Merge pull request #14630 from github/release-prep/2.15.2

Release preparation for version 2.15.2

.github/dependabot.yml

@@ -25,9 +25,18 @@ updates:
     allow:
       - dependency-name: "golang.org/x/mod"
       - dependency-name: "golang.org/x/tools"
-    group:
+    groups:
       extractor-dependencies:
         patterns:
           - "golang.org/x/*"
     reviewers:
       - "github/codeql-go"
+
+  - package-ecosystem: "gomod"
+    directory: "go/ql/test"
+    schedule:
+      interval: "monthly"
+    ignore:
+      - dependency-name: "*"
+    reviewers:
+      - "github/codeql-go"

.github/workflows/check-change-note.yml

@@ -9,26 +9,42 @@ on:
       - "*/ql/lib/**/*.ql"
       - "*/ql/lib/**/*.qll"
       - "*/ql/lib/**/*.yml"
+      - "shared/**/*.ql"
+      - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:
   check-change-note:
+    env: 
+      REPO: ${{ github.repository }}
+      PULL_REQUEST_NUMBER: ${{ github.event.number }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     runs-on: ubuntu-latest
     steps:
+
       - name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
         if: |
           github.event.pull_request.draft == false &&
           !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
-          grep true -c
+          change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
+          
+          if [ -z "$change_note_files" ]; then
+            echo "No change note found. Either add one, or add the 'no-change-note-required' label."
+            exit 1
+          fi
+
+          echo "Change notes found:"
+          echo "$change_note_files"
+
       - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md', 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text, or released/x.y.z.md for released change-notes
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$"))' |
-          grep true -c
+          bad_change_note_file_names=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))][] | select((test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$")) | not)')
+
+          if [ -n "$bad_change_note_file_names" ]; then
+            echo "The following change note file names are invalid:"
+            echo "$bad_change_note_file_names"
+            exit 1
+          fi

.github/workflows/csharp-qltest.yml

@@ -91,7 +91,7 @@ jobs:
         run: |
           # Generate (Asp)NetCore stubs
           STUBS_PATH=stubs_output
-          python3 ql/src/Stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
+          python3 scripts/stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
           rm -rf ql/test/resources/stubs/_frameworks
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -89,9 +89,32 @@ jobs:
       - name: Save PR number
         run: |
           mkdir -p pr
-          echo ${{ github.event.pull_request.number }} > pr/NR
+          echo ${PR_NUMBER} > pr/NR
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
       - name: Upload PR number
         uses: actions/upload-artifact@v3
         with:
           name: pr
           path: pr/
+      - name: Save comment ID (if it exists)
+        run: |
+          # Find the latest comment starting with COMMENT_PREFIX
+          COMMENT_PREFIX=":warning: The head of this PR and the base branch were compared for differences in the framework coverage reports."
+          COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" 'map(select(.body|startswith($prefix)) | .id) | max // empty')
+          if [[ -z ${COMMENT_ID} ]]
+          then
+            echo "Comment not found. Not uploading 'comment/ID' artifact."
+          else
+            mkdir -p comment
+            echo ${COMMENT_ID} > comment/ID
+          fi
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+      - name: Upload comment ID (if it exists)
+        uses: actions/upload-artifact@v3
+        with:
+          name: comment
+          path: comment/
+          if-no-files-found: ignore

codeql-workspace.yml

@@ -6,7 +6,7 @@ provide:
   - "*/ql/consistency-queries/qlpack.yml"
   - "*/ql/automodel/src/qlpack.yml"
   - "*/ql/automodel/test/qlpack.yml"
-  - "shared/*/qlpack.yml"
+  - "shared/**/qlpack.yml"
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"
   - "go/build/codeql-extractor-go/codeql-extractor.yml"

cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/builtintypes.ql

@@ -0,0 +1,19 @@
+class BuiltinType extends @builtintype {
+  string toString() { none() }
+}
+
+from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
+where
+  builtintypes(type, name, kind, size, sign, alignment) and
+  if
+    type instanceof @fp16 or
+    type instanceof @std_bfloat16 or
+    type instanceof @std_float16 or
+    type instanceof @complex_std_float32 or
+    type instanceof @complex_float32x or
+    type instanceof @complex_std_float64 or
+    type instanceof @complex_float64x or
+    type instanceof @complex_std_float128
+  then kind_new = 2
+  else kind_new = kind
+select type, name, kind_new, size, sign, alignment

cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/upgrade.properties

@@ -0,0 +1,3 @@
+description: Introduce new floating-point types from C23 and C++23
+compatibility: backwards
+builtintypes.rel: run builtintypes.qlo

cpp/downgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/upgrade.properties

@@ -0,0 +1,3 @@
+description: Introduce extractor version numbers
+compatibility: breaking
+extractor_version.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,18 @@
+## 0.11.0
+
+### Breaking Changes
+
+* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
+
+### New Features
+
+* Added a new class `AdditionalCallTarget` for specifying additional call targets.
+
+### Minor Analysis Improvements
+
+* More field accesses are identified as `ImplicitThisFieldAccess`.
+* Added support for new floating-point types in C23 and C++23.
+
 ## 0.10.1
 
 ### Minor Analysis Improvements

cpp/ql/lib/change-notes/released/0.11.0.md

@@ -0,0 +1,14 @@
+## 0.11.0
+
+### Breaking Changes
+
+* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
+
+### New Features
+
+* Added a new class `AdditionalCallTarget` for specifying additional call targets.
+
+### Minor Analysis Improvements
+
+* More field accesses are identified as `ImplicitThisFieldAccess`.
+* Added support for new floating-point types in C23 and C++23.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.10.1
+lastReleaseVersion: 0.11.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.10.1
+version: 0.11.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -7,6 +7,7 @@ library: true
 upgrades: upgrades
 dependencies:
   codeql/dataflow: ${workspace}
+  codeql/rangeanalysis: ${workspace}
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -32,7 +32,7 @@ private module Input implements InputSig {
 private module Impl = Make<Input>;
 
 /** A file or folder. */
-class Container extends Locatable, Impl::Container {
+class Container extends ElementBase, Impl::Container {
   override string toString() { result = Impl::Container.super.toString() }
 }
 
@@ -47,11 +47,6 @@ class Container extends Locatable, Impl::Container {
  * To get the full path, use `getAbsolutePath`.
  */
 class Folder extends Container, Impl::Folder {
-  override Location getLocation() {
-    result.getContainer() = this and
-    result.hasLocationInfo(_, 0, 0, 0, 0)
-  }
-
   override string getAPrimaryQlClass() { result = "Folder" }
 }
 
@@ -67,7 +62,7 @@ class Folder extends Container, Impl::Folder {
  * The base name further decomposes into the _stem_ and _extension_ -- see
  * `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
  */
-class File extends Container, Impl::File {
+class File extends Container, Locatable, Impl::File {
   override string getAPrimaryQlClass() { result = "File" }
 
   override Location getLocation() {

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -819,6 +819,30 @@ private predicate floatingPointTypeMapping(
   or
   // _Complex _Float16
   kind = 53 and base = 2 and domain = TComplexDomain() and realKind = 52 and extended = false
+  or
+  // __fp16
+  kind = 54 and base = 2 and domain = TRealDomain() and realKind = 54 and extended = false
+  or
+  // __bf16
+  kind = 55 and base = 2 and domain = TRealDomain() and realKind = 55 and extended = false
+  or
+  // std::float16_t
+  kind = 56 and base = 2 and domain = TRealDomain() and realKind = 56 and extended = false
+  or
+  // _Complex _Float32
+  kind = 57 and base = 2 and domain = TComplexDomain() and realKind = 45 and extended = false
+  or
+  // _Complex _Float32x
+  kind = 58 and base = 2 and domain = TComplexDomain() and realKind = 46 and extended = true
+  or
+  // _Complex _Float64
+  kind = 59 and base = 2 and domain = TComplexDomain() and realKind = 47 and extended = false
+  or
+  // _Complex _Float64x
+  kind = 60 and base = 2 and domain = TComplexDomain() and realKind = 48 and extended = true
+  or
+  // _Complex _Float128
+  kind = 61 and base = 2 and domain = TComplexDomain() and realKind = 49 and extended = false
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/exprs/Access.qll

@@ -306,15 +306,13 @@ private predicate exprHasReferenceConversion(Expr e) { referenceConversion(e.get
  *   }
  * };
  * ```
- * Note: the C++ front-end often automatically desugars `field` to
- * `this->field`, so most accesses of `this->field` are instances
- * of `PointerFieldAccess` (with `ThisExpr` as the qualifier), not
- * `ImplicitThisFieldAccess`.
  */
 class ImplicitThisFieldAccess extends FieldAccess {
   override string getAPrimaryQlClass() { result = "ImplicitThisFieldAccess" }
 
-  ImplicitThisFieldAccess() { not exists(this.getQualifier()) }
+  ImplicitThisFieldAccess() {
+    this.getQualifier().(ThisExpr).isCompilerGenerated() or not exists(this.getQualifier())
+  }
 }
 
 /**
@@ -332,7 +330,7 @@ class PointerToFieldLiteral extends ImplicitThisFieldAccess {
     // access without a qualifier. The only other unqualified field accesses it
     // emits are for compiler-generated constructors and destructors. When we
     // filter those out, there are only pointer-to-field literals left.
-    not this.isCompilerGenerated()
+    not this.isCompilerGenerated() and not exists(this.getQualifier())
   }
 
   override predicate isConstant() { any() }

cpp/ql/lib/semmle/code/cpp/internal/ExtractorVersion.qll

@@ -0,0 +1,15 @@
+/**
+ * INTERNAL: Do not use. Provides predicates for getting the CodeQL and frontend
+ * version used during database extraction.
+ */
+
+/** Get the extractor CodeQL version */
+string getExtractorCodeQLVersion() { extractor_version(result, _) }
+
+/** Get the extractor frontend version */
+string getExtractorFrontendVersion() { extractor_version(_, result) }
+
+predicate isExtractorFrontendVersion65OrHigher() {
+  // Version numbers we not included in the database before 6.5.
+  exists(getExtractorCodeQLVersion())
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -7,9 +7,12 @@ private import DataFlowImplCommon as DataFlowImplCommon
 
 /**
  * Gets a function that might be called by `call`.
+ *
+ * This predicate does not take additional call targets
+ * from `AdditionalCallTarget` into account.
  */
 cached
-DataFlowCallable viableCallable(DataFlowCall call) {
+DataFlowCallable defaultViableCallable(DataFlowCall call) {
   DataFlowImplCommon::forceCachingInSameStage() and
   result = call.getStaticCallTarget()
   or
@@ -29,6 +32,17 @@ DataFlowCallable viableCallable(DataFlowCall call) {
   result = call.(VirtualDispatch::DataSensitiveCall).resolve()
 }
 
+/**
+ * Gets a function that might be called by `call`.
+ */
+cached
+DataFlowCallable viableCallable(DataFlowCall call) {
+  result = defaultViableCallable(call)
+  or
+  // Additional call targets
+  result = any(AdditionalCallTarget additional).viableTarget(call.getUnconvertedResultExpression())
+}
+
 /**
  * Provides virtual dispatch support compatible with the original
  * implementation of `semmle.code.cpp.security.TaintTracking`.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -14,6 +14,7 @@ private import DataFlowPrivate
 private import ModelUtil
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
+private import codeql.util.Unit
 
 /**
  * The IR dataflow graph consists of the following nodes:
@@ -2237,3 +2238,43 @@ module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardCheck
     )
   }
 }
+
+/**
+ * A unit class for adding additional call steps.
+ *
+ * Extend this class to add additional call steps to the data flow graph.
+ *
+ * For example, if the following subclass is added:
+ * ```ql
+ * class MyAdditionalCallTarget extends DataFlow::AdditionalCallTarget {
+ *   override Function viableTarget(Call call) {
+ *     call.getTarget().hasName("f") and
+ *     result.hasName("g")
+ *   }
+ * }
+ * ```
+ * then flow from `source()` to `x` in `sink(x)` is reported in the following example:
+ * ```cpp
+ * void sink(int);
+ * int source();
+ * void f(int);
+ *
+ * void g(int x) {
+ *   sink(x);
+ * }
+ *
+ * void test() {
+ *   int x = source();
+ *   f(x);
+ * }
+ * ```
+ *
+ * Note: To prevent reevaluation of cached dataflow-related predicates any
+ * subclass of `AdditionalCallTarget` must be imported in all dataflow queries.
+ */
+class AdditionalCallTarget extends Unit {
+  /**
+   * Gets a viable target for `call`.
+   */
+  abstract DataFlowCallable viableTarget(Call call);
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ModelUtil.qll

@@ -31,26 +31,35 @@ DataFlow::Node callInput(CallInstruction call, FunctionInput input) {
   )
 }
 
+/**
+ * Gets the node that represents the output of `call` with kind `output` at
+ * indirection index `indirectionIndex`.
+ */
+private Node callOutputWithIndirectionIndex(
+  CallInstruction call, FunctionOutput output, int indirectionIndex
+) {
+  // The return value
+  simpleOutNode(result, call) and
+  output.isReturnValue() and
+  indirectionIndex = 0
+  or
+  // The side effect of a call on the value pointed to by an argument or qualifier
+  exists(int index |
+    result.(IndirectArgumentOutNode).getArgumentIndex() = index and
+    result.(IndirectArgumentOutNode).getIndirectionIndex() = indirectionIndex - 1 and
+    result.(IndirectArgumentOutNode).getCallInstruction() = call and
+    output.isParameterDerefOrQualifierObject(index, indirectionIndex - 1)
+  )
+  or
+  result = getIndirectReturnOutNode(call, indirectionIndex) and
+  output.isReturnValueDeref(indirectionIndex)
+}
+
 /**
  * Gets the instruction that holds the `output` for `call`.
  */
 Node callOutput(CallInstruction call, FunctionOutput output) {
-  // The return value
-  simpleOutNode(result, call) and
-  output.isReturnValue()
-  or
-  // The side effect of a call on the value pointed to by an argument or qualifier
-  exists(int index, int indirectionIndex |
-    result.(IndirectArgumentOutNode).getArgumentIndex() = index and
-    result.(IndirectArgumentOutNode).getIndirectionIndex() = indirectionIndex and
-    result.(IndirectArgumentOutNode).getCallInstruction() = call and
-    output.isParameterDerefOrQualifierObject(index, indirectionIndex)
-  )
-  or
-  exists(int ind |
-    result = getIndirectReturnOutNode(call, ind) and
-    output.isReturnValueDeref(ind)
-  )
+  result = callOutputWithIndirectionIndex(call, output, _)
 }
 
 DataFlow::Node callInput(CallInstruction call, FunctionInput input, int d) {
@@ -76,19 +85,15 @@ private IndirectReturnOutNode getIndirectReturnOutNode(CallInstruction call, int
  */
 bindingset[d]
 Node callOutput(CallInstruction call, FunctionOutput output, int d) {
-  exists(DataFlow::Node n | n = callOutput(call, output) and d > 0 |
+  exists(DataFlow::Node n, int indirectionIndex |
+    n = callOutputWithIndirectionIndex(call, output, indirectionIndex) and d > 0
+  |
     // The return value
-    result = getIndirectReturnOutNode(n.asInstruction(), d)
+    result = callOutputWithIndirectionIndex(call, output, indirectionIndex + d)
     or
     // If there isn't an indirect out node for the call with indirection `d` then
     // we conflate this with the underlying `CallInstruction`.
-    not exists(getIndirectReturnOutNode(call, d)) and
+    not exists(getIndirectReturnOutNode(call, indirectionIndex + d)) and
     n = result
-    or
-    // The side effect of a call on the value pointed to by an argument or qualifier
-    exists(Operand operand, int indirectionIndex |
-      Ssa::outNodeHasAddressAndIndex(n, operand, indirectionIndex) and
-      Ssa::outNodeHasAddressAndIndex(result, operand, indirectionIndex + d)
-    )
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -228,7 +228,7 @@ private class PointerWrapperTypeIndirection extends Indirection instanceof Point
   override predicate isAdditionalDereference(Instruction deref, Operand address) {
     exists(CallInstruction call |
       operandForFullyConvertedCall(getAUse(deref), call) and
-      this = call.getStaticCallTarget().getClassAndName("operator*") and
+      this = call.getStaticCallTarget().getClassAndName(["operator*", "operator->", "get"]) and
       address = call.getThisArgumentOperand()
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -1,5 +1,6 @@
 private import cpp
 import semmle.code.cpp.ir.implementation.raw.IR
+private import semmle.code.cpp.internal.ExtractorVersion
 private import semmle.code.cpp.ir.IRConfiguration
 private import semmle.code.cpp.ir.implementation.Opcode
 private import semmle.code.cpp.ir.implementation.internal.OperandTag
@@ -361,6 +362,12 @@ predicate ignoreLoad(Expr expr) {
     or
     expr instanceof FunctionAccess
     or
+    // The load is duplicated from the operand.
+    isExtractorFrontendVersion65OrHigher() and expr instanceof ParenthesisExpr
+    or
+    // The load is duplicated from the right operand.
+    isExtractorFrontendVersion65OrHigher() and expr instanceof CommaExpr
+    or
     expr.(PointerDereferenceExpr).getOperand().getFullyConverted().getType().getUnspecifiedType()
       instanceof FunctionPointerType
     or

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -1,4 +1,5 @@
 private import cpp
+private import semmle.code.cpp.internal.ExtractorVersion
 private import semmle.code.cpp.ir.implementation.IRType
 private import semmle.code.cpp.ir.implementation.Opcode
 private import semmle.code.cpp.ir.implementation.internal.OperandTag
@@ -649,7 +650,9 @@ class TranslatedPrefixCrementOperation extends TranslatedCrementOperation {
   override PrefixCrementOperation expr;
 
   override Instruction getResult() {
-    if expr.isPRValueCategory()
+    // The following distinction is needed to work around extractor limitations
+    // in old versions of the extractor.
+    if expr.isPRValueCategory() and not isExtractorFrontendVersion65OrHigher()
     then
       // If this is C, then the result of a prefix crement is a prvalue for the
       // new value assigned to the operand. If this is C++, then the result is
@@ -1504,7 +1507,9 @@ class TranslatedAssignExpr extends TranslatedNonConstantExpr {
   }
 
   final override Instruction getResult() {
-    if expr.isPRValueCategory()
+    // The following distinction is needed to work around extractor limitations
+    // in old versions of the extractor.
+    if expr.isPRValueCategory() and not isExtractorFrontendVersion65OrHigher()
     then
       // If this is C, then the result of an assignment is a prvalue for the new
       // value assigned to the left operand. If this is C++, then the result is
@@ -1642,7 +1647,9 @@ class TranslatedAssignOperation extends TranslatedNonConstantExpr {
   }
 
   final override Instruction getResult() {
-    if expr.isPRValueCategory()
+    // The following distinction is needed to work around extractor limitations
+    // in old versions of the extractor.
+    if expr.isPRValueCategory() and not isExtractorFrontendVersion65OrHigher()
     then
       // If this is C, then the result of an assignment is a prvalue for the new
       // value assigned to the left operand. If this is C++, then the result is
@@ -2191,8 +2198,16 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
         not this.elseIsVoid() and tag = ConditionValueFalseStoreTag()
       ) and
       opcode instanceof Opcode::Store and
-      resultType = this.getResultType()
+      if isExtractorFrontendVersion65OrHigher()
+      then
+        not expr.hasLValueToRValueConversion() and
+        resultType = this.getResultType()
+        or
+        expr.hasLValueToRValueConversion() and
+        resultType = getTypeForPRValue(expr.getType())
+      else resultType = this.getResultType()
       or
+      (not expr.hasLValueToRValueConversion() or not isExtractorFrontendVersion65OrHigher()) and
       tag = ConditionValueResultLoadTag() and
       opcode instanceof Opcode::Load and
       resultType = this.getResultType()
@@ -2222,8 +2237,16 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
       )
       or
       tag = ConditionValueResultTempAddressTag() and
-      result = this.getInstruction(ConditionValueResultLoadTag())
+      if isExtractorFrontendVersion65OrHigher()
+      then
+        not expr.hasLValueToRValueConversion() and
+        result = this.getInstruction(ConditionValueResultLoadTag())
+        or
+        expr.hasLValueToRValueConversion() and
+        result = this.getParent().getChildSuccessor(this)
+      else result = this.getInstruction(ConditionValueResultLoadTag())
       or
+      (not expr.hasLValueToRValueConversion() or not isExtractorFrontendVersion65OrHigher()) and
       tag = ConditionValueResultLoadTag() and
       result = this.getParent().getChildSuccessor(this)
     )
@@ -2252,18 +2275,24 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
         result = this.getElse().getResult()
       )
       or
+      (not expr.hasLValueToRValueConversion() or not isExtractorFrontendVersion65OrHigher()) and
       tag = ConditionValueResultLoadTag() and
-      (
-        operandTag instanceof AddressOperandTag and
-        result = this.getInstruction(ConditionValueResultTempAddressTag())
-      )
+      operandTag instanceof AddressOperandTag and
+      result = this.getInstruction(ConditionValueResultTempAddressTag())
     )
   }
 
   final override predicate hasTempVariable(TempVariableTag tag, CppType type) {
     not this.resultIsVoid() and
     tag = ConditionValueTempVar() and
-    type = this.getResultType()
+    if isExtractorFrontendVersion65OrHigher()
+    then
+      not expr.hasLValueToRValueConversion() and
+      type = this.getResultType()
+      or
+      expr.hasLValueToRValueConversion() and
+      type = getTypeForPRValue(expr.getType())
+    else type = this.getResultType()
   }
 
   final override IRVariable getInstructionVariable(InstructionTag tag) {
@@ -2278,7 +2307,14 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
 
   final override Instruction getResult() {
     not this.resultIsVoid() and
-    result = this.getInstruction(ConditionValueResultLoadTag())
+    if isExtractorFrontendVersion65OrHigher()
+    then
+      expr.hasLValueToRValueConversion() and
+      result = this.getInstruction(ConditionValueResultTempAddressTag())
+      or
+      not expr.hasLValueToRValueConversion() and
+      result = this.getInstruction(ConditionValueResultLoadTag())
+    else result = this.getInstruction(ConditionValueResultLoadTag())
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
@@ -3238,10 +3274,18 @@ predicate exprNeedsCopyIfNotLoaded(Expr expr) {
     expr instanceof AssignExpr
     or
     expr instanceof AssignOperation and
-    not expr.isPRValueCategory() // is C++
+    (
+      not expr.isPRValueCategory() // is C++
+      or
+      isExtractorFrontendVersion65OrHigher()
+    )
     or
     expr instanceof PrefixCrementOperation and
-    not expr.isPRValueCategory() // is C++
+    (
+      not expr.isPRValueCategory() // is C++
+      or
+      isExtractorFrontendVersion65OrHigher()
+    )
     or
     // Because the load is on the `e` in `e++`.
     expr instanceof PostfixCrementOperation

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -19,6 +19,7 @@ private import implementations.Strtok
 private import implementations.Strset
 private import implementations.Strcrement
 private import implementations.Strnextc
+private import implementations.Strtol
 private import implementations.StdContainer
 private import implementations.StdPair
 private import implementations.StdMap

cpp/ql/lib/semmle/code/cpp/models/implementations/Pure.qll

@@ -13,7 +13,7 @@ private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunctio
   PureStrFunction() {
     this.hasGlobalOrStdOrBslName([
         atoi(), "strcasestr", "strchnul", "strchr", "strchrnul", "strstr", "strpbrk", "strrchr",
-        "strspn", strtol(), strrev(), strcmp(), strlwr(), strupr()
+        "strspn", strrev(), strcmp(), strlwr(), strupr()
       ])
   }
 
@@ -70,8 +70,6 @@ private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunctio
 
 private string atoi() { result = ["atof", "atoi", "atol", "atoll"] }
 
-private string strtol() { result = ["strtod", "strtof", "strtol", "strtoll", "strtoq", "strtoul"] }
-
 private string strlwr() {
   result = ["_strlwr", "_wcslwr", "_mbslwr", "_strlwr_l", "_wcslwr_l", "_mbslwr_l"]
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll

@@ -32,6 +32,8 @@ private class Strtok extends ArrayFunction, AliasFunction, TaintFunction, SideEf
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and output.isReturnValue()
+    or
+    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 
   override predicate hasOnlySpecificReadSideEffects() { none() }

cpp/ql/lib/semmle/code/cpp/models/implementations/Strtol.qll

@@ -0,0 +1,54 @@
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
+
+private string strtol() { result = ["strtod", "strtof", "strtol", "strtoll", "strtoq", "strtoul"] }
+
+/**
+ * The standard function `strtol` and its assorted variants
+ */
+private class Strtol extends AliasFunction, ArrayFunction, TaintFunction, SideEffectFunction {
+  Strtol() { this.hasGlobalOrStdOrBslName(strtol()) }
+
+  override predicate hasArrayInput(int bufParam) {
+    // All the functions given by `strtol()` takes a `const char*` input as the first parameter
+    bufParam = 0
+  }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (
+      input.isParameter(0)
+      or
+      input.isParameterDeref(0)
+    ) and
+    output.isReturnValue()
+    or
+    input.isParameter(0) and
+    output.isParameterDeref(1)
+  }
+
+  override predicate parameterNeverEscapes(int i) {
+    // Parameter 0 does escape into parameter 1.
+    i = 1
+  }
+
+  override predicate parameterEscapesOnlyViaReturn(int i) { none() }
+
+  override predicate parameterIsAlwaysReturned(int i) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = 0 and
+    buffer = true
+  }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 1 and buffer = false and mustWrite = false
+  }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticLocation.qll

@@ -8,6 +8,18 @@ class SemLocation instanceof Location {
    */
   string toString() { result = super.toString() }
 
+  /** Gets the 1-based line number (inclusive) where this location starts. */
+  int getStartLine() { result = super.getStartLine() }
+
+  /** Gets the 1-based column number (inclusive) where this location starts. */
+  int getStartColumn() { result = super.getStartColumn() }
+
+  /** Gets the 1-based line number (inclusive) where this location ends. */
+  int getEndLine() { result = super.getEndLine() }
+
+  /** Gets the 1-based column number (inclusive) where this location ends. */
+  int getEndColumn() { result = super.getEndColumn() }
+
   /**
    * Holds if this element is at the specified location.
    * The location spans column `startcolumn` of line `startline` to

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/FloatDelta.qll

@@ -1,5 +1,7 @@
-private import RangeAnalysisStage
 private import RangeAnalysisImpl
+private import codeql.rangeanalysis.RangeAnalysis
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExpr
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticType
 
 module FloatDelta implements DeltaSig {
   class Delta = float;
@@ -20,7 +22,7 @@ module FloatDelta implements DeltaSig {
   Delta fromFloat(float f) { result = f }
 }
 
-module FloatOverflow implements OverflowSig<FloatDelta> {
+module FloatOverflow implements OverflowSig<Sem, FloatDelta> {
   predicate semExprDoesNotOverflow(boolean positively, SemExpr expr) {
     exists(float lb, float ub, float delta |
       typeBounds(expr.getSemType(), lb, ub) and

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/IntDelta.qll

@@ -1,29 +0,0 @@
-private import RangeAnalysisStage
-
-module IntDelta implements DeltaSig {
-  class Delta = int;
-
-  bindingset[d]
-  bindingset[result]
-  float toFloat(Delta d) { result = d }
-
-  bindingset[d]
-  bindingset[result]
-  int toInt(Delta d) { result = d }
-
-  bindingset[n]
-  bindingset[result]
-  Delta fromInt(int n) { result = n }
-
-  bindingset[f]
-  Delta fromFloat(float f) {
-    result =
-      min(float diff, float res |
-        diff = (res - f) and res = f.ceil()
-        or
-        diff = (f - res) and res = f.floor()
-      |
-        res order by diff
-      )
-  }
-}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ModulusAnalysis.qll

@@ -12,11 +12,13 @@
 
 private import ModulusAnalysisSpecific::Private
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticLocation
 private import ConstantAnalysis
 private import RangeUtils
-private import RangeAnalysisStage
+private import codeql.rangeanalysis.RangeAnalysis
+private import RangeAnalysisImpl
 
-module ModulusAnalysis<DeltaSig D, BoundSig<D> Bounds, UtilSig<D> U> {
+module ModulusAnalysis<DeltaSig D, BoundSig<SemLocation, Sem, D> Bounds, UtilSig<Sem, D> U> {
   pragma[nomagic]
   private predicate valueFlowStepSsaEqFlowCond(
     SemSsaReadPosition pos, SemSsaVariable v, SemExpr e, int delta

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll

@@ -3,10 +3,11 @@
  */
 
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
-private import RangeAnalysisStage
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
+private import RangeAnalysisImpl
+private import codeql.rangeanalysis.RangeAnalysis
 
-module CppLangImplConstant implements LangSig<FloatDelta> {
+module CppLangImplConstant implements LangSig<Sem, FloatDelta> {
   /**
    * Holds if the specified expression should be excluded from the result of `ssaRead()`.
    *

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll

@@ -1,13 +1,104 @@
-private import RangeAnalysisStage
 private import RangeAnalysisConstantSpecific
 private import RangeAnalysisRelativeSpecific
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
 private import RangeUtils
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExpr
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticCFG
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticGuard
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticBound as SemanticBound
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticLocation
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticSSA
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticType as SemanticType
+private import SemanticType
+private import codeql.rangeanalysis.RangeAnalysis
+private import ConstantAnalysis as ConstantAnalysis
 
-module ConstantBounds implements BoundSig<FloatDelta> {
+module Sem implements Semantic {
+  class Expr = SemExpr;
+
+  class ConstantIntegerExpr = ConstantAnalysis::SemConstantIntegerExpr;
+
+  class BinaryExpr = SemBinaryExpr;
+
+  class AddExpr = SemAddExpr;
+
+  class SubExpr = SemSubExpr;
+
+  class MulExpr = SemMulExpr;
+
+  class DivExpr = SemDivExpr;
+
+  class RemExpr = SemRemExpr;
+
+  class BitAndExpr = SemBitAndExpr;
+
+  class BitOrExpr = SemBitOrExpr;
+
+  class ShiftLeftExpr = SemShiftLeftExpr;
+
+  class ShiftRightExpr = SemShiftRightExpr;
+
+  class ShiftRightUnsignedExpr = SemShiftRightUnsignedExpr;
+
+  class RelationalExpr = SemRelationalExpr;
+
+  class UnaryExpr = SemUnaryExpr;
+
+  class ConvertExpr = SemConvertExpr;
+
+  class BoxExpr = SemBoxExpr;
+
+  class UnboxExpr = SemUnboxExpr;
+
+  class NegateExpr = SemNegateExpr;
+
+  class AddOneExpr = SemAddOneExpr;
+
+  class SubOneExpr = SemSubOneExpr;
+
+  class ConditionalExpr = SemConditionalExpr;
+
+  class BasicBlock = SemBasicBlock;
+
+  class Guard = SemGuard;
+
+  predicate implies_v2 = semImplies_v2/4;
+
+  predicate guardDirectlyControlsSsaRead = semGuardDirectlyControlsSsaRead/3;
+
+  class Type = SemType;
+
+  class IntegerType = SemIntegerType;
+
+  class FloatingPointType = SemFloatingPointType;
+
+  class AddressType = SemAddressType;
+
+  class SsaVariable = SemSsaVariable;
+
+  class SsaPhiNode = SemSsaPhiNode;
+
+  class SsaExplicitUpdate = SemSsaExplicitUpdate;
+
+  class SsaReadPosition = SemSsaReadPosition;
+
+  class SsaReadPositionPhiInputEdge = SemSsaReadPositionPhiInputEdge;
+
+  class SsaReadPositionBlock = SemSsaReadPositionBlock;
+
+  predicate backEdge = semBackEdge/3;
+
+  predicate conversionCannotOverflow(Type fromType, Type toType) {
+    SemanticType::conversionCannotOverflow(fromType, toType)
+  }
+}
+
+module SignAnalysis implements SignAnalysisSig<Sem> {
+  private import SignAnalysisCommon as SA
+  import SA::SignAnalysis<FloatDelta, Util>
+}
+
+module ConstantBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
   class SemBound instanceof SemanticBound::SemBound {
     SemBound() {
       this instanceof SemanticBound::SemZeroBound
@@ -29,7 +120,7 @@ module ConstantBounds implements BoundSig<FloatDelta> {
   }
 }
 
-module RelativeBounds implements BoundSig<FloatDelta> {
+module RelativeBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
   class SemBound instanceof SemanticBound::SemBound {
     SemBound() { not this instanceof SemanticBound::SemZeroBound }
 
@@ -47,13 +138,38 @@ module RelativeBounds implements BoundSig<FloatDelta> {
   }
 }
 
+module AllBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
+  class SemBound instanceof SemanticBound::SemBound {
+    string toString() { result = super.toString() }
+
+    SemLocation getLocation() { result = super.getLocation() }
+
+    SemExpr getExpr(float delta) { result = super.getExpr(delta) }
+  }
+
+  class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
+
+  class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
+    SemSsaVariable getAVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
+  }
+}
+
+private module ModulusAnalysisInstantiated implements ModulusAnalysisSig<Sem> {
+  class ModBound = AllBounds::SemBound;
+
+  private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.ModulusAnalysis as MA
+  import MA::ModulusAnalysis<FloatDelta, AllBounds, Util>
+}
+
+module Util = RangeUtil<FloatDelta, CppLangImplConstant>;
+
 module ConstantStage =
-  RangeStage<FloatDelta, ConstantBounds, FloatOverflow, CppLangImplConstant,
-    RangeUtil<FloatDelta, CppLangImplConstant>>;
+  RangeStage<SemLocation, Sem, FloatDelta, ConstantBounds, FloatOverflow, CppLangImplConstant,
+    SignAnalysis, ModulusAnalysisInstantiated, Util>;
 
 module RelativeStage =
-  RangeStage<FloatDelta, RelativeBounds, FloatOverflow, CppLangImplRelative,
-    RangeUtil<FloatDelta, CppLangImplRelative>>;
+  RangeStage<SemLocation, Sem, FloatDelta, RelativeBounds, FloatOverflow, CppLangImplRelative,
+    SignAnalysis, ModulusAnalysisInstantiated, Util>;
 
 private newtype TSemReason =
   TSemNoReason() or

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll

@@ -3,13 +3,12 @@
  */
 
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
-private import RangeAnalysisStage
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.IntDelta
 private import RangeAnalysisImpl
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
+private import codeql.rangeanalysis.RangeAnalysis
 
-module CppLangImplRelative implements LangSig<FloatDelta> {
+module CppLangImplRelative implements LangSig<Sem, FloatDelta> {
   /**
    * Holds if the specified expression should be excluded from the result of `ssaRead()`.
    *

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeUtils.qll

@@ -4,10 +4,11 @@
 
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
 private import RangeAnalysisRelativeSpecific
-private import RangeAnalysisStage as Range
+private import codeql.rangeanalysis.RangeAnalysis
+private import RangeAnalysisImpl
 private import ConstantAnalysis
 
-module RangeUtil<Range::DeltaSig D, Range::LangSig<D> Lang> implements Range::UtilSig<D> {
+module RangeUtil<DeltaSig D, LangSig<Sem, D> Lang> implements UtilSig<Sem, D> {
   /**
    * Gets an expression that equals `v - d`.
    */
@@ -138,27 +139,33 @@ module RangeUtil<Range::DeltaSig D, Range::LangSig<D> Lang> implements Range::Ut
     or
     not exists(Lang::getAlternateTypeForSsaVariable(var)) and result = var.getType()
   }
+
+  import Ranking
 }
 
-/**
- * Holds if `rix` is the number of input edges to `phi`.
- */
-predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
-  rix = max(int r | rankedPhiInput(phi, _, _, r))
-}
+import Ranking
 
-/**
- * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
- * in an arbitrary 1-based numbering of the input edges to `phi`.
- */
-predicate rankedPhiInput(
-  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
-) {
-  edge.phiInput(phi, inp) and
-  edge =
-    rank[r](SemSsaReadPositionPhiInputEdge e |
-      e.phiInput(phi, _)
-    |
-      e order by e.getOrigBlock().getUniqueId()
-    )
+module Ranking {
+  /**
+   * Holds if `rix` is the number of input edges to `phi`.
+   */
+  predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
+    rix = max(int r | rankedPhiInput(phi, _, _, r))
+  }
+
+  /**
+   * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
+   * in an arbitrary 1-based numbering of the input edges to `phi`.
+   */
+  predicate rankedPhiInput(
+    SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
+  ) {
+    edge.phiInput(phi, inp) and
+    edge =
+      rank[r](SemSsaReadPositionPhiInputEdge e |
+        e.phiInput(phi, _)
+      |
+        e order by e.getOrigBlock().getUniqueId()
+      )
+  }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/SignAnalysisCommon.qll

@@ -6,14 +6,15 @@
  * three-valued domain `{negative, zero, positive}`.
  */
 
-private import RangeAnalysisStage
+private import codeql.rangeanalysis.RangeAnalysis
+private import RangeAnalysisImpl
 private import SignAnalysisSpecific as Specific
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
 private import ConstantAnalysis
 private import RangeUtils
 private import Sign
 
-module SignAnalysis<DeltaSig D, UtilSig<D> Utils> {
+module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {
   /**
    * An SSA definition for which the analysis can compute the sign.
    *
@@ -507,4 +508,16 @@ module SignAnalysis<DeltaSig D, UtilSig<D> Utils> {
     not semExprSign(e) = TPos() and
     not semExprSign(e) = TZero()
   }
+
+  /**
+   * Holds if `e` may have positive values. This does not rule out the
+   * possibility for negative values.
+   */
+  predicate semMayBePositive(SemExpr e) { semExprSign(e) = TPos() }
+
+  /**
+   * Holds if `e` may have negative values. This does not rule out the
+   * possibility for positive values.
+   */
+  predicate semMayBeNegative(SemExpr e) { semExprSign(e) = TNeg() }
 }

cpp/ql/lib/semmle/code/cpp/valuenumbering/HashCons.qll

@@ -372,7 +372,8 @@ private predicate analyzablePointerFieldAccess(PointerFieldAccess access) {
 private predicate mk_PointerFieldAccess(HashCons qualifier, Field target, PointerFieldAccess access) {
   analyzablePointerFieldAccess(access) and
   target = access.getTarget() and
-  qualifier = hashCons(access.getQualifier().getFullyConverted())
+  qualifier = hashCons(access.getQualifier().getFullyConverted()) and
+  not access instanceof ImplicitThisFieldAccess
 }
 
 private predicate analyzableImplicitThisFieldAccess(ImplicitThisFieldAccess access) {

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -197,6 +197,11 @@ svnchurn(
  * C++ dbscheme
  */
 
+extractor_version(
+    string codeql_version: string ref,
+    string frontend_version: string ref
+)
+
 @location = @location_stmt | @location_expr | @location_default ;
 
 /**
@@ -612,6 +617,14 @@ case @builtintype.kind of
 | 51 = @char8_t
 | 52 = @float16               // _Float16
 | 53 = @complex_float16       // _Complex _Float16
+| 54 = @fp16                  // __fp16
+| 55 = @std_bfloat16          // __bf16
+| 56 = @std_float16           // std::float16_t
+| 57 = @complex_std_float32   // _Complex _Float32
+| 58 = @complex_float32x      // _Complex _Float32x
+| 59 = @complex_std_float64   // _Complex _Float64
+| 60 = @complex_float64x      // _Complex _Float64x
+| 61 = @complex_std_float128  // _Complex _Float128
 ;
 
 builtintypes(

cpp/ql/lib/upgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/upgrade.properties

@@ -0,0 +1,2 @@
+description: Introduce extractor version numbers
+compatibility: full

cpp/ql/lib/upgrades/dbe9c8eb5fc6f54b7ae08c7317d0795b24961564/upgrade.properties

@@ -0,0 +1,2 @@
+description: Introduce new floating-point types from C23 and C++23
+compatibility: full

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.8.2
+
+No user-facing changes.
+
 ## 0.8.1
 
 ### New Queries

cpp/ql/src/change-notes/released/0.8.2.md

@@ -0,0 +1,3 @@
+## 0.8.2
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.1
+lastReleaseVersion: 0.8.2

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.8.1
+version: 0.8.2
 groups:
   - cpp
   - queries

cpp/ql/test/examples/expressions/PrintAST.expected

@@ -763,7 +763,7 @@ StaticMemberAccess.cpp:
 #    7|             ValueCategory = lvalue
 #    7|         getRValue(): [VariableAccess] i
 #    7|             Type = [IntType] int
-#    7|             ValueCategory = prvalue
+#    7|             ValueCategory = prvalue(load)
 #    7|           getQualifier(): [VariableAccess] xref
 #    7|               Type = [LValueReferenceType] X &
 #    7|               ValueCategory = prvalue(load)
@@ -1298,7 +1298,7 @@ union_etc.cpp:
 #    6|       getExpr(): [AssignExpr] ... = ...
 #    6|           Type = [IntType] int
 #    6|           ValueCategory = lvalue
-#    6|         getLValue(): [PointerFieldAccess] x
+#    6|         getLValue(): [ImplicitThisFieldAccess,PointerFieldAccess] x
 #    6|             Type = [IntType] int
 #    6|             ValueCategory = lvalue
 #    6|           getQualifier(): [ThisExpr] this
@@ -1394,7 +1394,7 @@ union_etc.cpp:
 #   26|                 ValueCategory = lvalue
 #   26|         getRValue(): [AssignExpr] ... = ...
 #   26|             Type = [IntType] int
-#   26|             ValueCategory = prvalue
+#   26|             ValueCategory = prvalue(load)
 #   26|           getLValue(): [ValueFieldAccess] e
 #   26|               Type = [IntType] int
 #   26|               ValueCategory = lvalue
@@ -1406,7 +1406,7 @@ union_etc.cpp:
 #   26|                   ValueCategory = lvalue
 #   26|           getRValue(): [AssignExpr] ... = ...
 #   26|               Type = [IntType] int
-#   26|               ValueCategory = prvalue
+#   26|               ValueCategory = prvalue(load)
 #   26|             getLValue(): [ValueFieldAccess] i
 #   26|                 Type = [IntType] int
 #   26|                 ValueCategory = lvalue
@@ -1488,7 +1488,7 @@ union_etc.cpp:
 #   33|       getExpr(): [AssignExpr] ... = ...
 #   33|           Type = [IntType] int
 #   33|           ValueCategory = lvalue
-#   33|         getLValue(): [PointerFieldAccess] q
+#   33|         getLValue(): [ImplicitThisFieldAccess,PointerFieldAccess] q
 #   33|             Type = [IntType] int
 #   33|             ValueCategory = lvalue
 #   33|           getQualifier(): [ThisExpr] this

cpp/ql/test/experimental/library-tests/rangeanalysis/signanalysis/SignAnalysis.expected

@@ -675,6 +675,7 @@
 | test.c:398:9:398:22 | CopyValue: ... , ... | positive strictlyPositive |
 | test.c:398:14:398:14 | Load: y | positive strictlyPositive |
 | test.c:398:14:398:19 | Add: ... += ... | positive strictlyPositive |
+| test.c:398:14:398:19 | Load: ... += ... | positive strictlyPositive |
 | test.c:398:14:398:19 | Store: ... += ... | positive strictlyPositive |
 | test.c:398:19:398:19 | Constant: (unsigned int)... | positive strictlyPositive |
 | test.c:398:22:398:22 | Load: y | positive strictlyPositive |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected

@@ -35,9 +35,7 @@ edges
 | test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr |
 | test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr |
 | test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf |
-| test.cpp:146:26:146:26 | p indirection | test.cpp:148:6:148:9 | * ... |
-| test.cpp:146:26:146:26 | p indirection | test.cpp:149:6:149:9 | * ... |
-| test.cpp:146:26:146:26 | p indirection | test.cpp:150:6:150:9 | * ... |
+| test.cpp:146:26:146:26 | p indirection | test.cpp:147:4:147:9 | -- ... |
 | test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... |
 | test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | & ... indirection |
 | test.cpp:158:17:158:18 | & ... indirection | test.cpp:146:26:146:26 | p indirection |
@@ -124,9 +122,7 @@ nodes
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:146:26:146:26 | p indirection | semmle.label | p indirection |
-| test.cpp:148:6:148:9 | * ... | semmle.label | * ... |
-| test.cpp:149:6:149:9 | * ... | semmle.label | * ... |
-| test.cpp:150:6:150:9 | * ... | semmle.label | * ... |
+| test.cpp:147:4:147:9 | -- ... | semmle.label | -- ... |
 | test.cpp:156:12:156:14 | buf | semmle.label | buf |
 | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
 | test.cpp:158:17:158:18 | & ... indirection | semmle.label | & ... indirection |
@@ -179,9 +175,7 @@ subpaths
 | test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write |
 | test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
 | test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
-| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:148:6:148:9 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
-| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:149:6:149:9 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:148:3:148:13 | Store: ... = ... | write |
-| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:150:6:150:9 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:149:3:149:13 | Store: ... = ... | write |
+| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
 | test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write |
 | test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write |
 | test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read |

cpp/ql/test/library-tests/access/FieldAccess/FieldAccess.expected

@@ -1,6 +1,6 @@
-| FieldAccess.cpp:11:12:11:13 | p1 | ptr |
-| FieldAccess.cpp:12:12:12:13 | p2 | ptr |
-| FieldAccess.cpp:25:12:25:13 | x1 | ptr |
+| FieldAccess.cpp:11:12:11:13 | p1 | ptr, this |
+| FieldAccess.cpp:12:12:12:13 | p2 | ptr, this |
+| FieldAccess.cpp:25:12:25:13 | x1 | ptr, this |
 | FieldAccess.cpp:29:18:29:19 | x2 | ptr |
 | FieldAccess.cpp:34:3:34:3 | d | this |
 | FieldAccess.cpp:45:13:45:14 | x1 | ptr |
@@ -19,10 +19,10 @@
 | FieldAccess.cpp:91:7:91:7 | x | val |
 | FieldAccess.cpp:91:13:91:13 | y | ref |
 | FieldAccess.cpp:92:8:92:8 | x | ptr |
-| FieldAccess.cpp:92:12:92:12 | y | ptr |
+| FieldAccess.cpp:92:12:92:12 | y | ptr, this |
 | FieldAccess.cpp:93:8:93:8 | x | ptr |
 | FieldAccess.cpp:93:18:93:18 | y | ptr |
 | FieldAccess.cpp:94:11:94:11 | y | ptr |
 | FieldAccess.cpp:94:20:94:20 | y | val |
-| FieldAccess.cpp:113:5:113:5 | x | ptr |
+| FieldAccess.cpp:113:5:113:5 | x | ptr, this |
 | FieldAccess.cpp:116:3:116:3 | v | this |

cpp/ql/test/library-tests/attributes/deprecated_with_msg/clang421.c

@@ -1,2 +1,2 @@
 static int clang421 = __has_feature(attribute_deprecated_with_message);
-// semmle-extractor-options: --gnu_version 40201 --edg --clang
+// semmle-extractor-options: --gnu_version 40201 --clang_version 30400

cpp/ql/test/library-tests/attributes/deprecated_with_msg/clang450.c

@@ -1,2 +1,2 @@
 static int clang450 = __has_feature(attribute_deprecated_with_message);
-// semmle-extractor-options: --gnu_version 40500 --edg --clang
+// semmle-extractor-options: --gnu_version 40500 --clang_version 30500

cpp/ql/test/library-tests/attributes/deprecated_with_msg/gcc421.c

@@ -1,2 +1,2 @@
 static int gcc421 = __has_feature(attribute_deprecated_with_message);
-// semmle-extractor-options: --gnu_version 40201 --edg --clang
+// semmle-extractor-options: --gnu_version 40201

cpp/ql/test/library-tests/attributes/deprecated_with_msg/gcc450.c

@@ -1,2 +1,2 @@
 static int gcc450 = __has_feature(attribute_deprecated_with_message);
-// semmle-extractor-options: --gnu_version 40500 --edg --clang
+// semmle-extractor-options: --gnu_version 40500

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -14,17 +14,14 @@ localCallNodes
 postIsNotPre
 postHasUniquePre
 uniquePostUpdate
+| example.c:24:13:24:18 | coords indirection | Node has multiple PostUpdateNodes. |
 postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
 | test.cpp:384:10:384:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
-| test.cpp:384:10:384:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
-| test.cpp:391:10:391:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:391:10:391:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
-| test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
-| test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition

cpp/ql/test/library-tests/dataflow/fields/IRConfiguration.qll

@@ -1,6 +1,19 @@
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import DataFlow
 
+private class TestAdditionalCallTarget extends AdditionalCallTarget {
+  override Function viableTarget(Call call) {
+    // To test that call targets specified by `AdditionalCallTarget` are
+    // resolved correctly this subclass resolves all calls to
+    // `call_template_argument<f>(x)` as if the user had written `f(x)`.
+    exists(FunctionTemplateInstantiation inst |
+      inst.getTemplate().hasName("call_template_argument") and
+      call.getTarget() = inst and
+      result = inst.getTemplateArgument(0).(FunctionAccess).getTarget()
+    )
+  }
+}
+
 module IRConfig implements ConfigSig {
   predicate isSource(Node src) {
     src.asExpr() instanceof NewExpr

cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected

@@ -44,8 +44,6 @@ reverseRead
 argHasPostUpdate
 postWithInFlow
 | realistic.cpp:54:16:54:47 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
-| realistic.cpp:54:16:54:47 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
-| realistic.cpp:60:16:60:18 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | realistic.cpp:60:16:60:18 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition

cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected

@@ -770,6 +770,9 @@ edges
 | simple.cpp:92:7:92:7 | a indirection [post update] [i] | simple.cpp:94:10:94:11 | a2 indirection [i] |
 | simple.cpp:92:11:92:20 | call to user_input | simple.cpp:92:5:92:22 | ... = ... |
 | simple.cpp:94:10:94:11 | a2 indirection [i] | simple.cpp:94:13:94:13 | i |
+| simple.cpp:103:24:103:24 | x | simple.cpp:104:14:104:14 | x |
+| simple.cpp:108:17:108:26 | call to user_input | simple.cpp:109:43:109:43 | x |
+| simple.cpp:109:43:109:43 | x | simple.cpp:103:24:103:24 | x |
 | struct_init.c:14:24:14:25 | ab indirection [a] | struct_init.c:15:8:15:9 | ab indirection [a] |
 | struct_init.c:15:8:15:9 | ab indirection [a] | struct_init.c:15:12:15:12 | a |
 | struct_init.c:20:13:20:14 | definition of ab indirection [a] | struct_init.c:22:8:22:9 | ab indirection [a] |
@@ -1576,6 +1579,10 @@ nodes
 | simple.cpp:92:11:92:20 | call to user_input | semmle.label | call to user_input |
 | simple.cpp:94:10:94:11 | a2 indirection [i] | semmle.label | a2 indirection [i] |
 | simple.cpp:94:13:94:13 | i | semmle.label | i |
+| simple.cpp:103:24:103:24 | x | semmle.label | x |
+| simple.cpp:104:14:104:14 | x | semmle.label | x |
+| simple.cpp:108:17:108:26 | call to user_input | semmle.label | call to user_input |
+| simple.cpp:109:43:109:43 | x | semmle.label | x |
 | struct_init.c:14:24:14:25 | ab indirection [a] | semmle.label | ab indirection [a] |
 | struct_init.c:15:8:15:9 | ab indirection [a] | semmle.label | ab indirection [a] |
 | struct_init.c:15:12:15:12 | a | semmle.label | a |
@@ -1782,6 +1789,7 @@ subpaths
 | simple.cpp:67:13:67:13 | i | simple.cpp:65:11:65:20 | call to user_input | simple.cpp:67:13:67:13 | i | i flows from $@ | simple.cpp:65:11:65:20 | call to user_input | call to user_input |
 | simple.cpp:84:14:84:20 | call to getf2f1 | simple.cpp:83:17:83:26 | call to user_input | simple.cpp:84:14:84:20 | call to getf2f1 | call to getf2f1 flows from $@ | simple.cpp:83:17:83:26 | call to user_input | call to user_input |
 | simple.cpp:94:13:94:13 | i | simple.cpp:92:11:92:20 | call to user_input | simple.cpp:94:13:94:13 | i | i flows from $@ | simple.cpp:92:11:92:20 | call to user_input | call to user_input |
+| simple.cpp:104:14:104:14 | x | simple.cpp:108:17:108:26 | call to user_input | simple.cpp:104:14:104:14 | x | x flows from $@ | simple.cpp:108:17:108:26 | call to user_input | call to user_input |
 | struct_init.c:15:12:15:12 | a | struct_init.c:20:20:20:29 | call to user_input | struct_init.c:15:12:15:12 | a | a flows from $@ | struct_init.c:20:20:20:29 | call to user_input | call to user_input |
 | struct_init.c:15:12:15:12 | a | struct_init.c:27:7:27:16 | call to user_input | struct_init.c:15:12:15:12 | a | a flows from $@ | struct_init.c:27:7:27:16 | call to user_input | call to user_input |
 | struct_init.c:15:12:15:12 | a | struct_init.c:40:20:40:29 | call to user_input | struct_init.c:15:12:15:12 | a | a flows from $@ | struct_init.c:40:20:40:29 | call to user_input | call to user_input |

cpp/ql/test/library-tests/dataflow/fields/simple.cpp

@@ -94,4 +94,21 @@ void single_field_test_typedef(A_typedef a)
     sink(a2.i); //$ ast,ir
 }
 
+namespace TestAdditionalCallTargets {
+
+    using TakesIntReturnsVoid = void(*)(int);
+    template<TakesIntReturnsVoid F>
+    void call_template_argument(int);
+
+    void call_sink(int x) {
+        sink(x); // $ ir
+    }
+
+    void test_additional_call_targets() {
+        int x = user_input();
+        call_template_argument<call_sink>(x);
+    }
+
+}
+
 } // namespace Simple

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -2199,6 +2199,19 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
 | map.cpp:436:55:436:59 | def | map.cpp:436:19:436:60 | call to pair | TAINT |
 | map.cpp:436:63:436:67 | first | map.cpp:436:7:436:67 | call to iterator |  |
 | map.cpp:437:7:437:9 | m35 | map.cpp:437:7:437:9 | call to unordered_map |  |
+| map.cpp:446:23:446:23 | call to map | map.cpp:448:3:448:3 | m |  |
+| map.cpp:446:23:446:23 | call to map | map.cpp:449:12:449:12 | m |  |
+| map.cpp:446:23:446:23 | call to map | map.cpp:451:1:451:1 | m |  |
+| map.cpp:447:12:447:26 | call to indirect_source | map.cpp:448:10:448:10 | p |  |
+| map.cpp:448:3:448:3 | m | map.cpp:448:4:448:4 | call to operator[] | TAINT |
+| map.cpp:448:3:448:3 | ref arg m | map.cpp:449:12:449:12 | m |  |
+| map.cpp:448:3:448:3 | ref arg m | map.cpp:451:1:451:1 | m |  |
+| map.cpp:448:3:448:10 | ... = ... | map.cpp:448:4:448:4 | call to operator[] [post update] |  |
+| map.cpp:448:4:448:4 | call to operator[] [post update] | map.cpp:448:3:448:3 | ref arg m | TAINT |
+| map.cpp:448:10:448:10 | p | map.cpp:448:3:448:10 | ... = ... |  |
+| map.cpp:449:12:449:12 | m | map.cpp:449:13:449:13 | call to operator[] | TAINT |
+| map.cpp:449:12:449:12 | ref arg m | map.cpp:451:1:451:1 | m |  |
+| map.cpp:449:13:449:13 | call to operator[] | map.cpp:450:8:450:8 | q |  |
 | movableclass.cpp:8:2:8:15 | this | movableclass.cpp:8:27:8:31 | constructor init of field v [pre-this] |  |
 | movableclass.cpp:8:21:8:22 | _v | movableclass.cpp:8:29:8:30 | _v |  |
 | movableclass.cpp:8:29:8:30 | _v | movableclass.cpp:8:27:8:31 | constructor init of field v | TAINT |
@@ -6609,6 +6622,27 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
 | taint.cpp:711:13:711:13 | s | taint.cpp:711:2:711:8 | call to strncpy | TAINT |
 | taint.cpp:711:13:711:13 | s | taint.cpp:711:10:711:10 | ref arg d | TAINT |
 | taint.cpp:712:7:712:7 | ref arg d | taint.cpp:709:25:709:25 | d |  |
+| taint.cpp:718:17:718:31 | call to indirect_source | taint.cpp:720:27:720:32 | source |  |
+| taint.cpp:719:22:719:29 | ,.-;:_ | taint.cpp:720:35:720:39 | delim |  |
+| taint.cpp:719:22:719:29 | ,.-;:_ | taint.cpp:722:8:722:12 | delim |  |
+| taint.cpp:720:20:720:25 | call to strtok | taint.cpp:721:8:721:16 | tokenized |  |
+| taint.cpp:720:27:720:32 | source | taint.cpp:720:20:720:25 | call to strtok | TAINT |
+| taint.cpp:721:8:721:16 | tokenized | taint.cpp:721:7:721:16 | * ... | TAINT |
+| taint.cpp:722:8:722:12 | delim | taint.cpp:722:7:722:12 | * ... | TAINT |
+| taint.cpp:727:24:727:29 | source | taint.cpp:727:24:727:29 | source |  |
+| taint.cpp:727:24:727:29 | source | taint.cpp:729:18:729:23 | source |  |
+| taint.cpp:728:17:728:23 | 0 | taint.cpp:729:27:729:32 | endptr |  |
+| taint.cpp:728:17:728:23 | 0 | taint.cpp:731:7:731:12 | endptr |  |
+| taint.cpp:728:17:728:23 | 0 | taint.cpp:732:8:732:13 | endptr |  |
+| taint.cpp:729:11:729:16 | call to strtol | taint.cpp:730:7:730:7 | l |  |
+| taint.cpp:729:18:729:23 | source | taint.cpp:729:11:729:16 | call to strtol | TAINT |
+| taint.cpp:729:18:729:23 | source | taint.cpp:729:26:729:32 | ref arg & ... | TAINT |
+| taint.cpp:729:26:729:32 | ref arg & ... | taint.cpp:729:27:729:32 | endptr [inner post update] |  |
+| taint.cpp:729:26:729:32 | ref arg & ... | taint.cpp:731:7:731:12 | endptr |  |
+| taint.cpp:729:26:729:32 | ref arg & ... | taint.cpp:732:8:732:13 | endptr |  |
+| taint.cpp:729:27:729:32 | endptr | taint.cpp:729:26:729:32 | & ... |  |
+| taint.cpp:731:7:731:12 | ref arg endptr | taint.cpp:732:8:732:13 | endptr |  |
+| taint.cpp:732:8:732:13 | endptr | taint.cpp:732:7:732:13 | * ... | TAINT |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |

cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp

@@ -165,9 +165,9 @@ void test_map()
 	// array-like access
 	std::map<char *, char *> m10, m11, m12, m13;
 	sink(m10["abc"] = "def");
-	sink(m11["abc"] = source()); // $ ast ir=168:7 ir=168:20
+	sink(m11["abc"] = source()); // $ ast,ir
 	sink(m12.at("abc") = "def");
-	sink(m13.at("abc") = source()); // $ ast ir=170:7 ir=170:23
+	sink(m13.at("abc") = source()); // $ ast,ir
 	sink(m10["abc"]);
 	sink(m11["abc"]); // $ ast,ir
 	sink(m12["abc"]);
@@ -317,9 +317,9 @@ void test_unordered_map()
 	// array-like access
 	std::unordered_map<char *, char *> m10, m11, m12, m13;
 	sink(m10["abc"] = "def");
-	sink(m11["abc"] = source()); // $ ast ir=320:7 ir=320:20
+	sink(m11["abc"] = source()); // $ ast,ir
 	sink(m12.at("abc") = "def");
-	sink(m13.at("abc") = source()); // $ ast ir=322:7 ir=322:23
+	sink(m13.at("abc") = source()); // $ ast,ir
 	sink(m10["abc"]);
 	sink(m11["abc"]); // $ ast,ir
 	sink(m12["abc"]);
@@ -436,3 +436,16 @@ void test_unordered_map()
 	sink(m35.emplace(std::pair<char *, char *>(source(), "def")).first); // $ MISSING: ast,ir
 	sink(m35); // $ MISSING: ast,ir
 }
+
+namespace {
+	int* indirect_source();
+	void indirect_sink(int*);
+}
+
+void test_indirect_taint() {
+  std::map<int, int*> m;
+  int* p = indirect_source();
+  m[1] = p;
+  int* q = m[1];
+  sink(q); // $ ir MISSING: ast
+}

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -13,8 +13,8 @@ void arithAssignments(int source1, int clean1) {
   source1++;
   ++source1;
   source1 += 1;
-  sink(source1); // $ ast ir=12:13 ir=12:22
-  sink(++source1); // $ ast ir=12:13 ir=12:22
+  sink(source1); // $ ast,ir
+  sink(++source1); // $ ast,ir
 }
 
 // --- globals ---
@@ -710,4 +710,24 @@ void test_strncpy(char* d, char* s) {
 	argument_source(s);
 	strncpy(d, s, 16);
 	sink(d); // $ ast ir
+}
+
+char* indirect_source();
+
+void test_strtok_indirect() {
+	char *source = indirect_source();
+	const char* delim = ",.-;:_";
+	char* tokenized = strtok(source, delim);
+	sink(*tokenized); // $ ir MISSING: ast
+	sink(*delim);
+}
+
+long int strtol(const char*, char**, int);
+
+void test_strtol(char *source) {
+	char* endptr = nullptr;
+	long l = strtol(source, &endptr, 10);
+	sink(l); // $ ast,ir
+	sink(endptr); // $ ast,ir
+	sink(*endptr); // $ ast,ir
 }

cpp/ql/test/library-tests/dataflow/taint-tests/taint.ql

@@ -84,6 +84,8 @@ module IRTest {
       or
       source.asIndirectExpr().(FunctionCall).getTarget().getName() = "source"
       or
+      source.asIndirectExpr().(FunctionCall).getTarget().getName() = "indirect_source"
+      or
       source.asParameter().getName().matches("source%")
       or
       exists(FunctionCall fc |

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -83,7 +83,7 @@ bad_asts.cpp:
 #   10|               Type = [IntType] int
 #   10|               Value = [Literal] 6
 #   10|               ValueCategory = prvalue
-#   10|           getRightOperand(): [PointerFieldAccess] x
+#   10|           getRightOperand(): [ImplicitThisFieldAccess,PointerFieldAccess] x
 #   10|               Type = [IntType] int
 #   10|               ValueCategory = prvalue(load)
 #   10|             getQualifier(): [ThisExpr] this
@@ -108,7 +108,7 @@ bad_asts.cpp:
 #   10|               Type = [IntType] int
 #   10|               Value = [Literal] t
 #   10|               ValueCategory = prvalue
-#   10|           getRightOperand(): [PointerFieldAccess] x
+#   10|           getRightOperand(): [ImplicitThisFieldAccess,PointerFieldAccess] x
 #   10|               Type = [IntType] int
 #   10|               ValueCategory = prvalue(load)
 #   10|             getQualifier(): [ThisExpr] this
@@ -1761,7 +1761,7 @@ ir.c:
 #    9|               ValueCategory = lvalue
 #    9|         getRValue(): [AssignExpr] ... = ...
 #    9|             Type = [IntType] int
-#    9|             ValueCategory = prvalue
+#    9|             ValueCategory = prvalue(load)
 #    9|           getLValue(): [ValueFieldAccess] y
 #    9|               Type = [IntType] int
 #    9|               ValueCategory = lvalue
@@ -2675,7 +2675,7 @@ ir.cpp:
 #  101|             ValueCategory = lvalue
 #  101|         getRValue(): [PrefixIncrExpr] ++ ...
 #  101|             Type = [IntType] int
-#  101|             ValueCategory = prvalue
+#  101|             ValueCategory = prvalue(load)
 #  101|           getOperand(): [VariableAccess] x
 #  101|               Type = [IntType] int
 #  101|               ValueCategory = lvalue
@@ -2688,7 +2688,7 @@ ir.cpp:
 #  102|             ValueCategory = lvalue
 #  102|         getRValue(): [PrefixDecrExpr] -- ...
 #  102|             Type = [IntType] int
-#  102|             ValueCategory = prvalue
+#  102|             ValueCategory = prvalue(load)
 #  102|           getOperand(): [VariableAccess] x
 #  102|               Type = [IntType] int
 #  102|               ValueCategory = lvalue
@@ -3041,7 +3041,7 @@ ir.cpp:
 #  147|             ValueCategory = lvalue
 #  147|         getRValue(): [PrefixIncrExpr] ++ ...
 #  147|             Type = [FloatType] float
-#  147|             ValueCategory = prvalue
+#  147|             ValueCategory = prvalue(load)
 #  147|           getOperand(): [VariableAccess] x
 #  147|               Type = [FloatType] float
 #  147|               ValueCategory = lvalue
@@ -3054,7 +3054,7 @@ ir.cpp:
 #  148|             ValueCategory = lvalue
 #  148|         getRValue(): [PrefixDecrExpr] -- ...
 #  148|             Type = [FloatType] float
-#  148|             ValueCategory = prvalue
+#  148|             ValueCategory = prvalue(load)
 #  148|           getOperand(): [VariableAccess] x
 #  148|               Type = [FloatType] float
 #  148|               ValueCategory = lvalue
@@ -3557,7 +3557,7 @@ ir.cpp:
 #  207|             ValueCategory = lvalue
 #  207|         getRValue(): [PrefixIncrExpr] ++ ...
 #  207|             Type = [IntPointerType] int *
-#  207|             ValueCategory = prvalue
+#  207|             ValueCategory = prvalue(load)
 #  207|           getOperand(): [VariableAccess] p
 #  207|               Type = [IntPointerType] int *
 #  207|               ValueCategory = lvalue
@@ -3570,7 +3570,7 @@ ir.cpp:
 #  208|             ValueCategory = lvalue
 #  208|         getRValue(): [PrefixDecrExpr] -- ...
 #  208|             Type = [IntPointerType] int *
-#  208|             ValueCategory = prvalue
+#  208|             ValueCategory = prvalue(load)
 #  208|           getOperand(): [VariableAccess] p
 #  208|               Type = [IntPointerType] int *
 #  208|               ValueCategory = lvalue
@@ -4825,7 +4825,7 @@ ir.cpp:
 #  483|         getVariable().getInitializer(): [Initializer] initializer for z
 #  483|           getExpr(): [ConditionalExpr] ... ? ... : ...
 #  483|               Type = [IntType] int
-#  483|               ValueCategory = prvalue
+#  483|               ValueCategory = prvalue(load)
 #  483|             getCondition(): [VariableAccess] a
 #  483|                 Type = [BoolType] bool
 #  483|                 ValueCategory = prvalue(load)
@@ -5718,7 +5718,7 @@ ir.cpp:
 #  645|       getExpr(): [AssignExpr] ... = ...
 #  645|           Type = [IntType] int
 #  645|           ValueCategory = lvalue
-#  645|         getLValue(): [PointerFieldAccess] m_a
+#  645|         getLValue(): [ImplicitThisFieldAccess,PointerFieldAccess] m_a
 #  645|             Type = [IntType] int
 #  645|             ValueCategory = lvalue
 #  645|           getQualifier(): [ThisExpr] this
@@ -5770,7 +5770,7 @@ ir.cpp:
 #  649|         getLValue(): [VariableAccess] x
 #  649|             Type = [IntType] int
 #  649|             ValueCategory = lvalue
-#  649|         getRValue(): [PointerFieldAccess] m_a
+#  649|         getRValue(): [ImplicitThisFieldAccess,PointerFieldAccess] m_a
 #  649|             Type = [IntType] int
 #  649|             ValueCategory = prvalue(load)
 #  649|           getQualifier(): [ThisExpr] this
@@ -6025,7 +6025,7 @@ ir.cpp:
 #  705|     getStmt(0): [ReturnStmt] return ...
 #  705|       getExpr(): [ConditionalExpr] ... ? ... : ...
 #  705|           Type = [UnknownType] unknown
-#  705|           ValueCategory = prvalue(load)
+#  705|           ValueCategory = prvalue
 #  705|         getCondition(): [LTExpr] ... < ...
 #  705|             Type = [UnknownType] unknown
 #  705|             ValueCategory = prvalue
@@ -6058,7 +6058,7 @@ ir.cpp:
 #  705|     getStmt(0): [ReturnStmt] return ...
 #  705|       getExpr(): [ConditionalExpr] ... ? ... : ...
 #  705|           Type = [IntType] int
-#  705|           ValueCategory = prvalue
+#  705|           ValueCategory = prvalue(load)
 #  705|         getCondition(): [LTExpr] ... < ...
 #  705|             Type = [BoolType] bool
 #  705|             ValueCategory = prvalue
@@ -7864,7 +7864,7 @@ ir.cpp:
 #  915|         getVariable().getInitializer(): [Initializer] initializer for b
 #  915|           getExpr(): [ConditionalExpr] ... ? ... : ...
 #  915|               Type = [IntType] int
-#  915|               ValueCategory = prvalue
+#  915|               ValueCategory = prvalue(load)
 #  915|             getCondition(): [Literal] 1
 #  915|                 Type = [BoolType] bool
 #  915|                 Value = [Literal] 1
@@ -8633,6 +8633,9 @@ ir.cpp:
 # 1038|   <params>: 
 #-----|     getParameter(0): [Parameter] (unnamed parameter 0)
 #-----|         Type = [RValueReferenceType] lambda [] type at line 1038, col. 12 &&
+# 1038|   <initializations>: 
+# 1038|   getEntryPoint(): [BlockStmt] { ... }
+# 1038|     getStmt(0): [ReturnStmt] return ...
 # 1038| [Constructor] void (lambda [] type at line 1038, col. 12)::(unnamed constructor)()
 # 1038|   <params>: 
 # 1038| [MemberFunction] void (lambda [] type at line 1038, col. 12)::_FUN()
@@ -8963,6 +8966,9 @@ ir.cpp:
 # 1041|   <params>: 
 #-----|     getParameter(0): [Parameter] (unnamed parameter 0)
 #-----|         Type = [RValueReferenceType] lambda [] type at line 1041, col. 23 &&
+# 1041|   <initializations>: 
+# 1041|   getEntryPoint(): [BlockStmt] { ... }
+# 1041|     getStmt(0): [ReturnStmt] return ...
 # 1041| [Constructor] void (void Lambda(int, String const&))::(lambda [] type at line 1041, col. 23)::(unnamed constructor)()
 # 1041|   <params>: 
 # 1041| [MemberFunction] char (void Lambda(int, String const&))::(lambda [] type at line 1041, col. 23)::_FUN(float)
@@ -9012,7 +9018,7 @@ ir.cpp:
 # 1043|         getArrayBase(): [FunctionCall] call to c_str
 # 1043|             Type = [PointerType] const char *
 # 1043|             ValueCategory = prvalue
-# 1043|           getQualifier(): [PointerFieldAccess] s
+# 1043|           getQualifier(): [ImplicitThisFieldAccess,PointerFieldAccess] s
 # 1043|               Type = [LValueReferenceType] const String &
 # 1043|               ValueCategory = prvalue(load)
 # 1043|             getQualifier(): [ThisExpr] this
@@ -9021,7 +9027,7 @@ ir.cpp:
 # 1043|           getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 # 1043|               Type = [SpecifiedType] const String
 # 1043|               ValueCategory = lvalue
-# 1043|         getArrayOffset(): [PointerFieldAccess] x
+# 1043|         getArrayOffset(): [ImplicitThisFieldAccess,PointerFieldAccess] x
 # 1043|             Type = [LValueReferenceType] int &
 # 1043|             ValueCategory = prvalue(load)
 # 1043|           getQualifier(): [ThisExpr] this
@@ -9070,13 +9076,13 @@ ir.cpp:
 # 1045|         getArrayBase(): [FunctionCall] call to c_str
 # 1045|             Type = [PointerType] const char *
 # 1045|             ValueCategory = prvalue
-# 1045|           getQualifier(): [PointerFieldAccess] s
+# 1045|           getQualifier(): [ImplicitThisFieldAccess,PointerFieldAccess] s
 # 1045|               Type = [SpecifiedType] const String
 # 1045|               ValueCategory = lvalue
 # 1045|             getQualifier(): [ThisExpr] this
 # 1045|                 Type = [PointerType] const lambda [] type at line 1045, col. 21 *
 # 1045|                 ValueCategory = prvalue(load)
-# 1045|         getArrayOffset(): [PointerFieldAccess] x
+# 1045|         getArrayOffset(): [ImplicitThisFieldAccess,PointerFieldAccess] x
 # 1045|             Type = [IntType] int
 # 1045|             ValueCategory = prvalue(load)
 # 1045|           getQualifier(): [ThisExpr] this
@@ -9108,7 +9114,7 @@ ir.cpp:
 # 1047|         getArrayBase(): [FunctionCall] call to c_str
 # 1047|             Type = [PointerType] const char *
 # 1047|             ValueCategory = prvalue
-# 1047|           getQualifier(): [PointerFieldAccess] s
+# 1047|           getQualifier(): [ImplicitThisFieldAccess,PointerFieldAccess] s
 # 1047|               Type = [LValueReferenceType] const String &
 # 1047|               ValueCategory = prvalue(load)
 # 1047|             getQualifier(): [ThisExpr] this
@@ -9161,7 +9167,7 @@ ir.cpp:
 # 1049|         getArrayBase(): [FunctionCall] call to c_str
 # 1049|             Type = [PointerType] const char *
 # 1049|             ValueCategory = prvalue
-# 1049|           getQualifier(): [PointerFieldAccess] s
+# 1049|           getQualifier(): [ImplicitThisFieldAccess,PointerFieldAccess] s
 # 1049|               Type = [SpecifiedType] const String
 # 1049|               ValueCategory = lvalue
 # 1049|             getQualifier(): [ThisExpr] this
@@ -9197,7 +9203,7 @@ ir.cpp:
 # 1051|         getArrayBase(): [FunctionCall] call to c_str
 # 1051|             Type = [PointerType] const char *
 # 1051|             ValueCategory = prvalue
-# 1051|           getQualifier(): [PointerFieldAccess] s
+# 1051|           getQualifier(): [ImplicitThisFieldAccess,PointerFieldAccess] s
 # 1051|               Type = [LValueReferenceType] const String &
 # 1051|               ValueCategory = prvalue(load)
 # 1051|             getQualifier(): [ThisExpr] this
@@ -9206,7 +9212,7 @@ ir.cpp:
 # 1051|           getQualifier().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
 # 1051|               Type = [SpecifiedType] const String
 # 1051|               ValueCategory = lvalue
-# 1051|         getArrayOffset(): [PointerFieldAccess] x
+# 1051|         getArrayOffset(): [ImplicitThisFieldAccess,PointerFieldAccess] x
 # 1051|             Type = [IntType] int
 # 1051|             ValueCategory = prvalue(load)
 # 1051|           getQualifier(): [ThisExpr] this
@@ -9238,7 +9244,7 @@ ir.cpp:
 # 1054|         getArrayBase(): [FunctionCall] call to c_str
 # 1054|             Type = [PointerType] const char *
 # 1054|             ValueCategory = prvalue
-# 1054|           getQualifier(): [PointerFieldAccess] s
+# 1054|           getQualifier(): [ImplicitThisFieldAccess,PointerFieldAccess] s
 # 1054|               Type = [LValueReferenceType] const String &
 # 1054|               ValueCategory = prvalue(load)
 # 1054|             getQualifier(): [ThisExpr] this
@@ -9253,7 +9259,7 @@ ir.cpp:
 # 1054|           getLeftOperand(): [AddExpr] ... + ...
 # 1054|               Type = [IntType] int
 # 1054|               ValueCategory = prvalue
-# 1054|             getLeftOperand(): [PointerFieldAccess] x
+# 1054|             getLeftOperand(): [ImplicitThisFieldAccess,PointerFieldAccess] x
 # 1054|                 Type = [IntType] int
 # 1054|                 ValueCategory = prvalue(load)
 # 1054|               getQualifier(): [ThisExpr] this
@@ -10456,7 +10462,7 @@ ir.cpp:
 # 1301|             ValueCategory = lvalue
 # 1301|         getRValue(): [ConditionalExpr] ... ? ... : ...
 # 1301|             Type = [IntType] int
-# 1301|             ValueCategory = prvalue
+# 1301|             ValueCategory = prvalue(load)
 # 1301|           getCondition(): [VariableAccess] b
 # 1301|               Type = [BoolType] bool
 # 1301|               ValueCategory = prvalue(load)
@@ -10472,7 +10478,7 @@ ir.cpp:
 # 1302|             ValueCategory = lvalue
 # 1302|         getRValue(): [ConditionalExpr] ... ? ... : ...
 # 1302|             Type = [LongType] long
-# 1302|             ValueCategory = prvalue
+# 1302|             ValueCategory = prvalue(load)
 # 1302|           getCondition(): [VariableAccess] b
 # 1302|               Type = [BoolType] bool
 # 1302|               ValueCategory = prvalue(load)
@@ -10492,7 +10498,7 @@ ir.cpp:
 # 1303|             ValueCategory = lvalue
 # 1303|         getRValue(): [ConditionalExpr] ... ? ... : ...
 # 1303|             Type = [IntType] int
-# 1303|             ValueCategory = prvalue
+# 1303|             ValueCategory = prvalue(load)
 # 1303|           getCondition(): [VariableAccess] x
 # 1303|               Type = [IntType] int
 # 1303|               ValueCategory = prvalue(load)
@@ -10512,7 +10518,7 @@ ir.cpp:
 # 1304|             ValueCategory = lvalue
 # 1304|         getRValue(): [ConditionalExpr] ... ? ... : ...
 # 1304|             Type = [LongType] long
-# 1304|             ValueCategory = prvalue
+# 1304|             ValueCategory = prvalue(load)
 # 1304|           getCondition(): [VariableAccess] x
 # 1304|               Type = [IntType] int
 # 1304|               ValueCategory = prvalue(load)
@@ -10536,7 +10542,7 @@ ir.cpp:
 # 1305|             ValueCategory = lvalue
 # 1305|         getRValue(): [ConditionalExpr] ... ? ... : ...
 # 1305|             Type = [LongType] long
-# 1305|             ValueCategory = prvalue
+# 1305|             ValueCategory = prvalue(load)
 # 1305|           getCondition(): [VariableAccess] y
 # 1305|               Type = [LongType] long
 # 1305|               ValueCategory = prvalue(load)
@@ -10564,7 +10570,7 @@ ir.cpp:
 # 1306|             ValueCategory = lvalue
 # 1306|         getRValue(): [ConditionalExpr] ... ? ... : ...
 # 1306|             Type = [LongType] long
-# 1306|             ValueCategory = prvalue
+# 1306|             ValueCategory = prvalue(load)
 # 1306|           getCondition(): [VariableAccess] y
 # 1306|               Type = [LongType] long
 # 1306|               ValueCategory = prvalue(load)
@@ -10588,7 +10594,7 @@ ir.cpp:
 # 1308|             ValueCategory = lvalue
 # 1308|         getRValue(): [ConditionalExpr] ... ? ... : ...
 # 1308|             Type = [IntType] int
-# 1308|             ValueCategory = prvalue
+# 1308|             ValueCategory = prvalue(load)
 # 1308|           getCondition(): [LogicalOrExpr] ... || ...
 # 1308|               Type = [BoolType] bool
 # 1308|               ValueCategory = prvalue
@@ -10633,7 +10639,7 @@ ir.cpp:
 # 1315|     getStmt(0): [ReturnStmt] return ...
 # 1315|       getExpr(): [ConditionalExpr] ... ? ... : ...
 # 1315|           Type = [IntType] int
-# 1315|           ValueCategory = prvalue
+# 1315|           ValueCategory = prvalue(load)
 # 1315|         getCondition(): [LogicalAndExpr] ... && ...
 # 1315|             Type = [BoolType] bool
 # 1315|             ValueCategory = prvalue
@@ -10949,7 +10955,7 @@ ir.cpp:
 # 1376|           ValueCategory = prvalue
 # 1376|       getExpr().getFullyConverted(): [TemporaryObjectExpr] temporary object
 # 1376|           Type = [Struct] String
-# 1376|           ValueCategory = prvalue(load)
+# 1376|           ValueCategory = prvalue
 # 1377|     getStmt(9): [ReturnStmt] return ...
 # 1379| [TopLevelFunction] void temporary_destructor_only()
 # 1379|   <params>: 
@@ -11032,7 +11038,7 @@ ir.cpp:
 # 1388|           ValueCategory = prvalue
 # 1388|       getExpr().getFullyConverted(): [TemporaryObjectExpr] temporary object
 # 1388|           Type = [Class] destructor_only
-# 1388|           ValueCategory = prvalue(load)
+# 1388|           ValueCategory = prvalue
 # 1389|     getStmt(8): [ReturnStmt] return ...
 # 1391| [TopLevelFunction] void temporary_copy_constructor()
 # 1391|   <params>: 
@@ -11128,7 +11134,7 @@ ir.cpp:
 # 1399|           ValueCategory = prvalue
 # 1399|       getExpr().getFullyConverted(): [TemporaryObjectExpr] temporary object
 # 1399|           Type = [Class] copy_constructor
-# 1399|           ValueCategory = prvalue(load)
+# 1399|           ValueCategory = prvalue
 # 1401|     getStmt(8): [DeclStmt] declaration
 # 1401|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of y
 # 1401|           Type = [IntType] int
@@ -11484,7 +11490,7 @@ ir.cpp:
 # 1458|       getExpr(): [AssignExpr] ... = ...
 # 1458|           Type = [IntType] int
 # 1458|           ValueCategory = lvalue
-# 1458|         getLValue(): [PointerFieldAccess] y
+# 1458|         getLValue(): [ImplicitThisFieldAccess,PointerFieldAccess] y
 # 1458|             Type = [IntType] int
 # 1458|             ValueCategory = lvalue
 # 1458|           getQualifier(): [ThisExpr] this
@@ -12296,7 +12302,7 @@ ir.cpp:
 # 1567|   <params>: 
 # 1567|   getEntryPoint(): [BlockStmt] { ... }
 # 1568|     getStmt(0): [ReturnStmt] return ...
-# 1568|       getExpr(): [PointerFieldAccess] i
+# 1568|       getExpr(): [ImplicitThisFieldAccess,PointerFieldAccess] i
 # 1568|           Type = [IntType] int
 # 1568|           ValueCategory = lvalue
 # 1568|         getQualifier(): [ThisExpr] this
@@ -12309,7 +12315,7 @@ ir.cpp:
 # 1571|   <params>: 
 # 1571|   getEntryPoint(): [BlockStmt] { ... }
 # 1572|     getStmt(0): [ReturnStmt] return ...
-# 1572|       getExpr(): [PointerFieldAccess] d
+# 1572|       getExpr(): [ImplicitThisFieldAccess,PointerFieldAccess] d
 # 1572|           Type = [DoubleType] double
 # 1572|           ValueCategory = lvalue
 # 1572|         getQualifier(): [ThisExpr] this
@@ -12322,7 +12328,7 @@ ir.cpp:
 # 1575|   <params>: 
 # 1575|   getEntryPoint(): [BlockStmt] { ... }
 # 1576|     getStmt(0): [ReturnStmt] return ...
-# 1576|       getExpr(): [PointerFieldAccess] r
+# 1576|       getExpr(): [ImplicitThisFieldAccess,PointerFieldAccess] r
 # 1576|           Type = [LValueReferenceType] int &
 # 1576|           ValueCategory = prvalue(load)
 # 1576|         getQualifier(): [ThisExpr] this
@@ -12663,7 +12669,7 @@ ir.cpp:
 # 1633|   <params>: 
 # 1633|   getEntryPoint(): [BlockStmt] { ... }
 # 1634|     getStmt(0): [ReturnStmt] return ...
-# 1634|       getExpr(): [PointerFieldAccess] i
+# 1634|       getExpr(): [ImplicitThisFieldAccess,PointerFieldAccess] i
 # 1634|           Type = [IntType] int
 # 1634|           ValueCategory = prvalue(load)
 # 1634|         getQualifier(): [ThisExpr] this
@@ -12673,7 +12679,7 @@ ir.cpp:
 # 1637|   <params>: 
 # 1637|   getEntryPoint(): [BlockStmt] { ... }
 # 1638|     getStmt(0): [ReturnStmt] return ...
-# 1638|       getExpr(): [PointerFieldAccess] r
+# 1638|       getExpr(): [ImplicitThisFieldAccess,PointerFieldAccess] r
 # 1638|           Type = [LValueReferenceType] int &
 # 1638|           ValueCategory = prvalue(load)
 # 1638|         getQualifier(): [ThisExpr] this
@@ -13284,7 +13290,7 @@ ir.cpp:
 # 1703|         getQualifier(): [AddressOfExpr] & ...
 # 1703|             Type = [PointerType] const TrivialLambdaClass *
 # 1703|             ValueCategory = prvalue
-# 1703|           getOperand(): [PointerFieldAccess] (captured this)
+# 1703|           getOperand(): [ImplicitThisFieldAccess,PointerFieldAccess] (captured this)
 # 1703|               Type = [SpecifiedType] const TrivialLambdaClass
 # 1703|               ValueCategory = lvalue
 # 1703|             getQualifier(): [ThisExpr] this
@@ -13331,7 +13337,7 @@ ir.cpp:
 # 1706|         getQualifier(): [AddressOfExpr] & ...
 # 1706|             Type = [PointerType] const TrivialLambdaClass *
 # 1706|             ValueCategory = prvalue
-# 1706|           getOperand(): [PointerFieldAccess] (captured this)
+# 1706|           getOperand(): [ImplicitThisFieldAccess,PointerFieldAccess] (captured this)
 # 1706|               Type = [SpecifiedType] const TrivialLambdaClass
 # 1706|               ValueCategory = lvalue
 # 1706|             getQualifier(): [ThisExpr] this
@@ -13368,9 +13374,6 @@ ir.cpp:
 # 1714|               getExpr(): [TemporaryObjectExpr] temporary object
 # 1714|                   Type = [Class] TrivialLambdaClass
 # 1714|                   ValueCategory = lvalue
-# 1714|                 getExpr(): [TemporaryObjectExpr] temporary object
-# 1714|                     Type = [Class] TrivialLambdaClass
-# 1714|                     ValueCategory = prvalue(load)
 # 1716|     getStmt(2): [DeclStmt] declaration
 # 1716|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of l_outer1
 # 1716|           Type = [Closure,LocalClass] decltype([...](...){...})
@@ -13477,7 +13480,7 @@ ir.cpp:
 # 1726|       getExpr(): [AssignExpr] ... = ...
 # 1726|           Type = [IntType] int
 # 1726|           ValueCategory = lvalue
-# 1726|         getLValue(): [PointerFieldAccess] x
+# 1726|         getLValue(): [ImplicitThisFieldAccess,PointerFieldAccess] x
 # 1726|             Type = [IntType] int
 # 1726|             ValueCategory = lvalue
 # 1726|           getQualifier(): [ThisExpr] this
@@ -14710,7 +14713,7 @@ ir.cpp:
 # 1930|             ValueCategory = lvalue
 # 1930|         getRValue(): [AssignExpr] ... = ...
 # 1930|             Type = [IntType] int
-# 1930|             ValueCategory = prvalue
+# 1930|             ValueCategory = prvalue(load)
 # 1930|           getLValue(): [VariableAccess] j
 # 1930|               Type = [IntType] int
 # 1930|               ValueCategory = lvalue
@@ -14741,7 +14744,7 @@ ir.cpp:
 # 1935|             ValueCategory = lvalue
 # 1935|         getRValue(): [AssignAddExpr] ... += ...
 # 1935|             Type = [IntType] int
-# 1935|             ValueCategory = prvalue
+# 1935|             ValueCategory = prvalue(load)
 # 1935|           getLValue(): [VariableAccess] j
 # 1935|               Type = [IntType] int
 # 1935|               ValueCategory = lvalue
@@ -14751,7 +14754,7 @@ ir.cpp:
 # 1935|               ValueCategory = prvalue
 # 1935|         getRValue().getFullyConverted(): [ParenthesisExpr] (...)
 # 1935|             Type = [IntType] int
-# 1935|             ValueCategory = prvalue
+# 1935|             ValueCategory = prvalue(load)
 # 1936|     getStmt(2): [ReturnStmt] return ...
 # 1938| [CopyAssignmentOperator] D& D::operator=(D const&)
 # 1938|   <params>: 
@@ -15040,7 +15043,7 @@ ir.cpp:
 # 1993|             ValueCategory = lvalue
 # 1993|         getRValue(): [FunctionAccess] StaticMemberFunction
 # 1993|             Type = [FunctionPointerType] ..(*)(..)
-# 1993|             ValueCategory = prvalue
+# 1993|             ValueCategory = prvalue(load)
 # 1993|           getQualifier(): [VariableAccess] c
 # 1993|               Type = [Class] C
 # 1993|               ValueCategory = lvalue
@@ -15065,7 +15068,7 @@ ir.cpp:
 # 1997|             ValueCategory = lvalue
 # 1997|         getRValue(): [ConditionalExpr] ... ? ... : ...
 # 1997|             Type = [IntType] int
-# 1997|             ValueCategory = prvalue
+# 1997|             ValueCategory = prvalue(load)
 # 1997|           getCondition(): [VariableAccess] a
 # 1997|               Type = [BoolType] bool
 # 1997|               ValueCategory = prvalue(load)
@@ -15084,7 +15087,7 @@ ir.cpp:
 # 1998|             ValueCategory = lvalue
 # 1998|         getRValue(): [ConditionalExpr] ... ? ... : ...
 # 1998|             Type = [IntType] int
-# 1998|             ValueCategory = prvalue
+# 1998|             ValueCategory = prvalue(load)
 # 1998|           getCondition(): [VariableAccess] a
 # 1998|               Type = [BoolType] bool
 # 1998|               ValueCategory = prvalue(load)
@@ -15168,7 +15171,7 @@ ir.cpp:
 # 2007|             ValueCategory = lvalue
 # 2007|         getRValue(): [ConditionalExpr] ... ? ... : ...
 # 2007|             Type = [Struct] TernaryPodObj
-# 2007|             ValueCategory = prvalue
+# 2007|             ValueCategory = prvalue(load)
 # 2007|           getCondition(): [VariableAccess] a
 # 2007|               Type = [BoolType] bool
 # 2007|               ValueCategory = prvalue(load)
@@ -15249,7 +15252,7 @@ ir.cpp:
 # 2010|               ValueCategory = lvalue
 # 2010|           getRValue(): [ConditionalExpr] ... ? ... : ...
 # 2010|               Type = [Struct] TernaryPodObj
-# 2010|               ValueCategory = prvalue
+# 2010|               ValueCategory = prvalue(load)
 # 2010|             getCondition(): [VariableAccess] a
 # 2010|                 Type = [BoolType] bool
 # 2010|                 ValueCategory = prvalue(load)
@@ -15501,7 +15504,7 @@ ir.cpp:
 # 2028|             ValueCategory = lvalue
 # 2028|         getRValue(): [ConditionalExpr] ... ? ... : ...
 # 2028|             Type = [IntType] unsigned int
-# 2028|             ValueCategory = prvalue
+# 2028|             ValueCategory = prvalue(load)
 # 2028|           getCondition(): [LTExpr] ... < ...
 # 2028|               Type = [BoolType] bool
 # 2028|               ValueCategory = prvalue
@@ -15519,7 +15522,7 @@ ir.cpp:
 # 2028|                 ValueCategory = prvalue
 # 2029|           getThen(): [CommaExpr] ... , ...
 # 2029|               Type = [IntType] unsigned int
-# 2029|               ValueCategory = prvalue
+# 2029|               ValueCategory = prvalue(load)
 # 2029|             getLeftOperand(): [FunctionCall] call to CommaTestHelper
 # 2029|                 Type = [VoidType] void
 # 2029|                 ValueCategory = prvalue
@@ -15544,7 +15547,7 @@ ir.cpp:
 # 2030|                 ValueCategory = prvalue
 # 2029|           getThen().getFullyConverted(): [ParenthesisExpr] (...)
 # 2029|               Type = [IntType] unsigned int
-# 2029|               ValueCategory = prvalue
+# 2029|               ValueCategory = prvalue(load)
 # 2030|           getElse().getFullyConverted(): [CStyleCast] (unsigned int)...
 # 2030|               Conversion = [IntegralConversion] integral conversion
 # 2030|               Type = [IntType] unsigned int
@@ -15935,6 +15938,44 @@ ir.cpp:
 # 2104|             Type = [CTypedefType,Size_t] size_t
 # 2104|             ValueCategory = prvalue(load)
 # 2105|     getStmt(6): [ReturnStmt] return ...
+# 2107| [TopLevelFunction] double strtod(char const*, char**)
+# 2107|   <params>: 
+# 2107|     getParameter(0): [Parameter] str
+# 2107|         Type = [PointerType] const char *
+# 2107|     getParameter(1): [Parameter] endptr
+# 2107|         Type = [PointerType] char **
+# 2109| [TopLevelFunction] char* test_strtod(char*)
+# 2109|   <params>: 
+# 2109|     getParameter(0): [Parameter] s
+# 2109|         Type = [CharPointerType] char *
+# 2109|   getEntryPoint(): [BlockStmt] { ... }
+# 2110|     getStmt(0): [DeclStmt] declaration
+# 2110|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of end
+# 2110|           Type = [CharPointerType] char *
+# 2111|     getStmt(1): [DeclStmt] declaration
+# 2111|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of d
+# 2111|           Type = [DoubleType] double
+# 2111|         getVariable().getInitializer(): [Initializer] initializer for d
+# 2111|           getExpr(): [FunctionCall] call to strtod
+# 2111|               Type = [DoubleType] double
+# 2111|               ValueCategory = prvalue
+# 2111|             getArgument(0): [VariableAccess] s
+# 2111|                 Type = [CharPointerType] char *
+# 2111|                 ValueCategory = prvalue(load)
+# 2111|             getArgument(1): [AddressOfExpr] & ...
+# 2111|                 Type = [PointerType] char **
+# 2111|                 ValueCategory = prvalue
+# 2111|               getOperand(): [VariableAccess] end
+# 2111|                   Type = [CharPointerType] char *
+# 2111|                   ValueCategory = lvalue
+# 2111|             getArgument(0).getFullyConverted(): [CStyleCast] (const char *)...
+# 2111|                 Conversion = [PointerConversion] pointer conversion
+# 2111|                 Type = [PointerType] const char *
+# 2111|                 ValueCategory = prvalue
+# 2112|     getStmt(2): [ReturnStmt] return ...
+# 2112|       getExpr(): [VariableAccess] end
+# 2112|           Type = [CharPointerType] char *
+# 2112|           ValueCategory = prvalue(load)
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   <params>: 

cpp/ql/test/library-tests/ir/ir/aliased_ir.expected

@@ -765,7 +765,7 @@ ir.c:
 #    9|     r9_6(glval<int>)                            = FieldAddress[y]              : r9_5
 #    9|     m9_7(int)                                   = Store[?]                     : &:r9_6, r9_4
 #    9|     m9_8((unnamed class/struct/union))          = Chi                          : total:m8_10, partial:m9_7
-#    9|     r9_9(int)                                   = CopyValue                    : r9_4
+#    9|     r9_9(int)                                   = Load[?]                      : &:r9_6, m9_7
 #    9|     r9_10(glval<(unnamed class/struct/union)>)  = VariableAddress[coords]      : 
 #    9|     r9_11(glval<int>)                           = FieldAddress[x]              : r9_10
 #    9|     m9_12(int)                                  = Store[?]                     : &:r9_11, r9_9
@@ -1187,15 +1187,17 @@ ir.cpp:
 #  101|     r101_3(int)        = Constant[1]            : 
 #  101|     r101_4(int)        = Add                    : r101_2, r101_3
 #  101|     m101_5(int)        = Store[x]               : &:r101_1, r101_4
-#  101|     r101_6(glval<int>) = VariableAddress[y]     : 
-#  101|     m101_7(int)        = Store[y]               : &:r101_6, r101_4
+#  101|     r101_6(int)        = Load[x]                : &:r101_1, m101_5
+#  101|     r101_7(glval<int>) = VariableAddress[y]     : 
+#  101|     m101_8(int)        = Store[y]               : &:r101_7, r101_6
 #  102|     r102_1(glval<int>) = VariableAddress[x]     : 
 #  102|     r102_2(int)        = Load[x]                : &:r102_1, m101_5
 #  102|     r102_3(int)        = Constant[1]            : 
 #  102|     r102_4(int)        = Sub                    : r102_2, r102_3
 #  102|     m102_5(int)        = Store[x]               : &:r102_1, r102_4
-#  102|     r102_6(glval<int>) = VariableAddress[y]     : 
-#  102|     m102_7(int)        = Store[y]               : &:r102_6, r102_4
+#  102|     r102_6(int)        = Load[x]                : &:r102_1, m102_5
+#  102|     r102_7(glval<int>) = VariableAddress[y]     : 
+#  102|     m102_8(int)        = Store[y]               : &:r102_7, r102_6
 #  103|     r103_1(glval<int>) = VariableAddress[x]     : 
 #  103|     r103_2(int)        = Load[x]                : &:r103_1, m102_5
 #  103|     r103_3(int)        = Constant[1]            : 
@@ -1407,15 +1409,17 @@ ir.cpp:
 #  147|     r147_3(float)        = Constant[1.0]          : 
 #  147|     r147_4(float)        = Add                    : r147_2, r147_3
 #  147|     m147_5(float)        = Store[x]               : &:r147_1, r147_4
-#  147|     r147_6(glval<float>) = VariableAddress[y]     : 
-#  147|     m147_7(float)        = Store[y]               : &:r147_6, r147_4
+#  147|     r147_6(float)        = Load[x]                : &:r147_1, m147_5
+#  147|     r147_7(glval<float>) = VariableAddress[y]     : 
+#  147|     m147_8(float)        = Store[y]               : &:r147_7, r147_6
 #  148|     r148_1(glval<float>) = VariableAddress[x]     : 
 #  148|     r148_2(float)        = Load[x]                : &:r148_1, m147_5
 #  148|     r148_3(float)        = Constant[1.0]          : 
 #  148|     r148_4(float)        = Sub                    : r148_2, r148_3
 #  148|     m148_5(float)        = Store[x]               : &:r148_1, r148_4
-#  148|     r148_6(glval<float>) = VariableAddress[y]     : 
-#  148|     m148_7(float)        = Store[y]               : &:r148_6, r148_4
+#  148|     r148_6(float)        = Load[x]                : &:r148_1, m148_5
+#  148|     r148_7(glval<float>) = VariableAddress[y]     : 
+#  148|     m148_8(float)        = Store[y]               : &:r148_7, r148_6
 #  149|     r149_1(glval<float>) = VariableAddress[x]     : 
 #  149|     r149_2(float)        = Load[x]                : &:r149_1, m148_5
 #  149|     r149_3(float)        = Constant[1.0]          : 
@@ -1723,15 +1727,17 @@ ir.cpp:
 #  207|     r207_3(int)          = Constant[1]              : 
 #  207|     r207_4(int *)        = PointerAdd[4]            : r207_2, r207_3
 #  207|     m207_5(int *)        = Store[p]                 : &:r207_1, r207_4
-#  207|     r207_6(glval<int *>) = VariableAddress[q]       : 
-#  207|     m207_7(int *)        = Store[q]                 : &:r207_6, r207_4
+#  207|     r207_6(int *)        = Load[p]                  : &:r207_1, m207_5
+#  207|     r207_7(glval<int *>) = VariableAddress[q]       : 
+#  207|     m207_8(int *)        = Store[q]                 : &:r207_7, r207_6
 #  208|     r208_1(glval<int *>) = VariableAddress[p]       : 
 #  208|     r208_2(int *)        = Load[p]                  : &:r208_1, m207_5
 #  208|     r208_3(int)          = Constant[1]              : 
 #  208|     r208_4(int *)        = PointerSub[4]            : r208_2, r208_3
 #  208|     m208_5(int *)        = Store[p]                 : &:r208_1, r208_4
-#  208|     r208_6(glval<int *>) = VariableAddress[q]       : 
-#  208|     m208_7(int *)        = Store[q]                 : &:r208_6, r208_4
+#  208|     r208_6(int *)        = Load[p]                  : &:r208_1, m208_5
+#  208|     r208_7(glval<int *>) = VariableAddress[q]       : 
+#  208|     m208_8(int *)        = Store[q]                 : &:r208_7, r208_6
 #  209|     r209_1(glval<int *>) = VariableAddress[p]       : 
 #  209|     r209_2(int *)        = Load[p]                  : &:r209_1, m208_5
 #  209|     r209_3(int)          = Constant[1]              : 
@@ -6049,6 +6055,27 @@ ir.cpp:
 # 1038|     v1038_10(void)                            = AliasedUse                    : ~m1038_8
 # 1038|     v1038_11(void)                            = ExitFunction                  : 
 
+# 1038| void (lambda [] type at line 1038, col. 12)::(unnamed constructor)((lambda [] type at line 1038, col. 12)&&)
+# 1038|   Block 0
+# 1038|     v1038_1(void)                                        = EnterFunction                                : 
+# 1038|     m1038_2(unknown)                                     = AliasedDefinition                            : 
+# 1038|     m1038_3(unknown)                                     = InitializeNonLocal                           : 
+# 1038|     m1038_4(unknown)                                     = Chi                                          : total:m1038_2, partial:m1038_3
+# 1038|     r1038_5(glval<unknown>)                              = VariableAddress[#this]                       : 
+# 1038|     m1038_6(glval<decltype([...](...){...})>)            = InitializeParameter[#this]                   : &:r1038_5
+# 1038|     r1038_7(glval<decltype([...](...){...})>)            = Load[#this]                                  : &:r1038_5, m1038_6
+# 1038|     m1038_8(decltype([...](...){...}))                   = InitializeIndirection[#this]                 : &:r1038_7
+#-----|     r0_1(glval<lambda [] type at line 1038, col. 12 &&>) = VariableAddress[(unnamed parameter 0)]       : 
+#-----|     m0_2(lambda [] type at line 1038, col. 12 &&)        = InitializeParameter[(unnamed parameter 0)]   : &:r0_1
+#-----|     r0_3(lambda [] type at line 1038, col. 12 &&)        = Load[(unnamed parameter 0)]                  : &:r0_1, m0_2
+#-----|     m0_4(unknown)                                        = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
+# 1038|     v1038_9(void)                                        = NoOp                                         : 
+# 1038|     v1038_10(void)                                       = ReturnIndirection[#this]                     : &:r1038_7, m1038_8
+#-----|     v0_5(void)                                           = ReturnIndirection[(unnamed parameter 0)]     : &:r0_3, m0_4
+# 1038|     v1038_11(void)                                       = ReturnVoid                                   : 
+# 1038|     v1038_12(void)                                       = AliasedUse                                   : m1038_3
+# 1038|     v1038_13(void)                                       = ExitFunction                                 : 
+
 # 1038| void (lambda [] type at line 1038, col. 12)::operator()() const
 # 1038|   Block 0
 # 1038|     v1038_1(void)                             = EnterFunction                : 
@@ -6265,6 +6292,27 @@ ir.cpp:
 # 1040|     v1040_13(void)                            = AliasedUse                             : ~m1055_7
 # 1040|     v1040_14(void)                            = ExitFunction                           : 
 
+# 1041| void (void Lambda(int, String const&))::(lambda [] type at line 1041, col. 23)::(unnamed constructor)((void Lambda(int, String const&))::(lambda [] type at line 1041, col. 23)&&)
+# 1041|   Block 0
+# 1041|     v1041_1(void)                                        = EnterFunction                                : 
+# 1041|     m1041_2(unknown)                                     = AliasedDefinition                            : 
+# 1041|     m1041_3(unknown)                                     = InitializeNonLocal                           : 
+# 1041|     m1041_4(unknown)                                     = Chi                                          : total:m1041_2, partial:m1041_3
+# 1041|     r1041_5(glval<unknown>)                              = VariableAddress[#this]                       : 
+# 1041|     m1041_6(glval<decltype([...](...){...})>)            = InitializeParameter[#this]                   : &:r1041_5
+# 1041|     r1041_7(glval<decltype([...](...){...})>)            = Load[#this]                                  : &:r1041_5, m1041_6
+# 1041|     m1041_8(decltype([...](...){...}))                   = InitializeIndirection[#this]                 : &:r1041_7
+#-----|     r0_1(glval<lambda [] type at line 1041, col. 23 &&>) = VariableAddress[(unnamed parameter 0)]       : 
+#-----|     m0_2(lambda [] type at line 1041, col. 23 &&)        = InitializeParameter[(unnamed parameter 0)]   : &:r0_1
+#-----|     r0_3(lambda [] type at line 1041, col. 23 &&)        = Load[(unnamed parameter 0)]                  : &:r0_1, m0_2
+#-----|     m0_4(unknown)                                        = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
+# 1041|     v1041_9(void)                                        = NoOp                                         : 
+# 1041|     v1041_10(void)                                       = ReturnIndirection[#this]                     : &:r1041_7, m1041_8
+#-----|     v0_5(void)                                           = ReturnIndirection[(unnamed parameter 0)]     : &:r0_3, m0_4
+# 1041|     v1041_11(void)                                       = ReturnVoid                                   : 
+# 1041|     v1041_12(void)                                       = AliasedUse                                   : m1041_3
+# 1041|     v1041_13(void)                                       = ExitFunction                                 : 
+
 # 1041| char (void Lambda(int, String const&))::(lambda [] type at line 1041, col. 23)::operator()(float) const
 # 1041|   Block 0
 # 1041|     v1041_1(void)                             = EnterFunction                : 
@@ -8156,7 +8204,6 @@ ir.cpp:
 # 1376|     m1376_4(unknown)         = ^CallSideEffect                   : ~m1374_11
 # 1376|     m1376_5(unknown)         = Chi                               : total:m1374_11, partial:m1376_4
 # 1376|     m1376_6(String)          = Store[#temp1376:5]                : &:r1376_1, r1376_3
-# 1376|     r1376_7(String)          = Load[#temp1376:5]                 : &:r1376_1, m1376_6
 # 1377|     v1377_1(void)            = NoOp                              : 
 # 1365|     v1365_5(void)            = ReturnVoid                        : 
 # 1365|     v1365_6(void)            = AliasedUse                        : ~m1376_5
@@ -8232,7 +8279,6 @@ ir.cpp:
 # 1388|     m1388_4(unknown)                  = ^CallSideEffect                   : ~m1386_10
 # 1388|     m1388_5(unknown)                  = Chi                               : total:m1386_10, partial:m1388_4
 # 1388|     m1388_6(destructor_only)          = Store[#temp1388:5]                : &:r1388_1, r1388_3
-# 1388|     r1388_7(destructor_only)          = Load[#temp1388:5]                 : &:r1388_1, m1388_6
 # 1389|     v1389_1(void)                     = NoOp                              : 
 # 1379|     v1379_5(void)                     = ReturnVoid                        : 
 # 1379|     v1379_6(void)                     = AliasedUse                        : ~m1388_5
@@ -8327,7 +8373,6 @@ ir.cpp:
 # 1399|     m1399_4(unknown)                   = ^CallSideEffect                   : ~m1398_10
 # 1399|     m1399_5(unknown)                   = Chi                               : total:m1398_10, partial:m1399_4
 # 1399|     m1399_6(copy_constructor)          = Store[#temp1399:5]                : &:r1399_1, r1399_3
-# 1399|     r1399_7(copy_constructor)          = Load[#temp1399:5]                 : &:r1399_1, m1399_6
 # 1401|     r1401_1(glval<int>)                = VariableAddress[y]                : 
 # 1401|     r1401_2(glval<copy_constructor>)   = VariableAddress[#temp1401:13]     : 
 # 1401|     r1401_3(glval<unknown>)            = FunctionAddress[returnValue]      : 
@@ -9841,14 +9886,11 @@ ir.cpp:
 # 1713|     m1713_2(TrivialLambdaClass)               = Uninitialized[l1]             : &:r1713_1
 # 1714|     r1714_1(glval<TrivialLambdaClass &>)      = VariableAddress[l2]           : 
 # 1714|     r1714_2(glval<TrivialLambdaClass>)        = VariableAddress[#temp1714:36] : 
-# 1714|     r1714_3(glval<TrivialLambdaClass>)        = VariableAddress[#temp1714:36] : 
-# 1714|     r1714_4(TrivialLambdaClass)               = Constant[0]                   : 
-# 1714|     m1714_5(TrivialLambdaClass)               = Store[#temp1714:36]           : &:r1714_3, r1714_4
-# 1714|     r1714_6(TrivialLambdaClass)               = Load[#temp1714:36]            : &:r1714_3, m1714_5
-# 1714|     m1714_7(TrivialLambdaClass)               = Store[#temp1714:36]           : &:r1714_2, r1714_6
-# 1714|     r1714_8(glval<TrivialLambdaClass>)        = Convert                       : r1714_2
-# 1714|     r1714_9(TrivialLambdaClass &)             = CopyValue                     : r1714_8
-# 1714|     m1714_10(TrivialLambdaClass &)            = Store[l2]                     : &:r1714_1, r1714_9
+# 1714|     r1714_3(TrivialLambdaClass)               = Constant[0]                   : 
+# 1714|     m1714_4(TrivialLambdaClass)               = Store[#temp1714:36]           : &:r1714_2, r1714_3
+# 1714|     r1714_5(glval<TrivialLambdaClass>)        = Convert                       : r1714_2
+# 1714|     r1714_6(TrivialLambdaClass &)             = CopyValue                     : r1714_5
+# 1714|     m1714_7(TrivialLambdaClass &)             = Store[l2]                     : &:r1714_1, r1714_6
 # 1716|     r1716_1(glval<decltype([...](...){...})>) = VariableAddress[l_outer1]     : 
 # 1716|     r1716_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1716:20] : 
 # 1716|     m1716_3(decltype([...](...){...}))        = Uninitialized[#temp1716:20]   : &:r1716_2
@@ -9876,8 +9918,8 @@ ir.cpp:
 # 1716|     m1716_19(decltype([...](...){...}))       = Chi                           : total:m0_6, partial:m1716_18
 # 1716|     r1716_20(glval<TrivialLambdaClass>)       = FieldAddress[l2]              : r1716_2
 # 1716|     r1716_21(glval<TrivialLambdaClass &>)     = VariableAddress[l2]           : 
-# 1716|     r1716_22(TrivialLambdaClass &)            = Load[l2]                      : &:r1716_21, m1714_10
-#-----|     r0_7(TrivialLambdaClass)                  = Load[?]                       : &:r1716_22, m1714_7
+# 1716|     r1716_22(TrivialLambdaClass &)            = Load[l2]                      : &:r1716_21, m1714_7
+#-----|     r0_7(TrivialLambdaClass)                  = Load[?]                       : &:r1716_22, m1714_4
 #-----|     m0_8(TrivialLambdaClass)                  = Store[?]                      : &:r1716_20, r0_7
 #-----|     m0_9(decltype([...](...){...}))           = Chi                           : total:m1716_19, partial:m0_8
 # 1716|     r1716_23(decltype([...](...){...}))       = Load[#temp1716:20]            : &:r1716_2, m0_9
@@ -11011,7 +11053,7 @@ ir.cpp:
 # 1930|     r1930_1(int)        = Constant[40]       : 
 # 1930|     r1930_2(glval<int>) = VariableAddress[j] : 
 # 1930|     m1930_3(int)        = Store[j]           : &:r1930_2, r1930_1
-# 1930|     r1930_4(int)        = CopyValue          : r1930_1
+# 1930|     r1930_4(int)        = Load[j]            : &:r1930_2, m1930_3
 # 1930|     r1930_5(glval<int>) = VariableAddress[i] : 
 # 1930|     m1930_6(int)        = Store[i]           : &:r1930_5, r1930_4
 # 1931|     v1931_1(void)       = NoOp               : 
@@ -11035,8 +11077,9 @@ ir.cpp:
 # 1935|     r1935_3(int)        = Load[j]            : &:r1935_2, m1934_5
 # 1935|     r1935_4(int)        = Add                : r1935_3, r1935_1
 # 1935|     m1935_5(int)        = Store[j]           : &:r1935_2, r1935_4
-# 1935|     r1935_6(glval<int>) = VariableAddress[i] : 
-# 1935|     m1935_7(int)        = Store[i]           : &:r1935_6, r1935_4
+# 1935|     r1935_6(int)        = Load[j]            : &:r1935_2, m1935_5
+# 1935|     r1935_7(glval<int>) = VariableAddress[i] : 
+# 1935|     m1935_8(int)        = Store[i]           : &:r1935_7, r1935_6
 # 1936|     v1936_1(void)       = NoOp               : 
 # 1933|     v1933_5(void)       = ReturnVoid         : 
 # 1933|     v1933_6(void)       = AliasedUse         : m1933_3
@@ -12290,6 +12333,40 @@ ir.cpp:
 # 2098|     v2098_8(void)                           = AliasedUse                      : ~m2104_8
 # 2098|     v2098_9(void)                           = ExitFunction                    : 
 
+# 2109| char* test_strtod(char*)
+# 2109|   Block 0
+# 2109|     v2109_1(void)           = EnterFunction                  : 
+# 2109|     m2109_2(unknown)        = AliasedDefinition              : 
+# 2109|     m2109_3(unknown)        = InitializeNonLocal             : 
+# 2109|     m2109_4(unknown)        = Chi                            : total:m2109_2, partial:m2109_3
+# 2109|     r2109_5(glval<char *>)  = VariableAddress[s]             : 
+# 2109|     m2109_6(char *)         = InitializeParameter[s]         : &:r2109_5
+# 2109|     r2109_7(char *)         = Load[s]                        : &:r2109_5, m2109_6
+# 2109|     m2109_8(unknown)        = InitializeIndirection[s]       : &:r2109_7
+# 2110|     r2110_1(glval<char *>)  = VariableAddress[end]           : 
+# 2110|     m2110_2(char *)         = Uninitialized[end]             : &:r2110_1
+# 2111|     r2111_1(glval<double>)  = VariableAddress[d]             : 
+# 2111|     r2111_2(glval<unknown>) = FunctionAddress[strtod]        : 
+# 2111|     r2111_3(glval<char *>)  = VariableAddress[s]             : 
+# 2111|     r2111_4(char *)         = Load[s]                        : &:r2111_3, m2109_6
+# 2111|     r2111_5(char *)         = Convert                        : r2111_4
+# 2111|     r2111_6(glval<char *>)  = VariableAddress[end]           : 
+# 2111|     r2111_7(char **)        = CopyValue                      : r2111_6
+# 2111|     r2111_8(double)         = Call[strtod]                   : func:r2111_2, 0:r2111_5, 1:r2111_7
+# 2111|     v2111_9(void)           = ^BufferReadSideEffect[0]       : &:r2111_5, ~m2109_8
+# 2111|     m2111_10(char *)        = ^IndirectMayWriteSideEffect[1] : &:r2111_7
+# 2111|     m2111_11(char *)        = Chi                            : total:m2110_2, partial:m2111_10
+# 2111|     m2111_12(double)        = Store[d]                       : &:r2111_1, r2111_8
+# 2112|     r2112_1(glval<char *>)  = VariableAddress[#return]       : 
+# 2112|     r2112_2(glval<char *>)  = VariableAddress[end]           : 
+# 2112|     r2112_3(char *)         = Load[end]                      : &:r2112_2, m2111_11
+# 2112|     m2112_4(char *)         = Store[#return]                 : &:r2112_1, r2112_3
+# 2109|     v2109_9(void)           = ReturnIndirection[s]           : &:r2109_7, m2109_8
+# 2109|     r2109_10(glval<char *>) = VariableAddress[#return]       : 
+# 2109|     v2109_11(void)          = ReturnValue                    : &:r2109_10, m2112_4
+# 2109|     v2109_12(void)          = AliasedUse                     : m2109_3
+# 2109|     v2109_13(void)          = ExitFunction                   : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0

cpp/ql/test/library-tests/ir/ir/ir.cpp

@@ -2104,4 +2104,12 @@ void newArrayCorrectType(size_t n) {
   new int[n] { 0, 1, 2 };
 }
 
+double strtod (const char* str, char** endptr);
+
+char* test_strtod(char *s) {
+  char *end;
+  double d = strtod(s, &end);
+  return end;
+}
+
 // semmle-extractor-options: -std=c++17 --clang

cpp/ql/test/library-tests/ir/ir/operand_locations.expected

@@ -684,6 +684,10 @@
 | file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
+| file://:0:0:0:0 | Address | &:r0_1 |
 | file://:0:0:0:0 | Address | &:r0_2 |
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
@@ -712,6 +716,10 @@
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
+| file://:0:0:0:0 | Address | &:r0_3 |
 | file://:0:0:0:0 | Address | &:r0_4 |
 | file://:0:0:0:0 | Address | &:r0_4 |
 | file://:0:0:0:0 | Address | &:r0_5 |
@@ -811,6 +819,8 @@
 | file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m0_2 |
+| file://:0:0:0:0 | Load | m0_2 |
+| file://:0:0:0:0 | Load | m0_2 |
 | file://:0:0:0:0 | Load | m0_5 |
 | file://:0:0:0:0 | Load | m0_8 |
 | file://:0:0:0:0 | Load | m0_11 |
@@ -822,7 +832,7 @@
 | file://:0:0:0:0 | Load | m1466_4 |
 | file://:0:0:0:0 | Load | m1466_4 |
 | file://:0:0:0:0 | Load | m1685_9 |
-| file://:0:0:0:0 | Load | m1714_7 |
+| file://:0:0:0:0 | Load | m1714_4 |
 | file://:0:0:0:0 | Load | m1834_6 |
 | file://:0:0:0:0 | Load | m1834_6 |
 | file://:0:0:0:0 | Load | m1839_6 |
@@ -847,6 +857,8 @@
 | file://:0:0:0:0 | SideEffect | m0_4 |
 | file://:0:0:0:0 | SideEffect | m0_4 |
 | file://:0:0:0:0 | SideEffect | m0_4 |
+| file://:0:0:0:0 | SideEffect | m0_4 |
+| file://:0:0:0:0 | SideEffect | m0_4 |
 | file://:0:0:0:0 | SideEffect | m0_14 |
 | file://:0:0:0:0 | SideEffect | m1078_23 |
 | file://:0:0:0:0 | SideEffect | m1078_23 |
@@ -954,13 +966,14 @@
 | ir.c:9:14:9:19 | Unary | r9_5 |
 | ir.c:9:14:9:31 | ChiPartial | partial:m9_7 |
 | ir.c:9:14:9:31 | ChiTotal | total:m8_10 |
+| ir.c:9:14:9:31 | Load | m9_7 |
 | ir.c:9:14:9:31 | StoreValue | r9_9 |
 | ir.c:9:21:9:21 | Address | &:r9_6 |
+| ir.c:9:21:9:21 | Address | &:r9_6 |
 | ir.c:9:25:9:27 | Address | &:r9_1 |
 | ir.c:9:25:9:27 | Left | r9_2 |
 | ir.c:9:25:9:27 | Load | m7_6 |
 | ir.c:9:25:9:31 | StoreValue | r9_4 |
-| ir.c:9:25:9:31 | Unary | r9_4 |
 | ir.c:9:31:9:31 | Right | r9_3 |
 | ir.c:10:3:10:8 | Unary | r10_10 |
 | ir.c:10:3:10:26 | ChiPartial | partial:m10_12 |
@@ -1329,18 +1342,22 @@
 | ir.cpp:98:6:98:19 | SideEffect | m98_3 |
 | ir.cpp:98:25:98:25 | Address | &:r98_5 |
 | ir.cpp:99:9:99:9 | Address | &:r99_1 |
-| ir.cpp:101:5:101:5 | Address | &:r101_6 |
+| ir.cpp:101:5:101:5 | Address | &:r101_7 |
+| ir.cpp:101:9:101:11 | Load | m101_5 |
 | ir.cpp:101:9:101:11 | Right | r101_3 |
 | ir.cpp:101:9:101:11 | StoreValue | r101_4 |
-| ir.cpp:101:9:101:11 | StoreValue | r101_4 |
+| ir.cpp:101:9:101:11 | StoreValue | r101_6 |
+| ir.cpp:101:11:101:11 | Address | &:r101_1 |
 | ir.cpp:101:11:101:11 | Address | &:r101_1 |
 | ir.cpp:101:11:101:11 | Address | &:r101_1 |
 | ir.cpp:101:11:101:11 | Left | r101_2 |
 | ir.cpp:101:11:101:11 | Load | m98_6 |
-| ir.cpp:102:5:102:5 | Address | &:r102_6 |
+| ir.cpp:102:5:102:5 | Address | &:r102_7 |
+| ir.cpp:102:9:102:11 | Load | m102_5 |
 | ir.cpp:102:9:102:11 | Right | r102_3 |
 | ir.cpp:102:9:102:11 | StoreValue | r102_4 |
-| ir.cpp:102:9:102:11 | StoreValue | r102_4 |
+| ir.cpp:102:9:102:11 | StoreValue | r102_6 |
+| ir.cpp:102:11:102:11 | Address | &:r102_1 |
 | ir.cpp:102:11:102:11 | Address | &:r102_1 |
 | ir.cpp:102:11:102:11 | Address | &:r102_1 |
 | ir.cpp:102:11:102:11 | Left | r102_2 |
@@ -1531,18 +1548,22 @@
 | ir.cpp:144:6:144:17 | SideEffect | m144_3 |
 | ir.cpp:144:25:144:25 | Address | &:r144_5 |
 | ir.cpp:145:11:145:11 | Address | &:r145_1 |
-| ir.cpp:147:5:147:5 | Address | &:r147_6 |
+| ir.cpp:147:5:147:5 | Address | &:r147_7 |
+| ir.cpp:147:9:147:11 | Load | m147_5 |
 | ir.cpp:147:9:147:11 | Right | r147_3 |
 | ir.cpp:147:9:147:11 | StoreValue | r147_4 |
-| ir.cpp:147:9:147:11 | StoreValue | r147_4 |
+| ir.cpp:147:9:147:11 | StoreValue | r147_6 |
+| ir.cpp:147:11:147:11 | Address | &:r147_1 |
 | ir.cpp:147:11:147:11 | Address | &:r147_1 |
 | ir.cpp:147:11:147:11 | Address | &:r147_1 |
 | ir.cpp:147:11:147:11 | Left | r147_2 |
 | ir.cpp:147:11:147:11 | Load | m144_6 |
-| ir.cpp:148:5:148:5 | Address | &:r148_6 |
+| ir.cpp:148:5:148:5 | Address | &:r148_7 |
+| ir.cpp:148:9:148:11 | Load | m148_5 |
 | ir.cpp:148:9:148:11 | Right | r148_3 |
 | ir.cpp:148:9:148:11 | StoreValue | r148_4 |
-| ir.cpp:148:9:148:11 | StoreValue | r148_4 |
+| ir.cpp:148:9:148:11 | StoreValue | r148_6 |
+| ir.cpp:148:11:148:11 | Address | &:r148_1 |
 | ir.cpp:148:11:148:11 | Address | &:r148_1 |
 | ir.cpp:148:11:148:11 | Address | &:r148_1 |
 | ir.cpp:148:11:148:11 | Left | r148_2 |
@@ -1840,18 +1861,22 @@
 | ir.cpp:204:26:204:26 | Load | m204_6 |
 | ir.cpp:204:26:204:26 | SideEffect | m204_8 |
 | ir.cpp:205:10:205:10 | Address | &:r205_1 |
-| ir.cpp:207:5:207:5 | Address | &:r207_6 |
+| ir.cpp:207:5:207:5 | Address | &:r207_7 |
+| ir.cpp:207:9:207:11 | Load | m207_5 |
 | ir.cpp:207:9:207:11 | Right | r207_3 |
 | ir.cpp:207:9:207:11 | StoreValue | r207_4 |
-| ir.cpp:207:9:207:11 | StoreValue | r207_4 |
+| ir.cpp:207:9:207:11 | StoreValue | r207_6 |
+| ir.cpp:207:11:207:11 | Address | &:r207_1 |
 | ir.cpp:207:11:207:11 | Address | &:r207_1 |
 | ir.cpp:207:11:207:11 | Address | &:r207_1 |
 | ir.cpp:207:11:207:11 | Left | r207_2 |
 | ir.cpp:207:11:207:11 | Load | m204_6 |
-| ir.cpp:208:5:208:5 | Address | &:r208_6 |
+| ir.cpp:208:5:208:5 | Address | &:r208_7 |
+| ir.cpp:208:9:208:11 | Load | m208_5 |
 | ir.cpp:208:9:208:11 | Right | r208_3 |
 | ir.cpp:208:9:208:11 | StoreValue | r208_4 |
-| ir.cpp:208:9:208:11 | StoreValue | r208_4 |
+| ir.cpp:208:9:208:11 | StoreValue | r208_6 |
+| ir.cpp:208:11:208:11 | Address | &:r208_1 |
 | ir.cpp:208:11:208:11 | Address | &:r208_1 |
 | ir.cpp:208:11:208:11 | Address | &:r208_1 |
 | ir.cpp:208:11:208:11 | Left | r208_2 |
@@ -4947,6 +4972,15 @@
 | ir.cpp:1035:15:1035:15 | Address | &:r1035_1 |
 | ir.cpp:1038:6:1038:8 | Address | &:r1038_3 |
 | ir.cpp:1038:6:1038:8 | SideEffect | ~m1038_8 |
+| ir.cpp:1038:12:1038:12 | Address | &:r1038_5 |
+| ir.cpp:1038:12:1038:12 | Address | &:r1038_5 |
+| ir.cpp:1038:12:1038:12 | Address | &:r1038_7 |
+| ir.cpp:1038:12:1038:12 | Address | &:r1038_7 |
+| ir.cpp:1038:12:1038:12 | ChiPartial | partial:m1038_3 |
+| ir.cpp:1038:12:1038:12 | ChiTotal | total:m1038_2 |
+| ir.cpp:1038:12:1038:12 | Load | m1038_6 |
+| ir.cpp:1038:12:1038:12 | SideEffect | m1038_3 |
+| ir.cpp:1038:12:1038:12 | SideEffect | m1038_8 |
 | ir.cpp:1038:12:1038:18 | Address | &:r1038_4 |
 | ir.cpp:1038:12:1038:18 | Address | &:r1038_4 |
 | ir.cpp:1038:12:1038:18 | ChiPartial | partial:m1038_7 |
@@ -4986,6 +5020,15 @@
 | ir.cpp:1040:34:1040:34 | Load | m1040_8 |
 | ir.cpp:1040:34:1040:34 | SideEffect | m1040_10 |
 | ir.cpp:1041:8:1041:19 | Address | &:r1041_1 |
+| ir.cpp:1041:23:1041:23 | Address | &:r1041_5 |
+| ir.cpp:1041:23:1041:23 | Address | &:r1041_5 |
+| ir.cpp:1041:23:1041:23 | Address | &:r1041_7 |
+| ir.cpp:1041:23:1041:23 | Address | &:r1041_7 |
+| ir.cpp:1041:23:1041:23 | ChiPartial | partial:m1041_3 |
+| ir.cpp:1041:23:1041:23 | ChiTotal | total:m1041_2 |
+| ir.cpp:1041:23:1041:23 | Load | m1041_6 |
+| ir.cpp:1041:23:1041:23 | SideEffect | m1041_3 |
+| ir.cpp:1041:23:1041:23 | SideEffect | m1041_8 |
 | ir.cpp:1041:23:1041:49 | Address | &:r1041_2 |
 | ir.cpp:1041:23:1041:49 | Address | &:r1041_2 |
 | ir.cpp:1041:23:1041:49 | Load | m1041_3 |
@@ -6610,8 +6653,6 @@
 | ir.cpp:1376:5:1376:28 | SideEffect | ~m1374_11 |
 | ir.cpp:1376:5:1376:28 | StoreValue | r1376_3 |
 | ir.cpp:1376:5:1376:30 | Address | &:r1376_1 |
-| ir.cpp:1376:5:1376:30 | Address | &:r1376_1 |
-| ir.cpp:1376:5:1376:30 | Load | m1376_6 |
 | ir.cpp:1379:6:1379:30 | ChiPartial | partial:m1379_3 |
 | ir.cpp:1379:6:1379:30 | ChiTotal | total:m1379_2 |
 | ir.cpp:1379:6:1379:30 | SideEffect | ~m1388_5 |
@@ -6686,8 +6727,6 @@
 | ir.cpp:1388:5:1388:37 | SideEffect | ~m1386_10 |
 | ir.cpp:1388:5:1388:37 | StoreValue | r1388_3 |
 | ir.cpp:1388:5:1388:39 | Address | &:r1388_1 |
-| ir.cpp:1388:5:1388:39 | Address | &:r1388_1 |
-| ir.cpp:1388:5:1388:39 | Load | m1388_6 |
 | ir.cpp:1391:6:1391:31 | ChiPartial | partial:m1391_3 |
 | ir.cpp:1391:6:1391:31 | ChiTotal | total:m1391_2 |
 | ir.cpp:1391:6:1391:31 | SideEffect | ~m1401_6 |
@@ -6787,8 +6826,6 @@
 | ir.cpp:1399:5:1399:38 | SideEffect | ~m1398_10 |
 | ir.cpp:1399:5:1399:38 | StoreValue | r1399_3 |
 | ir.cpp:1399:5:1399:40 | Address | &:r1399_1 |
-| ir.cpp:1399:5:1399:40 | Address | &:r1399_1 |
-| ir.cpp:1399:5:1399:40 | Load | m1399_6 |
 | ir.cpp:1401:9:1401:9 | Address | &:r1401_1 |
 | ir.cpp:1401:13:1401:41 | CallTarget | func:r1401_3 |
 | ir.cpp:1401:13:1401:41 | ChiPartial | partial:m1401_5 |
@@ -8171,14 +8208,10 @@
 | ir.cpp:1713:30:1713:31 | Address | &:r1713_1 |
 | ir.cpp:1714:31:1714:32 | Address | &:r1714_1 |
 | ir.cpp:1714:36:1714:55 | Address | &:r1714_2 |
-| ir.cpp:1714:36:1714:55 | Address | &:r1714_3 |
-| ir.cpp:1714:36:1714:55 | Address | &:r1714_3 |
-| ir.cpp:1714:36:1714:55 | Load | m1714_5 |
-| ir.cpp:1714:36:1714:55 | StoreValue | r1714_4 |
+| ir.cpp:1714:36:1714:55 | StoreValue | r1714_3 |
 | ir.cpp:1714:36:1714:55 | StoreValue | r1714_6 |
-| ir.cpp:1714:36:1714:55 | StoreValue | r1714_9 |
 | ir.cpp:1714:36:1714:55 | Unary | r1714_2 |
-| ir.cpp:1714:36:1714:55 | Unary | r1714_8 |
+| ir.cpp:1714:36:1714:55 | Unary | r1714_5 |
 | ir.cpp:1716:10:1716:17 | Address | &:r1716_1 |
 | ir.cpp:1716:20:1718:5 | Address | &:r1716_2 |
 | ir.cpp:1716:20:1718:5 | Address | &:r1716_2 |
@@ -8204,7 +8237,7 @@
 | ir.cpp:1716:20:1718:5 | Load | m1712_8 |
 | ir.cpp:1716:20:1718:5 | Load | m1712_12 |
 | ir.cpp:1716:20:1718:5 | Load | m1713_2 |
-| ir.cpp:1716:20:1718:5 | Load | m1714_10 |
+| ir.cpp:1716:20:1718:5 | Load | m1714_7 |
 | ir.cpp:1716:20:1718:5 | StoreValue | r1716_6 |
 | ir.cpp:1716:20:1718:5 | StoreValue | r1716_17 |
 | ir.cpp:1716:20:1718:5 | StoreValue | r1716_23 |
@@ -9037,22 +9070,25 @@
 | ir.cpp:1929:10:1929:10 | Address | &:r1929_3 |
 | ir.cpp:1930:3:1930:3 | Address | &:r1930_5 |
 | ir.cpp:1930:7:1930:7 | Address | &:r1930_2 |
+| ir.cpp:1930:7:1930:7 | Address | &:r1930_2 |
+| ir.cpp:1930:7:1930:12 | Load | m1930_3 |
 | ir.cpp:1930:7:1930:12 | StoreValue | r1930_4 |
 | ir.cpp:1930:11:1930:12 | StoreValue | r1930_1 |
-| ir.cpp:1930:11:1930:12 | Unary | r1930_1 |
 | ir.cpp:1933:6:1933:38 | ChiPartial | partial:m1933_3 |
 | ir.cpp:1933:6:1933:38 | ChiTotal | total:m1933_2 |
 | ir.cpp:1933:6:1933:38 | SideEffect | m1933_3 |
 | ir.cpp:1934:7:1934:7 | Address | &:r1934_1 |
 | ir.cpp:1934:10:1934:10 | Address | &:r1934_3 |
 | ir.cpp:1934:13:1934:14 | StoreValue | r1934_4 |
-| ir.cpp:1935:3:1935:3 | Address | &:r1935_6 |
+| ir.cpp:1935:3:1935:3 | Address | &:r1935_7 |
+| ir.cpp:1935:8:1935:8 | Address | &:r1935_2 |
 | ir.cpp:1935:8:1935:8 | Address | &:r1935_2 |
 | ir.cpp:1935:8:1935:8 | Address | &:r1935_2 |
 | ir.cpp:1935:8:1935:8 | Left | r1935_3 |
 | ir.cpp:1935:8:1935:8 | Load | m1934_5 |
+| ir.cpp:1935:8:1935:14 | Load | m1935_5 |
 | ir.cpp:1935:8:1935:14 | StoreValue | r1935_4 |
-| ir.cpp:1935:8:1935:14 | StoreValue | r1935_4 |
+| ir.cpp:1935:8:1935:14 | StoreValue | r1935_6 |
 | ir.cpp:1935:13:1935:14 | Right | r1935_1 |
 | ir.cpp:1942:15:1942:43 | Address | &:r1942_5 |
 | ir.cpp:1942:15:1942:43 | ChiPartial | partial:m1942_3 |
@@ -9968,6 +10004,36 @@
 | ir.cpp:2104:11:2104:11 | Address | &:r2104_2 |
 | ir.cpp:2104:11:2104:11 | Left | r2104_3 |
 | ir.cpp:2104:11:2104:11 | Load | m2098_6 |
+| ir.cpp:2109:7:2109:17 | Address | &:r2109_10 |
+| ir.cpp:2109:7:2109:17 | ChiPartial | partial:m2109_3 |
+| ir.cpp:2109:7:2109:17 | ChiTotal | total:m2109_2 |
+| ir.cpp:2109:7:2109:17 | Load | m2112_4 |
+| ir.cpp:2109:7:2109:17 | SideEffect | m2109_3 |
+| ir.cpp:2109:25:2109:25 | Address | &:r2109_5 |
+| ir.cpp:2109:25:2109:25 | Address | &:r2109_5 |
+| ir.cpp:2109:25:2109:25 | Address | &:r2109_7 |
+| ir.cpp:2109:25:2109:25 | Address | &:r2109_7 |
+| ir.cpp:2109:25:2109:25 | Load | m2109_6 |
+| ir.cpp:2109:25:2109:25 | SideEffect | m2109_8 |
+| ir.cpp:2110:9:2110:11 | Address | &:r2110_1 |
+| ir.cpp:2111:10:2111:10 | Address | &:r2111_1 |
+| ir.cpp:2111:14:2111:19 | CallTarget | func:r2111_2 |
+| ir.cpp:2111:14:2111:19 | StoreValue | r2111_8 |
+| ir.cpp:2111:21:2111:21 | Address | &:r2111_3 |
+| ir.cpp:2111:21:2111:21 | Address | &:r2111_5 |
+| ir.cpp:2111:21:2111:21 | Arg(0) | 0:r2111_5 |
+| ir.cpp:2111:21:2111:21 | Load | m2109_6 |
+| ir.cpp:2111:21:2111:21 | SideEffect | ~m2109_8 |
+| ir.cpp:2111:21:2111:21 | Unary | r2111_4 |
+| ir.cpp:2111:24:2111:27 | Address | &:r2111_7 |
+| ir.cpp:2111:24:2111:27 | Arg(1) | 1:r2111_7 |
+| ir.cpp:2111:24:2111:27 | ChiPartial | partial:m2111_10 |
+| ir.cpp:2111:24:2111:27 | ChiTotal | total:m2110_2 |
+| ir.cpp:2111:25:2111:27 | Unary | r2111_6 |
+| ir.cpp:2112:3:2112:13 | Address | &:r2112_1 |
+| ir.cpp:2112:10:2112:12 | Address | &:r2112_2 |
+| ir.cpp:2112:10:2112:12 | Load | m2111_11 |
+| ir.cpp:2112:10:2112:12 | StoreValue | r2112_3 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -747,7 +747,7 @@ ir.c:
 #    9|     r9_5(glval<(unnamed class/struct/union)>)  = VariableAddress[coords]      : 
 #    9|     r9_6(glval<int>)                           = FieldAddress[y]              : r9_5
 #    9|     mu9_7(int)                                 = Store[?]                     : &:r9_6, r9_4
-#    9|     r9_8(int)                                  = CopyValue                    : r9_4
+#    9|     r9_8(int)                                  = Load[?]                      : &:r9_6, ~m?
 #    9|     r9_9(glval<(unnamed class/struct/union)>)  = VariableAddress[coords]      : 
 #    9|     r9_10(glval<int>)                          = FieldAddress[x]              : r9_9
 #    9|     mu9_11(int)                                = Store[?]                     : &:r9_10, r9_8
@@ -1159,15 +1159,17 @@ ir.cpp:
 #  101|     r101_3(int)        = Constant[1]            : 
 #  101|     r101_4(int)        = Add                    : r101_2, r101_3
 #  101|     mu101_5(int)       = Store[x]               : &:r101_1, r101_4
-#  101|     r101_6(glval<int>) = VariableAddress[y]     : 
-#  101|     mu101_7(int)       = Store[y]               : &:r101_6, r101_4
+#  101|     r101_6(int)        = Load[x]                : &:r101_1, ~m?
+#  101|     r101_7(glval<int>) = VariableAddress[y]     : 
+#  101|     mu101_8(int)       = Store[y]               : &:r101_7, r101_6
 #  102|     r102_1(glval<int>) = VariableAddress[x]     : 
 #  102|     r102_2(int)        = Load[x]                : &:r102_1, ~m?
 #  102|     r102_3(int)        = Constant[1]            : 
 #  102|     r102_4(int)        = Sub                    : r102_2, r102_3
 #  102|     mu102_5(int)       = Store[x]               : &:r102_1, r102_4
-#  102|     r102_6(glval<int>) = VariableAddress[y]     : 
-#  102|     mu102_7(int)       = Store[y]               : &:r102_6, r102_4
+#  102|     r102_6(int)        = Load[x]                : &:r102_1, ~m?
+#  102|     r102_7(glval<int>) = VariableAddress[y]     : 
+#  102|     mu102_8(int)       = Store[y]               : &:r102_7, r102_6
 #  103|     r103_1(glval<int>) = VariableAddress[x]     : 
 #  103|     r103_2(int)        = Load[x]                : &:r103_1, ~m?
 #  103|     r103_3(int)        = Constant[1]            : 
@@ -1375,15 +1377,17 @@ ir.cpp:
 #  147|     r147_3(float)        = Constant[1.0]          : 
 #  147|     r147_4(float)        = Add                    : r147_2, r147_3
 #  147|     mu147_5(float)       = Store[x]               : &:r147_1, r147_4
-#  147|     r147_6(glval<float>) = VariableAddress[y]     : 
-#  147|     mu147_7(float)       = Store[y]               : &:r147_6, r147_4
+#  147|     r147_6(float)        = Load[x]                : &:r147_1, ~m?
+#  147|     r147_7(glval<float>) = VariableAddress[y]     : 
+#  147|     mu147_8(float)       = Store[y]               : &:r147_7, r147_6
 #  148|     r148_1(glval<float>) = VariableAddress[x]     : 
 #  148|     r148_2(float)        = Load[x]                : &:r148_1, ~m?
 #  148|     r148_3(float)        = Constant[1.0]          : 
 #  148|     r148_4(float)        = Sub                    : r148_2, r148_3
 #  148|     mu148_5(float)       = Store[x]               : &:r148_1, r148_4
-#  148|     r148_6(glval<float>) = VariableAddress[y]     : 
-#  148|     mu148_7(float)       = Store[y]               : &:r148_6, r148_4
+#  148|     r148_6(float)        = Load[x]                : &:r148_1, ~m?
+#  148|     r148_7(glval<float>) = VariableAddress[y]     : 
+#  148|     mu148_8(float)       = Store[y]               : &:r148_7, r148_6
 #  149|     r149_1(glval<float>) = VariableAddress[x]     : 
 #  149|     r149_2(float)        = Load[x]                : &:r149_1, ~m?
 #  149|     r149_3(float)        = Constant[1.0]          : 
@@ -1682,15 +1686,17 @@ ir.cpp:
 #  207|     r207_3(int)          = Constant[1]              : 
 #  207|     r207_4(int *)        = PointerAdd[4]            : r207_2, r207_3
 #  207|     mu207_5(int *)       = Store[p]                 : &:r207_1, r207_4
-#  207|     r207_6(glval<int *>) = VariableAddress[q]       : 
-#  207|     mu207_7(int *)       = Store[q]                 : &:r207_6, r207_4
+#  207|     r207_6(int *)        = Load[p]                  : &:r207_1, ~m?
+#  207|     r207_7(glval<int *>) = VariableAddress[q]       : 
+#  207|     mu207_8(int *)       = Store[q]                 : &:r207_7, r207_6
 #  208|     r208_1(glval<int *>) = VariableAddress[p]       : 
 #  208|     r208_2(int *)        = Load[p]                  : &:r208_1, ~m?
 #  208|     r208_3(int)          = Constant[1]              : 
 #  208|     r208_4(int *)        = PointerSub[4]            : r208_2, r208_3
 #  208|     mu208_5(int *)       = Store[p]                 : &:r208_1, r208_4
-#  208|     r208_6(glval<int *>) = VariableAddress[q]       : 
-#  208|     mu208_7(int *)       = Store[q]                 : &:r208_6, r208_4
+#  208|     r208_6(int *)        = Load[p]                  : &:r208_1, ~m?
+#  208|     r208_7(glval<int *>) = VariableAddress[q]       : 
+#  208|     mu208_8(int *)       = Store[q]                 : &:r208_7, r208_6
 #  209|     r209_1(glval<int *>) = VariableAddress[p]       : 
 #  209|     r209_2(int *)        = Load[p]                  : &:r209_1, ~m?
 #  209|     r209_3(int)          = Constant[1]              : 
@@ -5746,6 +5752,26 @@ ir.cpp:
 # 1038|     v1038_9(void)                             = AliasedUse                    : ~m?
 # 1038|     v1038_10(void)                            = ExitFunction                  : 
 
+# 1038| void (lambda [] type at line 1038, col. 12)::(unnamed constructor)((lambda [] type at line 1038, col. 12)&&)
+# 1038|   Block 0
+# 1038|     v1038_1(void)                                        = EnterFunction                                : 
+# 1038|     mu1038_2(unknown)                                    = AliasedDefinition                            : 
+# 1038|     mu1038_3(unknown)                                    = InitializeNonLocal                           : 
+# 1038|     r1038_4(glval<unknown>)                              = VariableAddress[#this]                       : 
+# 1038|     mu1038_5(glval<decltype([...](...){...})>)           = InitializeParameter[#this]                   : &:r1038_4
+# 1038|     r1038_6(glval<decltype([...](...){...})>)            = Load[#this]                                  : &:r1038_4, ~m?
+# 1038|     mu1038_7(decltype([...](...){...}))                  = InitializeIndirection[#this]                 : &:r1038_6
+#-----|     r0_1(glval<lambda [] type at line 1038, col. 12 &&>) = VariableAddress[(unnamed parameter 0)]       : 
+#-----|     mu0_2(lambda [] type at line 1038, col. 12 &&)       = InitializeParameter[(unnamed parameter 0)]   : &:r0_1
+#-----|     r0_3(lambda [] type at line 1038, col. 12 &&)        = Load[(unnamed parameter 0)]                  : &:r0_1, ~m?
+#-----|     mu0_4(unknown)                                       = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
+# 1038|     v1038_8(void)                                        = NoOp                                         : 
+# 1038|     v1038_9(void)                                        = ReturnIndirection[#this]                     : &:r1038_6, ~m?
+#-----|     v0_5(void)                                           = ReturnIndirection[(unnamed parameter 0)]     : &:r0_3, ~m?
+# 1038|     v1038_10(void)                                       = ReturnVoid                                   : 
+# 1038|     v1038_11(void)                                       = AliasedUse                                   : ~m?
+# 1038|     v1038_12(void)                                       = ExitFunction                                 : 
+
 # 1038| void (lambda [] type at line 1038, col. 12)::operator()() const
 # 1038|   Block 0
 # 1038|     v1038_1(void)                              = EnterFunction                : 
@@ -5940,6 +5966,26 @@ ir.cpp:
 # 1040|     v1040_12(void)                            = AliasedUse                             : ~m?
 # 1040|     v1040_13(void)                            = ExitFunction                           : 
 
+# 1041| void (void Lambda(int, String const&))::(lambda [] type at line 1041, col. 23)::(unnamed constructor)((void Lambda(int, String const&))::(lambda [] type at line 1041, col. 23)&&)
+# 1041|   Block 0
+# 1041|     v1041_1(void)                                        = EnterFunction                                : 
+# 1041|     mu1041_2(unknown)                                    = AliasedDefinition                            : 
+# 1041|     mu1041_3(unknown)                                    = InitializeNonLocal                           : 
+# 1041|     r1041_4(glval<unknown>)                              = VariableAddress[#this]                       : 
+# 1041|     mu1041_5(glval<decltype([...](...){...})>)           = InitializeParameter[#this]                   : &:r1041_4
+# 1041|     r1041_6(glval<decltype([...](...){...})>)            = Load[#this]                                  : &:r1041_4, ~m?
+# 1041|     mu1041_7(decltype([...](...){...}))                  = InitializeIndirection[#this]                 : &:r1041_6
+#-----|     r0_1(glval<lambda [] type at line 1041, col. 23 &&>) = VariableAddress[(unnamed parameter 0)]       : 
+#-----|     mu0_2(lambda [] type at line 1041, col. 23 &&)       = InitializeParameter[(unnamed parameter 0)]   : &:r0_1
+#-----|     r0_3(lambda [] type at line 1041, col. 23 &&)        = Load[(unnamed parameter 0)]                  : &:r0_1, ~m?
+#-----|     mu0_4(unknown)                                       = InitializeIndirection[(unnamed parameter 0)] : &:r0_3
+# 1041|     v1041_8(void)                                        = NoOp                                         : 
+# 1041|     v1041_9(void)                                        = ReturnIndirection[#this]                     : &:r1041_6, ~m?
+#-----|     v0_5(void)                                           = ReturnIndirection[(unnamed parameter 0)]     : &:r0_3, ~m?
+# 1041|     v1041_10(void)                                       = ReturnVoid                                   : 
+# 1041|     v1041_11(void)                                       = AliasedUse                                   : ~m?
+# 1041|     v1041_12(void)                                       = ExitFunction                                 : 
+
 # 1041| char (void Lambda(int, String const&))::(lambda [] type at line 1041, col. 23)::operator()(float) const
 # 1041|   Block 0
 # 1041|     v1041_1(void)                              = EnterFunction                : 
@@ -7697,7 +7743,6 @@ ir.cpp:
 # 1376|     r1376_3(String)          = Call[defaultConstruct]            : func:r1376_2
 # 1376|     mu1376_4(unknown)        = ^CallSideEffect                   : ~m?
 # 1376|     mu1376_5(String)         = Store[#temp1376:5]                : &:r1376_1, r1376_3
-# 1376|     r1376_6(String)          = Load[#temp1376:5]                 : &:r1376_1, ~m?
 # 1377|     v1377_1(void)            = NoOp                              : 
 # 1365|     v1365_4(void)            = ReturnVoid                        : 
 # 1365|     v1365_5(void)            = AliasedUse                        : ~m?
@@ -7762,7 +7807,6 @@ ir.cpp:
 # 1388|     r1388_3(destructor_only)          = Call[defaultConstruct]            : func:r1388_2
 # 1388|     mu1388_4(unknown)                 = ^CallSideEffect                   : ~m?
 # 1388|     mu1388_5(destructor_only)         = Store[#temp1388:5]                : &:r1388_1, r1388_3
-# 1388|     r1388_6(destructor_only)          = Load[#temp1388:5]                 : &:r1388_1, ~m?
 # 1389|     v1389_1(void)                     = NoOp                              : 
 # 1379|     v1379_4(void)                     = ReturnVoid                        : 
 # 1379|     v1379_5(void)                     = AliasedUse                        : ~m?
@@ -7840,7 +7884,6 @@ ir.cpp:
 # 1399|     r1399_3(copy_constructor)          = Call[defaultConstruct]            : func:r1399_2
 # 1399|     mu1399_4(unknown)                  = ^CallSideEffect                   : ~m?
 # 1399|     mu1399_5(copy_constructor)         = Store[#temp1399:5]                : &:r1399_1, r1399_3
-# 1399|     r1399_6(copy_constructor)          = Load[#temp1399:5]                 : &:r1399_1, ~m?
 # 1401|     r1401_1(glval<int>)                = VariableAddress[y]                : 
 # 1401|     r1401_2(glval<copy_constructor>)   = VariableAddress[#temp1401:13]     : 
 # 1401|     r1401_3(glval<unknown>)            = FunctionAddress[returnValue]      : 
@@ -9241,14 +9284,11 @@ ir.cpp:
 # 1713|     mu1713_2(TrivialLambdaClass)              = Uninitialized[l1]             : &:r1713_1
 # 1714|     r1714_1(glval<TrivialLambdaClass &>)      = VariableAddress[l2]           : 
 # 1714|     r1714_2(glval<TrivialLambdaClass>)        = VariableAddress[#temp1714:36] : 
-# 1714|     r1714_3(glval<TrivialLambdaClass>)        = VariableAddress[#temp1714:36] : 
-# 1714|     r1714_4(TrivialLambdaClass)               = Constant[0]                   : 
-# 1714|     mu1714_5(TrivialLambdaClass)              = Store[#temp1714:36]           : &:r1714_3, r1714_4
-# 1714|     r1714_6(TrivialLambdaClass)               = Load[#temp1714:36]            : &:r1714_3, ~m?
-# 1714|     mu1714_7(TrivialLambdaClass)              = Store[#temp1714:36]           : &:r1714_2, r1714_6
-# 1714|     r1714_8(glval<TrivialLambdaClass>)        = Convert                       : r1714_2
-# 1714|     r1714_9(TrivialLambdaClass &)             = CopyValue                     : r1714_8
-# 1714|     mu1714_10(TrivialLambdaClass &)           = Store[l2]                     : &:r1714_1, r1714_9
+# 1714|     r1714_3(TrivialLambdaClass)               = Constant[0]                   : 
+# 1714|     mu1714_4(TrivialLambdaClass)              = Store[#temp1714:36]           : &:r1714_2, r1714_3
+# 1714|     r1714_5(glval<TrivialLambdaClass>)        = Convert                       : r1714_2
+# 1714|     r1714_6(TrivialLambdaClass &)             = CopyValue                     : r1714_5
+# 1714|     mu1714_7(TrivialLambdaClass &)            = Store[l2]                     : &:r1714_1, r1714_6
 # 1716|     r1716_1(glval<decltype([...](...){...})>) = VariableAddress[l_outer1]     : 
 # 1716|     r1716_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1716:20] : 
 # 1716|     mu1716_3(decltype([...](...){...}))       = Uninitialized[#temp1716:20]   : &:r1716_2
@@ -10330,7 +10370,7 @@ ir.cpp:
 # 1930|     r1930_1(int)        = Constant[40]       : 
 # 1930|     r1930_2(glval<int>) = VariableAddress[j] : 
 # 1930|     mu1930_3(int)       = Store[j]           : &:r1930_2, r1930_1
-# 1930|     r1930_4(int)        = CopyValue          : r1930_1
+# 1930|     r1930_4(int)        = Load[j]            : &:r1930_2, ~m?
 # 1930|     r1930_5(glval<int>) = VariableAddress[i] : 
 # 1930|     mu1930_6(int)       = Store[i]           : &:r1930_5, r1930_4
 # 1931|     v1931_1(void)       = NoOp               : 
@@ -10353,8 +10393,9 @@ ir.cpp:
 # 1935|     r1935_3(int)        = Load[j]            : &:r1935_2, ~m?
 # 1935|     r1935_4(int)        = Add                : r1935_3, r1935_1
 # 1935|     mu1935_5(int)       = Store[j]           : &:r1935_2, r1935_4
-# 1935|     r1935_6(glval<int>) = VariableAddress[i] : 
-# 1935|     mu1935_7(int)       = Store[i]           : &:r1935_6, r1935_4
+# 1935|     r1935_6(int)        = Load[j]            : &:r1935_2, ~m?
+# 1935|     r1935_7(glval<int>) = VariableAddress[i] : 
+# 1935|     mu1935_8(int)       = Store[i]           : &:r1935_7, r1935_6
 # 1936|     v1936_1(void)       = NoOp               : 
 # 1933|     v1933_4(void)       = ReturnVoid         : 
 # 1933|     v1933_5(void)       = AliasedUse         : ~m?
@@ -11497,6 +11538,38 @@ ir.cpp:
 # 2098|     v2098_7(void)                          = AliasedUse                      : ~m?
 # 2098|     v2098_8(void)                          = ExitFunction                    : 
 
+# 2109| char* test_strtod(char*)
+# 2109|   Block 0
+# 2109|     v2109_1(void)           = EnterFunction                  : 
+# 2109|     mu2109_2(unknown)       = AliasedDefinition              : 
+# 2109|     mu2109_3(unknown)       = InitializeNonLocal             : 
+# 2109|     r2109_4(glval<char *>)  = VariableAddress[s]             : 
+# 2109|     mu2109_5(char *)        = InitializeParameter[s]         : &:r2109_4
+# 2109|     r2109_6(char *)         = Load[s]                        : &:r2109_4, ~m?
+# 2109|     mu2109_7(unknown)       = InitializeIndirection[s]       : &:r2109_6
+# 2110|     r2110_1(glval<char *>)  = VariableAddress[end]           : 
+# 2110|     mu2110_2(char *)        = Uninitialized[end]             : &:r2110_1
+# 2111|     r2111_1(glval<double>)  = VariableAddress[d]             : 
+# 2111|     r2111_2(glval<unknown>) = FunctionAddress[strtod]        : 
+# 2111|     r2111_3(glval<char *>)  = VariableAddress[s]             : 
+# 2111|     r2111_4(char *)         = Load[s]                        : &:r2111_3, ~m?
+# 2111|     r2111_5(char *)         = Convert                        : r2111_4
+# 2111|     r2111_6(glval<char *>)  = VariableAddress[end]           : 
+# 2111|     r2111_7(char **)        = CopyValue                      : r2111_6
+# 2111|     r2111_8(double)         = Call[strtod]                   : func:r2111_2, 0:r2111_5, 1:r2111_7
+# 2111|     v2111_9(void)           = ^BufferReadSideEffect[0]       : &:r2111_5, ~m?
+# 2111|     mu2111_10(char *)       = ^IndirectMayWriteSideEffect[1] : &:r2111_7
+# 2111|     mu2111_11(double)       = Store[d]                       : &:r2111_1, r2111_8
+# 2112|     r2112_1(glval<char *>)  = VariableAddress[#return]       : 
+# 2112|     r2112_2(glval<char *>)  = VariableAddress[end]           : 
+# 2112|     r2112_3(char *)         = Load[end]                      : &:r2112_2, ~m?
+# 2112|     mu2112_4(char *)        = Store[#return]                 : &:r2112_1, r2112_3
+# 2109|     v2109_8(void)           = ReturnIndirection[s]           : &:r2109_6, ~m?
+# 2109|     r2109_9(glval<char *>)  = VariableAddress[#return]       : 
+# 2109|     v2109_10(void)          = ReturnValue                    : &:r2109_9, ~m?
+# 2109|     v2109_11(void)          = AliasedUse                     : ~m?
+# 2109|     v2109_12(void)          = ExitFunction                   : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0

cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp

@@ -672,7 +672,7 @@ void test17() {
   range(i); // $ range===50
 
   i = 20 + (j -= 10);
-  range(i); // $ range="==Store: ... += ... | Store: ... = ...+10" range===60
+  range(i); // $ range="==Store: ... += ... | Store: ... = ...+10" range===60 range="==Store: ... -= ...+20"
 }
 
 // Tests for unsigned multiplication.

cpp/ql/test/library-tests/ir/range-analysis/test.cpp

@@ -56,7 +56,7 @@
     while (f3_get(n)) n+=2;
 
     for (int i = 0; i < n; i += 2) {
-      range(i); // $ range=>=0 SPURIOUS: range="<=Phi: call to f3_get-1" range="<=Phi: call to f3_get-2"
+      range(i); // $ range=>=0 range="<=Phi: call to f3_get-2"
     }
   }
 
@@ -117,3 +117,16 @@ void test_sub(int x, int y, int n) {
     }
   }
 }
+
+void test_div(int x) {
+  if (3 <= x && x <= 7) {
+    range(x / 2); // $ range=>=1 range=<=3
+    range(x / 3); // $ range=>=1 range=<=2
+    range(x >> 2); // $ range=>=0 range=<=1
+  }
+  if (2 <= x && x <= 8) {
+    range(x / 2); // $ range=>=1 range=<=4
+    range(x / 3); // $ range=>=0 range=<=2
+    range(x >> 2); // $ range=>=0 range=<=2
+  }
+}

cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected

@@ -15,6 +15,7 @@ localCallNodes
 postIsNotPre
 postHasUniquePre
 uniquePostUpdate
+| allocators.cpp:4:24:4:26 | this indirection | Node has multiple PostUpdateNodes. |
 | cpp11.cpp:82:17:82:17 | this indirection | Node has multiple PostUpdateNodes. |
 | cpp11.cpp:82:17:82:55 | [...](...){...} indirection | Node has multiple PostUpdateNodes. |
 | ir.cpp:514:10:514:11 | definition of r2 indirection | Node has multiple PostUpdateNodes. |

cpp/ql/test/library-tests/templates/type_instantiations/types.expected

@@ -1,5 +1,10 @@
 | file://:0:0:0:0 | Cl<char, Sa, Sb> * |
 | file://:0:0:0:0 | _Complex _Float16 |
+| file://:0:0:0:0 | _Complex _Float32 |
+| file://:0:0:0:0 | _Complex _Float32x |
+| file://:0:0:0:0 | _Complex _Float64 |
+| file://:0:0:0:0 | _Complex _Float64x |
+| file://:0:0:0:0 | _Complex _Float128 |
 | file://:0:0:0:0 | _Complex __float128 |
 | file://:0:0:0:0 | _Complex double |
 | file://:0:0:0:0 | _Complex float |
@@ -16,7 +21,9 @@
 | file://:0:0:0:0 | _Imaginary double |
 | file://:0:0:0:0 | _Imaginary float |
 | file://:0:0:0:0 | _Imaginary long double |
+| file://:0:0:0:0 | __bf16 |
 | file://:0:0:0:0 | __float128 |
+| file://:0:0:0:0 | __fp16 |
 | file://:0:0:0:0 | __int128 |
 | file://:0:0:0:0 | __va_list_tag |
 | file://:0:0:0:0 | __va_list_tag & |
@@ -44,6 +51,7 @@
 | file://:0:0:0:0 | signed long |
 | file://:0:0:0:0 | signed long long |
 | file://:0:0:0:0 | signed short |
+| file://:0:0:0:0 | std::float16_t |
 | file://:0:0:0:0 | unknown |
 | file://:0:0:0:0 | unsigned __int128 |
 | file://:0:0:0:0 | unsigned char |

cpp/ql/test/library-tests/type_sizes/type_sizes.expected

@@ -20,6 +20,11 @@
 | file://:0:0:0:0 | UnionWithDef & | 8 |
 | file://:0:0:0:0 | UnionWithDef && | 8 |
 | file://:0:0:0:0 | _Complex _Float16 | 4 |
+| file://:0:0:0:0 | _Complex _Float32 | 8 |
+| file://:0:0:0:0 | _Complex _Float32x | 16 |
+| file://:0:0:0:0 | _Complex _Float64 | 16 |
+| file://:0:0:0:0 | _Complex _Float64x | 32 |
+| file://:0:0:0:0 | _Complex _Float128 | 32 |
 | file://:0:0:0:0 | _Complex __float128 | 32 |
 | file://:0:0:0:0 | _Complex double | 16 |
 | file://:0:0:0:0 | _Complex float | 8 |
@@ -37,7 +42,9 @@
 | file://:0:0:0:0 | _Imaginary float | 4 |
 | file://:0:0:0:0 | _Imaginary long double | 16 |
 | file://:0:0:0:0 | __attribute((vector_size(16))) int | 16 |
+| file://:0:0:0:0 | __bf16 | 2 |
 | file://:0:0:0:0 | __float128 | 16 |
+| file://:0:0:0:0 | __fp16 | 2 |
 | file://:0:0:0:0 | __int128 | 16 |
 | file://:0:0:0:0 | __va_list_tag | 24 |
 | file://:0:0:0:0 | __va_list_tag & | 8 |
@@ -83,6 +90,7 @@
 | file://:0:0:0:0 | signed long | 8 |
 | file://:0:0:0:0 | signed long long | 8 |
 | file://:0:0:0:0 | signed short | 2 |
+| file://:0:0:0:0 | std::float16_t | 2 |
 | file://:0:0:0:0 | unknown | 1 |
 | file://:0:0:0:0 | unsigned __int128 | 16 |
 | file://:0:0:0:0 | unsigned char | 1 |

cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected

@@ -2,6 +2,11 @@
 | file://:0:0:0:0 | ..(*)(..) | ..(*)(..) |
 | file://:0:0:0:0 | Tmpl<T> | Tmpl<T> |
 | file://:0:0:0:0 | _Complex _Float16 | _Complex _Float16 |
+| file://:0:0:0:0 | _Complex _Float32 | _Complex _Float32 |
+| file://:0:0:0:0 | _Complex _Float32x | _Complex _Float32x |
+| file://:0:0:0:0 | _Complex _Float64 | _Complex _Float64 |
+| file://:0:0:0:0 | _Complex _Float64x | _Complex _Float64x |
+| file://:0:0:0:0 | _Complex _Float128 | _Complex _Float128 |
 | file://:0:0:0:0 | _Complex __float128 | _Complex __float128 |
 | file://:0:0:0:0 | _Complex double | _Complex double |
 | file://:0:0:0:0 | _Complex float | _Complex float |
@@ -18,7 +23,9 @@
 | file://:0:0:0:0 | _Imaginary double | _Imaginary double |
 | file://:0:0:0:0 | _Imaginary float | _Imaginary float |
 | file://:0:0:0:0 | _Imaginary long double | _Imaginary long double |
+| file://:0:0:0:0 | __bf16 | __bf16 |
 | file://:0:0:0:0 | __float128 | __float128 |
+| file://:0:0:0:0 | __fp16 | __fp16 |
 | file://:0:0:0:0 | __int128 | __int128 |
 | file://:0:0:0:0 | __va_list_tag & | __va_list_tag & |
 | file://:0:0:0:0 | __va_list_tag && | __va_list_tag && |
@@ -45,6 +52,7 @@
 | file://:0:0:0:0 | signed long | signed long |
 | file://:0:0:0:0 | signed long long | signed long long |
 | file://:0:0:0:0 | signed short | signed short |
+| file://:0:0:0:0 | std::float16_t | std::float16_t |
 | file://:0:0:0:0 | unknown | unknown |
 | file://:0:0:0:0 | unsigned __int128 | unsigned __int128 |
 | file://:0:0:0:0 | unsigned char | unsigned char |

cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ir_gvn.expected

@@ -756,7 +756,7 @@ test.cpp:
 #   92|         valnum = r92_1, r92_3, r93_2
 #   92|     m92_4(int)        = Store[x]                 : &:r92_3, r92_2
 #   92|         valnum = m92_4, m92_6, m93_4, r92_2, r92_5, r93_3
-#   92|     r92_5(int)        = CopyValue                : r92_2
+#   92|     r92_5(int)        = Load[x]                  : &:r92_3, m92_4
 #   92|         valnum = m92_4, m92_6, m93_4, r92_2, r92_5, r93_3
 #   92|     m92_6(int)        = Store[x]                 : &:r92_1, r92_5
 #   92|         valnum = m92_4, m92_6, m93_4, r92_2, r92_5, r93_3

cpp/ql/test/library-tests/variables/variables/types.expected

@@ -1,6 +1,11 @@
 | ..()(..) | RoutineType |  |  |  |  |
 | ..(*)(..) | FunctionPointerType |  | ..()(..) |  |  |
 | _Complex _Float16 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
+| _Complex _Float32 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
+| _Complex _Float32x | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
+| _Complex _Float64 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
+| _Complex _Float64x | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
+| _Complex _Float128 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex __float128 | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex double | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
 | _Complex float | BinaryFloatingPointType, ComplexNumberType |  |  |  |  |
@@ -17,7 +22,9 @@
 | _Imaginary double | BinaryFloatingPointType, ImaginaryNumberType |  |  |  |  |
 | _Imaginary float | BinaryFloatingPointType, ImaginaryNumberType |  |  |  |  |
 | _Imaginary long double | BinaryFloatingPointType, ImaginaryNumberType |  |  |  |  |
+| __bf16 | BinaryFloatingPointType, RealNumberType |  |  |  |  |
 | __float128 | Float128Type |  |  |  |  |
+| __fp16 | BinaryFloatingPointType, RealNumberType |  |  |  |  |
 | __int128 | Int128Type |  |  |  |  |
 | __va_list_tag | DirectAccessHolder, MetricClass, Struct, StructLikeClass |  |  |  |  |
 | __va_list_tag & | LValueReferenceType |  | __va_list_tag |  |  |
@@ -83,6 +90,7 @@
 | signed long | LongType |  |  |  |  |
 | signed long long | LongLongType |  |  |  |  |
 | signed short | ShortType |  |  |  |  |
+| std::float16_t | BinaryFloatingPointType, RealNumberType |  |  |  |  |
 | unknown | UnknownType |  |  |  |  |
 | unsigned __int128 | Int128Type |  |  |  | unsigned integral |
 | unsigned char | UnsignedCharType |  |  |  | unsigned integral |

cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected

@@ -97,6 +97,10 @@
 | test_free.cpp:260:9:260:9 | p |
 | test_free.cpp:263:12:263:12 | p |
 | test_free.cpp:269:7:269:11 | ... = ... |
+| test_free.cpp:277:11:277:13 | buf |
+| test_free.cpp:282:10:282:12 | buf |
+| test_free.cpp:288:8:288:10 | buf |
+| test_free.cpp:293:8:293:10 | buf |
 | virtual.cpp:18:10:18:10 | a |
 | virtual.cpp:19:10:19:10 | c |
 | virtual.cpp:38:10:38:10 | b |

cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected

@@ -12,6 +12,10 @@ edges
 | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... |
 | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
 | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
+| test_free.cpp:293:8:293:10 | buf | test_free.cpp:294:3:294:13 | ... = ... |
+| test_free.cpp:294:3:294:13 | ... = ... | test_free.cpp:294:5:294:7 | s indirection [post update] [buf] |
+| test_free.cpp:294:5:294:7 | s indirection [post update] [buf] | test_free.cpp:295:12:295:12 | s indirection [buf] |
+| test_free.cpp:295:12:295:12 | s indirection [buf] | test_free.cpp:295:14:295:16 | buf |
 nodes
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
 | test_free.cpp:12:5:12:5 | a | semmle.label | a |
@@ -38,6 +42,11 @@ nodes
 | test_free.cpp:241:9:241:10 | * ... | semmle.label | * ... |
 | test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
 | test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
+| test_free.cpp:293:8:293:10 | buf | semmle.label | buf |
+| test_free.cpp:294:3:294:13 | ... = ... | semmle.label | ... = ... |
+| test_free.cpp:294:5:294:7 | s indirection [post update] [buf] | semmle.label | s indirection [post update] [buf] |
+| test_free.cpp:295:12:295:12 | s indirection [buf] | semmle.label | s indirection [buf] |
+| test_free.cpp:295:14:295:16 | buf | semmle.label | buf |
 subpaths
 #select
 | test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
@@ -53,3 +62,4 @@ subpaths
 | test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | * ... | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free |
 | test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free |
 | test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:245:5:245:8 | call to free | call to free |
+| test_free.cpp:295:14:295:16 | buf | test_free.cpp:293:8:293:10 | buf | test_free.cpp:295:14:295:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:293:3:293:6 | call to free | call to free |

cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp

@@ -267,4 +267,30 @@ void test_free_assign() {
 	void *a = malloc(10); 
 	void *b;
 	free(b = a); // GOOD 
+}
+
+struct MyStruct {
+  char* buf;
+};
+
+void test_free_struct(MyStruct* s) {
+  free(s->buf);
+  char c = s->buf[0]; // BAD [FALSE NEGATIVE]
+}
+
+void test_free_struct2(MyStruct s) {
+  free(s.buf);
+  char c = s.buf[0]; // BAD [FALSE NEGATIVE]
+}
+
+void test_free_struct3(MyStruct s) {
+  char* buf = s.buf;
+  free(buf);
+  char c = s.buf[0]; // BAD [FALSE NEGATIVE]
+}
+
+void test_free_struct4(char* buf, MyStruct s) {
+  free(buf);
+  s.buf = buf;
+  char c = s.buf[0]; // BAD
 }

cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected

@@ -67,8 +67,6 @@ edges
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
-| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
-| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:17:136:18 | i4 |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:17:136:18 | i4 |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
@@ -163,7 +161,6 @@ nodes
 | argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
 | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
 | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
-| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
 | argvLocal.c:136:17:136:18 | i4 | semmle.label | i4 |
 | argvLocal.c:139:9:139:26 | ... ? ... : ... | semmle.label | ... ? ... : ... |
 | argvLocal.c:139:9:139:26 | ... ? ... : ... | semmle.label | ... ? ... : ... |

csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/StubVisitor.cs

@@ -186,7 +186,8 @@ internal sealed class StubVisitor : SymbolVisitor
                 }
                 break;
             case TypedConstantKind.Enum:
-                stubWriter.Write("throw null");
+                stubWriter.Write($"({c.Type!.GetQualifiedName()}) ");
+                stubWriter.Write(c.Value!.ToString());
                 break;
             case TypedConstantKind.Array:
                 stubWriter.Write("new []{");
@@ -200,7 +201,8 @@ internal sealed class StubVisitor : SymbolVisitor
     }
 
     private static readonly HashSet<string> attributeAllowList = new() {
-        "System.FlagsAttribute"
+        "System.FlagsAttribute",
+        "System.AttributeUsageAttribute"
     };
 
     private void StubAttribute(AttributeData a, string prefix)
@@ -219,6 +221,14 @@ internal sealed class StubVisitor : SymbolVisitor
         {
             stubWriter.Write("(");
             WriteCommaSep(a.ConstructorArguments, StubTypedConstant);
+            if (a.ConstructorArguments.Any() && a.NamedArguments.Any())
+                stubWriter.Write(",");
+            WriteCommaSep(a.NamedArguments, arg =>
+            {
+                stubWriter.Write(arg.Key);
+                stubWriter.Write(" = ");
+                StubTypedConstant(arg.Value);
+            });
             stubWriter.Write(")");
         }
         stubWriter.WriteLine("]");

csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs

@@ -82,10 +82,16 @@ namespace Semmle.Extraction.CSharp.Entities
                 var paramName = Symbol.AttributeConstructor?.Parameters[i].Name;
                 var argSyntax = ctorArguments?.SingleOrDefault(a => a.NameColon is not null && a.NameColon.Name.Identifier.Text == paramName);
 
+                var isParamsParameter = false;
+
                 if (argSyntax is null &&                            // couldn't find named argument
                     ctorArguments?.Count > childIndex &&            // there're more arguments
                     ctorArguments[childIndex].NameColon is null)    // the argument is positional
                 {
+                    // The current argument is not named
+                    // so the previous ones were also not named
+                    // so the child index matches the parameter index.
+                    isParamsParameter = Symbol?.AttributeConstructor?.Parameters[childIndex].IsParams == true;
                     argSyntax = ctorArguments[childIndex];
                 }
 
@@ -94,6 +100,28 @@ namespace Semmle.Extraction.CSharp.Entities
                     argSyntax?.Expression,
                     this,
                     childIndex++);
+
+                if (isParamsParameter &&
+                    ctorArguments is not null)
+                {
+                    // The current argument is a params argument, so we're processing all the remaining arguments:
+                    while (childIndex < ctorArguments.Count)
+                    {
+                        if (ctorArguments[childIndex].Expression is null)
+                        {
+                            // This shouldn't happen
+                            continue;
+                        }
+
+                        CreateExpressionFromArgument(
+                            constructorArgument,
+                            ctorArguments[childIndex].Expression,
+                            this,
+                            childIndex);
+
+                        childIndex++;
+                    }
+                }
             }
 
             foreach (var namedArgument in Symbol.NamedArguments)

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.2
+
+No user-facing changes.
+
 ## 1.7.1
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.2.md

@@ -0,0 +1,3 @@
+## 1.7.2
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.1
+lastReleaseVersion: 1.7.2

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.1
+version: 1.7.2
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.2
+
+No user-facing changes.
+
 ## 1.7.1
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.2.md

@@ -0,0 +1,3 @@
+## 1.7.2
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.1
+lastReleaseVersion: 1.7.2

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.1
+version: 1.7.2
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.8.2
+
+No user-facing changes.
+
 ## 0.8.1
 
 ### Minor Analysis Improvements

csharp/ql/lib/change-notes/released/0.8.2.md

@@ -0,0 +1,3 @@
+## 0.8.2
+
+No user-facing changes.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.1
+lastReleaseVersion: 0.8.2

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.8.1
+version: 0.8.2
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp