection |
 | test.cpp:35:9:35:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:35:13:35:13 | p | semmle.label | p |
 | test.cpp:35:13:35:13 | p indirection | semmle.label | p indirection |
 | test.cpp:39:27:39:29 | arr [p] | semmle.label | arr [p] |
 | test.cpp:41:9:41:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:41:13:41:13 | p | semmle.label | p |
 | test.cpp:41:13:41:13 | p indirection | semmle.label | p indirection |
 | test.cpp:45:9:45:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:45:13:45:13 | p | semmle.label | p |
 | test.cpp:45:13:45:13 | p indirection | semmle.label | p indirection |
 | test.cpp:50:18:50:25 | call to mk_array [p] | semmle.label | call to mk_array [p] |
 | test.cpp:55:5:55:24 | ... = ... | semmle.label | ... = ... |
 | test.cpp:55:9:55:9 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
@@ -78,10 +65,8 @@ nodes
 | test.cpp:56:5:56:7 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:59:9:59:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:59:13:59:13 | p | semmle.label | p |
 | test.cpp:59:13:59:13 | p indirection | semmle.label | p indirection |
 | test.cpp:63:9:63:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:63:13:63:13 | p | semmle.label | p |
 | test.cpp:63:13:63:13 | p indirection | semmle.label | p indirection |
 | test.cpp:67:10:67:19 | mk_array_p indirection [p] | semmle.label | mk_array_p indirection [p] |
 | test.cpp:69:5:69:25 | ... = ... | semmle.label | ... = ... |
 | test.cpp:69:10:69:10 | arr indirection [post update] [p] | semmle.label | arr indirection [post update] [p] |
@@ -90,17 +75,13 @@ nodes
 | test.cpp:76:20:76:29 | call to mk_array_p indirection [p] | semmle.label | call to mk_array_p indirection [p] |
 | test.cpp:79:9:79:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:79:14:79:14 | p | semmle.label | p |
 | test.cpp:79:14:79:14 | p indirection | semmle.label | p indirection |
 | test.cpp:83:9:83:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:83:14:83:14 | p | semmle.label | p |
 | test.cpp:83:14:83:14 | p indirection | semmle.label | p indirection |
 | test.cpp:87:28:87:30 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:89:9:89:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:89:14:89:14 | p | semmle.label | p |
 | test.cpp:89:14:89:14 | p indirection | semmle.label | p indirection |
 | test.cpp:93:9:93:11 | arr indirection [p] | semmle.label | arr indirection [p] |
 | test.cpp:93:14:93:14 | p | semmle.label | p |
 | test.cpp:93:14:93:14 | p indirection | semmle.label | p indirection |
 | test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | semmle.label | call to mk_array_p indirection [p] |
 subpaths
 #select
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
@@ -1,4 +1,4 @@
 WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:10,8-47)
 WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:21,3-28)
 failures
 testFailures
 failures
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/self_argument_flow.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/self_argument_flow.cpp
@@ -0,0 +1,14 @@
 namespace {
  struct Foo {
    char string[10];
  };
  void acquire(char*);
  Foo* test_self_argument_flow() {
    Foo *info;
    acquire(info->string); // clean
    return info;
  }
 }
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -789,3 +789,11 @@ void test_sometimes_calls_sink_switch() {
  sometimes_calls_sink_switch(0, 0);
  sometimes_calls_sink_switch(source(), 0);
 }
 void intPointerSource(int *ref_source, const int* another_arg);
 void test() {
  MyStruct a;
  intPointerSource(a.content, a.content);
  indirect_sink(a.content); // $ ast ir
 }
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
@@ -5,5 +5,5 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (test.
 WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:40,25-33)
 WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:42,17-25)
 WARNING: Module DataFlow has been deprecated and may be removed in future (test.ql:46,20-28)
 failures
 testFailures
 failures
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_argument_flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_argument_flow.expected
@@ -0,0 +1,2 @@
 testFailures
 failures
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_argument_flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_self_argument_flow.ql
@@ -0,0 +1,33 @@
 import cpp
 import semmle.code.cpp.dataflow.new.DataFlow
 import TestUtilities.InlineExpectationsTest
 module TestConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    source.getLocation().getFile().getBaseName() = "self_argument_flow.cpp" and
    source.asDefiningArgument() =
      any(Call call | call.getTarget().hasName("acquire")).getAnArgument()
  }
  predicate isSink(DataFlow::Node sink) {
    sink.asIndirectArgument() = any(Call call | call.getTarget().hasName("acquire")).getAnArgument()
  }
 }
 import DataFlow::Global<TestConfig>
 module TestSelfArgumentFlow implements TestSig {
  string getARelevantTag() { result = "self-arg-flow" }
  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(DataFlow::Node sink |
      flowTo(sink) and
      location = sink.getLocation() and
      element = sink.toString() and
      tag = "self-arg-flow" and
      value = ""
    )
  }
 }
 import MakeTest<TestSelfArgumentFlow>
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected
@@ -14,6 +14,8 @@
 | ref.cpp:120:17:120:18 | x3 | ref.cpp:129:10:129:11 | x3 |
 | ref.cpp:120:21:120:22 | x4 | ref.cpp:131:15:131:16 | x4 |
 | ref.cpp:120:21:120:22 | x4 | ref.cpp:132:10:132:11 | x4 |
 | self_argument_flow.cpp:9:10:9:13 | info | self_argument_flow.cpp:10:13:10:16 | info |
 | self_argument_flow.cpp:9:10:9:13 | info | self_argument_flow.cpp:12:12:12:15 | info |
 | test.cpp:75:7:75:8 | u1 | test.cpp:76:8:76:9 | u1 |
 | test.cpp:83:7:83:8 | u2 | test.cpp:84:13:84:14 | u2 |
 | test.cpp:83:7:83:8 | u2 | test.cpp:85:8:85:9 | u2 |
@@ -44,3 +46,6 @@
 | test.cpp:595:8:595:9 | xs | test.cpp:597:9:597:10 | xs |
 | test.cpp:733:7:733:7 | x | test.cpp:734:41:734:41 | x |
 | test.cpp:733:7:733:7 | x | test.cpp:735:8:735:8 | x |
 | test.cpp:796:12:796:12 | a | test.cpp:797:20:797:20 | a |
 | test.cpp:796:12:796:12 | a | test.cpp:797:31:797:31 | a |
 | test.cpp:796:12:796:12 | a | test.cpp:798:17:798:17 | a |
--- a/cpp/ql/test/library-tests/dataflow/fields/flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/flow.expected
@@ -1,2 +1,2 @@
 failures
 testFailures
 failures
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -3,5 +3,5 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (taint
 WARNING: Module DataFlow has been deprecated and may be removed in future (taint.ql:61,22-30)
 WARNING: Module DataFlow has been deprecated and may be removed in future (taint.ql:68,25-33)
 WARNING: Module TaintTracking has been deprecated and may be removed in future (taint.ql:73,20-33)
 failures
 testFailures
 failures
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -15553,6 +15553,193 @@ ir.cpp:
 # 2030|                 Type = [IntType] int
 # 2030|                 ValueCategory = prvalue
 # 2031|     getStmt(2): [ReturnStmt] return ...
 # 2033| [TopLevelFunction] void NewDeleteMem()
 # 2033|   <params>: 
 # 2033|   getEntryPoint(): [BlockStmt] { ... }
 # 2034|     getStmt(0): [DeclStmt] declaration
 # 2034|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of x
 # 2034|           Type = [IntPointerType] int *
 # 2034|         getVariable().getInitializer(): [Initializer] initializer for x
 # 2034|           getExpr(): [NewExpr] new
 # 2034|               Type = [IntPointerType] int *
 # 2034|               ValueCategory = prvalue
 # 2035|     getStmt(1): [ExprStmt] ExprStmt
 # 2035|       getExpr(): [AssignExpr] ... = ...
 # 2035|           Type = [IntType] int
 # 2035|           ValueCategory = lvalue
 # 2035|         getLValue(): [PointerDereferenceExpr] * ...
 # 2035|             Type = [IntType] int
 # 2035|             ValueCategory = lvalue
 # 2035|           getOperand(): [VariableAccess] x
 # 2035|               Type = [IntPointerType] int *
 # 2035|               ValueCategory = prvalue(load)
 # 2035|         getRValue(): [Literal] 6
 # 2035|             Type = [IntType] int
 # 2035|             Value = [Literal] 6
 # 2035|             ValueCategory = prvalue
 # 2036|     getStmt(2): [ExprStmt] ExprStmt
 # 2036|       getExpr(): [DeleteExpr] delete
 # 2036|           Type = [VoidType] void
 # 2036|           ValueCategory = prvalue
 # 2036|         getExpr(): [VariableAccess] x
 # 2036|             Type = [IntPointerType] int *
 # 2036|             ValueCategory = prvalue(load)
 # 2037|     getStmt(3): [ReturnStmt] return ...
 # 2039| [CopyAssignmentOperator] Base2& Base2::operator=(Base2 const&)
 # 2039|   <params>: 
 #-----|     getParameter(0): [Parameter] (unnamed parameter 0)
 #-----|         Type = [LValueReferenceType] const Base2 &
 # 2039| [Constructor] void Base2::Base2()
 # 2039|   <params>: 
 # 2039|   <initializations>: 
 # 2039|   getEntryPoint(): [BlockStmt] { ... }
 # 2039|     getStmt(0): [ReturnStmt] return ...
 # 2039| [CopyConstructor] void Base2::Base2(Base2 const&)
 # 2039|   <params>: 
 #-----|     getParameter(0): [Parameter] (unnamed parameter 0)
 #-----|         Type = [LValueReferenceType] const Base2 &
 # 2041| [MemberFunction] void Base2::operator delete(void*)
 # 2041|   <params>: 
 # 2041|     getParameter(0): [Parameter] p
 # 2041|         Type = [VoidPointerType] void *
 # 2041|   getEntryPoint(): [BlockStmt] { ... }
 # 2042|     getStmt(0): [ReturnStmt] return ...
 # 2043| [Destructor,VirtualFunction] void Base2::~Base2()
 # 2043|   <params>: 
 # 2043|   getEntryPoint(): [BlockStmt] { ... }
 # 2043|     getStmt(0): [ReturnStmt] return ...
 # 2043|   <destructions>: 
 # 2046| [CopyAssignmentOperator] Derived2& Derived2::operator=(Derived2 const&)
 # 2046|   <params>: 
 #-----|     getParameter(0): [Parameter] (unnamed parameter 0)
 #-----|         Type = [LValueReferenceType] const Derived2 &
 # 2046| [Constructor] void Derived2::Derived2()
 # 2046|   <params>: 
 # 2046|   <initializations>: 
 # 2046|     getInitializer(0): [ConstructorDirectInit] call to Base2
 # 2046|         Type = [VoidType] void
 # 2046|         ValueCategory = prvalue
 # 2046|   getEntryPoint(): [BlockStmt] { ... }
 # 2046|     getStmt(0): [ReturnStmt] return ...
 # 2046| [CopyConstructor] void Derived2::Derived2(Derived2 const&)
 # 2046|   <params>: 
 #-----|     getParameter(0): [Parameter] (unnamed parameter 0)
 #-----|         Type = [LValueReferenceType] const Derived2 &
 # 2049| [Destructor,VirtualFunction] void Derived2::~Derived2()
 # 2049|   <params>: 
 # 2049|   getEntryPoint(): [BlockStmt] { ... }
 # 2049|     getStmt(0): [ReturnStmt] return ...
 # 2049|   <destructions>: 
 # 2049|     getDestruction(0): [DestructorDirectDestruction] call to ~Base2
 # 2049|         Type = [VoidType] void
 # 2049|         ValueCategory = prvalue
 # 2051| [MemberFunction] void Derived2::operator delete(void*)
 # 2051|   <params>: 
 # 2051|     getParameter(0): [Parameter] p
 # 2051|         Type = [VoidPointerType] void *
 # 2051|   getEntryPoint(): [BlockStmt] { ... }
 # 2052|     getStmt(0): [ReturnStmt] return ...
 # 2056| [TopLevelFunction] int virtual_delete()
 # 2056|   <params>: 
 # 2057|   getEntryPoint(): [BlockStmt] { ... }
 # 2058|     getStmt(0): [DeclStmt] declaration
 # 2058|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of b1
 # 2058|           Type = [PointerType] Base2 *
 # 2058|         getVariable().getInitializer(): [Initializer] initializer for b1
 # 2058|           getExpr(): [NewExpr] new
 # 2058|               Type = [PointerType] Base2 *
 # 2058|               ValueCategory = prvalue
 # 2058|             getInitializer(): [ConstructorCall] call to Base2
 # 2058|                 Type = [VoidType] void
 # 2058|                 ValueCategory = prvalue
 # 2059|     getStmt(1): [ExprStmt] ExprStmt
 # 2059|       getExpr(): [DeleteExpr] delete
 # 2059|           Type = [VoidType] void
 # 2059|           ValueCategory = prvalue
 # 2059|         getDeallocatorCall(): [FunctionCall] call to operator delete
 # 2059|             Type = [VoidType] void
 # 2059|             ValueCategory = prvalue
 # 2059|         getDestructorCall(): [DestructorCall] call to ~Base2
 # 2059|             Type = [VoidType] void
 # 2059|             ValueCategory = prvalue
 # 2059|           getQualifier(): [VariableAccess] b1
 # 2059|               Type = [PointerType] Base2 *
 # 2059|               ValueCategory = prvalue(load)
 # 2061|     getStmt(2): [DeclStmt] declaration
 # 2061|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of b2
 # 2061|           Type = [PointerType] Base2 *
 # 2061|         getVariable().getInitializer(): [Initializer] initializer for b2
 # 2061|           getExpr(): [NewExpr] new
 # 2061|               Type = [PointerType] Derived2 *
 # 2061|               ValueCategory = prvalue
 # 2061|             getInitializer(): [ConstructorCall] call to Derived2
 # 2061|                 Type = [VoidType] void
 # 2061|                 ValueCategory = prvalue
 # 2061|           getExpr().getFullyConverted(): [CStyleCast] (Base2 *)...
 # 2061|               Conversion = [BaseClassConversion] base class conversion
 # 2061|               Type = [PointerType] Base2 *
 # 2061|               ValueCategory = prvalue
 # 2062|     getStmt(3): [ExprStmt] ExprStmt
 # 2062|       getExpr(): [DeleteExpr] delete
 # 2062|           Type = [VoidType] void
 # 2062|           ValueCategory = prvalue
 # 2062|         getDeallocatorCall(): [FunctionCall] call to operator delete
 # 2062|             Type = [VoidType] void
 # 2062|             ValueCategory = prvalue
 # 2062|         getDestructorCall(): [DestructorCall] call to ~Base2
 # 2062|             Type = [VoidType] void
 # 2062|             ValueCategory = prvalue
 # 2062|           getQualifier(): [VariableAccess] b2
 # 2062|               Type = [PointerType] Base2 *
 # 2062|               ValueCategory = prvalue(load)
 # 2064|     getStmt(4): [DeclStmt] declaration
 # 2064|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of d
 # 2064|           Type = [PointerType] Derived2 *
 # 2064|         getVariable().getInitializer(): [Initializer] initializer for d
 # 2064|           getExpr(): [NewExpr] new
 # 2064|               Type = [PointerType] Derived2 *
 # 2064|               ValueCategory = prvalue
 # 2064|             getInitializer(): [ConstructorCall] call to Derived2
 # 2064|                 Type = [VoidType] void
 # 2064|                 ValueCategory = prvalue
 # 2065|     getStmt(5): [ExprStmt] ExprStmt
 # 2065|       getExpr(): [DeleteExpr] delete
 # 2065|           Type = [VoidType] void
 # 2065|           ValueCategory = prvalue
 # 2065|         getDeallocatorCall(): [FunctionCall] call to operator delete
 # 2065|             Type = [VoidType] void
 # 2065|             ValueCategory = prvalue
 # 2065|         getDestructorCall(): [DestructorCall] call to ~Derived2
 # 2065|             Type = [VoidType] void
 # 2065|             ValueCategory = prvalue
 # 2065|           getQualifier(): [VariableAccess] d
 # 2065|               Type = [PointerType] Derived2 *
 # 2065|               ValueCategory = prvalue(load)
 # 2066|     getStmt(6): [ReturnStmt] return ...
 # 2068| [TopLevelFunction] void test_constant_folding_use(int)
 # 2068|   <params>: 
 # 2068|     getParameter(0): [Parameter] (unnamed parameter 0)
 # 2068|         Type = [IntType] int
 # 2070| [TopLevelFunction] void test_constant_folding()
 # 2070|   <params>: 
 # 2070|   getEntryPoint(): [BlockStmt] { ... }
 # 2071|     getStmt(0): [DeclStmt] declaration
 # 2071|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of x
 # 2071|           Type = [SpecifiedType] const int
 # 2071|         getVariable().getInitializer(): [Initializer] initializer for x
 # 2071|           getExpr(): [Literal] 116
 # 2071|               Type = [IntType] int
 # 2071|               Value = [Literal] 116
 # 2071|               ValueCategory = prvalue
 # 2072|     getStmt(1): [ExprStmt] ExprStmt
 # 2072|       getExpr(): [FunctionCall] call to test_constant_folding_use
 # 2072|           Type = [VoidType] void
 # 2072|           ValueCategory = prvalue
 # 2072|         getArgument(0): [VariableAccess] x
 # 2072|             Type = [IntType] int
 # 2072|             Value = [VariableAccess] 116
 # 2072|             ValueCategory = prvalue(load)
 # 2073|     getStmt(2): [ReturnStmt] return ...
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   <params>: 
--- a/cpp/ql/test/library-tests/ir/ir/ir.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -2030,4 +2030,46 @@ unsigned int CommaTest(unsigned int x) {
    (CommaTestHelper(x), 10);
 }
 void NewDeleteMem() {
  int* x = new int;  // No constructor
  *x = 6;
  delete x;
 }
 class Base2 {
 public:
    void operator delete(void* p) {
    }
    virtual ~Base2() {};
 };
 class Derived2 : public Base2 {
    int i;
 public:
    ~Derived2() {};
    void operator delete(void* p) {
    }
 };
 // Delete is kind-of virtual in these cases
 int virtual_delete()
 {
    Base2* b1 = new Base2{};
    delete b1;
    Base2* b2 = new Derived2{};
    delete b2;
    Derived2* d = new Derived2{};
    delete d;
 }
 void test_constant_folding_use(int);
 void test_constant_folding() {
  const int x = 116;
  test_constant_folding_use(x);
 }
 // semmle-extractor-options: -std=c++17 --clang
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
@@ -4887,10 +4887,60 @@
 | ir.cpp:1011:12:1011:12 | Unary | r1011_3 |
 | ir.cpp:1015:6:1015:19 | ChiPartial | partial:m1015_3 |
 | ir.cpp:1015:6:1015:19 | ChiTotal | total:m1015_2 |
-| ir.cpp:1015:6:1015:19 | SideEffect | m1015_3 |
+| ir.cpp:1015:6:1015:19 | SideEffect | ~m1020_5 |
 | ir.cpp:1016:3:1016:35 | CallTarget | func:r1016_1 |
 | ir.cpp:1016:3:1016:35 | ChiPartial | partial:m1016_4 |
 | ir.cpp:1016:3:1016:35 | ChiTotal | total:m1015_4 |
 | ir.cpp:1016:3:1016:35 | SideEffect | ~m1015_4 |
 | ir.cpp:1016:10:1016:35 | Arg(0) | 0:r1016_2 |
 | ir.cpp:1017:3:1017:38 | CallTarget | func:r1017_1 |
 | ir.cpp:1017:3:1017:38 | ChiPartial | partial:m1017_4 |
 | ir.cpp:1017:3:1017:38 | ChiTotal | total:m1016_5 |
 | ir.cpp:1017:3:1017:38 | SideEffect | ~m1016_5 |
 | ir.cpp:1017:10:1017:38 | Arg(0) | 0:r1017_2 |
 | ir.cpp:1018:3:1018:44 | CallTarget | func:r1018_1 |
 | ir.cpp:1018:3:1018:44 | ChiPartial | partial:m1018_4 |
 | ir.cpp:1018:3:1018:44 | ChiTotal | total:m1017_5 |
 | ir.cpp:1018:3:1018:44 | SideEffect | ~m1017_5 |
 | ir.cpp:1018:10:1018:44 | Arg(0) | 0:r1018_2 |
 | ir.cpp:1019:3:1019:43 | CallTarget | func:r1019_1 |
 | ir.cpp:1019:3:1019:43 | ChiPartial | partial:m1019_4 |
 | ir.cpp:1019:3:1019:43 | ChiTotal | total:m1018_5 |
 | ir.cpp:1019:3:1019:43 | SideEffect | ~m1018_5 |
 | ir.cpp:1019:10:1019:43 | Arg(0) | 0:r1019_2 |
 | ir.cpp:1020:3:1020:47 | CallTarget | func:r1020_1 |
 | ir.cpp:1020:3:1020:47 | ChiPartial | partial:m1020_4 |
 | ir.cpp:1020:3:1020:47 | ChiTotal | total:m1019_5 |
 | ir.cpp:1020:3:1020:47 | SideEffect | ~m1019_5 |
 | ir.cpp:1020:10:1020:47 | Arg(0) | 0:r1020_2 |
 | ir.cpp:1024:6:1024:24 | ChiPartial | partial:m1024_3 |
 | ir.cpp:1024:6:1024:24 | ChiTotal | total:m1024_2 |
-| ir.cpp:1024:6:1024:24 | SideEffect | m1024_3 |
+| ir.cpp:1024:6:1024:24 | SideEffect | ~m1029_5 |
 | ir.cpp:1025:3:1025:37 | CallTarget | func:r1025_1 |
 | ir.cpp:1025:3:1025:37 | ChiPartial | partial:m1025_4 |
 | ir.cpp:1025:3:1025:37 | ChiTotal | total:m1024_4 |
 | ir.cpp:1025:3:1025:37 | SideEffect | ~m1024_4 |
 | ir.cpp:1025:12:1025:37 | Arg(0) | 0:r1025_2 |
 | ir.cpp:1026:3:1026:40 | CallTarget | func:r1026_1 |
 | ir.cpp:1026:3:1026:40 | ChiPartial | partial:m1026_4 |
 | ir.cpp:1026:3:1026:40 | ChiTotal | total:m1025_5 |
 | ir.cpp:1026:3:1026:40 | SideEffect | ~m1025_5 |
 | ir.cpp:1026:12:1026:40 | Arg(0) | 0:r1026_2 |
 | ir.cpp:1027:3:1027:46 | CallTarget | func:r1027_1 |
 | ir.cpp:1027:3:1027:46 | ChiPartial | partial:m1027_4 |
 | ir.cpp:1027:3:1027:46 | ChiTotal | total:m1026_5 |
 | ir.cpp:1027:3:1027:46 | SideEffect | ~m1026_5 |
 | ir.cpp:1027:12:1027:46 | Arg(0) | 0:r1027_2 |
 | ir.cpp:1028:3:1028:45 | CallTarget | func:r1028_1 |
 | ir.cpp:1028:3:1028:45 | ChiPartial | partial:m1028_4 |
 | ir.cpp:1028:3:1028:45 | ChiTotal | total:m1027_5 |
 | ir.cpp:1028:3:1028:45 | SideEffect | ~m1027_5 |
 | ir.cpp:1028:12:1028:45 | Arg(0) | 0:r1028_2 |
 | ir.cpp:1029:3:1029:49 | CallTarget | func:r1029_1 |
 | ir.cpp:1029:3:1029:49 | ChiPartial | partial:m1029_4 |
 | ir.cpp:1029:3:1029:49 | ChiTotal | total:m1028_5 |
 | ir.cpp:1029:3:1029:49 | SideEffect | ~m1028_5 |
 | ir.cpp:1029:12:1029:49 | Arg(0) | 0:r1029_2 |
 | ir.cpp:1034:6:1034:20 | ChiPartial | partial:m1034_3 |
 | ir.cpp:1034:6:1034:20 | ChiTotal | total:m1034_2 |
 | ir.cpp:1034:6:1034:20 | SideEffect | m1034_3 |
@@ -9576,6 +9626,186 @@
 | ir.cpp:2030:22:2030:22 | Arg(0) | 0:r2030_3 |
 | ir.cpp:2030:22:2030:22 | Load | m2026_6 |
 | ir.cpp:2030:26:2030:27 | Unary | r2030_7 |
 | ir.cpp:2033:6:2033:17 | ChiPartial | partial:m2033_3 |
 | ir.cpp:2033:6:2033:17 | ChiTotal | total:m2033_2 |
 | ir.cpp:2033:6:2033:17 | SideEffect | ~m2036_6 |
 | ir.cpp:2034:8:2034:8 | Address | &:r2034_1 |
 | ir.cpp:2034:12:2034:18 | Address | &:r2034_4 |
 | ir.cpp:2034:12:2034:18 | Arg(0) | 0:r2034_3 |
 | ir.cpp:2034:12:2034:18 | CallTarget | func:r2034_2 |
 | ir.cpp:2034:12:2034:18 | ChiPartial | partial:m2034_5 |
 | ir.cpp:2034:12:2034:18 | ChiTotal | total:m2033_4 |
 | ir.cpp:2034:12:2034:18 | SideEffect | ~m2033_4 |
 | ir.cpp:2034:12:2034:18 | StoreValue | r2034_8 |
 | ir.cpp:2034:12:2034:18 | Unary | r2034_4 |
 | ir.cpp:2035:3:2035:4 | Address | &:r2035_4 |
 | ir.cpp:2035:3:2035:8 | ChiPartial | partial:m2035_5 |
 | ir.cpp:2035:3:2035:8 | ChiTotal | total:m2034_7 |
 | ir.cpp:2035:4:2035:4 | Address | &:r2035_2 |
 | ir.cpp:2035:4:2035:4 | Load | m2034_9 |
 | ir.cpp:2035:4:2035:4 | Unary | r2035_3 |
 | ir.cpp:2035:8:2035:8 | StoreValue | r2035_1 |
 | ir.cpp:2036:3:2036:10 | CallTarget | func:r2036_1 |
 | ir.cpp:2036:3:2036:10 | ChiPartial | partial:m2036_5 |
 | ir.cpp:2036:3:2036:10 | ChiTotal | total:m2034_6 |
 | ir.cpp:2036:3:2036:10 | SideEffect | ~m2034_6 |
 | ir.cpp:2036:10:2036:10 | Address | &:r2036_2 |
 | ir.cpp:2036:10:2036:10 | Arg(0) | 0:r2036_3 |
 | ir.cpp:2036:10:2036:10 | Load | m2034_9 |
 | ir.cpp:2039:7:2039:7 | Address | &:r2039_5 |
 | ir.cpp:2039:7:2039:7 | Address | &:r2039_5 |
 | ir.cpp:2039:7:2039:7 | Address | &:r2039_7 |
 | ir.cpp:2039:7:2039:7 | Address | &:r2039_7 |
 | ir.cpp:2039:7:2039:7 | ChiPartial | partial:m2039_3 |
 | ir.cpp:2039:7:2039:7 | ChiTotal | total:m2039_2 |
 | ir.cpp:2039:7:2039:7 | Load | m2039_6 |
 | ir.cpp:2039:7:2039:7 | SideEffect | m2039_3 |
 | ir.cpp:2039:7:2039:7 | SideEffect | m2039_8 |
 | ir.cpp:2041:10:2041:24 | ChiPartial | partial:m2041_3 |
 | ir.cpp:2041:10:2041:24 | ChiTotal | total:m2041_2 |
 | ir.cpp:2041:10:2041:24 | SideEffect | m2041_3 |
 | ir.cpp:2041:32:2041:32 | Address | &:r2041_5 |
 | ir.cpp:2041:32:2041:32 | Address | &:r2041_5 |
 | ir.cpp:2041:32:2041:32 | Address | &:r2041_7 |
 | ir.cpp:2041:32:2041:32 | Address | &:r2041_7 |
 | ir.cpp:2041:32:2041:32 | Load | m2041_6 |
 | ir.cpp:2041:32:2041:32 | SideEffect | m2041_8 |
 | ir.cpp:2043:13:2043:18 | Address | &:r2043_5 |
 | ir.cpp:2043:13:2043:18 | Address | &:r2043_5 |
 | ir.cpp:2043:13:2043:18 | Address | &:r2043_7 |
 | ir.cpp:2043:13:2043:18 | Address | &:r2043_7 |
 | ir.cpp:2043:13:2043:18 | ChiPartial | partial:m2043_3 |
 | ir.cpp:2043:13:2043:18 | ChiTotal | total:m2043_2 |
 | ir.cpp:2043:13:2043:18 | Load | m2043_6 |
 | ir.cpp:2043:13:2043:18 | SideEffect | m2043_3 |
 | ir.cpp:2043:13:2043:18 | SideEffect | m2043_8 |
 | ir.cpp:2046:7:2046:7 | Address | &:r2046_5 |
 | ir.cpp:2046:7:2046:7 | Address | &:r2046_5 |
 | ir.cpp:2046:7:2046:7 | Address | &:r2046_7 |
 | ir.cpp:2046:7:2046:7 | Address | &:r2046_7 |
 | ir.cpp:2046:7:2046:7 | Address | &:r2046_9 |
 | ir.cpp:2046:7:2046:7 | Arg(this) | this:r2046_9 |
 | ir.cpp:2046:7:2046:7 | CallTarget | func:r2046_10 |
 | ir.cpp:2046:7:2046:7 | ChiPartial | partial:m2046_3 |
 | ir.cpp:2046:7:2046:7 | ChiPartial | partial:m2046_12 |
 | ir.cpp:2046:7:2046:7 | ChiPartial | partial:m2046_14 |
 | ir.cpp:2046:7:2046:7 | ChiTotal | total:m2046_2 |
 | ir.cpp:2046:7:2046:7 | ChiTotal | total:m2046_4 |
 | ir.cpp:2046:7:2046:7 | ChiTotal | total:m2046_8 |
 | ir.cpp:2046:7:2046:7 | Load | m2046_6 |
 | ir.cpp:2046:7:2046:7 | SideEffect | m2046_15 |
 | ir.cpp:2046:7:2046:7 | SideEffect | ~m2046_4 |
 | ir.cpp:2046:7:2046:7 | SideEffect | ~m2046_13 |
 | ir.cpp:2046:7:2046:7 | Unary | m2046_6 |
 | ir.cpp:2049:5:2049:13 | Address | &:r2049_5 |
 | ir.cpp:2049:5:2049:13 | Address | &:r2049_5 |
 | ir.cpp:2049:5:2049:13 | Address | &:r2049_7 |
 | ir.cpp:2049:5:2049:13 | Address | &:r2049_7 |
 | ir.cpp:2049:5:2049:13 | ChiPartial | partial:m2049_3 |
 | ir.cpp:2049:5:2049:13 | ChiTotal | total:m2049_2 |
 | ir.cpp:2049:5:2049:13 | Load | m2049_6 |
 | ir.cpp:2049:5:2049:13 | SideEffect | m2049_8 |
 | ir.cpp:2049:5:2049:13 | SideEffect | ~m2049_14 |
 | ir.cpp:2049:5:2049:13 | Unary | m2049_6 |
 | ir.cpp:2049:18:2049:18 | Arg(this) | this:r2049_10 |
 | ir.cpp:2049:18:2049:18 | CallTarget | func:r2049_11 |
 | ir.cpp:2049:18:2049:18 | ChiPartial | partial:m2049_13 |
 | ir.cpp:2049:18:2049:18 | ChiTotal | total:m2049_4 |
 | ir.cpp:2049:18:2049:18 | SideEffect | ~m2049_4 |
 | ir.cpp:2051:10:2051:24 | ChiPartial | partial:m2051_3 |
 | ir.cpp:2051:10:2051:24 | ChiTotal | total:m2051_2 |
 | ir.cpp:2051:10:2051:24 | SideEffect | m2051_3 |
 | ir.cpp:2051:32:2051:32 | Address | &:r2051_5 |
 | ir.cpp:2051:32:2051:32 | Address | &:r2051_5 |
 | ir.cpp:2051:32:2051:32 | Address | &:r2051_7 |
 | ir.cpp:2051:32:2051:32 | Address | &:r2051_7 |
 | ir.cpp:2051:32:2051:32 | Load | m2051_6 |
 | ir.cpp:2051:32:2051:32 | SideEffect | m2051_8 |
 | ir.cpp:2056:5:2056:18 | ChiPartial | partial:m2056_3 |
 | ir.cpp:2056:5:2056:18 | ChiTotal | total:m2056_2 |
 | ir.cpp:2058:12:2058:13 | Address | &:r2058_1 |
 | ir.cpp:2058:17:2058:27 | Address | &:r2058_4 |
 | ir.cpp:2058:17:2058:27 | Address | &:r2058_8 |
 | ir.cpp:2058:17:2058:27 | Arg(0) | 0:r2058_3 |
 | ir.cpp:2058:17:2058:27 | Arg(this) | this:r2058_8 |
 | ir.cpp:2058:17:2058:27 | CallTarget | func:r2058_2 |
 | ir.cpp:2058:17:2058:27 | CallTarget | func:r2058_9 |
 | ir.cpp:2058:17:2058:27 | ChiPartial | partial:m2058_5 |
 | ir.cpp:2058:17:2058:27 | ChiPartial | partial:m2058_11 |
 | ir.cpp:2058:17:2058:27 | ChiPartial | partial:m2058_13 |
 | ir.cpp:2058:17:2058:27 | ChiTotal | total:m2056_4 |
 | ir.cpp:2058:17:2058:27 | ChiTotal | total:m2058_6 |
 | ir.cpp:2058:17:2058:27 | ChiTotal | total:m2058_7 |
 | ir.cpp:2058:17:2058:27 | SideEffect | ~m2056_4 |
 | ir.cpp:2058:17:2058:27 | SideEffect | ~m2058_6 |
 | ir.cpp:2058:17:2058:27 | StoreValue | r2058_8 |
 | ir.cpp:2058:17:2058:27 | Unary | r2058_4 |
 | ir.cpp:2059:5:2059:13 | CallTarget | func:r2059_1 |
 | ir.cpp:2059:5:2059:13 | ChiPartial | partial:m2059_5 |
 | ir.cpp:2059:5:2059:13 | ChiTotal | total:m2058_12 |
 | ir.cpp:2059:5:2059:13 | SideEffect | ~m2058_12 |
 | ir.cpp:2059:12:2059:13 | Address | &:r2059_2 |
 | ir.cpp:2059:12:2059:13 | Arg(0) | 0:r2059_3 |
 | ir.cpp:2059:12:2059:13 | Load | m2058_15 |
 | ir.cpp:2061:12:2061:13 | Address | &:r2061_1 |
 | ir.cpp:2061:17:2061:30 | Address | &:r2061_4 |
 | ir.cpp:2061:17:2061:30 | Address | &:r2061_8 |
 | ir.cpp:2061:17:2061:30 | Arg(0) | 0:r2061_3 |
 | ir.cpp:2061:17:2061:30 | Arg(this) | this:r2061_8 |
 | ir.cpp:2061:17:2061:30 | CallTarget | func:r2061_2 |
 | ir.cpp:2061:17:2061:30 | CallTarget | func:r2061_9 |
 | ir.cpp:2061:17:2061:30 | ChiPartial | partial:m2061_5 |
 | ir.cpp:2061:17:2061:30 | ChiPartial | partial:m2061_11 |
 | ir.cpp:2061:17:2061:30 | ChiPartial | partial:m2061_13 |
 | ir.cpp:2061:17:2061:30 | ChiTotal | total:m2059_6 |
 | ir.cpp:2061:17:2061:30 | ChiTotal | total:m2061_6 |
 | ir.cpp:2061:17:2061:30 | ChiTotal | total:m2061_7 |
 | ir.cpp:2061:17:2061:30 | SideEffect | ~m2059_6 |
 | ir.cpp:2061:17:2061:30 | SideEffect | ~m2061_6 |
 | ir.cpp:2061:17:2061:30 | StoreValue | r2061_15 |
 | ir.cpp:2061:17:2061:30 | Unary | r2061_4 |
 | ir.cpp:2061:17:2061:30 | Unary | r2061_8 |
 | ir.cpp:2062:5:2062:13 | CallTarget | func:r2062_1 |
 | ir.cpp:2062:5:2062:13 | ChiPartial | partial:m2062_5 |
 | ir.cpp:2062:5:2062:13 | ChiTotal | total:m2061_12 |
 | ir.cpp:2062:5:2062:13 | SideEffect | ~m2061_12 |
 | ir.cpp:2062:12:2062:13 | Address | &:r2062_2 |
 | ir.cpp:2062:12:2062:13 | Arg(0) | 0:r2062_3 |
 | ir.cpp:2062:12:2062:13 | Load | m2061_16 |
 | ir.cpp:2064:15:2064:15 | Address | &:r2064_1 |
 | ir.cpp:2064:19:2064:32 | Address | &:r2064_4 |
 | ir.cpp:2064:19:2064:32 | Address | &:r2064_8 |
 | ir.cpp:2064:19:2064:32 | Arg(0) | 0:r2064_3 |
 | ir.cpp:2064:19:2064:32 | Arg(this) | this:r2064_8 |
 | ir.cpp:2064:19:2064:32 | CallTarget | func:r2064_2 |
 | ir.cpp:2064:19:2064:32 | CallTarget | func:r2064_9 |
 | ir.cpp:2064:19:2064:32 | ChiPartial | partial:m2064_5 |
 | ir.cpp:2064:19:2064:32 | ChiPartial | partial:m2064_11 |
 | ir.cpp:2064:19:2064:32 | ChiPartial | partial:m2064_13 |
 | ir.cpp:2064:19:2064:32 | ChiTotal | total:m2062_6 |
 | ir.cpp:2064:19:2064:32 | ChiTotal | total:m2064_6 |
 | ir.cpp:2064:19:2064:32 | ChiTotal | total:m2064_7 |
 | ir.cpp:2064:19:2064:32 | SideEffect | ~m2062_6 |
 | ir.cpp:2064:19:2064:32 | SideEffect | ~m2064_6 |
 | ir.cpp:2064:19:2064:32 | StoreValue | r2064_8 |
 | ir.cpp:2064:19:2064:32 | Unary | r2064_4 |
 | ir.cpp:2065:5:2065:12 | CallTarget | func:r2065_1 |
 | ir.cpp:2065:5:2065:12 | ChiPartial | partial:m2065_5 |
 | ir.cpp:2065:5:2065:12 | ChiTotal | total:m2064_12 |
 | ir.cpp:2065:5:2065:12 | SideEffect | ~m2064_12 |
 | ir.cpp:2065:12:2065:12 | Address | &:r2065_2 |
 | ir.cpp:2065:12:2065:12 | Arg(0) | 0:r2065_3 |
 | ir.cpp:2065:12:2065:12 | Load | m2064_15 |
 | ir.cpp:2070:6:2070:26 | ChiPartial | partial:m2070_3 |
 | ir.cpp:2070:6:2070:26 | ChiTotal | total:m2070_2 |
 | ir.cpp:2070:6:2070:26 | SideEffect | ~m2072_5 |
 | ir.cpp:2071:13:2071:13 | Address | &:r2071_1 |
 | ir.cpp:2071:16:2071:19 | StoreValue | r2071_2 |
 | ir.cpp:2072:3:2072:27 | CallTarget | func:r2072_1 |
 | ir.cpp:2072:3:2072:27 | ChiPartial | partial:m2072_4 |
 | ir.cpp:2072:3:2072:27 | ChiTotal | total:m2070_4 |
 | ir.cpp:2072:3:2072:27 | SideEffect | ~m2070_4 |
 | ir.cpp:2072:29:2072:29 | Arg(0) | 0:r2072_2 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -5666,16 +5666,26 @@ ir.cpp:
 # 1015|     v1015_1(void)              = EnterFunction                    : 
 # 1015|     mu1015_2(unknown)          = AliasedDefinition                : 
 # 1015|     mu1015_3(unknown)          = InitializeNonLocal               : 
-# 1016|     r1016_1(int *)             = Constant[0]        : 
+# 1016|     r1016_1(glval<unknown>)    = FunctionAddress[operator delete] : 
-# 1016|     v1016_2(void)              = NoOp               : 
+# 1016|     r1016_2(int *)             = Constant[0]                      : 
-# 1017|     r1017_1(String *)          = Constant[0]        : 
+# 1016|     v1016_3(void)              = Call[operator delete]            : func:r1016_1, 0:r1016_2
-# 1017|     v1017_2(void)              = NoOp               : 
+# 1016|     mu1016_4(unknown)          = ^CallSideEffect                  : ~m?
-# 1018|     r1018_1(SizedDealloc *)    = Constant[0]        : 
+# 1017|     r1017_1(glval<unknown>)    = FunctionAddress[operator delete] : 
-# 1018|     v1018_2(void)              = NoOp               : 
+# 1017|     r1017_2(String *)          = Constant[0]                      : 
-# 1019|     r1019_1(Overaligned *)     = Constant[0]        : 
+# 1017|     v1017_3(void)              = Call[operator delete]            : func:r1017_1, 0:r1017_2
-# 1019|     v1019_2(void)              = NoOp               : 
+# 1017|     mu1017_4(unknown)          = ^CallSideEffect                  : ~m?
-# 1020|     r1020_1(PolymorphicBase *) = Constant[0]        : 
+# 1018|     r1018_1(glval<unknown>)    = FunctionAddress[operator delete] : 
-# 1020|     v1020_2(void)              = NoOp               : 
+# 1018|     r1018_2(SizedDealloc *)    = Constant[0]                      : 
 # 1018|     v1018_3(void)              = Call[operator delete]            : func:r1018_1, 0:r1018_2
 # 1018|     mu1018_4(unknown)          = ^CallSideEffect                  : ~m?
 # 1019|     r1019_1(glval<unknown>)    = FunctionAddress[operator delete] : 
 # 1019|     r1019_2(Overaligned *)     = Constant[0]                      : 
 # 1019|     v1019_3(void)              = Call[operator delete]            : func:r1019_1, 0:r1019_2
 # 1019|     mu1019_4(unknown)          = ^CallSideEffect                  : ~m?
 # 1020|     r1020_1(glval<unknown>)    = VirtualDeleteFunctionAddress     : 
 # 1020|     r1020_2(PolymorphicBase *) = Constant[0]                      : 
 # 1020|     v1020_3(void)              = Call[?]                          : func:r1020_1, 0:r1020_2
 # 1020|     mu1020_4(unknown)          = ^CallSideEffect                  : ~m?
 # 1021|     v1021_1(void)              = NoOp                             : 
 # 1015|     v1015_4(void)              = ReturnVoid                       : 
 # 1015|     v1015_5(void)              = AliasedUse                       : ~m?
@@ -5686,16 +5696,26 @@ ir.cpp:
 # 1024|     v1024_1(void)              = EnterFunction                      : 
 # 1024|     mu1024_2(unknown)          = AliasedDefinition                  : 
 # 1024|     mu1024_3(unknown)          = InitializeNonLocal                 : 
-# 1025|     r1025_1(int *)             = Constant[0]        : 
+# 1025|     r1025_1(glval<unknown>)    = FunctionAddress[operator delete[]] : 
-# 1025|     v1025_2(void)              = NoOp               : 
+# 1025|     r1025_2(int *)             = Constant[0]                        : 
-# 1026|     r1026_1(String *)          = Constant[0]        : 
+# 1025|     v1025_3(void)              = Call[operator delete[]]            : func:r1025_1, 0:r1025_2
-# 1026|     v1026_2(void)              = NoOp               : 
+# 1025|     mu1025_4(unknown)          = ^CallSideEffect                    : ~m?
-# 1027|     r1027_1(SizedDealloc *)    = Constant[0]        : 
+# 1026|     r1026_1(glval<unknown>)    = FunctionAddress[operator delete[]] : 
-# 1027|     v1027_2(void)              = NoOp               : 
+# 1026|     r1026_2(String *)          = Constant[0]                        : 
-# 1028|     r1028_1(Overaligned *)     = Constant[0]        : 
+# 1026|     v1026_3(void)              = Call[operator delete[]]            : func:r1026_1, 0:r1026_2
-# 1028|     v1028_2(void)              = NoOp               : 
+# 1026|     mu1026_4(unknown)          = ^CallSideEffect                    : ~m?
-# 1029|     r1029_1(PolymorphicBase *) = Constant[0]        : 
+# 1027|     r1027_1(glval<unknown>)    = FunctionAddress[operator delete[]] : 
-# 1029|     v1029_2(void)              = NoOp               : 
+# 1027|     r1027_2(SizedDealloc *)    = Constant[0]                        : 
 # 1027|     v1027_3(void)              = Call[operator delete[]]            : func:r1027_1, 0:r1027_2
 # 1027|     mu1027_4(unknown)          = ^CallSideEffect                    : ~m?
 # 1028|     r1028_1(glval<unknown>)    = FunctionAddress[operator delete[]] : 
 # 1028|     r1028_2(Overaligned *)     = Constant[0]                        : 
 # 1028|     v1028_3(void)              = Call[operator delete[]]            : func:r1028_1, 0:r1028_2
 # 1028|     mu1028_4(unknown)          = ^CallSideEffect                    : ~m?
 # 1029|     r1029_1(glval<unknown>)    = FunctionAddress[operator delete[]] : 
 # 1029|     r1029_2(PolymorphicBase *) = Constant[0]                        : 
 # 1029|     v1029_3(void)              = Call[operator delete[]]            : func:r1029_1, 0:r1029_2
 # 1029|     mu1029_4(unknown)          = ^CallSideEffect                    : ~m?
 # 1030|     v1030_1(void)              = NoOp                               : 
 # 1024|     v1024_4(void)              = ReturnVoid                         : 
 # 1024|     v1024_5(void)              = AliasedUse                         : ~m?
@@ -11091,6 +11111,215 @@ ir.cpp:
 # 2028|     mu2028_13(unsigned int)       = Store[#temp2028:7]               : &:r2028_12, r2030_8
 #-----|   Goto -> Block 2
 # 2033| void NewDeleteMem()
 # 2033|   Block 0
 # 2033|     v2033_1(void)           = EnterFunction                    : 
 # 2033|     mu2033_2(unknown)       = AliasedDefinition                : 
 # 2033|     mu2033_3(unknown)       = InitializeNonLocal               : 
 # 2034|     r2034_1(glval<int *>)   = VariableAddress[x]               : 
 # 2034|     r2034_2(glval<unknown>) = FunctionAddress[operator new]    : 
 # 2034|     r2034_3(unsigned long)  = Constant[4]                      : 
 # 2034|     r2034_4(void *)         = Call[operator new]               : func:r2034_2, 0:r2034_3
 # 2034|     mu2034_5(unknown)       = ^CallSideEffect                  : ~m?
 # 2034|     mu2034_6(unknown)       = ^InitializeDynamicAllocation     : &:r2034_4
 # 2034|     r2034_7(int *)          = Convert                          : r2034_4
 # 2034|     mu2034_8(int *)         = Store[x]                         : &:r2034_1, r2034_7
 # 2035|     r2035_1(int)            = Constant[6]                      : 
 # 2035|     r2035_2(glval<int *>)   = VariableAddress[x]               : 
 # 2035|     r2035_3(int *)          = Load[x]                          : &:r2035_2, ~m?
 # 2035|     r2035_4(glval<int>)     = CopyValue                        : r2035_3
 # 2035|     mu2035_5(int)           = Store[?]                         : &:r2035_4, r2035_1
 # 2036|     r2036_1(glval<unknown>) = FunctionAddress[operator delete] : 
 # 2036|     r2036_2(glval<int *>)   = VariableAddress[x]               : 
 # 2036|     r2036_3(int *)          = Load[x]                          : &:r2036_2, ~m?
 # 2036|     v2036_4(void)           = Call[operator delete]            : func:r2036_1, 0:r2036_3
 # 2036|     mu2036_5(unknown)       = ^CallSideEffect                  : ~m?
 # 2037|     v2037_1(void)           = NoOp                             : 
 # 2033|     v2033_4(void)           = ReturnVoid                       : 
 # 2033|     v2033_5(void)           = AliasedUse                       : ~m?
 # 2033|     v2033_6(void)           = ExitFunction                     : 
 # 2039| void Base2::Base2()
 # 2039|   Block 0
 # 2039|     v2039_1(void)           = EnterFunction                : 
 # 2039|     mu2039_2(unknown)       = AliasedDefinition            : 
 # 2039|     mu2039_3(unknown)       = InitializeNonLocal           : 
 # 2039|     r2039_4(glval<unknown>) = VariableAddress[#this]       : 
 # 2039|     mu2039_5(glval<Base2>)  = InitializeParameter[#this]   : &:r2039_4
 # 2039|     r2039_6(glval<Base2>)   = Load[#this]                  : &:r2039_4, ~m?
 # 2039|     mu2039_7(Base2)         = InitializeIndirection[#this] : &:r2039_6
 # 2039|     v2039_8(void)           = NoOp                         : 
 # 2039|     v2039_9(void)           = ReturnIndirection[#this]     : &:r2039_6, ~m?
 # 2039|     v2039_10(void)          = ReturnVoid                   : 
 # 2039|     v2039_11(void)          = AliasedUse                   : ~m?
 # 2039|     v2039_12(void)          = ExitFunction                 : 
 # 2041| void Base2::operator delete(void*)
 # 2041|   Block 0
 # 2041|     v2041_1(void)          = EnterFunction            : 
 # 2041|     mu2041_2(unknown)      = AliasedDefinition        : 
 # 2041|     mu2041_3(unknown)      = InitializeNonLocal       : 
 # 2041|     r2041_4(glval<void *>) = VariableAddress[p]       : 
 # 2041|     mu2041_5(void *)       = InitializeParameter[p]   : &:r2041_4
 # 2041|     r2041_6(void *)        = Load[p]                  : &:r2041_4, ~m?
 # 2041|     mu2041_7(unknown)      = InitializeIndirection[p] : &:r2041_6
 # 2042|     v2042_1(void)          = NoOp                     : 
 # 2041|     v2041_8(void)          = ReturnIndirection[p]     : &:r2041_6, ~m?
 # 2041|     v2041_9(void)          = ReturnVoid               : 
 # 2041|     v2041_10(void)         = AliasedUse               : ~m?
 # 2041|     v2041_11(void)         = ExitFunction             : 
 # 2043| void Base2::~Base2()
 # 2043|   Block 0
 # 2043|     v2043_1(void)           = EnterFunction                : 
 # 2043|     mu2043_2(unknown)       = AliasedDefinition            : 
 # 2043|     mu2043_3(unknown)       = InitializeNonLocal           : 
 # 2043|     r2043_4(glval<unknown>) = VariableAddress[#this]       : 
 # 2043|     mu2043_5(glval<Base2>)  = InitializeParameter[#this]   : &:r2043_4
 # 2043|     r2043_6(glval<Base2>)   = Load[#this]                  : &:r2043_4, ~m?
 # 2043|     mu2043_7(Base2)         = InitializeIndirection[#this] : &:r2043_6
 # 2043|     v2043_8(void)           = NoOp                         : 
 # 2043|     v2043_9(void)           = ReturnIndirection[#this]     : &:r2043_6, ~m?
 # 2043|     v2043_10(void)          = ReturnVoid                   : 
 # 2043|     v2043_11(void)          = AliasedUse                   : ~m?
 # 2043|     v2043_12(void)          = ExitFunction                 : 
 # 2046| void Derived2::Derived2()
 # 2046|   Block 0
 # 2046|     v2046_1(void)             = EnterFunction                             : 
 # 2046|     mu2046_2(unknown)         = AliasedDefinition                         : 
 # 2046|     mu2046_3(unknown)         = InitializeNonLocal                        : 
 # 2046|     r2046_4(glval<unknown>)   = VariableAddress[#this]                    : 
 # 2046|     mu2046_5(glval<Derived2>) = InitializeParameter[#this]                : &:r2046_4
 # 2046|     r2046_6(glval<Derived2>)  = Load[#this]                               : &:r2046_4, ~m?
 # 2046|     mu2046_7(Derived2)        = InitializeIndirection[#this]              : &:r2046_6
 # 2046|     r2046_8(glval<Base2>)     = ConvertToNonVirtualBase[Derived2 : Base2] : mu2046_5
 # 2046|     r2046_9(glval<unknown>)   = FunctionAddress[Base2]                    : 
 # 2046|     v2046_10(void)            = Call[Base2]                               : func:r2046_9, this:r2046_8
 # 2046|     mu2046_11(unknown)        = ^CallSideEffect                           : ~m?
 # 2046|     mu2046_12(Base2)          = ^IndirectMayWriteSideEffect[-1]           : &:r2046_8
 # 2046|     v2046_13(void)            = NoOp                                      : 
 # 2046|     v2046_14(void)            = ReturnIndirection[#this]                  : &:r2046_6, ~m?
 # 2046|     v2046_15(void)            = ReturnVoid                                : 
 # 2046|     v2046_16(void)            = AliasedUse                                : ~m?
 # 2046|     v2046_17(void)            = ExitFunction                              : 
 # 2049| void Derived2::~Derived2()
 # 2049|   Block 0
 # 2049|     v2049_1(void)             = EnterFunction                             : 
 # 2049|     mu2049_2(unknown)         = AliasedDefinition                         : 
 # 2049|     mu2049_3(unknown)         = InitializeNonLocal                        : 
 # 2049|     r2049_4(glval<unknown>)   = VariableAddress[#this]                    : 
 # 2049|     mu2049_5(glval<Derived2>) = InitializeParameter[#this]                : &:r2049_4
 # 2049|     r2049_6(glval<Derived2>)  = Load[#this]                               : &:r2049_4, ~m?
 # 2049|     mu2049_7(Derived2)        = InitializeIndirection[#this]              : &:r2049_6
 # 2049|     v2049_8(void)             = NoOp                                      : 
 # 2049|     r2049_9(glval<Base2>)     = ConvertToNonVirtualBase[Derived2 : Base2] : mu2049_5
 # 2049|     r2049_10(glval<unknown>)  = FunctionAddress[~Base2]                   : 
 # 2049|     v2049_11(void)            = Call[~Base2]                              : func:r2049_10, this:r2049_9
 # 2049|     mu2049_12(unknown)        = ^CallSideEffect                           : ~m?
 # 2049|     v2049_13(void)            = ReturnIndirection[#this]                  : &:r2049_6, ~m?
 # 2049|     v2049_14(void)            = ReturnVoid                                : 
 # 2049|     v2049_15(void)            = AliasedUse                                : ~m?
 # 2049|     v2049_16(void)            = ExitFunction                              : 
 # 2051| void Derived2::operator delete(void*)
 # 2051|   Block 0
 # 2051|     v2051_1(void)          = EnterFunction            : 
 # 2051|     mu2051_2(unknown)      = AliasedDefinition        : 
 # 2051|     mu2051_3(unknown)      = InitializeNonLocal       : 
 # 2051|     r2051_4(glval<void *>) = VariableAddress[p]       : 
 # 2051|     mu2051_5(void *)       = InitializeParameter[p]   : &:r2051_4
 # 2051|     r2051_6(void *)        = Load[p]                  : &:r2051_4, ~m?
 # 2051|     mu2051_7(unknown)      = InitializeIndirection[p] : &:r2051_6
 # 2052|     v2052_1(void)          = NoOp                     : 
 # 2051|     v2051_8(void)          = ReturnIndirection[p]     : &:r2051_6, ~m?
 # 2051|     v2051_9(void)          = ReturnVoid               : 
 # 2051|     v2051_10(void)         = AliasedUse               : ~m?
 # 2051|     v2051_11(void)         = ExitFunction             : 
 # 2056| int virtual_delete()
 # 2056|   Block 0
 # 2056|     v2056_1(void)              = EnterFunction                             : 
 # 2056|     mu2056_2(unknown)          = AliasedDefinition                         : 
 # 2056|     mu2056_3(unknown)          = InitializeNonLocal                        : 
 # 2058|     r2058_1(glval<Base2 *>)    = VariableAddress[b1]                       : 
 # 2058|     r2058_2(glval<unknown>)    = FunctionAddress[operator new]             : 
 # 2058|     r2058_3(unsigned long)     = Constant[8]                               : 
 # 2058|     r2058_4(void *)            = Call[operator new]                        : func:r2058_2, 0:r2058_3
 # 2058|     mu2058_5(unknown)          = ^CallSideEffect                           : ~m?
 # 2058|     mu2058_6(unknown)          = ^InitializeDynamicAllocation              : &:r2058_4
 # 2058|     r2058_7(Base2 *)           = Convert                                   : r2058_4
 # 2058|     r2058_8(glval<unknown>)    = FunctionAddress[Base2]                    : 
 # 2058|     v2058_9(void)              = Call[Base2]                               : func:r2058_8, this:r2058_7
 # 2058|     mu2058_10(unknown)         = ^CallSideEffect                           : ~m?
 # 2058|     mu2058_11(Base2)           = ^IndirectMayWriteSideEffect[-1]           : &:r2058_7
 # 2058|     mu2058_12(Base2 *)         = Store[b1]                                 : &:r2058_1, r2058_7
 # 2059|     r2059_1(glval<unknown>)    = VirtualDeleteFunctionAddress              : 
 # 2059|     r2059_2(glval<Base2 *>)    = VariableAddress[b1]                       : 
 # 2059|     r2059_3(Base2 *)           = Load[b1]                                  : &:r2059_2, ~m?
 # 2059|     v2059_4(void)              = Call[?]                                   : func:r2059_1, 0:r2059_3
 # 2059|     mu2059_5(unknown)          = ^CallSideEffect                           : ~m?
 # 2061|     r2061_1(glval<Base2 *>)    = VariableAddress[b2]                       : 
 # 2061|     r2061_2(glval<unknown>)    = FunctionAddress[operator new]             : 
 # 2061|     r2061_3(unsigned long)     = Constant[16]                              : 
 # 2061|     r2061_4(void *)            = Call[operator new]                        : func:r2061_2, 0:r2061_3
 # 2061|     mu2061_5(unknown)          = ^CallSideEffect                           : ~m?
 # 2061|     mu2061_6(unknown)          = ^InitializeDynamicAllocation              : &:r2061_4
 # 2061|     r2061_7(Derived2 *)        = Convert                                   : r2061_4
 # 2061|     r2061_8(glval<unknown>)    = FunctionAddress[Derived2]                 : 
 # 2061|     v2061_9(void)              = Call[Derived2]                            : func:r2061_8, this:r2061_7
 # 2061|     mu2061_10(unknown)         = ^CallSideEffect                           : ~m?
 # 2061|     mu2061_11(Derived2)        = ^IndirectMayWriteSideEffect[-1]           : &:r2061_7
 # 2061|     r2061_12(Base2 *)          = ConvertToNonVirtualBase[Derived2 : Base2] : r2061_7
 # 2061|     mu2061_13(Base2 *)         = Store[b2]                                 : &:r2061_1, r2061_12
 # 2062|     r2062_1(glval<unknown>)    = VirtualDeleteFunctionAddress              : 
 # 2062|     r2062_2(glval<Base2 *>)    = VariableAddress[b2]                       : 
 # 2062|     r2062_3(Base2 *)           = Load[b2]                                  : &:r2062_2, ~m?
 # 2062|     v2062_4(void)              = Call[?]                                   : func:r2062_1, 0:r2062_3
 # 2062|     mu2062_5(unknown)          = ^CallSideEffect                           : ~m?
 # 2064|     r2064_1(glval<Derived2 *>) = VariableAddress[d]                        : 
 # 2064|     r2064_2(glval<unknown>)    = FunctionAddress[operator new]             : 
 # 2064|     r2064_3(unsigned long)     = Constant[16]                              : 
 # 2064|     r2064_4(void *)            = Call[operator new]                        : func:r2064_2, 0:r2064_3
 # 2064|     mu2064_5(unknown)          = ^CallSideEffect                           : ~m?
 # 2064|     mu2064_6(unknown)          = ^InitializeDynamicAllocation              : &:r2064_4
 # 2064|     r2064_7(Derived2 *)        = Convert                                   : r2064_4
 # 2064|     r2064_8(glval<unknown>)    = FunctionAddress[Derived2]                 : 
 # 2064|     v2064_9(void)              = Call[Derived2]                            : func:r2064_8, this:r2064_7
 # 2064|     mu2064_10(unknown)         = ^CallSideEffect                           : ~m?
 # 2064|     mu2064_11(Derived2)        = ^IndirectMayWriteSideEffect[-1]           : &:r2064_7
 # 2064|     mu2064_12(Derived2 *)      = Store[d]                                  : &:r2064_1, r2064_7
 # 2065|     r2065_1(glval<unknown>)    = VirtualDeleteFunctionAddress              : 
 # 2065|     r2065_2(glval<Derived2 *>) = VariableAddress[d]                        : 
 # 2065|     r2065_3(Derived2 *)        = Load[d]                                   : &:r2065_2, ~m?
 # 2065|     v2065_4(void)              = Call[?]                                   : func:r2065_1, 0:r2065_3
 # 2065|     mu2065_5(unknown)          = ^CallSideEffect                           : ~m?
 # 2066|     v2066_1(void)              = Unreached                                 : 
 # 2056|   Block 1
 # 2056|     r2056_4(glval<int>) = VariableAddress[#return] : 
 # 2056|     v2056_5(void)       = ReturnValue              : &:r2056_4, ~m?
 # 2056|     v2056_6(void)       = AliasedUse               : ~m?
 # 2056|     v2056_7(void)       = ExitFunction             : 
 # 2070| void test_constant_folding()
 # 2070|   Block 0
 # 2070|     v2070_1(void)           = EnterFunction                              : 
 # 2070|     mu2070_2(unknown)       = AliasedDefinition                          : 
 # 2070|     mu2070_3(unknown)       = InitializeNonLocal                         : 
 # 2071|     r2071_1(glval<int>)     = VariableAddress[x]                         : 
 # 2071|     r2071_2(int)            = Constant[116]                              : 
 # 2071|     mu2071_3(int)           = Store[x]                                   : &:r2071_1, r2071_2
 # 2072|     r2072_1(glval<unknown>) = FunctionAddress[test_constant_folding_use] : 
 # 2072|     r2072_2(int)            = Constant[116]                              : 
 # 2072|     v2072_3(void)           = Call[test_constant_folding_use]            : func:r2072_1, 0:r2072_2
 # 2072|     mu2072_4(unknown)       = ^CallSideEffect                            : ~m?
 # 2073|     v2073_1(void)           = NoOp                                       : 
 # 2070|     v2070_4(void)           = ReturnVoid                                 : 
 # 2070|     v2070_5(void)           = AliasedUse                                 : ~m?
 # 2070|     v2070_6(void)           = ExitFunction                               : 
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0
--- a/cpp/ql/test/library-tests/ir/modulus-analysis/test.cpp
+++ b/cpp/ql/test/library-tests/ir/modulus-analysis/test.cpp
@@ -10,7 +10,7 @@ void m(int i, bool cond, int x, int y) {
    int seven = 7;
    if (mul % c2 == seven) {
-        mod(mul); // congruent 3 mod 42, 7 mod 43
+        mod(mul); // $ mod=0,3,42
    }
    int j = cond
@@ -19,13 +19,11 @@ void m(int i, bool cond, int x, int y) {
    mod(j); // $ mod=0,3,4
    if (x % c1 == 3 && y % c1 == 7) {
-        // Need implies_v2
+        mod(x + y); // $ mod=0,10,42
        mod(x + y); // $ MISSING: 0,10,42
    }
    if (x % c1 == 3 && y % c1 == 7) {
-        // Need implies_v2
+        mod(x - y); // $ mod=0,38,42
        mod(x - y); // $ MISSING: mod=0,38,42
    }
    if (cond) {
--- a/cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp
+++ b/cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp
@@ -1008,12 +1008,12 @@ label:
 void test_overflow() {
  const int x = 2147483647; // 2^31-1
-  range(x);
+  range(x); // $ range===2147483647
  const int y = 256;
-  range(y);
+  range(y); // $ range===256
  if ((x + y) <= 512) {
-    range(x);
+    range(x); // $ range===2147483647
-    range(y);
+    range(y); // $ range===256
    range(x + y); // $ range===-2147483393
  }
 }
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected
@@ -18,6 +18,7 @@ edges
 | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a |
 | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a |
 | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a |
 | test_free.cpp:83:12:83:12 | a | test_free.cpp:85:12:85:12 | a |
 | test_free.cpp:101:10:101:10 | a | test_free.cpp:103:10:103:10 | a |
 | test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | * ... |
 | test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a |
@@ -28,6 +29,8 @@ edges
 | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
 | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
 | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a |
 | test_free.cpp:252:7:252:7 | p | test_free.cpp:255:10:255:10 | p |
 | test_free.cpp:260:9:260:9 | p | test_free.cpp:263:12:263:12 | p |
 nodes
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
@@ -51,6 +54,8 @@ nodes
 | test_free.cpp:69:10:69:10 | a | semmle.label | a |
 | test_free.cpp:72:14:72:14 | a | semmle.label | a |
 | test_free.cpp:72:14:72:14 | a | semmle.label | a |
 | test_free.cpp:83:12:83:12 | a | semmle.label | a |
 | test_free.cpp:85:12:85:12 | a | semmle.label | a |
 | test_free.cpp:101:10:101:10 | a | semmle.label | a |
 | test_free.cpp:103:10:103:10 | a | semmle.label | a |
 | test_free.cpp:128:10:128:11 | * ... | semmle.label | * ... |
@@ -63,6 +68,10 @@ nodes
 | test_free.cpp:207:10:207:10 | a | semmle.label | a |
 | test_free.cpp:209:10:209:10 | a | semmle.label | a |
 | test_free.cpp:209:10:209:10 | a | semmle.label | a |
 | test_free.cpp:252:7:252:7 | p | semmle.label | p |
 | test_free.cpp:255:10:255:10 | p | semmle.label | p |
 | test_free.cpp:260:9:260:9 | p | semmle.label | p |
 | test_free.cpp:263:12:263:12 | p | semmle.label | p |
 subpaths
 #select
 | test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
@@ -84,6 +93,7 @@ subpaths
 | test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
 | test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
 | test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:72:14:72:14 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
 | test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | a | test_free.cpp:85:12:85:12 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:83:5:83:13 | delete | delete |
 | test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | a | test_free.cpp:103:10:103:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
 | test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | * ... | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
 | test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | a | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
@@ -94,3 +104,5 @@ subpaths
 | test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
 | test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
 | test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | a | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |
 | test_free.cpp:255:10:255:10 | p | test_free.cpp:252:7:252:7 | p | test_free.cpp:255:10:255:10 | p | Memory pointed to by 'p' may already have been freed by $@. | test_free.cpp:252:2:252:5 | call to free | call to free |
 | test_free.cpp:263:12:263:12 | p | test_free.cpp:260:9:260:9 | p | test_free.cpp:263:12:263:12 | p | Memory pointed to by 'p' may already have been freed by $@. | test_free.cpp:260:2:260:9 | delete | delete |
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
@@ -92,6 +92,10 @@
 | test_free.cpp:233:14:233:15 | * ... |
 | test_free.cpp:239:14:239:15 | * ... |
 | test_free.cpp:245:10:245:11 | * ... |
 | test_free.cpp:252:7:252:7 | p |
 | test_free.cpp:255:10:255:10 | p |
 | test_free.cpp:260:9:260:9 | p |
 | test_free.cpp:263:12:263:12 | p |
 | virtual.cpp:18:10:18:10 | a |
 | virtual.cpp:19:10:19:10 | c |
 | virtual.cpp:38:10:38:10 | b |
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.expected
@@ -12,3 +12,5 @@
 | test.cpp:157:3:157:26 | new[] | This memory is never freed. |
 | test.cpp:169:14:169:19 | call to strdup | This memory is never freed. |
 | test_free.cpp:167:15:167:21 | call to realloc | This memory is never freed. |
 | test_free.cpp:253:14:253:19 | call to malloc | This memory is never freed. |
 | test_free.cpp:261:6:261:12 | new | This memory is never freed. |
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
@@ -9,6 +9,7 @@ edges
 | test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a |
 | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a |
 | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a |
 | test_free.cpp:83:12:83:12 | a | test_free.cpp:84:5:84:5 | a |
 | test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a |
 | test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a |
 | test_free.cpp:95:10:95:10 | a | test_free.cpp:96:9:96:9 | a |
@@ -27,6 +28,8 @@ edges
 | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
 | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
 | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
 | test_free.cpp:252:7:252:7 | p | test_free.cpp:254:6:254:6 | p |
 | test_free.cpp:260:9:260:9 | p | test_free.cpp:262:6:262:6 | p |
 nodes
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
@@ -41,6 +44,8 @@ nodes
 | test_free.cpp:69:10:69:10 | a | semmle.label | a |
 | test_free.cpp:69:10:69:10 | a | semmle.label | a |
 | test_free.cpp:71:9:71:9 | a | semmle.label | a |
 | test_free.cpp:83:12:83:12 | a | semmle.label | a |
 | test_free.cpp:84:5:84:5 | a | semmle.label | a |
 | test_free.cpp:90:10:90:10 | a | semmle.label | a |
 | test_free.cpp:90:10:90:10 | a | semmle.label | a |
 | test_free.cpp:91:5:91:5 | a | semmle.label | a |
@@ -63,6 +68,10 @@ nodes
 | test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
 | test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
 | test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
 | test_free.cpp:252:7:252:7 | p | semmle.label | p |
 | test_free.cpp:254:6:254:6 | p | semmle.label | p |
 | test_free.cpp:260:9:260:9 | p | semmle.label | p |
 | test_free.cpp:262:6:262:6 | p | semmle.label | p |
 subpaths
 #select
 | test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
@@ -75,6 +84,7 @@ subpaths
 | test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free |
 | test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
 | test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | a | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. | test_free.cpp:69:5:69:8 | call to free | call to free |
 | test_free.cpp:84:5:84:5 | a | test_free.cpp:83:12:83:12 | a | test_free.cpp:84:5:84:5 | a | Memory may have been previously freed by $@. | test_free.cpp:83:5:83:13 | delete | delete |
 | test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free |
 | test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | a | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free |
 | test_free.cpp:96:9:96:9 | a | test_free.cpp:95:10:95:10 | a | test_free.cpp:96:9:96:9 | a | Memory may have been previously freed by $@. | test_free.cpp:95:5:95:8 | call to free | call to free |
@@ -93,3 +103,5 @@ subpaths
 | test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
 | test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
 | test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
 | test_free.cpp:254:6:254:6 | p | test_free.cpp:252:7:252:7 | p | test_free.cpp:254:6:254:6 | p | Memory may have been previously freed by $@. | test_free.cpp:252:2:252:5 | call to free | call to free |
 | test_free.cpp:262:6:262:6 | p | test_free.cpp:260:9:260:9 | p | test_free.cpp:262:6:262:6 | p | Memory may have been previously freed by $@. | test_free.cpp:260:2:260:9 | delete | delete |
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
@@ -81,8 +81,8 @@ public:
 void test_new1() {
    A *a = new A();
    delete(a);
-    a->f(); // BAD [NOT DETECTED]
+    a->f(); // BAD
-    delete(a); // BAD [NOT DETECTED]
+    delete(a); // BAD
 }
 void test_dereference1(A *a) {
@@ -245,3 +245,20 @@ void test_deref(char **a) {
    free(*a);
    use(*a); // GOOD [FALSE POSITIVE]
 }
 // Refs
 void test_ref(char *&p) {
 	free(p);
 	p = (char *)malloc(sizeof(char)*10);
 	use(p);  // GOOD [FALSE POSITIVE]
    free(p); // GOOD [FALSE POSITIVE]
 }
 void test_ref_delete(int *&p) {
 	delete p;
 	p = new int;
 	use(p);  // GOOD [FALSE POSITIVE]
    delete p;  // GOOD [FALSE POSITIVE]
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
@@ -2,9 +2,11 @@ edges
 | test.cpp:15:27:15:30 | argv indirection | test.cpp:22:45:22:52 | userName indirection |
 | test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | command1 indirection |
 | test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
 | test.cpp:22:45:22:52 | userName indirection | test.cpp:22:45:22:52 | userName indirection |
 | test.cpp:47:21:47:26 | call to getenv indirection | test.cpp:50:35:50:43 | envCflags indirection |
 | test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | command indirection |
 | test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:11:50:17 | sprintf output argument |
 | test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:35:50:43 | envCflags indirection |
 | test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | filename indirection |
 | test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | command indirection |
 | test.cpp:64:20:64:27 | filename indirection | test.cpp:64:11:64:17 | strncat output argument |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
@@ -4,38 +4,29 @@ edges
 | test.cpp:18:10:18:15 | str indirection [post update] [string] | test.cpp:19:5:19:7 | str indirection [string] |
 | test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | ... = ... |
 | test.cpp:19:5:19:7 | str indirection [string] | test.cpp:16:11:16:21 | mk_string_t indirection [string] |
 | test.cpp:19:5:19:7 | str indirection [string] | test.cpp:19:5:19:7 | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:42:13:42:15 | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:72:17:72:19 | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:80:17:80:19 | str indirection [string] |
 | test.cpp:42:13:42:15 | str indirection [string] | test.cpp:42:18:42:23 | string |
 | test.cpp:42:13:42:15 | str indirection [string] | test.cpp:42:18:42:23 | string indirection |
 | test.cpp:42:18:42:23 | string indirection | test.cpp:42:18:42:23 | string |
 | test.cpp:72:17:72:19 | str indirection [string] | test.cpp:72:22:72:27 | string |
 | test.cpp:72:17:72:19 | str indirection [string] | test.cpp:72:22:72:27 | string indirection |
 | test.cpp:72:22:72:27 | string indirection | test.cpp:72:22:72:27 | string |
 | test.cpp:80:17:80:19 | str indirection [string] | test.cpp:80:22:80:27 | string |
 | test.cpp:80:17:80:19 | str indirection [string] | test.cpp:80:22:80:27 | string indirection |
 | test.cpp:80:22:80:27 | string indirection | test.cpp:80:22:80:27 | string |
 | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] |
 | test.cpp:90:5:90:34 | ... = ... | test.cpp:90:10:90:15 | str indirection [post update] [string] |
 | test.cpp:90:10:90:15 | str indirection [post update] [string] | test.cpp:91:5:91:7 | str indirection [string] |
 | test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | ... = ... |
 | test.cpp:91:5:91:7 | str indirection [string] | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] |
 | test.cpp:91:5:91:7 | str indirection [string] | test.cpp:91:5:91:7 | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:99:13:99:15 | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:129:17:129:19 | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:137:17:137:19 | str indirection [string] |
 | test.cpp:99:13:99:15 | str indirection [string] | test.cpp:99:18:99:23 | string |
 | test.cpp:99:13:99:15 | str indirection [string] | test.cpp:99:18:99:23 | string indirection |
 | test.cpp:99:18:99:23 | string indirection | test.cpp:99:18:99:23 | string |
 | test.cpp:129:17:129:19 | str indirection [string] | test.cpp:129:22:129:27 | string |
 | test.cpp:129:17:129:19 | str indirection [string] | test.cpp:129:22:129:27 | string indirection |
 | test.cpp:129:22:129:27 | string indirection | test.cpp:129:22:129:27 | string |
 | test.cpp:137:17:137:19 | str indirection [string] | test.cpp:137:22:137:27 | string |
 | test.cpp:137:17:137:19 | str indirection [string] | test.cpp:137:22:137:27 | string indirection |
 | test.cpp:137:22:137:27 | string indirection | test.cpp:137:22:137:27 | string |
 | test.cpp:147:5:147:34 | ... = ... | test.cpp:147:10:147:15 | str indirection [post update] [string] |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:148:5:148:7 | str indirection [string] |
 | test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | ... = ... |
 | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:148:5:148:7 | str indirection [string] |
 | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:152:13:152:15 | str indirection [string] |
 | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:154:13:154:15 | str indirection [string] |
 | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:156:13:156:15 | str indirection [string] |
@@ -46,32 +37,14 @@ edges
 | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:203:17:203:19 | str indirection [string] |
 | test.cpp:148:5:148:7 | str indirection [string] | test.cpp:207:17:207:19 | str indirection [string] |
 | test.cpp:152:13:152:15 | str indirection [string] | test.cpp:152:18:152:23 | string |
 | test.cpp:152:13:152:15 | str indirection [string] | test.cpp:152:18:152:23 | string indirection |
 | test.cpp:152:18:152:23 | string indirection | test.cpp:152:18:152:23 | string |
 | test.cpp:154:13:154:15 | str indirection [string] | test.cpp:154:18:154:23 | string |
 | test.cpp:154:13:154:15 | str indirection [string] | test.cpp:154:18:154:23 | string indirection |
 | test.cpp:154:18:154:23 | string indirection | test.cpp:154:18:154:23 | string |
 | test.cpp:156:13:156:15 | str indirection [string] | test.cpp:156:18:156:23 | string |
 | test.cpp:156:13:156:15 | str indirection [string] | test.cpp:156:18:156:23 | string indirection |
 | test.cpp:156:18:156:23 | string indirection | test.cpp:156:18:156:23 | string |
 | test.cpp:175:17:175:19 | str indirection [string] | test.cpp:175:22:175:27 | string |
 | test.cpp:175:17:175:19 | str indirection [string] | test.cpp:175:22:175:27 | string indirection |
 | test.cpp:175:22:175:27 | string indirection | test.cpp:175:22:175:27 | string |
 | test.cpp:187:17:187:19 | str indirection [string] | test.cpp:187:22:187:27 | string |
 | test.cpp:187:17:187:19 | str indirection [string] | test.cpp:187:22:187:27 | string indirection |
 | test.cpp:187:22:187:27 | string indirection | test.cpp:187:22:187:27 | string |
 | test.cpp:195:17:195:19 | str indirection [string] | test.cpp:195:22:195:27 | string |
 | test.cpp:195:17:195:19 | str indirection [string] | test.cpp:195:22:195:27 | string indirection |
 | test.cpp:195:22:195:27 | string indirection | test.cpp:195:22:195:27 | string |
 | test.cpp:199:17:199:19 | str indirection [string] | test.cpp:199:22:199:27 | string |
 | test.cpp:199:17:199:19 | str indirection [string] | test.cpp:199:22:199:27 | string indirection |
 | test.cpp:199:22:199:27 | string indirection | test.cpp:199:22:199:27 | string |
 | test.cpp:203:17:203:19 | str indirection [string] | test.cpp:203:22:203:27 | string |
 | test.cpp:203:17:203:19 | str indirection [string] | test.cpp:203:22:203:27 | string indirection |
 | test.cpp:203:22:203:27 | string indirection | test.cpp:203:22:203:27 | string |
 | test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string |
 | test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string indirection |
 | test.cpp:207:22:207:27 | string indirection | test.cpp:207:22:207:27 | string |
 | test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p |
 | test.cpp:220:43:220:48 | call to malloc | test.cpp:222:15:222:20 | buffer |
 | test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p |
@@ -83,8 +56,6 @@ edges
 | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer |
 | test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] |
 | test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:12:243:21 | string |
 | test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:16:243:21 | string indirection |
 | test.cpp:243:16:243:21 | string indirection | test.cpp:243:12:243:21 | string |
 | test.cpp:249:20:249:27 | call to my_alloc | test.cpp:250:12:250:12 | p |
 | test.cpp:256:17:256:22 | call to malloc | test.cpp:257:12:257:12 | p |
 | test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p |
@@ -98,13 +69,10 @@ nodes
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | semmle.label | call to mk_string_t indirection [string] |
 | test.cpp:42:13:42:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:42:18:42:23 | string | semmle.label | string |
 | test.cpp:42:18:42:23 | string indirection | semmle.label | string indirection |
 | test.cpp:72:17:72:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:72:22:72:27 | string | semmle.label | string |
 | test.cpp:72:22:72:27 | string indirection | semmle.label | string indirection |
 | test.cpp:80:17:80:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:80:22:80:27 | string | semmle.label | string |
 | test.cpp:80:22:80:27 | string indirection | semmle.label | string indirection |
 | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | semmle.label | mk_string_t_plus_one indirection [string] |
 | test.cpp:90:5:90:34 | ... = ... | semmle.label | ... = ... |
 | test.cpp:90:10:90:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
@@ -113,44 +81,32 @@ nodes
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | semmle.label | call to mk_string_t_plus_one indirection [string] |
 | test.cpp:99:13:99:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:99:18:99:23 | string | semmle.label | string |
 | test.cpp:99:18:99:23 | string indirection | semmle.label | string indirection |
 | test.cpp:129:17:129:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:129:22:129:27 | string | semmle.label | string |
 | test.cpp:129:22:129:27 | string indirection | semmle.label | string indirection |
 | test.cpp:137:17:137:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:137:22:137:27 | string | semmle.label | string |
 | test.cpp:137:22:137:27 | string indirection | semmle.label | string indirection |
 | test.cpp:147:5:147:34 | ... = ... | semmle.label | ... = ... |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
 | test.cpp:147:19:147:24 | call to malloc | semmle.label | call to malloc |
 | test.cpp:148:5:148:7 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:152:13:152:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:152:18:152:23 | string | semmle.label | string |
 | test.cpp:152:18:152:23 | string indirection | semmle.label | string indirection |
 | test.cpp:154:13:154:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:154:18:154:23 | string | semmle.label | string |
 | test.cpp:154:18:154:23 | string indirection | semmle.label | string indirection |
 | test.cpp:156:13:156:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:156:18:156:23 | string | semmle.label | string |
 | test.cpp:156:18:156:23 | string indirection | semmle.label | string indirection |
 | test.cpp:175:17:175:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:175:22:175:27 | string | semmle.label | string |
 | test.cpp:175:22:175:27 | string indirection | semmle.label | string indirection |
 | test.cpp:187:17:187:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:187:22:187:27 | string | semmle.label | string |
 | test.cpp:187:22:187:27 | string indirection | semmle.label | string indirection |
 | test.cpp:195:17:195:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:195:22:195:27 | string | semmle.label | string |
 | test.cpp:195:22:195:27 | string indirection | semmle.label | string indirection |
 | test.cpp:199:17:199:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:199:22:199:27 | string | semmle.label | string |
 | test.cpp:199:22:199:27 | string indirection | semmle.label | string indirection |
 | test.cpp:203:17:203:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:203:22:203:27 | string | semmle.label | string |
 | test.cpp:203:22:203:27 | string indirection | semmle.label | string indirection |
 | test.cpp:207:17:207:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:207:22:207:27 | string | semmle.label | string |
 | test.cpp:207:22:207:27 | string indirection | semmle.label | string indirection |
 | test.cpp:214:24:214:24 | p | semmle.label | p |
 | test.cpp:216:10:216:10 | p | semmle.label | p |
 | test.cpp:220:43:220:48 | call to malloc | semmle.label | call to malloc |
@@ -165,7 +121,6 @@ nodes
 | test.cpp:242:22:242:27 | buffer | semmle.label | buffer |
 | test.cpp:243:12:243:14 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:243:12:243:21 | string | semmle.label | string |
 | test.cpp:243:16:243:21 | string indirection | semmle.label | string indirection |
 | test.cpp:249:20:249:27 | call to my_alloc | semmle.label | call to my_alloc |
 | test.cpp:250:12:250:12 | p | semmle.label | p |
 | test.cpp:256:17:256:22 | call to malloc | semmle.label | call to malloc |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected
@@ -2,16 +2,13 @@ edges
 | main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv indirection |
 | main.cpp:7:33:7:36 | argv indirection | overflowdestination.cpp:23:45:23:48 | argv indirection |
 | overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
 | overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
 | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src indirection |
 | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:9:53:12 | memcpy output argument |
 | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src indirection |
 | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src indirection |
 | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
 | overflowdestination.cpp:53:9:53:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
 | overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
 | overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 indirection |
 | overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 indirection |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src indirection |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
 | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
@@ -23,17 +20,14 @@ nodes
 | main.cpp:7:33:7:36 | argv indirection | semmle.label | argv indirection |
 | overflowdestination.cpp:23:45:23:48 | argv indirection | semmle.label | argv indirection |
 | overflowdestination.cpp:30:17:30:20 | arg1 indirection | semmle.label | arg1 indirection |
 | overflowdestination.cpp:30:17:30:20 | arg1 indirection | semmle.label | arg1 indirection |
 | overflowdestination.cpp:43:8:43:10 | fgets output argument | semmle.label | fgets output argument |
 | overflowdestination.cpp:46:15:46:17 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:50:52:50:54 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:53:9:53:12 | memcpy output argument | semmle.label | memcpy output argument |
 | overflowdestination.cpp:53:15:53:17 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:53:15:53:17 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:54:9:54:12 | memcpy output argument | semmle.label | memcpy output argument |
 | overflowdestination.cpp:57:52:57:54 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:64:16:64:19 | src2 indirection | semmle.label | src2 indirection |
 | overflowdestination.cpp:64:16:64:19 | src2 indirection | semmle.label | src2 indirection |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | semmle.label | fgets output argument |
 | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | semmle.label | overflowdest_test2 output argument |
 | overflowdestination.cpp:75:30:75:32 | src indirection | semmle.label | src indirection |
@@ -43,9 +37,6 @@ subpaths
 | overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
 #select
 | overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
 | overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
 | overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
 | overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
 | overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
 | overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | src2 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
 | overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | src2 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
@@ -1,13 +1,10 @@
 edges
 | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
 | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
 nodes
 | test2.cpp:110:3:110:6 | call to gets indirection | semmle.label | call to gets indirection |
 | test.cpp:53:27:53:30 | argv indirection | semmle.label | argv indirection |
 | test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
 | test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
 subpaths
 #select
 | test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets indirection | test2.cpp:110:3:110:6 | call to gets indirection | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | call to gets indirection | user input (string read by gets) |
 | test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
@@ -1,6 +1,5 @@
 edges
 | test.cpp:11:26:11:28 | url indirection | test.cpp:15:30:15:32 | url indirection |
 | test.cpp:11:26:11:28 | url indirection | test.cpp:15:30:15:32 | url indirection |
 | test.cpp:24:13:24:17 | url_g indirection | test.cpp:38:11:38:15 | url_g indirection |
 | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:24:13:24:17 | url_g indirection |
 | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:24:13:24:17 | url_g indirection |
@@ -23,7 +22,6 @@ edges
 nodes
 | test.cpp:11:26:11:28 | url indirection | semmle.label | url indirection |
 | test.cpp:15:30:15:32 | url indirection | semmle.label | url indirection |
 | test.cpp:15:30:15:32 | url indirection | semmle.label | url indirection |
 | test.cpp:24:13:24:17 | url_g indirection | semmle.label | url_g indirection |
 | test.cpp:24:21:24:40 | http://example.com indirection | semmle.label | http://example.com indirection |
 | test.cpp:24:21:24:40 | http://example.com indirection | semmle.label | http://example.com indirection |
@@ -47,27 +45,14 @@ subpaths
 #select
 | test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree.expected
@@ -11,6 +11,9 @@ edges
 | test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data |
 | test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data |
 | test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data |
 | test.cpp:164:9:164:9 | c | test.cpp:165:2:165:2 | c |
 | test.cpp:164:9:164:9 | c | test.cpp:166:3:166:4 | * ... |
 | test.cpp:164:9:164:9 | c | test.cpp:166:4:166:4 | c |
 | test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data |
 | test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data |
 | test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data |
@@ -19,6 +22,7 @@ edges
 | test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data |
 | test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data |
 | test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data |
 | test.cpp:216:9:216:9 | x | test.cpp:217:6:217:6 | x |
 nodes
 | test.cpp:39:7:39:10 | data | semmle.label | data |
 | test.cpp:39:7:39:10 | data | semmle.label | data |
@@ -38,6 +42,10 @@ nodes
 | test.cpp:138:7:138:10 | data | semmle.label | data |
 | test.cpp:138:7:138:10 | data | semmle.label | data |
 | test.cpp:141:6:141:9 | data | semmle.label | data |
 | test.cpp:164:9:164:9 | c | semmle.label | c |
 | test.cpp:165:2:165:2 | c | semmle.label | c |
 | test.cpp:166:3:166:4 | * ... | semmle.label | * ... |
 | test.cpp:166:4:166:4 | c | semmle.label | c |
 | test.cpp:181:7:181:10 | data | semmle.label | data |
 | test.cpp:181:7:181:10 | data | semmle.label | data |
 | test.cpp:186:6:186:9 | data | semmle.label | data |
@@ -50,6 +58,8 @@ nodes
 | test.cpp:207:8:207:11 | data | semmle.label | data |
 | test.cpp:209:6:209:9 | data | semmle.label | data |
 | test.cpp:209:6:209:9 | data | semmle.label | data |
 | test.cpp:216:9:216:9 | x | semmle.label | x |
 | test.cpp:217:6:217:6 | x | semmle.label | x |
 subpaths
 #select
 | test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | data | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free |
@@ -64,6 +74,9 @@ subpaths
 | test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | data | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free |
 | test.cpp:141:6:141:9 | data | test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data | Memory may have been previously freed by $@. | test.cpp:138:2:138:5 | call to free | call to free |
 | test.cpp:141:6:141:9 | data | test.cpp:138:7:138:10 | data | test.cpp:141:6:141:9 | data | Memory may have been previously freed by $@. | test.cpp:138:2:138:5 | call to free | call to free |
 | test.cpp:165:2:165:2 | c | test.cpp:164:9:164:9 | c | test.cpp:165:2:165:2 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete |
 | test.cpp:166:3:166:4 | * ... | test.cpp:164:9:164:9 | c | test.cpp:166:3:166:4 | * ... | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete |
 | test.cpp:166:4:166:4 | c | test.cpp:164:9:164:9 | c | test.cpp:166:4:166:4 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete |
 | test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. | test.cpp:181:2:181:5 | call to free | call to free |
 | test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | data | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. | test.cpp:181:2:181:5 | call to free | call to free |
 | test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | data | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. | test.cpp:192:2:192:5 | call to free | call to free |
@@ -72,3 +85,4 @@ subpaths
 | test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free |
 | test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free |
 | test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | data | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free |
 | test.cpp:217:6:217:6 | x | test.cpp:216:9:216:9 | x | test.cpp:217:6:217:6 | x | Memory may have been previously freed by $@. | test.cpp:216:2:216:9 | delete | delete |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
@@ -1,6 +1,5 @@
 edges
 | tests2.cpp:50:13:50:19 | global1 indirection | tests2.cpp:82:14:82:20 | global1 indirection |
 | tests2.cpp:50:13:50:19 | global1 indirection | tests2.cpp:82:14:82:20 | global1 indirection |
 | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:50:13:50:19 | global1 indirection |
 | tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:26 | call to getenv indirection |
 | tests2.cpp:64:13:64:18 | call to getenv indirection | tests2.cpp:64:13:64:26 | call to getenv indirection |
@@ -8,29 +7,24 @@ edges
 | tests2.cpp:66:13:66:18 | call to getenv indirection | tests2.cpp:66:13:66:34 | call to getenv indirection |
 | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | tests2.cpp:81:14:81:19 | buffer indirection |
 | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection |
 | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection |
 | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection |
 | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection |
 | tests2.cpp:109:3:109:36 | ... = ... indirection | tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr indirection] |
 | tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr indirection] | tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] |
 | tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:109:3:109:36 | ... = ... indirection |
 | tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | tests2.cpp:111:14:111:19 | ptr indirection |
 | tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | tests2.cpp:111:17:111:19 | ptr indirection |
 | tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | tests2.cpp:111:17:111:19 | ptr indirection |
 | tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:14:111:19 | ptr indirection |
 | tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:17:111:19 | ptr indirection |
 | tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:17:111:19 | ptr indirection |
 | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection |
 | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection |
 | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection |
 | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection |
 | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection |
 | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection |
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection |
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection |
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection |
 nodes
@@ -52,13 +46,10 @@ nodes
 | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | semmle.label | call to mysql_get_client_info indirection |
 | tests2.cpp:81:14:81:19 | buffer indirection | semmle.label | buffer indirection |
 | tests2.cpp:82:14:82:20 | global1 indirection | semmle.label | global1 indirection |
 | tests2.cpp:82:14:82:20 | global1 indirection | semmle.label | global1 indirection |
 | tests2.cpp:91:42:91:45 | str1 indirection | semmle.label | str1 indirection |
 | tests2.cpp:93:14:93:17 | str1 indirection | semmle.label | str1 indirection |
 | tests2.cpp:93:14:93:17 | str1 indirection | semmle.label | str1 indirection |
 | tests2.cpp:101:8:101:15 | call to getpwuid indirection | semmle.label | call to getpwuid indirection |
 | tests2.cpp:102:14:102:15 | pw indirection | semmle.label | pw indirection |
 | tests2.cpp:102:14:102:15 | pw indirection | semmle.label | pw indirection |
 | tests2.cpp:109:3:109:36 | ... = ... indirection | semmle.label | ... = ... indirection |
 | tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr indirection] | semmle.label | c1 indirection [post update] [ptr indirection] |
 | tests2.cpp:109:12:109:17 | call to getenv indirection | semmle.label | call to getenv indirection |
@@ -69,21 +60,16 @@ nodes
 | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests_sockets.cpp:39:19:39:22 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:39:19:39:22 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:39:19:39:22 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:43:20:43:23 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:43:20:43:23 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:43:20:43:23 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | semmle.label | path indirection |
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | semmle.label | confstr output argument |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
 subpaths
 #select
 | tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv indirection | call to getenv indirection |
@@ -97,25 +83,17 @@ subpaths
 | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
 | tests2.cpp:81:14:81:19 | buffer indirection | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | tests2.cpp:81:14:81:19 | buffer indirection | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
 | tests2.cpp:82:14:82:20 | global1 indirection | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:82:14:82:20 | global1 indirection | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
 | tests2.cpp:82:14:82:20 | global1 indirection | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:82:14:82:20 | global1 indirection | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
 | tests2.cpp:93:14:93:17 | str1 indirection | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | str1 indirection | str1 indirection |
 | tests2.cpp:93:14:93:17 | str1 indirection | tests2.cpp:91:42:91:45 | str1 indirection | tests2.cpp:93:14:93:17 | str1 indirection | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | str1 indirection | str1 indirection |
 | tests2.cpp:102:14:102:15 | pw indirection | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | call to getpwuid indirection | call to getpwuid indirection |
 | tests2.cpp:102:14:102:15 | pw indirection | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | call to getpwuid indirection | call to getpwuid indirection |
 | tests2.cpp:111:14:111:19 | ptr indirection | tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:111:14:111:19 | ptr indirection | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | call to getenv indirection | call to getenv indirection |
 | tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:111:17:111:19 | ptr indirection | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:39:19:39:22 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:39:19:39:22 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:39:19:39:22 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:43:20:43:23 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:43:20:43:23 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:43:20:43:23 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected
@@ -6,20 +6,15 @@ edges
 | tests.cpp:58:41:58:46 | call to getenv indirection | tests.cpp:58:41:58:62 | call to getenv indirection |
 | tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:64 | call to getenv indirection |
 | tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:71:27:71:38 | global_token indirection |
 | tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:71:27:71:38 | global_token indirection |
 | tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:73:27:73:31 | maybe indirection |
 | tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:73:27:73:31 | maybe indirection |
 | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:62:7:62:18 | global_token indirection |
 | tests.cpp:86:29:86:31 | msg indirection | tests.cpp:88:15:88:17 | msg indirection |
 | tests.cpp:86:29:86:31 | msg indirection | tests.cpp:88:15:88:17 | msg indirection |
 | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection |
 | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection |
 | tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:86:29:86:31 | msg indirection |
 | tests.cpp:107:30:107:32 | msg indirection | tests.cpp:111:15:111:17 | tmp indirection |
 | tests.cpp:107:30:107:32 | msg indirection | tests.cpp:111:15:111:17 | tmp indirection |
 | tests.cpp:114:30:114:32 | msg indirection | tests.cpp:119:7:119:12 | buffer indirection |
 | tests.cpp:122:30:122:32 | msg indirection | tests.cpp:124:15:124:17 | msg indirection |
 | tests.cpp:122:30:122:32 | msg indirection | tests.cpp:124:15:124:17 | msg indirection |
 | tests.cpp:131:14:131:19 | call to getenv indirection | tests.cpp:131:14:131:35 | call to getenv indirection |
 | tests.cpp:131:14:131:35 | call to getenv indirection | tests.cpp:107:30:107:32 | msg indirection |
 | tests.cpp:132:14:132:19 | call to getenv indirection | tests.cpp:132:14:132:35 | call to getenv indirection |
@@ -28,8 +23,6 @@ edges
 | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection |
 | tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:122:30:122:32 | msg indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection |
 nodes
 | tests.cpp:48:15:48:20 | call to getenv indirection | semmle.label | call to getenv indirection |
@@ -53,24 +46,19 @@ nodes
 | tests.cpp:62:7:62:18 | global_token indirection | semmle.label | global_token indirection |
 | tests.cpp:62:22:62:27 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:71:27:71:38 | global_token indirection | semmle.label | global_token indirection |
 | tests.cpp:71:27:71:38 | global_token indirection | semmle.label | global_token indirection |
 | tests.cpp:73:27:73:31 | maybe indirection | semmle.label | maybe indirection |
 | tests.cpp:73:27:73:31 | maybe indirection | semmle.label | maybe indirection |
 | tests.cpp:86:29:86:31 | msg indirection | semmle.label | msg indirection |
 | tests.cpp:88:15:88:17 | msg indirection | semmle.label | msg indirection |
 | tests.cpp:88:15:88:17 | msg indirection | semmle.label | msg indirection |
 | tests.cpp:97:13:97:18 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:97:13:97:18 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:97:13:97:34 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:97:13:97:34 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:107:30:107:32 | msg indirection | semmle.label | msg indirection |
 | tests.cpp:111:15:111:17 | tmp indirection | semmle.label | tmp indirection |
 | tests.cpp:111:15:111:17 | tmp indirection | semmle.label | tmp indirection |
 | tests.cpp:114:30:114:32 | msg indirection | semmle.label | msg indirection |
 | tests.cpp:119:7:119:12 | buffer indirection | semmle.label | buffer indirection |
 | tests.cpp:122:30:122:32 | msg indirection | semmle.label | msg indirection |
 | tests.cpp:124:15:124:17 | msg indirection | semmle.label | msg indirection |
 | tests.cpp:124:15:124:17 | msg indirection | semmle.label | msg indirection |
 | tests.cpp:131:14:131:19 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:131:14:131:35 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:132:14:132:19 | call to getenv indirection | semmle.label | call to getenv indirection |
@@ -81,8 +69,6 @@ nodes
 | tests.cpp:133:14:133:35 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | semmle.label | call to getpwnam indirection |
 | tests_passwd.cpp:18:29:18:31 | pwd indirection | semmle.label | pwd indirection |
 | tests_passwd.cpp:18:29:18:31 | pwd indirection | semmle.label | pwd indirection |
 | tests_passwd.cpp:19:26:19:28 | pwd indirection | semmle.label | pwd indirection |
 | tests_passwd.cpp:19:26:19:28 | pwd indirection | semmle.label | pwd indirection |
 subpaths
 #select
@@ -99,21 +85,14 @@ subpaths
 | tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:59:43:59:64 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:64 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:71:27:71:38 | global_token indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:71:27:71:38 | global_token indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:71:27:71:38 | global_token indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:71:27:71:38 | global_token indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:73:27:73:31 | maybe indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:73:27:73:31 | maybe indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:73:27:73:31 | maybe indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:73:27:73:31 | maybe indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:88:15:88:17 | msg indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:88:15:88:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:88:15:88:17 | msg indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:88:15:88:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:111:15:111:17 | tmp indirection | tests.cpp:131:14:131:19 | call to getenv indirection | tests.cpp:111:15:111:17 | tmp indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:19 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:111:15:111:17 | tmp indirection | tests.cpp:131:14:131:19 | call to getenv indirection | tests.cpp:111:15:111:17 | tmp indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:19 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:119:7:119:12 | buffer indirection | tests.cpp:132:14:132:19 | call to getenv indirection | tests.cpp:119:7:119:12 | buffer indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:19 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:124:15:124:17 | msg indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:124:15:124:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:124:15:124:17 | msg indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:124:15:124:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
 | tests_passwd.cpp:18:29:18:31 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |
 | tests_passwd.cpp:18:29:18:31 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |
 | tests_passwd.cpp:19:26:19:28 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |
 | tests_passwd.cpp:19:26:19:28 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected
@@ -1,38 +1,25 @@
 edges
 | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | p indirection |
 | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | p indirection |
 | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | p indirection |
 | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | p indirection |
 | tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | p indirection |
 | tests3.cpp:23:21:23:53 | call to createXMLReader indirection | tests3.cpp:25:2:25:2 | p indirection |
 | tests3.cpp:23:21:23:53 | call to createXMLReader indirection | tests3.cpp:25:2:25:2 | p indirection |
 | tests3.cpp:35:16:35:20 | p_3_3 indirection | tests3.cpp:38:2:38:6 | p_3_3 indirection |
 | tests3.cpp:35:16:35:20 | p_3_3 indirection | tests3.cpp:38:2:38:6 | p_3_3 indirection |
 | tests3.cpp:35:24:35:56 | call to createXMLReader indirection | tests3.cpp:35:16:35:20 | p_3_3 indirection |
 | tests3.cpp:48:16:48:20 | p_3_5 indirection | tests3.cpp:56:2:56:6 | p_3_5 indirection |
 | tests3.cpp:48:16:48:20 | p_3_5 indirection | tests3.cpp:56:2:56:6 | p_3_5 indirection |
 | tests3.cpp:48:24:48:56 | call to createXMLReader indirection | tests3.cpp:48:16:48:20 | p_3_5 indirection |
 | tests3.cpp:60:21:60:53 | call to createXMLReader indirection | tests3.cpp:63:2:63:2 | p indirection |
 | tests3.cpp:60:21:60:53 | call to createXMLReader indirection | tests3.cpp:63:2:63:2 | p indirection |
 | tests3.cpp:67:21:67:53 | call to createXMLReader indirection | tests3.cpp:70:2:70:2 | p indirection |
 | tests3.cpp:67:21:67:53 | call to createXMLReader indirection | tests3.cpp:70:2:70:2 | p indirection |
 | tests5.cpp:27:25:27:38 | call to createLSParser indirection | tests5.cpp:29:2:29:2 | p indirection |
 | tests5.cpp:27:25:27:38 | call to createLSParser indirection | tests5.cpp:29:2:29:2 | p indirection |
 | tests5.cpp:40:25:40:38 | call to createLSParser indirection | tests5.cpp:43:2:43:2 | p indirection |
 | tests5.cpp:40:25:40:38 | call to createLSParser indirection | tests5.cpp:43:2:43:2 | p indirection |
 | tests5.cpp:55:25:55:38 | call to createLSParser indirection | tests5.cpp:59:2:59:2 | p indirection |
 | tests5.cpp:55:25:55:38 | call to createLSParser indirection | tests5.cpp:59:2:59:2 | p indirection |
 | tests5.cpp:63:21:63:24 | g_p2 indirection | tests5.cpp:77:2:77:5 | g_p2 indirection |
 | tests5.cpp:63:21:63:24 | g_p2 indirection | tests5.cpp:77:2:77:5 | g_p2 indirection |
 | tests5.cpp:70:17:70:30 | call to createLSParser indirection | tests5.cpp:63:21:63:24 | g_p2 indirection |
 | tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:83:2:83:2 | p indirection |
 | tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:83:2:83:2 | p indirection |
 | tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:83:2:83:2 | p indirection |
 | tests5.cpp:83:2:83:2 | p indirection | tests5.cpp:85:2:85:2 | p indirection |
 | tests5.cpp:85:2:85:2 | p indirection | tests5.cpp:86:2:86:2 | p indirection |
 | tests5.cpp:86:2:86:2 | p indirection | tests5.cpp:88:2:88:2 | p indirection |
 | tests5.cpp:88:2:88:2 | p indirection | tests5.cpp:89:2:89:2 | p indirection |
 | tests5.cpp:88:2:88:2 | p indirection | tests5.cpp:89:2:89:2 | p indirection |
 | tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | p indirection |
 | tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | p indirection |
 | tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:35:23:35:43 | new indirection |
@@ -63,29 +50,22 @@ edges
 nodes
 | tests2.cpp:20:17:20:31 | call to SAXParser | semmle.label | call to SAXParser |
 | tests2.cpp:22:2:22:2 | p indirection | semmle.label | p indirection |
 | tests2.cpp:22:2:22:2 | p indirection | semmle.label | p indirection |
 | tests2.cpp:33:17:33:31 | call to SAXParser | semmle.label | call to SAXParser |
 | tests2.cpp:37:2:37:2 | p indirection | semmle.label | p indirection |
 | tests2.cpp:37:2:37:2 | p indirection | semmle.label | p indirection |
 | tests2.cpp:49:12:49:12 | call to SAXParser | semmle.label | call to SAXParser |
 | tests2.cpp:51:2:51:2 | p indirection | semmle.label | p indirection |
 | tests3.cpp:23:21:23:53 | call to createXMLReader indirection | semmle.label | call to createXMLReader indirection |
 | tests3.cpp:25:2:25:2 | p indirection | semmle.label | p indirection |
 | tests3.cpp:25:2:25:2 | p indirection | semmle.label | p indirection |
 | tests3.cpp:35:16:35:20 | p_3_3 indirection | semmle.label | p_3_3 indirection |
 | tests3.cpp:35:24:35:56 | call to createXMLReader indirection | semmle.label | call to createXMLReader indirection |
 | tests3.cpp:38:2:38:6 | p_3_3 indirection | semmle.label | p_3_3 indirection |
 | tests3.cpp:38:2:38:6 | p_3_3 indirection | semmle.label | p_3_3 indirection |
 | tests3.cpp:48:16:48:20 | p_3_5 indirection | semmle.label | p_3_5 indirection |
 | tests3.cpp:48:24:48:56 | call to createXMLReader indirection | semmle.label | call to createXMLReader indirection |
 | tests3.cpp:56:2:56:6 | p_3_5 indirection | semmle.label | p_3_5 indirection |
 | tests3.cpp:56:2:56:6 | p_3_5 indirection | semmle.label | p_3_5 indirection |
 | tests3.cpp:60:21:60:53 | call to createXMLReader indirection | semmle.label | call to createXMLReader indirection |
 | tests3.cpp:63:2:63:2 | p indirection | semmle.label | p indirection |
 | tests3.cpp:63:2:63:2 | p indirection | semmle.label | p indirection |
 | tests3.cpp:67:21:67:53 | call to createXMLReader indirection | semmle.label | call to createXMLReader indirection |
 | tests3.cpp:70:2:70:2 | p indirection | semmle.label | p indirection |
 | tests3.cpp:70:2:70:2 | p indirection | semmle.label | p indirection |
 | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | semmle.label | XML_PARSE_NOENT |
 | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | semmle.label | XML_PARSE_DTDLOAD |
 | tests4.cpp:46:34:46:68 | ... \| ... | semmle.label | ... \| ... |
@@ -93,26 +73,20 @@ nodes
 | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | semmle.label | XML_PARSE_DTDLOAD |
 | tests5.cpp:27:25:27:38 | call to createLSParser indirection | semmle.label | call to createLSParser indirection |
 | tests5.cpp:29:2:29:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:29:2:29:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:40:25:40:38 | call to createLSParser indirection | semmle.label | call to createLSParser indirection |
 | tests5.cpp:43:2:43:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:43:2:43:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:55:25:55:38 | call to createLSParser indirection | semmle.label | call to createLSParser indirection |
 | tests5.cpp:59:2:59:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:59:2:59:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:63:21:63:24 | g_p2 indirection | semmle.label | g_p2 indirection |
 | tests5.cpp:70:17:70:30 | call to createLSParser indirection | semmle.label | call to createLSParser indirection |
 | tests5.cpp:77:2:77:5 | g_p2 indirection | semmle.label | g_p2 indirection |
 | tests5.cpp:77:2:77:5 | g_p2 indirection | semmle.label | g_p2 indirection |
 | tests5.cpp:81:25:81:38 | call to createLSParser indirection | semmle.label | call to createLSParser indirection |
 | tests5.cpp:83:2:83:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:83:2:83:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:83:2:83:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:85:2:85:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:86:2:86:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:88:2:88:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:89:2:89:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:89:2:89:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:15:23:15:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
 | tests.cpp:17:2:17:2 | p indirection | semmle.label | p indirection |
 | tests.cpp:28:23:28:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
@@ -152,19 +126,12 @@ nodes
 subpaths
 #select
 | tests2.cpp:22:2:22:2 | p indirection | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser |
 | tests2.cpp:22:2:22:2 | p indirection | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser |
 | tests2.cpp:37:2:37:2 | p indirection | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | call to SAXParser | XML parser |
 | tests2.cpp:37:2:37:2 | p indirection | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | call to SAXParser | XML parser |
 | tests2.cpp:51:2:51:2 | p indirection | tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:49:12:49:12 | call to SAXParser | XML parser |
 | tests3.cpp:25:2:25:2 | p indirection | tests3.cpp:23:21:23:53 | call to createXMLReader indirection | tests3.cpp:25:2:25:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | call to createXMLReader indirection | XML parser |
 | tests3.cpp:25:2:25:2 | p indirection | tests3.cpp:23:21:23:53 | call to createXMLReader indirection | tests3.cpp:25:2:25:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | call to createXMLReader indirection | XML parser |
 | tests3.cpp:38:2:38:6 | p_3_3 indirection | tests3.cpp:35:24:35:56 | call to createXMLReader indirection | tests3.cpp:38:2:38:6 | p_3_3 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:35:24:35:56 | call to createXMLReader indirection | XML parser |
 | tests3.cpp:38:2:38:6 | p_3_3 indirection | tests3.cpp:35:24:35:56 | call to createXMLReader indirection | tests3.cpp:38:2:38:6 | p_3_3 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:35:24:35:56 | call to createXMLReader indirection | XML parser |
 | tests3.cpp:56:2:56:6 | p_3_5 indirection | tests3.cpp:48:24:48:56 | call to createXMLReader indirection | tests3.cpp:56:2:56:6 | p_3_5 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:48:24:48:56 | call to createXMLReader indirection | XML parser |
 | tests3.cpp:56:2:56:6 | p_3_5 indirection | tests3.cpp:48:24:48:56 | call to createXMLReader indirection | tests3.cpp:56:2:56:6 | p_3_5 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:48:24:48:56 | call to createXMLReader indirection | XML parser |
 | tests3.cpp:63:2:63:2 | p indirection | tests3.cpp:60:21:60:53 | call to createXMLReader indirection | tests3.cpp:63:2:63:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:60:21:60:53 | call to createXMLReader indirection | XML parser |
 | tests3.cpp:63:2:63:2 | p indirection | tests3.cpp:60:21:60:53 | call to createXMLReader indirection | tests3.cpp:63:2:63:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:60:21:60:53 | call to createXMLReader indirection | XML parser |
 | tests3.cpp:70:2:70:2 | p indirection | tests3.cpp:67:21:67:53 | call to createXMLReader indirection | tests3.cpp:70:2:70:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:67:21:67:53 | call to createXMLReader indirection | XML parser |
 | tests3.cpp:70:2:70:2 | p indirection | tests3.cpp:67:21:67:53 | call to createXMLReader indirection | tests3.cpp:70:2:70:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:67:21:67:53 | call to createXMLReader indirection | XML parser |
 | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | XML parser |
 | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | XML parser |
@@ -172,16 +139,10 @@ subpaths
 | tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:77:34:77:38 | flags | XML parser |
 | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | XML parser |
 | tests5.cpp:29:2:29:2 | p indirection | tests5.cpp:27:25:27:38 | call to createLSParser indirection | tests5.cpp:29:2:29:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:27:25:27:38 | call to createLSParser indirection | XML parser |
 | tests5.cpp:29:2:29:2 | p indirection | tests5.cpp:27:25:27:38 | call to createLSParser indirection | tests5.cpp:29:2:29:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:27:25:27:38 | call to createLSParser indirection | XML parser |
 | tests5.cpp:43:2:43:2 | p indirection | tests5.cpp:40:25:40:38 | call to createLSParser indirection | tests5.cpp:43:2:43:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:40:25:40:38 | call to createLSParser indirection | XML parser |
 | tests5.cpp:43:2:43:2 | p indirection | tests5.cpp:40:25:40:38 | call to createLSParser indirection | tests5.cpp:43:2:43:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:40:25:40:38 | call to createLSParser indirection | XML parser |
 | tests5.cpp:59:2:59:2 | p indirection | tests5.cpp:55:25:55:38 | call to createLSParser indirection | tests5.cpp:59:2:59:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:55:25:55:38 | call to createLSParser indirection | XML parser |
 | tests5.cpp:59:2:59:2 | p indirection | tests5.cpp:55:25:55:38 | call to createLSParser indirection | tests5.cpp:59:2:59:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:55:25:55:38 | call to createLSParser indirection | XML parser |
 | tests5.cpp:77:2:77:5 | g_p2 indirection | tests5.cpp:70:17:70:30 | call to createLSParser indirection | tests5.cpp:77:2:77:5 | g_p2 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | call to createLSParser indirection | XML parser |
 | tests5.cpp:77:2:77:5 | g_p2 indirection | tests5.cpp:70:17:70:30 | call to createLSParser indirection | tests5.cpp:77:2:77:5 | g_p2 indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | call to createLSParser indirection | XML parser |
 | tests5.cpp:83:2:83:2 | p indirection | tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:83:2:83:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser indirection | XML parser |
 | tests5.cpp:83:2:83:2 | p indirection | tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:83:2:83:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser indirection | XML parser |
 | tests5.cpp:89:2:89:2 | p indirection | tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:89:2:89:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser indirection | XML parser |
 | tests5.cpp:89:2:89:2 | p indirection | tests5.cpp:81:25:81:38 | call to createLSParser indirection | tests5.cpp:89:2:89:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser indirection | XML parser |
 | tests.cpp:17:2:17:2 | p indirection | tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:15:23:15:43 | call to XercesDOMParser | XML parser |
 | tests.cpp:31:2:31:2 | p indirection | tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:28:23:28:43 | call to XercesDOMParser | XML parser |
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/Semmle.Autobuild.CSharp.Tests.csproj
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/Semmle.Autobuild.CSharp.Tests.csproj
@@ -8,12 +8,12 @@
 	<ItemGroup>
 		<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
 		<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
-		<PackageReference Include="xunit" Version="2.5.0" />
+		<PackageReference Include="xunit" Version="2.4.2" />
-		<PackageReference Include="xunit.runner.visualstudio" Version="2.5.0">
+		<PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
 			<PrivateAssets>all</PrivateAssets>
 			<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
 		</PackageReference>
-		<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
+		<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
 	</ItemGroup>
 	<ItemGroup>
 		<ProjectReference Include="..\Semmle.Autobuild.CSharp\Semmle.Autobuild.CSharp.csproj" />
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp/Semmle.Autobuild.CSharp.csproj
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp/Semmle.Autobuild.CSharp.csproj
@@ -14,8 +14,8 @@
 		<Folder Include="Properties\" />
 	</ItemGroup>
 	<ItemGroup>
-		<PackageReference Include="Microsoft.Build" Version="17.7.2" />
+		<PackageReference Include="Microsoft.Build" Version="17.3.2" />
-		<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
+		<PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
 	</ItemGroup>
 	<ItemGroup>
 		<ProjectReference Include="..\..\extractor\Semmle.Util\Semmle.Util.csproj" />
--- a/csharp/autobuilder/Semmle.Autobuild.Shared/Semmle.Autobuild.Shared.csproj
+++ b/csharp/autobuilder/Semmle.Autobuild.Shared/Semmle.Autobuild.Shared.csproj
@@ -11,7 +11,7 @@
 		<Folder Include="Properties\" />
 	</ItemGroup>
 	<ItemGroup>
-		<PackageReference Include="Microsoft.Build" Version="17.7.2" />
+		<PackageReference Include="Microsoft.Build" Version="17.3.2" />
 	</ItemGroup>
 	<ItemGroup>
 		<ProjectReference Include="..\..\extractor\Semmle.Util\Semmle.Util.csproj" />
--- a/csharp/extractor/Semmle.Extraction.CIL/Semmle.Extraction.CIL.csproj
+++ b/csharp/extractor/Semmle.Extraction.CIL/Semmle.Extraction.CIL.csproj
@@ -24,7 +24,7 @@
  </ItemGroup>
  <ItemGroup>
-    <PackageReference Include="Microsoft.DiaSymReader" Version="2.0.0" />
+    <PackageReference Include="Microsoft.DiaSymReader" Version="1.4.0" />
    <PackageReference Include="Microsoft.DiaSymReader.Native" Version="1.7.0" />
    <PackageReference Include="Microsoft.DiaSymReader.PortablePdb" Version="1.6.0"><IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
 <PrivateAssets>all</PrivateAssets>
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
@@ -85,11 +85,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                }
            }
            if (options.UseMscorlib)
            {
                UseReference(typeof(object).Assembly.Location);
            }
            if (options.UseNuGet)
            {
                dllDirNames.Add(packageDirectory.DirInfo.FullName);
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyOptions.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyOptions.cs
@@ -40,11 +40,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
        /// </summary>
        bool ScanNetFrameworkDlls { get; }
        /// <summary>
        /// Whether to use mscorlib as a reference.
        /// </summary>
        bool UseMscorlib { get; }
        /// <summary>
        /// Determine whether the given path should be excluded.
        /// </summary>
@@ -74,8 +69,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
        public bool ScanNetFrameworkDlls { get; set; } = true;
        public bool UseMscorlib { get; set; } = true;
        public bool ExcludesFile(string path) =>
            Excludes.Any(path.Contains);
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotnetVersion.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotnetVersion.cs
@@ -10,16 +10,44 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
        private readonly Version? preReleaseVersion;
        private readonly string? preReleaseVersionType;
        private bool IsPreRelease => preReleaseVersionType is not null && preReleaseVersion is not null;
-        public string FullPath
+
        private string FullVersion
        {
            get
            {
                var preRelease = IsPreRelease ? $"-{preReleaseVersionType}.{preReleaseVersion}" : "";
-                var version = this.version + preRelease;
+                return this.version + preRelease;
                return Path.Combine(dir, version);
            }
        }
        public string FullPath => Path.Combine(dir, FullVersion);
        /**
         * The full path to the reference assemblies for this runtime.
         * This is the same as FullPath, except that we assume that the
         * reference assemblies are in a directory called "packs" and
         * the reference assemblies themselves are in a directory called
         * "<Framework>.Ref/ref".
         * Example:
         *  FullPath: /usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.2
         *  FullPathReferenceAssemblies: /usr/share/dotnet/packs/Microsoft.NETCore.App.Ref/7.0.2/ref
         */
        public string? FullPathReferenceAssemblies
        {
            get
            {
                var directories = dir.Split(Path.DirectorySeparatorChar);
                if (directories.Length >= 2)
                {
                    directories[^2] = "packs";
                    directories[^1] = $"{directories[^1]}.Ref";
                    return Path.Combine(string.Join(Path.DirectorySeparatorChar, directories), FullVersion, "ref");
                }
                return null;
            }
        }
        public DotnetVersion(string dir, string version, string preReleaseVersionType, string preReleaseVersion)
        {
            this.dir = dir;
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/Runtime.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/Runtime.cs
@@ -94,6 +94,18 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
            }
        }
        private string? GetVersion(string framework)
        {
            if (NewestRuntimes.TryGetValue(framework, out var version))
            {
                var refAssemblies = version.FullPathReferenceAssemblies;
                return Directory.Exists(refAssemblies)
                    ? refAssemblies
                    : version.FullPath;
            }
            return null;
        }
        /// <summary>
        /// Gets the .NET runtime location to use for extraction.
        /// </summary>
@@ -105,9 +117,9 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
            }
            // Location of the newest .NET Core Runtime.
-            if (NewestRuntimes.TryGetValue(netCoreApp, out var netCoreVersion))
+            if (GetVersion(netCoreApp) is string path)
            {
-                return netCoreVersion.FullPath;
+                return path;
            }
            if (DesktopRuntimes.Any())
@@ -122,14 +134,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
        /// <summary>
        /// Gets the ASP.NET runtime location to use for extraction, if one exists.
        /// </summary>
-        public string? GetAspRuntime()
+        public string? GetAspRuntime() => GetVersion(aspNetCoreApp);
        {
            // Location of the newest ASP.NET Core Runtime.
            if (NewestRuntimes.TryGetValue(aspNetCoreApp, out var aspNetCoreVersion))
            {
                return aspNetCoreVersion.FullPath;
            }
            return null;
        }
    }
 }
--- a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Options.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Options.cs
@@ -29,9 +29,6 @@ namespace Semmle.Extraction.CSharp.Standalone
                case "all-references":
                    AnalyseCsProjFiles = !value;
                    return true;
                case "stdlib":
                    dependencies.UseMscorlib = value;
                    return true;
                case "skip-dotnet":
                    dependencies.ScanNetFrameworkDlls = !value;
                    return true;
@@ -110,7 +107,7 @@ namespace Semmle.Extraction.CSharp.Standalone
        /// <summary>
        /// Outputs the command line options to the console.
        /// </summary>
-        public static void ShowHelp(System.IO.TextWriter output)
+        public static void ShowHelp(TextWriter output)
        {
            output.WriteLine("C# standalone extractor\n\nExtracts a C# project in the current directory without performing a build.\n");
            output.WriteLine("Additional options:\n");
@@ -121,7 +118,6 @@ namespace Semmle.Extraction.CSharp.Standalone
            output.WriteLine("    --dry-run        Stop before extraction");
            output.WriteLine("    --skip-nuget     Do not download nuget packages");
            output.WriteLine("    --all-references Use all references (default is to only use references in .csproj files)");
            output.WriteLine("    --nostdlib       Do not link mscorlib.dll (use only for extracting mscorlib itself)");
            output.WriteLine("    --threads:nnn    Specify number of threads (default=CPU cores)");
            output.WriteLine("    --verbose        Produce more output");
            output.WriteLine("    --pdb            Cross-reference information from PDBs where available");
--- a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Semmle.Extraction.CSharp.Standalone.csproj
+++ b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Semmle.Extraction.CSharp.Standalone.csproj
@@ -19,7 +19,7 @@
 		<Folder Include="Properties\" />
 	</ItemGroup>
 	<ItemGroup>
-		<PackageReference Include="Microsoft.Build" Version="17.7.2" />
+		<PackageReference Include="Microsoft.Build" Version="17.3.2" />
 		<PackageReference Include="Microsoft.Win32.Primitives" Version="4.3.0" />
 		<PackageReference Include="System.Net.Primitives" Version="4.3.1" />
 		<PackageReference Include="System.Security.Principal" Version="4.3.0" />
--- a/csharp/extractor/Semmle.Extraction.CSharp/Semmle.Extraction.CSharp.csproj
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Semmle.Extraction.CSharp.csproj
@@ -18,7 +18,7 @@
 		<Folder Include="Properties\" />
 	</ItemGroup>
 	<ItemGroup>
-		<PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.7.0" />
+		<PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.4.0" />
-		<PackageReference Include="Microsoft.Build" Version="17.7.2" />
+		<PackageReference Include="Microsoft.Build" Version="17.3.2" />
 	</ItemGroup>
 </Project>
--- a/csharp/extractor/Semmle.Extraction.Tests/Options.cs
+++ b/csharp/extractor/Semmle.Extraction.Tests/Options.cs
@@ -135,9 +135,8 @@ namespace Semmle.Extraction.Tests
        public void StandaloneDefaults()
        {
            standaloneOptions = CSharp.Standalone.Options.Create(Array.Empty<string>());
-            Assert.Equal(0, standaloneOptions.Dependencies.DllDirs.Count);
+            Assert.Empty(standaloneOptions.Dependencies.DllDirs);
            Assert.True(standaloneOptions.Dependencies.UseNuGet);
            Assert.True(standaloneOptions.Dependencies.UseMscorlib);
            Assert.False(standaloneOptions.SkipExtraction);
            Assert.Null(standaloneOptions.Dependencies.SolutionFile);
            Assert.True(standaloneOptions.Dependencies.ScanNetFrameworkDlls);
@@ -147,12 +146,11 @@ namespace Semmle.Extraction.Tests
        [Fact]
        public void StandaloneOptions()
        {
-            standaloneOptions = CSharp.Standalone.Options.Create(new string[] { "--references:foo", "--silent", "--skip-nuget", "--skip-dotnet", "--exclude", "bar", "--nostdlib" });
+            standaloneOptions = CSharp.Standalone.Options.Create(new string[] { "--references:foo", "--silent", "--skip-nuget", "--skip-dotnet", "--exclude", "bar" });
            Assert.Equal("foo", standaloneOptions.Dependencies.DllDirs[0]);
            Assert.Equal("bar", standaloneOptions.Dependencies.Excludes[0]);
            Assert.Equal(Verbosity.Off, standaloneOptions.Verbosity);
            Assert.False(standaloneOptions.Dependencies.UseNuGet);
            Assert.False(standaloneOptions.Dependencies.UseMscorlib);
            Assert.False(standaloneOptions.Dependencies.ScanNetFrameworkDlls);
            Assert.False(standaloneOptions.Errors);
            Assert.False(standaloneOptions.Help);
--- a/csharp/extractor/Semmle.Extraction.Tests/Semmle.Extraction.Tests.csproj
+++ b/csharp/extractor/Semmle.Extraction.Tests/Semmle.Extraction.Tests.csproj
@@ -8,12 +8,12 @@
 	<ItemGroup>
 		<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
 		<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
-		<PackageReference Include="xunit" Version="2.5.0" />
+		<PackageReference Include="xunit" Version="2.4.2" />
-		<PackageReference Include="xunit.runner.visualstudio" Version="2.5.0">
+		<PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
 			<PrivateAssets>all</PrivateAssets>
 			<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
 		</PackageReference>
-		<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
+		<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
 	</ItemGroup>
 	<ItemGroup>
 		<ProjectReference Include="..\Semmle.Extraction.CSharp.Standalone\Semmle.Extraction.CSharp.Standalone.csproj" />
--- a/csharp/extractor/Semmle.Extraction/Semmle.Extraction.csproj
+++ b/csharp/extractor/Semmle.Extraction/Semmle.Extraction.csproj
@@ -12,9 +12,9 @@
 		<DefineConstants>TRACE;DEBUG;DEBUG_LABELS</DefineConstants>
 	</PropertyGroup>
 	<ItemGroup>
-		<PackageReference Include="Microsoft.Build" Version="17.7.2" />
+		<PackageReference Include="Microsoft.Build" Version="17.3.2" />
-		<PackageReference Include="Microsoft.CodeAnalysis" Version="4.7.0" />
+		<PackageReference Include="Microsoft.CodeAnalysis" Version="4.4.0" />
-		<PackageReference Include="GitInfo" Version="3.3.1">
+		<PackageReference Include="GitInfo" Version="2.2.0">
 			<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
 			<PrivateAssets>all</PrivateAssets>
 		</PackageReference>
--- a/csharp/extractor/Semmle.Util.Tests/Semmle.Util.Tests.csproj
+++ b/csharp/extractor/Semmle.Util.Tests/Semmle.Util.Tests.csproj
@@ -6,12 +6,12 @@
 		<Nullable>enable</Nullable>
 	</PropertyGroup>
 	<ItemGroup>
-		<PackageReference Include="xunit" Version="2.5.0" />
+		<PackageReference Include="xunit" Version="2.4.2" />
-		<PackageReference Include="xunit.runner.visualstudio" Version="2.5.0">
+		<PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
 			<PrivateAssets>all</PrivateAssets>
 			<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
 		</PackageReference>
-		<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
+		<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
 	</ItemGroup>
 	<ItemGroup>
 		<ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj" />
--- a/csharp/extractor/Semmle.Util/Semmle.Util.csproj
+++ b/csharp/extractor/Semmle.Util/Semmle.Util.csproj
@@ -15,7 +15,7 @@
  <ItemGroup>
    <PackageReference Include="Mono.Posix.NETStandard" Version="1.0.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
  </ItemGroup>
 </Project>
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
 ## 1.6.4
 No user-facing changes.
 ## 1.6.3
 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.4.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.6.4.md
@@ -0,0 +1,3 @@
 ## 1.6.4
 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.3
+lastReleaseVersion: 1.6.4
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.6.4-dev
+version: 1.6.4
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
 ## 1.6.4
 No user-facing changes.
 ## 1.6.3
 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.6.4.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.6.4.md
@@ -0,0 +1,3 @@
 ## 1.6.4
 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.3
+lastReleaseVersion: 1.6.4
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.6.4-dev
+version: 1.6.4
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/consistency-queries/DataFlowConsistency.ql
+++ b/csharp/ql/consistency-queries/DataFlowConsistency.ql
@@ -1,12 +1,13 @@
 import csharp
 import cil
-import semmle.code.csharp.dataflow.internal.DataFlowPrivate
+private import semmle.code.csharp.dataflow.internal.DataFlowImplSpecific
-import semmle.code.csharp.dataflow.internal.DataFlowPublic
+private import semmle.code.csharp.dataflow.internal.TaintTrackingImplSpecific
-import semmle.code.csharp.dataflow.internal.DataFlowDispatch
+private import codeql.dataflow.internal.DataFlowImplConsistency
 import semmle.code.csharp.dataflow.internal.DataFlowImplConsistency::Consistency
-private class MyConsistencyConfiguration extends ConsistencyConfiguration {
+private module Input implements InputSig<CsharpDataFlow> {
-  override predicate uniqueEnclosingCallableExclude(Node n) {
+  private import CsharpDataFlow
  predicate uniqueEnclosingCallableExclude(Node n) {
    // TODO: Remove once static initializers are folded into the
    // static constructors
    exists(ControlFlow::Node cfn |
@@ -15,7 +16,7 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
    )
  }
-  override predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) {
+  predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) {
    // TODO: Remove once static initializers are folded into the
    // static constructors
    exists(ControlFlow::Node cfn |
@@ -24,25 +25,25 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
    )
  }
-  override predicate uniqueNodeLocationExclude(Node n) {
+  predicate uniqueNodeLocationExclude(Node n) {
    // Methods with multiple implementations
    n instanceof ParameterNode
    or
-    this.missingLocationExclude(n)
+    missingLocationExclude(n)
  }
-  override predicate missingLocationExclude(Node n) {
+  predicate missingLocationExclude(Node n) {
    // Some CIL methods are missing locations
    n.asParameter() instanceof CIL::Parameter
  }
-  override predicate postWithInFlowExclude(Node n) {
+  predicate postWithInFlowExclude(Node n) {
    n instanceof FlowSummaryNode
    or
    n.asExpr().(ObjectCreation).hasInitializer()
  }
-  override predicate argHasPostUpdateExclude(ArgumentNode n) {
+  predicate argHasPostUpdateExclude(ArgumentNode n) {
    n instanceof FlowSummaryNode
    or
    not exists(LocalFlow::getAPostUpdateNodeForArg(n.getControlFlowNode()))
@@ -54,7 +55,7 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
    n.asExpr() instanceof CIL::Expr
  }
-  override predicate postHasUniquePreExclude(PostUpdateNode n) {
+  predicate postHasUniquePreExclude(PostUpdateNode n) {
    exists(ControlFlow::Nodes::ExprNode e, ControlFlow::Nodes::ExprNode arg |
      e = LocalFlow::getAPostUpdateNodeForArg(arg) and
      e != arg and
@@ -62,7 +63,7 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
    )
  }
-  override predicate uniquePostUpdateExclude(Node n) {
+  predicate uniquePostUpdateExclude(Node n) {
    exists(ControlFlow::Nodes::ExprNode e, ControlFlow::Nodes::ExprNode arg |
      e = LocalFlow::getAPostUpdateNodeForArg(arg) and
      e != arg and
@@ -70,12 +71,12 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
    )
  }
-  override predicate reverseReadExclude(Node n) { n.asExpr() = any(AwaitExpr ae).getExpr() }
+  predicate reverseReadExclude(Node n) { n.asExpr() = any(AwaitExpr ae).getExpr() }
  override predicate identityLocalStepExclude(Node n) { none() }
 }
-query predicate multipleToString(Node n, string s) {
+import MakeConsistency<CsharpDataFlow, CsharpTaintTracking, Input>
 query predicate multipleToString(DataFlow::Node n, string s) {
  s = strictconcat(n.toString(), ",") and
  strictcount(n.toString()) > 1
 }
--- a/csharp/ql/integration-tests/posix-only/dotnet_test/dotnet_test.csproj
+++ b/csharp/ql/integration-tests/posix-only/dotnet_test/dotnet_test.csproj
@@ -8,10 +8,10 @@
  </PropertyGroup>
  <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
    <PackageReference Include="NUnit" Version="3.13.3" />
-    <PackageReference Include="NUnit3TestAdapter" Version="4.5.0" />
+    <PackageReference Include="NUnit3TestAdapter" Version="4.3.0" />
-    <PackageReference Include="coverlet.collector" Version="6.0.0" />
+    <PackageReference Include="coverlet.collector" Version="3.2.0" />
  </ItemGroup>
 </Project>
--- a/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/dotnet_test_mstest.csproj
+++ b/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/dotnet_test_mstest.csproj
@@ -10,10 +10,10 @@
  </PropertyGroup>
  <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.3.2" />
-    <PackageReference Include="MSTest.TestAdapter" Version="3.1.1" />
+    <PackageReference Include="MSTest.TestAdapter" Version="2.2.10" />
-    <PackageReference Include="MSTest.TestFramework" Version="3.1.1" />
+    <PackageReference Include="MSTest.TestFramework" Version="2.2.10" />
-    <PackageReference Include="coverlet.collector" Version="6.0.0" />
+    <PackageReference Include="coverlet.collector" Version="3.1.2" />
  </ItemGroup>
 </Project>
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
 ## 0.7.4
 ### Minor Analysis Improvements
 * The `--nostdlib` extractor option for the standalone extractor has been removed.
 ## 0.7.3
 ### Minor Analysis Improvements
--- a/csharp/ql/lib/change-notes/released/0.7.4.md
+++ b/csharp/ql/lib/change-notes/released/0.7.4.md
@@ -0,0 +1,5 @@
 ## 0.7.4
 ### Minor Analysis Improvements
 * The `--nostdlib` extractor option for the standalone extractor has been removed.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.3
+lastReleaseVersion: 0.7.4
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.7.4-dev
+version: 0.7.4
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/lib/semmle/code/cil/Stubs.qll
+++ b/csharp/ql/lib/semmle/code/cil/Stubs.qll
@@ -32,11 +32,11 @@ private module Cached {
    exists(Assembly asm |
      asm = mi.getLocation() and
      (assemblyIsStubImpl(asm) implies asm.getFile().extractedQlTest()) and
-      not exists(MethodImplementation better | mi.getMethod() = better.getMethod() |
+      mi =
-        mi.getNumberOfInstructions() < better.getNumberOfInstructions()
+        max(MethodImplementation impl |
-        or
+          mi.getMethod() = impl.getMethod()
-        mi.getNumberOfInstructions() = better.getNumberOfInstructions() and
+        |
-        asm.getFile().toString() > better.getLocation().getFile().toString()
+          impl order by impl.getNumberOfInstructions(), impl.getLocation().getFile().toString() desc
        ) and
      exists(mi.getAnInstruction())
    )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
@@ -109,8 +109,8 @@ private module Cached {
    TExplicitDelegateLikeCall(ControlFlow::Nodes::ElementNode cfn, DelegateLikeCall dc) {
      cfn.getAstNode() = dc
    } or
-    TTransitiveCapturedCall(ControlFlow::Nodes::ElementNode cfn, Callable target) {
+    TTransitiveCapturedCall(ControlFlow::Nodes::ElementNode cfn) {
-      transitiveCapturedCallTarget(cfn, target)
+      transitiveCapturedCallTarget(cfn, _)
    } or
    TCilCall(CIL::Call call) {
      // No need to include calls that are compiled from source
@@ -389,11 +389,12 @@ class ExplicitDelegateLikeDataFlowCall extends DelegateDataFlowCall, TExplicitDe
 */
 class TransitiveCapturedDataFlowCall extends DataFlowCall, TTransitiveCapturedCall {
  private ControlFlow::Nodes::ElementNode cfn;
  private Callable target;
-  TransitiveCapturedDataFlowCall() { this = TTransitiveCapturedCall(cfn, target) }
+  TransitiveCapturedDataFlowCall() { this = TTransitiveCapturedCall(cfn) }
-  override DataFlowCallable getARuntimeTarget() { result.asCallable() = target }
+  override DataFlowCallable getARuntimeTarget() {
    transitiveCapturedCallTarget(cfn, result.asCallable())
  }
  override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -1564,7 +1564,7 @@ private module OutNodes {
        additionalCalls = false and call = csharpCall(_, cfn)
        or
        additionalCalls = true and
-        call = TTransitiveCapturedCall(cfn, n.getEnclosingCallable())
+        call = TTransitiveCapturedCall(cfn)
      )
    }
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
 ## 0.7.4
 No user-facing changes.
 ## 0.7.3
 No user-facing changes.
--- a/csharp/ql/src/change-notes/released/0.7.4.md
+++ b/csharp/ql/src/change-notes/released/0.7.4.md
@@ -0,0 +1,3 @@
 ## 0.7.4
 No user-facing changes.
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`---`	`---`
	`lastReleaseVersion: 0.9.1`	`lastReleaseVersion: 0.9.2`