Merge branch 'main' into rdmarsh2/cpp/constant-array-overflow-tests

2026-04-29 10:45:15 +02:00 · 2023-07-05 13:49:17 +01:00
parent 60c0226dce f714de0040
commit d24a05a1b9
180 changed files with 3567 additions and 2411 deletions
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
@@ -39,6 +39,22 @@ edges
 | test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... |
 | test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | & ... indirection |
 | test.cpp:158:17:158:18 | & ... indirection | test.cpp:146:26:146:26 | p indirection |
+| test.cpp:218:23:218:28 | buffer | test.cpp:220:5:220:11 | access to array |
+| test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array |
+| test.cpp:229:25:229:29 | array | test.cpp:231:5:231:10 | access to array |
+| test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array |
+| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array |
+| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array |
+| test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p |
+| test.cpp:274:14:274:20 | buffer3 | test.cpp:274:14:274:20 | buffer3 |
+| test.cpp:277:35:277:35 | p | test.cpp:278:14:278:14 | p |
+| test.cpp:278:14:278:14 | p | test.cpp:245:30:245:30 | p |
+| test.cpp:283:19:283:25 | buffer1 | test.cpp:277:35:277:35 | p |
+| test.cpp:283:19:283:25 | buffer1 | test.cpp:283:19:283:25 | buffer1 |
+| test.cpp:286:19:286:25 | buffer2 | test.cpp:277:35:277:35 | p |
+| test.cpp:286:19:286:25 | buffer2 | test.cpp:286:19:286:25 | buffer2 |
+| test.cpp:289:19:289:25 | buffer3 | test.cpp:277:35:277:35 | p |
+| test.cpp:289:19:289:25 | buffer3 | test.cpp:289:19:289:25 | buffer3 |
 nodes
 | test.cpp:34:5:34:24 | access to array | semmle.label | access to array |
 | test.cpp:34:10:34:12 | buf | semmle.label | buf |
@@ -96,6 +112,25 @@ nodes
 | test.cpp:156:12:156:14 | buf | semmle.label | buf |
 | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
 | test.cpp:158:17:158:18 | & ... indirection | semmle.label | & ... indirection |
+| test.cpp:218:23:218:28 | buffer | semmle.label | buffer |
+| test.cpp:220:5:220:11 | access to array | semmle.label | access to array |
+| test.cpp:221:5:221:11 | access to array | semmle.label | access to array |
+| test.cpp:229:25:229:29 | array | semmle.label | array |
+| test.cpp:231:5:231:10 | access to array | semmle.label | access to array |
+| test.cpp:232:5:232:10 | access to array | semmle.label | access to array |
+| test.cpp:245:30:245:30 | p | semmle.label | p |
+| test.cpp:245:30:245:30 | p | semmle.label | p |
+| test.cpp:261:27:261:30 | access to array | semmle.label | access to array |
+| test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 |
+| test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 |
+| test.cpp:277:35:277:35 | p | semmle.label | p |
+| test.cpp:278:14:278:14 | p | semmle.label | p |
+| test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 |
+| test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 |
+| test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 |
+| test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 |
+| test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 |
+| test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 |
 subpaths
 #select
 | test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
@@ -107,6 +142,10 @@ subpaths
 | test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
 | test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
 | test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
+| test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write |
 | test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
 | test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
 | test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:148:6:148:9 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
+| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write |
+| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write |
+| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
@@ -211,4 +211,80 @@ int countdownLength2() {
    }

    return p[5];
-}
+}
+
+void pointer_size_larger_than_array_element_size() {
+    unsigned char buffer[100]; // getByteSize() = 100
+    int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25
+
+    ptr[24] = 0; // GOOD: writes bytes 96, 97, 98, 99
+    ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103
+}
+
+struct vec2 { int x, y; };
+struct vec3 { int x, y, z; };
+
+void pointer_size_smaller_than_array_element_size_but_does_not_divide_it() {
+    vec3 array[3]; // getByteSize() = 9 * sizeof(int)
+    vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4
+
+    ptr[3] = vec2{}; // GOOD: writes ints 6, 7
+    ptr[4] = vec2{}; // BAD: writes ints 8, 9
+}
+
+void pointer_size_larger_than_array_element_size_and_does_not_divide_it() {
+    vec2 array[2]; // getByteSize() = 4 * sizeof(int) = 4 * 4 = 16
+    vec3 *ptr = (vec3 *)array; // pai.getElementSize() will be 3 * sizeof(int) -> size = 1
+
+    ptr[0] = vec3{}; // GOOD: writes ints 0, 1, 2
+    ptr[1] = vec3{}; // BAD: writes ints 3, 4, 5 [NOT DETECTED]
+}
+
+void use(...);
+
+void call_use(unsigned char* p, int n) {
+    if(n == 0) {
+        return;
+    }
+    if(n == 1) {
+        unsigned char x = p[0];
+        use(x);
+    }
+    if(n == 2) {
+        unsigned char x = p[0];
+        unsigned char y = p[1];
+        use(x, y);
+    }
+    if(n == 3) {
+        unsigned char x = p[0];
+        unsigned char y = p[1];
+        unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point.
+        use(x, y, z);
+    }
+}
+
+void test_call_use() {
+    unsigned char buffer1[1];
+    call_use(buffer1,1);
+
+    unsigned char buffer2[2];
+    call_use(buffer2,2);
+
+    unsigned char buffer3[3];
+    call_use(buffer3,3);
+}
+
+void call_call_use(unsigned char* p, int n) {
+    call_use(p, n);
+}
+
+void test_call_use2() {
+    unsigned char buffer1[1];
+    call_call_use(buffer1,1);
+
+    unsigned char buffer2[2];
+    call_call_use(buffer2,2);
+
+    unsigned char buffer3[3];
+    call_call_use(buffer3,3);
+}
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -720,14 +720,6 @@ edges
 | test.cpp:359:16:359:27 | end_plus_one | test.cpp:359:14:359:32 | Load: * ... |
 | test.cpp:359:16:359:31 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
 | test.cpp:363:14:363:27 | new[] | test.cpp:365:15:365:15 | p |
-| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... |
-| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... |
-| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p |
-| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p |
-| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p |
-| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p |
-| test.cpp:371:7:371:7 | p | test.cpp:372:15:372:16 | Load: * ... |
-| test.cpp:372:16:372:16 | p | test.cpp:372:15:372:16 | Load: * ... |
 | test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:16 | xs |
 | test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
 | test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
@@ -752,53 +744,303 @@ edges
 | test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
 | test.cpp:384:14:384:16 | end | test.cpp:384:13:384:16 | Load: * ... |
 | test.cpp:388:14:388:27 | new[] | test.cpp:389:16:389:17 | xs |
-| test.cpp:388:14:388:27 | new[] | test.cpp:392:5:392:6 | xs |
-| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
-| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
-| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
-| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
-| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
-| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
-| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
-| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:6 | xs |
-| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
-| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
-| test.cpp:395:5:395:6 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
-| test.cpp:406:3:406:25 | ... = ... | test.cpp:406:7:406:8 | val indirection [post update] [xs] |
-| test.cpp:406:7:406:8 | val indirection [post update] [xs] | test.cpp:407:3:407:5 | val indirection [xs] |
-| test.cpp:406:12:406:25 | new[] | test.cpp:406:3:406:25 | ... = ... |
-| test.cpp:407:3:407:5 | val indirection [xs] | test.cpp:407:7:407:8 | xs indirection |
-| test.cpp:407:7:407:8 | xs indirection | test.cpp:407:7:407:8 | xs |
-| test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:8 | xs |
-| test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:6 | xs |
-| test.cpp:439:14:439:27 | new[] | test.cpp:444:5:444:6 | xs |
-| test.cpp:450:14:450:27 | new[] | test.cpp:455:5:455:6 | xs |
-| test.cpp:455:5:455:6 | xs | test.cpp:455:5:455:15 | access to array |
-| test.cpp:455:5:455:15 | access to array | test.cpp:455:5:455:19 | Store: ... = ... |
-| test.cpp:461:14:461:27 | new[] | test.cpp:466:5:466:6 | xs |
-| test.cpp:466:5:466:6 | xs | test.cpp:466:5:466:15 | access to array |
-| test.cpp:466:5:466:15 | access to array | test.cpp:466:5:466:19 | Store: ... = ... |
-| test.cpp:472:14:472:27 | new[] | test.cpp:477:5:477:6 | xs |
-| test.cpp:483:14:483:27 | new[] | test.cpp:488:5:488:6 | xs |
-| test.cpp:494:14:494:31 | new[] | test.cpp:499:5:499:6 | xs |
-| test.cpp:505:14:505:31 | new[] | test.cpp:510:5:510:6 | xs |
-| test.cpp:516:14:516:31 | new[] | test.cpp:521:5:521:6 | xs |
-| test.cpp:527:14:527:31 | new[] | test.cpp:532:5:532:6 | xs |
-| test.cpp:538:14:538:31 | new[] | test.cpp:543:5:543:6 | xs |
-| test.cpp:549:14:549:31 | new[] | test.cpp:554:5:554:6 | xs |
-| test.cpp:554:5:554:6 | xs | test.cpp:554:5:554:15 | access to array |
-| test.cpp:554:5:554:15 | access to array | test.cpp:554:5:554:19 | Store: ... = ... |
+| test.cpp:388:14:388:27 | new[] | test.cpp:392:3:392:4 | xs |
+| test.cpp:399:14:399:27 | new[] | test.cpp:400:16:400:17 | xs |
+| test.cpp:399:14:399:27 | new[] | test.cpp:402:5:402:6 | xs |
+| test.cpp:410:14:410:27 | new[] | test.cpp:411:16:411:17 | xs |
+| test.cpp:410:14:410:27 | new[] | test.cpp:413:5:413:6 | xs |
+| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... |
+| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... |
+| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end |
+| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end |
+| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end |
+| test.cpp:411:15:411:23 | & ... | test.cpp:412:12:412:14 | end |
+| test.cpp:411:15:411:23 | & ... | test.cpp:414:14:414:16 | end |
+| test.cpp:411:15:411:23 | & ... | test.cpp:414:14:414:16 | end |
+| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... |
+| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... |
+| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... |
+| test.cpp:411:16:411:17 | xs | test.cpp:411:15:411:23 | & ... |
+| test.cpp:411:16:411:17 | xs | test.cpp:411:16:411:23 | access to array |
+| test.cpp:411:16:411:17 | xs | test.cpp:411:16:411:23 | access to array |
+| test.cpp:411:16:411:17 | xs | test.cpp:412:12:412:14 | end |
+| test.cpp:411:16:411:17 | xs | test.cpp:412:12:412:14 | end |
+| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ |
+| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ |
+| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ |
+| test.cpp:411:16:411:17 | xs | test.cpp:413:5:413:8 | ... ++ |
+| test.cpp:411:16:411:17 | xs | test.cpp:414:9:414:10 | xs |
+| test.cpp:411:16:411:17 | xs | test.cpp:414:14:414:16 | end |
+| test.cpp:411:16:411:17 | xs | test.cpp:415:7:415:11 | access to array |
+| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... |
+| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... |
+| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... |
+| test.cpp:411:16:411:23 | access to array | test.cpp:411:15:411:23 | & ... |
+| test.cpp:411:16:411:23 | access to array | test.cpp:412:12:412:14 | end |
+| test.cpp:411:16:411:23 | access to array | test.cpp:412:12:412:14 | end |
+| test.cpp:411:16:411:23 | access to array | test.cpp:414:14:414:16 | end |
+| test.cpp:411:16:411:23 | access to array | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:411:16:411:23 | access to array | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:412:12:412:14 | end | test.cpp:414:14:414:16 | end |
+| test.cpp:412:12:412:14 | end | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:412:12:412:14 | end | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:413:5:413:8 | ... ++ | test.cpp:413:5:413:8 | ... ++ |
+| test.cpp:413:5:413:8 | ... ++ | test.cpp:413:5:413:8 | ... ++ |
+| test.cpp:413:5:413:8 | ... ++ | test.cpp:414:9:414:10 | xs |
+| test.cpp:413:5:413:8 | ... ++ | test.cpp:414:9:414:10 | xs |
+| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:413:5:413:8 | ... ++ | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:414:9:414:10 | xs | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:414:14:414:16 | end | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:415:7:415:11 | access to array | test.cpp:415:7:415:15 | Store: ... = ... |
+| test.cpp:421:14:421:27 | new[] | test.cpp:422:16:422:17 | xs |
+| test.cpp:421:14:421:27 | new[] | test.cpp:424:5:424:6 | xs |
+| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... |
+| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... |
+| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end |
+| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end |
+| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end |
+| test.cpp:422:15:422:23 | & ... | test.cpp:423:12:423:14 | end |
+| test.cpp:422:15:422:23 | & ... | test.cpp:425:18:425:20 | end |
+| test.cpp:422:15:422:23 | & ... | test.cpp:425:18:425:20 | end |
+| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... |
+| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... |
+| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... |
+| test.cpp:422:16:422:17 | xs | test.cpp:422:15:422:23 | & ... |
+| test.cpp:422:16:422:17 | xs | test.cpp:422:16:422:23 | access to array |
+| test.cpp:422:16:422:17 | xs | test.cpp:422:16:422:23 | access to array |
+| test.cpp:422:16:422:17 | xs | test.cpp:423:12:423:14 | end |
+| test.cpp:422:16:422:17 | xs | test.cpp:423:12:423:14 | end |
+| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ |
+| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ |
+| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ |
+| test.cpp:422:16:422:17 | xs | test.cpp:424:5:424:8 | ... ++ |
+| test.cpp:422:16:422:17 | xs | test.cpp:425:9:425:10 | xs |
+| test.cpp:422:16:422:17 | xs | test.cpp:425:9:425:10 | xs |
+| test.cpp:422:16:422:17 | xs | test.cpp:425:18:425:20 | end |
+| test.cpp:422:16:422:17 | xs | test.cpp:426:7:426:8 | xs |
+| test.cpp:422:16:422:17 | xs | test.cpp:426:7:426:11 | access to array |
+| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... |
+| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... |
+| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... |
+| test.cpp:422:16:422:23 | access to array | test.cpp:422:15:422:23 | & ... |
+| test.cpp:422:16:422:23 | access to array | test.cpp:423:12:423:14 | end |
+| test.cpp:422:16:422:23 | access to array | test.cpp:423:12:423:14 | end |
+| test.cpp:422:16:422:23 | access to array | test.cpp:425:18:425:20 | end |
+| test.cpp:422:16:422:23 | access to array | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:422:16:422:23 | access to array | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:423:12:423:14 | end | test.cpp:425:18:425:20 | end |
+| test.cpp:423:12:423:14 | end | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:423:12:423:14 | end | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:424:5:424:8 | ... ++ |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:424:5:424:8 | ... ++ |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:425:9:425:10 | xs |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:8 | xs |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:8 | xs |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:424:5:424:8 | ... ++ | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:425:9:425:10 | xs | test.cpp:426:7:426:8 | xs |
+| test.cpp:425:9:425:10 | xs | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:425:9:425:10 | xs | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:425:18:425:20 | end | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:426:7:426:8 | xs | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:426:7:426:11 | access to array | test.cpp:426:7:426:15 | Store: ... = ... |
+| test.cpp:432:14:432:27 | new[] | test.cpp:433:16:433:17 | xs |
+| test.cpp:432:14:432:27 | new[] | test.cpp:436:5:436:6 | xs |
+| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... |
+| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... |
+| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end |
+| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end |
+| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end |
+| test.cpp:433:15:433:23 | & ... | test.cpp:434:12:434:14 | end |
+| test.cpp:433:15:433:23 | & ... | test.cpp:435:5:435:7 | end |
+| test.cpp:433:15:433:23 | & ... | test.cpp:435:5:435:7 | end |
+| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... |
+| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... |
+| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... |
+| test.cpp:433:16:433:17 | xs | test.cpp:433:15:433:23 | & ... |
+| test.cpp:433:16:433:17 | xs | test.cpp:433:16:433:23 | access to array |
+| test.cpp:433:16:433:17 | xs | test.cpp:433:16:433:23 | access to array |
+| test.cpp:433:16:433:17 | xs | test.cpp:434:12:434:14 | end |
+| test.cpp:433:16:433:17 | xs | test.cpp:434:12:434:14 | end |
+| test.cpp:433:16:433:17 | xs | test.cpp:435:5:435:7 | end |
+| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ |
+| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ |
+| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ |
+| test.cpp:433:16:433:17 | xs | test.cpp:436:5:436:8 | ... ++ |
+| test.cpp:433:16:433:17 | xs | test.cpp:437:9:437:10 | xs |
+| test.cpp:433:16:433:17 | xs | test.cpp:438:7:438:11 | access to array |
+| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... |
+| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... |
+| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... |
+| test.cpp:433:16:433:23 | access to array | test.cpp:433:15:433:23 | & ... |
+| test.cpp:433:16:433:23 | access to array | test.cpp:434:12:434:14 | end |
+| test.cpp:433:16:433:23 | access to array | test.cpp:434:12:434:14 | end |
+| test.cpp:433:16:433:23 | access to array | test.cpp:435:5:435:7 | end |
+| test.cpp:433:16:433:23 | access to array | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:433:16:433:23 | access to array | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:434:12:434:14 | end | test.cpp:435:5:435:7 | end |
+| test.cpp:434:12:434:14 | end | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:434:12:434:14 | end | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:435:5:435:7 | end | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:436:5:436:8 | ... ++ | test.cpp:436:5:436:8 | ... ++ |
+| test.cpp:436:5:436:8 | ... ++ | test.cpp:436:5:436:8 | ... ++ |
+| test.cpp:436:5:436:8 | ... ++ | test.cpp:437:9:437:10 | xs |
+| test.cpp:436:5:436:8 | ... ++ | test.cpp:437:9:437:10 | xs |
+| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:436:5:436:8 | ... ++ | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:437:9:437:10 | xs | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:438:7:438:11 | access to array | test.cpp:438:7:438:15 | Store: ... = ... |
+| test.cpp:444:14:444:27 | new[] | test.cpp:445:16:445:17 | xs |
+| test.cpp:444:14:444:27 | new[] | test.cpp:448:5:448:6 | xs |
+| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... |
+| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... |
+| test.cpp:445:15:445:23 | & ... | test.cpp:446:3:446:5 | end |
+| test.cpp:445:15:445:23 | & ... | test.cpp:446:3:446:5 | end |
+| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... |
+| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... |
+| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... |
+| test.cpp:445:16:445:17 | xs | test.cpp:445:15:445:23 | & ... |
+| test.cpp:445:16:445:17 | xs | test.cpp:445:16:445:23 | access to array |
+| test.cpp:445:16:445:17 | xs | test.cpp:445:16:445:23 | access to array |
+| test.cpp:445:16:445:17 | xs | test.cpp:446:3:446:5 | end |
+| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ |
+| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ |
+| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ |
+| test.cpp:445:16:445:17 | xs | test.cpp:448:5:448:8 | ... ++ |
+| test.cpp:445:16:445:17 | xs | test.cpp:449:9:449:10 | xs |
+| test.cpp:445:16:445:17 | xs | test.cpp:450:7:450:11 | access to array |
+| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... |
+| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... |
+| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... |
+| test.cpp:445:16:445:23 | access to array | test.cpp:445:15:445:23 | & ... |
+| test.cpp:445:16:445:23 | access to array | test.cpp:446:3:446:5 | end |
+| test.cpp:445:16:445:23 | access to array | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:445:16:445:23 | access to array | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:446:3:446:5 | end | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:448:5:448:8 | ... ++ | test.cpp:448:5:448:8 | ... ++ |
+| test.cpp:448:5:448:8 | ... ++ | test.cpp:448:5:448:8 | ... ++ |
+| test.cpp:448:5:448:8 | ... ++ | test.cpp:449:9:449:10 | xs |
+| test.cpp:448:5:448:8 | ... ++ | test.cpp:449:9:449:10 | xs |
+| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:448:5:448:8 | ... ++ | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:449:9:449:10 | xs | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:450:7:450:11 | access to array | test.cpp:450:7:450:15 | Store: ... = ... |
+| test.cpp:456:14:456:31 | new[] | test.cpp:457:16:457:17 | xs |
+| test.cpp:456:14:456:31 | new[] | test.cpp:460:5:460:6 | xs |
+| test.cpp:468:14:468:27 | new[] | test.cpp:469:16:469:17 | xs |
+| test.cpp:468:14:468:27 | new[] | test.cpp:472:5:472:6 | xs |
+| test.cpp:480:14:480:27 | new[] | test.cpp:481:16:481:17 | xs |
+| test.cpp:480:14:480:27 | new[] | test.cpp:484:5:484:6 | xs |
+| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... |
+| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... |
+| test.cpp:481:15:481:23 | & ... | test.cpp:482:3:482:5 | end |
+| test.cpp:481:15:481:23 | & ... | test.cpp:482:3:482:5 | end |
+| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... |
+| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... |
+| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... |
+| test.cpp:481:16:481:17 | xs | test.cpp:481:15:481:23 | & ... |
+| test.cpp:481:16:481:17 | xs | test.cpp:481:16:481:23 | access to array |
+| test.cpp:481:16:481:17 | xs | test.cpp:481:16:481:23 | access to array |
+| test.cpp:481:16:481:17 | xs | test.cpp:482:3:482:5 | end |
+| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ |
+| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ |
+| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ |
+| test.cpp:481:16:481:17 | xs | test.cpp:484:5:484:8 | ... ++ |
+| test.cpp:481:16:481:17 | xs | test.cpp:485:9:485:10 | xs |
+| test.cpp:481:16:481:17 | xs | test.cpp:486:7:486:11 | access to array |
+| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... |
+| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... |
+| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... |
+| test.cpp:481:16:481:23 | access to array | test.cpp:481:15:481:23 | & ... |
+| test.cpp:481:16:481:23 | access to array | test.cpp:482:3:482:5 | end |
+| test.cpp:481:16:481:23 | access to array | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:481:16:481:23 | access to array | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:482:3:482:5 | end | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:484:5:484:8 | ... ++ | test.cpp:484:5:484:8 | ... ++ |
+| test.cpp:484:5:484:8 | ... ++ | test.cpp:484:5:484:8 | ... ++ |
+| test.cpp:484:5:484:8 | ... ++ | test.cpp:485:9:485:10 | xs |
+| test.cpp:484:5:484:8 | ... ++ | test.cpp:485:9:485:10 | xs |
+| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:484:5:484:8 | ... ++ | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:485:9:485:10 | xs | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:486:7:486:11 | access to array | test.cpp:486:7:486:15 | Store: ... = ... |
+| test.cpp:499:3:499:25 | ... = ... | test.cpp:499:7:499:8 | val indirection [post update] [xs] |
+| test.cpp:499:7:499:8 | val indirection [post update] [xs] | test.cpp:500:3:500:5 | val indirection [xs] |
+| test.cpp:499:12:499:25 | new[] | test.cpp:499:3:499:25 | ... = ... |
+| test.cpp:500:3:500:5 | val indirection [xs] | test.cpp:500:7:500:8 | xs indirection |
+| test.cpp:500:7:500:8 | xs indirection | test.cpp:500:7:500:8 | xs |
+| test.cpp:510:16:510:33 | new[] | test.cpp:512:7:512:8 | xs |
+| test.cpp:520:14:520:27 | new[] | test.cpp:526:5:526:6 | xs |
+| test.cpp:532:14:532:27 | new[] | test.cpp:537:5:537:6 | xs |
+| test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:6 | xs |
+| test.cpp:548:5:548:6 | xs | test.cpp:548:5:548:15 | access to array |
+| test.cpp:548:5:548:15 | access to array | test.cpp:548:5:548:19 | Store: ... = ... |
+| test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:6 | xs |
+| test.cpp:559:5:559:6 | xs | test.cpp:559:5:559:15 | access to array |
+| test.cpp:559:5:559:15 | access to array | test.cpp:559:5:559:19 | Store: ... = ... |
+| test.cpp:565:14:565:27 | new[] | test.cpp:570:5:570:6 | xs |
+| test.cpp:576:14:576:27 | new[] | test.cpp:581:5:581:6 | xs |
+| test.cpp:587:14:587:31 | new[] | test.cpp:592:5:592:6 | xs |
+| test.cpp:598:14:598:31 | new[] | test.cpp:603:5:603:6 | xs |
+| test.cpp:609:14:609:31 | new[] | test.cpp:614:5:614:6 | xs |
+| test.cpp:620:14:620:31 | new[] | test.cpp:625:5:625:6 | xs |
+| test.cpp:631:14:631:31 | new[] | test.cpp:636:5:636:6 | xs |
+| test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:6 | xs |
+| test.cpp:647:5:647:6 | xs | test.cpp:647:5:647:15 | access to array |
+| test.cpp:647:5:647:15 | access to array | test.cpp:647:5:647:19 | Store: ... = ... |
+| test.cpp:652:14:652:27 | new[] | test.cpp:653:16:653:17 | xs |
+| test.cpp:652:14:652:27 | new[] | test.cpp:656:3:656:4 | xs |
+| test.cpp:653:16:653:17 | xs | test.cpp:656:3:656:6 | ... ++ |
+| test.cpp:653:16:653:17 | xs | test.cpp:656:3:656:6 | ... ++ |
+| test.cpp:653:16:653:17 | xs | test.cpp:656:3:656:6 | ... ++ |
+| test.cpp:653:16:653:17 | xs | test.cpp:656:3:656:6 | ... ++ |
+| test.cpp:653:16:653:17 | xs | test.cpp:657:7:657:8 | xs |
+| test.cpp:656:3:656:6 | ... ++ | test.cpp:656:3:656:6 | ... ++ |
+| test.cpp:656:3:656:6 | ... ++ | test.cpp:656:3:656:6 | ... ++ |
+| test.cpp:656:3:656:6 | ... ++ | test.cpp:657:7:657:8 | xs |
+| test.cpp:656:3:656:6 | ... ++ | test.cpp:657:7:657:8 | xs |
+| test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | Store: ... = ... |
+| test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | Store: ... = ... |
+| test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | Store: ... = ... |
+| test.cpp:656:3:656:6 | ... ++ | test.cpp:662:3:662:11 | Store: ... = ... |
+| test.cpp:657:7:657:8 | xs | test.cpp:662:3:662:11 | Store: ... = ... |
+| test.cpp:667:14:667:31 | new[] | test.cpp:675:7:675:8 | xs |
+| test.cpp:675:7:675:8 | xs | test.cpp:675:7:675:19 | access to array |
+| test.cpp:675:7:675:19 | access to array | test.cpp:675:7:675:23 | Store: ... = ... |
 nodes
 | test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
 | test.cpp:5:15:5:15 | p | semmle.label | p |
@@ -1125,11 +1367,6 @@ nodes
 | test.cpp:359:16:359:31 | ... + ... | semmle.label | ... + ... |
 | test.cpp:363:14:363:27 | new[] | semmle.label | new[] |
 | test.cpp:365:15:365:15 | p | semmle.label | p |
-| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... |
-| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... |
-| test.cpp:371:7:371:7 | p | semmle.label | p |
-| test.cpp:372:15:372:16 | Load: * ... | semmle.label | Load: * ... |
-| test.cpp:372:16:372:16 | p | semmle.label | p |
 | test.cpp:377:14:377:27 | new[] | semmle.label | new[] |
 | test.cpp:378:15:378:16 | xs | semmle.label | xs |
 | test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
@@ -1143,53 +1380,160 @@ nodes
 | test.cpp:384:14:384:16 | end | semmle.label | end |
 | test.cpp:388:14:388:27 | new[] | semmle.label | new[] |
 | test.cpp:389:16:389:17 | xs | semmle.label | xs |
-| test.cpp:392:5:392:6 | xs | semmle.label | xs |
-| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
-| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
-| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
-| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
-| test.cpp:393:9:393:10 | xs | semmle.label | xs |
-| test.cpp:393:9:393:10 | xs | semmle.label | xs |
-| test.cpp:395:5:395:6 | xs | semmle.label | xs |
-| test.cpp:395:5:395:13 | Store: ... = ... | semmle.label | Store: ... = ... |
-| test.cpp:406:3:406:25 | ... = ... | semmle.label | ... = ... |
-| test.cpp:406:7:406:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
-| test.cpp:406:12:406:25 | new[] | semmle.label | new[] |
-| test.cpp:407:3:407:5 | val indirection [xs] | semmle.label | val indirection [xs] |
-| test.cpp:407:7:407:8 | xs | semmle.label | xs |
-| test.cpp:407:7:407:8 | xs indirection | semmle.label | xs indirection |
-| test.cpp:417:16:417:33 | new[] | semmle.label | new[] |
-| test.cpp:419:7:419:8 | xs | semmle.label | xs |
-| test.cpp:427:14:427:27 | new[] | semmle.label | new[] |
-| test.cpp:433:5:433:6 | xs | semmle.label | xs |
-| test.cpp:439:14:439:27 | new[] | semmle.label | new[] |
-| test.cpp:444:5:444:6 | xs | semmle.label | xs |
-| test.cpp:450:14:450:27 | new[] | semmle.label | new[] |
-| test.cpp:455:5:455:6 | xs | semmle.label | xs |
-| test.cpp:455:5:455:15 | access to array | semmle.label | access to array |
-| test.cpp:455:5:455:19 | Store: ... = ... | semmle.label | Store: ... = ... |
-| test.cpp:461:14:461:27 | new[] | semmle.label | new[] |
-| test.cpp:466:5:466:6 | xs | semmle.label | xs |
-| test.cpp:466:5:466:15 | access to array | semmle.label | access to array |
-| test.cpp:466:5:466:19 | Store: ... = ... | semmle.label | Store: ... = ... |
-| test.cpp:472:14:472:27 | new[] | semmle.label | new[] |
-| test.cpp:477:5:477:6 | xs | semmle.label | xs |
-| test.cpp:483:14:483:27 | new[] | semmle.label | new[] |
-| test.cpp:488:5:488:6 | xs | semmle.label | xs |
-| test.cpp:494:14:494:31 | new[] | semmle.label | new[] |
-| test.cpp:499:5:499:6 | xs | semmle.label | xs |
-| test.cpp:505:14:505:31 | new[] | semmle.label | new[] |
-| test.cpp:510:5:510:6 | xs | semmle.label | xs |
-| test.cpp:516:14:516:31 | new[] | semmle.label | new[] |
-| test.cpp:521:5:521:6 | xs | semmle.label | xs |
-| test.cpp:527:14:527:31 | new[] | semmle.label | new[] |
-| test.cpp:532:5:532:6 | xs | semmle.label | xs |
-| test.cpp:538:14:538:31 | new[] | semmle.label | new[] |
-| test.cpp:543:5:543:6 | xs | semmle.label | xs |
-| test.cpp:549:14:549:31 | new[] | semmle.label | new[] |
-| test.cpp:554:5:554:6 | xs | semmle.label | xs |
-| test.cpp:554:5:554:15 | access to array | semmle.label | access to array |
-| test.cpp:554:5:554:19 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:392:3:392:4 | xs | semmle.label | xs |
+| test.cpp:399:14:399:27 | new[] | semmle.label | new[] |
+| test.cpp:400:16:400:17 | xs | semmle.label | xs |
+| test.cpp:402:5:402:6 | xs | semmle.label | xs |
+| test.cpp:410:14:410:27 | new[] | semmle.label | new[] |
+| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
+| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
+| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
+| test.cpp:411:15:411:23 | & ... | semmle.label | & ... |
+| test.cpp:411:16:411:17 | xs | semmle.label | xs |
+| test.cpp:411:16:411:23 | access to array | semmle.label | access to array |
+| test.cpp:411:16:411:23 | access to array | semmle.label | access to array |
+| test.cpp:412:12:412:14 | end | semmle.label | end |
+| test.cpp:412:12:412:14 | end | semmle.label | end |
+| test.cpp:413:5:413:6 | xs | semmle.label | xs |
+| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:413:5:413:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:414:9:414:10 | xs | semmle.label | xs |
+| test.cpp:414:14:414:16 | end | semmle.label | end |
+| test.cpp:415:7:415:11 | access to array | semmle.label | access to array |
+| test.cpp:415:7:415:15 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:421:14:421:27 | new[] | semmle.label | new[] |
+| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
+| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
+| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
+| test.cpp:422:15:422:23 | & ... | semmle.label | & ... |
+| test.cpp:422:16:422:17 | xs | semmle.label | xs |
+| test.cpp:422:16:422:23 | access to array | semmle.label | access to array |
+| test.cpp:422:16:422:23 | access to array | semmle.label | access to array |
+| test.cpp:423:12:423:14 | end | semmle.label | end |
+| test.cpp:423:12:423:14 | end | semmle.label | end |
+| test.cpp:424:5:424:6 | xs | semmle.label | xs |
+| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:424:5:424:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:425:9:425:10 | xs | semmle.label | xs |
+| test.cpp:425:9:425:10 | xs | semmle.label | xs |
+| test.cpp:425:18:425:20 | end | semmle.label | end |
+| test.cpp:426:7:426:8 | xs | semmle.label | xs |
+| test.cpp:426:7:426:11 | access to array | semmle.label | access to array |
+| test.cpp:426:7:426:15 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:432:14:432:27 | new[] | semmle.label | new[] |
+| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
+| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
+| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
+| test.cpp:433:15:433:23 | & ... | semmle.label | & ... |
+| test.cpp:433:16:433:17 | xs | semmle.label | xs |
+| test.cpp:433:16:433:23 | access to array | semmle.label | access to array |
+| test.cpp:433:16:433:23 | access to array | semmle.label | access to array |
+| test.cpp:434:12:434:14 | end | semmle.label | end |
+| test.cpp:434:12:434:14 | end | semmle.label | end |
+| test.cpp:435:5:435:7 | end | semmle.label | end |
+| test.cpp:436:5:436:6 | xs | semmle.label | xs |
+| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:436:5:436:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:437:9:437:10 | xs | semmle.label | xs |
+| test.cpp:438:7:438:11 | access to array | semmle.label | access to array |
+| test.cpp:438:7:438:15 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:444:14:444:27 | new[] | semmle.label | new[] |
+| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
+| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
+| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
+| test.cpp:445:15:445:23 | & ... | semmle.label | & ... |
+| test.cpp:445:16:445:17 | xs | semmle.label | xs |
+| test.cpp:445:16:445:23 | access to array | semmle.label | access to array |
+| test.cpp:445:16:445:23 | access to array | semmle.label | access to array |
+| test.cpp:446:3:446:5 | end | semmle.label | end |
+| test.cpp:448:5:448:6 | xs | semmle.label | xs |
+| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:448:5:448:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:449:9:449:10 | xs | semmle.label | xs |
+| test.cpp:450:7:450:11 | access to array | semmle.label | access to array |
+| test.cpp:450:7:450:15 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:456:14:456:31 | new[] | semmle.label | new[] |
+| test.cpp:457:16:457:17 | xs | semmle.label | xs |
+| test.cpp:460:5:460:6 | xs | semmle.label | xs |
+| test.cpp:468:14:468:27 | new[] | semmle.label | new[] |
+| test.cpp:469:16:469:17 | xs | semmle.label | xs |
+| test.cpp:472:5:472:6 | xs | semmle.label | xs |
+| test.cpp:480:14:480:27 | new[] | semmle.label | new[] |
+| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
+| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
+| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
+| test.cpp:481:15:481:23 | & ... | semmle.label | & ... |
+| test.cpp:481:16:481:17 | xs | semmle.label | xs |
+| test.cpp:481:16:481:23 | access to array | semmle.label | access to array |
+| test.cpp:481:16:481:23 | access to array | semmle.label | access to array |
+| test.cpp:482:3:482:5 | end | semmle.label | end |
+| test.cpp:484:5:484:6 | xs | semmle.label | xs |
+| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:484:5:484:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:485:9:485:10 | xs | semmle.label | xs |
+| test.cpp:486:7:486:11 | access to array | semmle.label | access to array |
+| test.cpp:486:7:486:15 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:499:3:499:25 | ... = ... | semmle.label | ... = ... |
+| test.cpp:499:7:499:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
+| test.cpp:499:12:499:25 | new[] | semmle.label | new[] |
+| test.cpp:500:3:500:5 | val indirection [xs] | semmle.label | val indirection [xs] |
+| test.cpp:500:7:500:8 | xs | semmle.label | xs |
+| test.cpp:500:7:500:8 | xs indirection | semmle.label | xs indirection |
+| test.cpp:510:16:510:33 | new[] | semmle.label | new[] |
+| test.cpp:512:7:512:8 | xs | semmle.label | xs |
+| test.cpp:520:14:520:27 | new[] | semmle.label | new[] |
+| test.cpp:526:5:526:6 | xs | semmle.label | xs |
+| test.cpp:532:14:532:27 | new[] | semmle.label | new[] |
+| test.cpp:537:5:537:6 | xs | semmle.label | xs |
+| test.cpp:543:14:543:27 | new[] | semmle.label | new[] |
+| test.cpp:548:5:548:6 | xs | semmle.label | xs |
+| test.cpp:548:5:548:15 | access to array | semmle.label | access to array |
+| test.cpp:548:5:548:19 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:554:14:554:27 | new[] | semmle.label | new[] |
+| test.cpp:559:5:559:6 | xs | semmle.label | xs |
+| test.cpp:559:5:559:15 | access to array | semmle.label | access to array |
+| test.cpp:559:5:559:19 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:565:14:565:27 | new[] | semmle.label | new[] |
+| test.cpp:570:5:570:6 | xs | semmle.label | xs |
+| test.cpp:576:14:576:27 | new[] | semmle.label | new[] |
+| test.cpp:581:5:581:6 | xs | semmle.label | xs |
+| test.cpp:587:14:587:31 | new[] | semmle.label | new[] |
+| test.cpp:592:5:592:6 | xs | semmle.label | xs |
+| test.cpp:598:14:598:31 | new[] | semmle.label | new[] |
+| test.cpp:603:5:603:6 | xs | semmle.label | xs |
+| test.cpp:609:14:609:31 | new[] | semmle.label | new[] |
+| test.cpp:614:5:614:6 | xs | semmle.label | xs |
+| test.cpp:620:14:620:31 | new[] | semmle.label | new[] |
+| test.cpp:625:5:625:6 | xs | semmle.label | xs |
+| test.cpp:631:14:631:31 | new[] | semmle.label | new[] |
+| test.cpp:636:5:636:6 | xs | semmle.label | xs |
+| test.cpp:642:14:642:31 | new[] | semmle.label | new[] |
+| test.cpp:647:5:647:6 | xs | semmle.label | xs |
+| test.cpp:647:5:647:15 | access to array | semmle.label | access to array |
+| test.cpp:647:5:647:19 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:652:14:652:27 | new[] | semmle.label | new[] |
+| test.cpp:653:16:653:17 | xs | semmle.label | xs |
+| test.cpp:656:3:656:4 | xs | semmle.label | xs |
+| test.cpp:656:3:656:6 | ... ++ | semmle.label | ... ++ |
+| test.cpp:656:3:656:6 | ... ++ | semmle.label | ... ++ |
+| test.cpp:656:3:656:6 | ... ++ | semmle.label | ... ++ |
+| test.cpp:656:3:656:6 | ... ++ | semmle.label | ... ++ |
+| test.cpp:657:7:657:8 | xs | semmle.label | xs |
+| test.cpp:662:3:662:11 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:667:14:667:31 | new[] | semmle.label | new[] |
+| test.cpp:675:7:675:8 | xs | semmle.label | xs |
+| test.cpp:675:7:675:19 | access to array | semmle.label | access to array |
+| test.cpp:675:7:675:23 | Store: ... = ... | semmle.label | Store: ... = ... |
 subpaths
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -1214,9 +1558,14 @@ subpaths
 | test.cpp:308:5:308:29 | Store: ... = ... | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:29 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:304:15:304:26 | new[] | new[] | test.cpp:308:8:308:10 | ... + ... | ... + ... |
 | test.cpp:358:14:358:26 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
 | test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
-| test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size |
 | test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
-| test.cpp:395:5:395:13 | Store: ... = ... | test.cpp:388:14:388:27 | new[] | test.cpp:395:5:395:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:388:14:388:27 | new[] | new[] | test.cpp:389:19:389:22 | size | size |
-| test.cpp:455:5:455:19 | Store: ... = ... | test.cpp:450:14:450:27 | new[] | test.cpp:455:5:455:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:450:14:450:27 | new[] | new[] | test.cpp:455:8:455:14 | src_pos | src_pos |
-| test.cpp:466:5:466:19 | Store: ... = ... | test.cpp:461:14:461:27 | new[] | test.cpp:466:5:466:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:461:14:461:27 | new[] | new[] | test.cpp:466:8:466:14 | src_pos | src_pos |
-| test.cpp:554:5:554:19 | Store: ... = ... | test.cpp:549:14:549:31 | new[] | test.cpp:554:5:554:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:549:14:549:31 | new[] | new[] | test.cpp:554:8:554:14 | src_pos | src_pos |
+| test.cpp:415:7:415:15 | Store: ... = ... | test.cpp:410:14:410:27 | new[] | test.cpp:415:7:415:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:410:14:410:27 | new[] | new[] | test.cpp:411:19:411:22 | size | size |
+| test.cpp:426:7:426:15 | Store: ... = ... | test.cpp:421:14:421:27 | new[] | test.cpp:426:7:426:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:421:14:421:27 | new[] | new[] | test.cpp:422:19:422:22 | size | size |
+| test.cpp:438:7:438:15 | Store: ... = ... | test.cpp:432:14:432:27 | new[] | test.cpp:438:7:438:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:432:14:432:27 | new[] | new[] | test.cpp:433:19:433:22 | size | size |
+| test.cpp:450:7:450:15 | Store: ... = ... | test.cpp:444:14:444:27 | new[] | test.cpp:450:7:450:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:444:14:444:27 | new[] | new[] | test.cpp:445:19:445:22 | size | size |
+| test.cpp:486:7:486:15 | Store: ... = ... | test.cpp:480:14:480:27 | new[] | test.cpp:486:7:486:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@ + 498. | test.cpp:480:14:480:27 | new[] | new[] | test.cpp:481:19:481:22 | size | size |
+| test.cpp:548:5:548:19 | Store: ... = ... | test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:543:14:543:27 | new[] | new[] | test.cpp:548:8:548:14 | src_pos | src_pos |
+| test.cpp:559:5:559:19 | Store: ... = ... | test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:554:14:554:27 | new[] | new[] | test.cpp:559:8:559:14 | src_pos | src_pos |
+| test.cpp:647:5:647:19 | Store: ... = ... | test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:642:14:642:31 | new[] | new[] | test.cpp:647:8:647:14 | src_pos | src_pos |
+| test.cpp:662:3:662:11 | Store: ... = ... | test.cpp:652:14:652:27 | new[] | test.cpp:662:3:662:11 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:652:14:652:27 | new[] | new[] | test.cpp:653:19:653:22 | size | size |
+| test.cpp:675:7:675:23 | Store: ... = ... | test.cpp:667:14:667:31 | new[] | test.cpp:675:7:675:23 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:667:14:667:31 | new[] | new[] | test.cpp:675:10:675:18 | ... ++ | ... ++ |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -369,7 +369,7 @@ void test26(unsigned size) {
  }

  if (p < end) {
-    int val = *p; // GOOD [FALSE POSITIVE]
+    int val = *p; // GOOD
  }
 }

@@ -387,12 +387,105 @@ void test27(unsigned size, bool b) {
 void test28(unsigned size) {
  char *xs = new char[size];
  char *end = &xs[size];
-    if (xs >= end)
-      return;
+  if (xs >= end)
+    return;
+  xs++;
+  if (xs >= end)
+    return;
+  xs[0] = 0;  // GOOD
+}
+
+void test28_simple(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+  if (xs < end) {
    xs++;
-    if (xs >= end)
-      return;
-    xs[0] = 0;  // GOOD [FALSE POSITIVE]
+    if (xs < end) {
+      xs[0] = 0;  // GOOD
+    }
+  }
+}
+
+void test28_simple2(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+  if (xs < end) {
+    xs++;
+    if (xs < end + 1) {
+      xs[0] = 0;  // BAD
+    }
+  }
+}
+
+void test28_simple3(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+  if (xs < end) {
+    xs++;
+    if (xs - 1 < end) {
+      xs[0] = 0;  // BAD
+    }
+  }
+}
+
+void test28_simple4(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+  if (xs < end) {
+    end++;
+    xs++;
+    if (xs < end) {
+      xs[0] = 0;  // BAD
+    }
+  }
+}
+
+void test28_simple5(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+  end++;
+  if (xs < end) {
+    xs++;
+    if (xs < end) {
+      xs[0] = 0;  // BAD
+    }
+  }
+}
+
+void test28_simple6(unsigned size) {
+  char *xs = new char[size + 1];
+  char *end = &xs[size];
+  end++;
+  if (xs < end) {
+    xs++;
+    if (xs < end) {
+      xs[0] = 0;  // GOOD
+    }
+  }
+}
+
+void test28_simple7(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+  end++;
+  if (xs < end) {
+    xs++;
+    if (xs < end - 1) {
+      xs[0] = 0;  // GOOD
+    }
+  }
+}
+
+void test28_simple8(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+  end += 500;
+  if (xs < end) {
+    xs++;
+    if (xs < end - 1) {
+      xs[0] = 0;  // BAD
+    }
+  }
 }

 struct test29_struct {
@@ -429,7 +522,7 @@ void test31(unsigned size, unsigned src_pos)
    src_pos = size;
  }
  unsigned dst_pos = src_pos;
-  if(dst_pos < size - 3) {
+  if (dst_pos < size - 3) {
    xs[dst_pos++] = 0; // GOOD
  }
 }
@@ -440,7 +533,7 @@ void test31_simple1(unsigned size, unsigned src_pos)
  if (src_pos > size) {
    src_pos = size;
  }
-  if(src_pos < size) {
+  if (src_pos < size) {
    xs[src_pos] = 0; // GOOD
  }
 }
@@ -451,7 +544,7 @@ void test31_simple2(unsigned size, unsigned src_pos)
  if (src_pos > size) {
    src_pos = size;
  }
-  if(src_pos < size + 1) {
+  if (src_pos < size + 1) {
    xs[src_pos] = 0; // BAD
  }
 }
@@ -462,7 +555,7 @@ void test31_simple3(unsigned size, unsigned src_pos)
  if (src_pos > size) {
    src_pos = size;
  }
-  if(src_pos - 1 < size) {
+  if (src_pos - 1 < size) {
    xs[src_pos] = 0; // BAD
  }
 }
@@ -473,7 +566,7 @@ void test31_simple4(unsigned size, unsigned src_pos)
  if (src_pos > size) {
    src_pos = size;
  }
-  if(src_pos < size - 1) {
+  if (src_pos < size - 1) {
    xs[src_pos] = 0; // GOOD
  }
 }
@@ -484,7 +577,7 @@ void test31_simple5(unsigned size, unsigned src_pos)
  if (src_pos > size) {
    src_pos = size;
  }
-  if(src_pos + 1 < size) {
+  if (src_pos + 1 < size) {
    xs[src_pos] = 0; // GOOD
  }
 }
@@ -495,7 +588,7 @@ void test31_simple1_plus1(unsigned size, unsigned src_pos)
  if (src_pos > size) {
    src_pos = size;
  }
-  if(src_pos < size) {
+  if (src_pos < size) {
    xs[src_pos] = 0; // GOOD
  }
 }
@@ -506,7 +599,7 @@ void test31_simple2_plus1(unsigned size, unsigned src_pos)
  if (src_pos > size) {
    src_pos = size;
  }
-  if(src_pos < size + 1) {
+  if (src_pos < size + 1) {
    xs[src_pos] = 0; // GOOD
  }
 }
@@ -517,7 +610,7 @@ void test31_simple3_plus1(unsigned size, unsigned src_pos)
  if (src_pos > size) {
    src_pos = size;
  }
-  if(src_pos - 1 < size) {
+  if (src_pos - 1 < size) {
    xs[src_pos] = 0; // GOOD
  }
 }
@@ -528,7 +621,7 @@ void test31_simple4_plus1(unsigned size, unsigned src_pos)
  if (src_pos > size) {
    src_pos = size;
  }
-  if(src_pos < size - 1) {
+  if (src_pos < size - 1) {
    xs[src_pos] = 0; // GOOD
  }
 }
@@ -539,7 +632,7 @@ void test31_simple5_plus1(unsigned size, unsigned src_pos)
  if (src_pos > size) {
    src_pos = size;
  }
-  if(src_pos + 1 < size) {
+  if (src_pos + 1 < size) {
    xs[src_pos] = 0; // GOOD
  }
 }
@@ -550,7 +643,35 @@ void test31_simple1_sub1(unsigned size, unsigned src_pos)
  if (src_pos > size) {
    src_pos = size;
  }
-  if(src_pos < size) {
+  if (src_pos < size) {
    xs[src_pos] = 0; // BAD
  }
 }
+
+void test32(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+  if (xs >= end)
+    return;
+  xs++;
+  if (xs >= end)
+    return;
+  xs++;
+  if (xs >= end)
+    return;
+  xs[0] = 0; // GOOD [FALSE POSITIVE]
+}
+
+void test33(unsigned size, unsigned src_pos)
+{
+  char *xs = new char[size + 1];
+  if (src_pos > size) {
+    src_pos = size;
+  }
+  unsigned dst_pos = src_pos;
+  while (dst_pos < size - 1) {
+    dst_pos++;
+    if (true)
+      xs[dst_pos++] = 0; // GOOD [FALSE POSITIVE]
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -734,3 +734,58 @@ void test_does_not_write_source_to_dereference()
  does_not_write_source_to_dereference(&x);
  sink(x); // $ ast,ir=733:7 SPURIOUS: ast,ir=726:11
 }
+
+void sometimes_calls_sink_eq(int x, int n) {
+  if(n == 0) {
+    sink(x); // $ ast,ir=751:27 ast,ir=755:32 SPURIOUS: ast=749:27 ast,ir=753:32 // IR spurious results because we only have call contexts of depth 1
+  }
+}
+
+void call_sometimes_calls_sink_eq(int x, int n) {
+  sometimes_calls_sink_eq(x, n);
+}
+
+void test_sometimes_calls_sink_eq_1() {
+  sometimes_calls_sink_eq(source(), 1);
+  sometimes_calls_sink_eq(0, 0);
+  sometimes_calls_sink_eq(source(), 0);
+
+  call_sometimes_calls_sink_eq(source(), 1);
+  call_sometimes_calls_sink_eq(0, 0);
+  call_sometimes_calls_sink_eq(source(), 0);
+}
+
+void sometimes_calls_sink_lt(int x, int n) {
+  if(n < 10) {
+    sink(x); // $ ast,ir=771:27 ast,ir=775:32 SPURIOUS: ast=769:27 ast,ir=773:32 // IR spurious results because we only have call contexts of depth 1
+  }
+}
+
+void call_sometimes_calls_sink_lt(int x, int n) {
+  sometimes_calls_sink_lt(x, n);
+}
+
+void test_sometimes_calls_sink_lt() {
+  sometimes_calls_sink_lt(source(), 10);
+  sometimes_calls_sink_lt(0, 0);
+  sometimes_calls_sink_lt(source(), 2);
+
+  call_sometimes_calls_sink_lt(source(), 10);
+  call_sometimes_calls_sink_lt(0, 0);
+  call_sometimes_calls_sink_lt(source(), 2);
+
+}
+
+void sometimes_calls_sink_switch(int x, int n) {
+  switch(n) {
+    case 0:
+      sink(x); // $ ast,ir=790:31 SPURIOUS: ast,ir=788:31 // IR spurious results because IRGuard doesn't understand switch statements.
+      break;
+  }
+}
+
+void test_sometimes_calls_sink_switch() {
+  sometimes_calls_sink_switch(source(), 1);
+  sometimes_calls_sink_switch(0, 0);
+  sometimes_calls_sink_switch(source(), 0);
+}
--- a/cpp/ql/test/library-tests/ir/range-analysis/test.cpp
+++ b/cpp/ql/test/library-tests/ir/range-analysis/test.cpp
@@ -90,7 +90,8 @@ void gotoLoop(bool b1, bool b2)
  {
    for (j = 0; j < 10; ++j)
    {
+      int x;
      main_decode_loop:
    }
  }
-}
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
@@ -1,6 +1,7 @@
 | test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
 | test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
 | test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |
+| test.c:42:15:42:29 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:41:9:41:10 | s1 | s1 | test.c:42:20:42:29 | 65535 | 65535 |
 | test.c:65:14:65:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:64:8:64:8 | s | s | test.c:63:17:63:17 | x | x |
 | test.c:87:14:87:18 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:84:15:84:15 | x | x |
 | test.c:91:14:91:23 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test.c:83:16:83:16 | c | c | test.c:91:18:91:23 | 65280 | 65280 |
@@ -13,3 +14,4 @@
 | test.c:107:14:107:26 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:107:19:107:25 | ... >> ... | ... >> ... |
 | test.c:128:15:128:21 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:121:16:121:17 | uc | uc | test.c:123:19:123:20 | sz | sz |
 | test.c:139:15:139:21 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:121:16:121:17 | uc | uc | test.c:123:19:123:20 | sz | sz |
+| test.c:156:9:156:14 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:150:8:150:8 | s | s | test.c:151:6:151:7 | sx | sx |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c
@@ -39,7 +39,7 @@ void test5 () {

 void test6() {
 	short  s1;
-	for (s1 = 0; s1 < 0x0000ffff; s1++) {}
+	for (s1 = 0; s1 < 0x0000ffff; s1++) {} // BAD
 }

 void test7(long long l) {
@@ -145,3 +145,22 @@ void test13() {
 	sz = (unsigned)sx & (unsigned)sy;
 	for (uc = 0; uc < sz; uc++) {} // GOOD
 }
+
+void test14() {
+	short s = 0;
+	int sx = 0x7FFF + 1;
+
+	// BAD: 's' is compared with a value of a wider type.
+	// 's' overflows before  reaching 'sx',
+	// causing an infinite loop
+	while (s < sx) {
+		s += 1;
+	}
+
+	unsigned int ux = 0;
+
+	// GOOD: 'ux' has a type  at least as wide as 'max_get'
+	while (ux < sx) {
+		ux += 1;
+	}
+}