Merge pull request #13613 from github/release-prep/2.13.5

Release preparation for version 2.13.5

.github/labeler.yml

@@ -11,7 +11,7 @@ Go:
   - change-notes/**/*go.*
 
 Java:
-  - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/kotlin-explorer/**/*', '!java/ql/test/kotlin/**/*' ]
+  - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/ql/test/kotlin/**/*' ]
   - change-notes/**/*java.*
 
 JS:
@@ -20,7 +20,6 @@ JS:
 
 Kotlin:
   - java/kotlin-extractor/**/*
-  - java/kotlin-explorer/**/*
   - java/ql/test/kotlin/**/*
 
 Python:

.github/workflows/check-change-note.yml

@@ -11,7 +11,6 @@ on:
       - "*/ql/lib/**/*.yml"
       - "!**/experimental/**"
       - "!ql/**"
-      - "!swift/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:
@@ -32,4 +31,4 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$"))' |
-          grep true -c 
+          grep true -c

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -10,6 +10,7 @@ on:
       - "*/ql/src/**/*.qll"
       - "*/ql/lib/**/*.ql"
       - "*/ql/lib/**/*.qll"
+      - "*/ql/lib/ext/**/*.yml"
       - "misc/scripts/library-coverage/*.py"
       # input data files
       - "*/documentation/library-coverage/cwe-sink.csv"

.github/workflows/ql-for-ql-build.yml

@@ -32,7 +32,7 @@ jobs:
           path: |
             ql/extractor-pack/
             ql/target/release/buramu
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ql/**/*.rs') }}
       - name: Cache cargo
         if: steps.cache-extractor.outputs.cache-hit != 'true'
         uses: actions/cache@v3

.github/workflows/ruby-build.yml

@@ -61,7 +61,7 @@ jobs:
             ruby/extractor/target/release/codeql-extractor-ruby
             ruby/extractor/target/release/codeql-extractor-ruby.exe
             ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}--${{ hashFiles('ruby/extractor/**/*.rs') }}
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
       - uses: actions/cache@v3
         if: steps.cache-extractor.outputs.cache-hit != 'true'
         with:

.github/workflows/sync-files.yml

@@ -17,4 +17,6 @@ jobs:
       - uses: actions/checkout@v3
       - name: Check synchronized files
         run: python config/sync-files.py
+      - name: Check dbscheme fragments
+        run: python config/sync-dbscheme-fragments.py
 

CODEOWNERS

@@ -8,7 +8,6 @@
 /swift/ @github/codeql-swift
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin
-/java/kotlin-explorer/ @github/codeql-kotlin
 
 # ML-powered queries
 /javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers

config/dbscheme-fragments.json

@@ -0,0 +1,33 @@
+{
+  "files": [
+    "javascript/ql/lib/semmlecode.javascript.dbscheme",
+    "python/ql/lib/semmlecode.python.dbscheme",
+    "ruby/ql/lib/ruby.dbscheme",
+    "ql/ql/src/ql.dbscheme"
+  ],
+  "fragments": [
+    "/*- External data -*/",
+    "/*- Files and folders -*/",
+    "/*- Diagnostic messages -*/",
+    "/*- Diagnostic messages: severity -*/",
+    "/*- Source location prefix -*/",
+    "/*- Lines of code -*/",
+    "/*- Configuration files with key value pairs -*/",
+    "/*- YAML -*/",
+    "/*- XML Files -*/",
+    "/*- XML: sourceline -*/",
+    "/*- DEPRECATED: External defects and metrics -*/",
+    "/*- DEPRECATED: Snapshot date -*/",
+    "/*- DEPRECATED: Duplicate code -*/",
+    "/*- DEPRECATED: Version control data -*/",
+    "/*- JavaScript-specific part -*/",
+    "/*- Ruby dbscheme -*/",
+    "/*- Erb dbscheme -*/",
+    "/*- QL dbscheme -*/",
+    "/*- Dbscheme dbscheme -*/",
+    "/*- Yaml dbscheme -*/",
+    "/*- Blame dbscheme -*/",
+    "/*- JSON dbscheme -*/",
+    "/*- Python dbscheme -*/"
+  ]
+}

config/identical-files.json

@@ -511,7 +511,8 @@
   "SensitiveDataHeuristics Python/JS": [
     "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
     "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll",
-    "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll"
+    "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
+    "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
   ],
   "CFG": [
     "csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
@@ -598,4 +599,4 @@
     "python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll",
     "java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
   ]
-}
+}

config/sync-dbscheme-fragments.py

@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+
+import argparse
+import json
+import os
+import pathlib
+import re
+
+
+def make_groups(blocks):
+    groups = {}
+    for block in blocks:
+        groups.setdefault("".join(block["lines"]), []).append(block)
+    return list(groups.values())
+
+
+def validate_fragments(fragments):
+    ok = True
+    for header, blocks in fragments.items():
+        groups = make_groups(blocks)
+        if len(groups) > 1:
+            ok = False
+            print("Warning: dbscheme fragments with header '{}' are different for {}".format(header, ["{}:{}:{}".format(
+                group[0]["file"], group[0]["start"], group[0]["end"]) for group in groups]))
+    return ok
+
+
+def main():
+    script_path = os.path.realpath(__file__)
+    script_dir = os.path.dirname(script_path)
+    parser = argparse.ArgumentParser(
+        prog=os.path.basename(script_path),
+        description='Sync dbscheme fragments across files.'
+    )
+    parser.add_argument('files', metavar='dbscheme_file', type=pathlib.Path, nargs='*', default=[],
+                        help='dbscheme files to check')
+    args = parser.parse_args()
+
+    with open(os.path.join(script_dir, "dbscheme-fragments.json"), "r") as f:
+        config = json.load(f)
+
+    fragment_headers = set(config["fragments"])
+    fragments = {}
+    ok = True
+    for file in args.files + config["files"]:
+        with open(os.path.join(os.path.dirname(script_dir), file), "r") as dbscheme:
+            header = None
+            line_number = 1
+            block = {"file": file, "start": line_number,
+                     "end": None, "lines": []}
+
+            def end_block():
+                block["end"] = line_number - 1
+                if len(block["lines"]) > 0:
+                    if header is None:
+                        if re.match(r'(?m)\A(\s|//.*$|/\*(\**[^\*])*\*+/)*\Z', "".join(block["lines"])):
+                            # Ignore comments at the beginning of the file
+                            pass
+                        else:
+                            ok = False
+                            print("Warning: dbscheme fragment without header: {}:{}:{}".format(
+                                block["file"], block["start"], block["end"]))
+                    else:
+                        fragments.setdefault(header, []).append(block)
+            for line in dbscheme:
+                m = re.match(r"^\/\*-.*-\*\/$", line)
+                if m:
+                    end_block()
+                    header = line.strip()
+                    if header not in fragment_headers:
+                        ok = False
+                        print("Warning: unknown header for dbscheme fragment: '{}': {}:{}".format(
+                            header, file, line_number))
+                    block = {"file": file, "start": line_number,
+                             "end": None, "lines": []}
+                block["lines"].append(line)
+                line_number += 1
+            block["lines"].append('\n')
+            line_number += 1
+            end_block()
+    if not ok or not validate_fragments(fragments):
+        exit(1)
+
+
+if __name__ == "__main__":
+    main()

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 0.7.4
+
+No user-facing changes.
+
+## 0.7.3
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
+* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
+* Deleted the deprecated `CodeDuplication.qll` file.
+
 ## 0.7.2
 
 ### New Features

cpp/ql/lib/change-notes/released/0.7.3.md

@@ -0,0 +1,7 @@
+## 0.7.3
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
+* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
+* Deleted the deprecated `CodeDuplication.qll` file.

cpp/ql/lib/change-notes/released/0.7.4.md

@@ -0,0 +1,3 @@
+## 0.7.4
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.2
+lastReleaseVersion: 0.7.4

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.7.2
+version: 0.7.4
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Class.qll

@@ -176,20 +176,6 @@ class Class extends UserType {
   /** Holds if this class, struct or union has a constructor. */
   predicate hasConstructor() { exists(this.getAConstructor()) }
 
-  /**
-   * Holds if this class has a copy constructor that is either explicitly
-   * declared (though possibly `= delete`) or is auto-generated, non-trivial
-   * and called from somewhere.
-   *
-   * DEPRECATED: There is more than one reasonable definition of what it means
-   * to have a copy constructor, and we do not want to promote one particular
-   * definition by naming it with this predicate. Having a copy constructor
-   * could mean that such a member is declared or defined in the source or that
-   * it is callable by a particular caller. For C++11, there's also a question
-   * of whether to include members that are defaulted or deleted.
-   */
-  deprecated predicate hasCopyConstructor() { this.getAMemberFunction() instanceof CopyConstructor }
-
   /**
    * Like accessOfBaseMember but returns multiple results if there are multiple
    * paths to `base` through the inheritance graph.

cpp/ql/lib/semmle/code/cpp/Macro.qll

@@ -34,7 +34,7 @@ class Macro extends PreprocessorDirective, @ppd_define {
    * Gets the name of the macro.  For example, `MAX` in
    * `#define MAX(x,y) (((x)>(y))?(x):(y))`.
    */
-  string getName() { result = this.getHead().splitAt("(", 0) }
+  string getName() { result = this.getHead().regexpCapture("([^(]*+).*", 1) }
 
   /** Holds if the macro has name `name`. */
   predicate hasName(string name) { this.getName() = name }

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -27,9 +27,6 @@ class PrintAstConfiguration extends TPrintAstConfiguration {
   predicate shouldPrintFunction(Function func) { any() }
 }
 
-/** DEPRECATED: Alias for PrintAstConfiguration */
-deprecated class PrintASTConfiguration = PrintAstConfiguration;
-
 private predicate shouldPrintFunction(Function func) {
   exists(PrintAstConfiguration config | config.shouldPrintFunction(func))
 }
@@ -239,9 +236,6 @@ class PrintAstNode extends TPrintAstNode {
   }
 }
 
-/** DEPRECATED: Alias for PrintAstNode */
-deprecated class PrintASTNode = PrintAstNode;
-
 /**
  * Class that restricts the elements that we compute `qlClass` for.
  */
@@ -286,9 +280,6 @@ abstract class BaseAstNode extends PrintAstNode {
   deprecated Locatable getAST() { result = this.getAst() }
 }
 
-/** DEPRECATED: Alias for BaseAstNode */
-deprecated class BaseASTNode = BaseAstNode;
-
 /**
  * A node representing an AST node other than a `DeclarationEntry`.
  */
@@ -296,9 +287,6 @@ abstract class AstNode extends BaseAstNode, TAstNode {
   AstNode() { this = TAstNode(ast) }
 }
 
-/** DEPRECATED: Alias for AstNode */
-deprecated class ASTNode = AstNode;
-
 /**
  * A node representing an `Expr`.
  */

cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll

@@ -14,9 +14,6 @@ library class StandardSsa extends SsaHelper {
   StandardSsa() { this = 0 }
 }
 
-/** DEPRECATED: Alias for StandardSsa */
-deprecated class StandardSSA = StandardSsa;
-
 /**
  * A definition of one or more SSA variables, including phi node definitions.
  * An _SSA variable_, as defined in the literature, is effectively the pair of

cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll

@@ -312,6 +312,3 @@ library class SsaHelper extends int {
     ssa_use(v, result, _, _)
   }
 }
-
-/** DEPRECATED: Alias for SsaHelper */
-deprecated class SSAHelper = SsaHelper;

cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll

@@ -1385,9 +1385,6 @@ private module Cached {
     conditionalSuccessor(n1, _, n2)
   }
 
-  /** DEPRECATED: Alias for qlCfgSuccessor */
-  deprecated predicate qlCFGSuccessor = qlCfgSuccessor/2;
-
   /**
    * Holds if `n2` is a control-flow node such that the control-flow
    * edge `(n1, n2)` may be taken when `n1` is an expression that is true.
@@ -1398,9 +1395,6 @@ private module Cached {
     not conditionalSuccessor(n1, false, n2)
   }
 
-  /** DEPRECATED: Alias for qlCfgTrueSuccessor */
-  deprecated predicate qlCFGTrueSuccessor = qlCfgTrueSuccessor/2;
-
   /**
    * Holds if `n2` is a control-flow node such that the control-flow
    * edge `(n1, n2)` may be taken when `n1` is an expression that is false.
@@ -1410,7 +1404,4 @@ private module Cached {
     conditionalSuccessor(n1, false, n2) and
     not conditionalSuccessor(n1, true, n2)
   }
-
-  /** DEPRECATED: Alias for qlCfgFalseSuccessor */
-  deprecated predicate qlCFGFalseSuccessor = qlCfgFalseSuccessor/2;
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -210,8 +210,8 @@ class IndirectOperand extends Node {
     this.(RawIndirectOperand).getOperand() = operand and
     this.(RawIndirectOperand).getIndirectionIndex() = indirectionIndex
     or
-    this.(OperandNode).getOperand() =
-      Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex)
+    nodeHasOperand(this, Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex),
+      indirectionIndex - 1)
   }
 
   /** Gets the underlying operand. */
@@ -250,8 +250,8 @@ class IndirectInstruction extends Node {
     this.(RawIndirectInstruction).getInstruction() = instr and
     this.(RawIndirectInstruction).getIndirectionIndex() = indirectionIndex
     or
-    this.(InstructionNode).getInstruction() =
-      Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex)
+    nodeHasInstruction(this, Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex),
+      indirectionIndex - 1)
   }
 
   /** Gets the underlying instruction. */

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -1640,8 +1640,15 @@ predicate localInstructionFlow(Instruction e1, Instruction e2) {
   localFlow(instructionNode(e1), instructionNode(e2))
 }
 
+/**
+ * INTERNAL: Do not use.
+ *
+ * Ideally this module would be private, but the `asExprInternal` predicate is
+ * needed in `DefaultTaintTrackingImpl`. Once `DefaultTaintTrackingImpl` is gone
+ * we can make this module private.
+ */
 cached
-private module ExprFlowCached {
+module ExprFlowCached {
   /**
    * Holds if `n` is an indirect operand of a `PointerArithmeticInstruction`, and
    * `e` is the result of loading from the `PointerArithmeticInstruction`.
@@ -1692,7 +1699,8 @@ private module ExprFlowCached {
    * `x[i]` steps to the expression `x[i - 1]` without traversing the
    * entire chain.
    */
-  private Expr asExpr(Node n) {
+  cached
+  Expr asExprInternal(Node n) {
     isIndirectBaseOfArrayAccess(n, result)
     or
     not isIndirectBaseOfArrayAccess(n, _) and
@@ -1704,7 +1712,7 @@ private module ExprFlowCached {
    * dataflow step.
    */
   private predicate localStepFromNonExpr(Node n1, Node n2) {
-    not exists(asExpr(n1)) and
+    not exists(asExprInternal(n1)) and
     localFlowStep(n1, n2)
   }
 
@@ -1715,7 +1723,7 @@ private module ExprFlowCached {
   pragma[nomagic]
   private predicate localStepsToExpr(Node n1, Node n2, Expr e2) {
     localStepFromNonExpr*(n1, n2) and
-    e2 = asExpr(n2)
+    e2 = asExprInternal(n2)
   }
 
   /**
@@ -1726,7 +1734,7 @@ private module ExprFlowCached {
     exists(Node mid |
       localFlowStep(n1, mid) and
       localStepsToExpr(mid, n2, e2) and
-      e1 = asExpr(n1)
+      e1 = asExprInternal(n1)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll

@@ -60,7 +60,7 @@ private DataFlow::Node getNodeForSource(Expr source) {
 }
 
 private DataFlow::Node getNodeForExpr(Expr node) {
-  result = DataFlow::exprNode(node)
+  node = DataFlow::ExprFlowCached::asExprInternal(result)
   or
   // Some of the sources in `isUserInput` are intended to match the value of
   // an expression, while others (those modeled below) are intended to match
@@ -221,7 +221,7 @@ private module Cached {
   predicate nodeIsBarrierIn(DataFlow::Node node) {
     // don't use dataflow into taint sources, as this leads to duplicate results.
     exists(Expr source | isUserInput(source, _) |
-      node = DataFlow::exprNode(source)
+      source = DataFlow::ExprFlowCached::asExprInternal(node)
       or
       // This case goes together with the similar (but not identical) rule in
       // `getNodeForSource`.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRFieldFlowSteps.qll

@@ -0,0 +1,38 @@
+/**
+ * Print the dataflow local store steps in IR dumps.
+ */
+
+private import cpp
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import PrintIRUtilities
+
+/** A property provider for local IR dataflow store steps. */
+class FieldFlowPropertyProvider extends IRPropertyProvider {
+  override string getOperandProperty(Operand operand, string key) {
+    exists(PostFieldUpdateNode pfun, Content content |
+      key = "store " + content.toString() and
+      operand = pfun.getPreUpdateNode().(IndirectOperand).getOperand() and
+      result =
+        strictconcat(string element, Node node |
+          storeStep(node, content, pfun) and
+          element = nodeId(node, _, _)
+        |
+          element, ", "
+        )
+    )
+    or
+    exists(Node node2, Content content |
+      key = "read " + content.toString() and
+      operand = node2.(IndirectOperand).getOperand() and
+      result =
+        strictconcat(string element, Node node1 |
+          readStep(node1, content, node2) and
+          element = nodeId(node1, _, _)
+        |
+          element, ", "
+        )
+    )
+  }
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll

@@ -1,119 +1,44 @@
 private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import SsaInternals as Ssa
 private import PrintIRUtilities
 
 /**
  * Gets the local dataflow from other nodes in the same function to this node.
  */
-private string getFromFlow(DataFlow::Node useNode, int order1, int order2) {
-  exists(DataFlow::Node defNode, string prefix |
-    (
-      simpleLocalFlowStep(defNode, useNode) and prefix = ""
-      or
-      any(DataFlow::Configuration cfg).isAdditionalFlowStep(defNode, useNode) and
-      defNode.getEnclosingCallable() = useNode.getEnclosingCallable() and
-      prefix = "+"
-    ) and
-    if defNode.asInstruction() = useNode.asOperand().getAnyDef()
-    then
-      // Shorthand for flow from the def of this operand.
-      result = prefix + "def" and
-      order1 = -1 and
-      order2 = 0
-    else
-      if defNode.asOperand().getUse() = useNode.asInstruction()
-      then
-        // Shorthand for flow from an operand of this instruction
-        result = prefix + defNode.asOperand().getDumpId() and
-        order1 = -1 and
-        order2 = defNode.asOperand().getDumpSortOrder()
-      else result = prefix + nodeId(defNode, order1, order2)
+private string getFromFlow(Node node2, int order1, int order2) {
+  exists(Node node1 |
+    simpleLocalFlowStep(node1, node2) and
+    result = nodeId(node1, order1, order2)
   )
 }
 
 /**
  * Gets the local dataflow from this node to other nodes in the same function.
  */
-private string getToFlow(DataFlow::Node defNode, int order1, int order2) {
-  exists(DataFlow::Node useNode, string prefix |
-    (
-      simpleLocalFlowStep(defNode, useNode) and prefix = ""
-      or
-      any(DataFlow::Configuration cfg).isAdditionalFlowStep(defNode, useNode) and
-      defNode.getEnclosingCallable() = useNode.getEnclosingCallable() and
-      prefix = "+"
-    ) and
-    if useNode.asInstruction() = defNode.asOperand().getUse()
-    then
-      // Shorthand for flow to this operand's instruction.
-      result = prefix + "result" and
-      order1 = -1 and
-      order2 = 0
-    else result = prefix + nodeId(useNode, order1, order2)
+private string getToFlow(Node node1, int order1, int order2) {
+  exists(Node node2 |
+    simpleLocalFlowStep(node1, node2) and
+    result = nodeId(node2, order1, order2)
   )
 }
 
 /**
  * Gets the properties of the dataflow node `node`.
  */
-private string getNodeProperty(DataFlow::Node node, string key) {
+private string getNodeProperty(Node node, string key) {
   // List dataflow into and out of this node. Flow into this node is printed as `src->@`, and flow
   // out of this node is printed as `@->dest`.
   key = "flow" and
   result =
     strictconcat(string flow, boolean to, int order1, int order2 |
-      flow = getFromFlow(node, order1, order2) + "->@" and to = false
+      flow = getFromFlow(node, order1, order2) + "->" + starsForNode(node) + "@" and to = false
       or
-      flow = "@->" + getToFlow(node, order1, order2) and to = true
+      flow = starsForNode(node) + "@->" + getToFlow(node, order1, order2) and to = true
     |
       flow, ", " order by to, order1, order2, flow
     )
-  or
-  // Is this node a dataflow sink?
-  key = "sink" and
-  any(DataFlow::Configuration cfg).isSink(node) and
-  result = "true"
-  or
-  // Is this node a dataflow source?
-  key = "source" and
-  any(DataFlow::Configuration cfg).isSource(node) and
-  result = "true"
-  or
-  // Is this node a dataflow barrier, and if so, what kind?
-  key = "barrier" and
-  result =
-    strictconcat(string kind |
-      any(DataFlow::Configuration cfg).isBarrier(node) and kind = "full"
-      or
-      any(DataFlow::Configuration cfg).isBarrierIn(node) and kind = "in"
-      or
-      any(DataFlow::Configuration cfg).isBarrierOut(node) and kind = "out"
-    |
-      kind, ", "
-    )
-  // or
-  // // Is there partial flow from a source to this node?
-  // // This property will only be emitted if partial flow is enabled by overriding
-  // // `DataFlow::Configuration::explorationLimit()`.
-  // key = "pflow" and
-  // result =
-  //   strictconcat(DataFlow::PartialPathNode sourceNode, DataFlow::PartialPathNode destNode, int dist,
-  //     int order1, int order2 |
-  //     any(DataFlow::Configuration cfg).hasPartialFlow(sourceNode, destNode, dist) and
-  //     destNode.getNode() = node and
-  //     // Only print flow from a source in the same function.
-  //     sourceNode.getNode().getEnclosingCallable() = node.getEnclosingCallable()
-  //   |
-  //     nodeId(sourceNode.getNode(), order1, order2) + "+" + dist.toString(), ", "
-  //     order by
-  //       order1, order2, dist desc
-  //   )
 }
 
 /**
@@ -121,16 +46,21 @@ private string getNodeProperty(DataFlow::Node node, string key) {
  */
 class LocalFlowPropertyProvider extends IRPropertyProvider {
   override string getOperandProperty(Operand operand, string key) {
-    exists(DataFlow::Node node |
-      operand = node.asOperand() and
+    exists(Node node |
+      operand = [node.asOperand(), node.(RawIndirectOperand).getOperand()] and
       result = getNodeProperty(node, key)
     )
   }
 
   override string getInstructionProperty(Instruction instruction, string key) {
-    exists(DataFlow::Node node |
-      instruction = node.asInstruction() and
+    exists(Node node |
+      instruction = [node.asInstruction(), node.(RawIndirectInstruction).getInstruction()]
+    |
       result = getNodeProperty(node, key)
     )
   }
+
+  override predicate shouldPrintOperand(Operand operand) { not Ssa::ignoreOperand(operand) }
+
+  override predicate shouldPrintInstruction(Instruction instr) { not Ssa::ignoreInstruction(instr) }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRStoreSteps.qll

@@ -1,33 +0,0 @@
-/**
- * Print the dataflow local store steps in IR dumps.
- */
-
-private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import PrintIRUtilities
-
-/**
- * Property provider for local IR dataflow store steps.
- */
-class LocalFlowPropertyProvider extends IRPropertyProvider {
-  override string getInstructionProperty(Instruction instruction, string key) {
-    exists(DataFlow::Node objectNode, Content content |
-      key = "content[" + content.toString() + "]" and
-      instruction = objectNode.asInstruction() and
-      result =
-        strictconcat(string element, DataFlow::Node fieldNode |
-          storeStep(fieldNode, content, objectNode) and
-          element = nodeId(fieldNode, _, _)
-        |
-          element, ", "
-        )
-    )
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll

@@ -3,37 +3,59 @@
  */
 
 private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+
+private string stars(int k) {
+  k =
+    [0 .. max([
+            any(RawIndirectInstruction n).getIndirectionIndex(),
+            any(RawIndirectOperand n).getIndirectionIndex()
+          ]
+      )] and
+  (if k = 0 then result = "" else result = "*" + stars(k - 1))
+}
+
+string starsForNode(Node node) {
+  result = stars(node.(IndirectInstruction).getIndirectionIndex())
+  or
+  result = stars(node.(IndirectOperand).getIndirectionIndex())
+  or
+  not node instanceof IndirectInstruction and
+  not node instanceof IndirectOperand and
+  result = ""
+}
+
+private Instruction getInstruction(Node n, string stars) {
+  result = [n.asInstruction(), n.(RawIndirectInstruction).getInstruction()] and
+  stars = starsForNode(n)
+}
+
+private Operand getOperand(Node n, string stars) {
+  result = [n.asOperand(), n.(RawIndirectOperand).getOperand()] and
+  stars = starsForNode(n)
+}
 
 /**
  * Gets a short ID for an IR dataflow node.
  * - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
  * - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
  *   instruction and a dot (e.g. `m128.left`).
- * - For `Variable`s, this is the qualified name of the variable.
  */
-string nodeId(DataFlow::Node node, int order1, int order2) {
-  exists(Instruction instruction | instruction = node.asInstruction() |
-    result = instruction.getResultId() and
+string nodeId(Node node, int order1, int order2) {
+  exists(Instruction instruction, string stars | instruction = getInstruction(node, stars) |
+    result = stars + instruction.getResultId() and
     order1 = instruction.getBlock().getDisplayIndex() and
     order2 = instruction.getDisplayIndexInBlock()
   )
   or
-  exists(Operand operand, Instruction instruction |
-    operand = node.asOperand() and
+  exists(Operand operand, Instruction instruction, string stars |
+    operand = getOperand(node, stars) and
     instruction = operand.getUse()
   |
-    result = instruction.getResultId() + "." + operand.getDumpId() and
+    result = stars + instruction.getResultId() + "." + operand.getDumpId() and
     order1 = instruction.getBlock().getDisplayIndex() and
     order2 = instruction.getDisplayIndexInBlock()
   )
-  or
-  result = "var(" + node.asVariable().getQualifiedName() + ")" and
-  order1 = 1000000 and
-  order2 = 0
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll

@@ -1,10 +1,29 @@
-import semmle.code.cpp.ir.dataflow.DataFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon
+/**
+ * Provides a library for global (inter-procedural) data flow analysis of two
+ * values "simultaneously". This can be used, for example, if you want to track
+ * a memory allocation as well as the size of the allocation.
+ *
+ * Intuitively, you can think of this as regular dataflow, but where each node
+ * in the dataflow graph has been replaced by a pair of nodes `(node1, node2)`,
+ * and two node pairs `(n11, n12)`, `(n21, n22)` is then connected by a dataflow
+ * edge if there's a regular dataflow edge between `n11` and `n21`, and `n12`
+ * and `n22`.
+ *
+ * Note that the above intuition does not reflect the actual implementation.
+ */
+
+import semmle.code.cpp.dataflow.new.DataFlow
+private import DataFlowPrivate
+private import DataFlowUtil
+private import DataFlowImplCommon
 private import codeql.util.Unit
 
+/**
+ * Provides classes for performing global (inter-procedural) data flow analyses
+ * on a product dataflow graph.
+ */
 module ProductFlow {
+  /** An input configuration for product data-flow. */
   signature module ConfigSig {
     /**
      * Holds if `(source1, source2)` is a relevant data flow source.
@@ -70,6 +89,9 @@ module ProductFlow {
     default predicate isBarrierIn2(DataFlow::Node node) { none() }
   }
 
+  /**
+   * The output of a global data flow computation.
+   */
   module Global<ConfigSig Config> {
     private module StateConfig implements StateConfigSig {
       class FlowState1 = Unit;
@@ -138,6 +160,7 @@ module ProductFlow {
     import GlobalWithState<StateConfig>
   }
 
+  /** An input configuration for data flow using flow state. */
   signature module StateConfigSig {
     bindingset[this]
     class FlowState1;
@@ -247,6 +270,9 @@ module ProductFlow {
     default predicate isBarrierIn2(DataFlow::Node node) { none() }
   }
 
+  /**
+   * The output of a global data flow computation.
+   */
   module GlobalWithState<StateConfigSig Config> {
     class PathNode1 = Flow1::PathNode;
 
@@ -260,6 +286,7 @@ module ProductFlow {
 
     class FlowState2 = Config::FlowState2;
 
+    /** Holds if data can flow from `(source1, source2)` to `(sink1, sink2)`. */
     predicate flowPath(
       Flow1::PathNode source1, Flow2::PathNode source2, Flow1::PathNode sink1, Flow2::PathNode sink2
     ) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -144,6 +144,20 @@ class AllocationInstruction extends CallInstruction {
   AllocationInstruction() { this.getStaticCallTarget() instanceof Cpp::AllocationFunction }
 }
 
+private predicate isIndirectionType(Type t) { t instanceof Indirection }
+
+private predicate hasUnspecifiedBaseType(Indirection t, Type base) {
+  base = t.getBaseType().getUnspecifiedType()
+}
+
+/**
+ * Holds if `t2` is the same type as `t1`, but after stripping away `result` number
+ * of indirections.
+ * Furthermore, specifies in `t2` been deeply stripped and typedefs has been resolved.
+ */
+private int getNumberOfIndirectionsImpl(Type t1, Type t2) =
+  shortestDistances(isIndirectionType/1, hasUnspecifiedBaseType/2)(t1, t2, result)
+
 /**
  * An abstract class for handling indirections.
  *
@@ -162,7 +176,10 @@ abstract class Indirection extends Type {
    * For example, the number of indirections of a variable `p` of type
    * `int**` is `3` (i.e., `p`, `*p` and `**p`).
    */
-  abstract int getNumberOfIndirections();
+  final int getNumberOfIndirections() {
+    result =
+      getNumberOfIndirectionsImpl(this.getType(), any(Type end | not end instanceof Indirection))
+  }
 
   /**
    * Holds if `deref` is an instruction that behaves as a `LoadInstruction`
@@ -200,19 +217,11 @@ private class PointerOrArrayOrReferenceTypeIndirection extends Indirection insta
   PointerOrArrayOrReferenceTypeIndirection() {
     baseType = PointerOrArrayOrReferenceType.super.getBaseType()
   }
-
-  override int getNumberOfIndirections() {
-    result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
-  }
 }
 
 private class PointerWrapperTypeIndirection extends Indirection instanceof PointerWrapper {
   PointerWrapperTypeIndirection() { baseType = PointerWrapper.super.getBaseType() }
 
-  override int getNumberOfIndirections() {
-    result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
-  }
-
   override predicate isAdditionalDereference(Instruction deref, Operand address) {
     exists(CallInstruction call |
       operandForFullyConvertedCall(getAUse(deref), call) and
@@ -233,10 +242,6 @@ private module IteratorIndirections {
       baseType = super.getValueType()
     }
 
-    override int getNumberOfIndirections() {
-      result = 1 + countIndirections(this.getBaseType().getUnspecifiedType())
-    }
-
     override predicate isAdditionalDereference(Instruction deref, Operand address) {
       exists(CallInstruction call |
         operandForFullyConvertedCall(getAUse(deref), call) and

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll

@@ -77,4 +77,16 @@ class IRPropertyProvider extends TIRPropertyProvider {
    * Gets the value of the property named `key` for the specified operand.
    */
   string getOperandProperty(Operand operand, string key) { none() }
+
+  /**
+   * Holds if the instruction `instr` should be included when printing
+   * the IR instructions.
+   */
+  predicate shouldPrintInstruction(Instruction instr) { any() }
+
+  /**
+   * Holds if the operand `operand` should be included when printing the an
+   * instruction's operand list.
+   */
+  predicate shouldPrintOperand(Operand operand) { any() }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
    */
   final Language::AST getAst() { result = Construction::getInstructionAst(this) }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
   /**
    * Gets the location of the source code for this instruction.
    */
@@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
    * Gets the AST variable that this instruction's IR variable refers to, if one exists.
    */
   final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
-
-  /** DEPRECATED: Alias for getAstVariable */
-  deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll

@@ -42,6 +42,14 @@ private predicate shouldPrintFunction(Language::Declaration decl) {
   exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
 }
 
+private predicate shouldPrintInstruction(Instruction i) {
+  exists(IRPropertyProvider provider | provider.shouldPrintInstruction(i))
+}
+
+private predicate shouldPrintOperand(Operand operand) {
+  exists(IRPropertyProvider provider | provider.shouldPrintOperand(operand))
+}
+
 private string getAdditionalInstructionProperty(Instruction instr, string key) {
   exists(IRPropertyProvider provider | result = provider.getInstructionProperty(instr, key))
 }
@@ -84,7 +92,9 @@ private string getOperandPropertyString(Operand operand) {
 private newtype TPrintableIRNode =
   TPrintableIRFunction(IRFunction irFunc) { shouldPrintFunction(irFunc.getFunction()) } or
   TPrintableIRBlock(IRBlock block) { shouldPrintFunction(block.getEnclosingFunction()) } or
-  TPrintableInstruction(Instruction instr) { shouldPrintFunction(instr.getEnclosingFunction()) }
+  TPrintableInstruction(Instruction instr) {
+    shouldPrintInstruction(instr) and shouldPrintFunction(instr.getEnclosingFunction())
+  }
 
 /**
  * A node to be emitted in the IR graph.
@@ -252,7 +262,8 @@ private class PrintableInstruction extends PrintableIRNode, TPrintableInstructio
   private string getOperandsString() {
     result =
       concat(Operand operand |
-        operand = instr.getAnOperand()
+        operand = instr.getAnOperand() and
+        shouldPrintOperand(operand)
       |
         operand.getDumpString() + getOperandPropertyString(operand), ", "
         order by

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -577,9 +577,6 @@ private Overlap getVariableMemoryLocationOverlap(
  */
 predicate canReuseSsaForOldResult(Instruction instr) { OldSsa::canReuseSsaForMemoryResult(instr) }
 
-/** DEPRECATED: Alias for canReuseSsaForOldResult */
-deprecated predicate canReuseSSAForOldResult = canReuseSsaForOldResult/1;
-
 bindingset[result, b]
 private boolean unbindBool(boolean b) { result != b.booleanNot() }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -422,12 +422,6 @@ private module Cached {
     )
   }
 
-  /** DEPRECATED: Alias for getInstructionAst */
-  cached
-  deprecated Language::AST getInstructionAST(Instruction instr) {
-    result = getInstructionAst(instr)
-  }
-
   cached
   Language::LanguageType getInstructionResultType(Instruction instr) {
     result = instr.(RawIR::Instruction).getResultLanguageType()
@@ -993,9 +987,6 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) {
   // We don't support reusing SSA for any location that could create a `Chi` instruction.
 }
 
-/** DEPRECATED: Alias for canReuseSsaForMemoryResult */
-deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
-
 /**
  * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
  * `DebugSsa` module, which is then imported by PrintSSA.
@@ -1005,9 +996,6 @@ module DebugSsa {
   import DefUse
 }
 
-/** DEPRECATED: Alias for DebugSsa */
-deprecated module DebugSSA = DebugSsa;
-
 import CachedForDebugging
 
 cached

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll

@@ -73,9 +73,6 @@ module UnaliasedSsaInstructions {
   }
 }
 
-/** DEPRECATED: Alias for UnaliasedSsaInstructions */
-deprecated module UnaliasedSSAInstructions = UnaliasedSsaInstructions;
-
 /**
  * Provides wrappers for the constructors of each branch of `TInstruction` that is used by the
  * aliased SSA stage.
@@ -107,6 +104,3 @@ module AliasedSsaInstructions {
     result = TAliasedSsaUnreachedInstruction(irFunc)
   }
 }
-
-/** DEPRECATED: Alias for AliasedSsaInstructions */
-deprecated module AliasedSSAInstructions = AliasedSsaInstructions;

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll

@@ -74,20 +74,12 @@ private module Shared {
 
   class TNonSsaMemoryOperand = Internal::TNonSsaMemoryOperand;
 
-  /** DEPRECATED: Alias for TNonSsaMemoryOperand */
-  deprecated class TNonSSAMemoryOperand = TNonSsaMemoryOperand;
-
   /**
    * Returns the non-Phi memory operand with the specified parameters.
    */
   TNonSsaMemoryOperand nonSsaMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) {
     result = Internal::TNonSsaMemoryOperand(useInstr, tag)
   }
-
-  /** DEPRECATED: Alias for nonSsaMemoryOperand */
-  deprecated TNonSSAMemoryOperand nonSSAMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) {
-    result = nonSsaMemoryOperand(useInstr, tag)
-  }
 }
 
 /**
@@ -167,9 +159,6 @@ module UnaliasedSsaOperands {
   TChiOperand chiOperand(Unaliased::Instruction useInstr, ChiOperandTag tag) { none() }
 }
 
-/** DEPRECATED: Alias for UnaliasedSsaOperands */
-deprecated module UnaliasedSSAOperands = UnaliasedSsaOperands;
-
 /**
  * Provides wrappers for the constructors of each branch of `TOperand` that is used by the
  * aliased SSA stage.
@@ -217,6 +206,3 @@ module AliasedSsaOperands {
     result = Internal::TAliasedChiOperand(useInstr, tag)
   }
 }
-
-/** DEPRECATED: Alias for AliasedSsaOperands */
-deprecated module AliasedSSAOperands = AliasedSsaOperands;

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IR.qll

@@ -77,4 +77,16 @@ class IRPropertyProvider extends TIRPropertyProvider {
    * Gets the value of the property named `key` for the specified operand.
    */
   string getOperandProperty(Operand operand, string key) { none() }
+
+  /**
+   * Holds if the instruction `instr` should be included when printing
+   * the IR instructions.
+   */
+  predicate shouldPrintInstruction(Instruction instr) { any() }
+
+  /**
+   * Holds if the operand `operand` should be included when printing the an
+   * instruction's operand list.
+   */
+  predicate shouldPrintOperand(Operand operand) { any() }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
    */
   final Language::AST getAst() { result = Construction::getInstructionAst(this) }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
   /**
    * Gets the location of the source code for this instruction.
    */
@@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
    * Gets the AST variable that this instruction's IR variable refers to, if one exists.
    */
   final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
-
-  /** DEPRECATED: Alias for getAstVariable */
-  deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll

@@ -42,6 +42,14 @@ private predicate shouldPrintFunction(Language::Declaration decl) {
   exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
 }
 
+private predicate shouldPrintInstruction(Instruction i) {
+  exists(IRPropertyProvider provider | provider.shouldPrintInstruction(i))
+}
+
+private predicate shouldPrintOperand(Operand operand) {
+  exists(IRPropertyProvider provider | provider.shouldPrintOperand(operand))
+}
+
 private string getAdditionalInstructionProperty(Instruction instr, string key) {
   exists(IRPropertyProvider provider | result = provider.getInstructionProperty(instr, key))
 }
@@ -84,7 +92,9 @@ private string getOperandPropertyString(Operand operand) {
 private newtype TPrintableIRNode =
   TPrintableIRFunction(IRFunction irFunc) { shouldPrintFunction(irFunc.getFunction()) } or
   TPrintableIRBlock(IRBlock block) { shouldPrintFunction(block.getEnclosingFunction()) } or
-  TPrintableInstruction(Instruction instr) { shouldPrintFunction(instr.getEnclosingFunction()) }
+  TPrintableInstruction(Instruction instr) {
+    shouldPrintInstruction(instr) and shouldPrintFunction(instr.getEnclosingFunction())
+  }
 
 /**
  * A node to be emitted in the IR graph.
@@ -252,7 +262,8 @@ private class PrintableInstruction extends PrintableIRNode, TPrintableInstructio
   private string getOperandsString() {
     result =
       concat(Operand operand |
-        operand = instr.getAnOperand()
+        operand = instr.getAnOperand() and
+        shouldPrintOperand(operand)
       |
         operand.getDumpString() + getOperandPropertyString(operand), ", "
         order by

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -375,11 +375,6 @@ Locatable getInstructionAst(TStageInstruction instr) {
   )
 }
 
-/** DEPRECATED: Alias for getInstructionAst */
-deprecated Locatable getInstructionAST(TStageInstruction instr) {
-  result = getInstructionAst(instr)
-}
-
 CppType getInstructionResultType(TStageInstruction instr) {
   getInstructionTranslatedElement(instr).hasInstruction(_, getInstructionTag(instr), result)
   or

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -76,9 +76,6 @@ abstract class TranslatedExpr extends TranslatedElement {
 
   final override Locatable getAst() { result = expr }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
   final override Declaration getFunction() { result = getEnclosingDeclaration(expr) }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll

@@ -77,4 +77,16 @@ class IRPropertyProvider extends TIRPropertyProvider {
    * Gets the value of the property named `key` for the specified operand.
    */
   string getOperandProperty(Operand operand, string key) { none() }
+
+  /**
+   * Holds if the instruction `instr` should be included when printing
+   * the IR instructions.
+   */
+  predicate shouldPrintInstruction(Instruction instr) { any() }
+
+  /**
+   * Holds if the operand `operand` should be included when printing the an
+   * instruction's operand list.
+   */
+  predicate shouldPrintOperand(Operand operand) { any() }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction {
    */
   final Language::AST getAst() { result = Construction::getInstructionAst(this) }
 
-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
   /**
    * Gets the location of the source code for this instruction.
    */
@@ -463,9 +460,6 @@ class VariableInstruction extends Instruction {
    * Gets the AST variable that this instruction's IR variable refers to, if one exists.
    */
   final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() }
-
-  /** DEPRECATED: Alias for getAstVariable */
-  deprecated Language::Variable getASTVariable() { result = this.getAstVariable() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll

@@ -42,6 +42,14 @@ private predicate shouldPrintFunction(Language::Declaration decl) {
   exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
 }
 
+private predicate shouldPrintInstruction(Instruction i) {
+  exists(IRPropertyProvider provider | provider.shouldPrintInstruction(i))
+}
+
+private predicate shouldPrintOperand(Operand operand) {
+  exists(IRPropertyProvider provider | provider.shouldPrintOperand(operand))
+}
+
 private string getAdditionalInstructionProperty(Instruction instr, string key) {
   exists(IRPropertyProvider provider | result = provider.getInstructionProperty(instr, key))
 }
@@ -84,7 +92,9 @@ private string getOperandPropertyString(Operand operand) {
 private newtype TPrintableIRNode =
   TPrintableIRFunction(IRFunction irFunc) { shouldPrintFunction(irFunc.getFunction()) } or
   TPrintableIRBlock(IRBlock block) { shouldPrintFunction(block.getEnclosingFunction()) } or
-  TPrintableInstruction(Instruction instr) { shouldPrintFunction(instr.getEnclosingFunction()) }
+  TPrintableInstruction(Instruction instr) {
+    shouldPrintInstruction(instr) and shouldPrintFunction(instr.getEnclosingFunction())
+  }
 
 /**
  * A node to be emitted in the IR graph.
@@ -252,7 +262,8 @@ private class PrintableInstruction extends PrintableIRNode, TPrintableInstructio
   private string getOperandsString() {
     result =
       concat(Operand operand |
-        operand = instr.getAnOperand()
+        operand = instr.getAnOperand() and
+        shouldPrintOperand(operand)
       |
         operand.getDumpString() + getOperandPropertyString(operand), ", "
         order by

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -422,12 +422,6 @@ private module Cached {
     )
   }
 
-  /** DEPRECATED: Alias for getInstructionAst */
-  cached
-  deprecated Language::AST getInstructionAST(Instruction instr) {
-    result = getInstructionAst(instr)
-  }
-
   cached
   Language::LanguageType getInstructionResultType(Instruction instr) {
     result = instr.(RawIR::Instruction).getResultLanguageType()
@@ -993,9 +987,6 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) {
   // We don't support reusing SSA for any location that could create a `Chi` instruction.
 }
 
-/** DEPRECATED: Alias for canReuseSsaForMemoryResult */
-deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
-
 /**
  * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
  * `DebugSsa` module, which is then imported by PrintSSA.
@@ -1005,9 +996,6 @@ module DebugSsa {
   import DefUse
 }
 
-/** DEPRECATED: Alias for DebugSsa */
-deprecated module DebugSSA = DebugSsa;
-
 import CachedForDebugging
 
 cached

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll

@@ -46,9 +46,6 @@ predicate canReuseSsaForVariable(IRAutomaticVariable var) {
   not allocationEscapes(var)
 }
 
-/** DEPRECATED: Alias for canReuseSsaForVariable */
-deprecated predicate canReuseSSAForVariable = canReuseSsaForVariable/1;
-
 private newtype TMemoryLocation = MkMemoryLocation(Allocation var) { isVariableModeled(var) }
 
 private MemoryLocation getMemoryLocation(Allocation var) { result.getAllocation() = var }
@@ -80,9 +77,6 @@ class MemoryLocation extends TMemoryLocation {
 
 predicate canReuseSsaForOldResult(Instruction instr) { none() }
 
-/** DEPRECATED: Alias for canReuseSsaForOldResult */
-deprecated predicate canReuseSSAForOldResult = canReuseSsaForOldResult/1;
-
 /**
  * Represents a set of `MemoryLocation`s that cannot overlap with
  * `MemoryLocation`s outside of the set. The `VirtualVariable` will be

cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeSSA.qll

@@ -40,9 +40,6 @@ library class RangeSsa extends SsaHelper {
   }
 }
 
-/** DEPRECATED: Alias for RangeSsa */
-deprecated class RangeSSA = RangeSsa;
-
 private predicate guard_defn(VariableAccess v, Expr guard, BasicBlock b, boolean branch) {
   guardCondition(guard, v, branch) and
   guardSuccessor(guard, branch, b)

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisStage.qll

@@ -729,7 +729,7 @@ module RangeStage<
   ) {
     exists(SemExpr e, D::Delta d1, D::Delta d2 |
       unequalFlowStepIntegralSsa(v, pos, e, d1, reason) and
-      boundedUpper(e, b, d1) and
+      boundedUpper(e, b, d2) and
       boundedLower(e, b, d2) and
       delta = D::fromFloat(D::toFloat(d1) + D::toFloat(d2))
     )

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 0.6.4
+
+No user-facing changes.
+
+## 0.6.3
+
+### New Queries
+
+* Added a new query, `cpp/overrun-write`, to detect buffer overflows in C-style functions that manipulate buffers.
+
 ## 0.6.2
 
 No user-facing changes.

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll

@@ -16,9 +16,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
   DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
 }
 
-/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
-deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
-
 /** An external API which is used with untrusted data. */
 private newtype TExternalApi =
   /** An untrusted API method `m` where untrusted data is passed at `index`. */
@@ -51,6 +48,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi {
     )
   }
 }
-
-/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
-deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll

@@ -41,9 +41,6 @@ class ExternalApiDataNode extends DataFlow::Node {
   string getFunctionDescription() { result = this.getExternalFunction().toString() }
 }
 
-/** DEPRECATED: Alias for ExternalApiDataNode */
-deprecated class ExternalAPIDataNode = ExternalApiDataNode;
-
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
   UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
@@ -58,9 +55,6 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu
   override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 }
 
-/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
-deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
-
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {

cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll

@@ -10,9 +10,6 @@ private import semmle.code.cpp.models.interfaces.SideEffect
  */
 abstract class SafeExternalApiFunction extends Function { }
 
-/** DEPRECATED: Alias for SafeExternalApiFunction */
-deprecated class SafeExternalAPIFunction = SafeExternalApiFunction;
-
 /** The default set of "safe" external APIs. */
 private class DefaultSafeExternalApiFunction extends SafeExternalApiFunction {
   DefaultSafeExternalApiFunction() {

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll

@@ -16,9 +16,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
   DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
 }
 
-/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
-deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
-
 /** An external API which is used with untrusted data. */
 private newtype TExternalApi =
   /** An untrusted API method `m` where untrusted data is passed at `index`. */
@@ -51,6 +48,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi {
     )
   }
 }
-
-/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
-deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll

@@ -41,9 +41,6 @@ class ExternalApiDataNode extends DataFlow::Node {
   string getFunctionDescription() { result = this.getExternalFunction().toString() }
 }
 
-/** DEPRECATED: Alias for ExternalApiDataNode */
-deprecated class ExternalAPIDataNode = ExternalApiDataNode;
-
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
   UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfigIR" }
@@ -53,9 +50,6 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu
   override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 }
 
-/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
-deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
-
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll

@@ -10,9 +10,6 @@ private import semmle.code.cpp.models.interfaces.SideEffect
  */
 abstract class SafeExternalApiFunction extends Function { }
 
-/** DEPRECATED: Alias for SafeExternalApiFunction */
-deprecated class SafeExternalAPIFunction = SafeExternalApiFunction;
-
 /** The default set of "safe" external APIs. */
 private class DefaultSafeExternalApiFunction extends SafeExternalApiFunction {
   DefaultSafeExternalApiFunction() {

cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql

@@ -4,16 +4,17 @@
  *              may result in a buffer overflow.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 9.3
+ * @precision low
  * @id cpp/overrun-write
  * @tags reliability
  *       security
- *       experimental
  *       external/cwe/cwe-119
  *       external/cwe/cwe-131
  */
 
 import cpp
-import experimental.semmle.code.cpp.dataflow.ProductFlow
+import semmle.code.cpp.ir.dataflow.internal.ProductFlow
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.models.interfaces.Allocation
 import semmle.code.cpp.models.interfaces.ArrayFunction

cpp/ql/src/change-notes/released/0.6.3.md

@@ -0,0 +1,5 @@
+## 0.6.3
+
+### New Queries
+
+* Added a new query, `cpp/overrun-write`, to detect buffer overflows in C-style functions that manipulate buffers.

cpp/ql/src/change-notes/released/0.6.4.md

@@ -0,0 +1,3 @@
+## 0.6.4
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.2
+lastReleaseVersion: 0.6.4

cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql

@@ -10,7 +10,7 @@
  */
 
 import cpp
-import experimental.semmle.code.cpp.dataflow.ProductFlow
+import semmle.code.cpp.ir.dataflow.internal.ProductFlow
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysis
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.Bound

cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.qhelp

@@ -0,0 +1,33 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Detects <code>if (a+b>c) a=c-b</code>, which incorrectly implements
+<code>a = min(a,c-b)</code> if <code>a+b</code> overflows.
+</p>
+<p>
+Also detects variants such as <code>if (b+a>c) a=c-b</code> (swapped
+terms in addition), <code>if (a+b>c) { a=c-b }</code> (assignment
+inside block), <code>c&lt;a+b</code> (swapped operands), and
+<code>&gt;=</code>, <code>&lt;</code>, <code>&lt;=</code> instead of 
+<code>&gt;</code> (all operators).
+</p>
+<p>
+This integer overflow is the root cause of the buffer overflow in
+the SHA-3 reference implementation (CVE-2022-37454).
+</p>
+</overview>
+<recommendation>
+<p>
+Replace by <code>if (a>c-b) a=c-b</code>. This avoids the overflow
+and makes it easy to see that <code>a = min(a,c-b)</code>.
+</p>
+</recommendation>
+<references>
+<li>CVE-2022-37454: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-37454">The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.</a></li>
+<li>GitHub Advisory Database: <a href="https://github.com/advisories/GHSA-6w4m-2xhg-2658">CVE-2022-37454: Buffer overflow in sponge queue functions</a></li>
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql

@@ -0,0 +1,42 @@
+/**
+ * @name Integer addition may overflow inside if statement
+ * @description Writing 'if (a+b>c) a=c-b' incorrectly implements
+ *              'a = min(a,c-b)' if 'a+b' overflows. This integer
+ *              overflow is the root cause of the buffer overflow
+ *              in the SHA-3 reference implementation (CVE-2022-37454).
+ * @kind problem
+ * @problem.severity warning
+ * @id cpp/if-statement-addition-overflow
+ * @tags: experimental
+ *        correctness
+ *        security
+ *        external/cwe/cwe-190
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.valuenumbering.HashCons
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.controlflow.Guards
+
+from
+  GuardCondition guard, Expr expr, ExprStmt exprstmt, BasicBlock block, AssignExpr assignexpr,
+  AddExpr addexpr, SubExpr subexpr
+where
+  (guard.ensuresLt(expr, addexpr, 0, block, _) or guard.ensuresLt(addexpr, expr, 0, block, _)) and
+  addexpr.getUnspecifiedType() instanceof IntegralType and
+  exprMightOverflowPositively(addexpr) and
+  block.getANode() = exprstmt and
+  exprstmt.getExpr() = assignexpr and
+  assignexpr.getRValue() = subexpr and
+  (
+    hashCons(addexpr.getLeftOperand()) = hashCons(assignexpr.getLValue()) and
+    globalValueNumber(addexpr.getRightOperand()) = globalValueNumber(subexpr.getRightOperand())
+    or
+    hashCons(addexpr.getRightOperand()) = hashCons(assignexpr.getLValue()) and
+    globalValueNumber(addexpr.getLeftOperand()) = globalValueNumber(subexpr.getRightOperand())
+  ) and
+  globalValueNumber(expr) = globalValueNumber(subexpr.getLeftOperand())
+select guard,
+  "\"if (a+b>c) a=c-b\" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as \"if (a>c-b) a=c-b\" which avoids the overflow.",
+  addexpr, "addition"

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql

@@ -14,7 +14,7 @@ import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysi
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.DataFlow
-import PointerArithmeticToDerefFlow::PathGraph
+import FieldAddressToDerefFlow::PathGraph
 
 pragma[nomagic]
 Instruction getABoundIn(SemBound b, IRFunction func) {
@@ -42,21 +42,6 @@ bindingset[b]
 pragma[inline_late]
 predicate bounded2(Instruction i, Instruction b, int delta) { boundedImpl(i, b, delta) }
 
-module FieldAddressToPointerArithmeticConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { isFieldAddressSource(_, source) }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(PointerAddInstruction pai | pai.getLeft() = sink.asInstruction())
-  }
-}
-
-module FieldAddressToPointerArithmeticFlow =
-  DataFlow::Global<FieldAddressToPointerArithmeticConfig>;
-
-predicate isFieldAddressSource(Field f, DataFlow::Node source) {
-  source.asInstruction().(FieldAddressInstruction).getField() = f
-}
-
 bindingset[delta]
 predicate isInvalidPointerDerefSinkImpl(
   int delta, Instruction i, AddressOperand addr, string operation
@@ -93,38 +78,96 @@ predicate isInvalidPointerDerefSink2(DataFlow::Node sink, Instruction i, string
   )
 }
 
-predicate isConstantSizeOverflowSource(Field f, PointerAddInstruction pai, int delta) {
-  exists(int size, int bound, DataFlow::Node source, DataFlow::InstructionNode sink |
-    FieldAddressToPointerArithmeticFlow::flow(source, sink) and
-    isFieldAddressSource(f, source) and
-    pai.getLeft() = sink.asInstruction() and
-    f.getUnspecifiedType().(ArrayType).getArraySize() = size and
-    semBounded(getSemanticExpr(pai.getRight()), any(SemZeroBound b), bound, true, _) and
-    delta = bound - size and
-    delta >= 0 and
-    size != 0 and
-    size != 1
-  )
+pragma[nomagic]
+predicate arrayTypeHasSizes(ArrayType arr, int baseTypeSize, int arraySize) {
+  arr.getBaseType().getSize() = baseTypeSize and
+  arr.getArraySize() = arraySize
+}
+
+predicate pointerArithOverflow0(
+  PointerArithmeticInstruction pai, Field f, int size, int bound, int delta
+) {
+  not f.getNamespace() instanceof StdNamespace and
+  arrayTypeHasSizes(f.getUnspecifiedType(), pai.getElementSize(), size) and
+  semBounded(getSemanticExpr(pai.getRight()), any(SemZeroBound b), bound, true, _) and
+  delta = bound - size and
+  delta >= 0 and
+  size != 0 and
+  size != 1
 }
 
 module PointerArithmeticToDerefConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    isConstantSizeOverflowSource(_, source.asInstruction(), _)
+    pointerArithOverflow0(source.asInstruction(), _, _, _, _)
   }
 
-  pragma[inline]
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
+
   predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink1(sink, _, _) }
 }
 
 module PointerArithmeticToDerefFlow = DataFlow::Global<PointerArithmeticToDerefConfig>;
 
+predicate pointerArithOverflow(
+  PointerArithmeticInstruction pai, Field f, int size, int bound, int delta
+) {
+  pointerArithOverflow0(pai, f, size, bound, delta) and
+  PointerArithmeticToDerefFlow::flow(DataFlow::instructionNode(pai), _)
+}
+
+module FieldAddressToDerefConfig implements DataFlow::StateConfigSig {
+  newtype FlowState =
+    additional TArray(Field f) { pointerArithOverflow(_, f, _, _, _) } or
+    additional TOverflowArithmetic(PointerArithmeticInstruction pai) {
+      pointerArithOverflow(pai, _, _, _, _)
+    }
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    exists(Field f |
+      source.asInstruction().(FieldAddressInstruction).getField() = f and
+      state = TArray(f)
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    exists(DataFlow::Node pai |
+      state = TOverflowArithmetic(pai.asInstruction()) and
+      PointerArithmeticToDerefFlow::flow(pai, sink)
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }
+
+  predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
+  ) {
+    exists(PointerArithmeticInstruction pai, Field f |
+      state1 = TArray(f) and
+      state2 = TOverflowArithmetic(pai) and
+      pai.getLeft() = node1.asInstruction() and
+      node2.asInstruction() = pai and
+      pointerArithOverflow(pai, f, _, _, _)
+    )
+  }
+}
+
+module FieldAddressToDerefFlow = DataFlow::GlobalWithState<FieldAddressToDerefConfig>;
+
 from
-  Field f, PointerArithmeticToDerefFlow::PathNode source,
-  PointerArithmeticToDerefFlow::PathNode sink, Instruction deref, string operation, int delta
+  Field f, FieldAddressToDerefFlow::PathNode source, PointerArithmeticInstruction pai,
+  FieldAddressToDerefFlow::PathNode sink, Instruction deref, string operation, int delta
 where
-  PointerArithmeticToDerefFlow::flowPath(source, sink) and
+  FieldAddressToDerefFlow::flowPath(source, sink) and
   isInvalidPointerDerefSink2(sink.getNode(), deref, operation) and
-  isConstantSizeOverflowSource(f, source.getNode().asInstruction(), delta)
-select source, source, sink,
+  source.getState() = FieldAddressToDerefConfig::TArray(f) and
+  sink.getState() = FieldAddressToDerefConfig::TOverflowArithmetic(pai) and
+  pointerArithOverflow(pai, f, _, _, delta)
+select pai, source, sink,
   "This pointer arithmetic may have an off-by-" + (delta + 1) +
     " error allowing it to overrun $@ at this $@.", f, f.getName(), deref, operation

cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql

@@ -16,7 +16,7 @@
  */
 
 import cpp
-import experimental.semmle.code.cpp.dataflow.ProductFlow
+import semmle.code.cpp.ir.dataflow.internal.ProductFlow
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysis
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
 import semmle.code.cpp.ir.IR
@@ -81,8 +81,8 @@ predicate hasSize(HeuristicAllocationExpr alloc, DataFlow::Node n, int state) {
  * ```
  *
  * We do this by splitting the task up into two configurations:
- * 1. `AllocToInvalidPointerConf` find flow from `malloc(size)` to `begin + size`, and
- * 2. `InvalidPointerToDerefConf` finds flow from `begin + size` to an `end` (on line 3).
+ * 1. `AllocToInvalidPointerConfig` find flow from `malloc(size)` to `begin + size`, and
+ * 2. `InvalidPointerToDerefConfig` finds flow from `begin + size` to an `end` (on line 3).
  *
  * Finally, the range-analysis library will find a load from (or store to) an address that
  * is non-strictly upper-bounded by `end` (which in this case is `*p`).
@@ -180,14 +180,33 @@ predicate isSinkImpl(
 }
 
 /**
- * Holds if `sink` is a sink for `InvalidPointerToDerefConf` and `i` is a `StoreInstruction` that
+ * Yields any instruction that is control-flow reachable from `instr`.
+ */
+bindingset[instr, result]
+pragma[inline_late]
+Instruction getASuccessor(Instruction instr) {
+  exists(IRBlock b, int instrIndex, int resultIndex |
+    result.getBlock() = b and
+    instr.getBlock() = b and
+    b.getInstruction(instrIndex) = instr and
+    b.getInstruction(resultIndex) = result
+  |
+    resultIndex >= instrIndex
+  )
+  or
+  instr.getBlock().getASuccessor+() = result.getBlock()
+}
+
+/**
+ * Holds if `sink` is a sink for `InvalidPointerToDerefConfig` and `i` is a `StoreInstruction` that
  * writes to an address that non-strictly upper-bounds `sink`, or `i` is a `LoadInstruction` that
  * reads from an address that non-strictly upper-bounds `sink`.
  */
 pragma[inline]
-predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string operation) {
-  exists(AddressOperand addr, int delta |
-    bounded1(addr.getDef(), sink.asInstruction(), delta) and
+predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string operation, int delta) {
+  exists(AddressOperand addr, Instruction s |
+    s = sink.asInstruction() and
+    bounded1(addr.getDef(), s, delta) and
     delta >= 0 and
     i.getAnOperand() = addr
   |
@@ -201,13 +220,13 @@ predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string o
 
 /**
  * A configuration to track flow from a pointer-arithmetic operation found
- * by `AllocToInvalidPointerConf` to a dereference of the pointer.
+ * by `AllocToInvalidPointerConfig` to a dereference of the pointer.
  */
 module InvalidPointerToDerefConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { invalidPointerToDerefSource(_, source, _) }
 
   pragma[inline]
-  predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }
+  predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _, _) }
 
   predicate isBarrier(DataFlow::Node node) {
     node = any(DataFlow::SsaPhiNode phi | not phi.isPhiRead()).getAnInput(true)
@@ -237,17 +256,18 @@ predicate invalidPointerToDerefSource(
 }
 
 newtype TMergedPathNode =
-  // The path nodes computed by the first projection of `AllocToInvalidPointerConf`
+  // The path nodes computed by the first projection of `AllocToInvalidPointerConfig`
   TPathNode1(AllocToInvalidPointerFlow::PathNode1 p) or
-  // The path nodes computed by `InvalidPointerToDerefConf`
+  // The path nodes computed by `InvalidPointerToDerefConfig`
   TPathNode3(InvalidPointerToDerefFlow::PathNode p) or
-  // The read/write that uses the invalid pointer identified by `InvalidPointerToDerefConf`.
-  // This one is needed because the sink identified by `InvalidPointerToDerefConf` is the
+  // The read/write that uses the invalid pointer identified by `InvalidPointerToDerefConfig`.
+  // This one is needed because the sink identified by `InvalidPointerToDerefConfig` is the
   // pointer, but we want to raise an alert at the dereference.
   TPathNodeSink(Instruction i) {
     exists(DataFlow::Node n |
       InvalidPointerToDerefFlow::flowTo(n) and
-      isInvalidPointerDerefSink(n, i, _)
+      isInvalidPointerDerefSink(n, i, _, _) and
+      i = getASuccessor(n.asInstruction())
     )
   }
 
@@ -321,7 +341,15 @@ query predicate edges(MergedPathNode node1, MergedPathNode node2) {
   or
   node1.asPathNode3().getASuccessor() = node2.asPathNode3()
   or
-  joinOn2(node1.asPathNode3(), node2.asSinkNode(), _)
+  joinOn2(node1.asPathNode3(), node2.asSinkNode(), _, _)
+}
+
+query predicate nodes(MergedPathNode n, string key, string val) {
+  AllocToInvalidPointerFlow::PathGraph1::nodes(n.asPathNode1(), key, val)
+  or
+  InvalidPointerToDerefFlow::PathGraph::nodes(n.asPathNode3(), key, val)
+  or
+  key = "semmle.label" and val = n.asSinkNode().toString()
 }
 
 query predicate subpaths(
@@ -335,8 +363,8 @@ query predicate subpaths(
 }
 
 /**
- * Holds if `p1` is a sink of `AllocToInvalidPointerConf` and `p2` is a source
- * of `InvalidPointerToDerefConf`, and they are connected through `pai`.
+ * Holds if `p1` is a sink of `AllocToInvalidPointerConfig` and `p2` is a source
+ * of `InvalidPointerToDerefConfig`, and they are connected through `pai`.
  */
 predicate joinOn1(
   PointerArithmeticInstruction pai, AllocToInvalidPointerFlow::PathNode1 p1,
@@ -347,34 +375,38 @@ predicate joinOn1(
 }
 
 /**
- * Holds if `p1` is a sink of `InvalidPointerToDerefConf` and `i` is the instruction
+ * Holds if `p1` is a sink of `InvalidPointerToDerefConfig` and `i` is the instruction
  * that dereferences `p1`. The string `operation` describes whether the `i` is
  * a `StoreInstruction` or `LoadInstruction`.
  */
 pragma[inline]
-predicate joinOn2(InvalidPointerToDerefFlow::PathNode p1, Instruction i, string operation) {
-  isInvalidPointerDerefSink(p1.getNode(), i, operation)
+predicate joinOn2(InvalidPointerToDerefFlow::PathNode p1, Instruction i, string operation, int delta) {
+  isInvalidPointerDerefSink(p1.getNode(), i, operation, delta)
 }
 
 predicate hasFlowPath(
   MergedPathNode source1, MergedPathNode sink, InvalidPointerToDerefFlow::PathNode source3,
-  PointerArithmeticInstruction pai, string operation
+  PointerArithmeticInstruction pai, string operation, int delta
 ) {
   exists(InvalidPointerToDerefFlow::PathNode sink3, AllocToInvalidPointerFlow::PathNode1 sink1 |
     AllocToInvalidPointerFlow::flowPath(source1.asPathNode1(), _, sink1, _) and
     joinOn1(pai, sink1, source3) and
     InvalidPointerToDerefFlow::flowPath(source3, sink3) and
-    joinOn2(sink3, sink.asSinkNode(), operation)
+    joinOn2(sink3, sink.asSinkNode(), operation, delta)
   )
 }
 
 from
-  MergedPathNode source, MergedPathNode sink, int k, string kstr,
-  InvalidPointerToDerefFlow::PathNode source3, PointerArithmeticInstruction pai, string operation,
-  Expr offset, DataFlow::Node n
+  MergedPathNode source, MergedPathNode sink, int k, string kstr, PointerArithmeticInstruction pai,
+  string operation, Expr offset, DataFlow::Node n
 where
-  hasFlowPath(source, sink, source3, pai, operation) and
-  invalidPointerToDerefSource(pai, source3.getNode(), k) and
+  k =
+    min(int k2, int k3, InvalidPointerToDerefFlow::PathNode source3 |
+      hasFlowPath(source, sink, source3, pai, operation, k3) and
+      invalidPointerToDerefSource(pai, source3.getNode(), k2)
+    |
+      k2 + k3
+    ) and
   offset = pai.getRight().getUnconvertedResultExpression() and
   n = source.asPathNode1().getNode() and
   if k = 0 then kstr = "" else kstr = " + " + k

cpp/ql/src/external/CodeDuplication.qll

@@ -1,373 +0,0 @@
-/** Provides classes for detecting duplicate or similar code. */
-
-import cpp
-
-deprecated private newtype TDuplicationOrSimilarity = MKDuplicationOrSimilarity()
-
-/**
- * DEPRECATED: This class is no longer used.
- *
- * A token block used for detection of duplicate and similar code.
- */
-deprecated class Copy extends TDuplicationOrSimilarity {
-  /** Gets the index of the token in this block starting at the location `loc`, if any. */
-  int tokenStartingAt(Location loc) { none() }
-
-  /** Gets the index of the token in this block ending at the location `loc`, if any. */
-  int tokenEndingAt(Location loc) { none() }
-
-  /** Gets the line on which the first token in this block starts. */
-  int sourceStartLine() { none() }
-
-  /** Gets the column on which the first token in this block starts. */
-  int sourceStartColumn() { none() }
-
-  /** Gets the line on which the last token in this block ends. */
-  int sourceEndLine() { none() }
-
-  /** Gets the column on which the last token in this block ends. */
-  int sourceEndColumn() { none() }
-
-  /** Gets the number of lines containing at least (part of) one token in this block. */
-  int sourceLines() { result = this.sourceEndLine() + 1 - this.sourceStartLine() }
-
-  /** Gets an opaque identifier for the equivalence class of this block. */
-  int getEquivalenceClass() { none() }
-
-  /** Gets the source file in which this block appears. */
-  File sourceFile() { none() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    this.sourceFile().getAbsolutePath() = filepath and
-    startline = this.sourceStartLine() and
-    startcolumn = this.sourceStartColumn() and
-    endline = this.sourceEndLine() and
-    endcolumn = this.sourceEndColumn()
-  }
-
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-}
-
-/**
- * DEPRECATED: This class is no longer used.
- *
- * A block of duplicated code.
- */
-deprecated class DuplicateBlock extends Copy {
-  override string toString() {
-    result = "Duplicate code: " + this.sourceLines() + " duplicated lines."
-  }
-}
-
-/**
- * DEPRECATED: This class is no longer used.
- *
- * A block of similar code.
- */
-deprecated class SimilarBlock extends Copy {
-  override string toString() {
-    result = "Similar code: " + this.sourceLines() + " almost duplicated lines."
-  }
-}
-
-/**
- * DEPRECATED: The `CodeDuplication` library will be removed in a future release.
- *
- * Gets a function with a body and a location.
- */
-deprecated FunctionDeclarationEntry sourceMethod() {
-  result.isDefinition() and
-  exists(result.getLocation()) and
-  numlines(unresolveElement(result.getFunction()), _, _, _)
-}
-
-/**
- * DEPRECATED: The `CodeDuplication` library will be removed in a future release.
- *
- * Gets the number of member functions in `c` with a body and a location.
- */
-deprecated int numberOfSourceMethods(Class c) {
-  result =
-    count(FunctionDeclarationEntry m |
-      m = sourceMethod() and
-      m.getFunction().getDeclaringType() = c
-    )
-}
-
-deprecated private predicate blockCoversStatement(int equivClass, int first, int last, Stmt stmt) {
-  exists(DuplicateBlock b, Location loc |
-    stmt.getLocation() = loc and
-    first = b.tokenStartingAt(loc) and
-    last = b.tokenEndingAt(loc) and
-    b.getEquivalenceClass() = equivClass
-  )
-}
-
-deprecated private Stmt statementInMethod(FunctionDeclarationEntry m) {
-  result.getParent+() = m.getBlock() and
-  not result.getLocation() instanceof UnknownStmtLocation and
-  not result instanceof BlockStmt
-}
-
-deprecated private predicate duplicateStatement(
-  FunctionDeclarationEntry m1, FunctionDeclarationEntry m2, Stmt s1, Stmt s2
-) {
-  exists(int equivClass, int first, int last |
-    s1 = statementInMethod(m1) and
-    s2 = statementInMethod(m2) and
-    blockCoversStatement(equivClass, first, last, s1) and
-    blockCoversStatement(equivClass, first, last, s2) and
-    s1 != s2 and
-    m1 != m2
-  )
-}
-
-/**
- * DEPRECATED: Information on duplicated statements is no longer available.
- *
- * Holds if `m1` is a function with `total` lines, and `m2` is a function
- * that has `duplicate` lines in common with `m1`.
- */
-deprecated predicate duplicateStatements(
-  FunctionDeclarationEntry m1, FunctionDeclarationEntry m2, int duplicate, int total
-) {
-  duplicate = strictcount(Stmt s | duplicateStatement(m1, m2, s, _)) and
-  total = strictcount(statementInMethod(m1))
-}
-
-/**
- * DEPRECATED: Information on duplicated methods is no longer available.
- *
- *  Holds if `m` and other are identical functions.
- */
-deprecated predicate duplicateMethod(FunctionDeclarationEntry m, FunctionDeclarationEntry other) {
-  exists(int total | duplicateStatements(m, other, total, total))
-}
-
-/**
- * DEPRECATED: Information on similar lines is no longer available.
- *
- * INTERNAL: do not use.
- *
- * Holds if `line` in `f` is similar to a line somewhere else.
- */
-deprecated predicate similarLines(File f, int line) {
-  exists(SimilarBlock b | b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()])
-}
-
-deprecated private predicate similarLinesPerEquivalenceClass(int equivClass, int lines, File f) {
-  lines =
-    strictsum(SimilarBlock b, int toSum |
-      (b.sourceFile() = f and b.getEquivalenceClass() = equivClass) and
-      toSum = b.sourceLines()
-    |
-      toSum
-    )
-}
-
-deprecated private predicate similarLinesCoveredFiles(File f, File otherFile) {
-  exists(int numLines | numLines = f.getMetrics().getNumberOfLines() |
-    exists(int coveredApprox |
-      coveredApprox =
-        strictsum(int num |
-          exists(int equivClass |
-            similarLinesPerEquivalenceClass(equivClass, num, f) and
-            similarLinesPerEquivalenceClass(equivClass, num, otherFile) and
-            f != otherFile
-          )
-        ) and
-      (coveredApprox * 100) / numLines > 75
-    )
-  )
-}
-
-/**
- * DEPRECATED: Information on similar lines is no longer available.
- *
- * Holds if `coveredLines` lines of `f` are similar to lines in `otherFile`.
- */
-deprecated predicate similarLinesCovered(File f, int coveredLines, File otherFile) {
-  exists(int numLines | numLines = f.getMetrics().getNumberOfLines() |
-    similarLinesCoveredFiles(f, otherFile) and
-    exists(int notCovered |
-      notCovered =
-        count(int j |
-          j in [1 .. numLines] and
-          not similarLines(f, j)
-        ) and
-      coveredLines = numLines - notCovered
-    )
-  )
-}
-
-/**
- * DEPRECATED: Information on duplicate lines is no longer available.
- *
- * INTERNAL: do not use.
- *
- * Holds if `line` in `f` is duplicated by a line somewhere else.
- */
-deprecated predicate duplicateLines(File f, int line) {
-  exists(DuplicateBlock b |
-    b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()]
-  )
-}
-
-deprecated private predicate duplicateLinesPerEquivalenceClass(int equivClass, int lines, File f) {
-  lines =
-    strictsum(DuplicateBlock b, int toSum |
-      (b.sourceFile() = f and b.getEquivalenceClass() = equivClass) and
-      toSum = b.sourceLines()
-    |
-      toSum
-    )
-}
-
-/**
- * DEPRECATED: Information on duplicate lines is no longer available.
- *
- *  Holds if `coveredLines` lines of `f` are duplicates of lines in `otherFile`.
- */
-deprecated predicate duplicateLinesCovered(File f, int coveredLines, File otherFile) {
-  exists(int numLines | numLines = f.getMetrics().getNumberOfLines() |
-    exists(int coveredApprox |
-      coveredApprox =
-        strictsum(int num |
-          exists(int equivClass |
-            duplicateLinesPerEquivalenceClass(equivClass, num, f) and
-            duplicateLinesPerEquivalenceClass(equivClass, num, otherFile) and
-            f != otherFile
-          )
-        ) and
-      (coveredApprox * 100) / numLines > 75
-    ) and
-    exists(int notCovered |
-      notCovered =
-        count(int j |
-          j in [1 .. numLines] and
-          not duplicateLines(f, j)
-        ) and
-      coveredLines = numLines - notCovered
-    )
-  )
-}
-
-/**
- * DEPRECATED: Information on similar files is no longer available.
- *
- * Holds if most of `f` (`percent`%) is similar to `other`.
- */
-deprecated predicate similarFiles(File f, File other, int percent) {
-  exists(int covered, int total |
-    similarLinesCovered(f, covered, other) and
-    total = f.getMetrics().getNumberOfLines() and
-    covered * 100 / total = percent and
-    percent > 80
-  ) and
-  not duplicateFiles(f, other, _)
-}
-
-/**
- * DEPRECATED: Information on duplicate files is no longer available.
- *
- *  Holds if most of `f` (`percent`%) is duplicated by `other`.
- */
-deprecated predicate duplicateFiles(File f, File other, int percent) {
-  exists(int covered, int total |
-    duplicateLinesCovered(f, covered, other) and
-    total = f.getMetrics().getNumberOfLines() and
-    covered * 100 / total = percent and
-    percent > 70
-  )
-}
-
-/**
- * DEPRECATED: Information on duplicate classes is no longer available.
- *
- * Holds if most member functions of `c` (`numDup` out of `total`) are
- * duplicates of member functions in `other`.
- */
-deprecated predicate mostlyDuplicateClassBase(Class c, Class other, int numDup, int total) {
-  numDup =
-    strictcount(FunctionDeclarationEntry m1 |
-      exists(FunctionDeclarationEntry m2 |
-        duplicateMethod(m1, m2) and
-        m1 = sourceMethod() and
-        exists(Function f | f = m1.getFunction() and f.getDeclaringType() = c) and
-        exists(Function f | f = m2.getFunction() and f.getDeclaringType() = other) and
-        c != other
-      )
-    ) and
-  total = numberOfSourceMethods(c) and
-  (numDup * 100) / total > 80
-}
-
-/**
- * DEPRECATED: Information on duplicate classes is no longer available.
- *
- * Holds if most member functions of `c` are duplicates of member functions in
- * `other`. Provides the human-readable `message` to describe the amount of
- * duplication.
- */
-deprecated predicate mostlyDuplicateClass(Class c, Class other, string message) {
-  exists(int numDup, int total |
-    mostlyDuplicateClassBase(c, other, numDup, total) and
-    (
-      total != numDup and
-      exists(string s1, string s2, string s3, string name |
-        s1 = " out of " and
-        s2 = " methods in " and
-        s3 = " are duplicated in $@." and
-        name = c.getName()
-      |
-        message = numDup + s1 + total + s2 + name + s3
-      )
-      or
-      total = numDup and
-      exists(string s1, string s2, string name |
-        s1 = "All methods in " and s2 = " are identical in $@." and name = c.getName()
-      |
-        message = s1 + name + s2
-      )
-    )
-  )
-}
-
-/**
- * DEPRECATED: Information on file duplication is no longer available.
- *
- * Holds if `f` and `other` are similar or duplicates.
- */
-deprecated predicate fileLevelDuplication(File f, File other) {
-  similarFiles(f, other, _) or duplicateFiles(f, other, _)
-}
-
-/**
- * DEPRECATED: Information on class duplication is no longer available.
- *
- * Holds if most member functions of `c` are duplicates of member functions in
- * `other`.
- */
-deprecated predicate classLevelDuplication(Class c, Class other) {
-  mostlyDuplicateClass(c, other, _)
-}
-
-/**
- * DEPRECATED: The CodeDuplication library will be removed in a future release.
- *
- * Holds if `line` in `f` should be allowed to be duplicated. This is the case
- * for `#include` directives.
- */
-deprecated predicate whitelistedLineForDuplication(File f, int line) {
-  exists(Include i | i.getFile() = f and i.getLocation().getStartLine() = line)
-}

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.6.2
+version: 0.6.4
 groups: 
   - cpp
   - queries

cpp/ql/test/TestUtilities/dataflow/FlowTestCommon.qll

@@ -16,18 +16,16 @@ private import semmle.code.cpp.ir.dataflow.DataFlow::DataFlow as IRDataFlow
 private import semmle.code.cpp.dataflow.DataFlow::DataFlow as AstDataFlow
 import TestUtilities.InlineExpectationsTest
 
-class IRFlowTest extends InlineExpectationsTest {
-  IRFlowTest() { this = "IRFlowTest" }
+module IRFlowTest<IRDataFlow::GlobalFlowSig Flow> implements TestSig {
+  string getARelevantTag() { result = "ir" }
 
-  override string getARelevantTag() { result = "ir" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(IRDataFlow::Node source, IRDataFlow::Node sink, IRDataFlow::Configuration conf, int n |
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(IRDataFlow::Node source, IRDataFlow::Node sink, int n |
       tag = "ir" and
-      conf.hasFlow(source, sink) and
+      Flow::flow(source, sink) and
       n =
         strictcount(int line, int column |
-          conf.hasFlow(any(IRDataFlow::Node otherSource |
+          Flow::flow(any(IRDataFlow::Node otherSource |
               otherSource.hasLocationInfo(_, line, column, _, _)
             ), sink)
         ) and
@@ -47,20 +45,16 @@ class IRFlowTest extends InlineExpectationsTest {
   }
 }
 
-class AstFlowTest extends InlineExpectationsTest {
-  AstFlowTest() { this = "ASTFlowTest" }
+module AstFlowTest<AstDataFlow::GlobalFlowSig Flow> implements TestSig {
+  string getARelevantTag() { result = "ast" }
 
-  override string getARelevantTag() { result = "ast" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(
-      AstDataFlow::Node source, AstDataFlow::Node sink, AstDataFlow::Configuration conf, int n
-    |
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(AstDataFlow::Node source, AstDataFlow::Node sink, int n |
       tag = "ast" and
-      conf.hasFlow(source, sink) and
+      Flow::flow(source, sink) and
       n =
         strictcount(int line, int column |
-          conf.hasFlow(any(AstDataFlow::Node otherSource |
+          Flow::flow(any(AstDataFlow::Node otherSource |
               otherSource.hasLocationInfo(_, line, column, _, _)
             ), sink)
         ) and
@@ -79,6 +73,3 @@ class AstFlowTest extends InlineExpectationsTest {
     )
   }
 }
-
-/** DEPRECATED: Alias for AstFlowTest */
-deprecated class ASTFlowTest = AstFlowTest;

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.qlref

@@ -1 +0,0 @@
-experimental/Likely Bugs/OverrunWriteProductFlow.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.expected

@@ -0,0 +1,35 @@
+| test.cpp:18:6:18:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:18:6:18:8 | ... + ... | addition |
+| test.cpp:19:6:19:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:19:6:19:8 | ... + ... | addition |
+| test.cpp:20:6:20:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:20:6:20:8 | ... + ... | addition |
+| test.cpp:21:6:21:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:21:6:21:8 | ... + ... | addition |
+| test.cpp:22:6:22:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:22:8:22:10 | ... + ... | addition |
+| test.cpp:23:6:23:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:23:8:23:10 | ... + ... | addition |
+| test.cpp:24:6:24:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:24:8:24:10 | ... + ... | addition |
+| test.cpp:25:6:25:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:25:8:25:10 | ... + ... | addition |
+| test.cpp:27:6:27:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:27:6:27:8 | ... + ... | addition |
+| test.cpp:28:6:28:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:28:6:28:8 | ... + ... | addition |
+| test.cpp:29:6:29:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:29:6:29:8 | ... + ... | addition |
+| test.cpp:30:6:30:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:30:6:30:8 | ... + ... | addition |
+| test.cpp:31:6:31:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:31:9:31:11 | ... + ... | addition |
+| test.cpp:32:6:32:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:32:9:32:11 | ... + ... | addition |
+| test.cpp:33:6:33:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:33:9:33:11 | ... + ... | addition |
+| test.cpp:34:6:34:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:34:9:34:11 | ... + ... | addition |
+| test.cpp:36:6:36:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:36:6:36:8 | ... + ... | addition |
+| test.cpp:37:6:37:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:37:6:37:8 | ... + ... | addition |
+| test.cpp:38:6:38:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:38:6:38:8 | ... + ... | addition |
+| test.cpp:39:6:39:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:39:6:39:8 | ... + ... | addition |
+| test.cpp:40:6:40:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:40:8:40:10 | ... + ... | addition |
+| test.cpp:41:6:41:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:41:8:41:10 | ... + ... | addition |
+| test.cpp:42:6:42:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:42:8:42:10 | ... + ... | addition |
+| test.cpp:43:6:43:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:43:8:43:10 | ... + ... | addition |
+| test.cpp:45:6:45:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:45:6:45:8 | ... + ... | addition |
+| test.cpp:46:6:46:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:46:6:46:8 | ... + ... | addition |
+| test.cpp:47:6:47:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:47:6:47:8 | ... + ... | addition |
+| test.cpp:48:6:48:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:48:6:48:8 | ... + ... | addition |
+| test.cpp:49:6:49:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:49:9:49:11 | ... + ... | addition |
+| test.cpp:50:6:50:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:50:9:50:11 | ... + ... | addition |
+| test.cpp:51:6:51:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:51:9:51:11 | ... + ... | addition |
+| test.cpp:52:6:52:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:52:9:52:11 | ... + ... | addition |
+| test.cpp:54:6:54:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:54:6:54:8 | ... + ... | addition |
+| test.cpp:61:6:61:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:61:6:61:8 | ... + ... | addition |
+| test.cpp:62:6:62:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:62:6:62:8 | ... + ... | addition |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp

@@ -0,0 +1,63 @@
+
+int getAnInt();
+double getADouble();
+unsigned short getAnUnsignedShort();
+
+void test()
+{
+	int a = getAnInt();
+	int b = getAnInt();
+	int c = getAnInt();
+	int x = getAnInt();
+	int y = getAnInt();
+	double d = getADouble();
+	unsigned short a1 = getAnUnsignedShort();
+	unsigned short b1 = getAnUnsignedShort();
+	unsigned short c1 = getAnUnsignedShort();
+
+	if (a+b>c) a = c-b; // BAD
+	if (a+b>c) { a = c-b; } // BAD
+	if (b+a>c) a = c-b; // BAD
+	if (b+a>c) { a = c-b; } // BAD
+	if (c>a+b) a = c-b; // BAD
+	if (c>a+b) { a = c-b; } // BAD
+	if (c>b+a) a = c-b; // BAD
+	if (c>b+a) { a = c-b; } // BAD
+
+	if (a+b>=c) a = c-b; // BAD
+	if (a+b>=c) { a = c-b; } // BAD
+	if (b+a>=c) a = c-b; // BAD
+	if (b+a>=c) { a = c-b; } // BAD
+	if (c>=a+b) a = c-b; // BAD
+	if (c>=a+b) { a = c-b; } // BAD
+	if (c>=b+a) a = c-b; // BAD
+	if (c>=b+a) { a = c-b; } // BAD
+
+	if (a+b<c) a = c-b; // BAD
+	if (a+b<c) { a = c-b; } // BAD
+	if (b+a<c) a = c-b; // BAD
+	if (b+a<c) { a = c-b; } // BAD
+	if (c<a+b) a = c-b; // BAD
+	if (c<a+b) { a = c-b; } // BAD
+	if (c<b+a) a = c-b; // BAD
+	if (c<b+a) { a = c-b; } // BAD
+
+	if (a+b<=c) a = c-b; // BAD
+	if (a+b<=c) { a = c-b; } // BAD
+	if (b+a<=c) a = c-b; // BAD
+	if (b+a<=c) { a = c-b; } // BAD
+	if (c<=a+b) a = c-b; // BAD
+	if (c<=a+b) { a = c-b; } // BAD
+	if (c<=b+a) a = c-b; // BAD
+	if (c<=b+a) { a = c-b; } // BAD
+
+	if (a+b>d) a = d-b; // BAD
+	if (a+(double)b>c) a = c-b; // GOOD
+	if (a+(-x)>c) a = c-(-y); // GOOD
+	if (a+b>c) { b++; a = c-b; } // GOOD
+	if (a+d>c) a = c-d; // GOOD
+	if (a1+b1>c1) a1 = c1-b1; // GOOD
+	
+	if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD
+	if (a+b<=c) { return; } a = c-b; // BAD
+}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected

@@ -1,37 +1,46 @@
 edges
-| test.cpp:66:32:66:32 | p | test.cpp:66:32:66:32 | p |
-| test.cpp:66:32:66:32 | p | test.cpp:67:5:67:6 | * ... |
-| test.cpp:66:32:66:32 | p | test.cpp:67:6:67:6 | p |
+| test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array |
+| test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array |
+| test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array |
+| test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array |
+| test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array |
+| test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array |
+| test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array |
+| test.cpp:70:33:70:33 | p | test.cpp:72:5:72:15 | access to array |
 | test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
-| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
-| test.cpp:77:27:77:44 | access to array | test.cpp:77:26:77:44 | & ... |
+| test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... |
+| test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p |
+| test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf |
 nodes
 | test.cpp:35:5:35:22 | access to array | semmle.label | access to array |
+| test.cpp:35:10:35:12 | buf | semmle.label | buf |
 | test.cpp:36:5:36:24 | access to array | semmle.label | access to array |
+| test.cpp:36:10:36:12 | buf | semmle.label | buf |
 | test.cpp:43:9:43:19 | access to array | semmle.label | access to array |
+| test.cpp:43:14:43:16 | buf | semmle.label | buf |
 | test.cpp:49:5:49:22 | access to array | semmle.label | access to array |
+| test.cpp:49:10:49:12 | buf | semmle.label | buf |
 | test.cpp:50:5:50:24 | access to array | semmle.label | access to array |
+| test.cpp:50:10:50:12 | buf | semmle.label | buf |
 | test.cpp:57:9:57:19 | access to array | semmle.label | access to array |
+| test.cpp:57:14:57:16 | buf | semmle.label | buf |
 | test.cpp:61:9:61:19 | access to array | semmle.label | access to array |
+| test.cpp:61:14:61:16 | buf | semmle.label | buf |
 | test.cpp:66:32:66:32 | p | semmle.label | p |
-| test.cpp:66:32:66:32 | p | semmle.label | p |
-| test.cpp:66:32:66:32 | p | semmle.label | p |
-| test.cpp:67:5:67:6 | * ... | semmle.label | * ... |
-| test.cpp:67:6:67:6 | p | semmle.label | p |
+| test.cpp:70:33:70:33 | p | semmle.label | p |
 | test.cpp:72:5:72:15 | access to array | semmle.label | access to array |
 | test.cpp:77:26:77:44 | & ... | semmle.label | & ... |
-| test.cpp:77:27:77:44 | access to array | semmle.label | access to array |
+| test.cpp:77:32:77:34 | buf | semmle.label | buf |
+| test.cpp:79:27:79:34 | buf | semmle.label | buf |
+| test.cpp:79:32:79:34 | buf | semmle.label | buf |
 subpaths
 #select
-| test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
-| test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
-| test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
-| test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
-| test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
-| test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
-| test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
-| test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
-| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
-| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
-| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:5:67:6 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
-| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:6:67:6 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
+| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
+| test.cpp:36:5:36:24 | PointerAdd: access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
+| test.cpp:43:9:43:19 | PointerAdd: access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
+| test.cpp:49:5:49:22 | PointerAdd: access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
+| test.cpp:50:5:50:24 | PointerAdd: access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
+| test.cpp:57:9:57:19 | PointerAdd: access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
+| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
+| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
+| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp

@@ -78,3 +78,45 @@ void testInterproc(BigArray *arr) {
 
     addToPointerAndAssign(arr->buf);
 }
+
+#define MAX_SIZE_BYTES 4096
+
+void testCharIndex(BigArray *arr) {
+    char *charBuf = (char*) arr->buf;
+
+    charBuf[MAX_SIZE_BYTES - 1] = 0; // GOOD
+    charBuf[MAX_SIZE_BYTES] = 0; // BAD [FALSE NEGATIVE]
+}
+
+void testEqRefinement() {
+    int arr[MAX_SIZE];
+
+    for(int i = 0; i <= MAX_SIZE; i++) {
+        if(i != MAX_SIZE) {
+            arr[i] = 0; // GOOD
+        }
+    }
+}
+
+void testEqRefinement2() {
+    int arr[MAX_SIZE];
+
+    int n = 0;
+
+    for(int i = 0; i <= MAX_SIZE; i++) {
+        if(n == 0) {
+            if(i == MAX_SIZE) {
+                break;
+            }
+            n = arr[i]; // GOOD
+            continue;
+        }
+
+        if (i == MAX_SIZE || n != arr[i]) {
+            if (i == MAX_SIZE) {
+                break;
+            }
+            n = arr[i]; // GOOD
+        }
+    }
+}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected

@@ -653,43 +653,458 @@ edges
 | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:6 | xs |
 | test.cpp:308:5:308:6 | xs | test.cpp:308:5:308:11 | access to array |
 | test.cpp:308:5:308:11 | access to array | test.cpp:308:5:308:29 | Store: ... = ... |
-| test.cpp:313:16:313:29 | new[] | test.cpp:314:17:314:18 | xs |
-| test.cpp:314:17:314:18 | xs | test.cpp:314:17:314:25 | ... + ... |
-| test.cpp:314:17:314:18 | xs | test.cpp:314:17:314:25 | ... + ... |
-| test.cpp:314:17:314:18 | xs | test.cpp:318:13:318:20 | * ... |
-| test.cpp:314:17:314:25 | ... + ... | test.cpp:318:14:318:20 | current |
-| test.cpp:314:17:314:25 | ... + ... | test.cpp:318:14:318:20 | current |
-| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:13:320:20 | * ... |
-| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:13:320:20 | * ... |
-| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:14:320:20 | current |
-| test.cpp:314:17:314:25 | ... + ... | test.cpp:320:14:320:20 | current |
-| test.cpp:318:13:318:20 | * ... | test.cpp:318:14:318:20 | current |
-| test.cpp:318:13:318:20 | * ... | test.cpp:320:13:320:20 | * ... |
-| test.cpp:318:13:318:20 | * ... | test.cpp:320:14:320:20 | current |
-| test.cpp:318:14:318:20 | current | test.cpp:314:17:314:25 | Store: ... + ... |
-| test.cpp:318:14:318:20 | current | test.cpp:318:13:318:20 | Load: * ... |
-| test.cpp:318:14:318:20 | current | test.cpp:320:10:320:21 | Store: -- ... |
-| test.cpp:318:14:318:20 | current | test.cpp:320:12:320:21 | Load: (...) |
-| test.cpp:320:13:320:20 | * ... | test.cpp:314:17:314:25 | Store: ... + ... |
-| test.cpp:320:13:320:20 | * ... | test.cpp:318:13:318:20 | Load: * ... |
-| test.cpp:320:13:320:20 | * ... | test.cpp:320:10:320:21 | Store: -- ... |
-| test.cpp:320:13:320:20 | * ... | test.cpp:320:12:320:21 | Load: (...) |
-| test.cpp:320:14:320:20 | current | test.cpp:314:17:314:25 | Store: ... + ... |
-| test.cpp:320:14:320:20 | current | test.cpp:318:13:318:20 | Load: * ... |
-| test.cpp:320:14:320:20 | current | test.cpp:320:10:320:21 | Store: -- ... |
-| test.cpp:320:14:320:20 | current | test.cpp:320:12:320:21 | Load: (...) |
+| test.cpp:313:14:313:27 | new[] | test.cpp:314:15:314:16 | xs |
+| test.cpp:325:14:325:27 | new[] | test.cpp:326:15:326:16 | xs |
+| test.cpp:326:15:326:16 | xs | test.cpp:326:15:326:23 | ... + ... |
+| test.cpp:326:15:326:16 | xs | test.cpp:326:15:326:23 | ... + ... |
+| test.cpp:326:15:326:16 | xs | test.cpp:338:8:338:15 | * ... |
+| test.cpp:326:15:326:16 | xs | test.cpp:341:8:341:17 | * ... |
+| test.cpp:326:15:326:23 | ... + ... | test.cpp:342:8:342:17 | * ... |
+| test.cpp:326:15:326:23 | ... + ... | test.cpp:342:8:342:17 | * ... |
+| test.cpp:338:8:338:15 | * ... | test.cpp:342:8:342:17 | * ... |
+| test.cpp:341:8:341:17 | * ... | test.cpp:342:8:342:17 | * ... |
+| test.cpp:347:14:347:27 | new[] | test.cpp:348:15:348:16 | xs |
+| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ |
+| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ |
+| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:15:350:19 | Load: * ... |
+| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:16:350:19 | ... ++ |
+| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:16:350:19 | ... ++ |
+| test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:16 | xs |
+| test.cpp:356:15:356:16 | xs | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:357:24:357:26 | end |
+| test.cpp:356:15:356:16 | xs | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:356:15:356:16 | xs | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:356:15:356:16 | xs | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:356:15:356:16 | xs | test.cpp:359:16:359:27 | end_plus_one |
+| test.cpp:356:15:356:16 | xs | test.cpp:359:16:359:31 | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:356:15:356:23 | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:357:24:357:26 | end |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:357:24:357:26 | end |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:26 | end | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:357:24:357:26 | end | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:357:24:357:30 | ... + ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:358:15:358:26 | end_plus_one |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:16:359:27 | end_plus_one |
+| test.cpp:357:24:357:30 | ... + ... | test.cpp:359:16:359:27 | end_plus_one |
+| test.cpp:358:15:358:26 | end_plus_one | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:358:15:358:26 | end_plus_one | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:358:15:358:26 | end_plus_one | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:358:15:358:26 | end_plus_one | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:358:15:358:26 | end_plus_one | test.cpp:359:16:359:27 | end_plus_one |
+| test.cpp:359:16:359:27 | end_plus_one | test.cpp:358:14:358:26 | Load: * ... |
+| test.cpp:359:16:359:27 | end_plus_one | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:359:16:359:31 | ... + ... | test.cpp:359:14:359:32 | Load: * ... |
+| test.cpp:363:14:363:27 | new[] | test.cpp:365:15:365:15 | p |
+| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... |
+| test.cpp:365:15:365:15 | p | test.cpp:368:5:368:10 | ... += ... |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:371:7:371:7 | p |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p |
+| test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p |
+| test.cpp:371:7:371:7 | p | test.cpp:372:15:372:16 | Load: * ... |
+| test.cpp:372:16:372:16 | p | test.cpp:372:15:372:16 | Load: * ... |
+| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:16 | xs |
+| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:7 | end |
+| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:9 | ... ++ |
+| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:9 | ... ++ |
+| test.cpp:378:15:378:16 | xs | test.cpp:384:14:384:16 | end |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:381:5:381:7 | end |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:381:5:381:7 | end |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:14:384:16 | end |
+| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:14:384:16 | end |
+| test.cpp:381:5:381:7 | end | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
+| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
+| test.cpp:384:14:384:16 | end | test.cpp:384:13:384:16 | Load: * ... |
+nodes
+| test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:5:15:5:15 | p | semmle.label | p |
+| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:6:14:6:15 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:6:15:6:15 | q | semmle.label | q |
+| test.cpp:6:15:6:15 | q | semmle.label | q |
+| test.cpp:7:16:7:16 | q | semmle.label | q |
+| test.cpp:7:16:7:16 | q | semmle.label | q |
+| test.cpp:8:14:8:21 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:8:16:8:16 | q | semmle.label | q |
+| test.cpp:8:16:8:16 | q | semmle.label | q |
+| test.cpp:8:16:8:20 | ... + ... | semmle.label | ... + ... |
+| test.cpp:9:16:9:16 | q | semmle.label | q |
+| test.cpp:9:16:9:16 | q | semmle.label | q |
+| test.cpp:10:16:10:16 | q | semmle.label | q |
+| test.cpp:10:16:10:16 | q | semmle.label | q |
+| test.cpp:11:16:11:16 | q | semmle.label | q |
+| test.cpp:11:16:11:16 | q | semmle.label | q |
+| test.cpp:12:16:12:16 | q | semmle.label | q |
+| test.cpp:16:15:16:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:17:15:17:15 | p | semmle.label | p |
+| test.cpp:17:15:17:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:20:14:20:21 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:20:16:20:20 | ... + ... | semmle.label | ... + ... |
+| test.cpp:28:15:28:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:29:15:29:15 | p | semmle.label | p |
+| test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:30:14:30:15 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:30:15:30:15 | q | semmle.label | q |
+| test.cpp:30:15:30:15 | q | semmle.label | q |
+| test.cpp:31:16:31:16 | q | semmle.label | q |
+| test.cpp:31:16:31:16 | q | semmle.label | q |
+| test.cpp:32:14:32:21 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:32:16:32:16 | q | semmle.label | q |
+| test.cpp:32:16:32:16 | q | semmle.label | q |
+| test.cpp:32:16:32:20 | ... + ... | semmle.label | ... + ... |
+| test.cpp:33:16:33:16 | q | semmle.label | q |
+| test.cpp:33:16:33:16 | q | semmle.label | q |
+| test.cpp:34:16:34:16 | q | semmle.label | q |
+| test.cpp:34:16:34:16 | q | semmle.label | q |
+| test.cpp:35:16:35:16 | q | semmle.label | q |
+| test.cpp:35:16:35:16 | q | semmle.label | q |
+| test.cpp:36:16:36:16 | q | semmle.label | q |
+| test.cpp:40:15:40:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:41:15:41:15 | p | semmle.label | p |
+| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:41:15:41:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:42:14:42:15 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:42:15:42:15 | q | semmle.label | q |
+| test.cpp:42:15:42:15 | q | semmle.label | q |
+| test.cpp:43:16:43:16 | q | semmle.label | q |
+| test.cpp:43:16:43:16 | q | semmle.label | q |
+| test.cpp:44:14:44:21 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:44:16:44:16 | q | semmle.label | q |
+| test.cpp:44:16:44:16 | q | semmle.label | q |
+| test.cpp:44:16:44:20 | ... + ... | semmle.label | ... + ... |
+| test.cpp:45:16:45:16 | q | semmle.label | q |
+| test.cpp:45:16:45:16 | q | semmle.label | q |
+| test.cpp:46:16:46:16 | q | semmle.label | q |
+| test.cpp:46:16:46:16 | q | semmle.label | q |
+| test.cpp:47:16:47:16 | q | semmle.label | q |
+| test.cpp:47:16:47:16 | q | semmle.label | q |
+| test.cpp:48:16:48:16 | q | semmle.label | q |
+| test.cpp:51:7:51:14 | mk_array indirection | semmle.label | mk_array indirection |
+| test.cpp:51:33:51:35 | end | semmle.label | end |
+| test.cpp:52:19:52:24 | call to malloc | semmle.label | call to malloc |
+| test.cpp:53:5:53:23 | ... = ... | semmle.label | ... = ... |
+| test.cpp:53:12:53:16 | begin | semmle.label | begin |
+| test.cpp:53:12:53:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:60:19:60:26 | call to mk_array | semmle.label | call to mk_array |
+| test.cpp:60:34:60:37 | mk_array output argument | semmle.label | mk_array output argument |
+| test.cpp:62:32:62:34 | end | semmle.label | end |
+| test.cpp:62:39:62:39 | p | semmle.label | p |
+| test.cpp:66:32:66:34 | end | semmle.label | end |
+| test.cpp:66:39:66:39 | p | semmle.label | p |
+| test.cpp:67:9:67:14 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:70:31:70:33 | end | semmle.label | end |
+| test.cpp:70:38:70:38 | p | semmle.label | p |
+| test.cpp:80:9:80:16 | mk_array indirection [begin] | semmle.label | mk_array indirection [begin] |
+| test.cpp:80:9:80:16 | mk_array indirection [end] | semmle.label | mk_array indirection [end] |
+| test.cpp:82:5:82:28 | ... = ... | semmle.label | ... = ... |
+| test.cpp:82:9:82:13 | arr indirection [post update] [begin] | semmle.label | arr indirection [post update] [begin] |
+| test.cpp:82:17:82:22 | call to malloc | semmle.label | call to malloc |
+| test.cpp:83:5:83:30 | ... = ... | semmle.label | ... = ... |
+| test.cpp:83:9:83:11 | arr indirection [post update] [end] | semmle.label | arr indirection [post update] [end] |
+| test.cpp:83:15:83:17 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:83:15:83:30 | ... + ... | semmle.label | ... + ... |
+| test.cpp:83:19:83:23 | begin | semmle.label | begin |
+| test.cpp:83:19:83:23 | begin indirection | semmle.label | begin indirection |
+| test.cpp:89:19:89:26 | call to mk_array [begin] | semmle.label | call to mk_array [begin] |
+| test.cpp:89:19:89:26 | call to mk_array [end] | semmle.label | call to mk_array [end] |
+| test.cpp:91:20:91:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:91:24:91:28 | begin | semmle.label | begin |
+| test.cpp:91:24:91:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:91:36:91:38 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:91:40:91:42 | end | semmle.label | end |
+| test.cpp:91:40:91:42 | end indirection | semmle.label | end indirection |
+| test.cpp:91:47:91:47 | p | semmle.label | p |
+| test.cpp:95:20:95:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:95:24:95:28 | begin | semmle.label | begin |
+| test.cpp:95:24:95:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:95:36:95:38 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:95:40:95:42 | end | semmle.label | end |
+| test.cpp:95:40:95:42 | end indirection | semmle.label | end indirection |
+| test.cpp:95:47:95:47 | p | semmle.label | p |
+| test.cpp:96:9:96:14 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:99:20:99:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:99:24:99:28 | begin | semmle.label | begin |
+| test.cpp:99:24:99:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:99:35:99:37 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:99:39:99:41 | end | semmle.label | end |
+| test.cpp:99:39:99:41 | end indirection | semmle.label | end indirection |
+| test.cpp:99:46:99:46 | p | semmle.label | p |
+| test.cpp:104:27:104:29 | arr [begin] | semmle.label | arr [begin] |
+| test.cpp:104:27:104:29 | arr [end] | semmle.label | arr [end] |
+| test.cpp:105:20:105:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:105:24:105:28 | begin | semmle.label | begin |
+| test.cpp:105:24:105:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:105:36:105:38 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:105:40:105:42 | end | semmle.label | end |
+| test.cpp:105:40:105:42 | end indirection | semmle.label | end indirection |
+| test.cpp:105:47:105:47 | p | semmle.label | p |
+| test.cpp:109:20:109:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:109:24:109:28 | begin | semmle.label | begin |
+| test.cpp:109:24:109:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:109:36:109:38 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:109:40:109:42 | end | semmle.label | end |
+| test.cpp:109:40:109:42 | end indirection | semmle.label | end indirection |
+| test.cpp:109:47:109:47 | p | semmle.label | p |
+| test.cpp:110:9:110:14 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:113:20:113:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:113:24:113:28 | begin | semmle.label | begin |
+| test.cpp:113:24:113:28 | begin indirection | semmle.label | begin indirection |
+| test.cpp:113:35:113:37 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:113:39:113:41 | end | semmle.label | end |
+| test.cpp:113:39:113:41 | end indirection | semmle.label | end indirection |
+| test.cpp:113:46:113:46 | p | semmle.label | p |
+| test.cpp:119:18:119:25 | call to mk_array [begin] | semmle.label | call to mk_array [begin] |
+| test.cpp:119:18:119:25 | call to mk_array [end] | semmle.label | call to mk_array [end] |
+| test.cpp:124:15:124:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:125:5:125:17 | ... = ... | semmle.label | ... = ... |
+| test.cpp:125:9:125:13 | arr indirection [post update] [begin] | semmle.label | arr indirection [post update] [begin] |
+| test.cpp:126:15:126:15 | p | semmle.label | p |
+| test.cpp:129:11:129:13 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:129:15:129:19 | begin | semmle.label | begin |
+| test.cpp:129:15:129:19 | begin indirection | semmle.label | begin indirection |
+| test.cpp:133:11:133:13 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:133:15:133:19 | begin | semmle.label | begin |
+| test.cpp:133:15:133:19 | begin indirection | semmle.label | begin indirection |
+| test.cpp:137:11:137:13 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:137:15:137:19 | begin | semmle.label | begin |
+| test.cpp:137:15:137:19 | begin indirection | semmle.label | begin indirection |
+| test.cpp:141:10:141:19 | mk_array_p indirection [begin] | semmle.label | mk_array_p indirection [begin] |
+| test.cpp:141:10:141:19 | mk_array_p indirection [end] | semmle.label | mk_array_p indirection [end] |
+| test.cpp:143:5:143:29 | ... = ... | semmle.label | ... = ... |
+| test.cpp:143:10:143:14 | arr indirection [post update] [begin] | semmle.label | arr indirection [post update] [begin] |
+| test.cpp:143:18:143:23 | call to malloc | semmle.label | call to malloc |
+| test.cpp:144:5:144:32 | ... = ... | semmle.label | ... = ... |
+| test.cpp:144:10:144:12 | arr indirection [post update] [end] | semmle.label | arr indirection [post update] [end] |
+| test.cpp:144:16:144:18 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:144:16:144:32 | ... + ... | semmle.label | ... + ... |
+| test.cpp:144:21:144:25 | begin | semmle.label | begin |
+| test.cpp:144:21:144:25 | begin indirection | semmle.label | begin indirection |
+| test.cpp:150:20:150:29 | call to mk_array_p indirection [begin] | semmle.label | call to mk_array_p indirection [begin] |
+| test.cpp:150:20:150:29 | call to mk_array_p indirection [end] | semmle.label | call to mk_array_p indirection [end] |
+| test.cpp:152:20:152:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:152:25:152:29 | begin | semmle.label | begin |
+| test.cpp:152:25:152:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:152:49:152:49 | p | semmle.label | p |
+| test.cpp:156:20:156:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:156:25:156:29 | begin | semmle.label | begin |
+| test.cpp:156:25:156:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:156:37:156:39 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:156:42:156:44 | end | semmle.label | end |
+| test.cpp:156:42:156:44 | end indirection | semmle.label | end indirection |
+| test.cpp:156:49:156:49 | p | semmle.label | p |
+| test.cpp:157:9:157:14 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:160:20:160:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:160:25:160:29 | begin | semmle.label | begin |
+| test.cpp:160:25:160:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:160:48:160:48 | p | semmle.label | p |
+| test.cpp:165:29:165:31 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:165:29:165:31 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:166:20:166:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:166:25:166:29 | begin | semmle.label | begin |
+| test.cpp:166:25:166:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:166:37:166:39 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:166:42:166:44 | end | semmle.label | end |
+| test.cpp:166:42:166:44 | end indirection | semmle.label | end indirection |
+| test.cpp:166:49:166:49 | p | semmle.label | p |
+| test.cpp:170:20:170:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:170:25:170:29 | begin | semmle.label | begin |
+| test.cpp:170:25:170:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:170:37:170:39 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:170:42:170:44 | end | semmle.label | end |
+| test.cpp:170:42:170:44 | end indirection | semmle.label | end indirection |
+| test.cpp:170:49:170:49 | p | semmle.label | p |
+| test.cpp:171:9:171:14 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:174:20:174:22 | arr indirection [begin] | semmle.label | arr indirection [begin] |
+| test.cpp:174:25:174:29 | begin | semmle.label | begin |
+| test.cpp:174:25:174:29 | begin indirection | semmle.label | begin indirection |
+| test.cpp:174:36:174:38 | arr indirection [end] | semmle.label | arr indirection [end] |
+| test.cpp:174:41:174:43 | end | semmle.label | end |
+| test.cpp:174:41:174:43 | end indirection | semmle.label | end indirection |
+| test.cpp:174:48:174:48 | p | semmle.label | p |
+| test.cpp:180:19:180:28 | call to mk_array_p indirection [begin] | semmle.label | call to mk_array_p indirection [begin] |
+| test.cpp:180:19:180:28 | call to mk_array_p indirection [end] | semmle.label | call to mk_array_p indirection [end] |
+| test.cpp:188:15:188:20 | call to malloc | semmle.label | call to malloc |
+| test.cpp:189:15:189:15 | p | semmle.label | p |
+| test.cpp:194:23:194:28 | call to malloc | semmle.label | call to malloc |
+| test.cpp:195:17:195:17 | p | semmle.label | p |
+| test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:195:17:195:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:197:8:197:8 | p | semmle.label | p |
+| test.cpp:197:20:197:22 | end | semmle.label | end |
+| test.cpp:201:5:201:5 | p | semmle.label | p |
+| test.cpp:201:5:201:12 | access to array | semmle.label | access to array |
+| test.cpp:201:5:201:19 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:205:23:205:28 | call to malloc | semmle.label | call to malloc |
+| test.cpp:206:17:206:17 | p | semmle.label | p |
+| test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:208:15:208:15 | p | semmle.label | p |
+| test.cpp:209:12:209:14 | end | semmle.label | end |
+| test.cpp:213:5:213:6 | * ... | semmle.label | * ... |
+| test.cpp:213:5:213:13 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:213:6:213:6 | q | semmle.label | q |
+| test.cpp:213:6:213:6 | q | semmle.label | q |
+| test.cpp:221:17:221:22 | call to malloc | semmle.label | call to malloc |
+| test.cpp:222:5:222:5 | p | semmle.label | p |
+| test.cpp:231:18:231:30 | new[] | semmle.label | new[] |
+| test.cpp:232:3:232:9 | newname | semmle.label | newname |
+| test.cpp:232:3:232:16 | access to array | semmle.label | access to array |
+| test.cpp:232:3:232:20 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:238:20:238:32 | new[] | semmle.label | new[] |
+| test.cpp:239:5:239:11 | newname | semmle.label | newname |
+| test.cpp:239:5:239:18 | access to array | semmle.label | access to array |
+| test.cpp:239:5:239:22 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:248:24:248:30 | call to realloc | semmle.label | call to realloc |
+| test.cpp:249:9:249:9 | p | semmle.label | p |
+| test.cpp:250:22:250:22 | p | semmle.label | p |
+| test.cpp:254:9:254:9 | p | semmle.label | p |
+| test.cpp:254:9:254:12 | access to array | semmle.label | access to array |
+| test.cpp:254:9:254:16 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:260:13:260:24 | new[] | semmle.label | new[] |
+| test.cpp:261:14:261:15 | xs | semmle.label | xs |
+| test.cpp:261:14:261:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:261:14:261:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:261:14:261:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:261:14:261:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:262:26:262:28 | end | semmle.label | end |
+| test.cpp:262:26:262:28 | end | semmle.label | end |
+| test.cpp:262:31:262:31 | x | semmle.label | x |
+| test.cpp:264:13:264:14 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:264:14:264:14 | x | semmle.label | x |
+| test.cpp:264:14:264:14 | x | semmle.label | x |
+| test.cpp:270:13:270:24 | new[] | semmle.label | new[] |
+| test.cpp:271:14:271:15 | xs | semmle.label | xs |
+| test.cpp:271:14:271:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:271:14:271:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:271:14:271:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:271:14:271:21 | ... + ... | semmle.label | ... + ... |
+| test.cpp:272:26:272:28 | end | semmle.label | end |
+| test.cpp:272:26:272:28 | end | semmle.label | end |
+| test.cpp:272:31:272:31 | x | semmle.label | x |
+| test.cpp:272:31:272:31 | x | semmle.label | x |
+| test.cpp:274:5:274:6 | * ... | semmle.label | * ... |
+| test.cpp:274:5:274:10 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:274:6:274:6 | x | semmle.label | x |
+| test.cpp:274:6:274:6 | x | semmle.label | x |
+| test.cpp:280:13:280:24 | new[] | semmle.label | new[] |
+| test.cpp:281:14:281:15 | xs | semmle.label | xs |
+| test.cpp:290:13:290:24 | new[] | semmle.label | new[] |
+| test.cpp:291:14:291:15 | xs | semmle.label | xs |
+| test.cpp:292:30:292:30 | x | semmle.label | x |
+| test.cpp:304:15:304:26 | new[] | semmle.label | new[] |
+| test.cpp:307:5:307:6 | xs | semmle.label | xs |
+| test.cpp:308:5:308:6 | xs | semmle.label | xs |
+| test.cpp:308:5:308:11 | access to array | semmle.label | access to array |
+| test.cpp:308:5:308:29 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:313:14:313:27 | new[] | semmle.label | new[] |
+| test.cpp:314:15:314:16 | xs | semmle.label | xs |
+| test.cpp:325:14:325:27 | new[] | semmle.label | new[] |
+| test.cpp:326:15:326:16 | xs | semmle.label | xs |
+| test.cpp:326:15:326:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:326:15:326:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:338:8:338:15 | * ... | semmle.label | * ... |
+| test.cpp:341:8:341:17 | * ... | semmle.label | * ... |
+| test.cpp:342:8:342:17 | * ... | semmle.label | * ... |
+| test.cpp:347:14:347:27 | new[] | semmle.label | new[] |
+| test.cpp:348:15:348:16 | xs | semmle.label | xs |
+| test.cpp:350:15:350:19 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:350:16:350:19 | ... ++ | semmle.label | ... ++ |
+| test.cpp:350:16:350:19 | ... ++ | semmle.label | ... ++ |
+| test.cpp:350:16:350:19 | ... ++ | semmle.label | ... ++ |
+| test.cpp:355:14:355:27 | new[] | semmle.label | new[] |
+| test.cpp:356:15:356:16 | xs | semmle.label | xs |
+| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:357:24:357:26 | end | semmle.label | end |
+| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
+| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
+| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
+| test.cpp:357:24:357:30 | ... + ... | semmle.label | ... + ... |
+| test.cpp:358:14:358:26 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:358:15:358:26 | end_plus_one | semmle.label | end_plus_one |
+| test.cpp:358:15:358:26 | end_plus_one | semmle.label | end_plus_one |
+| test.cpp:359:14:359:32 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:359:16:359:27 | end_plus_one | semmle.label | end_plus_one |
+| test.cpp:359:16:359:31 | ... + ... | semmle.label | ... + ... |
+| test.cpp:363:14:363:27 | new[] | semmle.label | new[] |
+| test.cpp:365:15:365:15 | p | semmle.label | p |
+| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... |
+| test.cpp:368:5:368:10 | ... += ... | semmle.label | ... += ... |
+| test.cpp:371:7:371:7 | p | semmle.label | p |
+| test.cpp:372:15:372:16 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:372:16:372:16 | p | semmle.label | p |
+| test.cpp:377:14:377:27 | new[] | semmle.label | new[] |
+| test.cpp:378:15:378:16 | xs | semmle.label | xs |
+| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... |
+| test.cpp:381:5:381:7 | end | semmle.label | end |
+| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
+| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
+| test.cpp:384:13:384:16 | Load: * ... | semmle.label | Load: * ... |
+| test.cpp:384:14:384:16 | end | semmle.label | end |
 subpaths
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
 | test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
-| test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
 | test.cpp:20:14:20:21 | Load: * ... | test.cpp:16:15:16:20 | call to malloc | test.cpp:20:14:20:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:16:15:16:20 | call to malloc | call to malloc | test.cpp:17:19:17:22 | size | size |
 | test.cpp:30:14:30:15 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:30:14:30:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
 | test.cpp:32:14:32:21 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
-| test.cpp:32:14:32:21 | Load: * ... | test.cpp:28:15:28:20 | call to malloc | test.cpp:32:14:32:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:28:15:28:20 | call to malloc | call to malloc | test.cpp:29:20:29:27 | ... + ... | ... + ... |
 | test.cpp:42:14:42:15 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:42:14:42:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
 | test.cpp:44:14:44:21 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
-| test.cpp:44:14:44:21 | Load: * ... | test.cpp:40:15:40:20 | call to malloc | test.cpp:44:14:44:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:40:15:40:20 | call to malloc | call to malloc | test.cpp:41:20:41:27 | ... - ... | ... - ... |
 | test.cpp:67:9:67:14 | Store: ... = ... | test.cpp:52:19:52:24 | call to malloc | test.cpp:67:9:67:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:52:19:52:24 | call to malloc | call to malloc | test.cpp:53:20:53:23 | size | size |
 | test.cpp:96:9:96:14 | Store: ... = ... | test.cpp:82:17:82:22 | call to malloc | test.cpp:96:9:96:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:82:17:82:22 | call to malloc | call to malloc | test.cpp:83:27:83:30 | size | size |
 | test.cpp:110:9:110:14 | Store: ... = ... | test.cpp:82:17:82:22 | call to malloc | test.cpp:110:9:110:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:82:17:82:22 | call to malloc | call to malloc | test.cpp:83:27:83:30 | size | size |
@@ -703,7 +1118,8 @@ subpaths
 | test.cpp:264:13:264:14 | Load: * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len |
 | test.cpp:274:5:274:10 | Store: ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len |
 | test.cpp:308:5:308:29 | Store: ... = ... | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:29 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:304:15:304:26 | new[] | new[] | test.cpp:308:8:308:10 | ... + ... | ... + ... |
-| test.cpp:314:17:314:25 | Store: ... + ... | test.cpp:313:16:313:29 | new[] | test.cpp:314:17:314:25 | Store: ... + ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
-| test.cpp:318:13:318:20 | Load: * ... | test.cpp:313:16:313:29 | new[] | test.cpp:318:13:318:20 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
-| test.cpp:320:10:320:21 | Store: -- ... | test.cpp:313:16:313:29 | new[] | test.cpp:320:10:320:21 | Store: -- ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
-| test.cpp:320:12:320:21 | Load: (...) | test.cpp:313:16:313:29 | new[] | test.cpp:320:12:320:21 | Load: (...) | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:313:16:313:29 | new[] | new[] | test.cpp:314:22:314:25 | size | size |
+| test.cpp:350:15:350:19 | Load: * ... | test.cpp:347:14:347:27 | new[] | test.cpp:350:15:350:19 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:347:14:347:27 | new[] | new[] | test.cpp:348:20:348:23 | size | size |
+| test.cpp:358:14:358:26 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
+| test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
+| test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size |
+| test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp

@@ -310,15 +310,76 @@ void test21() {
 }
 
 void test22(unsigned size, int val) {
-    char *xs = new char[size];
-    char *end = xs + size; // GOOD [FALSE POSITIVE]
-    char **current = &end;
-    do
-    {
-        if( *current - xs < 1 ) // GOOD [FALSE POSITIVE]
-            return;
-        *--(*current) = 0; // GOOD [FALSE POSITIVE]
-        val >>= 8;
-    }
-    while( val > 0 );
+  char *xs = new char[size];
+  char *end = xs + size; // GOOD
+  char **current = &end;
+  do {
+    if (*current - xs < 1) // GOOD
+      return;
+    *--(*current) = 0; // GOOD
+      val >>= 8;
+  } while (val > 0);
+}
+
+void test23(unsigned size, int val) {
+  char *xs = new char[size];
+  char *end = xs + size;
+  char **current = &end;
+
+  if (val < 1) {
+    if(*current - xs < 1)
+      return;
+
+    *--(*current) = 0; // GOOD
+    return;
+  }
+
+  if (val < 2) {
+    if(*current - xs < 2)
+      return;
+
+    *--(*current) = 0; // GOOD
+    *--(*current) = 0; // GOOD
+  }
+}
+
+void test24(unsigned size) {
+  char *xs = new char[size];
+  char *end = xs + size;
+  if (xs < end) {
+    int val = *xs++; // GOOD [FALSE POSITIVE]
+  }
+}
+
+void test25(unsigned size) {
+  char *xs = new char[size];
+  char *end = xs + size;
+  char *end_plus_one = end + 1;
+  int val1 = *end_plus_one; // BAD
+  int val2 = *(end_plus_one + 1); // BAD
+}
+
+void test26(unsigned size) {
+  char *xs = new char[size];
+  char *p = xs;
+  char *end = p + size;
+
+  if (p + 4 <= end) {
+    p += 4;
+  }
+
+  if (p < end) {
+    int val = *p; // GOOD [FALSE POSITIVE]
+  }
+}
+
+void test27(unsigned size, bool b) {
+  char *xs = new char[size];
+  char *end = xs + size;
+
+  if (b) {
+    end++;
+  }
+
+  int val = *end; // BAD
 }

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.expected

@@ -1,2 +1,4 @@
 WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:9,8-47)
 WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:20,49-74)
+failures
+testFailures

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.ql

@@ -38,12 +38,10 @@ predicate irTaint(Element source, TaintedWithPath::PathNode predNode, string tag
   )
 }
 
-class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
-  IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
+module IRDefaultTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = ["ir-path", "ir-sink"] }
 
-  override string getARelevantTag() { result = ["ir-path", "ir-sink"] }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(Element elem, TaintedWithPath::PathNode node, int n |
       irTaint(_, node, tag) and
       elem = getElementFromPathNode(node) and
@@ -67,12 +65,10 @@ class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
   }
 }
 
-class AstTaintTrackingTest extends InlineExpectationsTest {
-  AstTaintTrackingTest() { this = "ASTTaintTrackingTest" }
+module AstTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = "ast" }
 
-  override string getARelevantTag() { result = "ast" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(Expr source, Element tainted, int n |
       tag = "ast" and
       astTaint(source, tainted) and
@@ -100,3 +96,5 @@ class AstTaintTrackingTest extends InlineExpectationsTest {
     )
   }
 }
+
+import MakeTest<MergeTests<IRDefaultTaintTrackingTest, AstTaintTrackingTest>>

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected

@@ -1,2 +1,4 @@
 WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:10,8-47)
 WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:21,3-28)
+failures
+testFailures

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.ql

@@ -29,12 +29,10 @@ predicate irTaint(Expr source, Element sink) {
   TaintedWithPath::taintedWithPath(source, sink, _, _)
 }
 
-class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
-  IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
+module IRDefaultTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = "ir" }
 
-  override string getARelevantTag() { result = "ir" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(Expr source, Element tainted, int n |
       tag = "ir" and
       irTaint(source, tainted) and
@@ -55,12 +53,10 @@ class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
   }
 }
 
-class AstTaintTrackingTest extends InlineExpectationsTest {
-  AstTaintTrackingTest() { this = "ASTTaintTrackingTest" }
+module AstTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = "ast" }
 
-  override string getARelevantTag() { result = "ast" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(Expr source, Element tainted, int n |
       tag = "ast" and
       astTaint(source, tainted) and
@@ -80,3 +76,5 @@ class AstTaintTrackingTest extends InlineExpectationsTest {
     )
   }
 }
+
+import MakeTest<MergeTests<IRDefaultTaintTrackingTest, AstTaintTrackingTest>>

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/globals/global.expected

@@ -1,2 +1,4 @@
 WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (global.ql:8,3-47)
 WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (global.ql:12,3-53)
+failures
+testFailures

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/globals/global.ql

@@ -12,12 +12,10 @@ predicate irTaint(Expr source, Element sink, string globalVar) {
   IRDefaultTaintTracking::taintedIncludingGlobalVars(source, sink, globalVar) and globalVar != ""
 }
 
-class IRGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
-  IRGlobalDefaultTaintTrackingTest() { this = "IRGlobalDefaultTaintTrackingTest" }
+module IRGlobalDefaultTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = "ir" }
 
-  override string getARelevantTag() { result = "ir" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(Element tainted |
       tag = "ir" and
       irTaint(_, tainted, value) and
@@ -27,12 +25,10 @@ class IRGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
   }
 }
 
-class AstGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
-  AstGlobalDefaultTaintTrackingTest() { this = "ASTGlobalDefaultTaintTrackingTest" }
+module AstGlobalDefaultTaintTrackingTest implements TestSig {
+  string getARelevantTag() { result = "ast" }
 
-  override string getARelevantTag() { result = "ast" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
+  predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(Element tainted |
       tag = "ast" and
       astTaint(_, tainted, value) and
@@ -41,3 +37,5 @@ class AstGlobalDefaultTaintTrackingTest extends InlineExpectationsTest {
     )
   }
 }
+
+import MakeTest<MergeTests<IRGlobalDefaultTaintTrackingTest, AstGlobalDefaultTaintTrackingTest>>

cpp/ql/test/library-tests/dataflow/dataflow-tests/has-parameter-flow-out.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

cpp/ql/test/library-tests/dataflow/dataflow-tests/has-parameter-flow-out.ql

@@ -5,12 +5,10 @@ module AstTest {
   private import semmle.code.cpp.dataflow.DataFlow::DataFlow
   private import semmle.code.cpp.dataflow.internal.DataFlowPrivate
 
-  class AstParameterDefTest extends InlineExpectationsTest {
-    AstParameterDefTest() { this = "AstParameterDefTest" }
+  module AstParameterDefTest implements TestSig {
+    string getARelevantTag() { result = "ast-def" }
 
-    override string getARelevantTag() { result = "ast-def" }
-
-    override predicate hasActualResult(Location location, string element, string tag, string value) {
+    predicate hasActualResult(Location location, string element, string tag, string value) {
       exists(Function f, Parameter p, RefParameterFinalValueNode n |
         p.isNamed() and
         n.getParameter() = p and
@@ -33,12 +31,10 @@ module IRTest {
     (if k = 0 then result = "" else result = "*" + stars(k - 1))
   }
 
-  class IRParameterDefTest extends InlineExpectationsTest {
-    IRParameterDefTest() { this = "IRParameterDefTest" }
+  module IRParameterDefTest implements TestSig {
+    string getARelevantTag() { result = "ir-def" }
 
-    override string getARelevantTag() { result = "ir-def" }
-
-    override predicate hasActualResult(Location location, string element, string tag, string value) {
+    predicate hasActualResult(Location location, string element, string tag, string value) {
       exists(Function f, Parameter p, FinalParameterNode n |
         p.isNamed() and
         n.getParameter() = p and
@@ -51,3 +47,5 @@ module IRTest {
     }
   }
 }
+
+import MakeTest<MergeTests<AstTest::AstParameterDefTest, IRTest::IRParameterDefTest>>

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-number-of-outnodes.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-number-of-outnodes.ql

@@ -5,12 +5,10 @@ module AstTest {
   private import semmle.code.cpp.dataflow.DataFlow::DataFlow
   private import semmle.code.cpp.dataflow.internal.DataFlowPrivate
 
-  class AstMultipleOutNodesTest extends InlineExpectationsTest {
-    AstMultipleOutNodesTest() { this = "AstMultipleOutNodesTest" }
+  module AstMultipleOutNodesTest implements TestSig {
+    string getARelevantTag() { result = "ast-count(" + any(ReturnKind k).toString() + ")" }
 
-    override string getARelevantTag() { result = "ast-count(" + any(ReturnKind k).toString() + ")" }
-
-    override predicate hasActualResult(Location location, string element, string tag, string value) {
+    predicate hasActualResult(Location location, string element, string tag, string value) {
       exists(DataFlowCall call, int n, ReturnKind kind |
         call.getLocation() = location and
         n = strictcount(getAnOutNode(call, kind)) and
@@ -27,12 +25,10 @@ module IRTest {
   private import semmle.code.cpp.ir.dataflow.DataFlow
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
 
-  class IRMultipleOutNodesTest extends InlineExpectationsTest {
-    IRMultipleOutNodesTest() { this = "IRMultipleOutNodesTest" }
+  module IRMultipleOutNodesTest implements TestSig {
+    string getARelevantTag() { result = "ir-count(" + any(ReturnKind k).toString() + ")" }
 
-    override string getARelevantTag() { result = "ir-count(" + any(ReturnKind k).toString() + ")" }
-
-    override predicate hasActualResult(Location location, string element, string tag, string value) {
+    predicate hasActualResult(Location location, string element, string tag, string value) {
       exists(DataFlowCall call, int n, ReturnKind kind |
         call.getLocation() = location and
         n = strictcount(getAnOutNode(call, kind)) and
@@ -44,3 +40,5 @@ module IRTest {
     }
   }
 }
+
+import MakeTest<MergeTests<AstTest::AstMultipleOutNodesTest, IRTest::IRMultipleOutNodesTest>>

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql

@@ -16,10 +16,8 @@ module AstTest {
   }
 
   /** Common data flow configuration to be used by tests. */
-  class AstTestAllocationConfig extends DataFlow::Configuration {
-    AstTestAllocationConfig() { this = "ASTTestAllocationConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
+  module AstTestAllocationConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
       source.asExpr().(FunctionCall).getTarget().getName() = "source"
       or
       source.asParameter().getName().matches("source%")
@@ -32,18 +30,20 @@ module AstTest {
       exists(source.asUninitialized())
     }
 
-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
       exists(FunctionCall call |
         call.getTarget().getName() = ["sink", "indirect_sink"] and
         sink.asExpr() = call.getAnArgument()
       )
     }
 
-    override predicate isBarrier(DataFlow::Node barrier) {
+    predicate isBarrier(DataFlow::Node barrier) {
       barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") or
       barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getABarrierNode()
     }
   }
+
+  module AstFlow = DataFlow::Global<AstTestAllocationConfig>;
 }
 
 module IRTest {
@@ -67,10 +67,8 @@ module IRTest {
   }
 
   /** Common data flow configuration to be used by tests. */
-  class IRTestAllocationConfig extends DataFlow::Configuration {
-    IRTestAllocationConfig() { this = "IRTestAllocationConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
+  module IRTestAllocationConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
       source.asExpr().(FunctionCall).getTarget().getName() = "source"
       or
       source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "indirect_source"
@@ -82,7 +80,7 @@ module IRTest {
       exists(source.asUninitialized())
     }
 
-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
       exists(FunctionCall call, Expr e | e = call.getAnArgument() |
         call.getTarget().getName() = "sink" and
         sink.asExpr() = e
@@ -92,7 +90,7 @@ module IRTest {
       )
     }
 
-    override predicate isBarrier(DataFlow::Node barrier) {
+    predicate isBarrier(DataFlow::Node barrier) {
       exists(Expr barrierExpr | barrierExpr in [barrier.asExpr(), barrier.asIndirectExpr()] |
         barrierExpr.(VariableAccess).getTarget().hasName("barrier")
       )
@@ -102,4 +100,8 @@ module IRTest {
       barrier = DataFlow::BarrierGuard<testBarrierGuard/3>::getAnIndirectBarrierNode()
     }
   }
+
+  module IRFlow = DataFlow::Global<IRTestAllocationConfig>;
 }
+
+import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>

cpp/ql/test/library-tests/dataflow/fields/ASTConfiguration.qll

@@ -1,10 +1,8 @@
 private import semmle.code.cpp.dataflow.DataFlow
 private import DataFlow
 
-class AstConf extends Configuration {
-  AstConf() { this = "ASTFieldFlowConf" }
-
-  override predicate isSource(Node src) {
+module AstConfig implements ConfigSig {
+  predicate isSource(Node src) {
     src.asExpr() instanceof NewExpr
     or
     src.asExpr().(Call).getTarget().hasName("user_input")
@@ -15,14 +13,14 @@ class AstConf extends Configuration {
     )
   }
 
-  override predicate isSink(Node sink) {
+  predicate isSink(Node sink) {
     exists(Call c |
       c.getTarget().hasName("sink") and
       c.getAnArgument() = sink.asExpr()
     )
   }
 
-  override predicate isAdditionalFlowStep(Node a, Node b) {
+  predicate isAdditionalFlowStep(Node a, Node b) {
     b.asPartialDefinition() =
       any(Call c | c.getTarget().hasName("insert") and c.getAnArgument() = a.asExpr())
           .getQualifier()
@@ -31,5 +29,4 @@ class AstConf extends Configuration {
   }
 }
 
-/** DEPRECATED: Alias for AstConf */
-deprecated class ASTConf = AstConf;
+module AstFlow = Global<AstConfig>;

cpp/ql/test/library-tests/dataflow/fields/IRConfiguration.qll

@@ -1,10 +1,8 @@
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import DataFlow
 
-class IRConf extends Configuration {
-  IRConf() { this = "IRFieldFlowConf" }
-
-  override predicate isSource(Node src) {
+module IRConfig implements ConfigSig {
+  predicate isSource(Node src) {
     src.asExpr() instanceof NewExpr
     or
     src.asExpr().(Call).getTarget().hasName("user_input")
@@ -15,14 +13,14 @@ class IRConf extends Configuration {
     )
   }
 
-  override predicate isSink(Node sink) {
+  predicate isSink(Node sink) {
     exists(Call c |
       c.getTarget().hasName("sink") and
       c.getAnArgument() = [sink.asExpr(), sink.asIndirectExpr(), sink.asConvertedExpr()]
     )
   }
 
-  override predicate isAdditionalFlowStep(Node a, Node b) {
+  predicate isAdditionalFlowStep(Node a, Node b) {
     b.asPartialDefinition() =
       any(Call c | c.getTarget().hasName("insert") and c.getAnArgument() = a.asExpr())
           .getQualifier()
@@ -30,3 +28,5 @@ class IRConf extends Configuration {
     b.asExpr().(AddressOfExpr).getOperand() = a.asExpr()
   }
 }
+
+module IRFlow = Global<IRConfig>;

cpp/ql/test/library-tests/dataflow/fields/Nodes.qll

@@ -34,9 +34,6 @@ class AstNode extends Node, TAstNode {
   override Location getLocation() { result = n.getLocation() }
 }
 
-/** DEPRECATED: Alias for AstNode */
-deprecated class ASTNode = AstNode;
-
 class IRNode extends Node, TIRNode {
   IR::DataFlow::Node n;
 

cpp/ql/test/library-tests/dataflow/fields/flow.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

cpp/ql/test/library-tests/dataflow/fields/flow.ql

@@ -1,9 +1,11 @@
 import TestUtilities.dataflow.FlowTestCommon
 
 module AstTest {
-  private import ASTConfiguration
+  import ASTConfiguration
 }
 
 module IRTest {
-  private import IRConfiguration
+  import IRConfiguration
 }
+
+import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>

cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.ql

@@ -4,8 +4,8 @@
 
 import semmle.code.cpp.ir.dataflow.DataFlow
 import IRConfiguration
-import DataFlow::PathGraph
+import IRFlow::PathGraph
 
-from DataFlow::PathNode src, DataFlow::PathNode sink, IRConf conf
-where conf.hasFlowPath(src, sink)
+from IRFlow::PathNode src, IRFlow::PathNode sink
+where IRFlow::flowPath(src, sink)
 select sink, src, sink, sink + " flows from $@", src, src.toString()

cpp/ql/test/library-tests/dataflow/fields/path-flow.ql

@@ -4,8 +4,8 @@
 
 import semmle.code.cpp.dataflow.DataFlow
 import ASTConfiguration
-import DataFlow::PathGraph
+import AstFlow::PathGraph
 
-from DataFlow::PathNode src, DataFlow::PathNode sink, AstConf conf
-where conf.hasFlowPath(src, sink)
+from AstFlow::PathNode src, AstFlow::PathNode sink
+where AstFlow::flowPath(src, sink)
 select sink, src, sink, sink + " flows from $@", src, src.toString()

cpp/ql/test/library-tests/dataflow/smart-pointers-taint/taint.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

cpp/ql/test/library-tests/dataflow/smart-pointers-taint/taint.ql

@@ -3,37 +3,39 @@ import TestUtilities.dataflow.FlowTestCommon
 module AstTest {
   private import semmle.code.cpp.dataflow.TaintTracking
 
-  class AstSmartPointerTaintConfig extends TaintTracking::Configuration {
-    AstSmartPointerTaintConfig() { this = "ASTSmartPointerTaintConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
+  module AstSmartPointerTaintConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
       source.asExpr().(FunctionCall).getTarget().getName() = "source"
     }
 
-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
       exists(FunctionCall call |
         call.getTarget().getName() = "sink" and
         sink.asExpr() = call.getAnArgument()
       )
     }
   }
+
+  module AstFlow = TaintTracking::Global<AstSmartPointerTaintConfig>;
 }
 
 module IRTest {
   private import semmle.code.cpp.ir.dataflow.TaintTracking
 
-  class IRSmartPointerTaintConfig extends TaintTracking::Configuration {
-    IRSmartPointerTaintConfig() { this = "IRSmartPointerTaintConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
+  module IRSmartPointerTaintConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
       source.asExpr().(FunctionCall).getTarget().getName() = "source"
     }
 
-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
       exists(FunctionCall call |
         call.getTarget().getName() = "sink" and
         sink.asExpr() = call.getAnArgument()
       )
     }
   }
+
+  module IRFlow = TaintTracking::Global<IRSmartPointerTaintConfig>;
 }
+
+import MakeTest<MergeTests<AstFlowTest<AstTest::AstFlow>, IRFlowTest<IRTest::IRFlow>>>

cpp/ql/test/library-tests/dataflow/source-sink-tests/local-flow.expected

@@ -0,0 +1,2 @@
+failures
+testFailures