Updates test expectations

Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>

.github/pull_request_template.md

@@ -0,0 +1,13 @@
+### Pull Request checklist
+
+#### All query authors
+
+- [ ] A change note is added if necessary. See [the documentation](https://github.com/github/codeql/blob/main/docs/change-notes.md) in this repository.
+- [ ] All new queries have appropriate `.qhelp`. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-help-style-guide.md) in this repository.
+- [ ] QL tests are added if necessary. See [Testing custom queries](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries) in the GitHub documentation.
+- [ ] New and changed queries have correct query metadata. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md) in this repository.
+
+#### Internal query authors only
+
+- [ ] Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to `.ql`, `.qll`, or `.qhelp` files. See [the documentation](https://github.com/github/codeql-team/blob/main/docs/best-practices/validating-autofix-for-query-changes.md) (internal access required).
+- [ ] Changes are validated [at scale](https://github.com/github/codeql-dca/) (internal access required).

.github/workflows/csharp-qltest.yml

@@ -29,45 +29,6 @@ permissions:
   contents: read
 
 jobs:
-  qlupgrade:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/fetch-codeql
-      - name: Check DB upgrade scripts
-        run: |
-          echo >empty.trap
-          codeql dataset import -S ql/lib/upgrades/initial/semmlecode.csharp.dbscheme testdb empty.trap
-          codeql dataset upgrade testdb --additional-packs ql/lib
-          diff -q testdb/semmlecode.csharp.dbscheme ql/lib/semmlecode.csharp.dbscheme
-      - name: Check DB downgrade scripts
-        run: |
-          echo >empty.trap
-          rm -rf testdb; codeql dataset import -S ql/lib/semmlecode.csharp.dbscheme testdb empty.trap
-          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
-           --dbscheme=ql/lib/semmlecode.csharp.dbscheme --target-dbscheme=downgrades/initial/semmlecode.csharp.dbscheme |
-           xargs codeql execute upgrades testdb
-          diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
-  qltest:
-    if: github.repository_owner == 'github'
-    runs-on: ubuntu-latest-xl
-    strategy:
-      fail-fast: false
-      matrix:
-        slice: ["1/2", "2/2"]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./csharp/actions/create-extractor-pack
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: csharp-qltest-${{ matrix.slice }}
-      - name: Run QL tests
-        run: |
-          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
   unit-tests:
     strategy:
       matrix:

.github/workflows/ruby-build.yml

@@ -140,6 +140,7 @@ jobs:
           path: |
             ${{ runner.temp }}/query-packs/*
           retention-days: 1
+          include-hidden-files: true
 
   package:
     runs-on: ubuntu-latest
@@ -176,6 +177,7 @@ jobs:
           name: codeql-ruby-pack
           path: ruby/codeql-ruby.zip
           retention-days: 1
+          include-hidden-files: true
       - uses: actions/download-artifact@v3
         with:
           name: codeql-ruby-queries
@@ -193,6 +195,7 @@ jobs:
           name: codeql-ruby-bundle
           path: ruby/codeql-ruby-bundle.zip
           retention-days: 1
+          include-hidden-files: true
 
   test:
     defaults:

MODULE.bazel

@@ -15,10 +15,10 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "0.0.10")
-bazel_dep(name = "rules_go", version = "0.49.0")
-bazel_dep(name = "rules_pkg", version = "0.10.1")
+bazel_dep(name = "rules_go", version = "0.50.0")
+bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
-bazel_dep(name = "rules_python", version = "0.32.2")
+bazel_dep(name = "rules_python", version = "0.35.0")
 bazel_dep(name = "bazel_skylib", version = "1.6.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
@@ -27,7 +27,7 @@ bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
 bazel_dep(name = "gazelle", version = "0.38.0")
 bazel_dep(name = "rules_dotnet", version = "0.15.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.49.1")
+bazel_dep(name = "rules_rust", version = "0.49.3")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 

cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/downgrades.ql

@@ -0,0 +1,32 @@
+/*
+ * Approach: replace conversion expressions of kind 389 (= @c11_generic) by
+ * conversion expressions of kind 12 (= @parexpr), i.e., a `ParenthesisExpr`,
+ * and drop the relation which its child expressions, which are just syntactic
+ * sugar. Parenthesis expressions are equally benign as C11 _Generic expressions,
+ * and behave similarly in the context of the IR.
+ */
+
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location {
+  string toString() { none() }
+}
+
+class ExprParent extends @exprparent {
+  string toString() { none() }
+}
+
+query predicate new_exprs(Expr expr, int new_kind, Location loc) {
+  exists(int kind | exprs(expr, kind, loc) | if kind = 389 then new_kind = 12 else new_kind = kind)
+}
+
+query predicate new_exprparents(Expr expr, int index, ExprParent expr_parent) {
+  exprparents(expr, index, expr_parent) and
+  (
+    not expr_parent instanceof @expr
+    or
+    exists(int kind | exprs(expr_parent.(Expr), kind, _) | kind != 389)
+  )
+}

cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/upgrade.properties

@@ -0,0 +1,4 @@
+description: Expose C11 _Generics
+compatibility: partial
+exprs.rel: run downgrades.ql new_exprs
+exprparents.rel: run downgrades.ql new_exprparents

cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/coroutine.ql

@@ -0,0 +1,18 @@
+class Function extends @function {
+  string toString() { none() }
+}
+
+class Type extends @type {
+  string toString() { none() }
+}
+
+class Variable extends @variable {
+  string toString() { none() }
+}
+
+from Function func, Type traits, Variable handle, Variable promise
+where
+  coroutine(func, traits) and
+  coroutine_placeholder_variable(handle, 1, func) and
+  coroutine_placeholder_variable(promise, 2, func)
+select func, traits, handle, promise

cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/upgrade.properties

@@ -0,0 +1,4 @@
+description: Improve handling of coroutine placeholder variables
+compatibility: full
+coroutine.rel: run coroutine.qlo
+coroutine_placeholder_variable.rel: delete

cpp/ql/lib/change-notes/2024-08-30-c11-generics.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.

cpp/ql/lib/change-notes/2024-09-03-outdated-deprecations.md

@@ -0,0 +1,11 @@
+---
+category: breaking
+---
+* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 
+* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
+* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
+* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
+* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
+* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
+* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
+* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.

cpp/ql/lib/change-notes/2024-09-03-realloc-data-flow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.

cpp/ql/lib/change-notes/2024-09-04-swap-data-flow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -36,16 +36,6 @@ module PrivateCleartextWrite {
     }
   }
 
-  deprecated class WriteConfig extends TaintTracking::Configuration {
-    WriteConfig() { this = "Write configuration" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  }
-
   private module WriteConfig implements DataFlow::ConfigSig {
     predicate isSource(DataFlow::Node source) { source instanceof Source }
 

cpp/ql/lib/semmle/code/cpp/Declaration.qll

@@ -60,18 +60,6 @@ class Declaration extends Locatable, @declaration {
    */
   string getQualifiedName() { result = underlyingElement(this).(Q::Declaration).getQualifiedName() }
 
-  /**
-   * DEPRECATED: Prefer `hasGlobalName` or the 2-argument or 3-argument
-   * `hasQualifiedName` predicates. To get the exact same results as this
-   * predicate in all edge cases, use `getQualifiedName()`.
-   *
-   * Holds if this declaration has the fully-qualified name `qualifiedName`.
-   * See `getQualifiedName`.
-   */
-  deprecated predicate hasQualifiedName(string qualifiedName) {
-    this.getQualifiedName() = qualifiedName
-  }
-
   /**
    * Holds if this declaration has a fully-qualified name with a name-space
    * component of `namespaceQualifier`, a declaring type of `typeQualifier`,
@@ -185,9 +173,6 @@ class Declaration extends Locatable, @declaration {
   /** Holds if the declaration has a definition. */
   predicate hasDefinition() { exists(this.getDefinition()) }
 
-  /** DEPRECATED: Use `hasDefinition` instead. */
-  deprecated predicate isDefined() { this.hasDefinition() }
-
   /** Gets the preferred location of this declaration, if any. */
   override Location getLocation() { none() }
 

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -30,46 +30,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
 
   override string getName() { functions(underlyingElement(this), result, _) }
 
-  /**
-   * DEPRECATED: Use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
-   * Gets the full signature of this function, including return type, parameter
-   * types, and template arguments.
-   *
-   * For example, in the following code:
-   * ```
-   * template<typename T> T min(T x, T y);
-   * int z = min(5, 7);
-   * ```
-   * The full signature of the function called on the last line would be
-   * `min<int>(int, int) -> int`, and the full signature of the uninstantiated
-   * template on the first line would be `min<T>(T, T) -> T`.
-   */
-  deprecated string getFullSignature() {
-    exists(string name, string templateArgs, string args |
-      result = name + templateArgs + args + " -> " + this.getType().toString() and
-      name = this.getQualifiedName() and
-      (
-        if exists(this.getATemplateArgument())
-        then
-          templateArgs =
-            "<" +
-              concat(int i |
-                exists(this.getTemplateArgument(i))
-              |
-                this.getTemplateArgument(i).toString(), ", " order by i
-              ) + ">"
-        else templateArgs = ""
-      ) and
-      args =
-        "(" +
-          concat(int i |
-            exists(this.getParameter(i))
-          |
-            this.getParameter(i).getType().toString(), ", " order by i
-          ) + ")"
-    )
-  }
-
   /** Gets a specifier of this function. */
   override Specifier getASpecifier() {
     funspecifiers(underlyingElement(this), unresolveElement(result)) or

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -286,9 +286,6 @@ abstract class BaseAstNode extends PrintAstNode {
    * Gets the AST represented by this node.
    */
   final Locatable getAst() { result = ast }
-
-  /** DEPRECATED: Alias for getAst */
-  deprecated Locatable getAST() { result = this.getAst() }
 }
 
 /**
@@ -385,6 +382,21 @@ class CastNode extends ConversionNode {
   }
 }
 
+/**
+ * A node representing a `C11GenericExpr`.
+ */
+class C11GenericNode extends ConversionNode {
+  C11GenericExpr generic;
+
+  C11GenericNode() { generic = conv }
+
+  override AstNode getChildInternal(int childIndex) {
+    result = super.getChildInternal(childIndex - count(generic.getAChild()))
+    or
+    result.getAst() = generic.getChild(childIndex)
+  }
+}
+
 /**
  * A node representing a `StmtExpr`.
  */
@@ -860,6 +872,15 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(BuiltInVarArgsStart).getLastNamedParameter() = ele and pred = "getLastNamedParameter()"
     or
+    expr.(C11GenericExpr).getControllingExpr() = ele and pred = "getControllingExpr()"
+    or
+    exists(int n |
+      expr.(C11GenericExpr).getAssociationType(n) = ele.(TypeName).getType() and
+      pred = "getAssociationType(" + n + ")"
+      or
+      expr.(C11GenericExpr).getAssociationExpr(n) = ele and pred = "getAssociationExpr(" + n + ")"
+    )
+    or
     expr.(Call).getQualifier() = ele and pred = "getQualifier()"
     or
     exists(int n | expr.(Call).getArgument(n) = ele and pred = "getArgument(" + n.toString() + ")")

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -409,11 +409,18 @@ class LocalVariable extends LocalScopeVariable, @localvariable {
     exists(ConditionDeclExpr e | e.getVariable() = this and e.getEnclosingFunction() = result)
     or
     orphaned_variables(underlyingElement(this), unresolveElement(result))
+    or
+    coroutine_placeholder_variable(underlyingElement(this), _, unresolveElement(result))
   }
 
   override predicate isStatic() {
     super.isStatic() or orphaned_variables(underlyingElement(this), _)
   }
+
+  override predicate isCompilerGenerated() {
+    super.isCompilerGenerated() or
+    coroutine_placeholder_variable(underlyingElement(this), _, _)
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Alloc.qll

@@ -7,15 +7,6 @@ import semmle.code.cpp.models.interfaces.Deallocation
  */
 predicate freeFunction(Function f, int argNum) { argNum = f.(DeallocationFunction).getFreedArg() }
 
-/**
- * A call to a library routine that frees memory.
- *
- * DEPRECATED: Use `DeallocationExpr` instead (this also includes `delete` expressions).
- */
-deprecated predicate freeCall(FunctionCall fc, Expr arg) {
-  arg = fc.(DeallocationExpr).getFreedExpr()
-}
-
 /**
  * Is e some kind of allocation or deallocation (`new`, `alloc`, `realloc`, `delete`, `free` etc)?
  */

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -632,6 +632,106 @@ class ParenthesisExpr extends Conversion, @parexpr {
   override string getAPrimaryQlClass() { result = "ParenthesisExpr" }
 }
 
+/**
+ * A node representing a C11 `_Generic` selection expression.
+ *
+ * For example:
+ * ```
+ * _Generic(e, int: "int", default: "unknown")
+ * ```
+ */
+class C11GenericExpr extends Conversion, @c11_generic {
+  int associationCount;
+
+  C11GenericExpr() { associationCount = (count(this.getAChild()) - 1) / 2 }
+
+  override string toString() { result = "_Generic" }
+
+  override string getAPrimaryQlClass() { result = "C11GenericExpr" }
+
+  /**
+   * Gets the controlling expression of the generic selection.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * the result is `e`.
+   */
+  Expr getControllingExpr() { result = this.getChild(0) }
+
+  /**
+   * Gets the type of the `n`th element in the association list of the generic selection.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * the type of the 0th element is `int`. In the case of the default element the
+   * type will an instance of `VoidType`.
+   */
+  Type getAssociationType(int n) {
+    n in [0 .. associationCount - 1] and
+    result = this.getChild(n * 2 + 1).(TypeName).getType()
+  }
+
+  /**
+   * Gets the type of an element in the association list of the generic selection.
+   */
+  Type getAnAssociationType() { result = this.getAssociationType(_) }
+
+  /**
+   * Gets the expression of the `n`th element in the association list of
+   * the generic selection.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * the expression for 0th element is `"a"`, and the expression for the
+   * 1st element is `"b"`. For the selected expression, this predicate
+   * will yield a `ReuseExpr`, such that
+   * ```
+   * this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
+   * ```
+   */
+  Expr getAssociationExpr(int n) {
+    n in [0 .. associationCount - 1] and
+    result = this.getChild(n * 2 + 2)
+  }
+
+  /**
+   * Gets the expression of an element in the association list of the generic selection.
+   */
+  Expr getAnAssociationExpr() { result = this.getAssociationExpr(_) }
+
+  /**
+   * Holds if the `n`th element of the association list of the generic selection is the
+   * default element.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * this holds for 1.
+   */
+  predicate isDefaultAssociation(int n) { this.getAssociationType(n) instanceof VoidType }
+
+  /**
+   * Holds if the `n`th element of the association list of the generic selection is the
+   * one whose expression was selected.
+   *
+   * For example, with `e` of type `int` and
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * this holds for 0.
+   */
+  predicate isSelectedAssociation(int n) {
+    this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
+  }
+}
+
 /**
  * A C/C++ expression that could not be resolved, or that can no longer be
  * represented due to a database upgrade or downgrade.
@@ -668,6 +768,8 @@ class AssumeExpr extends Expr, @assume {
 
 /**
  * A C/C++ comma expression.
+ *
+ * For example:
  * ```
  * int c = compute1(), compute2(), resulting_value;
  * ```

cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll

@@ -195,17 +195,6 @@ class ClassAggregateLiteral extends AggregateLiteral {
    */
   Expr getAFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
 
-  /**
-   * DEPRECATED: Use `getAFieldExpr` instead.
-   *
-   * Gets the expression within the aggregate literal that is used to initialize
-   * field `field`, if present.
-   *
-   * This predicate may have multiple results since a field can be initialized
-   * multiple times in the same initializer.
-   */
-  deprecated Expr getFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
-
   /**
    * Gets the expression within the aggregate literal that is used to initialize
    * field `field`, if present. The expression is the `position`'th entry in the
@@ -300,17 +289,6 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
    */
   Expr getAnElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
 
-  /**
-   * DEPRECATED: Use `getAnElementExpr` instead.
-   *
-   * Gets the expression within the aggregate literal that is used to initialize
-   * element `elementIndex`, if present.
-   *
-   * This predicate may have multiple results since an element can be initialized
-   * multiple times in the same initializer.
-   */
-  deprecated Expr getElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
-
   /**
    * Gets the expression within the aggregate literal that is used to initialize
    * element `elementIndex`, if present. The expression is the `position`'th entry

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -50,9 +50,6 @@ abstract private class AbstractIRVariable extends TIRVariable {
    */
   abstract Language::AST getAst();
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
   /**
    * Gets an identifier string for the variable. This identifier is unique
    * within the function.
@@ -96,9 +93,6 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {
 
   final override Language::AST getAst() { result = var }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
   final override string getUniqueId() {
     result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
   }
@@ -163,9 +157,6 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {
 
   final override Language::AST getAst() { result = ast }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
   override string toString() { result = this.getBaseString() + this.getLocationString() }
 
   override string getUniqueId() { none() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -285,9 +285,6 @@ abstract private class MemoryLocation0 extends TMemoryLocation {
   predicate isAlwaysAllocatedOnStack() { none() }
 
   final predicate canReuseSsa() { none() }
-
-  /** DEPRECATED: Alias for canReuseSsa */
-  deprecated predicate canReuseSSA() { this.canReuseSsa() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -50,9 +50,6 @@ abstract private class AbstractIRVariable extends TIRVariable {
    */
   abstract Language::AST getAst();
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
   /**
    * Gets an identifier string for the variable. This identifier is unique
    * within the function.
@@ -96,9 +93,6 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {
 
   final override Language::AST getAst() { result = var }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
   final override string getUniqueId() {
     result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
   }
@@ -163,9 +157,6 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {
 
   final override Language::AST getAst() { result = ast }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
   override string toString() { result = this.getBaseString() + this.getLocationString() }
 
   override string getUniqueId() { none() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -216,9 +216,6 @@ abstract class TranslatedSideEffects extends TranslatedElement {
 
   final override Locatable getAst() { result = this.getExpr() }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override Declaration getFunction() { result = getEnclosingDeclaration(this.getExpr()) }
 
   final override TranslatedElement getChild(int i) {
@@ -616,9 +613,6 @@ class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect,
 
   final override Locatable getAst() { result = arg }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override Type getIndirectionType() {
     result = arg.getUnspecifiedType().(DerivedType).getBaseType()
     or
@@ -651,9 +645,6 @@ class TranslatedStructorQualifierSideEffect extends TranslatedArgumentSideEffect
 
   final override Locatable getAst() { result = call }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override Type getIndirectionType() { result = call.getTarget().getDeclaringType() }
 
   final override string getArgString() { result = "this" }
@@ -675,9 +666,6 @@ class TranslatedCallSideEffect extends TranslatedSideEffect, TTranslatedCallSide
 
   override Locatable getAst() { result = expr }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   override Expr getPrimaryExpr() { result = expr }
 
   override predicate sortOrder(int group, int indexInGroup) {
@@ -716,9 +704,6 @@ class TranslatedAllocationSideEffect extends TranslatedSideEffect, TTranslatedAl
 
   override Locatable getAst() { result = expr }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   override Expr getPrimaryExpr() { result = expr }
 
   override predicate sortOrder(int group, int indexInGroup) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll

@@ -29,9 +29,6 @@ abstract class TranslatedCondition extends TranslatedElement {
 
   final override Locatable getAst() { result = expr }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final ConditionContext getConditionContext() { result = this.getParent() }
 
   final Expr getExpr() { result = expr }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll

@@ -45,9 +45,6 @@ abstract class TranslatedDeclarationEntry extends TranslatedElement, TTranslated
   final override string toString() { result = entry.toString() }
 
   final override Locatable getAst() { result = entry.getAst() }
-
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
 }
 
 /**
@@ -248,9 +245,6 @@ class TranslatedStaticLocalVariableInitialization extends TranslatedElement,
 
   final override Locatable getAst() { result = entry.getAst() }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override LocalVariable getVariable() { result = var }
 
   final override Declaration getFunction() { result = var.getFunction() }
@@ -277,9 +271,6 @@ class TranslatedConditionDecl extends TranslatedLocalVariableDeclaration, TTrans
 
   override Locatable getAst() { result = conditionDeclExpr }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   override Declaration getFunction() { result = getEnclosingFunction(conditionDeclExpr) }
 
   override LocalVariable getVariable() { result = conditionDeclExpr.getVariable() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -128,6 +128,9 @@ private predicate ignoreExprAndDescendants(Expr expr) {
     vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
   )
   or
+  // The children of C11 _Generic expressions are just surface syntax.
+  exists(C11GenericExpr generic | generic.getAChild() = expr)
+  or
   // Do not translate implicit destructor calls for unnamed temporary variables that are
   // conditionally constructed (until we have a mechanism for calling these only when the
   // temporary's constructor was run)
@@ -432,6 +435,9 @@ predicate ignoreLoad(Expr expr) {
     // The load is duplicated from the right operand.
     isExtractorFrontendVersion65OrHigher() and expr instanceof CommaExpr
     or
+    // The load is duplicated from the chosen expression.
+    expr instanceof C11GenericExpr
+    or
     expr.(PointerDereferenceExpr).getOperand().getFullyConverted().getType().getUnspecifiedType()
       instanceof FunctionPointerType
     or
@@ -920,9 +926,6 @@ abstract class TranslatedElement extends TTranslatedElement {
    */
   abstract Locatable getAst();
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated Locatable getAST() { result = this.getAst() }
-
   /** Gets the location of this element. */
   Location getLocation() { result = this.getAst().getLocation() }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -893,7 +893,8 @@ class TranslatedTransparentConversion extends TranslatedTransparentExpr {
     (
       expr instanceof ParenthesisExpr or
       expr instanceof ReferenceDereferenceExpr or
-      expr instanceof ReferenceToExpr
+      expr instanceof ReferenceToExpr or
+      expr instanceof C11GenericExpr
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -67,9 +67,6 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
 
   final override Locatable getAst() { result = func }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   /**
    * Gets the function being translated.
    */
@@ -483,9 +480,6 @@ class TranslatedThisParameter extends TranslatedParameter, TTranslatedThisParame
 
   final override Locatable getAst() { result = func }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override Function getFunction() { result = func }
 
   final override predicate hasIndirection() { any() }
@@ -518,9 +512,6 @@ class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedPara
 
   final override Locatable getAst() { result = param }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override Function getFunction() {
     result = param.getFunction() or
     result = param.getCatchBlock().getEnclosingFunction()
@@ -558,9 +549,6 @@ class TranslatedEllipsisParameter extends TranslatedParameter, TTranslatedEllips
 
   final override Locatable getAst() { result = func }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override Function getFunction() { result = func }
 
   final override predicate hasIndirection() { any() }
@@ -597,9 +585,6 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon
 
   override Locatable getAst() { result = func }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   override TranslatedElement getChild(int id) {
     exists(ConstructorFieldInit fieldInit |
       fieldInit = func.(Constructor).getInitializer(id) and
@@ -677,9 +662,6 @@ class TranslatedDestructorDestructionList extends TranslatedElement,
 
   override Locatable getAst() { result = func }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   override TranslatedElement getChild(int id) {
     exists(DestructorFieldDestruction fieldDestruction |
       fieldDestruction = func.(Destructor).getDestruction(id) and
@@ -733,9 +715,6 @@ class TranslatedReadEffects extends TranslatedElement, TTranslatedReadEffects {
 
   override Locatable getAst() { result = func }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   override Function getFunction() { result = func }
 
   override string toString() { result = "read effects: " + func.toString() }
@@ -839,9 +818,6 @@ class TranslatedThisReadEffect extends TranslatedReadEffect, TTranslatedThisRead
 
   override Locatable getAst() { result = func }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   override Function getFunction() { result = func }
 
   override string toString() { result = "read effect: this" }
@@ -865,9 +841,6 @@ class TranslatedParameterReadEffect extends TranslatedReadEffect, TTranslatedPar
 
   override Locatable getAst() { result = param }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   override string toString() { result = "read effect: " + param.toString() }
 
   override Function getFunction() { result = param.getFunction() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -153,9 +153,6 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn
 
   final override Locatable getAst() { result = expr }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   /**
    * Gets the expression that is doing the initialization.
    */
@@ -528,9 +525,6 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
 
   final override Locatable getAst() { result = ast }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override Declaration getFunction() {
     result = getEnclosingFunction(ast) or
     result = getEnclosingVariable(ast).(GlobalOrNamespaceVariable) or
@@ -701,9 +695,6 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
 
   final override Locatable getAst() { result = initList }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override Declaration getFunction() {
     result = getEnclosingFunction(initList)
     or
@@ -912,9 +903,6 @@ abstract class TranslatedStructorCallFromStructor extends TranslatedElement, Str
 
   final override Locatable getAst() { result = call }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override TranslatedElement getChild(int id) {
     id = 0 and
     result = this.getStructorCall()
@@ -1058,9 +1046,6 @@ class TranslatedConstructorBareInit extends TranslatedElement, TTranslatedConstr
 
   override Locatable getAst() { result = init }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override string toString() { result = "construct base (no constructor)" }
 
   override Instruction getFirstInstruction(EdgeKind kind) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -268,9 +268,6 @@ abstract class TranslatedStmt extends TranslatedElement, TTranslatedStmt {
 
   final override Locatable getAst() { result = stmt }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override Function getFunction() { result = stmt.getEnclosingFunction() }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll

@@ -50,9 +50,6 @@ abstract private class AbstractIRVariable extends TIRVariable {
    */
   abstract Language::AST getAst();
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
   /**
    * Gets an identifier string for the variable. This identifier is unique
    * within the function.
@@ -96,9 +93,6 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {
 
   final override Language::AST getAst() { result = var }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
   final override string getUniqueId() {
     result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
   }
@@ -163,9 +157,6 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {
 
   final override Language::AST getAst() { result = ast }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
   override string toString() { result = this.getBaseString() + this.getLocationString() }
 
   override string getUniqueId() { none() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll

@@ -71,9 +71,6 @@ class MemoryLocation extends TMemoryLocation {
   final string getUniqueId() { result = var.getUniqueId() }
 
   final predicate canReuseSsa() { canReuseSsaForVariable(var) }
-
-  /** DEPRECATED: Alias for canReuseSsa */
-  deprecated predicate canReuseSSA() { this.canReuseSsa() }
 }
 
 predicate canReuseSsaForOldResult(Instruction instr) { none() }

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -5,13 +5,13 @@
  */
 
 import semmle.code.cpp.models.interfaces.Allocation
-import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.DataFlow
 
 /**
  * An allocation function (such as `realloc`) that has an argument for the size
  * in bytes, and an argument for an existing pointer that is to be reallocated.
  */
-private class ReallocAllocationFunction extends AllocationFunction, TaintFunction {
+private class ReallocAllocationFunction extends AllocationFunction, DataFlowFunction {
   int sizeArg;
   int reallocArg;
 
@@ -44,7 +44,7 @@ private class ReallocAllocationFunction extends AllocationFunction, TaintFunctio
 
   override int getReallocPtrArg() { result = reallocArg }
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(this.getReallocPtrArg()) and output.isReturnValueDeref()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll

@@ -26,7 +26,7 @@ private class Swap extends DataFlowFunction {
  * obj1.swap(obj2)
  * ```
  */
-private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
+private class MemberSwap extends DataFlowFunction, MemberFunction, AliasFunction {
   MemberSwap() {
     this.hasName("swap") and
     this.getNumberOfParameters() = 1 and
@@ -34,7 +34,7 @@ private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
       this.getDeclaringType()
   }
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
     output.isParameterDeref(0)
     or

cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll

@@ -353,22 +353,6 @@ module BoostorgAsio {
   }
 
   //////////////////////// Dataflow /////////////////////
-  /**
-   * Abstract class for flows of protocol values to the first argument of a context
-   * constructor.
-   */
-  abstract deprecated class SslContextCallAbstractConfig extends DataFlow::Configuration {
-    bindingset[this]
-    SslContextCallAbstractConfig() { any() }
-
-    override predicate isSink(DataFlow::Node sink) {
-      exists(ConstructorCall cc, SslContextClass c, Expr e | e = sink.asExpr() |
-        c.getAContructorCall() = cc and
-        cc.getArgument(0) = e
-      )
-    }
-  }
-
   /**
    * Signature for flows of protocol values to the first argument of a context
    * constructor.
@@ -402,20 +386,6 @@ module BoostorgAsio {
     import DataFlow::Global<C>
   }
 
-  /**
-   * Any protocol value that flows to the first argument of a context constructor.
-   */
-  deprecated class SslContextCallConfig extends SslContextCallAbstractConfig {
-    SslContextCallConfig() { this = "SslContextCallConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
-      exists(Expr e | e = source.asExpr() |
-        e.fromSource() and
-        not e.getLocation().getFile().toString().matches("%/boost/asio/%")
-      )
-    }
-  }
-
   /**
    * Any protocol value that flows to the first argument of a context constructor.
    */
@@ -430,21 +400,6 @@ module BoostorgAsio {
 
   module SslContextCallFlow = SslContextCallGlobal<SslContextCallConfig>;
 
-  /**
-   * A banned protocol value that flows to the first argument of a context constructor.
-   */
-  deprecated class SslContextCallBannedProtocolConfig extends SslContextCallAbstractConfig {
-    SslContextCallBannedProtocolConfig() { this = "SslContextCallBannedProtocolConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
-      exists(Expr e | e = source.asExpr() |
-        e.fromSource() and
-        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
-        isExprBannedBoostProtocol(e)
-      )
-    }
-  }
-
   /**
    * A banned protocol value that flows to the first argument of a context constructor.
    */
@@ -461,21 +416,6 @@ module BoostorgAsio {
   module SslContextCallBannedProtocolFlow =
     SslContextCallGlobal<SslContextCallBannedProtocolConfig>;
 
-  /**
-   * A TLS 1.2 protocol value that flows to the first argument of a context constructor.
-   */
-  deprecated class SslContextCallTls12ProtocolConfig extends SslContextCallAbstractConfig {
-    SslContextCallTls12ProtocolConfig() { this = "SslContextCallTls12ProtocolConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
-      exists(Expr e | e = source.asExpr() |
-        e.fromSource() and
-        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
-        isExprTls12BoostProtocol(e)
-      )
-    }
-  }
-
   /**
    * A TLS 1.2 protocol value that flows to the first argument of a context constructor.
    */
@@ -491,21 +431,6 @@ module BoostorgAsio {
 
   module SslContextCallTls12ProtocolFlow = SslContextCallGlobal<SslContextCallTls12ProtocolConfig>;
 
-  /**
-   * A TLS 1.3 protocol value that flows to the first argument of a context constructor.
-   */
-  deprecated class SslContextCallTls13ProtocolConfig extends SslContextCallAbstractConfig {
-    SslContextCallTls13ProtocolConfig() { this = "SslContextCallTls12ProtocolConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
-      exists(Expr e | e = source.asExpr() |
-        e.fromSource() and
-        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
-        isExprTls13BoostProtocol(e)
-      )
-    }
-  }
-
   /**
    * A TLS 1.3 protocol value that flows to the first argument of a context constructor.
    */
@@ -521,21 +446,6 @@ module BoostorgAsio {
 
   module SslContextCallTls13ProtocolFlow = SslContextCallGlobal<SslContextCallTls13ProtocolConfig>;
 
-  /**
-   * A generic TLS protocol value that flows to the first argument of a context constructor.
-   */
-  deprecated class SslContextCallTlsProtocolConfig extends SslContextCallAbstractConfig {
-    SslContextCallTlsProtocolConfig() { this = "SslContextCallTlsProtocolConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
-      exists(Expr e | e = source.asExpr() |
-        e.fromSource() and
-        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
-        isExprTlsBoostProtocol(e)
-      )
-    }
-  }
-
   /**
    * A generic TLS protocol value that flows to the first argument of a context constructor.
    */
@@ -551,30 +461,6 @@ module BoostorgAsio {
 
   module SslContextCallTlsProtocolFlow = SslContextCallGlobal<SslContextCallTlsProtocolConfig>;
 
-  /**
-   * A context constructor call that flows to a call to `SetOptions()`.
-   */
-  deprecated class SslContextFlowsToSetOptionConfig extends DataFlow::Configuration {
-    SslContextFlowsToSetOptionConfig() { this = "SslContextFlowsToSetOptionConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
-      exists(SslContextClass c, ConstructorCall cc |
-        cc = source.asExpr() and
-        c.getAContructorCall() = cc
-      )
-    }
-
-    override predicate isSink(DataFlow::Node sink) {
-      exists(FunctionCall fc, SslSetOptionsFunction f, Variable v, VariableAccess va |
-        va = sink.asExpr()
-      |
-        f.getACallToThisFunction() = fc and
-        v.getAnAccess() = va and
-        va = fc.getQualifier()
-      )
-    }
-  }
-
   /**
    * A context constructor call that flows to a call to `SetOptions()`.
    */
@@ -599,28 +485,6 @@ module BoostorgAsio {
 
   module SslContextFlowsToSetOptionFlow = DataFlow::Global<SslContextFlowsToSetOptionConfig>;
 
-  /**
-   * An option value that flows to the first parameter of a call to `SetOptions()`.
-   */
-  deprecated class SslOptionConfig extends DataFlow::Configuration {
-    SslOptionConfig() { this = "SslOptionConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
-      exists(Expr e | e = source.asExpr() |
-        e.fromSource() and
-        not e.getLocation().getFile().toString().matches("%/boost/asio/%")
-      )
-    }
-
-    override predicate isSink(DataFlow::Node sink) {
-      exists(SslSetOptionsFunction f, FunctionCall call |
-        sink.asExpr() = call.getArgument(0) and
-        f.getACallToThisFunction() = call and
-        not sink.getLocation().getFile().toString().matches("%/boost/asio/%")
-      )
-    }
-  }
-
   /**
    * An option value that flows to the first parameter of a call to `SetOptions()`.
    */

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -384,11 +384,23 @@ function_return_type(
  */
 coroutine(
   unique int function: @function ref,
-  int traits: @type ref,
-  int handle: @variable ref,
-  int promise: @variable ref
+  int traits: @type ref
 );
 
+/*
+case @coroutine_placeholder_variable.kind of
+  1 = @handle
+| 2 = @promise
+| 3 = @init_await_resume
+;
+*/
+
+coroutine_placeholder_variable(
+  unique int placeholder_variable: @variable ref,
+  int kind: int ref,
+  int function: @function ref
+)
+
 /** The `new` function used for allocating the coroutine state, if any. */
 coroutine_new(
   unique int function: @function ref,
@@ -829,22 +841,6 @@ variable_template_argument_value(
     int arg_value: @expr ref
 );
 
-/*
-  Fixed point types
-  precision(1) = short, precision(2) = default, precision(3) = long
-  is_unsigned(1) = unsigned is_unsigned(2) = signed
-  is_fract_type(1) = declared with _Fract
-  saturating(1) = declared with _Sat
-*/
-/* TODO
-fixedpointtypes(
-    unique int id: @fixedpointtype,
-    int precision: int ref,
-    int is_unsigned: int ref,
-    int is_fract_type: int ref,
-    int saturating: int ref);
-*/
-
 routinetypes(
     unique int id: @routinetype,
     int return_type: @type ref
@@ -1210,6 +1206,7 @@ conversionkinds(
             | @reference_to
             | @ref_indirect
             | @temp_init
+            | @c11_generic
             ;
 
 /*
@@ -1792,6 +1789,7 @@ case @expr.kind of
 | 386 = @isscopedenum
 | 387 = @istriviallyrelocatable
 | 388 = @datasizeof
+| 389 = @c11_generic
 ;
 
 @var_args_expr = @vastartexpr

cpp/ql/lib/upgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/upgrade.properties

@@ -0,0 +1,2 @@
+description: Expose C11 _Generics
+compatibility: backwards

cpp/ql/lib/upgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/upgrade.properties

@@ -0,0 +1,4 @@
+description: Improve handling of coroutine placeholder variables
+compatibility: partial
+coroutine.rel: run upgrades.qlo new_coroutine
+coroutine_placeholder_variable.rel: run upgrades.qlo new_coroutine_placeholder_variable

cpp/ql/lib/upgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/upgrades.ql

@@ -0,0 +1,19 @@
+class Function extends @function {
+  string toString() { none() }
+}
+
+class Type extends @type {
+  string toString() { none() }
+}
+
+class Variable extends @variable {
+  string toString() { none() }
+}
+
+query predicate new_coroutine(Function func, Type traits) { coroutine(func, traits, _, _) }
+
+query predicate new_coroutine_placeholder_variable(Variable var, int kind, Function func) {
+  coroutine(func, _, var, _) and kind = 1
+  or
+  coroutine(func, _, _, var) and kind = 2
+}

cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll

@@ -205,20 +205,6 @@ class ChecksForLeapYearFunctionCall extends FunctionCall {
   ChecksForLeapYearFunctionCall() { this.getTarget() instanceof ChecksForLeapYearFunction }
 }
 
-/**
- * Data flow configuration for finding a variable access that would flow into
- * a function call that includes an operation to check for leap year.
- */
-deprecated class LeapYearCheckConfiguration extends DataFlow::Configuration {
-  LeapYearCheckConfiguration() { this = "LeapYearCheckConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof VariableAccess }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument())
-  }
-}
-
 /**
  * Data flow configuration for finding a variable access that would flow into
  * a function call that includes an operation to check for leap year.
@@ -233,33 +219,6 @@ private module LeapYearCheckConfig implements DataFlow::ConfigSig {
 
 module LeapYearCheckFlow = DataFlow::Global<LeapYearCheckConfig>;
 
-/**
- * Data flow configuration for finding an operation with hardcoded 365 that will flow into
- * a `FILEINFO` field.
- */
-deprecated class FiletimeYearArithmeticOperationCheckConfiguration extends DataFlow::Configuration {
-  FiletimeYearArithmeticOperationCheckConfiguration() {
-    this = "FiletimeYearArithmeticOperationCheckConfiguration"
-  }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(Expr e, Operation op | e = source.asExpr() |
-      op.getAChild*().getValue().toInt() = 365 and
-      op.getAChild*() = e
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(StructLikeClass dds, FieldAccess fa, AssignExpr aexpr, Expr e | e = sink.asExpr() |
-      dds instanceof PackedTimeType and
-      fa.getQualifier().getUnderlyingType() = dds and
-      fa.isModified() and
-      aexpr.getAChild() = fa and
-      aexpr.getChild(1).getAChild*() = e
-    )
-  }
-}
-
 /**
  * Data flow configuration for finding an operation with hardcoded 365 that will flow into
  * a `FILEINFO` field.
@@ -286,51 +245,6 @@ private module FiletimeYearArithmeticOperationCheckConfig implements DataFlow::C
 module FiletimeYearArithmeticOperationCheckFlow =
   DataFlow::Global<FiletimeYearArithmeticOperationCheckConfig>;
 
-/**
- * Taint configuration for finding an operation with hardcoded 365 that will flow into any known date/time field.
- */
-deprecated class PossibleYearArithmeticOperationCheckConfiguration extends TaintTracking::Configuration
-{
-  PossibleYearArithmeticOperationCheckConfiguration() {
-    this = "PossibleYearArithmeticOperationCheckConfiguration"
-  }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(Operation op | op = source.asExpr() |
-      op.getAChild*().getValue().toInt() = 365 and
-      (
-        not op.getParent() instanceof Expr or
-        op.getParent() instanceof Assignment
-      )
-    )
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    // flow from anything on the RHS of an assignment to a time/date structure to that
-    // assignment.
-    exists(StructLikeClass dds, FieldAccess fa, Assignment aexpr, Expr e |
-      e = node1.asExpr() and
-      fa = node2.asExpr()
-    |
-      (dds instanceof PackedTimeType or dds instanceof UnpackedTimeType) and
-      fa.getQualifier().getUnderlyingType() = dds and
-      aexpr.getLValue() = fa and
-      aexpr.getRValue().getAChild*() = e
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(StructLikeClass dds, FieldAccess fa, AssignExpr aexpr |
-      aexpr.getRValue() = sink.asExpr()
-    |
-      (dds instanceof PackedTimeType or dds instanceof UnpackedTimeType) and
-      fa.getQualifier().getUnderlyingType() = dds and
-      fa.isModified() and
-      aexpr.getLValue() = fa
-    )
-  }
-}
-
 /**
  * Taint configuration for finding an operation with hardcoded 365 that will flow into any known date/time field.
  */

cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll

@@ -129,24 +129,6 @@ class NetworkFunctionCall extends FunctionCall {
   NetworkFunctionCall() { this.getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
 }
 
-deprecated class NetworkToBufferSizeConfiguration extends DataFlow::Configuration {
-  NetworkToBufferSizeConfiguration() { this = "NetworkToBufferSizeConfiguration" }
-
-  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof NetworkFunctionCall }
-
-  override predicate isSink(DataFlow::Node node) {
-    node.asExpr() = any(BufferAccess ba).getAccessedLength()
-  }
-
-  override predicate isBarrier(DataFlow::Node node) {
-    exists(GuardCondition gc, GVN gvn |
-      gc.getAChild*() = gvn.getAnExpr() and
-      globalValueNumber(node.asExpr()) = gvn and
-      gc.controls(node.asExpr().getBasicBlock(), _)
-    )
-  }
-}
-
 private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { node.asExpr() instanceof NetworkFunctionCall }
 

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll

@@ -41,20 +41,6 @@ class ExternalApiDataNode extends DataFlow::Node {
   string getFunctionDescription() { result = this.getExternalFunction().toString() }
 }
 
-/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
-deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
-  UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(RemoteFlowSourceFunction remoteFlow |
-      remoteFlow = source.asExpr().(Call).getTarget() and
-      remoteFlow.hasRemoteFlowSource(_, _)
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
-}
-
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll

@@ -41,15 +41,6 @@ class ExternalApiDataNode extends DataFlow::Node {
   string getFunctionDescription() { result = this.getExternalFunction().toString() }
 }
 
-/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
-deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
-  UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfigIR" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
-}
-
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

cpp/ql/src/experimental/Security/CWE/CWE-409/Brotli.qll

@@ -0,0 +1,26 @@
+/**
+ * https://github.com/google/brotli
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `BrotliDecoderDecompress` function is used in flow sink.
+ * See https://www.brotli.org/decode.html.
+ */
+class BrotliDecoderDecompressFunction extends DecompressionFunction {
+  BrotliDecoderDecompressFunction() { this.hasGlobalName("BrotliDecoderDecompress") }
+
+  override int getArchiveParameterIndex() { result = 1 }
+}
+
+/**
+ * The `BrotliDecoderDecompressStream` function is used in flow sink.
+ * See https://www.brotli.org/decode.html.
+ */
+class BrotliDecoderDecompressStreamFunction extends DecompressionFunction {
+  BrotliDecoderDecompressStreamFunction() { this.hasGlobalName("BrotliDecoderDecompressStream") }
+
+  override int getArchiveParameterIndex() { result = 2 }
+}

cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBomb.qll

@@ -0,0 +1,26 @@
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import MiniZip
+import ZlibGzopen
+import ZlibInflator
+import ZlibUncompress
+import LibArchive
+import ZSTD
+import Brotli
+
+/**
+ * The Decompression Sink instances, extend this class to define new decompression sinks.
+ */
+abstract class DecompressionFunction extends Function {
+  abstract int getArchiveParameterIndex();
+}
+
+/**
+ * The Decompression Flow Steps, extend this class to define new decompression sinks.
+ */
+abstract class DecompressionFlowStep extends string {
+  bindingset[this]
+  DecompressionFlowStep() { any() }
+
+  abstract predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2);
+}

cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.qhelp

@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Extracting Compressed files with any compression algorithm like gzip can cause denial of service attacks.</p>
+<p>Attackers can compress a huge file consisting of repeated similiar bytes into a small compressed file.</p>
+</overview>
+<recommendation>
+
+<p>When you want to decompress a user-provided compressed file you must be careful about the decompression ratio or read these files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop.</p>
+
+</recommendation>
+<example>
+
+<p>
+Reading an uncompressed Gzip file within a loop and check for a threshold size in each cycle.
+</p>
+<sample src="example_good.cpp"/>
+
+<p>
+The following example is unsafe, as we do not check the uncompressed size.
+</p>
+<sample src="example_bad.cpp" />
+
+</example>
+
+<references>
+
+<li>
+<a href="https://zlib.net/manual.html">Zlib documentation</a>
+</li>
+
+<li>
+<a href="https://www.bamsoftware.com/hacks/zipbomb/">An explanation of the attack</a>
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql

@@ -0,0 +1,40 @@
+/**
+ * @name User-controlled file decompression
+ * @description User-controlled data that flows into decompression library APIs without checking the compression rate is dangerous
+ * @kind path-problem
+ * @problem.severity error
+ * @precision low
+ * @id cpp/data-decompression-bomb
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-409
+ */
+
+import cpp
+import semmle.code.cpp.security.FlowSources
+import DecompressionBomb
+
+predicate isSink(FunctionCall fc, DataFlow::Node sink) {
+  exists(DecompressionFunction f | fc.getTarget() = f |
+    fc.getArgument(f.getArchiveParameterIndex()) = [sink.asExpr(), sink.asIndirectExpr()]
+  )
+}
+
+module DecompressionTaintConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
+
+  predicate isSink(DataFlow::Node sink) { isSink(_, sink) }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(DecompressionFlowStep s).isAdditionalFlowStep(node1, node2)
+  }
+}
+
+module DecompressionTaint = TaintTracking::Global<DecompressionTaintConfig>;
+
+import DecompressionTaint::PathGraph
+
+from DecompressionTaint::PathNode source, DecompressionTaint::PathNode sink, FunctionCall fc
+where DecompressionTaint::flowPath(source, sink) and isSink(fc, sink.getNode())
+select sink.getNode(), source, sink, "The decompression output of $@ is not limited", fc,
+  fc.getTarget().getName()

cpp/ql/src/experimental/Security/CWE/CWE-409/LibArchive.qll

@@ -0,0 +1,32 @@
+/**
+ * https://github.com/libarchive/libarchive/wiki
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `archive_read_data*` functions are used in flow sink.
+ * See https://github.com/libarchive/libarchive/wiki/Examples.
+ */
+class Archive_read_data_block extends DecompressionFunction {
+  Archive_read_data_block() {
+    this.hasGlobalName(["archive_read_data_block", "archive_read_data", "archive_read_data_into_fd"])
+  }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `archive_read_open_filename` function as a flow step.
+ */
+class ReadOpenFunctionStep extends DecompressionFlowStep {
+  ReadOpenFunctionStep() { this = "ReadOpenFunction" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc | fc.getTarget().hasGlobalName("archive_read_open_filename") |
+      node1.asIndirectExpr() = fc.getArgument(1) and
+      node2.asIndirectExpr() = fc.getArgument(0)
+    )
+  }
+}

cpp/ql/src/experimental/Security/CWE/CWE-409/MiniZip.qll

@@ -0,0 +1,56 @@
+/**
+ * https://github.com/zlib-ng/minizip-ng
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `mz_zip_entry` function is used in flow sink.
+ * See https://github.com/zlib-ng/minizip-ng/blob/master/doc/mz_zip.md.
+ */
+class Mz_zip_entry extends DecompressionFunction {
+  Mz_zip_entry() { this.hasGlobalName("mz_zip_entry_read") }
+
+  override int getArchiveParameterIndex() { result = 1 }
+}
+
+/**
+ * The `mz_zip_reader_entry_*` and `mz_zip_reader_save_all` functions are used in flow sink.
+ * See https://github.com/zlib-ng/minizip-ng/blob/master/doc/mz_zip_rw.md.
+ */
+class Mz_zip_reader_entry extends DecompressionFunction {
+  Mz_zip_reader_entry() {
+    this.hasGlobalName([
+        "mz_zip_reader_entry_save", "mz_zip_reader_entry_read", "mz_zip_reader_entry_save_process",
+        "mz_zip_reader_entry_save_file", "mz_zip_reader_entry_save_buffer", "mz_zip_reader_save_all"
+      ])
+  }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `UnzOpen*` functions are used in flow sink.
+ */
+class UnzOpenFunction extends DecompressionFunction {
+  UnzOpenFunction() { this.hasGlobalName(["UnzOpen", "unzOpen64", "unzOpen2", "unzOpen2_64"]) }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `mz_zip_reader_open_file` and `mz_zip_reader_open_file_in_memory` functions as a flow step.
+ */
+class ReaderOpenFunctionStep extends DecompressionFlowStep {
+  ReaderOpenFunctionStep() { this = "ReaderOpenFunctionStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc |
+      fc.getTarget().hasGlobalName(["mz_zip_reader_open_file_in_memory", "mz_zip_reader_open_file"])
+    |
+      node1.asIndirectExpr() = fc.getArgument(1) and
+      node2.asIndirectExpr() = fc.getArgument(0)
+    )
+  }
+}

cpp/ql/src/experimental/Security/CWE/CWE-409/ZSTD.qll

@@ -0,0 +1,88 @@
+/**
+ * https://github.com/facebook/zstd/blob/dev/examples/streaming_decompression.c
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `ZSTD_decompress`  function is used in flow sink.
+ */
+class ZstdDecompressFunction extends DecompressionFunction {
+  ZstdDecompressFunction() { this.hasGlobalName("ZSTD_decompress") }
+
+  override int getArchiveParameterIndex() { result = 2 }
+}
+
+/**
+ * The `ZSTD_decompressDCtx` function is used in flow sink.
+ */
+class ZstdDecompressDctxFunction extends DecompressionFunction {
+  ZstdDecompressDctxFunction() { this.hasGlobalName("ZSTD_decompressDCtx") }
+
+  override int getArchiveParameterIndex() { result = 3 }
+}
+
+/**
+ * The `ZSTD_decompressStream` function is used in flow sink.
+ */
+class ZstdDecompressStreamFunction extends DecompressionFunction {
+  ZstdDecompressStreamFunction() { this.hasGlobalName("ZSTD_decompressStream") }
+
+  override int getArchiveParameterIndex() { result = 2 }
+}
+
+/**
+ * The `ZSTD_decompress_usingDDict` function is used in flow sink.
+ */
+class ZstdDecompressUsingDdictFunction extends DecompressionFunction {
+  ZstdDecompressUsingDdictFunction() { this.hasGlobalName("ZSTD_decompress_usingDDict") }
+
+  override int getArchiveParameterIndex() { result = 3 }
+}
+
+/**
+ * The `fopen_orDie` function as a flow step.
+ */
+class FopenOrDieFunctionStep extends DecompressionFlowStep {
+  FopenOrDieFunctionStep() { this = "FopenOrDieFunctionStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc | fc.getTarget().hasGlobalName("fopen_orDie") |
+      node1.asIndirectExpr() = fc.getArgument(0) and
+      node2.asExpr() = fc
+    )
+  }
+}
+
+/**
+ * The `fread_orDie` function as a flow step.
+ */
+class FreadOrDieFunctionStep extends DecompressionFlowStep {
+  FreadOrDieFunctionStep() { this = "FreadOrDieFunctionStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc | fc.getTarget().hasGlobalName("fread_orDie") |
+      node1.asExpr() = fc.getArgument(2) and
+      node2.asIndirectExpr() = fc.getArgument(0)
+    )
+  }
+}
+
+/**
+ * The `src` member of a `ZSTD_inBuffer` variable is used in a flow steps.
+ */
+class SrcMember extends DecompressionFlowStep {
+  SrcMember() { this = "SrcMember" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(VariableAccess inBufferAccess, Field srcField, ClassAggregateLiteral c |
+      inBufferAccess.getType().hasName("ZSTD_inBuffer") and
+      srcField.hasName("src")
+    |
+      node2.asExpr() = inBufferAccess and
+      inBufferAccess.getTarget().getInitializer().getExpr() = c and
+      node1.asIndirectExpr() = c.getFieldExpr(srcField, _)
+    )
+  }
+}

cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibGzopen.qll

@@ -0,0 +1,71 @@
+/**
+ * https://www.zlib.net/
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `gzfread` function is used in flow sink.
+ *
+ * `gzfread(voidp buf, z_size_t size, z_size_t nitems, gzFile file)`
+ */
+class GzFreadFunction extends DecompressionFunction {
+  GzFreadFunction() { this.hasGlobalName("gzfread") }
+
+  override int getArchiveParameterIndex() { result = 3 }
+}
+
+/**
+ * The `gzgets` function is used in flow sink.
+ *
+ * `gzgets(gzFile file, char *buf, int len)`
+ */
+class GzGetsFunction extends DecompressionFunction {
+  GzGetsFunction() { this.hasGlobalName("gzgets") }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `gzread` function is used in flow sink.
+ *
+ * `gzread(gzFile file, voidp buf, unsigned len)`
+ */
+class GzReadFunction extends DecompressionFunction {
+  GzReadFunction() { this.hasGlobalName("gzread") }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `gzdopen` function is used in flow steps.
+ *
+ * `gzdopen(int fd, const char *mode)`
+ */
+class GzdopenFunctionStep extends DecompressionFlowStep {
+  GzdopenFunctionStep() { this = "GzdopenFunctionStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc | fc.getTarget().hasGlobalName("gzdopen") |
+      node1.asExpr() = fc.getArgument(0) and
+      node2.asExpr() = fc
+    )
+  }
+}
+
+/**
+ * The `gzopen` function is used in flow steps.
+ *
+ * `gzopen(const char *path, const char *mode)`
+ */
+class GzopenFunctionStep extends DecompressionFlowStep {
+  GzopenFunctionStep() { this = "GzopenFunctionStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc | fc.getTarget().hasGlobalName("gzopen") |
+      node1.asIndirectExpr() = fc.getArgument(0) and
+      node2.asExpr() = fc
+    )
+  }
+}

cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibInflator.qll

@@ -0,0 +1,37 @@
+/**
+ * https://www.zlib.net/
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `inflate` and `inflateSync` functions are used in flow sink.
+ *
+ * `inflate(z_stream strm, int flush)`
+ *
+ * `inflateSync(z_stream strm)`
+ */
+class InflateFunction extends DecompressionFunction {
+  InflateFunction() { this.hasGlobalName(["inflate", "inflateSync"]) }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `next_in` member of a `z_stream` variable is used in a flow steps.
+ */
+class NextInMemberStep extends DecompressionFlowStep {
+  NextInMemberStep() { this = "NextInMemberStep" }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(Variable nextInVar |
+      nextInVar.getDeclaringType().hasName("z_stream") and
+      nextInVar.hasName("next_in")
+    |
+      node1.asIndirectExpr() = nextInVar.getAnAssignedValue() and
+      node2.asExpr() =
+        nextInVar.getAnAccess().getQualifier().(VariableAccess).getTarget().getAnAccess()
+    )
+  }
+}

cpp/ql/src/experimental/Security/CWE/CWE-409/ZlibUncompress.qll

@@ -0,0 +1,15 @@
+/**
+ * https://www.zlib.net/
+ */
+
+import cpp
+import DecompressionBomb
+
+/**
+ * The `uncompress`/`uncompress2` function is used in flow sink.
+ */
+class UncompressFunction extends DecompressionFunction {
+  UncompressFunction() { this.hasGlobalName(["uncompress", "uncompress2"]) }
+
+  override int getArchiveParameterIndex() { result = 2 }
+}

cpp/ql/src/experimental/Security/CWE/CWE-409/example_bad.cpp

@@ -0,0 +1,15 @@
+#include "zlib.h"
+
+void UnsafeGzread(gzFile inFileZ) {
+    const int BUFFER_SIZE = 8192;
+    unsigned char unzipBuffer[BUFFER_SIZE];
+    unsigned int unzippedBytes;
+    while (true) {
+        unzippedBytes = gzread(inFileZ, unzipBuffer, BUFFER_SIZE);
+        if (unzippedBytes <= 0) {
+            break;
+        }
+
+        // process buffer
+    }
+}

cpp/ql/src/experimental/Security/CWE/CWE-409/example_good.cpp

@@ -0,0 +1,23 @@
+#include "zlib.h"
+
+void SafeGzread(gzFile inFileZ) {
+    const int MAX_READ = 1024 * 1024 * 4;
+    const int BUFFER_SIZE = 8192;
+    unsigned char unzipBuffer[BUFFER_SIZE];
+    unsigned int unzippedBytes;
+    unsigned int totalRead = 0;
+    while (true) {
+        unzippedBytes = gzread(inFileZ, unzipBuffer, BUFFER_SIZE);
+        totalRead += unzippedBytes;
+        if (unzippedBytes <= 0) {
+            break;
+        }
+
+        if (totalRead > MAX_READ) {
+            // Possible decompression bomb, stop processing.
+            break;
+        } else {
+            // process buffer
+        }
+    }
+}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected

@@ -0,0 +1,239 @@
+edges
+| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance |  |
+| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | provenance |  |
+| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:21:30:21:52 | *access to array | provenance |  |
+| brotliTest.cpp:21:30:21:52 | *access to array | brotliTest.cpp:24:51:24:58 | **& ... | provenance |  |
+| libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:16:31:16:32 | *ar | provenance |  |
+| libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:22:41:22:42 | *ar | provenance |  |
+| libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | provenance |  |
+| libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:34:35:34:41 | *access to array | provenance |  |
+| libarchiveTests.cpp:34:32:34:32 | *a | libarchiveTests.cpp:38:27:38:27 | *a | provenance |  |
+| libarchiveTests.cpp:34:35:34:41 | *access to array | libarchiveTests.cpp:34:32:34:32 | *a | provenance | Config |
+| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:16:31:16:32 | *ar | provenance |  |
+| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:38:27:38:27 | read_data output argument | provenance |  |
+| libarchiveTests.cpp:38:27:38:27 | read_data output argument | libarchiveTests.cpp:38:27:38:27 | *a | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:8:23:8:26 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:9:27:9:30 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:10:24:10:27 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:11:21:11:24 | **argv | provenance |  |
+| main.cpp:7:33:7:36 | **argv | main.cpp:12:21:12:24 | **argv | provenance |  |
+| main.cpp:8:23:8:26 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance |  |
+| main.cpp:8:23:8:26 | **argv | main.cpp:8:23:8:26 | brotli_test output argument | provenance |  |
+| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:9:27:9:30 | **argv | provenance |  |
+| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:10:24:10:27 | **argv | provenance |  |
+| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:11:21:11:24 | **argv | provenance |  |
+| main.cpp:8:23:8:26 | brotli_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
+| main.cpp:9:27:9:30 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | provenance |  |
+| main.cpp:9:27:9:30 | **argv | main.cpp:9:27:9:30 | libarchive_test output argument | provenance |  |
+| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:10:24:10:27 | **argv | provenance |  |
+| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:11:21:11:24 | **argv | provenance |  |
+| main.cpp:9:27:9:30 | libarchive_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
+| main.cpp:10:24:10:27 | **argv | main.cpp:10:24:10:27 | minizip_test output argument | provenance |  |
+| main.cpp:10:24:10:27 | **argv | minizipTest.cpp:12:42:12:45 | **argv | provenance |  |
+| main.cpp:10:24:10:27 | minizip_test output argument | main.cpp:11:21:11:24 | **argv | provenance |  |
+| main.cpp:10:24:10:27 | minizip_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
+| main.cpp:11:21:11:24 | **argv | main.cpp:11:21:11:24 | zlib_test output argument | provenance |  |
+| main.cpp:11:21:11:24 | **argv | main.cpp:11:21:11:24 | zlib_test output argument | provenance |  |
+| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| main.cpp:11:21:11:24 | zlib_test output argument | main.cpp:12:21:12:24 | **argv | provenance |  |
+| main.cpp:11:21:11:24 | zlib_test output argument | main.cpp:12:21:12:24 | *argv | provenance |  |
+| main.cpp:12:21:12:24 | **argv | zstdTest.cpp:26:39:26:42 | **argv | provenance |  |
+| main.cpp:12:21:12:24 | *argv | zstdTest.cpp:26:39:26:42 | **argv | provenance |  |
+| main.cpp:12:21:12:24 | *argv | zstdTest.cpp:26:39:26:42 | *argv | provenance |  |
+| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:12:42:12:45 | **argv | provenance |  |
+| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | provenance |  |
+| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:24:41:24:47 | *access to array | provenance |  |
+| minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | provenance |  |
+| minizipTest.cpp:24:29:24:38 | **zip_reader | minizipTest.cpp:26:30:26:39 | **zip_reader | provenance |  |
+| minizipTest.cpp:24:29:24:38 | *zip_reader | minizipTest.cpp:26:30:26:39 | *zip_reader | provenance |  |
+| minizipTest.cpp:24:41:24:47 | *access to array | minizipTest.cpp:24:29:24:38 | **zip_reader | provenance | Config |
+| minizipTest.cpp:24:41:24:47 | *access to array | minizipTest.cpp:24:29:24:38 | *zip_reader | provenance | Config |
+| zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:20:25:20:39 | *input | provenance |  |
+| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:16:26:16:30 | *input | provenance |  |
+| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:24:17:24:26 | & ... | provenance | Config |
+| zlibTest.cpp:20:25:20:39 | *input | zlibTest.cpp:25:13:25:22 | & ... | provenance | Config |
+| zlibTest.cpp:24:17:24:26 | & ... | zlibTest.cpp:25:13:25:22 | & ... | provenance |  |
+| zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:38:29:38:36 | *fileName | provenance |  |
+| zlibTest.cpp:38:22:38:27 | call to gzopen | zlibTest.cpp:38:22:38:27 | call to gzopen | provenance |  |
+| zlibTest.cpp:38:22:38:27 | call to gzopen | zlibTest.cpp:41:20:41:26 | inFileZ | provenance |  |
+| zlibTest.cpp:38:29:38:36 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | provenance |  |
+| zlibTest.cpp:38:29:38:36 | *fileName | zlibTest.cpp:38:22:38:27 | call to gzopen | provenance | Config |
+| zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:48:29:48:36 | *fileName | provenance |  |
+| zlibTest.cpp:48:22:48:27 | call to gzopen | zlibTest.cpp:48:22:48:27 | call to gzopen | provenance |  |
+| zlibTest.cpp:48:22:48:27 | call to gzopen | zlibTest.cpp:51:38:51:44 | inFileZ | provenance |  |
+| zlibTest.cpp:48:29:48:36 | *fileName | zlibTest.cpp:47:26:47:33 | *fileName | provenance |  |
+| zlibTest.cpp:48:29:48:36 | *fileName | zlibTest.cpp:48:22:48:27 | call to gzopen | provenance | Config |
+| zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:58:29:58:36 | *fileName | provenance |  |
+| zlibTest.cpp:58:22:58:27 | call to gzopen | zlibTest.cpp:58:22:58:27 | call to gzopen | provenance |  |
+| zlibTest.cpp:58:22:58:27 | call to gzopen | zlibTest.cpp:62:25:62:31 | inFileZ | provenance |  |
+| zlibTest.cpp:58:29:58:36 | *fileName | zlibTest.cpp:57:25:57:32 | *fileName | provenance |  |
+| zlibTest.cpp:58:29:58:36 | *fileName | zlibTest.cpp:58:22:58:27 | call to gzopen | provenance | Config |
+| zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | provenance |  |
+| zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:77:45:77:59 | *input | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:81:19:81:25 | *access to array | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:82:18:82:24 | *access to array | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:83:19:83:25 | *access to array | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
+| zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
+| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:47:26:47:33 | *fileName | provenance |  |
+| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:82:18:82:24 | *access to array | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:83:19:83:25 | *access to array | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
+| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:57:25:57:32 | *fileName | provenance |  |
+| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | provenance |  |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:83:19:83:25 | *access to array | provenance |  |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
+| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | provenance |  |
+| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | provenance |  |
+| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
+| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:84:18:84:24 | *access to array | provenance |  |
+| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
+| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | provenance |  |
+| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | provenance |  |
+| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
+| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | zlibTest.cpp:85:19:85:25 | *access to array | provenance |  |
+| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | provenance |  |
+| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:85:19:85:25 | InflateString output argument | provenance |  |
+| zlibTest.cpp:85:19:85:25 | InflateString output argument | zlibTest.cpp:80:33:80:36 | **argv | provenance |  |
+| zlibTest.cpp:85:19:85:25 | InflateString output argument | zlibTest.cpp:80:33:80:36 | **argv [Return] | provenance |  |
+| zstdTest.cpp:26:39:26:42 | **argv | zstdTest.cpp:27:35:27:41 | *access to array | provenance |  |
+| zstdTest.cpp:26:39:26:42 | *argv | zstdTest.cpp:27:35:27:41 | *access to array | provenance |  |
+| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | zstdTest.cpp:27:23:27:33 | call to fopen_orDie | provenance |  |
+| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | zstdTest.cpp:35:52:35:54 | fin | provenance |  |
+| zstdTest.cpp:27:35:27:41 | *access to array | zstdTest.cpp:27:23:27:33 | call to fopen_orDie | provenance | Config |
+| zstdTest.cpp:35:32:35:37 | **buffIn | zstdTest.cpp:36:32:36:37 | **buffIn | provenance |  |
+| zstdTest.cpp:35:32:35:37 | *buffIn | zstdTest.cpp:36:32:36:37 | *buffIn | provenance |  |
+| zstdTest.cpp:35:52:35:54 | fin | zstdTest.cpp:35:32:35:37 | **buffIn | provenance | Config |
+| zstdTest.cpp:35:52:35:54 | fin | zstdTest.cpp:35:32:35:37 | *buffIn | provenance | Config |
+| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:35:32:35:37 | **buffIn | provenance |  |
+| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
+| zstdTest.cpp:36:32:36:37 | **buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
+| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:35:32:35:37 | *buffIn | provenance |  |
+| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
+| zstdTest.cpp:36:32:36:37 | *buffIn | zstdTest.cpp:39:69:39:74 | & ... | provenance | Config |
+| zstdTest.cpp:39:69:39:74 | & ... | zstdTest.cpp:39:69:39:74 | & ... | provenance |  |
+| zstdTest.cpp:39:69:39:74 | & ... | zstdTest.cpp:39:69:39:74 | & ... | provenance |  |
+nodes
+| brotliTest.cpp:15:41:15:44 | **argv | semmle.label | **argv |
+| brotliTest.cpp:15:41:15:44 | **argv | semmle.label | **argv |
+| brotliTest.cpp:18:35:18:53 | *access to array | semmle.label | *access to array |
+| brotliTest.cpp:21:30:21:52 | *access to array | semmle.label | *access to array |
+| brotliTest.cpp:24:51:24:58 | **& ... | semmle.label | **& ... |
+| libarchiveTests.cpp:16:31:16:32 | *ar | semmle.label | *ar |
+| libarchiveTests.cpp:16:31:16:32 | *ar | semmle.label | *ar |
+| libarchiveTests.cpp:22:41:22:42 | *ar | semmle.label | *ar |
+| libarchiveTests.cpp:30:45:30:48 | **argv | semmle.label | **argv |
+| libarchiveTests.cpp:30:45:30:48 | **argv | semmle.label | **argv |
+| libarchiveTests.cpp:34:32:34:32 | *a | semmle.label | *a |
+| libarchiveTests.cpp:34:35:34:41 | *access to array | semmle.label | *access to array |
+| libarchiveTests.cpp:38:27:38:27 | *a | semmle.label | *a |
+| libarchiveTests.cpp:38:27:38:27 | read_data output argument | semmle.label | read_data output argument |
+| main.cpp:7:33:7:36 | **argv | semmle.label | **argv |
+| main.cpp:8:23:8:26 | **argv | semmle.label | **argv |
+| main.cpp:8:23:8:26 | brotli_test output argument | semmle.label | brotli_test output argument |
+| main.cpp:9:27:9:30 | **argv | semmle.label | **argv |
+| main.cpp:9:27:9:30 | libarchive_test output argument | semmle.label | libarchive_test output argument |
+| main.cpp:10:24:10:27 | **argv | semmle.label | **argv |
+| main.cpp:10:24:10:27 | minizip_test output argument | semmle.label | minizip_test output argument |
+| main.cpp:11:21:11:24 | **argv | semmle.label | **argv |
+| main.cpp:11:21:11:24 | zlib_test output argument | semmle.label | zlib_test output argument |
+| main.cpp:11:21:11:24 | zlib_test output argument | semmle.label | zlib_test output argument |
+| main.cpp:12:21:12:24 | **argv | semmle.label | **argv |
+| main.cpp:12:21:12:24 | *argv | semmle.label | *argv |
+| minizipTest.cpp:12:42:12:45 | **argv | semmle.label | **argv |
+| minizipTest.cpp:12:42:12:45 | **argv | semmle.label | **argv |
+| minizipTest.cpp:17:52:17:67 | *access to array | semmle.label | *access to array |
+| minizipTest.cpp:24:29:24:38 | **zip_reader | semmle.label | **zip_reader |
+| minizipTest.cpp:24:29:24:38 | *zip_reader | semmle.label | *zip_reader |
+| minizipTest.cpp:24:41:24:47 | *access to array | semmle.label | *access to array |
+| minizipTest.cpp:26:30:26:39 | **zip_reader | semmle.label | **zip_reader |
+| minizipTest.cpp:26:30:26:39 | *zip_reader | semmle.label | *zip_reader |
+| minizipTest.cpp:28:13:28:19 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:16:26:16:30 | *input | semmle.label | *input |
+| zlibTest.cpp:16:26:16:30 | *input | semmle.label | *input |
+| zlibTest.cpp:20:25:20:39 | *input | semmle.label | *input |
+| zlibTest.cpp:24:17:24:26 | & ... | semmle.label | & ... |
+| zlibTest.cpp:25:13:25:22 | & ... | semmle.label | & ... |
+| zlibTest.cpp:37:25:37:32 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:37:25:37:32 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:38:22:38:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:38:22:38:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:38:29:38:36 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:41:20:41:26 | inFileZ | semmle.label | inFileZ |
+| zlibTest.cpp:47:26:47:33 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:47:26:47:33 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:48:22:48:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:48:22:48:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:48:29:48:36 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:51:38:51:44 | inFileZ | semmle.label | inFileZ |
+| zlibTest.cpp:57:25:57:32 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:57:25:57:32 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:58:22:58:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:58:22:58:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:58:29:58:36 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:62:25:62:31 | inFileZ | semmle.label | inFileZ |
+| zlibTest.cpp:71:26:71:30 | *input | semmle.label | *input |
+| zlibTest.cpp:71:26:71:30 | *input | semmle.label | *input |
+| zlibTest.cpp:77:45:77:59 | *input | semmle.label | *input |
+| zlibTest.cpp:80:33:80:36 | **argv | semmle.label | **argv |
+| zlibTest.cpp:80:33:80:36 | **argv | semmle.label | **argv |
+| zlibTest.cpp:80:33:80:36 | **argv [Return] | semmle.label | **argv [Return] |
+| zlibTest.cpp:81:19:81:25 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument | semmle.label | UnsafeGzfread output argument |
+| zlibTest.cpp:82:18:82:24 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument | semmle.label | UnsafeGzgets output argument |
+| zlibTest.cpp:83:19:83:25 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | semmle.label | UnsafeInflate output argument |
+| zlibTest.cpp:84:18:84:24 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | semmle.label | UnsafeGzread output argument |
+| zlibTest.cpp:85:19:85:25 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:85:19:85:25 | InflateString output argument | semmle.label | InflateString output argument |
+| zstdTest.cpp:26:39:26:42 | **argv | semmle.label | **argv |
+| zstdTest.cpp:26:39:26:42 | *argv | semmle.label | *argv |
+| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | semmle.label | call to fopen_orDie |
+| zstdTest.cpp:27:23:27:33 | call to fopen_orDie | semmle.label | call to fopen_orDie |
+| zstdTest.cpp:27:35:27:41 | *access to array | semmle.label | *access to array |
+| zstdTest.cpp:35:32:35:37 | **buffIn | semmle.label | **buffIn |
+| zstdTest.cpp:35:32:35:37 | *buffIn | semmle.label | *buffIn |
+| zstdTest.cpp:35:52:35:54 | fin | semmle.label | fin |
+| zstdTest.cpp:36:32:36:37 | **buffIn | semmle.label | **buffIn |
+| zstdTest.cpp:36:32:36:37 | *buffIn | semmle.label | *buffIn |
+| zstdTest.cpp:39:69:39:74 | & ... | semmle.label | & ... |
+| zstdTest.cpp:39:69:39:74 | & ... | semmle.label | & ... |
+subpaths
+| libarchiveTests.cpp:38:27:38:27 | *a | libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:16:31:16:32 | *ar | libarchiveTests.cpp:38:27:38:27 | read_data output argument |
+| main.cpp:8:23:8:26 | **argv | brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | main.cpp:8:23:8:26 | brotli_test output argument |
+| main.cpp:9:27:9:30 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | libarchiveTests.cpp:30:45:30:48 | **argv | main.cpp:9:27:9:30 | libarchive_test output argument |
+| main.cpp:10:24:10:27 | **argv | minizipTest.cpp:12:42:12:45 | **argv | minizipTest.cpp:12:42:12:45 | **argv | main.cpp:10:24:10:27 | minizip_test output argument |
+| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv | main.cpp:11:21:11:24 | zlib_test output argument |
+| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv [Return] | main.cpp:11:21:11:24 | zlib_test output argument |
+| main.cpp:11:21:11:24 | **argv | zlibTest.cpp:80:33:80:36 | **argv | zlibTest.cpp:80:33:80:36 | **argv [Return] | main.cpp:11:21:11:24 | zlib_test output argument |
+| zlibTest.cpp:81:19:81:25 | *access to array | zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:47:26:47:33 | *fileName | zlibTest.cpp:81:19:81:25 | UnsafeGzfread output argument |
+| zlibTest.cpp:82:18:82:24 | *access to array | zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:57:25:57:32 | *fileName | zlibTest.cpp:82:18:82:24 | UnsafeGzgets output argument |
+| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument |
+| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument |
+| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:85:19:85:25 | InflateString output argument |
+#select
+| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress |
+| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream |
+| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block |
+| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read |
+| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
+| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
+| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen |
+| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... | The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate |
+| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread |
+| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread |
+| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets |
+| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress |
+| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-409/DecompressionBombs.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp

@@ -0,0 +1,26 @@
+typedef long unsigned int size_t;
+typedef unsigned char uint8_t;
+
+enum BrotliDecoderResult {};
+struct BrotliDecoderState;
+
+BrotliDecoderResult BrotliDecoderDecompress(
+        size_t encoded_size, const uint8_t encoded_buffer[],
+        size_t *decoded_size, uint8_t decoded_buffer[]);
+
+BrotliDecoderResult BrotliDecoderDecompressStream(
+        BrotliDecoderState *state, size_t *available_in, const uint8_t **next_in,
+        size_t *available_out, uint8_t **next_out, size_t *total_out);
+
+void brotli_test(int argc, const char **argv) {
+    uint8_t output[1024];
+    size_t output_size = sizeof(output);
+    BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD
+
+    size_t input_size = 1024;
+    const uint8_t *input_p = (const uint8_t*)argv[2];
+    uint8_t *output_p = output;
+    size_t out_size;
+    BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD
+                                  &output_p, &out_size);
+}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp

@@ -0,0 +1,42 @@
+#define    ARCHIVE_EOF     1
+#define    ARCHIVE_OK      0
+#define    ARCHIVE_WARN    (-20)
+
+struct archive;
+struct archive_entry;
+typedef int size_t;
+typedef int la_int64_t;
+
+archive *archive_read_new();
+int archive_read_open_filename(archive *pArchive, const char *filename, int i);
+int archive_read_next_header(archive *a, archive_entry **entry);
+int archive_entry_size(archive_entry *pEntry);
+int archive_read_data_block(archive *pArchive, const void **pVoid, size_t *pInt, la_int64_t *pInt1);
+
+static int read_data(archive *ar) {
+    for (;;) {
+        const void *buff;
+        size_t size;
+        la_int64_t offset;
+
+        int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD
+        if (r == ARCHIVE_EOF)
+            return ARCHIVE_OK;
+        if (r < ARCHIVE_OK)
+            return r;
+    }
+}
+
+void libarchive_test(int argc, const char **argv) {
+    archive *a = archive_read_new();
+    archive_entry *entry;
+
+    archive_read_open_filename(a, argv[1], 10240);
+    for (;;) {
+        archive_read_next_header(a, &entry);
+        if (archive_entry_size(entry) > 0) {
+            if (read_data(a) < ARCHIVE_WARN)
+                break;
+        }
+    }
+}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp

@@ -0,0 +1,14 @@
+void brotli_test(int argc, const char **argv);
+void libarchive_test(int argc, const char **argv);
+void minizip_test(int argc, const char **argv);
+void zlib_test(int argc, const char **argv);
+void zstd_test(int argc, const char **argv);
+
+int main(int argc, const char **argv) {
+    brotli_test(argc, argv);
+    libarchive_test(argc, argv);
+    minizip_test(argc, argv);
+    zlib_test(argc, argv);
+    zstd_test(argc, argv);
+    return 0;
+}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp

@@ -0,0 +1,29 @@
+typedef signed int int32_t;
+
+void *mz_zip_reader_create();
+int32_t mz_zip_reader_open_file(void *handle, const char *path);
+int32_t mz_zip_reader_goto_first_entry(void *pVoid);
+int32_t mz_zip_reader_entry_save(void *pVoid, int stream, int write);
+int32_t mz_zip_entry_read(void *pVoid, void *buf, int32_t i);
+void UnzOpen(const char *string);
+
+void *mz_zip_create();
+
+void minizip_test(int argc, const char **argv) {
+    void *zip_handle = mz_zip_create();
+    int32_t bytes_read;
+    char buf[4096];
+    while(true) {
+        bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD
+        if (bytes_read <= 0) {
+            break;
+        }
+    }
+
+    void *zip_reader = mz_zip_reader_create();
+    mz_zip_reader_open_file(zip_reader, argv[1]);
+    mz_zip_reader_goto_first_entry(zip_reader);
+    mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD
+
+    UnzOpen(argv[3]); // BAD
+}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp

@@ -0,0 +1,86 @@
+typedef unsigned char Bytef;
+typedef unsigned long uLong;
+typedef uLong uLongf;
+typedef unsigned int uInt;
+
+struct z_stream {
+    Bytef *next_in;
+    Bytef *next_out;
+    uInt avail_out;
+};
+
+void inflateInit(z_stream *infstream);
+void inflate(z_stream *infstream, int i);
+void inflateEnd(z_stream *infstream);
+
+void UnsafeInflate(char *input) {
+    unsigned char output[1024];
+
+    z_stream infstream;
+    infstream.next_in = (Bytef *) input; // input char array
+    infstream.avail_out = sizeof(output); // size of output
+    infstream.next_out = output; // output char array
+
+    inflateInit(&infstream);
+    inflate(&infstream, 0); // BAD
+}
+
+
+struct gzFile {
+};
+
+gzFile gzopen(char *str, const char *rb);
+unsigned int gzread(gzFile gz_file, unsigned char *str, int i);
+bool gzfread(char *str, int i, int i1, gzFile gz_file);
+char *gzgets(gzFile gz_file, char *buffer, int i);
+
+void UnsafeGzread(char *fileName) {
+    gzFile inFileZ = gzopen(fileName, "rb");
+    unsigned char unzipBuffer[8192];
+    while (true) {
+        if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD
+            break;
+        }
+    }
+}
+
+void UnsafeGzfread(char *fileName) {
+    gzFile inFileZ = gzopen(fileName, "rb");
+    while (true) {
+        char buffer[1000];
+        if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD
+            break;
+        }
+    }
+}
+
+void UnsafeGzgets(char *fileName) {
+    gzFile inFileZ = gzopen(fileName, "rb");
+    char *buffer = new char[4000000000];
+    char *result;
+    while (true) {
+        result = gzgets(inFileZ, buffer, 1000000000); // BAD
+        if (result == nullptr) {
+            break;
+        }
+    }
+}
+
+int uncompress(Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen);
+
+void InflateString(char *input) {
+    unsigned char output[1024];
+
+    uLong source_length = 500;
+    uLong destination_length = sizeof(output);
+
+    uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD
+}
+
+void zlib_test(int argc, char **argv) {
+    UnsafeGzfread(argv[2]);
+    UnsafeGzgets(argv[2]);
+    UnsafeInflate(argv[2]);
+    UnsafeGzread(argv[2]);
+    InflateString(argv[2]);
+}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp

@@ -0,0 +1,43 @@
+typedef long unsigned int size_t;
+struct FILE;
+
+FILE *fopen_orDie(const char *filename, const char *instruction);
+size_t fread_orDie(void *const pVoid, const size_t read, FILE *const pFile);
+void *const malloc_orDie(const size_t size);
+
+struct ZSTD_DCtx;
+typedef struct ZSTD_inBuffer_s {
+    const void *src;
+    size_t size;
+    size_t pos;
+} ZSTD_inBuffer;
+typedef struct ZSTD_outBuffer_s {
+    void *dst;
+    size_t size;
+    size_t pos;
+} ZSTD_outBuffer;
+
+const size_t ZSTD_DStreamInSize();
+const size_t ZSTD_DStreamOutSize();
+ZSTD_DCtx *const ZSTD_createDCtx();
+const size_t ZSTD_decompressStream(ZSTD_DCtx *const pCtx, ZSTD_outBuffer *pS, ZSTD_inBuffer *pS1);
+void CHECK_ZSTD(const size_t ret);
+
+void zstd_test(int argc, const char **argv) {
+    FILE *const fin = fopen_orDie(argv[1], "rb");
+    size_t const buffInSize = ZSTD_DStreamInSize();
+    void *const buffIn = malloc_orDie(buffInSize);
+    size_t const buffOutSize = ZSTD_DStreamOutSize();
+    void *const buffOut = malloc_orDie(buffOutSize);
+
+    ZSTD_DCtx *const dctx = ZSTD_createDCtx();
+    size_t read;
+    while ((read = fread_orDie(buffIn, buffInSize, fin))) {
+        ZSTD_inBuffer input = {buffIn, read, 0};
+        while (input.pos < input.size) {
+            ZSTD_outBuffer output = {buffOut, buffOutSize, 0};
+            size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD  
+            CHECK_ZSTD(ret);
+        }
+    }
+}

cpp/ql/test/header-variant-tests/multi-target-includes/includes.expected

@@ -5,6 +5,5 @@
 | main1.cpp:7:1:7:26 | #include "defines_issue.h" | Include | defines_issue.h | 1 |
 | main2.cpp:3:1:3:19 | #include "common.h" | Include | common.h | 1 |
 | main2.cpp:7:1:7:26 | #include "defines_issue.h" | Include | defines_issue.h | 1 |
-| nameclash.h:3:1:3:27 | #include_next "nameclash.h" | IncludeNext | nameclash.h | 1 |
 | nameclash.h:3:1:3:27 | #include_next "nameclash.h" | IncludeNext | subdir1/nameclash.h | 1 |
 | nameclash.h:3:1:3:27 | #include_next "nameclash.h" | IncludeNext | subdir2/nameclash.h | 1 |

cpp/ql/test/library-tests/c11_generic/PrintAST.expected

@@ -0,0 +1,458 @@
+#-----| [CopyAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag const&)
+#-----|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const __va_list_tag &
+#-----| [MoveAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag&&)
+#-----|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] __va_list_tag &&
+generic.c:
+#    3| [FormattingFunction,TopLevelFunction] int printf(char const*)
+#    3|   <params>: 
+#    3|     getParameter(0): [Parameter] format
+#    3|         Type = [PointerType] const char *
+#   14| [TopLevelFunction] int main()
+#   14|   <params>: 
+#   15|   getEntryPoint(): [BlockStmt] { ... }
+#   16|     getStmt(0): [DeclStmt] declaration
+#   16|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of i
+#   16|           Type = [IntType] int
+#   17|     getStmt(1): [DeclStmt] declaration
+#   17|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of m
+#   17|           Type = [CTypedefType] MYINT
+#   18|     getStmt(2): [DeclStmt] declaration
+#   18|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of s
+#   18|           Type = [PointerType] const char *
+#   19|     getStmt(3): [DeclStmt] declaration
+#   19|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of f
+#   19|           Type = [PointerType] float ***
+#   21|     getStmt(4): [ExprStmt] ExprStmt
+#   21|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   21|           Type = [IntType] int
+#   21|           ValueCategory = prvalue
+#   21|         getArgument(0): i is %s\n
+#   21|             Type = [ArrayType] char[9]
+#   21|             Value = [StringLiteral] "i is %s\n"
+#   21|             ValueCategory = lvalue
+#   21|         getArgument(1): int
+#   21|             Type = [ArrayType] char[4]
+#   21|             Value = [StringLiteral] "int"
+#   21|             ValueCategory = lvalue
+#   21|         getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
+#   21|             Conversion = [PointerConversion] pointer conversion
+#   21|             Type = [PointerType] const char *
+#   21|             ValueCategory = prvalue
+#   21|           getExpr(): [ArrayToPointerConversion] array to pointer conversion
+#   21|               Type = [CharPointerType] char *
+#   21|               ValueCategory = prvalue
+#   21|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   21|             Type = [CharPointerType] char *
+#   21|             ValueCategory = prvalue
+#   21|           getExpr(): [C11GenericExpr] _Generic
+#   21|               Type = [ArrayType] char[4]
+#   21|               Value = [C11GenericExpr] int
+#   21|               ValueCategory = lvalue
+#   21|             getControllingExpr(): [VariableAccess] i
+#   21|                 Type = [IntType] int
+#   21|                 ValueCategory = prvalue(load)
+#   21|             getAssociationType(0): [TypeName] int
+#   21|                 Type = [IntType] int
+#   21|                 ValueCategory = prvalue
+#   21|             getAssociationExpr(0): [ReuseExpr] reuse of int
+#   21|                 Type = [ArrayType] char[4]
+#   21|                 ValueCategory = lvalue
+#   21|             getAssociationType(1): [TypeName] const char *
+#   21|                 Type = [PointerType] const char *
+#   21|                 ValueCategory = prvalue
+#   21|             getAssociationExpr(1): string
+#   21|                 Type = [ArrayType] char[7]
+#   21|                 Value = [StringLiteral] "string"
+#   21|                 ValueCategory = lvalue
+#   21|             getAssociationType(2): [TypeName] void
+#   21|                 Type = [VoidType] void
+#   21|                 ValueCategory = prvalue
+#   21|             getAssociationExpr(2): unknown
+#   21|                 Type = [ArrayType] char[8]
+#   21|                 Value = [StringLiteral] "unknown"
+#   21|                 ValueCategory = lvalue
+#   21|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   21|                 Type = [IntType] int
+#   21|                 ValueCategory = prvalue(load)
+#   22|     getStmt(5): [ExprStmt] ExprStmt
+#   22|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   22|           Type = [IntType] int
+#   22|           ValueCategory = prvalue
+#   22|         getArgument(0): c is %s\n
+#   22|             Type = [ArrayType] char[9]
+#   22|             Value = [StringLiteral] "c is %s\n"
+#   22|             ValueCategory = lvalue
+#   22|         getArgument(1): int
+#   22|             Type = [ArrayType] char[4]
+#   22|             Value = [StringLiteral] "int"
+#   22|             ValueCategory = lvalue
+#   22|         getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
+#   22|             Conversion = [PointerConversion] pointer conversion
+#   22|             Type = [PointerType] const char *
+#   22|             ValueCategory = prvalue
+#   22|           getExpr(): [ArrayToPointerConversion] array to pointer conversion
+#   22|               Type = [CharPointerType] char *
+#   22|               ValueCategory = prvalue
+#   22|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   22|             Type = [CharPointerType] char *
+#   22|             ValueCategory = prvalue
+#   22|           getExpr(): [C11GenericExpr] _Generic
+#   22|               Type = [ArrayType] char[4]
+#   22|               Value = [C11GenericExpr] int
+#   22|               ValueCategory = lvalue
+#   22|             getControllingExpr(): [VariableAccess] m
+#   22|                 Type = [CTypedefType] MYINT
+#   22|                 ValueCategory = prvalue(load)
+#   22|             getAssociationType(0): [TypeName] int
+#   22|                 Type = [IntType] int
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(0): [ReuseExpr] reuse of int
+#   22|                 Type = [ArrayType] char[4]
+#   22|                 ValueCategory = lvalue
+#   22|             getAssociationType(1): [TypeName] const char *
+#   22|                 Type = [PointerType] const char *
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(1): string
+#   22|                 Type = [ArrayType] char[7]
+#   22|                 Value = [StringLiteral] "string"
+#   22|                 ValueCategory = lvalue
+#   22|             getAssociationType(2): [TypeName] void
+#   22|                 Type = [VoidType] void
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(2): unknown
+#   22|                 Type = [ArrayType] char[8]
+#   22|                 Value = [StringLiteral] "unknown"
+#   22|                 ValueCategory = lvalue
+#   22|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   22|                 Type = [CTypedefType] MYINT
+#   22|                 ValueCategory = prvalue(load)
+#   23|     getStmt(6): [ExprStmt] ExprStmt
+#   23|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   23|           Type = [IntType] int
+#   23|           ValueCategory = prvalue
+#   23|         getArgument(0): s is %s\n
+#   23|             Type = [ArrayType] char[9]
+#   23|             Value = [StringLiteral] "s is %s\n"
+#   23|             ValueCategory = lvalue
+#   23|         getArgument(1): string
+#   23|             Type = [ArrayType] char[7]
+#   23|             Value = [StringLiteral] "string"
+#   23|             ValueCategory = lvalue
+#   23|         getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
+#   23|             Conversion = [PointerConversion] pointer conversion
+#   23|             Type = [PointerType] const char *
+#   23|             ValueCategory = prvalue
+#   23|           getExpr(): [ArrayToPointerConversion] array to pointer conversion
+#   23|               Type = [CharPointerType] char *
+#   23|               ValueCategory = prvalue
+#   23|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   23|             Type = [CharPointerType] char *
+#   23|             ValueCategory = prvalue
+#   23|           getExpr(): [C11GenericExpr] _Generic
+#   23|               Type = [ArrayType] char[7]
+#   23|               Value = [C11GenericExpr] string
+#   23|               ValueCategory = lvalue
+#   23|             getControllingExpr(): [VariableAccess] s
+#   23|                 Type = [PointerType] const char *
+#   23|                 ValueCategory = prvalue(load)
+#   23|             getAssociationType(0): [TypeName] int
+#   23|                 Type = [IntType] int
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(0): int
+#   23|                 Type = [ArrayType] char[4]
+#   23|                 Value = [StringLiteral] "int"
+#   23|                 ValueCategory = lvalue
+#   23|             getAssociationType(1): [TypeName] const char *
+#   23|                 Type = [PointerType] const char *
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(1): [ReuseExpr] reuse of string
+#   23|                 Type = [ArrayType] char[7]
+#   23|                 ValueCategory = lvalue
+#   23|             getAssociationType(2): [TypeName] void
+#   23|                 Type = [VoidType] void
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(2): unknown
+#   23|                 Type = [ArrayType] char[8]
+#   23|                 Value = [StringLiteral] "unknown"
+#   23|                 ValueCategory = lvalue
+#   23|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   23|                 Type = [PointerType] const char *
+#   23|                 ValueCategory = prvalue(load)
+#   24|     getStmt(7): [ExprStmt] ExprStmt
+#   24|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   24|           Type = [IntType] int
+#   24|           ValueCategory = prvalue
+#   24|         getArgument(0): f is %s\n
+#   24|             Type = [ArrayType] char[9]
+#   24|             Value = [StringLiteral] "f is %s\n"
+#   24|             ValueCategory = lvalue
+#   24|         getArgument(1): unknown
+#   24|             Type = [ArrayType] char[8]
+#   24|             Value = [StringLiteral] "unknown"
+#   24|             ValueCategory = lvalue
+#   24|         getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
+#   24|             Conversion = [PointerConversion] pointer conversion
+#   24|             Type = [PointerType] const char *
+#   24|             ValueCategory = prvalue
+#   24|           getExpr(): [ArrayToPointerConversion] array to pointer conversion
+#   24|               Type = [CharPointerType] char *
+#   24|               ValueCategory = prvalue
+#   24|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   24|             Type = [CharPointerType] char *
+#   24|             ValueCategory = prvalue
+#   24|           getExpr(): [C11GenericExpr] _Generic
+#   24|               Type = [ArrayType] char[8]
+#   24|               Value = [C11GenericExpr] unknown
+#   24|               ValueCategory = lvalue
+#   24|             getControllingExpr(): [VariableAccess] f
+#   24|                 Type = [PointerType] float ***
+#   24|                 ValueCategory = prvalue(load)
+#   24|             getAssociationType(0): [TypeName] int
+#   24|                 Type = [IntType] int
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(0): int
+#   24|                 Type = [ArrayType] char[4]
+#   24|                 Value = [StringLiteral] "int"
+#   24|                 ValueCategory = lvalue
+#   24|             getAssociationType(1): [TypeName] const char *
+#   24|                 Type = [PointerType] const char *
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(1): string
+#   24|                 Type = [ArrayType] char[7]
+#   24|                 Value = [StringLiteral] "string"
+#   24|                 ValueCategory = lvalue
+#   24|             getAssociationType(2): [TypeName] void
+#   24|                 Type = [VoidType] void
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(2): [ReuseExpr] reuse of unknown
+#   24|                 Type = [ArrayType] char[8]
+#   24|                 ValueCategory = lvalue
+#   24|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   24|                 Type = [PointerType] float ***
+#   24|                 ValueCategory = prvalue(load)
+#   25|     getStmt(8): [ReturnStmt] return ...
+#-----|       getExpr(): [Literal] 0
+#-----|           Type = [IntType] int
+#-----|           Value = [Literal] 0
+#-----|           ValueCategory = prvalue
+generic.cpp:
+#    4| [FormattingFunction,TopLevelFunction] int printf(char const*)
+#    4|   <params>: 
+#    4|     getParameter(0): [Parameter] format
+#    4|         Type = [PointerType] const char *
+#   15| [TopLevelFunction] int main()
+#   15|   <params>: 
+#   16|   getEntryPoint(): [BlockStmt] { ... }
+#   17|     getStmt(0): [DeclStmt] declaration
+#   17|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of i
+#   17|           Type = [IntType] int
+#   18|     getStmt(1): [DeclStmt] declaration
+#   18|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of m
+#   18|           Type = [CTypedefType] MYINT
+#   19|     getStmt(2): [DeclStmt] declaration
+#   19|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of s
+#   19|           Type = [PointerType] const char *
+#   20|     getStmt(3): [DeclStmt] declaration
+#   20|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of f
+#   20|           Type = [PointerType] float ***
+#   22|     getStmt(4): [ExprStmt] ExprStmt
+#   22|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   22|           Type = [IntType] int
+#   22|           ValueCategory = prvalue
+#   22|         getArgument(0): i is %s\n
+#   22|             Type = [ArrayType] const char[9]
+#   22|             Value = [StringLiteral] "i is %s\n"
+#   22|             ValueCategory = lvalue
+#   22|         getArgument(1): int
+#   22|             Type = [ArrayType] const char[4]
+#   22|             Value = [StringLiteral] "int"
+#   22|             ValueCategory = lvalue
+#   22|         getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   22|             Type = [PointerType] const char *
+#   22|             ValueCategory = prvalue
+#   22|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   22|             Type = [PointerType] const char *
+#   22|             ValueCategory = prvalue
+#   22|           getExpr(): [C11GenericExpr] _Generic
+#   22|               Type = [ArrayType] const char[4]
+#   22|               Value = [C11GenericExpr] int
+#   22|               ValueCategory = lvalue
+#   22|             getControllingExpr(): [VariableAccess] i
+#   22|                 Type = [IntType] int
+#   22|                 ValueCategory = lvalue
+#   22|             getAssociationType(0): [TypeName] int
+#   22|                 Type = [IntType] int
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(0): [ReuseExpr] reuse of int
+#   22|                 Type = [ArrayType] const char[4]
+#   22|                 ValueCategory = lvalue
+#   22|             getAssociationType(1): [TypeName] const char *
+#   22|                 Type = [PointerType] const char *
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(1): string
+#   22|                 Type = [ArrayType] const char[7]
+#   22|                 Value = [StringLiteral] "string"
+#   22|                 ValueCategory = lvalue
+#   22|             getAssociationType(2): [TypeName] void
+#   22|                 Type = [VoidType] void
+#   22|                 ValueCategory = prvalue
+#   22|             getAssociationExpr(2): unknown
+#   22|                 Type = [ArrayType] const char[8]
+#   22|                 Value = [StringLiteral] "unknown"
+#   22|                 ValueCategory = lvalue
+#   22|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   22|                 Type = [IntType] int
+#   22|                 ValueCategory = lvalue
+#   23|     getStmt(5): [ExprStmt] ExprStmt
+#   23|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   23|           Type = [IntType] int
+#   23|           ValueCategory = prvalue
+#   23|         getArgument(0): c is %s\n
+#   23|             Type = [ArrayType] const char[9]
+#   23|             Value = [StringLiteral] "c is %s\n"
+#   23|             ValueCategory = lvalue
+#   23|         getArgument(1): int
+#   23|             Type = [ArrayType] const char[4]
+#   23|             Value = [StringLiteral] "int"
+#   23|             ValueCategory = lvalue
+#   23|         getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   23|             Type = [PointerType] const char *
+#   23|             ValueCategory = prvalue
+#   23|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   23|             Type = [PointerType] const char *
+#   23|             ValueCategory = prvalue
+#   23|           getExpr(): [C11GenericExpr] _Generic
+#   23|               Type = [ArrayType] const char[4]
+#   23|               Value = [C11GenericExpr] int
+#   23|               ValueCategory = lvalue
+#   23|             getControllingExpr(): [VariableAccess] m
+#   23|                 Type = [CTypedefType] MYINT
+#   23|                 ValueCategory = lvalue
+#   23|             getAssociationType(0): [TypeName] int
+#   23|                 Type = [IntType] int
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(0): [ReuseExpr] reuse of int
+#   23|                 Type = [ArrayType] const char[4]
+#   23|                 ValueCategory = lvalue
+#   23|             getAssociationType(1): [TypeName] const char *
+#   23|                 Type = [PointerType] const char *
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(1): string
+#   23|                 Type = [ArrayType] const char[7]
+#   23|                 Value = [StringLiteral] "string"
+#   23|                 ValueCategory = lvalue
+#   23|             getAssociationType(2): [TypeName] void
+#   23|                 Type = [VoidType] void
+#   23|                 ValueCategory = prvalue
+#   23|             getAssociationExpr(2): unknown
+#   23|                 Type = [ArrayType] const char[8]
+#   23|                 Value = [StringLiteral] "unknown"
+#   23|                 ValueCategory = lvalue
+#   23|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   23|                 Type = [CTypedefType] MYINT
+#   23|                 ValueCategory = lvalue
+#   24|     getStmt(6): [ExprStmt] ExprStmt
+#   24|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   24|           Type = [IntType] int
+#   24|           ValueCategory = prvalue
+#   24|         getArgument(0): s is %s\n
+#   24|             Type = [ArrayType] const char[9]
+#   24|             Value = [StringLiteral] "s is %s\n"
+#   24|             ValueCategory = lvalue
+#   24|         getArgument(1): string
+#   24|             Type = [ArrayType] const char[7]
+#   24|             Value = [StringLiteral] "string"
+#   24|             ValueCategory = lvalue
+#   24|         getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   24|             Type = [PointerType] const char *
+#   24|             ValueCategory = prvalue
+#   24|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   24|             Type = [PointerType] const char *
+#   24|             ValueCategory = prvalue
+#   24|           getExpr(): [C11GenericExpr] _Generic
+#   24|               Type = [ArrayType] const char[7]
+#   24|               Value = [C11GenericExpr] string
+#   24|               ValueCategory = lvalue
+#   24|             getControllingExpr(): [VariableAccess] s
+#   24|                 Type = [PointerType] const char *
+#   24|                 ValueCategory = lvalue
+#   24|             getAssociationType(0): [TypeName] int
+#   24|                 Type = [IntType] int
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(0): int
+#   24|                 Type = [ArrayType] const char[4]
+#   24|                 Value = [StringLiteral] "int"
+#   24|                 ValueCategory = lvalue
+#   24|             getAssociationType(1): [TypeName] const char *
+#   24|                 Type = [PointerType] const char *
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(1): [ReuseExpr] reuse of string
+#   24|                 Type = [ArrayType] const char[7]
+#   24|                 ValueCategory = lvalue
+#   24|             getAssociationType(2): [TypeName] void
+#   24|                 Type = [VoidType] void
+#   24|                 ValueCategory = prvalue
+#   24|             getAssociationExpr(2): unknown
+#   24|                 Type = [ArrayType] const char[8]
+#   24|                 Value = [StringLiteral] "unknown"
+#   24|                 ValueCategory = lvalue
+#   24|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   24|                 Type = [PointerType] const char *
+#   24|                 ValueCategory = lvalue
+#   25|     getStmt(7): [ExprStmt] ExprStmt
+#   25|       getExpr(): [FormattingFunctionCall,FunctionCall] call to printf
+#   25|           Type = [IntType] int
+#   25|           ValueCategory = prvalue
+#   25|         getArgument(0): f is %s\n
+#   25|             Type = [ArrayType] const char[9]
+#   25|             Value = [StringLiteral] "f is %s\n"
+#   25|             ValueCategory = lvalue
+#   25|         getArgument(1): unknown
+#   25|             Type = [ArrayType] const char[8]
+#   25|             Value = [StringLiteral] "unknown"
+#   25|             ValueCategory = lvalue
+#   25|         getArgument(0).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   25|             Type = [PointerType] const char *
+#   25|             ValueCategory = prvalue
+#   25|         getArgument(1).getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#   25|             Type = [PointerType] const char *
+#   25|             ValueCategory = prvalue
+#   25|           getExpr(): [C11GenericExpr] _Generic
+#   25|               Type = [ArrayType] const char[8]
+#   25|               Value = [C11GenericExpr] unknown
+#   25|               ValueCategory = lvalue
+#   25|             getControllingExpr(): [VariableAccess] f
+#   25|                 Type = [PointerType] float ***
+#   25|                 ValueCategory = lvalue
+#   25|             getAssociationType(0): [TypeName] int
+#   25|                 Type = [IntType] int
+#   25|                 ValueCategory = prvalue
+#   25|             getAssociationExpr(0): int
+#   25|                 Type = [ArrayType] const char[4]
+#   25|                 Value = [StringLiteral] "int"
+#   25|                 ValueCategory = lvalue
+#   25|             getAssociationType(1): [TypeName] const char *
+#   25|                 Type = [PointerType] const char *
+#   25|                 ValueCategory = prvalue
+#   25|             getAssociationExpr(1): string
+#   25|                 Type = [ArrayType] const char[7]
+#   25|                 Value = [StringLiteral] "string"
+#   25|                 ValueCategory = lvalue
+#   25|             getAssociationType(2): [TypeName] void
+#   25|                 Type = [VoidType] void
+#   25|                 ValueCategory = prvalue
+#   25|             getAssociationExpr(2): [ReuseExpr] reuse of unknown
+#   25|                 Type = [ArrayType] const char[8]
+#   25|                 ValueCategory = lvalue
+#   25|             getControllingExpr().getFullyConverted(): [ParenthesisExpr] (...)
+#   25|                 Type = [PointerType] float ***
+#   25|                 ValueCategory = lvalue
+#   26|     getStmt(8): [ReturnStmt] return ...
+#-----|       getExpr(): [Literal] 0
+#-----|           Type = [IntType] int
+#-----|           Value = [Literal] 0
+#-----|           ValueCategory = prvalue

cpp/ql/test/library-tests/c11_generic/PrintAST.qlref

@@ -0,0 +1 @@
+semmle/code/cpp/PrintAST.ql

cpp/ql/test/library-tests/c11_generic/macro_invocation.expected

@@ -0,0 +1,8 @@
+| generic.c:21:22:21:32 | _Generic | generic.c:21:22:21:32 | describe(val) |
+| generic.c:22:22:22:32 | _Generic | generic.c:22:22:22:32 | describe(val) |
+| generic.c:23:22:23:32 | _Generic | generic.c:23:22:23:32 | describe(val) |
+| generic.c:24:22:24:32 | _Generic | generic.c:24:22:24:32 | describe(val) |
+| generic.cpp:22:22:22:32 | _Generic | generic.cpp:22:22:22:32 | describe(val) |
+| generic.cpp:23:22:23:32 | _Generic | generic.cpp:23:22:23:32 | describe(val) |
+| generic.cpp:24:22:24:32 | _Generic | generic.cpp:24:22:24:32 | describe(val) |
+| generic.cpp:25:22:25:32 | _Generic | generic.cpp:25:22:25:32 | describe(val) |

cpp/ql/test/library-tests/c11_generic/macro_invocation.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from C11GenericExpr g, MacroInvocation m
+where m.getAnExpandedElement() = g
+select g, m

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -33,7 +33,7 @@ argHasPostUpdate
 | test.cpp:67:29:67:35 | source1 | ArgumentNode is missing PostUpdateNode. |
 | test.cpp:813:19:813:35 | * ... | ArgumentNode is missing PostUpdateNode. |
 | test.cpp:848:23:848:25 | rpx | ArgumentNode is missing PostUpdateNode. |
-| test.cpp:1057:19:1057:21 | * ... | ArgumentNode is missing PostUpdateNode. |
+| test.cpp:1093:19:1093:21 | * ... | ArgumentNode is missing PostUpdateNode. |
 postWithInFlow
 | BarrierGuard.cpp:49:6:49:6 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | BarrierGuard.cpp:60:7:60:7 | x [post update] | PostUpdateNode should not be the target of local flow. |
@@ -167,15 +167,17 @@ postWithInFlow
 | test.cpp:932:5:932:19 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:932:6:932:19 | global_pointer [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:1045:9:1045:11 | ref arg buf | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1051:5:1051:11 | content [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1052:9:1052:9 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1056:5:1056:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1056:6:1056:7 | pp [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1062:53:1062:53 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1072:3:1072:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1072:4:1072:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1073:3:1073:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1073:4:1073:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1066:5:1066:5 | i [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1069:5:1069:5 | i [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1087:5:1087:11 | content [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1088:9:1088:9 | a [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1092:5:1092:7 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1092:6:1092:7 | pp [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1098:53:1098:53 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1108:3:1108:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1108:4:1108:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1109:3:1109:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1109:4:1109:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -26,6 +26,10 @@ postWithInFlow
 | test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:1045:9:1045:11 | memset output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1076:2:1076:3 | swap output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1076:10:1076:11 | swap output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1077:2:1077:3 | swap output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:1077:10:1077:11 | swap output argument | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected

@@ -202,12 +202,12 @@
 | test.cpp:489:23:489:29 | *content | test.cpp:490:8:490:17 | * ... |
 | test.cpp:489:23:489:29 | content | test.cpp:489:23:489:29 | content |
 | test.cpp:489:23:489:29 | content | test.cpp:490:9:490:17 | p_content |
-| test.cpp:1050:12:1050:12 | definition of a | test.cpp:1051:3:1051:3 | *a |
-| test.cpp:1051:3:1051:3 | *a | test.cpp:1052:8:1052:9 | *& ... |
-| test.cpp:1051:3:1051:3 | *a [post update] | test.cpp:1052:8:1052:9 | *& ... |
-| test.cpp:1051:3:1051:3 | a | test.cpp:1052:8:1052:9 | & ... |
-| test.cpp:1051:3:1051:3 | a [post update] | test.cpp:1052:8:1052:9 | & ... |
-| test.cpp:1051:15:1051:21 | 0 | test.cpp:1051:3:1051:21 | ... = ... |
-| test.cpp:1051:15:1051:21 | *0 | test.cpp:1051:3:1051:21 | *... = ... |
-| test.cpp:1052:9:1052:9 | *a | test.cpp:1052:8:1052:9 | *& ... |
-| test.cpp:1052:9:1052:9 | a | test.cpp:1052:8:1052:9 | & ... |
+| test.cpp:1086:12:1086:12 | definition of a | test.cpp:1087:3:1087:3 | *a |
+| test.cpp:1087:3:1087:3 | *a | test.cpp:1088:8:1088:9 | *& ... |
+| test.cpp:1087:3:1087:3 | *a [post update] | test.cpp:1088:8:1088:9 | *& ... |
+| test.cpp:1087:3:1087:3 | a | test.cpp:1088:8:1088:9 | & ... |
+| test.cpp:1087:3:1087:3 | a [post update] | test.cpp:1088:8:1088:9 | & ... |
+| test.cpp:1087:15:1087:21 | 0 | test.cpp:1087:3:1087:21 | ... = ... |
+| test.cpp:1087:15:1087:21 | *0 | test.cpp:1087:3:1087:21 | *... = ... |
+| test.cpp:1088:9:1088:9 | *a | test.cpp:1088:8:1088:9 | *& ... |
+| test.cpp:1088:9:1088:9 | a | test.cpp:1088:8:1088:9 | & ... |

cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow.expected

@@ -81,10 +81,10 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (loc
 | test.cpp:488:21:488:21 | s [post update] | test.cpp:489:20:489:20 | s |
 | test.cpp:488:24:488:30 | ref arg content | test.cpp:489:23:489:29 | content |
 | test.cpp:489:23:489:29 | content | test.cpp:490:9:490:17 | p_content |
-| test.cpp:1050:12:1050:12 | a | test.cpp:1051:3:1051:3 | a |
-| test.cpp:1050:12:1050:12 | a | test.cpp:1052:9:1052:9 | a |
-| test.cpp:1051:3:1051:3 | a [post update] | test.cpp:1052:9:1052:9 | a |
-| test.cpp:1051:3:1051:21 | ... = ... | test.cpp:1051:5:1051:11 | content [post update] |
-| test.cpp:1051:15:1051:21 | 0 | test.cpp:1051:3:1051:21 | ... = ... |
-| test.cpp:1052:8:1052:9 | ref arg & ... | test.cpp:1052:9:1052:9 | a [inner post update] |
-| test.cpp:1052:9:1052:9 | a | test.cpp:1052:8:1052:9 | & ... |
+| test.cpp:1086:12:1086:12 | a | test.cpp:1087:3:1087:3 | a |
+| test.cpp:1086:12:1086:12 | a | test.cpp:1088:9:1088:9 | a |
+| test.cpp:1087:3:1087:3 | a [post update] | test.cpp:1088:9:1088:9 | a |
+| test.cpp:1087:3:1087:21 | ... = ... | test.cpp:1087:5:1087:11 | content [post update] |
+| test.cpp:1087:15:1087:21 | 0 | test.cpp:1087:3:1087:21 | ... = ... |
+| test.cpp:1088:8:1088:9 | ref arg & ... | test.cpp:1088:9:1088:9 | a [inner post update] |
+| test.cpp:1088:9:1088:9 | a | test.cpp:1088:8:1088:9 | & ... |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -127,7 +127,11 @@ astFlow
 | test.cpp:842:11:842:16 | call to source | test.cpp:844:8:844:8 | y |
 | test.cpp:846:13:846:27 | call to indirect_source | test.cpp:848:23:848:25 | rpx |
 | test.cpp:860:54:860:59 | call to source | test.cpp:861:10:861:37 | static_local_pointer_dynamic |
-| test.cpp:1050:12:1050:12 | a | test.cpp:1052:8:1052:9 | & ... |
+| test.cpp:1066:9:1066:14 | call to source | test.cpp:1072:10:1072:10 | i |
+| test.cpp:1066:9:1066:14 | call to source | test.cpp:1080:10:1080:10 | i |
+| test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i |
+| test.cpp:1069:9:1069:14 | call to source | test.cpp:1082:10:1082:10 | i |
+| test.cpp:1086:12:1086:12 | a | test.cpp:1088:8:1088:9 | & ... |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
 | true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x |
@@ -313,7 +317,12 @@ irFlow
 | test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1027:19:1027:28 | *translated |
 | test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1031:19:1031:28 | *translated |
 | test.cpp:1045:14:1045:19 | call to source | test.cpp:1046:7:1046:10 | * ... |
-| test.cpp:1081:27:1081:34 | call to source | test.cpp:1081:27:1081:34 | call to source |
+| test.cpp:1052:13:1052:27 | *call to indirect_source | test.cpp:1054:7:1054:11 | * ... |
+| test.cpp:1066:9:1066:14 | call to source | test.cpp:1072:10:1072:10 | i |
+| test.cpp:1066:9:1066:14 | call to source | test.cpp:1079:10:1079:10 | i |
+| test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i |
+| test.cpp:1069:9:1069:14 | call to source | test.cpp:1081:10:1081:10 | i |
+| test.cpp:1117:27:1117:34 | call to source | test.cpp:1117:27:1117:34 | call to source |
 | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -1046,6 +1046,42 @@ void memset_test(char* buf) { // $ ast-def=buf ir-def=*buf
 	sink(*buf); // $ ir MISSING: ast
 }
 
+void *realloc(void *, size_t);
+
+void test_realloc() {
+	int *src = indirect_source();
+	int *dest = (int*)realloc(src, sizeof(int));
+	sink(*dest); // $ ir, MISSING: ast
+}
+
+struct MyInt {
+  int i;
+  MyInt();
+  void swap(MyInt &j);
+};
+
+void test_member_swap() {
+	MyInt s1;
+	MyInt s2;
+	s2.i = source();
+	MyInt s3;
+	MyInt s4;
+	s4.i = source();
+
+	sink(s1.i);
+	sink(s2.i); // $ ast,ir
+	sink(s3.i);
+	sink(s4.i); // $ ast,ir
+
+	s1.swap(s2);
+	s4.swap(s3);
+
+	sink(s1.i); // $ ir
+	sink(s2.i); // $ SPURIOUS: ast
+	sink(s3.i); // $ ir
+	sink(s4.i); // $ SPURIOUS: ast
+}
+
 void flow_out_of_address_with_local_flow() {
   MyStruct a;
   a.content = nullptr;

cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected

@@ -51,5 +51,5 @@ incorrectBaseType
 | test.cpp:848:23:848:25 | rpx | Expected 'Node.getType()' to be int, but it was int * |
 | test.cpp:854:10:854:36 | * ... | Expected 'Node.getType()' to be const int, but it was int |
 | test.cpp:867:10:867:30 | * ... | Expected 'Node.getType()' to be const int, but it was int |
-| test.cpp:1062:52:1062:53 | *& ... | Expected 'Node.getType()' to be char, but it was char * |
+| test.cpp:1098:52:1098:53 | *& ... | Expected 'Node.getType()' to be char, but it was char * |
 failures

cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected

@@ -54,5 +54,5 @@
 | test.cpp:796:12:796:12 | a | test.cpp:797:20:797:20 | a |
 | test.cpp:796:12:796:12 | a | test.cpp:797:31:797:31 | a |
 | test.cpp:796:12:796:12 | a | test.cpp:798:17:798:17 | a |
-| test.cpp:1050:12:1050:12 | a | test.cpp:1051:3:1051:3 | a |
-| test.cpp:1050:12:1050:12 | a | test.cpp:1052:9:1052:9 | a |
+| test.cpp:1086:12:1086:12 | a | test.cpp:1087:3:1087:3 | a |
+| test.cpp:1086:12:1086:12 | a | test.cpp:1088:9:1088:9 | a |

cpp/ql/test/library-tests/dataflow/fields/Nodes.qll

@@ -13,9 +13,6 @@ class Node extends TNode {
 
   AST::DataFlow::Node asAst() { none() }
 
-  /** DEPRECATED: Alias for asAst */
-  deprecated AST::DataFlow::Node asAST() { result = this.asAst() }
-
   Location getLocation() { none() }
 }
 
@@ -28,9 +25,6 @@ class AstNode extends Node, TAstNode {
 
   override AST::DataFlow::Node asAst() { result = n }
 
-  /** DEPRECATED: Alias for asAst */
-  deprecated override AST::DataFlow::Node asAST() { result = this.asAst() }
-
   override Location getLocation() { result = n.getLocation() }
 }
 

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -554,19 +554,15 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | map.cpp:67:30:67:42 | call to pair | map.cpp:80:7:80:7 | l |  |
 | map.cpp:67:30:67:42 | call to pair | map.cpp:81:7:81:7 | l |  |
 | map.cpp:67:37:67:41 | 456 | map.cpp:67:30:67:42 | call to pair | TAINT |
-| map.cpp:68:3:68:3 | i | map.cpp:68:10:68:10 | ref arg j | TAINT |
 | map.cpp:68:3:68:3 | ref arg i | map.cpp:70:7:70:7 | i |  |
 | map.cpp:68:3:68:3 | ref arg i | map.cpp:71:7:71:7 | i |  |
 | map.cpp:68:3:68:3 | ref arg i | map.cpp:72:7:72:7 | i |  |
-| map.cpp:68:10:68:10 | j | map.cpp:68:3:68:3 | ref arg i | TAINT |
 | map.cpp:68:10:68:10 | ref arg j | map.cpp:73:7:73:7 | j |  |
 | map.cpp:68:10:68:10 | ref arg j | map.cpp:74:7:74:7 | j |  |
 | map.cpp:68:10:68:10 | ref arg j | map.cpp:75:7:75:7 | j |  |
-| map.cpp:69:2:69:2 | k | map.cpp:69:9:69:9 | ref arg l | TAINT |
 | map.cpp:69:2:69:2 | ref arg k | map.cpp:76:7:76:7 | k |  |
 | map.cpp:69:2:69:2 | ref arg k | map.cpp:77:7:77:7 | k |  |
 | map.cpp:69:2:69:2 | ref arg k | map.cpp:78:7:78:7 | k |  |
-| map.cpp:69:9:69:9 | l | map.cpp:69:2:69:2 | ref arg k | TAINT |
 | map.cpp:69:9:69:9 | ref arg l | map.cpp:79:7:79:7 | l |  |
 | map.cpp:69:9:69:9 | ref arg l | map.cpp:80:7:80:7 | l |  |
 | map.cpp:69:9:69:9 | ref arg l | map.cpp:81:7:81:7 | l |  |
@@ -1065,16 +1061,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | map.cpp:194:7:194:9 | m16 | map.cpp:194:7:194:9 | call to map |  |
 | map.cpp:195:7:195:9 | m17 | map.cpp:195:7:195:9 | call to map |  |
 | map.cpp:196:7:196:9 | m18 | map.cpp:196:7:196:9 | call to map |  |
-| map.cpp:197:2:197:4 | m15 | map.cpp:197:11:197:13 | ref arg m16 | TAINT |
 | map.cpp:197:2:197:4 | ref arg m15 | map.cpp:199:7:199:9 | m15 |  |
 | map.cpp:197:2:197:4 | ref arg m15 | map.cpp:252:1:252:1 | m15 |  |
-| map.cpp:197:11:197:13 | m16 | map.cpp:197:2:197:4 | ref arg m15 | TAINT |
 | map.cpp:197:11:197:13 | ref arg m16 | map.cpp:200:7:200:9 | m16 |  |
 | map.cpp:197:11:197:13 | ref arg m16 | map.cpp:252:1:252:1 | m16 |  |
-| map.cpp:198:2:198:4 | m17 | map.cpp:198:11:198:13 | ref arg m18 | TAINT |
 | map.cpp:198:2:198:4 | ref arg m17 | map.cpp:201:7:201:9 | m17 |  |
 | map.cpp:198:2:198:4 | ref arg m17 | map.cpp:252:1:252:1 | m17 |  |
-| map.cpp:198:11:198:13 | m18 | map.cpp:198:2:198:4 | ref arg m17 | TAINT |
 | map.cpp:198:11:198:13 | ref arg m18 | map.cpp:202:7:202:9 | m18 |  |
 | map.cpp:198:11:198:13 | ref arg m18 | map.cpp:252:1:252:1 | m18 |  |
 | map.cpp:199:7:199:9 | m15 | map.cpp:199:7:199:9 | call to map |  |
@@ -1747,16 +1739,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | map.cpp:343:7:343:9 | m16 | map.cpp:343:7:343:9 | call to unordered_map |  |
 | map.cpp:344:7:344:9 | m17 | map.cpp:344:7:344:9 | call to unordered_map |  |
 | map.cpp:345:7:345:9 | m18 | map.cpp:345:7:345:9 | call to unordered_map |  |
-| map.cpp:346:2:346:4 | m15 | map.cpp:346:11:346:13 | ref arg m16 | TAINT |
 | map.cpp:346:2:346:4 | ref arg m15 | map.cpp:348:7:348:9 | m15 |  |
 | map.cpp:346:2:346:4 | ref arg m15 | map.cpp:438:1:438:1 | m15 |  |
-| map.cpp:346:11:346:13 | m16 | map.cpp:346:2:346:4 | ref arg m15 | TAINT |
 | map.cpp:346:11:346:13 | ref arg m16 | map.cpp:349:7:349:9 | m16 |  |
 | map.cpp:346:11:346:13 | ref arg m16 | map.cpp:438:1:438:1 | m16 |  |
-| map.cpp:347:2:347:4 | m17 | map.cpp:347:11:347:13 | ref arg m18 | TAINT |
 | map.cpp:347:2:347:4 | ref arg m17 | map.cpp:350:7:350:9 | m17 |  |
 | map.cpp:347:2:347:4 | ref arg m17 | map.cpp:438:1:438:1 | m17 |  |
-| map.cpp:347:11:347:13 | m18 | map.cpp:347:2:347:4 | ref arg m17 | TAINT |
 | map.cpp:347:11:347:13 | ref arg m18 | map.cpp:351:7:351:9 | m18 |  |
 | map.cpp:347:11:347:13 | ref arg m18 | map.cpp:438:1:438:1 | m18 |  |
 | map.cpp:348:7:348:9 | m15 | map.cpp:348:7:348:9 | call to unordered_map |  |
@@ -2579,16 +2567,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | set.cpp:81:7:81:9 | s15 | set.cpp:81:7:81:9 | call to set |  |
 | set.cpp:82:2:82:4 | ref arg s12 | set.cpp:84:7:84:9 | s12 |  |
 | set.cpp:82:2:82:4 | ref arg s12 | set.cpp:126:1:126:1 | s12 |  |
-| set.cpp:82:2:82:4 | s12 | set.cpp:82:11:82:13 | ref arg s13 | TAINT |
 | set.cpp:82:11:82:13 | ref arg s13 | set.cpp:85:7:85:9 | s13 |  |
 | set.cpp:82:11:82:13 | ref arg s13 | set.cpp:126:1:126:1 | s13 |  |
-| set.cpp:82:11:82:13 | s13 | set.cpp:82:2:82:4 | ref arg s12 | TAINT |
 | set.cpp:83:2:83:4 | ref arg s14 | set.cpp:86:7:86:9 | s14 |  |
 | set.cpp:83:2:83:4 | ref arg s14 | set.cpp:126:1:126:1 | s14 |  |
-| set.cpp:83:2:83:4 | s14 | set.cpp:83:11:83:13 | ref arg s15 | TAINT |
 | set.cpp:83:11:83:13 | ref arg s15 | set.cpp:87:7:87:9 | s15 |  |
 | set.cpp:83:11:83:13 | ref arg s15 | set.cpp:126:1:126:1 | s15 |  |
-| set.cpp:83:11:83:13 | s15 | set.cpp:83:2:83:4 | ref arg s14 | TAINT |
 | set.cpp:84:7:84:9 | s12 | set.cpp:84:7:84:9 | call to set |  |
 | set.cpp:85:7:85:9 | s13 | set.cpp:85:7:85:9 | call to set |  |
 | set.cpp:86:7:86:9 | s14 | set.cpp:86:7:86:9 | call to set |  |
@@ -3066,16 +3050,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | set.cpp:193:7:193:9 | s15 | set.cpp:193:7:193:9 | call to unordered_set |  |
 | set.cpp:194:2:194:4 | ref arg s12 | set.cpp:196:7:196:9 | s12 |  |
 | set.cpp:194:2:194:4 | ref arg s12 | set.cpp:238:1:238:1 | s12 |  |
-| set.cpp:194:2:194:4 | s12 | set.cpp:194:11:194:13 | ref arg s13 | TAINT |
 | set.cpp:194:11:194:13 | ref arg s13 | set.cpp:197:7:197:9 | s13 |  |
 | set.cpp:194:11:194:13 | ref arg s13 | set.cpp:238:1:238:1 | s13 |  |
-| set.cpp:194:11:194:13 | s13 | set.cpp:194:2:194:4 | ref arg s12 | TAINT |
 | set.cpp:195:2:195:4 | ref arg s14 | set.cpp:198:7:198:9 | s14 |  |
 | set.cpp:195:2:195:4 | ref arg s14 | set.cpp:238:1:238:1 | s14 |  |
-| set.cpp:195:2:195:4 | s14 | set.cpp:195:11:195:13 | ref arg s15 | TAINT |
 | set.cpp:195:11:195:13 | ref arg s15 | set.cpp:199:7:199:9 | s15 |  |
 | set.cpp:195:11:195:13 | ref arg s15 | set.cpp:238:1:238:1 | s15 |  |
-| set.cpp:195:11:195:13 | s15 | set.cpp:195:2:195:4 | ref arg s14 | TAINT |
 | set.cpp:196:7:196:9 | s12 | set.cpp:196:7:196:9 | call to unordered_set |  |
 | set.cpp:197:7:197:9 | s13 | set.cpp:197:7:197:9 | call to unordered_set |  |
 | set.cpp:198:7:198:9 | s14 | set.cpp:198:7:198:9 | call to unordered_set |  |
@@ -4047,13 +4027,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | string.cpp:272:17:272:25 | call to basic_string | string.cpp:280:2:280:3 | s4 |  |
 | string.cpp:272:17:272:25 | call to basic_string | string.cpp:285:7:285:8 | s4 |  |
 | string.cpp:279:2:279:3 | ref arg s1 | string.cpp:282:7:282:8 | s1 |  |
-| string.cpp:279:2:279:3 | s1 | string.cpp:279:10:279:11 | ref arg s2 | TAINT |
 | string.cpp:279:10:279:11 | ref arg s2 | string.cpp:283:7:283:8 | s2 |  |
-| string.cpp:279:10:279:11 | s2 | string.cpp:279:2:279:3 | ref arg s1 | TAINT |
 | string.cpp:280:2:280:3 | ref arg s4 | string.cpp:285:7:285:8 | s4 |  |
-| string.cpp:280:2:280:3 | s4 | string.cpp:280:10:280:11 | ref arg s3 | TAINT |
 | string.cpp:280:10:280:11 | ref arg s3 | string.cpp:284:7:284:8 | s3 |  |
-| string.cpp:280:10:280:11 | s3 | string.cpp:280:2:280:3 | ref arg s4 | TAINT |
 | string.cpp:289:17:289:22 | call to source | string.cpp:289:17:289:25 | call to basic_string | TAINT |
 | string.cpp:289:17:289:25 | call to basic_string | string.cpp:293:7:293:8 | s1 |  |
 | string.cpp:289:17:289:25 | call to basic_string | string.cpp:297:2:297:3 | s1 |  |
@@ -4839,13 +4815,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | stringstream.cpp:115:24:115:32 | call to basic_stringstream | stringstream.cpp:118:2:118:4 | ss4 |  |
 | stringstream.cpp:115:24:115:32 | call to basic_stringstream | stringstream.cpp:123:7:123:9 | ss4 |  |
 | stringstream.cpp:117:2:117:4 | ref arg ss1 | stringstream.cpp:120:7:120:9 | ss1 |  |
-| stringstream.cpp:117:2:117:4 | ss1 | stringstream.cpp:117:11:117:13 | ref arg ss2 | TAINT |
 | stringstream.cpp:117:11:117:13 | ref arg ss2 | stringstream.cpp:121:7:121:9 | ss2 |  |
-| stringstream.cpp:117:11:117:13 | ss2 | stringstream.cpp:117:2:117:4 | ref arg ss1 | TAINT |
 | stringstream.cpp:118:2:118:4 | ref arg ss4 | stringstream.cpp:123:7:123:9 | ss4 |  |
-| stringstream.cpp:118:2:118:4 | ss4 | stringstream.cpp:118:11:118:13 | ref arg ss3 | TAINT |
 | stringstream.cpp:118:11:118:13 | ref arg ss3 | stringstream.cpp:122:7:122:9 | ss3 |  |
-| stringstream.cpp:118:11:118:13 | ss3 | stringstream.cpp:118:2:118:4 | ref arg ss4 | TAINT |
 | stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:142:7:142:9 | ss1 |  |
 | stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:145:7:145:9 | ss1 |  |
 | stringstream.cpp:128:20:128:22 | call to basic_stringstream | stringstream.cpp:153:7:153:9 | ss1 |  |
@@ -5413,9 +5385,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap1.cpp:24:9:24:13 | this | swap1.cpp:24:31:24:34 | this |  |
 | swap1.cpp:24:23:24:26 | that | swap1.cpp:24:23:24:26 | that |  |
 | swap1.cpp:24:23:24:26 | that | swap1.cpp:24:36:24:39 | that |  |
-| swap1.cpp:24:31:24:34 | this | swap1.cpp:24:36:24:39 | ref arg that | TAINT |
 | swap1.cpp:24:36:24:39 | ref arg that | swap1.cpp:24:23:24:26 | that |  |
-| swap1.cpp:24:36:24:39 | that | swap1.cpp:24:31:24:34 | ref arg this | TAINT |
 | swap1.cpp:25:9:25:13 | this | swap1.cpp:25:36:25:52 | constructor init of field data1 [pre-this] |  |
 | swap1.cpp:25:28:25:31 | that | swap1.cpp:25:42:25:45 | that |  |
 | swap1.cpp:25:47:25:51 | data1 | swap1.cpp:25:36:25:52 | constructor init of field data1 | TAINT |
@@ -5425,36 +5395,28 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap1.cpp:29:23:29:27 | call to Class | swap1.cpp:30:18:30:20 | tmp |  |
 | swap1.cpp:29:24:29:27 | that | swap1.cpp:29:23:29:27 | call to Class |  |
 | swap1.cpp:30:13:30:16 | ref arg this | swap1.cpp:31:21:31:24 | this |  |
-| swap1.cpp:30:13:30:16 | this | swap1.cpp:30:18:30:20 | ref arg tmp | TAINT |
 | swap1.cpp:30:13:30:16 | this | swap1.cpp:31:21:31:24 | this |  |
-| swap1.cpp:30:18:30:20 | tmp | swap1.cpp:30:13:30:16 | ref arg this | TAINT |
 | swap1.cpp:31:21:31:24 | this | swap1.cpp:31:20:31:24 | * ... | TAINT |
 | swap1.cpp:34:16:34:24 | this | swap1.cpp:36:13:36:16 | this |  |
 | swap1.cpp:34:34:34:37 | that | swap1.cpp:34:34:34:37 | that |  |
 | swap1.cpp:34:34:34:37 | that | swap1.cpp:36:18:36:21 | that |  |
 | swap1.cpp:36:13:36:16 | ref arg this | swap1.cpp:37:21:37:24 | this |  |
-| swap1.cpp:36:13:36:16 | this | swap1.cpp:36:18:36:21 | ref arg that | TAINT |
 | swap1.cpp:36:13:36:16 | this | swap1.cpp:37:21:37:24 | this |  |
 | swap1.cpp:36:18:36:21 | ref arg that | swap1.cpp:34:34:34:37 | that |  |
-| swap1.cpp:36:18:36:21 | that | swap1.cpp:36:13:36:16 | ref arg this | TAINT |
 | swap1.cpp:37:21:37:24 | this | swap1.cpp:37:20:37:24 | * ... | TAINT |
 | swap1.cpp:40:16:40:26 | this | swap1.cpp:43:13:43:16 | this |  |
 | swap1.cpp:40:41:40:44 | that | swap1.cpp:42:24:42:27 | that |  |
 | swap1.cpp:42:23:42:27 | call to Class | swap1.cpp:43:18:43:20 | tmp |  |
 | swap1.cpp:42:24:42:27 | that | swap1.cpp:42:23:42:27 | call to Class |  |
 | swap1.cpp:43:13:43:16 | ref arg this | swap1.cpp:44:21:44:24 | this |  |
-| swap1.cpp:43:13:43:16 | this | swap1.cpp:43:18:43:20 | ref arg tmp | TAINT |
 | swap1.cpp:43:13:43:16 | this | swap1.cpp:44:21:44:24 | this |  |
-| swap1.cpp:43:18:43:20 | tmp | swap1.cpp:43:13:43:16 | ref arg this | TAINT |
 | swap1.cpp:44:21:44:24 | this | swap1.cpp:44:20:44:24 | * ... | TAINT |
 | swap1.cpp:47:16:47:26 | this | swap1.cpp:49:13:49:16 | this |  |
 | swap1.cpp:47:36:47:39 | that | swap1.cpp:47:36:47:39 | that |  |
 | swap1.cpp:47:36:47:39 | that | swap1.cpp:49:18:49:21 | that |  |
 | swap1.cpp:49:13:49:16 | ref arg this | swap1.cpp:50:21:50:24 | this |  |
-| swap1.cpp:49:13:49:16 | this | swap1.cpp:49:18:49:21 | ref arg that | TAINT |
 | swap1.cpp:49:13:49:16 | this | swap1.cpp:50:21:50:24 | this |  |
 | swap1.cpp:49:18:49:21 | ref arg that | swap1.cpp:47:36:47:39 | that |  |
-| swap1.cpp:49:18:49:21 | that | swap1.cpp:49:13:49:16 | ref arg this | TAINT |
 | swap1.cpp:50:21:50:24 | this | swap1.cpp:50:20:50:24 | * ... | TAINT |
 | swap1.cpp:53:14:53:17 | this | swap1.cpp:56:18:56:22 | this |  |
 | swap1.cpp:53:26:53:29 | that | swap1.cpp:53:26:53:29 | that |  |
@@ -5468,9 +5430,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap1.cpp:61:32:61:32 | y | swap1.cpp:61:32:61:32 | y |  |
 | swap1.cpp:61:32:61:32 | y | swap1.cpp:63:16:63:16 | y |  |
 | swap1.cpp:63:9:63:9 | ref arg x | swap1.cpp:61:22:61:22 | x |  |
-| swap1.cpp:63:9:63:9 | x | swap1.cpp:63:16:63:16 | ref arg y | TAINT |
 | swap1.cpp:63:16:63:16 | ref arg y | swap1.cpp:61:32:61:32 | y |  |
-| swap1.cpp:63:16:63:16 | y | swap1.cpp:63:9:63:9 | ref arg x | TAINT |
 | swap1.cpp:69:23:69:23 | x | swap1.cpp:71:5:71:5 | x |  |
 | swap1.cpp:69:23:69:23 | x | swap1.cpp:73:10:73:10 | x |  |
 | swap1.cpp:69:23:69:23 | x | swap1.cpp:76:9:76:9 | x |  |
@@ -5579,9 +5539,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap2.cpp:24:9:24:13 | this | swap2.cpp:24:31:24:34 | this |  |
 | swap2.cpp:24:23:24:26 | that | swap2.cpp:24:23:24:26 | that |  |
 | swap2.cpp:24:23:24:26 | that | swap2.cpp:24:36:24:39 | that |  |
-| swap2.cpp:24:31:24:34 | this | swap2.cpp:24:36:24:39 | ref arg that | TAINT |
 | swap2.cpp:24:36:24:39 | ref arg that | swap2.cpp:24:23:24:26 | that |  |
-| swap2.cpp:24:36:24:39 | that | swap2.cpp:24:31:24:34 | ref arg this | TAINT |
 | swap2.cpp:25:9:25:13 | this | swap2.cpp:25:36:25:52 | constructor init of field data1 [pre-this] |  |
 | swap2.cpp:25:28:25:31 | that | swap2.cpp:25:42:25:45 | that |  |
 | swap2.cpp:25:28:25:31 | that | swap2.cpp:25:61:25:64 | that |  |
@@ -5596,36 +5554,28 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap2.cpp:29:23:29:27 | call to Class | swap2.cpp:30:18:30:20 | tmp |  |
 | swap2.cpp:29:24:29:27 | that | swap2.cpp:29:23:29:27 | call to Class |  |
 | swap2.cpp:30:13:30:16 | ref arg this | swap2.cpp:31:21:31:24 | this |  |
-| swap2.cpp:30:13:30:16 | this | swap2.cpp:30:18:30:20 | ref arg tmp | TAINT |
 | swap2.cpp:30:13:30:16 | this | swap2.cpp:31:21:31:24 | this |  |
-| swap2.cpp:30:18:30:20 | tmp | swap2.cpp:30:13:30:16 | ref arg this | TAINT |
 | swap2.cpp:31:21:31:24 | this | swap2.cpp:31:20:31:24 | * ... | TAINT |
 | swap2.cpp:34:16:34:24 | this | swap2.cpp:36:13:36:16 | this |  |
 | swap2.cpp:34:34:34:37 | that | swap2.cpp:34:34:34:37 | that |  |
 | swap2.cpp:34:34:34:37 | that | swap2.cpp:36:18:36:21 | that |  |
 | swap2.cpp:36:13:36:16 | ref arg this | swap2.cpp:37:21:37:24 | this |  |
-| swap2.cpp:36:13:36:16 | this | swap2.cpp:36:18:36:21 | ref arg that | TAINT |
 | swap2.cpp:36:13:36:16 | this | swap2.cpp:37:21:37:24 | this |  |
 | swap2.cpp:36:18:36:21 | ref arg that | swap2.cpp:34:34:34:37 | that |  |
-| swap2.cpp:36:18:36:21 | that | swap2.cpp:36:13:36:16 | ref arg this | TAINT |
 | swap2.cpp:37:21:37:24 | this | swap2.cpp:37:20:37:24 | * ... | TAINT |
 | swap2.cpp:40:16:40:26 | this | swap2.cpp:43:13:43:16 | this |  |
 | swap2.cpp:40:41:40:44 | that | swap2.cpp:42:24:42:27 | that |  |
 | swap2.cpp:42:23:42:27 | call to Class | swap2.cpp:43:18:43:20 | tmp |  |
 | swap2.cpp:42:24:42:27 | that | swap2.cpp:42:23:42:27 | call to Class |  |
 | swap2.cpp:43:13:43:16 | ref arg this | swap2.cpp:44:21:44:24 | this |  |
-| swap2.cpp:43:13:43:16 | this | swap2.cpp:43:18:43:20 | ref arg tmp | TAINT |
 | swap2.cpp:43:13:43:16 | this | swap2.cpp:44:21:44:24 | this |  |
-| swap2.cpp:43:18:43:20 | tmp | swap2.cpp:43:13:43:16 | ref arg this | TAINT |
 | swap2.cpp:44:21:44:24 | this | swap2.cpp:44:20:44:24 | * ... | TAINT |
 | swap2.cpp:47:16:47:26 | this | swap2.cpp:49:13:49:16 | this |  |
 | swap2.cpp:47:36:47:39 | that | swap2.cpp:47:36:47:39 | that |  |
 | swap2.cpp:47:36:47:39 | that | swap2.cpp:49:18:49:21 | that |  |
 | swap2.cpp:49:13:49:16 | ref arg this | swap2.cpp:50:21:50:24 | this |  |
-| swap2.cpp:49:13:49:16 | this | swap2.cpp:49:18:49:21 | ref arg that | TAINT |
 | swap2.cpp:49:13:49:16 | this | swap2.cpp:50:21:50:24 | this |  |
 | swap2.cpp:49:18:49:21 | ref arg that | swap2.cpp:47:36:47:39 | that |  |
-| swap2.cpp:49:18:49:21 | that | swap2.cpp:49:13:49:16 | ref arg this | TAINT |
 | swap2.cpp:50:21:50:24 | this | swap2.cpp:50:20:50:24 | * ... | TAINT |
 | swap2.cpp:53:14:53:17 | this | swap2.cpp:56:18:56:22 | this |  |
 | swap2.cpp:53:26:53:29 | that | swap2.cpp:53:26:53:29 | that |  |
@@ -5647,9 +5597,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | swap2.cpp:61:32:61:32 | y | swap2.cpp:61:32:61:32 | y |  |
 | swap2.cpp:61:32:61:32 | y | swap2.cpp:63:16:63:16 | y |  |
 | swap2.cpp:63:9:63:9 | ref arg x | swap2.cpp:61:22:61:22 | x |  |
-| swap2.cpp:63:9:63:9 | x | swap2.cpp:63:16:63:16 | ref arg y | TAINT |
 | swap2.cpp:63:16:63:16 | ref arg y | swap2.cpp:61:32:61:32 | y |  |
-| swap2.cpp:63:16:63:16 | y | swap2.cpp:63:9:63:9 | ref arg x | TAINT |
 | swap2.cpp:69:23:69:23 | x | swap2.cpp:71:5:71:5 | x |  |
 | swap2.cpp:69:23:69:23 | x | swap2.cpp:73:10:73:10 | x |  |
 | swap2.cpp:69:23:69:23 | x | swap2.cpp:76:9:76:9 | x |  |
@@ -6597,38 +6545,45 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | taint.cpp:729:27:729:32 | endptr | taint.cpp:729:26:729:32 | & ... |  |
 | taint.cpp:731:7:731:12 | ref arg endptr | taint.cpp:732:8:732:13 | endptr |  |
 | taint.cpp:732:8:732:13 | endptr | taint.cpp:732:7:732:13 | * ... | TAINT |
-| taint.cpp:738:17:738:31 | call to indirect_source | taint.cpp:739:30:739:35 | source |  |
-| taint.cpp:739:22:739:28 | call to realloc | taint.cpp:740:7:740:10 | dest |  |
-| taint.cpp:739:30:739:35 | source | taint.cpp:739:22:739:28 | call to realloc | TAINT |
-| taint.cpp:743:40:743:45 | buffer | taint.cpp:744:5:744:10 | buffer |  |
-| taint.cpp:743:40:743:45 | buffer | taint.cpp:745:27:745:32 | buffer |  |
-| taint.cpp:744:4:744:10 | * ... | taint.cpp:744:3:744:10 | * ... | TAINT |
-| taint.cpp:744:5:744:10 | buffer | taint.cpp:744:4:744:10 | * ... | TAINT |
-| taint.cpp:744:14:744:19 | call to source | taint.cpp:744:3:744:21 | ... = ... |  |
-| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:743:40:743:45 | buffer |  |
-| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:745:3:745:37 | ... = ... |  |
-| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:746:10:746:15 | buffer |  |
-| taint.cpp:745:27:745:32 | buffer | taint.cpp:745:19:745:25 | call to realloc | TAINT |
-| taint.cpp:746:9:746:15 | * ... | taint.cpp:746:8:746:15 | * ... | TAINT |
-| taint.cpp:746:10:746:15 | buffer | taint.cpp:746:9:746:15 | * ... | TAINT |
-| taint.cpp:751:31:751:34 | path | taint.cpp:751:31:751:34 | path |  |
-| taint.cpp:751:31:751:34 | path | taint.cpp:752:10:752:13 | path |  |
-| taint.cpp:751:31:751:34 | path | taint.cpp:753:10:753:13 | path |  |
-| taint.cpp:751:43:751:46 | data | taint.cpp:751:43:751:46 | data |  |
-| taint.cpp:751:43:751:46 | data | taint.cpp:753:22:753:25 | data |  |
-| taint.cpp:752:10:752:13 | ref arg path | taint.cpp:751:31:751:34 | path |  |
-| taint.cpp:752:10:752:13 | ref arg path | taint.cpp:753:10:753:13 | path |  |
-| taint.cpp:752:16:752:19 | %s | taint.cpp:752:10:752:13 | ref arg path | TAINT |
-| taint.cpp:752:22:752:26 | abc | taint.cpp:752:10:752:13 | ref arg path | TAINT |
-| taint.cpp:753:10:753:13 | ref arg path | taint.cpp:751:31:751:34 | path |  |
-| taint.cpp:753:16:753:19 | %s | taint.cpp:753:10:753:13 | ref arg path | TAINT |
-| taint.cpp:753:22:753:25 | data | taint.cpp:753:10:753:13 | ref arg path | TAINT |
-| taint.cpp:753:22:753:25 | ref arg data | taint.cpp:751:43:751:46 | data |  |
-| taint.cpp:757:7:757:10 | path | taint.cpp:758:21:758:24 | path |  |
-| taint.cpp:757:7:757:10 | path | taint.cpp:759:8:759:11 | path |  |
-| taint.cpp:758:21:758:24 | ref arg path | taint.cpp:759:8:759:11 | path |  |
-| taint.cpp:759:8:759:11 | path | taint.cpp:759:7:759:11 | * ... |  |
-| taint.cpp:769:37:769:42 | call to source | taint.cpp:770:7:770:9 | obj |  |
+| taint.cpp:739:17:739:31 | call to indirect_source | taint.cpp:740:30:740:35 | source |  |
+| taint.cpp:740:22:740:28 | call to realloc | taint.cpp:741:7:741:10 | dest |  |
+| taint.cpp:740:30:740:35 | source | taint.cpp:740:22:740:28 | call to realloc | TAINT |
+| taint.cpp:744:40:744:45 | buffer | taint.cpp:745:5:745:10 | buffer |  |
+| taint.cpp:744:40:744:45 | buffer | taint.cpp:746:27:746:32 | buffer |  |
+| taint.cpp:745:4:745:10 | * ... | taint.cpp:745:3:745:10 | * ... | TAINT |
+| taint.cpp:745:5:745:10 | buffer | taint.cpp:745:4:745:10 | * ... | TAINT |
+| taint.cpp:745:14:745:19 | call to source | taint.cpp:745:3:745:21 | ... = ... |  |
+| taint.cpp:746:19:746:25 | call to realloc | taint.cpp:744:40:744:45 | buffer |  |
+| taint.cpp:746:19:746:25 | call to realloc | taint.cpp:746:3:746:37 | ... = ... |  |
+| taint.cpp:746:19:746:25 | call to realloc | taint.cpp:747:10:747:15 | buffer |  |
+| taint.cpp:746:27:746:32 | buffer | taint.cpp:746:19:746:25 | call to realloc | TAINT |
+| taint.cpp:747:9:747:15 | * ... | taint.cpp:747:8:747:15 | * ... | TAINT |
+| taint.cpp:747:10:747:15 | buffer | taint.cpp:747:9:747:15 | * ... | TAINT |
+| taint.cpp:752:13:752:18 | call to malloc | taint.cpp:753:2:753:2 | a |  |
+| taint.cpp:752:13:752:18 | call to malloc | taint.cpp:754:22:754:22 | a |  |
+| taint.cpp:753:2:753:2 | a [post update] | taint.cpp:754:22:754:22 | a |  |
+| taint.cpp:753:2:753:16 | ... = ... | taint.cpp:753:5:753:5 | x [post update] |  |
+| taint.cpp:753:9:753:14 | call to source | taint.cpp:753:2:753:16 | ... = ... |  |
+| taint.cpp:754:14:754:20 | call to realloc | taint.cpp:755:7:755:8 | a2 |  |
+| taint.cpp:754:22:754:22 | a | taint.cpp:754:14:754:20 | call to realloc | TAINT |
+| taint.cpp:760:31:760:34 | path | taint.cpp:760:31:760:34 | path |  |
+| taint.cpp:760:31:760:34 | path | taint.cpp:761:10:761:13 | path |  |
+| taint.cpp:760:31:760:34 | path | taint.cpp:762:10:762:13 | path |  |
+| taint.cpp:760:43:760:46 | data | taint.cpp:760:43:760:46 | data |  |
+| taint.cpp:760:43:760:46 | data | taint.cpp:762:22:762:25 | data |  |
+| taint.cpp:761:10:761:13 | ref arg path | taint.cpp:760:31:760:34 | path |  |
+| taint.cpp:761:10:761:13 | ref arg path | taint.cpp:762:10:762:13 | path |  |
+| taint.cpp:761:16:761:19 | %s | taint.cpp:761:10:761:13 | ref arg path | TAINT |
+| taint.cpp:761:22:761:26 | abc | taint.cpp:761:10:761:13 | ref arg path | TAINT |
+| taint.cpp:762:10:762:13 | ref arg path | taint.cpp:760:31:760:34 | path |  |
+| taint.cpp:762:16:762:19 | %s | taint.cpp:762:10:762:13 | ref arg path | TAINT |
+| taint.cpp:762:22:762:25 | data | taint.cpp:762:10:762:13 | ref arg path | TAINT |
+| taint.cpp:762:22:762:25 | ref arg data | taint.cpp:760:43:760:46 | data |  |
+| taint.cpp:766:7:766:10 | path | taint.cpp:767:21:767:24 | path |  |
+| taint.cpp:766:7:766:10 | path | taint.cpp:768:8:768:11 | path |  |
+| taint.cpp:767:21:767:24 | ref arg path | taint.cpp:768:8:768:11 | path |  |
+| taint.cpp:768:8:768:11 | path | taint.cpp:768:7:768:11 | * ... |  |
+| taint.cpp:778:37:778:42 | call to source | taint.cpp:779:7:779:9 | obj |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |
@@ -7005,16 +6960,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:112:7:112:8 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
 | vector.cpp:114:2:114:3 | ref arg v1 | vector.cpp:117:7:117:8 | v1 |  |
 | vector.cpp:114:2:114:3 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
-| vector.cpp:114:2:114:3 | v1 | vector.cpp:114:10:114:11 | ref arg v2 | TAINT |
 | vector.cpp:114:10:114:11 | ref arg v2 | vector.cpp:118:7:118:8 | v2 |  |
 | vector.cpp:114:10:114:11 | ref arg v2 | vector.cpp:121:1:121:1 | v2 |  |
-| vector.cpp:114:10:114:11 | v2 | vector.cpp:114:2:114:3 | ref arg v1 | TAINT |
 | vector.cpp:115:2:115:3 | ref arg v3 | vector.cpp:119:7:119:8 | v3 |  |
 | vector.cpp:115:2:115:3 | ref arg v3 | vector.cpp:121:1:121:1 | v3 |  |
-| vector.cpp:115:2:115:3 | v3 | vector.cpp:115:10:115:11 | ref arg v4 | TAINT |
 | vector.cpp:115:10:115:11 | ref arg v4 | vector.cpp:120:7:120:8 | v4 |  |
 | vector.cpp:115:10:115:11 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
-| vector.cpp:115:10:115:11 | v4 | vector.cpp:115:2:115:3 | ref arg v3 | TAINT |
 | vector.cpp:117:7:117:8 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
 | vector.cpp:118:7:118:8 | ref arg v2 | vector.cpp:121:1:121:1 | v2 |  |
 | vector.cpp:119:7:119:8 | ref arg v3 | vector.cpp:121:1:121:1 | v3 |  |

cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp

@@ -68,8 +68,8 @@ void test_pair()
  	i.swap(j);
 	k.swap(l);
 	sink(i.first);
-	sink(i.second); // $ MISSING: ast,ir
-	sink(i); // $ ast,ir
+	sink(i.second); // $ ir, MISSING: ast
+	sink(i); // $ ir
 	sink(j.first);
 	sink(j.second); // $ SPURIOUS: ast
 	sink(j); // $ SPURIOUS: ast
@@ -77,8 +77,8 @@ void test_pair()
 	sink(k.second); // $ SPURIOUS: ast
 	sink(k); // $ SPURIOUS: ast
 	sink(l.first);
-	sink(l.second); // $ MISSING: ast,ir
-	sink(l); // $ ast,ir
+	sink(l.second); // $ ir, MISSING: ast
+	sink(l); // $ ir
 
 	sink(make_pair("123", "456"));
 	sink(make_pair("123", "456").first);
@@ -197,8 +197,8 @@ void test_map()
 	m15.swap(m16);
 	m17.swap(m18);
 	sink(m15); // $ SPURIOUS: ast
-	sink(m16); // $ ast,ir
-	sink(m17); // $ ast,ir
+	sink(m16); // $ ir
+	sink(m17); // $ ir
 	sink(m18); // $ SPURIOUS: ast
 
 	// merge
@@ -346,8 +346,8 @@ void test_unordered_map()
 	m15.swap(m16);
 	m17.swap(m18);
 	sink(m15); // $ SPURIOUS: ast
-	sink(m16); // $ ast,ir
-	sink(m17); // $ ast,ir
+	sink(m16); // $ ir
+	sink(m17); // $ ir
 	sink(m18); // $ SPURIOUS: ast
 
 	// merge

cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp

@@ -82,8 +82,8 @@ void test_set()
 	s12.swap(s13);
 	s14.swap(s15);
 	sink(s12); // $ SPURIOUS: ast
-	sink(s13); // $ ast,ir
-	sink(s14); // $ ast,ir
+	sink(s13); // $ ir
+	sink(s14); // $ ir
 	sink(s15); // $ SPURIOUS: ast
 
 	// merge
@@ -194,8 +194,8 @@ void test_unordered_set()
 	s12.swap(s13);
 	s14.swap(s15);
 	sink(s12); // $ SPURIOUS: ast
-	sink(s13); // $ ast,ir
-	sink(s14); // $ ast,ir
+	sink(s13); // $ ir
+	sink(s14); // $ ir
 	sink(s15); // $ SPURIOUS: ast
 
 	// merge

cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp

@@ -279,9 +279,9 @@ void test_string_swap() {
 	s1.swap(s2);
 	s4.swap(s3);
 
-	sink(s1); // $ ast,ir
+	sink(s1); // $ ir
 	sink(s2); // $ SPURIOUS: ast
-	sink(s3); // $ ast,ir
+	sink(s3); // $ ir
 	sink(s4); // $ SPURIOUS: ast
 }