Merge pull request #19172 from github/release-prep/2.21.0

Release preparation for version 2.21.0

.bazelrc

@@ -37,5 +37,6 @@ build --java_language_version=17
 build --tool_java_language_version=17
 build --tool_java_runtime_version=remotejdk_17
 build --java_runtime_version=remotejdk_17
+build --@rules_python//python/config_settings:python_version=3.12
 
 try-import %workspace%/local.bazelrc

.bazelrc.internal

@@ -8,3 +8,5 @@ common --registry=https://bcr.bazel.build
 # its implementation packages without providing any code itself.
 # We either can depend on internal implementation details, or turn of strict deps.
 common --@rules_dotnet//dotnet/settings:strict_deps=false
+
+build --@rules_python//python/config_settings:python_version=3.12

.devcontainer/Dockerfile.codespaces

@@ -0,0 +1,7 @@
+FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04
+
+USER root
+# Install needed packages according to https://codeql.github.com/docs/codeql-overview/system-requirements/
+# most come from the base image, but we need to install some additional ones
+RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y sudo man-db python3.12 npm unminimize
+RUN yes | unminimize

.devcontainer/devcontainer.json

@@ -1,5 +1,4 @@
 {
-  "image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
   "extensions": [
     "rust-lang.rust-analyzer",
     "bungcip.better-toml",
@@ -8,6 +7,10 @@
     "ms-vscode.test-adapter-converter",
     "slevesque.vscode-zipexplorer"
   ],
+  "build": {
+    // Path is relative to the devcontainer.json file.
+    "dockerfile": "Dockerfile.codespaces"
+  },
   "settings": {
     "files.watcherExclude": {
       "**/target/**": true

.github/codeql/codeql-config.yml

@@ -4,9 +4,13 @@ queries:
   - uses: security-and-quality
 
 paths-ignore:
+  - '/actions/ql/test'
   - '/cpp/'
   - '/java/'
   - '/python/'
   - '/javascript/ql/test'
+  - '/javascript/ql/integration-tests'
   - '/javascript/extractor/tests'
+  - '/javascript/extractor/parser-tests'
+  - '/javascript/ql/src/'
   - '/rust/ql'

.github/workflows/build-ripunzip.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-20.04, macos-13, windows-2019]
+        os: [ubuntu-22.04, macos-13, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

.github/workflows/codegen.yml

@@ -0,0 +1,34 @@
+name: Codegen
+
+on:
+  pull_request:
+    paths:
+      - "misc/bazel/**"
+      - "misc/codegen/**"
+      - "*.bazel*"
+      - .github/workflows/codegen.yml
+      - .pre-commit-config.yaml
+    branches:
+      - main
+      - rc/*
+      - codeql-cli-*
+
+permissions:
+  contents: read
+
+jobs:
+  codegen:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'misc/codegen/.python-version'
+      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
+        name: Check that python code is properly formatted
+        with:
+          extra_args: autopep8 --all-files
+      - name: Run codegen tests
+        shell: bash
+        run: |
+          bazel test //misc/codegen/...

.github/workflows/codeql-analysis.yml

@@ -18,6 +18,10 @@ on:
 
 jobs:
   CodeQL-Build:
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['actions', 'csharp']
 
     runs-on: ubuntu-latest
 
@@ -38,9 +42,8 @@ jobs:
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@main
-      # Override language selection by uncommenting this and choosing your languages
       with:
-        languages: csharp
+        languages: ${{ matrix.language }}
         config-file: ./.github/codeql/codeql-config.yml
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).

.github/workflows/go-tests-rtjo.yml

@@ -0,0 +1,22 @@
+name: "Go: Run RTJO Tests"
+on:
+  pull_request:
+    types:
+      - labeled
+
+permissions:
+  contents: read
+
+jobs:
+  test-linux:
+    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
+    name: RTJO Test Linux (Ubuntu)
+    runs-on: ubuntu-latest-xl
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Run tests
+        uses: ./go/actions/test
+        with:
+          run-code-checks: true
+          dynamic-join-order-mode: all

.github/workflows/ruby-qltest-rtjo.yml

@@ -0,0 +1,40 @@
+name: "Ruby: Run RTJO Language Tests"
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - labeled
+
+env:
+  CARGO_TERM_COLOR: always
+
+defaults:
+  run:
+    working-directory: ruby
+
+permissions:
+  contents: read
+
+jobs:
+  qltest-rtjo:
+    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
+    runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/fetch-codeql
+      - uses: ./ruby/actions/create-extractor-pack
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: ruby-qltest
+      - name: Run QL tests
+        run: |
+          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/swift.yml

@@ -18,45 +18,39 @@ on:
       - main
       - rc/*
       - codeql-cli-*
-  push:
-    paths:
-      - "swift/**"
-      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "shared/**"
-      - "*.bazel*"
-      - .github/workflows/swift.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-      - .pre-commit-config.yaml
-      - "!**/*.md"
-      - "!**/*.qhelp"
-    branches:
-      - main
-      - rc/*
-      - codeql-cli-*
 
 permissions:
   contents: read
 
+defaults:
+  run:
+    shell: bash
+    working-directory: swift
+
 jobs:
-  # not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
-  # without waiting for the macOS build
-  build-and-test-macos:
+  build-and-test:
     if: github.repository_owner == 'github'
-    runs-on: macos-13-xlarge
+    strategy:
+      matrix:
+        runner: [ubuntu-latest, macos-13-xlarge]
+      fail-fast: false
+    runs-on: ${{ matrix.runner }}
     steps:
       - uses: actions/checkout@v4
-      - uses: ./swift/actions/build-and-test
-  qltests-macos:
-    if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
-    needs: build-and-test-macos
-    runs-on: macos-13-xlarge
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./swift/actions/run-ql-tests
+      - name: Setup (Linux)
+        if: runner.os == 'Linux'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y uuid-dev zlib1g-dev
+      - name: Build Swift extractor
+        shell: bash
+        run: |
+          bazel run :install
+      - name: Run Swift tests
+        shell: bash
+        run: |
+          bazel test ... --test_tag_filters=-override --test_output=errors
   clang-format:
-    if : ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -65,18 +59,9 @@ jobs:
         with:
           extra_args: clang-format --all-files
   codegen:
-    if : ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'swift/.python-version'
-      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
-        name: Check that python code is properly formatted
-        with:
-          extra_args: autopep8 --all-files
       - uses: ./.github/actions/fetch-codeql
       - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         name: Check that QL generated code was checked in
@@ -84,22 +69,14 @@ jobs:
           extra_args: swift-codegen --all-files
       - name: Generate C++ files
         run: |
-          bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
+          bazel run codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
       - uses: actions/upload-artifact@v4
         with:
           name: swift-generated-cpp-files
           path: generated-cpp-files/**
-  database-upgrade-scripts:
-    if : ${{ github.event_name == 'pull_request' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/fetch-codeql
-      - uses: ./swift/actions/database-upgrade-scripts
   check-no-override:
-    if : github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - shell: bash
-        run: bazel test //swift/... --test_tag_filters=override --test_output=errors
+      - name: Check that no override is present in load.bzl
+        run: bazel test ... --test_tag_filters=override --test_output=errors

.pre-commit-config.yaml

@@ -72,7 +72,7 @@ repos:
 
       - id: rust-codegen
         name: Run Rust checked in code generation
-        files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
+        files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list|ast-generator/)
         language: system
         entry: bazel run //rust/codegen -- --quiet
         pass_filenames: false

.vscode/tasks.json

@@ -50,6 +50,11 @@
                 "${input:name}",
                 "${input:categoryQuery}"
             ],
+            "options": {
+                "env": {
+                    "EDITOR": "code -r",
+                }
+            },
             "presentation": {
                 "reveal": "never",
                 "close": true
@@ -67,6 +72,11 @@
                 "${input:name}",
                 "${input:categoryLibrary}"
             ],
+            "options": {
+                "env": {
+                    "EDITOR": "code -r"
+                }
+            },
             "presentation": {
                 "reveal": "never",
                 "close": true

MODULE.bazel

@@ -28,16 +28,16 @@ bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.57.1")
+bazel_dep(name = "rules_rust", version = "0.58.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 
 # Keep edition and version approximately in sync with internal repo.
 # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
-RUST_EDITION = "2021"
+RUST_EDITION = "2024"
 
-RUST_VERSION = "1.82.0"
+RUST_VERSION = "1.85.0"
 
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -71,57 +71,59 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor__anyhow-1.0.95",
-    "vendor__argfile-0.2.1",
-    "vendor__chrono-0.4.39",
-    "vendor__clap-4.5.26",
-    "vendor__dunce-1.0.5",
-    "vendor__either-1.13.0",
-    "vendor__encoding-0.2.33",
-    "vendor__figment-0.10.19",
-    "vendor__flate2-1.0.35",
-    "vendor__glob-0.3.2",
-    "vendor__globset-0.4.15",
-    "vendor__itertools-0.14.0",
-    "vendor__lazy_static-1.5.0",
-    "vendor__mustache-0.9.0",
-    "vendor__num-traits-0.2.19",
-    "vendor__num_cpus-1.16.0",
-    "vendor__proc-macro2-1.0.93",
-    "vendor__quote-1.0.38",
-    "vendor__ra_ap_base_db-0.0.258",
-    "vendor__ra_ap_cfg-0.0.258",
-    "vendor__ra_ap_hir-0.0.258",
-    "vendor__ra_ap_hir_def-0.0.258",
-    "vendor__ra_ap_hir_expand-0.0.258",
-    "vendor__ra_ap_ide_db-0.0.258",
-    "vendor__ra_ap_intern-0.0.258",
-    "vendor__ra_ap_load-cargo-0.0.258",
-    "vendor__ra_ap_parser-0.0.258",
-    "vendor__ra_ap_paths-0.0.258",
-    "vendor__ra_ap_project_model-0.0.258",
-    "vendor__ra_ap_span-0.0.258",
-    "vendor__ra_ap_stdx-0.0.258",
-    "vendor__ra_ap_syntax-0.0.258",
-    "vendor__ra_ap_vfs-0.0.258",
-    "vendor__rand-0.8.5",
-    "vendor__rayon-1.10.0",
-    "vendor__regex-1.11.1",
-    "vendor__serde-1.0.217",
-    "vendor__serde_json-1.0.135",
-    "vendor__serde_with-3.12.0",
-    "vendor__syn-2.0.96",
-    "vendor__toml-0.8.19",
-    "vendor__tracing-0.1.41",
-    "vendor__tracing-flame-0.2.0",
-    "vendor__tracing-subscriber-0.3.19",
-    "vendor__tree-sitter-0.24.6",
-    "vendor__tree-sitter-embedded-template-0.23.2",
-    "vendor__tree-sitter-json-0.24.8",
-    "vendor__tree-sitter-ql-0.23.1",
-    "vendor__tree-sitter-ruby-0.23.1",
-    "vendor__triomphe-0.1.14",
-    "vendor__ungrammar-1.16.1",
+    "vendor_ts__anyhow-1.0.97",
+    "vendor_ts__argfile-0.2.1",
+    "vendor_ts__chalk-ir-0.100.0",
+    "vendor_ts__chrono-0.4.40",
+    "vendor_ts__clap-4.5.32",
+    "vendor_ts__dunce-1.0.5",
+    "vendor_ts__either-1.15.0",
+    "vendor_ts__encoding-0.2.33",
+    "vendor_ts__figment-0.10.19",
+    "vendor_ts__flate2-1.1.0",
+    "vendor_ts__glob-0.3.2",
+    "vendor_ts__globset-0.4.15",
+    "vendor_ts__itertools-0.14.0",
+    "vendor_ts__lazy_static-1.5.0",
+    "vendor_ts__mustache-0.9.0",
+    "vendor_ts__num-traits-0.2.19",
+    "vendor_ts__num_cpus-1.16.0",
+    "vendor_ts__proc-macro2-1.0.94",
+    "vendor_ts__quote-1.0.40",
+    "vendor_ts__ra_ap_base_db-0.0.270",
+    "vendor_ts__ra_ap_cfg-0.0.270",
+    "vendor_ts__ra_ap_hir-0.0.270",
+    "vendor_ts__ra_ap_hir_def-0.0.270",
+    "vendor_ts__ra_ap_hir_expand-0.0.270",
+    "vendor_ts__ra_ap_hir_ty-0.0.270",
+    "vendor_ts__ra_ap_ide_db-0.0.270",
+    "vendor_ts__ra_ap_intern-0.0.270",
+    "vendor_ts__ra_ap_load-cargo-0.0.270",
+    "vendor_ts__ra_ap_parser-0.0.270",
+    "vendor_ts__ra_ap_paths-0.0.270",
+    "vendor_ts__ra_ap_project_model-0.0.270",
+    "vendor_ts__ra_ap_span-0.0.270",
+    "vendor_ts__ra_ap_stdx-0.0.270",
+    "vendor_ts__ra_ap_syntax-0.0.270",
+    "vendor_ts__ra_ap_vfs-0.0.270",
+    "vendor_ts__rand-0.9.0",
+    "vendor_ts__rayon-1.10.0",
+    "vendor_ts__regex-1.11.1",
+    "vendor_ts__serde-1.0.219",
+    "vendor_ts__serde_json-1.0.140",
+    "vendor_ts__serde_with-3.12.0",
+    "vendor_ts__syn-2.0.100",
+    "vendor_ts__toml-0.8.20",
+    "vendor_ts__tracing-0.1.41",
+    "vendor_ts__tracing-flame-0.2.0",
+    "vendor_ts__tracing-subscriber-0.3.19",
+    "vendor_ts__tree-sitter-0.24.6",
+    "vendor_ts__tree-sitter-embedded-template-0.23.2",
+    "vendor_ts__tree-sitter-json-0.24.8",
+    "vendor_ts__tree-sitter-ql-0.23.1",
+    "vendor_ts__tree-sitter-ruby-0.23.1",
+    "vendor_ts__triomphe-0.1.14",
+    "vendor_ts__ungrammar-1.16.1",
 )
 
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
@@ -153,7 +155,7 @@ use_repo(csharp_main_extension, "paket.main")
 pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
 pip.parse(
     hub_name = "codegen_deps",
-    python_version = "3.11",
+    python_version = "3.12",
     requirements_lock = "//misc/codegen:requirements_lock.txt",
 )
 use_repo(pip, "codegen_deps")

actions/extractor/BUILD.bazel

@@ -5,7 +5,8 @@ codeql_pkg_files(
     srcs = [
         "codeql-extractor.yml",
         "//:LICENSE",
-    ] + glob(["tools/**"]),
+    ],
+    exes = glob(["tools/**"]),
     strip_prefix = strip_prefix.from_pkg(),
     visibility = ["//actions:__pkg__"],
 )

actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml

@@ -0,0 +1,28 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: immutableActionsDataModel
+    data:
+      - ["actions/checkout"]
+      - ["actions/cache"]
+      - ["actions/setup-node"]
+      - ["actions/upload-artifact"]
+      - ["actions/setup-python"]
+      - ["actions/download-artifact"]
+      - ["actions/github-script"]
+      - ["actions/setup-java"]
+      - ["actions/setup-go"]
+      - ["actions/upload-pages-artifact"]
+      - ["actions/deploy-pages"]
+      - ["actions/setup-dotnet"]
+      - ["actions/stale"]
+      - ["actions/labeler"]
+      - ["actions/create-github-app-token"]
+      - ["actions/configure-pages"]
+      - ["github/codeql-action/analyze"]
+      - ["github/codeql-action/autobuild"]
+      - ["github/codeql-action/init"]
+      - ["github/codeql-action/resolve-environment"]
+      - ["github/codeql-action/start-proxy"]
+      - ["github/codeql-action/upload-sarif"]
+      - ["octokit/request-action"]

actions/ql/extensions/immutable-actions-list/qlpack.yml

@@ -0,0 +1,14 @@
+# Model pack containing the list of known immutable actions. The Immutable Actions feature is not
+# yet released, so this pack will only be used within GitHub. Once the feature is available to
+# customers, we will move the contents of this pack back into the standard library pack.
+name: codeql/immutable-actions-list
+version: 0.0.1-dev
+library: true
+warnOnImplicitThis: true
+extensionTargets:
+  # We expect to need this model pack even after GA of Actions analysis, so make it compatible with
+  # all future prereleases plus 1.x.x. We should be able to remove this back before we need to
+  # bump the major version to 2.
+  codeql/actions-all: ">=0.4.3 <2.0.0"
+dataExtensions:
+- ext/**/*.yml

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,18 @@
+## 0.4.6
+
+### Bug Fixes
+
+* The query `actions/code-injection/medium` now produces alerts for injection
+  vulnerabilities on `pull_request` events.
+
+## 0.4.5
+
+No user-facing changes.
+
+## 0.4.4
+
+No user-facing changes.
+
 ## 0.4.3
 
 ### New Features

actions/ql/lib/change-notes/released/0.4.4.md

@@ -0,0 +1,3 @@
+## 0.4.4
+
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.5.md

@@ -0,0 +1,3 @@
+## 0.4.5
+
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.6.md

@@ -0,0 +1,6 @@
+## 0.4.6
+
+### Bug Fixes
+
+* The query `actions/code-injection/medium` now produces alerts for injection
+  vulnerabilities on `pull_request` events.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.3
+lastReleaseVersion: 0.4.6

actions/ql/lib/ext/config/context_event_map.yml

@@ -30,6 +30,9 @@ extensions:
       - ["pull_request_review_comment", "github.event.review"] 
       - ["pull_request_review_comment", "github.head_ref"] 
       - ["pull_request_review_comment", "github.event.changes"] 
+      - ["pull_request", "github.event.pull_request"] 
+      - ["pull_request", "github.head_ref"] 
+      - ["pull_request", "github.event.changes"] 
       - ["pull_request_target", "github.event.pull_request"] 
       - ["pull_request_target", "github.head_ref"] 
       - ["pull_request_target", "github.event.changes"] 

actions/ql/lib/ext/config/externally_triggereable_events.yml

@@ -12,6 +12,7 @@ extensions:
       - ["pull_request_comment"]
       - ["pull_request_review"]
       - ["pull_request_review_comment"]
+      - ["pull_request"]
       - ["pull_request_target"]
       - ["workflow_run"] # depending on branch filter
       - ["workflow_call"] # depending on caller

actions/ql/lib/ext/config/immutable_actions.yml

@@ -2,21 +2,9 @@ extensions:
   - addsTo:
       pack: codeql/actions-all
       extensible: immutableActionsDataModel
-    data:
-      - ["actions/checkout"]
-      - ["actions/cache"]
-      - ["actions/setup-node"]
-      - ["actions/upload-artifact"]
-      - ["actions/setup-python"]
-      - ["actions/download-artifact"]
-      - ["actions/github-script"]
-      - ["actions/setup-java"]
-      - ["actions/setup-go"]
-      - ["actions/upload-pages-artifact"]
-      - ["actions/deploy-pages"]
-      - ["actions/setup-dotnet"]
-      - ["actions/stale"]
-      - ["actions/labeler"]
-      - ["actions/create-github-app-token"]
-      - ["actions/configure-pages"]
-      - ["octokit/request-action"]
+    # Since the Immutable Actions feature is not yet available to customers, we won't alert about
+    # any unversioned immutable action references for now. Within GitHub, we'll include the
+    # `codeql/immutable-actions-list` model pack, which will provide the necessary list of actions
+    # for internal use. Once the feature is available to customers, we'll move that list back into
+    # this file.
+    data: []

actions/ql/lib/ext/config/trusted_actions_owner.yml

@@ -5,4 +5,4 @@ extensions:
     data:      
       - ["actions"]
       - ["github"]
-      - ["advanced-security"]
+      - ["advanced-security"]

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.4-dev
+version: 0.4.6
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,25 @@
+## 0.5.3
+
+### Bug Fixes
+
+* Fixed typos in the query and alert titles for the queries
+  `actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
+  `actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
+
+## 0.5.2
+
+No user-facing changes.
+
+## 0.5.1
+
+### Bug Fixes
+
+* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
+  Immutable Actions feature is not yet available for customer use. The query has also been moved
+  to the experimental folder and will not be used in code scanning unless it is explicitly added
+  to a code scanning configuration. Once the Immutable Actions feature is available, the query will
+  be updated to report alerts again.
+
 ## 0.5.0
 
 ### Breaking Changes

actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql

@@ -1,5 +1,5 @@
 /**
- * @name PATH Enviroment Variable built from user-controlled sources
+ * @name PATH environment variable built from user-controlled sources
  * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
  * @problem.severity error

actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql

@@ -1,5 +1,5 @@
 /**
- * @name PATH Enviroment Variable built from user-controlled sources
+ * @name PATH environment variable built from user-controlled sources
  * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
  * @problem.severity error

actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql

@@ -1,5 +1,5 @@
 /**
- * @name Enviroment Variable built from user-controlled sources
+ * @name Environment variable built from user-controlled sources
  * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
  * @problem.severity error

actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql

@@ -1,5 +1,5 @@
 /**
- * @name Enviroment Variable built from user-controlled sources
+ * @name Environment variable built from user-controlled sources
  * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
  * @problem.severity error

actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md

@@ -43,7 +43,7 @@ jobs:
 The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`.
 
 ```yaml
-name: Insecure Workflow
+name: Secure Workflow
 
 on:
   workflow_run:

actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md

@@ -43,7 +43,7 @@ jobs:
 The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`.
 
 ```yaml
-name: Insecure Workflow
+name: Secure Workflow
 
 on:
   workflow_run:

actions/ql/src/change-notes/released/0.5.1.md

@@ -0,0 +1,9 @@
+## 0.5.1
+
+### Bug Fixes
+
+* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
+  Immutable Actions feature is not yet available for customer use. The query has also been moved
+  to the experimental folder and will not be used in code scanning unless it is explicitly added
+  to a code scanning configuration. Once the Immutable Actions feature is available, the query will
+  be updated to report alerts again.

actions/ql/src/change-notes/released/0.5.2.md

@@ -0,0 +1,3 @@
+## 0.5.2
+
+No user-facing changes.

actions/ql/src/change-notes/released/0.5.3.md

@@ -0,0 +1,7 @@
+## 0.5.3
+
+### Bug Fixes
+
+* Fixed typos in the query and alert titles for the queries
+  `actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
+  `actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.0
+lastReleaseVersion: 0.5.3

actions/ql/src/codeql-suites/actions-security-and-quality.qls

@@ -1,2 +1,4 @@
 - description: Security-and-quality queries for GitHub Actions
-- import: codeql-suites/actions-security-extended.qls
+- queries: .
+- apply: security-and-quality-selectors.yml
+  from: codeql/suite-helpers

actions/ql/src/codeql-suites/actions-security-experimental.qls

@@ -1,2 +1,4 @@
 - description: Extended and experimental security queries for GitHub Actions
-- import: codeql-suites/actions-code-scanning.qls
+- queries: .
+- apply: security-experimental-selectors.yml
+  from: codeql/suite-helpers

actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql

@@ -8,6 +8,7 @@
  * @tags security
  *       actions
  *       internal
+ *       experimental
  *       external/cwe/cwe-829
  */
 

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.5.1-dev
+version: 0.5.3
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
@@ -8,3 +8,4 @@ extractor: actions
 defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
   codeql/actions-all: ${workspace}
+  codeql/suite-helpers: ${workspace}

actions/ql/test/qlpack.yml

@@ -3,6 +3,10 @@ groups: [codeql, test]
 dependencies:
   codeql/actions-all: ${workspace}
   codeql/actions-queries: ${workspace}
+  # Use the `immutable-actions-list` model pack so that we have some actual data to test against.
+  # We can remove this dependency when we incorporate the data from that model pack back into the
+  # standard library pack.
+  codeql/immutable-actions-list: ${workspace}
 extractor: actions
 tests: .
 warnOnImplicitThis: true

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected

@@ -400,6 +400,7 @@ nodes
 | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body |
 | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
@@ -629,6 +630,7 @@ nodes
 | .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | semmle.label | Run Step: title3 [title] |
 | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
 | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | semmle.label | steps.title3.outputs.title |
+| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
 | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

@@ -400,6 +400,7 @@ nodes
 | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body |
 | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
@@ -629,6 +630,7 @@ nodes
 | .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | semmle.label | Run Step: title3 [title] |
 | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
 | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | semmle.label | steps.title3.outputs.title |
+| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
 | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
@@ -706,6 +708,7 @@ subpaths
 | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
 | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
 | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
+| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
 | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} |
 | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} |
 | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} |

actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref

@@ -1 +1 @@
-Security/CWE-829/UnversionedImmutableAction.ql
+experimental/Security/CWE-829/UnversionedImmutableAction.ql

codeql-workspace.yml

@@ -17,7 +17,7 @@ provide:
   - "misc/legacy-support/*/qlpack.yml"
   - "misc/suite-helpers/qlpack.yml"
   - ".github/codeql/extensions/**/codeql-pack.yml"
-
+  - "actions/ql/extensions/**/qlpack.yml"
 versionPolicies:
   default:
     requireChangeNotes: true

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,20 @@
+## 4.1.0
+
+### New Features
+
+* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.
+
+## 4.0.3
+
+No user-facing changes.
+
+## 4.0.2
+
+### Minor Analysis Improvements
+
+* Modified the `getBufferSize` predicate in `commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.
+* Fixed an issue where the `getBufferSize` predicate in `commons/Buffer.qll` was returning results for references inside `offsetof` expressions, which are not accesses to a buffer.
+
 ## 4.0.1
 
 No user-facing changes.

cpp/ql/lib/change-notes/released/4.0.2.md

@@ -0,0 +1,6 @@
+## 4.0.2
+
+### Minor Analysis Improvements
+
+* Modified the `getBufferSize` predicate in `commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.
+* Fixed an issue where the `getBufferSize` predicate in `commons/Buffer.qll` was returning results for references inside `offsetof` expressions, which are not accesses to a buffer.

cpp/ql/lib/change-notes/released/4.0.3.md

@@ -0,0 +1,3 @@
+## 4.0.3
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/4.1.0.md

@@ -0,0 +1,5 @@
+## 4.1.0
+
+### New Features
+
+* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.0.1
+lastReleaseVersion: 4.1.0

cpp/ql/lib/ext/CA2CAEX.model.yml

@@ -3,16 +3,16 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "_U_STRINGorID", True, "_U_STRINGorID", "(UINT)", "", "Argument[0]", "Argument[-1].Field[*m_lpstr]", "value", "manual"]
-      - ["", "_U_STRINGorID", True, "_U_STRINGorID", "(LPCTSTR)", "", "Argument[*0]", "Argument[-1].Field[*m_lpstr]", "value", "manual"]
-      - ["", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"]
-      - ["", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"]
-      - ["", "CA2AEX", True, "operator LPSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"]
-      - ["", "CA2AEX", True, "operator LPSTR", "", "", "Argument[-1].Field[m_szBuffer]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CA2CAEX", True, "CA2CAEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"]
-      - ["", "CA2CAEX", True, "operator LPCSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CA2WEX", True, "CA2WEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"]
-      - ["", "CA2WEX", True, "operator LPWSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CA2WEX", True, "CA2WEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"]
-      - ["", "CA2WEX", True, "operator LPWSTR", "", "", "Argument[-1].Field[m_szBuffer]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "_U_STRINGorID", True, "_U_STRINGorID", "(UINT)", "", "Argument[0]", "Argument[-1].Field[*m_lpstr]", "value", "manual"]
+      - ["ATL", "_U_STRINGorID", True, "_U_STRINGorID", "(LPCTSTR)", "", "Argument[*0]", "Argument[-1].Field[*m_lpstr]", "value", "manual"]
+      - ["ATL", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"]
+      - ["ATL", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"]
+      - ["ATL", "CA2AEX", True, "operator LPSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CA2AEX", True, "CA2AEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"]
+      - ["ATL", "CA2AEX", True, "operator LPSTR", "", "", "Argument[-1].Field[m_szBuffer]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CA2CAEX", True, "CA2CAEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"]
+      - ["ATL", "CA2CAEX", True, "operator LPCSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CA2WEX", True, "CA2WEX", "", "", "Argument[*0]", "Argument[-1].Field[*m_psz]", "value", "manual"]
+      - ["ATL", "CA2WEX", True, "operator LPWSTR", "", "", "Argument[-1].Field[*m_psz]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CA2WEX", True, "CA2WEX", "", "", "Argument[*0]", "Argument[-1].Field[m_szBuffer]", "value", "manual"]
+      - ["ATL", "CA2WEX", True, "operator LPWSTR", "", "", "Argument[-1].Field[m_szBuffer]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/ext/CAtlArray.model.yml

@@ -3,13 +3,13 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CAtlArray", True, "Add", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlArray", True, "Append", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlArray", True, "Copy", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlArray", True, "GetAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["", "CAtlArray", True, "GetData", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["", "CAtlArray", True, "InsertArrayAt", "", "", "Argument[*1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlArray", True, "InsertAt", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlArray", True, "SetAt", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlArray", True, "SetAtGrow", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlArray", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CAtlArray", True, "Add", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlArray", True, "Append", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlArray", True, "Copy", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlArray", True, "GetAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["ATL", "CAtlArray", True, "GetData", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["ATL", "CAtlArray", True, "InsertArrayAt", "", "", "Argument[*1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlArray", True, "InsertAt", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlArray", True, "SetAt", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlArray", True, "SetAtGrow", "", "", "Argument[@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlArray", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/ext/CAtlFile.model.yml

@@ -3,7 +3,7 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CAtlFile", True, "CAtlFile", "(CAtlFile &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CAtlFile", True, "CAtlFile", "(HANDLE)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CAtlFile", True, "Create", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CAtlFile", True, "Read", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
+      - ["ATL", "CAtlFile", True, "CAtlFile", "(CAtlFile &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CAtlFile", True, "CAtlFile", "(HANDLE)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CAtlFile", True, "Create", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CAtlFile", True, "Read", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]

cpp/ql/lib/ext/CAtlFileMappingBase.model.yml

@@ -3,12 +3,12 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CAtlFileMappingBase", True, "CAtlFileMappingBase", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CAtlFileMappingBase", True, "CopyFrom", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CAtlFileMappingBase", True, "GetData", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CAtlFileMappingBase", True, "GetHandle", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CAtlFileMappingBase", True, "MapFile", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CAtlFileMappingBase", True, "MapSharedMem", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CAtlFileMappingBase", True, "OpenMapping", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CAtlFileMappingBase", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CAtlFileMappingBase", True, "operator=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CAtlFileMappingBase", True, "CAtlFileMappingBase", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CAtlFileMappingBase", True, "CopyFrom", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CAtlFileMappingBase", True, "GetData", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CAtlFileMappingBase", True, "GetHandle", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CAtlFileMappingBase", True, "MapFile", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CAtlFileMappingBase", True, "MapSharedMem", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CAtlFileMappingBase", True, "OpenMapping", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CAtlFileMappingBase", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CAtlFileMappingBase", True, "operator=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/ext/CAtlList.model.yml

@@ -3,13 +3,13 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CAtlList", True, "AddHead", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlList", True, "AddHeadList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlList", True, "AddTail", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlList", True, "AddTailList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlList", True, "GetAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["", "CAtlList", True, "GetHead", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["", "CAtlList", True, "GetTail", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["", "CAtlList", True, "InsertAfter", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlList", True, "InsertBefore", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CAtlList", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlList", True, "AddHead", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlList", True, "AddHeadList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlList", True, "AddTail", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlList", True, "AddTailList", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlList", True, "GetAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["ATL", "CAtlList", True, "GetHead", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["ATL", "CAtlList", True, "GetTail", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["ATL", "CAtlList", True, "InsertAfter", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlList", True, "InsertBefore", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CAtlList", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]

cpp/ql/lib/ext/CAtlTemporaryFile.model.yml

@@ -3,6 +3,6 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CAtlTemporaryFile", True, "Create", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CAtlTemporaryFile", True, "Read", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
-      - ["", "CAtlTemporaryFile", True, "Write", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CAtlTemporaryFile", True, "Create", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CAtlTemporaryFile", True, "Read", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
+      - ["ATL", "CAtlTemporaryFile", True, "Write", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]

cpp/ql/lib/ext/CComBSTR.model.yml

@@ -3,31 +3,31 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CComBSTR", True, "CComBSTR", "(LPCSTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CComBSTR", True, "CComBSTR", "(LPCOLESTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CComBSTR", True, "CComBSTR", "(int,LPCSTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"]
-      - ["", "CComBSTR", True, "CComBSTR", "(int,LPCOLESTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"]
-      - ["", "CComBSTR", True, "CComBSTR", "(const CComBSTR &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CComBSTR", True, "CComBSTR", "(CComBSTR &&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CComBSTR", True, "Append", "(const CComBSTR &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CComBSTR", True, "Append", "(wchar_t)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CComBSTR", True, "Append", "(char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CComBSTR", True, "Append", "(LPCOLESTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CComBSTR", True, "Append", "(LPCSTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CComBSTR", True, "Append", "(LPCOLESTR,int)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CComBSTR", True, "AppendBytes", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CComBSTR", True, "AppendBSTR", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CComBSTR", True, "ArrayToBSTR", "", "", "Argument[*0].Field[*pvData]", "Argument[-1]", "value", "manual"]
-      - ["", "CComBSTR", True, "AssignBSTR", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CComBSTR", True, "Attach", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CComBSTR", True, "BSTRToArray", "", "", "Argument[-1]", "Argument[**0].Field[*pvData]", "value", "manual"]
-      - ["", "CComBSTR", True, "Copy", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CComBSTR", True, "CopyTo", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
-      - ["", "CComBSTR", True, "LoadString", "(HINSTANCE,UINT)", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CComBSTR", True, "LoadString", "(UINT)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CComBSTR", True, "ReadFromStream", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CComBSTR", True, "WriteToStream", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
-      - ["", "CComBSTR", True, "operator BSTR", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CComBSTR", True, "operator&", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CComBSTR", True, "operator+=", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CComBSTR", True, "operator+=", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "CComBSTR", "(LPCSTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "CComBSTR", "(LPCOLESTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "CComBSTR", "(int,LPCSTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "CComBSTR", "(int,LPCOLESTR)", "", "Argument[*1]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "CComBSTR", "(const CComBSTR &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "CComBSTR", "(CComBSTR &&)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "Append", "(const CComBSTR &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "Append", "(wchar_t)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "Append", "(char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "Append", "(LPCOLESTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "Append", "(LPCSTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "Append", "(LPCOLESTR,int)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "AppendBytes", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "AppendBSTR", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "ArrayToBSTR", "", "", "Argument[*0].Field[*pvData]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "AssignBSTR", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "Attach", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "BSTRToArray", "", "", "Argument[-1]", "Argument[**0].Field[*pvData]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "Copy", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "CopyTo", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "LoadString", "(HINSTANCE,UINT)", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "LoadString", "(UINT)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "ReadFromStream", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "WriteToStream", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "operator BSTR", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "operator&", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CComBSTR", True, "operator+=", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CComBSTR", True, "operator+=", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]

cpp/ql/lib/ext/CComSafeArray.model.yml

@@ -3,24 +3,24 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CComSafeArray", True, "CComSafeArray", "(const CComSafeArray &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CComSafeArray", True, "CComSafeArray", "(const SAFEARRAY &)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
-      - ["", "CComSafeArray", True, "CComSafeArray", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
-      - ["", "CComSafeArray", True, "Add", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
-      - ["", "CComSafeArray<T>", True, "Add", "(const T &,BOOL)", "", "Argument[*@0]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"]
-      - ["", "CComSafeArray", True, "Attach", "", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
-      - ["", "CComSafeArray", True, "CopyFrom", "", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
-      - ["", "CComSafeArray", True, "CopyTo", "", "", "Argument[-1].Field[*m_psa]", "Argument[*0]", "value", "manual"]
-      - ["", "CComSafeArray", True, "GetAt", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "ReturnValue[*@]", "value", "manual"]
-      - ["", "CComSafeArray", True, "GetLowerBound", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CComSafeArray", True, "GetSafeArrayPtr", "", "", "Argument[-1].Field[*m_psa]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CComSafeArray", True, "GetUpperBound", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CComSafeArray", True, "MultiDimGetAt", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "Argument[*@1]", "value", "manual"]
-      - ["", "CComSafeArray", True, "MultiDimSetAt", "", "", "Argument[*@1]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"]
-      - ["", "CComSafeArray", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"]
-      - ["", "CComSafeArray", True, "operator LPSAFEARRAY", "", "", "Argument[-1].Field[*m_psa]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CComSafeArray", True, "operator[]", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "ReturnValue[*@]", "value", "manual"]
-      - ["", "CComSafeArray", True, "operator=", "(const CComSafeArray &)", "", "Argument[*0].Field[*m_psa]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CComSafeArray", True, "operator=", "(const CComSafeArray &)", "", "Argument[*0].Field[*m_psa]", "Argument[-1].Field[*m_psa]", "value", "manual"]
-      - ["", "CComSafeArray", True, "operator=", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
-      - ["", "CComSafeArray", True, "operator=", "(const SAFEARRAY *)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "CComSafeArray", "(const CComSafeArray &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "CComSafeArray", "(const SAFEARRAY &)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "CComSafeArray", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "Add", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["ATL", "CComSafeArray<T>", True, "Add", "(const T &,BOOL)", "", "Argument[*@0]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "Attach", "", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "CopyFrom", "", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "CopyTo", "", "", "Argument[-1].Field[*m_psa]", "Argument[*0]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "GetAt", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "ReturnValue[*@]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "GetLowerBound", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CComSafeArray", True, "GetSafeArrayPtr", "", "", "Argument[-1].Field[*m_psa]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "GetUpperBound", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CComSafeArray", True, "MultiDimGetAt", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "Argument[*@1]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "MultiDimSetAt", "", "", "Argument[*@1]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Field[*m_psa].Field[*@pvData]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "operator LPSAFEARRAY", "", "", "Argument[-1].Field[*m_psa]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "operator[]", "", "", "Argument[-1].Field[*m_psa].Field[*@pvData]", "ReturnValue[*@]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "operator=", "(const CComSafeArray &)", "", "Argument[*0].Field[*m_psa]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "operator=", "(const CComSafeArray &)", "", "Argument[*0].Field[*m_psa]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "operator=", "(const SAFEARRAY *)", "", "Argument[*0]", "Argument[-1].Field[*m_psa]", "value", "manual"]
+      - ["ATL", "CComSafeArray", True, "operator=", "(const SAFEARRAY *)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/ext/CPathT.model.yml

@@ -3,21 +3,21 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CPathT", True, "CPathT", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CPathT", True, "AddExtension", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CPathT", True, "Append", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CPathT", True, "Combine", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CPathT", True, "Combine", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CPathT", True, "CommonPrefix", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
-      - ["", "CPathT", True, "CommonPrefix", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CPathT", True, "GetExtension", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CPathT", True, "RelativePathTo", "", "", "Argument[*0]", "ReturnValue[-1]", "taint", "manual"]
-      - ["", "CPathT", True, "RelativePathTo", "", "", "Argument[*2]", "ReturnValue[-1]", "taint", "manual"]
-      - ["", "CPathT", True, "RenameExtension", "", "", "Argument[*0]", "ReturnValue[-1]", "taint", "manual"]
+      - ["ATL", "CPathT", True, "CPathT", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CPathT", True, "AddExtension", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CPathT", True, "Append", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CPathT", True, "Combine", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CPathT", True, "Combine", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CPathT", True, "CommonPrefix", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CPathT", True, "CommonPrefix", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CPathT", True, "GetExtension", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CPathT", True, "RelativePathTo", "", "", "Argument[*0]", "ReturnValue[-1]", "taint", "manual"]
+      - ["ATL", "CPathT", True, "RelativePathTo", "", "", "Argument[*2]", "ReturnValue[-1]", "taint", "manual"]
+      - ["ATL", "CPathT", True, "RenameExtension", "", "", "Argument[*0]", "ReturnValue[-1]", "taint", "manual"]
       # Note: These don't work currently since we cannot use the template parameter in the name of the function
-      # - ["", "CPathT<T>", True, "operator const T &", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
-      # - ["", "CPathT<T>", True, "operator T &", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CPathT", True, "operator PCXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CPathT", True, "operator+=", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CPathT", True, "operator+=", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CPathT", True, "operator+=", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      # - ["ATL", "CPathT<T>", True, "operator const T &", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      # - ["ATL", "CPathT<T>", True, "operator T &", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CPathT", True, "operator PCXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CPathT", True, "operator+=", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CPathT", True, "operator+=", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CPathT", True, "operator+=", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]

cpp/ql/lib/ext/CRegKey.model.yml

@@ -3,18 +3,18 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CRegKey", True, "CRegKey", "(CRegKey &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CRegKey", True, "CRegKey", "(HKEY)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CRegKey", True, "Create", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CRegKey", True, "Attach", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CRegKey", True, "QueryBinaryValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
-      - ["", "CRegKey", True, "QueryDWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
-      - ["", "CRegKey", True, "QueryMultiStringValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
-      - ["", "CRegKey", True, "QueryQWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
-      - ["", "CRegKey", True, "QueryStringValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
-      - ["", "CRegKey", True, "QueryValue", "(LPCTSTR,DWORD *,void *,ULONG *)", "", "Argument[*0]", "Argument[*2]", "taint", "manual"]
-      - ["", "CRegKey", True, "QueryValue", "(DWORD &,LPCTSTR)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
-      - ["", "CRegKey", True, "QueryValue", "(LPTSTR,LPCTSTR,DWORD *)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
-      - ["", "CRegKey", True, "operator HKEY", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CRegKey", True, "operator=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CRegKey", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CRegKey", True, "CRegKey", "(CRegKey &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CRegKey", True, "CRegKey", "(HKEY)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "Create", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "Attach", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "QueryBinaryValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "QueryDWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "QueryMultiStringValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "QueryQWORDValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "QueryStringValue", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "QueryValue", "(LPCTSTR,DWORD *,void *,ULONG *)", "", "Argument[*0]", "Argument[*2]", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "QueryValue", "(DWORD &,LPCTSTR)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "QueryValue", "(LPTSTR,LPCTSTR,DWORD *)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "operator HKEY", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CRegKey", True, "operator=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CRegKey", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]

cpp/ql/lib/ext/CSimpleArray.model.yml

@@ -3,10 +3,10 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CSimpleArray", True, "CSimpleArray", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CSimpleArray", True, "Add", "", "", "Argument[*0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CSimpleArray", True, "GetData", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["", "CSimpleArray", True, "SetAtIndex", "", "", "Argument[*1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CSimpleArray", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["", "CSimpleArray", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CSimpleArray", True, "operator=", "", "", "Argument[*0].Element[@]", "ReturnValue[*].Element[@]", "value", "manual"]
+      - ["ATL", "CSimpleArray", True, "CSimpleArray", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CSimpleArray", True, "Add", "", "", "Argument[*0]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CSimpleArray", True, "GetData", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["ATL", "CSimpleArray", True, "SetAtIndex", "", "", "Argument[*1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CSimpleArray", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["ATL", "CSimpleArray", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CSimpleArray", True, "operator=", "", "", "Argument[*0].Element[@]", "ReturnValue[*].Element[@]", "value", "manual"]

cpp/ql/lib/ext/CSimpleMap.model.yml

@@ -3,11 +3,11 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CSimpleMap", True, "Add", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CSimpleMap", True, "GetValueAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["", "CSimpleMap", True, "Lookup", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["", "CSimpleMap", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CSimpleMap", True, "SetAtIndex", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CSimpleMap", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["", "CSimpleMap", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["", "CSimpleMap", True, "operator=", "", "", "Argument[*0].Element[@]", "ReturnValue[*].Element[@]", "value", "manual"]
+      - ["ATL", "CSimpleMap", True, "Add", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CSimpleMap", True, "GetValueAt", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["ATL", "CSimpleMap", True, "Lookup", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
+      - ["ATL", "CSimpleMap", True, "SetAt", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CSimpleMap", True, "SetAtIndex", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CSimpleMap", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
+      - ["ATL", "CSimpleMap", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+      - ["ATL", "CSimpleMap", True, "operator=", "", "", "Argument[*0].Element[@]", "ReturnValue[*].Element[@]", "value", "manual"]

cpp/ql/lib/ext/CSimpleStringT.model.yml

@@ -3,40 +3,40 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # TODO this model can be improved a lot once we have MapKey content # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CSimpleStringT", True, "CSimpleStringT", "(const XCHAR *,int,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CSimpleStringT", True, "CSimpleStringT", "(PCXSTR,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CSimpleStringT", True, "CSimpleStringT", "(const CSimpleStringT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CSimpleStringT", True, "Append", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "AppendChar", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "CopyChars", "(XCHAR *,const XCHAR *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "CopyChars", "(XCHAR *,size_t,const XCHAR *,int)", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "CopyCharsOverlapped", "(XCHAR *,const XCHAR *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "GetString", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CSimpleStringT", True, "LockBuffer", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CSimpleStringT", True, "SetAt", "", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "SetString", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CSimpleStringT", True, "operator PCXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CSimpleStringT", True, "operator[]", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(PCXSTR)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(PCXSTR)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(PCXSTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(const CStaticString &)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(const CStaticString &)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(const CStaticString &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(char)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(char)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(unsigned char)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(unsigned char)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(unsigned char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(wchar_t)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(wchar_t)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator+=", "(wchar_t)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CSimpleStringT", True, "operator=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CSimpleStringT", True, "GetAt", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CSimpleStringT", True, "GetBuffer", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CSimpleStringT", True, "GetBufferSetLength", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CSimpleStringT", True, "CSimpleStringT", "(const XCHAR *,int,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CSimpleStringT", True, "CSimpleStringT", "(PCXSTR,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CSimpleStringT", True, "CSimpleStringT", "(const CSimpleStringT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CSimpleStringT", True, "Append", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "AppendChar", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "CopyChars", "(XCHAR *,const XCHAR *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "CopyChars", "(XCHAR *,size_t,const XCHAR *,int)", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "CopyCharsOverlapped", "(XCHAR *,const XCHAR *,int)", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "GetString", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CSimpleStringT", True, "LockBuffer", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CSimpleStringT", True, "SetAt", "", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "SetString", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator PCXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator[]", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(PCXSTR)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(PCXSTR)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(PCXSTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(const CStaticString &)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(const CStaticString &)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(const CStaticString &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(char)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(char)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(unsigned char)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(unsigned char)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(unsigned char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(wchar_t)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(wchar_t)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator+=", "(wchar_t)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CSimpleStringT", True, "operator=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CSimpleStringT", True, "GetAt", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CSimpleStringT", True, "GetBuffer", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CSimpleStringT", True, "GetBufferSetLength", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/ext/CStrBufT.model.yml

@@ -3,6 +3,6 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data:
-      - ["", "CStrBufT", True, "CStrBufT", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStrBufT", True, "operator PCXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CStrBufT", True, "operator PXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CStrBufT", True, "CStrBufT", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStrBufT", True, "operator PCXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CStrBufT", True, "operator PXSTR", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/ext/CStringData.model.yml

@@ -3,4 +3,4 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data:
-      - ["", "CStringData", True, "data", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CStringData", True, "data", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/ext/CStringT.model.yml

@@ -3,116 +3,116 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # TODO this model can be improved a lot once we have MapKey content # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CStringT", True, "CStringT", "(const VARIANT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(const VARIANT &,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(const CStringT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(const CSimpleStringT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(const XCHAR *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(const YCHAR *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(LPCSTR,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(LPCWSTR,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(const unsigned char *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(char *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(unsigned char *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(wchar_t *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(const unsigned char *,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(char,int)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "CStringT", "(wchar_t,int)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "CStringT", "(const XCHAR *,int)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(const YCHAR *,int)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(const XCHAR *,int,AtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "CStringT", "(const YCHAR *,int,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "AllocSysString", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CStringT", True, "AppendFormat", "(PCXSTR,...)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "AppendFormat", "(PCXSTR,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "AppendFormat", "(PCXSTR,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "AppendFormat", "(UINT,...)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "AppendFormat", "(UINT,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "AppendFormat", "(UINT,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "Format", "(PCXSTR,...)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "Format", "(PCXSTR,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "Format", "(PCXSTR,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "Format", "(UINT,...)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "Format", "(UINT,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "Format", "(UINT,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "FormatMessage", "(PCXSTR,...)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "FormatMessage", "(PCXSTR,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "FormatMessage", "(PCXSTR,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "FormatMessage", "(UINT,...)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "FormatMessage", "(UINT,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "FormatMessage", "(UINT,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "FormatMessageV", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "FormatMessageV", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "FormatV", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "FormatV", "", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "Insert", "(int,PCXSTR)", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "Insert", "(int,XCHAR)", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "Left", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CStringT", True, "Right", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CStringT", True, "LoadString", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "LoadString", "", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "MakeLower", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CStringT", True, "MakeReverse", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CStringT", True, "MakeUpper", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CStringT", True, "Mid", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CStringT", True, "Replace", "(PCXSTR,PCXSTR)", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "Replace", "(XCHAR,XCHAR)", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
-      - ["", "CStringT", True, "SetSysString", "", "", "Argument[-1]", "ReturnValue", "value", "manual"]
-      - ["", "CStringT", True, "SetSysString", "", "", "Argument[-1]", "Argument[**0]", "value", "manual"]
-      - ["", "CStringT", True, "SpanExcluding", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CStringT", True, "SpanIncluding", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CStringT", True, "Tokenize", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["", "CStringT", True, "Trim", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CStringT", True, "TrimLeft", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CStringT", True, "TrimRight", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CStringT", True, "operator=", "(const CStringT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(const CStringT &)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(const CSimpleStringT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(const CSimpleStringT &)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(PCXSTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(PCXSTR)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(PCYSTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(PCYSTR)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(const unsigned char *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(const unsigned char *)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(XCHAR)", "", "Argument[0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(XCHAR)", "", "Argument[0]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(YCHAR)", "", "Argument[0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(YCHAR)", "", "Argument[0]", "ReturnValue[*]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(const VARIANT &)", "", "Argument[0]", "Argument[-1]", "value", "manual"]
-      - ["", "CStringT", True, "operator=", "(const VARIANT &)", "", "Argument[0]", "ReturnValue[*]", "value", "manual"]
-      - ["", "", True, "operator+", "(const CStringT &,const CStringT &)", "", "Argument[*0..1]", "ReturnValue", "taint", "manual"]
-      - ["", "", True, "operator+", "(const CStringT &,PCXSTR)", "", "Argument[*0..1]", "ReturnValue", "taint", "manual"]
-      - ["", "", True, "operator+", "(PCXSTR,const CStringT &)", "", "Argument[*0..1]", "ReturnValue", "taint", "manual"]
-      - ["", "", True, "operator+", "(char,const CStringT &)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["", "", True, "operator+", "(char,const CStringT &)", "", "Argument[*1]", "ReturnValue", "taint", "manual"]
-      - ["", "", True, "operator+", "(const CStringT &,char)", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
-      - ["", "", True, "operator+", "(const CStringT &,char)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
-      - ["", "", True, "operator+", "(const CStringT &,wchar_t)", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
-      - ["", "", True, "operator+", "(const CStringT &,wchar_t)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
-      - ["", "", True, "operator+", "(wchar_t, const CStringT &)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["", "", True, "operator+", "(wchar_t,const CStringT &)", "", "Argument[*1]", "ReturnValue", "taint", "manual"]
-      - ["", "", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(const CStaticString &)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(const CStaticString &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(const CStaticString &)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(PCXSTR)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(PCXSTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(PCXSTR)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(PCYSTR)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(PCYSTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(PCYSTR)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(char)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(char)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(unsigned char)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(unsigned char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(unsigned char)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(wchar_t)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(wchar_t)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(wchar_t)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(const VARIANT &)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(const VARIANT &)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
-      - ["", "", True, "operator+=", "(const VARIANT &)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const VARIANT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const VARIANT &,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const CStringT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const CSimpleStringT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const XCHAR *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const YCHAR *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(LPCSTR,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(LPCWSTR,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const unsigned char *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(char *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(unsigned char *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(wchar_t *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const unsigned char *,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(char,int)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(wchar_t,int)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const XCHAR *,int)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const YCHAR *,int)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const XCHAR *,int,AtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "CStringT", "(const YCHAR *,int,IAtlStringMgr *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "AllocSysString", "", "", "Argument[-1]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CStringT", True, "AppendFormat", "(PCXSTR,...)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "AppendFormat", "(PCXSTR,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "AppendFormat", "(PCXSTR,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "AppendFormat", "(UINT,...)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "AppendFormat", "(UINT,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "AppendFormat", "(UINT,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Format", "(PCXSTR,...)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Format", "(PCXSTR,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Format", "(PCXSTR,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Format", "(UINT,...)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Format", "(UINT,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Format", "(UINT,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "FormatMessage", "(PCXSTR,...)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "FormatMessage", "(PCXSTR,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "FormatMessage", "(PCXSTR,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "FormatMessage", "(UINT,...)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "FormatMessage", "(UINT,...)", "", "Argument[1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "FormatMessage", "(UINT,...)", "", "Argument[*1..8]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "FormatMessageV", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "FormatMessageV", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "FormatV", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "FormatV", "", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Insert", "(int,PCXSTR)", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Insert", "(int,XCHAR)", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Left", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Right", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CStringT", True, "LoadString", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "LoadString", "", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "MakeLower", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "MakeReverse", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "MakeUpper", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Mid", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Replace", "(PCXSTR,PCXSTR)", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Replace", "(XCHAR,XCHAR)", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "SetSysString", "", "", "Argument[-1]", "ReturnValue", "value", "manual"]
+      - ["ATL", "CStringT", True, "SetSysString", "", "", "Argument[-1]", "Argument[**0]", "value", "manual"]
+      - ["ATL", "CStringT", True, "SpanExcluding", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CStringT", True, "SpanIncluding", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Tokenize", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "CStringT", True, "Trim", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "TrimLeft", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "TrimRight", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(const CStringT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(const CStringT &)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(const CSimpleStringT &)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(const CSimpleStringT &)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(PCXSTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(PCXSTR)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(PCYSTR)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(PCYSTR)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(const unsigned char *)", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(const unsigned char *)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(XCHAR)", "", "Argument[0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(XCHAR)", "", "Argument[0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(YCHAR)", "", "Argument[0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(YCHAR)", "", "Argument[0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(const VARIANT &)", "", "Argument[0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CStringT", True, "operator=", "(const VARIANT &)", "", "Argument[0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "", True, "operator+", "(const CStringT &,const CStringT &)", "", "Argument[*0..1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "", True, "operator+", "(const CStringT &,PCXSTR)", "", "Argument[*0..1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "", True, "operator+", "(PCXSTR,const CStringT &)", "", "Argument[*0..1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "", True, "operator+", "(char,const CStringT &)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "", True, "operator+", "(char,const CStringT &)", "", "Argument[*1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "", True, "operator+", "(const CStringT &,char)", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "", True, "operator+", "(const CStringT &,char)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "", True, "operator+", "(const CStringT &,wchar_t)", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "", True, "operator+", "(const CStringT &,wchar_t)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "", True, "operator+", "(wchar_t, const CStringT &)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "", True, "operator+", "(wchar_t,const CStringT &)", "", "Argument[*1]", "ReturnValue", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(const CSimpleStringT &)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(const CStaticString &)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(const CStaticString &)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(const CStaticString &)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(PCXSTR)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(PCXSTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(PCXSTR)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(PCYSTR)", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(PCYSTR)", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(PCYSTR)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(char)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(char)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(unsigned char)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(unsigned char)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(unsigned char)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(wchar_t)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(wchar_t)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(wchar_t)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(const VARIANT &)", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(const VARIANT &)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "", True, "operator+=", "(const VARIANT &)", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]

cpp/ql/lib/ext/CUrl.model.yml

@@ -3,20 +3,20 @@ extensions:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # TODO this model can be improved a lot once we have MapKey content # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "CUrl", True, "CUrl", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CUrl", True, "CrackUrl", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CUrl", True, "CreateUrl", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
-      - ["", "CUrl", True, "GetExtraInfo", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CUrl", True, "GetHostName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CUrl", True, "GetPassword", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CUrl", True, "GetSchemeName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CUrl", True, "GetUrlPath", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CUrl", True, "GetUserName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
-      - ["", "CUrl", True, "SetExtraInfo", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CUrl", True, "SetHostName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CUrl", True, "SetPassword", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CUrl", True, "SetSchemeName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CUrl", True, "SetUrlPath", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CUrl", True, "SetUserName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
-      - ["", "CUrl", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
-      - ["", "CUrl", True, "operator=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
+      - ["ATL", "CUrl", True, "CUrl", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CUrl", True, "CrackUrl", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "CreateUrl", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "GetExtraInfo", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "GetHostName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "GetPassword", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "GetSchemeName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "GetUrlPath", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "GetUserName", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "SetExtraInfo", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "SetHostName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "SetPassword", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "SetSchemeName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "SetUrlPath", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "SetUserName", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["ATL", "CUrl", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["ATL", "CUrl", True, "operator=", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.0.2-dev
+version: 4.1.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -71,7 +71,7 @@ private int getSize(VariableAccess va) {
       result = t.getSize()
     )
     or
-    exists(Class c |
+    exists(Class c, int trueSize |
       // Otherwise, we find the "outermost" object and compute the size
       // as the difference between the size of the type of the "outermost
       // object" and the offset of the field relative to that type.
@@ -91,7 +91,9 @@ private int getSize(VariableAccess va) {
       // of `y` relative to the type `S2` (i.e., `4`). So the size of the
       // buffer is `12 - 4 = 8`.
       c = getRootType(va) and
-      result = c.getSize() - v.(Field).getOffsetInClass(c)
+      // we calculate the size based on the last field, to avoid including any padding after it
+      trueSize = max(Field f | | f.getOffsetInClass(c) + f.getUnspecifiedType().getSize()) and
+      result = trueSize - v.(Field).getOffsetInClass(c)
     )
   )
 }
@@ -105,9 +107,16 @@ private int getSize(VariableAccess va) {
 private int isSource(Expr bufferExpr, Element why) {
   exists(Variable bufferVar | bufferVar = bufferExpr.(VariableAccess).getTarget() |
     // buffer is a fixed size array
-    result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
+    exists(bufferVar.getUnspecifiedType().(ArrayType).getSize()) and
+    result =
+      unique(int size | // more generous than .getSize() itself, when the array is a class field or similar.
+        size = getSize(bufferExpr)
+      |
+        size
+      ) and
     why = bufferVar and
     not memberMayBeVarSize(_, bufferVar) and
+    not exists(BuiltInOperationBuiltInOffsetOf offsetof | offsetof.getAChild*() = bufferExpr) and
     // zero sized arrays are likely to have special usage, for example
     // behaving a bit like a 'union' overlapping other fields.
     not result = 0

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1318,7 +1318,7 @@ predicate nodeIsHidden(Node n) {
   or
   n instanceof InitialGlobalValue
   or
-  n instanceof SsaPhiInputNode
+  n instanceof SsaSynthNode
 }
 
 predicate neverSkipInPathGraph(Node n) {
@@ -1520,16 +1520,17 @@ private EdgeKind caseOrDefaultEdge() {
 private int countNumberOfBranchesUsingParameter(SwitchInstruction switch, ParameterNode p) {
   exists(Ssa::SourceVariable sv |
     parameterNodeHasSourceVariable(p, sv) and
-    // Count the number of cases that use the parameter. We do this by finding the phi node
-    // that merges the uses/defs of the parameter. There might be multiple such phi nodes, so
-    // we pick the one with the highest edge count.
+    // Count the number of cases that use the parameter.
     result =
-      max(SsaPhiNode phi |
-        switch.getSuccessor(caseOrDefaultEdge()).getBlock().dominanceFrontier() =
-          phi.getBasicBlock() and
-        phi.getSourceVariable() = sv
-      |
-        strictcount(phi.getAnInput())
+      strictcount(IRBlock caseblock |
+        exists(IRBlock useblock |
+          switch.getSuccessor(caseOrDefaultEdge()).getBlock() = caseblock and
+          caseblock.dominates(useblock)
+        |
+          exists(Ssa::UseImpl use | use.hasIndexInBlock(useblock, _, sv))
+          or
+          exists(Ssa::DefImpl def | def.hasIndexInBlock(useblock, _, sv))
+        )
       )
   )
 }
@@ -1631,9 +1632,7 @@ private Instruction getAnInstruction(Node n) {
   not n instanceof InstructionNode and
   result = n.asOperand().getUse()
   or
-  result = n.(SsaPhiNode).getPhiNode().getBasicBlock().getFirstInstruction()
-  or
-  result = n.(SsaPhiInputNode).getBasicBlock().getFirstInstruction()
+  result = n.(SsaSynthNode).getBasicBlock().getFirstInstruction()
   or
   n.(IndirectInstruction).hasInstructionAndIndirectionIndex(result, _)
   or
@@ -1765,14 +1764,14 @@ module IteratorFlow {
      * Note: Unlike `def.getAnUltimateDefinition()` this predicate also
      * traverses back through iterator increment and decrement operations.
      */
-    private Ssa::DefinitionExt getAnUltimateDefinition(Ssa::DefinitionExt def) {
+    private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) {
       result = def.getAnUltimateDefinition()
       or
       exists(IRBlock bb, int i, IteratorCrementCall crementCall, Ssa::SourceVariable sv |
         crementCall = def.getValue().asInstruction().(StoreInstruction).getSourceValue() and
         sv = def.getSourceVariable() and
         bb.getInstruction(i) = crementCall and
-        Ssa::ssaDefReachesReadExt(sv, result, bb, i)
+        Ssa::ssaDefReachesRead(sv, result, bb, i)
       )
     }
 
@@ -1800,13 +1799,13 @@ module IteratorFlow {
       GetsIteratorCall beginCall, Instruction writeToDeref
     ) {
       exists(
-        StoreInstruction beginStore, IRBlock bbStar, int iStar, Ssa::DefinitionExt def,
-        IteratorPointerDereferenceCall starCall, Ssa::DefinitionExt ultimate, Operand address
+        StoreInstruction beginStore, IRBlock bbStar, int iStar, Ssa::Definition def,
+        IteratorPointerDereferenceCall starCall, Ssa::Definition ultimate, Operand address
       |
         isIteratorWrite(writeToDeref, address) and
         operandForFullyConvertedCall(address, starCall) and
         bbStar.getInstruction(iStar) = starCall and
-        Ssa::ssaDefReachesReadExt(_, def, bbStar, iStar) and
+        Ssa::ssaDefReachesRead(_, def, bbStar, iStar) and
         ultimate = getAnUltimateDefinition*(def) and
         beginStore = ultimate.getValue().asInstruction() and
         operandForFullyConvertedCall(beginStore.getSourceValueOperand(), beginCall)
@@ -1835,45 +1834,15 @@ module IteratorFlow {
 
   private module IteratorSsa = SsaImpl::Make<Location, SsaInput>;
 
-  cached
-  private newtype TSsaDef =
-    TDef(IteratorSsa::DefinitionExt def) or
-    TPhi(PhiNode phi)
-
-  abstract private class SsaDef extends TSsaDef {
-    /** Gets a textual representation of this element. */
-    string toString() { none() }
-
-    /** Gets the underlying non-phi definition or use. */
-    IteratorSsa::DefinitionExt asDef() { none() }
-
-    /** Gets the underlying phi node. */
-    PhiNode asPhi() { none() }
-
-    /** Gets the location of this element. */
-    abstract Location getLocation();
-  }
-
-  private class Def extends TDef, SsaDef {
-    IteratorSsa::DefinitionExt def;
-
-    Def() { this = TDef(def) }
-
-    final override IteratorSsa::DefinitionExt asDef() { result = def }
-
+  private class Def extends IteratorSsa::DefinitionExt {
     final override Location getLocation() { result = this.getImpl().getLocation() }
 
-    /** Gets the variable written to by this definition. */
-    final SourceVariable getSourceVariable() { result = def.getSourceVariable() }
-
-    override string toString() { result = def.toString() }
-
     /**
      * Holds if this definition (or use) has index `index` in block `block`,
      * and is a definition (or use) of the variable `sv`.
      */
     predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
-      def.definesAt(sv, block, index, _)
+      super.definesAt(sv, block, index, _)
     }
 
     private Ssa::DefImpl getImpl() {
@@ -1890,20 +1859,6 @@ module IteratorFlow {
     int getIndirectionIndex() { result = this.getImpl().getIndirectionIndex() }
   }
 
-  private class Phi extends TPhi, SsaDef {
-    PhiNode phi;
-
-    Phi() { this = TPhi(phi) }
-
-    final override PhiNode asPhi() { result = phi }
-
-    final override Location getLocation() { result = phi.getBasicBlock().getLocation() }
-
-    override string toString() { result = phi.toString() }
-
-    SsaIteratorNode getNode() { result.getIteratorFlowNode() = phi }
-  }
-
   private class PhiNode extends IteratorSsa::DefinitionExt {
     PhiNode() {
       this instanceof IteratorSsa::PhiNode or

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -27,7 +27,7 @@ import ExprNodes
  * - `VariableNode`, which is used to model flow through global variables.
  * - `PostUpdateNodeImpl`, which is used to model the state of an object after
  *    an update after a number of loads.
- * - `SsaPhiNode`, which represents phi nodes as computed by the shared SSA
+ * - `SsaSynthNode`, which represents synthesized nodes as computed by the shared SSA
  *    library.
  * - `RawIndirectOperand`, which represents the value of `operand` after
  *    loading the address a number of times.
@@ -47,8 +47,7 @@ private newtype TIRDataFlowNode =
     or
     Ssa::isModifiableByCall(operand, indirectionIndex)
   } or
-  TSsaPhiInputNode(Ssa::PhiNode phi, IRBlock input) { phi.hasInputFromBlock(_, _, _, _, input) } or
-  TSsaPhiNode(Ssa::PhiNode phi) or
+  TSsaSynthNode(Ssa::SynthNode n) or
   TSsaIteratorNode(IteratorFlow::IteratorFlowNode n) or
   TRawIndirectOperand0(Node0Impl node, int indirectionIndex) {
     Ssa::hasRawIndirectOperand(node.asOperand(), indirectionIndex)
@@ -184,10 +183,11 @@ class Node extends TIRDataFlowNode {
     or
     this.asOperand().getUse() = block.getInstruction(i)
     or
-    this.(SsaPhiNode).getPhiNode().getBasicBlock() = block and i = -1
-    or
-    this.(SsaPhiInputNode).getBlock() = block and
-    i = block.getInstructionCount()
+    exists(Ssa::SynthNode ssaNode |
+      this.(SsaSynthNode).getSynthNode() = ssaNode and
+      ssaNode.getBasicBlock() = block and
+      ssaNode.getIndex() = i
+    )
     or
     this.(RawIndirectOperand).getOperand().getUse() = block.getInstruction(i)
     or
@@ -313,13 +313,79 @@ class Node extends TIRDataFlowNode {
    * `n.asExpr() instanceof IncrementOperation` since the result of evaluating
    * the expression `x++` is passed to `sink`.
    */
-  Expr asDefinition() {
-    exists(StoreInstruction store |
+  Expr asDefinition() { result = this.asDefinition(_) }
+
+  /**
+   * Gets the definition associated with this node, if any.
+   *
+   * For example, consider the following example
+   * ```cpp
+   * int x = 42;     // 1
+   * x = 34;         // 2
+   * ++x;            // 3
+   * x++;            // 4
+   * x += 1;         // 5
+   * int y = x += 2; // 6
+   * ```
+   * - For (1) the result is `42`.
+   * - For (2) the result is `x = 34`.
+   * - For (3) the result is `++x`.
+   * - For (4) the result is `x++`.
+   * - For (5) the result is `x += 1`.
+   * - For (6) there are two results:
+   *   - For the definition generated by `x += 2` the result is `x += 2`
+   *   - For the definition generated by `int y = ...` the result is
+   *     also `x += 2`.
+   *
+   * For assignments, `node.asDefinition(_)` and `node.asExpr()` will both exist
+   * for the same dataflow node. However, for expression such as `x++` that
+   * both write to `x` and read the current value of `x`, `node.asDefinition(_)`
+   * will give the node corresponding to the value after the increment, and
+   * `node.asExpr()` will give the node corresponding to the value before the
+   * increment. For an example of this, consider the following:
+   *
+   * ```cpp
+   * sink(x++);
+   * ```
+   * in the above program, there will not be flow from a node `n` such that
+   * `n.asDefinition(_) instanceof IncrementOperation` to the argument of `sink`
+   * since the value passed to `sink` is the value before to the increment.
+   * However, there will be dataflow from a node `n` such that
+   * `n.asExpr() instanceof IncrementOperation` since the result of evaluating
+   * the expression `x++` is passed to `sink`.
+   *
+   * If `uncertain = false` then the definition is guaranteed to overwrite
+   * the entire buffer pointed to by the destination address of the definition.
+   * Otherwise, `uncertain = true`.
+   *
+   * For example, the write `int x; x = 42;` is guaranteed to overwrite all the
+   * bytes allocated to `x`, while the assignment `int p[10]; p[3] = 42;` has
+   * `uncertain = true` since the write will not overwrite the entire buffer
+   * pointed to by `p`.
+   */
+  Expr asDefinition(boolean uncertain) {
+    exists(StoreInstruction store, Ssa::Definition def |
       store = this.asInstruction() and
-      result = asDefinitionImpl(store)
+      result = asDefinitionImpl(store) and
+      Ssa::defToNode(this, def, _) and
+      if def.isCertain() then uncertain = false else uncertain = true
     )
   }
 
+  /**
+   * Gets the definition associated with this node, if this node is a certain definition.
+   *
+   * See `Node.asDefinition/1` for a description of certain and uncertain definitions.
+   */
+  Expr asCertainDefinition() { result = this.asDefinition(false) }
+
+  /**
+   * Gets the definition associated with this node, if this node is an uncertain definition.
+   *
+   * See `Node.asDefinition/1` for a description of certain and uncertain definitions.
+   */
+  Expr asUncertainDefinition() { result = this.asDefinition(true) }
+
   /**
    * Gets the indirect definition at a given indirection corresponding to this
    * node, if any.
@@ -620,117 +686,30 @@ class PostFieldUpdateNode extends PostUpdateNodeImpl {
 /**
  * INTERNAL: do not use.
  *
- * A phi node produced by the shared SSA library, viewed as a node in a data flow graph.
+ * A synthesized SSA node produced by the shared SSA library, viewed as a node
+ * in a data flow graph.
  */
-class SsaPhiNode extends Node, TSsaPhiNode {
-  Ssa::PhiNode phi;
+class SsaSynthNode extends Node, TSsaSynthNode {
+  Ssa::SynthNode node;
 
-  SsaPhiNode() { this = TSsaPhiNode(phi) }
+  SsaSynthNode() { this = TSsaSynthNode(node) }
 
-  /** Gets the phi node associated with this node. */
-  Ssa::PhiNode getPhiNode() { result = phi }
+  /** Gets the synthesized SSA node associated with this node. */
+  Ssa::SynthNode getSynthNode() { result = node }
 
   override DataFlowCallable getEnclosingCallable() {
     result.asSourceCallable() = this.getFunction()
   }
 
-  override Declaration getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
+  override Declaration getFunction() { result = node.getBasicBlock().getEnclosingFunction() }
 
-  override DataFlowType getType() {
-    exists(Ssa::SourceVariable sv |
-      this.getPhiNode().definesAt(sv, _, _, _) and
-      result = sv.getType()
-    )
-  }
+  override DataFlowType getType() { result = node.getSourceVariable().getType() }
 
-  override predicate isGLValue() { phi.getSourceVariable().isGLValue() }
+  override predicate isGLValue() { node.getSourceVariable().isGLValue() }
 
-  final override Location getLocationImpl() { result = phi.getBasicBlock().getLocation() }
+  final override Location getLocationImpl() { result = node.getLocation() }
 
-  override string toStringImpl() { result = phi.toString() }
-
-  /**
-   * Gets a node that is used as input to this phi node.
-   * `fromBackEdge` is true if data flows along a back-edge,
-   * and `false` otherwise.
-   */
-  cached
-  final Node getAnInput(boolean fromBackEdge) {
-    result.(SsaPhiInputNode).getPhiNode() = phi and
-    exists(IRBlock bPhi, IRBlock bResult |
-      bPhi = phi.getBasicBlock() and bResult = result.getBasicBlock()
-    |
-      if bPhi.dominates(bResult) then fromBackEdge = true else fromBackEdge = false
-    )
-  }
-
-  /** Gets a node that is used as input to this phi node. */
-  final Node getAnInput() { result = this.getAnInput(_) }
-
-  /** Gets the source variable underlying this phi node. */
-  Ssa::SourceVariable getSourceVariable() { result = phi.getSourceVariable() }
-
-  /**
-   * Holds if this phi node is a phi-read node.
-   *
-   * Phi-read nodes are like normal phi nodes, but they are inserted based
-   * on reads instead of writes.
-   */
-  predicate isPhiRead() { phi.isPhiRead() }
-}
-
-/**
- * INTERNAL: Do not use.
- *
- * A node that is used as an input to a phi node.
- *
- * This class exists to allow more powerful barrier guards. Consider this
- * example:
- *
- * ```cpp
- * int x = source();
- * if(!safe(x)) {
- *   x = clear();
- * }
- * // phi node for x here
- * sink(x);
- * ```
- *
- * At the phi node for `x` it is neither the case that `x` is dominated by
- * `safe(x)`, or is the case that the phi is dominated by a clearing of `x`.
- *
- * By inserting a "phi input" node as the last entry in the basic block that
- * defines the inputs to the phi we can conclude that each of those inputs are
- * safe to pass to `sink`.
- */
-class SsaPhiInputNode extends Node, TSsaPhiInputNode {
-  Ssa::PhiNode phi;
-  IRBlock block;
-
-  SsaPhiInputNode() { this = TSsaPhiInputNode(phi, block) }
-
-  /** Gets the phi node associated with this node. */
-  Ssa::PhiNode getPhiNode() { result = phi }
-
-  /** Gets the basic block in which this input originates. */
-  IRBlock getBlock() { result = block }
-
-  override DataFlowCallable getEnclosingCallable() {
-    result.asSourceCallable() = this.getFunction()
-  }
-
-  override Declaration getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
-
-  override DataFlowType getType() { result = this.getSourceVariable().getType() }
-
-  override predicate isGLValue() { phi.getSourceVariable().isGLValue() }
-
-  final override Location getLocationImpl() { result = block.getLastInstruction().getLocation() }
-
-  override string toStringImpl() { result = "Phi input" }
-
-  /** Gets the source variable underlying this phi node. */
-  Ssa::SourceVariable getSourceVariable() { result = phi.getSourceVariable() }
+  override string toStringImpl() { result = node.toString() }
 }
 
 /**
@@ -1305,10 +1284,10 @@ class UninitializedNode extends Node {
   LocalVariable v;
 
   UninitializedNode() {
-    exists(Ssa::DefinitionExt def, Ssa::SourceVariable sv |
+    exists(Ssa::Definition def, Ssa::SourceVariable sv |
       def.getIndirectionIndex() = 0 and
       def.getValue().asInstruction() instanceof UninitializedInstruction and
-      Ssa::defToNode(this, def, sv, _, _, _) and
+      Ssa::defToNode(this, def, sv) and
       v = sv.getBaseVariable().(Ssa::BaseIRVariable).getIRVariable().getAst()
     )
   }
@@ -1733,6 +1712,21 @@ predicate hasInstructionAndIndex(
 
 cached
 private module Cached {
+  /**
+   * Holds if `n` has a local flow step that goes through a back-edge.
+   */
+  cached
+  predicate flowsToBackEdge(Node n) {
+    exists(Node succ, IRBlock bb1, IRBlock bb2 |
+      Ssa::ssaFlow(n, succ) and
+      bb1 = n.getBasicBlock() and
+      bb2 = succ.getBasicBlock() and
+      bb1 != bb2 and
+      bb2.dominates(bb1) and
+      bb1.getASuccessor+() = bb2
+    )
+  }
+
   /**
    * Holds if data flows from `nodeFrom` to `nodeTo` in exactly one local
    * (intra-procedural) step. This relation is only used for local dataflow
@@ -1821,15 +1815,9 @@ private module Cached {
   cached
   predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
     (
-      // Post update node -> Node flow
-      Ssa::postUpdateFlow(nodeFrom, nodeTo)
-      or
       // Def-use/Use-use flow
       Ssa::ssaFlow(nodeFrom, nodeTo)
       or
-      // Phi input -> Phi
-      nodeFrom.(SsaPhiInputNode).getPhiNode() = nodeTo.(SsaPhiNode).getPhiNode()
-      or
       IteratorFlow::localFlowStep(nodeFrom, nodeTo)
       or
       // Operand -> Instruction flow
@@ -1844,9 +1832,6 @@ private module Cached {
         not iFrom = Ssa::getIRRepresentationOfOperand(opTo)
       )
       or
-      // Phi node -> Node flow
-      Ssa::fromPhiNode(nodeFrom, nodeTo)
-      or
       // Indirect operand -> (indirect) instruction flow
       indirectionOperandFlow(nodeFrom, nodeTo)
       or
@@ -2290,22 +2275,6 @@ class ContentSet instanceof Content {
   }
 }
 
-pragma[nomagic]
-private predicate guardControlsPhiInput(
-  IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi
-) {
-  phi.hasInputFromBlock(def, _, _, _, input) and
-  (
-    g.controls(input, branch)
-    or
-    exists(EdgeKind kind |
-      g.getBlock() = input and
-      kind = getConditionalEdge(branch) and
-      input.getSuccessor(kind) = phi.getBasicBlock()
-    )
-  )
-}
-
 /**
  * Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
  *
@@ -2337,6 +2306,10 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
     )
   }
 
+  private predicate guardChecksNode(IRGuardCondition g, Node n, boolean branch) {
+    guardChecks(g, n.asOperand().getDef().getConvertedResultExpression(), branch)
+  }
+
   /**
    * Gets an expression node that is safely guarded by the given guard check.
    *
@@ -2377,14 +2350,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
       controls(g, result, edge)
     )
     or
-    exists(
-      IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi
-    |
-      guardChecks(g, def.getARead().asOperand().getDef().getConvertedResultExpression(), branch) and
-      guardControlsPhiInput(g, branch, def, pragma[only_bind_into](input),
-        pragma[only_bind_into](phi)) and
-      result = TSsaPhiInputNode(phi, input)
-    )
+    result = Ssa::BarrierGuard<guardChecksNode/3>::getABarrierNode()
   }
 
   /**
@@ -2433,6 +2399,13 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
     )
   }
 
+  private predicate guardChecksIndirectNode(
+    IRGuardCondition g, Node n, boolean branch, int indirectionIndex
+  ) {
+    guardChecks(g, n.asIndirectOperand(indirectionIndex).getDef().getConvertedResultExpression(),
+      branch)
+  }
+
   /**
    * Gets an indirect expression node with indirection index `indirectionIndex` that is
    * safely guarded by the given guard check.
@@ -2475,16 +2448,8 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
       controls(g, result, edge)
     )
     or
-    exists(
-      IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi
-    |
-      guardChecks(g,
-        def.getARead().asIndirectOperand(indirectionIndex).getDef().getConvertedResultExpression(),
-        branch) and
-      guardControlsPhiInput(g, branch, def, pragma[only_bind_into](input),
-        pragma[only_bind_into](phi)) and
-      result = TSsaPhiInputNode(phi, input)
-    )
+    result =
+      Ssa::BarrierGuardWithIntParam<guardChecksIndirectNode/4>::getABarrierNode(indirectionIndex)
   }
 }
 
@@ -2493,14 +2458,6 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
  */
 signature predicate instructionGuardChecksSig(IRGuardCondition g, Instruction instr, boolean branch);
 
-private EdgeKind getConditionalEdge(boolean branch) {
-  branch = true and
-  result instanceof TrueEdge
-  or
-  branch = false and
-  result instanceof FalseEdge
-}
-
 /**
  * Provides a set of barrier nodes for a guard that validates an instruction.
  *
@@ -2517,6 +2474,10 @@ module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardCheck
     )
   }
 
+  private predicate guardChecksNode(IRGuardCondition g, Node n, boolean branch) {
+    instructionGuardChecks(g, n.asOperand().getDef(), branch)
+  }
+
   /** Gets a node that is safely guarded by the given guard check. */
   Node getABarrierNode() {
     exists(IRGuardCondition g, ValueNumber value, boolean edge |
@@ -2525,14 +2486,7 @@ module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardCheck
       controls(g, result, edge)
     )
     or
-    exists(
-      IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi
-    |
-      instructionGuardChecks(g, def.getARead().asOperand().getDef(), branch) and
-      guardControlsPhiInput(g, branch, def, pragma[only_bind_into](input),
-        pragma[only_bind_into](phi)) and
-      result = TSsaPhiInputNode(phi, input)
-    )
+    result = Ssa::BarrierGuard<guardChecksNode/3>::getABarrierNode()
   }
 
   bindingset[value, n]
@@ -2544,6 +2498,12 @@ module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardCheck
     )
   }
 
+  private predicate guardChecksIndirectNode(
+    IRGuardCondition g, Node n, boolean branch, int indirectionIndex
+  ) {
+    instructionGuardChecks(g, n.asIndirectOperand(indirectionIndex).getDef(), branch)
+  }
+
   /**
    * Gets an indirect node with indirection index `indirectionIndex` that is
    * safely guarded by the given guard check.
@@ -2555,14 +2515,8 @@ module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardCheck
       controls(g, result, edge)
     )
     or
-    exists(
-      IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi
-    |
-      instructionGuardChecks(g, def.getARead().asIndirectOperand(indirectionIndex).getDef(), branch) and
-      guardControlsPhiInput(g, branch, def, pragma[only_bind_into](input),
-        pragma[only_bind_into](phi)) and
-      result = TSsaPhiInputNode(phi, input)
-    )
+    result =
+      Ssa::BarrierGuardWithIntParam<guardChecksIndirectNode/4>::getABarrierNode(indirectionIndex)
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -2,6 +2,7 @@ private import codeql.ssa.Ssa as SsaImplCommon
 private import semmle.code.cpp.ir.IR
 private import DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon
+private import semmle.code.cpp.controlflow.IRGuards as IRGuards
 private import semmle.code.cpp.models.interfaces.Allocation as Alloc
 private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
 private import semmle.code.cpp.models.interfaces.Taint as Taint
@@ -464,6 +465,17 @@ private predicate finalParameterNodeHasParameterAndIndex(
   n.getIndirectionIndex() = indirectionIndex
 }
 
+pragma[nomagic]
+private predicate hasReturnPosition(IRFunction f, IRBlock block, int index) {
+  exists(Instruction return |
+    return instanceof ReturnInstruction or
+    return instanceof UnreachedInstruction
+  |
+    block.getInstruction(index) = return and
+    return.getEnclosingIRFunction() = f
+  )
+}
+
 class FinalParameterUse extends UseImpl, TFinalParameterUse {
   Parameter p;
 
@@ -492,12 +504,9 @@ class FinalParameterUse extends UseImpl, TFinalParameterUse {
     // `UnreachedInstruction`. If that's the case this predicate will
     // return multiple results. I don't think this is detrimental to
     // performance, however.
-    exists(Instruction return |
-      return instanceof ReturnInstruction or
-      return instanceof UnreachedInstruction
-    |
-      block.getInstruction(index) = return and
-      return.getEnclosingFunction() = p.getFunction()
+    exists(IRFunction f |
+      hasReturnPosition(f, block, index) and
+      f.getFunction() = p.getFunction()
     )
   }
 
@@ -587,13 +596,7 @@ class GlobalUse extends UseImpl, TGlobalUse {
     // globals at any exit so that we can flow out of non-returning functions.
     // Obviously this isn't correct as we can't actually flow but the global flow
     // requires this if we want to flow into children.
-    exists(Instruction return |
-      return instanceof ReturnInstruction or
-      return instanceof UnreachedInstruction
-    |
-      block.getInstruction(index) = return and
-      return.getEnclosingIRFunction() = f
-    )
+    hasReturnPosition(f, block, index)
   }
 
   override BaseSourceVariable getBaseSourceVariable() {
@@ -669,21 +672,6 @@ class GlobalDefImpl extends DefImpl, TGlobalDefImpl {
   override Location getLocation() { result = f.getLocation() }
 }
 
-/**
- * Holds if there is a definition or access at index `i1` in basic block `bb1`
- * and the next subsequent read is at index `i2` in basic block `bb2`.
- */
-predicate adjacentDefRead(IRBlock bb1, int i1, SourceVariable sv, IRBlock bb2, int i2) {
-  adjacentDefReadExt(_, sv, bb1, i1, bb2, i2)
-}
-
-predicate useToNode(IRBlock bb, int i, SourceVariable sv, Node nodeTo) {
-  exists(UseImpl use |
-    use.hasIndexInBlock(bb, i, sv) and
-    nodeTo = use.getNode()
-  )
-}
-
 pragma[noinline]
 predicate outNodeHasAddressAndIndex(
   IndirectArgumentOutNode out, Operand address, int indirectionIndex
@@ -697,34 +685,17 @@ predicate outNodeHasAddressAndIndex(
  *
  * Holds if `node` is the node that corresponds to the definition of `def`.
  */
-predicate defToNode(
-  Node node, DefinitionExt def, SourceVariable sv, IRBlock bb, int i, boolean uncertain
-) {
-  def.definesAt(sv, bb, i, _) and
-  (
-    nodeHasOperand(node, def.getValue().asOperand(), def.getIndirectionIndex())
-    or
-    nodeHasInstruction(node, def.getValue().asInstruction(), def.getIndirectionIndex())
-    or
-    node.(InitialGlobalValue).getGlobalDef() = def
-  ) and
-  if def.isCertain() then uncertain = false else uncertain = true
+predicate defToNode(Node node, Definition def, SourceVariable sv) {
+  def.getSourceVariable() = sv and
+  defToNode(node, def)
 }
 
-/**
- * INTERNAL: Do not use.
- *
- * Holds if `node` is the node that corresponds to the definition or use at
- * index `i` in block `bb` of `sv`.
- *
- * `uncertain` is `true` if this is an uncertain definition.
- */
-predicate nodeToDefOrUse(Node node, SourceVariable sv, IRBlock bb, int i, boolean uncertain) {
-  defToNode(node, _, sv, bb, i, uncertain)
+private predicate defToNode(Node node, Definition def) {
+  nodeHasOperand(node, def.getValue().asOperand(), def.getIndirectionIndex())
   or
-  // Node -> Use
-  useToNode(bb, i, sv, node) and
-  uncertain = false
+  nodeHasInstruction(node, def.getValue().asInstruction(), def.getIndirectionIndex())
+  or
+  node.(InitialGlobalValue).getGlobalDef() = def
 }
 
 /**
@@ -732,10 +703,7 @@ predicate nodeToDefOrUse(Node node, SourceVariable sv, IRBlock bb, int i, boolea
  * only holds when there is no use-use relation out of `nTo`.
  */
 private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
-  not exists(SourceVariable sv, IRBlock bb2, int i2 |
-    useToNode(bb2, i2, sv, nTo) and
-    adjacentDefRead(bb2, i2, sv, _, _)
-  ) and
+  not ssaFlowImpl(nTo, _) and
   exists(Operand op1, Operand op2, int indirectionIndex, Instruction instr |
     hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
     hasOperandAndIndex(nTo, op2, pragma[only_bind_into](indirectionIndex)) and
@@ -744,50 +712,6 @@ private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
   )
 }
 
-/**
- * Holds if `node` is a phi input node that should receive flow from the
- * definition to (or use of) `sv` at `(bb1, i1)`.
- */
-private predicate phiToNode(SsaPhiInputNode node, SourceVariable sv, IRBlock bb1, int i1) {
-  exists(PhiNode phi, IRBlock input |
-    phi.hasInputFromBlock(_, sv, bb1, i1, input) and
-    node.getPhiNode() = phi and
-    node.getBlock() = input
-  )
-}
-
-/**
- * Holds if there should be flow from `nodeFrom` to `nodeTo` because
- * `nodeFrom` is a definition or use of `sv` at index `i1` at basic
- * block `bb1`.
- *
- * `uncertain` is `true` if `(bb1, i1)` is a definition, and that definition
- * is _not_ guaranteed to overwrite the entire allocation.
- */
-private predicate ssaFlowImpl(
-  IRBlock bb1, int i1, SourceVariable sv, Node nodeFrom, Node nodeTo, boolean uncertain
-) {
-  nodeToDefOrUse(nodeFrom, sv, bb1, i1, uncertain) and
-  (
-    exists(IRBlock bb2, int i2 |
-      adjacentDefRead(bb1, i1, sv, bb2, i2) and
-      useToNode(bb2, i2, sv, nodeTo)
-    )
-    or
-    phiToNode(nodeTo, sv, bb1, i1)
-  ) and
-  nodeFrom != nodeTo
-}
-
-/** Gets a node that represents the prior definition of `node`. */
-private Node getAPriorDefinition(DefinitionExt next) {
-  exists(IRBlock bb, int i, SourceVariable sv |
-    lastRefRedefExt(_, pragma[only_bind_into](sv), pragma[only_bind_into](bb),
-      pragma[only_bind_into](i), _, next) and
-    nodeToDefOrUse(result, sv, bb, i, _)
-  )
-}
-
 private predicate inOut(FIO::FunctionInput input, FIO::FunctionOutput output) {
   exists(int indirectionIndex |
     input.isQualifierObject(indirectionIndex) and
@@ -834,21 +758,6 @@ private predicate modeledFlowBarrier(Node n) {
   )
 }
 
-/** Holds if there is def-use or use-use flow from `nodeFrom` to `nodeTo`. */
-predicate ssaFlow(Node nodeFrom, Node nodeTo) {
-  exists(Node nFrom, boolean uncertain, IRBlock bb, int i, SourceVariable sv |
-    ssaFlowImpl(bb, i, sv, nFrom, nodeTo, uncertain) and
-    not modeledFlowBarrier(nFrom) and
-    nodeFrom != nodeTo
-  |
-    if uncertain = true
-    then
-      nodeFrom =
-        [nFrom, getAPriorDefinition(any(DefinitionExt next | next.definesAt(sv, bb, i, _)))]
-    else nodeFrom = nFrom
-  )
-}
-
 private predicate isArgumentOfCallableInstruction(DataFlowCall call, Instruction instr) {
   isArgumentOfCallableOperand(call, unique( | | getAUse(instr)))
 }
@@ -905,22 +814,15 @@ private predicate postUpdateNodeToFirstUse(PostUpdateNode pun, Node n) {
   // So this predicate recurses back along conversions and `PointerArithmetic`
   // instructions to find the first use that has provides use-use flow, and
   // uses that target as the target of the `nodeFrom`.
-  exists(Node adjusted, IRBlock bb1, int i1, SourceVariable sv |
+  exists(Node adjusted |
     indirectConversionFlowStep*(adjusted, pun.getPreUpdateNode()) and
-    useToNode(bb1, i1, sv, adjusted)
-  |
-    exists(IRBlock bb2, int i2 |
-      adjacentDefRead(bb1, i1, sv, bb2, i2) and
-      useToNode(bb2, i2, sv, n)
-    )
-    or
-    phiToNode(n, sv, bb1, i1)
+    ssaFlowImpl(adjusted, n)
   )
 }
 
 private predicate stepUntilNotInCall(DataFlowCall call, Node n1, Node n2) {
   isArgumentOfCallable(call, n1) and
-  exists(Node mid | ssaFlowImpl(_, _, _, n1, mid, _) |
+  exists(Node mid | ssaFlowImpl(n1, mid) |
     isArgumentOfCallable(call, mid) and
     stepUntilNotInCall(call, mid, n2)
     or
@@ -952,7 +854,7 @@ private predicate isArgumentOfSameCall(DataFlowCall call, Node n1, Node n2) {
  * similarly we want flow from the second argument of `write_first_argument` to `x`
  * on the next line.
  */
-predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
+private predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
   exists(Node preUpdate, Node mid |
     preUpdate = pun.getPreUpdateNode() and
     postUpdateNodeToFirstUse(pun, mid)
@@ -967,21 +869,6 @@ predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
   )
 }
 
-/** Holds if `nodeTo` receives flow from the phi node `nodeFrom`. */
-predicate fromPhiNode(SsaPhiNode nodeFrom, Node nodeTo) {
-  exists(PhiNode phi, SourceVariable sv, IRBlock bb1, int i1 |
-    phi = nodeFrom.getPhiNode() and
-    phi.definesAt(sv, bb1, i1, _)
-  |
-    exists(IRBlock bb2, int i2 |
-      adjacentDefRead(bb1, i1, sv, bb2, i2) and
-      useToNode(bb2, i2, sv, nodeTo)
-    )
-    or
-    phiToNode(nodeTo, sv, bb1, i1)
-  )
-}
-
 private predicate baseSourceVariableIsGlobal(
   BaseIRVariable base, GlobalLikeVariable global, IRFunction func
 ) {
@@ -1023,11 +910,6 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
     exists(UseImpl use | use.hasIndexInBlock(bb, i, v) |
       if use.isCertain() then certain = true else certain = false
     )
-    or
-    exists(GlobalUse global |
-      global.hasIndexInBlock(bb, i, v) and
-      certain = true
-    )
   }
 }
 
@@ -1036,42 +918,14 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
  */
 cached
 module SsaCached {
-  /**
-   * Holds if `def` is accessed at index `i1` in basic block `bb1` (either a read
-   * or a write), `def` is read at index `i2` in basic block `bb2`, and there is a
-   * path between them without any read of `def`.
-   */
   cached
-  predicate adjacentDefReadExt(
-    DefinitionExt def, SourceVariable sv, IRBlock bb1, int i1, IRBlock bb2, int i2
-  ) {
-    SsaImpl::adjacentDefReadExt(def, sv, bb1, i1, bb2, i2)
-  }
-
-  /**
-   * Holds if the node at index `i` in `bb` is a last reference to SSA definition
-   * `def`. The reference is last because it can reach another write `next`,
-   * without passing through another read or write.
-   *
-   * The path from node `i` in `bb` to `next` goes via basic block `input`,
-   * which is either a predecessor of the basic block of `next`, or `input` =
-   * `bb` in case `next` occurs in basic block `bb`.
-   */
-  cached
-  predicate lastRefRedefExt(
-    DefinitionExt def, SourceVariable sv, IRBlock bb, int i, IRBlock input, DefinitionExt next
-  ) {
-    SsaImpl::lastRefRedefExt(def, sv, bb, i, input, next)
+  predicate ssaDefReachesRead(SourceVariable v, Definition def, IRBlock bb, int i) {
+    SsaImpl::ssaDefReachesRead(v, def, bb, i)
   }
 
   cached
-  DefinitionExt phiHasInputFromBlockExt(PhiNode phi, IRBlock bb) {
-    SsaImpl::phiHasInputFromBlockExt(phi, result, bb)
-  }
-
-  cached
-  predicate ssaDefReachesReadExt(SourceVariable v, DefinitionExt def, IRBlock bb, int i) {
-    SsaImpl::ssaDefReachesReadExt(v, def, bb, i)
+  predicate phiHasInputFromBlock(PhiNode phi, Definition inp, IRBlock bb) {
+    SsaImpl::phiHasInputFromBlock(phi, inp, bb)
   }
 
   predicate variableRead = SsaInput::variableRead/4;
@@ -1080,14 +934,14 @@ module SsaCached {
 }
 
 /** Gets the `DefImpl` corresponding to `def`. */
-private DefImpl getDefImpl(SsaImpl::DefinitionExt def) {
+private DefImpl getDefImpl(SsaImpl::Definition def) {
   exists(SourceVariable sv, IRBlock bb, int i |
-    def.definesAt(sv, bb, i, _) and
+    def.definesAt(sv, bb, i) and
     result.hasIndexInBlock(bb, i, sv)
   )
 }
 
-class GlobalDef extends DefinitionExt {
+class GlobalDef extends Definition {
   GlobalDefImpl impl;
 
   GlobalDef() { impl = getDefImpl(this) }
@@ -1101,51 +955,167 @@ class GlobalDef extends DefinitionExt {
 
 private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;
 
+private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationInputSig {
+  class Expr extends Instruction {
+    Expr() {
+      exists(IRBlock bb, int i |
+        variableRead(bb, i, _, true) and
+        this = bb.getInstruction(i)
+      )
+    }
+
+    predicate hasCfgNode(SsaInput::BasicBlock bb, int i) { bb.getInstruction(i) = this }
+  }
+
+  Expr getARead(SsaImpl::Definition def) {
+    exists(SourceVariable v, IRBlock bb, int i |
+      ssaDefReachesRead(v, def, bb, i) and
+      variableRead(bb, i, v, true) and
+      result.hasCfgNode(bb, i)
+    )
+  }
+
+  predicate ssaDefHasSource(SsaImpl::WriteDefinition def) { none() }
+
+  predicate allowFlowIntoUncertainDef(SsaImpl::UncertainWriteDefinition def) { any() }
+
+  private EdgeKind getConditionalEdge(boolean branch) {
+    branch = true and
+    result instanceof TrueEdge
+    or
+    branch = false and
+    result instanceof FalseEdge
+  }
+
+  class Guard instanceof IRGuards::IRGuardCondition {
+    string toString() { result = super.toString() }
+
+    predicate controlsBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+      exists(EdgeKind kind |
+        super.getBlock() = bb1 and
+        kind = getConditionalEdge(branch) and
+        bb1.getSuccessor(kind) = bb2
+      )
+    }
+  }
+
+  predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {
+    guard.(IRGuards::IRGuardCondition).controls(bb, branch)
+  }
+
+  predicate keepAllPhiInputBackEdges() { any() }
+}
+
+private module DataFlowIntegrationImpl = SsaImpl::DataFlowIntegration<DataFlowIntegrationInput>;
+
+class SynthNode extends DataFlowIntegrationImpl::SsaNode {
+  SynthNode() { not this.asDefinition() instanceof SsaImpl::WriteDefinition }
+}
+
+signature predicate guardChecksNodeSig(IRGuards::IRGuardCondition g, Node e, boolean branch);
+
+signature predicate guardChecksNodeSig(
+  IRGuards::IRGuardCondition g, Node e, boolean branch, int indirectionIndex
+);
+
+module BarrierGuardWithIntParam<guardChecksNodeSig/4 guardChecksNode> {
+  private predicate ssaDefReachesCertainUse(Definition def, UseImpl use) {
+    exists(SourceVariable v, IRBlock bb, int i |
+      use.hasIndexInBlock(bb, i, v) and
+      variableRead(bb, i, v, true) and
+      ssaDefReachesRead(v, def, bb, i)
+    )
+  }
+
+  private predicate guardChecks(
+    DataFlowIntegrationInput::Guard g, SsaImpl::Definition def, boolean branch, int indirectionIndex
+  ) {
+    exists(UseImpl use |
+      guardChecksNode(g, use.getNode(), branch, indirectionIndex) and
+      ssaDefReachesCertainUse(def, use)
+    )
+  }
+
+  Node getABarrierNode(int indirectionIndex) {
+    // Only get the SynthNodes from the shared implementation, as the ExprNodes cannot
+    // be matched on SourceVariable.
+    result.(SsaSynthNode).getSynthNode() =
+      DataFlowIntegrationImpl::BarrierGuardDefWithState<int, guardChecks/4>::getABarrierNode(indirectionIndex)
+    or
+    // Calculate the guarded UseImpls corresponding to ExprNodes directly.
+    exists(DataFlowIntegrationInput::Guard g, boolean branch, Definition def, IRBlock bb |
+      guardChecks(g, def, branch, indirectionIndex) and
+      exists(UseImpl use |
+        ssaDefReachesCertainUse(def, use) and
+        use.getBlock() = bb and
+        DataFlowIntegrationInput::guardControlsBlock(g, bb, branch) and
+        result = use.getNode()
+      )
+    )
+  }
+}
+
+module BarrierGuard<guardChecksNodeSig/3 guardChecksNode> {
+  private predicate guardChecksNode(
+    IRGuards::IRGuardCondition g, Node e, boolean branch, int indirectionIndex
+  ) {
+    guardChecksNode(g, e, branch) and indirectionIndex = 0
+  }
+
+  Node getABarrierNode() {
+    result = BarrierGuardWithIntParam<guardChecksNode/4>::getABarrierNode(0)
+  }
+}
+
+bindingset[result, v]
+pragma[inline_late]
+DataFlowIntegrationImpl::Node fromDfNode(Node n, SourceVariable v) {
+  result = n.(SsaSynthNode).getSynthNode()
+  or
+  exists(UseImpl use, IRBlock bb, int i |
+    result.(DataFlowIntegrationImpl::ExprNode).getExpr().hasCfgNode(bb, i) and
+    use.hasIndexInBlock(bb, i, v) and
+    use.isCertain() and
+    use.getNode() = n
+  )
+  or
+  defToNode(n, result.(DataFlowIntegrationImpl::SsaDefinitionNode).getDefinition())
+}
+
+private predicate ssaFlowImpl(Node nodeFrom, Node nodeTo) {
+  exists(SourceVariable v |
+    nodeFrom != nodeTo and
+    DataFlowIntegrationImpl::localFlowStep(v, fromDfNode(nodeFrom, v), fromDfNode(nodeTo, v), _)
+  )
+}
+
+/** Holds if there is def-use or use-use flow from `nodeFrom` to `nodeTo`. */
+predicate ssaFlow(Node nodeFrom, Node nodeTo) {
+  postUpdateFlow(nodeFrom, nodeTo)
+  or
+  ssaFlowImpl(nodeFrom, nodeTo) and
+  not modeledFlowBarrier(nodeFrom)
+}
+
 /**
  * An static single assignment (SSA) phi node.
- *
- * This is either a normal phi node or a phi-read node.
  */
-class PhiNode extends SsaImpl::DefinitionExt {
-  PhiNode() {
-    this instanceof SsaImpl::PhiNode or
-    this instanceof SsaImpl::PhiReadNode
-  }
-
-  /**
-   * Holds if this phi node is a phi-read node.
-   *
-   * Phi-read nodes are like normal phi nodes, but they are inserted based
-   * on reads instead of writes.
-   */
-  predicate isPhiRead() { this instanceof SsaImpl::PhiReadNode }
-
-  /**
-   * Holds if the node at index `i` in `bb` is a last reference to SSA
-   * definition `def` of `sv`. The reference is last because it can reach
-   * this phi node, without passing through another read or write.
-   *
-   * The path from node `i` in `bb` to this phi node goes via basic block
-   * `input`, which is either a predecessor of the basic block of this phi
-   * node, or `input` = `bb` in case this phi node occurs in basic block `bb`.
-   */
-  predicate hasInputFromBlock(DefinitionExt def, SourceVariable sv, IRBlock bb, int i, IRBlock input) {
-    SsaCached::lastRefRedefExt(def, sv, bb, i, input, this)
-  }
-
+class PhiNode extends Definition instanceof SsaImpl::PhiNode {
   /** Gets a definition that is an input to this phi node. */
-  final DefinitionExt getAnInput() { this.hasInputFromBlock(result, _, _, _, _) }
+  final Definition getAnInput() { phiHasInputFromBlock(this, result, _) }
 }
 
 /** An static single assignment (SSA) definition. */
-class DefinitionExt extends SsaImpl::DefinitionExt {
-  private DefinitionExt getAPhiInputOrPriorDefinition() { result = this.(PhiNode).getAnInput() }
+class Definition extends SsaImpl::Definition {
+  // TODO: Include prior definitions of uncertain writes or rename predicate
+  // i.e. the disjunct `SsaImpl::uncertainWriteDefinitionInput(this, result)`
+  private Definition getAPhiInputOrPriorDefinition() { result = this.(PhiNode).getAnInput() }
 
   /**
    * Gets a definition that ultimately defines this SSA definition and is
    * not itself a phi node.
    */
-  final DefinitionExt getAnUltimateDefinition() {
+  final Definition getAnUltimateDefinition() {
     result = this.getAPhiInputOrPriorDefinition*() and
     not result instanceof PhiNode
   }
@@ -1180,16 +1150,6 @@ class DefinitionExt extends SsaImpl::DefinitionExt {
 
   /** Gets the unspecified type of the variable being defined by this definition. */
   Type getUnspecifiedType() { result = this.getUnderlyingType().getUnspecifiedType() }
-
-  /** Gets a node that represents a read of this SSA definition. */
-  pragma[nomagic]
-  Node getARead() {
-    exists(SourceVariable sv, IRBlock bb, int i | SsaCached::ssaDefReachesReadExt(sv, this, bb, i) |
-      useToNode(bb, i, sv, result)
-      or
-      phiToNode(result, sv, bb, i)
-    )
-  }
 }
 
 import SsaCached

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -630,10 +630,18 @@ private module Cached {
     Operand operand, int indirectionIndex, Operand operandRepr, int indirectionIndexRepr
   ) {
     indirectionIndex = [1 .. countIndirectionsForCppType(getLanguageType(operand))] and
-    exists(Instruction load |
-      isDereference(load, operand, false) and
-      operandRepr = unique( | | getAUse(load)) and
-      indirectionIndexRepr = indirectionIndex - 1
+    (
+      exists(Instruction load |
+        isDereference(load, operand, false) and
+        operandRepr = unique( | | getAUse(load)) and
+        indirectionIndexRepr = indirectionIndex - 1
+      )
+      or
+      exists(CopyValueInstruction copy |
+        copy.getSourceValueOperand() = operand and
+        operandRepr = unique( | | getAUse(copy)) and
+        indirectionIndexRepr = indirectionIndex
+      )
     )
   }
 
@@ -649,11 +657,19 @@ private module Cached {
     Instruction instr, int indirectionIndex, Instruction instrRepr, int indirectionIndexRepr
   ) {
     indirectionIndex = [1 .. countIndirectionsForCppType(getResultLanguageType(instr))] and
-    exists(Instruction load, Operand address |
-      address = unique( | | getAUse(instr)) and
-      isDereference(load, address, false) and
-      instrRepr = load and
-      indirectionIndexRepr = indirectionIndex - 1
+    (
+      exists(Instruction load, Operand address |
+        address = unique( | | getAUse(instr)) and
+        isDereference(load, address, false) and
+        instrRepr = load and
+        indirectionIndexRepr = indirectionIndex - 1
+      )
+      or
+      exists(CopyValueInstruction copy |
+        copy.getSourceValueOperand() = unique( | | getAUse(instr)) and
+        instrRepr = copy and
+        indirectionIndexRepr = indirectionIndex
+      )
     )
   }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/CA2AEX.qll

@@ -6,7 +6,7 @@ private import semmle.code.cpp.dataflow.new.DataFlow
  * The `CA2AEX` (and related) classes from the Windows Active Template library.
  */
 class Ca2Aex extends Class {
-  Ca2Aex() { this.hasGlobalName(["CA2AEX", "CA2CAEX", "CA2WEX"]) }
+  Ca2Aex() { this.hasQualifiedName("ATL", ["CA2AEX", "CA2CAEX", "CA2WEX"]) }
 }
 
 private class Ca2AexTaintInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {

cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFile.qll

@@ -4,7 +4,7 @@ import semmle.code.cpp.models.interfaces.FlowSource
  * The `CAtlFile` class from Microsoft's Active Template Library.
  */
 class CAtlFile extends Class {
-  CAtlFile() { this.hasGlobalName("CAtlFile") }
+  CAtlFile() { this.hasQualifiedName("ATL", "CAtlFile") }
 }
 
 private class CAtlFileRead extends MemberFunction, LocalFlowSourceFunction {

cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlFileMapping.qll

@@ -4,14 +4,14 @@ import semmle.code.cpp.models.interfaces.FlowSource
  * The `CAtlFileMapping` class from Microsoft's Active Template Library.
  */
 class CAtlFileMapping extends Class {
-  CAtlFileMapping() { this.hasGlobalName("CAtlFileMapping") }
+  CAtlFileMapping() { this.hasQualifiedName("ATL", "CAtlFileMapping") }
 }
 
 /**
  * The `CAtlFileMappingBase` class from Microsoft's Active Template Library.
  */
 class CAtlFileMappingBase extends Class {
-  CAtlFileMappingBase() { this.hasGlobalName("CAtlFileMappingBase") }
+  CAtlFileMappingBase() { this.hasQualifiedName("ATL", "CAtlFileMappingBase") }
 }
 
 private class CAtlFileMappingBaseGetData extends MemberFunction, LocalFlowSourceFunction {

cpp/ql/lib/semmle/code/cpp/models/implementations/CAtlTemporaryFile.qll

@@ -4,7 +4,7 @@ import semmle.code.cpp.models.interfaces.FlowSource
  * The `CAtlFile` class from Microsoft's Active Template Library.
  */
 class CAtlTemporaryFile extends Class {
-  CAtlTemporaryFile() { this.hasGlobalName("CAtlTemporaryFile") }
+  CAtlTemporaryFile() { this.hasQualifiedName("ATL", "CAtlTemporaryFile") }
 }
 
 private class CAtlTemporaryFileRead extends MemberFunction, LocalFlowSourceFunction {

cpp/ql/lib/semmle/code/cpp/models/implementations/CComBSTR.qll

@@ -4,7 +4,7 @@ private import semmle.code.cpp.dataflow.new.DataFlow
 
 /** The `CComBSTR` class from the Microsoft "Active Template Library". */
 class CcomBstr extends Class {
-  CcomBstr() { this.hasGlobalName("CComBSTR") }
+  CcomBstr() { this.hasQualifiedName("ATL", "CComBSTR") }
 }
 
 private class Mstr extends Field {

cpp/ql/lib/semmle/code/cpp/models/implementations/CPathT.qll

@@ -4,7 +4,7 @@ private import semmle.code.cpp.dataflow.new.DataFlow
 
 /** The `CPathT` class from the Microsoft "Active Template Library". */
 class CPathT extends Class {
-  CPathT() { this.hasGlobalName("CPathT") }
+  CPathT() { this.hasQualifiedName("ATL", "CPathT") }
 }
 
 private class MStrPath extends Field {

cpp/ql/lib/semmle/code/cpp/models/implementations/CRegKey.qll

@@ -5,7 +5,7 @@ private import semmle.code.cpp.dataflow.new.DataFlow
 
 /** The `CRegKey` class from the Microsoft "Active Template Library". */
 class CRegKey extends Class {
-  CRegKey() { this.hasGlobalName("CRegKey") }
+  CRegKey() { this.hasQualifiedName("ATL", "CRegKey") }
 }
 
 module CRegKey {

cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll

@@ -327,9 +327,7 @@ private module Config implements ProductFlow::StateConfigSig {
 
   predicate isBarrierIn1(DataFlow::Node node) { isSourcePair(node, _, _, _) }
 
-  predicate isBarrierOut2(DataFlow::Node node) {
-    node = any(DataFlow::SsaPhiNode phi).getAnInput(true)
-  }
+  predicate isBarrierOut2(DataFlow::Node node) { DataFlow::flowsToBackEdge(node) }
 }
 
 private module AllocToInvalidPointerFlow = ProductFlow::GlobalWithState<Config>;

cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll

@@ -203,9 +203,7 @@ private module InvalidPointerToDerefConfig implements DataFlow::StateConfigSig {
 
   predicate isSink(DataFlow::Node sink, FlowState pai) { none() }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node = any(DataFlow::SsaPhiNode phi | not phi.isPhiRead()).getAnInput(true)
-  }
+  predicate isBarrier(DataFlow::Node node) { DataFlow::flowsToBackEdge(node) }
 
   predicate isBarrier(DataFlow::Node node, FlowState pai) {
     // `node = getABarrierNode(pai)` ensures that node < pai, so this node is safe to dereference.

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,21 @@
+## 1.3.7
+
+### Minor Analysis Improvements
+
+* Fixed a bug in the models for Microsoft's Active Template Library (ATL).
+* The query "Use of basic integral type" (`cpp/jpl-c/basic-int-types`) no longer produces alerts for the standard fixed width integer types (`int8_t`, `uint8_t`, etc.), and the `_Bool` and `bool` types.
+
+## 1.3.6
+
+No user-facing changes.
+
+## 1.3.5
+
+### Minor Analysis Improvements
+
+* Due to changes in libraries the query "Static array access may cause overflow" (`cpp/static-buffer-overflow`) will no longer report cases where multiple fields of a struct or class are written with a single `memset` or similar operation.
+* The query "Call to memory access function may overflow buffer" (`cpp/overflow-buffer`) has been added to the security-extended query suite. The query detects a range of buffer overflow and underflow issues.
+
 ## 1.3.4
 
 No user-facing changes.

cpp/ql/src/Diagnostics/ExtractionWarnings.ql

@@ -14,5 +14,5 @@ where
   or
   warning instanceof ExtractionUnknownProblem
 select warning,
-  "Extraction failed in " + warning.getFile() + " with warning " + warning.getProblemMessage(),
-  warning.getSeverity()
+  "Extraction failed in " + warning.getFile() + " with warning " +
+    warning.getProblemMessage().replaceAll("$", "$$"), warning.getSeverity()

cpp/ql/src/Diagnostics/Internal/ExtractionErrors.ql

@@ -17,5 +17,6 @@ from ExtractionError error
 where
   error instanceof ExtractionUnknownError or
   exists(error.getFile().getRelativePath())
-select error, "Extraction failed in " + error.getFile() + " with error " + error.getErrorMessage(),
-  error.getSeverity()
+select error,
+  "Extraction failed in " + error.getFile() + " with error " +
+    error.getErrorMessage().replaceAll("$", "$$"), error.getSeverity()

cpp/ql/src/JPL_C/LOC-3/Rule 17/BasicIntTypes.ql

@@ -12,7 +12,11 @@
 import cpp
 
 predicate allowedTypedefs(TypedefType t) {
-  t.getName() = ["I64", "U64", "I32", "U32", "I16", "U16", "I8", "U8", "F64", "F32"]
+  t.getName() =
+    [
+      "I64", "U64", "I32", "U32", "I16", "U16", "I8", "U8", "F64", "F32", "int64_t", "uint64_t",
+      "int32_t", "uint32_t", "int16_t", "uint16_t", "int8_t", "uint8_t"
+    ]
 }
 
 /**
@@ -46,6 +50,8 @@ from Declaration d, Type usedType
 where
   usedType = getAUsedType*(getAnImmediateUsedType(d)) and
   problematic(usedType) and
+  // Allow uses of boolean types where defined by the language.
+  not usedType instanceof BoolType and
   // Ignore violations for which we do not have a valid location.
   not d.getLocation() instanceof UnknownLocation
 select d,

cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql

@@ -208,8 +208,7 @@ class LoopWithAlloca extends Stmt {
       this.conditionRequiresInequality(va, _, _) and
       DataFlow::localFlow(result, DataFlow::exprNode(va)) and
       // Phi nodes will be preceded by nodes that represent actual definitions
-      not result instanceof DataFlow::SsaPhiNode and
-      not result instanceof DataFlow::SsaPhiInputNode and
+      not result instanceof DataFlow::SsaSynthNode and
       // A source is outside the loop if it's not inside the loop
       not exists(Expr e | e = getExpr(result) | this = getAnEnclosingLoopOfExpr(e))
     )

cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Include file resolution status
+ * @description Counts unresolved and resolved #includes.
+ *              This query is for internal use only and may change without notice.
+ * @kind table
+ * @id cpp/include-resolution-status
+ */
+
+import cpp
+
+/**
+ * A cannot open file error.
+ *
+ * Typically this is due to a missing include.
+ */
+class CannotOpenFileError extends CompilerError {
+  CannotOpenFileError() { this.hasTag(["cannot_open_file", "cannot_open_file_reason"]) }
+}
+
+select count(CannotOpenFileError e) as failed_includes, count(Include i) as successful_includes

cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql

@@ -37,7 +37,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
     or
-    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+    node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
   }
 }
 

cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql

@@ -37,7 +37,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
     or
-    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+    node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
   }
 }
 

cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql

@@ -5,8 +5,9 @@
  *              buffer.
  * @kind problem
  * @id cpp/overflow-buffer
- * @problem.severity recommendation
+ * @problem.severity warning
  * @security-severity 9.3
+ * @precision medium
  * @tags security
  *       external/cwe/cwe-119
  *       external/cwe/cwe-121

cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql

@@ -212,9 +212,7 @@ module StringSizeConfig implements ProductFlow::StateConfigSig {
     )
   }
 
-  predicate isBarrierOut2(DataFlow::Node node) {
-    node = any(DataFlow::SsaPhiNode phi).getAnInput(true)
-  }
+  predicate isBarrierOut2(DataFlow::Node node) { DataFlow::flowsToBackEdge(node) }
 
   predicate isAdditionalFlowStep2(
     DataFlow::Node node1, FlowState2 state1, DataFlow::Node node2, FlowState2 state2

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql

@@ -42,7 +42,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and isArithmeticNonCharType(node.asExpr().getUnspecifiedType())
     or
-    isArithmeticNonCharType(node.asInstruction().(StoreInstruction).getResultType())
+    isArithmeticNonCharType(node.asCertainDefinition().getUnspecifiedType())
   }
 }
 

cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql

@@ -37,7 +37,7 @@ private module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
     or
-    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+    node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
     or
     mayAddNullTerminator(_, node.asIndirectExpr())
   }

cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -75,9 +75,11 @@ module Config implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSink(sink, _, _) }
 
   predicate isBarrier(DataFlow::Node node) {
-    exists(StoreInstruction store | store = node.asInstruction() |
+    exists(StoreInstruction store, Expr e |
+      store = node.asInstruction() and e = node.asCertainDefinition()
+    |
       // Block flow to "likely small expressions"
-      bounded(store.getSourceValue().getUnconvertedResultExpression())
+      bounded(e)
       or
       // Block flow to "small types"
       store.getResultType().getUnspecifiedType().(IntegralType).getSize() <= 1