Merge branch 'main' into rdmarsh2/cpp/ir-qualifier-flow

Fix test conflicts
2025-12-17 01:03:14 +01:00 · 2020-09-18 15:40:43 -07:00
parent 12be90a6af d867172d27
commit bc3e74f7d6
49 changed files with 1229 additions and 202 deletions
--- a/change-notes/1.26/analysis-cpp.md
+++ b/change-notes/1.26/analysis-cpp.md
@@ -23,7 +23,7 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 * The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.
 * The models library now models many taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
 * The models library now models many more taint flows through `std::string`.
-* The models library now models some taint flows through `std::ostream`.
+* The models library now models many taint flows through `std::istream` and `std::ostream`.
 * The models library now models some taint flows through `std::shared_ptr`, `std::unique_ptr`, `std::make_shared` and `std::make_unique`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
  `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.
--- a/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
+++ b/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -279,20 +279,62 @@ private predicate reachableRecursive(ControlFlowNode n) {
  reachableRecursive(n.getAPredecessor())
 }

+/** Holds if `e` is a compile time constant with integer value `val`. */
 private predicate compileTimeConstantInt(Expr e, int val) {
-  val = e.getFullyConverted().getValue().toInt() and
-  not e instanceof StringLiteral and
-  not exists(Expr e1 | e1.getConversion() = e) // only values for fully converted expressions
+  (
+    // If we have an integer value then we are done.
+    if exists(e.getValue().toInt())
+    then val = e.getValue().toInt()
+    else
+      // Otherwise, if we are a conversion of another expression with an
+      // integer value, and that value can be converted into our type,
+      // then we have that value.
+      exists(Expr x, int valx |
+        x.getConversion() = e and
+        compileTimeConstantInt(x, valx) and
+        val = convertIntToType(valx, e.getType().getUnspecifiedType())
+      )
+  ) and
+  // If our unconverted expression is a string literal `"123"`, then we
+  // do not have integer value `123`.
+  not e.getUnconverted() instanceof StringLiteral
 }

-library class CompileTimeConstantInt extends Expr {
-  CompileTimeConstantInt() { compileTimeConstantInt(this, _) }
+/**
+ * Get `val` represented as type `t`, if that is possible without
+ * overflow or underflows.
+ */
+bindingset[val, t]
+private int convertIntToType(int val, IntegralType t) {
+  if t instanceof BoolType
+  then if val = 0 then result = 0 else result = 1
+  else
+    if t.isUnsigned()
+    then if val >= 0 and val.bitShiftRight(t.getSize() * 8) = 0 then result = val else none()
+    else
+      if val >= 0 and val.bitShiftRight(t.getSize() * 8 - 1) = 0
+      then result = val
+      else
+        if (-(val + 1)).bitShiftRight(t.getSize() * 8 - 1) = 0
+        then result = val
+        else none()
+}

-  int getIntValue() { compileTimeConstantInt(this, result) }
+/**
+ * INTERNAL: Do not use.
+ * An expression that has been found to have an integer value at compile
+ * time.
+ */
+class CompileTimeConstantInt extends Expr {
+  int val;
+
+  CompileTimeConstantInt() { compileTimeConstantInt(this.getFullyConverted(), val) }
+
+  int getIntValue() { result = val }
 }

 library class CompileTimeVariableExpr extends Expr {
-  CompileTimeVariableExpr() { not compileTimeConstantInt(this, _) }
+  CompileTimeVariableExpr() { not this instanceof CompileTimeConstantInt }
 }

 /** A helper class for evaluation of expressions. */
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -264,9 +264,6 @@ private predicate instructionTaintStep(Instruction i1, Instruction i2) {
    t instanceof Union
    or
    t instanceof ArrayType
-    or
-    // Buffers of unknown size
-    t instanceof UnknownType
  )
  or
  exists(BinaryInstruction bin |
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -197,15 +197,17 @@ private class CollectionContent extends Content, TCollectionContent {
 }

 private class ArrayContent extends Content, TArrayContent {
-  override string toString() { result = "array" }
+  ArrayContent() { this = TArrayContent() }
+
+  override string toString() { result = "array content" }
 }

-private predicate storeStepNoChi(Node node1, Content f, PostUpdateNode node2) {
+private predicate fieldStoreStepNoChi(Node node1, FieldContent f, PostUpdateNode node2) {
  exists(StoreInstruction store, Class c |
    store = node2.asInstruction() and
    store.getSourceValue() = node1.asInstruction() and
    getWrittenField(store, f.(FieldContent).getAField(), c) and
-    f.(FieldContent).hasOffset(c, _, _)
+    f.hasOffset(c, _, _)
  )
 }

@@ -218,7 +220,7 @@ private predicate getWrittenField(StoreInstruction store, Field f, Class c) {
  )
 }

-private predicate storeStepChi(Node node1, Content f, PostUpdateNode node2) {
+private predicate fieldStoreStepChi(Node node1, FieldContent f, PostUpdateNode node2) {
  exists(StoreInstruction store, ChiInstruction chi |
    node1.asInstruction() = store and
    node2.asInstruction() = chi and
@@ -227,23 +229,43 @@ private predicate storeStepChi(Node node1, Content f, PostUpdateNode node2) {
      c = chi.getResultType() and
      exists(int startBit, int endBit |
        chi.getUpdatedInterval(startBit, endBit) and
-        f.(FieldContent).hasOffset(c, startBit, endBit)
+        f.hasOffset(c, startBit, endBit)
      )
      or
-      getWrittenField(store, f.(FieldContent).getAField(), c) and
-      f.(FieldContent).hasOffset(c, _, _)
+      getWrittenField(store, f.getAField(), c) and
+      f.hasOffset(c, _, _)
    )
  )
 }

+private predicate arrayStoreStepChi(Node node1, ArrayContent a, PostUpdateNode node2) {
+  a = TArrayContent() and
+  exists(StoreInstruction store |
+    node1.asInstruction() = store and
+    (
+      // `x[i] = taint()`
+      // This matches the characteristic predicate in `ArrayStoreNode`.
+      store.getDestinationAddress() instanceof PointerAddInstruction
+      or
+      // `*p = taint()`
+      // This matches the characteristic predicate in `PointerStoreNode`.
+      store.getDestinationAddress().(CopyValueInstruction).getUnary() instanceof LoadInstruction
+    ) and
+    // This `ChiInstruction` will always have a non-conflated result because both `ArrayStoreNode`
+    // and `PointerStoreNode` require it in their characteristic predicates.
+    node2.asInstruction().(ChiInstruction).getPartial() = store
+  )
+}
+
 /**
 * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
 * Thus, `node2` references an object with a field `f` that contains the
 * value of `node1`.
 */
 predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
-  storeStepNoChi(node1, f, node2) or
-  storeStepChi(node1, f, node2)
+  fieldStoreStepNoChi(node1, f, node2) or
+  fieldStoreStepChi(node1, f, node2) or
+  arrayStoreStepChi(node1, f, node2)
 }

 bindingset[result, i]
@@ -263,7 +285,7 @@ private predicate getLoadedField(LoadInstruction load, Field f, Class c) {
 * Thus, `node1` references an object with a field `f` whose value ends up in
 * `node2`.
 */
-predicate readStep(Node node1, Content f, Node node2) {
+private predicate fieldReadStep(Node node1, FieldContent f, Node node2) {
  exists(LoadInstruction load |
    node2.asInstruction() = load and
    node1.asInstruction() = load.getSourceValueOperand().getAnyDef() and
@@ -271,15 +293,33 @@ predicate readStep(Node node1, Content f, Node node2) {
      c = load.getSourceValueOperand().getAnyDef().getResultType() and
      exists(int startBit, int endBit |
        load.getSourceValueOperand().getUsedInterval(unbindInt(startBit), unbindInt(endBit)) and
-        f.(FieldContent).hasOffset(c, startBit, endBit)
+        f.hasOffset(c, startBit, endBit)
      )
      or
-      getLoadedField(load, f.(FieldContent).getAField(), c) and
-      f.(FieldContent).hasOffset(c, _, _)
+      getLoadedField(load, f.getAField(), c) and
+      f.hasOffset(c, _, _)
    )
  )
 }

+private predicate arrayReadStep(Node node1, ArrayContent a, Node node2) {
+  a = TArrayContent() and
+  exists(LoadInstruction load |
+    node1.asInstruction() = load.getSourceValueOperand().getAnyDef() and
+    load = node2.asInstruction()
+  )
+}
+
+/**
+ * Holds if data can flow from `node1` to `node2` via a read of `f`.
+ * Thus, `node1` references an object with a field `f` whose value ends up in
+ * `node2`.
+ */
+predicate readStep(Node node1, Content f, Node node2) {
+  fieldReadStep(node1, f, node2) or
+  arrayReadStep(node1, f, node2)
+}
+
 /**
 * Holds if values stored inside content `c` are cleared at node `n`.
 */
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -389,6 +389,45 @@ private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNod
  }
 }

+/**
+ * The `PostUpdateNode` that is the target of a `arrayStoreStepChi` store step. The overriden
+ * `ChiInstruction` corresponds to the instruction represented by `node2` in `arrayStoreStepChi`.
+ */
+private class ArrayStoreNode extends PartialDefinitionNode {
+  override ChiInstruction instr;
+  PointerAddInstruction add;
+
+  ArrayStoreNode() {
+    not instr.isResultConflated() and
+    exists(StoreInstruction store |
+      instr.getPartial() = store and
+      add = store.getDestinationAddress()
+    )
+  }
+
+  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
+
+  override Expr getDefinedExpr() { result = add.getLeft().getUnconvertedResultExpression() }
+}
+
+/**
+ * The `PostUpdateNode` that is the target of a `arrayStoreStepChi` store step. The overriden
+ * `ChiInstruction` corresponds to the instruction represented by `node2` in `arrayStoreStepChi`.
+ */
+private class PointerStoreNode extends PostUpdateNode {
+  override ChiInstruction instr;
+
+  PointerStoreNode() {
+    not instr.isResultConflated() and
+    exists(StoreInstruction store |
+      instr.getPartial() = store and
+      store.getDestinationAddress().(CopyValueInstruction).getUnary() instanceof LoadInstruction
+    )
+  }
+
+  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
+}
+
 /**
 * A node that represents the value of a variable after a function call that
 * may have changed the variable because it's passed by reference.
@@ -545,6 +584,7 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFr
 * This is the local flow predicate that's used as a building block in global
 * data flow. It may have less flow than the `localFlowStep` predicate.
 */
+cached
 predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
  // Operand -> Instruction flow
  simpleInstructionLocalFlowStep(nodeFrom.asOperand(), nodeTo.asInstruction())
@@ -562,10 +602,11 @@ private predicate getFieldSizeOfClass(Class c, Type type, int size) {
  )
 }

-private predicate isSingleFieldClass(Type type, Class cTo) {
-  exists(int size |
-    cTo.getSize() = size and
-    getFieldSizeOfClass(cTo, type, size)
+private predicate isSingleFieldClass(Type type, Operand op) {
+  exists(int size, Class c |
+    c = op.getType().getUnderlyingType() and
+    c.getSize() = size and
+    getFieldSizeOfClass(c, type, size)
  )
 }

@@ -601,11 +642,10 @@ private predicate simpleOperandLocalFlowStep(Instruction iFrom, Operand opTo) {
  exists(LoadInstruction load |
    load.getSourceValueOperand() = opTo and
    opTo.getAnyDef() = iFrom and
-    isSingleFieldClass(iFrom.getResultType(), opTo.getType().getUnderlyingType())
+    isSingleFieldClass(iFrom.getResultType(), opTo)
  )
 }

-cached
 private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo) {
  iTo.(CopyInstruction).getSourceValueOperand() = opFrom
  or
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -260,10 +260,13 @@ class StdStringSubstr extends TaintFunction {
 }

 /**
- * The standard function `std::string.swap`.
+ * The standard functions `std::string.swap` and `std::stringstream::swap`.
 */
 class StdStringSwap extends TaintFunction {
-  StdStringSwap() { this.hasQualifiedName("std", "basic_string", "swap") }
+  StdStringSwap() {
+    this.hasQualifiedName("std", "basic_string", "swap") or
+    this.hasQualifiedName("std", "basic_stringstream", "swap")
+  }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // str1.swap(str2)
@@ -292,6 +295,197 @@ class StdStringAt extends TaintFunction {
  }
 }

+/**
+ * The `std::basic_istream` template class.
+ */
+class StdBasicIStream extends TemplateClass {
+  StdBasicIStream() { this.hasQualifiedName("std", "basic_istream") }
+}
+
+/**
+ * The `std::istream` function `operator>>` (defined as a member function).
+ */
+class StdIStreamIn extends DataFlowFunction, TaintFunction {
+  StdIStreamIn() { this.hasQualifiedName("std", "basic_istream", "operator>>") }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // returns reference to `*this`
+    input.isQualifierAddress() and
+    output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to first parameter
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    // reverse flow from returned reference to the qualifier
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The `std::istream` function `operator>>` (defined as a non-member function).
+ */
+class StdIStreamInNonMember extends DataFlowFunction, TaintFunction {
+  StdIStreamInNonMember() {
+    this.hasQualifiedName("std", "operator>>") and
+    this.getUnspecifiedType().(ReferenceType).getBaseType() =
+      any(StdBasicIStream s).getAnInstantiation()
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // flow from first parameter to return value
+    input.isParameter(0) and
+    output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from first parameter to second parameter
+    input.isParameterDeref(0) and
+    output.isParameterDeref(1)
+    or
+    // reverse flow from returned reference to the first parameter
+    input.isReturnValueDeref() and
+    output.isParameterDeref(0)
+  }
+}
+
+/**
+ * The `std::istream` functions `get` (without parameters) and `peek`.
+ */
+class StdIStreamGet extends TaintFunction {
+  StdIStreamGet() {
+    this.hasQualifiedName("std", "basic_istream", ["get", "peek"]) and
+    this.getNumberOfParameters() = 0
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to return value
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * The `std::istream` functions `get` (with parameters) and `read`.
+ */
+class StdIStreamRead extends DataFlowFunction, TaintFunction {
+  StdIStreamRead() {
+    this.hasQualifiedName("std", "basic_istream", ["get", "read"]) and
+    this.getNumberOfParameters() > 0
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // returns reference to `*this`
+    input.isQualifierAddress() and
+    output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to first parameter
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    // reverse flow from returned reference to the qualifier
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The `std::istream` function `readsome`.
+ */
+class StdIStreamReadSome extends TaintFunction {
+  StdIStreamReadSome() { this.hasQualifiedName("std", "basic_istream", "readsome") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to first parameter
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+  }
+}
+
+/**
+ * The `std::istream` function `putback`.
+ */
+class StdIStreamPutBack extends DataFlowFunction, TaintFunction {
+  StdIStreamPutBack() { this.hasQualifiedName("std", "basic_istream", "putback") }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // returns reference to `*this`
+    input.isQualifierAddress() and
+    output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from first parameter (value or pointer) to qualifier
+    input.isParameter(0) and
+    output.isQualifierObject()
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+    or
+    // flow from first parameter (value or pointer) to return value
+    input.isParameter(0) and
+    output.isReturnValueDeref()
+    or
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the qualifier
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The `std::istream` function `getline`.
+ */
+class StdIStreamGetLine extends DataFlowFunction, TaintFunction {
+  StdIStreamGetLine() { this.hasQualifiedName("std", "basic_istream", "getline") }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // returns reference to `*this`
+    input.isQualifierAddress() and
+    output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to first parameter
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    // reverse flow from returned reference to the qualifier
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The (non-member) function `std::getline`.
+ */
+class StdGetLine extends DataFlowFunction, TaintFunction {
+  StdGetLine() { this.hasQualifiedName("std", "getline") }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // flow from first parameter to return value
+    input.isParameter(0) and
+    output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from first parameter to second parameter
+    input.isParameterDeref(0) and
+    output.isParameterDeref(1)
+    or
+    // reverse flow from returned reference to first parameter
+    input.isReturnValueDeref() and
+    output.isParameterDeref(0)
+  }
+}
+
 /**
 * The `std::basic_ostream` template class.
 */
@@ -307,7 +501,7 @@ class StdOStreamOut extends DataFlowFunction, TaintFunction {
  StdOStreamOut() { this.hasQualifiedName("std", "basic_ostream", ["operator<<", "put", "write"]) }

  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    // flow from qualifier to return value
+    // returns reference to `*this`
    input.isQualifierAddress() and
    output.isReturnValue()
  }
@@ -407,3 +601,27 @@ class StdStringStreamStr extends TaintFunction {
    output.isQualifierObject()
  }
 }
+
+/**
+ * A `std::` stream function that does not require a model, except that it
+ * returns a reference to `*this` and thus could be used in a chain.
+ */
+class StdStreamFunction extends DataFlowFunction, TaintFunction {
+  StdStreamFunction() {
+    this.hasQualifiedName("std", "basic_istream", ["ignore", "unget", "seekg"]) or
+    this.hasQualifiedName("std", "basic_ostream", ["seekp", "flush"]) or
+    this.hasQualifiedName("std", "basic_ios", "copyfmt")
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // returns reference to `*this`
+    input.isQualifierAddress() and
+    output.isReturnValue()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // reverse flow from returned reference to the qualifier
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
@@ -93,7 +93,6 @@
 | defaulttainttracking.cpp:88:18:88:23 | call to getenv | shared.h:5:23:5:31 | sinkparam |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:91:42:91:44 | arg |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:92:12:92:14 | arg |
-| defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:96:11:96:12 | p2 |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:97:27:97:32 | call to getenv |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:98:10:98:11 | (const char *)... |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:98:10:98:11 | p2 |
@@ -112,51 +111,28 @@
 | defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:140:11:140:16 | call to getenv |
 | defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:140:11:140:26 | (int)... |
 | defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:140:11:140:26 | access to array |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:143:23:143:24 | pp |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:144:8:144:9 | pp |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:150:13:150:14 | & ... |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:153:11:153:15 | p#0 |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:154:11:154:15 | p#0 |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:162:50:162:50 | p |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:164:8:164:8 | p |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:165:8:165:9 | & ... |
 | defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:166:10:166:10 | x |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:187:8:187:9 | pp |
 | defaulttainttracking.cpp:140:11:140:16 | call to getenv | shared.h:6:15:6:23 | sinkparam |
 | defaulttainttracking.cpp:157:9:157:14 | call to getenv | defaulttainttracking.cpp:157:9:157:14 | call to getenv |
 | defaulttainttracking.cpp:157:9:157:14 | call to getenv | defaulttainttracking.cpp:157:9:157:24 | (int)... |
 | defaulttainttracking.cpp:157:9:157:14 | call to getenv | defaulttainttracking.cpp:157:9:157:24 | access to array |
 | defaulttainttracking.cpp:157:9:157:14 | call to getenv | defaulttainttracking.cpp:159:10:159:10 | x |
 | defaulttainttracking.cpp:157:9:157:14 | call to getenv | shared.h:6:15:6:23 | sinkparam |
-| defaulttainttracking.cpp:170:11:170:16 | call to getenv | defaulttainttracking.cpp:153:11:153:15 | p#0 |
 | defaulttainttracking.cpp:170:11:170:16 | call to getenv | defaulttainttracking.cpp:170:11:170:16 | call to getenv |
 | defaulttainttracking.cpp:170:11:170:16 | call to getenv | defaulttainttracking.cpp:170:11:170:26 | (int)... |
 | defaulttainttracking.cpp:170:11:170:16 | call to getenv | defaulttainttracking.cpp:170:11:170:26 | access to array |
-| defaulttainttracking.cpp:170:11:170:16 | call to getenv | defaulttainttracking.cpp:171:8:171:9 | pp |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:153:11:153:15 | p#0 |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:154:11:154:15 | p#0 |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:175:33:175:34 | pp |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:176:8:176:9 | pp |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:177:8:177:10 | * ... |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:177:9:177:10 | pp |
 | defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:181:11:181:16 | call to getenv |
 | defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:181:11:181:26 | (int)... |
 | defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:181:11:181:26 | access to array |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:182:23:182:24 | pp |
 | defaulttainttracking.cpp:195:11:195:16 | call to getenv | defaulttainttracking.cpp:195:11:195:16 | call to getenv |
 | defaulttainttracking.cpp:195:11:195:16 | call to getenv | defaulttainttracking.cpp:195:11:195:26 | (int)... |
 | defaulttainttracking.cpp:195:11:195:16 | call to getenv | defaulttainttracking.cpp:195:11:195:26 | access to array |
-| defaulttainttracking.cpp:201:13:201:18 | call to getenv | defaulttainttracking.cpp:153:11:153:15 | p#0 |
 | defaulttainttracking.cpp:201:13:201:18 | call to getenv | defaulttainttracking.cpp:201:13:201:18 | call to getenv |
 | defaulttainttracking.cpp:201:13:201:18 | call to getenv | defaulttainttracking.cpp:201:13:201:28 | (int)... |
 | defaulttainttracking.cpp:201:13:201:18 | call to getenv | defaulttainttracking.cpp:201:13:201:28 | access to array |
-| defaulttainttracking.cpp:201:13:201:18 | call to getenv | defaulttainttracking.cpp:203:8:203:9 | pp |
-| defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:153:11:153:15 | p#0 |
 | defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:208:27:208:32 | call to getenv |
 | defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:208:27:208:42 | (int)... |
 | defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:208:27:208:42 | access to array |
-| defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:209:8:209:9 | pp |
-| defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:210:8:210:23 | ... + ... |
 | dispatch.cpp:28:29:28:34 | call to getenv | dispatch.cpp:28:24:28:27 | call to atoi |
 | dispatch.cpp:28:29:28:34 | call to getenv | dispatch.cpp:28:29:28:34 | call to getenv |
 | dispatch.cpp:28:29:28:34 | call to getenv | dispatch.cpp:28:29:28:45 | (const char *)... |
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected
@@ -16,7 +16,6 @@
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:91:31:91:33 | ret | AST only |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:92:5:92:8 | * ... | AST only |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:92:6:92:8 | ret | AST only |
-| defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:96:11:96:12 | p2 | IR only |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:98:10:98:11 | (const char *)... | IR only |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:98:10:98:11 | p2 | IR only |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | shared.h:5:23:5:31 | sinkparam | IR only |
@@ -26,39 +25,16 @@
 | defaulttainttracking.cpp:133:9:133:14 | call to getenv | defaulttainttracking.cpp:134:10:134:10 | x | IR only |
 | defaulttainttracking.cpp:133:9:133:14 | call to getenv | shared.h:6:15:6:23 | sinkparam | IR only |
 | defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:140:7:140:7 | x | AST only |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:143:23:143:24 | pp | IR only |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:144:8:144:9 | pp | IR only |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:150:13:150:14 | & ... | IR only |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:153:11:153:15 | p#0 | IR only |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:154:11:154:15 | p#0 | IR only |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:162:50:162:50 | p | IR only |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:164:8:164:8 | p | IR only |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:165:8:165:9 | & ... | IR only |
 | defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:166:10:166:10 | x | IR only |
-| defaulttainttracking.cpp:140:11:140:16 | call to getenv | defaulttainttracking.cpp:187:8:187:9 | pp | IR only |
 | defaulttainttracking.cpp:140:11:140:16 | call to getenv | shared.h:6:15:6:23 | sinkparam | IR only |
 | defaulttainttracking.cpp:157:9:157:14 | call to getenv | defaulttainttracking.cpp:157:5:157:5 | x | AST only |
 | defaulttainttracking.cpp:157:9:157:14 | call to getenv | defaulttainttracking.cpp:159:10:159:10 | x | IR only |
 | defaulttainttracking.cpp:157:9:157:14 | call to getenv | shared.h:6:15:6:23 | sinkparam | IR only |
-| defaulttainttracking.cpp:170:11:170:16 | call to getenv | defaulttainttracking.cpp:153:11:153:15 | p#0 | IR only |
 | defaulttainttracking.cpp:170:11:170:16 | call to getenv | defaulttainttracking.cpp:170:7:170:7 | x | AST only |
-| defaulttainttracking.cpp:170:11:170:16 | call to getenv | defaulttainttracking.cpp:171:8:171:9 | pp | IR only |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:153:11:153:15 | p#0 | IR only |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:154:11:154:15 | p#0 | IR only |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:175:33:175:34 | pp | IR only |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:176:8:176:9 | pp | IR only |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:177:8:177:10 | * ... | IR only |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:177:9:177:10 | pp | IR only |
 | defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:181:7:181:7 | x | AST only |
-| defaulttainttracking.cpp:181:11:181:16 | call to getenv | defaulttainttracking.cpp:182:23:182:24 | pp | IR only |
 | defaulttainttracking.cpp:195:11:195:16 | call to getenv | defaulttainttracking.cpp:195:7:195:7 | x | AST only |
-| defaulttainttracking.cpp:201:13:201:18 | call to getenv | defaulttainttracking.cpp:153:11:153:15 | p#0 | IR only |
 | defaulttainttracking.cpp:201:13:201:18 | call to getenv | defaulttainttracking.cpp:201:9:201:9 | x | AST only |
-| defaulttainttracking.cpp:201:13:201:18 | call to getenv | defaulttainttracking.cpp:203:8:203:9 | pp | IR only |
-| defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:153:11:153:15 | p#0 | IR only |
 | defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:208:23:208:23 | x | AST only |
-| defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:209:8:209:9 | pp | IR only |
-| defaulttainttracking.cpp:208:27:208:32 | call to getenv | defaulttainttracking.cpp:210:8:210:23 | ... + ... | IR only |
 | globals.cpp:13:15:13:20 | call to getenv | globals.cpp:13:5:13:11 | global1 | AST only |
 | globals.cpp:23:15:23:20 | call to getenv | globals.cpp:23:5:23:11 | global2 | AST only |
 | stl.cpp:62:25:62:30 | call to getenv | stl.cpp:43:78:43:104 | p#0 | IR only |
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/ref.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/ref.cpp
@@ -56,13 +56,13 @@ namespace withoutFields {
    sink(x1); // flow [FALSE POSITIVE from uninitialized]

    notAssign(x2, source());
-    sink(x2); // no flow [FALSE POSITIVE from uninitialized]
+    sink(x2); // no flow [FALSE POSITIVE from uninitialized, FALSE POSITIVE by IR]

    sourceToParamWrapper(x3);
    sink(x3); // flow [FALSE POSITIVE from uninitialized]

    notSource(x4);
-    sink(x4); // no flow [FALSE POSITIVE from uninitialized]
+    sink(x4); // no flow [FALSE POSITIVE from uninitialized, FALSE POSITIVE by IR]
  }
 }

--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected
@@ -20,13 +20,12 @@
 | globals.cpp:13:23:13:28 | globals.cpp:12:10:12:24 | IR only |
 | globals.cpp:23:23:23:28 | globals.cpp:19:10:19:24 | IR only |
 | lambdas.cpp:8:10:8:15 | lambdas.cpp:21:3:21:6 | AST only |
-| lambdas.cpp:43:7:43:12 | lambdas.cpp:46:7:46:7 | AST only |
-| ref.cpp:29:11:29:16 | ref.cpp:62:10:62:11 | AST only |
+| ref.cpp:44:11:44:16 | ref.cpp:65:10:65:11 | IR only |
 | ref.cpp:53:9:53:10 | ref.cpp:56:10:56:11 | AST only |
 | ref.cpp:53:13:53:14 | ref.cpp:59:10:59:11 | AST only |
 | ref.cpp:53:17:53:18 | ref.cpp:62:10:62:11 | AST only |
 | ref.cpp:53:21:53:22 | ref.cpp:65:10:65:11 | AST only |
-| ref.cpp:55:23:55:28 | ref.cpp:56:10:56:11 | AST only |
+| ref.cpp:58:19:58:24 | ref.cpp:59:10:59:11 | IR only |
 | test.cpp:75:7:75:8 | test.cpp:76:8:76:9 | AST only |
 | test.cpp:83:7:83:8 | test.cpp:84:8:84:18 | AST only |
 | test.cpp:83:7:83:8 | test.cpp:86:8:86:9 | AST only |
@@ -51,7 +50,6 @@
 | test.cpp:441:7:441:11 | test.cpp:444:8:444:13 | AST only |
 | test.cpp:442:18:442:22 | test.cpp:443:8:443:12 | AST only |
 | test.cpp:442:18:442:22 | test.cpp:444:8:444:13 | AST only |
-| test.cpp:465:8:465:13 | test.cpp:471:8:471:8 | AST only |
 | true_upon_entry.cpp:9:11:9:16 | true_upon_entry.cpp:13:8:13:8 | IR only |
 | true_upon_entry.cpp:62:11:62:16 | true_upon_entry.cpp:66:8:66:8 | IR only |
 | true_upon_entry.cpp:98:11:98:16 | true_upon_entry.cpp:105:8:105:8 | IR only |
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected
@@ -44,6 +44,11 @@
 | lambdas.cpp:29:3:29:6 | t | lambdas.cpp:8:10:8:15 | call to source |
 | lambdas.cpp:35:8:35:8 | a | lambdas.cpp:8:10:8:15 | call to source |
 | lambdas.cpp:41:8:41:8 | (reference dereference) | lambdas.cpp:8:10:8:15 | call to source |
+| lambdas.cpp:46:7:46:7 | w | lambdas.cpp:43:7:43:12 | call to source |
+| ref.cpp:56:10:56:11 | x1 | ref.cpp:55:23:55:28 | call to source |
+| ref.cpp:59:10:59:11 | x2 | ref.cpp:58:19:58:24 | call to source |
+| ref.cpp:62:10:62:11 | x3 | ref.cpp:29:11:29:16 | call to source |
+| ref.cpp:65:10:65:11 | x4 | ref.cpp:44:11:44:16 | call to source |
 | ref.cpp:123:13:123:15 | val | ref.cpp:122:23:122:28 | call to source |
 | ref.cpp:126:13:126:15 | val | ref.cpp:125:19:125:24 | call to source |
 | ref.cpp:129:13:129:15 | val | ref.cpp:94:15:94:20 | call to source |
@@ -77,6 +82,7 @@
 | test.cpp:394:10:394:12 | tmp | test.cpp:388:53:388:59 | source1 |
 | test.cpp:450:9:450:22 | (statement expression) | test.cpp:449:26:449:32 | source1 |
 | test.cpp:461:8:461:12 | local | test.cpp:449:26:449:32 | source1 |
+| test.cpp:471:8:471:8 | x | test.cpp:465:8:465:13 | call to source |
 | true_upon_entry.cpp:13:8:13:8 | x | true_upon_entry.cpp:9:11:9:16 | call to source |
 | true_upon_entry.cpp:21:8:21:8 | x | true_upon_entry.cpp:17:11:17:16 | call to source |
 | true_upon_entry.cpp:29:8:29:8 | x | true_upon_entry.cpp:27:9:27:14 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
@@ -100,4 +100,14 @@ void addressOfField() {
  S s_copy = s;
  int* px = &s_copy.m1;
  sink(*px); // $f-:ast $ir
+}
+
+void taint_a_ptr(int* pa) {
+  *pa = user_input();
+}
+
+void test_field_conflation_array_content() {
+  S s;
+  taint_a_ptr(&s.m1);
+  sink(s.m2); //$f+:ir
 }
--- a/cpp/ql/test/library-tests/dataflow/fields/by_reference.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/by_reference.cpp
@@ -109,11 +109,11 @@ void test_outer_with_ptr(Outer *pouter) {

  sink(outer.inner_nested.a); // $ast,ir
  sink(outer.inner_ptr->a); // $ast $f-:ir
-  sink(outer.a); // $ast $f-:ir
+  sink(outer.a); // $ast,ir

  sink(pouter->inner_nested.a); // $ast,ir
  sink(pouter->inner_ptr->a); // $ast $f-:ir
-  sink(pouter->a); // $ast $f-:ir
+  sink(pouter->a); // $ast,ir
 }

 void test_outer_with_ref(Outer *pouter) {
@@ -129,9 +129,9 @@ void test_outer_with_ref(Outer *pouter) {

  sink(outer.inner_nested.a); // $ast,ir
  sink(outer.inner_ptr->a); // $ast $f-:ir
-  sink(outer.a); // $ast $f-:ir
+  sink(outer.a); // $ast,ir

  sink(pouter->inner_nested.a); // $ast,ir
  sink(pouter->inner_ptr->a); // $ast $f-:ir
-  sink(pouter->a); // $ast $f-:ir
+  sink(pouter->a); // $ast,ir
 }
--- a/cpp/ql/test/library-tests/dataflow/fields/flow-diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/flow-diff.expected
@@ -21,6 +21,7 @@
 | aliasing.cpp:79:11:79:20 | call to user_input | aliasing.cpp:80:12:80:13 | m1 | IR only |
 | aliasing.cpp:86:10:86:19 | call to user_input | aliasing.cpp:87:12:87:13 | m1 | IR only |
 | aliasing.cpp:98:10:98:19 | call to user_input | aliasing.cpp:102:8:102:10 | * ... | IR only |
+| aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:112:10:112:11 | m2 | IR only |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:8:8:8:13 | access to array | AST only |
 | arrays.cpp:15:14:15:23 | call to user_input | arrays.cpp:17:8:17:13 | access to array | AST only |
 | arrays.cpp:36:26:36:35 | call to user_input | arrays.cpp:38:24:38:27 | data | AST only |
@@ -30,10 +31,6 @@
 | by_reference.cpp:84:14:84:23 | call to user_input | by_reference.cpp:115:27:115:27 | a | AST only |
 | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:131:25:131:25 | a | AST only |
 | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:135:27:135:27 | a | AST only |
-| by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:112:14:112:14 | a | AST only |
-| by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:116:16:116:16 | a | AST only |
-| by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:132:14:132:14 | a | AST only |
-| by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:136:16:136:16 | a | AST only |
 | complex.cpp:62:19:62:28 | call to user_input | complex.cpp:52:18:52:18 | call to b | AST only |
 | complex.cpp:63:19:63:28 | call to user_input | complex.cpp:51:18:51:18 | call to a | AST only |
 | complex.cpp:64:19:64:28 | call to user_input | complex.cpp:52:18:52:18 | call to b | AST only |
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -64,6 +64,11 @@ edges
 | aliasing.cpp:98:3:98:21 | Store | aliasing.cpp:98:3:98:21 | Chi [m1] |
 | aliasing.cpp:98:10:98:19 | call to user_input | aliasing.cpp:98:3:98:21 | Store |
 | aliasing.cpp:100:14:100:14 | Store [m1] | aliasing.cpp:102:8:102:10 | * ... |
+| aliasing.cpp:106:3:106:20 | Chi [array content] | aliasing.cpp:111:15:111:19 | taint_a_ptr output argument [array content] |
+| aliasing.cpp:106:3:106:20 | Store | aliasing.cpp:106:3:106:20 | Chi [array content] |
+| aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:106:3:106:20 | Store |
+| aliasing.cpp:111:15:111:19 | Chi [array content] | aliasing.cpp:112:10:112:11 | m2 |
+| aliasing.cpp:111:15:111:19 | taint_a_ptr output argument [array content] | aliasing.cpp:111:15:111:19 | Chi [array content] |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:7:8:7:13 | access to array |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:9:8:9:11 | * ... |
 | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:10:8:10:15 | * ... |
@@ -89,14 +94,30 @@ edges
 | by_reference.cpp:88:3:88:24 | Chi [a] | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] |
 | by_reference.cpp:88:3:88:24 | Store | by_reference.cpp:88:3:88:24 | Chi [a] |
 | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:88:3:88:24 | Store |
+| by_reference.cpp:92:3:92:20 | Chi [array content] | by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] |
+| by_reference.cpp:92:3:92:20 | Chi [array content] | by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] |
+| by_reference.cpp:92:3:92:20 | Store | by_reference.cpp:92:3:92:20 | Chi [array content] |
+| by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:92:3:92:20 | Store |
+| by_reference.cpp:96:3:96:19 | Chi [array content] | by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] |
+| by_reference.cpp:96:3:96:19 | Chi [array content] | by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] |
+| by_reference.cpp:96:3:96:19 | Store | by_reference.cpp:96:3:96:19 | Chi [array content] |
+| by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:96:3:96:19 | Store |
 | by_reference.cpp:102:21:102:39 | Chi [a] | by_reference.cpp:110:27:110:27 | a |
 | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | by_reference.cpp:102:21:102:39 | Chi [a] |
+| by_reference.cpp:104:15:104:22 | Chi [array content] | by_reference.cpp:112:14:112:14 | a |
+| by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] | by_reference.cpp:104:15:104:22 | Chi [array content] |
 | by_reference.cpp:106:21:106:41 | Chi [a] | by_reference.cpp:114:29:114:29 | a |
 | by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] | by_reference.cpp:106:21:106:41 | Chi [a] |
+| by_reference.cpp:108:15:108:24 | Chi [array content] | by_reference.cpp:116:16:116:16 | a |
+| by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] | by_reference.cpp:108:15:108:24 | Chi [array content] |
 | by_reference.cpp:122:21:122:38 | Chi [a] | by_reference.cpp:130:27:130:27 | a |
 | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | by_reference.cpp:122:21:122:38 | Chi [a] |
+| by_reference.cpp:124:15:124:21 | Chi [array content] | by_reference.cpp:132:14:132:14 | a |
+| by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] | by_reference.cpp:124:15:124:21 | Chi [array content] |
 | by_reference.cpp:126:21:126:40 | Chi [a] | by_reference.cpp:134:29:134:29 | a |
 | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] | by_reference.cpp:126:21:126:40 | Chi [a] |
+| by_reference.cpp:128:15:128:23 | Chi [array content] | by_reference.cpp:136:16:136:16 | a |
+| by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] | by_reference.cpp:128:15:128:23 | Chi [array content] |
 | complex.cpp:40:17:40:17 | *b [a_] | complex.cpp:51:16:51:16 | Argument -1 indirection [a_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:51:16:51:16 | Argument -1 indirection [b_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:52:16:52:16 | Argument -1 indirection [b_] |
@@ -264,6 +285,12 @@ nodes
 | aliasing.cpp:98:10:98:19 | call to user_input | semmle.label | call to user_input |
 | aliasing.cpp:100:14:100:14 | Store [m1] | semmle.label | Store [m1] |
 | aliasing.cpp:102:8:102:10 | * ... | semmle.label | * ... |
+| aliasing.cpp:106:3:106:20 | Chi [array content] | semmle.label | Chi [array content] |
+| aliasing.cpp:106:3:106:20 | Store | semmle.label | Store |
+| aliasing.cpp:106:9:106:18 | call to user_input | semmle.label | call to user_input |
+| aliasing.cpp:111:15:111:19 | Chi [array content] | semmle.label | Chi [array content] |
+| aliasing.cpp:111:15:111:19 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
+| aliasing.cpp:112:10:112:11 | m2 | semmle.label | m2 |
 | arrays.cpp:6:12:6:21 | call to user_input | semmle.label | call to user_input |
 | arrays.cpp:7:8:7:13 | access to array | semmle.label | access to array |
 | arrays.cpp:9:8:9:11 | * ... | semmle.label | * ... |
@@ -294,18 +321,36 @@ nodes
 | by_reference.cpp:88:3:88:24 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:88:3:88:24 | Store | semmle.label | Store |
 | by_reference.cpp:88:13:88:22 | call to user_input | semmle.label | call to user_input |
+| by_reference.cpp:92:3:92:20 | Chi [array content] | semmle.label | Chi [array content] |
+| by_reference.cpp:92:3:92:20 | Store | semmle.label | Store |
+| by_reference.cpp:92:9:92:18 | call to user_input | semmle.label | call to user_input |
+| by_reference.cpp:96:3:96:19 | Chi [array content] | semmle.label | Chi [array content] |
+| by_reference.cpp:96:3:96:19 | Store | semmle.label | Store |
+| by_reference.cpp:96:8:96:17 | call to user_input | semmle.label | call to user_input |
 | by_reference.cpp:102:21:102:39 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:102:21:102:39 | taint_inner_a_ptr output argument [a] | semmle.label | taint_inner_a_ptr output argument [a] |
+| by_reference.cpp:104:15:104:22 | Chi [array content] | semmle.label | Chi [array content] |
+| by_reference.cpp:104:15:104:22 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
 | by_reference.cpp:106:21:106:41 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:106:21:106:41 | taint_inner_a_ptr output argument [a] | semmle.label | taint_inner_a_ptr output argument [a] |
+| by_reference.cpp:108:15:108:24 | Chi [array content] | semmle.label | Chi [array content] |
+| by_reference.cpp:108:15:108:24 | taint_a_ptr output argument [array content] | semmle.label | taint_a_ptr output argument [array content] |
 | by_reference.cpp:110:27:110:27 | a | semmle.label | a |
+| by_reference.cpp:112:14:112:14 | a | semmle.label | a |
 | by_reference.cpp:114:29:114:29 | a | semmle.label | a |
+| by_reference.cpp:116:16:116:16 | a | semmle.label | a |
 | by_reference.cpp:122:21:122:38 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:122:21:122:38 | taint_inner_a_ref output argument [a] | semmle.label | taint_inner_a_ref output argument [a] |
+| by_reference.cpp:124:15:124:21 | Chi [array content] | semmle.label | Chi [array content] |
+| by_reference.cpp:124:15:124:21 | taint_a_ref output argument [array content] | semmle.label | taint_a_ref output argument [array content] |
 | by_reference.cpp:126:21:126:40 | Chi [a] | semmle.label | Chi [a] |
 | by_reference.cpp:126:21:126:40 | taint_inner_a_ref output argument [a] | semmle.label | taint_inner_a_ref output argument [a] |
+| by_reference.cpp:128:15:128:23 | Chi [array content] | semmle.label | Chi [array content] |
+| by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] | semmle.label | taint_a_ref output argument [array content] |
 | by_reference.cpp:130:27:130:27 | a | semmle.label | a |
+| by_reference.cpp:132:14:132:14 | a | semmle.label | a |
 | by_reference.cpp:134:29:134:29 | a | semmle.label | a |
+| by_reference.cpp:136:16:136:16 | a | semmle.label | a |
 | complex.cpp:40:17:40:17 | *b [a_] | semmle.label | *b [a_] |
 | complex.cpp:40:17:40:17 | *b [b_] | semmle.label | *b [b_] |
 | complex.cpp:51:16:51:16 | Argument -1 indirection [a_] | semmle.label | Argument -1 indirection [a_] |
@@ -415,6 +460,7 @@ nodes
 | aliasing.cpp:87:12:87:13 | m1 | aliasing.cpp:86:10:86:19 | call to user_input | aliasing.cpp:87:12:87:13 | m1 | m1 flows from $@ | aliasing.cpp:86:10:86:19 | call to user_input | call to user_input |
 | aliasing.cpp:93:12:93:13 | m1 | aliasing.cpp:92:12:92:21 | call to user_input | aliasing.cpp:93:12:93:13 | m1 | m1 flows from $@ | aliasing.cpp:92:12:92:21 | call to user_input | call to user_input |
 | aliasing.cpp:102:8:102:10 | * ... | aliasing.cpp:98:10:98:19 | call to user_input | aliasing.cpp:102:8:102:10 | * ... | * ... flows from $@ | aliasing.cpp:98:10:98:19 | call to user_input | call to user_input |
+| aliasing.cpp:112:10:112:11 | m2 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:112:10:112:11 | m2 | m2 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
 | arrays.cpp:7:8:7:13 | access to array | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:7:8:7:13 | access to array | access to array flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
 | arrays.cpp:9:8:9:11 | * ... | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:9:8:9:11 | * ... | * ... flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
 | arrays.cpp:10:8:10:15 | * ... | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:10:8:10:15 | * ... | * ... flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
@@ -425,9 +471,13 @@ nodes
 | by_reference.cpp:63:10:63:28 | call to getThroughNonMember | by_reference.cpp:62:25:62:34 | call to user_input | by_reference.cpp:63:10:63:28 | call to getThroughNonMember | call to getThroughNonMember flows from $@ | by_reference.cpp:62:25:62:34 | call to user_input | call to user_input |
 | by_reference.cpp:69:8:69:20 | call to nonMemberGetA | by_reference.cpp:68:21:68:30 | call to user_input | by_reference.cpp:69:8:69:20 | call to nonMemberGetA | call to nonMemberGetA flows from $@ | by_reference.cpp:68:21:68:30 | call to user_input | call to user_input |
 | by_reference.cpp:110:27:110:27 | a | by_reference.cpp:84:14:84:23 | call to user_input | by_reference.cpp:110:27:110:27 | a | a flows from $@ | by_reference.cpp:84:14:84:23 | call to user_input | call to user_input |
+| by_reference.cpp:112:14:112:14 | a | by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:112:14:112:14 | a | a flows from $@ | by_reference.cpp:92:9:92:18 | call to user_input | call to user_input |
 | by_reference.cpp:114:29:114:29 | a | by_reference.cpp:84:14:84:23 | call to user_input | by_reference.cpp:114:29:114:29 | a | a flows from $@ | by_reference.cpp:84:14:84:23 | call to user_input | call to user_input |
+| by_reference.cpp:116:16:116:16 | a | by_reference.cpp:92:9:92:18 | call to user_input | by_reference.cpp:116:16:116:16 | a | a flows from $@ | by_reference.cpp:92:9:92:18 | call to user_input | call to user_input |
 | by_reference.cpp:130:27:130:27 | a | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:130:27:130:27 | a | a flows from $@ | by_reference.cpp:88:13:88:22 | call to user_input | call to user_input |
+| by_reference.cpp:132:14:132:14 | a | by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:132:14:132:14 | a | a flows from $@ | by_reference.cpp:96:8:96:17 | call to user_input | call to user_input |
 | by_reference.cpp:134:29:134:29 | a | by_reference.cpp:88:13:88:22 | call to user_input | by_reference.cpp:134:29:134:29 | a | a flows from $@ | by_reference.cpp:88:13:88:22 | call to user_input | call to user_input |
+| by_reference.cpp:136:16:136:16 | a | by_reference.cpp:96:8:96:17 | call to user_input | by_reference.cpp:136:16:136:16 | a | a flows from $@ | by_reference.cpp:96:8:96:17 | call to user_input | call to user_input |
 | complex.cpp:51:18:51:18 | call to a | complex.cpp:62:19:62:28 | call to user_input | complex.cpp:51:18:51:18 | call to a | call to a flows from $@ | complex.cpp:62:19:62:28 | call to user_input | call to user_input |
 | complex.cpp:51:18:51:18 | call to a | complex.cpp:64:19:64:28 | call to user_input | complex.cpp:51:18:51:18 | call to a | call to a flows from $@ | complex.cpp:64:19:64:28 | call to user_input | call to user_input |
 | complex.cpp:52:18:52:18 | call to b | complex.cpp:63:19:63:28 | call to user_input | complex.cpp:52:18:52:18 | call to b | call to b flows from $@ | complex.cpp:63:19:63:28 | call to user_input | call to user_input |
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
@@ -158,7 +158,11 @@
 | aliasing.cpp:92:3:92:3 | w | AST only |
 | aliasing.cpp:92:7:92:8 | m1 | AST only |
 | aliasing.cpp:98:5:98:6 | m1 | AST only |
+| aliasing.cpp:106:3:106:5 | * ... | AST only |
+| aliasing.cpp:111:15:111:19 | & ... | AST only |
+| aliasing.cpp:111:16:111:16 | s | AST only |
 | arrays.cpp:6:3:6:8 | access to array | AST only |
+| arrays.cpp:6:3:6:23 | arr | IR only |
 | arrays.cpp:15:3:15:10 | * ... | AST only |
 | arrays.cpp:36:3:36:3 | o | AST only |
 | arrays.cpp:36:5:36:10 | nested | AST only |
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected
@@ -27,6 +27,7 @@
 | aliasing.cpp:86:3:86:3 | s |
 | aliasing.cpp:92:5:92:5 | s |
 | aliasing.cpp:98:3:98:3 | s |
+| arrays.cpp:6:3:6:5 | arr |
 | arrays.cpp:36:3:36:17 | access to array |
 | by_reference.cpp:12:5:12:5 | s |
 | by_reference.cpp:16:5:16:8 | this |
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected
@@ -187,6 +187,9 @@
 | aliasing.cpp:92:7:92:8 | m1 |
 | aliasing.cpp:98:3:98:3 | s |
 | aliasing.cpp:98:5:98:6 | m1 |
+| aliasing.cpp:106:3:106:5 | * ... |
+| aliasing.cpp:111:15:111:19 | & ... |
+| aliasing.cpp:111:16:111:16 | s |
 | arrays.cpp:6:3:6:8 | access to array |
 | arrays.cpp:15:3:15:10 | * ... |
 | arrays.cpp:36:3:36:3 | o |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -514,12 +514,12 @@
 | standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:53:12:53:18 | source1 |  |
 | standalone_iterators.cpp:51:37:51:43 | source1 | standalone_iterators.cpp:54:14:54:20 | source1 |  |
 | standalone_iterators.cpp:53:12:53:18 | ref arg source1 | standalone_iterators.cpp:54:14:54:20 | source1 |  |
-| stl.h:204:30:204:40 | call to allocator | stl.h:204:21:204:41 | noexcept(...) | TAINT |
-| stl.h:204:30:204:40 | call to allocator | stl.h:204:21:204:41 | noexcept(...) | TAINT |
-| stl.h:204:30:204:40 | call to allocator | stl.h:204:21:204:41 | noexcept(...) | TAINT |
-| stl.h:204:30:204:40 | call to allocator | stl.h:204:21:204:41 | noexcept(...) | TAINT |
-| stl.h:204:30:204:40 | call to allocator | stl.h:204:21:204:41 | noexcept(...) | TAINT |
-| stl.h:204:53:204:63 | 0 | stl.h:204:46:204:64 | (no string representation) | TAINT |
+| stl.h:216:30:216:40 | call to allocator | stl.h:216:21:216:41 | noexcept(...) | TAINT |
+| stl.h:216:30:216:40 | call to allocator | stl.h:216:21:216:41 | noexcept(...) | TAINT |
+| stl.h:216:30:216:40 | call to allocator | stl.h:216:21:216:41 | noexcept(...) | TAINT |
+| stl.h:216:30:216:40 | call to allocator | stl.h:216:21:216:41 | noexcept(...) | TAINT |
+| stl.h:216:30:216:40 | call to allocator | stl.h:216:21:216:41 | noexcept(...) | TAINT |
+| stl.h:216:53:216:63 | 0 | stl.h:216:46:216:64 | (no string representation) | TAINT |
 | string.cpp:24:12:24:17 | call to source | string.cpp:28:7:28:7 | a |  |
 | string.cpp:25:16:25:20 | 123 | string.cpp:25:16:25:21 | call to basic_string | TAINT |
 | string.cpp:25:16:25:21 | call to basic_string | string.cpp:29:7:29:7 | b |  |
@@ -1568,9 +1568,13 @@
 | stringstream.cpp:76:14:76:19 | source | stringstream.cpp:76:11:76:11 | call to operator<< | TAINT |
 | stringstream.cpp:77:7:77:9 | ref arg ss1 | stringstream.cpp:80:7:80:9 | ss1 |  |
 | stringstream.cpp:77:7:77:9 | ref arg ss1 | stringstream.cpp:82:7:82:9 | ss1 |  |
+| stringstream.cpp:77:7:77:9 | ss1 | stringstream.cpp:77:11:77:11 | call to operator>> |  |
+| stringstream.cpp:77:7:77:9 | ss1 | stringstream.cpp:77:14:77:15 | ref arg v1 | TAINT |
 | stringstream.cpp:77:14:77:15 | ref arg v1 | stringstream.cpp:84:7:84:8 | v1 |  |
 | stringstream.cpp:78:7:78:9 | ref arg ss2 | stringstream.cpp:81:7:81:9 | ss2 |  |
 | stringstream.cpp:78:7:78:9 | ref arg ss2 | stringstream.cpp:83:7:83:9 | ss2 |  |
+| stringstream.cpp:78:7:78:9 | ss2 | stringstream.cpp:78:11:78:11 | call to operator>> |  |
+| stringstream.cpp:78:7:78:9 | ss2 | stringstream.cpp:78:14:78:15 | ref arg v2 | TAINT |
 | stringstream.cpp:78:14:78:15 | ref arg v2 | stringstream.cpp:85:7:85:8 | v2 |  |
 | stringstream.cpp:82:7:82:9 | ss1 | stringstream.cpp:82:11:82:13 | call to str | TAINT |
 | stringstream.cpp:83:7:83:9 | ss2 | stringstream.cpp:83:11:83:13 | call to str | TAINT |
@@ -1619,9 +1623,13 @@
 | stringstream.cpp:115:24:115:32 | call to basic_stringstream | stringstream.cpp:118:2:118:4 | ss4 |  |
 | stringstream.cpp:115:24:115:32 | call to basic_stringstream | stringstream.cpp:123:7:123:9 | ss4 |  |
 | stringstream.cpp:117:2:117:4 | ref arg ss1 | stringstream.cpp:120:7:120:9 | ss1 |  |
+| stringstream.cpp:117:2:117:4 | ss1 | stringstream.cpp:117:11:117:13 | ref arg ss2 | TAINT |
 | stringstream.cpp:117:11:117:13 | ref arg ss2 | stringstream.cpp:121:7:121:9 | ss2 |  |
+| stringstream.cpp:117:11:117:13 | ss2 | stringstream.cpp:117:2:117:4 | ref arg ss1 | TAINT |
 | stringstream.cpp:118:2:118:4 | ref arg ss4 | stringstream.cpp:123:7:123:9 | ss4 |  |
+| stringstream.cpp:118:2:118:4 | ss4 | stringstream.cpp:118:11:118:13 | ref arg ss3 | TAINT |
 | stringstream.cpp:118:11:118:13 | ref arg ss3 | stringstream.cpp:122:7:122:9 | ss3 |  |
+| stringstream.cpp:118:11:118:13 | ss3 | stringstream.cpp:118:2:118:4 | ref arg ss4 | TAINT |
 | stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:142:7:142:9 | ss1 |  |
 | stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:145:7:145:9 | ss1 |  |
 | stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:153:7:153:9 | ss1 |  |
@@ -1715,6 +1723,8 @@
 | stringstream.cpp:145:7:145:9 | ref arg ss1 | stringstream.cpp:174:12:174:14 | ss1 |  |
 | stringstream.cpp:145:7:145:9 | ref arg ss1 | stringstream.cpp:176:12:176:14 | ss1 |  |
 | stringstream.cpp:145:7:145:9 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:145:7:145:9 | ss1 | stringstream.cpp:145:11:145:11 | call to operator>> |  |
+| stringstream.cpp:145:7:145:9 | ss1 | stringstream.cpp:145:14:145:15 | ref arg s1 | TAINT |
 | stringstream.cpp:145:14:145:15 | ref arg s1 | stringstream.cpp:148:7:148:8 | s1 |  |
 | stringstream.cpp:146:7:146:9 | ref arg ss2 | stringstream.cpp:147:7:147:9 | ss2 |  |
 | stringstream.cpp:146:7:146:9 | ref arg ss2 | stringstream.cpp:154:7:154:9 | ss2 |  |
@@ -1725,6 +1735,8 @@
 | stringstream.cpp:146:7:146:9 | ref arg ss2 | stringstream.cpp:175:12:175:14 | ss2 |  |
 | stringstream.cpp:146:7:146:9 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:146:7:146:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:146:7:146:9 | ss2 | stringstream.cpp:146:11:146:11 | call to operator>> |  |
+| stringstream.cpp:146:7:146:9 | ss2 | stringstream.cpp:146:14:146:15 | ref arg s2 | TAINT |
 | stringstream.cpp:146:14:146:15 | ref arg s2 | stringstream.cpp:149:7:149:8 | s2 |  |
 | stringstream.cpp:147:7:147:9 | ref arg ss2 | stringstream.cpp:154:7:154:9 | ss2 |  |
 | stringstream.cpp:147:7:147:9 | ref arg ss2 | stringstream.cpp:155:7:155:9 | ss2 |  |
@@ -1734,6 +1746,11 @@
 | stringstream.cpp:147:7:147:9 | ref arg ss2 | stringstream.cpp:175:12:175:14 | ss2 |  |
 | stringstream.cpp:147:7:147:9 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:147:7:147:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:147:7:147:9 | ss2 | stringstream.cpp:147:11:147:11 | call to operator>> |  |
+| stringstream.cpp:147:7:147:9 | ss2 | stringstream.cpp:147:14:147:15 | ref arg s3 | TAINT |
+| stringstream.cpp:147:11:147:11 | call to operator>> | stringstream.cpp:147:17:147:17 | call to operator>> |  |
+| stringstream.cpp:147:11:147:11 | call to operator>> | stringstream.cpp:147:20:147:21 | ref arg s4 | TAINT |
+| stringstream.cpp:147:11:147:11 | ref arg call to operator>> | stringstream.cpp:147:7:147:9 | ref arg ss2 | TAINT |
 | stringstream.cpp:147:14:147:15 | ref arg s3 | stringstream.cpp:150:7:150:8 | s3 |  |
 | stringstream.cpp:147:20:147:21 | ref arg s4 | stringstream.cpp:151:7:151:8 | s4 |  |
 | stringstream.cpp:153:7:153:9 | ref arg ss1 | stringstream.cpp:161:7:161:9 | ss1 |  |
@@ -1742,6 +1759,8 @@
 | stringstream.cpp:153:7:153:9 | ref arg ss1 | stringstream.cpp:174:12:174:14 | ss1 |  |
 | stringstream.cpp:153:7:153:9 | ref arg ss1 | stringstream.cpp:176:12:176:14 | ss1 |  |
 | stringstream.cpp:153:7:153:9 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:153:7:153:9 | ss1 | stringstream.cpp:153:11:153:11 | call to operator>> |  |
+| stringstream.cpp:153:7:153:9 | ss1 | stringstream.cpp:153:14:153:15 | ref arg b1 | TAINT |
 | stringstream.cpp:153:14:153:15 | ref arg b1 | stringstream.cpp:156:7:156:8 | b1 |  |
 | stringstream.cpp:154:7:154:9 | ref arg ss2 | stringstream.cpp:155:7:155:9 | ss2 |  |
 | stringstream.cpp:154:7:154:9 | ref arg ss2 | stringstream.cpp:162:7:162:9 | ss2 |  |
@@ -1750,6 +1769,8 @@
 | stringstream.cpp:154:7:154:9 | ref arg ss2 | stringstream.cpp:175:12:175:14 | ss2 |  |
 | stringstream.cpp:154:7:154:9 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:154:7:154:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:154:7:154:9 | ss2 | stringstream.cpp:154:11:154:11 | call to operator>> |  |
+| stringstream.cpp:154:7:154:9 | ss2 | stringstream.cpp:154:14:154:15 | ref arg b2 | TAINT |
 | stringstream.cpp:154:14:154:15 | ref arg b2 | stringstream.cpp:157:7:157:8 | b2 |  |
 | stringstream.cpp:155:7:155:9 | ref arg ss2 | stringstream.cpp:162:7:162:9 | ss2 |  |
 | stringstream.cpp:155:7:155:9 | ref arg ss2 | stringstream.cpp:164:7:164:9 | ss2 |  |
@@ -1757,6 +1778,11 @@
 | stringstream.cpp:155:7:155:9 | ref arg ss2 | stringstream.cpp:175:12:175:14 | ss2 |  |
 | stringstream.cpp:155:7:155:9 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:155:7:155:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:155:7:155:9 | ss2 | stringstream.cpp:155:11:155:11 | call to operator>> |  |
+| stringstream.cpp:155:7:155:9 | ss2 | stringstream.cpp:155:14:155:15 | ref arg b3 | TAINT |
+| stringstream.cpp:155:11:155:11 | call to operator>> | stringstream.cpp:155:17:155:17 | call to operator>> |  |
+| stringstream.cpp:155:11:155:11 | call to operator>> | stringstream.cpp:155:20:155:21 | ref arg b4 | TAINT |
+| stringstream.cpp:155:11:155:11 | ref arg call to operator>> | stringstream.cpp:155:7:155:9 | ref arg ss2 | TAINT |
 | stringstream.cpp:155:14:155:15 | ref arg b3 | stringstream.cpp:158:7:158:8 | b3 |  |
 | stringstream.cpp:155:20:155:21 | ref arg b4 | stringstream.cpp:159:7:159:8 | b4 |  |
 | stringstream.cpp:156:7:156:8 | b1 | stringstream.cpp:156:7:156:8 | call to basic_string | TAINT |
@@ -1768,30 +1794,40 @@
 | stringstream.cpp:161:7:161:9 | ref arg ss1 | stringstream.cpp:174:12:174:14 | ss1 |  |
 | stringstream.cpp:161:7:161:9 | ref arg ss1 | stringstream.cpp:176:12:176:14 | ss1 |  |
 | stringstream.cpp:161:7:161:9 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:161:7:161:9 | ss1 | stringstream.cpp:161:11:161:14 | call to read |  |
+| stringstream.cpp:161:7:161:9 | ss1 | stringstream.cpp:161:16:161:17 | ref arg b5 | TAINT |
 | stringstream.cpp:161:16:161:17 | ref arg b5 | stringstream.cpp:167:7:167:8 | b5 |  |
 | stringstream.cpp:162:7:162:9 | ref arg ss2 | stringstream.cpp:164:7:164:9 | ss2 |  |
 | stringstream.cpp:162:7:162:9 | ref arg ss2 | stringstream.cpp:166:7:166:9 | ss2 |  |
 | stringstream.cpp:162:7:162:9 | ref arg ss2 | stringstream.cpp:175:12:175:14 | ss2 |  |
 | stringstream.cpp:162:7:162:9 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:162:7:162:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:162:7:162:9 | ss2 | stringstream.cpp:162:11:162:14 | call to read |  |
+| stringstream.cpp:162:7:162:9 | ss2 | stringstream.cpp:162:16:162:17 | ref arg b6 | TAINT |
 | stringstream.cpp:162:16:162:17 | ref arg b6 | stringstream.cpp:168:7:168:8 | b6 |  |
 | stringstream.cpp:163:7:163:9 | ref arg ss1 | stringstream.cpp:165:7:165:9 | ss1 |  |
 | stringstream.cpp:163:7:163:9 | ref arg ss1 | stringstream.cpp:174:12:174:14 | ss1 |  |
 | stringstream.cpp:163:7:163:9 | ref arg ss1 | stringstream.cpp:176:12:176:14 | ss1 |  |
 | stringstream.cpp:163:7:163:9 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:163:7:163:9 | ss1 | stringstream.cpp:163:20:163:21 | ref arg b7 | TAINT |
 | stringstream.cpp:163:20:163:21 | ref arg b7 | stringstream.cpp:169:7:169:8 | b7 |  |
 | stringstream.cpp:164:7:164:9 | ref arg ss2 | stringstream.cpp:166:7:166:9 | ss2 |  |
 | stringstream.cpp:164:7:164:9 | ref arg ss2 | stringstream.cpp:175:12:175:14 | ss2 |  |
 | stringstream.cpp:164:7:164:9 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:164:7:164:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:164:7:164:9 | ss2 | stringstream.cpp:164:20:164:21 | ref arg b8 | TAINT |
 | stringstream.cpp:164:20:164:21 | ref arg b8 | stringstream.cpp:170:7:170:8 | b8 |  |
 | stringstream.cpp:165:7:165:9 | ref arg ss1 | stringstream.cpp:174:12:174:14 | ss1 |  |
 | stringstream.cpp:165:7:165:9 | ref arg ss1 | stringstream.cpp:176:12:176:14 | ss1 |  |
 | stringstream.cpp:165:7:165:9 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:165:7:165:9 | ss1 | stringstream.cpp:165:11:165:13 | call to get |  |
+| stringstream.cpp:165:7:165:9 | ss1 | stringstream.cpp:165:15:165:16 | ref arg b9 | TAINT |
 | stringstream.cpp:165:15:165:16 | ref arg b9 | stringstream.cpp:171:7:171:8 | b9 |  |
 | stringstream.cpp:166:7:166:9 | ref arg ss2 | stringstream.cpp:175:12:175:14 | ss2 |  |
 | stringstream.cpp:166:7:166:9 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:166:7:166:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:166:7:166:9 | ss2 | stringstream.cpp:166:11:166:13 | call to get |  |
+| stringstream.cpp:166:7:166:9 | ss2 | stringstream.cpp:166:15:166:17 | ref arg b10 | TAINT |
 | stringstream.cpp:166:15:166:17 | ref arg b10 | stringstream.cpp:172:7:172:9 | b10 |  |
 | stringstream.cpp:167:7:167:8 | b5 | stringstream.cpp:167:7:167:8 | call to basic_string | TAINT |
 | stringstream.cpp:168:7:168:8 | b6 | stringstream.cpp:168:7:168:8 | call to basic_string | TAINT |
@@ -1802,22 +1838,30 @@
 | stringstream.cpp:174:7:174:8 | c1 | stringstream.cpp:174:7:174:20 | ... = ... |  |
 | stringstream.cpp:174:12:174:14 | ref arg ss1 | stringstream.cpp:176:12:176:14 | ss1 |  |
 | stringstream.cpp:174:12:174:14 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:174:12:174:14 | ss1 | stringstream.cpp:174:16:174:18 | call to get | TAINT |
 | stringstream.cpp:174:16:174:18 | call to get | stringstream.cpp:174:7:174:20 | ... = ... |  |
 | stringstream.cpp:174:16:174:18 | call to get | stringstream.cpp:180:7:180:8 | c1 |  |
 | stringstream.cpp:175:7:175:8 | c2 | stringstream.cpp:175:7:175:20 | ... = ... |  |
 | stringstream.cpp:175:12:175:14 | ref arg ss2 | stringstream.cpp:177:12:177:14 | ss2 |  |
 | stringstream.cpp:175:12:175:14 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:175:12:175:14 | ss2 | stringstream.cpp:175:16:175:18 | call to get | TAINT |
 | stringstream.cpp:175:16:175:18 | call to get | stringstream.cpp:175:7:175:20 | ... = ... |  |
 | stringstream.cpp:175:16:175:18 | call to get | stringstream.cpp:181:7:181:8 | c2 |  |
 | stringstream.cpp:176:7:176:8 | c3 | stringstream.cpp:176:7:176:21 | ... = ... |  |
 | stringstream.cpp:176:12:176:14 | ref arg ss1 | stringstream.cpp:178:7:178:9 | ss1 |  |
+| stringstream.cpp:176:12:176:14 | ss1 | stringstream.cpp:176:16:176:19 | call to peek | TAINT |
 | stringstream.cpp:176:16:176:19 | call to peek | stringstream.cpp:176:7:176:21 | ... = ... |  |
 | stringstream.cpp:176:16:176:19 | call to peek | stringstream.cpp:182:7:182:8 | c3 |  |
 | stringstream.cpp:177:7:177:8 | c4 | stringstream.cpp:177:7:177:21 | ... = ... |  |
 | stringstream.cpp:177:12:177:14 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
+| stringstream.cpp:177:12:177:14 | ss2 | stringstream.cpp:177:16:177:19 | call to peek | TAINT |
 | stringstream.cpp:177:16:177:19 | call to peek | stringstream.cpp:177:7:177:21 | ... = ... |  |
 | stringstream.cpp:177:16:177:19 | call to peek | stringstream.cpp:183:7:183:8 | c4 |  |
+| stringstream.cpp:178:7:178:9 | ss1 | stringstream.cpp:178:11:178:13 | call to get |  |
+| stringstream.cpp:178:7:178:9 | ss1 | stringstream.cpp:178:15:178:16 | ref arg c5 | TAINT |
 | stringstream.cpp:178:15:178:16 | ref arg c5 | stringstream.cpp:184:7:184:8 | c5 |  |
+| stringstream.cpp:179:7:179:9 | ss2 | stringstream.cpp:179:11:179:13 | call to get |  |
+| stringstream.cpp:179:7:179:9 | ss2 | stringstream.cpp:179:15:179:16 | ref arg c6 | TAINT |
 | stringstream.cpp:179:15:179:16 | ref arg c6 | stringstream.cpp:185:7:185:8 | c6 |  |
 | stringstream.cpp:190:20:190:21 | call to basic_stringstream | stringstream.cpp:192:7:192:8 | ss |  |
 | stringstream.cpp:190:20:190:21 | call to basic_stringstream | stringstream.cpp:193:7:193:8 | ss |  |
@@ -1837,12 +1881,272 @@
 | stringstream.cpp:193:7:193:8 | ref arg ss | stringstream.cpp:195:7:195:8 | ss |  |
 | stringstream.cpp:193:7:193:8 | ref arg ss | stringstream.cpp:196:7:196:8 | ss |  |
 | stringstream.cpp:193:7:193:8 | ref arg ss | stringstream.cpp:197:7:197:8 | ss |  |
+| stringstream.cpp:193:7:193:8 | ss | stringstream.cpp:193:10:193:12 | call to get | TAINT |
 | stringstream.cpp:194:7:194:8 | ref arg ss | stringstream.cpp:195:7:195:8 | ss |  |
 | stringstream.cpp:194:7:194:8 | ref arg ss | stringstream.cpp:196:7:196:8 | ss |  |
 | stringstream.cpp:194:7:194:8 | ref arg ss | stringstream.cpp:197:7:197:8 | ss |  |
+| stringstream.cpp:194:7:194:8 | ss | stringstream.cpp:194:10:194:16 | call to putback |  |
+| stringstream.cpp:194:18:194:20 | 98 | stringstream.cpp:194:7:194:8 | ref arg ss | TAINT |
+| stringstream.cpp:194:18:194:20 | 98 | stringstream.cpp:194:10:194:16 | call to putback | TAINT |
 | stringstream.cpp:195:7:195:8 | ref arg ss | stringstream.cpp:196:7:196:8 | ss |  |
 | stringstream.cpp:195:7:195:8 | ref arg ss | stringstream.cpp:197:7:197:8 | ss |  |
+| stringstream.cpp:195:7:195:8 | ss | stringstream.cpp:195:10:195:12 | call to get | TAINT |
 | stringstream.cpp:196:7:196:8 | ref arg ss | stringstream.cpp:197:7:197:8 | ss |  |
+| stringstream.cpp:196:7:196:8 | ss | stringstream.cpp:196:10:196:16 | call to putback |  |
+| stringstream.cpp:196:18:196:32 | call to source | stringstream.cpp:196:7:196:8 | ref arg ss | TAINT |
+| stringstream.cpp:196:18:196:32 | call to source | stringstream.cpp:196:10:196:16 | call to putback | TAINT |
+| stringstream.cpp:197:7:197:8 | ss | stringstream.cpp:197:10:197:12 | call to get | TAINT |
+| stringstream.cpp:202:24:202:28 | abc | stringstream.cpp:202:24:202:28 | call to basic_string | TAINT |
+| stringstream.cpp:202:24:202:28 | call to basic_string | stringstream.cpp:202:24:202:29 | call to basic_stringstream | TAINT |
+| stringstream.cpp:202:24:202:29 | call to basic_stringstream | stringstream.cpp:214:7:214:9 | ss1 |  |
+| stringstream.cpp:202:24:202:29 | call to basic_stringstream | stringstream.cpp:217:7:217:9 | ss1 |  |
+| stringstream.cpp:202:24:202:29 | call to basic_stringstream | stringstream.cpp:222:7:222:9 | ss1 |  |
+| stringstream.cpp:202:24:202:29 | call to basic_stringstream | stringstream.cpp:225:7:225:9 | ss1 |  |
+| stringstream.cpp:202:24:202:29 | call to basic_stringstream | stringstream.cpp:234:15:234:17 | ss1 |  |
+| stringstream.cpp:202:24:202:29 | call to basic_stringstream | stringstream.cpp:237:15:237:17 | ss1 |  |
+| stringstream.cpp:202:24:202:29 | call to basic_stringstream | stringstream.cpp:242:15:242:17 | ss1 |  |
+| stringstream.cpp:202:24:202:29 | call to basic_stringstream | stringstream.cpp:245:15:245:17 | ss1 |  |
+| stringstream.cpp:203:24:203:29 | call to source | stringstream.cpp:203:24:203:31 | call to basic_string | TAINT |
+| stringstream.cpp:203:24:203:31 | call to basic_string | stringstream.cpp:203:24:203:32 | call to basic_stringstream | TAINT |
+| stringstream.cpp:203:24:203:32 | call to basic_stringstream | stringstream.cpp:215:7:215:9 | ss2 |  |
+| stringstream.cpp:203:24:203:32 | call to basic_stringstream | stringstream.cpp:216:7:216:9 | ss2 |  |
+| stringstream.cpp:203:24:203:32 | call to basic_stringstream | stringstream.cpp:223:7:223:9 | ss2 |  |
+| stringstream.cpp:203:24:203:32 | call to basic_stringstream | stringstream.cpp:224:7:224:9 | ss2 |  |
+| stringstream.cpp:203:24:203:32 | call to basic_stringstream | stringstream.cpp:230:7:230:9 | ss2 |  |
+| stringstream.cpp:203:24:203:32 | call to basic_stringstream | stringstream.cpp:235:15:235:17 | ss2 |  |
+| stringstream.cpp:203:24:203:32 | call to basic_stringstream | stringstream.cpp:236:15:236:17 | ss2 |  |
+| stringstream.cpp:203:24:203:32 | call to basic_stringstream | stringstream.cpp:243:15:243:17 | ss2 |  |
+| stringstream.cpp:203:24:203:32 | call to basic_stringstream | stringstream.cpp:244:15:244:17 | ss2 |  |
+| stringstream.cpp:203:24:203:32 | call to basic_stringstream | stringstream.cpp:250:23:250:25 | ss2 |  |
+| stringstream.cpp:204:17:204:20 | {...} | stringstream.cpp:214:19:214:20 | b1 |  |
+| stringstream.cpp:204:17:204:20 | {...} | stringstream.cpp:218:7:218:8 | b1 |  |
+| stringstream.cpp:204:19:204:19 | 0 | stringstream.cpp:204:17:204:20 | {...} | TAINT |
+| stringstream.cpp:205:17:205:20 | {...} | stringstream.cpp:215:19:215:20 | b2 |  |
+| stringstream.cpp:205:17:205:20 | {...} | stringstream.cpp:219:7:219:8 | b2 |  |
+| stringstream.cpp:205:19:205:19 | 0 | stringstream.cpp:205:17:205:20 | {...} | TAINT |
+| stringstream.cpp:206:17:206:20 | {...} | stringstream.cpp:216:19:216:20 | b3 |  |
+| stringstream.cpp:206:17:206:20 | {...} | stringstream.cpp:217:19:217:20 | b3 |  |
+| stringstream.cpp:206:17:206:20 | {...} | stringstream.cpp:220:7:220:8 | b3 |  |
+| stringstream.cpp:206:19:206:19 | 0 | stringstream.cpp:206:17:206:20 | {...} | TAINT |
+| stringstream.cpp:207:17:207:20 | {...} | stringstream.cpp:222:19:222:20 | b4 |  |
+| stringstream.cpp:207:17:207:20 | {...} | stringstream.cpp:226:7:226:8 | b4 |  |
+| stringstream.cpp:207:19:207:19 | 0 | stringstream.cpp:207:17:207:20 | {...} | TAINT |
+| stringstream.cpp:208:17:208:20 | {...} | stringstream.cpp:223:19:223:20 | b5 |  |
+| stringstream.cpp:208:17:208:20 | {...} | stringstream.cpp:227:7:227:8 | b5 |  |
+| stringstream.cpp:208:19:208:19 | 0 | stringstream.cpp:208:17:208:20 | {...} | TAINT |
+| stringstream.cpp:209:17:209:20 | {...} | stringstream.cpp:224:19:224:20 | b6 |  |
+| stringstream.cpp:209:17:209:20 | {...} | stringstream.cpp:225:19:225:20 | b6 |  |
+| stringstream.cpp:209:17:209:20 | {...} | stringstream.cpp:228:7:228:8 | b6 |  |
+| stringstream.cpp:209:19:209:19 | 0 | stringstream.cpp:209:17:209:20 | {...} | TAINT |
+| stringstream.cpp:210:17:210:20 | {...} | stringstream.cpp:230:19:230:20 | b7 |  |
+| stringstream.cpp:210:17:210:20 | {...} | stringstream.cpp:231:7:231:8 | b7 |  |
+| stringstream.cpp:210:19:210:19 | 0 | stringstream.cpp:210:17:210:20 | {...} | TAINT |
+| stringstream.cpp:211:17:211:20 | {...} | stringstream.cpp:230:37:230:38 | b8 |  |
+| stringstream.cpp:211:17:211:20 | {...} | stringstream.cpp:232:7:232:8 | b8 |  |
+| stringstream.cpp:211:19:211:19 | 0 | stringstream.cpp:211:17:211:20 | {...} | TAINT |
+| stringstream.cpp:212:14:212:15 | call to basic_string | stringstream.cpp:234:20:234:21 | s1 |  |
+| stringstream.cpp:212:14:212:15 | call to basic_string | stringstream.cpp:238:7:238:8 | s1 |  |
+| stringstream.cpp:212:18:212:19 | call to basic_string | stringstream.cpp:235:20:235:21 | s2 |  |
+| stringstream.cpp:212:18:212:19 | call to basic_string | stringstream.cpp:239:7:239:8 | s2 |  |
+| stringstream.cpp:212:22:212:23 | call to basic_string | stringstream.cpp:236:20:236:21 | s3 |  |
+| stringstream.cpp:212:22:212:23 | call to basic_string | stringstream.cpp:237:20:237:21 | s3 |  |
+| stringstream.cpp:212:22:212:23 | call to basic_string | stringstream.cpp:240:7:240:8 | s3 |  |
+| stringstream.cpp:212:26:212:27 | call to basic_string | stringstream.cpp:242:20:242:21 | s4 |  |
+| stringstream.cpp:212:26:212:27 | call to basic_string | stringstream.cpp:246:7:246:8 | s4 |  |
+| stringstream.cpp:212:30:212:31 | call to basic_string | stringstream.cpp:243:20:243:21 | s5 |  |
+| stringstream.cpp:212:30:212:31 | call to basic_string | stringstream.cpp:247:7:247:8 | s5 |  |
+| stringstream.cpp:212:34:212:35 | call to basic_string | stringstream.cpp:244:20:244:21 | s6 |  |
+| stringstream.cpp:212:34:212:35 | call to basic_string | stringstream.cpp:245:20:245:21 | s6 |  |
+| stringstream.cpp:212:34:212:35 | call to basic_string | stringstream.cpp:248:7:248:8 | s6 |  |
+| stringstream.cpp:212:38:212:39 | call to basic_string | stringstream.cpp:250:28:250:29 | s7 |  |
+| stringstream.cpp:212:38:212:39 | call to basic_string | stringstream.cpp:251:7:251:8 | s7 |  |
+| stringstream.cpp:212:42:212:43 | call to basic_string | stringstream.cpp:250:33:250:34 | s8 |  |
+| stringstream.cpp:212:42:212:43 | call to basic_string | stringstream.cpp:252:7:252:8 | s8 |  |
+| stringstream.cpp:214:7:214:9 | ref arg ss1 | stringstream.cpp:217:7:217:9 | ss1 |  |
+| stringstream.cpp:214:7:214:9 | ref arg ss1 | stringstream.cpp:222:7:222:9 | ss1 |  |
+| stringstream.cpp:214:7:214:9 | ref arg ss1 | stringstream.cpp:225:7:225:9 | ss1 |  |
+| stringstream.cpp:214:7:214:9 | ref arg ss1 | stringstream.cpp:234:15:234:17 | ss1 |  |
+| stringstream.cpp:214:7:214:9 | ref arg ss1 | stringstream.cpp:237:15:237:17 | ss1 |  |
+| stringstream.cpp:214:7:214:9 | ref arg ss1 | stringstream.cpp:242:15:242:17 | ss1 |  |
+| stringstream.cpp:214:7:214:9 | ref arg ss1 | stringstream.cpp:245:15:245:17 | ss1 |  |
+| stringstream.cpp:214:7:214:9 | ss1 | stringstream.cpp:214:11:214:17 | call to getline |  |
+| stringstream.cpp:214:7:214:9 | ss1 | stringstream.cpp:214:19:214:20 | ref arg b1 | TAINT |
+| stringstream.cpp:214:19:214:20 | ref arg b1 | stringstream.cpp:218:7:218:8 | b1 |  |
+| stringstream.cpp:215:7:215:9 | ref arg ss2 | stringstream.cpp:216:7:216:9 | ss2 |  |
+| stringstream.cpp:215:7:215:9 | ref arg ss2 | stringstream.cpp:223:7:223:9 | ss2 |  |
+| stringstream.cpp:215:7:215:9 | ref arg ss2 | stringstream.cpp:224:7:224:9 | ss2 |  |
+| stringstream.cpp:215:7:215:9 | ref arg ss2 | stringstream.cpp:230:7:230:9 | ss2 |  |
+| stringstream.cpp:215:7:215:9 | ref arg ss2 | stringstream.cpp:235:15:235:17 | ss2 |  |
+| stringstream.cpp:215:7:215:9 | ref arg ss2 | stringstream.cpp:236:15:236:17 | ss2 |  |
+| stringstream.cpp:215:7:215:9 | ref arg ss2 | stringstream.cpp:243:15:243:17 | ss2 |  |
+| stringstream.cpp:215:7:215:9 | ref arg ss2 | stringstream.cpp:244:15:244:17 | ss2 |  |
+| stringstream.cpp:215:7:215:9 | ref arg ss2 | stringstream.cpp:250:23:250:25 | ss2 |  |
+| stringstream.cpp:215:7:215:9 | ss2 | stringstream.cpp:215:11:215:17 | call to getline |  |
+| stringstream.cpp:215:7:215:9 | ss2 | stringstream.cpp:215:19:215:20 | ref arg b2 | TAINT |
+| stringstream.cpp:215:19:215:20 | ref arg b2 | stringstream.cpp:219:7:219:8 | b2 |  |
+| stringstream.cpp:216:7:216:9 | ref arg ss2 | stringstream.cpp:223:7:223:9 | ss2 |  |
+| stringstream.cpp:216:7:216:9 | ref arg ss2 | stringstream.cpp:224:7:224:9 | ss2 |  |
+| stringstream.cpp:216:7:216:9 | ref arg ss2 | stringstream.cpp:230:7:230:9 | ss2 |  |
+| stringstream.cpp:216:7:216:9 | ref arg ss2 | stringstream.cpp:235:15:235:17 | ss2 |  |
+| stringstream.cpp:216:7:216:9 | ref arg ss2 | stringstream.cpp:236:15:236:17 | ss2 |  |
+| stringstream.cpp:216:7:216:9 | ref arg ss2 | stringstream.cpp:243:15:243:17 | ss2 |  |
+| stringstream.cpp:216:7:216:9 | ref arg ss2 | stringstream.cpp:244:15:244:17 | ss2 |  |
+| stringstream.cpp:216:7:216:9 | ref arg ss2 | stringstream.cpp:250:23:250:25 | ss2 |  |
+| stringstream.cpp:216:7:216:9 | ss2 | stringstream.cpp:216:11:216:17 | call to getline |  |
+| stringstream.cpp:216:7:216:9 | ss2 | stringstream.cpp:216:19:216:20 | ref arg b3 | TAINT |
+| stringstream.cpp:216:19:216:20 | ref arg b3 | stringstream.cpp:217:19:217:20 | b3 |  |
+| stringstream.cpp:216:19:216:20 | ref arg b3 | stringstream.cpp:220:7:220:8 | b3 |  |
+| stringstream.cpp:217:7:217:9 | ref arg ss1 | stringstream.cpp:222:7:222:9 | ss1 |  |
+| stringstream.cpp:217:7:217:9 | ref arg ss1 | stringstream.cpp:225:7:225:9 | ss1 |  |
+| stringstream.cpp:217:7:217:9 | ref arg ss1 | stringstream.cpp:234:15:234:17 | ss1 |  |
+| stringstream.cpp:217:7:217:9 | ref arg ss1 | stringstream.cpp:237:15:237:17 | ss1 |  |
+| stringstream.cpp:217:7:217:9 | ref arg ss1 | stringstream.cpp:242:15:242:17 | ss1 |  |
+| stringstream.cpp:217:7:217:9 | ref arg ss1 | stringstream.cpp:245:15:245:17 | ss1 |  |
+| stringstream.cpp:217:7:217:9 | ss1 | stringstream.cpp:217:11:217:17 | call to getline |  |
+| stringstream.cpp:217:7:217:9 | ss1 | stringstream.cpp:217:19:217:20 | ref arg b3 | TAINT |
+| stringstream.cpp:217:19:217:20 | ref arg b3 | stringstream.cpp:220:7:220:8 | b3 |  |
+| stringstream.cpp:218:7:218:8 | b1 | stringstream.cpp:218:7:218:8 | call to basic_string | TAINT |
+| stringstream.cpp:219:7:219:8 | b2 | stringstream.cpp:219:7:219:8 | call to basic_string | TAINT |
+| stringstream.cpp:220:7:220:8 | b3 | stringstream.cpp:220:7:220:8 | call to basic_string | TAINT |
+| stringstream.cpp:222:7:222:9 | ref arg ss1 | stringstream.cpp:225:7:225:9 | ss1 |  |
+| stringstream.cpp:222:7:222:9 | ref arg ss1 | stringstream.cpp:234:15:234:17 | ss1 |  |
+| stringstream.cpp:222:7:222:9 | ref arg ss1 | stringstream.cpp:237:15:237:17 | ss1 |  |
+| stringstream.cpp:222:7:222:9 | ref arg ss1 | stringstream.cpp:242:15:242:17 | ss1 |  |
+| stringstream.cpp:222:7:222:9 | ref arg ss1 | stringstream.cpp:245:15:245:17 | ss1 |  |
+| stringstream.cpp:222:7:222:9 | ss1 | stringstream.cpp:222:11:222:17 | call to getline |  |
+| stringstream.cpp:222:7:222:9 | ss1 | stringstream.cpp:222:19:222:20 | ref arg b4 | TAINT |
+| stringstream.cpp:222:19:222:20 | ref arg b4 | stringstream.cpp:226:7:226:8 | b4 |  |
+| stringstream.cpp:223:7:223:9 | ref arg ss2 | stringstream.cpp:224:7:224:9 | ss2 |  |
+| stringstream.cpp:223:7:223:9 | ref arg ss2 | stringstream.cpp:230:7:230:9 | ss2 |  |
+| stringstream.cpp:223:7:223:9 | ref arg ss2 | stringstream.cpp:235:15:235:17 | ss2 |  |
+| stringstream.cpp:223:7:223:9 | ref arg ss2 | stringstream.cpp:236:15:236:17 | ss2 |  |
+| stringstream.cpp:223:7:223:9 | ref arg ss2 | stringstream.cpp:243:15:243:17 | ss2 |  |
+| stringstream.cpp:223:7:223:9 | ref arg ss2 | stringstream.cpp:244:15:244:17 | ss2 |  |
+| stringstream.cpp:223:7:223:9 | ref arg ss2 | stringstream.cpp:250:23:250:25 | ss2 |  |
+| stringstream.cpp:223:7:223:9 | ss2 | stringstream.cpp:223:11:223:17 | call to getline |  |
+| stringstream.cpp:223:7:223:9 | ss2 | stringstream.cpp:223:19:223:20 | ref arg b5 | TAINT |
+| stringstream.cpp:223:19:223:20 | ref arg b5 | stringstream.cpp:227:7:227:8 | b5 |  |
+| stringstream.cpp:224:7:224:9 | ref arg ss2 | stringstream.cpp:230:7:230:9 | ss2 |  |
+| stringstream.cpp:224:7:224:9 | ref arg ss2 | stringstream.cpp:235:15:235:17 | ss2 |  |
+| stringstream.cpp:224:7:224:9 | ref arg ss2 | stringstream.cpp:236:15:236:17 | ss2 |  |
+| stringstream.cpp:224:7:224:9 | ref arg ss2 | stringstream.cpp:243:15:243:17 | ss2 |  |
+| stringstream.cpp:224:7:224:9 | ref arg ss2 | stringstream.cpp:244:15:244:17 | ss2 |  |
+| stringstream.cpp:224:7:224:9 | ref arg ss2 | stringstream.cpp:250:23:250:25 | ss2 |  |
+| stringstream.cpp:224:7:224:9 | ss2 | stringstream.cpp:224:11:224:17 | call to getline |  |
+| stringstream.cpp:224:7:224:9 | ss2 | stringstream.cpp:224:19:224:20 | ref arg b6 | TAINT |
+| stringstream.cpp:224:19:224:20 | ref arg b6 | stringstream.cpp:225:19:225:20 | b6 |  |
+| stringstream.cpp:224:19:224:20 | ref arg b6 | stringstream.cpp:228:7:228:8 | b6 |  |
+| stringstream.cpp:225:7:225:9 | ref arg ss1 | stringstream.cpp:234:15:234:17 | ss1 |  |
+| stringstream.cpp:225:7:225:9 | ref arg ss1 | stringstream.cpp:237:15:237:17 | ss1 |  |
+| stringstream.cpp:225:7:225:9 | ref arg ss1 | stringstream.cpp:242:15:242:17 | ss1 |  |
+| stringstream.cpp:225:7:225:9 | ref arg ss1 | stringstream.cpp:245:15:245:17 | ss1 |  |
+| stringstream.cpp:225:7:225:9 | ss1 | stringstream.cpp:225:11:225:17 | call to getline |  |
+| stringstream.cpp:225:7:225:9 | ss1 | stringstream.cpp:225:19:225:20 | ref arg b6 | TAINT |
+| stringstream.cpp:225:19:225:20 | ref arg b6 | stringstream.cpp:228:7:228:8 | b6 |  |
+| stringstream.cpp:226:7:226:8 | b4 | stringstream.cpp:226:7:226:8 | call to basic_string | TAINT |
+| stringstream.cpp:227:7:227:8 | b5 | stringstream.cpp:227:7:227:8 | call to basic_string | TAINT |
+| stringstream.cpp:228:7:228:8 | b6 | stringstream.cpp:228:7:228:8 | call to basic_string | TAINT |
+| stringstream.cpp:230:7:230:9 | ref arg ss2 | stringstream.cpp:235:15:235:17 | ss2 |  |
+| stringstream.cpp:230:7:230:9 | ref arg ss2 | stringstream.cpp:236:15:236:17 | ss2 |  |
+| stringstream.cpp:230:7:230:9 | ref arg ss2 | stringstream.cpp:243:15:243:17 | ss2 |  |
+| stringstream.cpp:230:7:230:9 | ref arg ss2 | stringstream.cpp:244:15:244:17 | ss2 |  |
+| stringstream.cpp:230:7:230:9 | ref arg ss2 | stringstream.cpp:250:23:250:25 | ss2 |  |
+| stringstream.cpp:230:7:230:9 | ss2 | stringstream.cpp:230:11:230:17 | call to getline |  |
+| stringstream.cpp:230:7:230:9 | ss2 | stringstream.cpp:230:19:230:20 | ref arg b7 | TAINT |
+| stringstream.cpp:230:11:230:17 | call to getline | stringstream.cpp:230:29:230:35 | call to getline |  |
+| stringstream.cpp:230:11:230:17 | call to getline | stringstream.cpp:230:37:230:38 | ref arg b8 | TAINT |
+| stringstream.cpp:230:11:230:17 | ref arg call to getline | stringstream.cpp:230:7:230:9 | ref arg ss2 | TAINT |
+| stringstream.cpp:230:19:230:20 | ref arg b7 | stringstream.cpp:231:7:231:8 | b7 |  |
+| stringstream.cpp:230:37:230:38 | ref arg b8 | stringstream.cpp:232:7:232:8 | b8 |  |
+| stringstream.cpp:231:7:231:8 | b7 | stringstream.cpp:231:7:231:8 | call to basic_string | TAINT |
+| stringstream.cpp:232:7:232:8 | b8 | stringstream.cpp:232:7:232:8 | call to basic_string | TAINT |
+| stringstream.cpp:234:15:234:17 | ref arg ss1 | stringstream.cpp:237:15:237:17 | ss1 |  |
+| stringstream.cpp:234:15:234:17 | ref arg ss1 | stringstream.cpp:242:15:242:17 | ss1 |  |
+| stringstream.cpp:234:15:234:17 | ref arg ss1 | stringstream.cpp:245:15:245:17 | ss1 |  |
+| stringstream.cpp:234:15:234:17 | ss1 | stringstream.cpp:234:7:234:13 | call to getline |  |
+| stringstream.cpp:234:15:234:17 | ss1 | stringstream.cpp:234:20:234:21 | ref arg s1 | TAINT |
+| stringstream.cpp:234:20:234:21 | ref arg s1 | stringstream.cpp:238:7:238:8 | s1 |  |
+| stringstream.cpp:235:15:235:17 | ref arg ss2 | stringstream.cpp:236:15:236:17 | ss2 |  |
+| stringstream.cpp:235:15:235:17 | ref arg ss2 | stringstream.cpp:243:15:243:17 | ss2 |  |
+| stringstream.cpp:235:15:235:17 | ref arg ss2 | stringstream.cpp:244:15:244:17 | ss2 |  |
+| stringstream.cpp:235:15:235:17 | ref arg ss2 | stringstream.cpp:250:23:250:25 | ss2 |  |
+| stringstream.cpp:235:15:235:17 | ss2 | stringstream.cpp:235:7:235:13 | call to getline |  |
+| stringstream.cpp:235:15:235:17 | ss2 | stringstream.cpp:235:20:235:21 | ref arg s2 | TAINT |
+| stringstream.cpp:235:20:235:21 | ref arg s2 | stringstream.cpp:239:7:239:8 | s2 |  |
+| stringstream.cpp:236:15:236:17 | ref arg ss2 | stringstream.cpp:243:15:243:17 | ss2 |  |
+| stringstream.cpp:236:15:236:17 | ref arg ss2 | stringstream.cpp:244:15:244:17 | ss2 |  |
+| stringstream.cpp:236:15:236:17 | ref arg ss2 | stringstream.cpp:250:23:250:25 | ss2 |  |
+| stringstream.cpp:236:15:236:17 | ss2 | stringstream.cpp:236:7:236:13 | call to getline |  |
+| stringstream.cpp:236:15:236:17 | ss2 | stringstream.cpp:236:20:236:21 | ref arg s3 | TAINT |
+| stringstream.cpp:236:20:236:21 | ref arg s3 | stringstream.cpp:237:20:237:21 | s3 |  |
+| stringstream.cpp:236:20:236:21 | ref arg s3 | stringstream.cpp:240:7:240:8 | s3 |  |
+| stringstream.cpp:237:15:237:17 | ref arg ss1 | stringstream.cpp:242:15:242:17 | ss1 |  |
+| stringstream.cpp:237:15:237:17 | ref arg ss1 | stringstream.cpp:245:15:245:17 | ss1 |  |
+| stringstream.cpp:237:15:237:17 | ss1 | stringstream.cpp:237:7:237:13 | call to getline |  |
+| stringstream.cpp:237:15:237:17 | ss1 | stringstream.cpp:237:20:237:21 | ref arg s3 | TAINT |
+| stringstream.cpp:237:20:237:21 | ref arg s3 | stringstream.cpp:240:7:240:8 | s3 |  |
+| stringstream.cpp:242:15:242:17 | ref arg ss1 | stringstream.cpp:245:15:245:17 | ss1 |  |
+| stringstream.cpp:242:15:242:17 | ss1 | stringstream.cpp:242:7:242:13 | call to getline |  |
+| stringstream.cpp:242:15:242:17 | ss1 | stringstream.cpp:242:20:242:21 | ref arg s4 | TAINT |
+| stringstream.cpp:242:20:242:21 | ref arg s4 | stringstream.cpp:246:7:246:8 | s4 |  |
+| stringstream.cpp:243:15:243:17 | ref arg ss2 | stringstream.cpp:244:15:244:17 | ss2 |  |
+| stringstream.cpp:243:15:243:17 | ref arg ss2 | stringstream.cpp:250:23:250:25 | ss2 |  |
+| stringstream.cpp:243:15:243:17 | ss2 | stringstream.cpp:243:7:243:13 | call to getline |  |
+| stringstream.cpp:243:15:243:17 | ss2 | stringstream.cpp:243:20:243:21 | ref arg s5 | TAINT |
+| stringstream.cpp:243:20:243:21 | ref arg s5 | stringstream.cpp:247:7:247:8 | s5 |  |
+| stringstream.cpp:244:15:244:17 | ref arg ss2 | stringstream.cpp:250:23:250:25 | ss2 |  |
+| stringstream.cpp:244:15:244:17 | ss2 | stringstream.cpp:244:7:244:13 | call to getline |  |
+| stringstream.cpp:244:15:244:17 | ss2 | stringstream.cpp:244:20:244:21 | ref arg s6 | TAINT |
+| stringstream.cpp:244:20:244:21 | ref arg s6 | stringstream.cpp:245:20:245:21 | s6 |  |
+| stringstream.cpp:244:20:244:21 | ref arg s6 | stringstream.cpp:248:7:248:8 | s6 |  |
+| stringstream.cpp:245:15:245:17 | ss1 | stringstream.cpp:245:7:245:13 | call to getline |  |
+| stringstream.cpp:245:15:245:17 | ss1 | stringstream.cpp:245:20:245:21 | ref arg s6 | TAINT |
+| stringstream.cpp:245:20:245:21 | ref arg s6 | stringstream.cpp:248:7:248:8 | s6 |  |
+| stringstream.cpp:250:15:250:21 | call to getline | stringstream.cpp:250:7:250:13 | call to getline |  |
+| stringstream.cpp:250:15:250:21 | call to getline | stringstream.cpp:250:33:250:34 | ref arg s8 | TAINT |
+| stringstream.cpp:250:15:250:21 | ref arg call to getline | stringstream.cpp:250:23:250:25 | ref arg ss2 | TAINT |
+| stringstream.cpp:250:23:250:25 | ss2 | stringstream.cpp:250:15:250:21 | call to getline |  |
+| stringstream.cpp:250:23:250:25 | ss2 | stringstream.cpp:250:28:250:29 | ref arg s7 | TAINT |
+| stringstream.cpp:250:28:250:29 | ref arg s7 | stringstream.cpp:251:7:251:8 | s7 |  |
+| stringstream.cpp:250:33:250:34 | ref arg s8 | stringstream.cpp:252:7:252:8 | s8 |  |
+| stringstream.cpp:257:24:257:29 | call to source | stringstream.cpp:257:24:257:31 | call to basic_string | TAINT |
+| stringstream.cpp:257:24:257:31 | call to basic_string | stringstream.cpp:257:24:257:32 | call to basic_stringstream | TAINT |
+| stringstream.cpp:257:24:257:32 | call to basic_stringstream | stringstream.cpp:262:7:262:9 | ss1 |  |
+| stringstream.cpp:258:20:258:22 | call to basic_stringstream | stringstream.cpp:266:7:266:9 | ss2 |  |
+| stringstream.cpp:258:20:258:22 | call to basic_stringstream | stringstream.cpp:267:7:267:9 | ss2 |  |
+| stringstream.cpp:259:17:259:20 | {...} | stringstream.cpp:262:15:262:16 | b1 |  |
+| stringstream.cpp:259:17:259:20 | {...} | stringstream.cpp:263:7:263:8 | b1 |  |
+| stringstream.cpp:259:19:259:19 | 0 | stringstream.cpp:259:17:259:20 | {...} | TAINT |
+| stringstream.cpp:260:17:260:20 | {...} | stringstream.cpp:262:36:262:37 | b2 |  |
+| stringstream.cpp:260:17:260:20 | {...} | stringstream.cpp:264:7:264:8 | b2 |  |
+| stringstream.cpp:260:19:260:19 | 0 | stringstream.cpp:260:17:260:20 | {...} | TAINT |
+| stringstream.cpp:262:7:262:9 | ss1 | stringstream.cpp:262:11:262:13 | call to get |  |
+| stringstream.cpp:262:7:262:9 | ss1 | stringstream.cpp:262:15:262:16 | ref arg b1 | TAINT |
+| stringstream.cpp:262:11:262:13 | call to get | stringstream.cpp:262:24:262:28 | call to unget |  |
+| stringstream.cpp:262:11:262:13 | ref arg call to get | stringstream.cpp:262:7:262:9 | ref arg ss1 | TAINT |
+| stringstream.cpp:262:15:262:16 | ref arg b1 | stringstream.cpp:263:7:263:8 | b1 |  |
+| stringstream.cpp:262:24:262:28 | call to unget | stringstream.cpp:262:32:262:34 | call to get |  |
+| stringstream.cpp:262:24:262:28 | call to unget | stringstream.cpp:262:36:262:37 | ref arg b2 | TAINT |
+| stringstream.cpp:262:24:262:28 | ref arg call to unget | stringstream.cpp:262:11:262:13 | ref arg call to get | TAINT |
+| stringstream.cpp:262:36:262:37 | ref arg b2 | stringstream.cpp:264:7:264:8 | b2 |  |
+| stringstream.cpp:263:7:263:8 | b1 | stringstream.cpp:263:7:263:8 | call to basic_string | TAINT |
+| stringstream.cpp:264:7:264:8 | b2 | stringstream.cpp:264:7:264:8 | call to basic_string | TAINT |
+| stringstream.cpp:266:7:266:9 | ref arg ss2 | stringstream.cpp:267:7:267:9 | ss2 |  |
+| stringstream.cpp:266:7:266:9 | ss2 | stringstream.cpp:266:11:266:15 | call to write |  |
+| stringstream.cpp:266:11:266:15 | call to write | stringstream.cpp:266:27:266:31 | call to flush |  |
+| stringstream.cpp:266:11:266:15 | ref arg call to write | stringstream.cpp:266:7:266:9 | ref arg ss2 | TAINT |
+| stringstream.cpp:266:17:266:21 | abc | stringstream.cpp:266:7:266:9 | ref arg ss2 | TAINT |
+| stringstream.cpp:266:17:266:21 | abc | stringstream.cpp:266:11:266:15 | call to write | TAINT |
+| stringstream.cpp:266:27:266:31 | call to flush | stringstream.cpp:266:35:266:39 | call to write |  |
+| stringstream.cpp:266:27:266:31 | ref arg call to flush | stringstream.cpp:266:11:266:15 | ref arg call to write | TAINT |
+| stringstream.cpp:266:35:266:39 | call to write | stringstream.cpp:266:54:266:58 | call to flush |  |
+| stringstream.cpp:266:35:266:39 | ref arg call to write | stringstream.cpp:266:27:266:31 | ref arg call to flush | TAINT |
+| stringstream.cpp:266:41:266:46 | call to source | stringstream.cpp:266:27:266:31 | ref arg call to flush | TAINT |
+| stringstream.cpp:266:41:266:46 | call to source | stringstream.cpp:266:35:266:39 | call to write | TAINT |
+| stringstream.cpp:266:54:266:58 | call to flush | stringstream.cpp:266:62:266:66 | call to write |  |
+| stringstream.cpp:266:54:266:58 | ref arg call to flush | stringstream.cpp:266:35:266:39 | ref arg call to write | TAINT |
+| stringstream.cpp:266:68:266:72 | xyz | stringstream.cpp:266:54:266:58 | ref arg call to flush | TAINT |
+| stringstream.cpp:266:68:266:72 | xyz | stringstream.cpp:266:62:266:66 | call to write | TAINT |
 | structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
 | structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
 | structlikeclass.cpp:5:7:5:7 | this | structlikeclass.cpp:5:7:5:7 | constructor init of field v [pre-this] |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
@@ -144,12 +144,18 @@ namespace std
 		basic_istream<charT, traits>& read (char_type* s, streamsize n);
 		streamsize readsome(char_type* s, streamsize n);
 		basic_istream<charT, traits>& putback(char_type c);
+		basic_istream<charT,traits>& unget();

-	};
+		basic_istream<charT,traits>& getline(char_type* s, streamsize n);
+		basic_istream<charT,traits>& getline(char_type* s, streamsize n, char_type delim);
+ 	};

 	template<class charT, class traits> basic_istream<charT, traits>& operator>>(basic_istream<charT, traits>&, charT*);
 	template<class charT, class traits, class Allocator> basic_istream<charT, traits>& operator>>(basic_istream<charT, traits>& is, basic_string<charT, traits, Allocator>& str); 

+	template<class charT, class traits, class Allocator> basic_istream<charT,traits>& getline(basic_istream<charT,traits>& is, basic_string<charT,traits,Allocator>& str, charT delim);
+	template<class charT, class traits, class Allocator> basic_istream<charT,traits>& getline(basic_istream<charT,traits>& is, basic_string<charT,traits,Allocator>& str);
+
 	template <class charT, class traits = char_traits<charT> >
 	class basic_ostream /*: virtual public basic_ios<charT,traits> - not needed for this test */ {
 	public:
@@ -159,6 +165,7 @@ namespace std

 		basic_ostream<charT, traits>& put(char_type c);
 		basic_ostream<charT, traits>& write(const char_type* s, streamsize n);
+		basic_ostream<charT,traits>& flush();
 	};

 	template<class charT, class traits> basic_ostream<charT,traits>& operator<<(basic_ostream<charT,traits>&, const charT*);
@@ -185,6 +192,11 @@ namespace std
 		void str(const basic_string<charT, traits, Allocator>& str);
 	};

+	typedef basic_istream<char> istream;
+	typedef basic_ostream<char> ostream;
+	extern istream cin;
+	extern ostream cout;
+
 	using stringstream = basic_stringstream<char>;
 }

--- a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
@@ -14,10 +14,10 @@ char *user_input() {
  return source();
 }

-void sink(const char *s) {};
-void sink(const std::string &s) {};
+void sink(const char *s);
+void sink(const std::string &s);
 void sink(const char *filename, const char *mode);
-void sink(char) {}
+void sink(char);

 void test_string()
 {
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp
@@ -10,18 +10,18 @@ namespace ns_char
 	char source();
 }

-void sink(int i) {};
+void sink(int i);

-void sink(const std::string &s) {};
+void sink(const std::string &s);

 template<class charT>
-void sink(const std::basic_ostream<charT> &s) {};
+void sink(const std::basic_ostream<charT> &s);

 template<class charT>
-void sink(const std::basic_istream<charT> &s) {};
+void sink(const std::basic_istream<charT> &s);

 template<class charT>
-void sink(const std::basic_iostream<charT> &s) {};
+void sink(const std::basic_iostream<charT> &s);

 void test_stringstream_string(int amount)
 {
@@ -75,14 +75,14 @@ void test_stringstream_int(int source)
 	sink(ss1 << 1234);
 	sink(ss2 << source); // tainted
 	sink(ss1 >> v1);
-	sink(ss2 >> v2); // tainted [NOT DETECTED]
+	sink(ss2 >> v2); // tainted

 	sink(ss1);
 	sink(ss2); // tainted
 	sink(ss1.str());
 	sink(ss2.str()); // tainted
 	sink(v1);
-	sink(v2); // tainted [NOT DETECTED]
+	sink(v2); // tainted
 }

 void test_stringstream_constructors()
@@ -117,9 +117,9 @@ void test_stringstream_swap()
 	ss1.swap(ss2);
 	ss4.swap(ss3);

-	sink(ss1); // tainted [NOT DETECTED]
+	sink(ss1); // tainted
 	sink(ss2); // [FALSE POSITIVE]
-	sink(ss3); // tainted [NOT DETECTED]
+	sink(ss3); // tainted
 	sink(ss4); // [FALSE POSITIVE]
 }

@@ -143,46 +143,46 @@ void test_stringstream_in()
 	sink(ss2 << source()); // tainted

 	sink(ss1 >> s1);
-	sink(ss2 >> s2); // tainted [NOT DETECTED]
-	sink(ss2 >> s3 >> s4); // tainted [NOT DETECTED]
+	sink(ss2 >> s2); // tainted
+	sink(ss2 >> s3 >> s4); // tainted
 	sink(s1);
-	sink(s2); // tainted [NOT DETECTED]
-	sink(s3); // tainted [NOT DETECTED]
-	sink(s4); // tainted [NOT DETECTED]
+	sink(s2); // tainted
+	sink(s3); // tainted
+	sink(s4); // tainted

 	sink(ss1 >> b1);
-	sink(ss2 >> b2);
-	sink(ss2 >> b3 >> b4);
+	sink(ss2 >> b2); // tainted
+	sink(ss2 >> b3 >> b4); // tainted
 	sink(b1);
-	sink(b2); // tainted [NOT DETECTED]
-	sink(b3); // tainted [NOT DETECTED]
-	sink(b4); // tainted [NOT DETECTED]
+	sink(b2); // tainted
+	sink(b3); // tainted
+	sink(b4); // tainted

 	sink(ss1.read(b5, 100));
-	sink(ss2.read(b6, 100)); // tainted [NOT DETECTED]
+	sink(ss2.read(b6, 100)); // tainted
 	sink(ss1.readsome(b7, 100));
 	sink(ss2.readsome(b8, 100)); // (returns a length, not significantly tainted)
 	sink(ss1.get(b9, 100));
-	sink(ss2.get(b10, 100));
+	sink(ss2.get(b10, 100)); // tainted
 	sink(b5);
-	sink(b6); // tainted [NOT DETECTED]
+	sink(b6); // tainted
 	sink(b7);
-	sink(b8); // tainted [NOT DETECTED]
+	sink(b8); // tainted
 	sink(b9);
-	sink(b10); // tainted [NOT DETECTED]
+	sink(b10); // tainted

 	sink(c1 = ss1.get());
-	sink(c2 = ss2.get()); // tainted [NOT DETECTED]
+	sink(c2 = ss2.get()); // tainted
 	sink(c3 = ss1.peek());
-	sink(c4 = ss2.peek()); // tainted [NOT DETECTED]
+	sink(c4 = ss2.peek()); // tainted
 	sink(ss1.get(c5));
-	sink(ss2.get(c6)); // tainted [NOT DETECTED]
+	sink(ss2.get(c6)); // tainted
 	sink(c1);
-	sink(c2); // tainted [NOT DETECTED]
+	sink(c2); // tainted
 	sink(c3);
-	sink(c4); // tainted [NOT DETECTED]
+	sink(c4); // tainted
 	sink(c5);
-	sink(c6); // tainted [NOT DETECTED]
+	sink(c6); // tainted
 }

 void test_stringstream_putback()
@@ -193,6 +193,76 @@ void test_stringstream_putback()
 	sink(ss.get());
 	sink(ss.putback('b'));
 	sink(ss.get());
-	sink(ss.putback(ns_char::source())); // tainted [NOT DETECTED]
-	sink(ss.get()); // tainted [NOT DETECTED]
+	sink(ss.putback(ns_char::source())); // tainted
+	sink(ss.get()); // tainted
+}
+
+void test_getline()
+{
+	std::stringstream ss1("abc");
+	std::stringstream ss2(source());
+	char b1[1000] = {0};
+	char b2[1000] = {0};
+	char b3[1000] = {0};
+	char b4[1000] = {0};
+	char b5[1000] = {0};
+	char b6[1000] = {0};
+	char b7[1000] = {0};
+	char b8[1000] = {0};
+	std::string s1, s2, s3, s4, s5, s6, s7, s8;
+
+	sink(ss1.getline(b1, 1000));
+	sink(ss2.getline(b2, 1000)); // tainted
+	sink(ss2.getline(b3, 1000)); // tainted
+	sink(ss1.getline(b3, 1000));
+	sink(b1);
+	sink(b2); // tainted
+	sink(b3); // [FALSE POSITIVE]
+
+	sink(ss1.getline(b4, 1000, ' '));
+	sink(ss2.getline(b5, 1000, ' ')); // tainted
+	sink(ss2.getline(b6, 1000, ' ')); // tainted
+	sink(ss1.getline(b6, 1000, ' '));
+	sink(b4);
+	sink(b5); // tainted
+	sink(b6); // [FALSE POSITIVE]
+
+	sink(ss2.getline(b7, 1000).getline(b8, 1000)); // tainted
+	sink(b7); // tainted
+	sink(b8); // tainted
+
+	sink(getline(ss1, s1));
+	sink(getline(ss2, s2)); // tainted
+	sink(getline(ss2, s3)); // tainted
+	sink(getline(ss1, s3));
+	sink(s1);
+	sink(s2); // tainted
+	sink(s3); // [FALSE POSITIVE]
+
+	sink(getline(ss1, s4, ' '));
+	sink(getline(ss2, s5, ' ')); // tainted
+	sink(getline(ss2, s6, ' ')); // tainted
+	sink(getline(ss1, s6, ' '));
+	sink(s4);
+	sink(s5); // tainted
+	sink(s6); // [FALSE POSITIVE]
+
+	sink(getline(getline(ss2, s7), s8)); // tainted
+	sink(s7); // tainted
+	sink(s8); // tainted
+}
+
+void test_chaining()
+{
+	std::stringstream ss1(source());
+	std::stringstream ss2;
+	char b1[1000] = {0};
+	char b2[1000] = {0};
+
+	sink(ss1.get(b1, 100).unget().get(b2, 100)); // tainted
+	sink(b1); // tainted
+	sink(b2); // tainted
+
+	sink(ss2.write("abc", 3).flush().write(source(), 3).flush().write("xyz", 3)); // tainted
+	sink(ss2); // tainted
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -258,7 +258,7 @@ void test_lambdas()
 		c = source();
 	};
 	e(t, u, w);
-	sink(w); // tainted [NOT DETECTED]
+	sink(w); // tainted
 }

 // --- taint through return value ---
@@ -348,10 +348,10 @@ void test_outparams()
 	myNotAssign(e, t);

 	sink(t); // tainted
-	sink(a); // tainted [NOT DETECTED by IR]
-	sink(b); // tainted [NOT DETECTED by IR]
-	sink(c); // tainted [NOT DETECTED by IR]
-	sink(d); // tainted [NOT DETECTED by IR]
+	sink(a); // tainted
+	sink(b); // tainted
+	sink(c); // tainted
+	sink(d); // tainted
 	sink(e);
 }

@@ -468,7 +468,7 @@ void test_swop() {
 	swop(x, y);

 	sink(x); // clean [FALSE POSITIVE]
-	sink(y); // tainted [NOT DETECTED by IR]
+	sink(y); // tainted
 }

 // --- getdelim ---
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -188,15 +188,69 @@
 | stringstream.cpp:66:7:66:10 | ss12 | stringstream.cpp:63:18:63:23 | call to source |
 | stringstream.cpp:67:7:67:10 | ss13 | stringstream.cpp:64:36:64:41 | call to source |
 | stringstream.cpp:76:11:76:11 | call to operator<< | stringstream.cpp:70:32:70:37 | source |
+| stringstream.cpp:78:11:78:11 | call to operator>> | stringstream.cpp:70:32:70:37 | source |
 | stringstream.cpp:81:7:81:9 | ss2 | stringstream.cpp:70:32:70:37 | source |
 | stringstream.cpp:83:11:83:13 | call to str | stringstream.cpp:70:32:70:37 | source |
+| stringstream.cpp:85:7:85:8 | v2 | stringstream.cpp:70:32:70:37 | source |
 | stringstream.cpp:100:11:100:11 | call to operator= | stringstream.cpp:100:31:100:36 | call to source |
 | stringstream.cpp:103:7:103:9 | ss2 | stringstream.cpp:91:19:91:24 | call to source |
 | stringstream.cpp:105:7:105:9 | ss4 | stringstream.cpp:95:44:95:49 | call to source |
 | stringstream.cpp:107:7:107:9 | ss6 | stringstream.cpp:100:31:100:36 | call to source |
+| stringstream.cpp:120:7:120:9 | ss1 | stringstream.cpp:113:24:113:29 | call to source |
 | stringstream.cpp:121:7:121:9 | ss2 | stringstream.cpp:113:24:113:29 | call to source |
+| stringstream.cpp:122:7:122:9 | ss3 | stringstream.cpp:115:24:115:29 | call to source |
 | stringstream.cpp:123:7:123:9 | ss4 | stringstream.cpp:115:24:115:29 | call to source |
 | stringstream.cpp:143:11:143:11 | call to operator<< | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:146:11:146:11 | call to operator>> | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:147:17:147:17 | call to operator>> | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:149:7:149:8 | s2 | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:150:7:150:8 | s3 | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:151:7:151:8 | s4 | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:154:11:154:11 | call to operator>> | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:155:17:155:17 | call to operator>> | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:157:7:157:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:158:7:158:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:159:7:159:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:162:11:162:14 | call to read | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:166:11:166:13 | call to get | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:168:7:168:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:170:7:170:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:172:7:172:9 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:175:7:175:20 | ... = ... | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:177:7:177:21 | ... = ... | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:179:11:179:13 | call to get | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:181:7:181:8 | c2 | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:183:7:183:8 | c4 | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:185:7:185:8 | c6 | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:196:10:196:16 | call to putback | stringstream.cpp:196:18:196:32 | call to source |
+| stringstream.cpp:197:10:197:12 | call to get | stringstream.cpp:196:18:196:32 | call to source |
+| stringstream.cpp:215:11:215:17 | call to getline | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:216:11:216:17 | call to getline | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:219:7:219:8 | call to basic_string | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:220:7:220:8 | call to basic_string | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:223:11:223:17 | call to getline | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:224:11:224:17 | call to getline | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:227:7:227:8 | call to basic_string | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:228:7:228:8 | call to basic_string | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:230:29:230:35 | call to getline | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:231:7:231:8 | call to basic_string | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:232:7:232:8 | call to basic_string | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:235:7:235:13 | call to getline | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:236:7:236:13 | call to getline | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:239:7:239:8 | s2 | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:240:7:240:8 | s3 | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:243:7:243:13 | call to getline | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:244:7:244:13 | call to getline | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:247:7:247:8 | s5 | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:248:7:248:8 | s6 | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:250:7:250:13 | call to getline | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:251:7:251:8 | s7 | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:252:7:252:8 | s8 | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:262:32:262:34 | call to get | stringstream.cpp:257:24:257:29 | call to source |
+| stringstream.cpp:263:7:263:8 | call to basic_string | stringstream.cpp:257:24:257:29 | call to source |
+| stringstream.cpp:264:7:264:8 | call to basic_string | stringstream.cpp:257:24:257:29 | call to source |
+| stringstream.cpp:266:62:266:66 | call to write | stringstream.cpp:266:41:266:46 | call to source |
+| stringstream.cpp:267:7:267:9 | ss2 | stringstream.cpp:266:41:266:46 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -93,8 +93,35 @@
 | stringstream.cpp:64:54:64:58 | stringstream.cpp:64:36:64:41 | AST only |
 | stringstream.cpp:67:7:67:10 | stringstream.cpp:64:36:64:41 | AST only |
 | stringstream.cpp:76:11:76:11 | stringstream.cpp:70:32:70:37 | AST only |
+| stringstream.cpp:78:11:78:11 | stringstream.cpp:70:32:70:37 | AST only |
 | stringstream.cpp:100:11:100:11 | stringstream.cpp:100:31:100:36 | AST only |
 | stringstream.cpp:143:11:143:22 | stringstream.cpp:143:14:143:19 | IR only |
+| stringstream.cpp:146:11:146:11 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:147:17:147:17 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:151:7:151:8 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:154:11:154:11 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:155:17:155:17 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:159:7:159:8 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:162:11:162:14 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:166:11:166:13 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:179:11:179:13 | stringstream.cpp:143:14:143:19 | AST only |
+| stringstream.cpp:196:10:196:16 | stringstream.cpp:196:18:196:32 | AST only |
+| stringstream.cpp:215:11:215:17 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:216:11:216:17 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:223:11:223:17 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:224:11:224:17 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:230:29:230:35 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:232:7:232:8 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:235:7:235:13 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:236:7:236:13 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:243:7:243:13 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:244:7:244:13 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:250:7:250:13 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:252:7:252:8 | stringstream.cpp:203:24:203:29 | AST only |
+| stringstream.cpp:262:32:262:34 | stringstream.cpp:257:24:257:29 | AST only |
+| stringstream.cpp:264:7:264:8 | stringstream.cpp:257:24:257:29 | AST only |
+| stringstream.cpp:266:62:266:66 | stringstream.cpp:266:41:266:46 | AST only |
+| stringstream.cpp:267:7:267:9 | stringstream.cpp:266:41:266:46 | AST only |
 | swap1.cpp:78:12:78:16 | swap1.cpp:69:23:69:23 | AST only |
 | swap1.cpp:87:13:87:17 | swap1.cpp:82:16:82:21 | AST only |
 | swap1.cpp:88:13:88:17 | swap1.cpp:81:27:81:28 | AST only |
@@ -115,18 +142,12 @@
 | taint.cpp:195:7:195:7 | taint.cpp:192:23:192:28 | AST only |
 | taint.cpp:195:7:195:7 | taint.cpp:193:6:193:6 | AST only |
 | taint.cpp:236:3:236:6 | taint.cpp:223:10:223:15 | AST only |
-| taint.cpp:261:7:261:7 | taint.cpp:258:7:258:12 | AST only |
-| taint.cpp:351:7:351:7 | taint.cpp:330:6:330:11 | AST only |
-| taint.cpp:352:7:352:7 | taint.cpp:330:6:330:11 | AST only |
-| taint.cpp:353:7:353:7 | taint.cpp:330:6:330:11 | AST only |
-| taint.cpp:354:7:354:7 | taint.cpp:330:6:330:11 | AST only |
 | taint.cpp:372:7:372:7 | taint.cpp:365:24:365:29 | AST only |
 | taint.cpp:374:7:374:7 | taint.cpp:365:24:365:29 | AST only |
 | taint.cpp:391:7:391:7 | taint.cpp:385:27:385:32 | AST only |
 | taint.cpp:429:7:429:7 | taint.cpp:428:13:428:18 | IR only |
 | taint.cpp:431:9:431:17 | taint.cpp:428:13:428:18 | IR only |
 | taint.cpp:447:9:447:17 | taint.cpp:445:14:445:28 | AST only |
-| taint.cpp:471:7:471:7 | taint.cpp:462:6:462:11 | AST only |
 | vector.cpp:24:8:24:11 | vector.cpp:16:43:16:49 | IR only |
 | vector.cpp:52:7:52:8 | vector.cpp:51:10:51:15 | AST only |
 | vector.cpp:53:9:53:9 | vector.cpp:51:10:51:15 | AST only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -145,13 +145,40 @@
 | stringstream.cpp:66:7:66:10 | Argument 0 indirection | stringstream.cpp:63:18:63:23 | call to source |
 | stringstream.cpp:81:7:81:9 | Argument 0 indirection | stringstream.cpp:70:32:70:37 | source |
 | stringstream.cpp:83:11:83:13 | call to str | stringstream.cpp:70:32:70:37 | source |
+| stringstream.cpp:85:7:85:8 | v2 | stringstream.cpp:70:32:70:37 | source |
 | stringstream.cpp:103:7:103:9 | Argument 0 indirection | stringstream.cpp:91:19:91:24 | call to source |
 | stringstream.cpp:105:7:105:9 | Argument 0 indirection | stringstream.cpp:95:44:95:49 | call to source |
 | stringstream.cpp:107:7:107:9 | Argument 0 indirection | stringstream.cpp:100:31:100:36 | call to source |
+| stringstream.cpp:120:7:120:9 | Argument 0 indirection | stringstream.cpp:113:24:113:29 | call to source |
 | stringstream.cpp:121:7:121:9 | Argument 0 indirection | stringstream.cpp:113:24:113:29 | call to source |
+| stringstream.cpp:122:7:122:9 | Argument 0 indirection | stringstream.cpp:115:24:115:29 | call to source |
 | stringstream.cpp:123:7:123:9 | Argument 0 indirection | stringstream.cpp:115:24:115:29 | call to source |
 | stringstream.cpp:143:11:143:11 | call to operator<< | stringstream.cpp:143:14:143:19 | call to source |
 | stringstream.cpp:143:11:143:22 | (reference dereference) | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:149:7:149:8 | Argument 0 indirection | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:150:7:150:8 | Argument 0 indirection | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:157:7:157:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:158:7:158:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:168:7:168:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:170:7:170:8 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:172:7:172:9 | call to basic_string | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:175:7:175:20 | ... = ... | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:177:7:177:21 | ... = ... | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:181:7:181:8 | c2 | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:183:7:183:8 | c4 | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:185:7:185:8 | c6 | stringstream.cpp:143:14:143:19 | call to source |
+| stringstream.cpp:197:10:197:12 | call to get | stringstream.cpp:196:18:196:32 | call to source |
+| stringstream.cpp:219:7:219:8 | call to basic_string | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:220:7:220:8 | call to basic_string | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:227:7:227:8 | call to basic_string | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:228:7:228:8 | call to basic_string | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:231:7:231:8 | call to basic_string | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:239:7:239:8 | Argument 0 indirection | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:240:7:240:8 | Argument 0 indirection | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:247:7:247:8 | Argument 0 indirection | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:248:7:248:8 | Argument 0 indirection | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:251:7:251:8 | Argument 0 indirection | stringstream.cpp:203:24:203:29 | call to source |
+| stringstream.cpp:263:7:263:8 | call to basic_string | stringstream.cpp:257:24:257:29 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |
@@ -219,17 +246,23 @@
 | taint.cpp:244:3:244:6 | t | taint.cpp:223:10:223:15 | call to source |
 | taint.cpp:250:8:250:8 | a | taint.cpp:223:10:223:15 | call to source |
 | taint.cpp:256:8:256:8 | (reference dereference) | taint.cpp:223:10:223:15 | call to source |
+| taint.cpp:261:7:261:7 | w | taint.cpp:258:7:258:12 | call to source |
 | taint.cpp:280:7:280:7 | t | taint.cpp:275:6:275:11 | call to source |
 | taint.cpp:289:7:289:7 | t | taint.cpp:275:6:275:11 | call to source |
 | taint.cpp:290:7:290:7 | x | taint.cpp:275:6:275:11 | call to source |
 | taint.cpp:291:7:291:7 | y | taint.cpp:275:6:275:11 | call to source |
 | taint.cpp:337:7:337:7 | t | taint.cpp:330:6:330:11 | call to source |
 | taint.cpp:350:7:350:7 | t | taint.cpp:330:6:330:11 | call to source |
+| taint.cpp:351:7:351:7 | a | taint.cpp:330:6:330:11 | call to source |
+| taint.cpp:352:7:352:7 | b | taint.cpp:330:6:330:11 | call to source |
+| taint.cpp:353:7:353:7 | c | taint.cpp:330:6:330:11 | call to source |
+| taint.cpp:354:7:354:7 | d | taint.cpp:330:6:330:11 | call to source |
 | taint.cpp:382:7:382:7 | a | taint.cpp:377:23:377:28 | source |
 | taint.cpp:429:7:429:7 | b | taint.cpp:428:13:428:18 | call to source |
 | taint.cpp:430:9:430:14 | member | taint.cpp:428:13:428:18 | call to source |
 | taint.cpp:465:7:465:7 | x | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:470:7:470:7 | x | taint.cpp:462:6:462:11 | call to source |
+| taint.cpp:471:7:471:7 | y | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:485:7:485:10 | line | taint.cpp:480:26:480:32 | source1 |
 | vector.cpp:20:8:20:8 | x | vector.cpp:16:43:16:49 | source1 |
 | vector.cpp:24:8:24:8 | call to operator* | vector.cpp:16:43:16:49 | source1 |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
@@ -2,6 +2,9 @@ edges
 | search.c:14:24:14:28 | query | search.c:17:8:17:12 | (const char *)... |
 | search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
 | search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
+| search.c:17:8:17:12 | query | search.c:17:8:17:12 | (const char *)... |
+| search.c:17:8:17:12 | query | search.c:17:8:17:12 | query |
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
 | search.c:41:21:41:26 | call to getenv | search.c:45:17:45:25 | raw_query |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
@@ -5,6 +5,10 @@ edges
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:28 | access to array | tests.c:28:22:28:28 | (const char *)... |
+| tests.c:28:22:28:28 | access to array | tests.c:28:22:28:28 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
@@ -15,6 +19,10 @@ edges
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:16 | access to array | tests.c:34:10:34:16 | (const char *)... |
+| tests.c:34:10:34:16 | access to array | tests.c:34:10:34:16 | access to array |
 nodes
 | tests.c:28:22:28:25 | argv | semmle.label | argv |
 | tests.c:28:22:28:25 | argv | semmle.label | argv |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
@@ -5,6 +5,10 @@ edges
 | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
 | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
 | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
+| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
+| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:15 | (const char *)... |
+| argvLocal.c:95:9:95:15 | access to array | argvLocal.c:95:9:95:15 | access to array |
 | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
 | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
 | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
@@ -15,6 +19,8 @@ edges
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
@@ -25,16 +31,22 @@ edges
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
+| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
+| argvLocal.c:101:9:101:10 | i1 | argvLocal.c:101:9:101:10 | (const char *)... |
+| argvLocal.c:101:9:101:10 | i1 | argvLocal.c:101:9:101:10 | i1 |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
@@ -45,10 +57,16 @@ edges
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
+| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
 | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
+| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:106:9:106:13 | (const char *)... |
+| argvLocal.c:106:9:106:13 | access to array | argvLocal.c:106:9:106:13 | access to array |
+| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:110:9:110:11 | (const char *)... |
+| argvLocal.c:110:9:110:11 | * ... | argvLocal.c:110:9:110:11 | * ... |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
@@ -125,16 +143,22 @@ edges
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
 | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
+| argvLocal.c:144:9:144:10 | i7 | argvLocal.c:144:9:144:10 | (const char *)... |
+| argvLocal.c:144:9:144:10 | i7 | argvLocal.c:144:9:144:10 | i7 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
+| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
+| argvLocal.c:150:9:150:10 | i8 | argvLocal.c:150:9:150:10 | (const char *)... |
+| argvLocal.c:150:9:150:10 | i8 | argvLocal.c:150:9:150:10 | i8 |
 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
@@ -159,12 +183,21 @@ edges
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
+| argvLocal.c:169:18:169:20 | i10 | argvLocal.c:169:9:169:20 | (char *)... |
+| argvLocal.c:169:18:169:20 | i10 | argvLocal.c:169:9:169:20 | (const char *)... |
+| argvLocal.c:169:18:169:20 | i10 | argvLocal.c:169:18:169:20 | i10 |
+| argvLocal.c:170:24:170:26 | i10 | argvLocal.c:170:15:170:26 | (char *)... |
+| argvLocal.c:170:24:170:26 | i10 | argvLocal.c:170:24:170:26 | i10 |
 nodes
 | argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct |
 | argvLocal.c:9:25:9:31 | correct | semmle.label | correct |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected
@@ -17,10 +17,14 @@ edges
 | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
 | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
 | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
 | funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | (const char *)... |
 | funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 |
 | funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | (const char *)... |
 | funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 |
+| funcsLocal.c:32:9:32:10 | i4 | funcsLocal.c:32:9:32:10 | (const char *)... |
+| funcsLocal.c:32:9:32:10 | i4 | funcsLocal.c:32:9:32:10 | i4 |
 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | (const char *)... |
 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
 | funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | (const char *)... |
@@ -31,10 +35,14 @@ edges
 | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
 | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
 | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
 | funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | (const char *)... |
 | funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 |
 | funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | (const char *)... |
 | funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 |
+| funcsLocal.c:42:9:42:10 | i6 | funcsLocal.c:42:9:42:10 | (const char *)... |
+| funcsLocal.c:42:9:42:10 | i6 | funcsLocal.c:42:9:42:10 | i6 |
 nodes
 | funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
 | funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected
@@ -13,6 +13,8 @@ edges
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
 | globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
+| globalVars.c:11:22:11:25 | *argv | globalVars.c:12:2:12:15 | Store |
+| globalVars.c:11:22:11:25 | argv | globalVars.c:11:22:11:25 | *argv |
 | globalVars.c:11:22:11:25 | argv | globalVars.c:12:2:12:15 | Store |
 | globalVars.c:12:2:12:15 | Store | globalVars.c:8:7:8:10 | copy |
 | globalVars.c:15:21:15:23 | val | globalVars.c:16:2:16:12 | Store |
@@ -29,6 +31,7 @@ edges
 nodes
 | globalVars.c:8:7:8:10 | copy | semmle.label | copy |
 | globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 |
+| globalVars.c:11:22:11:25 | *argv | semmle.label | *argv |
 | globalVars.c:11:22:11:25 | argv | semmle.label | argv |
 | globalVars.c:12:2:12:15 | Store | semmle.label | Store |
 | globalVars.c:15:21:15:23 | val | semmle.label | val |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
@@ -5,66 +5,110 @@ edges
 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
+| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
+| ifs.c:62:9:62:10 | c7 | ifs.c:62:9:62:10 | (const char *)... |
+| ifs.c:62:9:62:10 | c7 | ifs.c:62:9:62:10 | c7 |
 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
+| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
+| ifs.c:69:9:69:10 | c8 | ifs.c:69:9:69:10 | (const char *)... |
+| ifs.c:69:9:69:10 | c8 | ifs.c:69:9:69:10 | c8 |
 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
+| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
+| ifs.c:75:9:75:10 | i1 | ifs.c:75:9:75:10 | (const char *)... |
+| ifs.c:75:9:75:10 | i1 | ifs.c:75:9:75:10 | i1 |
 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
+| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
+| ifs.c:81:9:81:10 | i2 | ifs.c:81:9:81:10 | (const char *)... |
+| ifs.c:81:9:81:10 | i2 | ifs.c:81:9:81:10 | i2 |
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
+| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
+| ifs.c:87:9:87:10 | i3 | ifs.c:87:9:87:10 | (const char *)... |
+| ifs.c:87:9:87:10 | i3 | ifs.c:87:9:87:10 | i3 |
 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
+| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
+| ifs.c:93:9:93:10 | i4 | ifs.c:93:9:93:10 | (const char *)... |
+| ifs.c:93:9:93:10 | i4 | ifs.c:93:9:93:10 | i4 |
 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
+| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
+| ifs.c:99:9:99:10 | i5 | ifs.c:99:9:99:10 | (const char *)... |
+| ifs.c:99:9:99:10 | i5 | ifs.c:99:9:99:10 | i5 |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
+| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
+| ifs.c:106:9:106:10 | i6 | ifs.c:106:9:106:10 | (const char *)... |
+| ifs.c:106:9:106:10 | i6 | ifs.c:106:9:106:10 | i6 |
 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
+| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
+| ifs.c:112:9:112:10 | i7 | ifs.c:112:9:112:10 | (const char *)... |
+| ifs.c:112:9:112:10 | i7 | ifs.c:112:9:112:10 | i7 |
 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
+| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
+| ifs.c:118:9:118:10 | i8 | ifs.c:118:9:118:10 | (const char *)... |
+| ifs.c:118:9:118:10 | i8 | ifs.c:118:9:118:10 | i8 |
 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
 | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
+| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
+| ifs.c:124:9:124:10 | i9 | ifs.c:124:9:124:10 | (const char *)... |
+| ifs.c:124:9:124:10 | i9 | ifs.c:124:9:124:10 | i9 |
 nodes
 | ifs.c:61:8:61:11 | argv | semmle.label | argv |
 | ifs.c:61:8:61:11 | argv | semmle.label | argv |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -5,6 +5,8 @@ edges
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
 | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
+| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
 | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
@@ -19,6 +21,8 @@ edges
 | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
 | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
 | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
+| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
 | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
 | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
 | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
@@ -27,6 +31,10 @@ edges
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
+| test.cpp:42:38:42:44 | tainted | test.cpp:42:38:42:44 | (size_t)... |
+| test.cpp:42:38:42:44 | tainted | test.cpp:42:38:42:44 | tainted |
+| test.cpp:48:32:48:35 | size | test.cpp:48:32:48:35 | (size_t)... |
+| test.cpp:48:32:48:35 | size | test.cpp:48:32:48:35 | size |
 | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
 | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
 | test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
@@ -50,27 +58,36 @@ edges
 | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | (size_t)... |
 | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
 | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
 | test.cpp:227:24:227:29 | call to getenv | test.cpp:235:11:235:20 | (size_t)... |
 | test.cpp:227:24:227:29 | call to getenv | test.cpp:237:10:237:19 | (size_t)... |
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | (size_t)... |
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:235:11:235:20 | (size_t)... |
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:237:10:237:19 | (size_t)... |
+| test.cpp:229:9:229:18 | local_size | test.cpp:229:9:229:18 | (size_t)... |
+| test.cpp:229:9:229:18 | local_size | test.cpp:229:9:229:18 | local_size |
 | test.cpp:235:11:235:20 | (size_t)... | test.cpp:214:23:214:23 | s |
 | test.cpp:237:10:237:19 | (size_t)... | test.cpp:220:21:220:21 | s |
-| test.cpp:241:2:241:32 | Chi | test.cpp:279:17:279:20 | get_size output argument |
-| test.cpp:241:2:241:32 | Chi | test.cpp:295:18:295:21 | get_size output argument |
-| test.cpp:241:18:241:23 | call to getenv | test.cpp:241:2:241:32 | Chi |
-| test.cpp:241:18:241:31 | (const char *)... | test.cpp:241:2:241:32 | Chi |
+| test.cpp:241:2:241:32 | Chi [array content] | test.cpp:279:17:279:20 | get_size output argument [array content] |
+| test.cpp:241:2:241:32 | Chi [array content] | test.cpp:295:18:295:21 | get_size output argument [array content] |
+| test.cpp:241:2:241:32 | Store | test.cpp:241:2:241:32 | Chi [array content] |
+| test.cpp:241:18:241:23 | call to getenv | test.cpp:241:2:241:32 | Store |
+| test.cpp:241:18:241:31 | (const char *)... | test.cpp:241:2:241:32 | Store |
 | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
 | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
 | test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
 | test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
-| test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
-| test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
-| test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
-| test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
+| test.cpp:279:17:279:20 | Chi [array content] | test.cpp:281:11:281:14 | size |
+| test.cpp:279:17:279:20 | get_size output argument [array content] | test.cpp:279:17:279:20 | Chi [array content] |
+| test.cpp:281:11:281:14 | size | test.cpp:281:11:281:28 | ... * ... |
+| test.cpp:281:11:281:14 | size | test.cpp:281:11:281:28 | ... * ... |
+| test.cpp:295:18:295:21 | Chi [array content] | test.cpp:298:10:298:13 | size |
+| test.cpp:295:18:295:21 | get_size output argument [array content] | test.cpp:295:18:295:21 | Chi [array content] |
+| test.cpp:298:10:298:13 | size | test.cpp:298:10:298:27 | ... * ... |
+| test.cpp:298:10:298:13 | size | test.cpp:298:10:298:27 | ... * ... |
 | test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
 | test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
 | test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
@@ -142,7 +159,8 @@ nodes
 | test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
 | test.cpp:235:11:235:20 | (size_t)... | semmle.label | (size_t)... |
 | test.cpp:237:10:237:19 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:241:2:241:32 | Chi | semmle.label | Chi |
+| test.cpp:241:2:241:32 | Chi [array content] | semmle.label | Chi [array content] |
+| test.cpp:241:2:241:32 | Store | semmle.label | Store |
 | test.cpp:241:18:241:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:241:18:241:31 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:249:20:249:25 | call to getenv | semmle.label | call to getenv |
@@ -150,11 +168,15 @@ nodes
 | test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:279:17:279:20 | get_size output argument | semmle.label | get_size output argument |
+| test.cpp:279:17:279:20 | Chi [array content] | semmle.label | Chi [array content] |
+| test.cpp:279:17:279:20 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
+| test.cpp:281:11:281:14 | size | semmle.label | size |
 | test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:295:18:295:21 | get_size output argument | semmle.label | get_size output argument |
+| test.cpp:295:18:295:21 | Chi [array content] | semmle.label | Chi [array content] |
+| test.cpp:295:18:295:21 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
+| test.cpp:298:10:298:13 | size | semmle.label | size |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -23,10 +23,14 @@ edges
 | test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
 | test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
 | test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
 | test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
 | test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
 | test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
 | test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:61:5:61:5 | r | test.c:62:5:62:5 | r |
+| test.c:61:5:61:5 | r | test.c:62:5:62:5 | r |
 | test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
 | test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
 | test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
@@ -42,18 +46,22 @@ edges
 | test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
-| test.cpp:13:2:13:15 | Chi | test.cpp:30:13:30:14 | get_rand2 output argument |
-| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi |
-| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi |
-| test.cpp:18:2:18:14 | Chi | test.cpp:36:13:36:13 | get_rand3 output argument |
-| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi |
-| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi |
+| test.cpp:13:2:13:15 | Chi [array content] | test.cpp:30:13:30:14 | get_rand2 output argument [array content] |
+| test.cpp:13:2:13:15 | Store | test.cpp:13:2:13:15 | Chi [array content] |
+| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Store |
+| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Store |
+| test.cpp:18:2:18:14 | Chi [array content] | test.cpp:36:13:36:13 | get_rand3 output argument [array content] |
+| test.cpp:18:2:18:14 | Store | test.cpp:18:2:18:14 | Chi [array content] |
+| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Store |
+| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Store |
 | test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
 | test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
-| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r |
-| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r |
-| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r |
-| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r |
+| test.cpp:30:13:30:14 | Chi [array content] | test.cpp:31:7:31:7 | r |
+| test.cpp:30:13:30:14 | Chi [array content] | test.cpp:31:7:31:7 | r |
+| test.cpp:30:13:30:14 | get_rand2 output argument [array content] | test.cpp:30:13:30:14 | Chi [array content] |
+| test.cpp:36:13:36:13 | Chi [array content] | test.cpp:37:7:37:7 | r |
+| test.cpp:36:13:36:13 | Chi [array content] | test.cpp:37:7:37:7 | r |
+| test.cpp:36:13:36:13 | get_rand3 output argument [array content] | test.cpp:36:13:36:13 | Chi [array content] |
 nodes
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
@@ -106,21 +114,25 @@ nodes
 | test.cpp:8:9:8:12 | Store | semmle.label | Store |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
-| test.cpp:13:2:13:15 | Chi | semmle.label | Chi |
+| test.cpp:13:2:13:15 | Chi [array content] | semmle.label | Chi [array content] |
+| test.cpp:13:2:13:15 | Store | semmle.label | Store |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
-| test.cpp:18:2:18:14 | Chi | semmle.label | Chi |
+| test.cpp:18:2:18:14 | Chi [array content] | semmle.label | Chi [array content] |
+| test.cpp:18:2:18:14 | Store | semmle.label | Store |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |
 | test.cpp:25:7:25:7 | r | semmle.label | r |
 | test.cpp:25:7:25:7 | r | semmle.label | r |
 | test.cpp:25:7:25:7 | r | semmle.label | r |
-| test.cpp:30:13:30:14 | get_rand2 output argument | semmle.label | get_rand2 output argument |
+| test.cpp:30:13:30:14 | Chi [array content] | semmle.label | Chi [array content] |
+| test.cpp:30:13:30:14 | get_rand2 output argument [array content] | semmle.label | get_rand2 output argument [array content] |
 | test.cpp:31:7:31:7 | r | semmle.label | r |
 | test.cpp:31:7:31:7 | r | semmle.label | r |
 | test.cpp:31:7:31:7 | r | semmle.label | r |
-| test.cpp:36:13:36:13 | get_rand3 output argument | semmle.label | get_rand3 output argument |
+| test.cpp:36:13:36:13 | Chi [array content] | semmle.label | Chi [array content] |
+| test.cpp:36:13:36:13 | get_rand3 output argument [array content] | semmle.label | get_rand3 output argument [array content] |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
--- a/Abuse/UselessUpcast.ql
+++ b/Abuse/UselessUpcast.ql
@@ -38,7 +38,7 @@ predicate hasInstanceCallable(ValueOrRefType t, InstanceCallable c, string name)
 }

 /** Holds if extension method `m` is a method on `t` with name `name`. */
-pragma[noinline]
+pragma[nomagic]
 predicate hasExtensionMethod(ValueOrRefType t, ExtensionMethod m, string name) {
  t.isImplicitlyConvertibleTo(m.getExtendedType()) and
  name = m.getName()
--- a/Features/CWE-020/RuntimeChecksBypass.ql
+++ b/Features/CWE-020/RuntimeChecksBypass.ql
@@ -27,6 +27,7 @@ GuardedExpr checkedWrite(Field f, Variable v, IfStmt check) {
 * The result is an unsafe write to the field `f`, where
 * there is no check performed within the (calling) scope of the method.
 */
+pragma[nomagic]
 Expr uncheckedWrite(Callable callable, Field f) {
  result = f.getAnAssignedValue() and
  result.getEnclosingCallable() = callable and
--- a/Bugs/Collections/ArrayIndexOutOfBounds.ql
+++ b/Bugs/Collections/ArrayIndexOutOfBounds.ql
@@ -9,6 +9,7 @@
 * @tags reliability
 *       correctness
 *       exceptions
+ *       external/cwe/cwe-193
 */

 import java
--- a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -8,6 +8,7 @@
 * @id java/sql-injection
 * @tags security
 *       external/cwe/cwe-089
+ *       external/cwe/cwe-564
 */

 import java
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -8,6 +8,7 @@
 * @id java/sql-injection-local
 * @tags security
 *       external/cwe/cwe-089
+ *       external/cwe/cwe-564
 */

 import semmle.code.java.Expr
--- a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
@@ -8,6 +8,7 @@
 * @id java/concatenated-sql-query
 * @tags security
 *       external/cwe/cwe-089
+ *       external/cwe/cwe-564
 */

 import java
--- a/java/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/java/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -8,6 +8,8 @@
 * @id java/xxe
 * @tags security
 *       external/cwe/cwe-611
+ *       external/cwe/cwe-776
+ *       external/cwe/cwe-827
 */

 import java
--- a/java/ql/src/semmle/code/java/PrintAst.qll
+++ b/java/ql/src/semmle/code/java/PrintAst.qll
@@ -124,6 +124,9 @@ private newtype TPrintAstNode =
  TJavadocNode(Javadoc jd) { exists(Documentable d | d.getJavadoc() = jd | shouldPrint(d, _)) } or
  TJavadocElementNode(JavadocElement jd) {
    exists(Documentable d | d.getJavadoc() = jd.getParent*() | shouldPrint(d, _))
+  } or
+  TImportsNode(CompilationUnit cu) {
+    shouldPrint(cu, _) and exists(Import i | i.getCompilationUnit() = cu)
  }

 /**
@@ -395,13 +398,12 @@ final class CompilationUnitNode extends ElementNode {

  CompilationUnitNode() { cu = element }

-  private Element getADeclaration() {
-    cu.hasChildElement(result)
-    or
-    result.(Import).getCompilationUnit() = cu
-  }
+  private Element getADeclaration() { cu.hasChildElement(result) }

  override PrintAstNode getChild(int childIndex) {
+    childIndex = -1 and
+    result.(ImportsNode).getCompilationUnit() = cu
+    or
    childIndex >= 0 and
    result.(ElementNode).getElement() =
      rank[childIndex](Element e, string file, int line, int column |
@@ -622,6 +624,32 @@ final class JavadocElementNode extends PrintAstNode, TJavadocElementNode {
  JavadocElement getJavadocElement() { result = jd }
 }

+/**
+ * A node representing the `Import`s of a `CompilationUnit`.
+ * Only rendered if there is at least one import.
+ */
+final class ImportsNode extends PrintAstNode, TImportsNode {
+  CompilationUnit cu;
+
+  ImportsNode() { this = TImportsNode(cu) }
+
+  override string toString() { result = "(Imports)" }
+
+  override ElementNode getChild(int childIndex) {
+    result.getElement() =
+      rank[childIndex](Import im, string file, int line, int column |
+        im.getCompilationUnit() = cu and locationSortKeys(im, file, line, column)
+      |
+        im order by file, line, column
+      )
+  }
+
+  /**
+   * Gets the underlying CompilationUnit.
+   */
+  CompilationUnit getCompilationUnit() { result = cu }
+}
+
 /** Holds if `node` belongs to the output tree, and its property `key` has the given `value`. */
 query predicate nodes(PrintAstNode node, string key, string value) { value = node.getProperty(key) }

--- a/java/ql/test/library-tests/collections/PrintAst.expected
+++ b/java/ql/test/library-tests/collections/PrintAst.expected
@@ -1,7 +1,8 @@
 collections/Test.java:
 #    0| [CompilationUnit] Test
-#    3|   1: [ImportOnDemandFromPackage] import java.util.*
-#    5|   2: [Class] Test
+#-----|   -1: (Imports)
+#    3|     1: [ImportOnDemandFromPackage] import java.util.*
+#    5|   1: [Class] Test
 #    6|     3: [FieldDeclaration] Map<String,Integer> m, ...;
 #    6|       -1: [TypeAccess] Map<String,Integer>
 #    6|         0: [TypeAccess] String
--- a/java/ql/test/library-tests/dependency-counts/PrintAst.expected
+++ b/java/ql/test/library-tests/dependency-counts/PrintAst.expected
@@ -1,8 +1,9 @@
 Example.java:
 #    0| [CompilationUnit] Example
-#    1|   1: [ImportType] import Set
-#    2|   2: [ImportType] import List
-#    4|   3: [Interface] Example
+#-----|   -1: (Imports)
+#    1|     1: [ImportType] import Set
+#    2|     2: [ImportType] import List
+#    4|   1: [Interface] Example
 #-----|     -2: (Generic Parameters)
 #    4|       0: [TypeVariable] A
 #-----|     -1: (Base Types)
--- a/java/ql/test/library-tests/generics/PrintAst.expected
+++ b/java/ql/test/library-tests/generics/PrintAst.expected
@@ -1,12 +1,13 @@
 generics/A.java:
 #    0| [CompilationUnit] A
-#    3|   1: [ImportType] import HashMap
-#    4|   2: [ImportType] import Map
-#    6|   3: [Class] A
+#-----|   -1: (Imports)
+#    3|     1: [ImportType] import HashMap
+#    4|     2: [ImportType] import Map
+#    6|   1: [Class] A
 #-----|     -2: (Generic Parameters)
 #    6|       0: [TypeVariable] T
 #    7|     2: [Class] B
-#   10|   4: [Class] C
+#   10|   2: [Class] C
 #   11|     3: [FieldDeclaration] A<String> f, ...;
 #   11|       -1: [TypeAccess] A<String>
 #   11|         0: [TypeAccess] String
@@ -22,7 +23,7 @@ generics/A.java:
 #   13|         -3: [TypeAccess] HashMap<String,Object>
 #   13|           0: [TypeAccess] String
 #   13|           1: [TypeAccess] Object
-#   16|   5: [Class] D
+#   16|   3: [Class] D
 #-----|     -2: (Generic Parameters)
 #   16|       0: [TypeVariable] V
 #   16|         0: [TypeAccess] Number
--- a/java/ql/test/library-tests/java7/Diamond/PrintAst.expected
+++ b/java/ql/test/library-tests/java7/Diamond/PrintAst.expected
@@ -1,10 +1,11 @@
 Diamond.java:
 #    0| [CompilationUnit] Diamond
-#    3|   1: [ImportType] import ArrayList
-#    4|   2: [ImportType] import HashMap
-#    5|   3: [ImportType] import List
-#    6|   4: [ImportType] import Map
-#    8|   5: [Class] Diamond
+#-----|   -1: (Imports)
+#    3|     1: [ImportType] import ArrayList
+#    4|     2: [ImportType] import HashMap
+#    5|     3: [ImportType] import List
+#    6|     4: [ImportType] import Map
+#    8|   1: [Class] Diamond
 #   10|     3: [FieldDeclaration] List<Integer> list, ...;
 #   10|       -1: [TypeAccess] List<Integer>
 #   10|         0: [TypeAccess] Integer
--- a/java/ql/test/library-tests/java7/MultiCatch/PrintAst.expected
+++ b/java/ql/test/library-tests/java7/MultiCatch/PrintAst.expected
@@ -1,8 +1,9 @@
 MultiCatch.java:
 #    0| [CompilationUnit] MultiCatch
-#    3|   1: [ImportType] import IOException
-#    4|   2: [ImportType] import SQLException
-#    6|   3: [Class] MultiCatch
+#-----|   -1: (Imports)
+#    3|     1: [ImportType] import IOException
+#    4|     2: [ImportType] import SQLException
+#    6|   1: [Class] MultiCatch
 #    7|     2: [Method] multiCatch
 #    7|       3: [TypeAccess] void
 #-----|       4: (Parameters)
--- a/java/ql/test/library-tests/reflection/PrintAst.expected
+++ b/java/ql/test/library-tests/reflection/PrintAst.expected
@@ -1,7 +1,8 @@
 reflection/ReflectiveAccess.java:
 #    0| [CompilationUnit] ReflectiveAccess
-#    3|   1: [ImportType] import Annotation
-#    5|   2: [Class] ReflectiveAccess
+#-----|   -1: (Imports)
+#    3|     1: [ImportType] import Annotation
+#    5|   1: [Class] ReflectiveAccess
 #    6|     2: [Interface] TestAnnotation
 #   10|     3: [Class] TestClass
 #-----|       -3: (Annotations)
--- a/java/ql/test/library-tests/typeaccesses/PrintAst.expected
+++ b/java/ql/test/library-tests/typeaccesses/PrintAst.expected
@@ -26,8 +26,9 @@ typeaccesses/Outer.java:
 #    7|             0: [IntegerLiteral] 1
 typeaccesses/TA.java:
 #    0| [CompilationUnit] TA
-#    3|   1: [ImportType] import ArrayList
-#    5|   2: [Class] TA
+#-----|   -1: (Imports)
+#    3|     1: [ImportType] import ArrayList
+#    5|   1: [Class] TA
 #-----|     -1: (Base Types)
 #    5|       -1: [TypeAccess] ArrayList<TA>
 #    5|         0: [TypeAccess] TA