Merge pull request #21330 from github/release-prep/2.24.2

Release preparation for version 2.24.2

MODULE.bazel

@@ -254,11 +254,11 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.25.0")
+go_sdk.download(version = "1.26.0")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
-use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
+use_repo(go_deps, "com_github_stretchr_testify", "org_golang_x_mod", "org_golang_x_tools")
 
 ripunzip_archive = use_repo_rule("//misc/ripunzip:ripunzip.bzl", "ripunzip_archive")
 

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.28
+
+No user-facing changes.
+
 ## 0.4.27
 
 ### Bug Fixes

actions/ql/lib/change-notes/released/0.4.28.md

@@ -0,0 +1,3 @@
+## 0.4.28
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.27
+lastReleaseVersion: 0.4.28

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.27
+version: 0.4.28
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.20
+
+No user-facing changes.
+
 ## 0.6.19
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.20.md

@@ -0,0 +1,3 @@
+## 0.6.20
+
+No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.19
+lastReleaseVersion: 0.6.20

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.19
+version: 0.6.20
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/downgrades/7e7c2f55670f8123d514cf542ccb1938118ac561/upgrade.properties

@@ -0,0 +1,5 @@
+description: Add trap_filename, source_file_uses_trap and in_trap relations
+compatibility: full
+trap_filename.rel: delete
+source_file_uses_trap.rel: delete
+in_trap.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 7.1.1
+
+### Minor Analysis Improvements
+
+* Added remote flow source models for the `winhttp.h` windows header and the Azure SDK core library for C/C++.
+
 ## 7.1.0
 
 ### New Features

cpp/ql/lib/change-notes/released/7.1.1.md

@@ -0,0 +1,5 @@
+## 7.1.1
+
+### Minor Analysis Improvements
+
+* Added remote flow source models for the `winhttp.h` windows header and the Azure SDK core library for C/C++.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.1.0
+lastReleaseVersion: 7.1.1

cpp/ql/lib/ext/Windows.model.yml

@@ -24,6 +24,13 @@ extensions:
       - ["", "", False, "MapViewOfFileNuma2", "", "", "ReturnValue[*]", "local", "manual"]
       # ntifs.h
       - ["", "", False, "NtReadFile", "", "", "Argument[*5]", "local", "manual"]
+      # winhttp.h
+      - ["", "", False, "WinHttpReadData", "", "", "Argument[*1]", "remote", "manual"]
+      - ["", "", False, "WinHttpReadDataEx", "", "", "Argument[*1]", "remote", "manual"]
+      - ["", "", False, "WinHttpQueryHeaders", "", "", "Argument[*3]", "remote", "manual"]
+      - ["", "", False, "WinHttpQueryHeadersEx", "", "", "Argument[*5]", "remote", "manual"]
+      - ["", "", False, "WinHttpQueryHeadersEx", "", "", "Argument[*6]", "remote", "manual"]
+      - ["", "", False, "WinHttpQueryHeadersEx", "", "", "Argument[**8]", "remote", "manual"]
   - addsTo:
       pack: codeql/cpp-all
       extensible: summaryModel
@@ -46,4 +53,6 @@ extensions:
       - ["", "", False, "RtlMoveMemory", "", "", "Argument[*@1]", "Argument[*@0]", "value", "manual"]
       - ["", "", False, "RtlMoveVolatileMemory", "", "", "Argument[*@1]", "Argument[*@0]", "value", "manual"]
       # winternl.h
-      - ["", "", False, "RtlInitUnicodeString", "", "", "Argument[*1]", "Argument[*0].Field[*Buffer]", "value", "manual"]
+      - ["", "", False, "RtlInitUnicodeString", "", "", "Argument[*1]", "Argument[*0].Field[*Buffer]", "value", "manual"]
+      # winhttp.h
+      - ["", "", False, "WinHttpCrackUrl", "", "", "Argument[*0]", "Argument[*3]", "taint", "manual"]

cpp/ql/lib/ext/azure.core.model.yml

@@ -0,0 +1,41 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["Azure::Core::Http", "RawResponse", True, "GetHeaders", "", "", "ReturnValue[*]", "remote", "manual"]
+      - ["Azure::Core::Http", "RawResponse", True, "GetBody", "", "", "ReturnValue[*]", "remote", "manual"]
+      - ["Azure::Core::Http", "RawResponse", True, "ExtractBodyStream", "", "", "ReturnValue[*]", "remote", "manual"]
+      - ["Azure::Core::Http", "Request", True, "GetHeaders", "", "", "ReturnValue", "remote", "manual"]
+      - ["Azure::Core::Http", "Request", True, "GetHeader", "", "", "ReturnValue", "remote", "manual"]
+      - ["Azure::Core::Http", "Request", True, "GetBodyStream", "", "", "ReturnValue[*]", "remote", "manual"]
+
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["Azure::Core", "Url", True, "Url", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "SetScheme", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "SetHost", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "SetPort", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "SetPath", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "SetQueryParameters", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "AppendPath", "", "", "Argument[*0]", "Argument[-1]", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "AppendQueryParameter", "", "", "Argument[*1]", "Argument[-1]", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "GetHost", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "GetPath", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "GetPort", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "GetQueryParameters", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "GetScheme", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "GetRelativeUrl", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "GetAbsoluteUrl", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "Decode", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
+      - ["Azure::Core", "Url", True, "Encode", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
+      - ["Azure::Core::IO", "BodyStream", True, "Read", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
+      - ["Azure::Core::IO", "BodyStream", True, "ReadToCount", "", "", "Argument[-1]", "Argument[*0]", "taint", "manual"]
+      - ["Azure::Core::IO", "BodyStream", True, "ReadToEnd", "", "", "Argument[-1]", "ReturnValue.Element", "taint", "manual"]
+      - ["Azure", "Nullable", True, "Nullable", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["Azure", "Nullable", True, "operator=", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
+      - ["Azure", "Nullable", True, "Value", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["Azure", "Nullable", True, "operator->", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]
+      - ["Azure", "Nullable", True, "operator*", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 7.1.0
+version: 7.1.1
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll

@@ -64,17 +64,27 @@ private string getMultiLocationFilePath(@element e) {
 overlay[local]
 private predicate isBase() { not isOverlay() }
 
+/**
+ * Holds if `path` was extracted in the overlay database.
+ */
+overlay[local]
+private predicate overlayHasFile(string path) {
+  isOverlay() and
+  files(_, path) and
+  path != ""
+}
+
 /**
  * Discards an element from the base variant if:
- * - It has a single location in a changed file, or
- * - All of its locations are in changed files.
+ * - It has a single location in a file extracted in the overlay, or
+ * - All of its locations are in files extracted in the overlay.
  */
 overlay[discard_entity]
 private predicate discardElement(@element e) {
   isBase() and
   (
-    overlayChangedFiles(getSingleLocationFilePath(e))
+    overlayHasFile(getSingleLocationFilePath(e))
     or
-    forex(string path | path = getMultiLocationFilePath(e) | overlayChangedFiles(path))
+    forex(string path | path = getMultiLocationFilePath(e) | overlayHasFile(path))
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -1726,9 +1726,7 @@ private module Cached {
       SsaImpl::ssaFlow(n, succ) and
       bb1 = n.getBasicBlock() and
       bb2 = succ.getBasicBlock() and
-      bb1 != bb2 and
-      bb2.dominates(bb1) and
-      bb1.getASuccessor+() = bb2
+      bb2.strictlyDominates(bb1)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -390,7 +390,7 @@ class TranslatedDeclStmt extends TranslatedStmt {
 
   override TranslatedElement getLastChild() { result = this.getChild(this.getChildCount() - 1) }
 
-  private int getChildCount() { result = count(this.getDeclarationEntry(_)) }
+  private int getChildCount() { result = count(int i | exists(this.getDeclarationEntry(i))) }
 
   IRDeclarationEntry getIRDeclarationEntry(int index) {
     result.hasIndex(index) and

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -57,3 +57,4 @@ private import implementations.CAtlFile
 private import implementations.CAtlFileMapping
 private import implementations.CAtlTemporaryFile
 private import implementations.CRegKey
+private import implementations.WinHttp

cpp/ql/lib/semmle/code/cpp/models/implementations/WinHttp.qll

@@ -0,0 +1,50 @@
+private import cpp
+private import semmle.code.cpp.ir.dataflow.FlowSteps
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/** The `WINHTTP_HEADER_NAME` class from `winhttp.h`. */
+class WinHttpHeaderName extends Class {
+  WinHttpHeaderName() { this.hasGlobalName("_WINHTTP_HEADER_NAME") }
+}
+
+/** The `WINHTTP_EXTENDED_HEADER` class from `winhttp.h`. */
+class WinHttpExtendedHeader extends Class {
+  WinHttpExtendedHeader() { this.hasGlobalName("_WINHTTP_EXTENDED_HEADER") }
+}
+
+private class WinHttpHeaderNameInheritingContent extends TaintInheritingContent,
+  DataFlow::FieldContent
+{
+  WinHttpHeaderNameInheritingContent() {
+    this.getIndirectionIndex() = 2 and
+    (
+      this.getAField().getDeclaringType() instanceof WinHttpHeaderName
+      or
+      // The extended header looks like:
+      // struct WINHTTP_EXTENDED_HEADER {
+      //   union { [...] };
+      //   union { [...] };
+      // };
+      // So the first declaring type is the anonymous unions, and the declaring
+      // type of those anonymous unions is the `WINHTTP_EXTENDED_HEADER` struct.
+      this.getAField().getDeclaringType().getDeclaringType() instanceof WinHttpExtendedHeader
+    )
+  }
+}
+
+/** The `URL_COMPONENTS` class from `winhttp.h`. */
+class WinHttpUrlComponents extends Class {
+  WinHttpUrlComponents() { this.hasGlobalName("_WINHTTP_URL_COMPONENTS") }
+}
+
+private class WinHttpUrlComponentsInheritingContent extends TaintInheritingContent,
+  DataFlow::FieldContent
+{
+  WinHttpUrlComponentsInheritingContent() {
+    exists(Field f | f = this.getField() and f.getDeclaringType() instanceof WinHttpUrlComponents |
+      if f.getType().getUnspecifiedType() instanceof PointerType
+      then this.getIndirectionIndex() = 2
+      else this.getIndirectionIndex() = 1
+    )
+  }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll

@@ -404,7 +404,7 @@ predicate cmpWithLinearBound(
  * For example, if `t` is a signed 32-bit type then holds if `lb` is
  * `-2^31` and `ub` is `2^31 - 1`.
  */
-private predicate typeBounds(ArithmeticType t, float lb, float ub) {
+private predicate typeBounds0(ArithmeticType t, float lb, float ub) {
   exists(IntegralType integralType, float limit |
     integralType = t and limit = 2.pow(8 * integralType.getSize())
   |
@@ -423,6 +423,42 @@ private predicate typeBounds(ArithmeticType t, float lb, float ub) {
   t instanceof FloatingPointType and lb = -(1.0 / 0.0) and ub = 1.0 / 0.0
 }
 
+/**
+ * Gets the underlying type for an enumeration `e`.
+ *
+ * If the enumeration does not have an explicit type we approximate it using
+ * the following rules:
+ * - The result type is always `signed`, and
+ * - if the largest value fits in an `int` the result is `int`. Otherwise, the
+ * result is `long`.
+ */
+private IntegralType getUnderlyingTypeForEnum(Enum e) {
+  result = e.getExplicitUnderlyingType()
+  or
+  not e.hasExplicitUnderlyingType() and
+  result.isSigned() and
+  exists(IntType intType |
+    if max(e.getAnEnumConstant().getValue().toFloat()) >= 2.pow(8 * intType.getSize() - 1)
+    then result instanceof LongType
+    else result = intType
+  )
+}
+
+/**
+ * Holds if `lb` and `ub` are the lower and upper bounds of the unspecified
+ * type `t`.
+ *
+ * For example, if `t` is a signed 32-bit type then holds if `lb` is
+ * `-2^31` and `ub` is `2^31 - 1`.
+ *
+ * Unlike `typeBounds0`, this predicate also handles `Enum` types.
+ */
+private predicate typeBounds(Type t, float lb, float ub) {
+  typeBounds0(t, lb, ub)
+  or
+  typeBounds0(getUnderlyingTypeForEnum(t), lb, ub)
+}
+
 private Type stripReference(Type t) {
   if t instanceof ReferenceType then result = t.(ReferenceType).getBaseType() else result = t
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -512,8 +512,8 @@ private module BoundsEstimate {
    */
   float getBoundsLimit() {
     // This limit is arbitrary, but low enough that it prevents timeouts on
-    // specific observed customer databases (and the in the tests).
-    result = 2.0.pow(40)
+    // specific observed customer databases (and in the tests).
+    result = 2.0.pow(29)
   }
 
   /** Gets the maximum number of bounds possible for `t` when widening is used. */

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -236,6 +236,34 @@ extractor_version(
     string frontend_version: string ref
 )
 
+/**
+ * Gives the TRAP filename that `trap` is associated with.
+ * For debugging only.
+ */
+trap_filename(
+    int trap: @trap,
+    string filename: string ref
+);
+
+/**
+ * In `build-mode: none` overlay mode, indicates that `source_file`
+ * (`/path/to/foo.c`) uses the TRAP file `trap_file`; i.e. it is the
+ * TRAP file corresponding to `foo.c`, something it transitively
+ * includes, or a template instantiation it transitively uses.
+ */
+source_file_uses_trap(
+    string source_file: string ref,
+    int trap_file: @trap ref
+);
+
+/**
+ * Holds if there is a definition of `element` in TRAP file `trap_file`.
+ */
+in_trap(
+    int element: @element ref,
+    int trap_file: @trap ref
+);
+
 pch_uses(
     int pch: @pch ref,
     int compilation: @compilation ref,

cpp/ql/lib/upgrades/9439176c1d1312787926458dd54d65a849069118/upgrade.properties

@@ -0,0 +1,2 @@
+description: Add trap_filename, source_file_uses_trap and in_trap relations
+compatibility: full

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.5.11
+
+No user-facing changes.
+
 ## 1.5.10
 
 No user-facing changes.

cpp/ql/src/change-notes/released/1.5.11.md

@@ -0,0 +1,3 @@
+## 1.5.11
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.10
+lastReleaseVersion: 1.5.11

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.10
+version: 1.5.11
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/dataflow/external-models/azure.cpp

@@ -0,0 +1,297 @@
+using uint16_t = unsigned short;
+using int64_t = long long;
+using size_t = unsigned long;
+using uint8_t = unsigned char;
+using int32_t = int;
+using uint32_t = unsigned int;
+
+namespace std
+{
+  class string
+  {
+  public:
+    string();
+    string(const char *);
+    ~string();
+  };
+
+  template <typename K, typename V>
+  class map
+  {
+  public:
+    map();
+    ~map();
+
+    V& operator[](const K& key);
+  };
+
+  template <typename T>
+  class vector
+  {
+  public:
+    vector();
+    ~vector();
+
+    T& operator[](size_t);
+  };
+
+  template<typename T>
+  class unique_ptr {
+  public:
+    unique_ptr();
+    ~unique_ptr();
+
+    T* get();
+  };
+}
+
+namespace Azure
+{
+  template <typename T>
+    class Nullable
+    {
+    public:
+      Nullable();
+      Nullable(const T);
+      Nullable(const Nullable &);
+      ~Nullable();
+      Nullable (Nullable &&);
+      Nullable & operator= (const Nullable &);
+      bool HasValue() const;
+      const T & Value () const;
+      T& Value ();
+      const T * operator-> () const;
+      T * operator-> ();
+      const T & operator* () const;
+      T & operator* ();
+    };
+
+  namespace Core
+  {
+    class Url
+    {
+    public:
+      Url();
+      Url(const std::string &);
+      void AppendPath(const std::string &encodedPath);
+      void AppendQueryParameter(const std::string &encodedKey,
+                                const std::string &encodedValue);
+
+      static std::string Url::Decode(const std::string &value);
+      static std::string Url::Encode(const std::string &value,
+                                     const std::string &doNotEncodeSymbols = "");
+
+      std::string Url::GetAbsoluteUrl() const;
+      const std::string &GetHost() const;
+      const std::string &GetPath() const;
+      uint16_t GetPort() const;
+      std::map<std::string, std::string> GetQueryParameters() const;
+      std::string Url::GetRelativeUrl() const;
+      const std::string &GetScheme() const;
+      void RemoveQueryParameter(const std::string &encodedKey);
+      void SetHost(const std::string &encodedHost);
+      void SetPath(const std::string &encodedPath);
+      void SetPort(uint16_t port);
+      void SetQueryParameters(std::map<std::string, std::string> queryParameters);
+      void SetScheme(const std::string &scheme);
+    };
+
+    class Context
+    {
+    public:
+      Context();
+    };
+
+    namespace IO
+    {
+      class BodyStream
+      {
+      public:
+        virtual ~BodyStream();
+        virtual int64_t Length() const = 0;
+        virtual void Rewind();
+        size_t Read(uint8_t *buffer, size_t count, Azure::Core::Context const &context = Azure::Core::Context());
+        size_t ReadToCount(uint8_t *buffer, size_t count, Azure::Core::Context const &context = Azure::Core::Context());
+        std::vector<uint8_t> ReadToEnd(Azure::Core::Context const &context = Azure::Core::Context());
+      };
+    }
+
+    enum class HttpStatusCode {
+      None = 0,
+      Continue = 100,
+      SwitchingProtocols = 101,
+      Processing = 102,
+      EarlyHints = 103,
+      OK = 200,
+      Created = 201,
+      Accepted = 202,
+      NonAuthoritativeInformation = 203,
+      NoContent = 204,
+      ResetContent = 205,
+      PartialContent = 206,
+      MultiStatus = 207,
+      AlreadyReported = 208,
+      IMUsed = 226,
+      MultipleChoices = 300,
+      MovedPermanently = 301,
+      Found = 302,
+      SeeOther = 303,
+      NotModified = 304,
+      UseProxy = 305,
+      TemporaryRedirect = 307,
+      PermanentRedirect = 308,
+      BadRequest = 400,
+      Unauthorized = 401,
+      PaymentRequired = 402,
+      Forbidden = 403,
+      NotFound = 404,
+      MethodNotAllowed = 405,
+      NotAcceptable = 406,
+      ProxyAuthenticationRequired = 407,
+      RequestTimeout = 408,
+      Conflict = 409,
+      Gone = 410,
+      LengthRequired = 411,
+      PreconditionFailed = 412,
+      PayloadTooLarge = 413,
+      URITooLong = 414,
+      UnsupportedMediaType = 415,
+      RangeNotSatisfiable = 416,
+      ExpectationFailed = 417,
+      MisdirectedRequest = 421,
+      UnprocessableEntity = 422,
+      Locked = 423,
+      FailedDependency = 424,
+      TooEarly = 425,
+      UpgradeRequired = 426,
+      PreconditionRequired = 428,
+      TooManyRequests = 429,
+      RequestHeaderFieldsTooLarge = 431,
+      UnavailableForLegalReasons = 451,
+      InternalServerError = 500,
+      NotImplemented = 501,
+      BadGateway = 502,
+      ServiceUnavailable = 503,
+      GatewayTimeout = 504,
+      HTTPVersionNotSupported = 505,
+      VariantAlsoNegotiates = 506,
+      InsufficientStorage = 507,
+      LoopDetected = 508,
+      NotExtended = 510,
+      NetworkAuthenticationRequired = 511
+    };
+
+    namespace Http
+    {
+      class HttpMethod
+      {
+      public:
+        HttpMethod(std::string value);
+        bool operator==(const HttpMethod &other) const;
+        bool operator!=(const HttpMethod &other) const;
+        const std::string &ToString() const;
+      };
+
+      extern const HttpMethod Get;
+      extern const HttpMethod Head;
+      extern const HttpMethod Post;
+      extern const HttpMethod Put;
+      extern const HttpMethod Delete;
+      extern const HttpMethod Patch;
+      extern const HttpMethod Options;
+
+      class Request
+      {
+      public:
+        explicit Request(HttpMethod httpMethod,
+                         Url url);
+        explicit Request(HttpMethod httpMethod,
+                         Url url,
+                         bool shouldBufferResponse);
+        explicit Request(HttpMethod httpMethod,
+                         Url url,
+                         IO::BodyStream *bodyStream);
+        explicit Request(HttpMethod httpMethod,
+                         Url url,
+                         IO::BodyStream *bodyStream,
+                         bool shouldBufferResponse);
+        std::map<std::string, std::string> GetHeaders () const;
+        Azure::Nullable<std::string> GetHeader(std::string const &name);
+        IO::BodyStream * GetBodyStream();
+        Azure::Core::IO::BodyStream const* GetBodyStream () const;
+      };
+
+      class RawResponse {
+        public:
+        RawResponse (int32_t majorVersion, int32_t minorVersion, HttpStatusCode statusCode, std::string const &reasonPhrase);
+        RawResponse (RawResponse const &response);
+        RawResponse (RawResponse &&response);
+        ~RawResponse ();
+        void SetHeader (std::string const &name, std::string const &value);
+        void SetBodyStream (std::unique_ptr< Azure::Core::IO::BodyStream > stream);
+        void SetBody (std::vector< uint8_t > body);
+        uint32_t GetMajorVersion () const;
+        uint32_t GetMinorVersion () const;
+        HttpStatusCode GetStatusCode () const;
+        std::string const & GetReasonPhrase () const;
+        std::map<std::string, std::string>& GetHeaders () const;
+        std::unique_ptr<Azure::Core::IO::BodyStream> ExtractBodyStream ();
+        std::vector<uint8_t> & GetBody ();
+        std::vector<uint8_t> const& GetBody() const;
+      };
+    }
+  }
+}
+
+void sink(char);
+void sink(std::string);
+void sink(std::vector<uint8_t>);
+void sink(Azure::Nullable<std::string>);
+
+void test_BodyStream() {
+  Azure::Core::Http::Request request(Azure::Core::Http::Get, Azure::Core::Url("http://example.com"));
+  Azure::Core::IO::BodyStream * resp = request.GetBodyStream();
+  
+  {
+    unsigned char buffer[1024];
+    resp->Read(buffer, sizeof(buffer));
+    sink(*buffer); // $ ir
+  }
+  {
+    unsigned char buffer[1024];
+    resp->ReadToCount(buffer, sizeof(buffer));
+    sink(*buffer); // $ ir
+  }
+  {
+    std::vector<unsigned char> vec = resp->ReadToEnd();
+    sink(vec); // $ ir
+  }
+}
+
+void test_RawResponse(Azure::Core::Http::RawResponse& resp) {
+  {
+    std::map<std::string, std::string> body = resp.GetHeaders();
+    sink(body["Content-Type"]); // $ ir
+  }
+  {
+    std::vector<uint8_t> body = resp.GetBody();
+    sink(body); // $ ir
+  }
+  {
+    std::unique_ptr<Azure::Core::IO::BodyStream> bodyStream = resp.ExtractBodyStream();
+    sink(bodyStream.get()->ReadToEnd()); // $ ir
+  }
+}
+
+void test_GetHeader() {
+  Azure::Core::Http::Request request(Azure::Core::Http::Get, Azure::Core::Url("http://example.com"));
+  {
+    auto headerValue = request.GetHeader("Content-Type").Value();
+    sink(headerValue); // $ ir
+  }
+  {
+    std::map<std::string, std::string> headers = request.GetHeaders();
+    std::string contentType = headers["Content-Type"];
+    sink(contentType); // $ ir
+  }
+}

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -14,45 +14,111 @@ models
 | 13 | Source: ; ; false; NtReadFile; ; ; Argument[*5]; local; manual |
 | 14 | Source: ; ; false; ReadFile; ; ; Argument[*1]; local; manual |
 | 15 | Source: ; ; false; ReadFileEx; ; ; Argument[*1]; local; manual |
-| 16 | Source: ; ; false; ymlSource; ; ; ReturnValue; local; manual |
-| 17 | Source: boost::asio; ; false; read_until; ; ; Argument[*1]; remote; manual |
-| 18 | Summary: ; ; false; CommandLineToArgvA; ; ; Argument[*0]; ReturnValue[**]; taint; manual |
-| 19 | Summary: ; ; false; CreateRemoteThread; ; ; Argument[@4]; Argument[3].Parameter[@0]; value; manual |
-| 20 | Summary: ; ; false; CreateRemoteThreadEx; ; ; Argument[@4]; Argument[3].Parameter[@0]; value; manual |
-| 21 | Summary: ; ; false; CreateThread; ; ; Argument[@3]; Argument[2].Parameter[@0]; value; manual |
-| 22 | Summary: ; ; false; ReadFileEx; ; ; Argument[*3].Field[@hEvent]; Argument[4].Parameter[*2].Field[@hEvent]; value; manual |
-| 23 | Summary: ; ; false; RtlCopyDeviceMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
-| 24 | Summary: ; ; false; RtlCopyMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
-| 25 | Summary: ; ; false; RtlCopyMemoryNonTemporal; ; ; Argument[*@1]; Argument[*@0]; value; manual |
-| 26 | Summary: ; ; false; RtlCopyUnicodeString; ; ; Argument[*1].Field[*Buffer]; Argument[*0].Field[*Buffer]; value; manual |
-| 27 | Summary: ; ; false; RtlCopyVolatileMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
-| 28 | Summary: ; ; false; RtlInitUnicodeString; ; ; Argument[*1]; Argument[*0].Field[*Buffer]; value; manual |
-| 29 | Summary: ; ; false; RtlMoveMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
-| 30 | Summary: ; ; false; RtlMoveVolatileMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
-| 31 | Summary: ; ; false; callWithArgument; ; ; Argument[1]; Argument[0].Parameter[0]; value; manual |
-| 32 | Summary: ; ; false; callWithNonTypeTemplate<T>; (const T &); ; Argument[*0]; ReturnValue; value; manual |
-| 33 | Summary: ; ; false; pthread_create; ; ; Argument[@3]; Argument[2].Parameter[@0]; value; manual |
-| 34 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
-| 35 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
-| 36 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
-| 37 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
+| 16 | Source: ; ; false; WinHttpQueryHeaders; ; ; Argument[*3]; remote; manual |
+| 17 | Source: ; ; false; WinHttpQueryHeadersEx; ; ; Argument[**8]; remote; manual |
+| 18 | Source: ; ; false; WinHttpQueryHeadersEx; ; ; Argument[*5]; remote; manual |
+| 19 | Source: ; ; false; WinHttpQueryHeadersEx; ; ; Argument[*6]; remote; manual |
+| 20 | Source: ; ; false; WinHttpReadData; ; ; Argument[*1]; remote; manual |
+| 21 | Source: ; ; false; WinHttpReadDataEx; ; ; Argument[*1]; remote; manual |
+| 22 | Source: ; ; false; ymlSource; ; ; ReturnValue; local; manual |
+| 23 | Source: Azure::Core::Http; RawResponse; true; ExtractBodyStream; ; ; ReturnValue[*]; remote; manual |
+| 24 | Source: Azure::Core::Http; RawResponse; true; GetBody; ; ; ReturnValue[*]; remote; manual |
+| 25 | Source: Azure::Core::Http; RawResponse; true; GetHeaders; ; ; ReturnValue[*]; remote; manual |
+| 26 | Source: Azure::Core::Http; Request; true; GetBodyStream; ; ; ReturnValue[*]; remote; manual |
+| 27 | Source: Azure::Core::Http; Request; true; GetHeader; ; ; ReturnValue; remote; manual |
+| 28 | Source: Azure::Core::Http; Request; true; GetHeaders; ; ; ReturnValue; remote; manual |
+| 29 | Source: boost::asio; ; false; read_until; ; ; Argument[*1]; remote; manual |
+| 30 | Summary: ; ; false; CommandLineToArgvA; ; ; Argument[*0]; ReturnValue[**]; taint; manual |
+| 31 | Summary: ; ; false; CreateRemoteThread; ; ; Argument[@4]; Argument[3].Parameter[@0]; value; manual |
+| 32 | Summary: ; ; false; CreateRemoteThreadEx; ; ; Argument[@4]; Argument[3].Parameter[@0]; value; manual |
+| 33 | Summary: ; ; false; CreateThread; ; ; Argument[@3]; Argument[2].Parameter[@0]; value; manual |
+| 34 | Summary: ; ; false; ReadFileEx; ; ; Argument[*3].Field[@hEvent]; Argument[4].Parameter[*2].Field[@hEvent]; value; manual |
+| 35 | Summary: ; ; false; RtlCopyDeviceMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
+| 36 | Summary: ; ; false; RtlCopyMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
+| 37 | Summary: ; ; false; RtlCopyMemoryNonTemporal; ; ; Argument[*@1]; Argument[*@0]; value; manual |
+| 38 | Summary: ; ; false; RtlCopyUnicodeString; ; ; Argument[*1].Field[*Buffer]; Argument[*0].Field[*Buffer]; value; manual |
+| 39 | Summary: ; ; false; RtlCopyVolatileMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
+| 40 | Summary: ; ; false; RtlInitUnicodeString; ; ; Argument[*1]; Argument[*0].Field[*Buffer]; value; manual |
+| 41 | Summary: ; ; false; RtlMoveMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
+| 42 | Summary: ; ; false; RtlMoveVolatileMemory; ; ; Argument[*@1]; Argument[*@0]; value; manual |
+| 43 | Summary: ; ; false; WinHttpCrackUrl; ; ; Argument[*0]; Argument[*3]; taint; manual |
+| 44 | Summary: ; ; false; callWithArgument; ; ; Argument[1]; Argument[0].Parameter[0]; value; manual |
+| 45 | Summary: ; ; false; callWithNonTypeTemplate<T>; (const T &); ; Argument[*0]; ReturnValue; value; manual |
+| 46 | Summary: ; ; false; pthread_create; ; ; Argument[@3]; Argument[2].Parameter[@0]; value; manual |
+| 47 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
+| 48 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
+| 49 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
+| 50 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 51 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 52 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
+| 53 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
+| 54 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
 edges
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:37 |
-| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:17  |
-| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:17 Sink:MaD:2 |
+| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:54 |
+| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:29  |
+| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:29 Sink:MaD:2 |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:100:64:100:71 | *send_str | provenance | TaintFunction |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:100:44:100:62 | call to buffer | provenance |  |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance |  |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:37 |
-| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:35 |
-| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:34 |
-| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:36 |
+| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:54 |
+| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:53 |
+| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:50 |
+| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:51 |
+| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:52 |
+| azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | provenance |  |
+| azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:253:48:253:60 | *call to GetBodyStream | provenance | Src:MaD:26  |
+| azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:257:5:257:8 | *resp | provenance |  |
+| azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:262:5:262:8 | *resp | provenance |  |
+| azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:266:38:266:41 | *resp | provenance |  |
+| azure.cpp:257:5:257:8 | *resp | azure.cpp:113:16:113:19 | [summary param] this in Read | provenance |  |
+| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:50 |
+| azure.cpp:257:16:257:21 | Read output argument | azure.cpp:258:10:258:16 | * ... | provenance |  |
+| azure.cpp:262:5:262:8 | *resp | azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | provenance |  |
+| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:51 |
+| azure.cpp:262:23:262:28 | ReadToCount output argument | azure.cpp:263:10:263:16 | * ... | provenance |  |
+| azure.cpp:266:38:266:41 | *resp | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
+| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:52 |
+| azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance |  |
+| azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:267:10:267:12 | vec [element] | provenance |  |
+| azure.cpp:267:10:267:12 | vec [element] | azure.cpp:267:10:267:12 | vec | provenance |  |
+| azure.cpp:273:62:273:64 | call to GetHeaders | azure.cpp:273:62:273:64 | call to GetHeaders | provenance | Src:MaD:25  |
+| azure.cpp:273:62:273:64 | call to GetHeaders | azure.cpp:274:14:274:29 | call to operator[] | provenance | TaintFunction |
+| azure.cpp:273:62:273:64 | call to GetHeaders | azure.cpp:274:14:274:29 | call to operator[] | provenance | TaintFunction |
+| azure.cpp:273:62:273:64 | call to GetHeaders | azure.cpp:274:14:274:29 | call to operator[] | provenance | TaintFunction |
+| azure.cpp:274:14:274:29 | call to operator[] | azure.cpp:274:10:274:29 | call to operator[] | provenance |  |
+| azure.cpp:274:14:274:29 | call to operator[] | azure.cpp:274:14:274:29 | call to operator[] | provenance |  |
+| azure.cpp:277:45:277:47 | call to GetBody | azure.cpp:277:45:277:47 | call to GetBody | provenance | Src:MaD:24  |
+| azure.cpp:277:45:277:47 | call to GetBody | azure.cpp:278:10:278:13 | body | provenance |  |
+| azure.cpp:277:45:277:47 | call to GetBody | azure.cpp:278:10:278:13 | body | provenance |  |
+| azure.cpp:278:10:278:13 | body | azure.cpp:278:10:278:13 | body | provenance |  |
+| azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | provenance | Src:MaD:23  |
+| azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:282:21:282:23 | *call to get | provenance |  |
+| azure.cpp:282:21:282:23 | *call to get | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
+| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:52 |
+| azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:10:282:38 | call to ReadToEnd | provenance |  |
+| azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance |  |
+| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:62:10:62:14 | [summary param] this in Value | provenance |  |
+| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:53 |
+| azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:24:289:56 | call to GetHeader | provenance |  |
+| azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:32:289:40 | call to GetHeader | provenance | Src:MaD:27  |
+| azure.cpp:289:63:289:65 | call to Value | azure.cpp:289:63:289:65 | call to Value | provenance |  |
+| azure.cpp:289:63:289:65 | call to Value | azure.cpp:290:10:290:20 | headerValue | provenance |  |
+| azure.cpp:289:63:289:65 | call to Value | azure.cpp:290:10:290:20 | headerValue | provenance |  |
+| azure.cpp:290:10:290:20 | headerValue | azure.cpp:290:10:290:20 | headerValue | provenance |  |
+| azure.cpp:293:58:293:67 | call to GetHeaders | azure.cpp:293:58:293:67 | call to GetHeaders | provenance | Src:MaD:28  |
+| azure.cpp:293:58:293:67 | call to GetHeaders | azure.cpp:294:38:294:53 | call to operator[] | provenance | TaintFunction |
+| azure.cpp:294:38:294:53 | call to operator[] | azure.cpp:295:10:295:20 | contentType | provenance |  |
+| azure.cpp:294:38:294:53 | call to operator[] | azure.cpp:295:10:295:20 | contentType | provenance |  |
+| azure.cpp:295:10:295:20 | contentType | azure.cpp:295:10:295:20 | contentType | provenance |  |
+| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:48 |
+| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:47 |
+| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:49 |
 | test.cpp:7:47:7:52 | value2 | test.cpp:7:64:7:69 | value2 | provenance |  |
 | test.cpp:7:64:7:69 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | provenance |  |
-| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:16  |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:22  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:14:10:14:10 | x | provenance | Sink:MaD:1 |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:17:24:17:24 | x | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:21:27:21:27 | x | provenance |  |
@@ -61,15 +127,15 @@ edges
 | test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual | provenance |  |
 | test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:18:10:18:10 | y | provenance | Sink:MaD:1 |
 | test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | provenance |  |
-| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:35 |
+| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:48 |
 | test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance |  |
 | test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:22:10:22:10 | z | provenance | Sink:MaD:1 |
 | test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | provenance |  |
-| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:34 |
+| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:47 |
 | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance |  |
 | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:26:10:26:11 | y2 | provenance | Sink:MaD:1 |
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | provenance |  |
-| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:36 |
+| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:49 |
 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance |  |
 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:33:10:33:11 | z2 | provenance | Sink:MaD:1 |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | provenance |  |
@@ -77,16 +143,16 @@ edges
 | test.cpp:46:30:46:32 | *arg [x] | test.cpp:47:12:47:19 | *arg [x] | provenance |  |
 | test.cpp:47:12:47:19 | *arg [x] | test.cpp:48:13:48:13 | *s [x] | provenance |  |
 | test.cpp:48:13:48:13 | *s [x] | test.cpp:48:16:48:16 | x | provenance | Sink:MaD:1 |
-| test.cpp:52:5:52:18 | [summary param] *3 in pthread_create [x] | test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | provenance | MaD:33 |
+| test.cpp:52:5:52:18 | [summary param] *3 in pthread_create [x] | test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | provenance | MaD:46 |
 | test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | test.cpp:46:30:46:32 | *arg [x] | provenance |  |
 | test.cpp:56:2:56:2 | *s [post update] [x] | test.cpp:59:55:59:64 | *& ... [x] | provenance |  |
 | test.cpp:56:2:56:18 | ... = ... | test.cpp:56:2:56:2 | *s [post update] [x] | provenance |  |
-| test.cpp:56:8:56:16 | call to ymlSource | test.cpp:56:2:56:18 | ... = ... | provenance | Src:MaD:16  |
+| test.cpp:56:8:56:16 | call to ymlSource | test.cpp:56:2:56:18 | ... = ... | provenance | Src:MaD:22  |
 | test.cpp:59:55:59:64 | *& ... [x] | test.cpp:52:5:52:18 | [summary param] *3 in pthread_create [x] | provenance |  |
-| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:31 |
-| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:31 |
-| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:31 |
-| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:31 |
+| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:44 |
+| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:44 |
+| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:44 |
+| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:44 |
 | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | test.cpp:68:22:68:22 | y | provenance |  |
 | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | test.cpp:74:22:74:22 | y | provenance |  |
 | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | test.cpp:82:22:82:22 | y | provenance |  |
@@ -95,7 +161,7 @@ edges
 | test.cpp:74:22:74:22 | y | test.cpp:75:11:75:11 | y | provenance | Sink:MaD:1 |
 | test.cpp:82:22:82:22 | y | test.cpp:83:11:83:11 | y | provenance | Sink:MaD:1 |
 | test.cpp:88:22:88:22 | y | test.cpp:89:11:89:11 | y | provenance | Sink:MaD:1 |
-| test.cpp:94:10:94:18 | call to ymlSource | test.cpp:94:10:94:18 | call to ymlSource | provenance | Src:MaD:16  |
+| test.cpp:94:10:94:18 | call to ymlSource | test.cpp:94:10:94:18 | call to ymlSource | provenance | Src:MaD:22  |
 | test.cpp:94:10:94:18 | call to ymlSource | test.cpp:97:26:97:26 | x | provenance |  |
 | test.cpp:94:10:94:18 | call to ymlSource | test.cpp:101:26:101:26 | x | provenance |  |
 | test.cpp:94:10:94:18 | call to ymlSource | test.cpp:103:63:103:63 | x | provenance |  |
@@ -104,28 +170,28 @@ edges
 | test.cpp:101:26:101:26 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance |  |
 | test.cpp:103:63:103:63 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance |  |
 | test.cpp:104:62:104:62 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance |  |
-| test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | provenance | MaD:32 |
-| test.cpp:114:10:114:18 | call to ymlSource | test.cpp:114:10:114:18 | call to ymlSource | provenance | Src:MaD:16  |
+| test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | provenance | MaD:45 |
+| test.cpp:114:10:114:18 | call to ymlSource | test.cpp:114:10:114:18 | call to ymlSource | provenance | Src:MaD:22  |
 | test.cpp:114:10:114:18 | call to ymlSource | test.cpp:118:44:118:44 | *x | provenance |  |
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance |  |
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:119:10:119:11 | y2 | provenance | Sink:MaD:1 |
 | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | provenance |  |
-| test.cpp:118:44:118:44 | *x | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance | MaD:32 |
-| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:18 |
+| test.cpp:118:44:118:44 | *x | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance | MaD:45 |
+| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:30 |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:27:36:27:38 | *cmd | provenance |  |
 | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance |  |
 | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | windows.cpp:30:8:30:15 | * ... | provenance |  |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | provenance |  |
-| windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance | MaD:18 |
+| windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance | MaD:30 |
 | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | provenance | Src:MaD:4  |
 | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:36:10:36:13 | * ... | provenance |  |
 | windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | windows.cpp:41:10:41:13 | * ... | provenance | Src:MaD:5  |
 | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [*hEvent] | windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | provenance |  |
 | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [hEvent] | windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | provenance |  |
-| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | provenance | MaD:22 |
-| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | provenance | MaD:22 |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | provenance | MaD:34 |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | provenance | MaD:34 |
 | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | windows.cpp:147:16:147:27 | *lpOverlapped [*hEvent] | provenance |  |
 | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [hEvent] | windows.cpp:157:16:157:27 | *lpOverlapped [hEvent] | provenance |  |
 | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | provenance |  |
@@ -173,11 +239,11 @@ edges
 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | provenance | Src:MaD:12  |
 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:333:20:333:52 | *pMapView | provenance |  |
 | windows.cpp:333:20:333:52 | *pMapView | windows.cpp:335:10:335:16 | * ... | provenance |  |
-| windows.cpp:349:8:349:19 | [summary param] *3 in CreateThread [x] | windows.cpp:349:8:349:19 | [summary] to write: Argument[2].Parameter[*0] in CreateThread [x] | provenance | MaD:21 |
+| windows.cpp:349:8:349:19 | [summary param] *3 in CreateThread [x] | windows.cpp:349:8:349:19 | [summary] to write: Argument[2].Parameter[*0] in CreateThread [x] | provenance | MaD:33 |
 | windows.cpp:349:8:349:19 | [summary] to write: Argument[2].Parameter[*0] in CreateThread [x] | windows.cpp:403:26:403:36 | *lpParameter [x] | provenance |  |
-| windows.cpp:357:8:357:25 | [summary param] *4 in CreateRemoteThread [x] | windows.cpp:357:8:357:25 | [summary] to write: Argument[3].Parameter[*0] in CreateRemoteThread [x] | provenance | MaD:19 |
+| windows.cpp:357:8:357:25 | [summary param] *4 in CreateRemoteThread [x] | windows.cpp:357:8:357:25 | [summary] to write: Argument[3].Parameter[*0] in CreateRemoteThread [x] | provenance | MaD:31 |
 | windows.cpp:357:8:357:25 | [summary] to write: Argument[3].Parameter[*0] in CreateRemoteThread [x] | windows.cpp:410:26:410:36 | *lpParameter [x] | provenance |  |
-| windows.cpp:387:8:387:27 | [summary param] *4 in CreateRemoteThreadEx [x] | windows.cpp:387:8:387:27 | [summary] to write: Argument[3].Parameter[*0] in CreateRemoteThreadEx [x] | provenance | MaD:20 |
+| windows.cpp:387:8:387:27 | [summary param] *4 in CreateRemoteThreadEx [x] | windows.cpp:387:8:387:27 | [summary] to write: Argument[3].Parameter[*0] in CreateRemoteThreadEx [x] | provenance | MaD:32 |
 | windows.cpp:387:8:387:27 | [summary] to write: Argument[3].Parameter[*0] in CreateRemoteThreadEx [x] | windows.cpp:417:26:417:36 | *lpParameter [x] | provenance |  |
 | windows.cpp:403:26:403:36 | *lpParameter [x] | windows.cpp:405:10:405:25 | *lpParameter [x] | provenance |  |
 | windows.cpp:405:10:405:25 | *lpParameter [x] | windows.cpp:406:8:406:8 | *s [x] | provenance |  |
@@ -196,17 +262,17 @@ edges
 | windows.cpp:439:7:439:8 | *& ... [x] | windows.cpp:349:8:349:19 | [summary param] *3 in CreateThread [x] | provenance |  |
 | windows.cpp:451:7:451:8 | *& ... [x] | windows.cpp:357:8:357:25 | [summary param] *4 in CreateRemoteThread [x] | provenance |  |
 | windows.cpp:464:7:464:8 | *& ... [x] | windows.cpp:387:8:387:27 | [summary param] *4 in CreateRemoteThreadEx [x] | provenance |  |
-| windows.cpp:473:17:473:37 | [summary param] *1 in RtlCopyVolatileMemory | windows.cpp:473:17:473:37 | [summary param] *0 in RtlCopyVolatileMemory [Return] | provenance | MaD:27 |
-| windows.cpp:479:17:479:35 | [summary param] *1 in RtlCopyDeviceMemory | windows.cpp:479:17:479:35 | [summary param] *0 in RtlCopyDeviceMemory [Return] | provenance | MaD:23 |
-| windows.cpp:485:6:485:18 | [summary param] *1 in RtlCopyMemory | windows.cpp:485:6:485:18 | [summary param] *0 in RtlCopyMemory [Return] | provenance | MaD:24 |
-| windows.cpp:493:6:493:29 | [summary param] *1 in RtlCopyMemoryNonTemporal | windows.cpp:493:6:493:29 | [summary param] *0 in RtlCopyMemoryNonTemporal [Return] | provenance | MaD:25 |
+| windows.cpp:473:17:473:37 | [summary param] *1 in RtlCopyVolatileMemory | windows.cpp:473:17:473:37 | [summary param] *0 in RtlCopyVolatileMemory [Return] | provenance | MaD:39 |
+| windows.cpp:479:17:479:35 | [summary param] *1 in RtlCopyDeviceMemory | windows.cpp:479:17:479:35 | [summary param] *0 in RtlCopyDeviceMemory [Return] | provenance | MaD:35 |
+| windows.cpp:485:6:485:18 | [summary param] *1 in RtlCopyMemory | windows.cpp:485:6:485:18 | [summary param] *0 in RtlCopyMemory [Return] | provenance | MaD:36 |
+| windows.cpp:493:6:493:29 | [summary param] *1 in RtlCopyMemoryNonTemporal | windows.cpp:493:6:493:29 | [summary param] *0 in RtlCopyMemoryNonTemporal [Return] | provenance | MaD:37 |
 | windows.cpp:510:6:510:25 | [summary param] *1 in RtlCopyUnicodeString [*Buffer] | windows.cpp:510:6:510:25 | [summary] read: Argument[*1].Field[*Buffer] in RtlCopyUnicodeString | provenance |  |
-| windows.cpp:510:6:510:25 | [summary] read: Argument[*1].Field[*Buffer] in RtlCopyUnicodeString | windows.cpp:510:6:510:25 | [summary] to write: Argument[*0].Field[*Buffer] in RtlCopyUnicodeString | provenance | MaD:26 |
+| windows.cpp:510:6:510:25 | [summary] read: Argument[*1].Field[*Buffer] in RtlCopyUnicodeString | windows.cpp:510:6:510:25 | [summary] to write: Argument[*0].Field[*Buffer] in RtlCopyUnicodeString | provenance | MaD:38 |
 | windows.cpp:510:6:510:25 | [summary] to write: Argument[*0] in RtlCopyUnicodeString [*Buffer] | windows.cpp:510:6:510:25 | [summary param] *0 in RtlCopyUnicodeString [Return] [*Buffer] | provenance |  |
 | windows.cpp:510:6:510:25 | [summary] to write: Argument[*0].Field[*Buffer] in RtlCopyUnicodeString | windows.cpp:510:6:510:25 | [summary] to write: Argument[*0] in RtlCopyUnicodeString [*Buffer] | provenance |  |
-| windows.cpp:515:6:515:18 | [summary param] *1 in RtlMoveMemory | windows.cpp:515:6:515:18 | [summary param] *0 in RtlMoveMemory [Return] | provenance | MaD:29 |
-| windows.cpp:521:17:521:37 | [summary param] *1 in RtlMoveVolatileMemory | windows.cpp:521:17:521:37 | [summary param] *0 in RtlMoveVolatileMemory [Return] | provenance | MaD:30 |
-| windows.cpp:527:6:527:25 | [summary param] *1 in RtlInitUnicodeString | windows.cpp:527:6:527:25 | [summary] to write: Argument[*0].Field[*Buffer] in RtlInitUnicodeString | provenance | MaD:28 |
+| windows.cpp:515:6:515:18 | [summary param] *1 in RtlMoveMemory | windows.cpp:515:6:515:18 | [summary param] *0 in RtlMoveMemory [Return] | provenance | MaD:41 |
+| windows.cpp:521:17:521:37 | [summary param] *1 in RtlMoveVolatileMemory | windows.cpp:521:17:521:37 | [summary param] *0 in RtlMoveVolatileMemory [Return] | provenance | MaD:42 |
+| windows.cpp:527:6:527:25 | [summary param] *1 in RtlInitUnicodeString | windows.cpp:527:6:527:25 | [summary] to write: Argument[*0].Field[*Buffer] in RtlInitUnicodeString | provenance | MaD:40 |
 | windows.cpp:527:6:527:25 | [summary] to write: Argument[*0] in RtlInitUnicodeString [*Buffer] | windows.cpp:527:6:527:25 | [summary param] *0 in RtlInitUnicodeString [Return] [*Buffer] | provenance |  |
 | windows.cpp:527:6:527:25 | [summary] to write: Argument[*0].Field[*Buffer] in RtlInitUnicodeString | windows.cpp:527:6:527:25 | [summary] to write: Argument[*0] in RtlInitUnicodeString [*Buffer] | provenance |  |
 | windows.cpp:533:11:533:16 | call to source | windows.cpp:533:11:533:16 | call to source | provenance |  |
@@ -218,37 +284,51 @@ edges
 | windows.cpp:533:11:533:16 | call to source | windows.cpp:573:40:573:41 | *& ... | provenance |  |
 | windows.cpp:537:27:537:37 | RtlCopyVolatileMemory output argument | windows.cpp:538:10:538:23 | access to array | provenance |  |
 | windows.cpp:537:40:537:41 | *& ... | windows.cpp:473:17:473:37 | [summary param] *1 in RtlCopyVolatileMemory | provenance |  |
-| windows.cpp:537:40:537:41 | *& ... | windows.cpp:537:27:537:37 | RtlCopyVolatileMemory output argument | provenance | MaD:27 |
+| windows.cpp:537:40:537:41 | *& ... | windows.cpp:537:27:537:37 | RtlCopyVolatileMemory output argument | provenance | MaD:39 |
 | windows.cpp:542:25:542:35 | RtlCopyDeviceMemory output argument | windows.cpp:543:10:543:23 | access to array | provenance |  |
 | windows.cpp:542:38:542:39 | *& ... | windows.cpp:479:17:479:35 | [summary param] *1 in RtlCopyDeviceMemory | provenance |  |
-| windows.cpp:542:38:542:39 | *& ... | windows.cpp:542:25:542:35 | RtlCopyDeviceMemory output argument | provenance | MaD:23 |
+| windows.cpp:542:38:542:39 | *& ... | windows.cpp:542:25:542:35 | RtlCopyDeviceMemory output argument | provenance | MaD:35 |
 | windows.cpp:547:19:547:29 | RtlCopyMemory output argument | windows.cpp:548:10:548:23 | access to array | provenance |  |
 | windows.cpp:547:32:547:33 | *& ... | windows.cpp:485:6:485:18 | [summary param] *1 in RtlCopyMemory | provenance |  |
-| windows.cpp:547:32:547:33 | *& ... | windows.cpp:547:19:547:29 | RtlCopyMemory output argument | provenance | MaD:24 |
+| windows.cpp:547:32:547:33 | *& ... | windows.cpp:547:19:547:29 | RtlCopyMemory output argument | provenance | MaD:36 |
 | windows.cpp:552:30:552:40 | RtlCopyMemoryNonTemporal output argument | windows.cpp:553:10:553:23 | access to array | provenance |  |
 | windows.cpp:552:43:552:44 | *& ... | windows.cpp:493:6:493:29 | [summary param] *1 in RtlCopyMemoryNonTemporal | provenance |  |
-| windows.cpp:552:43:552:44 | *& ... | windows.cpp:552:30:552:40 | RtlCopyMemoryNonTemporal output argument | provenance | MaD:25 |
+| windows.cpp:552:43:552:44 | *& ... | windows.cpp:552:30:552:40 | RtlCopyMemoryNonTemporal output argument | provenance | MaD:37 |
 | windows.cpp:559:5:559:24 | ... = ... | windows.cpp:561:39:561:44 | *buffer | provenance |  |
 | windows.cpp:559:17:559:24 | call to source | windows.cpp:559:5:559:24 | ... = ... | provenance |  |
 | windows.cpp:561:26:561:36 | RtlInitUnicodeString output argument [*Buffer] | windows.cpp:562:10:562:19 | *src_string [*Buffer] | provenance |  |
 | windows.cpp:561:26:561:36 | RtlInitUnicodeString output argument [*Buffer] | windows.cpp:563:40:563:50 | *& ... [*Buffer] | provenance |  |
 | windows.cpp:561:39:561:44 | *buffer | windows.cpp:527:6:527:25 | [summary param] *1 in RtlInitUnicodeString | provenance |  |
-| windows.cpp:561:39:561:44 | *buffer | windows.cpp:561:26:561:36 | RtlInitUnicodeString output argument [*Buffer] | provenance | MaD:28 |
+| windows.cpp:561:39:561:44 | *buffer | windows.cpp:561:26:561:36 | RtlInitUnicodeString output argument [*Buffer] | provenance | MaD:40 |
 | windows.cpp:562:10:562:19 | *src_string [*Buffer] | windows.cpp:562:10:562:29 | access to array | provenance |  |
 | windows.cpp:562:10:562:19 | *src_string [*Buffer] | windows.cpp:562:21:562:26 | *Buffer | provenance |  |
 | windows.cpp:562:21:562:26 | *Buffer | windows.cpp:562:10:562:29 | access to array | provenance |  |
 | windows.cpp:563:26:563:37 | RtlCopyUnicodeString output argument [*Buffer] | windows.cpp:564:10:564:20 | *dest_string [*Buffer] | provenance |  |
 | windows.cpp:563:40:563:50 | *& ... [*Buffer] | windows.cpp:510:6:510:25 | [summary param] *1 in RtlCopyUnicodeString [*Buffer] | provenance |  |
-| windows.cpp:563:40:563:50 | *& ... [*Buffer] | windows.cpp:563:26:563:37 | RtlCopyUnicodeString output argument [*Buffer] | provenance | MaD:26 |
+| windows.cpp:563:40:563:50 | *& ... [*Buffer] | windows.cpp:563:26:563:37 | RtlCopyUnicodeString output argument [*Buffer] | provenance | MaD:38 |
 | windows.cpp:564:10:564:20 | *dest_string [*Buffer] | windows.cpp:564:10:564:30 | access to array | provenance |  |
 | windows.cpp:564:10:564:20 | *dest_string [*Buffer] | windows.cpp:564:22:564:27 | *Buffer | provenance |  |
 | windows.cpp:564:22:564:27 | *Buffer | windows.cpp:564:10:564:30 | access to array | provenance |  |
 | windows.cpp:568:19:568:29 | RtlMoveMemory output argument | windows.cpp:569:10:569:23 | access to array | provenance |  |
 | windows.cpp:568:32:568:33 | *& ... | windows.cpp:515:6:515:18 | [summary param] *1 in RtlMoveMemory | provenance |  |
-| windows.cpp:568:32:568:33 | *& ... | windows.cpp:568:19:568:29 | RtlMoveMemory output argument | provenance | MaD:29 |
+| windows.cpp:568:32:568:33 | *& ... | windows.cpp:568:19:568:29 | RtlMoveMemory output argument | provenance | MaD:41 |
 | windows.cpp:573:27:573:37 | RtlMoveVolatileMemory output argument | windows.cpp:574:10:574:23 | access to array | provenance |  |
 | windows.cpp:573:40:573:41 | *& ... | windows.cpp:521:17:521:37 | [summary param] *1 in RtlMoveVolatileMemory | provenance |  |
-| windows.cpp:573:40:573:41 | *& ... | windows.cpp:573:27:573:37 | RtlMoveVolatileMemory output argument | provenance | MaD:30 |
+| windows.cpp:573:40:573:41 | *& ... | windows.cpp:573:27:573:37 | RtlMoveVolatileMemory output argument | provenance | MaD:42 |
+| windows.cpp:645:45:645:50 | WinHttpReadData output argument | windows.cpp:647:10:647:16 | * ... | provenance | Src:MaD:20  |
+| windows.cpp:652:48:652:53 | WinHttpReadDataEx output argument | windows.cpp:654:10:654:16 | * ... | provenance | Src:MaD:21  |
+| windows.cpp:659:47:659:52 | WinHttpQueryHeaders output argument | windows.cpp:661:10:661:16 | * ... | provenance | Src:MaD:16  |
+| windows.cpp:669:70:669:79 | WinHttpQueryHeadersEx output argument | windows.cpp:673:10:673:29 | * ... | provenance | Src:MaD:18  |
+| windows.cpp:669:82:669:87 | WinHttpQueryHeadersEx output argument | windows.cpp:671:10:671:16 | * ... | provenance | Src:MaD:19  |
+| windows.cpp:669:105:669:112 | WinHttpQueryHeadersEx output argument | windows.cpp:675:10:675:27 | * ... | provenance | Src:MaD:17  |
+| windows.cpp:714:6:714:20 | [summary param] *0 in WinHttpCrackUrl | windows.cpp:714:6:714:20 | [summary param] *3 in WinHttpCrackUrl [Return] | provenance | MaD:43 |
+| windows.cpp:728:5:728:28 | ... = ... | windows.cpp:729:35:729:35 | *x | provenance |  |
+| windows.cpp:728:12:728:28 | call to source | windows.cpp:728:5:728:28 | ... = ... | provenance |  |
+| windows.cpp:729:35:729:35 | *x | windows.cpp:714:6:714:20 | [summary param] *0 in WinHttpCrackUrl | provenance |  |
+| windows.cpp:729:35:729:35 | *x | windows.cpp:729:44:729:57 | WinHttpCrackUrl output argument | provenance | MaD:43 |
+| windows.cpp:729:44:729:57 | WinHttpCrackUrl output argument | windows.cpp:731:10:731:36 | * ... | provenance |  |
+| windows.cpp:729:44:729:57 | WinHttpCrackUrl output argument | windows.cpp:733:10:733:35 | * ... | provenance |  |
+| windows.cpp:729:44:729:57 | WinHttpCrackUrl output argument | windows.cpp:735:10:735:37 | * ... | provenance |  |
 nodes
 | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer |
 | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: ReturnValue in buffer |
@@ -262,6 +342,59 @@ nodes
 | asio_streams.cpp:100:64:100:71 | *send_str | semmle.label | *send_str |
 | asio_streams.cpp:101:7:101:17 | send_buffer | semmle.label | send_buffer |
 | asio_streams.cpp:103:29:103:39 | *send_buffer | semmle.label | *send_buffer |
+| azure.cpp:62:10:62:14 | [summary param] this in Value | semmle.label | [summary param] this in Value |
+| azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | semmle.label | [summary] to write: ReturnValue[*] in Value |
+| azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | semmle.label | [summary param] *0 in Read [Return] |
+| azure.cpp:113:16:113:19 | [summary param] this in Read | semmle.label | [summary param] this in Read |
+| azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | semmle.label | [summary param] *0 in ReadToCount [Return] |
+| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | semmle.label | [summary param] this in ReadToCount |
+| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | semmle.label | [summary param] this in ReadToEnd |
+| azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | semmle.label | [summary] to write: ReturnValue in ReadToEnd [element] |
+| azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | semmle.label | [summary] to write: ReturnValue.Element in ReadToEnd |
+| azure.cpp:253:48:253:60 | *call to GetBodyStream | semmle.label | *call to GetBodyStream |
+| azure.cpp:253:48:253:60 | *call to GetBodyStream | semmle.label | *call to GetBodyStream |
+| azure.cpp:257:5:257:8 | *resp | semmle.label | *resp |
+| azure.cpp:257:16:257:21 | Read output argument | semmle.label | Read output argument |
+| azure.cpp:258:10:258:16 | * ... | semmle.label | * ... |
+| azure.cpp:262:5:262:8 | *resp | semmle.label | *resp |
+| azure.cpp:262:23:262:28 | ReadToCount output argument | semmle.label | ReadToCount output argument |
+| azure.cpp:263:10:263:16 | * ... | semmle.label | * ... |
+| azure.cpp:266:38:266:41 | *resp | semmle.label | *resp |
+| azure.cpp:266:44:266:52 | call to ReadToEnd [element] | semmle.label | call to ReadToEnd [element] |
+| azure.cpp:266:44:266:52 | call to ReadToEnd [element] | semmle.label | call to ReadToEnd [element] |
+| azure.cpp:267:10:267:12 | vec | semmle.label | vec |
+| azure.cpp:267:10:267:12 | vec [element] | semmle.label | vec [element] |
+| azure.cpp:273:62:273:64 | call to GetHeaders | semmle.label | call to GetHeaders |
+| azure.cpp:273:62:273:64 | call to GetHeaders | semmle.label | call to GetHeaders |
+| azure.cpp:274:10:274:29 | call to operator[] | semmle.label | call to operator[] |
+| azure.cpp:274:14:274:29 | call to operator[] | semmle.label | call to operator[] |
+| azure.cpp:274:14:274:29 | call to operator[] | semmle.label | call to operator[] |
+| azure.cpp:274:14:274:29 | call to operator[] | semmle.label | call to operator[] |
+| azure.cpp:277:45:277:47 | call to GetBody | semmle.label | call to GetBody |
+| azure.cpp:277:45:277:47 | call to GetBody | semmle.label | call to GetBody |
+| azure.cpp:278:10:278:13 | body | semmle.label | body |
+| azure.cpp:278:10:278:13 | body | semmle.label | body |
+| azure.cpp:278:10:278:13 | body | semmle.label | body |
+| azure.cpp:281:68:281:84 | *call to ExtractBodyStream | semmle.label | *call to ExtractBodyStream |
+| azure.cpp:281:68:281:84 | *call to ExtractBodyStream | semmle.label | *call to ExtractBodyStream |
+| azure.cpp:282:10:282:38 | call to ReadToEnd | semmle.label | call to ReadToEnd |
+| azure.cpp:282:21:282:23 | *call to get | semmle.label | *call to get |
+| azure.cpp:282:28:282:36 | call to ReadToEnd [element] | semmle.label | call to ReadToEnd [element] |
+| azure.cpp:282:28:282:36 | call to ReadToEnd [element] | semmle.label | call to ReadToEnd [element] |
+| azure.cpp:289:24:289:56 | call to GetHeader | semmle.label | call to GetHeader |
+| azure.cpp:289:32:289:40 | call to GetHeader | semmle.label | call to GetHeader |
+| azure.cpp:289:32:289:40 | call to GetHeader | semmle.label | call to GetHeader |
+| azure.cpp:289:63:289:65 | call to Value | semmle.label | call to Value |
+| azure.cpp:289:63:289:65 | call to Value | semmle.label | call to Value |
+| azure.cpp:290:10:290:20 | headerValue | semmle.label | headerValue |
+| azure.cpp:290:10:290:20 | headerValue | semmle.label | headerValue |
+| azure.cpp:290:10:290:20 | headerValue | semmle.label | headerValue |
+| azure.cpp:293:58:293:67 | call to GetHeaders | semmle.label | call to GetHeaders |
+| azure.cpp:293:58:293:67 | call to GetHeaders | semmle.label | call to GetHeaders |
+| azure.cpp:294:38:294:53 | call to operator[] | semmle.label | call to operator[] |
+| azure.cpp:295:10:295:20 | contentType | semmle.label | contentType |
+| azure.cpp:295:10:295:20 | contentType | semmle.label | contentType |
+| azure.cpp:295:10:295:20 | contentType | semmle.label | contentType |
 | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | semmle.label | [summary param] 0 in ymlStepManual |
 | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | semmle.label | [summary] to write: ReturnValue in ymlStepManual |
 | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | semmle.label | [summary param] 0 in ymlStepGenerated |
@@ -482,8 +615,34 @@ nodes
 | windows.cpp:573:27:573:37 | RtlMoveVolatileMemory output argument | semmle.label | RtlMoveVolatileMemory output argument |
 | windows.cpp:573:40:573:41 | *& ... | semmle.label | *& ... |
 | windows.cpp:574:10:574:23 | access to array | semmle.label | access to array |
+| windows.cpp:645:45:645:50 | WinHttpReadData output argument | semmle.label | WinHttpReadData output argument |
+| windows.cpp:647:10:647:16 | * ... | semmle.label | * ... |
+| windows.cpp:652:48:652:53 | WinHttpReadDataEx output argument | semmle.label | WinHttpReadDataEx output argument |
+| windows.cpp:654:10:654:16 | * ... | semmle.label | * ... |
+| windows.cpp:659:47:659:52 | WinHttpQueryHeaders output argument | semmle.label | WinHttpQueryHeaders output argument |
+| windows.cpp:661:10:661:16 | * ... | semmle.label | * ... |
+| windows.cpp:669:70:669:79 | WinHttpQueryHeadersEx output argument | semmle.label | WinHttpQueryHeadersEx output argument |
+| windows.cpp:669:82:669:87 | WinHttpQueryHeadersEx output argument | semmle.label | WinHttpQueryHeadersEx output argument |
+| windows.cpp:669:105:669:112 | WinHttpQueryHeadersEx output argument | semmle.label | WinHttpQueryHeadersEx output argument |
+| windows.cpp:671:10:671:16 | * ... | semmle.label | * ... |
+| windows.cpp:673:10:673:29 | * ... | semmle.label | * ... |
+| windows.cpp:675:10:675:27 | * ... | semmle.label | * ... |
+| windows.cpp:714:6:714:20 | [summary param] *0 in WinHttpCrackUrl | semmle.label | [summary param] *0 in WinHttpCrackUrl |
+| windows.cpp:714:6:714:20 | [summary param] *3 in WinHttpCrackUrl [Return] | semmle.label | [summary param] *3 in WinHttpCrackUrl [Return] |
+| windows.cpp:728:5:728:28 | ... = ... | semmle.label | ... = ... |
+| windows.cpp:728:12:728:28 | call to source | semmle.label | call to source |
+| windows.cpp:729:35:729:35 | *x | semmle.label | *x |
+| windows.cpp:729:44:729:57 | WinHttpCrackUrl output argument | semmle.label | WinHttpCrackUrl output argument |
+| windows.cpp:731:10:731:36 | * ... | semmle.label | * ... |
+| windows.cpp:733:10:733:35 | * ... | semmle.label | * ... |
+| windows.cpp:735:10:735:37 | * ... | semmle.label | * ... |
 subpaths
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | asio_streams.cpp:100:44:100:62 | call to buffer |
+| azure.cpp:257:5:257:8 | *resp | azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | azure.cpp:257:16:257:21 | Read output argument |
+| azure.cpp:262:5:262:8 | *resp | azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | azure.cpp:262:23:262:28 | ReadToCount output argument |
+| azure.cpp:266:38:266:41 | *resp | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | azure.cpp:266:44:266:52 | call to ReadToEnd [element] |
+| azure.cpp:282:21:282:23 | *call to get | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | azure.cpp:282:28:282:36 | call to ReadToEnd [element] |
+| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | azure.cpp:289:63:289:65 | call to Value |
 | test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual |
 | test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated |
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
@@ -498,4 +657,5 @@ subpaths
 | windows.cpp:563:40:563:50 | *& ... [*Buffer] | windows.cpp:510:6:510:25 | [summary param] *1 in RtlCopyUnicodeString [*Buffer] | windows.cpp:510:6:510:25 | [summary param] *0 in RtlCopyUnicodeString [Return] [*Buffer] | windows.cpp:563:26:563:37 | RtlCopyUnicodeString output argument [*Buffer] |
 | windows.cpp:568:32:568:33 | *& ... | windows.cpp:515:6:515:18 | [summary param] *1 in RtlMoveMemory | windows.cpp:515:6:515:18 | [summary param] *0 in RtlMoveMemory [Return] | windows.cpp:568:19:568:29 | RtlMoveMemory output argument |
 | windows.cpp:573:40:573:41 | *& ... | windows.cpp:521:17:521:37 | [summary param] *1 in RtlMoveVolatileMemory | windows.cpp:521:17:521:37 | [summary param] *0 in RtlMoveVolatileMemory [Return] | windows.cpp:573:27:573:37 | RtlMoveVolatileMemory output argument |
+| windows.cpp:729:35:729:35 | *x | windows.cpp:714:6:714:20 | [summary param] *0 in WinHttpCrackUrl | windows.cpp:714:6:714:20 | [summary param] *3 in WinHttpCrackUrl [Return] | windows.cpp:729:44:729:57 | WinHttpCrackUrl output argument |
 testFailures

cpp/ql/test/library-tests/dataflow/external-models/sources.expected

@@ -1,4 +1,10 @@
 | asio_streams.cpp:87:34:87:44 | read_until output argument | remote |
+| azure.cpp:253:48:253:60 | *call to GetBodyStream | remote |
+| azure.cpp:273:62:273:64 | call to GetHeaders | remote |
+| azure.cpp:277:45:277:47 | call to GetBody | remote |
+| azure.cpp:281:68:281:84 | *call to ExtractBodyStream | remote |
+| azure.cpp:289:32:289:40 | call to GetHeader | remote |
+| azure.cpp:293:58:293:67 | call to GetHeaders | remote |
 | test.cpp:10:10:10:18 | call to ymlSource | local |
 | test.cpp:56:8:56:16 | call to ymlSource | local |
 | test.cpp:94:10:94:18 | call to ymlSource | local |
@@ -20,3 +26,9 @@
 | windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | local |
 | windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | local |
 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | local |
+| windows.cpp:645:45:645:50 | WinHttpReadData output argument | remote |
+| windows.cpp:652:48:652:53 | WinHttpReadDataEx output argument | remote |
+| windows.cpp:659:47:659:52 | WinHttpQueryHeaders output argument | remote |
+| windows.cpp:669:70:669:79 | WinHttpQueryHeadersEx output argument | remote |
+| windows.cpp:669:82:669:87 | WinHttpQueryHeadersEx output argument | remote |
+| windows.cpp:669:105:669:112 | WinHttpQueryHeadersEx output argument | remote |

cpp/ql/test/library-tests/dataflow/external-models/steps.expected

@@ -1,6 +1,12 @@
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer |
+| azure.cpp:252:79:252:98 | call to string | azure.cpp:252:62:252:99 | call to Url |
+| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument |
+| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument |
+| azure.cpp:287:79:287:98 | call to string | azure.cpp:287:62:287:99 | call to Url |
+| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value |
 | test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual |
 | test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated |
 | test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:28:35:28:35 | 0 | test.cpp:28:11:28:33 | call to ymlStepManual_with_body |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |
+| windows.cpp:729:35:729:35 | *x | windows.cpp:729:44:729:57 | WinHttpCrackUrl output argument |

cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected

@@ -5586,3 +5586,6 @@
 | Unrecognized output specification "Field[***hEvent]" in summary model. |
 | Unrecognized output specification "Parameter[***0]" in summary model. |
 | Unrecognized output specification "Parameter[****0]" in summary model. |
+| Unrecognized output specification "ReturnValue[*****]" in summary model. |
+| Unrecognized output specification "ReturnValue[****]" in summary model. |
+| Unrecognized output specification "ReturnValue[***]" in summary model. |

cpp/ql/test/library-tests/dataflow/external-models/windows.cpp

@@ -573,4 +573,165 @@ void test_copy_and_move_memory() {
     RtlMoveVolatileMemory(dest_buffer, &x, sizeof(x));
     sink(dest_buffer[0]); // $ ir
   }
+}
+
+using HINTERNET = void*;
+using ULONGLONG = unsigned long long;
+using UINT = unsigned int;
+using PDWORD = DWORD*;
+using PCSTR = const char*;
+typedef union _WINHTTP_HEADER_NAME {
+  PCWSTR pwszName;
+  PCSTR  pszName;
+} WINHTTP_HEADER_NAME, *PWINHTTP_HEADER_NAME;
+typedef struct _WINHTTP_EXTENDED_HEADER {
+  union {
+    PCWSTR pwszName;
+    PCSTR  pszName;
+  };
+  union {
+    PCWSTR pwszValue;
+    PCSTR  pszValue;
+  };
+} WINHTTP_EXTENDED_HEADER, *PWINHTTP_EXTENDED_HEADER;
+
+BOOL WinHttpReadData(
+  HINTERNET hRequest,
+  LPVOID    lpBuffer,
+  DWORD     dwNumberOfBytesToRead,
+  LPDWORD   lpdwNumberOfBytesRead
+);
+
+DWORD WinHttpReadDataEx(
+  HINTERNET hRequest,
+  LPVOID    lpBuffer,
+  DWORD     dwNumberOfBytesToRead,
+  LPDWORD   lpdwNumberOfBytesRead,
+  ULONGLONG ullFlags,
+  DWORD     cbProperty,
+  PVOID     pvProperty
+);
+
+using LPCWSTR = const wchar_t*;
+
+BOOL WinHttpQueryHeaders(
+  HINTERNET hRequest,
+  DWORD     dwInfoLevel,
+  LPCWSTR   pwszName,
+  LPVOID    lpBuffer,
+  LPDWORD   lpdwBufferLength,
+  LPDWORD   lpdwIndex
+);
+
+DWORD WinHttpQueryHeadersEx(
+  HINTERNET                hRequest,
+  DWORD                    dwInfoLevel,
+  ULONGLONG                ullFlags,
+  UINT                     uiCodePage,
+  PDWORD                   pdwIndex,
+  PWINHTTP_HEADER_NAME     pHeaderName,
+  PVOID                    pBuffer,
+  PDWORD                   pdwBufferLength,
+  PWINHTTP_EXTENDED_HEADER *ppHeaders,
+  PDWORD                   pdwHeadersCount
+);
+
+void sink(PCSTR);
+
+void test_winhttp(HINTERNET hRequest) {
+  {
+    char buffer[1024];
+    DWORD bytesRead;
+    BOOL result = WinHttpReadData(hRequest, buffer, sizeof(buffer), &bytesRead);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+  {
+    char buffer[1024];
+    DWORD bytesRead;
+    DWORD result = WinHttpReadDataEx(hRequest, buffer, sizeof(buffer), &bytesRead, 0, 0, nullptr);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+  {
+    char buffer[1024];
+    DWORD bufferLength = sizeof(buffer);
+    WinHttpQueryHeaders(hRequest, 0, nullptr, buffer, &bufferLength, nullptr);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+  {
+    char buffer[1024];
+    DWORD bufferLength = sizeof(buffer);
+    PWINHTTP_EXTENDED_HEADER headers;
+    DWORD headersCount;
+    PWINHTTP_HEADER_NAME headerName;
+    DWORD result = WinHttpQueryHeadersEx(hRequest, 0, 0, 0, nullptr, headerName, buffer, &bufferLength, &headers, &headersCount);
+    sink(buffer);
+    sink(*buffer); // $ ir
+    sink(headerName->pszName);
+    sink(*headerName->pszName); // $ ir
+    sink(headers->pszValue);
+    sink(*headers->pszValue); // $ ir
+  }
+}
+
+using LPWSTR = wchar_t*;
+using INTERNET_SCHEME = enum {
+  INTERNET_SCHEME_INVALID = -1,
+  INTERNET_SCHEME_UNKNOWN = 0,
+  INTERNET_SCHEME_HTTP = 1,
+  INTERNET_SCHEME_HTTPS = 2,
+  INTERNET_SCHEME_FTP = 3,
+  INTERNET_SCHEME_FILE = 4,
+  INTERNET_SCHEME_NEWS = 5,
+  INTERNET_SCHEME_MAILTO = 6,
+  INTERNET_SCHEME_SNEWS = 7,
+  INTERNET_SCHEME_SOCKS = 8,
+  INTERNET_SCHEME_WAIS = 9,
+  INTERNET_SCHEME_LAST = 10
+};
+using INTERNET_PORT = unsigned short;
+
+typedef struct _WINHTTP_URL_COMPONENTS {
+  DWORD           dwStructSize;
+  LPWSTR          lpszScheme;
+  DWORD           dwSchemeLength;
+  INTERNET_SCHEME nScheme;
+  LPWSTR          lpszHostName;
+  DWORD           dwHostNameLength;
+  INTERNET_PORT   nPort;
+  LPWSTR          lpszUserName;
+  DWORD           dwUserNameLength;
+  LPWSTR          lpszPassword;
+  DWORD           dwPasswordLength;
+  LPWSTR          lpszUrlPath;
+  DWORD           dwUrlPathLength;
+  LPWSTR          lpszExtraInfo;
+  DWORD           dwExtraInfoLength;
+} URL_COMPONENTS, *LPURL_COMPONENTS;
+
+BOOL WinHttpCrackUrl(
+  LPCWSTR          pwszUrl,
+  DWORD            dwUrlLength,
+  DWORD            dwFlags,
+  LPURL_COMPONENTS lpUrlComponents
+);
+
+void sink(LPWSTR);
+
+void test_winhttp_crack_url() {
+  {
+    URL_COMPONENTS urlComponents;
+    urlComponents.dwStructSize = sizeof(URL_COMPONENTS);
+    wchar_t x[256];
+    x[0] = (wchar_t)source();
+    BOOL result = WinHttpCrackUrl(x, 0, 0, &urlComponents);
+    sink(urlComponents.lpszHostName);
+    sink(*urlComponents.lpszHostName); // $ ir
+    sink(urlComponents.lpszUrlPath);
+    sink(*urlComponents.lpszUrlPath); // $ ir
+    sink(urlComponents.lpszExtraInfo);
+    sink(*urlComponents.lpszExtraInfo); // $ ir
+  }
 }

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected

@@ -1025,6 +1025,7 @@
 | test.c:970:12:970:12 | y | 256 |
 | test.c:971:9:971:9 | x | 2147483647 |
 | test.c:972:9:972:9 | y | 256 |
+| test.c:985:7:985:7 | e | -2147483648 |
 | test.cpp:10:7:10:7 | b | -2147483648 |
 | test.cpp:11:5:11:5 | x | -2147483648 |
 | test.cpp:13:10:13:10 | x | -2147483648 |
@@ -1093,3 +1094,64 @@
 | test.cpp:122:4:122:4 | n | 0 |
 | test.cpp:122:8:122:8 | n | 0 |
 | test.cpp:122:12:122:12 | n | 1 |
+| test_nr_of_bounds.cpp:40:5:40:20 | x | 0 |
+| test_nr_of_bounds.cpp:40:5:40:20 | x | 0 |
+| test_nr_of_bounds.cpp:41:5:41:20 | x | 0 |
+| test_nr_of_bounds.cpp:41:5:41:20 | x | 0 |
+| test_nr_of_bounds.cpp:42:5:42:20 | x | 0 |
+| test_nr_of_bounds.cpp:42:5:42:20 | x | 0 |
+| test_nr_of_bounds.cpp:43:5:43:20 | x | 0 |
+| test_nr_of_bounds.cpp:43:5:43:20 | x | 0 |
+| test_nr_of_bounds.cpp:44:5:44:20 | x | 0 |
+| test_nr_of_bounds.cpp:44:5:44:20 | x | 0 |
+| test_nr_of_bounds.cpp:45:5:45:20 | x | 0 |
+| test_nr_of_bounds.cpp:45:5:45:20 | x | 0 |
+| test_nr_of_bounds.cpp:46:5:46:20 | x | 0 |
+| test_nr_of_bounds.cpp:46:5:46:20 | x | 0 |
+| test_nr_of_bounds.cpp:47:5:47:20 | x | 0 |
+| test_nr_of_bounds.cpp:47:5:47:20 | x | 0 |
+| test_nr_of_bounds.cpp:48:5:48:20 | x | 0 |
+| test_nr_of_bounds.cpp:48:5:48:20 | x | 0 |
+| test_nr_of_bounds.cpp:49:5:49:20 | x | 0 |
+| test_nr_of_bounds.cpp:49:5:49:20 | x | 0 |
+| test_nr_of_bounds.cpp:50:5:50:20 | x | 0 |
+| test_nr_of_bounds.cpp:50:5:50:20 | x | 0 |
+| test_nr_of_bounds.cpp:51:5:51:20 | x | 0 |
+| test_nr_of_bounds.cpp:51:5:51:20 | x | 0 |
+| test_nr_of_bounds.cpp:52:5:52:20 | x | 0 |
+| test_nr_of_bounds.cpp:52:5:52:20 | x | 0 |
+| test_nr_of_bounds.cpp:53:5:53:20 | x | 0 |
+| test_nr_of_bounds.cpp:53:5:53:20 | x | 0 |
+| test_nr_of_bounds.cpp:54:5:54:20 | x | 0 |
+| test_nr_of_bounds.cpp:54:5:54:20 | x | 0 |
+| test_nr_of_bounds.cpp:55:5:55:20 | x | 0 |
+| test_nr_of_bounds.cpp:55:5:55:20 | x | 0 |
+| test_nr_of_bounds.cpp:56:5:56:20 | x | 0 |
+| test_nr_of_bounds.cpp:56:5:56:20 | x | 0 |
+| test_nr_of_bounds.cpp:57:5:57:20 | x | 0 |
+| test_nr_of_bounds.cpp:57:5:57:20 | x | 0 |
+| test_nr_of_bounds.cpp:58:5:58:20 | x | 0 |
+| test_nr_of_bounds.cpp:58:5:58:20 | x | 0 |
+| test_nr_of_bounds.cpp:59:5:59:20 | x | 0 |
+| test_nr_of_bounds.cpp:59:5:59:20 | x | 0 |
+| test_nr_of_bounds.cpp:60:5:60:20 | x | 0 |
+| test_nr_of_bounds.cpp:60:5:60:20 | x | 0 |
+| test_nr_of_bounds.cpp:61:5:61:20 | x | 0 |
+| test_nr_of_bounds.cpp:61:5:61:20 | x | 0 |
+| test_nr_of_bounds.cpp:62:5:62:20 | x | 0 |
+| test_nr_of_bounds.cpp:62:5:62:20 | x | 0 |
+| test_nr_of_bounds.cpp:63:5:63:20 | x | 0 |
+| test_nr_of_bounds.cpp:63:5:63:20 | x | 0 |
+| test_nr_of_bounds.cpp:64:5:64:20 | x | 0 |
+| test_nr_of_bounds.cpp:64:5:64:20 | x | 0 |
+| test_nr_of_bounds.cpp:65:5:65:21 | x | 0 |
+| test_nr_of_bounds.cpp:65:5:65:21 | x | 0 |
+| test_nr_of_bounds.cpp:66:5:66:21 | x | 0 |
+| test_nr_of_bounds.cpp:66:5:66:21 | x | 0 |
+| test_nr_of_bounds.cpp:67:5:67:21 | x | 0 |
+| test_nr_of_bounds.cpp:67:5:67:21 | x | 0 |
+| test_nr_of_bounds.cpp:68:5:68:21 | x | 0 |
+| test_nr_of_bounds.cpp:68:5:68:21 | x | 0 |
+| test_nr_of_bounds.cpp:69:5:69:21 | x | 0 |
+| test_nr_of_bounds.cpp:69:5:69:21 | x | 0 |
+| test_nr_of_bounds.cpp:72:12:72:12 | x | 0 |

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected

@@ -4546,6 +4546,13 @@ estimateNrOfBounds
 | test.c:970:18:970:20 | 512 | 1.0 |
 | test.c:971:9:971:9 | x | 1.0 |
 | test.c:972:9:972:9 | y | 1.0 |
+| test.c:977:9:977:11 | 1 | 1.0 |
+| test.c:978:9:978:11 | 2 | 1.0 |
+| test.c:979:9:979:11 | 4 | 1.0 |
+| test.c:980:9:980:11 | 8 | 1.0 |
+| test.c:981:9:981:12 | 16 | 1.0 |
+| test.c:985:7:985:7 | (int)... | 1.0 |
+| test.c:985:7:985:7 | e | 1.0 |
 | test.cpp:9:11:9:12 | - ... | 1.0 |
 | test.cpp:9:12:9:12 | 1 | 1.0 |
 | test.cpp:10:7:10:7 | (bool)... | 1.0 |
@@ -4721,3 +4728,394 @@ estimateNrOfBounds
 | test.cpp:122:4:122:4 | n | 8.0 |
 | test.cpp:122:8:122:8 | n | 8.0 |
 | test.cpp:122:12:122:12 | n | 8.0 |
+| test_nr_of_bounds.cpp:2:9:2:11 | 1 | 1.0 |
+| test_nr_of_bounds.cpp:3:9:3:11 | 2 | 1.0 |
+| test_nr_of_bounds.cpp:4:9:4:11 | 4 | 1.0 |
+| test_nr_of_bounds.cpp:5:9:5:11 | 8 | 1.0 |
+| test_nr_of_bounds.cpp:6:9:6:12 | 16 | 1.0 |
+| test_nr_of_bounds.cpp:7:9:7:12 | 32 | 1.0 |
+| test_nr_of_bounds.cpp:8:9:8:12 | 64 | 1.0 |
+| test_nr_of_bounds.cpp:9:9:9:12 | 128 | 1.0 |
+| test_nr_of_bounds.cpp:10:9:10:13 | 256 | 1.0 |
+| test_nr_of_bounds.cpp:11:9:11:13 | 512 | 1.0 |
+| test_nr_of_bounds.cpp:12:9:12:13 | 1024 | 1.0 |
+| test_nr_of_bounds.cpp:13:9:13:13 | 2048 | 1.0 |
+| test_nr_of_bounds.cpp:14:9:14:14 | 4096 | 1.0 |
+| test_nr_of_bounds.cpp:15:9:15:14 | 8192 | 1.0 |
+| test_nr_of_bounds.cpp:16:9:16:14 | 16384 | 1.0 |
+| test_nr_of_bounds.cpp:17:9:17:14 | 32768 | 1.0 |
+| test_nr_of_bounds.cpp:18:9:18:15 | 65536 | 1.0 |
+| test_nr_of_bounds.cpp:19:9:19:15 | 131072 | 1.0 |
+| test_nr_of_bounds.cpp:20:9:20:15 | 262144 | 1.0 |
+| test_nr_of_bounds.cpp:21:9:21:15 | 524288 | 1.0 |
+| test_nr_of_bounds.cpp:22:9:22:16 | 1048576 | 1.0 |
+| test_nr_of_bounds.cpp:23:9:23:16 | 2097152 | 1.0 |
+| test_nr_of_bounds.cpp:24:9:24:16 | 4194304 | 1.0 |
+| test_nr_of_bounds.cpp:25:9:25:16 | 8388608 | 1.0 |
+| test_nr_of_bounds.cpp:26:9:26:17 | 16777216 | 1.0 |
+| test_nr_of_bounds.cpp:27:10:27:18 | 33554432 | 1.0 |
+| test_nr_of_bounds.cpp:28:10:28:18 | 67108864 | 1.0 |
+| test_nr_of_bounds.cpp:29:10:29:18 | 134217728 | 1.0 |
+| test_nr_of_bounds.cpp:30:10:30:19 | 268435456 | 1.0 |
+| test_nr_of_bounds.cpp:31:10:31:19 | 536870912 | 1.0 |
+| test_nr_of_bounds.cpp:40:5:40:19 | ... & ... | 1.0 |
+| test_nr_of_bounds.cpp:40:5:40:19 | ... -= ... | 1.0 |
+| test_nr_of_bounds.cpp:40:5:40:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:40:5:40:20 | (...) | 1.0 |
+| test_nr_of_bounds.cpp:40:5:40:20 | x | 1.0 |
+| test_nr_of_bounds.cpp:40:5:40:20 | x | 1.0 |
+| test_nr_of_bounds.cpp:40:19:40:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:40:19:40:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:40:19:40:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:40:19:40:19 | A | 1.0 |
+| test_nr_of_bounds.cpp:40:19:40:19 | A | 1.0 |
+| test_nr_of_bounds.cpp:40:19:40:19 | A | 1.0 |
+| test_nr_of_bounds.cpp:41:5:41:19 | ... & ... | 2.0 |
+| test_nr_of_bounds.cpp:41:5:41:19 | ... -= ... | 2.0 |
+| test_nr_of_bounds.cpp:41:5:41:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:41:5:41:20 | (...) | 2.0 |
+| test_nr_of_bounds.cpp:41:5:41:20 | x | 2.0 |
+| test_nr_of_bounds.cpp:41:5:41:20 | x | 2.0 |
+| test_nr_of_bounds.cpp:41:19:41:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:41:19:41:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:41:19:41:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:41:19:41:19 | B | 1.0 |
+| test_nr_of_bounds.cpp:41:19:41:19 | B | 1.0 |
+| test_nr_of_bounds.cpp:41:19:41:19 | B | 1.0 |
+| test_nr_of_bounds.cpp:42:5:42:19 | ... & ... | 4.0 |
+| test_nr_of_bounds.cpp:42:5:42:19 | ... -= ... | 4.0 |
+| test_nr_of_bounds.cpp:42:5:42:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:42:5:42:20 | (...) | 4.0 |
+| test_nr_of_bounds.cpp:42:5:42:20 | x | 4.0 |
+| test_nr_of_bounds.cpp:42:5:42:20 | x | 4.0 |
+| test_nr_of_bounds.cpp:42:19:42:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:42:19:42:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:42:19:42:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:42:19:42:19 | C | 1.0 |
+| test_nr_of_bounds.cpp:42:19:42:19 | C | 1.0 |
+| test_nr_of_bounds.cpp:42:19:42:19 | C | 1.0 |
+| test_nr_of_bounds.cpp:43:5:43:19 | ... & ... | 8.0 |
+| test_nr_of_bounds.cpp:43:5:43:19 | ... -= ... | 8.0 |
+| test_nr_of_bounds.cpp:43:5:43:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:43:5:43:20 | (...) | 8.0 |
+| test_nr_of_bounds.cpp:43:5:43:20 | x | 8.0 |
+| test_nr_of_bounds.cpp:43:5:43:20 | x | 8.0 |
+| test_nr_of_bounds.cpp:43:19:43:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:43:19:43:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:43:19:43:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:43:19:43:19 | D | 1.0 |
+| test_nr_of_bounds.cpp:43:19:43:19 | D | 1.0 |
+| test_nr_of_bounds.cpp:43:19:43:19 | D | 1.0 |
+| test_nr_of_bounds.cpp:44:5:44:19 | ... & ... | 16.0 |
+| test_nr_of_bounds.cpp:44:5:44:19 | ... -= ... | 16.0 |
+| test_nr_of_bounds.cpp:44:5:44:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:44:5:44:20 | (...) | 16.0 |
+| test_nr_of_bounds.cpp:44:5:44:20 | x | 16.0 |
+| test_nr_of_bounds.cpp:44:5:44:20 | x | 16.0 |
+| test_nr_of_bounds.cpp:44:19:44:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:44:19:44:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:44:19:44:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:44:19:44:19 | E | 1.0 |
+| test_nr_of_bounds.cpp:44:19:44:19 | E | 1.0 |
+| test_nr_of_bounds.cpp:44:19:44:19 | E | 1.0 |
+| test_nr_of_bounds.cpp:45:5:45:19 | ... & ... | 32.0 |
+| test_nr_of_bounds.cpp:45:5:45:19 | ... -= ... | 32.0 |
+| test_nr_of_bounds.cpp:45:5:45:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:45:5:45:20 | (...) | 32.0 |
+| test_nr_of_bounds.cpp:45:5:45:20 | x | 32.0 |
+| test_nr_of_bounds.cpp:45:5:45:20 | x | 32.0 |
+| test_nr_of_bounds.cpp:45:19:45:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:45:19:45:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:45:19:45:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:45:19:45:19 | F | 1.0 |
+| test_nr_of_bounds.cpp:45:19:45:19 | F | 1.0 |
+| test_nr_of_bounds.cpp:45:19:45:19 | F | 1.0 |
+| test_nr_of_bounds.cpp:46:5:46:19 | ... & ... | 64.0 |
+| test_nr_of_bounds.cpp:46:5:46:19 | ... -= ... | 64.0 |
+| test_nr_of_bounds.cpp:46:5:46:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:46:5:46:20 | (...) | 64.0 |
+| test_nr_of_bounds.cpp:46:5:46:20 | x | 64.0 |
+| test_nr_of_bounds.cpp:46:5:46:20 | x | 64.0 |
+| test_nr_of_bounds.cpp:46:19:46:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:46:19:46:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:46:19:46:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:46:19:46:19 | G | 1.0 |
+| test_nr_of_bounds.cpp:46:19:46:19 | G | 1.0 |
+| test_nr_of_bounds.cpp:46:19:46:19 | G | 1.0 |
+| test_nr_of_bounds.cpp:47:5:47:19 | ... & ... | 128.0 |
+| test_nr_of_bounds.cpp:47:5:47:19 | ... -= ... | 128.0 |
+| test_nr_of_bounds.cpp:47:5:47:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:47:5:47:20 | (...) | 128.0 |
+| test_nr_of_bounds.cpp:47:5:47:20 | x | 128.0 |
+| test_nr_of_bounds.cpp:47:5:47:20 | x | 128.0 |
+| test_nr_of_bounds.cpp:47:19:47:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:47:19:47:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:47:19:47:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:47:19:47:19 | H | 1.0 |
+| test_nr_of_bounds.cpp:47:19:47:19 | H | 1.0 |
+| test_nr_of_bounds.cpp:47:19:47:19 | H | 1.0 |
+| test_nr_of_bounds.cpp:48:5:48:19 | ... & ... | 256.0 |
+| test_nr_of_bounds.cpp:48:5:48:19 | ... -= ... | 256.0 |
+| test_nr_of_bounds.cpp:48:5:48:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:48:5:48:20 | (...) | 256.0 |
+| test_nr_of_bounds.cpp:48:5:48:20 | x | 256.0 |
+| test_nr_of_bounds.cpp:48:5:48:20 | x | 256.0 |
+| test_nr_of_bounds.cpp:48:19:48:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:48:19:48:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:48:19:48:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:48:19:48:19 | I | 1.0 |
+| test_nr_of_bounds.cpp:48:19:48:19 | I | 1.0 |
+| test_nr_of_bounds.cpp:48:19:48:19 | I | 1.0 |
+| test_nr_of_bounds.cpp:49:5:49:19 | ... & ... | 512.0 |
+| test_nr_of_bounds.cpp:49:5:49:19 | ... -= ... | 512.0 |
+| test_nr_of_bounds.cpp:49:5:49:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:49:5:49:20 | (...) | 512.0 |
+| test_nr_of_bounds.cpp:49:5:49:20 | x | 512.0 |
+| test_nr_of_bounds.cpp:49:5:49:20 | x | 512.0 |
+| test_nr_of_bounds.cpp:49:19:49:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:49:19:49:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:49:19:49:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:49:19:49:19 | J | 1.0 |
+| test_nr_of_bounds.cpp:49:19:49:19 | J | 1.0 |
+| test_nr_of_bounds.cpp:49:19:49:19 | J | 1.0 |
+| test_nr_of_bounds.cpp:50:5:50:19 | ... & ... | 1024.0 |
+| test_nr_of_bounds.cpp:50:5:50:19 | ... -= ... | 1024.0 |
+| test_nr_of_bounds.cpp:50:5:50:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:50:5:50:20 | (...) | 1024.0 |
+| test_nr_of_bounds.cpp:50:5:50:20 | x | 1024.0 |
+| test_nr_of_bounds.cpp:50:5:50:20 | x | 1024.0 |
+| test_nr_of_bounds.cpp:50:19:50:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:50:19:50:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:50:19:50:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:50:19:50:19 | L | 1.0 |
+| test_nr_of_bounds.cpp:50:19:50:19 | L | 1.0 |
+| test_nr_of_bounds.cpp:50:19:50:19 | L | 1.0 |
+| test_nr_of_bounds.cpp:51:5:51:19 | ... & ... | 2048.0 |
+| test_nr_of_bounds.cpp:51:5:51:19 | ... -= ... | 2048.0 |
+| test_nr_of_bounds.cpp:51:5:51:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:51:5:51:20 | (...) | 2048.0 |
+| test_nr_of_bounds.cpp:51:5:51:20 | x | 2048.0 |
+| test_nr_of_bounds.cpp:51:5:51:20 | x | 2048.0 |
+| test_nr_of_bounds.cpp:51:19:51:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:51:19:51:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:51:19:51:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:51:19:51:19 | M | 1.0 |
+| test_nr_of_bounds.cpp:51:19:51:19 | M | 1.0 |
+| test_nr_of_bounds.cpp:51:19:51:19 | M | 1.0 |
+| test_nr_of_bounds.cpp:52:5:52:19 | ... & ... | 4096.0 |
+| test_nr_of_bounds.cpp:52:5:52:19 | ... -= ... | 4096.0 |
+| test_nr_of_bounds.cpp:52:5:52:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:52:5:52:20 | (...) | 4096.0 |
+| test_nr_of_bounds.cpp:52:5:52:20 | x | 4096.0 |
+| test_nr_of_bounds.cpp:52:5:52:20 | x | 4096.0 |
+| test_nr_of_bounds.cpp:52:19:52:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:52:19:52:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:52:19:52:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:52:19:52:19 | N | 1.0 |
+| test_nr_of_bounds.cpp:52:19:52:19 | N | 1.0 |
+| test_nr_of_bounds.cpp:52:19:52:19 | N | 1.0 |
+| test_nr_of_bounds.cpp:53:5:53:19 | ... & ... | 8192.0 |
+| test_nr_of_bounds.cpp:53:5:53:19 | ... -= ... | 8192.0 |
+| test_nr_of_bounds.cpp:53:5:53:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:53:5:53:20 | (...) | 8192.0 |
+| test_nr_of_bounds.cpp:53:5:53:20 | x | 8192.0 |
+| test_nr_of_bounds.cpp:53:5:53:20 | x | 8192.0 |
+| test_nr_of_bounds.cpp:53:19:53:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:53:19:53:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:53:19:53:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:53:19:53:19 | O | 1.0 |
+| test_nr_of_bounds.cpp:53:19:53:19 | O | 1.0 |
+| test_nr_of_bounds.cpp:53:19:53:19 | O | 1.0 |
+| test_nr_of_bounds.cpp:54:5:54:19 | ... & ... | 16384.0 |
+| test_nr_of_bounds.cpp:54:5:54:19 | ... -= ... | 16384.0 |
+| test_nr_of_bounds.cpp:54:5:54:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:54:5:54:20 | (...) | 16384.0 |
+| test_nr_of_bounds.cpp:54:5:54:20 | x | 16384.0 |
+| test_nr_of_bounds.cpp:54:5:54:20 | x | 16384.0 |
+| test_nr_of_bounds.cpp:54:19:54:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:54:19:54:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:54:19:54:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:54:19:54:19 | P | 1.0 |
+| test_nr_of_bounds.cpp:54:19:54:19 | P | 1.0 |
+| test_nr_of_bounds.cpp:54:19:54:19 | P | 1.0 |
+| test_nr_of_bounds.cpp:55:5:55:19 | ... & ... | 32768.0 |
+| test_nr_of_bounds.cpp:55:5:55:19 | ... -= ... | 32768.0 |
+| test_nr_of_bounds.cpp:55:5:55:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:55:5:55:20 | (...) | 32768.0 |
+| test_nr_of_bounds.cpp:55:5:55:20 | x | 32768.0 |
+| test_nr_of_bounds.cpp:55:5:55:20 | x | 32768.0 |
+| test_nr_of_bounds.cpp:55:19:55:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:55:19:55:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:55:19:55:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:55:19:55:19 | Q | 1.0 |
+| test_nr_of_bounds.cpp:55:19:55:19 | Q | 1.0 |
+| test_nr_of_bounds.cpp:55:19:55:19 | Q | 1.0 |
+| test_nr_of_bounds.cpp:56:5:56:19 | ... & ... | 65536.0 |
+| test_nr_of_bounds.cpp:56:5:56:19 | ... -= ... | 65536.0 |
+| test_nr_of_bounds.cpp:56:5:56:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:56:5:56:20 | (...) | 65536.0 |
+| test_nr_of_bounds.cpp:56:5:56:20 | x | 65536.0 |
+| test_nr_of_bounds.cpp:56:5:56:20 | x | 65536.0 |
+| test_nr_of_bounds.cpp:56:19:56:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:56:19:56:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:56:19:56:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:56:19:56:19 | R | 1.0 |
+| test_nr_of_bounds.cpp:56:19:56:19 | R | 1.0 |
+| test_nr_of_bounds.cpp:56:19:56:19 | R | 1.0 |
+| test_nr_of_bounds.cpp:57:5:57:19 | ... & ... | 131072.0 |
+| test_nr_of_bounds.cpp:57:5:57:19 | ... -= ... | 131072.0 |
+| test_nr_of_bounds.cpp:57:5:57:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:57:5:57:20 | (...) | 131072.0 |
+| test_nr_of_bounds.cpp:57:5:57:20 | x | 131072.0 |
+| test_nr_of_bounds.cpp:57:5:57:20 | x | 131072.0 |
+| test_nr_of_bounds.cpp:57:19:57:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:57:19:57:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:57:19:57:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:57:19:57:19 | S | 1.0 |
+| test_nr_of_bounds.cpp:57:19:57:19 | S | 1.0 |
+| test_nr_of_bounds.cpp:57:19:57:19 | S | 1.0 |
+| test_nr_of_bounds.cpp:58:5:58:19 | ... & ... | 262144.0 |
+| test_nr_of_bounds.cpp:58:5:58:19 | ... -= ... | 262144.0 |
+| test_nr_of_bounds.cpp:58:5:58:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:58:5:58:20 | (...) | 262144.0 |
+| test_nr_of_bounds.cpp:58:5:58:20 | x | 262144.0 |
+| test_nr_of_bounds.cpp:58:5:58:20 | x | 262144.0 |
+| test_nr_of_bounds.cpp:58:19:58:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:58:19:58:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:58:19:58:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:58:19:58:19 | T | 1.0 |
+| test_nr_of_bounds.cpp:58:19:58:19 | T | 1.0 |
+| test_nr_of_bounds.cpp:58:19:58:19 | T | 1.0 |
+| test_nr_of_bounds.cpp:59:5:59:19 | ... & ... | 524288.0 |
+| test_nr_of_bounds.cpp:59:5:59:19 | ... -= ... | 524288.0 |
+| test_nr_of_bounds.cpp:59:5:59:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:59:5:59:20 | (...) | 524288.0 |
+| test_nr_of_bounds.cpp:59:5:59:20 | x | 524288.0 |
+| test_nr_of_bounds.cpp:59:5:59:20 | x | 524288.0 |
+| test_nr_of_bounds.cpp:59:19:59:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:59:19:59:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:59:19:59:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:59:19:59:19 | U | 1.0 |
+| test_nr_of_bounds.cpp:59:19:59:19 | U | 1.0 |
+| test_nr_of_bounds.cpp:59:19:59:19 | U | 1.0 |
+| test_nr_of_bounds.cpp:60:5:60:19 | ... & ... | 1048576.0 |
+| test_nr_of_bounds.cpp:60:5:60:19 | ... -= ... | 1048576.0 |
+| test_nr_of_bounds.cpp:60:5:60:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:60:5:60:20 | (...) | 1048576.0 |
+| test_nr_of_bounds.cpp:60:5:60:20 | x | 1048576.0 |
+| test_nr_of_bounds.cpp:60:5:60:20 | x | 1048576.0 |
+| test_nr_of_bounds.cpp:60:19:60:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:60:19:60:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:60:19:60:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:60:19:60:19 | V | 1.0 |
+| test_nr_of_bounds.cpp:60:19:60:19 | V | 1.0 |
+| test_nr_of_bounds.cpp:60:19:60:19 | V | 1.0 |
+| test_nr_of_bounds.cpp:61:5:61:19 | ... & ... | 2097152.0 |
+| test_nr_of_bounds.cpp:61:5:61:19 | ... -= ... | 2097152.0 |
+| test_nr_of_bounds.cpp:61:5:61:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:61:5:61:20 | (...) | 2097152.0 |
+| test_nr_of_bounds.cpp:61:5:61:20 | x | 2097152.0 |
+| test_nr_of_bounds.cpp:61:5:61:20 | x | 2097152.0 |
+| test_nr_of_bounds.cpp:61:19:61:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:61:19:61:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:61:19:61:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:61:19:61:19 | W | 1.0 |
+| test_nr_of_bounds.cpp:61:19:61:19 | W | 1.0 |
+| test_nr_of_bounds.cpp:61:19:61:19 | W | 1.0 |
+| test_nr_of_bounds.cpp:62:5:62:19 | ... & ... | 4194304.0 |
+| test_nr_of_bounds.cpp:62:5:62:19 | ... -= ... | 4194304.0 |
+| test_nr_of_bounds.cpp:62:5:62:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:62:5:62:20 | (...) | 4194304.0 |
+| test_nr_of_bounds.cpp:62:5:62:20 | x | 4194304.0 |
+| test_nr_of_bounds.cpp:62:5:62:20 | x | 4194304.0 |
+| test_nr_of_bounds.cpp:62:19:62:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:62:19:62:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:62:19:62:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:62:19:62:19 | X | 1.0 |
+| test_nr_of_bounds.cpp:62:19:62:19 | X | 1.0 |
+| test_nr_of_bounds.cpp:62:19:62:19 | X | 1.0 |
+| test_nr_of_bounds.cpp:63:5:63:19 | ... & ... | 8388608.0 |
+| test_nr_of_bounds.cpp:63:5:63:19 | ... -= ... | 8388608.0 |
+| test_nr_of_bounds.cpp:63:5:63:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:63:5:63:20 | (...) | 8388608.0 |
+| test_nr_of_bounds.cpp:63:5:63:20 | x | 8388608.0 |
+| test_nr_of_bounds.cpp:63:5:63:20 | x | 8388608.0 |
+| test_nr_of_bounds.cpp:63:19:63:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:63:19:63:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:63:19:63:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:63:19:63:19 | Y | 1.0 |
+| test_nr_of_bounds.cpp:63:19:63:19 | Y | 1.0 |
+| test_nr_of_bounds.cpp:63:19:63:19 | Y | 1.0 |
+| test_nr_of_bounds.cpp:64:5:64:19 | ... & ... | 1.6777216E7 |
+| test_nr_of_bounds.cpp:64:5:64:19 | ... -= ... | 1.6777216E7 |
+| test_nr_of_bounds.cpp:64:5:64:19 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:64:5:64:20 | (...) | 1.6777216E7 |
+| test_nr_of_bounds.cpp:64:5:64:20 | x | 1.6777216E7 |
+| test_nr_of_bounds.cpp:64:5:64:20 | x | 1.6777216E7 |
+| test_nr_of_bounds.cpp:64:19:64:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:64:19:64:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:64:19:64:19 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:64:19:64:19 | Z | 1.0 |
+| test_nr_of_bounds.cpp:64:19:64:19 | Z | 1.0 |
+| test_nr_of_bounds.cpp:64:19:64:19 | Z | 1.0 |
+| test_nr_of_bounds.cpp:65:5:65:20 | ... & ... | 3.3554432E7 |
+| test_nr_of_bounds.cpp:65:5:65:20 | ... -= ... | 3.3554432E7 |
+| test_nr_of_bounds.cpp:65:5:65:20 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:65:5:65:21 | (...) | 3.3554432E7 |
+| test_nr_of_bounds.cpp:65:5:65:21 | x | 3.3554432E7 |
+| test_nr_of_bounds.cpp:65:5:65:21 | x | 3.3554432E7 |
+| test_nr_of_bounds.cpp:65:19:65:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:65:19:65:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:65:19:65:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:65:19:65:20 | AA | 1.0 |
+| test_nr_of_bounds.cpp:65:19:65:20 | AA | 1.0 |
+| test_nr_of_bounds.cpp:65:19:65:20 | AA | 1.0 |
+| test_nr_of_bounds.cpp:66:5:66:20 | ... & ... | 6.7108864E7 |
+| test_nr_of_bounds.cpp:66:5:66:20 | ... -= ... | 6.7108864E7 |
+| test_nr_of_bounds.cpp:66:5:66:20 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:66:5:66:21 | (...) | 6.7108864E7 |
+| test_nr_of_bounds.cpp:66:5:66:21 | x | 6.7108864E7 |
+| test_nr_of_bounds.cpp:66:5:66:21 | x | 6.7108864E7 |
+| test_nr_of_bounds.cpp:66:19:66:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:66:19:66:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:66:19:66:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:66:19:66:20 | AB | 1.0 |
+| test_nr_of_bounds.cpp:66:19:66:20 | AB | 1.0 |
+| test_nr_of_bounds.cpp:66:19:66:20 | AB | 1.0 |
+| test_nr_of_bounds.cpp:67:5:67:20 | ... & ... | 1.34217728E8 |
+| test_nr_of_bounds.cpp:67:5:67:20 | ... -= ... | 1.34217728E8 |
+| test_nr_of_bounds.cpp:67:5:67:20 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:67:5:67:21 | (...) | 1.34217728E8 |
+| test_nr_of_bounds.cpp:67:5:67:21 | x | 1.34217728E8 |
+| test_nr_of_bounds.cpp:67:5:67:21 | x | 1.34217728E8 |
+| test_nr_of_bounds.cpp:67:19:67:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:67:19:67:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:67:19:67:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:67:19:67:20 | AC | 1.0 |
+| test_nr_of_bounds.cpp:67:19:67:20 | AC | 1.0 |
+| test_nr_of_bounds.cpp:67:19:67:20 | AC | 1.0 |
+| test_nr_of_bounds.cpp:68:5:68:20 | ... & ... | 2.68435456E8 |
+| test_nr_of_bounds.cpp:68:5:68:20 | ... -= ... | 2.68435456E8 |
+| test_nr_of_bounds.cpp:68:5:68:20 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:68:5:68:21 | (...) | 2.68435456E8 |
+| test_nr_of_bounds.cpp:68:5:68:21 | x | 2.68435456E8 |
+| test_nr_of_bounds.cpp:68:5:68:21 | x | 2.68435456E8 |
+| test_nr_of_bounds.cpp:68:19:68:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:68:19:68:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:68:19:68:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:68:19:68:20 | AD | 1.0 |
+| test_nr_of_bounds.cpp:68:19:68:20 | AD | 1.0 |
+| test_nr_of_bounds.cpp:68:19:68:20 | AD | 1.0 |
+| test_nr_of_bounds.cpp:69:5:69:20 | ... & ... | 5.36870912E8 |
+| test_nr_of_bounds.cpp:69:5:69:20 | ... -= ... | 5.36870912E8 |
+| test_nr_of_bounds.cpp:69:5:69:20 | ... == ... | 1.0 |
+| test_nr_of_bounds.cpp:69:5:69:21 | (...) | 5.36870912E8 |
+| test_nr_of_bounds.cpp:69:5:69:21 | x | 5.36870912E8 |
+| test_nr_of_bounds.cpp:69:5:69:21 | x | 5.36870912E8 |
+| test_nr_of_bounds.cpp:69:19:69:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:69:19:69:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:69:19:69:20 | (unsigned int)... | 1.0 |
+| test_nr_of_bounds.cpp:69:19:69:20 | AE | 1.0 |
+| test_nr_of_bounds.cpp:69:19:69:20 | AE | 1.0 |
+| test_nr_of_bounds.cpp:69:19:69:20 | AE | 1.0 |
+| test_nr_of_bounds.cpp:72:12:72:12 | x | 1.073741824E9 |

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.ql

@@ -14,8 +14,14 @@ private predicate nonFunctionalNrOfBounds(Expr e) {
   strictcount(SimpleRangeAnalysisInternal::estimateNrOfBounds(e)) > 1
 }
 
+private predicate nrOfBoundsNotEq1(Expr e, int n) {
+  e.getFile().getBaseName() = "test_nr_of_bounds.cpp" and
+  n = count(SimpleRangeAnalysisInternal::estimateNrOfBounds(e)) and
+  n != 1
+}
+
 module FunctionalityTest implements TestSig {
-  string getARelevantTag() { result = "nonFunctionalNrOfBounds" }
+  string getARelevantTag() { result = ["nonFunctionalNrOfBounds", "bounds"] }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(Expr e |
@@ -25,6 +31,14 @@ module FunctionalityTest implements TestSig {
       tag = "nonFunctionalNrOfBounds" and
       value = ""
     )
+    or
+    exists(Expr e, int n |
+      nrOfBoundsNotEq1(e, n) and
+      location = e.getLocation() and
+      element = e.toString() and
+      tag = "bounds" and
+      value = n.toString()
+    )
   }
 }
 

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c

@@ -972,3 +972,15 @@ void test_overflow() {
     out(y);
   }
 }
+
+enum MY_ENUM_2 {
+    A = 0x1,
+    B = 0x2,
+    C = 0x4,
+    D = 0x8,
+    E = 0x10
+};
+
+void test_enum(enum MY_ENUM_2 e) {
+  out(e);
+}

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test_nr_of_bounds.cpp

@@ -0,0 +1,73 @@
+enum MY_ENUM {
+    A = 0x1,
+    B = 0x2,
+    C = 0x4,
+    D = 0x8,
+    E = 0x10,
+    F = 0x20,
+    G = 0x40,
+    H = 0x80,
+    I = 0x100,
+    J = 0x200,
+    L = 0x400,
+    M = 0x800,
+    N = 0x1000,
+    O = 0x2000,
+    P = 0x4000,
+    Q = 0x8000,
+    R = 0x10000,
+    S = 0x20000,
+    T = 0x40000,
+    U = 0x80000,
+    V = 0x100000,
+    W = 0x200000,
+    X = 0x400000,
+    Y = 0x800000,
+    Z = 0x1000000,
+    AA = 0x2000000,
+    AB = 0x4000000,
+    AC = 0x8000000,
+    AD = 0x10000000,
+    AE = 0x20000000
+};
+
+typedef unsigned int MY_ENUM_FLAGS;
+
+MY_ENUM_FLAGS check_and_subs(MY_ENUM_FLAGS x)
+{
+
+    #define CHECK_AND_SUB(flag) if ((x & flag) == flag) { x -= flag; }
+    CHECK_AND_SUB(A);
+    CHECK_AND_SUB(B);
+    CHECK_AND_SUB(C);
+    CHECK_AND_SUB(D);
+    CHECK_AND_SUB(E);
+    CHECK_AND_SUB(F);
+    CHECK_AND_SUB(G);
+    CHECK_AND_SUB(H);
+    CHECK_AND_SUB(I);
+    CHECK_AND_SUB(J);
+    CHECK_AND_SUB(L);
+    CHECK_AND_SUB(M);
+    CHECK_AND_SUB(N);
+    CHECK_AND_SUB(O);
+    CHECK_AND_SUB(P);
+    CHECK_AND_SUB(Q);
+    CHECK_AND_SUB(R);
+    CHECK_AND_SUB(S);
+    CHECK_AND_SUB(T);
+    CHECK_AND_SUB(U);
+    CHECK_AND_SUB(V);
+    CHECK_AND_SUB(W);
+    CHECK_AND_SUB(X);
+    CHECK_AND_SUB(Y);
+    CHECK_AND_SUB(Z);
+    CHECK_AND_SUB(AA);
+    CHECK_AND_SUB(AB);
+    CHECK_AND_SUB(AC);
+    CHECK_AND_SUB(AD);
+    CHECK_AND_SUB(AE);
+    #undef CHECK_AND_SUB
+    
+    return x;
+}

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected

@@ -1025,6 +1025,7 @@
 | test.c:970:12:970:12 | y | 256 |
 | test.c:971:9:971:9 | x | 2147483647 |
 | test.c:972:9:972:9 | y | 256 |
+| test.c:985:7:985:7 | e | 2147483647 |
 | test.cpp:10:7:10:7 | b | 2147483647 |
 | test.cpp:11:5:11:5 | x | 2147483647 |
 | test.cpp:13:10:13:10 | x | 2147483647 |
@@ -1093,3 +1094,64 @@
 | test.cpp:122:4:122:4 | n | 32767 |
 | test.cpp:122:8:122:8 | n | 0 |
 | test.cpp:122:12:122:12 | n | 32767 |
+| test_nr_of_bounds.cpp:40:5:40:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:40:5:40:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:41:5:41:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:41:5:41:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:42:5:42:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:42:5:42:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:43:5:43:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:43:5:43:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:44:5:44:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:44:5:44:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:45:5:45:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:45:5:45:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:46:5:46:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:46:5:46:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:47:5:47:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:47:5:47:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:48:5:48:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:48:5:48:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:49:5:49:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:49:5:49:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:50:5:50:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:50:5:50:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:51:5:51:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:51:5:51:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:52:5:52:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:52:5:52:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:53:5:53:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:53:5:53:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:54:5:54:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:54:5:54:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:55:5:55:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:55:5:55:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:56:5:56:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:56:5:56:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:57:5:57:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:57:5:57:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:58:5:58:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:58:5:58:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:59:5:59:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:59:5:59:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:60:5:60:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:60:5:60:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:61:5:61:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:61:5:61:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:62:5:62:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:62:5:62:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:63:5:63:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:63:5:63:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:64:5:64:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:64:5:64:20 | x | 4294967295 |
+| test_nr_of_bounds.cpp:65:5:65:21 | x | 4294967295 |
+| test_nr_of_bounds.cpp:65:5:65:21 | x | 4294967295 |
+| test_nr_of_bounds.cpp:66:5:66:21 | x | 4294967295 |
+| test_nr_of_bounds.cpp:66:5:66:21 | x | 4294967295 |
+| test_nr_of_bounds.cpp:67:5:67:21 | x | 4294967295 |
+| test_nr_of_bounds.cpp:67:5:67:21 | x | 4294967295 |
+| test_nr_of_bounds.cpp:68:5:68:21 | x | 4294967295 |
+| test_nr_of_bounds.cpp:68:5:68:21 | x | 4294967295 |
+| test_nr_of_bounds.cpp:69:5:69:21 | x | 4294967295 |
+| test_nr_of_bounds.cpp:69:5:69:21 | x | 4294967295 |
+| test_nr_of_bounds.cpp:72:12:72:12 | x | 4294967295 |

csharp/documentation/library-coverage/coverage.csv

@@ -44,5 +44,5 @@ NHibernate,3,,,,,,,,,,,,3,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5
-System,59,47,12491,,6,5,12,,,4,1,,31,2,,6,15,17,4,3,,6378,6113
+System,59,47,12495,,6,5,12,,,4,1,,31,2,,6,15,17,4,3,,6382,6113
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,

csharp/documentation/library-coverage/coverage.rst

@@ -8,7 +8,7 @@ C# framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",47,12491,59,5
+   System,"``System.*``, ``System``",47,12495,59,5
    Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Data.SqlClient``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``NHibernate``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2406,162,4
-   Totals,,107,14904,415,9
+   Totals,,107,14908,415,9
 

csharp/downgrades/178a7e6cf335486d33d4e49543148e3f57f04a9a/upgrade.properties

@@ -0,0 +1,3 @@
+description: Remove the relation `extension_receiver_type` and remove the `extension_type` type kind.
+compatibility: backwards
+extension_receiver_type.rel: delete

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs

@@ -5,6 +5,7 @@ using System.Security.Cryptography.X509Certificates;
 using Semmle.Util;
 using Semmle.Util.Logging;
 using Newtonsoft.Json;
+using System.Linq;
 
 namespace Semmle.Extraction.CSharp.DependencyFetching
 {
@@ -37,7 +38,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// </summary>
         internal X509Certificate2? Certificate { get; private set; }
 
-        internal static DependabotProxy? GetDependabotProxy(ILogger logger, TemporaryDirectory tempWorkingDirectory)
+        internal static DependabotProxy? GetDependabotProxy(
+            ILogger logger, IDiagnosticsWriter diagnosticsWriter, TemporaryDirectory tempWorkingDirectory)
         {
             // Setting HTTP(S)_PROXY and SSL_CERT_FILE have no effect on Windows or macOS,
             // but we would still end up using the Dependabot proxy to check for feed reachability.
@@ -112,6 +114,23 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 }
             }
 
+            // Emit a diagnostic for the discovered private registries, so that it is easy
+            // for users to see that they were picked up.
+            if (result.RegistryURLs.Count > 0)
+            {
+                diagnosticsWriter.AddEntry(new DiagnosticMessage(
+                    Language.CSharp,
+                    "buildless/analysis-using-private-registries",
+                    severity: DiagnosticMessage.TspSeverity.Note,
+                    visibility: new DiagnosticMessage.TspVisibility(true, true, true),
+                    name: "C# extraction used private package registries",
+                    markdownMessage: string.Format(
+                        "C# was extracted using the following private package registries:\n\n{0}\n",
+                        string.Join("\n", result.RegistryURLs.Select(url => string.Format("- `{0}`", url)))
+                    )
+                ));
+            }
+
             return result;
         }
 

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs

@@ -106,7 +106,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 return BuildScript.Success;
             }).Run(SystemBuildActions.Instance, startCallback, exitCallback);
 
-            dependabotProxy = DependabotProxy.GetDependabotProxy(logger, tempWorkingDirectory);
+            dependabotProxy = DependabotProxy.GetDependabotProxy(logger, diagnosticsWriter, tempWorkingDirectory);
 
             try
             {

csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs

@@ -4,6 +4,7 @@ using System.Diagnostics.CodeAnalysis;
 using System.IO;
 using System.Linq;
 using Microsoft.CodeAnalysis;
+using Semmle.Util;
 using Semmle.Extraction.CSharp.Entities;
 
 namespace Semmle.Extraction.CSharp
@@ -164,6 +165,7 @@ namespace Semmle.Extraction.CSharp
                     case TypeKind.Enum:
                     case TypeKind.Delegate:
                     case TypeKind.Error:
+                    case TypeKind.Extension:
                         var named = (INamedTypeSymbol)type;
                         named.BuildNamedTypeId(cx, trapFile, symbolBeingDefined, constructUnderlyingTupleType);
                         return;
@@ -275,6 +277,20 @@ namespace Semmle.Extraction.CSharp
         public static IEnumerable<IFieldSymbol?> GetTupleElementsMaybeNull(this INamedTypeSymbol type) =>
             type.TupleElements;
 
+        private static void BuildExtensionTypeId(this INamedTypeSymbol named, Context cx, EscapingTextWriter trapFile)
+        {
+            trapFile.Write("extension(");
+            if (named.ExtensionMarkerName is not null)
+            {
+                trapFile.Write(named.ExtensionMarkerName);
+            }
+            else
+            {
+                trapFile.Write("unknown");
+            }
+            trapFile.Write(")");
+        }
+
         private static void BuildQualifierAndName(INamedTypeSymbol named, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined)
         {
             if (named.ContainingType is not null)
@@ -289,8 +305,18 @@ namespace Semmle.Extraction.CSharp
                 named.ContainingNamespace.BuildNamespace(cx, trapFile);
             }
 
-            var name = named.IsFileLocal ? named.MetadataName : named.Name;
-            trapFile.Write(name);
+            if (named.IsFileLocal)
+            {
+                trapFile.Write(named.MetadataName);
+            }
+            else if (named.IsExtension)
+            {
+                named.BuildExtensionTypeId(cx, trapFile);
+            }
+            else
+            {
+                trapFile.Write(named.Name);
+            }
         }
 
         private static void BuildTupleId(INamedTypeSymbol named, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined)
@@ -391,6 +417,7 @@ namespace Semmle.Extraction.CSharp
                     case TypeKind.Enum:
                     case TypeKind.Delegate:
                     case TypeKind.Error:
+                    case TypeKind.Extension:
                         var named = (INamedTypeSymbol)type;
                         named.BuildNamedTypeDisplayName(cx, trapFile, constructUnderlyingTupleType);
                         return;
@@ -465,6 +492,20 @@ namespace Semmle.Extraction.CSharp
         private static void BuildFunctionPointerTypeDisplayName(this IFunctionPointerTypeSymbol funptr, Context cx, TextWriter trapFile) =>
             BuildFunctionPointerSignature(funptr, trapFile, s => s.BuildDisplayName(cx, trapFile));
 
+        private static void BuildExtensionTypeDisplayName(this INamedTypeSymbol named, Context cx, TextWriter trapFile)
+        {
+            trapFile.Write("extension(");
+            if (named.ExtensionParameter?.Type is ITypeSymbol type)
+            {
+                type.BuildDisplayName(cx, trapFile);
+            }
+            else
+            {
+                trapFile.Write("unknown");
+            }
+            trapFile.Write(")");
+        }
+
         private static void BuildNamedTypeDisplayName(this INamedTypeSymbol namedType, Context cx, TextWriter trapFile, bool constructUnderlyingTupleType)
         {
             if (!constructUnderlyingTupleType && namedType.IsTupleType)
@@ -484,6 +525,12 @@ namespace Semmle.Extraction.CSharp
                 return;
             }
 
+            if (namedType.IsExtension)
+            {
+                namedType.BuildExtensionTypeDisplayName(cx, trapFile);
+                return;
+            }
+
             if (namedType.IsAnonymousType)
             {
                 namedType.BuildAnonymousName(cx, trapFile);
@@ -596,6 +643,84 @@ namespace Semmle.Extraction.CSharp
             return true;
         }
 
+        /// <summary>
+        /// Return true if this method is a compiler-generated extension method.
+        /// </summary>
+        public static bool IsCompilerGeneratedExtensionMethod(this IMethodSymbol method) =>
+            method.TryGetExtensionMethod() is not null;
+
+        /// <summary>
+        /// Returns the extension method corresponding to this compiler-generated extension method, if it exists.
+        /// </summary>
+        public static IMethodSymbol? TryGetExtensionMethod(this IMethodSymbol method)
+        {
+            if (method.IsImplicitlyDeclared && method.ContainingSymbol is INamedTypeSymbol containingType)
+            {
+                // Extension types are declared within the same type as the generated
+                // extension method implementation.
+                var extensions = containingType.GetMembers()
+                    .OfType<INamedTypeSymbol>()
+                    .Where(t => t.IsExtension);
+                // Find the (possibly unbound) original extension method that maps to this implementation (if any).
+                var unboundDeclaration = extensions.SelectMany(e => e.GetMembers())
+                    .OfType<IMethodSymbol>()
+                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation, method.ConstructedFrom));
+
+                var isFullyConstructed = method.IsBoundGenericMethod();
+                if (isFullyConstructed && unboundDeclaration?.ContainingType is INamedTypeSymbol extensionType)
+                {
+                    try
+                    {
+                        // Use the type arguments from the constructed extension method to construct the extension type.
+                        var arguments = method.TypeArguments.ToArray();
+                        var (extensionTypeArguments, extensionMethodArguments) = arguments.SplitAt(extensionType.TypeParameters.Length);
+
+                        // Construct the extension type.
+                        var boundExtensionType = extensionType.IsUnboundGenericType()
+                            ? extensionType.Construct(extensionTypeArguments.ToArray())
+                            : extensionType;
+
+                        // Find the extension method declaration within the constructed extension type.
+                        var extensionDeclaration = boundExtensionType.GetMembers()
+                            .OfType<IMethodSymbol>()
+                            .First(c => SymbolEqualityComparer.Default.Equals(c.OriginalDefinition, unboundDeclaration));
+
+                        // If the extension declaration is unbound apply the remaning type arguments and construct it.
+                        return extensionDeclaration.IsUnboundGenericMethod()
+                            ? extensionDeclaration.Construct(extensionMethodArguments.ToArray())
+                            : extensionDeclaration;
+                    }
+                    catch
+                    {
+                        // If anything goes wrong, fall back to the unbound declaration.
+                        return unboundDeclaration;
+                    }
+                }
+                else
+                {
+                    return unboundDeclaration;
+                }
+            }
+            return null;
+        }
+
+        /// <summary>
+        /// Returns true if this method is an unbound generic method.
+        /// </summary>
+        public static bool IsUnboundGenericMethod(this IMethodSymbol method) =>
+            method.IsGenericMethod && SymbolEqualityComparer.Default.Equals(method.ConstructedFrom, method);
+
+        /// <summary>
+        /// Returns true if this method is a bound generic method.
+        /// </summary>
+        public static bool IsBoundGenericMethod(this IMethodSymbol method) => method.IsGenericMethod && !method.IsUnboundGenericMethod();
+
+        /// <summary>
+        /// Returns true if this type is an unbound generic type.
+        /// </summary>
+        public static bool IsUnboundGenericType(this INamedTypeSymbol type) =>
+            type.IsGenericType && SymbolEqualityComparer.Default.Equals(type.ConstructedFrom, type);
+
         /// <summary>
         /// Gets the base type of `symbol`. Unlike `symbol.BaseType`, this excludes effective base
         /// types of type parameters as well as `object` base types.
@@ -692,5 +817,35 @@ namespace Semmle.Extraction.CSharp
         /// </summary>
         public static IEnumerable<T> ExtractionCandidates<T>(this IEnumerable<T> symbols) where T : ISymbol =>
             symbols.Where(symbol => symbol.ShouldExtractSymbol());
+
+        /// <summary>
+        /// Returns the parameter kind for this parameter symbol, e.g. `ref`, `out`, `params`, etc.
+        /// </summary>
+        public static Parameter.Kind GetParameterKind(this IParameterSymbol parameter)
+        {
+            switch (parameter.RefKind)
+            {
+                case RefKind.Out:
+                    return Parameter.Kind.Out;
+                case RefKind.Ref:
+                    return Parameter.Kind.Ref;
+                case RefKind.In:
+                    return Parameter.Kind.In;
+                case RefKind.RefReadOnlyParameter:
+                    return Parameter.Kind.RefReadOnly;
+                default:
+                    if (parameter.IsParams)
+                        return Parameter.Kind.Params;
+
+                    if (parameter.Ordinal == 0)
+                    {
+                        if (parameter.ContainingSymbol is IMethodSymbol method && method.IsExtensionMethod)
+                        {
+                            return Parameter.Kind.This;
+                        }
+                    }
+                    return Parameter.Kind.None;
+            }
+        }
     }
 }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Base/CachedEntity.cs

@@ -54,22 +54,6 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        protected static void WriteLocationToTrap<T1>(Action<T1, Location> writeAction, T1 entity, Location l)
-        {
-            if (l is not EmptyLocation)
-            {
-                writeAction(entity, l);
-            }
-        }
-
-        protected static void WriteLocationsToTrap<T1>(Action<T1, Location> writeAction, T1 entity, IEnumerable<Location> locations)
-        {
-            foreach (var loc in locations)
-            {
-                WriteLocationToTrap(writeAction, entity, loc);
-            }
-        }
-
         public override bool NeedsPopulation { get; }
 
         public override int GetHashCode() => Symbol is null ? 0 : Symbol.GetHashCode();

csharp/extractor/Semmle.Extraction.CSharp/Entities/Base/CachedSymbol.cs

@@ -32,32 +32,6 @@ namespace Semmle.Extraction.CSharp.Entities
                 Attribute.ExtractAttributes(Context, Symbol, this);
         }
 
-        protected void PopulateNullability(TextWriter trapFile, AnnotatedTypeSymbol type)
-        {
-            var n = NullabilityEntity.Create(Context, Nullability.Create(type));
-            if (!type.HasObliviousNullability())
-            {
-                trapFile.type_nullability(this, n);
-            }
-        }
-
-        protected void PopulateRefKind(TextWriter trapFile, RefKind kind)
-        {
-            switch (kind)
-            {
-                case RefKind.Out:
-                    trapFile.type_annotation(this, Kinds.TypeAnnotation.Out);
-                    break;
-                case RefKind.Ref:
-                    trapFile.type_annotation(this, Kinds.TypeAnnotation.Ref);
-                    break;
-                case RefKind.RefReadOnly:
-                case RefKind.RefReadOnlyParameter:
-                    trapFile.type_annotation(this, Kinds.TypeAnnotation.ReadonlyRef);
-                    break;
-            }
-        }
-
         protected void PopulateScopedKind(TextWriter trapFile, ScopedKind kind)
         {
             switch (kind)

csharp/extractor/Semmle.Extraction.CSharp/Entities/Base/Entity.cs

@@ -1,6 +1,8 @@
 using System;
+using System.Collections.Generic;
 using System.IO;
 using Microsoft.CodeAnalysis;
+using Semmle.Extraction.CSharp.Entities;
 
 namespace Semmle.Extraction.CSharp
 {
@@ -24,7 +26,7 @@ namespace Semmle.Extraction.CSharp
             trapFile.WriteUnescaped('\"');
         }
 
-        public abstract Location? ReportingLocation { get; }
+        public abstract Microsoft.CodeAnalysis.Location? ReportingLocation { get; }
 
         public abstract TrapStackBehaviour TrapStackBehaviour { get; }
 
@@ -65,6 +67,48 @@ namespace Semmle.Extraction.CSharp
         }
 #endif
 
+        protected void PopulateRefKind(TextWriter trapFile, RefKind kind)
+        {
+            switch (kind)
+            {
+                case RefKind.Out:
+                    trapFile.type_annotation(this, Kinds.TypeAnnotation.Out);
+                    break;
+                case RefKind.Ref:
+                    trapFile.type_annotation(this, Kinds.TypeAnnotation.Ref);
+                    break;
+                case RefKind.RefReadOnly:
+                case RefKind.RefReadOnlyParameter:
+                    trapFile.type_annotation(this, Kinds.TypeAnnotation.ReadonlyRef);
+                    break;
+            }
+        }
+
+        protected void PopulateNullability(TextWriter trapFile, AnnotatedTypeSymbol type)
+        {
+            var n = NullabilityEntity.Create(Context, Nullability.Create(type));
+            if (!type.HasObliviousNullability())
+            {
+                trapFile.type_nullability(this, n);
+            }
+        }
+
+        protected static void WriteLocationToTrap<T1>(Action<T1, Entities.Location> writeAction, T1 entity, Entities.Location l)
+        {
+            if (l is not EmptyLocation)
+            {
+                writeAction(entity, l);
+            }
+        }
+
+        protected static void WriteLocationsToTrap<T1>(Action<T1, Entities.Location> writeAction, T1 entity, IEnumerable<Entities.Location> locations)
+        {
+            foreach (var loc in locations)
+            {
+                WriteLocationToTrap(writeAction, entity, loc);
+            }
+        }
+
         public override string ToString() => Label.ToString();
     }
 }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs

@@ -24,6 +24,16 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         private bool IsExplicitDelegateInvokeCall() => Kind == ExprKind.DELEGATE_INVOCATION && Context.GetModel(Syntax.Expression).GetSymbolInfo(Syntax.Expression).Symbol is IMethodSymbol m && m.MethodKind == MethodKind.DelegateInvoke;
 
+        private bool IsOperatorCall() => Kind == ExprKind.OPERATOR_INVOCATION;
+
+        private bool IsValidMemberAccessKind()
+        {
+            return Kind == ExprKind.METHOD_INVOCATION ||
+                IsEventDelegateCall() ||
+                IsExplicitDelegateInvokeCall() ||
+                IsOperatorCall();
+        }
+
         protected override void PopulateExpression(TextWriter trapFile)
         {
             if (IsNameof(Syntax))
@@ -37,7 +47,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             var target = TargetSymbol;
             switch (Syntax.Expression)
             {
-                case MemberAccessExpressionSyntax memberAccess when Kind == ExprKind.METHOD_INVOCATION || IsEventDelegateCall() || IsExplicitDelegateInvokeCall():
+                case MemberAccessExpressionSyntax memberAccess when IsValidMemberAccessKind():
                     memberName = memberAccess.Name.Identifier.Text;
                     if (Syntax.Expression.Kind() == SyntaxKind.SimpleMemberAccessExpression)
                         // Qualified method call; `x.M()`
@@ -113,14 +123,24 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         public SymbolInfo SymbolInfo => info.SymbolInfo;
 
+        private static bool IsOperatorLikeCall(ExpressionNodeInfo info)
+        {
+            return info.SymbolInfo.Symbol is IMethodSymbol method &&
+                method.TryGetExtensionMethod()?.MethodKind == MethodKind.UserDefinedOperator;
+        }
+
         public IMethodSymbol? TargetSymbol
         {
             get
             {
                 var si = SymbolInfo;
 
-                if (si.Symbol is not null)
-                    return si.Symbol as IMethodSymbol;
+                if (si.Symbol is ISymbol symbol)
+                {
+                    var method = symbol as IMethodSymbol;
+                    // Case for compiler-generated extension methods.
+                    return method?.TryGetExtensionMethod() ?? method;
+                }
 
                 if (si.CandidateReason == CandidateReason.OverloadResolutionFailure)
                 {
@@ -196,15 +216,25 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
         private static ExprKind GetKind(ExpressionNodeInfo info)
         {
-            return IsNameof((InvocationExpressionSyntax)info.Node)
-                ? ExprKind.NAMEOF
-                : IsDelegateLikeCall(info)
-                    ? IsDelegateInvokeCall(info)
-                        ? ExprKind.DELEGATE_INVOCATION
-                        : ExprKind.FUNCTION_POINTER_INVOCATION
-                    : IsLocalFunctionInvocation(info)
-                        ? ExprKind.LOCAL_FUNCTION_INVOCATION
-                        : ExprKind.METHOD_INVOCATION;
+            if (IsNameof((InvocationExpressionSyntax)info.Node))
+            {
+                return ExprKind.NAMEOF;
+            }
+            if (IsDelegateLikeCall(info))
+            {
+                return IsDelegateInvokeCall(info)
+                    ? ExprKind.DELEGATE_INVOCATION
+                    : ExprKind.FUNCTION_POINTER_INVOCATION;
+            }
+            if (IsLocalFunctionInvocation(info))
+            {
+                return ExprKind.LOCAL_FUNCTION_INVOCATION;
+            }
+            if (IsOperatorLikeCall(info))
+            {
+                return ExprKind.OPERATOR_INVOCATION;
+            }
+            return ExprKind.METHOD_INVOCATION;
         }
 
         private static bool IsNameof(InvocationExpressionSyntax syntax)

csharp/extractor/Semmle.Extraction.CSharp/Entities/IParameter.cs

@@ -0,0 +1,9 @@
+namespace Semmle.Extraction.CSharp.Entities
+{
+    /// <summary>
+    /// Marker interface for parameter entities.
+    /// </summary>
+    internal interface IParameter : IEntity
+    {
+    }
+}

csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs

@@ -14,9 +14,28 @@ namespace Semmle.Extraction.CSharp.Entities
         protected Method(Context cx, IMethodSymbol init)
             : base(cx, init) { }
 
+        private SyntheticExtensionParameter? SyntheticParameter { get; set; }
+
+        private int SynthesizeExtensionParameter()
+        {
+            // Synthesize implicit parameter for extension methods declared using extension(...) syntax.
+            if (Symbol.ContainingSymbol is INamedTypeSymbol type &&
+                type.IsExtension && type.ExtensionParameter is IParameterSymbol parameter &&
+                !string.IsNullOrEmpty(parameter.Name) && !Symbol.IsStatic)
+            {
+                var originalSyntheticParam = OriginalDefinition.SyntheticParameter;
+                SyntheticParameter = SyntheticExtensionParameter.Create(Context, this, parameter, originalSyntheticParam);
+                return 1;
+            }
+
+            return 0;
+        }
+
         protected void PopulateParameters()
         {
             var originalMethod = OriginalDefinition;
+            var positionOffset = SynthesizeExtensionParameter();
+
             IEnumerable<IParameterSymbol> parameters = Symbol.Parameters;
             IEnumerable<IParameterSymbol> originalParameters = originalMethod.Symbol.Parameters;
 
@@ -24,8 +43,8 @@ namespace Semmle.Extraction.CSharp.Entities
             {
                 var original = SymbolEqualityComparer.Default.Equals(p.paramSymbol, p.originalParam)
                     ? null
-                    : Parameter.Create(Context, p.originalParam, originalMethod);
-                Parameter.Create(Context, p.paramSymbol, this, original);
+                    : Parameter.Create(Context, p.originalParam, originalMethod, null, positionOffset);
+                Parameter.Create(Context, p.paramSymbol, this, original, positionOffset);
             }
 
             if (Symbol.IsVararg)
@@ -302,9 +321,9 @@ namespace Semmle.Extraction.CSharp.Entities
         /// <summary>
         /// Whether this method has unbound type parameters.
         /// </summary>
-        public bool IsUnboundGeneric => IsGeneric && SymbolEqualityComparer.Default.Equals(Symbol.ConstructedFrom, Symbol);
+        public bool IsUnboundGeneric => Symbol.IsUnboundGenericMethod();
 
-        public bool IsBoundGeneric => IsGeneric && !IsUnboundGeneric;
+        public bool IsBoundGeneric => Symbol.IsBoundGenericMethod();
 
         protected IMethodSymbol ConstructedFromSymbol => Symbol.ConstructedFrom;
 

csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs

@@ -23,7 +23,11 @@ namespace Semmle.Extraction.CSharp.Entities
                 ? Symbol.ContainingType.GetSymbolLocation()
                 : BodyDeclaringSymbol.GetSymbolLocation();
 
-        public override bool NeedsPopulation => base.NeedsPopulation || IsCompilerGeneratedDelegate();
+        public override bool NeedsPopulation =>
+            (base.NeedsPopulation || IsCompilerGeneratedDelegate()) &&
+            // Exclude compiler-generated extension methods. A call to such a method
+            // is replaced by a call to the defining extension method.
+            !Symbol.IsCompilerGeneratedExtensionMethod();
 
         public override void Populate(TextWriter trapFile)
         {

csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs

@@ -7,16 +7,23 @@ using Semmle.Extraction.CSharp.Populators;
 
 namespace Semmle.Extraction.CSharp.Entities
 {
-    internal class Parameter : CachedSymbol<IParameterSymbol>, IExpressionParentEntity
+    internal class Parameter : CachedSymbol<IParameterSymbol>, IExpressionParentEntity, IParameter
     {
         protected IEntity? Parent { get; set; }
         protected Parameter Original { get; }
+        private int PositionOffset { get; set; }
 
-        protected Parameter(Context cx, IParameterSymbol init, IEntity? parent, Parameter? original)
+        private Parameter(Context cx, IParameterSymbol init, IEntity? parent, Parameter? original, int positionOffset)
             : base(cx, init)
         {
             Parent = parent;
             Original = original ?? this;
+            PositionOffset = positionOffset;
+        }
+
+        protected Parameter(Context cx, IParameterSymbol init, IEntity? parent, Parameter? original)
+            : this(cx, init, parent, original, 0)
+        {
         }
 
         public override Microsoft.CodeAnalysis.Location ReportingLocation => Symbol.GetSymbolLocation();
@@ -32,46 +39,18 @@ namespace Semmle.Extraction.CSharp.Entities
             RefReadOnly = 6
         }
 
-        protected virtual int Ordinal => Symbol.Ordinal;
+        protected virtual int Ordinal => Symbol.Ordinal + PositionOffset;
 
-        private Kind ParamKind
-        {
-            get
-            {
-                switch (Symbol.RefKind)
-                {
-                    case RefKind.Out:
-                        return Kind.Out;
-                    case RefKind.Ref:
-                        return Kind.Ref;
-                    case RefKind.In:
-                        return Kind.In;
-                    case RefKind.RefReadOnlyParameter:
-                        return Kind.RefReadOnly;
-                    default:
-                        if (Symbol.IsParams)
-                            return Kind.Params;
-
-                        if (Ordinal == 0)
-                        {
-                            if (Symbol.ContainingSymbol is IMethodSymbol method && method.IsExtensionMethod)
-                                return Kind.This;
-                        }
-                        return Kind.None;
-                }
-            }
-        }
-
-        public static Parameter Create(Context cx, IParameterSymbol param, IEntity parent, Parameter? original = null)
+        public static Parameter Create(Context cx, IParameterSymbol param, IEntity parent, Parameter? original = null, int positionOffset = 0)
         {
             var cachedSymbol = cx.GetPossiblyCachedParameterSymbol(param);
-            return ParameterFactory.Instance.CreateEntity(cx, cachedSymbol, (cachedSymbol, parent, original));
+            return ParameterFactory.Instance.CreateEntity(cx, cachedSymbol, (cachedSymbol, parent, original, positionOffset));
         }
 
         public static Parameter Create(Context cx, IParameterSymbol param)
         {
             var cachedSymbol = cx.GetPossiblyCachedParameterSymbol(param);
-            return ParameterFactory.Instance.CreateEntity(cx, cachedSymbol, (cachedSymbol, null, null));
+            return ParameterFactory.Instance.CreateEntity(cx, cachedSymbol, (cachedSymbol, null, null, 0));
         }
 
         public override void WriteId(EscapingTextWriter trapFile)
@@ -79,6 +58,9 @@ namespace Semmle.Extraction.CSharp.Entities
             if (Parent is null)
                 Parent = Method.Create(Context, Symbol.ContainingSymbol as IMethodSymbol);
 
+            if (Parent is null && Symbol.ContainingSymbol is INamedTypeSymbol type && type.IsExtension)
+                Parent = Type.Create(Context, type);
+
             if (Parent is null)
                 throw new InternalError(Symbol, "Couldn't get parent of symbol.");
 
@@ -113,7 +95,8 @@ namespace Semmle.Extraction.CSharp.Entities
                 Context.ModelError(Symbol, "Inconsistent parameter declaration");
 
             var type = Type.Create(Context, Symbol.Type);
-            trapFile.@params(this, Name, type.TypeRef, Ordinal, ParamKind, Parent!, Original);
+            var kind = Symbol.GetParameterKind();
+            trapFile.@params(this, Name, type.TypeRef, Ordinal, kind, Parent!, Original);
 
             if (Context.OnlyScaffold)
             {
@@ -194,11 +177,11 @@ namespace Semmle.Extraction.CSharp.Entities
             return syntax?.Default;
         }
 
-        private class ParameterFactory : CachedEntityFactory<(IParameterSymbol, IEntity?, Parameter?), Parameter>
+        private class ParameterFactory : CachedEntityFactory<(IParameterSymbol, IEntity?, Parameter?, int), Parameter>
         {
             public static ParameterFactory Instance { get; } = new ParameterFactory();
 
-            public override Parameter Create(Context cx, (IParameterSymbol, IEntity?, Parameter?) init) => new Parameter(cx, init.Item1, init.Item2, init.Item3);
+            public override Parameter Create(Context cx, (IParameterSymbol, IEntity?, Parameter?, int) init) => new Parameter(cx, init.Item1, init.Item2, init.Item3, init.Item4);
         }
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.OptionalLabel;

csharp/extractor/Semmle.Extraction.CSharp/Entities/SyntheticExtensionParameter.cs

@@ -0,0 +1,77 @@
+using System.IO;
+using System.Linq;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    /// <summary>
+    /// Synthetic parameter for extension methods declared using the extension syntax.
+    /// That is, we add a synthetic parameter `s` to `IsValid` in the following example:
+    /// extension(string s) {
+    ///   public bool IsValid() { ... }
+    /// }
+    ///
+    /// Note, that we use the characteristics of the parameter of the extension type
+    /// to populate the database.
+    /// </summary>
+    internal class SyntheticExtensionParameter : FreshEntity, IParameter
+    {
+        private Method ExtensionMethod { get; }
+        private IParameterSymbol ExtensionParameter { get; }
+        private SyntheticExtensionParameter Original { get; }
+
+        private SyntheticExtensionParameter(Context cx, Method method, IParameterSymbol parameter, SyntheticExtensionParameter? original) : base(cx)
+        {
+            ExtensionMethod = method;
+            ExtensionParameter = parameter;
+            Original = original ?? this;
+        }
+
+        private static int Ordinal => 0;
+
+        private string Name => ExtensionParameter.Name;
+
+        private bool IsSourceDeclaration => ExtensionMethod.Symbol.IsSourceDeclaration();
+
+        protected override void Populate(TextWriter trapFile)
+        {
+            PopulateNullability(trapFile, ExtensionParameter.GetAnnotatedType());
+            PopulateRefKind(trapFile, ExtensionParameter.RefKind);
+
+            var type = Type.Create(Context, ExtensionParameter.Type);
+            var kind = ExtensionParameter.GetParameterKind();
+            trapFile.@params(this, Name, type.TypeRef, Ordinal, kind, ExtensionMethod, Original);
+
+            if (Context.OnlyScaffold)
+            {
+                return;
+            }
+
+            if (Context.ExtractLocation(ExtensionParameter))
+            {
+                var locations = Context.GetLocations(ExtensionParameter);
+                WriteLocationsToTrap(trapFile.param_location, this, locations);
+            }
+
+            if (IsSourceDeclaration)
+            {
+                foreach (var syntax in ExtensionParameter.DeclaringSyntaxReferences
+                    .Select(d => d.GetSyntax())
+                    .OfType<ParameterSyntax>()
+                    .Where(s => s.Type is not null))
+                {
+                    TypeMention.Create(Context, syntax.Type!, this, type);
+                }
+            }
+        }
+
+        public static SyntheticExtensionParameter Create(Context cx, Method method, IParameterSymbol parameter, SyntheticExtensionParameter? original)
+        {
+            var p = new SyntheticExtensionParameter(cx, method, parameter, original);
+            p.TryPopulate();
+            return p;
+        }
+    }
+
+}

csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs

@@ -20,6 +20,8 @@ namespace Semmle.Extraction.CSharp.Entities
         public static NamedType Create(Context cx, INamedTypeSymbol type) =>
             NamedTypeFactory.Instance.CreateEntityFromSymbol(cx, type);
 
+        public NamedType OriginalDefinition => Create(Context, Symbol.OriginalDefinition);
+
         /// <summary>
         /// Creates a named type entity from a tuple type. Unlike <see cref="Create"/>, this
         /// will create an entity for the underlying `System.ValueTuple` struct.
@@ -90,6 +92,25 @@ namespace Semmle.Extraction.CSharp.Entities
             {
                 trapFile.anonymous_types(this);
             }
+
+            if (Symbol.IsExtension && Symbol.ExtensionParameter is IParameterSymbol parameter)
+            {
+                // For some reason an extension type has a receiver parameter with an empty name
+                // even when there is no parameter.
+                if (!string.IsNullOrEmpty(parameter.Name))
+                {
+                    var originalType = OriginalDefinition;
+                    // In case this is a constructed generic, we also need to create the unbound parameter.
+                    var originalParameter = SymbolEqualityComparer.Default.Equals(Symbol, originalType.Symbol.ExtensionParameter) || originalType.Symbol.ExtensionParameter is null
+                        ? null
+                        : Parameter.Create(Context, originalType.Symbol.ExtensionParameter, originalType);
+                    Parameter.Create(Context, parameter, this, originalParameter);
+                }
+
+                // Use the parameter type as the receiver type.
+                var receiverType = Type.Create(Context, parameter.Type).TypeRef;
+                trapFile.extension_receiver_type(this, receiverType);
+            }
         }
 
         private readonly Lazy<Type[]> typeArgumentsLazy;

csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs

@@ -105,6 +105,7 @@ namespace Semmle.Extraction.CSharp.Entities
                         case TypeKind.Pointer: return Kinds.TypeKind.POINTER;
                         case TypeKind.FunctionPointer: return Kinds.TypeKind.FUNCTION_POINTER;
                         case TypeKind.Error: return Kinds.TypeKind.UNKNOWN;
+                        case TypeKind.Extension: return Kinds.TypeKind.EXTENSION;
                         default:
                             cx.ModelError(Symbol, $"Unhandled type kind '{Symbol.TypeKind}'");
                             return Kinds.TypeKind.UNKNOWN;
@@ -366,7 +367,7 @@ namespace Semmle.Extraction.CSharp.Entities
             private DelegateTypeParameter(Context cx, IParameterSymbol init, IEntity parent, Parameter? original)
                 : base(cx, init, parent, original) { }
 
-            public static new DelegateTypeParameter Create(Context cx, IParameterSymbol param, IEntity parent, Parameter? original = null) =>
+            public static DelegateTypeParameter Create(Context cx, IParameterSymbol param, IEntity parent, Parameter? original = null) =>
                // We need to use a different cache key than `param` to avoid mixing up
                // `DelegateTypeParameter`s and `Parameter`s
                DelegateTypeParameterFactory.Instance.CreateEntity(cx, (typeof(DelegateTypeParameter), new SymbolEqualityWrapper(param)), (param, parent, original));

csharp/extractor/Semmle.Extraction.CSharp/Kinds/TypeKind.cs

@@ -38,5 +38,6 @@ namespace Semmle.Extraction.Kinds
         TUPLE = 32,
         FUNCTION_POINTER = 33,
         INLINE_ARRAY = 34,
+        EXTENSION = 35
     }
 }

csharp/extractor/Semmle.Extraction.CSharp/Trap/Tuples.cs

@@ -202,6 +202,9 @@ namespace Semmle.Extraction.CSharp
         internal static void extend(this TextWriter trapFile, Type type, Type super) =>
             trapFile.WriteTuple("extend", type, super);
 
+        internal static void extension_receiver_type(this TextWriter trapFile, Type @extension, Type receiverType) =>
+            trapFile.WriteTuple("extension_receiver_type", extension, receiverType);
+
         internal static void anonymous_types(this TextWriter trapFile, Type type) =>
             trapFile.WriteTuple("anonymous_types", type);
 
@@ -292,10 +295,10 @@ namespace Semmle.Extraction.CSharp
         internal static void overrides(this TextWriter trapFile, Method overriding, Method overridden) =>
             trapFile.WriteTuple("overrides", overriding, overridden);
 
-        internal static void param_location(this TextWriter trapFile, Parameter param, Location location) =>
+        internal static void param_location(this TextWriter trapFile, IParameter param, Location location) =>
             trapFile.WriteTuple("param_location", param, location);
 
-        internal static void @params(this TextWriter trapFile, Parameter param, string name, Type type, int child, Parameter.Kind mode, IEntity method, Parameter originalDefinition) =>
+        internal static void @params(this TextWriter trapFile, IParameter param, string name, Type type, int child, Parameter.Kind mode, IEntity method, IParameter originalDefinition) =>
             trapFile.WriteTuple("params", param, name, type, child, (int)mode, method, originalDefinition);
 
         internal static void parent_namespace(this TextWriter trapFile, IEntity type, Namespace parent) =>

csharp/extractor/Semmle.Util/IEnumerableExtensions.cs

@@ -119,5 +119,28 @@ namespace Semmle.Util
         /// </summary>
         public static IEnumerable<T> WhereNotNull<T>(this IEnumerable<T?> items) where T : class =>
             items.Where(i => i is not null)!;
+
+        /// <summary>
+        /// Splits the sequence at the given index.
+        /// </summary>
+        public static (IEnumerable<T>, IEnumerable<T>) SplitAt<T>(this IEnumerable<T> items, int index)
+        {
+            var left = new List<T>();
+            var right = new List<T>();
+            var i = 0;
+            foreach (var item in items)
+            {
+                if (i < index)
+                {
+                    left.Add(item);
+                }
+                else
+                {
+                    right.Add(item);
+                }
+                i++;
+            }
+            return (left, right);
+        }
     }
 }

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.59
+
+No user-facing changes.
+
 ## 1.7.58
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.59.md

@@ -0,0 +1,3 @@
+## 1.7.59
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.58
+lastReleaseVersion: 1.7.59

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.58
+version: 1.7.59
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.59
+
+No user-facing changes.
+
 ## 1.7.58
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.59.md

@@ -0,0 +1,3 @@
+## 1.7.59
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.58
+lastReleaseVersion: 1.7.59

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.58
+version: 1.7.59
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 5.4.7
+
+### Minor Analysis Improvements
+
+* The model for `System.Web.HttpUtility` has been modified to better model the flow of tainted URIs.
+* C# 14: Added support for `extension` members in the extractor, QL library, data flow, and Models as Data, covering extension methods, properties, and operators.
+
 ## 5.4.6
 
 ### Minor Analysis Improvements

csharp/ql/lib/change-notes/released/5.4.7.md

@@ -0,0 +1,6 @@
+## 5.4.7
+
+### Minor Analysis Improvements
+
+* The model for `System.Web.HttpUtility` has been modified to better model the flow of tainted URIs.
+* C# 14: Added support for `extension` members in the extractor, QL library, data flow, and Models as Data, covering extension methods, properties, and operators.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.6
+lastReleaseVersion: 5.4.7

csharp/ql/lib/ext/System.Web.model.yml

@@ -29,6 +29,10 @@ extensions:
       - ["System.Web", "HttpUtility", False, "JavaScriptStringEncode", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["System.Web", "HttpUtility", False, "JavaScriptStringEncode", "(System.String,System.Boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["System.Web", "HttpUtility", False, "ParseQueryString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["System.Web", "HttpUtility", False, "UrlDecode", "(System.Byte[],System.Int32,System.Int32,System.Text.Encoding)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["System.Web", "HttpUtility", False, "UrlDecode", "(System.Byte[],System.Text.Encoding)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["System.Web", "HttpUtility", False, "UrlDecode", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["System.Web", "HttpUtility", False, "UrlDecode", "(System.String,System.Text.Encoding)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["System.Web", "HttpUtility", False, "UrlEncode", "(System.Byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["System.Web", "HttpUtility", False, "UrlEncode", "(System.Byte[],System.Int32,System.Int32)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["System.Web", "HttpUtility", False, "UrlEncode", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.6
+version: 5.4.7
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/Callable.qll

@@ -10,6 +10,7 @@ import exprs.Call
 private import commons.QualifiedName
 private import commons.Collections
 private import semmle.code.csharp.ExprOrStmtParent
+private import semmle.code.csharp.internal.Callable
 private import semmle.code.csharp.metrics.Complexity
 private import TypeRef
 
@@ -223,6 +224,8 @@ class Callable extends Parameterizable, ExprOrStmtParent, @callable {
   Call getACall() { this = result.getTarget() }
 }
 
+final class ExtensionCallable = ExtensionCallableImpl;
+
 /**
  * A method, for example
  *
@@ -267,8 +270,11 @@ class Method extends Callable, Virtualizable, Attributable, @method {
 
   override Location getALocation() { method_location(this.getUnboundDeclaration(), result) }
 
+  /** Holds if this method is a classic extension method. */
+  predicate isClassicExtensionMethod() { this.getParameter(0).hasExtensionMethodModifier() }
+
   /** Holds if this method is an extension method. */
-  predicate isExtensionMethod() { this.getParameter(0).hasExtensionMethodModifier() }
+  predicate isExtensionMethod() { this.isClassicExtensionMethod() or this.isInExtension() }
 
   /** Gets the type of the `params` parameter of this method, if any. */
   Type getParamsType() {
@@ -295,8 +301,10 @@ class Method extends Callable, Virtualizable, Attributable, @method {
   override string getAPrimaryQlClass() { result = "Method" }
 }
 
+final class ExtensionMethod = ExtensionMethodImpl;
+
 /**
- * An extension method, for example
+ *  An extension method, for example
  *
  * ```csharp
  * static bool IsDefined(this Widget w) {
@@ -304,16 +312,28 @@ class Method extends Callable, Virtualizable, Attributable, @method {
  * }
  * ```
  */
-class ExtensionMethod extends Method {
-  ExtensionMethod() { this.isExtensionMethod() }
+class ClassicExtensionMethod extends ExtensionMethodImpl {
+  ClassicExtensionMethod() { this.isClassicExtensionMethod() }
+
+  pragma[noinline]
+  override Type getExtendedType() { result = this.getParameter(0).getType() }
 
   override predicate isStatic() { any() }
+}
 
-  /** Gets the type being extended by this method. */
-  pragma[noinline]
-  Type getExtendedType() { result = this.getParameter(0).getType() }
-
-  override string getAPrimaryQlClass() { result = "ExtensionMethod" }
+/**
+ * An extension method declared in an extension type, for example `IsNullOrEmpty` in
+ *
+ * ```csharp
+ * static class MyExtensions {
+ *   extension(string s) {
+ *     public bool IsNullOrEmpty() { ... }
+ *   }
+ * }
+ * ```
+ */
+class ExtensionTypeExtensionMethod extends ExtensionMethodImpl {
+  ExtensionTypeExtensionMethod() { this.isInExtension() }
 }
 
 /**
@@ -536,6 +556,21 @@ class RecordCloneMethod extends Method {
   }
 }
 
+/**
+ * An extension operator, for example `*` in
+ *
+ * ```csharp
+ * static class MyExtensions {
+ *   extension(string s) {
+ *     public static string operator *(int s1, string s2) { ... }
+ *   }
+ * }
+ * ```
+ */
+class ExtensionOperator extends ExtensionCallableImpl, Operator {
+  ExtensionOperator() { this.isInExtension() }
+}
+
 /**
  * A user-defined unary operator - an operator taking one operand.
  *

csharp/ql/lib/semmle/code/csharp/Member.qll

@@ -102,6 +102,9 @@ class Declaration extends NamedElement, @declaration {
    * implicit constructors or accessors.
    */
   predicate isCompilerGenerated() { compiler_generated(this) }
+
+  /** Holds if this declaration is in an extension type. */
+  predicate isInExtension() { this.getDeclaringType() instanceof ExtensionType }
 }
 
 /** A declaration that can have a modifier. */
@@ -469,7 +472,7 @@ class Virtualizable extends Overridable, Member, @virtualizable {
 
 /**
  * A parameterizable declaration. Either a callable (`Callable`), a delegate
- * type (`DelegateType`), or an indexer (`Indexer`).
+ * type (`DelegateType`), an indexer (`Indexer`), or an extension (`ExtensionType`).
  */
 class Parameterizable extends Declaration, @parameterizable {
   /** Gets raw parameter `i`, including the `this` parameter at index 0. */

csharp/ql/lib/semmle/code/csharp/Property.qll

@@ -6,6 +6,7 @@ import Member
 import Stmt
 import Type
 private import semmle.code.csharp.ExprOrStmtParent
+private import semmle.code.csharp.internal.Callable
 private import TypeRef
 
 /**
@@ -260,6 +261,21 @@ class Property extends DeclarationWithGetSetAccessors, @property {
   override string getAPrimaryQlClass() { result = "Property" }
 }
 
+/**
+ * An extension property, for example `FirstChar` in
+ *
+ * ```csharp
+ * static class MyExtensions {
+ *   extension(string s) {
+ *     public char FirstChar { get { ... } }
+ *   }
+ * }
+ * ```
+ */
+class ExtensionProperty extends Property {
+  ExtensionProperty() { this.isInExtension() }
+}
+
 /**
  * An indexer, for example `string this[int i]` on line 2 in
  *
@@ -413,6 +429,22 @@ class Accessor extends Callable, Modifiable, Attributable, Overridable, @callabl
   override string toString() { result = this.getName() }
 }
 
+/**
+ *  An extension accessor. Either a getter (`Getter`) or a setter (`Setter`) of an
+ *  extension property, for example `get` in
+ *
+ * ```csharp
+ * static class MyExtensions {
+ *   extension(string s) {
+ *     public char FirstChar { get { ... } }
+ *   }
+ * }
+ * ```
+ */
+class ExtensionAccessor extends ExtensionCallableImpl, Accessor {
+  ExtensionAccessor() { this.isInExtension() }
+}
+
 /**
  * A `get` accessor, for example `get { return p; }` in
  *

csharp/ql/lib/semmle/code/csharp/Type.qll

@@ -17,7 +17,8 @@ private import semmle.code.csharp.frameworks.system.runtime.CompilerServices
  *
  * Either a value or reference type (`ValueOrRefType`), the `void` type (`VoidType`),
  * a pointer type (`PointerType`), the arglist type (`ArglistType`), an unknown
- * type (`UnknownType`), or a type parameter (`TypeParameter`).
+ * type (`UnknownType`), a type parameter (`TypeParameter`) or
+ * an extension type (`ExtensionType`).
  */
 class Type extends Member, TypeContainer, @type {
   /** Gets the name of this type without additional syntax such as `[]` or `*`. */
@@ -1326,3 +1327,35 @@ class TypeMention extends @type_mention {
   /** Gets the location of this type mention. */
   Location getLocation() { type_mention_location(this, result) }
 }
+
+/**
+ * A type extension declaration, for example `extension(string s) { ... }` in
+ *
+ * ```csharp
+ * static class MyExtensions {
+ *   extension(string s) { ... }
+ * ```
+ */
+class ExtensionType extends Parameterizable, @extension_type {
+  /**
+   * Gets the receiver parameter of this extension type, if any.
+   */
+  Parameter getReceiverParameter() { result = this.getParameter(0) }
+
+  /**
+   * Holds if this extension type has a receiver parameter.
+   */
+  predicate hasReceiverParameter() { exists(this.getReceiverParameter()) }
+
+  /**
+   * Gets the type being extended by this extension type.
+   */
+  Type getExtendedType() {
+    extension_receiver_type(this, result)
+    or
+    not extension_receiver_type(this, any(Type t)) and
+    extension_receiver_type(this, getTypeRef(result))
+  }
+
+  override string getAPrimaryQlClass() { result = "ExtensionType" }
+}

csharp/ql/lib/semmle/code/csharp/commons/QualifiedName.qll

@@ -67,6 +67,12 @@ module QualifiedName<QualifiedNameInputSig Input> {
       )
   }
 
+  private string getName(ValueOrRefType t) {
+    not t instanceof ExtensionType and result = t.getUndecoratedName()
+    or
+    result = "extension(" + getFullName(t.(ExtensionType).getExtendedType()) + ")"
+  }
+
   /** Holds if declaration `d` has the qualified name `qualifier`.`name`. */
   predicate hasQualifiedName(Declaration d, string qualifier, string name) {
     d =
@@ -86,12 +92,12 @@ module QualifiedName<QualifiedNameInputSig Input> {
             exists(string name0 | name = name0 + Input::getUnboundGenericSuffix(ugt) |
               exists(string enclosing |
                 hasQualifiedName(ugt.getDeclaringType(), qualifier, enclosing) and
-                name0 = enclosing + "+" + ugt.getUndecoratedName()
+                name0 = enclosing + "+" + getName(ugt)
               )
               or
               not exists(ugt.getDeclaringType()) and
               qualifier = ugt.getNamespace().getFullName() and
-              name0 = ugt.getUndecoratedName()
+              name0 = getName(ugt)
             )
           )
         or
@@ -100,12 +106,12 @@ module QualifiedName<QualifiedNameInputSig Input> {
             exists(string name0 | name = name0 + "<" + getTypeArgumentsQualifiedNames(ct) + ">" |
               exists(string enclosing |
                 hasQualifiedName(ct.getDeclaringType(), qualifier, enclosing) and
-                name0 = enclosing + "+" + ct.getUndecoratedName()
+                name0 = enclosing + "+" + getName(ct)
               )
               or
               not exists(ct.getDeclaringType()) and
               qualifier = ct.getNamespace().getFullName() and
-              name0 = ct.getUndecoratedName()
+              name0 = getName(ct)
             )
           )
         or
@@ -116,12 +122,12 @@ module QualifiedName<QualifiedNameInputSig Input> {
         (
           exists(string enclosing |
             hasQualifiedName(vort.getDeclaringType(), qualifier, enclosing) and
-            name = enclosing + "+" + vort.getUndecoratedName()
+            name = enclosing + "+" + getName(vort)
           )
           or
           not exists(vort.getDeclaringType()) and
           qualifier = vort.getNamespace().getFullName() and
-          name = vort.getUndecoratedName()
+          name = getName(vort)
         )
       )
     or

csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll

@@ -214,7 +214,7 @@ module ModelValidation {
       not namespace.regexpMatch("[a-zA-Z0-9_\\.]+") and
       result = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
       or
-      not type.regexpMatch("[a-zA-Z0-9_<>,\\+]+") and
+      not type.regexpMatch("[a-zA-Z0-9_<>,\\(\\)\\+\\.]+") and
       result = "Dubious type \"" + type + "\" in " + pred + " model."
       or
       not name.regexpMatch("[a-zA-Z0-9_<>,\\.]*") and

csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll

@@ -87,7 +87,8 @@ private module Internal {
     newtype TDispatchCall =
       TDispatchMethodCall(MethodCall mc) {
         not isReflectionCall(mc, _, _, _, _) and
-        not mc.isLateBound()
+        not mc.isLateBound() and
+        not isExtensionAccessorCall(mc)
       } or
       TDispatchAccessorCall(AccessorCall ac) or
       TDispatchOperatorCall(OperatorCall oc) { not oc.isLateBound() } or
@@ -110,7 +111,8 @@ private module Internal {
         c instanceof ConstructorInitializer
         or
         c instanceof LocalFunctionCall
-      }
+      } or
+      TDispatchExtensionAccessorCall(MethodCall mc) { isExtensionAccessorCall(mc) }
 
     cached
     Expr getCall(DispatchCall dc) { result = dc.(DispatchCallImpl).getCall() }
@@ -142,6 +144,8 @@ private module Internal {
 
   import Cached
 
+  private predicate isExtensionAccessorCall(MethodCall mc) { exists(mc.getTargetAccessor()) }
+
   /**
    * Holds if `mc` is a reflection call to a method named `name`, where
    * `object` is the object on which to invoke the method (`null` if a
@@ -819,6 +823,33 @@ private module Internal {
     override Method getAStaticTarget() { result = this.getCall().getTarget() }
   }
 
+  /**
+   * A call to an extension accessor method.
+   */
+  private class DispatchExtensionAccessorCall extends DispatchCallImpl,
+    TDispatchExtensionAccessorCall
+  {
+    override MethodCall getCall() { this = TDispatchExtensionAccessorCall(result) }
+
+    private Expr getArgumentForParameter(Parameter p) {
+      this.getCall().getTargetAccessor().getAParameter() = p and
+      result = this.getCall().getArgument(p.getPosition())
+    }
+
+    override Expr getArgument(int i) {
+      exists(MethodCall call, Parameter p | call = this.getCall() |
+        p = call.getTargetAccessor().getParameter(i) and
+        result = this.getArgumentForParameter(p)
+      )
+    }
+
+    override Expr getQualifier() { result = this.getCall().getQualifier() }
+
+    override Accessor getAStaticTarget() { result = this.getCall().getTargetAccessor() }
+
+    override RuntimeCallable getADynamicTarget() { result = this.getAStaticTarget() }
+  }
+
   /**
    * An ordinary operator call.
    *

csharp/ql/lib/semmle/code/csharp/exprs/Access.qll

@@ -223,6 +223,40 @@ class ParameterAccess extends LocalScopeVariableAccess, @parameter_access_expr {
   override string getAPrimaryQlClass() { result = "ParameterAccess" }
 }
 
+/**
+ * An access to a synthetic parameter for an extension method, for example the
+ * access to `s` on line 3 in
+ *
+ * ```csharp
+ * static class MyExtensions {
+ *   extension(string s) {
+ *     public bool IsEmpty() { return s == string.Empty; }
+ *   }
+ * }
+ * ```
+ */
+class SyntheticExtensionParameterAccess extends ParameterAccess {
+  SyntheticExtensionParameterAccess() {
+    exists(ExtensionType et, Parameter p |
+      p = et.getReceiverParameter() and
+      expr_access(this, p)
+    )
+  }
+
+  override Parameter getTarget() {
+    exists(ExtensionCallable c |
+      this.getEnclosingCallable+() = c and
+      result = c.getParameter(0)
+    )
+  }
+
+  override string toString() {
+    result = "access to extension synthetic parameter " + this.getTarget().getName()
+  }
+
+  override string getAPrimaryQlClass() { result = "SyntheticExtensionParameterAccess" }
+}
+
 /**
  * An access to a parameter that reads the underlying value, for example
  * the access to `p` on line 2 in

csharp/ql/lib/semmle/code/csharp/exprs/Call.qll

@@ -267,9 +267,33 @@ class Call extends Expr, @call {
 class MethodCall extends Call, QualifiableExpr, LateBindableExpr, @method_invocation_expr {
   override Method getTarget() { expr_call(this, result) }
 
+  /**
+   * Gets the accessor that was used to generate this method, if any. For example, the
+   * method call `MyExtensions.get_FirstChar(s)` on line 9 is generated from the property
+   * accessor `get_FirstChar` on line 3 in
+   *
+   * ```csharp
+   * static class MyExtensions {
+   *   extension(string s) {
+   *     public char FirstChar { get { ... } }
+   *   }
+   * }
+   *
+   * class A {
+   *   char M(string s) {
+   *     return MyExtensions.get_FirstChar(s);
+   *   }
+   * }
+   */
+  Accessor getTargetAccessor() { expr_call(this, result) }
+
   override Method getQualifiedDeclaration() { result = this.getTarget() }
 
-  override string toString() { result = "call to method " + concat(this.getTarget().getName()) }
+  override string toString() {
+    if exists(this.getTargetAccessor())
+    then result = "call to extension accessor " + concat(this.getTargetAccessor().getName())
+    else result = "call to method " + concat(this.getTarget().getName())
+  }
 
   override string getAPrimaryQlClass() { result = "MethodCall" }
 
@@ -479,6 +503,30 @@ class OperatorCall extends Call, LateBindableExpr, @operator_invocation_expr {
   override string getAPrimaryQlClass() { result = "OperatorCall" }
 }
 
+/**
+ * A call to an extension operator, for example `3 * s` on
+ * line 9 in
+ *
+ * ```csharp
+ * static class MyExtensions {
+ *   extension(string s) {
+ *     public static string operator *(int i, string s) { ... }
+ *   }
+ * }
+ *
+ * class A {
+ *   string M(string s) {
+ *     return 3 * s;
+ *   }
+ * }
+ * ```
+ */
+class ExtensionOperatorCall extends OperatorCall {
+  ExtensionOperatorCall() { this.getTarget() instanceof ExtensionOperator }
+
+  override string getAPrimaryQlClass() { result = "ExtensionOperatorCall" }
+}
+
 /**
  * A call to a user-defined mutator operator, for example `a++` on
  * line 7 in
@@ -658,6 +706,44 @@ class IndexerCall extends AccessorCall, IndexerAccessExpr {
   override string getAPrimaryQlClass() { result = "IndexerCall" }
 }
 
+/**
+ * A call to an extension property accessor (via the property), for example
+ * `s.FirstChar` on line 9 in
+ *
+ * ```csharp
+ * static class MyExtensions {
+ *   extension(string s) {
+ *     public char FirstChar { get { ... } }
+ *   }
+ * }
+ *
+ * class A {
+ *   char M(string s) {
+ *     return s.FirstChar;
+ *   }
+ * }
+ * ```
+ */
+class ExtensionPropertyCall extends PropertyCall {
+  private ExtensionProperty prop;
+
+  ExtensionPropertyCall() { this.getProperty() = prop }
+
+  override Expr getArgument(int i) {
+    if prop.isStatic()
+    then result = super.getArgument(i)
+    else (
+      // Shift arguments as the qualifier is an explicit argument in the getter/setter.
+      i = 0 and
+      result = this.getQualifier()
+      or
+      result = super.getArgument(i - 1)
+    )
+  }
+
+  override string getAPrimaryQlClass() { result = "ExtensionPropertyCall" }
+}
+
 /**
  * A call to an event accessor, for example the call to `add_Click`
  * (defined on line 5) on line 12 in

csharp/ql/lib/semmle/code/csharp/internal/Callable.qll

@@ -0,0 +1,33 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides `Callable` classes, which are things that can be called
+ * such as methods and operators.
+ */
+
+private import semmle.code.csharp.Callable
+private import semmle.code.csharp.Property
+
+/**
+ * A callable that is declared as an extension.
+ *
+ * Either an extension method (`ExtensionMethod`), an extension operator
+ * (`ExtensionOperator`) or an extension accessor (`ExtensionAccessor`).
+ */
+abstract class ExtensionCallableImpl extends Callable {
+  /** Gets the type being extended by this method. */
+  pragma[noinline]
+  Type getExtendedType() { result = this.getDeclaringType().(ExtensionType).getExtendedType() }
+
+  override string getAPrimaryQlClass() { result = "ExtensionCallable" }
+}
+
+/**
+ * An extension method.
+ *
+ * Either a classic extension method (`ClassicExtensionMethod`) or an extension
+ * type extension method (`ExtensionTypeExtensionMethod`).
+ */
+abstract class ExtensionMethodImpl extends ExtensionCallableImpl, Method {
+  override string getAPrimaryQlClass() { result = "ExtensionMethod" }
+}

csharp/ql/lib/semmlecode.csharp.dbscheme

@@ -492,6 +492,7 @@ case @type.kind of
 | 32 = @tuple_type
 | 33 = @function_pointer_type
 | 34 = @inline_array_type
+| 35 = @extension_type
   ;
 
 @simple_type = @bool_type | @char_type | @integral_type | @floating_point_type | @decimal_type;
@@ -502,7 +503,7 @@ case @type.kind of
 @value_type = @simple_type | @enum_type | @struct_type | @nullable_type | @int_ptr_type
             | @uint_ptr_type | @tuple_type | @void_type | @inline_array_type;
 @ref_type = @class_type | @interface_type | @array_type | @delegate_type | @null_type
-          | @dynamic_type;
+          | @dynamic_type | @extension_type;
 @value_or_ref_type = @value_type | @ref_type;
 
 typerefs(
@@ -541,6 +542,10 @@ function_pointer_return_type(
     unique int function_pointer_id: @function_pointer_type ref,
     int return_type_id: @type_or_ref ref);
 
+extension_receiver_type(
+  unique int extension: @extension_type ref,
+  int receiver_type_id: @type_or_ref ref);
+
 extend(
   int sub: @type ref,
   int super: @type_or_ref ref);
@@ -903,7 +908,7 @@ localvar_location(
   unique int id: @local_variable ref,
   int loc: @location ref);
 
-@parameterizable = @callable | @delegate_type | @indexer | @function_pointer_type;
+@parameterizable = @callable | @delegate_type | @indexer | @function_pointer_type | @extension_type;
 
 #keyset[name, parent_id]
 #keyset[index, parent_id]

csharp/ql/lib/upgrades/68b5aec54e50fe7e375df3777b756a746ca3a37c/upgrade.properties

@@ -0,0 +1,2 @@
+description: Add the relation `extension_receiver_type` and add the `extension_type` type kind.
+compatibility: full

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.6.2
+
+### Bug Fixes
+
+* The `cs/web/missing-token-validation` ("Missing cross-site request forgery token validation") query now recognizes antiforgery attributes on base controller classes, fixing false positives when `[ValidateAntiForgeryToken]` or `[AutoValidateAntiforgeryToken]` is applied to a parent class.
+
 ## 1.6.1
 
 No user-facing changes.

csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql

@@ -54,12 +54,12 @@ predicate hasGlobalAntiForgeryFilter() {
 predicate isUnvalidatedPostMethod(Class c, Method m) {
   c.(Controller).getAPostActionMethod() = m and
   not m.getAnAttribute() instanceof ValidateAntiForgeryTokenAttribute and
-  not c.getAnAttribute() instanceof ValidateAntiForgeryTokenAttribute
+  not c.getABaseType*().getAnAttribute() instanceof ValidateAntiForgeryTokenAttribute
   or
   c.(AspNetCore::MicrosoftAspNetCoreMvcController).getAnActionMethod() = m and
   m.getAnAttribute() instanceof AspNetCore::MicrosoftAspNetCoreMvcHttpPostAttribute and
   not m.getAnAttribute() instanceof AspNetCore::ValidateAntiForgeryAttribute and
-  not c.getAnAttribute() instanceof AspNetCore::ValidateAntiForgeryAttribute
+  not c.getABaseType*().getAnAttribute() instanceof AspNetCore::ValidateAntiForgeryAttribute
 }
 
 Element getAValidatedElement() {

csharp/ql/src/change-notes/released/1.6.2.md

@@ -0,0 +1,5 @@
+## 1.6.2
+
+### Bug Fixes
+
+* The `cs/web/missing-token-validation` ("Missing cross-site request forgery token validation") query now recognizes antiforgery attributes on base controller classes, fixing false positives when `[ValidateAntiForgeryToken]` or `[AutoValidateAntiforgeryToken]` is applied to a parent class.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.1
+lastReleaseVersion: 1.6.2

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.6.1
+version: 1.6.2
 groups:
   - csharp
   - queries