Merge branch 'main' into rdmarsh2/cpp/improve-constant-off-by-one

2026-04-30 19:26:02 +02:00 · 2023-05-24 16:07:08 -07:00
parent 298013a57e f9a464605b
commit ebc1d5feff
1679 changed files with 111404 additions and 79379 deletions
--- a/cpp/ql/test/TestUtilities/dataflow/FlowTestCommon.qll
+++ b/cpp/ql/test/TestUtilities/dataflow/FlowTestCommon.qll
@@ -16,18 +16,16 @@ private import semmle.code.cpp.ir.dataflow.DataFlow::DataFlow as IRDataFlow
 private import semmle.code.cpp.dataflow.DataFlow::DataFlow as AstDataFlow
 import TestUtilities.InlineExpectationsTest

-class IRFlowTest extends InlineExpectationsTest {
-  IRFlowTest() { this = "IRFlowTest" }
+module IRFlowTest<IRDataFlow::GlobalFlowSig Flow> implements TestSig {
+  string getARelevantTag() { result = "ir" }

-  override string getARelevantTag() { result = "ir" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(IRDataFlow::Node source, IRDataFlow::Node sink, IRDataFlow::Configuration conf, int n |
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(IRDataFlow::Node source, IRDataFlow::Node sink, int n |
      tag = "ir" and
-      conf.hasFlow(source, sink) and
+      Flow::flow(source, sink) and
      n =
        strictcount(int line, int column |
-          conf.hasFlow(any(IRDataFlow::Node otherSource |
+          Flow::flow(any(IRDataFlow::Node otherSource |
              otherSource.hasLocationInfo(_, line, column, _, _)
            ), sink)
        ) and
@@ -47,20 +45,16 @@ class IRFlowTest extends InlineExpectationsTest {
  }
 }

-class AstFlowTest extends InlineExpectationsTest {
-  AstFlowTest() { this = "ASTFlowTest" }
+module AstFlowTest<AstDataFlow::GlobalFlowSig Flow> implements TestSig {
+  string getARelevantTag() { result = "ast" }

-  override string getARelevantTag() { result = "ast" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(
-      AstDataFlow::Node source, AstDataFlow::Node sink, AstDataFlow::Configuration conf, int n
-    |
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(AstDataFlow::Node source, AstDataFlow::Node sink, int n |
      tag = "ast" and
-      conf.hasFlow(source, sink) and
+      Flow::flow(source, sink) and
      n =
        strictcount(int line, int column |
-          conf.hasFlow(any(AstDataFlow::Node otherSource |
+          Flow::flow(any(AstDataFlow::Node otherSource |
              otherSource.hasLocationInfo(_, line, column, _, _)
            ), sink)
        ) and
@@ -79,6 +73,3 @@ class AstFlowTest extends InlineExpectationsTest {
    )
  }
 }
-
-/** DEPRECATED: Alias for AstFlowTest */
-deprecated class ASTFlowTest = AstFlowTest;
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.expected
@@ -1,202 +1,62 @@
 edges
-| test.cpp:16:11:16:21 | mk_string_t indirection [string] | test.cpp:24:21:24:31 | call to mk_string_t indirection [string] |
-| test.cpp:16:11:16:21 | mk_string_t indirection [string] | test.cpp:34:21:34:31 | call to mk_string_t indirection [string] |
 | test.cpp:16:11:16:21 | mk_string_t indirection [string] | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] |
 | test.cpp:18:5:18:30 | ... = ... | test.cpp:18:10:18:15 | str indirection [post update] [string] |
 | test.cpp:18:10:18:15 | str indirection [post update] [string] | test.cpp:16:11:16:21 | mk_string_t indirection [string] |
 | test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | ... = ... |
-| test.cpp:24:21:24:31 | call to mk_string_t indirection [string] | test.cpp:26:13:26:15 | str indirection [string] |
-| test.cpp:26:13:26:15 | str indirection [string] | test.cpp:26:18:26:23 | string |
-| test.cpp:26:13:26:15 | str indirection [string] | test.cpp:26:18:26:23 | string indirection |
-| test.cpp:26:18:26:23 | string indirection | test.cpp:26:18:26:23 | string |
-| test.cpp:29:32:29:34 | str indirection [string] | test.cpp:30:13:30:15 | str indirection [string] |
-| test.cpp:30:13:30:15 | str indirection [string] | test.cpp:30:18:30:23 | string |
-| test.cpp:30:13:30:15 | str indirection [string] | test.cpp:30:18:30:23 | string indirection |
-| test.cpp:30:18:30:23 | string indirection | test.cpp:30:18:30:23 | string |
-| test.cpp:34:21:34:31 | call to mk_string_t indirection [string] | test.cpp:35:21:35:23 | str indirection [string] |
-| test.cpp:35:21:35:23 | str indirection [string] | test.cpp:29:32:29:34 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:41:13:41:15 | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:42:13:42:15 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:44:13:44:15 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:45:13:45:15 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:48:17:48:19 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:52:17:52:19 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:56:17:56:19 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:60:17:60:19 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:64:17:64:19 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:68:17:68:19 | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:72:17:72:19 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:76:17:76:19 | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:80:17:80:19 | str indirection [string] |
-| test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | test.cpp:84:17:84:19 | str indirection [string] |
-| test.cpp:41:13:41:15 | str indirection [string] | test.cpp:41:18:41:23 | string |
-| test.cpp:41:13:41:15 | str indirection [string] | test.cpp:41:18:41:23 | string indirection |
-| test.cpp:41:18:41:23 | string indirection | test.cpp:41:18:41:23 | string |
 | test.cpp:42:13:42:15 | str indirection [string] | test.cpp:42:18:42:23 | string |
 | test.cpp:42:13:42:15 | str indirection [string] | test.cpp:42:18:42:23 | string indirection |
 | test.cpp:42:18:42:23 | string indirection | test.cpp:42:18:42:23 | string |
-| test.cpp:44:13:44:15 | str indirection [string] | test.cpp:44:18:44:23 | string |
-| test.cpp:44:13:44:15 | str indirection [string] | test.cpp:44:18:44:23 | string indirection |
-| test.cpp:44:18:44:23 | string indirection | test.cpp:44:18:44:23 | string |
-| test.cpp:45:13:45:15 | str indirection [string] | test.cpp:45:18:45:23 | string |
-| test.cpp:45:13:45:15 | str indirection [string] | test.cpp:45:18:45:23 | string indirection |
-| test.cpp:45:18:45:23 | string indirection | test.cpp:45:18:45:23 | string |
-| test.cpp:48:17:48:19 | str indirection [string] | test.cpp:48:22:48:27 | string |
-| test.cpp:48:17:48:19 | str indirection [string] | test.cpp:48:22:48:27 | string indirection |
-| test.cpp:48:22:48:27 | string indirection | test.cpp:48:22:48:27 | string |
-| test.cpp:52:17:52:19 | str indirection [string] | test.cpp:52:22:52:27 | string |
-| test.cpp:52:17:52:19 | str indirection [string] | test.cpp:52:22:52:27 | string indirection |
-| test.cpp:52:22:52:27 | string indirection | test.cpp:52:22:52:27 | string |
-| test.cpp:56:17:56:19 | str indirection [string] | test.cpp:56:22:56:27 | string |
-| test.cpp:56:17:56:19 | str indirection [string] | test.cpp:56:22:56:27 | string indirection |
-| test.cpp:56:22:56:27 | string indirection | test.cpp:56:22:56:27 | string |
-| test.cpp:60:17:60:19 | str indirection [string] | test.cpp:60:22:60:27 | string |
-| test.cpp:60:17:60:19 | str indirection [string] | test.cpp:60:22:60:27 | string indirection |
-| test.cpp:60:22:60:27 | string indirection | test.cpp:60:22:60:27 | string |
-| test.cpp:64:17:64:19 | str indirection [string] | test.cpp:64:22:64:27 | string |
-| test.cpp:64:17:64:19 | str indirection [string] | test.cpp:64:22:64:27 | string indirection |
-| test.cpp:64:22:64:27 | string indirection | test.cpp:64:22:64:27 | string |
-| test.cpp:68:17:68:19 | str indirection [string] | test.cpp:68:22:68:27 | string |
-| test.cpp:68:17:68:19 | str indirection [string] | test.cpp:68:22:68:27 | string indirection |
-| test.cpp:68:22:68:27 | string indirection | test.cpp:68:22:68:27 | string |
 | test.cpp:72:17:72:19 | str indirection [string] | test.cpp:72:22:72:27 | string |
 | test.cpp:72:17:72:19 | str indirection [string] | test.cpp:72:22:72:27 | string indirection |
 | test.cpp:72:22:72:27 | string indirection | test.cpp:72:22:72:27 | string |
-| test.cpp:76:17:76:19 | str indirection [string] | test.cpp:76:22:76:27 | string |
-| test.cpp:76:17:76:19 | str indirection [string] | test.cpp:76:22:76:27 | string indirection |
-| test.cpp:76:22:76:27 | string indirection | test.cpp:76:22:76:27 | string |
 | test.cpp:80:17:80:19 | str indirection [string] | test.cpp:80:22:80:27 | string |
 | test.cpp:80:17:80:19 | str indirection [string] | test.cpp:80:22:80:27 | string indirection |
 | test.cpp:80:22:80:27 | string indirection | test.cpp:80:22:80:27 | string |
-| test.cpp:84:17:84:19 | str indirection [string] | test.cpp:84:22:84:27 | string |
-| test.cpp:84:17:84:19 | str indirection [string] | test.cpp:84:22:84:27 | string indirection |
-| test.cpp:84:22:84:27 | string indirection | test.cpp:84:22:84:27 | string |
 | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] |
 | test.cpp:90:5:90:34 | ... = ... | test.cpp:90:10:90:15 | str indirection [post update] [string] |
 | test.cpp:90:10:90:15 | str indirection [post update] [string] | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] |
 | test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | ... = ... |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:98:13:98:15 | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:99:13:99:15 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:101:13:101:15 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:102:13:102:15 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:105:17:105:19 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:109:17:109:19 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:113:17:113:19 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:117:17:117:19 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:121:17:121:19 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:125:17:125:19 | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:129:17:129:19 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:133:17:133:19 | str indirection [string] |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:137:17:137:19 | str indirection [string] |
-| test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | test.cpp:141:17:141:19 | str indirection [string] |
-| test.cpp:98:13:98:15 | str indirection [string] | test.cpp:98:18:98:23 | string |
-| test.cpp:98:13:98:15 | str indirection [string] | test.cpp:98:18:98:23 | string indirection |
-| test.cpp:98:18:98:23 | string indirection | test.cpp:98:18:98:23 | string |
 | test.cpp:99:13:99:15 | str indirection [string] | test.cpp:99:18:99:23 | string |
 | test.cpp:99:13:99:15 | str indirection [string] | test.cpp:99:18:99:23 | string indirection |
 | test.cpp:99:18:99:23 | string indirection | test.cpp:99:18:99:23 | string |
-| test.cpp:101:13:101:15 | str indirection [string] | test.cpp:101:18:101:23 | string |
-| test.cpp:101:13:101:15 | str indirection [string] | test.cpp:101:18:101:23 | string indirection |
-| test.cpp:101:18:101:23 | string indirection | test.cpp:101:18:101:23 | string |
-| test.cpp:102:13:102:15 | str indirection [string] | test.cpp:102:18:102:23 | string |
-| test.cpp:102:13:102:15 | str indirection [string] | test.cpp:102:18:102:23 | string indirection |
-| test.cpp:102:18:102:23 | string indirection | test.cpp:102:18:102:23 | string |
-| test.cpp:105:17:105:19 | str indirection [string] | test.cpp:105:22:105:27 | string |
-| test.cpp:105:17:105:19 | str indirection [string] | test.cpp:105:22:105:27 | string indirection |
-| test.cpp:105:22:105:27 | string indirection | test.cpp:105:22:105:27 | string |
-| test.cpp:109:17:109:19 | str indirection [string] | test.cpp:109:22:109:27 | string |
-| test.cpp:109:17:109:19 | str indirection [string] | test.cpp:109:22:109:27 | string indirection |
-| test.cpp:109:22:109:27 | string indirection | test.cpp:109:22:109:27 | string |
-| test.cpp:113:17:113:19 | str indirection [string] | test.cpp:113:22:113:27 | string |
-| test.cpp:113:17:113:19 | str indirection [string] | test.cpp:113:22:113:27 | string indirection |
-| test.cpp:113:22:113:27 | string indirection | test.cpp:113:22:113:27 | string |
-| test.cpp:117:17:117:19 | str indirection [string] | test.cpp:117:22:117:27 | string |
-| test.cpp:117:17:117:19 | str indirection [string] | test.cpp:117:22:117:27 | string indirection |
-| test.cpp:117:22:117:27 | string indirection | test.cpp:117:22:117:27 | string |
-| test.cpp:121:17:121:19 | str indirection [string] | test.cpp:121:22:121:27 | string |
-| test.cpp:121:17:121:19 | str indirection [string] | test.cpp:121:22:121:27 | string indirection |
-| test.cpp:121:22:121:27 | string indirection | test.cpp:121:22:121:27 | string |
-| test.cpp:125:17:125:19 | str indirection [string] | test.cpp:125:22:125:27 | string |
-| test.cpp:125:17:125:19 | str indirection [string] | test.cpp:125:22:125:27 | string indirection |
-| test.cpp:125:22:125:27 | string indirection | test.cpp:125:22:125:27 | string |
 | test.cpp:129:17:129:19 | str indirection [string] | test.cpp:129:22:129:27 | string |
 | test.cpp:129:17:129:19 | str indirection [string] | test.cpp:129:22:129:27 | string indirection |
 | test.cpp:129:22:129:27 | string indirection | test.cpp:129:22:129:27 | string |
-| test.cpp:133:17:133:19 | str indirection [string] | test.cpp:133:22:133:27 | string |
-| test.cpp:133:17:133:19 | str indirection [string] | test.cpp:133:22:133:27 | string indirection |
-| test.cpp:133:22:133:27 | string indirection | test.cpp:133:22:133:27 | string |
 | test.cpp:137:17:137:19 | str indirection [string] | test.cpp:137:22:137:27 | string |
 | test.cpp:137:17:137:19 | str indirection [string] | test.cpp:137:22:137:27 | string indirection |
 | test.cpp:137:22:137:27 | string indirection | test.cpp:137:22:137:27 | string |
-| test.cpp:141:17:141:19 | str indirection [string] | test.cpp:141:22:141:27 | string |
-| test.cpp:141:17:141:19 | str indirection [string] | test.cpp:141:22:141:27 | string indirection |
-| test.cpp:141:22:141:27 | string indirection | test.cpp:141:22:141:27 | string |
 | test.cpp:147:5:147:34 | ... = ... | test.cpp:147:10:147:15 | str indirection [post update] [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:150:13:150:15 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:151:13:151:15 | str indirection [string] |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:152:13:152:15 | str indirection [string] |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:154:13:154:15 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:155:13:155:15 | str indirection [string] |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:156:13:156:15 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:159:17:159:19 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:163:17:163:19 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:167:17:167:19 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:171:17:171:19 | str indirection [string] |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:175:17:175:19 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:179:17:179:19 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:183:17:183:19 | str indirection [string] |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:187:17:187:19 | str indirection [string] |
-| test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:191:17:191:19 | str indirection [string] |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:195:17:195:19 | str indirection [string] |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:199:17:199:19 | str indirection [string] |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:203:17:203:19 | str indirection [string] |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | test.cpp:207:17:207:19 | str indirection [string] |
 | test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | ... = ... |
-| test.cpp:150:13:150:15 | str indirection [string] | test.cpp:150:18:150:23 | string |
-| test.cpp:150:13:150:15 | str indirection [string] | test.cpp:150:18:150:23 | string indirection |
-| test.cpp:150:18:150:23 | string indirection | test.cpp:150:18:150:23 | string |
-| test.cpp:151:13:151:15 | str indirection [string] | test.cpp:151:18:151:23 | string |
-| test.cpp:151:13:151:15 | str indirection [string] | test.cpp:151:18:151:23 | string indirection |
-| test.cpp:151:18:151:23 | string indirection | test.cpp:151:18:151:23 | string |
 | test.cpp:152:13:152:15 | str indirection [string] | test.cpp:152:18:152:23 | string |
 | test.cpp:152:13:152:15 | str indirection [string] | test.cpp:152:18:152:23 | string indirection |
 | test.cpp:152:18:152:23 | string indirection | test.cpp:152:18:152:23 | string |
 | test.cpp:154:13:154:15 | str indirection [string] | test.cpp:154:18:154:23 | string |
 | test.cpp:154:13:154:15 | str indirection [string] | test.cpp:154:18:154:23 | string indirection |
 | test.cpp:154:18:154:23 | string indirection | test.cpp:154:18:154:23 | string |
-| test.cpp:155:13:155:15 | str indirection [string] | test.cpp:155:18:155:23 | string |
-| test.cpp:155:13:155:15 | str indirection [string] | test.cpp:155:18:155:23 | string indirection |
-| test.cpp:155:18:155:23 | string indirection | test.cpp:155:18:155:23 | string |
 | test.cpp:156:13:156:15 | str indirection [string] | test.cpp:156:18:156:23 | string |
 | test.cpp:156:13:156:15 | str indirection [string] | test.cpp:156:18:156:23 | string indirection |
 | test.cpp:156:18:156:23 | string indirection | test.cpp:156:18:156:23 | string |
-| test.cpp:159:17:159:19 | str indirection [string] | test.cpp:159:22:159:27 | string |
-| test.cpp:159:17:159:19 | str indirection [string] | test.cpp:159:22:159:27 | string indirection |
-| test.cpp:159:22:159:27 | string indirection | test.cpp:159:22:159:27 | string |
-| test.cpp:163:17:163:19 | str indirection [string] | test.cpp:163:22:163:27 | string |
-| test.cpp:163:17:163:19 | str indirection [string] | test.cpp:163:22:163:27 | string indirection |
-| test.cpp:163:22:163:27 | string indirection | test.cpp:163:22:163:27 | string |
-| test.cpp:167:17:167:19 | str indirection [string] | test.cpp:167:22:167:27 | string |
-| test.cpp:167:17:167:19 | str indirection [string] | test.cpp:167:22:167:27 | string indirection |
-| test.cpp:167:22:167:27 | string indirection | test.cpp:167:22:167:27 | string |
-| test.cpp:171:17:171:19 | str indirection [string] | test.cpp:171:22:171:27 | string |
-| test.cpp:171:17:171:19 | str indirection [string] | test.cpp:171:22:171:27 | string indirection |
-| test.cpp:171:22:171:27 | string indirection | test.cpp:171:22:171:27 | string |
 | test.cpp:175:17:175:19 | str indirection [string] | test.cpp:175:22:175:27 | string |
 | test.cpp:175:17:175:19 | str indirection [string] | test.cpp:175:22:175:27 | string indirection |
 | test.cpp:175:22:175:27 | string indirection | test.cpp:175:22:175:27 | string |
-| test.cpp:179:17:179:19 | str indirection [string] | test.cpp:179:22:179:27 | string |
-| test.cpp:179:17:179:19 | str indirection [string] | test.cpp:179:22:179:27 | string indirection |
-| test.cpp:179:22:179:27 | string indirection | test.cpp:179:22:179:27 | string |
-| test.cpp:183:17:183:19 | str indirection [string] | test.cpp:183:22:183:27 | string |
-| test.cpp:183:17:183:19 | str indirection [string] | test.cpp:183:22:183:27 | string indirection |
-| test.cpp:183:22:183:27 | string indirection | test.cpp:183:22:183:27 | string |
 | test.cpp:187:17:187:19 | str indirection [string] | test.cpp:187:22:187:27 | string |
 | test.cpp:187:17:187:19 | str indirection [string] | test.cpp:187:22:187:27 | string indirection |
 | test.cpp:187:22:187:27 | string indirection | test.cpp:187:22:187:27 | string |
-| test.cpp:191:17:191:19 | str indirection [string] | test.cpp:191:22:191:27 | string |
-| test.cpp:191:17:191:19 | str indirection [string] | test.cpp:191:22:191:27 | string indirection |
-| test.cpp:191:22:191:27 | string indirection | test.cpp:191:22:191:27 | string |
 | test.cpp:195:17:195:19 | str indirection [string] | test.cpp:195:22:195:27 | string |
 | test.cpp:195:17:195:19 | str indirection [string] | test.cpp:195:22:195:27 | string indirection |
 | test.cpp:195:22:195:27 | string indirection | test.cpp:195:22:195:27 | string |
@@ -209,159 +69,70 @@ edges
 | test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string |
 | test.cpp:207:17:207:19 | str indirection [string] | test.cpp:207:22:207:27 | string indirection |
 | test.cpp:207:22:207:27 | string indirection | test.cpp:207:22:207:27 | string |
+| test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p |
+| test.cpp:220:43:220:48 | call to malloc | test.cpp:222:15:222:20 | buffer |
+| test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p |
+| test.cpp:228:43:228:48 | call to malloc | test.cpp:232:10:232:15 | buffer |
+| test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... |
+| test.cpp:236:5:236:26 | ... = ... | test.cpp:236:12:236:17 | p_str indirection [post update] [string] |
+| test.cpp:241:27:241:32 | call to malloc | test.cpp:242:22:242:27 | buffer |
+| test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | str indirection [string] |
+| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer |
+| test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] |
+| test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:12:243:21 | string |
+| test.cpp:243:12:243:14 | str indirection [string] | test.cpp:243:16:243:21 | string indirection |
+| test.cpp:243:16:243:21 | string indirection | test.cpp:243:12:243:21 | string |
+| test.cpp:249:20:249:27 | call to my_alloc | test.cpp:250:12:250:12 | p |
+| test.cpp:256:17:256:22 | call to malloc | test.cpp:257:12:257:12 | p |
+| test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p |
+| test.cpp:264:20:264:25 | call to malloc | test.cpp:266:12:266:12 | p |
 nodes
 | test.cpp:16:11:16:21 | mk_string_t indirection [string] | semmle.label | mk_string_t indirection [string] |
 | test.cpp:18:5:18:30 | ... = ... | semmle.label | ... = ... |
 | test.cpp:18:10:18:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
 | test.cpp:18:19:18:24 | call to malloc | semmle.label | call to malloc |
-| test.cpp:24:21:24:31 | call to mk_string_t indirection [string] | semmle.label | call to mk_string_t indirection [string] |
-| test.cpp:26:13:26:15 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:26:18:26:23 | string | semmle.label | string |
-| test.cpp:26:18:26:23 | string indirection | semmle.label | string indirection |
-| test.cpp:29:32:29:34 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:30:13:30:15 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:30:18:30:23 | string | semmle.label | string |
-| test.cpp:30:18:30:23 | string indirection | semmle.label | string indirection |
-| test.cpp:34:21:34:31 | call to mk_string_t indirection [string] | semmle.label | call to mk_string_t indirection [string] |
-| test.cpp:35:21:35:23 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:39:21:39:31 | call to mk_string_t indirection [string] | semmle.label | call to mk_string_t indirection [string] |
-| test.cpp:41:13:41:15 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:41:18:41:23 | string | semmle.label | string |
-| test.cpp:41:18:41:23 | string indirection | semmle.label | string indirection |
 | test.cpp:42:13:42:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:42:18:42:23 | string | semmle.label | string |
 | test.cpp:42:18:42:23 | string indirection | semmle.label | string indirection |
-| test.cpp:44:13:44:15 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:44:18:44:23 | string | semmle.label | string |
-| test.cpp:44:18:44:23 | string indirection | semmle.label | string indirection |
-| test.cpp:45:13:45:15 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:45:18:45:23 | string | semmle.label | string |
-| test.cpp:45:18:45:23 | string indirection | semmle.label | string indirection |
-| test.cpp:48:17:48:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:48:22:48:27 | string | semmle.label | string |
-| test.cpp:48:22:48:27 | string indirection | semmle.label | string indirection |
-| test.cpp:52:17:52:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:52:22:52:27 | string | semmle.label | string |
-| test.cpp:52:22:52:27 | string indirection | semmle.label | string indirection |
-| test.cpp:56:17:56:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:56:22:56:27 | string | semmle.label | string |
-| test.cpp:56:22:56:27 | string indirection | semmle.label | string indirection |
-| test.cpp:60:17:60:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:60:22:60:27 | string | semmle.label | string |
-| test.cpp:60:22:60:27 | string indirection | semmle.label | string indirection |
-| test.cpp:64:17:64:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:64:22:64:27 | string | semmle.label | string |
-| test.cpp:64:22:64:27 | string indirection | semmle.label | string indirection |
-| test.cpp:68:17:68:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:68:22:68:27 | string | semmle.label | string |
-| test.cpp:68:22:68:27 | string indirection | semmle.label | string indirection |
 | test.cpp:72:17:72:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:72:22:72:27 | string | semmle.label | string |
 | test.cpp:72:22:72:27 | string indirection | semmle.label | string indirection |
-| test.cpp:76:17:76:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:76:22:76:27 | string | semmle.label | string |
-| test.cpp:76:22:76:27 | string indirection | semmle.label | string indirection |
 | test.cpp:80:17:80:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:80:22:80:27 | string | semmle.label | string |
 | test.cpp:80:22:80:27 | string indirection | semmle.label | string indirection |
-| test.cpp:84:17:84:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:84:22:84:27 | string | semmle.label | string |
-| test.cpp:84:22:84:27 | string indirection | semmle.label | string indirection |
 | test.cpp:88:11:88:30 | mk_string_t_plus_one indirection [string] | semmle.label | mk_string_t_plus_one indirection [string] |
 | test.cpp:90:5:90:34 | ... = ... | semmle.label | ... = ... |
 | test.cpp:90:10:90:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
 | test.cpp:90:19:90:24 | call to malloc | semmle.label | call to malloc |
 | test.cpp:96:21:96:40 | call to mk_string_t_plus_one indirection [string] | semmle.label | call to mk_string_t_plus_one indirection [string] |
-| test.cpp:98:13:98:15 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:98:18:98:23 | string | semmle.label | string |
-| test.cpp:98:18:98:23 | string indirection | semmle.label | string indirection |
 | test.cpp:99:13:99:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:99:18:99:23 | string | semmle.label | string |
 | test.cpp:99:18:99:23 | string indirection | semmle.label | string indirection |
-| test.cpp:101:13:101:15 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:101:18:101:23 | string | semmle.label | string |
-| test.cpp:101:18:101:23 | string indirection | semmle.label | string indirection |
-| test.cpp:102:13:102:15 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:102:18:102:23 | string | semmle.label | string |
-| test.cpp:102:18:102:23 | string indirection | semmle.label | string indirection |
-| test.cpp:105:17:105:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:105:22:105:27 | string | semmle.label | string |
-| test.cpp:105:22:105:27 | string indirection | semmle.label | string indirection |
-| test.cpp:109:17:109:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:109:22:109:27 | string | semmle.label | string |
-| test.cpp:109:22:109:27 | string indirection | semmle.label | string indirection |
-| test.cpp:113:17:113:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:113:22:113:27 | string | semmle.label | string |
-| test.cpp:113:22:113:27 | string indirection | semmle.label | string indirection |
-| test.cpp:117:17:117:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:117:22:117:27 | string | semmle.label | string |
-| test.cpp:117:22:117:27 | string indirection | semmle.label | string indirection |
-| test.cpp:121:17:121:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:121:22:121:27 | string | semmle.label | string |
-| test.cpp:121:22:121:27 | string indirection | semmle.label | string indirection |
-| test.cpp:125:17:125:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:125:22:125:27 | string | semmle.label | string |
-| test.cpp:125:22:125:27 | string indirection | semmle.label | string indirection |
 | test.cpp:129:17:129:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:129:22:129:27 | string | semmle.label | string |
 | test.cpp:129:22:129:27 | string indirection | semmle.label | string indirection |
-| test.cpp:133:17:133:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:133:22:133:27 | string | semmle.label | string |
-| test.cpp:133:22:133:27 | string indirection | semmle.label | string indirection |
 | test.cpp:137:17:137:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:137:22:137:27 | string | semmle.label | string |
 | test.cpp:137:22:137:27 | string indirection | semmle.label | string indirection |
-| test.cpp:141:17:141:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:141:22:141:27 | string | semmle.label | string |
-| test.cpp:141:22:141:27 | string indirection | semmle.label | string indirection |
 | test.cpp:147:5:147:34 | ... = ... | semmle.label | ... = ... |
 | test.cpp:147:10:147:15 | str indirection [post update] [string] | semmle.label | str indirection [post update] [string] |
 | test.cpp:147:19:147:24 | call to malloc | semmle.label | call to malloc |
-| test.cpp:150:13:150:15 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:150:18:150:23 | string | semmle.label | string |
-| test.cpp:150:18:150:23 | string indirection | semmle.label | string indirection |
-| test.cpp:151:13:151:15 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:151:18:151:23 | string | semmle.label | string |
-| test.cpp:151:18:151:23 | string indirection | semmle.label | string indirection |
 | test.cpp:152:13:152:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:152:18:152:23 | string | semmle.label | string |
 | test.cpp:152:18:152:23 | string indirection | semmle.label | string indirection |
 | test.cpp:154:13:154:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:154:18:154:23 | string | semmle.label | string |
 | test.cpp:154:18:154:23 | string indirection | semmle.label | string indirection |
-| test.cpp:155:13:155:15 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:155:18:155:23 | string | semmle.label | string |
-| test.cpp:155:18:155:23 | string indirection | semmle.label | string indirection |
 | test.cpp:156:13:156:15 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:156:18:156:23 | string | semmle.label | string |
 | test.cpp:156:18:156:23 | string indirection | semmle.label | string indirection |
-| test.cpp:159:17:159:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:159:22:159:27 | string | semmle.label | string |
-| test.cpp:159:22:159:27 | string indirection | semmle.label | string indirection |
-| test.cpp:163:17:163:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:163:22:163:27 | string | semmle.label | string |
-| test.cpp:163:22:163:27 | string indirection | semmle.label | string indirection |
-| test.cpp:167:17:167:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:167:22:167:27 | string | semmle.label | string |
-| test.cpp:167:22:167:27 | string indirection | semmle.label | string indirection |
-| test.cpp:171:17:171:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:171:22:171:27 | string | semmle.label | string |
-| test.cpp:171:22:171:27 | string indirection | semmle.label | string indirection |
 | test.cpp:175:17:175:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:175:22:175:27 | string | semmle.label | string |
 | test.cpp:175:22:175:27 | string indirection | semmle.label | string indirection |
-| test.cpp:179:17:179:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:179:22:179:27 | string | semmle.label | string |
-| test.cpp:179:22:179:27 | string indirection | semmle.label | string indirection |
-| test.cpp:183:17:183:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:183:22:183:27 | string | semmle.label | string |
-| test.cpp:183:22:183:27 | string indirection | semmle.label | string indirection |
 | test.cpp:187:17:187:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:187:22:187:27 | string | semmle.label | string |
 | test.cpp:187:22:187:27 | string indirection | semmle.label | string indirection |
-| test.cpp:191:17:191:19 | str indirection [string] | semmle.label | str indirection [string] |
-| test.cpp:191:22:191:27 | string | semmle.label | string |
-| test.cpp:191:22:191:27 | string indirection | semmle.label | string indirection |
 | test.cpp:195:17:195:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:195:22:195:27 | string | semmle.label | string |
 | test.cpp:195:22:195:27 | string indirection | semmle.label | string indirection |
@@ -374,7 +145,30 @@ nodes
 | test.cpp:207:17:207:19 | str indirection [string] | semmle.label | str indirection [string] |
 | test.cpp:207:22:207:27 | string | semmle.label | string |
 | test.cpp:207:22:207:27 | string indirection | semmle.label | string indirection |
+| test.cpp:214:24:214:24 | p | semmle.label | p |
+| test.cpp:216:10:216:10 | p | semmle.label | p |
+| test.cpp:220:43:220:48 | call to malloc | semmle.label | call to malloc |
+| test.cpp:222:15:222:20 | buffer | semmle.label | buffer |
+| test.cpp:228:43:228:48 | call to malloc | semmle.label | call to malloc |
+| test.cpp:232:10:232:15 | buffer | semmle.label | buffer |
+| test.cpp:235:40:235:45 | buffer | semmle.label | buffer |
+| test.cpp:236:5:236:26 | ... = ... | semmle.label | ... = ... |
+| test.cpp:236:12:236:17 | p_str indirection [post update] [string] | semmle.label | p_str indirection [post update] [string] |
+| test.cpp:241:27:241:32 | call to malloc | semmle.label | call to malloc |
+| test.cpp:242:16:242:19 | set_string output argument [string] | semmle.label | set_string output argument [string] |
+| test.cpp:242:22:242:27 | buffer | semmle.label | buffer |
+| test.cpp:243:12:243:14 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:243:12:243:21 | string | semmle.label | string |
+| test.cpp:243:16:243:21 | string indirection | semmle.label | string indirection |
+| test.cpp:249:20:249:27 | call to my_alloc | semmle.label | call to my_alloc |
+| test.cpp:250:12:250:12 | p | semmle.label | p |
+| test.cpp:256:17:256:22 | call to malloc | semmle.label | call to malloc |
+| test.cpp:257:12:257:12 | p | semmle.label | p |
+| test.cpp:262:22:262:27 | call to malloc | semmle.label | call to malloc |
+| test.cpp:264:20:264:25 | call to malloc | semmle.label | call to malloc |
+| test.cpp:266:12:266:12 | p | semmle.label | p |
 subpaths
+| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:236:12:236:17 | p_str indirection [post update] [string] | test.cpp:242:16:242:19 | set_string output argument [string] |
 #select
 | test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | string | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string |
 | test.cpp:72:9:72:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:72:22:72:27 | string | This write may overflow $@ by 1 element. | test.cpp:72:22:72:27 | string | string |
@@ -391,3 +185,6 @@ subpaths
 | test.cpp:199:9:199:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:199:22:199:27 | string | This write may overflow $@ by 2 elements. | test.cpp:199:22:199:27 | string | string |
 | test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | string | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string |
 | test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | string | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string |
+| test.cpp:243:5:243:10 | call to memset | test.cpp:241:27:241:32 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string |
+| test.cpp:250:5:250:10 | call to memset | test.cpp:249:20:249:27 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p |
+| test.cpp:266:5:266:10 | call to memset | test.cpp:262:22:262:27 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/test.cpp
@@ -208,3 +208,60 @@ void test5(unsigned size, char *buf, unsigned anotherSize) {
    }
 }

+
+void *memset(void *, int, unsigned);
+
+void call_memset(void *p, unsigned size)
+{
+  memset(p, 0, size); // GOOD
+}
+
+void test_missing_call_context(unsigned char *unrelated_buffer, unsigned size) {
+  unsigned char* buffer = (unsigned char*)malloc(size);
+  call_memset(unrelated_buffer, size + 5);
+  call_memset(buffer, size);
+}
+
+bool unknown();
+
+void repeated_alerts(unsigned size, unsigned offset) {
+  unsigned char* buffer = (unsigned char*)malloc(size);
+  while(unknown()) {
+    ++size;
+  }
+  memset(buffer, 0, size); // BAD [NOT DETECTED]
+}
+
+void set_string(string_t* p_str, char* buffer) {
+    p_str->string = buffer;
+}
+
+void test_flow_through_setter(unsigned size) {
+    string_t str;
+    char* buffer = (char*)malloc(size);
+    set_string(&str, buffer);
+    memset(str.string, 0, size + 1); // BAD
+}
+
+void* my_alloc(unsigned size);
+
+void foo(unsigned size) {
+    int* p = (int*)my_alloc(size); // BAD
+    memset(p, 0, size + 1);
+}
+
+void test6(unsigned long n, char *p) {
+  while (unknown()) {
+    n++;
+    p = (char *)malloc(n);
+    memset(p, 0, n); // GOOD
+  }
+}
+
+void test7(unsigned n) {
+    char* p = (char*)malloc(n);
+    if(!p) {
+        p = (char*)malloc(++n);
+    }
+    memset(p, 0, n); // GOOD [FALSE POSITIVE]
+}
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
@@ -86,4 +86,37 @@ void testCharIndex(BigArray *arr) {

    charBuf[MAX_SIZE_BYTES - 1] = 0; // GOOD
    charBuf[MAX_SIZE_BYTES] = 0; // BAD [FALSE NEGATIVE]
-}
+}
+
+void testEqRefinement() {
+    int arr[MAX_SIZE];
+
+    for(int i = 0; i <= MAX_SIZE; i++) {
+        if(i != MAX_SIZE) {
+            arr[i] = 0; // GOOD
+        }
+    }
+}
+
+void testEqRefinement2() {
+    int arr[MAX_SIZE];
+
+    int n = 0;
+
+    for(int i = 0; i <= MAX_SIZE; i++) {
+        if(n == 0) {
+            if(i == MAX_SIZE) {
+                break;
+            }
+            n = arr[i]; // GOOD
+            continue;
+        }
+
+        if (i == MAX_SIZE || n != arr[i]) {
+            if (i == MAX_SIZE) {
+                break;
+            }
+            n = arr[i]; // GOOD
+        }
+    }
+}
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -594,8 +594,6 @@ edges
 | test.cpp:261:14:261:15 | xs | test.cpp:262:26:262:28 | end |
 | test.cpp:261:14:261:15 | xs | test.cpp:262:26:262:28 | end |
 | test.cpp:261:14:261:15 | xs | test.cpp:262:31:262:31 | x |
-| test.cpp:261:14:261:15 | xs | test.cpp:262:31:262:33 | ... ++ |
-| test.cpp:261:14:261:15 | xs | test.cpp:262:31:262:33 | ... ++ |
 | test.cpp:261:14:261:15 | xs | test.cpp:264:14:264:14 | x |
 | test.cpp:261:14:261:15 | xs | test.cpp:264:14:264:14 | x |
 | test.cpp:261:14:261:21 | ... + ... | test.cpp:261:14:261:21 | ... + ... |
@@ -608,20 +606,11 @@ edges
 | test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | Load: * ... |
-| test.cpp:262:21:262:21 | x | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:262:26:262:28 | end | test.cpp:262:26:262:28 | end |
 | test.cpp:262:26:262:28 | end | test.cpp:262:26:262:28 | end |
 | test.cpp:262:26:262:28 | end | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:262:26:262:28 | end | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:262:31:262:31 | x | test.cpp:264:13:264:14 | Load: * ... |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:262:21:262:21 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:262:21:262:21 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:262:31:262:31 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:262:31:262:31 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:264:14:264:14 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:264:14:264:14 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:264:14:264:14 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:264:14:264:14 | x |
 | test.cpp:264:14:264:14 | x | test.cpp:262:31:262:31 | x |
 | test.cpp:264:14:264:14 | x | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:264:14:264:14 | x | test.cpp:264:13:264:14 | Load: * ... |
@@ -634,8 +623,6 @@ edges
 | test.cpp:271:14:271:15 | xs | test.cpp:272:26:272:28 | end |
 | test.cpp:271:14:271:15 | xs | test.cpp:272:26:272:28 | end |
 | test.cpp:271:14:271:15 | xs | test.cpp:272:31:272:31 | x |
-| test.cpp:271:14:271:15 | xs | test.cpp:272:31:272:33 | ... ++ |
-| test.cpp:271:14:271:15 | xs | test.cpp:272:31:272:33 | ... ++ |
 | test.cpp:271:14:271:15 | xs | test.cpp:274:5:274:6 | * ... |
 | test.cpp:271:14:271:15 | xs | test.cpp:274:6:274:6 | x |
 | test.cpp:271:14:271:15 | xs | test.cpp:274:6:274:6 | x |
@@ -649,55 +636,42 @@ edges
 | test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | Store: ... = ... |
-| test.cpp:272:21:272:21 | x | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:272:26:272:28 | end | test.cpp:272:26:272:28 | end |
 | test.cpp:272:26:272:28 | end | test.cpp:272:26:272:28 | end |
 | test.cpp:272:26:272:28 | end | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:272:26:272:28 | end | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:272:31:272:31 | x | test.cpp:274:5:274:10 | Store: ... = ... |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:272:21:272:21 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:272:21:272:21 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:272:31:272:31 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:272:31:272:31 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:5:274:6 | * ... |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:5:274:6 | * ... |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:6:274:6 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:6:274:6 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:6:274:6 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:6:274:6 | x |
 | test.cpp:274:5:274:6 | * ... | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:274:6:274:6 | x | test.cpp:272:31:272:31 | x |
 | test.cpp:274:6:274:6 | x | test.cpp:274:5:274:6 | * ... |
 | test.cpp:274:6:274:6 | x | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:274:6:274:6 | x | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:280:13:280:24 | new[] | test.cpp:281:14:281:15 | xs |
-| test.cpp:281:14:281:15 | xs | test.cpp:282:30:282:32 | ... ++ |
-| test.cpp:281:14:281:15 | xs | test.cpp:282:30:282:32 | ... ++ |
-| test.cpp:282:21:282:21 | x | test.cpp:284:13:284:14 | Load: * ... |
-| test.cpp:282:30:282:30 | x | test.cpp:284:13:284:14 | Load: * ... |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:282:21:282:21 | x |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:282:21:282:21 | x |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:282:30:282:30 | x |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:282:30:282:30 | x |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:284:14:284:14 | x |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:284:14:284:14 | x |
-| test.cpp:284:14:284:14 | x | test.cpp:284:13:284:14 | Load: * ... |
 | test.cpp:290:13:290:24 | new[] | test.cpp:291:14:291:15 | xs |
 | test.cpp:290:13:290:24 | new[] | test.cpp:292:30:292:30 | x |
-| test.cpp:291:14:291:15 | xs | test.cpp:292:30:292:32 | ... ++ |
-| test.cpp:291:14:291:15 | xs | test.cpp:292:30:292:32 | ... ++ |
-| test.cpp:292:21:292:21 | x | test.cpp:294:5:294:10 | Store: ... = ... |
-| test.cpp:292:30:292:30 | x | test.cpp:294:5:294:10 | Store: ... = ... |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:292:21:292:21 | x |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:292:21:292:21 | x |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:292:30:292:30 | x |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:292:30:292:30 | x |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:294:5:294:6 | * ... |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:294:5:294:6 | * ... |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:294:6:294:6 | x |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:294:6:294:6 | x |
-| test.cpp:294:5:294:6 | * ... | test.cpp:294:5:294:10 | Store: ... = ... |
-| test.cpp:294:6:294:6 | x | test.cpp:294:5:294:10 | Store: ... = ... |
+| test.cpp:304:15:304:26 | new[] | test.cpp:307:5:307:6 | xs |
+| test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:6 | xs |
+| test.cpp:308:5:308:6 | xs | test.cpp:308:5:308:11 | access to array |
+| test.cpp:308:5:308:11 | access to array | test.cpp:308:5:308:29 | Store: ... = ... |
+| test.cpp:313:14:313:27 | new[] | test.cpp:314:15:314:16 | xs |
+| test.cpp:325:14:325:27 | new[] | test.cpp:326:15:326:16 | xs |
+| test.cpp:326:15:326:16 | xs | test.cpp:326:15:326:23 | ... + ... |
+| test.cpp:326:15:326:16 | xs | test.cpp:326:15:326:23 | ... + ... |
+| test.cpp:326:15:326:16 | xs | test.cpp:338:8:338:15 | * ... |
+| test.cpp:326:15:326:16 | xs | test.cpp:341:8:341:17 | * ... |
+| test.cpp:326:15:326:23 | ... + ... | test.cpp:342:8:342:17 | * ... |
+| test.cpp:326:15:326:23 | ... + ... | test.cpp:342:8:342:17 | * ... |
+| test.cpp:338:8:338:15 | * ... | test.cpp:342:8:342:17 | * ... |
+| test.cpp:341:8:341:17 | * ... | test.cpp:342:8:342:17 | * ... |
+| test.cpp:342:8:342:17 | * ... | test.cpp:333:5:333:21 | Store: ... = ... |
+| test.cpp:342:8:342:17 | * ... | test.cpp:341:5:341:21 | Store: ... = ... |
+| test.cpp:347:14:347:27 | new[] | test.cpp:348:15:348:16 | xs |
+| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ |
+| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ |
+| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:15:350:19 | Load: * ... |
+| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:16:350:19 | ... ++ |
+| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:16:350:19 | ... ++ |
+subpaths
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
 | test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -719,9 +693,9 @@ edges
 | test.cpp:232:3:232:20 | Store: ... = ... | test.cpp:231:18:231:30 | new[] | test.cpp:232:3:232:20 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:231:18:231:30 | new[] | new[] | test.cpp:232:11:232:15 | index | index |
 | test.cpp:239:5:239:22 | Store: ... = ... | test.cpp:238:20:238:32 | new[] | test.cpp:239:5:239:22 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:238:20:238:32 | new[] | new[] | test.cpp:239:13:239:17 | index | index |
 | test.cpp:254:9:254:16 | Store: ... = ... | test.cpp:248:24:248:30 | call to realloc | test.cpp:254:9:254:16 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:248:24:248:30 | call to realloc | call to realloc | test.cpp:254:11:254:11 | i | i |
-| test.cpp:264:13:264:14 | Load: * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len |
 | test.cpp:264:13:264:14 | Load: * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len |
-| test.cpp:274:5:274:10 | Store: ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len |
 | test.cpp:274:5:274:10 | Store: ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len |
-| test.cpp:284:13:284:14 | Load: * ... | test.cpp:280:13:280:24 | new[] | test.cpp:284:13:284:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:280:13:280:24 | new[] | new[] | test.cpp:281:19:281:21 | len | len |
-| test.cpp:294:5:294:10 | Store: ... = ... | test.cpp:290:13:290:24 | new[] | test.cpp:294:5:294:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:290:13:290:24 | new[] | new[] | test.cpp:291:19:291:21 | len | len |
+| test.cpp:308:5:308:29 | Store: ... = ... | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:29 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:304:15:304:26 | new[] | new[] | test.cpp:308:8:308:10 | ... + ... | ... + ... |
+| test.cpp:333:5:333:21 | Store: ... = ... | test.cpp:325:14:325:27 | new[] | test.cpp:333:5:333:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:325:14:325:27 | new[] | new[] | test.cpp:326:20:326:23 | size | size |
+| test.cpp:341:5:341:21 | Store: ... = ... | test.cpp:325:14:325:27 | new[] | test.cpp:341:5:341:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:325:14:325:27 | new[] | new[] | test.cpp:326:20:326:23 | size | size |
+| test.cpp:350:15:350:19 | Load: * ... | test.cpp:347:14:347:27 | new[] | test.cpp:350:15:350:19 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:347:14:347:27 | new[] | new[] | test.cpp:348:20:348:23 | size | size |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -281,7 +281,7 @@ void test19(unsigned len)
  int *end = xs + len;
  for (int *x = xs; x < end; x++)
  {
-    int i = *x; // GOOD [FALSE POSITIVE]
+    int i = *x; // GOOD
  }
 }

@@ -291,6 +291,62 @@ void test20(unsigned len)
  int *end = xs + len;
  for (int *x = xs; x < end; x++)
  {
-    *x = 0; // GOOD [FALSE POSITIVE]
+    *x = 0; // GOOD
  }
-}
+}
+
+void* test21_get(int n);
+
+void test21() {
+  int n = 0;
+  while (test21_get(n)) n+=2;
+
+  void** xs = new void*[n];
+
+  for (int i = 0; i < n; i += 2) {
+    xs[i] = test21_get(i); // GOOD
+    xs[i+1] = test21_get(i+1); // GOOD [FALSE POSITIVE]
+  }
+}
+
+void test22(unsigned size, int val) {
+  char *xs = new char[size];
+  char *end = xs + size; // GOOD
+  char **current = &end;
+  do {
+    if (*current - xs < 1) // GOOD
+      return;
+    *--(*current) = 0; // GOOD
+      val >>= 8;
+  } while (val > 0);
+}
+
+void test23(unsigned size, int val) {
+  char *xs = new char[size];
+  char *end = xs + size;
+  char **current = &end;
+
+  if (val < 1) {
+    if(*current - xs < 1)
+      return;
+
+    *--(*current) = 0; // GOOD [FALSE POSITIVE]
+    return;
+  }
+
+  if (val < 2) {
+    if(*current - xs < 2)
+      return;
+
+    *--(*current) = 0; // GOOD [FALSE POSITIVE]
+    *--(*current) = 0; // GOOD
+  }
+}
+
+void test24(unsigned size) {
+  char *xs = new char[size];
+  char *end = xs + size;
+  if (xs < end) {
+    int val = *xs++; // GOOD [FALSE POSITIVE]
+  }
+}
--- a/cpp/ql/test/library-tests/blocks/cpp/exprs.ql
+++ b/cpp/ql/test/library-tests/blocks/cpp/exprs.ql
@@ -6,7 +6,7 @@ import cpp
 */

 class CStyleCastPlain extends CStyleCast {
-  override string toString() { result = "Conversion of " + getExpr().toString() }
+  override string toString() { result = "Conversion of " + this.getExpr().toString() }
 }

 from Expr e
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.expected
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.expected
@@ -1,2 +1,4 @@
 WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:9,8-47)
 WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:20,49-74)
+failures
+testFailures
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.ql
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.ql
@@ -38,12 +38,10 @@ predicate irTaint(Element source, TaintedWithPath::PathNode predNode, string tag
  )
 }

-class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
-  IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
+module IRDefaultTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = ["ir-path", "ir-sink"] }

-  override string getARelevantTag() { result = ["ir-path", "ir-sink"] }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(Element elem, TaintedWithPath::PathNode node, int n |
      irTaint(_, node, tag) and
      elem = getElementFromPathNode(node) and
@@ -67,12 +65,10 @@ class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
  }
 }

-class AstTaintTrackingTest extends InlineExpectationsTest {
-  AstTaintTrackingTest() { this = "ASTTaintTrackingTest" }
+module AstTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = "ast" }

-  override string getARelevantTag() { result = "ast" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(Expr source, Element tainted, int n |
      tag = "ast" and
      astTaint(source, tainted) and
@@ -100,3 +96,5 @@ class AstTaintTrackingTest extends InlineExpectationsTest {
    )
  }
 }
+
+import MakeTest<MergeTests<IRDefaultTaintTrackingTest, AstTaintTrackingTest>>
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
@@ -1,2 +1,4 @@
 WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:10,8-47)
 WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:21,3-28)
+failures
+testFailures
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.ql
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.ql
@@ -29,12 +29,10 @@ predicate irTaint(Expr source, Element sink) {
  TaintedWithPath::taintedWithPath(source, sink, _, _)
 }

-class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
-  IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
+module IRDefaultTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = "ir" }

-  override string getARelevantTag() { result = "ir" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(Expr source, Element tainted, int n |
      tag = "ir" and
      irTaint(source, tainted) and
@@ -55,12 +53,10 @@ class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
  }
 }

-class AstTaintTrackingTest extends InlineExpectationsTest {
-  AstTaintTrackingTest() { this = "ASTTaintTrackingTest" }
+module AstTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = "ast" }

-  override string getARelevantTag() { result = "ast" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(Expr source, Element tainted, int n |
      tag = "ast" and
      astTaint(source, tainted) and
@@ -80,3 +76,5 @@ class AstTaintTrackingTest extends InlineExpectationsTest {
    )
  }
 }
+
+import MakeTest<MergeTests<IRDefaultTaintTrackingTest, AstTaintTrackingTest>>
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/globals/global.expected
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/globals/global.expected
@@ -1,2 +1,4 @@
 WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (global.ql:8,3-47)
 WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (global.ql:12,3-53)
+failures
+testFailures
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/globals/global.ql
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/globals/global.ql
@@ -12,12 +12,10 @@ predicate irTaint(Expr source, Element sink, string globalVar) {
  IRDefaultTaintTracking::taintedIncludingGlobalVars(source, sink, globalVar) and globalVar != ""
 }

-class IRGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
-  IRGlobalDefaultTaintTrackingTest() { this = "IRGlobalDefaultTaintTrackingTest" }
+module IRGlobalDefaultTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = "ir" }

-  override string getARelevantTag() { result = "ir" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(Element tainted |
      tag = "ir" and
      irTaint(_, tainted, value) and
@@ -27,12 +25,10 @@ class IRGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
  }
 }

-class AstGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
-  AstGlobalDefaultTaintTrackingTest() { this = "ASTGlobalDefaultTaintTrackingTest" }
+module AstGlobalDefaultTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = "ast" }

-  override string getARelevantTag() { result = "ast" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(Element tainted |
      tag = "ast" and
      astTaint(_, tainted, value) and
@@ -41,3 +37,5 @@ class AstGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
    )
  }
 }
+
+import MakeTest<MergeTests<IRGlobalDefaultTaintTrackingTest, AstGlobalDefaultTaintTrackingTest>>
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp
@@ -1,5 +1,5 @@
 int source();
-void sink(int);
+void sink(...);
 bool guarded(int);

 void bg_basic(int source) {
@@ -66,3 +66,13 @@ void bg_structptr(XY *p1, XY *p2) { // $ ast-def=p1 ast-def=p2
    sink(p1->x); // $ ast,ir
  }
 }
+
+int* indirect_source();
+bool guarded(const int*);
+
+void bg_indirect_expr() {
+  int *buf = indirect_source();
+  if (guarded(buf)) {
+    sink(buf);
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/clang.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/clang.cpp
@@ -1,7 +1,7 @@
 // semmle-extractor-options: --edg --clang

 int source();
-void sink(int); void sink(const int *); void sink(int **);
+void sink(int); void sink(const int *); void sink(int **); void indirect_sink(...);

 struct twoIntFields {
  int m1, m2;
@@ -19,7 +19,8 @@ void following_pointers( // $ ast-def=sourceStruct1_ptr

  sink(sourceArray1[0]); // no flow
  sink(*sourceArray1); // no flow
-  sink(&sourceArray1); // $ ast,ir // [should probably be taint only]
+  sink(&sourceArray1); // $ ast // [should probably be taint only]
+  indirect_sink(&sourceArray1); // $ ast,ir

  sink(sourceStruct1.m1); // no flow
  sink(sourceStruct1_ptr->m1); // no flow
@@ -48,5 +49,6 @@ void following_pointers( // $ ast-def=sourceStruct1_ptr

  int stackArray[2] = { source(), source() };
  stackArray[0] = source();
-  sink(stackArray); // $ ast ir ir=49:25 ir=49:35 ir=50:19
+  sink(stackArray); // $ ast,ir
+  indirect_sink(stackArray); // $ ast ir=50:25 ir=50:35 ir=51:19
 }
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
@@ -28,9 +28,10 @@ postWithInFlow
 | BarrierGuard.cpp:49:6:49:6 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | BarrierGuard.cpp:60:7:60:7 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:22:9:22:20 | sourceArray1 [inner post update] | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:28:22:28:23 | m1 [post update] | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:50:3:50:12 | stackArray [inner post update] | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:50:3:50:15 | access to array [post update] | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:23:18:23:29 | sourceArray1 [inner post update] | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:29:22:29:23 | m1 [post update] | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:51:3:51:12 | stackArray [inner post update] | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:51:3:51:15 | access to array [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:60:3:60:14 | globalBottom [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:61:3:61:14 | globalMiddle [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:78:24:78:37 | call to allocateBottom [inner post update] | PostUpdateNode should not be the target of local flow. |
@@ -115,7 +116,20 @@ postWithInFlow
 | test.cpp:602:3:602:7 | access to array [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:608:3:608:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:608:4:608:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:639:3:639:3 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:646:3:646:3 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:652:3:652:3 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:653:3:653:3 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:659:3:659:3 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:660:3:660:3 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:671:3:671:3 | s [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:681:3:681:3 | s [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:689:3:689:3 | s [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:690:3:690:3 | s [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:694:4:694:6 | buf [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:704:23:704:25 | buf [inner post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
+identityLocalStep
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
@@ -31,3 +31,4 @@ viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
+identityLocalStep
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/has-parameter-flow-out.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/has-parameter-flow-out.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/has-parameter-flow-out.ql
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/has-parameter-flow-out.ql
@@ -5,12 +5,10 @@ module AstTest {
  private import semmle.code.cpp.dataflow.DataFlow::DataFlow
  private import semmle.code.cpp.dataflow.internal.DataFlowPrivate

-  class AstParameterDefTest extends InlineExpectationsTest {
-    AstParameterDefTest() { this = "AstParameterDefTest" }
+  module AstParameterDefTest implements TestSig {
+    string getARelevantTag() { result = "ast-def" }

-    override string getARelevantTag() { result = "ast-def" }
-
-    override predicate hasActualResult(Location location, string element, string tag, string value) {
+    predicate hasActualResult(Location location, string element, string tag, string value) {
      exists(Function f, Parameter p, RefParameterFinalValueNode n |
        p.isNamed() and
        n.getParameter() = p and
@@ -33,12 +31,10 @@ module IRTest {
    (if k = 0 then result = "" else result = "*" + stars(k - 1))
  }

-  class IRParameterDefTest extends InlineExpectationsTest {
-    IRParameterDefTest() { this = "IRParameterDefTest" }
+  module IRParameterDefTest implements TestSig {
+    string getARelevantTag() { result = "ir-def" }

-    override string getARelevantTag() { result = "ir-def" }
-
-    override predicate hasActualResult(Location location, string element, string tag, string value) {
+    predicate hasActualResult(Location location, string element, string tag, string value) {
      exists(Function f, Parameter p, FinalParameterNode n |
        p.isNamed() and
        n.getParameter() = p and
@@ -51,3 +47,5 @@ module IRTest {
    }
  }
 }
+
+import MakeTest<MergeTests<AstTest::AstParameterDefTest, IRTest::IRParameterDefTest>>
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-number-of-outnodes.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-number-of-outnodes.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-number-of-outnodes.ql
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-number-of-outnodes.ql
@@ -5,12 +5,10 @@ module AstTest {
  private import semmle.code.cpp.dataflow.DataFlow::DataFlow
  private import semmle.code.cpp.dataflow.internal.DataFlowPrivate

-  class AstMultipleOutNodesTest extends InlineExpectationsTest {
-    AstMultipleOutNodesTest() { this = "AstMultipleOutNodesTest" }
+  module AstMultipleOutNodesTest implements TestSig {
+    string getARelevantTag() { result = "ast-count(" + any(ReturnKind k).toString() + ")" }

-    override string getARelevantTag() { result = "ast-count(" + any(ReturnKind k).toString() + ")" }
-
-    override predicate hasActualResult(Location location, string element, string tag, string value) {
+    predicate hasActualResult(Location location, string element, string tag, string value) {
      exists(DataFlowCall call, int n, ReturnKind kind |
        call.getLocation() = location and
        n = strictcount(getAnOutNode(call, kind)) and
@@ -27,12 +25,10 @@ module IRTest {
  private import semmle.code.cpp.ir.dataflow.DataFlow
  private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate

-  class IRMultipleOutNodesTest extends InlineExpectationsTest {
-    IRMultipleOutNodesTest() { this = "IRMultipleOutNodesTest" }
+  module IRMultipleOutNodesTest implements TestSig {
+    string getARelevantTag() { result = "ir-count(" + any(ReturnKind k).toString() + ")" }

-    override string getARelevantTag() { result = "ir-count(" + any(ReturnKind k).toString() + ")" }
-
-    override predicate hasActualResult(Location location, string element, string tag, string value) {
+    predicate hasActualResult(Location location, string element, string tag, string value) {
      exists(DataFlowCall call, int n, ReturnKind kind |
        call.getLocation() = location and
        n = strictcount(getAnOutNode(call, kind)) and
@@ -44,3 +40,5 @@ module IRTest {
    }
  }
 }
+
+import MakeTest<MergeTests<AstTest::AstMultipleOutNodesTest, IRTest::IRMultipleOutNodesTest>>
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -1,5 +1,5 @@
 int source();
-void sink(int); void sink(const int *); void sink(int **);
+void sink(int); void sink(const int *); void sink(int **); void indirect_sink(...);

 void intraprocedural_with_local_flow() {
  int t2;
@@ -626,5 +626,80 @@ void test_def_via_phi_read(bool b)
    use(buffer);
  }
  intPointerSource(buffer);
-  sink(buffer); // $ ast,ir
+  indirect_sink(buffer); // $ ast,ir
+}
+
+void test_static_local_1() {
+  static int x = source();
+  sink(x); // $ ast,ir
+}
+
+void test_static_local_2() {
+  static int x = source();
+  x = 0;
+  sink(x); // clean
+}
+
+void test_static_local_3() {
+  static int x = 0;
+  sink(x); // $ ir MISSING: ast
+  x = source();
+}
+
+void test_static_local_4() {
+  static int x = 0;
+  sink(x); // clean
+  x = source();
+  x = 0;
+}
+
+void test_static_local_5() {
+  static int x = 0;
+  sink(x); // $ ir MISSING: ast
+  x = 0;
+  x = source();
+}
+
+void test_static_local_6() {
+  static int s = source();
+  static int* ptr_to_s = &s;
+  sink(*ptr_to_s); // $ ir MISSING: ast
+}
+
+void test_static_local_7() {
+  static int s = source();
+  s = 0;
+  static int* ptr_to_s = &s;
+  sink(*ptr_to_s); // clean
+}
+
+void test_static_local_8() {
+  static int s;
+  static int* ptr_to_s = &s;
+  sink(*ptr_to_s); // $ ir MISSING: ast
+
+  s = source();
+}
+
+void test_static_local_9() {
+  static int s;
+  static int* ptr_to_s = &s;
+  sink(*ptr_to_s); // clean
+
+  s = source();
+  s = 0;
+}
+
+void increment_buf(int** buf) { // $ ast-def=buf ir-def=*buf ir-def=**buf
+  *buf += 10;
+  sink(buf); // $ SPURIOUS: ast
+}
+
+void call_increment_buf(int** buf) { // $ ast-def=buf
+  increment_buf(buf);
+}
+
+void test_conflation_regression(int* source) { // $ ast-def=source
+  int* buf = source;
+  call_increment_buf(&buf);
 }
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql
@@ -16,10 +16,8 @@ module AstTest {
  }

  /** Common data flow configuration to be used by tests. */
-  class AstTestAllocationConfig extends DataFlow::Configuration {
-    AstTestAllocationConfig() { this = "ASTTestAllocationConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
+  module AstTestAllocationConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
      source.asExpr().(FunctionCall).getTarget().getName() = "source"
      or
      source.asParameter().getName().matches("source%")
@@ -32,21 +30,24 @@ module AstTest {
      exists(source.asUninitialized())
    }

-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
      exists(FunctionCall call |
-        call.getTarget().getName() = "sink" and
+        call.getTarget().getName() = ["sink", "indirect_sink"] and
        sink.asExpr() = call.getAnArgument()
      )
    }

-    override predicate isBarrier(DataFlow::Node barrier) {
+    predicate isBarrier(DataFlow::Node barrier) {
      barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") or
      barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()
    }
  }
+
+  module AstFlow = DataFlow::Global<AstTestAllocationConfig>;
 }

 module IRTest {
+  private import cpp
  private import semmle.code.cpp.ir.dataflow.DataFlow
  private import semmle.code.cpp.ir.IR
  private import semmle.code.cpp.controlflow.IRGuards
@@ -56,17 +57,18 @@ module IRTest {
   * S in `if (guarded(x)) S`.
   */
  // This is tested in `BarrierGuard.cpp`.
-  predicate testBarrierGuard(IRGuardCondition g, Instruction checked, boolean isTrue) {
-    g.(CallInstruction).getStaticCallTarget().getName() = "guarded" and
-    checked = g.(CallInstruction).getPositionalArgument(0) and
-    isTrue = true
+  predicate testBarrierGuard(IRGuardCondition g, Expr checked, boolean isTrue) {
+    exists(Call call |
+      call = g.getUnconvertedResultExpression() and
+      call.getTarget().hasName("guarded") and
+      checked = call.getArgument(0) and
+      isTrue = true
+    )
  }

  /** Common data flow configuration to be used by tests. */
-  class IRTestAllocationConfig extends DataFlow::Configuration {
-    IRTestAllocationConfig() { this = "IRTestAllocationConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
+  module IRTestAllocationConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
      source.asExpr().(FunctionCall).getTarget().getName() = "source"
      or
      source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "indirect_source"
@@ -78,19 +80,28 @@ module IRTest {
      exists(source.asUninitialized())
    }

-    override predicate isSink(DataFlow::Node sink) {
-      exists(FunctionCall call |
+    predicate isSink(DataFlow::Node sink) {
+      exists(FunctionCall call, Expr e | e = call.getAnArgument() |
        call.getTarget().getName() = "sink" and
-        call.getAnArgument() in [sink.asExpr(), sink.asIndirectExpr()]
+        sink.asExpr() = e
+        or
+        call.getTarget().getName() = "indirect_sink" and
+        sink.asIndirectExpr() = e
      )
    }

-    override predicate isBarrier(DataFlow::Node barrier) {
+    predicate isBarrier(DataFlow::Node barrier) {
      exists(Expr barrierExpr | barrierExpr in [barrier.asExpr(), barrier.asIndirectExpr()] |
        barrierExpr.(VariableAccess).getTarget().hasName("barrier")
      )
      or
-      barrier = DataFlow::InstructionBarrierGuard<testBarrierGuard/3>::getABarrierNode()
+      barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()
+      or
+      barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getAnIndirectBarrierNode()
    }
  }
+
+  module IRFlow = DataFlow::Global<IRTestAllocationConfig>;
 }
+
+import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>
--- a/cpp/ql/test/library-tests/dataflow/fields/ASTConfiguration.qll
+++ b/cpp/ql/test/library-tests/dataflow/fields/ASTConfiguration.qll
@@ -1,10 +1,8 @@
 private import semmle.code.cpp.dataflow.DataFlow
 private import DataFlow

-class AstConf extends Configuration {
-  AstConf() { this = "ASTFieldFlowConf" }
-
-  override predicate isSource(Node src) {
+module AstConfig implements ConfigSig {
+  predicate isSource(Node src) {
    src.asExpr() instanceof NewExpr
    or
    src.asExpr().(Call).getTarget().hasName("user_input")
@@ -15,14 +13,14 @@ class AstConf extends Configuration {
    )
  }

-  override predicate isSink(Node sink) {
+  predicate isSink(Node sink) {
    exists(Call c |
      c.getTarget().hasName("sink") and
      c.getAnArgument() = sink.asExpr()
    )
  }

-  override predicate isAdditionalFlowStep(Node a, Node b) {
+  predicate isAdditionalFlowStep(Node a, Node b) {
    b.asPartialDefinition() =
      any(Call c | c.getTarget().hasName("insert") and c.getAnArgument() = a.asExpr())
          .getQualifier()
@@ -31,5 +29,4 @@ class AstConf extends Configuration {
  }
 }

-/** DEPRECATED: Alias for AstConf */
-deprecated class ASTConf = AstConf;
+module AstFlow = Global<AstConfig>;
--- a/cpp/ql/test/library-tests/dataflow/fields/IRConfiguration.qll
+++ b/cpp/ql/test/library-tests/dataflow/fields/IRConfiguration.qll
@@ -1,10 +1,8 @@
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import DataFlow

-class IRConf extends Configuration {
-  IRConf() { this = "IRFieldFlowConf" }
-
-  override predicate isSource(Node src) {
+module IRConfig implements ConfigSig {
+  predicate isSource(Node src) {
    src.asExpr() instanceof NewExpr
    or
    src.asExpr().(Call).getTarget().hasName("user_input")
@@ -15,14 +13,14 @@ class IRConf extends Configuration {
    )
  }

-  override predicate isSink(Node sink) {
+  predicate isSink(Node sink) {
    exists(Call c |
      c.getTarget().hasName("sink") and
      c.getAnArgument() = [sink.asExpr(), sink.asIndirectExpr(), sink.asConvertedExpr()]
    )
  }

-  override predicate isAdditionalFlowStep(Node a, Node b) {
+  predicate isAdditionalFlowStep(Node a, Node b) {
    b.asPartialDefinition() =
      any(Call c | c.getTarget().hasName("insert") and c.getAnArgument() = a.asExpr())
          .getQualifier()
@@ -30,3 +28,5 @@ class IRConf extends Configuration {
    b.asExpr().(AddressOfExpr).getOperand() = a.asExpr()
  }
 }
+
+module IRFlow = Global<IRConfig>;
--- a/cpp/ql/test/library-tests/dataflow/fields/Nodes.qll
+++ b/cpp/ql/test/library-tests/dataflow/fields/Nodes.qll
@@ -14,7 +14,7 @@ class Node extends TNode {
  AST::DataFlow::Node asAst() { none() }

  /** DEPRECATED: Alias for asAst */
-  deprecated AST::DataFlow::Node asAST() { result = asAst() }
+  deprecated AST::DataFlow::Node asAST() { result = this.asAst() }

  Location getLocation() { none() }
 }
@@ -29,7 +29,7 @@ class AstNode extends Node, TAstNode {
  override AST::DataFlow::Node asAst() { result = n }

  /** DEPRECATED: Alias for asAst */
-  deprecated override AST::DataFlow::Node asAST() { result = asAst() }
+  deprecated override AST::DataFlow::Node asAST() { result = this.asAst() }

  override Location getLocation() { result = n.getLocation() }
 }
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
@@ -162,3 +162,4 @@ viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
+identityLocalStep
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
@@ -41,3 +41,4 @@ viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
+identityLocalStep
--- a/cpp/ql/test/library-tests/dataflow/fields/flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/flow.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/dataflow/fields/flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/fields/flow.ql
@@ -1,9 +1,11 @@
 import TestUtilities.dataflow.FlowTestCommon

 module AstTest {
-  private import ASTConfiguration
+  import ASTConfiguration
 }

 module IRTest {
-  private import IRConfiguration
+  import IRConfiguration
 }
+
+import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.ql
@@ -4,8 +4,8 @@

 import semmle.code.cpp.ir.dataflow.DataFlow
 import IRConfiguration
-import DataFlow::PathGraph
+import IRFlow::PathGraph

-from DataFlow::PathNode src, DataFlow::PathNode sink, IRConf conf
-where conf.hasFlowPath(src, sink)
+from IRFlow::PathNode src, IRFlow::PathNode sink
+where IRFlow::flowPath(src, sink)
 select sink, src, sink, sink + " flows from $@", src, src.toString()
--- a/cpp/ql/test/library-tests/dataflow/fields/path-flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/fields/path-flow.ql
@@ -4,8 +4,8 @@

 import semmle.code.cpp.dataflow.DataFlow
 import ASTConfiguration
-import DataFlow::PathGraph
+import AstFlow::PathGraph

-from DataFlow::PathNode src, DataFlow::PathNode sink, AstConf conf
-where conf.hasFlowPath(src, sink)
+from AstFlow::PathNode src, AstFlow::PathNode sink
+where AstFlow::flowPath(src, sink)
 select sink, src, sink, sink + " flows from $@", src, src.toString()
--- a/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/taint.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/taint.ql
+++ b/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/taint.ql
@@ -3,37 +3,39 @@ import TestUtilities.dataflow.FlowTestCommon
 module AstTest {
  private import semmle.code.cpp.dataflow.TaintTracking

-  class AstSmartPointerTaintConfig extends TaintTracking::Configuration {
-    AstSmartPointerTaintConfig() { this = "ASTSmartPointerTaintConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
+  module AstSmartPointerTaintConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
      source.asExpr().(FunctionCall).getTarget().getName() = "source"
    }

-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
      exists(FunctionCall call |
        call.getTarget().getName() = "sink" and
        sink.asExpr() = call.getAnArgument()
      )
    }
  }
+
+  module AstFlow = TaintTracking::Global<AstSmartPointerTaintConfig>;
 }

 module IRTest {
  private import semmle.code.cpp.ir.dataflow.TaintTracking

-  class IRSmartPointerTaintConfig extends TaintTracking::Configuration {
-    IRSmartPointerTaintConfig() { this = "IRSmartPointerTaintConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
+  module IRSmartPointerTaintConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
      source.asExpr().(FunctionCall).getTarget().getName() = "source"
    }

-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
      exists(FunctionCall call |
        call.getTarget().getName() = "sink" and
        sink.asExpr() = call.getAnArgument()
      )
    }
  }
+
+  module IRFlow = TaintTracking::Global<IRSmartPointerTaintConfig>;
 }
+
+import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/local-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/local-flow.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/local-flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/local-flow.ql
@@ -4,12 +4,10 @@ import cpp
 import TestUtilities.InlineExpectationsTest
 import semmle.code.cpp.security.FlowSources

-class LocalFlowSourceTest extends InlineExpectationsTest {
-  LocalFlowSourceTest() { this = "LocalFlowSourceTest" }
+module LocalFlowSourceTest implements TestSig {
+  string getARelevantTag() { result = "local_source" }

-  override string getARelevantTag() { result = "local_source" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "local_source" and
    exists(LocalFlowSource node, int n |
      n =
@@ -30,3 +28,5 @@ class LocalFlowSourceTest extends InlineExpectationsTest {
    )
  }
 }
+
+import MakeTest<LocalFlowSourceTest>
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.ql
@@ -4,12 +4,10 @@ import cpp
 import TestUtilities.InlineExpectationsTest
 import semmle.code.cpp.security.FlowSources

-class RemoteFlowSourceTest extends InlineExpectationsTest {
-  RemoteFlowSourceTest() { this = "RemoteFlowSourceTest" }
+module RemoteFlowSourceTest implements TestSig {
+  string getARelevantTag() { result = "remote_source" }

-  override string getARelevantTag() { result = "remote_source" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "remote_source" and
    exists(RemoteFlowSource node, int n |
      n =
@@ -31,12 +29,10 @@ class RemoteFlowSourceTest extends InlineExpectationsTest {
  }
 }

-class RemoteFlowSinkTest extends InlineExpectationsTest {
-  RemoteFlowSinkTest() { this = "RemoteFlowSinkTest" }
+module RemoteFlowSinkTest implements TestSig {
+  string getARelevantTag() { result = "remote_sink" }

-  override string getARelevantTag() { result = "remote_sink" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "remote_sink" and
    exists(RemoteFlowSink node, int n |
      n =
@@ -57,3 +53,5 @@ class RemoteFlowSinkTest extends InlineExpectationsTest {
    )
  }
 }
+
+import MakeTest<MergeTests<RemoteFlowSourceTest, RemoteFlowSinkTest>>
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -8090,20 +8090,20 @@
 | vector.cpp:520:25:520:31 | call to vector | vector.cpp:523:8:523:9 | vs |  |
 | vector.cpp:520:25:520:31 | call to vector | vector.cpp:524:8:524:9 | vs |  |
 | vector.cpp:520:25:520:31 | call to vector | vector.cpp:526:8:526:9 | vs |  |
-| vector.cpp:520:25:520:31 | call to vector | vector.cpp:539:8:539:9 | vs |  |
-| vector.cpp:520:25:520:31 | call to vector | vector.cpp:540:2:540:2 | vs |  |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:532:8:532:9 | vs |  |
+| vector.cpp:520:25:520:31 | call to vector | vector.cpp:533:2:533:2 | vs |  |
 | vector.cpp:520:30:520:30 | 0 | vector.cpp:520:25:520:31 | call to vector | TAINT |
 | vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:524:8:524:9 | vs |  |
 | vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:526:8:526:9 | vs |  |
-| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:539:8:539:9 | vs |  |
-| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:540:2:540:2 | vs |  |
+| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:532:8:532:9 | vs |  |
+| vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
 | vector.cpp:523:8:523:9 | vs | vector.cpp:523:10:523:10 | call to operator[] | TAINT |
 | vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:526:8:526:9 | vs |  |
-| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:539:8:539:9 | vs |  |
-| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:540:2:540:2 | vs |  |
+| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:532:8:532:9 | vs |  |
+| vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
 | vector.cpp:524:8:524:9 | vs | vector.cpp:524:10:524:10 | call to operator[] | TAINT |
-| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:539:8:539:9 | vs |  |
-| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:540:2:540:2 | vs |  |
+| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:532:8:532:9 | vs |  |
+| vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
 | vector.cpp:526:8:526:9 | vs | vector.cpp:526:11:526:15 | call to begin | TAINT |
 | vector.cpp:526:11:526:15 | call to begin | vector.cpp:526:3:526:17 | ... = ... |  |
 | vector.cpp:526:11:526:15 | call to begin | vector.cpp:527:9:527:10 | it |  |
@@ -8128,5 +8128,5 @@
 | vector.cpp:530:3:530:4 | ref arg it | vector.cpp:531:9:531:10 | it |  |
 | vector.cpp:530:9:530:14 | call to source | vector.cpp:530:3:530:4 | ref arg it | TAINT |
 | vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
-| vector.cpp:539:8:539:9 | ref arg vs | vector.cpp:540:2:540:2 | vs |  |
-| vector.cpp:539:8:539:9 | vs | vector.cpp:539:10:539:10 | call to operator[] | TAINT |
+| vector.cpp:532:8:532:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
+| vector.cpp:532:8:532:9 | vs | vector.cpp:532:10:532:10 | call to operator[] | TAINT |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.ql
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.ql
@@ -43,10 +43,8 @@ module AstTest {
  private import semmle.code.cpp.models.interfaces.Taint

  /** Common data flow configuration to be used by tests. */
-  class AstTestAllocationConfig extends TaintTracking::Configuration {
-    AstTestAllocationConfig() { this = "ASTTestAllocationConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
+  module AstTestAllocationConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
      source.asExpr().(FunctionCall).getTarget().getName() = "source"
      or
      source.asParameter().getName().matches("source%")
@@ -60,17 +58,19 @@ module AstTest {
      )
    }

-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
      exists(FunctionCall call |
        call.getTarget().getName() = "sink" and
        sink.asExpr() = call.getAnArgument()
      )
    }

-    override predicate isSanitizer(DataFlow::Node barrier) {
+    predicate isBarrier(DataFlow::Node barrier) {
      barrier.asExpr().(VariableAccess).getTarget().hasName("sanitizer")
    }
  }
+
+  module AstFlow = TaintTracking::Global<AstTestAllocationConfig>;
 }

 module IRTest {
@@ -78,10 +78,8 @@ module IRTest {
  private import semmle.code.cpp.ir.dataflow.TaintTracking

  /** Common data flow configuration to be used by tests. */
-  class TestAllocationConfig extends TaintTracking::Configuration {
-    TestAllocationConfig() { this = "TestAllocationConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
+  module TestAllocationConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
      source.asExpr().(FunctionCall).getTarget().getName() = "source"
      or
      source.asIndirectExpr().(FunctionCall).getTarget().getName() = "source"
@@ -94,21 +92,25 @@ module IRTest {
      )
    }

-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
      exists(FunctionCall call |
        call.getTarget().getName() = "sink" and
        [sink.asExpr(), sink.asIndirectExpr()] = call.getAnArgument()
      )
    }

-    override predicate isSanitizer(DataFlow::Node barrier) {
+    predicate isBarrier(DataFlow::Node barrier) {
      barrier.asExpr().(VariableAccess).getTarget().hasName("sanitizer")
    }

-    override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
      // allow arbitrary reads at sinks
-      this.isSink(node) and
+      isSink(node) and
      c.(DataFlow::FieldContent).getField().getDeclaringType() = node.getType().getUnspecifiedType()
    }
  }
+
+  module IRFlow = TaintTracking::Global<TestAllocationConfig>;
 }
+
+import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -523,19 +523,12 @@ void test_vector_iterator() {
 		sink(vs[1]);
 		sink(vs[source()]); // $ MISSING: ast,ir

-		it = vs.begin(); // (1)
+		it = vs.begin();
 		sink(*it);
 		it += 1;
 		sink(*it);
-		it += source(); // (2)
-		sink(*it); // $ ast,ir // (3)
-		// This FP happens because of the following flows:
-		// 1. There's a write to the iterator at (2)
-		// 2. This write propagates to `it` on the next line at (3)
-		// 3. There's a taint step from `it` to `*it` at (3)
-		// 4. The `*it` is seen as a use of `vs` because of (1).
-		// 5. There's use-use flow from `*it` at (3) (which is a use of `vs`) to `vs` at (4)
-		// 6. There's a taint step from vs to vs[1]
-		sink(vs[1]); // $ SPURIOUS: ir // (4)
+		it += source();
+		sink(*it); // $ ast,ir
+		sink(vs[1]); // clean
 	}
 }
--- a/cpp/ql/test/library-tests/identity_string/identity_string.ql
+++ b/cpp/ql/test/library-tests/identity_string/identity_string.ql
@@ -6,11 +6,11 @@ abstract class CheckCall extends FunctionCall {

  final string getExpectedString() {
    exists(int lastArgIndex |
-      lastArgIndex = getNumberOfArguments() - 1 and
+      lastArgIndex = this.getNumberOfArguments() - 1 and
      (
-        result = getArgument(lastArgIndex).getValue()
+        result = this.getArgument(lastArgIndex).getValue()
        or
-        not exists(getArgument(lastArgIndex).getValue()) and result = "<missing>"
+        not exists(this.getArgument(lastArgIndex).getValue()) and result = "<missing>"
      )
    )
  }
@@ -20,50 +20,54 @@ abstract class CheckCall extends FunctionCall {

 class CheckTypeCall extends CheckCall {
  CheckTypeCall() {
-    getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_type")
+    this.getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_type")
  }

  override string getActualString() {
-    result = getTypeIdentityString(getSpecifiedType())
+    result = getTypeIdentityString(this.getSpecifiedType())
    or
-    not exists(getTypeIdentityString(getSpecifiedType())) and result = "<missing>"
+    not exists(getTypeIdentityString(this.getSpecifiedType())) and result = "<missing>"
  }

-  override string explain() { result = getSpecifiedType().explain() }
+  override string explain() { result = this.getSpecifiedType().explain() }

-  final Type getSpecifiedType() { result = getTarget().getTemplateArgument(0) }
+  final Type getSpecifiedType() { result = this.getTarget().getTemplateArgument(0) }
 }

 class CheckFuncCall extends CheckCall {
  CheckFuncCall() {
-    getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_func")
+    this.getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_func")
  }

  override string getActualString() {
-    result = getIdentityString(getSpecifiedFunction())
+    result = getIdentityString(this.getSpecifiedFunction())
    or
-    not exists(getIdentityString(getSpecifiedFunction())) and result = "<missing>"
+    not exists(getIdentityString(this.getSpecifiedFunction())) and result = "<missing>"
  }

-  override string explain() { result = getSpecifiedFunction().toString() }
+  override string explain() { result = this.getSpecifiedFunction().toString() }

-  final Function getSpecifiedFunction() { result = getArgument(0).(FunctionAccess).getTarget() }
+  final Function getSpecifiedFunction() {
+    result = this.getArgument(0).(FunctionAccess).getTarget()
+  }
 }

 class CheckVarCall extends CheckCall {
  CheckVarCall() {
-    getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_var")
+    this.getTarget().(FunctionTemplateInstantiation).getTemplate().hasGlobalName("check_var")
  }

  override string getActualString() {
-    result = getIdentityString(getSpecifiedVariable())
+    result = getIdentityString(this.getSpecifiedVariable())
    or
-    not exists(getIdentityString(getSpecifiedVariable())) and result = "<missing>"
+    not exists(getIdentityString(this.getSpecifiedVariable())) and result = "<missing>"
  }

-  override string explain() { result = getSpecifiedVariable().toString() }
+  override string explain() { result = this.getSpecifiedVariable().toString() }

-  final Variable getSpecifiedVariable() { result = getArgument(0).(VariableAccess).getTarget() }
+  final Variable getSpecifiedVariable() {
+    result = this.getArgument(0).(VariableAccess).getTarget()
+  }
 }

 bindingset[s]
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -14408,6 +14408,60 @@ ir.cpp:
 # 1894|             Conversion = [IntegralConversion] integral conversion
 # 1894|             Type = [IntType] int
 # 1894|             ValueCategory = prvalue
+# 1897| [TopLevelFunction] void noreturnFunc()
+# 1897|   <params>: 
+# 1899| [TopLevelFunction] int noreturnTest(int)
+# 1899|   <params>: 
+# 1899|     getParameter(0): [Parameter] x
+# 1899|         Type = [IntType] int
+# 1899|   getEntryPoint(): [BlockStmt] { ... }
+# 1900|     getStmt(0): [IfStmt] if (...) ... 
+# 1900|       getCondition(): [LTExpr] ... < ...
+# 1900|           Type = [BoolType] bool
+# 1900|           ValueCategory = prvalue
+# 1900|         getLesserOperand(): [VariableAccess] x
+# 1900|             Type = [IntType] int
+# 1900|             ValueCategory = prvalue(load)
+# 1900|         getGreaterOperand(): [Literal] 10
+# 1900|             Type = [IntType] int
+# 1900|             Value = [Literal] 10
+# 1900|             ValueCategory = prvalue
+# 1900|       getThen(): [BlockStmt] { ... }
+# 1901|         getStmt(0): [ReturnStmt] return ...
+# 1901|           getExpr(): [VariableAccess] x
+# 1901|               Type = [IntType] int
+# 1901|               ValueCategory = prvalue(load)
+# 1902|       getElse(): [BlockStmt] { ... }
+# 1903|         getStmt(0): [ExprStmt] ExprStmt
+# 1903|           getExpr(): [FunctionCall] call to noreturnFunc
+# 1903|               Type = [VoidType] void
+# 1903|               ValueCategory = prvalue
+# 1905|     getStmt(1): [ReturnStmt] return ...
+# 1907| [TopLevelFunction] int noreturnTest2(int)
+# 1907|   <params>: 
+# 1907|     getParameter(0): [Parameter] x
+# 1907|         Type = [IntType] int
+# 1907|   getEntryPoint(): [BlockStmt] { ... }
+# 1908|     getStmt(0): [IfStmt] if (...) ... 
+# 1908|       getCondition(): [LTExpr] ... < ...
+# 1908|           Type = [BoolType] bool
+# 1908|           ValueCategory = prvalue
+# 1908|         getLesserOperand(): [VariableAccess] x
+# 1908|             Type = [IntType] int
+# 1908|             ValueCategory = prvalue(load)
+# 1908|         getGreaterOperand(): [Literal] 10
+# 1908|             Type = [IntType] int
+# 1908|             Value = [Literal] 10
+# 1908|             ValueCategory = prvalue
+# 1908|       getThen(): [BlockStmt] { ... }
+# 1909|         getStmt(0): [ExprStmt] ExprStmt
+# 1909|           getExpr(): [FunctionCall] call to noreturnFunc
+# 1909|               Type = [VoidType] void
+# 1909|               ValueCategory = prvalue
+# 1911|     getStmt(1): [ReturnStmt] return ...
+# 1911|       getExpr(): [VariableAccess] x
+# 1911|           Type = [IntType] int
+# 1911|           ValueCategory = prvalue(load)
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   <params>: 
--- a/cpp/ql/test/library-tests/ir/ir/ir.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -1894,4 +1894,21 @@ int test_global_template_int() {
    return local_int + (int)local_char;
 }

+[[noreturn]] void noreturnFunc();
+
+int noreturnTest(int x) {
+    if (x < 10) {
+        return x;
+    } else {
+        noreturnFunc();
+    }
+}
+
+int noreturnTest2(int x) {
+    if (x < 10) {
+        noreturnFunc();
+    }
+    return x;
+}
+
 // semmle-extractor-options: -std=c++17 --clang
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
@@ -8783,6 +8783,44 @@
 | ir.cpp:1894:29:1894:38 | Address | &:r1894_4 |
 | ir.cpp:1894:29:1894:38 | Load | m1893_4 |
 | ir.cpp:1894:29:1894:38 | Unary | r1894_5 |
+| ir.cpp:1899:5:1899:16 | Address | &:r1899_7 |
+| ir.cpp:1899:5:1899:16 | ChiPartial | partial:m1899_3 |
+| ir.cpp:1899:5:1899:16 | ChiTotal | total:m1899_2 |
+| ir.cpp:1899:5:1899:16 | Load | m1901_4 |
+| ir.cpp:1899:5:1899:16 | SideEffect | m1899_3 |
+| ir.cpp:1899:22:1899:22 | Address | &:r1899_5 |
+| ir.cpp:1900:9:1900:9 | Address | &:r1900_1 |
+| ir.cpp:1900:9:1900:9 | Left | r1900_2 |
+| ir.cpp:1900:9:1900:9 | Load | m1899_6 |
+| ir.cpp:1900:9:1900:14 | Condition | r1900_4 |
+| ir.cpp:1900:13:1900:14 | Right | r1900_3 |
+| ir.cpp:1901:9:1901:17 | Address | &:r1901_1 |
+| ir.cpp:1901:16:1901:16 | Address | &:r1901_2 |
+| ir.cpp:1901:16:1901:16 | Load | m1899_6 |
+| ir.cpp:1901:16:1901:16 | StoreValue | r1901_3 |
+| ir.cpp:1903:9:1903:20 | CallTarget | func:r1903_1 |
+| ir.cpp:1903:9:1903:20 | ChiPartial | partial:m1903_3 |
+| ir.cpp:1903:9:1903:20 | ChiTotal | total:m1899_4 |
+| ir.cpp:1903:9:1903:20 | SideEffect | ~m1899_4 |
+| ir.cpp:1907:5:1907:17 | Address | &:r1907_8 |
+| ir.cpp:1907:5:1907:17 | ChiPartial | partial:m1907_3 |
+| ir.cpp:1907:5:1907:17 | ChiTotal | total:m1907_2 |
+| ir.cpp:1907:5:1907:17 | Load | m1911_4 |
+| ir.cpp:1907:5:1907:17 | SideEffect | m1907_3 |
+| ir.cpp:1907:23:1907:23 | Address | &:r1907_5 |
+| ir.cpp:1908:9:1908:9 | Address | &:r1908_1 |
+| ir.cpp:1908:9:1908:9 | Left | r1908_2 |
+| ir.cpp:1908:9:1908:9 | Load | m1907_6 |
+| ir.cpp:1908:9:1908:14 | Condition | r1908_4 |
+| ir.cpp:1908:13:1908:14 | Right | r1908_3 |
+| ir.cpp:1909:9:1909:20 | CallTarget | func:r1909_1 |
+| ir.cpp:1909:9:1909:20 | ChiPartial | partial:m1909_3 |
+| ir.cpp:1909:9:1909:20 | ChiTotal | total:m1907_4 |
+| ir.cpp:1909:9:1909:20 | SideEffect | ~m1907_4 |
+| ir.cpp:1911:5:1911:13 | Address | &:r1911_1 |
+| ir.cpp:1911:12:1911:12 | Address | &:r1911_2 |
+| ir.cpp:1911:12:1911:12 | Load | m1907_6 |
+| ir.cpp:1911:12:1911:12 | StoreValue | r1911_3 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -10105,6 +10105,68 @@ ir.cpp:
 # 1891|     v1891_6(void)        = AliasedUse                       : ~m?
 # 1891|     v1891_7(void)        = ExitFunction                     : 

+# 1899| int noreturnTest(int)
+# 1899|   Block 0
+# 1899|     v1899_1(void)       = EnterFunction          : 
+# 1899|     mu1899_2(unknown)   = AliasedDefinition      : 
+# 1899|     mu1899_3(unknown)   = InitializeNonLocal     : 
+# 1899|     r1899_4(glval<int>) = VariableAddress[x]     : 
+# 1899|     mu1899_5(int)       = InitializeParameter[x] : &:r1899_4
+# 1900|     r1900_1(glval<int>) = VariableAddress[x]     : 
+# 1900|     r1900_2(int)        = Load[x]                : &:r1900_1, ~m?
+# 1900|     r1900_3(int)        = Constant[10]           : 
+# 1900|     r1900_4(bool)       = CompareLT              : r1900_2, r1900_3
+# 1900|     v1900_5(void)       = ConditionalBranch      : r1900_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+# 1901|   Block 1
+# 1901|     r1901_1(glval<int>) = VariableAddress[#return] : 
+# 1901|     r1901_2(glval<int>) = VariableAddress[x]       : 
+# 1901|     r1901_3(int)        = Load[x]                  : &:r1901_2, ~m?
+# 1901|     mu1901_4(int)       = Store[#return]           : &:r1901_1, r1901_3
+# 1899|     r1899_6(glval<int>) = VariableAddress[#return] : 
+# 1899|     v1899_7(void)       = ReturnValue              : &:r1899_6, ~m?
+# 1899|     v1899_8(void)       = AliasedUse               : ~m?
+# 1899|     v1899_9(void)       = ExitFunction             : 
+
+# 1903|   Block 2
+# 1903|     r1903_1(glval<unknown>) = FunctionAddress[noreturnFunc] : 
+# 1903|     v1903_2(void)           = Call[noreturnFunc]            : func:r1903_1
+# 1903|     mu1903_3(unknown)       = ^CallSideEffect               : ~m?
+# 1905|     v1905_1(void)           = Unreached                     : 
+
+# 1907| int noreturnTest2(int)
+# 1907|   Block 0
+# 1907|     v1907_1(void)       = EnterFunction          : 
+# 1907|     mu1907_2(unknown)   = AliasedDefinition      : 
+# 1907|     mu1907_3(unknown)   = InitializeNonLocal     : 
+# 1907|     r1907_4(glval<int>) = VariableAddress[x]     : 
+# 1907|     mu1907_5(int)       = InitializeParameter[x] : &:r1907_4
+# 1908|     r1908_1(glval<int>) = VariableAddress[x]     : 
+# 1908|     r1908_2(int)        = Load[x]                : &:r1908_1, ~m?
+# 1908|     r1908_3(int)        = Constant[10]           : 
+# 1908|     r1908_4(bool)       = CompareLT              : r1908_2, r1908_3
+# 1908|     v1908_5(void)       = ConditionalBranch      : r1908_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+# 1909|   Block 1
+# 1909|     r1909_1(glval<unknown>) = FunctionAddress[noreturnFunc] : 
+# 1909|     v1909_2(void)           = Call[noreturnFunc]            : func:r1909_1
+# 1909|     mu1909_3(unknown)       = ^CallSideEffect               : ~m?
+# 1907|     v1907_6(void)           = Unreached                     : 
+
+# 1911|   Block 2
+# 1911|     r1911_1(glval<int>) = VariableAddress[#return] : 
+# 1911|     r1911_2(glval<int>) = VariableAddress[x]       : 
+# 1911|     r1911_3(int)        = Load[x]                  : &:r1911_2, ~m?
+# 1911|     mu1911_4(int)       = Store[#return]           : &:r1911_1, r1911_3
+# 1907|     r1907_7(glval<int>) = VariableAddress[#return] : 
+# 1907|     v1907_8(void)       = ReturnValue              : &:r1907_7, ~m?
+# 1907|     v1907_9(void)       = AliasedUse               : ~m?
+# 1907|     v1907_10(void)      = ExitFunction             : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0
--- a/cpp/ql/test/library-tests/ir/modulus-analysis/ModulusAnalysis.expected
+++ b/cpp/ql/test/library-tests/ir/modulus-analysis/ModulusAnalysis.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/ir/modulus-analysis/ModulusAnalysis.ql
+++ b/cpp/ql/test/library-tests/ir/modulus-analysis/ModulusAnalysis.ql
@@ -12,12 +12,10 @@ import TestUtilities.InlineExpectationsTest
 module ModulusAnalysisInstantiated =
  ModulusAnalysis<FloatDelta, ConstantBounds, RangeUtil<FloatDelta, CppLangImplRelative>>;

-class ModulusAnalysisTest extends InlineExpectationsTest {
-  ModulusAnalysisTest() { this = "ModulusAnalysisTest" }
+module ModulusAnalysisTest implements TestSig {
+  string getARelevantTag() { result = "mod" }

-  override string getARelevantTag() { result = "mod" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(SemExpr e, IR::CallInstruction call |
      getSemanticExpr(call.getArgument(0)) = e and
      call.getStaticCallTarget().hasName("mod") and
@@ -29,6 +27,8 @@ class ModulusAnalysisTest extends InlineExpectationsTest {
  }
 }

+import MakeTest<ModulusAnalysisTest>
+
 private string getAModString(SemExpr e) {
  exists(SemBound b, int delta, int mod |
    ModulusAnalysisInstantiated::semExprModulus(e, b, delta, mod) and
--- a/cpp/ql/test/library-tests/ir/points_to/points_to.expected
+++ b/cpp/ql/test/library-tests/ir/points_to/points_to.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/ir/points_to/points_to.ql
+++ b/cpp/ql/test/library-tests/ir/points_to/points_to.ql
@@ -21,12 +21,10 @@ module Raw {
    result = getOperandMemoryLocation(instr.getAnOperand())
  }

-  class RawPointsToTest extends InlineExpectationsTest {
-    RawPointsToTest() { this = "RawPointsToTest" }
+  module RawPointsToTest implements TestSig {
+    string getARelevantTag() { result = "raw" }

-    override string getARelevantTag() { result = "raw" }
-
-    override predicate hasActualResult(Location location, string element, string tag, string value) {
+    predicate hasActualResult(Location location, string element, string tag, string value) {
      exists(Instruction instr, MemoryLocation memLocation |
        memLocation = getAMemoryAccess(instr) and
        tag = "raw" and
@@ -49,12 +47,10 @@ module UnaliasedSsa {
    result = getOperandMemoryLocation(instr.getAnOperand())
  }

-  class UnaliasedSsaPointsToTest extends InlineExpectationsTest {
-    UnaliasedSsaPointsToTest() { this = "UnaliasedSSAPointsToTest" }
+  module UnaliasedSsaPointsToTest implements TestSig {
+    string getARelevantTag() { result = "ussa" }

-    override string getARelevantTag() { result = "ussa" }
-
-    override predicate hasActualResult(Location location, string element, string tag, string value) {
+    predicate hasActualResult(Location location, string element, string tag, string value) {
      exists(Instruction instr, MemoryLocation memLocation |
        memLocation = getAMemoryAccess(instr) and
        not memLocation.getVirtualVariable() instanceof AliasedVirtualVariable and
@@ -69,3 +65,5 @@ module UnaliasedSsa {
    }
  }
 }
+
+import MakeTest<MergeTests<Raw::RawPointsToTest, UnaliasedSsa::UnaliasedSsaPointsToTest>>
--- a/cpp/ql/test/library-tests/ir/range-analysis/Overflow.expected
+++ b/cpp/ql/test/library-tests/ir/range-analysis/Overflow.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/ir/range-analysis/Overflow.ql
+++ b/cpp/ql/test/library-tests/ir/range-analysis/Overflow.ql
@@ -2,12 +2,10 @@ import cpp
 import semmle.code.cpp.rangeanalysis.new.SimpleRangeAnalysis
 import TestUtilities.InlineExpectationsTest

-class RangeAnalysisTest extends InlineExpectationsTest {
-  RangeAnalysisTest() { this = "RangeAnalysisTest" }
+module RangeAnalysisTest implements TestSig {
+  string getARelevantTag() { result = "overflow" }

-  override string getARelevantTag() { result = "overflow" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(Expr e |
      tag = "overflow" and
      element = e.toString() and
@@ -21,3 +19,5 @@ class RangeAnalysisTest extends InlineExpectationsTest {
    )
  }
 }
+
+import MakeTest<RangeAnalysisTest>
--- a/cpp/ql/test/library-tests/ir/range-analysis/RangeAnalysis.expected
+++ b/cpp/ql/test/library-tests/ir/range-analysis/RangeAnalysis.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/ir/range-analysis/RangeAnalysis.ql
+++ b/cpp/ql/test/library-tests/ir/range-analysis/RangeAnalysis.ql
@@ -5,12 +5,10 @@ import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
 import semmle.code.cpp.ir.IR as IR
 import TestUtilities.InlineExpectationsTest

-class RangeAnalysisTest extends InlineExpectationsTest {
-  RangeAnalysisTest() { this = "RangeAnalysisTest" }
+module RangeAnalysisTest implements TestSig {
+  string getARelevantTag() { result = "range" }

-  override string getARelevantTag() { result = "range" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(SemExpr e, IR::CallInstruction call |
      getSemanticExpr(call.getArgument(0)) = e and
      call.getStaticCallTarget().hasName("range") and
@@ -22,6 +20,8 @@ class RangeAnalysisTest extends InlineExpectationsTest {
  }
 }

+import MakeTest<RangeAnalysisTest>
+
 private string getDirectionString(boolean d) {
  result = "<=" and d = true
  or
--- a/cpp/ql/test/library-tests/ir/range-analysis/test.cpp
+++ b/cpp/ql/test/library-tests/ir/range-analysis/test.cpp
@@ -49,3 +49,24 @@
    return 0;
  }

+  void* f3_get(int n);
+
+  void f3() {
+    int n = 0;
+    while (f3_get(n)) n+=2;
+
+    for (int i = 0; i < n; i += 2) {
+      range(i); // $ range=>=0 SPURIOUS: range="<=call to f3_get-1" range="<=call to f3_get-2"
+    }
+  }
+
+int f4(int x) {
+  for (int i = 0; i <= 100; i++) {
+    range(i); // $ range=<=100 range=>=0
+    if(i == 100) {
+      range(i); // $ range===100
+    } else {
+      range(i); // $ range=<=99 range=>=0
+    }
+  }
+}
--- a/cpp/ql/test/library-tests/ir/sign-analysis/SignAnalysis.expected
+++ b/cpp/ql/test/library-tests/ir/sign-analysis/SignAnalysis.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/ir/sign-analysis/SignAnalysis.ql
+++ b/cpp/ql/test/library-tests/ir/sign-analysis/SignAnalysis.ql
@@ -11,12 +11,10 @@ import TestUtilities.InlineExpectationsTest
 module SignAnalysisInstantiated =
  SignAnalysis<FloatDelta, RangeUtil<FloatDelta, CppLangImplRelative>>;

-class SignAnalysisTest extends InlineExpectationsTest {
-  SignAnalysisTest() { this = "SignAnalysisTest" }
+module SignAnalysisTest implements TestSig {
+  string getARelevantTag() { result = "sign" }

-  override string getARelevantTag() { result = "sign" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(SemExpr e, IR::CallInstruction call |
      getSemanticExpr(call.getArgument(0)) = e and
      call.getStaticCallTarget().hasName("sign") and
@@ -28,6 +26,8 @@ class SignAnalysisTest extends InlineExpectationsTest {
  }
 }

+import MakeTest<SignAnalysisTest>
+
 private string getASignString(SemExpr e) {
  result = strictconcat(SignAnalysisInstantiated::semExprSign(e).toString(), "")
 }
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
@@ -2091,3 +2091,69 @@ ssa.cpp:
 #  417|     v417_5(void)             = ReturnVoid         : 
 #  417|     v417_6(void)             = AliasedUse         : m417_3
 #  417|     v417_7(void)             = ExitFunction       : 
+
+#  423| int noreturnTest(int)
+#  423|   Block 0
+#  423|     v423_1(void)       = EnterFunction          : 
+#  423|     m423_2(unknown)    = AliasedDefinition      : 
+#  423|     m423_3(unknown)    = InitializeNonLocal     : 
+#  423|     m423_4(unknown)    = Chi                    : total:m423_2, partial:m423_3
+#  423|     r423_5(glval<int>) = VariableAddress[x]     : 
+#  423|     m423_6(int)        = InitializeParameter[x] : &:r423_5
+#  424|     r424_1(glval<int>) = VariableAddress[x]     : 
+#  424|     r424_2(int)        = Load[x]                : &:r424_1, m423_6
+#  424|     r424_3(int)        = Constant[10]           : 
+#  424|     r424_4(bool)       = CompareLT              : r424_2, r424_3
+#  424|     v424_5(void)       = ConditionalBranch      : r424_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  425|   Block 1
+#  425|     r425_1(glval<int>) = VariableAddress[#return] : 
+#  425|     r425_2(glval<int>) = VariableAddress[x]       : 
+#  425|     r425_3(int)        = Load[x]                  : &:r425_2, m423_6
+#  425|     m425_4(int)        = Store[#return]           : &:r425_1, r425_3
+#  423|     r423_7(glval<int>) = VariableAddress[#return] : 
+#  423|     v423_8(void)       = ReturnValue              : &:r423_7, m425_4
+#  423|     v423_9(void)       = AliasedUse               : m423_3
+#  423|     v423_10(void)      = ExitFunction             : 
+
+#  427|   Block 2
+#  427|     r427_1(glval<unknown>) = FunctionAddress[noreturnFunc] : 
+#  427|     v427_2(void)           = Call[noreturnFunc]            : func:r427_1
+#  427|     m427_3(unknown)        = ^CallSideEffect               : ~m423_4
+#  427|     m427_4(unknown)        = Chi                           : total:m423_4, partial:m427_3
+#  423|     v423_11(void)          = Unreached                     : 
+
+#  431| int noreturnTest2(int)
+#  431|   Block 0
+#  431|     v431_1(void)       = EnterFunction          : 
+#  431|     m431_2(unknown)    = AliasedDefinition      : 
+#  431|     m431_3(unknown)    = InitializeNonLocal     : 
+#  431|     m431_4(unknown)    = Chi                    : total:m431_2, partial:m431_3
+#  431|     r431_5(glval<int>) = VariableAddress[x]     : 
+#  431|     m431_6(int)        = InitializeParameter[x] : &:r431_5
+#  432|     r432_1(glval<int>) = VariableAddress[x]     : 
+#  432|     r432_2(int)        = Load[x]                : &:r432_1, m431_6
+#  432|     r432_3(int)        = Constant[10]           : 
+#  432|     r432_4(bool)       = CompareLT              : r432_2, r432_3
+#  432|     v432_5(void)       = ConditionalBranch      : r432_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  433|   Block 1
+#  433|     r433_1(glval<unknown>) = FunctionAddress[noreturnFunc] : 
+#  433|     v433_2(void)           = Call[noreturnFunc]            : func:r433_1
+#  433|     m433_3(unknown)        = ^CallSideEffect               : ~m431_4
+#  433|     m433_4(unknown)        = Chi                           : total:m431_4, partial:m433_3
+#  431|     v431_7(void)           = Unreached                     : 
+
+#  435|   Block 2
+#  435|     r435_1(glval<int>) = VariableAddress[#return] : 
+#  435|     r435_2(glval<int>) = VariableAddress[x]       : 
+#  435|     r435_3(int)        = Load[x]                  : &:r435_2, m431_6
+#  435|     m435_4(int)        = Store[#return]           : &:r435_1, r435_3
+#  431|     r431_8(glval<int>) = VariableAddress[#return] : 
+#  431|     v431_9(void)       = ReturnValue              : &:r431_8, m435_4
+#  431|     v431_10(void)      = AliasedUse               : m431_3
+#  431|     v431_11(void)      = ExitFunction             : 
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
@@ -2080,3 +2080,69 @@ ssa.cpp:
 #  417|     v417_5(void)             = ReturnVoid         : 
 #  417|     v417_6(void)             = AliasedUse         : m417_3
 #  417|     v417_7(void)             = ExitFunction       : 
+
+#  423| int noreturnTest(int)
+#  423|   Block 0
+#  423|     v423_1(void)       = EnterFunction          : 
+#  423|     m423_2(unknown)    = AliasedDefinition      : 
+#  423|     m423_3(unknown)    = InitializeNonLocal     : 
+#  423|     m423_4(unknown)    = Chi                    : total:m423_2, partial:m423_3
+#  423|     r423_5(glval<int>) = VariableAddress[x]     : 
+#  423|     m423_6(int)        = InitializeParameter[x] : &:r423_5
+#  424|     r424_1(glval<int>) = VariableAddress[x]     : 
+#  424|     r424_2(int)        = Load[x]                : &:r424_1, m423_6
+#  424|     r424_3(int)        = Constant[10]           : 
+#  424|     r424_4(bool)       = CompareLT              : r424_2, r424_3
+#  424|     v424_5(void)       = ConditionalBranch      : r424_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  425|   Block 1
+#  425|     r425_1(glval<int>) = VariableAddress[#return] : 
+#  425|     r425_2(glval<int>) = VariableAddress[x]       : 
+#  425|     r425_3(int)        = Load[x]                  : &:r425_2, m423_6
+#  425|     m425_4(int)        = Store[#return]           : &:r425_1, r425_3
+#  423|     r423_7(glval<int>) = VariableAddress[#return] : 
+#  423|     v423_8(void)       = ReturnValue              : &:r423_7, m425_4
+#  423|     v423_9(void)       = AliasedUse               : m423_3
+#  423|     v423_10(void)      = ExitFunction             : 
+
+#  427|   Block 2
+#  427|     r427_1(glval<unknown>) = FunctionAddress[noreturnFunc] : 
+#  427|     v427_2(void)           = Call[noreturnFunc]            : func:r427_1
+#  427|     m427_3(unknown)        = ^CallSideEffect               : ~m423_4
+#  427|     m427_4(unknown)        = Chi                           : total:m423_4, partial:m427_3
+#  423|     v423_11(void)          = Unreached                     : 
+
+#  431| int noreturnTest2(int)
+#  431|   Block 0
+#  431|     v431_1(void)       = EnterFunction          : 
+#  431|     m431_2(unknown)    = AliasedDefinition      : 
+#  431|     m431_3(unknown)    = InitializeNonLocal     : 
+#  431|     m431_4(unknown)    = Chi                    : total:m431_2, partial:m431_3
+#  431|     r431_5(glval<int>) = VariableAddress[x]     : 
+#  431|     m431_6(int)        = InitializeParameter[x] : &:r431_5
+#  432|     r432_1(glval<int>) = VariableAddress[x]     : 
+#  432|     r432_2(int)        = Load[x]                : &:r432_1, m431_6
+#  432|     r432_3(int)        = Constant[10]           : 
+#  432|     r432_4(bool)       = CompareLT              : r432_2, r432_3
+#  432|     v432_5(void)       = ConditionalBranch      : r432_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  433|   Block 1
+#  433|     r433_1(glval<unknown>) = FunctionAddress[noreturnFunc] : 
+#  433|     v433_2(void)           = Call[noreturnFunc]            : func:r433_1
+#  433|     m433_3(unknown)        = ^CallSideEffect               : ~m431_4
+#  433|     m433_4(unknown)        = Chi                           : total:m431_4, partial:m433_3
+#  431|     v431_7(void)           = Unreached                     : 
+
+#  435|   Block 2
+#  435|     r435_1(glval<int>) = VariableAddress[#return] : 
+#  435|     r435_2(glval<int>) = VariableAddress[x]       : 
+#  435|     r435_3(int)        = Load[x]                  : &:r435_2, m431_6
+#  435|     m435_4(int)        = Store[#return]           : &:r435_1, r435_3
+#  431|     r431_8(glval<int>) = VariableAddress[#return] : 
+#  431|     v431_9(void)       = ReturnValue              : &:r431_8, m435_4
+#  431|     v431_10(void)      = AliasedUse               : m431_3
+#  431|     v431_11(void)      = ExitFunction             : 
--- a/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
+++ b/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
@@ -417,3 +417,20 @@ void vla(int n1, int n2, int n3, bool b1) {
 void nested_array_designators() {
  int x[1][2] = {[0][0] = 1234, [0][1] = 5678};
 }
+
+[[noreturn]] void noreturnFunc();
+
+int noreturnTest(int x) {
+    if (x < 10) {
+        return x;
+    } else {
+        noreturnFunc();
+    }
+}
+
+int noreturnTest2(int x) {
+    if (x < 10) {
+        noreturnFunc();
+    }
+    return x;
+}
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
@@ -1940,3 +1940,65 @@ ssa.cpp:
 #  417|     v417_4(void)             = ReturnVoid         : 
 #  417|     v417_5(void)             = AliasedUse         : ~m?
 #  417|     v417_6(void)             = ExitFunction       : 
+
+#  423| int noreturnTest(int)
+#  423|   Block 0
+#  423|     v423_1(void)       = EnterFunction          : 
+#  423|     mu423_2(unknown)   = AliasedDefinition      : 
+#  423|     mu423_3(unknown)   = InitializeNonLocal     : 
+#  423|     r423_4(glval<int>) = VariableAddress[x]     : 
+#  423|     m423_5(int)        = InitializeParameter[x] : &:r423_4
+#  424|     r424_1(glval<int>) = VariableAddress[x]     : 
+#  424|     r424_2(int)        = Load[x]                : &:r424_1, m423_5
+#  424|     r424_3(int)        = Constant[10]           : 
+#  424|     r424_4(bool)       = CompareLT              : r424_2, r424_3
+#  424|     v424_5(void)       = ConditionalBranch      : r424_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  425|   Block 1
+#  425|     r425_1(glval<int>) = VariableAddress[#return] : 
+#  425|     r425_2(glval<int>) = VariableAddress[x]       : 
+#  425|     r425_3(int)        = Load[x]                  : &:r425_2, m423_5
+#  425|     m425_4(int)        = Store[#return]           : &:r425_1, r425_3
+#  423|     r423_6(glval<int>) = VariableAddress[#return] : 
+#  423|     v423_7(void)       = ReturnValue              : &:r423_6, m425_4
+#  423|     v423_8(void)       = AliasedUse               : ~m?
+#  423|     v423_9(void)       = ExitFunction             : 
+
+#  427|   Block 2
+#  427|     r427_1(glval<unknown>) = FunctionAddress[noreturnFunc] : 
+#  427|     v427_2(void)           = Call[noreturnFunc]            : func:r427_1
+#  427|     mu427_3(unknown)       = ^CallSideEffect               : ~m?
+#  423|     v423_10(void)          = Unreached                     : 
+
+#  431| int noreturnTest2(int)
+#  431|   Block 0
+#  431|     v431_1(void)       = EnterFunction          : 
+#  431|     mu431_2(unknown)   = AliasedDefinition      : 
+#  431|     mu431_3(unknown)   = InitializeNonLocal     : 
+#  431|     r431_4(glval<int>) = VariableAddress[x]     : 
+#  431|     m431_5(int)        = InitializeParameter[x] : &:r431_4
+#  432|     r432_1(glval<int>) = VariableAddress[x]     : 
+#  432|     r432_2(int)        = Load[x]                : &:r432_1, m431_5
+#  432|     r432_3(int)        = Constant[10]           : 
+#  432|     r432_4(bool)       = CompareLT              : r432_2, r432_3
+#  432|     v432_5(void)       = ConditionalBranch      : r432_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  433|   Block 1
+#  433|     r433_1(glval<unknown>) = FunctionAddress[noreturnFunc] : 
+#  433|     v433_2(void)           = Call[noreturnFunc]            : func:r433_1
+#  433|     mu433_3(unknown)       = ^CallSideEffect               : ~m?
+#  431|     v431_6(void)           = Unreached                     : 
+
+#  435|   Block 2
+#  435|     r435_1(glval<int>) = VariableAddress[#return] : 
+#  435|     r435_2(glval<int>) = VariableAddress[x]       : 
+#  435|     r435_3(int)        = Load[x]                  : &:r435_2, m431_5
+#  435|     m435_4(int)        = Store[#return]           : &:r435_1, r435_3
+#  431|     r431_7(glval<int>) = VariableAddress[#return] : 
+#  431|     v431_8(void)       = ReturnValue              : &:r431_7, m435_4
+#  431|     v431_9(void)       = AliasedUse               : ~m?
+#  431|     v431_10(void)      = ExitFunction             : 
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
@@ -1940,3 +1940,65 @@ ssa.cpp:
 #  417|     v417_4(void)             = ReturnVoid         : 
 #  417|     v417_5(void)             = AliasedUse         : ~m?
 #  417|     v417_6(void)             = ExitFunction       : 
+
+#  423| int noreturnTest(int)
+#  423|   Block 0
+#  423|     v423_1(void)       = EnterFunction          : 
+#  423|     mu423_2(unknown)   = AliasedDefinition      : 
+#  423|     mu423_3(unknown)   = InitializeNonLocal     : 
+#  423|     r423_4(glval<int>) = VariableAddress[x]     : 
+#  423|     m423_5(int)        = InitializeParameter[x] : &:r423_4
+#  424|     r424_1(glval<int>) = VariableAddress[x]     : 
+#  424|     r424_2(int)        = Load[x]                : &:r424_1, m423_5
+#  424|     r424_3(int)        = Constant[10]           : 
+#  424|     r424_4(bool)       = CompareLT              : r424_2, r424_3
+#  424|     v424_5(void)       = ConditionalBranch      : r424_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  425|   Block 1
+#  425|     r425_1(glval<int>) = VariableAddress[#return] : 
+#  425|     r425_2(glval<int>) = VariableAddress[x]       : 
+#  425|     r425_3(int)        = Load[x]                  : &:r425_2, m423_5
+#  425|     m425_4(int)        = Store[#return]           : &:r425_1, r425_3
+#  423|     r423_6(glval<int>) = VariableAddress[#return] : 
+#  423|     v423_7(void)       = ReturnValue              : &:r423_6, m425_4
+#  423|     v423_8(void)       = AliasedUse               : ~m?
+#  423|     v423_9(void)       = ExitFunction             : 
+
+#  427|   Block 2
+#  427|     r427_1(glval<unknown>) = FunctionAddress[noreturnFunc] : 
+#  427|     v427_2(void)           = Call[noreturnFunc]            : func:r427_1
+#  427|     mu427_3(unknown)       = ^CallSideEffect               : ~m?
+#  423|     v423_10(void)          = Unreached                     : 
+
+#  431| int noreturnTest2(int)
+#  431|   Block 0
+#  431|     v431_1(void)       = EnterFunction          : 
+#  431|     mu431_2(unknown)   = AliasedDefinition      : 
+#  431|     mu431_3(unknown)   = InitializeNonLocal     : 
+#  431|     r431_4(glval<int>) = VariableAddress[x]     : 
+#  431|     m431_5(int)        = InitializeParameter[x] : &:r431_4
+#  432|     r432_1(glval<int>) = VariableAddress[x]     : 
+#  432|     r432_2(int)        = Load[x]                : &:r432_1, m431_5
+#  432|     r432_3(int)        = Constant[10]           : 
+#  432|     r432_4(bool)       = CompareLT              : r432_2, r432_3
+#  432|     v432_5(void)       = ConditionalBranch      : r432_4
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  433|   Block 1
+#  433|     r433_1(glval<unknown>) = FunctionAddress[noreturnFunc] : 
+#  433|     v433_2(void)           = Call[noreturnFunc]            : func:r433_1
+#  433|     mu433_3(unknown)       = ^CallSideEffect               : ~m?
+#  431|     v431_6(void)           = Unreached                     : 
+
+#  435|   Block 2
+#  435|     r435_1(glval<int>) = VariableAddress[#return] : 
+#  435|     r435_2(glval<int>) = VariableAddress[x]       : 
+#  435|     r435_3(int)        = Load[x]                  : &:r435_2, m431_5
+#  435|     m435_4(int)        = Store[#return]           : &:r435_1, r435_3
+#  431|     r431_7(glval<int>) = VariableAddress[#return] : 
+#  431|     v431_8(void)       = ReturnValue              : &:r431_7, m435_4
+#  431|     v431_9(void)       = AliasedUse               : ~m?
+#  431|     v431_10(void)      = ExitFunction             : 
--- a/cpp/ql/test/library-tests/ir/types/irtypes.expected
+++ b/cpp/ql/test/library-tests/ir/types/irtypes.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/cpp/ql/test/library-tests/ir/types/irtypes.ql
+++ b/cpp/ql/test/library-tests/ir/types/irtypes.ql
@@ -2,12 +2,10 @@ private import cpp
 private import semmle.code.cpp.ir.implementation.raw.IR
 import TestUtilities.InlineExpectationsTest

-class IRTypesTest extends InlineExpectationsTest {
-  IRTypesTest() { this = "IRTypesTest" }
+module IRTypesTest implements TestSig {
+  string getARelevantTag() { result = "irtype" }

-  override string getARelevantTag() { result = "irtype" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(IRUserVariable irVar |
      location = irVar.getLocation() and
      element = irVar.toString() and
@@ -16,3 +14,5 @@ class IRTypesTest extends InlineExpectationsTest {
    )
  }
 }
+
+import MakeTest<IRTypesTest>
--- a/cpp/ql/test/library-tests/locations/constants/locations.ql
+++ b/cpp/ql/test/library-tests/locations/constants/locations.ql
@@ -6,7 +6,7 @@ import cpp
 */

 class CStyleCastPlain extends CStyleCast {
-  override string toString() { result = "Conversion of " + getExpr().toString() }
+  override string toString() { result = "Conversion of " + this.getExpr().toString() }
 }

 from Expr e
--- a/cpp/ql/test/library-tests/loops/loops.ql
+++ b/cpp/ql/test/library-tests/loops/loops.ql
@@ -1,7 +1,7 @@
 import cpp

 class ExprStmt_ extends ExprStmt {
-  override string toString() { result = "ExprStmt: " + getExpr().toString() }
+  override string toString() { result = "ExprStmt: " + this.getExpr().toString() }
 }

 from Loop l, string s, Element e
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
@@ -97,3 +97,4 @@ viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
+identityLocalStep
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
@@ -4,7 +4,9 @@ uniqueType
 uniqueNodeLocation
 missingLocation
 uniqueNodeToString
+| cpp11.cpp:50:15:50:16 | (no string representation) | Node should have one toString but has 0. |
 missingToString
+| Nodes without toString: 1 |
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -51,3 +53,4 @@ uniqueParameterNodeAtPosition
 | ir.cpp:726:6:726:13 | TryCatch | 0 indirection | ir.cpp:740:24:740:24 | e indirection | Parameters with overlapping positions. |
 uniqueParameterNodePosition
 uniqueContentApprox
+identityLocalStep
--- a/cpp/ql/test/qlpack.yml
+++ b/cpp/ql/test/qlpack.yml
@@ -5,3 +5,4 @@ dependencies:
  codeql/cpp-queries: ${workspace}
 extractor: cpp
 tests: .
+warnOnImplicitThis: true
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
@@ -23,8 +23,6 @@ edges
 | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
 | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
 | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
-| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b |
-| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b |
 | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
 | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
 | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
@@ -61,7 +59,6 @@ nodes
 | test_free.cpp:239:14:239:15 | * ... | semmle.label | * ... |
 | test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
 | test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
-| test_free.cpp:241:10:241:10 | b | semmle.label | b |
 | test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
 | test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
 | test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
@@ -92,8 +89,6 @@ subpaths
 | test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
 | test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
 | test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
-| test_free.cpp:241:10:241:10 | b | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
-| test_free.cpp:241:10:241:10 | b | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:10:241:10 | b | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
 | test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
 | test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
 | test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
--- a/Bugs/Format/NonConstantFormat/NonConstantFormat.expected
+++ b/Bugs/Format/NonConstantFormat/NonConstantFormat.expected
@@ -3,6 +3,7 @@
 | nested.cpp:21:23:21:26 | fmt0 | The format string argument to snprintf should be constant to prevent security issues and other potential errors. |
 | nested.cpp:79:32:79:38 | call to get_fmt | The format string argument to diagnostic should be constant to prevent security issues and other potential errors. |
 | nested.cpp:87:18:87:20 | fmt | The format string argument to diagnostic should be constant to prevent security issues and other potential errors. |
+| test.cpp:51:10:51:21 | call to make_message | The format string argument to printf should be constant to prevent security issues and other potential errors. |
 | test.cpp:57:12:57:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
 | test.cpp:60:12:60:21 | call to const_wash | The format string argument to printf should be constant to prevent security issues and other potential errors. |
 | test.cpp:61:12:61:26 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
--- a/Bugs/Format/NonConstantFormat/test.cpp
+++ b/Bugs/Format/NonConstantFormat/test.cpp
@@ -48,7 +48,7 @@ int main(int argc, char **argv) {
  printf(choose_message(argc - 1), argc - 1); // GOOD
  printf(messages[1]); // GOOD
  printf(message); // GOOD
-  printf(make_message(argc - 1)); // BAD  [NOT DETECTED]
+  printf(make_message(argc - 1)); // BAD
  printf("Hello, World\n"); // GOOD
  printf(_("Hello, World\n")); // GOOD
  {
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected
@@ -1,29 +1,16 @@
 edges
 | tests.cpp:26:15:26:23 | badSource indirection | tests.cpp:51:12:51:20 | call to badSource indirection |
-| tests.cpp:26:32:26:35 | data indirection | tests.cpp:26:15:26:23 | badSource indirection |
-| tests.cpp:26:32:26:35 | data indirection | tests.cpp:38:25:38:36 | strncat output argument |
 | tests.cpp:33:34:33:39 | call to getenv indirection | tests.cpp:38:39:38:49 | environment indirection |
 | tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:26:15:26:23 | badSource indirection |
-| tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:26:15:26:23 | badSource indirection |
-| tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:51:22:51:25 | badSource output argument |
 | tests.cpp:38:39:38:49 | environment indirection | tests.cpp:38:25:38:36 | strncat output argument |
 | tests.cpp:51:12:51:20 | call to badSource indirection | tests.cpp:53:16:53:19 | data indirection |
-| tests.cpp:51:22:51:25 | badSource output argument | tests.cpp:51:22:51:25 | data indirection |
-| tests.cpp:51:22:51:25 | data indirection | tests.cpp:26:32:26:35 | data indirection |
-| tests.cpp:51:22:51:25 | data indirection | tests.cpp:51:12:51:20 | call to badSource indirection |
 nodes
 | tests.cpp:26:15:26:23 | badSource indirection | semmle.label | badSource indirection |
-| tests.cpp:26:15:26:23 | badSource indirection | semmle.label | badSource indirection |
-| tests.cpp:26:32:26:35 | data indirection | semmle.label | data indirection |
 | tests.cpp:33:34:33:39 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:38:25:38:36 | strncat output argument | semmle.label | strncat output argument |
-| tests.cpp:38:25:38:36 | strncat output argument | semmle.label | strncat output argument |
 | tests.cpp:38:39:38:49 | environment indirection | semmle.label | environment indirection |
 | tests.cpp:51:12:51:20 | call to badSource indirection | semmle.label | call to badSource indirection |
-| tests.cpp:51:22:51:25 | badSource output argument | semmle.label | badSource output argument |
-| tests.cpp:51:22:51:25 | data indirection | semmle.label | data indirection |
 | tests.cpp:53:16:53:19 | data indirection | semmle.label | data indirection |
 subpaths
-| tests.cpp:51:22:51:25 | data indirection | tests.cpp:26:32:26:35 | data indirection | tests.cpp:26:15:26:23 | badSource indirection | tests.cpp:51:12:51:20 | call to badSource indirection |
 #select
 | tests.cpp:53:16:53:19 | data | tests.cpp:33:34:33:39 | call to getenv indirection | tests.cpp:53:16:53:19 | data indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | tests.cpp:33:34:33:39 | call to getenv indirection | user input (an environment variable) | tests.cpp:38:25:38:36 | strncat output argument | strncat output argument |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
@@ -45,8 +45,6 @@ edges
 | test.cpp:186:47:186:54 | filename indirection | test.cpp:188:20:188:24 | flags indirection |
 | test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:11:188:17 | strncat output argument |
 | test.cpp:187:18:187:25 | filename indirection | test.cpp:187:11:187:15 | strncat output argument |
-| test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | strncat output argument |
-| test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | strncat output argument |
 | test.cpp:188:20:188:24 | flags indirection | test.cpp:188:11:188:17 | strncat output argument |
 | test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | filename indirection |
 | test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | command indirection |