bla

.devcontainer/swift/root.sh

@@ -3,16 +3,6 @@ set -xe
 BAZELISK_VERSION=v1.12.0
 BAZELISK_DOWNLOAD_SHA=6b0bcb2ea15bca16fffabe6fda75803440375354c085480fe361d2cbf32501db
 
-# install git lfs apt source
-curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
-
-# install gh apt source
-(type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y)) \
-&& sudo mkdir -p -m 755 /etc/apt/keyrings \
-&& wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
-&& sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
-&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
-
 apt-get update
 export DEBIAN_FRONTEND=noninteractive
 apt-get -y install --no-install-recommends \
@@ -20,9 +10,7 @@ apt-get -y install --no-install-recommends \
     uuid-dev \
     python3-distutils \
     python3-pip \
-    bash-completion \
-    git-lfs \
-    gh
+    bash-completion
 
 # Install Bazel
 curl -fSsL -o /usr/local/bin/bazelisk https://github.com/bazelbuild/bazelisk/releases/download/${BAZELISK_VERSION}/bazelisk-linux-amd64

.devcontainer/swift/user.sh

@@ -1,7 +1,5 @@
 set -xe
 
-git lfs install
-
 # add the workspace to the codeql search path
 mkdir -p /home/vscode/.config/codeql
 echo "--search-path /workspaces/codeql" > /home/vscode/.config/codeql/config

MODULE.bazel

@@ -112,7 +112,6 @@ use_repo(
     "kotlin-compiler-1.9.0-Beta",
     "kotlin-compiler-1.9.20-Beta",
     "kotlin-compiler-2.0.0-RC1",
-    "kotlin-compiler-2.0.20-Beta2",
     "kotlin-compiler-embeddable-1.5.0",
     "kotlin-compiler-embeddable-1.5.10",
     "kotlin-compiler-embeddable-1.5.20",
@@ -125,7 +124,6 @@ use_repo(
     "kotlin-compiler-embeddable-1.9.0-Beta",
     "kotlin-compiler-embeddable-1.9.20-Beta",
     "kotlin-compiler-embeddable-2.0.0-RC1",
-    "kotlin-compiler-embeddable-2.0.20-Beta2",
     "kotlin-stdlib-1.5.0",
     "kotlin-stdlib-1.5.10",
     "kotlin-stdlib-1.5.20",
@@ -138,16 +136,11 @@ use_repo(
     "kotlin-stdlib-1.9.0-Beta",
     "kotlin-stdlib-1.9.20-Beta",
     "kotlin-stdlib-2.0.0-RC1",
-    "kotlin-stdlib-2.0.20-Beta2",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
 go_sdk.download(version = "1.22.2")
 
-go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
-go_deps.from_file(go_mod = "//go/extractor:go.mod")
-use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
-
 lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
 
 lfs_files(

cpp/downgrades/3d35dd6b50edfc540c14c6757e0c7b3c5b7b04dd/exprs.ql

@@ -1,17 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_expr {
-  string toString() { none() }
-}
-
-predicate isExprWithNewBuiltin(Expr expr) {
-  exists(int kind | exprs(expr, kind, _) | 364 <= kind and kind <= 384)
-}
-
-from Expr expr, int kind, int kind_new, Location location
-where
-  exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
-select expr, kind_new, location

cpp/downgrades/3d35dd6b50edfc540c14c6757e0c7b3c5b7b04dd/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add new builtin operations
-compatibility: partial
-exprs.rel: run exprs.qlo

cpp/ql/lib/CHANGELOG.md

@@ -1,27 +1,3 @@
-## 1.3.0
-
-### New Features
-
-* Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example, `.qlref`s that reference path-problem queries) will need to be have their expected output updated accordingly.
-* Added subclasses of `BuiltInOperations` for `__builtin_has_attribute`, `__builtin_is_corresponding_member`, `__builtin_is_pointer_interconvertible_with_class`, `__is_assignable_no_precondition_check`, `__is_bounded_array`, `__is_convertible`, `__is_corresponding_member`, `__is_nothrow_convertible`, `__is_pointer_interconvertible_with_class`, `__is_referenceable`, `__is_same_as`, `__is_trivially_copy_assignable`, `__is_unbounded_array`, `__is_valid_winrt_type`, `_is_win_class`, `__is_win_interface`, `__reference_binds_to_temporary`, `__reference_constructs_from_temporary`, and `__reference_converts_from_temporary`.
-* The class `NewArrayExpr` adds a predicate `getArraySize()` to allow a more convenient way to access the static size of the array when the extent is missing.
-
-## 1.2.0
-
-### New Features
-
-* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See `dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format.
-* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.
-
-### Minor Analysis Improvements
-
-* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.
-* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.
-
-## 1.1.1
-
-No user-facing changes.
-
 ## 1.1.0
 
 ### New Features

cpp/ql/lib/change-notes/2024-06-10-builtin-expect.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.

cpp/ql/lib/change-notes/2024-06-13-double-free.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.

cpp/ql/lib/change-notes/2024-06-20-extensible-allocation-deallocation.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.

cpp/ql/lib/change-notes/released/1.1.1.md

@@ -1,3 +0,0 @@
-## 1.1.1
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/1.2.0.md

@@ -1,11 +0,0 @@
-## 1.2.0
-
-### New Features
-
-* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See `dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format.
-* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.
-
-### Minor Analysis Improvements
-
-* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.
-* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.

cpp/ql/lib/change-notes/released/1.3.0.md

@@ -1,7 +0,0 @@
-## 1.3.0
-
-### New Features
-
-* Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example, `.qlref`s that reference path-problem queries) will need to be have their expected output updated accordingly.
-* Added subclasses of `BuiltInOperations` for `__builtin_has_attribute`, `__builtin_is_corresponding_member`, `__builtin_is_pointer_interconvertible_with_class`, `__is_assignable_no_precondition_check`, `__is_bounded_array`, `__is_convertible`, `__is_corresponding_member`, `__is_nothrow_convertible`, `__is_pointer_interconvertible_with_class`, `__is_referenceable`, `__is_same_as`, `__is_trivially_copy_assignable`, `__is_unbounded_array`, `__is_valid_winrt_type`, `_is_win_class`, `__is_win_interface`, `__reference_binds_to_temporary`, `__reference_constructs_from_temporary`, and `__reference_converts_from_temporary`.
-* The class `NewArrayExpr` adds a predicate `getArraySize()` to allow a more convenient way to access the static size of the array when the extent is missing.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.0
+lastReleaseVersion: 1.1.0

cpp/ql/lib/ext/Boost.Asio.model.yml

@@ -1,3 +1,4 @@
+extensions:
   # partial model of the Boost::Asio network library
 extensions:
   - addsTo:

cpp/ql/lib/ext/bsl.array.model.yml

@@ -1,14 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["bsl", "array", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "array", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "array", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "array", True, "data", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "array", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "array", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "array", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "array", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "array", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]

cpp/ql/lib/ext/bsl.deque.model.yml

@@ -1,73 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["bsl", "deque<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "deque", "(const deque &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "deque", "(deque &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "deque", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque<T,Allocator>", True, "deque", "(const deque &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque<T,Allocator>", True, "deque", "(deque &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque<T,Allocator>", True, "deque", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque<T,Allocator>", True, "deque<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/bsl.forward_list.model.yml

@@ -1,56 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["bsl", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_after", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "forward_list", "(const forward_list &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "forward_list", "(forward_list &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T,Allocator>", True, "forward_list", "(const forward_list &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T,Allocator>", True, "forward_list", "(forward_list &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T,Allocator>", True, "forward_list", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T,Allocator>", True, "forward_list", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/bsl.list.model.yml

@@ -1,71 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["bsl", "list<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "list", "(const list &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "list", "(list &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "list", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "list<T,Allocator>", True, "list", "(const list &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list<T,Allocator>", True, "list", "(list &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list<T,Allocator>", True, "list", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list<T,Allocator>", True, "list<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/bsl.vector.model.yml

@@ -1,60 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["bsl", "vector<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "data", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["bsl", "vector", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "vector", "(const vector &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector", True, "vector", "(vector &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector<T,Allocator>", True, "vector", "(const vector &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector<T,Allocator>", True, "vector", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector<T,Allocator>", True, "vector", "(vector &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector<T,Allocator>", True, "vector<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["bsl", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["bsl", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/std.array.model.yml

@@ -1,14 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["std", "array", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "array", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "array", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "array", True, "data", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "array", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "array", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "array", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "array", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "array", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]

cpp/ql/lib/ext/std.deque.model.yml

@@ -1,73 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["std", "deque<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque", True, "deque", "(const deque &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "deque", "(deque &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "deque", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque<T,Allocator>", True, "deque", "(const deque &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque<T,Allocator>", True, "deque", "(deque &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque<T,Allocator>", True, "deque", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque<T,Allocator>", True, "deque<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "deque<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/std.forward_list.model.yml

@@ -1,56 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["std", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_after", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "forward_list", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "forward_list", True, "forward_list", "(const forward_list &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "forward_list", "(forward_list &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "insert_after<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list<T,Allocator>", True, "forward_list", "(const forward_list &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list<T,Allocator>", True, "forward_list", "(forward_list &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list<T,Allocator>", True, "forward_list", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list<T,Allocator>", True, "forward_list", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "forward_list<T>", True, "insert_after", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/std.iterator.model.yml

@@ -1,11 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["std", "iterator", True, "operator*", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "iterator", True, "operator->", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "iterator", True, "iterator", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["__gnu_cxx", "__normal_iterator", True, "operator*", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["__gnu_cxx", "__normal_iterator", True, "operator->", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["__gnu_cxx", "__normal_iterator", True, "__normal_iterator", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]

cpp/ql/lib/ext/std.list.model.yml

@@ -1,71 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["std", "list<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "emplace_front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list", True, "list", "(const list &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "list", "(list &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "push_front", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list<T,Allocator>", True, "list", "(const list &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list<T,Allocator>", True, "list", "(list &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list<T,Allocator>", True, "list", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list<T,Allocator>", True, "list<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "list<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/ext/std.vector.model.yml

@@ -1,60 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["std", "vector<T,Allocator>", True, "assign", "(size_type,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "assign<InputIt>", "(InputIt,InputIt)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "at", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "begin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "cbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "data", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "emplace", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace", "", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace", "", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace", "", "", "Argument[*@3]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace", "", "", "Argument[*@4]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace", "", "", "Argument[*@5]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@0]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@1]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@2]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@3]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@3]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@4]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@4]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@5]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[*@5]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "emplace_back", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "front", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "insert<InputIt>", "(const_iterator,InputIt,InputIt)", "", "Argument[1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "operator=", "", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "operator[]", "", "", "Argument[-1].Element[@]", "ReturnValue[*@]", "value", "manual"]
-      - ["std", "vector", True, "push_back", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "rbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "rcbegin", "", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector", True, "vector", "(const vector &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector", True, "vector", "(vector &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector<T,Allocator>", True, "vector", "(const vector &,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector<T,Allocator>", True, "vector", "(size_type,const T &,const Allocator &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector<T,Allocator>", True, "vector", "(vector &&,const Allocator &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector<T,Allocator>", True, "vector<InputIterator>", "(InputIterator,InputIterator,const Allocator &)", "", "Argument[0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector<T>", True, "insert", "(const_iterator,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[*@2]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector<T>", True, "insert", "(const_iterator,size_type,const T &)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "Argument[-1].Element[@]", "value", "manual"]
-      - ["std", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[*@1]", "ReturnValue.Element[@]", "value", "manual"]
-      - ["std", "vector<T>", True, "insert", "(const_iterator,T &&)", "", "Argument[-1].Element[@]", "ReturnValue.Element[@]", "value", "manual"]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 1.3.0
+version: 1.1.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -59,7 +59,8 @@ class MatchValue extends AbstractValue, TMatchValue {
 }
 
 /**
- * A Boolean condition in the AST that guards one or more basic blocks.
+ * A Boolean condition in the AST that guards one or more basic blocks. This includes
+ * operands of logical operators but not switch statements.
  */
 cached
 class GuardCondition extends Expr {
@@ -365,10 +366,10 @@ private predicate nonExcludedIRAndBasicBlock(IRBlock irb, BasicBlock controlled)
 }
 
 /**
- * A Boolean condition in the IR that guards one or more basic blocks.
- *
- * Note that `&&` and `||` don't have an explicit representation in the IR,
- * and therefore will not appear as IRGuardConditions.
+ * A Boolean condition in the IR that guards one or more basic blocks. This includes
+ * operands of logical operators but not switch statements. Note that `&&` and `||`
+ * don't have an explicit representation in the IR, and therefore will not appear as
+ * IRGuardConditions.
  */
 cached
 class IRGuardCondition extends Instruction {

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -14,22 +14,16 @@
  * The interpretation of a row is similar to API-graphs with a left-to-right
  * reading.
  * 1. The `namespace` column selects a namespace.
- * 2. The `type` column selects a type within that namespace. This column can
- *    introduce template names that can be mentioned in the `signature` column.
- *    For example, `vector<T,Allocator>` introduces the template names `T` and
- *    `Allocator`.
+ * 2. The `type` column selects a type within that namespace.
  * 3. The `subtypes` is a boolean that indicates whether to jump to an
  *    arbitrary subtype of that type. Set this to `false` if leaving the `type`
  *    blank (for example, a free function).
  * 4. The `name` column optionally selects a specific named member of the type.
- *    Like the `type` column, this column can introduce template names that can
- *    be mentioned in the `signature` column. For example, `insert<InputIt>`
- *    introduces the template name `InputIt`.
  * 5. The `signature` column optionally restricts the named member. If
  *    `signature` is blank then no such filtering is done. The format of the
  *    signature is a comma-separated list of types enclosed in parentheses. The
- *    types must be stripped of template names. That is, write `const vector &`
- *    instead of `const vector<T> &`.
+ *    types can be short names or fully qualified names (mixing these two options
+ *    is not allowed within a single signature).
  * 6. The `ext` column specifies additional API-graph-like edges. Currently
  *    there is only one valid value: "".
  * 7. The `input` column specifies how data enters the element selected by the
@@ -50,9 +44,6 @@
  *      One or more "*" can be added as an argument to indicate indirection, for
  *      example, "ReturnValue[*]" indicates the first indirection of the return
  *      value.
- *    The special symbol `@` can be used to specify an arbitrary (but fixed)
- *    number of indirections. For example, the `input` column `Argument[*@0]`
- *    indicates one or more indirections of the 0th argument.
  *
  *    An `output` can be either:
  *    - "": Selects a read of a selected field.
@@ -74,17 +65,6 @@
  *      One or more "*" can be added as an argument to indicate indirection, for
  *      example, "ReturnValue[*]" indicates the first indirection of the return
  *      value.
- *    The special symbol `@` can be used to specify an arbitrary (but fixed)
- *    number of indirections. For example, the `output` column
- *    `ReturnValue[*@0]` indicates one or more indirections of the return
- *    value.
- *    Note: The symbol `@` only ever takes a single value across a row. Thus,
- *    the (`input`, `output`) pair `("Argument[*@0]", "ReturnValue[@]")`
- *    represents:
- *    - flow from the _first_ indirection of the 0th argument to the return
- *    value, and
- *    - flow from the _second_ indirection of the 0th argument to the first
- *    indirection of the return value, etc.
  * 8. The `kind` column is a tag that can be referenced from QL to determine to
  *    which classes the interpreted elements should be added. For example, for
  *    sources "remote" indicates a default remote flow source, and for summaries
@@ -94,8 +74,6 @@
 
 import cpp
 private import new.DataFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate as Private
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import internal.FlowSummaryImpl
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private
@@ -146,7 +124,7 @@ predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
 /** Holds if a source model exists for the given parameters. */
 predicate sourceModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind, string provenance, string model
+  string output, string kind, string provenance
 ) {
   exists(string row |
     sourceModel(row) and
@@ -160,20 +138,16 @@ predicate sourceModel(
     row.splitAt(";", 6) = output and
     row.splitAt(";", 7) = kind
   ) and
-  provenance = "manual" and
-  model = ""
+  provenance = "manual"
   or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind,
-      provenance, madId) and
-    model = "MaD:" + madId.toString()
-  )
+  Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance,
+    _)
 }
 
 /** Holds if a sink model exists for the given parameters. */
 predicate sinkModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string kind, string provenance, string model
+  string input, string kind, string provenance
 ) {
   exists(string row |
     sinkModel(row) and
@@ -187,24 +161,15 @@ predicate sinkModel(
     row.splitAt(";", 6) = input and
     row.splitAt(";", 7) = kind
   ) and
-  provenance = "manual" and
-  model = ""
+  provenance = "manual"
   or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance,
-      madId) and
-    model = "MaD:" + madId.toString()
-  )
+  Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance, _)
 }
 
-/**
- * Holds if a summary model exists for the given parameters.
- *
- * This predicate does not expand `@` to `*`s.
- */
-private predicate summaryModel0(
+/** Holds if a summary model exists for the given parameters. */
+predicate summaryModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, string provenance, string model
+  string input, string output, string kind, string provenance
 ) {
   exists(string row |
     summaryModel(row) and
@@ -219,48 +184,16 @@ private predicate summaryModel0(
     row.splitAt(";", 7) = output and
     row.splitAt(";", 8) = kind
   ) and
-  provenance = "manual" and
-  model = ""
+  provenance = "manual"
   or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
-      provenance, madId) and
-    model = "MaD:" + madId.toString()
-  )
-}
-
-/**
- * Holds if `input` is `input0`, but with all occurrences of `@` replaced
- * by `n` repetitions of `*` (and similarly for `output` and `output0`).
- */
-bindingset[input0, output0, n]
-pragma[inline_late]
-private predicate expandInputAndOutput(
-  string input0, string input, string output0, string output, int n
-) {
-  input = input0.replaceAll("@", repeatStars(n)) and
-  output = output0.replaceAll("@", repeatStars(n))
-}
-
-/**
- * Holds if a summary model exists for the given parameters.
- */
-predicate summaryModel(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, string provenance, string model
-) {
-  exists(string input0, string output0 |
-    summaryModel0(namespace, type, subtypes, name, signature, ext, input0, output0, kind,
-      provenance, model) and
-    expandInputAndOutput(input0, input, output0, output,
-      [0 .. Private::getMaxElementContentIndirectionIndex() - 1])
-  )
+  Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
+    provenance, _)
 }
 
 private predicate relevantNamespace(string namespace) {
-  sourceModel(namespace, _, _, _, _, _, _, _, _, _) or
-  sinkModel(namespace, _, _, _, _, _, _, _, _, _) or
-  summaryModel(namespace, _, _, _, _, _, _, _, _, _, _)
+  sourceModel(namespace, _, _, _, _, _, _, _, _) or
+  sinkModel(namespace, _, _, _, _, _, _, _, _) or
+  summaryModel(namespace, _, _, _, _, _, _, _, _, _)
 }
 
 private predicate namespaceLink(string shortns, string longns) {
@@ -290,17 +223,17 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
     part = "source" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string output, string provenance, string model |
+        string ext, string output, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance, model)
+        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance)
       )
     or
     part = "sink" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string input, string provenance, string model |
+        string ext, string input, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance, model)
+        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance)
       )
     or
     part = "summary" and
@@ -308,7 +241,7 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
         string ext, string input, string output, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance, _)
+        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance)
       )
   )
 }
@@ -317,9 +250,9 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
 module CsvValidation {
   private string getInvalidModelInput() {
     exists(string pred, AccessPath input, string part |
-      sinkModel(_, _, _, _, _, _, input, _, _, _) and pred = "sink"
+      sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
       or
-      summaryModel(_, _, _, _, _, _, input, _, _, _, _) and pred = "summary"
+      summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
     |
       (
         invalidSpecComponent(input, part) and
@@ -336,9 +269,9 @@ module CsvValidation {
 
   private string getInvalidModelOutput() {
     exists(string pred, string output, string part |
-      sourceModel(_, _, _, _, _, _, output, _, _, _) and pred = "source"
+      sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
       or
-      summaryModel(_, _, _, _, _, _, _, output, _, _, _) and pred = "summary"
+      summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
     |
       invalidSpecComponent(output, part) and
       not part = "" and
@@ -348,11 +281,11 @@ module CsvValidation {
   }
 
   private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
-    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _, _) }
+    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _) }
 
-    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _, _) }
+    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _) }
 
-    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _, _) }
+    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _) }
   }
 
   private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
@@ -393,11 +326,11 @@ module CsvValidation {
 
   private string getInvalidModelSignature() {
     exists(string pred, string namespace, string type, string name, string signature, string ext |
-      sourceModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "source"
+      sourceModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "source"
       or
-      sinkModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "sink"
+      sinkModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "sink"
       or
-      summaryModel(namespace, type, _, name, signature, ext, _, _, _, _, _) and pred = "summary"
+      summaryModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "summary"
     |
       not namespace.regexpMatch("[a-zA-Z0-9_\\.:]*") and
       result = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
@@ -429,160 +362,21 @@ module CsvValidation {
 private predicate elementSpec(
   string namespace, string type, boolean subtypes, string name, string signature, string ext
 ) {
-  sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _, _) or
-  sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _, _) or
-  summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _, _)
-}
-
-/** Gets the fully templated version of `f`. */
-private Function getFullyTemplatedMemberFunction(Function f) {
-  not f.isFromUninstantiatedTemplate(_) and
-  exists(Class c, Class templateClass, int i |
-    c.isConstructedFrom(templateClass) and
-    f = c.getAMember(i) and
-    result = templateClass.getCanonicalMember(i)
-  )
-}
-
-/**
- * Gets the type name of the `n`'th parameter of `f` without any template
- * arguments.
- */
-bindingset[f]
-pragma[inline_late]
-string getParameterTypeWithoutTemplateArguments(Function f, int n) {
-  exists(string s, string base, string specifiers |
-    s = f.getParameter(n).getType().getName() and
-    parseAngles(s, base, _, specifiers) and
-    result = base + specifiers
-  )
-}
-
-/**
- * Normalize the `n`'th parameter of `f` by replacing template names
- * with `func:N` (where `N` is the index of the template).
- */
-private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remaining) {
-  exists(Function templateFunction |
-    templateFunction = getFullyTemplatedMemberFunction(f) and
-    remaining = templateFunction.getNumberOfTemplateArguments() and
-    result = getParameterTypeWithoutTemplateArguments(templateFunction, n)
-  )
-  or
-  exists(string mid, TemplateParameter tp, Function templateFunction |
-    mid = getTypeNameWithoutFunctionTemplates(f, n, remaining + 1) and
-    templateFunction = getFullyTemplatedMemberFunction(f) and
-    tp = templateFunction.getTemplateArgument(remaining) and
-    result = mid.replaceAll(tp.getName(), "func:" + remaining.toString())
-  )
-}
-
-/**
- * Normalize the `n`'th parameter of `f` by replacing template names
- * with `class:N` (where `N` is the index of the template).
- */
-private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
-  exists(Class template |
-    f.getDeclaringType().isConstructedFrom(template) and
-    remaining = template.getNumberOfTemplateArguments() and
-    result = getTypeNameWithoutFunctionTemplates(f, n, 0)
-  )
-  or
-  exists(string mid, TemplateParameter tp, Class template |
-    mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
-    f.getDeclaringType().isConstructedFrom(template) and
-    tp = template.getTemplateArgument(remaining) and
-    result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())
-  )
-}
-
-/** Gets the string representation of the `i`'th parameter of `c`. */
-private string getParameterTypeName(Function c, int i) {
-  result = getTypeNameWithoutClassTemplates(c, i, 0)
-}
-
-/** Splits `s` by `,` and gets the `i`'th element. */
-bindingset[s]
-pragma[inline_late]
-private string getAtIndex(string s, int i) {
-  result = s.splitAt(",", i) and
-  // when `s` is `""` and `i` is `0` we get `result = ""` which we don't want.
-  not (s = "" and i = 0)
-}
-
-/**
- * Normalizes `partiallyNormalizedSignature` by replacing the `remaining`
- * number of template arguments in `partiallyNormalizedSignature` with their
- * index in `typeArgs`.
- */
-private string getSignatureWithoutClassTemplateNames(
-  string partiallyNormalizedSignature, string typeArgs, string nameArgs, int remaining
-) {
-  elementSpecWithArguments0(_, _, _, partiallyNormalizedSignature, typeArgs, nameArgs) and
-  remaining = count(partiallyNormalizedSignature.indexOf(",")) + 1 and
-  result = partiallyNormalizedSignature
-  or
-  exists(string mid |
-    mid =
-      getSignatureWithoutClassTemplateNames(partiallyNormalizedSignature, typeArgs, nameArgs,
-        remaining + 1)
-  |
-    exists(string typeArg |
-      typeArg = getAtIndex(typeArgs, remaining) and
-      result = mid.replaceAll(typeArg, "class:" + remaining.toString())
-    )
-    or
-    // Make sure `remaining` is properly bound
-    remaining = [0 .. count(partiallyNormalizedSignature.indexOf(",")) + 1] and
-    not exists(getAtIndex(typeArgs, remaining)) and
-    result = mid
-  )
-}
-
-/**
- * Normalizes `partiallyNormalizedSignature` by replacing:
- * - _All_ the template arguments in `partiallyNormalizedSignature` that refer to
- * template parameters in `typeArgs` with their index in `typeArgs`, and
- * - The `remaining` number of template arguments in `partiallyNormalizedSignature`
- * with their index in `nameArgs`.
- */
-private string getSignatureWithoutFunctionTemplateNames(
-  string partiallyNormalizedSignature, string typeArgs, string nameArgs, int remaining
-) {
-  remaining = count(partiallyNormalizedSignature.indexOf(",")) + 1 and
-  result =
-    getSignatureWithoutClassTemplateNames(partiallyNormalizedSignature, typeArgs, nameArgs, 0)
-  or
-  exists(string mid |
-    mid =
-      getSignatureWithoutFunctionTemplateNames(partiallyNormalizedSignature, typeArgs, nameArgs,
-        remaining + 1)
-  |
-    exists(string nameArg |
-      nameArg = getAtIndex(nameArgs, remaining) and
-      result = mid.replaceAll(nameArg, "func:" + remaining.toString())
-    )
-    or
-    // Make sure `remaining` is properly bound
-    remaining = [0 .. count(partiallyNormalizedSignature.indexOf(",")) + 1] and
-    not exists(getAtIndex(nameArgs, remaining)) and
-    result = mid
-  )
+  sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
+  sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
+  summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
 }
 
 private string paramsStringPart(Function c, int i) {
-  not c.isFromUninstantiatedTemplate(_) and
-  (
-    i = -1 and result = "(" and exists(c)
+  i = -1 and result = "(" and exists(c)
+  or
+  exists(int n, string p | c.getParameter(n).getType().toString() = p |
+    i = 2 * n and result = p
     or
-    exists(int n, string p | getParameterTypeName(c, n) = p |
-      i = 2 * n and result = p
-      or
-      i = 2 * n - 1 and result = "," and n != 0
-    )
-    or
-    i = 2 * c.getNumberOfParameters() and result = ")"
+    i = 2 * n - 1 and result = "," and n != 0
   )
+  or
+  i = 2 * c.getNumberOfParameters() and result = ")"
 }
 
 /**
@@ -602,193 +396,6 @@ private predicate matchesSignature(Function func, string signature) {
   paramsString(func) = signature
 }
 
-/**
- * Holds if `elementSpec(_, type, _, name, signature, _)` holds and
- * - `typeArgs` represents the named template parameters supplied to `type`, and
- * - `nameArgs` represents the named template parameters supplied to `name`, and
- * - `normalizedSignature` is `signature`, except with
- *    - template parameter names replaced by `func:i` if the template name is
- *      the `i`'th entry in `nameArgs`, and
- *    - template parameter names replaced by `class:i` if the template name is
- *      the `i`'th entry in `typeArgs`.
- *
- * In other words, the string `normalizedSignature` represents a "normalized"
- * signature with no mention of any free template parameters.
- *
- * For example, consider a summary row such as:
- * ```
- * elementSpec(_, "MyClass<B, C>", _, myFunc<A>, "(const A &,int,C,B *)", _)
- * ```
- * In this case, `normalizedSignature` will be `"(const func:0 &,int,class:1,class:0 *)"`.
- */
-private predicate elementSpecWithArguments(
-  string signature, string type, string name, string normalizedSignature, string typeArgs,
-  string nameArgs
-) {
-  exists(string signatureWithoutParens |
-    elementSpecWithArguments0(signature, type, name, signatureWithoutParens, typeArgs, nameArgs) and
-    normalizedSignature =
-      getSignatureWithoutFunctionTemplateNames(signatureWithoutParens, typeArgs, nameArgs, 0)
-  )
-}
-
-/** Gets the `n`'th normalized signature parameter for the function `name` in class `type`. */
-private string getSignatureParameterName(string signature, string type, string name, int n) {
-  exists(string normalizedSignature |
-    elementSpecWithArguments(signature, type, name, normalizedSignature, _, _) and
-    result = getAtIndex(normalizedSignature, n)
-  )
-}
-
-/**
- * Holds if the suffix containing the entries in `signature` starting at entry
- * `i` matches the suffix containing the parameters of `func` starting at entry `i`.
- *
- * For example, consider the signature `(int,bool,char)` and a function:
- * ```
- * void f(int a, bool b, char c);
- * ```
- * 1. The predicate holds for `i = 2` because the suffix containing all the entries
- * in `signature` starting at `2` is `char`, and suffix containing all the parameters
- * of `func` starting at `2` is `char`.
- * 2. The predicate holds for `i = 1` because the suffix containing all the entries
- * in `signature` starting at `1` is `bool,char`, and the suffix containing all the
- * parameters of `func` starting at `1` is `bool, char`.
- * 3. The predicate holds for `i = 0` because the suffix containing all the entries
- * in `signature` starting at `0` is `int,bool,char` and the suffix containing all
- * the parameters of `func` starting at `0` is `int, bool, char`.
- *
- * When `paramsString(func)[i]` is `class:n` then the signature name is
- * compared with the `n`'th name in `type`, and when `paramsString(func)[i]`
- * is `func:n` then the signature name is compared with the `n`'th name
- * in `name`.
- */
-private predicate signatureMatches(Function func, string signature, string type, string name, int i) {
-  exists(string s |
-    s = getSignatureParameterName(signature, type, name, i) and
-    s = getParameterTypeName(func, i)
-  ) and
-  if exists(getParameterTypeName(func, i + 1))
-  then signatureMatches(func, signature, type, name, i + 1)
-  else i = count(signature.indexOf(","))
-}
-
-/**
- * Internal: Do not use.
- *
- * This module only exists to expose internal predicates for testing purposes.
- */
-module ExternalFlowDebug {
-  /**
-   * INTERNAL: Do not use.
-   *
-   * Exposed for testing purposes.
-   */
-  predicate signatureMatches_debug = signatureMatches/5;
-
-  /**
-   * INTERNAL: Do not use.
-   *
-   * Exposed for testing purposes.
-   */
-  predicate getSignatureParameterName_debug = getSignatureParameterName/4;
-
-  /**
-   * INTERNAL: Do not use.
-   *
-   * Exposed for testing purposes.
-   */
-  predicate getParameterTypeName_debug = getParameterTypeName/2;
-}
-
-/**
- * Holds if `s` can be broken into a string of the form
- * `beforeAngles<betweenAngles>`,
- * or `s = beforeAngles` where `beforeAngles` does not have any brackets.
- */
-bindingset[s]
-pragma[inline_late]
-private predicate parseAngles(
-  string s, string beforeAngles, string betweenAngles, string afterAngles
-) {
-  beforeAngles = s.regexpCapture("([^<]+)(?:<([^>]+)>(.*))?", 1) and
-  (
-    betweenAngles = s.regexpCapture("([^<]+)(?:<([^>]+)>(.*))?", 2) and
-    afterAngles = s.regexpCapture("([^<]+)(?:<([^>]+)>(.*))?", 3)
-    or
-    not exists(s.regexpCapture("([^<]+)(?:<([^>]+)>(.*))?", 2)) and
-    betweenAngles = "" and
-    afterAngles = ""
-  )
-}
-
-/** Holds if `s` can be broken into a string of the form `(betweenParens)`. */
-bindingset[s]
-pragma[inline_late]
-private predicate parseParens(string s, string betweenParens) { s = "(" + betweenParens + ")" }
-
-/**
- * Holds if `elementSpec(_, type, _, name, signature, _)` and:
- * - `type` introduces template parameters `typeArgs`, and
- * - `name` introduces template parameters `nameArgs`, and
- * - `signatureWithoutParens` equals `signature`, but with the surrounding
- *    parentheses removed.
- */
-private predicate elementSpecWithArguments0(
-  string signature, string type, string name, string signatureWithoutParens, string typeArgs,
-  string nameArgs
-) {
-  elementSpec(_, type, _, name, signature, _) and
-  parseAngles(name, _, nameArgs, "") and
-  (
-    type = "" and typeArgs = ""
-    or
-    parseAngles(type, _, typeArgs, "")
-  ) and
-  parseParens(signature, signatureWithoutParens)
-}
-
-/**
- * Holds if `elementSpec(namespace, type, subtypes, name, signature, _)` and
- * `method`'s signature matches `signature`.
- *
- * `signature` may contain template parameter names that are bound by `type` and `name`.
- */
-pragma[nomagic]
-private predicate elementSpecMatchesSignature(
-  Function method, string namespace, string type, boolean subtypes, string name, string signature
-) {
-  elementSpec(namespace, pragma[only_bind_into](type), subtypes, pragma[only_bind_into](name),
-    pragma[only_bind_into](signature), _) and
-  signatureMatches(method, signature, type, name, 0)
-}
-
-/**
- * Holds if `classWithMethod` has `method` named `name` (excluding any
- * template parameters).
- */
-bindingset[name]
-pragma[inline_late]
-private predicate hasClassAndName(Class classWithMethod, Function method, string name) {
-  exists(string nameWithoutArgs |
-    parseAngles(name, nameWithoutArgs, _, "") and
-    classWithMethod = method.getClassAndName(nameWithoutArgs)
-  )
-}
-
-/**
- * Holds if `namedClass` is in namespace `namespace` and has
- * name `type` (excluding any template parameters).
- */
-bindingset[type, namespace]
-pragma[inline_late]
-private predicate hasQualifiedName(Class namedClass, string namespace, string type) {
-  exists(string typeWithoutArgs |
-    parseAngles(type, typeWithoutArgs, _, "") and
-    namedClass.hasQualifiedName(namespace, typeWithoutArgs)
-  )
-}
-
 /**
  * Gets the element in module `namespace` that satisfies the following properties:
  * 1. If the element is a member of a class-like type, then the class-like type has name `type`
@@ -803,8 +410,8 @@ pragma[nomagic]
 private Element interpretElement0(
   string namespace, string type, boolean subtypes, string name, string signature
 ) {
+  elementSpec(namespace, type, subtypes, name, signature, _) and
   (
-    elementSpec(namespace, type, subtypes, name, signature, _) and
     // Non-member functions
     exists(Function func |
       func.hasQualifiedName(namespace, name) and
@@ -816,28 +423,21 @@ private Element interpretElement0(
     )
     or
     // Member functions
-    exists(Class namedClass, Class classWithMethod |
-      (
-        elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature) and
-        hasClassAndName(classWithMethod, result, name)
-        or
-        signature = "" and
-        elementSpec(namespace, type, subtypes, name, "", _) and
-        hasClassAndName(classWithMethod, result, name)
-      ) and
-      hasQualifiedName(namedClass, namespace, type) and
-      (
-        // member declared in the named type or a subtype of it
-        subtypes = true and
-        classWithMethod = namedClass.getADerivedClass*()
-        or
-        // member declared directly in the named type
-        subtypes = false and
-        classWithMethod = namedClass
-      )
+    exists(Class namedClass, Class classWithMethod, Function method |
+      classWithMethod = method.getClassAndName(name) and
+      namedClass.hasQualifiedName(namespace, type) and
+      matchesSignature(method, signature) and
+      result = method
+    |
+      // member declared in the named type or a subtype of it
+      subtypes = true and
+      classWithMethod = namedClass.getADerivedClass*()
+      or
+      // member declared directly in the named type
+      subtypes = false and
+      classWithMethod = namedClass
     )
     or
-    elementSpec(namespace, type, subtypes, name, signature, _) and
     // Member variables
     signature = "" and
     exists(Class namedClass, Class classWithMember, MemberVariable member |
@@ -856,7 +456,6 @@ private Element interpretElement0(
     )
     or
     // Global or namespace variables
-    elementSpec(namespace, type, subtypes, name, signature, _) and
     signature = "" and
     type = "" and
     subtypes = false and
@@ -881,9 +480,9 @@ private module Cached {
    * model.
    */
   cached
-  predicate sourceNode(DataFlow::Node node, string kind, string model) {
+  predicate sourceNode(DataFlow::Node node, string kind) {
     exists(SourceSinkInterpretationInput::InterpretNode n |
-      isSourceNode(n, kind, model) and n.asNode() = node
+      isSourceNode(n, kind, _) and n.asNode() = node // TODO
     )
   }
 
@@ -892,57 +491,40 @@ private module Cached {
    * model.
    */
   cached
-  predicate sinkNode(DataFlow::Node node, string kind, string model) {
+  predicate sinkNode(DataFlow::Node node, string kind) {
     exists(SourceSinkInterpretationInput::InterpretNode n |
-      isSinkNode(n, kind, model) and n.asNode() = node
+      isSinkNode(n, kind, _) and n.asNode() = node // TODO
     )
   }
 }
 
 import Cached
 
-/**
- * Holds if `node` is specified as a source with the given kind in a MaD flow
- * model.
- */
-predicate sourceNode(DataFlow::Node node, string kind) { sourceNode(node, kind, _) }
-
-/**
- * Holds if `node` is specified as a sink with the given kind in a MaD flow
- * model.
- */
-predicate sinkNode(DataFlow::Node node, string kind) { sinkNode(node, kind, _) }
-
 private predicate interpretSummary(
-  Function f, string input, string output, string kind, string provenance, string model
+  Function f, string input, string output, string kind, string provenance
 ) {
   exists(
     string namespace, string type, boolean subtypes, string name, string signature, string ext
   |
-    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance,
-      model) and
+    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance) and
     f = interpretElement(namespace, type, subtypes, name, signature, ext)
   )
 }
 
 // adapter class for converting Mad summaries to `SummarizedCallable`s
 private class SummarizedCallableAdapter extends SummarizedCallable {
-  SummarizedCallableAdapter() { interpretSummary(this, _, _, _, _, _) }
+  SummarizedCallableAdapter() { interpretSummary(this, _, _, _, _) }
 
-  private predicate relevantSummaryElementManual(
-    string input, string output, string kind, string model
-  ) {
+  private predicate relevantSummaryElementManual(string input, string output, string kind) {
     exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance, model) and
+      interpretSummary(this, input, output, kind, provenance) and
       provenance.isManual()
     )
   }
 
-  private predicate relevantSummaryElementGenerated(
-    string input, string output, string kind, string model
-  ) {
+  private predicate relevantSummaryElementGenerated(string input, string output, string kind) {
     exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance, model) and
+      interpretSummary(this, input, output, kind, provenance) and
       provenance.isGenerated()
     )
   }
@@ -951,17 +533,18 @@ private class SummarizedCallableAdapter extends SummarizedCallable {
     string input, string output, boolean preservesValue, string model
   ) {
     exists(string kind |
-      this.relevantSummaryElementManual(input, output, kind, model)
+      this.relevantSummaryElementManual(input, output, kind)
       or
-      not this.relevantSummaryElementManual(_, _, _, _) and
-      this.relevantSummaryElementGenerated(input, output, kind, model)
+      not this.relevantSummaryElementManual(_, _, _) and
+      this.relevantSummaryElementGenerated(input, output, kind)
     |
       if kind = "value" then preservesValue = true else preservesValue = false
-    )
+    ) and
+    model = "" // TODO
   }
 
   override predicate hasProvenance(Provenance provenance) {
-    interpretSummary(this, _, _, _, provenance, _)
+    interpretSummary(this, _, _, _, provenance)
   }
 }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -239,7 +239,17 @@ class CastNode extends Node {
   CastNode() { none() } // stub implementation
 }
 
-class DataFlowCallable extends Function { }
+class DataFlowCallable extends Function {
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCallable c, string file, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(file, startline, startcolumn, _, _)
+      |
+        c order by file, startline, startcolumn
+      )
+  }
+}
 
 class DataFlowExpr = Expr;
 
@@ -259,12 +269,24 @@ class DataFlowCall extends Expr instanceof Call {
 
   /** Gets the enclosing callable of this call. */
   DataFlowCallable getEnclosingCallable() { result = this.getEnclosingFunction() }
+
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCall c, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
+      |
+        c order by startline, startcolumn
+      )
+  }
 }
 
 class NodeRegion instanceof Unit {
   string toString() { result = "NodeRegion" }
 
   predicate contains(Node n) { none() }
+
+  int totalOrder() { result = 1 }
 }
 
 predicate isUnreachableInCall(NodeRegion nr, DataFlowCall call) { none() } // stub implementation

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -35,22 +35,16 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
       result = "Field" and
       arg = repeatStars(c.getIndirectionIndex() - 1) + c.getField().getName()
     )
-    or
-    exists(ElementContent ec |
-      cs.isSingleton(ec) and
-      result = "Element" and
-      arg = repeatStars(ec.getIndirectionIndex() - 1)
-    )
   }
 
   string encodeWithoutContent(ContentSet c, string arg) {
     // used for type tracking, not currently used in C/C++.
-    none()
+    result = "WithoutContent" + c and arg = ""
   }
 
   string encodeWithContent(ContentSet c, string arg) {
     // used for type tracking, not currently used in C/C++.
-    none()
+    result = "WithContent" + c and arg = ""
   }
 
   /**
@@ -85,6 +79,25 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
     token.getName() = "Parameter" and
     result = decodePosition(token.getAnArgument())
   }
+
+  bindingset[token]
+  ContentSet decodeUnknownContent(AccessPath::AccessPathTokenBase token) {
+    // field content (no indirection support)
+    exists(FieldContent c |
+      result.isSingleton(c) and
+      token.getName() = c.getField().getName() and
+      not exists(token.getArgumentList()) and
+      c.getIndirectionIndex() = 1
+    )
+    or
+    // field content (with indirection support)
+    exists(FieldContent c |
+      result.isSingleton(c) and
+      token.getName() = c.getField().getName() and
+      // FieldContent indices have 0 for the address, 1 for content, so we need to subtract one.
+      token.getAnArgument() = repeatStars(c.getIndirectionIndex() - 1)
+    )
+  }
 }
 
 private import Make<Location, DataFlowImplSpecific::CppDataFlow, Input> as Impl
@@ -112,8 +125,9 @@ module SourceSinkInterpretationInput implements
     exists(
       string namespace, string type, boolean subtypes, string name, string signature, string ext
     |
-      sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance, model) and
-      e = interpretElement(namespace, type, subtypes, name, signature, ext)
+      sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance) and
+      e = interpretElement(namespace, type, subtypes, name, signature, ext) and
+      model = "" // TODO
     )
   }
 
@@ -127,8 +141,9 @@ module SourceSinkInterpretationInput implements
     exists(
       string package, string type, boolean subtypes, string name, string signature, string ext
     |
-      sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, model) and
-      e = interpretElement(package, type, subtypes, name, signature, ext)
+      sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance) and
+      e = interpretElement(package, type, subtypes, name, signature, ext) and
+      model = "" // TODO
     )
   }
 

cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -383,37 +383,6 @@ class BuiltInOperationIsConvertibleTo extends BuiltInOperation, @isconvtoexpr {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsConvertibleTo" }
 }
 
-/**
- * A C++ `__is_convertible` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if the first type can be converted to the second type.
- * ```
- * bool v = __is_convertible(MyType, OtherType);
- * ```
- */
-class BuiltInOperationIsConvertible extends BuiltInOperation, @isconvertible {
-  override string toString() { result = "__is_convertible" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsConvertible" }
-}
-
-/**
- * A C++ `__is_nothrow_convertible` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if the first type can be converted to the second type and the
- * conversion operator has an empty exception specification.
- * ```
- * bool v = __is_nothrow_convertible(MyType, OtherType);
- * ```
- */
-class BuiltInOperationIsNothrowConvertible extends BuiltInOperation, @isnothrowconvertible {
-  override string toString() { result = "__is_nothrow_convertible" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsNothrowConvertible" }
-}
-
 /**
  * A C++ `__is_empty` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -678,7 +647,8 @@ class BuiltInOperationIsTriviallyAssignable extends BuiltInOperation, @istrivial
  * The `__is_nothrow_assignable` built-in operation (used by some
  * implementations of the `<type_traits>` header).
  *
- * Returns true if there exists an assignment operator with an empty exception specification.
+ * Returns true if there exists a `C::operator =(const D& d) nothrow`
+ * assignment operator (i.e, with an empty exception specification).
  * ```
  * bool v = __is_nothrow_assignable(MyType1, MyType2);
  * ```
@@ -693,7 +663,8 @@ class BuiltInOperationIsNothrowAssignable extends BuiltInOperation, @isnothrowas
  * The `__is_assignable` built-in operation (used by some implementations
  * of the `<type_traits>` header).
  *
- * Returns true if there exists an assignment operator.
+ * Returns true if there exists a `C::operator =(const D& d)` assignment
+ * operator.
  * ```
  * bool v = __is_assignable(MyType1, MyType2);
  * ```
@@ -704,25 +675,6 @@ class BuiltInOperationIsAssignable extends BuiltInOperation, @isassignable {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsAssignable" }
 }
 
-/**
- * The `__is_assignable_no_precondition_check` built-in operation (used by some
- * implementations of the `<type_traits>` header).
- *
- * Returns true if there exists an assignment operator.
- * ```
- * bool v = __is_assignable_no_precondition_check(MyType1, MyType2);
- * ```
- */
-class BuiltInOperationIsAssignableNoPreconditionCheck extends BuiltInOperation,
-  @isassignablenopreconditioncheck
-{
-  override string toString() { result = "__is_assignable_no_precondition_check" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationIsAssignableNoPreconditionCheck"
-  }
-}
-
 /**
  * The `__is_standard_layout` built-in operation (used by some implementations
  * of the `<type_traits>` header).
@@ -756,20 +708,6 @@ class BuiltInOperationIsTriviallyCopyable extends BuiltInOperation, @istrivially
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyCopyable" }
 }
 
-/**
- * The `__is_trivially_copy_assignable` built-in operation (used by some
- * implementations of the `<type_traits>` header).
- *
- * Returns `true` if instances of this type can be copied using a trivial
- * copy operator.
- */
-class BuiltInOperationIsTriviallyCopyAssignable extends BuiltInOperation, @istriviallycopyassignable
-{
-  override string toString() { result = "__is_trivially_copy_assignable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyCopyAssignable" }
-}
-
 /**
  * The `__is_literal_type` built-in operation (used by some implementations of
  * the `<type_traits>` header).
@@ -1124,24 +1062,6 @@ class BuiltInOperationIsSame extends BuiltInOperation, @issame {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsSame" }
 }
 
-/**
- * A C++ `__is_same_as` built-in operation (used by some implementations of the
- * `<type_traits>` header).
- *
- * Returns `true` if two types are the same.
- * ```
- * template<typename _Tp, typename _Up>
- *   struct is_same
- *   : public integral_constant<bool, __is_same_as(_Tp, _Up)>
- *   { };
- * ```
- */
-class BuiltInOperationIsSameAs extends BuiltInOperation, @issameas {
-  override string toString() { result = "__is_same_as" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsSameAs" }
-}
-
 /**
  * A C++ `__is_function` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -1200,87 +1120,6 @@ class BuiltInOperationIsPointerInterconvertibleBaseOf extends BuiltInOperation,
   }
 }
 
-/**
- * A C++ `__is_pointer_interconvertible_with_class` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a member pointer is pointer-interconvertible with a
- * class type.
- * ```
- * template<typename _Tp, typename _Up>
- * constexpr bool is_pointer_interconvertible_with_class(_Up _Tp::*mp) noexcept
- *   = __is_pointer_interconvertible_with_class(_Tp, mp);
- * ```
- */
-class BuiltInOperationIsPointerInterconvertibleWithClass extends BuiltInOperation,
-  @ispointerinterconvertiblewithclass
-{
-  override string toString() { result = "__is_pointer_interconvertible_with_class" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationIsPointerInterconvertibleWithClass"
-  }
-}
-
-/**
- * A C++ `__builtin_is_pointer_interconvertible_with_class` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a member pointer is pointer-interconvertible with a class type.
- * ```
- * template<typename _Tp, typename _Up>
- * constexpr bool is_pointer_interconvertible_with_class(_Up _Tp::*mp) noexcept
- *   = __builtin_is_pointer_interconvertible_with_class(mp);
- * ```
- */
-class BuiltInOperationBuiltInIsPointerInterconvertible extends BuiltInOperation,
-  @builtinispointerinterconvertiblewithclass
-{
-  override string toString() { result = "__builtin_is_pointer_interconvertible_with_class" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationBuiltInIsPointerInterconvertible"
-  }
-}
-
-/**
- * A C++ `__is_corresponding_member` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if two member pointers refer to corresponding
- * members in the initial sequences of two class types.
- * ```
- * template<typename _Tp1, typename _Tp2, typename _Up1, typename _Up2>
- * constexpr bool is_corresponding_member(_Up1 _Tp1::*mp1, _Up2 _Tp2::*mp2 ) noexcept
- *   = __is_corresponding_member(_Tp1, _Tp2, mp1, mp2);
- * ```
- */
-class BuiltInOperationIsCorrespondingMember extends BuiltInOperation, @iscorrespondingmember {
-  override string toString() { result = "__is_corresponding_member" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsCorrespondingMember" }
-}
-
-/**
- * A C++ `__builtin_is_corresponding_member` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if two member pointers refer to corresponding
- * members in the initial sequences of two class types.
- * ```
- * template<typename _Tp1, typename _Tp2, typename _Up1, typename _Up2>
- * constexpr bool is_corresponding_member(_Up1 _Tp1::*mp1, _Up2 _Tp2::*mp2 ) noexcept
- *   = __builtin_is_corresponding_member(mp1, mp2);
- * ```
- */
-class BuiltInOperationBuiltInIsCorrespondingMember extends BuiltInOperation,
-  @builtiniscorrespondingmember
-{
-  override string toString() { result = "__builtin_is_corresponding_member" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationBuiltInIsCorrespondingMember" }
-}
-
 /**
  * A C++ `__is_array` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -1299,42 +1138,6 @@ class BuiltInOperationIsArray extends BuiltInOperation, @isarray {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsArray" }
 }
 
-/**
- * A C++ `__is_bounded_array` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a type is a bounded array type.
- * ```
- * template<typename _Tp>
- *   struct is_bounded_array
- *   : public integral_constant<bool, __is_bounded_array(_Tp)>
- *   { };
- * ```
- */
-class BuiltInOperationIsBoundedArray extends BuiltInOperation, @isboundedarray {
-  override string toString() { result = "__is_bounded_array" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsBoundedArray" }
-}
-
-/**
- * A C++ `__is_unbounded_array` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a type is an unbounded array type.
- * ```
- * template<typename _Tp>
- *   struct is_bounded_array
- *   : public integral_constant<bool, __is_unbounded_array(_Tp)>
- *   { };
- * ```
- */
-class BuiltInOperationIsUnboundedArray extends BuiltInOperation, @isunboundedarray {
-  override string toString() { result = "__is_unbounded_array" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsUnboundedArray" }
-}
-
 /**
  * A C++ `__array_rank` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -1751,10 +1554,10 @@ class BuiltInBitCast extends BuiltInOperation, @builtinbitcast {
  *
  * Returns `true` if a type is a trivial type.
  * ```
- * template<typename _Tp>
- *   struct is_trivial
- *   : public integral_constant<bool, __is_trivial(_Tp)>
- *   {};
+ *  template<typename _Tp>
+ *    struct is_trivial
+ *    : public integral_constant<bool, __is_trivial(_Tp)>
+ *    {};
  * ```
  */
 class BuiltInIsTrivial extends BuiltInOperation, @istrivialexpr {
@@ -1762,126 +1565,3 @@ class BuiltInIsTrivial extends BuiltInOperation, @istrivialexpr {
 
   override string getAPrimaryQlClass() { result = "BuiltInIsTrivial" }
 }
-
-/**
- * A C++ `__reference_constructs_from_temporary` built-in operation
- * (used by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a reference type `_Tp` is bound to an expression of
- * type `_Up` in direct-initialization, and a temporary object is bound.
- * ```
- * template<typename _Tp, typename _Up>
- *   struct reference_constructs_from_temporary
- *   : public integral_constant<bool, __reference_constructs_from_temporary(_Tp, _Up)>
- *   {};
- * ```
- */
-class BuiltInOperationReferenceConstructsFromTemporary extends BuiltInOperation,
-  @referenceconstructsfromtemporary
-{
-  override string toString() { result = "__reference_constructs_from_temporary" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationReferenceConstructsFromTemporary"
-  }
-}
-
-/**
- * A C++ `__reference_converts_from_temporary` built-in operation
- * (used by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a reference type `_Tp` is bound to an expression of
- * type `_Up` in copy-initialization, and a temporary object is bound.
- * ```
- * template<typename _Tp, typename _Up>
- *   struct reference_converts_from_temporary
- *   : public integral_constant<bool, __reference_converts_from_temporary(_Tp, _Up)>
- *   {};
- * ```
- */
-class BuiltInOperationReferenceCovertsFromTemporary extends BuiltInOperation,
-  @referenceconvertsfromtemporary
-{
-  override string toString() { result = "__reference_converts_from_temporary" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationReferenceCovertsFromTemporary" }
-}
-
-/**
- * A C++ `__reference_binds_to_temporary` built-in operation (used by some
- * implementations of the `<tuple>` header).
- *
- * Returns `true` if a reference of type `Type1` is bound to an expression of
- * type `Type1`, and a temporary object is bound.
- * ```
- * __reference_binds_to_temporary(Type1, Type2)
- */
-class BuiltInOperationReferenceBindsToTemporary extends BuiltInOperation, @referencebindstotemporary
-{
-  override string toString() { result = "__reference_binds_to_temporary" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationReferenceBindsToTemporary" }
-}
-
-/**
- * A C++ `__builtin_has_attribute` built-in operation.
- *
- * Returns `true` if a type or expression has been declared with the
- * specified attribute.
- * ```
- * __attribute__ ((aligned(8))) int v;
- * bool has_attribute = __builtin_has_attribute(v, aligned);
- * ```
- */
-class BuiltInOperationHasAttribute extends BuiltInOperation, @builtinhasattribute {
-  override string toString() { result = "__builtin_has_attribute" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationHasAttribute" }
-}
-
-/**
- * A C++ `__is_referenceable` built-in operation.
- *
- * Returns `true` if a type can be referenced.
- * ```
- * bool is_referenceable = __is_referenceable(int);
- * ```
- */
-class BuiltInOperationIsReferenceable extends BuiltInOperation, @isreferenceable {
-  override string toString() { result = "__is_referenceable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsReferenceable" }
-}
-
-/**
- * The `__is_valid_winrt_type` built-in operation. This is a Microsoft extension.
- *
- * Returns `true` if the type is a valid WinRT type.
- */
-class BuiltInOperationIsValidWinRtType extends BuiltInOperation, @isvalidwinrttype {
-  override string toString() { result = "__is_valid_winrt_type" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsValidWinRtType" }
-}
-
-/**
- * The `__is_win_class` built-in operation. This is a Microsoft extension.
- *
- * Returns `true` if the class is a ref class.
- */
-class BuiltInOperationIsWinClass extends BuiltInOperation, @iswinclass {
-  override string toString() { result = "__is_win_class" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsWinClass" }
-}
-
-/**
- * The `__is_win_class` built-in operation. This is a Microsoft extension.
- *
- * Returns `true` if the class is an interface class.
- */
-class BuiltInOperationIsWinInterface extends BuiltInOperation, @iswininterface {
-  override string toString() { result = "__is_win_interface" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsWinInterface" }
-}

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -949,16 +949,6 @@ class NewArrayExpr extends NewOrNewArrayExpr, @new_array_expr {
    * gives nothing, as the 10 is considered part of the type.
    */
   Expr getExtent() { result = this.getChild(2) }
-
-  /**
-   * Gets the number of elements in the array, if available.
-   *
-   * For example, `new int[]{1,2,3}` has an array size of 3.
-   */
-  int getArraySize() {
-    result = this.getAllocatedType().(ArrayType).getArraySize() or
-    result = this.getInitializer().(ArrayAggregateLiteral).getArraySize()
-  }
 }
 
 private class TDeleteOrDeleteArrayExpr = @delete_expr or @delete_array_expr;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -11,7 +11,6 @@ private import Node0ToString
 private import ModelUtil
 private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs as IO
 private import semmle.code.cpp.models.interfaces.DataFlow as DF
-private import semmle.code.cpp.dataflow.ExternalFlow as External
 
 cached
 private module Cached {
@@ -413,8 +412,6 @@ class ArgumentPosition = Position;
 
 abstract class Position extends TPosition {
   abstract string toString();
-
-  abstract int getIndirectionIndex();
 }
 
 class DirectPosition extends Position, TDirectPosition {
@@ -424,15 +421,13 @@ class DirectPosition extends Position, TDirectPosition {
 
   override string toString() {
     index = -1 and
-    result = "this pointer"
+    result = "this"
     or
     index != -1 and
     result = index.toString()
   }
 
   int getIndex() { result = index }
-
-  final override int getIndirectionIndex() { result = 0 }
 }
 
 class IndirectionPosition extends Position, TIndirectionPosition {
@@ -443,13 +438,16 @@ class IndirectionPosition extends Position, TIndirectionPosition {
 
   override string toString() {
     if argumentIndex = -1
-    then result = repeatStars(indirectionIndex - 1) + "this"
-    else result = repeatStars(indirectionIndex) + argumentIndex.toString()
+    then if indirectionIndex > 0 then result = "this indirection" else result = "this"
+    else
+      if indirectionIndex > 0
+      then result = argumentIndex.toString() + " indirection"
+      else result = argumentIndex.toString()
   }
 
   int getArgumentIndex() { result = argumentIndex }
 
-  final override int getIndirectionIndex() { result = indirectionIndex }
+  int getIndirectionIndex() { result = indirectionIndex }
 }
 
 newtype TPosition =
@@ -1061,6 +1059,16 @@ class DataFlowCallable extends TDataFlowCallable {
     result = this.asSummarizedCallable() or // SummarizedCallable = Function (in CPP)
     result = this.asSourceCallable()
   }
+
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCallable c, string file, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(file, startline, startcolumn, _, _)
+      |
+        c order by file, startline, startcolumn
+      )
+  }
 }
 
 /**
@@ -1158,6 +1166,16 @@ class DataFlowCall extends TDataFlowCall {
    * Gets the location of this call.
    */
   Location getLocation() { none() }
+
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCall c, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
+      |
+        c order by startline, startcolumn
+      )
+  }
 }
 
 /**
@@ -1250,6 +1268,15 @@ module IsUnreachableInCall {
     string toString() { result = "NodeRegion" }
 
     predicate contains(Node n) { this = n.getBasicBlock() }
+
+    int totalOrder() {
+      this =
+        rank[result](IRBlock b, int startline, int startcolumn |
+          b.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
+        |
+          b order by startline, startcolumn
+        )
+    }
   }
 
   predicate isUnreachableInCall(NodeRegion block, DataFlowCall call) {
@@ -1295,7 +1322,7 @@ import IsUnreachableInCall
  * Holds if access paths with `c` at their head always should be tracked at high
  * precision. This disables adaptive access path precision for such access paths.
  */
-predicate forceHighPrecision(Content c) { c instanceof ElementContent }
+predicate forceHighPrecision(Content c) { none() }
 
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) {
@@ -1334,9 +1361,9 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
 
-predicate knownSourceModel(Node source, string model) { External::sourceNode(source, _, model) }
+predicate knownSourceModel(Node source, string model) { none() }
 
-predicate knownSinkModel(Node sink, string model) { External::sinkNode(sink, _, model) }
+predicate knownSinkModel(Node sink, string model) { none() }
 
 /**
  * Holds if flow is allowed to pass from parameter `p` and back to itself as a
@@ -1366,8 +1393,7 @@ private predicate unionHasApproxName(Cpp::Union u, string s) { s = u.getName().c
 cached
 private newtype TContentApprox =
   TFieldApproxContent(string s) { fieldHasApproxName(_, s) } or
-  TUnionApproxContent(string s) { unionHasApproxName(_, s) } or
-  TElementApproxContent()
+  TUnionApproxContent(string s) { unionHasApproxName(_, s) }
 
 /** An approximated `Content`. */
 class ContentApprox extends TContentApprox {
@@ -1398,10 +1424,6 @@ private class UnionApproxContent extends ContentApprox, TUnionApproxContent {
   final override string toString() { result = s }
 }
 
-private class ElementApproxContent extends ContentApprox, TElementApproxContent {
-  final override string toString() { result = "ElementApprox" }
-}
-
 /** Gets an approximated value for content `c`. */
 pragma[inline]
 ContentApprox getContentApprox(Content c) {
@@ -1416,9 +1438,6 @@ ContentApprox getContentApprox(Content c) {
     u = c.(UnionContent).getUnion() and
     unionHasApproxName(u, prefix)
   )
-  or
-  c instanceof ElementContent and
-  result instanceof ElementApproxContent
 }
 
 /**
@@ -1678,14 +1697,6 @@ class DataFlowSecondLevelScope extends TDataFlowSecondLevelScope {
 /** Gets the second-level scope containing the node `n`, if any. */
 DataFlowSecondLevelScope getSecondLevelScope(Node n) { result.getANode() = n }
 
-/**
- * Gets the maximum number of indirections to use for `ElementContent`.
- *
- * This should be equal to the largest number of stars (i.e., `*`s) in any
- * `Element` content across all of our MaD summaries, sources, and sinks.
- */
-int getMaxElementContentIndirectionIndex() { result = 5 }
-
 /**
  * Module that defines flow through iterators.
  * For example,
@@ -1798,7 +1809,7 @@ module IteratorFlow {
      * Holds if `(bb, i)` contains a write to an iterator that may have been obtained
      * by calling `begin` (or related functions) on the variable `v`.
      */
-    predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
+    predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
       certain = false and
       exists(GetsIteratorCall beginCall, Instruction writeToDeref, IRBlock bbQual, int iQual |
         isIteratorStoreInstruction(beginCall, writeToDeref) and
@@ -1809,7 +1820,7 @@ module IteratorFlow {
     }
 
     /** Holds if `(bb, i)` reads the container variable `v`. */
-    predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
+    predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
       Ssa::variableRead(bb, i, v, certain)
     }
   }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -2083,9 +2083,6 @@ private newtype TContent =
       indirectionIndex =
         [1 .. max(Ssa::getMaxIndirectionsForType(getAFieldWithSize(u, bytes).getUnspecifiedType()))]
     )
-  } or
-  TElementContent(int indirectionIndex) {
-    indirectionIndex = [1 .. getMaxElementContentIndirectionIndex()]
   }
 
 /**
@@ -2196,25 +2193,6 @@ class UnionContent extends Content, TUnionContent {
   }
 }
 
-/**
- * A `Content` that represents one of the elements of a
- * container (e.g., `std::vector`).
- */
-class ElementContent extends Content, TElementContent {
-  int indirectionIndex;
-
-  ElementContent() { this = TElementContent(indirectionIndex) }
-
-  pragma[inline]
-  override int getIndirectionIndex() {
-    pragma[only_bind_into](result) = pragma[only_bind_out](indirectionIndex)
-  }
-
-  override predicate impliesClearOf(Content c) { none() }
-
-  override string toString() { result = contentStars(this) + "element" }
-}
-
 /**
  * An entity that represents a set of `Content`s.
  *

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -104,7 +104,7 @@ predicate hasRawIndirectInstruction(Instruction instr, int indirectionIndex) {
 
 cached
 private newtype TDefImpl =
-  TDefAddressImpl(BaseSourceVariable v) or
+  TDefAddressImpl(BaseIRVariable v) or
   TDirectDefImpl(Operand address, int indirectionIndex) {
     isDef(_, _, address, _, _, indirectionIndex)
   } or
@@ -325,9 +325,9 @@ private Instruction getInitializationTargetAddress(IRVariable v) {
   )
 }
 
-/** An initial definition of an SSA variable address. */
-abstract private class DefAddressImpl extends DefImpl, TDefAddressImpl {
-  BaseSourceVariable v;
+/** An initial definition of an `IRVariable`'s address. */
+private class DefAddressImpl extends DefImpl, TDefAddressImpl {
+  BaseIRVariable v;
 
   DefAddressImpl() {
     this = TDefAddressImpl(v) and
@@ -342,19 +342,6 @@ abstract private class DefAddressImpl extends DefImpl, TDefAddressImpl {
 
   final override Node0Impl getValue() { none() }
 
-  override Cpp::Location getLocation() { result = v.getLocation() }
-
-  final override SourceVariable getSourceVariable() {
-    result.getBaseVariable() = v and
-    result.getIndirection() = 0
-  }
-
-  final override BaseSourceVariable getBaseSourceVariable() { result = v }
-}
-
-private class DefVariableAddressImpl extends DefAddressImpl {
-  override BaseIRVariable v;
-
   final override predicate hasIndexInBlock(IRBlock block, int index) {
     exists(IRVariable var | var = v.getIRVariable() |
       block.getInstruction(index) = getInitializationTargetAddress(var)
@@ -366,14 +353,15 @@ private class DefVariableAddressImpl extends DefAddressImpl {
       index = 0
     )
   }
-}
 
-private class DefCallAddressImpl extends DefAddressImpl {
-  override BaseCallVariable v;
+  override Cpp::Location getLocation() { result = v.getIRVariable().getLocation() }
 
-  final override predicate hasIndexInBlock(IRBlock block, int index) {
-    block.getInstruction(index) = v.getCallInstruction()
+  final override SourceVariable getSourceVariable() {
+    result.getBaseVariable() = v and
+    result.getIndirection() = 0
   }
+
+  final override BaseSourceVariable getBaseSourceVariable() { result = v }
 }
 
 private class DirectDef extends DefImpl, TDirectDefImpl {
@@ -993,7 +981,7 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
    * Holds if the `i`'th write in block `bb` writes to the variable `v`.
    * `certain` is `true` if the write is guaranteed to overwrite the entire variable.
    */
-  predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
+  predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
     DataFlowImplCommon::forceCachingInSameStage() and
     (
       exists(DefImpl def | def.hasIndexInBlock(bb, i, v) |
@@ -1011,7 +999,7 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
    * Holds if the `i`'th read in block `bb` reads to the variable `v`.
    * `certain` is `true` if the read is guaranteed. For C++, this is always the case.
    */
-  predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
+  predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
     exists(UseImpl use | use.hasIndexInBlock(bb, i, v) |
       if use.isCertain() then certain = true else certain = false
     )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -40,8 +40,7 @@ predicate ignoreInstruction(Instruction instr) {
     instr instanceof AliasedDefinitionInstruction or
     instr instanceof AliasedUseInstruction or
     instr instanceof InitializeNonLocalInstruction or
-    instr instanceof ReturnIndirectionInstruction or
-    instr instanceof UninitializedGroupInstruction
+    instr instanceof ReturnIndirectionInstruction
   )
 }
 
@@ -758,19 +757,13 @@ import Cached
  * between the SSA pruning stage, and the final SSA stage.
  */
 module InputSigCommon {
-  class BasicBlock extends IRBlock {
-    ControlFlowNode getNode(int i) { result = this.getInstruction(i) }
-
-    int length() { result = this.getInstructionCount() }
-  }
-
-  class ControlFlowNode = Instruction;
+  class BasicBlock = IRBlock;
 
   BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result.immediatelyDominates(bb) }
 
   BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
 
-  class ExitBasicBlock extends BasicBlock {
+  class ExitBasicBlock extends IRBlock {
     ExitBasicBlock() { this.getLastInstruction() instanceof ExitFunctionInstruction }
   }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -147,10 +147,7 @@ predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink, st
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) {
-  node instanceof ArgumentNode and
-  c.isSingleton(any(ElementContent ec))
-}
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
 
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations

cpp/ql/lib/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll

@@ -13,8 +13,7 @@ private newtype TMemoryAccessKind =
   TPhiMemoryAccess() or
   TUnmodeledMemoryAccess() or
   TChiTotalMemoryAccess() or
-  TChiPartialMemoryAccess() or
-  TGroupedMemoryAccess()
+  TChiPartialMemoryAccess()
 
 /**
  * Describes the set of memory locations memory accessed by a memory operand or
@@ -100,11 +99,3 @@ class ChiTotalMemoryAccess extends MemoryAccessKind, TChiTotalMemoryAccess {
 class ChiPartialMemoryAccess extends MemoryAccessKind, TChiPartialMemoryAccess {
   override string toString() { result = "chi(partial)" }
 }
-
-/**
- * The result of an `UninitializedGroup` instruction, which initializes a set of
- * allocations that are each assigned the same virtual variable.
- */
-class GroupedMemoryAccess extends MemoryAccessKind, TGroupedMemoryAccess {
-  override string toString() { result = "group" }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -89,7 +89,6 @@ private newtype TOpcode =
   TSizedBufferMayWriteSideEffect() or
   TInitializeDynamicAllocation() or
   TChi() or
-  TUninitializedGroup() or
   TInlineAsm() or
   TUnreached() or
   TNewObj()
@@ -1238,17 +1237,6 @@ module Opcode {
     }
   }
 
-  /**
-   * The `Opcode` for a `UninitializedGroup`.
-   *
-   * See the `UninitializedGroupInstruction` documentation for more details.
-   */
-  class UninitializedGroup extends Opcode, TUninitializedGroup {
-    final override string toString() { result = "UninitializedGroup" }
-
-    override GroupedMemoryAccess getWriteMemoryAccess() { any() }
-  }
-
   /**
    * The `Opcode` for an `InlineAsmInstruction`.
    *

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -2142,47 +2142,6 @@ class ChiInstruction extends Instruction {
   final predicate isPartialUpdate() { Construction::chiOnlyPartiallyUpdatesLocation(this) }
 }
 
-/**
- * An instruction that initializes a set of allocations that are each assigned
- * the same "virtual variable".
- *
- * As an example, consider the following snippet:
- * ```
- * int a;
- * int b;
- * int* p;
- * if(b) {
- *   p = &a;
- * } else {
- *   p = &b;
- * }
- * *p = 5;
- * int x = a;
- * ```
- *
- * Since both the address of `a` and `b` reach `p` at `*p = 5` the IR alias
- * analysis will create a region that contains both `a` and `b`. The region
- * containing both `a` and `b` are initialized by an `UninitializedGroup`
- * instruction in the entry block of the enclosing function.
- */
-class UninitializedGroupInstruction extends Instruction {
-  UninitializedGroupInstruction() { this.getOpcode() instanceof Opcode::UninitializedGroup }
-
-  /**
-   * Gets an `IRVariable` whose memory is initialized by this instruction, if any.
-   * Note: Allocations that are not represented as `IRVariable`s (such as
-   * dynamic allocations) are not returned by this predicate even if this
-   * instruction initializes such memory.
-   */
-  final IRVariable getAnIRVariable() {
-    result = Construction::getAnUninitializedGroupVariable(this)
-  }
-
-  final override string getImmediateString() {
-    result = strictconcat(this.getAnIRVariable().toString(), ",")
-  }
-}
-
 /**
  * An instruction representing unreachable code.
  *

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll

@@ -106,7 +106,8 @@ private predicate operandEscapesDomain(Operand operand) {
   not isArgumentForParameter(_, operand, _) and
   not isOnlyEscapesViaReturnArgument(operand) and
   not operand.getUse() instanceof ReturnValueInstruction and
-  not operand.getUse() instanceof ReturnIndirectionInstruction
+  not operand.getUse() instanceof ReturnIndirectionInstruction and
+  not operand instanceof PhiInputOperand
 }
 
 /**
@@ -190,11 +191,6 @@ private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instr
     // A copy propagates the source value.
     operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
   )
-  or
-  operand = instr.(PhiInstruction).getAnInputOperand() and
-  // Using `unknown` ensures termination since we cannot keep incrementing a bit offset
-  // through the back edge of a loop (or through recursion).
-  bitOffset = Ints::unknown()
 }
 
 private predicate operandEscapesNonReturn(Operand operand) {
@@ -216,6 +212,9 @@ private predicate operandEscapesNonReturn(Operand operand) {
   or
   isOnlyEscapesViaReturnArgument(operand) and resultEscapesNonReturn(operand.getUse())
   or
+  operand instanceof PhiInputOperand and
+  resultEscapesNonReturn(operand.getUse())
+  or
   operandEscapesDomain(operand)
 }
 
@@ -237,6 +236,9 @@ private predicate operandMayReachReturn(Operand operand) {
   operand.getUse() instanceof ReturnValueInstruction
   or
   isOnlyEscapesViaReturnArgument(operand) and resultMayReachReturn(operand.getUse())
+  or
+  operand instanceof PhiInputOperand and
+  resultMayReachReturn(operand.getUse())
 }
 
 private predicate operandReturned(Operand operand, IntValue bitOffset) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll

@@ -101,8 +101,6 @@ class IndirectParameterAllocation extends Allocation, TIndirectParameterAllocati
   final override predicate isAlwaysAllocatedOnStack() { none() }
 
   final override predicate alwaysEscapes() { none() }
-
-  final IRAutomaticVariable getIRVariable() { result = var }
 }
 
 class DynamicAllocation extends Allocation, TDynamicAllocation {

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -8,7 +8,6 @@ private import semmle.code.cpp.ir.internal.IntegerConstant as Ints
 private import semmle.code.cpp.ir.internal.IntegerInterval as Interval
 private import semmle.code.cpp.ir.implementation.internal.OperandTag
 private import AliasConfiguration
-private import codeql.util.Boolean
 
 private class IntValue = Ints::IntValue;
 
@@ -17,196 +16,49 @@ private predicate isIndirectOrBufferMemoryAccess(MemoryAccessKind kind) {
   kind instanceof BufferMemoryAccess
 }
 
-private predicate hasMemoryAccess(
-  AddressOperand addrOperand, Allocation var, IntValue startBitOffset, boolean grouped
-) {
-  addressOperandAllocationAndOffset(addrOperand, var, startBitOffset) and
-  if strictcount(Allocation alloc | addressOperandAllocationAndOffset(addrOperand, alloc, _)) > 1
-  then grouped = true
-  else grouped = false
-}
-
 private predicate hasResultMemoryAccess(
-  AddressOperand address, Instruction instr, Allocation var, IRType type,
-  Language::LanguageType languageType, IntValue startBitOffset, IntValue endBitOffset,
-  boolean isMayAccess, boolean grouped
+  Instruction instr, Allocation var, IRType type, Language::LanguageType languageType,
+  IntValue startBitOffset, IntValue endBitOffset, boolean isMayAccess
 ) {
-  address = instr.getResultAddressOperand() and
-  hasMemoryAccess(address, var, startBitOffset, grouped) and
-  languageType = instr.getResultLanguageType() and
-  type = languageType.getIRType() and
-  isIndirectOrBufferMemoryAccess(instr.getResultMemoryAccess()) and
-  (if instr.hasResultMayMemoryAccess() then isMayAccess = true else isMayAccess = false) and
-  if exists(type.getByteSize())
-  then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8))
-  else endBitOffset = Ints::unknown()
+  exists(AddressOperand addrOperand |
+    addrOperand = instr.getResultAddressOperand() and
+    addressOperandAllocationAndOffset(addrOperand, var, startBitOffset) and
+    languageType = instr.getResultLanguageType() and
+    type = languageType.getIRType() and
+    isIndirectOrBufferMemoryAccess(instr.getResultMemoryAccess()) and
+    (if instr.hasResultMayMemoryAccess() then isMayAccess = true else isMayAccess = false) and
+    if exists(type.getByteSize())
+    then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8))
+    else endBitOffset = Ints::unknown()
+  )
 }
 
 private predicate hasOperandMemoryAccess(
-  AddressOperand address, MemoryOperand operand, Allocation var, IRType type,
-  Language::LanguageType languageType, IntValue startBitOffset, IntValue endBitOffset,
-  boolean isMayAccess, boolean grouped
+  MemoryOperand operand, Allocation var, IRType type, Language::LanguageType languageType,
+  IntValue startBitOffset, IntValue endBitOffset, boolean isMayAccess
 ) {
-  address = operand.getAddressOperand() and
-  hasMemoryAccess(address, var, startBitOffset, grouped) and
-  languageType = operand.getLanguageType() and
-  type = languageType.getIRType() and
-  isIndirectOrBufferMemoryAccess(operand.getMemoryAccess()) and
-  (if operand.hasMayReadMemoryAccess() then isMayAccess = true else isMayAccess = false) and
-  if exists(type.getByteSize())
-  then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8))
-  else endBitOffset = Ints::unknown()
-}
-
-private Allocation getAnAllocation(AddressOperand address) {
-  hasResultMemoryAccess(address, _, result, _, _, _, _, _, true) or
-  hasOperandMemoryAccess(address, _, result, _, _, _, _, _, true)
-}
-
-private module AllocationSet0 =
-  QlBuiltins::InternSets<AddressOperand, Allocation, getAnAllocation/1>;
-
-/**
- * A set of allocations containing at least 2 elements.
- */
-private class NonSingletonSets extends AllocationSet0::Set {
-  NonSingletonSets() { strictcount(Allocation var | this.contains(var)) > 1 }
-
-  /** Gets an allocation from this set. */
-  Allocation getAnAllocation() { this.contains(result) }
-
-  /** Gets the string representation of this set. */
-  string toString() { result = "{" + strictconcat(this.getAnAllocation().toString(), ", ") + "}" }
-}
-
-/** Holds the instersection of `s1` and `s2` is non-empty. */
-private predicate hasOverlappingElement(NonSingletonSets s1, NonSingletonSets s2) {
-  exists(Allocation var |
-    s1.contains(var) and
-    s2.contains(var)
+  exists(AddressOperand addrOperand |
+    addrOperand = operand.getAddressOperand() and
+    addressOperandAllocationAndOffset(addrOperand, var, startBitOffset) and
+    languageType = operand.getLanguageType() and
+    type = languageType.getIRType() and
+    isIndirectOrBufferMemoryAccess(operand.getMemoryAccess()) and
+    (if operand.hasMayReadMemoryAccess() then isMayAccess = true else isMayAccess = false) and
+    if exists(type.getByteSize())
+    then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8))
+    else endBitOffset = Ints::unknown()
   )
 }
 
-private module AllocationSet =
-  QlBuiltins::EquivalenceRelation<NonSingletonSets, hasOverlappingElement/2>;
-
-/**
- * Holds if `var` is created by the AST element `e`. Furthermore, the value `d`
- * represents which branch of the `Allocation` type `var` is from.
- */
-private predicate allocationAst(Allocation var, @element e, int d) {
-  var.(VariableAllocation).getIRVariable().getAst() = e and d = 0
-  or
-  var.(IndirectParameterAllocation).getIRVariable().getAst() = e and d = 1
-  or
-  var.(DynamicAllocation).getABaseInstruction().getAst() = e and d = 2
-}
-
-/** Holds if `x = y` and `x` is an AST element that creates an `Allocation`. */
-private predicate id(@element x, @element y) {
-  allocationAst(_, x, _) and
-  x = y
-}
-
-private predicate idOf(@element x, int y) = equivalenceRelation(id/2)(x, y)
-
-/** Gets a unique integer representation of `var`. */
-private int getUniqueAllocationId(Allocation var) {
-  exists(int r, @element e, int d |
-    allocationAst(var, e, d) and
-    idOf(e, r) and
-    result = 3 * r + d
-  )
-}
-
-/**
- * An equivalence class of a set of allocations.
- *
- * Any `VariableGroup` will be completely disjunct from any other
- * `VariableGroup`.
- */
-class VariableGroup extends AllocationSet::EquivalenceClass {
-  /** Gets the location of this set. */
-  final Location getLocation() { result = this.getIRFunction().getLocation() }
-
-  /** Gets the enclosing `IRFunction` of this set. */
-  final IRFunction getIRFunction() {
-    result = unique( | | this.getAnAllocation().getEnclosingIRFunction())
-  }
-
-  /** Gets the type of elements contained in this set. */
-  final Language::LanguageType getType() {
-    strictcount(Language::LanguageType langType |
-      exists(Allocation var | var = this.getAnAllocation() |
-        hasResultMemoryAccess(_, _, var, _, langType, _, _, _, true) or
-        hasOperandMemoryAccess(_, _, var, _, langType, _, _, _, true)
-      )
-    ) = 1 and
-    exists(Allocation var | var = this.getAnAllocation() |
-      hasResultMemoryAccess(_, _, var, _, result, _, _, _, true) or
-      hasOperandMemoryAccess(_, _, var, _, result, _, _, _, true)
-    )
-    or
-    strictcount(Language::LanguageType langType |
-      exists(Allocation var | var = this.getAnAllocation() |
-        hasResultMemoryAccess(_, _, var, _, langType, _, _, _, true) or
-        hasOperandMemoryAccess(_, _, var, _, langType, _, _, _, true)
-      )
-    ) > 1 and
-    result = any(IRUnknownType type).getCanonicalLanguageType()
-  }
-
-  /** Gets an allocation of this set. */
-  final Allocation getAnAllocation() {
-    exists(AllocationSet0::Set set |
-      this = AllocationSet::getEquivalenceClass(set) and
-      set.contains(result)
-    )
-  }
-
-  /** Gets a unique string representing this set. */
-  final private string getUniqueId() {
-    result = strictconcat(getUniqueAllocationId(this.getAnAllocation()).toString(), ",")
-  }
-
-  /**
-   * Gets the order that this set should be initialized in.
-   *
-   * Note: This is _not_ the order in which the _members_ of the set should be
-   * initialized. Rather, it represents the order in which the set should be
-   * initialized in relation to other sets. That is, if
-   * ```
-   * getInitializationOrder() = 2
-   * ```
-   * then this set will be initialized as the second (third) set in the
-   * enclosing function. In order words, the third `UninitializedGroup`
-   * instruction in the entry block of the enclosing function will initialize
-   * this set of allocations.
-   */
-  final int getInitializationOrder() {
-    exists(IRFunction func |
-      func = this.getIRFunction() and
-      this =
-        rank[result + 1](VariableGroup vg, string uniq |
-          vg.getIRFunction() = func and uniq = vg.getUniqueId()
-        |
-          vg order by uniq
-        )
-    )
-  }
-
-  string toString() { result = "{" + strictconcat(this.getAnAllocation().toString(), ", ") + "}" }
-}
-
 private newtype TMemoryLocation =
   TVariableMemoryLocation(
     Allocation var, IRType type, Language::LanguageType languageType, IntValue startBitOffset,
     IntValue endBitOffset, boolean isMayAccess
   ) {
     (
-      hasResultMemoryAccess(_, _, var, type, _, startBitOffset, endBitOffset, isMayAccess, false)
+      hasResultMemoryAccess(_, var, type, _, startBitOffset, endBitOffset, isMayAccess)
       or
-      hasOperandMemoryAccess(_, _, var, type, _, startBitOffset, endBitOffset, isMayAccess, false)
+      hasOperandMemoryAccess(_, var, type, _, startBitOffset, endBitOffset, isMayAccess)
       or
       // For a stack variable, always create a memory location for the entire variable.
       var.isAlwaysAllocatedOnStack() and
@@ -217,14 +69,22 @@ private newtype TMemoryLocation =
     ) and
     languageType = type.getCanonicalLanguageType()
   } or
-  TEntireAllocationMemoryLocation(Allocation var, Boolean isMayAccess) {
-    var instanceof IndirectParameterAllocation or
-    var instanceof DynamicAllocation
+  TEntireAllocationMemoryLocation(Allocation var, boolean isMayAccess) {
+    (
+      var instanceof IndirectParameterAllocation or
+      var instanceof DynamicAllocation
+    ) and
+    (isMayAccess = false or isMayAccess = true)
   } or
-  TGroupedMemoryLocation(VariableGroup vg, Boolean isMayAccess, Boolean isAll) or
-  TUnknownMemoryLocation(IRFunction irFunc, Boolean isMayAccess) or
-  TAllNonLocalMemory(IRFunction irFunc, Boolean isMayAccess) or
-  TAllAliasedMemory(IRFunction irFunc, Boolean isMayAccess)
+  TUnknownMemoryLocation(IRFunction irFunc, boolean isMayAccess) {
+    isMayAccess = false or isMayAccess = true
+  } or
+  TAllNonLocalMemory(IRFunction irFunc, boolean isMayAccess) {
+    isMayAccess = false or isMayAccess = true
+  } or
+  TAllAliasedMemory(IRFunction irFunc, boolean isMayAccess) {
+    isMayAccess = false or isMayAccess = true
+  }
 
 /**
  * Represents the memory location accessed by a memory operand or memory result. In this implementation, the location is
@@ -256,14 +116,7 @@ abstract class MemoryLocation extends TMemoryLocation {
 
   abstract predicate isMayAccess();
 
-  /**
-   * Gets an allocation associated with this `MemoryLocation`.
-   *
-   * This returns zero or one results in all cases except when `this` is an
-   * instance of `GroupedMemoryLocation`. When `this` is an instance of
-   * `GroupedMemoryLocation` this predicate always returns two or more results.
-   */
-  Allocation getAnAllocation() { none() }
+  Allocation getAllocation() { none() }
 
   /**
    * Holds if the location cannot be overwritten except by definition of a `MemoryLocation` for
@@ -300,29 +153,24 @@ abstract class AllocationMemoryLocation extends MemoryLocation {
   Allocation var;
   boolean isMayAccess;
 
-  bindingset[isMayAccess]
-  AllocationMemoryLocation() { any() }
+  AllocationMemoryLocation() {
+    this instanceof TMemoryLocation and
+    isMayAccess = false
+    or
+    isMayAccess = true // Just ensures that `isMayAccess` is bound.
+  }
 
   final override VirtualVariable getVirtualVariable() {
     if allocationEscapes(var)
     then result = TAllAliasedMemory(var.getEnclosingIRFunction(), false)
-    else (
-      // It may be that the grouped memory location contains an escaping
-      // allocation. In that case, the virtual variable is still the memory
-      // location that represents all aliased memory. Thus, we need to
-      // call `getVirtualVariable` on the grouped memory location.
-      result = getGroupedMemoryLocation(var, false, false).getVirtualVariable()
-      or
-      not exists(getGroupedMemoryLocation(var, false, false)) and
-      result.(AllocationMemoryLocation).getAnAllocation() = var
-    )
+    else result.(AllocationMemoryLocation).getAllocation() = var
   }
 
   final override IRFunction getIRFunction() { result = var.getEnclosingIRFunction() }
 
   final override Location getLocation() { result = var.getLocation() }
 
-  final override Allocation getAnAllocation() { result = var }
+  final override Allocation getAllocation() { result = var }
 
   final override predicate isMayAccess() { isMayAccess = true }
 
@@ -363,13 +211,13 @@ class VariableMemoryLocation extends TVariableMemoryLocation, AllocationMemoryLo
   final override Language::LanguageType getType() {
     if
       strictcount(Language::LanguageType accessType |
-        hasResultMemoryAccess(_, _, var, type, accessType, startBitOffset, endBitOffset, _, false) or
-        hasOperandMemoryAccess(_, _, var, type, accessType, startBitOffset, endBitOffset, _, false)
+        hasResultMemoryAccess(_, var, type, accessType, startBitOffset, endBitOffset, _) or
+        hasOperandMemoryAccess(_, var, type, accessType, startBitOffset, endBitOffset, _)
       ) = 1
     then
       // All of the accesses have the same `LanguageType`, so just use that.
-      hasResultMemoryAccess(_, _, var, type, result, startBitOffset, endBitOffset, _, false) or
-      hasOperandMemoryAccess(_, _, var, type, result, startBitOffset, endBitOffset, _, false)
+      hasResultMemoryAccess(_, var, type, result, startBitOffset, endBitOffset, _) or
+      hasOperandMemoryAccess(_, var, type, result, startBitOffset, endBitOffset, _)
     else
       // There is no single type for all accesses, so just use the canonical one for this `IRType`.
       result = type.getCanonicalLanguageType()
@@ -399,89 +247,6 @@ class VariableMemoryLocation extends TVariableMemoryLocation, AllocationMemoryLo
   }
 }
 
-/**
- * A group of allocations represented as a single memory location.
- *
- * If `isAll()` holds then this memory location represents all the enclosing
- * allocations, and if `isSome()` holds then this memory location represents
- * one or more of the enclosing allocations.
- *
- * For example, consider the following snippet:
- * ```
- * int* p;
- * int a, b;
- * if(b) {
- *   p = &a;
- * } else {
- *   p = &b;
- * }
- * *p = 42;
- * ```
- *
- * The write memory location associated with the write to `*p` writes to a
- * grouped memory location representing the _some_ allocation in the set
- * `{a, b}`, and the subsequent `Chi` instruction merges the new value of
- * `{a, b}` into a memory location that represents _all_ of the allocations
- * in the set.
- */
-class GroupedMemoryLocation extends TGroupedMemoryLocation, MemoryLocation {
-  VariableGroup vg;
-  boolean isMayAccess;
-  boolean isAll;
-
-  GroupedMemoryLocation() { this = TGroupedMemoryLocation(vg, isMayAccess, isAll) }
-
-  final override Location getLocation() { result = vg.getLocation() }
-
-  final override IRFunction getIRFunction() { result = vg.getIRFunction() }
-
-  final override predicate isMayAccess() { isMayAccess = true }
-
-  final override string getUniqueId() {
-    if this.isAll()
-    then result = "All{" + strictconcat(vg.getAnAllocation().getUniqueId(), ", ") + "}"
-    else result = "Some{" + strictconcat(vg.getAnAllocation().getUniqueId(), ", ") + "}"
-  }
-
-  final override string toStringInternal() { result = this.getUniqueId() }
-
-  final override Language::LanguageType getType() { result = vg.getType() }
-
-  final override VirtualVariable getVirtualVariable() {
-    if allocationEscapes(this.getAnAllocation())
-    then result = TAllAliasedMemory(vg.getIRFunction(), false)
-    else result = TGroupedMemoryLocation(vg, false, true)
-  }
-
-  /** Gets an allocation of this memory location. */
-  override Allocation getAnAllocation() { result = vg.getAnAllocation() }
-
-  /** Gets the set of allocations associated with this memory location. */
-  VariableGroup getGroup() { result = vg }
-
-  /** Holds if this memory location represents all the enclosing allocations. */
-  predicate isAll() { isAll = true }
-
-  /** Holds if this memory location represents one or more of the enclosing allocations. */
-  predicate isSome() { isAll = false }
-}
-
-private GroupedMemoryLocation getGroupedMemoryLocation(
-  Allocation alloc, boolean isMayAccess, boolean isAll
-) {
-  result.getAnAllocation() = alloc and
-  (
-    isMayAccess = true and result.isMayAccess()
-    or
-    isMayAccess = false and not result.isMayAccess()
-  ) and
-  (
-    isAll = true and result.isAll()
-    or
-    isAll = false and result.isSome()
-  )
-}
-
 class EntireAllocationMemoryLocation extends TEntireAllocationMemoryLocation,
   AllocationMemoryLocation
 {
@@ -517,14 +282,6 @@ class VariableVirtualVariable extends VariableMemoryLocation, VirtualVariable {
   }
 }
 
-class GroupedVirtualVariable extends GroupedMemoryLocation, VirtualVariable {
-  GroupedVirtualVariable() {
-    forex(Allocation var | var = this.getAnAllocation() | not allocationEscapes(var)) and
-    not this.isMayAccess() and
-    this.isAll()
-  }
-}
-
 /**
  * An access to memory that is not known to be confined to a specific `IRVariable`.
  */
@@ -689,7 +446,7 @@ private Overlap getExtentOverlap(MemoryLocation def, MemoryLocation use) {
       result instanceof MustExactlyOverlap
       or
       not use instanceof EntireAllocationMemoryLocation and
-      if def.getAnAllocation() = use.getAnAllocation()
+      if def.getAllocation() = use.getAllocation()
       then
         // EntireAllocationMemoryLocation totally overlaps any location within
         // the same allocation.
@@ -697,48 +454,11 @@ private Overlap getExtentOverlap(MemoryLocation def, MemoryLocation use) {
       else (
         // There is no overlap with a location that's known to belong to a
         // different allocation, but all other locations may partially overlap.
-        not exists(use.getAnAllocation()) and
+        not exists(use.getAllocation()) and
         result instanceof MayPartiallyOverlap
       )
     )
     or
-    exists(GroupedMemoryLocation group |
-      group = def and
-      def.getVirtualVariable() = use.getVirtualVariable()
-    |
-      (
-        use instanceof UnknownMemoryLocation or
-        use instanceof AllAliasedMemory
-      ) and
-      result instanceof MayPartiallyOverlap
-      or
-      group.isAll() and
-      (
-        group.getAnAllocation() =
-          [
-            use.(EntireAllocationMemoryLocation).getAnAllocation(),
-            use.(VariableMemoryLocation).getAnAllocation()
-          ]
-        or
-        use.(GroupedMemoryLocation).isSome()
-      ) and
-      result instanceof MustTotallyOverlap
-      or
-      group.isAll() and
-      use.(GroupedMemoryLocation).isAll() and
-      result instanceof MustExactlyOverlap
-      or
-      group.isSome() and
-      (
-        use instanceof EntireAllocationMemoryLocation
-        or
-        use instanceof VariableMemoryLocation
-        or
-        use instanceof GroupedMemoryLocation
-      ) and
-      result instanceof MayPartiallyOverlap
-    )
-    or
     exists(VariableMemoryLocation defVariableLocation |
       defVariableLocation = def and
       (
@@ -748,8 +468,7 @@ private Overlap getExtentOverlap(MemoryLocation def, MemoryLocation use) {
         (
           use instanceof UnknownMemoryLocation or
           use instanceof AllAliasedMemory or
-          use instanceof EntireAllocationMemoryLocation or
-          use instanceof GroupedMemoryLocation
+          use instanceof EntireAllocationMemoryLocation
         ) and
         result instanceof MayPartiallyOverlap
         or
@@ -815,7 +534,7 @@ private predicate isCoveredOffset(Allocation var, int offsetRank, VariableMemory
   exists(int startRank, int endRank, VirtualVariable vvar |
     vml.getStartBitOffset() = rank[startRank](IntValue offset_ | isRelevantOffset(vvar, offset_)) and
     vml.getEndBitOffset() = rank[endRank](IntValue offset_ | isRelevantOffset(vvar, offset_)) and
-    var = vml.getAnAllocation() and
+    var = vml.getAllocation() and
     vvar = vml.getVirtualVariable() and
     isRelatableMemoryLocation(vml) and
     offsetRank in [startRank .. endRank]
@@ -823,7 +542,7 @@ private predicate isCoveredOffset(Allocation var, int offsetRank, VariableMemory
 }
 
 private predicate hasUnknownOffset(Allocation var, VariableMemoryLocation vml) {
-  vml.getAnAllocation() = var and
+  vml.getAllocation() = var and
   (
     vml.getStartBitOffset() = Ints::unknown() or
     vml.getEndBitOffset() = Ints::unknown()
@@ -838,9 +557,9 @@ private predicate overlappingIRVariableMemoryLocations(
     isCoveredOffset(var, offsetRank, use)
   )
   or
-  hasUnknownOffset(use.getAnAllocation(), def)
+  hasUnknownOffset(use.getAllocation(), def)
   or
-  hasUnknownOffset(def.getAnAllocation(), use)
+  hasUnknownOffset(def.getAllocation(), use)
 }
 
 private Overlap getVariableMemoryLocationOverlap(
@@ -869,24 +588,13 @@ MemoryLocation getResultMemoryLocation(Instruction instr) {
     (
       (
         isIndirectOrBufferMemoryAccess(kind) and
-        if hasResultMemoryAccess(_, instr, _, _, _, _, _, _, _)
+        if hasResultMemoryAccess(instr, _, _, _, _, _, _)
         then
-          exists(
-            Allocation var, IRType type, IntValue startBitOffset, IntValue endBitOffset,
-            boolean grouped
-          |
-            hasResultMemoryAccess(_, instr, var, type, _, startBitOffset, endBitOffset, isMayAccess,
-              grouped)
-          |
-            // If the instruction is only associated with one allocation we assign it a `VariableMemoryLocation`
-            if grouped = false
-            then
-              result =
-                TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset,
-                  unbindBool(isMayAccess))
-            else
-              // And otherwise we assign it a memory location that groups all the relevant memory locations into one.
-              result = getGroupedMemoryLocation(var, unbindBool(isMayAccess), false)
+          exists(Allocation var, IRType type, IntValue startBitOffset, IntValue endBitOffset |
+            hasResultMemoryAccess(instr, var, type, _, startBitOffset, endBitOffset, isMayAccess) and
+            result =
+              TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset,
+                unbindBool(isMayAccess))
           )
         else result = TUnknownMemoryLocation(instr.getEnclosingIRFunction(), isMayAccess)
       )
@@ -913,23 +621,12 @@ MemoryLocation getOperandMemoryLocation(MemoryOperand operand) {
     (
       (
         isIndirectOrBufferMemoryAccess(kind) and
-        if hasOperandMemoryAccess(_, operand, _, _, _, _, _, _, _)
+        if hasOperandMemoryAccess(operand, _, _, _, _, _, _)
         then
-          exists(
-            Allocation var, IRType type, IntValue startBitOffset, IntValue endBitOffset,
-            boolean grouped
-          |
-            hasOperandMemoryAccess(_, operand, var, type, _, startBitOffset, endBitOffset,
-              isMayAccess, grouped)
-          |
-            // If the operand is only associated with one memory location we assign it a `VariableMemoryLocation`
-            if grouped = false
-            then
-              result =
-                TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset, isMayAccess)
-            else
-              // And otherwise we assign it a memory location that groups all relevant memory locations into one.
-              result = getGroupedMemoryLocation(var, isMayAccess, false)
+          exists(Allocation var, IRType type, IntValue startBitOffset, IntValue endBitOffset |
+            hasOperandMemoryAccess(operand, var, type, _, startBitOffset, endBitOffset, isMayAccess) and
+            result =
+              TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset, isMayAccess)
           )
         else result = TUnknownMemoryLocation(operand.getEnclosingIRFunction(), isMayAccess)
       )

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -15,51 +15,6 @@ private class OldInstruction = Reachability::ReachableInstruction;
 
 import Cached
 
-/**
- * Holds if `instruction` is the first instruction that may be followed by
- * an `UninitializedGroup` instruction, and the enclosing function of
- * `instruction` is `func`.
- */
-private predicate isFirstInstructionBeforeUninitializedGroup(
-  Instruction instruction, IRFunction func
-) {
-  instruction = getChi(any(OldIR::InitializeNonLocalInstruction init)) and
-  func = instruction.getEnclosingIRFunction()
-}
-
-/** Gets the `i`'th `UninitializedGroup` instruction in `func`. */
-private UninitializedGroupInstruction getInitGroupInstruction(int i, IRFunction func) {
-  exists(Alias::VariableGroup vg |
-    vg.getIRFunction() = func and
-    vg.getInitializationOrder() = i and
-    result = uninitializedGroup(vg)
-  )
-}
-
-/**
- * Holds if `instruction` is the last instruction in the chain of `UninitializedGroup`
- * instructions in `func`. The chain of instructions may be empty in which case
- * `instruction` satisfies
- * ```
- * isFirstInstructionBeforeUninitializedGroup(instruction, func)
- * ```
- */
-predicate isLastInstructionForUninitializedGroups(Instruction instruction, IRFunction func) {
-  exists(int i |
-    instruction = getInitGroupInstruction(i, func) and
-    not exists(getChi(instruction)) and
-    not exists(getInitGroupInstruction(i + 1, func))
-  )
-  or
-  exists(int i |
-    instruction = getChi(getInitGroupInstruction(i, func)) and
-    not exists(getInitGroupInstruction(i + 1, func))
-  )
-  or
-  isFirstInstructionBeforeUninitializedGroup(instruction, func) and
-  not exists(getInitGroupInstruction(0, func))
-}
-
 cached
 private module Cached {
   cached
@@ -77,11 +32,6 @@ private module Cached {
     hasChiNode(_, primaryInstruction)
   }
 
-  cached
-  predicate hasChiNodeAfterUninitializedGroup(UninitializedGroupInstruction initGroup) {
-    hasChiNodeAfterUninitializedGroup(_, initGroup)
-  }
-
   cached
   predicate hasUnreachedInstructionCached(IRFunction irFunc) {
     exists(OldIR::Instruction oldInstruction |
@@ -95,8 +45,7 @@ private module Cached {
   }
 
   class TStageInstruction =
-    TRawInstruction or TPhiInstruction or TChiInstruction or TUnreachedInstruction or
-        TUninitializedGroupInstruction;
+    TRawInstruction or TPhiInstruction or TChiInstruction or TUnreachedInstruction;
 
   /**
    * If `oldInstruction` is a `Phi` instruction that has exactly one reachable predecessor block,
@@ -129,8 +78,6 @@ private module Cached {
     or
     instr instanceof TChiInstruction
     or
-    instr instanceof TUninitializedGroupInstruction
-    or
     instr instanceof TUnreachedInstruction
   }
 
@@ -176,8 +123,7 @@ private module Cached {
   predicate hasModeledMemoryResult(Instruction instruction) {
     canModelResultForOldInstruction(getOldInstruction(instruction)) or
     instruction instanceof PhiInstruction or // Phis always have modeled results
-    instruction instanceof ChiInstruction or // Chis always have modeled results
-    instruction instanceof UninitializedGroupInstruction // Group initializers always have modeled results
+    instruction instanceof ChiInstruction // Chis always have modeled results
   }
 
   cached
@@ -188,23 +134,16 @@ private module Cached {
     or
     // Chi instructions track virtual variables, and therefore a chi instruction is
     // conflated if it's associated with the aliased virtual variable.
-    exists(Instruction input | instruction = getChi(input) |
-      Alias::getResultMemoryLocation(input).getVirtualVariable() instanceof
+    exists(OldInstruction oldInstruction | instruction = getChi(oldInstruction) |
+      Alias::getResultMemoryLocation(oldInstruction).getVirtualVariable() instanceof
         Alias::AliasedVirtualVariable
-      or
-      // A chi following an `UninitializedGroupInstruction` only happens when the virtual
-      // variable of the grouped memory location is `{AllAliasedMemory}`.
-      exists(Alias::GroupedMemoryLocation gml |
-        input = uninitializedGroup(gml.getGroup()) and
-        gml.getVirtualVariable() instanceof Alias::AliasedVirtualVariable
-      )
     )
     or
     // Phi instructions track locations, and therefore a phi instruction is
     // conflated if it's associated with a conflated location.
     exists(Alias::MemoryLocation location |
       instruction = getPhi(_, location) and
-      not exists(location.getAnAllocation())
+      not exists(location.getAllocation())
     )
   }
 
@@ -266,11 +205,7 @@ private module Cached {
       hasMemoryOperandDefinition(oldInstruction, oldOperand, overlap, result)
     )
     or
-    (
-      instruction = getChi(getOldInstruction(result))
-      or
-      instruction = getChi(result.(UninitializedGroupInstruction))
-    ) and
+    instruction = getChi(getOldInstruction(result)) and
     tag instanceof ChiPartialOperandTag and
     overlap instanceof MustExactlyOverlap
     or
@@ -328,14 +263,6 @@ private module Cached {
     )
   }
 
-  cached
-  IRVariable getAnUninitializedGroupVariable(UninitializedGroupInstruction init) {
-    exists(Alias::VariableGroup vg |
-      init = uninitializedGroup(vg) and
-      result = vg.getAnAllocation().getABaseInstruction().(VariableInstruction).getIRVariable()
-    )
-  }
-
   /**
    * Holds if `instr` is part of a cycle in the operand graph that doesn't go
    * through a phi instruction and therefore should be impossible.
@@ -389,19 +316,6 @@ private module Cached {
     result = getNewPhiOperandDefinitionFromOldSsa(instr, newPredecessorBlock, overlap)
   }
 
-  private ChiInstruction getChiAfterUninitializedGroup(int i, IRFunction func) {
-    result =
-      rank[i + 1](VariableGroup vg, UninitializedGroupInstruction initGroup, ChiInstruction chi,
-        int r |
-        initGroup.getEnclosingIRFunction() = func and
-        chi = getChi(initGroup) and
-        initGroup = uninitializedGroup(vg) and
-        r = vg.getInitializationOrder()
-      |
-        chi order by r
-      )
-  }
-
   cached
   Instruction getChiInstructionTotalOperand(ChiInstruction chiInstr) {
     exists(
@@ -415,19 +329,6 @@ private module Cached {
       definitionReachesUse(vvar, defBlock, defRank, useBlock, useRank) and
       result = getDefinitionOrChiInstruction(defBlock, defOffset, vvar, _)
     )
-    or
-    exists(UninitializedGroupInstruction initGroup, IRFunction func |
-      chiInstr = getChi(initGroup) and
-      func = initGroup.getEnclosingIRFunction()
-    |
-      chiInstr = getChiAfterUninitializedGroup(0, func) and
-      isFirstInstructionBeforeUninitializedGroup(result, func)
-      or
-      exists(int i |
-        chiInstr = getChiAfterUninitializedGroup(i + 1, func) and
-        result = getChiAfterUninitializedGroup(i, func)
-      )
-    )
   }
 
   cached
@@ -443,40 +344,14 @@ private module Cached {
     )
   }
 
-  private UninitializedGroupInstruction firstInstructionToUninitializedGroup(
-    Instruction instruction, EdgeKind kind
-  ) {
-    exists(IRFunction func |
-      isFirstInstructionBeforeUninitializedGroup(instruction, func) and
-      result = getInitGroupInstruction(0, func) and
-      kind instanceof GotoEdge
-    )
-  }
+  /*
+   * This adds Chi nodes to the instruction successor relation; if an instruction has a Chi node,
+   * that node is its successor in the new successor relation, and the Chi node's successors are
+   * the new instructions generated from the successors of the old instruction
+   */
 
-  private Instruction getNextUninitializedGroupInstruction(Instruction instruction, EdgeKind kind) {
-    exists(int i, IRFunction func |
-      func = instruction.getEnclosingIRFunction() and
-      instruction = getInitGroupInstruction(i, func) and
-      kind instanceof GotoEdge
-    |
-      if hasChiNodeAfterUninitializedGroup(_, instruction)
-      then result = getChi(instruction)
-      else result = getInitGroupInstruction(i + 1, func)
-    )
-    or
-    exists(int i, IRFunction func, UninitializedGroupInstruction initGroup |
-      func = instruction.getEnclosingIRFunction() and
-      instruction = getChi(initGroup) and
-      initGroup = getInitGroupInstruction(i, func) and
-      kind instanceof GotoEdge
-    |
-      result = getInitGroupInstruction(i + 1, func)
-    )
-  }
-
-  private Instruction getInstructionSuccessorAfterUninitializedGroup0(
-    Instruction instruction, EdgeKind kind
-  ) {
+  cached
+  Instruction getInstructionSuccessor(Instruction instruction, EdgeKind kind) {
     if hasChiNode(_, getOldInstruction(instruction))
     then
       result = getChi(getOldInstruction(instruction)) and
@@ -496,107 +371,6 @@ private module Cached {
       )
   }
 
-  private Instruction getInstructionSuccessorAfterUninitializedGroup(
-    Instruction instruction, EdgeKind kind
-  ) {
-    exists(IRFunction func, Instruction firstBeforeUninitializedGroup |
-      isLastInstructionForUninitializedGroups(instruction, func) and
-      isFirstInstructionBeforeUninitializedGroup(firstBeforeUninitializedGroup, func) and
-      result = getInstructionSuccessorAfterUninitializedGroup0(firstBeforeUninitializedGroup, kind)
-    )
-  }
-
-  /**
-   * This adds Chi nodes to the instruction successor relation; if an instruction has a Chi node,
-   * that node is its successor in the new successor relation, and the Chi node's successors are
-   * the new instructions generated from the successors of the old instruction.
-   *
-   * Furthermore, the entry block is augmented with `UninitializedGroup` instructions and `Chi`
-   * instructions. For example, consider this example:
-   * ```cpp
-   * int x, y;
-   * int* p;
-   * if(b) {
-   *   p = &x;
-   *   escape(&x);
-   * } else {
-   *   p = &y;
-   * }
-   * *p = 42;
-   *
-   * int z, w;
-   * int* q;
-   * if(b) {
-   *   q = &z;
-   * } else {
-   *   q = &w;
-   * }
-   * *q = 43;
-   * ```
-   *
-   * the unaliased IR for the entry block of this snippet is:
-   * ```
-   * v1(void)         = EnterFunction          :
-   * m1(unknown)      = AliasedDefinition      :
-   * m2(unknown)      = InitializeNonLocal     :
-   * r1(glval<bool>)  = VariableAddress[b]     :
-   * m3(bool)         = InitializeParameter[b] : &:r1
-   * r2(glval<int>)   = VariableAddress[x]     :
-   * m4(int)          = Uninitialized[x]       : &:r2
-   * r3(glval<int>)   = VariableAddress[y]     :
-   * m5(int)          = Uninitialized[y]       : &:r3
-   * r4(glval<int *>) = VariableAddress[p]     :
-   * m6(int *)        = Uninitialized[p]       : &:r4
-   * r5(glval<bool>)  = VariableAddress[b]     :
-   * r6(bool)         = Load[b]                : &:r5, m3
-   * v2(void)         = ConditionalBranch      : r6
-   * ```
-   * and we need to transform this to aliased IR by inserting an `UninitializedGroup`
-   * instruction for every `VariableGroup` memory location in the function. Furthermore,
-   * if the `VariableGroup` memory location contains an allocation that escapes we need
-   * to insert a `Chi` that writes the memory produced by `UninitializedGroup` into
-   * `{AllAliasedMemory}`. For the above snippet we then end up with:
-   * ```
-   * v1(void)         = EnterFunction           :
-   * m2(unknown)      = AliasedDefinition       :
-   * m3(unknown)      = InitializeNonLocal      :
-   * m4(unknown)      = Chi                     : total:m2, partial:m3
-   * m5(int)          = UninitializedGroup[x,y] :
-   * m6(unknown)      = Chi                     : total:m4, partial:m5
-   * m7(int)          = UninitializedGroup[w,z] :
-   * r1(glval<bool>)  = VariableAddress[b]      :
-   * m8(bool)         = InitializeParameter[b]  : &:r1
-   * r2(glval<int>)   = VariableAddress[x]      :
-   * m10(int)         = Uninitialized[x]       : &:r2
-   * m11(unknown)     = Chi                    : total:m6, partial:m10
-   * r3(glval<int>)   = VariableAddress[y]      :
-   * m12(int)         = Uninitialized[y]       : &:r3
-   * m13(unknown)     = Chi                    : total:m11, partial:m12
-   * r4(glval<int *>) = VariableAddress[p]      :
-   * m14(int *)       = Uninitialized[p]       : &:r4
-   * r5(glval<bool>)  = VariableAddress[b]      :
-   * r6(bool)         = Load[b]                 : &:r5, m8
-   * v2(void)         = ConditionalBranch       : r6
-   * ```
-   *
-   * Here, the group `{x, y}` contains an allocation that escapes (`x`), so there
-   * is a `Chi` after the `UninitializedGroup` that initializes the memory for the
-   * `VariableGroup` containing `x`. None of the allocations in `{w, z}` escape so
-   * there is no `Chi` following that the `UninitializedGroup` that initializes the
-   * memory of `{w, z}`.
-   */
-  cached
-  Instruction getInstructionSuccessor(Instruction instruction, EdgeKind kind) {
-    result = firstInstructionToUninitializedGroup(instruction, kind)
-    or
-    result = getNextUninitializedGroupInstruction(instruction, kind)
-    or
-    result = getInstructionSuccessorAfterUninitializedGroup(instruction, kind)
-    or
-    not isFirstInstructionBeforeUninitializedGroup(instruction, _) and
-    result = getInstructionSuccessorAfterUninitializedGroup0(instruction, kind)
-  }
-
   cached
   Instruction getInstructionBackEdgeSuccessor(Instruction instruction, EdgeKind kind) {
     exists(OldInstruction oldInstruction |
@@ -632,16 +406,6 @@ private module Cached {
     exists(IRFunctionBase irFunc |
       instr = unreachedInstruction(irFunc) and result = irFunc.getFunction()
     )
-    or
-    exists(Alias::VariableGroup vg |
-      instr = uninitializedGroup(vg) and
-      result = vg.getIRFunction().getFunction()
-    )
-    or
-    exists(UninitializedGroupInstruction initGroup |
-      instr = chiInstruction(initGroup) and
-      result = getInstructionAst(initGroup)
-    )
   }
 
   cached
@@ -654,16 +418,9 @@ private module Cached {
     )
     or
     exists(Instruction primaryInstr, Alias::VirtualVariable vvar |
-      instr = chiInstruction(primaryInstr) and result = vvar.getType()
-    |
-      hasChiNode(vvar, primaryInstr)
-      or
-      hasChiNodeAfterUninitializedGroup(vvar, primaryInstr)
-    )
-    or
-    exists(Alias::VariableGroup vg |
-      instr = uninitializedGroup(vg) and
-      result = vg.getType()
+      instr = chiInstruction(primaryInstr) and
+      hasChiNode(vvar, primaryInstr) and
+      result = vvar.getType()
     )
     or
     instr = reusedPhiInstruction(_) and
@@ -691,8 +448,6 @@ private module Cached {
     or
     instr = chiInstruction(_) and opcode instanceof Opcode::Chi
     or
-    instr = uninitializedGroup(_) and opcode instanceof Opcode::UninitializedGroup
-    or
     instr = unreachedInstruction(_) and opcode instanceof Opcode::Unreached
   }
 
@@ -705,15 +460,10 @@ private module Cached {
       result = blockStartInstr.getEnclosingIRFunction()
     )
     or
-    exists(Instruction primaryInstr |
+    exists(OldInstruction primaryInstr |
       instr = chiInstruction(primaryInstr) and result = primaryInstr.getEnclosingIRFunction()
     )
     or
-    exists(Alias::VariableGroup vg |
-      instr = uninitializedGroup(vg) and
-      result = vg.getIRFunction()
-    )
-    or
     instr = unreachedInstruction(result)
   }
 
@@ -728,8 +478,6 @@ private module Cached {
       instruction = getChi(oldInstruction) and
       result = getNewInstruction(oldInstruction)
     )
-    or
-    instruction = getChi(result.(UninitializedGroupInstruction))
   }
 }
 
@@ -737,7 +485,7 @@ private Instruction getNewInstruction(OldInstruction instr) { getOldInstruction(
 
 private OldInstruction getOldInstruction(Instruction instr) { instr = result }
 
-private ChiInstruction getChi(Instruction primaryInstr) { result = chiInstruction(primaryInstr) }
+private ChiInstruction getChi(OldInstruction primaryInstr) { result = chiInstruction(primaryInstr) }
 
 private PhiInstruction getPhi(OldBlock defBlock, Alias::MemoryLocation defLocation) {
   result = phiInstruction(defBlock.getFirstInstruction(), defLocation)
@@ -758,16 +506,6 @@ private predicate hasChiNode(Alias::VirtualVariable vvar, OldInstruction def) {
   )
 }
 
-private predicate hasChiNodeAfterUninitializedGroup(
-  Alias::AliasedVirtualVariable vvar, UninitializedGroupInstruction initGroup
-) {
-  exists(Alias::GroupedMemoryLocation defLocation |
-    initGroup = uninitializedGroup(defLocation.getGroup()) and
-    defLocation.getVirtualVariable() = vvar and
-    Alias::getOverlap(defLocation, vvar) instanceof MayPartiallyOverlap
-  )
-}
-
 private import PhiInsertion
 
 /**
@@ -930,33 +668,19 @@ private import DefUse
  * potentially very sparse.
  */
 module DefUse {
-  bindingset[index, block]
-  pragma[inline_late]
-  private int getNonChiOffset(int index, OldBlock block) {
-    exists(IRFunction func | func = block.getEnclosingIRFunction() |
-      if
-        getNewBlock(block) = func.getEntryBlock() and
-        not block.getInstruction(index) instanceof InitializeNonLocalInstruction and
-        not block.getInstruction(index) instanceof AliasedDefinitionInstruction
-      then result = 2 * (index + count(VariableGroup vg | vg.getIRFunction() = func))
-      else result = 2 * index
-    )
-  }
-
-  bindingset[index, block]
-  pragma[inline_late]
-  private int getChiOffset(int index, OldBlock block) { result = getNonChiOffset(index, block) + 1 }
-
   /**
    * Gets the `Instruction` for the definition at offset `defOffset` in block `defBlock`.
    */
-  private Instruction getDefinitionOrChiInstruction0(
+  Instruction getDefinitionOrChiInstruction(
     OldBlock defBlock, int defOffset, Alias::MemoryLocation defLocation,
     Alias::MemoryLocation actualDefLocation
   ) {
-    exists(OldInstruction oldInstr, int oldOffset | oldInstr = defBlock.getInstruction(oldOffset) |
+    exists(OldInstruction oldInstr, int oldOffset |
+      oldInstr = defBlock.getInstruction(oldOffset) and
+      oldOffset >= 0
+    |
       // An odd offset corresponds to the `Chi` instruction.
-      defOffset = getChiOffset(oldOffset, defBlock) and
+      defOffset = oldOffset * 2 + 1 and
       result = getChi(oldInstr) and
       (
         defLocation = Alias::getResultMemoryLocation(oldInstr) or
@@ -965,7 +689,7 @@ module DefUse {
       actualDefLocation = defLocation.getVirtualVariable()
       or
       // An even offset corresponds to the original instruction.
-      defOffset = getNonChiOffset(oldOffset, defBlock) and
+      defOffset = oldOffset * 2 and
       result = getNewInstruction(oldInstr) and
       (
         defLocation = Alias::getResultMemoryLocation(oldInstr) or
@@ -978,54 +702,6 @@ module DefUse {
     hasDefinition(_, defLocation, defBlock, defOffset) and
     result = getPhi(defBlock, defLocation) and
     actualDefLocation = defLocation
-    or
-    exists(
-      Alias::VariableGroup vg, int index, UninitializedGroupInstruction initGroup,
-      Alias::GroupedMemoryLocation gml
-    |
-      // Add 3 to account for the function prologue:
-      // v1(void)    = EnterFunction
-      // m1(unknown) = AliasedDefinition
-      // m2(unknown) = InitializeNonLocal
-      index = 3 + vg.getInitializationOrder() and
-      not gml.isMayAccess() and
-      gml.isSome() and
-      gml.getGroup() = vg and
-      vg.getIRFunction().getEntryBlock() = defBlock and
-      initGroup = uninitializedGroup(vg) and
-      (defLocation = gml or defLocation = gml.getVirtualVariable())
-    |
-      result = initGroup and
-      defOffset = 2 * index and
-      actualDefLocation = defLocation
-      or
-      result = getChi(initGroup) and
-      defOffset = 2 * index + 1 and
-      actualDefLocation = defLocation.getVirtualVariable()
-    )
-  }
-
-  private ChiInstruction remapGetDefinitionOrChiInstruction(Instruction oldResult) {
-    exists(IRFunction func |
-      isFirstInstructionBeforeUninitializedGroup(oldResult, func) and
-      isLastInstructionForUninitializedGroups(result, func)
-    )
-  }
-
-  Instruction getDefinitionOrChiInstruction(
-    OldBlock defBlock, int defOffset, Alias::MemoryLocation defLocation,
-    Alias::MemoryLocation actualDefLocation
-  ) {
-    exists(Instruction oldResult |
-      oldResult =
-        getDefinitionOrChiInstruction0(defBlock, defOffset, defLocation, actualDefLocation) and
-      (
-        result = remapGetDefinitionOrChiInstruction(oldResult)
-        or
-        not exists(remapGetDefinitionOrChiInstruction(oldResult)) and
-        result = oldResult
-      )
-    )
   }
 
   /**
@@ -1166,20 +842,8 @@ module DefUse {
       block.getInstruction(index) = def and
       overlap = Alias::getOverlap(defLocation, useLocation) and
       if overlap instanceof MayPartiallyOverlap
-      then offset = getChiOffset(index, block) // The use will be connected to the definition on the `Chi` instruction.
-      else offset = getNonChiOffset(index, block) // The use will be connected to the definition on the original instruction.
-    )
-    or
-    exists(UninitializedGroupInstruction initGroup, int index, Overlap overlap, VariableGroup vg |
-      initGroup.getEnclosingIRFunction().getEntryBlock() = getNewBlock(block) and
-      vg = defLocation.(Alias::GroupedMemoryLocation).getGroup() and
-      // EnterFunction + AliasedDefinition + InitializeNonLocal + index
-      index = 3 + vg.getInitializationOrder() and
-      initGroup = uninitializedGroup(vg) and
-      overlap = Alias::getOverlap(defLocation, useLocation) and
-      if overlap instanceof MayPartiallyOverlap and hasChiNodeAfterUninitializedGroup(initGroup)
-      then offset = 2 * index + 1 // The use will be connected to the definition on the `Chi` instruction.
-      else offset = 2 * index // The use will be connected to the definition on the original instruction.
+      then offset = (index * 2) + 1 // The use will be connected to the definition on the `Chi` instruction.
+      else offset = index * 2 // The use will be connected to the definition on the original instruction.
     )
   }
 
@@ -1240,11 +904,10 @@ module DefUse {
       block.getInstruction(index) = use and
       (
         // A direct use of the location.
-        useLocation = Alias::getOperandMemoryLocation(use.getAnOperand()) and
-        offset = getNonChiOffset(index, block)
+        useLocation = Alias::getOperandMemoryLocation(use.getAnOperand()) and offset = index * 2
         or
         // A `Chi` instruction will include a use of the virtual variable.
-        hasChiNode(useLocation, use) and offset = getChiOffset(index, block)
+        hasChiNode(useLocation, use) and offset = (index * 2) + 1
       )
     )
   }
@@ -1394,9 +1057,5 @@ module Ssa {
 
   predicate hasChiInstruction = Cached::hasChiInstructionCached/1;
 
-  predicate hasChiNodeAfterUninitializedGroup = Cached::hasChiNodeAfterUninitializedGroup/1;
-
   predicate hasUnreachedInstruction = Cached::hasUnreachedInstructionCached/1;
-
-  class VariableGroup = Alias::VariableGroup;
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll

@@ -31,7 +31,6 @@ newtype TInstruction =
   TUnaliasedSsaUnreachedInstruction(IRFunctionBase irFunc) {
     UnaliasedSsa::Ssa::hasUnreachedInstruction(irFunc)
   } or
-  TUnaliasedSsaUninitializedGroupInstruction(UnaliasedSsa::Ssa::VariableGroup vg) or
   TAliasedSsaPhiInstruction(
     TRawInstruction blockStartInstr, AliasedSsa::Ssa::MemoryLocation memoryLocation
   ) {
@@ -42,12 +41,6 @@ newtype TInstruction =
   } or
   TAliasedSsaUnreachedInstruction(IRFunctionBase irFunc) {
     AliasedSsa::Ssa::hasUnreachedInstruction(irFunc)
-  } or
-  TAliasedSsaUninitializedGroupInstruction(AliasedSsa::Ssa::VariableGroup vg) or
-  TAliasedSsaChiAfterUninitializedGroupInstruction(
-    TAliasedSsaUninitializedGroupInstruction initGroup
-  ) {
-    AliasedSsa::Ssa::hasChiNodeAfterUninitializedGroup(initGroup)
   }
 
 /**
@@ -69,11 +62,7 @@ module UnaliasedSsaInstructions {
 
   class TChiInstruction = TUnaliasedSsaChiInstruction;
 
-  class TUninitializedGroupInstruction = TUnaliasedSsaUninitializedGroupInstruction;
-
-  class TRawOrUninitializedGroupInstruction = TRawInstruction or TUninitializedGroupInstruction;
-
-  TChiInstruction chiInstruction(TRawOrUninitializedGroupInstruction primaryInstruction) {
+  TChiInstruction chiInstruction(TRawInstruction primaryInstruction) {
     result = TUnaliasedSsaChiInstruction(primaryInstruction)
   }
 
@@ -82,12 +71,6 @@ module UnaliasedSsaInstructions {
   TUnreachedInstruction unreachedInstruction(IRFunctionBase irFunc) {
     result = TUnaliasedSsaUnreachedInstruction(irFunc)
   }
-
-  class VariableGroup = UnaliasedSsa::Ssa::VariableGroup;
-
-  // This really should just be `TUnaliasedSsaUninitializedGroupInstruction`, but that makes the
-  // compiler realize that certain expressions in `SSAConstruction` are unsatisfiable.
-  TRawOrUninitializedGroupInstruction uninitializedGroup(VariableGroup vg) { none() }
 }
 
 /**
@@ -109,16 +92,10 @@ module AliasedSsaInstructions {
     result = TUnaliasedSsaPhiInstruction(blockStartInstr, _)
   }
 
-  class TChiInstruction =
-    TAliasedSsaChiInstruction or TAliasedSsaChiAfterUninitializedGroupInstruction;
+  class TChiInstruction = TAliasedSsaChiInstruction;
 
-  class TRawOrInitialzieGroupInstruction =
-    TRawInstruction or TAliasedSsaUninitializedGroupInstruction;
-
-  TChiInstruction chiInstruction(TRawOrInitialzieGroupInstruction primaryInstruction) {
+  TChiInstruction chiInstruction(TRawInstruction primaryInstruction) {
     result = TAliasedSsaChiInstruction(primaryInstruction)
-    or
-    result = TAliasedSsaChiAfterUninitializedGroupInstruction(primaryInstruction)
   }
 
   class TUnreachedInstruction = TAliasedSsaUnreachedInstruction;
@@ -126,12 +103,4 @@ module AliasedSsaInstructions {
   TUnreachedInstruction unreachedInstruction(IRFunctionBase irFunc) {
     result = TAliasedSsaUnreachedInstruction(irFunc)
   }
-
-  class VariableGroup = AliasedSsa::Ssa::VariableGroup;
-
-  class TUninitializedGroupInstruction = TAliasedSsaUninitializedGroupInstruction;
-
-  TUninitializedGroupInstruction uninitializedGroup(VariableGroup vg) {
-    result = TAliasedSsaUninitializedGroupInstruction(vg)
-  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll

@@ -12,9 +12,6 @@ private import semmle.code.cpp.ir.internal.Overlap
  * Provides the newtype used to represent operands across all phases of the IR.
  */
 private module Internal {
-  private class TAliasedChiInstruction =
-    TAliasedSsaChiInstruction or TAliasedSsaChiAfterUninitializedGroupInstruction;
-
   /**
    * An IR operand. `TOperand` is shared across all phases of the IR. There are branches of this
    * type for operands created directly from the AST (`TRegisterOperand` and `TNonSSAMemoryOperand`),
@@ -55,7 +52,7 @@ private module Internal {
     ) {
       exists(AliasedConstruction::getPhiOperandDefinition(useInstr, predecessorBlock, overlap))
     } or
-    TAliasedChiOperand(TAliasedChiInstruction useInstr, ChiOperandTag tag) { any() }
+    TAliasedChiOperand(TAliasedSsaChiInstruction useInstr, ChiOperandTag tag) { any() }
 }
 
 /**
@@ -201,13 +198,10 @@ module AliasedSsaOperands {
     )
   }
 
-  private class TChiInstruction =
-    TAliasedSsaChiInstruction or TAliasedSsaChiAfterUninitializedGroupInstruction;
-
   /**
    * Returns the Chi operand with the specified parameters.
    */
-  TChiOperand chiOperand(TChiInstruction useInstr, ChiOperandTag tag) {
+  TChiOperand chiOperand(TAliasedSsaChiInstruction useInstr, ChiOperandTag tag) {
     result = Internal::TAliasedChiOperand(useInstr, tag)
   }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -2142,47 +2142,6 @@ class ChiInstruction extends Instruction {
   final predicate isPartialUpdate() { Construction::chiOnlyPartiallyUpdatesLocation(this) }
 }
 
-/**
- * An instruction that initializes a set of allocations that are each assigned
- * the same "virtual variable".
- *
- * As an example, consider the following snippet:
- * ```
- * int a;
- * int b;
- * int* p;
- * if(b) {
- *   p = &a;
- * } else {
- *   p = &b;
- * }
- * *p = 5;
- * int x = a;
- * ```
- *
- * Since both the address of `a` and `b` reach `p` at `*p = 5` the IR alias
- * analysis will create a region that contains both `a` and `b`. The region
- * containing both `a` and `b` are initialized by an `UninitializedGroup`
- * instruction in the entry block of the enclosing function.
- */
-class UninitializedGroupInstruction extends Instruction {
-  UninitializedGroupInstruction() { this.getOpcode() instanceof Opcode::UninitializedGroup }
-
-  /**
-   * Gets an `IRVariable` whose memory is initialized by this instruction, if any.
-   * Note: Allocations that are not represented as `IRVariable`s (such as
-   * dynamic allocations) are not returned by this predicate even if this
-   * instruction initializes such memory.
-   */
-  final IRVariable getAnIRVariable() {
-    result = Construction::getAnUninitializedGroupVariable(this)
-  }
-
-  final override string getImmediateString() {
-    result = strictconcat(this.getAnIRVariable().toString(), ",")
-  }
-}
-
 /**
  * An instruction representing unreachable code.
  *

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -407,8 +407,6 @@ predicate hasUnreachedInstruction(IRFunction func) {
   )
 }
 
-IRVariable getAnUninitializedGroupVariable(UninitializedGroupInstruction instr) { none() }
-
 import CachedForDebugging
 
 cached

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -2142,47 +2142,6 @@ class ChiInstruction extends Instruction {
   final predicate isPartialUpdate() { Construction::chiOnlyPartiallyUpdatesLocation(this) }
 }
 
-/**
- * An instruction that initializes a set of allocations that are each assigned
- * the same "virtual variable".
- *
- * As an example, consider the following snippet:
- * ```
- * int a;
- * int b;
- * int* p;
- * if(b) {
- *   p = &a;
- * } else {
- *   p = &b;
- * }
- * *p = 5;
- * int x = a;
- * ```
- *
- * Since both the address of `a` and `b` reach `p` at `*p = 5` the IR alias
- * analysis will create a region that contains both `a` and `b`. The region
- * containing both `a` and `b` are initialized by an `UninitializedGroup`
- * instruction in the entry block of the enclosing function.
- */
-class UninitializedGroupInstruction extends Instruction {
-  UninitializedGroupInstruction() { this.getOpcode() instanceof Opcode::UninitializedGroup }
-
-  /**
-   * Gets an `IRVariable` whose memory is initialized by this instruction, if any.
-   * Note: Allocations that are not represented as `IRVariable`s (such as
-   * dynamic allocations) are not returned by this predicate even if this
-   * instruction initializes such memory.
-   */
-  final IRVariable getAnIRVariable() {
-    result = Construction::getAnUninitializedGroupVariable(this)
-  }
-
-  final override string getImmediateString() {
-    result = strictconcat(this.getAnIRVariable().toString(), ",")
-  }
-}
-
 /**
  * An instruction representing unreachable code.
  *

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll

@@ -106,7 +106,8 @@ private predicate operandEscapesDomain(Operand operand) {
   not isArgumentForParameter(_, operand, _) and
   not isOnlyEscapesViaReturnArgument(operand) and
   not operand.getUse() instanceof ReturnValueInstruction and
-  not operand.getUse() instanceof ReturnIndirectionInstruction
+  not operand.getUse() instanceof ReturnIndirectionInstruction and
+  not operand instanceof PhiInputOperand
 }
 
 /**
@@ -190,11 +191,6 @@ private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instr
     // A copy propagates the source value.
     operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
   )
-  or
-  operand = instr.(PhiInstruction).getAnInputOperand() and
-  // Using `unknown` ensures termination since we cannot keep incrementing a bit offset
-  // through the back edge of a loop (or through recursion).
-  bitOffset = Ints::unknown()
 }
 
 private predicate operandEscapesNonReturn(Operand operand) {
@@ -216,6 +212,9 @@ private predicate operandEscapesNonReturn(Operand operand) {
   or
   isOnlyEscapesViaReturnArgument(operand) and resultEscapesNonReturn(operand.getUse())
   or
+  operand instanceof PhiInputOperand and
+  resultEscapesNonReturn(operand.getUse())
+  or
   operandEscapesDomain(operand)
 }
 
@@ -237,6 +236,9 @@ private predicate operandMayReachReturn(Operand operand) {
   operand.getUse() instanceof ReturnValueInstruction
   or
   isOnlyEscapesViaReturnArgument(operand) and resultMayReachReturn(operand.getUse())
+  or
+  operand instanceof PhiInputOperand and
+  resultMayReachReturn(operand.getUse())
 }
 
 private predicate operandReturned(Operand operand, IntValue bitOffset) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -15,51 +15,6 @@ private class OldInstruction = Reachability::ReachableInstruction;
 
 import Cached
 
-/**
- * Holds if `instruction` is the first instruction that may be followed by
- * an `UninitializedGroup` instruction, and the enclosing function of
- * `instruction` is `func`.
- */
-private predicate isFirstInstructionBeforeUninitializedGroup(
-  Instruction instruction, IRFunction func
-) {
-  instruction = getChi(any(OldIR::InitializeNonLocalInstruction init)) and
-  func = instruction.getEnclosingIRFunction()
-}
-
-/** Gets the `i`'th `UninitializedGroup` instruction in `func`. */
-private UninitializedGroupInstruction getInitGroupInstruction(int i, IRFunction func) {
-  exists(Alias::VariableGroup vg |
-    vg.getIRFunction() = func and
-    vg.getInitializationOrder() = i and
-    result = uninitializedGroup(vg)
-  )
-}
-
-/**
- * Holds if `instruction` is the last instruction in the chain of `UninitializedGroup`
- * instructions in `func`. The chain of instructions may be empty in which case
- * `instruction` satisfies
- * ```
- * isFirstInstructionBeforeUninitializedGroup(instruction, func)
- * ```
- */
-predicate isLastInstructionForUninitializedGroups(Instruction instruction, IRFunction func) {
-  exists(int i |
-    instruction = getInitGroupInstruction(i, func) and
-    not exists(getChi(instruction)) and
-    not exists(getInitGroupInstruction(i + 1, func))
-  )
-  or
-  exists(int i |
-    instruction = getChi(getInitGroupInstruction(i, func)) and
-    not exists(getInitGroupInstruction(i + 1, func))
-  )
-  or
-  isFirstInstructionBeforeUninitializedGroup(instruction, func) and
-  not exists(getInitGroupInstruction(0, func))
-}
-
 cached
 private module Cached {
   cached
@@ -77,11 +32,6 @@ private module Cached {
     hasChiNode(_, primaryInstruction)
   }
 
-  cached
-  predicate hasChiNodeAfterUninitializedGroup(UninitializedGroupInstruction initGroup) {
-    hasChiNodeAfterUninitializedGroup(_, initGroup)
-  }
-
   cached
   predicate hasUnreachedInstructionCached(IRFunction irFunc) {
     exists(OldIR::Instruction oldInstruction |
@@ -95,8 +45,7 @@ private module Cached {
   }
 
   class TStageInstruction =
-    TRawInstruction or TPhiInstruction or TChiInstruction or TUnreachedInstruction or
-        TUninitializedGroupInstruction;
+    TRawInstruction or TPhiInstruction or TChiInstruction or TUnreachedInstruction;
 
   /**
    * If `oldInstruction` is a `Phi` instruction that has exactly one reachable predecessor block,
@@ -129,8 +78,6 @@ private module Cached {
     or
     instr instanceof TChiInstruction
     or
-    instr instanceof TUninitializedGroupInstruction
-    or
     instr instanceof TUnreachedInstruction
   }
 
@@ -176,8 +123,7 @@ private module Cached {
   predicate hasModeledMemoryResult(Instruction instruction) {
     canModelResultForOldInstruction(getOldInstruction(instruction)) or
     instruction instanceof PhiInstruction or // Phis always have modeled results
-    instruction instanceof ChiInstruction or // Chis always have modeled results
-    instruction instanceof UninitializedGroupInstruction // Group initializers always have modeled results
+    instruction instanceof ChiInstruction // Chis always have modeled results
   }
 
   cached
@@ -188,23 +134,16 @@ private module Cached {
     or
     // Chi instructions track virtual variables, and therefore a chi instruction is
     // conflated if it's associated with the aliased virtual variable.
-    exists(Instruction input | instruction = getChi(input) |
-      Alias::getResultMemoryLocation(input).getVirtualVariable() instanceof
+    exists(OldInstruction oldInstruction | instruction = getChi(oldInstruction) |
+      Alias::getResultMemoryLocation(oldInstruction).getVirtualVariable() instanceof
         Alias::AliasedVirtualVariable
-      or
-      // A chi following an `UninitializedGroupInstruction` only happens when the virtual
-      // variable of the grouped memory location is `{AllAliasedMemory}`.
-      exists(Alias::GroupedMemoryLocation gml |
-        input = uninitializedGroup(gml.getGroup()) and
-        gml.getVirtualVariable() instanceof Alias::AliasedVirtualVariable
-      )
     )
     or
     // Phi instructions track locations, and therefore a phi instruction is
     // conflated if it's associated with a conflated location.
     exists(Alias::MemoryLocation location |
       instruction = getPhi(_, location) and
-      not exists(location.getAnAllocation())
+      not exists(location.getAllocation())
     )
   }
 
@@ -266,11 +205,7 @@ private module Cached {
       hasMemoryOperandDefinition(oldInstruction, oldOperand, overlap, result)
     )
     or
-    (
-      instruction = getChi(getOldInstruction(result))
-      or
-      instruction = getChi(result.(UninitializedGroupInstruction))
-    ) and
+    instruction = getChi(getOldInstruction(result)) and
     tag instanceof ChiPartialOperandTag and
     overlap instanceof MustExactlyOverlap
     or
@@ -328,14 +263,6 @@ private module Cached {
     )
   }
 
-  cached
-  IRVariable getAnUninitializedGroupVariable(UninitializedGroupInstruction init) {
-    exists(Alias::VariableGroup vg |
-      init = uninitializedGroup(vg) and
-      result = vg.getAnAllocation().getABaseInstruction().(VariableInstruction).getIRVariable()
-    )
-  }
-
   /**
    * Holds if `instr` is part of a cycle in the operand graph that doesn't go
    * through a phi instruction and therefore should be impossible.
@@ -389,19 +316,6 @@ private module Cached {
     result = getNewPhiOperandDefinitionFromOldSsa(instr, newPredecessorBlock, overlap)
   }
 
-  private ChiInstruction getChiAfterUninitializedGroup(int i, IRFunction func) {
-    result =
-      rank[i + 1](VariableGroup vg, UninitializedGroupInstruction initGroup, ChiInstruction chi,
-        int r |
-        initGroup.getEnclosingIRFunction() = func and
-        chi = getChi(initGroup) and
-        initGroup = uninitializedGroup(vg) and
-        r = vg.getInitializationOrder()
-      |
-        chi order by r
-      )
-  }
-
   cached
   Instruction getChiInstructionTotalOperand(ChiInstruction chiInstr) {
     exists(
@@ -415,19 +329,6 @@ private module Cached {
       definitionReachesUse(vvar, defBlock, defRank, useBlock, useRank) and
       result = getDefinitionOrChiInstruction(defBlock, defOffset, vvar, _)
     )
-    or
-    exists(UninitializedGroupInstruction initGroup, IRFunction func |
-      chiInstr = getChi(initGroup) and
-      func = initGroup.getEnclosingIRFunction()
-    |
-      chiInstr = getChiAfterUninitializedGroup(0, func) and
-      isFirstInstructionBeforeUninitializedGroup(result, func)
-      or
-      exists(int i |
-        chiInstr = getChiAfterUninitializedGroup(i + 1, func) and
-        result = getChiAfterUninitializedGroup(i, func)
-      )
-    )
   }
 
   cached
@@ -443,40 +344,14 @@ private module Cached {
     )
   }
 
-  private UninitializedGroupInstruction firstInstructionToUninitializedGroup(
-    Instruction instruction, EdgeKind kind
-  ) {
-    exists(IRFunction func |
-      isFirstInstructionBeforeUninitializedGroup(instruction, func) and
-      result = getInitGroupInstruction(0, func) and
-      kind instanceof GotoEdge
-    )
-  }
+  /*
+   * This adds Chi nodes to the instruction successor relation; if an instruction has a Chi node,
+   * that node is its successor in the new successor relation, and the Chi node's successors are
+   * the new instructions generated from the successors of the old instruction
+   */
 
-  private Instruction getNextUninitializedGroupInstruction(Instruction instruction, EdgeKind kind) {
-    exists(int i, IRFunction func |
-      func = instruction.getEnclosingIRFunction() and
-      instruction = getInitGroupInstruction(i, func) and
-      kind instanceof GotoEdge
-    |
-      if hasChiNodeAfterUninitializedGroup(_, instruction)
-      then result = getChi(instruction)
-      else result = getInitGroupInstruction(i + 1, func)
-    )
-    or
-    exists(int i, IRFunction func, UninitializedGroupInstruction initGroup |
-      func = instruction.getEnclosingIRFunction() and
-      instruction = getChi(initGroup) and
-      initGroup = getInitGroupInstruction(i, func) and
-      kind instanceof GotoEdge
-    |
-      result = getInitGroupInstruction(i + 1, func)
-    )
-  }
-
-  private Instruction getInstructionSuccessorAfterUninitializedGroup0(
-    Instruction instruction, EdgeKind kind
-  ) {
+  cached
+  Instruction getInstructionSuccessor(Instruction instruction, EdgeKind kind) {
     if hasChiNode(_, getOldInstruction(instruction))
     then
       result = getChi(getOldInstruction(instruction)) and
@@ -496,107 +371,6 @@ private module Cached {
       )
   }
 
-  private Instruction getInstructionSuccessorAfterUninitializedGroup(
-    Instruction instruction, EdgeKind kind
-  ) {
-    exists(IRFunction func, Instruction firstBeforeUninitializedGroup |
-      isLastInstructionForUninitializedGroups(instruction, func) and
-      isFirstInstructionBeforeUninitializedGroup(firstBeforeUninitializedGroup, func) and
-      result = getInstructionSuccessorAfterUninitializedGroup0(firstBeforeUninitializedGroup, kind)
-    )
-  }
-
-  /**
-   * This adds Chi nodes to the instruction successor relation; if an instruction has a Chi node,
-   * that node is its successor in the new successor relation, and the Chi node's successors are
-   * the new instructions generated from the successors of the old instruction.
-   *
-   * Furthermore, the entry block is augmented with `UninitializedGroup` instructions and `Chi`
-   * instructions. For example, consider this example:
-   * ```cpp
-   * int x, y;
-   * int* p;
-   * if(b) {
-   *   p = &x;
-   *   escape(&x);
-   * } else {
-   *   p = &y;
-   * }
-   * *p = 42;
-   *
-   * int z, w;
-   * int* q;
-   * if(b) {
-   *   q = &z;
-   * } else {
-   *   q = &w;
-   * }
-   * *q = 43;
-   * ```
-   *
-   * the unaliased IR for the entry block of this snippet is:
-   * ```
-   * v1(void)         = EnterFunction          :
-   * m1(unknown)      = AliasedDefinition      :
-   * m2(unknown)      = InitializeNonLocal     :
-   * r1(glval<bool>)  = VariableAddress[b]     :
-   * m3(bool)         = InitializeParameter[b] : &:r1
-   * r2(glval<int>)   = VariableAddress[x]     :
-   * m4(int)          = Uninitialized[x]       : &:r2
-   * r3(glval<int>)   = VariableAddress[y]     :
-   * m5(int)          = Uninitialized[y]       : &:r3
-   * r4(glval<int *>) = VariableAddress[p]     :
-   * m6(int *)        = Uninitialized[p]       : &:r4
-   * r5(glval<bool>)  = VariableAddress[b]     :
-   * r6(bool)         = Load[b]                : &:r5, m3
-   * v2(void)         = ConditionalBranch      : r6
-   * ```
-   * and we need to transform this to aliased IR by inserting an `UninitializedGroup`
-   * instruction for every `VariableGroup` memory location in the function. Furthermore,
-   * if the `VariableGroup` memory location contains an allocation that escapes we need
-   * to insert a `Chi` that writes the memory produced by `UninitializedGroup` into
-   * `{AllAliasedMemory}`. For the above snippet we then end up with:
-   * ```
-   * v1(void)         = EnterFunction           :
-   * m2(unknown)      = AliasedDefinition       :
-   * m3(unknown)      = InitializeNonLocal      :
-   * m4(unknown)      = Chi                     : total:m2, partial:m3
-   * m5(int)          = UninitializedGroup[x,y] :
-   * m6(unknown)      = Chi                     : total:m4, partial:m5
-   * m7(int)          = UninitializedGroup[w,z] :
-   * r1(glval<bool>)  = VariableAddress[b]      :
-   * m8(bool)         = InitializeParameter[b]  : &:r1
-   * r2(glval<int>)   = VariableAddress[x]      :
-   * m10(int)         = Uninitialized[x]       : &:r2
-   * m11(unknown)     = Chi                    : total:m6, partial:m10
-   * r3(glval<int>)   = VariableAddress[y]      :
-   * m12(int)         = Uninitialized[y]       : &:r3
-   * m13(unknown)     = Chi                    : total:m11, partial:m12
-   * r4(glval<int *>) = VariableAddress[p]      :
-   * m14(int *)       = Uninitialized[p]       : &:r4
-   * r5(glval<bool>)  = VariableAddress[b]      :
-   * r6(bool)         = Load[b]                 : &:r5, m8
-   * v2(void)         = ConditionalBranch       : r6
-   * ```
-   *
-   * Here, the group `{x, y}` contains an allocation that escapes (`x`), so there
-   * is a `Chi` after the `UninitializedGroup` that initializes the memory for the
-   * `VariableGroup` containing `x`. None of the allocations in `{w, z}` escape so
-   * there is no `Chi` following that the `UninitializedGroup` that initializes the
-   * memory of `{w, z}`.
-   */
-  cached
-  Instruction getInstructionSuccessor(Instruction instruction, EdgeKind kind) {
-    result = firstInstructionToUninitializedGroup(instruction, kind)
-    or
-    result = getNextUninitializedGroupInstruction(instruction, kind)
-    or
-    result = getInstructionSuccessorAfterUninitializedGroup(instruction, kind)
-    or
-    not isFirstInstructionBeforeUninitializedGroup(instruction, _) and
-    result = getInstructionSuccessorAfterUninitializedGroup0(instruction, kind)
-  }
-
   cached
   Instruction getInstructionBackEdgeSuccessor(Instruction instruction, EdgeKind kind) {
     exists(OldInstruction oldInstruction |
@@ -632,16 +406,6 @@ private module Cached {
     exists(IRFunctionBase irFunc |
       instr = unreachedInstruction(irFunc) and result = irFunc.getFunction()
     )
-    or
-    exists(Alias::VariableGroup vg |
-      instr = uninitializedGroup(vg) and
-      result = vg.getIRFunction().getFunction()
-    )
-    or
-    exists(UninitializedGroupInstruction initGroup |
-      instr = chiInstruction(initGroup) and
-      result = getInstructionAst(initGroup)
-    )
   }
 
   cached
@@ -654,16 +418,9 @@ private module Cached {
     )
     or
     exists(Instruction primaryInstr, Alias::VirtualVariable vvar |
-      instr = chiInstruction(primaryInstr) and result = vvar.getType()
-    |
-      hasChiNode(vvar, primaryInstr)
-      or
-      hasChiNodeAfterUninitializedGroup(vvar, primaryInstr)
-    )
-    or
-    exists(Alias::VariableGroup vg |
-      instr = uninitializedGroup(vg) and
-      result = vg.getType()
+      instr = chiInstruction(primaryInstr) and
+      hasChiNode(vvar, primaryInstr) and
+      result = vvar.getType()
     )
     or
     instr = reusedPhiInstruction(_) and
@@ -691,8 +448,6 @@ private module Cached {
     or
     instr = chiInstruction(_) and opcode instanceof Opcode::Chi
     or
-    instr = uninitializedGroup(_) and opcode instanceof Opcode::UninitializedGroup
-    or
     instr = unreachedInstruction(_) and opcode instanceof Opcode::Unreached
   }
 
@@ -705,15 +460,10 @@ private module Cached {
       result = blockStartInstr.getEnclosingIRFunction()
     )
     or
-    exists(Instruction primaryInstr |
+    exists(OldInstruction primaryInstr |
       instr = chiInstruction(primaryInstr) and result = primaryInstr.getEnclosingIRFunction()
     )
     or
-    exists(Alias::VariableGroup vg |
-      instr = uninitializedGroup(vg) and
-      result = vg.getIRFunction()
-    )
-    or
     instr = unreachedInstruction(result)
   }
 
@@ -728,8 +478,6 @@ private module Cached {
       instruction = getChi(oldInstruction) and
       result = getNewInstruction(oldInstruction)
     )
-    or
-    instruction = getChi(result.(UninitializedGroupInstruction))
   }
 }
 
@@ -737,7 +485,7 @@ private Instruction getNewInstruction(OldInstruction instr) { getOldInstruction(
 
 private OldInstruction getOldInstruction(Instruction instr) { instr = result }
 
-private ChiInstruction getChi(Instruction primaryInstr) { result = chiInstruction(primaryInstr) }
+private ChiInstruction getChi(OldInstruction primaryInstr) { result = chiInstruction(primaryInstr) }
 
 private PhiInstruction getPhi(OldBlock defBlock, Alias::MemoryLocation defLocation) {
   result = phiInstruction(defBlock.getFirstInstruction(), defLocation)
@@ -758,16 +506,6 @@ private predicate hasChiNode(Alias::VirtualVariable vvar, OldInstruction def) {
   )
 }
 
-private predicate hasChiNodeAfterUninitializedGroup(
-  Alias::AliasedVirtualVariable vvar, UninitializedGroupInstruction initGroup
-) {
-  exists(Alias::GroupedMemoryLocation defLocation |
-    initGroup = uninitializedGroup(defLocation.getGroup()) and
-    defLocation.getVirtualVariable() = vvar and
-    Alias::getOverlap(defLocation, vvar) instanceof MayPartiallyOverlap
-  )
-}
-
 private import PhiInsertion
 
 /**
@@ -930,33 +668,19 @@ private import DefUse
  * potentially very sparse.
  */
 module DefUse {
-  bindingset[index, block]
-  pragma[inline_late]
-  private int getNonChiOffset(int index, OldBlock block) {
-    exists(IRFunction func | func = block.getEnclosingIRFunction() |
-      if
-        getNewBlock(block) = func.getEntryBlock() and
-        not block.getInstruction(index) instanceof InitializeNonLocalInstruction and
-        not block.getInstruction(index) instanceof AliasedDefinitionInstruction
-      then result = 2 * (index + count(VariableGroup vg | vg.getIRFunction() = func))
-      else result = 2 * index
-    )
-  }
-
-  bindingset[index, block]
-  pragma[inline_late]
-  private int getChiOffset(int index, OldBlock block) { result = getNonChiOffset(index, block) + 1 }
-
   /**
    * Gets the `Instruction` for the definition at offset `defOffset` in block `defBlock`.
    */
-  private Instruction getDefinitionOrChiInstruction0(
+  Instruction getDefinitionOrChiInstruction(
     OldBlock defBlock, int defOffset, Alias::MemoryLocation defLocation,
     Alias::MemoryLocation actualDefLocation
   ) {
-    exists(OldInstruction oldInstr, int oldOffset | oldInstr = defBlock.getInstruction(oldOffset) |
+    exists(OldInstruction oldInstr, int oldOffset |
+      oldInstr = defBlock.getInstruction(oldOffset) and
+      oldOffset >= 0
+    |
       // An odd offset corresponds to the `Chi` instruction.
-      defOffset = getChiOffset(oldOffset, defBlock) and
+      defOffset = oldOffset * 2 + 1 and
       result = getChi(oldInstr) and
       (
         defLocation = Alias::getResultMemoryLocation(oldInstr) or
@@ -965,7 +689,7 @@ module DefUse {
       actualDefLocation = defLocation.getVirtualVariable()
       or
       // An even offset corresponds to the original instruction.
-      defOffset = getNonChiOffset(oldOffset, defBlock) and
+      defOffset = oldOffset * 2 and
       result = getNewInstruction(oldInstr) and
       (
         defLocation = Alias::getResultMemoryLocation(oldInstr) or
@@ -978,54 +702,6 @@ module DefUse {
     hasDefinition(_, defLocation, defBlock, defOffset) and
     result = getPhi(defBlock, defLocation) and
     actualDefLocation = defLocation
-    or
-    exists(
-      Alias::VariableGroup vg, int index, UninitializedGroupInstruction initGroup,
-      Alias::GroupedMemoryLocation gml
-    |
-      // Add 3 to account for the function prologue:
-      // v1(void)    = EnterFunction
-      // m1(unknown) = AliasedDefinition
-      // m2(unknown) = InitializeNonLocal
-      index = 3 + vg.getInitializationOrder() and
-      not gml.isMayAccess() and
-      gml.isSome() and
-      gml.getGroup() = vg and
-      vg.getIRFunction().getEntryBlock() = defBlock and
-      initGroup = uninitializedGroup(vg) and
-      (defLocation = gml or defLocation = gml.getVirtualVariable())
-    |
-      result = initGroup and
-      defOffset = 2 * index and
-      actualDefLocation = defLocation
-      or
-      result = getChi(initGroup) and
-      defOffset = 2 * index + 1 and
-      actualDefLocation = defLocation.getVirtualVariable()
-    )
-  }
-
-  private ChiInstruction remapGetDefinitionOrChiInstruction(Instruction oldResult) {
-    exists(IRFunction func |
-      isFirstInstructionBeforeUninitializedGroup(oldResult, func) and
-      isLastInstructionForUninitializedGroups(result, func)
-    )
-  }
-
-  Instruction getDefinitionOrChiInstruction(
-    OldBlock defBlock, int defOffset, Alias::MemoryLocation defLocation,
-    Alias::MemoryLocation actualDefLocation
-  ) {
-    exists(Instruction oldResult |
-      oldResult =
-        getDefinitionOrChiInstruction0(defBlock, defOffset, defLocation, actualDefLocation) and
-      (
-        result = remapGetDefinitionOrChiInstruction(oldResult)
-        or
-        not exists(remapGetDefinitionOrChiInstruction(oldResult)) and
-        result = oldResult
-      )
-    )
   }
 
   /**
@@ -1166,20 +842,8 @@ module DefUse {
       block.getInstruction(index) = def and
       overlap = Alias::getOverlap(defLocation, useLocation) and
       if overlap instanceof MayPartiallyOverlap
-      then offset = getChiOffset(index, block) // The use will be connected to the definition on the `Chi` instruction.
-      else offset = getNonChiOffset(index, block) // The use will be connected to the definition on the original instruction.
-    )
-    or
-    exists(UninitializedGroupInstruction initGroup, int index, Overlap overlap, VariableGroup vg |
-      initGroup.getEnclosingIRFunction().getEntryBlock() = getNewBlock(block) and
-      vg = defLocation.(Alias::GroupedMemoryLocation).getGroup() and
-      // EnterFunction + AliasedDefinition + InitializeNonLocal + index
-      index = 3 + vg.getInitializationOrder() and
-      initGroup = uninitializedGroup(vg) and
-      overlap = Alias::getOverlap(defLocation, useLocation) and
-      if overlap instanceof MayPartiallyOverlap and hasChiNodeAfterUninitializedGroup(initGroup)
-      then offset = 2 * index + 1 // The use will be connected to the definition on the `Chi` instruction.
-      else offset = 2 * index // The use will be connected to the definition on the original instruction.
+      then offset = (index * 2) + 1 // The use will be connected to the definition on the `Chi` instruction.
+      else offset = index * 2 // The use will be connected to the definition on the original instruction.
     )
   }
 
@@ -1240,11 +904,10 @@ module DefUse {
       block.getInstruction(index) = use and
       (
         // A direct use of the location.
-        useLocation = Alias::getOperandMemoryLocation(use.getAnOperand()) and
-        offset = getNonChiOffset(index, block)
+        useLocation = Alias::getOperandMemoryLocation(use.getAnOperand()) and offset = index * 2
         or
         // A `Chi` instruction will include a use of the virtual variable.
-        hasChiNode(useLocation, use) and offset = getChiOffset(index, block)
+        hasChiNode(useLocation, use) and offset = (index * 2) + 1
       )
     )
   }
@@ -1394,9 +1057,5 @@ module Ssa {
 
   predicate hasChiInstruction = Cached::hasChiInstructionCached/1;
 
-  predicate hasChiNodeAfterUninitializedGroup = Cached::hasChiNodeAfterUninitializedGroup/1;
-
   predicate hasUnreachedInstruction = Cached::hasUnreachedInstructionCached/1;
-
-  class VariableGroup = Alias::VariableGroup;
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll

@@ -2,7 +2,6 @@ import AliasAnalysis
 private import SimpleSSAImports
 import SimpleSSAPublicImports
 private import AliasConfiguration
-private import codeql.util.Unit
 
 private predicate isTotalAccess(Allocation var, AddressOperand addrOperand, IRType type) {
   exists(Instruction constantBase, int bitOffset |
@@ -49,7 +48,7 @@ predicate canReuseSsaForVariable(IRAutomaticVariable var) {
 
 private newtype TMemoryLocation = MkMemoryLocation(Allocation var) { isVariableModeled(var) }
 
-private MemoryLocation getMemoryLocation(Allocation var) { result.getAnAllocation() = var }
+private MemoryLocation getMemoryLocation(Allocation var) { result.getAllocation() = var }
 
 class MemoryLocation extends TMemoryLocation {
   Allocation var;
@@ -58,7 +57,7 @@ class MemoryLocation extends TMemoryLocation {
 
   final string toString() { result = var.getAllocationString() }
 
-  final Allocation getAnAllocation() { result = var }
+  final Allocation getAllocation() { result = var }
 
   final Language::Location getLocation() { result = var.getLocation() }
 
@@ -78,40 +77,6 @@ class MemoryLocation extends TMemoryLocation {
 
 predicate canReuseSsaForOldResult(Instruction instr) { none() }
 
-abstract class VariableGroup extends Unit {
-  abstract Allocation getAnAllocation();
-
-  string toString() { result = "{" + strictconcat(this.getAnAllocation().toString(), ", ") + "}" }
-
-  abstract Language::Location getLocation();
-
-  abstract IRFunction getIRFunction();
-
-  abstract Language::LanguageType getType();
-
-  abstract int getInitializationOrder();
-}
-
-class GroupedMemoryLocation extends MemoryLocation {
-  VariableGroup vg;
-
-  GroupedMemoryLocation() { none() }
-
-  /** Gets an allocation of this memory location. */
-  Allocation getAnAllocation() { result = vg.getAnAllocation() }
-
-  /** Gets the set of allocations associated with this memory location. */
-  VariableGroup getGroup() { result = vg }
-
-  predicate isMayAccess() { none() }
-
-  /** Holds if this memory location represents all the enclosing allocations. */
-  predicate isAll() { none() }
-
-  /** Holds if this memory location represents one or more of the enclosing allocations. */
-  predicate isSome() { none() }
-}
-
 /**
  * Represents a set of `MemoryLocation`s that cannot overlap with
  * `MemoryLocation`s outside of the set. The `VirtualVariable` will be

cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll

@@ -2,7 +2,7 @@
  * Provides models for C++ containers `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
  */
 
-import semmle.code.cpp.models.interfaces.FlowSource
+import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Iterator
 
 /**
@@ -55,6 +55,73 @@ private class Vector extends StdSequenceContainer {
   Vector() { this.hasQualifiedName(["std", "bsl"], "vector") }
 }
 
+/**
+ * Additional model for standard container constructors that reference the
+ * value type of the container (that is, the `T` in `std::vector<T>`).  For
+ * example the fill constructor:
+ * ```
+ * std::vector<std::string> v(100, potentially_tainted_string);
+ * ```
+ */
+private class StdSequenceContainerConstructor extends Constructor, TaintFunction {
+  StdSequenceContainerConstructor() {
+    this.getDeclaringType() instanceof Vector or
+    this.getDeclaringType() instanceof Deque or
+    this.getDeclaringType() instanceof List or
+    this.getDeclaringType() instanceof ForwardList
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is an iterator.
+   */
+  int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from any parameter of the value type to the returned object
+    (
+      input.isParameterDeref(this.getAValueTypeParameterIndex()) or
+      input.isParameter(this.getAnIteratorParameterIndex())
+    ) and
+    (
+      output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
+      or
+      output.isQualifierObject()
+    )
+  }
+}
+
+/**
+ * The standard container function `data`.
+ */
+private class StdSequenceContainerData extends TaintFunction {
+  StdSequenceContainerData() {
+    this.getClassAndName("data") instanceof Array or
+    this.getClassAndName("data") instanceof Vector
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from container itself (qualifier) to return value
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the qualifier (for writes to
+    // `data`)
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+}
+
 /**
  * The standard container functions `push_back` and `push_front`.
  */
@@ -76,6 +143,35 @@ class StdSequenceContainerPush extends MemberFunction {
   }
 }
 
+private class StdSequenceContainerPushModel extends StdSequenceContainerPush, TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to qualifier
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+}
+
+/**
+ * The standard container functions `front` and `back`.
+ */
+private class StdSequenceContainerFrontBack extends TaintFunction {
+  StdSequenceContainerFrontBack() {
+    this.getClassAndName(["front", "back"]) instanceof Array or
+    this.getClassAndName(["front", "back"]) instanceof Deque or
+    this.getClassAndName("front") instanceof ForwardList or
+    this.getClassAndName(["front", "back"]) instanceof List or
+    this.getClassAndName(["front", "back"]) instanceof Vector
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from object to returned reference
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+}
+
 /**
  * The standard container functions `insert` and `insert_after`.
  */
@@ -102,6 +198,58 @@ class StdSequenceContainerInsert extends MemberFunction {
   int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
 }
 
+private class StdSequenceContainerInsertModel extends StdSequenceContainerInsert, TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to container itself (qualifier) and return value
+    (
+      input.isQualifierObject() or
+      input.isParameterDeref(this.getAValueTypeParameterIndex()) or
+      input.isParameter(this.getAnIteratorParameterIndex())
+    ) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValue()
+    )
+  }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+}
+
+/**
+ * The standard container function `assign`.
+ */
+private class StdSequenceContainerAssign extends TaintFunction {
+  StdSequenceContainerAssign() {
+    this.getClassAndName("assign") instanceof Deque or
+    this.getClassAndName("assign") instanceof ForwardList or
+    this.getClassAndName("assign") instanceof List or
+    this.getClassAndName("assign") instanceof Vector
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is an iterator.
+   */
+  int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to container itself (qualifier)
+    (
+      input.isParameterDeref(this.getAValueTypeParameterIndex()) or
+      input.isParameter(this.getAnIteratorParameterIndex())
+    ) and
+    output.isQualifierObject()
+  }
+}
+
 /**
  * The standard container functions `at` and `operator[]`.
  */
@@ -113,6 +261,20 @@ class StdSequenceContainerAt extends MemberFunction {
   }
 }
 
+private class StdSequenceContainerAtModel extends StdSequenceContainerAt, TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to referenced return value
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the qualifier
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+}
+
 /**
  * The standard `emplace` function.
  */
@@ -135,6 +297,20 @@ class StdSequenceEmplace extends MemberFunction {
   }
 }
 
+private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from any parameter except the position iterator to qualifier and return value
+    // (here we assume taint flow from any constructor parameter to the constructed object)
+    input.isParameterDeref([1 .. this.getNumberOfParameters() - 1]) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValue()
+    )
+  }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+}
+
 /**
  * The standard vector `emplace` function.
  */
@@ -164,6 +340,17 @@ class StdSequenceEmplaceBack extends MemberFunction {
   }
 }
 
+private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintFunction {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from any parameter to qualifier
+    // (here we assume taint flow from any constructor parameter to the constructed object)
+    input.isParameterDeref([0 .. this.getNumberOfParameters() - 1]) and
+    output.isQualifierObject()
+  }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
+}
+
 /**
  * The standard vector `emplace_back` function.
  */

cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll

@@ -66,7 +66,7 @@ abstract private class StdStringTaintFunction extends TaintFunction {
    * Gets the index of a parameter to this function that is an iterator.
    */
   final int getAnIteratorParameterIndex() {
-    this.getParameter(result).getUnspecifiedType() instanceof Iterator
+    this.getParameter(result).getType() instanceof Iterator
   }
 }
 

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -1748,25 +1748,6 @@ case @expr.kind of
 | 361 = @isvoid
 | 362 = @isvolatile
 | 363 = @reuseexpr
-| 364 = @istriviallycopyassignable
-| 365 = @isassignablenopreconditioncheck
-| 366 = @referencebindstotemporary
-| 367 = @issameas
-| 368 = @builtinhasattribute
-| 369 = @ispointerinterconvertiblewithclass
-| 370 = @builtinispointerinterconvertiblewithclass
-| 371 = @iscorrespondingmember
-| 372 = @builtiniscorrespondingmember
-| 373 = @isboundedarray
-| 374 = @isunboundedarray
-| 375 = @isreferenceable
-| 378 = @isnothrowconvertible
-| 379 = @referenceconstructsfromtemporary
-| 380 = @referenceconvertsfromtemporary
-| 381 = @isconvertible
-| 382 = @isvalidwinrttype
-| 383 = @iswinclass
-| 384 = @iswininterface
 ;
 
 @var_args_expr = @vastartexpr
@@ -1861,25 +1842,6 @@ case @expr.kind of
             | @isunsigned
             | @isvoid
             | @isvolatile
-            | @istriviallycopyassignable
-            | @isassignablenopreconditioncheck
-            | @referencebindstotemporary
-            | @issameas
-            | @builtinhasattribute
-            | @ispointerinterconvertiblewithclass
-            | @builtinispointerinterconvertiblewithclass
-            | @iscorrespondingmember
-            | @builtiniscorrespondingmember
-            | @isboundedarray
-            | @isunboundedarray
-            | @isreferenceable
-            | @isnothrowconvertible
-            | @referenceconstructsfromtemporary
-            | @referenceconvertsfromtemporary
-            | @isconvertible
-            | @isvalidwinrttype
-            | @iswinclass
-            | @iswininterface
             ;
 
 new_allocated_type(

cpp/ql/lib/upgrades/abfce5c170f93e281948f7689ece373464fdaf87/upgrade.properties

@@ -1,2 +0,0 @@
-description: Add new builtin operations
-compatibility: backwards

cpp/ql/src/CHANGELOG.md

@@ -1,22 +1,3 @@
-## 1.1.0
-
-### Query Metadata Changes
-
-* The precision of `cpp/iterator-to-expired-container` ("Iterator to expired container") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite.
-* The precision of `cpp/unsafe-strncat` ("Potentially unsafe call to strncat") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite.
-
-### Minor Analysis Improvements
-
-* The `cpp/unsigned-difference-expression-compared-zero` ("Unsigned difference expression compared to zero") query now produces fewer false positives.
-
-## 1.0.3
-
-No user-facing changes.
-
-## 1.0.2
-
-No user-facing changes.
-
 ## 1.0.1
 
 ### Minor Analysis Improvements

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -172,5 +172,5 @@ where
   not arg.isFromUninstantiatedTemplate(_) and
   not actual.getUnspecifiedType() instanceof ErroneousType
 select arg,
-  "This format specifier for type '" + expected.getName() + "' does not match the argument type '" +
+  "This argument should be of type '" + expected.getName() + "' but is of type '" +
     actual.getUnspecifiedType().getName() + "'."

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.cpp

@@ -0,0 +1,7 @@
+Record* fixRecord(Record* r) {
+	Record myRecord = *r;
+	delete r;
+
+	myRecord.fix();
+	return &myRecord; //returns reference to myRecord, which is a stack-allocated object
+}

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.qhelp

@@ -5,23 +5,22 @@
 
 
 <overview>
-<p>This rule finds return statements that return pointers to an object allocated on the stack.
-The lifetime of a stack allocated memory location only lasts until the function returns, and
-the contents of that memory become undefined after that. Clearly, using a pointer to stack
+<p>This rule finds return statements that return pointers to an object allocated on the stack. 
+The lifetime of a stack allocated memory location only lasts until the function returns, and 
+the contents of that memory become undefined after that. Clearly, using a pointer to stack 
 memory after the function has already returned will have undefined results. </p>
 
 </overview>
 <recommendation>
-<p>Use the functions of the <tt>malloc</tt> family, or <tt>new</tt>, to dynamically allocate memory on the heap for data that is used across function calls.</p>
+<p>Use the functions of the <tt>malloc</tt> family to dynamically allocate memory on the heap for data that is used across function calls.</p>
 
 </recommendation>
-<example>
-<p>The following example allocates an object on the stack and returns a pointer to it. This is incorrect because the object is deallocated
-when the function returns, and the pointer becomes invalid.</p>
-<sample src="ReturnStackAllocatedMemoryBad.cpp" />
+<example><sample src="ReturnStackAllocatedMemory.cpp" />
+
+
+
+
 
-<p>To fix this, allocate the object on the heap using <tt>new</tt> and return a pointer to the heap-allocated object.</p>
-<sample src="ReturnStackAllocatedMemoryGood.cpp" />
 </example>
 
 <references>

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemoryBad.cpp

@@ -1,5 +0,0 @@
-Record *mkRecord(int value) {
-	Record myRecord(value);
-
-	return &myRecord; // BAD: returns a pointer to `myRecord`, which is a stack-allocated object.
-}

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemoryGood.cpp

@@ -1,5 +0,0 @@
-Record *mkRecord(int value) {
-	Record *myRecord = new Record(value);
-
-	return myRecord; // GOOD: returns a pointer to a `myRecord`, which is a heap-allocated object.
-}

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 9.3
- * @precision high
+ * @precision medium
  * @id cpp/unsafe-strncat
  * @tags reliability
  *       correctness

cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c

@@ -1,14 +1,5 @@
-uint32_t limit = get_limit();
-uint32_t total = 0;
-
-while (limit - total > 0) { // BAD: if `total` is greater than `limit` this will underflow and continue executing the loop.
+unsigned limit = get_limit();
+unsigned total = 0;
+while (limit - total > 0) { // wrong: if `total` is greater than `limit` this will underflow and continue executing the loop.
   total += get_data();
-}
-
-while (total < limit) { // GOOD: never underflows here because there is no arithmetic.
-  total += get_data();
-}
-
-while ((int64_t)limit - total > 0) { // GOOD: never underflows here because the result always fits in an `int64_t`.
-  total += get_data();
-}
+}

cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql

@@ -17,7 +17,6 @@ import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 import semmle.code.cpp.controlflow.Guards
 import semmle.code.cpp.ir.dataflow.DataFlow
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
 /**
  *  Holds if `sub` is guarded by a condition which ensures that
@@ -34,108 +33,45 @@ predicate isGuarded(SubExpr sub, Expr left, Expr right) {
   )
 }
 
-/**
- * Gets an expression that is less than or equal to `sub.getLeftOperand()`.
- * These serve as the base cases for `exprIsSubLeftOrLess`.
- */
-Expr exprIsLeftOrLessBase(SubExpr sub) {
-  interestingSubExpr(sub, _) and // Manual magic
-  exists(Expr e | globalValueNumber(e).getAnExpr() = sub.getLeftOperand() |
-    // sub = e - x
-    // result = e
-    // so:
-    // result <= e
-    result = e
-    or
-    // sub = e - x
-    // result = e & y
-    // so:
-    // result = e & y <= e
-    result.(BitwiseAndExpr).getAnOperand() = e
-    or
-    exists(SubExpr s |
-      // sub = e - x
-      // result = s
-      // s = e - y
-      // y >= 0
-      // so:
-      // result = e - y <= e
-      result = s and
-      s.getLeftOperand() = e and
-      lowerBound(s.getRightOperand().getFullyConverted()) >= 0
-    )
-    or
-    exists(Expr other |
-      // sub = e - x
-      // result = a
-      // a = e + y
-      // y <= 0
-      // so:
-      // result = e + y <= e + 0 = e
-      result.(AddExpr).hasOperands(e, other) and
-      upperBound(other.getFullyConverted()) <= 0
-    )
-    or
-    exists(DivExpr d |
-      // sub = e - x
-      // result = d
-      // d = e / y
-      // y >= 1
-      // so:
-      // result = e / y <= e / 1 = e
-      result = d and
-      d.getLeftOperand() = e and
-      lowerBound(d.getRightOperand().getFullyConverted()) >= 1
-    )
-    or
-    exists(RShiftExpr rs |
-      // sub = e - x
-      // result = rs
-      // rs = e >> y
-      // so:
-      // result = e >> y <= e
-      result = rs and
-      rs.getLeftOperand() = e
-    )
-  )
-}
-
 /**
  * Holds if `n` is known or suspected to be less than or equal to
  * `sub.getLeftOperand()`.
  */
 predicate exprIsSubLeftOrLess(SubExpr sub, DataFlow::Node n) {
-  n.asExpr() = exprIsLeftOrLessBase(sub)
-  or
-  exists(DataFlow::Node other |
-    // dataflow
-    exprIsSubLeftOrLess(sub, other) and
-    (
-      DataFlow::localFlowStep(n, other) or
-      DataFlow::localFlowStep(other, n)
+  interestingSubExpr(sub, _) and // Manual magic
+  (
+    n.asExpr() = sub.getLeftOperand()
+    or
+    exists(DataFlow::Node other |
+      // dataflow
+      exprIsSubLeftOrLess(sub, other) and
+      (
+        DataFlow::localFlowStep(n, other) or
+        DataFlow::localFlowStep(other, n)
+      )
+    )
+    or
+    exists(DataFlow::Node other |
+      // guard constraining `sub`
+      exprIsSubLeftOrLess(sub, other) and
+      isGuarded(sub, other.asExpr(), n.asExpr()) // other >= n
+    )
+    or
+    exists(DataFlow::Node other, float p, float q |
+      // linear access of `other`
+      exprIsSubLeftOrLess(sub, other) and
+      linearAccess(n.asExpr(), other.asExpr(), p, q) and // n = p * other + q
+      p <= 1 and
+      q <= 0
+    )
+    or
+    exists(DataFlow::Node other, float p, float q |
+      // linear access of `n`
+      exprIsSubLeftOrLess(sub, other) and
+      linearAccess(other.asExpr(), n.asExpr(), p, q) and // other = p * n + q
+      p >= 1 and
+      q >= 0
     )
-  )
-  or
-  exists(DataFlow::Node other |
-    // guard constraining `sub`
-    exprIsSubLeftOrLess(sub, other) and
-    isGuarded(sub, other.asExpr(), n.asExpr()) // other >= n
-  )
-  or
-  exists(DataFlow::Node other, float p, float q |
-    // linear access of `other`
-    exprIsSubLeftOrLess(sub, other) and
-    linearAccess(n.asExpr(), other.asExpr(), p, q) and // n = p * other + q
-    p <= 1 and
-    q <= 0
-  )
-  or
-  exists(DataFlow::Node other, float p, float q |
-    // linear access of `n`
-    exprIsSubLeftOrLess(sub, other) and
-    linearAccess(other.asExpr(), n.asExpr(), p, q) and // other = p * n + q
-    p >= 1 and
-    q >= 0
   )
 }
 

cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRaceBad.c

@@ -1,17 +1,15 @@
 char *file_name;
 FILE *f_ptr;
-
+ 
 /* Initialize file_name */
-
+ 
 f_ptr = fopen(file_name, "w");
 if (f_ptr == NULL)  {
   /* Handle error */
 }
-
+ 
 /* ... */
-
+ 
 if (chmod(file_name, S_IRUSR) == -1) {
   /* Handle error */
-}
-
-fclose(f_ptr);
+}

cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRaceGood.c

@@ -1,8 +1,8 @@
 char *file_name;
 int fd;
-
+ 
 /* Initialize file_name */
-
+ 
 fd = open(
   file_name,
   O_WRONLY | O_CREAT | O_EXCL,
@@ -11,11 +11,9 @@ fd = open(
 if (fd == -1) {
   /* Handle error */
 }
-
+ 
 /* ... */
-
+ 
 if (fchmod(fd, S_IRUSR) == -1) {
   /* Handle error */
-}
-
-close(fd);
+}

cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql

@@ -2,7 +2,7 @@
  * @name Iterator to expired container
  * @description Using an iterator owned by a container whose lifetime has expired may lead to unexpected behavior.
  * @kind problem
- * @precision high
+ * @precision medium
  * @id cpp/iterator-to-expired-container
  * @problem.severity warning
  * @security-severity 8.8

cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp

@@ -34,7 +34,7 @@ void good1(std::size_t length) noexcept {
 
 // GOOD: the allocation failure is handled appropriately.
 void good2(std::size_t length) noexcept {
-  int* dest = new(std::nothrow) int[length];
+  int* dest = new int[length];
   if(!dest) {
     return;
   }

cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.c

@@ -1,38 +1,11 @@
 void write_default_config_bad() {
 	// BAD - this is world-writable so any user can overwrite the config
 	int out = creat(OUTFILE, 0666);
-	if (out < 0) {
-		// handle error
-	}
-
-	dprintf(out, "%s", DEFAULT_CONFIG);
-	close(out);
+	dprintf(out, DEFAULT_CONFIG);
 }
 
 void write_default_config_good() {
 	// GOOD - this allows only the current user to modify the file
 	int out = creat(OUTFILE, S_IWUSR | S_IRUSR);
-	if (out < 0) {
-		// handle error
-	}
-
-	dprintf(out, "%s", DEFAULT_CONFIG);
-	close(out);
-}
-
-void write_default_config_good_2() {
-	// GOOD - this allows only the current user to modify the file
-	int out = open(OUTFILE, O_WRONLY | O_CREAT, S_IWUSR | S_IRUSR);
-	if (out < 0) {
-		// handle error
-	}
-
-	FILE *fd = fdopen(out, "w");
-	if (fd == NULL) {
-		close(out);
-		// handle error
-	}
-
-	fprintf(fd, "%s", DEFAULT_CONFIG);
-	fclose(fd);
+	dprintf(out, DEFAULT_CONFIG);
 }

cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.qhelp

@@ -29,11 +29,10 @@ so it is important that they cannot be controlled by an attacker.
 </p>
 
 <p>
-The first example creates the default configuration file with the usual "default" Unix permissions, <code>0666</code>. This makes the
+The first example creates the default configuration file with the usual "default" Unix permissions, <code>0666</code>. This makes the 
 file world-writable, so that an attacker could write in their own configuration that would be read by the program. The second example uses
 more restrictive permissions: a combination of the standard Unix constants <code>S_IWUSR</code> and <code>S_IRUSR</code> which means that
-only the current user will have read and write access to the file. The third example shows another way to create a file with more restrictive
-permissions if a <code>FILE *</code> stream pointer is required rather than a file descriptor.
+only the current user will have read and write access to the file.
 </p>
 
 <sample src="DoNotCreateWorldWritable.c" />

cpp/ql/src/change-notes/released/1.0.2.md

@@ -1,3 +0,0 @@
-## 1.0.2
-
-No user-facing changes.

cpp/ql/src/change-notes/released/1.0.3.md

@@ -1,3 +0,0 @@
-## 1.0.3
-
-No user-facing changes.

cpp/ql/src/change-notes/released/1.1.0.md

@@ -1,10 +0,0 @@
-## 1.1.0
-
-### Query Metadata Changes
-
-* The precision of `cpp/iterator-to-expired-container` ("Iterator to expired container") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite.
-* The precision of `cpp/unsafe-strncat` ("Potentially unsafe call to strncat") has been increased to `high`. As a result, it will be run by default as part of the Code Scanning suite.
-
-### Minor Analysis Improvements
-
-* The `cpp/unsigned-difference-expression-compared-zero` ("Unsigned difference expression compared to zero") query now produces fewer false positives.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.0
+lastReleaseVersion: 1.0.1

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.1.0
+version: 1.0.2-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/array_sizes/arr2.expected

@@ -1,11 +1,5 @@
 | file://:0:0:0:0 | char[6] | 6 |
 | file://:0:0:0:0 | char[26] | 26 |
-| file://:0:0:0:0 | char[] |  |
-| file://:0:0:0:0 | const char[6] | 6 |
-| file://:0:0:0:0 | double[0] | 0 |
-| file://:0:0:0:0 | double[3] | 3 |
-| file://:0:0:0:0 | double[4] | 4 |
-| file://:0:0:0:0 | double[] |  |
 | file://:0:0:0:0 | int[1] | 1 |
 | file://:0:0:0:0 | int[11] | 11 |
 | file://:0:0:0:0 | long[] |  |

cpp/ql/test/library-tests/array_sizes/implicit_sizes.cpp

@@ -1,10 +0,0 @@
-// semmle-extractor-options: -std=c++20
-double a1[]{1,2,3};
-double* p1 = new double[]{1,2,3};
-double* p2 = new double[0]{};
-double* p3 = new double[]{};
-char c[]{"Hello"};
-char* d = new char[]{"Hello"};
-double a2[](1,2,3);
-double* p4 = new double[](1,2,3);
-double* p5 = new double[4]{1,2};  // Size mismatch

cpp/ql/test/library-tests/array_sizes/new.expected

@@ -1,6 +0,0 @@
-| implicit_sizes.cpp:3:14:3:32 | new[] | 3 |
-| implicit_sizes.cpp:4:14:4:28 | new[] | 0 |
-| implicit_sizes.cpp:5:14:5:27 | new[] | 0 |
-| implicit_sizes.cpp:7:11:7:29 | new[] | 6 |
-| implicit_sizes.cpp:9:14:9:32 | new[] | 3 |
-| implicit_sizes.cpp:10:14:10:31 | new[] | 4 |

cpp/ql/test/library-tests/array_sizes/new.ql

@@ -1,4 +0,0 @@
-import cpp
-
-from NewArrayExpr nae
-select nae, nae.getArraySize()

cpp/ql/test/library-tests/atomic/variables.expected

@@ -1,5 +1,7 @@
 | (unnamed parameter 0) | __va_list_tag && | rvalue reference to {struct __va_list_tag} |
+| (unnamed parameter 0) | atomic_box<int> && | rvalue reference to {struct atomic_box<int>} |
 | (unnamed parameter 0) | const __va_list_tag & | reference to {const {struct __va_list_tag}} |
+| (unnamed parameter 0) | const atomic_box<int> & | reference to {const {struct atomic_box<int>}} |
 | a | _Atomic(int) | atomic {int} |
 | b | _Atomic(int) | atomic {int} |
 | c | _Atomic(int) * | pointer to {atomic {int}} |

cpp/ql/test/library-tests/builtins/type_traits/clang.cpp

@@ -1,4 +1,4 @@
-// semmle-extractor-options: --clang --clang_version 180000
+// semmle-extractor-options: --clang --clang_version 100000
 
 struct S {
     void f() {}
@@ -93,18 +93,3 @@ struct S2 {
 
 bool bok_is_trivial1 = __is_trivial(int);
 bool bok_is_trivial2 = __is_trivial(S2);
-
-bool bok_reference_binds_to_temporary1 = __reference_binds_to_temporary(int&, long&);
-bool bok_reference_binds_to_temporary2 = __reference_binds_to_temporary(int const &, long&);
-
-bool b_is_same_as1 = __is_same_as(int, int);
-bool b_is_same_as2 = __is_same_as(int, float);
-
-bool b_is_bounded_array1 = __is_bounded_array(int[]);
-bool b_is_bounded_array2 = __is_bounded_array(int[42]);
-
-bool b_is_unbounded_array1 = __is_unbounded_array(int[]);
-bool b_is_unbounded_array2 = __is_unbounded_array(int[42]);
-
-bool b_is_referenceable1 = __is_referenceable(int);
-bool b_is_referenceable2 = __is_referenceable(void);

cpp/ql/test/library-tests/builtins/type_traits/expr.expected

@@ -125,78 +125,9 @@
 | clang.cpp:94:24:94:40 | int |  | <none> |
 | clang.cpp:95:24:95:39 | S2 |  | <none> |
 | clang.cpp:95:24:95:39 | __is_trivial | S2 | 0 |
-| clang.cpp:97:42:97:84 | __reference_binds_to_temporary | int &,long & | 0 |
-| clang.cpp:97:42:97:84 | int & |  | <none> |
-| clang.cpp:97:42:97:84 | long & |  | <none> |
-| clang.cpp:98:42:98:91 | __reference_binds_to_temporary | const int &,long & | 1 |
-| clang.cpp:98:42:98:91 | const int & |  | <none> |
-| clang.cpp:98:42:98:91 | long & |  | <none> |
-| clang.cpp:100:22:100:43 | __is_same_as | int,int | 1 |
-| clang.cpp:100:22:100:43 | int |  | <none> |
-| clang.cpp:100:22:100:43 | int |  | <none> |
-| clang.cpp:101:22:101:45 | __is_same_as | int,float | 0 |
-| clang.cpp:101:22:101:45 | float |  | <none> |
-| clang.cpp:101:22:101:45 | int |  | <none> |
-| clang.cpp:103:28:103:52 | __is_bounded_array | int[] | 0 |
-| clang.cpp:103:28:103:52 | int[] |  | <none> |
-| clang.cpp:104:28:104:54 | __is_bounded_array | int[42] | 1 |
-| clang.cpp:104:28:104:54 | int[42] |  | <none> |
-| clang.cpp:104:51:104:52 | 42 |  | 42 |
-| clang.cpp:104:51:104:52 | (unsigned long)... |  | 42 |
-| clang.cpp:106:30:106:56 | __is_unbounded_array | int[] | 1 |
-| clang.cpp:106:30:106:56 | int[] |  | <none> |
-| clang.cpp:107:30:107:58 | __is_unbounded_array | int[42] | 0 |
-| clang.cpp:107:30:107:58 | int[42] |  | <none> |
-| clang.cpp:107:55:107:56 | 42 |  | 42 |
-| clang.cpp:107:55:107:56 | (unsigned long)... |  | 42 |
-| clang.cpp:109:28:109:50 | __is_referenceable | int | 1 |
-| clang.cpp:109:28:109:50 | int |  | <none> |
-| clang.cpp:110:28:110:51 | __is_referenceable | void | 0 |
-| clang.cpp:110:28:110:51 | void |  | <none> |
 | file://:0:0:0:0 | 0 |  | 0 |
 | file://:0:0:0:0 | 1 |  | 1 |
 | file://:0:0:0:0 | 2 |  | 2 |
-| gcc.cpp:3:25:3:25 | 8 |  | 8 |
-| gcc.cpp:4:25:4:59 | 0 |  | 0 |
-| gcc.cpp:4:25:4:59 | __builtin_has_attribute | v,0 | 1 |
-| gcc.cpp:4:49:4:49 | v |  | <none> |
-| gcc.cpp:5:25:5:62 | 0 |  | 0 |
-| gcc.cpp:5:25:5:62 | __builtin_has_attribute | v,0 | 0 |
-| gcc.cpp:5:49:5:49 | v |  | <none> |
-| gcc.cpp:13:50:13:111 | __builtin_is_pointer_interconvertible_with_class | i | 1 |
-| gcc.cpp:13:99:13:110 | i |  | <none> |
-| gcc.cpp:14:50:14:111 | __builtin_is_pointer_interconvertible_with_class | d | 0 |
-| gcc.cpp:14:99:14:110 | d |  | <none> |
-| gcc.cpp:16:35:16:95 | __builtin_is_corresponding_member | i,i | 1 |
-| gcc.cpp:16:69:16:80 | i |  | <none> |
-| gcc.cpp:16:83:16:94 | i |  | <none> |
-| gcc.cpp:17:35:17:95 | __builtin_is_corresponding_member | i,d | 0 |
-| gcc.cpp:17:69:17:80 | i |  | <none> |
-| gcc.cpp:17:83:17:94 | d |  | <none> |
-| gcc.cpp:19:34:19:67 | __is_nothrow_convertible | int,int | 1 |
-| gcc.cpp:19:34:19:67 | int |  | <none> |
-| gcc.cpp:19:34:19:67 | int |  | <none> |
-| gcc.cpp:20:34:20:72 | __is_nothrow_convertible | a_struct,int | 0 |
-| gcc.cpp:20:34:20:72 | a_struct |  | <none> |
-| gcc.cpp:20:34:20:72 | int |  | <none> |
-| gcc.cpp:22:26:22:51 | __is_convertible | int,int | 1 |
-| gcc.cpp:22:26:22:51 | int |  | <none> |
-| gcc.cpp:22:26:22:51 | int |  | <none> |
-| gcc.cpp:23:26:23:56 | __is_convertible | a_struct,int | 0 |
-| gcc.cpp:23:26:23:56 | a_struct |  | <none> |
-| gcc.cpp:23:26:23:56 | int |  | <none> |
-| gcc.cpp:25:47:25:95 | __reference_constructs_from_temporary | int &&,int | 1 |
-| gcc.cpp:25:47:25:95 | int |  | <none> |
-| gcc.cpp:25:47:25:95 | int && |  | <none> |
-| gcc.cpp:26:47:26:97 | __reference_constructs_from_temporary | int &&,int && | 0 |
-| gcc.cpp:26:47:26:97 | int && |  | <none> |
-| gcc.cpp:26:47:26:97 | int && |  | <none> |
-| gcc.cpp:28:45:28:91 | __reference_converts_from_temporary | int &&,int | 1 |
-| gcc.cpp:28:45:28:91 | int |  | <none> |
-| gcc.cpp:28:45:28:91 | int && |  | <none> |
-| gcc.cpp:29:45:29:93 | __reference_converts_from_temporary | int &&,int && | 0 |
-| gcc.cpp:29:45:29:93 | int && |  | <none> |
-| gcc.cpp:29:45:29:93 | int && |  | <none> |
 | ms.cpp:38:41:38:45 | 0 |  | 0 |
 | ms.cpp:88:27:88:45 | __has_assign | empty | 0 |
 | ms.cpp:88:27:88:45 | empty |  | <none> |
@@ -521,38 +452,3 @@
 | ms.cpp:272:51:272:104 | __is_pointer_interconvertible_base_of | empty,abstract | 0 |
 | ms.cpp:272:51:272:104 | abstract |  | <none> |
 | ms.cpp:272:51:272:104 | empty |  | <none> |
-| ms.cpp:274:44:274:85 | __is_trivially_copy_assignable | has_assign | 0 |
-| ms.cpp:274:44:274:85 | has_assign |  | <none> |
-| ms.cpp:275:44:275:78 | __is_trivially_copy_assignable | int | 1 |
-| ms.cpp:275:44:275:78 | int |  | <none> |
-| ms.cpp:277:51:277:107 | __is_assignable_no_precondition_check | a_struct,a_struct | 1 |
-| ms.cpp:277:51:277:107 | a_struct |  | <none> |
-| ms.cpp:277:51:277:107 | a_struct |  | <none> |
-| ms.cpp:278:51:278:104 | __is_assignable_no_precondition_check | a_struct,empty | 0 |
-| ms.cpp:278:51:278:104 | a_struct |  | <none> |
-| ms.cpp:278:51:278:104 | empty |  | <none> |
-| ms.cpp:279:51:279:102 | __is_assignable_no_precondition_check | a_struct,int | 0 |
-| ms.cpp:279:51:279:102 | a_struct |  | <none> |
-| ms.cpp:279:51:279:102 | int |  | <none> |
-| ms.cpp:281:54:281:117 | __is_pointer_interconvertible_with_class | a_struct,i | 1 |
-| ms.cpp:281:54:281:117 | a_struct |  | <none> |
-| ms.cpp:281:105:281:116 | i |  | <none> |
-| ms.cpp:282:54:282:117 | __is_pointer_interconvertible_with_class | a_struct,d | 0 |
-| ms.cpp:282:54:282:117 | a_struct |  | <none> |
-| ms.cpp:282:105:282:116 | d |  | <none> |
-| ms.cpp:284:39:284:111 | __is_corresponding_member | a_struct,a_struct,i,i | 1 |
-| ms.cpp:284:39:284:111 | a_struct |  | <none> |
-| ms.cpp:284:39:284:111 | a_struct |  | <none> |
-| ms.cpp:284:85:284:96 | i |  | <none> |
-| ms.cpp:284:99:284:110 | i |  | <none> |
-| ms.cpp:285:39:285:111 | __is_corresponding_member | a_struct,a_struct,i,d | 0 |
-| ms.cpp:285:39:285:111 | a_struct |  | <none> |
-| ms.cpp:285:39:285:111 | a_struct |  | <none> |
-| ms.cpp:285:85:285:96 | i |  | <none> |
-| ms.cpp:285:99:285:110 | d |  | <none> |
-| ms.cpp:287:34:287:59 | __is_valid_winrt_type | int | 1 |
-| ms.cpp:287:34:287:59 | int |  | <none> |
-| ms.cpp:288:27:288:45 | __is_win_class | int | 0 |
-| ms.cpp:288:27:288:45 | int |  | <none> |
-| ms.cpp:289:31:289:53 | __is_win_interface | int | 0 |
-| ms.cpp:289:31:289:53 | int |  | <none> |

cpp/ql/test/library-tests/builtins/type_traits/gcc.cpp

@@ -1,29 +0,0 @@
-// semmle-extractor-options: --gnu_version 130000
-
-__attribute__ ((aligned(8))) int v;
-bool b_has_attribute1 = __builtin_has_attribute(v, aligned);
-bool b_has_attribute2 = __builtin_has_attribute(v, aligned(4));
-
-
-struct a_struct {
-    int i;
-    double d;
-};
-
-bool b_is_pointer_interconvertible_with_class1 = __builtin_is_pointer_interconvertible_with_class(&a_struct::i);
-bool b_is_pointer_interconvertible_with_class2 = __builtin_is_pointer_interconvertible_with_class(&a_struct::d);
-
-bool b_is_corresponding_member1 = __builtin_is_corresponding_member(&a_struct::i, &a_struct::i);
-bool b_is_corresponding_member2 = __builtin_is_corresponding_member(&a_struct::i, &a_struct::d);
-
-bool b_is_nothrow_convertible1 = __is_nothrow_convertible(int, int);
-bool b_is_nothrow_convertible2 = __is_nothrow_convertible(a_struct, int);
-
-bool b_is_convertible1 = __is_convertible(int, int);
-bool b_is_convertible2 = __is_convertible(a_struct, int);
-
-bool b_reference_constructs_from_temporary1 = __reference_constructs_from_temporary(int&&, int);
-bool b_reference_constructs_from_temporary2 = __reference_constructs_from_temporary(int&&, int&&);
-
-bool b_reference_converts_from_temporary1 = __reference_converts_from_temporary(int&&, int);
-bool b_reference_converts_from_temporary2 = __reference_converts_from_temporary(int&&, int&&);

cpp/ql/test/library-tests/builtins/type_traits/ms.cpp

@@ -270,21 +270,4 @@ void f(void) {
 
     bool b_is_pointer_interconvertible_base_of1 = __is_pointer_interconvertible_base_of(empty, empty);
     bool b_is_pointer_interconvertible_base_of2 = __is_pointer_interconvertible_base_of(empty, abstract);
-
-    bool b_is_trivially_copy_assignable1 = __is_trivially_copy_assignable(has_assign);
-    bool b_is_trivially_copy_assignable2 = __is_trivially_copy_assignable(int);
-
-    bool b_is_assignable_no_precondition_check1 = __is_assignable_no_precondition_check(a_struct, a_struct);
-    bool b_is_assignable_no_precondition_check2 = __is_assignable_no_precondition_check(a_struct, empty);
-    bool b_is_assignable_no_precondition_check3 = __is_assignable_no_precondition_check(a_struct, int);
-
-    bool b_is_pointer_interconvertible_with_class1 = __is_pointer_interconvertible_with_class(a_struct, &a_struct::i);
-    bool b_is_pointer_interconvertible_with_class2 = __is_pointer_interconvertible_with_class(a_struct, &a_struct::d);
-
-    bool b_is_corresponding_member1 = __is_corresponding_member(a_struct, a_struct, &a_struct::i, &a_struct::i);
-    bool b_is_corresponding_member2 = __is_corresponding_member(a_struct, a_struct, &a_struct::i, &a_struct::d);
-
-    bool b_is_valid_winrt_type = __is_valid_winrt_type(int);
-    bool b_is_win_class = __is_win_class(int);
-    bool b_is_win_interface = __is_win_interface(int);
 }

cpp/ql/test/library-tests/dataflow/calls-as-ssa-variables/test.cpp

@@ -1,29 +0,0 @@
-namespace std
-{
-  struct ptrdiff_t;
-  struct input_iterator_tag
-  {
-  };
-  struct forward_iterator_tag : public input_iterator_tag
-  {
-  };
-}
-
-struct A
-{
-  using value_type = int;
-  using difference_type = std::ptrdiff_t;
-  using pointer = int*;
-  using reference = int&;
-  using iterator_category = std::forward_iterator_tag;
-};
-
-A get();
-
-void test()
-{
-  while (true)
-  {
-    auto &&x = get();
-  }
-}

cpp/ql/test/library-tests/dataflow/calls-as-ssa-variables/test.expected

@@ -1,4 +0,0 @@
-edges
-nodes
-subpaths
-#select

cpp/ql/test/library-tests/dataflow/calls-as-ssa-variables/test.ql

@@ -1,23 +0,0 @@
-/**
- * @kind path-problem
- */
-
-import semmle.code.cpp.ir.IR
-import semmle.code.cpp.dataflow.new.DataFlow
-import Flow::PathGraph
-
-module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asInstruction().(VariableAddressInstruction).getIRVariable() instanceof IRTempVariable
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    sink.asInstruction().(CallInstruction).getStaticCallTarget().hasName("get")
-  }
-}
-
-module Flow = DataFlow::Global<Config>;
-
-from Flow::PathNode source, Flow::PathNode sink
-where Flow::flowPath(source, sink)
-select sink.getNode(), source, sink, ""

cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected

@@ -1,41 +1,5 @@
 astTypeBugs
 irTypeBugs
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary param] *0 in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary param] this in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] read: Argument[*0].Element in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] read: Argument[*0].Element[****] in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] read: Argument[*0].Element[***] in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] read: Argument[*0].Element[**] in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] read: Argument[*0].Element[*] in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this] in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this].Element in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this].Element[****] in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this].Element[***] in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this].Element[**] in iterator |
-| ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | ../../../include/iterator.h:21:3:21:10 | [summary] to write: Argument[this].Element[*] in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary param] *0 in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary param] this in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] read: Argument[*0].Element in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] read: Argument[*0].Element[****] in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] read: Argument[*0].Element[***] in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] read: Argument[*0].Element[**] in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] read: Argument[*0].Element[*] in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this] in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this].Element in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this].Element[****] in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this].Element[***] in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this].Element[**] in iterator |
-| ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | ../../../include/iterator.h:22:3:22:10 | [summary] to write: Argument[this].Element[*] in iterator |
-| ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | [summary param] this in operator* |
-| ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | [summary] read: Argument[this].Element in operator* |
-| ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | [summary] read: Argument[this].Element[*] in operator* |
-| ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | [summary] to write: ReturnValue[**] in operator* |
-| ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | ../../../include/iterator.h:30:18:30:26 | [summary] to write: ReturnValue[*] in operator* |
-| ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary param] this in operator-> |
-| ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] read: Argument[this].Element in operator-> |
-| ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] read: Argument[this].Element[*] in operator-> |
-| ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] to write: ReturnValue[**] in operator-> |
-| ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | ../../../include/iterator.h:31:16:31:25 | [summary] to write: ReturnValue[*] in operator-> |
 incorrectBaseType
 | clang.cpp:22:8:22:20 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
 | clang.cpp:23:17:23:29 | *& ... | Expected 'Node.getType()' to be int, but it was int * |

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -1,46 +1,2 @@
 testFailures
 failures
-edges
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:10 |
-| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:2  |
-| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:2  Sink:MaD:6 |
-| asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
-| asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:100:64:100:71 | *send_str | provenance | TaintFunction |
-| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:100:44:100:62 | call to buffer | provenance |  |
-| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance |  |
-| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance |  Sink:MaD:6 |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 |
-| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | provenance | MaD:2 |
-| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:7:10:7:18 | call to ymlSource | provenance | Src:MaD:0  |
-| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:11:10:11:10 | x | provenance |  Sink:MaD:1 |
-| test.cpp:7:10:7:18 | call to ymlSource | test.cpp:13:18:13:18 | x | provenance |  |
-| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:13:10:13:16 | call to ymlStep | provenance |  |
-| test.cpp:13:10:13:16 | call to ymlStep | test.cpp:15:10:15:10 | y | provenance |  Sink:MaD:1 |
-| test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | provenance |  |
-| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep | provenance | MaD:2 |
-nodes
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer |
-| asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: ReturnValue in buffer |
-| asio_streams.cpp:87:34:87:44 | read_until output argument | semmle.label | read_until output argument |
-| asio_streams.cpp:91:7:91:17 | recv_buffer | semmle.label | recv_buffer |
-| asio_streams.cpp:93:29:93:39 | *recv_buffer | semmle.label | *recv_buffer |
-| asio_streams.cpp:97:37:97:44 | call to source | semmle.label | call to source |
-| asio_streams.cpp:98:7:98:14 | send_str | semmle.label | send_str |
-| asio_streams.cpp:100:44:100:62 | call to buffer | semmle.label | call to buffer |
-| asio_streams.cpp:100:44:100:62 | call to buffer | semmle.label | call to buffer |
-| asio_streams.cpp:100:64:100:71 | *send_str | semmle.label | *send_str |
-| asio_streams.cpp:101:7:101:17 | send_buffer | semmle.label | send_buffer |
-| asio_streams.cpp:103:29:103:39 | *send_buffer | semmle.label | *send_buffer |
-| test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | semmle.label | [summary param] 0 in ymlStep |
-| test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | semmle.label | [summary] to write: ReturnValue in ymlStep |
-| test.cpp:7:10:7:18 | call to ymlSource | semmle.label | call to ymlSource |
-| test.cpp:7:10:7:18 | call to ymlSource | semmle.label | call to ymlSource |
-| test.cpp:11:10:11:10 | x | semmle.label | x |
-| test.cpp:13:10:13:16 | call to ymlStep | semmle.label | call to ymlStep |
-| test.cpp:13:10:13:16 | call to ymlStep | semmle.label | call to ymlStep |
-| test.cpp:13:18:13:18 | x | semmle.label | x |
-| test.cpp:15:10:15:10 | y | semmle.label | y |
-subpaths
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | asio_streams.cpp:100:44:100:62 | call to buffer |
-| test.cpp:13:18:13:18 | x | test.cpp:4:5:4:11 | [summary param] 0 in ymlStep | test.cpp:4:5:4:11 | [summary] to write: ReturnValue in ymlStep | test.cpp:13:10:13:16 | call to ymlStep |

cpp/ql/test/library-tests/dataflow/external-models/flow.ql

@@ -1,7 +1,6 @@
 import TestUtilities.dataflow.FlowTestCommon
 import cpp
 import semmle.code.cpp.security.FlowSources
-import IRTest::IRFlow::PathGraph
 
 module IRTest {
   private import semmle.code.cpp.ir.IR

cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected

@@ -1,26 +0,0 @@
-| Dubious member name "operator*" in summary model. |
-| Dubious member name "operator->" in summary model. |
-| Dubious member name "operator=" in summary model. |
-| Dubious member name "operator[]" in summary model. |
-| Dubious signature "(InputIterator,InputIterator,const Allocator &)" in summary model. |
-| Dubious signature "(const deque &)" in summary model. |
-| Dubious signature "(const deque &,const Allocator &)" in summary model. |
-| Dubious signature "(const forward_list &)" in summary model. |
-| Dubious signature "(const forward_list &,const Allocator &)" in summary model. |
-| Dubious signature "(const list &)" in summary model. |
-| Dubious signature "(const list &,const Allocator &)" in summary model. |
-| Dubious signature "(const vector &)" in summary model. |
-| Dubious signature "(const vector &,const Allocator &)" in summary model. |
-| Dubious signature "(const_iterator,T &&)" in summary model. |
-| Dubious signature "(const_iterator,const T &)" in summary model. |
-| Dubious signature "(const_iterator,size_type,const T &)" in summary model. |
-| Dubious signature "(deque &&)" in summary model. |
-| Dubious signature "(deque &&,const Allocator &)" in summary model. |
-| Dubious signature "(forward_list &&)" in summary model. |
-| Dubious signature "(forward_list &&,const Allocator &)" in summary model. |
-| Dubious signature "(list &&)" in summary model. |
-| Dubious signature "(list &&,const Allocator &)" in summary model. |
-| Dubious signature "(size_type,const T &)" in summary model. |
-| Dubious signature "(size_type,const T &,const Allocator &)" in summary model. |
-| Dubious signature "(vector &&)" in summary model. |
-| Dubious signature "(vector &&,const Allocator &)" in summary model. |

cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected

@@ -4,29 +4,29 @@
 | tests.cpp:145:6:145:28 | [summary] to write: ReturnValue[*] in madArg0ToReturnIndirect | ReturnNode | madArg0ToReturnIndirect | madArg0ToReturnIndirect |
 | tests.cpp:147:5:147:28 | [summary param] 0 in madArg0ToReturnValueFlow | ParameterNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
 | tests.cpp:147:5:147:28 | [summary] to write: ReturnValue in madArg0ToReturnValueFlow | ReturnNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
-| tests.cpp:148:5:148:27 | [summary param] *0 in madArg0IndirectToReturn | ParameterNode | madArg0IndirectToReturn | madArg0IndirectToReturn |
+| tests.cpp:148:5:148:27 | [summary param] 0 indirection in madArg0IndirectToReturn | ParameterNode | madArg0IndirectToReturn | madArg0IndirectToReturn |
 | tests.cpp:148:5:148:27 | [summary] to write: ReturnValue in madArg0IndirectToReturn | ReturnNode | madArg0IndirectToReturn | madArg0IndirectToReturn |
-| tests.cpp:149:5:149:33 | [summary param] **0 in madArg0DoubleIndirectToReturn | ParameterNode | madArg0DoubleIndirectToReturn | madArg0DoubleIndirectToReturn |
+| tests.cpp:149:5:149:33 | [summary param] 0 indirection in madArg0DoubleIndirectToReturn | ParameterNode | madArg0DoubleIndirectToReturn | madArg0DoubleIndirectToReturn |
 | tests.cpp:149:5:149:33 | [summary] to write: ReturnValue in madArg0DoubleIndirectToReturn | ReturnNode | madArg0DoubleIndirectToReturn | madArg0DoubleIndirectToReturn |
 | tests.cpp:150:5:150:30 | [summary param] 0 in madArg0NotIndirectToReturn | ParameterNode | madArg0NotIndirectToReturn | madArg0NotIndirectToReturn |
 | tests.cpp:150:5:150:30 | [summary] to write: ReturnValue in madArg0NotIndirectToReturn | ReturnNode | madArg0NotIndirectToReturn | madArg0NotIndirectToReturn |
 | tests.cpp:151:6:151:26 | [summary param] 0 in madArg0ToArg1Indirect | ParameterNode | madArg0ToArg1Indirect | madArg0ToArg1Indirect |
-| tests.cpp:151:6:151:26 | [summary param] *1 in madArg0ToArg1Indirect | ParameterNode | madArg0ToArg1Indirect | madArg0ToArg1Indirect |
-| tests.cpp:151:6:151:26 | [summary] to write: Argument[*1] in madArg0ToArg1Indirect | PostUpdateNode | madArg0ToArg1Indirect | madArg0ToArg1Indirect |
-| tests.cpp:152:6:152:34 | [summary param] *0 in madArg0IndirectToArg1Indirect | ParameterNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
-| tests.cpp:152:6:152:34 | [summary param] *1 in madArg0IndirectToArg1Indirect | ParameterNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
-| tests.cpp:152:6:152:34 | [summary] to write: Argument[*1] in madArg0IndirectToArg1Indirect | PostUpdateNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
+| tests.cpp:151:6:151:26 | [summary param] 1 indirection in madArg0ToArg1Indirect | ParameterNode | madArg0ToArg1Indirect | madArg0ToArg1Indirect |
+| tests.cpp:151:6:151:26 | [summary] to write: Argument[1 indirection] in madArg0ToArg1Indirect | PostUpdateNode | madArg0ToArg1Indirect | madArg0ToArg1Indirect |
+| tests.cpp:152:6:152:34 | [summary param] 0 indirection in madArg0IndirectToArg1Indirect | ParameterNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
+| tests.cpp:152:6:152:34 | [summary param] 1 indirection in madArg0IndirectToArg1Indirect | ParameterNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
+| tests.cpp:152:6:152:34 | [summary] to write: Argument[1 indirection] in madArg0IndirectToArg1Indirect | PostUpdateNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
+| tests.cpp:153:5:153:18 | [summary param] 0 indirection in madArgsComplex | ParameterNode | madArgsComplex | madArgsComplex |
+| tests.cpp:153:5:153:18 | [summary param] 1 indirection in madArgsComplex | ParameterNode | madArgsComplex | madArgsComplex |
 | tests.cpp:153:5:153:18 | [summary param] 2 in madArgsComplex | ParameterNode | madArgsComplex | madArgsComplex |
-| tests.cpp:153:5:153:18 | [summary param] *0 in madArgsComplex | ParameterNode | madArgsComplex | madArgsComplex |
-| tests.cpp:153:5:153:18 | [summary param] *1 in madArgsComplex | ParameterNode | madArgsComplex | madArgsComplex |
 | tests.cpp:153:5:153:18 | [summary] to write: ReturnValue in madArgsComplex | ReturnNode | madArgsComplex | madArgsComplex |
 | tests.cpp:155:5:155:28 | [summary param] 2 in madAndImplementedComplex | ParameterNode | madAndImplementedComplex | madAndImplementedComplex |
 | tests.cpp:155:5:155:28 | [summary] to write: ReturnValue in madAndImplementedComplex | ReturnNode | madAndImplementedComplex | madAndImplementedComplex |
 | tests.cpp:160:5:160:24 | [summary param] 0 in madArg0FieldToReturn | ParameterNode | madArg0FieldToReturn | madArg0FieldToReturn |
 | tests.cpp:160:5:160:24 | [summary] read: Argument[0].Field[value] in madArg0FieldToReturn |  | madArg0FieldToReturn | madArg0FieldToReturn |
 | tests.cpp:160:5:160:24 | [summary] to write: ReturnValue in madArg0FieldToReturn | ReturnNode | madArg0FieldToReturn | madArg0FieldToReturn |
-| tests.cpp:161:5:161:32 | [summary param] *0 in madArg0IndirectFieldToReturn | ParameterNode | madArg0IndirectFieldToReturn | madArg0IndirectFieldToReturn |
-| tests.cpp:161:5:161:32 | [summary] read: Argument[*0].Field[value] in madArg0IndirectFieldToReturn |  | madArg0IndirectFieldToReturn | madArg0IndirectFieldToReturn |
+| tests.cpp:161:5:161:32 | [summary param] 0 indirection in madArg0IndirectFieldToReturn | ParameterNode | madArg0IndirectFieldToReturn | madArg0IndirectFieldToReturn |
+| tests.cpp:161:5:161:32 | [summary] read: Argument[0 indirection].Field[value] in madArg0IndirectFieldToReturn |  | madArg0IndirectFieldToReturn | madArg0IndirectFieldToReturn |
 | tests.cpp:161:5:161:32 | [summary] to write: ReturnValue in madArg0IndirectFieldToReturn | ReturnNode | madArg0IndirectFieldToReturn | madArg0IndirectFieldToReturn |
 | tests.cpp:162:5:162:32 | [summary param] 0 in madArg0FieldIndirectToReturn | ParameterNode | madArg0FieldIndirectToReturn | madArg0FieldIndirectToReturn |
 | tests.cpp:162:5:162:32 | [summary] read: Argument[0].Field[*ptr] in madArg0FieldIndirectToReturn |  | madArg0FieldIndirectToReturn | madArg0FieldIndirectToReturn |
@@ -41,36 +41,36 @@
 | tests.cpp:165:13:165:40 | [summary] to write: ReturnValue in madArg0ToReturnFieldIndirect | ReturnNode | madArg0ToReturnFieldIndirect | madArg0ToReturnFieldIndirect |
 | tests.cpp:165:13:165:40 | [summary] to write: ReturnValue.Field[*ptr] in madArg0ToReturnFieldIndirect |  | madArg0ToReturnFieldIndirect | madArg0ToReturnFieldIndirect |
 | tests.cpp:284:7:284:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
-| tests.cpp:284:7:284:19 | [summary param] this in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
-| tests.cpp:284:7:284:19 | [summary] to write: Argument[this] in madArg0ToSelf | PostUpdateNode | madArg0ToSelf | madArg0ToSelf |
-| tests.cpp:285:6:285:20 | [summary param] this in madSelfToReturn | ParameterNode | madSelfToReturn | madSelfToReturn |
+| tests.cpp:284:7:284:19 | [summary param] this indirection in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
+| tests.cpp:284:7:284:19 | [summary] to write: Argument[this indirection] in madArg0ToSelf | PostUpdateNode | madArg0ToSelf | madArg0ToSelf |
+| tests.cpp:285:6:285:20 | [summary param] this indirection in madSelfToReturn | ParameterNode | madSelfToReturn | madSelfToReturn |
 | tests.cpp:285:6:285:20 | [summary] to write: ReturnValue in madSelfToReturn | ReturnNode | madSelfToReturn | madSelfToReturn |
 | tests.cpp:287:7:287:20 | [summary param] 0 in madArg0ToField | ParameterNode | madArg0ToField | madArg0ToField |
-| tests.cpp:287:7:287:20 | [summary param] this in madArg0ToField | ParameterNode | madArg0ToField | madArg0ToField |
-| tests.cpp:287:7:287:20 | [summary] to write: Argument[this] in madArg0ToField | PostUpdateNode | madArg0ToField | madArg0ToField |
-| tests.cpp:287:7:287:20 | [summary] to write: Argument[this].Field[val] in madArg0ToField |  | madArg0ToField | madArg0ToField |
-| tests.cpp:288:6:288:21 | [summary param] this in madFieldToReturn | ParameterNode | madFieldToReturn | madFieldToReturn |
-| tests.cpp:288:6:288:21 | [summary] read: Argument[this].Field[val] in madFieldToReturn |  | madFieldToReturn | madFieldToReturn |
+| tests.cpp:287:7:287:20 | [summary param] this indirection in madArg0ToField | ParameterNode | madArg0ToField | madArg0ToField |
+| tests.cpp:287:7:287:20 | [summary] to write: Argument[this indirection] in madArg0ToField | PostUpdateNode | madArg0ToField | madArg0ToField |
+| tests.cpp:287:7:287:20 | [summary] to write: Argument[this indirection].Field[val] in madArg0ToField |  | madArg0ToField | madArg0ToField |
+| tests.cpp:288:6:288:21 | [summary param] this indirection in madFieldToReturn | ParameterNode | madFieldToReturn | madFieldToReturn |
+| tests.cpp:288:6:288:21 | [summary] read: Argument[this indirection].Field[val] in madFieldToReturn |  | madFieldToReturn | madFieldToReturn |
 | tests.cpp:288:6:288:21 | [summary] to write: ReturnValue in madFieldToReturn | ReturnNode | madFieldToReturn | madFieldToReturn |
-| tests.cpp:313:7:313:30 | [summary param] this in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
+| tests.cpp:313:7:313:30 | [summary param] this indirection in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
 | tests.cpp:313:7:313:30 | [summary] to write: ReturnValue in namespaceMadSelfToReturn | ReturnNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
 | tests.cpp:434:5:434:29 | [summary param] 0 in madCallArg0ReturnToReturn | ParameterNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:434:5:434:29 | [summary] read: Argument[0].Parameter[this pointer] in madCallArg0ReturnToReturn | PostUpdateNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:434:5:434:29 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | PostUpdateNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
 | tests.cpp:434:5:434:29 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturn | OutNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:434:5:434:29 | [summary] to write: Argument[0].Parameter[this pointer] in madCallArg0ReturnToReturn | ArgumentNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:434:5:434:29 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | ArgumentNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
 | tests.cpp:434:5:434:29 | [summary] to write: ReturnValue in madCallArg0ReturnToReturn | ReturnNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
 | tests.cpp:435:9:435:38 | [summary param] 0 in madCallArg0ReturnToReturnFirst | ParameterNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
-| tests.cpp:435:9:435:38 | [summary] read: Argument[0].Parameter[this pointer] in madCallArg0ReturnToReturnFirst | PostUpdateNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
+| tests.cpp:435:9:435:38 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturnFirst | PostUpdateNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
 | tests.cpp:435:9:435:38 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturnFirst | OutNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
-| tests.cpp:435:9:435:38 | [summary] to write: Argument[0].Parameter[this pointer] in madCallArg0ReturnToReturnFirst | ArgumentNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
+| tests.cpp:435:9:435:38 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturnFirst | ArgumentNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
 | tests.cpp:435:9:435:38 | [summary] to write: ReturnValue in madCallArg0ReturnToReturnFirst | ReturnNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
 | tests.cpp:435:9:435:38 | [summary] to write: ReturnValue.Field[first] in madCallArg0ReturnToReturnFirst |  | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
 | tests.cpp:436:6:436:25 | [summary param] 0 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
 | tests.cpp:436:6:436:25 | [summary param] 1 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
 | tests.cpp:436:6:436:25 | [summary] read: Argument[0].Parameter[0] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:436:6:436:25 | [summary] read: Argument[0].Parameter[this pointer] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:436:6:436:25 | [summary] read: Argument[0].Parameter[this] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
 | tests.cpp:436:6:436:25 | [summary] to write: Argument[0].Parameter[0] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:436:6:436:25 | [summary] to write: Argument[0].Parameter[this pointer] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:436:6:436:25 | [summary] to write: Argument[0].Parameter[this] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
 | tests.cpp:436:6:436:25 | [summary] to write: Argument[1] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
 | tests.cpp:437:5:437:36 | [summary param] 1 in madCallReturnValueIgnoreFunction | ParameterNode | madCallReturnValueIgnoreFunction | madCallReturnValueIgnoreFunction |
 | tests.cpp:437:5:437:36 | [summary] to write: ReturnValue in madCallReturnValueIgnoreFunction | ReturnNode | madCallReturnValueIgnoreFunction | madCallReturnValueIgnoreFunction |

cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll

@@ -80,22 +80,22 @@ private class TestSummaries extends SummaryModelCsv {
         ";;false;madArgsComplex;;;Argument[*0..1,2];ReturnValue;taint",
         ";;false;madAndImplementedComplex;;;Argument[2];ReturnValue;taint",
         ";;false;madArgsAny;;;Argument;ReturnValue;taint", // (syntax not supported)
-        ";;false;madArg0FieldToReturn;;;Argument[0].Field[value];ReturnValue;taint",
-        ";;false;madArg0IndirectFieldToReturn;;;Argument[*0].Field[value];ReturnValue;taint",
-        ";;false;madArg0FieldIndirectToReturn;;;Argument[0].Field[*ptr];ReturnValue;taint",
-        ";;false;madArg0ToReturnField;;;Argument[0];ReturnValue.Field[value];taint",
-        ";;false;madArg0ToReturnIndirectField;;;Argument[0];ReturnValue[*].Field[value];taint",
-        ";;false;madArg0ToReturnFieldIndirect;;;Argument[0];ReturnValue.Field[*ptr];taint",
-        ";;false;madFieldToFieldVar;;;Field[value];Field[value2];taint",
-        ";;false;madFieldToIndirectFieldVar;;;Field[value];Field[*ptr];taint",
-        ";;false;madIndirectFieldToFieldVar;;;;Field[value];Field[value2];taint", // not correctly expressed
+        ";;false;madArg0FieldToReturn;;;Argument[0].value;ReturnValue;taint",
+        ";;false;madArg0IndirectFieldToReturn;;;Argument[*0].value;ReturnValue;taint",
+        ";;false;madArg0FieldIndirectToReturn;;;Argument[0].ptr[*];ReturnValue;taint",
+        ";;false;madArg0ToReturnField;;;Argument[0];ReturnValue.value;taint",
+        ";;false;madArg0ToReturnIndirectField;;;Argument[0];ReturnValue[*].value;taint",
+        ";;false;madArg0ToReturnFieldIndirect;;;Argument[0];ReturnValue.ptr[*];taint",
+        ";;false;madFieldToFieldVar;;;value;value2;taint",
+        ";;false;madFieldToIndirectFieldVar;;;value;ptr[*];taint",
+        ";;false;madIndirectFieldToFieldVar;;;;value;value2;taint", // not correctly expressed
         ";MyClass;true;madArg0ToSelf;;;Argument[0];Argument[-1];taint",
         ";MyClass;true;madSelfToReturn;;;Argument[-1];ReturnValue;taint",
-        ";MyClass;true;madArg0ToField;;;Argument[0];Argument[-1].Field[val];taint",
-        ";MyClass;true;madFieldToReturn;;;Argument[-1].Field[val];ReturnValue;taint",
+        ";MyClass;true;madArg0ToField;;;Argument[0];Argument[-1].val;taint",
+        ";MyClass;true;madFieldToReturn;;;Argument[-1].val;ReturnValue;taint",
         "MyNamespace;MyClass;true;namespaceMadSelfToReturn;;;Argument[-1];ReturnValue;taint",
         ";;false;madCallArg0ReturnToReturn;;;Argument[0].ReturnValue;ReturnValue;value",
-        ";;false;madCallArg0ReturnToReturnFirst;;;Argument[0].ReturnValue;ReturnValue.Field[first];value",
+        ";;false;madCallArg0ReturnToReturnFirst;;;Argument[0].ReturnValue;ReturnValue.first;value",
         ";;false;madCallArg0WithValue;;;Argument[1];Argument[0].Parameter[0];value",
         ";;false;madCallReturnValueIgnoreFunction;;;Argument[1];ReturnValue;value",
       ]

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -301,6 +301,27 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:75:8:75:8 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:75:8:75:8 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
+| file://:0:0:0:0 | (unnamed parameter 0) | stl.h:389:9:389:9 | (unnamed parameter 0) |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | structlikeclass.cpp:5:7:5:7 | (unnamed parameter 0) |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | structlikeclass.cpp:5:7:5:7 | (unnamed parameter 0) |  |
 | file://:0:0:0:0 | (unnamed parameter 0) | taint.cpp:228:11:228:11 | (unnamed parameter 0) |  |
@@ -3578,6 +3599,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | standalone_iterators.cpp:128:2:128:3 | it | standalone_iterators.cpp:128:5:128:5 | call to operator+= | TAINT |
 | standalone_iterators.cpp:128:2:128:3 | ref arg it | standalone_iterators.cpp:129:7:129:8 | it |  |
 | standalone_iterators.cpp:128:8:128:13 | call to source | standalone_iterators.cpp:128:2:128:3 | ref arg it | TAINT |
+| stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | constructor init of field container | TAINT |
+| stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | constructor init of field container | TAINT |
+| stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | container |  |
+| stl.h:75:8:75:8 | container | stl.h:75:8:75:8 | container |  |
+| stl.h:75:8:75:8 | this | stl.h:75:8:75:8 | constructor init of field container [pre-this] |  |
+| stl.h:75:8:75:8 | this | stl.h:75:8:75:8 | constructor init of field container [pre-this] |  |
 | stl.h:95:69:95:69 | x | stl.h:95:69:95:69 | x |  |
 | stl.h:95:69:95:69 | x | stl.h:95:69:95:69 | x |  |
 | stl.h:95:69:95:69 | x | stl.h:95:69:95:69 | x |  |
@@ -3593,6 +3620,41 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
 | stl.h:292:53:292:63 | 0 | stl.h:292:46:292:64 | (no string representation) | TAINT |
+| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | first |  |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | first |  |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | first |  |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | first |  |
+| stl.h:389:9:389:9 | first | stl.h:389:9:389:9 | first |  |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | second |  |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | second |  |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | second |  |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | second |  |
+| stl.h:389:9:389:9 | second | stl.h:389:9:389:9 | second |  |
+| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
+| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
+| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
+| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
+| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
 | stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] |  |
 | stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] |  |
 | stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] |  |
@@ -4299,8 +4361,6 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | string.cpp:446:17:446:17 | a | string.cpp:446:19:446:23 | call to begin | TAINT |
 | string.cpp:446:17:446:17 | ref arg a | string.cpp:446:8:446:8 | a |  |
 | string.cpp:446:17:446:17 | ref arg a | string.cpp:447:8:447:8 | a |  |
-| string.cpp:446:17:446:25 | call to iterator | string.cpp:446:8:446:8 | ref arg a | TAINT |
-| string.cpp:446:17:446:25 | call to iterator | string.cpp:446:10:446:15 | call to insert | TAINT |
 | string.cpp:446:19:446:23 | call to begin | string.cpp:446:17:446:25 | call to iterator | TAINT |
 | string.cpp:446:32:446:34 | 120 | string.cpp:446:8:446:8 | ref arg a | TAINT |
 | string.cpp:446:32:446:34 | 120 | string.cpp:446:10:446:15 | call to insert | TAINT |
@@ -4309,8 +4369,6 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | string.cpp:449:17:449:17 | b | string.cpp:449:19:449:23 | call to begin | TAINT |
 | string.cpp:449:17:449:17 | ref arg b | string.cpp:449:8:449:8 | b |  |
 | string.cpp:449:17:449:17 | ref arg b | string.cpp:450:8:450:8 | b |  |
-| string.cpp:449:17:449:25 | call to iterator | string.cpp:449:8:449:8 | ref arg b | TAINT |
-| string.cpp:449:17:449:25 | call to iterator | string.cpp:449:10:449:15 | call to insert | TAINT |
 | string.cpp:449:19:449:23 | call to begin | string.cpp:449:17:449:25 | call to iterator | TAINT |
 | string.cpp:449:32:449:46 | call to source | string.cpp:449:8:449:8 | ref arg b | TAINT |
 | string.cpp:449:32:449:46 | call to source | string.cpp:449:10:449:15 | call to insert | TAINT |
@@ -4338,8 +4396,6 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | string.cpp:459:17:459:17 | c | string.cpp:459:19:459:21 | call to end | TAINT |
 | string.cpp:459:17:459:17 | ref arg c | string.cpp:459:8:459:8 | c |  |
 | string.cpp:459:17:459:17 | ref arg c | string.cpp:460:8:460:8 | c |  |
-| string.cpp:459:17:459:23 | call to iterator | string.cpp:459:8:459:8 | ref arg c | TAINT |
-| string.cpp:459:17:459:23 | call to iterator | string.cpp:459:10:459:15 | call to insert | TAINT |
 | string.cpp:459:19:459:21 | call to end | string.cpp:459:17:459:23 | call to iterator | TAINT |
 | string.cpp:459:26:459:27 | ref arg s1 | string.cpp:459:38:459:39 | s1 |  |
 | string.cpp:459:26:459:27 | ref arg s1 | string.cpp:465:28:465:29 | s1 |  |
@@ -4357,8 +4413,6 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | string.cpp:462:17:462:17 | d | string.cpp:462:19:462:21 | call to end | TAINT |
 | string.cpp:462:17:462:17 | ref arg d | string.cpp:462:8:462:8 | d |  |
 | string.cpp:462:17:462:17 | ref arg d | string.cpp:463:8:463:8 | d |  |
-| string.cpp:462:17:462:23 | call to iterator | string.cpp:462:8:462:8 | ref arg d | TAINT |
-| string.cpp:462:17:462:23 | call to iterator | string.cpp:462:10:462:15 | call to insert | TAINT |
 | string.cpp:462:19:462:21 | call to end | string.cpp:462:17:462:23 | call to iterator | TAINT |
 | string.cpp:462:26:462:27 | ref arg s2 | string.cpp:462:38:462:39 | s2 |  |
 | string.cpp:462:26:462:27 | ref arg s2 | string.cpp:465:8:465:9 | s2 |  |
@@ -4378,8 +4432,6 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | string.cpp:465:18:465:19 | ref arg s2 | string.cpp:465:8:465:9 | s2 |  |
 | string.cpp:465:18:465:19 | ref arg s2 | string.cpp:466:8:466:9 | s2 |  |
 | string.cpp:465:18:465:19 | s2 | string.cpp:465:21:465:23 | call to end | TAINT |
-| string.cpp:465:18:465:25 | call to iterator | string.cpp:465:8:465:9 | ref arg s2 | TAINT |
-| string.cpp:465:18:465:25 | call to iterator | string.cpp:465:11:465:16 | call to insert | TAINT |
 | string.cpp:465:21:465:23 | call to end | string.cpp:465:18:465:25 | call to iterator | TAINT |
 | string.cpp:465:28:465:29 | ref arg s1 | string.cpp:465:40:465:41 | s1 |  |
 | string.cpp:465:28:465:29 | s1 | string.cpp:465:31:465:35 | call to begin | TAINT |
@@ -6632,6 +6684,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:23:55:23:55 | v |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:27:15:27:15 | v |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:35:1:35:1 | v |  |
+| vector.cpp:17:26:17:32 | source1 | vector.cpp:17:21:17:33 | call to vector | TAINT |
 | vector.cpp:19:14:19:14 | (__begin) | vector.cpp:19:14:19:14 | call to operator* | TAINT |
 | vector.cpp:19:14:19:14 | (__begin) | vector.cpp:19:14:19:14 | call to operator++ |  |
 | vector.cpp:19:14:19:14 | (__end) | vector.cpp:19:14:19:14 | call to iterator |  |
@@ -6693,6 +6746,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:27:15:27:15 | v | vector.cpp:27:15:27:15 | call to operator* | TAINT |
 | vector.cpp:31:33:31:45 | call to vector | vector.cpp:32:21:32:27 | const_v |  |
 | vector.cpp:31:33:31:45 | call to vector | vector.cpp:35:1:35:1 | const_v |  |
+| vector.cpp:31:38:31:44 | source1 | vector.cpp:31:33:31:45 | call to vector | TAINT |
 | vector.cpp:32:21:32:21 | (__begin) | vector.cpp:32:21:32:21 | call to operator* | TAINT |
 | vector.cpp:32:21:32:21 | (__begin) | vector.cpp:32:21:32:21 | call to operator++ |  |
 | vector.cpp:32:21:32:21 | (__range) | vector.cpp:32:21:32:21 | call to begin | TAINT |
@@ -6783,7 +6837,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
 | vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
 | vector.cpp:40:2:40:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:40:2:40:3 | v1 | vector.cpp:40:4:40:4 | call to operator[] | TAINT |
 | vector.cpp:40:2:40:10 | ... = ... | vector.cpp:40:4:40:4 | call to operator[] [post update] |  |
+| vector.cpp:40:4:40:4 | call to operator[] [post update] | vector.cpp:40:2:40:3 | ref arg v1 | TAINT |
 | vector.cpp:40:10:40:10 | 0 | vector.cpp:40:2:40:10 | ... = ... |  |
 | vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:42:2:42:3 | v1 |  |
 | vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:43:2:43:3 | v1 |  |
@@ -6794,7 +6850,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
 | vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
 | vector.cpp:41:2:41:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:41:2:41:3 | v1 | vector.cpp:41:4:41:4 | call to operator[] | TAINT |
 | vector.cpp:41:2:41:10 | ... = ... | vector.cpp:41:4:41:4 | call to operator[] [post update] |  |
+| vector.cpp:41:4:41:4 | call to operator[] [post update] | vector.cpp:41:2:41:3 | ref arg v1 | TAINT |
 | vector.cpp:41:10:41:10 | 0 | vector.cpp:41:2:41:10 | ... = ... |  |
 | vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:43:2:43:3 | v1 |  |
 | vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:44:7:44:8 | v1 |  |
@@ -6804,7 +6862,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
 | vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
 | vector.cpp:42:2:42:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:42:2:42:3 | v1 | vector.cpp:42:4:42:4 | call to operator[] | TAINT |
 | vector.cpp:42:2:42:10 | ... = ... | vector.cpp:42:4:42:4 | call to operator[] [post update] |  |
+| vector.cpp:42:4:42:4 | call to operator[] [post update] | vector.cpp:42:2:42:3 | ref arg v1 | TAINT |
 | vector.cpp:42:10:42:10 | 0 | vector.cpp:42:2:42:10 | ... = ... |  |
 | vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:44:7:44:8 | v1 |  |
 | vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
@@ -6813,6 +6873,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
 | vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
 | vector.cpp:43:2:43:3 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:43:15:43:15 | 1 | vector.cpp:43:2:43:3 | ref arg v1 | TAINT |
 | vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:45:7:45:8 | v1 |  |
 | vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:46:7:46:8 | v1 |  |
 | vector.cpp:44:7:44:8 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
@@ -6824,23 +6885,30 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
 | vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
 | vector.cpp:45:7:45:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:45:7:45:8 | v1 | vector.cpp:45:9:45:9 | call to operator[] | TAINT |
 | vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:47:7:47:8 | v1 |  |
 | vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
 | vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
 | vector.cpp:46:7:46:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:46:7:46:8 | v1 | vector.cpp:46:9:46:9 | call to operator[] | TAINT |
 | vector.cpp:47:7:47:8 | ref arg v1 | vector.cpp:48:7:48:8 | v1 |  |
 | vector.cpp:47:7:47:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
 | vector.cpp:47:7:47:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:47:7:47:8 | v1 | vector.cpp:47:9:47:9 | call to operator[] | TAINT |
 | vector.cpp:48:7:48:8 | ref arg v1 | vector.cpp:49:7:49:8 | v1 |  |
 | vector.cpp:48:7:48:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:48:7:48:8 | v1 | vector.cpp:48:10:48:14 | call to front | TAINT |
 | vector.cpp:49:7:49:8 | ref arg v1 | vector.cpp:101:1:101:1 | v1 |  |
+| vector.cpp:49:7:49:8 | v1 | vector.cpp:49:10:49:13 | call to back | TAINT |
 | vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:52:7:52:8 | v2 |  |
 | vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:53:7:53:8 | v2 |  |
 | vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:54:7:54:8 | v2 |  |
 | vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:55:7:55:8 | v2 |  |
 | vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
 | vector.cpp:51:2:51:3 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:51:2:51:3 | v2 | vector.cpp:51:4:51:4 | call to operator[] | TAINT |
 | vector.cpp:51:2:51:17 | ... = ... | vector.cpp:51:4:51:4 | call to operator[] [post update] |  |
+| vector.cpp:51:4:51:4 | call to operator[] [post update] | vector.cpp:51:2:51:3 | ref arg v2 | TAINT |
 | vector.cpp:51:10:51:15 | call to source | vector.cpp:51:2:51:17 | ... = ... |  |
 | vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:53:7:53:8 | v2 |  |
 | vector.cpp:52:7:52:8 | ref arg v2 | vector.cpp:54:7:54:8 | v2 |  |
@@ -6851,11 +6919,14 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:53:7:53:8 | ref arg v2 | vector.cpp:55:7:55:8 | v2 |  |
 | vector.cpp:53:7:53:8 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
 | vector.cpp:53:7:53:8 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:53:7:53:8 | v2 | vector.cpp:53:9:53:9 | call to operator[] | TAINT |
 | vector.cpp:54:7:54:8 | ref arg v2 | vector.cpp:55:7:55:8 | v2 |  |
 | vector.cpp:54:7:54:8 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
 | vector.cpp:54:7:54:8 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:54:7:54:8 | v2 | vector.cpp:54:9:54:9 | call to operator[] | TAINT |
 | vector.cpp:55:7:55:8 | ref arg v2 | vector.cpp:57:7:57:8 | v2 |  |
 | vector.cpp:55:7:55:8 | ref arg v2 | vector.cpp:101:1:101:1 | v2 |  |
+| vector.cpp:55:7:55:8 | v2 | vector.cpp:55:9:55:9 | call to operator[] | TAINT |
 | vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:58:7:58:8 | v3 |  |
 | vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:59:7:59:8 | v3 |  |
 | vector.cpp:57:2:57:3 | ref arg v3 | vector.cpp:60:7:60:8 | v3 |  |
@@ -6870,15 +6941,20 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:59:7:59:8 | ref arg v3 | vector.cpp:60:7:60:8 | v3 |  |
 | vector.cpp:59:7:59:8 | ref arg v3 | vector.cpp:61:7:61:8 | v3 |  |
 | vector.cpp:59:7:59:8 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:59:7:59:8 | v3 | vector.cpp:59:9:59:9 | call to operator[] | TAINT |
 | vector.cpp:60:7:60:8 | ref arg v3 | vector.cpp:61:7:61:8 | v3 |  |
 | vector.cpp:60:7:60:8 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:60:7:60:8 | v3 | vector.cpp:60:9:60:9 | call to operator[] | TAINT |
 | vector.cpp:61:7:61:8 | ref arg v3 | vector.cpp:101:1:101:1 | v3 |  |
+| vector.cpp:61:7:61:8 | v3 | vector.cpp:61:9:61:9 | call to operator[] | TAINT |
 | vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:64:7:64:8 | v4 |  |
 | vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:65:7:65:8 | v4 |  |
 | vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:66:7:66:8 | v4 |  |
 | vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:67:7:67:8 | v4 |  |
 | vector.cpp:63:2:63:3 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:63:2:63:3 | v4 | vector.cpp:63:4:63:4 | call to operator[] | TAINT |
 | vector.cpp:63:2:63:17 | ... = ... | vector.cpp:63:4:63:4 | call to operator[] [post update] |  |
+| vector.cpp:63:4:63:4 | call to operator[] [post update] | vector.cpp:63:2:63:3 | ref arg v4 | TAINT |
 | vector.cpp:63:10:63:15 | call to source | vector.cpp:63:2:63:17 | ... = ... |  |
 | vector.cpp:64:7:64:8 | ref arg v4 | vector.cpp:65:7:65:8 | v4 |  |
 | vector.cpp:64:7:64:8 | ref arg v4 | vector.cpp:66:7:66:8 | v4 |  |
@@ -6887,30 +6963,39 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:65:7:65:8 | ref arg v4 | vector.cpp:66:7:66:8 | v4 |  |
 | vector.cpp:65:7:65:8 | ref arg v4 | vector.cpp:67:7:67:8 | v4 |  |
 | vector.cpp:65:7:65:8 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:65:7:65:8 | v4 | vector.cpp:65:9:65:9 | call to operator[] | TAINT |
 | vector.cpp:66:7:66:8 | ref arg v4 | vector.cpp:67:7:67:8 | v4 |  |
 | vector.cpp:66:7:66:8 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:66:7:66:8 | v4 | vector.cpp:66:9:66:9 | call to operator[] | TAINT |
 | vector.cpp:67:7:67:8 | ref arg v4 | vector.cpp:101:1:101:1 | v4 |  |
+| vector.cpp:67:7:67:8 | v4 | vector.cpp:67:9:67:9 | call to operator[] | TAINT |
 | vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:70:7:70:8 | v5 |  |
 | vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:71:7:71:8 | v5 |  |
 | vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:72:7:72:8 | v5 |  |
 | vector.cpp:69:2:69:3 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:69:15:69:20 | call to source | vector.cpp:69:2:69:3 | ref arg v5 | TAINT |
 | vector.cpp:70:7:70:8 | ref arg v5 | vector.cpp:71:7:71:8 | v5 |  |
 | vector.cpp:70:7:70:8 | ref arg v5 | vector.cpp:72:7:72:8 | v5 |  |
 | vector.cpp:70:7:70:8 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
 | vector.cpp:71:7:71:8 | ref arg v5 | vector.cpp:72:7:72:8 | v5 |  |
 | vector.cpp:71:7:71:8 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:71:7:71:8 | v5 | vector.cpp:71:10:71:14 | call to front | TAINT |
 | vector.cpp:72:7:72:8 | ref arg v5 | vector.cpp:101:1:101:1 | v5 |  |
+| vector.cpp:72:7:72:8 | v5 | vector.cpp:72:10:72:13 | call to back | TAINT |
 | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:75:7:75:8 | v6 |  |
 | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
 | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:74:2:74:3 | v6 | vector.cpp:74:5:74:8 | call to data | TAINT |
 | vector.cpp:74:2:74:13 | access to array [post update] | vector.cpp:74:5:74:8 | call to data [inner post update] |  |
 | vector.cpp:74:2:74:24 | ... = ... | vector.cpp:74:2:74:13 | access to array [post update] |  |
 | vector.cpp:74:5:74:8 | call to data | vector.cpp:74:2:74:13 | access to array | TAINT |
+| vector.cpp:74:5:74:8 | call to data [inner post update] | vector.cpp:74:2:74:3 | ref arg v6 | TAINT |
 | vector.cpp:74:12:74:12 | 2 | vector.cpp:74:2:74:13 | access to array | TAINT |
 | vector.cpp:74:17:74:22 | call to source | vector.cpp:74:2:74:24 | ... = ... |  |
 | vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
 | vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
 | vector.cpp:76:7:76:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:76:7:76:8 | v6 | vector.cpp:76:10:76:13 | call to data | TAINT |
 | vector.cpp:76:10:76:13 | call to data | vector.cpp:76:7:76:18 | access to array | TAINT |
 | vector.cpp:76:17:76:17 | 2 | vector.cpp:76:7:76:18 | access to array | TAINT |
 | vector.cpp:80:40:80:50 | call to iterator | vector.cpp:81:13:81:14 | it |  |
@@ -6925,12 +7010,17 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:84:7:84:8 | v7 |  |
 | vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:85:7:85:8 | v7 |  |
 | vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:81:3:81:4 | v7 | vector.cpp:81:6:81:11 | call to insert | TAINT |
+| vector.cpp:81:17:81:22 | call to source | vector.cpp:81:3:81:4 | ref arg v7 | TAINT |
+| vector.cpp:81:17:81:22 | call to source | vector.cpp:81:6:81:11 | call to insert | TAINT |
 | vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:84:7:84:8 | v7 |  |
 | vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:85:7:85:8 | v7 |  |
 | vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
 | vector.cpp:84:7:84:8 | ref arg v7 | vector.cpp:85:7:85:8 | v7 |  |
 | vector.cpp:84:7:84:8 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:84:7:84:8 | v7 | vector.cpp:84:10:84:14 | call to front | TAINT |
 | vector.cpp:85:7:85:8 | ref arg v7 | vector.cpp:101:1:101:1 | v7 |  |
+| vector.cpp:85:7:85:8 | v7 | vector.cpp:85:10:85:13 | call to back | TAINT |
 | vector.cpp:88:33:88:34 | v8 | vector.cpp:89:41:89:43 | v8c |  |
 | vector.cpp:89:41:89:43 | v8c | vector.cpp:89:45:89:49 | call to begin | TAINT |
 | vector.cpp:89:45:89:49 | call to begin | vector.cpp:90:13:90:14 | it |  |
@@ -6938,18 +7028,23 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:93:7:93:8 | v8 |  |
 | vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:94:7:94:8 | v8 |  |
 | vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:90:3:90:4 | v8 | vector.cpp:90:6:90:11 | call to insert | TAINT |
 | vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:93:7:93:8 | v8 |  |
 | vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:94:7:94:8 | v8 |  |
 | vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
 | vector.cpp:93:7:93:8 | ref arg v8 | vector.cpp:94:7:94:8 | v8 |  |
 | vector.cpp:93:7:93:8 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:93:7:93:8 | v8 | vector.cpp:93:10:93:14 | call to front | TAINT |
 | vector.cpp:94:7:94:8 | ref arg v8 | vector.cpp:101:1:101:1 | v8 |  |
+| vector.cpp:94:7:94:8 | v8 | vector.cpp:94:10:94:13 | call to back | TAINT |
 | vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:97:7:97:8 | v9 |  |
 | vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:98:7:98:8 | v9 |  |
 | vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:99:7:99:8 | v9 |  |
 | vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:100:7:100:8 | v9 |  |
 | vector.cpp:96:2:96:3 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:96:2:96:3 | v9 | vector.cpp:96:5:96:6 | call to at | TAINT |
 | vector.cpp:96:2:96:20 | ... = ... | vector.cpp:96:5:96:6 | call to at [post update] |  |
+| vector.cpp:96:5:96:6 | call to at [post update] | vector.cpp:96:2:96:3 | ref arg v9 | TAINT |
 | vector.cpp:96:13:96:18 | call to source | vector.cpp:96:2:96:20 | ... = ... |  |
 | vector.cpp:97:7:97:8 | ref arg v9 | vector.cpp:98:7:98:8 | v9 |  |
 | vector.cpp:97:7:97:8 | ref arg v9 | vector.cpp:99:7:99:8 | v9 |  |
@@ -6958,9 +7053,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:98:7:98:8 | ref arg v9 | vector.cpp:99:7:99:8 | v9 |  |
 | vector.cpp:98:7:98:8 | ref arg v9 | vector.cpp:100:7:100:8 | v9 |  |
 | vector.cpp:98:7:98:8 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:98:7:98:8 | v9 | vector.cpp:98:10:98:11 | call to at | TAINT |
 | vector.cpp:99:7:99:8 | ref arg v9 | vector.cpp:100:7:100:8 | v9 |  |
 | vector.cpp:99:7:99:8 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:99:7:99:8 | v9 | vector.cpp:99:10:99:11 | call to at | TAINT |
 | vector.cpp:100:7:100:8 | ref arg v9 | vector.cpp:101:1:101:1 | v9 |  |
+| vector.cpp:100:7:100:8 | v9 | vector.cpp:100:10:100:11 | call to at | TAINT |
 | vector.cpp:104:22:104:24 | call to vector | vector.cpp:106:2:106:3 | v1 |  |
 | vector.cpp:104:22:104:24 | call to vector | vector.cpp:109:7:109:8 | v1 |  |
 | vector.cpp:104:22:104:24 | call to vector | vector.cpp:114:2:114:3 | v1 |  |
@@ -6983,10 +7081,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:106:2:106:3 | ref arg v1 | vector.cpp:114:2:114:3 | v1 |  |
 | vector.cpp:106:2:106:3 | ref arg v1 | vector.cpp:117:7:117:8 | v1 |  |
 | vector.cpp:106:2:106:3 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
+| vector.cpp:106:15:106:20 | call to source | vector.cpp:106:2:106:3 | ref arg v1 | TAINT |
 | vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:112:7:112:8 | v4 |  |
 | vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:115:10:115:11 | v4 |  |
 | vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:120:7:120:8 | v4 |  |
 | vector.cpp:107:2:107:3 | ref arg v4 | vector.cpp:121:1:121:1 | v4 |  |
+| vector.cpp:107:15:107:20 | call to source | vector.cpp:107:2:107:3 | ref arg v4 | TAINT |
 | vector.cpp:109:7:109:8 | ref arg v1 | vector.cpp:114:2:114:3 | v1 |  |
 | vector.cpp:109:7:109:8 | ref arg v1 | vector.cpp:117:7:117:8 | v1 |  |
 | vector.cpp:109:7:109:8 | ref arg v1 | vector.cpp:121:1:121:1 | v1 |  |
@@ -7039,15 +7139,18 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:126:2:126:3 | ref arg v1 | vector.cpp:135:2:135:3 | v1 |  |
 | vector.cpp:126:2:126:3 | ref arg v1 | vector.cpp:139:7:139:8 | v1 |  |
 | vector.cpp:126:2:126:3 | ref arg v1 | vector.cpp:143:1:143:1 | v1 |  |
+| vector.cpp:126:15:126:20 | call to source | vector.cpp:126:2:126:3 | ref arg v1 | TAINT |
 | vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:131:7:131:8 | v2 |  |
 | vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:136:2:136:3 | v2 |  |
 | vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:136:7:136:8 | v2 |  |
 | vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:140:7:140:8 | v2 |  |
 | vector.cpp:127:2:127:3 | ref arg v2 | vector.cpp:143:1:143:1 | v2 |  |
+| vector.cpp:127:15:127:20 | call to source | vector.cpp:127:2:127:3 | ref arg v2 | TAINT |
 | vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:132:7:132:8 | v3 |  |
 | vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:137:2:137:3 | v3 |  |
 | vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:141:7:141:8 | v3 |  |
 | vector.cpp:128:2:128:3 | ref arg v3 | vector.cpp:143:1:143:1 | v3 |  |
+| vector.cpp:128:15:128:20 | call to source | vector.cpp:128:2:128:3 | ref arg v3 | TAINT |
 | vector.cpp:130:7:130:8 | ref arg v1 | vector.cpp:135:2:135:3 | v1 |  |
 | vector.cpp:130:7:130:8 | ref arg v1 | vector.cpp:139:7:139:8 | v1 |  |
 | vector.cpp:130:7:130:8 | ref arg v1 | vector.cpp:143:1:143:1 | v1 |  |
@@ -7107,18 +7210,31 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:166:37:166:39 | call to vector | vector.cpp:170:3:170:4 | bb |  |
 | vector.cpp:166:37:166:39 | call to vector | vector.cpp:171:8:171:9 | bb |  |
 | vector.cpp:166:37:166:39 | call to vector | vector.cpp:172:2:172:2 | bb |  |
+| vector.cpp:168:3:168:4 | bb | vector.cpp:168:5:168:5 | call to operator[] | TAINT |
 | vector.cpp:168:3:168:4 | ref arg bb | vector.cpp:169:8:169:9 | bb |  |
 | vector.cpp:168:3:168:4 | ref arg bb | vector.cpp:170:3:170:4 | bb |  |
 | vector.cpp:168:3:168:4 | ref arg bb | vector.cpp:171:8:171:9 | bb |  |
 | vector.cpp:168:3:168:4 | ref arg bb | vector.cpp:172:2:172:2 | bb |  |
+| vector.cpp:168:5:168:5 | ref arg call to operator[] | vector.cpp:168:3:168:4 | ref arg bb | TAINT |
+| vector.cpp:168:19:168:19 | 0 | vector.cpp:168:5:168:5 | ref arg call to operator[] | TAINT |
+| vector.cpp:169:8:169:9 | bb | vector.cpp:169:10:169:10 | call to operator[] | TAINT |
 | vector.cpp:169:8:169:9 | ref arg bb | vector.cpp:170:3:170:4 | bb |  |
 | vector.cpp:169:8:169:9 | ref arg bb | vector.cpp:171:8:171:9 | bb |  |
 | vector.cpp:169:8:169:9 | ref arg bb | vector.cpp:172:2:172:2 | bb |  |
+| vector.cpp:169:10:169:10 | call to operator[] | vector.cpp:169:13:169:13 | call to operator[] | TAINT |
+| vector.cpp:169:10:169:10 | ref arg call to operator[] | vector.cpp:169:8:169:9 | ref arg bb | TAINT |
+| vector.cpp:170:3:170:4 | bb | vector.cpp:170:5:170:5 | call to operator[] | TAINT |
 | vector.cpp:170:3:170:4 | ref arg bb | vector.cpp:171:8:171:9 | bb |  |
 | vector.cpp:170:3:170:4 | ref arg bb | vector.cpp:172:2:172:2 | bb |  |
 | vector.cpp:170:3:170:21 | ... = ... | vector.cpp:170:8:170:8 | call to operator[] [post update] |  |
+| vector.cpp:170:5:170:5 | call to operator[] | vector.cpp:170:8:170:8 | call to operator[] | TAINT |
+| vector.cpp:170:5:170:5 | ref arg call to operator[] | vector.cpp:170:3:170:4 | ref arg bb | TAINT |
+| vector.cpp:170:8:170:8 | call to operator[] [post update] | vector.cpp:170:5:170:5 | ref arg call to operator[] | TAINT |
 | vector.cpp:170:14:170:19 | call to source | vector.cpp:170:3:170:21 | ... = ... |  |
+| vector.cpp:171:8:171:9 | bb | vector.cpp:171:10:171:10 | call to operator[] | TAINT |
 | vector.cpp:171:8:171:9 | ref arg bb | vector.cpp:172:2:172:2 | bb |  |
+| vector.cpp:171:10:171:10 | call to operator[] | vector.cpp:171:13:171:13 | call to operator[] | TAINT |
+| vector.cpp:171:10:171:10 | ref arg call to operator[] | vector.cpp:171:8:171:9 | ref arg bb | TAINT |
 | vector.cpp:175:20:175:21 | call to vector | vector.cpp:175:20:175:21 | {...} | TAINT |
 | vector.cpp:175:20:175:21 | {...} | vector.cpp:177:3:177:4 | cc |  |
 | vector.cpp:175:20:175:21 | {...} | vector.cpp:178:8:178:9 | cc |  |
@@ -7132,20 +7248,25 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:177:3:177:7 | ref arg access to array | vector.cpp:180:8:180:9 | cc |  |
 | vector.cpp:177:3:177:7 | ref arg access to array | vector.cpp:181:2:181:2 | cc |  |
 | vector.cpp:177:6:177:6 | 0 | vector.cpp:177:3:177:7 | access to array | TAINT |
+| vector.cpp:177:19:177:19 | 0 | vector.cpp:177:3:177:7 | ref arg access to array | TAINT |
 | vector.cpp:178:8:178:9 | cc | vector.cpp:178:8:178:12 | access to array |  |
+| vector.cpp:178:8:178:12 | access to array | vector.cpp:178:13:178:13 | call to operator[] | TAINT |
 | vector.cpp:178:8:178:12 | ref arg access to array | vector.cpp:178:8:178:9 | cc [inner post update] |  |
 | vector.cpp:178:8:178:12 | ref arg access to array | vector.cpp:179:3:179:4 | cc |  |
 | vector.cpp:178:8:178:12 | ref arg access to array | vector.cpp:180:8:180:9 | cc |  |
 | vector.cpp:178:8:178:12 | ref arg access to array | vector.cpp:181:2:181:2 | cc |  |
 | vector.cpp:178:11:178:11 | 0 | vector.cpp:178:8:178:12 | access to array | TAINT |
 | vector.cpp:179:3:179:4 | cc | vector.cpp:179:3:179:7 | access to array |  |
+| vector.cpp:179:3:179:7 | access to array | vector.cpp:179:8:179:8 | call to operator[] | TAINT |
 | vector.cpp:179:3:179:7 | ref arg access to array | vector.cpp:179:3:179:4 | cc [inner post update] |  |
 | vector.cpp:179:3:179:7 | ref arg access to array | vector.cpp:180:8:180:9 | cc |  |
 | vector.cpp:179:3:179:7 | ref arg access to array | vector.cpp:181:2:181:2 | cc |  |
 | vector.cpp:179:3:179:21 | ... = ... | vector.cpp:179:8:179:8 | call to operator[] [post update] |  |
 | vector.cpp:179:6:179:6 | 0 | vector.cpp:179:3:179:7 | access to array | TAINT |
+| vector.cpp:179:8:179:8 | call to operator[] [post update] | vector.cpp:179:3:179:7 | ref arg access to array | TAINT |
 | vector.cpp:179:14:179:19 | call to source | vector.cpp:179:3:179:21 | ... = ... |  |
 | vector.cpp:180:8:180:9 | cc | vector.cpp:180:8:180:12 | access to array |  |
+| vector.cpp:180:8:180:12 | access to array | vector.cpp:180:13:180:13 | call to operator[] | TAINT |
 | vector.cpp:180:8:180:12 | ref arg access to array | vector.cpp:180:8:180:9 | cc [inner post update] |  |
 | vector.cpp:180:8:180:12 | ref arg access to array | vector.cpp:181:2:181:2 | cc |  |
 | vector.cpp:180:11:180:11 | 0 | vector.cpp:180:8:180:12 | access to array | TAINT |
@@ -7163,22 +7284,29 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:187:3:187:4 | ref arg dd | vector.cpp:191:8:191:9 | dd |  |
 | vector.cpp:187:3:187:4 | ref arg dd | vector.cpp:192:8:192:9 | dd |  |
 | vector.cpp:187:3:187:4 | ref arg dd | vector.cpp:193:2:193:2 | dd |  |
+| vector.cpp:187:16:187:17 | mp | vector.cpp:187:3:187:4 | ref arg dd | TAINT |
+| vector.cpp:188:8:188:9 | dd | vector.cpp:188:10:188:10 | call to operator[] | TAINT |
 | vector.cpp:188:8:188:9 | ref arg dd | vector.cpp:189:8:189:9 | dd |  |
 | vector.cpp:188:8:188:9 | ref arg dd | vector.cpp:190:3:190:4 | dd |  |
 | vector.cpp:188:8:188:9 | ref arg dd | vector.cpp:191:8:191:9 | dd |  |
 | vector.cpp:188:8:188:9 | ref arg dd | vector.cpp:192:8:192:9 | dd |  |
 | vector.cpp:188:8:188:9 | ref arg dd | vector.cpp:193:2:193:2 | dd |  |
+| vector.cpp:189:8:189:9 | dd | vector.cpp:189:10:189:10 | call to operator[] | TAINT |
 | vector.cpp:189:8:189:9 | ref arg dd | vector.cpp:190:3:190:4 | dd |  |
 | vector.cpp:189:8:189:9 | ref arg dd | vector.cpp:191:8:191:9 | dd |  |
 | vector.cpp:189:8:189:9 | ref arg dd | vector.cpp:192:8:192:9 | dd |  |
 | vector.cpp:189:8:189:9 | ref arg dd | vector.cpp:193:2:193:2 | dd |  |
+| vector.cpp:190:3:190:4 | dd | vector.cpp:190:5:190:5 | call to operator[] | TAINT |
 | vector.cpp:190:3:190:4 | ref arg dd | vector.cpp:191:8:191:9 | dd |  |
 | vector.cpp:190:3:190:4 | ref arg dd | vector.cpp:192:8:192:9 | dd |  |
 | vector.cpp:190:3:190:4 | ref arg dd | vector.cpp:193:2:193:2 | dd |  |
 | vector.cpp:190:3:190:20 | ... = ... | vector.cpp:190:9:190:9 | a [post update] |  |
+| vector.cpp:190:5:190:5 | call to operator[] [post update] | vector.cpp:190:3:190:4 | ref arg dd | TAINT |
 | vector.cpp:190:13:190:18 | call to source | vector.cpp:190:3:190:20 | ... = ... |  |
+| vector.cpp:191:8:191:9 | dd | vector.cpp:191:10:191:10 | call to operator[] | TAINT |
 | vector.cpp:191:8:191:9 | ref arg dd | vector.cpp:192:8:192:9 | dd |  |
 | vector.cpp:191:8:191:9 | ref arg dd | vector.cpp:193:2:193:2 | dd |  |
+| vector.cpp:192:8:192:9 | dd | vector.cpp:192:10:192:10 | call to operator[] | TAINT |
 | vector.cpp:192:8:192:9 | ref arg dd | vector.cpp:193:2:193:2 | dd |  |
 | vector.cpp:196:21:196:22 | call to MyVectorContainer | vector.cpp:198:3:198:4 | ee |  |
 | vector.cpp:196:21:196:22 | call to MyVectorContainer | vector.cpp:199:8:199:9 | ee |  |
@@ -7192,17 +7320,22 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:198:6:198:7 | ref arg vs | vector.cpp:199:11:199:12 | vs |  |
 | vector.cpp:198:6:198:7 | ref arg vs | vector.cpp:200:6:200:7 | vs |  |
 | vector.cpp:198:6:198:7 | ref arg vs | vector.cpp:201:11:201:12 | vs |  |
+| vector.cpp:198:19:198:19 | 0 | vector.cpp:198:6:198:7 | ref arg vs | TAINT |
 | vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:200:3:200:4 | ee |  |
 | vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:201:8:201:9 | ee |  |
 | vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:202:2:202:2 | ee |  |
 | vector.cpp:199:11:199:12 | ref arg vs | vector.cpp:200:6:200:7 | vs |  |
 | vector.cpp:199:11:199:12 | ref arg vs | vector.cpp:201:11:201:12 | vs |  |
+| vector.cpp:199:11:199:12 | vs | vector.cpp:199:13:199:13 | call to operator[] | TAINT |
 | vector.cpp:200:3:200:4 | ee [post update] | vector.cpp:201:8:201:9 | ee |  |
 | vector.cpp:200:3:200:4 | ee [post update] | vector.cpp:202:2:202:2 | ee |  |
 | vector.cpp:200:3:200:21 | ... = ... | vector.cpp:200:8:200:8 | call to operator[] [post update] |  |
 | vector.cpp:200:6:200:7 | ref arg vs | vector.cpp:201:11:201:12 | vs |  |
+| vector.cpp:200:6:200:7 | vs | vector.cpp:200:8:200:8 | call to operator[] | TAINT |
+| vector.cpp:200:8:200:8 | call to operator[] [post update] | vector.cpp:200:6:200:7 | ref arg vs | TAINT |
 | vector.cpp:200:14:200:19 | call to source | vector.cpp:200:3:200:21 | ... = ... |  |
 | vector.cpp:201:8:201:9 | ee [post update] | vector.cpp:202:2:202:2 | ee |  |
+| vector.cpp:201:11:201:12 | vs | vector.cpp:201:13:201:13 | call to operator[] | TAINT |
 | vector.cpp:205:34:205:35 | call to vector | vector.cpp:209:3:209:4 | ff |  |
 | vector.cpp:205:34:205:35 | call to vector | vector.cpp:210:8:210:9 | ff |  |
 | vector.cpp:205:34:205:35 | call to vector | vector.cpp:211:3:211:4 | ff |  |
@@ -7213,18 +7346,30 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:206:21:206:23 | call to MyVectorContainer | vector.cpp:213:2:213:2 | mvc |  |
 | vector.cpp:208:3:208:5 | mvc [post update] | vector.cpp:209:16:209:18 | mvc |  |
 | vector.cpp:208:3:208:5 | mvc [post update] | vector.cpp:213:2:213:2 | mvc |  |
+| vector.cpp:208:20:208:20 | 0 | vector.cpp:208:7:208:8 | ref arg vs | TAINT |
 | vector.cpp:209:3:209:4 | ref arg ff | vector.cpp:210:8:210:9 | ff |  |
 | vector.cpp:209:3:209:4 | ref arg ff | vector.cpp:211:3:211:4 | ff |  |
 | vector.cpp:209:3:209:4 | ref arg ff | vector.cpp:212:8:212:9 | ff |  |
 | vector.cpp:209:3:209:4 | ref arg ff | vector.cpp:213:2:213:2 | ff |  |
+| vector.cpp:209:16:209:18 | mvc | vector.cpp:209:3:209:4 | ref arg ff | TAINT |
+| vector.cpp:210:8:210:9 | ff | vector.cpp:210:10:210:10 | call to operator[] | TAINT |
 | vector.cpp:210:8:210:9 | ref arg ff | vector.cpp:211:3:211:4 | ff |  |
 | vector.cpp:210:8:210:9 | ref arg ff | vector.cpp:212:8:212:9 | ff |  |
 | vector.cpp:210:8:210:9 | ref arg ff | vector.cpp:213:2:213:2 | ff |  |
+| vector.cpp:210:10:210:10 | call to operator[] [post update] | vector.cpp:210:8:210:9 | ref arg ff | TAINT |
+| vector.cpp:210:14:210:15 | vs | vector.cpp:210:16:210:16 | call to operator[] | TAINT |
+| vector.cpp:211:3:211:4 | ff | vector.cpp:211:5:211:5 | call to operator[] | TAINT |
 | vector.cpp:211:3:211:4 | ref arg ff | vector.cpp:212:8:212:9 | ff |  |
 | vector.cpp:211:3:211:4 | ref arg ff | vector.cpp:213:2:213:2 | ff |  |
 | vector.cpp:211:3:211:24 | ... = ... | vector.cpp:211:11:211:11 | call to operator[] [post update] |  |
+| vector.cpp:211:5:211:5 | call to operator[] [post update] | vector.cpp:211:3:211:4 | ref arg ff | TAINT |
+| vector.cpp:211:9:211:10 | vs | vector.cpp:211:11:211:11 | call to operator[] | TAINT |
+| vector.cpp:211:11:211:11 | call to operator[] [post update] | vector.cpp:211:9:211:10 | ref arg vs | TAINT |
 | vector.cpp:211:17:211:22 | call to source | vector.cpp:211:3:211:24 | ... = ... |  |
+| vector.cpp:212:8:212:9 | ff | vector.cpp:212:10:212:10 | call to operator[] | TAINT |
 | vector.cpp:212:8:212:9 | ref arg ff | vector.cpp:213:2:213:2 | ff |  |
+| vector.cpp:212:10:212:10 | call to operator[] [post update] | vector.cpp:212:8:212:9 | ref arg ff | TAINT |
+| vector.cpp:212:14:212:15 | vs | vector.cpp:212:16:212:16 | call to operator[] | TAINT |
 | vector.cpp:235:19:235:20 | call to vector | vector.cpp:237:2:237:3 | v1 |  |
 | vector.cpp:235:19:235:20 | call to vector | vector.cpp:241:7:241:8 | v1 |  |
 | vector.cpp:235:19:235:20 | call to vector | vector.cpp:249:13:249:14 | v1 |  |
@@ -7243,13 +7388,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:249:13:249:14 | v1 |  |
 | vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:249:25:249:26 | v1 |  |
 | vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:277:1:277:1 | v1 |  |
+| vector.cpp:237:17:237:17 | 0 | vector.cpp:237:2:237:3 | ref arg v1 | TAINT |
 | vector.cpp:238:2:238:3 | ref arg v2 | vector.cpp:242:7:242:8 | v2 |  |
 | vector.cpp:238:2:238:3 | ref arg v2 | vector.cpp:277:1:277:1 | v2 |  |
+| vector.cpp:238:17:238:30 | call to source | vector.cpp:238:2:238:3 | ref arg v2 | TAINT |
 | vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:243:7:243:8 | v3 |  |
 | vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:250:13:250:14 | v3 |  |
 | vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:250:25:250:26 | v3 |  |
 | vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:251:8:251:9 | v3 |  |
 | vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
+| vector.cpp:239:15:239:20 | call to source | vector.cpp:239:2:239:3 | ref arg v3 | TAINT |
 | vector.cpp:241:7:241:8 | ref arg v1 | vector.cpp:249:13:249:14 | v1 |  |
 | vector.cpp:241:7:241:8 | ref arg v1 | vector.cpp:249:25:249:26 | v1 |  |
 | vector.cpp:241:7:241:8 | ref arg v1 | vector.cpp:277:1:277:1 | v1 |  |
@@ -7272,17 +7420,21 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:249:13:249:14 | ref arg v1 | vector.cpp:249:25:249:26 | v1 |  |
 | vector.cpp:249:13:249:14 | ref arg v1 | vector.cpp:277:1:277:1 | v1 |  |
 | vector.cpp:249:13:249:14 | v1 | vector.cpp:249:16:249:20 | call to begin | TAINT |
+| vector.cpp:249:16:249:20 | call to begin | vector.cpp:249:3:249:4 | ref arg v4 | TAINT |
 | vector.cpp:249:25:249:26 | ref arg v1 | vector.cpp:277:1:277:1 | v1 |  |
 | vector.cpp:249:25:249:26 | v1 | vector.cpp:249:28:249:30 | call to end | TAINT |
+| vector.cpp:249:28:249:30 | call to end | vector.cpp:249:3:249:4 | ref arg v4 | TAINT |
 | vector.cpp:250:3:250:4 | ref arg v5 | vector.cpp:258:8:258:9 | v5 |  |
 | vector.cpp:250:3:250:4 | ref arg v5 | vector.cpp:262:2:262:2 | v5 |  |
 | vector.cpp:250:13:250:14 | ref arg v3 | vector.cpp:250:25:250:26 | v3 |  |
 | vector.cpp:250:13:250:14 | ref arg v3 | vector.cpp:251:8:251:9 | v3 |  |
 | vector.cpp:250:13:250:14 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
 | vector.cpp:250:13:250:14 | v3 | vector.cpp:250:16:250:20 | call to begin | TAINT |
+| vector.cpp:250:16:250:20 | call to begin | vector.cpp:250:3:250:4 | ref arg v5 | TAINT |
 | vector.cpp:250:25:250:26 | ref arg v3 | vector.cpp:251:8:251:9 | v3 |  |
 | vector.cpp:250:25:250:26 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
 | vector.cpp:250:25:250:26 | v3 | vector.cpp:250:28:250:30 | call to end | TAINT |
+| vector.cpp:250:28:250:30 | call to end | vector.cpp:250:3:250:4 | ref arg v5 | TAINT |
 | vector.cpp:251:8:251:9 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
 | vector.cpp:251:8:251:9 | v3 | vector.cpp:251:11:251:15 | call to begin | TAINT |
 | vector.cpp:251:11:251:15 | call to begin | vector.cpp:251:3:251:17 | ... = ... |  |
@@ -7303,9 +7455,11 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:254:3:254:4 | ref arg i2 | vector.cpp:260:8:260:9 | i2 |  |
 | vector.cpp:255:3:255:4 | ref arg v6 | vector.cpp:261:8:261:9 | v6 |  |
 | vector.cpp:255:3:255:4 | ref arg v6 | vector.cpp:262:2:262:2 | v6 |  |
+| vector.cpp:255:13:255:14 | call to iterator | vector.cpp:255:3:255:4 | ref arg v6 | TAINT |
 | vector.cpp:255:13:255:14 | call to iterator [post update] | vector.cpp:277:1:277:1 | v3 |  |
 | vector.cpp:255:13:255:14 | i1 | vector.cpp:255:13:255:14 | call to iterator |  |
 | vector.cpp:255:13:255:14 | i1 [post update] | vector.cpp:277:1:277:1 | v3 |  |
+| vector.cpp:255:17:255:18 | call to iterator | vector.cpp:255:3:255:4 | ref arg v6 | TAINT |
 | vector.cpp:255:17:255:18 | i2 | vector.cpp:255:17:255:18 | call to iterator |  |
 | vector.cpp:257:8:257:9 | ref arg v4 | vector.cpp:262:2:262:2 | v4 |  |
 | vector.cpp:258:8:258:9 | ref arg v5 | vector.cpp:262:2:262:2 | v5 |  |
@@ -7322,10 +7476,13 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:267:28:267:29 | call to vector | vector.cpp:276:2:276:2 | v9 |  |
 | vector.cpp:269:3:269:4 | ref arg v7 | vector.cpp:273:8:273:9 | v7 |  |
 | vector.cpp:269:3:269:4 | ref arg v7 | vector.cpp:276:2:276:2 | v7 |  |
+| vector.cpp:269:18:269:31 | call to source | vector.cpp:269:3:269:4 | ref arg v7 | TAINT |
 | vector.cpp:270:3:270:4 | ref arg v8 | vector.cpp:274:8:274:9 | v8 |  |
 | vector.cpp:270:3:270:4 | ref arg v8 | vector.cpp:276:2:276:2 | v8 |  |
+| vector.cpp:270:18:270:35 | call to source | vector.cpp:270:3:270:4 | ref arg v8 | TAINT |
 | vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:275:8:275:9 | v9 |  |
 | vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:276:2:276:2 | v9 |  |
+| vector.cpp:271:18:271:34 | call to source | vector.cpp:271:3:271:4 | ref arg v9 | TAINT |
 | vector.cpp:273:8:273:9 | ref arg v7 | vector.cpp:276:2:276:2 | v7 |  |
 | vector.cpp:274:8:274:9 | ref arg v8 | vector.cpp:276:2:276:2 | v8 |  |
 | vector.cpp:275:8:275:9 | ref arg v9 | vector.cpp:276:2:276:2 | v9 |  |
@@ -7343,12 +7500,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:284:2:284:3 | ref arg v1 | vector.cpp:286:7:286:8 | v1 |  |
 | vector.cpp:284:2:284:3 | ref arg v1 | vector.cpp:287:7:287:8 | v1 |  |
 | vector.cpp:284:2:284:3 | ref arg v1 | vector.cpp:293:1:293:1 | v1 |  |
+| vector.cpp:284:15:284:20 | call to source | vector.cpp:284:2:284:3 | ref arg v1 | TAINT |
 | vector.cpp:285:7:285:8 | ref arg v1 | vector.cpp:286:7:286:8 | v1 |  |
 | vector.cpp:285:7:285:8 | ref arg v1 | vector.cpp:287:7:287:8 | v1 |  |
 | vector.cpp:285:7:285:8 | ref arg v1 | vector.cpp:293:1:293:1 | v1 |  |
 | vector.cpp:286:7:286:8 | ref arg v1 | vector.cpp:287:7:287:8 | v1 |  |
 | vector.cpp:286:7:286:8 | ref arg v1 | vector.cpp:293:1:293:1 | v1 |  |
+| vector.cpp:286:7:286:8 | v1 | vector.cpp:286:10:286:13 | call to data | TAINT |
+| vector.cpp:286:10:286:13 | ref arg call to data | vector.cpp:286:7:286:8 | ref arg v1 | TAINT |
 | vector.cpp:287:7:287:8 | ref arg v1 | vector.cpp:293:1:293:1 | v1 |  |
+| vector.cpp:287:7:287:8 | v1 | vector.cpp:287:10:287:13 | call to data | TAINT |
 | vector.cpp:287:10:287:13 | call to data | vector.cpp:287:7:287:18 | access to array | TAINT |
 | vector.cpp:287:17:287:17 | 2 | vector.cpp:287:7:287:18 | access to array | TAINT |
 | vector.cpp:289:2:289:13 | * ... [post update] | vector.cpp:289:7:289:10 | call to data [inner post update] |  |
@@ -7357,14 +7518,19 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:289:4:289:5 | ref arg v2 | vector.cpp:291:7:291:8 | v2 |  |
 | vector.cpp:289:4:289:5 | ref arg v2 | vector.cpp:292:7:292:8 | v2 |  |
 | vector.cpp:289:4:289:5 | ref arg v2 | vector.cpp:293:1:293:1 | v2 |  |
+| vector.cpp:289:4:289:5 | v2 | vector.cpp:289:7:289:10 | call to data | TAINT |
 | vector.cpp:289:7:289:10 | call to data | vector.cpp:289:2:289:13 | * ... | TAINT |
+| vector.cpp:289:7:289:10 | call to data [inner post update] | vector.cpp:289:4:289:5 | ref arg v2 | TAINT |
 | vector.cpp:289:17:289:30 | call to source | vector.cpp:289:2:289:32 | ... = ... |  |
 | vector.cpp:290:7:290:8 | ref arg v2 | vector.cpp:291:7:291:8 | v2 |  |
 | vector.cpp:290:7:290:8 | ref arg v2 | vector.cpp:292:7:292:8 | v2 |  |
 | vector.cpp:290:7:290:8 | ref arg v2 | vector.cpp:293:1:293:1 | v2 |  |
 | vector.cpp:291:7:291:8 | ref arg v2 | vector.cpp:292:7:292:8 | v2 |  |
 | vector.cpp:291:7:291:8 | ref arg v2 | vector.cpp:293:1:293:1 | v2 |  |
+| vector.cpp:291:7:291:8 | v2 | vector.cpp:291:10:291:13 | call to data | TAINT |
+| vector.cpp:291:10:291:13 | ref arg call to data | vector.cpp:291:7:291:8 | ref arg v2 | TAINT |
 | vector.cpp:292:7:292:8 | ref arg v2 | vector.cpp:293:1:293:1 | v2 |  |
+| vector.cpp:292:7:292:8 | v2 | vector.cpp:292:10:292:13 | call to data | TAINT |
 | vector.cpp:292:10:292:13 | call to data | vector.cpp:292:7:292:18 | access to array | TAINT |
 | vector.cpp:292:17:292:17 | 2 | vector.cpp:292:7:292:18 | access to array | TAINT |
 | vector.cpp:298:19:298:19 | call to vector | vector.cpp:305:7:305:7 | a |  |
@@ -7393,6 +7559,8 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:303:2:303:2 | ref arg d | vector.cpp:311:16:311:16 | d |  |
 | vector.cpp:303:2:303:2 | ref arg d | vector.cpp:312:7:312:7 | d |  |
 | vector.cpp:303:2:303:2 | ref arg d | vector.cpp:313:1:313:1 | d |  |
+| vector.cpp:303:14:303:19 | call to source | vector.cpp:303:2:303:2 | ref arg d | TAINT |
+| vector.cpp:305:7:305:7 | a | vector.cpp:305:9:305:14 | call to insert | TAINT |
 | vector.cpp:305:7:305:7 | ref arg a | vector.cpp:306:7:306:7 | a |  |
 | vector.cpp:305:7:305:7 | ref arg a | vector.cpp:311:25:311:25 | a |  |
 | vector.cpp:305:7:305:7 | ref arg a | vector.cpp:311:36:311:36 | a |  |
@@ -7407,11 +7575,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:305:25:305:25 | b | vector.cpp:305:27:305:31 | call to begin | TAINT |
 | vector.cpp:305:25:305:25 | ref arg b | vector.cpp:305:36:305:36 | b |  |
 | vector.cpp:305:25:305:25 | ref arg b | vector.cpp:313:1:313:1 | b |  |
+| vector.cpp:305:27:305:31 | call to begin | vector.cpp:305:7:305:7 | ref arg a | TAINT |
+| vector.cpp:305:27:305:31 | call to begin | vector.cpp:305:9:305:14 | call to insert | TAINT |
 | vector.cpp:305:36:305:36 | b | vector.cpp:305:38:305:40 | call to end | TAINT |
 | vector.cpp:305:36:305:36 | ref arg b | vector.cpp:313:1:313:1 | b |  |
+| vector.cpp:305:38:305:40 | call to end | vector.cpp:305:7:305:7 | ref arg a | TAINT |
+| vector.cpp:305:38:305:40 | call to end | vector.cpp:305:9:305:14 | call to insert | TAINT |
 | vector.cpp:306:7:306:7 | ref arg a | vector.cpp:311:25:311:25 | a |  |
 | vector.cpp:306:7:306:7 | ref arg a | vector.cpp:311:36:311:36 | a |  |
 | vector.cpp:306:7:306:7 | ref arg a | vector.cpp:313:1:313:1 | a |  |
+| vector.cpp:308:7:308:7 | c | vector.cpp:308:9:308:14 | call to insert | TAINT |
 | vector.cpp:308:7:308:7 | ref arg c | vector.cpp:309:7:309:7 | c |  |
 | vector.cpp:308:7:308:7 | ref arg c | vector.cpp:313:1:313:1 | c |  |
 | vector.cpp:308:16:308:16 | c | vector.cpp:308:18:308:20 | call to end | TAINT |
@@ -7425,12 +7598,17 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:308:25:308:25 | ref arg d | vector.cpp:311:16:311:16 | d |  |
 | vector.cpp:308:25:308:25 | ref arg d | vector.cpp:312:7:312:7 | d |  |
 | vector.cpp:308:25:308:25 | ref arg d | vector.cpp:313:1:313:1 | d |  |
+| vector.cpp:308:27:308:31 | call to begin | vector.cpp:308:7:308:7 | ref arg c | TAINT |
+| vector.cpp:308:27:308:31 | call to begin | vector.cpp:308:9:308:14 | call to insert | TAINT |
 | vector.cpp:308:36:308:36 | d | vector.cpp:308:38:308:40 | call to end | TAINT |
 | vector.cpp:308:36:308:36 | ref arg d | vector.cpp:311:7:311:7 | d |  |
 | vector.cpp:308:36:308:36 | ref arg d | vector.cpp:311:16:311:16 | d |  |
 | vector.cpp:308:36:308:36 | ref arg d | vector.cpp:312:7:312:7 | d |  |
 | vector.cpp:308:36:308:36 | ref arg d | vector.cpp:313:1:313:1 | d |  |
+| vector.cpp:308:38:308:40 | call to end | vector.cpp:308:7:308:7 | ref arg c | TAINT |
+| vector.cpp:308:38:308:40 | call to end | vector.cpp:308:9:308:14 | call to insert | TAINT |
 | vector.cpp:309:7:309:7 | ref arg c | vector.cpp:313:1:313:1 | c |  |
+| vector.cpp:311:7:311:7 | d | vector.cpp:311:9:311:14 | call to insert | TAINT |
 | vector.cpp:311:7:311:7 | ref arg d | vector.cpp:312:7:312:7 | d |  |
 | vector.cpp:311:7:311:7 | ref arg d | vector.cpp:313:1:313:1 | d |  |
 | vector.cpp:311:16:311:16 | d | vector.cpp:311:18:311:20 | call to end | TAINT |
@@ -7441,8 +7619,12 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:311:25:311:25 | a | vector.cpp:311:27:311:31 | call to begin | TAINT |
 | vector.cpp:311:25:311:25 | ref arg a | vector.cpp:311:36:311:36 | a |  |
 | vector.cpp:311:25:311:25 | ref arg a | vector.cpp:313:1:313:1 | a |  |
+| vector.cpp:311:27:311:31 | call to begin | vector.cpp:311:7:311:7 | ref arg d | TAINT |
+| vector.cpp:311:27:311:31 | call to begin | vector.cpp:311:9:311:14 | call to insert | TAINT |
 | vector.cpp:311:36:311:36 | a | vector.cpp:311:38:311:40 | call to end | TAINT |
 | vector.cpp:311:36:311:36 | ref arg a | vector.cpp:313:1:313:1 | a |  |
+| vector.cpp:311:38:311:40 | call to end | vector.cpp:311:7:311:7 | ref arg d | TAINT |
+| vector.cpp:311:38:311:40 | call to end | vector.cpp:311:9:311:14 | call to insert | TAINT |
 | vector.cpp:312:7:312:7 | ref arg d | vector.cpp:313:1:313:1 | d |  |
 | vector.cpp:316:19:316:20 | call to vector | vector.cpp:320:22:320:23 | v1 |  |
 | vector.cpp:316:19:316:20 | call to vector | vector.cpp:320:34:320:35 | v1 |  |
@@ -7457,24 +7639,29 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:318:2:318:3 | ref arg v2 | vector.cpp:321:34:321:35 | v2 |  |
 | vector.cpp:318:2:318:3 | ref arg v2 | vector.cpp:324:7:324:8 | v2 |  |
 | vector.cpp:318:2:318:3 | ref arg v2 | vector.cpp:327:1:327:1 | v2 |  |
+| vector.cpp:318:15:318:20 | call to source | vector.cpp:318:2:318:3 | ref arg v2 | TAINT |
 | vector.cpp:320:22:320:23 | ref arg v1 | vector.cpp:320:34:320:35 | v1 |  |
 | vector.cpp:320:22:320:23 | ref arg v1 | vector.cpp:323:7:323:8 | v1 |  |
 | vector.cpp:320:22:320:23 | ref arg v1 | vector.cpp:327:1:327:1 | v1 |  |
 | vector.cpp:320:22:320:23 | v1 | vector.cpp:320:25:320:29 | call to begin | TAINT |
 | vector.cpp:320:22:320:42 | call to vector | vector.cpp:325:7:325:8 | v3 |  |
 | vector.cpp:320:22:320:42 | call to vector | vector.cpp:327:1:327:1 | v3 |  |
+| vector.cpp:320:25:320:29 | call to begin | vector.cpp:320:22:320:42 | call to vector | TAINT |
 | vector.cpp:320:34:320:35 | ref arg v1 | vector.cpp:323:7:323:8 | v1 |  |
 | vector.cpp:320:34:320:35 | ref arg v1 | vector.cpp:327:1:327:1 | v1 |  |
 | vector.cpp:320:34:320:35 | v1 | vector.cpp:320:37:320:39 | call to end | TAINT |
+| vector.cpp:320:37:320:39 | call to end | vector.cpp:320:22:320:42 | call to vector | TAINT |
 | vector.cpp:321:22:321:23 | ref arg v2 | vector.cpp:321:34:321:35 | v2 |  |
 | vector.cpp:321:22:321:23 | ref arg v2 | vector.cpp:324:7:324:8 | v2 |  |
 | vector.cpp:321:22:321:23 | ref arg v2 | vector.cpp:327:1:327:1 | v2 |  |
 | vector.cpp:321:22:321:23 | v2 | vector.cpp:321:25:321:29 | call to begin | TAINT |
 | vector.cpp:321:22:321:42 | call to vector | vector.cpp:326:7:326:8 | v4 |  |
 | vector.cpp:321:22:321:42 | call to vector | vector.cpp:327:1:327:1 | v4 |  |
+| vector.cpp:321:25:321:29 | call to begin | vector.cpp:321:22:321:42 | call to vector | TAINT |
 | vector.cpp:321:34:321:35 | ref arg v2 | vector.cpp:324:7:324:8 | v2 |  |
 | vector.cpp:321:34:321:35 | ref arg v2 | vector.cpp:327:1:327:1 | v2 |  |
 | vector.cpp:321:34:321:35 | v2 | vector.cpp:321:37:321:39 | call to end | TAINT |
+| vector.cpp:321:37:321:39 | call to end | vector.cpp:321:22:321:42 | call to vector | TAINT |
 | vector.cpp:323:7:323:8 | ref arg v1 | vector.cpp:327:1:327:1 | v1 |  |
 | vector.cpp:324:7:324:8 | ref arg v2 | vector.cpp:327:1:327:1 | v2 |  |
 | vector.cpp:325:7:325:8 | ref arg v3 | vector.cpp:327:1:327:1 | v3 |  |
@@ -7912,7 +8099,9 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:472:10:472:14 | ref arg & ... | vector.cpp:472:12:472:12 | call to operator[] [inner post update] |  |
 | vector.cpp:472:11:472:11 | ref arg v | vector.cpp:473:8:473:8 | v |  |
 | vector.cpp:472:11:472:11 | ref arg v | vector.cpp:474:2:474:2 | v |  |
+| vector.cpp:472:11:472:11 | v | vector.cpp:472:12:472:12 | call to operator[] | TAINT |
 | vector.cpp:472:12:472:12 | call to operator[] | vector.cpp:472:10:472:14 | & ... |  |
+| vector.cpp:472:12:472:12 | call to operator[] [inner post update] | vector.cpp:472:11:472:11 | ref arg v | TAINT |
 | vector.cpp:472:17:472:18 | & ... | vector.cpp:472:3:472:8 | call to memcpy | TAINT |
 | vector.cpp:472:17:472:18 | & ... | vector.cpp:472:10:472:14 | ref arg & ... | TAINT |
 | vector.cpp:472:18:472:18 | s | vector.cpp:472:10:472:14 | ref arg & ... |  |
@@ -7935,9 +8124,11 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:483:8:483:9 | ref arg cs | vector.cpp:487:2:487:2 | cs |  |
 | vector.cpp:484:10:484:22 | & ... | vector.cpp:484:3:484:8 | call to memcpy |  |
 | vector.cpp:484:10:484:22 | ref arg & ... | vector.cpp:484:13:484:13 | call to operator[] [inner post update] |  |
+| vector.cpp:484:11:484:12 | cs | vector.cpp:484:13:484:13 | call to operator[] | TAINT |
 | vector.cpp:484:11:484:12 | ref arg cs | vector.cpp:486:8:486:9 | cs |  |
 | vector.cpp:484:11:484:12 | ref arg cs | vector.cpp:487:2:487:2 | cs |  |
 | vector.cpp:484:13:484:13 | call to operator[] | vector.cpp:484:10:484:22 | & ... |  |
+| vector.cpp:484:13:484:13 | call to operator[] [inner post update] | vector.cpp:484:11:484:12 | ref arg cs | TAINT |
 | vector.cpp:484:14:484:17 | offs | vector.cpp:484:14:484:21 | ... + ... | TAINT |
 | vector.cpp:484:21:484:21 | 1 | vector.cpp:484:14:484:21 | ... + ... | TAINT |
 | vector.cpp:484:25:484:27 | src | vector.cpp:484:29:484:33 | call to c_str | TAINT |
@@ -7953,6 +8144,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:491:30:491:32 | call to vector | vector.cpp:498:1:498:1 | v2 |  |
 | vector.cpp:493:2:493:3 | ref arg v1 | vector.cpp:494:7:494:8 | v1 |  |
 | vector.cpp:493:2:493:3 | ref arg v1 | vector.cpp:498:1:498:1 | v1 |  |
+| vector.cpp:493:18:493:23 | call to source | vector.cpp:493:2:493:3 | ref arg v1 | TAINT |
 | vector.cpp:494:7:494:8 | ref arg v1 | vector.cpp:498:1:498:1 | v1 |  |
 | vector.cpp:496:2:496:3 | ref arg v2 | vector.cpp:497:7:497:8 | v2 |  |
 | vector.cpp:496:2:496:3 | ref arg v2 | vector.cpp:498:1:498:1 | v2 |  |
@@ -7961,6 +8153,8 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:496:13:496:14 | ref arg v2 | vector.cpp:498:1:498:1 | v2 |  |
 | vector.cpp:496:13:496:14 | v2 | vector.cpp:496:16:496:20 | call to begin | TAINT |
 | vector.cpp:496:16:496:20 | call to begin | vector.cpp:496:13:496:22 | call to iterator | TAINT |
+| vector.cpp:496:25:496:30 | call to source | vector.cpp:496:2:496:3 | ref arg v2 | TAINT |
+| vector.cpp:496:25:496:30 | call to source | vector.cpp:496:5:496:11 | call to emplace | TAINT |
 | vector.cpp:497:7:497:8 | ref arg v2 | vector.cpp:498:1:498:1 | v2 |  |
 | vector.cpp:503:18:503:21 | {...} | vector.cpp:506:8:506:9 | as |  |
 | vector.cpp:503:18:503:21 | {...} | vector.cpp:507:8:507:9 | as |  |
@@ -7991,13 +8185,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:520:25:520:31 | call to vector | vector.cpp:526:8:526:9 | vs |  |
 | vector.cpp:520:25:520:31 | call to vector | vector.cpp:532:8:532:9 | vs |  |
 | vector.cpp:520:25:520:31 | call to vector | vector.cpp:533:2:533:2 | vs |  |
+| vector.cpp:520:30:520:30 | 0 | vector.cpp:520:25:520:31 | call to vector | TAINT |
 | vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:524:8:524:9 | vs |  |
 | vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:526:8:526:9 | vs |  |
 | vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:532:8:532:9 | vs |  |
 | vector.cpp:523:8:523:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
+| vector.cpp:523:8:523:9 | vs | vector.cpp:523:10:523:10 | call to operator[] | TAINT |
 | vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:526:8:526:9 | vs |  |
 | vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:532:8:532:9 | vs |  |
 | vector.cpp:524:8:524:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
+| vector.cpp:524:8:524:9 | vs | vector.cpp:524:10:524:10 | call to operator[] | TAINT |
 | vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:532:8:532:9 | vs |  |
 | vector.cpp:526:8:526:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
 | vector.cpp:526:8:526:9 | vs | vector.cpp:526:11:526:15 | call to begin | TAINT |
@@ -8025,6 +8222,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | vector.cpp:530:9:530:14 | call to source | vector.cpp:530:3:530:4 | ref arg it | TAINT |
 | vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
 | vector.cpp:532:8:532:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
+| vector.cpp:532:8:532:9 | vs | vector.cpp:532:10:532:10 | call to operator[] | TAINT |
 | zmq.cpp:17:21:17:26 | socket | zmq.cpp:17:21:17:26 | socket |  |
 | zmq.cpp:17:35:17:46 | message_data | zmq.cpp:17:35:17:46 | message_data |  |
 | zmq.cpp:17:35:17:46 | message_data | zmq.cpp:20:35:20:46 | message_data |  |